authorRobbie Harwood <rharwood@redhat.com>2015-12-17 02:12:51 +0000
committerRobbie Harwood <rharwood@redhat.com>2015-12-17 02:12:51 +0000
commit07d6f2cd01311773f0b11af9b174b5cb776d36cf (patch)
treebacc5f75a31fefda5c2b934381448070bf1475a4
parent1560d2b3ccb965409c357f608558e56fe35e1d5a (diff)
Backport patch to fix mechglue for gss_inquire_attrs_for_mech()
-rw-r--r--krb5-mechglue_inqure_attrs.patch56
-rw-r--r--krb5.spec7
2 files changed, 62 insertions, 1 deletions
diff --git a/krb5-mechglue_inqure_attrs.patch b/krb5-mechglue_inqure_attrs.patch
new file mode 100644
index 0000000..d55febb
--- /dev/null
+++ b/krb5-mechglue_inqure_attrs.patch
@@ -0,0 +1,56 @@
+From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 16 Dec 2015 19:31:22 -0500
+Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
+
+This includes proper mechanism selection in gss_inquire_attrs_for_mech()
+itself as well as passing the correct mech down from gss_accept_sec_context()
+through allow_mech_by_default().
+
+Also-authored-by: Simo Sorce <simo@redhat.com>
+---
+ src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
+ src/lib/gssapi/mechglue/g_mechattr.c | 7 ++++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+index 6c72d1f..4a86024 100644
+--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+@@ -245,7 +245,7 @@ gss_cred_id_t * d_cred;
+ status = GSS_S_NO_CRED;
+ goto error_out;
+ }
+- } else if (!allow_mech_by_default(selected_mech)) {
++ } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
+ status = GSS_S_NO_CRED;
+ goto error_out;
+ }
+diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
+index e9299f4..4bd44b5 100644
+--- a/src/lib/gssapi/mechglue/g_mechattr.c
++++ b/src/lib/gssapi/mechglue/g_mechattr.c
+@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
+ {
+ OM_uint32 status, tmpMinor;
+ gss_mechanism mech;
++ gss_OID selected_mech;
+
+ if (minor == NULL)
+ return GSS_S_CALL_INACCESSIBLE_WRITE;
+@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
+ if (known_mech_attrs != NULL)
+ *known_mech_attrs = GSS_C_NO_OID_SET;
+
+- mech = gssint_get_mechanism((gss_OID)mech_oid);
++ status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
++ if (status != GSS_S_COMPLETE)
++ return (status);
++
++ mech = gssint_get_mechanism(selected_mech);
+ if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
+ status = mech->gss_inquire_attrs_for_mech(minor,
+ mech_oid,
+--
+2.6.4
+
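Review bot: In the g_mechattr.c part of the backported patch, the mechanism is now looked up through `selected_mech`, but the dispatch a few lines later still hands the caller's original `mech_oid` to `mech->gss_inquire_attrs_for_mech`. If the caller passed a null or non-public OID, the mechanism would be asked about a different OID from the one the glue selected; consider passing `gssint_get_public_oid(selected_mech)` there, as the g_accept_sec_context.c change does for `allow_mech_by_default()`. The remaining arguments of that call and the end of the function lie outside the hunk, so this needs checking against the full source. Since `allow_mech_by_default()` decides whether a mechanism is accepted with default credentials, it is also worth confirming how it behaves when `gssint_get_public_oid()` finds no public OID for `selected_mech`, which is not visible here.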
diff --git a/krb5.spec b/krb5.spec
index 7029c88..9362d83 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
-Release: 11%{?dist}
+Release: 12%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -65,6 +65,7 @@ Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch148: krb5-disable_ofd_locks.patch
Patch150: krb5-fix_interposer.patch
+Patch151: krb5-mechglue_inqure_attrs.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -246,6 +247,7 @@ ln NOTICE LICENSE
%patch148 -p1 -b .disable_ofd_locks
%patch150 -p1 -b .fix_interposer
+%patch151 -p1 -b .mechglue_inqure_attrs
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -816,6 +818,9 @@ exit 0
%changelog
+* Wed Dec 16 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-12
+- Backport patch to fix mechglue for gss_inqure_attrs_for_mech()
+
* Thu Dec 03 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-11
- Backport interposer fix (#1284985)
- Drop workaround pwsize initialization patch (gcc has been fixed)