[gssproxy/f20] Fix flags handling in gss_init_sec_context() - resolves: https://fedorahosted.org/gss-proxy/ticket/1
Guenther Deschner
gd at fedoraproject.org
Tue Nov 19 13:19:21 UTC 2013
commit ea75636bbd9328d77a8756cfc665175090c4983b
Author: Günther Deschner <gdeschner at redhat.com>
Date: Tue Nov 19 14:18:28 2013 +0100
Fix flags handling in gss_init_sec_context()
- resolves: https://fedorahosted.org/gss-proxy/ticket/106
Fix OID handling in gss_inquire_cred_by_mech()
- resolves: https://fedorahosted.org/gss-proxy/ticket/107
gssproxy-0.3.0-gss_init_sec_context.patch | 36 +++++
gssproxy-0.3.0-gss_inquire_cred_by_mech.patch | 186 +++++++++++++++++++++++++
gssproxy.spec | 13 ++-
3 files changed, 234 insertions(+), 1 deletions(-)
---
diff --git a/gssproxy-0.3.0-gss_init_sec_context.patch b/gssproxy-0.3.0-gss_init_sec_context.patch
new file mode 100644
index 0000000..117a071
--- /dev/null
+++ b/gssproxy-0.3.0-gss_init_sec_context.patch
@@ -0,0 +1,36 @@
+From cc538c36ca32850e0b3280b7d8524d23345eed9e Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Wed, 13 Nov 2013 17:57:06 -0500
+Subject: [PATCH 1/3] Preserve requested flags and lifetime
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These arguments have been accidentally forgotten causing failures for
+applications that specify non default flags and non indefinite lifetime.
+
+https://fedorahosted.org/gss-proxy/ticket/106
+
+Reviewed-by: Günther Deschner <gdeschner at redhat.com>
+---
+ proxy/src/client/gpm_init_sec_context.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
+index 12df858..b6ce34f 100644
+--- a/proxy/src/client/gpm_init_sec_context.c
++++ b/proxy/src/client/gpm_init_sec_context.c
+@@ -70,6 +70,9 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
+ goto done;
+ }
+
++ arg->req_flags = req_flags;
++ arg->time_req = time_req;
++
+ if (input_cb) {
+ ret = gp_conv_cb_to_gssx_alloc(input_cb, &arg->input_cb);
+ if (ret) {
+--
+1.8.3.1
+
+
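Review bot: The two added assignments in gpm_init_sec_context() (`arg->req_flags = req_flags;` and `arg->time_req = time_req;`) carry no comment, and nothing in the hunk says why they sit between the earlier error check and the input_cb conversion; the motivation lives only in the patch description. A one-line comment such as `/* forward the caller's requested flags and lifetime to the proxy unchanged (ticket 106) */` would keep that context next to the code. The enclosing function starts and ends outside the hunk, so whether req_flags or time_req are validated or masked anywhere before the RPC cannot be seen here.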
diff --git a/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch b/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
new file mode 100644
index 0000000..0543417
--- /dev/null
+++ b/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
@@ -0,0 +1,186 @@
+From 122b35f7adf37bc81f6d53bb5f9e058b68334cbb Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Wed, 13 Nov 2013 18:12:44 -0500
+Subject: [PATCH 2/3] Add way to return regular oid from special
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In some cases we need to pass on the corresponding real oid, after we
+are given a special oid.
+Add helper functions to do that.
+
+https://fedorahosted.org/gss-proxy/ticket/107
+
+Reviewed-by: Günther Deschner <gdeschner at redhat.com>
+---
+ proxy/src/mechglue/gss_plugin.c | 55 +++++++++++++++++++++++++++++++----------
+ proxy/src/mechglue/gss_plugin.h | 1 +
+ 2 files changed, 43 insertions(+), 13 deletions(-)
+
+diff --git a/proxy/src/mechglue/gss_plugin.c b/proxy/src/mechglue/gss_plugin.c
+index 0e62990..5b40df9 100644
+--- a/proxy/src/mechglue/gss_plugin.c
++++ b/proxy/src/mechglue/gss_plugin.c
+@@ -176,7 +176,8 @@ static bool gpp_special_equal(const gss_OID s, const gss_OID n)
+ }
+
+ struct gpp_special_oid_list {
+- gss_OID_desc oid;
++ gss_OID_desc regular_oid;
++ gss_OID_desc special_oid;
+ struct gpp_special_oid_list *next;
+ sig_atomic_t next_is_set;
+ };
+@@ -250,19 +251,25 @@ static const gss_OID gpp_new_special_mech(const gss_OID n)
+ if (!item) {
+ return GSS_C_NO_OID;
+ }
+- item->oid.length = base->length + n->length;
+- item->oid.elements = malloc(item->oid.length);
+- if (!item->oid.elements) {
++ item->regular_oid.length = n->length;
++ item->regular_oid.elements = malloc(n->length);
++ item->special_oid.length = base->length + n->length;
++ item->special_oid.elements = malloc(item->special_oid.length);
++ if (!item->regular_oid.elements ||
++ !item->special_oid.elements) {
++ free(item->regular_oid.elements);
++ free(item->special_oid.elements);
+ free(item);
+ return GSS_C_NO_OID;
+ }
+
+- memcpy(item->oid.elements, base->elements, base->length);
+- memcpy(item->oid.elements + base->length, n->elements, n->length);
++ memcpy(item->regular_oid.elements, n->elements, n->length);
++ memcpy(item->special_oid.elements, base->elements, base->length);
++ memcpy(item->special_oid.elements + base->length, n->elements, n->length);
+
+ gpp_add_special_oids(item);
+
+- return (const gss_OID)&item->oid;
++ return (const gss_OID)&item->special_oid;
+ }
+
+ const gss_OID gpp_special_mech(const gss_OID mech_type)
+@@ -278,14 +285,14 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
+ if (mech_type == GSS_C_NO_OID) {
+ /* return the first special one if none specified */
+ if (item) {
+- return (const gss_OID)&item->oid;
++ return (const gss_OID)&item->special_oid;
+ }
+ return GSS_C_NO_OID;
+ }
+
+ while (item) {
+- if (gpp_special_equal(&item->oid, mech_type)) {
+- return (const gss_OID)&item->oid;
++ if (gpp_special_equal(&item->special_oid, mech_type)) {
++ return (const gss_OID)&item->special_oid;
+ }
+ item = gpp_next_special_oids(item);
+ }
+@@ -294,6 +301,26 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
+ return gpp_new_special_mech(mech_type);
+ }
+
++const gss_OID gpp_unspecial_mech(const gss_OID mech_type)
++{
++ struct gpp_special_oid_list *item = NULL;
++
++ if (!gpp_is_special_oid(mech_type)) {
++ return mech_type;
++ }
++
++ item = gpp_get_special_oids();
++ while (item) {
++ if (gss_oid_equal(&item->special_oid, mech_type)) {
++ return (const gss_OID)&item->regular_oid;
++ }
++ item = gpp_next_special_oids(item);
++ }
++
++ /* none matched */
++ return mech_type;
++}
++
+ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ {
+ gss_OID_set amechs = GSS_C_NO_OID_SET;
+@@ -318,8 +345,9 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ }
+ break;
+ }
+- if (gpp_special_equal(&item->oid, &mechs->elements[i])) {
+- maj = gss_add_oid_set_member(&min, &item->oid, &amechs);
++ if (gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
++ maj = gss_add_oid_set_member(&min, &item->special_oid,
++ &amechs);
+ if (maj != GSS_S_COMPLETE) {
+ goto done;
+ }
+@@ -362,7 +390,8 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
+ item = gpp_get_special_oids();
+
+ while (item) {
+- if (&item->oid == *oid) {
++ if ((&item->regular_oid == *oid) ||
++ (&item->special_oid == *oid)) {
+ *oid = GSS_C_NO_OID;
+ return GSS_S_COMPLETE;
+ }
+diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
+index 26e04c5..739ec26 100644
+--- a/proxy/src/mechglue/gss_plugin.h
++++ b/proxy/src/mechglue/gss_plugin.h
+@@ -78,6 +78,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type);
+ enum gpp_behavior gpp_get_behavior(void);
+ bool gpp_is_special_oid(const gss_OID mech_type);
+ const gss_OID gpp_special_mech(const gss_OID mech_type);
++const gss_OID gpp_unspecial_mech(const gss_OID mech_type);
+ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs);
+ uint32_t gpp_map_error(uint32_t err);
+ uint32_t gpp_unmap_error(uint32_t err);
+--
+1.8.3.1
+
+
+From b8901d1d20a5d0ef1a3118bfe5816e04c09e6cf5 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Wed, 13 Nov 2013 18:13:44 -0500
+Subject: [PATCH 3/3] Fix calling gpm_inquire_cred_by_mech
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need to pass the real mechanism oid here, not the spcial oid.
+special oids are used exclusively by the interposer and gssapi
+machinery that calls the interposer, they must never be propagated
+to clients or servers.
+
+https://fedorahosted.org/gss-proxy/ticket/107
+
+Reviewed-by: Günther Deschner <gdeschner at redhat.com>
+---
+ proxy/src/mechglue/gpp_creds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
+index aaaf577..dff9c44 100644
+--- a/proxy/src/mechglue/gpp_creds.c
++++ b/proxy/src/mechglue/gpp_creds.c
+@@ -213,7 +213,8 @@ OM_uint32 gssi_inquire_cred_by_mech(OM_uint32 *minor_status,
+ initiator_lifetime, acceptor_lifetime,
+ cred_usage);
+ } else if (cred->remote) {
+- maj = gpm_inquire_cred_by_mech(&min, cred->remote, mech_type,
++ maj = gpm_inquire_cred_by_mech(&min, cred->remote,
++ gpp_unspecial_mech(mech_type),
+ gpname ? &gpname->remote : NULL,
+ initiator_lifetime, acceptor_lifetime,
+ cred_usage);
+--
+1.8.3.1
+
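Review bot: gpp_unspecial_mech() returns mech_type unchanged when the OID passes gpp_is_special_oid() but matches no list entry (the `/* none matched */` branch), so in exactly that case a special OID is still handed to gpm_inquire_cred_by_mech() in gpp_creds.c, which the third patch's description says must never be propagated. Whether an unmapped special OID can occur depends on gpp_is_special_oid() and on how the list is populated, neither of which is in the hunk, so this may be unreachable in practice; if it is reachable, returning `GSS_C_NO_OID` and letting the caller fail would be safer than forwarding the special OID. Either way the fallback deserves a comment stating the contract, e.g. `/* special prefix but no known mapping: caller must not forward this OID */`. In gpp_new_special_mech() the combined allocation check is correct (free(NULL) is a no-op), but `malloc(n->length)` for a zero-length OID may legitimately return NULL and would then be reported as an allocation failure; a short comment noting that zero-length mechs are rejected here would make that intentional.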
diff --git a/gssproxy.spec b/gssproxy.spec
index 2d8e8d2..3a5ea9e 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@
Name: gssproxy
Version: 0.3.0
-Release: 0%{?dist}
+Release: 1%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@@ -8,6 +8,8 @@ License: MIT
URL: http://fedorahosted.org/gss-proxy
Source0: http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0: gssproxy-0.3.0-gss_init_sec_context.patch
+Patch1: gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
%global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy
@@ -52,6 +54,9 @@ A proxy for GSSAPI credential handling
%prep
%setup -q
+%patch0 -p2 -b .gss_init_sec_context
+%patch1 -p2 -b .gss_inquire_cred_by_mech
+
%build
autoreconf -f -i
%configure \
@@ -103,6 +108,12 @@ rm -rf %{buildroot}
%systemd_postun_with_restart gssproxy.service
%changelog
+* Tue Nov 19 2013 Guenther Deschner <gdeschner at redhat.com> 0.3.0-1
+- Fix flags handling in gss_init_sec_context()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/106
+- Fix OID handling in gss_inquire_cred_by_mech()
+- resolves: https://fedorahosted.org/gss-proxy/ticket/107
+
* Wed Oct 23 2013 Guenther Deschner <gdeschner at redhat.com> 0.3.0-0
- New upstream release 0.3.0:
* Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)