1 /* $NetBSD: kstash.c,v 1.2 2017/01/28 21:31:44 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "headers.h" 37 38 krb5_context context; 39 40 static char *keyfile; 41 static int convert_flag; 42 static int help_flag; 43 static int version_flag; 44 45 static int master_key_fd = -1; 46 static int random_key_flag; 47 48 static const char *enctype_str = "des3-cbc-sha1"; 49 50 static struct getargs args[] = { 51 { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type", 52 NULL }, 53 { "key-file", 'k', arg_string, &keyfile, "master key file", "file" }, 54 { "convert-file", 0, arg_flag, &convert_flag, 55 "just convert keyfile to new format", NULL }, 56 { "master-key-fd", 0, arg_integer, &master_key_fd, 57 "filedescriptor to read passphrase from", "fd" }, 58 { "random-key", 0, arg_flag, &random_key_flag, 59 "generate a random master key", NULL }, 60 { "help", 'h', arg_flag, &help_flag, NULL, NULL }, 61 { "version", 0, arg_flag, &version_flag, NULL, NULL } 62 }; 63 64 int num_args = sizeof(args) / sizeof(args[0]); 65 66 int 67 main(int argc, char **argv) 68 { 69 char buf[1024+1]; 70 krb5_error_code ret; 71 int aret; 72 73 krb5_enctype enctype; 74 75 hdb_master_key mkey; 76 77 krb5_program_setup(&context, argc, argv, args, num_args, NULL); 78 79 if(help_flag) 80 krb5_std_usage(0, args, num_args); 81 if(version_flag){ 82 print_version(NULL); 83 exit(0); 84 } 85 86 if (master_key_fd != -1 && random_key_flag) 87 krb5_errx(context, 1, "random-key and master-key-fd " 88 "is mutual exclusive"); 89 90 if (keyfile == NULL) { 91 aret = asprintf(&keyfile, "%s/m-key", hdb_db_dir(context)); 92 if (aret == -1) 93 krb5_errx(context, 1, "out of memory"); 94 } 95 96 ret = krb5_string_to_enctype(context, enctype_str, &enctype); 97 if(ret) 98 krb5_err(context, 1, ret, "krb5_string_to_enctype"); 99 100 ret = hdb_read_master_key(context, keyfile, &mkey); 101 if(ret && ret != ENOENT) 102 krb5_err(context, 1, ret, "reading master key from %s", keyfile); 103 104 if (convert_flag) { 105 if (ret) 106 krb5_err(context, 1, ret, "reading master key from %s", keyfile); 107 } else { 108 krb5_keyblock key; 109 krb5_salt salt; 110 salt.salttype = KRB5_PW_SALT; 111 /* XXX better value? */ 112 salt.saltvalue.data = NULL; 113 salt.saltvalue.length = 0; 114 if (random_key_flag) { 115 ret = krb5_generate_random_keyblock(context, enctype, &key); 116 if (ret) 117 krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); 118 119 } else { 120 if(master_key_fd != -1) { 121 ssize_t n; 122 n = read(master_key_fd, buf, sizeof(buf)-1); 123 if(n <= 0) 124 krb5_err(context, 1, errno, "failed to read passphrase"); 125 buf[n] = '\0'; 126 buf[strcspn(buf, "\r\n")] = '\0'; 127 128 } else { 129 if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) 130 exit(1); 131 } 132 krb5_string_to_key_salt(context, enctype, buf, salt, &key); 133 } 134 ret = hdb_add_master_key(context, &key, &mkey); 135 136 krb5_free_keyblock_contents(context, &key); 137 138 } 139 140 { 141 char *new = NULL, *old = NULL; 142 143 aret = asprintf(&old, "%s.old", keyfile); 144 if (aret == -1) { 145 old = NULL; 146 ret = ENOMEM; 147 goto out; 148 } 149 aret = asprintf(&new, "%s.new", keyfile); 150 if (aret == -1) { 151 new = NULL; 152 ret = ENOMEM; 153 goto out; 154 } 155 if(unlink(new) < 0 && errno != ENOENT) { 156 ret = errno; 157 goto out; 158 } 159 krb5_warnx(context, "writing key to `%s'", keyfile); 160 ret = hdb_write_master_key(context, new, mkey); 161 if(ret) 162 unlink(new); 163 else { 164 #ifndef NO_POSIX_LINKS 165 unlink(old); 166 if(link(keyfile, old) < 0 && errno != ENOENT) { 167 ret = errno; 168 unlink(new); 169 } else { 170 #endif 171 if(rename(new, keyfile) < 0) { 172 ret = errno; 173 } 174 #ifndef NO_POSIX_LINKS 175 } 176 #endif 177 } 178 out: 179 free(old); 180 free(new); 181 if(ret) 182 krb5_warn(context, errno, "writing master key file"); 183 } 184 185 hdb_free_master_key(context, mkey); 186 187 exit(ret != 0); 188 } 189