Initial support for kadm5_randkey_principal_3(), needed by krb5_admin.

NOT TESTED YET.

lib/kadm5/ad.c

@@ -1224,9 +1224,13 @@ kadm5_ad_modify_principal(void *server_handle,
 #endif
 }
 
+/*ARGSUSED*/
 static kadm5_ret_t
 kadm5_ad_randkey_principal(void *server_handle,
 			   krb5_principal principal,
+			   krb5_boolean keepold,
+			   int n_ks_tuple,
+			   krb5_key_salt_tuple *ks_tuple,
 			   krb5_keyblock **keys,
 			   int *n_keys)
 {

lib/kadm5/admin.h

@@ -195,10 +195,6 @@ typedef struct _kadm5_policy_ent_t {
 #define KADM5_PRIV_CPW		(1 << 5)
 #define KADM5_PRIV_ALL		(KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
 
-typedef struct {
-    int XXX;
-}krb5_key_salt_tuple;
-
 typedef struct _kadm5_config_params {
     uint32_t mask;
 

lib/kadm5/common_glue.c

@@ -92,6 +92,16 @@ kadm5_get_principal(void *server_handle,
     return __CALL(get_principal, (server_handle, princ, out, mask));
 }
 
+kadm5_ret_t
+kadm5_decrypt_key(void *server_handle,
+                  kadm5_principal_ent_t entry,
+		  int32_t ktype, int32_t stype,
+		  int32_t kvno, krb5_keyblock *keyblock,
+                  krb5_keysalt *keysalt, int *kvnop)
+{
+	
+}
+
 kadm5_ret_t
 kadm5_modify_principal(void *server_handle,
 		       kadm5_principal_ent_t princ,
@@ -106,7 +116,21 @@ kadm5_randkey_principal(void *server_handle,
 			krb5_keyblock **new_keys,
 			int *n_keys)
 {
-    return __CALL(randkey_principal, (server_handle, princ, new_keys, n_keys));
+    return __CALL(randkey_principal, (server_handle, princ, FALSE, 0, NULL,
+		  new_keys, n_keys));
+}
+
+kadm5_ret_t
+kadm5_randkey_principal_3(void *server_handle,
+			  krb5_principal princ,
+			  krb5_boolean keepold,
+			  int n_ks_tuple,
+			  krb5_key_salt_tuple *ks_tuple,
+			  krb5_keyblock **new_keys,
+			  int *n_keys)
+{
+    return __CALL(randkey_principal, (server_handle, princ, keepold,
+				      n_ks_tuple, ks_tuple, new_keys, n_keys));
 }
 
 kadm5_ret_t

lib/kadm5/default_keys.c

@@ -85,7 +85,8 @@ parse_file(krb5_context context, krb5_principal principal, int no_salt)
     size_t nkeys;
     Key *keys;
 
-    ret = hdb_generate_key_set(context, principal, &keys, &nkeys, no_salt);
+    ret = hdb_generate_key_set(context, principal, 0, NULL, &keys, &nkeys,
+			       no_salt);
     if (ret)
 	krb5_err(context, 1, ret, "hdb_generate_key_set");
 

lib/kadm5/private.h

@@ -48,8 +48,9 @@ struct kadm_func {
     kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
     kadm5_ret_t (*get_privs) (void*, uint32_t*);
     kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, uint32_t);
-    kadm5_ret_t (*randkey_principal) (void*, krb5_principal,
-				      krb5_keyblock**, int*);
+    kadm5_ret_t (*randkey_principal) (void*, krb5_principal, krb5_boolean, int,
+				      krb5_key_salt_tuple*, krb5_keyblock**,
+				      int*);
     kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
     kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal,
 					      int, krb5_key_data *);

lib/kadm5/randkey_c.c

@@ -38,14 +38,18 @@ RCSID("$Id$");
 kadm5_ret_t
 kadm5_c_randkey_principal(void *server_handle,
 			  krb5_principal princ,
+			  krb5_boolean keepold,
+			  int n_ks_tuple,
+			  krb5_key_salt_tuple *ks_tuple,
 			  krb5_keyblock **new_keys,
 			  int *n_keys)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
     krb5_storage *sp;
-    unsigned char buf[1024];
+    unsigned char buf[1536];
     int32_t tmp;
+    int i;
     krb5_data reply;
 
     ret = _kadm5_connect(server_handle);
@@ -57,12 +61,41 @@ kadm5_c_randkey_principal(void *server_handle,
 	krb5_clear_error_message(context->context);
 	return ENOMEM;
     }
+
+    /*
+     * NOTE WELL: This message is extensible.  It currently consists of:
+     *
+     *  - opcode (kadm_randkey)
+     *  - principal name (princ)
+     *
+     * followed by optional items, each of which must be present if
+     * there are any items following them that are also present:
+     *
+     *  - keepold boolean (whether to delete old kvnos)
+     *  - number of key/salt type tuples
+     *  - array of {enctype, salttype}
+     *
+     * Eventually we may add:
+     *
+     *  - opaque string2key parameters (salt, rounds, ...)
+     */
     krb5_store_int32(sp, kadm_randkey);
     krb5_store_principal(sp, princ);
     ret = _kadm5_client_send(context, sp);
     krb5_storage_free(sp);
     if (ret)
 	return ret;
+
+    if (keepold == TRUE || n_ks_tuple > 0)
+	krb5_store_uint32(sp, keepold);
+    if (n_ks_tuple > 0)
+	krb5_store_uint32(sp, n_ks_tuple);
+    for (i = 0; i < n_ks_tuple; i++) {
+	krb5_store_int32(sp, ks_tuple[i].ks_enctype);
+	krb5_store_int32(sp, ks_tuple[i].ks_salttype);
+    }
+
+    /* Future extensions go here */
     ret = _kadm5_client_recv(context, &reply);
     if(ret)
 	return ret;

lib/kadm5/randkey_s.c

@@ -43,6 +43,9 @@ RCSID("$Id$");
 kadm5_ret_t
 kadm5_s_randkey_principal(void *server_handle,
 			  krb5_principal princ,
+			  krb5_boolean keepold,
+			  int n_ks_tuple,
+			  krb5_key_salt_tuple *ks_tuple,
 			  krb5_keyblock **new_keys,
 			  int *n_keys)
 {
@@ -65,6 +68,8 @@ kadm5_s_randkey_principal(void *server_handle,
 
     ret = _kadm5_set_keys_randomly (context,
 				    &ent.entry,
+				    n_ks_tuple,
+				    ks_tuple,
 				    new_keys,
 				    n_keys);
     if (ret)

lib/kadm5/set_keys.c

@@ -196,6 +196,8 @@ is_des_key_p(int keytype)
 kadm5_ret_t
 _kadm5_set_keys_randomly (kadm5_server_context *context,
 			  hdb_entry *ent,
+			  int n_ks_tuple,
+			  krb5_key_salt_tuple *ks_tuple,
 			  krb5_keyblock **new_keys,
 			  int *n_keys)
 {
@@ -206,7 +208,7 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
    Key *keys;
 
    ret = hdb_generate_key_set(context->context, ent->principal,
-			       &keys, &num_keys, 1);
+			      n_ks_tuple, ks_tuple, &keys, &num_keys, 1);
    if (ret)
 	return ret;
 

lib/kadm5/version-script.map

@@ -26,6 +26,7 @@ HEIMDAL_KAMD5_SERVER_1.0 {
 		kadm5_init_with_skey_ctx;
 		kadm5_modify_principal;
 		kadm5_randkey_principal;
+		kadm5_randkey_principal_3;
 		kadm5_rename_principal;
 		kadm5_ret_key_data;
 		kadm5_ret_principal_ent;