From cb72cbcc691e644d8951b302a4528ed0748dc81c Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Sat, 22 May 2010 13:16:52 -0700
Subject: [PATCH] Support both BE and LE MIT master key file formats
Prompted by discussion on heimdal-discuss by Michael Wood, Russ Allbery, and Henry B. Hotz.
---
 lib/hdb/Makefile.am | 3 ++-
 lib/hdb/data-mkey.mit.des3.be | Bin 0 -> 46 bytes
 lib/hdb/data-mkey.mit.des3.le | Bin 0 -> 30 bytes
 lib/hdb/mkey.c | 23 ++++++++++--------
 lib/hdb/test_mkey.c | 55 ++++++++++++++++++++++++++++++++++++++++++
 tests/db/check-dbinfo.in | 4 +++
 6 files changed, 74 insertions(+), 11 deletions(-)
 create mode 100644 lib/hdb/data-mkey.mit.des3.be
 create mode 100644 lib/hdb/data-mkey.mit.des3.le
 create mode 100644 lib/hdb/test_mkey.c
diff --git a/lib/hdb/Makefile.am b/lib/hdb/Makefile.am
index 77a1f6b39..17367fe37 100644
--- a/lib/hdb/Makefile.am
+++ b/lib/hdb/Makefile.am
@@ -62,7 +62,7 @@ if versionscript
 libhdb_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 endif
-noinst_PROGRAMS = test_dbinfo test_hdbkeys
+noinst_PROGRAMS = test_dbinfo test_hdbkeys test_mkey
 dist_libhdb_la_SOURCES = \
 common.c \
@@ -116,6 +116,7 @@ $(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
 test_dbinfo_LIBS = libhdb.la
 test_hdbkeys_LIBS = ../krb5/libkrb5.la libhdb.la
+test_mkey_LIBS = $(test_hdbkeys_LIBS)
 # to help stupid solaris make
diff --git a/lib/hdb/data-mkey.mit.des3.be b/lib/hdb/data-mkey.mit.des3.be
new file mode 100644
index 0000000000000000000000000000000000000000..4278ed339e520328e37626f1c42e785c5264a243
GIT binary patch
literal 46
QcwS==U|?X7P#_Wj0Bu$UDF6Tf
literal 0
HcwPel00001
diff --git a/lib/hdb/data-mkey.mit.des3.le b/lib/hdb/data-mkey.mit.des3.le
new file mode 100644
index 0000000000000000000000000000000000000000..19fdc93b40d485d6e258692f6e9becfee489b691
GIT binary patch
literal 30
PcwQ4=kYHe7P{08IDjowV
literal 0
HcwPel00001
diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c
index 35323cf10..635e632fa 100644
--- a/lib/hdb/mkey.c
+++ b/lib/hdb/mkey.c
@@ -146,7 +146,7 @@ read_master_keytab(krb5_context context, const char *filename,
 /* read a MIT master keyfile */
 static krb5_error_code
 read_master_mit(krb5_context context, const char *filename,
- hdb_master_key *mkey)
+ int byteorder, hdb_master_key *mkey)
 {
 int fd;
 krb5_error_code ret;
@@ -166,20 +166,16 @@ read_master_mit(krb5_context context, const char *filename,
 close(fd);
 return errno;
 }
- krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+ krb5_storage_set_flags(sp, byteorder);
 /* could possibly use ret_keyblock here, but do it with more checks for now */
 {
 ret = krb5_ret_int16(sp, &enctype);
 if (ret)
 goto out;
- if((htons(enctype) & 0xff00) == 0x3000) {
- ret = HEIM_ERR_BAD_MKEY;
- krb5_set_error_message(context, ret, "unknown keytype in %s: "
- "%#x, expected %#x",
- filename, htons(enctype), 0x3000);
- goto out;
- }
+ ret = krb5_enctype_valid(context, enctype);
+ if (ret)
+ goto out;
 key.keytype = enctype;
 ret = krb5_ret_data(sp, &key.keyvalue);
 if(ret)
@@ -330,7 +326,14 @@ hdb_read_master_key(krb5_context context, const char *filename,
 } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
 ret = read_master_keytab(context, filename, mkey);
 } else {
- ret = read_master_mit(context, filename, mkey);
+ /*
+ * Check both LittleEndian and BigEndian since they key file
+ * might be moved from a machine with diffrent byte order, or
+ * its running on MacOS X that always uses BE master keys.
+ */
+ ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_LE, mkey);
+ if (ret)
+ ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_BE, mkey);
 }
 return ret;
 }
diff --git a/lib/hdb/test_mkey.c b/lib/hdb/test_mkey.c
new file mode 100644
index 000000000..ee7b7f05b
--- /dev/null
+++ b/lib/hdb/test_mkey.c
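Review bot: In the third hunk the big-endian retry discards whatever the little-endian attempt reported, so a corrupt little-endian file surfaces only the big-endian parser's error, and if `read_master_mit` leaves anything allocated by `krb5_ret_data` behind on a late LE failure (its `out:` label is outside the hunk, as is the start of `hdb_read_master_key`) the retry would leak it — worth confirming that every failure path frees `key.keyvalue`. Because the first attempt now deliberately parses with a byte order that may be wrong, the only thing that stops a byte-swapped 16-bit enctype followed by a byte-swapped 32-bit length from reaching the allocation is the `krb5_enctype_valid` check in the second hunk; pairing it with a check of `key.keyvalue.length` against `krb5_enctype_keysize` for `enctype` would make the wrong-order attempt fail deterministically instead of relying on how `krb5_ret_data` treats a large length. When both attempts fail, name both in the error, e.g. `krb5_set_error_message(context, ret, "%s: not a MIT master key file in either byte order", filename);`. The new comment also needs `they key file` → `the key file`, `diffrent` → `different` and `its running` → `it is running`.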
@@ -0,0 +1,55 @@
+
+#include "hdb_locl.h"
+#include
+#include
+
+static char *mkey_file;
+static int help_flag;
+static int version_flag;
+
+struct getargs args[] = {
+ { "mkey-file", 0, arg_string, &mkey_file },
+ { "help", 'h', arg_flag, &help_flag },
+ { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+ krb5_context context;
+ int ret, o = 0;
+
+ setprogname(argv[0]);
+
+ if(getarg(args, num_args, argc, argv, &o))
+ krb5_std_usage(1, args, num_args);
+
+ if(help_flag)
+ krb5_std_usage(0, args, num_args);
+
+ if(version_flag){
+ print_version(NULL);
+ exit(0);
+ }
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx(1, "krb5_init_context failed: %d", ret);
+
+ if (mkey_file) {
+ hdb_master_key mkey;
+
+ ret = hdb_read_master_key(context, mkey_file, &mkey);
+ if (ret)
+ krb5_err(context, 1, ret, "failed to read master key %s", mkey_file);
+
+ hdb_free_master_key(context, mkey);
+ } else
+ krb5_errx(context, 1, "no command option given");
+
+ krb5_free_context(context);
+
+ return 0;
+}
diff --git a/tests/db/check-dbinfo.in b/tests/db/check-dbinfo.in
index 1102ef44d..9905daede 100644
--- a/tests/db/check-dbinfo.in
+++ b/tests/db/check-dbinfo.in
@@ -42,4 +42,8 @@ export KRB5_CONFIG
 ../../lib/hdb/test_dbinfo > dbinfo.out || exit 1
+../../lib/hdb/test_mkey --mkey-file="${srcdir}/../../lib/hdb/data-mkey.mit.des3.le" || exit 1
+../../lib/hdb/test_mkey --mkey-file="${srcdir}/../../lib/hdb/data-mkey.mit.des3.be" || exit 1
+
+
 exit 0
-- 
2.11.4.GIT
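Review bot: `main` only asserts that `hdb_read_master_key` returns 0, so a parser that accepts a fixture in the wrong byte order and hands back garbage key material would still pass; have the test compare the key it gets back against expected values supplied on the command line (an expected enctype and key length, checked after the read) rather than just freeing it. The `if (mkey_file) {` branch is braced while its `else` on the following line is not, which invites a goto-fail style slip when a statement is later added there; brace both sides, `} else {` … `}`. `ret` is declared `int` but receives `krb5_error_code` values from `krb5_init_context` and `hdb_read_master_key`; `krb5_error_code ret;` keeps the `krb5_err(context, 1, ret, …)` call type-correct.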
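Review bot: Both new `test_mkey` lines only assert success, so the byte-order fallback added to `hdb_read_master_key` is never exercised against input that must be rejected, and a regression that makes the parser accept arbitrary bytes in either byte order would go unnoticed. Add one run that is required to fail, using an empty or truncated file as the fixture, e.g. `../../lib/hdb/test_mkey --mkey-file=/dev/null 2>/dev/null && exit 1`. The two fixture paths differ only in the `le`/`be` suffix; a loop over the two suffixes would keep them from drifting apart as more formats are added.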