[CalendarServer-changes] [13317] PyKerberos/trunk/src/kerberosgss.c
source_changes at macosforge.org
source_changes at macosforge.org
Fri Apr 18 07:29:33 PDT 2014
Revision: 13317
http://trac.calendarserver.org//changeset/13317
Author: cdaboo at apple.com
Date: 2014-04-18 07:29:33 -0700 (Fri, 18 Apr 2014)
Log Message:
-----------
Fix to prevent crash when delegation creds are null.
Modified Paths:
--------------
PyKerberos/trunk/src/kerberosgss.c
Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c 2014-04-18 06:33:45 UTC (rev 13316)
+++ PyKerberos/trunk/src/kerberosgss.c 2014-04-18 14:29:33 UTC (rev 13317)
@@ -673,53 +673,58 @@
int authenticate_gss_server_store_delegate(gss_server_state *state)
{
- gss_cred_id_t delegated_cred = state->client_creds;
- char *princ_name = state->username;
- OM_uint32 maj_stat, min_stat;
- krb5_principal princ = NULL;
- krb5_ccache ccache = NULL;
- krb5_error_code problem;
- krb5_context context;
- int ret = 500;
+ gss_cred_id_t delegated_cred = state->client_creds;
+ char *princ_name = state->username;
+ OM_uint32 maj_stat, min_stat;
+ krb5_principal princ = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code problem;
+ krb5_context context;
+ int ret = 500;
- problem = krb5_init_context(&context);
- if (problem) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s)", "Cannot initialize krb5 context"));
- return AUTH_GSS_ERROR;
- }
+ if (delegated_cred == GSS_C_NO_CREDENTIAL){
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s)", "Ticket is not delegatable"));
+ return AUTH_GSS_ERROR;
+ }
- problem = krb5_parse_name(context, princ_name, &princ);
- if (problem) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Cannot parse delegated username", krb5_get_err_text(context, problem)));
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ problem = krb5_init_context(&context);
+ if (problem) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s)", "Cannot initialize krb5 context"));
+ return AUTH_GSS_ERROR;
+ }
- problem = create_krb5_ccache(state, context, princ, &ccache);
- if (problem) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error in creating krb5 cache", krb5_get_err_text(context, problem)));
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ problem = krb5_parse_name(context, princ_name, &princ);
+ if (problem) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Cannot parse delegated username", krb5_get_err_text(context, problem)));
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
- if (GSS_ERROR(maj_stat)) {
- set_gss_error(maj_stat, min_stat);
- ret = AUTH_GSS_ERROR;
- goto end;
- }
+ problem = create_krb5_ccache(state, context, princ, &ccache);
+ if (problem) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error in creating krb5 cache", krb5_get_err_text(context, problem)));
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
- krb5_cc_close(context, ccache);
- ccache = NULL;
- ret = 0;
+ maj_stat = gss_krb5_copy_ccache(&min_stat, delegated_cred, ccache);
+ if (GSS_ERROR(maj_stat)) {
+ set_gss_error(maj_stat, min_stat);
+ ret = AUTH_GSS_ERROR;
+ goto end;
+ }
-end:
- if (princ)
- krb5_free_principal(context, princ);
- if (ccache)
- krb5_cc_destroy(context, ccache);
- krb5_free_context(context);
- return ret;
+ krb5_cc_close(context, ccache);
+ ccache = NULL;
+ ret = 0;
+
+ end:
+ if (princ)
+ krb5_free_principal(context, princ);
+ if (ccache)
+ krb5_cc_destroy(context, ccache);
+ krb5_free_context(context);
+ return ret;
}
int create_krb5_ccache(gss_server_state *state,
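Review bot: The new guard at the top of authenticate_gss_server_store_delegate covers only `state->client_creds`; `state->username` is still copied into `princ_name` and handed to `krb5_parse_name` unchecked. If a caller can reach this function before a client name has been established (not visible in this hunk, so worth confirming against the callers), that would be the same kind of crash this commit fixes, so a matching early return such as `if (princ_name == NULL) { PyErr_SetObject(KrbException_class, Py_BuildValue("(s)", "No delegated username")); return AUTH_GSS_ERROR; }` would close it. Separately, the added error path passes the `Py_BuildValue` result straight to `PyErr_SetObject`, which does not take ownership of its argument, so the tuple is leaked each time the check fires; the existing error paths in this function share that pattern. Holding the value in a local and calling `Py_XDECREF` on it after `PyErr_SetObject` would avoid the leak.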
@@ -727,47 +732,47 @@
krb5_principal princ,
krb5_ccache *ccache)
{
- int fd;
- char ccname[32];
- krb5_error_code problem;
- int ret;
- krb5_ccache tmp_ccache = NULL;
+ int fd;
+ char ccname[32];
+ krb5_error_code problem;
+ int ret;
+ krb5_ccache tmp_ccache = NULL;
- snprintf(ccname, sizeof(ccname), "/tmp/krb5cc_pyserv_XXXXXX");
- fd = mkstemp(ccname);
- if (fd < 0) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error in mkstemp", strerror(errno)));
- ret = 1;
- goto end;
- }
- close(fd);
+ snprintf(ccname, sizeof(ccname), "/tmp/krb5cc_pyserv_XXXXXX");
+ fd = mkstemp(ccname);
+ if (fd < 0) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error in mkstemp", strerror(errno)));
+ ret = 1;
+ goto end;
+ }
+ close(fd);
- problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache);
- if (problem) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error resolving the credential cache", krb5_get_err_text(kcontext, problem)));
- ret = 1;
- unlink(ccname);
- goto end;
- }
+ problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache);
+ if (problem) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error resolving the credential cache", krb5_get_err_text(kcontext, problem)));
+ ret = 1;
+ unlink(ccname);
+ goto end;
+ }
- problem = krb5_cc_initialize(kcontext, tmp_ccache, princ);
- if (problem) {
- PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error initialising the credential cache", krb5_get_err_text(kcontext, problem)));
- ret = 1;
- goto end;
- }
+ problem = krb5_cc_initialize(kcontext, tmp_ccache, princ);
+ if (problem) {
+ PyErr_SetObject(KrbException_class, Py_BuildValue("(s:s)", "Error initialising the credential cache", krb5_get_err_text(kcontext, problem)));
+ ret = 1;
+ goto end;
+ }
- *ccache = tmp_ccache;
- tmp_ccache = NULL;
+ *ccache = tmp_ccache;
+ tmp_ccache = NULL;
- ret = 0;
+ ret = 0;
-end:
- if (tmp_ccache)
- krb5_cc_destroy(kcontext, tmp_ccache);
+ end:
+ if (tmp_ccache)
+ krb5_cc_destroy(kcontext, tmp_ccache);
- state->ccname = (char *)malloc(32*sizeof(char));
- strcpy(state->ccname, ccname);
+ state->ccname = (char *)malloc(32*sizeof(char));
+ strcpy(state->ccname, ccname);
- return ret;
+ return ret;
}