krb5 commit [krb5-1.11]: Fix GSSAPI krb5 cred ccache import

Tom Yu tlyu at MIT.EDU
Thu Oct 17 18:33:35 EDT 2013


https://github.com/krb5/krb5/commit/cf003fc2ed7e345de3103d76a3801fb9f61fdc5f
commit cf003fc2ed7e345de3103d76a3801fb9f61fdc5f
Author: Tom Yu <tlyu at mit.edu>
Date:   Thu Oct 17 18:20:37 2013 -0400

    Fix GSSAPI krb5 cred ccache import
    
    json_to_ccache was incorrectly indexing the JSON array when restoring
    a memory ccache.  Fix it.
    
    Add test coverage for a multi-cred ccache by exporting/importing the
    synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
    export_import_cred from t_export_cred.c to common.c to facilitate
    this.  Make a note in t_export_cred.py that this case is covered in
    t_s4u.py.
    
    (cherry picked from commit 48dd01f29b893a958a64dcf6eb0b734e8463425b)
    
    ticket: 7723 (new)
    version_fixed: 1.11.4
    status: resolved

 src/lib/gssapi/krb5/import_cred.c   |    2 +-
 src/tests/gssapi/common.c           |   14 ++++++++++++++
 src/tests/gssapi/common.h           |    4 ++++
 src/tests/gssapi/t_export_cred.c    |   16 ----------------
 src/tests/gssapi/t_export_cred.py   |    5 ++++-
 src/tests/gssapi/t_s4u2proxy_krb5.c |    4 ++++
 6 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c
index 4de6fa6..7646f47 100644
--- a/src/lib/gssapi/krb5/import_cred.c
+++ b/src/lib/gssapi/krb5/import_cred.c
@@ -488,7 +488,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
 
     /* Add remaining array entries to the ccache as credentials. */
     for (i = 1; i < len; i++) {
-        if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
+        if (json_to_creds(context, k5_json_array_get(array, i), &creds))
             goto invalid;
         ret = krb5_cc_store_cred(context, ccache, &creds);
         krb5_free_cred_contents(context, &creds);
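Review bot: The `goto invalid` in this loop can be taken after earlier iterations have already stored credentials in `ccache`, and the hunk does not show what the `invalid` label does with that cache. It is worth confirming that the label destroys the memory ccache with `krb5_cc_destroy(context, ccache)` rather than only closing it, so a token with a malformed later entry cannot leave a partly imported cache behind. The result of `krb5_cc_store_cred` is presumably checked just after the last visible line. json_to_ccache starts and ends outside the hunk.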
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 61558a0..03bfa0e 100644
--- a/src/tests/gssapi/common.c
+++ b/src/tests/gssapi/common.c
@@ -109,6 +109,20 @@ import_name(const char *str)
 }
 
 void
+export_import_cred(gss_cred_id_t *cred)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc buf;
+
+    major = gss_export_cred(&minor, *cred, &buf);
+    check_gsserr("gss_export_cred", major, minor);
+    (void)gss_release_cred(&minor, cred);
+    major = gss_import_cred(&minor, &buf, cred);
+    check_gsserr("gss_import_cred", major, minor);
+    (void)gss_release_buffer(&minor, &buf);
+}
+
+void
 display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
 {
     gss_name_t canon;
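Review bot: In `export_import_cred`, `buf` is declared without an initializer and is later passed to `gss_import_cred` and `gss_release_buffer`. That is safe only if `check_gsserr` never returns after a failed `gss_export_cred`, which cannot be seen from this hunk. Declaring it as `gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;` makes the helper safe regardless, now that it is shared by several test programs. The same applies to `*cred`, which has already been released if the import fails.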
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
index e2ca8b9..83a5777 100644
--- a/src/tests/gssapi/common.h
+++ b/src/tests/gssapi/common.h
@@ -55,6 +55,10 @@ void errout(const char *msg);
  * 'p:principalname', or 'h:host at service' (or just 'h:service'). */
 gss_name_t import_name(const char *str);
 
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+void export_import_cred(gss_cred_id_t *cred);
+
 /* Display name as canonicalized to mech, preceded by tag. */
 void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
 
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
index 6f62eed..6859a43 100644
--- a/src/tests/gssapi/t_export_cred.c
+++ b/src/tests/gssapi/t_export_cred.c
@@ -37,22 +37,6 @@ usage(void)
     exit(1);
 }
 
-/* Export *cred to a token, then release *cred and replace it by re-importing
- * the token. */
-static void
-export_import_cred(gss_cred_id_t *cred)
-{
-    OM_uint32 major, minor;
-    gss_buffer_desc buf;
-
-    major = gss_export_cred(&minor, *cred, &buf);
-    check_gsserr("gss_export_cred", major, minor);
-    (void)gss_release_cred(&minor, cred);
-    major = gss_import_cred(&minor, &buf, cred);
-    check_gsserr("gss_import_cred", major, minor);
-    (void)gss_release_buffer(&minor, &buf);
-}
-
 int
 main(int argc, char *argv[])
 {
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 3f7b657..8fef4a7 100644
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -1,7 +1,10 @@
 #!/usr/bin/python
 from k5test import *
 
-# Test gss_export_cred and gss_import_cred.
+# Test gss_export_cred and gss_import_cred for initiator creds,
+# acceptor creds, and traditional delegated creds.  t_s4u.py tests
+# exporting and importing a synthesized S4U2Proxy delegated
+# credential.
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):
diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 6108715..52c1202 100644
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -130,6 +130,10 @@ main(int argc, char *argv[])
         goto cleanup;
     }
 
+    /* Take the opportunity to test cred export/import on the synthesized
+     * S4U2Proxy delegated cred. */
+    export_import_cred(&deleg_cred);
+
     /* Store the delegated credentials. */
     ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
     check_k5err(context, "krb5_cc_resolve", ret);
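Review bot: The added `export_import_cred(&deleg_cred)` call would not by itself have failed on the bug this commit fixes. The old loop still imported successfully; it stored the first credential entry repeatedly and dropped the later ones. Detection therefore depends on the code after this point, where `deleg_cred` is stored into `storage_ccache` and whatever the test script checks in that cache, and neither is fully visible here. It is worth confirming the script asserts on the stored cache's contents and saying so in the comment, for example `/* A lossy import shows up when the stored ccache is checked by the test script. */`. main continues outside the hunk.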

