From c438b327af4cf5ba96ed3f7e02b6327b9d06c1ae Mon Sep 17 00:00:00 2001 From: Will Fiveash Date: Fri, 15 Aug 2008 00:38:41 +0000 Subject: a stash file is not a keytab Note, this is the commit for the associated Krb Consortium project: Projects/Masterkey Keytab Stash ticket: 194 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20661 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/dbutil/dump.c | 61 ++++++++++++++++++++++++++++++++--------- src/kadmin/dbutil/kdb5_create.c | 19 ++++++++++++- src/kadmin/dbutil/kdb5_stash.c | 12 ++++++-- src/kadmin/dbutil/kdb5_util.M | 5 ++++ src/kadmin/dbutil/kdb5_util.c | 39 ++++++++++++++++++-------- 5 files changed, 108 insertions(+), 28 deletions(-) (limited to 'src/kadmin') diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 0cc227d30b..fbb8fd21e2 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -270,6 +270,7 @@ static krb5_error_code master_key_convert(context, db_entry) int i, j; krb5_key_data new_key_data, *key_data; krb5_boolean is_mkey; + krb5_kvno kvno; is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ); @@ -288,10 +289,22 @@ static krb5_error_code master_key_convert(context, db_entry) return retval; memset(&new_key_data, 0, sizeof(new_key_data)); - key_ptr = is_mkey ? &new_master_keyblock : &v5plainkey; + + if (is_mkey) { + key_ptr = &new_master_keyblock; + /* override mkey princ's kvno */ + if (global_params.mask & KADM5_CONFIG_KVNO) + kvno = global_params.kvno; + else + kvno = (krb5_kvno) key_data->key_data_kvno; + } else { + key_ptr = &v5plainkey; + kvno = (krb5_kvno) key_data->key_data_kvno; + } + retval = krb5_dbekd_encrypt_key_data(context, &new_master_keyblock, key_ptr, &keysalt, - key_data->key_data_kvno, + (int) kvno, &new_key_data); if (retval) return retval; 
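Review bot: The kvno selection added in the `is_mkey` branch (`if (global_params.mask & KADM5_CONFIG_KVNO) ... else ...`) is the fifth copy of the same pattern in this commit — kdb5_create.c carries it twice, kdb5_stash.c and kdb5_util.c's open_db_and_mkey once each — every copy with its own fallback. A single helper alongside global_params, e.g. `static krb5_kvno mkey_kvno_or(krb5_kvno dflt) { return (global_params.mask & KADM5_CONFIG_KVNO) ? global_params.kvno : dflt; }`, would leave one place to audit when the fallback rules change. The `(int) kvno` cast on the krb5_dbekd_encrypt_key_data call also deserves a comment: if krb5_kvno is unsigned (its typedef is not visible here), a -kv value above INT_MAX silently becomes negative at that call, so the range should be rejected where -kv is parsed. master_key_convert's body continues outside this hunk.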
@@ -1126,7 +1139,8 @@ dump_db(argc, argv) master_princ, master_keyblock.enctype, TRUE, FALSE, - (char *) NULL, 0, + (char *) NULL, + NULL, NULL, &master_keyblock); if (retval) { com_err(progname, retval, @@ -1135,6 +1149,7 @@ dump_db(argc, argv) } retval = krb5_db_verify_master_key(util_context, master_princ, + IGNORE_VNO, &master_keyblock); if (retval) { com_err(progname, retval, @@ -1145,17 +1160,37 @@ dump_db(argc, argv) new_master_keyblock.enctype = global_params.enctype; if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN) new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; - if (!new_mkey_file) + + if (new_mkey_file) { + krb5_kvno kt_kvno; + + if (global_params.mask & KADM5_CONFIG_KVNO) + kt_kvno = global_params.kvno; + else + kt_kvno = IGNORE_VNO; + + if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, + FALSE, + FALSE, + new_mkey_file, + &kt_kvno, + NULL, + &new_master_keyblock))) { + com_err(progname, retval, "while reading new master key"); + exit(1); + } + } else { printf("Please enter new master key....\n"); - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - new_master_keyblock.enctype, - (new_mkey_file == 0) ? - (krb5_boolean) 1 : 0, - TRUE, - new_mkey_file, 0, - &new_master_keyblock))) { - com_err(progname, retval, "while reading new master key"); - exit(1); + if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, + TRUE, + TRUE, + NULL, NULL, NULL, + &new_master_keyblock))) { + com_err(progname, retval, "while reading new master key"); + exit(1); + } } } diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index eaeade1630..c996dad25f 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -166,6 +166,7 @@ void kdb5_create(argc, argv) int do_stash = 0; krb5_data pwd, seed; kdb_log_context *log_ctx; + krb5_kvno mkey_kvno; while ((optchar = getopt(argc, argv, "s")) != -1) { switch(optchar) { 
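Review bot: In the `new_mkey_file` branch, `kt_kvno` is passed by address to krb5_db_fetch_mkey and then never read again. The pointer parameter suggests fetch_mkey may report the kvno it actually found in the file; if it does, that value is dropped, and master_key_convert (hunk @@ -288) falls back to the old entry's `key_data_kvno` whenever -kv was not given, so a key taken from a new stash file could be re-encrypted under the previous kvno. Either carry the fetched value through to master_key_convert (a file-scope value it consults before `key_data_kvno`) or document at the `kt_kvno = IGNORE_VNO;` line that -kv is expected together with a new stash file. dump_db continues outside this hunk.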
@@ -319,9 +320,20 @@ master key name '%s'\n", * it; delete the file below if it was not requested. DO NOT EXIT * BEFORE DELETING THE KEYFILE if do_stash is not set. */ + + /* + * Determine the kvno to use, it must be that used to create the master key + * princ. + */ + if (global_params.mask & KADM5_CONFIG_KVNO) + mkey_kvno = global_params.kvno; /* user specified */ + else + mkey_kvno = 1; /* Default */ + retval = krb5_db_store_master_key(util_context, global_params.stash_file, master_princ, + mkey_kvno, &master_keyblock, mkey_password); if (retval) { @@ -401,6 +413,7 @@ add_principal(context, princ, op, pblock) { krb5_error_code retval; krb5_db_entry entry; + krb5_kvno mkey_kvno; krb5_timestamp now; struct iterate_args iargs; @@ -433,10 +446,14 @@ add_principal(context, princ, op, pblock) memset((char *) entry.key_data, 0, sizeof(krb5_key_data)); entry.n_key_data = 1; + if (global_params.mask & KADM5_CONFIG_KVNO) + mkey_kvno = global_params.kvno; /* user specified */ + else + mkey_kvno = 1; /* Default */ entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key, &master_keyblock, NULL, - 1, entry.key_data))) + mkey_kvno, entry.key_data))) return retval; break; case TGT_KEY: diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index a34aa132a2..3583a3285f 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -81,6 +81,7 @@ kdb5_stash(argc, argv) char *mkey_fullname; char *keyfile = 0; krb5_context context; + krb5_kvno mkey_kvno; retval = kadm5_init_krb5_context(&context); if( retval ) 
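Review bot: `mkey_kvno` is derived from global_params with the literal default `1` here and again, independently, in add_principal (hunk @@ -433); the comment above the store call says the stash kvno must be the one used for the master principal's key, but nothing ties the two computations together. Computing it once in kdb5_create and passing it to add_principal — the `pblock` it already receives is the natural carrier, if that struct is defined in this file — or at least sharing one named default instead of two bare `1` literals would make that invariant structural rather than a convention to remember. kdb5_create's body runs past the end of this hunk.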
@@ -139,11 +140,17 @@ kdb5_stash(argc, argv) exit_status++; return; } + if (global_params.mask & KADM5_CONFIG_KVNO) + mkey_kvno = global_params.kvno; /* user specified */ + else + mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */ + /* TRUE here means read the keyboard, but only once */ retval = krb5_db_fetch_mkey(context, master_princ, master_keyblock.enctype, TRUE, FALSE, (char *) NULL, - 0, &master_keyblock); + &mkey_kvno, + NULL, &master_keyblock); if (retval) { com_err(progname, retval, "while reading master key"); (void) krb5_db_fini(context); @@ -151,6 +158,7 @@ kdb5_stash(argc, argv) } retval = krb5_db_verify_master_key(context, master_princ, + mkey_kvno, &master_keyblock); if (retval) { com_err(progname, retval, "while verifying master key"); @@ -159,7 +167,7 @@ kdb5_stash(argc, argv) } retval = krb5_db_store_master_key(context, keyfile, master_princ, - &master_keyblock, NULL); + mkey_kvno, &master_keyblock, NULL); if (retval) { com_err(progname, errno, "while storing key"); memset((char *)master_keyblock.contents, 0, master_keyblock.length); diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M index 11ef7ca18c..d58c972aff 100644 --- a/src/kadmin/dbutil/kdb5_util.M +++ b/src/kadmin/dbutil/kdb5_util.M @@ -5,6 +5,7 @@ kdb5_util \- Kerberos database maintainance utility .B kdb5_util [\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-M\fP\ \fImkeyname\fP] +[\fB\-kv\fP\ \fImkeyVNO\fP] [\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-m\fP] .I command @@ -58,6 +59,10 @@ specifies the key type of the master key in the database; the default is that given in .IR kdc.conf . .TP +\fB\-kv\fP\ \fImkeyVNO\fP +Specifies the version number of the master key in the database; the default is +1. Note that 0 is not allowed. +.TP \fB\-M\fP\ \fImkeyname\fP principal name for the master key in the database; the default is that given in 
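Review bot: When -kv is absent, `mkey_kvno` is initialised to `IGNORE_VNO` and the comment relies on krb5_db_fetch_mkey to replace it, yet the value is then passed by value to krb5_db_verify_master_key and krb5_db_store_master_key (hunks @@ -151 and @@ -159) without confirming that it changed. If fetch_mkey leaves the pointer untouched on the keyboard path (the `TRUE` argument), the stash is written with IGNORE_VNO as its version — the value the man page hunk in this commit says is not allowed. A guard before the store call such as `if (mkey_kvno == IGNORE_VNO) { /* report, krb5_db_fini, exit_status++, return */ }` would catch that case explicitly.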
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index cfc3d08218..ff6bcc9957 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -81,7 +81,7 @@ void usage() { fprintf(stderr, "Usage: " "kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n" - "\t [-sf stashfilename] [-m] cmd [cmd_options]\n" + "\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" "\tcreate [-s]\n" "\tdestroy [-f]\n" "\tstash [-f keyfile]\n" @@ -205,7 +205,7 @@ int main(argc, argv) } memset(cmd_argv, 0, sizeof(char *)*argc); cmd_argc = 1; - + argv++; argc--; while (*argv) { if (strcmp(*argv, "-P") == 0 && ARG_VAL) { @@ -246,10 +246,18 @@ int main(argc, argv) exit(1); } } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) - com_err(progname, 0, "%s is an invalid enctype", koptarg); - else + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) { + com_err(progname, EINVAL, ": %s is an invalid enctype", koptarg); + exit(1); + } else global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) { + global_params.kvno = (krb5_kvno) atoi(koptarg); + if (global_params.kvno == IGNORE_VNO) { + com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg); + exit(1); + } else + global_params.mask |= KADM5_CONFIG_KVNO; } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { global_params.mkey_name = koptarg; global_params.mask |= KADM5_CONFIG_MKEY_NAME; @@ -380,6 +388,7 @@ static int open_db_and_mkey() int nentries; krb5_boolean more; krb5_data scratch, pwd, seed; + krb5_kvno kvno; dbactive = FALSE; valid_master_key = 0; 
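Review bot: The new `-kv` option converts its argument with `atoi`, so `-kv 12abc` is accepted as 12, `-kv -1` wraps to a huge value once cast to krb5_kvno, and only the exact value IGNORE_VNO is rejected. Since this number ends up in the stash file and in the master principal's key data, it should be parsed with strtoul and checked for a leading sign, trailing garbage, ERANGE and overflow of krb5_kvno; the rewritten branch is below (it assumes `<errno.h>` is already included, which the use of EINVAL here suggests). The `: %s ...` prefix on both new com_err messages also looks like a leftover from another formatting style — com_err already separates the error text from the message.
```c
} else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(koptarg, &end, 10);
    if (*koptarg == '-' || end == koptarg || *end != '\0' ||
        errno == ERANGE || (unsigned long) (krb5_kvno) v != v ||
        (krb5_kvno) v == IGNORE_VNO) {
        com_err(progname, EINVAL, ": %s is an invalid mkeyVNO", koptarg);
        exit(1);
    }
    global_params.kvno = (krb5_kvno) v;
    global_params.mask |= KADM5_CONFIG_KVNO;
/* … unchanged: -M handling follows … */
```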
@@ -421,6 +430,11 @@ static int open_db_and_mkey() return(1); } + if (global_params.mask & KADM5_CONFIG_KVNO) + kvno = global_params.kvno; /* user specified */ + else + kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; + krb5_db_free_principal(util_context, &master_entry, nentries); /* the databases are now open, and the master principal exists */ @@ -437,13 +451,12 @@ static int open_db_and_mkey() } /* If no encryption type is set, use the default */ - if (master_keyblock.enctype == ENCTYPE_UNKNOWN) { + if (master_keyblock.enctype == ENCTYPE_UNKNOWN) master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; - if (!krb5_c_valid_enctype(master_keyblock.enctype)) - com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", - master_keyblock.enctype); - } + if (!krb5_c_valid_enctype(master_keyblock.enctype)) + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", + master_keyblock.enctype); retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, &pwd, &scratch, &master_keyblock); @@ -455,10 +468,12 @@ static int open_db_and_mkey() } free(scratch.data); mkey_password = 0; + } else if ((retval = krb5_db_fetch_mkey(util_context, master_princ, master_keyblock.enctype, manual_mkey, FALSE, global_params.stash_file, + &kvno, 0, &master_keyblock))) { com_err(progname, retval, "while reading master key"); com_err(progname, 0, "Warning: proceeding without master key"); @@ -466,7 +481,7 @@ static int open_db_and_mkey() return(0); } if ((retval = krb5_db_verify_master_key(util_context, master_princ, - &master_keyblock))) { + kvno, &master_keyblock))) { com_err(progname, retval, "while verifying master key"); exit_status++; krb5_free_keyblock_contents(util_context, &master_keyblock); -- cgit
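Review bot: `master_entry.key_data->key_data_kvno` reads the first key entry without a visible check that `master_entry.n_key_data` is at least 1; the comment a few lines down only establishes that the master principal exists. Unless the lookup above this hunk already guarantees key data (it is outside what I can see), a master entry with no keys would read past the array here. A guard on `master_entry.n_key_data < 1` that reports via com_err, frees master_entry with krb5_db_free_principal and returns 1 like the failure path just above this hunk would close that. open_db_and_mkey continues outside this hunk.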
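Review bot: Hoisting the `krb5_c_valid_enctype` check out of the `ENCTYPE_UNKNOWN` branch makes it run for a user-supplied -k type too, but on failure the code only prints via com_err and then falls straight into `krb5_c_string_to_key` with the unsupported enctype. The check should end the function the way the other failures in open_db_and_mkey do: wrap the com_err in braces and add `exit_status++; return(1);`. Whether string_to_key itself rejects the type safely is not visible here, so treating the com_err as fatal is the safer reading.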
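Review bot: The new krb5_db_fetch_mkey call passes `&kvno, 0` for the last two pointer arguments, while the equivalent call sites added by this same commit in dump.c and kdb5_stash.c use `NULL`. Passing `NULL` here too (`&kvno, NULL,`) keeps the three call sites consistent and makes the unused parameter read as a pointer. It is a style point only; behaviour is identical.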