From d97562fd4e735509c86cfd94588bebf3240f8dde Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 25 Oct 2010 21:55:54 +0000
Subject: [PATCH] When we create a temporary memory ccache for use within a krb5_gss_cred_id_rec, set a flag to indicate that the ccache should be destroyed rather than closed. Patch from aberry@likewise.com.
ticket: 6787
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24482 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/accept_sec_context.c | 1 +
 src/lib/gssapi/krb5/acquire_cred.c | 1 +
 src/lib/gssapi/krb5/gssapiP_krb5.h | 1 +
 src/lib/gssapi/krb5/rel_cred.c | 9 ++++++---
 src/lib/gssapi/krb5/s4u_gss_glue.c | 1 +
 5 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 47eff359d..0c0b3a547 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -253,6 +253,7 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
 cred->keytab = NULL; /* no keytab associated with this... */
 cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
 cred->ccache = ccache; /* the ccache containing the credential */
+ cred->destroy_ccache = 1;
 ccache = NULL; /* cred takes ownership so don't destroy */
 }
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 8e222ff01..a328a3db8 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -546,6 +546,7 @@ acquire_cred(OM_uint32 *minor_status,
 #ifndef LEAN_CLIENT
 cred->keytab = NULL;
 #endif /* LEAN_CLIENT */
+ cred->destroy_ccache = 0;
 cred->ccache = NULL;
 code = k5_mutex_init(&cred->lock);
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index fc74ff1a1..ce0265234 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
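Review bot: The unchanged comment on the line after the new flag in rd_and_store_for_creds, `/* cred takes ownership so don't destroy */`, now sits directly under `cred->destroy_ccache = 1` and reads as a contradiction. It refers to the local `ccache` variable and this function's own cleanup, so I would reword it to `/* cred owns the cache now; krb5_gss_release_cred() destroys it */`. The creation of `ccache` is outside the hunk; the flag is only correct if that cache was created here for this credential and is not a handle to a cache something else still uses.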
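Review bot: `cred->destroy_ccache = 0` in acquire_cred initialises the bit for this one constructor only, and the allocation of `cred` is outside the hunk, so it is not visible whether the record is zeroed first. Because krb5_gss_release_cred now destroys the cache whenever the bit is set, any path that fills a krb5_gss_cred_id_rec field by field without clearing it, and that this patch does not touch, would leave the bit indeterminate; a stray 1 would then remove a cache the caller only borrowed rather than a temporary one. I would confirm that every allocation of the record clears it, for example `memset(cred, 0, sizeof(*cred));` right after the allocation, instead of relying on per-field assignments.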
@@ -173,6 +173,7 @@ typedef struct _krb5_gss_cred_id_rec {
 unsigned int proxy_cred : 1;
 unsigned int default_identity : 1;
 unsigned int iakerb_mech : 1;
+ unsigned int destroy_ccache : 1;
 /* keytab (accept) data */
 krb5_keytab keytab;
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index d1c571a2f..7f9a16fc4 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -55,9 +55,12 @@ krb5_gss_release_cred(minor_status, cred_handle)
 k5_mutex_destroy(&cred->lock); /* ignore error destroying mutex */
- if (cred->ccache)
- code1 = krb5_cc_close(context, cred->ccache);
- else
+ if (cred->ccache) {
+ if (cred->destroy_ccache)
+ code1 = krb5_cc_destroy(context, cred->ccache);
+ else
+ code1 = krb5_cc_close(context, cred->ccache);
+ } else
 code1 = 0;
 #ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 5e75aede9..ac07dad5d 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -228,6 +228,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
 code = krb5_cc_new_unique(context, "MEMORY", NULL, &cred->ccache);
 if (code != 0) goto cleanup;
+ cred->destroy_ccache = 1;
 code = krb5_cc_initialize(context, cred->ccache, cred->proxy_cred ? impersonator_cred->name->princ :
--
2.26.2
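Review bot: The new `destroy_ccache` bit in krb5_gss_cred_id_rec carries no comment, although it changes who is responsible for the lifetime of `ccache`. A one-line comment at the field would keep later code from setting it on a cache the credential does not own: `unsigned int destroy_ccache : 1; /* ccache was created for this cred; release destroys it instead of closing */`. The struct definition starts and ends outside the hunk.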
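Review bot: The new block in krb5_gss_release_cred mixes a braced `if` with an unbraced `} else` whose body, `code1 = 0;`, is an unchanged context line, which is easy to misread and easy to break when a statement is added later. Setting the default first removes the dangling branch: `code1 = 0;`, then `if (cred->ccache)` with the single statement `code1 = cred->destroy_ccache ? krb5_cc_destroy(context, cred->ccache) : krb5_cc_close(context, cred->ccache);`. A short comment noting that the destroy branch is what removes the temporary cache and its credentials, where closing only releases the handle, would record why the two calls differ. The function body starts and ends outside the hunk.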
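Review bot: In kg_compose_deleg_cred the flag is set right after `krb5_cc_new_unique` succeeds, but the `cleanup` label that a failing `krb5_cc_initialize` jumps to is outside the hunk. If that error path closes `cred->ccache` directly instead of going through krb5_gss_release_cred or calling `krb5_cc_destroy`, a failed composition would still leave the MEMORY cache behind, which is the leak this commit removes on the success path. I would check the cleanup code and, if needed, have it destroy the cache when `cred->destroy_ccache` is set.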