1 /*
2 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hdb_locl.h"
35
36 int
hdb_principal2key(krb5_context context,krb5_const_principal p,krb5_data * key)37 hdb_principal2key(krb5_context context, krb5_const_principal p, krb5_data *key)
38 {
39 Principal new;
40 size_t len = 0;
41 int ret;
42
43 ret = copy_Principal(p, &new);
44 if(ret)
45 return ret;
46 new.name.name_type = 0;
47
48 ASN1_MALLOC_ENCODE(Principal, key->data, key->length, &new, &len, ret);
49 if (ret == 0 && key->length != len)
50 krb5_abortx(context, "internal asn.1 encoder error");
51 free_Principal(&new);
52 return ret;
53 }
54
55 int
hdb_key2principal(krb5_context context,krb5_data * key,krb5_principal p)56 hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
57 {
58 return decode_Principal(key->data, key->length, p, NULL);
59 }
60
61 int
hdb_entry2value(krb5_context context,const hdb_entry * ent,krb5_data * value)62 hdb_entry2value(krb5_context context, const hdb_entry *ent, krb5_data *value)
63 {
64 size_t len = 0;
65 int ret;
66
67 ASN1_MALLOC_ENCODE(hdb_entry, value->data, value->length, ent, &len, ret);
68 if (ret == 0 && value->length != len)
69 krb5_abortx(context, "internal asn.1 encoder error");
70 return ret;
71 }
72
73 int
hdb_value2entry(krb5_context context,krb5_data * value,hdb_entry * ent)74 hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
75 {
76 return decode_hdb_entry(value->data, value->length, ent, NULL);
77 }
78
79 int
hdb_entry_alias2value(krb5_context context,const hdb_entry_alias * alias,krb5_data * value)80 hdb_entry_alias2value(krb5_context context,
81 const hdb_entry_alias *alias,
82 krb5_data *value)
83 {
84 size_t len = 0;
85 int ret;
86
87 ASN1_MALLOC_ENCODE(hdb_entry_alias, value->data, value->length,
88 alias, &len, ret);
89 if (ret == 0 && value->length != len)
90 krb5_abortx(context, "internal asn.1 encoder error");
91 return ret;
92 }
93
94 int
hdb_value2entry_alias(krb5_context context,krb5_data * value,hdb_entry_alias * ent)95 hdb_value2entry_alias(krb5_context context, krb5_data *value,
96 hdb_entry_alias *ent)
97 {
98 return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
99 }
100
101 krb5_error_code
_hdb_fetch_kvno(krb5_context context,HDB * db,krb5_const_principal principal,unsigned flags,krb5_kvno kvno,hdb_entry_ex * entry)102 _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
103 unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
104 {
105 krb5_principal enterprise_principal = NULL;
106 krb5_data key, value;
107 krb5_error_code ret;
108 int code;
109
110 if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
111 if (principal->name.name_string.len != 1) {
112 ret = KRB5_PARSE_MALFORMED;
113 krb5_set_error_message(context, ret, "malformed principal: "
114 "enterprise name with %d name components",
115 principal->name.name_string.len);
116 return ret;
117 }
118 ret = krb5_parse_name(context, principal->name.name_string.val[0],
119 &enterprise_principal);
120 if (ret)
121 return ret;
122 principal = enterprise_principal;
123 }
124
125 hdb_principal2key(context, principal, &key);
126 if (enterprise_principal)
127 krb5_free_principal(context, enterprise_principal);
128 code = db->hdb__get(context, db, key, &value);
129 krb5_data_free(&key);
130 if(code)
131 return code;
132 code = hdb_value2entry(context, &value, &entry->entry);
133 if (code == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
134 krb5_data_free(&value);
135 return HDB_ERR_NOENTRY;
136 } else if (code == ASN1_BAD_ID) {
137 hdb_entry_alias alias;
138
139 code = hdb_value2entry_alias(context, &value, &alias);
140 if (code) {
141 krb5_data_free(&value);
142 return code;
143 }
144 hdb_principal2key(context, alias.principal, &key);
145 krb5_data_free(&value);
146 free_hdb_entry_alias(&alias);
147
148 code = db->hdb__get(context, db, key, &value);
149 krb5_data_free(&key);
150 if (code)
151 return code;
152 code = hdb_value2entry(context, &value, &entry->entry);
153 if (code) {
154 krb5_data_free(&value);
155 return code;
156 }
157 }
158 krb5_data_free(&value);
159 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
160 code = hdb_unseal_keys (context, db, &entry->entry);
161 if (code)
162 hdb_free_entry(context, entry);
163 }
164 return code;
165 }
166
167 static krb5_error_code
hdb_remove_aliases(krb5_context context,HDB * db,krb5_data * key)168 hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
169 {
170 const HDB_Ext_Aliases *aliases;
171 krb5_error_code code;
172 hdb_entry oldentry;
173 krb5_data value;
174 size_t i;
175
176 code = db->hdb__get(context, db, *key, &value);
177 if (code == HDB_ERR_NOENTRY)
178 return 0;
179 else if (code)
180 return code;
181
182 code = hdb_value2entry(context, &value, &oldentry);
183 krb5_data_free(&value);
184 if (code)
185 return code;
186
187 code = hdb_entry_get_aliases(&oldentry, &aliases);
188 if (code || aliases == NULL) {
189 free_hdb_entry(&oldentry);
190 return code;
191 }
192 for (i = 0; i < aliases->aliases.len; i++) {
193 krb5_data akey;
194
195 hdb_principal2key(context, &aliases->aliases.val[i], &akey);
196 code = db->hdb__del(context, db, akey);
197 krb5_data_free(&akey);
198 if (code) {
199 free_hdb_entry(&oldentry);
200 return code;
201 }
202 }
203 free_hdb_entry(&oldentry);
204 return 0;
205 }
206
207 static krb5_error_code
hdb_add_aliases(krb5_context context,HDB * db,unsigned flags,hdb_entry_ex * entry)208 hdb_add_aliases(krb5_context context, HDB *db,
209 unsigned flags, hdb_entry_ex *entry)
210 {
211 const HDB_Ext_Aliases *aliases;
212 krb5_error_code code;
213 krb5_data key, value;
214 size_t i;
215
216 code = hdb_entry_get_aliases(&entry->entry, &aliases);
217 if (code || aliases == NULL)
218 return code;
219
220 for (i = 0; i < aliases->aliases.len; i++) {
221 hdb_entry_alias entryalias;
222 entryalias.principal = entry->entry.principal;
223
224 hdb_principal2key(context, &aliases->aliases.val[i], &key);
225 code = hdb_entry_alias2value(context, &entryalias, &value);
226 if (code) {
227 krb5_data_free(&key);
228 return code;
229 }
230 code = db->hdb__put(context, db, flags, key, value);
231 krb5_data_free(&key);
232 krb5_data_free(&value);
233 if (code)
234 return code;
235 }
236 return 0;
237 }
238
239 static krb5_error_code
hdb_check_aliases(krb5_context context,HDB * db,hdb_entry_ex * entry)240 hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
241 {
242 const HDB_Ext_Aliases *aliases;
243 int code;
244 size_t i;
245
246 /* check if new aliases already is used */
247
248 code = hdb_entry_get_aliases(&entry->entry, &aliases);
249 if (code)
250 return code;
251
252 for (i = 0; aliases && i < aliases->aliases.len; i++) {
253 hdb_entry_alias alias;
254 krb5_data akey, value;
255
256 hdb_principal2key(context, &aliases->aliases.val[i], &akey);
257 code = db->hdb__get(context, db, akey, &value);
258 krb5_data_free(&akey);
259 if (code == HDB_ERR_NOENTRY)
260 continue;
261 else if (code)
262 return code;
263
264 code = hdb_value2entry_alias(context, &value, &alias);
265 krb5_data_free(&value);
266
267 if (code == ASN1_BAD_ID)
268 return HDB_ERR_EXISTS;
269 else if (code)
270 return code;
271
272 code = krb5_principal_compare(context, alias.principal,
273 entry->entry.principal);
274 free_hdb_entry_alias(&alias);
275 if (code == 0)
276 return HDB_ERR_EXISTS;
277 }
278 return 0;
279 }
280
281 krb5_error_code
_hdb_store(krb5_context context,HDB * db,unsigned flags,hdb_entry_ex * entry)282 _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
283 {
284 krb5_data key, value;
285 int code;
286
287 /* check if new aliases already is used */
288 code = hdb_check_aliases(context, db, entry);
289 if (code)
290 return code;
291
292 if(entry->entry.generation == NULL) {
293 struct timeval t;
294 entry->entry.generation = malloc(sizeof(*entry->entry.generation));
295 if(entry->entry.generation == NULL) {
296 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
297 return ENOMEM;
298 }
299 gettimeofday(&t, NULL);
300 entry->entry.generation->time = t.tv_sec;
301 entry->entry.generation->usec = t.tv_usec;
302 entry->entry.generation->gen = 0;
303 } else
304 entry->entry.generation->gen++;
305
306 code = hdb_seal_keys(context, db, &entry->entry);
307 if (code)
308 return code;
309
310 hdb_principal2key(context, entry->entry.principal, &key);
311
312 /* remove aliases */
313 code = hdb_remove_aliases(context, db, &key);
314 if (code) {
315 krb5_data_free(&key);
316 return code;
317 }
318 hdb_entry2value(context, &entry->entry, &value);
319 code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
320 krb5_data_free(&value);
321 krb5_data_free(&key);
322 if (code)
323 return code;
324
325 code = hdb_add_aliases(context, db, flags, entry);
326
327 return code;
328 }
329
330 krb5_error_code
_hdb_remove(krb5_context context,HDB * db,krb5_const_principal principal)331 _hdb_remove(krb5_context context, HDB *db, krb5_const_principal principal)
332 {
333 krb5_data key;
334 int code;
335
336 hdb_principal2key(context, principal, &key);
337
338 code = hdb_remove_aliases(context, db, &key);
339 if (code) {
340 krb5_data_free(&key);
341 return code;
342 }
343 code = db->hdb__del(context, db, key);
344 krb5_data_free(&key);
345 return code;
346 }
347
348