authorWill Fiveash <will.fiveash@oracle.com>2008-08-15 00:38:41 +0000
committerWill Fiveash <will.fiveash@oracle.com>2008-08-15 00:38:41 +0000
commitc438b327af4cf5ba96ed3f7e02b6327b9d06c1ae (patch)
tree6a65a30d2f7c368d8d29b9755ec52bb082f908c4 /src/kadmin
parent7b2fd388c28d4c8a3a7a2a4bf2b70a251bf037e8 (diff)
a stash file is not a keytab
Note: this is the commit for the associated Krb Consortium project Projects/Masterkey Keytab Stash, ticket 194. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20661 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/dbutil/dump.c61
-rw-r--r--src/kadmin/dbutil/kdb5_create.c19
-rw-r--r--src/kadmin/dbutil/kdb5_stash.c12
-rw-r--r--src/kadmin/dbutil/kdb5_util.M5
-rw-r--r--src/kadmin/dbutil/kdb5_util.c39
5 files changed, 108 insertions, 28 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 0cc227d30b..fbb8fd21e2 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -270,6 +270,7 @@ static krb5_error_code master_key_convert(context, db_entry)
int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
+ krb5_kvno kvno;
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
@@ -288,10 +289,22 @@ static krb5_error_code master_key_convert(context, db_entry)
return retval;
memset(&new_key_data, 0, sizeof(new_key_data));
- key_ptr = is_mkey ? &new_master_keyblock : &v5plainkey;
+
+ if (is_mkey) {
+ key_ptr = &new_master_keyblock;
+ /* override mkey princ's kvno */
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kvno = global_params.kvno;
+ else
+ kvno = (krb5_kvno) key_data->key_data_kvno;
+ } else {
+ key_ptr = &v5plainkey;
+ kvno = (krb5_kvno) key_data->key_data_kvno;
+ }
+
retval = krb5_dbekd_encrypt_key_data(context, &new_master_keyblock,
key_ptr, &keysalt,
- key_data->key_data_kvno,
+ (int) kvno,
&new_key_data);
if (retval)
return retval;
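Review bot: When `-kv` is given, the `is_mkey` branch stamps every key_data entry of the master principal with `global_params.kvno`, so a master principal that carries several keys under distinct kvnos comes out of the dump with all of them relabelled to the one value; if that is intended, say so next to the override, e.g. `/* -kv relabels every master-principal key; entries with differing kvnos are collapsed onto it */`, otherwise restrict the override to the entry whose kvno matches. The `(int) kvno` cast also narrows an unsigned krb5_kvno to the int that krb5_dbekd_encrypt_key_data takes, which is implementation-defined for values above INT_MAX; the `-kv` parser in kdb5_util.c is where that range should be bounded. master_key_convert starts before and continues after this hunk.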
@@ -1126,7 +1139,8 @@ dump_db(argc, argv)
master_princ,
master_keyblock.enctype,
TRUE, FALSE,
- (char *) NULL, 0,
+ (char *) NULL,
+ NULL, NULL,
&master_keyblock);
if (retval) {
com_err(progname, retval,
@@ -1135,6 +1149,7 @@ dump_db(argc, argv)
}
retval = krb5_db_verify_master_key(util_context,
master_princ,
+ IGNORE_VNO,
&master_keyblock);
if (retval) {
com_err(progname, retval,
@@ -1145,17 +1160,37 @@ dump_db(argc, argv)
new_master_keyblock.enctype = global_params.enctype;
if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!new_mkey_file)
+
+ if (new_mkey_file) {
+ krb5_kvno kt_kvno;
+
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kt_kvno = global_params.kvno;
+ else
+ kt_kvno = IGNORE_VNO;
+
+ if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ new_master_keyblock.enctype,
+ FALSE,
+ FALSE,
+ new_mkey_file,
+ &kt_kvno,
+ NULL,
+ &new_master_keyblock))) {
+ com_err(progname, retval, "while reading new master key");
+ exit(1);
+ }
+ } else {
printf("Please enter new master key....\n");
- if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
- new_master_keyblock.enctype,
- (new_mkey_file == 0) ?
- (krb5_boolean) 1 : 0,
- TRUE,
- new_mkey_file, 0,
- &new_master_keyblock))) {
- com_err(progname, retval, "while reading new master key");
- exit(1);
+ if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ new_master_keyblock.enctype,
+ TRUE,
+ TRUE,
+ NULL, NULL, NULL,
+ &new_master_keyblock))) {
+ com_err(progname, retval, "while reading new master key");
+ exit(1);
+ }
}
}
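Review bot: In the new `new_mkey_file` branch, `kt_kvno` is passed by address to krb5_db_fetch_mkey but is never read afterwards in the hunk, so if the fetch reports the kvno it actually found in the stash (kdb5_stash.c in this same commit passes `&mkey_kvno` in and then uses the result), that value is discarded and master_key_convert later labels the new key with `global_params.kvno` or the entry's old kvno instead; either compare `kt_kvno` against `global_params.kvno` after the call and fail on a mismatch, or add `/* kt_kvno is deliberately ignored: the dump uses global_params.kvno */` if that is intended. The two branches also duplicate the call and the error handling and differ only in three arguments, so one call with the arguments selected by `new_mkey_file` would be shorter and keep the two error paths from drifting. dump_db continues outside the hunk.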
diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
index eaeade1630..c996dad25f 100644
--- a/src/kadmin/dbutil/kdb5_create.c
+++ b/src/kadmin/dbutil/kdb5_create.c
@@ -166,6 +166,7 @@ void kdb5_create(argc, argv)
int do_stash = 0;
krb5_data pwd, seed;
kdb_log_context *log_ctx;
+ krb5_kvno mkey_kvno;
while ((optchar = getopt(argc, argv, "s")) != -1) {
switch(optchar) {
@@ -319,9 +320,20 @@ master key name '%s'\n",
* it; delete the file below if it was not requested. DO NOT EXIT
* BEFORE DELETING THE KEYFILE if do_stash is not set.
*/
+
+ /*
+ * Determine the kvno to use, it must be that used to create the master key
+ * princ.
+ */
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ mkey_kvno = global_params.kvno; /* user specified */
+ else
+ mkey_kvno = 1; /* Default */
+
retval = krb5_db_store_master_key(util_context,
global_params.stash_file,
master_princ,
+ mkey_kvno,
&master_keyblock,
mkey_password);
if (retval) {
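Review bot: The default `mkey_kvno = 1` is computed twice in this file, here and again in add_principal (the fourth hunk), and the stash written by krb5_db_store_master_key only matches the master principal's key_data if both copies agree, so the constant belongs in one place, e.g. a file-scope `#define DEFAULT_MKEY_KVNO 1` or a small `static krb5_kvno mkey_kvno_from_params(void)` helper that both sites use; kdb5_stash.c and kdb5_util.c repeat the same `if (global_params.mask & KADM5_CONFIG_KVNO)` test and could share it too. The man page in this commit states the default is 1, so a named constant also ties the documentation to the code. kdb5_create continues outside the hunk.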
@@ -401,6 +413,7 @@ add_principal(context, princ, op, pblock)
{
krb5_error_code retval;
krb5_db_entry entry;
+ krb5_kvno mkey_kvno;
krb5_timestamp now;
struct iterate_args iargs;
@@ -433,10 +446,14 @@ add_principal(context, princ, op, pblock)
memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
entry.n_key_data = 1;
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ mkey_kvno = global_params.kvno; /* user specified */
+ else
+ mkey_kvno = 1; /* Default */
entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
&master_keyblock, NULL,
- 1, entry.key_data)))
+ mkey_kvno, entry.key_data)))
return retval;
break;
case TGT_KEY:
diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index a34aa132a2..3583a3285f 100644
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -81,6 +81,7 @@ kdb5_stash(argc, argv)
char *mkey_fullname;
char *keyfile = 0;
krb5_context context;
+ krb5_kvno mkey_kvno;
retval = kadm5_init_krb5_context(&context);
if( retval )
@@ -139,11 +140,17 @@ kdb5_stash(argc, argv)
exit_status++; return;
}
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ mkey_kvno = global_params.kvno; /* user specified */
+ else
+ mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */
+
/* TRUE here means read the keyboard, but only once */
retval = krb5_db_fetch_mkey(context, master_princ,
master_keyblock.enctype,
TRUE, FALSE, (char *) NULL,
- 0, &master_keyblock);
+ &mkey_kvno,
+ NULL, &master_keyblock);
if (retval) {
com_err(progname, retval, "while reading master key");
(void) krb5_db_fini(context);
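Review bot: With no `-kv`, `mkey_kvno` starts as IGNORE_VNO and is handed to krb5_db_fetch_mkey by address, and the same variable is then passed to krb5_db_verify_master_key and, in the last hunk of this file, written into the stash by krb5_db_store_master_key; unless the fetch is guaranteed to replace IGNORE_VNO with a concrete kvno for a key typed at the keyboard (the keyfile argument here is NULL and the keyboard flag is TRUE), the stash can be written with IGNORE_VNO, the very value the `-kv` parser in kdb5_util.c rejects as invalid. A guard after the fetch, `if (mkey_kvno == IGNORE_VNO) { com_err(progname, 0, "unable to determine master key kvno"); (void) krb5_db_fini(context); exit_status++; return; }`, makes the assumption explicit. The comment above the call should also mention that `mkey_kvno` may be updated by the fetch. kdb5_stash continues outside the hunk.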
@@ -151,6 +158,7 @@ kdb5_stash(argc, argv)
}
retval = krb5_db_verify_master_key(context, master_princ,
+ mkey_kvno,
&master_keyblock);
if (retval) {
com_err(progname, retval, "while verifying master key");
@@ -159,7 +167,7 @@ kdb5_stash(argc, argv)
}
retval = krb5_db_store_master_key(context, keyfile, master_princ,
- &master_keyblock, NULL);
+ mkey_kvno, &master_keyblock, NULL);
if (retval) {
com_err(progname, errno, "while storing key");
memset((char *)master_keyblock.contents, 0, master_keyblock.length);
diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M
index 11ef7ca18c..d58c972aff 100644
--- a/src/kadmin/dbutil/kdb5_util.M
+++ b/src/kadmin/dbutil/kdb5_util.M
@@ -5,6 +5,7 @@ kdb5_util \- Kerberos database maintainance utility
.B kdb5_util
[\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP]
[\fB\-k\fP\ \fImkeytype\fP] [\fB\-M\fP\ \fImkeyname\fP]
+[\fB\-kv\fP\ \fImkeyVNO\fP]
[\fB\-sf\fP\ \fIstashfilename\fP]
[\fB\-m\fP]
.I command
@@ -58,6 +59,10 @@ specifies the key type of the master key in the database; the default is
that given in
.IR kdc.conf .
.TP
+\fB\-kv\fP\ \fImkeyVNO\fP
+Specifies the version number of the master key in the database; the default is
+1. Note that 0 is not allowed.
+.TP
\fB\-M\fP\ \fImkeyname\fP
principal name for the master key in the database; the default is
that given in
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index cfc3d08218..ff6bcc9957 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -81,7 +81,7 @@ void usage()
{
fprintf(stderr, "Usage: "
"kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
- "\t [-sf stashfilename] [-m] cmd [cmd_options]\n"
+ "\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n"
"\tcreate [-s]\n"
"\tdestroy [-f]\n"
"\tstash [-f keyfile]\n"
@@ -205,7 +205,7 @@ int main(argc, argv)
}
memset(cmd_argv, 0, sizeof(char *)*argc);
cmd_argc = 1;
-
+
argv++; argc--;
while (*argv) {
if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
@@ -246,10 +246,18 @@ int main(argc, argv)
exit(1);
}
} else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
- if (krb5_string_to_enctype(koptarg, &global_params.enctype))
- com_err(progname, 0, "%s is an invalid enctype", koptarg);
- else
+ if (krb5_string_to_enctype(koptarg, &global_params.enctype)) {
+ com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg);
+ exit(1);
+ } else
global_params.mask |= KADM5_CONFIG_ENCTYPE;
+ } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
+ global_params.kvno = (krb5_kvno) atoi(koptarg);
+ if (global_params.kvno == IGNORE_VNO) {
+ com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg);
+ exit(1);
+ } else
+ global_params.mask |= KADM5_CONFIG_KVNO;
} else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
global_params.mkey_name = koptarg;
global_params.mask |= KADM5_CONFIG_MKEY_NAME;
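Review bot: `atoi(koptarg)` on the new `-kv` line cannot report a parse failure, so `-kv abc` and `-kv 0` are indistinguishable, `-kv 5x` is accepted as 5, and `-kv -1` wraps to a large unsigned value that passes the IGNORE_VNO check; parse with strtoul (errno.h is already in use via EINVAL, stdlib.h via exit) and reject an empty string, a leading sign, trailing characters, ERANGE and anything that does not fit a krb5_kvno. The value later flows through krb5_dbekd_encrypt_key_data into the entry's key_data_kvno, which I believe is a 16-bit field, so a tighter upper bound than the 32-bit one below may be the right limit — confirm against the kdb headers. Minor: the `": %s is an invalid enctype"` format (and the new mkeyVNO one) renders as `kdb5_util: Invalid argument : foo ...` because com_err prints the error text before the format; dropping the leading `: ` reads better.
```c
} else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
    char *end = NULL;
    unsigned long v;

    errno = 0;
    v = strtoul(koptarg, &end, 10);
    /* reject empty, signed, partial or out-of-range input, and IGNORE_VNO itself */
    if (*koptarg == '\0' || *koptarg == '-' || *koptarg == '+'
        || *end != '\0' || errno == ERANGE
        || v == IGNORE_VNO || v > 0xFFFFFFFFUL) {   /* assumes krb5_kvno is 32-bit */
        com_err(progname, EINVAL, "%s is an invalid mkeyVNO", koptarg);
        exit(1);
    }
    global_params.kvno = (krb5_kvno) v;
    global_params.mask |= KADM5_CONFIG_KVNO;
```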
@@ -380,6 +388,7 @@ static int open_db_and_mkey()
int nentries;
krb5_boolean more;
krb5_data scratch, pwd, seed;
+ krb5_kvno kvno;
dbactive = FALSE;
valid_master_key = 0;
@@ -421,6 +430,11 @@ static int open_db_and_mkey()
return(1);
}
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kvno = global_params.kvno; /* user specified */
+ else
+ kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
+
krb5_db_free_principal(util_context, &master_entry, nentries);
/* the databases are now open, and the master principal exists */
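Review bot: With no `-kv`, `kvno` is taken from `master_entry.key_data->key_data_kvno`, i.e. the first key_data entry of the master principal; if the entry can carry more than one key, the first is not necessarily the current one, so either pick the highest kvno across `n_key_data` entries or record the assumption, e.g. `/* assumes the master principal has a single key; its kvno selects the stash entry */`. open_db_and_mkey continues outside the hunk.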
@@ -437,13 +451,12 @@ static int open_db_and_mkey()
}
/* If no encryption type is set, use the default */
- if (master_keyblock.enctype == ENCTYPE_UNKNOWN) {
+ if (master_keyblock.enctype == ENCTYPE_UNKNOWN)
master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!krb5_c_valid_enctype(master_keyblock.enctype))
- com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d",
- master_keyblock.enctype);
- }
+ if (!krb5_c_valid_enctype(master_keyblock.enctype))
+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
+ "while setting up enctype %d",
+ master_keyblock.enctype);
retval = krb5_c_string_to_key(util_context, master_keyblock.enctype,
&pwd, &scratch, &master_keyblock);
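Review bot: Hoisting the krb5_c_valid_enctype test out of the `ENCTYPE_UNKNOWN` block makes it run for every enctype, but the new lines still only com_err and fall through to krb5_c_string_to_key with the unsupported enctype; the `-k` parser changed in this same commit now exits on an invalid enctype, so for consistency bail out here too, `exit_status++; return(1);` after the com_err, matching the `return(1);` the function already uses for the earlier failure in the previous hunk. open_db_and_mkey continues outside the hunk.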
@@ -455,10 +468,12 @@ static int open_db_and_mkey()
}
free(scratch.data);
mkey_password = 0;
+
} else if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
master_keyblock.enctype,
manual_mkey, FALSE,
global_params.stash_file,
+ &kvno,
0, &master_keyblock))) {
com_err(progname, retval, "while reading master key");
com_err(progname, 0, "Warning: proceeding without master key");
@@ -466,7 +481,7 @@ static int open_db_and_mkey()
return(0);
}
if ((retval = krb5_db_verify_master_key(util_context, master_princ,
- &master_keyblock))) {
+ kvno, &master_keyblock))) {
com_err(progname, retval, "while verifying master key");
exit_status++;
krb5_free_keyblock_contents(util_context, &master_keyblock);