xref: /illumos-gate/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c (revision 1a220b56b93ff1dc80855691548503117af4cc10)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
10  *
11  *	Openvision retains the copyright to derivative works of
12  *	this source code.  Do *NOT* create a derivative of this
13  *	source code before consulting with your legal department.
14  *	Do *NOT* integrate *ANY* of this source code into another
15  *	product before consulting with your legal department.
16  *
17  *	For further information, read the top-level Openvision
18  *	copyright which is contained in the top-level MIT Kerberos
19  *	copyright.
20  *
21  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
22  *
23  */
24 
25 
26 /*
27  * admin/create/kdb5_create.c
28  *
29  * Copyright 1990,1991 by the Massachusetts Institute of Technology.
30  * All Rights Reserved.
31  *
32  * Export of this software from the United States of America may
33  *   require a specific license from the United States Government.
34  *   It is the responsibility of any person or organization contemplating
35  *   export to obtain such a license before exporting.
36  *
37  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
38  * distribute this software and its documentation for any purpose and
39  * without fee is hereby granted, provided that the above copyright
40  * notice appear in all copies and that both that copyright notice and
41  * this permission notice appear in supporting documentation, and that
42  * the name of M.I.T. not be used in advertising or publicity pertaining
43  * to distribution of the software without specific, written prior
44  * permission.  Furthermore if you modify this software you must label
45  * your software as modified software and not distribute it in such a
46  * fashion that it might be confused with the original M.I.T. software.
47  * M.I.T. makes no representations about the suitability of
48  * this software for any purpose.  It is provided "as is" without express
49  * or implied warranty.
50  *
51  *
52  * Generate (from scratch) a Kerberos KDC database.
53  */
54 
55 /*
56  *  Yes, I know this is a hack, but we need admin.h without including the
57  *  rpc.h header. Additionally, our rpc.h header brings in
58  *  a des.h header which causes other problems.
59  */
60 #define	_RPC_RPC_H
61 
62 #include <stdio.h>
63 #define KDB5_DISPATCH
64 #define KRB5_KDB5_DBM__
65 #include <k5-int.h>
66 /* #define these to avoid an indirection function; for future implementations,
67    these may be redirected from a dispatch table/routine */
68 #define krb5_dbm_db_set_name krb5_db_set_name
69 #define krb5_dbm_db_set_nonblocking krb5_db_set_nonblocking
70 #define krb5_dbm_db_init krb5_db_init
71 #define krb5_dbm_db_get_age krb5_db_get_age
72 #define krb5_dbm_db_create krb5_db_create
73 #define krb5_dbm_db_rename krb5_db_rename
74 #define krb5_dbm_db_get_principal krb5_db_get_principal
75 #define krb5_dbm_db_free_principal krb5_db_free_principal
76 #define krb5_dbm_db_put_principal krb5_db_put_principal
77 #define krb5_dbm_db_delete_principal krb5_db_delete_principal
78 #define krb5_dbm_db_lock krb5_db_lock
79 #define krb5_dbm_db_unlock krb5_db_unlock
80 #define krb5_dbm_db_set_lockmode krb5_db_set_lockmode
81 #define krb5_dbm_db_close_database krb5_db_close_database
82 #define krb5_dbm_db_open_database krb5_db_open_database
83 
84 #include <kadm5/admin.h>
85 #include <rpc/types.h>
86 #include <rpc/xdr.h>
87 #include <kadm5/adb.h>
88 #include <libintl.h>
89 #include "kdb5_util.h"
90 
91 enum ap_op {
92     NULL_KEY,				/* setup null keys */
93     MASTER_KEY,				/* use master key as new key */
94     TGT_KEY				/* special handling for tgt key */
95 };
96 
97 krb5_key_salt_tuple def_kslist =
98 	{ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
99 
100 struct realm_info {
101     krb5_deltat max_life;
102     krb5_deltat max_rlife;
103     krb5_timestamp expiration;
104     krb5_flags flags;
105     krb5_keyblock *key;
106     krb5_int32 nkslist;
107     krb5_key_salt_tuple *kslist;
108 } rblock = { /* XXX */
109 
110     KRB5_KDB_MAX_LIFE,
111     KRB5_KDB_MAX_RLIFE,
112     KRB5_KDB_EXPIRATION,
113     KRB5_KDB_DEF_FLAGS,
114     (krb5_keyblock *) NULL,
115     1,
116     &def_kslist
117 };
118 
119 struct iterate_args {
120     krb5_context	ctx;
121     struct realm_info	*rblock;
122     krb5_db_entry	*dbentp;
123 };
124 
125 static krb5_error_code add_principal(krb5_context,
126 		krb5_principal,
127 		enum ap_op,
128 		struct realm_info *,
129 		krb5_keyblock *);
130 
131 /*
132  * Steps in creating a database:
133  *
134  * 1) use the db calls to open/create a new database
135  *
136  * 2) get a realm name for the new db
137  *
138  * 3) get a master password for the new db; convert to an encryption key.
139  *
140  * 4) create various required entries in the database
141  *
142  * 5) close & exit
143  */
144 
145 extern krb5_principal master_princ;
146 
147 krb5_data tgt_princ_entries[] = {
148 	{0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
149 	{0, 0, 0} };
150 
151 krb5_data db_creator_entries[] = {
152 	{0, sizeof("db_creation")-1, "db_creation"} };
153 
154 /*
155  * XXX knows about contents of krb5_principal, and that tgt names
156  * are of form TGT/REALM@REALM
157  */
158 krb5_principal_data tgt_princ = {
159         0,					/* magic number */
160 	{0, 0, 0},				/* krb5_data realm */
161 	tgt_princ_entries,			/* krb5_data *data */
162 	2,					/* int length */
163 	KRB5_NT_SRV_INST			/* int type */
164 };
165 
166 krb5_principal_data db_create_princ = {
167         0,					/* magic number */
168 	{0, 0, 0},				/* krb5_data realm */
169 	db_creator_entries,			/* krb5_data *data */
170 	1,					/* int length */
171 	KRB5_NT_SRV_INST			/* int type */
172 };
173 
174 extern char *mkey_password;
175 
176 extern char *progname;
177 extern int exit_status;
178 extern osa_adb_policy_t policy_db;
179 extern kadm5_config_params global_params;
180 extern krb5_context util_context;
181 
182 void
183 kdb5_create(argc, argv)
184    int argc;
185    char *argv[];
186 {
187     int optchar;
188 
189     krb5_error_code retval;
190     char *mkey_fullname;
191     char *pw_str = 0;
192     unsigned int pw_size = 0;
193     int do_stash = 0;
194     krb5_int32 crflags = KRB5_KDB_CREATE_BTREE;
195     krb5_data pwd, seed;
196     kdb_log_context *log_ctx;
197     krb5_keyblock mkey;
198     krb5_data master_salt = { 0, NULL };
199 
200     if (strrchr(argv[0], '/'))
201 	argv[0] = strrchr(argv[0], '/')+1;
202 
203     while ((optchar = getopt(argc, argv, "s")) != -1) {
204 	switch(optchar) {
205 	case 's':
206 	    do_stash++;
207 	    break;
208 	case 'h':
209 	    crflags = KRB5_KDB_CREATE_HASH;
210 	case '?':
211 	default:
212 	    usage();
213 	    return;
214 	}
215     }
216 
217     rblock.max_life = global_params.max_life;
218     rblock.max_rlife = global_params.max_rlife;
219     rblock.expiration = global_params.expiration;
220     rblock.flags = global_params.flags;
221     rblock.nkslist = global_params.num_keysalts;
222     rblock.kslist = global_params.keysalts;
223 
224     log_ctx = util_context->kdblog_context;
225 
226     retval = krb5_db_set_name(util_context, global_params.dbname);
227 	if (!retval)
228 		retval = EEXIST;
229 
230     if (retval == EEXIST || retval == EACCES || retval == EPERM) {
231 	/* it exists ! */
232 		com_err(argv[0], 0,
233 			gettext("The database '%s' appears to already exist"),
234 		global_params.dbname);
235 		exit_status++;
236 		return;
237     }
238     /* assemble & parse the master key name */
239 
240     if ((retval = krb5_db_setup_mkey_name(util_context,
241 					  global_params.mkey_name,
242 					  global_params.realm,
243 					  &mkey_fullname, &master_princ))) {
244 		com_err(argv[0], retval,
245 			gettext("while setting up master key name"));
246 		exit_status++;
247 		return;
248     }
249 	krb5_princ_set_realm_data(util_context,
250 				&db_create_princ, global_params.realm);
251 	krb5_princ_set_realm_length(util_context,
252 				    &db_create_princ,
253 				    strlen(global_params.realm));
254 	krb5_princ_set_realm_data(util_context,
255 				&tgt_princ, global_params.realm);
256 	krb5_princ_set_realm_length(util_context,
257 				    &tgt_princ, strlen(global_params.realm));
258 	krb5_princ_component(util_context, &tgt_princ, 1)->data =
259 	    global_params.realm;
260 	krb5_princ_component(util_context, &tgt_princ, 1)->length =
261 	    strlen(global_params.realm);
262 
263 	printf(gettext("Initializing database '%s' for realm '%s',\n"
264 			"master key name '%s'\n"),
265 	   global_params.dbname, global_params.realm, mkey_fullname);
266 
267     if (!mkey_password) {
268 	printf(gettext("You will be prompted for the "
269 			"database Master Password.\n"));
270 	printf(gettext("It is important that you NOT FORGET this password.\n"));
271 	fflush(stdout);
272 
273 	pw_size = 1024;
274 	pw_str = malloc(pw_size);
275 
276 	retval = krb5_read_password(util_context,
277 			    gettext("Enter KDC database master key"),
278 			    gettext("Re-enter KDC database "
279 				    "master key to verify"),
280 			    pw_str, &pw_size);
281 	if (retval) {
282 		com_err(argv[0], retval,
283 		    gettext("while reading master key from keyboard"));
284 		exit_status++;
285 		return;
286 	}
287 	mkey_password = pw_str;
288     }
289 
290     pwd.data = mkey_password;
291     pwd.length = strlen(mkey_password);
292 
293     retval = krb5_principal2salt(util_context, master_princ, &master_salt);
294     if (retval) {
295 	com_err(argv[0], retval,
296 		gettext("while calculated master key salt"));
297 	exit_status++;
298 	goto cleanup;
299     }
300 
301     if (retval = krb5_c_string_to_key(util_context, global_params.enctype,
302 			      &pwd, &master_salt, &mkey)) {
303 	com_err(argv[0], retval,
304 	    gettext("while transforming master key from password"));
305 	exit_status++;
306 	goto cleanup;
307     }
308 
309     retval = krb5_copy_keyblock(util_context, &mkey, &rblock.key);
310     if (retval) {
311 	com_err(argv[0], retval, gettext("while copying master key"));
312 	exit_status++;
313 	goto cleanup;
314     }
315 
316     seed.length = mkey.length;
317     seed.data = (char *)mkey.contents;
318 
319     if ((retval = krb5_c_random_seed(util_context, &seed))) {
320 	com_err(argv[0], retval,
321 		gettext("while initializing random key generator"));
322 	exit_status++;
323 	goto cleanup;
324     }
325     if ((retval = krb5_db_create(util_context,
326 				 global_params.dbname, crflags))) {
327 	com_err(argv[0], retval,
328 		gettext("while creating database '%s'"),
329 		global_params.dbname);
330 	exit_status++;
331 	goto cleanup;
332     }
333     if (retval = krb5_db_fini(util_context)) {
334 	com_err(argv[0], retval,
335 		gettext("while closing current database"));
336 	exit_status++;
337 	goto cleanup;
338     }
339     if ((retval = krb5_db_set_name(util_context, global_params.dbname))) {
340 	com_err(argv[0], retval,
341 		gettext("while setting active database to '%s'"),
342                global_params.dbname);
343 	exit_status++;
344 	goto cleanup;
345     }
346     if ((retval = krb5_db_init(util_context))) {
347 	com_err(argv[0], retval,
348 		gettext("while initializing the database '%s'"),
349 	global_params.dbname);
350 	exit_status++;
351 	goto cleanup;
352     }
353 
354     if (log_ctx && log_ctx->iproprole) {
355 	if (retval = ulog_map(util_context, &global_params, FKCOMMAND)) {
356 		com_err(argv[0], retval,
357 			gettext("while creating update log"));
358 		exit_status++;
359 		goto cleanup;
360 	}
361 
362 	/*
363 	 * We're reinitializing the update log in case one already
364 	 * existed, but this should never happen.
365 	 */
366 	(void) memset(log_ctx->ulog, 0, sizeof (kdb_hlog_t));
367 
368 	log_ctx->ulog->kdb_hmagic = KDB_HMAGIC;
369 	log_ctx->ulog->db_version_num = KDB_VERSION;
370 	log_ctx->ulog->kdb_state = KDB_STABLE;
371 	log_ctx->ulog->kdb_block = ULOG_BLOCK;
372 
373 	/*
374 	 * Since we're creating a new db we shouldn't worry about
375 	 * adding the initial principals since any slave might as well
376 	 * do full resyncs from this newly created db.
377 	 */
378 	log_ctx->iproprole = IPROP_NULL;
379     }
380 
381     if ((retval = add_principal(util_context,
382 		    master_princ, MASTER_KEY, &rblock, &mkey)) ||
383 	(retval = add_principal(util_context,
384 			    &tgt_princ, TGT_KEY, &rblock, &mkey))) {
385 	(void) krb5_db_fini(util_context);
386 	com_err(argv[0], retval,
387 	    gettext("while adding entries to the database"));
388 	exit_status++;
389 	goto cleanup;
390     }
391     /*
392      * Always stash the master key so kadm5_create does not prompt for
393      * it; delete the file below if it was not requested.  DO NOT EXIT
394      * BEFORE DELETING THE KEYFILE if do_stash is not set.
395      */
396     if (retval = krb5_db_store_mkey(util_context,
397 				    global_params.stash_file,
398 				    master_princ,
399 				    &mkey)) {
400 	com_err(argv[0], errno, gettext("while storing key"));
401 	printf(gettext("Warning: couldn't stash master key.\n"));
402     }
403 
404     if (pw_str)
405 	memset(pw_str, 0, pw_size);
406 
407     if (kadm5_create(&global_params)) {
408 	if (!do_stash)
409 		unlink(global_params.stash_file);
410 	exit_status++;
411 	goto cleanup;
412     }
413     if (!do_stash)
414 	unlink(global_params.stash_file);
415 
416 cleanup:
417     if (pw_str) {
418 	if (mkey_password == pw_str)
419 		mkey_password = NULL;
420 	free(pw_str);
421     }
422     if (master_salt.data)
423 	free(master_salt.data);
424     krb5_free_keyblock_contents(util_context, rblock.key);
425     krb5_free_keyblock_contents(util_context, &mkey);
426     (void) krb5_db_fini(util_context);
427 
428     return;
429 
430 }
431 
432 static krb5_error_code
433 tgt_keysalt_iterate(ksent, ptr)
434     krb5_key_salt_tuple	*ksent;
435     krb5_pointer	ptr;
436 {
437     krb5_context	context;
438     krb5_error_code	kret;
439     struct iterate_args	*iargs;
440     krb5_keyblock	key;
441     krb5_int32		ind;
442     krb5_pointer rseed;
443     krb5_data	pwd;
444 
445     iargs = (struct iterate_args *) ptr;
446     kret = 0;
447 
448     context = iargs->ctx;
449 
450     /*
451      * Convert the master key password into a key for this particular
452      * encryption system.
453      */
454     pwd.data = mkey_password;
455     pwd.length = strlen(mkey_password);
456     if (kret = krb5_c_random_seed(context, &pwd))
457 	return kret;
458 
459     if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {
460 	ind = iargs->dbentp->n_key_data-1;
461 	if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
462 					    &key))) {
463 	    kret = krb5_dbekd_encrypt_key_data(context,
464 					       iargs->rblock->key,
465 					       &key,
466 					       NULL,
467 					       1,
468 					       &iargs->dbentp->key_data[ind]);
469 	    krb5_free_keyblock_contents(context, &key);
470 	}
471     }
472 
473     return(kret);
474 }
475 
476 static krb5_error_code
477 add_principal(krb5_context context,
478     krb5_principal princ,
479     enum ap_op op,
480     struct realm_info *pblock,
481     krb5_keyblock *mkey)
482 {
483     krb5_error_code 	  retval;
484     krb5_db_entry 	  entry;
485 
486     krb5_timestamp	  now;
487     struct iterate_args	  iargs;
488 
489     int			  nentries = 1;
490 
491     memset((char *) &entry, 0, sizeof(entry));
492 
493     entry.len = KRB5_KDB_V1_BASE_LENGTH;
494     entry.attributes = pblock->flags;
495     entry.max_life = pblock->max_life;
496     entry.max_renewable_life = pblock->max_rlife;
497     entry.expiration = pblock->expiration;
498 
499     if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
500 	goto error_out;
501 
502     if ((retval = krb5_timeofday(context, &now)))
503 	goto error_out;
504 
505     if ((retval = krb5_dbe_update_mod_princ_data(context, &entry,
506 						 now, &db_create_princ)))
507 	goto error_out;
508 
509     switch (op) {
510     case MASTER_KEY:
511 	entry.key_data = (krb5_key_data *) malloc(sizeof (krb5_key_data));
512 	if (entry.key_data == NULL)
513 	    goto error_out;
514 
515 	memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
516 	entry.n_key_data = 1;
517 
518 	entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
519 	if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
520 				  mkey, NULL, 1, entry.key_data)))
521 		goto error_out;
522 	break;
523     case TGT_KEY:
524 	iargs.ctx = context;
525 	iargs.rblock = pblock;
526 	iargs.dbentp = &entry;
527 	/*
528 	 * Iterate through the key/salt list, ignoring salt types.
529 	 */
530 	if ((retval = krb5_keysalt_iterate(pblock->kslist,
531 					   pblock->nkslist,
532 					   1,
533 					   tgt_keysalt_iterate,
534 					   (krb5_pointer) &iargs)))
535 		return (retval);
536 	break;
537     case NULL_KEY:
538 	return (EOPNOTSUPP);
539     default:
540 	break;
541     }
542 
543     retval = krb5_db_put_principal(context, &entry, &nentries);
544 
545 error_out:;
546 	krb5_dbe_free_contents(context, &entry);
547 	return (retval);
548 }
549