Principal type changes

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2367 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 32 insertions, 27 deletions

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b06a4cf5f..eac018b50 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -157,14 +157,18 @@ tgt_again:
 				 fromstring,
 				 response));
     } else if (nprincs != 1) {
+	/* XXX Is it possible for a principal to have length 1 so that
+	   the following statement is undefined?  Only length 3 is valid
+	   here, but can a length 1 ticket pass through all prior tests?  */
+
+	krb5_data *server_1 = krb5_princ_component(request->server, 1);
+	krb5_data *tgs_1 = krb5_princ_component(tgs_server, 1);
+
 	/* might be a request for a TGT for some other realm; we should
 	   do our best to find such a TGS in this db */
-	if (firstpass && request->server[1] &&
-	    request->server[1]->length == tgs_server[1]->length &&
-	    !memcmp(request->server[1]->data, tgs_server[1]->data,
-		    tgs_server[1]->length) &&
-	    /* also must be proper form for tgs request */
-	    request->server[2] && !request->server[3]) {
+	if (firstpass && krb5_princ_size(request->server) == 3 &&
+	    server_1->length == tgs_1->length &&
+	    !memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
 	    krb5_db_free_principal(&server, nprincs);
 	    find_alternate_tgs(request, &server, &more, &nprincs);
 	    firstpass = 0;
@@ -650,8 +654,6 @@ krb5_data **response;
     return retval;
 }
 
-#include "../lib/krb/int-proto.h"
-
 /*
  * The request seems to be for a ticket-granting service somewhere else,
  * but we don't have a ticket for the final TGS.  Try to give the requestor
@@ -671,22 +673,23 @@ int *nprincs;
     *nprincs = 0;
     *more = FALSE;
 
-    if (retval = krb5_walk_realm_tree(request->server[0],
-				      request->server[2],
-				      &plist))
+    if (retval = krb5_walk_realm_tree(krb5_princ_component(request->server, 0),
+				      krb5_princ_component(request->server, 2),
+				      &plist, KRB5_REALM_BRANCH_CHAR))
 	return;
 
     /* move to the end */
+    /* SUPPRESS 530 */
     for (pl2 = plist; *pl2; pl2++);
 
     /* the first entry in this array is for krbtgt/local@local, so we
        ignore it */
     while (--pl2 > plist) {
 	*nprincs = 1;
-	tmp = (*pl2)[0];
-	(*pl2)[0] = tgs_server[0];
+	tmp = krb5_princ_realm(*pl2);
+	krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
 	retval = krb5_db_get_principal(*pl2, server, nprincs, more);
-	(*pl2)[0] = tmp;
+	krb5_princ_set_realm(*pl2, tmp);
 	if (retval) {
 	    *nprincs = 0;
 	    *more = FALSE;
@@ -701,14 +704,14 @@ int *nprincs;
 	    krb5_principal tmpprinc;
 	    char *sname;
 
-	    tmp = (*pl2)[0];
-	    (*pl2)[0] = tgs_server[0];
+	    tmp = krb5_princ_realm(*pl2);
+	    krb5_princ_set_realm(*pl2, krb5_princ_realm(tgs_server));
 	    if (retval = krb5_copy_principal(*pl2, &tmpprinc)) {
 		krb5_db_free_principal(server, *nprincs);
-		(*pl2)[0] = tmp;
+		krb5_princ_set_realm(*pl2, tmp);
 		continue;
 	    }
-	    (*pl2)[0] = tmp;
+	    krb5_princ_set_realm(*pl2, tmp);
 
 	    krb5_free_principal(request->server);
 	    request->server = tmpprinc;
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 70738c997..3e845508f 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -48,6 +48,7 @@ extern char *dbm_db_name;
 
 extern krb5_keyblock tgs_key;
 extern krb5_kvno tgs_kvno;
-extern krb5_data *tgs_server[4];
+extern krb5_principal_data tgs_server_struct;
+#define	tgs_server (&tgs_server_struct)
 
 #endif /* __KRB5_KDC_EXTERN__ */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 19dd720f0..5748ca8a4 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -239,14 +239,15 @@ krb5_tkt_authent **ret_authdat;
     /* now rearrange output from rd_req_decoded */
 
     /* make sure the client is of proper lineage (see above) */
-    if (!local_client &&
-	(ticket_enc->client[0]->length == tgs_server[0]->length) &&
-	!memcmp(ticket_enc->client[0]->data,
-		tgs_server[0]->data,
-		tgs_server[0]->length)) {
-	/* someone in a foreign realm claiming to be local */
-	krb5_free_ap_req(apreq);
-	return KRB5KDC_ERR_POLICY;
+    if (!local_client) {
+	krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
+	krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
+	if (tkt_realm->length != tgs_realm->length ||
+	    memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
+	    /* someone in a foreign realm claiming to be local */
+	    krb5_free_ap_req(apreq);
+	    return KRB5KDC_ERR_POLICY;
+	}
     }
     our_cksum.checksum_type = authdat->authenticator->checksum->checksum_type;
     if (!valid_cksumtype(our_cksum.checksum_type)) {