acquire_cred(), kg_caller_provided_ccache_name(): On further reflection
authorAlexandra Ellwood <lxs@mit.edu>
Wed, 19 Jul 2006 18:14:01 +0000 (18:14 +0000)
committerAlexandra Ellwood <lxs@mit.edu>
Wed, 19 Jul 2006 18:14:01 +0000 (18:14 +0000)
and testing the correct thing appears to be to have gss_krb5_ccache_name()
stop gss_acquire_cred() from searching for the desired name in the cache
collection.  If the caller sets the ccache name then gss_acquire_cred will only
look in that ccache.  Added kg_caller_provided_ccache_name() to tell whether
or not the caller has actually set the ccache.  This should fix the problem for
both Mac OS X and Windows.

ticket: 4024

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18343 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/acquire_cred.c
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/gssapi_krb5.c

index 65ba976c7ea226c237c3ed3aa1c245c187c78ca6..3f213a12eefec23f1cfda58d8eb05ac6687632ea 100644 (file)
@@ -222,6 +222,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
    krb5_cc_cursor cur;
    krb5_creds creds;
    int got_endtime;
+   int caller_provided_ccache_name = 0;
 
    cred->ccache = NULL;
 
@@ -230,27 +231,26 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
    if (GSS_ERROR(kg_sync_ccache_name(context, minor_status)))
        return(GSS_S_FAILURE);
 
+   /* check to see if the caller provided a ccache name if so 
+    * we will just use that and not search the cache collection */
+   if (GSS_ERROR(kg_caller_provided_ccache_name (minor_status, &caller_provided_ccache_name))) {
+       return(GSS_S_FAILURE);
+   }
+
 #if defined(USE_LOGIN_LIBRARY) || defined(USE_LEASH)
-   if (desired_name != NULL) {
+   if (desired_name && !caller_provided_ccache_name) {
 #if defined(USE_LOGIN_LIBRARY)
        KLStatus err = klNoErr;
-       KLPrincipal kl_desired_princ = NULL;
-       char *default_name = krb5_cc_default_name (context);
        char *ccache_name = NULL;
-       
+       KLPrincipal kl_desired_princ = NULL;
+
        err = __KLCreatePrincipalFromKerberos5Principal ((krb5_principal) desired_name,
                                                         &kl_desired_princ);
        
        if (!err) {
-           if (default_name) {
-               err = __KLAcquireInitialTicketsForCacheAndPrincipal (default_name, kerberosVersion_V5,
-                                                                    kl_desired_princ, NULL, NULL, 
-                                                                    &ccache_name);
-           } else {
-               err = KLAcquireInitialTickets (kl_desired_princ, NULL, NULL, &ccache_name);
-           }
+           err = KLAcquireInitialTickets (kl_desired_princ, NULL, NULL, &ccache_name);
        }
-       
+
        if (!err) {
            err = krb5_cc_resolve (context, ccache_name, &ccache);
        }
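Review bot: When the caller has set a ccache name, the new `desired_name && !caller_provided_ccache_name` guard skips the login-library acquisition entirely, so whether the resulting credential really belongs to `desired_name` now rests on a principal comparison against the named ccache that is not visible in this hunk. If acquire_init_cred performs that comparison further down, the added comment should say so; if it does not, a caller asking for one identity could be given credentials for a different principal. The added comment is also a run-on, and once the check is confirmed I would write `/* If the caller set a ccache name, use only that ccache and skip the cache collection search; desired_name is still checked against its principal below. */`. acquire_init_cred starts and ends outside the hunk.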
@@ -260,8 +260,8 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
            return(GSS_S_CRED_UNAVAIL);
        }
        
-       if (ccache_name      != NULL) { KLDisposeString (ccache_name); }
        if (kl_desired_princ != NULL) { KLDisposePrincipal (kl_desired_princ); }
+       if (ccache_name      != NULL) { KLDisposeString (ccache_name); }
        
 #elif defined(USE_LEASH)
        if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
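Review bot: Both `KLDispose…` calls sit after the `return(GSS_S_CRED_UNAVAIL);` at the top of this hunk, so on the failure path `kl_desired_princ` appears to leak, and `ccache_name` too if KLAcquireInitialTickets succeeded but krb5_cc_resolve failed. Swapping the order of the two calls does not change that. The condition guarding the return lies outside the hunk, so this is inferred from the visible statement order. Moving the two dispose lines above that error check would release both on either path, since `ccache_name` is no longer needed once krb5_cc_resolve has run.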
index 08e76d77039a36ef87c5c8f96f60529290075776..8887a4ddfa0aba7e03a326ddddeb752e8a5b2569 100644 (file)
@@ -319,6 +319,9 @@ krb5_error_code kg_ctx_internalize (krb5_context kcontext,
 
 OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);
 
+OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status, 
+                                          int *out_caller_provided_name);
+
 OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, 
                               const char **out_name);
 
index f1c27e487e51dc462e68de3154aaca66b8733032..a0953e0b2387a9405ebe47d9be0864250329e213 100644 (file)
@@ -175,6 +175,22 @@ kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status)
     return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
 }
 
+/* This function returns whether or not the caller set a cccache name.  Used by
+ * gss_acquire_cred to figure out if the caller wants to only look at this 
+ * ccache or search the cache collection for the desired name */
+OM_uint32
+kg_caller_provided_ccache_name (OM_uint32 *minor_status, 
+int *out_caller_provided_name)
+{
+    if (out_caller_provided_name) {
+        *out_caller_provided_name = 
+         (k5_getspecific(K5_KEY_GSS_KRB5_CCACHE_NAME) != NULL);
+    }
+    
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
 OM_uint32
 kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name)
 {
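Review bot: kg_caller_provided_ccache_name() NULL-checks `out_caller_provided_name` but dereferences `minor_status` unconditionally, and a NULL out pointer still returns GSS_S_COMPLETE without reporting anything, so the `GSS_ERROR(...)` test at the call site in acquire_init_cred can never fire. Either drop the NULL check and document both pointers as required, or make the failure real with `if (!out_caller_provided_name) { *minor_status = EINVAL; return GSS_S_FAILURE; }`. The header comment has a typo (`cccache`) and should also state that the answer comes from the `K5_KEY_GSS_KRB5_CCACHE_NAME` slot read through `k5_getspecific()`, which I believe is thread-specific, so a name set on another thread would not count.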