krb5_boolean
_kdc_is_anonymous(krb5_context context, krb5_const_principal principal)
{
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
+ return _krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY);
}
static int
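Review bot: Every call site converted in this commit passes `KRB5_ANON_MATCH_ANY` (here in `_kdc_is_anonymous()`, in the `get_new_tickets` branch, and in the check guarded by `rep->enc_part.flags.anonymous`), so the realm distinction the new helper introduces is not enforced anywhere yet. The reply check is where this matters most: a reply naming WELLKNOWN/ANONYMOUS in an ordinary realm and one in the anonymous realm are accepted alike. If that caller knows which form was requested (not visible in these hunks), passing the matching single flag would bind the reply to the request. At minimum each call should say the choice is deliberate, e.g. `/* KRB5_ANON_MATCH_ANY: either anonymous form is accepted; the realm is not compared */`.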
}
#endif
-static krb5_boolean
-is_anonymous_princ_p(krb5_const_principal principal)
-{
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
-}
-
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_warn(context, ret, "krb5_init_creds_set_keytab");
goto out;
}
- } else if (pk_user_id || ent_user_id || is_anonymous_princ_p(principal)) {
+ } else if (pk_user_id || ent_user_id ||
+ _krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
} else if (!interactive && passwd[0] == '\0') {
static int already_warned = 0;
#include <parse_time.h>
#include <err.h>
#include <krb5.h>
+#include "krb5_locl.h"
#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
#include <sys/ioctl.h>
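Review bot: The added `#include "krb5_locl.h"` pulls libkrb5's private header into what appears, from the surrounding includes, to be application-side code, only to reach `_krb5_principal_is_anonymous()` and the `KRB5_ANON_MATCH_*` macros. That couples the program to library internals and, together with the two export-list additions, makes an underscore-prefixed private symbol part of the exported interface. If the include stays, state its purpose on the line, e.g. `#include "krb5_locl.h" /* _krb5_principal_is_anonymous(), KRB5_ANON_MATCH_* */`, so a later cleanup does not widen the dependency further. The file this hunk patches is not named on the page.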
krb5_get_instance_func_t get_instance;
};
+/* _krb5_principal_is_anonymous() */
+#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */
+#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */
+#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED )
+
#endif /* __KRB5_LOCL_H__ */
_krb5_pk_octetstring2key
_krb5_plugin_run_f
_krb5_enctype_requires_random_salt
+ _krb5_principal_is_anonymous
_krb5_principal2principalname
_krb5_principalname2krb5_principal
_krb5_put_int
strcmp(p->name.name_string.val[1], p->realm) == 0;
}
+/**
+ * Returns true iff name is WELLKNOWN/ANONYMOUS
+ *
+ * @ingroup krb5_principal
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
+_krb5_principal_is_anonymous(krb5_context context,
+ krb5_const_principal p,
+ unsigned int flags)
+{
+ int anon_realm;
+
+ if ((p->name.name_type != KRB5_NT_WELLKNOWN &&
+ p->name.name_type != KRB5_NT_UNKNOWN) ||
+ p->name.name_string.len != 2 ||
+ strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
+ strcmp(p->name.name_string.val[1], KRB5_ANON_NAME) != 0)
+ return FALSE;
+
+ anon_realm = strcmp(p->realm, KRB5_ANON_REALM) == 0;
+
+ return ((flags & KRB5_ANON_MATCH_AUTHENTICATED) && !anon_realm) ||
+ ((flags & KRB5_ANON_MATCH_UNAUTHENTICATED) && anon_realm);
+}
+
static int
tolower_ascii(int c)
{
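Review bot: The doc comment on `_krb5_principal_is_anonymous()` says only "Returns true iff name is WELLKNOWN/ANONYMOUS", but the result also depends on `flags` and on `p->realm`, and callers making authorization decisions need that contract spelled out. I would document that `KRB5_ANON_MATCH_UNAUTHENTICATED` matches only when the realm equals `KRB5_ANON_REALM`, that `KRB5_ANON_MATCH_AUTHENTICATED` matches only when it does not, and that `flags == 0` never matches. The function also passes `p->realm` to `strcmp()` with no NULL check, which the three removed helpers never did because they did not look at the realm. Whether a principal can reach here with an unset realm cannot be told from this hunk, so either guard it with `p->realm != NULL &&` or state the precondition in the comment.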
}
-static krb5_boolean
-is_anonymous_principal(krb5_context context, krb5_const_principal principal)
-{
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
-}
-
/*
* Verify returned client principal name in anonymous/referral case
*/
krb5_keyblock const * key)
{
if (rep->enc_part.flags.anonymous) {
- if (!is_anonymous_principal(context, mapped)) {
+ if (!_krb5_principal_is_anonymous(context, mapped, KRB5_ANON_MATCH_ANY)) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Anonymous ticket does not contain anonymous "
"principal", ""));
_krb5_pk_mk_ContentInfo;
_krb5_pk_octetstring2key;
_krb5_plugin_run_f;
+ _krb5_principal_is_anonymous;
_krb5_principal2principalname;
_krb5_principalname2krb5_principal;
_krb5_put_int;