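/*
 * Initialise the signature password for this process.
 *
 * With uw_sig_file set, the password is persisted so that successive
 * runs agree on it: an absent file is created and filled with a freshly
 * generated password, an existing one is read back into `password`.
 * Without uw_sig_file a fresh random password is generated for this run
 * only.  Any failure to open, read, write or close the file is fatal:
 * the error is reported on stderr and the process exits with status 1.
 *
 * Relies on the file-scope `uw_sig_file`, `password` and
 * random_password(); `sizeof password` bytes are written and read.
 */
void uw_init_crypto(void)
{
    int fd;

    if (!uw_sig_file) {
        random_password();
        return;
    }

    if (access(uw_sig_file, F_OK)) {
        /* No file yet: generate a password and persist it.  O_EXCL turns
         * a concurrent creator into a hard error instead of a silent
         * overwrite of its secret, and 0600 is all a secret-bearing data
         * file needs (the previous 0700 set an execute bit to no purpose). */
        random_password();
        fd = open(uw_sig_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) {
            fprintf(stderr, "Can't open signature file %s\n", uw_sig_file);
            perror("open");
            exit(1);
        }
        if (write(fd, &password, sizeof password) != sizeof password) {
            fprintf(stderr, "Error writing signature file\n");
            exit(1);
        }
        /* A failing close can mean the data never reached storage; treat
         * it like a failed write rather than ignoring it. */
        if (close(fd) < 0) {
            fprintf(stderr, "Error writing signature file\n");
            perror("close");
            exit(1);
        }
    } else {
        fd = open(uw_sig_file, O_RDONLY);
        if (fd < 0) {
            fprintf(stderr, "Can't open signature file %s\n", uw_sig_file);
            perror("open");
            exit(1);
        }
        if (read(fd, &password, sizeof password) != sizeof password) {
            fprintf(stderr, "Error reading signature file\n");
            exit(1);
        }
        close(fd);
    }
}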
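/*
 * Set a fresh random password on `principal`.
 *
 * The new password is printed to stdout, which is the only place it is
 * ever shown to the administrator.  `keepold` is forwarded unchanged to
 * kadm5_chpass_principal_3().  The local password buffer is cleared
 * before returning.
 *
 * Returns the kadm5 status of the password change (0 on success).
 */
static int
set_random_password(krb5_principal principal, int keepold)
{
    krb5_error_code ret;
    char pw[128];

    random_password(pw, sizeof(pw));
    ret = kadm5_chpass_principal_3(kadm_handle, principal, keepold,
                                   0, NULL, pw);
    if (ret == 0) {
        char *princ_name = NULL;
        krb5_error_code uret;

        /* The unparse status used to be ignored, leaving princ_name
         * unset on failure.  The password has already been changed at
         * this point, so it is still reported, just without the name. */
        uret = krb5_unparse_name(context, principal, &princ_name);
        if (uret) {
            krb5_warn(context, uret, "krb5_unparse_name");
            printf("password set to \"%s\"\n", pw);
        } else {
            printf("%s's password set to \"%s\"\n", princ_name, pw);
            free(princ_name);
        }
    }
    /* NOTE(review): a plain memset on a buffer about to go out of scope
     * may be dropped by the optimiser; a memset_s/explicit_bzero
     * equivalent is preferable where the build provides one. */
    memset(pw, 0, sizeof(pw));
    return ret;
}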
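/*
 * Create `princ` with random keys.
 *
 * The entry is first created disabled (KRB5_KDB_DISALLOW_ALL_TIX) using
 * a throw-away random password, the string-to-key derived keys are then
 * replaced by kadm5_randkey_principal(), and finally the entry is
 * re-read, re-enabled and its kvno reset to 1.  `max_life` and
 * `max_rlife` are applied only when non-zero; `attributes` are OR-ed
 * into the entry's attributes.
 *
 * Returns 0 on success, otherwise the failing kadm5/krb5 status after a
 * krb5_warn() naming the step that failed.  The temporary password
 * buffer is cleared on every return path.
 */
static kadm5_ret_t
create_random_entry(krb5_principal princ,
                    unsigned max_life,
                    unsigned max_rlife,
                    uint32_t attributes)
{
    kadm5_principal_ent_rec ent;
    kadm5_ret_t ret;
    int mask = 0;
    krb5_keyblock *keys;
    int n_keys, i;
    char *name;
    char pwbuf[512];

    random_password(pwbuf, sizeof(pwbuf));

    ret = krb5_unparse_name(context, princ, &name);
    if (ret) {
        krb5_warn(context, ret, "failed to unparse principal name");
        goto out_pw;
    }

    memset(&ent, 0, sizeof(ent));
    ent.principal = princ;
    mask |= KADM5_PRINCIPAL;
    if (max_life) {
        ent.max_life = max_life;
        mask |= KADM5_MAX_LIFE;
    }
    if (max_rlife) {
        ent.max_renewable_life = max_rlife;
        mask |= KADM5_MAX_RLIFE;
    }
    /* Keep the principal unusable until its real keys are in place. */
    ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
    mask |= KADM5_ATTRIBUTES;

    /* Create the entry with a random password */
    ret = kadm5_create_principal(kadm_handle, &ent, mask, pwbuf);
    if (ret) {
        /* Previously reported as "randkey failed", which named the
         * wrong step. */
        krb5_warn(context, ret, "create_random_entry(%s): create failed",
                  name);
        goto out;
    }

    /* Replace the string2key based keys with real random bytes */
    ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
    if (ret) {
        krb5_warn(context, ret, "create_random_entry(%s): randkey failed",
                  name);
        goto out;
    }
    for (i = 0; i < n_keys; i++)
        krb5_free_keyblock_contents(context, &keys[i]);
    free(keys);

    ret = kadm5_get_principal(kadm_handle, princ, &ent,
                              KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
    if (ret) {
        krb5_warn(context, ret, "create_random_entry(%s): "
                  "unable to get principal", name);
        goto out;
    }
    ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
    ent.kvno = 1;
    ret = kadm5_modify_principal(kadm_handle, &ent,
                                 KADM5_ATTRIBUTES | KADM5_KVNO);
    kadm5_free_principal_ent(kadm_handle, &ent);
    if (ret)
        krb5_warn(context, ret, "create_random_entry(%s): "
                  "unable to modify principal", name);

out:
    free(name);
out_pw:
    /* NOTE(review): plain memset on a dying stack buffer may be dropped
     * by the optimiser; use a memset_s/explicit_bzero equivalent where
     * the build provides one. */
    memset(pwbuf, 0, sizeof(pwbuf));
    return ret;
}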
/*
 * Create the principal `name` and give it keys.
 *
 * Key material is chosen in this order:
 *   - rand_key or key_data: the entry is created disabled
 *     (KRB5_KDB_DISALLOW_ALL_TIX) with a throw-away random password, and
 *     after creation either kadm5_randkey_principal() (rand_key) or
 *     kadm5_chpass_principal_with_key() (key_data) installs the real keys
 *     before the entry is re-read and re-enabled;
 *   - rand_password: a random password is generated and, after creation,
 *     printed to stdout;
 *   - password == NULL: the administrator is prompted for one;
 *   - otherwise the caller-supplied `password` is used as-is.
 *
 * `use_defaults` applies the realm defaults from get_default() via
 * set_defaults(); otherwise edit_entry() lets the administrator edit the
 * entry interactively.  The string options (max_ticket_life,
 * max_renewable_life, attributes, expiration, pw_expiration) are parsed
 * by set_entry().
 *
 * Returns 0 on success or a krb5/kadm5 error code.  Note that when
 * kadm5_randkey_principal() fails in the rand_key branch the function
 * warns, carries on re-enabling the entry, and still returns that error.
 *
 * On exit the password buffer is zeroed through `password`, which may
 * point at the caller's own storage, so callers must pass a writable
 * buffer (never a string literal).
 */
static krb5_error_code
add_one_principal (const char *name,
                   int rand_key,
                   int rand_password,
                   int use_defaults,
                   char *password,
                   krb5_key_data *key_data,
                   const char *max_ticket_life,
                   const char *max_renewable_life,
                   const char *attributes,
                   const char *expiration,
                   const char *pw_expiration)
{
    krb5_error_code ret;
    kadm5_principal_ent_rec princ, defrec;
    kadm5_principal_ent_rec *default_ent = NULL;
    krb5_principal princ_ent = NULL;
    int mask = 0;
    int default_mask = 0;
    char pwbuf[1024];

    memset(&princ, 0, sizeof(princ));
    ret = krb5_parse_name(context, name, &princ_ent);
    if (ret) {
        krb5_warn(context, ret, "krb5_parse_name");
        return ret;
    }
    princ.principal = princ_ent;
    mask |= KADM5_PRINCIPAL;

    ret = set_entry(context, &princ, &mask,
                    max_ticket_life, max_renewable_life,
                    expiration, pw_expiration, attributes);
    if (ret)
        goto out;

    /* Defaults are optional: a failing get_default() just means none
     * are offered, and default_ent is reset so it is not freed below. */
    default_ent = &defrec;
    ret = get_default (kadm_handle, princ_ent, default_ent);
    if (ret) {
        default_ent = NULL;
        default_mask = 0;
    } else {
        default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
                       KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
    }

    /* NOTE(review): an edit_entry() failure leaves `ret` as whatever
     * get_default() returned, i.e. 0 when defaults were found, so the
     * caller may see success without a principal having been created. */
    if(use_defaults)
        set_defaults(&princ, &mask, default_ent, default_mask);
    else if(edit_entry(&princ, &mask, default_ent, default_mask))
        goto out;

    if(rand_key || key_data) {
        /* Keep the principal unusable until its real keys are installed. */
        princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
        mask |= KADM5_ATTRIBUTES;
        random_password (pwbuf, sizeof(pwbuf));
        password = pwbuf;
    } else if (rand_password) {
        random_password (pwbuf, sizeof(pwbuf));
        password = pwbuf;
    } else if(password == NULL) {
        char *princ_name;
        char *prompt;

        /* NOTE(review): the return values of krb5_unparse_name() and
         * asprintf() are not checked here, so princ_name/prompt may be
         * unset when they fail. */
        krb5_unparse_name(context, princ_ent, &princ_name);
        /* NOTE(review): the prompt/read-password sequence below is
         * garbled in this copy of the file (the "******" run replaces the
         * original statements); compare against the upstream source
         * before relying on it. */
        asprintf (&prompt, "%s's Password: "******"failed to verify password"); goto out; } password = pwbuf; }

    ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
    if(ret) {
        krb5_warn(context, ret, "kadm5_create_principal");
        goto out;
    }

    if(rand_key) {
        krb5_keyblock *new_keys;
        int n_keys, i;

        ret = kadm5_randkey_principal(kadm_handle, princ_ent,
                                      &new_keys, &n_keys);
        if(ret){
            krb5_warn(context, ret, "kadm5_randkey_principal");
            /* Nothing was returned, so nothing to free below. */
            n_keys = 0;
        }
        for(i = 0; i < n_keys; i++)
            krb5_free_keyblock_contents(context, &new_keys[i]);
        if (n_keys > 0)
            free(new_keys);

        /* Re-read the entry, clear the disable flag and reset the kvno.
         * NOTE(review): the get/modify statuses are not checked, and
         * kadm5_free_principal_ent() runs even if the get failed. */
        kadm5_get_principal(kadm_handle, princ_ent, &princ,
                            KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
        princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
        princ.kvno = 1;
        kadm5_modify_principal(kadm_handle, &princ,
                               KADM5_ATTRIBUTES | KADM5_KVNO);
        kadm5_free_principal_ent(kadm_handle, &princ);
    } else if (key_data) {
        ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
                                               3, key_data);
        if (ret) {
            krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
        }
        /* Re-read and re-enable; statuses unchecked as in the rand_key
         * branch above. */
        kadm5_get_principal(kadm_handle, princ_ent, &princ,
                            KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
        princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
        kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
        kadm5_free_principal_ent(kadm_handle, &princ);
    } else if (rand_password) {
        char *princ_name;

        /* The generated password is shown once, here, so the
         * administrator can pass it on.  NOTE(review): unparse status
         * unchecked, as above. */
        krb5_unparse_name(context, princ_ent, &princ_name);
        printf ("added %s with password \"%s\"\n", princ_name, password);
        free (princ_name);
    }

out:
    if (princ_ent)
        krb5_free_principal (context, princ_ent);
    if(default_ent)
        kadm5_free_principal_ent (kadm_handle, default_ent);
    /* Wipe the password wherever it lives (pwbuf or the caller's buffer).
     * NOTE(review): a plain memset here may be elided by the optimiser. */
    if (password != NULL)
        memset (password, 0, strlen(password));
    return ret;
}
int stash(struct stash_options *opt, int argc, char **argv) { char buf[1024]; krb5_error_code ret; krb5_enctype enctype; hdb_master_key mkey; int aret; if(!local_flag) { krb5_warnx(context, "stash is only available in local (-l) mode"); return 0; } ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype); if(ret) { krb5_warn(context, ret, "%s", opt->enctype_string); return 0; } if(opt->key_file_string == NULL) { aret = asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context)); if (aret == -1) errx(1, "out of memory"); } ret = hdb_read_master_key(context, opt->key_file_string, &mkey); if(ret && ret != ENOENT) { krb5_warn(context, ret, "reading master key from %s", opt->key_file_string); return 0; } if (opt->convert_file_flag) { if (ret) krb5_warn(context, ret, "reading master key from %s", opt->key_file_string); return 0; } else { krb5_keyblock key; krb5_salt salt; salt.salttype = KRB5_PW_SALT; /* XXX better value? */ salt.saltvalue.data = NULL; salt.saltvalue.length = 0; if(opt->master_key_fd_integer != -1) { ssize_t n; n = read(opt->master_key_fd_integer, buf, sizeof(buf)); if(n == 0) krb5_warnx(context, "end of file reading passphrase"); else if(n < 0) { krb5_warn(context, errno, "reading passphrase"); n = 0; } buf[n] = '\0'; buf[strcspn(buf, "\r\n")] = '\0'; } else if (opt->random_password_flag) { random_password (buf, sizeof(buf)); printf("Using random master stash password: %s\n", buf); } else { if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) { hdb_free_master_key(context, mkey); return 0; } } ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key); ret = hdb_add_master_key(context, &key, &mkey); krb5_free_keyblock_contents(context, &key); } { char *new = NULL, *old = NULL; int aret; aret = asprintf(&old, "%s.old", opt->key_file_string); if (aret == -1) { ret = ENOMEM; goto out; } aret = asprintf(&new, "%s.new", opt->key_file_string); if (aret == -1) { ret = ENOMEM; goto out; } if(unlink(new) < 0 && errno != ENOENT) 
{ ret = errno; goto out; } krb5_warnx(context, "writing key to \"%s\"", opt->key_file_string); ret = hdb_write_master_key(context, new, mkey); if(ret) unlink(new); else { unlink(old); #ifndef NO_POSIX_LINKS if(link(opt->key_file_string, old) < 0 && errno != ENOENT) { ret = errno; unlink(new); } else { #endif if(rename(new, opt->key_file_string) < 0) {