Fix incompatible assignment warning
[kai/samba-autobuild/.git] / source4 / auth / kerberos / srv_keytab.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Kerberos utility functions
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include "auth/kerberos/kerberos_srv_keytab.h"
28
29 static void keytab_principals_free(krb5_context context, krb5_principal *set)
30 {
31         int i;
32         for (i = 0; set[i] != NULL; i++) {
33                 krb5_free_principal(context, set[i]);
34         }
35 }
36
37 static krb5_error_code principals_from_list(TALLOC_CTX *parent_ctx,
38                                         const char *samAccountName,
39                                         const char *realm,
40                                         const char **SPNs, int num_SPNs,
41                                         krb5_context context,
42                                         krb5_principal **principals_out,
43                                         const char **error_string)
44 {
45         unsigned int i;
46         krb5_error_code ret;
47         char *upper_realm;
48         TALLOC_CTX *tmp_ctx;
49         krb5_principal *principals = NULL;
50         tmp_ctx = talloc_new(parent_ctx);
51         if (!tmp_ctx) {
52                 *error_string = "Cannot allocate tmp_ctx";
53                 return ENOMEM;
54         }
55
56         if (!realm) {
57                 *error_string = "Cannot make principal without a realm";
58                 ret = EINVAL;
59                 goto done;
60         }
61
62         upper_realm = strupper_talloc(tmp_ctx, realm);
63         if (!upper_realm) {
64                 *error_string = "Cannot allocate full upper case realm";
65                 ret = ENOMEM;
66                 goto done;
67         }
68
69         principals = talloc_zero_array(tmp_ctx, krb5_principal,
70                                         num_SPNs ? (num_SPNs + 2) : 2);
71
72         for (i = 0; num_SPNs && i < num_SPNs; i++) {
73                 ret = krb5_parse_name(context, SPNs[i], &principals[i]);
74
75                 if (ret) {
76                         *error_string = smb_get_krb5_error_message(context, ret,
77                                                                    parent_ctx);
78                         goto done;
79                 }
80         }
81
82         if (samAccountName) {
83                 ret = krb5_make_principal(context, &principals[i],
84                                           upper_realm, samAccountName,
85                                           NULL);
86                 if (ret) {
87                         *error_string = smb_get_krb5_error_message(context, ret,
88                                                                    parent_ctx);
89                         goto done;
90                 }
91         }
92
93 done:
94         if (ret) {
95                 keytab_principals_free(context, principals);
96         } else {
97                 *principals_out = talloc_steal(parent_ctx, principals);
98         }
99         talloc_free(tmp_ctx);
100         return ret;
101 }
102
103 static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
104                                 const char *samAccountName,
105                                 const char *realm,
106                                 const char *saltPrincipal,
107                                 krb5_context context,
108                                 krb5_principal *salt_princ,
109                                 const char **error_string)
110 {
111
112         krb5_error_code ret;
113         char *machine_username;
114         char *salt_body;
115         char *lower_realm;
116         char *upper_realm;
117
118         TALLOC_CTX *tmp_ctx;
119
120         if (saltPrincipal) {
121                 ret = krb5_parse_name(context, saltPrincipal, salt_princ);
122                 if (ret) {
123                         *error_string = smb_get_krb5_error_message(
124                                                 context, ret, parent_ctx);
125                 }
126                 return ret;
127         }
128
129         if (!samAccountName) {
130                 (*error_string) = "Cannot determine salt principal, no "
131                                 "saltPrincipal or samAccountName specified";
132                 return EINVAL;
133         }
134
135         if (!realm) {
136                 *error_string = "Cannot make principal without a realm";
137                 return EINVAL;
138         }
139
140         tmp_ctx = talloc_new(parent_ctx);
141         if (!tmp_ctx) {
142                 *error_string = "Cannot allocate tmp_ctx";
143                 return ENOMEM;
144         }
145
146         machine_username = talloc_strdup(tmp_ctx, samAccountName);
147         if (!machine_username) {
148                 *error_string = "Cannot duplicate samAccountName";
149                 talloc_free(tmp_ctx);
150                 return ENOMEM;
151         }
152
153         if (machine_username[strlen(machine_username)-1] == '$') {
154                 machine_username[strlen(machine_username)-1] = '\0';
155         }
156
157         lower_realm = strlower_talloc(tmp_ctx, realm);
158         if (!lower_realm) {
159                 *error_string = "Cannot allocate to lower case realm";
160                 talloc_free(tmp_ctx);
161                 return ENOMEM;
162         }
163
164         upper_realm = strupper_talloc(tmp_ctx, realm);
165         if (!upper_realm) {
166                 *error_string = "Cannot allocate to upper case realm";
167                 talloc_free(tmp_ctx);
168                 return ENOMEM;
169         }
170
171         salt_body = talloc_asprintf(tmp_ctx, "%s.%s",
172                                     machine_username, lower_realm);
173         if (!salt_body) {
174                 *error_string = "Cannot form salt principal body";
175                 talloc_free(tmp_ctx);
176                 return ENOMEM;
177         }
178
179         ret = krb5_make_principal(context, salt_princ, upper_realm,
180                                                 "host", salt_body, NULL);
181         if (ret) {
182                 *error_string = smb_get_krb5_error_message(context,
183                                                            ret, parent_ctx);
184         }
185
186         talloc_free(tmp_ctx);
187         return ret;
188 }
189
190 /* Translate between the Microsoft msDS-SupportedEncryptionTypes values
191  * and the IETF encryption type values */
192 static krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap)
193 {
194         switch (enctype_bitmap) {
195         case ENC_CRC32:
196                 return ENCTYPE_DES_CBC_CRC;
197         case ENC_RSA_MD5:
198                 return ENCTYPE_DES_CBC_MD5;
199         case ENC_RC4_HMAC_MD5:
200                 return ENCTYPE_ARCFOUR_HMAC_MD5;
201         case ENC_HMAC_SHA1_96_AES128:
202                 return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
203         case ENC_HMAC_SHA1_96_AES256:
204                 return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
205         default:
206                 return 0;
207         }
208 }
209
210 /* Return an array of krb5_enctype values */
211 static krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
212                                                 uint32_t enctype_bitmap,
213                                                 krb5_enctype **enctypes)
214 {
215         unsigned int i, j = 0;
216         *enctypes = talloc_zero_array(mem_ctx, krb5_enctype,
217                                         (8 * sizeof(enctype_bitmap)) + 1);
218         if (!*enctypes) {
219                 return ENOMEM;
220         }
221         for (i = 0; i < (8 * sizeof(enctype_bitmap)); i++) {
222                 uint32_t bit_value = (1 << i) & enctype_bitmap;
223                 if (bit_value & enctype_bitmap) {
224                         (*enctypes)[j] = ms_suptype_to_ietf_enctype(bit_value);
225                         if (!(*enctypes)[j]) {
226                                 continue;
227                         }
228                         j++;
229                 }
230         }
231         (*enctypes)[j] = 0;
232         return 0;
233 }
234
235 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
236                                        krb5_principal *principals,
237                                        krb5_principal salt_princ,
238                                        int kvno,
239                                        const char *password_s,
240                                        krb5_context context,
241                                        krb5_enctype *enctypes,
242                                        krb5_keytab keytab,
243                                        const char **error_string)
244 {
245         unsigned int i, p;
246         krb5_error_code ret;
247         krb5_data password;
248         char *unparsed;
249
250         password.data = discard_const_p(char, password_s);
251         password.length = strlen(password_s);
252
253         for (i = 0; enctypes[i]; i++) {
254                 krb5_keytab_entry entry;
255
256                 ZERO_STRUCT(entry);
257
258                 ret = create_kerberos_key_from_string_direct(context,
259                                                 salt_princ, &password,
260                                                 &entry.keyblock, enctypes[i]);
261                 if (ret != 0) {
262                         return ret;
263                 }
264
265                 entry.vno = kvno;
266
267                 for (p = 0; principals[p]; p++) {
268                         unparsed = NULL;
269                         entry.principal = principals[p];
270                         ret = krb5_kt_add_entry(context, keytab, &entry);
271                         if (ret != 0) {
272                                 char *k5_error_string =
273                                         smb_get_krb5_error_message(context,
274                                                                    ret, NULL);
275                                 krb5_unparse_name(context,
276                                                 principals[p], &unparsed);
277                                 *error_string = talloc_asprintf(parent_ctx,
278                                         "Failed to add enctype %d entry for "
279                                         "%s(kvno %d) to keytab: %s\n",
280                                         (int)enctypes[i], unparsed,
281                                         kvno, k5_error_string);
282
283                                 free(unparsed);
284                                 talloc_free(k5_error_string);
285                                 krb5_free_keyblock_contents(context,
286                                                             &entry.keyblock);
287                                 return ret;
288                         }
289
290                         DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
291                                   kvno, (int)enctypes[i]));
292                 }
293                 krb5_free_keyblock_contents(context, &entry.keyblock);
294         }
295         return 0;
296 }
297
298 static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
299                                      const char *samAccountName,
300                                      const char *realm,
301                                      const char *saltPrincipal,
302                                      int kvno,
303                                      const char *new_secret,
304                                      const char *old_secret,
305                                      uint32_t supp_enctypes,
306                                      krb5_principal *principals,
307                                      krb5_context context,
308                                      krb5_keytab keytab,
309                                      bool add_old,
310                                      const char **error_string)
311 {
312         krb5_error_code ret;
313         krb5_principal salt_princ = NULL;
314         krb5_enctype *enctypes;
315         TALLOC_CTX *mem_ctx;
316
317         if (!new_secret) {
318                 /* There is no password here, so nothing to do */
319                 return 0;
320         }
321
322         mem_ctx = talloc_new(parent_ctx);
323         if (!mem_ctx) {
324                 *error_string = "unable to allocate tmp_ctx for create_keytab";
325                 return ENOMEM;
326         }
327
328         /* The salt used to generate these entries may be different however,
329          * fetch that */
330         ret = salt_principal(mem_ctx, samAccountName, realm, saltPrincipal,
331                              context, &salt_princ, error_string);
332         if (ret) {
333                 talloc_free(mem_ctx);
334                 return ret;
335         }
336
337         ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
338         if (ret) {
339                 *error_string = talloc_asprintf(parent_ctx,
340                                         "create_keytab: generating list of "
341                                         "encryption types failed (%s)\n",
342                                         smb_get_krb5_error_message(context,
343                                                                 ret, mem_ctx));
344                 goto done;
345         }
346
347         ret = keytab_add_keys(mem_ctx, principals,
348                               salt_princ, kvno, new_secret,
349                               context, enctypes, keytab, error_string);
350         if (ret) {
351                 goto done;
352         }
353
354         if (old_secret && add_old && kvno != 0) {
355                 ret = keytab_add_keys(mem_ctx, principals,
356                                       salt_princ, kvno - 1, old_secret,
357                                       context, enctypes, keytab, error_string);
358         }
359
360 done:
361         krb5_free_principal(context, salt_princ);
362         talloc_free(mem_ctx);
363         return ret;
364 }
365
366 /*
367  * Walk the keytab, looking for entries of this principal name,
368  * with KVNO other than current kvno -1.
369  *
370  * These entries are now stale,
371  * we only keep the current and previous entries around.
372  *
373  * Inspired by the code in Samba3 for 'use kerberos keytab'.
374  */
375
376 static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
377                                           int kvno,
378                                           krb5_principal *principals,
379                                           bool delete_all_kvno,
380                                           krb5_context context,
381                                           krb5_keytab keytab,
382                                           bool *found_previous,
383                                           const char **error_string)
384 {
385         krb5_error_code ret, ret2;
386         krb5_kt_cursor cursor;
387         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
388
389         if (!mem_ctx) {
390                 return ENOMEM;
391         }
392
393         *found_previous = false;
394
395         /* for each entry in the keytab */
396         ret = krb5_kt_start_seq_get(context, keytab, &cursor);
397         switch (ret) {
398         case 0:
399                 break;
400         case HEIM_ERR_OPNOTSUPP:
401         case ENOENT:
402         case KRB5_KT_END:
403                 /* no point enumerating if there isn't anything here */
404                 talloc_free(mem_ctx);
405                 return 0;
406         default:
407                 *error_string = talloc_asprintf(parent_ctx,
408                         "failed to open keytab for read of old entries: %s\n",
409                         smb_get_krb5_error_message(context, ret, mem_ctx));
410                 talloc_free(mem_ctx);
411                 return ret;
412         }
413
414         while (!ret) {
415                 unsigned int i;
416                 bool matched = false;
417                 krb5_keytab_entry entry;
418                 ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
419                 if (ret) {
420                         break;
421                 }
422                 for (i = 0; principals[i]; i++) {
423                         /* if it matches our principal */
424                         if (krb5_kt_compare(context, &entry,
425                                             principals[i], 0, 0)) {
426                                 matched = true;
427                                 break;
428                         }
429                 }
430
431                 if (!matched) {
432                         /* Free the entry,
433                          * it wasn't the one we were looking for anyway */
434                         krb5_kt_free_entry(context, &entry);
435                         continue;
436                 }
437
438                 /* delete it, if it is not kvno -1 */
439                 if (entry.vno != (kvno - 1 )) {
440                         /* Release the enumeration.  We are going to
441                          * have to start this from the top again,
442                          * because deletes during enumeration may not
443                          * always be consistent.
444                          *
445                          * Also, the enumeration locks a FILE: keytab
446                          */
447
448                         krb5_kt_end_seq_get(context, keytab, &cursor);
449
450                         ret = krb5_kt_remove_entry(context, keytab, &entry);
451                         krb5_kt_free_entry(context, &entry);
452
453                         /* Deleted: Restart from the top */
454                         ret2 = krb5_kt_start_seq_get(context, keytab, &cursor);
455                         if (ret2) {
456                                 krb5_kt_free_entry(context, &entry);
457                                 DEBUG(1, ("failed to restart enumeration of keytab: %s\n",
458                                           smb_get_krb5_error_message(context,
459                                                                 ret, mem_ctx)));
460
461                                 talloc_free(mem_ctx);
462                                 return ret2;
463                         }
464
465                         if (ret) {
466                                 break;
467                         }
468
469                 } else {
470                         *found_previous = true;
471                 }
472
473                 /* Free the entry, we don't need it any more */
474                 krb5_kt_free_entry(context, &entry);
475         }
476         krb5_kt_end_seq_get(context, keytab, &cursor);
477
478         switch (ret) {
479         case 0:
480                 break;
481         case ENOENT:
482         case KRB5_KT_END:
483                 ret = 0;
484                 break;
485         default:
486                 *error_string = talloc_asprintf(parent_ctx,
487                         "failed in deleting old entries for principal: %s\n",
488                         smb_get_krb5_error_message(context, ret, mem_ctx));
489         }
490         talloc_free(mem_ctx);
491         return ret;
492 }
493
494 krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
495                                 krb5_context context,
496                                 const char *keytab_name,
497                                 const char *samAccountName,
498                                 const char *realm,
499                                 const char **SPNs,
500                                 int num_SPNs,
501                                 const char *saltPrincipal,
502                                 const char *new_secret,
503                                 const char *old_secret,
504                                 int kvno,
505                                 uint32_t supp_enctypes,
506                                 bool delete_all_kvno,
507                                 krb5_keytab *_keytab,
508                                 const char **error_string)
509 {
510         krb5_keytab keytab;
511         krb5_error_code ret;
512         bool found_previous;
513         TALLOC_CTX *tmp_ctx;
514         krb5_principal *principals = NULL;
515
516         if (keytab_name == NULL) {
517                 return ENOENT;
518         }
519
520         ret = krb5_kt_resolve(context, keytab_name, &keytab);
521         if (ret) {
522                 *error_string = smb_get_krb5_error_message(context,
523                                                            ret, parent_ctx);
524                 return ret;
525         }
526
527         DEBUG(5, ("Opened keytab %s\n", keytab_name));
528
529         tmp_ctx = talloc_new(parent_ctx);
530         if (!tmp_ctx) {
531                 return ENOMEM;
532         }
533
534         /* Get the principal we will store the new keytab entries under */
535         ret = principals_from_list(tmp_ctx,
536                                   samAccountName, realm, SPNs, num_SPNs,
537                                   context, &principals, error_string);
538
539         if (ret != 0) {
540                 *error_string = talloc_asprintf(parent_ctx,
541                         "Failed to load principals from ldb message: %s\n",
542                         *error_string);
543                 goto done;
544         }
545
546         ret = remove_old_entries(tmp_ctx, kvno, principals, delete_all_kvno,
547                                  context, keytab, &found_previous, error_string);
548         if (ret != 0) {
549                 *error_string = talloc_asprintf(parent_ctx,
550                         "Failed to remove old principals from keytab: %s\n",
551                         *error_string);
552                 goto done;
553         }
554
555         if (!delete_all_kvno) {
556                 /* Create a new keytab.  If during the cleanout we found
557                  * entires for kvno -1, then don't try and duplicate them.
558                  * Otherwise, add kvno, and kvno -1 */
559
560                 ret = create_keytab(tmp_ctx,
561                                     samAccountName, realm, saltPrincipal,
562                                     kvno, new_secret, old_secret,
563                                     supp_enctypes, principals,
564                                     context, keytab,
565                                     found_previous ? false : true,
566                                     error_string);
567                 if (ret) {
568                         talloc_steal(parent_ctx, *error_string);
569                 }
570         }
571
572         if (ret == 0 && _keytab != NULL) {
573                 /* caller wants the keytab handle back */
574                 *_keytab = keytab;
575         }
576
577 done:
578         keytab_principals_free(context, principals);
579         if (ret != 0 || _keytab == NULL) {
580                 krb5_kt_close(context, keytab);
581         }
582         talloc_free(tmp_ctx);
583         return ret;
584 }
585
586 krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
587                                 krb5_context context,
588                                 const char *new_secret,
589                                 const char *samAccountName,
590                                 const char *realm,
591                                 int kvno,
592                                 krb5_keytab *keytab,
593                                 const char **keytab_name)
594 {
595         krb5_error_code ret;
596         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
597         const char *rand_string;
598         const char *error_string;
599         if (!mem_ctx) {
600                 return ENOMEM;
601         }
602
603         rand_string = generate_random_str(mem_ctx, 16);
604         if (!rand_string) {
605                 talloc_free(mem_ctx);
606                 return ENOMEM;
607         }
608
609         *keytab_name = talloc_asprintf(mem_ctx, "MEMORY:%s", rand_string);
610         if (*keytab_name == NULL) {
611                 talloc_free(mem_ctx);
612                 return ENOMEM;
613         }
614
615
616         ret = smb_krb5_update_keytab(mem_ctx, context,
617                                      *keytab_name, samAccountName, realm,
618                                      NULL, 0, NULL, new_secret, NULL,
619                                      kvno, ENC_ALL_TYPES,
620                                      false, keytab, &error_string);
621         if (ret == 0) {
622                 talloc_steal(parent_ctx, *keytab_name);
623         } else {
624                 DEBUG(0, ("Failed to create in-memory keytab: %s\n",
625                           error_string));
626                 *keytab_name = NULL;
627         }
628         talloc_free(mem_ctx);
629         return ret;
630 }