1 /* $NetBSD: transited.c,v 1.1.1.2 2014/04/24 12:45:51 pettai Exp $ */
4 * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
38 /* this is an attempt at one of the most horrible `compression'
39 schemes that has ever been invented; it's so amazingly brain-dead
40 that words can not describe it, and all this just to save a few
45 unsigned leading_space
:1;
46 unsigned leading_slash
:1;
47 unsigned trailing_dot
:1;
48 struct tr_realm
*next
;
52 free_realms(struct tr_realm
*r
)
64 make_path(krb5_context context
, struct tr_realm
*r
,
65 const char *from
, const char *to
)
70 if(strlen(from
) < strlen(to
)){
77 if(strcmp(from
+ strlen(from
) - strlen(to
), to
) == 0){
82 krb5_clear_error_message (context
);
83 return KRB5KDC_ERR_POLICY
;
86 if(strcmp(p
, to
) == 0)
88 tmp
= calloc(1, sizeof(*tmp
));
90 return krb5_enomem(context
);
93 tmp
->realm
= strdup(p
);
94 if(tmp
->realm
== NULL
){
97 return krb5_enomem(context
);
100 }else if(strncmp(from
, to
, strlen(to
)) == 0){
101 p
= from
+ strlen(from
);
103 while(p
>= from
&& *p
!= '/') p
--;
105 return KRB5KDC_ERR_POLICY
;
107 if(strncmp(to
, from
, p
- from
) == 0)
109 tmp
= calloc(1, sizeof(*tmp
));
111 return krb5_enomem(context
);
114 tmp
->realm
= malloc(p
- from
+ 1);
115 if(tmp
->realm
== NULL
){
118 return krb5_enomem(context
);
120 memcpy(tmp
->realm
, from
, p
- from
);
121 tmp
->realm
[p
- from
] = '\0';
125 krb5_clear_error_message (context
);
126 return KRB5KDC_ERR_POLICY
;
133 make_paths(krb5_context context
,
134 struct tr_realm
*realms
, const char *client_realm
,
135 const char *server_realm
)
139 const char *prev_realm
= client_realm
;
140 const char *next_realm
= NULL
;
141 for(r
= realms
; r
; r
= r
->next
){
142 /* it *might* be that you can have more than one empty
143 component in a row, at least that's how I interpret the
144 "," exception in 1510 */
145 if(r
->realm
[0] == '\0'){
146 while(r
->next
&& r
->next
->realm
[0] == '\0')
149 next_realm
= r
->next
->realm
;
151 next_realm
= server_realm
;
152 ret
= make_path(context
, r
, prev_realm
, next_realm
);
158 prev_realm
= r
->realm
;
164 expand_realms(krb5_context context
,
165 struct tr_realm
*realms
, const char *client_realm
)
168 const char *prev_realm
= NULL
;
169 for(r
= realms
; r
; r
= r
->next
){
174 if(prev_realm
== NULL
)
175 prev_realm
= client_realm
;
177 len
= strlen(r
->realm
) + strlen(prev_realm
) + 1;
179 tmp
= realloc(r
->realm
, len
);
182 return krb5_enomem(context
);
185 strlcat(r
->realm
, prev_realm
, len
);
186 }else if(r
->leading_slash
&& !r
->leading_space
&& prev_realm
){
187 /* yet another exception: if you use x500-names, the
188 leading realm doesn't have to be "quoted" with a space */
190 size_t len
= strlen(r
->realm
) + strlen(prev_realm
) + 1;
195 return krb5_enomem(context
);
197 strlcpy(tmp
, prev_realm
, len
);
198 strlcat(tmp
, r
->realm
, len
);
202 prev_realm
= r
->realm
;
207 static struct tr_realm
*
208 make_realm(char *realm
)
213 r
= calloc(1, sizeof(*r
));
219 for(p
= q
= r
->realm
; *p
; p
++){
220 if(p
== r
->realm
&& *p
== ' '){
221 r
->leading_space
= 1;
224 if(q
== r
->realm
&& *p
== '/')
225 r
->leading_slash
= 1;
235 if(p
[0] == '.' && p
[1] == '\0')
243 static struct tr_realm
*
244 append_realm(struct tr_realm
*head
, struct tr_realm
*r
)
252 while(p
->next
) p
= p
->next
;
258 decode_realms(krb5_context context
,
259 const char *tr
, int length
, struct tr_realm
**realms
)
261 struct tr_realm
*r
= NULL
;
265 const char *start
= tr
;
268 for(i
= 0; i
< length
; i
++){
278 tmp
= malloc(tr
+ i
- start
+ 1);
280 return krb5_enomem(context
);
281 memcpy(tmp
, start
, tr
+ i
- start
);
282 tmp
[tr
+ i
- start
] = '\0';
285 free_realms(*realms
);
286 return krb5_enomem(context
);
288 *realms
= append_realm(*realms
, r
);
292 tmp
= malloc(tr
+ i
- start
+ 1);
295 return krb5_enomem(context
);
297 memcpy(tmp
, start
, tr
+ i
- start
);
298 tmp
[tr
+ i
- start
] = '\0';
301 free_realms(*realms
);
302 return krb5_enomem(context
);
304 *realms
= append_realm(*realms
, r
);
310 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
311 krb5_domain_x500_decode(krb5_context context
,
312 krb5_data tr
, char ***realms
, unsigned int *num_realms
,
313 const char *client_realm
, const char *server_realm
)
315 struct tr_realm
*r
= NULL
;
316 struct tr_realm
*p
, **q
;
325 /* split string in components */
326 ret
= decode_realms(context
, tr
.data
, tr
.length
, &r
);
330 /* apply prefix rule */
331 ret
= expand_realms(context
, r
, client_realm
);
335 ret
= make_paths(context
, r
, client_realm
, server_realm
);
339 /* remove empty components and count realms */
342 if((*q
)->realm
[0] == '\0'){
352 if (*num_realms
+ 1 > UINT_MAX
/sizeof(**realms
))
357 R
= malloc((*num_realms
+ 1) * sizeof(*R
));
359 return krb5_enomem(context
);
371 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
372 krb5_domain_x500_encode(char **realms
, unsigned int num_realms
,
378 krb5_data_zero(encoding
);
381 for(i
= 0; i
< num_realms
; i
++){
382 len
+= strlen(realms
[i
]);
383 if(realms
[i
][0] == '/')
386 len
+= num_realms
- 1;
391 for(i
= 0; i
< num_realms
; i
++){
393 strlcat(s
, ",", len
+ 1);
394 if(realms
[i
][0] == '/')
395 strlcat(s
, " ", len
+ 1);
396 strlcat(s
, realms
[i
], len
+ 1);
399 encoding
->length
= strlen(s
);
403 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
404 krb5_check_transited(krb5_context context
,
405 krb5_const_realm client_realm
,
406 krb5_const_realm server_realm
,
408 unsigned int num_realms
,
418 tr_realms
= krb5_config_get_strings(context
, NULL
,
423 for(i
= 0; i
< num_realms
; i
++) {
424 for(p
= tr_realms
; p
&& *p
; p
++) {
425 if(strcmp(*p
, realms
[i
]) == 0)
428 if(p
== NULL
|| *p
== NULL
) {
429 krb5_config_free_strings(tr_realms
);
430 krb5_set_error_message (context
, KRB5KRB_AP_ERR_ILL_CR_TKT
,
431 N_("no transit allowed "
432 "through realm %s", ""),
436 return KRB5KRB_AP_ERR_ILL_CR_TKT
;
439 krb5_config_free_strings(tr_realms
);
443 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
444 krb5_check_transited_realms(krb5_context context
,
445 const char *const *realms
,
446 unsigned int num_realms
,
451 char **bad_realms
= krb5_config_get_strings(context
, NULL
,
453 "transited_realms_reject",
455 if(bad_realms
== NULL
)
458 for(i
= 0; i
< num_realms
; i
++) {
460 for(p
= bad_realms
; *p
; p
++)
461 if(strcmp(*p
, realms
[i
]) == 0) {
462 ret
= KRB5KRB_AP_ERR_ILL_CR_TKT
;
463 krb5_set_error_message (context
, ret
,
464 N_("no transit allowed "
465 "through realm %s", ""),
472 krb5_config_free_strings(bad_realms
);
478 main(int argc
, char **argv
)
484 x
.length
= strlen(x
.data
);
485 if(domain_expand(x
, &r
, &num
, argv
[2], argv
[3]))
487 for(i
= 0; i
< num
; i
++)
488 printf("%s\n", r
[i
]);