krb5_error_code
krb5_check_transited_list(context, trans, realm1, realm2)
krb5_context context;
-krb5_data *trans;
-krb5_data *realm1;
-krb5_data *realm2;
+ krb5_data *trans;
+ krb5_data *realm1;
+ krb5_data *realm2;
{
- char prev[MAX_REALM_LN+1];
- char next[MAX_REALM_LN+1];
- char *nextp;
- int i, j;
- int trans_length;
- krb5_error_code retval = 0;
- krb5_principal *tgs_list;
+ char prev[MAX_REALM_LN+1];
+ char next[MAX_REALM_LN+1];
+ char *nextp;
+ int i, j;
+ int trans_length;
+ krb5_error_code retval = 0;
+ krb5_principal *tgs_list;
- if (trans == NULL || trans->data == NULL || trans->length == 0)
- return(0);
- trans_length = trans->data[trans->length-1] ?
- trans->length : trans->length - 1;
+ if (trans == NULL || trans->data == NULL || trans->length == 0)
+ return(0);
+ trans_length = trans->data[trans->length-1] ?
+ trans->length : trans->length - 1;
- for (i = 0; i < trans_length; i++)
- if (trans->data[i] == '\0') {
- /* Realms may not contain ASCII NUL character. */
- return(KRB5KRB_AP_ERR_ILL_CR_TKT);
- }
-
- if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list,
- KRB5_REALM_BRANCH_CHAR))) {
- return(retval);
- }
+ for (i = 0; i < trans_length; i++)
+ if (trans->data[i] == '\0') {
+ /* Realms may not contain ASCII NUL character. */
+ return(KRB5KRB_AP_ERR_ILL_CR_TKT);
+ }
- memset(prev, 0, sizeof(prev));
- memset(next, 0, sizeof(next)), nextp = next;
- for (i = 0; i < trans_length; i++) {
- if (i < trans_length-1 && trans->data[i] == '\\') {
- i++;
- *nextp++ = trans->data[i];
- if (nextp - next >= sizeof(next)) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
+ if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list,
+ KRB5_REALM_BRANCH_CHAR))) {
+ return(retval);
}
- if (i < trans_length && trans->data[i] != ',') {
- *nextp++ = trans->data[i];
- if (nextp - next >= sizeof(next)) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
- }
- next[sizeof(next) - 1] = '\0';
- if (strlen(next) > 0) {
- if (next[0] != '/') {
- if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN)
- strncat(next, prev, sizeof(next) - 1 - strlen(next));
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- for (j = 0; tgs_list[j]; j++) {
- if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length &&
- !memcmp(next, krb5_princ_realm(context, tgs_list[j])->data,
- strlen(next))) {
- retval = 0;
- break;
- }
- }
- if (retval) goto finish;
- }
- if (i+1 < trans_length && trans->data[i+1] == ' ') {
- i++;
- memset(next, 0, sizeof(next)), nextp = next;
- continue;
- }
- if (i+1 < trans_length && trans->data[i+1] != '/') {
- strncpy(prev, next, sizeof(prev) - 1);
- memset(next, 0, sizeof(next)), nextp = next;
- continue;
- }
+
+ memset(prev, 0, sizeof(prev));
+ memset(next, 0, sizeof(next)), nextp = next;
+ for (i = 0; i < trans_length; i++) {
+ if (i < trans_length-1 && trans->data[i] == '\\') {
+ i++;
+ *nextp++ = trans->data[i];
+ if (nextp - next >= sizeof(next)) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto finish;
+ }
+ continue;
+ }
+ if (i < trans_length && trans->data[i] != ',') {
+ *nextp++ = trans->data[i];
+ if (nextp - next >= sizeof(next)) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto finish;
+ }
+ continue;
+ }
+ next[sizeof(next) - 1] = '\0';
+ if (strlen(next) > 0) {
+ if (next[0] != '/') {
+ if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN)
+ strncat(next, prev, sizeof(next) - 1 - strlen(next));
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ for (j = 0; tgs_list[j]; j++) {
+ if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length &&
+ !memcmp(next, krb5_princ_realm(context, tgs_list[j])->data,
+ strlen(next))) {
+ retval = 0;
+ break;
+ }
+ }
+ if (retval) goto finish;
+ }
+ if (i+1 < trans_length && trans->data[i+1] == ' ') {
+ i++;
+ memset(next, 0, sizeof(next)), nextp = next;
+ continue;
+ }
+ if (i+1 < trans_length && trans->data[i+1] != '/') {
+ strncpy(prev, next, sizeof(prev) - 1);
+ memset(next, 0, sizeof(next)), nextp = next;
+ continue;
+ }
+ }
}
- }
finish:
- krb5_free_realm_tree(context, tgs_list);
- return(retval);
+ krb5_free_realm_tree(context, tgs_list);
+ return(retval);
}
int nocommon = 1;
#ifdef CONFIGURABLE_AUTHENTICATION_PATH
- const char *cap_names[4];
- char *cap_client, *cap_server;
- char **cap_nodes;
- krb5_error_code cap_code;
- if ((cap_client = (char *)malloc(client->length + 1)) == NULL)
- return ENOMEM;
- strncpy(cap_client, client->data, client->length);
- cap_client[client->length] = '\0';
- if ((cap_server = (char *)malloc(server->length + 1)) == NULL) {
- krb5_xfree(cap_client);
- return ENOMEM;
+ const char *cap_names[4];
+ char *cap_client, *cap_server;
+ char **cap_nodes;
+ krb5_error_code cap_code;
+ if ((cap_client = (char *)malloc(client->length + 1)) == NULL)
+ return ENOMEM;
+ strncpy(cap_client, client->data, client->length);
+ cap_client[client->length] = '\0';
+ if ((cap_server = (char *)malloc(server->length + 1)) == NULL) {
+ krb5_xfree(cap_client);
+ return ENOMEM;
+ }
+ strncpy(cap_server, server->data, server->length);
+ cap_server[server->length] = '\0';
+ cap_names[0] = "capaths";
+ cap_names[1] = cap_client;
+ cap_names[2] = cap_server;
+ cap_names[3] = 0;
+ cap_code = profile_get_values(context->profile, cap_names, &cap_nodes);
+ krb5_xfree(cap_names[1]); /* done with client string */
+ if (cap_code == 0) { /* found a path, so lets use it */
+ links = 0;
+ if (*cap_nodes[0] != '.') { /* a link of . means direct */
+ while(cap_nodes[links]) {
+ links++;
+ }
}
- strncpy(cap_server, server->data, server->length);
- cap_server[server->length] = '\0';
- cap_names[0] = "capaths";
- cap_names[1] = cap_client;
- cap_names[2] = cap_server;
- cap_names[3] = 0;
- cap_code = profile_get_values(context->profile, cap_names, &cap_nodes);
- krb5_xfree(cap_names[1]); /* done with client string */
- if (cap_code == 0) { /* found a path, so lets use it */
- links = 0;
- if (*cap_nodes[0] != '.') { /* a link of . means direct */
- while(cap_nodes[links]) {
- links++;
- }
- }
- cap_nodes[links] = cap_server; /* put server on end of list */
- /* this simplifies the code later and make */
- /* cleanup eaiser as well */
- links++; /* count the null entry at end */
- } else { /* no path use hierarchical method */
+ cap_nodes[links] = cap_server; /* put server on end of list */
+ /* this simplifies the code later and make */
+ /* cleanup eaiser as well */
+ links++; /* count the null entry at end */
+ } else { /* no path use hierarchical method */
krb5_xfree(cap_names[2]); /* failed, don't need server string */
#endif
- clen = client->length;
- slen = server->length;
+ clen = client->length;
+ slen = server->length;
- for (com_cdot = ccp = client->data + clen - 1,
- com_sdot = scp = server->data + slen - 1;
- clen && slen && *ccp == *scp ;
- ccp--, scp--, clen--, slen--) {
- if (*ccp == realm_branch_char) {
- com_cdot = ccp;
- com_sdot = scp;
- nocommon = 0;
+ for (com_cdot = ccp = client->data + clen - 1,
+ com_sdot = scp = server->data + slen - 1;
+ clen && slen && *ccp == *scp ;
+ ccp--, scp--, clen--, slen--) {
+ if (*ccp == realm_branch_char) {
+ com_cdot = ccp;
+ com_sdot = scp;
+ nocommon = 0;
+ }
}
- }
- /* ccp, scp point to common root.
- com_cdot, com_sdot point to common components. */
- /* handle case of one ran out */
- if (!clen) {
- /* construct path from client to server, down the tree */
- if (!slen)
- /* in the same realm--this means there is no ticket
- in this realm. */
- return KRB5_NO_TKT_IN_RLM;
- if (*scp == realm_branch_char) {
- /* one is a subdomain of the other */
- com_cdot = client->data;
- com_sdot = scp;
- nocommon = 0;
- } /* else normal case of two sharing parents */
- }
- if (!slen) {
- /* construct path from client to server, up the tree */
- if (*ccp == realm_branch_char) {
- /* one is a subdomain of the other */
- com_sdot = server->data;
- com_cdot = ccp;
- nocommon = 0;
- } /* else normal case of two sharing parents */
- }
- /* determine #links to/from common ancestor */
- if (nocommon)
- links = 1;
- else
- links = 2;
- /* if no common ancestor, artificially set up common root at the last
- component, then join with special code */
- for (ccp = client->data; ccp < com_cdot; ccp++) {
- if (*ccp == realm_branch_char) {
- links++;
- if (nocommon)
- prevccp = ccp;
+ /* ccp, scp point to common root.
+ com_cdot, com_sdot point to common components. */
+ /* handle case of one ran out */
+ if (!clen) {
+ /* construct path from client to server, down the tree */
+ if (!slen)
+ /* in the same realm--this means there is no ticket
+ in this realm. */
+ return KRB5_NO_TKT_IN_RLM;
+ if (*scp == realm_branch_char) {
+ /* one is a subdomain of the other */
+ com_cdot = client->data;
+ com_sdot = scp;
+ nocommon = 0;
+ } /* else normal case of two sharing parents */
+ }
+ if (!slen) {
+ /* construct path from client to server, up the tree */
+ if (*ccp == realm_branch_char) {
+ /* one is a subdomain of the other */
+ com_sdot = server->data;
+ com_cdot = ccp;
+ nocommon = 0;
+ } /* else normal case of two sharing parents */
+ }
+ /* determine #links to/from common ancestor */
+ if (nocommon)
+ links = 1;
+ else
+ links = 2;
+ /* if no common ancestor, artificially set up common root at the last
+ component, then join with special code */
+ for (ccp = client->data; ccp < com_cdot; ccp++) {
+ if (*ccp == realm_branch_char) {
+ links++;
+ if (nocommon)
+ prevccp = ccp;
+ }
}
- }
- for (scp = server->data; scp < com_sdot; scp++) {
- if (*scp == realm_branch_char) {
- links++;
- if (nocommon)
- prevscp = scp;
+ for (scp = server->data; scp < com_sdot; scp++) {
+ if (*scp == realm_branch_char) {
+ links++;
+ if (nocommon)
+ prevscp = scp;
+ }
}
- }
- if (nocommon) {
- if (prevccp)
- com_cdot = prevccp;
- if (prevscp)
- com_sdot = prevscp;
+ if (nocommon) {
+ if (prevccp)
+ com_cdot = prevccp;
+ if (prevscp)
+ com_sdot = prevscp;
- if(com_cdot == client->data + client->length -1)
- com_cdot = client->data - 1 ;
- if(com_sdot == server->data + server->length -1)
- com_sdot = server->data - 1 ;
- }
+ if(com_cdot == client->data + client->length -1)
+ com_cdot = client->data - 1 ;
+ if(com_sdot == server->data + server->length -1)
+ com_sdot = server->data - 1 ;
+ }
#ifdef CONFIGURABLE_AUTHENTICATION_PATH
- } /* end of if use hierarchical method */
+ } /* end of if use hierarchical method */
#endif
if (!(rettree = (krb5_principal *)calloc(links+2,
return retval;
}
#ifdef CONFIGURABLE_AUTHENTICATION_PATH
- links--; /* dont count the null entry on end */
- if (cap_code == 0) { /* found a path above */
- tmpcrealm.data = client->data;
- tmpcrealm.length = client->length;
- while( i-1 <= links) {
+ links--; /* dont count the null entry on end */
+ if (cap_code == 0) { /* found a path above */
+ tmpcrealm.data = client->data;
+ tmpcrealm.length = client->length;
+ while( i-1 <= links) {
- tmpsrealm.data = cap_nodes[i-1];
- /* don't count trailing whitespace from profile_get */
- tmpsrealm.length = strcspn(cap_nodes[i-1],"\t ");
- if ((retval = krb5_tgtname(context,
- &tmpsrealm,
- &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
- }
- krb5_xfree(rettree);
- /* cleanup the cap_nodes from profile_get */
- for (i = 0; i<=links; i++) {
- krb5_xfree(cap_nodes[i]);
- }
- krb5_xfree((char *)cap_nodes);
- return retval;
- }
- tmpcrealm.data = tmpsrealm.data;
- tmpcrealm.length = tmpsrealm.length;
- i++;
+ tmpsrealm.data = cap_nodes[i-1];
+ /* don't count trailing whitespace from profile_get */
+ tmpsrealm.length = strcspn(cap_nodes[i-1],"\t ");
+ if ((retval = krb5_tgtname(context,
+ &tmpsrealm,
+ &tmpcrealm,
+ &rettree[i]))) {
+ while (i) {
+ krb5_free_principal(context, rettree[i-1]);
+ i--;
}
- /* cleanup the cap_nodes from profile_get last one has server */
+ krb5_xfree(rettree);
+ /* cleanup the cap_nodes from profile_get */
for (i = 0; i<=links; i++) {
- krb5_xfree(cap_nodes[i]);
+ krb5_xfree(cap_nodes[i]);
}
krb5_xfree((char *)cap_nodes);
- } else { /* if not cap then use hierarchical method */
+ return retval;
+ }
+ tmpcrealm.data = tmpsrealm.data;
+ tmpcrealm.length = tmpsrealm.length;
+ i++;
+ }
+ /* cleanup the cap_nodes from profile_get last one has server */
+ for (i = 0; i<=links; i++) {
+ krb5_xfree(cap_nodes[i]);
+ }
+ krb5_xfree((char *)cap_nodes);
+ } else { /* if not cap then use hierarchical method */
#endif
- for (prevccp = ccp = client->data;
- ccp <= com_cdot;
- ccp++) {
- if (*ccp != realm_branch_char)
- continue;
- ++ccp; /* advance past dot */
- tmpcrealm.data = prevccp;
- tmpcrealm.length = client->length -
- (prevccp - client->data);
- tmpsrealm.data = ccp;
- tmpsrealm.length = client->length -
- (ccp - client->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
+ for (prevccp = ccp = client->data;
+ ccp <= com_cdot;
+ ccp++) {
+ if (*ccp != realm_branch_char)
+ continue;
+ ++ccp; /* advance past dot */
+ tmpcrealm.data = prevccp;
+ tmpcrealm.length = client->length -
+ (prevccp - client->data);
+ tmpsrealm.data = ccp;
+ tmpsrealm.length = client->length -
+ (ccp - client->data);
+ if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
+ &rettree[i]))) {
+ while (i) {
+ krb5_free_principal(context, rettree[i-1]);
+ i--;
+ }
+ krb5_xfree(rettree);
+ return retval;
}
- krb5_xfree(rettree);
- return retval;
+ prevccp = ccp;
+ i++;
}
- prevccp = ccp;
- i++;
- }
- if (nocommon) {
- tmpcrealm.data = com_cdot + 1;
- tmpcrealm.length = client->length -
- (com_cdot + 1 - client->data);
- tmpsrealm.data = com_sdot + 1;
- tmpsrealm.length = server->length -
- (com_sdot + 1 - server->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
+ if (nocommon) {
+ tmpcrealm.data = com_cdot + 1;
+ tmpcrealm.length = client->length -
+ (com_cdot + 1 - client->data);
+ tmpsrealm.data = com_sdot + 1;
+ tmpsrealm.length = server->length -
+ (com_sdot + 1 - server->data);
+ if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
+ &rettree[i]))) {
+ while (i) {
+ krb5_free_principal(context, rettree[i-1]);
+ i--;
+ }
+ krb5_xfree(rettree);
+ return retval;
}
- krb5_xfree(rettree);
- return retval;
+ i++;
}
- i++;
- }
- for (prevscp = com_sdot + 1, scp = com_sdot - 1;
- scp > server->data;
- scp--) {
- if (*scp != realm_branch_char)
- continue;
- if (scp - 1 < server->data)
- break; /* XXX only if . starts realm? */
- tmpcrealm.data = prevscp;
- tmpcrealm.length = server->length -
- (prevscp - server->data);
- tmpsrealm.data = scp + 1;
- tmpsrealm.length = server->length -
- (scp + 1 - server->data);
- if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
+ for (prevscp = com_sdot + 1, scp = com_sdot - 1;
+ scp > server->data;
+ scp--) {
+ if (*scp != realm_branch_char)
+ continue;
+ if (scp - 1 < server->data)
+ break; /* XXX only if . starts realm? */
+ tmpcrealm.data = prevscp;
+ tmpcrealm.length = server->length -
+ (prevscp - server->data);
+ tmpsrealm.data = scp + 1;
+ tmpsrealm.length = server->length -
+ (scp + 1 - server->data);
+ if ((retval = krb5_tgtname(context, &tmpsrealm, &tmpcrealm,
+ &rettree[i]))) {
+ while (i) {
+ krb5_free_principal(context, rettree[i-1]);
+ i--;
+ }
+ krb5_xfree(rettree);
+ return retval;
}
- krb5_xfree(rettree);
- return retval;
+ prevscp = scp + 1;
+ i++;
}
- prevscp = scp + 1;
- i++;
- }
- if (slen && com_sdot >= server->data) {
- /* only necessary if building down tree from ancestor or client */
- /* however, we can get here if we have only one component
- in the server realm name, hence we make sure we found a component
- separator there... */
- tmpcrealm.data = prevscp;
- tmpcrealm.length = server->length -
- (prevscp - server->data);
- if ((retval = krb5_tgtname(context, server, &tmpcrealm,
- &rettree[i]))) {
- while (i) {
- krb5_free_principal(context, rettree[i-1]);
- i--;
+ if (slen && com_sdot >= server->data) {
+ /* only necessary if building down tree from ancestor or client */
+ /* however, we can get here if we have only one component
+ in the server realm name, hence we make sure we found a component
+ separator there... */
+ tmpcrealm.data = prevscp;
+ tmpcrealm.length = server->length -
+ (prevscp - server->data);
+ if ((retval = krb5_tgtname(context, server, &tmpcrealm,
+ &rettree[i]))) {
+ while (i) {
+ krb5_free_principal(context, rettree[i-1]);
+ i--;
+ }
+ krb5_xfree(rettree);
+ return retval;
}
- krb5_xfree(rettree);
- return retval;
}
- }
#ifdef CONFIGURABLE_AUTHENTICATION_PATH
- }
+ }
#endif
*tree = rettree;
return 0;
projects / krb5.git / commitdiff