1 /* $NetBSD: get.c,v 1.1.1.1 2011/04/13 18:14:32 elric Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "ktutil_locl.h" 37 38 __RCSID("$NetBSD: get.c,v 1.1.1.1 2011/04/13 18:14:32 elric Exp $"); 39 40 static void* 41 open_kadmin_connection(char *principal, 42 const char *realm, 43 char *admin_server, 44 int server_port) 45 { 46 static kadm5_config_params conf; 47 krb5_error_code ret; 48 void *kadm_handle; 49 memset(&conf, 0, sizeof(conf)); 50 51 if(realm) { 52 conf.realm = strdup(realm); 53 if (conf.realm == NULL) { 54 krb5_set_error_message(context, 0, "malloc: out of memory"); 55 return NULL; 56 } 57 conf.mask |= KADM5_CONFIG_REALM; 58 } 59 60 if (admin_server) { 61 conf.admin_server = admin_server; 62 conf.mask |= KADM5_CONFIG_ADMIN_SERVER; 63 } 64 65 if (server_port) { 66 conf.kadmind_port = htons(server_port); 67 conf.mask |= KADM5_CONFIG_KADMIND_PORT; 68 } 69 70 /* should get realm from each principal, instead of doing 71 everything with the same (local) realm */ 72 73 ret = kadm5_init_with_password_ctx(context, 74 principal, 75 NULL, 76 KADM5_ADMIN_SERVICE, 77 &conf, 0, 0, 78 &kadm_handle); 79 free(conf.realm); 80 if(ret) { 81 krb5_warn(context, ret, "kadm5_init_with_password"); 82 return NULL; 83 } 84 return kadm_handle; 85 } 86 87 int 88 kt_get(struct get_options *opt, int argc, char **argv) 89 { 90 krb5_error_code ret = 0; 91 krb5_keytab keytab; 92 void *kadm_handle = NULL; 93 krb5_enctype *etypes = NULL; 94 size_t netypes = 0; 95 int i, j; 96 unsigned int failed = 0; 97 98 if((keytab = ktutil_open_keytab()) == NULL) 99 return 1; 100 101 if(opt->realm_string) 102 krb5_set_default_realm(context, opt->realm_string); 103 104 if (opt->enctypes_strings.num_strings != 0) { 105 106 etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes)); 107 if (etypes == NULL) { 108 krb5_warnx(context, "malloc failed"); 109 goto out; 110 } 111 netypes = opt->enctypes_strings.num_strings; 112 for(i = 0; i < netypes; i++) { 113 ret = krb5_string_to_enctype(context, 114 opt->enctypes_strings.strings[i], 115 &etypes[i]); 116 if(ret) { 117 krb5_warnx(context, "unrecognized enctype: %s", 118 opt->enctypes_strings.strings[i]); 119 goto out; 120 } 121 } 122 } 123 124 125 for(i = 0; i < argc; i++){ 126 krb5_principal princ_ent; 127 kadm5_principal_ent_rec princ; 128 int mask = 0; 129 krb5_keyblock *keys; 130 int n_keys; 131 int created = 0; 132 krb5_keytab_entry entry; 133 134 ret = krb5_parse_name(context, argv[i], &princ_ent); 135 if (ret) { 136 krb5_warn(context, ret, "can't parse principal %s", argv[i]); 137 failed++; 138 continue; 139 } 140 memset(&princ, 0, sizeof(princ)); 141 princ.principal = princ_ent; 142 mask |= KADM5_PRINCIPAL; 143 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 144 mask |= KADM5_ATTRIBUTES; 145 princ.princ_expire_time = 0; 146 mask |= KADM5_PRINC_EXPIRE_TIME; 147 148 if(kadm_handle == NULL) { 149 const char *r; 150 if(opt->realm_string != NULL) 151 r = opt->realm_string; 152 else 153 r = krb5_principal_get_realm(context, princ_ent); 154 kadm_handle = open_kadmin_connection(opt->principal_string, 155 r, 156 opt->admin_server_string, 157 opt->server_port_integer); 158 if(kadm_handle == NULL) 159 break; 160 } 161 162 ret = kadm5_create_principal(kadm_handle, &princ, mask, "x"); 163 if(ret == 0) 164 created = 1; 165 else if(ret != KADM5_DUP) { 166 krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]); 167 krb5_free_principal(context, princ_ent); 168 failed++; 169 continue; 170 } 171 ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys); 172 if (ret) { 173 krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]); 174 krb5_free_principal(context, princ_ent); 175 failed++; 176 continue; 177 } 178 179 ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 180 KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); 181 if (ret) { 182 krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]); 183 for (j = 0; j < n_keys; j++) 184 krb5_free_keyblock_contents(context, &keys[j]); 185 krb5_free_principal(context, princ_ent); 186 failed++; 187 continue; 188 } 189 if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX)) 190 krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]); 191 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 192 mask = KADM5_ATTRIBUTES; 193 if(created) { 194 princ.kvno = 1; 195 mask |= KADM5_KVNO; 196 } 197 ret = kadm5_modify_principal(kadm_handle, &princ, mask); 198 if (ret) { 199 krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]); 200 for (j = 0; j < n_keys; j++) 201 krb5_free_keyblock_contents(context, &keys[j]); 202 krb5_free_principal(context, princ_ent); 203 failed++; 204 continue; 205 } 206 for(j = 0; j < n_keys; j++) { 207 int do_add = TRUE; 208 209 if (netypes) { 210 int k; 211 212 do_add = FALSE; 213 for (k = 0; k < netypes; ++k) 214 if (keys[j].keytype == etypes[k]) { 215 do_add = TRUE; 216 break; 217 } 218 } 219 if (do_add) { 220 entry.principal = princ_ent; 221 entry.vno = princ.kvno; 222 entry.keyblock = keys[j]; 223 entry.timestamp = time (NULL); 224 ret = krb5_kt_add_entry(context, keytab, &entry); 225 if (ret) 226 krb5_warn(context, ret, "krb5_kt_add_entry"); 227 } 228 krb5_free_keyblock_contents(context, &keys[j]); 229 } 230 231 kadm5_free_principal_ent(kadm_handle, &princ); 232 krb5_free_principal(context, princ_ent); 233 } 234 out: 235 free(etypes); 236 if (kadm_handle) 237 kadm5_destroy(kadm_handle); 238 krb5_kt_close(context, keytab); 239 return ret != 0 || failed > 0; 240 } 241