lib/kadm5/set_keys.c

1541Srgrimes/*
1541Srgrimes * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska H�gskolan
1541Srgrimes * (Royal Institute of Technology, Stockholm, Sweden).
1541Srgrimes * All rights reserved.
1541Srgrimes *
1541Srgrimes * Redistribution and use in source and binary forms, with or without
1541Srgrimes * modification, are permitted provided that the following conditions
1541Srgrimes * are met:
1541Srgrimes *
1541Srgrimes * 1. Redistributions of source code must retain the above copyright
1541Srgrimes *    notice, this list of conditions and the following disclaimer.
1541Srgrimes *
1541Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
1541Srgrimes *    notice, this list of conditions and the following disclaimer in the
1541Srgrimes *    documentation and/or other materials provided with the distribution.
1541Srgrimes *
1541Srgrimes * 3. Neither the name of the Institute nor the names of its contributors
1541Srgrimes *    may be used to endorse or promote products derived from this software
1541Srgrimes *    without specific prior written permission.
1541Srgrimes *
1541Srgrimes * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
1541Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1541Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1541Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
1541Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1541Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1541Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1541Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1541Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1541Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1541Srgrimes * SUCH DAMAGE.
1541Srgrimes */
1541Srgrimes
1541Srgrimes#include "kadm5_locl.h"
1541Srgrimes
1541SrgrimesRCSID("$Id: set_keys.c 15888 2005-08-11 13:40:35Z lha $");
1541Srgrimes
44510Swollman/*
50477Speter * Set the keys of `ent' to the string-to-key of `password'
1541Srgrimes */
1541Srgrimes
1541Srgrimeskadm5_ret_t
1541Srgrimes_kadm5_set_keys(kadm5_server_context *context,
33392Sphk		hdb_entry *ent,
1541Srgrimes		const char *password)
74914Sjhb{
68840Sjhb    Key *keys;
1541Srgrimes    size_t num_keys;
33392Sphk    kadm5_ret_t ret;
33392Sphk
33392Sphk    ret = hdb_generate_key_set_password(context->context,
33392Sphk					ent->principal,
33392Sphk					password, &keys, &num_keys);
33392Sphk    if (ret)
29680Sgibbs	return ret;
29680Sgibbs
29680Sgibbs    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
29680Sgibbs    ent->keys.val = keys;
33392Sphk    ent->keys.len = num_keys;
68889Sjake
2112Swollman    hdb_entry_set_pw_change_time(context->context, ent, 0);
29680Sgibbs
1541Srgrimes    if (krb5_config_get_bool_default(context->context, NULL, FALSE,
1541Srgrimes				     "kadmin", "save-password", NULL))
82127Sdillon    {
82127Sdillon	ret = hdb_entry_set_password(context->context, context->db,
82127Sdillon				     ent, password);
82127Sdillon	if (ret)
82127Sdillon	    return ret;
82127Sdillon    }
82127Sdillon
82127Sdillon    return 0;
82127Sdillon}
82127Sdillon
82127Sdillon/*
82127Sdillon * Set the keys of `ent' to (`n_key_data', `key_data')
82127Sdillon */
82127Sdillon
82127Sdillonkadm5_ret_t
82127Sdillon_kadm5_set_keys2(kadm5_server_context *context,
82127Sdillon		 hdb_entry *ent,
82127Sdillon		 int16_t n_key_data,
82127Sdillon		 krb5_key_data *key_data)
82127Sdillon{
82127Sdillon    krb5_error_code ret;
82127Sdillon    int i;
82127Sdillon    unsigned len;
82127Sdillon    Key *keys;
82127Sdillon
82127Sdillon    len  = n_key_data;
82127Sdillon    keys = malloc (len * sizeof(*keys));
82127Sdillon    if (keys == NULL)
82127Sdillon	return ENOMEM;
82127Sdillon
82127Sdillon    _kadm5_init_keys (keys, len);
82127Sdillon
82127Sdillon    for(i = 0; i < n_key_data; i++) {
82127Sdillon	keys[i].mkvno = NULL;
82127Sdillon	keys[i].key.keytype = key_data[i].key_data_type[0];
82127Sdillon	ret = krb5_data_copy(&keys[i].key.keyvalue,
82127Sdillon			     key_data[i].key_data_contents[0],
82127Sdillon			     key_data[i].key_data_length[0]);
82127Sdillon	if(ret)
82127Sdillon	    goto out;
82127Sdillon	if(key_data[i].key_data_ver == 2) {
82127Sdillon	    Salt *salt;
82127Sdillon
82127Sdillon	    salt = malloc(sizeof(*salt));
82127Sdillon	    if(salt == NULL) {
93818Sjhb		ret = ENOMEM;
82127Sdillon		goto out;
82127Sdillon	    }
82127Sdillon	    keys[i].salt = salt;
29680Sgibbs	    salt->type = key_data[i].key_data_type[1];
29680Sgibbs	    krb5_data_copy(&salt->salt,
29680Sgibbs			   key_data[i].key_data_contents[1],
29680Sgibbs			   key_data[i].key_data_length[1]);
29680Sgibbs	} else
29680Sgibbs	    keys[i].salt = NULL;
29680Sgibbs    }
29680Sgibbs    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
29680Sgibbs    ent->keys.len = len;
29680Sgibbs    ent->keys.val = keys;
32388Sphk
29680Sgibbs    hdb_entry_set_pw_change_time(context->context, ent, 0);
1541Srgrimes    hdb_entry_clear_password(context->context, ent);
1541Srgrimes
1541Srgrimes    return 0;
1541Srgrimes out:
67551Sjhb    _kadm5_free_keys (context->context, len, keys);
1541Srgrimes    return ret;
102936Sphk}
102936Sphk
102936Sphk/*
102936Sphk * Set the keys of `ent' to `n_keys, keys'
102936Sphk */
102936Sphk
102936Sphkkadm5_ret_t
102936Sphk_kadm5_set_keys3(kadm5_server_context *context,
102936Sphk		 hdb_entry *ent,
1541Srgrimes		 int n_keys,
33392Sphk		 krb5_keyblock *keyblocks)
33392Sphk{
33392Sphk    krb5_error_code ret;
29680Sgibbs    int i;
29680Sgibbs    unsigned len;
72200Sbmilekic    Key *keys;
29680Sgibbs
29805Sgibbs    len  = n_keys;
29805Sgibbs    keys = malloc (len * sizeof(*keys));
29805Sgibbs    if (keys == NULL)
29805Sgibbs	return ENOMEM;
29805Sgibbs
29805Sgibbs    _kadm5_init_keys (keys, len);
29805Sgibbs
29805Sgibbs    for(i = 0; i < n_keys; i++) {
29680Sgibbs	keys[i].mkvno = NULL;
29805Sgibbs	ret = krb5_copy_keyblock_contents (context->context,
29680Sgibbs					   &keyblocks[i],
29680Sgibbs					   &keys[i].key);
29680Sgibbs	if(ret)
29680Sgibbs	    goto out;
29805Sgibbs	keys[i].salt = NULL;
72200Sbmilekic    }
81370Sjhb    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
72200Sbmilekic    ent->keys.len = len;
29680Sgibbs    ent->keys.val = keys;
29680Sgibbs
29680Sgibbs    hdb_entry_set_pw_change_time(context->context, ent, 0);
29680Sgibbs    hdb_entry_clear_password(context->context, ent);
29680Sgibbs
29680Sgibbs    return 0;
68889Sjake out:
29680Sgibbs    _kadm5_free_keys (context->context, len, keys);
29680Sgibbs    return ret;
29805Sgibbs}
29680Sgibbs
29680Sgibbs/*
68889Sjake *
29680Sgibbs */
44510Swollman
44510Swollmanstatic int
44510Swollmanis_des_key_p(int keytype)
44510Swollman{
44510Swollman    return keytype == ETYPE_DES_CBC_CRC ||
44510Swollman    	keytype == ETYPE_DES_CBC_MD4 ||
50673Sjlemon	keytype == ETYPE_DES_CBC_MD5;
44510Swollman}
72200Sbmilekic
68889Sjake
72200Sbmilekic/*
102936Sphk * Set the keys of `ent' to random keys and return them in `n_keys'
102936Sphk * and `new_keys'.
102936Sphk */
29680Sgibbs
102936Sphkkadm5_ret_t
102936Sphk_kadm5_set_keys_randomly (kadm5_server_context *context,
102936Sphk			  hdb_entry *ent,
102936Sphk			  krb5_keyblock **new_keys,
102936Sphk			  int *n_keys)
102936Sphk{
102936Sphk   krb5_keyblock *kblock = NULL;
102936Sphk   kadm5_ret_t ret = 0;
102936Sphk   int i, des_keyblock;
102936Sphk   size_t num_keys;
102936Sphk   Key *keys;
68889Sjake
72200Sbmilekic   ret = hdb_generate_key_set(context->context, ent->principal,
72200Sbmilekic			       &keys, &num_keys, 1);
29680Sgibbs   if (ret)
29680Sgibbs	return ret;
29680Sgibbs
29680Sgibbs   kblock = malloc(num_keys * sizeof(kblock[0]));
1541Srgrimes   if (kblock == NULL) {
29680Sgibbs	ret = ENOMEM;
72200Sbmilekic	_kadm5_free_keys (context->context, num_keys, keys);
1541Srgrimes	return ret;
1541Srgrimes   }
1541Srgrimes   memset(kblock, 0, num_keys * sizeof(kblock[0]));
1541Srgrimes
1541Srgrimes   des_keyblock = -1;
1541Srgrimes   for (i = 0; i < num_keys; i++) {
1541Srgrimes
1541Srgrimes	/*
1541Srgrimes	 * To make sure all des keys are the the same we generate only
29680Sgibbs	 * the first one and then copy key to all other des keys.
29680Sgibbs	 */
29680Sgibbs
1541Srgrimes	if (des_keyblock != -1 && is_des_key_p(keys[i].key.keytype)) {
29680Sgibbs	    ret = krb5_copy_keyblock_contents (context->context,
29680Sgibbs					       &kblock[des_keyblock],
29680Sgibbs					       &kblock[i]);
29680Sgibbs	    if (ret)
1541Srgrimes		goto out;
29680Sgibbs	    kblock[i].keytype = keys[i].key.keytype;
29680Sgibbs	} else {
33824Sbde	    ret = krb5_generate_random_keyblock (context->context,
1541Srgrimes						 keys[i].key.keytype,
69147Sjlemon						 &kblock[i]);
1541Srgrimes	    if (ret)
29680Sgibbs		goto out;
29680Sgibbs
1541Srgrimes	    if (is_des_key_p(keys[i].key.keytype))
72200Sbmilekic		des_keyblock = i;
1541Srgrimes	}
1541Srgrimes
29680Sgibbs	ret = krb5_copy_keyblock_contents (context->context,
29680Sgibbs					   &kblock[i],
29680Sgibbs					   &keys[i].key);
1541Srgrimes	if (ret)
29680Sgibbs	    goto out;
44510Swollman   }
44510Swollman
1541Srgrimesout:
44510Swollman   if(ret) {
72200Sbmilekic	for (i = 0; i < num_keys; ++i)
29680Sgibbs	    krb5_free_keyblock_contents (context->context, &kblock[i]);
1541Srgrimes	free(kblock);
1541Srgrimes	_kadm5_free_keys (context->context, num_keys, keys);
1541Srgrimes	return ret;
29680Sgibbs   }
33824Sbde
1541Srgrimes   _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
29680Sgibbs   ent->keys.val = keys;
1541Srgrimes   ent->keys.len = num_keys;
1541Srgrimes   *new_keys     = kblock;
29680Sgibbs   *n_keys       = num_keys;
29680Sgibbs
29680Sgibbs   hdb_entry_set_pw_change_time(context->context, ent, 0);
29680Sgibbs   hdb_entry_clear_password(context->context, ent);
29680Sgibbs
29680Sgibbs   return 0;
29680Sgibbs}
29680Sgibbs