lib/krb5_wrap: Move enctype conversion functions into a simple helper file
[kai/samba-autobuild/.git] / source4 / auth / kerberos / srv_keytab.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Kerberos utility functions
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include "auth/kerberos/kerberos_srv_keytab.h"
28
29 static void keytab_principals_free(krb5_context context, krb5_principal *set)
30 {
31         int i;
32         for (i = 0; set[i] != NULL; i++) {
33                 krb5_free_principal(context, set[i]);
34         }
35 }
36
37 static krb5_error_code principals_from_list(TALLOC_CTX *parent_ctx,
38                                         const char *samAccountName,
39                                         const char *realm,
40                                         const char **SPNs, int num_SPNs,
41                                         krb5_context context,
42                                         krb5_principal **principals_out,
43                                         const char **error_string)
44 {
45         unsigned int i;
46         krb5_error_code ret;
47         char *upper_realm;
48         TALLOC_CTX *tmp_ctx;
49         krb5_principal *principals = NULL;
50         tmp_ctx = talloc_new(parent_ctx);
51         if (!tmp_ctx) {
52                 *error_string = "Cannot allocate tmp_ctx";
53                 return ENOMEM;
54         }
55
56         if (!realm) {
57                 *error_string = "Cannot make principal without a realm";
58                 ret = EINVAL;
59                 goto done;
60         }
61
62         upper_realm = strupper_talloc(tmp_ctx, realm);
63         if (!upper_realm) {
64                 *error_string = "Cannot allocate full upper case realm";
65                 ret = ENOMEM;
66                 goto done;
67         }
68
69         principals = talloc_zero_array(tmp_ctx, krb5_principal,
70                                         num_SPNs ? (num_SPNs + 2) : 2);
71
72         for (i = 0; num_SPNs && i < num_SPNs; i++) {
73                 ret = krb5_parse_name(context, SPNs[i], &principals[i]);
74
75                 if (ret) {
76                         *error_string = smb_get_krb5_error_message(context, ret,
77                                                                    parent_ctx);
78                         goto done;
79                 }
80         }
81
82         if (samAccountName) {
83                 ret = smb_krb5_make_principal(context, &principals[i],
84                                           upper_realm, samAccountName,
85                                           NULL);
86                 if (ret) {
87                         *error_string = smb_get_krb5_error_message(context, ret,
88                                                                    parent_ctx);
89                         goto done;
90                 }
91         }
92
93 done:
94         if (ret) {
95                 keytab_principals_free(context, principals);
96         } else {
97                 *principals_out = talloc_steal(parent_ctx, principals);
98         }
99         talloc_free(tmp_ctx);
100         return ret;
101 }
102
103 static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
104                                 const char *samAccountName,
105                                 const char *realm,
106                                 const char *saltPrincipal,
107                                 krb5_context context,
108                                 krb5_principal *salt_princ,
109                                 const char **error_string)
110 {
111
112         krb5_error_code ret;
113         char *machine_username;
114         char *salt_body;
115         char *lower_realm;
116         char *upper_realm;
117
118         TALLOC_CTX *tmp_ctx;
119
120         if (saltPrincipal) {
121                 ret = krb5_parse_name(context, saltPrincipal, salt_princ);
122                 if (ret) {
123                         *error_string = smb_get_krb5_error_message(
124                                                 context, ret, parent_ctx);
125                 }
126                 return ret;
127         }
128
129         if (!samAccountName) {
130                 (*error_string) = "Cannot determine salt principal, no "
131                                 "saltPrincipal or samAccountName specified";
132                 return EINVAL;
133         }
134
135         if (!realm) {
136                 *error_string = "Cannot make principal without a realm";
137                 return EINVAL;
138         }
139
140         tmp_ctx = talloc_new(parent_ctx);
141         if (!tmp_ctx) {
142                 *error_string = "Cannot allocate tmp_ctx";
143                 return ENOMEM;
144         }
145
146         machine_username = talloc_strdup(tmp_ctx, samAccountName);
147         if (!machine_username) {
148                 *error_string = "Cannot duplicate samAccountName";
149                 talloc_free(tmp_ctx);
150                 return ENOMEM;
151         }
152
153         if (machine_username[strlen(machine_username)-1] == '$') {
154                 machine_username[strlen(machine_username)-1] = '\0';
155         }
156
157         lower_realm = strlower_talloc(tmp_ctx, realm);
158         if (!lower_realm) {
159                 *error_string = "Cannot allocate to lower case realm";
160                 talloc_free(tmp_ctx);
161                 return ENOMEM;
162         }
163
164         upper_realm = strupper_talloc(tmp_ctx, realm);
165         if (!upper_realm) {
166                 *error_string = "Cannot allocate to upper case realm";
167                 talloc_free(tmp_ctx);
168                 return ENOMEM;
169         }
170
171         salt_body = talloc_asprintf(tmp_ctx, "%s.%s",
172                                     machine_username, lower_realm);
173         if (!salt_body) {
174                 *error_string = "Cannot form salt principal body";
175                 talloc_free(tmp_ctx);
176                 return ENOMEM;
177         }
178
179         ret = smb_krb5_make_principal(context, salt_princ, upper_realm,
180                                                 "host", salt_body, NULL);
181         if (ret) {
182                 *error_string = smb_get_krb5_error_message(context,
183                                                            ret, parent_ctx);
184         }
185
186         talloc_free(tmp_ctx);
187         return ret;
188 }
189
190 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
191                                        krb5_principal *principals,
192                                        krb5_principal salt_princ,
193                                        int kvno,
194                                        const char *password_s,
195                                        krb5_context context,
196                                        krb5_enctype *enctypes,
197                                        krb5_keytab keytab,
198                                        const char **error_string)
199 {
200         unsigned int i, p;
201         krb5_error_code ret;
202         krb5_data password;
203         char *unparsed;
204
205         password.data = discard_const_p(char, password_s);
206         password.length = strlen(password_s);
207
208         for (i = 0; enctypes[i]; i++) {
209                 krb5_keytab_entry entry;
210
211                 ZERO_STRUCT(entry);
212
213                 ret = create_kerberos_key_from_string_direct(context,
214                                                 salt_princ, &password,
215                                                 KRB5_KT_KEY(&entry),
216                                                 enctypes[i]);
217                 if (ret != 0) {
218                         return ret;
219                 }
220
221                 entry.vno = kvno;
222
223                 for (p = 0; principals[p]; p++) {
224                         unparsed = NULL;
225                         entry.principal = principals[p];
226                         ret = krb5_kt_add_entry(context, keytab, &entry);
227                         if (ret != 0) {
228                                 char *k5_error_string =
229                                         smb_get_krb5_error_message(context,
230                                                                    ret, NULL);
231                                 krb5_unparse_name(context,
232                                                 principals[p], &unparsed);
233                                 *error_string = talloc_asprintf(parent_ctx,
234                                         "Failed to add enctype %d entry for "
235                                         "%s(kvno %d) to keytab: %s\n",
236                                         (int)enctypes[i], unparsed,
237                                         kvno, k5_error_string);
238
239                                 free(unparsed);
240                                 talloc_free(k5_error_string);
241                                 krb5_free_keyblock_contents(context,
242                                                             KRB5_KT_KEY(&entry));
243                                 return ret;
244                         }
245
246                         DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
247                                   kvno, (int)enctypes[i]));
248                 }
249                 krb5_free_keyblock_contents(context, KRB5_KT_KEY(&entry));
250         }
251         return 0;
252 }
253
254 static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
255                                      const char *samAccountName,
256                                      const char *realm,
257                                      const char *saltPrincipal,
258                                      int kvno,
259                                      const char *new_secret,
260                                      const char *old_secret,
261                                      uint32_t supp_enctypes,
262                                      krb5_principal *principals,
263                                      krb5_context context,
264                                      krb5_keytab keytab,
265                                      bool add_old,
266                                      const char **error_string)
267 {
268         krb5_error_code ret;
269         krb5_principal salt_princ = NULL;
270         krb5_enctype *enctypes;
271         TALLOC_CTX *mem_ctx;
272
273         if (!new_secret) {
274                 /* There is no password here, so nothing to do */
275                 return 0;
276         }
277
278         mem_ctx = talloc_new(parent_ctx);
279         if (!mem_ctx) {
280                 *error_string = "unable to allocate tmp_ctx for create_keytab";
281                 return ENOMEM;
282         }
283
284         /* The salt used to generate these entries may be different however,
285          * fetch that */
286         ret = salt_principal(mem_ctx, samAccountName, realm, saltPrincipal,
287                              context, &salt_princ, error_string);
288         if (ret) {
289                 talloc_free(mem_ctx);
290                 return ret;
291         }
292
293         ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
294         if (ret) {
295                 *error_string = talloc_asprintf(parent_ctx,
296                                         "create_keytab: generating list of "
297                                         "encryption types failed (%s)\n",
298                                         smb_get_krb5_error_message(context,
299                                                                 ret, mem_ctx));
300                 goto done;
301         }
302
303         ret = keytab_add_keys(mem_ctx, principals,
304                               salt_princ, kvno, new_secret,
305                               context, enctypes, keytab, error_string);
306         if (ret) {
307                 goto done;
308         }
309
310         if (old_secret && add_old && kvno != 0) {
311                 ret = keytab_add_keys(mem_ctx, principals,
312                                       salt_princ, kvno - 1, old_secret,
313                                       context, enctypes, keytab, error_string);
314         }
315
316 done:
317         krb5_free_principal(context, salt_princ);
318         talloc_free(mem_ctx);
319         return ret;
320 }
321
322 /*
323  * Walk the keytab, looking for entries of this principal name,
324  * with KVNO other than current kvno -1.
325  *
326  * These entries are now stale,
327  * we only keep the current and previous entries around.
328  *
329  * Inspired by the code in Samba3 for 'use kerberos keytab'.
330  */
331
332 static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
333                                           int kvno,
334                                           krb5_principal *principals,
335                                           bool delete_all_kvno,
336                                           krb5_context context,
337                                           krb5_keytab keytab,
338                                           bool *found_previous,
339                                           const char **error_string)
340 {
341         krb5_error_code ret, ret2;
342         krb5_kt_cursor cursor;
343         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
344
345         if (!mem_ctx) {
346                 return ENOMEM;
347         }
348
349         *found_previous = false;
350
351         /* for each entry in the keytab */
352         ret = krb5_kt_start_seq_get(context, keytab, &cursor);
353         switch (ret) {
354         case 0:
355                 break;
356 #ifdef HEIM_ERR_OPNOTSUPP
357         case HEIM_ERR_OPNOTSUPP:
358 #endif
359         case ENOENT:
360         case KRB5_KT_END:
361                 /* no point enumerating if there isn't anything here */
362                 talloc_free(mem_ctx);
363                 return 0;
364         default:
365                 *error_string = talloc_asprintf(parent_ctx,
366                         "failed to open keytab for read of old entries: %s\n",
367                         smb_get_krb5_error_message(context, ret, mem_ctx));
368                 talloc_free(mem_ctx);
369                 return ret;
370         }
371
372         while (!ret) {
373                 unsigned int i;
374                 bool matched = false;
375                 krb5_keytab_entry entry;
376                 ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
377                 if (ret) {
378                         break;
379                 }
380                 for (i = 0; principals[i]; i++) {
381                         /* if it matches our principal */
382                         if (smb_krb5_kt_compare(context, &entry,
383                                                 principals[i], 0, 0)) {
384                                 matched = true;
385                                 break;
386                         }
387                 }
388
389                 if (!matched) {
390                         /* Free the entry,
391                          * it wasn't the one we were looking for anyway */
392                         krb5_kt_free_entry(context, &entry);
393                         continue;
394                 }
395
396                 /* delete it, if it is not kvno -1 */
397                 if (entry.vno != (kvno - 1 )) {
398                         /* Release the enumeration.  We are going to
399                          * have to start this from the top again,
400                          * because deletes during enumeration may not
401                          * always be consistent.
402                          *
403                          * Also, the enumeration locks a FILE: keytab
404                          */
405
406                         krb5_kt_end_seq_get(context, keytab, &cursor);
407
408                         ret = krb5_kt_remove_entry(context, keytab, &entry);
409                         krb5_kt_free_entry(context, &entry);
410
411                         /* Deleted: Restart from the top */
412                         ret2 = krb5_kt_start_seq_get(context, keytab, &cursor);
413                         if (ret2) {
414                                 krb5_kt_free_entry(context, &entry);
415                                 DEBUG(1, ("failed to restart enumeration of keytab: %s\n",
416                                           smb_get_krb5_error_message(context,
417                                                                 ret, mem_ctx)));
418
419                                 talloc_free(mem_ctx);
420                                 return ret2;
421                         }
422
423                         if (ret) {
424                                 break;
425                         }
426
427                 } else {
428                         *found_previous = true;
429                 }
430
431                 /* Free the entry, we don't need it any more */
432                 krb5_kt_free_entry(context, &entry);
433         }
434         krb5_kt_end_seq_get(context, keytab, &cursor);
435
436         switch (ret) {
437         case 0:
438                 break;
439         case ENOENT:
440         case KRB5_KT_END:
441                 ret = 0;
442                 break;
443         default:
444                 *error_string = talloc_asprintf(parent_ctx,
445                         "failed in deleting old entries for principal: %s\n",
446                         smb_get_krb5_error_message(context, ret, mem_ctx));
447         }
448         talloc_free(mem_ctx);
449         return ret;
450 }
451
452 krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
453                                 krb5_context context,
454                                 const char *keytab_name,
455                                 const char *samAccountName,
456                                 const char *realm,
457                                 const char **SPNs,
458                                 int num_SPNs,
459                                 const char *saltPrincipal,
460                                 const char *new_secret,
461                                 const char *old_secret,
462                                 int kvno,
463                                 uint32_t supp_enctypes,
464                                 bool delete_all_kvno,
465                                 krb5_keytab *_keytab,
466                                 const char **error_string)
467 {
468         krb5_keytab keytab;
469         krb5_error_code ret;
470         bool found_previous;
471         TALLOC_CTX *tmp_ctx;
472         krb5_principal *principals = NULL;
473
474         if (keytab_name == NULL) {
475                 return ENOENT;
476         }
477
478         ret = krb5_kt_resolve(context, keytab_name, &keytab);
479         if (ret) {
480                 *error_string = smb_get_krb5_error_message(context,
481                                                            ret, parent_ctx);
482                 return ret;
483         }
484
485         DEBUG(5, ("Opened keytab %s\n", keytab_name));
486
487         tmp_ctx = talloc_new(parent_ctx);
488         if (!tmp_ctx) {
489                 return ENOMEM;
490         }
491
492         /* Get the principal we will store the new keytab entries under */
493         ret = principals_from_list(tmp_ctx,
494                                   samAccountName, realm, SPNs, num_SPNs,
495                                   context, &principals, error_string);
496
497         if (ret != 0) {
498                 *error_string = talloc_asprintf(parent_ctx,
499                         "Failed to load principals from ldb message: %s\n",
500                         *error_string);
501                 goto done;
502         }
503
504         ret = remove_old_entries(tmp_ctx, kvno, principals, delete_all_kvno,
505                                  context, keytab, &found_previous, error_string);
506         if (ret != 0) {
507                 *error_string = talloc_asprintf(parent_ctx,
508                         "Failed to remove old principals from keytab: %s\n",
509                         *error_string);
510                 goto done;
511         }
512
513         if (!delete_all_kvno) {
514                 /* Create a new keytab.  If during the cleanout we found
515                  * entires for kvno -1, then don't try and duplicate them.
516                  * Otherwise, add kvno, and kvno -1 */
517
518                 ret = create_keytab(tmp_ctx,
519                                     samAccountName, realm, saltPrincipal,
520                                     kvno, new_secret, old_secret,
521                                     supp_enctypes, principals,
522                                     context, keytab,
523                                     found_previous ? false : true,
524                                     error_string);
525                 if (ret) {
526                         talloc_steal(parent_ctx, *error_string);
527                 }
528         }
529
530         if (ret == 0 && _keytab != NULL) {
531                 /* caller wants the keytab handle back */
532                 *_keytab = keytab;
533         }
534
535 done:
536         keytab_principals_free(context, principals);
537         if (ret != 0 || _keytab == NULL) {
538                 krb5_kt_close(context, keytab);
539         }
540         talloc_free(tmp_ctx);
541         return ret;
542 }
543
544 krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
545                                 krb5_context context,
546                                 const char *new_secret,
547                                 const char *samAccountName,
548                                 const char *realm,
549                                 int kvno,
550                                 krb5_keytab *keytab,
551                                 const char **keytab_name)
552 {
553         krb5_error_code ret;
554         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
555         const char *rand_string;
556         const char *error_string;
557         if (!mem_ctx) {
558                 return ENOMEM;
559         }
560
561         rand_string = generate_random_str(mem_ctx, 16);
562         if (!rand_string) {
563                 talloc_free(mem_ctx);
564                 return ENOMEM;
565         }
566
567         *keytab_name = talloc_asprintf(mem_ctx, "MEMORY:%s", rand_string);
568         if (*keytab_name == NULL) {
569                 talloc_free(mem_ctx);
570                 return ENOMEM;
571         }
572
573
574         ret = smb_krb5_update_keytab(mem_ctx, context,
575                                      *keytab_name, samAccountName, realm,
576                                      NULL, 0, NULL, new_secret, NULL,
577                                      kvno, ENC_ALL_TYPES,
578                                      false, keytab, &error_string);
579         if (ret == 0) {
580                 talloc_steal(parent_ctx, *keytab_name);
581         } else {
582                 DEBUG(0, ("Failed to create in-memory keytab: %s\n",
583                           error_string));
584                 *keytab_name = NULL;
585         }
586         talloc_free(mem_ctx);
587         return ret;
588 }