Fix flags handling in gss_init_sec_context()

- resolves: https://fedorahosted.org/gss-proxy/ticket/106 Fix OID handling in gss_inquire_cred_by_mech() - resolves: https://fedorahosted.org/gss-proxy/ticket/107
2013-11-19 14:18:28 +01:00 · 2013-11-19 14:18:28 +01:00 · 349bd3c1c3
commit 349bd3c1c3
parent ecfa34db00
3 changed files with 234 additions and 1 deletions
--- a/gssproxy-0.3.0-gss_init_sec_context.patch
+++ b/gssproxy-0.3.0-gss_init_sec_context.patch
@ -0,0 +1,36 @@
+From cc538c36ca32850e0b3280b7d8524d23345eed9e Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 13 Nov 2013 17:57:06 -0500
+Subject: [PATCH 1/3] Preserve requested flags and lifetime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These arguments have been accidentally forgotten causing failures for
+applications that specify non default flags and non indefinite lifetime.
+
+https://fedorahosted.org/gss-proxy/ticket/106
+
+Reviewed-by: Günther Deschner <gdeschner@redhat.com>
+---
+ proxy/src/client/gpm_init_sec_context.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
+index 12df858..b6ce34f 100644
+--- a/proxy/src/client/gpm_init_sec_context.c
+++ b/proxy/src/client/gpm_init_sec_context.c
+@@ -70,6 +70,9 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
+         goto done;
+     }
+ 
+    arg->req_flags = req_flags;
+    arg->time_req = time_req;
+
+     if (input_cb) {
+         ret = gp_conv_cb_to_gssx_alloc(input_cb, &arg->input_cb);
+         if (ret) {
+-- 
+1.8.3.1
+
+
--- a/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
+++ b/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
@ -0,0 +1,186 @@
+From 122b35f7adf37bc81f6d53bb5f9e058b68334cbb Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 13 Nov 2013 18:12:44 -0500
+Subject: [PATCH 2/3] Add way to return regular oid from special
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In some cases we need to pass on the corresponding real oid, after we
+are given a special oid.
+Add helper functions to do that.
+
+https://fedorahosted.org/gss-proxy/ticket/107
+
+Reviewed-by: Günther Deschner <gdeschner@redhat.com>
+---
+ proxy/src/mechglue/gss_plugin.c | 55 +++++++++++++++++++++++++++++++----------
+ proxy/src/mechglue/gss_plugin.h |  1 +
+ 2 files changed, 43 insertions(+), 13 deletions(-)
+
+diff --git a/proxy/src/mechglue/gss_plugin.c b/proxy/src/mechglue/gss_plugin.c
+index 0e62990..5b40df9 100644
+--- a/proxy/src/mechglue/gss_plugin.c
+++ b/proxy/src/mechglue/gss_plugin.c
+@@ -176,7 +176,8 @@ static bool gpp_special_equal(const gss_OID s, const gss_OID n)
+ }
+ 
+ struct gpp_special_oid_list {
+-    gss_OID_desc oid;
+    gss_OID_desc regular_oid;
+    gss_OID_desc special_oid;
+     struct gpp_special_oid_list *next;
+     sig_atomic_t next_is_set;
+ };
+@@ -250,19 +251,25 @@ static const gss_OID gpp_new_special_mech(const gss_OID n)
+     if (!item) {
+         return GSS_C_NO_OID;
+     }
+-    item->oid.length = base->length + n->length;
+-    item->oid.elements = malloc(item->oid.length);
+-    if (!item->oid.elements) {
+    item->regular_oid.length = n->length;
+    item->regular_oid.elements = malloc(n->length);
+    item->special_oid.length = base->length + n->length;
+    item->special_oid.elements = malloc(item->special_oid.length);
+    if (!item->regular_oid.elements ||
+        !item->special_oid.elements) {
+        free(item->regular_oid.elements);
+        free(item->special_oid.elements);
+         free(item);
+         return GSS_C_NO_OID;
+     }
+ 
+-    memcpy(item->oid.elements, base->elements, base->length);
+-    memcpy(item->oid.elements + base->length, n->elements, n->length);
+    memcpy(item->regular_oid.elements, n->elements, n->length);
+    memcpy(item->special_oid.elements, base->elements, base->length);
+    memcpy(item->special_oid.elements + base->length, n->elements, n->length);
+ 
+     gpp_add_special_oids(item);
+ 
+-    return (const gss_OID)&item->oid;
+    return (const gss_OID)&item->special_oid;
+ }
+ 
+ const gss_OID gpp_special_mech(const gss_OID mech_type)
+@@ -278,14 +285,14 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
+     if (mech_type == GSS_C_NO_OID) {
+         /* return the first special one if none specified */
+         if (item) {
+-            return (const gss_OID)&item->oid;
+            return (const gss_OID)&item->special_oid;
+         }
+         return GSS_C_NO_OID;
+     }
+ 
+     while (item) {
+-        if (gpp_special_equal(&item->oid, mech_type)) {
+-            return (const gss_OID)&item->oid;
+        if (gpp_special_equal(&item->special_oid, mech_type)) {
+            return (const gss_OID)&item->special_oid;
+         }
+         item = gpp_next_special_oids(item);
+     }
+@@ -294,6 +301,26 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
+     return gpp_new_special_mech(mech_type);
+ }
+ 
+const gss_OID gpp_unspecial_mech(const gss_OID mech_type)
+{
+    struct gpp_special_oid_list *item = NULL;
+
+    if (!gpp_is_special_oid(mech_type)) {
+        return mech_type;
+    }
+
+    item = gpp_get_special_oids();
+    while (item) {
+        if (gss_oid_equal(&item->special_oid, mech_type)) {
+            return (const gss_OID)&item->regular_oid;
+        }
+        item = gpp_next_special_oids(item);
+    }
+
+    /* none matched */
+    return mech_type;
+}
+
+ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ {
+     gss_OID_set amechs = GSS_C_NO_OID_SET;
+@@ -318,8 +345,9 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+                 }
+                 break;
+             }
+-            if (gpp_special_equal(&item->oid, &mechs->elements[i])) {
+-                maj = gss_add_oid_set_member(&min, &item->oid, &amechs);
+            if (gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
+                maj = gss_add_oid_set_member(&min, &item->special_oid,
+                                             &amechs);
+                 if (maj != GSS_S_COMPLETE) {
+                     goto done;
+                 }
+@@ -362,7 +390,8 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
+     item = gpp_get_special_oids();
+ 
+     while (item) {
+-        if (&item->oid == *oid) {
+        if ((&item->regular_oid == *oid) ||
+            (&item->special_oid == *oid)) {
+             *oid = GSS_C_NO_OID;
+             return GSS_S_COMPLETE;
+         }
+diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
+index 26e04c5..739ec26 100644
+--- a/proxy/src/mechglue/gss_plugin.h
+++ b/proxy/src/mechglue/gss_plugin.h
+@@ -78,6 +78,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type);
+ enum gpp_behavior gpp_get_behavior(void);
+ bool gpp_is_special_oid(const gss_OID mech_type);
+ const gss_OID gpp_special_mech(const gss_OID mech_type);
+const gss_OID gpp_unspecial_mech(const gss_OID mech_type);
+ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs);
+ uint32_t gpp_map_error(uint32_t err);
+ uint32_t gpp_unmap_error(uint32_t err);
+-- 
+1.8.3.1
+
+
+From b8901d1d20a5d0ef1a3118bfe5816e04c09e6cf5 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 13 Nov 2013 18:13:44 -0500
+Subject: [PATCH 3/3] Fix calling gpm_inquire_cred_by_mech
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need to pass the real mechanism oid here, not the spcial oid.
+special oids are used exclusively by the interposer and gssapi
+machinery that calls the interposer, they must never be propagated
+to clients or servers.
+
+https://fedorahosted.org/gss-proxy/ticket/107
+
+Reviewed-by: Günther Deschner <gdeschner@redhat.com>
+---
+ proxy/src/mechglue/gpp_creds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
+index aaaf577..dff9c44 100644
+--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
+@@ -213,7 +213,8 @@ OM_uint32 gssi_inquire_cred_by_mech(OM_uint32 *minor_status,
+                                        initiator_lifetime, acceptor_lifetime,
+                                        cred_usage);
+     } else if (cred->remote) {
+-        maj = gpm_inquire_cred_by_mech(&min, cred->remote, mech_type,
+        maj = gpm_inquire_cred_by_mech(&min, cred->remote,
+                                       gpp_unspecial_mech(mech_type),
+                                        gpname ? &gpname->remote : NULL,
+                                        initiator_lifetime, acceptor_lifetime,
+                                        cred_usage);
+-- 
+1.8.3.1
+
--- a/gssproxy.spec
+++ b/gssproxy.spec
@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.3.0
-Release:	0%{?dist}
+Release:	1%{?dist}
 Summary:	GSSAPI Proxy

 Group:		System Environment/Libraries
@ -8,6 +8,8 @@ License:	MIT
 URL:		http://fedorahosted.org/gss-proxy
 Source0:	http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0:		gssproxy-0.3.0-gss_init_sec_context.patch
+Patch1:		gssproxy-0.3.0-gss_inquire_cred_by_mech.patch

 %global servicename gssproxy
 %global pubconfpath %{_sysconfdir}/gssproxy
@ -52,6 +54,9 @@ A proxy for GSSAPI credential handling
 %prep
 %setup -q

+%patch0 -p2 -b .gss_init_sec_context
+%patch1 -p2 -b .gss_inquire_cred_by_mech
+
 %build
 autoreconf -f -i
 %configure \
@ -103,6 +108,12 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service

 %changelog
+* Tue Nov 19 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-1
+- Fix flags handling in gss_init_sec_context()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/106
+- Fix OID handling in gss_inquire_cred_by_mech()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/107
+
 * Wed Oct 23 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-0
 - New upstream release 0.3.0:
  * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)