+Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
+
+ * kdb5_create.c : Use new kdb format.
+
Mon Jul 17 14:58:00 EDT 1995 Paul Park (pjpark@mit.edu)
* configure.in - Add KADM library.
* kdb5_create.c - Add KDC profile reading/handling as a supplement to
enum ap_op op;
struct realm_info *pblock;
{
- krb5_db_entry entry;
- krb5_error_code retval;
- krb5_encrypted_keyblock ekey;
- krb5_keyblock *rkey;
- int nentries = 1;
+ krb5_error_code retval;
+ krb5_db_entry entry;
+ krb5_keyblock * rkey;
+
+ krb5_tl_mod_princ mod_princ;
+
+ int nentries = 1;
memset((char *) &entry, 0, sizeof(entry));
- entry.principal = princ;
- entry.kvno = 1;
+
+ entry.mkvno = 1;
+ entry.len = KRB5_KDB_V1_BASE_LENGTH;
+ entry.attributes = pblock->flags;
entry.max_life = pblock->max_life;
entry.max_renewable_life = pblock->max_rlife;
- entry.mkvno = 1;
entry.expiration = pblock->expiration;
- entry.mod_name = &db_create_princ;
- if (retval = krb5_timeofday(context, &entry.mod_date))
- return retval;
- entry.attributes = pblock->flags;
+ if (retval = krb5_copy_principal(context, princ, &entry.princ))
+ goto error_out;
+
+ mod_princ.mod_princ = &db_create_princ;
+ if (retval = krb5_timeofday(context, &mod_princ.mod_date))
+ goto error_out;
+ if (retval = krb5_dbe_encode_mod_princ_data(context, &mod_princ, &entry))
+ goto error_out;
+
+ if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) == NULL)
+ goto error_out;
+ memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
+ entry.n_key_data = 1;
switch (op) {
case MASTER_KEY:
entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- if (retval = krb5_kdb_encrypt_key(context, pblock->eblock,
- &master_keyblock, &ekey))
+ if (retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock,
+ &master_keyblock, NULL,
+ 1, entry.key_data))
return retval;
break;
case RANDOM_KEY:
if (retval = krb5_random_key(context, pblock->eblock,
pblock->rseed, &rkey))
return retval;
- retval = krb5_kdb_encrypt_key(context, pblock->eblock, rkey, &ekey);
+ retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock, rkey,
+ NULL, 1, entry.key_data);
krb5_free_keyblock(context, rkey);
if (retval)
return retval;
default:
break;
}
- entry.key = ekey;
- entry.salt_type = KRB5_KDB_SALTTYPE_NORMAL;
- entry.salt_length = 0;
- entry.salt = 0;
- if (retval = krb5_db_put_principal(context, &entry, &nentries))
- return retval;
+ retval = krb5_db_put_principal(context, &entry, &nentries);
- krb5_xfree(ekey.contents);
- return 0;
+error_out:;
+ krb5_dbe_free_contents(context, &entry);
+ return retval;
}
+Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
+
+ * dump.c kdb5_edit.c kdb5_edit.h util.c : Use new kdb format.
+
Mon Jul 17 15:00:08 EDT 1995 Paul Park (pjpark@mit.edu)
* configure.in - Add KADM library.
* dumpv4.c - Change calling sequence to krb5_db_fetch_mkey().
FILE *f;
};
-static char ld_vers[] = "kdb5_edit load_dump version 2.0\n";
+static char ld_vers[] = "kdb5_edit load_dump version 3.0\n";
krb5_encrypt_block master_encblock;
extern char *current_dbname;
krb5_error_code
dump_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
+ krb5_pointer ptr;
+ krb5_db_entry * entry;
{
- krb5_error_code retval;
- struct dump_record *arg = (struct dump_record *) ptr;
- char *name=NULL, *mod_name=NULL;
- int i;
+ struct dump_record * arg = (struct dump_record *) ptr;
+ krb5_error_code retval;
+ datum content;
- if (retval = krb5_unparse_name(edit_context, entry->principal, &name)) {
- com_err(arg->comerr_name, retval, "while unparsing principal");
+ if (retval = krb5_encode_princ_contents(edit_context, &content, entry)) {
+ com_err(arg->comerr_name, retval, "while encoding an entry");
exit_status++;
return retval;
}
- if (retval = krb5_unparse_name(edit_context, entry->mod_name, &mod_name)) {
- free(name);
- com_err(arg->comerr_name, retval, "while unparsing principal");
- exit_status++;
- return retval;
- }
- fprintf(arg->f, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t", strlen(name),
- strlen(mod_name), entry->key.length, entry->alt_key.length,
- entry->salt_length, entry->alt_salt_length, name,
- entry->key.keytype);
- for (i=0; i<entry->key.length; i++) {
- fprintf(arg->f, "%02x", *(entry->key.contents+i));
- }
- fprintf(arg->f,
- "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
- entry->kvno, entry->max_life, entry->max_renewable_life,
- entry->mkvno, entry->expiration, entry->pw_expiration,
- entry->last_pwd_change, entry->last_success, entry->last_failed,
- entry->fail_auth_count, mod_name, entry->mod_date,
- entry->attributes, entry->salt_type);
- for (i=0; i<entry->salt_length; i++) {
- fprintf(arg->f, "%02x", *(entry->salt+i));
- }
- fprintf(arg->f, "\t%u\t", entry->alt_key.keytype);
- for (i=0; i<entry->alt_key.length; i++) {
- fprintf(arg->f, "%02x", *(entry->alt_key.contents+i));
- }
- fprintf(arg->f, "\t%u\t", entry->alt_salt_type);
- for (i=0; i<entry->alt_salt_length; i++) {
- fprintf(arg->f, "%02x", *(entry->alt_salt+i));
- }
- for (i=0; i < 8; i++) {
- fprintf(arg->f, "\t%u", entry->expansion[i]);
- }
+ fprintf(arg->f, "%d\t", content.dsize);
+ fwrite(content.dptr, content.dsize, 1, arg->f);
fprintf(arg->f, ";\n");
- free(name);
- free(mod_name);
return 0;
}
/*ARGSUSED*/
fputs(ld_vers, f);
arg.comerr_name = argv[0];
arg.f = f;
- (void) krb5_db_iterate(edit_context, dump_iterator, (krb5_pointer) &arg);
+ (void)krb5_db_iterate(edit_context, dump_iterator, (krb5_pointer) &arg);
if (argc == 2)
fclose(f);
if (argv[1])
int argc;
char **argv;
{
- FILE *f;
- krb5_db_entry entry;
- krb5_error_code retval;
- int name_len, mod_name_len, key_len, alt_key_len;
- int salt_len, alt_salt_len;
- int i, one;
- char *name, *mod_name;
+ krb5_error_code retval;
+ krb5_db_entry entry;
+ datum contents;
+ FILE * f;
+ char * new_dbname;
+ char buf[64]; /* Must be longer than ld_vers */
+ int lineno;
+ int one;
+
+ int i;
int name_ret;
- char *new_dbname;
int ch;
int load_error = 0;
- int lineno = 0;
int stype;
int tmp1, tmp2, tmp3;
- char buf[64]; /* Must be longer than ld_vers */
if (argc != 3) {
com_err(argv[0], 0, "Usage: %s filename dbname", argv[0]);
if (strcmp(buf, ld_vers)) {
com_err(argv[0], 0, "Bad dump file version");
load_error++;
- goto error_out;
}
- lineno++;
- for (;;) {
- int nitems;
+ for (lineno = 1; load_error == 0; lineno++) {
+ datum contents;
+ int nitems;
- lineno++;
- memset((char *)&entry, 0, sizeof(entry));
- nitems = fscanf(f, "%d\t%d\t%d\t%d\t%d\t%d\t",
- &name_len, &mod_name_len, &key_len,
- &alt_key_len, &salt_len, &alt_salt_len);
- if (nitems == EOF)
- break;
- if (nitems != 6) {
- fprintf(stderr, "Couldn't parse line #%d\n", lineno);
- load_error++;
- break;
- }
- if (!(name = malloc(name_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for name");
- load_error++;
- goto cleanup;
- }
- if (!(mod_name = malloc(mod_name_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for mod_name");
- load_error++;
- goto cleanup;
- }
- entry.key.length = key_len;
- if (key_len) {
- if (!(entry.key.contents = (krb5_octet *)
- malloc(key_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for the key");
- load_error++;
- goto cleanup;
- }
- }
- entry.alt_key.length = alt_key_len;
- if (alt_key_len) {
- if (!(entry.alt_key.contents = (krb5_octet *)
- malloc(alt_key_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for alt_key");
- load_error++;
- goto cleanup;
- }
- }
- entry.salt_length = salt_len;
- if (salt_len) {
- if (!(entry.salt = (krb5_octet *) malloc(salt_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for the salt");
- load_error++;
- goto cleanup;
- }
- }
- entry.alt_salt_length = alt_salt_len;
- if (alt_salt_len) {
- if (!(entry.alt_salt = (krb5_octet *)
- malloc(alt_salt_len+1))) {
- com_err(argv[0], errno,
- "While allocating space for the alt_salt");
- load_error++;
- goto cleanup;
- }
- }
- if ((name_ret = read_name(f, name, name_len)) < 0) {
- fprintf(stderr, "Couldn't parse line #%d\n", lineno);
- load_error++;
- break;
- }
- lineno += name_ret;
- if (fscanf(f, "%d\t", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n", lineno);
- load_error++;
- break;
- }
- /* keytype is probably a short, but might not be.
- To avoid problems with scanf, read into a variable of
- known type then copy the value. */
- entry.key.keytype = tmp1;
- for (i=0; i<entry.key.length; i++) {
- if (fscanf(f,"%02x", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.key.contents[i] = tmp1;
- }
- if (fscanf(f, "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
- &tmp1, &entry.max_life, &entry.max_renewable_life,
- &tmp2, &entry.expiration, &entry.pw_expiration,
- &entry.last_pwd_change, &entry.last_success,
- &entry.last_failed, &tmp3) != 10) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- if ((name_ret = read_name(f, mod_name, mod_name_len)) < 0) {
- fprintf(stderr, "Couldn't parse line #%d\n", lineno);
- load_error++;
- break;
- }
- lineno += name_ret;
- if (fscanf(f, "%u\t%u\t%u\t",
- &entry.mod_date, &entry.attributes, &stype) != 3) {
- fprintf(stderr, "Couldn't parse line #%d\n", lineno);
- load_error++;
- break;
- }
- entry.kvno = tmp1;
- entry.mkvno = tmp2;
- entry.fail_auth_count = tmp3;
- entry.salt_type = stype;
- for (i=0; i < salt_len; i++) {
- if (fscanf(f, "%02x", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.salt[i] = tmp1;
- }
- if (fscanf(f, "\t%u\t", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.alt_key.keytype = tmp1;
- for (i=0; i<alt_key_len; i++) {
- if (fscanf(f,"%02x", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.alt_key.contents[i] = tmp1;
- }
- if (fscanf(f, "\t%u\t", &stype) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.alt_salt_type = stype;
- for (i=0; i < alt_salt_len; i++) {
- if (fscanf(f, "%02x", &tmp1) != 1) {
- fprintf(stderr, "Couldn't parse line #%d\n",
- lineno);
- load_error++;
- break;
- }
- entry.alt_salt[i] = tmp1;
- }
- for (i=0; i < 8; i++) {
- fscanf(f, "\t%u", &entry.expansion[i]);
- }
- if (((ch = fgetc(f)) != ';') || ((ch = fgetc(f)) != '\n')) {
- fprintf(stderr, "Ignoring trash at end of entry: ");
- while (ch != '\n') {
- putc(ch, stderr);
- ch = fgetc(f);
- }
- putc(ch, stderr);
- }
- if (retval=krb5_parse_name(edit_context, name, &entry.principal)) {
- com_err(argv[0], retval,
- "while trying to parse %s in line %d",
- name, lineno);
- load_error++;
- goto cleanup;
- }
- if (retval=krb5_parse_name(edit_context, mod_name, &entry.mod_name)) {
- com_err(argv[0], retval,
- "while trying to parse %s in line %d",
- mod_name, lineno);
- load_error++;
- goto cleanup;
- }
- one=1;
- if (retval = krb5_db_put_principal(edit_context, &entry, &one)) {
- com_err(argv[0], retval,
- "while trying to store principal %s",
- name);
- load_error++;
- goto cleanup;
+ memset((char *)&entry, 0, sizeof(entry));
+ if ((nitems = fscanf(f, "%d\t", &contents.dsize)) != 1) {
+ if (nitems != EOF) {
+ fprintf(stderr, "Couldn't parse line #%d\n", lineno);
+ load_error++;
+ continue;
}
- cleanup:
- free(name);
- free(mod_name);
- if (entry.key.contents)
- krb5_xfree(entry.key.contents);
- if (entry.alt_key.contents)
- krb5_xfree(entry.alt_key.contents);
- if (entry.salt)
- krb5_xfree(entry.salt);
- if (entry.alt_salt)
- krb5_xfree(entry.alt_salt);
+ break;
+ }
+ if (!(contents.dptr = malloc(contents.dsize))) {
+ com_err(argv[0], errno, "While allocating space");
+ load_error++;
+ continue;
+ }
+ if (fread(contents.dptr, contents.dsize, 1, f) == EOF) {
+ fprintf(stderr, "Couldn't read line #%d\n", lineno);
+ free(contents.dptr);
+ load_error++;
+ continue;
+ }
+ if (((ch = fgetc(f)) != ';') || ((ch = fgetc(f)) != '\n')) {
+ fprintf(stderr, "Ignoring trash at end of entry: ");
+ while ((ch != '\n') && (ch != EOF)) {
+ putc(ch, stderr);
+ ch = fgetc(f);
+ }
+ putc(ch, stderr);
+ load_error++;
+ continue;
+ }
+ if (retval = krb5_decode_princ_contents(edit_context, &contents, &entry)) {
+ com_err(argv[0], retval,"while trying to parse line %d",lineno);
+ free (contents.dptr);
+ load_error++;
+ continue;
+ }
+ one=1;
+ if (retval = krb5_db_put_principal(edit_context, &entry, &one)) {
+ com_err(argv[0], retval, "while trying to write db entry");
+ krb5_dbe_free_contents(edit_context, &entry);
+ free (contents.dptr);
+ continue;
+ }
}
-error_out:
if (retval = krb5_db_fini(edit_context)) {
com_err(argv[0], retval,
"while closing database '%s'", new_dbname);
char *pname;
krb5_principal principal;
{
- int nprincs = 1;
+ int i, nprincs = 1;
krb5_db_entry entry;
krb5_boolean more;
krb5_error_code retval;
- krb5_kvno vno;
+ krb5_kvno vno = 0;
if (retval = krb5_db_get_principal(edit_context, principal, &entry,
&nprincs, &more)) {
}
if (!nprincs)
return NO_PRINC;
- vno = entry.kvno;
+ for (i = 0; i < entry.n_key_data; i++)
+ if (vno < entry.key_data[i].key_data_kvno)
+ vno = entry.key_data[i].key_data_kvno;
krb5_db_free_principal(edit_context, &entry, nprincs);
return(vno);
}
-int create_db_entry( principal, newentry)
- krb5_principal principal;
- krb5_db_entry *newentry;
+int create_db_entry(principal, newentry)
+ krb5_principal principal;
+ krb5_db_entry * newentry;
{
+ krb5_tl_mod_princ mod_princ;
int retval;
memset(newentry, 0, sizeof(krb5_db_entry));
- if (retval = krb5_copy_principal(edit_context, principal, &newentry->principal))
- return retval;
- newentry->kvno = 1;
+ newentry->len = KRB5_KDB_V1_BASE_LENGTH;
+ newentry->mkvno = mblock.mkvno;
+ newentry->attributes = mblock.flags;
newentry->max_life = mblock.max_life;
newentry->max_renewable_life = mblock.max_rlife;
- newentry->mkvno = mblock.mkvno;
newentry->expiration = mblock.expiration;
- if (retval = krb5_copy_principal(edit_context, master_princ,&newentry->mod_name))
- goto errout;
-
- newentry->attributes = mblock.flags;
- newentry->salt_type = KRB5_KDB_SALTTYPE_NORMAL;
- if (retval = krb5_timeofday(edit_context, &newentry->mod_date))
- goto errout;
+ if (retval = krb5_copy_principal(edit_context, principal, &newentry->princ))
+ return retval;
- return 0;
+ if (retval = krb5_timeofday(edit_context, &mod_princ.mod_date))
+ goto create_db_entry_error;
-errout:
- if (newentry->principal)
- krb5_free_principal(edit_context, newentry->principal);
- memset(newentry, 0, sizeof(krb5_db_entry));
+ if (retval = krb5_copy_principal(edit_context, master_princ,
+ &mod_princ.mod_princ))
+ goto create_db_entry_error;
+
+ retval = krb5_dbe_encode_mod_princ_data(edit_context, &mod_princ, newentry);
+ krb5_xfree(mod_princ.mod_princ->data);
+
+ if (!retval)
+ return 0;
+
+create_db_entry_error:
+ krb5_dbe_free_contents(edit_context, newentry);
+ exit_status++;
return retval;
}
krb5_const_principal principal;
const krb5_keyblock * key;
krb5_kvno vno;
- struct saltblock * salt;
+ krb5_keysalt * salt;
{
- krb5_error_code retval;
- krb5_db_entry newentry;
+ krb5_error_code retval;
+ krb5_db_entry entry;
int one = 1;
- memset((char *) &newentry, 0, sizeof(newentry));
- retval = krb5_kdb_encrypt_key(edit_context, &master_encblock,
- key,
- &newentry.key);
- if (retval) {
- com_err(cmdname, retval, "while encrypting key for '%s'", newprinc);
- exit_status++;
- return;
- }
- newentry.principal = (krb5_principal) principal;
- newentry.kvno = vno;
- newentry.max_life = mblock.max_life;
- newentry.max_renewable_life = mblock.max_rlife;
- newentry.mkvno = mblock.mkvno;
- newentry.expiration = mblock.expiration;
- newentry.mod_name = master_princ;
- if (retval = krb5_timeofday(edit_context, &newentry.mod_date)) {
- com_err(cmdname, retval, "while fetching date");
- exit_status++;
- memset((char *)newentry.key.contents, 0, newentry.key.length);
- krb5_xfree(newentry.key.contents);
+ /* First create a db_entry */
+ if (retval = create_db_entry(principal, &entry)) {
+ com_err(cmdname, retval, "while creating db_entry.");
return;
}
- newentry.attributes = mblock.flags;
- if (salt) {
- newentry.salt_type = salt->salttype;
- newentry.salt_length = salt->saltdata.length;
- newentry.salt = (krb5_octet *) salt->saltdata.data;
- } else {
- newentry.salt_type = KRB5_KDB_SALTTYPE_NORMAL;
- newentry.salt_length = 0;
- newentry.salt = 0;
+
+ /* Now add the key */
+ if (retval = krb5_dbe_create_key_data(edit_context, &entry)) {
+ com_err(cmdname, retval, "while creating key_data for db_entry.");
+ goto add_key_error;
+ }
+
+ if (retval = krb5_dbekd_encrypt_key_data(edit_context, &master_encblock,
+ key, salt, vno, entry.key_data)) {
+ com_err(cmdname, retval, "while encrypting key for '%s'", newprinc);
+ goto add_key_error;
}
- retval = krb5_db_put_principal(edit_context, &newentry, &one);
- memset((char *)newentry.key.contents, 0, newentry.key.length);
- krb5_xfree(newentry.key.contents);
- if (retval) {
+ if (retval = krb5_db_put_principal(edit_context, &entry, &one)) {
com_err(cmdname, retval, "while storing entry for '%s'\n", newprinc);
- exit_status++;
- return;
+ goto add_key_error;
}
+
if (one != 1) {
com_err(cmdname, 0, "entry not stored in database (unknown failure)");
- exit_status++;
+ goto add_key_error;
}
+
+add_key_error:
+ krb5_dbe_free_contents(edit_context, &entry);
+ if (retval)
+ exit_status++;
return;
}
char *dbname;
{
krb5_error_code retval;
- int nentries;
+ int nentries, i;
krb5_boolean more;
krb5_data scratch, pwd;
mblock.expiration = master_entry.expiration;
#endif /* notdef */
/* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry.kvno;
+ for (mblock.mkvno = 1, i = 0; i < master_entry.n_key_data; i++)
+ if (mblock.mkvno < master_entry.key_data[i].key_data_kvno)
+ mblock.mkvno = master_entry.key_data[i].key_data_kvno;
krb5_db_free_principal(edit_context, &master_entry, nentries);
if (mkey_password) {
exit_status++;
goto cleanmost;
}
- if (retval = krb5_kdb_decrypt_key(edit_context, &master_encblock,
- &dbentry.key,
- &newentry.key)) {
+ if (retval = krb5_dbekd_decrypt_key_data(edit_context, &master_encblock,
+ &dbentry.key_data[0],
+ &newentry.key, NULL)) {
com_err(argv[0], retval, "while decrypting key for '%s'", pname);
exit_status++;
goto cleanall;
}
newentry.principal = princ;
- newentry.vno = dbentry.kvno;
+ newentry.vno = dbentry.key_data[0].key_data_kvno;
if (retval = krb5_kt_add_entry(edit_context, ktid, &newentry)) {
com_err(argv[0], retval, "while adding key to keytab '%s'",
ktname);
exit_status++;
goto cleanmost;
}
- if (retval = krb5_kdb_decrypt_key(edit_context, &master_encblock,
- &dbentry.key,
- &key)) {
+ if (retval = krb5_dbekd_decrypt_key_data(edit_context, &master_encblock,
+ &dbentry.key_data[0],
+ &key, NULL)) {
com_err(argv[0], retval, "while decrypting key for '%s'", pname);
exit_status++;
goto cleanall;
fwrite(argv[i], strlen(argv[i]) + 1, 1, fout); /* p.name */
fwrite(argv[1], strlen(argv[1]) + 1, 1, fout); /* p.instance */
fwrite(cur_realm, strlen(cur_realm) + 1, 1, fout); /* p.realm */
- fwrite((char *)&dbentry.kvno, sizeof(dbentry.kvno), 1, fout);
+ fwrite((char *)&dbentry.key_data[0].key_data_kvno,
+ sizeof(dbentry.key_data[0].key_data_kvno), 1, fout);
fwrite((char *)key.contents, 8, 1, fout);
printf("'%s' added to V4 srvtab '%s'\n", pname, ktname);
memset((char *)key.contents, 0, key.length);
cleanall:
krb5_db_free_principal(edit_context, &dbentry, nentries);
cleanmost:
- free(pname);
krb5_free_principal(edit_context, princ);
+ free(pname);
}
fclose(fout);
return;
return(check_for_match(search_name, must_be_first[0], chk_entry,
num_name_tokens, names));
- if ((krb5_princ_size(edit_context, chk_entry->principal) > 1) &&
+ if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) &&
(num_name_tokens == 0) &&
(num_instance_tokens > 0))
return(check_for_match(search_instance, must_be_first[1], chk_entry,
num_instance_tokens, instances));
- if ((krb5_princ_size(edit_context, chk_entry->principal) > 1) &&
+ if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) &&
(num_name_tokens > 0) &&
(num_instance_tokens > 0)) {
check1 = check_for_match(search_name, must_be_first[0], chk_entry,
struct list_iterator_struct *lis = (struct list_iterator_struct *)ptr;
char *name;
- if (retval = krb5_unparse_name(edit_context, entry->principal, &name)) {
+ if (retval = krb5_unparse_name(edit_context, entry->princ, &name)) {
com_err(lis->cmdname, retval, "while unparsing principal");
exit_status++;
return retval;
}
if (princ_exists(argv[0], newprinc) == NO_PRINC) {
com_err(argv[0], 0, "principal '%s' is not in the database", argv[1]);
- exit_status++;
krb5_free_principal(edit_context, newprinc);
+ exit_status++;
return;
}
printf("Are you sure you want to delete '%s'?\nType 'yes' to confirm:",
*/
void
enter_rnd_key(argc, argv, change)
- int argc;
- char **argv;
- int change;
+ int argc;
+ char ** argv;
+ int change;
{
- krb5_error_code retval;
- krb5_keyblock *tempkey;
- krb5_principal newprinc;
- int nprincs = 1;
- krb5_db_entry entry;
- krb5_boolean more;
+ krb5_error_code retval;
+ krb5_keyblock * tempkey;
+ krb5_principal newprinc;
+ krb5_key_data * key_data;
+ krb5_db_entry entry;
+ krb5_boolean more;
+ int nprincs = 1;
+ int vno;
if (argc < 2) {
com_err(argv[0], 0, "Too few arguments");
}
if (!change) {
- retval = create_db_entry(newprinc, &entry);
- if (retval) {
+ if (retval = create_db_entry(newprinc, &entry)) {
com_err(argv[0], retval, "While creating new db entry.");
exit_status++;
goto errout;
}
+ if (retval = krb5_dbe_create_key_data(edit_context, &entry)) {
+ com_err(argv[0], retval, "While creating key_data for db_entry.");
+ exit_status++;
+ goto errout;
+ }
nprincs = 1;
+ vno = 1;
+ } else {
+ vno = entry.key_data[0].key_data_kvno++;
}
+ /* For now we only set the first key_data */
+ key_data = entry.key_data;
if (retval = krb5_random_key(edit_context, &master_encblock,
master_random, &tempkey)) {
return;
}
- /*
- * Free the old key, if it exists. Also nuke the alternative key,
- * and associated salting information, since it all doesn't apply
- * for random keys.
- */
- if (entry.key.contents) {
- memset((char *)entry.key.contents, 0, entry.key.length);
- krb5_xfree(entry.key.contents);
- }
- if (entry.alt_key.contents) {
- memset((char *)entry.alt_key.contents, 0, entry.alt_key.length);
- krb5_xfree(entry.alt_key.contents);
- entry.alt_key.contents = 0;
- }
- if (entry.salt) {
- krb5_xfree(entry.salt);
- entry.salt = 0;
- }
- if (entry.alt_salt) {
- krb5_xfree(entry.alt_salt);
- entry.alt_salt = 0;
- }
- entry.salt_type = entry.alt_salt_type = 0;
- entry.salt_length = entry.alt_salt_length = 0;
-
- retval = krb5_kdb_encrypt_key(edit_context, &master_encblock,
- tempkey, &entry.key);
+ /* Encoding over an old key_data will free old key contents */
+ retval = krb5_dbekd_encrypt_key_data(edit_context, &master_encblock,
+ tempkey, NULL, vno, key_data);
krb5_free_keyblock(edit_context, tempkey);
if (retval) {
com_err(argv[0], retval, "while encrypting key for '%s'", argv[1]);
char password[BUFSIZ];
int pwsize = sizeof(password);
krb5_keyblock tempkey;
+ krb5_keysalt salt;
krb5_data pwd;
- struct saltblock salt;
if (retval = krb5_read_password(edit_context, krb5_default_pwd_prompt1,
krb5_default_pwd_prompt2,
pwd.data = password;
pwd.length = pwsize;
- salt.salttype = salttype;
-
- switch (salttype) {
+ switch (salt.type = salttype) {
case KRB5_KDB_SALTTYPE_NORMAL:
- if (retval = krb5_principal2salt(edit_context,string_princ,&salt.saltdata)) {
+ if (retval = krb5_principal2salt(edit_context,string_princ,&salt.data)){
com_err(cmdname, retval,
"while converting principal to salt for '%s'", newprinc);
exit_status++;
}
break;
case KRB5_KDB_SALTTYPE_V4:
- salt.saltdata.data = 0;
- salt.saltdata.length = 0;
+ salt.data.length = 0;
+ salt.data.data = 0;
break;
- case KRB5_KDB_SALTTYPE_NOREALM:
+ case KRB5_KDB_SALTTYPE_NOREALM:
if (retval = krb5_principal2salt_norealm(edit_context, string_princ,
- &salt.saltdata)) {
+ &salt.data)) {
com_err(cmdname, retval,
"while converting principal to salt for '%s'", newprinc);
exit_status++;
return;
}
break;
- case KRB5_KDB_SALTTYPE_ONLYREALM:
- {
- krb5_data *foo;
+ case KRB5_KDB_SALTTYPE_ONLYREALM: {
+ krb5_data * saltdata;
if (retval = krb5_copy_data(edit_context,
- krb5_princ_realm(edit_context, string_princ),
- &foo)) {
+ krb5_princ_realm(edit_context,string_princ),
+ &saltdata)) {
com_err(cmdname, retval,
"while converting principal to salt for '%s'", newprinc);
exit_status++;
return;
}
- salt.saltdata = *foo;
- krb5_xfree(foo);
+ salt.data = *saltdata;
+ krb5_xfree(saltdata);
break;
}
default:
}
retval = krb5_string_to_key(edit_context, &master_encblock,
master_keyblock.keytype, &tempkey,
- &pwd, &salt.saltdata);
+ &pwd, &salt.data);
memset(password, 0, sizeof(password)); /* erase it */
if (retval) {
com_err(cmdname, retval, "while converting password to key for '%s'",
newprinc);
+ if (salt.data.data)
+ krb5_xfree(salt.data.data);
exit_status++;
- krb5_xfree(salt.saltdata.data);
return;
}
add_key(cmdname, newprinc, princ, &tempkey, ++vno,
- (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? 0 : &salt);
- krb5_xfree(salt.saltdata.data);
+ (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? NULL : &salt);
memset((char *)tempkey.contents, 0, tempkey.length);
+ if (salt.data.data)
+ krb5_xfree(salt.data.data);
krb5_xfree(tempkey.contents);
return;
}
krb5_boolean more;
krb5_error_code retval;
char *pr_name = 0;
- char *pr_mod = 0;
time_t tmp_date;
int i;
static char *prflags[32] = {
goto errout;
}
- if (retval = krb5_unparse_name(edit_context, entry.principal, &pr_name)) {
+ if (retval = krb5_unparse_name(edit_context, entry.princ, &pr_name)) {
com_err(argv[0], retval, "while unparsing principal");
exit_status++;
goto errout;
}
- if (retval = krb5_unparse_name(edit_context, entry.mod_name, &pr_mod)) {
- com_err(argv[0], retval, "while unparsing 'modified by' principal");
- exit_status++;
- goto errout;
- }
-
printf("Name: %s\n", pr_name);
- printf("Key version: %d\n", entry.kvno);
+/* printf("Key version: %d\n", entry.kvno); */
printf("Maximum life: %s\n", strdur(entry.max_life));
printf("Maximum renewable life: %s\n", strdur(entry.max_renewable_life));
printf("Master key version: %d\n", entry.mkvno);
printf("Expiration: %s", ctime(&tmp_date));
tmp_date = (time_t) entry.pw_expiration;
printf("Password expiration: %s", ctime(&tmp_date));
- tmp_date = (time_t) entry.last_pwd_change;
+ /* tmp_date = (time_t) entry.last_pwd_change; */
printf("Last password change: %s", ctime(&tmp_date));
tmp_date = (time_t) entry.last_success;
printf("Last successful password: %s", ctime(&tmp_date));
tmp_date = (time_t) entry.last_failed;
printf("Last failed password attempt: %s", ctime(&tmp_date));
printf("Failed password attempts: %d\n", entry.fail_auth_count);
- tmp_date = (time_t) entry.mod_date;
- printf("Last modified by %s on %s", pr_mod, ctime(&tmp_date));
+/* tmp_date = (time_t) entry.mod_date; */
+/* printf("Last modified by %s on %s", pr_mod, ctime(&tmp_date)); */
printf("Attributes:");
for (i = 0; i < 32; i++) {
if (entry.attributes & (krb5_flags) 1 << i)
printf("UNKNOWN_0x%08X", (krb5_flags) 1 << i);
}
printf("\n");
- printf("Salt: %d\n", entry.salt_type);
- printf("Alt salt: %d\n", entry.salt_type);
+ /* printf("Salt: %d\n", entry.salt_type);
+ printf("Alt salt: %d\n", entry.salt_type); */
if (!nprincs) {
com_err(argv[0], 0, "Principal '%s' does not exist", argv[1]);
*randkey = 0;
for (i = 1; i < argc - 1; i++) {
attrib_set = 0;
+/*
if (strlen(argv[i]) == 5 &&
!strcmp("-kvno", argv[i])) {
if (++i > argc - 2)
continue;
}
}
+*/
if (strlen(argv[i]) == 8 &&
!strcmp("-maxlife", argv[i])) {
if (++i > argc - 2)
fprintf(stderr, "%s: parser lost count!\n", caller);
return -1;
}
- retval = krb5_parse_name(edit_context, argv[i], &entry->principal);
+ retval = krb5_parse_name(edit_context, argv[i], &entry->princ);
if (retval) {
com_err(caller, retval, "while parsing principal");
return -1;
char *argv[];
{
krb5_db_entry entry, oldentry;
+ krb5_tl_mod_princ mod_princ;
krb5_principal kprinc;
krb5_error_code retval;
krb5_boolean more;
"modify_principal");
if (retval) {
fprintf(stderr, "modify_principal: bad arguments\n");
- krb5_free_principal(edit_context, entry.principal);
+ krb5_free_principal(edit_context, entry.princ);
free(canon);
return;
}
if (randkey) {
fprintf(stderr, "modify_principal: -randkey not allowed\n");
- krb5_free_principal(edit_context, entry.principal);
+ krb5_free_principal(edit_context, entry.princ);
free(canon);
return;
}
- entry.mod_name = master_princ;
- if (retval = krb5_timeofday(edit_context, &entry.mod_date)) {
+ mod_princ.mod_princ = master_princ;
+ if (retval = krb5_timeofday(edit_context, &mod_princ.mod_date)) {
com_err(argv[0], retval, "while fetching date");
- krb5_free_principal(edit_context, entry.principal);
+ krb5_free_principal(edit_context, entry.princ);
+ exit_status++;
+ free(canon);
+ return;
+ }
+ if (retval=krb5_dbe_encode_mod_princ_data(edit_context,&mod_princ,&entry)) {
+ com_err(argv[0], retval, "while setting mod_prince and mod_date");
+ krb5_free_principal(edit_context, entry.princ);
exit_status++;
free(canon);
return;
}
retval = krb5_db_put_principal(edit_context, &entry, &one);
- krb5_free_principal(edit_context, entry.principal);
+ krb5_free_principal(edit_context, entry.princ);
if (retval) {
com_err("modify_principal", retval,
"while modifying \"%s\".", canon);
krb5_kvno mkvno;
};
-struct saltblock {
- int salttype;
- krb5_data saltdata;
-};
-
void add_key
PROTOTYPE((char const *, char const *,
krb5_const_principal, const krb5_keyblock *,
- krb5_kvno, struct saltblock *));
+ krb5_kvno, krb5_keysalt *));
void enter_pwd_key
PROTOTYPE((char *, char *, krb5_const_principal,
krb5_const_principal, krb5_kvno, int));
char *found3;
char *local_entry;
- local_entry = chk_entry->principal->data[type].data;
+ local_entry = chk_entry->princ->data[type].data;
token1[0] = token2[0] = token3[0] = '\0';
+Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
+
+ * do_as_req.c do_tgs_req.c kdc_util.c main.c : Use new kdb format.
+
Mon Jul 17 15:13:09 EDT 1995 Paul Park (pjpark@mit.edu)
* main.c - Gut KDC profile handling logic and move it to lib/kadm/
alt_prof.c because it's now used by admin and kadmin programs.
of padata. */
int *flags;
{
- krb5_encrypted_keyblock *enckey;
- krb5_keyblock tmpkey;
krb5_error_code retval;
-
- enckey = &(client->key);
- /* Extract client key/alt_key from master key */
-
- retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock,enckey,&tmpkey);
- if (retval) {
- krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client key: %s",
- error_message(retval));
- return retval;
- }
- retval = krb5_verify_padata(kdc_context, *padata,client->principal,
- src_addr, &tmpkey, pa_id, flags);
- memset((char *)tmpkey.contents, 0, tmpkey.length);
- krb5_xfree(tmpkey.contents);
- if (retval && client->alt_key.length) {
- /*
- * If we failed, try again with the alternative key
- */
- enckey = &(client->alt_key);
- /* Extract client key/alt_key from master key */
- if ((retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock,
- enckey,&tmpkey))) {
- krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client alt_key: %s",
- error_message(retval));
+ krb5_keyblock tmpkey;
+ int i;
+
+ /* Extract a client key from master key */
+ for (i = 0; i < client->n_key_data; i++) {
+ if (retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
+ &client->key_data[i],
+ &tmpkey, NULL)) {
+ krb5_klog_syslog(LOG_ERR,"AS_REQ: Unable to extract client key: %s",
+ error_message(retval));
return retval;
}
- retval = krb5_verify_padata(kdc_context, *padata,client->principal,
+ retval = krb5_verify_padata(kdc_context, *padata, client->princ,
src_addr, &tmpkey, pa_id, flags);
- memset((char *)tmpkey.contents, 0, tmpkey.length);
- krb5_xfree(tmpkey.contents);
+ memset((char *)tmpkey.contents, 0, tmpkey.length);
+ krb5_xfree(tmpkey.contents);
+ if (!retval)
+ break;
}
return retval;
}
static krb5_principal cpw = 0;
char *status;
krb5_encrypt_block eblock;
+ int ok_key = 0;
register int i;
goto errout;
}
- for (i = 0; i < request->netypes; i++) {
- krb5_keytype ok_keytype;
+ { /* Get a key that fits the kvno and keytype */
+ int max_kvno = 0;
+
+ /*
+ * First find latest key unless a kvno is specified in which
+ * case we should only look for those keys.
+ *
+ * Note: specifing a kvno isn't defined yet
+ */
+ for (i = 0; i < server.n_key_data; i++) {
+ if (max_kvno < server.key_data[i].key_data_kvno) {
+ max_kvno = server.key_data[i].key_data_kvno;
+ }
+ }
+
+ /* This will change when the etype == keytype */
+ for (i = 0; i < request->netypes; i++) {
+ krb5_keytype ok_keytype;
+ int j;
- if (!valid_etype(request->etype[i]))
- continue;
+ if (!valid_etype(request->etype[i]))
+ continue;
- if (request->etype[i] == ETYPE_DES_CBC_MD5 &&
- !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))
- continue;
+ if (request->etype[i] == ETYPE_DES_CBC_MD5 &&
+ !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))
+ continue;
- ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype;
+ ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype;
- if (server.key.keytype == ok_keytype ||
- server.alt_key.keytype == ok_keytype)
- break;
+ for (ok_key = 0; ok_key < server.n_key_data; ok_key++) {
+ if ((server.key_data[ok_key].key_data_kvno = max_kvno) &&
+ (server.key_data[ok_key].key_data_type[0] == ok_keytype)) {
+ goto got_a_key;
+ }
+ }
+ }
}
- if (i == request->netypes) {
- /* unsupported etype */
-
- krb5_klog_syslog(LOG_INFO, "AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s",
- fromstring, cname, sname);
- retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response);
- goto errout;
- }
+ /* unsupported etype */
+ krb5_klog_syslog(LOG_INFO,"AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s",
+ fromstring, cname, sname);
+ retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response);
+ goto errout;
+
+got_a_key:;
useetype = request->etype[i];
krb5_use_cstype(kdc_context, &eblock, useetype);
krb5_csarray[useetype]->random_sequence,
&session_key))) {
/* random key failed */
- krb5_klog_syslog(LOG_INFO, "AS_REQ: RANDOM KEY FAILED: host %s, %s for %s",
- fromstring, cname, sname);
+ krb5_klog_syslog(LOG_INFO,"AS_REQ: RANDOM KEY FAILED: host %s, %s for %s",
+ fromstring, cname, sname);
goto errout;
}
/* convert server.key into a real key (it may be encrypted
in the database) */
- if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock,
- &server.key, &encrypting_key)))
+ if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
+ &server.key_data[ok_key],
+ &encrypting_key, NULL)))
goto errout;
- retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply);
+ retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key,
+ &ticket_reply);
memset((char *)encrypting_key.contents, 0, encrypting_key.length);
krb5_xfree(encrypting_key.contents);
if (retval)
goto errout;
- ticket_reply.enc_part.kvno = server.kvno;
+ ticket_reply.enc_part.kvno = server.key_data[i].key_data_kvno;
/* Start assembling the response */
reply.msg_type = KRB5_AS_REP;
reply.padata = 0;
- if (client.salt_type != KRB5_KDB_SALTTYPE_NORMAL) {
+ /*
+ * XXX If the client principal has more than one key we have a problem
+ * -- proven
+ */
+ if (client.key_data[0].key_data_ver > 1) {
padat_tmp[0] = &padat_local;
padat_tmp[1] = 0;
/* WARNING: sharing substructure here, but it's not a real problem,
since nothing below will "pull out the rug" */
- switch (client.salt_type) {
+ switch (client.key_data[0].key_data_type[1]) {
krb5_data *data_foo;
case KRB5_KDB_SALTTYPE_V4:
/* send an empty (V4) salt */
request->client,
&salt_data)))
goto errout;
- padat_tmp[0]->length = salt_data.length;
padat_tmp[0]->contents = (krb5_octet *)salt_data.data;
+ padat_tmp[0]->length = salt_data.length;
break;
case KRB5_KDB_SALTTYPE_ONLYREALM:
data_foo = krb5_princ_realm(kdc_context, request->client);
- padat_tmp[0]->length = data_foo->length;
padat_tmp[0]->contents = (krb5_octet *)data_foo->data;
+ padat_tmp[0]->length = data_foo->length;
break;
case KRB5_KDB_SALTTYPE_SPECIAL:
- padat_tmp[0]->length = client.salt_length;
- padat_tmp[0]->contents = client.salt;
+ padat_tmp[0]->contents = client.key_data[0].key_data_contents[1];
+ padat_tmp[0]->length = client.key_data[0].key_data_length[1];
break;
}
reply.padata = padat_tmp;
/* now encode/encrypt the response */
- /* convert client.key into a real key (it may be encrypted
- in the database) */
- if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock,
- &client.key, &encrypting_key)))
- goto errout;
reply.enc_part.etype = useetype;
- reply.enc_part.kvno = client.kvno;
+ reply.enc_part.kvno = client.key_data[0].key_data_kvno;
+
+ /* convert client.key_data into a real key */
+ if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
+ &client.key_data[0],
+ &encrypting_key, NULL)))
+ goto errout;
+
retval = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
&eblock, &encrypting_key, &reply, response);
memset((char *)encrypting_key.contents, 0, encrypting_key.length);
krb5_xfree(encrypting_key.contents);
if (retval) {
- krb5_klog_syslog(LOG_INFO, "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)",
- fromstring, cname, sname, error_message(retval));
+ krb5_klog_syslog(LOG_INFO,
+ "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)",
+ fromstring, cname, sname, error_message(retval));
goto errout;
}
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
- memset(reply.enc_part.ciphertext.data, 0,
- reply.enc_part.ciphertext.length);
+ memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- if (is_secondary)
- krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s",
- authtime, fromstring, cname, sname);
- else
- krb5_klog_syslog(LOG_INFO, "AS_REQ: ISSUE: authtime %d, host %s, %s for %s",
- authtime, fromstring, cname, sname);
+ krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s",
+ authtime, fromstring, cname, sname);
errout:
if (cname)
int errcode, errcode2;
register int i;
int firstpass = 1;
+ int ok_key_data = 0;
char *status = 0;
char secondary_ch;
ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype;
- if (server.key.keytype == ok_keytype ||
- server.alt_key.keytype == ok_keytype)
- break;
+ for (ok_key_data = 0; ok_key_data < server.n_key_data; ok_key_data++)
+ if (server.key_data[ok_key_data].key_data_type[0] == ok_keytype)
+ goto got_a_key;
}
- if (i == request->netypes) {
- /* unsupported etype */
- status = "BAD_ENCRYPTION_TYPE";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto cleanup;
- }
+ /* unsupported etype */
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ status = "BAD_ENCRYPTION_TYPE";
+ goto cleanup;
+
+got_a_key:;
useetype = request->etype[i];
krb5_use_cstype(kdc_context, &eblock, useetype);
-
- retval = krb5_random_key(kdc_context, &eblock, krb5_csarray[useetype]->random_sequence,
+ retval = krb5_random_key(kdc_context, &eblock,
+ krb5_csarray[useetype]->random_sequence,
&session_key);
if (retval) {
/* random key failed */
goto cleanup;
}
/* scratch now has the authorization data, so we decode it */
-#ifdef KRB5_USE_ISODE
- retval = decode_krb5_authdata(&scratch, request->unenc_authdata);
-#else
retval = decode_krb5_authdata(&scratch, &(request->unenc_authdata));
-#endif
free(scratch.data);
if (retval) {
status = "AUTH_DECODE";
} else {
/* convert server.key into a real key (it may be encrypted
in the database) */
- if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock,
- &server.key, &encrypting_key))) {
+ if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
+ &server.key_data[ok_key_data],
+ &encrypting_key, NULL))) {
status = "CONV_KEY";
goto cleanup;
}
- ticket_reply.enc_part.kvno = server.kvno;
+ ticket_reply.enc_part.kvno = server.key_data[ok_key_data].key_data_kvno;
ticket_reply.enc_part.etype = useetype;
krb5_use_cstype(kdc_context, &eblock, ticket_reply.enc_part.etype);
- retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply);
+ retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key,
+ &ticket_reply);
memset((char *)encrypting_key.contents, 0, encrypting_key.length);
krb5_xfree(encrypting_key.contents);
krb5_free_authenticator(kdc_context, authenticator);
cleanup_auth_context:
- /* We do not want the fre of the auth_context to close the rcache */
+ /* We do not want the free of the auth_context to close the rcache */
(void) krb5_auth_con_setrcache(kdc_context, auth_context, 0);
krb5_auth_con_free(kdc_context, auth_context);
krb5_error_code
kdc_get_server_key(ticket, key, kvno)
-krb5_ticket *ticket;
-krb5_keyblock **key;
-krb5_kvno *kvno;
+ krb5_ticket * ticket;
+ krb5_keyblock ** key;
+ krb5_kvno * kvno;
{
- krb5_error_code retval;
- int nprincs;
- krb5_db_entry server;
- krb5_boolean more;
+ krb5_error_code retval;
+ krb5_db_entry server;
+ krb5_boolean more;
+ int nprincs, i, last_i;
if (krb5_principal_compare(kdc_context, tgs_server, ticket->server)) {
+ retval = krb5_copy_keyblock(kdc_context, &tgs_key, key);
*kvno = tgs_kvno;
- return krb5_copy_keyblock(kdc_context, &tgs_key, key);
+ return retval;
} else {
nprincs = 1;
krb5_db_free_principal(kdc_context, &server, nprincs);
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
- krb5_klog_syslog(LOG_ERR, "TGS_REQ: UNKNOWN SERVER: server='%s'",
+ krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);
}
return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
}
- /* convert server.key into a real key (it may be encrypted
- in the database) */
+ /*
+ * Get the latest version of the server key_data and
+ * convert the key into a real key (it may be encrypted in the database)
+ */
+ for (*kvno = last_i = i = 0; i < server.n_key_data; i++) {
+ if (*kvno < server.key_data[i].key_data_kvno) {
+ *kvno = server.key_data[i].key_data_kvno;
+ last_i = i;
+ }
+ }
if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
- retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock,
- &server.key, *key);
+ retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
+ &server.key_data[last_i],
+ *key, NULL);
} else
retval = ENOMEM;
- *kvno = server.kvno;
krb5_db_free_principal(kdc_context, &server, nprincs);
return retval;
}
krb5_boolean db_inited;
krb5_int32 ibuf;
krb5_enctype etype;
+ int i, keyno;
krb5_realm_params *rparams;
kret = EINVAL;
if (realm) {
rdp->realm_name = realm;
if (!(kret = krb5_init_context(&rdp->realm_context))) {
-
(void) krb5_read_realm_params(rdp->realm_context,
rdp->realm_name,
(char *) NULL,
"kdc",
def_port,
KDC_PORTNAME);
+
/* Handle KDC secondary port */
if (rparams && rparams->realm_kdc_sport_valid)
rdp->realm_sport = rparams->realm_kdc_sport;
com_err(progname, kret,
"while fetching master entry for realm %s", realm);
goto whoops;
- }
- else {
- rdp->realm_mkvno = db_entry.kvno;
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
+ } else {
+ /* Get the most recent mkvno */
+ for (rdp->realm_mkvno = i = 0; i < db_entry.n_key_data; i++) {
+ if (rdp->realm_mkvno < db_entry.key_data[i].key_data_kvno) {
+ rdp->realm_mkvno = db_entry.key_data[i].key_data_kvno;
+ keyno = i;
+ }
+ }
+ krb5_db_free_principal(rdp->realm_context, &db_entry, num2get);
}
/* Now preprocess the master key */
com_err(progname, kret,
"while fetching TGS entry for realm %s", realm);
goto whoops;
- }
- else {
- if (!(kret = krb5_kdb_decrypt_key(rdp->realm_context,
- &rdp->realm_encblock,
- &db_entry.key,
- &rdp->realm_tgskey))) {
- rdp->realm_tgskvno = db_entry.kvno;
+ } else {
+ if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context,
+ &rdp->realm_encblock,
+ &db_entry.key_data[keyno],
+ &rdp->realm_tgskey, NULL))){
+ rdp->realm_tgskvno = db_entry.key_data[keyno].key_data_kvno;
}
krb5_db_free_principal(rdp->realm_context,
&db_entry,
case 'r': /* realm name for db */
if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) {
- if (retval = init_realm(argv[0],
- rdatap,
- optarg,
- db_name,
- mkey_name,
- mkeytype,
- pport,
- sport,
- kdc_etype,
- manual)) {
+ if (retval = init_realm(argv[0], rdatap, optarg, db_name,
+ mkey_name, mkeytype, pport, sport,
+ kdc_etype, manual)) {
fprintf(stderr,"%s: cannot initialize realm %s\n",
argv[0], optarg);
exit(1);
exit(1);
}
if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) {
- if (retval = init_realm(argv[0],
- rdatap,
- lrealm,
- db_name,
- mkey_name,
- mkeytype,
- pport,
- sport,
- kdc_etype,
- manual)) {
+ if (retval = init_realm(argv[0], rdatap, lrealm, db_name, mkey_name,
+ mkeytype, pport, sport, kdc_etype, manual)){
fprintf(stderr,"%s: cannot initialize realm %s\n",
argv[0], lrealm);
exit(1);
* Now handle the replay cache.
*/
if (retval = kdc_initialize_rcache(kcontext, rcname)) {
- com_err(argv[0], retval,
- "while initializing KDC replay cache");
+ com_err(argv[0], retval, "while initializing KDC replay cache");
exit(1);
}
{
int i;
- for (i=0; i<kdc_numrealms; i++)
+ for (i = 0; i < kdc_numrealms; i++)
finish_realm(kdc_realmlist[i]);
}
+Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
+ * kdb5_mkdums.c : Use new kdb format.
Mon Jul 17 15:23:24 EDT 1995 Paul Park (pjpark@mit.edu)
* kdb5_mkdums.c - Change setting of defaulted keytype to be DEFAULT_
void
add_princ(context, str_newprinc)
- krb5_context context;
- char * str_newprinc;
+ krb5_context context;
+ char * str_newprinc;
{
- krb5_error_code retval;
- krb5_db_entry newentry;
- int one = 1;
- krb5_keyblock key;
- krb5_data pwd, salt;
- krb5_principal newprinc;
- char princ_name[4096];
+ krb5_error_code retval;
+ krb5_principal newprinc;
+ krb5_db_entry newentry;
+ char princ_name[4096];
- sprintf(princ_name, "%s@%s", str_newprinc, cur_realm);
-
memset((char *)&newentry, 0, sizeof(newentry));
-
+ sprintf(princ_name, "%s@%s", str_newprinc, cur_realm);
if (retval = krb5_parse_name(context, princ_name, &newprinc)) {
com_err(progname, retval, "while parsing '%s'", princ_name);
return;
}
- pwd.data = princ_name; /* must be able to regenerate */
- pwd.length = strlen(princ_name);
+ /* Add basic data */
+ newentry.len = KRB5_KDB_V1_BASE_LENGTH;
+ newentry.mkvno = mblock.mkvno;
+ newentry.attributes = mblock.flags;
+ newentry.max_life = mblock.max_life;
+ newentry.max_renewable_life = mblock.max_rlife;
+ newentry.expiration = mblock.expiration;
+ newentry.pw_expiration = mblock.expiration;
+
+ /* Add princ to db entry */
+ if (retval = krb5_copy_principal(context, newprinc, &newentry.princ)) {
+ com_err(progname, retval, "while encoding princ to db entry for '%s'",
+ princ_name);
+ goto error;
+ }
- if (retval = krb5_principal2salt(context, newprinc, &salt)) {
- com_err(progname, retval, "while converting principal to salt for '%s'", princ_name);
- return;
+ { /* Add mod princ to db entry */
+ krb5_tl_mod_princ mod_princ;
+
+ mod_princ.mod_princ = master_princ;
+ if (retval = krb5_timeofday(context, &mod_princ.mod_date)) {
+ com_err(progname, retval, "while fetching date");
+ goto error;
+ }
+ if(retval=krb5_dbe_encode_mod_princ_data(context,&mod_princ,&newentry)){
+ com_err(progname, retval, "while encoding mod_princ data");
+ goto error;
+ }
}
- retval = krb5_string_to_key(context, &master_encblock,
- master_keyblock.keytype, &key, &pwd, &salt);
- if (retval) {
- com_err(progname, retval, "while converting password to key for '%s'", princ_name);
- return;
+ { /* Add key and salt data to db entry */
+ krb5_data pwd, salt;
+ krb5_keyblock key;
+
+ if (retval = krb5_principal2salt(context, newprinc, &salt)) {
+ com_err(progname, retval, "while converting princ to salt for '%s'",
+ princ_name);
+ goto error;
+ }
+
+ pwd.length = strlen(princ_name);
+ pwd.data = princ_name; /* must be able to regenerate */
+ if (retval = krb5_string_to_key(context, &master_encblock,
+ master_keyblock.keytype,
+ &key, &pwd, &salt)) {
+ com_err(progname,retval,"while converting password to key for '%s'",
+ princ_name);
+ krb5_xfree(salt.data);
+ goto error;
+ }
+ krb5_xfree(salt.data);
+
+ if (retval = krb5_dbe_create_key_data(context, &newentry)) {
+ com_err(progname, retval, "while creating key_data for '%s'",
+ princ_name);
+ free(key.contents);
+ goto error;
+ }
+
+ if (retval = krb5_dbekd_encrypt_key_data(context,&master_encblock, &key,
+ NULL, 1, newentry.key_data)) {
+ com_err(progname, retval, "while encrypting key for '%s'",
+ princ_name);
+ free(key.contents);
+ goto error;
+ }
+ free(key.contents);
}
- retval = krb5_kdb_encrypt_key(context, &master_encblock, &key,
- &newentry.key);
- if (retval) {
- com_err(progname, retval, "while encrypting key for '%s'", princ_name);
- return;
+ {
+ int one = 1;
+
+ if (retval = krb5_db_put_principal(context, &newentry, &one)) {
+ com_err(progname, retval, "while storing principal date");
+ goto error;
+ }
+ if (one != 1) {
+ com_err(progname,0,"entry not stored in database (unknown failure)");
+ goto error;
+ }
}
- free(key.contents);
+ fprintf(stdout, "Added %s to database\n", princ_name);
- newentry.principal = newprinc;
- newentry.kvno = 1;
- newentry.max_life = mblock.max_life;
- newentry.max_renewable_life = mblock.max_rlife;
- newentry.mkvno = mblock.mkvno;
- newentry.expiration = mblock.expiration;
- newentry.pw_expiration = mblock.expiration;
- newentry.mod_name = master_princ;
- if (retval = krb5_timeofday(context, &newentry.mod_date)) {
- com_err(progname, retval, "while fetching date");
- memset((char *)newentry.key.contents, 0, newentry.key.length);
- free((char *)newentry.key.contents);
- return;
- }
- newentry.attributes = mblock.flags;
- newentry.salt_type = KRB5_KDB_SALTTYPE_NORMAL;
- newentry.salt_length = 0;
- newentry.salt = 0;
- newentry.alt_key.length = 0;
- newentry.alt_key.contents = 0;
- newentry.alt_salt_length = 0;
- newentry.alt_salt = 0;
-
- retval = krb5_db_put_principal(context, &newentry, &one);
- if (retval) {
- com_err(progname, retval, "while storing principal date");
- free((char *)newentry.key.contents);
- return;
- }
- fprintf(stdout, "Added %s ...\n", princ_name);
- free((char *)newentry.key.contents);
- if (retval) {
- com_err(progname, retval, "while storing entry for '%s'\n", princ_name);
- return;
- }
- if (one != 1)
- com_err(progname, 0, "entry not stored in database (unknown failure)");
+error: /* Do cleanup of newentry regardless of error */
+ krb5_dbe_free_contents(context, &newentry);
return;
}
com_err(pname, retval, "while calculated master key salt");
return(1);
}
- retval = krb5_string_to_key(test_context, &master_encblock, master_keyblock.keytype,
- &master_keyblock, &pwd, &scratch);
- if (retval) {
+ if (retval = krb5_string_to_key(test_context, &master_encblock,
+ master_keyblock.keytype, &master_keyblock,
+ &pwd, &scratch)) {
com_err(pname, retval,
"while transforming master key from password");
return(1);
}
free(scratch.data);
} else {
- if (retval = krb5_db_fetch_mkey(test_context, master_princ, &master_encblock,
- manual_mkey, FALSE, (char *) NULL, 0,
- &master_keyblock)) {
+ if (retval = krb5_db_fetch_mkey(test_context, master_princ,
+ &master_encblock, manual_mkey,
+ FALSE, 0, NULL, &master_keyblock)) {
com_err(pname, retval, "while reading master key");
return(1);
}
com_err(pname, retval, "while initializing database");
return(1);
}
- if (retval = krb5_db_verify_master_key(test_context, master_princ, &master_keyblock,
- &master_encblock)) {
+ if (retval = krb5_db_verify_master_key(test_context, master_princ,
+ &master_keyblock, &master_encblock)){
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(test_context);
return(1);
mblock.max_life = master_entry.max_life;
mblock.max_rlife = master_entry.max_renewable_life;
mblock.expiration = master_entry.expiration;
+
/* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry.kvno;
+ mblock.mkvno = master_entry.key_data[0].key_data_kvno;
krb5_db_free_principal(test_context, &master_entry, nentries);
dbactive = TRUE;
+Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
+ * kdb5_verify.c : Use new kdb format.
Mon Jul 17 15:25:03 EDT 1995 Paul Park (pjpark@mit.edu)
* kdb5_verify.c - Change setting of defaulted keytype to be DEFAULT_
goto errout;
}
- retval = krb5_kdb_decrypt_key(context, &master_encblock,
- &kdbe.key,
- &db_key);
- if (retval) {
+ if (retval = krb5_dbekd_decrypt_key_data(context, &master_encblock,
+ kdbe.key_data, &db_key, NULL)) {
com_err(progname, retval, "while decrypting key for '%s'", princ_name);
goto errout;
}
free((char *)pwd_key.contents);
free((char *)db_key.contents);
- if (kdbe.kvno != 1) {
- fprintf(stderr, "\tkvno did not match stored value for %s.\n", princ_name);
+ if (kdbe.key_data[0].key_data_kvno != 1) {
+ fprintf(stderr,"\tkvno did not match stored value for %s.\n", princ_name);
goto errout;
}
goto errout;
}
+/*
if (retval = krb5_unparse_name(context, kdbe.mod_name, &str_mod_name))
com_err(progname, retval, "while unparsing mode name");
else {
}
else free(str_mod_name);
}
+*/
if (kdbe.attributes != mblock.flags) {
fprintf(stderr, "\tAttributes did not match stored value for %s.\n",
mblock.max_rlife = master_entry.max_renewable_life;
mblock.expiration = master_entry.expiration;
/* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry.kvno;
+ mblock.mkvno = master_entry.key_data[0].key_data_kvno;
krb5_db_free_principal(context, &master_entry, nentries);
dbactive = TRUE;
projects / krb5.git / commitdiff