

krb5 commit: Stop double-caching referral tickets

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 29 12:59:22 2019

Date: Wed, 29 May 2019 12:58:51 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201905291658.x4TGwph4000612@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/03ecb09d2af3544af7b9232c11278f9d2bee4b4b
commit 03ecb09d2af3544af7b9232c11278f9d2bee4b4b
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue May 28 12:16:41 2019 -0400

    Stop double-caching referral tickets
    
    Caching referral tickets under two names can generate duplicate cache
    entries, and is speculative--if credentials are requested with the
    referral realm, there is no good reason to expect a subsequent request
    with the canonical realm.  Only cache under the referral realm.
    
    ticket: 8764

 src/lib/krb5/ccache/ccfns.c |   27 +--------------------------
 src/tests/t_referral.py     |    4 ++--
 2 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index b594bdd..62a6983 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -80,33 +80,8 @@ krb5_error_code KRB5_CALLCONV
 krb5_cc_store_cred(krb5_context context, krb5_ccache cache,
                    krb5_creds *creds)
 {
-    krb5_error_code ret;
-    krb5_ticket *tkt;
-    krb5_principal s1, s2;
-
     TRACE_CC_STORE(context, cache, creds);
-    ret = cache->ops->store(context, cache, creds);
-    if (ret) return ret;
-
-    /*
-     * If creds->server and the server in the decoded ticket differ,
-     * store both principals.
-     */
-    s1 = creds->server;
-    ret = decode_krb5_ticket(&creds->ticket, &tkt);
-    /* Bail out on errors in case someone is storing a non-ticket. */
-    if (ret) return 0;
-    s2 = tkt->server;
-    if (!krb5_principal_compare(context, s1, s2)) {
-        creds->server = s2;
-        TRACE_CC_STORE_TKT(context, cache, creds);
-        /* remove any dups */
-        krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
-        ret = cache->ops->store(context, cache, creds);
-        creds->server = s1;
-    }
-    krb5_free_ticket(context, tkt);
-    return ret;
+    return cache->ops->store(context, cache, creds);
 }
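Review bot: The trimmed `krb5_cc_store_cred` now stores a credential under `creds->server` only, but the new body carries no comment saying so, and the rationale that used to live in the removed "store both principals" comment is gone with it; a maintainer seeing only the three remaining lines may be tempted to re-add the canonical-name copy. I would put above the `return`: `/* Store only under creds->server; a ticket obtained via a referral is deliberately not also cached under the canonical server name (ticket 8764). */`. Note also that the removed second store called `krb5_cc_remove_cred` to drop duplicates before writing, whereas the single remaining store relies entirely on `cache->ops->store`, so whether duplicate entries can now arise depends on the ccache type's own store semantics — presumably no different from any other store call, but worth confirming.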
 
 krb5_error_code KRB5_CALLCONV
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 52313ae..1a82ad0 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -18,9 +18,9 @@ def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
     realm.run(['./gcred', nametype, 'a/x.d@'])
     out = realm.run([klist]).split('\n')
-    if len(out) != 9:
+    if len(out) != 8:
         fail('unexpected number of lines in klist output')
-    if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM':
+    if out[5].split()[4] != 'a/x.d@' or out[6].split()[2] != 'a/x.d@REFREALM':
         fail('unexpected service principals in klist output')
 
 # Get credentials and check that we get an error, not a referral.
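Review bot: The new assertion `out[6].split()[2] != 'a/x.d@REFREALM'` depends on both the position and the field layout of one specific klist line, and the hunk gives no hint what that line is; with the second cache entry gone, line 6 is presumably the indented continuation line klist prints when the ticket's server differs from the requested name, which is why the field index dropped from 4 to 2 — worth confirming against klist's output format. A comment before the length check would spare the next reader that reconstruction, e.g. `# Expect a single entry requested as a/x.d@ (line 5) followed by the ticket-server line naming a/x.d@REFREALM (line 6).` The enclosing `testref` begins before this hunk.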
