source/heimdal/lib/hdb/ext.c

   1 /*
   2  * Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "hdb_locl.h"
  35 #include <der.h>
  36
  37 RCSID("$Id: ext.c,v 1.1 2005/08/11 20:49:31 lha Exp $");
  38
  39 krb5_error_code
  40 hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
  41 {
  42     int i;
  43
  44     if (ent->extensions == NULL)
  45         return 0;
  46
  47     /*
  48      * check for unknown extensions and if they where tagged mandatory
  49      */
  50
  51     for (i = 0; i < ent->extensions->len; i++) {
  52         if (ent->extensions->val[i].data.element !=
  53             choice_HDB_extension_data_asn1_ellipsis)
  54             continue;
  55         if (ent->extensions->val[i].mandatory) {
  56             krb5_set_error_string(context,  "Principal have unknown "
  57                                   "mandatory extension");
  58             return HDB_ERR_MANDATORY_OPTION;
  59         }
  60     }
  61     return 0;
  62 }
  63
  64 HDB_extension *
  65 hdb_find_extension(const hdb_entry *entry, int type)
  66 {
  67     int i;
  68
  69     if (entry->extensions == NULL)
  70         return NULL;
  71
  72     for (i = 0; i < entry->extensions->len; i++)
  73         if (entry->extensions->val[i].data.element == type)
  74             return &entry->extensions->val[i];
  75     return NULL;
  76 }
  77
  78 /*
  79  * Replace the extension `ext' in `entry'. Make a copy of the
  80  * extension, so the caller must still free `ext' on both success and
  81  * failure. Returns 0 or error code.
  82  */
  83
  84 krb5_error_code
  85 hdb_replace_extension(krb5_context context,
  86                       hdb_entry *entry,
  87                       const HDB_extension *ext)
  88 {
  89     HDB_extension *ext2;
  90     HDB_extension *es;
  91     int ret;
  92
  93     ext2 = NULL;
  94
  95     if (entry->extensions == NULL) {
  96         entry->extensions = calloc(1, sizeof(*entry->extensions));
  97         if (entry->extensions == NULL) {
  98             krb5_set_error_string(context, "malloc: out of memory");
  99             return ENOMEM;
 100         }
 101     } else if (ext->data.element != choice_HDB_extension_data_asn1_ellipsis) {
 102         ext2 = hdb_find_extension(entry, ext->data.element);
 103     } else {
 104         /*
 105          * This is an unknown extention, and we are asked to replace a
 106          * possible entry in `entry' that is of the same type. This
 107          * might seem impossible, but ASN.1 CHOICE comes to our
 108          * rescue. The first tag in each branch in the CHOICE is
 109          * unique, so just find the element in the list that have the
 110          * same tag was we are putting into the list.
 111          */
 112         Der_class replace_class, list_class;
 113         Der_type replace_type, list_type;
 114         unsigned int replace_tag, list_tag;
 115         size_t size;
 116         int i;
 117
 118         ret = der_get_tag(ext->data.u.asn1_ellipsis.data,
 119                           ext->data.u.asn1_ellipsis.length,
 120                           &replace_class, &replace_type, &replace_tag,
 121                           &size);
 122         if (ret) {
 123             krb5_set_error_string(context, "hdb: failed to decode "
 124                                   "replacement hdb extention");
 125             return ret;
 126         }
 127
 128         for (i = 0; i < entry->extensions->len; i++) {
 129             HDB_extension *ext3 = &entry->extensions->val[i];
 130
 131             if (ext3->data.element != choice_HDB_extension_data_asn1_ellipsis)
 132                 continue;
 133
 134             ret = der_get_tag(ext3->data.u.asn1_ellipsis.data,
 135                               ext3->data.u.asn1_ellipsis.length,
 136                               &list_class, &list_type, &list_tag,
 137                               &size);
 138             if (ret) {
 139                 krb5_set_error_string(context, "hdb: failed to decode "
 140                                       "present hdb extention");
 141                 return ret;
 142             }
 143
 144             if (MAKE_TAG(replace_class,replace_type,replace_type) ==
 145                 MAKE_TAG(list_class,list_type,list_type)) {
 146                 ext2 = ext3;
 147                 break;
 148             }
 149         }
 150     }
 151
 152     if (ext2) {
 153         free_HDB_extension(ext2);
 154         ret = copy_HDB_extension(ext, ext2);
 155         if (ret)
 156             krb5_set_error_string(context, "hdb: failed to copy replacement "
 157                                   "hdb extention");
 158         return ret;
 159     }
 160
 161     es = realloc(entry->extensions->val,
 162                  (entry->extensions->len+1)*sizeof(entry->extensions->val[0]));
 163     if (es == NULL) {
 164         krb5_set_error_string(context, "malloc: out of memory");
 165         return ENOMEM;
 166     }
 167     entry->extensions->val = es;
 168
 169     ret = copy_HDB_extension(ext,
 170                              &entry->extensions->val[entry->extensions->len]);
 171     if (ret == 0) {
 172         entry->extensions->len++;
 173         krb5_set_error_string(context, "hdb: failed to copy new extension");
 174     }
 175
 176     return ret;
 177 }
 178
 179 krb5_error_code
 180 hdb_clear_extension(krb5_context context,
 181                     hdb_entry *entry,
 182                     int type)
 183 {
 184     int i;
 185
 186     if (entry->extensions == NULL)
 187         return 0;
 188
 189     for (i = 0; i < entry->extensions->len; i++) {
 190         if (entry->extensions->val[i].data.element == type) {
 191             free_HDB_extension(&entry->extensions->val[i]);
 192             memmove(&entry->extensions->val[i],
 193                     &entry->extensions->val[i + 1],
 194                     sizeof(entry->extensions->val[i]) * (entry->extensions->len - i - 1));
 195             entry->extensions->len--;
 196         }
 197     }
 198     if (entry->extensions->len == 0) {
 199         free(entry->extensions->val);
 200         free(entry->extensions);
 201         entry->extensions = NULL;
 202     }
 203
 204     return 0;
 205 }
 206
 207
 208 krb5_error_code
 209 hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a)
 210 {
 211     const HDB_extension *ext;
 212
 213     ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_acl);
 214     if (ext)
 215         *a = &ext->data.u.pkinit_acl;
 216     else
 217         *a = NULL;
 218
 219     return 0;
 220 }
 221
 222 krb5_error_code
 223 hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t)
 224 {
 225     const HDB_extension *ext;
 226
 227     ext = hdb_find_extension(entry, choice_HDB_extension_data_last_pw_change);
 228     if (ext)
 229         *t = ext->data.u.last_pw_change;
 230     else
 231         *t = 0;
 232
 233     return 0;
 234 }
 235
 236 krb5_error_code
 237 hdb_entry_set_pw_change_time(krb5_context context,
 238                              hdb_entry *entry,
 239                              time_t t)
 240 {
 241     HDB_extension ext;
 242
 243     ext.mandatory = FALSE;
 244     ext.data.element = choice_HDB_extension_data_last_pw_change;
 245     if (t == 0)
 246         t = time(NULL);
 247     ext.data.u.last_pw_change = t;
 248
 249     return hdb_replace_extension(context, entry, &ext);
 250 }
 251
 252 int
 253 hdb_entry_get_password(krb5_context context, HDB *db,
 254                        const hdb_entry *entry, char **p)
 255 {
 256     HDB_extension *ext;
 257     int ret;
 258
 259     ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
 260     if (ext) {
 261         heim_utf8_string str;
 262         heim_octet_string pw;
 263
 264         if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
 265             hdb_master_key key;
 266
 267             key = _hdb_find_master_key(ext->data.u.password.mkvno,
 268                                        db->hdb_master_key);
 269
 270             if (key == NULL) {
 271                 krb5_set_error_string(context, "master key %d missing",
 272                                       *ext->data.u.password.mkvno);
 273                 return HDB_ERR_NO_MKEY;
 274             }
 275
 276             ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
 277                                     ext->data.u.password.password.data,
 278                                     ext->data.u.password.password.length,
 279                                     &pw);
 280         } else {
 281             ret = copy_octet_string(&ext->data.u.password.password, &pw);
 282         }
 283         if (ret) {
 284             krb5_clear_error_string(context);
 285             return ret;
 286         }
 287
 288         str = pw.data;
 289         if (str[pw.length - 1] != '\0') {
 290             krb5_set_error_string(context, "password malformated");
 291             return EINVAL;
 292         }
 293
 294         *p = strdup(str);
 295
 296         free_octet_string(&pw);
 297         if (*p == NULL) {
 298             krb5_set_error_string(context, "malloc: out of memory");
 299             return ENOMEM;
 300         }
 301         return 0;
 302     }
 303     krb5_set_error_string(context, "password attribute not found");
 304     return ENOENT;
 305 }
 306
 307 int
 308 hdb_entry_set_password(krb5_context context, HDB *db,
 309                        hdb_entry *entry, const char *p)
 310 {
 311     HDB_extension ext;
 312     hdb_master_key key;
 313     int ret;
 314
 315     ext.mandatory = FALSE;
 316     ext.data.element = choice_HDB_extension_data_password;
 317
 318     if (db->hdb_master_key_set) {
 319
 320         key = _hdb_find_master_key(NULL, db->hdb_master_key);
 321         if (key == NULL) {
 322             krb5_set_error_string(context, "hdb_entry_set_password: "
 323                                   "failed to find masterkey");
 324             return HDB_ERR_NO_MKEY;
 325         }
 326
 327         ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
 328                                 p, strlen(p) + 1,
 329                                 &ext.data.u.password.password);
 330         if (ret)
 331             return ret;
 332
 333         ext.data.u.password.mkvno =
 334             malloc(sizeof(*ext.data.u.password.mkvno));
 335         if (ext.data.u.password.mkvno == NULL) {
 336             free_HDB_extension(&ext);
 337             krb5_set_error_string(context, "malloc: out of memory");
 338             return ENOMEM;
 339         }
 340         *ext.data.u.password.mkvno = _hdb_mkey_version(key);
 341
 342     } else {
 343         ext.data.u.password.mkvno = NULL;
 344
 345         ret = krb5_data_copy(&ext.data.u.password.password,
 346                              p, strlen(p) + 1);
 347         if (ret) {
 348             krb5_set_error_string(context, "malloc: out of memory");
 349             free_HDB_extension(&ext);
 350             return ret;
 351         }
 352     }
 353
 354     ret = hdb_replace_extension(context, entry, &ext);
 355
 356     free_HDB_extension(&ext);
 357
 358     return ret;
 359 }
 360
 361 int
 362 hdb_entry_clear_password(krb5_context context, hdb_entry *entry)
 363 {
 364     return hdb_clear_extension(context, entry,
 365                                choice_HDB_extension_data_password);
 366 }