From 25660ba3ae371bb1d2bd7fe89351dfe206f5a406 Mon Sep 17 00:00:00 2001 From: John Carr Date: Fri, 21 Aug 1992 03:29:21 +0000 Subject: [PATCH] Principal type changes git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2367 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/do_tgs_req.c | 39 ++++++++++++++++++++----------------- src/kdc/extern.h | 3 ++- src/kdc/kdc_util.c | 17 ++++++++-------- src/lib/krb425/get_cred.c | 16 +++++++-------- src/lib/krb425/rd_req.c | 9 ++++++--- src/lib/krb5/free/f_princ.c | 6 +++--- src/slave/kpropd.c | 11 +++++++---- 7 files changed, 56 insertions(+), 45 deletions(-) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index b06a4cf5f..eac018b50 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -157,14 +157,18 @@ tgt_again: fromstring, response)); } else if (nprincs != 1) { + /* XXX Is it possible for a principal to have length 1 so that + the following statement is undefined? Only length 3 is valid + here, but can a length 1 ticket pass through all prior tests? */ + + krb5_data *server_1 = krb5_princ_component(request->server, 1); + krb5_data *tgs_1 = krb5_princ_component(tgs_server, 1); + /* might be a request for a TGT for some other realm; we should do our best to find such a TGS in this db */ - if (firstpass && request->server[1] && - request->server[1]->length == tgs_server[1]->length && - !memcmp(request->server[1]->data, tgs_server[1]->data, - tgs_server[1]->length) && - /* also must be proper form for tgs request */ - request->server[2] && !request->server[3]) { + if (firstpass && krb5_princ_size(request->server) == 3 && + server_1->length == tgs_1->length && + !memcmp(server_1->data, tgs_1->data, tgs_1->length)) { krb5_db_free_principal(&server, nprincs); find_alternate_tgs(request, &server, &more, &nprincs); firstpass = 0; @@ -650,8 +654,6 @@ krb5_data **response; return retval; } -#include "../lib/krb/int-proto.h" - /* * The request seems to be for a ticket-granting service somewhere else, * but we don't have a ticket for the final TGS. Try to give the requestor @@ -671,22 +673,23 @@ int *nprincs; *nprincs = 0; *more = FALSE; - if (retval = krb5_walk_realm_tree(request->server[0], - request->server[2], - &plist)) + if (retval = krb5_walk_realm_tree(krb5_princ_component(request->server, 0), + krb5_princ_component(request->server, 2), + &plist, KRB5_REALM_BRANCH_CHAR)) return; /* move to the end */ + /* SUPPRESS 530 */ for (pl2 = plist; *pl2; pl2++); /* the first entry in this array is for krbtgt/local@local, so we ignore it */ while (--pl2 > plist) { *nprincs = 1; - tmp = (*pl2)[0]; - (*pl2)[0] = tgs_server[0]; + tmp = krb5_princ_realm(*pl2); + krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server)); retval = krb5_db_get_principal(*pl2, server, nprincs, more); - (*pl2)[0] = tmp; + krb5_princ_set_realm(*pl2, tmp); if (retval) { *nprincs = 0; *more = FALSE; @@ -701,14 +704,14 @@ int *nprincs; krb5_principal tmpprinc; char *sname; - tmp = (*pl2)[0]; - (*pl2)[0] = tgs_server[0]; + tmp = krb5_princ_realm(*pl2); + krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server)); if (retval = krb5_copy_principal(*pl2, &tmpprinc)) { krb5_db_free_principal(server, *nprincs); - (*pl2)[0] = tmp; + krb5_princ_set_realm(*pl2, tmp); continue; } - (*pl2)[0] = tmp; + krb5_princ_set_realm(*pl2, tmp); krb5_free_principal(request->server); request->server = tmpprinc; diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 70738c997..3e845508f 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -48,6 +48,7 @@ extern char *dbm_db_name; extern krb5_keyblock tgs_key; extern krb5_kvno tgs_kvno; -extern krb5_data *tgs_server[4]; +extern krb5_principal_data tgs_server_struct; +#define tgs_server (&tgs_server_struct) #endif /* __KRB5_KDC_EXTERN__ */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 19dd720f0..5748ca8a4 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -239,14 +239,15 @@ krb5_tkt_authent **ret_authdat; /* now rearrange output from rd_req_decoded */ /* make sure the client is of proper lineage (see above) */ - if (!local_client && - (ticket_enc->client[0]->length == tgs_server[0]->length) && - !memcmp(ticket_enc->client[0]->data, - tgs_server[0]->data, - tgs_server[0]->length)) { - /* someone in a foreign realm claiming to be local */ - krb5_free_ap_req(apreq); - return KRB5KDC_ERR_POLICY; + if (!local_client) { + krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client); + krb5_data *tgs_realm = krb5_princ_realm(tgs_server); + if (tkt_realm->length != tgs_realm->length || + memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) { + /* someone in a foreign realm claiming to be local */ + krb5_free_ap_req(apreq); + return KRB5KDC_ERR_POLICY; + } } our_cksum.checksum_type = authdat->authenticator->checksum->checksum_type; if (!valid_cksumtype(our_cksum.checksum_type)) { diff --git a/src/lib/krb425/get_cred.c b/src/lib/krb425/get_cred.c index 739be1e7f..58c13b1ff 100644 --- a/src/lib/krb425/get_cred.c +++ b/src/lib/krb425/get_cred.c @@ -76,7 +76,7 @@ CREDENTIALS *c; i = 0; if (creds.server) while (creds.server[i]) { - EPRINT "server: %d: ``%.*s''\n", i, + EPRINT("server: %d: ``%.*s''\n", i, creds.server[i]->length, creds.server[i]->data ? creds.server[i]->data : ""); @@ -85,7 +85,7 @@ CREDENTIALS *c; i = 0; if (creds.client) while (creds.client[i]) { - EPRINT "client: %d: ``%.*s''\n", i, + EPRINT("client: %d: ``%.*s''\n", i, creds.client[i]->length, creds.client[i]->data ? creds.client[i]->data : ""); @@ -93,12 +93,12 @@ CREDENTIALS *c; } } #endif - set_string(c->pname, ANAME_SZ, creds.client[1]); - set_string(c->pinst, INST_SZ, creds.client[2]); - - set_string(c->realm, REALM_SZ, creds.server[0]); - set_string(c->service, REALM_SZ, creds.server[1]); - set_string(c->instance, REALM_SZ, creds.server[2]); + set_string(c->pname, ANAME_SZ, krb5_princ_component(creds.client, 1)); + set_string(c->pinst, INST_SZ, krb5_princ_component(creds.client, 2)); + + set_string(c->realm, REALM_SZ, krb5_princ_realm(creds.server)); + set_string(c->service, REALM_SZ, krb5_princ_component(creds.server, 1)); + set_string(c->instance, REALM_SZ, krb5_princ_component(creds.server, 2)); c->ticket_st.length = creds.ticket.length; memcpy((char *)c->ticket_st.dat, diff --git a/src/lib/krb425/rd_req.c b/src/lib/krb425/rd_req.c index 9049e7d42..f604cb359 100644 --- a/src/lib/krb425/rd_req.c +++ b/src/lib/krb425/rd_req.c @@ -174,9 +174,12 @@ char *fn; } r = 0; #endif - set_string(ad->pname, ANAME_SZ, authdat->authenticator->client[1]); - set_string(ad->pinst, INST_SZ, authdat->authenticator->client[2]); - set_string(ad->prealm, REALM_SZ, authdat->authenticator->client[0]); + set_string(ad->pname, ANAME_SZ, + krb5_princ_component(authdat->authenticator->client, 1)); + set_string(ad->pinst, INST_SZ, + krb5_princ_component(authdat->authenticator->client, 2)); + set_string(ad->prealm, REALM_SZ, + krb5_princ_component(authdat->authenticator->client, 0)); ad->checksum = *(long *)authdat->authenticator->checksum->contents; diff --git a/src/lib/krb5/free/f_princ.c b/src/lib/krb5/free/f_princ.c index 7536ae0a5..f08262769 100644 --- a/src/lib/krb5/free/f_princ.c +++ b/src/lib/krb5/free/f_princ.c @@ -37,10 +37,10 @@ void krb5_free_principal(val) krb5_principal val; { - register krb5_data **temp; + register int i = krb5_princ_size(val); - for (temp = val; *temp; temp++) - krb5_free_data(*temp); + while(--i >= 0) + free(krb5_princ_component(val, i)->data); xfree(val); return; } diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c index 31ec869b5..b878d56e0 100644 --- a/src/slave/kpropd.c +++ b/src/slave/kpropd.c @@ -558,6 +558,7 @@ authorized_principal(p) static char *localrealm = NULL; char *default_realm; krb5_error_code retval; + krb5_data *tmpdata; if (!localrealm) { if (realm) @@ -574,14 +575,16 @@ authorized_principal(p) /* * The other side must be coming from the local realm! */ - if (!p[0] || (p[0]->length != strlen(localrealm)) - || memcmp(p[0]->data, localrealm, p[0]->length)) + tmpdata = krb5_princ_realm(p); + if (tmpdata->length != strlen(localrealm) + || memcmp(tmpdata->data, localrealm, tmpdata->length)) return(FALSE); /* * The client's service must be KPROP_SERVICE_NAME */ - if (!p[1] || (p[1]->length != strlen(KPROP_SERVICE_NAME)) - || memcmp(p[1]->data, KPROP_SERVICE_NAME, p[1]->length)) + tmpdata = krb5_princ_component(p, 0); + if (!tmpdata || (tmpdata->length != strlen(KPROP_SERVICE_NAME)) + || memcmp(tmpdata->data, KPROP_SERVICE_NAME, tmpdata->length)) return(FALSE); /* * For now, it can come from any hostname. We this needs to -- 2.26.2