1b528cefcSMark Murray /*
2*ae771770SStanislav Sedov * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3b528cefcSMark Murray * (Royal Institute of Technology, Stockholm, Sweden).
4b528cefcSMark Murray * All rights reserved.
5b528cefcSMark Murray *
6b528cefcSMark Murray * Redistribution and use in source and binary forms, with or without
7b528cefcSMark Murray * modification, are permitted provided that the following conditions
8b528cefcSMark Murray * are met:
9b528cefcSMark Murray *
10b528cefcSMark Murray * 1. Redistributions of source code must retain the above copyright
11b528cefcSMark Murray * notice, this list of conditions and the following disclaimer.
12b528cefcSMark Murray *
13b528cefcSMark Murray * 2. Redistributions in binary form must reproduce the above copyright
14b528cefcSMark Murray * notice, this list of conditions and the following disclaimer in the
15b528cefcSMark Murray * documentation and/or other materials provided with the distribution.
16b528cefcSMark Murray *
17b528cefcSMark Murray * 3. Neither the name of the Institute nor the names of its contributors
18b528cefcSMark Murray * may be used to endorse or promote products derived from this software
19b528cefcSMark Murray * without specific prior written permission.
20b528cefcSMark Murray *
21b528cefcSMark Murray * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22b528cefcSMark Murray * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23b528cefcSMark Murray * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24b528cefcSMark Murray * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25b528cefcSMark Murray * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26b528cefcSMark Murray * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27b528cefcSMark Murray * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28b528cefcSMark Murray * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29b528cefcSMark Murray * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30b528cefcSMark Murray * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31b528cefcSMark Murray * SUCH DAMAGE.
32b528cefcSMark Murray */
33b528cefcSMark Murray
34b528cefcSMark Murray #include "hdb_locl.h"
35b528cefcSMark Murray
36b528cefcSMark Murray int
hdb_principal2key(krb5_context context,krb5_const_principal p,krb5_data * key)37c19800e8SDoug Rabson hdb_principal2key(krb5_context context, krb5_const_principal p, krb5_data *key)
38b528cefcSMark Murray {
39b528cefcSMark Murray Principal new;
40*ae771770SStanislav Sedov size_t len = 0;
41b528cefcSMark Murray int ret;
42b528cefcSMark Murray
43b528cefcSMark Murray ret = copy_Principal(p, &new);
44b528cefcSMark Murray if(ret)
450cadf2f4SJacques Vidrine return ret;
46b528cefcSMark Murray new.name.name_type = 0;
470cadf2f4SJacques Vidrine
480cadf2f4SJacques Vidrine ASN1_MALLOC_ENCODE(Principal, key->data, key->length, &new, &len, ret);
49c19800e8SDoug Rabson if (ret == 0 && key->length != len)
50c19800e8SDoug Rabson krb5_abortx(context, "internal asn.1 encoder error");
51b528cefcSMark Murray free_Principal(&new);
52b528cefcSMark Murray return ret;
53b528cefcSMark Murray }
54b528cefcSMark Murray
55b528cefcSMark Murray int
hdb_key2principal(krb5_context context,krb5_data * key,krb5_principal p)56b528cefcSMark Murray hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
57b528cefcSMark Murray {
58b528cefcSMark Murray return decode_Principal(key->data, key->length, p, NULL);
59b528cefcSMark Murray }
60b528cefcSMark Murray
61b528cefcSMark Murray int
hdb_entry2value(krb5_context context,const hdb_entry * ent,krb5_data * value)62c19800e8SDoug Rabson hdb_entry2value(krb5_context context, const hdb_entry *ent, krb5_data *value)
63b528cefcSMark Murray {
64*ae771770SStanislav Sedov size_t len = 0;
65b528cefcSMark Murray int ret;
66b528cefcSMark Murray
670cadf2f4SJacques Vidrine ASN1_MALLOC_ENCODE(hdb_entry, value->data, value->length, ent, &len, ret);
68c19800e8SDoug Rabson if (ret == 0 && value->length != len)
69c19800e8SDoug Rabson krb5_abortx(context, "internal asn.1 encoder error");
70b528cefcSMark Murray return ret;
71b528cefcSMark Murray }
72b528cefcSMark Murray
73b528cefcSMark Murray int
hdb_value2entry(krb5_context context,krb5_data * value,hdb_entry * ent)74b528cefcSMark Murray hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
75b528cefcSMark Murray {
76b528cefcSMark Murray return decode_hdb_entry(value->data, value->length, ent, NULL);
77b528cefcSMark Murray }
78b528cefcSMark Murray
79c19800e8SDoug Rabson int
hdb_entry_alias2value(krb5_context context,const hdb_entry_alias * alias,krb5_data * value)80c19800e8SDoug Rabson hdb_entry_alias2value(krb5_context context,
81c19800e8SDoug Rabson const hdb_entry_alias *alias,
82c19800e8SDoug Rabson krb5_data *value)
83c19800e8SDoug Rabson {
84*ae771770SStanislav Sedov size_t len = 0;
85c19800e8SDoug Rabson int ret;
86c19800e8SDoug Rabson
87c19800e8SDoug Rabson ASN1_MALLOC_ENCODE(hdb_entry_alias, value->data, value->length,
88c19800e8SDoug Rabson alias, &len, ret);
89c19800e8SDoug Rabson if (ret == 0 && value->length != len)
90c19800e8SDoug Rabson krb5_abortx(context, "internal asn.1 encoder error");
91c19800e8SDoug Rabson return ret;
92c19800e8SDoug Rabson }
93c19800e8SDoug Rabson
94c19800e8SDoug Rabson int
hdb_value2entry_alias(krb5_context context,krb5_data * value,hdb_entry_alias * ent)95c19800e8SDoug Rabson hdb_value2entry_alias(krb5_context context, krb5_data *value,
96c19800e8SDoug Rabson hdb_entry_alias *ent)
97c19800e8SDoug Rabson {
98c19800e8SDoug Rabson return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
99c19800e8SDoug Rabson }
100c19800e8SDoug Rabson
101b528cefcSMark Murray krb5_error_code
_hdb_fetch_kvno(krb5_context context,HDB * db,krb5_const_principal principal,unsigned flags,krb5_kvno kvno,hdb_entry_ex * entry)102*ae771770SStanislav Sedov _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
103*ae771770SStanislav Sedov unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
104b528cefcSMark Murray {
105*ae771770SStanislav Sedov krb5_principal enterprise_principal = NULL;
106b528cefcSMark Murray krb5_data key, value;
107*ae771770SStanislav Sedov krb5_error_code ret;
108bbd80c28SJacques Vidrine int code;
109b528cefcSMark Murray
110*ae771770SStanislav Sedov if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
111*ae771770SStanislav Sedov if (principal->name.name_string.len != 1) {
112*ae771770SStanislav Sedov ret = KRB5_PARSE_MALFORMED;
113*ae771770SStanislav Sedov krb5_set_error_message(context, ret, "malformed principal: "
114*ae771770SStanislav Sedov "enterprise name with %d name components",
115*ae771770SStanislav Sedov principal->name.name_string.len);
116*ae771770SStanislav Sedov return ret;
117*ae771770SStanislav Sedov }
118*ae771770SStanislav Sedov ret = krb5_parse_name(context, principal->name.name_string.val[0],
119*ae771770SStanislav Sedov &enterprise_principal);
120*ae771770SStanislav Sedov if (ret)
121*ae771770SStanislav Sedov return ret;
122*ae771770SStanislav Sedov principal = enterprise_principal;
123*ae771770SStanislav Sedov }
124*ae771770SStanislav Sedov
125c19800e8SDoug Rabson hdb_principal2key(context, principal, &key);
126*ae771770SStanislav Sedov if (enterprise_principal)
127*ae771770SStanislav Sedov krb5_free_principal(context, enterprise_principal);
128c19800e8SDoug Rabson code = db->hdb__get(context, db, key, &value);
129b528cefcSMark Murray krb5_data_free(&key);
130b528cefcSMark Murray if(code)
131b528cefcSMark Murray return code;
132c19800e8SDoug Rabson code = hdb_value2entry(context, &value, &entry->entry);
133c19800e8SDoug Rabson if (code == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
134bbd80c28SJacques Vidrine krb5_data_free(&value);
135c19800e8SDoug Rabson return HDB_ERR_NOENTRY;
136c19800e8SDoug Rabson } else if (code == ASN1_BAD_ID) {
137c19800e8SDoug Rabson hdb_entry_alias alias;
138c19800e8SDoug Rabson
139c19800e8SDoug Rabson code = hdb_value2entry_alias(context, &value, &alias);
140c19800e8SDoug Rabson if (code) {
141c19800e8SDoug Rabson krb5_data_free(&value);
142c19800e8SDoug Rabson return code;
143c19800e8SDoug Rabson }
144c19800e8SDoug Rabson hdb_principal2key(context, alias.principal, &key);
145c19800e8SDoug Rabson krb5_data_free(&value);
146c19800e8SDoug Rabson free_hdb_entry_alias(&alias);
147c19800e8SDoug Rabson
148c19800e8SDoug Rabson code = db->hdb__get(context, db, key, &value);
149c19800e8SDoug Rabson krb5_data_free(&key);
150bbd80c28SJacques Vidrine if (code)
151bbd80c28SJacques Vidrine return code;
152c19800e8SDoug Rabson code = hdb_value2entry(context, &value, &entry->entry);
153c19800e8SDoug Rabson if (code) {
154c19800e8SDoug Rabson krb5_data_free(&value);
155c19800e8SDoug Rabson return code;
156c19800e8SDoug Rabson }
157c19800e8SDoug Rabson }
158c19800e8SDoug Rabson krb5_data_free(&value);
159c19800e8SDoug Rabson if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
160c19800e8SDoug Rabson code = hdb_unseal_keys (context, db, &entry->entry);
1615e9cd1aeSAssar Westerlund if (code)
1625e9cd1aeSAssar Westerlund hdb_free_entry(context, entry);
1635e9cd1aeSAssar Westerlund }
1645e9cd1aeSAssar Westerlund return code;
165b528cefcSMark Murray }
166b528cefcSMark Murray
167c19800e8SDoug Rabson static krb5_error_code
hdb_remove_aliases(krb5_context context,HDB * db,krb5_data * key)168c19800e8SDoug Rabson hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
169b528cefcSMark Murray {
170c19800e8SDoug Rabson const HDB_Ext_Aliases *aliases;
171c19800e8SDoug Rabson krb5_error_code code;
172c19800e8SDoug Rabson hdb_entry oldentry;
173c19800e8SDoug Rabson krb5_data value;
174*ae771770SStanislav Sedov size_t i;
175b528cefcSMark Murray
176c19800e8SDoug Rabson code = db->hdb__get(context, db, *key, &value);
177c19800e8SDoug Rabson if (code == HDB_ERR_NOENTRY)
178c19800e8SDoug Rabson return 0;
179c19800e8SDoug Rabson else if (code)
180c19800e8SDoug Rabson return code;
181c19800e8SDoug Rabson
182c19800e8SDoug Rabson code = hdb_value2entry(context, &value, &oldentry);
183c19800e8SDoug Rabson krb5_data_free(&value);
184c19800e8SDoug Rabson if (code)
185c19800e8SDoug Rabson return code;
186c19800e8SDoug Rabson
187c19800e8SDoug Rabson code = hdb_entry_get_aliases(&oldentry, &aliases);
188c19800e8SDoug Rabson if (code || aliases == NULL) {
189c19800e8SDoug Rabson free_hdb_entry(&oldentry);
190c19800e8SDoug Rabson return code;
1914137ff4cSJacques Vidrine }
192c19800e8SDoug Rabson for (i = 0; i < aliases->aliases.len; i++) {
193c19800e8SDoug Rabson krb5_data akey;
194c19800e8SDoug Rabson
195c19800e8SDoug Rabson hdb_principal2key(context, &aliases->aliases.val[i], &akey);
196c19800e8SDoug Rabson code = db->hdb__del(context, db, akey);
197c19800e8SDoug Rabson krb5_data_free(&akey);
198c19800e8SDoug Rabson if (code) {
199c19800e8SDoug Rabson free_hdb_entry(&oldentry);
200c19800e8SDoug Rabson return code;
201c19800e8SDoug Rabson }
202c19800e8SDoug Rabson }
203c19800e8SDoug Rabson free_hdb_entry(&oldentry);
204c19800e8SDoug Rabson return 0;
205c19800e8SDoug Rabson }
206c19800e8SDoug Rabson
207c19800e8SDoug Rabson static krb5_error_code
hdb_add_aliases(krb5_context context,HDB * db,unsigned flags,hdb_entry_ex * entry)208c19800e8SDoug Rabson hdb_add_aliases(krb5_context context, HDB *db,
209c19800e8SDoug Rabson unsigned flags, hdb_entry_ex *entry)
210c19800e8SDoug Rabson {
211c19800e8SDoug Rabson const HDB_Ext_Aliases *aliases;
212c19800e8SDoug Rabson krb5_error_code code;
213c19800e8SDoug Rabson krb5_data key, value;
214*ae771770SStanislav Sedov size_t i;
215c19800e8SDoug Rabson
216c19800e8SDoug Rabson code = hdb_entry_get_aliases(&entry->entry, &aliases);
217c19800e8SDoug Rabson if (code || aliases == NULL)
218c19800e8SDoug Rabson return code;
219c19800e8SDoug Rabson
220c19800e8SDoug Rabson for (i = 0; i < aliases->aliases.len; i++) {
221c19800e8SDoug Rabson hdb_entry_alias entryalias;
222c19800e8SDoug Rabson entryalias.principal = entry->entry.principal;
223c19800e8SDoug Rabson
224c19800e8SDoug Rabson hdb_principal2key(context, &aliases->aliases.val[i], &key);
225c19800e8SDoug Rabson code = hdb_entry_alias2value(context, &entryalias, &value);
2265e9cd1aeSAssar Westerlund if (code) {
2275e9cd1aeSAssar Westerlund krb5_data_free(&key);
2285e9cd1aeSAssar Westerlund return code;
2295e9cd1aeSAssar Westerlund }
230c19800e8SDoug Rabson code = db->hdb__put(context, db, flags, key, value);
231c19800e8SDoug Rabson krb5_data_free(&key);
232b528cefcSMark Murray krb5_data_free(&value);
233c19800e8SDoug Rabson if (code)
234c19800e8SDoug Rabson return code;
235c19800e8SDoug Rabson }
236c19800e8SDoug Rabson return 0;
237c19800e8SDoug Rabson }
238c19800e8SDoug Rabson
239*ae771770SStanislav Sedov static krb5_error_code
hdb_check_aliases(krb5_context context,HDB * db,hdb_entry_ex * entry)240*ae771770SStanislav Sedov hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
241*ae771770SStanislav Sedov {
242*ae771770SStanislav Sedov const HDB_Ext_Aliases *aliases;
243*ae771770SStanislav Sedov int code;
244*ae771770SStanislav Sedov size_t i;
245*ae771770SStanislav Sedov
246*ae771770SStanislav Sedov /* check if new aliases already is used */
247*ae771770SStanislav Sedov
248*ae771770SStanislav Sedov code = hdb_entry_get_aliases(&entry->entry, &aliases);
249*ae771770SStanislav Sedov if (code)
250*ae771770SStanislav Sedov return code;
251*ae771770SStanislav Sedov
252*ae771770SStanislav Sedov for (i = 0; aliases && i < aliases->aliases.len; i++) {
253*ae771770SStanislav Sedov hdb_entry_alias alias;
254*ae771770SStanislav Sedov krb5_data akey, value;
255*ae771770SStanislav Sedov
256*ae771770SStanislav Sedov hdb_principal2key(context, &aliases->aliases.val[i], &akey);
257*ae771770SStanislav Sedov code = db->hdb__get(context, db, akey, &value);
258*ae771770SStanislav Sedov krb5_data_free(&akey);
259*ae771770SStanislav Sedov if (code == HDB_ERR_NOENTRY)
260*ae771770SStanislav Sedov continue;
261*ae771770SStanislav Sedov else if (code)
262*ae771770SStanislav Sedov return code;
263*ae771770SStanislav Sedov
264*ae771770SStanislav Sedov code = hdb_value2entry_alias(context, &value, &alias);
265*ae771770SStanislav Sedov krb5_data_free(&value);
266*ae771770SStanislav Sedov
267*ae771770SStanislav Sedov if (code == ASN1_BAD_ID)
268*ae771770SStanislav Sedov return HDB_ERR_EXISTS;
269*ae771770SStanislav Sedov else if (code)
270*ae771770SStanislav Sedov return code;
271*ae771770SStanislav Sedov
272*ae771770SStanislav Sedov code = krb5_principal_compare(context, alias.principal,
273*ae771770SStanislav Sedov entry->entry.principal);
274*ae771770SStanislav Sedov free_hdb_entry_alias(&alias);
275*ae771770SStanislav Sedov if (code == 0)
276*ae771770SStanislav Sedov return HDB_ERR_EXISTS;
277*ae771770SStanislav Sedov }
278*ae771770SStanislav Sedov return 0;
279*ae771770SStanislav Sedov }
280*ae771770SStanislav Sedov
281c19800e8SDoug Rabson krb5_error_code
_hdb_store(krb5_context context,HDB * db,unsigned flags,hdb_entry_ex * entry)282c19800e8SDoug Rabson _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
283c19800e8SDoug Rabson {
284c19800e8SDoug Rabson krb5_data key, value;
285c19800e8SDoug Rabson int code;
286c19800e8SDoug Rabson
287*ae771770SStanislav Sedov /* check if new aliases already is used */
288*ae771770SStanislav Sedov code = hdb_check_aliases(context, db, entry);
289*ae771770SStanislav Sedov if (code)
290*ae771770SStanislav Sedov return code;
291*ae771770SStanislav Sedov
292c19800e8SDoug Rabson if(entry->entry.generation == NULL) {
293c19800e8SDoug Rabson struct timeval t;
294c19800e8SDoug Rabson entry->entry.generation = malloc(sizeof(*entry->entry.generation));
295c19800e8SDoug Rabson if(entry->entry.generation == NULL) {
296*ae771770SStanislav Sedov krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
297c19800e8SDoug Rabson return ENOMEM;
298c19800e8SDoug Rabson }
299c19800e8SDoug Rabson gettimeofday(&t, NULL);
300c19800e8SDoug Rabson entry->entry.generation->time = t.tv_sec;
301c19800e8SDoug Rabson entry->entry.generation->usec = t.tv_usec;
302c19800e8SDoug Rabson entry->entry.generation->gen = 0;
303c19800e8SDoug Rabson } else
304c19800e8SDoug Rabson entry->entry.generation->gen++;
305*ae771770SStanislav Sedov
306c19800e8SDoug Rabson code = hdb_seal_keys(context, db, &entry->entry);
307*ae771770SStanislav Sedov if (code)
308b528cefcSMark Murray return code;
309*ae771770SStanislav Sedov
310*ae771770SStanislav Sedov hdb_principal2key(context, entry->entry.principal, &key);
311b528cefcSMark Murray
312c19800e8SDoug Rabson /* remove aliases */
313c19800e8SDoug Rabson code = hdb_remove_aliases(context, db, &key);
314c19800e8SDoug Rabson if (code) {
315c19800e8SDoug Rabson krb5_data_free(&key);
316c19800e8SDoug Rabson return code;
317c19800e8SDoug Rabson }
318c19800e8SDoug Rabson hdb_entry2value(context, &entry->entry, &value);
319c19800e8SDoug Rabson code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
320c19800e8SDoug Rabson krb5_data_free(&value);
321c19800e8SDoug Rabson krb5_data_free(&key);
322c19800e8SDoug Rabson if (code)
323c19800e8SDoug Rabson return code;
324c19800e8SDoug Rabson
325c19800e8SDoug Rabson code = hdb_add_aliases(context, db, flags, entry);
326c19800e8SDoug Rabson
327c19800e8SDoug Rabson return code;
328c19800e8SDoug Rabson }
329c19800e8SDoug Rabson
330b528cefcSMark Murray krb5_error_code
_hdb_remove(krb5_context context,HDB * db,krb5_const_principal principal)331c19800e8SDoug Rabson _hdb_remove(krb5_context context, HDB *db, krb5_const_principal principal)
332b528cefcSMark Murray {
333b528cefcSMark Murray krb5_data key;
334b528cefcSMark Murray int code;
335b528cefcSMark Murray
336c19800e8SDoug Rabson hdb_principal2key(context, principal, &key);
337c19800e8SDoug Rabson
338c19800e8SDoug Rabson code = hdb_remove_aliases(context, db, &key);
339c19800e8SDoug Rabson if (code) {
340c19800e8SDoug Rabson krb5_data_free(&key);
341c19800e8SDoug Rabson return code;
342c19800e8SDoug Rabson }
343c19800e8SDoug Rabson code = db->hdb__del(context, db, key);
344b528cefcSMark Murray krb5_data_free(&key);
345b528cefcSMark Murray return code;
346b528cefcSMark Murray }
347b528cefcSMark Murray
348