[CalendarServer-changes] [15428] PyKerberos/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Thu Jan 7 12:42:43 PST 2016
Revision: 15428
http://trac.calendarserver.org//changeset/15428
Author: wsanchez at apple.com
Date: 2016-01-07 12:42:43 -0800 (Thu, 07 Jan 2016)
Log Message:
-----------
Fix leak in authGSSClientInquireCred per #915.
Also finishes the work of #830 by:
* Adding authGSSClientInquireCred to documentation module kerberos.py
* Updating docstring for authGSSClientUserName in kerberos.py to add details of authGSSClientInquireCred as a source of the user name.
* Updating authenticate_gss_client_inquire_cred to allocate and populate the username variable the same way as authenticate_gss_client_step.
* Updating authenticate_gss_client_inquire_cred to clean up the same way as other functions in kerberosgss.c
Author: glen at walker.gen.nz
Modified Paths:
--------------
PyKerberos/trunk/pysrc/kerberos.py
PyKerberos/trunk/src/kerberosgss.c
Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py 2016-01-07 20:34:23 UTC (rev 15427)
+++ PyKerberos/trunk/pysrc/kerberos.py 2016-01-07 20:42:43 UTC (rev 15428)
@@ -179,6 +179,20 @@
+def authGSSClientInquireCred(context):
+ """
+ Get the current user name, if any, without a client-side GSSAPI step.
+ If the principal has already been authenticated via completed client-side
+ GSSAPI steps then the user name of the authenticated principal is kept. The
+ user name will be available via authGSSClientUserName.
+
+ @param context: The context object returned from L{authGSSClientInit}.
+
+ @return: A result code (see above).
+ """
+
+
+
def authGSSClientStep(context, challenge):
"""
Processes a single GSSAPI client-side step using the supplied server data.
@@ -221,9 +235,10 @@
def authGSSClientUserName(context):
"""
Get the user name of the principal authenticated via the now complete
- GSSAPI client-side operations.
- This method must only be called after authGSSClientStep returns a complete
- response code.
+ GSSAPI client-side operations, or the current user name obtained via
+ authGSSClientInquireCred. This method must only be called after
+ authGSSClientStep or authGSSClientInquireCred return a complete response
+ code.
@param context: The context object returned from L{authGSSClientInit}.
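Review bot: The revised authGSSClientUserName docstring no longer lets a caller tell whether the returned name comes from a finished GSSAPI exchange or only from the locally held credential, which is what authGSSClientInquireCred appears to read (kerberosgss.c calls `gss_acquire_cred` with `GSS_C_NO_NAME`). Code that treats a non-empty user name as a sign that the exchange with the server completed would now be wrong. I would add a sentence such as `A name obtained via authGSSClientInquireCred reflects the local default credential only; it does not show that any exchange with a server has taken place.` Also, "authGSSClientStep or authGSSClientInquireCred return" should read "returns".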
Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c 2016-01-07 20:34:23 UTC (rev 15427)
+++ PyKerberos/trunk/src/kerberosgss.c 2016-01-07 20:42:43 UTC (rev 15428)
@@ -319,6 +319,10 @@
ret = AUTH_GSS_ERROR;
goto end;
} else {
+ if (state->username != NULL) {
+ free(state->username);
+ state->username = NULL;
+ }
state->username = (char *)malloc(name_token.length + 1);
if (state->username == NULL) {
PyErr_NoMemory();
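Review bot: The `if (state->username != NULL)` guard around the added `free` is redundant, because `free(NULL)` is a no-op; `free(state->username); state->username = NULL;` is enough. Resetting the pointer before the `malloc` is worth keeping, since the allocation-failure path then leaves no dangling pointer in `state`. The enclosing function starts and ends outside this hunk.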
@@ -515,6 +519,11 @@
gss_name_t name = GSS_C_NO_NAME;
int ret = AUTH_GSS_COMPLETE;
+ // Check whether credentials have already been obtained.
+ if (state->username != NULL) {
+ goto end;
+ }
+
// Get credentials
maj_stat = gss_acquire_cred(
&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
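Review bot: The early `goto end` returns AUTH_GSS_COMPLETE whenever `state->username` is already set, without consulting the credential cache, so a long-lived context keeps reporting the first principal even if the default credential has since been replaced or has expired. If that is intended, say so at the check, e.g. `// A cached username is returned as-is; the credential is not re-validated.`. The jump also lands on the cleanup at `end:`, which in the next hunk tests `client_creds` and `name_token.length`. Their declarations are above this hunk, so confirm both are initialised (`GSS_C_NO_CREDENTIAL`, `GSS_C_EMPTY_BUFFER`) before this point.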
@@ -546,17 +555,25 @@
goto end;
}
- state->username = strndup(name_token.value, name_token.length);
- if (!state->username) {
- set_gss_error(GSS_S_FAILURE, ENOMEM);
+ state->username = (char *)malloc(name_token.length + 1);
+ if (state->username == NULL) {
+ PyErr_NoMemory();
ret = AUTH_GSS_ERROR;
+ goto end;
}
+ strncpy(state->username, (char*) name_token.value, name_token.length);
+ state->username[name_token.length] = 0;
end:
- (void)gss_release_cred(&min_stat, &client_creds);
- (void)gss_release_buffer(&min_stat, &name_token);
- (void)gss_release_name(&min_stat, &name);
-
+ if (client_creds != GSS_C_NO_CREDENTIAL) {
+ gss_release_cred(&min_stat, &client_creds);
+ }
+ if (name_token.length) {
+ gss_release_buffer(&min_stat, &name_token);
+ }
+ if (name != GSS_C_NO_NAME) {
+ gss_release_name(&min_stat, &name);
+ }
return ret;
}
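Review bot: The copy `strncpy(state->username, (char*) name_token.value, name_token.length);` stops at the first NUL byte in `name_token.value` and zero-fills the remainder, so a display name with an embedded NUL would be silently shortened and later reported by authGSSClientUserName as a different principal. Since the length is known, I would reject such a buffer through the function's normal error path when `memchr(name_token.value, 0, name_token.length) != NULL`, and then copy with `memcpy`. The commit message says this mirrors authenticate_gss_client_step, so the same may apply there, outside the hunks shown. Separately, the `if (name_token.length)` guard in the cleanup skips `gss_release_buffer` for a zero-length buffer whose `value` is set. Calling it unconditionally, as the removed lines did, is permitted for empty buffers and cannot leak. The function begins above the previous hunk.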