2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
39 add_tl_data(kadm5_principal_ent_t ent
, int16_t type
,
40 const void *data
, size_t size
)
44 tl
= calloc(1, sizeof(*tl
));
46 return _kadm5_error_code(ENOMEM
);
48 tl
->tl_data_type
= type
;
49 tl
->tl_data_length
= size
;
50 tl
->tl_data_contents
= malloc(size
);
51 if (tl
->tl_data_contents
== NULL
) {
53 return _kadm5_error_code(ENOMEM
);
55 memcpy(tl
->tl_data_contents
, data
, size
);
57 tl
->tl_data_next
= ent
->tl_data
;
64 krb5_ssize_t KRB5_LIB_FUNCTION
65 _krb5_put_int(void *buffer
, unsigned long value
, size_t size
); /* XXX */
68 kadm5_s_get_principal(void *server_handle
,
70 kadm5_principal_ent_t out
,
73 kadm5_server_context
*context
= server_handle
;
77 memset(&ent
, 0, sizeof(ent
));
78 ret
= context
->db
->hdb_open(context
->context
, context
->db
, O_RDONLY
, 0);
81 ret
= context
->db
->hdb_fetch(context
->context
, context
->db
, princ
,
82 HDB_F_DECRYPT
|HDB_F_GET_ANY
, &ent
);
83 context
->db
->hdb_close(context
->context
, context
->db
);
85 return _kadm5_error_code(ret
);
87 memset(out
, 0, sizeof(*out
));
88 if(mask
& KADM5_PRINCIPAL
)
89 ret
= krb5_copy_principal(context
->context
, ent
.entry
.principal
,
93 if(mask
& KADM5_PRINC_EXPIRE_TIME
&& ent
.entry
.valid_end
)
94 out
->princ_expire_time
= *ent
.entry
.valid_end
;
95 if(mask
& KADM5_PW_EXPIRATION
&& ent
.entry
.pw_end
)
96 out
->pw_expiration
= *ent
.entry
.pw_end
;
97 if(mask
& KADM5_LAST_PWD_CHANGE
)
98 hdb_entry_get_pw_change_time(&ent
.entry
, &out
->last_pwd_change
);
99 if(mask
& KADM5_ATTRIBUTES
){
100 out
->attributes
|= ent
.entry
.flags
.postdate
? 0 : KRB5_KDB_DISALLOW_POSTDATED
;
101 out
->attributes
|= ent
.entry
.flags
.forwardable
? 0 : KRB5_KDB_DISALLOW_FORWARDABLE
;
102 out
->attributes
|= ent
.entry
.flags
.initial
? KRB5_KDB_DISALLOW_TGT_BASED
: 0;
103 out
->attributes
|= ent
.entry
.flags
.renewable
? 0 : KRB5_KDB_DISALLOW_RENEWABLE
;
104 out
->attributes
|= ent
.entry
.flags
.proxiable
? 0 : KRB5_KDB_DISALLOW_PROXIABLE
;
105 out
->attributes
|= ent
.entry
.flags
.invalid
? KRB5_KDB_DISALLOW_ALL_TIX
: 0;
106 out
->attributes
|= ent
.entry
.flags
.require_preauth
? KRB5_KDB_REQUIRES_PRE_AUTH
: 0;
107 out
->attributes
|= ent
.entry
.flags
.server
? 0 : KRB5_KDB_DISALLOW_SVR
;
108 out
->attributes
|= ent
.entry
.flags
.change_pw
? KRB5_KDB_PWCHANGE_SERVICE
: 0;
109 out
->attributes
|= ent
.entry
.flags
.ok_as_delegate
? KRB5_KDB_OK_AS_DELEGATE
: 0;
110 out
->attributes
|= ent
.entry
.flags
.trusted_for_delegation
? KRB5_KDB_TRUSTED_FOR_DELEGATION
: 0;
111 out
->attributes
|= ent
.entry
.flags
.allow_kerberos4
? KRB5_KDB_ALLOW_KERBEROS4
: 0;
112 out
->attributes
|= ent
.entry
.flags
.allow_digest
? KRB5_KDB_ALLOW_DIGEST
: 0;
114 if(mask
& KADM5_MAX_LIFE
) {
115 if(ent
.entry
.max_life
)
116 out
->max_life
= *ent
.entry
.max_life
;
118 out
->max_life
= INT_MAX
;
120 if(mask
& KADM5_MOD_TIME
) {
121 if(ent
.entry
.modified_by
)
122 out
->mod_date
= ent
.entry
.modified_by
->time
;
124 out
->mod_date
= ent
.entry
.created_by
.time
;
126 if(mask
& KADM5_MOD_NAME
) {
127 if(ent
.entry
.modified_by
) {
128 if (ent
.entry
.modified_by
->principal
!= NULL
)
129 ret
= krb5_copy_principal(context
->context
,
130 ent
.entry
.modified_by
->principal
,
132 } else if(ent
.entry
.created_by
.principal
!= NULL
)
133 ret
= krb5_copy_principal(context
->context
,
134 ent
.entry
.created_by
.principal
,
137 out
->mod_name
= NULL
;
142 if(mask
& KADM5_KVNO
)
143 out
->kvno
= ent
.entry
.kvno
;
144 if(mask
& KADM5_MKVNO
) {
146 out
->mkvno
= 0; /* XXX */
147 for(n
= 0; n
< ent
.entry
.keys
.len
; n
++)
148 if(ent
.entry
.keys
.val
[n
].mkvno
) {
149 out
->mkvno
= *ent
.entry
.keys
.val
[n
].mkvno
; /* XXX this isn't right */
153 if(mask
& KADM5_AUX_ATTRIBUTES
)
155 if(mask
& KADM5_POLICY
)
157 if(mask
& KADM5_MAX_RLIFE
) {
158 if(ent
.entry
.max_renew
)
159 out
->max_renewable_life
= *ent
.entry
.max_renew
;
161 out
->max_renewable_life
= INT_MAX
;
163 if(mask
& KADM5_LAST_SUCCESS
)
165 if(mask
& KADM5_LAST_FAILED
)
167 if(mask
& KADM5_FAIL_AUTH_COUNT
)
169 if(mask
& KADM5_KEY_DATA
){
175 krb5_get_pw_salt(context
->context
, ent
.entry
.principal
, &salt
);
176 out
->key_data
= malloc(ent
.entry
.keys
.len
* sizeof(*out
->key_data
));
177 if (out
->key_data
== NULL
) {
181 for(i
= 0; i
< ent
.entry
.keys
.len
; i
++){
182 key
= &ent
.entry
.keys
.val
[i
];
183 kd
= &out
->key_data
[i
];
184 kd
->key_data_ver
= 2;
185 kd
->key_data_kvno
= ent
.entry
.kvno
;
186 kd
->key_data_type
[0] = key
->key
.keytype
;
188 kd
->key_data_type
[1] = key
->salt
->type
;
190 kd
->key_data_type
[1] = KRB5_PADATA_PW_SALT
;
192 kd
->key_data_length
[0] = key
->key
.keyvalue
.length
;
193 kd
->key_data_contents
[0] = malloc(kd
->key_data_length
[0]);
194 if(kd
->key_data_contents
[0] == NULL
){
198 memcpy(kd
->key_data_contents
[0], key
->key
.keyvalue
.data
,
199 kd
->key_data_length
[0]);
202 sp
= &key
->salt
->salt
;
204 sp
= &salt
.saltvalue
;
205 kd
->key_data_length
[1] = sp
->length
;
206 kd
->key_data_contents
[1] = malloc(kd
->key_data_length
[1]);
207 if(kd
->key_data_length
[1] != 0
208 && kd
->key_data_contents
[1] == NULL
) {
209 memset(kd
->key_data_contents
[0], 0, kd
->key_data_length
[0]);
213 memcpy(kd
->key_data_contents
[1], sp
->data
, kd
->key_data_length
[1]);
214 out
->n_key_data
= i
+ 1;
216 krb5_free_salt(context
->context
, salt
);
219 kadm5_free_principal_ent(context
, out
);
222 if(mask
& KADM5_TL_DATA
) {
223 time_t last_pw_expire
;
224 const HDB_Ext_Aliases
*aliases
;
226 ret
= hdb_entry_get_pw_change_time(&ent
.entry
, &last_pw_expire
);
227 if (ret
== 0 && last_pw_expire
) {
228 unsigned char buf
[4];
229 _krb5_put_int(buf
, last_pw_expire
, sizeof(buf
));
230 ret
= add_tl_data(out
, KRB5_TL_LAST_PWD_CHANGE
, buf
, sizeof(buf
));
233 kadm5_free_principal_ent(context
, out
);
237 * If the client was allowed to get key data, let it have the
240 if(mask
& KADM5_KEY_DATA
) {
243 ret
= hdb_entry_get_password(context
->context
,
244 context
->db
, &ent
.entry
, &pw
);
246 ret
= add_tl_data(out
, KRB5_TL_PASSWORD
, pw
, strlen(pw
) + 1);
249 krb5_clear_error_string(context
->context
);
253 ret
= hdb_entry_get_aliases(&ent
.entry
, &aliases
);
254 if (ret
== 0 && aliases
) {
258 ASN1_MALLOC_ENCODE(HDB_Ext_Aliases
, buf
.data
, buf
.length
,
261 kadm5_free_principal_ent(context
, out
);
264 if (len
!= buf
.length
)
265 krb5_abortx(context
->context
,
266 "internal ASN.1 encoder error");
267 ret
= add_tl_data(out
, KRB5_TL_ALIASES
, buf
.data
, buf
.length
);
270 kadm5_free_principal_ent(context
, out
);
275 kadm5_free_principal_ent(context
, out
);
281 hdb_free_entry(context
->context
, &ent
);
283 return _kadm5_error_code(ret
);