add `--convert-file' option to change keytype of existing master key

file


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@5388 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/kstash.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -40,8 +40,11 @@
 
 RCSID("$Id$");
 
+krb5_context context;
+
 char *keyfile = HDB_DB_DIR "/m-key";
 char *v4_keyfile;
+int convert_flag;
 int help_flag;
 int version_flag;
 
@@ -49,27 +52,116 @@ struct getargs args[] = {
     { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
     { "version4-key-file", '4', arg_string, &v4_keyfile, 
       "kerberos 4 master key file", "file" },
+    { "convert-file", 0, arg_flag, &convert_flag, 
+      "convert keytype of keyfile" },
     { "help", 'h', arg_flag, &help_flag },
     { "version", 0, arg_flag, &version_flag }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);
 
-int main(int argc, char **argv)
+static void
+write_keyfile(EncryptionKey key)
+{
+    FILE *f;
+    char buf[1024];
+    size_t len;
+
+#ifdef HAVE_UMASK
+    umask(077);
+#endif
+
+    f = fopen(keyfile, "w");
+    if(f == NULL)
+	krb5_err(context, 1, errno, "%s", keyfile);
+    encode_EncryptionKey((unsigned char *)buf + sizeof(buf) - 1,
+			 sizeof(buf), &key, &len);
+    fwrite(buf + sizeof(buf) - len, len, 1, f);
+    memset(buf, 0, sizeof(buf));
+    if(ferror(f))
+	krb5_err(context, 1, errno, "%s", keyfile);
+    fclose(f);
+}
+
+static int
+convert_file(void)
+{
+    FILE *f;
+    char buf[1024];
+    char *fn;
+    size_t len;
+    EncryptionKey key;
+    krb5_error_code ret;
+
+    f = fopen(keyfile, "r");
+    if(f == NULL) {
+	krb5_warn(context, errno, "%s", keyfile);
+	return 1;
+    }
+    len = fread(buf, 1, sizeof(buf), f);
+    if(ferror(f)) {
+	krb5_warn(context, errno, "fread");
+	ret = 1;
+	goto out1;
+    }
+    fclose(f);
+    ret = decode_EncryptionKey(buf, len, &key, &len);
+    memset(buf, 0, sizeof(buf));
+    if(ret) {
+	krb5_warn(context, ret, "decode_EncryptionKey");
+	goto out2;
+    }
+    if(key.keytype == KEYTYPE_DES)
+	key.keytype = ETYPE_DES_CBC_MD5;
+    else if(key.keytype == ETYPE_DES_CBC_MD5) {
+	krb5_warnx(context, "keyfile already converted");
+	ret = 0;
+	goto out2;
+    } else {
+	krb5_warnx(context, "bad encryption key type (%d)", key.keytype);
+	ret = 1;
+	goto out2;
+    }
+    asprintf(&fn, "%s.old", keyfile);
+    if(fn == NULL) {
+	krb5_warn(context, ENOMEM, "malloc");
+	ret = 1;
+	goto out1;
+    }
+    if(rename(keyfile, fn) < 0) {
+	krb5_warn(context, errno, "rename");
+	ret = 1;
+	goto out1;
+    }
+    write_keyfile(key);
+    krb5_free_keyblock_contents(context, &key);
+    return 0;
+out1:
+    memset(buf, 0, sizeof(buf));
+    return ret ? 1 : 0;
+out2:
+    krb5_free_keyblock_contents(context, &key);
+    return ret ? 1 : 0;
+}
+
+int
+main(int argc, char **argv)
 {
     char buf[1024];
     EncryptionKey key;
     FILE *f;
-    size_t len;
-    krb5_context context = NULL;
     
     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
     if(help_flag)
 	krb5_std_usage(0, args, num_args);
-    if(version_flag)
+    if(version_flag){
-	krb5_errx(context, 0, "%s", heimdal_version);
+	print_version(NULL);
+	exit(0);
+    }
 
+    if(convert_flag)
+	exit(convert_file());
 
     key.keytype = ETYPE_DES_CBC_MD5; /* XXX */
     if(v4_keyfile){
@@ -90,16 +182,7 @@ int main(int argc, char **argv)
 	krb5_string_to_key_salt(context, key.keytype, buf, salt, &key);
     }
     
-#ifdef HAVE_UMASK
+    write_keyfile(key);
-    umask(077);
+    krb5_free_keyblock_contents(context, &key);
-#endif
-
-    f = fopen(keyfile, "w");
-    if(f == NULL)
-	krb5_err(context, 1, errno, "fopen(%s)", keyfile);
-    encode_EncryptionKey((unsigned char *)buf + sizeof(buf) - 1,
-			 sizeof(buf), &key, &len);
-    fwrite(buf + sizeof(buf) - len, len, 1, f);
-    fclose(f);
     exit(0);
 }