diff options
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/sss_krb5.c | 137 | ||||
-rw-r--r-- | src/util/sss_krb5.h | 8 |
2 files changed, 145 insertions, 0 deletions
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c index d29dbe7d..98853199 100644 --- a/src/util/sss_krb5.c +++ b/src/util/sss_krb5.c @@ -981,3 +981,140 @@ sss_krb5_free_keytab_entry_contents(krb5_context context, return krb5_kt_free_entry(context, entry); } #endif + +static int +is_preferred_etype (krb5_enctype etype) +{ + static const krb5_enctype preferred[] = { + ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, +#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC + ENCTYPE_CAMELLIA128_CTS_CMAC, +#endif +#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC + ENCTYPE_CAMELLIA256_CTS_CMAC, +#endif + 0 + }; + int i; + + for (i = 0; preferred[i] != 0; i++) { + if (preferred[i] == etype) { + return 1; + } + } + + return 0; +} + +static int +compare_etypes (const void *one, + const void *two) +{ + const krb5_enctype *e1 = one; + const krb5_enctype *e2 = two; + int p1, p2; + + p1 = is_preferred_etype(*e1); + p2 = is_preferred_etype(*e2); + + if (p1 == p2) { + return (int)*e2 - (int)*e1; + } + + /* Sort preferred etypes first */ + return p2 - p1; +} + +krb5_error_code +sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_keytab keytab, + krb5_principal princ, + krb5_enctype **etype_list, + int *n_etype_list) +{ + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_enctype *etypes = NULL; + krb5_kvno max_kvno = 0; + int allocated = 0; + TALLOC_CTX *tmp_ctx; + int count = 0; + int ret; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret != 0) { + talloc_free(tmp_ctx); + return ret; + } + + for (;;) { + ret = krb5_kt_next_entry(context, keytab, &entry, &cursor); + if (ret != 0) { + break; + } + + if (!krb5_c_valid_enctype(entry.key.enctype) || + !krb5_principal_compare(context, entry.principal, princ)) { + continue; + } + + /* Make sure our list is for the highest kvno found for client. */ + if (entry.vno > max_kvno) { + count = 0; + max_kvno = entry.vno; + } else if (entry.vno != max_kvno) { + continue; + } + + /* + * Reallocate and add enctype. When reallocating always reserve + * one for extra logic below. + */ + if (count + 1 >= allocated) { + allocated += 16; + etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, allocated); + if (etypes == NULL) { + ret = ENOMEM; + break; + } + } + etypes[count] = entry.key.enctype; + count++; + + /* All DES key types work with des-cbc-crc, which is more likely to be + * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */ + if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 || + entry.key.enctype == ENCTYPE_DES_CBC_MD4) { + etypes[count] = ENCTYPE_DES_CBC_CRC; + count++; + } + } + + krb5_kt_end_seq_get(context, keytab, &cursor); + + if (ret == KRB5_KT_END) { + ret = 0; + } + + if (ret == 0) { + /* Sort the preferred enctypes first */ + qsort(etypes, count, sizeof(*etypes), compare_etypes); + etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count); + if (etypes == NULL) { + ret = ENOMEM; + } else { + *etype_list = talloc_steal(mem_ctx, etypes); + *n_etype_list = count; + } + } + + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h index 6ad80806..12412585 100644 --- a/src/util/sss_krb5.h +++ b/src/util/sss_krb5.h @@ -137,4 +137,12 @@ typedef krb5_ticket_times sss_krb5_ticket_times; typedef krb5_times sss_krb5_ticket_times; #endif +krb5_error_code +sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_keytab keytab, + krb5_principal princ, + krb5_enctype **etype_list, + int *n_etype_list); + #endif /* __SSS_KRB5_H__ */ |