From 688dce2916b04932ffb42c2ff265a00ce01d7189 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 20 Sep 2012 15:35:56 -0400
Subject: Enforce TGS principals having 2 components

RFC 4120 section 7.3 says that TGS principal names have two components. Make krb5_is_tgs_principal() and is_cross_tgs_principal() enforce this constraint. Code elsewhere in the KDC already checks for two components anyway.
---
 src/kdc/kdc_util.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a2a9b4b07..4f6ce6f30 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -145,22 +145,26 @@ is_local_principal(krb5_const_principal princ1)
 krb5_boolean
 krb5_is_tgs_principal(krb5_const_principal principal)
 {
- if ((krb5_princ_size(kdc_context, principal) > 0) &&
- data_eq_string (*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME))
+ if (krb5_princ_size(kdc_context, principal) != 2)
+ return FALSE;
+ if (data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME))
 return TRUE;
- return FALSE;
+ else
+ return FALSE;
 }

 /* Returns TRUE if principal is the name of a cross-realm TGS. */
 krb5_boolean
 is_cross_tgs_principal(krb5_const_principal principal)
 {
- return (krb5_princ_size(kdc_context, principal) >= 2 &&
- data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
- KRB5_TGS_NAME) &&
- !data_eq(*krb5_princ_component(kdc_context, principal, 1),
- *krb5_princ_realm(kdc_context, principal)));
+ if (!krb5_is_tgs_principal(principal))
+ return FALSE;
+ if (!data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kdc_context, principal)))
+ return TRUE;
+ else
+ return FALSE;
 }

 /*
-- cgit
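Review bot: krb5_is_tgs_principal() now returns FALSE for any name whose component count is not exactly two, but unlike is_cross_tgs_principal() just below it, it has no header comment stating that contract. Callers are outside this hunk; if any of them uses the result to apply TGS-specific restrictions, a name whose first component is KRB5_TGS_NAME but which has one or three components now takes the non-TGS branch, so it is worth confirming that no caller relaxes a check on a FALSE result. I would add `/* Returns TRUE if principal is a two-component TGS name (RFC 4120 section 7.3); any other component count yields FALSE. */` above the function. As a style point, the `if (...) return TRUE; else return FALSE;` tails in both functions could each be a single `return` of the condition.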