Principal type changes
authorJohn Carr <jfc@mit.edu>
Fri, 21 Aug 1992 03:29:21 +0000 (03:29 +0000)
committerJohn Carr <jfc@mit.edu>
Fri, 21 Aug 1992 03:29:21 +0000 (03:29 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2367 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_tgs_req.c
src/kdc/extern.h
src/kdc/kdc_util.c
src/lib/krb425/get_cred.c
src/lib/krb425/rd_req.c
src/lib/krb5/free/f_princ.c
src/slave/kpropd.c

index b06a4cf5fc31ffcbf919ff987986e25f9fc02ca2..eac018b506a22cf0325861be0556d7c59548f631 100644 (file)
@@ -157,14 +157,18 @@ tgt_again:
                                 fromstring,
                                 response));
     } else if (nprincs != 1) {
+       /* XXX Is it possible for a principal to have length 1 so that
+          the following statement is undefined?  Only length 3 is valid
+          here, but can a length 1 ticket pass through all prior tests?  */
+
+       krb5_data *server_1 = krb5_princ_component(request->server, 1);
+       krb5_data *tgs_1 = krb5_princ_component(tgs_server, 1);
+
        /* might be a request for a TGT for some other realm; we should
           do our best to find such a TGS in this db */
-       if (firstpass && request->server[1] &&
-           request->server[1]->length == tgs_server[1]->length &&
-           !memcmp(request->server[1]->data, tgs_server[1]->data,
-                   tgs_server[1]->length) &&
-           /* also must be proper form for tgs request */
-           request->server[2] && !request->server[3]) {
+       if (firstpass && krb5_princ_size(request->server) == 3 &&
+           server_1->length == tgs_1->length &&
+           !memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
            krb5_db_free_principal(&server, nprincs);
            find_alternate_tgs(request, &server, &more, &nprincs);
            firstpass = 0;
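Review bot: The two `krb5_princ_component` lookups on the added lines run before the `krb5_princ_size(request->server) == 3` test, so the question in the XXX comment concerns forming the pointers, not dereferencing them: `server_1->length` is only evaluated once the size test has held, because `&&` short-circuits. If `krb5_princ_component` is plain pointer arithmetic on the component array (its definition is not in this change), forming a pointer past that array is what remains questionable, and the comment should state that instead of leaving the question open, e.g. `/* server_1/tgs_1 are dereferenced only after the size check below; forming them first relies on krb5_princ_component not reading memory */`. Separately, `== 3` replaces `request->server[2] && !request->server[3]`, which counted the realm as entry 0, while kpropd.c in this same commit maps old index 1 to component 0; if `krb5_princ_size` excludes the realm, this test now demands three name components instead of two and the alternate-TGS path is never taken. The enclosing if block closes outside the hunk.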
@@ -650,8 +654,6 @@ krb5_data **response;
     return retval;
 }
 
-#include "../lib/krb/int-proto.h"
-
 /*
  * The request seems to be for a ticket-granting service somewhere else,
  * but we don't have a ticket for the final TGS.  Try to give the requestor
@@ -671,22 +673,23 @@ int *nprincs;
     *nprincs = 0;
     *more = FALSE;
 
-    if (retval = krb5_walk_realm_tree(request->server[0],
-                                     request->server[2],
-                                     &plist))
+    if (retval = krb5_walk_realm_tree(krb5_princ_component(request->server, 0),
+                                     krb5_princ_component(request->server, 2),
+                                     &plist, KRB5_REALM_BRANCH_CHAR))
        return;
 
     /* move to the end */
+    /* SUPPRESS 530 */
     for (pl2 = plist; *pl2; pl2++);
 
     /* the first entry in this array is for krbtgt/local@local, so we
        ignore it */
     while (--pl2 > plist) {
        *nprincs = 1;
-       tmp = (*pl2)[0];
-       (*pl2)[0] = tgs_server[0];
+       tmp = krb5_princ_realm(*pl2);
+       krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
        retval = krb5_db_get_principal(*pl2, server, nprincs, more);
-       (*pl2)[0] = tmp;
+       krb5_princ_set_realm(*pl2, tmp);
        if (retval) {
            *nprincs = 0;
            *more = FALSE;
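Review bot: The realm swap on lines 73–77 saves a pointer rather than a value: `tmp = krb5_princ_realm(*pl2)` yields the address of the realm slot inside `*pl2`, and `krb5_princ_set_realm(*pl2, ...)` then writes into that same slot. If `krb5_princ_set_realm` copies the krb5_data by value into the principal (its definition is not in this change), `tmp` already aliases the overwritten slot when the restore runs, so the entry keeps the local TGS realm instead of its original one; if it merely stores the pointer, the restore works. Saving by value removes the doubt: `krb5_data saved = *krb5_princ_realm(*pl2);` before the swap and `krb5_princ_set_realm(*pl2, &saved);` for the restore. The same pattern recurs in the next hunk (lines 87–96 on this page); `tmp`'s declaration and the rest of find_alternate_tgs are outside the hunk.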
@@ -701,14 +704,14 @@ int *nprincs;
            krb5_principal tmpprinc;
            char *sname;
 
-           tmp = (*pl2)[0];
-           (*pl2)[0] = tgs_server[0];
+           tmp = krb5_princ_realm(*pl2);
+           krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
            if (retval = krb5_copy_principal(*pl2, &tmpprinc)) {
                krb5_db_free_principal(server, *nprincs);
-               (*pl2)[0] = tmp;
+               krb5_princ_set_realm(*pl2, tmp);
                continue;
            }
-           (*pl2)[0] = tmp;
+           krb5_princ_set_realm(*pl2, tmp);
 
            krb5_free_principal(request->server);
            request->server = tmpprinc;
index 70738c99736c23ba26f0bcbb947242d7782ed0d7..3e845508fa5a19d0b3425c36f29ef83f95019e67 100644 (file)
@@ -48,6 +48,7 @@ extern char *dbm_db_name;
 
 extern krb5_keyblock tgs_key;
 extern krb5_kvno tgs_kvno;
-extern krb5_data *tgs_server[4];
+extern krb5_principal_data tgs_server_struct;
+#define        tgs_server (&tgs_server_struct)
 
 #endif /* __KRB5_KDC_EXTERN__ */
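Review bot: `#define tgs_server (&tgs_server_struct)` turns a former object name into an object-like macro, so any file including this header that declares a local, parameter or struct member named `tgs_server` has it silently rewritten to `(&tgs_server_struct)`, and a member access such as `x.tgs_server` expands to something unrelated. A lowercase macro impersonating a variable deserves a comment at its definition: `/* tgs_server is a macro, not a variable: it expands to &tgs_server_struct, so do not reuse the name for locals or members in files that include this header */`. An `extern krb5_principal tgs_server;` pointer initialized to `&tgs_server_struct` in the defining .c file would avoid the hazard, if nothing relies on the address being a compile-time constant.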
index 19dd720f044500f576dd198cc8743981229c96c7..5748ca8a46909b2f9361a99eed0d547d07a97505 100644 (file)
@@ -239,14 +239,15 @@ krb5_tkt_authent **ret_authdat;
     /* now rearrange output from rd_req_decoded */
 
     /* make sure the client is of proper lineage (see above) */
-    if (!local_client &&
-       (ticket_enc->client[0]->length == tgs_server[0]->length) &&
-       !memcmp(ticket_enc->client[0]->data,
-               tgs_server[0]->data,
-               tgs_server[0]->length)) {
-       /* someone in a foreign realm claiming to be local */
-       krb5_free_ap_req(apreq);
-       return KRB5KDC_ERR_POLICY;
+    if (!local_client) {
+       krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
+       krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
+       if (tkt_realm->length != tgs_realm->length ||
+           memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
+           /* someone in a foreign realm claiming to be local */
+           krb5_free_ap_req(apreq);
+           return KRB5KDC_ERR_POLICY;
+       }
     }
     our_cksum.checksum_type = authdat->authenticator->checksum->checksum_type;
     if (!valid_cksumtype(our_cksum.checksum_type)) {
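Review bot: The rewritten condition on lines 126–127 inverts the policy check: the old code returned KRB5KDC_ERR_POLICY when a non-local client's ticket carried the local TGS realm, but the new code returns it when the realm differs, so a ticket from a foreign TGS that claims the local realm now passes while every legitimate foreign client is rejected. The comment `/* someone in a foreign realm claiming to be local */` still describes the old branch. The test should read `if (tkt_realm->length == tgs_realm->length && !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {`. The enclosing function continues outside the hunk.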
index 739be1e7f7c4e6710ad566e197d8983896343c1d..58c13b1ff80674c891d8cf43757fae216c66626f 100644 (file)
@@ -76,7 +76,7 @@ CREDENTIALS *c;
                i = 0;
                if (creds.server)
                        while (creds.server[i]) {
-                               EPRINT "server: %d: ``%.*s''\n", i,
+                               EPRINT("server: %d: ``%.*s''\n", i,
                                        creds.server[i]->length,
                                        creds.server[i]->data
                                                ? creds.server[i]->data : "");
@@ -85,7 +85,7 @@ CREDENTIALS *c;
                i = 0;
                if (creds.client)
                        while (creds.client[i]) {
-                               EPRINT "client: %d: ``%.*s''\n", i,
+                               EPRINT("client: %d: ``%.*s''\n", i,
                                        creds.client[i]->length,
                                        creds.client[i]->data
                                                ? creds.client[i]->data : "");
@@ -93,12 +93,12 @@ CREDENTIALS *c;
                        }
        }
 #endif
-       set_string(c->pname, ANAME_SZ, creds.client[1]);
-       set_string(c->pinst, INST_SZ, creds.client[2]);
-       
-       set_string(c->realm, REALM_SZ, creds.server[0]);
-       set_string(c->service, REALM_SZ, creds.server[1]);
-       set_string(c->instance, REALM_SZ, creds.server[2]);
+       set_string(c->pname, ANAME_SZ, krb5_princ_component(creds.client, 1));
+       set_string(c->pinst, INST_SZ, krb5_princ_component(creds.client, 2));
+
+       set_string(c->realm, REALM_SZ, krb5_princ_realm(creds.server));
+       set_string(c->service, REALM_SZ, krb5_princ_component(creds.server, 1));
+       set_string(c->instance, REALM_SZ, krb5_princ_component(creds.server, 2));
 
        c->ticket_st.length = creds.ticket.length;
        memcpy((char *)c->ticket_st.dat,
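Review bot: The component indices on lines 164–169 keep the old array positions (old `client[1]` becomes `krb5_princ_component(creds.client, 1)`), whereas kpropd.c in this same commit maps old `p[1]` to `krb5_princ_component(p, 0)`, and both files take the realm through `krb5_princ_realm`; under one of these two conventions the name and instance here are off by one. If the realm is no longer component 0, which the kpropd.c mapping and the separate `krb5_princ_realm` accessor suggest, these should be `krb5_princ_component(creds.client, 0)` and `krb5_princ_component(creds.client, 1)`, with components 0 and 1 of `creds.server` for service and instance. The rd_req.c hunk on this page has the same off-by-one. Whichever convention is right, a one-line comment above the block stating the index base, e.g. `/* components are 0-based and exclude the realm */`, would keep the two callers from diverging again.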
index 9049e7d422382f5c82bb441acbd14f8de95f0093..f604cb359a4065a9c9d3f4368b920a92fb57b4cc 100644 (file)
@@ -174,9 +174,12 @@ char *fn;
        }
        r = 0;
 #endif
-       set_string(ad->pname, ANAME_SZ, authdat->authenticator->client[1]);
-       set_string(ad->pinst, INST_SZ, authdat->authenticator->client[2]);
-       set_string(ad->prealm, REALM_SZ, authdat->authenticator->client[0]);
+       set_string(ad->pname, ANAME_SZ,
+                  krb5_princ_component(authdat->authenticator->client, 1));
+       set_string(ad->pinst, INST_SZ,
+                  krb5_princ_component(authdat->authenticator->client, 2));
+       set_string(ad->prealm, REALM_SZ,
+                  krb5_princ_component(authdat->authenticator->client, 0));
 
        ad->checksum = *(long *)authdat->authenticator->checksum->contents;
 
index 7536ae0a5c1f840ce45685e0c3c40c1513175317..f08262769eaf5072832d431ee820703290e247d5 100644 (file)
@@ -37,10 +37,10 @@ void
 krb5_free_principal(val)
 krb5_principal val;
 {
-    register krb5_data **temp;
+    register int i = krb5_princ_size(val);
 
-    for (temp = val; *temp; temp++)
-       krb5_free_data(*temp);
+    while(--i >= 0)
+       free(krb5_princ_component(val, i)->data);
     xfree(val);
     return;
 }
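Review bot: The new loop frees only `krb5_princ_component(val, i)->data` for each name component and then the principal struct, so the realm string reached through `krb5_princ_realm(val)` and, if the component array is allocated separately from the struct, the array itself are never released, which leaks on every principal freed. The old loop released each entry with `krb5_free_data`, whereas the new one calls bare `free` next to `xfree` for the struct; if `xfree` is the project's allocator wrapper, the component data should go through the matching call as well. Unless the struct layout keeps the realm and the array inline (not visible here), the body needs `free(krb5_princ_realm(val)->data);` and a release of the component array after the loop.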
index 31ec869b5c54627983b5885b8ca87a3780d64f08..b878d56e013c867a2c1e8235acd9f34f985885a7 100644 (file)
@@ -558,6 +558,7 @@ authorized_principal(p)
        static char     *localrealm = NULL;
        char    *default_realm;
        krb5_error_code retval;
+       krb5_data *tmpdata;
 
        if (!localrealm) {
                if (realm)
@@ -574,14 +575,16 @@ authorized_principal(p)
        /*
         * The other side must be coming from the local realm!
         */
-       if (!p[0] || (p[0]->length != strlen(localrealm))
-           || memcmp(p[0]->data, localrealm, p[0]->length))
+       tmpdata = krb5_princ_realm(p);
+       if (tmpdata->length != strlen(localrealm)
+           || memcmp(tmpdata->data, localrealm, tmpdata->length))
                return(FALSE);
        /*
         * The client's service must be KPROP_SERVICE_NAME
         */
-       if (!p[1] || (p[1]->length != strlen(KPROP_SERVICE_NAME))
-           || memcmp(p[1]->data, KPROP_SERVICE_NAME, p[1]->length))
+       tmpdata = krb5_princ_component(p, 0);
+       if (!tmpdata || (tmpdata->length != strlen(KPROP_SERVICE_NAME))
+           || memcmp(tmpdata->data, KPROP_SERVICE_NAME, tmpdata->length))
                return(FALSE);
        /*
         * For now, it can come from any hostname.  We this needs to
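Review bot: The null guard survives only for the name component: line 230 tests `!tmpdata` after `krb5_princ_component(p, 0)`, but line 220 dereferences `krb5_princ_realm(p)` without one, and neither path checks how many components `p` has. If `krb5_princ_component` is pointer arithmetic on the component array (f_princ.c on this page applies `->data` to its result directly, which suggests it never yields NULL), `!tmpdata` never fires and a principal with no components reads past the array; the robust form is `if (krb5_princ_size(p) < 1) return(FALSE);` before the component lookup, in place of the `!tmpdata` test. The remainder of authorized_principal is outside the hunk.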