Simple ACL wildcard patch
Greg Hudson
ghudson at mit.edu
Fri Aug 29 10:58:10 EDT 2014
I'm moving this to krbdev at mit.edu. kerberos at mit.edu is more
user-oriented and isn't specific to MIT krb5. The original message is at:
http://mailman.mit.edu/pipermail/kerberos/2014-August/020150.html
On 08/29/2014 05:54 AM, Kenneth MacDonald wrote:
> I have deployed this simple patch (attached) that checks for an asterisk
> at the beginning of the target, but followed by a non-digit. It then
> matches on the rest of the target.
I think we can do more general wildcard matching using fnmatch(), as
long as the component isn't a back-reference. I would rather do that
than support a wildcard at the beginning only.
It would be even better if we could do wildcard matching with
back-references mixed in, but that requires a custom fnmatch.
I found two old entries in our bug tracker containing patches for
limited wildcard support, so this is definitely not an unprecedented
request:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=843
http://krbdev.mit.edu/rt/Ticket/Display.html?id=5498
> Is this patch small and simple enough to form the basis of a change to
> the core code? If so, I'll happily patch up the documentation and
> prepare it against trunk.
There are a few issues with this patch, most of which are mooted by the
above. The biggest thing is that pointers inside krb5_data structures
should not be assumed to be zero-terminated. In practice,
krb5_parse_name defensively zero-terminates components, so you shouldn't
expect to run into trouble. But we don't like to rely on that.
If you do decide to work up a patch using fnmatch, and have a github
account or don't mind making one, you can submit a pull request at
github.com/krb5/krb5. There's more information at:
http://k5wiki.kerberos.org/wiki/Contributing_code
Be aware that we're in the stabilization period for 1.13, so at this
point contributed new features will go into 1.14.
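The two points above, an fnmatch()-based wildcard component that is skipped when the component is a back-reference, and never handing a krb5_data buffer to a C-string function without first copying it into a NUL-terminated buffer, combined in one small added example. This is illustrative code written for this page, not Greg's patch, Kenneth's patch, or anything from the krb5 tree: the `example_data` struct is a constructed stand-in for krb5_data, the "`*` followed only by digits is a back-reference" rule follows the convention discussed in the thread, and the kadm5 ACL syntax beyond a single component is not modeled.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for krb5_data: a length-counted buffer that must
 * NOT be assumed to be NUL-terminated (this is the caveat from the thread). */
typedef struct {
    unsigned int length;
    char *data;
} example_data;

/* A pattern component is a back-reference when it is "*" followed only by
 * digits ("*1", "*2", ...).  A lone "*" or "*" followed by anything else is
 * an ordinary wildcard.  Back-references are resolved by the caller; they
 * must never be passed to fnmatch(). */
static int is_backref(const char *pat)
{
    const char *p;

    if (pat[0] != '*' || pat[1] == '\0')
        return 0;
    for (p = pat + 1; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return 0;
    }
    return 1;
}

/* Match one principal component against one ACL pattern component.
 * Returns 1 on match, 0 on mismatch (or when the pattern is a
 * back-reference), -1 on allocation failure. */
int component_matches(const char *pattern, const example_data *comp)
{
    char *buf;
    int rc;

    if (is_backref(pattern))
        return 0;

    /* A component with an embedded NUL could never be compared safely as a
     * C string; treat it as a mismatch rather than silently truncating. */
    if (memchr(comp->data, '\0', comp->length) != NULL)
        return 0;

    /* Copy into a private NUL-terminated buffer: fnmatch() needs a C string
     * and the source buffer is not guaranteed to carry a terminator. */
    buf = malloc((size_t)comp->length + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, comp->data, comp->length);
    buf[comp->length] = '\0';

    rc = fnmatch(pattern, buf, 0);
    free(buf);
    return rc == 0;
}

/* Helper for the demonstration: wraps a C string as an example_data whose
 * buffer is copied WITHOUT its terminator, so the copy path is exercised. */
int match_string(const char *pattern, const char *component)
{
    example_data d;
    int rc;

    d.length = (unsigned int)strlen(component);
    d.data = malloc(d.length == 0 ? 1 : d.length);
    if (d.data == NULL)
        return -1;
    memcpy(d.data, component, d.length);   /* no NUL byte is copied */
    rc = component_matches(pattern, &d);
    free(d.data);
    return rc;
}

int main(void)
{
    /* Constructed sample patterns and components. */
    printf("'*'      vs 'alice'  -> %d\n", match_string("*", "alice"));
    printf("'*admin' vs 'kadmin' -> %d\n", match_string("*admin", "kadmin"));
    printf("'*1'     vs 'alice'  -> %d (back-reference, not a wildcard)\n",
           match_string("*1", "alice"));
    printf("'a?ice'  vs 'alice'  -> %d\n", match_string("a?ice", "alice"));
    printf("'alice'  vs 'alic'   -> %d\n", match_string("alice", "alic"));
    return 0;
}
```

The back-reference check runs before any matching so that a pattern such as `*1` is never interpreted by fnmatch() as "star then the literal digit 1"; the caller resolves it against the earlier component instead. The copy step costs an allocation per component, which is the price of not depending on krb5_parse_name's defensive termination.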