Implement the GSS-API credential store API extensions defined by MIT here:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms).
(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
Delegated or other explicit credentials were mishandled; the code only
worked correctly when processing default credentials. In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:
ssh_gssapi_accept_ctx() ->
ssh_gssapi_getclient() ->
gss_inquire_cred_by_mech()
When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
a whole krb5_context in TLS. This has some interesting side-effects
for the configuration setting options since they operate on a
per-thread basis now.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19031 ec53bebd-3082-4978-b11e-865c3cabbd6b
acquire the acceptor cred and initiator cred in two different steps and
then query them for the information; this way, the code won't fail if
there is no keytab, but there is a credential cache.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17815 ec53bebd-3082-4978-b11e-865c3cabbd6b
Stop exposing global gssapi symbols.
Rename gss_context_id_t and gss_cred_id_t to local names.
Remove SPNEGO code, it's now in its own gssapi module.
Add mechglue inquire functions.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17697 ec53bebd-3082-4978-b11e-865c3cabbd6b
removed while still used)
- don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
- make sure all lifetimes are returned in seconds left until expired,
not in unix epoch
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12317 ec53bebd-3082-4978-b11e-865c3cabbd6b
before we start so caller will have harmless values in them if we
fail
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11740 ec53bebd-3082-4978-b11e-865c3cabbd6b
``A caller may provide the value NULL (GSS_C_NO_NAME) for
desired_name, which will be interpreted as a request for a
credential handle that will invoke default behavior when passed
to GSS_Init_sec_context(), if cred_usage is GSS_C_INITIATE
or GSS_C_BOTH, or GSS_Accept_sec_context(), if cred_usage is
GSS_C_ACCEPT or GSS_C_BOTH.''
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11155 ec53bebd-3082-4978-b11e-865c3cabbd6b