Add initial meta-stx to support StarlingX build

[pti/rtp.git] / meta-stx / recipes-security / gssproxy / files / Properly-renew-expired-credentials.patch

diff --git a/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch b/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch
new file mode 100644 (file)
index 0000000..a4b3005
--- /dev/null
+++ b/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch
@@ -0,0 +1,75 @@
+From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 13 Mar 2017 08:06:12 -0400
+Subject: [PATCH] Properly renew expired credentials
+
+When a caller imports expired credentials, we aim to actually renew them
+if we can. However due to incorrect checks and not clearing of the
+ret_maj variable after checks we end up returning an error instead.
+
+Also fix mechglue to also save and properly report the first call errors
+when both remote and local fail.
+
+Resolves: #170
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
+---
+ proxy/src/gp_creds.c                  | 14 +++++++++-----
+ proxy/src/mechglue/gpp_acquire_cred.c |  5 +++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
+index 5d84904..171a724 100644
+--- a/proxy/src/gp_creds.c
++++ b/proxy/src/gp_creds.c
+@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+         ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
+         if (ret_maj == GSS_S_COMPLETE) {
+             return GSS_S_COMPLETE;
+-        } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
+-                   ret_maj != GSS_S_NO_CRED) {
++        } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
++                   ret_maj == GSS_S_NO_CRED) {
++            /* continue and try to obtain new creds */
++            ret_maj = 0;
++            ret_min = 0;
++        } else {
+             *min = ret_min;
+             return GSS_S_CRED_UNAVAIL;
+         }
+@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+     if (acquire_type == ACQ_NORMAL) {
+         ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
+                                           &cred_usage, &cred_store);
++        if (ret_min) {
++            ret_maj = GSS_S_CRED_UNAVAIL;
++        }
+     } else if (desired_name) {
+         ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
+     }
+     if (ret_maj) {
+         goto done;
+-    } else if (ret_min) {
+-        ret_maj = GSS_S_CRED_UNAVAIL;
+-        goto done;
+     }
+ 
+     if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {
+diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
+index d876699..514fdd1 100644
+--- a/proxy/src/mechglue/gpp_acquire_cred.c
++++ b/proxy/src/mechglue/gpp_acquire_cred.c
+@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+     }
+ 
+     if (behavior == GPP_REMOTE_FIRST) {
++        if (maj != GSS_S_COMPLETE) {
++            /* save errors */
++            tmaj = maj;
++            tmin = min;
++        }
+         /* So remote failed, but we can fallback to local, try that */
+         maj = acquire_local(&min, NULL, name,
+                             time_req, desired_mechs, cred_usage, cred_store,