Fix GSSAPI krb5 cred ccache import

json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4

5 files changed, 26 insertions, 17 deletions

diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 19a781a5e9..231f44af29 100644
--- a/src/tests/gssapi/common.c
+++ b/src/tests/gssapi/common.c
@@ -149,6 +149,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
 }
 
 void
+export_import_cred(gss_cred_id_t *cred)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc buf;
+
+    major = gss_export_cred(&minor, *cred, &buf);
+    check_gsserr("gss_export_cred", major, minor);
+    (void)gss_release_cred(&minor, cred);
+    major = gss_import_cred(&minor, &buf, cred);
+    check_gsserr("gss_import_cred", major, minor);
+    (void)gss_release_buffer(&minor, &buf);
+}
+
+void
 display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
 {
     gss_name_t canon;
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
index 54c0d36b53..ae11b51d41 100644
--- a/src/tests/gssapi/common.h
+++ b/src/tests/gssapi/common.h
@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
                         gss_name_t *src_name, gss_OID *amech,
                         gss_cred_id_t *deleg_cred);
 
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+void export_import_cred(gss_cred_id_t *cred);
+
 /* Display name as canonicalized to mech, preceded by tag. */
 void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
 
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
index 5214cd5104..4d7c028e6d 100644
--- a/src/tests/gssapi/t_export_cred.c
+++ b/src/tests/gssapi/t_export_cred.c
@@ -37,22 +37,6 @@ usage(void)
     exit(1);
 }
 
-/* Export *cred to a token, then release *cred and replace it by re-importing
- * the token. */
-static void
-export_import_cred(gss_cred_id_t *cred)
-{
-    OM_uint32 major, minor;
-    gss_buffer_desc buf;
-
-    major = gss_export_cred(&minor, *cred, &buf);
-    check_gsserr("gss_export_cred", major, minor);
-    (void)gss_release_cred(&minor, cred);
-    major = gss_import_cred(&minor, &buf, cred);
-    check_gsserr("gss_import_cred", major, minor);
-    (void)gss_release_buffer(&minor, &buf);
-}
-
 int
 main(int argc, char *argv[])
 {
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 53dd13c910..6988359289 100644
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -1,7 +1,10 @@
 #!/usr/bin/python
 from k5test import *
 
-# Test gss_export_cred and gss_import_cred.
+# Test gss_export_cred and gss_import_cred for initiator creds,
+# acceptor creds, and traditional delegated creds.  t_s4u.py tests
+# exporting and importing a synthesized S4U2Proxy delegated
+# credential.
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):
diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 3ad1086485..483d915720 100644
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -117,6 +117,10 @@ main(int argc, char *argv[])
         goto cleanup;
     }
 
+    /* Take the opportunity to test cred export/import on the synthesized
+     * S4U2Proxy delegated cred. */
+    export_import_cred(&deleg_cred);
+
     /* Store the delegated credentials. */
     ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
     check_k5err(context, "krb5_cc_resolve", ret);