Hello community, here is the log from the commit of package python-kerberos for openSUSE:Factory checked in at 2018-02-09 15:53:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-kerberos (Old) and /work/SRC/openSUSE:Factory/.python-kerberos.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-kerberos" Fri Feb 9 15:53:17 2018 rev:3 rq:574530 version:1.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/python-kerberos/python-kerberos.changes 2015-07-21 13:29:10.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python-kerberos.new/python-kerberos.changes 2018-02-09 15:53:19.018955425 +0100 @@ -1,0 +2,9 @@ +Wed Dec 20 09:43:38 UTC 2017 - dmuel...@suse.com + +- update to 1.2.5 + * no changelog available +- convert to singlespec +- drop 0001-Initialise-pydelegatestate-variable-to-NULL.patch: + already upstream + +------------------------------------------------------------------- Old: ---- 0001-Initialise-pydelegatestate-variable-to-NULL.patch kerberos-1.2.2.tar.gz New: ---- kerberos-1.2.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-kerberos.spec ++++++ --- /var/tmp/diff_new_pack.zde6TF/_old 2018-02-09 15:53:19.906923529 +0100 +++ /var/tmp/diff_new_pack.zde6TF/_new 2018-02-09 15:53:19.906923529 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-kerberos # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,22 +16,22 @@ # +%{?!python_module:%define python_module() python-%{**} python3-%{**}} +%bcond_without test Name: python-kerberos -Version: 1.2.2 +Version: 1.2.5 Release: 0 Summary: Kerberos high-level interface License: Apache-2.0 Group: Development/Languages/Python Url: http://www.calendarserver.org/ -Source: https://pypi.python.org/packages/source/k/kerberos/kerberos-%{version}.tar.gz -Patch1: 0001-Initialise-pydelegatestate-variable-to-NULL.patch -BuildRequires: krb5-devel -BuildRequires: python-devel -BuildRequires: python-setuptools -BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if 0%{?suse_version} && 0%{?suse_version} <= 1110 -%{!?python_sitearch: %global python_sitearch %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} -%endif +Source: https://files.pythonhosted.org/packages/source/k/kerberos/kerberos-%{version}.tar.gz +BuildRequires: %{python_module devel} +BuildRequires: %{python_module setuptools} +BuildRequires: fdupes +BuildRequires: krb5-mini-devel +BuildRequires: python-rpm-macros +%python_subpackages %description A high-level wrapper for Kerberos (GSSAPI) operations. @@ -42,17 +42,18 @@ %prep %setup -q -n kerberos-%{version} -%patch1 -p1 %build -CFLAGS="%{optflags}" python setup.py build +export CFLAGS="%{optflags}" +%python_build %install -python setup.py install --prefix=%{_prefix} --root=%{buildroot} +%python_install +%python_expand %fdupes %{buildroot}%{$python_sitearch} -%files +%files %{python_files} %defattr(-,root,root,-) -%doc LICENSE README.rst +%doc README.rst %{python_sitearch}/* %changelog ++++++ kerberos-1.2.2.tar.gz -> kerberos-1.2.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/LICENSE new/kerberos-1.2.5/LICENSE --- old/kerberos-1.2.2/LICENSE 2015-03-26 19:31:17.000000000 +0100 +++ new/kerberos-1.2.5/LICENSE 1970-01-01 01:00:00.000000000 +0100 
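Review bot: `%bcond_without test` is declared at the top of the spec, but nothing in the visible hunks consumes it: there is no `%check` section and no `%if %{with test}` between `%install` and `%files`. As written, the updated C extension is built for both Python flavours without any test run at build time. Either add a `%check` guarded by `%if %{with test}` or drop the conditional. New spec lines 38-41 fall between the two hunks and are not shown, so confirm the macro is not used there.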
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/PKG-INFO new/kerberos-1.2.5/PKG-INFO --- old/kerberos-1.2.2/PKG-INFO 2015-03-27 02:15:27.000000000 +0100 +++ new/kerberos-1.2.5/PKG-INFO 2016-07-18 21:18:19.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: kerberos -Version: 1.2.2 +Version: 1.2.5 Summary: Kerberos high-level interface Home-page: http://www.calendarserver.org/ Author: Apple Inc. 
@@ -69,7 +69,7 @@ Copyright and License ===================== - Copyright (c) 2006-2015 Apple Inc. All rights reserved. + Copyright (c) 2006-2016 Apple Inc. All rights reserved. This software is licensed under the Apache License, Version 2.0. The Apache License is a well-established open source license, enabling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/README.rst new/kerberos-1.2.5/README.rst --- old/kerberos-1.2.2/README.rst 2015-03-26 19:31:17.000000000 +0100 +++ new/kerberos-1.2.5/README.rst 2016-01-25 18:51:33.000000000 +0100 @@ -61,7 +61,7 @@ Copyright and License ===================== -Copyright (c) 2006-2015 Apple Inc. All rights reserved. +Copyright (c) 2006-2016 Apple Inc. All rights reserved. This software is licensed under the Apache License, Version 2.0. The Apache License is a well-established open source license, enabling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/kerberos.egg-info/PKG-INFO new/kerberos-1.2.5/kerberos.egg-info/PKG-INFO --- old/kerberos-1.2.2/kerberos.egg-info/PKG-INFO 2015-03-27 02:15:27.000000000 +0100 +++ new/kerberos-1.2.5/kerberos.egg-info/PKG-INFO 2016-07-18 21:18:19.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: kerberos -Version: 1.2.2 +Version: 1.2.5 Summary: Kerberos high-level interface Home-page: http://www.calendarserver.org/ Author: Apple Inc. 
@@ -69,7 +69,7 @@ Copyright and License ===================== - Copyright (c) 2006-2015 Apple Inc. All rights reserved. + Copyright (c) 2006-2016 Apple Inc. All rights reserved. This software is licensed under the Apache License, Version 2.0. The Apache License is a well-established open source license, enabling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/kerberos.egg-info/SOURCES.txt new/kerberos-1.2.5/kerberos.egg-info/SOURCES.txt --- old/kerberos-1.2.2/kerberos.egg-info/SOURCES.txt 2015-03-27 02:15:27.000000000 +0100 +++ new/kerberos-1.2.5/kerberos.egg-info/SOURCES.txt 2016-07-18 21:18:19.000000000 +0200 @@ -1,4 +1,3 @@ -LICENSE MANIFEST.in README.rst setup.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/pysrc/kerberos.py new/kerberos-1.2.5/pysrc/kerberos.py --- old/kerberos-1.2.2/pysrc/kerberos.py 2015-03-26 21:31:26.000000000 +0100 +++ new/kerberos-1.2.5/pysrc/kerberos.py 2016-01-25 18:51:33.000000000 +0100 @@ -1,5 +1,5 @@ ## -# Copyright (c) 2006-2015 Apple Inc. All rights reserved. +# Copyright (c) 2006-2016 Apple Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -158,6 +158,8 @@ @param delegated: Optional server context containing delegated credentials + @param mech_oid: Optional GGS mech OID + @return: A tuple of (result, context) where result is the result code (see above) and context is an opaque value that will need to be passed to subsequent functions. 
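Review bot: The added `@param mech_oid: Optional GGS mech OID` line misspells GSS and does not say which values the parameter accepts. The C side of this update only unwraps capsule objects and otherwise keeps `GSS_C_NO_OID`, so the docstring should name the two exported constants, for example `@param mech_oid: Optional GSS mechanism OID; pass kerberos.GSS_MECH_OID_KRB5 or kerberos.GSS_MECH_OID_SPNEGO. When omitted, no explicit mechanism is requested.` The docstring and its `def` line start outside this hunk, so whether the stub signature also gained `mech_oid` cannot be checked from here.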
@@ -177,6 +179,20 @@ +def authGSSClientInquireCred(context): + """ + Get the current user name, if any, without a client-side GSSAPI step. + If the principal has already been authenticated via completed client-side + GSSAPI steps then the user name of the authenticated principal is kept. The + user name will be available via authGSSClientUserName. + + @param context: The context object returned from L{authGSSClientInit}. + + @return: A result code (see above). + """ + + + def authGSSClientStep(context, challenge): """ Processes a single GSSAPI client-side step using the supplied server data. @@ -219,9 +235,10 @@ def authGSSClientUserName(context): """ Get the user name of the principal authenticated via the now complete - GSSAPI client-side operations. - This method must only be called after authGSSClientStep returns a complete - response code. + GSSAPI client-side operations, or the current user name obtained via + authGSSClientInquireCred. This method must only be called after + authGSSClientStep or authGSSClientInquireCred return a complete response + code. @param context: The context object returned from L{authGSSClientInit}. @@ -266,7 +283,8 @@ to dispose of the context once all GSSAPI operations are complete. @param service: A string containing the service principal in the form - C{"type@fqdn"}. + C{"type@fqdn"}. To initialize the context for the purpose of accepting + delegated credentials, pass the literal string C{"DELEGATE"}. @return: A tuple of (result, context) where result is the result code (see above) and context is an opaque value that will need to be passed to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/setup.py new/kerberos-1.2.5/setup.py --- old/kerberos-1.2.2/setup.py 2015-03-27 02:15:10.000000000 +0100 +++ new/kerberos-1.2.5/setup.py 2016-07-18 21:18:04.000000000 +0200 
@@ -1,5 +1,5 @@ ## -# Copyright (c) 2006-2015 Apple Inc. All rights reserved. +# Copyright (c) 2006-2016 Apple Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,11 +29,11 @@ project_name = "kerberos" -version_string = "1.2.2" +version_string = "1.2.5" description = "Kerberos high-level interface" -long_description = file(joinpath(dirname(__file__), "README.rst")).read() +long_description = open(joinpath(dirname(__file__), "README.rst")).read() url = "http://www.calendarserver.org/" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/base64.c new/kerberos-1.2.5/src/base64.c --- old/kerberos-1.2.2/src/base64.c 2015-03-26 22:29:55.000000000 +0100 +++ new/kerberos-1.2.5/src/base64.c 2016-01-25 18:51:33.000000000 +0100 @@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,6 +43,10 @@ char *base64_encode(const unsigned char *value, size_t vlen) { char *result = (char *)malloc((vlen * 4) / 3 + 5); + if (result == NULL) + { + return NULL; + } char *out = result; while (vlen >= 3) { @@ -79,6 +83,10 @@ size_t vlen = strlen(value); unsigned char *result =(unsigned char *)malloc((vlen * 3) / 4 + 1); + if (result == NULL) + { + return NULL; + } unsigned char *out = result; while (1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/base64.h new/kerberos-1.2.5/src/base64.h --- old/kerberos-1.2.2/src/base64.h 2015-03-26 22:30:02.000000000 +0100 +++ new/kerberos-1.2.5/src/base64.h 2016-01-25 18:51:33.000000000 +0100 
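Review bot: The allocation size in base64_encode, `(vlen * 4) / 3 + 5`, is still computed without an overflow check. The added NULL test therefore does not help when `vlen * 4` wraps: malloc then succeeds with a buffer smaller than the encode loop will fill. A guard before the malloc, `if (vlen > SIZE_MAX / 4) return NULL;`, closes this. base64_decode has the same shape with `(vlen * 3) / 4 + 1` and would take `if (vlen > SIZE_MAX / 3) return NULL;`. Both function bodies continue outside their hunks, and the inputs are presumably small GSS tokens, so this is hardening rather than a demonstrated fault.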
@@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberos.c new/kerberos-1.2.5/src/kerberos.c --- old/kerberos-1.2.2/src/kerberos.c 2015-03-27 00:13:12.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberos.c 2016-07-18 21:14:56.000000000 +0200 @@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -57,6 +57,14 @@ ob = Py_InitModule3(name, methods, doc); #endif +static char krb5_mech_oid_bytes [] = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"; +gss_OID_desc krb5_mech_oid = { 9, &krb5_mech_oid_bytes }; + +static char spnego_mech_oid_bytes[] = "\x2b\x06\x01\x05\x05\x02"; +gss_OID_desc spnego_mech_oid = { 6, &spnego_mech_oid_bytes }; + +char STATE_NULL_C = 'C'; +void* STATE_NULL = &STATE_NULL_C; PyObject *KrbException_class; PyObject *BasicAuthException_class; @@ -108,7 +116,7 @@ { const char *service = NULL; const char *hostname = NULL; - char* result; + char* result = NULL; if (! PyArg_ParseTuple(args, "ss", &service, &hostname)) { return NULL; 
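Review bot: The new file-scope objects `krb5_mech_oid`, `spnego_mech_oid`, `STATE_NULL_C` and `STATE_NULL` are defined without `static`, so the extension exports them, and `STATE_NULL` is a writable pointer that every later cleaned-context check compares against. Unless another translation unit references them (not visible in this hunk), give them internal linkage and make the sentinel pointer immutable: `static char STATE_NULL_C = 'C';` and `static void *const STATE_NULL = &STATE_NULL_C;`. The hard-coded lengths 9 and 6 could be derived from the arrays, e.g. `{ sizeof krb5_mech_oid_bytes - 1, krb5_mech_oid_bytes }`, so the length cannot drift from the byte string.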
@@ -129,32 +137,44 @@ { const char *service = NULL; const char *principal = NULL; - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; gss_server_state *delegatestate = NULL; - PyObject *pydelegatestate; + PyObject *pydelegatestate = NULL; + gss_OID mech_oid = GSS_C_NO_OID; + PyObject *pymech_oid = NULL; static char *kwlist[] = { - "service", "principal", "gssflags", "delegated", NULL + "service", "principal", "gssflags", "delegated", "mech_oid", NULL }; long int gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; int result = 0; if (! PyArg_ParseTupleAndKeywords( - args, keywds, "s|slO", kwlist, - &service, &principal, &gss_flags, &pydelegatestate + args, keywds, "s|slOO", kwlist, + &service, &principal, &gss_flags, &pydelegatestate, &pymech_oid )) { return NULL; } state = (gss_client_state *) malloc(sizeof(gss_client_state)); + if (state == NULL) + { + PyErr_NoMemory(); + return NULL; + } pystate = PyCObject_FromVoidPtr(state, NULL); - if (PyCObject_Check(pydelegatestate)) { + if (pydelegatestate != NULL && PyCObject_Check(pydelegatestate)) { delegatestate = PyCObject_AsVoidPtr(pydelegatestate); } + if (pymech_oid != NULL && PyCapsule_CheckExact(pymech_oid)) { + const char * mech_oid_name = PyCapsule_GetName(pymech_oid); + mech_oid = PyCapsule_GetPointer(pymech_oid, mech_oid_name); + } + result = authenticate_gss_client_init( - service, principal, gss_flags, delegatestate, state + service, principal, gss_flags, delegatestate, mech_oid, state ); if (result == AUTH_GSS_ERROR) { @@ -166,8 +186,8 @@ static PyObject *authGSSClientClean(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; int result = 0; if (! PyArg_ParseTuple(args, "O", &pystate)) { 
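Review bot: The `mech_oid` handling in authGSSClientInit accepts any capsule: it reads the capsule's own name with `PyCapsule_GetName` and passes that same name to `PyCapsule_GetPointer`, so the name check can never fail. A capsule created by an unrelated extension would be unwrapped and its payload handed to `authenticate_gss_client_init` as a `gss_OID`, and a non-capsule value is silently ignored. Validate against the two names this module registers and resolve them to the module's own descriptors. Do this before `state` is allocated, so the error return does not leak it. The version below raises TypeError for anything else, which changes the current silent fallback.

```c
    /* … unchanged: PyArg_ParseTupleAndKeywords call and its failure return … */

    /* Accept only the capsules this module exports and map them to the
     * module's own OID descriptors instead of trusting the capsule payload. */
    if (pymech_oid != NULL && pymech_oid != Py_None) {
        if (PyCapsule_IsValid(pymech_oid, "kerberos.GSS_MECH_OID_KRB5")) {
            mech_oid = &krb5_mech_oid;
        } else if (PyCapsule_IsValid(pymech_oid, "kerberos.GSS_MECH_OID_SPNEGO")) {
            mech_oid = &spnego_mech_oid;
        } else {
            PyErr_SetString(PyExc_TypeError,
                            "mech_oid must be GSS_MECH_OID_KRB5 or GSS_MECH_OID_SPNEGO");
            return NULL;
        }
    }

    state = (gss_client_state *) malloc(sizeof(gss_client_state));
    /* … unchanged: allocation check, pystate, delegatestate lookup, authenticate_gss_client_init call … */
```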
@@ -181,11 +201,11 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state != NULL) { + if (state != STATE_NULL) { result = authenticate_gss_client_clean(state); free(state); - PyCObject_SetVoidPtr(pystate, NULL); + PyCObject_SetVoidPtr(pystate, STATE_NULL); } return Py_BuildValue("i", result); @@ -193,8 +213,8 @@ static PyObject *authGSSClientStep(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; char *challenge = NULL; int result = 0; @@ -209,7 +229,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -224,8 +244,8 @@ static PyObject *authGSSClientResponseConf(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -238,7 +258,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -247,8 +267,8 @@ static PyObject *authGSSServerHasDelegated(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -261,7 +281,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -270,8 +290,8 @@ static PyObject *authGSSClientResponse(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -284,7 +304,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } 
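Review bot: Replacing `state != NULL` with `state != STATE_NULL` in authGSSClientClean removes the only NULL filter. A NULL returned by `PyCObject_AsVoidPtr` would now reach `authenticate_gss_client_clean(state)`. The definition of `PyCObject_AsVoidPtr` is not in this hunk; if it maps to a capsule lookup, it returns NULL on a failed lookup, and this update adds named capsules to the module, which makes a mismatched object easier to pass by mistake. Keeping both tests costs nothing: `if (state != NULL && state != STATE_NULL) {`. The same applies to authGSSServerClean and to every `if (state == STATE_NULL)` early return in the later hunks, which would become `if (state == NULL || state == STATE_NULL)`.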
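Review bot: The `if (state == STATE_NULL) { return NULL; }` branch in authGSSClientStep returns NULL to the interpreter without setting an exception, so a context that was already cleaned surfaces as a generic SystemError instead of a clear error. Set an exception before returning, for example `PyErr_SetString(PyExc_ValueError, "GSS context has already been cleaned");`. The same bare return appears in each `state == STATE_NULL` hunk from authGSSClientResponseConf through authGSSServerTargetName. All of these function bodies start and end outside their hunks.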
@@ -293,8 +313,8 @@ static PyObject *authGSSClientUserName(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -307,7 +327,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -316,8 +336,8 @@ static PyObject *authGSSClientUnwrap(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; char *challenge = NULL; int result = 0; @@ -332,7 +352,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -347,8 +367,8 @@ static PyObject *authGSSClientWrap(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; char *challenge = NULL; char *user = NULL; int protect = 0; @@ -367,7 +387,7 @@ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -382,8 +402,8 @@ static PyObject *authGSSClientInquireCred(PyObject *self, PyObject *args) { - gss_client_state *state; - PyObject *pystate; + gss_client_state *state = NULL; + PyObject *pystate = NULL; int result = 0; if (!PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -395,7 +415,7 @@ } state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -410,8 +430,8 @@ static PyObject *authGSSServerInit(PyObject *self, PyObject *args) { const char *service = NULL; - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; int result = 0; if (! PyArg_ParseTuple(args, "s", &service)) { 
@@ -419,6 +439,11 @@ } state = (gss_server_state *) malloc(sizeof(gss_server_state)); + if (state == NULL) + { + PyErr_NoMemory(); + return NULL; + } pystate = PyCObject_FromVoidPtr(state, NULL); result = authenticate_gss_server_init(service, state); @@ -432,8 +457,8 @@ static PyObject *authGSSServerClean(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; int result = 0; if (! PyArg_ParseTuple(args, "O", &pystate)) { @@ -447,11 +472,11 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state != NULL) { + if (state != STATE_NULL) { result = authenticate_gss_server_clean(state); free(state); - PyCObject_SetVoidPtr(pystate, NULL); + PyCObject_SetVoidPtr(pystate, STATE_NULL); } return Py_BuildValue("i", result); @@ -459,8 +484,8 @@ static PyObject *authGSSServerStep(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; char *challenge = NULL; int result = 0; @@ -475,7 +500,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -490,8 +515,8 @@ static PyObject *authGSSServerStoreDelegate(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; int result = 0; if (! PyArg_ParseTuple(args, "O", &pystate)) { @@ -505,7 +530,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -520,8 +545,8 @@ static PyObject *authGSSServerResponse(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; 
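Review bot: The result of `PyCObject_FromVoidPtr(state, NULL)` in authGSSServerInit is still not checked, even though the hunk now checks the malloc directly above it. If the wrapper object cannot be created, `state` is leaked and a NULL `pystate` is carried into the code that builds the return value (outside this hunk). Adding `if (pystate == NULL) { free(state); return NULL; }` right after the call covers it. The authGSSClientInit hunk has the same pattern. Because the destructor argument is NULL in both places, a context dropped without calling the matching Clean function presumably never frees `state`; that is worth a comment at the call site.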
@@ -534,7 +559,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -543,8 +568,8 @@ static PyObject *authGSSServerUserName(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -557,7 +582,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -566,8 +591,8 @@ static PyObject *authGSSServerCacheName(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -580,7 +605,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } @@ -589,8 +614,8 @@ static PyObject *authGSSServerTargetName(PyObject *self, PyObject *args) { - gss_server_state *state; - PyObject *pystate; + gss_server_state *state = NULL; + PyObject *pystate = NULL; if (! PyArg_ParseTuple(args, "O", &pystate)) { return NULL; @@ -603,7 +628,7 @@ state = (gss_server_state *)PyCObject_AsVoidPtr(pystate); - if (state == NULL) { + if (state == STATE_NULL) { return NULL; } 
@@ -808,6 +833,12 @@ PyDict_SetItemString( d, "GSS_C_TRANS_FLAG", PyInt_FromLong(GSS_C_TRANS_FLAG) ); + PyDict_SetItemString( + d, "GSS_MECH_OID_KRB5", PyCapsule_New(&krb5_mech_oid, "kerberos.GSS_MECH_OID_KRB5", NULL) + ); + PyDict_SetItemString( + d, "GSS_MECH_OID_SPNEGO", PyCapsule_New(&spnego_mech_oid, "kerberos.GSS_MECH_OID_SPNEGO", NULL) + ); error: if (PyErr_Occurred()) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberosbasic.c new/kerberos-1.2.5/src/kerberosbasic.c --- old/kerberos-1.2.2/src/kerberosbasic.c 2015-03-26 22:33:16.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberosbasic.c 2016-01-25 18:51:33.000000000 +0100 @@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -76,6 +76,12 @@ name = NULL; name = (char *)malloc(256); + if (name == NULL) + { + PyErr_NoMemory(); + ret = 0; + goto end; + } p = strchr(user, '@'); if (p == NULL) { snprintf(name, 256, "%s@%s", user, default_realm); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberosbasic.h new/kerberos-1.2.5/src/kerberosbasic.h --- old/kerberos-1.2.2/src/kerberosbasic.h 2015-03-26 22:33:48.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberosbasic.h 2016-01-25 18:51:33.000000000 +0100 
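Review bot: In the hunk at `@@ -808,6 +833,12 @@`, each `PyCapsule_New(...)` result is passed straight into `PyDict_SetItemString`, which does not take ownership of the value, so the capsule's initial reference is never released and a NULL from a failed allocation is handed to the dict unchecked. Holding the capsule in a local, jumping to the existing `error` label on NULL, and releasing it after insertion avoids both. The `PyInt_FromLong` entry just above follows the same pattern, so this may be better fixed for the whole table; the function body extends beyond the hunk.
```c
    /* … unchanged: GSS_C_* flag entries … */
    PyObject *oid = PyCapsule_New(&krb5_mech_oid, "kerberos.GSS_MECH_OID_KRB5", NULL);
    if (oid == NULL) {
        goto error;
    }
    PyDict_SetItemString(d, "GSS_MECH_OID_KRB5", oid);
    Py_DECREF(oid);

    oid = PyCapsule_New(&spnego_mech_oid, "kerberos.GSS_MECH_OID_SPNEGO", NULL);
    if (oid == NULL) {
        goto error;
    }
    PyDict_SetItemString(d, "GSS_MECH_OID_SPNEGO", oid);
    Py_DECREF(oid);

error:
```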
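Review bot: In the kerberosbasic.c hunk at `@@ -76,6 +76,12 @@`, the `snprintf(name, 256, "%s@%s", user, default_realm)` that follows the new allocation check still ignores its return value, so an over-long user or realm is silently truncated and the shortened string is presumably what is then treated as the principal. Capturing the result and failing on truncation would reject such input instead, e.g. `int n = snprintf(name, 256, "%s@%s", user, default_realm); if (n < 0 || n >= 256) { ret = 0; goto end; }`, with an exception set as the function's other failure paths do. The `snprintf(name, 256, "%s", user)` in the kerberospw.c hunk at `@@ -104,6 +105,11 @@`, whose result goes to `krb5_parse_name`, has the same gap. Both functions continue outside their hunks, so what `end` cleans up is not visible.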
@@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberosgss.c new/kerberos-1.2.5/src/kerberosgss.c --- old/kerberos-1.2.2/src/kerberosgss.c 2015-03-27 02:07:57.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberosgss.c 2016-01-25 18:51:33.000000000 +0100 @@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -93,6 +93,10 @@ if (strncmp(pname, match, match_len) == 0) { result = malloc(strlen(pname) + 1); + if (result == NULL) { + PyErr_NoMemory(); + goto end; + } strcpy(result, pname); krb5_free_unparsed_name(kcontext, pname); krb5_free_keytab_entry_contents(kcontext, &entry); @@ -124,7 +128,7 @@ int authenticate_gss_client_init( const char* service, const char* principal, long int gss_flags, - gss_server_state* delegatestate, gss_client_state* state + gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state ) { OM_uint32 maj_stat; @@ -134,6 +138,7 @@ int ret = AUTH_GSS_COMPLETE; state->server_name = GSS_C_NO_NAME; + state->mech_oid = mech_oid; state->context = GSS_C_NO_CONTEXT; state->gss_flags = gss_flags; state->client_creds = GSS_C_NO_CREDENTIAL; @@ -245,6 +250,12 @@ if (challenge && *challenge) { size_t len; input_token.value = base64_decode(challenge, &len); + if (input_token.value == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } input_token.length = len; } 
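Review bot: In the kerberosgss.c hunk at `@@ -93,6 +93,10 @@`, the new `goto end` on allocation failure skips the `krb5_free_unparsed_name(kcontext, pname)` and `krb5_free_keytab_entry_contents(kcontext, &entry)` calls that the success path makes just below, so both would leak unless the `end` label frees them. Releasing them before the jump, `krb5_free_unparsed_name(kcontext, pname); krb5_free_keytab_entry_contents(kcontext, &entry); goto end;`, keeps the two paths symmetric. The `end` label and the rest of the function are outside the hunk.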
@@ -255,7 +266,7 @@ state->client_creds, &state->context, state->server_name, - GSS_C_NO_OID, + state->mech_oid, (OM_uint32)state->gss_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, @@ -276,7 +287,12 @@ ret = (maj_stat == GSS_S_COMPLETE) ? AUTH_GSS_COMPLETE : AUTH_GSS_CONTINUE; // Grab the client response to send back to the server if (output_token.length) { - state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);; + state->response = base64_encode((const unsigned char *)output_token.value, output_token.length); + if (state->response == NULL) { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } maj_stat = gss_release_buffer(&min_stat, &output_token); } @@ -294,15 +310,25 @@ name_token.length = 0; maj_stat = gss_display_name(&min_stat, gssuser, &name_token, NULL); if (GSS_ERROR(maj_stat)) { - if (name_token.value) + if (name_token.value) { gss_release_buffer(&min_stat, &name_token); + } gss_release_name(&min_stat, &gssuser); set_gss_error(maj_stat, min_stat); ret = AUTH_GSS_ERROR; goto end; } else { + if (state->username != NULL) { + free(state->username); + state->username = NULL; + } state->username = (char *)malloc(name_token.length + 1); + if (state->username == NULL) { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } strncpy(state->username, (char*) name_token.value, name_token.length); state->username[name_token.length] = 0; gss_release_buffer(&min_stat, &name_token); @@ -341,6 +367,11 @@ if (challenge && *challenge) { size_t len; input_token.value = base64_decode(challenge, &len); + if (input_token.value == NULL) { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } input_token.length = len; } @@ -367,6 +398,12 @@ state->response = base64_encode( (const unsigned char *)output_token.value, output_token.length ); + if (state->response == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } state->responseConf = conf; maj_stat = gss_release_buffer(&min_stat, &output_token); } 
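Review bot: In the hunk at `@@ -294,15 +310,25 @@`, the new out-of-memory branch for `state->username` jumps to `end` without releasing `name_token` or `gssuser`, whereas the GSS_ERROR branch just above releases both before its own `goto end`, which suggests `end` does not do it. Adding `gss_release_buffer(&min_stat, &name_token); gss_release_name(&min_stat, &gssuser);` before `PyErr_NoMemory();` would close the leak. Separately, the `if (state->username != NULL)` guard around `free` is redundant, since `free(NULL)` is a no-op. The function's start and its `end` label are outside the hunk.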
@@ -402,6 +439,12 @@ if (challenge && *challenge) { size_t len; input_token.value = base64_decode(challenge, &len); + if (input_token.value == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } input_token.length = len; } @@ -451,7 +494,12 @@ } // Grab the client response to send back to the server if (output_token.length) { - state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);; + state->response = base64_encode((const unsigned char *)output_token.value, output_token.length); + if (state->response == NULL) { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } maj_stat = gss_release_buffer(&min_stat, &output_token); } @@ -471,6 +519,11 @@ gss_name_t name = GSS_C_NO_NAME; int ret = AUTH_GSS_COMPLETE; + // Check whether credentials have already been obtained. + if (state->username != NULL) { + goto end; + } + // Get credentials maj_stat = gss_acquire_cred( &min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE, @@ -502,17 +555,25 @@ goto end; } - state->username = strndup(name_token.value, name_token.length); - if (!state->username) { - set_gss_error(GSS_S_FAILURE, ENOMEM); + state->username = (char *)malloc(name_token.length + 1); + if (state->username == NULL) { + PyErr_NoMemory(); ret = AUTH_GSS_ERROR; + goto end; } + strncpy(state->username, (char*) name_token.value, name_token.length); + state->username[name_token.length] = 0; end: - (void)gss_release_cred(&min_stat, &client_creds); - (void)gss_release_buffer(&min_stat, &name_token); - (void)gss_release_name(&min_stat, &name); - + if (client_creds != GSS_C_NO_CREDENTIAL) { + gss_release_cred(&min_stat, &client_creds); + } + if (name_token.length) { + gss_release_buffer(&min_stat, &name_token); + } + if (name != GSS_C_NO_NAME) { + gss_release_name(&min_stat, &name); + } return ret; } 
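Review bot: In the cleanup under `end:` in the hunk at `@@ -502,17 +555,25 @@`, the release of `name_token` is now conditioned on `name_token.length`, while the hunk at `@@ -294,15 +310,25 @@` tests `name_token.value` for the same purpose; a buffer with a non-NULL value and zero length would be skipped here. Testing the pointer, `if (name_token.value) {`, would be consistent. The new early `goto end` at `@@ -471,6 +519,11 @@` also reaches these checks before any GSS call, so it relies on `client_creds` and `name_token` being initialised at their declarations, which are outside the hunk.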
@@ -532,29 +593,35 @@ state->targetname = NULL; state->response = NULL; state->ccname = NULL; + int cred_usage = GSS_C_ACCEPT; // Server name may be empty which means we aren't going to create our own creds size_t service_len = strlen(service); if (service_len != 0) { // Import server name first - name_token.length = strlen(service); - name_token.value = (char *)service; + if (strcmp(service, "DELEGATE") == 0) { + cred_usage = GSS_C_BOTH; + } + else { + name_token.length = strlen(service); + name_token.value = (char *)service; - maj_stat = gss_import_name( - &min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, - &state->server_name - ); + maj_stat = gss_import_name( + &min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, + &state->server_name + ); - if (GSS_ERROR(maj_stat)) { - set_gss_error(maj_stat, min_stat); - ret = AUTH_GSS_ERROR; - goto end; - } + if (GSS_ERROR(maj_stat)) { + set_gss_error(maj_stat, min_stat); + ret = AUTH_GSS_ERROR; + goto end; + } + } // Get credentials maj_stat = gss_acquire_cred( - &min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, - GSS_C_BOTH, &state->server_creds, NULL, NULL + &min_stat, state->server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + cred_usage, &state->server_creds, NULL, NULL ); if (GSS_ERROR(maj_stat)) { @@ -630,6 +697,12 @@ if (challenge && *challenge) { size_t len; input_token.value = base64_decode(challenge, &len); + if (input_token.value == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } input_token.length = len; } else { PyErr_SetString( @@ -665,7 +738,13 @@ if (output_token.length) { state->response = base64_encode( (const unsigned char *)output_token.value, output_token.length - );; + ); + if (state->response == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } maj_stat = gss_release_buffer(&min_stat, &output_token); } 
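Review bot: The literal `"DELEGATE"` compared against `service` in the hunk at `@@ -532,29 +593,35 @@` is an undocumented in-band sentinel: it skips `gss_import_name` and widens `cred_usage` from `GSS_C_ACCEPT` to `GSS_C_BOTH`, and nothing in the code records that. A comment above the `strcmp`, such as `// "DELEGATE" is reserved: no service name is imported and credentials are acquired for both accept and initiate`, would document it, and a named constant would make the reserved value discoverable. In that branch `gss_acquire_cred` receives `state->server_name` as initialised earlier in the function, which is outside the hunk. `cred_usage` could also be declared as `gss_cred_usage_t` to match the parameter it is passed to.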
@@ -679,6 +758,12 @@ goto end; } state->username = (char *)malloc(output_token.length + 1); + if (state->username == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } strncpy(state->username, (char*) output_token.value, output_token.length); state->username[output_token.length] = 0; @@ -703,6 +788,12 @@ goto end; } state->targetname = (char *)malloc(output_token.length + 1); + if (state->targetname == NULL) + { + PyErr_NoMemory(); + ret = AUTH_GSS_ERROR; + goto end; + } strncpy( state->targetname, (char*) output_token.value, output_token.length ); @@ -906,6 +997,10 @@ } state->ccname = (char *)malloc(32*sizeof(char)); + if (state->ccname == NULL) { + PyErr_NoMemory(); + return 1; + } strcpy(state->ccname, ccname); return ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberosgss.h new/kerberos-1.2.5/src/kerberosgss.h --- old/kerberos-1.2.2/src/kerberosgss.h 2015-03-27 00:15:29.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberosgss.h 2016-01-25 18:51:33.000000000 +0100 @@ -1,5 +1,5 @@ /** - * Copyright (c) 2006-2015 Apple Inc. All rights reserved. + * Copyright (c) 2006-2016 Apple Inc. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +31,7 @@ typedef struct { gss_ctx_id_t context; gss_name_t server_name; + gss_OID mech_oid; long int gss_flags; gss_cred_id_t client_creds; char* username; 
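Review bot: In the hunk at `@@ -906,6 +997,10 @@`, `strcpy(state->ccname, ccname)` writes into a fixed 32-byte allocation with no length check, so the copy is only safe if `ccname` can never exceed 31 characters; its declaration is outside the hunk. Bounding the copy removes that dependency, e.g. `snprintf(state->ccname, 32, "%s", ccname);`. The new failure path also returns the literal `1` rather than going through `ret`, so it is worth confirming that callers treat `1` as an error here.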
@@ -54,7 +55,7 @@ int authenticate_gss_client_init( const char* service, const char* principal, long int gss_flags, - gss_server_state* delegatestate, gss_client_state* state + gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state ); int authenticate_gss_client_clean( gss_client_state *state diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kerberos-1.2.2/src/kerberospw.c new/kerberos-1.2.5/src/kerberospw.c --- old/kerberos-1.2.2/src/kerberospw.c 2015-03-26 22:53:06.000000000 +0100 +++ new/kerberos-1.2.5/src/kerberospw.c 2016-01-25 18:51:33.000000000 +0100 @@ -86,6 +86,7 @@ krb5_principal client = NULL; krb5_creds creds; int ret = 0; + int bytes = 0; char *name = NULL; const char* service = "kadmin/changepw"; @@ -104,6 +105,11 @@ } name = (char *)malloc(256); + if (name == NULL) + { + PyErr_NoMemory(); + goto end; + } snprintf(name, 256, "%s", user); code = krb5_parse_name(kcontext, name, &client); @@ -125,18 +131,25 @@ } if (result_code) { char *message = NULL; - asprintf( + bytes = asprintf( &message, "%.*s: %.*s", (int) result_code_string.length, (char *) result_code_string.data, (int) result_string.length, (char *) result_string.data ); - PyErr_SetObject( - PwdChangeException_class, - Py_BuildValue("((s:i))", message, result_code) - ); - free(message); + if (bytes == -1) + { + PyErr_NoMemory(); + } + else + { + PyErr_SetObject( + PwdChangeException_class, + Py_BuildValue("((s:i))", message, result_code) + ); + free(message); + } goto end; }
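Review bot: In the kerberospw.c hunk at `@@ -125,18 +131,25 @@`, the tuple built by `Py_BuildValue("((s:i))", message, result_code)` is passed directly to `PyErr_SetObject`, which does not take ownership of it, so the tuple's reference is never released; a NULL result from `Py_BuildValue` is also passed on unchecked. Keeping it in a local and releasing it afterwards fixes both: `PyObject *v = Py_BuildValue("((s:i))", message, result_code); if (v != NULL) { PyErr_SetObject(PwdChangeException_class, v); Py_DECREF(v); }`. The function starts and ends outside the hunk.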