[27145] in CVS-changelog-for-Kerberos-V5


krb5 commit: Enforce TGS principals having 2 components

daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Oct 15 20:27:44 2012

Date: Mon, 15 Oct 2012 20:27:42 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201210160027.q9G0RgnC005716@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/688dce2916b04932ffb42c2ff265a00ce01d7189
commit 688dce2916b04932ffb42c2ff265a00ce01d7189
Author: Tom Yu <tlyu@mit.edu>
Date:   Thu Sep 20 15:35:56 2012 -0400

    Enforce TGS principals having 2 components
    
    RFC 4120 section 7.3 says that TGS principal names have two
    components.  Make krb5_is_tgs_principal() and is_cross_tgs_principal()
    enforce this constraint.  Code elsewhere in the KDC already checks for
    two components anyway.

 src/kdc/kdc_util.c |   22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a2a9b4b..4f6ce6f 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -145,22 +145,26 @@ is_local_principal(krb5_const_principal princ1)
 krb5_boolean
 krb5_is_tgs_principal(krb5_const_principal principal)
 {
-    if ((krb5_princ_size(kdc_context, principal) > 0) &&
-        data_eq_string (*krb5_princ_component(kdc_context, principal, 0),
-                        KRB5_TGS_NAME))
+    if (krb5_princ_size(kdc_context, principal) != 2)
+        return FALSE;
+    if (data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+                       KRB5_TGS_NAME))
         return TRUE;
-    return FALSE;
+    else
+        return FALSE;
 }
 
 /* Returns TRUE if principal is the name of a cross-realm TGS. */
 krb5_boolean
 is_cross_tgs_principal(krb5_const_principal principal)
 {
-    return (krb5_princ_size(kdc_context, principal) >= 2 &&
-            data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
-                           KRB5_TGS_NAME) &&
-            !data_eq(*krb5_princ_component(kdc_context, principal, 1),
-                     *krb5_princ_realm(kdc_context, principal)));
+    if (!krb5_is_tgs_principal(principal))
+        return FALSE;
+    if (!data_eq(*krb5_princ_component(kdc_context, principal, 1),
+                 *krb5_princ_realm(kdc_context, principal)))
+        return TRUE;
+    else
+        return FALSE;
 }
 
 /*
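Review bot: is_cross_tgs_principal() silently tightens from `>= 2` components to exactly two by delegating to krb5_is_tgs_principal(), and krb5_is_tgs_principal() itself stops accepting a one-component name (the old test was `> 0`) or any name with three or more components. That matches the RFC 4120 section 7.3 rule cited in the commit message, but the diffstat lists only src/kdc/kdc_util.c, so nothing in this change exercises the newly rejected shapes. Consider a test that feeds one-, two- and three-component krbtgt names to both predicates. The comment above is_cross_tgs_principal() should also say that exactly two components are required, since callers can no longer infer that from the body. As a style point, both `if (...) return TRUE; else return FALSE;` tails could return the comparison result directly.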
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
