Fix GSSAPI krb5 cred ccache import

json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4

diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c
index 973b9d01521815e9a8f3611ffdf8a8df7104c696..f0a0373bfb7918d82d92526c507a73941b20e953 100644 (file)
--- a/src/lib/gssapi/krb5/import_cred.c
+++ b/src/lib/gssapi/krb5/import_cred.c
@@ -486,7 +486,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
 
     /* Add remaining array entries to the ccache as credentials. */
     for (i = 1; i < len; i++) {
-        if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
+        if (json_to_creds(context, k5_json_array_get(array, i), &creds))
             goto invalid;
         ret = krb5_cc_store_cred(context, ccache, &creds);
         krb5_free_cred_contents(context, &creds);

diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 19a781a5e9538f36275fe7246fe8507494549d93..231f44af291657d793e0ffc0028efce7d70f4687 100644 (file)
--- a/src/tests/gssapi/common.c
+++ b/src/tests/gssapi/common.c
@@ -148,6 +148,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
     (void)gss_release_buffer(&minor, &atok);
 }
 
+void
+export_import_cred(gss_cred_id_t *cred)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc buf;
+
+    major = gss_export_cred(&minor, *cred, &buf);
+    check_gsserr("gss_export_cred", major, minor);
+    (void)gss_release_cred(&minor, cred);
+    major = gss_import_cred(&minor, &buf, cred);
+    check_gsserr("gss_import_cred", major, minor);
+    (void)gss_release_buffer(&minor, &buf);
+}
+
 void
 display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
 {

diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
index 54c0d36b533d709d3df92a87ab25abe8e3a05846..ae11b51d4124452aa46abf753918ce433bbacfee 100644 (file)
--- a/src/tests/gssapi/common.h
+++ b/src/tests/gssapi/common.h
@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
                         gss_name_t *src_name, gss_OID *amech,
                         gss_cred_id_t *deleg_cred);
 
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+void export_import_cred(gss_cred_id_t *cred);
+
 /* Display name as canonicalized to mech, preceded by tag. */
 void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
 

diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
index 5214cd5104a0a5ed3bdff2f554c97fe744241110..4d7c028e6d4675ec37890f4d772d955c75269f93 100644 (file)
--- a/src/tests/gssapi/t_export_cred.c
+++ b/src/tests/gssapi/t_export_cred.c
@@ -37,22 +37,6 @@ usage(void)
     exit(1);
 }
 
-/* Export *cred to a token, then release *cred and replace it by re-importing
- * the token. */
-static void
-export_import_cred(gss_cred_id_t *cred)
-{
-    OM_uint32 major, minor;
-    gss_buffer_desc buf;
-
-    major = gss_export_cred(&minor, *cred, &buf);
-    check_gsserr("gss_export_cred", major, minor);
-    (void)gss_release_cred(&minor, cred);
-    major = gss_import_cred(&minor, &buf, cred);
-    check_gsserr("gss_import_cred", major, minor);
-    (void)gss_release_buffer(&minor, &buf);
-}
-
 int
 main(int argc, char *argv[])
 {

diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 53dd13c9105248aecc1cc9dba45ae39ebe2c5930..69883592890106a9f484bf363ada1778b2a408da 100644 (file)
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -1,7 +1,10 @@
 #!/usr/bin/python
 from k5test import *
 
-# Test gss_export_cred and gss_import_cred.
+# Test gss_export_cred and gss_import_cred for initiator creds,
+# acceptor creds, and traditional delegated creds.  t_s4u.py tests
+# exporting and importing a synthesized S4U2Proxy delegated
+# credential.
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):

diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 3ad108648585c68f252cff29f5a752ef0175bb3c..483d915720ca93a9a690a387428b112afff0e3c0 100644 (file)
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -117,6 +117,10 @@ main(int argc, char *argv[])
         goto cleanup;
     }
 
+    /* Take the opportunity to test cred export/import on the synthesized
+     * S4U2Proxy delegated cred. */
+    export_import_cred(&deleg_cred);
+
     /* Store the delegated credentials. */
     ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
     check_k5err(context, "krb5_cc_resolve", ret);