2 * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
36 /* this is an attempt at one of the most horrible `compression'
37 schemes that has ever been invented; it's so amazingly brain-dead
38 that words can not describe it, and all this just to save a few
43 unsigned leading_space:1;
44 unsigned leading_slash:1;
45 unsigned trailing_dot:1;
46 struct tr_realm *next;
50 free_realms(struct tr_realm *r)
62 make_path(krb5_context context, struct tr_realm *r,
63 const char *from, const char *to)
66 struct tr_realm *path = r->next;
69 if(strlen(from) < strlen(to)){
76 if(strcmp(from + strlen(from) - strlen(to), to) == 0){
81 krb5_clear_error_message (context);
82 return KRB5KDC_ERR_POLICY;
85 if(strcmp(p, to) == 0)
87 tmp = calloc(1, sizeof(*tmp));
89 krb5_set_error_message(context, ENOMEM,
90 N_("malloc: out of memory", ""));
95 path->realm = strdup(p);
96 if(path->realm == NULL){
97 r->next = path; /* XXX */
98 krb5_set_error_message(context, ENOMEM,
99 N_("malloc: out of memory", ""));
103 }else if(strncmp(from, to, strlen(to)) == 0){
104 p = from + strlen(from);
106 while(p >= from && *p != '/') p--;
108 r->next = path; /* XXX */
109 return KRB5KDC_ERR_POLICY;
111 if(strncmp(to, from, p - from) == 0)
113 tmp = calloc(1, sizeof(*tmp));
115 krb5_set_error_message(context, ENOMEM,
116 N_("malloc: out of memory", ""));
121 path->realm = malloc(p - from + 1);
122 if(path->realm == NULL){
123 r->next = path; /* XXX */
124 krb5_set_error_message(context, ENOMEM,
125 N_("malloc: out of memory", ""));
128 memcpy(path->realm, from, p - from);
129 path->realm[p - from] = '\0';
133 krb5_clear_error_message (context);
134 return KRB5KDC_ERR_POLICY;
142 make_paths(krb5_context context,
143 struct tr_realm *realms, const char *client_realm,
144 const char *server_realm)
148 const char *prev_realm = client_realm;
149 const char *next_realm = NULL;
150 for(r = realms; r; r = r->next){
151 /* it *might* be that you can have more than one empty
152 component in a row, at least that's how I interpret the
153 "," exception in 1510 */
154 if(r->realm[0] == '\0'){
155 while(r->next && r->next->realm[0] == '\0')
158 next_realm = r->next->realm;
160 next_realm = server_realm;
161 ret = make_path(context, r, prev_realm, next_realm);
167 prev_realm = r->realm;
173 expand_realms(krb5_context context,
174 struct tr_realm *realms, const char *client_realm)
177 const char *prev_realm = NULL;
178 for(r = realms; r; r = r->next){
183 if(prev_realm == NULL)
184 prev_realm = client_realm;
186 len = strlen(r->realm) + strlen(prev_realm) + 1;
188 tmp = realloc(r->realm, len);
191 krb5_set_error_message(context, ENOMEM,
192 N_("malloc: out of memory", ""));
196 strlcat(r->realm, prev_realm, len);
197 }else if(r->leading_slash && !r->leading_space && prev_realm){
198 /* yet another exception: if you use x500-names, the
199 leading realm doesn't have to be "quoted" with a space */
201 size_t len = strlen(r->realm) + strlen(prev_realm) + 1;
206 krb5_set_error_message(context, ENOMEM,
207 N_("malloc: out of memory", ""));
210 strlcpy(tmp, prev_realm, len);
211 strlcat(tmp, r->realm, len);
215 prev_realm = r->realm;
220 static struct tr_realm *
221 make_realm(char *realm)
226 r = calloc(1, sizeof(*r));
232 for(p = q = r->realm; *p; p++){
233 if(p == r->realm && *p == ' '){
234 r->leading_space = 1;
237 if(q == r->realm && *p == '/')
238 r->leading_slash = 1;
248 if(p[0] == '.' && p[1] == '\0')
256 static struct tr_realm*
257 append_realm(struct tr_realm *head, struct tr_realm *r)
265 while(p->next) p = p->next;
271 decode_realms(krb5_context context,
272 const char *tr, int length, struct tr_realm **realms)
274 struct tr_realm *r = NULL;
278 const char *start = tr;
281 for(i = 0; i < length; i++){
291 tmp = malloc(tr + i - start + 1);
293 krb5_set_error_message(context, ENOMEM,
294 N_("malloc: out of memory", ""));
297 memcpy(tmp, start, tr + i - start);
298 tmp[tr + i - start] = '\0';
301 free_realms(*realms);
302 krb5_set_error_message(context, ENOMEM,
303 N_("malloc: out of memory", ""));
306 *realms = append_realm(*realms, r);
310 tmp = malloc(tr + i - start + 1);
313 krb5_set_error_message(context, ENOMEM,
314 N_("malloc: out of memory", ""));
317 memcpy(tmp, start, tr + i - start);
318 tmp[tr + i - start] = '\0';
321 free_realms(*realms);
322 krb5_set_error_message(context, ENOMEM,
323 N_("malloc: out of memory", ""));
326 *realms = append_realm(*realms, r);
332 krb5_error_code KRB5_LIB_FUNCTION
333 krb5_domain_x500_decode(krb5_context context,
334 krb5_data tr, char ***realms, unsigned int *num_realms,
335 const char *client_realm, const char *server_realm)
337 struct tr_realm *r = NULL;
338 struct tr_realm *p, **q;
347 /* split string in components */
348 ret = decode_realms(context, tr.data, tr.length, &r);
352 /* apply prefix rule */
353 ret = expand_realms(context, r, client_realm);
357 ret = make_paths(context, r, client_realm, server_realm);
361 /* remove empty components and count realms */
365 if(p->realm[0] == '\0'){
376 if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
381 R = malloc((*num_realms + 1) * sizeof(*R));
395 krb5_error_code KRB5_LIB_FUNCTION
396 krb5_domain_x500_encode(char **realms, unsigned int num_realms,
402 krb5_data_zero(encoding);
405 for(i = 0; i < num_realms; i++){
406 len += strlen(realms[i]);
407 if(realms[i][0] == '/')
410 len += num_realms - 1;
415 for(i = 0; i < num_realms; i++){
416 if(i && i < num_realms - 1)
417 strlcat(s, ",", len + 1);
418 if(realms[i][0] == '/')
419 strlcat(s, " ", len + 1);
420 strlcat(s, realms[i], len + 1);
423 encoding->length = strlen(s);
427 krb5_error_code KRB5_LIB_FUNCTION
428 krb5_check_transited(krb5_context context,
429 krb5_const_realm client_realm,
430 krb5_const_realm server_realm,
432 unsigned int num_realms,
442 tr_realms = krb5_config_get_strings(context, NULL,
447 for(i = 0; i < num_realms; i++) {
448 for(p = tr_realms; p && *p; p++) {
449 if(strcmp(*p, realms[i]) == 0)
452 if(p == NULL || *p == NULL) {
453 krb5_config_free_strings(tr_realms);
454 krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
455 N_("no transit allowed "
456 "through realm %s", ""),
460 return KRB5KRB_AP_ERR_ILL_CR_TKT;
463 krb5_config_free_strings(tr_realms);
467 krb5_error_code KRB5_LIB_FUNCTION
468 krb5_check_transited_realms(krb5_context context,
469 const char *const *realms,
470 unsigned int num_realms,
475 char **bad_realms = krb5_config_get_strings(context, NULL,
477 "transited_realms_reject",
479 if(bad_realms == NULL)
482 for(i = 0; i < num_realms; i++) {
484 for(p = bad_realms; *p; p++)
485 if(strcmp(*p, realms[i]) == 0) {
486 ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
487 krb5_set_error_message (context, ret,
488 N_("no transit allowed "
489 "through realm %s", ""),
496 krb5_config_free_strings(bad_realms);
502 main(int argc, char **argv)
508 x.length = strlen(x.data);
509 if(domain_expand(x, &r, &num, argv[2], argv[3]))
511 for(i = 0; i < num; i++)
512 printf("%s\n", r[i]);
git.samba.org / amitay / samba.git / blob