pull up patch to mark imported gss contexts right

- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
  contexts (RT#7592)
Nalin Dahyabhai 2013-03-26 16:32:29 -04:00
parent 557835fdb3
commit c761eb0da7
2 changed files with 112 additions and 1 deletions


@ -0,0 +1,105 @@
commit 36c76aa3c625afc9291b9e1df071db51ccf37dab
Author: Simo Sorce <simo@redhat.com>
Date: Sat Mar 16 15:23:03 2013 -0400
Fix import_sec_context with interposers
The code was correctly selecting the mechanism to execute, but it was
improperly setting the mechanism type of the internal context when the
selected mechanism was that of an interposer and vice versa.
When an interposer is involved the internal context is that of the
interposer, so the mechanism type of the context needs to be the
interposer oid. Conversely, when an interposer re-enters gssapi and
presents a token with a special oid, the mechanism called is the real
mechanism, and the context returned is a real mechanism context. In
this case the mechanism type of the context needs to be that of the
real mechanism.
ticket: 7592
target_version: 1.11.2
tags: pullup
diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c
index 53310dd..a0e2d71 100644
--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c
@@ -84,6 +84,7 @@ gss_ctx_id_t * context_handle;
gss_union_ctx_id_t ctx;
gss_ctx_id_t mctx;
gss_buffer_desc token;
+ gss_OID_desc token_mech;
gss_OID selected_mech = GSS_C_NO_OID;
gss_OID public_mech;
gss_mechanism mech;
@@ -100,12 +101,6 @@ gss_ctx_id_t * context_handle;
if (!ctx)
return (GSS_S_FAILURE);
- ctx->mech_type = (gss_OID) malloc(sizeof(gss_OID_desc));
- if (!ctx->mech_type) {
- free(ctx);
- return (GSS_S_FAILURE);
- }
-
if (interprocess_token->length >= sizeof (OM_uint32)) {
p = interprocess_token->value;
length = (OM_uint32)*p++;
@@ -120,12 +115,9 @@ gss_ctx_id_t * context_handle;
return (GSS_S_CALL_BAD_STRUCTURE | GSS_S_DEFECTIVE_TOKEN);
}
- ctx->mech_type->length = length;
- ctx->mech_type->elements = malloc(length);
- if (!ctx->mech_type->elements) {
- goto error_out;
- }
- memcpy(ctx->mech_type->elements, p, length);
+ token_mech.length = length;
+ token_mech.elements = p;
+
p += length;
token.length = interprocess_token->length - sizeof (OM_uint32) - length;
@@ -136,7 +128,7 @@ gss_ctx_id_t * context_handle;
* call it.
*/
- status = gssint_select_mech_type(minor_status, ctx->mech_type,
+ status = gssint_select_mech_type(minor_status, &token_mech,
&selected_mech);
if (status != GSS_S_COMPLETE)
goto error_out;
@@ -152,6 +144,12 @@ gss_ctx_id_t * context_handle;
goto error_out;
}
+ if (generic_gss_copy_oid(minor_status, selected_mech,
+ &ctx->mech_type) != GSS_S_COMPLETE) {
+ status = GSS_S_FAILURE;
+ goto error_out;
+ }
+
if (mech->gssspi_import_sec_context_by_mech) {
public_mech = gssint_get_public_oid(selected_mech);
status = mech->gssspi_import_sec_context_by_mech(minor_status,
@@ -167,16 +165,11 @@ gss_ctx_id_t * context_handle;
return (GSS_S_COMPLETE);
}
map_error(minor_status, mech);
+ free(ctx->mech_type->elements);
+ free(ctx->mech_type);
error_out:
- if (ctx) {
- if (ctx->mech_type) {
- if (ctx->mech_type->elements)
- free(ctx->mech_type->elements);
- free(ctx->mech_type);
- }
- free(ctx);
- }
+ free(ctx);
return status;
}
#endif /* LEAN_CLIENT */
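Review bot: The two `free` calls on `ctx->mech_type` just above the `error_out:` label are correct only because every `goto error_out` visible in these hunks runs before `generic_gss_copy_oid` has succeeded; an error path added later, after the copy, would leak the OID. Moving the release under the label would instead read an unset pointer, unless `ctx` is zero-filled at allocation, which happens outside the hunks. Setting `ctx->mech_type = GSS_C_NO_OID;` right after the `!ctx` check and guarding the release under the label with `if (ctx->mech_type)` would make the cleanup independent of ordering; failing that, a comment such as `/* mech_type exists only on the fall-through path; error_out frees ctx alone */` records the invariant. A comment at `token_mech.elements = p;` should also say that this OID borrows the caller's `interprocess_token` buffer, so it must never be freed or stored past the call. The function begins outside the visible hunks.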


@ -30,7 +30,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.11.1 Version: 1.11.1
Release: 4%{?dist} Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -74,6 +74,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch Patch105: krb5-kvno-230379.patch
Patch113: krb5-1.11-alpha1-init.patch Patch113: krb5-1.11-alpha1-init.patch
Patch114: krb5-lookup_etypes-leak.patch Patch114: krb5-lookup_etypes-leak.patch
Patch115: krb5-1.11.1-interposers.patch
Patch201: 0001-add-libk5radius.patch Patch201: 0001-add-libk5radius.patch
Patch202: 0002-Add-internal-KDC_DIR-macro.patch Patch202: 0002-Add-internal-KDC_DIR-macro.patch
@ -289,6 +290,7 @@ ln -s NOTICE LICENSE
%patch105 -p1 -b .kvno %patch105 -p1 -b .kvno
%patch113 -p1 -b .init %patch113 -p1 -b .init
%patch114 -p1 -b .lookup_etypes-leak %patch114 -p1 -b .lookup_etypes-leak
%patch115 -p1 -b .interposers
%patch201 -p1 %patch201 -p1
%patch202 -p1 %patch202 -p1
@ -809,6 +811,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com>
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
contexts (RT#7592)
* Mon Mar 18 2013 Nalin Dahyabhai <nalin@redhat.com> * Mon Mar 18 2013 Nalin Dahyabhai <nalin@redhat.com>
- fix a version comparison to expect newer texlive build requirements when - fix a version comparison to expect newer texlive build requirements when
%%{_rhel} > 6 rather than when it's > 7 %%{_rhel} > 6 rather than when it's > 7