[CalendarServer-changes] [15428] PyKerberos/trunk

source_changes at macosforge.org source_changes at macosforge.org
Thu Jan 7 12:42:43 PST 2016


Revision: 15428
          http://trac.calendarserver.org//changeset/15428
Author:   wsanchez at apple.com
Date:     2016-01-07 12:42:43 -0800 (Thu, 07 Jan 2016)
Log Message:
-----------
Fix leak in authGSSClientInquireCred per #915.
Also finishes the work of #830 by:
 * Adding authGSSClientInquireCred to documentation module kerberos.py
 * Updating docstring for authGSSClientUserName in kerberos.py to add details of authGSSClientInquireCred as a source of the user name.
 * Updating authenticate_gss_client_inquire_cred to allocate and populate the username variable the same way as authenticate_gss_client_step.
 * Updating authenticate_gss_client_inquire_cred to clean up the same way as other functions in kerberosgss.c

Author: glen at walker.gen.nz

Modified Paths:
--------------
    PyKerberos/trunk/pysrc/kerberos.py
    PyKerberos/trunk/src/kerberosgss.c

Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py	2016-01-07 20:34:23 UTC (rev 15427)
+++ PyKerberos/trunk/pysrc/kerberos.py	2016-01-07 20:42:43 UTC (rev 15428)
@@ -179,6 +179,20 @@
 
 
 
+def authGSSClientInquireCred(context):
+    """
+    Get the current user name, if any, without a client-side GSSAPI step.
+    If the principal has already been authenticated via completed client-side
+    GSSAPI steps then the user name of the authenticated principal is kept. The
+    user name will be available via authGSSClientUserName.
+
+    @param context: The context object returned from L{authGSSClientInit}.
+
+    @return: A result code (see above).
+    """
+
+
+
 def authGSSClientStep(context, challenge):
     """
     Processes a single GSSAPI client-side step using the supplied server data.
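Review bot: The new authGSSClientInquireCred docstring does not say where the user name comes from when no GSSAPI step has completed. In kerberosgss.c the function calls gss_acquire_cred with GSS_C_NO_NAME, so the name appears to come from the local default credential rather than from a completed exchange with a server, and callers who use authGSSClientUserName for authorization decisions would want that stated. I would add a sentence such as `The name is taken from the default credential, not from a completed GSSAPI exchange.` and carry the same caveat into the authGSSClientUserName docstring in the next hunk. In that hunk, `authGSSClientStep or authGSSClientInquireCred return a complete response code` should also read `returns`.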
@@ -221,9 +235,10 @@
 def authGSSClientUserName(context):
     """
     Get the user name of the principal authenticated via the now complete
-    GSSAPI client-side operations.
-    This method must only be called after authGSSClientStep returns a complete
-    response code.
+    GSSAPI client-side operations, or the current user name obtained via
+    authGSSClientInquireCred. This method must only be called after
+    authGSSClientStep or authGSSClientInquireCred return a complete response
+    code.
 
     @param context: The context object returned from L{authGSSClientInit}.
 

Modified: PyKerberos/trunk/src/kerberosgss.c
===================================================================
--- PyKerberos/trunk/src/kerberosgss.c	2016-01-07 20:34:23 UTC (rev 15427)
+++ PyKerberos/trunk/src/kerberosgss.c	2016-01-07 20:42:43 UTC (rev 15428)
@@ -319,6 +319,10 @@
             ret = AUTH_GSS_ERROR;
             goto end;
         } else {
+            if (state->username != NULL) {                                                                                                    
+                free(state->username);                                                                                                        
+                state->username = NULL;                                                                                                       
+            }                                                                                                                                 
             state->username = (char *)malloc(name_token.length + 1);
             if (state->username == NULL) {
                 PyErr_NoMemory();
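Review bot: The four added lines each end in a long run of trailing spaces, which will show up as noise in later diffs and should be stripped. The NULL test around `free(state->username);` is also unnecessary, because free(NULL) is a no-op; a bare `free(state->username);` before the malloc has the same effect. The enclosing function starts and ends outside this hunk, so I cannot tell whether other paths that assign state->username need the same release.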
@@ -515,6 +519,11 @@
     gss_name_t name = GSS_C_NO_NAME;
     int ret = AUTH_GSS_COMPLETE;
 
+    // Check whether credentials have already been obtained.
+    if (state->username != NULL) {
+        goto end;
+    }
+
     // Get credentials
     maj_stat = gss_acquire_cred(
         &min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
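Review bot: The early `goto end` returns AUTH_GSS_COMPLETE whenever state->username is non-NULL, so the name reported may be one cached by an earlier step or inquiry rather than what the credential cache holds now. If the default credential changes during the lifetime of the context, callers would keep seeing the old name. The comment says credentials have been obtained, but the test is on the cached name; something like `// A user name is already cached on this context (from a step or an earlier inquiry); keep it.` describes the check more exactly. The jump also reaches the cleanup before gss_acquire_cred has run, so it relies on client_creds and name_token being initialised to their empty values in declarations above this hunk, which are not visible here.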
@@ -546,17 +555,25 @@
         goto end;
     }
 
-    state->username = strndup(name_token.value, name_token.length);
-    if (!state->username) {
-        set_gss_error(GSS_S_FAILURE, ENOMEM);
+    state->username = (char *)malloc(name_token.length + 1);
+    if (state->username == NULL) {
+        PyErr_NoMemory();
         ret = AUTH_GSS_ERROR;
+        goto end;
     }
+    strncpy(state->username, (char*) name_token.value, name_token.length);
+    state->username[name_token.length] = 0;
 
 end:
-    (void)gss_release_cred(&min_stat, &client_creds);
-    (void)gss_release_buffer(&min_stat, &name_token);
-    (void)gss_release_name(&min_stat, &name);
-
+    if (client_creds != GSS_C_NO_CREDENTIAL) {
+        gss_release_cred(&min_stat, &client_creds);
+    }
+    if (name_token.length) {
+        gss_release_buffer(&min_stat, &name_token);
+    }
+    if (name != GSS_C_NO_NAME) {
+        gss_release_name(&min_stat, &name);
+    }
     return ret;
 }
 
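Review bot: In the `end:` block, `if (name_token.length)` skips gss_release_buffer for any buffer that came back with zero length. As far as RFC 2744 describes it, gss_release_buffer may be called on a buffer with no storage attached, so the unconditional call the old code made is the simpler and safer form, provided name_token is initialised empty above this hunk. The copy just before the label uses `strncpy` on data whose length is already known; `memcpy(state->username, name_token.value, name_token.length);` makes the fixed-length copy explicit and keeps the explicit terminator on the next line meaningful. The function begins outside this hunk.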