import gssproxy-0.8.0-14.el8
commit
57a7786063
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/gssproxy-0.8.0.tar.gz
|
1
.gssproxy.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
51f38bd9e0adf6018e4d3008bb06311c9cd12381 SOURCES/gssproxy-0.8.0.tar.gz
|
48
SOURCES/Add-a-safety-timeout-to-epoll.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From b4b7e3fc0f2008967202f2453e9c33b378e7a000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Wed, 6 Mar 2019 10:36:11 -0500
|
||||||
|
Subject: [PATCH] Add a safety timeout to epoll
|
||||||
|
|
||||||
|
Add a safety timeout just in case something goes wrong with the use of
|
||||||
|
timerfd. This way the process should't be stuck forever.
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
[rharwood@redhat.com: remove outdated comment]
|
||||||
|
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Merges: #241
|
||||||
|
(cherry picked from commit d55be9fa2455fe52b6eb904ad427f22141ab3f26)
|
||||||
|
(cherry picked from commit a494f23b6d8d43fe1a824cd69c3dd93a18fc75a1)
|
||||||
|
---
|
||||||
|
src/client/gpm_common.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
|
||||||
|
index 36df5cc..808f350 100644
|
||||||
|
--- a/src/client/gpm_common.c
|
||||||
|
+++ b/src/client/gpm_common.c
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
#define FRAGMENT_BIT (1 << 31)
|
||||||
|
|
||||||
|
#define RESPONSE_TIMEOUT 15
|
||||||
|
+#define SAFETY_TIMEOUT RESPONSE_TIMEOUT * 10 * 1000
|
||||||
|
#define MAX_TIMEOUT_RETRY 3
|
||||||
|
|
||||||
|
struct gpm_ctx {
|
||||||
|
@@ -291,7 +292,7 @@ static int gpm_epoll_wait(struct gpm_ctx *gpmctx, uint32_t event_flags)
|
||||||
|
}
|
||||||
|
|
||||||
|
do {
|
||||||
|
- epoll_ret = epoll_wait(gpmctx->epollfd, events, 2, -1);
|
||||||
|
+ epoll_ret = epoll_wait(gpmctx->epollfd, events, 2, SAFETY_TIMEOUT);
|
||||||
|
} while (epoll_ret < 0 && errno == EINTR);
|
||||||
|
|
||||||
|
if (epoll_ret < 0) {
|
||||||
|
@@ -299,8 +300,6 @@ static int gpm_epoll_wait(struct gpm_ctx *gpmctx, uint32_t event_flags)
|
||||||
|
ret = errno;
|
||||||
|
gpm_epoll_close(gpmctx);
|
||||||
|
} else if (epoll_ret == 0) {
|
||||||
|
- /* Shouldn't happen as timeout == -1; treat it like a timeout
|
||||||
|
- * occurred. */
|
||||||
|
ret = ETIMEDOUT;
|
||||||
|
gpm_epoll_close(gpmctx);
|
||||||
|
} else if (epoll_ret == 1 && events[0].data.fd == gpmctx->timerfd) {
|
107
SOURCES/Always-choose-highest-requested-debug-level.patch
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
From d284ec7dc9fe0a824b177873078aeb36a25b7878 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Wed, 11 Apr 2018 16:15:00 -0400
|
||||||
|
Subject: [PATCH] Always choose highest requested debug level
|
||||||
|
|
||||||
|
Allowing the CLI to lower the debug level specified in a config file
|
||||||
|
is dubious, and previously broken since we don't distinguish "default
|
||||||
|
value" from "explicitly requested value of 0" in popt. This resulted
|
||||||
|
in "Debug Enabled (level: 0)" even when the log level was not actually
|
||||||
|
0, which is confusing for users.
|
||||||
|
|
||||||
|
Remove the gp_debug_args() function since it is no longer used.
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Merges: #229
|
||||||
|
(cherry picked from commit 5a714768aec776dc875237dd729c85389932a688)
|
||||||
|
---
|
||||||
|
src/gp_debug.c | 34 ++++++++--------------------------
|
||||||
|
src/gp_debug.h | 3 +--
|
||||||
|
src/gssproxy.c | 2 +-
|
||||||
|
3 files changed, 10 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_debug.c b/src/gp_debug.c
|
||||||
|
index 4a141fc..a0f51f0 100644
|
||||||
|
--- a/src/gp_debug.c
|
||||||
|
+++ b/src/gp_debug.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* Copyright (C) 2011 the GSS-PROXY contributors, see COPYING for license */
|
||||||
|
+/* Copyright (C) 2011,2018 the GSS-PROXY contributors, see COPYING for license */
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
|
#include <stdbool.h>
|
||||||
|
@@ -7,35 +7,17 @@
|
||||||
|
#include "gp_log.h"
|
||||||
|
|
||||||
|
/* global debug switch */
|
||||||
|
-int gp_debug;
|
||||||
|
-
|
||||||
|
-int gp_debug_args(int level) {
|
||||||
|
- static int args_level = 0;
|
||||||
|
-
|
||||||
|
- if (level != 0) {
|
||||||
|
- args_level = level;
|
||||||
|
- }
|
||||||
|
- return args_level;
|
||||||
|
-}
|
||||||
|
+int gp_debug = 0;
|
||||||
|
|
||||||
|
void gp_debug_toggle(int level)
|
||||||
|
{
|
||||||
|
- static bool krb5_trace_set = false;
|
||||||
|
+ if (level <= gp_debug)
|
||||||
|
+ return;
|
||||||
|
|
||||||
|
- /* Command line and environment options override config file */
|
||||||
|
- gp_debug = gp_debug_args(0);
|
||||||
|
- if (gp_debug == 0) {
|
||||||
|
- gp_debug = level;
|
||||||
|
- }
|
||||||
|
- if (level >= 3) {
|
||||||
|
- if (!getenv("KRB5_TRACE")) {
|
||||||
|
- setenv("KRB5_TRACE", "/dev/stderr", 1);
|
||||||
|
- krb5_trace_set = true;
|
||||||
|
- }
|
||||||
|
- } else if (krb5_trace_set) {
|
||||||
|
- unsetenv("KRB5_TRACE");
|
||||||
|
- krb5_trace_set = false;
|
||||||
|
- }
|
||||||
|
+ if (level >= 3 && !getenv("KRB5_TRACE"))
|
||||||
|
+ setenv("KRB5_TRACE", "/dev/stderr", 1);
|
||||||
|
+
|
||||||
|
+ gp_debug = level;
|
||||||
|
GPDEBUG("Debug Enabled (level: %d)\n", level);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/gp_debug.h b/src/gp_debug.h
|
||||||
|
index 1c2f8a3..4932bfd 100644
|
||||||
|
--- a/src/gp_debug.h
|
||||||
|
+++ b/src/gp_debug.h
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* Copyright (C) 2011 the GSS-PROXY contributors, see COPYING for license */
|
||||||
|
+/* Copyright (C) 2011,2018 the GSS-PROXY contributors, see COPYING for license */
|
||||||
|
|
||||||
|
#ifndef _GP_DEBUG_H_
|
||||||
|
#define _GP_DEBUG_H_
|
||||||
|
@@ -10,7 +10,6 @@
|
||||||
|
|
||||||
|
extern int gp_debug;
|
||||||
|
|
||||||
|
-int gp_debug_args(int level);
|
||||||
|
void gp_debug_toggle(int);
|
||||||
|
void gp_debug_printf(const char *format, ...);
|
||||||
|
void gp_debug_time_printf(const char *format, ...);
|
||||||
|
diff --git a/src/gssproxy.c b/src/gssproxy.c
|
||||||
|
index 6d36a5d..db6e89b 100644
|
||||||
|
--- a/src/gssproxy.c
|
||||||
|
+++ b/src/gssproxy.c
|
||||||
|
@@ -208,7 +208,7 @@ int main(int argc, const char *argv[])
|
||||||
|
|
||||||
|
if (opt_debug || opt_debug_level > 0) {
|
||||||
|
if (opt_debug_level == 0) opt_debug_level = 1;
|
||||||
|
- gp_debug_args(opt_debug_level);
|
||||||
|
+ gp_debug_toggle(opt_debug_level);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (opt_daemon && opt_interactive) {
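Review bot: The new early return in gp_debug_toggle makes the debug level monotonic, and that invariant deserves a comment because it is also the reason the old KRB5_TRACE unset path could be deleted: `/* The level only ever goes up: whichever of the CLI, the config file or a later reload asks for the highest level wins, so KRB5_TRACE never needs to be unset. */`. The two added `if` bodies are unbraced while the removed code braced its single-statement bodies (`if (level != 0) {`), so `if (level <= gp_debug) { return; }` would match the local style. `setenv()` can fail with ENOMEM and the result is discarded; a GPDEBUG line on failure would tell an operator why level-3 trace output never appears. gp_debug_toggle is fully visible, but main() in gssproxy.c starts and ends outside its hunk.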
|
@ -0,0 +1,34 @@
|
|||||||
|
From 8f787b66bc23b8317d95c6cf64fe6e0e6409f869 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Mon, 15 Apr 2019 19:54:17 -0400
|
||||||
|
Subject: [PATCH] Always initialize out cred in gp_import_gssx_cred()
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Merges: #244
|
||||||
|
(cherry picked from commit 5697dfd94345c945f93070c40b9d4480f3d3d7ea)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index 5e8e160..403e339 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -449,6 +449,8 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
|
||||||
|
uint32_t ret_min = 0;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
+ *out = GSS_C_NO_CREDENTIAL;
|
||||||
|
+
|
||||||
|
handle = gp_service_get_creds_handle(gpcall->service);
|
||||||
|
if (!handle) {
|
||||||
|
ret_maj = GSS_S_FAILURE;
|
||||||
|
@@ -470,7 +472,6 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
|
||||||
|
if (ret) {
|
||||||
|
/* Allow for re-issuance of the keytab. */
|
||||||
|
GPDEBUG("Stored ccache failed to decrypt; treating as empty\n");
|
||||||
|
- *out = GSS_C_NO_CREDENTIAL;
|
||||||
|
goto done;
|
||||||
|
}
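Review bot: The early `*out = GSS_C_NO_CREDENTIAL;` is a contract callers will come to rely on, so say why it is there: `/* Initialize *out up front so every failure path (including the !handle check below) hands the caller a handle that is safe to release. */`. It also makes `out` non-optional; if any caller may pass NULL (not visible from this hunk) a NULL check before the store is needed, otherwise a comment stating that `out` must be non-NULL is enough. gp_import_gssx_cred's body continues outside the hunk.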
|
||||||
|
|
43
SOURCES/Always-use-the-encype-we-selected.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From 64bf7f099fe52a214794486d16e3383ff25e8682 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Tue, 27 Feb 2018 11:59:25 -0500
|
||||||
|
Subject: [PATCH] Always use the encype we selected
|
||||||
|
|
||||||
|
The enctype is selected from the keytab or from the fallback code.
|
||||||
|
Either way make sure to use the enctype stored in the key block.
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Merges: #226
|
||||||
|
(cherry picked from commit d73c96d658059ce64ecd41ff2924071d86f2b54f)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 7 +++----
|
||||||
|
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index c9f5fd4..5e8e160 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -168,11 +168,10 @@ uint32_t gp_init_creds_handle(uint32_t *min, const char *svc_name,
|
||||||
|
GP_CREDS_HANDLE_KEY_ENCTYPE, 0,
|
||||||
|
&handle->key);
|
||||||
|
if (ret == 0) {
|
||||||
|
- ret = krb5_c_make_random_key(handle->context,
|
||||||
|
- GP_CREDS_HANDLE_KEY_ENCTYPE,
|
||||||
|
+ ret = krb5_c_make_random_key(handle->context, handle->key->enctype,
|
||||||
|
handle->key);
|
||||||
|
GPDEBUG("Service: %s, Enckey: [ephemeral], Enctype: %d\n",
|
||||||
|
- svc_name, GP_CREDS_HANDLE_KEY_ENCTYPE);
|
||||||
|
+ svc_name, handle->key->enctype);
|
||||||
|
}
|
||||||
|
if (ret) {
|
||||||
|
ret_min = ret;
|
||||||
|
@@ -254,7 +253,7 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
|
||||||
|
memset(&enc_handle, '\0', sizeof(krb5_enc_data));
|
||||||
|
|
||||||
|
- enc_handle.enctype = GP_CREDS_HANDLE_KEY_ENCTYPE;
|
||||||
|
+ enc_handle.enctype = key->enctype;
|
||||||
|
enc_handle.ciphertext.data = in->octet_string_val;
|
||||||
|
enc_handle.ciphertext.length = in->octet_string_len;
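Review bot: `handle->key->enctype` is dereferenced inside the `ret == 0` branch with nothing saying why that is safe; it relies on the call whose arguments end at `&handle->key);` leaving a populated keyblock whenever it returns 0, which this hunk cannot confirm. Please state the contract where the key is regenerated: `/* On success the call above has filled handle->key (from the keytab or the fallback), so its enctype is authoritative; regenerate the key material with that same enctype. */`, or guard with `if (handle->key == NULL)` before it. Worth noting near `enc_handle.enctype = key->enctype;` as well: the stored blob carries no enctype, so a key that later changes enctype should make old blobs fail to decrypt rather than yield garbage, and callers must treat that as "no stored credentials". Both gp_init_creds_handle and gp_decrypt_buffer start outside the hunk.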
|
||||||
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From 160f7a7c66e7e3d249de853cd5a1ebe0becd9fe1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Wed, 1 May 2019 11:27:13 -0400
|
||||||
|
Subject: [PATCH] Avoid uninitialized free when allocating buffers
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Resolves: #248
|
||||||
|
(cherry picked from commit eafa3c9272c95646400123f8e4d6fb50cf36d36c)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index dbfddeb..a5681c0 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -300,6 +300,7 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
&data_in,
|
||||||
|
&enc_handle);
|
||||||
|
if (ret) {
|
||||||
|
+ free(enc_handle.ciphertext.data);
|
||||||
|
ret = EINVAL;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -308,12 +309,12 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
enc_handle.ciphertext.data,
|
||||||
|
out);
|
||||||
|
if (ret) {
|
||||||
|
+ free(enc_handle.ciphertext.data);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
free(padded);
|
||||||
|
- free(enc_handle.ciphertext.data);
|
||||||
|
return ret;
|
||||||
|
}
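Review bot: After this change `enc_handle.ciphertext.data` is freed only on the two failure paths, so on the success path nobody frees it; if the call whose arguments end at `out);` copies its input rather than adopting the buffer (I cannot see its body here, but an octet_string conversion normally copies), every successful encryption now leaks one ciphertext buffer. The root cause is that the previous patch in this series dropped the `memset(&enc_handle, '\0', ...)`, so the early `goto done` paths freed an indeterminate pointer; the minimal fix that keeps a single owner is `krb5_enc_data enc_handle = { 0 };` at the declaration (outside this hunk) while leaving the single `free(enc_handle.ciphertext.data);` under `done:` in place. If the callee does take ownership, say so and NULL the pointer: `/* out now owns the ciphertext buffer */` followed by `enc_handle.ciphertext.data = NULL;`. gp_encrypt_buffer starts outside the hunk.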
|
||||||
|
|
193
SOURCES/Change-the-way-we-handle-encrypted-buffers.patch
Normal file
@ -0,0 +1,193 @@
|
|||||||
|
From 51bba6bf325716534c509e0528d2ccfd0050d28c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Wed, 17 Apr 2019 18:00:59 -0400
|
||||||
|
Subject: [PATCH] Change the way we handle encrypted buffers
|
||||||
|
|
||||||
|
The previous change has backwards incompatible behavior that may also
|
||||||
|
lead to buffer overruns.
|
||||||
|
|
||||||
|
Because we have no easy way to indicate a format change and to maintain
|
||||||
|
backwards compatibility for the ciphers that were working (those that
|
||||||
|
added padding were hopelessly borken anyway) introduce code to simply
|
||||||
|
add padding that we can recognize and remove when we read back the token.
|
||||||
|
|
||||||
|
On ciphers that do not add padding this is basically a no op and the
|
||||||
|
tokens will be identical to the ones we previously emitted.
|
||||||
|
|
||||||
|
On ciphers that add padding we pad the plaintext so that we hit a block
|
||||||
|
boundary and cause no extra padding to be added by krb5_c_encrypt
|
||||||
|
itself. On decryption we check if padding bytes are appended to the
|
||||||
|
buffer and remove them.
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Merges: #246
|
||||||
|
(cherry picked from commit 839be8aa7e54e93819e8291b570e4c7cfe7e98f1)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 110 +++++++++++++++++++++++++++++++++++++-----------
|
||||||
|
1 file changed, 86 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index aa0a8ec..dbfddeb 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -193,9 +193,15 @@ done:
|
||||||
|
return ret_maj;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* We need to include a length in our payloads because krb5_c_decrypt() will
|
||||||
|
- * pad the contents for some enctypes, and gss_import_cred() doesn't like
|
||||||
|
- * having extra bytes on tokens. */
|
||||||
|
+#define ENC_MIN_PAD_LEN 8
|
||||||
|
+
|
||||||
|
+/* We need to pad our payloads because krb5_c_decrypt() may pad the
|
||||||
|
+ * contents for some enctypes, and gss_import_cred() doesn't like
|
||||||
|
+ * having extra bytes on tokens.
|
||||||
|
+ * Explicit padding and depadding is used in order to maintain backwards
|
||||||
|
+ * compatibility over upgrades (and downgrades), it would have been
|
||||||
|
+ * better if we simply had a better formatting of the returned blob
|
||||||
|
+ * so we could simply change a "blob version" number */
|
||||||
|
static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
size_t len, void *buf, octet_string *out)
|
||||||
|
{
|
||||||
|
@@ -203,8 +209,9 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
krb5_data data_in;
|
||||||
|
krb5_enc_data enc_handle;
|
||||||
|
size_t cipherlen;
|
||||||
|
- char *packed = NULL;
|
||||||
|
- uint32_t netlen;
|
||||||
|
+ size_t padcheck;
|
||||||
|
+ uint8_t pad = 0;
|
||||||
|
+ char *padded = NULL;
|
||||||
|
|
||||||
|
if (len > (uint32_t)(-1)) {
|
||||||
|
/* Needs to fit in 4 bytes of payload, so... */
|
||||||
|
@@ -212,28 +219,72 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- packed = malloc(len);
|
||||||
|
- if (!packed) {
|
||||||
|
- ret = errno;
|
||||||
|
+ ret = krb5_c_encrypt_length(context,
|
||||||
|
+ key->enctype,
|
||||||
|
+ len, &cipherlen);
|
||||||
|
+ if (ret) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- netlen = htonl(len);
|
||||||
|
- memcpy(packed, (uint8_t *)&netlen, 4);
|
||||||
|
- memcpy(packed + 4, buf, len);
|
||||||
|
-
|
||||||
|
- data_in.length = len + 4;
|
||||||
|
- data_in.data = packed;
|
||||||
|
-
|
||||||
|
- memset(&enc_handle, '\0', sizeof(krb5_enc_data));
|
||||||
|
-
|
||||||
|
+ /* try again with len + 1 to see if padding is required */
|
||||||
|
ret = krb5_c_encrypt_length(context,
|
||||||
|
key->enctype,
|
||||||
|
- data_in.length,
|
||||||
|
- &cipherlen);
|
||||||
|
+ len + 1, &padcheck);
|
||||||
|
if (ret) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+ if (padcheck == cipherlen) {
|
||||||
|
+ int i;
|
||||||
|
+ /* padding required */
|
||||||
|
+ pad = ENC_MIN_PAD_LEN;
|
||||||
|
+ /* always add enough padding that it makes it extremely unlikley
|
||||||
|
+ * legitimate plaintext will be incorrectly depadded in the
|
||||||
|
+ * decrypt function */
|
||||||
|
+ ret = krb5_c_encrypt_length(context,
|
||||||
|
+ key->enctype,
|
||||||
|
+ len + pad, &cipherlen);
|
||||||
|
+ if (ret) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ /* we support only block sizes up to 16 bytes as this is the largest
|
||||||
|
+ * supported block size in krb ciphers for now */
|
||||||
|
+ for (i = 0; i < 15; i++) {
|
||||||
|
+ /* find the point at which padcheck increases, that's when we
|
||||||
|
+ * cross a blocksize boundary internally and we can calculate
|
||||||
|
+ * the padding that will be used */
|
||||||
|
+ ret = krb5_c_encrypt_length(context,
|
||||||
|
+ key->enctype,
|
||||||
|
+ len + pad + i + 1, &padcheck);
|
||||||
|
+ if (ret) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ if (padcheck > cipherlen) {
|
||||||
|
+ pad += i;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (i > 15) {
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (pad != 0) {
|
||||||
|
+ padded = malloc(len + pad);
|
||||||
|
+ if (!padded) {
|
||||||
|
+ ret = errno;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(padded, buf, len);
|
||||||
|
+ memset(padded + len, pad, pad);
|
||||||
|
+
|
||||||
|
+ data_in.length = len + pad;
|
||||||
|
+ data_in.data = padded;
|
||||||
|
+ } else {
|
||||||
|
+ data_in.length = len;
|
||||||
|
+ data_in.data = buf;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
enc_handle.ciphertext.length = cipherlen;
|
||||||
|
enc_handle.ciphertext.data = malloc(enc_handle.ciphertext.length);
|
||||||
|
@@ -261,7 +312,7 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
- free(packed);
|
||||||
|
+ free(padded);
|
||||||
|
free(enc_handle.ciphertext.data);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
@@ -273,7 +324,8 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
int ret;
|
||||||
|
krb5_data data_out;
|
||||||
|
krb5_enc_data enc_handle;
|
||||||
|
- uint32_t netlen;
|
||||||
|
+ uint8_t pad;
|
||||||
|
+ int i, j;
|
||||||
|
|
||||||
|
memset(&enc_handle, '\0', sizeof(krb5_enc_data));
|
||||||
|
|
||||||
|
@@ -295,9 +347,19 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* And handle the padding. */
|
||||||
|
- memcpy(&netlen, buf, 4);
|
||||||
|
- *len = ntohl(netlen);
|
||||||
|
- memmove(buf, buf + 4, *len);
|
||||||
|
+ i = data_out.length - 1;
|
||||||
|
+ pad = data_out.data[i];
|
||||||
|
+ if (pad >= ENC_MIN_PAD_LEN && pad < i) {
|
||||||
|
+ j = pad;
|
||||||
|
+ while (j > 0) {
|
||||||
|
+ j--;
|
||||||
|
+ if (pad != data_out.data[i - j]) break;
|
||||||
|
+ }
|
||||||
|
+ if (j == 0) {
|
||||||
|
+ data_out.length -= pad;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ *len = data_out.length;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
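Review bot: The `if (i > 15)` test after `for (i = 0; i < 15; i++)` can never be true, because when no block boundary is found the loop exits with `i == 15`; the "unsupported block size" EINVAL path is therefore dead and the function proceeds with `pad` still `ENC_MIN_PAD_LEN`, leaving krb5 to append its own padding that the decrypt side cannot strip; `if (i >= 15) {` is what was meant. In gp_decrypt_buffer the depad code reads `data_out.data[data_out.length - 1]` without checking for an empty plaintext, so `i` becomes -1 and the read is out of bounds; this is only reachable if a zero-length buffer was ever encrypted, which these callers presumably never do, but `if (data_out.length == 0) { *len = 0; return 0; }` is a cheap guard. Depadding also runs for every enctype, including those that never pad, so a legitimate plaintext ending in eight or more identical bytes valued 8..23 would be truncated; the comment calls this "extremely unlikely", and it could be made impossible by stripping only when `krb5_c_encrypt_length` shows the enctype actually pads, mirroring the `padcheck == cipherlen` test on the encrypt side. The `/* Needs to fit in 4 bytes of payload, so... */` comment is stale now that the length prefix is gone. Both functions start outside the hunk.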
|
74
SOURCES/Clarify-debug-and-debug_level-in-man-pages.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From d71d354f1020a7deac57f26cc7c2cafb3fa675a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Wed, 11 Apr 2018 16:01:21 -0400
|
||||||
|
Subject: [PATCH] Clarify debug and debug_level in man pages
|
||||||
|
|
||||||
|
In particular, add debug_level to gssproxy(5) since it was previously
|
||||||
|
accepted but not documented.
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Merges: #229
|
||||||
|
(cherry picked from commit e0e96e46be03102903533a9816b4deefe1adfaf8)
|
||||||
|
---
|
||||||
|
man/gssproxy.8.xml | 24 +++++++++++++++++++++++-
|
||||||
|
man/gssproxy.conf.5.xml | 5 ++++-
|
||||||
|
2 files changed, 27 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/man/gssproxy.8.xml b/man/gssproxy.8.xml
|
||||||
|
index 1df4b0d..21f7e6a 100644
|
||||||
|
--- a/man/gssproxy.8.xml
|
||||||
|
+++ b/man/gssproxy.8.xml
|
||||||
|
@@ -118,13 +118,35 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
+
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>-d</option>,<option>--debug</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
- Turn on debugging.
|
||||||
|
+ Turn on debugging. This option is identical to
|
||||||
|
+ --debug-level=1.
|
||||||
|
+ </para>
|
||||||
|
+ </listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>
|
||||||
|
+ <option>--debug-level=</option>
|
||||||
|
+ </term>
|
||||||
|
+ <listitem>
|
||||||
|
+ <para>
|
||||||
|
+ Turn on debugging at the specified level. 0
|
||||||
|
+ corresponds to no logging, while 1 turns on basic
|
||||||
|
+ debug logging. Level 2 increases verbosity, including
|
||||||
|
+ more detailed credential verification.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ At level 3 and above, KRB5_TRACE output is logged. If
|
||||||
|
+ KRB5_TRACE was already set in the execution
|
||||||
|
+ environment, trace output is sent to its value
|
||||||
|
+ instead.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
|
||||||
|
index de846b4..21c9653 100644
|
||||||
|
--- a/man/gssproxy.conf.5.xml
|
||||||
|
+++ b/man/gssproxy.conf.5.xml
|
||||||
|
@@ -192,7 +192,10 @@
|
||||||
|
<varlistentry>
|
||||||
|
<term>debug (boolean)</term>
|
||||||
|
<listitem>
|
||||||
|
- <para>Enable debugging to syslog.</para>
|
||||||
|
+ <para>
|
||||||
|
+ Enable debugging to syslog. Setting to true is
|
||||||
|
+ identical to setting debug_level to 1.
|
||||||
|
+ </para>
|
||||||
|
<para>Default: debug = false</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
159
SOURCES/Close-epoll-fd-within-the-lock.patch
Normal file
@ -0,0 +1,159 @@
|
|||||||
|
From 01ff7b67bfaad9b4f6cebc7c46ac9b1d99671d4f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Wed, 6 Mar 2019 10:31:13 -0500
|
||||||
|
Subject: [PATCH] Close epoll fd within the lock
|
||||||
|
|
||||||
|
A race condition may happen where we close the epoll socket, after
|
||||||
|
another thread grabbed the lock and is using epoll itself.
|
||||||
|
On some kernels this may cause epoll to not fire any event leaving the
|
||||||
|
thread stuck forever.
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
[rharwood@redhat.com: cleanup commit message, adjusted function ordering]
|
||||||
|
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Merges: #241
|
||||||
|
(cherry picked from commit 0ccfd32f8ef16caf65698c5319dfa251d43433af)
|
||||||
|
|
||||||
|
Squashed with:
|
||||||
|
|
||||||
|
Reorder functions
|
||||||
|
|
||||||
|
Keep related functions closer together like before
|
||||||
|
|
||||||
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Resolves: #242
|
||||||
|
(cherry picked from commit 6accc0afead574e11447447c949f2abcb1a34826)
|
||||||
|
(cherry picked from commit c33de0c213d570f370fd954869c2ad99901b2cf3)
|
||||||
|
---
|
||||||
|
src/client/gpm_common.c | 96 ++++++++++++++++++++++-------------------
|
||||||
|
1 file changed, 51 insertions(+), 45 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
|
||||||
|
index c254280..36df5cc 100644
|
||||||
|
--- a/src/client/gpm_common.c
|
||||||
|
+++ b/src/client/gpm_common.c
|
||||||
|
@@ -139,43 +139,6 @@ static void gpm_close_socket(struct gpm_ctx *gpmctx)
|
||||||
|
gpmctx->fd = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int gpm_grab_sock(struct gpm_ctx *gpmctx)
|
||||||
|
-{
|
||||||
|
- int ret;
|
||||||
|
- pid_t p;
|
||||||
|
- uid_t u;
|
||||||
|
- gid_t g;
|
||||||
|
-
|
||||||
|
- ret = pthread_mutex_lock(&gpmctx->lock);
|
||||||
|
- if (ret) {
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Detect fork / setresuid and friends */
|
||||||
|
- p = getpid();
|
||||||
|
- u = geteuid();
|
||||||
|
- g = getegid();
|
||||||
|
-
|
||||||
|
- if (gpmctx->fd != -1 &&
|
||||||
|
- (p != gpmctx->pid || u != gpmctx->uid || g != gpmctx->gid)) {
|
||||||
|
- gpm_close_socket(gpmctx);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (gpmctx->fd == -1) {
|
||||||
|
- ret = gpm_open_socket(gpmctx);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (ret) {
|
||||||
|
- pthread_mutex_unlock(&gpmctx->lock);
|
||||||
|
- }
|
||||||
|
- return ret;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int gpm_release_sock(struct gpm_ctx *gpmctx)
|
||||||
|
-{
|
||||||
|
- return pthread_mutex_unlock(&gpmctx->lock);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
static void gpm_timer_close(struct gpm_ctx *gpmctx)
|
||||||
|
{
|
||||||
|
if (gpmctx->timerfd < 0) {
|
||||||
|
@@ -253,6 +216,57 @@ static int gpm_epoll_setup(struct gpm_ctx *gpmctx)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int gpm_release_sock(struct gpm_ctx *gpmctx)
|
||||||
|
+{
|
||||||
|
+ gpm_epoll_close(gpmctx);
|
||||||
|
+ gpm_timer_close(gpmctx);
|
||||||
|
+ return pthread_mutex_unlock(&gpmctx->lock);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int gpm_grab_sock(struct gpm_ctx *gpmctx)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ pid_t p;
|
||||||
|
+ uid_t u;
|
||||||
|
+ gid_t g;
|
||||||
|
+
|
||||||
|
+ ret = pthread_mutex_lock(&gpmctx->lock);
|
||||||
|
+ if (ret) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Detect fork / setresuid and friends */
|
||||||
|
+ p = getpid();
|
||||||
|
+ u = geteuid();
|
||||||
|
+ g = getegid();
|
||||||
|
+
|
||||||
|
+ if (gpmctx->fd != -1 &&
|
||||||
|
+ (p != gpmctx->pid || u != gpmctx->uid || g != gpmctx->gid)) {
|
||||||
|
+ gpm_close_socket(gpmctx);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (gpmctx->fd == -1) {
|
||||||
|
+ ret = gpm_open_socket(gpmctx);
|
||||||
|
+ if (ret) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* setup timer */
|
||||||
|
+ ret = gpm_timer_setup(gpmctx, RESPONSE_TIMEOUT);
|
||||||
|
+ if (ret) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ /* create epoll fd as well */
|
||||||
|
+ ret = gpm_epoll_setup(gpmctx);
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ if (ret) {
|
||||||
|
+ gpm_release_sock(gpmctx);
|
||||||
|
+ }
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int gpm_epoll_wait(struct gpm_ctx *gpmctx, uint32_t event_flags)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
@@ -530,11 +544,6 @@ static int gpm_send_recv_loop(struct gpm_ctx *gpmctx, char *send_buffer,
|
||||||
|
int ret;
|
||||||
|
int retry_count;
|
||||||
|
|
||||||
|
- /* setup timer */
|
||||||
|
- ret = gpm_timer_setup(gpmctx, RESPONSE_TIMEOUT);
|
||||||
|
- if (ret)
|
||||||
|
- return ret;
|
||||||
|
-
|
||||||
|
for (retry_count = 0; retry_count < MAX_TIMEOUT_RETRY; retry_count++) {
|
||||||
|
/* send to proxy */
|
||||||
|
ret = gpm_send_buffer(gpmctx, send_buffer, send_length);
|
||||||
|
@@ -761,9 +770,6 @@ int gpm_make_call(int proc, union gp_rpc_arg *arg, union gp_rpc_res *res)
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
- gpm_timer_close(gpmctx);
|
||||||
|
- gpm_epoll_close(gpmctx);
|
||||||
|
-
|
||||||
|
if (sockgrab) {
|
||||||
|
gpm_release_sock(gpmctx);
|
||||||
|
}
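Review bot: gpm_release_sock now closes the epoll and timer fds before unlocking, which is the whole point of the fix, yet nothing in the code says so and the next refactor could move the closes back out; add above the function: `/* Close the epoll/timer fds while still holding the lock: closing them after unlock races with a thread that has already grabbed the socket and may be blocked in epoll_wait on the same fd (some kernels then never deliver an event). */`. In gpm_grab_sock the `done:` path calls gpm_release_sock and discards its return so the original `ret` is preserved, which is right but worth a one-line comment. The fork/setresuid detection still resets only the socket fd; because the epoll and timer fds are now closed on every release they should already be -1 when a forked child grabs the lock, but if a fork can occur while a call is in flight that assumption fails and the check could reset `epollfd` and `timerfd` too. gpm_timer_close visibly tolerates a -1 fd; gpm_epoll_close is outside the hunk so I cannot confirm the same for it.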
|
@ -0,0 +1,31 @@
|
|||||||
|
From 0379411547792a58b3d36c9928354072b5f6cabf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Mon, 15 Apr 2019 19:56:50 -0400
|
||||||
|
Subject: [PATCH] Handle gss_import_cred() failure when importing gssx creds
|
||||||
|
|
||||||
|
Otherwise, we might attempt to set options on a non-existent handle,
|
||||||
|
leading to a segfault.
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Merges: #244
|
||||||
|
(cherry picked from commit 84cf88f6c6cfeb8e3fd2c26ed0fe9fe5bf3810d2)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index 403e339..7ad8037 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -476,6 +476,10 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
|
||||||
|
}
|
||||||
|
|
||||||
|
ret_maj = gss_import_cred(&ret_min, &token, out);
|
||||||
|
+ if (ret_maj) {
|
||||||
|
+ GPDEBUG("gss_import_cred failed when importing gssx cred\n");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* check if there is any client option we need to set on credentials */
|
||||||
|
gp_set_cred_options(cred, *out);
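Review bot: The new failure branch logs a fixed string and drops both status codes, which makes a client-reachable failure (a token that decrypts but no longer parses, for example one written in the intermediate length-prefixed blob format) hard to diagnose; include them: `GPDEBUG("gss_import_cred failed when importing gssx cred (maj=%u, min=%u)\n", ret_maj, ret_min);`. The `goto done` is only safe for callers that release `*out` because the handle is left untouched on error, which gss_import_cred should guarantee; a short comment on the branch saying so would spare the next reader the same check. gp_import_gssx_cred starts and ends outside this hunk.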
|
98
SOURCES/Include-length-when-using-krb5_c_decrypt.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From 5dec1aeb0a6080ea661061b52248e60afc969426 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Tue, 16 Apr 2019 16:08:32 -0400
|
||||||
|
Subject: [PATCH] Include length when using krb5_c_decrypt()
|
||||||
|
|
||||||
|
For some enctypes, krb5_c_decrypt() will add padding bytes which are
|
||||||
|
included in the returned length. However, functions which use the
|
||||||
|
objects we're storing aren't always prepared for that: in particular,
|
||||||
|
gss_import_cred() will declare a token invalid if there's trailing
|
||||||
|
garbage.
|
||||||
|
|
||||||
|
Work around this by including 4 bytes of length on encrypted objects.
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
||||||
|
Merges: #244
|
||||||
|
(cherry picked from commit 87957caf541114f6f15a495dd7d30556dc5801d9)
|
||||||
|
---
|
||||||
|
src/gp_export.c | 35 +++++++++++++++++++++++++++++++----
|
||||||
|
1 file changed, 31 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gp_export.c b/src/gp_export.c
|
||||||
|
index 7ad8037..aa0a8ec 100644
|
||||||
|
--- a/src/gp_export.c
|
||||||
|
+++ b/src/gp_export.c
|
||||||
|
@@ -193,6 +193,9 @@ done:
|
||||||
|
return ret_maj;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* We need to include a length in our payloads because krb5_c_decrypt() will
|
||||||
|
+ * pad the contents for some enctypes, and gss_import_cred() doesn't like
|
||||||
|
+ * having extra bytes on tokens. */
|
||||||
|
static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
size_t len, void *buf, octet_string *out)
|
||||||
|
{
|
||||||
|
@@ -200,9 +203,27 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
krb5_data data_in;
|
||||||
|
krb5_enc_data enc_handle;
|
||||||
|
size_t cipherlen;
|
||||||
|
+ char *packed = NULL;
|
||||||
|
+ uint32_t netlen;
|
||||||
|
|
||||||
|
- data_in.length = len;
|
||||||
|
- data_in.data = buf;
|
||||||
|
+ if (len > (uint32_t)(-1)) {
|
||||||
|
+ /* Needs to fit in 4 bytes of payload, so... */
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ packed = malloc(len);
|
||||||
|
+ if (!packed) {
|
||||||
|
+ ret = errno;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ netlen = htonl(len);
|
||||||
|
+ memcpy(packed, (uint8_t *)&netlen, 4);
|
||||||
|
+ memcpy(packed + 4, buf, len);
|
||||||
|
+
|
||||||
|
+ data_in.length = len + 4;
|
||||||
|
+ data_in.data = packed;
|
||||||
|
|
||||||
|
memset(&enc_handle, '\0', sizeof(krb5_enc_data));
|
||||||
|
|
||||||
|
@@ -240,16 +261,19 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
+ free(packed);
|
||||||
|
free(enc_handle.ciphertext.data);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* See comment above on gp_encrypt_buffer(). */
|
||||||
|
static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
- octet_string *in, size_t *len, void *buf)
|
||||||
|
+ octet_string *in, size_t *len, char *buf)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
krb5_data data_out;
|
||||||
|
krb5_enc_data enc_handle;
|
||||||
|
+ uint32_t netlen;
|
||||||
|
|
||||||
|
memset(&enc_handle, '\0', sizeof(krb5_enc_data));
|
||||||
|
|
||||||
|
@@ -270,7 +294,10 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- *len = data_out.length;
|
||||||
|
+ /* And handle the padding. */
|
||||||
|
+ memcpy(&netlen, buf, 4);
|
||||||
|
+ *len = ntohl(netlen);
|
||||||
|
+ memmove(buf, buf + 4, *len);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
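Review bot: `packed = malloc(len);` in the gp_encrypt_buffer hunk sizes the buffer for the payload alone, yet the two memcpy calls right after it write the 4-byte length prefix followed by `len` bytes, so the last four bytes land past the end of the allocation; the allocation should read `packed = malloc(len + 4);` to match `data_in.length = len + 4`. The spec lists a later Change-the-way-we-handle-encrypted-buffers.patch that may rework this code, but as imported here the overrun is in the tree. The decrypt side has the mirror-image gap: `memcpy(&netlen, buf, 4)` and `memmove(buf, buf + 4, *len)` trust the recovered length without comparing it to what krb5_c_decrypt() produced, so a plaintext shorter than 4 bytes or a prefix larger than the decrypted payload makes memmove read beyond it; a guard such as `if (data_out.length < 4 || ntohl(netlen) > data_out.length - 4) return EINVAL;` before the memmove (using whatever error path the preceding `return ret;` follows) closes that. Both gp_encrypt_buffer and gp_decrypt_buffer begin and end outside the visible hunks.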
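--- a/SOURCES/Update-NFS-service-name-in-systemd-unit.patch
+++ b/SOURCES/Update-NFS-service-name-in-systemd-unit.patch
@@ -0,0 +1,27 @@
+From 9860e73b5da0f0448594ecc700ccc7ba08177718 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 24 Apr 2019 12:07:47 -0400
+Subject: [PATCH] Update NFS service name in systemd unit
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #247
+(cherry picked from commit 1a789a645175d5aea109a3c0831806b94337b20e)
+(cherry picked from commit aa4f43049d1037d1c23becd78ad2f7dd601132f4)
+---
+systemd/gssproxy.service.in | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
+index f50f526..ac37df6 100644
+--- a/systemd/gssproxy.service.in
++++ b/systemd/gssproxy.service.in
+@@ -2,7 +2,7 @@
+Description=GSSAPI Proxy Daemon
+# GSSPROXY will not be started until syslog is
+After=syslog.target
+-Before=nfs-secure.service nfs-secure-server.service
++Before=rpc-gssd.service
+
+[Service]
+Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache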
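--- a/SOURCES/Use-pthread-keys-for-thread-local-storage.patch
+++ b/SOURCES/Use-pthread-keys-for-thread-local-storage.patch
@@ -0,0 +1,150 @@
+From e0b142320342ef16260b6072f1c83d6fcf4142e6 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 20 Sep 2018 17:37:53 -0400
+Subject: [PATCH] Use pthread keys for thread local storage
+
+This interface is slower but also more portable, and more importantly
+it provides a way to specify destructor that is called when a thread
+is canceled so we stop leaking memory.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+Merges: #233
+(cherry picked from commit 0faccc1441bc7a6b3e8bd806f22c8a961e5f586e)
+(cherry picked from commit 89dc0ee157caa4617d32fd72287849296d7fe26d)
+---
+src/client/gpm_common.c | 2 ++
+src/client/gpm_display_status.c | 57 ++++++++++++++++++++++-----------
+src/client/gssapi_gpm.h | 1 +
+3 files changed, 42 insertions(+), 18 deletions(-)
+
+diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
+index dd29519..c254280 100644
+--- a/src/client/gpm_common.c
++++ b/src/client/gpm_common.c
+@@ -55,6 +55,8 @@ static void gpm_init_once(void)
+gpm_global_ctx.next_xid = rand_r(&seedp);
+
+pthread_mutexattr_destroy(&attr);
++
++ gpm_display_status_init_once();
+}
+
+static int get_pipe_name(char *name)
+diff --git a/src/client/gpm_display_status.c b/src/client/gpm_display_status.c
+index bbb546f..e3aa4ea 100644
+--- a/src/client/gpm_display_status.c
++++ b/src/client/gpm_display_status.c
+@@ -1,27 +1,47 @@
+/* Copyright (C) 2011 the GSS-PROXY contributors, see COPYING for license */
+
+#include "gssapi_gpm.h"
++#include <pthread.h>
+
+-__thread gssx_status *tls_last_status = NULL;
++static pthread_key_t gpm_last_status;
+
+-/* Thread local storage for return status.
+- * FIXME: it's not the most portable construct, so may need fixing in future */
++static void gpm_destroy_last_status(void *arg)
++{
++ gssx_status *status = (gssx_status *)arg;
++ xdr_free((xdrproc_t)xdr_gssx_status, (char *)status);
++ free(status);
++}
++
++void gpm_display_status_init_once(void)
++{
++ (void)pthread_key_create(&gpm_last_status, gpm_destroy_last_status);
++}
++
++/* Portable thread local storage for return status. */
+void gpm_save_status(gssx_status *status)
+{
++ gssx_status *last_status;
+int ret;
+
+- if (tls_last_status) {
+- xdr_free((xdrproc_t)xdr_gssx_status, (char *)tls_last_status);
+- free(tls_last_status);
++ last_status = (gssx_status *)pthread_getspecific(gpm_last_status);
++ if (last_status != NULL) {
++ /* store NULL first so we do not risk a double free if we are
++ * racing on a pthread_cancel */
++ pthread_setspecific(gpm_last_status, NULL);
++ gpm_destroy_last_status(last_status);
+}
+
+- ret = gp_copy_gssx_status_alloc(status, &tls_last_status);
+- if (ret) {
+- /* make sure tls_last_status is zeored on error */
+- tls_last_status = NULL;
++ ret = gp_copy_gssx_status_alloc(status, &last_status);
++ if (ret == 0) {
++ pthread_setspecific(gpm_last_status, last_status);
+}
+}
+
++gssx_status *gpm_get_saved_status(void)
++{
++ return (gssx_status *)pthread_getspecific(gpm_last_status);
++}
++
+/* This funciton is used to record internal mech errors that are
+* generated by the proxy client code */
+void gpm_save_internal_status(uint32_t err, char *err_str)
+@@ -47,15 +67,16 @@ OM_uint32 gpm_display_status(OM_uint32 *minor_status,
+OM_uint32 *message_context,
+gss_buffer_t status_string)
+{
++ gssx_status *last_status = gpm_get_saved_status();
+utf8string tmp;
+int ret;
+
+switch(status_type) {
+case GSS_C_GSS_CODE:
+- if (tls_last_status &&
+- tls_last_status->major_status == status_value &&
+- tls_last_status->major_status_string.utf8string_len) {
+- ret = gp_copy_utf8string(&tls_last_status->major_status_string,
++ if (last_status &&
++ last_status->major_status == status_value &&
++ last_status->major_status_string.utf8string_len) {
++ ret = gp_copy_utf8string(&last_status->major_status_string,
+&tmp);
+if (ret) {
+*minor_status = ret;
+@@ -70,9 +91,9 @@ OM_uint32 gpm_display_status(OM_uint32 *minor_status,
+return GSS_S_UNAVAILABLE;
+}
+case GSS_C_MECH_CODE:
+- if (tls_last_status &&
+- tls_last_status->minor_status == status_value &&
+- tls_last_status->minor_status_string.utf8string_len) {
++ if (last_status &&
++ last_status->minor_status == status_value &&
++ last_status->minor_status_string.utf8string_len) {
+
+if (*message_context) {
+/* we do not support multiple messages for now */
+@@ -80,7 +101,7 @@ OM_uint32 gpm_display_status(OM_uint32 *minor_status,
+return GSS_S_FAILURE;
+}
+
+- ret = gp_copy_utf8string(&tls_last_status->minor_status_string,
++ ret = gp_copy_utf8string(&last_status->minor_status_string,
+&tmp);
+if (ret) {
+*minor_status = ret;
+diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
+index 22beecf..61124e0 100644
+--- a/src/client/gssapi_gpm.h
++++ b/src/client/gssapi_gpm.h
+@@ -23,6 +23,7 @@ OM_uint32 gpm_release_name(OM_uint32 *minor_status,
+OM_uint32 gpm_release_buffer(OM_uint32 *minor_status,
+gss_buffer_t buffer);
+
++void gpm_display_status_init_once(void);
+void gpm_save_status(gssx_status *status);
+void gpm_save_internal_status(uint32_t err, char *err_str);
+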
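Review bot: The return value of `pthread_setspecific(gpm_last_status, last_status);` at the end of gpm_save_status in the gpm_display_status.c hunk is ignored, so when the call fails (ENOMEM is a documented outcome) the copy just produced by gp_copy_gssx_status_alloc is neither stored nor freed, which undercuts the patch's stated aim of stopping leaks; the failure branch should release it, e.g. `if (pthread_setspecific(gpm_last_status, last_status) != 0) gpm_destroy_last_status(last_status);`. In the same hunk `(void)pthread_key_create(&gpm_last_status, gpm_destroy_last_status);` in gpm_display_status_init_once also discards its error, after which every pthread_getspecific/pthread_setspecific on the key operates on an uninitialised pthread_key_t; if the one-shot initialiser has no way to report this, a comment saying so, such as `/* key creation failure cannot be reported from the once-init; status saving is then silently disabled */`, would at least make the limitation visible. gpm_save_status and gpm_display_status continue outside the visible hunks.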
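--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -0,0 +1,457 @@
+Name: gssproxy
+
+Version: 0.8.0
+Release: 14%{?dist}
+Summary: GSSAPI Proxy
+
+Group: System Environment/Libraries
+License: MIT
+URL: https://pagure.io/gssproxy
+Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.gz
+
+%global servicename gssproxy
+%global pubconfpath %{_sysconfdir}/gssproxy
+%global gpstatedir %{_localstatedir}/lib/gssproxy
+
+### Patches ###
+Patch0: Always-use-the-encype-we-selected.patch
+Patch1: Clarify-debug-and-debug_level-in-man-pages.patch
+Patch2: Always-choose-highest-requested-debug-level.patch
+Patch3: Use-pthread-keys-for-thread-local-storage.patch
+Patch4: Close-epoll-fd-within-the-lock.patch
+Patch5: Add-a-safety-timeout-to-epoll.patch
+Patch7: Update-NFS-service-name-in-systemd-unit.patch
+Patch8: Always-initialize-out-cred-in-gp_import_gssx_cred.patch
+Patch9: Handle-gss_import_cred-failure-when-importing-gssx-c.patch
+Patch10: Include-length-when-using-krb5_c_decrypt.patch
+Patch11: Change-the-way-we-handle-encrypted-buffers.patch
+Patch12: Avoid-uninitialized-free-when-allocating-buffers.patch
+
+### Dependencies ###
+Requires: krb5-libs >= 1.12.0
+Requires: keyutils-libs
+Requires: libverto-module-base
+Requires: libini_config >= 1.2.0
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+# We use a Conflicts: here so as not to interfere with users who make
+# their own policy. The version is the last time someone has filed a
+# bug about gssproxy being broken with selinux.
+Conflicts: selinux-policy < 3.13.1-283.5
+
+### Build Dependencies ###
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: docbook-style-xsl
+BuildRequires: doxygen
+BuildRequires: findutils
+BuildRequires: gettext-devel
+BuildRequires: keyutils-libs-devel
+BuildRequires: krb5-devel >= 1.12.0
+BuildRequires: libini_config-devel >= 1.2.0
+BuildRequires: libselinux-devel
+BuildRequires: libtool
+BuildRequires: libverto-devel
+BuildRequires: libxml2
+BuildRequires: libxslt
+BuildRequires: m4
+BuildRequires: pkgconfig
+BuildRequires: popt-devel
+BuildRequires: systemd-units
+
+BuildRequires: git
+
+%description
+A proxy for GSSAPI credential handling
+
+%prep
+%autosetup -S git
+
+%build
+autoreconf -f -i
+%configure \
+--with-pubconf-path=%{pubconfpath} \
+--with-initscript=systemd \
+--disable-static \
+--disable-rpath \
+--with-gpp-default-behavior=REMOTE_FIRST
+
+make %{?_smp_mflags} all
+make test_proxymech
+
+%install
+rm -rf %{buildroot}
+make install DESTDIR=%{buildroot}
+rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
+install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
+install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
+install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf
+mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d
+install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
+mkdir -p %{buildroot}%{gpstatedir}/rcache
+
+
+%files
+%license COPYING
+%{_unitdir}/gssproxy.service
+%{_sbindir}/gssproxy
+%attr(755,root,root) %dir %{pubconfpath}
+%attr(755,root,root) %dir %{gpstatedir}
+%attr(700,root,root) %dir %{gpstatedir}/clients
+%attr(700,root,root) %dir %{gpstatedir}/rcache
+%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
+%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf
+%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
+%dir %{_libdir}/gssproxy
+%{_libdir}/gssproxy/proxymech.so
+%{_mandir}/man5/gssproxy.conf.5*
+%{_mandir}/man8/gssproxy.8*
+%{_mandir}/man8/gssproxy-mech.8*
+
+%post
+%systemd_post gssproxy.service
+
+%preun
+%systemd_preun gssproxy.service
+
+%postun
+%systemd_postun_with_restart gssproxy.service
+
+%changelog
+* Mon May 13 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-14
+- Fix explicit NULL deref around encrypted token processing
+- Resolves: #1700539
+
+* Fri May 03 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-13
+- Update NFS service name in systemd unit
+- Resolves: #1701820
+
+* Wed May 01 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-12
+- Avoid uninitialized free when allocating buffers
+- Resolves: #1682281
+
+* Fri Mar 22 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-11
+- Fix race condition around epoll and socket release
+- Resolves: #1690082
+
+* Fri Mar 22 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-10
+- Add a safety timeout to epoll
+- Resolves: #1690082
+
+* Wed Mar 20 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-9
+- Bump to re-run gating
+- Resolves: #1682281
+
+* Tue Mar 19 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-8
+- Bump to re-run gating
+- Resolves: #1682281
+
+* Mon Mar 18 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-7
+- Use pthread keys for thread local storage
+- Resolves: #1631564
+
+* Wed Mar 13 2019 Robbie Harwood <rharwood@redhat.com> - 0.8.0-6
+- Add gating tests
+- Resolves: #1682281
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 12 2018 Robbie Harwood <rharwood@redhat.com> - 0.8.0-4
+- Drop patch level by one (woo!)
+
+* Thu Apr 12 2018 Robbie Harwood <rharwood@redhat.com> - 0.8.0-3
+- Always choose highest requested debug level
+- Update man pages about debugging
+
+* Tue Feb 27 2018 Robbie Harwood <rharwood@redhat.com> - 0.8.0-2
+- Always use the encype we selected
+
+* Fri Feb 09 2018 Robbie Harwood <rharwood@redhat.com> - 0.8.0-1
+- Release version 0.8.0
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Dec 13 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-29
+- Conditionally reload kernel interface on SIGHUP
+
+* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-28
+- Fixup previous
+
+* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-27
+- More code hygeine fixes from upstream
+- Reorder patches to match el7
+
+* Tue Dec 05 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-26
+- Properly initialize ccaches before storing into them
+
+* Fri Dec 01 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-25
+- Properly locate credentials in collection caches in mechglue
+
+* Tue Oct 31 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-24
+- Only empty FILE ccaches when storing remote creds
+
+* Mon Oct 30 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-23
+- Fix error message handling in gp_config_from_dir()
+
+* Fri Oct 27 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-22
+- Fix concurrency issue in server socket handling
+
+* Mon Oct 02 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-21
+- Off-by-one error fix in selinux-policy version
+
+* Mon Oct 02 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-20
+- Change selinux-policy versioning to Conflicts
+
+* Fri Sep 29 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-19
+- Add explicit selinux-policy dependency after some fixes
+
+* Fri Sep 29 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-18
+- Fix silent death if config file has duplicate sections
+
+* Thu Sep 21 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-17
+- Handle outdated encrypted ccaches
+
+* Fri Sep 15 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-16
+- Backport updates to epoll logic
+
+* Tue Sep 12 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-15
+- Backport two security fixes
+
+* Tue Aug 22 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-14
+- Non-blocking IO + Extended request debug logging
+
+* Sun Aug 20 2017 Ville Skyttä <ville.skytta@iki.fi> - 0.7.0-13
+- Own the %%{_libdir}/gssproxy dir
+- Mark COPYING as %%license
+
+* Mon Jul 31 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-12
+- Add client ID to debug messages
+- Move packaging to autosetup
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 19 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-10
+- Fix potential explicit NULL deref of program name
+
+* Thu May 25 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-9
+- Make proc failure loud but nonfatal
+
+* Wed May 24 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-8
+- Remove (buggy?) logic around NFS snippet.
+
+* Wed May 17 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-7
+- Remove NFS server stanza if nfs-utils not present
+- Also update gcc7 patch to match upstream
+
+* Tue May 16 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-6
+- Fix segfault when no configuration files are found
+- Various build fixes for gcc7
+
+* Mon May 01 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-5
+- Update systemd unit file (nfs removal, reload capability)
+
+* Mon Apr 03 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-4
+- Backport fix for double unlock
+
+* Tue Mar 28 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-3
+- Drop NFS server snippet (removes dependency on nfs kernel component)
+
+* Tue Mar 14 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-2
+- Fix credential renewal and impersonator checking for m_a_g
+
+* Tue Mar 07 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-1
+- New upstream release - 0.7.0
+
+* Mon Mar 06 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-4
+- Actually apply the patches I just added
+- Also include a Coverity fix.
+
+* Tue Feb 28 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-2
+- Include other non-null fix and various things from master
+
+* Thu Feb 23 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-1
+- Fix incorrect use of non-null string in xdr
+- Also move version number to better reflect what is inside
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 23 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.1-2
+- Fix allocation issue of cred store
+- Resolves: #1415400
+
+* Fri Jan 20 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.1-1
+- New upstream release v0.6.1
+- Resolves: #1415090
+
+* Wed Jan 18 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.0-1
+- New upstream release v0.6.0
+
+* Tue Sep 27 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.1-3
+- Adjust libverto dependency to not use a specific backend
+- Resolves: #1379812
+
+* Tue Jun 14 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.1-2
+- Own /var/lib/gssproxy/rcache
+
+* Mon Jun 13 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.1-1
+- Update to upstream release v0.5.1
+- Resolves: #1345871
+
+* Tue Jun 07 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-5
+- Acquire new socket for fork/permission drops on clients
+
+* Mon May 09 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-4
+- Do not package mod_auth_gssapi conf file
+- This ensures gssproxy works even when the apache user does not exist
+
+* Thu May 05 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-3
+- Ensure we actually package the config files
+
+* Thu May 05 2016 Simo Sorce <simo@redhat.com> - 0.5.0-2
+- Fix typo in requires
+
+* Wed May 04 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-1
+- Release new upstream version
+- Bump ini_config version for `ini_config_augment()`
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-4
+- Fix issues with 1.14
+- Fix bogus date in changelog (March 30 2015 was a Monday)
+
+* Wed Oct 21 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-3
+- Clear message buffer to fix segfault on arm
+- resolves: #1235902
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
+- New upstream release
+- Fix issues with paths in config files
+
+* Tue Mar 24 2015 Simo Sorce <simo@redhat.com> 0.4.0-2
+- Workaround rawhide bug (bz1204646) with krb5-config by switching to
+pkg-config (patch from upstream)
+
+* Tue Mar 24 2015 Simo Sorce <simo@redhat.com> 0.4.0-1
+- New upstream realease
+Added optional support for running GSS-Proxy as an unprivileged user
+Uses new /etc/gss/mech.d configuration directory for gss mechanisms
+Kernel related fixes
+General bug fixing, many minor errors or incorrect behaviours have been corrected
+- drop all patches, they are all included upstream
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu May 29 2014 Simo Sorce <simo@redhat.com> 0.3.1-2
+- Rebuild as new ding-libs brings in soname bump
+
+* Thu Mar 13 2014 Guenther Deschner <gdeschner@redhat.com> 0.3.1-1
+- Fix flags handling in gss_init_sec_context()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/112
+- Fix nfsd startup
+- resolves: https://fedorahosted.org/gss-proxy/ticket/114
+- Fix potential mutex deadlock
+- resolves: https://fedorahosted.org/gss-proxy/ticket/120
+- Fix segfault in gssi_inquire_context
+- resolves: https://fedorahosted.org/gss-proxy/ticket/117
+- resolves: #1061133
+
+* Tue Nov 26 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.1-0
+- New upstream release 0.3.1:
+* Fix use of gssproxy for client initiation
+* Add new enforcing and filtering options for context initialization
+* Fix potential thread safety issues
+- resolves: https://fedorahosted.org/gss-proxy/ticket/110
+- resolves: https://fedorahosted.org/gss-proxy/ticket/111
+
+* Tue Nov 19 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-3
+- Fix flags handling in gss_init_sec_context()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/106
+- Fix OID handling in gss_inquire_cred_by_mech()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/107
+- Fix continuation processing for not yet fully established contexts.
+- resolves: https://fedorahosted.org/gss-proxy/ticket/108
+- Add flags filtering and flags enforcing.
+- resolves: https://fedorahosted.org/gss-proxy/ticket/109
+
+* Wed Oct 23 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-0
+- New upstream release 0.3.0:
+* Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)
+* Add support for new rpc.gssd mode of operation that forks and changes uid
+* Add 2 new options allow_any_uid and cred_usage
+
+* Fri Oct 18 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-8
+- Fix default proxymech documentation and fix LOCAL_FIRST implementation
+- resolves: https://fedorahosted.org/gss-proxy/ticket/105
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-6
+- Add better default gssproxy.conf file for nfs client and server usage
+
+* Thu Jun 06 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-5
+- New upstream release
+
+* Fri May 31 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-5
+- Require libverto-tevent to make sure libverto initialization succeeds
+
+* Wed May 29 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-4
+- Modify systemd unit files for nfs-secure services
+
+* Wed May 22 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-3
+- Fix cred_store handling w/o client keytab
+
+* Thu May 16 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-2
+- New upstream release
+
+* Tue May 07 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.1-2
+- New upstream release
+
+* Wed Apr 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.0-1
+- New upstream release
+
+* Mon Apr 01 2013 Simo Sorce <simo@redhat.com> - 0.1.0-0
+- New upstream release
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Nov 06 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.3-7
+- Update to 0.0.3
+
+* Wed Aug 22 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-6
+- Use new systemd-rpm macros
+- resolves: #850139
+
+* Wed Jul 18 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-5
+- More spec file fixes
+
+* Mon Jul 16 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-4
+- Fix systemd service file
+
+* Fri Jul 13 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-3
+- Fix various packaging issues
+
+* Mon Jul 02 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-2
+- Add systemd packaging
+
+* Wed Mar 28 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-1
+- Various fixes
+
+* Mon Dec 12 2011 Simo Sorce <simo@redhat.com> - 0.0.2-0
+- Automated build of the gssproxy daemon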
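Review bot: The patch list jumps from `Patch5:` to `Patch7:`, which `%autosetup` tolerates (it applies whatever PatchN tags exist) but which reads as though a patch were dropped from this import; a one-line comment beside `Patch7:` such as `# Patch6 intentionally unused` would save the next maintainer a search through the history. The `Requires(post)/(preun)/(postun): systemd-units` triplet and `BuildRequires: systemd-units` are the pre-macro spelling, while the scriptlets already use `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart`; `%{?systemd_requires}` together with `BuildRequires: systemd` would match the macros the spec relies on. `rm -rf %{buildroot}` at the top of `%install` is redundant with the build system's own cleanup of the buildroot and can be dropped.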