search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / kadm5 / init_c.c
blobce57b17f2dde4b65ef20bde521fc5ce70e4cf2d8
1 /*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kadm5_locl.h"
35 #include <sys/types.h>
36 #include <sys/socket.h>
37 #include <netinet/in.h>
38 #include <netdb.h>
39
40 __RCSID("$Heimdal: init_c.c 21972 2007-10-18 19:11:15Z lha $"
41 "$NetBSD$");
42
43 static void
44 set_funcs(kadm5_client_context *c)
45 {
46 #define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
47 SET(c, chpass_principal);
48 SET(c, chpass_principal_with_key);
49 SET(c, create_principal);
50 SET(c, delete_principal);
51 SET(c, destroy);
52 SET(c, flush);
53 SET(c, get_principal);
54 SET(c, get_principals);
55 SET(c, get_privs);
56 SET(c, modify_principal);
57 SET(c, randkey_principal);
58 SET(c, rename_principal);
59 }
60
61 kadm5_ret_t
62 _kadm5_c_init_context(kadm5_client_context **ctx,
63 kadm5_config_params *params,
64 krb5_context context)
65 {
66 krb5_error_code ret;
67 char *colon;
68
69 *ctx = malloc(sizeof(**ctx));
70 if(*ctx == NULL)
71 return ENOMEM;
72 memset(*ctx, 0, sizeof(**ctx));
73 krb5_add_et_list (context, initialize_kadm5_error_table_r);
74 set_funcs(*ctx);
75 (*ctx)->context = context;
76 if(params->mask & KADM5_CONFIG_REALM) {
77 ret = 0;
78 (*ctx)->realm = strdup(params->realm);
79 if ((*ctx)->realm == NULL)
80 ret = ENOMEM;
81 } else
82 ret = krb5_get_default_realm((*ctx)->context, &(*ctx)->realm);
83 if (ret) {
84 free(*ctx);
85 return ret;
86 }
87 if(params->mask & KADM5_CONFIG_ADMIN_SERVER)
88 (*ctx)->admin_server = strdup(params->admin_server);
89 else {
90 char **hostlist;
91
92 ret = krb5_get_krb_admin_hst (context, &(*ctx)->realm, &hostlist);
93 if (ret) {
94 free((*ctx)->realm);
95 free(*ctx);
96 return ret;
97 }
98 (*ctx)->admin_server = strdup(*hostlist);
99 krb5_free_krbhst (context, hostlist);
100 }
101
102 if ((*ctx)->admin_server == NULL) {
103 free((*ctx)->realm);
104 free(*ctx);
105 return ENOMEM;
106 }
107 colon = strchr ((*ctx)->admin_server, ':');
108 if (colon != NULL)
109 *colon++ = '\0';
110
111 (*ctx)->kadmind_port = 0;
112
113 if(params->mask & KADM5_CONFIG_KADMIND_PORT)
114 (*ctx)->kadmind_port = params->kadmind_port;
115 else if (colon != NULL) {
116 char *end;
117
118 (*ctx)->kadmind_port = htons(strtol (colon, &end, 0));
119 }
120 if ((*ctx)->kadmind_port == 0)
121 (*ctx)->kadmind_port = krb5_getportbyname (context, "kerberos-adm",
122 "tcp", 749);
123 return 0;
124 }
125
126 static krb5_error_code
127 get_kadm_ticket(krb5_context context,
128 krb5_ccache id,
129 krb5_principal client,
130 const char *server_name)
131 {
132 krb5_error_code ret;
133 krb5_creds in, *out;
134
135 memset(&in, 0, sizeof(in));
136 in.client = client;
137 ret = krb5_parse_name(context, server_name, &in.server);
138 if(ret)
139 return ret;
140 ret = krb5_get_credentials(context, 0, id, &in, &out);
141 if(ret == 0)
142 krb5_free_creds(context, out);
143 krb5_free_principal(context, in.server);
144 return ret;
145 }
146
147 static krb5_error_code
148 get_new_cache(krb5_context context,
149 krb5_principal client,
150 const char *password,
151 krb5_prompter_fct prompter,
152 const char *keytab,
153 const char *server_name,
154 krb5_ccache *ret_cache)
155 {
156 krb5_error_code ret;
157 krb5_creds cred;
158 krb5_get_init_creds_opt *opt;
159 krb5_ccache id;
160
161 ret = krb5_get_init_creds_opt_alloc (context, &opt);
162 if (ret)
163 return ret;
164
165 krb5_get_init_creds_opt_set_default_flags(context, "kadmin",
166 krb5_principal_get_realm(context,
167 client),
168 opt);
169
170
171 krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
172 krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
173
174 if(password == NULL && prompter == NULL) {
175 krb5_keytab kt;
176 if(keytab == NULL)
177 ret = krb5_kt_default(context, &kt);
178 else
179 ret = krb5_kt_resolve(context, keytab, &kt);
180 if(ret) {
181 krb5_get_init_creds_opt_free(context, opt);
182 return ret;
183 }
184 ret = krb5_get_init_creds_keytab (context,
185 &cred,
186 client,
187 kt,
188 0,
189 server_name,
190 opt);
191 krb5_kt_close(context, kt);
192 } else {
193 ret = krb5_get_init_creds_password (context,
194 &cred,
195 client,
196 password,
197 prompter,
198 NULL,
199 0,
200 server_name,
201 opt);
202 }
203 krb5_get_init_creds_opt_free(context, opt);
204 switch(ret){
205 case 0:
206 break;
207 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
208 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
209 case KRB5KRB_AP_ERR_MODIFIED:
210 return KADM5_BAD_PASSWORD;
211 default:
212 return ret;
213 }
214 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
215 if(ret)
216 return ret;
217 ret = krb5_cc_initialize (context, id, cred.client);
218 if (ret)
219 return ret;
220 ret = krb5_cc_store_cred (context, id, &cred);
221 if (ret)
222 return ret;
223 krb5_free_cred_contents (context, &cred);
224 *ret_cache = id;
225 return 0;
226 }
227
228 /*
229 * Check the credential cache `id´ to figure out what principal to use
230 * when talking to the kadmind. If there is a initial kadmin/admin@
231 * credential in the cache, use that client principal. Otherwise, use
232 * the client principals first component and add /admin to the
233 * principal.
234 */
235
236 static krb5_error_code
237 get_cache_principal(krb5_context context,
238 krb5_ccache *id,
239 krb5_principal *client)
240 {
241 krb5_error_code ret;
242 const char *name, *inst;
243 krb5_principal p1, p2;
244
245 ret = krb5_cc_default(context, id);
246 if(ret) {
247 *id = NULL;
248 return ret;
249 }
250
251 ret = krb5_cc_get_principal(context, *id, &p1);
252 if(ret) {
253 krb5_cc_close(context, *id);
254 *id = NULL;
255 return ret;
256 }
257
258 ret = krb5_make_principal(context, &p2, NULL,
259 "kadmin", "admin", NULL);
260 if (ret) {
261 krb5_cc_close(context, *id);
262 *id = NULL;
263 krb5_free_principal(context, p1);
264 return ret;
265 }
266
267 {
268 krb5_creds in, *out;
269 krb5_kdc_flags flags;
270
271 flags.i = 0;
272 memset(&in, 0, sizeof(in));
273
274 in.client = p1;
275 in.server = p2;
276
277 /* check for initial ticket kadmin/admin */
278 ret = krb5_get_credentials_with_flags(context, KRB5_GC_CACHED, flags,
279 *id, &in, &out);
280 krb5_free_principal(context, p2);
281 if (ret == 0) {
282 if (out->flags.b.initial) {
283 *client = p1;
284 krb5_free_creds(context, out);
285 return 0;
286 }
287 krb5_free_creds(context, out);
288 }
289 }
290 krb5_cc_close(context, *id);
291 *id = NULL;
292
293 name = krb5_principal_get_comp_string(context, p1, 0);
294 inst = krb5_principal_get_comp_string(context, p1, 1);
295 if(inst == NULL || strcmp(inst, "admin") != 0) {
296 ret = krb5_make_principal(context, &p2, NULL, name, "admin", NULL);
297 krb5_free_principal(context, p1);
298 if(ret != 0)
299 return ret;
300
301 *client = p2;
302 return 0;
303 }
304
305 *client = p1;
306
307 return 0;
308 }
309
310 krb5_error_code
311 _kadm5_c_get_cred_cache(krb5_context context,
312 const char *client_name,
313 const char *server_name,
314 const char *password,
315 krb5_prompter_fct prompter,
316 const char *keytab,
317 krb5_ccache ccache,
318 krb5_ccache *ret_cache)
319 {
320 krb5_error_code ret;
321 krb5_ccache id = NULL;
322 krb5_principal default_client = NULL, client = NULL;
323
324 /* treat empty password as NULL */
325 if(password && *password == '\0')
326 password = NULL;
327 if(server_name == NULL)
328 server_name = KADM5_ADMIN_SERVICE;
329
330 if(client_name != NULL) {
331 ret = krb5_parse_name(context, client_name, &client);
332 if(ret)
333 return ret;
334 }
335
336 if(ccache != NULL) {
337 id = ccache;
338 ret = krb5_cc_get_principal(context, id, &client);
339 if(ret)
340 return ret;
341 } else {
342 /* get principal from default cache, ok if this doesn't work */
343
344 ret = get_cache_principal(context, &id, &default_client);
345 if (ret) {
346 /*
347 * No client was specified by the caller and we cannot
348 * determine the client from a credentials cache.
349 */
350 const char *user;
351
352 user = get_default_username ();
353
354 if(user == NULL) {
355 krb5_set_error_string(context, "Unable to find local user name");
356 return KADM5_FAILURE;
357 }
358 ret = krb5_make_principal(context, &default_client,
359 NULL, user, "admin", NULL);
360 if(ret)
361 return ret;
362 }
363 }
364
365
366 /*
367 * No client was specified by the caller, but we have a client
368 * from the default credentials cache.
369 */
370 if (client == NULL && default_client != NULL)
371 client = default_client;
372
373
374 if(id && (default_client == NULL ||
375 krb5_principal_compare(context, client, default_client))) {
376 ret = get_kadm_ticket(context, id, client, server_name);
377 if(ret == 0) {
378 *ret_cache = id;
379 krb5_free_principal(context, default_client);
380 if (default_client != client)
381 krb5_free_principal(context, client);
382 return 0;
383 }
384 if(ccache != NULL)
385 /* couldn't get ticket from cache */
386 return -1;
387 }
388 /* get creds via AS request */
389 if(id && (id != ccache))
390 krb5_cc_close(context, id);
391 if (client != default_client)
392 krb5_free_principal(context, default_client);
393
394 ret = get_new_cache(context, client, password, prompter, keytab,
395 server_name, ret_cache);
396 krb5_free_principal(context, client);
397 return ret;
398 }
399
400 static kadm5_ret_t
401 kadm_connect(kadm5_client_context *ctx)
402 {
403 kadm5_ret_t ret;
404 krb5_principal server;
405 krb5_ccache cc;
406 int s;
407 struct addrinfo *ai, *a;
408 struct addrinfo hints;
409 int error;
410 char portstr[NI_MAXSERV];
411 char *hostname, *slash;
412 char *service_name;
413 krb5_context context = ctx->context;
414
415 memset (&hints, 0, sizeof(hints));
416 hints.ai_socktype = SOCK_STREAM;
417 hints.ai_protocol = IPPROTO_TCP;
418
419 snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port));
420
421 hostname = ctx->admin_server;
422 slash = strchr (hostname, '/');
423 if (slash != NULL)
424 hostname = slash + 1;
425
426 error = getaddrinfo (hostname, portstr, &hints, &ai);
427 if (error) {
428 krb5_clear_error_string(context);
429 return KADM5_BAD_SERVER_NAME;
430 }
431
432 for (a = ai; a != NULL; a = a->ai_next) {
433 s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
434 if (s < 0)
435 continue;
436 if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
437 krb5_clear_error_string(context);
438 krb5_warn (context, errno, "connect(%s)", hostname);
439 close (s);
440 continue;
441 }
442 break;
443 }
444 if (a == NULL) {
445 freeaddrinfo (ai);
446 krb5_clear_error_string(context);
447 krb5_warnx (context, "failed to contact %s", hostname);
448 return KADM5_FAILURE;
449 }
450 ret = _kadm5_c_get_cred_cache(context,
451 ctx->client_name,
452 ctx->service_name,
453 NULL, ctx->prompter, ctx->keytab,
454 ctx->ccache, &cc);
455
456 if(ret) {
457 freeaddrinfo (ai);
458 close(s);
459 return ret;
460 }
461
462 if (ctx->realm)
463 asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE, ctx->realm);
464 else
465 asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE);
466
467 if (service_name == NULL) {
468 freeaddrinfo (ai);
469 close(s);
470 krb5_clear_error_string(context);
471 return ENOMEM;
472 }
473
474 ret = krb5_parse_name(context, service_name, &server);
475 free(service_name);
476 if(ret) {
477 freeaddrinfo (ai);
478 if(ctx->ccache == NULL)
479 krb5_cc_close(context, cc);
480 close(s);
481 return ret;
482 }
483 ctx->ac = NULL;
484
485 ret = krb5_sendauth(context, &ctx->ac, &s,
486 KADMIN_APPL_VERSION, NULL,
487 server, AP_OPTS_MUTUAL_REQUIRED,
488 NULL, NULL, cc, NULL, NULL, NULL);
489 if(ret == 0) {
490 krb5_data params;
491 kadm5_config_params p;
492 memset(&p, 0, sizeof(p));
493 if(ctx->realm) {
494 p.mask |= KADM5_CONFIG_REALM;
495 p.realm = ctx->realm;
496 }
497 ret = _kadm5_marshal_params(context, &p, &params);
498
499 ret = krb5_write_priv_message(context, ctx->ac, &s, &params);
500 krb5_data_free(&params);
501 if(ret) {
502 freeaddrinfo (ai);
503 close(s);
504 if(ctx->ccache == NULL)
505 krb5_cc_close(context, cc);
506 return ret;
507 }
508 } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) {
509 close(s);
510
511 s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
512 if (s < 0) {
513 freeaddrinfo (ai);
514 krb5_clear_error_string(context);
515 return errno;
516 }
517 if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
518 close (s);
519 freeaddrinfo (ai);
520 krb5_clear_error_string(context);
521 return errno;
522 }
523 ret = krb5_sendauth(context, &ctx->ac, &s,
524 KADMIN_OLD_APPL_VERSION, NULL,
525 server, AP_OPTS_MUTUAL_REQUIRED,
526 NULL, NULL, cc, NULL, NULL, NULL);
527 }
528 freeaddrinfo (ai);
529 if(ret) {
530 close(s);
531 return ret;
532 }
533
534 krb5_free_principal(context, server);
535 if(ctx->ccache == NULL)
536 krb5_cc_close(context, cc);
537 ctx->sock = s;
538
539 return 0;
540 }
541
542 kadm5_ret_t
543 _kadm5_connect(void *handle)
544 {
545 kadm5_client_context *ctx = handle;
546 if(ctx->sock == -1)
547 return kadm_connect(ctx);
548 return 0;
549 }
550
551 static kadm5_ret_t
552 kadm5_c_init_with_context(krb5_context context,
553 const char *client_name,
554 const char *password,
555 krb5_prompter_fct prompter,
556 const char *keytab,
557 krb5_ccache ccache,
558 const char *service_name,
559 kadm5_config_params *realm_params,
560 unsigned long struct_version,
561 unsigned long api_version,
562 void **server_handle)
563 {
564 kadm5_ret_t ret;
565 kadm5_client_context *ctx;
566 krb5_ccache cc;
567
568 ret = _kadm5_c_init_context(&ctx, realm_params, context);
569 if(ret)
570 return ret;
571
572 if(password != NULL && *password != '\0') {
573 ret = _kadm5_c_get_cred_cache(context,
574 client_name,
575 service_name,
576 password, prompter, keytab, ccache, &cc);
577 if(ret)
578 return ret; /* XXX */
579 ccache = cc;
580 }
581
582
583 if (client_name != NULL)
584 ctx->client_name = strdup(client_name);
585 else
586 ctx->client_name = NULL;
587 if (service_name != NULL)
588 ctx->service_name = strdup(service_name);
589 else
590 ctx->service_name = NULL;
591 ctx->prompter = prompter;
592 ctx->keytab = keytab;
593 ctx->ccache = ccache;
594 /* maybe we should copy the params here */
595 ctx->sock = -1;
596
597 *server_handle = ctx;
598 return 0;
599 }
600
601 static kadm5_ret_t
602 init_context(const char *client_name,
603 const char *password,
604 krb5_prompter_fct prompter,
605 const char *keytab,
606 krb5_ccache ccache,
607 const char *service_name,
608 kadm5_config_params *realm_params,
609 unsigned long struct_version,
610 unsigned long api_version,
611 void **server_handle)
612 {
613 krb5_context context;
614 kadm5_ret_t ret;
615 kadm5_server_context *ctx;
616
617 ret = krb5_init_context(&context);
618 if (ret)
619 return ret;
620 ret = kadm5_c_init_with_context(context,
621 client_name,
622 password,
623 prompter,
624 keytab,
625 ccache,
626 service_name,
627 realm_params,
628 struct_version,
629 api_version,
630 server_handle);
631 if(ret){
632 krb5_free_context(context);
633 return ret;
634 }
635 ctx = *server_handle;
636 ctx->my_context = 1;
637 return 0;
638 }
639
640 kadm5_ret_t
641 kadm5_c_init_with_password_ctx(krb5_context context,
642 const char *client_name,
643 const char *password,
644 const char *service_name,
645 kadm5_config_params *realm_params,
646 unsigned long struct_version,
647 unsigned long api_version,
648 void **server_handle)
649 {
650 return kadm5_c_init_with_context(context,
651 client_name,
652 password,
653 krb5_prompter_posix,
654 NULL,
655 NULL,
656 service_name,
657 realm_params,
658 struct_version,
659 api_version,
660 server_handle);
661 }
662
663 kadm5_ret_t
664 kadm5_c_init_with_password(const char *client_name,
665 const char *password,
666 const char *service_name,
667 kadm5_config_params *realm_params,
668 unsigned long struct_version,
669 unsigned long api_version,
670 void **server_handle)
671 {
672 return init_context(client_name,
673 password,
674 krb5_prompter_posix,
675 NULL,
676 NULL,
677 service_name,
678 realm_params,
679 struct_version,
680 api_version,
681 server_handle);
682 }
683
684 kadm5_ret_t
685 kadm5_c_init_with_skey_ctx(krb5_context context,
686 const char *client_name,
687 const char *keytab,
688 const char *service_name,
689 kadm5_config_params *realm_params,
690 unsigned long struct_version,
691 unsigned long api_version,
692 void **server_handle)
693 {
694 return kadm5_c_init_with_context(context,
695 client_name,
696 NULL,
697 NULL,
698 keytab,
699 NULL,
700 service_name,
701 realm_params,
702 struct_version,
703 api_version,
704 server_handle);
705 }
706
707
708 kadm5_ret_t
709 kadm5_c_init_with_skey(const char *client_name,
710 const char *keytab,
711 const char *service_name,
712 kadm5_config_params *realm_params,
713 unsigned long struct_version,
714 unsigned long api_version,
715 void **server_handle)
716 {
717 return init_context(client_name,
718 NULL,
719 NULL,
720 keytab,
721 NULL,
722 service_name,
723 realm_params,
724 struct_version,
725 api_version,
726 server_handle);
727 }
728
729 kadm5_ret_t
730 kadm5_c_init_with_creds_ctx(krb5_context context,
731 const char *client_name,
732 krb5_ccache ccache,
733 const char *service_name,
734 kadm5_config_params *realm_params,
735 unsigned long struct_version,
736 unsigned long api_version,
737 void **server_handle)
738 {
739 return kadm5_c_init_with_context(context,
740 client_name,
741 NULL,
742 NULL,
743 NULL,
744 ccache,
745 service_name,
746 realm_params,
747 struct_version,
748 api_version,
749 server_handle);
750 }
751
752 kadm5_ret_t
753 kadm5_c_init_with_creds(const char *client_name,
754 krb5_ccache ccache,
755 const char *service_name,
756 kadm5_config_params *realm_params,
757 unsigned long struct_version,
758 unsigned long api_version,
759 void **server_handle)
760 {
761 return init_context(client_name,
762 NULL,
763 NULL,
764 NULL,
765 ccache,
766 service_name,
767 realm_params,
768 struct_version,
769 api_version,
770 server_handle);
771 }
772
773 #if 0
774 kadm5_ret_t
775 kadm5_init(char *client_name, char *pass,
776 char *service_name,
777 kadm5_config_params *realm_params,
778 unsigned long struct_version,
779 unsigned long api_version,
780 void **server_handle)
781 {
782 }
783 #endif
784
NetBSD on the FriendlyARM MINI2440