authorJohn Carr <jfc@mit.edu>1992-08-21 03:29:21 +0000
committerJohn Carr <jfc@mit.edu>1992-08-21 03:29:21 +0000
commit25660ba3ae371bb1d2bd7fe89351dfe206f5a406 (patch)
treebdf48f2bb812fb253b43a55f2b2b29d3f3231b7c
parent1a6dd7e4eb7cebf997d6b910e3d66985c4b0de66 (diff)
Principal type changes
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2367 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/do_tgs_req.c39
-rw-r--r--src/kdc/extern.h3
-rw-r--r--src/kdc/kdc_util.c17
-rw-r--r--src/lib/krb425/get_cred.c16
-rw-r--r--src/lib/krb425/rd_req.c9
-rw-r--r--src/lib/krb5/free/f_princ.c6
-rw-r--r--src/slave/kpropd.c11
7 files changed, 56 insertions, 45 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b06a4cf5fc..eac018b506 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -157,14 +157,18 @@ tgt_again:
fromstring,
response));
} else if (nprincs != 1) {
+ /* XXX Is it possible for a principal to have length 1 so that
+ the following statement is undefined? Only length 3 is valid
+ here, but can a length 1 ticket pass through all prior tests? */
+
+ krb5_data *server_1 = krb5_princ_component(request->server, 1);
+ krb5_data *tgs_1 = krb5_princ_component(tgs_server, 1);
+
/* might be a request for a TGT for some other realm; we should
do our best to find such a TGS in this db */
- if (firstpass && request->server[1] &&
- request->server[1]->length == tgs_server[1]->length &&
- !memcmp(request->server[1]->data, tgs_server[1]->data,
- tgs_server[1]->length) &&
- /* also must be proper form for tgs request */
- request->server[2] && !request->server[3]) {
+ if (firstpass && krb5_princ_size(request->server) == 3 &&
+ server_1->length == tgs_1->length &&
+ !memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(&server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
firstpass = 0;
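Review bot: `server_1` and `tgs_1` are looked up before `krb5_princ_size(request->server) == 3` is tested, which is the situation the new XXX comment worries about. The dereferences of `server_1->length` and `server_1->data` are protected by the short-circuit in the `if`, so the remaining exposure is whatever `krb5_princ_component` itself does with an out-of-range index, and its definition is not visible in this diff. Moving the two lookups into a block guarded by the size test, or replacing the XXX with `/* server_1 is only dereferenced after the size == 3 test below */`, would settle the question for the next reader. Nothing here checks that `tgs_server` has a component 1 either; that presumably holds by construction, but a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.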
@@ -650,8 +654,6 @@ krb5_data **response;
return retval;
}
-#include "../lib/krb/int-proto.h"
-
/*
* The request seems to be for a ticket-granting service somewhere else,
* but we don't have a ticket for the final TGS. Try to give the requestor
@@ -671,22 +673,23 @@ int *nprincs;
*nprincs = 0;
*more = FALSE;
- if (retval = krb5_walk_realm_tree(request->server[0],
- request->server[2],
- &plist))
+ if (retval = krb5_walk_realm_tree(krb5_princ_component(request->server, 0),
+ krb5_princ_component(request->server, 2),
+ &plist, KRB5_REALM_BRANCH_CHAR))
return;
/* move to the end */
+ /* SUPPRESS 530 */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local@local, so we
ignore it */
while (--pl2 > plist) {
*nprincs = 1;
- tmp = (*pl2)[0];
- (*pl2)[0] = tgs_server[0];
+ tmp = krb5_princ_realm(*pl2);
+ krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
retval = krb5_db_get_principal(*pl2, server, nprincs, more);
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
if (retval) {
*nprincs = 0;
*more = FALSE;
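Review bot: `tmp = krb5_princ_realm(*pl2)` saves a pointer rather than the realm value, so the later `krb5_princ_set_realm(*pl2, tmp)` may not restore anything. The kdc_util.c hunk in this commit assigns the result of `krb5_princ_realm` to a `krb5_data *`; if that pointer is the address of a field inside the principal and `krb5_princ_set_realm` assigns through it, `tmp` aliases the field that was just overwritten and the `plist` entry keeps the TGS realm after the lookup. Saving by value avoids depending on the macro definitions: `krb5_data tmp = *krb5_princ_realm(*pl2);` and `krb5_princ_set_realm(*pl2, &tmp);`. The same save/restore pattern appears in the next hunk (`@@ -701,14 +704,14 @@`), and the declaration of `tmp` is outside both hunks.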
@@ -701,14 +704,14 @@ int *nprincs;
krb5_principal tmpprinc;
char *sname;
- tmp = (*pl2)[0];
- (*pl2)[0] = tgs_server[0];
+ tmp = krb5_princ_realm(*pl2);
+ krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
if (retval = krb5_copy_principal(*pl2, &tmpprinc)) {
krb5_db_free_principal(server, *nprincs);
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
continue;
}
- (*pl2)[0] = tmp;
+ krb5_princ_set_realm(*pl2, tmp);
krb5_free_principal(request->server);
request->server = tmpprinc;
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 70738c9973..3e845508fa 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -48,6 +48,7 @@ extern char *dbm_db_name;
extern krb5_keyblock tgs_key;
extern krb5_kvno tgs_kvno;
-extern krb5_data *tgs_server[4];
+extern krb5_principal_data tgs_server_struct;
+#define tgs_server (&tgs_server_struct)
#endif /* __KRB5_KDC_EXTERN__ */
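Review bot: The lowercase object-like macro `tgs_server` is undocumented, and it will rewrite any local variable, parameter or struct member named `tgs_server` in every file that includes extern.h. A comment above it such as `/* tgs_server stays usable as a krb5_principal expression for existing callers; it is not an lvalue */` would explain why the macro exists and that it can no longer be assigned to.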
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 19dd720f04..5748ca8a46 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -239,14 +239,15 @@ krb5_tkt_authent **ret_authdat;
/* now rearrange output from rd_req_decoded */
/* make sure the client is of proper lineage (see above) */
- if (!local_client &&
- (ticket_enc->client[0]->length == tgs_server[0]->length) &&
- !memcmp(ticket_enc->client[0]->data,
- tgs_server[0]->data,
- tgs_server[0]->length)) {
- /* someone in a foreign realm claiming to be local */
- krb5_free_ap_req(apreq);
- return KRB5KDC_ERR_POLICY;
+ if (!local_client) {
+ krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
+ krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
+ if (tkt_realm->length != tgs_realm->length ||
+ memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
+ /* someone in a foreign realm claiming to be local */
+ krb5_free_ap_req(apreq);
+ return KRB5KDC_ERR_POLICY;
+ }
}
our_cksum.checksum_type = authdat->authenticator->checksum->checksum_type;
if (!valid_cksumtype(our_cksum.checksum_type)) {
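Review bot: The rewritten realm test is inverted relative to the code it replaces. The removed lines returned `KRB5KDC_ERR_POLICY` when the ticket client's realm was equal to the TGS realm (same length and `!memcmp`), which matches the comment "someone in a foreign realm claiming to be local"; the new lines return it when the lengths differ or `memcmp` is non-zero, that is, when the realms are different. As written, with `local_client` false a ticket whose client names the local realm passes this check, while clients from other realms are refused. The condition should read `if (tkt_realm->length == tgs_realm->length && !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {`. The enclosing function starts and ends outside the hunk.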
diff --git a/src/lib/krb425/get_cred.c b/src/lib/krb425/get_cred.c
index 739be1e7f7..58c13b1ff8 100644
--- a/src/lib/krb425/get_cred.c
+++ b/src/lib/krb425/get_cred.c
@@ -76,7 +76,7 @@ CREDENTIALS *c;
i = 0;
if (creds.server)
while (creds.server[i]) {
- EPRINT "server: %d: ``%.*s''\n", i,
+ EPRINT("server: %d: ``%.*s''\n", i,
creds.server[i]->length,
creds.server[i]->data
? creds.server[i]->data : "");
@@ -85,7 +85,7 @@ CREDENTIALS *c;
i = 0;
if (creds.client)
while (creds.client[i]) {
- EPRINT "client: %d: ``%.*s''\n", i,
+ EPRINT("client: %d: ``%.*s''\n", i,
creds.client[i]->length,
creds.client[i]->data
? creds.client[i]->data : "");
@@ -93,12 +93,12 @@ CREDENTIALS *c;
}
}
#endif
- set_string(c->pname, ANAME_SZ, creds.client[1]);
- set_string(c->pinst, INST_SZ, creds.client[2]);
-
- set_string(c->realm, REALM_SZ, creds.server[0]);
- set_string(c->service, REALM_SZ, creds.server[1]);
- set_string(c->instance, REALM_SZ, creds.server[2]);
+ set_string(c->pname, ANAME_SZ, krb5_princ_component(creds.client, 1));
+ set_string(c->pinst, INST_SZ, krb5_princ_component(creds.client, 2));
+
+ set_string(c->realm, REALM_SZ, krb5_princ_realm(creds.server));
+ set_string(c->service, REALM_SZ, krb5_princ_component(creds.server, 1));
+ set_string(c->instance, REALM_SZ, krb5_princ_component(creds.server, 2));
c->ticket_st.length = creds.ticket.length;
memcpy((char *)c->ticket_st.dat,
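Review bot: The index passed to `krb5_princ_component` is not used consistently across this commit. Here the realm moves to `krb5_princ_realm(creds.server)` while the old `[1]` and `[2]` entries stay at component 1 and 2; rd_req.c still reads the realm as component 0, do_tgs_req.c passes component 0 to `krb5_walk_realm_tree` where it used to pass `request->server[0]`, and kpropd.c maps the old `p[1]` to component 0. Both conventions cannot be right, and the macro definitions are not part of the visible diff, so which call sites are off by one cannot be decided from here. A comment at the macro definitions stating whether component 0 is the realm or the first name part, followed by a pass over these call sites, is needed; in kpropd.c the affected comparison is the `KPROP_SERVICE_NAME` authorization check.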
diff --git a/src/lib/krb425/rd_req.c b/src/lib/krb425/rd_req.c
index 9049e7d422..f604cb359a 100644
--- a/src/lib/krb425/rd_req.c
+++ b/src/lib/krb425/rd_req.c
@@ -174,9 +174,12 @@ char *fn;
}
r = 0;
#endif
- set_string(ad->pname, ANAME_SZ, authdat->authenticator->client[1]);
- set_string(ad->pinst, INST_SZ, authdat->authenticator->client[2]);
- set_string(ad->prealm, REALM_SZ, authdat->authenticator->client[0]);
+ set_string(ad->pname, ANAME_SZ,
+ krb5_princ_component(authdat->authenticator->client, 1));
+ set_string(ad->pinst, INST_SZ,
+ krb5_princ_component(authdat->authenticator->client, 2));
+ set_string(ad->prealm, REALM_SZ,
+ krb5_princ_component(authdat->authenticator->client, 0));
ad->checksum = *(long *)authdat->authenticator->checksum->contents;
diff --git a/src/lib/krb5/free/f_princ.c b/src/lib/krb5/free/f_princ.c
index 7536ae0a5c..f08262769e 100644
--- a/src/lib/krb5/free/f_princ.c
+++ b/src/lib/krb5/free/f_princ.c
@@ -37,10 +37,10 @@ void
krb5_free_principal(val)
krb5_principal val;
{
- register krb5_data **temp;
+ register int i = krb5_princ_size(val);
- for (temp = val; *temp; temp++)
- krb5_free_data(*temp);
+ while(--i >= 0)
+ free(krb5_princ_component(val, i)->data);
xfree(val);
return;
}
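Review bot: The new loop frees only the `data` buffer of each component before `xfree(val)`, where the removed loop released each element with `krb5_free_data`. Whether the realm's buffer and the component array itself are released depends on the layout of `krb5_principal_data`, which this diff does not show; if the realm is stored apart from the components (as the `krb5_princ_realm` calls elsewhere in this commit suggest) or the components live in a separately allocated array, those allocations are leaked on every call. A comment listing which allocations a principal owns, with a matching free for each, would make this checkable. `val` is also handed to `krb5_princ_size` without a null test, as the old loop dereferenced it unguarded too.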
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index 31ec869b5c..b878d56e01 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -558,6 +558,7 @@ authorized_principal(p)
static char *localrealm = NULL;
char *default_realm;
krb5_error_code retval;
+ krb5_data *tmpdata;
if (!localrealm) {
if (realm)
@@ -574,14 +575,16 @@ authorized_principal(p)
/*
* The other side must be coming from the local realm!
*/
- if (!p[0] || (p[0]->length != strlen(localrealm))
- || memcmp(p[0]->data, localrealm, p[0]->length))
+ tmpdata = krb5_princ_realm(p);
+ if (tmpdata->length != strlen(localrealm)
+ || memcmp(tmpdata->data, localrealm, tmpdata->length))
return(FALSE);
/*
* The client's service must be KPROP_SERVICE_NAME
*/
- if (!p[1] || (p[1]->length != strlen(KPROP_SERVICE_NAME))
- || memcmp(p[1]->data, KPROP_SERVICE_NAME, p[1]->length))
+ tmpdata = krb5_princ_component(p, 0);
+ if (!tmpdata || (tmpdata->length != strlen(KPROP_SERVICE_NAME))
+ || memcmp(tmpdata->data, KPROP_SERVICE_NAME, tmpdata->length))
return(FALSE);
/*
* For now, it can come from any hostname. We this needs to
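Review bot: The realm comparison dereferences `tmpdata->length` with no null test, whereas the removed line began with `!p[0]` and the service-name comparison a few lines below still begins with `!tmpdata`. If `krb5_princ_realm` can never return NULL, the asymmetry deserves a one-line comment saying so; otherwise restore the guard as `if (!tmpdata || tmpdata->length != strlen(localrealm)`. authorized_principal begins before this hunk and continues after it.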