oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make gss_store_cred*() work

Browse Source 
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name.  This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.

For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections.  Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
This commit is contained in:
Nicolas Williams
2019-07-25 20:18:22 -05:00
parent fae8df3839
commit 2709f28a1b
3 changed files with 158 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/gssapi/mech/gss_store_cred.c
View File

@@ -33,6 +33,7 @@
#include "mech_locl.h"
/* See RFC5588 */
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,