krb5 commit: Use memory cache in gss_acquire_cred_with_password
Greg Hudson
ghudson at mit.edu
Mon Jul 6 15:04:10 EDT 2015
https://github.com/krb5/krb5/commit/1be1c3593e6a50cbed2e5d2d52b98d4413f669d4
commit 1be1c3593e6a50cbed2e5d2d52b98d4413f669d4
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Apr 21 13:39:34 2015 -0400
Use memory cache in gss_acquire_cred_with_password
gss_acquire_cred_with_password() was originally introduced in Solaris.
When we introduced it in 1.9, we unfortunately gave it different and
less useful semantics. Restore this function to the Solaris
semantics, which are to always get credentials and store them in a
private memory ccache. The caller can use gss_store_cred() to make
the resulting creds visible to other processes if desired.
ticket: 8152
src/appl/gss-sample/t_gss_sample.py | 11 ++++++++---
src/lib/gssapi/krb5/acquire_cred.c | 24 +++++++++++++++---------
2 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index c53edd6..f6cd18c 100755
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -41,7 +41,6 @@ def server_client_test(realm, options):
if 'Signature verified.' not in output:
fail('Expected message not seen in gss-client output')
stop_daemon(server)
- realm.klist(realm.user_princ, realm.host_princ)
# Make up a filename to hold user's initial credentials.
def ccache_savefile(realm):
@@ -59,19 +58,25 @@ def ccache_restore(realm):
def tgs_test(realm, options):
ccache_restore(realm)
server_client_test(realm, options)
+ realm.klist(realm.user_princ, realm.host_princ)
# Perform a test of the server and client with initial credentials
# obtained through gss_acquire_cred_with_password().
def pw_test(realm, options):
- os.remove(realm.ccache)
+ if os.path.exists(realm.ccache):
+ os.remove(realm.ccache)
server_client_test(realm, options + ['-user', realm.user_princ,
'-pass', password('user')])
+ if os.path.exists(realm.ccache):
+ fail('gss_acquire_cred_with_password created ccache')
# Perform a test of the server and client with initial credentials
# obtained with the client keytab
def kt_test(realm, options):
- os.remove(realm.ccache)
+ if os.path.exists(realm.ccache):
+ os.remove(realm.ccache)
server_client_test(realm, options)
+ realm.klist(realm.user_princ, realm.host_princ)
for realm in multipass_realms():
ccache_save(realm)
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index ff51901..5bcfec9 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -655,7 +655,21 @@ acquire_init_cred(krb5_context context,
if (GSS_ERROR(kg_caller_provided_ccache_name(minor_status,
&caller_ccname)))
return GSS_S_FAILURE;
- if (req_ccache != NULL) {
+
+ if (password != GSS_C_NO_BUFFER) {
+ pwdata = make_data(password->value, password->length);
+ code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
+ if (code)
+ goto error;
+ cred->password = pwcopy.data;
+
+ /* We will fetch the credential into a private memory ccache. */
+ assert(req_ccache == NULL);
+ code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache);
+ if (code)
+ goto error;
+ cred->destroy_ccache = 1;
+ } else if (req_ccache != NULL) {
code = krb5_cc_dup(context, req_ccache, &cred->ccache);
if (code)
goto error;
@@ -673,14 +687,6 @@ acquire_init_cred(krb5_context context,
if (code)
goto error;
- if (password != GSS_C_NO_BUFFER) {
- pwdata = make_data(password->value, password->length);
- code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
- if (code)
- goto error;
- cred->password = pwcopy.data;
- }
-
if (cred->ccache != NULL) {
/* The caller specified a ccache; check what's in it. */
code = scan_ccache(context, cred);
More information about the cvs-krb5
mailing list