Commit
krb5: Don't cache/reuse referral TGTs
Prior to this change _krb5_get_cred_kdc_any() would include TGTs obtained via KDC referrals in the "*ret_tgts" array returned to the caller. The caller typically stores these TGTs in the active credential cache.

However, referral TGTs must not be cached or reused for any request beyond the one they were issued for. The referral is for a specific service principal and the resulting TGT could include service-specific AuthData. The referral might also direct the client along a transitive path that is specific to this service and not applicable in the general case.

This change removes the *ret_tgts parameter from get_cred_kdc_referral() so that the obtained TGTs are never returned to its caller. This also prevents these TGTs from being used by any subsequent call to get_cred_kdc_capath().

Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d
1 parent d9e3e37, commit c37f1b3
Showing 1 changed file with 21 additions and 7 deletions.