rpms/gssproxy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release - 0.7.0

Browse Source
This commit is contained in:
Robbie Harwood 2017-03-07 22:32:21 +00:00
parent 07be2820f2
commit d3c2500ea7
12 changed files with 10 additions and 417 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -17,3 +17,5 @@
/gssproxy-0.6.1.tar.gz.sha512sum.txt
/gssproxy-0.6.2.tar.gz
/gssproxy-0.6.2.tar.gz.sha512sum.txt
/gssproxy-0.7.0.tar.gz
/gssproxy-0.7.0.tar.gz.sha512sum.txt

79
Always-check-if-we-have-a-remote-credential.patch
View File

@ -1,79 +0,0 @@
From c5d80e916e087b584f8890c383fe699ec17a97ad Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 23 Feb 2017 13:56:34 -0500
Subject: [PATCH] Always check if we have a remote credential
Even if we are not given an explicit ccache, check if the ccache we are
going to use for operations on the client side has a stored remote
credential. If one is found use it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
PR: #51
(cherry picked from commit ba27dee8a32750493664e720f751db2ff652d9a0)
---
proxy/src/mechglue/gpp_acquire_cred.c | 43 +++++++++++++++++------------------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
index 1444728..277e61a 100644
--- a/proxy/src/mechglue/gpp_acquire_cred.c
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
@@ -88,6 +88,7 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
struct gpp_name_handle *name;
struct gpp_cred_handle *out_cred_handle = NULL;
struct gssx_cred *in_cred_remote = NULL;
+ const char *ccache_name = NULL;
OM_uint32 maj, min;
OM_uint32 tmaj, tmin;
@@ -111,29 +112,27 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
name = (struct gpp_name_handle *)desired_name;
behavior = gpp_get_behavior();
- /* if a cred_store option is passed in, check if it references
- * valid credentials, if so switch behavior appropriately */
- if (cred_store) {
- for (unsigned i = 0; i < cred_store->count; i++) {
- if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
- gssx_cred remote = {0};
- maj = gppint_retrieve_remote_creds(&min,
- cred_store->elements[i].value, NULL, &remote);
- if (maj == GSS_S_COMPLETE) {
- in_cred_remote = malloc(sizeof(gssx_cred));
- if (!in_cred_remote) {
- maj = GSS_S_FAILURE;
- min = ENOMEM;
- goto done;
- }
- *in_cred_remote = remote;
- break;
- }
- }
+ /* Always check if we have remote creds stored in the local ccache */
+ for (unsigned i = 0; cred_store && i < cred_store->count; i++) {
+ if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
+ ccache_name = cred_store->elements[i].value;
+ break;
}
- if (in_cred_remote) {
- behavior = GPP_REMOTE_ONLY;
- } else {
+ }
+
+ in_cred_remote = calloc(1, sizeof(gssx_cred));
+ if (!in_cred_remote) {
+ maj = GSS_S_FAILURE;
+ min = ENOMEM;
+ goto done;
+ }
+ maj = gppint_retrieve_remote_creds(&min, ccache_name, NULL,
+ in_cred_remote);
+ if (maj == GSS_S_COMPLETE) {
+ behavior = GPP_REMOTE_ONLY;
+ } else {
+ safefree(in_cred_remote);
+ if (ccache_name) {
behavior = GPP_LOCAL_ONLY;
}
}

29
Appease-Coverity.patch
View File

@ -1,29 +0,0 @@
From 03b76c1ca376d01622df7e599c9882b693054675 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 27 Feb 2017 11:52:17 -0500
Subject: [PATCH] Appease Coverity
There is only one call site of gpp_store_remote_creds(), and it already checks
that `creds != NULL`, so we don't need to duplicate the check.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
PR: #52
(cherry picked from commit 348d5df4864639ebe50bfeaabd8c423233da24d6)
---
proxy/src/mechglue/gpp_creds.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 37517d6..8fcef36 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -20,8 +20,6 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
*min = 0;
- if (creds == NULL) return GSS_S_CALL_INACCESSIBLE_READ;
-
memset(&cred, 0, sizeof(cred));
ret = krb5_init_context(&ctx);

45
Clean-up-build-flags.patch
View File

@ -1,45 +0,0 @@
From 5edd13736430e5df71c728a15da5d469bfcb931d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 20 Feb 2017 22:21:55 -0500
Subject: [PATCH] Clean up build flags
Don't pretend to support non-gcc-like compilers, and don't require
-Wdate-time on all builds.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit db9b56f54dfb4920b01b6a32ae6e221d231e54ce)
---
proxy/Makefile.am | 18 ++++++------------
1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index 644694f..e1fbac1 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -40,19 +40,13 @@ AM_LDFLAGS =
if WANT_AUX_INFO
AM_CFLAGS += -aux-info $@.X
endif
-if HAVE_GCC
-# -fstrict-aliasing is needed so that -W*strict-aliasing works
-# properly
- AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
- -Wcast-qual -Wcast-align -Wwrite-strings \
- -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
- -Werror-implicit-function-declaration \
- -Werror=format-security
-
- AM_CPPFLAGS += -Wdate-time
-endif
+AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+ -Wcast-qual -Wcast-align -Wwrite-strings \
+ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
+ -Werror-implicit-function-declaration \
+ -Werror=format-security
if BUILD_HARDENING
- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2 -Wdate-time
AM_CFLAGS += -fPIE -fstack-protector-strong
AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif

34
Detect-kerberos.schema-on-RHEL.patch
View File

@ -1,34 +0,0 @@
From 6511f2a8343ca0cef863d12cec59ecc1a8cfa08e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 20 Feb 2017 22:34:13 -0500
Subject: [PATCH] Detect kerberos.schema on RHEL
The docpath on RHEL includes the package version. Since there will
only ever be one version, just glob it.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 57e8fb3ac1be3ed648629066509b832fb8231554)
---
proxy/tests/testlib.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/proxy/tests/testlib.py b/proxy/tests/testlib.py
index 858e9a9..bb210d3 100755
--- a/proxy/tests/testlib.py
+++ b/proxy/tests/testlib.py
@@ -148,10 +148,11 @@ def setup_ldap(testdir, wrapenv):
raise ValueError("Did not find LDAP schemas; is openldap installed?")
k5schema = None
- for path in ["/usr/share/doc/krb5-server-ldap/kerberos.schema",
+ for path in ["/usr/share/doc/krb5-server-ldap*/kerberos.schema",
"/usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"]:
- if os.path.exists(path):
- k5schema = path
+ pathlist = glob.glob(path)
+ if len(pathlist) > 0:
+ k5schema = pathlist[0]
break
if k5schema == None:
print("Please be sure krb5 ldap packages are installed")

44
Document-debug_level-option-in-gssproxy.conf-5.patch
View File

@ -1,44 +0,0 @@
From 77a838db589801c23c85ead8b16a78d14aaa65e3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 22 Feb 2017 15:03:50 -0500
Subject: [PATCH] Document debug_level option in gssproxy.conf(5)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit dd9ed3d321e74fbd138f5d8760fe540bb1f4d7bc)
---
proxy/man/gssproxy.conf.5.xml | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 7c724d6..7ddb2fb 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -180,7 +180,26 @@
<para>Enable debugging to syslog.</para>
<para>Default: debug = false</para>
</listitem>
- </varlistentry>
+ </varlistentry>
+
+ <varlistentry>
+ <term>debug_level (integer)</term>
+ <listitem>
+ <para>
+ Detail level at which to log debugging messages.
+ 0 corresponds to no logging, while 1 turns on
+ basic debug logging. Level 2 increases verbosity,
+ including more detailed credential verification.
+ </para>
+ <para>
+ At level 3 and above, KRB5_TRACE output is logged.
+ If KRB5_TRACE was already set in the execution
+ environment, trace output is sent to its value
+ instead.
+ </para>
+ <para>Default: 1 if debug is true, otherwise 0</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>euid (integer or string)</term>

33
Fix-another-incorrect-use-of-non-null-term.-string.patch
View File

@ -1,33 +0,0 @@
From a69d4d16327916d6dde549aa0873ed1323248c8c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 23 Feb 2017 13:32:06 -0500
Subject: [PATCH] Fix another incorrect use of non-null term. string
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
PR: #50
(cherry picked from commit 02d9a798c1019f93579e5d29b0b21c0570717dc2)
---
proxy/src/mechglue/gpp_creds.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 38d03fd..37517d6 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -103,9 +103,12 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
if (ret) goto done;
if (name) {
- ret = krb5_parse_name(ctx,
- name->display_name.octet_string_val,
- &icred.client);
+ char client_name[name->display_name.octet_string_len + 1];
+ memcpy(client_name, name->display_name.octet_string_val,
+ name->display_name.octet_string_len);
+ client_name[name->display_name.octet_string_len] = '\0';
+
+ ret = krb5_parse_name(ctx, client_name, &icred.client);
} else {
ret = krb5_cc_get_principal(ctx, ccache, &icred.client);
}

26
Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
View File

@ -1,26 +0,0 @@
From 6e2ee182afa62d7003fad8110f7877410ddc7d6d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 27 Feb 2017 14:44:06 -0500
Subject: [PATCH] Fix asprintf(3) call in ensure_segregated_ccache()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
PR: #53
(cherry picked from commit fbf882e770474a60022d93c009f277a2d2674e42)
---
proxy/src/gp_creds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 0e5532f..db5b4b2 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -276,7 +276,7 @@ static int ensure_segregated_ccache(struct gp_call_ctx *gpcall,
} while (tid == -1 && errno == EINTR);
ret = asprintf(&buf, "MEMORY:internal_%d", tid);
- if (!buf) {
+ if (ret == -1) {
return ENOMEM;
}

49
Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
View File

@ -1,49 +0,0 @@
From 727e5a91d930750b4cf814f8b37fd4aace303c4c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 21 Feb 2017 17:24:48 -0500
Subject: [PATCH] Fix behavior when not passed config_dir on the command line
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5da58d18668b3e6ce175ad3d4f74a357c31784de)
---
proxy/src/gp_config.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index cf1c08b..184f59e 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -612,7 +612,7 @@ struct gp_config *read_config(char *config_file, char *config_dir,
char *socket_name, int opt_daemonize)
{
const char *socket = GP_SOCKET_NAME;
- const char *dir = PUBCONF_PATH;
+ const char *dir = NULL;
struct gp_config *cfg;
int ret;
@@ -634,12 +634,18 @@ struct gp_config *read_config(char *config_file, char *config_dir,
}
}
- if (config_dir) dir = config_dir;
+ if (config_dir) {
+ dir = config_dir;
+ } else if (!config_file) {
+ dir = PUBCONF_PATH;
+ }
- cfg->config_dir = strdup(dir);
- if (!cfg->config_dir) {
- ret = ENOMEM;
- goto done;
+ if (dir) {
+ cfg->config_dir = strdup(dir);
+ if (!cfg->config_dir) {
+ ret = ENOMEM;
+ goto done;
+ }
}
if (socket_name) socket = socket_name;

42
Fix-incorrect-use-of-non-null-terminated-string.patch
View File

@ -1,42 +0,0 @@
From 1214f2e9ad34783e8f12a42c8b06793c6e42217c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 23 Feb 2017 11:51:04 -0500
Subject: [PATCH] Fix incorrect use of non-null terminated string
Octet_string_val values are not guaranteed to be zero terminated.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Resolves: #49
(cherry picked from commit 25c587458c90893168fd906a5de9cc7598e94619)
---
proxy/src/mechglue/gpp_creds.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index c1506e6..38d03fd 100644
--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -14,6 +14,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
krb5_ccache ccache = NULL;
krb5_creds cred;
krb5_error_code ret;
+ char cred_name[creds->desired_name.display_name.octet_string_len + 1];
XDR xdrctx;
bool xdrok;
@@ -41,9 +42,11 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
if (ret) goto done;
}
- ret = krb5_parse_name(ctx,
- creds->desired_name.display_name.octet_string_val,
- &cred.client);
+ memcpy(cred_name, creds->desired_name.display_name.octet_string_val,
+ creds->desired_name.display_name.octet_string_len);
+ cred_name[creds->desired_name.display_name.octet_string_len] = '\0';
+
+ ret = krb5_parse_name(ctx, cred_name, &cred.client);
if (ret) goto done;
ret = krb5_parse_name(ctx, GPKRB_SRV_NAME, &cred.server);

40
gssproxy.spec
View File

@ -1,6 +1,6 @@
Name: gssproxy
Version: 0.6.2
Release: 4%{?dist}
Version: 0.7.0
Release: 1%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@ -14,15 +14,6 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
%global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ###
Patch0: Clean-up-build-flags.patch
Patch1: Detect-kerberos.schema-on-RHEL.patch
Patch2: Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
Patch3: Document-debug_level-option-in-gssproxy.conf-5.patch
Patch4: Fix-incorrect-use-of-non-null-terminated-string.patch
Patch5: Fix-another-incorrect-use-of-non-null-term.-string.patch
Patch6: Always-check-if-we-have-a-remote-credential.patch
Patch7: Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
Patch8: Appease-Coverity.patch
### Dependencies ###
Requires: krb5-libs >= 1.12.0
@ -53,28 +44,12 @@ BuildRequires: popt-devel
BuildRequires: findutils
BuildRequires: systemd-units
# Tests stuff
# BuildRequires: openldap-clients
# BuildRequires: openldap-servers
# BuildRequires: krb5-server-ldap
# BuildRequires: valgrind
# BuildRequires: socket_wrapper
# BuildRequires: nss_wrapper
%description
A proxy for GSSAPI credential handling
%prep
%setup -q
%patch0 -p2 -b .Clean-up-build-flags
%patch1 -p2 -b .Detect-kerberos.schema-on-RHEL
%patch2 -p2 -b .Fix-behavior-when-not-passed-config_dir-on-the-comma
%patch3 -p2 -b .Document-debug_level-option-in-gssproxy.conf-5
%patch4 -p2 -b .Fix-incorrect-use-of-non-null-terminated-string
%patch5 -p2 -b .Fix-another-incorrect-use-of-non-null-term.-string
%patch6 -p2 -b .Always-check-if-we-have-a-remote-credential
%patch7 -p2 -b .Fix-asprintf-3-call-in-ensure_segregated_ccache
%patch8 -p2 -b .Appease-Coverity
%build
autoreconf -f -i
@ -88,9 +63,6 @@ autoreconf -f -i
make %{?_smp_mflags} all
make test_proxymech
# %check
# make check
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
@ -135,10 +107,10 @@ rm -rf %{buildroot}
%systemd_postun_with_restart gssproxy.service
%changelog
* Mon Mar 06 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-4
- TODO edit me
* Tue Mar 07 2017 Robbie Harwood <rharwood@redhat.com> - 0.7.0-1
- New upstream release - 0.7.0
* Mon Mar 06 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-3
* Mon Mar 06 2017 Robbie Harwood <rharwood@redhat.com> - 0.6.2-4
- Actually apply the patches I just added
- Also include a Coverity fix.

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (gssproxy-0.6.2.tar.gz) = 3c19fbd6e6c8aa2946512f947e016642672a98559b0c47dfb2a4abe2c9dbf06f1bd4f028199cd4828edf00eb0f5d3eac55bda73dcfeb27095e8e9ab14fc88bcd
SHA512 (gssproxy-0.6.2.tar.gz.sha512sum.txt) = 180f91ee7ef560077ecb689b64c0b71c305c12130a510c5e5c7a51c59593e6f509cb91726ab6cbb35f43905d96e87c77966471b814d02a9d6754aa6b44b192cb
SHA512 (gssproxy-0.7.0.tar.gz) = 00cd1d05e12f93f81c11062ccf4950e521960f752a6121f2055e47294a51894eda2415c558d3bc0d4c496146ab8f82a1162328acfb5eb3405c7b116774fa9f89
SHA512 (gssproxy-0.7.0.tar.gz.sha512sum.txt) = dd91bec2c1aecad01152d4f8d51252ce33e80b378050458b36d868397df6d14a37aa424245df09d006a9cb91b34aa8ba51b30630cfb9babe0da3e348ac53f382