bd3a05a Ticket 49972 - use-after-free in case of several parallel krb authentication

Authored and Committed by tbordaz 5 years ago
    Ticket 49972 - use-after-free in case of several parallel krb authentication
    
    Bug Description:
    	When several threads (RA) authenticate to the same host at the same time,
    	there is a good chance they will share the same credential cache.
    	If one authentication fails, the thread will clear the cache (krb5_cc_destroy)
    	although other threads may still use it.
    
    Fix Description:
    	The best approach is to drop using krb5 functions and use gssapi.
    	It is quite an intrusive change, and the simplest temporary fix will serialize
    	all krb5 calls.
    
    	During initialization of the interaction structure (sasl), if using gssapi mechanism,
    	the calls to krb5 functions are serialized with a lock.
    	Then the lock is released for the authentication and cleanup.
    	Cleanup needs to be serialized as well as it calls krb5_cc_destroy.
    
    	The fix consists of acquiring the lock over initialization/authentication/cleanup.
    	So only one RA can authenticate at the same time.
    
    https://pagure.io/389-ds-base/issue/49972
    
    Reviewed by: Robbie Harwood, William Brown (many thanks for your reviews!!)
    
    Platforms tested: F27 & F28
    
    Flag Day: no
    
    Doc impact: no
    
        
file modified
+45 -33
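
A model of the interleaving the commit message describes, as an added example that is not part of the commit or of the 389-ds-base code. It makes no krb5 calls; the `ra` struct, the generation counter and the round-robin scheduler are constructed for illustration. It shows a cache destroyed after one failed authentication being used by a second agreement, and that holding one lock across initialization, authentication and cleanup closes that window.

```c
#include <stdio.h>
/* Constructed model, no real krb5 calls: every agreement (RA) shares one
 * credential cache; cache_gen is bumped whenever that cache is destroyed. */
enum { INIT, AUTH, CLEANUP, DONE };
struct ra { int phase, seen_gen, auth_left, fails; };
static int cache_gen, lock_owner;  /* lock_owner: RA index, or -1 if free */

/* Run one step of RA i; returns 1 if it used a destroyed cache. */
static int step(struct ra *r, int i, int serialize)
{
    int stale = 0;
    if (serialize && lock_owner != -1 && lock_owner != i)
        return 0;                       /* blocked by another RA */
    switch (r->phase) {
    case INIT:                          /* resolve the shared cache */
        if (serialize) lock_owner = i;
        r->seen_gen = cache_gen;
        break;
    case AUTH:                          /* one round trip using the cache */
        stale = (r->seen_gen != cache_gen);
        if (--r->auth_left > 0) return stale;
        break;
    case CLEANUP:                       /* failed auth destroys the cache */
        if (r->fails) cache_gen++;
        if (serialize) lock_owner = -1;
        break;
    }
    r->phase++;
    return stale;
}

/* Round-robin RA 0 (fails at once) and RA 1 (two round trips, succeeds). */
int stale_uses(int serialize)
{
    struct ra ras[2] = { { INIT, 0, 1, 1 }, { INIT, 0, 2, 0 } };
    int stale = 0;
    cache_gen = 0;
    lock_owner = -1;
    while (ras[0].phase != DONE || ras[1].phase != DONE)
        for (int i = 0; i < 2; i++)
            if (ras[i].phase != DONE)
                stale += step(&ras[i], i, serialize);
    return stale;
}

int main(void)
{
    printf("no lock: %d stale use(s), lock held throughout: %d\n", stale_uses(0), stale_uses(1));
    return 0;
}
```

In the model, releasing the lock after the `INIT` step would leave the unlocked result unchanged, because the destroy in `CLEANUP` could still land between the other agreement's two `AUTH` steps.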