krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
char *r, int from_keyboard)
{
int ret = 0;
char *realm;
krb5_boolean from_kbd = FALSE;
if (from_keyboard)
from_kbd = TRUE;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
handle->params.mkey_name,
realm, NULL, &master_princ)))
goto done;
/* Solaris Kerberos */
#if 0
master_keyblock.enctype = handle->params.enctype;
#endif
/* Solaris Kerberos */
ret = krb5_db_fetch_mkey(handle->context, master_princ,
handle->params.enctype, from_kbd,
FALSE /* only prompt once */,
handle->params.stash_file,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&handle->master_keyblock);
if (ret)
goto done;
/* Solaris Kerberos */
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
&handle->master_keyblock))) {
krb5_db_fini(handle->context);
return ret;
}
done:
if (r == NULL)
free(realm);
return(ret);
}
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
char *r, int from_keyboard)
{
int ret = 0;
char *realm;
krb5_keyblock tmk;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
handle->params.mkey_name,
realm, NULL, &master_princ)))
goto done;
if (ret = krb5_db_fetch_mkey(handle->context, master_princ,
handle->params.enctype,
from_keyboard,
FALSE /* only prompt once */,
handle->params.stash_file,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&handle->master_keyblock))
goto done;
if ((ret = krb5_db_init(handle->context)) != KSUCCESS)
goto done;
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
&handle->master_keyblock))) {
krb5_db_fini(handle->context);
return ret;
}
done:
if (r == NULL)
free(realm);
return(ret);
}
/*
* Initialize a realm control structure from the alternate profile or from
* the specified defaults.
*
* After we're complete here, the essence of the realm is embodied in the
* realm data and we should be all set to begin operation for that realm.
*/
static krb5_error_code
init_realm(krb5_context kcontext, char *progname, kdc_realm_t *rdp, char *realm,
char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports,
char *def_tcp_ports, krb5_boolean def_manual, char **db_args)
{
krb5_error_code kret;
krb5_boolean manual;
krb5_realm_params *rparams;
memset((char *) rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
kret = EINVAL;
goto whoops;
}
rdp->realm_name = realm;
kret = krb5int_init_context_kdc(&rdp->realm_context);
if (kret) {
com_err(progname, kret, gettext("while getting context for realm %s"),
realm);
goto whoops;
}
/*
* Solaris Kerberos:
* Set the current context to that of the realm being init'ed
*/
krb5_klog_set_context(rdp->realm_context);
kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name,
&rparams);
if (kret) {
com_err(progname, kret, gettext("while reading realm parameters"));
goto whoops;
}
/* Handle profile file name */
if (rparams && rparams->realm_profile)
rdp->realm_profile = strdup(rparams->realm_profile);
/* Handle master key name */
if (rparams && rparams->realm_mkey_name)
rdp->realm_mpname = strdup(rparams->realm_mkey_name);
else
rdp->realm_mpname = (def_mpname) ? strdup(def_mpname) :
strdup(KRB5_KDB_M_NAME);
/* Handle KDC ports */
if (rparams && rparams->realm_kdc_ports)
rdp->realm_ports = strdup(rparams->realm_kdc_ports);
else
rdp->realm_ports = strdup(def_udp_ports);
if (rparams && rparams->realm_kdc_tcp_ports)
rdp->realm_tcp_ports = strdup(rparams->realm_kdc_tcp_ports);
else
rdp->realm_tcp_ports = strdup(def_tcp_ports);
/* Handle stash file */
if (rparams && rparams->realm_stash_file) {
rdp->realm_stash = strdup(rparams->realm_stash_file);
manual = FALSE;
} else
manual = def_manual;
/* Handle master key type */
if (rparams && rparams->realm_enctype_valid)
rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype;
else
rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
/* Handle reject-bad-transit flag */
if (rparams && rparams->realm_reject_bad_transit_valid)
rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
else
rdp->realm_reject_bad_transit = 1;
/* Handle ticket maximum life */
rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
/* Handle ticket renewable maximum life */
rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
if (rparams)
krb5_free_realm_params(rdp->realm_context, rparams);
/*
* We've got our parameters, now go and setup our realm context.
*/
/* Set the default realm of this context */
if ((kret = krb5_set_default_realm(rdp->realm_context, realm))) {
com_err(progname, kret, gettext("while setting default realm to %s"),
realm);
goto whoops;
}
/* first open the database before doing anything */
#ifdef KRBCONF_KDC_MODIFIES_KDB
if ((kret = krb5_db_open(rdp->realm_context, db_args,
KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_KDC))) {
#else
if ((kret = krb5_db_open(rdp->realm_context, db_args,
KRB5_KDB_OPEN_RO | KRB5_KDB_SRV_TYPE_KDC))) {
#endif
/*
* Solaris Kerberos:
* Make sure that error messages are printed using gettext
*/
com_err(progname, kret,
gettext("while initializing database for realm %s"), realm);
goto whoops;
}
/* Assemble and parse the master key name */
if ((kret = krb5_db_setup_mkey_name(rdp->realm_context, rdp->realm_mpname,
rdp->realm_name, (char **) NULL,
&rdp->realm_mprinc))) {
com_err(progname, kret,
gettext("while setting up master key name %s for realm %s"),
rdp->realm_mpname, realm);
goto whoops;
}
/*
* Get the master key.
*/
if ((kret = krb5_db_fetch_mkey(rdp->realm_context, rdp->realm_mprinc,
rdp->realm_mkey.enctype, manual,
FALSE, rdp->realm_stash,
0, &rdp->realm_mkey))) {
com_err(progname, kret,
gettext("while fetching master key %s for realm %s"),
rdp->realm_mpname, realm);
goto whoops;
}
/* Verify the master key */
if ((kret = krb5_db_verify_master_key(rdp->realm_context,
rdp->realm_mprinc,
&rdp->realm_mkey))) {
com_err(progname, kret,
gettext("while verifying master key for realm %s"),
realm);
goto whoops;
}
if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
com_err(progname, kret,
gettext("while processing master key for realm %s"),
realm);
goto whoops;
}
/* Set up the keytab */
if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,
&rdp->realm_keytab))) {
com_err(progname, kret,
gettext("while resolving kdb keytab for realm %s"),
realm);
goto whoops;
}
/* Preformat the TGS name */
if ((kret = krb5_build_principal(rdp->realm_context, &rdp->realm_tgsprinc,
strlen(realm), realm, KRB5_TGS_NAME,
realm, (char *) NULL))) {
com_err(progname, kret,
gettext("while building TGS name for realm %s"),
realm);
goto whoops;
}
if (!rkey_init_done) {
krb5_data seed;
#ifdef KRB5_KRB4_COMPAT
krb5_keyblock temp_key;
#endif
/*
* If all that worked, then initialize the random key
* generators.
*/
seed.length = rdp->realm_mkey.length;
seed.data = (char *)rdp->realm_mkey.contents;
/* SUNW14resync - XXX */
#if 0
if ((kret = krb5_c_random_add_entropy(rdp->realm_context,
KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
goto whoops;
#endif
#ifdef KRB5_KRB4_COMPAT
if ((kret = krb5_c_make_random_key(rdp->realm_context,
ENCTYPE_DES_CBC_CRC, &temp_key))) {
com_err(progname, kret,
"while initializing V4 random key generator");
goto whoops;
}
(void) des_init_random_number_generator(temp_key.contents);
krb5_free_keyblock_contents(rdp->realm_context, &temp_key);
#endif
rkey_init_done = 1;
}
whoops:
/*
* If we choked, then clean up any dirt we may have dropped on the floor.
*/
if (kret) {
finish_realm(rdp);
}
/*
* Solaris Kerberos:
* Set the current context back to the general context
*/
krb5_klog_set_context(kcontext);
return(kret);
}
krb5_sigtype
request_exit(int signo)
{
signal_requests_exit = 1;
#ifdef POSIX_SIGTYPE
return;
#else
return(0);
#endif
}
