Backport interposer fix from master

Drop workaround pwsize initialization patch (gcc has been fixed)

Resolves: rhbz#1284985
This commit is contained in:
Robbie Harwood (frozencemetery) 2015-12-03 21:51:45 +00:00
parent bf282deaf1
commit 1560d2b3cc
3 changed files with 230 additions and 27 deletions

View File

@ -1,24 +0,0 @@
From eb7aa0386f60496aabcb1f30893649bb6599d6d1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 22 Oct 2015 14:27:33 -0400
Subject: [PATCH] Ensure pwsize is initialized
---
src/lib/kadm5/chpass_util.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
index 408b0eb..02305be 100644
--- a/src/lib/kadm5/chpass_util.c
+++ b/src/lib/kadm5/chpass_util.c
@@ -74,6 +74,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
if (ret_pw)
*ret_pw = NULL;
+ pwsize = 0;
if (new_pw != NULL) {
new_password = new_pw;
} else { /* read the password */
--
2.6.1

222
krb5-fix_interposer.patch Normal file
View File

@ -0,0 +1,222 @@
From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 13 Nov 2015 14:54:11 -0500
Subject: [PATCH] Fix impersonate_name to work with interposers
This follows the same modifications applied to
gss_acquire_cred_with_password() when interposer plugins were
introduced.
[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
spnego_gss_acquire_cred_impersonate_name() since it is released in the
cleanup handler]
ticket: 8280 (new)
---
src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++-------
2 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
index 0dd4f87..9eab25e 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
gss_cred_id_t cred = NULL;
gss_OID new_mechs_array = NULL;
gss_cred_id_t * new_cred_array = NULL;
+ gss_OID_set target_mechs = GSS_C_NO_OID_SET;
+ gss_OID selected_mech = GSS_C_NO_OID;
status = val_add_cred_impersonate_name_args(minor_status,
input_cred_handle,
@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
return (status);
- mech = gssint_get_mechanism(desired_mech);
+ status = gssint_select_mech_type(minor_status, desired_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ return status;
+
+ mech = gssint_get_mechanism(selected_mech);
if (!mech)
return GSS_S_BAD_MECH;
else if (!mech->gss_acquire_cred)
@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
internal_name = GSS_C_NO_NAME;
} else {
union_cred = (gss_union_cred_t)input_cred_handle;
- if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
+ if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
GSS_C_NO_CREDENTIAL)
return (GSS_S_DUPLICATE_ELEMENT);
}
mech_impersonator_cred =
gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
- desired_mech);
+ selected_mech);
if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_NO_CRED);
/* may need to create a mechanism specific name */
union_name = (gss_union_name_t)desired_name;
if (union_name->mech_type &&
- g_OID_equal(union_name->mech_type,
- &mech->mech_type))
+ g_OID_equal(union_name->mech_type, selected_mech))
internal_name = union_name->mech_name;
else {
if (gssint_import_internal_name(minor_status,
- &mech->mech_type, union_name,
- &allocated_name) != GSS_S_COMPLETE)
+ selected_mech, union_name,
+ &allocated_name) != GSS_S_COMPLETE)
return (GSS_S_BAD_NAME);
internal_name = allocated_name;
}
@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
else
time_req = 0;
+ status = gss_create_empty_oid_set(minor_status, &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
+ status = gss_add_oid_set_member(minor_status,
+ gssint_get_public_oid(selected_mech),
+ &target_mechs);
+ if (status != GSS_S_COMPLETE)
+ goto errout;
+
status = mech->gss_acquire_cred_impersonate_name(minor_status,
mech_impersonator_cred,
internal_name,
time_req,
- GSS_C_NULL_OID_SET,
+ target_mechs,
cred_usage,
&cred,
NULL,
@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
new_cred_array[union_cred->count] = cred;
if ((new_mechs_array[union_cred->count].elements =
- malloc(mech->mech_type.length)) == NULL)
+ malloc(selected_mech->length)) == NULL)
goto errout;
- g_OID_copy(&new_mechs_array[union_cred->count],
- &mech->mech_type);
+ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
if (actual_mechs != NULL) {
- gss_OID_set_desc oids;
-
- oids.count = union_cred->count + 1;
- oids.elements = new_mechs_array;
-
- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
+ status = gssint_make_public_oid_set(minor_status, new_mechs_array,
+ union_cred->count + 1,
+ actual_mechs);
if (GSS_ERROR(status)) {
free(new_mechs_array[union_cred->count].elements);
goto errout;
@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
/* We're done with the internal name. Free it if we allocated it. */
if (allocated_name)
- (void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
+ (void) gssint_release_internal_name(&temp_minor_status, selected_mech,
&allocated_name);
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+
return (GSS_S_COMPLETE);
errout:
@@ -503,8 +517,10 @@ errout:
if (allocated_name)
(void) gssint_release_internal_name(&temp_minor_status,
- &mech->mech_type,
- &allocated_name);
+ selected_mech, &allocated_name);
+
+ if (target_mechs)
+ (void) gss_release_oid_set(&temp_minor_status, &target_mechs);
if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
free(union_cred);
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index e6703eb..28fb9b1 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- OM_uint32 status;
+ OM_uint32 status, tmpmin;
gss_OID_set amechs = GSS_C_NULL_OID_SET;
spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
- gss_cred_id_t imp_mcred, out_mcred;
+ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
- if (desired_mechs == GSS_C_NO_OID_SET) {
- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
- NULL, &amechs);
- if (status != GSS_S_COMPLETE)
- return status;
-
- desired_mechs = amechs;
- }
+ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+ NULL, &amechs);
+ if (status != GSS_S_COMPLETE)
+ return status;
status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
desired_name, time_req,
- desired_mechs, cred_usage,
+ amechs, cred_usage,
&out_mcred, actual_mechs,
time_rec);
-
- if (amechs != GSS_C_NULL_OID_SET)
- (void) gss_release_oid_set(minor_status, &amechs);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
- if (status != GSS_S_COMPLETE) {
- gss_release_cred(minor_status, &out_mcred);
- return (status);
- }
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+
+ out_mcred = GSS_C_NO_CREDENTIAL;
*output_cred_handle = (gss_cred_id_t)out_spcred;
+cleanup:
+ (void) gss_release_oid_set(&tmpmin, &amechs);
+ (void) gss_release_cred(&tmpmin, &out_mcred);
+
dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
return (status);
}
--
2.6.2

View File

@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.14 Version: 1.14
Release: 10%{?dist} Release: 11%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -64,7 +64,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch129: krb5-1.11-run_user_0.patch Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch Patch134: krb5-1.11-kpasswdtest.patch
Patch148: krb5-disable_ofd_locks.patch Patch148: krb5-disable_ofd_locks.patch
Patch149: krb5-1.14-pwsize_initialize.patch Patch150: krb5-fix_interposer.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -244,7 +244,8 @@ ln NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest %patch134 -p1 -b .kpasswdtest
%patch148 -p1 -b .disable_ofd_locks %patch148 -p1 -b .disable_ofd_locks
%patch149 -p1 -b .pwsize_initialize
%patch150 -p1 -b .fix_interposer
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -815,6 +816,10 @@ exit 0
%changelog %changelog
* Thu Dec 03 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-11
- Backport interposer fix (#1284985)
- Drop workaround pwsize initialization patch (gcc has been fixed)
* Tue Nov 24 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-10 * Tue Nov 24 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-10
- Fix FTBFS by no longer working around bug in nss_wrapper - Fix FTBFS by no longer working around bug in nss_wrapper