1 /* $NetBSD: kstash.c,v 1.3 2023/06/19 21:41:42 christos Exp $ */
2
3 /*
4 * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "headers.h"
37
38 krb5_context context;
39
40 static char *keyfile;
41 static int convert_flag;
42 static int help_flag;
43 static int version_flag;
44
45 static int master_key_fd = -1;
46 static int random_key_flag;
47
48 static const char *enctype_str = "des3-cbc-sha1";
49
50 static struct getargs args[] = {
51 { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type",
52 NULL },
53 { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
54 { "convert-file", 0, arg_flag, &convert_flag,
55 "just convert keyfile to new format", NULL },
56 { "master-key-fd", 0, arg_integer, &master_key_fd,
57 "filedescriptor to read passphrase from", "fd" },
58 { "random-key", 0, arg_flag, &random_key_flag,
59 "generate a random master key", NULL },
60 { "help", 'h', arg_flag, &help_flag, NULL, NULL },
61 { "version", 0, arg_flag, &version_flag, NULL, NULL }
62 };
63
64 int num_args = sizeof(args) / sizeof(args[0]);
65
66 int
main(int argc,char ** argv)67 main(int argc, char **argv)
68 {
69 char buf[1024+1];
70 krb5_error_code ret;
71 int aret;
72
73 krb5_enctype enctype;
74
75 hdb_master_key mkey;
76
77 krb5_program_setup(&context, argc, argv, args, num_args, NULL);
78
79 if(help_flag)
80 krb5_std_usage(0, args, num_args);
81 if(version_flag){
82 print_version(NULL);
83 exit(0);
84 }
85
86 if (master_key_fd != -1 && random_key_flag)
87 krb5_errx(context, 1, "random-key and master-key-fd "
88 "is mutual exclusive");
89
90 if (keyfile == NULL) {
91 aret = asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
92 if (aret == -1)
93 krb5_errx(context, 1, "out of memory");
94 }
95
96 ret = krb5_string_to_enctype(context, enctype_str, &enctype);
97 if(ret)
98 krb5_err(context, 1, ret, "krb5_string_to_enctype");
99
100 ret = hdb_read_master_key(context, keyfile, &mkey);
101 if(ret && ret != ENOENT)
102 krb5_err(context, 1, ret, "reading master key from %s", keyfile);
103
104 if (convert_flag) {
105 if (ret)
106 krb5_err(context, 1, ret, "reading master key from %s", keyfile);
107 } else {
108 krb5_keyblock key;
109 krb5_salt salt;
110 salt.salttype = KRB5_PW_SALT;
111 /* XXX better value? */
112 salt.saltvalue.data = NULL;
113 salt.saltvalue.length = 0;
114 if (random_key_flag) {
115 ret = krb5_generate_random_keyblock(context, enctype, &key);
116 if (ret)
117 krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
118
119 } else {
120 if(master_key_fd != -1) {
121 ssize_t n;
122 n = read(master_key_fd, buf, sizeof(buf)-1);
123 if(n <= 0)
124 krb5_err(context, 1, errno, "failed to read passphrase");
125 buf[n] = '\0';
126 buf[strcspn(buf, "\r\n")] = '\0';
127
128 } else {
129 if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ",
130 UI_UTIL_FLAG_VERIFY))
131 exit(1);
132 }
133 krb5_string_to_key_salt(context, enctype, buf, salt, &key);
134 }
135 ret = hdb_add_master_key(context, &key, &mkey);
136 if (ret)
137 krb5_err(context, 1, ret, "hdb_add_master_key");
138
139 krb5_free_keyblock_contents(context, &key);
140
141 }
142
143 {
144 char *new = NULL, *old = NULL;
145
146 aret = asprintf(&old, "%s.old", keyfile);
147 if (aret == -1) {
148 old = NULL;
149 ret = ENOMEM;
150 goto out;
151 }
152 aret = asprintf(&new, "%s.new", keyfile);
153 if (aret == -1) {
154 new = NULL;
155 ret = ENOMEM;
156 goto out;
157 }
158 if(unlink(new) < 0 && errno != ENOENT) {
159 ret = errno;
160 goto out;
161 }
162 krb5_warnx(context, "writing key to `%s'", keyfile);
163 ret = hdb_write_master_key(context, new, mkey);
164 if(ret)
165 unlink(new);
166 else {
167 #ifndef NO_POSIX_LINKS
168 unlink(old);
169 if(link(keyfile, old) < 0 && errno != ENOENT) {
170 ret = errno;
171 unlink(new);
172 } else {
173 #endif
174 if(rename(new, keyfile) < 0) {
175 ret = errno;
176 }
177 #ifndef NO_POSIX_LINKS
178 }
179 #endif
180 }
181 out:
182 free(old);
183 free(new);
184 if(ret)
185 krb5_warn(context, errno, "writing master key file");
186 }
187
188 hdb_free_master_key(context, mkey);
189
190 exit(ret != 0);
191 }
192