1 /* $NetBSD: get.c,v 1.1.1.2 2014/04/24 12:45:26 pettai Exp $ */
2
3 /*
4 * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "ktutil_locl.h"
37
38 __RCSID("NetBSD");
39
40 static void*
open_kadmin_connection(char * principal,const char * realm,char * admin_server,int server_port)41 open_kadmin_connection(char *principal,
42 const char *realm,
43 char *admin_server,
44 int server_port)
45 {
46 static kadm5_config_params conf;
47 krb5_error_code ret;
48 void *kadm_handle;
49 memset(&conf, 0, sizeof(conf));
50
51 if(realm) {
52 conf.realm = strdup(realm);
53 if (conf.realm == NULL) {
54 krb5_set_error_message(context, 0, "malloc: out of memory");
55 return NULL;
56 }
57 conf.mask |= KADM5_CONFIG_REALM;
58 }
59
60 if (admin_server) {
61 conf.admin_server = admin_server;
62 conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
63 }
64
65 if (server_port) {
66 conf.kadmind_port = htons(server_port);
67 conf.mask |= KADM5_CONFIG_KADMIND_PORT;
68 }
69
70 /* should get realm from each principal, instead of doing
71 everything with the same (local) realm */
72
73 ret = kadm5_init_with_password_ctx(context,
74 principal,
75 NULL,
76 KADM5_ADMIN_SERVICE,
77 &conf, 0, 0,
78 &kadm_handle);
79 free(conf.realm);
80 if(ret) {
81 krb5_warn(context, ret, "kadm5_init_with_password");
82 return NULL;
83 }
84 return kadm_handle;
85 }
86
87 int
kt_get(struct get_options * opt,int argc,char ** argv)88 kt_get(struct get_options *opt, int argc, char **argv)
89 {
90 krb5_error_code ret = 0;
91 krb5_keytab keytab;
92 void *kadm_handle = NULL;
93 krb5_enctype *etypes = NULL;
94 size_t netypes = 0;
95 size_t i;
96 int a, j;
97 unsigned int failed = 0;
98
99 if((keytab = ktutil_open_keytab()) == NULL)
100 return 1;
101
102 if(opt->realm_string)
103 krb5_set_default_realm(context, opt->realm_string);
104
105 if (opt->enctypes_strings.num_strings != 0) {
106
107 etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
108 if (etypes == NULL) {
109 krb5_warnx(context, "malloc failed");
110 goto out;
111 }
112 netypes = opt->enctypes_strings.num_strings;
113 for(i = 0; i < netypes; i++) {
114 ret = krb5_string_to_enctype(context,
115 opt->enctypes_strings.strings[i],
116 &etypes[i]);
117 if(ret) {
118 krb5_warnx(context, "unrecognized enctype: %s",
119 opt->enctypes_strings.strings[i]);
120 goto out;
121 }
122 }
123 }
124
125
126 for(a = 0; a < argc; a++){
127 krb5_principal princ_ent;
128 kadm5_principal_ent_rec princ;
129 int mask = 0;
130 krb5_keyblock *keys;
131 int n_keys;
132 int created = 0;
133 krb5_keytab_entry entry;
134
135 ret = krb5_parse_name(context, argv[a], &princ_ent);
136 if (ret) {
137 krb5_warn(context, ret, "can't parse principal %s", argv[a]);
138 failed++;
139 continue;
140 }
141 memset(&princ, 0, sizeof(princ));
142 princ.principal = princ_ent;
143 mask |= KADM5_PRINCIPAL;
144 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
145 mask |= KADM5_ATTRIBUTES;
146 princ.princ_expire_time = 0;
147 mask |= KADM5_PRINC_EXPIRE_TIME;
148
149 if(kadm_handle == NULL) {
150 const char *r;
151 if(opt->realm_string != NULL)
152 r = opt->realm_string;
153 else
154 r = krb5_principal_get_realm(context, princ_ent);
155 kadm_handle = open_kadmin_connection(opt->principal_string,
156 r,
157 opt->admin_server_string,
158 opt->server_port_integer);
159 if(kadm_handle == NULL)
160 break;
161 }
162
163 ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
164 if(ret == 0)
165 created = 1;
166 else if(ret != KADM5_DUP) {
167 krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
168 krb5_free_principal(context, princ_ent);
169 failed++;
170 continue;
171 }
172 ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
173 if (ret) {
174 krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
175 krb5_free_principal(context, princ_ent);
176 failed++;
177 continue;
178 }
179
180 ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
181 KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
182 if (ret) {
183 krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
184 for (j = 0; j < n_keys; j++)
185 krb5_free_keyblock_contents(context, &keys[j]);
186 krb5_free_principal(context, princ_ent);
187 failed++;
188 continue;
189 }
190 if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
191 krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
192 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
193 mask = KADM5_ATTRIBUTES;
194 if(created) {
195 princ.kvno = 1;
196 mask |= KADM5_KVNO;
197 }
198 ret = kadm5_modify_principal(kadm_handle, &princ, mask);
199 if (ret) {
200 krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
201 for (j = 0; j < n_keys; j++)
202 krb5_free_keyblock_contents(context, &keys[j]);
203 krb5_free_principal(context, princ_ent);
204 failed++;
205 continue;
206 }
207 for(j = 0; j < n_keys; j++) {
208 int do_add = TRUE;
209
210 if (netypes) {
211 size_t k;
212
213 do_add = FALSE;
214 for (k = 0; k < netypes; ++k)
215 if (keys[j].keytype == etypes[k]) {
216 do_add = TRUE;
217 break;
218 }
219 }
220 if (do_add) {
221 entry.principal = princ_ent;
222 entry.vno = princ.kvno;
223 entry.keyblock = keys[j];
224 entry.timestamp = time (NULL);
225 ret = krb5_kt_add_entry(context, keytab, &entry);
226 if (ret)
227 krb5_warn(context, ret, "krb5_kt_add_entry");
228 }
229 krb5_free_keyblock_contents(context, &keys[j]);
230 }
231
232 kadm5_free_principal_ent(kadm_handle, &princ);
233 krb5_free_principal(context, princ_ent);
234 }
235 out:
236 free(etypes);
237 if (kadm_handle)
238 kadm5_destroy(kadm_handle);
239 krb5_kt_close(context, keytab);
240 return ret != 0 || failed > 0;
241 }
242