Two changes:

1. Enable a privileged process ('system' owned) to access the logged-in user's
   Kerberos credential cache while authenticating to the ATS. The LUID
   of the logged-in user is an input. This is required by Zenworks.
2. Fix a buffer overflow. A memory buffer was being used after being
   freed.
S Rahul 2009-09-25 06:06:03 +00:00
parent f867391074
commit 2feba2710f
2 changed files with 27 additions and 2 deletions


@ -29,6 +29,7 @@
#include "platform.h" #include "platform.h"
#include <micasa_types.h> #include <micasa_types.h>
#include <micasa_mgmd.h>
#include <casa_status.h> #include <casa_status.h>
#include "config_if.h" #include "config_if.h"
#include "mech_if.h" #include "mech_if.h"


@ -33,6 +33,7 @@
//===[ Global variables ]================================================== //===[ Global variables ]==================================================
#define WINDOWS_LOGIN_ID 1
//++======================================================================= //++=======================================================================
CasaStatus SSCS_CALL CasaStatus SSCS_CALL
@ -101,6 +102,8 @@ AuthTokenIf_GetAuthToken(
SECURITY_STATUS secStatus; SECURITY_STATUS secStatus;
TimeStamp expiry; TimeStamp expiry;
CredHandle hCredentials = {0}; CredHandle hCredentials = {0};
LUID *pluid = NULL;
SSCS_EXT_T *ext = (SSCS_EXT_T *)pCredStoreScope;
DbgTrace(1, "-AuthTokenIf_GetAuthToken- Start\n", 0); DbgTrace(1, "-AuthTokenIf_GetAuthToken- Start\n", 0);
@ -147,7 +150,16 @@ AuthTokenIf_GetAuthToken(
// Process the setting // Process the setting
if (stricmp(pSettingName, "SVC_PRINCIPAL") == 0) if (stricmp(pSettingName, "SVC_PRINCIPAL") == 0)
{ {
pKrbServiceName = pSettingValue; pKrbServiceName = strdup(pSettingValue);
if (pKrbServiceName == NULL)
{
DbgTrace(0, "-AuthTokenIf_GetAuthToken- Memory allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_KRB5TOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
goto exit;
}
freeKrbSvcNameBuf = true;
} }
} }
else else
@ -191,12 +203,24 @@ AuthTokenIf_GetAuthToken(
goto exit; goto exit;
} }
} }
if (ext != NULL) {
char err[128];
if ((ext->extID != WINDOWS_LOGIN_ID) || (ext->version != 1)) {
DbgTrace(0, "-AuthTokenIf_GetAuthToken- Unknown extension ID\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, CASA_FACILITY_KRB5TOKEN, CASA_STATUS_INVALID_PARAMETER);
goto exit;
}
pluid = (LUID *)ext->ext;
sprintf(err, "-AuthTokenIf_GetAuthToken- Found luid %d.%d\n", pluid->LowPart, pluid->HighPart);
DbgTrace(1, err, 0);
}
// Acquire a credential handle for the current user // Acquire a credential handle for the current user
secStatus = AcquireCredentialsHandle(NULL, // no principal name secStatus = AcquireCredentialsHandle(NULL, // no principal name
"Kerberos", // package name "Kerberos", // package name
SECPKG_CRED_OUTBOUND, SECPKG_CRED_OUTBOUND,
NULL, // no logon id pluid,
NULL, // no auth data NULL, // no auth data
NULL, // no get key fn NULL, // no get key fn
NULL, // noget key arg NULL, // noget key arg
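Review bot: In the new `if (ext != NULL)` block, `pluid = (LUID *)ext->ext` is dereferenced by the `sprintf` call without a NULL check, so an extension with a valid ID and version but no payload would fault there; the validation could read `if ((ext->extID != WINDOWS_LOGIN_ID) || (ext->version != 1) || (ext->ext == NULL)) {`. The LUID is caller-supplied and goes straight into `AcquireCredentialsHandle` as the logon ID, which in a SYSTEM-owned process selects whose Kerberos credential cache is used. The callers are not visible here, so a comment above the block should state the trust assumption, e.g. `// LUID names another user's logon session; pCredStoreScope must come from a trusted caller`. `LowPart` is an unsigned DWORD, so `%u` matches it better than `%d`, and the trace prints the low part before the high part. The function body starts and ends outside these hunks.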