Diffstat (limited to 'src/admin/edit/cpw.c')
-rw-r--r-- | src/admin/edit/cpw.c | 470 |
1 files changed, 186 insertions, 284 deletions
diff --git a/src/admin/edit/cpw.c b/src/admin/edit/cpw.c index fd8988253..dbf3f503b 100644 --- a/src/admin/edit/cpw.c +++ b/src/admin/edit/cpw.c 
@@ -36,200 +36,218 @@ extern char *Err_no_master_msg; extern char *Err_no_database; extern char *current_dbname; - -/* - * XXX Ick, ick, ick. These global variables shouldn't be global.... - */ -/* -static char search_name[40]; -static int num_name_tokens; -static char search_instance[40]; -static int num_instance_tokens; -static int must_be_first[2]; -static char *mkey_password = 0; -static char *stash_file = (char *) NULL; -*/ - /* * I can't figure out any way for this not to be global, given how ss * works. */ - extern int exit_status; - extern krb5_context edit_context; - extern krb5_keyblock master_keyblock; extern krb5_principal master_princ; extern krb5_db_entry master_entry; extern krb5_encrypt_block master_encblock; -extern krb5_pointer master_random; extern int valid_master_key; - extern char *krb5_default_pwd_prompt1, *krb5_default_pwd_prompt2; - -extern char *progname; -extern char *cur_realm; -extern char *mkey_name; -extern krb5_boolean manual_mkey; extern krb5_boolean dbactive; -/* - * This is the guts of add_rnd_key() and change_rnd_key() - */ -void -enter_rnd_key(argc, argv, change) +static krb5_key_salt_tuple ks_tuple_rnd_def[] = { KEYTYPE_DES, 0 }; +static int ks_tuple_rnd_def_count = 1; + +static void +enter_rnd_key(argc, argv, entry) int argc; char ** argv; - int change; + krb5_db_entry * entry; { krb5_error_code retval; - krb5_keyblock * tempkey; - krb5_principal newprinc; - krb5_key_data * key_data; - krb5_db_entry entry; - krb5_boolean more; int nprincs = 1; - int vno; - - if (argc < 2) { - com_err(argv[0], 0, "Too few arguments"); - com_err(argv[0], 0, "Usage: %s principal", argv[0]); - exit_status++; - return; - } - if (!dbactive) { - com_err(argv[0], 0, Err_no_database); - exit_status++; - return; - } - if (!valid_master_key) { - com_err(argv[0], 0, Err_no_master_msg); - exit_status++; - return; - } - if (retval = krb5_parse_name(edit_context, argv[1], &newprinc)) { - com_err(argv[0], retval, "while parsing '%s'", argv[1]); - 
exit_status++; - return; - } - if (retval = krb5_db_get_principal(edit_context, newprinc, &entry, - &nprincs, &more)) { - com_err(argv[0], retval, "while trying to get principal's database entry"); - exit_status++; - return; - } - if (change && !nprincs) { - com_err(argv[0], 0, "No principal '%s' exists", argv[1]); - exit_status++; - goto errout; - } - if (!change && nprincs) { - com_err(argv[0], 0, "Principal '%s' already exists.", argv[1]); - exit_status++; - goto errout; - } - if (!change) { - if (retval = create_db_entry(newprinc, &entry)) { - com_err(argv[0], retval, "While creating new db entry."); - exit_status++; - goto errout; - } - if (retval = krb5_dbe_create_key_data(edit_context, &entry)) { - com_err(argv[0], retval, "While creating key_data for db_entry."); - exit_status++; - goto errout; - } - nprincs = 1; - vno = 1; - } else { - vno = entry.key_data[0].key_data_kvno++; - } - /* For now we only set the first key_data */ - key_data = entry.key_data; - - if (retval = krb5_random_key(edit_context, &master_encblock, - master_random, &tempkey)) { + if (retval = krb5_dbe_crk(edit_context, &master_encblock, ks_tuple_rnd_def, + ks_tuple_rnd_def_count, entry)) { com_err(argv[0], retval, "while generating random key"); + krb5_db_free_principal(edit_context, entry, nprincs); exit_status++; return; } - /* Encoding over an old key_data will free old key contents */ - retval = krb5_dbekd_encrypt_key_data(edit_context, &master_encblock, - tempkey, NULL, vno, key_data); - krb5_free_keyblock(edit_context, tempkey); - if (retval) { - com_err(argv[0], retval, "while encrypting key for '%s'", argv[1]); - exit_status++; - goto errout; - } - - if (retval = krb5_db_put_principal(edit_context, &entry, &nprincs)) { + if (retval = krb5_db_put_principal(edit_context, entry, &nprincs)) { com_err(argv[0], retval, "while storing entry for '%s'\n", argv[1]); + krb5_db_free_principal(edit_context, entry, nprincs); exit_status++; - goto errout; + return; } + 
krb5_db_free_principal(edit_context, entry, nprincs); + if (nprincs != 1) { com_err(argv[0], 0, "entry not stored in database (unknown failure)"); exit_status++; } -errout: - krb5_free_principal(edit_context, newprinc); - if (nprincs) - krb5_db_free_principal(edit_context, &entry, nprincs); - return; +} + +static int +pre_key(argc, argv, newprinc, entry) + int argc; + char ** argv; + krb5_principal * newprinc; + krb5_db_entry * entry; +{ + krb5_boolean more; + krb5_error_code retval; + int nprincs = 1; + + if (!dbactive) { + com_err(argv[0], 0, Err_no_database); + } else if (!valid_master_key) { + com_err(argv[0], 0, Err_no_master_msg); + } else if (retval = krb5_parse_name(edit_context, argv[argc-1], newprinc)) { + com_err(argv[0], retval, "while parsing '%s'", argv[argc-1]); + } else if (retval = krb5_db_get_principal(edit_context, *newprinc, entry, + &nprincs, &more)) { + com_err(argv[0],retval,"while trying to get principal's db entry"); + } else if ((nprincs > 1) || (more)) { + krb5_db_free_principal(edit_context, entry, nprincs); + krb5_free_principal(edit_context, *newprinc); + } else if (nprincs) + return(1); + else + return(0); + return(-1); } void add_rnd_key(argc, argv) int argc; char *argv[]; { - enter_rnd_key(argc, argv, 0); + krb5_error_code retval; + krb5_principal newprinc; + krb5_db_entry entry; + + if (argc < 2) { + com_err(argv[0], 0, "Too few arguments"); + com_err(argv[0], 0, "Usage: %s principal", argv[0]); + exit_status++; + return; + } + switch (pre_key(argc, argv, &newprinc, &entry)) { + case 0: + if (retval = create_db_entry(newprinc, &entry)) { + com_err(argv[0], retval, "While creating new db entry."); + exit_status++; + return; + } + krb5_free_principal(edit_context, newprinc); + enter_rnd_key(argc, argv, &entry); + return; + case 1: + com_err(argv[0], 0, "Principal '%s' already exists.", argv[1]); + krb5_db_free_principal(edit_context, &entry, 1); + krb5_free_principal(edit_context, newprinc); + default: + exit_status++; + break; + } } 
void change_rnd_key(argc, argv) int argc; char *argv[]; { - enter_rnd_key(argc, argv, 1); + krb5_error_code retval; + krb5_principal newprinc; + krb5_db_entry entry; + + if (argc < 2) { + com_err(argv[0], 0, "Too few arguments"); + com_err(argv[0], 0, "Usage: %s principal", argv[0]); + exit_status++; + return; + } + switch (pre_key(argc, argv, &newprinc, &entry)) { + case 1: + krb5_free_principal(edit_context, newprinc); + enter_rnd_key(argc, argv, &entry); + break; + case 0: + com_err(argv[0], 0, "No principal '%s' exists", argv[1]); + default: + exit_status++; + break; + } +} + +static krb5_key_salt_tuple ks_tuple_default[] = { KEYTYPE_DES, 0 }; +static int ks_tuple_count_default = 1; + +void +enter_pwd_key(cmdname, princ, ks_tuple, ks_tuple_count, entry) + char * cmdname; + char * princ; + krb5_key_salt_tuple * ks_tuple; + int ks_tuple_count; + krb5_db_entry * entry; +{ + char password[KRB5_ADM_MAX_PASSWORD_LEN]; + int pwsize = KRB5_ADM_MAX_PASSWORD_LEN; + krb5_error_code retval; + int one = 1; + + if (retval = krb5_read_password(edit_context, krb5_default_pwd_prompt1, + krb5_default_pwd_prompt2, + password, &pwsize)) { + com_err(cmdname, retval, "while reading password for '%s'", princ); + goto errout; + } + + if (ks_tuple_count == 0) { + ks_tuple_count = ks_tuple_count_default; + ks_tuple = ks_tuple_default; + } + if (retval = krb5_dbe_cpw(edit_context, &master_encblock, ks_tuple, + ks_tuple_count, password, entry)) { + com_err(cmdname, retval, "while storing entry for '%s'\n", princ); + memset(password, 0, sizeof(password)); /* erase it */ + krb5_dbe_free_contents(edit_context, entry); + goto errout; + } + memset(password, 0, sizeof(password)); /* erase it */ + + /* Write the entry back out and we're done */ + if (retval = krb5_db_put_principal(edit_context, entry, &one)) { + com_err(cmdname, retval, "while storing entry for '%s'\n", princ); + } + + if (one != 1) { + com_err(cmdname, 0, "entry not stored in database (unknown failure)"); + exit_status++; + } + 
+errout:; + krb5_db_free_principal(edit_context, entry, one); + if (retval) + exit_status++; + return; } -krb5_key_salt_tuple ks_tuple_default = { KEYTYPE_DES, 0 }; void change_pwd_key(argc, argv) int argc; char *argv[]; { krb5_key_salt_tuple * ks_tuple = NULL; - krb5_db_entry db_entry; krb5_error_code retval; - krb5_principal princ; - krb5_boolean more; + krb5_principal newprinc; + krb5_db_entry entry; + krb5_kvno vno; int one; int i; - char password[KRB5_ADM_MAX_PASSWORD_LEN]; - int pwsize = KRB5_ADM_MAX_PASSWORD_LEN; - - if (!dbactive) { - com_err(argv[0], 0, Err_no_database); - exit_status++; - return; - } - if (!valid_master_key) { - com_err(argv[0], 0, Err_no_master_msg); - exit_status++; - return; - } - if (argc < 2) { - com_err(argv[0], 0, "Usage: % [-<key_type[:<salt_type>]> principal", + com_err(argv[0], 0, "Too few arguments"); + com_err(argv[0], 0, "Usage: %s [-<key_type[:<salt_type>]> principal", argv[0]); - exit_status++; + exit_status++; return; } 
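Review bot: pre_key leaks the parsed principal when krb5_db_get_principal fails: by then the krb5_parse_name branch has filled *newprinc, but the `else if (retval = krb5_db_get_principal(...))` branch only reports the error before falling through to `return(-1)`, so the caller never receives a principal it could release; add `krb5_free_principal(edit_context, *newprinc);` to that branch, as the `(nprincs > 1) || (more)` branch already does. The create_db_entry failure path of add_rnd_key here, and of add_new_key in the next hunk, has the same shape: it bumps exit_status and returns without `krb5_free_principal(edit_context, newprinc);`. In enter_pwd_key the krb5_dbe_cpw failure path calls krb5_dbe_free_contents and then jumps to `errout`, where krb5_db_free_principal is applied to the same entry with `one == 1`; unless krb5_dbe_free_contents resets the entry, that releases its contents twice, so the explicit free_contents call looks redundant and should be dropped. Note also that the password buffer is not scrubbed on the krb5_read_password failure path, and that a plain `memset(password, 0, ...)` on a buffer that is never read again may be optimized away, so a non-elidable clear (explicit_bzero or the project's equivalent) would be preferable for key material.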
@@ -280,173 +298,57 @@ void change_pwd_key(argc, argv) goto change_pwd_key_error; } - if (retval = krb5_parse_name(edit_context, argv[i], &princ)) { - com_err(argv[0], retval, "while parsing '%s'", argv[i]); - goto change_pwd_key_error; - } - if ((retval = krb5_db_get_principal(edit_context, princ, &db_entry, - &one, &more)) || (!one) || (more)) { - com_err(argv[0], 0, "No principal '%s' exists!", argv[i]); - krb5_free_principal(edit_context, princ); - goto change_pwd_key_error; - } - - /* Done with principal */ - krb5_free_principal(edit_context, princ); - - if (retval = krb5_read_password(edit_context, krb5_default_pwd_prompt1, - krb5_default_pwd_prompt2, - password, &pwsize)) { - com_err(argv[0], retval, "while reading password for '%s'", argv[i]); - goto change_pwd_key_error; - } - - if (retval = krb5_dbe_cpw(edit_context, &master_encblock, &db_entry, - ks_tuple ? ks_tuple : &ks_tuple_default, - i, password)) { - com_err(argv[0], retval, "while storing entry for '%s'\n", argv[i]); - krb5_dbe_free_contents(edit_context, &db_entry); - goto change_pwd_key_error; - } - - /* Write the entry back out and we're done */ - if (retval = krb5_db_put_principal(edit_context, &db_entry, &one)) { - com_err(argv[0], retval, "while storing entry for '%s'\n", argv[i]); + switch (pre_key(argc, argv, &newprinc, &entry)) { + case 1: + /* Done with principal */ + krb5_free_principal(edit_context, newprinc); + enter_pwd_key(argv[0], argv[i], ks_tuple, i-1, &entry); + break; + case 0: + com_err(argv[0], 0, "No principal '%s' exists", argv[i]); + default: + exit_status++; + break; } change_pwd_key_error:; - krb5_xfree(ks_tuple); - if (retval) - exit_status++; - return; + if (ks_tuple) { + free(ks_tuple); + } } -void change_v4_key(argc, argv) +void add_new_key(argc, argv) int argc; char *argv[]; { - krb5_error_code retval; - krb5_principal newprinc; - krb5_kvno vno; + krb5_error_code retval; + krb5_principal newprinc; + krb5_db_entry entry; if (argc < 2) { com_err(argv[0], 0, "Too few 
arguments"); - com_err(argv[0], 0, "Usage: %s principal", argv[0]); - exit_status++; - return; - } - if (!dbactive) { - com_err(argv[0], 0, Err_no_database); - exit_status++; - return; - } - if (!valid_master_key) { - com_err(argv[0], 0, Err_no_master_msg); - exit_status++; - return; - } - if (retval = krb5_parse_name(edit_context, argv[1], &newprinc)) { - com_err(argv[0], retval, "while parsing '%s'", argv[1]); - exit_status++; - return; - } - if ((vno = princ_exists(argv[0], newprinc)) == 0) { - com_err(argv[0], 0, "No principal '%s' exists!", argv[1]); - exit_status++; - krb5_free_principal(edit_context, newprinc); - return; - } - enter_pwd_key(argv[0], argv[1], newprinc, newprinc, vno, - KRB5_KDB_SALTTYPE_V4); - krb5_free_principal(edit_context, newprinc); - return; -} - -void -enter_pwd_key(cmdname, newprinc, princ, string_princ, vno, salttype) - char * cmdname; - char * newprinc; - krb5_const_principal princ; - krb5_const_principal string_princ; - krb5_kvno vno; - int salttype; -{ - krb5_error_code retval; - char password[BUFSIZ]; - int pwsize = sizeof(password); - krb5_keyblock tempkey; - krb5_keysalt salt; - krb5_data pwd; - - if (retval = krb5_read_password(edit_context, krb5_default_pwd_prompt1, - krb5_default_pwd_prompt2, - password, &pwsize)) { - com_err(cmdname, retval, "while reading password for '%s'", newprinc); - exit_status++; + com_err(argv[0], 0, "Usage: %s [-<key_type[:<salt_type>]> principal", + argv[0]); + exit_status++; return; } - pwd.data = password; - pwd.length = pwsize; - - switch (salt.type = salttype) { - case KRB5_KDB_SALTTYPE_NORMAL: - if (retval = krb5_principal2salt(edit_context,string_princ,&salt.data)){ - com_err(cmdname, retval, - "while converting principal to salt for '%s'", newprinc); - exit_status++; - return; - } - break; - case KRB5_KDB_SALTTYPE_V4: - salt.data.length = 0; - salt.data.data = 0; - break; - case KRB5_KDB_SALTTYPE_NOREALM: - if (retval = krb5_principal2salt_norealm(edit_context, string_princ, - &salt.data)) 
{ - com_err(cmdname, retval, - "while converting principal to salt for '%s'", newprinc); - exit_status++; - return; - } - break; - case KRB5_KDB_SALTTYPE_ONLYREALM: { - krb5_data * saltdata; - if (retval = krb5_copy_data(edit_context, - krb5_princ_realm(edit_context,string_princ), - &saltdata)) { - com_err(cmdname, retval, - "while converting principal to salt for '%s'", newprinc); + switch (pre_key(argc, argv, &newprinc, &entry)) { + case 0: + if (retval = create_db_entry(newprinc, &entry)) { + com_err(argv[0], retval, "While creating new db entry."); exit_status++; return; } - salt.data = *saltdata; - krb5_xfree(saltdata); - break; - } - default: - com_err(cmdname, 0, "Don't know how to enter salt type %d", salttype); - exit_status++; - return; - } - retval = krb5_string_to_key(edit_context, &master_encblock, - master_keyblock.keytype, &tempkey, - &pwd, &salt.data); - memset(password, 0, sizeof(password)); /* erase it */ - if (retval) { - com_err(cmdname, retval, "while converting password to key for '%s'", - newprinc); - if (salt.data.data) - krb5_xfree(salt.data.data); - exit_status++; + enter_pwd_key(argv[0], argv[argc - 1], NULL, 0, &entry); + krb5_free_principal(edit_context, newprinc); return; + case 1: + com_err(argv[0], 0, "Principal '%s' already exists.", argv[argc - 1]); + krb5_db_free_principal(edit_context, &entry, 1); + krb5_free_principal(edit_context, newprinc); + default: + exit_status++; + break; } - add_key(cmdname, newprinc, princ, &tempkey, ++vno, - (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? NULL : &salt); - memset((char *)tempkey.contents, 0, tempkey.length); - if (salt.data.data) - krb5_xfree(salt.data.data); - krb5_xfree(tempkey.contents); - return; } |
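Review bot: change_pwd_key reports and keys the principal as argv[i], but pre_key, which it now calls, parses argv[argc-1]; the two agree only when the principal is the last argument, and since the option loop that sets i lies above this hunk, any caller shape where an argument follows the principal would look up one name and print another. If the loop guarantees i == argc-1, a short comment saying so at the `switch (pre_key(...))` line would remove the doubt; otherwise pre_key should take the index it parses. The `krb5_kvno vno` and `int one` locals added to change_pwd_key in the previous hunk appear unreferenced in the new body and should be removed. In add_new_key the usage text advertises `[-<key_type[:<salt_type>]>` options while the visible body passes `NULL, 0` to enter_pwd_key and uses argv[argc - 1] unconditionally, so either option parsing is missing here or the usage string should be the same `"Usage: %s principal"` add_rnd_key prints; the deliberate drop from `case 0:`/`case 1:` into `default:` in both functions also deserves a `/* fallthrough */` marker.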