diff options
Diffstat (limited to 'src/lib/kdb/kdb_cpw.c')
-rw-r--r-- | src/lib/kdb/kdb_cpw.c | 209 |
1 files changed, 89 insertions, 120 deletions
diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c index ec7419e..d68d784 100644 --- a/src/lib/kdb/kdb_cpw.c +++ b/src/lib/kdb/kdb_cpw.c @@ -22,6 +22,32 @@ * */ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + #include "k5-int.h" #include "krb5/adm.h" #include <stdio.h> @@ -61,32 +87,23 @@ cleanup_key_data(context, count, data) free(data); } -/* - * Currently we can only generate random keys for preinitialized - * krb5_encrypt_block with a seed. This is bogus but currently - * necessary to insure that we don't generate two keys with the - * same data. - */ static krb5_error_code -add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno) +add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; krb5_db_entry * db_entry; int kvno; { krb5_principal krbtgt_princ; - krb5_keyblock krbtgt_key, * key; - krb5_pointer krbtgt_seed; - krb5_encrypt_block krbtgt_eblock; + krb5_keyblock key; krb5_db_entry krbtgt_entry; krb5_key_data * krbtgt_kdata; - krb5_boolean more, found; + krb5_boolean more; int max_kvno, one, i, j; krb5_error_code retval; - memset(&krbtgt_key, 0, sizeof(krbtgt_key)); retval = krb5_build_principal_ext(context, &krbtgt_princ, db_entry->princ->realm.length, db_entry->princ->realm.data, @@ -119,17 +136,9 @@ add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno) } for (i = 0; i < ks_tuple_count; i++) { - krb5_enctype new_enctype, old_enctype; + krb5_boolean similar; - switch (new_enctype = ks_tuple[i].ks_enctype) { - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_RAW: - new_enctype = ENCTYPE_DES_CBC_CRC; - default: - break; - } - found = 0; + similar = 0; /* * We could use krb5_keysalt_iterate to replace this loop, or use @@ -137,74 +146,44 @@ add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno) * circular library dependencies. */ for (j = 0; j < i; j++) { - switch (old_enctype = ks_tuple[j].ks_enctype) { - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_RAW: - old_enctype = ENCTYPE_DES_CBC_CRC; - default: - break; - } - if (old_enctype == new_enctype) { - found = 1; + if ((retval = krb5_c_enctype_compare(context, + ks_tuple[i].ks_enctype, + ks_tuple[j].ks_enctype, + &similar))) + return(retval); + + if (similar) break; - } } - if (found) - continue; - if (retval = krb5_dbe_create_key_data(context, db_entry)) - goto add_key_rnd_err; - if (retval = krb5_dbe_find_enctype(context, &krbtgt_entry, - ks_tuple[i].ks_enctype, - -1, 0, &krbtgt_kdata)) - goto add_key_rnd_err; + if (similar) + continue; - /* Decrypt key */ - if (retval = krb5_dbekd_decrypt_key_data(context, master_eblock, - krbtgt_kdata,&krbtgt_key,NULL)) + if (retval = krb5_dbe_create_key_data(context, db_entry)) goto add_key_rnd_err; - /* Init key */ - krbtgt_key.enctype = ks_tuple[i].ks_enctype; - krb5_use_enctype(context, &krbtgt_eblock, ks_tuple[i].ks_enctype); - if (retval = krb5_process_key(context, &krbtgt_eblock, &krbtgt_key)) { - goto add_key_rnd_err; - } + /* there used to be code here to extract the old key, and derive + a new key from it. Now that there's a unified prng, that isn't + necessary. */ - /* Init random generator */ - if (retval = krb5_init_random_key(context, &krbtgt_eblock, - &krbtgt_key, &krbtgt_seed)) { - krb5_finish_key(context, &krbtgt_eblock); + /* make new key */ + if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype, + &key))) goto add_key_rnd_err; - } - if (retval = krb5_random_key(context,&krbtgt_eblock,krbtgt_seed,&key)) { - krb5_finish_random_key(context, &krbtgt_eblock, &krbtgt_seed); - krb5_finish_key(context, &krbtgt_eblock); - goto add_key_rnd_err; - } + retval = krb5_dbekd_encrypt_key_data(context, master_key, + &key, NULL, kvno, + &db_entry->key_data[db_entry->n_key_data-1]); - krb5_finish_random_key(context, &krbtgt_eblock, &krbtgt_seed); - krb5_finish_key(context, &krbtgt_eblock); + krb5_free_keyblock_contents(context, &key); - if (retval = krb5_dbekd_encrypt_key_data(context, master_eblock, - key, NULL, kvno, - &db_entry->key_data[db_entry->n_key_data-1])) { - krb5_free_keyblock(context, key); + if (retval) goto add_key_rnd_err; - } - - /* Finish random key */ - krb5_free_keyblock(context, key); } -add_key_rnd_err:; +add_key_rnd_err: krb5_db_free_principal(context, &krbtgt_entry, one); - if (krbtgt_key.contents && krbtgt_key.length) { - memset(krbtgt_key.contents, 0, krbtgt_key.length); - krb5_xfree(krbtgt_key.contents); - } + return(retval); } @@ -215,9 +194,9 @@ add_key_rnd_err:; * As a side effect all old keys are nuked. */ krb5_error_code -krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) +krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, db_entry) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; krb5_db_entry * db_entry; @@ -237,7 +216,7 @@ krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) /* increment the kvno */ kvno++; - if (retval = add_key_rnd(context, master_eblock, ks_tuple, + if (retval = add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)) { cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); db_entry->n_key_data = key_data_count; @@ -255,9 +234,9 @@ krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) * As a side effect all old keys older than the max kvno are nuked. */ krb5_error_code -krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) +krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; krb5_db_entry * db_entry; @@ -278,7 +257,7 @@ krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) /* increment the kvno */ kvno++; - if (retval = add_key_rnd(context, master_eblock, ks_tuple, + if (retval = add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)) { cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); db_entry->n_key_data = key_data_count; @@ -307,10 +286,10 @@ krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry) * If passwd is NULL the assumes that the caller wants a random password. */ static krb5_error_code -add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, +add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry, kvno) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; char * passwd; @@ -318,7 +297,6 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, int kvno; { krb5_error_code retval; - krb5_encrypt_block key_eblock; krb5_keysalt key_salt; krb5_keyblock key; krb5_data pwd; @@ -328,40 +306,30 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, retval = 0; for (i = 0; i < ks_tuple_count; i++) { - krb5_enctype new_enctype, old_enctype; + krb5_boolean similar; + + similar = 0; - switch (new_enctype = ks_tuple[i].ks_enctype) { - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_RAW: - new_enctype = ENCTYPE_DES_CBC_CRC; - default: - break; - } /* * We could use krb5_keysalt_iterate to replace this loop, or use * krb5_keysalt_is_present for the loop below, but we want to avoid * circular library dependencies. */ - for (found = j = 0; j < i; j++) { - if (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype) { - switch (old_enctype = ks_tuple[j].ks_enctype) { - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_RAW: - old_enctype = ENCTYPE_DES_CBC_CRC; - default: - break; - } - if (old_enctype == new_enctype) { - found = 1; - break; - } - } + for (j = 0; j < i; j++) { + if ((retval = krb5_c_enctype_compare(context, + ks_tuple[i].ks_enctype, + ks_tuple[j].ks_enctype, + &similar))) + return(retval); + + if (similar && + (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype)) + break; } - if (found) + + if (j < i) continue; - krb5_use_enctype(context, &key_eblock, ks_tuple[i].ks_enctype); + if (retval = krb5_dbe_create_key_data(context, db_entry)) return(retval); @@ -422,8 +390,9 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, pwd.data = passwd; pwd.length = strlen(passwd); - if (retval = krb5_string_to_key(context, &key_eblock, &key, &pwd, - &key_salt.data)) { + + if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype, + &pwd, &key_salt.data, &key))) { if (key_salt.data.data) free(key_salt.data.data); return(retval); @@ -433,7 +402,7 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, key_salt.data.length = krb5_princ_realm(context, db_entry->princ)->length; - if (retval = krb5_dbekd_encrypt_key_data(context, master_eblock, &key, + if (retval = krb5_dbekd_encrypt_key_data(context, master_key, &key, (const krb5_keysalt *)&key_salt, kvno, &db_entry->key_data[db_entry->n_key_data-1])) { if (key_salt.data.data) @@ -455,10 +424,10 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd, * As a side effect all old keys are nuked. */ krb5_error_code -krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, +krb5_dbe_cpw(context, master_key, ks_tuple, ks_tuple_count, passwd, new_kvno, db_entry) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; char * passwd; @@ -483,7 +452,7 @@ krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, if (new_kvno < old_kvno+1) new_kvno = old_kvno+1; - if (retval = add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, + if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry, new_kvno)) { cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); db_entry->n_key_data = key_data_count; @@ -501,9 +470,9 @@ krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, * As a side effect all old keys older than the max kvno are nuked. */ krb5_error_code -krb5_dbe_apw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, db_entry) +krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry) krb5_context context; - krb5_encrypt_block * master_eblock; + krb5_keyblock * master_key; krb5_key_salt_tuple * ks_tuple; int ks_tuple_count; char * passwd; @@ -526,7 +495,7 @@ krb5_dbe_apw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, db_entry) /* increment the kvno */ new_kvno = old_kvno+1; - if (retval = add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, + if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry, new_kvno)) { cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data); db_entry->n_key_data = key_data_count; |