git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Fri, 15 Jan 2021 18:51:34 +0000 (13:51 -0500)
committer	Greg Hudson <ghudson@mit.edu>
	Thu, 28 Jan 2021 15:57:46 +0000 (10:57 -0500)
commit	c374ab40dd059a5938ffc0440d87457ac5da3a46
tree	f6afbc4cc0390d860c08e4cc490b1667b2945c48	tree
parent	225fffe4e912772acea3a01d45bafb60bfb80948	commit \| diff

Support host-based GSS initiator names

When checking if we can get initial credentials in the GSS krb5 mech,
use krb5_kt_have_match() to support fallback iteration.  When scanning
the ccache or getting initial credentials, rewrite cred->name->princ
to the canonical client name.  When a name check is necessary (such as
when the caller specifies both a name and ccache), use a new internal
API k5_sname_compare() to support fallback iteration.  Add fallback
iteration to krb5_cc_cache_match() to allow host-based names to be
canonicalized against the cache collection.

Create and store the matching principal for acceptor names in
acquire_accept_cred() so that it isn't affected by changes in
cred->name->princ during acquire_init_cred().

ticket: 8978 (new)

src/include/k5-int.h		diff \| blob \| blame \| history
src/include/k5-trace.h		diff \| blob \| blame \| history
src/lib/gssapi/krb5/accept_sec_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/acquire_cred.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/gssapiP_krb5.h		diff \| blob \| blame \| history
src/lib/gssapi/krb5/rel_cred.c		diff \| blob \| blame \| history
src/lib/krb5/ccache/cccursor.c		diff \| blob \| blame \| history
src/lib/krb5/libkrb5.exports		diff \| blob \| blame \| history
src/lib/krb5/os/sn2princ.c		diff \| blob \| blame \| history
src/lib/krb5_32.def		diff \| blob \| blame \| history
src/tests/gssapi/t_client_keytab.py		diff \| blob \| blame \| history
src/tests/gssapi/t_credstore.py		diff \| blob \| blame \| history