diff --git a/Always-check-if-we-have-a-remote-credential.patch b/Always-check-if-we-have-a-remote-credential.patch
new file mode 100644
index 0000000..ead26f4
--- /dev/null
+++ b/Always-check-if-we-have-a-remote-credential.patch
@@ -0,0 +1,79 @@
+From c5d80e916e087b584f8890c383fe699ec17a97ad Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 23 Feb 2017 13:56:34 -0500
+Subject: [PATCH] Always check if we have a remote credential
+
+Even if we are not given an explicit ccache, check if the ccache we are
+going to use for operations on the client side has a stored remote
+credential. If one is found use it.
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+PR: #51
+(cherry picked from commit ba27dee8a32750493664e720f751db2ff652d9a0)
+---
+ proxy/src/mechglue/gpp_acquire_cred.c | 43 +++++++++++++++++------------------
+ 1 file changed, 21 insertions(+), 22 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
+index 1444728..277e61a 100644
+--- a/proxy/src/mechglue/gpp_acquire_cred.c
++++ b/proxy/src/mechglue/gpp_acquire_cred.c
+@@ -88,6 +88,7 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+ struct gpp_name_handle *name;
+ struct gpp_cred_handle *out_cred_handle = NULL;
+ struct gssx_cred *in_cred_remote = NULL;
++ const char *ccache_name = NULL;
+ OM_uint32 maj, min;
+ OM_uint32 tmaj, tmin;
+ 
+@@ -111,29 +112,27 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+ name = (struct gpp_name_handle *)desired_name;
+ behavior = gpp_get_behavior();
+ 
+- /* if a cred_store option is passed in, check if it references
+- * valid credentials, if so switch behavior appropriately */
+- if (cred_store) {
+- for (unsigned i = 0; i < cred_store->count; i++) {
+- if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
+- gssx_cred remote = {0};
+- maj = gppint_retrieve_remote_creds(&min,
+- cred_store->elements[i].value, NULL, &remote);
+- if (maj == GSS_S_COMPLETE) {
+- in_cred_remote = malloc(sizeof(gssx_cred));
+- if (!in_cred_remote) {
+- maj = GSS_S_FAILURE;
+- min = ENOMEM;
+- goto done;
+- }
+- *in_cred_remote = remote;
+- break;
+- }
+- }
++ /* Always check if we have remote creds stored in the local ccache 
*/
++ for (unsigned i = 0; cred_store && i < cred_store->count; i++) {
++ if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
++ ccache_name = cred_store->elements[i].value;
++ break;
+ }
+- if (in_cred_remote) {
+- behavior = GPP_REMOTE_ONLY;
+- } else {
++ }
++
++ in_cred_remote = calloc(1, sizeof(gssx_cred));
++ if (!in_cred_remote) {
++ maj = GSS_S_FAILURE;
++ min = ENOMEM;
++ goto done;
++ }
++ maj = gppint_retrieve_remote_creds(&min, ccache_name, NULL,
++ in_cred_remote);
++ if (maj == GSS_S_COMPLETE) {
++ behavior = GPP_REMOTE_ONLY;
++ } else {
++ safefree(in_cred_remote);
++ if (ccache_name) {
+ behavior = GPP_LOCAL_ONLY;
+ }
+ }
diff --git a/Clean-up-build-flags.patch b/Clean-up-build-flags.patch
new file mode 100644
index 0000000..76b9d68
--- /dev/null
+++ b/Clean-up-build-flags.patch
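Review bot: The comment `/* Always check if we have remote creds stored in the local ccache */` no longer describes the decision that follows it: a successful probe forces `GPP_REMOTE_ONLY`, a failed probe forces `GPP_LOCAL_ONLY` only when the caller named a ccache in `cred_store`, and otherwise the value from `gpp_get_behavior()` is kept — worth spelling out, since the default ccache is now consulted even when the caller passed no store at all. Suggested replacement: `/* Probe the ccache (the caller's, else the default) for a stored remote credential: found -> remote only; not found with an explicit ccache -> local only; otherwise keep the configured behavior */`. The failure branch releases only the outer struct with `safefree(in_cred_remote)`; if `gppint_retrieve_remote_creds` can allocate members of `*in_cred_remote` before failing, those would leak — not verifiable from this hunk. `gssi_acquire_cred_from` starts and ends outside the hunk.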
@@ -0,0 +1,45 @@
+From 5edd13736430e5df71c728a15da5d469bfcb931d Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 20 Feb 2017 22:21:55 -0500
+Subject: [PATCH] Clean up build flags
+
+Don't pretend to support non-gcc-like compilers, and don't require
+-Wdate-time on all builds.
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+(cherry picked from commit db9b56f54dfb4920b01b6a32ae6e221d231e54ce)
+---
+ proxy/Makefile.am | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/proxy/Makefile.am b/proxy/Makefile.am
+index 644694f..e1fbac1 100644
+--- a/proxy/Makefile.am
++++ b/proxy/Makefile.am
+@@ -40,19 +40,13 @@ AM_LDFLAGS =
+ if WANT_AUX_INFO
+ AM_CFLAGS += -aux-info $@.X
+ endif
+-if HAVE_GCC
+-# -fstrict-aliasing is needed so that -W*strict-aliasing works
+-# properly
+- AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+- -Wcast-qual -Wcast-align -Wwrite-strings \
+- -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
+- -Werror-implicit-function-declaration \
+- -Werror=format-security
+-
+- AM_CPPFLAGS += -Wdate-time
+-endif
++AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
++ -Wcast-qual -Wcast-align -Wwrite-strings \
++ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
++ -Werror-implicit-function-declaration \
++ -Werror=format-security
+ if BUILD_HARDENING
+- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
++ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2 -Wdate-time
+ AM_CFLAGS += -fPIE -fstack-protector-strong
+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
+ endif
diff --git a/Detect-kerberos.schema-on-RHEL.patch b/Detect-kerberos.schema-on-RHEL.patch
new file mode 100644
index 0000000..d23571f
--- /dev/null
+++ b/Detect-kerberos.schema-on-RHEL.patch
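Review bot: Removing the `if HAVE_GCC` block also removes the comment `# -fstrict-aliasing is needed so that -W*strict-aliasing works properly`, so the reason an optimisation flag sits in a list of warning flags is no longer recorded; keep that comment directly above the new unconditional `AM_CFLAGS += -Wall ...` line. Since `-Wdate-time` is now only added under `BUILD_HARDENING`, a one-line comment next to `AM_CPPFLAGS += -D_FORTIFY_SOURCE=2 -Wdate-time` saying that reproducible-build checks are intentionally limited to hardened builds would save the next reader a trip to the commit log.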
@@ -0,0 +1,34 @@
+From 6511f2a8343ca0cef863d12cec59ecc1a8cfa08e Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 20 Feb 2017 22:34:13 -0500
+Subject: [PATCH] Detect kerberos.schema on RHEL
+
+The docpath on RHEL includes the package version. Since there will
+only ever be one version, just glob it.
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+(cherry picked from commit 57e8fb3ac1be3ed648629066509b832fb8231554)
+---
+ proxy/tests/testlib.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/proxy/tests/testlib.py b/proxy/tests/testlib.py
+index 858e9a9..bb210d3 100755
+--- a/proxy/tests/testlib.py
++++ b/proxy/tests/testlib.py
+@@ -148,10 +148,11 @@ def setup_ldap(testdir, wrapenv):
+ raise ValueError("Did not find LDAP schemas; is openldap installed?")
+ 
+ k5schema = None
+- for path in ["/usr/share/doc/krb5-server-ldap/kerberos.schema",
++ for path in ["/usr/share/doc/krb5-server-ldap*/kerberos.schema",
+ "/usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"]:
+- if os.path.exists(path):
+- k5schema = path
++ pathlist = glob.glob(path)
++ if len(pathlist) > 0:
++ k5schema = pathlist[0]
+ break
+ if k5schema == None:
+ print("Please be sure krb5 ldap packages are installed")
diff --git a/Document-debug_level-option-in-gssproxy.conf-5.patch b/Document-debug_level-option-in-gssproxy.conf-5.patch
new file mode 100644
index 0000000..8e66715
--- /dev/null
+++ b/Document-debug_level-option-in-gssproxy.conf-5.patch
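Review bot: `glob.glob()` returns matches in directory order, so when more than one `krb5-server-ldap*` doc directory is present (for example across a package upgrade) `pathlist[0]` is an arbitrary pick; `pathlist = sorted(glob.glob(path))` makes the choice deterministic, and `if pathlist:` reads better than `len(pathlist) > 0`. The hunk does not show an `import glob` in testlib.py; confirm one exists at the top of the file, otherwise this raises NameError at test time. `setup_ldap` starts and ends outside the hunk.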
@@ -0,0 +1,44 @@
+From 77a838db589801c23c85ead8b16a78d14aaa65e3 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 22 Feb 2017 15:03:50 -0500
+Subject: [PATCH] Document debug_level option in gssproxy.conf(5)
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+(cherry picked from commit dd9ed3d321e74fbd138f5d8760fe540bb1f4d7bc)
+---
+ proxy/man/gssproxy.conf.5.xml | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
+index 7c724d6..7ddb2fb 100644
+--- a/proxy/man/gssproxy.conf.5.xml
++++ b/proxy/man/gssproxy.conf.5.xml
+@@ -180,7 +180,26 @@
+ Enable debugging to syslog.
+ Default: debug = false
+ 
+- 
++ 
++ 
++ 
++ debug_level (integer)
++ 
++ 
++ Detail level at which to log debugging messages.
++ 0 corresponds to no logging, while 1 turns on
++ basic debug logging. Level 2 increases verbosity,
++ including more detailed credential verification.
++ 
++ 
++ At level 3 and above, KRB5_TRACE output is logged.
++ If KRB5_TRACE was already set in the execution
++ environment, trace output is sent to its value
++ instead.
++ 
++ Default: 1 if debug is true, otherwise 0
++ 
++ 
+ 
+ 
+ euid (integer or string)
diff --git a/Fix-another-incorrect-use-of-non-null-term.-string.patch b/Fix-another-incorrect-use-of-non-null-term.-string.patch
new file mode 100644
index 0000000..e59e681
--- /dev/null
+++ b/Fix-another-incorrect-use-of-non-null-term.-string.patch
@@ -0,0 +1,33 @@
+From a69d4d16327916d6dde549aa0873ed1323248c8c Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 23 Feb 2017 13:32:06 -0500
+Subject: [PATCH] Fix another incorrect use of non-null term. string
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+PR: #50
+(cherry picked from commit 02d9a798c1019f93579e5d29b0b21c0570717dc2)
+---
+ proxy/src/mechglue/gpp_creds.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
+index 38d03fd..37517d6 100644
+--- a/proxy/src/mechglue/gpp_creds.c
++++ b/proxy/src/mechglue/gpp_creds.c
+@@ -103,9 +103,12 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
+ if (ret) goto done;
+ 
+ if (name) {
+- ret = krb5_parse_name(ctx,
+- name->display_name.octet_string_val,
+- &icred.client);
++ char client_name[name->display_name.octet_string_len + 1];
++ memcpy(client_name, name->display_name.octet_string_val,
++ name->display_name.octet_string_len);
++ client_name[name->display_name.octet_string_len] = '\0';
++
++ ret = krb5_parse_name(ctx, client_name, &icred.client);
+ } else {
+ ret = krb5_cc_get_principal(ctx, ccache, &icred.client);
+ }
diff --git a/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch b/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
new file mode 100644
index 0000000..281b85e
--- /dev/null
+++ b/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
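Review bot: `char client_name[name->display_name.octet_string_len + 1]` sizes a stack VLA from a length carried inside the gssx name structure, so an oversized value (or one where `+ 1` wraps to zero) turns into stack exhaustion or an out-of-bounds `memcpy` instead of a reported error; a heap copy with a checked allocation keeps the NUL-termination fix while bounding the risk. The function already uses `ret` and `goto done` for error exits, so the form below fits, assuming `done` releases the resources the surrounding code holds (`gppint_retrieve_remote_creds` continues outside the hunk) and POSIX `strndup` is acceptable in this file.
```c
    if (name) {
        char *client_name = strndup(name->display_name.octet_string_val,
                                    name->display_name.octet_string_len);
        if (!client_name) {
            ret = ENOMEM;
            goto done;
        }
        ret = krb5_parse_name(ctx, client_name, &icred.client);
        free(client_name);
    } else {
        /* … unchanged: krb5_cc_get_principal branch … */
```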
@@ -0,0 +1,26 @@
+From 6e2ee182afa62d7003fad8110f7877410ddc7d6d Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 27 Feb 2017 14:44:06 -0500
+Subject: [PATCH] Fix asprintf(3) call in ensure_segregated_ccache()
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+PR: #53
+(cherry picked from commit fbf882e770474a60022d93c009f277a2d2674e42)
+---
+ proxy/src/gp_creds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
+index 0e5532f..db5b4b2 100644
+--- a/proxy/src/gp_creds.c
++++ b/proxy/src/gp_creds.c
+@@ -276,7 +276,7 @@ static int ensure_segregated_ccache(struct gp_call_ctx *gpcall,
+ } while (tid == -1 && errno == EINTR);
+ 
+ ret = asprintf(&buf, "MEMORY:internal_%d", tid);
+- if (!buf) {
++ if (ret == -1) {
+ return ENOMEM;
+ }
+ 
diff --git a/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch b/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
new file mode 100644
index 0000000..f60c907
--- /dev/null
+++ b/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
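Review bot: `ret` is the same variable the function uses for its error code (it returns `ENOMEM` on the next line), and after a successful `asprintf` it holds the formatted length; if any later path in `ensure_segregated_ccache` returns `ret` without reassigning it, a positive byte count would be reported as a failure — the rest of the function is outside the hunk, so please check. A separate local sidesteps the question: `int len = asprintf(&buf, "MEMORY:internal_%d", tid);` followed by `if (len == -1) {`. The function starts and ends outside the hunk.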
@@ -0,0 +1,49 @@
+From 727e5a91d930750b4cf814f8b37fd4aace303c4c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 21 Feb 2017 17:24:48 -0500
+Subject: [PATCH] Fix behavior when not passed config_dir on the command line
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+(cherry picked from commit 5da58d18668b3e6ce175ad3d4f74a357c31784de)
+---
+ proxy/src/gp_config.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
+index cf1c08b..184f59e 100644
+--- a/proxy/src/gp_config.c
++++ b/proxy/src/gp_config.c
+@@ -612,7 +612,7 @@ struct gp_config *read_config(char *config_file, char *config_dir,
+ char *socket_name, int opt_daemonize)
+ {
+ const char *socket = GP_SOCKET_NAME;
+- const char *dir = PUBCONF_PATH;
++ const char *dir = NULL;
+ struct gp_config *cfg;
+ int ret;
+ 
+@@ -634,12 +634,18 @@ struct gp_config *read_config(char *config_file, char *config_dir,
+ }
+ }
+ 
+- if (config_dir) dir = config_dir;
++ if (config_dir) {
++ dir = config_dir;
++ } else if (!config_file) {
++ dir = PUBCONF_PATH;
++ }
+ 
+- cfg->config_dir = strdup(dir);
+- if (!cfg->config_dir) {
+- ret = ENOMEM;
+- goto done;
++ if (dir) {
++ cfg->config_dir = strdup(dir);
++ if (!cfg->config_dir) {
++ ret = ENOMEM;
++ goto done;
++ }
+ }
+ 
+ if (socket_name) socket = socket_name;
diff --git a/Fix-incorrect-use-of-non-null-terminated-string.patch b/Fix-incorrect-use-of-non-null-terminated-string.patch
index d54bb43..7732c6d 100644
--- a/Fix-incorrect-use-of-non-null-terminated-string.patch
+++ b/Fix-incorrect-use-of-non-null-terminated-string.patch
@@ -1,4 +1,4 @@
-From 5066d2d9d150d9761a33307ecd533f045e11ad59 Mon Sep 17 00:00:00 2001
+From 1214f2e9ad34783e8f12a42c8b06793c6e42217c Mon Sep 17 00:00:00 2001
 From: Simo Sorce
 Date: Thu, 23 Feb 2017 11:51:04 -0500
 Subject: [PATCH] Fix incorrect use of non-null terminated string
diff --git a/gssproxy.spec b/gssproxy.spec
index 8b7d91f..7a47221 100644
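Review bot: When `config_file` is given and `config_dir` is not, `dir` stays NULL and `cfg->config_dir` is never assigned, so the new `if (dir)` block silently relies on `cfg` having been zero-initialised where it was allocated earlier in `read_config` (outside this hunk) and on every consumer of `cfg->config_dir` tolerating NULL; neither is visible here, so please confirm both. A comment on the new branch would make the intent explicit, e.g. `/* an explicit config file without config_dir disables the drop-in directory; cfg->config_dir stays NULL */` above `} else if (!config_file) {`. `read_config` ends outside the hunk.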
--- a/gssproxy.spec +++ b/gssproxy.spec @@ -1,6 +1,6 @@ Name: gssproxy Version: 0.6.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries @@ -14,7 +14,14 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) %global gpstatedir %{_localstatedir}/lib/gssproxy ### Patches ### -Patch1: Fix-incorrect-use-of-non-null-terminated-string.patch +Patch0: Clean-up-build-flags.patch +Patch1: Detect-kerberos.schema-on-RHEL.patch +Patch2: Fix-behavior-when-not-passed-config_dir-on-the-comma.patch +Patch3: Document-debug_level-option-in-gssproxy.conf-5.patch +Patch4: Fix-incorrect-use-of-non-null-terminated-string.patch +Patch5: Fix-another-incorrect-use-of-non-null-term.-string.patch +Patch6: Always-check-if-we-have-a-remote-credential.patch +Patch7: Fix-asprintf-3-call-in-ensure_segregated_ccache.patch ### Dependencies ### Requires: krb5-libs >= 1.12.0 @@ -119,6 +126,9 @@ rm -rf %{buildroot} %systemd_postun_with_restart gssproxy.service %changelog +* Tue Feb 28 2017 Robbie Harwood - 0.6.2-2 +- Include other non-null fix and various things from master + * Thu Feb 23 2017 Robbie Harwood - 0.6.2-1 - Fix incorrect use of non-null string in xdr - Also move version number to better reflect what is inside
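Review bot: The patch list is renumbered — the existing non-null-terminated-string fix moves from `Patch1` to `Patch4` and `Patch0` through `Patch7` are declared — but nothing in this diff touches `%prep`; if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, `%patch1` would now apply the kerberos.schema test change and the newly added patches would not be applied at all, so please verify `%prep` outside these hunks. The changelog line `- Include other non-null fix and various things from master` would be more useful to someone auditing the package later if it named the fixes by subject (asprintf check, config_dir handling, remote-credential lookup), since those are what the release bump actually ships.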