From 56e199042f3e9b17ccd0081f303a211247d88a7c Mon Sep 17 00:00:00 2001 From: kouril Date: Thu, 11 Dec 2003 21:48:47 +0000 Subject: [PATCH] use krb5_cc_resolve() and manualy created temporary files (generated with mkstemp) to create ccache. This should more portable. --- src/mod_auth_kerb.c | 63 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 97b4761..e13d3a5 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -401,10 +401,10 @@ authenticate_user_krb4pwd(request_rec *r, if (realm == NULL) { ret = krb_get_lrealm(lrealm, 1); + if (ret) + break; realm = lrealm; } - if (realm == NULL || *realm == '\0') - break; ret = verify_krb4_user(r, (char *)sent_name, (sent_instance) ? sent_instance : "", @@ -535,29 +535,30 @@ create_krb5_ccache(krb5_context kcontext, krb5_ccache *ccache) { char *ccname; + int fd; krb5_error_code problem; int ret; krb5_ccache tmp_ccache = NULL; -#ifdef HAVE_KRB5_CC_GEN_NEW - problem = krb5_cc_gen_new(kcontext, &krb5_fcc_ops, &tmp_ccache); -#else - /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use - * MIT specific call here */ - problem = krb5_fcc_generate_new(kcontext, &tmp_ccache); - /* krb5_fcc_generate_new() doesn't set KRB5_TC_OPENCLOSE, which makes - krb5_cc_initialize() fail */ - krb5_fcc_set_flags(kcontext, tmp_ccache, KRB5_TC_OPENCLOSE); -#endif - if (problem) { + ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + fd = mkstemp(ccname + strlen("FILE:")); + if (fd < 0) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Cannot create file for new krb5 ccache: %s", - krb5_get_err_text(kcontext, problem)); + "mkstemp() failed: %s", strerror(errno)); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } + close(fd); - ccname = ap_pstrdup(r->pool, krb5_cc_get_name(kcontext, tmp_ccache)); + problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache); + if (problem) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_resolve() failed: %s", + krb5_get_err_text(kcontext, problem)); + ret = HTTP_INTERNAL_SERVER_ERROR; + unlink(ccname); + goto end; + } problem = krb5_cc_initialize(kcontext, tmp_ccache, princ); if (problem) { @@ -642,6 +643,8 @@ int authenticate_user_krb5pwd(request_rec *r, int ret; char *name = NULL; int all_principals_unkown; + char *ccname = NULL; + int fd; code = krb5_init_context(&kcontext); if (code) { @@ -658,20 +661,26 @@ int authenticate_user_krb5pwd(request_rec *r, "specifying realm in user name is prohibited"); ret = HTTP_UNAUTHORIZED; goto end; - } + } -#ifdef HAVE_KRB5_CC_GEN_NEW - code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache); -#else - /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use - * MIT specific call here */ - code = krb5_mcc_generate_new(kcontext, &ccache); -#endif + /* XXX Heimdal allows to use the MEMORY: type with empty argument ? */ + ccname = ap_psprintf(r->pool, "MEMORY:%s/krb5cc_apache_XXXXXX", P_tmpdir); + fd = mkstemp(ccname + strlen("MEMORY:")); + if (fd < 0) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mkstemp() failed: %s", strerror(errno)); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; + } + close(fd); + + code = krb5_cc_resolve(kcontext, ccname, &ccache); if (code) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Cannot generate new ccache: %s", - krb5_get_err_text(kcontext, code)); + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_resolve() failed: %s", + krb5_get_err_text(kcontext, code)); ret = HTTP_INTERNAL_SERVER_ERROR; + unlink(ccname); goto end; } -- 2.1.4