From d370e2a431a42b1fa46c89275def24e844697326 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 22 May 2020 13:28:09 -0400 Subject: [PATCH] Fix SPNEGO acceptor mech filtering --- Fix-SPNEGO-acceptor-mech-filtering.patch | 32 ++++++++++++++++++++++++ krb5.spec | 6 ++++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 Fix-SPNEGO-acceptor-mech-filtering.patch diff --git a/Fix-SPNEGO-acceptor-mech-filtering.patch b/Fix-SPNEGO-acceptor-mech-filtering.patch new file mode 100644 index 0000000..3f07637 --- /dev/null +++ b/Fix-SPNEGO-acceptor-mech-filtering.patch @@ -0,0 +1,32 @@ +From b8a19522f0169be3b4a2f539e28c89755cd85d6f Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 21 May 2020 14:15:25 -0400 +Subject: [PATCH] Fix SPNEGO acceptor mech filtering + +Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851) +accidentally changed the SPNEGO acceptor code to filter mechanisms by +the obtainability of initiator credentials rather than acceptor +credentials, when the default acceptor credential is used. + +ticket: 8908 (new) +tags: pullup +target_version: 1.18-next + +(cherry picked from commit e25918cb9efd7361aa78d2d96cd097dd34fdf35d) +--- + src/lib/gssapi/spnego/spnego_mech.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 8d36a05e8..255db6e30 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -1379,7 +1379,7 @@ acc_ctx_new(OM_uint32 *minor_status, + goto cleanup; + } + +- ret = get_negotiable_mechs(minor_status, sc, spcred, GSS_C_INITIATE); ++ ret = get_negotiable_mechs(minor_status, sc, spcred, GSS_C_ACCEPT); + if (ret != GSS_S_COMPLETE) { + *return_token = NO_TOKEN_SEND; + goto cleanup; diff --git a/krb5.spec b/krb5.spec index 9622f8f..fe42e76 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.1 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 5%{?dist} +Release: 6%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -59,6 +59,7 @@ Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch Patch17: Pass-gss_localname-through-SPNEGO.patch Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch +Patch20: Fix-SPNEGO-acceptor-mech-filtering.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -631,6 +632,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri May 22 2020 Robbie Harwood - 1.18.1-6 +- Fix SPNEGO acceptor mech filtering + * Mon May 18 2020 Robbie Harwood - 1.18.1-5 - Fix typo ("in in") in the ksu man page
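Review bot: The acc_ctx_new hunk in src/lib/gssapi/spnego/spnego_mech.c changes only the usage argument and ships without a regression test; the embedded patch's diffstat lists that one file with 1 insertion and 1 deletion. The commit message says the flag was changed accidentally by an earlier commit, so the same slip could recur unnoticed. A test that runs the SPNEGO acceptor with the default acceptor credential where initiator credentials are not obtainable would pin down `get_negotiable_mechs(minor_status, sc, spcred, GSS_C_ACCEPT)`. A one-line comment at the call stating that acceptor usage is intended here would also help the next reader.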
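Review bot: The new %changelog entry in krb5.spec, `- Fix SPNEGO acceptor mech filtering`, does not name the upstream issue it addresses. The embedded patch header carries `ticket: 8908`; adding that ticket number to the changelog line would let someone reading the package history trace 1.18.1-6 back to the upstream fix without opening Patch20.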