fromstring,
response));
} else if (nprincs != 1) {
+ /* XXX Is it possible for a principal to have length 1 so that
+ the following statement is undefined? Only length 3 is valid
+ here, but can a length 1 ticket pass through all prior tests? */
+
+ krb5_data *server_1 = krb5_princ_component(request->server, 1);
+ krb5_data *tgs_1 = krb5_princ_component(tgs_server, 1);
+
/* might be a request for a TGT for some other realm; we should
do our best to find such a TGS in this db */
- if (firstpass && request->server[1] &&
- request->server[1]->length == tgs_server[1]->length &&
- !memcmp(request->server[1]->data, tgs_server[1]->data,
- tgs_server[1]->length) &&
- /* also must be proper form for tgs request */
- request->server[2] && !request->server[3]) {
+ if (firstpass && krb5_princ_size(request->server) == 3 &&
+ server_1->length == tgs_1->length &&
+ !memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(&server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
firstpass = 0;
return retval;
}
-#include "../lib/krb/int-proto.h"
-
/*
* The request seems to be for a ticket-granting service somewhere else,
* but we don't have a ticket for the final TGS. Try to give the requestor
*nprincs = 0;
*more = FALSE;
- if (retval = krb5_walk_realm_tree(request->server[0],
- request->server[2],
- &plist))
+ if (retval = krb5_walk_realm_tree(krb5_princ_component(request->server, 0),
+ krb5_princ_component(request->server, 2),
+ &plist, KRB5_REALM_BRANCH_CHAR))
return;
/* move to the end */
+ /* SUPPRESS 530 */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local@local, so we
ignore it */
while (--pl2 > plist) {
*nprincs = 1;
- tmp = (*pl2)[0];
- (*pl2)[0] = tgs_server[0];
+ tmp = krb5_princ_realm(*pl2);
+ krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
retval = krb5_db_get_principal(*pl2, server, nprincs, more);
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
if (retval) {
*nprincs = 0;
*more = FALSE;
krb5_principal tmpprinc;
char *sname;
- tmp = (*pl2)[0];
- (*pl2)[0] = tgs_server[0];
+ tmp = krb5_princ_realm(*pl2);
+ krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
if (retval = krb5_copy_principal(*pl2, &tmpprinc)) {
krb5_db_free_principal(server, *nprincs);
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
continue;
}
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
krb5_free_principal(request->server);
request->server = tmpprinc;
extern krb5_keyblock tgs_key;
extern krb5_kvno tgs_kvno;
-extern krb5_data *tgs_server[4];
+extern krb5_principal_data tgs_server_struct;
+#define tgs_server (&tgs_server_struct)
#endif /* __KRB5_KDC_EXTERN__ */
/* now rearrange output from rd_req_decoded */
/* make sure the client is of proper lineage (see above) */
- if (!local_client &&
- (ticket_enc->client[0]->length == tgs_server[0]->length) &&
- !memcmp(ticket_enc->client[0]->data,
- tgs_server[0]->data,
- tgs_server[0]->length)) {
- /* someone in a foreign realm claiming to be local */
- krb5_free_ap_req(apreq);
- return KRB5KDC_ERR_POLICY;
+ if (!local_client) {
+ krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
+ krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
+ if (tkt_realm->length != tgs_realm->length ||
+ memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
+ /* someone in a foreign realm claiming to be local */
+ krb5_free_ap_req(apreq);
+ return KRB5KDC_ERR_POLICY;
+ }
}
our_cksum.checksum_type = authdat->authenticator->checksum->checksum_type;
if (!valid_cksumtype(our_cksum.checksum_type)) {
i = 0;
if (creds.server)
while (creds.server[i]) {
- EPRINT "server: %d: ``%.*s''\n", i,
+ EPRINT("server: %d: ``%.*s''\n", i,
creds.server[i]->length,
creds.server[i]->data
? creds.server[i]->data : "");
i = 0;
if (creds.client)
while (creds.client[i]) {
- EPRINT "client: %d: ``%.*s''\n", i,
+ EPRINT("client: %d: ``%.*s''\n", i,
creds.client[i]->length,
creds.client[i]->data
? creds.client[i]->data : "");
}
}
#endif
- set_string(c->pname, ANAME_SZ, creds.client[1]);
- set_string(c->pinst, INST_SZ, creds.client[2]);
-
- set_string(c->realm, REALM_SZ, creds.server[0]);
- set_string(c->service, REALM_SZ, creds.server[1]);
- set_string(c->instance, REALM_SZ, creds.server[2]);
+ set_string(c->pname, ANAME_SZ, krb5_princ_component(creds.client, 1));
+ set_string(c->pinst, INST_SZ, krb5_princ_component(creds.client, 2));
+
+ set_string(c->realm, REALM_SZ, krb5_princ_realm(creds.server));
+ set_string(c->service, REALM_SZ, krb5_princ_component(creds.server, 1));
+ set_string(c->instance, REALM_SZ, krb5_princ_component(creds.server, 2));
c->ticket_st.length = creds.ticket.length;
memcpy((char *)c->ticket_st.dat,
}
r = 0;
#endif
- set_string(ad->pname, ANAME_SZ, authdat->authenticator->client[1]);
- set_string(ad->pinst, INST_SZ, authdat->authenticator->client[2]);
- set_string(ad->prealm, REALM_SZ, authdat->authenticator->client[0]);
+ set_string(ad->pname, ANAME_SZ,
+ krb5_princ_component(authdat->authenticator->client, 1));
+ set_string(ad->pinst, INST_SZ,
+ krb5_princ_component(authdat->authenticator->client, 2));
+ set_string(ad->prealm, REALM_SZ,
+ krb5_princ_component(authdat->authenticator->client, 0));
ad->checksum = *(long *)authdat->authenticator->checksum->contents;
krb5_free_principal(val)
krb5_principal val;
{
- register krb5_data **temp;
+ register int i = krb5_princ_size(val);
- for (temp = val; *temp; temp++)
- krb5_free_data(*temp);
+ while(--i >= 0)
+ free(krb5_princ_component(val, i)->data);
xfree(val);
return;
}
static char *localrealm = NULL;
char *default_realm;
krb5_error_code retval;
+ krb5_data *tmpdata;
if (!localrealm) {
if (realm)
/*
* The other side must be coming from the local realm!
*/
- if (!p[0] || (p[0]->length != strlen(localrealm))
- || memcmp(p[0]->data, localrealm, p[0]->length))
+ tmpdata = krb5_princ_realm(p);
+ if (tmpdata->length != strlen(localrealm)
+ || memcmp(tmpdata->data, localrealm, tmpdata->length))
return(FALSE);
/*
* The client's service must be KPROP_SERVICE_NAME
*/
- if (!p[1] || (p[1]->length != strlen(KPROP_SERVICE_NAME))
- || memcmp(p[1]->data, KPROP_SERVICE_NAME, p[1]->length))
+ tmpdata = krb5_princ_component(p, 0);
+ if (!tmpdata || (tmpdata->length != strlen(KPROP_SERVICE_NAME))
+ || memcmp(tmpdata->data, KPROP_SERVICE_NAME, tmpdata->length))
return(FALSE);
/*
* For now, it can come from any hostname. We this needs to