author | Greg Hudson <ghudson@mit.edu> | 2018-09-14 20:35:50 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2018-10-29 19:06:38 -0400 |
commit | 0ab749b38930d43b4640b7b2e9448079510fd4a5 (patch) | |
tree | 641f6baf00b8b6b31e1488938f90f7ff3e7c6f4b | |
parent | e058595730c57032b84bacbb00806a95fd5eb470 (diff) | |
Always honor desired_name in gss_add_cred()
Remove the conditionalization around the desired_name processing in
gss_add_cred_from(), so that we always honor the requested name.
(cherry picked from commit 6d4eb6eb473c93f0db05409195448364382760a9)
ticket: 8737
version_fixed: 1.15.4
-rw-r--r-- | src/lib/gssapi/mechglue/g_acquire_cred.c | 28 | ||||
-rw-r--r-- | src/tests/gssapi/t_add_cred.c | 10 |
2 files changed, 23 insertions, 15 deletions
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index 5e82495..e7b3ed6 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -408,22 +408,20 @@ gss_add_cred_from(minor_status, input_cred_handle,
 return (GSS_S_DUPLICATE_ELEMENT);
 }
- /* for default credentials we will use GSS_C_NO_NAME */
- if (input_cred_handle != GSS_C_NO_CREDENTIAL ||
- cred_store != GSS_C_NO_CRED_STORE) {
- /* may need to create a mechanism specific name */
- if (desired_name) {
- union_name = (gss_union_name_t)desired_name;
- if (union_name->mech_type &&
- g_OID_equal(union_name->mech_type, selected_mech))
- internal_name = union_name->mech_name;
- else {
- if (gssint_import_internal_name(minor_status, selected_mech,
- union_name, &allocated_name) !=
- GSS_S_COMPLETE)
- return (GSS_S_BAD_NAME);
- internal_name = allocated_name;
+ /* We may need to create a mechanism specific name. */
+ if (desired_name != GSS_C_NO_NAME) {
+ union_name = (gss_union_name_t)desired_name;
+ if (union_name->mech_type &&
+ g_OID_equal(union_name->mech_type, selected_mech)) {
+ internal_name = union_name->mech_name;
+ } else {
+ if (gssint_import_internal_name(minor_status, selected_mech,
+ union_name, &allocated_name) !=
+ GSS_S_COMPLETE) {
+ status = GSS_S_BAD_NAME;
+ goto errout;
 }
+ internal_name = allocated_name;
 }
 }
diff --git a/src/tests/gssapi/t_add_cred.c b/src/tests/gssapi/t_add_cred.c
index d59fde9..1407e67 100644
--- a/src/tests/gssapi/t_add_cred.c
+++ b/src/tests/gssapi/t_add_cred.c
@@ -48,6 +48,7 @@ main()
 OM_uint32 minor, major;
 gss_cred_id_t cred1;
 gss_cred_usage_t usage;
+ gss_name_t name;
 /* Check that we get the expected error if we pass neither an input nor an
 * output cred handle. */
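Review bot: The comment on the now-unconditional `desired_name` block in g_acquire_cred.c says only that a mechanism name may be needed and does not record why the old guard was dropped; I would write `/* Always honor desired_name, even with no input cred and no cred store, so the caller never gets a credential for a name it did not request. */`. The failure branch also reports every `gssint_import_internal_name()` error as `GSS_S_BAD_NAME`, so the callee's own major status is lost; whether that is intended cannot be judged from the hunk. The `errout` label and the rest of gss_add_cred_from() lie outside the hunk, so it is worth confirming that the cleanup there is safe on a path where `allocated_name` was never set.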
@@ -56,6 +57,15 @@ main()
 GSS_C_INDEFINITE, NULL, NULL, NULL, NULL);
 assert(major == (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED));
+ /* Regression test for #8737: make sure that desired_name is honored when
+ * creating a credential by passing in a non-matching name. */
+ name = import_name("p:does/not/match@WRONG_REALM");
+ major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, name, &mech_krb5,
+ GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE,
+ &cred1, NULL, NULL, NULL);
+ assert(major == GSS_S_CRED_UNAVAIL);
+ gss_release_name(&minor, &name);
+
 /* Create cred1 with a krb5 initiator cred by passing an output handle but
 * no input handle. */
 major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, |
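Review bot: The regression test in t_add_cred.c covers only the rejecting direction: it asserts `GSS_S_CRED_UNAVAIL` for a name that cannot match, and nothing in the hunk checks that a matching `desired_name` yields a credential bound to that name. A positive counterpart that acquires with the expected principal and compares the name reported by `gss_inquire_cred()` would pin both sides of the fix. The test comment could also state the pre-fix behaviour, which appears from the removed guard to have been that the name was skipped for a default credential, for example `/* Before the fix the name was ignored here and the default cred was used. */`. main() continues outside the hunk.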