krb5 commit: Enforce TGS principals having 2 components
Tom Yu
tlyu at MIT.EDU
Mon Oct 15 20:27:42 EDT 2012
https://github.com/krb5/krb5/commit/688dce2916b04932ffb42c2ff265a00ce01d7189
commit 688dce2916b04932ffb42c2ff265a00ce01d7189
Author: Tom Yu <tlyu at mit.edu>
Date: Thu Sep 20 15:35:56 2012 -0400
Enforce TGS principals having 2 components
RFC 4120 section 7.3 says that TGS principal names have two
components. Make krb5_is_tgs_principal() and is_cross_tgs_principal()
enforce this constraint. Code elsewhere in the KDC already checks for
two components anyway.
src/kdc/kdc_util.c | 22 +++++++++++++---------
1 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a2a9b4b..4f6ce6f 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -145,22 +145,26 @@ is_local_principal(krb5_const_principal princ1)
krb5_boolean
krb5_is_tgs_principal(krb5_const_principal principal)
{
- if ((krb5_princ_size(kdc_context, principal) > 0) &&
- data_eq_string (*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME))
+ if (krb5_princ_size(kdc_context, principal) != 2)
+ return FALSE;
+ if (data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME))
return TRUE;
- return FALSE;
+ else
+ return FALSE;
}
/* Returns TRUE if principal is the name of a cross-realm TGS. */
krb5_boolean
is_cross_tgs_principal(krb5_const_principal principal)
{
- return (krb5_princ_size(kdc_context, principal) >= 2 &&
- data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME) &&
- !data_eq(*krb5_princ_component(kdc_context, principal, 1),
- *krb5_princ_realm(kdc_context, principal)));
+ if (!krb5_is_tgs_principal(principal))
+ return FALSE;
+ if (!data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kdc_context, principal)))
+ return TRUE;
+ else
+ return FALSE;
}
/*
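Review bot: krb5_is_tgs_principal() now returns FALSE for a one- or three-component name whose first component is KRB5_TGS_NAME, so a caller that uses a TRUE result to impose a restriction, rather than to grant TGS handling, will now treat such a name as an ordinary principal. The callers are outside this hunk; the commit message says the KDC already checks for two components elsewhere, but each use of the predicate is worth confirming against the tighter contract. The hunk also shows no comment stating that contract at the definition (one may exist just above the hunk). If it is missing or still describes the old behaviour, a line such as `/* Returns TRUE only for a two-component name whose first component is KRB5_TGS_NAME (RFC 4120 section 7.3). */` would make it explicit. The comment on is_cross_tgs_principal() could likewise note that it relies on that size check before reading component 1.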