authorDan Winship <danw@mit.edu>1998-01-30 01:20:11 +0000
committerDan Winship <danw@mit.edu>1998-01-30 01:20:11 +0000
commit39bafbdf1f24be6a6ae8a3b6e71963bbc8c17d5a (patch)
tree1ffce6d63ba73fe89c5377e772efc93931fadde2 /src/lib
parent29763f5e2e510bc7bfe728c6edf6987c2f4cc90b (diff)
* accept_sec_context.c (rd_and_store_for_creds): Don't mess with
krb5_cc_default--use a new mem-based ccache. * Makefile.in: * gssapi_krb5.h: * copy_ccache.c (gss_krb5_copy_ccache): Routine to copy a gss_cred_id_t (such as a forwarded creds) into an existing krb5_ccache. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10389 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog11
-rw-r--r--src/lib/gssapi/krb5/Makefile.in2
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c14
-rw-r--r--src/lib/gssapi/krb5/copy_ccache.c46
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.h4
5 files changed, 74 insertions, 3 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index df0c1fe5e..3088ee7f8 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,14 @@
+Thu Jan 29 20:08:02 1998 Dan Winship <danw@mit.edu>
+
+ * accept_sec_context.c (rd_and_store_for_creds): Don't mess with
+ krb5_cc_default--use a new mem-based ccache.
+
+ * Makefile.in:
+ * gssapi_krb5.h:
+ * copy_ccache.c (gss_krb5_copy_ccache): Routine to copy a
+ gss_cred_id_t (such as a forwarded creds) into an existing
+ krb5_ccache.
+
Fri Jun 27 08:37:11 1997 Theodore Ts'o <tytso@rsts-11.mit.edu>
* accept_sec_context.c (krb5_gss_accept_sec_context): Will now
diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in
index c8f71e72c..2a16c7e4d 100644
--- a/src/lib/gssapi/krb5/Makefile.in
+++ b/src/lib/gssapi/krb5/Makefile.in
@@ -19,6 +19,7 @@ SRCS = \
$(srcdir)/canon_name.c \
$(srcdir)/compare_name.c \
$(srcdir)/context_time.c \
+ $(srcdir)/copy_ccache.c \
$(srcdir)/delete_sec_context.c \
$(srcdir)/disp_name.c \
$(srcdir)/disp_status.c \
@@ -63,6 +64,7 @@ OBJS = \
canon_name.$(OBJEXT) \
compare_name.$(OBJEXT) \
context_time.$(OBJEXT) \
+ copy_ccache.$(OBJEXT) \
delete_sec_context.$(OBJEXT) \
disp_name.$(OBJEXT) \
disp_status.$(OBJEXT) \
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index b9f614cf6..ef5d7ebc5 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -68,12 +68,20 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
krb5_error_code retval;
krb5_ccache ccache;
krb5_gss_cred_id_t cred = NULL;
+ extern krb5_cc_ops krb5_mcc_ops;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
- if ((retval = krb5_cc_default(context, &ccache)))
- goto cleanup;
+ /* Lots of kludging going on here... Some day the ccache interface
+ will be rewritten though */
+
+ krb5_cc_register(context, &krb5_mcc_ops, 0);
+ if ((retval = krb5_cc_resolve(context, "MEMORY:GSSAPI", &ccache)))
+ goto cleanup;
+
+ if ((retval = krb5_cc_gen_new(context, &ccache)))
+ goto cleanup;
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
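Review bot: The result of `krb5_cc_register(context, &krb5_mcc_ops, 0)` is discarded, so a failure to register the memory type only surfaces later as a `krb5_cc_resolve` error. Checking it while tolerating the already-registered case would be clearer, e.g. `retval = krb5_cc_register(context, &krb5_mcc_ops, 0);` followed by `if (retval && retval != KRB5_CC_TYPE_EXISTS) goto cleanup;`. The handle that `krb5_cc_resolve` puts in `ccache` is then passed to `krb5_cc_gen_new` through the same variable; if gen_new replaces the handle, the resolved "MEMORY:GSSAPI" cache is never closed, which is worth confirming and recording in the kludge comment. The new cache holds forwarded credentials, so the `cleanup` path, which lies outside this hunk, should destroy it when a later step fails.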
@@ -414,7 +422,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_auth_con_setflags(context, auth_context_cred, 0);
- /* store the delegated credential in the user's cache */
+ /* store the delegated credential */
rd_and_store_for_creds(context, auth_context_cred,
&option,
diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c
new file mode 100644
index 000000000..39d9bc277
--- /dev/null
+++ b/src/lib/gssapi/krb5/copy_ccache.c
@@ -0,0 +1,46 @@
+#include "gssapiP_krb5.h"
+
+OM_uint32
+gss_krb5_copy_ccache(minor_status, cred_handle, out_ccache)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+ krb5_ccache out_ccache;
+{
+ OM_uint32 stat;
+ krb5_gss_cred_id_t k5creds;
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ krb5_error_code code;
+ krb5_context context;
+
+ /* validate the cred handle */
+ stat = krb5_gss_validate_cred(minor_status, creds);
+ if (stat)
+ return(stat);
+
+ k5creds = (krb5_gss_cred_id_t) cred_handle;
+ if (k5creds->usage == GSS_C_ACCEPT) {
+ *minor_status = (OM_uint32) G_BAD_USAGE;
+ return(GSS_S_FAILURE);
+ }
+
+ if (GSS_ERROR(kg_get_context(minor_status, &context)))
+ return (GSS_S_FAILURE);
+
+ code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &creds, &cursor))
+ code = krb5_cc_store_cred(context, out_ccache, &creds);
+ krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
+
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ } else {
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+}
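Review bot: The validation call at the top of `gss_krb5_copy_ccache` passes `creds`, the uninitialized local `krb5_creds`, instead of the caller's handle, so `cred_handle` is cast and dereferenced without ever being validated. It should read `stat = krb5_gss_validate_cred(minor_status, cred_handle);`. The copy loop also never releases what `krb5_cc_next_cred` fills in, so each iteration appears to leave ticket and session-key material allocated. Bracing the loop body and calling `krb5_free_cred_contents(context, &creds);` after `krb5_cc_store_cred` would release it.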
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
index 71182f22b..b2ef5806b 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.h
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
@@ -51,6 +51,10 @@ OM_uint32 gss_krb5_get_tkt_flags
gss_ctx_id_t context_handle,
krb5_flags *ticket_flags));
+OM_uint32 gss_krb5_copy_ccache
+ PROTOTYPE((OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache));
/* this is for backward compatibility only. It is declared here for
completeness, but should not be used */
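Review bot: The new `gss_krb5_copy_ccache` prototype has no comment stating its contract, and the implementation in copy_ccache.c implies two things callers need to know. It stores into `out_ccache` without initializing it, so the caller presumably has to pass a cache that is already initialized for the matching client principal, and it rejects accept-only credentials with `G_BAD_USAGE`. A comment above the prototype such as `/* Copy every credential in cred_handle into out_ccache, which the caller must already have initialized; accept-only creds are rejected. */` would record that.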