diff --git a/SOURCES/0001-Add-an-option-for-minimum-lifetime.patch b/SOURCES/0001-Add-an-option-for-minimum-lifetime.patch
new file mode 100644
index 0000000..002cc76
--- /dev/null
+++ b/SOURCES/0001-Add-an-option-for-minimum-lifetime.patch
@@ -0,0 +1,139 @@ +From 7945bd756c5e41ec223c058b2c698809f04f3c77 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Thu, 2 Sep 2021 12:44:27 -0400 +Subject: [PATCH] Add an option for minimum lifetime + +It's possible for gssproxy to return a cached credential with a very +small remaining lifetime. This can be problematic for NFS clients since +it requires a round trip to the NFS server to establish a GSS context. +Add a min_lifetime option that represents the lowest value that the +lifetime of the cached credential can be. Any lower than that, and +gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that +gp_add_krb5_creds() is forced to try to obtain a new credential. + +Signed-off-by: Scott Mayhew +--- + examples/99-nfs-client.conf.in | 1 + + man/gssproxy.conf.5.xml | 15 +++++++++++++++ + src/gp_config.c | 12 ++++++++++++ + src/gp_creds.c | 12 ++++++++++-- + src/gp_proxy.h | 1 + + 5 files changed, 39 insertions(+), 2 deletions(-) + +diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in +index c0985d9..9dd1891 100644 +--- a/examples/99-nfs-client.conf.in ++++ b/examples/99-nfs-client.conf.in +@@ -7,3 +7,4 @@ + allow_any_uid = yes + trusted = yes + euid = 0 ++ min_lifetime = 60 +diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml +index 67dce68..f02b1d3 100644 +--- a/man/gssproxy.conf.5.xml ++++ b/man/gssproxy.conf.5.xml +@@ -331,6 +331,21 @@ + + + ++ ++ min_lifetime (integer) ++ ++ Minimum lifetime of a cached credential, in seconds. ++ If non-zero, when gssproxy is deciding whether to use ++ a cached credential, it will compare the lifetime of the ++ cached credential to this value. If the lifetime of the ++ cached credential is lower, gssproxy will treat the cached ++ credential as expired and will attempt to obtain a new ++ credential. 
++ ++ Default: min_lifetime = 15 ++ ++ ++ + + program (string) + +diff --git a/src/gp_config.c b/src/gp_config.c +index 88d5f29..6a6aa90 100644 +--- a/src/gp_config.c ++++ b/src/gp_config.c +@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = { + + #define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG + #define DEFAULT_ENFORCED_FLAGS 0 ++#define DEFAULT_MIN_LIFETIME 15 + + static void free_str_array(const char ***a, int *count) + { +@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx) + goto done; + } + } ++ ++ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME; ++ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum); ++ if (ret == 0) { ++ if (valnum >= 0) { ++ cfg->svcs[n]->min_lifetime = valnum; ++ } else { ++ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n", ++ valnum, secname); ++ } ++ } + } + safefree(secname); + } +diff --git a/src/gp_creds.c b/src/gp_creds.c +index 92a6f13..843d1a3 100644 +--- a/src/gp_creds.c ++++ b/src/gp_creds.c +@@ -492,6 +492,7 @@ done: + } + + static uint32_t gp_check_cred(uint32_t *min, ++ struct gp_service *svc, + gss_cred_id_t in_cred, + gssx_name *desired_name, + gss_cred_usage_t cred_usage) +@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min, + if (lifetime == 0) { + ret_maj = GSS_S_CREDENTIALS_EXPIRED; + } else { +- ret_maj = GSS_S_COMPLETE; ++ if (svc->min_lifetime && lifetime < svc->min_lifetime) { ++ GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) " ++ "for service \"%s\" - returning\n", ++ __func__, lifetime, svc->min_lifetime, svc->name); ++ ret_maj = GSS_S_CREDENTIALS_EXPIRED; ++ } else { ++ ret_maj = GSS_S_COMPLETE; ++ } + } + + done: +@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min, + * function completely */ + + /* just check if it is a valid krb5 cred */ +- ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage); ++ ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage); + if 
(ret_maj == GSS_S_COMPLETE) { + return GSS_S_COMPLETE; + } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED || +diff --git a/src/gp_proxy.h b/src/gp_proxy.h +index 3f58a43..f56d640 100644 +--- a/src/gp_proxy.h ++++ b/src/gp_proxy.h +@@ -45,6 +45,7 @@ struct gp_service { + gss_cred_usage_t cred_usage; + uint32_t filter_flags; + uint32_t enforce_flags; ++ uint32_t min_lifetime; + char *program; + + uint32_t mechs; +-- +2.39.2 + diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec index c0be42f..f847722 100644 --- a/SPECS/gssproxy.spec +++ b/SPECS/gssproxy.spec @@ -1,7 +1,7 @@ Name: gssproxy Version: 0.8.4 -Release: 4%{?dist} +Release: 6%{?dist} Summary: GSSAPI Proxy License: MIT @@ -14,6 +14,7 @@ Source1: rwtab %global gpstatedir %{_localstatedir}/lib/gssproxy ### Patches ### +Patch0001: 0001-Add-an-option-for-minimum-lifetime.patch ### Dependencies ### Requires: krb5-libs >= 1.12.0 @@ -110,6 +111,16 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy %systemd_postun_with_restart gssproxy.service %changelog +* Wed Apr 05 2023 Julien Rische - 0.8.4-6 +- Use openldap-servers from EPEL repo for testing +- Resolves: rhbz#2187634 + +* Mon Apr 03 2023 Julien Rische - 0.8.4-5 +- Add an option for minimum lifetime +- Resolves: rhbz#2184333 +- Remove unused patch files +- Fix date typographical error in changelog + * Mon Aug 09 2021 Mohan Boddu - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 @@ -120,7 +131,7 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy * Tue Jan 26 2021 Fedora Release Engineering - 0.8.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Wed Jan 13 2020 Robbie Harwood - 0.8.4-1 +* Wed Jan 13 2021 Robbie Harwood - 0.8.4-1 - New upstream release (0.8.4) * Thu Oct 29 2020 Robbie Harwood - 0.8.3-6
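Review bot: In the embedded gp_config.c hunk at `@@ -538,6 +539,17 @@`, a malformed `min_lifetime` value is indistinguishable from an absent one: only `ret == 0` is handled, so any other return from gp_config_get_int silently keeps DEFAULT_MIN_LIFETIME, and unlike a negative value it produces no GPDEBUG line for the operator. If gp_config_get_int reports a missing key as ENOENT and a non-numeric value as a different error (its definition is not visible here), consider `} else if (ret != ENOENT) { GPDEBUG("Invalid value for min_lifetime in [%s], ignoring.\n", secname); }`, or `goto done` instead if that is how the rest of load_services treats errors on its other integer options. Separately, `gp_check_cred` in the gp_creds.c hunk gained a `svc` parameter with no comment; a line above its definition such as `/* svc->min_lifetime (seconds, 0 = disabled): creds with less remaining lifetime are reported as GSS_S_CREDENTIALS_EXPIRED so the caller re-acquires */` would document the new contract. Both load_services and gp_check_cred begin and end outside their hunks.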