LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/krb5 - keytab.c (source / functions) Hit Total Coverage
Test: coverage report for v4-17-test 1498b464 Lines: 155 275 56.4 %
Date: 2024-06-13 04:01:37 Functions: 19 27 70.4 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #include "krb5_locl.h"
      35             : 
      36             : /**
      37             :  * @page krb5_keytab_intro The keytab handing functions
      38             :  * @section section_krb5_keytab Kerberos Keytabs
      39             :  *
      40             :  * See the library functions here: @ref krb5_keytab
      41             :  *
      42             :  * Keytabs are long term key storage for servers, their equvalment of
      43             :  * password files.
      44             :  *
      45             :  * Normally the only function that useful for server are to specify
      46             :  * what keytab to use to other core functions like krb5_rd_req()
      47             :  * krb5_kt_resolve(), and krb5_kt_close().
      48             :  *
      49             :  * @subsection krb5_keytab_names Keytab names
      50             :  *
      51             :  * A keytab name is on the form type:residual. The residual part is
      52             :  * specific to each keytab-type.
      53             :  *
      54             :  * When a keytab-name is resolved, the type is matched with an internal
      55             :  * list of keytab types. If there is no matching keytab type,
      56             :  * the default keytab is used. The current default type is FILE.
      57             :  *
      58             :  * The default value can be changed in the configuration file
      59             :  * /etc/krb5.conf by setting the variable
      60             :  * [defaults]default_keytab_name.
      61             :  *
      62             :  * The keytab types that are implemented in Heimdal are:
      63             :  * - file
      64             :  *   store the keytab in a file, the type's name is FILE .  The
      65             :  *   residual part is a filename. For compatibility with other
      66             :  *   Kerberos implemtation WRFILE and JAVA14 is also accepted.  WRFILE
      67             :  *   has the same format as FILE. JAVA14 have a format that is
      68             :  *   compatible with older versions of MIT kerberos and SUN's Java
      69             :  *   based installation.  They store a truncted kvno, so when the knvo
      70             :  *   excess 255, they are truncted in this format.
      71             :  *
      72             :  * - keytab
      73             :  *   store the keytab in a AFS keyfile (usually /usr/afs/etc/KeyFile ),
      74             :  *   the type's name is AFSKEYFILE. The residual part is a filename.
      75             :  *
      76             :  * - memory
      77             :  *   The keytab is stored in a memory segment. This allows sensitive
      78             :  *   and/or temporary data not to be stored on disk. The type's name
      79             :  *   is MEMORY. Each MEMORY keytab is referenced counted by and
      80             :  *   opened by the residual name, so two handles can point to the
      81             :  *   same memory area.  When the last user closes using krb5_kt_close()
      82             :  *   the keytab, the keys in they keytab is memset() to zero and freed
      83             :  *   and can no longer be looked up by name.
      84             :  *
      85             :  *
      86             :  * @subsection krb5_keytab_example Keytab example
      87             :  *
      88             :  *  This is a minimalistic version of ktutil.
      89             :  *
      90             :  * @code
      91             : int
      92             : main (int argc, char **argv)
      93             : {
      94             :     krb5_context context;
      95             :     krb5_keytab keytab;
      96             :     krb5_kt_cursor cursor;
      97             :     krb5_keytab_entry entry;
      98             :     krb5_error_code ret;
      99             :     char *principal;
     100             : 
     101             :     if (krb5_init_context (&context) != 0)
     102             :         errx(1, "krb5_context");
     103             : 
     104             :     ret = krb5_kt_default (context, &keytab);
     105             :     if (ret)
     106             :         krb5_err(context, 1, ret, "krb5_kt_default");
     107             : 
     108             :     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     109             :     if (ret)
     110             :         krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
     111             :     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
     112             :         krb5_unparse_name(context, entry.principal, &principal);
     113             :         printf("principal: %s\n", principal);
     114             :         free(principal);
     115             :         krb5_kt_free_entry(context, &entry);
     116             :     }
     117             :     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
     118             :     if (ret)
     119             :         krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
     120             :     ret = krb5_kt_close(context, keytab);
     121             :     if (ret)
     122             :         krb5_err(context, 1, ret, "krb5_kt_close");
     123             :     krb5_free_context(context);
     124             :     return 0;
     125             : }
     126             :  * @endcode
     127             :  *
     128             :  */
     129             : 
     130             : 
     131             : /**
     132             :  * Register a new keytab backend.
     133             :  *
     134             :  * @param context a Keberos context.
     135             :  * @param ops a backend to register.
     136             :  *
     137             :  * @return Return an error code or 0, see krb5_get_error_message().
     138             :  *
     139             :  * @ingroup krb5_keytab
     140             :  */
     141             : 
     142             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     143     3334967 : krb5_kt_register(krb5_context context,
     144             :                  const krb5_kt_ops *ops)
     145             : {
     146             :     struct krb5_keytab_data *tmp;
     147             : 
     148     3334967 :     if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
     149           0 :         krb5_set_error_message(context, KRB5_KT_BADNAME,
     150           0 :                                N_("can't register cache type, prefix too long", ""));
     151           0 :         return KRB5_KT_BADNAME;
     152             :     }
     153             : 
     154     3334967 :     tmp = realloc(context->kt_types,
     155     3334967 :                   (context->num_kt_types + 1) * sizeof(*context->kt_types));
     156     3334967 :     if(tmp == NULL)
     157           0 :         return krb5_enomem(context);
     158     3334967 :     memcpy(&tmp[context->num_kt_types], ops,
     159             :            sizeof(tmp[context->num_kt_types]));
     160     3334967 :     context->kt_types = tmp;
     161     3334967 :     context->num_kt_types++;
     162     3334967 :     return 0;
     163             : }
     164             : 
     165             : static const char *
     166      180445 : keytab_name(const char *name, const char **type, size_t *type_len)
     167             : {
     168             :     const char *residual;
     169             : 
     170      180445 :     residual = strchr(name, ':');
     171             : 
     172      360883 :     if (residual == NULL ||
     173      180438 :         ISPATHSEP(name[0])
     174             : #ifdef _WIN32
     175             :         /* Avoid treating <drive>:<path> as a keytab type
     176             :          * specification */
     177             :         || name + 1 == residual
     178             : #endif
     179             :         ) {
     180             : 
     181           7 :         *type = "FILE";
     182           7 :         *type_len = strlen(*type);
     183           7 :         residual = name;
     184             :     } else {
     185      180438 :         *type = name;
     186      180438 :         *type_len = residual - name;
     187      180438 :         residual++;
     188             :     }
     189             : 
     190      180445 :     return residual;
     191             : }
     192             : 
     193             : /**
     194             :  * Resolve the keytab name (of the form `type:residual') in `name'
     195             :  * into a keytab in `id'.
     196             :  *
     197             :  * @param context a Keberos context.
     198             :  * @param name name to resolve
     199             :  * @param id resulting keytab, free with krb5_kt_close().
     200             :  *
     201             :  * @return Return an error code or 0, see krb5_get_error_message().
     202             :  *
     203             :  * @ingroup krb5_keytab
     204             :  */
     205             : 
     206             : 
     207             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     208      180445 : krb5_kt_resolve(krb5_context context,
     209             :                 const char *name,
     210             :                 krb5_keytab *id)
     211             : {
     212             :     krb5_keytab k;
     213             :     int i;
     214             :     const char *type, *residual;
     215             :     size_t type_len;
     216             :     krb5_error_code ret;
     217             : 
     218      180445 :     residual = keytab_name(name, &type, &type_len);
     219             : 
     220      194218 :     for(i = 0; i < context->num_kt_types; i++) {
     221      194218 :         if(strncasecmp(type, context->kt_types[i].prefix, type_len) == 0)
     222      180445 :             break;
     223             :     }
     224      180445 :     if(i == context->num_kt_types) {
     225           0 :         krb5_set_error_message(context, KRB5_KT_UNKNOWN_TYPE,
     226           0 :                                N_("unknown keytab type %.*s", "type"),
     227             :                                (int)type_len, type);
     228           0 :         return KRB5_KT_UNKNOWN_TYPE;
     229             :     }
     230             : 
     231      180445 :     k = malloc (sizeof(*k));
     232      180445 :     if (k == NULL)
     233           0 :         return krb5_enomem(context);
     234      180445 :     memcpy(k, &context->kt_types[i], sizeof(*k));
     235      180445 :     k->data = NULL;
     236      180445 :     ret = (*k->resolve)(context, residual, k);
     237      180445 :     if(ret) {
     238           0 :         free(k);
     239           0 :         k = NULL;
     240             :     }
     241      180445 :     *id = k;
     242      180445 :     return ret;
     243             : }
     244             : 
     245             : /*
     246             :  * Default ktname from context with possible environment
     247             :  * override
     248             :  */
     249           0 : static const char *default_ktname(krb5_context context)
     250             : {
     251           0 :     const char *tmp = NULL;
     252             : 
     253           0 :     tmp = secure_getenv("KRB5_KTNAME");
     254           0 :     if(tmp != NULL)
     255           0 :         return tmp;
     256           0 :     return context->default_keytab;
     257             : }
     258             : 
     259             : /**
     260             :  * copy the name of the default keytab into `name'.
     261             :  *
     262             :  * @param context a Keberos context.
     263             :  * @param name buffer where the name will be written
     264             :  * @param namesize length of name
     265             :  *
     266             :  * @return Return an error code or 0, see krb5_get_error_message().
     267             :  *
     268             :  * @ingroup krb5_keytab
     269             :  */
     270             : 
     271             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     272           0 : krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
     273             : {
     274           0 :     if (strlcpy (name, default_ktname(context), namesize) >= namesize) {
     275           0 :         krb5_clear_error_message (context);
     276           0 :         return KRB5_CONFIG_NOTENUFSPACE;
     277             :     }
     278           0 :     return 0;
     279             : }
     280             : 
     281             : /**
     282             :  * Copy the name of the default modify keytab into `name'.
     283             :  *
     284             :  * @param context a Keberos context.
     285             :  * @param name buffer where the name will be written
     286             :  * @param namesize length of name
     287             :  *
     288             :  * @return Return an error code or 0, see krb5_get_error_message().
     289             :  *
     290             :  * @ingroup krb5_keytab
     291             :  */
     292             : 
     293             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     294           0 : krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
     295             : {
     296             :     const char *kt;
     297             : 
     298           0 :     if(context->default_keytab_modify == NULL) {
     299           0 :         kt = default_ktname(context);
     300             : 
     301           0 :         if (strncasecmp(kt, "ANY:", 4) == 0) {
     302           0 :             size_t len = strcspn(kt + 4, ",");
     303           0 :             if (len >= namesize) {
     304           0 :                 krb5_clear_error_message(context);
     305           0 :                 return KRB5_CONFIG_NOTENUFSPACE;
     306             :             }
     307           0 :             strlcpy(name, kt + 4, namesize);
     308           0 :             name[len] = '\0';
     309           0 :             return 0;
     310             :         }
     311             :     } else
     312           0 :         kt = context->default_keytab_modify;
     313           0 :     if (strlcpy (name, kt, namesize) >= namesize) {
     314           0 :         krb5_clear_error_message (context);
     315           0 :         return KRB5_CONFIG_NOTENUFSPACE;
     316             :     }
     317           0 :     return 0;
     318             : }
     319             : 
     320             : /**
     321             :  * Set `id' to the default keytab.
     322             :  *
     323             :  * @param context a Keberos context.
     324             :  * @param id the new default keytab.
     325             :  *
     326             :  * @return Return an error code or 0, see krb5_get_error_message().
     327             :  *
     328             :  * @ingroup krb5_keytab
     329             :  */
     330             : 
     331             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     332           0 : krb5_kt_default(krb5_context context, krb5_keytab *id)
     333             : {
     334           0 :     return krb5_kt_resolve (context, default_ktname(context), id);
     335             : }
     336             : 
     337             : /**
     338             :  * Read the key identified by `(principal, vno, enctype)' from the
     339             :  * keytab in `keyprocarg' (the default if == NULL) into `*key'.
     340             :  *
     341             :  * @param context a Keberos context.
     342             :  * @param keyprocarg
     343             :  * @param principal
     344             :  * @param vno
     345             :  * @param enctype
     346             :  * @param key
     347             :  *
     348             :  * @return Return an error code or 0, see krb5_get_error_message().
     349             :  *
     350             :  * @ingroup krb5_keytab
     351             :  */
     352             : 
     353             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     354           0 : krb5_kt_read_service_key(krb5_context context,
     355             :                          krb5_pointer keyprocarg,
     356             :                          krb5_principal principal,
     357             :                          krb5_kvno vno,
     358             :                          krb5_enctype enctype,
     359             :                          krb5_keyblock **key)
     360             : {
     361           0 :     krb5_keytab keytab = NULL; /* Quiet lint */
     362             :     krb5_keytab_entry entry;
     363             :     krb5_error_code ret;
     364             : 
     365           0 :     memset(&entry, 0, sizeof(entry));
     366           0 :     if (keyprocarg)
     367           0 :         ret = krb5_kt_resolve (context, keyprocarg, &keytab);
     368             :     else
     369           0 :         ret = krb5_kt_default (context, &keytab);
     370             : 
     371           0 :     if (ret)
     372           0 :         return ret;
     373             : 
     374           0 :     ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
     375           0 :     if (ret == 0) {
     376           0 :         ret = krb5_copy_keyblock (context, &entry.keyblock, key);
     377           0 :         krb5_kt_free_entry(context, &entry);
     378             :     }
     379           0 :     krb5_kt_close (context, keytab);
     380           0 :     return ret;
     381             : }
     382             : 
     383             : /**
     384             :  * Return the type of the `keytab' in the string `prefix of length
     385             :  * `prefixsize'.
     386             :  *
     387             :  * @param context a Keberos context.
     388             :  * @param keytab the keytab to get the prefix for
     389             :  * @param prefix prefix buffer
     390             :  * @param prefixsize length of prefix buffer
     391             :  *
     392             :  * @return Return an error code or 0, see krb5_get_error_message().
     393             :  *
     394             :  * @ingroup krb5_keytab
     395             :  */
     396             : 
     397             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     398      101193 : krb5_kt_get_type(krb5_context context,
     399             :                  krb5_keytab keytab,
     400             :                  char *prefix,
     401             :                  size_t prefixsize)
     402             : {
     403      101193 :     strlcpy(prefix, keytab->prefix, prefixsize);
     404      101193 :     return 0;
     405             : }
     406             : 
     407             : /**
     408             :  * Retrieve the name of the keytab `keytab' into `name', `namesize'
     409             :  *
     410             :  * @param context a Keberos context.
     411             :  * @param keytab the keytab to get the name for.
     412             :  * @param name name buffer.
     413             :  * @param namesize size of name buffer.
     414             :  *
     415             :  * @return Return an error code or 0, see krb5_get_error_message().
     416             :  *
     417             :  * @ingroup krb5_keytab
     418             :  */
     419             : 
     420             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     421      101193 : krb5_kt_get_name(krb5_context context,
     422             :                  krb5_keytab keytab,
     423             :                  char *name,
     424             :                  size_t namesize)
     425             : {
     426      101193 :     return (*keytab->get_name)(context, keytab, name, namesize);
     427             : }
     428             : 
     429             : /**
     430             :  * Retrieve the full name of the keytab `keytab' and store the name in
     431             :  * `str'.
     432             :  *
     433             :  * @param context a Keberos context.
     434             :  * @param keytab keytab to get name for.
     435             :  * @param str the name of the keytab name, usee krb5_xfree() to free
     436             :  *        the string.  On error, *str is set to NULL.
     437             :  *
     438             :  * @return Return an error code or 0, see krb5_get_error_message().
     439             :  *
     440             :  * @ingroup krb5_keytab
     441             :  */
     442             : 
     443             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     444      101193 : krb5_kt_get_full_name(krb5_context context,
     445             :                       krb5_keytab keytab,
     446             :                       char **str)
     447             : {
     448             :     char type[KRB5_KT_PREFIX_MAX_LEN];
     449             :     char name[MAXPATHLEN];
     450             :     krb5_error_code ret;
     451             : 
     452      101193 :     *str = NULL;
     453             : 
     454      101193 :     ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
     455      101193 :     if (ret)
     456           0 :         return ret;
     457             : 
     458      101193 :     ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
     459      101193 :     if (ret)
     460           0 :         return ret;
     461             : 
     462      101193 :     if (asprintf(str, "%s:%s", type, name) == -1) {
     463           0 :         *str = NULL;
     464           0 :         return krb5_enomem(context);
     465             :     }
     466             : 
     467      101193 :     return 0;
     468             : }
     469             : 
     470             : /**
     471             :  * Finish using the keytab in `id'.  All resources will be released,
     472             :  * even on errors.
     473             :  *
     474             :  * @param context a Keberos context.
     475             :  * @param id keytab to close.
     476             :  *
     477             :  * @return Return an error code or 0, see krb5_get_error_message().
     478             :  *
     479             :  * @ingroup krb5_keytab
     480             :  */
     481             : 
     482             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     483      180404 : krb5_kt_close(krb5_context context,
     484             :               krb5_keytab id)
     485             : {
     486      180404 :     krb5_error_code ret = 0;
     487             : 
     488      180404 :     if (id) {
     489      180390 :         ret = (id->close)(context, id);
     490      180390 :         memset(id, 0, sizeof(*id));
     491      180390 :         free(id);
     492             :     }
     493      180404 :     return ret;
     494             : }
     495             : 
     496             : /**
     497             :  * Destroy (remove) the keytab in `id'.  All resources will be released,
     498             :  * even on errors, does the equvalment of krb5_kt_close() on the resources.
     499             :  *
     500             :  * @param context a Keberos context.
     501             :  * @param id keytab to destroy.
     502             :  *
     503             :  * @return Return an error code or 0, see krb5_get_error_message().
     504             :  *
     505             :  * @ingroup krb5_keytab
     506             :  */
     507             : 
     508             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     509           0 : krb5_kt_destroy(krb5_context context,
     510             :                 krb5_keytab id)
     511             : {
     512             :     krb5_error_code ret;
     513             : 
     514           0 :     ret = (*id->destroy)(context, id);
     515           0 :     krb5_kt_close(context, id);
     516           0 :     return ret;
     517             : }
     518             : 
     519             : /*
     520             :  * Match any aliases in keytab `entry' with `principal'.
     521             :  */
     522             : 
     523             : static krb5_boolean
     524      111408 : compare_aliases(krb5_context context,
     525             :                  krb5_keytab_entry *entry,
     526             :                  krb5_const_principal principal)
     527             : {
     528             :     unsigned int i;
     529      111408 :     if (entry->aliases == NULL)
     530      111408 :         return FALSE;
     531           0 :     for (i = 0; i < entry->aliases->len; i++)
     532           0 :         if (krb5_principal_compare(context, &entry->aliases->val[i], principal))
     533           0 :             return TRUE;
     534           0 :     return FALSE;
     535             : }
     536             : 
     537             : /**
     538             :  * Compare `entry' against `principal, vno, enctype'.
     539             :  * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
     540             :  * Return TRUE if they compare the same, FALSE otherwise.
     541             :  *
     542             :  * @param context a Keberos context.
     543             :  * @param entry an entry to match with.
     544             :  * @param principal principal to match, NULL matches all principals.
     545             :  * @param vno key version to match, 0 matches all key version numbers.
     546             :  * @param enctype encryption type to match, 0 matches all encryption types.
     547             :  *
     548             :  * @return Return TRUE or match, FALSE if not matched.
     549             :  *
     550             :  * @ingroup krb5_keytab
     551             :  */
     552             : 
     553             : KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
     554      165623 : krb5_kt_compare(krb5_context context,
     555             :                 krb5_keytab_entry *entry,
     556             :                 krb5_const_principal principal,
     557             :                 krb5_kvno vno,
     558             :                 krb5_enctype enctype)
     559             : {
     560             :     /* krb5_principal_compare() does not special-case the referral realm */
     561      165623 :     if (principal != NULL && strcmp(principal->realm, "") == 0 &&
     562           0 :         !(krb5_principal_compare_any_realm(context, entry->principal, principal) ||
     563           0 :           compare_aliases(context, entry, principal))) {
     564           0 :         return FALSE;
     565      331246 :     } else if (principal != NULL && strcmp(principal->realm, "") != 0 &&
     566      277031 :         !(krb5_principal_compare(context, entry->principal, principal) ||
     567      111408 :           compare_aliases(context, entry, principal))) {
     568      111408 :         return FALSE;
     569             :     }
     570       54215 :     if (vno && vno != entry->vno)
     571         315 :         return FALSE;
     572       53900 :     if (enctype && enctype != entry->keyblock.keytype)
     573        7368 :         return FALSE;
     574       46532 :     return TRUE;
     575             : }
     576             : 
     577             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     578         775 : _krb5_kt_principal_not_found(krb5_context context,
     579             :                              krb5_error_code ret,
     580             :                              krb5_keytab id,
     581             :                              krb5_const_principal principal,
     582             :                              krb5_enctype enctype,
     583             :                              int kvno)
     584             : {
     585             :     char kvno_str[25];
     586         775 :     char *enctype_str = NULL;
     587         775 :     char *kt_name = NULL;
     588         775 :     char *princ = NULL;
     589             : 
     590         775 :     (void) krb5_unparse_name(context, principal, &princ);
     591         775 :     (void) krb5_kt_get_full_name(context, id, &kt_name);
     592         775 :     if (enctype)
     593         775 :         (void) krb5_enctype_to_string(context, enctype, &enctype_str);
     594             : 
     595         775 :     if (kvno)
     596         775 :         snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
     597             :     else
     598           0 :         kvno_str[0] = '\0';
     599             : 
     600        3100 :     krb5_set_error_message(context, ret,
     601         775 :                            N_("Failed to find %s%s in keytab %s (%s)",
     602             :                               "principal, kvno, keytab file, enctype"),
     603         775 :                            princ ? princ : "<unknown>",
     604             :                            kvno_str,
     605         775 :                            kt_name ? kt_name : "unknown keytab",
     606         775 :                            enctype_str ? enctype_str : "unknown enctype");
     607         775 :     free(princ);
     608         775 :     free(kt_name);
     609         775 :     free(enctype_str);
     610         775 :     return ret;
     611             : }
     612             : 
     613             : static krb5_error_code
     614       45694 : krb5_kt_get_entry_wrapped(krb5_context context,
     615             :                           krb5_keytab id,
     616             :                           krb5_const_principal principal,
     617             :                           krb5_kvno kvno,
     618             :                           krb5_enctype enctype,
     619             :                           krb5_keytab_entry *entry)
     620             : {
     621             :     krb5_keytab_entry tmp;
     622             :     krb5_error_code ret;
     623             :     krb5_kt_cursor cursor;
     624             : 
     625       45694 :     if(id->get)
     626          32 :         return (*id->get)(context, id, principal, kvno, enctype, entry);
     627             : 
     628       45662 :     memset(&tmp, 0, sizeof(tmp));
     629       45662 :     ret = krb5_kt_start_seq_get (context, id, &cursor);
     630       45662 :     if (ret) {
     631             :         /* This is needed for krb5_verify_init_creds, but keep error
     632             :          * string from previous error for the human. */
     633           0 :         context->error_code = KRB5_KT_NOTFOUND;
     634           0 :         return KRB5_KT_NOTFOUND;
     635             :     }
     636             : 
     637       45662 :     entry->vno = 0;
     638      205533 :     while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
     639      159082 :         if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
     640             :             /* the file keytab might only store the lower 8 bits of
     641             :                the kvno, so only compare those bits */
     642       44991 :             if (kvno == tmp.vno
     643         118 :                 || (tmp.vno < 256 && kvno % 256 == tmp.vno)) {
     644       44873 :                 krb5_kt_copy_entry_contents (context, &tmp, entry);
     645       44873 :                 krb5_kt_free_entry (context, &tmp);
     646       44873 :                 krb5_kt_end_seq_get(context, id, &cursor);
     647       44873 :                 return 0;
     648         118 :             } else if (kvno == 0 && tmp.vno > entry->vno) {
     649          14 :                 if (entry->vno)
     650           0 :                     krb5_kt_free_entry (context, entry);
     651          14 :                 krb5_kt_copy_entry_contents (context, &tmp, entry);
     652             :             }
     653             :         }
     654      114209 :         krb5_kt_free_entry(context, &tmp);
     655             :     }
     656         789 :     krb5_kt_end_seq_get (context, id, &cursor);
     657         789 :     if (entry->vno == 0)
     658         775 :         return _krb5_kt_principal_not_found(context, KRB5_KT_NOTFOUND,
     659             :                                             id, principal, enctype, kvno);
     660          14 :     return 0;
     661             : }
     662             : 
     663             : /**
     664             :  * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
     665             :  * from the keytab `id'. Matching is done like krb5_kt_compare().
     666             :  *
     667             :  * @param context a Keberos context.
     668             :  * @param id a keytab.
     669             :  * @param principal principal to match, NULL matches all principals.
     670             :  * @param kvno key version to match, 0 matches all key version numbers.
     671             :  * @param enctype encryption type to match, 0 matches all encryption types.
     672             :  * @param entry the returned entry, free with krb5_kt_free_entry().
     673             :  *
     674             :  * @return Return an error code or 0, see krb5_get_error_message().
     675             :  *
     676             :  * @ingroup krb5_keytab
     677             :  */
     678             : 
     679             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     680       45694 : krb5_kt_get_entry(krb5_context context,
     681             :                   krb5_keytab id,
     682             :                   krb5_const_principal principal,
     683             :                   krb5_kvno kvno,
     684             :                   krb5_enctype enctype,
     685             :                   krb5_keytab_entry *entry)
     686             : {
     687             :     krb5_error_code ret;
     688             :     krb5_const_principal try_princ;
     689             :     krb5_name_canon_iterator name_canon_iter;
     690             : 
     691       45694 :     if (!principal)
     692             :         /* Use `NULL' instead of `principal' to quiet static analizers */
     693           0 :         return krb5_kt_get_entry_wrapped(context, id, NULL, kvno, enctype,
     694             :                                          entry);
     695             : 
     696       45694 :     ret = krb5_name_canon_iterator_start(context, principal, &name_canon_iter);
     697       45694 :     if (ret)
     698           0 :         return ret;
     699             : 
     700             :     do {
     701       46469 :         ret = krb5_name_canon_iterate(context, &name_canon_iter, &try_princ,
     702             :                                       NULL);
     703       46469 :         if (ret)
     704           0 :             break;
     705       46469 :         if (try_princ == NULL) {
     706         775 :             ret = KRB5_KT_NOTFOUND;
     707         775 :             continue;
     708             :         }
     709       45694 :         ret = krb5_kt_get_entry_wrapped(context, id, try_princ, kvno,
     710             :                                         enctype, entry);
     711       46469 :     } while (ret == KRB5_KT_NOTFOUND && name_canon_iter);
     712             : 
     713       45694 :     if (ret && ret != KRB5_KT_NOTFOUND)
     714           0 :         krb5_set_error_message(context, ret,
     715           0 :                                N_("Name canon failed while searching keytab",
     716             :                                   ""));
     717       45694 :     krb5_free_name_canon_iterator(context, name_canon_iter);
     718       45694 :     return ret;
     719             : }
     720             : 
     721             : /**
     722             :  * Copy the contents of `in' into `out'.
     723             :  *
     724             :  * @param context a Keberos context.
     725             :  * @param in the keytab entry to copy.
     726             :  * @param out the copy of the keytab entry, free with krb5_kt_free_entry().
     727             :  *
     728             :  * @return Return an error code or 0, see krb5_get_error_message().
     729             :  *
     730             :  * @ingroup krb5_keytab
     731             :  */
     732             : 
     733             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     734       61512 : krb5_kt_copy_entry_contents(krb5_context context,
     735             :                             const krb5_keytab_entry *in,
     736             :                             krb5_keytab_entry *out)
     737             : {
     738             :     krb5_error_code ret;
     739             : 
     740       61512 :     memset(out, 0, sizeof(*out));
     741             : 
     742       61512 :     ret = krb5_copy_principal (context, in->principal, &out->principal);
     743       61512 :     if (ret)
     744           0 :         return ret;
     745       61512 :     ret = krb5_copy_keyblock_contents (context,
     746             :                                        &in->keyblock,
     747             :                                        &out->keyblock);
     748       61512 :     if (ret) {
     749           0 :         krb5_free_principal(context, out->principal);
     750           0 :         memset(out, 0, sizeof(*out));
     751           0 :         return ret;
     752             :     }
     753       61512 :     out->vno = in->vno;
     754       61512 :     out->timestamp = in->timestamp;
     755       61512 :     return 0;
     756             : }
     757             : 
     758             : /**
     759             :  * Free the contents of `entry'.
     760             :  *
     761             :  * @param context a Keberos context.
     762             :  * @param entry the entry to free
     763             :  *
     764             :  * @return Return an error code or 0, see krb5_get_error_message().
     765             :  *
     766             :  * @ingroup krb5_keytab
     767             :  */
     768             : 
     769             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     770      222333 : krb5_kt_free_entry(krb5_context context,
     771             :                    krb5_keytab_entry *entry)
     772             : {
     773      222333 :     krb5_free_principal (context, entry->principal);
     774      222333 :     krb5_free_keyblock_contents (context, &entry->keyblock);
     775      222333 :     memset(entry, 0, sizeof(*entry));
     776      222333 :     return 0;
     777             : }
     778             : 
     779             : /**
     780             :  * Set `cursor' to point at the beginning of `id'.
     781             :  *
     782             :  * @param context a Keberos context.
     783             :  * @param id a keytab.
     784             :  * @param cursor a newly allocated cursor, free with krb5_kt_end_seq_get().
     785             :  *
     786             :  * @return Return an error code or 0, see krb5_get_error_message().
     787             :  *
     788             :  * @ingroup krb5_keytab
     789             :  */
     790             : 
     791             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     792       48943 : krb5_kt_start_seq_get(krb5_context context,
     793             :                       krb5_keytab id,
     794             :                       krb5_kt_cursor *cursor)
     795             : {
     796       48943 :     if(id->start_seq_get == NULL) {
     797           0 :         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
     798           0 :                                N_("start_seq_get is not supported "
     799             :                                   "in the %s keytab type", ""),
     800             :                                id->prefix);
     801           0 :         return HEIM_ERR_OPNOTSUPP;
     802             :     }
     803       48943 :     return (*id->start_seq_get)(context, id, cursor);
     804             : }
     805             : 
     806             : /**
     807             :  * Get the next entry from keytab, advance the cursor.  On last entry
     808             :  * the function will return KRB5_KT_END.
     809             :  *
     810             :  * @param context a Keberos context.
     811             :  * @param id a keytab.
     812             :  * @param entry the returned entry, free with krb5_kt_free_entry().
     813             :  * @param cursor the cursor of the iteration.
     814             :  *
     815             :  * @return Return an error code or 0, see krb5_get_error_message().
     816             :  *
     817             :  * @ingroup krb5_keytab
     818             :  */
     819             : 
     820             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     821      166772 : krb5_kt_next_entry(krb5_context context,
     822             :                    krb5_keytab id,
     823             :                    krb5_keytab_entry *entry,
     824             :                    krb5_kt_cursor *cursor)
     825             : {
     826      166772 :     if(id->next_entry == NULL) {
     827           0 :         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
     828           0 :                                N_("next_entry is not supported in the %s "
     829             :                                   " keytab", ""),
     830             :                                id->prefix);
     831           0 :         return HEIM_ERR_OPNOTSUPP;
     832             :     }
     833      166772 :     memset(entry, 0x0, sizeof(*entry));
     834      166772 :     return (*id->next_entry)(context, id, entry, cursor);
     835             : }
     836             : 
     837             : /**
     838             :  * Release all resources associated with `cursor'.
     839             :  *
     840             :  * @param context a Keberos context.
     841             :  * @param id a keytab.
     842             :  * @param cursor the cursor to free.
     843             :  *
     844             :  * @return Return an error code or 0, see krb5_get_error_message().
     845             :  *
     846             :  * @ingroup krb5_keytab
     847             :  */
     848             : 
     849             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     850       49051 : krb5_kt_end_seq_get(krb5_context context,
     851             :                     krb5_keytab id,
     852             :                     krb5_kt_cursor *cursor)
     853             : {
     854       49051 :     if(id->end_seq_get == NULL) {
     855           0 :         krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
     856             :                                "end_seq_get is not supported in the %s "
     857             :                                " keytab", id->prefix);
     858           0 :         return HEIM_ERR_OPNOTSUPP;
     859             :     }
     860       49051 :     return (*id->end_seq_get)(context, id, cursor);
     861             : }
     862             : 
     863             : /**
     864             :  * Add the entry in `entry' to the keytab `id'.
     865             :  *
     866             :  * @param context a Keberos context.
     867             :  * @param id a keytab.
     868             :  * @param entry the entry to add
     869             :  *
     870             :  * @return Return an error code or 0, see krb5_get_error_message().
     871             :  *
     872             :  * @ingroup krb5_keytab
     873             :  */
     874             : 
     875             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     876       12607 : krb5_kt_add_entry(krb5_context context,
     877             :                   krb5_keytab id,
     878             :                   krb5_keytab_entry *entry)
     879             : {
     880       12607 :     if(id->add == NULL) {
     881           0 :         krb5_set_error_message(context, KRB5_KT_NOWRITE,
     882           0 :                                N_("Add is not supported in the %s keytab", ""),
     883             :                                id->prefix);
     884           0 :         return KRB5_KT_NOWRITE;
     885             :     }
     886       12607 :     entry->timestamp = time(NULL);
     887       12607 :     return (*id->add)(context, id,entry);
     888             : }
     889             : 
     890             : /**
     891             :  * Remove an entry from the keytab, matching is done using
     892             :  * krb5_kt_compare().
     893             : 
     894             :  * @param context a Keberos context.
     895             :  * @param id a keytab.
     896             :  * @param entry the entry to remove
     897             :  *
     898             :  * @return Return an error code or 0, see krb5_get_error_message().
     899             :  *
     900             :  * @ingroup krb5_keytab
     901             :  */
     902             : 
     903             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     904         236 : krb5_kt_remove_entry(krb5_context context,
     905             :                      krb5_keytab id,
     906             :                      krb5_keytab_entry *entry)
     907             : {
     908         236 :     if(id->remove == NULL) {
     909           0 :         krb5_set_error_message(context, KRB5_KT_NOWRITE,
     910           0 :                                N_("Remove is not supported in the %s keytab", ""),
     911             :                                id->prefix);
     912           0 :         return KRB5_KT_NOWRITE;
     913             :     }
     914         236 :     return (*id->remove)(context, id, entry);
     915             : }
     916             : 
     917             : /**
     918             :  * Return true if the keytab exists and have entries
     919             :  *
     920             :  * @param context a Keberos context.
     921             :  * @param id a keytab.
     922             :  *
     923             :  * @return Return an error code or 0, see krb5_get_error_message().
     924             :  *
     925             :  * @ingroup krb5_keytab
     926             :  */
     927             : 
     928             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     929           0 : krb5_kt_have_content(krb5_context context,
     930             :                      krb5_keytab id)
     931             : {
     932             :     krb5_keytab_entry entry;
     933             :     krb5_kt_cursor cursor;
     934             :     krb5_error_code ret;
     935             :     char *name;
     936             : 
     937           0 :     memset(&entry, 0, sizeof(entry));
     938           0 :     ret = krb5_kt_start_seq_get(context, id, &cursor);
     939           0 :     if (ret)
     940           0 :         goto notfound;
     941             : 
     942           0 :     ret = krb5_kt_next_entry(context, id, &entry, &cursor);
     943           0 :     krb5_kt_end_seq_get(context, id, &cursor);
     944           0 :     if (ret)
     945           0 :         goto notfound;
     946             : 
     947           0 :     krb5_kt_free_entry(context, &entry);
     948             : 
     949           0 :     return 0;
     950             : 
     951           0 :  notfound:
     952           0 :     ret = krb5_kt_get_full_name(context, id, &name);
     953           0 :     if (ret == 0) {
     954           0 :         krb5_set_error_message(context, KRB5_KT_NOTFOUND,
     955           0 :                                N_("No entry in keytab: %s", ""), name);
     956           0 :         free(name);
     957             :     }
     958           0 :     return KRB5_KT_NOTFOUND;
     959             : }
     960             : 
     961             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     962           0 : _krb5_kt_client_default_name(krb5_context context, char **name)
     963             : {
     964             :     const char *tmp;
     965             : 
     966           0 :     tmp = secure_getenv("KRB5_CLIENT_KTNAME");
     967           0 :     if (tmp == NULL)
     968           0 :         tmp =  krb5_config_get_string(context, NULL,
     969             :                                       "libdefaults",
     970             :                                       "default_client_keytab_name", NULL);
     971           0 :     if (tmp == NULL)
     972           0 :         tmp = CLIENT_KEYTAB_DEFAULT;
     973             : 
     974           0 :     return _krb5_expand_path_tokens(context, tmp, 1, name);
     975             : }

Generated by: LCOV version 1.13