return ret;
}
- if (disallow_getting_krbtgt &&
- mcreds.server->name.name_string.len == 2 &&
- strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+ if (disallow_getting_krbtgt && krb5_principal_is_krbtgt(context, mcreds.server))
{
free(name);
krb5_free_cred_contents(context, &mcreds);
goto out;
}
- if(!get_krbtgt_realm(&ap_req.ticket.sname)){
+ if(!krb5_principalname_is_krbtgt(r->context, &ap_req.ticket.sname)){
+ /*
+ * Note: this check is not to be depended upon for security. Nothing
+ * prevents a client modifying the sname, as it is located in the
+ * unencrypted part of the ticket.
+ */
+
/* XXX check for ticket.sname == req.sname */
kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
}
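Review bot: The check this line replaces required exactly two name components, but krb5_principalname_is_krbtgt as defined in this commit also returns true for a single-component "krbtgt" sname, so anything after this guard that reads `ap_req.ticket.sname.name_string.val[1]` for the TGT realm (which the removed helper's name get_krbtgt_realm suggests happened somewhere) is no longer protected by it; the enclosing function continues past the hunk, so that is where to look. The additional-ticket check on `t->sname` in the next hunk has the same exposure. If a one-component krbtgt name is not meant to pass here, keep the stricter shape test next to the helper: `if (!krb5_principalname_is_krbtgt(r->context, &ap_req.ticket.sname) || ap_req.ticket.sname.name_string.len != 2) {`. The added note comment explains the check rather than the rejection branch, so it reads better placed immediately above the `if` than inside its body.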
t = &b->additional_tickets->val[0];
- if(!get_krbtgt_realm(&t->sname)){
+ if(!krb5_principalname_is_krbtgt(context, &t->sname)){
+ /*
+ * Note: this check is not to be depended upon for
+ * security. Nothing prevents a client modifying the sname, as
+ * it is located in the unencrypted part of the ticket.
+ */
+
kdc_log(context, config, 4,
"Additional ticket is not a ticket-granting ticket");
kdc_audit_addreason((kdc_request_t)priv,
if (!db->enable_virtual_hostbased_princs)
maxdots = mindots = 0;
if (db->enable_virtual_hostbased_princs && comp1 &&
- strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0) {
+ (comp0 == NULL || (strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0))) {
char *htmp;
if ((host = strdup(comp1)) == NULL)
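Review bot: The new `comp0 == NULL ||` clause lets a principal with no first component but a non-NULL comp1 into the virtual host-based branch, and nothing in the hunk says whether that combination is reachable — comp0 and comp1 are derived before the hunk starts, so this is inferred. A one-line comment giving the reason would help, e.g. `/* comp0 may be NULL when <reason>; a missing first component is never krbtgt or WELLKNOWN */` with the real reason filled in. The condition would also read better with the exclusion named rather than nested: `int reserved_comp0 = comp0 != NULL && (strcmp("krbtgt", comp0) == 0 || strcmp(KRB5_WELLKNOWN_NAME, comp0) == 0);` followed by `if (db->enable_virtual_hostbased_princs && comp1 && !reserved_comp0) {`, which is the same predicate by De Morgan.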
krb5_principal_set_comp_string
krb5_principal_set_realm
krb5_principal_set_type
+ krb5_principalname_is_krbtgt
krb5_print_address
krb5_program_setup
krb5_prompter_posix
return strcmp(principal->realm, KRB5_PKU2U_REALM_NAME) == 0;
}
+/**
+ * Check if the cname part of the principal name is a krbtgt principal
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principalname_is_krbtgt(krb5_context context, const PrincipalName *p)
+{
+ return 1 <= p->name_string.len &&
+ p->name_string.len <= 2 &&
+ strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0;
+}
+
/**
* Check if the cname part of the principal is a krbtgt principal
*
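Review bot: The Doxygen block on the new krb5_principalname_is_krbtgt is copied from the principal variant ("cname part of the principal name", which a PrincipalName does not have) and documents neither the parameters nor the accepted shape, which matters because the body returns true for one or two components whose first is KRB5_TGS_NAME, whereas every inline check this commit replaces required exactly two. Suggest a description such as `Check whether a PrincipalName names a krbtgt service: true when it has one or two components and the first is KRB5_TGS_NAME ("krbtgt"); context is unused.` plus `@param context`, `@param p` and `@return` lines. The comment on krb5_principal_is_krbtgt in the next hunk should state the same accepted shape now that it delegates here, since its previous two-component behaviour has changed for callers.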
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
{
- return p->name.name_string.len == 2 &&
- strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
+ return krb5_principalname_is_krbtgt(context, &p->name);
}
/**
krb5_err(context, 1, error, "test %s failed in %s", test, func);
}
-static krb5_boolean
-is_krbtgt(const PrincipalName *p)
-{
- return (p->name_string.len == 2 &&
- strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0);
-}
-
static void
check_ticket_signature(krb5_context context,
const struct test_pac_ticket *tkt)
if (ret)
t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse", ret);
- heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+ heim_assert(!krb5_principalname_is_krbtgt(context,
+ &ticket.sname) == !!signedticket,
+ "ticket-signature");
ret = krb5_pac_verify(context, pac, et.authtime, client,
tkt->key, tkt->kdc_key);
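Review bot: The reflowed assertion separates `!krb5_principalname_is_krbtgt(...)` from `== !!signedticket` across lines, which obscures that the condition is an exclusive-or between "sname is a TGT" and "ticket carries a signature". Because the helper is an `&&` chain and so yields exactly 0 or 1, a named local states the intent directly: `krb5_boolean is_tgt = krb5_principalname_is_krbtgt(context, &ticket.sname);` then `heim_assert(is_tgt == !signedticket, "ticket-signature");`. The second assertion in the following hunk can take the same form; the enclosing function starts before this hunk.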
if (ret)
t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse 2", ret);
- heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+ heim_assert(!krb5_principalname_is_krbtgt(context,
+ &ticket.sname) == !!signedticket,
+ "ticket-signature");
ret = krb5_pac_verify(context, pac, et.authtime, client, tkt->key,
tkt->kdc_key);
krb5_principal_is_federated;
krb5_principal_is_krbtgt;
krb5_principal_is_root_krbtgt;
+ krb5_principalname_is_krbtgt;
krb5_print_address;
krb5_program_setup;
krb5_prompter_posix;