Fix gss_store_cred()

This commit is contained in:
Nicolas Williams
2015-03-19 12:30:26 -05:00
parent df41d53c67
commit f73c4edf69
3 changed files with 76 additions and 27 deletions

View File

@@ -302,12 +302,14 @@ test_cfx_SOURCES = krb5/test_cfx.c
check_PROGRAMS = test_acquire_cred $(TESTS)
bin_PROGRAMS = gsstool
noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm
noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
test_context_SOURCES = test_context.c test_common.c test_common.h
test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
test_add_store_cred_SOURCES = test_add_store_cred.c
test_ntlm_LDADD = \
$(top_builddir)/lib/ntlm/libheimntlm.la \
$(LDADD)

View File

@@ -46,8 +46,11 @@ _gsskrb5_store_cred(OM_uint32 *minor_status,
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id;
int destroy = 0;
krb5_ccache id = NULL;
krb5_ccache def_ccache = NULL;
const char *def_type = NULL;
time_t exp_current;
time_t exp_new;
*minor_status = 0;
@@ -70,48 +73,87 @@ _gsskrb5_store_cred(OM_uint32 *minor_status,
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return(GSS_S_FAILURE);
return GSS_S_FAILURE;
}
ret = krb5_cc_get_lifetime(context, cred->ccache, &exp_new);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_NO_CRED;
}
if (cred->principal == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
return(GSS_S_FAILURE);
return GSS_S_FAILURE;
}
/* write out cred to credential cache */
ret = krb5_cc_default(context, &def_ccache);
if (ret == 0) {
def_type = krb5_cc_get_type(context, def_ccache);
krb5_cc_close(context, def_ccache);
}
def_ccache = NULL;
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
ret = krb5_cc_new_unique(context, NULL, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
destroy = 1;
if (default_cred) {
ret = krb5_cc_default(context, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
} else {
if (def_type == NULL ||
!krb5_cc_support_switch(context, def_type)) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0; /* XXX */
return GSS_S_NO_CRED; /* XXX */
}
ret = krb5_cc_new_unique(context, def_type, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
overwrite_cred = 1;
}
}
if (!overwrite_cred) {
/* If current creds are expired or near it, overwrite */
ret = krb5_cc_get_lifetime(context, id, &exp_current);
if (ret != 0 || exp_new > exp_current)
overwrite_cred = 1;
}
if (!overwrite_cred) {
/* Nothing to do */
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_DUPLICATE_ELEMENT;
}
ret = krb5_cc_initialize(context, id, cred->principal);
if (ret == 0)
ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
if (ret) {
if (destroy)
krb5_cc_destroy(context, id);
else
krb5_cc_close(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred)
if (default_cred && def_type != NULL &&
krb5_cc_support_switch(context, def_type))
krb5_cc_switch(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}

View File

@@ -34,9 +34,12 @@
# $Id$
#
env_setup="@env_setup@"
srcdir="@srcdir@"
objdir="@objdir@"
. ${env_setup}
# If there is no useful db support compile in, disable test
../db/have-db || exit 77
@@ -51,14 +54,12 @@ cache="FILE:krb5ccfile"
cache2="FILE:krb5ccfile2"
nocache="FILE:no-such-cache"
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache ${afs_no_unlog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"
acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred"
test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
@@ -107,7 +108,11 @@ trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
exitcode=0
echo "initial ticket"
${kinit} --password-file=${objdir}/foopassword user@${R} || exitcode=1
${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
echo "copy ccache with gss_store_cred"
${test_add_store_cred} ${cache} ${cache2} || exit 1
${klist} -c ${cache2} || exit 1
echo "keytab"
${acquire_cred} \
@@ -188,7 +193,7 @@ KRB5_KTNAME=${nokeytab}
echo "kcred"
${test_kcred} || exit 1
${kdestroy}
${kdestroy} -c ${cache}
KRB5_KTNAME="${keytab}"