search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Initial commit for second approach for multiple kvno. NOT TESTED!
[heimdal.git] / lib / hdb / common.c
blob90e600521e342c0ba0b6b9e6c37f7d4018d04129
1 /*
2 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hdb_locl.h"
35
36 int
37 hdb_principal2key(krb5_context context, krb5_const_principal p, krb5_data *key)
38 {
39 Principal new;
40 size_t len = 0;
41 int ret;
42
43 ret = copy_Principal(p, &new);
44 if(ret)
45 return ret;
46 new.name.name_type = 0;
47
48 ASN1_MALLOC_ENCODE(Principal, key->data, key->length, &new, &len, ret);
49 if (ret == 0 && key->length != len)
50 krb5_abortx(context, "internal asn.1 encoder error");
51 free_Principal(&new);
52 return ret;
53 }
54
55 int
56 hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
57 {
58 return decode_Principal(key->data, key->length, p, NULL);
59 }
60
61 int
62 hdb_entry2value(krb5_context context, const hdb_entry *ent, krb5_data *value)
63 {
64 size_t len = 0;
65 int ret;
66
67 ASN1_MALLOC_ENCODE(hdb_entry, value->data, value->length, ent, &len, ret);
68 if (ret == 0 && value->length != len)
69 krb5_abortx(context, "internal asn.1 encoder error");
70 return ret;
71 }
72
73 int
74 hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
75 {
76 return decode_hdb_entry(value->data, value->length, ent, NULL);
77 }
78
79 int
80 hdb_entry_alias2value(krb5_context context,
81 const hdb_entry_alias *alias,
82 krb5_data *value)
83 {
84 size_t len = 0;
85 int ret;
86
87 ASN1_MALLOC_ENCODE(hdb_entry_alias, value->data, value->length,
88 alias, &len, ret);
89 if (ret == 0 && value->length != len)
90 krb5_abortx(context, "internal asn.1 encoder error");
91 return ret;
92 }
93
94 int
95 hdb_value2entry_alias(krb5_context context, krb5_data *value,
96 hdb_entry_alias *ent)
97 {
98 return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
99 }
100
101 krb5_error_code
102 _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
103 unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
104 {
105 krb5_principal enterprise_principal = NULL;
106 krb5_data key, value;
107 krb5_error_code ret;
108
109 if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
110 if (principal->name.name_string.len != 1) {
111 ret = KRB5_PARSE_MALFORMED;
112 krb5_set_error_message(context, ret, "malformed principal: "
113 "enterprise name with %d name components",
114 principal->name.name_string.len);
115 return ret;
116 }
117 ret = krb5_parse_name(context, principal->name.name_string.val[0],
118 &enterprise_principal);
119 if (ret)
120 return ret;
121 principal = enterprise_principal;
122 }
123
124 hdb_principal2key(context, principal, &key);
125 if (enterprise_principal)
126 krb5_free_principal(context, enterprise_principal);
127 ret = db->hdb__get(context, db, key, &value);
128 krb5_data_free(&key);
129 if(ret)
130 return ret;
131 ret = hdb_value2entry(context, &value, &entry->entry);
132 if (ret == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
133 krb5_data_free(&value);
134 return HDB_ERR_NOENTRY;
135 } else if (ret == ASN1_BAD_ID) {
136 hdb_entry_alias alias;
137
138 ret = hdb_value2entry_alias(context, &value, &alias);
139 if (ret) {
140 krb5_data_free(&value);
141 return ret;
142 }
143 hdb_principal2key(context, alias.principal, &key);
144 krb5_data_free(&value);
145 free_hdb_entry_alias(&alias);
146
147 ret = db->hdb__get(context, db, key, &value);
148 krb5_data_free(&key);
149 if (ret)
150 return ret;
151 ret = hdb_value2entry(context, &value, &entry->entry);
152 if (ret) {
153 krb5_data_free(&value);
154 return ret;
155 }
156 }
157 krb5_data_free(&value);
158 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
159 if ((flags & HDB_F_KVNO_SPECIFIED) == 0 &&
160 (flags & HDB_F_CURRENT_KVNO) == 0) {
161
162 /*
163 * Decrypt all the old keys too, since we don't know which
164 * the caller will need.
165 */
166 ret = hdb_unseal_keys_kvno(context, db, 0, &entry->entry);
167 if (ret) {
168 hdb_free_entry(context, entry);
169 return ret;
170 }
171 } else if ((flags & HDB_F_KVNO_SPECIFIED) != 0 &&
172 kvno != entry->entry.kvno &&
173 kvno < entry->entry.kvno &&
174 kvno > 0) {
175
176 /* Decrypt the keys we were asked for, if not the current ones */
177 ret = hdb_unseal_keys_kvno(context, db, kvno, &entry->entry);
178 if (ret) {
179 hdb_free_entry(context, entry);
180 return ret;
181 }
182 }
183
184 /* Always decrypt the current keys too */
185 ret = hdb_unseal_keys(context, db, &entry->entry);
186 if (ret) {
187 hdb_free_entry(context, entry);
188 return ret;
189 }
190 }
191
192 return ret;
193 }
194
195 static krb5_error_code
196 hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
197 {
198 const HDB_Ext_Aliases *aliases;
199 krb5_error_code code;
200 hdb_entry oldentry;
201 krb5_data value;
202 size_t i;
203
204 code = db->hdb__get(context, db, *key, &value);
205 if (code == HDB_ERR_NOENTRY)
206 return 0;
207 else if (code)
208 return code;
209
210 code = hdb_value2entry(context, &value, &oldentry);
211 krb5_data_free(&value);
212 if (code)
213 return code;
214
215 code = hdb_entry_get_aliases(&oldentry, &aliases);
216 if (code || aliases == NULL) {
217 free_hdb_entry(&oldentry);
218 return code;
219 }
220 for (i = 0; i < aliases->aliases.len; i++) {
221 krb5_data akey;
222
223 hdb_principal2key(context, &aliases->aliases.val[i], &akey);
224 code = db->hdb__del(context, db, akey);
225 krb5_data_free(&akey);
226 if (code) {
227 free_hdb_entry(&oldentry);
228 return code;
229 }
230 }
231 free_hdb_entry(&oldentry);
232 return 0;
233 }
234
235 static krb5_error_code
236 hdb_add_aliases(krb5_context context, HDB *db,
237 unsigned flags, hdb_entry_ex *entry)
238 {
239 const HDB_Ext_Aliases *aliases;
240 krb5_error_code code;
241 krb5_data key, value;
242 size_t i;
243
244 code = hdb_entry_get_aliases(&entry->entry, &aliases);
245 if (code || aliases == NULL)
246 return code;
247
248 for (i = 0; i < aliases->aliases.len; i++) {
249 hdb_entry_alias entryalias;
250 entryalias.principal = entry->entry.principal;
251
252 hdb_principal2key(context, &aliases->aliases.val[i], &key);
253 code = hdb_entry_alias2value(context, &entryalias, &value);
254 if (code) {
255 krb5_data_free(&key);
256 return code;
257 }
258 code = db->hdb__put(context, db, flags, key, value);
259 krb5_data_free(&key);
260 krb5_data_free(&value);
261 if (code)
262 return code;
263 }
264 return 0;
265 }
266
267 static krb5_error_code
268 hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
269 {
270 const HDB_Ext_Aliases *aliases;
271 int code;
272 size_t i;
273
274 /* check if new aliases already is used */
275
276 code = hdb_entry_get_aliases(&entry->entry, &aliases);
277 if (code)
278 return code;
279
280 for (i = 0; aliases && i < aliases->aliases.len; i++) {
281 hdb_entry_alias alias;
282 krb5_data akey, value;
283
284 hdb_principal2key(context, &aliases->aliases.val[i], &akey);
285 code = db->hdb__get(context, db, akey, &value);
286 krb5_data_free(&akey);
287 if (code == HDB_ERR_NOENTRY)
288 continue;
289 else if (code)
290 return code;
291
292 code = hdb_value2entry_alias(context, &value, &alias);
293 krb5_data_free(&value);
294
295 if (code == ASN1_BAD_ID)
296 return HDB_ERR_EXISTS;
297 else if (code)
298 return code;
299
300 code = krb5_principal_compare(context, alias.principal,
301 entry->entry.principal);
302 free_hdb_entry_alias(&alias);
303 if (code == 0)
304 return HDB_ERR_EXISTS;
305 }
306 return 0;
307 }
308
309 krb5_error_code
310 _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
311 {
312 krb5_data key, value;
313 int code;
314
315 /* check if new aliases already is used */
316 code = hdb_check_aliases(context, db, entry);
317 if (code)
318 return code;
319
320 if(entry->entry.generation == NULL) {
321 struct timeval t;
322 entry->entry.generation = malloc(sizeof(*entry->entry.generation));
323 if(entry->entry.generation == NULL) {
324 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
325 return ENOMEM;
326 }
327 gettimeofday(&t, NULL);
328 entry->entry.generation->time = t.tv_sec;
329 entry->entry.generation->usec = t.tv_usec;
330 entry->entry.generation->gen = 0;
331 } else
332 entry->entry.generation->gen++;
333
334 code = hdb_seal_keys(context, db, &entry->entry);
335 if (code)
336 return code;
337
338 hdb_principal2key(context, entry->entry.principal, &key);
339
340 /* remove aliases */
341 code = hdb_remove_aliases(context, db, &key);
342 if (code) {
343 krb5_data_free(&key);
344 return code;
345 }
346 hdb_entry2value(context, &entry->entry, &value);
347 code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
348 krb5_data_free(&value);
349 krb5_data_free(&key);
350 if (code)
351 return code;
352
353 code = hdb_add_aliases(context, db, flags, entry);
354
355 return code;
356 }
357
358 krb5_error_code
359 _hdb_remove(krb5_context context, HDB *db, krb5_const_principal principal)
360 {
361 krb5_data key;
362 int code;
363
364 hdb_principal2key(context, principal, &key);
365
366 code = hdb_remove_aliases(context, db, &key);
367 if (code) {
368 krb5_data_free(&key);
369 return code;
370 }
371 code = db->hdb__del(context, db, key);
372 krb5_data_free(&key);
373 return code;
374 }
375
Heimdal