From: Greg Hudson Date: Tue, 21 Apr 2015 17:39:34 +0000 (-0400) Subject: Use memory cache in gss_acquire_cred_with_password X-Git-Tag: krb5-1.14-alpha1~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F276%2Fhead;p=thirdparty%2Fkrb5.git Use memory cache in gss_acquire_cred_with_password gss_acquire_cred_with_password() was originally introduced in Solaris. When we introduced it in 1.9, we unfortunately gave it different and less useful semantics. Restore this function to the Solaris semantics, which are to always get credentials and store them in a private memory ccache. The caller can use gss_store_cred() to make the resulting creds visible to other processes if desired. ticket: 8152 --- diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py index c53edd6ae9..f6cd18cdaf 100755 --- a/src/appl/gss-sample/t_gss_sample.py +++ b/src/appl/gss-sample/t_gss_sample.py @@ -41,7 +41,6 @@ def server_client_test(realm, options): if 'Signature verified.' not in output: fail('Expected message not seen in gss-client output') stop_daemon(server) - realm.klist(realm.user_princ, realm.host_princ) # Make up a filename to hold user's initial credentials. def ccache_savefile(realm): @@ -59,19 +58,25 @@ def ccache_restore(realm): def tgs_test(realm, options): ccache_restore(realm) server_client_test(realm, options) + realm.klist(realm.user_princ, realm.host_princ) # Perform a test of the server and client with initial credentials # obtained through gss_acquire_cred_with_password(). def pw_test(realm, options): - os.remove(realm.ccache) + if os.path.exists(realm.ccache): + os.remove(realm.ccache) server_client_test(realm, options + ['-user', realm.user_princ, '-pass', password('user')]) + if os.path.exists(realm.ccache): + fail('gss_acquire_cred_with_password created ccache') # Perform a test of the server and client with initial credentials # obtained with the client keytab def kt_test(realm, options): - os.remove(realm.ccache) + if os.path.exists(realm.ccache): + os.remove(realm.ccache) server_client_test(realm, options) + realm.klist(realm.user_princ, realm.host_princ) for realm in multipass_realms(): ccache_save(realm) diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index ff51901381..5bcfec9e56 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -655,7 +655,21 @@ acquire_init_cred(krb5_context context, if (GSS_ERROR(kg_caller_provided_ccache_name(minor_status, &caller_ccname))) return GSS_S_FAILURE; - if (req_ccache != NULL) { + + if (password != GSS_C_NO_BUFFER) { + pwdata = make_data(password->value, password->length); + code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy); + if (code) + goto error; + cred->password = pwcopy.data; + + /* We will fetch the credential into a private memory ccache. */ + assert(req_ccache == NULL); + code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache); + if (code) + goto error; + cred->destroy_ccache = 1; + } else if (req_ccache != NULL) { code = krb5_cc_dup(context, req_ccache, &cred->ccache); if (code) goto error; @@ -673,14 +687,6 @@ acquire_init_cred(krb5_context context, if (code) goto error; - if (password != GSS_C_NO_BUFFER) { - pwdata = make_data(password->value, password->length); - code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy); - if (code) - goto error; - cred->password = pwcopy.data; - } - if (cred->ccache != NULL) { /* The caller specified a ccache; check what's in it. */ code = scan_ccache(context, cred);