X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FOnly-empty-FILE-ccaches-when-storing-remote-creds.patch;fp=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FOnly-empty-FILE-ccaches-when-storing-remote-creds.patch;h=06edf09fe3f6001fc4d5f843a98689720c8f5ab4;hb=e0634c6eaf2fe2641a0fb90e84a5defb880b1335;hp=0000000000000000000000000000000000000000;hpb=210d0f78485e760dffcdd3f630f59cec797f3f11;p=pti%2Frtp.git

diff --git a/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch b/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
new file mode 100644
index 0000000..06edf09
--- /dev/null
+++ b/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
@@ -0,0 +1,55 @@
+From 1fa33903be640f8d22757d21da294e70f0812698 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 10 Oct 2017 18:00:45 -0400
+Subject: [PATCH] Only empty FILE ccaches when storing remote creds
+
+This mitigates issues when services share a ccache between two
+processes.  We cannot fix this for FILE ccaches without introducing
+other issues.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #216
+(cherry picked from commit d09e87f47a21dd250bfd7a9c59a5932b5c995057)
+---
+ proxy/src/mechglue/gpp_creds.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
+index 9fe9bd1..6bdff45 100644
+--- a/proxy/src/mechglue/gpp_creds.c
++++ b/proxy/src/mechglue/gpp_creds.c
+@@ -147,6 +147,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
+     char cred_name[creds->desired_name.display_name.octet_string_len + 1];
+     XDR xdrctx;
+     bool xdrok;
++    const char *cc_type;
+ 
+     *min = 0;
+ 
+@@ -193,13 +194,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
+     }
+     cred.ticket.length = xdr_getpos(&xdrctx);
+ 
+-    /* Always initialize and destroy any existing contents to avoid pileup of
+-     * entries */
+-    ret = krb5_cc_initialize(ctx, ccache, cred.client);
+-    if (ret == 0) {
+-        ret = krb5_cc_store_cred(ctx, ccache, &cred);
++    cc_type = krb5_cc_get_type(ctx, ccache);
++    if (strcmp(cc_type, "FILE") == 0) {
++        /* FILE ccaches don't handle updates properly: if they have the same
++         * principal name, they are blackholed.  We either have to change the
++         * name (at which point the file grows forever) or flash the cache on
++         * every update. */
++        ret = krb5_cc_initialize(ctx, ccache, cred.client);
++        if (ret != 0) {
++            goto done;
++        }
+     }
+ 
++    ret = krb5_cc_store_cred(ctx, ccache, &cred);
++
+ done:
+     if (ctx) {
+         krb5_free_cred_contents(ctx, &cred);