[krb5] Pull up fix for reimporting ccaches in gssapi

Nalin Dahyabhai nalin at fedoraproject.org
Tue Oct 15 18:40:49 UTC 2013


commit 16e749771f249960d09ede42cf0918ab8685fce3
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Tue Oct 15 13:44:56 2013 -0400

    Pull up fix for reimporting ccaches in gssapi
    
    - pull up fix for importing previously-exported credential caches in the
      gssapi library (RT# 7706, #1019420)

 krb5-1.11.3-gss-ccache-import.patch |  131 +++++++++++++++++++++++++++++++++++
 krb5.spec                           |    8 ++-
 2 files changed, 138 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.11.3-gss-ccache-import.patch b/krb5-1.11.3-gss-ccache-import.patch
new file mode 100644
index 0000000..2bfd927
--- /dev/null
+++ b/krb5-1.11.3-gss-ccache-import.patch
@@ -0,0 +1,131 @@
+Tweaked for 1.11.3.
+
+commit 48dd01f29b893a958a64dcf6eb0b734e8463425b
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Mon Oct 7 09:51:56 2013 -0400
+
+    Fix GSSAPI krb5 cred ccache import
+    
+    json_to_ccache was incorrectly indexing the JSON array when restoring
+    a memory ccache.  Fix it.
+    
+    Add test coverage for a multi-cred ccache by exporting/importing the
+    synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
+    export_import_cred from t_export_cred.c to common.c to facilitate
+    this.  Make a note in t_export_cred.py that this case is covered in
+    t_s4u.py.
+    
+    ticket: 7706
+    target_version: 1.11.4
+
+diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c
+index 973b9d0..f0a0373 100644
+--- a/src/lib/gssapi/krb5/import_cred.c
++++ b/src/lib/gssapi/krb5/import_cred.c
+@@ -486,7 +486,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
+ 
+     /* Add remaining array entries to the ccache as credentials. */
+     for (i = 1; i < len; i++) {
+-        if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
++        if (json_to_creds(context, k5_json_array_get(array, i), &creds))
+             goto invalid;
+         ret = krb5_cc_store_cred(context, ccache, &creds);
+         krb5_free_cred_contents(context, &creds);
+diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c
+index 19a781a..231f44a 100644
+--- a/src/tests/gssapi/common.c
++++ b/src/tests/gssapi/common.c
+@@ -149,6 +149,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred,
+ }
+ 
+ void
++export_import_cred(gss_cred_id_t *cred)
++{
++    OM_uint32 major, minor;
++    gss_buffer_desc buf;
++
++    major = gss_export_cred(&minor, *cred, &buf);
++    check_gsserr("gss_export_cred", major, minor);
++    (void)gss_release_cred(&minor, cred);
++    major = gss_import_cred(&minor, &buf, cred);
++    check_gsserr("gss_import_cred", major, minor);
++    (void)gss_release_buffer(&minor, &buf);
++}
++
++void
+ display_canon_name(const char *tag, gss_name_t name, gss_OID mech)
+ {
+     gss_name_t canon;
+diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h
+index 54c0d36..ae11b51 100644
+--- a/src/tests/gssapi/common.h
++++ b/src/tests/gssapi/common.h
+@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred,
+  * 'p:principalname', or 'h:host at service' (or just 'h:service'). */
+ gss_name_t import_name(const char *str);
+ 
++/* Export *cred to a token, then release *cred and replace it by re-importing
++ * the token. */
++void export_import_cred(gss_cred_id_t *cred);
++
+ /* Display name as canonicalized to mech, preceded by tag. */
+ void display_canon_name(const char *tag, gss_name_t name, gss_OID mech);
+ 
+diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c
+index 5214cd5..4d7c028 100644
+--- a/src/tests/gssapi/t_export_cred.c
++++ b/src/tests/gssapi/t_export_cred.c
+@@ -37,22 +37,6 @@ usage(void)
+     exit(1);
+ }
+ 
+-/* Export *cred to a token, then release *cred and replace it by re-importing
+- * the token. */
+-static void
+-export_import_cred(gss_cred_id_t *cred)
+-{
+-    OM_uint32 major, minor;
+-    gss_buffer_desc buf;
+-
+-    major = gss_export_cred(&minor, *cred, &buf);
+-    check_gsserr("gss_export_cred", major, minor);
+-    (void)gss_release_cred(&minor, cred);
+-    major = gss_import_cred(&minor, &buf, cred);
+-    check_gsserr("gss_import_cred", major, minor);
+-    (void)gss_release_buffer(&minor, &buf);
+-}
+-
+ int
+ main(int argc, char *argv[])
+ {
+diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
+index 53dd13c..6988359 100644
+--- a/src/tests/gssapi/t_export_cred.py
++++ b/src/tests/gssapi/t_export_cred.py
+@@ -1,7 +1,10 @@
+ #!/usr/bin/python
+ from k5test import *
+ 
+-# Test gss_export_cred and gss_import_cred.
++# Test gss_export_cred and gss_import_cred for initiator creds,
++# acceptor creds, and traditional delegated creds.  t_s4u.py tests
++# exporting and importing a synthesized S4U2Proxy delegated
++# credential.
+ 
+ # Make up a filename to hold user's initial credentials.
+ def ccache_savefile(realm):
+diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c
+index 3ad1086..483d915 100644
+--- a/src/tests/gssapi/t_s4u2proxy_krb5.c
++++ b/src/tests/gssapi/t_s4u2proxy_krb5.c
+@@ -117,6 +117,10 @@ main(int argc, char *argv[])
+         goto cleanup;
+     }
+ 
++    /* Take the opportunity to test cred export/import on the synthesized
++     * S4U2Proxy delegated cred. */
++    export_import_cred(&deleg_cred);
++
+     /* Store the delegated credentials. */
+     ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache);
+     check_k5err(context, "krb5_cc_resolve", ret);
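Review bot: `export_import_cred()` in src/tests/gssapi/common.c checks only that `gss_export_cred` and `gss_import_cred` report success, and the defect fixed in `json_to_ccache` was silent in exactly that respect: with `k5_json_array_get(array, 1)` inside the `for (i = 1; i < len; i++)` loop, the import succeeded while storing entry 1 repeatedly and never reading the later entries. The regression coverage therefore depends on the steps after the new call in t_s4u2proxy_krb5.c (storing the delegated creds via `storage_ccache`) and on what t_s4u.py checks afterwards, neither of which is visible in this hunk; `json_to_ccache` and `main` both continue outside it. I would say so at the call site, for example `/* The round trip alone asserts nothing; a ticket lost on import must be caught by the ccache checks that follow. */`, and confirm that those checks fail against the unpatched library. Separately, the patch header `Tweaked for 1.11.3.` should name what differs from upstream commit 48dd01f29b893a958a64dcf6eb0b734e8463425b, so this backport of a credential-handling fix can be audited against its origin.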
diff --git a/krb5.spec b/krb5.spec
index b8f346e..31f1320 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 24%{?dist}
+Release: 25%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -108,6 +108,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
 Patch135: krb5-1.11-check_transited.patch
 Patch136: krb5-1.11.3-prompter1.patch
 Patch137: krb5-1.11.3-prompter2.patch
+Patch138: krb5-1.11.3-gss-ccache-import.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -353,6 +354,7 @@ ln -s NOTICE LICENSE
 %patch135 -p1 -b .check_transited
 %patch136 -p1 -b .prompter1
 %patch137 -p1 -b .prompter2
+%patch138 -p1 -b .gss-ccache-import
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -998,6 +1000,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Oct 15 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-25
+- pull up fix for importing previously-exported credential caches in the
+  gssapi library (RT# 7706, #1019420)
+
 * Mon Oct 14 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-24
 - backport the callback to use the libkrb5 prompter when we can't load PEM
   files for PKINIT (RT#7590, includes part of #965721/#1016690)

