krb5 commit: Stop double-caching referral tickets

Greg Hudson ghudson at mit.edu
Wed May 29 12:58:51 EDT 2019


https://github.com/krb5/krb5/commit/03ecb09d2af3544af7b9232c11278f9d2bee4b4b
commit 03ecb09d2af3544af7b9232c11278f9d2bee4b4b
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue May 28 12:16:41 2019 -0400

    Stop double-caching referral tickets
    
    Caching referral tickets under two names can generate duplicate cache
    entries, and is speculative--if credentials are requested with the
    referral realm, there is no good reason to expect a subsequent request
    with the canonical realm.  Only cache under the referral realm.
    
    ticket: 8764

 src/lib/krb5/ccache/ccfns.c |   27 +--------------------------
 src/tests/t_referral.py     |    4 ++--
 2 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index b594bdd..62a6983 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -80,33 +80,8 @@ krb5_error_code KRB5_CALLCONV
 krb5_cc_store_cred(krb5_context context, krb5_ccache cache,
                    krb5_creds *creds)
 {
-    krb5_error_code ret;
-    krb5_ticket *tkt;
-    krb5_principal s1, s2;
-
     TRACE_CC_STORE(context, cache, creds);
-    ret = cache->ops->store(context, cache, creds);
-    if (ret) return ret;
-
-    /*
-     * If creds->server and the server in the decoded ticket differ,
-     * store both principals.
-     */
-    s1 = creds->server;
-    ret = decode_krb5_ticket(&creds->ticket, &tkt);
-    /* Bail out on errors in case someone is storing a non-ticket. */
-    if (ret) return 0;
-    s2 = tkt->server;
-    if (!krb5_principal_compare(context, s1, s2)) {
-        creds->server = s2;
-        TRACE_CC_STORE_TKT(context, cache, creds);
-        /* remove any dups */
-        krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
-        ret = cache->ops->store(context, cache, creds);
-        creds->server = s1;
-    }
-    krb5_free_ticket(context, tkt);
-    return ret;
+    return cache->ops->store(context, cache, creds);
 }
 
 krb5_error_code KRB5_CALLCONV
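Review bot: The one remaining statement in krb5_cc_store_cred, `return cache->ops->store(context, cache, creds);`, carries no comment recording that the credential is deliberately stored only under creds->server, so a later reader who notices a referral ticket's server name differing from the cache key may reintroduce the second store that this commit removes. A short comment above the return would preserve the rationale given in the commit message, e.g. `/* Store only under creds->server; a referral ticket is not additionally cached under the server name in the decoded ticket (ticket 8764). */`. It may also be worth noting in that comment that the ticket is no longer decoded here at all, so non-ticket entries (previously tolerated by returning 0 on decode failure) now simply take the backend's return value.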
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 52313ae..1a82ad0 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -18,9 +18,9 @@ def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
     realm.run(['./gcred', nametype, 'a/x.d@'])
     out = realm.run([klist]).split('\n')
-    if len(out) != 9:
+    if len(out) != 8:
         fail('unexpected number of lines in klist output')
-    if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d at REFREALM':
+    if out[5].split()[4] != 'a/x.d@' or out[6].split()[2] != 'a/x.d at REFREALM':
         fail('unexpected service principals in klist output')
 
 # Get credentials and check that we get an error, not a referral.
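Review bot: The updated checks `out[5].split()[4]` and `out[6].split()[2]` rely on undocumented positional layout of the klist output, and the change from index 4 on line 5 to index 2 on line 6 is not explained anywhere in the hunk. A one-line comment would make the expectation checkable by the next person who adjusts this test, for example `# out[5] is the credential line (service principal is the 5th field); out[6] is presumably its "Ticket server:" line, whose 3rd field is the canonical name -- confirm against klist output`. The enclosing function testref starts before the hunk.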

