From b6e3c9896c1c3f20a8d98ba7721b44afcc144bac Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 23 Jan 2012 17:51:29 -0600
Subject: Fix error that made credential handles not an array of elements

---
 x-files/gss_proxy.x | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/x-files/gss_proxy.x b/x-files/gss_proxy.x
index 15c06b5..a3bb6b3 100644
--- a/x-files/gss_proxy.x
+++ b/x-files/gss_proxy.x
@@ -262,8 +262,17 @@ struct gssx_name {
 /*
 * CREDENTIAL HANDLEs are really just a description plus whatever state
 * reference or encoded (and protected) state the server needs.
+ *
+ * Of course, the way CREDENTIAL HANDLEs work in the GSS-API they are
+ * actually sets of elements, all of which are supposed to be for the
+ * same desired_name but different mechanism OIDs. In practice the
+ * desired_names for each element will be MNs, thus all different, but
+ * we might have the original non-MN desired_name, and that is useful to
+ * keep for GSS_Inquire_cred().
+ *
+ * First we have credential elements:
 */
-struct gssx_cred {
+struct gssx_cred_element {
 /* GSS_Inquire_cred_by_mech() outputs */
 gssx_name MN;
 gssx_OID mech;
@@ -271,6 +280,16 @@ struct gssx_cred {
 gssx_time initiator_time_rec;
 gssx_time acceptor_time_rec;
 gssx_option cred_options<>;
+ /* Extensions */
+ gssx_typed_hole extensions<>;
+};
+
+/*
+ * Then we have the actual credential handle:
+ */
+struct gssx_cred {
+ gssx_name desired_name; /* possibly not an MN */
+ gssx_cred_element elements<>;
 /*
 * Server-side state reference or encoded state; may or may not
 * require releasing. This may be just a ccache name, or an encoded
@@ -286,8 +305,6 @@ struct gssx_cred {
 */
 octet_string cred_handle_reference;
 bool needs_release;
- /* Extensions */
- gssx_typed_hole extensions<>;
 };

 /*
-- cgit
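Review bot: The new header comment says the elements are "supposed to be for the same desired_name but different mechanism OIDs", but nothing in `gssx_cred_element` or the wire format can enforce that, so the rule should be written down as a receiver obligation rather than a description. I would add a line to this comment such as `* Receivers MUST reject a credential whose elements repeat a mech OID.` so that implementations do not each settle on their own first-wins or last-wins behaviour for duplicates. The comment could also say whether an empty element list is a valid credential. `gssx_cred_element` opens in this hunk and its body continues in the next one.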
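Review bot: `gssx_cred_element elements<>;` and the relocated `gssx_typed_hole extensions<>;` are unbounded XDR arrays, so a decoder generated from this file accepts whatever element count the peer sends, up to the XDR maximum, before any application-level check runs. A declared bound lets the decoder refuse an oversized credential at parse time, e.g. `gssx_cred_element elements<GSSX_MAX_CRED_ELEMENTS>;` (placeholder constant name, to be defined in this file with a value the project chooses). Because `desired_name` and `elements` travel next to `cred_handle_reference` as plain description, a comment here should also say that a server receiving a handle back takes authority only from the protected reference and treats the descriptive fields as unverified; I am inferring that intent from the "description plus ... encoded (and protected) state" wording of the header comment. After this change `gssx_cred` itself no longer has an `extensions<>` member (removed in the last hunk), so handle-level extensions cannot be expressed; please confirm that is intended. The body of `gssx_cred` continues past this hunk.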