From: Tom Yu
Date: Thu, 20 Sep 2012 19:35:56 +0000 (-0400)
Subject: Enforce TGS principals having 2 components
X-Git-Tag: krb5-1.11-alpha1~60
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=688dce2916b04932ffb42c2ff265a00ce01d7189;p=thirdparty%2Fkrb5.git
Enforce TGS principals having 2 components
RFC 4120 section 7.3 says that TGS principal names have two components. Make krb5_is_tgs_principal() and is_cross_tgs_principal() enforce this constraint. Code elsewhere in the KDC already checks for two components anyway.
---
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a2a9b4b078..4f6ce6f30b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -145,22 +145,26 @@ is_local_principal(krb5_const_principal princ1)
 krb5_boolean
 krb5_is_tgs_principal(krb5_const_principal principal)
 {
- if ((krb5_princ_size(kdc_context, principal) > 0) &&
- data_eq_string (*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME))
+ if (krb5_princ_size(kdc_context, principal) != 2)
+ return FALSE;
+ if (data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME))
 return TRUE;
- return FALSE;
+ else
+ return FALSE;
 }
 
 /* Returns TRUE if principal is the name of a cross-realm TGS. */
 krb5_boolean
 is_cross_tgs_principal(krb5_const_principal principal)
 {
- return (krb5_princ_size(kdc_context, principal) >= 2 &&
- data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME) &&
- !data_eq(*krb5_princ_component(kdc_context, principal, 1),
- *krb5_princ_realm(kdc_context, principal)));
+ if (!krb5_is_tgs_principal(principal))
+ return FALSE;
+ if (!data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kdc_context, principal)))
+ return TRUE;
+ else
+ return FALSE;
 }
 
 /*
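Review bot: In is_cross_tgs_principal() the read of component 1 is now in bounds only because krb5_is_tgs_principal() rejects every name that does not have exactly two components, and nothing at the point of use says so. A one-line comment above the `data_eq` test, such as `/* krb5_is_tgs_principal() guarantees exactly two components, so index 1 is valid. */`, would keep a later relaxation of that predicate from silently turning this into an out-of-range component access. krb5_is_tgs_principal() has no contract comment inside the hunk (one may sit above it, outside the hunk); `/* Returns TRUE if principal has exactly two components and the first is KRB5_TGS_NAME (RFC 4120 section 7.3). */` would match the comment on its neighbour. A name whose first component is KRB5_TGS_NAME but whose component count is not two now gets FALSE where it previously got TRUE, so any caller that takes an ordinary-principal path on FALSE is worth confirming; those callers are not visible in this hunk.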