-rw-r--r-- | x-files/gss_proxy.x | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/x-files/gss_proxy.x b/x-files/gss_proxy.x
index 15c06b5..a3bb6b3 100644
--- a/x-files/gss_proxy.x
+++ b/x-files/gss_proxy.x
@@ -262,8 +262,17 @@ struct gssx_name {
 /*
 * CREDENTIAL HANDLEs are really just a description plus whatever state
 * reference or encoded (and protected) state the server needs.
+ *
+ * Of course, the way CREDENTIAL HANDLEs work in the GSS-API they are
+ * actually sets of elements, all of which are supposed to be for the
+ * same desired_name but different mechanism OIDs. In practice the
+ * desired_names for each element will be MNs, thus all different, but
+ * we might have the original non-MN desired_name, and that is useful to
+ * keep for GSS_Inquire_cred().
+ *
+ * First we have credential elements:
 */
-struct gssx_cred {
+struct gssx_cred_element {
 /* GSS_Inquire_cred_by_mech() outputs */
 gssx_name MN;
 gssx_OID mech;
@@ -271,6 +280,16 @@ struct gssx_cred {
 gssx_time initiator_time_rec;
 gssx_time acceptor_time_rec;
 gssx_option cred_options<>;
+ /* Extensions */
+ gssx_typed_hole extensions<>;
+};
+
+/*
+ * Then we have the actual credential handle:
+ */
+struct gssx_cred {
+ gssx_name desired_name; /* possibly not an MN */
+ gssx_cred_element elements<>;
 /*
 * Server-side state reference or encoded state; may or may not
 * require releasing. This may be just a ccache name, or an encoded
@@ -286,8 +305,6 @@ struct gssx_cred {
 */
 octet_string cred_handle_reference;
 bool needs_release;
- /* Extensions */
- gssx_typed_hole extensions<>;
 };
 
 /*
|
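Review bot: In the second hunk, the new `gssx_cred` places `desired_name` and `elements<>` next to `cred_handle_reference`, but the comments only describe the reference as encoded and protected, so it is not stated whether the descriptive fields are covered by that protection. If a handle can be presented back by a client, the server side presumably has to treat the names, mechs and lifetimes in `elements` as advisory and re-derive them from the reference. A line such as `/* desired_name and elements are descriptive only; authoritative state comes from cred_handle_reference */` above `desired_name` would make that explicit. `elements<>` is also an unbounded array whose members each carry unbounded `cred_options<>` and `extensions<>`, so a declared maximum (for example `elements<MAX_CRED_ELEMENTS>`, placeholder name) would give decoders a limit to enforce. The struct body continues past the end of this hunk.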