1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/krb/princ_comp.c - Compare two principals for equality */
3 /*
4 * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology.
5 * All Rights Reserved.
6 *
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
25 */
26
27 #include "k5-int.h"
28 #include "k5-unicode.h"
29
30 static krb5_boolean
realm_compare_flags(krb5_context context,krb5_const_principal princ1,krb5_const_principal princ2,int flags)31 realm_compare_flags(krb5_context context,
32 krb5_const_principal princ1,
33 krb5_const_principal princ2,
34 int flags)
35 {
36 const krb5_data *realm1 = &princ1->realm;
37 const krb5_data *realm2 = &princ2->realm;
38
39 if (realm1->length != realm2->length)
40 return FALSE;
41 if (realm1->length == 0)
42 return TRUE;
43
44 return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ?
45 (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
46 (memcmp(realm1->data, realm2->data, realm2->length) == 0);
47 }
48
49 krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context,krb5_const_principal princ1,krb5_const_principal princ2)50 krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
51 {
52 return realm_compare_flags(context, princ1, princ2, 0);
53 }
54
55 static krb5_error_code
upn_to_principal(krb5_context context,krb5_const_principal princ,krb5_principal * upn)56 upn_to_principal(krb5_context context,
57 krb5_const_principal princ,
58 krb5_principal *upn)
59 {
60 char *unparsed_name;
61 krb5_error_code code;
62
63 code = krb5_unparse_name_flags(context, princ,
64 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
65 &unparsed_name);
66 if (code) {
67 *upn = NULL;
68 return code;
69 }
70
71 code = krb5_parse_name(context, unparsed_name, upn);
72
73 free(unparsed_name);
74
75 return code;
76 }
77
78 krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context context,krb5_const_principal princ1,krb5_const_principal princ2,int flags)79 krb5_principal_compare_flags(krb5_context context,
80 krb5_const_principal princ1,
81 krb5_const_principal princ2,
82 int flags)
83 {
84 krb5_int32 i;
85 unsigned int utf8 = (flags & KRB5_PRINCIPAL_COMPARE_UTF8) != 0;
86 unsigned int casefold = (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) != 0;
87 krb5_principal upn1 = NULL;
88 krb5_principal upn2 = NULL;
89 krb5_boolean ret = FALSE;
90
91 if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
92 /* Treat UPNs as if they were real principals */
93 if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
94 if (upn_to_principal(context, princ1, &upn1) == 0)
95 princ1 = upn1;
96 }
97 if (princ2->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
98 if (upn_to_principal(context, princ2, &upn2) == 0)
99 princ2 = upn2;
100 }
101 }
102
103 if (princ1->length != princ2->length)
104 goto out;
105
106 if ((flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) == 0 &&
107 !realm_compare_flags(context, princ1, princ2, flags))
108 goto out;
109
110 for (i = 0; i < princ1->length; i++) {
111 const krb5_data *p1 = &princ1->data[i];
112 const krb5_data *p2 = &princ2->data[i];
113 krb5_boolean eq;
114
115 if (casefold) {
116 if (utf8)
117 eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0);
118 else
119 eq = (p1->length == p2->length
120 && strncasecmp(p1->data, p2->data, p2->length) == 0);
121 } else
122 eq = data_eq(*p1, *p2);
123
124 if (!eq)
125 goto out;
126 }
127
128 ret = TRUE;
129
130 out:
131 if (upn1 != NULL)
132 krb5_free_principal(context, upn1);
133 if (upn2 != NULL)
134 krb5_free_principal(context, upn2);
135
136 return ret;
137 }
138
krb5_is_referral_realm(const krb5_data * r)139 krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
140 {
141 /*
142 * Check for a match with KRB5_REFERRAL_REALM. Currently this relies
143 * on that string constant being zero-length. (Unlike principal realm
144 * names, KRB5_REFERRAL_REALM is known to be a string.)
145 */
146 assert(strlen(KRB5_REFERRAL_REALM)==0);
147 if (r->length==0)
148 return TRUE;
149 else
150 return FALSE;
151 }
152
153 krb5_boolean KRB5_CALLCONV
krb5_principal_compare(krb5_context context,krb5_const_principal princ1,krb5_const_principal princ2)154 krb5_principal_compare(krb5_context context,
155 krb5_const_principal princ1,
156 krb5_const_principal princ2)
157 {
158 return krb5_principal_compare_flags(context, princ1, princ2, 0);
159 }
160
161 krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context context,krb5_const_principal princ1,krb5_const_principal princ2)162 krb5_principal_compare_any_realm(krb5_context context,
163 krb5_const_principal princ1,
164 krb5_const_principal princ2)
165 {
166 return krb5_principal_compare_flags(context, princ1, princ2, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
167 }
168