Resolve verifier cred in accept_sec_context

If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle.  (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)

ticket: 7356

2 files changed, 19 insertions, 20 deletions

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index d6a0f2b8d4..cd67591019 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -25,7 +25,7 @@ realm.kinit(service1, None, ['-f', '-k'])
 # support for allowing it.
 realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache])
 output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
-                              pservice1, pservice2], expected_code=1)
+                              '-', pservice1, pservice2], expected_code=1)
 if ('auth1: ' + realm.user_princ not in output or
     'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy')
@@ -33,7 +33,7 @@ if ('auth1: ' + realm.user_princ not in output or
 # Again with SPNEGO.  Bug #7045 prevents us from checking the error
 # message, but we can at least exercise the code.
 output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache,
-                              storagecache, pservice1, pservice2],
+                              storagecache, '-', pservice1, pservice2],
                              expected_code=1)
 if ('auth1: ' + realm.user_princ not in output):
     fail('krb5 -> s4u2proxy (SPNEGO)')
@@ -43,7 +43,7 @@ if ('auth1: ' + realm.user_princ not in output):
 # accept_sec_context.
 realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
 output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
-                              pservice1, pservice2])
+                              pservice1, pservice1, pservice2])
 if 'no credential delegated' not in output:
     fail('krb5 -> no delegated cred')
 
diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 36267302b5..4de6ed1c6c 100644
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -32,7 +32,7 @@
 
 /*
  * Usage: ./t_s4u2proxy_krb5 [--spnego] client_cache storage_cache
- *                                      service1 service2
+ *                                      [accname|-] service1 service2
  *
  * This program performs a regular Kerberos or SPNEGO authentication from the
  * default principal of client_cache to service1.  If that authentication
@@ -48,7 +48,7 @@
 int
 main(int argc, char *argv[])
 {
-    const char *client_ccname, *storage_ccname, *service1, *service2;
+    const char *client_ccname, *storage_ccname, *accname, *service1, *service2;
     krb5_context context = NULL;
     krb5_error_code ret;
     krb5_boolean use_spnego = FALSE;
@@ -58,9 +58,7 @@ main(int argc, char *argv[])
     gss_buffer_desc buf = GSS_C_EMPTY_BUFFER, token = GSS_C_EMPTY_BUFFER;
     gss_OID mech;
     gss_OID_set mechs;
-    gss_name_t service1_name = GSS_C_NO_NAME;
-    gss_name_t service2_name = GSS_C_NO_NAME;
-    gss_name_t client_name = GSS_C_NO_NAME;
+    gss_name_t acceptor_name, service1_name, service2_name, client_name;
     gss_cred_id_t service1_cred = GSS_C_NO_CREDENTIAL;
     gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
     gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
@@ -72,33 +70,33 @@ main(int argc, char *argv[])
         argc--;
         argv++;
     }
-    if (argc != 5) {
-        fprintf(stderr, "./t_s4u2proxy_krb5 [--spnego] client_cache "
-                "storage_ccache service1 service2\n");
+    if (argc != 6) {
+        fprintf(stderr, "./t_s4u2proxy_krb5 [--spnego] client_ccache "
+                "storage_ccache [accname|-] service1 service2\n");
         return 1;
     }
     client_ccname = argv[1];
     storage_ccname = argv[2];
-    service1 = argv[3];
-    service2 = argv[4];
+    accname = argv[3];
+    service1 = argv[4];
+    service2 = argv[5];
 
     mech = use_spnego ? &mech_spnego : &mech_krb5;
     mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
     ret = krb5_init_context(&context);
     check_k5err(context, "krb5_init_context", ret);
 
-    /* Get GSS name and GSS_C_BOTH cred for service1, using the default
-     * ccache. */
-    service1_name = import_name(service1);
-    major = gss_acquire_cred(&minor, service1_name, GSS_C_INDEFINITE,
+    /* Get GSS_C_BOTH acceptor credentials, using the default ccache. */
+    acceptor_name = GSS_C_NO_NAME;
+    if (strcmp(accname, "-") != 0)
+        acceptor_name = import_name(service1);
+    major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE,
                              mechs, GSS_C_BOTH, &service1_cred, NULL, NULL);
     check_gsserr("gss_acquire_cred(service1)", major, minor);
 
-    /* Get GSS name for service2. */
-    service2_name = import_name(service2);
-
     /* Create initiator context and get the first token, using the client
      * ccache. */
+    service1_name = import_name(service1);
     major = gss_krb5_ccache_name(&minor, client_ccname, NULL);
     check_gsserr("gss_krb5_ccache_name(1)", major, minor);
     major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
@@ -146,6 +144,7 @@ main(int argc, char *argv[])
 
     /* Create initiator context and get the first token, using the storage
      * ccache. */
+    service2_name = import_name(service2);
     major = gss_krb5_ccache_name(&minor, storage_ccname, NULL);
     check_gsserr("gss_krb5_ccache_name(2)", major, minor);
     major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,