From 7055365f47d94d9f1f089afab556bf17414dff44 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 18 Mar 2020 13:37:13 -0500
Subject: [PATCH] Expand tokens in gss cred store "ccache" value

This is needed so that sshd and such can get make practical use of the "ccache" key in GSS cred stores. This commit only changes the store path, not the acquisition path.
---
 lib/gssapi/krb5/store_cred.c | 15 +++++++++++++++
 tests/gss/check-basic.in | 3 ++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/krb5/store_cred.c b/lib/gssapi/krb5/store_cred.c
index 9afaf030f..b2666c74e 100644
--- a/lib/gssapi/krb5/store_cred.c
+++ b/lib/gssapi/krb5/store_cred.c
@@ -141,6 +141,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
     const char *cs_ccache_name = NULL;
     const char *cs_user_name = NULL;
     const char *cs_app_name = NULL;
+    char *ccache_name = NULL;
     OM_uint32 major_status, junk;
     OM_uint32 overwrite_cred = store_cred_flags & GSS_C_STORE_CRED_OVERWRITE;
     int default_for = 0;
@@ -194,11 +195,23 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
     GSSAPI_KRB5_INIT (&context);
     HEIMDAL_MUTEX_lock(&input_cred->cred_id_mutex);
 
+    if (cs_ccache_name && strchr(cs_ccache_name, '%')) {
+        ret = _krb5_expand_default_cc_name(context, cs_ccache_name,
+                                           &ccache_name);
+        if (ret) {
+            HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
+            *minor_status = ret;
+            return GSS_S_FAILURE;
+        }
+        cs_ccache_name = ccache_name;
+    }
+
     /* More sanity checking of the input_cred (good to fail early) */
     ret = krb5_cc_get_lifetime(context, input_cred->ccache, &exp_new);
     if (ret) {
         HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
         *minor_status = ret;
+        free(ccache_name);
         return GSS_S_NO_CRED;
     }
 
@@ -233,6 +246,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
     if (ret || id == NULL) {
         HEIMDAL_MUTEX_unlock(&input_cred->cred_id_mutex);
         *minor_status = ret;
+        free(ccache_name);
         return ret == 0 ? GSS_S_NO_CRED : GSS_S_FAILURE;
     }
 
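Review bot: The token-expansion block added right after `HEIMDAL_MUTEX_lock(&input_cred->cred_id_mutex);` does not read `input_cred` as far as the hunk shows, so it could run before the lock is taken; that drops the `HEIMDAL_MUTEX_unlock` from its new error branch and keeps the critical section no longer than before. The commit also depends on a `free(ccache_name)` being present on every return path (here, in the `-233` hunk and in the `-279` hunk), so any early return between these hunks that the patch does not touch would leak the expanded name, and the pattern is easy to break in later edits — a single cleanup label that frees `ccache_name` before the final return would make the ownership explicit. `_gsskrb5_store_cred_into2` begins before the first hunk and ends after the last one, so those intervening returns cannot be checked from the diff. A short comment on the new block would help the next reader, e.g. `/* Expand %{...} tokens; ccache_name owns the result and must be freed on every exit path */`.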
@@ -279,6 +293,7 @@ _gsskrb5_store_cred_into2(OM_uint32 *minor_status,
             (major_status = set_proc(minor_status, *envp)) != GSS_S_COMPLETE)
             ret = *minor_status;
     (void) gss_release_buffer_set(&junk, &env);
+    free(ccache_name);
     *minor_status = ret;
     return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
 }
diff --git a/tests/gss/check-basic.in b/tests/gss/check-basic.in
index a4c58db7d..ea077140d 100644
--- a/tests/gss/check-basic.in
+++ b/tests/gss/check-basic.in
@@ -105,7 +105,8 @@ echo "initial ticket"
 ${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
 
 echo "copy ccache with gss_store_cred"
-${test_add_store_cred} --default --overwrite --env ${cache} ${cache2} || exit 1
+# Note we test that the ccache used for storing is token-expanded
+${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
 ${klist} -c ${cache2} || exit 1
 
 echo "keytab"
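Review bot: The new `"${cache2}%{null}"` argument only shows that a `%{null}` token is stripped somewhere before the cache is written; it does not by itself show that the stripping happens in `_gsskrb5_store_cred_into2` rather than lower down in ccache name resolution. If the ccache layer already expands tokens in a residual, this line would pass without the change in store_cred.c, so it is worth confirming that the test fails against the pre-patch library before relying on it as coverage. Using a token whose expansion is non-empty and checking the resulting cache name with `${klist}` would make the assertion sharper than an empty-string token.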