From: | ghudson@mit.edu |
Subject: | git commit |
Return GSS_S_NO_CRED from krb5 gss_acquire_cred
Earlier versions of the GSS-API spec (RFCs 1508 and 2078) do not list
GSS_S_NO_CRED as a valid error code for gss_acquire_cred. As a
result, the OpenVision developers of the GSSAPI krb5 mech created
GSS_S_CRED_UNAVAIL as an alias for GSS_S_FAILURE and returned it when
no valid credentials could be obtained. RFC 2743 lists GSS_S_NO_CRED
as the proper return code when matching credentials cannot be
accessed. Change the krb5 gss_acquire_cred() implementation to return
GSS_S_NO_CRED where it currently returns GSS_S_CRED_UNAVAIL.
Also stop using GSS_S_CRED_UNAVAIL in the krb5 gss_store_cred(), but
change it to explicitly use GSS_S_FAILURE instead. RFC 5588 specifies
GSS_S_NO_CRED as indicating a problem with input_cred_handle, not the
receiving store, so GSS_S_NO_CRED would be inappropriate.
https://github.com/krb5/krb5/commit/eb8d2ced232e60613b461b4410f6fff3800467ab
Author: Greg Hudson <ghudson@mit.edu>
Commit: eb8d2ced232e60613b461b4410f6fff3800467ab
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 16 ++++++++--------
src/lib/gssapi/krb5/store_cred.c | 4 ++--
src/tests/gssapi/t_add_cred.c | 2 +-
3 files changed, 11 insertions(+), 11 deletions(-)