authorNalin Dahyabhai <nalin@redhat.com>2013-03-26 16:32:29 -0400
committerNalin Dahyabhai <nalin@redhat.com>2013-03-26 16:32:29 -0400
commitc761eb0da7f9813f0e6c4ad4b8e6f563f1f5af9a (patch)
tree206fdc4f8216d1bae2f740c6edf5f83539cf3cce
parent557835fdb361538cedde837d65d05459b30bf281 (diff)
pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI contexts (RT#7592)
-rw-r--r--krb5-1.11.1-interposers.patch105
-rw-r--r--krb5.spec8
2 files changed, 112 insertions, 1 deletions
diff --git a/krb5-1.11.1-interposers.patch b/krb5-1.11.1-interposers.patch
new file mode 100644
index 0000000..a74b655
--- /dev/null
+++ b/krb5-1.11.1-interposers.patch
@@ -0,0 +1,105 @@
+commit 36c76aa3c625afc9291b9e1df071db51ccf37dab
+Author: Simo Sorce <simo@redhat.com>
+Date: Sat Mar 16 15:23:03 2013 -0400
+
+ Fix import_sec_context with interposers
+
+ The code was correctly selecting the mechanism to execute, but it was
+ improperly setting the mechanism type of the internal context when the
+ selected mechanism was that of an interposer and vice versa.
+
+ When an interposer is involved the internal context is that of the
+ interposer, so the mechanism type of the context needs to be the
+ interposer oid. Conversely, when an interposer re-enters gssapi and
+ presents a token with a special oid, the mechanism called is the real
+ mechanism, and the context returned is a real mechanism context. In
+ this case the mechanism type of the context needs to be that of the
+ real mechanism.
+
+ ticket: 7592
+ target_version: 1.11.2
+ tags: pullup
+
+diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+index 53310dd..a0e2d71 100644
+--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c
+@@ -84,6 +84,7 @@ gss_ctx_id_t * context_handle;
+ gss_union_ctx_id_t ctx;
+ gss_ctx_id_t mctx;
+ gss_buffer_desc token;
++ gss_OID_desc token_mech;
+ gss_OID selected_mech = GSS_C_NO_OID;
+ gss_OID public_mech;
+ gss_mechanism mech;
+@@ -100,12 +101,6 @@ gss_ctx_id_t * context_handle;
+ if (!ctx)
+ return (GSS_S_FAILURE);
+
+- ctx->mech_type = (gss_OID) malloc(sizeof(gss_OID_desc));
+- if (!ctx->mech_type) {
+- free(ctx);
+- return (GSS_S_FAILURE);
+- }
+-
+ if (interprocess_token->length >= sizeof (OM_uint32)) {
+ p = interprocess_token->value;
+ length = (OM_uint32)*p++;
+@@ -120,12 +115,9 @@ gss_ctx_id_t * context_handle;
+ return (GSS_S_CALL_BAD_STRUCTURE | GSS_S_DEFECTIVE_TOKEN);
+ }
+
+- ctx->mech_type->length = length;
+- ctx->mech_type->elements = malloc(length);
+- if (!ctx->mech_type->elements) {
+- goto error_out;
+- }
+- memcpy(ctx->mech_type->elements, p, length);
++ token_mech.length = length;
++ token_mech.elements = p;
++
+ p += length;
+
+ token.length = interprocess_token->length - sizeof (OM_uint32) - length;
+@@ -136,7 +128,7 @@ gss_ctx_id_t * context_handle;
+ * call it.
+ */
+
+- status = gssint_select_mech_type(minor_status, ctx->mech_type,
++ status = gssint_select_mech_type(minor_status, &token_mech,
+ &selected_mech);
+ if (status != GSS_S_COMPLETE)
+ goto error_out;
+@@ -152,6 +144,12 @@ gss_ctx_id_t * context_handle;
+ goto error_out;
+ }
+
++ if (generic_gss_copy_oid(minor_status, selected_mech,
++ &ctx->mech_type) != GSS_S_COMPLETE) {
++ status = GSS_S_FAILURE;
++ goto error_out;
++ }
++
+ if (mech->gssspi_import_sec_context_by_mech) {
+ public_mech = gssint_get_public_oid(selected_mech);
+ status = mech->gssspi_import_sec_context_by_mech(minor_status,
+@@ -167,16 +165,11 @@ gss_ctx_id_t * context_handle;
+ return (GSS_S_COMPLETE);
+ }
+ map_error(minor_status, mech);
++ free(ctx->mech_type->elements);
++ free(ctx->mech_type);
+
+ error_out:
+- if (ctx) {
+- if (ctx->mech_type) {
+- if (ctx->mech_type->elements)
+- free(ctx->mech_type->elements);
+- free(ctx->mech_type);
+- }
+- free(ctx);
+- }
++ free(ctx);
+ return status;
+ }
+ #endif /* LEAN_CLIENT */
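Review bot: The copied OID in `ctx->mech_type` is freed only on the fall-through path just above `error_out:` in the last hunk of g_imp_sec_context.c, while `error_out` itself now frees nothing but `ctx`. That is right for the jumps visible here, which all happen before `generic_gss_copy_oid()` has succeeded, but a `goto error_out` added later after the copy would leak the OID and nothing in the code warns about it. I would put a comment above the two `free()` calls, `/* ctx->mech_type exists only once generic_gss_copy_oid() has succeeded; error_out must not touch it */`. A second comment belongs above `token_mech.elements = p;`, `/* borrowed from interprocess_token, not a copy; must not outlive this call */`, because that OID now points into caller-supplied token data rather than a private allocation. The function starts before the first hunk and the length check guarding `p` is only partly visible, so the bounds on `token_mech.length` should be confirmed against the full file.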
diff --git a/krb5.spec b/krb5.spec
index d0bbb4c..bfa3d14 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -30,7 +30,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.1
-Release: 4%{?dist}
+Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -74,6 +74,7 @@ Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch113: krb5-1.11-alpha1-init.patch
Patch114: krb5-lookup_etypes-leak.patch
+Patch115: krb5-1.11.1-interposers.patch
Patch201: 0001-add-libk5radius.patch
Patch202: 0002-Add-internal-KDC_DIR-macro.patch
@@ -289,6 +290,7 @@ ln -s NOTICE LICENSE
%patch105 -p1 -b .kvno
%patch113 -p1 -b .init
%patch114 -p1 -b .lookup_etypes-leak
+%patch115 -p1 -b .interposers
%patch201 -p1
%patch202 -p1
@@ -809,6 +811,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com>
+- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
+ contexts (RT#7592)
+
* Mon Mar 18 2013 Nalin Dahyabhai <nalin@redhat.com>
- fix a version comparison to expect newer texlive build requirements when
%%{_rhel} > 6 rather than when it's > 7