[26594] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fail from gss_acquire_cred if we have no keytab

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Jun 3 20:48:58 2012

Date: Sun, 3 Jun 2012 20:48:43 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201206040048.q540mhTl025584@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/9421a2652f645bd0beef3e58b4b8fbc18d98f742
commit 9421a2652f645bd0beef3e58b4b8fbc18d98f742
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sun Jun 3 20:46:30 2012 -0400

    Fail from gss_acquire_cred if we have no keytab
    
    If a caller tries to acquire krb5 acceptor creds with no desired name
    and we have no keytab keys, fail from gss_acquire_cred instead of
    deferring until gss_accept_sec_context.
    
    ticket: 7159 (new)

 src/lib/gssapi/krb5/acquire_cred.c |    8 ++++++++
 src/tests/gssapi/t_gssapi.py       |    7 +++++++
 2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c08e059..2bbee5f 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -227,6 +227,7 @@ acquire_accept_cred(krb5_context context,
     }
 
     if (desired_name != NULL) {
+        /* Make sure we keys matching the desired name in the keytab. */
         code = check_keytab(context, kt, desired_name);
         if (code) {
             krb5_kt_close(context, kt);
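Review bot: The added comment above the `check_keytab` call is missing a word and reads "Make sure we keys matching the desired name". It should be `/* Make sure we have keys matching the desired name in the keytab. */`. The hunk changes no code, and the body of acquire_accept_cred continues outside it.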
@@ -254,6 +255,13 @@ acquire_accept_cred(krb5_context context,
             *minor_status = code;
             return GSS_S_FAILURE;
         }
+    } else {
+        /* Make sure we have a keytab with keys in it. */
+        code = krb5_kt_have_content(context, kt);
+        if (code) {
+            *minor_status = code;
+            return GSS_S_FAILURE;
+        }
     }
 
     cred->keytab = kt;
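Review bot: The new `else` branch returns on `krb5_kt_have_content` failure without releasing `kt`, while the `check_keytab` failure path in the branch above calls `krb5_kt_close(context, kt)` before returning. The code that opens `kt` is outside this hunk, but if the function owns the handle until `cred->keytab = kt;`, every failed acquisition against a missing or empty keytab leaks it. That adds up in a long-running acceptor that retries. Add `krb5_kt_close(context, kt);` before `*minor_status = code;` in the new branch.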
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 3ace215..18123b3 100644
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -78,6 +78,13 @@ output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'],
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_imp_cred output')
 
+# Verify that we can't acquire acceptor creds without a keytab.
+os.remove(realm.keytab)
+output = realm.run_as_client(['./t_accname', 'abc'], expected_code=1)
+if ('gss_acquire_cred: Keytab' not in output or
+    'nonexistent or empty' not in output):
+    fail('Expected error message not seen for nonexistent keytab')
+
 realm.stop()
 
 # Re-run the last acceptor name test with ignore_acceptor_hostname set
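Review bot: The new test deletes the realm's keytab in place with `os.remove(realm.keytab)`, so it is only safe because `realm.stop()` follows immediately. Any check later inserted between the two would run without a keytab and fail for an unrelated reason. A comment such as `# Must stay the last test for this realm: the keytab is gone afterwards.` would make that ordering explicit. The expected message says "nonexistent or empty", but only the nonexistent case is exercised; a second run against a zero-entry keytab would cover the other half of the new `krb5_kt_have_content` check.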
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
