X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FOnly-empty-FILE-ccaches-when-storing-remote-creds.patch;fp=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FOnly-empty-FILE-ccaches-when-storing-remote-creds.patch;h=0000000000000000000000000000000000000000;hb=6fc6934434f70595536a387ece31bc30141cafb5;hp=06edf09fe3f6001fc4d5f843a98689720c8f5ab4;hpb=eb1e26510491ba49de693ab3b0498edcb06be6c5;p=pti%2Frtp.git
diff --git a/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch b/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
deleted file mode 100644
index 06edf09..0000000
--- a/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Only-empty-FILE-ccaches-when-storing-remote-creds.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 1fa33903be640f8d22757d21da294e70f0812698 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Tue, 10 Oct 2017 18:00:45 -0400
-Subject: [PATCH] Only empty FILE ccaches when storing remote creds
-
-This mitigates issues when services share a ccache between two
-processes. We cannot fix this for FILE ccaches without introducing
-other issues.
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-Merges: #216
-(cherry picked from commit d09e87f47a21dd250bfd7a9c59a5932b5c995057)
----
- proxy/src/mechglue/gpp_creds.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index 9fe9bd1..6bdff45 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -147,6 +147,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
- char cred_name[creds->desired_name.display_name.octet_string_len + 1];
- XDR xdrctx;
- bool xdrok;
-+ const char *cc_type;
-
- *min = 0;
-
-@@ -193,13 +194,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
- }
- cred.ticket.length = xdr_getpos(&xdrctx);
-
-- /* Always initialize and destroy any existing contents to avoid pileup of
-- * entries */
-- ret = krb5_cc_initialize(ctx, ccache, cred.client);
-- if (ret == 0) {
-- ret = krb5_cc_store_cred(ctx, ccache, &cred);
-+ cc_type = krb5_cc_get_type(ctx, ccache);
-+ if (strcmp(cc_type, "FILE") == 0) {
-+ /* FILE ccaches don't handle updates properly: if they have the same
-+ * principal name, they are blackholed. We either have to change the
-+ * name (at which point the file grows forever) or flash the cache on
-+ * every update. */
-+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
-+ if (ret != 0) {
-+ goto done;
-+ }
- }
-
-+ ret = krb5_cc_store_cred(ctx, ccache, &cred);
-+
- done:
- if (ctx) {
- krb5_free_cred_contents(ctx, &cred);