Properly renew expired credentials

When a caller imports expired credentials, we aim to actually renew them
if we can. However due to incorrect checks and not clearing of the
ret_maj variable after checks we end up returning an error instead.

Also fix mechglue to also save and properly report the first call errors
when both remote and local fail.

Resolves: #170

Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Robbie Harwood <[email protected]>

Author: simo5

src/gp_creds.c

@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
-        } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
-                   ret_maj != GSS_S_NO_CRED) {
+        } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+                   ret_maj == GSS_S_NO_CRED) {
+            /* continue and try to obtain new creds */
+            ret_maj = 0;
+            ret_min = 0;
+        } else {
             *min = ret_min;
             return GSS_S_CRED_UNAVAIL;
         }
@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
     if (acquire_type == ACQ_NORMAL) {
         ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
                                           &cred_usage, &cred_store);
+        if (ret_min) {
+            ret_maj = GSS_S_CRED_UNAVAIL;
+        }
     } else if (desired_name) {
         ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
     }
     if (ret_maj) {
         goto done;
-    } else if (ret_min) {
-        ret_maj = GSS_S_CRED_UNAVAIL;
-        goto done;
     }
 
     if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {

src/mechglue/gpp_acquire_cred.c

@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
     }
 
     if (behavior == GPP_REMOTE_FIRST) {
+        if (maj != GSS_S_COMPLETE) {
+            /* save errors */
+            tmaj = maj;
+            tmin = min;
+        }
         /* So remote failed, but we can fallback to local, try that */
         maj = acquire_local(&min, NULL, name,
                             time_req, desired_mechs, cred_usage, cred_store,