Fix issues with 1.14

Robbie Harwood 2015-12-16 23:23:04 +00:00
parent 1a42aaa8ce
commit b179495c47
3 changed files with 141 additions and 5 deletions


@ -1,6 +1,6 @@
Name: gssproxy
Version: 0.4.1
Release: 3%{?dist}
Release: 4%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@ -15,9 +15,10 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0: clear_message_structure.patch
Patch1: krb5-1.14-inquire_context_no_name.patch
Patch2: krb5-1.14-inquire_attrs_accept_null.patch
### Dependencies ###
Requires: krb5-libs >= 1.12.0
Requires: keyutils-libs
Requires: libverto-tevent
@ -26,7 +27,6 @@ Requires(preun): systemd-units
Requires(postun): systemd-units
### Build Dependencies ###
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
@ -53,7 +53,9 @@ A proxy for GSSAPI credential handling
%prep
%setup -q
%patch0 -p2
%patch0 -p2 -b .clear_message_structure
%patch1 -p2 -b .krb5-1.14-inquire_context_no_name
%patch2 -p2 -b .krb5-1.14-inquire_attrs_accept_null
%build
autoreconf -f -i
@ -105,6 +107,10 @@ rm -rf %{buildroot}
%systemd_postun_with_restart gssproxy.service
%changelog
* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-4
- Fix issues with 1.14
- Fix bogus date in changelog (March 30 2015 was a Monday)
* Wed Oct 21 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-3
- Clear message buffer to fix segfault on arm
- resolves: #1235902
@ -112,7 +118,7 @@ rm -rf %{buildroot}
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
* Mon Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
- New upstream release
- Fix issues with paths in config files


@ -0,0 +1,82 @@
From 14e33b725c991d6c500ca93e241ed64e1a755843 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 17:48:11 -0500
Subject: [PATCH 2/2] Fix for gss_inquire_attrs_for_mech accepting NULLs
As per rfc5587, gss_inquire_attrs_for_mech must accept NULL mech_attrs
and known_mech_attrs arguments. Up until 1.14, MIT krb5 was not ever
passing NULLs in these fields.
This fixes an interposer loop (and subsequent segmentation fault) due
to our previous assumption that these arguments not be NULL.
See also: https://tools.ietf.org/html/rfc5587#section-3.4.3
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
---
proxy/src/client/gpm_indicate_mechs.c | 38 ++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/proxy/src/client/gpm_indicate_mechs.c b/proxy/src/client/gpm_indicate_mechs.c
index 35ce3bb..d4df923 100644
--- a/proxy/src/client/gpm_indicate_mechs.c
+++ b/proxy/src/client/gpm_indicate_mechs.c
@@ -444,10 +444,6 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
if (!minor_status) {
return GSS_S_CALL_INACCESSIBLE_WRITE;
}
- if (!mech_attrs || !known_mech_attrs) {
- *minor_status = 0;
- return GSS_S_CALL_INACCESSIBLE_WRITE;
- }
ret_min = gpmint_init_global_mechs();
if (ret_min) {
@@ -459,21 +455,31 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
continue;
}
- ret_maj = gpm_copy_gss_OID_set(&ret_min,
- global_mechs.info[i].mech_attrs,
- mech_attrs);
- if (ret_maj) {
+
+ if (mech_attrs != NULL) {
+ ret_maj = gpm_copy_gss_OID_set(&ret_min,
+ global_mechs.info[i].mech_attrs,
+ mech_attrs);
+ if (ret_maj) {
+ *minor_status = ret_min;
+ return ret_maj;
+ }
+ }
+
+ if (known_mech_attrs != NULL) {
+ ret_maj = gpm_copy_gss_OID_set(&ret_min,
+ global_mechs.info[i].known_mech_attrs,
+ known_mech_attrs);
+ if (ret_maj) {
+ gss_release_oid_set(&discard, known_mech_attrs);
+ }
*minor_status = ret_min;
return ret_maj;
}
- ret_maj = gpm_copy_gss_OID_set(&ret_min,
- global_mechs.info[i].known_mech_attrs,
- known_mech_attrs);
- if (ret_maj) {
- gss_release_oid_set(&discard, known_mech_attrs);
- }
- *minor_status = ret_min;
- return ret_maj;
+
+ /* all requested attributes copied successfully */
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
}
*minor_status = 0;
--
2.6.4
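Review bot: In the `known_mech_attrs` branch of the embedded patch, a failed second `gpm_copy_gss_OID_set` releases `known_mech_attrs`, the output that just failed, while a set already copied into `*mech_attrs` by the first branch is returned alongside an error status. A caller that treats outputs as invalid on failure would leak that set, so the error path should release the earlier output, guarded for the now-permitted NULL: `if (ret_maj && mech_attrs != NULL) gss_release_oid_set(&discard, mech_attrs);`. Whether `gpm_copy_gss_OID_set` already frees its own partial output on failure is not visible here and should be confirmed before dropping the existing release. The patch also removes the only NULL guard on these two pointers, so check that nothing after the loop (outside the hunk) writes through them. Indentation is lost in this rendering, so the block structure described here is read from the braces.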


@ -0,0 +1,48 @@
From 14ecfa9fe9e843bdb2eb09c60a5ec592c8de4cdc Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Dec 2015 17:38:36 -0500
Subject: [PATCH 1/2] Since krb5 1.14 inquire_context may return no name
In 1.14 a patch to more officially support partially established contexts
has been intrdouced. With this patch names are not returned.
Cope with that by checking if a name is provided before trying to convert.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
---
proxy/src/gp_export.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
index 0ef3128..3b9a23b 100644
--- a/proxy/src/gp_export.c
+++ b/proxy/src/gp_export.c
@@ -526,14 +526,18 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
goto done;
}
- ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
- if (ret_maj) {
- goto done;
+ if (src_name != GSS_C_NO_NAME) {
+ ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
+ if (ret_maj) {
+ goto done;
+ }
}
- ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
- if (ret_maj) {
- goto done;
+ if (targ_name != GSS_C_NO_NAME) {
+ ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
+ if (ret_maj) {
+ goto done;
+ }
}
out->lifetime = lifetime_rec;
--
2.6.4
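Review bot: When `src_name` or `targ_name` is `GSS_C_NO_NAME`, the new guards skip the conversion and leave `out->src_name` / `out->targ_name` exactly as they were on entry, and the hunk does not show `out` being zeroed. If the structure is not cleared earlier in `gp_export_ctx_id_to_gssx` (its body starts and ends outside the hunk), the exported context would carry indeterminate name fields to whatever encodes it; confirm the initialisation or clear the fields in an `else` branch. It would also help to record the contract next to the first guard, e.g. `/* krb5 >= 1.14 may return no name for a partially established context; the gssx name is then left empty */`, so it is clear that the import side must accept an empty name.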