static kadm5_ret_t kadm5_get_either(int princ, void *server_handle, char *exp, char ***princs, int *count) { struct iter_data data; #ifdef BSD_REGEXPS char *msg; #endif char *regexp; int i, ret; kadm5_server_handle_t handle = server_handle; *count = 0; if (exp == NULL) exp = "*"; CHECK_HANDLE(server_handle); if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL, ®exp)) != KADM5_OK) return ret; if ( #ifdef SOLARIS_REGEXPS ((data.expbuf = compile(regexp, NULL, NULL)) == NULL) #endif #ifdef POSIX_REGEXPS ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0) #endif #ifdef BSD_REGEXPS ((msg = (char *) re_comp(regexp)) != NULL) #endif ) { /* XXX syslog msg or regerr(regerrno) */ free(regexp); return EINVAL; } data.n_names = 0; data.sz_names = 10; data.malloc_failed = 0; data.names = malloc(sizeof(char *) * data.sz_names); if (data.names == NULL) { free(regexp); return ENOMEM; } if (princ) { data.context = handle->context; ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data); } else { ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data); } free(regexp); #ifdef POSIX_REGEXPS regfree(&data.preg); #endif if ( !ret && data.malloc_failed) ret = ENOMEM; if ( ret ) { for (i = 0; i < data.n_names; i++) free(data.names[i]); free(data.names); return ret; } *princs = data.names; *count = data.n_names; return KADM5_OK; }
void kdb5_update_princ_encryption(int argc, char *argv[]) { struct update_enc_mkvno data = { 0 }; char *name_pattern = NULL; int force = 0; int optchar; krb5_error_code retval; krb5_actkvno_node *actkvno_list = 0; krb5_db_entry *master_entry; char *mkey_fullname = 0; #ifdef BSD_REGEXPS char *msg; #endif char *regexp = NULL; krb5_keyblock *act_mkey; krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); while ((optchar = getopt(argc, argv, "fnv")) != -1) { switch (optchar) { case 'f': force = 1; break; case 'n': data.dry_run = 1; break; case 'v': data.verbose = 1; break; case '?': case ':': default: usage(); } } if (argv[optind] != NULL) { name_pattern = argv[optind]; if (argv[optind+1] != NULL) usage(); } retval = krb5_unparse_name(util_context, master_princ, &mkey_fullname); if (retval) { com_err(progname, retval, _("while formatting master principal name")); exit_status++; goto cleanup; } if (master_keylist == NULL) { com_err(progname, retval, _("master keylist not initialized")); exit_status++; goto cleanup; } /* The glob_to_regexp code only cares if the "realm" parameter is NULL or not; the string data is irrelevant. */ if (name_pattern == NULL) name_pattern = "*"; if (glob_to_regexp(name_pattern, "hi", ®exp) != 0) { com_err(progname, ENOMEM, _("converting glob pattern '%s' to regular expression"), name_pattern); exit_status++; goto cleanup; } if ( #ifdef SOLARIS_REGEXPS ((data.expbuf = compile(regexp, NULL, NULL)) == NULL) #endif #ifdef POSIX_REGEXPS ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0) #endif #ifdef BSD_REGEXPS ((msg = (char *) re_comp(regexp)) != NULL) #endif ) { /* XXX syslog msg or regerr(regerrno) */ com_err(progname, 0, _("error compiling converted regexp '%s'"), regexp); exit_status++; goto cleanup; } retval = krb5_db_get_principal(util_context, master_princ, 0, &master_entry); if (retval != 0) { com_err(progname, retval, _("while getting master key principal %s"), mkey_fullname); exit_status++; goto cleanup; } retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, _("while looking up active kvno list")); exit_status++; goto cleanup; } retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno, &act_mkey); if (retval) { com_err(progname, retval, _("while looking up active master key")); exit_status++; goto cleanup; } new_master_keyblock = *act_mkey; if (!force && !data.dry_run && !are_you_sure(_("Re-encrypt all keys not using master key vno %u?"), new_mkvno)) { printf(_("OK, doing nothing.\n")); exit_status++; goto cleanup; } if (data.verbose) { if (data.dry_run) { printf(_("Principals whose keys WOULD BE re-encrypted to master " "key vno %u:\n"), new_mkvno); } else { printf(_("Principals whose keys are being re-encrypted to master " "key vno %u if necessary:\n"), new_mkvno); } } if (!data.dry_run) { /* Grab a write lock so we don't have to upgrade to a write lock and * reopen the DB while iterating. */ retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE); if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) { com_err(progname, retval, _("trying to lock database")); exit_status++; } } retval = krb5_db_iterate(util_context, name_pattern, update_princ_encryption_1, &data); /* If exit_status is set, then update_princ_encryption_1 already printed a message. */ if (retval != 0 && exit_status == 0) { com_err(progname, retval, _("trying to process principal database")); exit_status++; } if (!data.dry_run) (void)krb5_db_unlock(util_context); (void) krb5_db_fini(util_context); if (data.dry_run) { printf(_("%u principals processed: %u would be updated, %u already " "current\n"), data.re_match_count, data.updated, data.already_current); } else { printf(_("%u principals processed: %u updated, %u already current\n"), data.re_match_count, data.updated, data.already_current); } cleanup: free(regexp); memset(&new_master_keyblock, 0, sizeof(new_master_keyblock)); krb5_free_unparsed_name(util_context, mkey_fullname); krb5_dbe_free_actkvno_list(util_context, actkvno_list); }