search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libtommath: Fix possible integer overflow CVE-2023-36328
[heimdal.git] / lib / hdb / hdb.c
blobad0de7cbd93d961b182afee71f8308c74b2e0b7e
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include "hdb_locl.h"
38
39 #ifdef HAVE_DLFCN_H
40 #include <dlfcn.h>
41 #endif
42
43 /*! @mainpage Heimdal database backend library
44 *
45 * @section intro Introduction
46 *
47 * Heimdal libhdb library provides the backend support for Heimdal kdc
48 * and kadmind. Its here where plugins for diffrent database engines
49 * can be pluged in and extend support for here Heimdal get the
50 * principal and policy data from.
51 *
52 * Example of Heimdal backend are:
53 * - Berkeley DB 1.85
54 * - Berkeley DB 3.0
55 * - Berkeley DB 4.0
56 * - New Berkeley DB
57 * - LDAP
58 *
59 *
60 * The project web page: http://www.h5l.org/
61 *
62 */
63
64 const int hdb_interface_version = HDB_INTERFACE_VERSION;
65
66 static struct hdb_method methods[] = {
67 /* "db:" should be db3 if we have db3, or db1 if we have db1 */
68 #if HAVE_DB3
69 { HDB_INTERFACE_VERSION, NULL, NULL, 1 /*is_file_based*/, 1 /*can_taste*/,
70 "db:", hdb_db3_create},
71 #elif HAVE_DB1
72 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "db:", hdb_db1_create},
73 #endif
74 #if HAVE_DB1
75 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "db1:", hdb_db1_create},
76 #endif
77 #if HAVE_DB3
78 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "db3:", hdb_db3_create},
79 #endif
80 #if HAVE_MITDB
81 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "mit-db:", hdb_mitdb_create},
82 #endif
83 #if HAVE_LMDB
84 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "mdb:", hdb_mdb_create},
85 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "lmdb:", hdb_mdb_create},
86 #endif
87 #if HAVE_NDBM
88 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 0, "ndbm:", hdb_ndbm_create},
89 #endif
90 #ifdef HAVE_SQLITE3
91 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "sqlite:", hdb_sqlite_create},
92 #endif
93 /* The keytab interface can't use its hdb_open() method to "taste" a DB */
94 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 0, "keytab:", hdb_keytab_create},
95 /* The rest are not file-based */
96 #if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
97 { HDB_INTERFACE_VERSION, NULL, NULL, 0, 0, "ldap:", hdb_ldap_create},
98 { HDB_INTERFACE_VERSION, NULL, NULL, 0, 0, "ldapi:", hdb_ldapi_create},
99 #elif defined(OPENLDAP)
100 { HDB_INTERFACE_VERSION, NULL, NULL, 0, 0, "ldap:", NULL},
101 { HDB_INTERFACE_VERSION, NULL, NULL, 0, 0, "ldapi:", NULL},
102 #endif
103 { 0, NULL, NULL, 0, 0, NULL, NULL}
104 };
105
106 /**
107 * Returns the Keys of `e' for `kvno', or NULL if not found. The Keys will
108 * remain valid provided that the entry is not mutated.
109 *
110 * @param context Context
111 * @param e The HDB entry
112 * @param kvno The kvno
113 *
114 * @return A pointer to the Keys for the requested kvno.
115 */
116 const Keys *
117 hdb_kvno2keys(krb5_context context,
118 const hdb_entry *e,
119 krb5_kvno kvno)
120 {
121 HDB_Ext_KeySet *hist_keys;
122 HDB_extension *extp;
123 size_t i;
124
125 if (kvno == 0 || e->kvno == kvno)
126 return &e->keys;
127
128 extp = hdb_find_extension(e, choice_HDB_extension_data_hist_keys);
129 if (extp == NULL)
130 return 0;
131
132 hist_keys = &extp->data.u.hist_keys;
133 for (i = 0; i < hist_keys->len; i++) {
134 if (hist_keys->val[i].kvno == kvno)
135 return &hist_keys->val[i].keys;
136 }
137
138 return NULL;
139 }
140
141 /* Based on remove_HDB_Ext_KeySet(), generated by the ASN.1 compiler */
142 static int
143 dequeue_HDB_Ext_KeySet(HDB_Ext_KeySet *data, unsigned int element, hdb_keyset *ks)
144 {
145 if (element >= data->len) {
146 ks->kvno = 0;
147 ks->keys.len = 0;
148 ks->keys.val = 0;
149 ks->set_time = 0;
150 return ASN1_OVERRUN;
151 }
152 *ks = data->val[element];
153 data->len--;
154 /* Swap instead of memmove()... changes the order of elements */
155 if (element < data->len)
156 data->val[element] = data->val[data->len];
157 if (data->len == 0) {
158 free(data->val);
159 data->val = 0;
160 }
161 return 0;
162 }
163
164
165 /**
166 * Removes from `e' and optionally outputs the keyset for the requested `kvno'.
167 *
168 * @param context Context
169 * @param e The HDB entry
170 * @param kvno The key version number
171 * @param ks A pointer to a variable of type hdb_keyset (may be NULL)
172 *
173 * @return Zero on success, an error code otherwise.
174 */
175 krb5_error_code
176 hdb_remove_keys(krb5_context context,
177 hdb_entry *e,
178 krb5_kvno kvno,
179 hdb_keyset *ks)
180 {
181 HDB_Ext_KeySet *hist_keys;
182 HDB_extension *extp;
183 size_t i;
184
185 if (kvno == 0 || e->kvno == kvno) {
186 if (ks) {
187 KerberosTime t;
188
189 (void) hdb_entry_get_pw_change_time(e, &t);
190 if (t) {
191 if ((ks->set_time = malloc(sizeof(*ks->set_time))) == NULL)
192 return krb5_enomem(context);
193 *ks->set_time = t;
194 }
195 ks->kvno = e->kvno;
196 ks->keys = e->keys;
197 e->keys.len = 0;
198 e->keys.val = NULL;
199 e->kvno = 0;
200 } else {
201 free_Keys(&e->keys);
202 }
203 return 0;
204 }
205
206 if (ks) {
207 ks->kvno = 0;
208 ks->keys.len = 0;
209 ks->keys.val = 0;
210 ks->set_time = 0;
211 }
212
213 extp = hdb_find_extension(e, choice_HDB_extension_data_hist_keys);
214 if (extp == NULL)
215 return 0;
216
217 hist_keys = &extp->data.u.hist_keys;
218 for (i = 0; i < hist_keys->len; i++) {
219 if (hist_keys->val[i].kvno != kvno)
220 continue;
221 if (ks)
222 return dequeue_HDB_Ext_KeySet(hist_keys, i, ks);
223 return remove_HDB_Ext_KeySet(hist_keys, i);
224 }
225 return HDB_ERR_NOENTRY;
226 }
227
228 /**
229 * Removes from `e' and outputs all the base keys for virtual principal and/or
230 * key derivation.
231 *
232 * @param context Context
233 * @param e The HDB entry
234 * @param ks A pointer to a variable of type HDB_Ext_KeySet
235 * @param ckr A pointer to stable (copied) HDB_Ext_KeyRotation
236 *
237 * @return Zero on success, an error code otherwise.
238 */
239 krb5_error_code
240 _hdb_remove_base_keys(krb5_context context,
241 hdb_entry *e,
242 HDB_Ext_KeySet *base_keys,
243 const HDB_Ext_KeyRotation *ckr)
244 {
245 krb5_error_code ret = 0;
246 size_t i, k;
247
248 base_keys->len = 0;
249 if ((base_keys->val = calloc(ckr->len, sizeof(base_keys->val[0]))) == NULL)
250 ret = krb5_enomem(context);
251
252 for (k = i = 0; ret == 0 && i < ckr->len; i++) {
253 const KeyRotation *krp = &ckr->val[i];
254
255 /*
256 * WARNING: O(N * M) where M is number of keysets and N is the number
257 * of base keysets.
258 *
259 * In practice N will never be > 3 because the ASN.1 module imposes
260 * that as a constraint, and M will generally be the same as N, so this
261 * will be O(1) after all.
262 */
263 ret = hdb_remove_keys(context, e, krp->base_key_kvno,
264 &base_keys->val[k]);
265 if (ret == 0)
266 k++;
267 else if (ret == HDB_ERR_NOENTRY)
268 ret = 0;
269 }
270 if (ret == 0)
271 base_keys->len = k;
272 else
273 free_HDB_Ext_KeySet(base_keys);
274 return 0;
275 }
276
277 /**
278 * Removes from `e' and outputs all the base keys for virtual principal and/or
279 * key derivation.
280 *
281 * @param context Context
282 * @param e The HDB entry
283 * @param is_current_keyset Whether to make the keys the current keys for `e'
284 * @param ks A pointer to an hdb_keyset containing the keys to set
285 *
286 * @return Zero on success, an error code otherwise.
287 */
288 krb5_error_code
289 hdb_install_keyset(krb5_context context,
290 hdb_entry *e,
291 int is_current_keyset,
292 const hdb_keyset *ks)
293 {
294 krb5_error_code ret = 0;
295
296 if (is_current_keyset) {
297 if (e->keys.len &&
298 (ret = hdb_add_current_keys_to_history(context, e)))
299 return ret;
300 free_Keys(&e->keys);
301 e->kvno = ks->kvno;
302 if (ret == 0)
303 ret = copy_Keys(&ks->keys, &e->keys);
304 if (ret == 0 && ks->set_time)
305 ret = hdb_entry_set_pw_change_time(context, e, *ks->set_time);
306 return ret;
307 }
308 return hdb_add_history_keyset(context, e, ks);
309 }
310
311
312 krb5_error_code
313 hdb_next_enctype2key(krb5_context context,
314 const hdb_entry *e,
315 const Keys *keyset,
316 krb5_enctype enctype,
317 Key **key)
318 {
319 const Keys *keys = keyset ? keyset : &e->keys;
320 Key *k;
321
322 for (k = *key ? (*key) + 1 : keys->val; k < keys->val + keys->len; k++) {
323 if(k->key.keytype == enctype){
324 *key = k;
325 return 0;
326 }
327 }
328 krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
329 "No next enctype %d for hdb-entry",
330 (int)enctype);
331 return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
332 }
333
334 krb5_error_code
335 hdb_enctype2key(krb5_context context,
336 hdb_entry *e,
337 const Keys *keyset,
338 krb5_enctype enctype,
339 Key **key)
340 {
341 *key = NULL;
342 return hdb_next_enctype2key(context, e, keyset, enctype, key);
343 }
344
345 void
346 hdb_free_key(Key *key)
347 {
348 memset_s(key->key.keyvalue.data,
349 key->key.keyvalue.length,
350 0,
351 key->key.keyvalue.length);
352 free_Key(key);
353 free(key);
354 }
355
356
357 krb5_error_code
358 hdb_lock(int fd, int operation)
359 {
360 int i, code = 0;
361
362 for(i = 0; i < 3; i++){
363 code = flock(fd, (operation == HDB_RLOCK ? LOCK_SH : LOCK_EX) | LOCK_NB);
364 if(code == 0 || errno != EWOULDBLOCK)
365 break;
366 sleep(1);
367 }
368 if(code == 0)
369 return 0;
370 if(errno == EWOULDBLOCK)
371 return HDB_ERR_DB_INUSE;
372 return HDB_ERR_CANT_LOCK_DB;
373 }
374
375 krb5_error_code
376 hdb_unlock(int fd)
377 {
378 int code;
379 code = flock(fd, LOCK_UN);
380 if(code)
381 return 4711 /* XXX */;
382 return 0;
383 }
384
385 void
386 hdb_free_entry(krb5_context context, HDB *db, hdb_entry *ent)
387 {
388 Key *k;
389 size_t i;
390
391 if (db && db->hdb_free_entry_context)
392 db->hdb_free_entry_context(context, db, ent);
393
394 for(i = 0; i < ent->keys.len; i++) {
395 k = &ent->keys.val[i];
396
397 memset_s(k->key.keyvalue.data,
398 k->key.keyvalue.length,
399 0,
400 k->key.keyvalue.length);
401 }
402 free_HDB_entry(ent);
403 }
404
405 krb5_error_code
406 hdb_foreach(krb5_context context,
407 HDB *db,
408 unsigned flags,
409 hdb_foreach_func_t func,
410 void *data)
411 {
412 krb5_error_code ret;
413 hdb_entry entry;
414 ret = db->hdb_firstkey(context, db, flags, &entry);
415 if (ret == 0)
416 krb5_clear_error_message(context);
417 while(ret == 0){
418 ret = (*func)(context, db, &entry, data);
419 hdb_free_entry(context, db, &entry);
420 if(ret == 0)
421 ret = db->hdb_nextkey(context, db, flags, &entry);
422 }
423 if(ret == HDB_ERR_NOENTRY)
424 ret = 0;
425 return ret;
426 }
427
428 krb5_error_code
429 hdb_check_db_format(krb5_context context, HDB *db)
430 {
431 krb5_data tag;
432 krb5_data version;
433 krb5_error_code ret, ret2;
434 unsigned ver;
435 int foo;
436
437 ret = db->hdb_lock(context, db, HDB_RLOCK);
438 if (ret)
439 return ret;
440
441 tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
442 tag.length = strlen(tag.data);
443 ret = (*db->hdb__get)(context, db, tag, &version);
444 ret2 = db->hdb_unlock(context, db);
445 if(ret)
446 return ret;
447 if (ret2)
448 return ret2;
449 foo = sscanf(version.data, "%u", &ver);
450 krb5_data_free (&version);
451 if (foo != 1)
452 return HDB_ERR_BADVERSION;
453 if(ver != HDB_DB_FORMAT)
454 return HDB_ERR_BADVERSION;
455 return 0;
456 }
457
458 krb5_error_code
459 hdb_init_db(krb5_context context, HDB *db)
460 {
461 krb5_error_code ret, ret2;
462 krb5_data tag;
463 krb5_data version;
464 char ver[32];
465
466 ret = hdb_check_db_format(context, db);
467 if(ret != HDB_ERR_NOENTRY)
468 return ret;
469
470 ret = db->hdb_lock(context, db, HDB_WLOCK);
471 if (ret)
472 return ret;
473
474 tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
475 tag.length = strlen(tag.data);
476 snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
477 version.data = ver;
478 version.length = strlen(version.data) + 1; /* zero terminated */
479 ret = (*db->hdb__put)(context, db, 0, tag, version);
480 ret2 = db->hdb_unlock(context, db);
481 if (ret) {
482 if (ret2)
483 krb5_clear_error_message(context);
484 return ret;
485 }
486 return ret2;
487 }
488
489 /*
490 * `default_dbmethod' is the last resort default.
491 *
492 * In hdb_create() we may try all the `methods[]' until one succeeds or all
493 * fail.
494 */
495 #if defined(HAVE_LMDB)
496 static struct hdb_method default_dbmethod =
497 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "", hdb_mdb_create };
498 #elif defined(HAVE_DB3)
499 static struct hdb_method default_dbmethod =
500 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "", hdb_db3_create };
501 #elif defined(HAVE_DB1)
502 static struct hdb_method default_dbmethod =
503 { HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "", hdb_db1_create };
504 #elif defined(HAVE_NDBM)
505 static struct hdb_method default_dbmethod =
506 { HDB_INTERFACE_VERSION, NULL, NULL, 0, 1, "", hdb_ndbm_create };
507 #else
508 static struct hdb_method default_dbmethod =
509 { 0, NULL, NULL, 0, 0, NULL, NULL};
510 #endif
511
512 static int
513 is_pathish(const char *s)
514 {
515 if (s[0] == '/' ||
516 strncmp(s, "./", sizeof("./") - 1) == 0 ||
517 strncmp(s, "../", sizeof("../") - 1) == 0)
518 return 1;
519 #ifdef WIN32
520 if (s[0] == '\\' || (isalpha((unsigned char)s[0]) && s[0] == ':') ||
521 strncmp(s, ".\\", sizeof(".\\") - 1) == 0 ||
522 strncmp(s, "\\\\", sizeof("\\\\") - 1) == 0)
523 return 1;
524 #endif
525 return 0;
526 }
527
528 static const struct hdb_method *
529 has_method_prefix(const char *filename)
530 {
531 const struct hdb_method *h;
532
533 for (h = methods; h->prefix != NULL; ++h)
534 if (strncmp(filename, h->prefix, strlen(h->prefix)) == 0)
535 return h;
536 return NULL;
537 }
538
539 /*
540 * find the relevant method for `filename', returning a pointer to the
541 * rest in `rest'.
542 * return NULL if there's no such method.
543 */
544
545 static const struct hdb_method *
546 find_method(const char *filename, const char **rest)
547 {
548 const struct hdb_method *h = has_method_prefix(filename);
549
550 *rest = h ? filename + strlen(h->prefix) : filename;
551 return h;
552 }
553
554 struct cb_s {
555 const char *residual;
556 const char *filename;
557 const struct hdb_method *h;
558 };
559
560 static krb5_error_code KRB5_LIB_CALL
561 callback(krb5_context context, const void *plug, void *plugctx, void *userctx)
562 {
563 const struct hdb_method *h = (const struct hdb_method *)plug;
564 struct cb_s *cb_ctx = (struct cb_s *)userctx;
565
566 if (strncmp(cb_ctx->filename, h->prefix, strlen(h->prefix)) == 0) {
567 cb_ctx->residual = cb_ctx->filename + strlen(h->prefix) + 1;
568 cb_ctx->h = h;
569 return 0;
570 }
571 return KRB5_PLUGIN_NO_HANDLE;
572 }
573
574 static char *
575 make_sym(const char *prefix)
576 {
577 char *s, *sym;
578
579 errno = 0;
580 if (prefix == NULL || prefix[0] == '\0')
581 return NULL;
582 if ((s = strdup(prefix)) == NULL)
583 return NULL;
584 if (strchr(s, ':') != NULL)
585 *strchr(s, ':') = '\0';
586 if (asprintf(&sym, "hdb_%s_interface", s) == -1)
587 sym = NULL;
588 free(s);
589 return sym;
590 }
591
592 static const char *hdb_plugin_deps[] = { "hdb", "krb5", NULL };
593
594 krb5_error_code
595 hdb_list_builtin(krb5_context context, char **list)
596 {
597 const struct hdb_method *h;
598 size_t len = 0;
599 char *buf = NULL;
600
601 for (h = methods; h->prefix != NULL; ++h) {
602 if (h->prefix[0] == '\0')
603 continue;
604 len += strlen(h->prefix) + 2;
605 }
606
607 len += 1;
608 buf = malloc(len);
609 if (buf == NULL) {
610 return krb5_enomem(context);
611 }
612 buf[0] = '\0';
613
614 for (h = methods; h->prefix != NULL; ++h) {
615 if (h->create == NULL) {
616 struct cb_s cb_ctx;
617 char *f;
618 struct heim_plugin_data hdb_plugin_data;
619
620 hdb_plugin_data.module = "krb5";
621 hdb_plugin_data.min_version = HDB_INTERFACE_VERSION;
622 hdb_plugin_data.deps = hdb_plugin_deps;
623 hdb_plugin_data.get_instance = hdb_get_instance;
624
625 /* Try loading the plugin */
626 if (asprintf(&f, "%sfoo", h->prefix) == -1)
627 f = NULL;
628 if ((hdb_plugin_data.name = make_sym(h->prefix)) == NULL) {
629 free(buf);
630 free(f);
631 return krb5_enomem(context);
632 }
633 cb_ctx.filename = f;
634 cb_ctx.residual = NULL;
635 cb_ctx.h = NULL;
636 (void)_krb5_plugin_run_f(context, &hdb_plugin_data, 0,
637 &cb_ctx, callback);
638 free(f);
639 free(rk_UNCONST(hdb_plugin_data.name));
640 if (cb_ctx.h == NULL || cb_ctx.h->create == NULL)
641 continue;
642 }
643 if (h != methods)
644 strlcat(buf, ", ", len);
645 strlcat(buf, h->prefix, len);
646 }
647 *list = buf;
648 return 0;
649 }
650
651 krb5_error_code
652 _hdb_keytab2hdb_entry(krb5_context context,
653 const krb5_keytab_entry *ktentry,
654 hdb_entry *entry)
655 {
656 entry->kvno = ktentry->vno;
657 entry->created_by.time = ktentry->timestamp;
658
659 entry->keys.val = calloc(1, sizeof(entry->keys.val[0]));
660 if (entry->keys.val == NULL)
661 return ENOMEM;
662 entry->keys.len = 1;
663
664 entry->keys.val[0].mkvno = NULL;
665 entry->keys.val[0].salt = NULL;
666
667 return krb5_copy_keyblock_contents(context,
668 &ktentry->keyblock,
669 &entry->keys.val[0].key);
670 }
671
672 static krb5_error_code
673 load_config(krb5_context context, HDB *db)
674 {
675 db->enable_virtual_hostbased_princs =
676 krb5_config_get_bool_default(context, NULL, FALSE, "hdb",
677 "enable_virtual_hostbased_princs",
678 NULL);
679 db->virtual_hostbased_princ_ndots =
680 krb5_config_get_int_default(context, NULL, 1, "hdb",
681 "virtual_hostbased_princ_mindots",
682 NULL);
683 db->virtual_hostbased_princ_maxdots =
684 krb5_config_get_int_default(context, NULL, 0, "hdb",
685 "virtual_hostbased_princ_maxdots",
686 NULL);
687 db->new_service_key_delay =
688 krb5_config_get_time_default(context, NULL, 0, "hdb",
689 "new_service_key_delay", NULL);
690 /*
691 * XXX Needs freeing in the HDB backends because we don't have a
692 * first-class hdb_close() :(
693 */
694 db->virtual_hostbased_princ_svcs =
695 krb5_config_get_strings(context, NULL, "hdb",
696 "virtual_hostbased_princ_svcs", NULL);
697 /* Check for ENOMEM */
698 if (db->virtual_hostbased_princ_svcs == NULL
699 && krb5_config_get_string(context, NULL, "hdb",
700 "virtual_hostbased_princ_svcs", NULL)) {
701 return krb5_enomem(context);
702 }
703 return 0;
704 }
705
706 /**
707 * Create a handle for a Kerberos database
708 *
709 * Create a handle for a Kerberos database backend specified by a
710 * filename. Doesn't actually create or even open an HDB file(s);
711 * you have to call the hdb_open() open method of the resulting HDB
712 * to open the database, and you have to use O_CREAT to create it.
713 *
714 * If `filename' does not have a backend type prefix, all file-based
715 * backends will be tried until one succeeds or all fail, and if the
716 * HDB exists for some backend, that will be used. A build-time
717 * default backend type will be used if the `filename' does not exist.
718 *
719 * Note that the actual filename may have a suffix added, such as
720 * ".db". Also, for backends such as "ldap:" and "ldapi:" the
721 * `filename' is more like a URI.
722 *
723 * @param [in] context Context
724 * @param [out] db HDB handle output
725 * @param [in] filename The name of the HDB
726 *
727 * @return Zero on success else a krb5 error code.
728 */
729
730 krb5_error_code
731 hdb_create(krb5_context context, HDB **db, const char *filename)
732 {
733 krb5_error_code ret = ENOTSUP;
734 struct cb_s cb_ctx;
735
736 *db = NULL;
737 if (filename == NULL)
738 filename = hdb_default_db(context);
739
740 cb_ctx.h = find_method(filename, &cb_ctx.residual);
741 cb_ctx.filename = filename;
742
743 if (cb_ctx.h == NULL || cb_ctx.h->create == NULL) {
744 struct heim_plugin_data hdb_plugin_data;
745
746 /*
747 * `filename' does not start with a known HDB backend prefix.
748 *
749 * Try plugins.
750 */
751 hdb_plugin_data.module = "krb5";
752 hdb_plugin_data.min_version = HDB_INTERFACE_VERSION;
753 hdb_plugin_data.deps = hdb_plugin_deps;
754 hdb_plugin_data.get_instance = hdb_get_instance;
755
756 if ((hdb_plugin_data.name = make_sym(filename)) == NULL)
757 return krb5_enomem(context);
758
759 (void)_krb5_plugin_run_f(context, &hdb_plugin_data, 0 /* flags */,
760 &cb_ctx, callback);
761
762 free(rk_UNCONST(hdb_plugin_data.name));
763 }
764
765 if (cb_ctx.h == NULL || cb_ctx.h->create == NULL) {
766 int pathish = is_pathish(filename);
767 /*
768 * `filename' does not start with a known HDB backend prefix and it
769 * wasn't handled by any plugin.
770 *
771 * If it's "filename-ish", try all builtin HDB backends that are
772 * local-file-ish, but use hdb_open() to see if the HDB exists and stop
773 * when a backend is found for which the HDB exists.
774 */
775 if (!pathish) {
776 krb5_set_error_message(context, ret = ENOTSUP,
777 "No database support for %s",
778 cb_ctx.filename);
779 return ret;
780 }
781 for (cb_ctx.h = methods; cb_ctx.h->prefix != NULL; cb_ctx.h++) {
782 if (cb_ctx.h->is_file_based)
783 continue;
784 if (!cb_ctx.h->can_taste)
785 continue;
786 /* Taste the file */
787 ret = (*cb_ctx.h->create)(context, db, filename);
788 if (ret == 0)
789 ret = (*db)->hdb_open(context, *db, O_RDONLY, 0);
790 if (ret == 0) {
791 (void) (*db)->hdb_close(context, *db);
792 break;
793 }
794 if (*db)
795 (*db)->hdb_destroy(context, *db);
796 *db = NULL;
797 }
798 if (cb_ctx.h->prefix == NULL)
799 cb_ctx.h = NULL;
800 }
801 #ifdef HDB_DEFAULT_DB_TYPE
802 if (cb_ctx.h == NULL) {
803 /*
804 * If still we've not picked a backend, use a build configuration time
805 * default.
806 */
807 for (cb_ctx.h = methods; cb_ctx.h->prefix != NULL; cb_ctx.h++)
808 if (strcmp(cb_ctx.h->prefix, HDB_DEFAULT_DB_TYPE) == 0)
809 break;
810 if (cb_ctx.h->prefix == NULL)
811 cb_ctx.h = NULL;
812 }
813 #endif
814 if (cb_ctx.h == NULL)
815 /* Last resort default */
816 cb_ctx.h = &default_dbmethod;
817 if (cb_ctx.h->prefix == NULL) {
818 krb5_set_error_message(context, ENOTSUP,
819 "Could not determine default DB backend for %s",
820 filename);
821 return ENOTSUP;
822 }
823 if (!*db) {
824 ret = (*cb_ctx.h->create)(context, db, cb_ctx.residual);
825 if (ret == 0)
826 (*db)->hdb_method_name = cb_ctx.h->prefix;
827 }
828 if (ret == 0 && *db)
829 ret = load_config(context, *db);
830 if (ret && *db) {
831 (*db)->hdb_destroy(context, *db);
832 *db = NULL;
833 }
834 return ret;
835 }
836
837 uintptr_t KRB5_CALLCONV
838 hdb_get_instance(const char *libname)
839 {
840 static const char *instance = "libhdb";
841
842 if (strcmp(libname, "hdb") == 0)
843 return (uintptr_t)instance;
844 else if (strcmp(libname, "krb5") == 0)
845 return krb5_get_instance(libname);
846
847 return 0;
848 }
Heimdal