#include "hdb_locl.h"
#include <assert.h>
#ifndef O_BINARY
#define O_BINARY 0
#endif
struct hdb_master_key_data {
krb5_keytab_entry keytab;
krb5_crypto crypto;
struct hdb_master_key_data *next;
unsigned int key_usage;
};
void
hdb_free_master_key(krb5_context context, hdb_master_key mkey)
{
struct hdb_master_key_data *ptr;
while(mkey) {
krb5_kt_free_entry(context, &mkey->keytab);
if (mkey->crypto)
krb5_crypto_destroy(context, mkey->crypto);
ptr = mkey;
mkey = mkey->next;
free(ptr);
}
}
krb5_error_code
hdb_process_master_key(krb5_context context,
int kvno, krb5_keyblock *key, krb5_enctype etype,
hdb_master_key *mkey)
{
krb5_error_code ret;
*mkey = calloc(1, sizeof(**mkey));
if(*mkey == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
(*mkey)->key_usage = HDB_KU_MKEY;
(*mkey)->keytab.vno = kvno;
ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal);
if(ret)
goto fail;
ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock);
if(ret)
goto fail;
if(etype != 0)
(*mkey)->keytab.keyblock.keytype = etype;
(*mkey)->keytab.timestamp = time(NULL);
ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto);
if(ret)
goto fail;
return 0;
fail:
hdb_free_master_key(context, *mkey);
*mkey = NULL;
return ret;
}
krb5_error_code
hdb_add_master_key(krb5_context context, krb5_keyblock *key,
hdb_master_key *inout)
{
int vno = 0;
hdb_master_key p;
krb5_error_code ret;
for(p = *inout; p; p = p->next)
vno = max(vno, p->keytab.vno);
vno++;
ret = hdb_process_master_key(context, vno, key, 0, &p);
if(ret)
return ret;
p->next = *inout;
*inout = p;
return 0;
}
static krb5_error_code
read_master_keytab(krb5_context context, const char *filename,
hdb_master_key *mkey)
{
krb5_error_code ret;
krb5_keytab id;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
hdb_master_key p;
ret = krb5_kt_resolve(context, filename, &id);
if(ret)
return ret;
ret = krb5_kt_start_seq_get(context, id, &cursor);
if(ret)
goto out;
*mkey = NULL;
while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
p = calloc(1, sizeof(*p));
if(p == NULL) {
krb5_kt_end_seq_get(context, id, &cursor);
ret = ENOMEM;
goto out;
}
p->keytab = entry;
ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
p->next = *mkey;
*mkey = p;
}
krb5_kt_end_seq_get(context, id, &cursor);
out:
krb5_kt_close(context, id);
return ret;
}
static krb5_error_code
read_master_mit(krb5_context context, const char *filename,
int byteorder, hdb_master_key *mkey)
{
int fd;
krb5_error_code ret;
krb5_storage *sp;
int16_t enctype;
krb5_keyblock key;
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "failed to open %s: %s",
filename, strerror(save_errno));
return save_errno;
}
sp = krb5_storage_from_fd(fd);
if(sp == NULL) {
close(fd);
return errno;
}
krb5_storage_set_flags(sp, byteorder);
{
ret = krb5_ret_int16(sp, &enctype);
if (ret)
goto out;
ret = krb5_enctype_valid(context, enctype);
if (ret)
goto out;
key.keytype = enctype;
ret = krb5_ret_data(sp, &key.keyvalue);
if(ret)
goto out;
}
ret = hdb_process_master_key(context, 1, &key, 0, mkey);
krb5_free_keyblock_contents(context, &key);
out:
krb5_storage_free(sp);
close(fd);
return ret;
}
static krb5_error_code
read_master_encryptionkey(krb5_context context, const char *filename,
hdb_master_key *mkey)
{
int fd;
krb5_keyblock key;
krb5_error_code ret;
unsigned char buf[256];
ssize_t len;
size_t ret_len;
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "failed to open %s: %s",
filename, strerror(save_errno));
return save_errno;
}
len = read(fd, buf, sizeof(buf));
close(fd);
if(len < 0) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "error reading %s: %s",
filename, strerror(save_errno));
return save_errno;
}
ret = decode_EncryptionKey(buf, len, &key, &ret_len);
memset(buf, 0, sizeof(buf));
if(ret)
return ret;
if(key.keytype == ETYPE_DES_CBC_CRC || key.keytype == ETYPE_DES_CBC_MD5)
key.keytype = ETYPE_DES_CFB64_NONE;
ret = hdb_process_master_key(context, 0, &key, 0, mkey);
krb5_free_keyblock_contents(context, &key);
return ret;
}
static krb5_error_code
read_master_krb4(krb5_context context, const char *filename,
hdb_master_key *mkey)
{
int fd;
krb5_keyblock key;
krb5_error_code ret;
unsigned char buf[256];
ssize_t len;
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "failed to open %s: %s",
filename, strerror(save_errno));
return save_errno;
}
len = read(fd, buf, sizeof(buf));
close(fd);
if(len < 0) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "error reading %s: %s",
filename, strerror(save_errno));
return save_errno;
}
if(len != 8) {
krb5_set_error_message(context, HEIM_ERR_EOF,
"bad contents of %s", filename);
return HEIM_ERR_EOF;
}
memset(&key, 0, sizeof(key));
key.keytype = ETYPE_DES_PCBC_NONE;
ret = krb5_data_copy(&key.keyvalue, buf, len);
memset(buf, 0, sizeof(buf));
if(ret)
return ret;
ret = hdb_process_master_key(context, 0, &key, 0, mkey);
krb5_free_keyblock_contents(context, &key);
return ret;
}
krb5_error_code
hdb_read_master_key(krb5_context context, const char *filename,
hdb_master_key *mkey)
{
FILE *f;
unsigned char buf[16];
krb5_error_code ret;
off_t len;
*mkey = NULL;
if(filename == NULL)
filename = HDB_DB_DIR "/m-key";
f = fopen(filename, "r");
if(f == NULL) {
int save_errno = errno;
krb5_set_error_message(context, save_errno, "failed to open %s: %s",
filename, strerror(save_errno));
return save_errno;
}
if(fread(buf, 1, 2, f) != 2) {
fclose(f);
krb5_set_error_message(context, HEIM_ERR_EOF, "end of file reading %s", filename);
return HEIM_ERR_EOF;
}
fseek(f, 0, SEEK_END);
len = ftell(f);
if(fclose(f) != 0)
return errno;
if(len < 0)
return errno;
if(len == 8) {
ret = read_master_krb4(context, filename, mkey);
} else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) {
ret = read_master_encryptionkey(context, filename, mkey);
} else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
ret = read_master_keytab(context, filename, mkey);
} else {
ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_LE, mkey);
if (ret)
ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_BE, mkey);
}
return ret;
}
krb5_error_code
hdb_write_master_key(krb5_context context, const char *filename,
hdb_master_key mkey)
{
krb5_error_code ret;
hdb_master_key p;
krb5_keytab kt;
if(filename == NULL)
filename = HDB_DB_DIR "/m-key";
ret = krb5_kt_resolve(context, filename, &kt);
if(ret)
return ret;
for(p = mkey; p; p = p->next) {
ret = krb5_kt_add_entry(context, kt, &p->keytab);
}
krb5_kt_close(context, kt);
return ret;
}
krb5_error_code
_hdb_set_master_key_usage(krb5_context context, HDB *db, unsigned int key_usage)
{
if (db->hdb_master_key_set == 0)
return HDB_ERR_NO_MKEY;
db->hdb_master_key->key_usage = key_usage;
return 0;
}
hdb_master_key
_hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
{
hdb_master_key ret = NULL;
while(mkey) {
if(ret == NULL && mkey->keytab.vno == 0)
ret = mkey;
if(mkvno == NULL) {
if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
ret = mkey;
} else if((uint32_t)mkey->keytab.vno == *mkvno)
return mkey;
mkey = mkey->next;
}
return ret;
}
int
_hdb_mkey_version(hdb_master_key mkey)
{
return mkey->keytab.vno;
}
int
_hdb_mkey_decrypt(krb5_context context, hdb_master_key key,
krb5_key_usage usage,
void *ptr, size_t size, krb5_data *res)
{
return krb5_decrypt(context, key->crypto, usage,
ptr, size, res);
}
int
_hdb_mkey_encrypt(krb5_context context, hdb_master_key key,
krb5_key_usage usage,
const void *ptr, size_t size, krb5_data *res)
{
return krb5_encrypt(context, key->crypto, usage,
ptr, size, res);
}
static krb5_error_code
_hdb_reseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey,
hdb_master_key mit_key)
{
krb5_error_code ret;
krb5_data mitres, res;
size_t keysize;
hdb_master_key key, mitkey;
if(k->mkvno == NULL)
return 0;
key = _hdb_find_master_key(k->mkvno, mkey);
if (key == NULL)
return HDB_ERR_NO_MKEY;
ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
k->key.keyvalue.data,
k->key.keyvalue.length,
&res);
if(ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
ret = _hdb_mkey_decrypt(context, key, 0,
k->key.keyvalue.data,
k->key.keyvalue.length,
&res);
}
if (ret)
return ret;
ret = krb5_enctype_keysize(context, k->key.keytype, &keysize);
if (ret) {
krb5_data_free(&res);
return ret;
}
if (keysize > res.length) {
krb5_data_free(&res);
return KRB5_BAD_KEYSIZE;
}
if (mit_key != NULL) {
mitkey = _hdb_find_master_key(NULL, mit_key);
if (mitkey == NULL) {
krb5_data_free(&res);
return HDB_ERR_NO_MKEY;
}
ret = _hdb_mkey_encrypt(context, mitkey, 0,
res.data,
keysize,
&mitres);
krb5_data_free(&res);
if (ret)
return ret;
}
krb5_data_free(&k->key.keyvalue);
if (mit_key == NULL) {
k->key.keyvalue = res;
k->key.keyvalue.length = keysize;
free(k->mkvno);
k->mkvno = NULL;
} else {
k->key.keyvalue = mitres;
*k->mkvno = mitkey->keytab.vno;
}
return 0;
}
krb5_error_code
hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
{
krb5_error_code ret;
ret = _hdb_reseal_key_mkey(context, k, mkey, NULL);
return ret;
}
static krb5_error_code
_hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey,
hdb_master_key mitkey)
{
krb5_error_code ret;
size_t i;
int got_one = 0;
for(i = 0; i < ent->keys.len; i++){
if (mitkey == NULL || mit_strong_etype(ent->keys.val[i].key.keytype)) {
ret = _hdb_reseal_key_mkey(context, &ent->keys.val[i], mkey,
mitkey);
if (ret)
return ret;
got_one = 1;
}
}
if (got_one == 0 && mitkey != NULL && ent->keys.len > 0) {
krb5_keyblock key;
krb5_salt salt;
krb5_free_keyblock_contents(context, &ent->keys.val[0].key);
salt.salttype = KRB5_PW_SALT;
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
ret = krb5_string_to_key_salt(context, ETYPE_AES256_CTS_HMAC_SHA1_96,
"XXXX", salt, &ent->keys.val[0].key);
if (ret)
return ret;
}
return 0;
}
krb5_error_code
hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
{
krb5_error_code ret;
ret = _hdb_unseal_keys_mkey(context, ent, mkey, NULL);
return ret;
}
krb5_error_code
hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
{
if (db->hdb_master_key_set == 0)
return 0;
if (db->hdb_mit_key_set != 0)
return _hdb_unseal_keys_mkey(context, ent, db->hdb_master_key,
db->hdb_mit_key);
else
return _hdb_unseal_keys_mkey(context, ent, db->hdb_master_key,
NULL);
}
#ifdef notnow
krb5_error_code
hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
hdb_entry *ent)
{
krb5_error_code ret = KRB5KRB_AP_ERR_NOKEY;
HDB_extension *tmp;
HDB_Ext_KeySet *hist_keys;
hdb_keyset *tmp_keys;
Key *tmp_val;
unsigned int tmp_len;
krb5_kvno tmp_kvno;
int i, k;
assert(kvno == 0 || kvno < ent->kvno);
tmp = hdb_find_extension(ent, choice_HDB_extension_data_hist_keys);
if (tmp == NULL)
return ret;
tmp_len = ent->keys.len;
tmp_val = ent->keys.val;
tmp_kvno = ent->kvno;
hist_keys = &tmp->data.u.hist_keys;
for (i = hist_keys->len - 1; i >= 0; i++) {
if (kvno != 0 && hist_keys->val[i].kvno != kvno)
continue;
for (k = 0; k < hist_keys->val[i].keys.len; k++) {
ret = _hdb_reseal_key_mkey(context,
&hist_keys->val[i].keys.val[k],
db->hdb_master_key, NULL);
if (ret)
return (ret);
}
if (kvno == 0)
continue;
tmp_keys = realloc(hist_keys->val,
sizeof (*hist_keys->val) * (hist_keys->len + 1));
if (tmp_keys == NULL)
return ENOMEM;
memmove(&tmp_keys[1], tmp_keys,
sizeof (*hist_keys->val) * hist_keys->len++);
tmp_keys[0].keys.len = ent->keys.len;
tmp_keys[0].keys.val = ent->keys.val;
tmp_keys[0].kvno = ent->kvno;
tmp_keys[0].replace_time = time(NULL);
i++;
ent->keys.len = hist_keys->val[i].keys.len;
ent->keys.val = hist_keys->val[i].keys.val;
ent->kvno = kvno;
}
return (ret);
}
#endif
krb5_error_code
hdb_unseal_key(krb5_context context, HDB *db, Key *k)
{
if (db->hdb_master_key_set == 0)
return 0;
return _hdb_reseal_key_mkey(context, k, db->hdb_master_key, NULL);
}
krb5_error_code
hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
{
krb5_error_code ret;
krb5_data res;
hdb_master_key key;
if(k->mkvno != NULL)
return 0;
key = _hdb_find_master_key(k->mkvno, mkey);
if (key == NULL)
return HDB_ERR_NO_MKEY;
ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
k->key.keyvalue.data,
k->key.keyvalue.length,
&res);
if (ret)
return ret;
memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
free(k->key.keyvalue.data);
k->key.keyvalue = res;
if (k->mkvno == NULL) {
k->mkvno = malloc(sizeof(*k->mkvno));
if (k->mkvno == NULL)
return ENOMEM;
}
*k->mkvno = key->keytab.vno;
return 0;
}
krb5_error_code
hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
{
size_t i;
for(i = 0; i < ent->keys.len; i++){
krb5_error_code ret;
ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey);
if (ret)
return ret;
}
return 0;
}
krb5_error_code
hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
{
if (db->hdb_master_key_set == 0)
return 0;
return hdb_seal_keys_mkey(context, ent, db->hdb_master_key);
}
krb5_error_code
hdb_seal_key(krb5_context context, HDB *db, Key *k)
{
if (db->hdb_master_key_set == 0)
return 0;
return hdb_seal_key_mkey(context, k, db->hdb_master_key);
}
krb5_error_code
hdb_set_master_key(krb5_context context,
HDB *db,
krb5_keyblock *key)
{
krb5_error_code ret;
hdb_master_key mkey;
ret = hdb_process_master_key(context, 0, key, 0, &mkey);
if (ret)
return ret;
db->hdb_master_key = mkey;
#if 0
des_set_random_generator_seed(key.keyvalue.data);
#endif
db->hdb_master_key_set = 1;
db->hdb_master_key->key_usage = HDB_KU_MKEY;
return 0;
}
krb5_error_code
hdb_set_master_keyfile (krb5_context context,
HDB *db,
const char *keyfile)
{
hdb_master_key key;
krb5_error_code ret;
ret = hdb_read_master_key(context, keyfile, &key);
if (ret) {
if (ret != ENOENT)
return ret;
krb5_clear_error_message(context);
return 0;
}
db->hdb_master_key = key;
db->hdb_master_key_set = 1;
return ret;
}
krb5_error_code
hdb_clear_master_key (krb5_context context,
HDB *db)
{
if (db->hdb_master_key_set) {
hdb_free_master_key(context, db->hdb_master_key);
db->hdb_master_key_set = 0;
}
return 0;
}
