kdc/kstash.c

   1 /*
   2  * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "headers.h"
  35
  36 krb5_context context;
  37
  38 static char *keyfile;
  39 static int convert_flag;
  40 static int help_flag;
  41 static int version_flag;
  42
  43 static int master_key_fd = -1;
  44 static int random_key_flag;
  45
  46 static const char *enctype_str = "des3-cbc-sha1";
  47
  48 static struct getargs args[] = {
  49     { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type",
  50         NULL },
  51     { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
  52     { "convert-file", 0, arg_flag, &convert_flag,
  53       "just convert keyfile to new format", NULL },
  54     { "master-key-fd", 0, arg_integer, &master_key_fd,
  55       "filedescriptor to read passphrase from", "fd" },
  56     { "random-key", 0, arg_flag, &random_key_flag,
  57         "generate a random master key", NULL },
  58     { "help", 'h', arg_flag, &help_flag, NULL, NULL },
  59     { "version", 0, arg_flag, &version_flag, NULL, NULL }
  60 };
  61
  62 int num_args = sizeof(args) / sizeof(args[0]);
  63
  64 int
  65 main(int argc, char **argv)
  66 {
  67     char buf[1024+1];
  68     krb5_error_code ret;
  69     int aret;
  70
  71     krb5_enctype enctype;
  72
  73     hdb_master_key mkey;
  74
  75     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
  76
  77     if(help_flag)
  78         krb5_std_usage(0, args, num_args);
  79     if(version_flag){
  80         print_version(NULL);
  81         exit(0);
  82     }
  83
  84     if (master_key_fd != -1 && random_key_flag)
  85         krb5_errx(context, 1, "random-key and master-key-fd "
  86                   "is mutual exclusive");
  87
  88     if (keyfile == NULL) {
  89         aret = asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
  90         if (aret == -1)
  91             krb5_errx(context, 1, "out of memory");
  92     }
  93
  94     ret = krb5_string_to_enctype(context, enctype_str, &enctype);
  95     if(ret)
  96         krb5_err(context, 1, ret, "krb5_string_to_enctype");
  97
  98     ret = hdb_read_master_key(context, keyfile, &mkey);
  99     if(ret && ret != ENOENT)
 100         krb5_err(context, 1, ret, "reading master key from %s", keyfile);
 101
 102     if (convert_flag) {
 103         if (ret)
 104             krb5_err(context, 1, ret, "reading master key from %s", keyfile);
 105     } else {
 106         krb5_keyblock key;
 107         krb5_salt salt;
 108         salt.salttype = KRB5_PW_SALT;
 109         /* XXX better value? */
 110         salt.saltvalue.data = NULL;
 111         salt.saltvalue.length = 0;
 112         if (random_key_flag) {
 113             ret = krb5_generate_random_keyblock(context, enctype, &key);
 114             if (ret)
 115                 krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
 116
 117         } else {
 118             if(master_key_fd != -1) {
 119                 ssize_t n;
 120                 n = read(master_key_fd, buf, sizeof(buf)-1);
 121                 if(n <= 0)
 122                     krb5_err(context, 1, errno, "failed to read passphrase");
 123                 buf[n] = '\0';
 124                 buf[strcspn(buf, "\r\n")] = '\0';
 125
 126             } else {
 127                 if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ",
 128                                           UI_UTIL_FLAG_VERIFY))
 129                     exit(1);
 130             }
 131             krb5_string_to_key_salt(context, enctype, buf, salt, &key);
 132         }
 133         ret = hdb_add_master_key(context, &key, &mkey);
 134         if (ret)
 135             krb5_err(context, 1, ret, "hdb_add_master_key");
 136
 137         krb5_free_keyblock_contents(context, &key);
 138
 139     }
 140
 141     {
 142         char *new = NULL, *old = NULL;
 143
 144         aret = asprintf(&old, "%s.old", keyfile);
 145         if (aret == -1) {
 146             old = NULL;
 147             ret = ENOMEM;
 148             goto out;
 149         }
 150         aret = asprintf(&new, "%s.new", keyfile);
 151         if (aret == -1) {
 152             new = NULL;
 153             ret = ENOMEM;
 154             goto out;
 155         }
 156         if(unlink(new) < 0 && errno != ENOENT) {
 157             ret = errno;
 158             goto out;
 159         }
 160         krb5_warnx(context, "writing key to `%s'", keyfile);
 161         ret = hdb_write_master_key(context, new, mkey);
 162         if(ret)
 163             unlink(new);
 164         else {
 165 #ifndef NO_POSIX_LINKS
 166             unlink(old);
 167             if(link(keyfile, old) < 0 && errno != ENOENT) {
 168                 ret = errno;
 169                 unlink(new);
 170             } else {
 171 #endif
 172                 if(rename(new, keyfile) < 0) {
 173                     ret = errno;
 174                 }
 175 #ifndef NO_POSIX_LINKS
 176             }
 177 #endif
 178         }
 179     out:
 180         free(old);
 181         free(new);
 182         if(ret)
 183             krb5_warn(context, errno, "writing master key file");
 184     }
 185
 186     hdb_free_master_key(context, mkey);
 187
 188     exit(ret != 0);
 189 }