[26620] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fail from gss_acquire_cred if we have no creds

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jun 15 00:16:22 2012

Date: Fri, 15 Jun 2012 00:16:04 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201206150416.q5F4G4lC032443@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/cdb50c57f1852dabda4929129e1470e6b334a812
commit cdb50c57f1852dabda4929129e1470e6b334a812
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Jun 14 14:15:05 2012 -0400

    Fail from gss_acquire_cred if we have no creds
    
    If a caller tries to acquire krb5 initiator creds with no desired name
    and we have no credentials in the cache collection, fail from
    gss_acquire_cred instead of deferring until gss_init_sec_context.
    
    ticket: 7160

 src/lib/gssapi/krb5/acquire_cred.c |    8 ++++++++
 src/tests/gssapi/t_ccselect.py     |    7 +++++++
 2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 2bbee5f..a784dd3 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -606,6 +606,14 @@ acquire_init_cred(krb5_context context,
             return GSS_S_CRED_UNAVAIL;
         }
         cred->ccache = ccache;
+    } else {
+        /* We haven't decided on a ccache or principal yet, but fail now if
+         * there are no krb5 credentials at all. */
+        code = krb5_cccol_have_content(context);
+        if (code != 0) {
+            *minor_status = code;
+            return GSS_S_CRED_UNAVAIL;
+        }
     }
 
     /*
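Review bot: The comment in the new `else` branch should say that this is an early presence check and not a guarantee, because the collection can be emptied (or, if the call tests presence rather than validity, hold only expired tickets) before gss_init_sec_context picks a cache, so the deferred path must still fail cleanly. I would word it as `/* Early check only: the collection may change before gss_init_sec_context, which must still handle missing creds. */`. Every non-zero return from krb5_cccol_have_content is reported as GSS_S_CRED_UNAVAIL, so if that call can fail for reasons other than an empty collection (not visible in this hunk), the krb5 code stored in `*minor_status` is the only way a caller can tell the cases apart and is worth logging. Callers that acquire a default initiator credential before any tickets exist will now see the failure at acquire time, which deserves a mention in the release notes. acquire_init_cred starts and ends outside the hunk.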
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index a3a1330..5350d92 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -45,6 +45,13 @@ refserver = 'host/' + hostname + '@'
 #r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
 #                  (r1.keytab, r2.keytab, ktutil)])
 
+# Verify that we can't get initiator creds with no credentials in the
+# collection.
+output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'],
+                          expected_code=1)
+if 'No Kerberos credentials available' not in output:
+    fail('Expected error not seen in output when no credentials available')
+
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
 ccname = 'DIR:' + ccdir
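Review bot: The added check passes only if nothing has put credentials into r1's default cache before this point, and that precondition is not stated; the realm setup that would establish it is outside the hunk. A comment such as `# No kinit has run for r1 yet, so its default ccache is still empty.` would stop a later reordering of the script from breaking or hollowing out the test. Matching on the literal 'No Kerberos credentials available' also ties the test to the library's message wording, so a rewording of that error would fail the test even though the status returned by gss_acquire_cred is unchanged.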
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
