1  /*
  2   * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  3   * (Royal Institute of Technology, Stockholm, Sweden).
  4   * All rights reserved.
  5   *
  6   * Redistribution and use in source and binary forms, with or without
  7   * modification, are permitted provided that the following conditions
  8   * are met:
  9   *
 10   * 1. Redistributions of source code must retain the above copyright
 11   *    notice, this list of conditions and the following disclaimer.
 12   *
 13   * 2. Redistributions in binary form must reproduce the above copyright
 14   *    notice, this list of conditions and the following disclaimer in the
 15   *    documentation and/or other materials provided with the distribution.
 16   *
 17   * 3. Neither the name of the Institute nor the names of its contributors
 18   *    may be used to endorse or promote products derived from this software
 19   *    without specific prior written permission.
 20   *
 21   * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 22   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 23   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 24   * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 25   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 26   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 27   * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 28   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 29   * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 30   * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 31   * SUCH DAMAGE.
 32   */
 33  
 34  #include "ktutil_locl.h"
 35  
 36  RCSID("$Id$");
 37  
 38  static void*
 39  open_kadmin_connection(char *principal,
 40  		       const char *realm,
 41  		       char *admin_server,
 42  		       int server_port)
 43  {
 44      static kadm5_config_params conf;
 45      krb5_error_code ret;
 46      void *kadm_handle;
 47      memset(&conf, 0, sizeof(conf));
 48  
 49      if(realm) {
 50  	conf.realm = strdup(realm);
 51  	if (conf.realm == NULL) {
 52  	    krb5_set_error_message(context, 0, "malloc: out of memory");
 53  	    return NULL;
 54  	}
 55  	conf.mask |= KADM5_CONFIG_REALM;
 56      }
 57  
 58      if (admin_server) {
 59  	conf.admin_server = admin_server;
 60  	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
 61      }
 62  
 63      if (server_port) {
 64  	conf.kadmind_port = htons(server_port);
 65  	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
 66      }
 67  
 68      /* should get realm from each principal, instead of doing
 69         everything with the same (local) realm */
 70  
 71      ret = kadm5_init_with_password_ctx(context,
 72  				       principal,
 73  				       NULL,
 74  				       KADM5_ADMIN_SERVICE,
 75  				       &conf, 0, 0,
 76  				       &kadm_handle);
 77      free(conf.realm);
 78      if(ret) {
 79  	krb5_warn(context, ret, "kadm5_init_with_password");
 80  	return NULL;
 81      }
 82      return kadm_handle;
 83  }
 84  
 85  int
 86  kt_get(struct get_options *opt, int argc, char **argv)
 87  {
 88      krb5_error_code ret = 0;
 89      krb5_keytab keytab;
 90      void *kadm_handle = NULL;
 91      krb5_enctype *etypes = NULL;
 92      size_t netypes = 0;
 93      size_t i;
 94      int a, j;
 95      unsigned int failed = 0;
 96  
 97      if((keytab = ktutil_open_keytab()) == NULL)
 98  	return 1;
 99  
100      if(opt->realm_string)
101  	krb5_set_default_realm(context, opt->realm_string);
102  
103      if (opt->enctypes_strings.num_strings != 0) {
104  
105  	etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
106  	if (etypes == NULL) {
107  	    krb5_warnx(context, "malloc failed");
108  	    goto out;
109  	}
110  	netypes = opt->enctypes_strings.num_strings;
111  	for(i = 0; i < netypes; i++) {
112  	    ret = krb5_string_to_enctype(context,
113  					 opt->enctypes_strings.strings[i],
114  					 &etypes[i]);
115  	    if(ret) {
116  		krb5_warnx(context, "unrecognized enctype: %s",
117  			   opt->enctypes_strings.strings[i]);
118  		goto out;
119  	    }
120  	}
121      }
122  
123  
124      for(a = 0; a < argc; a++){
125  	krb5_principal princ_ent;
126  	kadm5_principal_ent_rec princ;
127  	int mask = 0;
128  	krb5_keyblock *keys;
129  	int n_keys;
130  	int created = 0;
131  	krb5_keytab_entry entry;
132  
133  	ret = krb5_parse_name(context, argv[a], &princ_ent);
134  	if (ret) {
135  	    krb5_warn(context, ret, "can't parse principal %s", argv[a]);
136  	    failed++;
137  	    continue;
138  	}
139  	memset(&princ, 0, sizeof(princ));
140  	princ.principal = princ_ent;
141  	mask |= KADM5_PRINCIPAL;
142  	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
143  	mask |= KADM5_ATTRIBUTES;
144  	princ.princ_expire_time = 0;
145  	mask |= KADM5_PRINC_EXPIRE_TIME;
146  
147  	if(kadm_handle == NULL) {
148  	    const char *r;
149  	    if(opt->realm_string != NULL)
150  		r = opt->realm_string;
151  	    else
152  		r = krb5_principal_get_realm(context, princ_ent);
153  	    kadm_handle = open_kadmin_connection(opt->principal_string,
154  						 r,
155  						 opt->admin_server_string,
156  						 opt->server_port_integer);
157  	    if(kadm_handle == NULL)
158  		break;
159  	}
160  
161  	ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
162  	if(ret == 0)
163  	    created = 1;
164  	else if(ret != KADM5_DUP) {
165  	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
166  	    krb5_free_principal(context, princ_ent);
167  	    failed++;
168  	    continue;
169  	}
170  	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
171  	if (ret) {
172  	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
173  	    krb5_free_principal(context, princ_ent);
174  	    failed++;
175  	    continue;
176  	}
177  
178  	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
179  			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
180  	if (ret) {
181  	    krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
182  	    for (j = 0; j < n_keys; j++)
183  		krb5_free_keyblock_contents(context, &keys[j]);
184  	    krb5_free_principal(context, princ_ent);
185  	    failed++;
186  	    continue;
187  	}
188  	if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
189  	    krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
190  	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
191  	mask = KADM5_ATTRIBUTES;
192  	if(created) {
193  	    princ.kvno = 1;
194  	    mask |= KADM5_KVNO;
195  	}
196  	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
197  	if (ret) {
198  	    krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
199  	    for (j = 0; j < n_keys; j++)
200  		krb5_free_keyblock_contents(context, &keys[j]);
201  	    krb5_free_principal(context, princ_ent);
202  	    failed++;
203  	    continue;
204  	}
205  	for(j = 0; j < n_keys; j++) {
206  	    int do_add = TRUE;
207  
208  	    if (netypes) {
209  		size_t k;
210  
211  		do_add = FALSE;
212  		for (k = 0; k < netypes; ++k)
213  		    if (keys[j].keytype == etypes[k]) {
214  			do_add = TRUE;
215  			break;
216  		    }
217  	    }
218  	    if (do_add) {
219  		entry.principal = princ_ent;
220  		entry.vno = princ.kvno;
221  		entry.keyblock = keys[j];
222  		entry.timestamp = (uint32_t)time (NULL);
223  		ret = krb5_kt_add_entry(context, keytab, &entry);
224  		if (ret)
225  		    krb5_warn(context, ret, "krb5_kt_add_entry");
226  	    }
227  	    krb5_free_keyblock_contents(context, &keys[j]);
228  	}
229  
230  	kadm5_free_principal_ent(kadm_handle, &princ);
231  	krb5_free_principal(context, princ_ent);
232      }
233   out:
234      free(etypes);
235      if (kadm_handle)
236  	kadm5_destroy(kadm_handle);
237      krb5_kt_close(context, keytab);
238      return ret != 0 || failed > 0;
239  }