From b179495c4726820fbd5312957a6a58786b072f79 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 16 Dec 2015 23:23:04 +0000
Subject: [PATCH] Fix issues with 1.14

---
 gssproxy.spec                             | 16 +++--
 krb5-1.14-inquire_attrs_accept_null.patch | 82 +++++++++++++++++++++++
 krb5-1.14-inquire_context_no_name.patch   | 48 +++++++++++++
 3 files changed, 141 insertions(+), 5 deletions(-)
 create mode 100644 krb5-1.14-inquire_attrs_accept_null.patch
 create mode 100644 krb5-1.14-inquire_context_no_name.patch

diff --git a/gssproxy.spec b/gssproxy.spec
index 5a0f940..5584ad9 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.4.1
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	GSSAPI Proxy
 
 Group:		System Environment/Libraries
@@ -15,9 +15,10 @@ BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
 Patch0: clear_message_structure.patch
+Patch1: krb5-1.14-inquire_context_no_name.patch
+Patch2: krb5-1.14-inquire_attrs_accept_null.patch
 
 ### Dependencies ###
-
 Requires: krb5-libs >= 1.12.0
 Requires: keyutils-libs
 Requires: libverto-tevent
@@ -26,7 +27,6 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 
 ### Build Dependencies ###
-
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -53,7 +53,9 @@ A proxy for GSSAPI credential handling
 %prep
 %setup -q
 
-%patch0 -p2
+%patch0 -p2 -b .clear_message_structure
+%patch1 -p2 -b .krb5-1.14-inquire_context_no_name
+%patch2 -p2 -b .krb5-1.14-inquire_attrs_accept_null
 
 %build
 autoreconf -f -i
@@ -105,6 +107,10 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 
 %changelog
+* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-4
+- Fix issues with 1.14
+- Fix bogus date in changelog (March 30 2015 was a Monday)
+
 * Wed Oct 21 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-3
 - Clear message buffer to fix segfault on arm
 - resolves: #1235902
@@ -112,7 +118,7 @@ rm -rf %{buildroot}
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 
-* Tue Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
+* Mon Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
 - New upstream release
 - Fix issues with paths in config files
 
diff --git a/krb5-1.14-inquire_attrs_accept_null.patch b/krb5-1.14-inquire_attrs_accept_null.patch
new file mode 100644
index 0000000..97cd609
--- /dev/null
+++ b/krb5-1.14-inquire_attrs_accept_null.patch
@@ -0,0 +1,82 @@
+From 14e33b725c991d6c500ca93e241ed64e1a755843 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 16 Dec 2015 17:48:11 -0500
+Subject: [PATCH 2/2] Fix for gss_inquire_attrs_for_mech accepting NULLs
+
+As per rfc5587, gss_inquire_attrs_for_mech must accept NULL mech_attrs
+and known_mech_attrs arguments.  Up until 1.14, MIT krb5 was not ever
+passing NULLs in these fields.
+
+This fixes an interposer loop (and subsequent segmentation fault) due
+to our previous assumption that these arguments not be NULL.
+
+See also: https://tools.ietf.org/html/rfc5587#section-3.4.3
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+---
+ proxy/src/client/gpm_indicate_mechs.c | 38 ++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/proxy/src/client/gpm_indicate_mechs.c b/proxy/src/client/gpm_indicate_mechs.c
+index 35ce3bb..d4df923 100644
+--- a/proxy/src/client/gpm_indicate_mechs.c
++++ b/proxy/src/client/gpm_indicate_mechs.c
+@@ -444,10 +444,6 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
+     if (!minor_status) {
+         return GSS_S_CALL_INACCESSIBLE_WRITE;
+     }
+-    if (!mech_attrs || !known_mech_attrs) {
+-        *minor_status = 0;
+-        return GSS_S_CALL_INACCESSIBLE_WRITE;
+-    }
+ 
+     ret_min = gpmint_init_global_mechs();
+     if (ret_min) {
+@@ -459,21 +455,31 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
+         if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
+             continue;
+         }
+-        ret_maj = gpm_copy_gss_OID_set(&ret_min,
+-                                       global_mechs.info[i].mech_attrs,
+-                                       mech_attrs);
+-        if (ret_maj) {
++
++        if (mech_attrs != NULL) {
++            ret_maj = gpm_copy_gss_OID_set(&ret_min,
++                                           global_mechs.info[i].mech_attrs,
++                                           mech_attrs);
++            if (ret_maj) {
++                *minor_status = ret_min;
++                return ret_maj;
++            }
++        }
++
++        if (known_mech_attrs != NULL) {
++            ret_maj = gpm_copy_gss_OID_set(&ret_min,
++                                           global_mechs.info[i].known_mech_attrs,
++                                           known_mech_attrs);
++            if (ret_maj) {
++                gss_release_oid_set(&discard, known_mech_attrs);
++            }
+             *minor_status = ret_min;
+             return ret_maj;
+         }
+-        ret_maj = gpm_copy_gss_OID_set(&ret_min,
+-                                       global_mechs.info[i].known_mech_attrs,
+-                                       known_mech_attrs);
+-        if (ret_maj) {
+-            gss_release_oid_set(&discard, known_mech_attrs);
+-        }
+-        *minor_status = ret_min;
+-        return ret_maj;
++
++        /* all requested attributes copied successfully */
++        *minor_status = 0;
++        return GSS_S_COMPLETE;
+     }
+ 
+     *minor_status = 0;
+-- 
+2.6.4
+
diff --git a/krb5-1.14-inquire_context_no_name.patch b/krb5-1.14-inquire_context_no_name.patch
new file mode 100644
index 0000000..865d301
--- /dev/null
+++ b/krb5-1.14-inquire_context_no_name.patch
@@ -0,0 +1,48 @@
+From 14ecfa9fe9e843bdb2eb09c60a5ec592c8de4cdc Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 14 Dec 2015 17:38:36 -0500
+Subject: [PATCH 1/2] Since krb5 1.14 inquire_context may return no name
+
+In 1.14 a patch to more officially support partially established contexts
+has been intrdouced. With this patch names are not returned.
+
+Cope with that by checking if a name is provided before trying to convert.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+---
+ proxy/src/gp_export.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
+index 0ef3128..3b9a23b 100644
+--- a/proxy/src/gp_export.c
++++ b/proxy/src/gp_export.c
+@@ -526,14 +526,18 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
+         goto done;
+     }
+ 
+-    ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
+-    if (ret_maj) {
+-        goto done;
++    if (src_name != GSS_C_NO_NAME) {
++        ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
++        if (ret_maj) {
++            goto done;
++        }
+     }
+ 
+-    ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
+-    if (ret_maj) {
+-        goto done;
++    if (targ_name != GSS_C_NO_NAME) {
++        ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
++        if (ret_maj) {
++            goto done;
++        }
+     }
+ 
+     out->lifetime = lifetime_rec;
+-- 
+2.6.4
+