authorGreg Hudson <ghudson@mit.edu>2015-04-21 13:39:34 -0400
committerGreg Hudson <ghudson@mit.edu>2015-07-06 14:51:05 -0400
commit1be1c3593e6a50cbed2e5d2d52b98d4413f669d4 (patch)
treeade5464cfeb44efb75fc7af1f4191ed8a8bba2f5 /src
parente110ce6ed19f5349e304e826e6b8066312c6c15c (diff)
Use memory cache in gss_acquire_cred_with_password
gss_acquire_cred_with_password() was originally introduced in Solaris. When we introduced it in 1.9, we unfortunately gave it different and less useful semantics. Restore this function to the Solaris semantics, which are to always get credentials and store them in a private memory ccache. The caller can use gss_store_cred() to make the resulting creds visible to other processes if desired. ticket: 8152
Diffstat (limited to 'src')
-rwxr-xr-xsrc/appl/gss-sample/t_gss_sample.py11
-rw-r--r--src/lib/gssapi/krb5/acquire_cred.c24
2 files changed, 23 insertions, 12 deletions
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index c53edd6..f6cd18c 100755
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -41,7 +41,6 @@ def server_client_test(realm, options):
if 'Signature verified.' not in output:
fail('Expected message not seen in gss-client output')
stop_daemon(server)
- realm.klist(realm.user_princ, realm.host_princ)
# Make up a filename to hold user's initial credentials.
def ccache_savefile(realm):
@@ -59,19 +58,25 @@ def ccache_restore(realm):
def tgs_test(realm, options):
ccache_restore(realm)
server_client_test(realm, options)
+ realm.klist(realm.user_princ, realm.host_princ)
# Perform a test of the server and client with initial credentials
# obtained through gss_acquire_cred_with_password().
def pw_test(realm, options):
- os.remove(realm.ccache)
+ if os.path.exists(realm.ccache):
+ os.remove(realm.ccache)
server_client_test(realm, options + ['-user', realm.user_princ,
'-pass', password('user')])
+ if os.path.exists(realm.ccache):
+ fail('gss_acquire_cred_with_password created ccache')
# Perform a test of the server and client with initial credentials
# obtained with the client keytab
def kt_test(realm, options):
- os.remove(realm.ccache)
+ if os.path.exists(realm.ccache):
+ os.remove(realm.ccache)
server_client_test(realm, options)
+ realm.klist(realm.user_princ, realm.host_princ)
for realm in multipass_realms():
ccache_save(realm)
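Review bot: The new post-condition in pw_test, `if os.path.exists(realm.ccache): fail(...)`, is the only assertion of the memory-ccache behaviour, and the comment above pw_test does not mention it. I would extend that comment with `# The credentials must stay in a private memory ccache, so no ccache file may exist afterwards.` The check covers only the path in realm.ccache, so it presumably relies on that path being the default ccache of the gss-client process. The exists-then-remove guard is now duplicated in pw_test and kt_test; a small helper would keep the two in step.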
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index ff51901..5bcfec9 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -655,7 +655,21 @@ acquire_init_cred(krb5_context context,
if (GSS_ERROR(kg_caller_provided_ccache_name(minor_status,
&caller_ccname)))
return GSS_S_FAILURE;
- if (req_ccache != NULL) {
+
+ if (password != GSS_C_NO_BUFFER) {
+ pwdata = make_data(password->value, password->length);
+ code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
+ if (code)
+ goto error;
+ cred->password = pwcopy.data;
+
+ /* We will fetch the credential into a private memory ccache. */
+ assert(req_ccache == NULL);
+ code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache);
+ if (code)
+ goto error;
+ cred->destroy_ccache = 1;
+ } else if (req_ccache != NULL) {
code = krb5_cc_dup(context, req_ccache, &cred->ccache);
if (code)
goto error;
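Review bot: `assert(req_ccache == NULL)` in the new password branch is the only guard against a caller supplying both a password and a ccache, and it is compiled out when NDEBUG is defined; req_ccache is then silently ignored because the `else if` branch is skipped. An explicit check that fails the call would be safer, for example `if (req_ccache != NULL) { code = EINVAL; goto error; }`, provided no internal caller relies on the combination. With this branch cred->ccache is always non-NULL for password callers, so the later context comment `/* The caller specified a ccache; check what's in it. */` before scan_ccache() no longer describes that path and should be reworded. acquire_init_cred's body starts and ends outside the hunk, so the cleanup of cred->password under the error label is not visible here.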
@@ -673,14 +687,6 @@ acquire_init_cred(krb5_context context,
if (code)
goto error;
- if (password != GSS_C_NO_BUFFER) {
- pwdata = make_data(password->value, password->length);
- code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
- if (code)
- goto error;
- cred->password = pwcopy.data;
- }
-
if (cred->ccache != NULL) {
/* The caller specified a ccache; check what's in it. */
code = scan_ccache(context, cred);