1 /* 2 * Copyright (c) 1997-2004 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "headers.h" 35 36 RCSID("$Id: kstash.c 22244 2007-12-08 23:47:42Z lha $"); 37 38 krb5_context context; 39 40 static char *keyfile; 41 static int convert_flag; 42 static int help_flag; 43 static int version_flag; 44 45 static int master_key_fd = -1; 46 static int random_key_flag; 47 48 static const char *enctype_str = "des3-cbc-sha1"; 49 50 static struct getargs args[] = { 51 { "enctype", 'e', arg_string, &enctype_str, "encryption type" }, 52 { "key-file", 'k', arg_string, &keyfile, "master key file", "file" }, 53 { "convert-file", 0, arg_flag, &convert_flag, 54 "just convert keyfile to new format" }, 55 { "master-key-fd", 0, arg_integer, &master_key_fd, 56 "filedescriptor to read passphrase from", "fd" }, 57 { "random-key", 0, arg_flag, &random_key_flag, "generate a random master key" }, 58 { "help", 'h', arg_flag, &help_flag }, 59 { "version", 0, arg_flag, &version_flag } 60 }; 61 62 int num_args = sizeof(args) / sizeof(args[0]); 63 64 int 65 main(int argc, char **argv) 66 { 67 char buf[1024]; 68 krb5_error_code ret; 69 70 krb5_enctype enctype; 71 72 hdb_master_key mkey; 73 74 krb5_program_setup(&context, argc, argv, args, num_args, NULL); 75 76 if(help_flag) 77 krb5_std_usage(0, args, num_args); 78 if(version_flag){ 79 print_version(NULL); 80 exit(0); 81 } 82 83 if (master_key_fd != -1 && random_key_flag) 84 krb5_errx(context, 1, "random-key and master-key-fd " 85 "is mutual exclusive"); 86 87 if (keyfile == NULL) 88 asprintf(&keyfile, "%s/m-key", hdb_db_dir(context)); 89 90 ret = krb5_string_to_enctype(context, enctype_str, &enctype); 91 if(ret) 92 krb5_err(context, 1, ret, "krb5_string_to_enctype"); 93 94 ret = hdb_read_master_key(context, keyfile, &mkey); 95 if(ret && ret != ENOENT) 96 krb5_err(context, 1, ret, "reading master key from %s", keyfile); 97 98 if (convert_flag) { 99 if (ret) 100 krb5_err(context, 1, ret, "reading master key from %s", keyfile); 101 } else { 102 krb5_keyblock key; 103 krb5_salt salt; 104 salt.salttype = KRB5_PW_SALT; 105 /* XXX better value? */ 106 salt.saltvalue.data = NULL; 107 salt.saltvalue.length = 0; 108 if (random_key_flag) { 109 ret = krb5_generate_random_keyblock(context, enctype, &key); 110 if (ret) 111 krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); 112 113 } else { 114 if(master_key_fd != -1) { 115 ssize_t n; 116 n = read(master_key_fd, buf, sizeof(buf)); 117 if(n <= 0) 118 krb5_err(context, 1, errno, "failed to read passphrase"); 119 buf[n] = '\0'; 120 buf[strcspn(buf, "\r\n")] = '\0'; 121 122 } else { 123 if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) 124 exit(1); 125 } 126 krb5_string_to_key_salt(context, enctype, buf, salt, &key); 127 } 128 ret = hdb_add_master_key(context, &key, &mkey); 129 130 krb5_free_keyblock_contents(context, &key); 131 132 } 133 134 { 135 char *new, *old; 136 asprintf(&old, "%s.old", keyfile); 137 asprintf(&new, "%s.new", keyfile); 138 if(unlink(new) < 0 && errno != ENOENT) { 139 ret = errno; 140 goto out; 141 } 142 krb5_warnx(context, "writing key to `%s'", keyfile); 143 ret = hdb_write_master_key(context, new, mkey); 144 if(ret) 145 unlink(new); 146 else { 147 unlink(old); 148 if(link(keyfile, old) < 0 && errno != ENOENT) { 149 ret = errno; 150 unlink(new); 151 } else if(rename(new, keyfile) < 0) { 152 ret = errno; 153 } 154 } 155 out: 156 free(old); 157 free(new); 158 if(ret) 159 krb5_warn(context, errno, "writing master key file"); 160 } 161 162 hdb_free_master_key(context, mkey); 163 164 exit(ret != 0); 165 } 166