krb5_realm_params **);
krb5_error_code krb5_free_realm_params (krb5_context,
krb5_realm_params *);
+krb5_boolean match_config_pattern(const char *, const char *);
/* str_conv.c */
krb5_error_code
-/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* kdc/do_tgs_req.c
*
#include "policy.h"
#include "extern.h"
#include "adm_proto.h"
+#include <ctype.h>
-static void
-find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *,
- krb5_boolean *, int *);
+static void
+find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *,
+ krb5_boolean *,int *);
-static krb5_error_code
-prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
- int, krb5_principal,
- krb5_data **, const char *);
+static krb5_error_code
+prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int,
+ krb5_principal,krb5_data **,const char *);
static krb5_int32
-is_substr (char *, krb5_data *);
-
-static krb5_int32
-prep_reprocess_req(krb5_kdc_req *, krb5_principal *);
+prep_reprocess_req(krb5_kdc_req *,krb5_principal *);
/*ARGSUSED*/
krb5_error_code
}
db_ref_done = FALSE;
-
ref_tgt_again:
nprincs = 1;
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
return;
}
-/* is_substr - verfies if d1 contains d2->data with head/trail-ing whitespaces
- */
-static krb5_int32
-is_substr ( char *d1, krb5_data *d2)
-{
- krb5_boolean ret = FALSE;
- char *new_d2 = 0, *d2_formated = 0;
- if ( d1 && d2 && d2->data && (d2->length+2 <= strlen(d1))){
- new_d2 = calloc(1,d2->length+1);
- if (new_d2 != NULL) {
- strlcpy(new_d2,d2->data,d2->length+1);
- if (asprintf( &d2_formated, "%c%s%c",' ',new_d2,' ') < 0)
- ret = ENOMEM;
- else if (d2_formated != 0 && strstr(d1, d2_formated) != NULL)
- ret = TRUE;
- free(new_d2);
- free(d2_formated);
- }
- }
- return ret;
-}
-
static krb5_int32
prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
{
krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH;
+ size_t len = 0;
char **realms, **cpp, *temp_buf=NULL;
krb5_data *comp1 = NULL, *comp2 = NULL;
- krb5_int32 host_based_srv_listed = 0, no_host_referral_listed = 0;
+ char *comp1_str = NULL;
/* By now we know that server principal name is unknown.
* If CANONICALIZE flag is set in the request
*/
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) == TRUE &&
- !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
+ !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
krb5_princ_size(kdc_context, request->server) == 2) {
comp1 = krb5_princ_component(kdc_context, request->server, 0);
comp2 = krb5_princ_component(kdc_context, request->server, 1);
- host_based_srv_listed = FALSE;
- no_host_referral_listed = TRUE;
- if (kdc_active_realm->realm_host_based_services != NULL) {
- host_based_srv_listed = is_substr(kdc_active_realm->realm_host_based_services, comp1);
- if (host_based_srv_listed == ENOMEM) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- if (kdc_active_realm->realm_no_host_referral != NULL) {
- no_host_referral_listed = is_substr(kdc_active_realm->realm_no_host_referral,comp1);
- if (no_host_referral_listed == ENOMEM) {
- retval = ENOMEM;
- goto cleanup;
- }
- }
- if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
- (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
+ comp1_str = calloc(1,comp1->length+1);
+ if (!comp1_str) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ strlcpy(comp1_str,comp1->data,comp1->length+1);
+
+ if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+ (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
- (host_based_srv_listed == TRUE ||
- strchr(kdc_active_realm->realm_host_based_services, '*')))) &&
+ (match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE ||
+ match_config_pattern(kdc_active_realm->realm_host_based_services, "*") == TRUE))) &&
(kdc_active_realm->realm_no_host_referral == NULL ||
- (!strchr(kdc_active_realm->realm_host_based_services, '*') &&
- no_host_referral_listed == FALSE))) {
+ (match_config_pattern(kdc_active_realm->realm_no_host_referral, "*") == FALSE &&
+ match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) {
- if (memchr(comp2->data, '.', comp2->length) == NULL)
- goto cleanup;
+ for (len=0; len < comp2->length; len++) {
+ if (comp2->data[len] == '.') break;
+ }
+ if (len == comp2->length)
+ goto cleanup;
temp_buf = calloc(1, comp2->length+1);
if (!temp_buf){
retval = ENOMEM;
}
}
cleanup:
+ free(comp1_str);
return retval;
}
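Review bot: comp1_str is filled with strlcpy from a counted-length principal component, so a component with an embedded NUL is silently truncated before it is matched against realm_host_based_services, and a zero-length component produces an empty pattern on which match_config_pattern's strstr loop never advances (see the match_config_pattern hunk); reject both before the lookup with `if (comp1->length == 0 || memchr(comp1->data, '\0', comp1->length) != NULL) goto cleanup;`, which is the existing non-match outcome. The new `for (len=0; len < comp2->length; len++)` loop only re-implements the removed `memchr(comp2->data, '.', comp2->length) == NULL` test; keeping memchr is shorter and drops the len bookkeeping. The body of prep_reprocess_req between `retval = ENOMEM;` and `cleanup:` lies outside the hunk.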
}
static krb5_error_code
-handle_referrals(krb5_realm_params *rparams, char *no_refrls, char *host_based_srvcs, kdc_realm_t *rdp )
+handle_referral_params(krb5_realm_params *rparams,
+ char *no_refrls, char *host_based_srvcs,
+ kdc_realm_t *rdp )
{
- int i = 0;
krb5_error_code retval = 0;
- if (no_refrls == NULL || strchr(no_refrls, '*') == NULL) {
- if (no_refrls != NULL){
- if (rparams && rparams->realm_no_host_referral) {
- if (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s",
- " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0)
+
+ if (no_refrls && match_config_pattern(no_refrls, "*") == TRUE)
+ rdp->realm_no_host_referral = strdup("*");
+ else {
+ if (rparams && rparams->realm_no_host_referral) {
+ if (match_config_pattern(rparams->realm_no_host_referral, "*") == TRUE)
+ rdp->realm_no_host_referral = strdup("*");
+ else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s",
+ " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0))
+ retval = ENOMEM;
+ else if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ",
+ rparams->realm_no_host_referral, " ") < 0)
+ retval = ENOMEM;
+ } else if( no_refrls != NULL && asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0)
+ retval = ENOMEM;
+ else
+ rdp->realm_no_host_referral = NULL;
+ }
+
+ if (rdp->realm_no_host_referral && match_config_pattern(rdp->realm_no_host_referral, "*") == TRUE) {
+ rdp->realm_host_based_services = NULL;
+ return 0;
+ }
+
+ if (host_based_srvcs && (match_config_pattern(host_based_srvcs, "*") == TRUE))
+ rdp->realm_host_based_services = strdup("*");
+ else {
+ if (rparams && rparams->realm_host_based_services) {
+ if (match_config_pattern(rparams->realm_host_based_services, "*") == TRUE)
+ rdp->realm_host_based_services = strdup("*");
+ else if (host_based_srvcs && asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s",
+ " ", host_based_srvcs," ",rparams->realm_host_based_services, " ") < 0)
retval = ENOMEM;
- } else {
- if(asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0)
+ else if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ",
+ rparams->realm_host_based_services, " ") < 0)
retval = ENOMEM;
- }
- } else {
- if (rparams && rparams->realm_no_host_referral) {
- if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ",
- rparams->realm_no_host_referral, " ") < 0)
+ } else if(host_based_srvcs != NULL && asprintf(&(rdp->realm_host_based_services),"%s%s%s",
+ " ", host_based_srvcs, " ") < 0)
retval = ENOMEM;
- } else
- rdp->realm_no_host_referral = NULL;
- }
-
- if (rdp->realm_no_host_referral &&
- strlen(rdp->realm_no_host_referral) > 1 && strchr(rdp->realm_no_host_referral, '*') != NULL) {
- rdp->realm_no_host_referral = strdup("*");
- } else {
- /* only if no_host_referral != "*" */
-
- if ((host_based_srvcs != NULL && strchr(host_based_srvcs,'*') != NULL) ||
- (rparams && rparams->realm_host_based_services &&
- strchr(rparams->realm_host_based_services,'*') != NULL)) {
- if (asprintf(&(rdp->realm_host_based_services),"%s", "*") < 0)
- retval = ENOMEM;
- } else {
- if (host_based_srvcs != NULL) {
- if (rparams && rparams->realm_host_based_services) {
- if (asprintf(&(rdp->realm_host_based_services),"%s%s%s%s%s",
- " ", host_based_srvcs," ",rparams->realm_host_based_services," ") < 0)
- retval = ENOMEM;
- } else
- if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ",
- host_based_srvcs, " ") < 0)
- retval = ENOMEM;
- } else {
- if (rparams && rparams->realm_host_based_services) {
- if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ",
- rparams->realm_host_based_services, " ") < 0)
- retval = ENOMEM;
- } else
- rdp->realm_host_based_services = NULL;
- }
- }
-
- /* Walk realm_host_based_services and realm_no_host_referral and replace all ',' with whitespace */
- i = 0;
- while (rdp && rdp->realm_host_based_services && (rdp->realm_host_based_services)[i] != 0){
- if ((rdp->realm_host_based_services)[i] == ',')
- (rdp->realm_host_based_services)[i] = ' ';
- i++;
- }
- i = 0;
- while (rdp && rdp->realm_no_host_referral && ( rdp->realm_no_host_referral)[i] != 0){
- if ((rdp->realm_no_host_referral)[i] == ',')
- (rdp->realm_no_host_referral)[i] = ' ';
- i++;
- }
- }
- } else {
- if (no_refrls != NULL && strchr(no_refrls,'*') != NULL) {
- if (asprintf(&(rdp->realm_no_host_referral),"%s", "*") < 0)
- retval = ENOMEM;
- } else
- rdp->realm_no_host_referral = NULL;
+ else
+ rdp->realm_host_based_services = NULL;
}
- return retval;
+ return 0;
}
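Review bot: the merge chains `else if (no_refrls && (asprintf(...) < 0)) retval = ENOMEM; else if (asprintf(...) < 0)` lose the merged list whenever the first asprintf succeeds: its condition is then false, so the second asprintf runs, overwrites rdp->realm_no_host_referral with the rparams value alone and leaks the first buffer; the host_based_srvcs chain further down has the same shape. The final `return 0;` also discards retval, so the ENOMEM assigned in six places never reaches the `if (kret == ENOMEM) goto whoops;` in the caller, and neither `strdup("*")` result is checked. Separate the presence test from the asprintf result in each merge and return retval:
```c
    if (no_refrls && match_config_pattern(no_refrls, "*") == TRUE) {
        rdp->realm_no_host_referral = strdup("*");
        if (rdp->realm_no_host_referral == NULL)
            retval = ENOMEM;
    } else if (rparams && rparams->realm_no_host_referral) {
        if (match_config_pattern(rparams->realm_no_host_referral, "*") == TRUE) {
            rdp->realm_no_host_referral = strdup("*");
            if (rdp->realm_no_host_referral == NULL)
                retval = ENOMEM;
        } else if (no_refrls) {
            /* Both sources present: one space-delimited list of both. */
            if (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s",
                         " ", no_refrls, " ", rparams->realm_no_host_referral, " ") < 0)
                retval = ENOMEM;
        } else if (asprintf(&(rdp->realm_no_host_referral), "%s%s%s", " ",
                            rparams->realm_no_host_referral, " ") < 0) {
            retval = ENOMEM;
        }
    } else if (no_refrls != NULL &&
               asprintf(&(rdp->realm_no_host_referral), "%s%s%s", " ", no_refrls, " ") < 0) {
        retval = ENOMEM;
    } else {
        rdp->realm_no_host_referral = NULL;
    }
    if (retval != 0)
        return retval;
    /* … unchanged: "*" short-circuit, then host_based_services merged with the same structure … */
    return retval;
```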
/*
* Initialize a realm control structure from the alternate profile or from
rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
/* Handle KDC referrals */
- kret = handle_referrals(rparams, no_refrls, host_based_srvcs, rdp);
+ kret = handle_referral_params(rparams, no_refrls, host_based_srvcs, rdp);
if (kret == ENOMEM)
goto whoops;
{
int c;
char *db_name = (char *) NULL;
+ char *lrealm = (char *) NULL;
char *mkey_name = (char *) NULL;
char *rcname = KDCRCACHE;
- char *lrealm;
krb5_error_code retval;
krb5_enctype menctype = ENCTYPE_UNKNOWN;
- kdc_realm_t *rdatap;
+ kdc_realm_t *rdatap = NULL;
krb5_boolean manual = FALSE;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
hierarchy[1] = "kdc_max_dgram_reply_size";
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
- /* The service name "*" means any service. */
hierarchy[1] = "no_host_referral";
- if (!krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)){
- if (no_refrls != NULL && strlen(no_refrls) && strchr(no_refrls, '*')) {
- no_refrls = strdup("*");
- }
- }
- if (no_refrls == 0 || strchr(no_refrls, '*') == NULL) {
+ if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls))
+ no_refrls = 0;
+ if (!no_refrls || match_config_pattern(no_refrls, "*") == FALSE) {
hierarchy[1] = "host_based_services";
- if (!krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs)) {
- if (strchr(host_based_srvcs, '*')) {
- host_based_srvcs = strdup("*");
- }
- }
+ if (krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs))
+ host_based_srvcs = 0;
}
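Review bot: the removed comment `/* The service name "*" means any service. */` was the only explanation of the wildcard at this site, and the replacement test `match_config_pattern(no_refrls, "*") == FALSE` is no more self-explanatory than the strchr it replaces; keep the comment above `hierarchy[1] = "no_host_referral";`. It would also help to state there that host_based_services is deliberately not read when no_host_referral is "*", since the nesting otherwise reads as accidental. The `no_refrls = 0;` on lookup failure is reasonable, but note that the removed strdup("*") path leaked the original buffer and the new code no longer copies at all, so whoever frees no_refrls after handle_referral_params should be checked outside this hunk.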
/* aprof_init can return 0 with aprof == NULL */
return errout;
}
+
#include <ctype.h>
#include <kdb_log.h>
+krb5_boolean match_config_pattern(const char *, const char*);
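Review bot: the added local prototype `krb5_boolean match_config_pattern(const char *, const char*);` duplicates the one this commit adds to the header next to krb5_free_realm_params in the first hunk of this diff; if this file already includes that header (its definition of krb5_read_realm_params suggests it does, though the include is not visible here), the copy is redundant and the two declarations will drift. Declare it once in the header and drop this line; if it has to stay, match the project's prototype style with a space before the `*`.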
static krb5_key_salt_tuple *copy_key_salt_tuple(ksalt, len)
krb5_key_salt_tuple *ksalt;
krb5_int32 len;
{
krb5_error_code kret=0;
char **values;
- int lastidx;
- char *tmp;
- size_t buf_size=0;
+ int lastidx = 0;
+ char *tmp = NULL ;
+ size_t buf_size = 0;
kret = krb5_aprof_getvals(acontext, hierarchy, &values);
if (!kret) {
for (lastidx=0; values[lastidx]; lastidx++);
lastidx--;
- buf_size = strlen(values[0])+2;
+ buf_size = strlen(values[0])+3;
for (lastidx=1; values[lastidx]; lastidx++){
- buf_size += strlen(values[lastidx]+1);
+ buf_size += strlen(values[lastidx]) + 3;
}
}
if (buf_size > 0) {
*stringp = calloc(1,buf_size);
- if (stringp == NULL){
+ if (*stringp == NULL){
profile_free_list(values);
return ENOMEM;
}
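Review bot: the first `for (lastidx=0; values[lastidx]; lastidx++);` and the `lastidx--` after it compute a value that the next loop immediately overwrites with `lastidx=1`, so both lines are dead and can go. The corrected size arithmetic `strlen(values[lastidx]) + 3` fixes the old undercount, but the `strlen(values[0])` it starts from still assumes the list is non-empty; if krb5_aprof_getvals can return 0 with values[0] == NULL (not visible from here), that is a NULL dereference and an empty list should be treated like a failed lookup. The `*stringp == NULL` fix is correct — the old test checked the out-pointer itself. The rest of the function, including what happens when buf_size stays 0, lies outside the hunk.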
rparams->realm_reject_bad_transit_valid = 1;
}
- hierarchy[2] = "no_host_referral";
- if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) {
-
- if (strchr(no_refrls, '*'))
- no_refrls = strdup("*");
- rparams->realm_no_host_referral = no_refrls;
- } else
+ hierarchy[2] = "no_host_referral";
+ if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls))
+ rparams->realm_no_host_referral = no_refrls;
+ else
no_refrls = 0;
- if (no_refrls == 0 || strlen(no_refrls) == 0 || strncmp(no_refrls, "*",1) != 0) {
- hierarchy[2] = "host_based_services";
- if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs)){
- if (strchr(host_based_srvcs, '*'))
- host_based_srvcs = strdup("*");
- rparams->realm_host_based_services = host_based_srvcs;
- } else
- host_based_srvcs = 0;
- }
-
+ if (!no_refrls || match_config_pattern(no_refrls, "*") == FALSE) {
+ hierarchy[2] = "host_based_services";
+ if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs))
+ rparams->realm_host_based_services = host_based_srvcs;
+ else
+ host_based_srvcs = 0;
+ }
/* Get the value for the default principal flags */
hierarchy[2] = "default_principal_flags";
krb5_error_code
krb5_free_realm_params(kcontext, rparams)
krb5_context kcontext;
- krb5_realm_params *rparams;
+ krb5_realm_params *rparams;
{
if (rparams) {
free(rparams->realm_profile);
}
return(0);
}
+/*
+ * match_config_pattern -
+ * returns TRUE is the pattern is found in the attr's list of values.
+ * Otherwise - FALSE.
+ * In conf file the values are separates by commas or whitespaces.
+ */
+krb5_boolean
+match_config_pattern(const char *string, const char *pattern)
+{
+ const char *ptr;
+ char next = '\0';
+ int len = strlen(pattern);
+
+ for (ptr = strstr(string,pattern); ptr != 0; ptr = strstr(ptr+len,pattern)) {
+ if (ptr == string || isspace(*(ptr-1)) || *(ptr-1) ==',') {
+ next = *(ptr + len);
+ if (next == '\0' || isspace(next) || next ==',') {
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+
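Review bot: `isspace(*(ptr-1))` and `isspace(next)` pass a plain char, which is undefined behaviour for byte values above 0x7F (the ctype functions take an unsigned char value or EOF) and profile strings are not guaranteed to be ASCII; cast both arguments to `(unsigned char)`. `int len = strlen(pattern);` narrows size_t, and with an empty pattern strstr returns its argument so `ptr = strstr(ptr+len, pattern)` never advances and the loop only terminates if the string happens to start with a delimiter; add `if (*pattern == '\0') return FALSE;` before the loop and make len a `size_t`. The header comment should read "returns TRUE if the pattern is found", and `next` can be declared inside the loop where it is used.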
krb5_read_realm_params
krb5_string_to_flags
krb5_string_to_keysalts
+match_config_pattern
master_db
master_keyblock
master_princ
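Review bot: match_config_pattern is exported next to krb5_read_realm_params and the other krb5_-prefixed symbols but carries no library prefix, so a generic name enters the library's public symbol namespace where it can collide with an application's own helper of the same name. If it is only needed by the KDC, a prefix matching its neighbours (or keeping it out of the export list and linking it from a shared internal source) would keep the list consistent; the rename would have to follow through the header prototype and the two KDC callers in this diff.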