Ticket 49972 - use-after-free in case of several parallel krb authentication
Bug Description:
When several threads (RA) authenticates to the same host and at the same time
There is a good chance they will share the same credential cache.
If one authentication fails, the thread will clear the cache (krb5_cc_destroy)
although others threads may still use it.
Fix Description:
The best approach is to drop using krb5 function and use gssapi.
It is a quite intrusive change and a simplest temporary fix will serialize
all krb5 calls.
During initialization of the interaction structure (sasl), if using gssapi mechanism,
the calls to krb5 functions are serialized with a lock.
Then the lock is released for the authentication and cleanup.
Cleanup needs to be serialized as well as it calls krb5_cc_destroy.
The fix consist to acquire the lock over initialization/authentication/cleanup.
So only one RA can authenticate at the same time.
https://pagure.io/389-ds-base/issue/49972
Reviewed by: Robbie Harwood, William Brown (many thanks for your reviews !!)
Platforms tested: F27 & F28
Flag Day: no
Doc impact: no