[cvs/f15] Fix GSS API authentication against multihomed server

Petr Pisar ppisar at fedoraproject.org
Thu Jul 21 14:24:10 UTC 2011


commit 651056b318408828d7567a68c076d0015e075a85
Author: Petr Písař <ppisar at redhat.com>
Date:   Thu Jul 21 16:00:59 2011 +0200

    Fix GSS API authentication against multihomed server

 ...-IP-address-instead-of-hostname-to-GSSAPI.patch |   70 ++++++++++++++++++++
 cvs.spec                                           |    8 ++-
 2 files changed, 77 insertions(+), 1 deletions(-)
---
diff --git a/cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch b/cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
new file mode 100644
index 0000000..2d502c2
--- /dev/null
+++ b/cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
@@ -0,0 +1,70 @@
+From 9a5eb874aaa49106d8c326e325c0d8a85b925ac0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 21 Jul 2011 15:34:35 +0200
+Subject: [PATCH] Pass server IP address instead of hostname to GSSAPI
+
+GSSAPI will do its own lookup for the "primary" hostname, with a
+rotating DNS alias it will end up occasionally with a different result
+than the machine we already connected to. This gives errors along the
+line of
+
+GSSAPI authentication failed: lxcvs08.cern.ch Miscellaneous
+failure/Unknown code krb5 144
+
+Since GSSAPI will do a forward+reverse lookup anyway to find the
+"canocical" hostname, we just feed it the IP we are currently
+connected to.
+---
+ src/client.c |   28 +++++++++++++++++++++++++---
+ 1 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 7212ebb..d0abd41 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -4289,17 +4289,39 @@ connect_to_gserver (root, sock, hostname)
+     gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
+     OM_uint32 stat_min, stat_maj;
+     gss_name_t server_name;
++    struct sockaddr_storage peer;
++    socklen_t peer_len = sizeof(peer);
++    int retval;
+ 
+     str = "BEGIN GSSAPI REQUEST\012";
+ 
+     if (send (sock, str, strlen (str), 0) < 0)
+ 	error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+ 
+-    if (strlen (hostname) > BUFSIZE - 5)
+-	error (1, 0, "Internal error: hostname exceeds length of buffer");
+-    sprintf (buf, "cvs@%s", hostname);
++    /* find out who we are really talking to - should not allow
++       GSSAPI to resolve the name again to something different */
++    if (getpeername (sock, (struct sockaddr*)&peer, &peer_len) < 0 )
++    {
++	error (1, 0, "cannot identify remote peer: %s",
++	       	SOCK_STRERROR (SOCK_ERRNO));
++    }
++    retval = getnameinfo ((struct sockaddr *)&peer, peer_len, buf+4, BUFSIZE-4,
++	    NULL, 0, NI_NUMERICHOST);
++    if (retval)
++    {
++	error (1, 0, "cannot format remote peer address: %s",
++	       	gai_strerror(retval));
++    }
++    /* ???: Delimit IPv6 address by brackets? */
++    memcpy (buf, "cvs@", 4);
++
+     tok_in.length = strlen (buf);
+     tok_in.value = buf;
++    if (trace) 
++    {
++	fprintf (stderr, " -> will use GSSAPI principal '%s' for %s\n",
++	       buf,hostname);
++    }
+     gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
+ 		     &server_name);
+ 
+-- 
+1.7.6
+
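Review bot: Building the host-based name from the numeric peer address (the `getnameinfo ... NI_NUMERICHOST` call into `buf+4`) moves the choice of service principal onto reverse DNS: GSSAPI can only turn `cvs@<address>` into `cvs/<canonical-host>` through a PTR lookup, so with reverse canonicalization disabled in the Kerberos library configuration (the krb5 `rdns` setting) the requested principal presumably ends up as `cvs/<address>` and authentication fails, and where it is enabled, PTR data for the server's address now influences which service principal the client asks for instead of the name the user configured. The comment above getpeername should record that dependency, e.g. `/* The peer address is used as the host-based name; GSSAPI must canonicalize it via reverse DNS, so correct PTR records and rdns canonicalization are required. */`. The `/* ???: Delimit IPv6 address by brackets? */` question should be settled before this ships; for a link-local IPv6 peer getnameinfo may also append a `%scope` suffix to the address, which is unlikely to map to any principal. connect_to_gserver's body continues outside the hunk, and whether client.c already includes <netdb.h> for getnameinfo/gai_strerror is not visible here.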
diff --git a/cvs.spec b/cvs.spec
index aecbd6e..cbcf6b6 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
 
 Name: cvs
 Version: 1.11.23
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: Concurrent Versions System
 Group: Development/Tools
 URL: http://cvs.nongnu.org/
@@ -53,6 +53,8 @@ Patch21: cvs-1.11.23-cve-2010-3846.patch
 Patch22: cvs-1.11.23-remove_undefined_date_from_cvs_1_header.patch
 Patch23: cvs-1.11.23-sanity.patch
 Patch24: cvs-1.11.23-make_make_check_sanity_testing_verbose.patch
+# bug #722972
+Patch25: cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
 
 # Don't let find provides to add csh to automatic requires
 %filter_requires_in ^%{buildroot}%{_datadir}/%{name}/contrib/sccs2rcs$
@@ -112,6 +114,7 @@ pages in PDF.
 %patch22 -p1 -b .undefined_date
 %patch23 -p1 -b .sanity
 %patch24 -p1 -b .verbose_sanity
+%patch25 -p1 -b .gssapi_dns
 
 # Apply a patch to the generated files, OR
 # run autoreconf and require autoconf >= 2.58, automake >= 1.7.9
@@ -199,6 +202,9 @@ exit 0
 
 
 %changelog
+* Thu Jul 21 2011 Petr Pisar <ppisar at redhat.com> - 1.11.23-16
+- Fix GSS API authentication against multihomed server (bug #722972)
+
 * Thu May 26 2011 Petr Pisar <ppisar at redhat.com> - 1.11.23-15
 - Filter sccs2rcs interpreter from dependencies again (bug #225672)
 

