diff --git a/.gitignore b/.gitignore
index 0787596..6d40ad9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,5 @@
 /gssproxy-0.6.1.tar.gz.sha512sum.txt
 /gssproxy-0.6.2.tar.gz
 /gssproxy-0.6.2.tar.gz.sha512sum.txt
+/gssproxy-0.7.0.tar.gz
+/gssproxy-0.7.0.tar.gz.sha512sum.txt
diff --git a/Always-check-if-we-have-a-remote-credential.patch b/Always-check-if-we-have-a-remote-credential.patch
deleted file mode 100644
index ead26f4..0000000
--- a/Always-check-if-we-have-a-remote-credential.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From c5d80e916e087b584f8890c383fe699ec17a97ad Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 23 Feb 2017 13:56:34 -0500
-Subject: [PATCH] Always check if we have a remote credential
-
-Even if we are not given an explicit ccache, check if the ccache we are
-going to use for operations on the client side has a stored remote
-credential. If one is found use it.
-
-Signed-off-by: Simo Sorce
-Reviewed-by: Robbie Harwood
-PR: #51
-(cherry picked from commit ba27dee8a32750493664e720f751db2ff652d9a0)
----
- proxy/src/mechglue/gpp_acquire_cred.c | 43 +++++++++++++++++------------------
- 1 file changed, 21 insertions(+), 22 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
-index 1444728..277e61a 100644
---- a/proxy/src/mechglue/gpp_acquire_cred.c
-+++ b/proxy/src/mechglue/gpp_acquire_cred.c
-@@ -88,6 +88,7 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
- struct gpp_name_handle *name;
- struct gpp_cred_handle *out_cred_handle = NULL;
- struct gssx_cred *in_cred_remote = NULL;
-+ const char *ccache_name = NULL;
- OM_uint32 maj, min;
- OM_uint32 tmaj, tmin;
-
-@@ -111,29 +112,27 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
- name = (struct gpp_name_handle *)desired_name;
- behavior = gpp_get_behavior();
-
-- /* if a cred_store option is passed in, check if it references
-- * valid credentials, if so switch behavior appropriately */
-- if (cred_store) {
-- for (unsigned i = 0; i < cred_store->count; i++) {
-- if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
-- gssx_cred remote = {0};
-- maj = gppint_retrieve_remote_creds(&min,
-- cred_store->elements[i].value, NULL, &remote);
-- if (maj == GSS_S_COMPLETE) {
-- in_cred_remote = malloc(sizeof(gssx_cred));
-- if (!in_cred_remote) {
-- maj = GSS_S_FAILURE;
-- min = ENOMEM;
-- goto done;
-- }
-- *in_cred_remote = remote;
-- break;
-- }
-- }
-+ /* Always check if we have remote creds stored in the local ccache */
-+ for (unsigned i = 0; cred_store && i < cred_store->count; i++) {
-+ if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
-+ ccache_name = cred_store->elements[i].value;
-+ break;
- }
-- if (in_cred_remote) {
-- behavior = GPP_REMOTE_ONLY;
-- } else {
-+ }
-+
-+ in_cred_remote = calloc(1, sizeof(gssx_cred));
-+ if (!in_cred_remote) {
-+ maj = GSS_S_FAILURE;
-+ min = ENOMEM;
-+ goto done;
-+ }
-+ maj = gppint_retrieve_remote_creds(&min, ccache_name, NULL,
-+ in_cred_remote);
-+ if (maj == GSS_S_COMPLETE) {
-+ behavior = GPP_REMOTE_ONLY;
-+ } else {
-+ safefree(in_cred_remote);
-+ if (ccache_name) {
- behavior = GPP_LOCAL_ONLY;
- }
- }
diff --git a/Appease-Coverity.patch b/Appease-Coverity.patch
deleted file mode 100644
index c5c2c45..0000000
--- a/Appease-Coverity.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 03b76c1ca376d01622df7e599c9882b693054675 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 27 Feb 2017 11:52:17 -0500
-Subject: [PATCH] Appease Coverity
-
-There is only one call site of gpp_store_remote_creds(), and it already checks
-that `creds != NULL`, so we don't need to duplicate the check.
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-PR: #52
-(cherry picked from commit 348d5df4864639ebe50bfeaabd8c423233da24d6)
----
- proxy/src/mechglue/gpp_creds.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index 37517d6..8fcef36 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -20,8 +20,6 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
-
- *min = 0;
-
-- if (creds == NULL) return GSS_S_CALL_INACCESSIBLE_READ;
--
- memset(&cred, 0, sizeof(cred));
-
- ret = krb5_init_context(&ctx);
diff --git a/Clean-up-build-flags.patch b/Clean-up-build-flags.patch
deleted file mode 100644
index 76b9d68..0000000
--- a/Clean-up-build-flags.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 5edd13736430e5df71c728a15da5d469bfcb931d Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 20 Feb 2017 22:21:55 -0500
-Subject: [PATCH] Clean up build flags
-
-Don't pretend to support non-gcc-like compilers, and don't require
--Wdate-time on all builds.
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-(cherry picked from commit db9b56f54dfb4920b01b6a32ae6e221d231e54ce)
----
- proxy/Makefile.am | 18 ++++++------------
- 1 file changed, 6 insertions(+), 12 deletions(-)
-
-diff --git a/proxy/Makefile.am b/proxy/Makefile.am
-index 644694f..e1fbac1 100644
---- a/proxy/Makefile.am
-+++ b/proxy/Makefile.am
-@@ -40,19 +40,13 @@ AM_LDFLAGS =
- if WANT_AUX_INFO
- AM_CFLAGS += -aux-info $@.X
- endif
--if HAVE_GCC
--# -fstrict-aliasing is needed so that -W*strict-aliasing works
--# properly
-- AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
-- -Wcast-qual -Wcast-align -Wwrite-strings \
-- -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-- -Werror-implicit-function-declaration \
-- -Werror=format-security
--
-- AM_CPPFLAGS += -Wdate-time
--endif
-+AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
-+ -Wcast-qual -Wcast-align -Wwrite-strings \
-+ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-+ -Werror-implicit-function-declaration \
-+ -Werror=format-security
- if BUILD_HARDENING
-- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
-+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2 -Wdate-time
- AM_CFLAGS += -fPIE -fstack-protector-strong
- AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
- endif
diff --git a/Detect-kerberos.schema-on-RHEL.patch b/Detect-kerberos.schema-on-RHEL.patch
deleted file mode 100644
index d23571f..0000000
--- a/Detect-kerberos.schema-on-RHEL.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6511f2a8343ca0cef863d12cec59ecc1a8cfa08e Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 20 Feb 2017 22:34:13 -0500
-Subject: [PATCH] Detect kerberos.schema on RHEL
-
-The docpath on RHEL includes the package version. Since there will
-only ever be one version, just glob it.
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-(cherry picked from commit 57e8fb3ac1be3ed648629066509b832fb8231554)
----
- proxy/tests/testlib.py | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/proxy/tests/testlib.py b/proxy/tests/testlib.py
-index 858e9a9..bb210d3 100755
---- a/proxy/tests/testlib.py
-+++ b/proxy/tests/testlib.py
-@@ -148,10 +148,11 @@ def setup_ldap(testdir, wrapenv):
- raise ValueError("Did not find LDAP schemas; is openldap installed?")
-
- k5schema = None
-- for path in ["/usr/share/doc/krb5-server-ldap/kerberos.schema",
-+ for path in ["/usr/share/doc/krb5-server-ldap*/kerberos.schema",
- "/usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"]:
-- if os.path.exists(path):
-- k5schema = path
-+ pathlist = glob.glob(path)
-+ if len(pathlist) > 0:
-+ k5schema = pathlist[0]
- break
- if k5schema == None:
- print("Please be sure krb5 ldap packages are installed")
diff --git a/Document-debug_level-option-in-gssproxy.conf-5.patch b/Document-debug_level-option-in-gssproxy.conf-5.patch
deleted file mode 100644
index 8e66715..0000000
--- a/Document-debug_level-option-in-gssproxy.conf-5.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 77a838db589801c23c85ead8b16a78d14aaa65e3 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Wed, 22 Feb 2017 15:03:50 -0500
-Subject: [PATCH] Document debug_level option in gssproxy.conf(5)
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-(cherry picked from commit dd9ed3d321e74fbd138f5d8760fe540bb1f4d7bc)
----
- proxy/man/gssproxy.conf.5.xml | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
-index 7c724d6..7ddb2fb 100644
---- a/proxy/man/gssproxy.conf.5.xml
-+++ b/proxy/man/gssproxy.conf.5.xml
-@@ -180,7 +180,26 @@
- Enable debugging to syslog.
- Default: debug = false
-
--
-+
-+
-+
-+ debug_level (integer)
-+
-+
-+ Detail level at which to log debugging messages.
-+ 0 corresponds to no logging, while 1 turns on
-+ basic debug logging. Level 2 increases verbosity,
-+ including more detailed credential verification.
-+
-+
-+ At level 3 and above, KRB5_TRACE output is logged.
-+ If KRB5_TRACE was already set in the execution
-+ environment, trace output is sent to its value
-+ instead.
-+
-+ Default: 1 if debug is true, otherwise 0
-+
-+
-
-
- euid (integer or string)
diff --git a/Fix-another-incorrect-use-of-non-null-term.-string.patch b/Fix-another-incorrect-use-of-non-null-term.-string.patch
deleted file mode 100644
index e59e681..0000000
--- a/Fix-another-incorrect-use-of-non-null-term.-string.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From a69d4d16327916d6dde549aa0873ed1323248c8c Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 23 Feb 2017 13:32:06 -0500
-Subject: [PATCH] Fix another incorrect use of non-null term. string
-
-Signed-off-by: Simo Sorce
-Reviewed-by: Robbie Harwood
-PR: #50
-(cherry picked from commit 02d9a798c1019f93579e5d29b0b21c0570717dc2)
----
- proxy/src/mechglue/gpp_creds.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index 38d03fd..37517d6 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -103,9 +103,12 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
- if (ret) goto done;
-
- if (name) {
-- ret = krb5_parse_name(ctx,
-- name->display_name.octet_string_val,
-- &icred.client);
-+ char client_name[name->display_name.octet_string_len + 1];
-+ memcpy(client_name, name->display_name.octet_string_val,
-+ name->display_name.octet_string_len);
-+ client_name[name->display_name.octet_string_len] = '\0';
-+
-+ ret = krb5_parse_name(ctx, client_name, &icred.client);
- } else {
- ret = krb5_cc_get_principal(ctx, ccache, &icred.client);
- }
diff --git a/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch b/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
deleted file mode 100644
index 281b85e..0000000
--- a/Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 6e2ee182afa62d7003fad8110f7877410ddc7d6d Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Mon, 27 Feb 2017 14:44:06 -0500
-Subject: [PATCH] Fix asprintf(3) call in ensure_segregated_ccache()
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-PR: #53
-(cherry picked from commit fbf882e770474a60022d93c009f277a2d2674e42)
----
- proxy/src/gp_creds.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
-index 0e5532f..db5b4b2 100644
---- a/proxy/src/gp_creds.c
-+++ b/proxy/src/gp_creds.c
-@@ -276,7 +276,7 @@ static int ensure_segregated_ccache(struct gp_call_ctx *gpcall,
- } while (tid == -1 && errno == EINTR);
-
- ret = asprintf(&buf, "MEMORY:internal_%d", tid);
-- if (!buf) {
-+ if (ret == -1) {
- return ENOMEM;
- }
-
diff --git a/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch b/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
deleted file mode 100644
index f60c907..0000000
--- a/Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 727e5a91d930750b4cf814f8b37fd4aace303c4c Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Tue, 21 Feb 2017 17:24:48 -0500
-Subject: [PATCH] Fix behavior when not passed config_dir on the command line
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-(cherry picked from commit 5da58d18668b3e6ce175ad3d4f74a357c31784de)
----
- proxy/src/gp_config.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
-index cf1c08b..184f59e 100644
---- a/proxy/src/gp_config.c
-+++ b/proxy/src/gp_config.c
-@@ -612,7 +612,7 @@ struct gp_config *read_config(char *config_file, char *config_dir,
- char *socket_name, int opt_daemonize)
- {
- const char *socket = GP_SOCKET_NAME;
-- const char *dir = PUBCONF_PATH;
-+ const char *dir = NULL;
- struct gp_config *cfg;
- int ret;
-
-@@ -634,12 +634,18 @@ struct gp_config *read_config(char *config_file, char *config_dir,
- }
- }
-
-- if (config_dir) dir = config_dir;
-+ if (config_dir) {
-+ dir = config_dir;
-+ } else if (!config_file) {
-+ dir = PUBCONF_PATH;
-+ }
-
-- cfg->config_dir = strdup(dir);
-- if (!cfg->config_dir) {
-- ret = ENOMEM;
-- goto done;
-+ if (dir) {
-+ cfg->config_dir = strdup(dir);
-+ if (!cfg->config_dir) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
- }
-
- if (socket_name) socket = socket_name;
diff --git a/Fix-incorrect-use-of-non-null-terminated-string.patch b/Fix-incorrect-use-of-non-null-terminated-string.patch
deleted file mode 100644
index 7732c6d..0000000
--- a/Fix-incorrect-use-of-non-null-terminated-string.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1214f2e9ad34783e8f12a42c8b06793c6e42217c Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Thu, 23 Feb 2017 11:51:04 -0500
-Subject: [PATCH] Fix incorrect use of non-null terminated string
-
-Octet_string_val values are not guaranteed to be zero terminated.
-
-Signed-off-by: Simo Sorce
-Reviewed-by: Robbie Harwood
-Resolves: #49
-(cherry picked from commit 25c587458c90893168fd906a5de9cc7598e94619)
----
- proxy/src/mechglue/gpp_creds.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index c1506e6..38d03fd 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -14,6 +14,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
- krb5_ccache ccache = NULL;
- krb5_creds cred;
- krb5_error_code ret;
-+ char cred_name[creds->desired_name.display_name.octet_string_len + 1];
- XDR xdrctx;
- bool xdrok;
-
-@@ -41,9 +42,11 @@ uint32_t gpp_store_remote_creds(uint32_t *min,
- if (ret) goto done;
- }
-
-- ret = krb5_parse_name(ctx,
-- creds->desired_name.display_name.octet_string_val,
-- &cred.client);
-+ memcpy(cred_name, creds->desired_name.display_name.octet_string_val,
-+ creds->desired_name.display_name.octet_string_len);
-+ cred_name[creds->desired_name.display_name.octet_string_len] = '\0';
-+
-+ ret = krb5_parse_name(ctx, cred_name, &cred.client);
- if (ret) goto done;
-
- ret = krb5_parse_name(ctx, GPKRB_SRV_NAME, &cred.server);
diff --git a/gssproxy.spec b/gssproxy.spec
index eaf4e9f..02b2a4e 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@
 Name: gssproxy
-Version: 0.6.2
-Release: 4%{?dist}
+Version: 0.7.0
+Release: 1%{?dist}
 Summary: GSSAPI Proxy
 Group: System Environment/Libraries
@@ -14,15 +14,6 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 %global gpstatedir %{_localstatedir}/lib/gssproxy
 
 ### Patches ###
-Patch0: Clean-up-build-flags.patch
-Patch1: Detect-kerberos.schema-on-RHEL.patch
-Patch2: Fix-behavior-when-not-passed-config_dir-on-the-comma.patch
-Patch3: Document-debug_level-option-in-gssproxy.conf-5.patch
-Patch4: Fix-incorrect-use-of-non-null-terminated-string.patch
-Patch5: Fix-another-incorrect-use-of-non-null-term.-string.patch
-Patch6: Always-check-if-we-have-a-remote-credential.patch
-Patch7: Fix-asprintf-3-call-in-ensure_segregated_ccache.patch
-Patch8: Appease-Coverity.patch
 
 ### Dependencies ###
 Requires: krb5-libs >= 1.12.0
@@ -53,28 +44,12 @@ BuildRequires: popt-devel
 BuildRequires: findutils
 BuildRequires: systemd-units
 
-# Tests stuff
-# BuildRequires: openldap-clients
-# BuildRequires: openldap-servers
-# BuildRequires: krb5-server-ldap
-# BuildRequires: valgrind
-# BuildRequires: socket_wrapper
-# BuildRequires: nss_wrapper
-
 %description
 A proxy for GSSAPI credential handling
 
 %prep
 %setup -q
-%patch0 -p2 -b .Clean-up-build-flags
-%patch1 -p2 -b .Detect-kerberos.schema-on-RHEL
-%patch2 -p2 -b .Fix-behavior-when-not-passed-config_dir-on-the-comma
-%patch3 -p2 -b .Document-debug_level-option-in-gssproxy.conf-5
-%patch4 -p2 -b .Fix-incorrect-use-of-non-null-terminated-string
-%patch5 -p2 -b .Fix-another-incorrect-use-of-non-null-term.-string
-%patch6 -p2 -b .Always-check-if-we-have-a-remote-credential
-%patch7 -p2 -b .Fix-asprintf-3-call-in-ensure_segregated_ccache
-%patch8 -p2 -b .Appease-Coverity
+
 
 %build
 autoreconf -f -i
@@ -88,9 +63,6 @@ autoreconf -f -i
 make %{?_smp_mflags} all
 make test_proxymech
 
-# %check
-# make check
-
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}
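Review bot: Dropping Patch4, Patch5 and Patch6 from the spec assumes the 0.7.0 tarball already carries the two non-NUL-terminated octet_string fixes (upstream 25c587458c90893168fd906a5de9cc7598e94619 and 02d9a798c1019f93579e5d29b0b21c0570717dc2, issues #49/#50) and the remote-credential lookup change (ba27dee8a32750493664e720f751db2ff652d9a0); nothing in this hunk or the changelog entry records that check, and those two are memory-safety fixes in the credential path, so a rebase that silently lost one would reintroduce an out-of-bounds read in gpp_creds.c. Confirming each of the nine cherry-picked hashes is reachable from the 0.7.0 tag before merging closes that gap. The same hunk also deletes the commented `# %check` / `# make check` stanza together with the commented test BuildRequires, leaving no trace of why the test suite is not run in the build; if it is still blocked on socket_wrapper/nss_wrapper, a comment such as `# %check disabled: test suite needs socket_wrapper/nss_wrapper` next to `%build` keeps the reason visible. Minor style: the lone `+` line left after `%setup -q` produces a double blank line before `%build`.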
@@ -135,10 +107,10 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 
 %changelog
-* Mon Mar 06 2017 Robbie Harwood - 0.6.2-4
-- TODO edit me
+* Tue Mar 07 2017 Robbie Harwood - 0.7.0-1
+- New upstream release - 0.7.0
 
-* Mon Mar 06 2017 Robbie Harwood - 0.6.2-3
+* Mon Mar 06 2017 Robbie Harwood - 0.6.2-4
 - Actually apply the patches I just added
 - Also include a Coverity fix.
 
diff --git a/sources b/sources
index 1239a3c..d4641b4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (gssproxy-0.6.2.tar.gz) = 3c19fbd6e6c8aa2946512f947e016642672a98559b0c47dfb2a4abe2c9dbf06f1bd4f028199cd4828edf00eb0f5d3eac55bda73dcfeb27095e8e9ab14fc88bcd
-SHA512 (gssproxy-0.6.2.tar.gz.sha512sum.txt) = 180f91ee7ef560077ecb689b64c0b71c305c12130a510c5e5c7a51c59593e6f509cb91726ab6cbb35f43905d96e87c77966471b814d02a9d6754aa6b44b192cb
+SHA512 (gssproxy-0.7.0.tar.gz) = 00cd1d05e12f93f81c11062ccf4950e521960f752a6121f2055e47294a51894eda2415c558d3bc0d4c496146ab8f82a1162328acfb5eb3405c7b116774fa9f89
+SHA512 (gssproxy-0.7.0.tar.gz.sha512sum.txt) = dd91bec2c1aecad01152d4f8d51252ce33e80b378050458b36d868397df6d14a37aa424245df09d006a9cb91b34aa8ba51b30630cfb9babe0da3e348ac53f382