commit 6f8d5135334c9ddb674f9824e750872b3b0642ea
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Jan 16 11:49:55 2014 -0500

    Add test for gss_acquire_cred_from rcache feature

diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
index 575f96d..e28f5d0 100644
--- a/src/tests/gssapi/t_credstore.c
+++ b/src/tests/gssapi/t_credstore.c
@@ -46,7 +46,9 @@ main(int argc, char *argv[])
     gss_cred_usage_t cred_usage = GSS_C_BOTH;
     gss_OID_set mechs = GSS_C_NO_OID_SET;
     gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
-    krb5_boolean store_creds = FALSE;
+    gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc itok, atok;
+    krb5_boolean store_creds = FALSE, replay = FALSE;
     char opt;
 
     /* Parse options. */
@@ -54,6 +56,8 @@ main(int argc, char *argv[])
         opt = (*argv)[1];
         if (opt == 's')
             store_creds = TRUE;
+        else if (opt == 'r')
+            replay = TRUE;
         else if (opt == 'a')
             cred_usage = GSS_C_ACCEPT;
         else if (opt == 'b')
@@ -101,6 +105,31 @@ main(int argc, char *argv[])
                                   &store, &cred, NULL, NULL);
     check_gsserr("gss_acquire_cred_from", major, minor);
 
+    if (replay) {
+        /* Induce a replay using cred as the acceptor cred, to test the replay
+         * cache indicated by the store. */
+        major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, name,
+                                     &mech_krb5, 0, GSS_C_INDEFINITE,
+                                     GSS_C_NO_CHANNEL_BINDINGS,
+                                     GSS_C_NO_BUFFER, NULL, &itok, NULL, NULL);
+        check_gsserr("gss_init_sec_context", major, minor);
+        (void)gss_delete_sec_context(&minor, &ictx, NULL);
+
+        major = gss_accept_sec_context(&minor, &actx, cred, &itok,
+                                       GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+                                       &atok, NULL, NULL, NULL);
+        check_gsserr("gss_accept_sec_context(1)", major, minor);
+        (void)gss_release_buffer(&minor, &atok);
+        (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+        major = gss_accept_sec_context(&minor, &actx, cred, &itok,
+                                       GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+                                       &atok, NULL, NULL, NULL);
+        check_gsserr("gss_accept_sec_context(2)", major, minor);
+        (void)gss_release_buffer(&minor, &atok);
+        (void)gss_delete_sec_context(&minor, &actx, NULL);
+    }
+
     gss_release_name(&minor, &name);
     gss_release_cred(&minor, &cred);
     free(store.elements);
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 74139e4..106910d 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -91,6 +91,15 @@ realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
 realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
            'keytab', servicekeytab])
 
+# Test rcache feature of cred stores.  t_credstore -r should produce a
+# replay error normally, but not with rcache set to "none:".
+output = realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ],
+                   expected_code=1)
+if 'gss_accept_sec_context(2): Request is a replay' not in output:
+    fail('Expected replay error not seen in t_credstore output')
+realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ,
+           'rcache', 'none:'])
+
 # Verify that we can't acquire acceptor creds without a keytab.
 os.remove(realm.keytab)
 output = realm.run(['./t_accname', 'p:abc'], expected_code=1)