drop patch for RT#7858, fixed in 1.12.2

author: Nalin Dahyabhai <nalin@redhat.com> 2014-08-15 14:50:08 -0400
committer: Nalin Dahyabhai <nalin@redhat.com> 2014-08-15 14:50:08 -0400
commit: 0bd95b4771af78a537503159dd7d49fda6c39fa1 (patch)
tree: 2d1e0772b353673e6ea27d58273a85914151f678
parent: b3f78cf0dcfa8f8b5812e3bc5b1906bbe7805858 (diff)
download: krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.tar.gz
krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.tar.xz
krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.zip
2 files changed, 1 insertions, 168 deletions
diff --git a/krb5-master-spnego-preserve-oid.patch b/krb5-master-spnego-preserve-oid.patch
deleted file mode 100644
index 749de5e..0000000
--- a/krb5-master-spnego-preserve-oid.patch
+++ /dev/null
@@ -1,166 +0,0 @@
-commit 8255613476d4c1583a5e810b50444f188fde871f
-Author: Greg Hudson <ghudson@mit.edu>
-Date:   Mon Feb 3 21:11:34 2014 -0500
-
-    Properly reflect MS krb5 mech in SPNEGO acceptor
-    
-    r25590 changed negotiate_mech() to return an alias into the acceptor's
-    mech set, with the unfortunate side effect of transforming the
-    erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
-    meaning that we answer with a different OID than the requested one.
-    Return an alias into the initiator's mech set instead, and store that
-    in mech_set field the SPNEGO context.  The acceptor code only uses
-    mech_set to hold the allocated storage pointed into by internal_mech,
-    so this change is safe.
-    
-    ticket: 7858
-    target_version: 1.12.2
-    tags: pullup
-
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 7e4bf90..7529c74 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -1388,8 +1388,8 @@ acc_ctx_new(OM_uint32 *minor_status,
- 		*return_token = NO_TOKEN_SEND;
- 		goto cleanup;
- 	}
--	sc->mech_set = supported_mechSet;
--	supported_mechSet = GSS_C_NO_OID_SET;
-+	sc->mech_set = mechTypes;
-+	mechTypes = GSS_C_NO_OID_SET;
- 	sc->internal_mech = mech_wanted;
- 	sc->DER_mechTypes = der_mechTypes;
- 	der_mechTypes.length = 0;
-@@ -3538,7 +3538,7 @@ put_negResult(unsigned char **buf_out, OM_uint32 negResult,
-  * is set to ACCEPT_INCOMPLETE if it's the first mech, REQUEST_MIC if
-  * it's not the first mech, otherwise we return NULL and negResult
-  * is set to REJECT. The returned pointer is an alias into
-- * supported->elements and should not be freed.
-+ * received->elements and should not be freed.
-  *
-  * NOTE: There is currently no way to specify a preference order of
-  * mechanisms supported by the acceptor.
-@@ -3560,7 +3560,7 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received,
- 			if (g_OID_equal(mech_oid, &supported->elements[j])) {
- 				*negResult = (i == 0) ? ACCEPT_INCOMPLETE :
- 					REQUEST_MIC;
--				return &supported->elements[j];
-+				return &received->elements[i];
- 			}
- 		}
- 	}
-
-commit 53cfb8327c452bd72a8e915338fb5ec838079cd3
-Author: Greg Hudson <ghudson@mit.edu>
-Date:   Mon Feb 3 20:59:54 2014 -0500
-
-    Test SPNEGO acceptor response to MS krb5 mech OID
-    
-    In t_spnego.c, add code to make a SPNEGO request with the erroneous
-    Microsoft OID value and examine the response to make sure that it uses
-    the same OID value as the request did.  The token and tmp variables
-    were unused, so rename them to itok and atok for the purpose of the
-    new test code.
-    
-    ticket: 7858
-    target_version: 1.12.2
-    tags: pullup
-
-diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c
-index cbf720b..ca05848 100644
---- a/src/tests/gssapi/t_spnego.c
-+++ b/src/tests/gssapi/t_spnego.c
-@@ -27,9 +27,15 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <assert.h>
- 
- #include "common.h"
- 
-+static gss_OID_desc mech_krb5_wrong = {
-+    9, "\052\206\110\202\367\022\001\002\002"
-+};
-+gss_OID_set_desc mechset_krb5_wrong = { 1, &mech_krb5_wrong };
-+
- /*
-  * Test program for SPNEGO and gss_set_neg_mechs
-  *
-@@ -44,11 +50,13 @@ main(int argc, char *argv[])
- {
-     OM_uint32 minor, major, flags;
-     gss_cred_id_t verifier_cred_handle = GSS_C_NO_CREDENTIAL;
-+    gss_cred_id_t initiator_cred_handle = GSS_C_NO_CREDENTIAL;
-     gss_OID_set actual_mechs = GSS_C_NO_OID_SET;
--    gss_buffer_desc token = GSS_C_EMPTY_BUFFER, tmp = GSS_C_EMPTY_BUFFER;
-+    gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
-     gss_ctx_id_t initiator_context, acceptor_context;
-     gss_name_t target_name, source_name = GSS_C_NO_NAME;
-     gss_OID mech = GSS_C_NO_OID;
-+    const unsigned char *atok_oid;
- 
-     if (argc < 2 || argc > 3) {
-         fprintf(stderr, "Usage: %s target_name [keytab]\n", argv[0]);
-@@ -83,10 +91,58 @@ main(int argc, char *argv[])
-     (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
-     (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
-     (void)gss_release_name(&minor, &source_name);
--    (void)gss_release_name(&minor, &target_name);
--    (void)gss_release_buffer(&minor, &token);
--    (void)gss_release_buffer(&minor, &tmp);
-     (void)gss_release_cred(&minor, &verifier_cred_handle);
-     (void)gss_release_oid_set(&minor, &actual_mechs);
-+
-+    /*
-+     * Test that the SPNEGO acceptor code properly reflects back the erroneous
-+     * Microsoft mech OID in the supportedMech field of the NegTokenResp
-+     * message.  Our initiator code doesn't care (it treats all variants of the
-+     * krb5 mech as equivalent when comparing the supportedMech response to its
-+     * first-choice mech), so we have to look directly at the DER encoding of
-+     * the response token.  If we don't request mutual authentication, the
-+     * SPNEGO reply will contain no underlying mech token, so the encoding of
-+     * the correct NegotiationToken response is completely predictable:
-+     *
-+     *   A1 14 (choice 1, length 20, meaning negTokenResp)
-+     *     30 12 (sequence, length 18)
-+     *       A0 03 (context tag 0, length 3)
-+     *         0A 01 00 (enumerated value 0, meaning accept-completed)
-+     *       A1 0B (context tag 1, length 11)
-+     *         06 09 (object identifier, length 9)
-+     *            2A 86 48 82 F7 12 01 02 02 (the erroneous krb5 OID)
-+     *
-+     * So we can just compare the length to 22 and the nine bytes at offset 13
-+     * to the expected OID.
-+     */
-+    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
-+                             &mechset_spnego, GSS_C_INITIATE,
-+                             &initiator_cred_handle, NULL, NULL);
-+    check_gsserr("gss_acquire_cred(2)", major, minor);
-+    major = gss_set_neg_mechs(&minor, initiator_cred_handle,
-+                              &mechset_krb5_wrong);
-+    check_gsserr("gss_set_neg_mechs(2)", major, minor);
-+    major = gss_init_sec_context(&minor, initiator_cred_handle,
-+                                 &initiator_context, target_name, &mech_spnego,
-+                                 flags, GSS_C_INDEFINITE,
-+                                 GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL, &itok,
-+                                 NULL, NULL);
-+    check_gsserr("gss_init_sec_context", major, minor);
-+    assert(major == GSS_S_CONTINUE_NEEDED);
-+    major = gss_accept_sec_context(&minor, &acceptor_context,
-+                                   GSS_C_NO_CREDENTIAL, &itok,
-+                                   GSS_C_NO_CHANNEL_BINDINGS, NULL,
-+                                   NULL, &atok, NULL, NULL, NULL);
-+    assert(atok.length == 22);
-+    atok_oid = (unsigned char *)atok.value + 13;
-+    assert(memcmp(atok_oid, mech_krb5_wrong.elements, 9) == 0);
-+    check_gsserr("gss_accept_sec_context", major, minor);
-+
-+    (void)gss_delete_sec_context(&minor, &initiator_context, NULL);
-+    (void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
-+    (void)gss_release_cred(&minor, &initiator_cred_handle);
-+    (void)gss_release_name(&minor, &target_name);
-+    (void)gss_release_buffer(&minor, &itok);
-+    (void)gss_release_buffer(&minor, &atok);
-     return 0;
- }
diff --git a/krb5.spec b/krb5.spec
index a11948d..81c16ef 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -97,7 +97,6 @@ Patch137: krb5-master-rcache-acquirecred-cleanup.patch
 Patch139: krb5-master-rcache-acquirecred-source.patch
 Patch141: krb5-master-rcache-acquirecred-test.patch
 Patch142: krb5-master-move-otp-sockets.patch
-Patch143: krb5-master-spnego-preserve-oid.patch
 Patch144: krb5-1.12-tcl86.patch
 Patch145: krb5-master-mechd.patch
 Patch146: krb5-1.12-CVE-2014-4341_4342.patch
@@ -352,7 +351,6 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .rcache-acquirecred-source
 %patch141 -p1 -b .rcache-acquirecred-test
 %patch142 -p1 -b .move-otp-sockets
-%patch143 -p1 -b .spnego-preserve-oid
 %patch144 -p1 -b .tcl86
 %patch145 -p1 -b .master-mechd
 %patch146 -p1 -b .CVE-2014-4341_4342
@@ -1042,6 +1040,7 @@ exit 0
   - drop patch for #231147, fixed as RT#3277 in 1.12.2
   - drop patch for RT#7818, fixed in 1.12.2
   - drop patch for RT#7836, fixed in 1.12.2
+  - drop patch for RT#7858, fixed in 1.12.2
 - replace older proposed changes for ksu with backports of the changes
   after review and merging upstream (#1015559, #1026099, #1118347)
author	Nalin Dahyabhai <nalin@redhat.com>	2014-08-15 14:50:08 -0400
committer	Nalin Dahyabhai <nalin@redhat.com>	2014-08-15 14:50:08 -0400
commit	0bd95b4771af78a537503159dd7d49fda6c39fa1 (patch)
tree	2d1e0772b353673e6ea27d58273a85914151f678
parent	b3f78cf0dcfa8f8b5812e3bc5b1906bbe7805858 (diff)
download	krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.tar.gz krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.tar.xz krb5-0bd95b4771af78a537503159dd7d49fda6c39fa1.zip