static kadm5_ret_t kadm5_get_either(int princ,
void *server_handle,
char *exp,
char ***princs,
int *count)
{
struct iter_data data;
#ifdef BSD_REGEXPS
char *msg;
#endif
char *regexp;
int i, ret;
kadm5_server_handle_t handle = server_handle;
*count = 0;
if (exp == NULL)
exp = "*";
CHECK_HANDLE(server_handle);
if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL,
®exp)) != KADM5_OK)
return ret;
if (
#ifdef SOLARIS_REGEXPS
((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
((msg = (char *) re_comp(regexp)) != NULL)
#endif
)
{
/* XXX syslog msg or regerr(regerrno) */
free(regexp);
return EINVAL;
}
data.n_names = 0;
data.sz_names = 10;
data.malloc_failed = 0;
data.names = malloc(sizeof(char *) * data.sz_names);
if (data.names == NULL) {
free(regexp);
return ENOMEM;
}
if (princ) {
data.context = handle->context;
ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data);
} else {
ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data);
}
free(regexp);
#ifdef POSIX_REGEXPS
regfree(&data.preg);
#endif
if ( !ret && data.malloc_failed)
ret = ENOMEM;
if ( ret ) {
for (i = 0; i < data.n_names; i++)
free(data.names[i]);
free(data.names);
return ret;
}
*princs = data.names;
*count = data.n_names;
return KADM5_OK;
}
void
kdb5_update_princ_encryption(int argc, char *argv[])
{
struct update_enc_mkvno data = { 0 };
char *name_pattern = NULL;
int force = 0;
int optchar;
krb5_error_code retval;
krb5_actkvno_node *actkvno_list = 0;
krb5_db_entry *master_entry;
char *mkey_fullname = 0;
#ifdef BSD_REGEXPS
char *msg;
#endif
char *regexp = NULL;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch (optchar) {
case 'f':
force = 1;
break;
case 'n':
data.dry_run = 1;
break;
case 'v':
data.verbose = 1;
break;
case '?':
case ':':
default:
usage();
}
}
if (argv[optind] != NULL) {
name_pattern = argv[optind];
if (argv[optind+1] != NULL)
usage();
}
retval = krb5_unparse_name(util_context, master_princ, &mkey_fullname);
if (retval) {
com_err(progname, retval, _("while formatting master principal name"));
exit_status++;
goto cleanup;
}
if (master_keylist == NULL) {
com_err(progname, retval, _("master keylist not initialized"));
exit_status++;
goto cleanup;
}
/* The glob_to_regexp code only cares if the "realm" parameter is
NULL or not; the string data is irrelevant. */
if (name_pattern == NULL)
name_pattern = "*";
if (glob_to_regexp(name_pattern, "hi", ®exp) != 0) {
com_err(progname, ENOMEM,
_("converting glob pattern '%s' to regular expression"),
name_pattern);
exit_status++;
goto cleanup;
}
if (
#ifdef SOLARIS_REGEXPS
((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
((msg = (char *) re_comp(regexp)) != NULL)
#endif
) {
/* XXX syslog msg or regerr(regerrno) */
com_err(progname, 0, _("error compiling converted regexp '%s'"),
regexp);
exit_status++;
goto cleanup;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup;
}
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
&act_mkey);
if (retval) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup;
}
new_master_keyblock = *act_mkey;
if (!force &&
!data.dry_run &&
!are_you_sure(_("Re-encrypt all keys not using master key vno %u?"),
new_mkvno)) {
printf(_("OK, doing nothing.\n"));
exit_status++;
goto cleanup;
}
if (data.verbose) {
if (data.dry_run) {
printf(_("Principals whose keys WOULD BE re-encrypted to master "
"key vno %u:\n"), new_mkvno);
} else {
printf(_("Principals whose keys are being re-encrypted to master "
"key vno %u if necessary:\n"), new_mkvno);
}
}
if (!data.dry_run) {
/* Grab a write lock so we don't have to upgrade to a write lock and
* reopen the DB while iterating. */
retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE);
if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) {
com_err(progname, retval, _("trying to lock database"));
exit_status++;
}
}
retval = krb5_db_iterate(util_context, name_pattern,
update_princ_encryption_1, &data);
/* If exit_status is set, then update_princ_encryption_1 already
printed a message. */
if (retval != 0 && exit_status == 0) {
com_err(progname, retval, _("trying to process principal database"));
exit_status++;
}
if (!data.dry_run)
(void)krb5_db_unlock(util_context);
(void) krb5_db_fini(util_context);
if (data.dry_run) {
printf(_("%u principals processed: %u would be updated, %u already "
"current\n"),
data.re_match_count, data.updated, data.already_current);
} else {
printf(_("%u principals processed: %u updated, %u already current\n"),
data.re_match_count, data.updated, data.already_current);
}
cleanup:
free(regexp);
memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
}
