Make gss_store_cred*() work

krb5_cc_cache_match() searches all ccache collections for a ccache that has credentials for a given principal name. This includes MEMORY ccaches, which means it can find the same ccache as is referenced by a GSS cred handle given to gss_store_cred(), which means that gss_store_cred() can fail. For now we work around this by including a private variant of krb5_cc_cache_match() that only searches the default ccache, not all collections. Eventually we should ensure that krb5_cc_default() also searches all collection-type (other than MEMORY) ccaches for a default credential, then we can go back to using krb5_cc_cache_match() (though we'll need to make sure that MEMORY is searched last or not at all).
2019-07-25 20:18:22 -05:00
parent fae8df3839
commit 2709f28a1b
3 changed files with 158 additions and 66 deletions
--- a/lib/gssapi/mech/gss_store_cred.c
+++ b/lib/gssapi/mech/gss_store_cred.c
@@ -33,6 +33,7 @@

 #include "mech_locl.h"

+/* See RFC5588 */
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_store_cred(OM_uint32         *minor_status,
 	       gss_cred_id_t     input_cred_handle,
--- a/lib/gssapi/mech/gss_store_cred_into.c
+++ b/lib/gssapi/mech/gss_store_cred_into.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 Kungliga Tekniska H<EFBFBD>gskolan
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -61,6 +61,13 @@ store_mech_cred(OM_uint32 *minor_status,
    return major_status;
 }

+/*
+ * See RFC5588 for gss_store_cred().  This function is a variant that takes a
+ * const key/value hashmap-like thing that specifies a credential store in a
+ * mechanism- and implementation-specific way, though Heimdal and MIT agree on
+ * at least the following keys for the Kerberos mechanism: ccache, keytab, and
+ * client_keytab.
+ */
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_store_cred_into(OM_uint32 *minor_status,
 		    gss_const_cred_id_t input_cred_handle,