From 8230c4b7b7323cdef2a6c877deb710a15380f40f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 19 Apr 2012 17:55:14 +0000 Subject: [PATCH] Use etypes from keytab in krb5_gic_keytab When getting initial credentials with a keytab, filter the list of request enctypes based on the keys in the keytab. Based on a patch from Stef Walter. ticket: 2131 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-trace.h | 4 ++ src/lib/krb5/krb/gic_keytab.c | 118 ++++++++++++++++++++++++++++++++++ src/tests/t_keytab.py | 7 +- 3 files changed, 128 insertions(+), 1 deletion(-) diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 3749cf900..36eb23bb3 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -187,6 +187,10 @@ #define TRACE_INIT_CREDS_GAK(c, salt, s2kparams) \ TRACE(c, (c, "Getting AS key, salt \"{data}\", params \"{data}\"", \ salt, s2kparams)) +#define TRACE_INIT_CREDS_KEYTAB_LOOKUP(c, etypes) \ + TRACE(c, (c, "Looked up etypes in keytab: {etypes}", etypes)) +#define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code) \ + TRACE(c, (c, "Couldn't lookup etypes in keytab: {kerr}", code)) #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \ TRACE(c, (c, "Decrypt with preauth AS key failed: {kerr}", code)) #define TRACE_INIT_CREDS_RESTART_FAST(c) \ diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index e59177fda..3554b257c 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -77,14 +77,132 @@ get_as_key_keytab(krb5_context context, return(ret); } +/* Return the list of etypes available for client in keytab. */ +static krb5_error_code +lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab, + krb5_principal client, krb5_enctype **etypes_out) +{ + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_enctype *p, *etypes = NULL; + krb5_kvno max_kvno = 0; + krb5_error_code ret; + size_t count = 0; + + *etypes_out = NULL; + + if (keytab->ops->start_seq_get == NULL) + return EINVAL; + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret != 0) + return ret; + + for (;;) { + ret = krb5_kt_next_entry(context, keytab, &entry, &cursor); + if (ret == KRB5_KT_END) + break; + if (ret) + goto cleanup; + + if (!krb5_c_valid_enctype(entry.key.enctype)) + continue; + if (!krb5_principal_compare(context, entry.principal, client)) + continue; + /* Make sure our list is for the highest kvno found for client. */ + if (entry.vno > max_kvno) { + free(etypes); + etypes = NULL; + count = 0; + max_kvno = entry.vno; + } else if (entry.vno != max_kvno) + continue; + + /* Leave room for the terminator and possibly a second entry. */ + p = realloc(etypes, (count + 3) * sizeof(*etypes)); + if (p == NULL) { + ret = ENOMEM; + goto cleanup; + } + etypes = p; + etypes[count++] = entry.key.enctype; + /* All DES key types work with des-cbc-crc, which is more likely to be + * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */ + if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 || + entry.key.enctype == ENCTYPE_DES_CBC_MD4) + etypes[count++] = ENCTYPE_DES_CBC_CRC; + etypes[count] = 0; + } + + ret = 0; + *etypes_out = etypes; + etypes = NULL; +cleanup: + krb5_kt_end_seq_get(context, keytab, &cursor); + free(etypes); + return ret; +} + +/* Return true if search_for is in etype_list. */ +static krb5_boolean +check_etypes_have(krb5_enctype *etype_list, krb5_enctype search_for) +{ + int i; + + if (!etype_list) + return FALSE; + + for (i = 0; etype_list[i] != 0; i++) { + if (etype_list[i] == search_for) + return TRUE; + } + + return FALSE; +} + krb5_error_code KRB5_CALLCONV krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab) { + krb5_enctype *etype_list; + krb5_error_code ret; + int i, j; + char *name; + ctx->gak_fct = get_as_key_keytab; ctx->gak_data = keytab; + ret = lookup_etypes_for_keytab(context, keytab, ctx->request->client, + &etype_list); + if (ret) { + TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(context, ret); + return 0; + } + + TRACE_INIT_CREDS_KEYTAB_LOOKUP(context, etype_list); + + /* Filter the ktypes list based on what's in the keytab */ + for (i = 0, j = 0; i < ctx->request->nktypes; i++) { + if (check_etypes_have(etype_list, ctx->request->ktype[i])) { + ctx->request->ktype[j] = ctx->request->ktype[i]; + j++; + } + } + ctx->request->nktypes = j; + free(etype_list); + + /* Error out now if there's no overlap. */ + if (ctx->request->nktypes == 0) { + ret = krb5_unparse_name(context, ctx->request->client, &name); + if (ret == 0) { + krb5_set_error_message(context, KRB5_KT_NOTFOUND, + _("Keytab contains no suitable keys for " + "%s"), name); + } + krb5_free_unparsed_name(context, name); + return KRB5_KT_NOTFOUND; + } + return 0; } diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py index b45bfa6d9..7faf23cbf 100644 --- a/src/tests/t_keytab.py +++ b/src/tests/t_keytab.py @@ -10,7 +10,12 @@ realm.kinit(realm.host_princ, flags=['-k']) pkeytab = realm.keytab + '.partial' realm.run_as_master([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % (realm.keytab, pkeytab))) -realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab], expected_code=1) +realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab]) + +# Test kinit with no keys for client in keytab. +output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1) +if 'no suitable keys' not in output: + fail('Expected error not seen in kinit output') # Test handling of kvno values beyond 255. princ = 'foo/bar@%s' % realm.realm -- 2.26.2