Correctly import "service@" GSS host-based name

Correctly-import-service-GSS-host-based-name.patch

@@ -0,0 +1,52 @@
+From 53b7be87de77b09f44b4ced1d4e85f520c9ce71a Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 30 Mar 2020 15:26:02 -0400
+Subject: [PATCH] Correctly import "service@" GSS host-based name
+
+The intended way to specify only a service in a GSS host-based name is
+to omit the "@" separator.  Some applications include the separator
+but no hostname, and this happened to yield wildcard hostname behavior
+prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when
+shortname qualification was added.  To restore this behavior, check in
+parse_hostbased() that at least one character is present after the "@"
+separator before copying the hostname.  Add a test case to t_gssapi.py.
+
+ticket: 8892
+tags: pullup
+target_version: 1.18-next
+
+(cherry picked from commit a2f047af0400ba8080dc26033fae2b17534501e2)
+---
+ src/lib/gssapi/krb5/import_name.c | 4 ++--
+ src/tests/gssapi/t_gssapi.py      | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
+index da2ab1423..21023dd76 100644
+--- a/src/lib/gssapi/krb5/import_name.c
++++ b/src/lib/gssapi/krb5/import_name.c
+@@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len,
+     memcpy(service, str, servicelen);
+     service[servicelen] = '\0';
+ 
+-    /* If present, copy the hostname. */
+-    if (at != NULL) {
++    /* Copy the hostname if present (at least one character after '@'). */
++    if (len - servicelen > 1) {
+         hostlen = len - servicelen - 1;
+         host = malloc(hostlen + 1);
+         if (host == NULL) {
+diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
+index 54d5cf549..ecf982604 100755
+--- a/src/tests/gssapi/t_gssapi.py
++++ b/src/tests/gssapi/t_gssapi.py
+@@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
+           expected_msg='service2/calvin')
+ realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
+           expected_msg=' found in keytab but does not match server principal')
++# Regression test for #8892 (trailing @ in name).
++realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'],
++          expected_msg='service1/abraham')
+ 
+ # Test with acceptor name containing service and host.  Use the
+ # client's un-canonicalized hostname as acceptor input to mirror what

krb5.spec

@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 9%{?dist}
+Release: 10%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -57,6 +57,7 @@ Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
 Patch12: Document-client-keytab-usage.patch
 Patch13: Add-finalization-safety-check-to-com_err.patch
 Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
+Patch15: Correctly-import-service-GSS-host-based-name.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -634,6 +635,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Apr 01 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-10
+- Correctly import "service@" GSS host-based name
+
 * Thu Mar 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-9
 - Eliminate redundant PKINIT responder invocation