2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * @page krb5_principal_intro The principal handing functions.
37 * A Kerberos principal is a email address looking string that
38 * contains two parts separated by @. The second part is the kerberos
39 * realm the principal belongs to and the first is a list of 0 or
40 * more components. For example
43 host/hummel.it.su.se@SU.SE
47 * See the library functions here: @ref krb5_principal
50 #include "krb5_locl.h"
51 #ifdef HAVE_RES_SEARCH
54 #ifdef HAVE_ARPA_NAMESER_H
55 #include <arpa/nameser.h>
60 #define princ_num_comp(P) ((P)->name.name_string.len)
61 #define princ_type(P) ((P)->name.name_type)
62 #define princ_comp(P) ((P)->name.name_string.val)
63 #define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
64 #define princ_realm(P) ((P)->realm)
66 static krb5_error_code
67 set_default_princ_type(krb5_principal p
, NAME_TYPE defnt
)
69 if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), KRB5_TGS_NAME
) == 0)
70 princ_type(p
) = KRB5_NT_SRV_INST
;
71 else if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), "host") == 0)
72 princ_type(p
) = KRB5_NT_SRV_HST
;
73 else if (princ_num_comp(p
) > 1 && strcmp(princ_ncomp(p
, 0), "kca_service") == 0)
74 princ_type(p
) = KRB5_NT_SRV_HST
;
75 else if (princ_num_comp(p
) == 2 &&
76 strcmp(princ_ncomp(p
, 0), KRB5_WELLKNOWN_NAME
) == 0)
77 princ_type(p
) = KRB5_NT_WELLKNOWN
;
78 else if (princ_num_comp(p
) == 1 && strchr(princ_ncomp(p
, 0), '@') != NULL
)
79 princ_type(p
) = KRB5_NT_SMTP_NAME
;
81 princ_type(p
) = defnt
;
85 static krb5_error_code
append_component(krb5_context
, krb5_principal
,
86 const char *, size_t);
89 * Frees a Kerberos principal allocated by the library with
90 * krb5_parse_name(), krb5_make_principal() or any other related
91 * principal functions.
93 * @param context A Kerberos context.
94 * @param p a principal to free.
96 * @return An krb5 error code, see krb5_get_error_message().
98 * @ingroup krb5_principal
101 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
102 krb5_free_principal(krb5_context context
,
106 if (p
->nameattrs
&& p
->nameattrs
->pac
)
107 heim_release(p
->nameattrs
->pac
);
114 * Set the type of the principal
116 * @param context A Kerberos context.
117 * @param principal principal to set the type for
118 * @param type the new type
120 * @return An krb5 error code, see krb5_get_error_message().
122 * @ingroup krb5_principal
125 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
126 krb5_principal_set_type(krb5_context context
,
127 krb5_principal principal
,
130 princ_type(principal
) = type
;
134 * Get the type of the principal
136 * @param context A Kerberos context.
137 * @param principal principal to get the type for
139 * @return the type of principal
141 * @ingroup krb5_principal
144 KRB5_LIB_FUNCTION
int KRB5_LIB_CALL
145 krb5_principal_get_type(krb5_context context
,
146 krb5_const_principal principal
)
148 return princ_type(principal
);
152 * Get the realm of the principal
154 * @param context A Kerberos context.
155 * @param principal principal to get the realm for
157 * @return realm of the principal, don't free or use after krb5_principal is freed
159 * @ingroup krb5_principal
162 KRB5_LIB_FUNCTION
const char* KRB5_LIB_CALL
163 krb5_principal_get_realm(krb5_context context
,
164 krb5_const_principal principal
)
166 return princ_realm(principal
);
169 KRB5_LIB_FUNCTION
const char* KRB5_LIB_CALL
170 krb5_principal_get_comp_string(krb5_context context
,
171 krb5_const_principal principal
,
172 unsigned int component
)
174 if(component
>= princ_num_comp(principal
))
176 return princ_ncomp(principal
, component
);
180 * Get number of component is principal.
182 * @param context Kerberos 5 context
183 * @param principal principal to query
185 * @return number of components in string
187 * @ingroup krb5_principal
190 KRB5_LIB_FUNCTION
unsigned int KRB5_LIB_CALL
191 krb5_principal_get_num_comp(krb5_context context
,
192 krb5_const_principal principal
)
194 return princ_num_comp(principal
);
198 * Parse a name into a krb5_principal structure, flags controls the behavior.
200 * @param context Kerberos 5 context
201 * @param name name to parse into a Kerberos principal
202 * @param flags flags to control the behavior
203 * @param principal returned principal, free with krb5_free_principal().
205 * @return An krb5 error code, see krb5_get_error_message().
207 * @ingroup krb5_principal
210 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
211 krb5_parse_name_flags(krb5_context context
,
214 krb5_principal
*principal
)
217 heim_general_string
*comp
;
218 heim_general_string realm
= NULL
;
230 int no_realm
= flags
& KRB5_PRINCIPAL_PARSE_NO_REALM
;
231 int require_realm
= flags
& KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
;
232 int enterprise
= flags
& KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
233 int ignore_realm
= flags
& KRB5_PRINCIPAL_PARSE_IGNORE_REALM
;
234 int no_def_realm
= flags
& KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
238 if (no_realm
&& require_realm
) {
239 krb5_set_error_message(context
, EINVAL
,
240 N_("Can't require both realm and "
241 "no realm at the same time", ""));
245 /* count number of component,
246 * enterprise names only have one component
250 for (p
= name
; *p
; p
++) {
253 krb5_set_error_message(context
, KRB5_PARSE_MALFORMED
,
254 N_("trailing \\ in principal name", ""));
255 return KRB5_PARSE_MALFORMED
;
258 } else if (*p
== '/')
264 comp
= calloc(ncomp
, sizeof(*comp
));
266 return krb5_enomem(context
);
269 p
= start
= q
= s
= strdup(name
);
272 return krb5_enomem(context
);
286 * We'll ignore trailing embedded NULs in components and
287 * realms, but can't support any other embedded NULs.
290 if ((*p
== '/' || *p
== '@') && !got_realm
)
292 if (*(p
++) != '\\' || *(p
++) != '0') {
293 ret
= KRB5_PARSE_MALFORMED
;
294 krb5_set_error_message(context
, ret
,
295 N_("embedded NULs in principal "
296 "name not supported", ""));
301 } else if (c
== '\0') {
302 ret
= KRB5_PARSE_MALFORMED
;
303 krb5_set_error_message(context
, ret
,
304 N_("trailing \\ in principal name", ""));
307 } else if (enterprise
&& first_at
) {
310 } else if ((c
== '/' && !enterprise
) || c
== '@') {
312 ret
= KRB5_PARSE_MALFORMED
;
313 krb5_set_error_message(context
, ret
,
314 N_("part after realm in principal name", ""));
317 comp
[n
] = malloc(q
- start
+ 1);
318 if (comp
[n
] == NULL
) {
319 ret
= krb5_enomem(context
);
322 memcpy(comp
[n
], start
, q
- start
);
323 comp
[n
][q
- start
] = 0;
331 if (got_realm
&& (c
== '/' || c
== '\0')) {
332 ret
= KRB5_PARSE_MALFORMED
;
333 krb5_set_error_message(context
, ret
,
334 N_("part after realm in principal name", ""));
341 ret
= KRB5_PARSE_MALFORMED
;
342 krb5_set_error_message(context
, ret
,
343 N_("realm found in 'short' principal "
344 "expected to be without one", ""));
348 realm
= malloc(q
- start
+ 1);
350 ret
= krb5_enomem(context
);
353 memcpy(realm
, start
, q
- start
);
354 realm
[q
- start
] = 0;
358 ret
= KRB5_PARSE_MALFORMED
;
359 krb5_set_error_message(context
, ret
,
360 N_("realm NOT found in principal "
361 "expected to be with one", ""));
363 } else if (no_realm
|| no_def_realm
) {
366 ret
= krb5_get_default_realm(context
, &realm
);
371 comp
[n
] = malloc(q
- start
+ 1);
372 if (comp
[n
] == NULL
) {
373 ret
= krb5_enomem(context
);
376 memcpy(comp
[n
], start
, q
- start
);
377 comp
[n
][q
- start
] = 0;
380 *principal
= calloc(1, sizeof(**principal
));
381 if (*principal
== NULL
) {
382 ret
= krb5_enomem(context
);
385 (*principal
)->name
.name_string
.val
= comp
;
386 princ_num_comp(*principal
) = n
;
387 (*principal
)->realm
= realm
;
389 princ_type(*principal
) = KRB5_NT_ENTERPRISE_PRINCIPAL
;
391 set_default_princ_type(*principal
, KRB5_NT_PRINCIPAL
);
399 krb5_free_default_realm(context
, realm
);
405 * Parse a name into a krb5_principal structure
407 * @param context Kerberos 5 context
408 * @param name name to parse into a Kerberos principal
409 * @param principal returned principal, free with krb5_free_principal().
411 * @return An krb5 error code, see krb5_get_error_message().
413 * @ingroup krb5_principal
416 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
417 krb5_parse_name(krb5_context context
,
419 krb5_principal
*principal
)
421 return krb5_parse_name_flags(context
, name
, 0, principal
);
424 static const char quotable_chars
[] = " \n\t\b\\/@";
425 static const char replace_chars
[] = " ntb\\/@";
427 #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
430 quote_string(const char *s
, char *out
, size_t idx
, size_t len
, int display
)
433 for(p
= s
; *p
&& idx
< len
; p
++){
434 q
= strchr(quotable_chars
, *p
);
436 add_char(out
, idx
, len
, replace_chars
[q
- quotable_chars
]);
438 add_char(out
, idx
, len
, '\\');
439 add_char(out
, idx
, len
, replace_chars
[q
- quotable_chars
]);
441 add_char(out
, idx
, len
, *p
);
449 static krb5_error_code
450 unparse_name_fixed(krb5_context context
,
451 krb5_const_principal principal
,
458 int short_form
= (flags
& KRB5_PRINCIPAL_UNPARSE_SHORT
) != 0;
459 int no_realm
= (flags
& KRB5_PRINCIPAL_UNPARSE_NO_REALM
) != 0;
460 int display
= (flags
& KRB5_PRINCIPAL_UNPARSE_DISPLAY
) != 0;
463 krb5_set_error_message(context
, EINVAL
,
464 N_("Invalid name buffer, "
465 "can't unparse", ""));
470 krb5_set_error_message(context
, ERANGE
,
471 N_("Invalid name buffer length, "
472 "can't unparse", ""));
478 if (!no_realm
&& princ_realm(principal
) == NULL
) {
479 krb5_set_error_message(context
, ERANGE
,
480 N_("Realm missing from principal, "
481 "can't unparse", ""));
485 for(i
= 0; i
< princ_num_comp(principal
); i
++){
487 add_char(name
, idx
, len
, '/');
488 idx
= quote_string(princ_ncomp(principal
, i
), name
, idx
, len
, display
);
490 krb5_set_error_message(context
, ERANGE
,
491 N_("Out of space printing principal", ""));
495 /* add realm if different from default realm */
496 if(short_form
&& !no_realm
) {
499 ret
= krb5_get_default_realm(context
, &r
);
502 if(strcmp(princ_realm(principal
), r
) != 0)
504 krb5_free_default_realm(context
, r
);
506 if(!short_form
&& !no_realm
) {
507 add_char(name
, idx
, len
, '@');
508 idx
= quote_string(princ_realm(principal
), name
, idx
, len
, display
);
510 krb5_set_error_message(context
, ERANGE
,
511 N_("Out of space printing "
512 "realm of principal", ""));
520 * Unparse the principal name to a fixed buffer
522 * @param context A Kerberos context.
523 * @param principal principal to unparse
524 * @param name buffer to write name to
525 * @param len length of buffer
527 * @return An krb5 error code, see krb5_get_error_message().
529 * @ingroup krb5_principal
532 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
533 krb5_unparse_name_fixed(krb5_context context
,
534 krb5_const_principal principal
,
538 return unparse_name_fixed(context
, principal
, name
, len
, 0);
542 * Unparse the principal name to a fixed buffer. The realm is skipped
543 * if its a default realm.
545 * @param context A Kerberos context.
546 * @param principal principal to unparse
547 * @param name buffer to write name to
548 * @param len length of buffer
550 * @return An krb5 error code, see krb5_get_error_message().
552 * @ingroup krb5_principal
555 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
556 krb5_unparse_name_fixed_short(krb5_context context
,
557 krb5_const_principal principal
,
561 return unparse_name_fixed(context
, principal
, name
, len
,
562 KRB5_PRINCIPAL_UNPARSE_SHORT
);
566 * Unparse the principal name with unparse flags to a fixed buffer.
568 * @param context A Kerberos context.
569 * @param principal principal to unparse
570 * @param flags unparse flags
571 * @param name buffer to write name to
572 * @param len length of buffer
574 * @return An krb5 error code, see krb5_get_error_message().
576 * @ingroup krb5_principal
579 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
580 krb5_unparse_name_fixed_flags(krb5_context context
,
581 krb5_const_principal principal
,
586 return unparse_name_fixed(context
, principal
, name
, len
, flags
);
589 static krb5_error_code
590 unparse_name(krb5_context context
,
591 krb5_const_principal principal
,
595 size_t len
= 0, plen
;
599 if (princ_realm(principal
)) {
600 plen
= strlen(princ_realm(principal
));
602 if(strcspn(princ_realm(principal
), quotable_chars
) == plen
)
608 for(i
= 0; i
< princ_num_comp(principal
); i
++){
609 plen
= strlen(princ_ncomp(principal
, i
));
610 if(strcspn(princ_ncomp(principal
, i
), quotable_chars
) == plen
)
619 return krb5_enomem(context
);
620 ret
= unparse_name_fixed(context
, principal
, *name
, len
, flags
);
629 * Unparse the Kerberos name into a string
631 * @param context Kerberos 5 context
632 * @param principal principal to query
633 * @param name resulting string, free with krb5_xfree()
635 * @return An krb5 error code, see krb5_get_error_message().
637 * @ingroup krb5_principal
640 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
641 krb5_unparse_name(krb5_context context
,
642 krb5_const_principal principal
,
645 return unparse_name(context
, principal
, name
, 0);
649 * Unparse the Kerberos name into a string
651 * @param context Kerberos 5 context
652 * @param principal principal to query
653 * @param flags flag to determine the behavior
654 * @param name resulting string, free with krb5_xfree()
656 * @return An krb5 error code, see krb5_get_error_message().
658 * @ingroup krb5_principal
661 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
662 krb5_unparse_name_flags(krb5_context context
,
663 krb5_const_principal principal
,
667 return unparse_name(context
, principal
, name
, flags
);
671 * Unparse the principal name to a allocated buffer. The realm is
672 * skipped if its a default realm.
674 * @param context A Kerberos context.
675 * @param principal principal to unparse
676 * @param name returned buffer, free with krb5_xfree()
678 * @return An krb5 error code, see krb5_get_error_message().
680 * @ingroup krb5_principal
683 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
684 krb5_unparse_name_short(krb5_context context
,
685 krb5_const_principal principal
,
688 return unparse_name(context
, principal
, name
, KRB5_PRINCIPAL_UNPARSE_SHORT
);
692 * Set a new realm for a principal, and as a side-effect free the
695 * @param context A Kerberos context.
696 * @param principal principal set the realm for
697 * @param realm the new realm to set
699 * @return An krb5 error code, see krb5_get_error_message().
701 * @ingroup krb5_principal
704 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
705 krb5_principal_set_realm(krb5_context context
,
706 krb5_principal principal
,
707 krb5_const_realm realm
)
709 if (princ_realm(principal
))
710 free(princ_realm(principal
));
713 princ_realm(principal
) = NULL
;
714 else if ((princ_realm(principal
) = strdup(realm
)) == NULL
)
715 return krb5_enomem(context
);
719 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
720 krb5_principal_set_comp_string(krb5_context context
,
721 krb5_principal principal
,
723 const char *component
)
728 for (i
= princ_num_comp(principal
); i
<= k
; i
++)
729 append_component(context
, principal
, "", 0);
730 s
= strdup(component
);
732 return krb5_enomem(context
);
733 free(princ_ncomp(principal
, k
));
734 princ_ncomp(principal
, k
) = s
;
738 #ifndef HEIMDAL_SMALLER
740 * Build a principal using vararg style building
742 * @param context A Kerberos context.
743 * @param principal returned principal
744 * @param rlen length of realm
745 * @param realm realm name
746 * @param ... a list of components ended with NULL.
748 * @return An krb5 error code, see krb5_get_error_message().
750 * @ingroup krb5_principal
753 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
754 krb5_build_principal(krb5_context context
,
755 krb5_principal
*principal
,
757 krb5_const_realm realm
,
763 ret
= krb5_build_principal_va(context
, principal
, rlen
, realm
, ap
);
770 * Build a principal using vararg style building
772 * @param context A Kerberos context.
773 * @param principal returned principal
774 * @param realm realm name
775 * @param ... a list of components ended with NULL.
777 * @return An krb5 error code, see krb5_get_error_message().
779 * @ingroup krb5_principal
782 /* coverity[+alloc : arg-*1] */
783 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
784 krb5_make_principal(krb5_context context
,
785 krb5_principal
*principal
,
786 krb5_const_realm realm
,
796 ret
= krb5_get_default_realm(context
, &r
);
802 ret
= krb5_build_principal_va(context
, principal
, strlen(realm
), realm
, ap
);
805 krb5_free_default_realm(context
, r
);
809 static krb5_error_code
810 append_component(krb5_context context
, krb5_principal p
,
814 heim_general_string
*tmp
;
815 size_t len
= princ_num_comp(p
);
817 tmp
= realloc(princ_comp(p
), (len
+ 1) * sizeof(*tmp
));
819 return krb5_enomem(context
);
821 princ_ncomp(p
, len
) = malloc(comp_len
+ 1);
822 if (princ_ncomp(p
, len
) == NULL
)
823 return krb5_enomem(context
);
824 memcpy (princ_ncomp(p
, len
), comp
, comp_len
);
825 princ_ncomp(p
, len
)[comp_len
] = '\0';
830 static krb5_error_code
831 va_ext_princ(krb5_context context
, krb5_principal p
, va_list ap
)
833 krb5_error_code ret
= 0;
839 if ((len
= va_arg(ap
, int)) == 0)
841 s
= va_arg(ap
, const char*);
842 if ((ret
= append_component(context
, p
, s
, len
)) != 0)
848 static krb5_error_code
849 va_princ(krb5_context context
, krb5_principal p
, va_list ap
)
851 krb5_error_code ret
= 0;
856 if ((s
= va_arg(ap
, const char*)) == NULL
)
858 if ((ret
= append_component(context
, p
, s
, strlen(s
))) != 0)
864 static krb5_error_code
865 build_principal(krb5_context context
,
866 krb5_principal
*principal
,
868 krb5_const_realm realm
,
869 krb5_error_code (*func
)(krb5_context
, krb5_principal
, va_list),
876 p
= calloc(1, sizeof(*p
));
878 return krb5_enomem(context
);
880 princ_realm(p
) = strdup(realm
);
881 if (p
->realm
== NULL
) {
883 return krb5_enomem(context
);
886 ret
= func(context
, p
, ap
);
889 set_default_princ_type(p
, KRB5_NT_PRINCIPAL
);
891 krb5_free_principal(context
, p
);
895 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
896 krb5_build_principal_va(krb5_context context
,
897 krb5_principal
*principal
,
899 krb5_const_realm realm
,
902 return build_principal(context
, principal
, rlen
, realm
, va_princ
, ap
);
905 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
906 krb5_build_principal_va_ext(krb5_context context
,
907 krb5_principal
*principal
,
909 krb5_const_realm realm
,
912 return build_principal(context
, principal
, rlen
, realm
, va_ext_princ
, ap
);
916 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
917 krb5_build_principal_ext(krb5_context context
,
918 krb5_principal
*principal
,
920 krb5_const_realm realm
,
926 ret
= krb5_build_principal_va_ext(context
, principal
, rlen
, realm
, ap
);
934 * @param context A Kerberos context.
935 * @param inprinc principal to copy
936 * @param outprinc copied principal, free with krb5_free_principal()
938 * @return An krb5 error code, see krb5_get_error_message().
940 * @ingroup krb5_principal
944 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
945 krb5_copy_principal(krb5_context context
,
946 krb5_const_principal inprinc
,
947 krb5_principal
*outprinc
)
953 p
= malloc(sizeof(*p
));
955 return krb5_enomem(context
);
956 if(copy_Principal(inprinc
, p
)) {
958 return krb5_enomem(context
);
960 if (inprinc
->nameattrs
&& inprinc
->nameattrs
->pac
)
961 p
->nameattrs
->pac
= heim_retain(inprinc
->nameattrs
->pac
);
968 * Return TRUE iff princ1 == princ2 (without considering the realm)
970 * @param context Kerberos 5 context
971 * @param princ1 first principal to compare
972 * @param princ2 second principal to compare
974 * @return non zero if equal, 0 if not
976 * @ingroup krb5_principal
977 * @see krb5_principal_compare()
978 * @see krb5_realm_compare()
981 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
982 krb5_principal_compare_any_realm(krb5_context context
,
983 krb5_const_principal princ1
,
984 krb5_const_principal princ2
)
987 if(princ_num_comp(princ1
) != princ_num_comp(princ2
))
989 for(i
= 0; i
< princ_num_comp(princ1
); i
++){
990 if(strcmp(princ_ncomp(princ1
, i
), princ_ncomp(princ2
, i
)) != 0)
996 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
997 _krb5_principal_compare_PrincipalName(krb5_context context
,
998 krb5_const_principal princ1
,
999 PrincipalName
*princ2
)
1002 if (princ_num_comp(princ1
) != princ2
->name_string
.len
)
1004 for(i
= 0; i
< princ_num_comp(princ1
); i
++){
1005 if(strcmp(princ_ncomp(princ1
, i
), princ2
->name_string
.val
[i
]) != 0)
1013 * Compares the two principals, including realm of the principals and returns
1014 * TRUE if they are the same and FALSE if not.
1016 * @param context Kerberos 5 context
1017 * @param princ1 first principal to compare
1018 * @param princ2 second principal to compare
1020 * @ingroup krb5_principal
1021 * @see krb5_principal_compare_any_realm()
1022 * @see krb5_realm_compare()
1026 * return TRUE iff princ1 == princ2
1029 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1030 krb5_principal_compare(krb5_context context
,
1031 krb5_const_principal princ1
,
1032 krb5_const_principal princ2
)
1034 if (!krb5_realm_compare(context
, princ1
, princ2
))
1036 return krb5_principal_compare_any_realm(context
, princ1
, princ2
);
1040 * return TRUE iff realm(princ1) == realm(princ2)
1042 * @param context Kerberos 5 context
1043 * @param princ1 first principal to compare
1044 * @param princ2 second principal to compare
1046 * @ingroup krb5_principal
1047 * @see krb5_principal_compare_any_realm()
1048 * @see krb5_principal_compare()
1051 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1052 krb5_realm_compare(krb5_context context
,
1053 krb5_const_principal princ1
,
1054 krb5_const_principal princ2
)
1056 return strcmp(princ_realm(princ1
), princ_realm(princ2
)) == 0;
1060 * return TRUE iff princ matches pattern
1062 * @ingroup krb5_principal
1065 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1066 krb5_principal_match(krb5_context context
,
1067 krb5_const_principal princ
,
1068 krb5_const_principal pattern
)
1071 if(princ_num_comp(princ
) != princ_num_comp(pattern
))
1073 if(fnmatch(princ_realm(pattern
), princ_realm(princ
), 0) != 0)
1075 for(i
= 0; i
< princ_num_comp(princ
); i
++){
1076 if(fnmatch(princ_ncomp(pattern
, i
), princ_ncomp(princ
, i
), 0) != 0)
1083 * This is the original krb5_sname_to_principal(), renamed to be a
1084 * helper of the new one.
1086 static krb5_error_code
1087 krb5_sname_to_principal_old(krb5_context context
,
1089 const char *hostname
,
1092 krb5_principal
*ret_princ
)
1094 krb5_error_code ret
;
1095 char localhost
[MAXHOSTNAMELEN
];
1096 char **realms
= NULL
, *host
= NULL
;
1098 if(type
!= KRB5_NT_SRV_HST
&& type
!= KRB5_NT_UNKNOWN
) {
1099 krb5_set_error_message(context
, KRB5_SNAME_UNSUPP_NAMETYPE
,
1100 N_("unsupported name type %d", ""),
1102 return KRB5_SNAME_UNSUPP_NAMETYPE
;
1104 if(hostname
== NULL
) {
1105 ret
= gethostname(localhost
, sizeof(localhost
) - 1);
1108 krb5_set_error_message(context
, ret
,
1109 N_("Failed to get local hostname", ""));
1112 localhost
[sizeof(localhost
) - 1] = '\0';
1113 hostname
= localhost
;
1117 if(type
== KRB5_NT_SRV_HST
) {
1119 ret
= krb5_expand_hostname(context
, hostname
, &host
);
1121 ret
= krb5_expand_hostname_realms(context
, hostname
,
1129 } else if (!realm
) {
1130 ret
= krb5_get_host_realm(context
, hostname
, &realms
);
1136 ret
= krb5_make_principal(context
, ret_princ
, realm
, sname
,
1141 krb5_free_host_realm(context
, realms
);
1145 static const struct {
1149 { "UNKNOWN", KRB5_NT_UNKNOWN
},
1150 { "PRINCIPAL", KRB5_NT_PRINCIPAL
},
1151 { "SRV_INST", KRB5_NT_SRV_INST
},
1152 { "SRV_HST", KRB5_NT_SRV_HST
},
1153 { "SRV_XHST", KRB5_NT_SRV_XHST
},
1154 { "UID", KRB5_NT_UID
},
1155 { "X500_PRINCIPAL", KRB5_NT_X500_PRINCIPAL
},
1156 { "SMTP_NAME", KRB5_NT_SMTP_NAME
},
1157 { "ENTERPRISE_PRINCIPAL", KRB5_NT_ENTERPRISE_PRINCIPAL
},
1158 { "WELLKNOWN", KRB5_NT_WELLKNOWN
},
1159 { "SRV_HST_DOMAIN", KRB5_NT_SRV_HST_DOMAIN
},
1160 { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID
},
1161 { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL
},
1162 { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID
},
1163 { "SRV_HST_NEEDS_CANON", KRB5_NT_SRV_HST_NEEDS_CANON
},
1168 * Parse nametype string and return a nametype integer
1170 * @ingroup krb5_principal
1173 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1174 krb5_parse_nametype(krb5_context context
, const char *str
, int32_t *nametype
)
1178 for(i
= 0; nametypes
[i
].type
; i
++) {
1179 if (strcasecmp(nametypes
[i
].type
, str
) == 0) {
1180 *nametype
= nametypes
[i
].value
;
1184 krb5_set_error_message(context
, KRB5_PARSE_MALFORMED
,
1185 N_("Failed to find name type %s", ""), str
);
1186 return KRB5_PARSE_MALFORMED
;
1190 * Returns true if name is Kerberos NULL name
1192 * @ingroup krb5_principal
1195 krb5_boolean KRB5_LIB_FUNCTION
1196 krb5_principal_is_null(krb5_context context
, krb5_const_principal principal
)
1198 if (principal
->name
.name_type
== KRB5_NT_WELLKNOWN
&&
1199 principal
->name
.name_string
.len
== 2 &&
1200 strcmp(principal
->name
.name_string
.val
[0], "WELLKNOWN") == 0 &&
1201 strcmp(principal
->name
.name_string
.val
[1], "NULL") == 0)
1206 const char _krb5_wellknown_lkdc
[] = "WELLKNOWN:COM.APPLE.LKDC";
1207 static const char lkdc_prefix
[] = "LKDC:";
1210 * Returns true if name is Kerberos an LKDC realm
1212 * @ingroup krb5_principal
1215 krb5_boolean KRB5_LIB_FUNCTION
1216 krb5_realm_is_lkdc(const char *realm
)
1219 return strncmp(realm
, lkdc_prefix
, sizeof(lkdc_prefix
)-1) == 0 ||
1220 strncmp(realm
, _krb5_wellknown_lkdc
, sizeof(_krb5_wellknown_lkdc
) - 1) == 0;
1224 * Returns true if name is Kerberos an LKDC realm
1226 * @ingroup krb5_principal
1229 krb5_boolean KRB5_LIB_FUNCTION
1230 krb5_principal_is_lkdc(krb5_context context
, krb5_const_principal principal
)
1232 return krb5_realm_is_lkdc(principal
->realm
);
1236 * Returns true if name is Kerberos an LKDC realm
1238 * @ingroup krb5_principal
1241 krb5_boolean KRB5_LIB_FUNCTION
1242 krb5_principal_is_pku2u(krb5_context context
, krb5_const_principal principal
)
1244 return strcmp(principal
->realm
, KRB5_PKU2U_REALM_NAME
) == 0;
1248 * Check if the cname part of the principal is a krbtgt principal
1250 * @ingroup krb5_principal
1253 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1254 krb5_principal_is_krbtgt(krb5_context context
, krb5_const_principal p
)
1256 return p
->name
.name_string
.len
== 2 &&
1257 strcmp(p
->name
.name_string
.val
[0], KRB5_TGS_NAME
) == 0;
1261 * Returns true iff name is an WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE
1263 * @ingroup krb5_principal
1266 krb5_boolean KRB5_LIB_FUNCTION
1267 krb5_principal_is_gss_hostbased_service(krb5_context context
,
1268 krb5_const_principal principal
)
1270 if (principal
== NULL
)
1272 if (principal
->name
.name_string
.len
!= 2)
1274 if (strcmp(principal
->name
.name_string
.val
[1], KRB5_GSS_HOSTBASED_SERVICE_NAME
) != 0)
1280 * Check if the cname part of the principal is a initial or renewed krbtgt principal
1282 * @ingroup krb5_principal
1285 krb5_boolean KRB5_LIB_FUNCTION
1286 krb5_principal_is_root_krbtgt(krb5_context context
, krb5_const_principal p
)
1288 return p
->name
.name_string
.len
== 2 &&
1289 strcmp(p
->name
.name_string
.val
[0], KRB5_TGS_NAME
) == 0 &&
1290 strcmp(p
->name
.name_string
.val
[1], p
->realm
) == 0;
1294 * Returns true iff name is WELLKNOWN/ANONYMOUS
1296 * @ingroup krb5_principal
1299 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1300 krb5_principal_is_anonymous(krb5_context context
,
1301 krb5_const_principal p
,
1305 * Heimdal versions 7.5 and below left the name-type at KRB5_NT_PRINCIPAL
1306 * even with anonymous pkinit responses. To retain interoperability with
1307 * legacy KDCs, the name-type is not checked by the client after requesting
1308 * a fully anonymous ticket.
1310 if (!(flags
& KRB5_ANON_IGNORE_NAME_TYPE
) &&
1311 p
->name
.name_type
!= KRB5_NT_WELLKNOWN
&&
1312 p
->name
.name_type
!= KRB5_NT_UNKNOWN
)
1315 if (p
->name
.name_string
.len
!= 2 ||
1316 strcmp(p
->name
.name_string
.val
[0], KRB5_WELLKNOWN_NAME
) != 0 ||
1317 strcmp(p
->name
.name_string
.val
[1], KRB5_ANON_NAME
) != 0)
1321 * While unauthenticated clients SHOULD get "WELLKNOWN:ANONYMOUS" as their
1322 * realm, Heimdal KDCs prior to 7.0 returned the requested realm. While
1323 * such tickets might lead *servers* to unwittingly grant access to fully
1324 * anonymous clients, trusting that the client was authenticated to the
1325 * realm in question, doing it right is the KDC's job, the client should
1326 * not refuse such a ticket.
1328 * If we ever do decide to enforce WELLKNOWN:ANONYMOUS for unauthenticated
1329 * clients, it is essential that calls that pass KRB5_ANON_MATCH_ANY still
1330 * ignore the realm, as in that case either case matches one of the two
1331 * possible conditions.
1333 if (flags
& KRB5_ANON_MATCH_UNAUTHENTICATED
)
1337 * Finally, authenticated clients that asked to be only anonymized do
1338 * legitimately expect a non-anon realm.
1340 return strcmp(p
->realm
, KRB5_ANON_REALM
) != 0;
1344 * Returns true iff name is WELLKNOWN/FEDERATED
1346 * @ingroup krb5_principal
1349 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1350 krb5_principal_is_federated(krb5_context context
,
1351 krb5_const_principal p
)
1353 if (p
->name
.name_type
!= KRB5_NT_WELLKNOWN
&&
1354 p
->name
.name_type
!= KRB5_NT_UNKNOWN
)
1357 if (p
->name
.name_string
.len
!= 2 ||
1358 strcmp(p
->name
.name_string
.val
[0], KRB5_WELLKNOWN_NAME
) != 0 ||
1359 strcmp(p
->name
.name_string
.val
[1], KRB5_FEDERATED_NAME
) != 0)
1366 tolower_ascii(int c
)
1368 if (c
>= 'A' && c
<= 'Z')
1369 return 'a' + (c
- 'A');
1373 typedef enum krb5_name_canon_rule_type
{
1374 KRB5_NCRT_BOGUS
= 0,
1378 } krb5_name_canon_rule_type
;
1381 #define MAXDOTS UINT8_MAX
1383 #define MAXDOTS (255U)
1386 #define MAXORDER UINT16_MAX
1388 #define MAXORDER (65535U)
1391 struct krb5_name_canon_rule_data
{
1392 krb5_name_canon_rule_type type
;
1393 krb5_name_canon_rule_options options
;
1394 uint8_t mindots
; /* match this many dots or more */
1395 uint8_t maxdots
; /* match no more than this many dots */
1396 uint16_t explicit_order
; /* given order */
1397 uint16_t order
; /* actual order */
1398 char *match_domain
; /* match this stem */
1399 char *match_realm
; /* match this realm */
1400 char *domain
; /* qualify with this domain */
1401 char *realm
; /* qualify with this realm */
1405 * Create a principal for the given service running on the given
1406 * hostname. If KRB5_NT_SRV_HST is used, the hostname is canonicalized
1407 * according the configured name canonicalization rules, with
1408 * canonicalization delayed in some cases. One rule involves DNS, which
1409 * is insecure unless DNSSEC is used, but we don't use DNSSEC-capable
1410 * resolver APIs here, so that if DNSSEC is used we wouldn't know it.
1412 * Canonicalization is immediate (not delayed) only when there is only
1413 * one canonicalization rule and that rule indicates that we should do a
1414 * host lookup by name (i.e., DNS).
1416 * @param context A Kerberos context.
1417 * @param hostname hostname to use
1418 * @param sname Service name to use
1419 * @param type name type of principal, use KRB5_NT_SRV_HST or KRB5_NT_UNKNOWN.
1420 * @param ret_princ return principal, free with krb5_free_principal().
1422 * @return An krb5 error code, see krb5_get_error_message().
1424 * @ingroup krb5_principal
1427 /* coverity[+alloc : arg-*4] */
1428 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1429 krb5_sname_to_principal(krb5_context context
,
1430 const char *hostname
,
1433 krb5_principal
*ret_princ
)
1435 char *realm
, *remote_host
;
1436 krb5_error_code ret
;
1438 char localname
[MAXHOSTNAMELEN
];
1442 if ((type
!= KRB5_NT_UNKNOWN
) &&
1443 (type
!= KRB5_NT_SRV_HST
))
1444 return KRB5_SNAME_UNSUPP_NAMETYPE
;
1446 /* if hostname is NULL, use local hostname */
1447 if (hostname
== NULL
) {
1448 if (gethostname(localname
, MAXHOSTNAMELEN
))
1450 hostname
= localname
;
1453 /* if sname is NULL, use "host" */
1457 remote_host
= strdup(hostname
);
1458 if (remote_host
== NULL
)
1459 return krb5_enomem(context
);
1461 if (type
== KRB5_NT_SRV_HST
) {
1462 krb5_name_canon_rule rules
;
1464 /* Lower-case the hostname, because that's the convention */
1465 for (cp
= remote_host
; *cp
; cp
++)
1466 if (isupper((unsigned char) (*cp
)))
1467 *cp
= tolower((unsigned char) (*cp
));
1470 * If there is only one name canon rule and it says to
1471 * canonicalize the old way, do that now, as we used to.
1473 ret
= _krb5_get_name_canon_rules(context
, &rules
);
1475 _krb5_debug(context
, 5, "Failed to get name canon rules: ret = %d",
1480 if (rules
[0].type
== KRB5_NCRT_NSS
&&
1481 rules
[1].type
== KRB5_NCRT_BOGUS
) {
1482 _krb5_debug(context
, 5, "Using nss for name canon immediately");
1483 ret
= krb5_sname_to_principal_old(context
, rules
[0].realm
,
1485 KRB5_NT_SRV_HST
, ret_princ
);
1491 /* Remove trailing dots */
1492 if (remote_host
[0]) {
1493 for (cp
= remote_host
+ strlen(remote_host
)-1;
1494 *cp
== '.' && cp
> remote_host
;
1500 realm
= ""; /* "Referral realm" */
1502 ret
= krb5_build_principal(context
, ret_princ
, strlen(realm
),
1503 realm
, sname
, remote_host
,
1506 if (ret
== 0 && type
== KRB5_NT_SRV_HST
) {
1508 * Hostname canonicalization is done elsewhere (in
1509 * krb5_get_credentials() and krb5_kt_get_entry()).
1511 * We overload the name type to indicate to those functions that
1512 * this principal name requires canonicalization.
1514 * We can't use the empty realm to denote the need to
1515 * canonicalize the hostname too: it would mean that users who
1516 * want to assert knowledge of a service's realm must also know
1517 * the canonical hostname, but in practice they don't.
1519 (*ret_princ
)->name
.name_type
= KRB5_NT_SRV_HST_NEEDS_CANON
;
1521 _krb5_debug(context
, 5, "Building a delayed canon principal for %s/%s@",
1522 sname
, remote_host
);
1530 tolower_str(char *s
)
1532 for (; *s
!= '\0'; s
++) {
1533 if (isupper((unsigned char)*s
))
1534 *s
= tolower_ascii(*s
);
1538 static krb5_error_code
1539 rule_parse_token(krb5_context context
, krb5_name_canon_rule rule
,
1543 int needs_type
= rule
->type
== KRB5_NCRT_BOGUS
;
1546 * Rules consist of a sequence of tokens, some of which indicate
1547 * what type of rule the rule is, and some of which set rule options
1548 * or ancilliary data. Last rule type token wins.
1551 /* Rule type tokens: */
1552 if (needs_type
&& strcmp(tok
, "as-is") == 0) {
1553 rule
->type
= KRB5_NCRT_AS_IS
;
1554 } else if (needs_type
&& strcmp(tok
, "qualify") == 0) {
1555 rule
->type
= KRB5_NCRT_QUALIFY
;
1556 } else if (needs_type
&& strcmp(tok
, "nss") == 0) {
1557 rule
->type
= KRB5_NCRT_NSS
;
1559 } else if (strcmp(tok
, "use_fast") == 0) {
1560 rule
->options
|= KRB5_NCRO_USE_FAST
;
1561 } else if (strcmp(tok
, "use_dnssec") == 0) {
1562 rule
->options
|= KRB5_NCRO_USE_DNSSEC
;
1563 } else if (strcmp(tok
, "ccache_only") == 0) {
1564 rule
->options
|= KRB5_NCRO_GC_ONLY
;
1565 } else if (strcmp(tok
, "no_referrals") == 0) {
1566 rule
->options
|= KRB5_NCRO_NO_REFERRALS
;
1567 } else if (strcmp(tok
, "use_referrals") == 0) {
1568 rule
->options
&= ~KRB5_NCRO_NO_REFERRALS
;
1569 if (rule
->realm
== NULL
) {
1570 rule
->realm
= strdup("");
1571 if (rule
->realm
== NULL
)
1572 return krb5_enomem(context
);
1574 } else if (strcmp(tok
, "lookup_realm") == 0) {
1575 rule
->options
|= KRB5_NCRO_LOOKUP_REALM
;
1578 /* Rule ancilliary data: */
1579 } else if (strncmp(tok
, "domain=", strlen("domain=")) == 0) {
1581 rule
->domain
= strdup(tok
+ strlen("domain="));
1582 if (rule
->domain
== NULL
)
1583 return krb5_enomem(context
);
1584 tolower_str(rule
->domain
);
1585 } else if (strncmp(tok
, "realm=", strlen("realm=")) == 0) {
1587 rule
->realm
= strdup(tok
+ strlen("realm="));
1588 if (rule
->realm
== NULL
)
1589 return krb5_enomem(context
);
1590 } else if (strncmp(tok
, "match_domain=", strlen("match_domain=")) == 0) {
1591 free(rule
->match_domain
);
1592 rule
->match_domain
= strdup(tok
+ strlen("match_domain="));
1593 if (rule
->match_domain
== NULL
)
1594 return krb5_enomem(context
);
1595 tolower_str(rule
->match_domain
);
1596 } else if (strncmp(tok
, "match_realm=", strlen("match_realm=")) == 0) {
1597 free(rule
->match_realm
);
1598 rule
->match_realm
= strdup(tok
+ strlen("match_realm="));
1599 if (rule
->match_realm
== NULL
)
1600 return krb5_enomem(context
);
1601 } else if (strncmp(tok
, "mindots=", strlen("mindots=")) == 0) {
1603 n
= strtol(tok
+ strlen("mindots="), NULL
, 10);
1604 if (errno
== 0 && n
> 0 && n
<= MAXDOTS
)
1606 } else if (strncmp(tok
, "maxdots=", strlen("maxdots=")) == 0) {
1608 n
= strtol(tok
+ strlen("maxdots="), NULL
, 10);
1609 if (errno
== 0 && n
> 0 && n
<= MAXDOTS
)
1611 } else if (strncmp(tok
, "order=", strlen("order=")) == 0) {
1613 n
= strtol(tok
+ strlen("order="), NULL
, 10);
1614 if (errno
== 0 && n
> 0 && n
<= MAXORDER
)
1615 rule
->explicit_order
= n
;
1617 _krb5_debug(context
, 5,
1618 "Unrecognized name canonicalization rule token %s", tok
);
1625 rule_cmp(const void *a
, const void *b
)
1627 krb5_const_name_canon_rule left
= a
;
1628 krb5_const_name_canon_rule right
= b
;
1630 if (left
->type
== KRB5_NCRT_BOGUS
&&
1631 right
->type
== KRB5_NCRT_BOGUS
)
1633 if (left
->type
== KRB5_NCRT_BOGUS
)
1635 if (right
->type
== KRB5_NCRT_BOGUS
)
1637 if (left
->explicit_order
< right
->explicit_order
)
1639 if (left
->explicit_order
> right
->explicit_order
)
1641 return left
->order
- right
->order
;
1644 static krb5_error_code
1645 parse_name_canon_rules(krb5_context context
, char **rulestrs
,
1646 krb5_name_canon_rule
*rules
)
1648 krb5_error_code ret
;
1655 krb5_name_canon_rule r
;
1659 for (n
=0, cpp
= rulestrs
; cpp
!= NULL
&& *cpp
!= NULL
; cpp
++)
1662 n
+= 2; /* Always at least one rule; two for the default case */
1664 if ((r
= calloc(n
, sizeof (*r
))) == NULL
)
1665 return krb5_enomem(context
);
1667 for (k
= 0; k
< n
; k
++) {
1668 r
[k
].type
= KRB5_NCRT_BOGUS
;
1669 r
[k
].match_domain
= NULL
;
1670 r
[k
].match_realm
= NULL
;
1675 for (i
= 0, k
= 0; i
< n
&& rulestrs
!= NULL
&& rulestrs
[i
] != NULL
; i
++) {
1677 r
[k
].explicit_order
= MAXORDER
; /* mark order, see below */
1678 r
[k
].maxdots
= MAXDOTS
;
1679 r
[k
].order
= k
; /* default order */
1681 /* Tokenize and parse value */
1684 cp
= strchr(cp
, ':'); /* XXX use strtok_r() */
1686 *cp
++ = '\0'; /* delimit token */
1687 ret
= rule_parse_token(context
, &r
[k
], tok
);
1688 if (ret
== EINVAL
) {
1689 r
[k
].type
= KRB5_NCRT_BOGUS
;
1693 _krb5_free_name_canon_rules(context
, r
);
1696 } while (cp
&& *cp
);
1697 if (r
[k
].explicit_order
!= MAXORDER
)
1700 /* Validate parsed rule */
1701 if (r
[k
].type
== KRB5_NCRT_BOGUS
||
1702 (r
[k
].type
== KRB5_NCRT_QUALIFY
&& !r
[k
].domain
) ||
1703 (r
[k
].type
== KRB5_NCRT_NSS
&& r
[k
].domain
)) {
1704 /* Invalid rule; mark it so and clean up */
1705 r
[k
].type
= KRB5_NCRT_BOGUS
;
1706 free(r
[k
].match_domain
);
1707 free(r
[k
].match_realm
);
1712 r
[k
].match_domain
= NULL
;
1713 r
[k
].match_realm
= NULL
;
1714 _krb5_debug(context
, 5,
1715 "Ignoring invalid name canonicalization rule %lu",
1719 k
++; /* good rule */
1724 * Note that we make make this a stable sort by using appareance
1725 * and explicit order.
1727 qsort(r
, n
, sizeof(r
[0]), rule_cmp
);
1730 if (r
[0].type
== KRB5_NCRT_BOGUS
) {
1731 /* No rules, or no valid rules */
1732 r
[0].type
= KRB5_NCRT_NSS
;
1736 return 0; /* We don't communicate bad rule errors here */
1740 * This exists only because the hostname canonicalization behavior in Heimdal
1741 * (and other implementations of Kerberos) has been to use getaddrinfo(),
1742 * unsafe though it is, for ages. We can't fix it in one day.
1745 make_rules_safe(krb5_context context
, krb5_name_canon_rule rules
)
1748 * If the only rule were to use the name service (getaddrinfo()) then we're
1749 * bound to fail. We could try to convert that rule to an as-is rule, but
1750 * when we do get a validating resolver we'd be unhappy that we did such a
1751 * conversion. Better let the user get failures and make them think about
1752 * their naming rules.
1756 for (; rules
[0].type
!= KRB5_NCRT_BOGUS
; rules
++) {
1757 if (rules
->type
== KRB5_NCRT_NSS
)
1758 rules
->options
|= KRB5_NCRO_USE_DNSSEC
;
1760 rules
->options
|= KRB5_NCRO_USE_FAST
;
1765 * This function returns an array of host-based service name
1766 * canonicalization rules. The array of rules is organized as a list.
1767 * See the definition of krb5_name_canon_rule.
1769 * @param context A Kerberos context.
1770 * @param rules Output location for array of rules.
1772 KRB5_LIB_FUNCTION krb5_error_code
1773 _krb5_get_name_canon_rules(krb5_context context
, krb5_name_canon_rule
*rules
)
1775 krb5_error_code ret
;
1776 char **values
= NULL
;
1778 *rules
= context
->name_canon_rules
;
1782 values
= krb5_config_get_strings(context
, NULL
,
1783 "libdefaults", "name_canon_rules", NULL
);
1784 ret
= parse_name_canon_rules(context
, values
, rules
);
1785 krb5_config_free_strings(values
);
1789 return krb5_enomem(context
);
1791 if (krb5_config_get_bool_default(context
, NULL
, FALSE
,
1792 "libdefaults", "safe_name_canon", NULL
))
1793 make_rules_safe(context
, *rules
);
1795 heim_assert((*rules
)[0].type
!= KRB5_NCRT_BOGUS
,
1796 "internal error in parsing principal name "
1797 "canonicalization rules");
1800 context
->name_canon_rules
= *rules
;
1805 static krb5_error_code
1806 get_host_realm(krb5_context context
, const char *hostname
, char **realm
)
1808 krb5_error_code ret
;
1809 char **hrealms
= NULL
;
1812 ret
= krb5_get_host_realm(context
, hostname
, &hrealms
);
1815 if (hrealms
== NULL
)
1816 return KRB5_ERR_HOST_REALM_UNKNOWN
; /* krb5_set_error() already done */
1817 if (hrealms
[0] == NULL
) {
1818 krb5_free_host_realm(context
, hrealms
);
1819 return KRB5_ERR_HOST_REALM_UNKNOWN
; /* krb5_set_error() already done */
1821 *realm
= strdup(hrealms
[0]);
1822 krb5_free_host_realm(context
, hrealms
);
1824 return krb5_enomem(context
);
1829 is_domain_suffix(const char *domain
, const char *suffix
)
1831 size_t dlen
= strlen(domain
);
1832 size_t slen
= strlen(suffix
);
1834 if (dlen
< slen
+ 2)
1837 if (strcasecmp(domain
+ (dlen
- slen
), suffix
) != 0)
1840 if (domain
[(dlen
- slen
) - 1] != '.')
1846 * Applies a name canonicalization rule to a principal.
1848 * Returns zero and no out_princ if the rule does not match.
1849 * Returns zero and an out_princ if the rule does match.
1851 static krb5_error_code
1852 apply_name_canon_rule(krb5_context context
, krb5_name_canon_rule rules
,
1853 size_t rule_idx
, krb5_const_principal in_princ
,
1854 krb5_principal
*out_princ
,
1855 krb5_name_canon_rule_options
*rule_opts
)
1857 krb5_name_canon_rule rule
= &rules
[rule_idx
];
1858 krb5_error_code ret
= 0;
1859 unsigned int ndots
= 0;
1860 krb5_principal nss
= NULL
;
1861 const char *sname
= NULL
;
1862 const char *orig_hostname
= NULL
;
1863 const char *new_hostname
= NULL
;
1864 const char *new_realm
= NULL
;
1865 const char *port
= "";
1867 char *hostname_sans_port
= NULL
;
1868 char *hostname_with_port
= NULL
;
1869 char *tmp_hostname
= NULL
;
1870 char *tmp_realm
= NULL
;
1872 *out_princ
= NULL
; /* Signal no match */
1874 if (rule_opts
!= NULL
)
1875 *rule_opts
= rule
->options
;
1877 if (rule
->type
== KRB5_NCRT_BOGUS
)
1878 return 0; /* rule doesn't apply */
1880 sname
= krb5_principal_get_comp_string(context
, in_princ
, 0);
1881 orig_hostname
= krb5_principal_get_comp_string(context
, in_princ
, 1);
1884 * Some apps want to use the very non-standard svc/hostname:port@REALM
1885 * form. We do our best to support that here :(
1887 port
= strchr(orig_hostname
, ':');
1889 hostname_sans_port
= strndup(orig_hostname
, port
- orig_hostname
);
1890 if (hostname_sans_port
== NULL
)
1891 return krb5_enomem(context
);
1892 orig_hostname
= hostname_sans_port
;
1895 _krb5_debug(context
, 5, N_("Applying a name rule (type %d) to %s", ""),
1896 rule
->type
, orig_hostname
);
1898 if (rule
->mindots
> 0 || rule
->maxdots
> 0) {
1899 for (cp
= strchr(orig_hostname
, '.'); cp
&& *cp
; cp
= strchr(cp
+ 1, '.'))
1902 if (rule
->mindots
> 0 && ndots
< rule
->mindots
)
1904 if (ndots
> rule
->maxdots
)
1907 if (rule
->match_domain
!= NULL
&&
1908 !is_domain_suffix(orig_hostname
, rule
->match_domain
))
1911 if (rule
->match_realm
!= NULL
&&
1912 strcmp(rule
->match_realm
, in_princ
->realm
) != 0)
1915 new_realm
= rule
->realm
;
1916 switch (rule
->type
) {
1917 case KRB5_NCRT_AS_IS
:
1920 case KRB5_NCRT_QUALIFY
:
1921 heim_assert(rule
->domain
!= NULL
,
1922 "missing domain for qualify name canon rule");
1923 if (asprintf(&tmp_hostname
, "%s.%s", orig_hostname
,
1924 rule
->domain
) == -1 || tmp_hostname
== NULL
) {
1925 ret
= krb5_enomem(context
);
1928 new_hostname
= tmp_hostname
;
1932 if ((rule
->options
& KRB5_NCRO_USE_DNSSEC
)) {
1933 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1934 krb5_set_error_message(context
, ret
,
1935 "Secure hostname resolution not supported");
1938 _krb5_debug(context
, 5, "Using name service lookups");
1939 ret
= krb5_sname_to_principal_old(context
, rule
->realm
,
1940 orig_hostname
, sname
,
1943 if (rules
[rule_idx
+ 1].type
!= KRB5_NCRT_BOGUS
&&
1944 (ret
== KRB5_ERR_BAD_HOSTNAME
||
1945 ret
== KRB5_ERR_HOST_REALM_UNKNOWN
)) {
1947 * Bad hostname / realm unknown -> rule inapplicable if
1948 * there's more rules. If it's the last rule then we want
1949 * to return all errors from krb5_sname_to_principal_old()
1958 new_hostname
= krb5_principal_get_comp_string(context
, nss
, 1);
1959 new_realm
= krb5_principal_get_realm(context
, nss
);
1969 * This rule applies.
1971 * Copy in_princ and mutate the copy per the matched rule.
1973 * This way we apply to principals with two or more components, such as
1974 * domain-based names.
1976 ret
= krb5_copy_principal(context
, in_princ
, out_princ
);
1980 if (new_realm
== NULL
&& (rule
->options
& KRB5_NCRO_LOOKUP_REALM
) != 0) {
1981 ret
= get_host_realm(context
, new_hostname
, &tmp_realm
);
1984 new_realm
= tmp_realm
;
1987 /* If we stripped off a :port, add it back in */
1988 if (port
!= NULL
&& new_hostname
!= NULL
) {
1989 if (asprintf(&hostname_with_port
, "%s%s", new_hostname
, port
) == -1 ||
1990 hostname_with_port
== NULL
) {
1991 ret
= krb5_enomem(context
);
1994 new_hostname
= hostname_with_port
;
1997 if (new_realm
!= NULL
&&
1998 (ret
= krb5_principal_set_realm(context
, *out_princ
, new_realm
)))
2000 if (new_hostname
!= NULL
&&
2001 (ret
= krb5_principal_set_comp_string(context
, *out_princ
, 1, new_hostname
)))
2003 if (princ_type(*out_princ
) == KRB5_NT_SRV_HST_NEEDS_CANON
)
2004 princ_type(*out_princ
) = KRB5_NT_SRV_HST
;
2006 /* Trace rule application */
2008 krb5_error_code ret2
;
2011 ret2
= krb5_unparse_name(context
, *out_princ
, &unparsed
);
2013 _krb5_debug(context
, 5,
2014 N_("Couldn't unparse canonicalized princicpal (%d)",
2018 _krb5_debug(context
, 5,
2019 N_("Name canon rule application yields %s", ""),
2026 free(hostname_sans_port
);
2027 free(hostname_with_port
);
2030 krb5_free_principal(context
, nss
);
2032 krb5_set_error_message(context
, ret
,
2033 N_("Name canon rule application failed", ""));
2038 * Free name canonicalization rules
2040 KRB5_LIB_FUNCTION
void
2041 _krb5_free_name_canon_rules(krb5_context context
, krb5_name_canon_rule rules
)
2048 for (k
= 0; rules
[k
].type
!= KRB5_NCRT_BOGUS
; k
++) {
2049 free(rules
[k
].match_domain
);
2050 free(rules
[k
].match_realm
);
2051 free(rules
[k
].domain
);
2052 free(rules
[k
].realm
);
2057 struct krb5_name_canon_iterator_data
{
2058 krb5_name_canon_rule rules
;
2059 krb5_const_principal in_princ
; /* given princ */
2060 krb5_const_principal out_princ
; /* princ to be output */
2061 krb5_principal tmp_princ
; /* to be freed */
2062 int is_trivial
; /* no canon to be done */
2063 int done
; /* no more rules to be applied */
2064 size_t cursor
; /* current/next rule */
2068 * Initialize name canonicalization iterator.
2070 * @param context Kerberos context
2071 * @param in_princ principal name to be canonicalized OR
2072 * @param iter output iterator object
2074 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2075 krb5_name_canon_iterator_start(krb5_context context
,
2076 krb5_const_principal in_princ
,
2077 krb5_name_canon_iterator
*iter
)
2079 krb5_error_code ret
;
2080 krb5_name_canon_iterator state
;
2084 state
= calloc(1, sizeof (*state
));
2086 return krb5_enomem(context
);
2087 state
->in_princ
= in_princ
;
2089 if (princ_type(state
->in_princ
) == KRB5_NT_SRV_HST_NEEDS_CANON
) {
2090 ret
= _krb5_get_name_canon_rules(context
, &state
->rules
);
2094 /* Name needs no canon -> trivial iterator: in_princ is canonical */
2095 state
->is_trivial
= 1;
2102 krb5_free_name_canon_iterator(context
, state
);
2103 return krb5_enomem(context
);
2107 * Helper for name canon iteration.
2109 static krb5_error_code
2110 name_canon_iterate(krb5_context context
,
2111 krb5_name_canon_iterator
*iter
,
2112 krb5_name_canon_rule_options
*rule_opts
)
2114 krb5_error_code ret
;
2115 krb5_name_canon_iterator state
= *iter
;
2124 krb5_free_name_canon_iterator(context
, state
);
2129 if (state
->is_trivial
&& !state
->done
) {
2130 state
->out_princ
= state
->in_princ
;
2135 heim_assert(state
->rules
!= NULL
&&
2136 state
->rules
[state
->cursor
].type
!= KRB5_NCRT_BOGUS
,
2137 "Internal error during name canonicalization");
2140 krb5_free_principal(context
, state
->tmp_princ
);
2141 ret
= apply_name_canon_rule(context
, state
->rules
, state
->cursor
,
2142 state
->in_princ
, &state
->tmp_princ
, rule_opts
);
2144 krb5_free_name_canon_iterator(context
, state
);
2149 } while (state
->tmp_princ
== NULL
&&
2150 state
->rules
[state
->cursor
].type
!= KRB5_NCRT_BOGUS
);
2152 if (state
->rules
[state
->cursor
].type
== KRB5_NCRT_BOGUS
)
2155 state
->out_princ
= state
->tmp_princ
;
2156 if (state
->tmp_princ
== NULL
) {
2157 krb5_free_name_canon_iterator(context
, state
);
2165 * Iteratively apply name canon rules, outputing a principal and rule
2166 * options each time. Iteration completes when the @iter is NULL on
2167 * return or when an error is returned. Callers must free the iterator
2168 * if they abandon it mid-way.
2170 * @param context Kerberos context
2171 * @param iter name canon rule iterator (input/output)
2172 * @param try_princ output principal name
2173 * @param rule_opts output rule options
2175 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2176 krb5_name_canon_iterate(krb5_context context
,
2177 krb5_name_canon_iterator
*iter
,
2178 krb5_const_principal
*try_princ
,
2179 krb5_name_canon_rule_options
*rule_opts
)
2181 krb5_error_code ret
;
2185 ret
= name_canon_iterate(context
, iter
, rule_opts
);
2187 *try_princ
= (*iter
)->out_princ
;
2192 * Free a name canonicalization rule iterator.
2194 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
2195 krb5_free_name_canon_iterator(krb5_context context
,
2196 krb5_name_canon_iterator iter
)
2200 if (iter
->tmp_princ
)
2201 krb5_free_principal(context
, iter
->tmp_princ
);