2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadmin_locl.h"
35 #include "kadmin-commands.h"
37 struct ext_keytab_data
{
42 krb5_key_salt_tuple
*kstuple
;
47 do_ext_keytab(krb5_principal principal
, void *data
)
50 kadm5_principal_ent_rec princ
;
51 struct ext_keytab_data
*e
= data
;
52 krb5_keytab_entry
*keys
= NULL
;
53 krb5_keyblock
*k
= NULL
;
57 char *unparsed
= NULL
;
59 mask
= KADM5_PRINCIPAL
;
60 if (!e
->random_key_flag
)
61 mask
|= KADM5_KVNO
| KADM5_KEY_DATA
;
63 ret
= kadm5_get_principal(e
->kadm_handle
, principal
, &princ
, mask
);
67 ret
= krb5_unparse_name(context
, principal
, &unparsed
);
71 if (!e
->random_key_flag
) {
72 if (princ
.n_key_data
== 0) {
73 krb5_warnx(context
, "principal has no keys, or user lacks "
74 "get-keys privilege for %s", unparsed
);
78 * kadmin clients and servers from master between 1.5 and 1.6
79 * can have corrupted a principal's keys in the HDB. If some
80 * are bogus but not all are, then that must have happened.
82 * If all keys are bogus then the server may be a pre-1.6,
83 * post-1.5 server and the client lacks get-keys privilege, or
84 * the keys are corrupted. We can't tell here.
86 if (kadm5_all_keys_are_bogus(princ
.n_key_data
, princ
.key_data
)) {
87 krb5_warnx(context
, "user lacks get-keys privilege for %s",
91 if (kadm5_some_keys_are_bogus(princ
.n_key_data
, princ
.key_data
)) {
92 krb5_warnx(context
, "some keys for %s are corrupted in the HDB",
95 keys
= calloc(sizeof(*keys
), princ
.n_key_data
);
97 ret
= krb5_enomem(context
);
100 for (i
= 0; i
< princ
.n_key_data
; i
++) {
101 krb5_key_data
*kd
= &princ
.key_data
[i
];
103 /* Don't extract bogus keys */
104 if (kadm5_all_keys_are_bogus(1, kd
))
107 keys
[i
].principal
= princ
.principal
;
108 keys
[i
].vno
= kd
->key_data_kvno
;
109 keys
[i
].keyblock
.keytype
= kd
->key_data_type
[0];
110 keys
[i
].keyblock
.keyvalue
.length
= kd
->key_data_length
[0];
111 keys
[i
].keyblock
.keyvalue
.data
= kd
->key_data_contents
[0];
112 keys
[i
].timestamp
= time(NULL
);
115 } else if (e
->random_key_flag
) {
116 ret
= kadm5_randkey_principal_3(e
->kadm_handle
, principal
, e
->keep
,
117 e
->nkstuple
, e
->kstuple
, &k
, &n_k
);
121 keys
= calloc(sizeof(*keys
), n_k
);
123 ret
= krb5_enomem(context
);
126 for (i
= 0; i
< n_k
; i
++) {
127 keys
[i
].principal
= principal
;
128 keys
[i
].vno
= princ
.kvno
+ 1; /* XXX get entry again */
129 keys
[i
].keyblock
= k
[i
];
130 keys
[i
].timestamp
= time(NULL
);
135 krb5_warn(context
, ret
, "no keys written to keytab for %s", unparsed
);
137 for (i
= 0; i
< n_k
; i
++) {
138 ret
= krb5_kt_add_entry(context
, e
->keytab
, &keys
[i
]);
140 krb5_warn(context
, ret
, "krb5_kt_add_entry(%lu)", (unsigned long)i
);
144 kadm5_free_principal_ent(e
->kadm_handle
, &princ
);
146 for (i
= 0; i
< n_k
; i
++)
147 memset(k
[i
].keyvalue
.data
, 0, k
[i
].keyvalue
.length
);
156 ext_keytab(struct ext_keytab_options
*opt
, int argc
, char **argv
)
159 struct ext_keytab_data data
;
160 const char *enctypes
;
163 data
.kadm_handle
= NULL
;
164 ret
= kadm5_dup_context(kadm_handle
, &data
.kadm_handle
);
166 krb5_err(context
, 1, ret
, "Could not duplicate kadmin connection");
167 data
.random_key_flag
= opt
->random_key_flag
;
170 if (opt
->keepallold_flag
) {
174 if (opt
->keepold_flag
) {
178 if (opt
->pruneall_flag
) {
184 "use only one of --keepold, --keepallold, or --pruneall\n");
188 if (opt
->keytab_string
== NULL
)
189 ret
= krb5_kt_default(context
, &data
.keytab
);
191 ret
= krb5_kt_resolve(context
, opt
->keytab_string
, &data
.keytab
);
194 krb5_warn(context
, ret
, "krb5_kt_resolve");
197 enctypes
= opt
->enctypes_string
;
198 if (enctypes
== NULL
|| enctypes
[0] == '\0')
199 enctypes
= krb5_config_get_string(context
, NULL
, "libdefaults",
200 "supported_enctypes", NULL
);
201 if (enctypes
== NULL
|| enctypes
[0] == '\0')
202 enctypes
= "aes128-cts-hmac-sha1-96";
203 ret
= krb5_string_to_keysalts2(context
, enctypes
, &data
.nkstuple
,
206 fprintf(stderr
, "enctype(s) unknown\n");
207 krb5_kt_close(context
, data
.keytab
);
211 for(i
= 0; i
< argc
; i
++) {
212 ret
= foreach_principal(argv
[i
], do_ext_keytab
, "ext", &data
);
217 kadm5_destroy(data
.kadm_handle
);
218 krb5_kt_close(context
, data
.keytab
);