Fix issues with 1.14

2015-12-16 23:23:04 +00:00 · 2015-12-16 23:23:04 +00:00 · b179495c47
commit b179495c47
parent 1a42aaa8ce
3 changed files with 141 additions and 5 deletions
--- a/gssproxy.spec
+++ b/gssproxy.spec
@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.4.1
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	GSSAPI Proxy
 Group:		System Environment/Libraries
@ -15,9 +15,10 @@ BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
 Patch0: clear_message_structure.patch
 Patch1: krb5-1.14-inquire_context_no_name.patch
 Patch2: krb5-1.14-inquire_attrs_accept_null.patch
 ### Dependencies ###
 Requires: krb5-libs >= 1.12.0
 Requires: keyutils-libs
 Requires: libverto-tevent
@ -26,7 +27,6 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 ### Build Dependencies ###
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@ -53,7 +53,9 @@ A proxy for GSSAPI credential handling
 %prep
 %setup -q
-%patch0 -p2
+%patch0 -p2 -b .clear_message_structure
 %patch1 -p2 -b .krb5-1.14-inquire_context_no_name
 %patch2 -p2 -b .krb5-1.14-inquire_attrs_accept_null
 %build
 autoreconf -f -i
@ -105,6 +107,10 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 %changelog
 * Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-4
 - Fix issues with 1.14
 - Fix bogus date in changelog (March 30 2015 was a Monday)
 * Wed Oct 21 2015 Robbie Harwood <rharwood@redhat.com> - 0.4.1-3
 - Clear message buffer to fix segfault on arm
 - resolves: #1235902
@ -112,7 +118,7 @@ rm -rf %{buildroot}
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-* Tue Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
+* Mon Mar 30 2015 Simo Sorce <simo@redhat.com> 0.4.1-1
 - New upstream release
 - Fix issues with paths in config files
--- a/krb5-1.14-inquire_attrs_accept_null.patch
+++ b/krb5-1.14-inquire_attrs_accept_null.patch
@ -0,0 +1,82 @@
 From 14e33b725c991d6c500ca93e241ed64e1a755843 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 16 Dec 2015 17:48:11 -0500
 Subject: [PATCH 2/2] Fix for gss_inquire_attrs_for_mech accepting NULLs
 As per rfc5587, gss_inquire_attrs_for_mech must accept NULL mech_attrs
 and known_mech_attrs arguments.  Up until 1.14, MIT krb5 was not ever
 passing NULLs in these fields.
 This fixes an interposer loop (and subsequent segmentation fault) due
 to our previous assumption that these arguments not be NULL.
 See also: https://tools.ietf.org/html/rfc5587#section-3.4.3
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 Reviewed-by: Simo Sorce <simo@redhat.com>
 ---
 proxy/src/client/gpm_indicate_mechs.c | 38 ++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 16 deletions(-)
 diff --git a/proxy/src/client/gpm_indicate_mechs.c b/proxy/src/client/gpm_indicate_mechs.c
 index 35ce3bb..d4df923 100644
 --- a/proxy/src/client/gpm_indicate_mechs.c
 +++ b/proxy/src/client/gpm_indicate_mechs.c
@@ -444,10 +444,6 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
     if (!minor_status) {
         return GSS_S_CALL_INACCESSIBLE_WRITE;
     }
 -    if (!mech_attrs || !known_mech_attrs) {
 -        *minor_status = 0;
 -        return GSS_S_CALL_INACCESSIBLE_WRITE;
 -    }
     ret_min = gpmint_init_global_mechs();
     if (ret_min) {
@@ -459,21 +455,31 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
         if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
             continue;
         }
 -        ret_maj = gpm_copy_gss_OID_set(&ret_min,
 -                                       global_mechs.info[i].mech_attrs,
 -                                       mech_attrs);
 -        if (ret_maj) {
 +
 +        if (mech_attrs != NULL) {
 +            ret_maj = gpm_copy_gss_OID_set(&ret_min,
 +                                           global_mechs.info[i].mech_attrs,
 +                                           mech_attrs);
 +            if (ret_maj) {
 +                *minor_status = ret_min;
 +                return ret_maj;
 +            }
 +        }
 +
 +        if (known_mech_attrs != NULL) {
 +            ret_maj = gpm_copy_gss_OID_set(&ret_min,
 +                                           global_mechs.info[i].known_mech_attrs,
 +                                           known_mech_attrs);
 +            if (ret_maj) {
 +                gss_release_oid_set(&discard, known_mech_attrs);
 +            }
             *minor_status = ret_min;
             return ret_maj;
         }
 -        ret_maj = gpm_copy_gss_OID_set(&ret_min,
 -                                       global_mechs.info[i].known_mech_attrs,
 -                                       known_mech_attrs);
 -        if (ret_maj) {
 -            gss_release_oid_set(&discard, known_mech_attrs);
 -        }
 -        *minor_status = ret_min;
 -        return ret_maj;
 +
 +        /* all requested attributes copied successfully */
 +        *minor_status = 0;
 +        return GSS_S_COMPLETE;
     }
     *minor_status = 0;
 -- 
 2.6.4
--- a/krb5-1.14-inquire_context_no_name.patch
+++ b/krb5-1.14-inquire_context_no_name.patch
@ -0,0 +1,48 @@
 From 14ecfa9fe9e843bdb2eb09c60a5ec592c8de4cdc Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Mon, 14 Dec 2015 17:38:36 -0500
 Subject: [PATCH 1/2] Since krb5 1.14 inquire_context may return no name
 In 1.14 a patch to more officially support partially established contexts
 has been intrdouced. With this patch names are not returned.
 Cope with that by checking if a name is provided before trying to convert.
 Signed-off-by: Simo Sorce <simo@redhat.com>
 Reviewed-by: Robbie Harwood <rharwood@redhat.com>
 ---
 proxy/src/gp_export.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
 diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
 index 0ef3128..3b9a23b 100644
 --- a/proxy/src/gp_export.c
 +++ b/proxy/src/gp_export.c
@@ -526,14 +526,18 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
         goto done;
     }
 -    ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
 -    if (ret_maj) {
 -        goto done;
 +    if (src_name != GSS_C_NO_NAME) {
 +        ret_maj = gp_conv_name_to_gssx(&ret_min, src_name, &out->src_name);
 +        if (ret_maj) {
 +            goto done;
 +        }
     }
 -    ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
 -    if (ret_maj) {
 -        goto done;
 +    if (targ_name != GSS_C_NO_NAME) {
 +        ret_maj = gp_conv_name_to_gssx(&ret_min, targ_name, &out->targ_name);
 +        if (ret_maj) {
 +            goto done;
 +        }
     }
     out->lifetime = lifetime_rec;
 -- 
 2.6.4