- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached

(more of #761317)
2011-12-13 10:48:28 -05:00 · 2011-12-13 10:48:28 -05:00 · 6d68d342c9
commit 6d68d342c9
parent fb7c02faff
2 changed files with 32 additions and 0 deletions
--- a/krb5-trunk-7047.patch
+++ b/krb5-trunk-7047.patch
@ -0,0 +1,28 @@
+commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136
+Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Wed Dec 7 19:38:22 2011 +0000
+
+    ticket: 7047
+    subject: Allow S4U2Proxy service tickets to be cached
+    
+    Previous to this change, the GSS code avoids caching S4U2Proxy results
+    for fear of the memory cache growing without bound, but that seems
+    unlikely to be a serious problem.  Allow these to be cached.
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
+index d7b9ffa..07baefa 100644
+--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
+@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
+         !krb5_principal_compare(context, cred->impersonator, server->princ)) {
+         krb5_creds mcreds;
+ 
+-        flags |= KRB5_GC_CANONICALIZE |
+-            KRB5_GC_NO_STORE |
+-            KRB5_GC_CONSTRAINED_DELEGATION;
+        flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION;
+ 
+         memset(&mcreds, 0, sizeof(mcreds));
+ 
--- a/krb5.spec
+++ b/krb5.spec
@ -60,6 +60,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch92: krb5-1.10-alpha1-uninit.patch
 Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
 Patch100: krb5-trunk-7046.patch
+Patch101: krb5-trunk-7047.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -227,6 +228,7 @@ ln -s NOTICE LICENSE
 %patch86 -p0 -b .debuginfo
 %patch93 -p1 -b .2011-007
 %patch100 -p1 -b .7046
+%patch101 -p1 -b .7047
 # XXX Temporary, backported from trunk.
 %patch92 -p1 -b .uninit
 # XXX Temporary, fixed properly in trunk.
@ -744,6 +746,8 @@ exit 0
 * Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
 - pull in patch for RT#7046: tag a ccache containing credentials obtained via
  S4U2Proxy with the principal name of the proxying principal (part of #761317)
+- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
+  (more of #761317)

 * Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
 - apply upstream patch to fix a null pointer dereference when processing