1 /* 2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 
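*/

#include "kdc_locl.h"

/* Timestamp of the request being processed; set elsewhere in the KDC. */
struct timeval _kdc_now;

/*
 * Look up `principal` in each configured HDB backend in turn and return the
 * first entry found.
 *
 * principal: name to look up.  An enterprise principal
 *            (KRB5_NT_ENTERPRISE_PRINCIPAL) is parsed once, up front; backends
 *            that do not advertise HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL are
 *            given the parsed form, the others the original name.
 * flags:     HDB_F_* fetch flags.  HDB_F_DECRYPT is always added, and
 *            HDB_F_KVNO_SPECIFIED whenever kvno_ptr is non-NULL.
 * kvno_ptr:  if non-NULL, the specific key version to fetch.
 * db:        if non-NULL, receives the backend that produced the entry.
 * h:         receives a heap-allocated entry (release with _kdc_free_ent);
 *            it is set to NULL on every failure path.
 *
 * Returns 0 on success.  When no backend has the entry the result is the
 * last backend's error, or HDB_ERR_NOENTRY if no backend is configured.
 * A malformed enterprise name yields KRB5_PARSE_MALFORMED (or the
 * krb5_parse_name error); allocation failure yields ENOMEM.
 */
krb5_error_code
_kdc_db_fetch(krb5_context context,
	      krb5_kdc_configuration *config,
	      krb5_const_principal principal,
	      unsigned flags,
	      krb5uint32 *kvno_ptr,
	      HDB **db,
	      hdb_entry_ex **h)
{
    hdb_entry_ex *ent = NULL;
    krb5_principal enterprise_principal = NULL;
    krb5_error_code ret = HDB_ERR_NOENTRY;
    unsigned kvno = 0;
    int i;

    *h = NULL;

    if (kvno_ptr) {
	kvno = *kvno_ptr;
	flags |= HDB_F_KVNO_SPECIFIED;
    }

    ent = calloc(1, sizeof(*ent));
    if (ent == NULL) {
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
	return ENOMEM;
    }

    /*
     * Parse an enterprise name exactly once, before the backend loop.
     * Previously the parse happened inside the loop and `principal` was
     * pointed at the parsed name, which was then freed after the fetch; with
     * more than one backend the next iteration dereferenced freed memory.
     */
    if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
	if (principal->name.name_string.len != 1) {
	    ret = KRB5_PARSE_MALFORMED;
	    krb5_set_error_message(context, ret,
				   "malformed request: "
				   "enterprise name with %d name components",
				   principal->name.name_string.len);
	    goto out;
	}
	ret = krb5_parse_name(context, principal->name.name_string.val[0],
			      &enterprise_principal);
	if (ret)
	    goto out;
    }

    for (i = 0; i < config->num_db; i++) {
	HDB *curdb = config->db[i];
	krb5_const_principal princ = principal;

	/* Backends without native enterprise-name support get the parsed form. */
	if (enterprise_principal != NULL
	    && !(curdb->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL))
	    princ = enterprise_principal;

	ret = curdb->hdb_open(context, curdb, O_RDONLY, 0);
	if (ret) {
	    const char *msg = krb5_get_error_message(context, ret);
	    kdc_log(context, config, 0, "Failed to open database: %s", msg);
	    krb5_free_error_message(context, msg);
	    continue;		/* an unopenable backend is skipped, not fatal */
	}

	ret = curdb->hdb_fetch_kvno(context, curdb, princ,
				    flags | HDB_F_DECRYPT, kvno, ent);
	curdb->hdb_close(context, curdb);

	if (ret == 0) {
	    if (db)
		*db = curdb;
	    *h = ent;
	    ent = NULL;		/* ownership passed to the caller */
	    break;
	}
    }

    if (ret != 0)
	krb5_set_error_message(context, ret, "no such entry found in hdb");

out:
    /* Both are NULL-safe: the original code freed a NULL enterprise name too. */
    krb5_free_principal(context, enterprise_principal);
    free(ent);
    return ret;
}

/*
 * Release an entry returned by _kdc_db_fetch: the entry contents, then the
 * heap cell holding them.
 */
void
_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
{
    hdb_free_entry(context, ent);
    free(ent);
}

/*
 * Choose the key of entry `h` to use.
 *
 * With config->use_strongest_server_key set, walk the library's enctype
 * preference list (krb5_kerberos_enctypes, terminated by ETYPE_NULL) and take
 * the first enctype that is valid in this context and present in the entry.
 * Otherwise take the first valid key in the entry's own key-list order, i.e.
 * whatever order the backend stored them in.
 *
 * name:    only used in the error message.
 * enctype: if non-NULL, receives the chosen key's enctype.
 * key:     receives the chosen key on success.  Note that in the
 *          use_strongest_server_key path it is left untouched on failure,
 *          while the other path resets it to NULL first.
 *
 * Returns 0 on success, EINVAL when no usable key exists.
 */
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
		       krb5_kdc_configuration *config,
		       hdb_entry_ex *h,
		       const char *name,
		       krb5_enctype *enctype,
		       Key **key)
{
    size_t i;

    if (config->use_strongest_server_key) {
	const krb5_enctype *pref = krb5_kerberos_enctypes(context);

	for (i = 0; pref[i] != ETYPE_NULL; i++) {
	    if (krb5_enctype_valid(context, pref[i]) != 0)
		continue;
	    if (hdb_enctype2key(context, &h->entry, pref[i], key) != 0)
		continue;
	    if (enctype != NULL)
		*enctype = pref[i];
	    return 0;
	}
    } else {
	*key = NULL;

	for (i = 0; i < h->entry.keys.len; i++) {
	    krb5_enctype et = h->entry.keys.val[i].key.keytype;

	    if (krb5_enctype_valid(context, et) != 0)
		continue;
	    if (hdb_enctype2key(context, &h->entry, et, key) != 0)
		continue;
	    if (enctype != NULL)
		*enctype = (*key)->key.keytype;
	    return 0;
	}
    }

    krb5_set_error_message(context, EINVAL,
			   "No valid kerberos key found for %s", name);
    return EINVAL; /* XXX no dedicated error code for "no usable key" */
}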