From: Greg Hudson Date: Tue, 28 May 2019 16:16:41 +0000 (-0400) Subject: Stop double-caching referral tickets X-Git-Tag: krb5-1.18-beta1~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03ecb09d2af3544af7b9232c11278f9d2bee4b4b;p=thirdparty%2Fkrb5.git Stop double-caching referral tickets Caching referral tickets under two names can generate duplicate cache entries, and is speculative--if credentials are requested with the referral realm, there is no good reason to expect a subsequent request with the canonical realm. Only cache under the referral realm. ticket: 8764
---
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index b594bdd374..62a6983d8d 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -80,33 +80,8 @@
 krb5_error_code KRB5_CALLCONV
 krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds)
 {
-    krb5_error_code ret;
-    krb5_ticket *tkt;
-    krb5_principal s1, s2;
-
     TRACE_CC_STORE(context, cache, creds);
-    ret = cache->ops->store(context, cache, creds);
-    if (ret) return ret;
-
-    /*
-     * If creds->server and the server in the decoded ticket differ,
-     * store both principals.
-     */
-    s1 = creds->server;
-    ret = decode_krb5_ticket(&creds->ticket, &tkt);
-    /* Bail out on errors in case someone is storing a non-ticket. */
-    if (ret) return 0;
-    s2 = tkt->server;
-    if (!krb5_principal_compare(context, s1, s2)) {
-        creds->server = s2;
-        TRACE_CC_STORE_TKT(context, cache, creds);
-        /* remove any dups */
-        krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
-        ret = cache->ops->store(context, cache, creds);
-        creds->server = s1;
-    }
-    krb5_free_ticket(context, tkt);
-    return ret;
+    return cache->ops->store(context, cache, creds);
 }
 
 krb5_error_code KRB5_CALLCONV
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 52313ae116..1a82ad019e 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
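Review bot: The slimmed-down krb5_cc_store_cred no longer states what name a credential ends up under, and the block comment that explained the old two-name behaviour disappears with the removed code; a one-line comment before the store call would keep the contract visible, e.g. `/* Store only under creds->server (the name the caller asked for, e.g. the referral realm); no second entry is made under the decoded ticket's server name. */`. The removed lines were the only use of TRACE_CC_STORE_TKT in this hunk, so if nothing else references that trace macro its definition elsewhere in the tree is presumably dead now and should be removed alongside this change. Note that the dropped krb5_cc_remove_cred(KRB5_TC_MATCH_AUTHDATA) call only ever purged duplicates of the canonical-name entry, so the referral-name entry loses nothing here; repeated stores of the same credential remain the backend store op's concern, as before.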
@@ -18,9 +18,9 @@ def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
     realm.run(['./gcred', nametype, 'a/x.d@'])
     out = realm.run([klist]).split('\n')
-    if len(out) != 9:
+    if len(out) != 8:
         fail('unexpected number of lines in klist output')
-    if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM':
+    if out[5].split()[4] != 'a/x.d@' or out[6].split()[2] != 'a/x.d@REFREALM':
         fail('unexpected service principals in klist output')
 
     # Get credentials and check that we get an error, not a referral.
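Review bot: The new `out[6].split()[2]` encodes a different klist line shape than the `out[5].split()[4]` beside it, and nothing in the test says why; presumably line 6 is now a "Ticket server:" continuation line for the referral entry rather than a second credential line, but that is not visible here. A comment above the check would make the expected layout explicit, e.g. `# out[5] is the a/x.d@ entry; out[6] is its ticket-server line naming the canonical realm -- there must be no separate a/x.d@REFREALM entry.` The `len(out) != 8` guard is what actually proves the canonical-realm entry is no longer cached, since a second entry would add lines, so it is worth saying so in a comment to discourage loosening the count later. testref starts and ends outside this hunk.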