oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Expand tokens in gss cred store "ccache" value

Browse Source 
This is needed so that sshd and such can get make practical use of the
"ccache" key in GSS cred stores.

This commit only changes the store path, not the acquisition path.
This commit is contained in:
Nicolas Williams
2020-03-18 13:37:13 -05:00
parent 31a73c3c27
commit 7055365f47
2 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
lib/gssapi/krb5/store_cred.c
View File

@@ -141,6 +141,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
const char *cs_ccache_name = NULL;
const char *cs_user_name = NULL;
const char *cs_app_name = NULL;
char *ccache_name = NULL;
OM_uint32 major_status, junk;
OM_uint32 overwrite_cred = store_cred_flags & GSS_C_STORE_CRED_OVERWRITE;
int default_for = 0;
@@ -194,11 +195,23 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&input_cred->cred_id_mutex);
if (cs_ccache_name && strchr(cs_ccache_name, '%')) {
ret = _krb5_expand_default_cc_name(context, cs_ccache_name,
&ccache_name);
if (ret) {
HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
cs_ccache_name = ccache_name;
}
/* More sanity checking of the input_cred (good to fail early) */
ret = krb5_cc_get_lifetime(context, input_cred->ccache, &exp_new);
if (ret) {
HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
*minor_status = ret;
free(ccache_name);
return GSS_S_NO_CRED;
}
@@ -233,6 +246,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
if (ret || id == NULL) {
HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
*minor_status = ret;
free(ccache_name);
return ret == 0 ? GSS_S_NO_CRED : GSS_S_FAILURE;
}
@@ -279,6 +293,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
(major_status = set_proc(minor_status, *envp)) != GSS_S_COMPLETE)
ret = *minor_status;
(void) gss_release_buffer_set(&junk, &env);
free(ccache_name);
*minor_status = ret;
return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
}

3
tests/gss/check-basic.in
View File

@@ -105,7 +105,8 @@ echo "initial ticket"
${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
echo "copy ccache with gss_store_cred"
${test_add_store_cred} --default --overwrite --env ${cache} ${cache2} || exit 1
# Note we test that the ccache used for storing is token-expanded
${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
${klist} -c ${cache2} || exit 1
echo "keytab"