diff --git a/krb5-1.14-pwsize_initialize.patch b/krb5-1.14-pwsize_initialize.patch deleted file mode 100644 index 36ead7f..0000000 --- a/krb5-1.14-pwsize_initialize.patch +++ /dev/null @@ -1,24 +0,0 @@ -From eb7aa0386f60496aabcb1f30893649bb6599d6d1 Mon Sep 17 00:00:00 2001 -From: Robbie Harwood -Date: Thu, 22 Oct 2015 14:27:33 -0400 -Subject: [PATCH] Ensure pwsize is initialized - ---- - src/lib/kadm5/chpass_util.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c -index 408b0eb..02305be 100644 ---- a/src/lib/kadm5/chpass_util.c -+++ b/src/lib/kadm5/chpass_util.c -@@ -74,6 +74,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, - if (ret_pw) - *ret_pw = NULL; - -+ pwsize = 0; - if (new_pw != NULL) { - new_password = new_pw; - } else { /* read the password */ --- -2.6.1 - diff --git a/krb5-fix_interposer.patch b/krb5-fix_interposer.patch new file mode 100644 index 0000000..8a6aa19 --- /dev/null +++ b/krb5-fix_interposer.patch @@ -0,0 +1,222 @@ +From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 13 Nov 2015 14:54:11 -0500 +Subject: [PATCH] Fix impersonate_name to work with interposers + +This follows the same modifications applied to +gss_acquire_cred_with_password() when interposer plugins were +introduced. + +[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in +spnego_gss_acquire_cred_impersonate_name() since it is released in the +cleanup handler] + +ticket: 8280 (new) +--- + src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++-------- + src/lib/gssapi/spnego/spnego_mech.c | 35 +++++++------- + 2 files changed, 54 insertions(+), 39 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +index 0dd4f87..9eab25e 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c +@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + gss_cred_id_t cred = NULL; + gss_OID new_mechs_array = NULL; + gss_cred_id_t * new_cred_array = NULL; ++ gss_OID_set target_mechs = GSS_C_NO_OID_SET; ++ gss_OID selected_mech = GSS_C_NO_OID; + + status = val_add_cred_impersonate_name_args(minor_status, + input_cred_handle, +@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + if (status != GSS_S_COMPLETE) + return (status); + +- mech = gssint_get_mechanism(desired_mech); ++ status = gssint_select_mech_type(minor_status, desired_mech, ++ &selected_mech); ++ if (status != GSS_S_COMPLETE) ++ return status; ++ ++ mech = gssint_get_mechanism(selected_mech); + if (!mech) + return GSS_S_BAD_MECH; + else if (!mech->gss_acquire_cred) +@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + internal_name = GSS_C_NO_NAME; + } else { + union_cred = (gss_union_cred_t)input_cred_handle; +- if (gssint_get_mechanism_cred(union_cred, desired_mech) != ++ if (gssint_get_mechanism_cred(union_cred, selected_mech) != + GSS_C_NO_CREDENTIAL) + return (GSS_S_DUPLICATE_ELEMENT); + } + + mech_impersonator_cred = + gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle, +- desired_mech); ++ selected_mech); + if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL) + return (GSS_S_NO_CRED); + + /* may need to create a mechanism specific name */ + union_name = (gss_union_name_t)desired_name; + if (union_name->mech_type && +- g_OID_equal(union_name->mech_type, +- &mech->mech_type)) ++ g_OID_equal(union_name->mech_type, selected_mech)) + internal_name = union_name->mech_name; + else { + if (gssint_import_internal_name(minor_status, +- &mech->mech_type, union_name, +- &allocated_name) != GSS_S_COMPLETE) ++ selected_mech, union_name, ++ &allocated_name) != GSS_S_COMPLETE) + return (GSS_S_BAD_NAME); + internal_name = allocated_name; + } +@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + else + time_req = 0; + ++ status = gss_create_empty_oid_set(minor_status, &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ ++ status = gss_add_oid_set_member(minor_status, ++ gssint_get_public_oid(selected_mech), ++ &target_mechs); ++ if (status != GSS_S_COMPLETE) ++ goto errout; ++ + status = mech->gss_acquire_cred_impersonate_name(minor_status, + mech_impersonator_cred, + internal_name, + time_req, +- GSS_C_NULL_OID_SET, ++ target_mechs, + cred_usage, + &cred, + NULL, +@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + + new_cred_array[union_cred->count] = cred; + if ((new_mechs_array[union_cred->count].elements = +- malloc(mech->mech_type.length)) == NULL) ++ malloc(selected_mech->length)) == NULL) + goto errout; + +- g_OID_copy(&new_mechs_array[union_cred->count], +- &mech->mech_type); ++ g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); + + if (actual_mechs != NULL) { +- gss_OID_set_desc oids; +- +- oids.count = union_cred->count + 1; +- oids.elements = new_mechs_array; +- +- status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs); ++ status = gssint_make_public_oid_set(minor_status, new_mechs_array, ++ union_cred->count + 1, ++ actual_mechs); + if (GSS_ERROR(status)) { + free(new_mechs_array[union_cred->count].elements); + goto errout; +@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status, + /* We're done with the internal name. Free it if we allocated it. */ + + if (allocated_name) +- (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, ++ (void) gssint_release_internal_name(&temp_minor_status, selected_mech, + &allocated_name); + ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); ++ + return (GSS_S_COMPLETE); + + errout: +@@ -503,8 +517,10 @@ errout: + + if (allocated_name) + (void) gssint_release_internal_name(&temp_minor_status, +- &mech->mech_type, +- &allocated_name); ++ selected_mech, &allocated_name); ++ ++ if (target_mechs) ++ (void) gss_release_oid_set(&temp_minor_status, &target_mechs); + + if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) + free(union_cred); +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index e6703eb..28fb9b1 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) + { +- OM_uint32 status; ++ OM_uint32 status, tmpmin; + gss_OID_set amechs = GSS_C_NULL_OID_SET; + spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL; +- gss_cred_id_t imp_mcred, out_mcred; ++ gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL; + + dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n"); + +@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, + + imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle; + imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL; +- if (desired_mechs == GSS_C_NO_OID_SET) { +- status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, +- NULL, &amechs); +- if (status != GSS_S_COMPLETE) +- return status; +- +- desired_mechs = amechs; +- } ++ status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL, ++ NULL, &amechs); ++ if (status != GSS_S_COMPLETE) ++ return status; + + status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred, + desired_name, time_req, +- desired_mechs, cred_usage, ++ amechs, cred_usage, + &out_mcred, actual_mechs, + time_rec); +- +- if (amechs != GSS_C_NULL_OID_SET) +- (void) gss_release_oid_set(minor_status, &amechs); ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; + + status = create_spnego_cred(minor_status, out_mcred, &out_spcred); +- if (status != GSS_S_COMPLETE) { +- gss_release_cred(minor_status, &out_mcred); +- return (status); +- } ++ if (status != GSS_S_COMPLETE) ++ goto cleanup; ++ ++ out_mcred = GSS_C_NO_CREDENTIAL; + *output_cred_handle = (gss_cred_id_t)out_spcred; + ++cleanup: ++ (void) gss_release_oid_set(&tmpmin, &amechs); ++ (void) gss_release_cred(&tmpmin, &out_mcred); ++ + dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n"); + return (status); + } +-- +2.6.2 + diff --git a/krb5.spec b/krb5.spec index f2f4cdb..7029c88 100644 --- a/krb5.spec +++ b/krb5.spec @@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14 -Release: 10%{?dist} +Release: 11%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -64,7 +64,7 @@ Patch86: krb5-1.9-debuginfo.patch Patch129: krb5-1.11-run_user_0.patch Patch134: krb5-1.11-kpasswdtest.patch Patch148: krb5-disable_ofd_locks.patch -Patch149: krb5-1.14-pwsize_initialize.patch +Patch150: krb5-fix_interposer.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -244,7 +244,8 @@ ln NOTICE LICENSE %patch134 -p1 -b .kpasswdtest %patch148 -p1 -b .disable_ofd_locks -%patch149 -p1 -b .pwsize_initialize + +%patch150 -p1 -b .fix_interposer # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -815,6 +816,10 @@ exit 0 %changelog +* Thu Dec 03 2015 Robbie Harwood - 1.14-11 +- Backport interposer fix (#1284985) +- Drop workaround pwsize initialization patch (gcc has been fixed) + * Tue Nov 24 2015 Robbie Harwood - 1.14-10 - Fix FTBFS by no longer working around bug in nss_wrapper