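/*
 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "kdc_locl.h"

/*
 * Shared KDC timestamp.  Only the definition lives here; nothing in this
 * file reads or writes it (presumably the time of the request currently
 * being processed -- confirm against its users).
 */
struct timeval _kdc_now;

/*
 * Look up `principal' in the configured HDB backends, in order, and hand
 * back the first entry found.
 *
 * principal - name to look up.  An enterprise name
 *             (KRB5_NT_ENTERPRISE_PRINCIPAL) is parsed into an ordinary
 *             principal for every backend that does not advertise
 *             HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL; backends that do
 *             advertise it see the enterprise name unchanged.
 * flags     - HDB_F_* lookup flags; HDB_F_DECRYPT is always added.
 * kvno_ptr  - if non-NULL, the key version to fetch (HDB_F_KVNO_SPECIFIED
 *             is added to the flags).
 * db        - if non-NULL, receives the backend the entry came from.
 * h         - receives the entry on success; the caller releases it with
 *             _kdc_free_ent().
 *
 * Returns 0 on success.  On failure returns ENOMEM, KRB5_PARSE_MALFORMED,
 * the backend's fetch error, or HDB_ERR_NOENTRY when no backend was
 * consulted; the error message is set in `context' and nothing is left
 * allocated for the caller.  A backend that fails to open is logged and
 * skipped rather than aborting the search.
 */
krb5_error_code
_kdc_db_fetch(krb5_context context,
	      krb5_kdc_configuration *config,
	      krb5_const_principal principal,
	      unsigned flags,
	      krb5uint32 *kvno_ptr,
	      HDB **db,
	      hdb_entry_ex **h)
{
    hdb_entry_ex *ent;
    krb5_error_code ret = HDB_ERR_NOENTRY;
    krb5_principal enterprise_principal = NULL;
    unsigned kvno = 0;
    int i;

    if (kvno_ptr) {
	kvno = *kvno_ptr;
	flags |= HDB_F_KVNO_SPECIFIED;
    }

    ent = calloc(1, sizeof(*ent));
    if (ent == NULL) {
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
	return ENOMEM;
    }

    for (i = 0; i < config->num_db; i++) {
	HDB *curdb = config->db[i];
	krb5_const_principal princ = principal;

	/*
	 * The parsed enterprise principal is created at most once and
	 * kept alive until the function returns.  The previous version
	 * freed it after each backend while `principal' still pointed at
	 * it, so a miss in the first backend made the next iteration read
	 * freed memory; it also leaked it when hdb_open failed.
	 */
	if (!(curdb->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
	    && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
	    if (enterprise_principal == NULL) {
		if (principal->name.name_string.len != 1) {
		    ret = KRB5_PARSE_MALFORMED;
		    /* name_string.len is unsigned, hence %u rather than %d */
		    krb5_set_error_message(context, ret,
					   "malformed request: "
					   "enterprise name with %u name components",
					   principal->name.name_string.len);
		    goto out;
		}
		ret = krb5_parse_name(context,
				      principal->name.name_string.val[0],
				      &enterprise_principal);
		if (ret)
		    goto out;
	    }
	    princ = enterprise_principal;
	}

	ret = curdb->hdb_open(context, curdb, O_RDONLY, 0);
	if (ret) {
	    const char *msg = krb5_get_error_message(context, ret);
	    kdc_log(context, config, 0, "Failed to open database: %s", msg);
	    krb5_free_error_message(context, msg);
	    continue;
	}

	ret = curdb->hdb_fetch_kvno(context, curdb, princ,
				    flags | HDB_F_DECRYPT, kvno, ent);
	curdb->hdb_close(context, curdb);

	if (ret == 0) {
	    if (db)
		*db = curdb;
	    *h = ent;
	    goto out;
	}
    }
    krb5_set_error_message(context, ret, "no such entry found in hdb");

out:
    /* krb5_free_principal accepts NULL, as the old per-iteration call relied on */
    krb5_free_principal(context, enterprise_principal);
    if (ret)
	free(ent);
    return ret;
}

/*
 * Release an entry obtained from _kdc_db_fetch(): first its contents,
 * then the container that _kdc_db_fetch() allocated for it.
 */
void
_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
{
    hdb_free_entry(context, ent);
    free(ent);
}

/*
 * Select the key of `h' that the KDC should use for `name'.
 *
 * With use_strongest_server_key set, the preference order is the list
 * returned by krb5_kerberos_enctypes(context): the first enctype in it
 * for which the entry holds a key wins.  Otherwise the entry's own key
 * order decides.  In both modes enctypes that krb5_enctype_valid()
 * rejects are skipped, so a disabled enctype is never selected.
 *
 * enctype - if non-NULL, receives the enctype of the selected key.
 * key     - receives the selected Key.  Nothing is allocated for it here
 *           (presumably it points into h->entry.keys), so the caller must
 *           not free it; it is set to NULL when no key is selected.
 *
 * Returns 0 on success, EINVAL when the entry has no usable key (the
 * error message names `name').
 */
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
		       krb5_kdc_configuration *config,
		       hdb_entry_ex *h,
		       const char *name,
		       krb5_enctype *enctype,
		       Key **key)
{
    unsigned int i;	/* keys.len is unsigned; avoids a signed/unsigned compare */

    *key = NULL;

    if (config->use_strongest_server_key) {
	const krb5_enctype *p = krb5_kerberos_enctypes(context);

	for (i = 0; p[i] != ETYPE_NULL; i++) {
	    if (krb5_enctype_valid(context, p[i]) != 0)
		continue;
	    if (hdb_enctype2key(context, &h->entry, p[i], key) != 0)
		continue;
	    if (enctype != NULL)
		*enctype = p[i];
	    return 0;
	}
    } else {
	for (i = 0; i < h->entry.keys.len; i++) {
	    krb5_enctype et = h->entry.keys.val[i].key.keytype;

	    if (krb5_enctype_valid(context, et) != 0)
		continue;
	    if (hdb_enctype2key(context, &h->entry, et, key) != 0)
		continue;
	    if (enctype != NULL)
		*enctype = (*key)->key.keytype;
	    return 0;
	}
    }

    krb5_set_error_message(context, EINVAL,
			   "No valid kerberos key found for %s", name);
    return EINVAL;	/* XXX no more specific error code available */
}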