From 736164870b99166ccecbfad2c5ea3ae991aba243 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Fri, 18 Oct 2013 14:42:12 +0200
Subject: [PATCH] Fix default proxymech documentation and fix LOCAL_FIRST implementation
resolves: https://fedorahosted.org/gss-proxy/ticket/105
---
 0001-Fix-LOCAL_FIRST-behavior.patch | 79 +++++++++++++++++++
 0002-Fix-documentation-to-match-reality.patch | 39 +++++++++
 gssproxy.spec | 10 ++-
 3 files changed, 127 insertions(+), 1 deletion(-)
 create mode 100644 0001-Fix-LOCAL_FIRST-behavior.patch
 create mode 100644 0002-Fix-documentation-to-match-reality.patch
diff --git a/0001-Fix-LOCAL_FIRST-behavior.patch b/0001-Fix-LOCAL_FIRST-behavior.patch
new file mode 100644
index 0000000..ed200a9
--- /dev/null
+++ b/0001-Fix-LOCAL_FIRST-behavior.patch
@@ -0,0 +1,79 @@
+From b73a9a18cb2df0b39c30d3e03c66d2f24ec3f57d Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 15 Oct 2013 15:45:59 -0400
+Subject: [PATCH 1/2] Fix LOCAL_FIRST behavior
+
+We were erroneously returning and never falling back if LOCAL_FIRST was
+selected. Correct also the remote first fallback flow.
+
+Resolves: https://fedorahosted.org/gss-proxy/ticket/105
+---
+ proxy/src/mechglue/gpp_acquire_cred.c | 39 +++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
+index a3290dd72ae2d97eaa05f250a4d2dd96824abebf..fb80677eed4680470e21b820633e87b94f36d6cc 100644
+--- a/proxy/src/mechglue/gpp_acquire_cred.c
++++ b/proxy/src/mechglue/gpp_acquire_cred.c
+@@ -109,7 +109,7 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
+ maj = acquire_local(&min, name, time_req, desired_mechs, cred_usage,
+ out_cred_handle, actual_mechs, time_rec);
+
+- if (maj != GSS_S_NO_CRED || behavior != GPP_LOCAL_FIRST) {
++ if (maj == GSS_S_COMPLETE || behavior == GPP_LOCAL_ONLY) {
+ goto done;
+ }
+
+@@ -119,31 +119,30 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status,
+ }
+
+ /* Then try with remote */
+- if (behavior == GPP_REMOTE_ONLY || behavior == GPP_REMOTE_FIRST) {
+-
+- if (name && name->local && !name->remote) {
+- maj = gpp_local_to_name(&min, name->local, &name->remote);
+- if (maj) {
+- goto done;
+- }
+- }
+-
+- maj = gpm_acquire_cred(&min,
+- name ? name->remote : NULL,
+- time_req,
+- desired_mechs,
+- cred_usage,
+- &out_cred_handle->remote,
+- actual_mechs,
+- time_rec);
+- if (maj == GSS_S_COMPLETE || behavior == GPP_REMOTE_ONLY) {
++ if (name && name->local && !name->remote) {
++ maj = gpp_local_to_name(&min, name->local, &name->remote);
++ if (maj) {
+ goto done;
+ }
++ }
+
++ maj = gpm_acquire_cred(&min,
++ name ? name->remote : NULL,
++ time_req,
++ desired_mechs,
++ cred_usage,
++ &out_cred_handle->remote,
++ actual_mechs,
++ time_rec);
++ if (maj == GSS_S_COMPLETE || behavior == GPP_REMOTE_ONLY) {
++ goto done;
++ }
++
++ if (behavior == GPP_REMOTE_FIRST) {
+ /* So remote failed, but we can fallback to local, try that */
+ maj = acquire_local(&min, name, time_req, desired_mechs, cred_usage,
+ out_cred_handle, actual_mechs, time_rec);
+- }
++ }
+
+ done:
+ if (maj != GSS_S_COMPLETE &&
+--
+1.8.3.1
+
diff --git a/0002-Fix-documentation-to-match-reality.patch b/0002-Fix-documentation-to-match-reality.patch
new file mode 100644
index 0000000..51d0e9a
--- /dev/null
+++ b/0002-Fix-documentation-to-match-reality.patch
@@ -0,0 +1,39 @@
+From 788132ea70522663efab652d8653e1eaa8819822 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 15 Oct 2013 15:48:04 -0400
+Subject: [PATCH 2/2] Fix documentation to match reality
+
+LOCAL_FIRST is our default
+---
+ proxy/man/gssproxy-mech.8.xml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/proxy/man/gssproxy-mech.8.xml b/proxy/man/gssproxy-mech.8.xml
+index b2d008cc8990c214027d2104bf72da776faf1b82..2249ced68af410d9f444ca479df1827712898354 100644
+--- a/proxy/man/gssproxy-mech.8.xml
++++ b/proxy/man/gssproxy-mech.8.xml
+@@ -74,10 +74,7 @@
+ All commands received with this setting will cause
+ to immediately reenter the GSSAPI w/o any interaction
+ with the gssproxy daemon. When the request cannot be
+- processed it will just fail. This is the default
+- behavior when the
+- GSSPROXY_BEHAVIOR environment
+- variable is not set at all.
++ processed it will just fail.
+
+
+
+@@ -88,6 +85,9 @@
+ to immediately reenter the GSSAPI. When the local
+ GSSAPI cannot process the request, it will resend the
+ request to the gssproxy daemon.
++ This is the default behavior when the
++ GSSPROXY_BEHAVIOR environment
++ variable is not set.
+
+
+
+--
+1.8.3.1
+
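Review bot: In the first hunk of the embedded gpp_acquire_cred.c patch, the new test `if (maj == GSS_S_COMPLETE || behavior == GPP_LOCAL_ONLY)` lets every local failure fall through to the proxy, where the old condition singled out GSS_S_NO_CRED, and the later `maj = gpm_acquire_cred(&min, ...)` then overwrites the local major and minor status. Since the documentation patch in this same commit states that LOCAL_FIRST is the default, a caller whose local acquisition failed for some other reason (a bad name or mechanism, say) is now answered by the daemon and, if that fails too, sees only the remote error. If that widening is intended, say so at the check, e.g. `/* any local failure, not only GSS_S_NO_CRED, falls back to the proxy */`, and consider keeping the first failure's status in separate variables for the error path after `done:`. The second hunk has the mirror case for GPP_REMOTE_FIRST, and a `gpp_local_to_name` failure there still jumps to `done` without the local fallback. gssi_acquire_cred starts before and ends after the lines shown, so what runs after `done:` is not visible here.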
diff --git a/gssproxy.spec b/gssproxy.spec index 88dc9d0..2f4aaed 100644 --- a/gssproxy.spec +++ b/gssproxy.spec @@ -1,6 +1,6 @@ Name: gssproxy Version: 0.2.3 -Release: 7%{?dist} +Release: 8%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries @@ -9,6 +9,8 @@ URL: http://fedorahosted.org/gss-proxy Source0: http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Patch0: gssproxy-conf.patch +Patch1: 0001-Fix-LOCAL_FIRST-behavior.patch +Patch2: 0002-Fix-documentation-to-match-reality.patch %global servicename gssproxy %global pubconfpath %{_sysconfdir}/gssproxy @@ -54,6 +56,8 @@ A proxy for GSSAPI credential handling %setup -q %patch0 -p2 -b .gssproxy_conf +%patch1 -p2 -b .gpp_default_behavior +%patch2 -p2 -b .gpp_default_behavior_doc %build autoreconf -f -i @@ -106,6 +110,10 @@ rm -rf %{buildroot} %systemd_postun_with_restart gssproxy.service %changelog +* Fri Oct 18 2013 Guenther Deschner 0.2.3-8 +- Fix default proxymech documentation and fix LOCAL_FIRST implementation +- resolves: https://fedorahosted.org/gss-proxy/ticket/105 + * Sat Aug 03 2013 Fedora Release Engineering - 0.2.3-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild