(krb5_domain_x500_decode): handle zero length tr data;

(krb5_check_transited): new function that does more useful stuff


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13025 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/transited.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska H<>gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -308,6 +308,12 @@ krb5_domain_x500_decode(krb5_context context,
     struct tr_realm *p, **q;
     int ret;
     
+    if(tr.length == 0) {
+	*realms = NULL;
+	num_realms = 0;
+	return 0;
+    }
+
     /* split string in components */
     ret = decode_realms(context, tr.data, tr.length, &r);
     if(ret)
@@ -382,6 +388,44 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
     return 0;
 }
 
+krb5_error_code
+krb5_check_transited(krb5_context context,
+		     krb5_const_realm client_realm,
+		     krb5_const_realm server_realm,
+		     krb5_realm *realms,
+		     int num_realms,
+		     int *bad_realm)
+{
+    char **tr_realms;
+    char **p;
+    int i;
+
+    if(num_realms == 0)
+	return 0;
+    
+    tr_realms = krb5_config_get_strings(context, NULL, 
+					"capaths", 
+					client_realm, 
+					server_realm, 
+					NULL);
+    for(i = 0; i < num_realms; i++) {
+	for(p = tr_realms; p && *p; p++) {
+	    if(strcmp(*p, realms[i]) == 0)
+		break;
+	}
+	if(p == NULL || *p == NULL) {
+	    krb5_config_free_strings(tr_realms);
+	    krb5_set_error_string (context, "no transit through realm %s",
+				   realms[i]);
+	    if(bad_realm)
+		*bad_realm = i;
+	    return KRB5KRB_AP_ERR_ILL_CR_TKT;
+	}
+    }
+    krb5_config_free_strings(tr_realms);
+    return 0;
+}
+
 krb5_error_code
 krb5_check_transited_realms(krb5_context context,
 			    const char *const *realms,