/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright 2001, 2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* krb5_check_transited_list()
*/
#include "k5-int.h"
#include <stdarg.h>
/* NOTE(review): the conditional that this #define and the first #endif
   belong to is not visible in this listing. */
# define DEBUG
#endif
#ifdef DEBUG
/* Only defined in DEBUG builds and starts at 0; presumably gates the
   Tprintf trace output used throughout this file (the Tprintf definition
   is not visible here) -- confirm. */
static int verbose = 0;
#else
#endif
/*
 * process_intermediates -- name taken from the trace string below; the
 * parameter list and a number of statements are missing from this listing,
 * so these notes describe only what the visible lines show.
 *
 * Works on two realm names (n1/n2, also seen as p1/len1 and p2/len2) and
 * appears to report the realms lying between them in a hierarchy.
 * Returns 0 on success, a non-zero r propagated from a call that is not
 * visible here, or KRB5KRB_AP_ERR_ILL_CR_TKT whenever the two names cannot
 * be related: equal length but different, empty, mixed X.500/domain
 * styles, or no shared prefix/suffix.
 *
 * Realm names are traced with "%.*s" and an explicit length rather than
 * "%s"; a comment later in this file notes that they are krb5_data objects
 * which may not be NUL-terminated.
 */
static krb5_error_code
Tprintf (("process_intermediates(%.*s,%.*s)\n",
Tprintf (("(walking intermediates now)\n"));
/* Simplify... */
/* Exchange the two names through the temporary p; per the comment that
   follows, the goal is that len1 is never the longer of the two. */
const krb5_data *p;
p = n1;
n2 = p;
}
/* Okay, now len1 is always shorter or equal. */
/* Two names of equal length that differ cannot be prefix/suffix of one
   another, so the pair is refused. */
Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/* Presumably the identical-names case: nothing lies in between. */
Tprintf (("(end intermediates)\n"));
return 0;
}
/* Now len1 is always shorter. */
if (len1 == 0)
/* Shouldn't be possible. Internal error? */
return KRB5KRB_AP_ERR_ILL_CR_TKT;
if (p1[0] == '/') {
/* X.500 style names, with common prefix. */
/* Both names must use the same style; a leading '/' on only one of them
   is refused rather than guessed at. */
if (p2[0] != '/') {
Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/* The shorter name has to be a prefix of the longer one; otherwise the
   range would span unrelated branches of the hierarchy. */
Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/* A '/' at offset i in the longer name marks a component boundary;
   d presumably describes the first i bytes of p2.
   NOTE(review): the assignment of d.data and the call that produces r are
   missing from this listing. */
if (p2[i] == '/') {
krb5_data d;
d.length = i;
/* Stop at the first failure reported for an intermediate realm. */
if (r)
return r;
}
} else {
/* Domain style names, with common suffix. */
/* Mirror of the X.500 checks: same style required, and the shorter name
   must be a suffix of the longer one. */
if (p2[0] == '/') {
Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/* NOTE(review): the loop, the setup of d and the call that produces r are
   not visible here; only the error propagation survives. */
krb5_data d;
if (r)
return r;
}
}
}
Tprintf (("(end intermediates)\n"));
return 0;
}
/*
 * NOTE(review): the name, parameters and most of the body of this helper
 * are missing from this listing.  The surviving lines show three outcomes:
 * success (0), KRB5KRB_AP_ERR_ILL_CR_TKT, and a "too big" rejection that
 * uses the same error code.
 */
static krb5_error_code
{
return 0;
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/* We can ignore the case where the previous component was
empty; the strcat will be a no-op. It should probably
be an error case, but let's be flexible. */
/* Size guard: a result that does not fit is refused with an error instead
   of being truncated.
   NOTE(review): the length comparison itself is not visible here; confirm
   it runs before any bytes are appended and counts both components against
   the destination capacity. */
Tprintf (("too big\n"));
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
}
/* Otherwise, do nothing. */
return 0;
}
/* The input strings cannot contain any \0 bytes, according to the
spec, but our API is such that they may not be \0 terminated
either. Thus we keep on treating them as krb5_data objects instead
of C strings. */
/*
 * Appears to be the scanner for the transited encoding (its name and
 * parameters are missing from this listing).  From the visible branches it
 * walks the input one byte at a time through p and copies bytes into a
 * working buffer through bufp:
 *   - '\\'  sets next_lit so the following byte is copied literally;
 *   - ','   ends the current component;
 *   - any other byte is copied as a literal.
 * The `intermediates` flag is set in one branch of the ',' handling and
 * tested when the next component is complete; the conditions around it are
 * only partly visible.
 * Returns 0 on success, a propagated non-zero r, or
 * KRB5KRB_AP_ERR_ILL_CR_TKT.
 */
static krb5_error_code
{
char *p, *bufp;
/* Invariants:
- last_component points to last[]
- this_component points to buf[]
- last_component has length of last
- this_component has length of buf when calling out
Keep these consistent, and we should be okay. */
next_lit = 0;
intermediates = 0;
last_component.length = 0;
/* Presumably the empty-encoding case: nothing to report, succeed. */
Tprintf (("no other realms transited\n"));
return 0;
}
if (next_lit) {
/* Escaped byte: stored as-is, then the escape state is cleared.
   NOTE(review): the condition guarding the return below is missing from
   this listing; presumably a bounds check on bufp against the end of
   buf[].  Confirm the store above can never land past the buffer. */
*bufp++ = *p;
return KRB5KRB_AP_ERR_ILL_CR_TKT;
next_lit = 0;
} else if (*p == '\\') {
next_lit = 1;
} else if (*p == ',') {
/* Component boundary.  The calls that set r are not visible; each
   failure is returned immediately. */
if (r)
return r;
if (r)
return r;
if (intermediates) {
&this_component, crealm);
else {
}
if (r)
return r;
}
intermediates = 0;
} else {
intermediates = 1;
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
}
/* This next component stands alone, even if it has a
trailing dot or leading slash. */
last_component.length = 0;
} else {
/* Not a special character; literal. */
/* NOTE(review): as with the escaped-byte store, the guard for the return
   below is not visible; presumably the same buffer-end check. */
*bufp++ = *p;
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
}
/* At end. Must be normal state. */
/* NOTE(review): only the trace call is visible under this if; confirm the
   full source also fails with KRB5KRB_AP_ERR_ILL_CR_TKT when the input
   ends immediately after a backslash. */
if (next_lit)
Tprintf (("ending in next-char-literal state\n"));
/* Process trailing element or comma. */
/* Trailing comma. */
} else {
/* Trailing component. */
if (r)
return r;
if (r)
return r;
if (intermediates)
}
if (r != 0)
return r;
return 0;
}
/* NOTE(review): no members are visible in this listing; presumably this
   carries the state used by the per-realm check that follows -- confirm
   against the full source. */
struct check_data {
};
/*
 * Per-realm check (name and parameters are missing from this listing).
 * The visible lines show an index variable i, a `return 0` on the
 * accepting path, and a fall-through that traces "BAD!" and fails with
 * KRB5KRB_AP_ERR_ILL_CR_TKT.
 * NOTE(review): the comparison that selects the accepting path is not
 * visible.  Realm names in this file are length-counted and may lack a
 * terminator, so confirm it compares both length and bytes.
 */
static krb5_error_code
{
int i;
return 0;
}
Tprintf (("BAD!\n"));
return KRB5KRB_AP_ERR_ILL_CR_TKT;
}
/*
 * krb5_check_transited_list -- name taken from the trace string below; the
 * signature and several statements are missing from this listing.
 * The trace names three length-counted inputs: trans, crealm and srealm.
 * Returns 0 when the check passes or is skipped, otherwise the non-zero r
 * from a call that is not visible here.
 */
{
Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n",
/* Two early-success paths that skip the check entirely.
   NOTE(review): the conditions selecting them are not visible; the first
   is presumably an empty transited field, the second is the anonymous
   case named in its comment.  Confirm neither can be reached with a
   non-empty transited list for an ordinary client. */
return 0;
return 0; /* Nothing to check for anonymous */
if (r) {
Tprintf (("error %ld\n", (long) r));
return r;
}
#ifdef DEBUG /* avoid compiler warning about 'd' unused */
{
/* Debug-only dump of the "tgs list"; the loop body is not visible. */
int i;
Tprintf (("tgs list = {\n"));
char *name;
}
Tprintf (("}\n"));
}
#endif
return r;
}
/* Stand-alone test driver, compiled only when TEST is defined. */
#ifdef TEST
/* Test-only helper; only its `return 0` survives in this listing. */
static krb5_error_code
{
return 0;
}
/* Driver body (the function header and option parsing are mostly missing
   from this listing). */
const char *me;
int expand_only = 0;
else
/* NOTE(review): the `usage` label this jumps to is not visible here. */
goto usage;
}
if (argc != 4) {
printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
me);
return 1;
}
if (expand_only) {
/* Expansion mode: an empty encoding is reported and treated as success. */
if (argv[3][0] == 0) {
printf ("no other realms transited\n");
return 0;
}
if (r)
printf ("--> returned error %ld\n", (long) r);
/* Exit status is 1 on any error, 0 otherwise. */
return r != 0;
} else {
/* Actually check the values against the supplied krb5.conf file. */
r = krb5_init_context (&ctx);
if (r) {
return 1;
}
/* Verdict goes to stdout.  Note that "NO" and "YES" both fall through to
   the `return 0` below, so a script using this driver has to read the
   output; the exit status only distinguishes the unexpected-error case. */
if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
printf ("NO\n");
} else if (r == 0) {
printf ("YES\n");
} else {
printf ("kablooey!\n");
return 1;
}
return 0;
}
}
#endif /* TEST */