Tweaked for 1.11.3.

commit 48dd01f29b893a958a64dcf6eb0b734e8463425b
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Oct 7 09:51:56 2013 -0400

    Fix GSSAPI krb5 cred ccache import
    
    json_to_ccache was incorrectly indexing the JSON array when restoring
    a memory ccache.  Fix it.
    
    Add test coverage for a multi-cred ccache by exporting/importing the
    synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
    export_import_cred from t_export_cred.c to common.c to facilitate
    this.  Make a note in t_export_cred.py that this case is covered in
    t_s4u.py.
    
    ticket: 7706
    target_version: 1.11.4

diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c
index 973b9d0..f0a0373 100644
--- a/src/lib/gssapi/krb5/import_cred.c
+++ b/src/lib/gssapi/krb5/import_cred.c
@@ -486,7 +486,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
 
     /* Add remaining array entries to the ccache as credentials. */
     for (i = 1; i < len; i++) {
-        if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
+        if (json_to_creds(context, k5_json_array_get(array, i), &creds))
             goto invalid;
         ret = krb5_cc_store_cred(context, ccache, &creds);
         krb5_free_cred_contents(context, &creds);
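Review bot: The loop comment does not explain why iteration starts at 1, and the bug fixed here was a constant index standing where the loop variable belonged. Presumably entry 0 of the array is consumed earlier in json_to_ccache, outside this hunk; a comment such as `/* Entry 0 is handled above; entries 1..len-1 hold one credential each. */` would make the layout explicit. Because the array is decoded from an imported credential token, it is also worth confirming past the end of the hunk that `ret` from krb5_cc_store_cred is checked on every iteration. json_to_ccache starts and ends outside the hunk.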
diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
index 19a781a..231f44a 100644
--- a/src/tests/gssapi/common.c
+++ b/src/tests/gssapi/common.c
@@ -149,6 +149,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
 }
 
 void
+export_import_cred(gss_cred_id_t *cred)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc buf;
+
+    major = gss_export_cred(&minor, *cred, &buf);
+    check_gsserr("gss_export_cred", major, minor);
+    (void)gss_release_cred(&minor, cred);
+    major = gss_import_cred(&minor, &buf, cred);
+    check_gsserr("gss_import_cred", major, minor);
+    (void)gss_release_buffer(&minor, &buf);
+}
+
+void
 display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
 {
     gss_name_t canon;
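Review bot: `buf` in export_import_cred is declared without an initializer, so the later gss_import_cred and gss_release_buffer calls are only safe if check_gsserr never returns after a failed gss_export_cred, which this hunk does not show. Now that the helper lives in common.c and is shared by several test programs, initializing it removes that dependency: `gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;`. The function also releases `*cred` before the import, so on any path where check_gsserr did return the caller would be left without a credential; a one-line comment on the definition saying that failure terminates the test would record that assumption. display_canon_name, at the end of the hunk, continues outside it.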
diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
index 54c0d36..ae11b51 100644
--- a/src/tests/gssapi/common.h
+++ b/src/tests/gssapi/common.h
@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
  * 'p:principalname', or 'h:host@service' (or just 'h:service'). */
 gss_name_t import_name(const char *str);
 
+/* Export *cred to a token, then release *cred and replace it by re-importing
+ * the token. */
+void export_import_cred(gss_cred_id_t *cred);
+
 /* Display name as canonicalized to mech, preceded by tag. */
 void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
 
diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
index 5214cd5..4d7c028 100644
--- a/src/tests/gssapi/t_export_cred.c
+++ b/src/tests/gssapi/t_export_cred.c
@@ -37,22 +37,6 @@ usage(void)
     exit(1);
 }
 
-/* Export *cred to a token, then release *cred and replace it by re-importing
- * the token. */
-static void
-export_import_cred(gss_cred_id_t *cred)
-{
-    OM_uint32 major, minor;
-    gss_buffer_desc buf;
-
-    major = gss_export_cred(&minor, *cred, &buf);
-    check_gsserr("gss_export_cred", major, minor);
-    (void)gss_release_cred(&minor, cred);
-    major = gss_import_cred(&minor, &buf, cred);
-    check_gsserr("gss_import_cred", major, minor);
-    (void)gss_release_buffer(&minor, &buf);
-}
-
 int
 main(int argc, char *argv[])
 {
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 53dd13c..6988359 100644
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -1,7 +1,10 @@
 #!/usr/bin/python
 from k5test import *
 
-# Test gss_export_cred and gss_import_cred.
+# Test gss_export_cred and gss_import_cred for initiator creds,
+# acceptor creds, and traditional delegated creds.  t_s4u.py tests
+# exporting and importing a synthesized S4U2Proxy delegated
+# credential.
 
 # Make up a filename to hold user's initial credentials.
 def ccache_savefile(realm):
diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
index 3ad1086..483d915 100644
--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
+++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
@@ -117,6 +117,10 @@ main(int argc, char *argv[])
         goto cleanup;
     }
 
+    /* Take the opportunity to test cred export/import on the synthesized
+     * S4U2Proxy delegated cred. */
+    export_import_cred(&deleg_cred);
+
     /* Store the delegated credentials. */
     ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
     check_k5err(context, "krb5_cc_resolve", ret);
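Review bot: The added `export_import_cred(&deleg_cred);` call exercises the round trip, but nothing visible in this hunk asserts that the re-imported credential still carries every ticket of the original. The regression fixed in import_cred.c would therefore be caught only if a later step in main fails when entries are repeated or missing, and those steps are outside the hunk. If that is the intent, the comment could say so, e.g. `/* The store and S4U2Proxy steps below must still succeed with the re-imported cred. */`; otherwise an explicit check on the stored ccache contents would make the coverage direct. main starts and ends outside the hunk.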