2 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
35 #ifdef HAVE_RES_SEARCH
38 #ifdef HAVE_ARPA_NAMESER_H
39 #include <arpa/nameser.h>
44 RCSID("$Id: principal.c,v 1.90 2005/06/30 01:38:15 lha Exp $");
46 #define princ_num_comp(P) ((P)->name.name_string.len)
47 #define princ_type(P) ((P)->name.name_type)
48 #define princ_comp(P) ((P)->name.name_string.val)
49 #define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
50 #define princ_realm(P) ((P)->realm)
52 void KRB5_LIB_FUNCTION
53 krb5_free_principal(krb5_context context,
62 void KRB5_LIB_FUNCTION
63 krb5_principal_set_type(krb5_context context,
64 krb5_principal principal,
67 princ_type(principal) = type;
71 krb5_principal_get_type(krb5_context context,
72 krb5_principal principal)
74 return princ_type(principal);
77 const char* KRB5_LIB_FUNCTION
78 krb5_principal_get_realm(krb5_context context,
79 krb5_principal principal)
81 return princ_realm(principal);
84 const char* KRB5_LIB_FUNCTION
85 krb5_principal_get_comp_string(krb5_context context,
86 krb5_principal principal,
87 unsigned int component)
89 if(component >= princ_num_comp(principal))
91 return princ_ncomp(principal, component);
94 krb5_error_code KRB5_LIB_FUNCTION
95 krb5_parse_name(krb5_context context,
97 krb5_principal *principal)
100 heim_general_string *comp;
101 heim_general_string realm;
113 /* count number of component */
115 for(p = name; *p; p++){
118 krb5_set_error_string (context,
119 "trailing \\ in principal name");
120 return KRB5_PARSE_MALFORMED;
126 comp = calloc(ncomp, sizeof(*comp));
128 krb5_set_error_string (context, "malloc: out of memory");
133 p = start = q = s = strdup(name);
136 krb5_set_error_string (context, "malloc: out of memory");
152 krb5_set_error_string (context,
153 "trailing \\ in principal name");
154 ret = KRB5_PARSE_MALFORMED;
157 }else if(c == '/' || c == '@'){
159 krb5_set_error_string (context,
160 "part after realm in principal name");
161 ret = KRB5_PARSE_MALFORMED;
164 comp[n] = malloc(q - start + 1);
165 if (comp[n] == NULL) {
166 krb5_set_error_string (context, "malloc: out of memory");
170 memcpy(comp[n], start, q - start);
171 comp[n][q - start] = 0;
179 if(got_realm && (c == ':' || c == '/' || c == '\0')) {
180 krb5_set_error_string (context,
181 "part after realm in principal name");
182 ret = KRB5_PARSE_MALFORMED;
188 realm = malloc(q - start + 1);
190 krb5_set_error_string (context, "malloc: out of memory");
194 memcpy(realm, start, q - start);
195 realm[q - start] = 0;
197 ret = krb5_get_default_realm (context, &realm);
201 comp[n] = malloc(q - start + 1);
202 if (comp[n] == NULL) {
203 krb5_set_error_string (context, "malloc: out of memory");
207 memcpy(comp[n], start, q - start);
208 comp[n][q - start] = 0;
211 *principal = malloc(sizeof(**principal));
212 if (*principal == NULL) {
213 krb5_set_error_string (context, "malloc: out of memory");
217 (*principal)->name.name_type = KRB5_NT_PRINCIPAL;
218 (*principal)->name.name_string.val = comp;
219 princ_num_comp(*principal) = n;
220 (*principal)->realm = realm;
232 static const char quotable_chars[] = " \n\t\b\\/@";
233 static const char replace_chars[] = " ntb\\/@";
235 #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
238 quote_string(const char *s, char *out, size_t idx, size_t len)
241 for(p = s; *p && idx < len; p++){
242 if((q = strchr(quotable_chars, *p))){
243 add_char(out, idx, len, '\\');
244 add_char(out, idx, len, replace_chars[q - quotable_chars]);
246 add_char(out, idx, len, *p);
254 static krb5_error_code
255 unparse_name_fixed(krb5_context context,
256 krb5_const_principal principal,
259 krb5_boolean short_form)
263 for(i = 0; i < princ_num_comp(principal); i++){
265 add_char(name, idx, len, '/');
266 idx = quote_string(princ_ncomp(principal, i), name, idx, len);
270 /* add realm if different from default realm */
274 ret = krb5_get_default_realm(context, &r);
277 if(strcmp(princ_realm(principal), r) != 0)
282 add_char(name, idx, len, '@');
283 idx = quote_string(princ_realm(principal), name, idx, len);
290 krb5_error_code KRB5_LIB_FUNCTION
291 krb5_unparse_name_fixed(krb5_context context,
292 krb5_const_principal principal,
296 return unparse_name_fixed(context, principal, name, len, FALSE);
299 krb5_error_code KRB5_LIB_FUNCTION
300 krb5_unparse_name_fixed_short(krb5_context context,
301 krb5_const_principal principal,
305 return unparse_name_fixed(context, principal, name, len, TRUE);
308 static krb5_error_code
309 unparse_name(krb5_context context,
310 krb5_const_principal principal,
312 krb5_boolean short_flag)
314 size_t len = 0, plen;
318 plen = strlen(princ_realm(principal));
319 if(strcspn(princ_realm(principal), quotable_chars) == plen)
324 for(i = 0; i < princ_num_comp(principal); i++){
325 plen = strlen(princ_ncomp(principal, i));
326 if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)
335 krb5_set_error_string (context, "malloc: out of memory");
338 ret = unparse_name_fixed(context, principal, *name, len, short_flag);
346 krb5_error_code KRB5_LIB_FUNCTION
347 krb5_unparse_name(krb5_context context,
348 krb5_const_principal principal,
351 return unparse_name(context, principal, name, FALSE);
354 krb5_error_code KRB5_LIB_FUNCTION
355 krb5_unparse_name_short(krb5_context context,
356 krb5_const_principal principal,
359 return unparse_name(context, principal, name, TRUE);
362 #if 0 /* not implemented */
364 krb5_error_code KRB5_LIB_FUNCTION
365 krb5_unparse_name_ext(krb5_context context,
366 krb5_const_principal principal,
370 krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
376 krb5_princ_realm(krb5_context context,
377 krb5_principal principal)
379 return &princ_realm(principal);
383 void KRB5_LIB_FUNCTION
384 krb5_princ_set_realm(krb5_context context,
385 krb5_principal principal,
388 princ_realm(principal) = *realm;
392 krb5_error_code KRB5_LIB_FUNCTION
393 krb5_build_principal(krb5_context context,
394 krb5_principal *principal,
396 krb5_const_realm realm,
402 ret = krb5_build_principal_va(context, principal, rlen, realm, ap);
407 static krb5_error_code
408 append_component(krb5_context context, krb5_principal p,
412 heim_general_string *tmp;
413 size_t len = princ_num_comp(p);
415 tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp));
417 krb5_set_error_string (context, "malloc: out of memory");
421 princ_ncomp(p, len) = malloc(comp_len + 1);
422 if (princ_ncomp(p, len) == NULL) {
423 krb5_set_error_string (context, "malloc: out of memory");
426 memcpy (princ_ncomp(p, len), comp, comp_len);
427 princ_ncomp(p, len)[comp_len] = '\0';
433 va_ext_princ(krb5_context context, krb5_principal p, va_list ap)
438 len = va_arg(ap, int);
441 s = va_arg(ap, const char*);
442 append_component(context, p, s, len);
447 va_princ(krb5_context context, krb5_principal p, va_list ap)
451 s = va_arg(ap, const char*);
454 append_component(context, p, s, strlen(s));
459 static krb5_error_code
460 build_principal(krb5_context context,
461 krb5_principal *principal,
463 krb5_const_realm realm,
464 void (*func)(krb5_context, krb5_principal, va_list),
469 p = calloc(1, sizeof(*p));
471 krb5_set_error_string (context, "malloc: out of memory");
474 princ_type(p) = KRB5_NT_PRINCIPAL;
476 princ_realm(p) = strdup(realm);
477 if(p->realm == NULL){
479 krb5_set_error_string (context, "malloc: out of memory");
483 (*func)(context, p, ap);
488 krb5_error_code KRB5_LIB_FUNCTION
489 krb5_make_principal(krb5_context context,
490 krb5_principal *principal,
491 krb5_const_realm realm,
498 ret = krb5_get_default_realm(context, &r);
504 ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
511 krb5_error_code KRB5_LIB_FUNCTION
512 krb5_build_principal_va(krb5_context context,
513 krb5_principal *principal,
515 krb5_const_realm realm,
518 return build_principal(context, principal, rlen, realm, va_princ, ap);
521 krb5_error_code KRB5_LIB_FUNCTION
522 krb5_build_principal_va_ext(krb5_context context,
523 krb5_principal *principal,
525 krb5_const_realm realm,
528 return build_principal(context, principal, rlen, realm, va_ext_princ, ap);
532 krb5_error_code KRB5_LIB_FUNCTION
533 krb5_build_principal_ext(krb5_context context,
534 krb5_principal *principal,
536 krb5_const_realm realm,
542 ret = krb5_build_principal_va_ext(context, principal, rlen, realm, ap);
548 krb5_error_code KRB5_LIB_FUNCTION
549 krb5_copy_principal(krb5_context context,
550 krb5_const_principal inprinc,
551 krb5_principal *outprinc)
553 krb5_principal p = malloc(sizeof(*p));
555 krb5_set_error_string (context, "malloc: out of memory");
558 if(copy_Principal(inprinc, p)) {
560 krb5_set_error_string (context, "malloc: out of memory");
568 * return TRUE iff princ1 == princ2 (without considering the realm)
571 krb5_boolean KRB5_LIB_FUNCTION
572 krb5_principal_compare_any_realm(krb5_context context,
573 krb5_const_principal princ1,
574 krb5_const_principal princ2)
577 if(princ_num_comp(princ1) != princ_num_comp(princ2))
579 for(i = 0; i < princ_num_comp(princ1); i++){
580 if(strcmp(princ_ncomp(princ1, i), princ_ncomp(princ2, i)) != 0)
587 * return TRUE iff princ1 == princ2
590 krb5_boolean KRB5_LIB_FUNCTION
591 krb5_principal_compare(krb5_context context,
592 krb5_const_principal princ1,
593 krb5_const_principal princ2)
595 if(!krb5_realm_compare(context, princ1, princ2))
597 return krb5_principal_compare_any_realm(context, princ1, princ2);
601 * return TRUE iff realm(princ1) == realm(princ2)
604 krb5_boolean KRB5_LIB_FUNCTION
605 krb5_realm_compare(krb5_context context,
606 krb5_const_principal princ1,
607 krb5_const_principal princ2)
609 return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
613 * return TRUE iff princ matches pattern
616 krb5_boolean KRB5_LIB_FUNCTION
617 krb5_principal_match(krb5_context context,
618 krb5_const_principal princ,
619 krb5_const_principal pattern)
622 if(princ_num_comp(princ) != princ_num_comp(pattern))
624 if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
626 for(i = 0; i < princ_num_comp(princ); i++){
627 if(fnmatch(princ_ncomp(pattern, i), princ_ncomp(princ, i), 0) != 0)
634 static struct v4_name_convert {
637 } default_v4_name_convert[] = {
639 { "hprop", "hprop" },
648 * return the converted instance name of `name' in `realm'.
649 * look in the configuration file and then in the default set above.
650 * return NULL if no conversion is appropriate.
654 get_name_conversion(krb5_context context, const char *realm, const char *name)
656 struct v4_name_convert *q;
659 p = krb5_config_get_string(context, NULL, "realms", realm,
660 "v4_name_convert", "host", name, NULL);
662 p = krb5_config_get_string(context, NULL, "libdefaults",
663 "v4_name_convert", "host", name, NULL);
667 /* XXX should be possible to override default list */
668 p = krb5_config_get_string(context, NULL,
677 p = krb5_config_get_string(context, NULL,
685 for(q = default_v4_name_convert; q->from; q++)
686 if(strcmp(q->from, name) == 0)
692 * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'.
693 * if `resolve', use DNS.
694 * if `func', use that function for validating the conversion
697 krb5_error_code KRB5_LIB_FUNCTION
698 krb5_425_conv_principal_ext2(krb5_context context,
700 const char *instance,
702 krb5_boolean (*func)(krb5_context,
703 void *, krb5_principal),
705 krb5_boolean resolve,
706 krb5_principal *princ)
711 char host[MAXHOSTNAMELEN];
712 char local_hostname[MAXHOSTNAMELEN];
714 /* do the following: if the name is found in the
715 `v4_name_convert:host' part, is is assumed to be a `host' type
716 principal, and the instance is looked up in the
717 `v4_instance_convert' part. if not found there the name is
718 (optionally) looked up as a hostname, and if that doesn't yield
719 anything, the `default_domain' is appended to the instance
724 if(instance[0] == 0){
728 p = get_name_conversion(context, realm, name);
732 p = krb5_config_get_string(context, NULL, "realms", realm,
733 "v4_instance_convert", instance, NULL);
736 ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
737 if(func == NULL || (*func)(context, funcctx, pr)){
741 krb5_free_principal(context, pr);
743 krb5_clear_error_string (context);
744 return HEIM_ERR_V4_PRINC_NO_CONV;
747 krb5_boolean passed = FALSE;
752 r = dns_lookup(instance, "aaaa");
753 if (r && r->head && r->head->type == T_AAAA) {
754 inst = strdup(r->head->domain);
758 r = dns_lookup(instance, "a");
759 if(r && r->head && r->head->type == T_A) {
760 inst = strdup(r->head->domain);
766 struct addrinfo hints, *ai;
769 memset (&hints, 0, sizeof(hints));
770 hints.ai_flags = AI_CANONNAME;
771 ret = getaddrinfo(instance, NULL, &hints, &ai);
773 const struct addrinfo *a;
774 for (a = ai; a != NULL; a = a->ai_next) {
775 if (a->ai_canonname != NULL) {
776 inst = strdup (a->ai_canonname);
786 krb5_set_error_string (context, "malloc: out of memory");
790 ret = krb5_make_principal(context, &pr, realm, name, inst,
794 if(func == NULL || (*func)(context, funcctx, pr)){
798 krb5_free_principal(context, pr);
803 snprintf(host, sizeof(host), "%s.%s", instance, realm);
805 ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
806 if((*func)(context, funcctx, pr)){
810 krb5_free_principal(context, pr);
814 * if the instance is the first component of the local hostname,
815 * the converted host should be the long hostname.
819 gethostname (local_hostname, sizeof(local_hostname)) == 0 &&
820 strncmp(instance, local_hostname, strlen(instance)) == 0 &&
821 local_hostname[strlen(instance)] == '.') {
822 strlcpy(host, local_hostname, sizeof(host));
828 domains = krb5_config_get_strings(context, NULL, "realms", realm,
830 for(d = domains; d && *d; d++){
831 snprintf(host, sizeof(host), "%s.%s", instance, *d);
832 ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
833 if(func == NULL || (*func)(context, funcctx, pr)){
835 krb5_config_free_strings(domains);
838 krb5_free_principal(context, pr);
840 krb5_config_free_strings(domains);
844 p = krb5_config_get_string(context, NULL, "realms", realm,
845 "default_domain", NULL);
847 /* this should be an error, just faking a name is not good */
848 krb5_clear_error_string (context);
849 return HEIM_ERR_V4_PRINC_NO_CONV;
854 snprintf(host, sizeof(host), "%s.%s", instance, p);
856 ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
857 if(func == NULL || (*func)(context, funcctx, pr)){
861 krb5_free_principal(context, pr);
862 krb5_clear_error_string (context);
863 return HEIM_ERR_V4_PRINC_NO_CONV;
865 p = krb5_config_get_string(context, NULL,
873 p = krb5_config_get_string(context, NULL,
882 ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
883 if(func == NULL || (*func)(context, funcctx, pr)){
887 krb5_free_principal(context, pr);
888 krb5_clear_error_string (context);
889 return HEIM_ERR_V4_PRINC_NO_CONV;
893 convert_func(krb5_context conxtext, void *funcctx, krb5_principal principal)
895 krb5_boolean (*func)(krb5_context, krb5_principal) = funcctx;
896 return (*func)(conxtext, principal);
899 krb5_error_code KRB5_LIB_FUNCTION
900 krb5_425_conv_principal_ext(krb5_context context,
902 const char *instance,
904 krb5_boolean (*func)(krb5_context, krb5_principal),
905 krb5_boolean resolve,
906 krb5_principal *principal)
908 return krb5_425_conv_principal_ext2(context,
912 func ? convert_func : NULL,
920 krb5_error_code KRB5_LIB_FUNCTION
921 krb5_425_conv_principal(krb5_context context,
923 const char *instance,
925 krb5_principal *princ)
927 krb5_boolean resolve = krb5_config_get_bool(context,
930 "v4_instance_resolve",
933 return krb5_425_conv_principal_ext(context, name, instance, realm,
934 NULL, resolve, princ);
939 check_list(const krb5_config_binding *l, const char *name, const char **out)
942 if (l->type != krb5_config_string)
944 if(strcmp(name, l->u.string) == 0) {
954 name_convert(krb5_context context, const char *name, const char *realm,
957 const krb5_config_binding *l;
958 l = krb5_config_get_list (context,
965 if(l && check_list(l, name, out))
966 return KRB5_NT_SRV_HST;
967 l = krb5_config_get_list (context,
973 if(l && check_list(l, name, out))
974 return KRB5_NT_SRV_HST;
975 l = krb5_config_get_list (context,
982 if(l && check_list(l, name, out))
983 return KRB5_NT_UNKNOWN;
984 l = krb5_config_get_list (context,
990 if(l && check_list(l, name, out))
991 return KRB5_NT_UNKNOWN;
993 /* didn't find it in config file, try built-in list */
995 struct v4_name_convert *q;
996 for(q = default_v4_name_convert; q->from; q++) {
997 if(strcmp(name, q->to) == 0) {
999 return KRB5_NT_SRV_HST;
1007 * convert the v5 principal in `principal' into a v4 corresponding one
1008 * in `name, instance, realm'
1009 * this is limited interface since there's no length given for these
1010 * three parameters. They have to be 40 bytes each (ANAME_SZ).
1013 krb5_error_code KRB5_LIB_FUNCTION
1014 krb5_524_conv_principal(krb5_context context,
1015 const krb5_principal principal,
1020 const char *n, *i, *r;
1022 int type = princ_type(principal);
1023 const int aname_sz = 40;
1025 r = principal->realm;
1027 switch(principal->name.name_string.len){
1029 n = principal->name.name_string.val[0];
1033 n = principal->name.name_string.val[0];
1034 i = principal->name.name_string.val[1];
1037 krb5_set_error_string (context,
1038 "cannot convert a %d component principal",
1039 principal->name.name_string.len);
1040 return KRB5_PARSE_MALFORMED;
1045 int t = name_convert(context, n, r, &tmp);
1052 if(type == KRB5_NT_SRV_HST){
1055 strlcpy (tmpinst, i, sizeof(tmpinst));
1056 p = strchr(tmpinst, '.');
1062 if (strlcpy (name, n, aname_sz) >= aname_sz) {
1063 krb5_set_error_string (context,
1064 "too long name component to convert");
1065 return KRB5_PARSE_MALFORMED;
1067 if (strlcpy (instance, i, aname_sz) >= aname_sz) {
1068 krb5_set_error_string (context,
1069 "too long instance component to convert");
1070 return KRB5_PARSE_MALFORMED;
1072 if (strlcpy (realm, r, aname_sz) >= aname_sz) {
1073 krb5_set_error_string (context,
1074 "too long realm component to convert");
1075 return KRB5_PARSE_MALFORMED;
1081 * Create a principal in `ret_princ' for the service `sname' running
1082 * on host `hostname'. */
1084 krb5_error_code KRB5_LIB_FUNCTION
1085 krb5_sname_to_principal (krb5_context context,
1086 const char *hostname,
1089 krb5_principal *ret_princ)
1091 krb5_error_code ret;
1092 char localhost[MAXHOSTNAMELEN];
1093 char **realms, *host = NULL;
1095 if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
1096 krb5_set_error_string (context, "unsupported name type %d",
1098 return KRB5_SNAME_UNSUPP_NAMETYPE;
1100 if(hostname == NULL) {
1101 gethostname(localhost, sizeof(localhost));
1102 hostname = localhost;
1106 if(type == KRB5_NT_SRV_HST) {
1107 ret = krb5_expand_hostname_realms (context, hostname,
1114 ret = krb5_get_host_realm(context, hostname, &realms);
1119 ret = krb5_make_principal(context, ret_princ, realms[0], sname,
1123 krb5_free_host_realm(context, realms);