make sure lock is acquired before exporting auth data context

author Luke Howard <lukeh@padl.com>

Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)

committer Luke Howard <lukeh@padl.com>

Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)
author Luke Howard <lukeh@padl.com>
Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)
committer Luke Howard <lukeh@padl.com>
Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c

index eace54f3444920180dd14dad6a6afc7e2d0dc983..93784ad98584c2c577d7e157a1eca6919f609a23 100644 (file)
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -163,7 +163,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
          mcreds.client = cred->name->princ;
  
          code = krb5_cc_retrieve_cred(context, cred->ccache,
-                                     KRB5_TC_MATCH_TIMES, &mcreds,
+                                     KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
+                                     &mcreds,
                                       &evidence_creds);
          if (code)
              goto cleanup;
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c

index f91d4fb34567978a20f847a38e3097380df7defe..1f6e9eb7d90063bc3bf66a2f1d065fdbfa4f379d 100644 (file)
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -130,17 +130,26 @@ kg_impersonate_name(OM_uint32 *minor_status,
      if (impersonator_cred->req_enctypes != NULL)
          in_creds.keyblock.enctype = impersonator_cred->req_enctypes[0];
  
+    code = k5_mutex_lock(&user->lock);
+    if (code != 0) {
+        *minor_status = code;
+        return GSS_S_FAILURE;
+    }
+
      if (user->ad_context != NULL) {
          code = krb5_authdata_export_attributes(context,
                                                 user->ad_context,
                                                 AD_USAGE_TGS_REQ,
                                                 &in_creds.authdata);
          if (code != 0) {
+            k5_mutex_unlock(&user->lock);
              *minor_status = code;
              return GSS_S_FAILURE;
          }
      }
  
+    k5_mutex_unlock(&user->lock);
+
      code = krb5_get_credentials_for_user(context,
                                           KRB5_GC_CANONICALIZE | KRB5_GC_NO_STORE,
                                           impersonator_cred->ccache,
author	Luke Howard <lukeh@padl.com>
	Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)
committer	Luke Howard <lukeh@padl.com>
	Sun, 13 Sep 2009 09:36:15 +0000 (09:36 +0000)
src/lib/gssapi/krb5/init_sec_context.c		patch \| blob \| blame \| history
src/lib/gssapi/krb5/s4u_gss_glue.c		patch \| blob \| blame \| history