      1 /*	$NetBSD: keytab.c,v 1.1 2011/04/13 18:15:34 elric Exp $	*/
      2 
      3 /*
      4  * Copyright (c) 1997 - 2005 Kungliga Tekniska Hgskolan
      5  * (Royal Institute of Technology, Stockholm, Sweden).
      6  * All rights reserved.
      7  *
      8  * Redistribution and use in source and binary forms, with or without
      9  * modification, are permitted provided that the following conditions
     10  * are met:
     11  *
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  *
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  *
     19  * 3. Neither the name of the Institute nor the names of its contributors
     20  *    may be used to endorse or promote products derived from this software
     21  *    without specific prior written permission.
     22  *
     23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
     24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
     27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     33  * SUCH DAMAGE.
     34  */
     35 
     36 #include "krb5_locl.h"
     37 
     38 /**
 * @page krb5_keytab_intro The keytab handling functions
     40  * @section section_krb5_keytab Kerberos Keytabs
     41  *
     42  * See the library functions here: @ref krb5_keytab
     43  *
 * Keytabs are the long-term key storage for servers, their equivalent
 * of password files.
     46  *
 * Normally the only functions a server needs are the ones that specify
 * which keytab other core functions like krb5_rd_req() should use:
 * krb5_kt_resolve() and krb5_kt_close().
     50  *
     51  * @subsection krb5_keytab_names Keytab names
     52  *
     53  * A keytab name is on the form type:residual. The residual part is
     54  * specific to each keytab-type.
     55  *
     56  * When a keytab-name is resolved, the type is matched with an internal
     57  * list of keytab types. If there is no matching keytab type,
     58  * the default keytab is used. The current default type is FILE.
     59  *
     60  * The default value can be changed in the configuration file
     61  * /etc/krb5.conf by setting the variable
     62  * [defaults]default_keytab_name.
     63  *
     64  * The keytab types that are implemented in Heimdal are:
     65  * - file
 *   store the keytab in a file, the type's name is FILE.  The
 *   residual part is a filename. For compatibility with other
 *   Kerberos implementations WRFILE and JAVA14 are also accepted.  WRFILE
 *   has the same format as FILE. JAVA14 has a format that is
 *   compatible with older versions of MIT Kerberos and Sun's Java
 *   based installation.  They store a truncated kvno, so when the kvno
 *   exceeds 255 it is truncated in this format.
     73  *
     74  * - keytab
     75  *   store the keytab in a AFS keyfile (usually /usr/afs/etc/KeyFile ),
     76  *   the type's name is AFSKEYFILE. The residual part is a filename.
     77  *
     78  * - memory
 *   The keytab is stored in a memory segment. This allows sensitive
 *   and/or temporary data not to be stored on disk. The type's name
 *   is MEMORY. Each MEMORY keytab is reference counted and is
 *   opened by the residual name, so two handles can point to the
 *   same memory area.  When the last user closes the keytab using
 *   krb5_kt_close(), the keys in the keytab are memset() to zero and freed,
 *   and can no longer be looked up by name.
     86  *
     87  *
     88  * @subsection krb5_keytab_example Keytab example
     89  *
     90  *  This is a minimalistic version of ktutil.
     91  *
     92  * @code
     93 int
     94 main (int argc, char **argv)
     95 {
     96     krb5_context context;
     97     krb5_keytab keytab;
     98     krb5_kt_cursor cursor;
     99     krb5_keytab_entry entry;
    100     krb5_error_code ret;
    101     char *principal;
    102 
    103     if (krb5_init_context (&context) != 0)
    104 	errx(1, "krb5_context");
    105 
    106     ret = krb5_kt_default (context, &keytab);
    107     if (ret)
    108 	krb5_err(context, 1, ret, "krb5_kt_default");
    109 
    110     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
    111     if (ret)
    112 	krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
    113     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
    114 	krb5_unparse_name(context, entry.principal, &principal);
    115 	printf("principal: %s\n", principal);
    116 	free(principal);
    117 	krb5_kt_free_entry(context, &entry);
    118     }
    119     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
    120     if (ret)
    121 	krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
    122     ret = krb5_kt_close(context, keytab);
    123     if (ret)
    124 	krb5_err(context, 1, ret, "krb5_kt_close");
    125     krb5_free_context(context);
    126     return 0;
    127 }
    128  * @endcode
    129  *
    130  */
    131 
    132 
    133 /**
    134  * Register a new keytab backend.
    135  *
    136  * @param context a Keberos context.
    137  * @param ops a backend to register.
    138  *
    139  * @return Return an error code or 0, see krb5_get_error_message().
    140  *
    141  * @ingroup krb5_keytab
    142  */
    143 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_register(krb5_context context,
		 const krb5_kt_ops *ops)
{
    struct krb5_keytab_data *grown;

    /* The prefix must fit, terminator included, in a buffer of
     * KRB5_KT_PREFIX_MAX_LEN bytes (krb5_kt_get_full_name() relies on
     * this when it copies the type out). */
    if (strlen(ops->prefix) >= KRB5_KT_PREFIX_MAX_LEN) {
	krb5_set_error_message(context, KRB5_KT_BADNAME,
			       N_("can't register cache type, prefix too long", ""));
	return KRB5_KT_BADNAME;
    }

    /* Grow the table by one slot.  The old table stays valid when
     * realloc() fails, so nothing is lost on the error path. */
    grown = realloc(context->kt_types,
		    (context->num_kt_types + 1) * sizeof(*grown));
    if (grown == NULL) {
	krb5_set_error_message(context, ENOMEM,
			       N_("malloc: out of memory", ""));
	return ENOMEM;
    }

    /* The ops table is copied by value into the new last slot.  No
     * duplicate check is made; krb5_kt_resolve() uses the first
     * registered entry whose prefix matches. */
    memcpy(&grown[context->num_kt_types], ops, sizeof(grown[0]));
    context->kt_types = grown;
    context->num_kt_types += 1;
    return 0;
}
    169 
/*
 * Split `name' into a keytab type and a residual.  Without a ':' (or
 * when the name is an absolute path, which may itself contain ':')
 * the type is "FILE" and the whole name is the residual.  `*type' is
 * NOT NUL-terminated at `*type_len' when it points into `name'.
 */
static const char *
keytab_name(const char *name, const char **type, size_t *type_len)
{
    const char *colon = strchr(name, ':');
    int is_plain_path;

    is_plain_path = (colon == NULL || name[0] == '/');
#ifdef _WIN32
    /* Avoid treating <drive>:<path> as a keytab type specification */
    if (colon != NULL && colon == name + 1)
	is_plain_path = 1;
#endif

    if (is_plain_path) {
	*type = "FILE";
	*type_len = strlen(*type);
	return name;
    }

    /* "type:residual" -- type_len may be 0 for a name like ":foo". */
    *type = name;
    *type_len = (size_t)(colon - name);
    return colon + 1;
}
    197 
    198 /**
    199  * Resolve the keytab name (of the form `type:residual') in `name'
    200  * into a keytab in `id'.
    201  *
    202  * @param context a Keberos context.
    203  * @param name name to resolve
    204  * @param id resulting keytab, free with krb5_kt_close().
    205  *
    206  * @return Return an error code or 0, see krb5_get_error_message().
    207  *
    208  * @ingroup krb5_keytab
    209  */
    210 
    211 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_resolve(krb5_context context,
		const char *name,
		krb5_keytab *id)
{
    const char *type;
    const char *residual;
    size_t type_len;
    krb5_keytab kt;
    krb5_error_code ret;
    int idx = 0;

    residual = keytab_name(name, &type, &type_len);

    /* Pick the first registered backend whose prefix begins with the
     * requested type.  Only type_len bytes are compared, so an
     * abbreviated type (or the empty type of ":residual") matches the
     * first registered prefix that starts with it. */
    while (idx < context->num_kt_types &&
	   strncasecmp(type, context->kt_types[idx].prefix, type_len) != 0)
	idx++;

    if (idx == context->num_kt_types) {
	krb5_set_error_message(context, KRB5_KT_UNKNOWN_TYPE,
			       N_("unknown keytab type %.*s", "type"),
			       (int)type_len, type);
	return KRB5_KT_UNKNOWN_TYPE;
    }

    /* A handle is a private copy of the backend's ops table plus the
     * backend-specific `data' that its resolve() fills in. */
    kt = malloc(sizeof(*kt));
    if (kt == NULL) {
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
	return ENOMEM;
    }
    *kt = context->kt_types[idx];
    kt->data = NULL;

    ret = (*kt->resolve)(context, residual, kt);
    if (ret) {
	/* Backend refused the residual: hand back no handle at all. */
	free(kt);
	kt = NULL;
    }
    *id = kt;
    return ret;
}
    251 
    252 /**
    253  * copy the name of the default keytab into `name'.
    254  *
    255  * @param context a Keberos context.
    256  * @param name buffer where the name will be written
    257  * @param namesize length of name
    258  *
    259  * @return Return an error code or 0, see krb5_get_error_message().
    260  *
    261  * @ingroup krb5_keytab
    262  */
    263 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
{
    size_t needed = strlcpy(name, context->default_keytab, namesize);

    /* strlcpy() returns the full source length; a value >= namesize
     * means the copy was truncated, which is reported as an error
     * (the error message is cleared so no stale text is shown). */
    if (needed >= namesize) {
	krb5_clear_error_message(context);
	return KRB5_CONFIG_NOTENUFSPACE;
    }
    return 0;
}
    273 
    274 /**
    275  * Copy the name of the default modify keytab into `name'.
    276  *
    277  * @param context a Keberos context.
    278  * @param name buffer where the name will be written
    279  * @param namesize length of name
    280  *
    281  * @return Return an error code or 0, see krb5_get_error_message().
    282  *
    283  * @ingroup krb5_keytab
    284  */
    285 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
{
    const char *kt = context->default_keytab_modify;

    if (kt == NULL) {
	/* No explicit modify keytab: derive it from the default one. */
	const char *def = context->default_keytab;

	if (strncasecmp(def, "ANY:", 4) == 0) {
	    /* "ANY:a,b,c" -- the first component is the writable one. */
	    const char *first = def + 4;
	    size_t len = strcspn(first, ",");

	    if (len >= namesize) {
		krb5_clear_error_message(context);
		return KRB5_CONFIG_NOTENUFSPACE;
	    }
	    strlcpy(name, first, namesize);
	    name[len] = '\0';	/* cut at the first ',' */
	    return 0;
	}
	kt = def;
    }

    if (strlcpy(name, kt, namesize) >= namesize) {
	krb5_clear_error_message(context);
	return KRB5_CONFIG_NOTENUFSPACE;
    }
    return 0;
}
    311 
    312 /**
    313  * Set `id' to the default keytab.
    314  *
    315  * @param context a Keberos context.
    316  * @param id the new default keytab.
    317  *
    318  * @return Return an error code or 0, see krb5_get_error_message().
    319  *
    320  * @ingroup krb5_keytab
    321  */
    322 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_default(krb5_context context, krb5_keytab *id)
{
    /* The default keytab name lives in the context (the same string
     * krb5_kt_default_name() copies out); resolving it gives the handle. */
    const char *default_name = context->default_keytab;

    return krb5_kt_resolve(context, default_name, id);
}
    328 
    329 /**
    330  * Read the key identified by `(principal, vno, enctype)' from the
    331  * keytab in `keyprocarg' (the default if == NULL) into `*key'.
    332  *
    333  * @param context a Keberos context.
    334  * @param keyprocarg
    335  * @param principal
    336  * @param vno
    337  * @param enctype
    338  * @param key
    339  *
    340  * @return Return an error code or 0, see krb5_get_error_message().
    341  *
    342  * @ingroup krb5_keytab
    343  */
    344 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_read_service_key(krb5_context context,
			 krb5_pointer keyprocarg,
			 krb5_principal principal,
			 krb5_kvno vno,
			 krb5_enctype enctype,
			 krb5_keyblock **key)
{
    krb5_keytab kt;
    krb5_keytab_entry found;
    krb5_error_code ret;

    /* keyprocarg, when given, is a keytab name to resolve; NULL
     * selects the context's default keytab. */
    ret = keyprocarg != NULL
	? krb5_kt_resolve(context, keyprocarg, &kt)
	: krb5_kt_default(context, &kt);
    if (ret)
	return ret;

    ret = krb5_kt_get_entry(context, kt, principal, vno, enctype, &found);
    /* The keytab is not needed once the lookup is done; its close
     * status is not propagated to the caller. */
    krb5_kt_close(context, kt);
    if (ret)
	return ret;

    /* The caller owns *key; the matched entry itself is released here. */
    ret = krb5_copy_keyblock(context, &found.keyblock, key);
    krb5_kt_free_entry(context, &found);
    return ret;
}
    373 
    374 /**
 * Return the type of the `keytab' in the string `prefix' of length
 * `prefixsize'.
    377  *
    378  * @param context a Keberos context.
    379  * @param keytab the keytab to get the prefix for
    380  * @param prefix prefix buffer
    381  * @param prefixsize length of prefix buffer
    382  *
    383  * @return Return an error code or 0, see krb5_get_error_message().
    384  *
    385  * @ingroup krb5_keytab
    386  */
    387 
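KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_type(krb5_context context,
		 krb5_keytab keytab,
		 char *prefix,
		 size_t prefixsize)
{
    /* Report truncation instead of silently returning a clipped
     * prefix, the same way krb5_kt_default_name() does.  Prefixes
     * accepted by krb5_kt_register() are shorter than
     * KRB5_KT_PREFIX_MAX_LEN, so a buffer of that size never
     * truncates and existing callers are unaffected. */
    if (strlcpy(prefix, keytab->prefix, prefixsize) >= prefixsize) {
	krb5_clear_error_message(context);
	return KRB5_CONFIG_NOTENUFSPACE;
    }
    return 0;
}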
    397 
    398 /**
    399  * Retrieve the name of the keytab `keytab' into `name', `namesize'
    400  *
    401  * @param context a Keberos context.
    402  * @param keytab the keytab to get the name for.
    403  * @param name name buffer.
    404  * @param namesize size of name buffer.
    405  *
    406  * @return Return an error code or 0, see krb5_get_error_message().
    407  *
    408  * @ingroup krb5_keytab
    409  */
    410 
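KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_name(krb5_context context,
		 krb5_keytab keytab,
		 char *name,
		 size_t namesize)
{
    /* Like the iteration wrappers (krb5_kt_start_seq_get() and
     * friends), refuse cleanly when the backend does not implement
     * the operation instead of calling through a null pointer. */
    if (keytab->get_name == NULL) {
	krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
			       N_("get_name is not supported in the %s keytab type", ""),
			       keytab->prefix);
	return HEIM_ERR_OPNOTSUPP;
    }
    return (*keytab->get_name)(context, keytab, name, namesize);
}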
    419 
    420 /**
    421  * Retrieve the full name of the keytab `keytab' and store the name in
    422  * `str'.
    423  *
    424  * @param context a Keberos context.
    425  * @param keytab keytab to get name for.
 * @param str the name of the keytab, use krb5_xfree() to free
 *        the string.  On error, *str is set to NULL.
    428  *
    429  * @return Return an error code or 0, see krb5_get_error_message().
    430  *
    431  * @ingroup krb5_keytab
    432  */
    433 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_full_name(krb5_context context,
		      krb5_keytab keytab,
		      char **str)
{
    char type[KRB5_KT_PREFIX_MAX_LEN];
    char residual[MAXPATHLEN];
    krb5_error_code ret;

    /* Callers such as _krb5_kt_principal_not_found() rely on *str
     * being NULL on every failure path. */
    *str = NULL;

    if ((ret = krb5_kt_get_type(context, keytab, type, sizeof(type))) != 0)
	return ret;
    if ((ret = krb5_kt_get_name(context, keytab, residual, sizeof(residual))) != 0)
	return ret;

    /* Rebuild the "type:residual" form that krb5_kt_resolve() accepts. */
    if (asprintf(str, "%s:%s", type, residual) == -1) {
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
	*str = NULL;	/* asprintf() leaves *str unspecified on failure */
	return ENOMEM;
    }
    return 0;
}
    461 
    462 /**
    463  * Finish using the keytab in `id'.  All resources will be released,
    464  * even on errors.
    465  *
    466  * @param context a Keberos context.
    467  * @param id keytab to close.
    468  *
    469  * @return Return an error code or 0, see krb5_get_error_message().
    470  *
    471  * @ingroup krb5_keytab
    472  */
    473 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_close(krb5_context context,
	      krb5_keytab id)
{
    /* The backend releases its own state first; its status is what the
     * caller sees, but the handle is freed regardless of it. */
    krb5_error_code ret = (*id->close)(context, id);

    /* The handle holds only the ops table and the (already closed)
     * data pointer, so this memset is a use-after-free tripwire rather
     * than secret erasure; a plain memset right before free() may be
     * elided by the compiler. */
    memset(id, 0, sizeof(*id));
    free(id);
    return ret;
}
    485 
    486 /**
 * Destroy (remove) the keytab in `id'.  All resources will be released,
 * even on errors; does the equivalent of krb5_kt_close() on the resources.
    489  *
    490  * @param context a Keberos context.
    491  * @param id keytab to destroy.
    492  *
    493  * @return Return an error code or 0, see krb5_get_error_message().
    494  *
    495  * @ingroup krb5_keytab
    496  */
    497 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_destroy(krb5_context context,
		krb5_keytab id)
{
    krb5_error_code destroy_ret;

    /* NOTE(review): id->destroy is not checked for NULL, unlike the
     * optional operations (start_seq_get, add, ...); a backend without
     * destroy would fault here -- confirm every backend provides it. */
    destroy_ret = (*id->destroy)(context, id);

    /* Release the handle exactly as krb5_kt_close() would; only the
     * destroy status is reported, the close status is dropped. */
    (void)krb5_kt_close(context, id);
    return destroy_ret;
}
    508 
    509 /*
    510  * Match any aliases in keytab `entry' with `principal'.
    511  */
    512 
static krb5_boolean
compare_aliseses(krb5_context context,
		 krb5_keytab_entry *entry,
		 krb5_const_principal principal)
{
    krb5_boolean matched = FALSE;
    unsigned int n;

    /* An entry without an alias list matches nothing here; the entry's
     * own principal is compared by the caller (krb5_kt_compare). */
    if (entry->aliases != NULL) {
	for (n = 0; n < entry->aliases->len && !matched; n++) {
	    if (krb5_principal_compare(context, &entry->aliases->val[n],
				       principal))
		matched = TRUE;
	}
    }
    return matched;
}
    526 
    527 /**
    528  * Compare `entry' against `principal, vno, enctype'.
    529  * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
    530  * Return TRUE if they compare the same, FALSE otherwise.
    531  *
    532  * @param context a Keberos context.
    533  * @param entry an entry to match with.
    534  * @param principal principal to match, NULL matches all principals.
    535  * @param vno key version to match, 0 matches all key version numbers.
    536  * @param enctype encryption type to match, 0 matches all encryption types.
    537  *
 * @return Return TRUE on match, FALSE otherwise.
    539  *
    540  * @ingroup krb5_keytab
    541  */
    542 
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kt_compare(krb5_context context,
		krb5_keytab_entry *entry,
		krb5_const_principal principal,
		krb5_kvno vno,
		krb5_enctype enctype)
{
    krb5_boolean principal_ok, vno_ok, enctype_ok;

    /* Each selector is a wildcard when NULL/0 and must match otherwise.
     * A principal matches the entry's own name or any of its aliases. */
    principal_ok = principal == NULL
	|| krb5_principal_compare(context, entry->principal, principal)
	|| compare_aliseses(context, entry, principal);
    vno_ok = vno == 0 || vno == entry->vno;
    enctype_ok = enctype == 0 || enctype == entry->keyblock.keytype;

    return (principal_ok && vno_ok && enctype_ok) ? TRUE : FALSE;
}
    560 
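/*
 * Set a "not found" error message describing `principal', `kvno' and
 * `enctype' in keytab `id', and return `ret' unchanged so callers can
 * `return _krb5_kt_principal_not_found(...)'.
 */
krb5_error_code
_krb5_kt_principal_not_found(krb5_context context,
			     krb5_error_code ret,
			     krb5_keytab id,
			     krb5_const_principal principal,
			     krb5_enctype enctype,
			     int kvno)
{
    char princ[256], kvno_str[25], *kt_name = NULL;
    char *enctype_str = NULL;

    /* Every piece of the message is best effort.  If the principal
     * cannot be rendered, substitute a placeholder rather than
     * formatting an unset buffer.  krb5_kt_get_full_name() sets
     * kt_name to NULL on failure; enctype_str stays NULL unless the
     * helper allocated it, and both are only used when non-NULL. */
    if (krb5_unparse_name_fixed(context, principal, princ, sizeof(princ)) != 0)
	strlcpy(princ, "unknown principal", sizeof(princ));
    krb5_kt_get_full_name(context, id, &kt_name);
    krb5_enctype_to_string(context, enctype, &enctype_str);

    if (kvno)
	snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
    else
	kvno_str[0] = '\0';

    krb5_set_error_message(context, ret,
			   N_("Failed to find %s%s in keytab %s (%s)",
			      "principal, kvno, keytab file, enctype"),
			   princ,
			   kvno_str,
			   kt_name ? kt_name : "unknown keytab",
			   enctype_str ? enctype_str : "unknown enctype");
    free(kt_name);
    free(enctype_str);
    return ret;
}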
    592 
    593 
    594 /**
    595  * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
    596  * from the keytab `id'. Matching is done like krb5_kt_compare().
    597  *
    598  * @param context a Keberos context.
    599  * @param id a keytab.
    600  * @param principal principal to match, NULL matches all principals.
    601  * @param kvno key version to match, 0 matches all key version numbers.
    602  * @param enctype encryption type to match, 0 matches all encryption types.
    603  * @param entry the returned entry, free with krb5_kt_free_entry().
    604  *
    605  * @return Return an error code or 0, see krb5_get_error_message().
    606  *
    607  * @ingroup krb5_keytab
    608  */
    609 
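KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_get_entry(krb5_context context,
		  krb5_keytab id,
		  krb5_const_principal principal,
		  krb5_kvno kvno,
		  krb5_enctype enctype,
		  krb5_keytab_entry *entry)
{
    krb5_keytab_entry tmp;
    krb5_error_code ret;
    krb5_kt_cursor cursor;

    /* Backends with a native lookup answer directly. */
    if(id->get)
	return (*id->get)(context, id, principal, kvno, enctype, entry);

    ret = krb5_kt_start_seq_get (context, id, &cursor);
    if (ret) {
	/* This is needed for krb5_verify_init_creds, but keep error
	 * string from previous error for the human. */
	context->error_code = KRB5_KT_NOTFOUND;
	return KRB5_KT_NOTFOUND;
    }

    /* entry->vno doubles as the "a candidate has been copied" flag for
     * the kvno == 0 (highest version wins) search below. */
    entry->vno = 0;
    while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
	/* kvno is deliberately passed as 0: the version is compared
	 * separately so the 8-bit rule below can apply. */
	if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
	    /* the file keytab might only store the lower 8 bits of
	       the kvno, so only compare those bits */
	    if (kvno == tmp.vno
		|| (tmp.vno < 256 && kvno % 256 == tmp.vno)) {
		/* Exact (or 8-bit) match.  A best-so-far candidate may
		 * already sit in *entry (kvno == 0 and tmp.vno == 0);
		 * release it before it is overwritten. */
		if (entry->vno)
		    krb5_kt_free_entry (context, entry);
		ret = krb5_kt_copy_entry_contents (context, &tmp, entry);
		krb5_kt_free_entry (context, &tmp);
		krb5_kt_end_seq_get(context, id, &cursor);
		/* A failed copy (e.g. ENOMEM) is reported rather than
		 * returning success with a zeroed entry. */
		return ret;
	    } else if (kvno == 0 && tmp.vno > entry->vno) {
		/* Wildcard kvno: keep the highest version seen so far. */
		if (entry->vno)
		    krb5_kt_free_entry (context, entry);
		ret = krb5_kt_copy_entry_contents (context, &tmp, entry);
		if (ret) {
		    /* copy_entry_contents leaves *entry zeroed on failure */
		    krb5_kt_free_entry(context, &tmp);
		    krb5_kt_end_seq_get(context, id, &cursor);
		    return ret;
		}
	    }
	}
	krb5_kt_free_entry(context, &tmp);
    }
    krb5_kt_end_seq_get (context, id, &cursor);
    if (entry->vno == 0)
	return _krb5_kt_principal_not_found(context, KRB5_KT_NOTFOUND,
					    id, principal, enctype, kvno);
    return 0;
}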
    658 
    659 /**
    660  * Copy the contents of `in' into `out'.
    661  *
    662  * @param context a Keberos context.
    663  * @param in the keytab entry to copy.
    664  * @param out the copy of the keytab entry, free with krb5_kt_free_entry().
    665  *
    666  * @return Return an error code or 0, see krb5_get_error_message().
    667  *
    668  * @ingroup krb5_keytab
    669  */
    670 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_copy_entry_contents(krb5_context context,
			    const krb5_keytab_entry *in,
			    krb5_keytab_entry *out)
{
    krb5_error_code ret;

    /* Start from an all-zero entry so krb5_kt_free_entry() is safe on
     * `out' at any point below.  `aliases' is left NULL: the alias
     * list is not duplicated by this function. */
    memset(out, 0, sizeof(*out));
    out->vno = in->vno;

    ret = krb5_copy_principal(context, in->principal, &out->principal);
    if (ret == 0)
	ret = krb5_copy_keyblock_contents(context, &in->keyblock,
					  &out->keyblock);
    if (ret != 0) {
	/* Release whatever was copied before the failure; this also
	 * zeroes *out again, vno included. */
	krb5_kt_free_entry(context, out);
	return ret;
    }

    out->timestamp = in->timestamp;
    return 0;
}
    695 
    696 /**
    697  * Free the contents of `entry'.
    698  *
    699  * @param context a Keberos context.
    700  * @param entry the entry to free
    701  *
    702  * @return Return an error code or 0, see krb5_get_error_message().
    703  *
    704  * @ingroup krb5_keytab
    705  */
    706 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_free_entry(krb5_context context,
		   krb5_keytab_entry *entry)
{
    /* Release the owned members, then zero the whole entry so that a
     * repeated free, or the vno check in krb5_kt_get_entry(), sees an
     * empty entry.
     * NOTE(review): entry->aliases is not released here; if a backend
     * populates it, the list leaks -- confirm against the backends. */
    krb5_free_principal(context, entry->principal);
    krb5_free_keyblock_contents(context, &entry->keyblock);
    memset(entry, 0, sizeof(*entry));

    /* Cannot fail; the return type exists for API symmetry. */
    return 0;
}
    716 
    717 /**
    718  * Set `cursor' to point at the beginning of `id'.
    719  *
    720  * @param context a Keberos context.
    721  * @param id a keytab.
    722  * @param cursor a newly allocated cursor, free with krb5_kt_end_seq_get().
    723  *
    724  * @return Return an error code or 0, see krb5_get_error_message().
    725  *
    726  * @ingroup krb5_keytab
    727  */
    728 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_start_seq_get(krb5_context context,
		      krb5_keytab id,
		      krb5_kt_cursor *cursor)
{
    /* Iteration is optional for a backend: report it as unsupported
     * instead of calling through a null pointer. */
    if (id->start_seq_get != NULL)
	return (*id->start_seq_get)(context, id, cursor);

    krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
			   N_("start_seq_get is not supported "
			      "in the %s keytab type", ""),
			   id->prefix);
    return HEIM_ERR_OPNOTSUPP;
}
    743 
    744 /**
    745  * Get the next entry from keytab, advance the cursor.  On last entry
    746  * the function will return KRB5_KT_END.
    747  *
    748  * @param context a Keberos context.
    749  * @param id a keytab.
    750  * @param entry the returned entry, free with krb5_kt_free_entry().
    751  * @param cursor the cursor of the iteration.
    752  *
    753  * @return Return an error code or 0, see krb5_get_error_message().
    754  *
    755  * @ingroup krb5_keytab
    756  */
    757 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_next_entry(krb5_context context,
		   krb5_keytab id,
		   krb5_keytab_entry *entry,
		   krb5_kt_cursor *cursor)
{
    /* The backend advances the cursor and fills `entry'; when it has
     * no iterator the call is refused up front. */
    if (id->next_entry != NULL)
	return (*id->next_entry)(context, id, entry, cursor);

    krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
			   N_("next_entry is not supported in the %s "
			      " keytab", ""),
			   id->prefix);
    return HEIM_ERR_OPNOTSUPP;
}
    773 
    774 /**
    775  * Release all resources associated with `cursor'.
    776  *
    777  * @param context a Keberos context.
    778  * @param id a keytab.
    779  * @param cursor the cursor to free.
    780  *
    781  * @return Return an error code or 0, see krb5_get_error_message().
    782  *
    783  * @ingroup krb5_keytab
    784  */
    785 
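KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_end_seq_get(krb5_context context,
		    krb5_keytab id,
		    krb5_kt_cursor *cursor)
{
    /* Mirrors krb5_kt_start_seq_get(): a backend without iteration
     * support is refused instead of being called through NULL.  The
     * message is marked with N_() like every other message in this
     * file so it is picked up for translation (the bytes are unchanged). */
    if (id->end_seq_get == NULL) {
	krb5_set_error_message(context, HEIM_ERR_OPNOTSUPP,
			       N_("end_seq_get is not supported in the %s "
				  " keytab", ""),
			       id->prefix);
	return HEIM_ERR_OPNOTSUPP;
    }
    return (*id->end_seq_get)(context, id, cursor);
}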
    799 
    800 /**
    801  * Add the entry in `entry' to the keytab `id'.
    802  *
    803  * @param context a Keberos context.
    804  * @param id a keytab.
    805  * @param entry the entry to add
    806  *
    807  * @return Return an error code or 0, see krb5_get_error_message().
    808  *
    809  * @ingroup krb5_keytab
    810  */
    811 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_add_entry(krb5_context context,
		  krb5_keytab id,
		  krb5_keytab_entry *entry)
{
    if (id->add != NULL) {
	/* The timestamp is stamped here, overriding whatever the
	 * caller put in the entry, so every backend records the same
	 * notion of "when added". */
	entry->timestamp = time(NULL);
	return (*id->add)(context, id, entry);
    }

    /* Read-only backends have no add(); report KRB5_KT_NOWRITE. */
    krb5_set_error_message(context, KRB5_KT_NOWRITE,
			   N_("Add is not supported in the %s keytab", ""),
			   id->prefix);
    return KRB5_KT_NOWRITE;
}
    826 
    827 /**
    828  * Remove an entry from the keytab, matching is done using
    829  * krb5_kt_compare().
    830 
    831  * @param context a Keberos context.
    832  * @param id a keytab.
    833  * @param entry the entry to remove
    834  *
    835  * @return Return an error code or 0, see krb5_get_error_message().
    836  *
    837  * @ingroup krb5_keytab
    838  */
    839 
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_remove_entry(krb5_context context,
		     krb5_keytab id,
		     krb5_keytab_entry *entry)
{
    /* Removal is delegated to the backend; read-only backends have no
     * remove() and are reported as KRB5_KT_NOWRITE. */
    if (id->remove != NULL)
	return (*id->remove)(context, id, entry);

    krb5_set_error_message(context, KRB5_KT_NOWRITE,
			   N_("Remove is not supported in the %s keytab", ""),
			   id->prefix);
    return KRB5_KT_NOWRITE;
}
    853 
    854 /**
 * Check that the keytab exists and has at least one entry.
    856  *
    857  * @param context a Keberos context.
    858  * @param id a keytab.
    859  *
    860  * @return Return an error code or 0, see krb5_get_error_message().
    861  *
    862  * @ingroup krb5_keytab
    863  */
    864 
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kt_have_content(krb5_context context,
		     krb5_keytab id)
{
    krb5_keytab_entry first;
    krb5_kt_cursor cursor;
    char *kt_name;

    /* Despite the krb5_boolean return type this follows the error-code
     * convention of the rest of the file: 0 when at least one entry
     * could be read, KRB5_KT_NOTFOUND otherwise.  Callers test the
     * result like an error code. */
    if (krb5_kt_start_seq_get(context, id, &cursor) == 0) {
	krb5_error_code next = krb5_kt_next_entry(context, id, &first, &cursor);

	krb5_kt_end_seq_get(context, id, &cursor);
	if (next == 0) {
	    krb5_kt_free_entry(context, &first);
	    return 0;
	}
    }

    /* Only replace the error message when the keytab name is
     * available; otherwise whatever the backend reported stays. */
    if (krb5_kt_get_full_name(context, id, &kt_name) == 0) {
	krb5_set_error_message(context, KRB5_KT_NOTFOUND,
			       N_("No entry in keytab: %s", ""), kt_name);
	free(kt_name);
    }
    return KRB5_KT_NOTFOUND;
}
    896