155682Smarkm/*
2233294Sstas * Copyright (c) 1997 - 2001 Kungliga Tekniska H��gskolan
3233294Sstas * (Royal Institute of Technology, Stockholm, Sweden).
4233294Sstas * All rights reserved.
555682Smarkm *
6233294Sstas * Redistribution and use in source and binary forms, with or without
7233294Sstas * modification, are permitted provided that the following conditions
8233294Sstas * are met:
955682Smarkm *
10233294Sstas * 1. Redistributions of source code must retain the above copyright
11233294Sstas *    notice, this list of conditions and the following disclaimer.
1255682Smarkm *
13233294Sstas * 2. Redistributions in binary form must reproduce the above copyright
14233294Sstas *    notice, this list of conditions and the following disclaimer in the
15233294Sstas *    documentation and/or other materials provided with the distribution.
1655682Smarkm *
17233294Sstas * 3. Neither the name of the Institute nor the names of its contributors
18233294Sstas *    may be used to endorse or promote products derived from this software
19233294Sstas *    without specific prior written permission.
2055682Smarkm *
21233294Sstas * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22233294Sstas * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23233294Sstas * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24233294Sstas * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25233294Sstas * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26233294Sstas * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27233294Sstas * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28233294Sstas * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29233294Sstas * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30233294Sstas * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31233294Sstas * SUCH DAMAGE.
3255682Smarkm */
3355682Smarkm
3455682Smarkm#include "kdc_locl.h"
3555682Smarkm
36178825Sdfrstruct timeval _kdc_now;
3755682Smarkm
3872445Sassarkrb5_error_code
39178825Sdfr_kdc_db_fetch(krb5_context context,
40178825Sdfr	      krb5_kdc_configuration *config,
41178825Sdfr	      krb5_const_principal principal,
42178825Sdfr	      unsigned flags,
43233294Sstas	      krb5uint32 *kvno_ptr,
44178825Sdfr	      HDB **db,
45178825Sdfr	      hdb_entry_ex **h)
4655682Smarkm{
47178825Sdfr    hdb_entry_ex *ent;
48233294Sstas    krb5_error_code ret = HDB_ERR_NOENTRY;
4955682Smarkm    int i;
50233294Sstas    unsigned kvno = 0;
5172445Sassar
52233294Sstas    if (kvno_ptr) {
53233294Sstas	    kvno = *kvno_ptr;
54233294Sstas	    flags |= HDB_F_KVNO_SPECIFIED;
55233294Sstas    }
56233294Sstas
57178825Sdfr    ent = calloc (1, sizeof (*ent));
58178825Sdfr    if (ent == NULL) {
59233294Sstas	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
6072445Sassar	return ENOMEM;
61178825Sdfr    }
6255682Smarkm
63178825Sdfr    for(i = 0; i < config->num_db; i++) {
64233294Sstas	krb5_principal enterprise_principal = NULL;
65233294Sstas	if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
66233294Sstas	    && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
67233294Sstas	    if (principal->name.name_string.len != 1) {
68233294Sstas		ret = KRB5_PARSE_MALFORMED;
69233294Sstas		krb5_set_error_message(context, ret,
70233294Sstas				       "malformed request: "
71233294Sstas				       "enterprise name with %d name components",
72233294Sstas				       principal->name.name_string.len);
73233294Sstas		free(ent);
74233294Sstas		return ret;
75233294Sstas	    }
76233294Sstas	    ret = krb5_parse_name(context, principal->name.name_string.val[0],
77233294Sstas				  &enterprise_principal);
78233294Sstas	    if (ret) {
79233294Sstas		free(ent);
80233294Sstas		return ret;
81233294Sstas	    }
82233294Sstas
83233294Sstas	    principal = enterprise_principal;
84233294Sstas	}
85233294Sstas
86178825Sdfr	ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
8755682Smarkm	if (ret) {
88233294Sstas	    const char *msg = krb5_get_error_message(context, ret);
89233294Sstas	    kdc_log(context, config, 0, "Failed to open database: %s", msg);
90233294Sstas	    krb5_free_error_message(context, msg);
9155682Smarkm	    continue;
9255682Smarkm	}
93233294Sstas
94233294Sstas	ret = config->db[i]->hdb_fetch_kvno(context,
95233294Sstas					    config->db[i],
96233294Sstas					    principal,
97233294Sstas					    flags | HDB_F_DECRYPT,
98233294Sstas					    kvno,
99233294Sstas					    ent);
100233294Sstas
101233294Sstas	krb5_free_principal(context, enterprise_principal);
102233294Sstas
103178825Sdfr	config->db[i]->hdb_close(context, config->db[i]);
10472445Sassar	if(ret == 0) {
105178825Sdfr	    if (db)
106178825Sdfr		*db = config->db[i];
10772445Sassar	    *h = ent;
10872445Sassar	    return 0;
10972445Sassar	}
11055682Smarkm    }
11155682Smarkm    free(ent);
112233294Sstas    krb5_set_error_message(context, ret,
113233294Sstas			   "no such entry found in hdb");
114233294Sstas    return ret;
11555682Smarkm}
11672445Sassar
11772445Sassarvoid
118178825Sdfr_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
11972445Sassar{
12072445Sassar    hdb_free_entry (context, ent);
12172445Sassar    free (ent);
12272445Sassar}
12372445Sassar
124178825Sdfr/*
125178825Sdfr * Use the order list of preferred encryption types and sort the
126178825Sdfr * available keys and return the most preferred key.
127178825Sdfr */
128178825Sdfr
129178825Sdfrkrb5_error_code
130178825Sdfr_kdc_get_preferred_key(krb5_context context,
131178825Sdfr		       krb5_kdc_configuration *config,
132178825Sdfr		       hdb_entry_ex *h,
133178825Sdfr		       const char *name,
134178825Sdfr		       krb5_enctype *enctype,
135178825Sdfr		       Key **key)
136178825Sdfr{
137178825Sdfr    krb5_error_code ret;
138178825Sdfr    int i;
139178825Sdfr
140233294Sstas    if (config->use_strongest_server_key) {
141233294Sstas	const krb5_enctype *p = krb5_kerberos_enctypes(context);
142178825Sdfr
143233294Sstas	for (i = 0; p[i] != ETYPE_NULL; i++) {
144233294Sstas	    if (krb5_enctype_valid(context, p[i]) != 0)
145233294Sstas		continue;
146233294Sstas	    ret = hdb_enctype2key(context, &h->entry, p[i], key);
147233294Sstas	    if (ret != 0)
148233294Sstas		continue;
149233294Sstas	    if (enctype != NULL)
150233294Sstas		*enctype = p[i];
151178825Sdfr	    return 0;
152178825Sdfr	}
153233294Sstas    } else {
154233294Sstas	*key = NULL;
155233294Sstas
156233294Sstas	for (i = 0; i < h->entry.keys.len; i++) {
157233294Sstas	    if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
158233294Sstas		!= 0)
159233294Sstas		continue;
160233294Sstas	    ret = hdb_enctype2key(context, &h->entry,
161233294Sstas		h->entry.keys.val[i].key.keytype, key);
162233294Sstas	    if (ret != 0)
163233294Sstas		continue;
164233294Sstas	    if (enctype != NULL)
165233294Sstas		*enctype = (*key)->key.keytype;
166233294Sstas	    return 0;
167233294Sstas	}
168178825Sdfr    }
169178825Sdfr
170233294Sstas    krb5_set_error_message(context, EINVAL,
171233294Sstas			   "No valid kerberos key found for %s", name);
172233294Sstas    return EINVAL; /* XXX */
173178825Sdfr}
174178825Sdfr
175