static void
tokey(krb5_context context,
krb5_enctype enctype,
const char *pw,
krb5_salt salt,
const char *label)
{
krb5_error_code ret;
size_t i;
krb5_keyblock key;
char *e;
ret = krb5_string_to_key_salt(context, enctype, pw, salt, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_key_salt");
ret = krb5_enctype_to_string(context, enctype, &e);
if (ret)
krb5_err(context, 1, ret, "krb5_enctype_to_string");
printf(label, e);
printf(": ");
for(i = 0; i < key.keyvalue.length; i++)
printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
printf("\n");
krb5_free_keyblock_contents(context, &key);
free(e);
}
KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
krb5_password_key_proc (krb5_context context,
krb5_enctype type,
krb5_salt salt,
krb5_const_pointer keyseed,
krb5_keyblock **key)
{
krb5_error_code ret;
const char *password = (const char *)keyseed;
char buf[BUFSIZ];
*key = malloc (sizeof (**key));
if (*key == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
if (password == NULL) {
if(UI_UTIL_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
free (*key);
krb5_clear_error_message(context);
return KRB5_LIBOS_PWDINTR;
}
password = buf;
}
ret = krb5_string_to_key_salt (context, type, password, salt, *key);
memset (buf, 0, sizeof(buf));
return ret;
}
int create_kerberos_key_from_string_direct(krb5_context context,
krb5_principal host_princ,
krb5_data *password,
krb5_keyblock *key,
krb5_enctype enctype)
{
int ret;
krb5_salt salt;
ret = krb5_get_pw_salt(context, host_princ, &salt);
if (ret) {
DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
return ret;
}
ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
krb5_free_salt(context, salt);
return ret;
}
krb5_error_code
hdb_generate_key_set_password(krb5_context context,
krb5_principal principal,
const char *password,
krb5_key_salt_tuple *ks_tuple, int n_ks_tuple,
Key **keys, size_t *num_keys)
{
krb5_error_code ret;
size_t i;
ret = hdb_generate_key_set(context, principal, ks_tuple, n_ks_tuple,
keys, num_keys, 0);
if (ret)
return ret;
for (i = 0; i < (*num_keys); i++) {
krb5_salt salt;
Key *key = &(*keys)[i];
salt.salttype = key->salt->type;
salt.saltvalue.length = key->salt->salt.length;
salt.saltvalue.data = key->salt->salt.data;
ret = krb5_string_to_key_salt (context,
key->key.keytype,
password,
salt,
&key->key);
if(ret)
break;
}
if(ret) {
hdb_free_keys (context, *num_keys, *keys);
return ret;
}
return ret;
}
static krb5_error_code
kcm_password_key_proc(krb5_context context,
krb5_enctype etype,
krb5_salt salt,
krb5_const_pointer keyseed,
krb5_keyblock **key)
{
krb5_error_code ret;
struct kcm_keyseed_data *s = (struct kcm_keyseed_data *)keyseed;
/* we may be called multiple times */
krb5_free_salt(context, s->salt);
krb5_data_zero(&s->salt.saltvalue);
/* stash the salt */
s->salt.salttype = salt.salttype;
ret = krb5_data_copy(&s->salt.saltvalue,
salt.saltvalue.data,
salt.saltvalue.length);
if (ret)
return ret;
*key = (krb5_keyblock *)malloc(sizeof(**key));
if (*key == NULL) {
return ENOMEM;
}
ret = krb5_string_to_key_salt(context, etype, s->password,
s->salt, *key);
if (ret) {
free(*key);
*key = NULL;
}
return ret;
}
krb5KeyblockObject *keyblock_new(PyObject *unused, PyObject *args)
{
krb5_error_code ret;
krb5ContextObject *context;
krb5EnctypeObject *enctype;
char *password;
PyObject *arg;
krb5KeyblockObject *self = (krb5KeyblockObject *) PyObject_New(krb5KeyblockObject, &krb5KeyblockType);
int error = 0;
if (!PyArg_ParseTuple(args, "OOsO", &context, &enctype, &password,
&arg))
return NULL;
if (self == NULL)
return NULL;
self->context = context->context;
#if PY_MAJOR_VERSION >= 2 && PY_MINOR_VERSION >= 2
if (PyObject_TypeCheck(arg, &krb5SaltType)) {
krb5SaltObject *salt = (krb5SaltObject*)arg;
ret = krb5_string_to_key_salt(context->context, enctype->enctype, password,
salt->salt, &self->keyblock);
} else if (PyObject_TypeCheck(arg, &krb5PrincipalType)) {
#else
if (1) {
#endif
krb5PrincipalObject *principal = (krb5PrincipalObject*)arg;
ret = krb5_string_to_key(context->context, enctype->enctype, password,
principal->principal, &self->keyblock);
} else {
PyErr_SetString(PyExc_TypeError, "either principal or salt needs to be passed");
error = 1;
goto out;
}
if (ret) {
error = 1;
krb5_exception(NULL, ret);
goto out;
}
out:
if (error)
return NULL;
else
return self;
}
krb5KeyblockObject *keyblock_raw_new(PyObject *unused, PyObject *args)
{
krb5_error_code ret;
krb5ContextObject *py_context;
PyObject *py_enctype;
PyObject *py_key;
uint8_t *key_buf;
size_t key_len;
krb5_enctype enctype;
int error = 0;
krb5KeyblockObject *self = (krb5KeyblockObject *) PyObject_NEW(krb5KeyblockObject, &krb5KeyblockType);
if (!PyArg_ParseTuple(args, "O!OS", &krb5ContextType, &py_context, &py_enctype, &py_key))
return NULL;
if (self == NULL)
return NULL;
self->context = py_context->context;
if (PyObject_TypeCheck(py_enctype, &krb5EnctypeType)) {
krb5EnctypeObject *enctype_obj = (krb5EnctypeObject*)py_enctype;
enctype = enctype_obj>enctype;
} else if (PyInt_Check(py_enctype)) {
enctype = PyInt_AsLong(py_enctype);
} else {
PyErr_SetString(PyExc_TypeError, "enctype must be of type integer or krb5EnctypeObject");
error = 1;
goto out;
}
key_buf = (uint8_t *) PyString_AsString(py_key);
key_len = PyString_Size(py_key);
ret = krb5_keyblock_init(py_context->context, enctype, key_buf, key_len, &self->keyblock);
if (ret) {
error = 1;
krb5_exception(NULL, ret);
goto out;
}
out:
if (error)
return NULL;
else
return self;
}
int
main(int argc, char **argv)
{
char buf[1024];
krb5_error_code ret;
krb5_enctype enctype;
hdb_master_key mkey;
krb5_program_setup(&context, argc, argv, args, num_args, NULL);
if(help_flag)
krb5_std_usage(0, args, num_args);
if(version_flag){
print_version(NULL);
exit(0);
}
if (master_key_fd != -1 && random_key_flag)
krb5_errx(context, 1, "random-key and master-key-fd "
"is mutual exclusive");
if (keyfile == NULL)
asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
ret = krb5_string_to_enctype(context, enctype_str, &enctype);
if(ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
ret = hdb_read_master_key(context, keyfile, &mkey);
if(ret && ret != ENOENT)
krb5_err(context, 1, ret, "reading master key from %s", keyfile);
if (convert_flag) {
if (ret)
krb5_err(context, 1, ret, "reading master key from %s", keyfile);
} else {
krb5_keyblock key;
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
/* XXX better value? */
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
if (random_key_flag) {
ret = krb5_generate_random_keyblock(context, enctype, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
} else {
if(master_key_fd != -1) {
ssize_t n;
n = read(master_key_fd, buf, sizeof(buf));
if(n <= 0)
krb5_err(context, 1, errno, "failed to read passphrase");
buf[n] = '\0';
buf[strcspn(buf, "\r\n")] = '\0';
} else {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
exit(1);
}
krb5_string_to_key_salt(context, enctype, buf, salt, &key);
}
ret = hdb_add_master_key(context, &key, &mkey);
krb5_free_keyblock_contents(context, &key);
}
{
char *new, *old;
asprintf(&old, "%s.old", keyfile);
asprintf(&new, "%s.new", keyfile);
if(unlink(new) < 0 && errno != ENOENT) {
ret = errno;
goto out;
}
krb5_warnx(context, "writing key to `%s'", keyfile);
ret = hdb_write_master_key(context, new, mkey);
if(ret)
unlink(new);
else {
#ifndef NO_POSIX_LINKS
unlink(old);
if(link(keyfile, old) < 0 && errno != ENOENT) {
ret = errno;
unlink(new);
} else {
#endif
if(rename(new, keyfile) < 0) {
int
stash(struct stash_options *opt, int argc, char **argv)
{
char buf[1024];
krb5_error_code ret;
krb5_enctype enctype;
hdb_master_key mkey;
int aret;
if(!local_flag) {
krb5_warnx(context, "stash is only available in local (-l) mode");
return 0;
}
ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
if(ret) {
krb5_warn(context, ret, "%s", opt->enctype_string);
return 0;
}
if(opt->key_file_string == NULL) {
aret = asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
if (aret == -1)
errx(1, "out of memory");
}
ret = hdb_read_master_key(context, opt->key_file_string, &mkey);
if(ret && ret != ENOENT) {
krb5_warn(context, ret, "reading master key from %s",
opt->key_file_string);
return 0;
}
if (opt->convert_file_flag) {
if (ret)
krb5_warn(context, ret, "reading master key from %s",
opt->key_file_string);
return 0;
} else {
krb5_keyblock key;
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
/* XXX better value? */
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
if(opt->master_key_fd_integer != -1) {
ssize_t n;
n = read(opt->master_key_fd_integer, buf, sizeof(buf));
if(n == 0)
krb5_warnx(context, "end of file reading passphrase");
else if(n < 0) {
krb5_warn(context, errno, "reading passphrase");
n = 0;
}
buf[n] = '\0';
buf[strcspn(buf, "\r\n")] = '\0';
} else if (opt->random_password_flag) {
random_password (buf, sizeof(buf));
printf("Using random master stash password: %s\n", buf);
} else {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) {
hdb_free_master_key(context, mkey);
return 0;
}
}
ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key);
ret = hdb_add_master_key(context, &key, &mkey);
krb5_free_keyblock_contents(context, &key);
}
{
char *new = NULL, *old = NULL;
int aret;
aret = asprintf(&old, "%s.old", opt->key_file_string);
if (aret == -1) {
ret = ENOMEM;
goto out;
}
aret = asprintf(&new, "%s.new", opt->key_file_string);
if (aret == -1) {
ret = ENOMEM;
goto out;
}
if(unlink(new) < 0 && errno != ENOENT) {
ret = errno;
goto out;
}
krb5_warnx(context, "writing key to \"%s\"", opt->key_file_string);
ret = hdb_write_master_key(context, new, mkey);
if(ret)
unlink(new);
else {
unlink(old);
#ifndef NO_POSIX_LINKS
if(link(opt->key_file_string, old) < 0 && errno != ENOENT) {
ret = errno;
unlink(new);
} else {
#endif
if(rename(new, opt->key_file_string) < 0) {
