crypto/dist/heimdal/kadmin/check.c

   1 /*
   2  * Copyright (c) 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 /*
  35  * Check database for strange configurations on default principals
  36  */
  37
  38 #include "kadmin_locl.h"
  39 #include "kadmin-commands.h"
  40
  41 __RCSID("$Heimdal: check.c 20962 2007-06-07 05:09:24Z lha $"
  42         "$NetBSD: check.c,v 1.1 2008/03/22 08:37:02 mlelstv Exp $");
  43
  44 static int
  45 get_check_entry(const char *name, kadm5_principal_ent_rec *ent)
  46 {
  47     krb5_error_code ret;
  48     krb5_principal principal;
  49
  50     ret = krb5_parse_name(context, name, &principal);
  51     if (ret) {
  52         krb5_warn(context, ret, "krb5_unparse_name: %s", name);
  53         return 1;
  54     }
  55
  56     memset(ent, 0, sizeof(*ent));
  57     ret = kadm5_get_principal(kadm_handle, principal, ent, 0);
  58     krb5_free_principal(context, principal);
  59     if(ret)
  60         return 1;
  61
  62     return 0;
  63 }
  64
  65
  66 static int
  67 do_check_entry(krb5_principal principal, void *data)
  68 {
  69     krb5_error_code ret;
  70     kadm5_principal_ent_rec princ;
  71     char *name;
  72     int i;
  73
  74     ret = krb5_unparse_name(context, principal, &name);
  75     if (ret)
  76         return 1;
  77
  78     memset (&princ, 0, sizeof(princ));
  79     ret = kadm5_get_principal(kadm_handle, principal, &princ,
  80                               KADM5_PRINCIPAL | KADM5_KEY_DATA);
  81     if(ret) {
  82         krb5_warn(context, ret, "Failed to get principal: %s", name);
  83         free(name);
  84         return 0;
  85     }
  86
  87     for (i = 0; i < princ.n_key_data; i++) {
  88         size_t keysize;
  89         ret = krb5_enctype_keysize(context,
  90                                    princ.key_data[i].key_data_type[0],
  91                                    &keysize);
  92         if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) {
  93             krb5_warnx(context,
  94                        "Principal %s enctype %d, wrong length: %lu\n",
  95                        name, princ.key_data[i].key_data_type[0],
  96                        (unsigned long)princ.key_data[i].key_data_length);
  97         }
  98     }
  99
 100     free(name);
 101     kadm5_free_principal_ent(kadm_handle, &princ);
 102
 103     return 0;
 104 }
 105
 106 int
 107 check(void *opt, int argc, char **argv)
 108 {
 109     kadm5_principal_ent_rec ent;
 110     krb5_error_code ret;
 111     char *realm = NULL, *p, *p2;
 112     int found;
 113
 114     if (argc == 0) {
 115         ret = krb5_get_default_realm(context, &realm);
 116         if (ret) {
 117             krb5_warn(context, ret, "krb5_get_default_realm");
 118             goto fail;
 119         }
 120     } else {
 121         realm = strdup(argv[0]);
 122         if (realm == NULL) {
 123             krb5_warnx(context, "malloc");
 124             goto fail;
 125         }
 126     }
 127
 128     /*
 129      * Check krbtgt/REALM@REALM
 130      *
 131      * For now, just check existance
 132      */
 133
 134     if (asprintf(&p, "%s/%s@%s", KRB5_TGS_NAME, realm, realm) == -1) {
 135         krb5_warn(context, errno, "asprintf");
 136         goto fail;
 137     }
 138
 139     ret = get_check_entry(p, &ent);
 140     if (ret) {
 141         printf("%s doesn't exist, are you sure %s is a realm in your database",
 142                p, realm);
 143         free(p);
 144         goto fail;
 145     }
 146     free(p);
 147
 148     kadm5_free_principal_ent(kadm_handle, &ent);
 149
 150     /*
 151      * Check kadmin/admin@REALM
 152      */
 153
 154     if (asprintf(&p, "kadmin/admin@%s", realm) == -1) {
 155         krb5_warn(context, errno, "asprintf");
 156         goto fail;
 157     }
 158
 159     ret = get_check_entry(p, &ent);
 160     if (ret) {
 161         printf("%s doesn't exist, "
 162                "there is no way to do remote administration", p);
 163         free(p);
 164         goto fail;
 165     }
 166     free(p);
 167
 168     kadm5_free_principal_ent(kadm_handle, &ent);
 169
 170     /*
 171      * Check kadmin/changepw@REALM
 172      */
 173
 174     if (asprintf(&p, "kadmin/changepw@%s", realm) == -1) {
 175         krb5_warn(context, errno, "asprintf");
 176         goto fail;
 177     }
 178
 179     ret = get_check_entry(p, &ent);
 180     if (ret) {
 181         printf("%s doesn't exist, "
 182                "there is no way to do change password", p);
 183         free(p);
 184         goto fail;
 185     }
 186     free(p);
 187
 188     kadm5_free_principal_ent(kadm_handle, &ent);
 189
 190     /*
 191      * Check for duplicate afs keys
 192      */
 193
 194     p2 = strdup(realm);
 195     if (p2 == NULL) {
 196         krb5_warn(context, errno, "malloc");
 197         goto fail;
 198     }
 199     strlwr(p2);
 200
 201     if (asprintf(&p, "afs/%s@%s", p2, realm) == -1) {
 202         krb5_warn(context, errno, "asprintf");
 203         free(p2);
 204         goto fail;
 205     }
 206     free(p2);
 207
 208     ret = get_check_entry(p, &ent);
 209     free(p);
 210     if (ret == 0) {
 211         kadm5_free_principal_ent(kadm_handle, &ent);
 212         found = 1;
 213     } else
 214         found = 0;
 215
 216     if (asprintf(&p, "afs@%s", realm) == -1) {
 217         krb5_warn(context, errno, "asprintf");
 218         goto fail;
 219     }
 220
 221     ret = get_check_entry(p, &ent);
 222     free(p);
 223     if (ret == 0) {
 224         kadm5_free_principal_ent(kadm_handle, &ent);
 225         if (found) {
 226             krb5_warnx(context, "afs@REALM and afs/cellname@REALM both exists");
 227             goto fail;
 228         }
 229     }
 230
 231     foreach_principal("*", do_check_entry, "check", NULL);
 232
 233     free(realm);
 234     return 0;
 235 fail:
 236     free(realm);
 237     return 1;
 238 }