auth: check for keytab before using in akimpersonate
authorD Brashear <shadow@your-file-system.com>
Wed, 16 Apr 2014 14:35:57 +0000 (10:35 -0400)
committerStephan Wiesand <stephan.wiesand@desy.de>
Tue, 12 Aug 2014 17:23:13 +0000 (13:23 -0400)
Heimdal 1.5.2 happily tries to dereference a keytab file even if
none is there. If we have a FILE: type, stat it before use

1.6 only change: master uses KeyFileExt

FIXES 131852

Change-Id: I939eb9e47d2dbbef75c2a64724fdb9111f600150
Reviewed-on: http://gerrit.openafs.org/11075
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
src/auth/akimpersonate.c

index d5222044deb832a393f1fdf5d354adadddef714f..1ecf71e664c472cc879c17f346a83fdc7a737824 100644 (file)
@@ -68,6 +68,9 @@
 #define KERBEROS_APPLE_DEPRECATED(x)
 #include <krb5.h>
 
+#include <string.h>
+#include <sys/stat.h>
+
 #include "akimpersonate.h"
 #include "akimpersonate_v5gen.h"
 
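Review bot: The new code in get_credv5_akimpersonate calls strdup, malloc and free and assigns ENOMEM, but this hunk adds only `<string.h>` and `<sys/stat.h>`; unless `<stdlib.h>` and `<errno.h>` are already included above line 68 (outside the hunk), the build is relying on krb5.h to pull them in transitively. Adding `#include <errno.h>` and `#include <stdlib.h>` next to the two new includes keeps the file self-contained. strdup is POSIX rather than ISO C, so its declaration presumably also depends on the feature-test macros the OpenAFS build sets.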
@@ -680,6 +683,9 @@ get_credv5_akimpersonate(krb5_context context, char* keytab,
                         time_t endtime, const int *allowed_enctypes,
                         krb5_creds** out_creds /* out */ )
 {
+    char *tmpkt = NULL;
+    struct stat tstat;
+    char *ktname = NULL;
     krb5_error_code code;
     krb5_keytab kt = 0;
     krb5_keytab_entry entry[1];
@@ -719,10 +725,31 @@ get_credv5_akimpersonate(krb5_context context, char* keytab,
     if (allowed_enctypes == NULL)
         allowed_enctypes = any_enctype;
 
-    if (keytab != NULL)
-      code = krb5_kt_resolve(context, keytab, &kt);
-    else
-      code = krb5_kt_default(context, &kt);
+    if (keytab != NULL) {
+       tmpkt = strdup(keytab);
+       if (!tmpkt)
+           code = ENOMEM;
+    } else {
+       tmpkt = malloc(256);
+       if (!tmpkt)
+           code = ENOMEM;
+       else
+           code = krb5_kt_default_name(context, tmpkt, 256);
+    }
+    if (code)
+       goto cleanup;
+
+    if (strncmp(tmpkt, "WRFILE:", 7) == 0)
+       ktname = &(tmpkt[7]);
+    else if (strncmp(tmpkt, "FILE:", 5) == 0)
+       ktname = &(tmpkt[5]);
+
+    if (ktname && (stat(ktname, &tstat) != 0)) {
+       code = KRB5_KT_NOTFOUND;
+       goto cleanup;
+    }
+
+    code = krb5_kt_resolve(context, tmpkt, &kt);
     if (code != 0)
         goto cleanup;
 
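Review bot: On the success path of the `keytab != NULL` branch, `code` is never assigned before `if (code) goto cleanup;` reads it — a successful strdup leaves the variable untouched, and its declaration in the previous hunk (`krb5_error_code code;`) has no initializer, so unless an earlier statement of the function (outside this hunk) sets it to 0, the goto is decided by an indeterminate value; `code = tmpkt ? 0 : ENOMEM;` in that branch removes the dependency. A second gap: a keytab name with no type prefix is not stat'ed at all, although as far as I know both Heimdal and MIT treat a prefix-less name as a FILE keytab, so the crash this commit guards against stays reachable for plain paths; `else if (strchr(tmpkt, ':') == NULL) ktname = tmpkt;` would cover that case. The stat is only a pre-check rather than a guarantee — the file can still disappear before krb5_kt_resolve opens it — which is worth a one-line comment above the stat so nobody later reads it as the real existence check. The 256 in the malloc and krb5_kt_default_name calls would also read better as a named constant. The enclosing function starts and ends outside this hunk.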
@@ -758,6 +785,8 @@ get_credv5_akimpersonate(krb5_context context, char* keytab,
     *out_creds = creds;
     creds = NULL;
 cleanup:
+    if (tmpkt)
+       free(tmpkt);
     if (deref_enc_data(&ticket_reply->enc_part) != NULL)
         free(deref_enc_data(&ticket_reply->enc_part));
     krb5_free_keytab_entry_contents(context, entry);