#include <k5-int.h>
#include <kadm5/admin.h>
#include <locale.h>
#include <adm_proto.h>
#include <time.h>
#include "kdb5_util.h"
char *mkey_password = 0;
int exit_status = 0;
krb5_context util_context;
kadm5_config_params global_params;
void usage(void)
{
fprintf(stderr,
_("Usage: kdb5_util [-r realm] [-d dbname] "
"[-k mkeytype] [-kv mkeyVNO]\n"
"\t [-M mkeyname] [-m] [-sf stashfilename] "
"[-P password]\n"
"\t [-x db_args]* cmd [cmd_options]\n"
"\tcreate [-s]\n"
"\tdestroy [-f]\n"
"\tstash [-f keyfile]\n"
"\tdump [-b7|-r13|-r18] [-verbose]\n"
"\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
"\t [-rev] [-recurse] [filename [princs...]]\n"
"\tload [-b7|-r13|-r18] [-hash] [-verbose] [-update] "
"filename\n"
"\tark [-e etype_list] principal\n"
"\tadd_mkey [-e etype] [-s]\n"
"\tuse_mkey kvno [time]\n"
"\tlist_mkeys\n"));
fprintf(stderr,
_("\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
"\tpurge_mkeys [-f] [-n] [-v]\n"
"\ttabdump [-H] [-c] [-e] [-n] [-o outfile] dumptype\n"
"\nwhere,\n\t[-x db_args]* - any number of database specific "
"arguments.\n"
"\t\t\tLook at each database documentation for supported "
"arguments\n"));
exit(1);
}
krb5_keyblock master_keyblock;
krb5_kvno master_kvno;
extern krb5_principal master_princ;
char *mkey_fullname;
krb5_db_entry *master_entry = NULL;
int valid_master_key = 0;
char *progname;
krb5_boolean manual_mkey = FALSE;
krb5_boolean dbactive = FALSE;
static int open_db_and_mkey(void);
static void add_random_key(int, char **);
typedef void (*cmd_func)(int, char **);
struct _cmd_table {
char *name;
cmd_func func;
int opendb;
} cmd_table[] = {
{"create", kdb5_create, 0},
{"destroy", kdb5_destroy, 1},
{"stash", kdb5_stash, 1},
{"dump", dump_db, 1},
{"load", load_db, 0},
{"ark", add_random_key, 1},
{"add_mkey", kdb5_add_mkey, 1},
{"use_mkey", kdb5_use_mkey, 1},
{"list_mkeys", kdb5_list_mkeys, 1},
{"update_princ_encryption", kdb5_update_princ_encryption, 1},
{"purge_mkeys", kdb5_purge_mkeys, 1},
{"tabdump", tabdump, 1},
{NULL, NULL, 0},
};
static struct _cmd_table *
cmd_lookup(char *name)
{
struct _cmd_table *cmd = cmd_table;
while (cmd->name) {
if (strcmp(cmd->name, name) == 0)
return cmd;
else
cmd++;
}
return NULL;
}
#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(), NULL))
char **db5util_db_args = NULL;
size_t db5util_db_args_size = 0;
static void
extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt,
va_list args)
{
const char *emsg;
if (code) {
emsg = krb5_get_error_message (util_context, code);
fprintf (stderr, "%s: %s ", myprog, emsg);
krb5_free_error_message (util_context, emsg);
} else {
fprintf (stderr, "%s: ", myprog);
}
vfprintf (stderr, fmt, args);
fprintf (stderr, "\n");
}
int
add_db_arg(char *arg)
{
char **temp;
db5util_db_args_size++;
temp = realloc(db5util_db_args,
sizeof(char *) * (db5util_db_args_size + 1));
if (temp == NULL)
return 0;
db5util_db_args = temp;
db5util_db_args[db5util_db_args_size-1] = arg;
db5util_db_args[db5util_db_args_size] = NULL;
return 1;
}
int
main(int argc, char *argv[])
{
struct _cmd_table *cmd = NULL;
char *koptarg, **cmd_argv;
char *db_name_tmp = NULL;
int cmd_argc;
krb5_error_code retval;
setlocale(LC_ALL, "");
set_com_err_hook(extended_com_err_fn);
progname = (strrchr(argv[0], '/') ?
strrchr(argv[0], '/') + 1 : argv[0]);
retval = kadm5_init_krb5_context(&util_context);
if (retval) {
com_err (progname, retval, _("while initializing Kerberos code"));
exit(1);
}
cmd_argv = (char **) malloc(sizeof(char *)*argc);
if (cmd_argv == NULL) {
com_err(progname, ENOMEM, _("while creating sub-command arguments"));
exit(1);
}
memset(cmd_argv, 0, sizeof(char *)*argc);
cmd_argc = 0;
argv++; argc--;
while (*argv) {
if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
mkey_password = koptarg;
manual_mkey = TRUE;
} else if (strcmp(*argv, "-d") == 0 && ARG_VAL) {
global_params.dbname = koptarg;
global_params.mask |= KADM5_CONFIG_DBNAME;
if (asprintf(&db_name_tmp, "dbname=%s", global_params.dbname) < 0)
{
com_err(progname, ENOMEM,
_("while parsing command arguments"));
exit(1);
}
if (!add_db_arg(db_name_tmp)) {
com_err(progname, ENOMEM,
_("while parsing command arguments\n"));
exit(1);
}
} else if (strcmp(*argv, "-x") == 0 && ARG_VAL) {
if (!add_db_arg(koptarg)) {
com_err(progname, ENOMEM,
_("while parsing command arguments\n"));
exit(1);
}
} else if (strcmp(*argv, "-r") == 0 && ARG_VAL) {
global_params.realm = koptarg;
global_params.mask |= KADM5_CONFIG_REALM;
if ((retval = krb5_set_default_realm(util_context,
global_params.realm))) {
com_err(progname, retval,
_("while setting default realm name"));
exit(1);
}
} else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
if (krb5_string_to_enctype(koptarg, &global_params.enctype)) {
com_err(progname, EINVAL, _(": %s is an invalid enctype"),
koptarg);
exit(1);
} else
global_params.mask |= KADM5_CONFIG_ENCTYPE;
} else if (strcmp(*argv, "-kv") == 0 && ARG_VAL) {
global_params.kvno = (krb5_kvno) atoi(koptarg);
if (global_params.kvno == IGNORE_VNO) {
com_err(progname, EINVAL, _(": %s is an invalid mkeyVNO"),
koptarg);
exit(1);
} else
global_params.mask |= KADM5_CONFIG_KVNO;
} else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
global_params.mkey_name = koptarg;
global_params.mask |= KADM5_CONFIG_MKEY_NAME;
} else if (strcmp(*argv, "-sf") == 0 && ARG_VAL) {
global_params.stash_file = koptarg;
global_params.mask |= KADM5_CONFIG_STASH_FILE;
} else if (strcmp(*argv, "-m") == 0) {
manual_mkey = TRUE;
global_params.mkey_from_kbd = 1;
global_params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
} else {
cmd_argv[cmd_argc++] = *argv;
}
argv++; argc--;
}
if (cmd_argv[0] == NULL)
usage();
cmd = cmd_lookup(cmd_argv[0]);
if (cmd == NULL)
usage();
if( !util_context->default_realm )
{
char *temp = NULL;
retval = krb5_get_default_realm(util_context, &temp);
if( retval )
{
com_err(progname, retval, _("while getting default realm"));
exit(1);
}
krb5_free_default_realm(util_context, temp);
}
retval = kadm5_get_config_params(util_context, 1,
&global_params, &global_params);
if (retval) {
com_err(progname, retval,
_("while retrieving configuration parameters"));
exit(1);
}
(void) umask(077);
master_keyblock.enctype = global_params.enctype;
if ((master_keyblock.enctype != ENCTYPE_UNKNOWN) &&
(!krb5_c_valid_enctype(master_keyblock.enctype))) {
com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
"while setting up enctype %d", master_keyblock.enctype);
}
if (cmd->opendb && open_db_and_mkey())
return exit_status;
if (global_params.iprop_enabled == TRUE)
ulog_set_role(util_context, IPROP_PRIMARY);
else
ulog_set_role(util_context, IPROP_NULL);
(*cmd->func)(cmd_argc, cmd_argv);
if( db_name_tmp )
free( db_name_tmp );
if( db5util_db_args )
free(db5util_db_args);
quit();
kadm5_free_config_params(util_context, &global_params);
krb5_free_context(util_context);
free(cmd_argv);
return exit_status;
}
static int
open_db_and_mkey(void)
{
krb5_error_code retval;
krb5_data scratch, pwd, seed;
dbactive = FALSE;
valid_master_key = 0;
if ((retval = krb5_db_open(util_context, db5util_db_args,
KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN))) {
com_err(progname, retval, _("while initializing database"));
exit_status++;
return(1);
}
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
return(1);
}
if ((retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry))) {
com_err(progname, retval, _("while retrieving master entry"));
exit_status++;
(void) krb5_db_fini(util_context);
return(1);
}
if (global_params.mask & KADM5_CONFIG_KVNO)
master_kvno = global_params.kvno;
else
master_kvno = IGNORE_VNO;
dbactive = TRUE;
if (mkey_password) {
pwd.data = mkey_password;
pwd.length = strlen(mkey_password);
retval = krb5_principal2salt(util_context, master_princ, &scratch);
if (retval) {
com_err(progname, retval, _("while calculated master key salt"));
exit_status++;
return(1);
}
if (master_keyblock.enctype == ENCTYPE_UNKNOWN)
master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
if (!krb5_c_valid_enctype(master_keyblock.enctype))
com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
"while setting up enctype %d",
master_keyblock.enctype);
retval = krb5_c_string_to_key(util_context, master_keyblock.enctype,
&pwd, &scratch, &master_keyblock);
if (retval) {
com_err(progname, retval,
_("while transforming master key from password"));
exit_status++;
return(1);
}
free(scratch.data);
mkey_password = 0;
} else {
if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
master_keyblock.enctype,
manual_mkey, FALSE,
global_params.stash_file,
&master_kvno,
0, &master_keyblock))) {
com_err(progname, retval, _("while reading master key"));
com_err(progname, 0, _("Warning: proceeding without master key"));
exit_status++;
return(0);
}
}
if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ,
&master_keyblock))) {
com_err(progname, retval, "while getting master key list");
com_err(progname, 0, "Warning: proceeding without master key list");
exit_status++;
return(0);
}
seed.length = master_keyblock.length;
seed.data = (char *) master_keyblock.contents;
if ((retval = krb5_c_random_seed(util_context, &seed))) {
com_err(progname, retval, _("while seeding random number generator"));
exit_status++;
memset(master_keyblock.contents, 0, master_keyblock.length);
krb5_free_keyblock_contents(util_context, &master_keyblock);
return(1);
}
if (global_params.iprop_enabled) {
if (ulog_map(util_context, global_params.iprop_logfile,
global_params.iprop_ulogsize)) {
fprintf(stderr, _("%s: Could not map log\n"), progname);
exit_status++;
return(1);
}
}
valid_master_key = 1;
dbactive = TRUE;
return 0;
}
#ifdef HAVE_GETCWD
#undef getwd
#endif
int
quit(void)
{
krb5_error_code retval;
static krb5_boolean finished = 0;
if (finished)
return 0;
ulog_fini(util_context);
retval = krb5_db_fini(util_context);
zapfree(master_keyblock.contents, master_keyblock.length);
krb5_free_principal(util_context, master_princ);
finished = TRUE;
if (retval && retval != KRB5_KDB_DBNOTINITED) {
com_err(progname, retval, _("while closing database"));
exit_status++;
return 1;
}
return 0;
}
static void
add_random_key(int argc, char **argv)
{
krb5_error_code ret;
krb5_principal princ;
krb5_db_entry *dbent;
krb5_timestamp now;
krb5_key_salt_tuple *keysalts = NULL;
krb5_int32 num_keysalts = 0;
int free_keysalts;
char *me = progname;
char *ks_str = "";
char *pr_str;
krb5_keyblock *tmp_mkey;
if (argc < 2)
usage();
for (argv++, argc--; *argv; argv++, argc--) {
if (!strcmp(*argv, "-e")) {
argv++; argc--;
ks_str = *argv;
continue;
} else
break;
}
if (argc < 1)
usage();
pr_str = *argv;
ret = krb5_parse_name(util_context, pr_str, &princ);
if (ret) {
com_err(me, ret, _("while parsing principal name %s"), pr_str);
exit_status++;
return;
}
ret = krb5_db_get_principal(util_context, princ, 0, &dbent);
if (ret) {
com_err(me, ret, _("while fetching principal %s"), pr_str);
exit_status++;
return;
}
ret = krb5_string_to_keysalts(ks_str,
NULL, NULL, 0,
&keysalts,
&num_keysalts);
if (ret) {
com_err(me, ret, _("while parsing keysalts %s"), ks_str);
exit_status++;
return;
}
if (!num_keysalts || keysalts == NULL) {
num_keysalts = global_params.num_keysalts;
keysalts = global_params.keysalts;
free_keysalts = 0;
} else
free_keysalts = 1;
ret = krb5_dbe_find_mkey(util_context, dbent, &tmp_mkey);
if (ret) {
com_err(me, ret, _("while finding mkey"));
krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
ret = krb5_dbe_ark(util_context, tmp_mkey, keysalts, num_keysalts, dbent);
if (free_keysalts)
free(keysalts);
if (ret) {
com_err(me, ret, "while randomizing principal %s", pr_str);
krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
dbent->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(util_context, &now);
if (ret) {
com_err(me, ret, _("while getting time"));
krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
ret = krb5_dbe_update_last_pwd_change(util_context, dbent, now);
if (ret) {
com_err(me, ret, _("while setting changetime"));
krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
dbent->mask |= KADM5_ATTRIBUTES | KADM5_KEY_DATA | KADM5_TL_DATA;
ret = krb5_db_put_principal(util_context, dbent);
krb5_db_free_principal(util_context, dbent);
if (ret) {
com_err(me, ret, _("while saving principal %s"), pr_str);
exit_status++;
return;
}
printf(_("%s changed\n"), pr_str);
}
