walk_rtree.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
#pragma ident "%Z%%M% %I% %E% SMI"
/*
*
* Copyright 1990,1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* krb5_walk_realm_tree()
*/
/* ANL - Modified to allow Configurable Authentication Paths.
* This modification removes the restriction on the choice of realm
* names, i.e. they nolonger have to be hierarchical. This
* is allowed by RFC 1510: "If a hierarchical orginization is not used
* it may be necessary to consult some database in order to construct
* an authentication path between realms." The database is contained
* in the [capath] section of the krb5.conf file.
* Client to server paths are defined. There are n**2 possible
* entries, but only those entries which are needed by the client
* or server need be present in its krb5.conf file. (n entries or 2*n
* entries if the same krb5.conf is used for clients and servers)
*
* for example: ESnet will be running a KDC which will share
* inter-realm keys with its many orginizations which include among
* other ANL, NERSC and PNL. Each of these orginizations wants to
* use its DNS name in the realm, ANL.GOV. In addition ANL wants
* to authenticatite to HAL.COM via a K5.MOON and K5.JUPITER
* A [capath] section of the krb5.conf file for the ANL.GOV clients
* and servers would look like:
*
* [capath]
* ANL.GOV = {
* NERSC.GOV = ES.NET
* PNL.GOV = ES.NET
* ES.NET = .
* HAL.COM = K5.MOON
* HAL.COM = K5.JUPITER
* }
* NERSC.GOV = {
* ANL.GOV = ES.NET
* }
* PNL.GOV = {
* ANL.GOV = ES.NET
* }
* ES.NET = {
* ANL.GOV = .
* }
* HAL.COM = {
* ANL.GOV = K5.JUPITER
* ANL.GOV = K5.MOON
* }
*
* In the above a "." is used to mean directly connected since the
* the profile routines cannot handle a null entry.
*
* If no client-to-server path is found, the default hierarchical path
* is still generated.
*
* This version of the Configurable Authentication Path modification
* differs from the previous versions prior to K5 beta 5 in that
* the profile routines are used, and the explicite path from
* client's realm to server's realm must be given. The modifications
* will work together.
* DEE - 5/23/95
*/
#define CONFIGURABLE_AUTHENTICATION_PATH
#include "k5-int.h"
#include "int-proto.h"
/* internal function, used by krb5_get_cred_from_kdc() */
#ifndef min
#define min(x,y) ((x) < (y) ? (x) : (y))
#define max(x,y) ((x) > (y) ? (x) : (y))
#endif
/*
* xxx The following function is very confusing to read and probably
* is buggy. It should be documented better. Here is what I've
* learned about it doing a quick bug fixing walk through. The
* function takes a client and server realm name and returns the set
* of realms (in a field called tree) that you need to get tickets in
* in order to get from the source realm to the destination realm. It
* takes a realm separater character (normally ., but presumably there
* for all those X.500 realms) . There are two modes it runs in: the
* ANL krb5.confmode and the hierarchy mode. The ANL mode is
* fairly obvious. The hierarchy mode looks for common components in
* both the client and server realms. In general, the pointer scp and
* ccp are used to walk through the client and server realms. The
* com_sdot and com_cdot pointers point to (I think) the beginning of
* the common part of the realm names. I.E. strcmp(com_cdot,
* com_sdot) ==0 is roughly an invarient. However, there are cases
* where com_sdot and com_cdot are set to point before the start of
* the client or server strings. I think this only happens when there
* are no common components. --hartmans 2002/03/14
*/
int realm_branch_char;
{
register int i, links = 0;
int nocommon = 1;
const char *cap_names[4];
char *cap_client, *cap_server;
char **cap_nodes;
#endif
return KRB5_NO_TKT_IN_RLM;
return ENOMEM;
return ENOMEM;
}
cap_names[0] = "capaths";
cap_names[3] = 0;
if (cap_code == 0) { /* found a path, so lets use it */
links = 0;
links++;
}
}
/* this simplifies the code later and make */
/* cleanup eaiser as well */
links++; /* count the null entry at end */
} else { /* no path use hierarchical method */
#endif
if (*ccp == realm_branch_char) {
nocommon = 0;
}
}
/* ccp, scp point to common root.
com_cdot, com_sdot point to common components. */
/* handle case of one ran out */
if (!clen) {
/* construct path from client to server, down the tree */
if (!slen)
/* in the same realm--this means there is no ticket
in this realm. */
return KRB5_NO_TKT_IN_RLM;
if (*scp == realm_branch_char) {
/* one is a subdomain of the other */
nocommon = 0;
} /* else normal case of two sharing parents */
}
if (!slen) {
/* construct path from client to server, up the tree */
if (*ccp == realm_branch_char) {
/* one is a subdomain of the other */
nocommon = 0;
} /* else normal case of two sharing parents */
}
if (nocommon)
links = 1;
else
links = 2;
/* if no common ancestor, artificially set up common root at the last
component, then join with special code */
if (*ccp == realm_branch_char) {
links++;
if (nocommon)
}
}
if (*scp == realm_branch_char) {
links++;
if (nocommon)
}
}
if (nocommon) {
if (prevccp)
if (prevscp)
}
} /* end of if use hierarchical method */
#endif
sizeof(krb5_principal)))) {
return ENOMEM;
}
i = 1;
return retval;
}
links--; /* dont count the null entry on end */
if (cap_code == 0) { /* found a path above */
while( i-1 <= links) {
/* don't count trailing whitespace from profile_get */
&rettree[i]))) {
while (i) {
i--;
}
/* cleanup the cap_nodes from profile_get */
for (i = 0; i<=links; i++) {
krb5_xfree(cap_nodes[i]);
}
krb5_xfree((char *)cap_nodes);
return retval;
}
i++;
}
/* cleanup the cap_nodes from profile_get last one has server */
for (i = 0; i<=links; i++) {
krb5_xfree(cap_nodes[i]);
}
krb5_xfree((char *)cap_nodes);
} else { /* if not cap then use hierarchical method */
#endif
ccp++) {
if (*ccp != realm_branch_char)
continue;
++ccp; /* advance past dot */
&rettree[i]))) {
while (i) {
i--;
}
return retval;
}
i++;
}
if (nocommon) {
&rettree[i]))) {
while (i) {
i--;
}
return retval;
}
i++;
}
scp--) {
if (*scp != realm_branch_char)
continue;
break; /* XXX only if . starts realm? */
&rettree[i]))) {
while (i) {
i--;
}
return retval;
}
i++;
}
/* only necessary if building down tree from ancestor or client */
/* however, we can get here if we have only one component
in the server realm name, hence we make sure we found a component
separator there... */
&rettree[i]))) {
while (i) {
i--;
}
return retval;
}
}
}
#endif
return 0;
}