git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Wed, 2 Jan 2019 21:54:28 +0000 (16:54 -0500)
committer	Greg Hudson <ghudson@mit.edu>
	Tue, 5 Mar 2019 16:45:21 +0000 (11:45 -0500)
commit	9d6847c8f0187a0dd6466420335b5460de5c449e
tree	94bf7e5a0a8d9f285f550aaace3a0cb50cfbb5e6	tree
parent	46655c8557c00c639e6aba2e0ed1980ff5df50af	commit \| diff

Improve S4U2Self realm identification internals

Realm identification for S4U2Self requests ([MS-SFU] 3.1.5.1.1.1) uses
the AS code path with some differences: we might want to include a
subject certificate in pa-data, we want to stop as soon as we get a
reply indicating which realm the client is in, and we want to
communicate that realm to the caller. The current method of making
these changes is fragile--it uses an optimistic preauth type but does
not actually pre-authenticate, and it assumes that the AS code will
terminate with a predictable error if there is no prompter and a
trivial GAK function.

Instead, add fields to krb5_get_init_creds_context for realm
identification, and support them in the AS state machine, making sure
never to invoke preauth modules. Add a new library-internal function
k5_identify_realm() to set up an appropriate context, run the state
machine, and copy out the client principal of the last request on
success.

src/include/k5-trace.h		diff \| blob \| blame \| history
src/lib/krb5/krb/get_in_tkt.c		diff \| blob \| blame \| history
src/lib/krb5/krb/init_creds_ctx.h		diff \| blob \| blame \| history
src/lib/krb5/krb/int-proto.h		diff \| blob \| blame \| history
src/lib/krb5/krb/preauth2.c		diff \| blob \| blame \| history
src/lib/krb5/krb/s4u_creds.c		diff \| blob \| blame \| history
src/tests/gssapi/t_s4u.py		diff \| blob \| blame \| history