Pull up fix for reimporting ccaches in gssapi
- pull up fix for importing previously-exported credential caches in the gssapi library (RT# 7706, #1019420)
parent
84fe7d69da
commit
16e749771f
131
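--- a/krb5-1.11.3-gss-ccache-import.patch
+++ b/krb5-1.11.3-gss-ccache-import.patch
@@ -0,0 +1,131 @@
+Tweaked for 1.11.3.
+
+commit 48dd01f29b893a958a64dcf6eb0b734e8463425b
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Mon Oct 7 09:51:56 2013 -0400
+
+Fix GSSAPI krb5 cred ccache import
+
+json_to_ccache was incorrectly indexing the JSON array when restoring
+a memory ccache. Fix it.
+
+Add test coverage for a multi-cred ccache by exporting/importing the
+synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
+export_import_cred from t_export_cred.c to common.c to facilitate
+this. Make a note in t_export_cred.py that this case is covered in
+t_s4u.py.
+
+ticket: 7706
+target_version: 1.11.4
+
+diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c
+index 973b9d0..f0a0373 100644
+--- a/src/lib/gssapi/krb5/import_cred.c
++++ b/src/lib/gssapi/krb5/import_cred.c
+@@ -486,7 +486,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
+
+/* Add remaining array entries to the ccache as credentials. */
+for (i = 1; i < len; i++) {
+- if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
++ if (json_to_creds(context, k5_json_array_get(array, i), &creds))
+goto invalid;
+ret = krb5_cc_store_cred(context, ccache, &creds);
+krb5_free_cred_contents(context, &creds);
+diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
+index 19a781a..231f44a 100644
+--- a/src/tests/gssapi/common.c
++++ b/src/tests/gssapi/common.c
+@@ -149,6 +149,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
+}
+
+void
++export_import_cred(gss_cred_id_t *cred)
++{
++ OM_uint32 major, minor;
++ gss_buffer_desc buf;
++
++ major = gss_export_cred(&minor, *cred, &buf);
++ check_gsserr("gss_export_cred", major, minor);
++ (void)gss_release_cred(&minor, cred);
++ major = gss_import_cred(&minor, &buf, cred);
++ check_gsserr("gss_import_cred", major, minor);
++ (void)gss_release_buffer(&minor, &buf);
++}
++
++void
+display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
+{
+gss_name_t canon;
+diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
+index 54c0d36..ae11b51 100644
+--- a/src/tests/gssapi/common.h
++++ b/src/tests/gssapi/common.h
+@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
+* 'p:principalname', or 'h:host@service' (or just 'h:service'). */
+gss_name_t import_name(const char *str);
+
++/* Export *cred to a token, then release *cred and replace it by re-importing
++ * the token. */
++void export_import_cred(gss_cred_id_t *cred);
++
+/* Display name as canonicalized to mech, preceded by tag. */
+void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
+
+diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
+index 5214cd5..4d7c028 100644
+--- a/src/tests/gssapi/t_export_cred.c
++++ b/src/tests/gssapi/t_export_cred.c
+@@ -37,22 +37,6 @@ usage(void)
+exit(1);
+}
+
+-/* Export *cred to a token, then release *cred and replace it by re-importing
+- * the token. */
+-static void
+-export_import_cred(gss_cred_id_t *cred)
+-{
+- OM_uint32 major, minor;
+- gss_buffer_desc buf;
+-
+- major = gss_export_cred(&minor, *cred, &buf);
+- check_gsserr("gss_export_cred", major, minor);
+- (void)gss_release_cred(&minor, cred);
+- major = gss_import_cred(&minor, &buf, cred);
+- check_gsserr("gss_import_cred", major, minor);
+- (void)gss_release_buffer(&minor, &buf);
+-}
+-
+int
+main(int argc, char *argv[])
+{
+diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
+index 53dd13c..6988359 100644
+--- a/src/tests/gssapi/t_export_cred.py
++++ b/src/tests/gssapi/t_export_cred.py
+@@ -1,7 +1,10 @@
+#!/usr/bin/python
+from k5test import *
+
+-# Test gss_export_cred and gss_import_cred.
++# Test gss_export_cred and gss_import_cred for initiator creds,
++# acceptor creds, and traditional delegated creds. t_s4u.py tests
++# exporting and importing a synthesized S4U2Proxy delegated
++# credential.
+
+# Make up a filename to hold user's initial credentials.
+def ccache_savefile(realm):
+diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
+index 3ad1086..483d915 100644
+--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
++++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
+@@ -117,6 +117,10 @@ main(int argc, char *argv[])
+goto cleanup;
+}
+
++ /* Take the opportunity to test cred export/import on the synthesized
++ * S4U2Proxy delegated cred. */
++ export_import_cred(&deleg_cred);
++
+/* Store the delegated credentials. */
+ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
+check_k5err(context, "krb5_cc_resolve", ret);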
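Review bot: `export_import_cred`, as added to src/tests/gssapi/common.c, checks only the status codes of `gss_export_cred` and `gss_import_cred`, so on its own it would not detect the defect fixed in import_cred.c: with index `1` reused, each `json_to_creds` call parses the same valid entry and the import presumably still reports success while the remaining credentials are never restored. The regression coverage therefore depends on what `main` in t_s4u2proxy_krb5.c does with `deleg_cred` after the new call, and that code lies outside the hunk; if those steps do need the later cache entries, the added comment should say so, e.g. `/* The steps below fail if the round trip drops any credential from the ccache. */`. In the helper itself, `gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;` would keep `gss_release_buffer` from seeing an indeterminate buffer should `check_gsserr` ever return on failure; its behaviour is not visible here.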
@ -41,7 +41,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.11.3
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -108,6 +108,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
|
||||
Patch135: krb5-1.11-check_transited.patch
|
||||
Patch136: krb5-1.11.3-prompter1.patch
|
||||
Patch137: krb5-1.11.3-prompter2.patch
|
||||
Patch138: krb5-1.11.3-gss-ccache-import.patch
|
||||
|
||||
# Patches for otp plugin backport
|
||||
Patch201: krb5-1.11.2-keycheck.patch
|
||||
@ -353,6 +354,7 @@ ln -s NOTICE LICENSE
|
||||
%patch135 -p1 -b .check_transited
|
||||
%patch136 -p1 -b .prompter1
|
||||
%patch137 -p1 -b .prompter2
|
||||
%patch138 -p1 -b .gss-ccache-import
|
||||
|
||||
%patch201 -p1 -b .keycheck
|
||||
%patch202 -p1 -b .otp
|
||||
@ -998,6 +1000,10 @@ exit 0
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Tue Oct 15 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-25
|
||||
- pull up fix for importing previously-exported credential caches in the
|
||||
gssapi library (RT# 7706, #1019420)
|
||||
|
||||
* Mon Oct 14 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-24
|
||||
- backport the callback to use the libkrb5 prompter when we can't load PEM
|
||||
files for PKINIT (RT#7590, includes part of #965721/#1016690)
|
||||
|