diff --git a/krb5-1.7-spnego-deleg.patch b/krb5-1.7-spnego-deleg.patch new file mode 100644 index 0000000..31a074c --- /dev/null +++ b/krb5-1.7-spnego-deleg.patch @@ -0,0 +1,61 @@ +Punt a set_cred_option() call down to the mechanism for the first +credential that we have whose mechanism implements a set_cred_option() +method. Not completely sure this is the correct fix, as we may need to +change gssspi_set_cred_option() to keep going if it gets GSS_S_UNAVAILABLE +back from the mechanism-specific function (which is what the Kerberos +mechanism, previously the only provider of a set_cred_option(), returns +if it doesn't understand the request). + +diff -up krb5/src/lib/gssapi/spnego/gssapiP_spnego.h krb5/src/lib/gssapi/spnego/gssapiP_spnego.h +--- krb5/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-12-08 14:46:57.000000000 -0500 ++++ krb5/src/lib/gssapi/spnego/gssapiP_spnego.h 2009-12-08 14:46:20.000000000 -0500 +@@ -333,6 +333,15 @@ spnego_gss_inquire_sec_context_by_oid + ); + + OM_uint32 ++spnego_gss_set_cred_option ++( ++ OM_uint32 *minor_status, ++ gss_cred_id_t cred_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value ++); ++ ++OM_uint32 + spnego_gss_set_sec_context_option + ( + OM_uint32 *minor_status, +diff -up krb5/src/lib/gssapi/spnego/spnego_mech.c krb5/src/lib/gssapi/spnego/spnego_mech.c +--- krb5/src/lib/gssapi/spnego/spnego_mech.c 2009-12-08 14:47:01.000000000 -0500 ++++ krb5/src/lib/gssapi/spnego/spnego_mech.c 2009-12-08 14:46:20.000000000 -0500 +@@ -250,7 +250,7 @@ static struct gss_config spnego_mechanis + spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */ + NULL, /* gss_inquire_cred_by_oid */ + spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */ +- NULL, /* gssspi_set_cred_option */ ++ spnego_gss_set_cred_option, /* gssspi_set_cred_option */ + NULL, /* gssspi_mech_invoke */ + spnego_gss_wrap_aead, + spnego_gss_unwrap_aead, +@@ -2081,6 +2081,21 @@ spnego_gss_inquire_sec_context_by_oid( + } + + OM_uint32 ++spnego_gss_set_cred_option( ++ OM_uint32 *minor_status, ++ gss_cred_id_t cred_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value) ++{ ++ OM_uint32 ret; ++ ret = gssspi_set_cred_option(minor_status, ++ cred_handle, ++ desired_object, ++ value); ++ return (ret); ++} ++ ++OM_uint32 + spnego_gss_set_sec_context_option( + OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, diff --git a/krb5.spec b/krb5.spec index 058daa7..7ea92bc 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.7 -Release: 11%{?dist} +Release: 12%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar Source0: krb5-%{version}.tar.gz @@ -79,6 +79,7 @@ Patch87: krb5-1.7-errs.patch Patch88: krb5-1.7-sizeof.patch Patch89: krb5-1.7-largefile.patch Patch90: krb5-1.7-openssl-1.0.patch +Patch91: krb5-1.7-spnego-deleg.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -215,7 +216,10 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog -* Fri Dec 4 2009 Nalin Dahyabhai - 1.7-12 +* Tue Dec 8 2009 Nalin Dahyabhai - 1.7-13 +- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) + +* Fri Dec 4 2009 Nalin Dahyabhai - make krb5-config suppress CFLAGS output when called with --libs (#544391) * Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11 @@ -1501,6 +1505,7 @@ popd %patch88 -p1 -b .sizeof %patch89 -p1 -b .largefile %patch90 -p0 -b .openssl-1.0 +%patch91 -p1 -b .spnego-deleg gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex