From a1c690cc02a021bc400be00808dcf8463744c083 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Thu, 11 Aug 2011 10:42:29 +0200 Subject: Fix client enrollment Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. The unconditional GSSAPI was previously dropped from curl because of CVE-2011-2192. https://fedorahosted.org/freeipa/ticket/1452 --- freeipa.spec.in | 29 +++++++++++++++++++++++++++-- ipa-client/ipa-join.c | 4 +++- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 5dda8116a..cbc0f50ec 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -36,8 +36,18 @@ BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: krb5-workstation BuildRequires: libuuid-devel -BuildRequires: xmlrpc-c-devel +%if 0%{?fedora} >= 16 +BuildRequires: libcurl-devel >= 7.21.7-2 +BuildRequires: xmlrpc-c-devel >= 1.27.4 +%else +%if 0%{?fedora} == 15 +BuildRequires: libcurl-devel >= 7.21.3-9 +BuildRequires: xmlrpc-c-devel >= 1.25.4 +%else BuildRequires: libcurl-devel +BuildRequires: xmlrpc-c-devel +%endif +%endif BuildRequires: popt-devel BuildRequires: autoconf BuildRequires: automake @@ -150,7 +160,18 @@ Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 Requires: wget -Requires: xmlrpc-c +%if 0%{?fedora} >= 16 +Requires: libcurl >= 7.21.7-2 +Requires: xmlrpc-c >= 1.27.4 +%else +%if 0%{?fedora} == 15 +Requires: libcurl >= 7.21.3-9 +Requires: xmlrpc-c >= 1.25.4 +%else +Requires: libcurl +Requires: xmlrpc-c +%endif +%endif Requires: sssd >= 1.5.1 Requires: certmonger >= 0.26 Requires: nss-tools @@ -514,6 +535,10 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Thu Aug 11 2011 Martin Kosek - 2.0.90-11 +- Set min nvr of xmlrpc-c and libcurl to make sure GSSAPI delegation + support is in + * Tue Aug 2 2011 Endi S. Dewata - 2.0.90-10 - Add *.ico files 
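Review bot: The innermost `%else` branch of the new BuildRequires conditional, and of the matching Requires conditional in the second hunk, leaves `libcurl-devel`/`xmlrpc-c-devel` and `libcurl`/`xmlrpc-c` unversioned, while ipa-join.c in this same commit sets `gssapi_delegation` unconditionally. On any target that is not Fedora 15 or later, that presumably means either a compile failure against an xmlrpc-c without that transport parameter, or an installed client whose enrollment still fails because delegation support is missing. Give the fallback branch a minimum version as well, or document the expectation next to it, e.g. `# other targets: xmlrpc-c and libcurl must already carry GSSAPI delegation support`.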
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c index 95f2939cd..f6ca69367 100644 --- a/ipa-client/ipa-join.c +++ b/ipa-client/ipa-join.c @@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP, curlXportParmsP->no_ssl_verifypeer = 1; curlXportParmsP->no_ssl_verifyhost = 1; curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; + /* Enable GSSAPI credentials delegation */ + curlXportParmsP->gssapi_delegation = 1; clientparms.transport = "curl"; clientparms.transportparmsP = (struct xmlrpc_xportparms *) curlXportParmsP; - clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo); + clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation); xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, &clientparms, sizeof(clientparms), &clientP); -- cgit
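Review bot: The added `curlXportParmsP->gssapi_delegation = 1;` enables credential delegation on a transport that, per the context lines directly above it, runs with `no_ssl_verifypeer = 1` and `no_ssl_verifyhost = 1`, so TLS does nothing to establish which server receives the delegated Kerberos credentials. The commit message notes that curl dropped unconditional delegation because of CVE-2011-2192, which makes the destination of the delegated credentials the thing worth checking here. Since `cainfo` already points at `/etc/ipa/ca.crt`, consider `curlXportParmsP->no_ssl_verifypeer = 0;` and `curlXportParmsP->no_ssl_verifyhost = 0;` on this path if the CA file is present at join time. In any case the comment should record the reason, e.g. `/* Enable GSSAPI credentials delegation (needed for enrollment; curl no longer delegates by default, CVE-2011-2192) */`. callRPC starts and ends outside the hunk, so any server-identity check elsewhere in the function is not visible here.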