105186eeee
(Including all changes for FreeBSD - importing the original eBones distribution would be too complex at this stage, since I don't have access to Piero's CVS.) (If you want to include eBones in your system, don't forget to include MAKE_EBONES in /etc/make.conf.) (This stuff is now also suppable from braae.ru.ac.za.) Bones originally from MIT SIPB. Original port to FreeBSD 1.x by Piero Serini. Moved to FreeBSD 2.0 by Doug Rabson and Geoff Rehmet. Nice bug fixes from Doug Rabson.
142 lines
3.7 KiB
C
142 lines
3.7 KiB
C
/*
|
|
* Copyright 1988 by the Massachusetts Institute of Technology.
|
|
* For copying and distribution information, please see the file
|
|
* <Copyright.MIT>.
|
|
*
|
|
* Utility routines for Kerberos programs which directly access
|
|
* the database. This code was duplicated in too many places
|
|
* before I gathered it here.
|
|
*
|
|
* Jon Rochlis, MIT Telecom, March 1988
|
|
*
|
|
* from: krb_kdb_utils.c,v 4.1 89/07/26 11:01:12 jtkohl Exp $
|
|
* $Id: krb_kdb_utils.c,v 1.2 1994/07/19 19:23:38 g89r4222 Exp $
|
|
*/
|
|
|
|
#ifndef lint
|
|
static char rcsid[] =
|
|
"$Id: krb_kdb_utils.c,v 1.2 1994/07/19 19:23:38 g89r4222 Exp $";
|
|
#endif lint
|
|
|
|
#include <des.h>
|
|
#include <krb.h>
|
|
#include <krb_db.h>
|
|
#include <kdc.h>
|
|
#include <stdio.h>
|
|
#include <sys/file.h>
|
|
|
|
long kdb_get_master_key(prompt, master_key, master_key_sched)
|
|
int prompt;
|
|
C_Block master_key;
|
|
Key_schedule master_key_sched;
|
|
{
|
|
int kfile;
|
|
|
|
if (prompt) {
|
|
#ifdef NOENCRYPTION
|
|
placebo_read_password(master_key,
|
|
"\nEnter Kerberos master key: ", 0);
|
|
#else
|
|
des_read_password(master_key,
|
|
"\nEnter Kerberos master key: ", 0);
|
|
#endif
|
|
printf ("\n");
|
|
}
|
|
else {
|
|
kfile = open(MKEYFILE, O_RDONLY, 0600);
|
|
if (kfile < 0) {
|
|
/* oh, for com_err_ */
|
|
return (-1);
|
|
}
|
|
if (read(kfile, (char *) master_key, 8) != 8) {
|
|
return (-1);
|
|
}
|
|
close(kfile);
|
|
}
|
|
|
|
#ifndef NOENCRYPTION
|
|
key_sched(master_key,master_key_sched);
|
|
#endif
|
|
return (0);
|
|
}
|
|
|
|
/* The caller is reasponsible for cleaning up the master key and sched,
|
|
even if we can't verify the master key */
|
|
|
|
/* Returns master key version if successful, otherwise -1 */
|
|
|
|
long kdb_verify_master_key (master_key, master_key_sched, out)
|
|
C_Block master_key;
|
|
Key_schedule master_key_sched;
|
|
FILE *out; /* setting this to non-null be do output */
|
|
{
|
|
C_Block key_from_db;
|
|
Principal principal_data[1];
|
|
int n, more = 0;
|
|
long master_key_version;
|
|
|
|
/* lookup the master key version */
|
|
n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data,
|
|
1 /* only one please */, &more);
|
|
if ((n != 1) || more) {
|
|
if (out != (FILE *) NULL)
|
|
fprintf(out,
|
|
"verify_master_key: %s, %d found.\n",
|
|
"Kerberos error on master key version lookup",
|
|
n);
|
|
return (-1);
|
|
}
|
|
|
|
master_key_version = (long) principal_data[0].key_version;
|
|
|
|
/* set up the master key */
|
|
if (out != (FILE *) NULL) /* should we punt this? */
|
|
fprintf(out, "Current Kerberos master key version is %d.\n",
|
|
principal_data[0].kdc_key_ver);
|
|
|
|
/*
|
|
* now use the master key to decrypt the key in the db, had better
|
|
* be the same!
|
|
*/
|
|
bcopy(&principal_data[0].key_low, key_from_db, 4);
|
|
bcopy(&principal_data[0].key_high, ((long *) key_from_db) + 1, 4);
|
|
kdb_encrypt_key (key_from_db, key_from_db,
|
|
master_key, master_key_sched, DECRYPT);
|
|
|
|
/* the decrypted database key had better equal the master key */
|
|
n = bcmp((char *) master_key, (char *) key_from_db,
|
|
sizeof(master_key));
|
|
/* this used to zero the master key here! */
|
|
bzero(key_from_db, sizeof(key_from_db));
|
|
bzero(principal_data, sizeof (principal_data));
|
|
|
|
if (n && (out != (FILE *) NULL)) {
|
|
fprintf(out, "\n\07\07verify_master_key: Invalid master key; ");
|
|
fprintf(out, "does not match database.\n");
|
|
return (-1);
|
|
}
|
|
if (out != (FILE *) NULL) {
|
|
fprintf(out, "\nMaster key entered. BEWARE!\07\07\n");
|
|
fflush(out);
|
|
}
|
|
|
|
return (master_key_version);
|
|
}
|
|
|
|
/* The old algorithm used the key schedule as the initial vector which
|
|
was byte order depedent ... */
|
|
|
|
kdb_encrypt_key (in, out, master_key, master_key_sched, e_d_flag)
|
|
C_Block in, out, master_key;
|
|
Key_schedule master_key_sched;
|
|
int e_d_flag;
|
|
{
|
|
|
|
#ifdef NOENCRYPTION
|
|
bcopy(in, out, sizeof(C_Block));
|
|
#else
|
|
pcbc_encrypt(in,out,(long)sizeof(C_Block),master_key_sched,master_key,
|
|
e_d_flag);
|
|
#endif
|
|
}
|