From 9779dd29e7bd76a2b3b759587d6eb919682dfba0 Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Thu, 9 Nov 2017 12:50:53 -0600
Subject: [PATCH] asetkey: add 'add-random' command

Add a new command, 'add-random', to allow the creation of a new key with random data. This is helpful for certain rxgk keys, which only need to exist in KeyFileExt and not in any other database (like a krb5 KDC), and so aren't derived from a krb5 keytab.

Change-Id: I1f3b27e074b0931deb8645f7550e0b315d82e249
Reviewed-on: https://gerrit.openafs.org/12768
Tested-by: BuildBot
Reviewed-by: Benjamin Kaduk
---
 doc/man-pages/pod8/asetkey.pod | 8 +++++
 src/aklog/asetkey.c | 82 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
diff --git a/doc/man-pages/pod8/asetkey.pod b/doc/man-pages/pod8/asetkey.pod
index 237cef9..94fb522 100644
--- a/doc/man-pages/pod8/asetkey.pod
+++ b/doc/man-pages/pod8/asetkey.pod
@@ -15,6 +15,10 @@ B add > > > > B add > > > > > +B add-random > > + +B add-random > > > + B delete > B delete > >
@@ -54,6 +58,10 @@ C function of B). I should be the name of the AFS principal in the keytab, which must be either C or C>.
+The B command can be used to create randomized keys, instead of using keys derived from an existing krb5 principal. This is useful primarily for some rxgk keys.
+
 =head1 CAUTIONS
 Historically, AFS only supported des-cbc-crc:v4 Kerberos keys. In environments
diff --git a/src/aklog/asetkey.c b/src/aklog/asetkey.c
index 84c86e4..134b5fe 100644
--- a/src/aklog/asetkey.c
+++ b/src/aklog/asetkey.c
@@ -237,6 +237,83 @@ addKey(struct afsconf_dir *dir, int argc, char **argv) { } }
+static struct afsconf_typedKey *
+random_key(char **argv, int type, int kvno, int subtype)
+{
+ struct afsconf_typedKey *typedKey;
+ krb5_context ctx;
+ krb5_keyblock keyblock;
+ struct rx_opaque key;
+ int code;
+
+ code = krb5_init_context(&ctx);
+ if (code) {
+ afs_com_err(argv[0], code, "while initializing krb5 ctx");
+ exit(1);
+ }
+
+ memset(&keyblock, 0, sizeof(keyblock));
+ code = krb5_c_make_random_key(ctx, subtype, &keyblock);
+ if (code) {
+ afs_com_err(argv[0], code, "while generating random key");
+ exit(1);
+ }
+
+ memset(&key, 0, sizeof(key));
+ key.len = keyblock.length;
+ key.val = keyblock.contents;
+
+ typedKey = afsconf_typedKey_new(type, kvno, subtype, &key);
+
+ krb5_free_keyblock_contents(ctx, &keyblock);
+ krb5_free_context(ctx);
+
+ return typedKey;
+}
+
+static void
+addRandomKey(struct afsconf_dir *dir, int argc, char **argv)
+{
+ struct afsconf_typedKey *typedKey;
+ int type;
+ int kvno;
+ int code;
+ int subtype;
+
+ /* Just pick a reasonable enctype */
+ const int RAND_ENCTYPE = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+
+ subtype = RAND_ENCTYPE;
+
+ switch (argc) {
+ case 5:
+ subtype = atoi(argv[4]);
+ /* fall through */
+ case 4:
+ type = stringToType(argv[2]);
+ kvno = atoi(argv[3]);
+
+ typedKey = random_key(argv, type, kvno, subtype);
+
+ code = afsconf_AddTypedKey(dir, typedKey, 1);
+ afsconf_typedKey_put(&typedKey);
+ if (code) {
+ afs_com_err(argv[0], code, "while adding random key");
+ exit(1);
+ }
+
+ printf("Added random key with type %d kvno %d subtype %d\n",
+ type, kvno, subtype);
+ break;
+
+ default:
+ fprintf(stderr, "%s add-random: usage is '%s add-random \n",
+ argv[0], argv[0]);
+ fprintf(stderr, "\tOR\n\t%s add-random \n", argv[0]);
+ exit(1);
+ }
+}
+
 static void
 deleteKey(struct afsconf_dir *dir, int argc, char **argv)
 {
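Review bot: random_key() returns whatever afsconf_typedKey_new() hands back without checking it, so if that constructor can fail (allocation failure, which I believe it reports as NULL — its body is not visible here), addRandomKey() goes on to pass a NULL typedKey to afsconf_AddTypedKey() and afsconf_typedKey_put(). A check before the cleanup calls in random_key would close that: `if (typedKey == NULL) { fprintf(stderr, "%s: out of memory creating random key\n", argv[0]); exit(1); }`. The kvno and the optional subtype are parsed with atoi(), so non-numeric or negative input is silently accepted as kvno 0 or a negative kvno instead of being rejected; a strtol() call with an endptr and range check would reject it, though this may deliberately mirror addKey, whose body starts outside the hunk. Also, key.val aliases keyblock.contents and is only valid until krb5_free_keyblock_contents() runs, so the code relies on afsconf_typedKey_new() copying the key bytes — that assumption deserves a one-line comment next to the call, e.g. `/* afsconf_typedKey_new copies the key bytes; keyblock is released below */`.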
@@ -357,6 +434,8 @@ main(int argc, char *argv[])
 fprintf(stderr, "\tOR\n\t%s add \n", argv[0]);
 fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
+ fprintf(stderr, "\t%s add-random \n", argv[0]);
+ fprintf(stderr, "\t%s add-random \n", argv[0]);
 fprintf(stderr, "\t%s delete \n", argv[0]);
 fprintf(stderr, "\t%s delete \n", argv[0]);
 fprintf(stderr, "\t%s delete \n", argv[0]);
@@ -382,6 +461,9 @@ main(int argc, char *argv[])
 listKey(tdir, argc, argv);
 }
+ else if (strcmp(argv[1], "add-random") == 0) {
+ addRandomKey(tdir, argc, argv);
+ }
 else {
 fprintf(stderr, "%s: unknown operation '%s', type '%s' for " "assistance\n", argv[0], argv[1], argv[0]);
-- 
1.9.4