From 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 5 Sep 2011 16:35:40 +0000
Subject: Make gss-krb5 use cache collection

For default credentials, defer ccache resolution until we need the information. If this happens in init_sec_context when we have the target principal in hand, use krb5_cc_select() to pick a cache. If the target principal is not known, use the default cache. For credentials with a specified principal, use krb5_cc_cache_match() to find the cache. If no cache is found and a password is specified, create a new cache within the collection to hold the new credentials, if the default cache type supports a collection.

ticket: 6958
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25160 dc483132-0cff-0310-8789-dd5450dbe970
---
src/lib/gssapi/krb5/iakerb.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
(limited to 'src/lib/gssapi/krb5/iakerb.c')
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index e0aede9fb2..84a96ac1bf 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -914,16 +914,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
 kname = (krb5_gss_name_t)target_name;
- if (claimant_cred_handle != GSS_C_NO_CREDENTIAL) {
- major_status = krb5_gss_validate_cred_1(minor_status,
- claimant_cred_handle,
- ctx->k5c);
- if (GSS_ERROR(major_status))
- goto cleanup;
-
- cred_locked = TRUE;
- kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
- } else {
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
 major_status = krb5_gss_acquire_cred(minor_status, NULL, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET,
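Review bot: With the `krb5_gss_validate_cred_1()` call removed from this branch, a caller-supplied `claimant_cred_handle` is no longer checked at this site before it is cast to `krb5_gss_cred_id_t`. The only remaining gate is `kg_cred_resolve()` in the next hunk, and its body is not part of this diff. If that function validates the handle, a comment at the call would record the dependency, for example `/* kg_cred_resolve() validates the handle and, on success, returns with the cred locked. */`. If it does not, the explicit validation should stay for the non-default case. The enclosing function starts and ends outside the hunk.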
@@ -931,9 +922,16 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
 &defcred, NULL, NULL);
 if (GSS_ERROR(major_status)) goto cleanup;
- kcred = (krb5_gss_cred_id_t)defcred;
+ claimant_cred_handle = defcred;
 }
+ major_status = kg_cred_resolve(minor_status, ctx->k5c,
+ claimant_cred_handle, target_name);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+ cred_locked = TRUE;
+ kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
+ major_status = GSS_S_FAILURE;
 if (initialContextToken) {
-- cgit
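Review bot: `cred_locked = TRUE` is now also set on the default-credential path, where the removed lines left it unset after `krb5_gss_acquire_cred()`. The `cleanup` label is outside this hunk, so it is worth confirming that it unlocks `kcred` before it releases `defcred`; otherwise the credential would presumably be torn down while its lock is still held. Overwriting the parameter with `claimant_cred_handle = defcred;` also blurs which credential the caller owns, so cleanup must keep keying the release on `defcred` alone. A local such as `gss_cred_id_t cred = (claimant_cred_handle != GSS_C_NO_CREDENTIAL) ? claimant_cred_handle : defcred;` would leave the parameter untouched and make ownership obvious.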