/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/kdb/kdb_cpw.c */
/*
 * Copyright 1995, 2009, 2014 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */
/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  FundsXpress makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
#include "k5-int.h"
#include "kdb.h"
#include <stdio.h>
#include <errno.h>
/* What rekey() does with an entry's previous keys once the new ones are in
 * place: drop them all, keep only those at the highest old kvno, or keep
 * every one. */
enum save { DISCARD_ALL, KEEP_LAST_KVNO, KEEP_ALL };
/*
 * Return the largest key version number among the first count entries of
 * data, or 0 when count is not positive.  context is not used.
 */
int
krb5_db_get_key_data_kvno(context, count, data)
    krb5_context          context;
    int                   count;
    krb5_key_data       * data;
{
    int highest = 0;
    int idx = 0;

    /* Scan every entry, remembering the largest kvno seen so far. */
    while (idx < count) {
        if (data[idx].key_data_kvno > highest)
            highest = data[idx].key_data_kvno;
        idx++;
    }
    return highest;
}
/*
 * Release the contents of each of the count entries in data, then the array
 * itself.  A null data pointer is accepted and nothing is done for it.
 */
static void
cleanup_key_data(context, count, data)
    krb5_context          context;
    int                   count;
    krb5_key_data       * data;
{
    int idx = 0;

    /* Callers only pass a null array together with a count of 0. */
    if (data != NULL) {
        while (idx < count) {
            krb5_dbe_free_key_data_contents(context, &data[idx]);
            idx++;
        }
        free(data);
    }
}
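/*
 * Transfer key data from old_kd to new_kd, making sure that new_kd is
 * encrypted with mkey.  May steal from old_kd and zero it out.
 *
 * new_kd is cleared first.  If old_kd decrypts with mkey, its contents are
 * moved into new_kd unchanged and old_kd is zeroed, so the moved pointers
 * now belong to new_kd only.  Otherwise old_kd is decrypted with a null key
 * argument (presumably letting the KDB layer select the master key; confirm
 * against krb5_dbe_decrypt_key_data) and re-encrypted in mkey; old_kd is
 * then left intact for the caller to free.
 *
 * Returns 0 on success, or the error from the failing decrypt or encrypt
 * call.  dbent is not used here.
 */
static krb5_error_code
preserve_one_old_key(krb5_context context, krb5_keyblock *mkey,
                     krb5_db_entry *dbent, krb5_key_data *old_kd,
                     krb5_key_data *new_kd)
{
    krb5_error_code ret;
    krb5_keyblock kb;
    krb5_keysalt salt;

    memset(new_kd, 0, sizeof(*new_kd));

    ret = krb5_dbe_decrypt_key_data(context, mkey, old_kd, &kb, NULL);
    if (ret == 0) {
        /* old_kd is already encrypted in mkey, so just move it. */
        *new_kd = *old_kd;
        memset(old_kd, 0, sizeof(*old_kd));
        /* The decrypted copy served only as a probe; release it. */
        krb5_free_keyblock_contents(context, &kb);
        return 0;
    }

    /* Decrypt and re-encrypt old_kd using mkey. */
    ret = krb5_dbe_decrypt_key_data(context, NULL, old_kd, &kb, &salt);
    if (ret)
        return ret;
    ret = krb5_dbe_encrypt_key_data(context, mkey, &kb, &salt,
                                    old_kd->key_data_kvno, new_kd);
    /* Release the plaintext key and the salt whether or not the
     * re-encryption succeeded. */
    krb5_free_keyblock_contents(context, &kb);
    krb5_free_data_contents(context, &salt.data);
    return ret;
}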
/*
 * Append the entries of key_data to dbent, each one ending up encrypted in
 * mkey.  A non-zero kvno restricts the transfer to entries carrying exactly
 * that kvno; a kvno of 0 transfers all n_key_data entries.  Entries of
 * key_data may be stolen and zeroed out in the process.
 *
 * Stops at the first failure and returns its error code; slots appended to
 * dbent before the failure stay in place.  Returns 0 when every selected
 * entry was transferred.
 */
static krb5_error_code
preserve_old_keys(krb5_context context, krb5_keyblock *mkey,
                  krb5_db_entry *dbent, int kvno, int n_key_data,
                  krb5_key_data *key_data)
{
    krb5_error_code ret = 0;
    krb5_key_data *src, *dst;
    int idx;

    for (idx = 0; idx < n_key_data && ret == 0; idx++) {
        src = &key_data[idx];
        if (kvno == 0 || src->key_data_kvno == kvno) {
            /* Grow dbent by one slot, then fill that last slot. */
            ret = krb5_dbe_create_key_data(context, dbent);
            if (ret)
                break;
            dst = &dbent->key_data[dbent->n_key_data - 1];
            ret = preserve_one_old_key(context, mkey, dbent, src, dst);
        }
    }
    return ret;
}
/*
 * Append to db_entry one freshly generated random key for each tuple in
 * ks_tuple, encrypted in master_key and labelled with kvno.  A tuple whose
 * enctype krb5_c_enctype_compare() reports as similar to an earlier tuple's
 * enctype is skipped; salt types are not looked at, and no salt is stored
 * with the key.
 *
 * Returns 0 on success or the first error encountered.  On error, slots
 * already appended to db_entry are left in place for the caller to release.
 */
static krb5_error_code
add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
    krb5_context          context;
    krb5_keyblock       * master_key;
    krb5_key_salt_tuple * ks_tuple;
    int                   ks_tuple_count;
    krb5_db_entry       * db_entry;
    int                   kvno;
{
    krb5_error_code       retval;
    krb5_keyblock         key;
    krb5_key_data        *kd_slot;
    krb5_boolean          similar;
    int                   cur, prev;

    for (cur = 0; cur < ks_tuple_count; cur++) {
        /*
         * krb5_keysalt_iterate or krb5_keysalt_is_present could do this
         * duplicate search, but using them here would create a circular
         * library dependency.
         */
        similar = 0;
        for (prev = 0; prev < cur && !similar; prev++) {
            retval = krb5_c_enctype_compare(context,
                                            ks_tuple[cur].ks_enctype,
                                            ks_tuple[prev].ks_enctype,
                                            &similar);
            if (retval)
                return retval;
        }
        if (similar)
            continue;

        /* Grow the entry by one slot and fill the new last slot. */
        retval = krb5_dbe_create_key_data(context, db_entry);
        if (retval)
            return retval;
        kd_slot = &db_entry->key_data[db_entry->n_key_data - 1];

        /* The old key is no longer consulted when deriving the new one;
         * the unified PRNG made that unnecessary. */
        retval = krb5_c_make_random_key(context, ks_tuple[cur].ks_enctype,
                                        &key);
        if (retval)
            return retval;

        retval = krb5_dbe_encrypt_key_data(context, master_key, &key, NULL,
                                           kvno, kd_slot);

        /* Release the plaintext key before looking at the result. */
        krb5_free_keyblock_contents(context, &key);
        if (retval)
            return retval;
    }

    return 0;
}
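/*
 * Construct a random explicit salt.
 *
 * On success salt_out->type is KRB5_KDB_SALTTYPE_SPECIAL and salt_out->data
 * holds 16 newly allocated bytes, which the caller must free.  Returns 0,
 * or the error from the random generator or from the allocation.
 */
static krb5_error_code
make_random_salt(krb5_context context, krb5_keysalt *salt_out)
{
    krb5_error_code retval;
    unsigned char rndbuf[8];
    krb5_data salt, rnd = make_data(rndbuf, sizeof(rndbuf));
    unsigned int i;

    /*
     * Salts are limited by RFC 4120 to 7-bit ASCII.  For ease of examination
     * and to avoid certain folding issues for older enctypes, we use printable
     * characters with four fixed bits and four random bits, encoding 64
     * pseudo-random bits into 16 bytes.
     */
    retval = krb5_c_random_make_octets(context, &rnd);
    if (retval)
        return retval;
    retval = alloc_data(&salt, sizeof(rndbuf) * 2);
    if (retval)
        return retval;
    for (i = 0; i < sizeof(rndbuf); i++) {
        /* High nibble first, then low nibble; each lands in 0x40..0x4f. */
        salt.data[i * 2] = 0x40 | (rndbuf[i] >> 4);
        salt.data[i * 2 + 1] = 0x40 | (rndbuf[i] & 0xf);
    }

    salt_out->type = KRB5_KDB_SALTTYPE_SPECIAL;
    salt_out->data = salt;
    return 0;
}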
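/*
 * Add password-derived key_data to a krb5_db_entry.
 *
 * For each tuple in ks_tuple that does not repeat an earlier tuple (similar
 * enctype and equal salt type), append a slot to db_entry, build the salt
 * that the tuple's salt type calls for, derive a key from passwd with that
 * salt, and store the key encrypted in master_key under kvno.
 *
 * passwd must not be NULL: it is converted with string2data() and there is
 * no null check here.  rekey() sends the no-password case to add_key_rnd().
 *
 * Returns 0 on success, KRB5_KDB_BAD_SALTTYPE for a salt type not handled
 * below, or the first error from a called routine.  On error, slots already
 * appended to db_entry are left in place for the caller to release.
 */
static krb5_error_code
add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
            db_entry, kvno)
    krb5_context          context;
    krb5_keyblock       * master_key;
    krb5_key_salt_tuple * ks_tuple;
    int                   ks_tuple_count;
    const char          * passwd;
    krb5_db_entry       * db_entry;
    int                   kvno;
{
    krb5_error_code       retval;
    krb5_keysalt          key_salt;
    krb5_keyblock         key;
    krb5_data             pwd;
    int                   i, j;
    krb5_key_data        *kd_slot;

    for (i = 0; i < ks_tuple_count; i++) {
        krb5_boolean similar;

        similar = 0;

        /*
         * We could use krb5_keysalt_iterate to replace this loop, or use
         * krb5_keysalt_is_present for the loop below, but we want to avoid
         * circular library dependencies.
         */
        for (j = 0; j < i; j++) {
            if ((retval = krb5_c_enctype_compare(context,
                                                 ks_tuple[i].ks_enctype,
                                                 ks_tuple[j].ks_enctype,
                                                 &similar)))
                return(retval);

            if (similar &&
                (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
                break;
        }

        /* j stopped early only if an earlier tuple matched this one. */
        if (j < i)
            continue;

        if ((retval = krb5_dbe_create_key_data(context, db_entry)))
            return(retval);
        kd_slot = &db_entry->key_data[db_entry->n_key_data - 1];

        /* Convert password string to key using appropriate salt */
        switch (key_salt.type = ks_tuple[i].ks_salttype) {
        case KRB5_KDB_SALTTYPE_ONLYREALM: {
            krb5_data * saltdata;

            if ((retval = krb5_copy_data(context,
                                         krb5_princ_realm(context,
                                                          db_entry->princ),
                                         &saltdata)))
                return(retval);

            /* Keep the copied bytes; free only the krb5_data wrapper. */
            key_salt.data = *saltdata;
            free(saltdata);
            break;
        }
        case KRB5_KDB_SALTTYPE_NOREALM:
            if ((retval = krb5_principal2salt_norealm(context,
                                                      db_entry->princ,
                                                      &key_salt.data)))
                return(retval);
            break;
        case KRB5_KDB_SALTTYPE_NORMAL:
            if ((retval = krb5_principal2salt(context, db_entry->princ,
                                              &key_salt.data)))
                return(retval);
            break;
        case KRB5_KDB_SALTTYPE_SPECIAL:
            retval = make_random_salt(context, &key_salt);
            if (retval)
                return retval;
            break;
        default:
            return(KRB5_KDB_BAD_SALTTYPE);
        }

        pwd = string2data((char *)passwd);

        retval = krb5_c_string_to_key_with_params(context,
                                                  ks_tuple[i].ks_enctype,
                                                  &pwd, &key_salt.data,
                                                  NULL, &key);
        if (retval) {
            free(key_salt.data.data);
            return retval;
        }

        retval = krb5_dbe_encrypt_key_data(context, master_key, &key,
                                           &key_salt, kvno, kd_slot);
        free(key_salt.data.data);
        /*
         * Release the password-derived key through the keyblock helper, as
         * add_key_rnd() does, so the key bytes are wiped before the memory
         * is returned; a bare free() would leave them in the heap.
         */
        krb5_free_keyblock_contents(context, &key);

        if (retval)
            return retval;
    }

    return 0;
}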
/*
 * Give db_entry a new set of keys and decide what happens to the old ones.
 *
 * The new keys are derived from password when it is non-null and generated
 * randomly otherwise.  They are stored under new_kvno, raised if necessary
 * to one more than the highest kvno already present (65536 wraps to 1).
 * savekeys selects which old keys are appended after the new ones.
 *
 * If creating the new keys fails, db_entry gets its original key list back
 * and the error is returned.  If preserving old keys fails afterwards, the
 * error is returned but db_entry keeps the new keys plus whichever old keys
 * were already transferred; the remaining old key data is freed either way.
 */
static krb5_error_code
rekey(krb5_context context, krb5_keyblock *mkey, krb5_key_salt_tuple *ks_tuple,
      int ks_tuple_count, const char *password, int new_kvno,
      enum save savekeys, krb5_db_entry *db_entry)
{
    krb5_error_code ret;
    krb5_key_data *old_keys = db_entry->key_data;
    int n_old = db_entry->n_key_data;
    int highest_old, keep_kvno;

    /* Detach the existing keys so the new ones start an empty list. */
    db_entry->key_data = NULL;
    db_entry->n_key_data = 0;

    /* The new kvno has to exceed every kvno already in use. */
    highest_old = krb5_db_get_key_data_kvno(context, n_old, old_keys);
    if (new_kvno <= highest_old)
        new_kvno = highest_old + 1;

    /* key_data stores only 16-bit kvnos and kvno 0 has a special meaning,
     * so the value after 65535 is 1. */
    if (new_kvno == 0x10000)
        new_kvno = 1;

    /* The new keys go at the front of the list. */
    ret = (password == NULL) ?
        add_key_rnd(context, mkey, ks_tuple, ks_tuple_count, db_entry,
                    new_kvno) :
        add_key_pwd(context, mkey, ks_tuple, ks_tuple_count, password,
                    db_entry, new_kvno);
    if (ret != 0) {
        /* Roll back: discard the partly built list, reattach the old one. */
        cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
        db_entry->key_data = old_keys;
        db_entry->n_key_data = n_old;
        return ret;
    }

    /* Old keys, if wanted, go at the back.  Transferred entries may be
     * stolen from old_keys and zeroed there. */
    if (savekeys != DISCARD_ALL) {
        keep_kvno = 0;
        if (savekeys == KEEP_LAST_KVNO)
            keep_kvno = highest_old;
        ret = preserve_old_keys(context, mkey, db_entry, keep_kvno, n_old,
                                old_keys);
    }

    /* Whatever was not stolen and zeroed above is freed here. */
    cleanup_key_data(context, n_old, old_keys);
    return ret;
}
/*
 * Change the keys of a krb5_db_entry to new random keys.
 *
 * The new keys get the next kvno after the highest one already present.
 * With keepold true every old key is kept after the new ones; with keepold
 * false all old keys are removed.
 */
krb5_error_code
krb5_dbe_crk(krb5_context context, krb5_keyblock *mkey,
             krb5_key_salt_tuple *ks_tuple, int ks_tuple_count,
             krb5_boolean keepold, krb5_db_entry *dbent)
{
    enum save policy = keepold ? KEEP_ALL : DISCARD_ALL;

    /* A null password selects random keys; kvno 0 lets rekey() pick. */
    return rekey(context, mkey, ks_tuple, ks_tuple_count, NULL, 0, policy,
                 dbent);
}
/*
 * Add new random keys to a krb5_db_entry.
 *
 * The new keys get the next kvno after the highest one already present.
 * Old keys at that highest kvno are kept after the new ones; all older
 * keys are removed.
 */
krb5_error_code
krb5_dbe_ark(krb5_context context, krb5_keyblock *mkey,
             krb5_key_salt_tuple *ks_tuple, int ks_tuple_count,
             krb5_db_entry *dbent)
{
    enum save policy = KEEP_LAST_KVNO;

    /* A null password selects random keys; kvno 0 lets rekey() pick. */
    return rekey(context, mkey, ks_tuple, ks_tuple_count, NULL, 0, policy,
                 dbent);
}
/*
 * Change the password of a krb5_db_entry.
 *
 * New keys are derived from password and stored under new_kvno, which
 * rekey() raises to one past the highest existing kvno when it is not
 * already larger.  A null password makes rekey() generate random keys
 * instead.  With keepold true every old key is kept after the new ones;
 * with keepold false all old keys are removed.
 */
krb5_error_code
krb5_dbe_def_cpw(krb5_context context, krb5_keyblock *mkey,
                 krb5_key_salt_tuple *ks_tuple, int ks_tuple_count,
                 char *password, int new_kvno, krb5_boolean keepold,
                 krb5_db_entry *dbent)
{
    enum save policy = keepold ? KEEP_ALL : DISCARD_ALL;

    return rekey(context, mkey, ks_tuple, ks_tuple_count, password, new_kvno,
                 policy, dbent);
}
/*
 * Add password-derived keys to a krb5_db_entry.
 *
 * The new keys get the next kvno after the highest one already present.
 * Old keys at that highest kvno are kept after the new ones; all older
 * keys are removed.  A null password makes rekey() generate random keys
 * instead.
 */
krb5_error_code
krb5_dbe_apw(krb5_context context, krb5_keyblock *mkey,
             krb5_key_salt_tuple *ks_tuple, int ks_tuple_count, char *password,
             krb5_db_entry *dbent)
{
    enum save policy = KEEP_LAST_KVNO;

    /* kvno 0 lets rekey() pick the next free kvno. */
    return rekey(context, mkey, ks_tuple, ks_tuple_count, password, 0, policy,
                 dbent);
}