git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Fri, 22 May 2020 17:10:36 +0000 (13:10 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Fri, 29 May 2020 16:10:16 +0000 (12:10 -0400)
commit	eb8d2ced232e60613b461b4410f6fff3800467ab
tree	2aff341f7614d0effe25175c218dede1acad1cfb	tree
parent	8d27ca0b2ba71439b044404bddfd64485bb38702	commit \| diff

Return GSS_S_NO_CRED from krb5 gss_acquire_cred

Earlier versions of the GSS-API spec (RFCs 1508 and 2078) do not list
GSS_S_NO_CRED as a valid error code for gss_acquire_cred.  As a
result, the OpenVision developers of the GSSAPI krb5 mech created
GSS_S_CRED_UNAVAIL as an alias for GSS_S_FAILURE and returned it when
no valid credentials could be obtained.  RFC 2743 lists GSS_S_NO_CRED
as the proper return code when matching credentials cannot be
accessed.  Change the krb5 gss_acquire_cred() implementation to return
GSS_S_NO_CRED where it currently returns GSS_S_CRED_UNAVAIL.

Also stop using GSS_S_CRED_UNAVAIL in the krb5 gss_store_cred(), but
change it to explicitly use GSS_S_FAILURE instead.  RFC 5588 specifies
GSS_S_NO_CRED as indicating a problem with input_cred_handle, not the
receiving store, so GSS_S_NO_CRED would be inappropriate.

ticket: 8909 (new)

src/lib/gssapi/krb5/acquire_cred.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/store_cred.c		diff \| blob \| blame \| history
src/tests/gssapi/t_add_cred.c		diff \| blob \| blame \| history