Make gss_store_cred*() work
krb5_cc_cache_match() searches all ccache collections for a ccache that has credentials for a given principal name. This includes MEMORY ccaches, which means it can find the same ccache as is referenced by a GSS cred handle given to gss_store_cred(), which means that gss_store_cred() can fail. For now we work around this by including a private variant of krb5_cc_cache_match() that only searches the default ccache, not all collections. Eventually we should ensure that krb5_cc_default() also searches all collection-type (other than MEMORY) ccaches for a default credential, then we can go back to using krb5_cc_cache_match() (though we'll need to make sure that MEMORY is searched last or not at all).
This commit is contained in:
Nicolas Williams
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2009 Kungliga Tekniska H<EFBFBD>gskolan
|
||||
* Copyright (c) 2009 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -61,6 +61,13 @@ store_mech_cred(OM_uint32 *minor_status,
|
||||
return major_status;
|
||||
}
|
||||
|
||||
/*
|
||||
* See RFC5588 for gss_store_cred(). This function is a variant that takes a
|
||||
* const key/value hashmap-like thing that specifies a credential store in a
|
||||
* mechanism- and implementation-specific way, though Heimdal and MIT agree on
|
||||
* at least the following keys for the Kerberos mechanism: ccache, keytab, and
|
||||
* client_keytab.
|
||||
*/
|
||||
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
|
||||
gss_store_cred_into(OM_uint32 *minor_status,
|
||||
gss_const_cred_id_t input_cred_handle,
|
||||
|
||||
Reference in New Issue
Block a user