]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 35cd8db) | patch
Improve PKINIT UPN SAN matching
authorMatt Rogers <mrogers@redhat.com>
Mon, 5 Dec 2016 17:17:59 +0000 (12:17 -0500)
committerGreg Hudson <ghudson@mit.edu>
Tue, 3 Jan 2017 17:56:54 +0000 (12:56 -0500)
commit46ff765e1fb8cbec2bb602b43311269e695dbedc
treebb7d078f1e2efc144af0f96cde038208a871fba9tree | snapshot
parent35cd8db0f6627324b3b3a31f29b34774f649263bcommit | diff
Improve PKINIT UPN SAN matching

Add the match_client() kdcpreauth callback and use it in
verify_client_san().  match_client() preserves the direct UPN to
request principal comparison and adds a direct comparison to the
client principal, falling back to an alias DB search and comparison
against the client principal.  Change crypto_retreive_X509_sans() to
parse UPN values as enterprise principals.

[ghudson@mit.edu: use match_client for both kinds of SANs]

ticket: 8528 (new)
src/include/krb5/kdcpreauth_plugin.h diff | blob | blame | history
src/kdc/kdc_preauth.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_srv.c diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git