From c761eb0da7f9813f0e6c4ad4b8e6f563f1f5af9a Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 26 Mar 2013 16:32:29 -0400
Subject: [PATCH] pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI contexts (RT#7592)
---
krb5-1.11.1-interposers.patch | 105 ++++++++++++++++++++++++++++++++++
krb5.spec | 8 ++-
2 files changed, 112 insertions(+), 1 deletion(-)
create mode 100644 krb5-1.11.1-interposers.patch
diff --git a/krb5-1.11.1-interposers.patch b/krb5-1.11.1-interposers.patch
new file mode 100644
index 0000000..a74b655
--- /dev/null
+++ b/krb5-1.11.1-interposers.patch
@@ -0,0 +1,105 @@
+commit 36c76aa3c625afc9291b9e1df071db51ccf37dab
+Author: Simo Sorce
+Date: Sat Mar 16 15:23:03 2013 -0400
+
+ Fix import_sec_context with interposers
+
+ The code was correctly selecting the mechanism to execute, but it was
+ improperly setting the mechanism type of the internal context when the
+ selected mechanism was that of an interposer and vice versa.
+
+ When an interposer is involved the internal context is that of the
+ interposer, so the mechanism type of the context needs to be the
+ interposer oid. Conversely, when an interposer re-enters gssapi and
+ presents a token with a special oid, the mechanism called is the real
+ mechanism, and the context returned is a real mechanism context. In
+ this case the mechanism type of the context needs to be that of the
+ real mechanism.
+
+ ticket: 7592
+ target_version: 1.11.2
+ tags: pullup
+
+diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+index 53310dd..a0e2d71 100644
+--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+@@ -84,6 +84,7 @@ gss_ctx_id_t * context_handle;
+ gss_union_ctx_id_t ctx;
+ gss_ctx_id_t mctx;
+ gss_buffer_desc token;
++ gss_OID_desc token_mech;
+ gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID public_mech;
+ gss_mechanism mech;
+@@ -100,12 +101,6 @@ gss_ctx_id_t * context_handle;
+ if (!ctx)
+ return (GSS_S_FAILURE);
+
+- ctx->mech_type = (gss_OID) malloc(sizeof(gss_OID_desc));
+- if (!ctx->mech_type) {
+- free(ctx);
+- return (GSS_S_FAILURE);
+- }
+-
+ if (interprocess_token->length >= sizeof (OM_uint32)) {
+ p = interprocess_token->value;
+ length = (OM_uint32)*p++;
+@@ -120,12 +115,9 @@ gss_ctx_id_t * context_handle;
+ return (GSS_S_CALL_BAD_STRUCTURE | GSS_S_DEFECTIVE_TOKEN);
+ }
+
+- ctx->mech_type->length = length;
+- ctx->mech_type->elements = malloc(length);
+- if (!ctx->mech_type->elements) {
+- goto error_out;
+- }
+- memcpy(ctx->mech_type->elements, p, length);
++ token_mech.length = length;
++ token_mech.elements = p;
++
+ p += length;
+
+ token.length = interprocess_token->length - sizeof (OM_uint32) - length;
+@@ -136,7 +128,7 @@ gss_ctx_id_t * context_handle;
+ * call it.
+ */
+
+- status = gssint_select_mech_type(minor_status, ctx->mech_type,
++ status = gssint_select_mech_type(minor_status, &token_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ goto error_out;
+@@ -152,6 +144,12 @@ gss_ctx_id_t * context_handle;
+ goto error_out;
+ }
+
++ if (generic_gss_copy_oid(minor_status, selected_mech,
++ &ctx->mech_type) != GSS_S_COMPLETE) {
++ status = GSS_S_FAILURE;
++ goto error_out;
++ }
++
+ if (mech->gssspi_import_sec_context_by_mech) {
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gssspi_import_sec_context_by_mech(minor_status,
+@@ -167,16 +165,11 @@ gss_ctx_id_t * context_handle;
+ return (GSS_S_COMPLETE);
+ }
+ map_error(minor_status, mech);
++ free(ctx->mech_type->elements);
++ free(ctx->mech_type);
+
+ error_out:
+- if (ctx) {
+- if (ctx->mech_type) {
+- if (ctx->mech_type->elements)
+- free(ctx->mech_type->elements);
+- free(ctx->mech_type);
+- }
+- free(ctx);
+- }
++ free(ctx);
+ return status;
+ }
+ #endif /* LEAN_CLIENT */
diff --git a/krb5.spec b/krb5.spec
index d0bbb4c..bfa3d14 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -74,6 +74,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch113: krb5-1.11-alpha1-init.patch
 Patch114: krb5-lookup_etypes-leak.patch
+Patch115: krb5-1.11.1-interposers.patch
 Patch201: 0001-add-libk5radius.patch
 Patch202: 0002-Add-internal-KDC_DIR-macro.patch
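Review bot: Cleanup of `ctx->mech_type` is now order-dependent: in the last g_imp_sec_context.c hunk (`@@ -167,16 +165,11 @@`) the two `free()` calls run only on the fall-through path after the mechanism's import call fails, while `error_out:` frees just `ctx`, so any `goto error_out` added later after `generic_gss_copy_oid()` succeeds would leak the copied OID. The allocation of `ctx` sits above the hunks shown, so whether `ctx->mech_type` starts out NULL cannot be confirmed here; if it does not, a single cleanup path would need `ctx->mech_type = GSS_C_NO_OID;` right after the `if (!ctx)` check, with the two frees moved under `error_out:` behind `if (ctx->mech_type != GSS_C_NO_OID)`. Separately, in the `@@ -120,12 +115,9 @@` hunk `token_mech.elements = p;` borrows bytes from the caller's `interprocess_token` instead of copying them, which deserves a comment such as `/* token_mech aliases interprocess_token; used only for mechanism selection, never stored in ctx */`. The function body begins and ends outside these hunks, including the length check whose `GSS_S_DEFECTIVE_TOKEN` return is the only part visible.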
@@ -289,6 +290,7 @@ ln -s NOTICE LICENSE
 %patch105 -p1 -b .kvno
 %patch113 -p1 -b .init
 %patch114 -p1 -b .lookup_etypes-leak
+%patch115 -p1 -b .interposers
 %patch201 -p1
 %patch202 -p1
@@ -809,6 +811,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Tue Mar 26 2013 Nalin Dahyabhai
+- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
+ contexts (RT#7592)
+
 * Mon Mar 18 2013 Nalin Dahyabhai
 - fix a version comparison to expect newer texlive build requirements when %%{_rhel} > 6 rather than when it's > 7