pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI contexts (RT#7592)
parent
557835fdb3
commit
c761eb0da7
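--- /dev/null
+++ b/krb5-1.11.1-interposers.patch
@@ -0,0 +1,105 @@
+commit 36c76aa3c625afc9291b9e1df071db51ccf37dab
+Author: Simo Sorce <simo@redhat.com>
+Date: Sat Mar 16 15:23:03 2013 -0400
+
+Fix import_sec_context with interposers
+
+The code was correctly selecting the mechanism to execute, but it was
+improperly setting the mechanism type of the internal context when the
+selected mechanism was that of an interposer and vice versa.
+
+When an interposer is involved the internal context is that of the
+interposer, so the mechanism type of the context needs to be the
+interposer oid. Conversely, when an interposer re-enters gssapi and
+presents a token with a special oid, the mechanism called is the real
+mechanism, and the context returned is a real mechanism context. In
+this case the mechanism type of the context needs to be that of the
+real mechanism.
+
+ticket: 7592
+target_version: 1.11.2
+tags: pullup
+
+diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+index 53310dd..a0e2d71 100644
+--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+@@ -84,6 +84,7 @@ gss_ctx_id_t * context_handle;
+gss_union_ctx_id_t ctx;
+gss_ctx_id_t mctx;
+gss_buffer_desc token;
++ gss_OID_desc token_mech;
+gss_OID selected_mech = GSS_C_NO_OID;
+gss_OID public_mech;
+gss_mechanism mech;
+@@ -100,12 +101,6 @@ gss_ctx_id_t * context_handle;
+if (!ctx)
+return (GSS_S_FAILURE);
+
+- ctx->mech_type = (gss_OID) malloc(sizeof(gss_OID_desc));
+- if (!ctx->mech_type) {
+- free(ctx);
+- return (GSS_S_FAILURE);
+- }
+-
+if (interprocess_token->length >= sizeof (OM_uint32)) {
+p = interprocess_token->value;
+length = (OM_uint32)*p++;
+@@ -120,12 +115,9 @@ gss_ctx_id_t * context_handle;
+return (GSS_S_CALL_BAD_STRUCTURE | GSS_S_DEFECTIVE_TOKEN);
+}
+
+- ctx->mech_type->length = length;
+- ctx->mech_type->elements = malloc(length);
+- if (!ctx->mech_type->elements) {
+- goto error_out;
+- }
+- memcpy(ctx->mech_type->elements, p, length);
++ token_mech.length = length;
++ token_mech.elements = p;
++
+p += length;
+
+token.length = interprocess_token->length - sizeof (OM_uint32) - length;
+@@ -136,7 +128,7 @@ gss_ctx_id_t * context_handle;
+* call it.
+*/
+
+- status = gssint_select_mech_type(minor_status, ctx->mech_type,
++ status = gssint_select_mech_type(minor_status, &token_mech,
+&selected_mech);
+if (status != GSS_S_COMPLETE)
+goto error_out;
+@@ -152,6 +144,12 @@ gss_ctx_id_t * context_handle;
+goto error_out;
+}
+
++ if (generic_gss_copy_oid(minor_status, selected_mech,
++ &ctx->mech_type) != GSS_S_COMPLETE) {
++ status = GSS_S_FAILURE;
++ goto error_out;
++ }
++
+if (mech->gssspi_import_sec_context_by_mech) {
+public_mech = gssint_get_public_oid(selected_mech);
+status = mech->gssspi_import_sec_context_by_mech(minor_status,
+@@ -167,16 +165,11 @@ gss_ctx_id_t * context_handle;
+return (GSS_S_COMPLETE);
+}
+map_error(minor_status, mech);
++ free(ctx->mech_type->elements);
++ free(ctx->mech_type);
+
+error_out:
+- if (ctx) {
+- if (ctx->mech_type) {
+- if (ctx->mech_type->elements)
+- free(ctx->mech_type->elements);
+- free(ctx->mech_type);
+- }
+- free(ctx);
+- }
++ free(ctx);
+return status;
+}
+#endif /* LEAN_CLIENT */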
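Review bot: Ownership of `ctx->mech_type` is now split across two places in the embedded patch: the OID copied by `generic_gss_copy_oid` is released only by the two `free()` lines added after `map_error`, while `error_out` frees just `ctx`. Any later `goto error_out` added below the copy would leak the OID, and `ctx->mech_type` appears to stay unset until the copy, so the label cannot simply free it as the old code did. I would add a comment above the copy such as `/* ctx->mech_type is owned from here; error_out does not release it */`. Separately, `token_mech.elements = p` borrows bytes from the caller's `interprocess_token`, so it deserves a comment that it is a non-owning view relying on the length check whose condition lies outside these hunks. The function body starts outside the hunks.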
|
@ -30,7 +30,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.11.1
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -74,6 +74,7 @@ Patch86: krb5-1.9-debuginfo.patch
|
||||
Patch105: krb5-kvno-230379.patch
|
||||
Patch113: krb5-1.11-alpha1-init.patch
|
||||
Patch114: krb5-lookup_etypes-leak.patch
|
||||
Patch115: krb5-1.11.1-interposers.patch
|
||||
|
||||
Patch201: 0001-add-libk5radius.patch
|
||||
Patch202: 0002-Add-internal-KDC_DIR-macro.patch
|
||||
@ -289,6 +290,7 @@ ln -s NOTICE LICENSE
|
||||
%patch105 -p1 -b .kvno
|
||||
%patch113 -p1 -b .init
|
||||
%patch114 -p1 -b .lookup_etypes-leak
|
||||
%patch115 -p1 -b .interposers
|
||||
|
||||
%patch201 -p1
|
||||
%patch202 -p1
|
||||
@ -809,6 +811,10 @@ exit 0
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
|
||||
contexts (RT#7592)
|
||||
|
||||
* Mon Mar 18 2013 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix a version comparison to expect newer texlive build requirements when
|
||||
%%{_rhel} > 6 rather than when it's > 7
|
||||
|