Support both BE and LE MIT master key file formats

Prompted by discussion on heimdal-discuss by Michael Wood, Russ Allbery,
and Henry B. Hotz.

lib/hdb/Makefile.am

@@ -65,7 +65,7 @@ if versionscript
 libhdb_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 endif
 
-noinst_PROGRAMS = test_dbinfo test_hdbkeys
+noinst_PROGRAMS = test_dbinfo test_hdbkeys test_mkey
 
 dist_libhdb_la_SOURCES =			\
 	common.c				\
@@ -119,6 +119,7 @@ hdb_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/hdb.asn1
 test_dbinfo_LIBS = libhdb.la
 
 test_hdbkeys_LIBS = ../krb5/libkrb5.la libhdb.la
+test_mkey_LIBS = $(test_hdbkeys_LIBS)
 
 # to help stupid solaris make
 

lib/hdb/mkey.c

@@ -146,7 +146,7 @@ read_master_keytab(krb5_context context, const char *filename,
 /* read a MIT master keyfile */
 static krb5_error_code
 read_master_mit(krb5_context context, const char *filename,
-		hdb_master_key *mkey)
+		int byteorder, hdb_master_key *mkey)
 {
     int fd;
     krb5_error_code ret;
@@ -166,20 +166,16 @@ read_master_mit(krb5_context context, const char *filename,
 	close(fd);
 	return errno;
     }
-    krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+    krb5_storage_set_flags(sp, byteorder);
     /* could possibly use ret_keyblock here, but do it with more
        checks for now */
     {
 	ret = krb5_ret_int16(sp, &enctype);
 	if (ret)
 	    goto out;
-	if((htons(enctype) & 0xff00) == 0x3000) {
+	ret = krb5_enctype_valid(context, enctype);
-	    ret = HEIM_ERR_BAD_MKEY;
+	if (ret)
-	    krb5_set_error_message(context, ret, "unknown keytype in %s: "
+	   goto out;
-				   "%#x, expected %#x",
-				   filename, htons(enctype), 0x3000);
-	    goto out;
-	}
 	key.keytype = enctype;
 	ret = krb5_ret_data(sp, &key.keyvalue);
 	if(ret)
@@ -330,7 +326,14 @@ hdb_read_master_key(krb5_context context, const char *filename,
     } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
 	ret = read_master_keytab(context, filename, mkey);
     } else {
-	ret = read_master_mit(context, filename, mkey);
+      /*
+       * Check both LittleEndian and BigEndian since they key file
+       * might be moved from a machine with diffrent byte order, or
+       * its running on MacOS X that always uses BE master keys.
+       */
+      ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_LE, mkey);
+      if (ret)
+          ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_BE, mkey);
     }
     return ret;
 }

lib/hdb/test_mkey.c

@@ -0,0 +1,55 @@
+
+#include "hdb_locl.h"
+#include <getarg.h>
+#include <base64.h>
+
+static char *mkey_file;
+static int help_flag;
+static int version_flag;
+
+struct getargs args[] = {
+    { "mkey-file",	0,      arg_string, &mkey_file },
+    { "help",		'h',	arg_flag,   &help_flag },
+    { "version",	0,	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    int ret, o = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &o))
+	krb5_std_usage(1, args, num_args);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %d", ret);
+
+    if (mkey_file) {
+        hdb_master_key mkey;
+
+	ret = hdb_read_master_key(context, mkey_file, &mkey);
+	if (ret)
+	    krb5_err(context, 1, ret, "failed to read master key %s", mkey_file);
+      
+	hdb_free_master_key(context, mkey);
+    } else
+      krb5_errx(context, 1, "no command option given");
+
+    krb5_free_context(context);
+
+    return 0;
+}

tests/db/check-dbinfo.in

@@ -42,4 +42,8 @@ export KRB5_CONFIG
 
 ../../lib/hdb/test_dbinfo > dbinfo.out || exit 1
 
+../../lib/hdb/test_mkey --mkey-file="${srcdir}/../../lib/hdb/data-mkey.mit.des3.le" || exit 1
+../../lib/hdb/test_mkey --mkey-file="${srcdir}/../../lib/hdb/data-mkey.mit.des3.be" || exit 1
+
+
 exit 0