From: Greg Hudson Date: Thu, 24 Sep 2009 16:48:57 +0000 (+0000) Subject: Update the kadmin client code to most current coding practices X-Git-Tag: krb5-1.8-alpha1~338 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=324ba91fc437b8e40ff82e710a724963051f8b5f;p=krb5.git Update the kadmin client code to most current coding practices git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22785 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 6f8c04b8e..ad9f6bc9b 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1994, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -52,58 +53,57 @@ /* special struct to convert flag names for principals to actual krb5_flags for a principal */ struct pflag { - char *flagname; /* name of flag as typed to CLI */ - int flaglen; /* length of string (not counting -,+) */ - krb5_flags theflag; /* actual principal flag to set/clear */ - int set; /* 0 means clear, 1 means set (on '-') */ + char *flagname; /* name of flag as typed to CLI */ + size_t flaglen; /* length of string (not counting -,+) */ + krb5_flags theflag; /* actual principal flag to set/clear */ + int set; /* 0 means clear, 1 means set (on '-') */ }; static struct pflag flags[] = { -{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1}, -{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1}, -{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1}, -{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1}, -{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1}, -{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1}, -{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1}, -{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0}, -{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0}, -{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, -{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, -{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, -{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, -{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, -{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0}, +{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 }, +{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 }, +{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 }, +{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 }, +{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 }, +{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 }, +{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 }, +{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 }, +{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 }, +{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 }, +{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 }, +{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, +{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, +{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 }, }; static char *prflags[] = { - "DISALLOW_POSTDATED", /* 0x00000001 */ - "DISALLOW_FORWARDABLE", /* 0x00000002 */ - "DISALLOW_TGT_BASED", /* 0x00000004 */ - "DISALLOW_RENEWABLE", /* 0x00000008 */ - "DISALLOW_PROXIABLE", /* 0x00000010 */ - "DISALLOW_DUP_SKEY", /* 0x00000020 */ - "DISALLOW_ALL_TIX", /* 0x00000040 */ - "REQUIRES_PRE_AUTH", /* 0x00000080 */ - "REQUIRES_HW_AUTH", /* 0x00000100 */ - "REQUIRES_PWCHANGE", /* 0x00000200 */ - "UNKNOWN_0x00000400", /* 0x00000400 */ - "UNKNOWN_0x00000800", /* 0x00000800 */ - "DISALLOW_SVR", /* 0x00001000 */ - "PWCHANGE_SERVICE", /* 0x00002000 */ - "SUPPORT_DESMD5", /* 0x00004000 */ - "NEW_PRINC", /* 0x00008000 */ - "UNKNOWN_0x00010000", /* 0x00010000 */ - "UNKNOWN_0x00020000", /* 0x00020000 */ - "UNKNOWN_0x00040000", /* 0x00040000 */ - "UNKNOWN_0x00080000", /* 0x00080000 */ - "OK_AS_DELEGATE", /* 0x00100000 */ - "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ - "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ + "DISALLOW_POSTDATED", /* 0x00000001 */ + "DISALLOW_FORWARDABLE", /* 0x00000002 */ + "DISALLOW_TGT_BASED", /* 0x00000004 */ + "DISALLOW_RENEWABLE", /* 0x00000008 */ + "DISALLOW_PROXIABLE", /* 0x00000010 */ + "DISALLOW_DUP_SKEY", /* 0x00000020 */ + "DISALLOW_ALL_TIX", /* 0x00000040 */ + "REQUIRES_PRE_AUTH", /* 0x00000080 */ + "REQUIRES_HW_AUTH", /* 0x00000100 */ + "REQUIRES_PWCHANGE", /* 0x00000200 */ + "UNKNOWN_0x00000400", /* 0x00000400 */ + "UNKNOWN_0x00000800", /* 0x00000800 */ + "DISALLOW_SVR", /* 0x00001000 */ + "PWCHANGE_SERVICE", /* 0x00002000 */ + "SUPPORT_DESMD5", /* 0x00004000 */ + "NEW_PRINC", /* 0x00008000 */ + "UNKNOWN_0x00010000", /* 0x00010000 */ + "UNKNOWN_0x00020000", /* 0x00020000 */ + "UNKNOWN_0x00040000", /* 0x00040000 */ + "UNKNOWN_0x00080000", /* 0x00080000 */ + "OK_AS_DELEGATE", /* 0x00100000 */ + "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ + "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ }; -char *getenv(); int exit_status = 0; char *def_realm = NULL; char *whoami = NULL; @@ -114,29 +114,30 @@ char *ccache_name = NULL; int locked = 0; -static void usage() +static void +usage() { fprintf(stderr, - "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" - "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n" - "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" - "where,\n\t[-x db_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n", - whoami); + "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" + "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n" + "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" + "where,\n\t[-x db_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n", + whoami); exit(1); } -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; @@ -145,13 +146,13 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", - hours, minutes, seconds); + days, days == 1 ? "day" : "days", + hours, minutes, seconds); return out; } -static char *strdate(when) - krb5_timestamp when; +static char * +strdate(krb5_timestamp when) { struct tm *tm; static char out[40]; @@ -165,9 +166,7 @@ static char *strdate(when) /* this is a wrapper to go around krb5_parse_principal so we can set the default realm up properly */ static krb5_error_code -kadmin_parse_name(name, principal) - char *name; - krb5_principal *principal; +kadmin_parse_name(char *name, krb5_principal *principal) { char *cp, *fullname; krb5_error_code retval; @@ -176,63 +175,64 @@ kadmin_parse_name(name, principal) /* assumes def_realm is initialized! */ cp = strchr(name, '@'); while (cp) { - if (cp - name && *(cp - 1) != '\\') - break; - else - cp = strchr(cp + 1, '@'); + if (cp - name && *(cp - 1) != '\\') + break; + else + cp = strchr(cp + 1, '@'); } if (cp == NULL) - result = asprintf(&fullname, "%s@%s", name, def_realm); + result = asprintf(&fullname, "%s@%s", name, def_realm); else - result = asprintf(&fullname, "%s", name); + result = asprintf(&fullname, "%s", name); if (result < 0) - return ENOMEM; + return ENOMEM; retval = krb5_parse_name(context, fullname, principal); free(fullname); return retval; } -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void +extended_com_err_fn(const char *myprog, errcode_t code, + const char *fmt, va_list args) { + const char *emsg; + if (code) { - const char *emsg; - emsg = krb5_get_error_message (context, code); - fprintf (stderr, "%s: %s ", myprog, emsg); - krb5_free_error_message (context, emsg); + emsg = krb5_get_error_message(context, code); + fprintf(stderr, "%s: %s ", myprog, emsg); + krb5_free_error_message(context, emsg); } else { - fprintf (stderr, "%s: ", myprog); + fprintf(stderr, "%s: ", myprog); } - vfprintf (stderr, fmt, args); - fprintf (stderr, "\n"); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); } /* Create a principal using the oldest appropriate kadm5 API. */ static krb5_error_code create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks, - krb5_key_salt_tuple *ks, char *pass) + krb5_key_salt_tuple *ks, char *pass) { if (ks) - return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass); + return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass); else - return kadm5_create_principal(handle, princ, mask, pass); + return kadm5_create_principal(handle, princ, mask, pass); } /* Randomize a principal's password using the oldest appropriate kadm5 API. */ static krb5_error_code randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks, - krb5_key_salt_tuple *ks) + krb5_key_salt_tuple *ks) { if (keepold || ks) { - return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks, - NULL, NULL); + return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks, + NULL, NULL); } else - return kadm5_randkey_principal(handle, princ, NULL, NULL); + return kadm5_randkey_principal(handle, princ, NULL, NULL); } -char *kadmin_startup(argc, argv) - int argc; - char *argv[]; +char * +kadmin_startup(int argc, char *argv[]) { extern char *optarg; char *princstr = NULL, *keytab_name = NULL, *query = NULL; @@ -247,155 +247,141 @@ char *kadmin_startup(argc, argv) char **db_args = NULL; int db_args_size = 0; char *db_name = NULL; - char *svcname; + char *svcname, *realm; memset(¶ms, 0, sizeof(params)); #if defined(USE_KIM) /* Turn off all password prompting from the KLL */ - retval = kim_library_set_allow_automatic_prompting (0); + retval = kim_library_set_allow_automatic_prompting(0); if (retval) { - com_err(whoami, retval, + com_err(whoami, retval, "while calling kim_library_set_allow_automatic_prompting()"); - exit(1); + exit(1); } #endif - if (strcmp (whoami, "kadmin.local") == 0) - set_com_err_hook(extended_com_err_fn); + if (strcmp(whoami, "kadmin.local") == 0) + set_com_err_hook(extended_com_err_fn); retval = kadm5_init_krb5_context(&context); if (retval) { - com_err(whoami, retval, "while initializing krb5 library"); - exit(1); + com_err(whoami, retval, "while initializing krb5 library"); + exit(1); } while ((optchar = getopt(argc, argv, "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { - switch (optchar) { - case 'x': - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); - if (temp == NULL) { - fprintf(stderr,"%s: Cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = optarg; - db_args[db_args_size] = NULL; - break; - - case 'r': - def_realm = optarg; - break; - case 'p': - princstr = optarg; - break; - case 'c': - ccache_name = optarg; - break; - case 'k': - use_keytab++; - break; - case 't': - keytab_name = optarg; - break; - case 'w': - password = optarg; - break; - case 'q': - query = optarg; - break; - case 'd': - /* now db_name is not a seperate argument. It has to be passed as part of the db_args */ - if (db_name) - free(db_name); - asprintf(&db_name, "dbname=%s", optarg); - - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if (temp == NULL) { - fprintf(stderr, - "%s: Cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = db_name; - db_args[db_args_size] = NULL; - break; - case 's': - params.admin_server = optarg; - params.mask |= KADM5_CONFIG_ADMIN_SERVER; - break; - case 'm': - params.mkey_from_kbd = 1; - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - break; - case 'e': - retval = krb5_string_to_keysalts(optarg, - ", \t", - ":.-", - 0, - ¶ms.keysalts, - ¶ms.num_keysalts); - if (retval) { - com_err(whoami, retval, "while parsing keysalts %s", optarg); - exit(1); - } - params.mask |= KADM5_CONFIG_ENCTYPES; - break; - case 'O': - params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI; - break; - case 'N': - params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK; - break; - default: - usage(); - } + switch (optchar) { + case 'x': + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "%s: Cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + db_args[db_args_size - 1] = optarg; + db_args[db_args_size] = NULL; + break; + + case 'r': + def_realm = optarg; + break; + case 'p': + princstr = optarg; + break; + case 'c': + ccache_name = optarg; + break; + case 'k': + use_keytab++; + break; + case 't': + keytab_name = optarg; + break; + case 'w': + password = optarg; + break; + case 'q': + query = optarg; + break; + case 'd': + /* db_name has to be passed as part of the db_args. */ + free(db_name); + asprintf(&db_name, "dbname=%s", optarg); + + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "%s: Cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + db_args[db_args_size - 1] = db_name; + db_args[db_args_size] = NULL; + break; + case 's': + params.admin_server = optarg; + params.mask |= KADM5_CONFIG_ADMIN_SERVER; + break; + case 'm': + params.mkey_from_kbd = 1; + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + break; + case 'e': + retval = krb5_string_to_keysalts(optarg, ", \t", ":.-", 0, + ¶ms.keysalts, + ¶ms.num_keysalts); + if (retval) { + com_err(whoami, retval, "while parsing keysalts %s", optarg); + exit(1); + } + params.mask |= KADM5_CONFIG_ENCTYPES; + break; + case 'O': + params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI; + break; + case 'N': + params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK; + break; + default: + usage(); + } } if ((ccache_name && use_keytab) || - (keytab_name && !use_keytab)) - usage(); + (keytab_name && !use_keytab)) + usage(); if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) { - if (freeprinc) - free(princstr); - fprintf(stderr, "%s: unable to get default realm\n", whoami); - exit(1); + fprintf(stderr, "%s: unable to get default realm\n", whoami); + exit(1); } params.mask |= KADM5_CONFIG_REALM; params.realm = def_realm; if (params.mask & KADM5_CONFIG_OLD_AUTH_GSSAPI) - svcname = KADM5_ADMIN_SERVICE; + svcname = KADM5_ADMIN_SERVICE; else - svcname = NULL; + svcname = NULL; /* * Set cc to an open credentials cache, either specified by the -c * argument or the default. */ if (ccache_name == NULL) { - if ((retval = krb5_cc_default(context, &cc))) { - com_err(whoami, retval, - "while opening default credentials cache"); - exit(1); - } + retval = krb5_cc_default(context, &cc); + if (retval) { + com_err(whoami, retval, "while opening default credentials cache"); + exit(1); + } } else { - if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) { - com_err(whoami, retval, - "while opening credentials cache %s", ccache_name); - exit(1); - } + retval = krb5_cc_resolve(context, ccache_name, &cc); + if (retval) { + com_err(whoami, retval, "while opening credentials cache %s", + ccache_name); + exit(1); + } } /* @@ -410,93 +396,85 @@ char *kadmin_startup(argc, argv) */ if (princstr == NULL) { - if (ccache_name != NULL && - !krb5_cc_get_principal(context, cc, &princ)) { - if ((retval = krb5_unparse_name(context, princ, &princstr))) { - com_err(whoami, retval, - "while canonicalizing principal name"); - krb5_free_principal(context, princ); - exit(1); - } - krb5_free_principal(context, princ); - freeprinc++; - } else if (use_keytab != 0) { - if ((retval = krb5_sname_to_principal(context, NULL, - "host", - KRB5_NT_SRV_HST, - &princ))) { - com_err(whoami, retval, - "creating host service principal"); - exit(1); - } - if ((retval = krb5_unparse_name(context, princ, &princstr))) { - com_err(whoami, retval, - "while canonicalizing principal name"); - krb5_free_principal(context, princ); - exit(1); - } - krb5_free_principal(context, princ); - freeprinc++; - } else if (!krb5_cc_get_principal(context, cc, &princ)) { - char *realm = NULL; - if (krb5_unparse_name(context, princ, &canon)) { - fprintf(stderr, - "%s: unable to canonicalize principal\n", whoami); - krb5_free_principal(context, princ); - exit(1); - } - /* strip out realm of principal if it's there */ - realm = strchr(canon, '@'); - while (realm) { - if (realm - canon && *(realm - 1) != '\\') - break; - else - realm = strchr(realm+1, '@'); - } - if (realm) - *realm++ = '\0'; - cp = strchr(canon, '/'); - while (cp) { - if (cp - canon && *(cp - 1) != '\\') - break; - else - cp = strchr(cp+1, '/'); - } - if (cp != NULL) - *cp = '\0'; - if (asprintf(&princstr, "%s/admin%s%s", canon, - (realm) ? "@" : "", - (realm) ? realm : "") < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - free(canon); - krb5_free_principal(context, princ); - freeprinc++; - } else if ((luser = getenv("USER"))) { - if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - freeprinc++; - } else if ((pw = getpwuid(getuid()))) { - if (asprintf(&princstr, "%s/admin@%s", pw->pw_name, - def_realm) < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - freeprinc++; - } else { - fprintf(stderr, "%s: unable to figure out a principal name\n", - whoami); - exit(1); - } + if (ccache_name != NULL && + !krb5_cc_get_principal(context, cc, &princ)) { + retval = krb5_unparse_name(context, princ, &princstr); + if (retval) { + com_err(whoami, retval, "while canonicalizing principal name"); + exit(1); + } + krb5_free_principal(context, princ); + freeprinc++; + } else if (use_keytab != 0) { + retval = krb5_sname_to_principal(context, NULL, "host", + KRB5_NT_SRV_HST, &princ); + if (retval) { + com_err(whoami, retval, "creating host service principal"); + exit(1); + } + retval = krb5_unparse_name(context, princ, &princstr); + if (retval) { + com_err(whoami, retval, "while canonicalizing principal name"); + exit(1); + } + krb5_free_principal(context, princ); + freeprinc++; + } else if (!krb5_cc_get_principal(context, cc, &princ)) { + if (krb5_unparse_name(context, princ, &canon)) { + fprintf(stderr, "%s: unable to canonicalize principal\n", + whoami); + exit(1); + } + /* Strip out realm of principal if it's there. */ + realm = strchr(canon, '@'); + while (realm) { + if (realm > canon && *(realm - 1) != '\\') + break; + realm = strchr(realm + 1, '@'); + } + if (realm) + *realm++ = '\0'; + cp = strchr(canon, '/'); + while (cp) { + if (cp > canon && *(cp - 1) != '\\') + break; + cp = strchr(cp + 1, '/'); + } + if (cp != NULL) + *cp = '\0'; + if (asprintf(&princstr, "%s/admin%s%s", canon, + (realm) ? "@" : "", + (realm) ? realm : "") < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + free(canon); + krb5_free_principal(context, princ); + freeprinc++; + } else if ((luser = getenv("USER"))) { + if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + freeprinc++; + } else if ((pw = getpwuid(getuid()))) { + if (asprintf(&princstr, "%s/admin@%s", pw->pw_name, + def_realm) < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + freeprinc++; + } else { + fprintf(stderr, "%s: unable to figure out a principal name\n", + whoami); + exit(1); + } } retval = krb5_klog_init(context, "admin_server", whoami, 0); if (retval) { - com_err(whoami, retval, "while setting up logging"); - exit(1); + com_err(whoami, retval, "while setting up logging"); + exit(1); } /* @@ -504,97 +482,83 @@ char *kadmin_startup(argc, argv) * use it. Otherwise, use/prompt for the password. */ if (ccache_name) { - printf("Authenticating as principal %s with existing credentials.\n", - princstr); - retval = kadm5_init_with_creds(context, princstr, cc, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + printf("Authenticating as principal %s with existing credentials.\n", + princstr); + retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, &handle); } else if (use_keytab) { - if (keytab_name) - printf("Authenticating as principal %s with keytab %s.\n", - princstr, keytab_name); - else - printf("Authenticating as principal %s with default keytab.\n", - princstr); - retval = kadm5_init_with_skey(context, princstr, keytab_name, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + if (keytab_name) + printf("Authenticating as principal %s with keytab %s.\n", + princstr, keytab_name); + else + printf("Authenticating as principal %s with default keytab.\n", + princstr); + retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, &handle); } else { - printf("Authenticating as principal %s with password.\n", - princstr); - retval = kadm5_init_with_password(context, princstr, password, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + printf("Authenticating as principal %s with password.\n", + princstr); + retval = kadm5_init_with_password(context, princstr, password, svcname, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, + &handle); } if (retval) { - com_err(whoami, retval, "while initializing %s interface", whoami); - if (retval == KADM5_BAD_CLIENT_PARAMS || - retval == KADM5_BAD_SERVER_PARAMS) - usage(); - exit(1); + com_err(whoami, retval, "while initializing %s interface", whoami); + if (retval == KADM5_BAD_CLIENT_PARAMS || + retval == KADM5_BAD_SERVER_PARAMS) + usage(); + exit(1); } if (freeprinc) - free(princstr); - - if (db_name) - free(db_name), db_name=NULL; + free(princstr); - if (db_args) - free(db_args), db_args=NULL; + free(db_name); + free(db_args); - if ((retval = krb5_cc_close(context, cc))) { - com_err(whoami, retval, "while closing ccache %s", - ccache_name); - exit(1); + retval = krb5_cc_close(context, cc); + if (retval) { + com_err(whoami, retval, "while closing ccache %s", ccache_name); + exit(1); } /* register the WRFILE keytab type and set it as the default */ { #define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab" - /* XXX krb5_defkeyname is an internal library global and - should go away */ - extern char *krb5_defkeyname; - krb5_defkeyname = DEFAULT_KEYTAB; + /* XXX krb5_defkeyname is an internal library global and + should go away */ + extern char *krb5_defkeyname; + krb5_defkeyname = DEFAULT_KEYTAB; } - if ((retval = kadm5_init_iprop(handle, 0)) != 0) { - com_err(whoami, retval, _("while mapping update log")); - exit(1); + retval = kadm5_init_iprop(handle, 0); + if (retval) { + com_err(whoami, retval, _("while mapping update log")); + exit(1); } return query; } -int quit() +int +quit() { kadm5_ret_t retval; if (locked) { - retval = kadm5_unlock(handle); - if (retval) { - com_err("quit", retval, "while unlocking locked database"); - return 1; - } - locked = 0; + retval = kadm5_unlock(handle); + if (retval) { + com_err("quit", retval, "while unlocking locked database"); + return 1; + } + locked = 0; } kadm5_destroy(handle); - if (ccache_name != NULL) { - fprintf(stderr, - "\n\a\a\aAdministration credentials NOT DESTROYED.\n"); - } + if (ccache_name != NULL) + fprintf(stderr, "\n\a\a\aAdministration credentials NOT DESTROYED.\n"); /* insert more random cleanup here */ krb5_klog_close(context); @@ -602,321 +566,259 @@ int quit() return 0; } -void kadmin_lock(argc, argv) - int argc; - char *argv[]; +void +kadmin_lock(int argc, char *argv[]) { kadm5_ret_t retval; if (locked) - return; + return; retval = kadm5_lock(handle); if (retval) { - com_err("lock", retval, ""); - return; + com_err("lock", retval, ""); + return; } locked = 1; } -void kadmin_unlock(argc, argv) - int argc; - char *argv[]; +void +kadmin_unlock(int argc, char *argv[]) { kadm5_ret_t retval; if (!locked) - return; + return; retval = kadm5_unlock(handle); if (retval) { - com_err("unlock", retval, ""); - return; + com_err("unlock", retval, ""); + return; } locked = 0; } -void kadmin_delprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_delprinc(int argc, char *argv[]) { kadm5_ret_t retval; - krb5_principal princ; - char *canon; + krb5_principal princ = NULL; + char *canon = NULL; char reply[5]; if (! (argc == 2 || - (argc == 3 && !strcmp("-force", argv[1])))) { - fprintf(stderr, "usage: delete_principal [-force] principal\n"); - return; + (argc == 3 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: delete_principal [-force] principal\n"); + return; } retval = kadmin_parse_name(argv[argc - 1], &princ); if (retval) { - com_err("delete_principal", retval, "while parsing principal name"); - return; + com_err("delete_principal", retval, "while parsing principal name"); + return; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("delete_principal", retval, - "while canonicalizing principal"); - krb5_free_principal(context, princ); - return; + com_err("delete_principal", retval, "while canonicalizing principal"); + goto cleanup; } if (argc == 2) { - printf("Are you sure you want to delete the principal \"%s\"? (yes/no): ", canon); - fgets(reply, sizeof (reply), stdin); - if (strcmp("yes\n", reply)) { - fprintf(stderr, "Principal \"%s\" not deleted\n", canon); - free(canon); - krb5_free_principal(context, princ); - return; - } + printf("Are you sure you want to delete the principal \"%s\"? " + "(yes/no): ", canon); + fgets(reply, sizeof (reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Principal \"%s\" not deleted\n", canon); + goto cleanup; + } } retval = kadm5_delete_principal(handle, princ); - krb5_free_principal(context, princ); if (retval) { - com_err("delete_principal", retval, - "while deleting principal \"%s\"", canon); - free(canon); - return; + com_err("delete_principal", retval, + "while deleting principal \"%s\"", canon); + goto cleanup; } - printf("Principal \"%s\" deleted.\nMake sure that you have removed this principal from all ACLs before reusing.\n", canon); + printf("Principal \"%s\" deleted.\nMake sure that you have removed this " + "principal from all ACLs before reusing.\n", canon); + +cleanup: + krb5_free_principal(context, princ); free(canon); - return; } -void kadmin_cpw(argc, argv) - int argc; - char *argv[]; +static void +cpw_usage(const char *str) +{ + if (str) + fprintf(stderr, "%s\n", str); + fprintf(stderr, "usage: change_password [-randkey] [-keepold] " + "[-e keysaltlist] [-pw password] principal\n"); +} + +void +kadmin_cpw(int argc, char *argv[]) { kadm5_ret_t retval; static char newpw[1024]; static char prompt1[1024], prompt2[1024]; - char *canon; - char *pwarg = NULL; + char *canon = NULL, *pwarg = NULL; int n_ks_tuple = 0, randkey = 0; krb5_boolean keepold = FALSE; krb5_key_salt_tuple *ks_tuple = NULL; - krb5_principal princ; + krb5_principal princ = NULL; char **db_args = NULL; int db_args_size = 0; - if (argc < 2) { - goto usage; + cpw_usage(NULL); + return; } for (argv++, argc--; argc > 1; argc--, argv++) { - if (!strcmp("-x", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, "change_password: missing db argument\n"); - goto usage; - } - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if (temp == NULL) { - fprintf(stderr,"change_password: Not enough memory\n"); - free(db_args), db_args = NULL; - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = *++argv; - db_args[db_args_size] = NULL; - continue; - } - if (!strcmp("-pw", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, "change_password: missing password arg\n"); - goto usage; - } - pwarg = *++argv; - continue; - } - if (!strcmp("-randkey", *argv)) { - randkey++; - continue; - } - if (!strcmp("-keepold", *argv)) { - keepold = TRUE; - continue; - } - if (!strcmp("-e", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, - "change_password: missing keysaltlist arg\n"); - goto usage; - } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, - &ks_tuple, &n_ks_tuple); - if (retval) { - com_err("change_password", retval, - "while parsing keysalts %s", *argv); - return; - } - continue; - } - goto usage; + if (!strcmp("-x", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing db argument"); + goto cleanup; + } + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "change_password: Not enough memory\n"); + exit(1); + } + db_args[db_args_size - 1] = *++argv; + db_args[db_args_size] = NULL; + } else if (!strcmp("-pw", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing password arg"); + goto cleanup; + } + pwarg = *++argv; + } else if (!strcmp("-randkey", *argv)) { + randkey++; + } else if (!strcmp("-keepold", *argv)) { + keepold = TRUE; + } else if (!strcmp("-e", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing keysaltlist arg"); + goto cleanup; + } + retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + &ks_tuple, &n_ks_tuple); + if (retval) { + com_err("change_password", retval, + "while parsing keysalts %s", *argv); + goto cleanup; + } + } else { + cpw_usage(NULL); + goto cleanup; + } } if (*argv == NULL) { - com_err("change_password", 0, "missing principal name"); - goto usage; + com_err("change_password", 0, "missing principal name"); + cpw_usage(NULL); + goto cleanup; } retval = kadmin_parse_name(*argv, &princ); if (retval) { - com_err("change_password", retval, "while parsing principal name"); - if (ks_tuple != NULL) - free(ks_tuple); - if (db_args) free(db_args); - return; + com_err("change_password", retval, "while parsing principal name"); + goto cleanup; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("change_password", retval, "while canonicalizing principal"); - krb5_free_principal(context, princ); - if (ks_tuple != NULL) - free(ks_tuple); - if (db_args) free(db_args); - return; + com_err("change_password", retval, "while canonicalizing principal"); + goto cleanup; } if (pwarg != NULL) { - if (keepold || ks_tuple != NULL) { - retval = kadm5_chpass_principal_3(handle, princ, keepold, - n_ks_tuple, ks_tuple, pwarg); - if (ks_tuple != NULL) - free(ks_tuple); - } else { - retval = kadm5_chpass_principal(handle, princ, pwarg); - } - krb5_free_principal(context, princ); - if (retval) { - com_err("change_password", retval, - "while changing password for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Password for \"%s\" changed.\n", canon); - free(canon); - if (db_args) free(db_args); - return; + if (keepold || ks_tuple != NULL) { + retval = kadm5_chpass_principal_3(handle, princ, keepold, + n_ks_tuple, ks_tuple, pwarg); + } else { + retval = kadm5_chpass_principal(handle, princ, pwarg); + } + if (retval) { + com_err("change_password", retval, + "while changing password for \"%s\".", canon); + goto cleanup; + } + printf("Password for \"%s\" changed.\n", canon); } else if (randkey) { - retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple); - if (ks_tuple != NULL) - free(ks_tuple); - krb5_free_principal(context, princ); - if (retval) { - com_err("change_password", retval, - "while randomizing key for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Key for \"%s\" randomized.\n", canon); - free(canon); - if (db_args) free(db_args); - return; - } else if (argc == 1) { - unsigned int i = sizeof (newpw) - 1; - - snprintf(prompt1, sizeof(prompt1), - "Enter password for principal \"%.900s\"", - *argv); - snprintf(prompt2, sizeof(prompt2), - "Re-enter password for principal \"%.900s\"", - *argv); - retval = krb5_read_password(context, prompt1, prompt2, - newpw, &i); - if (retval) { - com_err("change_password", retval, - "while reading password for \"%s\".", canon); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - krb5_free_principal(context, princ); - if (db_args) free(db_args); - return; - } - if (keepold || ks_tuple != NULL) { - retval = kadm5_chpass_principal_3(handle, princ, keepold, - n_ks_tuple, ks_tuple, - newpw); - if (ks_tuple != NULL) - free(ks_tuple); - } else { - retval = kadm5_chpass_principal(handle, princ, newpw); - } - krb5_free_principal(context, princ); - memset(newpw, 0, sizeof (newpw)); - if (retval) { - com_err("change_password", retval, - "while changing password for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Password for \"%s\" changed.\n", canon); - free(canon); - if (db_args) free(db_args); - return; + retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple); + if (retval) { + com_err("change_password", retval, + "while randomizing key for \"%s\".", canon); + goto cleanup; + } + printf("Key for \"%s\" randomized.\n", canon); } else { - free(canon); - krb5_free_principal(context, princ); - usage: - if (db_args) free(db_args); - if (ks_tuple != NULL) - free(ks_tuple); - fprintf(stderr, - "usage: change_password [-randkey] [-keepold] " - "[-e keysaltlist] [-pw password] " - "principal\n"); - return; + unsigned int i = sizeof (newpw) - 1; + + snprintf(prompt1, sizeof(prompt1), + "Enter password for principal \"%s\"", canon); + snprintf(prompt2, sizeof(prompt2), + "Re-enter password for principal \"%s\"", canon); + retval = krb5_read_password(context, prompt1, prompt2, + newpw, &i); + if (retval) { + com_err("change_password", retval, + "while reading password for \"%s\".", canon); + goto cleanup; + } + if (keepold || ks_tuple != NULL) { + retval = kadm5_chpass_principal_3(handle, princ, keepold, + n_ks_tuple, ks_tuple, + newpw); + } else { + retval = kadm5_chpass_principal(handle, princ, newpw); + } + memset(newpw, 0, sizeof (newpw)); + if (retval) { + com_err("change_password", retval, + "while changing password for \"%s\".", canon); + goto cleanup; + } + printf("Password for \"%s\" changed.\n", canon); } +cleanup: + free(canon); + free(db_args); + krb5_free_principal(context, princ); + free(ks_tuple); } static void kadmin_free_tl_data(kadm5_principal_ent_t princ) { - krb5_tl_data *tl_data = princ->tl_data; - int n_tl_data = princ->n_tl_data; + krb5_tl_data *tl_data = princ->tl_data, *next; + int n_tl_data = princ->n_tl_data; int i; princ->n_tl_data = 0; - princ->tl_data = NULL; + princ->tl_data = NULL; for (i = 0; tl_data && (i < n_tl_data); i++) { - krb5_tl_data *next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); - free(tl_data); - tl_data = next; + next = tl_data->tl_data_next; + free(tl_data->tl_data_contents); + free(tl_data); + tl_data = next; } } +/* + * Parse addprinc or modprinc arguments. Some output fields may be + * filled in on error. + */ #define KRB5_TL_DB_ARGS 0x7fff static int -kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey, - ks_tuple, n_ks_tuple, +kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, + long *mask, char **pass, krb5_boolean *randkey, + krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple, #if APPLE_PKINIT - cert_hash, + char **cert_hash, #endif /* APPLE_PKINIT */ - caller) - int argc; - char *argv[]; - kadm5_principal_ent_t oprinc; - long *mask; - char **pass; - krb5_boolean *randkey; - krb5_key_salt_tuple **ks_tuple; - int *n_ks_tuple; -#if APPLE_PKINIT - char **cert_hash; -#endif /* APPLE_PKINIT */ - char *caller; + char *caller) { - int i, j, attrib_set; + int i, attrib_set; + size_t j; time_t date; time_t now; krb5_error_code retval; @@ -932,239 +834,229 @@ kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey, time(&now); *randkey = FALSE; for (i = 1; i < argc - 1; i++) { - attrib_set = 0; - if (strlen(argv[i]) == 2 && - !strcmp("-x",argv[i])) { - if (++i > argc - 2) - return -1; - - tl_data = malloc(sizeof(krb5_tl_data)); - if (tl_data == NULL) { - fprintf(stderr, "Not enough memory\n"); - return ENOMEM; - } - - memset(tl_data, 0, sizeof(krb5_tl_data)); - tl_data->tl_data_type = KRB5_TL_DB_ARGS; - tl_data->tl_data_length = strlen(argv[i])+1; - tl_data->tl_data_contents = strdup(argv[i]); - - if (tail) { - tail->tl_data_next = tl_data; - } else { - oprinc->tl_data = tl_data; - } - tail = tl_data; - oprinc->n_tl_data++; - - if (tl_data->tl_data_contents == NULL) { - fprintf(stderr, "Not enough memory\n"); - return ENOMEM; - } - *mask |= KADM5_TL_DATA; - continue; - } - if (strlen(argv[i]) == 7 && - !strcmp("-expire", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->princ_expire_time = date; - *mask |= KADM5_PRINC_EXPIRE_TIME; - continue; - } - } - if (strlen(argv[i]) == 9 && - !strcmp("-pwexpire", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->pw_expiration = date; - *mask |= KADM5_PW_EXPIRATION; - continue; - } - } - if (strlen(argv[i]) == 8 && - !strcmp("-maxlife", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->max_life = date - now; - *mask |= KADM5_MAX_LIFE; - continue; - } - } - if (strlen(argv[i]) == 13 && - !strcmp("-maxrenewlife", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->max_renewable_life = date - now; - *mask |= KADM5_MAX_RLIFE; - continue; - } - } - if (strlen(argv[i]) == 5 && - !strcmp("-kvno", argv[i])) { - if (++i > argc - 2) - return -1; - else { - oprinc->kvno = atoi(argv[i]); - *mask |= KADM5_KVNO; - continue; - } - } - if (strlen(argv[i]) == 7 && - !strcmp("-policy", argv[i])) { - if (++i > argc - 2) - return -1; - else { - oprinc->policy = argv[i]; - *mask |= KADM5_POLICY; - continue; - } - } - if (strlen(argv[i]) == 12 && - !strcmp("-clearpolicy", argv[i])) { - oprinc->policy = NULL; - *mask |= KADM5_POLICY_CLR; - continue; - } - if (strlen(argv[i]) == 3 && - !strcmp("-pw", argv[i])) { - if (++i > argc - 2) - return -1; - else { - *pass = argv[i]; - continue; - } - } - if (strlen(argv[i]) == 8 && - !strcmp("-randkey", argv[i])) { - *randkey = TRUE; - continue; - } + attrib_set = 0; + if (strlen(argv[i]) == 2 && !strcmp("-x",argv[i])) { + if (++i > argc - 2) + return -1; + + tl_data = malloc(sizeof(krb5_tl_data)); + if (tl_data == NULL) { + fprintf(stderr, "Not enough memory\n"); + exit(1); + } + + memset(tl_data, 0, sizeof(krb5_tl_data)); + tl_data->tl_data_type = KRB5_TL_DB_ARGS; + tl_data->tl_data_length = strlen(argv[i])+1; + tl_data->tl_data_contents = (krb5_octet *) strdup(argv[i]); + + if (tail) { + tail->tl_data_next = tl_data; + } else { + oprinc->tl_data = tl_data; + } + tail = tl_data; + oprinc->n_tl_data++; + + if (tl_data->tl_data_contents == NULL) { + fprintf(stderr, "Not enough memory\n"); + exit(1); + } + *mask |= KADM5_TL_DATA; + continue; + } + if (strlen(argv[i]) == 7 && !strcmp("-expire", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->princ_expire_time = date; + *mask |= KADM5_PRINC_EXPIRE_TIME; + continue; + } + } + if (strlen(argv[i]) == 9 && !strcmp("-pwexpire", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->pw_expiration = date; + *mask |= KADM5_PW_EXPIRATION; + continue; + } + } + if (strlen(argv[i]) == 8 && !strcmp("-maxlife", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->max_life = date - now; + *mask |= KADM5_MAX_LIFE; + continue; + } + } + if (strlen(argv[i]) == 13 && !strcmp("-maxrenewlife", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->max_renewable_life = date - now; + *mask |= KADM5_MAX_RLIFE; + continue; + } + } + if (strlen(argv[i]) == 5 && !strcmp("-kvno", argv[i])) { + if (++i > argc - 2) + return -1; + else { + oprinc->kvno = atoi(argv[i]); + *mask |= KADM5_KVNO; + continue; + } + } + if (strlen(argv[i]) == 7 && !strcmp("-policy", argv[i])) { + if (++i > argc - 2) + return -1; + else { + oprinc->policy = argv[i]; + *mask |= KADM5_POLICY; + continue; + } + } + if (strlen(argv[i]) == 12 && !strcmp("-clearpolicy", argv[i])) { + oprinc->policy = NULL; + *mask |= KADM5_POLICY_CLR; + continue; + } + if (strlen(argv[i]) == 3 && !strcmp("-pw", argv[i])) { + if (++i > argc - 2) + return -1; + else { + *pass = argv[i]; + continue; + } + } + if (strlen(argv[i]) == 8 && !strcmp("-randkey", argv[i])) { + *randkey = TRUE; + continue; + } #if APPLE_PKINIT - if (strlen(argv[i]) == 9 && - !strcmp("-certhash", argv[i])) { - if (++i > argc - 2) - return -1; - else { - *cert_hash = argv[i]; - continue; - } - } + if (strlen(argv[i]) == 9 && !strcmp("-certhash", argv[i])) { + if (++i > argc - 2) + return -1; + else { + *cert_hash = argv[i]; + continue; + } + } #endif /* APPLE_PKINIT */ - if (!strcmp("-e", argv[i])) { - if (++i > argc - 2) - return -1; - else { - retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0, - ks_tuple, n_ks_tuple); - if (retval) { - com_err(caller, retval, - "while parsing keysalts %s", argv[i]); - return -1; - } - } - continue; - } - for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) { - if (strlen(argv[i]) == flags[j].flaglen + 1 && - !strcmp(flags[j].flagname, - &argv[i][1] /* strip off leading + or - */)) { - if ((flags[j].set && argv[i][0] == '-') || - (!flags[j].set && argv[i][0] == '+')) { - oprinc->attributes |= flags[j].theflag; - *mask |= KADM5_ATTRIBUTES; - attrib_set++; - break; - } else if ((flags[j].set && argv[i][0] == '+') || - (!flags[j].set && argv[i][0] == '-')) { - oprinc->attributes &= ~flags[j].theflag; - *mask |= KADM5_ATTRIBUTES; - attrib_set++; - break; - } else { - return -1; - } - } - } - if (!attrib_set) - return -1; /* nothing was parsed */ - } - if (i != argc - 1) { - return -1; + if (!strcmp("-e", argv[i])) { + if (++i > argc - 2) + return -1; + else { + retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0, + ks_tuple, n_ks_tuple); + if (retval) { + com_err(caller, retval, + "while parsing keysalts %s", argv[i]); + return -1; + } + } + continue; + } + for (j = 0; j < sizeof(flags) / sizeof(struct pflag); j++) { + if (strlen(argv[i]) == flags[j].flaglen + 1 && + !strcmp(flags[j].flagname, + &argv[i][1] /* strip off leading + or - */)) { + if ((flags[j].set && argv[i][0] == '-') || + (!flags[j].set && argv[i][0] == '+')) { + oprinc->attributes |= flags[j].theflag; + *mask |= KADM5_ATTRIBUTES; + attrib_set++; + break; + } else if ((flags[j].set && argv[i][0] == '+') || + (!flags[j].set && argv[i][0] == '-')) { + oprinc->attributes &= ~flags[j].theflag; + *mask |= KADM5_ATTRIBUTES; + attrib_set++; + break; + } else { + return -1; + } + } + } + if (!attrib_set) + return -1; /* nothing was parsed */ } + if (i != argc - 1) + return -1; retval = kadmin_parse_name(argv[i], &oprinc->principal); if (retval) { - com_err(caller, retval, "while parsing principal"); - return -1; + com_err(caller, retval, "while parsing principal"); + return -1; } return 0; } static void -kadmin_addprinc_usage(func) - char *func; +kadmin_addprinc_usage() { - fprintf(stderr, "usage: %s [options] principal\n", func); + fprintf(stderr, "usage: add_principal [options] principal\n"); fprintf(stderr, "\toptions are:\n"); - fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n\t\t[-pw password] [-maxrenewlife maxrenewlife]\n\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n" + fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] " + "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n" + "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n" + "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" + "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n" #if APPLE_PKINIT "\t\t[-certhash hash_string]\n" #endif /* APPLE_PKINIT */ ); fprintf(stderr, "\tattributes are:\n"); fprintf(stderr, "%s%s%s", - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" - "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n"); + "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", + "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", + "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" + "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n"); } static void -kadmin_modprinc_usage(func) - char *func; +kadmin_modprinc_usage() { - fprintf(stderr, "usage: %s [options] principal\n", func); + fprintf(stderr, "usage: modify_principal [options] principal\n"); fprintf(stderr, "\toptions are:\n"); fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n"); fprintf(stderr, "\tattributes are:\n"); fprintf(stderr, "%s%s%s", - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" - "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n" - ); + "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", + "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", + "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" + "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n" + ); } /* Create a dummy password for old-style (pre-1.8) randkey creation. */ @@ -1176,21 +1068,20 @@ prepare_dummy_password(char *buf, size_t sz) /* Must try to pass any password policy in place, and be valid UTF-8. */ strlcpy(buf, "6F a[", sz); for (i = strlen(buf); i < sz - 1; i++) - buf[i] = 'a' + (i % 26); + buf[i] = 'a' + (i % 26); buf[sz - 1] = '\0'; } -void kadmin_addprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_addprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ; kadm5_policy_ent_rec defpol; long mask; krb5_boolean randkey = FALSE, old_style_randkey = FALSE; int n_ks_tuple; - krb5_key_salt_tuple *ks_tuple; - char *pass, *canon; + krb5_key_salt_tuple *ks_tuple = NULL; + char *pass, *canon = NULL; krb5_error_code retval; char newpw[1024], dummybuf[256]; static char prompt1[1024], prompt2[1024]; @@ -1202,35 +1093,28 @@ void kadmin_addprinc(argc, argv) memset(&princ, 0, sizeof(princ)); princ.attributes = 0; - if (kadmin_parse_princ_args(argc, argv, - &princ, &mask, &pass, &randkey, - &ks_tuple, &n_ks_tuple, + if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey, + &ks_tuple, &n_ks_tuple, #if APPLE_PKINIT &cert_hash, #endif /* APPLE_PKINIT */ - "add_principal")) { - kadmin_addprinc_usage("add_principal"); - kadmin_free_tl_data(&princ); /* need to free ks_tuple also??? */ - return; + "add_principal")) { + kadmin_addprinc_usage(); + goto cleanup; } #if APPLE_PKINIT if(cert_hash != NULL) { - fprintf(stderr, + fprintf(stderr, "add_principal: -certhash not allowed; use modify_principal\n"); - return; + goto cleanup; } #endif /* APPLE_PKINIT */ retval = krb5_unparse_name(context, princ.principal, &canon); if (retval) { - com_err("add_principal", - retval, "while canonicalizing principal"); - krb5_free_principal(context, princ.principal); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; + com_err("add_principal", retval, "while canonicalizing principal"); + goto cleanup; } /* @@ -1239,124 +1123,98 @@ void kadmin_addprinc(argc, argv) * -clearpolicy was specified, then KADM5_POLICY_CLR should be * unset, since it is never valid for kadm5_create_principal. */ - if ((! (mask & KADM5_POLICY)) && - (! (mask & KADM5_POLICY_CLR))) { - if (! kadm5_get_policy(handle, "default", &defpol)) { - fprintf(stderr, - "NOTICE: no policy specified for %s; assigning \"default\"\n", - canon); - princ.policy = "default"; - mask |= KADM5_POLICY; - (void) kadm5_free_policy_ent(handle, &defpol); - } else - fprintf(stderr, - "WARNING: no policy specified for %s; defaulting to no policy\n", - canon); + if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) { + if (!kadm5_get_policy(handle, "default", &defpol)) { + fprintf(stderr, "NOTICE: no policy specified for %s; " + "assigning \"default\"\n", canon); + princ.policy = "default"; + mask |= KADM5_POLICY; + kadm5_free_policy_ent(handle, &defpol); + } else + fprintf(stderr, "WARNING: no policy specified for %s; " + "defaulting to no policy\n", canon); } mask &= ~KADM5_POLICY_CLR; if (randkey) { - pass = NULL; + pass = NULL; } else if (pass == NULL) { - unsigned int sz = sizeof (newpw) - 1; - - snprintf(prompt1, sizeof(prompt1), - "Enter password for principal \"%.900s\"", - canon); - snprintf(prompt2, sizeof(prompt2), - "Re-enter password for principal \"%.900s\"", - canon); - retval = krb5_read_password(context, prompt1, prompt2, - newpw, &sz); - if (retval) { - com_err("add_principal", retval, - "while reading password for \"%s\".", canon); - free(canon); - krb5_free_principal(context, princ.principal); - kadmin_free_tl_data(&princ); - return; - } - pass = newpw; + unsigned int sz = sizeof(newpw) - 1; + + snprintf(prompt1, sizeof(prompt1), + "Enter password for principal \"%s\"", canon); + snprintf(prompt2, sizeof(prompt2), + "Re-enter password for principal \"%s\"", canon); + retval = krb5_read_password(context, prompt1, prompt2, newpw, &sz); + if (retval) { + com_err("add_principal", retval, + "while reading password for \"%s\".", canon); + goto cleanup; + } + pass = newpw; } mask |= KADM5_PRINCIPAL; retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); if (retval == EINVAL && randkey) { - /* - * The server doesn't support randkey creation. Create the principal - * with a dummy password and disallow tickets. - */ - prepare_dummy_password(dummybuf, sizeof(dummybuf)); - princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_ATTRIBUTES; - pass = dummybuf; - retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); - old_style_randkey = 1; + /* + * The server doesn't support randkey creation. Create the principal + * with a dummy password and disallow tickets. + */ + prepare_dummy_password(dummybuf, sizeof(dummybuf)); + princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + mask |= KADM5_ATTRIBUTES; + pass = dummybuf; + retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); + old_style_randkey = 1; } if (retval) { - com_err("add_principal", retval, "while creating \"%s\".", - canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; + com_err("add_principal", retval, "while creating \"%s\".", canon); + goto cleanup; } if (old_style_randkey) { - /* Randomize the password and re-enable tickets. */ - retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple); - if (retval) { - com_err("add_principal", retval, - "while randomizing key for \"%s\".", canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; - } - princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */ - mask = KADM5_ATTRIBUTES; - retval = kadm5_modify_principal(handle, &princ, mask); - if (retval) { - com_err("add_principal", retval, - "while clearing DISALLOW_ALL_TIX for \"%s\".", canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; - } + /* Randomize the password and re-enable tickets. */ + retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple); + if (retval) { + com_err("add_principal", retval, + "while randomizing key for \"%s\".", canon); + goto cleanup; + } + princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */ + mask = KADM5_ATTRIBUTES; + retval = kadm5_modify_principal(handle, &princ, mask); + if (retval) { + com_err("add_principal", retval, + "while clearing DISALLOW_ALL_TIX for \"%s\".", canon); + goto cleanup; + } } - krb5_free_principal(context, princ.principal); printf("Principal \"%s\" created.\n", canon); - if (ks_tuple != NULL) - free(ks_tuple); + +cleanup: + krb5_free_principal(context, princ.principal); + free(ks_tuple); free(canon); kadmin_free_tl_data(&princ); - } -void kadmin_modprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_modprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ, oldprinc; - krb5_principal kprinc; + krb5_principal kprinc = NULL; long mask; krb5_error_code retval; - char *pass, *canon; + char *pass, *canon = NULL; krb5_boolean randkey = FALSE; int n_ks_tuple = 0; - krb5_key_salt_tuple *ks_tuple; + krb5_key_salt_tuple *ks_tuple = NULL; #if APPLE_PKINIT char *cert_hash = NULL; #endif /* APPLE_PKINIT */ if (argc < 2) { - kadmin_modprinc_usage("modify_principal"); - return; + kadmin_modprinc_usage(); + return; } memset(&oldprinc, 0, sizeof(oldprinc)); @@ -1364,77 +1222,44 @@ void kadmin_modprinc(argc, argv) retval = kadmin_parse_name(argv[argc - 1], &kprinc); if (retval) { - com_err("modify_principal", retval, "while parsing principal"); - return; + com_err("modify_principal", retval, "while parsing principal"); + return; } retval = krb5_unparse_name(context, kprinc, &canon); if (retval) { - com_err("modify_principal", retval, - "while canonicalizing principal"); - krb5_free_principal(context, kprinc); - return; + com_err("modify_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = kadm5_get_principal(handle, kprinc, &oldprinc, - KADM5_PRINCIPAL_NORMAL_MASK); + KADM5_PRINCIPAL_NORMAL_MASK); if (retval) { - com_err("modify_principal", retval, "while getting \"%s\".", - canon); - krb5_free_principal(context, kprinc); - free(canon); - return; + com_err("modify_principal", retval, "while getting \"%s\".", canon); + goto cleanup; } princ.attributes = oldprinc.attributes; kadm5_free_principal_ent(handle, &oldprinc); retval = kadmin_parse_princ_args(argc, argv, - &princ, &mask, - &pass, &randkey, - &ks_tuple, &n_ks_tuple, + &princ, &mask, + &pass, &randkey, + &ks_tuple, &n_ks_tuple, #if APPLE_PKINIT &cert_hash, #endif /* APPLE_PKINIT */ - "modify_principal"); - if (ks_tuple != NULL) { - free(ks_tuple); - kadmin_modprinc_usage("modify_principal"); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */ - return; - } - if (retval) { - kadmin_modprinc_usage("modify_principal"); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */ - return; - } - if (randkey) { - fprintf(stderr, "modify_principal: -randkey not allowed\n"); - krb5_free_principal(context, princ.principal); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); - return; - } - if (pass) { - fprintf(stderr, - "modify_principal: -pw not allowed; use change_password\n"); - krb5_free_principal(context, princ.principal); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); - return; + "modify_principal"); + if (retval || ks_tuple != NULL || randkey || pass) { + kadmin_modprinc_usage(); + goto cleanup; } #if APPLE_PKINIT if (cert_hash) { - /* + /* * Use something other than the 1st preferred enctype here for fallback * to pwd authentication */ krb5_key_salt_tuple key_salt = {ENCTYPE_ARCFOUR_HMAC, KRB5_KDB_SALTTYPE_CERTHASH}; krb5_keyblock keyblock; kadm5_ret_t kadmin_rtn; - + keyblock.magic = KV5M_KEYBLOCK; keyblock.enctype = ENCTYPE_ARCFOUR_HMAC; keyblock.length = strlen(cert_hash); @@ -1447,275 +1272,250 @@ void kadmin_modprinc(argc, argv) com_err("modify_principal", kadmin_rtn, "while adding certhash for \"%s\".", canon); printf("realm %s data %s\n", (char *)kprinc->realm.data, (char *)kprinc->data->data); - free(canon); - krb5_free_principal(context, princ.principal); - krb5_free_principal(context, kprinc); - return; + goto cleanup; } retval = 0; } #endif /* APPLE_PKINIT */ if (mask) { - /* skip this if all we're doing is setting certhash */ - retval = kadm5_modify_principal(handle, &princ, mask); + /* Skip this if all we're doing is setting certhash. */ + retval = kadm5_modify_principal(handle, &princ, mask); } - krb5_free_principal(context, kprinc); - krb5_free_principal(context, princ.principal); if (retval) { - com_err("modify_principal", retval, - "while modifying \"%s\".", canon); - free(canon); - kadmin_free_tl_data(&princ); - return; + com_err("modify_principal", retval, "while modifying \"%s\".", canon); + goto cleanup; } printf("Principal \"%s\" modified.\n", canon); +cleanup: + krb5_free_principal(context, kprinc); + krb5_free_principal(context, princ.principal); kadmin_free_tl_data(&princ); free(canon); + free(ks_tuple); } -void kadmin_getprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprinc(int argc, char *argv[]) { kadm5_principal_ent_rec dprinc; - krb5_principal princ; + krb5_principal princ = NULL; krb5_error_code retval; - char *canon, *modcanon; + char *canon = NULL, *modcanon = NULL; int i; + size_t j; - if (! (argc == 2 || - (argc == 3 && !strcmp("-terse", argv[1])))) { - fprintf(stderr, "usage: get_principal [-terse] principal\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) { + fprintf(stderr, "usage: get_principal [-terse] principal\n"); + return; } - memset(&dprinc, 0, sizeof(dprinc)); - memset(&princ, 0, sizeof(princ)); retval = kadmin_parse_name(argv[argc - 1], &princ); if (retval) { - com_err("get_principal", retval, "while parsing principal"); - return; + com_err("get_principal", retval, "while parsing principal"); + return; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("get_principal", retval, "while canonicalizing principal"); - krb5_free_principal(context, princ); - return; + com_err("get_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = kadm5_get_principal(handle, princ, &dprinc, - KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA); - krb5_free_principal(context, princ); + KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA); if (retval) { - com_err("get_principal", retval, "while retrieving \"%s\".", canon); - free(canon); - return; + com_err("get_principal", retval, "while retrieving \"%s\".", canon); + goto cleanup; } - free(canon); - canon = NULL; retval = krb5_unparse_name(context, dprinc.principal, &canon); if (retval) { - com_err("get_principal", retval, "while canonicalizing principal"); - kadm5_free_principal_ent(handle, &dprinc); - return; + com_err("get_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon); if (retval) { - com_err("get_principal", retval, "while unparsing modname"); - kadm5_free_principal_ent(handle, &dprinc); - free(canon); - return; + com_err("get_principal", retval, "while unparsing modname"); + goto cleanup; } if (argc == 2) { - printf("Principal: %s\n", canon); - printf("Expiration date: %s\n", dprinc.princ_expire_time ? - strdate(dprinc.princ_expire_time) : "[never]"); - printf("Last password change: %s\n", dprinc.last_pwd_change ? - strdate(dprinc.last_pwd_change) : "[never]"); - printf("Password expiration date: %s\n", - dprinc.pw_expiration ? - strdate(dprinc.pw_expiration) : "[none]"); - printf("Maximum ticket life: %s\n", strdur(dprinc.max_life)); - printf("Maximum renewable life: %s\n", strdur(dprinc.max_renewable_life)); - printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon); - printf("Last successful authentication: %s\n", - dprinc.last_success ? strdate(dprinc.last_success) : - "[never]"); - printf("Last failed authentication: %s\n", - dprinc.last_failed ? strdate(dprinc.last_failed) : - "[never]"); - printf("Failed password attempts: %d\n", - dprinc.fail_auth_count); - printf("Number of keys: %d\n", dprinc.n_key_data); - for (i = 0; i < dprinc.n_key_data; i++) { - krb5_key_data *key_data = &dprinc.key_data[i]; - char enctype[BUFSIZ], salttype[BUFSIZ]; - - if (krb5_enctype_to_string(key_data->key_data_type[0], - enctype, sizeof(enctype))) - snprintf(enctype, sizeof(enctype), "", - key_data->key_data_type[0]); - printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype); - if (key_data->key_data_ver > 1) { - if (krb5_salttype_to_string(key_data->key_data_type[1], - salttype, sizeof(salttype))) - snprintf(salttype, sizeof(salttype), "", - key_data->key_data_type[1]); - printf("%s\n", salttype); - } else - printf("no salt\n"); - } - printf("MKey: vno %d\n", - dprinc.mkvno); - - printf("Attributes:"); - for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) { - if (dprinc.attributes & (krb5_flags) 1 << i) - printf(" %s", prflags[i]); - } - printf("\n"); - printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]"); + printf("Principal: %s\n", canon); + printf("Expiration date: %s\n", dprinc.princ_expire_time ? + strdate(dprinc.princ_expire_time) : "[never]"); + printf("Last password change: %s\n", dprinc.last_pwd_change ? + strdate(dprinc.last_pwd_change) : "[never]"); + printf("Password expiration date: %s\n", + dprinc.pw_expiration ? + strdate(dprinc.pw_expiration) : "[none]"); + printf("Maximum ticket life: %s\n", strdur(dprinc.max_life)); + printf("Maximum renewable life: %s\n", + strdur(dprinc.max_renewable_life)); + printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon); + printf("Last successful authentication: %s\n", + dprinc.last_success ? strdate(dprinc.last_success) : + "[never]"); + printf("Last failed authentication: %s\n", + dprinc.last_failed ? strdate(dprinc.last_failed) : + "[never]"); + printf("Failed password attempts: %d\n", + dprinc.fail_auth_count); + printf("Number of keys: %d\n", dprinc.n_key_data); + for (i = 0; i < dprinc.n_key_data; i++) { + krb5_key_data *key_data = &dprinc.key_data[i]; + char enctype[BUFSIZ], salttype[BUFSIZ]; + + if (krb5_enctype_to_string(key_data->key_data_type[0], + enctype, sizeof(enctype))) + snprintf(enctype, sizeof(enctype), "", + key_data->key_data_type[0]); + printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype); + if (key_data->key_data_ver > 1) { + if (krb5_salttype_to_string(key_data->key_data_type[1], + salttype, sizeof(salttype))) + snprintf(salttype, sizeof(salttype), "", + key_data->key_data_type[1]); + printf("%s\n", salttype); + } else + printf("no salt\n"); + } + printf("MKey: vno %d\n", + dprinc.mkvno); + + printf("Attributes:"); + for (j = 0; j < sizeof(prflags) / sizeof(char *); j++) { + if (dprinc.attributes & (krb5_flags) 1 << j) + printf(" %s", prflags[j]); + } + printf("\n"); + printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]"); } else { - printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" - "\t%d\t%d\t%d\t%d\t%d", - canon, dprinc.princ_expire_time, dprinc.last_pwd_change, - dprinc.pw_expiration, dprinc.max_life, modcanon, - dprinc.mod_date, dprinc.attributes, dprinc.kvno, - dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]", - dprinc.max_renewable_life, dprinc.last_success, - dprinc.last_failed, dprinc.fail_auth_count, - dprinc.n_key_data); - for (i = 0; i < dprinc.n_key_data; i++) - printf("\t%d\t%d\t%d\t%d", - dprinc.key_data[i].key_data_ver, - dprinc.key_data[i].key_data_kvno, - dprinc.key_data[i].key_data_type[0], - dprinc.key_data[i].key_data_type[1]); - printf("\n"); - } - free(modcanon); + printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" + "\t%d\t%d\t%d\t%d\t%d", + canon, dprinc.princ_expire_time, dprinc.last_pwd_change, + dprinc.pw_expiration, dprinc.max_life, modcanon, + dprinc.mod_date, dprinc.attributes, dprinc.kvno, + dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]", + dprinc.max_renewable_life, dprinc.last_success, + dprinc.last_failed, dprinc.fail_auth_count, + dprinc.n_key_data); + for (i = 0; i < dprinc.n_key_data; i++) + printf("\t%d\t%d\t%d\t%d", + dprinc.key_data[i].key_data_ver, + dprinc.key_data[i].key_data_kvno, + dprinc.key_data[i].key_data_type[0], + dprinc.key_data[i].key_data_type[1]); + printf("\n"); + } +cleanup: + krb5_free_principal(context, princ); kadm5_free_principal_ent(handle, &dprinc); + free(modcanon); free(canon); } -void kadmin_getprincs(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprincs(int argc, char *argv[]) { krb5_error_code retval; char *expr, **names; int i, count; expr = NULL; - if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) { - fprintf(stderr, "usage: get_principals [expression]\n"); - return; + if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) { + fprintf(stderr, "usage: get_principals [expression]\n"); + return; } retval = kadm5_get_principals(handle, expr, &names, &count); if (retval) { - com_err("get_principals", retval, "while retrieving list."); - return; + com_err("get_principals", retval, "while retrieving list."); + return; } for (i = 0; i < count; i++) - printf("%s\n", names[i]); + printf("%s\n", names[i]); kadm5_free_name_list(handle, names, count); } static int -kadmin_parse_policy_args(argc, argv, policy, mask, caller) - int argc; - char *argv[]; - kadm5_policy_ent_t policy; - long *mask; - char *caller; +kadmin_parse_policy_args(int argc, char *argv[], kadm5_policy_ent_t policy, + long *mask, char *caller) { int i; - time_t now; - time_t date; + time_t now, date; time(&now); *mask = 0; for (i = 1; i < argc - 1; i++) { - if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-maxlife")) { - if (++i > argc -2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - policy->pw_max_life = date - now; - *mask |= KADM5_PW_MAX_LIFE; - continue; - } - } else if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-minlife")) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - policy->pw_min_life = date - now; - *mask |= KADM5_PW_MIN_LIFE; - continue; - } - } else if (strlen(argv[i]) == 10 && - !strcmp(argv[i], "-minlength")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_min_length = atoi(argv[i]); - *mask |= KADM5_PW_MIN_LENGTH; - continue; - } - } else if (strlen(argv[i]) == 11 && - !strcmp(argv[i], "-minclasses")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_min_classes = atoi(argv[i]); - *mask |= KADM5_PW_MIN_CLASSES; - continue; - } - } else if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-history")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_history_num = atoi(argv[i]); - *mask |= KADM5_PW_HISTORY_NUM; - continue; - } - } else - return -1; + if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-maxlife")) { + if (++i > argc -2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + policy->pw_max_life = date - now; + *mask |= KADM5_PW_MAX_LIFE; + continue; + } + } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-minlife")) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + policy->pw_min_life = date - now; + *mask |= KADM5_PW_MIN_LIFE; + continue; + } + } else if (strlen(argv[i]) == 10 && !strcmp(argv[i], "-minlength")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_min_length = atoi(argv[i]); + *mask |= KADM5_PW_MIN_LENGTH; + continue; + } + } else if (strlen(argv[i]) == 11 && !strcmp(argv[i], "-minclasses")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_min_classes = atoi(argv[i]); + *mask |= KADM5_PW_MIN_CLASSES; + continue; + } + } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-history")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_history_num = atoi(argv[i]); + *mask |= KADM5_PW_HISTORY_NUM; + continue; + } + } else + return -1; } if (i != argc -1) { - fprintf(stderr, "%s: parser lost count!\n", caller); - return -1; + fprintf(stderr, "%s: parser lost count!\n", caller); + return -1; } else - return 0; + return 0; } static void -kadmin_addmodpol_usage(func) - char *func; +kadmin_addmodpol_usage(char *func) { fprintf(stderr, "usage; %s [options] policy\n", func); fprintf(stderr, "\toptions are:\n"); fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n"); } -void kadmin_addpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_addpol(int argc, char *argv[]) { krb5_error_code retval; long mask; @@ -1723,24 +1523,20 @@ void kadmin_addpol(argc, argv) memset(&policy, 0, sizeof(policy)); if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) { - kadmin_addmodpol_usage("add_policy"); - return; - } else { - policy.policy = argv[argc - 1]; - mask |= KADM5_POLICY; - retval = kadm5_create_policy(handle, &policy, mask); - if (retval) { - com_err("add_policy", retval, "while creating policy \"%s\".", - policy.policy); - return; - } - } - return; + kadmin_addmodpol_usage("add_policy"); + return; + } + policy.policy = argv[argc - 1]; + mask |= KADM5_POLICY; + retval = kadm5_create_policy(handle, &policy, mask); + if (retval) { + com_err("add_policy", retval, "while creating policy \"%s\".", + policy.policy); + } } -void kadmin_modpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_modpol(int argc, char *argv[]) { krb5_error_code retval; long mask; @@ -1748,133 +1544,121 @@ void kadmin_modpol(argc, argv) memset(&policy, 0, sizeof(policy)); if (kadmin_parse_policy_args(argc, argv, &policy, &mask, - "modify_policy")) { - kadmin_addmodpol_usage("modify_policy"); - return; - } else { - policy.policy = argv[argc - 1]; - retval = kadm5_modify_policy(handle, &policy, mask); - if (retval) { - com_err("modify_policy", retval, "while modifying policy \"%s\".", - policy.policy); - return; - } - } - return; + "modify_policy")) { + kadmin_addmodpol_usage("modify_policy"); + return; + } + policy.policy = argv[argc - 1]; + retval = kadm5_modify_policy(handle, &policy, mask); + if (retval) { + com_err("modify_policy", retval, "while modifying policy \"%s\".", + policy.policy); + } } -void kadmin_delpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_delpol(int argc, char *argv[]) { krb5_error_code retval; char reply[5]; - if (! (argc == 2 || - (argc == 3 && !strcmp("-force", argv[1])))) { - fprintf(stderr, "usage: delete_policy [-force] policy\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: delete_policy [-force] policy\n"); + return; } if (argc == 2) { - printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", argv[1]); - fgets(reply, sizeof (reply), stdin); - if (strcmp("yes\n", reply)) { - fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]); - return; - } + printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", + argv[1]); + fgets(reply, sizeof(reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]); + return; + } } retval = kadm5_delete_policy(handle, argv[argc - 1]); if (retval) { - com_err("delete_policy:", retval, "while deleting policy \"%s\"", - argv[argc - 1]); - return; + com_err("delete_policy:", retval, "while deleting policy \"%s\"", + argv[argc - 1]); } - return; } -void kadmin_getpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_getpol(int argc, char *argv[]) { krb5_error_code retval; kadm5_policy_ent_rec policy; - if (! (argc == 2 || - (argc == 3 && !strcmp("-terse", argv[1])))) { - fprintf(stderr, "usage: get_policy [-terse] policy\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) { + fprintf(stderr, "usage: get_policy [-terse] policy\n"); + return; } retval = kadm5_get_policy(handle, argv[argc - 1], &policy); if (retval) { - com_err("get_policy", retval, "while retrieving policy \"%s\".", - argv[argc - 1]); - return; + com_err("get_policy", retval, "while retrieving policy \"%s\".", + argv[argc - 1]); + return; } if (argc == 2) { - printf("Policy: %s\n", policy.policy); - printf("Maximum password life: %ld\n", policy.pw_max_life); - printf("Minimum password life: %ld\n", policy.pw_min_life); - printf("Minimum password length: %ld\n", policy.pw_min_length); - printf("Minimum number of password character classes: %ld\n", - policy.pw_min_classes); - printf("Number of old keys kept: %ld\n", policy.pw_history_num); - printf("Reference count: %ld\n", policy.policy_refcnt); + printf("Policy: %s\n", policy.policy); + printf("Maximum password life: %ld\n", policy.pw_max_life); + printf("Minimum password life: %ld\n", policy.pw_min_life); + printf("Minimum password length: %ld\n", policy.pw_min_length); + printf("Minimum number of password character classes: %ld\n", + policy.pw_min_classes); + printf("Number of old keys kept: %ld\n", policy.pw_history_num); + printf("Reference count: %ld\n", policy.policy_refcnt); } else { - printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n", - policy.policy, policy.pw_max_life, policy.pw_min_life, - policy.pw_min_length, policy.pw_min_classes, - policy.pw_history_num, policy.policy_refcnt); + printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n", + policy.policy, policy.pw_max_life, policy.pw_min_life, + policy.pw_min_length, policy.pw_min_classes, + policy.pw_history_num, policy.policy_refcnt); } kadm5_free_policy_ent(handle, &policy); - return; } -void kadmin_getpols(argc, argv) - int argc; - char *argv[]; +void +kadmin_getpols(int argc, char *argv[]) { krb5_error_code retval; char *expr, **names; int i, count; expr = NULL; - if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) { - fprintf(stderr, "usage: get_policies [expression]\n"); - return; + if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) { + fprintf(stderr, "usage: get_policies [expression]\n"); + return; } retval = kadm5_get_policies(handle, expr, &names, &count); if (retval) { - com_err("get_policies", retval, "while retrieving list."); - return; + com_err("get_policies", retval, "while retrieving list."); + return; } for (i = 0; i < count; i++) - printf("%s\n", names[i]); + printf("%s\n", names[i]); kadm5_free_name_list(handle, names, count); } -void kadmin_getprivs(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprivs(int argc, char *argv[]) { static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE"}; krb5_error_code retval; - int i; + size_t i; long plist; if (argc != 1) { - fprintf(stderr, "usage: get_privs\n"); - return; + fprintf(stderr, "usage: get_privs\n"); + return; } retval = kadm5_get_privs(handle, &plist); if (retval) { - com_err("get_privs", retval, "while retrieving privileges"); - return; + com_err("get_privs", retval, "while retrieving privileges"); + return; } printf("current privileges:"); for (i = 0; i < sizeof (privs) / sizeof (char *); i++) { - if (plist & 1 << i) - printf(" %s", privs[i]); + if (plist & 1 << i) + printf(" %s", privs[i]); } printf("\n"); - return; } diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c index 5fb5613f2..643e91de4 100644 --- a/src/kadmin/cli/keytab.c +++ b/src/kadmin/cli/keytab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * @@ -7,14 +8,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -25,7 +26,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -45,12 +46,12 @@ static char *rcsid = "$Header$"; #include #include "kadmin.h" -static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, - krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *princ_str); -static int remove_principal(char *keytab_str, krb5_keytab keytab, char - *princ_str, char *kvno_str); +static void add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, + krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + char *princ_str); +static void remove_principal(char *keytab_str, krb5_keytab keytab, + char *princ_str, char *kvno_str); static char *etype_string(krb5_enctype enctype); static int quiet; @@ -59,417 +60,411 @@ static int quiet; static int norandkey; #endif -static void add_usage() +static void +add_usage() { #ifdef KADMIN_LOCAL - fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n"); + fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n"); #else - fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n"); + fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n"); #endif } - -static void rem_usage() + +static void +rem_usage() { - fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"); + fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"); } -static int process_keytab(krb5_context my_context, char **keytab_str, - krb5_keytab *keytab) +static int +process_keytab(krb5_context my_context, char **keytab_str, + krb5_keytab *keytab) { - int code; - - if (*keytab_str == NULL) { - /* XXX krb5_defkeyname is an internal library global and - should go away */ - if (! (*keytab_str = strdup(krb5_defkeyname))) { - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - code = krb5_kt_default(my_context, keytab); - if (code != 0) { - com_err(whoami, code, "while opening default keytab"); - free(*keytab_str); - return 1; - } - } else { - if (strchr(*keytab_str, ':') != NULL) { - *keytab_str = strdup(*keytab_str); - if (*keytab_str == NULL) { - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - } else { - if (asprintf(keytab_str, "WRFILE:%s", *keytab_str) < 0) { - *keytab_str = NULL; - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - } - - code = krb5_kt_resolve(my_context, *keytab_str, keytab); - if (code != 0) { - com_err(whoami, code, "while resolving keytab %s", *keytab_str); - free(keytab_str); - return 1; - } - } - - return 0; + int code; + char *name = *keytab_str; + + if (name == NULL) { + /* XXX krb5_defkeyname is an internal library global and + should go away */ + name = strdup(krb5_defkeyname); + if (!name) { + com_err(whoami, ENOMEM, "while creating keytab name"); + return 1; + } + code = krb5_kt_default(my_context, keytab); + if (code != 0) { + com_err(whoami, code, "while opening default keytab"); + free(name); + return 1; + } + } else { + if (strchr(name, ':') != NULL) + name = strdup(name); + else if (asprintf(keytab_str, "WRFILE:%s", name) < 0) + name = NULL; + if (name == NULL) { + com_err(whoami, ENOMEM, "while creating keytab name"); + return 1; + } + + code = krb5_kt_resolve(my_context, name, keytab); + if (code != 0) { + com_err(whoami, code, "while resolving keytab %s", name); + free(name); + return 1; + } + } + + *keytab_str = name; + return 0; } - -void kadmin_keytab_add(int argc, char **argv) +void +kadmin_keytab_add(int argc, char **argv) { - krb5_keytab keytab = 0; - char *keytab_str = NULL, **princs; - int code, num, i; - krb5_error_code retval; - int n_ks_tuple = 0; - krb5_boolean keepold = FALSE; - krb5_key_salt_tuple *ks_tuple = NULL; - - argc--; argv++; - quiet = 0; + krb5_keytab keytab = 0; + char *keytab_str = NULL, **princs; + int code, num, i; + krb5_error_code retval; + int n_ks_tuple = 0; + krb5_boolean keepold = FALSE; + krb5_key_salt_tuple *ks_tuple = NULL; + + argc--; argv++; + quiet = 0; #ifdef KADMIN_LOCAL - norandkey = 0; + norandkey = 0; #endif - while (argc) { - if (strncmp(*argv, "-k", 2) == 0) { - argc--; argv++; - if (!argc || keytab_str) { - add_usage(); - return; - } - keytab_str = *argv; - } else if (strcmp(*argv, "-q") == 0) { - quiet++; + while (argc) { + if (strncmp(*argv, "-k", 2) == 0) { + argc--; argv++; + if (!argc || keytab_str) { + add_usage(); + return; + } + keytab_str = *argv; + } else if (strcmp(*argv, "-q") == 0) { + quiet++; #ifdef KADMIN_LOCAL } else if (strcmp(*argv, "-norandkey") == 0) { - norandkey++; + norandkey++; #endif - } else if (strcmp(*argv, "-e") == 0) { - argc--; - if (argc < 1) { - add_usage(); - return; - } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, - &ks_tuple, &n_ks_tuple); - if (retval) { - com_err("ktadd", retval, "while parsing keysalts %s", - *argv); - - return; - } - } else - break; - argc--; argv++; - } - - if (argc == 0) { - add_usage(); - return; - } + } else if (strcmp(*argv, "-e") == 0) { + argc--; + if (argc < 1) { + add_usage(); + return; + } + retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + &ks_tuple, &n_ks_tuple); + if (retval) { + com_err("ktadd", retval, "while parsing keysalts %s", + *argv); + + return; + } + } else + break; + argc--; argv++; + } + + if (argc == 0) { + add_usage(); + return; + } #ifdef KADMIN_LOCAL - if (norandkey && ks_tuple) { - fprintf(stderr, "cannot specify keysaltlist when not changing key\n"); - return; - } + if (norandkey && ks_tuple) { + fprintf(stderr, "cannot specify keysaltlist when not changing key\n"); + return; + } #endif - if (process_keytab(context, &keytab_str, &keytab)) - return; - - while (*argv) { - if (strcmp(*argv, "-glob") == 0) { - if (*++argv == NULL) { - add_usage(); - break; - } - - code = kadm5_get_principals(handle, *argv, &princs, &num); - if (code) { - com_err(whoami, code, "while expanding expression \"%s\".", - *argv); - argv++; - continue; - } - - for (i = 0; i < num; i++) - (void) add_principal(handle, keytab_str, keytab, - keepold, n_ks_tuple, ks_tuple, - princs[i]); - kadm5_free_name_list(handle, princs, num); - } else - (void) add_principal(handle, keytab_str, keytab, - keepold, n_ks_tuple, ks_tuple, - *argv); - argv++; - } - - code = krb5_kt_close(context, keytab); - if (code != 0) - com_err(whoami, code, "while closing keytab"); - - free(keytab_str); + if (process_keytab(context, &keytab_str, &keytab)) + return; + + while (*argv) { + if (strcmp(*argv, "-glob") == 0) { + if (*++argv == NULL) { + add_usage(); + break; + } + + code = kadm5_get_principals(handle, *argv, &princs, &num); + if (code) { + com_err(whoami, code, "while expanding expression \"%s\".", + *argv); + argv++; + continue; + } + + for (i = 0; i < num; i++) + add_principal(handle, keytab_str, keytab, keepold, + n_ks_tuple, ks_tuple, princs[i]); + kadm5_free_name_list(handle, princs, num); + } else { + add_principal(handle, keytab_str, keytab, keepold, + n_ks_tuple, ks_tuple, *argv); + argv++; + } + } + + code = krb5_kt_close(context, keytab); + if (code != 0) + com_err(whoami, code, "while closing keytab"); + + free(keytab_str); } -void kadmin_keytab_remove(int argc, char **argv) +void +kadmin_keytab_remove(int argc, char **argv) { - krb5_keytab keytab = 0; - char *keytab_str = NULL; - int code; - - argc--; argv++; - quiet = 0; - while (argc) { - if (strncmp(*argv, "-k", 2) == 0) { - argc--; argv++; - if (!argc || keytab_str) { - rem_usage(); - return; - } - keytab_str = *argv; - } else if (strcmp(*argv, "-q") == 0) { - quiet++; - } else - break; - argc--; argv++; - } - - if (argc != 1 && argc != 2) { - rem_usage(); - return; - } - if (process_keytab(context, &keytab_str, &keytab)) - return; - - (void) remove_principal(keytab_str, keytab, argv[0], argv[1]); - - code = krb5_kt_close(context, keytab); - if (code != 0) - com_err(whoami, code, "while closing keytab"); - - free(keytab_str); + krb5_keytab keytab = 0; + char *keytab_str = NULL; + int code; + + argc--; argv++; + quiet = 0; + while (argc) { + if (strncmp(*argv, "-k", 2) == 0) { + argc--; argv++; + if (!argc || keytab_str) { + rem_usage(); + return; + } + keytab_str = *argv; + } else if (strcmp(*argv, "-q") == 0) { + quiet++; + } else + break; + argc--; argv++; + } + + if (argc != 1 && argc != 2) { + rem_usage(); + return; + } + if (process_keytab(context, &keytab_str, &keytab)) + return; + + remove_principal(keytab_str, keytab, argv[0], argv[1]); + + code = krb5_kt_close(context, keytab); + if (code != 0) + com_err(whoami, code, "while closing keytab"); + + free(keytab_str); } -static -int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, - krb5_boolean keepold, int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *princ_str) +static void +add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, + krb5_boolean keepold, int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, char *princ_str) { - kadm5_principal_ent_rec princ_rec; - krb5_principal princ; - krb5_keytab_entry new_entry; - krb5_keyblock *keys; - int code, nkeys, i; + kadm5_principal_ent_rec princ_rec; + krb5_principal princ = NULL; + krb5_keytab_entry new_entry; + krb5_keyblock *keys; + int code, nkeys, i; - (void) memset(&princ_rec, 0, sizeof(princ_rec)); + memset(&princ_rec, 0, sizeof(princ_rec)); - princ = NULL; - keys = NULL; - nkeys = 0; + princ = NULL; + keys = NULL; + nkeys = 0; - code = krb5_parse_name(context, princ_str, &princ); - if (code != 0) { - com_err(whoami, code, "while parsing -add principal name %s", - princ_str); - goto cleanup; - } + code = krb5_parse_name(context, princ_str, &princ); + if (code != 0) { + com_err(whoami, code, "while parsing -add principal name %s", + princ_str); + goto cleanup; + } #ifdef KADMIN_LOCAL - if (norandkey) - code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); - else + if (norandkey) + code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); + else #endif - if (keepold || ks_tuple != NULL) { - code = kadm5_randkey_principal_3(lhandle, princ, - keepold, n_ks_tuple, ks_tuple, - &keys, &nkeys); - } else { - code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); - } - if (code != 0) { - if (code == KADM5_UNK_PRINC) { - fprintf(stderr, "%s: Principal %s does not exist.\n", - whoami, princ_str); - } else - com_err(whoami, code, "while changing %s's key", - princ_str); - goto cleanup; - } - - code = kadm5_get_principal(lhandle, princ, &princ_rec, - KADM5_PRINCIPAL_NORMAL_MASK); - if (code != 0) { - com_err(whoami, code, "while retrieving principal"); - goto cleanup; - } - - for (i = 0; i < nkeys; i++) { - memset(&new_entry, 0, sizeof(new_entry)); - new_entry.principal = princ; - new_entry.key = keys[i]; - new_entry.vno = princ_rec.kvno; - - code = krb5_kt_add_entry(context, keytab, &new_entry); - if (code != 0) { - com_err(whoami, code, "while adding key to keytab"); - (void) kadm5_free_principal_ent(lhandle, &princ_rec); - goto cleanup; - } - - if (!quiet) - printf("Entry for principal %s with kvno %d, " - "encryption type %s added to keytab %s.\n", - princ_str, princ_rec.kvno, - etype_string(keys[i].enctype), keytab_str); - } - - code = kadm5_free_principal_ent(lhandle, &princ_rec); - if (code != 0) { - com_err(whoami, code, "while freeing principal entry"); - goto cleanup; - } + if (keepold || ks_tuple != NULL) { + code = kadm5_randkey_principal_3(lhandle, princ, keepold, + n_ks_tuple, ks_tuple, &keys, &nkeys); + } else + code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); + if (code != 0) { + if (code == KADM5_UNK_PRINC) { + fprintf(stderr, "%s: Principal %s does not exist.\n", + whoami, princ_str); + } else + com_err(whoami, code, "while changing %s's key", princ_str); + goto cleanup; + } + + code = kadm5_get_principal(lhandle, princ, &princ_rec, + KADM5_PRINCIPAL_NORMAL_MASK); + if (code != 0) { + com_err(whoami, code, "while retrieving principal"); + goto cleanup; + } + + for (i = 0; i < nkeys; i++) { + memset(&new_entry, 0, sizeof(new_entry)); + new_entry.principal = princ; + new_entry.key = keys[i]; + new_entry.vno = princ_rec.kvno; + + code = krb5_kt_add_entry(context, keytab, &new_entry); + if (code != 0) { + com_err(whoami, code, "while adding key to keytab"); + kadm5_free_principal_ent(lhandle, &princ_rec); + goto cleanup; + } + + if (!quiet) { + printf("Entry for principal %s with kvno %d, " + "encryption type %s added to keytab %s.\n", + princ_str, princ_rec.kvno, + etype_string(keys[i].enctype), keytab_str); + } + } + + code = kadm5_free_principal_ent(lhandle, &princ_rec); + if (code != 0) { + com_err(whoami, code, "while freeing principal entry"); + goto cleanup; + } cleanup: - if (nkeys) { - for (i = 0; i < nkeys; i++) - krb5_free_keyblock_contents(context, &keys[i]); - free(keys); - } - if (princ) - krb5_free_principal(context, princ); - - return code; + if (nkeys) { + for (i = 0; i < nkeys; i++) + krb5_free_keyblock_contents(context, &keys[i]); + free(keys); + } + krb5_free_principal(context, princ); } -int remove_principal(char *keytab_str, krb5_keytab keytab, char - *princ_str, char *kvno_str) +void +remove_principal(char *keytab_str, krb5_keytab keytab, + char *princ_str, char *kvno_str) { - krb5_principal princ; - krb5_keytab_entry entry; - krb5_kt_cursor cursor; - enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; - int code, did_something; - krb5_kvno kvno; - - code = krb5_parse_name(context, princ_str, &princ); - if (code != 0) { - com_err(whoami, code, "while parsing principal name %s", - princ_str); - return code; - } - - mode = UNDEF; - if (kvno_str == NULL) { - mode = HIGH; - kvno = 0; - } else if (strcmp(kvno_str, "all") == 0) { - mode = ALL; - kvno = 0; - } else if (strcmp(kvno_str, "old") == 0) { - mode = OLD; - kvno = 0; - } else { - mode = SPEC; - kvno = atoi(kvno_str); - } - - /* kvno is set to specified value for SPEC, 0 otherwise */ - code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry); - if (code != 0) { - if (code == ENOENT) { - fprintf(stderr, "%s: Keytab %s does not exist.\n", - whoami, keytab_str); - } else if (code == KRB5_KT_NOTFOUND) { - if (mode != SPEC) - fprintf(stderr, "%s: No entry for principal " - "%s exists in keytab %s\n", - whoami, princ_str, keytab_str); - else - fprintf(stderr, "%s: No entry for principal " - "%s with kvno %d exists in keytab " - "%s.\n", whoami, princ_str, kvno, - keytab_str); - } else { - com_err(whoami, code, "while retrieving highest kvno " - "from keytab"); - } - return code; - } - - /* set kvno to spec'ed value for SPEC, highest kvno otherwise */ - kvno = entry.vno; - krb5_kt_free_entry(context, &entry); - - code = krb5_kt_start_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while starting keytab scan"); - return code; - } - - did_something = 0; - while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { - if (krb5_principal_compare(context, princ, entry.principal) && - ((mode == ALL) || - (mode == SPEC && entry.vno == kvno) || - (mode == OLD && entry.vno != kvno) || - (mode == HIGH && entry.vno == kvno))) { - - /* - * Ack! What a kludge... the scanning functions lock - * the keytab so entries cannot be removed while they - * are operating. - */ - code = krb5_kt_end_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while temporarily ending " - "keytab scan"); - return code; - } - code = krb5_kt_remove_entry(context, keytab, &entry); - if (code != 0) { - com_err(whoami, code, "while deleting entry from keytab"); - return code; - } - code = krb5_kt_start_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while restarting keytab scan"); - return code; - } - - did_something++; - if (!quiet) - printf("Entry for principal %s with kvno %d " - "removed from keytab %s.\n", - princ_str, entry.vno, keytab_str); - } - krb5_kt_free_entry(context, &entry); - } - if (code && code != KRB5_KT_END) { - com_err(whoami, code, "while scanning keytab"); - return code; - } - if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) { - com_err(whoami, code, "while ending keytab scan"); - return code; - } - - /* - * If !did_someting then mode must be OLD or we would have - * already returned with an error. But check it anyway just to - * prevent unexpected error messages... - */ - if (!did_something && mode == OLD) { - fprintf(stderr, "%s: There is only one entry for principal " - "%s in keytab %s\n", whoami, princ_str, keytab_str); - return 1; - } - - return 0; + krb5_principal princ; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; + int code, did_something; + krb5_kvno kvno; + + code = krb5_parse_name(context, princ_str, &princ); + if (code != 0) { + com_err(whoami, code, "while parsing principal name %s", princ_str); + return code; + } + + mode = UNDEF; + if (kvno_str == NULL) { + mode = HIGH; + kvno = 0; + } else if (strcmp(kvno_str, "all") == 0) { + mode = ALL; + kvno = 0; + } else if (strcmp(kvno_str, "old") == 0) { + mode = OLD; + kvno = 0; + } else { + mode = SPEC; + kvno = atoi(kvno_str); + } + + /* kvno is set to specified value for SPEC, 0 otherwise */ + code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry); + if (code != 0) { + if (code == ENOENT) { + fprintf(stderr, "%s: Keytab %s does not exist.\n", + whoami, keytab_str); + } else if (code == KRB5_KT_NOTFOUND) { + if (mode != SPEC) { + fprintf(stderr, "%s: No entry for principal " + "%s exists in keytab %s\n", + whoami, princ_str, keytab_str); + } else { + fprintf(stderr, "%s: No entry for principal " + "%s with kvno %d exists in keytab " + "%s.\n", whoami, princ_str, kvno, keytab_str); + } + } else + com_err(whoami, code, "while retrieving highest kvno from keytab"); + return code; + } + + /* set kvno to spec'ed value for SPEC, highest kvno otherwise */ + kvno = entry.vno; + krb5_kt_free_entry(context, &entry); + + code = krb5_kt_start_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while starting keytab scan"); + return code; + } + + did_something = 0; + while ((code = krb5_kt_next_entry(context, keytab, &entry, + &cursor)) == 0) { + if (krb5_principal_compare(context, princ, entry.principal) && + ((mode == ALL) || + (mode == SPEC && entry.vno == kvno) || + (mode == OLD && entry.vno != kvno) || + (mode == HIGH && entry.vno == kvno))) { + + /* + * Ack! What a kludge... the scanning functions lock + * the keytab so entries cannot be removed while they + * are operating. + */ + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while temporarily ending keytab scan"); + return code; + } + code = krb5_kt_remove_entry(context, keytab, &entry); + if (code != 0) { + com_err(whoami, code, "while deleting entry from keytab"); + return code; + } + code = krb5_kt_start_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while restarting keytab scan"); + return code; + } + + did_something++; + if (!quiet) + printf("Entry for principal %s with kvno %d " + "removed from keytab %s.\n", + princ_str, entry.vno, keytab_str); + } + krb5_kt_free_entry(context, &entry); + } + if (code && code != KRB5_KT_END) { + com_err(whoami, code, "while scanning keytab"); + return code; + } + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code) { + com_err(whoami, code, "while ending keytab scan"); + return code; + } + + /* + * If !did_someting then mode must be OLD or we would have + * already returned with an error. But check it anyway just to + * prevent unexpected error messages... + */ + if (!did_something && mode == OLD) { + fprintf(stderr, "%s: There is only one entry for principal " + "%s in keytab %s\n", whoami, princ_str, keytab_str); + return 1; + } + + return 0; } /* @@ -477,14 +472,15 @@ int remove_principal(char *keytab_str, krb5_keytab keytab, char * encryption type. XXX copied from klist.c; this should be a * library function, or perhaps just #defines */ -static char *etype_string(enctype) - krb5_enctype enctype; +static char * +etype_string(krb5_enctype enctype) { static char buf[100]; krb5_error_code ret; - if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)))) - snprintf(buf, sizeof(buf), "etype %d", enctype); + ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)); + if (ret) + snprintf(buf, sizeof(buf), "etype %d", enctype); return buf; } diff --git a/src/kadmin/cli/ss_wrapper.c b/src/kadmin/cli/ss_wrapper.c index f73ba8238..93cf1dc7d 100644 --- a/src/kadmin/cli/ss_wrapper.c +++ b/src/kadmin/cli/ss_wrapper.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1994 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -35,9 +36,8 @@ extern ss_request_table kadmin_cmds; extern int exit_status; extern char *whoami; -int main(argc, argv) - int argc; - char *argv[]; +int +main(int argc, char *argv[]) { char *request; krb5_error_code retval; @@ -46,18 +46,17 @@ int main(argc, argv) whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]); request = kadmin_startup(argc, argv); - sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL, - &kadmin_cmds, &retval); + sci_idx = ss_create_invocation(whoami, "5.0", NULL, &kadmin_cmds, &retval); if (retval) { - ss_perror(sci_idx, retval, "creating invocation"); - exit(1); + ss_perror(sci_idx, retval, "creating invocation"); + exit(1); } if (request) { - code = ss_execute_line(sci_idx, request); - if (code != 0) { - ss_perror(sci_idx, code, request); - exit_status++; - } + code = ss_execute_line(sci_idx, request); + if (code != 0) { + ss_perror(sci_idx, code, request); + exit_status++; + } } else retval = ss_listen(sci_idx); return quit() ? 1 : exit_status; diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp index 3ec5103db..1eac9e339 100644 --- a/src/tests/dejagnu/krb-standalone/kadmin.exp +++ b/src/tests/dejagnu/krb-standalone/kadmin.exp @@ -269,8 +269,8 @@ proc kadmin_cpw { pname password } { send "adminpass$KEY\r" } - expect "Enter password for principal \"$pname\":" { send "$password\r" } - expect "Re-enter password for principal \"$pname\":" { send "$password\r" } + expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } + expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } # When in doubt, jam one of these in there. expect "\r" expect "Password for \"$pname@$REALMNAME\" changed."