void uw_init_crypto() {
if (uw_sig_file) {
int fd;
if (access(uw_sig_file, F_OK)) {
random_password();
if ((fd = open(uw_sig_file, O_WRONLY | O_CREAT, 0700)) < 0) {
fprintf(stderr, "Can't open signature file %s\n", uw_sig_file);
perror("open");
exit(1);
}
if (write(fd, &password, sizeof password) != sizeof password) {
fprintf(stderr, "Error writing signature file\n");
exit(1);
}
close(fd);
} else {
if ((fd = open(uw_sig_file, O_RDONLY)) < 0) {
fprintf(stderr, "Can't open signature file %s\n", uw_sig_file);
perror("open");
exit(1);
}
if (read(fd, &password, sizeof password) != sizeof password) {
fprintf(stderr, "Error reading signature file\n");
exit(1);
}
close(fd);
}
} else
random_password();
}
static int
set_random_password (krb5_principal principal, int keepold)
{
krb5_error_code ret;
char pw[128];
random_password (pw, sizeof(pw));
ret = kadm5_chpass_principal_3(kadm_handle, principal, keepold, 0, NULL, pw);
if (ret == 0) {
char *princ_name;
krb5_unparse_name(context, principal, &princ_name);
printf ("%s's password set to \"%s\"\n", princ_name, pw);
free (princ_name);
}
memset (pw, 0, sizeof(pw));
return ret;
}
static kadm5_ret_t
create_random_entry(krb5_principal princ,
unsigned max_life,
unsigned max_rlife,
uint32_t attributes)
{
kadm5_principal_ent_rec ent;
kadm5_ret_t ret;
int mask = 0;
krb5_keyblock *keys;
int n_keys, i;
char *name;
const char *password;
char pwbuf[512];
random_password(pwbuf, sizeof(pwbuf));
password = pwbuf;
ret = krb5_unparse_name(context, princ, &name);
if (ret) {
krb5_warn(context, ret, "failed to unparse principal name");
return ret;
}
memset(&ent, 0, sizeof(ent));
ent.principal = princ;
mask |= KADM5_PRINCIPAL;
if (max_life) {
ent.max_life = max_life;
mask |= KADM5_MAX_LIFE;
}
if (max_rlife) {
ent.max_renewable_life = max_rlife;
mask |= KADM5_MAX_RLIFE;
}
ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
mask |= KADM5_ATTRIBUTES;
/* Create the entry with a random password */
ret = kadm5_create_principal(kadm_handle, &ent, mask, password);
if(ret) {
krb5_warn(context, ret, "create_random_entry(%s): randkey failed",
name);
goto out;
}
/* Replace the string2key based keys with real random bytes */
ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
if(ret) {
krb5_warn(context, ret, "create_random_entry(%s): randkey failed",
name);
goto out;
}
for(i = 0; i < n_keys; i++)
krb5_free_keyblock_contents(context, &keys[i]);
free(keys);
ret = kadm5_get_principal(kadm_handle, princ, &ent,
KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
if(ret) {
krb5_warn(context, ret, "create_random_entry(%s): "
"unable to get principal", name);
goto out;
}
ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
ent.kvno = 1;
ret = kadm5_modify_principal(kadm_handle, &ent,
KADM5_ATTRIBUTES|KADM5_KVNO);
kadm5_free_principal_ent (kadm_handle, &ent);
if(ret) {
krb5_warn(context, ret, "create_random_entry(%s): "
"unable to modify principal", name);
goto out;
}
out:
free(name);
return ret;
}
static krb5_error_code
add_one_principal (const char *name,
int rand_key,
int rand_password,
int use_defaults,
char *password,
krb5_key_data *key_data,
const char *max_ticket_life,
const char *max_renewable_life,
const char *attributes,
const char *expiration,
const char *pw_expiration)
{
krb5_error_code ret;
kadm5_principal_ent_rec princ, defrec;
kadm5_principal_ent_rec *default_ent = NULL;
krb5_principal princ_ent = NULL;
int mask = 0;
int default_mask = 0;
char pwbuf[1024];
memset(&princ, 0, sizeof(princ));
ret = krb5_parse_name(context, name, &princ_ent);
if (ret) {
krb5_warn(context, ret, "krb5_parse_name");
return ret;
}
princ.principal = princ_ent;
mask |= KADM5_PRINCIPAL;
ret = set_entry(context, &princ, &mask,
max_ticket_life, max_renewable_life,
expiration, pw_expiration, attributes);
if (ret)
goto out;
default_ent = &defrec;
ret = get_default (kadm_handle, princ_ent, default_ent);
if (ret) {
default_ent = NULL;
default_mask = 0;
} else {
default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
}
if(use_defaults)
set_defaults(&princ, &mask, default_ent, default_mask);
else
if(edit_entry(&princ, &mask, default_ent, default_mask))
goto out;
if(rand_key || key_data) {
princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
mask |= KADM5_ATTRIBUTES;
random_password (pwbuf, sizeof(pwbuf));
password = pwbuf;
} else if (rand_password) {
random_password (pwbuf, sizeof(pwbuf));
password = pwbuf;
} else if(password == NULL) {
char *princ_name;
char *prompt;
krb5_unparse_name(context, princ_ent, &princ_name);
asprintf (&prompt, "%s's Password: "******"failed to verify password");
goto out;
}
password = pwbuf;
}
ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
if(ret) {
krb5_warn(context, ret, "kadm5_create_principal");
goto out;
}
if(rand_key) {
krb5_keyblock *new_keys;
int n_keys, i;
ret = kadm5_randkey_principal(kadm_handle, princ_ent,
&new_keys, &n_keys);
if(ret){
krb5_warn(context, ret, "kadm5_randkey_principal");
n_keys = 0;
}
for(i = 0; i < n_keys; i++)
krb5_free_keyblock_contents(context, &new_keys[i]);
if (n_keys > 0)
free(new_keys);
kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
princ.kvno = 1;
kadm5_modify_principal(kadm_handle, &princ,
KADM5_ATTRIBUTES | KADM5_KVNO);
kadm5_free_principal_ent(kadm_handle, &princ);
} else if (key_data) {
ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
3, key_data);
if (ret) {
krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
}
kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
kadm5_free_principal_ent(kadm_handle, &princ);
} else if (rand_password) {
char *princ_name;
krb5_unparse_name(context, princ_ent, &princ_name);
printf ("added %s with password \"%s\"\n", princ_name, password);
free (princ_name);
}
out:
if (princ_ent)
krb5_free_principal (context, princ_ent);
if(default_ent)
kadm5_free_principal_ent (kadm_handle, default_ent);
if (password != NULL)
memset (password, 0, strlen(password));
return ret;
}
int
stash(struct stash_options *opt, int argc, char **argv)
{
char buf[1024];
krb5_error_code ret;
krb5_enctype enctype;
hdb_master_key mkey;
int aret;
if(!local_flag) {
krb5_warnx(context, "stash is only available in local (-l) mode");
return 0;
}
ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
if(ret) {
krb5_warn(context, ret, "%s", opt->enctype_string);
return 0;
}
if(opt->key_file_string == NULL) {
aret = asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
if (aret == -1)
errx(1, "out of memory");
}
ret = hdb_read_master_key(context, opt->key_file_string, &mkey);
if(ret && ret != ENOENT) {
krb5_warn(context, ret, "reading master key from %s",
opt->key_file_string);
return 0;
}
if (opt->convert_file_flag) {
if (ret)
krb5_warn(context, ret, "reading master key from %s",
opt->key_file_string);
return 0;
} else {
krb5_keyblock key;
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
/* XXX better value? */
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
if(opt->master_key_fd_integer != -1) {
ssize_t n;
n = read(opt->master_key_fd_integer, buf, sizeof(buf));
if(n == 0)
krb5_warnx(context, "end of file reading passphrase");
else if(n < 0) {
krb5_warn(context, errno, "reading passphrase");
n = 0;
}
buf[n] = '\0';
buf[strcspn(buf, "\r\n")] = '\0';
} else if (opt->random_password_flag) {
random_password (buf, sizeof(buf));
printf("Using random master stash password: %s\n", buf);
} else {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) {
hdb_free_master_key(context, mkey);
return 0;
}
}
ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key);
ret = hdb_add_master_key(context, &key, &mkey);
krb5_free_keyblock_contents(context, &key);
}
{
char *new = NULL, *old = NULL;
int aret;
aret = asprintf(&old, "%s.old", opt->key_file_string);
if (aret == -1) {
ret = ENOMEM;
goto out;
}
aret = asprintf(&new, "%s.new", opt->key_file_string);
if (aret == -1) {
ret = ENOMEM;
goto out;
}
if(unlink(new) < 0 && errno != ENOENT) {
ret = errno;
goto out;
}
krb5_warnx(context, "writing key to \"%s\"", opt->key_file_string);
ret = hdb_write_master_key(context, new, mkey);
if(ret)
unlink(new);
else {
unlink(old);
#ifndef NO_POSIX_LINKS
if(link(opt->key_file_string, old) < 0 && errno != ENOENT) {
ret = errno;
unlink(new);
} else {
#endif
if(rename(new, opt->key_file_string) < 0) {
