diff options
| author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-10-15 17:35:23 -0400 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2013-11-19 17:38:54 -0500 |
| commit | 7448cea67e8682c825b3172dfb2787e18de6af3e (patch) | |
| tree | 74f7531e43ec7e3db95f95372a8a89163d79bf33 | |
| parent | 00cf6df3e6e8bd359d5c1c4f4f79f416039d5b09 (diff) | |
| download | krb5-7448cea67e8682c825b3172dfb2787e18de6af3e.tar.gz krb5-7448cea67e8682c825b3172dfb2787e18de6af3e.tar.xz krb5-7448cea67e8682c825b3172dfb2787e18de6af3e.zip | |
Untweak for 1.11.3
| -rw-r--r-- | krb5-1.12-alpha-gss-ccache-import.patch | 129 | ||||
| -rw-r--r-- | krb5.spec | 2 |
2 files changed, 131 insertions, 0 deletions
diff --git a/krb5-1.12-alpha-gss-ccache-import.patch b/krb5-1.12-alpha-gss-ccache-import.patch new file mode 100644 index 0000000..86690e4 --- /dev/null +++ b/krb5-1.12-alpha-gss-ccache-import.patch @@ -0,0 +1,129 @@ +commit 48dd01f29b893a958a64dcf6eb0b734e8463425b +Author: Greg Hudson <ghudson@mit.edu> +Date: Mon Oct 7 09:51:56 2013 -0400 + + Fix GSSAPI krb5 cred ccache import + + json_to_ccache was incorrectly indexing the JSON array when restoring + a memory ccache. Fix it. + + Add test coverage for a multi-cred ccache by exporting/importing the + synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move + export_import_cred from t_export_cred.c to common.c to facilitate + this. Make a note in t_export_cred.py that this case is covered in + t_s4u.py. + + ticket: 7706 + target_version: 1.11.4 + +diff --git a/src/lib/gssapi/krb5/import_cred.c b/src/lib/gssapi/krb5/import_cred.c +index 973b9d0..f0a0373 100644 +--- a/src/lib/gssapi/krb5/import_cred.c ++++ b/src/lib/gssapi/krb5/import_cred.c +@@ -486,7 +486,7 @@ json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out, + + /* Add remaining array entries to the ccache as credentials. */ + for (i = 1; i < len; i++) { +- if (json_to_creds(context, k5_json_array_get(array, 1), &creds)) ++ if (json_to_creds(context, k5_json_array_get(array, i), &creds)) + goto invalid; + ret = krb5_cc_store_cred(context, ccache, &creds); + krb5_free_cred_contents(context, &creds); +diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c +index 19a781a..231f44a 100644 +--- a/src/tests/gssapi/common.c ++++ b/src/tests/gssapi/common.c +@@ -149,6 +149,20 @@ establish_contexts(gss_OID imech, gss_cred_id_t icred, gss_cred_id_t acred, + } + + void ++export_import_cred(gss_cred_id_t *cred) ++{ ++ OM_uint32 major, minor; ++ gss_buffer_desc buf; ++ ++ major = gss_export_cred(&minor, *cred, &buf); ++ check_gsserr("gss_export_cred", major, minor); ++ (void)gss_release_cred(&minor, cred); ++ major = gss_import_cred(&minor, &buf, cred); ++ check_gsserr("gss_import_cred", major, minor); ++ (void)gss_release_buffer(&minor, &buf); ++} ++ ++void + display_canon_name(const char *tag, gss_name_t name, gss_OID mech) + { + gss_name_t canon; +diff --git a/src/tests/gssapi/common.h b/src/tests/gssapi/common.h +index 54c0d36..ae11b51 100644 +--- a/src/tests/gssapi/common.h ++++ b/src/tests/gssapi/common.h +@@ -62,6 +62,10 @@ void establish_contexts(gss_OID imech, gss_cred_id_t icred, + gss_name_t *src_name, gss_OID *amech, + gss_cred_id_t *deleg_cred); + ++/* Export *cred to a token, then release *cred and replace it by re-importing ++ * the token. */ ++void export_import_cred(gss_cred_id_t *cred); ++ + /* Display name as canonicalized to mech, preceded by tag. */ + void display_canon_name(const char *tag, gss_name_t name, gss_OID mech); + +diff --git a/src/tests/gssapi/t_export_cred.c b/src/tests/gssapi/t_export_cred.c +index 5214cd5..4d7c028 100644 +--- a/src/tests/gssapi/t_export_cred.c ++++ b/src/tests/gssapi/t_export_cred.c +@@ -37,22 +37,6 @@ usage(void) + exit(1); + } + +-/* Export *cred to a token, then release *cred and replace it by re-importing +- * the token. */ +-static void +-export_import_cred(gss_cred_id_t *cred) +-{ +- OM_uint32 major, minor; +- gss_buffer_desc buf; +- +- major = gss_export_cred(&minor, *cred, &buf); +- check_gsserr("gss_export_cred", major, minor); +- (void)gss_release_cred(&minor, cred); +- major = gss_import_cred(&minor, &buf, cred); +- check_gsserr("gss_import_cred", major, minor); +- (void)gss_release_buffer(&minor, &buf); +-} +- + int + main(int argc, char *argv[]) + { +diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py +index 53dd13c..6988359 100644 +--- a/src/tests/gssapi/t_export_cred.py ++++ b/src/tests/gssapi/t_export_cred.py +@@ -1,7 +1,10 @@ + #!/usr/bin/python + from k5test import * + +-# Test gss_export_cred and gss_import_cred. ++# Test gss_export_cred and gss_import_cred for initiator creds, ++# acceptor creds, and traditional delegated creds. t_s4u.py tests ++# exporting and importing a synthesized S4U2Proxy delegated ++# credential. + + # Make up a filename to hold user's initial credentials. + def ccache_savefile(realm): +diff --git a/src/tests/gssapi/t_s4u2proxy_krb5.c b/src/tests/gssapi/t_s4u2proxy_krb5.c +index 3ad1086..483d915 100644 +--- a/src/tests/gssapi/t_s4u2proxy_krb5.c ++++ b/src/tests/gssapi/t_s4u2proxy_krb5.c +@@ -117,6 +117,10 @@ main(int argc, char *argv[]) + goto cleanup; + } + ++ /* Take the opportunity to test cred export/import on the synthesized ++ * S4U2Proxy delegated cred. */ ++ export_import_cred(&deleg_cred); ++ + /* Store the delegated credentials. */ + ret = krb5_cc_resolve(context, storage_ccname, &storage_ccache); + check_k5err(context, "krb5_cc_resolve", ret); @@ -95,6 +95,7 @@ Patch131: krb5-1.11.3-skew3.patch Patch134: krb5-1.11-kpasswdtest.patch Patch138: krb5-master-keyring-offsets.patch Patch139: krb5-master-keyring-expiration.patch +Patch140: krb5-1.12-alpha-gss-ccache-import.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -320,6 +321,7 @@ ln -s NOTICE LICENSE %patch134 -p1 -b .kpasswdtest %patch138 -p1 -b .keyring-offsets %patch139 -p1 -b .keyring-expiration +%patch140 -p1 -b .gss-ccache-import %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp |