Use memory cache in gss_acquire_cred_with_password 276/head
authorGreg Hudson <ghudson@mit.edu>
Tue, 21 Apr 2015 17:39:34 +0000 (13:39 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 6 Jul 2015 18:51:05 +0000 (14:51 -0400)
gss_acquire_cred_with_password() was originally introduced in Solaris.
When we introduced it in 1.9, we unfortunately gave it different and
less useful semantics.  Restore this function to the Solaris
semantics, which are to always get credentials and store them in a
private memory ccache.  The caller can use gss_store_cred() to make
the resulting creds visible to other processes if desired.

ticket: 8152

src/appl/gss-sample/t_gss_sample.py
src/lib/gssapi/krb5/acquire_cred.c

index c53edd6ae9f9c4d1074259b90f58960fd48b8ee7..f6cd18cdaf2930dc4c4b85c07aa0da5979fa4c88 100755 (executable)
@@ -41,7 +41,6 @@ def server_client_test(realm, options):
     if 'Signature verified.' not in output:
         fail('Expected message not seen in gss-client output')
     stop_daemon(server)
-    realm.klist(realm.user_princ, realm.host_princ)
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):
@@ -59,19 +58,25 @@ def ccache_restore(realm):
 def tgs_test(realm, options):
     ccache_restore(realm)
     server_client_test(realm, options)
+    realm.klist(realm.user_princ, realm.host_princ)
 
 # Perform a test of the server and client with initial credentials
 # obtained through gss_acquire_cred_with_password().
 def pw_test(realm, options):
-    os.remove(realm.ccache)
+    if os.path.exists(realm.ccache):
+        os.remove(realm.ccache)
     server_client_test(realm, options + ['-user', realm.user_princ,
                                          '-pass', password('user')])
+    if os.path.exists(realm.ccache):
+        fail('gss_acquire_cred_with_password created ccache')
 
 # Perform a test of the server and client with initial credentials
 # obtained with the client keytab
 def kt_test(realm, options):
-    os.remove(realm.ccache)
+    if os.path.exists(realm.ccache):
+        os.remove(realm.ccache)
     server_client_test(realm, options)
+    realm.klist(realm.user_princ, realm.host_princ)
 
 for realm in multipass_realms():
     ccache_save(realm)
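Review bot: The comment above pw_test does not say why the test now ends with an absence check; a line such as `# The credentials must stay in a private memory ccache, so no ccache file may appear.` would tie the final `os.path.exists(realm.ccache)` check to the behaviour under test. That check only looks at realm.ccache, so it presumably relies on the client's default ccache pointing at that path, which is worth confirming since the test would otherwise pass without proving anything. The `if os.path.exists(realm.ccache): os.remove(realm.ccache)` pair is now repeated in pw_test and kt_test and could move into a small helper next to ccache_savefile.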
index ff5190138131f83d587575182868d96f08bb9d44..5bcfec9e56bde4b7be9fc6c02230c829d7a2a91c 100644 (file)
@@ -655,7 +655,21 @@ acquire_init_cred(krb5_context context,
     if (GSS_ERROR(kg_caller_provided_ccache_name(minor_status,
                                                  &caller_ccname)))
         return GSS_S_FAILURE;
-    if (req_ccache != NULL) {
+
+    if (password != GSS_C_NO_BUFFER) {
+        pwdata = make_data(password->value, password->length);
+        code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
+        if (code)
+            goto error;
+        cred->password = pwcopy.data;
+
+        /* We will fetch the credential into a private memory ccache. */
+        assert(req_ccache == NULL);
+        code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache);
+        if (code)
+            goto error;
+        cred->destroy_ccache = 1;
+    } else if (req_ccache != NULL) {
         code = krb5_cc_dup(context, req_ccache, &cred->ccache);
         if (code)
             goto error;
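Review bot: The `assert(req_ccache == NULL);` in the new password branch is the only guard against a caller supplying both a password and a ccache, and it compiles away under NDEBUG, after which the branch order silently ignores req_ccache. If that combination can be reached from outside this file, an explicit check such as `if (req_ccache != NULL) { code = EINVAL; goto error; }` would fail closed instead. The password copy now happens before krb5_cc_new_unique() and the later `goto error` sites, so more failure paths run with cred->password and a fresh MEMORY ccache already attached; the error label is outside the hunk, so confirm that it or the caller zeroes and frees the copy and destroys the cache. The comment `/* The caller specified a ccache; check what's in it. */` in the following hunk no longer describes the password case, where cred->ccache is the private memory cache, and could be reworded. acquire_init_cred starts and ends outside the hunk.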
@@ -673,14 +687,6 @@ acquire_init_cred(krb5_context context,
     if (code)
         goto error;
 
-    if (password != GSS_C_NO_BUFFER) {
-        pwdata = make_data(password->value, password->length);
-        code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
-        if (code)
-            goto error;
-        cred->password = pwcopy.data;
-    }
-
     if (cred->ccache != NULL) {
         /* The caller specified a ccache; check what's in it. */
         code = scan_ccache(context, cred);