oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Initial support for kadm5_randkey_principal_3(), needed by krb5_admin.

Browse Source 
NOT TESTED YET.
This commit is contained in:
Nicolas Williams
2011-07-14 15:44:14 -05:00
committed by Nicolas Williams
parent 51e9da4a66
commit 6e04b05e9d
12 changed files with 180 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
kadmin/server.c
View File

@@ -47,6 +47,9 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
kadm5_principal_ent_rec ent; kadm5_principal_ent_rec ent;
char *password, *expression; char *password, *expression;
krb5_keyblock *new_keys; krb5_keyblock *new_keys;
krb5_key_salt_tuple *ks_tuple = NULL;
krb5_boolean keepold = FALSE;
int n_ks_tuple = 0;
int n_keys; int n_keys;
char **princs; char **princs;
int n_princs; int n_princs;
@@ -355,9 +358,47 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
krb5_free_principal(contextp->context, princ); krb5_free_principal(contextp->context, princ);
goto fail; goto fail;
} }
ret = kadm5_randkey_principal(kadm_handlep, princ,
&new_keys, &n_keys); /*
krb5_free_principal(contextp->context, princ); * See comments in kadm5_c_randkey_principal() regarding the
* protocol.
*/
ret = krb5_ret_int32(sp, &keepold);
if (ret != 0 && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &n_ks_tuple);
if (ret != 0 && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
} else if (ret == 0) {
size_t i;
if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) {
ret = errno;
krb5_free_principal(contextp->context, princ);
goto fail;
}
for (i = 0; i < n_ks_tuple; i++) {
ret = krb5_ret_int32(sp, &ks_tuple[i].ks_enctype);
if (ret != 0) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &ks_tuple[i].ks_salttype);
if (ret != 0) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
}
}
ret = kadm5_randkey_principal_3(kadm_handle, princ, keepold, n_ks_tuple,
ks_tuple, &new_keys, &n_keys);
krb5_free_principal(context->context, princ);
krb5_storage_free(sp); krb5_storage_free(sp);
sp = krb5_storage_emem(); sp = krb5_storage_emem();
krb5_store_int32(sp, ret); krb5_store_int32(sp, ret);

59
lib/hdb/keys.c
View File

@@ -33,6 +33,7 @@
*/ */
#include "hdb_locl.h" #include "hdb_locl.h"
#include <assert.h>
/* /*
* free all the memory used by (len, keys) * free all the memory used by (len, keys)
@@ -328,6 +329,50 @@ add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
} }
static
krb5_error_code
ks_tuple2str(krb5_context context, int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple, char ***ks_tuple_strs)
{
int i;
char **ksnames;
char *ename, *sname;
krb5_error_code rc = KRB5_PROG_ETYPE_NOSUPP;
*ks_tuple_strs = NULL;
if (n_ks_tuple < 1)
return 0;
if ((ksnames = calloc(n_ks_tuple, sizeof (*ksnames))) == NULL)
return (errno);
for (i = 0; i < n_ks_tuple; i++) {
if (krb5_enctype_to_string(context, ks_tuple[i].ks_enctype, &ename))
goto out;
if (krb5_salttype_to_string(context, ks_tuple[i].ks_enctype,
ks_tuple[i].ks_salttype, &sname))
goto out;
if (asprintf(&ksnames[i], "%s:%s", ename, sname) == -1) {
rc = errno;
free(ename);
free(sname);
goto out;
}
free(ename);
free(sname);
}
*ks_tuple_strs = ksnames;
rc = 0;
out:
for (i = 0; i < n_ks_tuple; i++)
free(ksnames[i]);
free(ksnames);
return (rc);
}
/* /*
* Generate the `key_set' from the [kadmin]default_keys statement. If * Generate the `key_set' from the [kadmin]default_keys statement. If
* `no_salt' is set, salt is not important (and will not be set) since * `no_salt' is set, salt is not important (and will not be set) since
@@ -336,12 +381,14 @@ add_enctype_to_key_set(Key **key_set, size_t *nkeyset,
krb5_error_code krb5_error_code
hdb_generate_key_set(krb5_context context, krb5_principal principal, hdb_generate_key_set(krb5_context context, krb5_principal principal,
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
Key **ret_key_set, size_t *nkeyset, int no_salt) Key **ret_key_set, size_t *nkeyset, int no_salt)
{ {
char **ktypes, **kp; char **ktypes, **kp;
krb5_error_code ret; krb5_error_code ret;
Key *k, *key_set; Key *k, *key_set;
size_t i, j; size_t i, j;
char **ks_tuple_strs;
static const char *default_keytypes[] = { static const char *default_keytypes[] = {
"aes256-cts-hmac-sha1-96:pw-salt", "aes256-cts-hmac-sha1-96:pw-salt",
"des3-cbc-sha1:pw-salt", "des3-cbc-sha1:pw-salt",
@@ -349,16 +396,18 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
NULL NULL
}; };
ktypes = krb5_config_get_strings(context, NULL, "kadmin", if ((ret = ks_tuple2str(context, n_ks_tuple, ks_tuple, &ks_tuple_strs)))
"default_keys", NULL); return ret;
if (ks_tuple_strs == NULL)
ktypes = krb5_config_get_strings(context, NULL, "kadmin",
"default_keys", NULL);
if (ktypes == NULL) if (ktypes == NULL)
ktypes = (char **)(intptr_t)default_keytypes; ktypes = (char **)(intptr_t)default_keytypes;
*ret_key_set = key_set = NULL; *ret_key_set = key_set = NULL;
*nkeyset = 0; *nkeyset = 0;
ret = 0;
for(kp = ktypes; kp && *kp; kp++) { for(kp = ktypes; kp && *kp; kp++) {
const char *p; const char *p;
krb5_salt salt; krb5_salt salt;
@@ -451,7 +500,7 @@ hdb_generate_key_set_password(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
size_t i; size_t i;
ret = hdb_generate_key_set(context, principal, ret = hdb_generate_key_set(context, principal, 0, NULL,
keys, num_keys, 0); keys, num_keys, 0);
if (ret) if (ret)
return ret; return ret;

4
lib/kadm5/ad.c
View File

@@ -1224,9 +1224,13 @@ kadm5_ad_modify_principal(void *server_handle,
#endif #endif
} }
/*ARGSUSED*/
static kadm5_ret_t static kadm5_ret_t
kadm5_ad_randkey_principal(void *server_handle, kadm5_ad_randkey_principal(void *server_handle,
krb5_principal principal, krb5_principal principal,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **keys, krb5_keyblock **keys,
int *n_keys) int *n_keys)
{ {

4
lib/kadm5/admin.h
View File

@@ -195,10 +195,6 @@ typedef struct _kadm5_policy_ent_t {
#define KADM5_PRIV_CPW (1 << 5) #define KADM5_PRIV_CPW (1 << 5)
#define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW) #define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
typedef struct {
int XXX;
}krb5_key_salt_tuple;
typedef struct _kadm5_config_params { typedef struct _kadm5_config_params {
uint32_t mask; uint32_t mask;

26
lib/kadm5/common_glue.c
View File

@@ -92,6 +92,16 @@ kadm5_get_principal(void *server_handle,
return __CALL(get_principal, (server_handle, princ, out, mask)); return __CALL(get_principal, (server_handle, princ, out, mask));
} }
kadm5_ret_t
kadm5_decrypt_key(void *server_handle,
kadm5_principal_ent_t entry,
int32_t ktype, int32_t stype,
int32_t kvno, krb5_keyblock *keyblock,
krb5_keysalt *keysalt, int *kvnop)
{
}
kadm5_ret_t kadm5_ret_t
kadm5_modify_principal(void *server_handle, kadm5_modify_principal(void *server_handle,
kadm5_principal_ent_t princ, kadm5_principal_ent_t princ,
@@ -106,7 +116,21 @@ kadm5_randkey_principal(void *server_handle,
krb5_keyblock **new_keys, krb5_keyblock **new_keys,
int *n_keys) int *n_keys)
{ {
return __CALL(randkey_principal, (server_handle, princ, new_keys, n_keys)); return __CALL(randkey_principal, (server_handle, princ, FALSE, 0, NULL,
new_keys, n_keys));
}
kadm5_ret_t
kadm5_randkey_principal_3(void *server_handle,
krb5_principal princ,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **new_keys,
int *n_keys)
{
return __CALL(randkey_principal, (server_handle, princ, keepold,
n_ks_tuple, ks_tuple, new_keys, n_keys));
} }
kadm5_ret_t kadm5_ret_t

3
lib/kadm5/default_keys.c
View File

@@ -85,7 +85,8 @@ parse_file(krb5_context context, krb5_principal principal, int no_salt)
size_t nkeys; size_t nkeys;
Key *keys; Key *keys;
ret = hdb_generate_key_set(context, principal, &keys, &nkeys, no_salt); ret = hdb_generate_key_set(context, principal, 0, NULL, &keys, &nkeys,
no_salt);
if (ret) if (ret)
krb5_err(context, 1, ret, "hdb_generate_key_set"); krb5_err(context, 1, ret, "hdb_generate_key_set");

5
lib/kadm5/private.h
View File

@@ -48,8 +48,9 @@ struct kadm_func {
kadm5_ret_t (*get_principals) (void*, const char*, char***, int*); kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
kadm5_ret_t (*get_privs) (void*, uint32_t*); kadm5_ret_t (*get_privs) (void*, uint32_t*);
kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, uint32_t); kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, uint32_t);
kadm5_ret_t (*randkey_principal) (void*, krb5_principal, kadm5_ret_t (*randkey_principal) (void*, krb5_principal, krb5_boolean, int,
krb5_keyblock**, int*); krb5_key_salt_tuple*, krb5_keyblock**,
int*);
kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal); kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal, kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal,
int, krb5_key_data *); int, krb5_key_data *);

35
lib/kadm5/randkey_c.c
View File

@@ -38,14 +38,18 @@ RCSID("$Id$");
kadm5_ret_t kadm5_ret_t
kadm5_c_randkey_principal(void *server_handle, kadm5_c_randkey_principal(void *server_handle,
krb5_principal princ, krb5_principal princ,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **new_keys, krb5_keyblock **new_keys,
int *n_keys) int *n_keys)
{ {
kadm5_client_context *context = server_handle; kadm5_client_context *context = server_handle;
kadm5_ret_t ret; kadm5_ret_t ret;
krb5_storage *sp; krb5_storage *sp;
unsigned char buf[1024]; unsigned char buf[1536];
int32_t tmp; int32_t tmp;
int i;
krb5_data reply; krb5_data reply;
ret = _kadm5_connect(server_handle); ret = _kadm5_connect(server_handle);
@@ -57,12 +61,41 @@ kadm5_c_randkey_principal(void *server_handle,
krb5_clear_error_message(context->context); krb5_clear_error_message(context->context);
return ENOMEM; return ENOMEM;
} }
/*
* NOTE WELL: This message is extensible. It currently consists of:
*
* - opcode (kadm_randkey)
* - principal name (princ)
*
* followed by optional items, each of which must be present if
* there are any items following them that are also present:
*
* - keepold boolean (whether to delete old kvnos)
* - number of key/salt type tuples
* - array of {enctype, salttype}
*
* Eventually we may add:
*
* - opaque string2key parameters (salt, rounds, ...)
*/
krb5_store_int32(sp, kadm_randkey); krb5_store_int32(sp, kadm_randkey);
krb5_store_principal(sp, princ); krb5_store_principal(sp, princ);
ret = _kadm5_client_send(context, sp); ret = _kadm5_client_send(context, sp);
krb5_storage_free(sp); krb5_storage_free(sp);
if (ret) if (ret)
return ret; return ret;
if (keepold == TRUE || n_ks_tuple > 0)
krb5_store_uint32(sp, keepold);
if (n_ks_tuple > 0)
krb5_store_uint32(sp, n_ks_tuple);
for (i = 0; i < n_ks_tuple; i++) {
krb5_store_int32(sp, ks_tuple[i].ks_enctype);
krb5_store_int32(sp, ks_tuple[i].ks_salttype);
}
/* Future extensions go here */
ret = _kadm5_client_recv(context, &reply); ret = _kadm5_client_recv(context, &reply);
if(ret) if(ret)
return ret; return ret;

5
lib/kadm5/randkey_s.c
View File

@@ -43,6 +43,9 @@ RCSID("$Id$");
kadm5_ret_t kadm5_ret_t
kadm5_s_randkey_principal(void *server_handle, kadm5_s_randkey_principal(void *server_handle,
krb5_principal princ, krb5_principal princ,
krb5_boolean keepold,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **new_keys, krb5_keyblock **new_keys,
int *n_keys) int *n_keys)
{ {
@@ -65,6 +68,8 @@ kadm5_s_randkey_principal(void *server_handle,
ret = _kadm5_set_keys_randomly (context, ret = _kadm5_set_keys_randomly (context,
&ent.entry, &ent.entry,
n_ks_tuple,
ks_tuple,
new_keys, new_keys,
n_keys); n_keys);
if (ret) if (ret)

4
lib/kadm5/set_keys.c
View File

@@ -196,6 +196,8 @@ is_des_key_p(int keytype)
kadm5_ret_t kadm5_ret_t
_kadm5_set_keys_randomly (kadm5_server_context *context, _kadm5_set_keys_randomly (kadm5_server_context *context,
hdb_entry *ent, hdb_entry *ent,
int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **new_keys, krb5_keyblock **new_keys,
int *n_keys) int *n_keys)
{ {
@@ -206,7 +208,7 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
Key *keys; Key *keys;
ret = hdb_generate_key_set(context->context, ent->principal, ret = hdb_generate_key_set(context->context, ent->principal,
&keys, &num_keys, 1); n_ks_tuple, ks_tuple, &keys, &num_keys, 1);
if (ret) if (ret)
return ret; return ret;

1
lib/kadm5/version-script.map
View File

@@ -26,6 +26,7 @@ HEIMDAL_KAMD5_SERVER_1.0 {
kadm5_init_with_skey_ctx; kadm5_init_with_skey_ctx;
kadm5_modify_principal; kadm5_modify_principal;
kadm5_randkey_principal; kadm5_randkey_principal;
kadm5_randkey_principal_3;
kadm5_rename_principal; kadm5_rename_principal;
kadm5_ret_key_data; kadm5_ret_key_data;
kadm5_ret_principal_ent; kadm5_ret_principal_ent;

5
lib/krb5/krb5.h
View File

@@ -876,6 +876,11 @@ typedef struct {
typedef krb5_error_code typedef krb5_error_code
(KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *); (KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
typedef struct {
krb5_enctype ks_enctype;
krb5int32 ks_salttype;
}krb5_key_salt_tuple;
/* /*
* *
*/ */