krb5: _krb5_principal_is_anonymous() helper API
Add the _krb5_principal_is_anonymous() private API for checking whether a principal is anonymous. The third argument selects whether to match authenticated anonymous principals, unauthenticated anonymous principals, or both.

committed by
Jeffrey Altman

parent
4559618391
commit
bcc90f1b87
@@ -1613,13 +1613,7 @@ generate_pac(kdc_request_t r, Key *skey)
|
||||
krb5_boolean
|
||||
_kdc_is_anonymous(krb5_context context, krb5_const_principal principal)
|
||||
{
|
||||
if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
|
||||
principal->name.name_type != KRB5_NT_UNKNOWN) ||
|
||||
principal->name.name_string.len != 2 ||
|
||||
strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
|
||||
strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
|
||||
return 0;
|
||||
return 1;
|
||||
return _krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY);
|
||||
}
|
||||
|
||||
static int
|
||||
|
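Review bot: _kdc_is_anonymous() is now a one-line wrapper that passes KRB5_ANON_MATCH_ANY, so on the KDC side an authenticated anonymous name (WELLKNOWN/ANONYMOUS in an ordinary realm) and an unauthenticated one (realm WELLKNOWN:ANONYMOUS) are still reported identically, exactly as the removed body did; its callers are outside this hunk, so I cannot tell whether any of them would benefit from the distinction. Since the wrapper keeps the KDC-local name and the unused `context` parameter, a comment stating that the conflation is intentional would stop a later caller from assuming it implies an unauthenticated client: `/* Matches both authenticated and unauthenticated anonymous names; callers that must tell them apart should call _krb5_principal_is_anonymous() with a narrower flag. */`.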
@@ -425,18 +425,6 @@ store_ntlmkey(krb5_context context, krb5_ccache id,
|
||||
}
|
||||
#endif
|
||||
|
||||
static krb5_boolean
|
||||
is_anonymous_princ_p(krb5_const_principal principal)
|
||||
{
|
||||
if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
|
||||
principal->name.name_type != KRB5_NT_UNKNOWN) ||
|
||||
principal->name.name_string.len != 2 ||
|
||||
strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
|
||||
strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
get_new_tickets(krb5_context context,
|
||||
krb5_principal principal,
|
||||
@@ -642,7 +630,8 @@ get_new_tickets(krb5_context context,
|
||||
krb5_warn(context, ret, "krb5_init_creds_set_keytab");
|
||||
goto out;
|
||||
}
|
||||
} else if (pk_user_id || ent_user_id || is_anonymous_princ_p(principal)) {
|
||||
} else if (pk_user_id || ent_user_id ||
|
||||
_krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
|
||||
|
||||
} else if (!interactive && passwd[0] == '\0') {
|
||||
static int already_warned = 0;
|
||||
|
@@ -72,6 +72,7 @@
|
||||
#include <parse_time.h>
|
||||
#include <err.h>
|
||||
#include <krb5.h>
|
||||
#include "krb5_locl.h"
|
||||
|
||||
#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
|
||||
#include <sys/ioctl.h>
|
||||
|
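Review bot: Adding `#include "krb5_locl.h"` to what looks like the kuser-local header pulls the libkrb5 private header, and everything it includes, into every program built on this header in order to reach one `_krb5_` symbol and three macros. That is consistent with the commit's stated choice of a private API, but it couples the client programs to libkrb5 internals and requires the `_krb5_` symbol to remain exported (which the .def and version-script changes do). If that coupling is acceptable, a comment such as `/* for _krb5_principal_is_anonymous() and KRB5_ANON_MATCH_* */` would explain why a private header is included here; if not, a small public krb5_principal_is_anonymous() wrapper is the alternative.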
@@ -402,4 +402,9 @@ struct krb5_plugin_data {
|
||||
krb5_get_instance_func_t get_instance;
|
||||
};
|
||||
|
||||
/* _krb5_principal_is_anonymous() */
|
||||
#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */
|
||||
#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */
|
||||
#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED )
|
||||
|
||||
#endif /* __KRB5_LOCL_H__ */
|
||||
|
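Review bot: The comments on the two KRB5_ANON_MATCH_* flags describe a use case rather than what the helper actually tests, which from the principal.c hunk is solely whether the realm string equals KRB5_ANON_REALM. I would state the criterion so callers know what they are selecting on: `#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* WELLKNOWN/ANONYMOUS in a real realm (ticket carries the anonymous flag) */` and `#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS (anonymous PKINIT) */`. It is also worth a line that the values are bit flags and that passing 0 always yields FALSE.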
@@ -776,6 +776,7 @@ EXPORTS
|
||||
_krb5_pk_octetstring2key
|
||||
_krb5_plugin_run_f
|
||||
_krb5_enctype_requires_random_salt
|
||||
_krb5_principal_is_anonymous
|
||||
_krb5_principal2principalname
|
||||
_krb5_principalname2krb5_principal
|
||||
_krb5_put_int
|
||||
|
@@ -1247,6 +1247,32 @@ krb5_principal_is_root_krbtgt(krb5_context context, krb5_const_principal p)
|
||||
strcmp(p->name.name_string.val[1], p->realm) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true iff name is WELLKNOWN/ANONYMOUS
|
||||
*
|
||||
* @ingroup krb5_principal
|
||||
*/
|
||||
|
||||
krb5_boolean KRB5_LIB_FUNCTION
|
||||
_krb5_principal_is_anonymous(krb5_context context,
|
||||
krb5_const_principal p,
|
||||
unsigned int flags)
|
||||
{
|
||||
int anon_realm;
|
||||
|
||||
if ((p->name.name_type != KRB5_NT_WELLKNOWN &&
|
||||
p->name.name_type != KRB5_NT_UNKNOWN) ||
|
||||
p->name.name_string.len != 2 ||
|
||||
strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
|
||||
strcmp(p->name.name_string.val[1], KRB5_ANON_NAME) != 0)
|
||||
return FALSE;
|
||||
|
||||
anon_realm = strcmp(p->realm, KRB5_ANON_REALM) == 0;
|
||||
|
||||
return ((flags & KRB5_ANON_MATCH_AUTHENTICATED) && !anon_realm) ||
|
||||
((flags & KRB5_ANON_MATCH_UNAUTHENTICATED) && anon_realm);
|
||||
}
|
||||
|
||||
static int
|
||||
tolower_ascii(int c)
|
||||
{
|
||||
|
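Review bot: The doc comment on _krb5_principal_is_anonymous() says only "Returns true iff name is WELLKNOWN/ANONYMOUS", but the function also applies `flags` after the name match: it returns TRUE for KRB5_ANON_MATCH_UNAUTHENTICATED only when the realm is exactly KRB5_ANON_REALM and for KRB5_ANON_MATCH_AUTHENTICATED only when it is not, so `flags == 0` or a stray bit always yields FALSE. I would add `@param flags KRB5_ANON_MATCH_AUTHENTICATED matches the name in a real realm, KRB5_ANON_MATCH_UNAUTHENTICATED matches the WELLKNOWN:ANONYMOUS realm, KRB5_ANON_MATCH_ANY matches either` and note that the realm comparison is a case-sensitive strcmp, which is the right behaviour for Kerberos realms. Every caller in this commit passes KRB5_ANON_MATCH_ANY, so the realm split is not yet exercised; any future caller that turns the AUTHENTICATED/UNAUTHENTICATED distinction into an authorization decision should be aware that it rests entirely on the realm string of the principal being classified. Minor: `anon_realm` could be declared `krb5_boolean` to match the return type.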
@@ -527,18 +527,6 @@ noreferral:
|
||||
}
|
||||
|
||||
|
||||
static krb5_boolean
|
||||
is_anonymous_principal(krb5_context context, krb5_const_principal principal)
|
||||
{
|
||||
if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
|
||||
principal->name.name_type != KRB5_NT_UNKNOWN) ||
|
||||
principal->name.name_string.len != 2 ||
|
||||
strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
|
||||
strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify returned client principal name in anonymous/referral case
|
||||
*/
|
||||
@@ -551,7 +539,7 @@ check_client_mismatch(krb5_context context,
|
||||
krb5_keyblock const * key)
|
||||
{
|
||||
if (rep->enc_part.flags.anonymous) {
|
||||
if (!is_anonymous_principal(context, mapped)) {
|
||||
if (!_krb5_principal_is_anonymous(context, mapped, KRB5_ANON_MATCH_ANY)) {
|
||||
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
|
||||
N_("Anonymous ticket does not contain anonymous "
|
||||
"principal", ""));
|
||||
|
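Review bot: check_client_mismatch() still accepts any anonymous principal (`KRB5_ANON_MATCH_ANY`) when `rep->enc_part.flags.anonymous` is set, so a reply whose client is WELLKNOWN/ANONYMOUS in an ordinary realm passes this check even when the request was unauthenticated anonymous PKINIT, where, as I read RFC 8062, the client realm is expected to be WELLKNOWN:ANONYMOUS. This preserves what the removed is_anonymous_principal() did and the request type is not visible in the hunk, so it is an observation rather than a regression; now that the helper can distinguish the two forms, the caller could pass `KRB5_ANON_MATCH_UNAUTHENTICATED` when it knows it issued an anonymous PKINIT request and thereby tighten the mismatch check. The remainder of check_client_mismatch() lies outside the hunk.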
@@ -767,6 +767,7 @@ HEIMDAL_KRB5_2.0 {
|
||||
_krb5_pk_mk_ContentInfo;
|
||||
_krb5_pk_octetstring2key;
|
||||
_krb5_plugin_run_f;
|
||||
_krb5_principal_is_anonymous;
|
||||
_krb5_principal2principalname;
|
||||
_krb5_principalname2krb5_principal;
|
||||
_krb5_put_int;
|
||||
|