search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:include: change smb_request->vuid to uint64_t
[Samba/gebeck_regimport.git] / source4 / heimdal / lib / hdb / mkey.c
blob6dcfc0294205d8f79a61d88564ee1d22fd8e0369
1 /*
2 * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hdb_locl.h"
35 #ifndef O_BINARY
36 #define O_BINARY 0
37 #endif
38
39 struct hdb_master_key_data {
40 krb5_keytab_entry keytab;
41 krb5_crypto crypto;
42 struct hdb_master_key_data *next;
43 };
44
45 void
46 hdb_free_master_key(krb5_context context, hdb_master_key mkey)
47 {
48 struct hdb_master_key_data *ptr;
49 while(mkey) {
50 krb5_kt_free_entry(context, &mkey->keytab);
51 if (mkey->crypto)
52 krb5_crypto_destroy(context, mkey->crypto);
53 ptr = mkey;
54 mkey = mkey->next;
55 free(ptr);
56 }
57 }
58
59 krb5_error_code
60 hdb_process_master_key(krb5_context context,
61 int kvno, krb5_keyblock *key, krb5_enctype etype,
62 hdb_master_key *mkey)
63 {
64 krb5_error_code ret;
65
66 *mkey = calloc(1, sizeof(**mkey));
67 if(*mkey == NULL) {
68 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
69 return ENOMEM;
70 }
71 (*mkey)->keytab.vno = kvno;
72 ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal);
73 if(ret)
74 goto fail;
75 ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock);
76 if(ret)
77 goto fail;
78 if(etype != 0)
79 (*mkey)->keytab.keyblock.keytype = etype;
80 (*mkey)->keytab.timestamp = time(NULL);
81 ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto);
82 if(ret)
83 goto fail;
84 return 0;
85 fail:
86 hdb_free_master_key(context, *mkey);
87 *mkey = NULL;
88 return ret;
89 }
90
91 krb5_error_code
92 hdb_add_master_key(krb5_context context, krb5_keyblock *key,
93 hdb_master_key *inout)
94 {
95 int vno = 0;
96 hdb_master_key p;
97 krb5_error_code ret;
98
99 for(p = *inout; p; p = p->next)
100 vno = max(vno, p->keytab.vno);
101 vno++;
102 ret = hdb_process_master_key(context, vno, key, 0, &p);
103 if(ret)
104 return ret;
105 p->next = *inout;
106 *inout = p;
107 return 0;
108 }
109
110 static krb5_error_code
111 read_master_keytab(krb5_context context, const char *filename,
112 hdb_master_key *mkey)
113 {
114 krb5_error_code ret;
115 krb5_keytab id;
116 krb5_kt_cursor cursor;
117 krb5_keytab_entry entry;
118 hdb_master_key p;
119
120 ret = krb5_kt_resolve(context, filename, &id);
121 if(ret)
122 return ret;
123
124 ret = krb5_kt_start_seq_get(context, id, &cursor);
125 if(ret)
126 goto out;
127 *mkey = NULL;
128 while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
129 p = calloc(1, sizeof(*p));
130 if(p == NULL) {
131 krb5_kt_end_seq_get(context, id, &cursor);
132 ret = ENOMEM;
133 goto out;
134 }
135 p->keytab = entry;
136 ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
137 p->next = *mkey;
138 *mkey = p;
139 }
140 krb5_kt_end_seq_get(context, id, &cursor);
141 out:
142 krb5_kt_close(context, id);
143 return ret;
144 }
145
146 /* read a MIT master keyfile */
147 static krb5_error_code
148 read_master_mit(krb5_context context, const char *filename,
149 int byteorder, hdb_master_key *mkey)
150 {
151 int fd;
152 krb5_error_code ret;
153 krb5_storage *sp;
154 int16_t enctype;
155 krb5_keyblock key;
156
157 fd = open(filename, O_RDONLY | O_BINARY);
158 if(fd < 0) {
159 int save_errno = errno;
160 krb5_set_error_message(context, save_errno, "failed to open %s: %s",
161 filename, strerror(save_errno));
162 return save_errno;
163 }
164 sp = krb5_storage_from_fd(fd);
165 if(sp == NULL) {
166 close(fd);
167 return errno;
168 }
169 krb5_storage_set_flags(sp, byteorder);
170 /* could possibly use ret_keyblock here, but do it with more
171 checks for now */
172 {
173 ret = krb5_ret_int16(sp, &enctype);
174 if (ret)
175 goto out;
176 ret = krb5_enctype_valid(context, enctype);
177 if (ret)
178 goto out;
179 key.keytype = enctype;
180 ret = krb5_ret_data(sp, &key.keyvalue);
181 if(ret)
182 goto out;
183 }
184 ret = hdb_process_master_key(context, 1, &key, 0, mkey);
185 krb5_free_keyblock_contents(context, &key);
186 out:
187 krb5_storage_free(sp);
188 close(fd);
189 return ret;
190 }
191
192 /* read an old master key file */
193 static krb5_error_code
194 read_master_encryptionkey(krb5_context context, const char *filename,
195 hdb_master_key *mkey)
196 {
197 int fd;
198 krb5_keyblock key;
199 krb5_error_code ret;
200 unsigned char buf[256];
201 ssize_t len;
202 size_t ret_len;
203
204 fd = open(filename, O_RDONLY | O_BINARY);
205 if(fd < 0) {
206 int save_errno = errno;
207 krb5_set_error_message(context, save_errno, "failed to open %s: %s",
208 filename, strerror(save_errno));
209 return save_errno;
210 }
211
212 len = read(fd, buf, sizeof(buf));
213 close(fd);
214 if(len < 0) {
215 int save_errno = errno;
216 krb5_set_error_message(context, save_errno, "error reading %s: %s",
217 filename, strerror(save_errno));
218 return save_errno;
219 }
220
221 ret = decode_EncryptionKey(buf, len, &key, &ret_len);
222 memset(buf, 0, sizeof(buf));
223 if(ret)
224 return ret;
225
226 /* Originally, the keytype was just that, and later it got changed
227 to des-cbc-md5, but we always used des in cfb64 mode. This
228 should cover all cases, but will break if someone has hacked
229 this code to really use des-cbc-md5 -- but then that's not my
230 problem. */
231 if(key.keytype == ETYPE_DES_CBC_CRC || key.keytype == ETYPE_DES_CBC_MD5)
232 key.keytype = ETYPE_DES_CFB64_NONE;
233
234 ret = hdb_process_master_key(context, 0, &key, 0, mkey);
235 krb5_free_keyblock_contents(context, &key);
236 return ret;
237 }
238
239 /* read a krb4 /.k style file */
240 static krb5_error_code
241 read_master_krb4(krb5_context context, const char *filename,
242 hdb_master_key *mkey)
243 {
244 int fd;
245 krb5_keyblock key;
246 krb5_error_code ret;
247 unsigned char buf[256];
248 ssize_t len;
249
250 fd = open(filename, O_RDONLY | O_BINARY);
251 if(fd < 0) {
252 int save_errno = errno;
253 krb5_set_error_message(context, save_errno, "failed to open %s: %s",
254 filename, strerror(save_errno));
255 return save_errno;
256 }
257
258 len = read(fd, buf, sizeof(buf));
259 close(fd);
260 if(len < 0) {
261 int save_errno = errno;
262 krb5_set_error_message(context, save_errno, "error reading %s: %s",
263 filename, strerror(save_errno));
264 return save_errno;
265 }
266 if(len != 8) {
267 krb5_set_error_message(context, HEIM_ERR_EOF,
268 "bad contents of %s", filename);
269 return HEIM_ERR_EOF; /* XXX file might be too large */
270 }
271
272 memset(&key, 0, sizeof(key));
273 key.keytype = ETYPE_DES_PCBC_NONE;
274 ret = krb5_data_copy(&key.keyvalue, buf, len);
275 memset(buf, 0, sizeof(buf));
276 if(ret)
277 return ret;
278
279 ret = hdb_process_master_key(context, 0, &key, 0, mkey);
280 krb5_free_keyblock_contents(context, &key);
281 return ret;
282 }
283
284 krb5_error_code
285 hdb_read_master_key(krb5_context context, const char *filename,
286 hdb_master_key *mkey)
287 {
288 FILE *f;
289 unsigned char buf[16];
290 krb5_error_code ret;
291
292 off_t len;
293
294 *mkey = NULL;
295
296 if(filename == NULL)
297 filename = HDB_DB_DIR "/m-key";
298
299 f = fopen(filename, "r");
300 if(f == NULL) {
301 int save_errno = errno;
302 krb5_set_error_message(context, save_errno, "failed to open %s: %s",
303 filename, strerror(save_errno));
304 return save_errno;
305 }
306
307 if(fread(buf, 1, 2, f) != 2) {
308 fclose(f);
309 krb5_set_error_message(context, HEIM_ERR_EOF, "end of file reading %s", filename);
310 return HEIM_ERR_EOF;
311 }
312
313 fseek(f, 0, SEEK_END);
314 len = ftell(f);
315
316 if(fclose(f) != 0)
317 return errno;
318
319 if(len < 0)
320 return errno;
321
322 if(len == 8) {
323 ret = read_master_krb4(context, filename, mkey);
324 } else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) {
325 ret = read_master_encryptionkey(context, filename, mkey);
326 } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
327 ret = read_master_keytab(context, filename, mkey);
328 } else {
329 /*
330 * Check both LittleEndian and BigEndian since they key file
331 * might be moved from a machine with diffrent byte order, or
332 * its running on MacOS X that always uses BE master keys.
333 */
334 ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_LE, mkey);
335 if (ret)
336 ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_BE, mkey);
337 }
338 return ret;
339 }
340
341 krb5_error_code
342 hdb_write_master_key(krb5_context context, const char *filename,
343 hdb_master_key mkey)
344 {
345 krb5_error_code ret;
346 hdb_master_key p;
347 krb5_keytab kt;
348
349 if(filename == NULL)
350 filename = HDB_DB_DIR "/m-key";
351
352 ret = krb5_kt_resolve(context, filename, &kt);
353 if(ret)
354 return ret;
355
356 for(p = mkey; p; p = p->next) {
357 ret = krb5_kt_add_entry(context, kt, &p->keytab);
358 }
359
360 krb5_kt_close(context, kt);
361
362 return ret;
363 }
364
365 hdb_master_key
366 _hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
367 {
368 hdb_master_key ret = NULL;
369 while(mkey) {
370 if(ret == NULL && mkey->keytab.vno == 0)
371 ret = mkey;
372 if(mkvno == NULL) {
373 if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
374 ret = mkey;
375 } else if((uint32_t)mkey->keytab.vno == *mkvno)
376 return mkey;
377 mkey = mkey->next;
378 }
379 return ret;
380 }
381
382 int
383 _hdb_mkey_version(hdb_master_key mkey)
384 {
385 return mkey->keytab.vno;
386 }
387
388 int
389 _hdb_mkey_decrypt(krb5_context context, hdb_master_key key,
390 krb5_key_usage usage,
391 void *ptr, size_t size, krb5_data *res)
392 {
393 return krb5_decrypt(context, key->crypto, usage,
394 ptr, size, res);
395 }
396
397 int
398 _hdb_mkey_encrypt(krb5_context context, hdb_master_key key,
399 krb5_key_usage usage,
400 const void *ptr, size_t size, krb5_data *res)
401 {
402 return krb5_encrypt(context, key->crypto, usage,
403 ptr, size, res);
404 }
405
406 krb5_error_code
407 hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
408 {
409
410 krb5_error_code ret;
411 krb5_data res;
412 size_t keysize;
413
414 hdb_master_key key;
415
416 if(k->mkvno == NULL)
417 return 0;
418
419 key = _hdb_find_master_key(k->mkvno, mkey);
420
421 if (key == NULL)
422 return HDB_ERR_NO_MKEY;
423
424 ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
425 k->key.keyvalue.data,
426 k->key.keyvalue.length,
427 &res);
428 if(ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
429 /* try to decrypt with MIT key usage */
430 ret = _hdb_mkey_decrypt(context, key, 0,
431 k->key.keyvalue.data,
432 k->key.keyvalue.length,
433 &res);
434 }
435 if (ret)
436 return ret;
437
438 /* fixup keylength if the key got padded when encrypting it */
439 ret = krb5_enctype_keysize(context, k->key.keytype, &keysize);
440 if (ret) {
441 krb5_data_free(&res);
442 return ret;
443 }
444 if (keysize > res.length) {
445 krb5_data_free(&res);
446 return KRB5_BAD_KEYSIZE;
447 }
448
449 memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
450 free(k->key.keyvalue.data);
451 k->key.keyvalue = res;
452 k->key.keyvalue.length = keysize;
453 free(k->mkvno);
454 k->mkvno = NULL;
455
456 return 0;
457 }
458
459 krb5_error_code
460 hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
461 {
462 size_t i;
463
464 for(i = 0; i < ent->keys.len; i++){
465 krb5_error_code ret;
466
467 ret = hdb_unseal_key_mkey(context, &ent->keys.val[i], mkey);
468 if (ret)
469 return ret;
470 }
471 return 0;
472 }
473
474 krb5_error_code
475 hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
476 {
477 if (db->hdb_master_key_set == 0)
478 return 0;
479 return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
480 }
481
482 krb5_error_code
483 hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
484 unsigned flags, hdb_entry *ent)
485 {
486 krb5_error_code ret = HDB_ERR_NOENTRY;
487 HDB_extension *ext;
488 HDB_Ext_KeySet *hist_keys;
489 Key *tmp_val;
490 time_t tmp_set_time;
491 unsigned int tmp_len;
492 unsigned int kvno_diff = 0;
493 krb5_kvno tmp_kvno;
494 size_t i, k;
495 int exclude_dead = 0;
496 KerberosTime now = 0;
497 time_t *set_time;
498
499 if (kvno == 0)
500 ret = 0;
501
502 if ((flags & HDB_F_LIVE_CLNT_KVNOS) || (flags & HDB_F_LIVE_SVC_KVNOS)) {
503 exclude_dead = 1;
504 now = time(NULL);
505 if (HDB_F_LIVE_CLNT_KVNOS)
506 kvno_diff = hdb_entry_get_kvno_diff_clnt(ent);
507 else
508 kvno_diff = hdb_entry_get_kvno_diff_svc(ent);
509 }
510
511 ext = hdb_find_extension(ent, choice_HDB_extension_data_hist_keys);
512 if (ext == NULL)
513 return ret;
514
515 /* For swapping; see below */
516 tmp_len = ent->keys.len;
517 tmp_val = ent->keys.val;
518 tmp_kvno = ent->kvno;
519 (void) hdb_entry_get_pw_change_time(ent, &tmp_set_time);
520
521 hist_keys = &ext->data.u.hist_keys;
522
523 for (i = 0; i < hist_keys->len; i++) {
524 if (kvno != 0 && hist_keys->val[i].kvno != kvno)
525 continue;
526
527 if (exclude_dead &&
528 ((ent->max_life != NULL &&
529 hist_keys->val[i].set_time != NULL &&
530 (*hist_keys->val[i].set_time) < (now - (*ent->max_life))) ||
531 (hist_keys->val[i].kvno < kvno &&
532 (kvno - hist_keys->val[i].kvno) > kvno_diff)))
533 /*
534 * The KDC may want to to check for this keyset's set_time
535 * is within the TGS principal's max_life, say. But we stop
536 * here.
537 */
538 continue;
539
540 /* Either the keys we want, or all the keys */
541 for (k = 0; k < hist_keys->val[i].keys.len; k++) {
542 ret = hdb_unseal_key_mkey(context,
543 &hist_keys->val[i].keys.val[k],
544 db->hdb_master_key);
545 /*
546 * If kvno == 0 we might not want to bail here! E.g., if we
547 * no longer have the right master key, so just ignore this.
548 *
549 * We could filter out keys that we can't decrypt here
550 * because of HDB_ERR_NO_MKEY. However, it seems safest to
551 * filter them out only where necessary, say, in kadm5.
552 */
553 if (ret && kvno != 0)
554 return ret;
555 if (ret && ret != HDB_ERR_NO_MKEY)
556 return (ret);
557 }
558
559 if (kvno == 0)
560 continue;
561
562 /*
563 * What follows is a bit of a hack.
564 *
565 * This is the keyset we're being asked for, but it's not the
566 * current keyset. So we add the current keyset to the history,
567 * leave the one we were asked for in the history, and pretend
568 * the one we were asked for is also the current keyset.
569 *
570 * This is a bit of a defensive hack in case an entry fetched
571 * this way ever gets modified then stored: if the keyset is not
572 * changed we can detect this and put things back, else we won't
573 * drop any keysets from history by accident.
574 *
575 * Note too that we only ever get called with a non-zero kvno
576 * either in the KDC or in cases where we aren't changing the
577 * HDB entry anyways, which is why this is just a defensive
578 * hack. We also don't fetch specific kvnos in the dump case,
579 * so there's no danger that we'll dump this entry and load it
580 * again, repeatedly causing the history to grow boundelessly.
581 */
582 set_time = malloc(sizeof (*set_time));
583 if (set_time == NULL)
584 return ENOMEM;
585
586 /* Swap key sets */
587 ent->kvno = hist_keys->val[i].kvno;
588 ent->keys.val = hist_keys->val[i].keys.val;
589 ent->keys.len = hist_keys->val[i].keys.len;
590 if (hist_keys->val[i].set_time != NULL)
591 /* Sloppy, but the callers we expect won't care */
592 (void) hdb_entry_set_pw_change_time(context, ent,
593 *hist_keys->val[i].set_time);
594 hist_keys->val[i].kvno = tmp_kvno;
595 hist_keys->val[i].keys.val = tmp_val;
596 hist_keys->val[i].keys.len = tmp_len;
597 if (hist_keys->val[i].set_time != NULL)
598 /* Sloppy, but the callers we expect won't care */
599 *hist_keys->val[i].set_time = tmp_set_time;
600
601 return 0;
602 }
603
604 return (ret);
605 }
606
607 krb5_error_code
608 hdb_unseal_key(krb5_context context, HDB *db, Key *k)
609 {
610 if (db->hdb_master_key_set == 0)
611 return 0;
612 return hdb_unseal_key_mkey(context, k, db->hdb_master_key);
613 }
614
615 krb5_error_code
616 hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
617 {
618 krb5_error_code ret;
619 krb5_data res;
620 hdb_master_key key;
621
622 if(k->mkvno != NULL)
623 return 0;
624
625 key = _hdb_find_master_key(k->mkvno, mkey);
626
627 if (key == NULL)
628 return HDB_ERR_NO_MKEY;
629
630 ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
631 k->key.keyvalue.data,
632 k->key.keyvalue.length,
633 &res);
634 if (ret)
635 return ret;
636
637 memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
638 free(k->key.keyvalue.data);
639 k->key.keyvalue = res;
640
641 if (k->mkvno == NULL) {
642 k->mkvno = malloc(sizeof(*k->mkvno));
643 if (k->mkvno == NULL)
644 return ENOMEM;
645 }
646 *k->mkvno = key->keytab.vno;
647
648 return 0;
649 }
650
651 krb5_error_code
652 hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
653 {
654 HDB_extension *ext;
655 HDB_Ext_KeySet *hist_keys;
656 size_t i, k;
657 krb5_error_code ret;
658
659 for(i = 0; i < ent->keys.len; i++){
660 ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey);
661 if (ret)
662 return ret;
663 }
664
665 ext = hdb_find_extension(ent, choice_HDB_extension_data_hist_keys);
666 if (ext == NULL)
667 return 0;
668 hist_keys = &ext->data.u.hist_keys;
669
670 for (i = 0; i < hist_keys->len; i++) {
671 for (k = 0; k < hist_keys->val[i].keys.len; k++) {
672 ret = hdb_seal_key_mkey(context, &hist_keys->val[i].keys.val[k],
673 mkey);
674 if (ret)
675 return ret;
676 }
677 }
678
679 return 0;
680 }
681
682 krb5_error_code
683 hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
684 {
685 if (db->hdb_master_key_set == 0)
686 return 0;
687
688 return hdb_seal_keys_mkey(context, ent, db->hdb_master_key);
689 }
690
691 krb5_error_code
692 hdb_seal_key(krb5_context context, HDB *db, Key *k)
693 {
694 if (db->hdb_master_key_set == 0)
695 return 0;
696
697 return hdb_seal_key_mkey(context, k, db->hdb_master_key);
698 }
699
700 krb5_error_code
701 hdb_set_master_key (krb5_context context,
702 HDB *db,
703 krb5_keyblock *key)
704 {
705 krb5_error_code ret;
706 hdb_master_key mkey;
707
708 ret = hdb_process_master_key(context, 0, key, 0, &mkey);
709 if (ret)
710 return ret;
711 db->hdb_master_key = mkey;
712 #if 0 /* XXX - why? */
713 des_set_random_generator_seed(key.keyvalue.data);
714 #endif
715 db->hdb_master_key_set = 1;
716 return 0;
717 }
718
719 krb5_error_code
720 hdb_set_master_keyfile (krb5_context context,
721 HDB *db,
722 const char *keyfile)
723 {
724 hdb_master_key key;
725 krb5_error_code ret;
726
727 ret = hdb_read_master_key(context, keyfile, &key);
728 if (ret) {
729 if (ret != ENOENT)
730 return ret;
731 krb5_clear_error_message(context);
732 return 0;
733 }
734 db->hdb_master_key = key;
735 db->hdb_master_key_set = 1;
736 return ret;
737 }
738
739 krb5_error_code
740 hdb_clear_master_key (krb5_context context,
741 HDB *db)
742 {
743 if (db->hdb_master_key_set) {
744 hdb_free_master_key(context, db->hdb_master_key);
745 db->hdb_master_key_set = 0;
746 }
747 return 0;
748 }
reg import