2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * @page krb5_principal_intro The principal handing functions.
37 * A Kerberos principal is a email address looking string that
38 * contains two parts separated by @. The second part is the kerberos
39 * realm the principal belongs to and the first is a list of 0 or
40 * more components. For example
43 host/hummel.it.su.se@SU.SE
47 * See the library functions here: @ref krb5_principal
50 #include "krb5_locl.h"
51 #ifdef HAVE_RES_SEARCH
54 #ifdef HAVE_ARPA_NAMESER_H
55 #include <arpa/nameser.h>
60 #define princ_num_comp(P) ((P)->name.name_string.len)
61 #define princ_type(P) ((P)->name.name_type)
62 #define princ_comp(P) ((P)->name.name_string.val)
63 #define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
64 #define princ_realm(P) ((P)->realm)
66 static krb5_error_code
67 set_default_princ_type(krb5_principal p
, NAME_TYPE defnt
)
69 if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), KRB5_TGS_NAME
) == 0)
70 princ_type(p
) = KRB5_NT_SRV_INST
;
71 else if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), "host") == 0)
72 princ_type(p
) = KRB5_NT_SRV_HST
;
73 else if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), "kca_service") == 0)
74 princ_type(p
) = KRB5_NT_SRV_HST
;
75 else if (princ_num_comp(p
) == 2 &&
76 strcmp(princ_ncomp(p
, 0), KRB5_WELLKNOWN_NAME
) == 0)
77 princ_type(p
) = KRB5_NT_WELLKNOWN
;
78 else if (princ_num_comp(p
) == 1 && strchr(princ_ncomp(p
, 0), '@') != NULL
)
79 princ_type(p
) = KRB5_NT_SMTP_NAME
;
81 princ_type(p
) = defnt
;
85 static krb5_error_code
append_component(krb5_context
, krb5_principal
,
86 const char *, size_t);
89 * Frees a Kerberos principal allocated by the library with
90 * krb5_parse_name(), krb5_make_principal() or any other related
91 * principal functions.
93 * @param context A Kerberos context.
94 * @param p a principal to free.
96 * @return An krb5 error code, see krb5_get_error_message().
98 * @ingroup krb5_principal
101 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
102 krb5_free_principal(krb5_context context
,
112 * Set the type of the principal
114 * @param context A Kerberos context.
115 * @param principal principal to set the type for
116 * @param type the new type
118 * @return An krb5 error code, see krb5_get_error_message().
120 * @ingroup krb5_principal
123 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
124 krb5_principal_set_type(krb5_context context
,
125 krb5_principal principal
,
128 princ_type(principal
) = type
;
132 * Get the type of the principal
134 * @param context A Kerberos context.
135 * @param principal principal to get the type for
137 * @return the type of principal
139 * @ingroup krb5_principal
142 KRB5_LIB_FUNCTION
int KRB5_LIB_CALL
143 krb5_principal_get_type(krb5_context context
,
144 krb5_const_principal principal
)
146 return princ_type(principal
);
150 * Get the realm of the principal
152 * @param context A Kerberos context.
153 * @param principal principal to get the realm for
155 * @return realm of the principal, don't free or use after krb5_principal is freed
157 * @ingroup krb5_principal
160 KRB5_LIB_FUNCTION
const char* KRB5_LIB_CALL
161 krb5_principal_get_realm(krb5_context context
,
162 krb5_const_principal principal
)
164 return princ_realm(principal
);
167 KRB5_LIB_FUNCTION
const char* KRB5_LIB_CALL
168 krb5_principal_get_comp_string(krb5_context context
,
169 krb5_const_principal principal
,
170 unsigned int component
)
172 if(component
>= princ_num_comp(principal
))
174 return princ_ncomp(principal
, component
);
178 * Get number of component is principal.
180 * @param context Kerberos 5 context
181 * @param principal principal to query
183 * @return number of components in string
185 * @ingroup krb5_principal
188 KRB5_LIB_FUNCTION
unsigned int KRB5_LIB_CALL
189 krb5_principal_get_num_comp(krb5_context context
,
190 krb5_const_principal principal
)
192 return princ_num_comp(principal
);
196 * Parse a name into a krb5_principal structure, flags controls the behavior.
198 * @param context Kerberos 5 context
199 * @param name name to parse into a Kerberos principal
200 * @param flags flags to control the behavior
201 * @param principal returned principal, free with krb5_free_principal().
203 * @return An krb5 error code, see krb5_get_error_message().
205 * @ingroup krb5_principal
208 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
209 krb5_parse_name_flags(krb5_context context
,
212 krb5_principal
*principal
)
215 heim_general_string
*comp
;
216 heim_general_string realm
= NULL
;
228 int no_realm
= flags
& KRB5_PRINCIPAL_PARSE_NO_REALM
;
229 int require_realm
= flags
& KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
;
230 int enterprise
= flags
& KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
231 int ignore_realm
= flags
& KRB5_PRINCIPAL_PARSE_IGNORE_REALM
;
232 int no_def_realm
= flags
& KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
236 if (no_realm
&& require_realm
) {
237 krb5_set_error_message(context
, EINVAL
,
238 N_("Can't require both realm and "
239 "no realm at the same time", ""));
243 /* count number of component,
244 * enterprise names only have one component
248 for (p
= name
; *p
; p
++) {
251 krb5_set_error_message(context
, KRB5_PARSE_MALFORMED
,
252 N_("trailing \\ in principal name", ""));
253 return KRB5_PARSE_MALFORMED
;
256 } else if (*p
== '/')
262 comp
= calloc(ncomp
, sizeof(*comp
));
264 return krb5_enomem(context
);
267 p
= start
= q
= s
= strdup(name
);
270 return krb5_enomem(context
);
284 * We'll ignore trailing embedded NULs in components and
285 * realms, but can't support any other embedded NULs.
288 if ((*p
== '/' || *p
== '@') && !got_realm
)
290 if (*(p
++) != '\\' || *(p
++) != '0') {
291 ret
= KRB5_PARSE_MALFORMED
;
292 krb5_set_error_message(context
, ret
,
293 N_("embedded NULs in principal "
294 "name not supported", ""));
299 } else if (c
== '\0') {
300 ret
= KRB5_PARSE_MALFORMED
;
301 krb5_set_error_message(context
, ret
,
302 N_("trailing \\ in principal name", ""));
305 } else if (enterprise
&& first_at
) {
308 } else if ((c
== '/' && !enterprise
) || c
== '@') {
310 ret
= KRB5_PARSE_MALFORMED
;
311 krb5_set_error_message(context
, ret
,
312 N_("part after realm in principal name", ""));
315 comp
[n
] = malloc(q
- start
+ 1);
316 if (comp
[n
] == NULL
) {
317 ret
= krb5_enomem(context
);
320 memcpy(comp
[n
], start
, q
- start
);
321 comp
[n
][q
- start
] = 0;
329 if (got_realm
&& (c
== '/' || c
== '\0')) {
330 ret
= KRB5_PARSE_MALFORMED
;
331 krb5_set_error_message(context
, ret
,
332 N_("part after realm in principal name", ""));
339 ret
= KRB5_PARSE_MALFORMED
;
340 krb5_set_error_message(context
, ret
,
341 N_("realm found in 'short' principal "
342 "expected to be without one", ""));
346 realm
= malloc(q
- start
+ 1);
348 ret
= krb5_enomem(context
);
351 memcpy(realm
, start
, q
- start
);
352 realm
[q
- start
] = 0;
356 ret
= KRB5_PARSE_MALFORMED
;
357 krb5_set_error_message(context
, ret
,
358 N_("realm NOT found in principal "
359 "expected to be with one", ""));
361 } else if (no_realm
|| no_def_realm
) {
364 ret
= krb5_get_default_realm(context
, &realm
);
369 comp
[n
] = malloc(q
- start
+ 1);
370 if (comp
[n
] == NULL
) {
371 ret
= krb5_enomem(context
);
374 memcpy(comp
[n
], start
, q
- start
);
375 comp
[n
][q
- start
] = 0;
378 *principal
= calloc(1, sizeof(**principal
));
379 if (*principal
== NULL
) {
380 ret
= krb5_enomem(context
);
383 (*principal
)->name
.name_string
.val
= comp
;
384 princ_num_comp(*principal
) = n
;
385 (*principal
)->realm
= realm
;
387 princ_type(*principal
) = KRB5_NT_ENTERPRISE_PRINCIPAL
;
389 set_default_princ_type(*principal
, KRB5_NT_PRINCIPAL
);
397 krb5_free_default_realm(context
, realm
);
403 * Parse a name into a krb5_principal structure
405 * @param context Kerberos 5 context
406 * @param name name to parse into a Kerberos principal
407 * @param principal returned principal, free with krb5_free_principal().
409 * @return An krb5 error code, see krb5_get_error_message().
411 * @ingroup krb5_principal
414 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
415 krb5_parse_name(krb5_context context
,
417 krb5_principal
*principal
)
419 return krb5_parse_name_flags(context
, name
, 0, principal
);
422 static const char quotable_chars
[] = " \n\t\b\\/@";
423 static const char replace_chars
[] = " ntb\\/@";
425 #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
428 quote_string(const char *s
, char *out
, size_t idx
, size_t len
, int display
)
431 for(p
= s
; *p
&& idx
< len
; p
++){
432 q
= strchr(quotable_chars
, *p
);
434 add_char(out
, idx
, len
, replace_chars
[q
- quotable_chars
]);
436 add_char(out
, idx
, len
, '\\');
437 add_char(out
, idx
, len
, replace_chars
[q
- quotable_chars
]);
439 add_char(out
, idx
, len
, *p
);
447 static krb5_error_code
448 unparse_name_fixed(krb5_context context
,
449 krb5_const_principal principal
,
456 int short_form
= (flags
& KRB5_PRINCIPAL_UNPARSE_SHORT
) != 0;
457 int no_realm
= (flags
& KRB5_PRINCIPAL_UNPARSE_NO_REALM
) != 0;
458 int display
= (flags
& KRB5_PRINCIPAL_UNPARSE_DISPLAY
) != 0;
461 krb5_set_error_message(context
, EINVAL
,
462 N_("Invalid name buffer, "
463 "can't unparse", ""));
468 krb5_set_error_message(context
, ERANGE
,
469 N_("Invalid name buffer length, "
470 "can't unparse", ""));
476 if (!no_realm
&& princ_realm(principal
) == NULL
) {
477 krb5_set_error_message(context
, ERANGE
,
478 N_("Realm missing from principal, "
479 "can't unparse", ""));
483 for(i
= 0; i
< princ_num_comp(principal
); i
++){
485 add_char(name
, idx
, len
, '/');
486 idx
= quote_string(princ_ncomp(principal
, i
), name
, idx
, len
, display
);
488 krb5_set_error_message(context
, ERANGE
,
489 N_("Out of space printing principal", ""));
493 /* add realm if different from default realm */
494 if(short_form
&& !no_realm
) {
497 ret
= krb5_get_default_realm(context
, &r
);
500 if(strcmp(princ_realm(principal
), r
) != 0)
502 krb5_free_default_realm(context
, r
);
504 if(!short_form
&& !no_realm
) {
505 add_char(name
, idx
, len
, '@');
506 idx
= quote_string(princ_realm(principal
), name
, idx
, len
, display
);
508 krb5_set_error_message(context
, ERANGE
,
509 N_("Out of space printing "
510 "realm of principal", ""));
518 * Unparse the principal name to a fixed buffer
520 * @param context A Kerberos context.
521 * @param principal principal to unparse
522 * @param name buffer to write name to
523 * @param len length of buffer
525 * @return An krb5 error code, see krb5_get_error_message().
527 * @ingroup krb5_principal
530 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
531 krb5_unparse_name_fixed(krb5_context context
,
532 krb5_const_principal principal
,
536 return unparse_name_fixed(context
, principal
, name
, len
, 0);
540 * Unparse the principal name to a fixed buffer. The realm is skipped
541 * if its a default realm.
543 * @param context A Kerberos context.
544 * @param principal principal to unparse
545 * @param name buffer to write name to
546 * @param len length of buffer
548 * @return An krb5 error code, see krb5_get_error_message().
550 * @ingroup krb5_principal
553 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
554 krb5_unparse_name_fixed_short(krb5_context context
,
555 krb5_const_principal principal
,
559 return unparse_name_fixed(context
, principal
, name
, len
,
560 KRB5_PRINCIPAL_UNPARSE_SHORT
);
564 * Unparse the principal name with unparse flags to a fixed buffer.
566 * @param context A Kerberos context.
567 * @param principal principal to unparse
568 * @param flags unparse flags
569 * @param name buffer to write name to
570 * @param len length of buffer
572 * @return An krb5 error code, see krb5_get_error_message().
574 * @ingroup krb5_principal
577 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
578 krb5_unparse_name_fixed_flags(krb5_context context
,
579 krb5_const_principal principal
,
584 return unparse_name_fixed(context
, principal
, name
, len
, flags
);
587 static krb5_error_code
588 unparse_name(krb5_context context
,
589 krb5_const_principal principal
,
593 size_t len
= 0, plen
;
597 if (princ_realm(principal
)) {
598 plen
= strlen(princ_realm(principal
));
600 if(strcspn(princ_realm(principal
), quotable_chars
) == plen
)
606 for(i
= 0; i
< princ_num_comp(principal
); i
++){
607 plen
= strlen(princ_ncomp(principal
, i
));
608 if(strcspn(princ_ncomp(principal
, i
), quotable_chars
) == plen
)
617 return krb5_enomem(context
);
618 ret
= unparse_name_fixed(context
, principal
, *name
, len
, flags
);
627 * Unparse the Kerberos name into a string
629 * @param context Kerberos 5 context
630 * @param principal principal to query
631 * @param name resulting string, free with krb5_xfree()
633 * @return An krb5 error code, see krb5_get_error_message().
635 * @ingroup krb5_principal
638 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
639 krb5_unparse_name(krb5_context context
,
640 krb5_const_principal principal
,
643 return unparse_name(context
, principal
, name
, 0);
647 * Unparse the Kerberos name into a string
649 * @param context Kerberos 5 context
650 * @param principal principal to query
651 * @param flags flag to determine the behavior
652 * @param name resulting string, free with krb5_xfree()
654 * @return An krb5 error code, see krb5_get_error_message().
656 * @ingroup krb5_principal
659 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
660 krb5_unparse_name_flags(krb5_context context
,
661 krb5_const_principal principal
,
665 return unparse_name(context
, principal
, name
, flags
);
669 * Unparse the principal name to a allocated buffer. The realm is
670 * skipped if its a default realm.
672 * @param context A Kerberos context.
673 * @param principal principal to unparse
674 * @param name returned buffer, free with krb5_xfree()
676 * @return An krb5 error code, see krb5_get_error_message().
678 * @ingroup krb5_principal
681 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
682 krb5_unparse_name_short(krb5_context context
,
683 krb5_const_principal principal
,
686 return unparse_name(context
, principal
, name
, KRB5_PRINCIPAL_UNPARSE_SHORT
);
690 * Set a new realm for a principal, and as a side-effect free the
693 * @param context A Kerberos context.
694 * @param principal principal set the realm for
695 * @param realm the new realm to set
697 * @return An krb5 error code, see krb5_get_error_message().
699 * @ingroup krb5_principal
702 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
703 krb5_principal_set_realm(krb5_context context
,
704 krb5_principal principal
,
705 krb5_const_realm realm
)
707 if (princ_realm(principal
))
708 free(princ_realm(principal
));
711 princ_realm(principal
) = NULL
;
712 else if ((princ_realm(principal
) = strdup(realm
)) == NULL
)
713 return krb5_enomem(context
);
717 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
718 krb5_principal_set_comp_string(krb5_context context
,
719 krb5_principal principal
,
721 const char *component
)
726 for (i
= princ_num_comp(principal
); i
<= k
; i
++)
727 append_component(context
, principal
, "", 0);
728 s
= strdup(component
);
730 return krb5_enomem(context
);
731 free(princ_ncomp(principal
, k
));
732 princ_ncomp(principal
, k
) = s
;
736 #ifndef HEIMDAL_SMALLER
738 * Build a principal using vararg style building
740 * @param context A Kerberos context.
741 * @param principal returned principal
742 * @param rlen length of realm
743 * @param realm realm name
744 * @param ... a list of components ended with NULL.
746 * @return An krb5 error code, see krb5_get_error_message().
748 * @ingroup krb5_principal
751 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
752 krb5_build_principal(krb5_context context
,
753 krb5_principal
*principal
,
755 krb5_const_realm realm
,
761 ret
= krb5_build_principal_va(context
, principal
, rlen
, realm
, ap
);
768 * Build a principal using vararg style building
770 * @param context A Kerberos context.
771 * @param principal returned principal
772 * @param realm realm name
773 * @param ... a list of components ended with NULL.
775 * @return An krb5 error code, see krb5_get_error_message().
777 * @ingroup krb5_principal
780 /* coverity[+alloc : arg-*1] */
781 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
782 krb5_make_principal(krb5_context context
,
783 krb5_principal
*principal
,
784 krb5_const_realm realm
,
791 ret
= krb5_get_default_realm(context
, &r
);
797 ret
= krb5_build_principal_va(context
, principal
, strlen(realm
), realm
, ap
);
800 krb5_free_default_realm(context
, r
);
804 static krb5_error_code
805 append_component(krb5_context context
, krb5_principal p
,
809 heim_general_string
*tmp
;
810 size_t len
= princ_num_comp(p
);
812 tmp
= realloc(princ_comp(p
), (len
+ 1) * sizeof(*tmp
));
814 return krb5_enomem(context
);
816 princ_ncomp(p
, len
) = malloc(comp_len
+ 1);
817 if (princ_ncomp(p
, len
) == NULL
)
818 return krb5_enomem(context
);
819 memcpy (princ_ncomp(p
, len
), comp
, comp_len
);
820 princ_ncomp(p
, len
)[comp_len
] = '\0';
825 static krb5_error_code
826 va_ext_princ(krb5_context context
, krb5_principal p
, va_list ap
)
828 krb5_error_code ret
= 0;
834 if ((len
= va_arg(ap
, int)) == 0)
836 s
= va_arg(ap
, const char*);
837 if ((ret
= append_component(context
, p
, s
, len
)) != 0)
843 static krb5_error_code
844 va_princ(krb5_context context
, krb5_principal p
, va_list ap
)
846 krb5_error_code ret
= 0;
851 if ((s
= va_arg(ap
, const char*)) == NULL
)
853 if ((ret
= append_component(context
, p
, s
, strlen(s
))) != 0)
859 static krb5_error_code
860 build_principal(krb5_context context
,
861 krb5_principal
*principal
,
863 krb5_const_realm realm
,
864 krb5_error_code (*func
)(krb5_context
, krb5_principal
, va_list),
871 p
= calloc(1, sizeof(*p
));
873 return krb5_enomem(context
);
875 princ_realm(p
) = strdup(realm
);
876 if (p
->realm
== NULL
) {
878 return krb5_enomem(context
);
881 ret
= func(context
, p
, ap
);
884 set_default_princ_type(p
, KRB5_NT_PRINCIPAL
);
886 krb5_free_principal(context
, p
);
890 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
891 krb5_build_principal_va(krb5_context context
,
892 krb5_principal
*principal
,
894 krb5_const_realm realm
,
897 return build_principal(context
, principal
, rlen
, realm
, va_princ
, ap
);
900 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
901 krb5_build_principal_va_ext(krb5_context context
,
902 krb5_principal
*principal
,
904 krb5_const_realm realm
,
907 return build_principal(context
, principal
, rlen
, realm
, va_ext_princ
, ap
);
911 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
912 krb5_build_principal_ext(krb5_context context
,
913 krb5_principal
*principal
,
915 krb5_const_realm realm
,
921 ret
= krb5_build_principal_va_ext(context
, principal
, rlen
, realm
, ap
);
929 * @param context A Kerberos context.
930 * @param inprinc principal to copy
931 * @param outprinc copied principal, free with krb5_free_principal()
933 * @return An krb5 error code, see krb5_get_error_message().
935 * @ingroup krb5_principal
939 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
940 krb5_copy_principal(krb5_context context
,
941 krb5_const_principal inprinc
,
942 krb5_principal
*outprinc
)
944 krb5_principal p
= malloc(sizeof(*p
));
946 return krb5_enomem(context
);
947 if(copy_Principal(inprinc
, p
)) {
949 return krb5_enomem(context
);
956 * Return TRUE iff princ1 == princ2 (without considering the realm)
958 * @param context Kerberos 5 context
959 * @param princ1 first principal to compare
960 * @param princ2 second principal to compare
962 * @return non zero if equal, 0 if not
964 * @ingroup krb5_principal
965 * @see krb5_principal_compare()
966 * @see krb5_realm_compare()
969 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
970 krb5_principal_compare_any_realm(krb5_context context
,
971 krb5_const_principal princ1
,
972 krb5_const_principal princ2
)
975 if(princ_num_comp(princ1
) != princ_num_comp(princ2
))
977 for(i
= 0; i
< princ_num_comp(princ1
); i
++){
978 if(strcmp(princ_ncomp(princ1
, i
), princ_ncomp(princ2
, i
)) != 0)
984 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
985 _krb5_principal_compare_PrincipalName(krb5_context context
,
986 krb5_const_principal princ1
,
987 PrincipalName
*princ2
)
990 if (princ_num_comp(princ1
) != princ2
->name_string
.len
)
992 for(i
= 0; i
< princ_num_comp(princ1
); i
++){
993 if(strcmp(princ_ncomp(princ1
, i
), princ2
->name_string
.val
[i
]) != 0)
1001 * Compares the two principals, including realm of the principals and returns
1002 * TRUE if they are the same and FALSE if not.
1004 * @param context Kerberos 5 context
1005 * @param princ1 first principal to compare
1006 * @param princ2 second principal to compare
1008 * @ingroup krb5_principal
1009 * @see krb5_principal_compare_any_realm()
1010 * @see krb5_realm_compare()
1014 * return TRUE iff princ1 == princ2
1017 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1018 krb5_principal_compare(krb5_context context
,
1019 krb5_const_principal princ1
,
1020 krb5_const_principal princ2
)
1022 if (!krb5_realm_compare(context
, princ1
, princ2
))
1024 return krb5_principal_compare_any_realm(context
, princ1
, princ2
);
1028 * return TRUE iff realm(princ1) == realm(princ2)
1030 * @param context Kerberos 5 context
1031 * @param princ1 first principal to compare
1032 * @param princ2 second principal to compare
1034 * @ingroup krb5_principal
1035 * @see krb5_principal_compare_any_realm()
1036 * @see krb5_principal_compare()
1039 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1040 krb5_realm_compare(krb5_context context
,
1041 krb5_const_principal princ1
,
1042 krb5_const_principal princ2
)
1044 return strcmp(princ_realm(princ1
), princ_realm(princ2
)) == 0;
1048 * return TRUE iff princ matches pattern
1050 * @ingroup krb5_principal
1053 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1054 krb5_principal_match(krb5_context context
,
1055 krb5_const_principal princ
,
1056 krb5_const_principal pattern
)
1059 if(princ_num_comp(princ
) != princ_num_comp(pattern
))
1061 if(fnmatch(princ_realm(pattern
), princ_realm(princ
), 0) != 0)
1063 for(i
= 0; i
< princ_num_comp(princ
); i
++){
1064 if(fnmatch(princ_ncomp(pattern
, i
), princ_ncomp(princ
, i
), 0) != 0)
1071 * This is the original krb5_sname_to_principal(), renamed to be a
1072 * helper of the new one.
1074 static krb5_error_code
1075 krb5_sname_to_principal_old(krb5_context context
,
1077 const char *hostname
,
1080 krb5_principal
*ret_princ
)
1082 krb5_error_code ret
;
1083 char localhost
[MAXHOSTNAMELEN
];
1084 char **realms
= NULL
, *host
= NULL
;
1086 if(type
!= KRB5_NT_SRV_HST
&& type
!= KRB5_NT_UNKNOWN
) {
1087 krb5_set_error_message(context
, KRB5_SNAME_UNSUPP_NAMETYPE
,
1088 N_("unsupported name type %d", ""),
1090 return KRB5_SNAME_UNSUPP_NAMETYPE
;
1092 if(hostname
== NULL
) {
1093 ret
= gethostname(localhost
, sizeof(localhost
) - 1);
1096 krb5_set_error_message(context
, ret
,
1097 N_("Failed to get local hostname", ""));
1100 localhost
[sizeof(localhost
) - 1] = '\0';
1101 hostname
= localhost
;
1105 if(type
== KRB5_NT_SRV_HST
) {
1107 ret
= krb5_expand_hostname(context
, hostname
, &host
);
1109 ret
= krb5_expand_hostname_realms(context
, hostname
,
1117 } else if (!realm
) {
1118 ret
= krb5_get_host_realm(context
, hostname
, &realms
);
1124 ret
= krb5_make_principal(context
, ret_princ
, realm
, sname
,
1129 krb5_free_host_realm(context
, realms
);
1133 static const struct {
1137 { "UNKNOWN", KRB5_NT_UNKNOWN
},
1138 { "PRINCIPAL", KRB5_NT_PRINCIPAL
},
1139 { "SRV_INST", KRB5_NT_SRV_INST
},
1140 { "SRV_HST", KRB5_NT_SRV_HST
},
1141 { "SRV_XHST", KRB5_NT_SRV_XHST
},
1142 { "UID", KRB5_NT_UID
},
1143 { "X500_PRINCIPAL", KRB5_NT_X500_PRINCIPAL
},
1144 { "SMTP_NAME", KRB5_NT_SMTP_NAME
},
1145 { "ENTERPRISE_PRINCIPAL", KRB5_NT_ENTERPRISE_PRINCIPAL
},
1146 { "WELLKNOWN", KRB5_NT_WELLKNOWN
},
1147 { "SRV_HST_DOMAIN", KRB5_NT_SRV_HST_DOMAIN
},
1148 { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID
},
1149 { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL
},
1150 { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID
},
1151 { "SRV_HST_NEEDS_CANON", KRB5_NT_SRV_HST_NEEDS_CANON
},
1156 * Parse nametype string and return a nametype integer
1158 * @ingroup krb5_principal
1161 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1162 krb5_parse_nametype(krb5_context context
, const char *str
, int32_t *nametype
)
1166 for(i
= 0; nametypes
[i
].type
; i
++) {
1167 if (strcasecmp(nametypes
[i
].type
, str
) == 0) {
1168 *nametype
= nametypes
[i
].value
;
1172 krb5_set_error_message(context
, KRB5_PARSE_MALFORMED
,
1173 N_("Failed to find name type %s", ""), str
);
1174 return KRB5_PARSE_MALFORMED
;
1178 * Returns true if name is Kerberos NULL name
1180 * @ingroup krb5_principal
1183 krb5_boolean KRB5_LIB_FUNCTION
1184 krb5_principal_is_null(krb5_context context
, krb5_const_principal principal
)
1186 if (principal
->name
.name_type
== KRB5_NT_WELLKNOWN
&&
1187 principal
->name
.name_string
.len
== 2 &&
1188 strcmp(principal
->name
.name_string
.val
[0], "WELLKNOWN") == 0 &&
1189 strcmp(principal
->name
.name_string
.val
[1], "NULL") == 0)
1194 const char _krb5_wellknown_lkdc
[] = "WELLKNOWN:COM.APPLE.LKDC";
1195 static const char lkdc_prefix
[] = "LKDC:";
1198 * Returns true if name is Kerberos an LKDC realm
1200 * @ingroup krb5_principal
1203 krb5_boolean KRB5_LIB_FUNCTION
1204 krb5_realm_is_lkdc(const char *realm
)
1207 return strncmp(realm
, lkdc_prefix
, sizeof(lkdc_prefix
)-1) == 0 ||
1208 strncmp(realm
, _krb5_wellknown_lkdc
, sizeof(_krb5_wellknown_lkdc
) - 1) == 0;
1212 * Returns true if name is Kerberos an LKDC realm
1214 * @ingroup krb5_principal
1217 krb5_boolean KRB5_LIB_FUNCTION
1218 krb5_principal_is_lkdc(krb5_context context
, krb5_const_principal principal
)
1220 return krb5_realm_is_lkdc(principal
->realm
);
1224 * Returns true if name is Kerberos an LKDC realm
1226 * @ingroup krb5_principal
1229 krb5_boolean KRB5_LIB_FUNCTION
1230 krb5_principal_is_pku2u(krb5_context context
, krb5_const_principal principal
)
1232 return strcmp(principal
->realm
, KRB5_PKU2U_REALM_NAME
) == 0;
1236 * Check if the cname part of the principal is a krbtgt principal
1238 * @ingroup krb5_principal
1241 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1242 krb5_principal_is_krbtgt(krb5_context context
, krb5_const_principal p
)
1244 return p
->name
.name_string
.len
== 2 &&
1245 strcmp(p
->name
.name_string
.val
[0], KRB5_TGS_NAME
) == 0;
1249 * Returns true iff name is an WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE
1251 * @ingroup krb5_principal
1254 krb5_boolean KRB5_LIB_FUNCTION
1255 krb5_principal_is_gss_hostbased_service(krb5_context context
,
1256 krb5_const_principal principal
)
1258 if (principal
== NULL
)
1260 if (principal
->name
.name_string
.len
!= 2)
1262 if (strcmp(principal
->name
.name_string
.val
[1], KRB5_GSS_HOSTBASED_SERVICE_NAME
) != 0)
1268 * Check if the cname part of the principal is a initial or renewed krbtgt principal
1270 * @ingroup krb5_principal
1273 krb5_boolean KRB5_LIB_FUNCTION
1274 krb5_principal_is_root_krbtgt(krb5_context context
, krb5_const_principal p
)
1276 return p
->name
.name_string
.len
== 2 &&
1277 strcmp(p
->name
.name_string
.val
[0], KRB5_TGS_NAME
) == 0 &&
1278 strcmp(p
->name
.name_string
.val
[1], p
->realm
) == 0;
1282 * Returns true iff name is WELLKNOWN/ANONYMOUS
1284 * @ingroup krb5_principal
1287 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1288 krb5_principal_is_anonymous(krb5_context context
,
1289 krb5_const_principal p
,
1293 * Heimdal versions 7.5 and below left the name-type at KRB5_NT_PRINCIPAL
1294 * even with anonymous pkinit responses. To retain interoperability with
1295 * legacy KDCs, the name-type is not checked by the client after requesting
1296 * a fully anonymous ticket.
1298 if (!(flags
& KRB5_ANON_IGNORE_NAME_TYPE
) &&
1299 p
->name
.name_type
!= KRB5_NT_WELLKNOWN
&&
1300 p
->name
.name_type
!= KRB5_NT_UNKNOWN
)
1303 if (p
->name
.name_string
.len
!= 2 ||
1304 strcmp(p
->name
.name_string
.val
[0], KRB5_WELLKNOWN_NAME
) != 0 ||
1305 strcmp(p
->name
.name_string
.val
[1], KRB5_ANON_NAME
) != 0)
1309 * While unauthenticated clients SHOULD get "WELLKNOWN:ANONYMOUS" as their
1310 * realm, Heimdal KDCs prior to 7.0 returned the requested realm. While
1311 * such tickets might lead *servers* to unwittingly grant access to fully
1312 * anonymous clients, trusting that the client was authenticated to the
1313 * realm in question, doing it right is the KDC's job, the client should
1314 * not refuse such a ticket.
1316 * If we ever do decide to enforce WELLKNOWN:ANONYMOUS for unauthenticated
1317 * clients, it is essential that calls that pass KRB5_ANON_MATCH_ANY still
1318 * ignore the realm, as in that case either case matches one of the two
1319 * possible conditions.
1321 if (flags
& KRB5_ANON_MATCH_UNAUTHENTICATED
)
1325 * Finally, authenticated clients that asked to be only anonymized do
1326 * legitimately expect a non-anon realm.
1328 return strcmp(p
->realm
, KRB5_ANON_REALM
) != 0;
1332 * Returns true iff name is WELLKNOWN/FEDERATED
1334 * @ingroup krb5_principal
1337 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1338 krb5_principal_is_federated(krb5_context context
,
1339 krb5_const_principal p
)
1341 if (p
->name
.name_type
!= KRB5_NT_WELLKNOWN
&&
1342 p
->name
.name_type
!= KRB5_NT_UNKNOWN
)
1345 if (p
->name
.name_string
.len
!= 2 ||
1346 strcmp(p
->name
.name_string
.val
[0], KRB5_WELLKNOWN_NAME
) != 0 ||
1347 strcmp(p
->name
.name_string
.val
[1], KRB5_FEDERATED_NAME
) != 0)
1354 tolower_ascii(int c
)
1356 if (c
>= 'A' && c
<= 'Z')
1357 return 'a' + (c
- 'A');
1361 typedef enum krb5_name_canon_rule_type
{
1362 KRB5_NCRT_BOGUS
= 0,
1366 } krb5_name_canon_rule_type
;
1369 #define MAXDOTS UINT8_MAX
1371 #define MAXDOTS (255U)
1374 #define MAXORDER UINT16_MAX
1376 #define MAXORDER (65535U)
1379 struct krb5_name_canon_rule_data
{
1380 krb5_name_canon_rule_type type
;
1381 krb5_name_canon_rule_options options
;
1382 uint8_t mindots
; /* match this many dots or more */
1383 uint8_t maxdots
; /* match no more than this many dots */
1384 uint16_t explicit_order
; /* given order */
1385 uint16_t order
; /* actual order */
1386 char *match_domain
; /* match this stem */
1387 char *match_realm
; /* match this realm */
1388 char *domain
; /* qualify with this domain */
1389 char *realm
; /* qualify with this realm */
1393 * Create a principal for the given service running on the given
1394 * hostname. If KRB5_NT_SRV_HST is used, the hostname is canonicalized
1395 * according the configured name canonicalization rules, with
1396 * canonicalization delayed in some cases. One rule involves DNS, which
1397 * is insecure unless DNSSEC is used, but we don't use DNSSEC-capable
1398 * resolver APIs here, so that if DNSSEC is used we wouldn't know it.
1400 * Canonicalization is immediate (not delayed) only when there is only
1401 * one canonicalization rule and that rule indicates that we should do a
1402 * host lookup by name (i.e., DNS).
1404 * @param context A Kerberos context.
1405 * @param hostname hostname to use
1406 * @param sname Service name to use
1407 * @param type name type of principal, use KRB5_NT_SRV_HST or KRB5_NT_UNKNOWN.
1408 * @param ret_princ return principal, free with krb5_free_principal().
1410 * @return An krb5 error code, see krb5_get_error_message().
1412 * @ingroup krb5_principal
1415 /* coverity[+alloc : arg-*4] */
1416 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1417 krb5_sname_to_principal(krb5_context context
,
1418 const char *hostname
,
1421 krb5_principal
*ret_princ
)
1423 char *realm
, *remote_host
;
1424 krb5_error_code ret
;
1426 char localname
[MAXHOSTNAMELEN
];
1430 if ((type
!= KRB5_NT_UNKNOWN
) &&
1431 (type
!= KRB5_NT_SRV_HST
))
1432 return KRB5_SNAME_UNSUPP_NAMETYPE
;
1434 /* if hostname is NULL, use local hostname */
1435 if (hostname
== NULL
) {
1436 if (gethostname(localname
, MAXHOSTNAMELEN
))
1438 hostname
= localname
;
1441 /* if sname is NULL, use "host" */
1445 remote_host
= strdup(hostname
);
1446 if (remote_host
== NULL
)
1447 return krb5_enomem(context
);
1449 if (type
== KRB5_NT_SRV_HST
) {
1450 krb5_name_canon_rule rules
;
1452 /* Lower-case the hostname, because that's the convention */
1453 for (cp
= remote_host
; *cp
; cp
++)
1454 if (isupper((int) (*cp
)))
1455 *cp
= tolower((int) (*cp
));
1458 * If there is only one name canon rule and it says to
1459 * canonicalize the old way, do that now, as we used to.
1461 ret
= _krb5_get_name_canon_rules(context
, &rules
);
1463 _krb5_debug(context
, 5, "Failed to get name canon rules: ret = %d",
1468 if (rules
[0].type
== KRB5_NCRT_NSS
&&
1469 rules
[1].type
== KRB5_NCRT_BOGUS
) {
1470 _krb5_debug(context
, 5, "Using nss for name canon immediately");
1471 ret
= krb5_sname_to_principal_old(context
, rules
[0].realm
,
1473 KRB5_NT_SRV_HST
, ret_princ
);
1479 /* Remove trailing dots */
1480 if (remote_host
[0]) {
1481 for (cp
= remote_host
+ strlen(remote_host
)-1;
1482 *cp
== '.' && cp
> remote_host
;
1488 realm
= ""; /* "Referral realm" */
1490 ret
= krb5_build_principal(context
, ret_princ
, strlen(realm
),
1491 realm
, sname
, remote_host
,
1494 if (ret
== 0 && type
== KRB5_NT_SRV_HST
) {
1496 * Hostname canonicalization is done elsewhere (in
1497 * krb5_get_credentials() and krb5_kt_get_entry()).
1499 * We overload the name type to indicate to those functions that
1500 * this principal name requires canonicalization.
1502 * We can't use the empty realm to denote the need to
1503 * canonicalize the hostname too: it would mean that users who
1504 * want to assert knowledge of a service's realm must also know
1505 * the canonical hostname, but in practice they don't.
1507 (*ret_princ
)->name
.name_type
= KRB5_NT_SRV_HST_NEEDS_CANON
;
1509 _krb5_debug(context
, 5, "Building a delayed canon principal for %s/%s@",
1510 sname
, remote_host
);
1518 tolower_str(char *s
)
1520 for (; *s
!= '\0'; s
++) {
1522 *s
= tolower_ascii(*s
);
1526 static krb5_error_code
1527 rule_parse_token(krb5_context context
, krb5_name_canon_rule rule
,
1531 int needs_type
= rule
->type
== KRB5_NCRT_BOGUS
;
1534 * Rules consist of a sequence of tokens, some of which indicate
1535 * what type of rule the rule is, and some of which set rule options
1536 * or ancilliary data. Last rule type token wins.
1539 /* Rule type tokens: */
1540 if (needs_type
&& strcmp(tok
, "as-is") == 0) {
1541 rule
->type
= KRB5_NCRT_AS_IS
;
1542 } else if (needs_type
&& strcmp(tok
, "qualify") == 0) {
1543 rule
->type
= KRB5_NCRT_QUALIFY
;
1544 } else if (needs_type
&& strcmp(tok
, "nss") == 0) {
1545 rule
->type
= KRB5_NCRT_NSS
;
1547 } else if (strcmp(tok
, "use_fast") == 0) {
1548 rule
->options
|= KRB5_NCRO_USE_FAST
;
1549 } else if (strcmp(tok
, "use_dnssec") == 0) {
1550 rule
->options
|= KRB5_NCRO_USE_DNSSEC
;
1551 } else if (strcmp(tok
, "ccache_only") == 0) {
1552 rule
->options
|= KRB5_NCRO_GC_ONLY
;
1553 } else if (strcmp(tok
, "no_referrals") == 0) {
1554 rule
->options
|= KRB5_NCRO_NO_REFERRALS
;
1555 } else if (strcmp(tok
, "use_referrals") == 0) {
1556 rule
->options
&= ~KRB5_NCRO_NO_REFERRALS
;
1557 if (rule
->realm
== NULL
) {
1558 rule
->realm
= strdup("");
1559 if (rule
->realm
== NULL
)
1560 return krb5_enomem(context
);
1562 } else if (strcmp(tok
, "lookup_realm") == 0) {
1563 rule
->options
|= KRB5_NCRO_LOOKUP_REALM
;
1566 /* Rule ancilliary data: */
1567 } else if (strncmp(tok
, "domain=", strlen("domain=")) == 0) {
1569 rule
->domain
= strdup(tok
+ strlen("domain="));
1570 if (rule
->domain
== NULL
)
1571 return krb5_enomem(context
);
1572 tolower_str(rule
->domain
);
1573 } else if (strncmp(tok
, "realm=", strlen("realm=")) == 0) {
1575 rule
->realm
= strdup(tok
+ strlen("realm="));
1576 if (rule
->realm
== NULL
)
1577 return krb5_enomem(context
);
1578 } else if (strncmp(tok
, "match_domain=", strlen("match_domain=")) == 0) {
1579 free(rule
->match_domain
);
1580 rule
->match_domain
= strdup(tok
+ strlen("match_domain="));
1581 if (rule
->match_domain
== NULL
)
1582 return krb5_enomem(context
);
1583 tolower_str(rule
->match_domain
);
1584 } else if (strncmp(tok
, "match_realm=", strlen("match_realm=")) == 0) {
1585 free(rule
->match_realm
);
1586 rule
->match_realm
= strdup(tok
+ strlen("match_realm="));
1587 if (rule
->match_realm
== NULL
)
1588 return krb5_enomem(context
);
1589 } else if (strncmp(tok
, "mindots=", strlen("mindots=")) == 0) {
1591 n
= strtol(tok
+ strlen("mindots="), NULL
, 10);
1592 if (errno
== 0 && n
> 0 && n
<= MAXDOTS
)
1594 } else if (strncmp(tok
, "maxdots=", strlen("maxdots=")) == 0) {
1596 n
= strtol(tok
+ strlen("maxdots="), NULL
, 10);
1597 if (errno
== 0 && n
> 0 && n
<= MAXDOTS
)
1599 } else if (strncmp(tok
, "order=", strlen("order=")) == 0) {
1601 n
= strtol(tok
+ strlen("order="), NULL
, 10);
1602 if (errno
== 0 && n
> 0 && n
<= MAXORDER
)
1603 rule
->explicit_order
= n
;
1605 _krb5_debug(context
, 5,
1606 "Unrecognized name canonicalization rule token %s", tok
);
1613 rule_cmp(const void *a
, const void *b
)
1615 krb5_const_name_canon_rule left
= a
;
1616 krb5_const_name_canon_rule right
= b
;
1618 if (left
->type
== KRB5_NCRT_BOGUS
&&
1619 right
->type
== KRB5_NCRT_BOGUS
)
1621 if (left
->type
== KRB5_NCRT_BOGUS
)
1623 if (right
->type
== KRB5_NCRT_BOGUS
)
1625 if (left
->explicit_order
< right
->explicit_order
)
1627 if (left
->explicit_order
> right
->explicit_order
)
1629 return left
->order
- right
->order
;
1632 static krb5_error_code
1633 parse_name_canon_rules(krb5_context context
, char **rulestrs
,
1634 krb5_name_canon_rule
*rules
)
1636 krb5_error_code ret
;
1643 krb5_name_canon_rule r
;
1647 for (n
=0, cpp
= rulestrs
; cpp
!= NULL
&& *cpp
!= NULL
; cpp
++)
1650 n
+= 2; /* Always at least one rule; two for the default case */
1652 if ((r
= calloc(n
, sizeof (*r
))) == NULL
)
1653 return krb5_enomem(context
);
1655 for (k
= 0; k
< n
; k
++) {
1656 r
[k
].type
= KRB5_NCRT_BOGUS
;
1657 r
[k
].match_domain
= NULL
;
1658 r
[k
].match_realm
= NULL
;
1663 for (i
= 0, k
= 0; i
< n
&& rulestrs
!= NULL
&& rulestrs
[i
] != NULL
; i
++) {
1665 r
[k
].explicit_order
= MAXORDER
; /* mark order, see below */
1666 r
[k
].maxdots
= MAXDOTS
;
1667 r
[k
].order
= k
; /* default order */
1669 /* Tokenize and parse value */
1672 cp
= strchr(cp
, ':'); /* XXX use strtok_r() */
1674 *cp
++ = '\0'; /* delimit token */
1675 ret
= rule_parse_token(context
, &r
[k
], tok
);
1676 if (ret
== EINVAL
) {
1677 r
[k
].type
= KRB5_NCRT_BOGUS
;
1681 _krb5_free_name_canon_rules(context
, r
);
1684 } while (cp
&& *cp
);
1685 if (r
[k
].explicit_order
!= MAXORDER
)
1688 /* Validate parsed rule */
1689 if (r
[k
].type
== KRB5_NCRT_BOGUS
||
1690 (r
[k
].type
== KRB5_NCRT_QUALIFY
&& !r
[k
].domain
) ||
1691 (r
[k
].type
== KRB5_NCRT_NSS
&& r
[k
].domain
)) {
1692 /* Invalid rule; mark it so and clean up */
1693 r
[k
].type
= KRB5_NCRT_BOGUS
;
1694 free(r
[k
].match_domain
);
1695 free(r
[k
].match_realm
);
1700 r
[k
].match_domain
= NULL
;
1701 r
[k
].match_realm
= NULL
;
1702 _krb5_debug(context
, 5,
1703 "Ignoring invalid name canonicalization rule %lu",
1707 k
++; /* good rule */
1712 * Note that we make make this a stable sort by using appareance
1713 * and explicit order.
1715 qsort(r
, n
, sizeof(r
[0]), rule_cmp
);
1718 if (r
[0].type
== KRB5_NCRT_BOGUS
) {
1719 /* No rules, or no valid rules */
1720 r
[0].type
= KRB5_NCRT_NSS
;
1724 return 0; /* We don't communicate bad rule errors here */
1728 * This exists only because the hostname canonicalization behavior in Heimdal
1729 * (and other implementations of Kerberos) has been to use getaddrinfo(),
1730 * unsafe though it is, for ages. We can't fix it in one day.
1733 make_rules_safe(krb5_context context
, krb5_name_canon_rule rules
)
1736 * If the only rule were to use the name service (getaddrinfo()) then we're
1737 * bound to fail. We could try to convert that rule to an as-is rule, but
1738 * when we do get a validating resolver we'd be unhappy that we did such a
1739 * conversion. Better let the user get failures and make them think about
1740 * their naming rules.
1744 for (; rules
[0].type
!= KRB5_NCRT_BOGUS
; rules
++) {
1745 if (rules
->type
== KRB5_NCRT_NSS
)
1746 rules
->options
|= KRB5_NCRO_USE_DNSSEC
;
1748 rules
->options
|= KRB5_NCRO_USE_FAST
;
1753 * This function returns an array of host-based service name
1754 * canonicalization rules. The array of rules is organized as a list.
1755 * See the definition of krb5_name_canon_rule.
1757 * @param context A Kerberos context.
1758 * @param rules Output location for array of rules.
1760 KRB5_LIB_FUNCTION krb5_error_code
1761 _krb5_get_name_canon_rules(krb5_context context
, krb5_name_canon_rule
*rules
)
1763 krb5_error_code ret
;
1764 char **values
= NULL
;
1766 *rules
= context
->name_canon_rules
;
1770 values
= krb5_config_get_strings(context
, NULL
,
1771 "libdefaults", "name_canon_rules", NULL
);
1772 ret
= parse_name_canon_rules(context
, values
, rules
);
1773 krb5_config_free_strings(values
);
1777 if (krb5_config_get_bool_default(context
, NULL
, FALSE
,
1778 "libdefaults", "safe_name_canon", NULL
))
1779 make_rules_safe(context
, *rules
);
1781 heim_assert((*rules
)[0].type
!= KRB5_NCRT_BOGUS
,
1782 "internal error in parsing principal name "
1783 "canonicalization rules");
1786 context
->name_canon_rules
= *rules
;
1791 static krb5_error_code
1792 get_host_realm(krb5_context context
, const char *hostname
, char **realm
)
1794 krb5_error_code ret
;
1795 char **hrealms
= NULL
;
1798 ret
= krb5_get_host_realm(context
, hostname
, &hrealms
);
1801 if (hrealms
== NULL
)
1802 return KRB5_ERR_HOST_REALM_UNKNOWN
; /* krb5_set_error() already done */
1803 if (hrealms
[0] == NULL
) {
1804 krb5_free_host_realm(context
, hrealms
);
1805 return KRB5_ERR_HOST_REALM_UNKNOWN
; /* krb5_set_error() already done */
1807 *realm
= strdup(hrealms
[0]);
1808 krb5_free_host_realm(context
, hrealms
);
1810 return krb5_enomem(context
);
1815 is_domain_suffix(const char *domain
, const char *suffix
)
1817 size_t dlen
= strlen(domain
);
1818 size_t slen
= strlen(suffix
);
1820 if (dlen
< slen
+ 2)
1823 if (strcasecmp(domain
+ (dlen
- slen
), suffix
) != 0)
1826 if (domain
[(dlen
- slen
) - 1] != '.')
1832 * Applies a name canonicalization rule to a principal.
1834 * Returns zero and no out_princ if the rule does not match.
1835 * Returns zero and an out_princ if the rule does match.
1837 static krb5_error_code
1838 apply_name_canon_rule(krb5_context context
, krb5_name_canon_rule rules
,
1839 size_t rule_idx
, krb5_const_principal in_princ
,
1840 krb5_principal
*out_princ
,
1841 krb5_name_canon_rule_options
*rule_opts
)
1843 krb5_name_canon_rule rule
= &rules
[rule_idx
];
1844 krb5_error_code ret
;
1845 unsigned int ndots
= 0;
1846 krb5_principal nss
= NULL
;
1847 const char *sname
= NULL
;
1848 const char *orig_hostname
= NULL
;
1849 const char *new_hostname
= NULL
;
1850 const char *new_realm
= NULL
;
1851 const char *port
= "";
1853 char *hostname_sans_port
= NULL
;
1854 char *hostname_with_port
= NULL
;
1855 char *tmp_hostname
= NULL
;
1856 char *tmp_realm
= NULL
;
1858 *out_princ
= NULL
; /* Signal no match */
1860 if (rule_opts
!= NULL
)
1861 *rule_opts
= rule
->options
;
1863 if (rule
->type
== KRB5_NCRT_BOGUS
)
1864 return 0; /* rule doesn't apply */
1866 sname
= krb5_principal_get_comp_string(context
, in_princ
, 0);
1867 orig_hostname
= krb5_principal_get_comp_string(context
, in_princ
, 1);
1870 * Some apps want to use the very non-standard svc/hostname:port@REALM
1871 * form. We do our best to support that here :(
1873 port
= strchr(orig_hostname
, ':');
1875 hostname_sans_port
= strndup(orig_hostname
, port
- orig_hostname
);
1876 if (hostname_sans_port
== NULL
)
1877 return krb5_enomem(context
);
1878 orig_hostname
= hostname_sans_port
;
1881 _krb5_debug(context
, 5, N_("Applying a name rule (type %d) to %s", ""),
1882 rule
->type
, orig_hostname
);
1884 if (rule
->mindots
> 0 || rule
->maxdots
> 0) {
1885 for (cp
= strchr(orig_hostname
, '.'); cp
&& *cp
; cp
= strchr(cp
+ 1, '.'))
1888 if (rule
->mindots
> 0 && ndots
< rule
->mindots
)
1890 if (ndots
> rule
->maxdots
)
1893 if (rule
->match_domain
!= NULL
&&
1894 !is_domain_suffix(orig_hostname
, rule
->match_domain
))
1897 if (rule
->match_realm
!= NULL
&&
1898 strcmp(rule
->match_realm
, in_princ
->realm
) != 0)
1901 new_realm
= rule
->realm
;
1902 switch (rule
->type
) {
1903 case KRB5_NCRT_AS_IS
:
1906 case KRB5_NCRT_QUALIFY
:
1907 heim_assert(rule
->domain
!= NULL
,
1908 "missing domain for qualify name canon rule");
1909 if (asprintf(&tmp_hostname
, "%s.%s", orig_hostname
,
1910 rule
->domain
) == -1 || tmp_hostname
== NULL
) {
1911 ret
= krb5_enomem(context
);
1914 new_hostname
= tmp_hostname
;
1918 if ((rule
->options
& KRB5_NCRO_USE_DNSSEC
)) {
1919 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1920 krb5_set_error_message(context
, ret
,
1921 "Secure hostname resolution not supported");
1924 _krb5_debug(context
, 5, "Using name service lookups");
1925 ret
= krb5_sname_to_principal_old(context
, rule
->realm
,
1926 orig_hostname
, sname
,
1929 if (rules
[rule_idx
+ 1].type
!= KRB5_NCRT_BOGUS
&&
1930 (ret
== KRB5_ERR_BAD_HOSTNAME
||
1931 ret
== KRB5_ERR_HOST_REALM_UNKNOWN
)) {
1933 * Bad hostname / realm unknown -> rule inapplicable if
1934 * there's more rules. If it's the last rule then we want
1935 * to return all errors from krb5_sname_to_principal_old()
1944 new_hostname
= krb5_principal_get_comp_string(context
, nss
, 1);
1945 new_realm
= krb5_principal_get_realm(context
, nss
);
1955 * This rule applies.
1957 * Copy in_princ and mutate the copy per the matched rule.
1959 * This way we apply to principals with two or more components, such as
1960 * domain-based names.
1962 ret
= krb5_copy_principal(context
, in_princ
, out_princ
);
1966 if (new_realm
== NULL
&& (rule
->options
& KRB5_NCRO_LOOKUP_REALM
) != 0) {
1967 ret
= get_host_realm(context
, new_hostname
, &tmp_realm
);
1970 new_realm
= tmp_realm
;
1973 /* If we stripped off a :port, add it back in */
1974 if (port
!= NULL
&& new_hostname
!= NULL
) {
1975 if (asprintf(&hostname_with_port
, "%s%s", new_hostname
, port
) == -1 ||
1976 hostname_with_port
== NULL
) {
1977 ret
= krb5_enomem(context
);
1980 new_hostname
= hostname_with_port
;
1983 if (new_realm
!= NULL
&&
1984 (ret
= krb5_principal_set_realm(context
, *out_princ
, new_realm
)))
1986 if (new_hostname
!= NULL
&&
1987 (ret
= krb5_principal_set_comp_string(context
, *out_princ
, 1, new_hostname
)))
1989 if (princ_type(*out_princ
) == KRB5_NT_SRV_HST_NEEDS_CANON
)
1990 princ_type(*out_princ
) = KRB5_NT_SRV_HST
;
1992 /* Trace rule application */
1994 krb5_error_code ret2
;
1997 ret2
= krb5_unparse_name(context
, *out_princ
, &unparsed
);
1999 _krb5_debug(context
, 5,
2000 N_("Couldn't unparse canonicalized princicpal (%d)",
2004 _krb5_debug(context
, 5,
2005 N_("Name canon rule application yields %s", ""),
2012 free(hostname_sans_port
);
2013 free(hostname_with_port
);
2016 krb5_free_principal(context
, nss
);
2018 krb5_set_error_message(context
, ret
,
2019 N_("Name canon rule application failed", ""));
2024 * Free name canonicalization rules
2026 KRB5_LIB_FUNCTION
void
2027 _krb5_free_name_canon_rules(krb5_context context
, krb5_name_canon_rule rules
)
2034 for (k
= 0; rules
[k
].type
!= KRB5_NCRT_BOGUS
; k
++) {
2035 free(rules
[k
].match_domain
);
2036 free(rules
[k
].match_realm
);
2037 free(rules
[k
].domain
);
2038 free(rules
[k
].realm
);
2043 struct krb5_name_canon_iterator_data
{
2044 krb5_name_canon_rule rules
;
2045 krb5_const_principal in_princ
; /* given princ */
2046 krb5_const_principal out_princ
; /* princ to be output */
2047 krb5_principal tmp_princ
; /* to be freed */
2048 int is_trivial
; /* no canon to be done */
2049 int done
; /* no more rules to be applied */
2050 size_t cursor
; /* current/next rule */
2054 * Initialize name canonicalization iterator.
2056 * @param context Kerberos context
2057 * @param in_princ principal name to be canonicalized OR
2058 * @param iter output iterator object
2060 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2061 krb5_name_canon_iterator_start(krb5_context context
,
2062 krb5_const_principal in_princ
,
2063 krb5_name_canon_iterator
*iter
)
2065 krb5_error_code ret
;
2066 krb5_name_canon_iterator state
;
2070 state
= calloc(1, sizeof (*state
));
2072 return krb5_enomem(context
);
2073 state
->in_princ
= in_princ
;
2075 if (princ_type(state
->in_princ
) == KRB5_NT_SRV_HST_NEEDS_CANON
) {
2076 ret
= _krb5_get_name_canon_rules(context
, &state
->rules
);
2080 /* Name needs no canon -> trivial iterator: in_princ is canonical */
2081 state
->is_trivial
= 1;
2088 krb5_free_name_canon_iterator(context
, state
);
2089 return krb5_enomem(context
);
2093 * Helper for name canon iteration.
2095 static krb5_error_code
2096 name_canon_iterate(krb5_context context
,
2097 krb5_name_canon_iterator
*iter
,
2098 krb5_name_canon_rule_options
*rule_opts
)
2100 krb5_error_code ret
;
2101 krb5_name_canon_iterator state
= *iter
;
2110 krb5_free_name_canon_iterator(context
, state
);
2115 if (state
->is_trivial
&& !state
->done
) {
2116 state
->out_princ
= state
->in_princ
;
2121 heim_assert(state
->rules
!= NULL
&&
2122 state
->rules
[state
->cursor
].type
!= KRB5_NCRT_BOGUS
,
2123 "Internal error during name canonicalization");
2126 krb5_free_principal(context
, state
->tmp_princ
);
2127 ret
= apply_name_canon_rule(context
, state
->rules
, state
->cursor
,
2128 state
->in_princ
, &state
->tmp_princ
, rule_opts
);
2130 krb5_free_name_canon_iterator(context
, state
);
2135 } while (state
->tmp_princ
== NULL
&&
2136 state
->rules
[state
->cursor
].type
!= KRB5_NCRT_BOGUS
);
2138 if (state
->rules
[state
->cursor
].type
== KRB5_NCRT_BOGUS
)
2141 state
->out_princ
= state
->tmp_princ
;
2142 if (state
->tmp_princ
== NULL
) {
2143 krb5_free_name_canon_iterator(context
, state
);
2151 * Iteratively apply name canon rules, outputing a principal and rule
2152 * options each time. Iteration completes when the @iter is NULL on
2153 * return or when an error is returned. Callers must free the iterator
2154 * if they abandon it mid-way.
2156 * @param context Kerberos context
2157 * @param iter name canon rule iterator (input/output)
2158 * @param try_princ output principal name
2159 * @param rule_opts output rule options
2161 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2162 krb5_name_canon_iterate(krb5_context context
,
2163 krb5_name_canon_iterator
*iter
,
2164 krb5_const_principal
*try_princ
,
2165 krb5_name_canon_rule_options
*rule_opts
)
2167 krb5_error_code ret
;
2171 ret
= name_canon_iterate(context
, iter
, rule_opts
);
2173 *try_princ
= (*iter
)->out_princ
;
2178 * Free a name canonicalization rule iterator.
2180 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
2181 krb5_free_name_canon_iterator(krb5_context context
,
2182 krb5_name_canon_iterator iter
)
2186 if (iter
->tmp_princ
)
2187 krb5_free_principal(context
, iter
->tmp_princ
);