X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FChange-impersonator-check-code.patch;fp=meta-starlingx%2Fmeta-stx-distro%2Frecipes-security%2Fgssproxy%2Ffiles%2FChange-impersonator-check-code.patch;h=0000000000000000000000000000000000000000;hb=6fc6934434f70595536a387ece31bc30141cafb5;hp=27cf421f3dc5a62455e5e1a8a669a0c885053a6f;hpb=eb1e26510491ba49de693ab3b0498edcb06be6c5;p=pti%2Frtp.git
diff --git a/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Change-impersonator-check-code.patch b/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Change-impersonator-check-code.patch
deleted file mode 100644
index 27cf421..0000000
--- a/meta-starlingx/meta-stx-distro/recipes-security/gssproxy/files/Change-impersonator-check-code.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From 37d1667ad0cc91f46a493281e62775cc8bbe3b5b Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Tue, 14 Mar 2017 10:20:08 -0400
-Subject: [PATCH] Change impersonator check code
-
-In MIT 1.15 we now have a native way to check for an impersonator,
-implement the use of that function but still keep the fallback for
-earlier krb5 versions that do not support this method for now.
-
-Signed-off-by: Simo Sorce
-Reviewed-by: Robbie Harwood
-Merges: #172
-(cherry picked from commit 73b50c0b2799f0aed53337a6516b8e1a27279ebf)
----
- proxy/configure.ac | 3 +
- proxy/src/gp_creds.c | 147 ++++++++++++++++++++++++++++++++-----------
- 2 files changed, 112 insertions(+), 38 deletions(-)
-
-diff --git a/proxy/configure.ac b/proxy/configure.ac
-index 63c0edf..c52dbb6 100644
---- a/proxy/configure.ac
-+++ b/proxy/configure.ac
-@@ -131,6 +131,9 @@ AC_CHECK_LIB(gssapi_krb5, gss_export_cred,,
- [AC_MSG_ERROR([GSSAPI library does not support gss_export_cred])],
- [$GSSAPI_LIBS])
-
-+AC_CHECK_DECLS([GSS_KRB5_GET_CRED_IMPERSONATOR], [], [],
-+ [[#include ]])
-+
- AC_SUBST([KRB5_CFLAGS])
- AC_SUBST([KRB5_LIBS])
- AC_SUBST([GSSAPI_CFLAGS])
-diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
-index 171a724..95a1c48 100644
---- a/proxy/src/gp_creds.c
-+++ b/proxy/src/gp_creds.c
-@@ -773,9 +773,9 @@ void gp_filter_flags(struct gp_call_ctx *gpcall, uint32_t *flags)
- *flags &= ~gpcall->service->filter_flags;
- }
-
--uint32_t gp_cred_allowed(uint32_t *min,
-- struct gp_call_ctx *gpcall,
-- gss_cred_id_t cred)
-+
-+static uint32_t get_impersonator_fallback(uint32_t *min, gss_cred_id_t cred,
-+ char **impersonator)
- {
- uint32_t ret_maj = 0;
- uint32_t ret_min = 0;
-@@ -785,22 +785,6 @@ uint32_t gp_cred_allowed(uint32_t *min,
- krb5_data config;
- int err;
-
-- if (cred == GSS_C_NO_CREDENTIAL) {
-- return GSS_S_CRED_UNAVAIL;
-- }
--
-- if (gpcall->service->trusted ||
-- gpcall->service->impersonate ||
-- gpcall->service->allow_const_deleg) {
--
-- GPDEBUGN(2, "Credentials allowed by configuration\n");
-- *min = 0;
-- return GSS_S_COMPLETE;
-- }
--
-- /* FIXME: krb5 specific code, should get an oid registerd to query the
-- * cred with gss_inquire_cred_by_oid() or similar instead */
--
- err = krb5_init_context(&context);
- if (err) {
- ret_min = err;
-@@ -835,21 +819,116 @@ uint32_t gp_cred_allowed(uint32_t *min,
- goto done;
- }
-
-+ err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
-+ &config);
-+ if (err == 0) {
-+ *impersonator = strndup(config.data, config.length);
-+ if (!*impersonator) {
-+ ret_min = ENOMEM;
-+ ret_maj = GSS_S_FAILURE;
-+ } else {
-+ ret_min = 0;
-+ ret_maj = GSS_S_COMPLETE;
-+ }
-+ krb5_free_data_contents(context, &config);
-+ } else {
-+ ret_min = err;
-+ ret_maj = GSS_S_FAILURE;
-+ }
-+
-+done:
-+ if (context) {
-+ if (ccache) {
-+ krb5_cc_destroy(context, ccache);
-+ }
-+ krb5_free_context(context);
-+ }
-+ free(memcache);
-+
-+ *min = ret_min;
-+ return ret_maj;
-+}
-+
-+#if !HAVE_DECL_GSS_KRB5_GET_CRED_IMPERSONATOR
-+gss_OID_desc impersonator_oid = {
-+ 11, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e")
-+};
-+const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR = &impersonator_oid;
-+#endif
-+
-+static uint32_t get_impersonator_name(uint32_t *min, gss_cred_id_t cred,
-+ char **impersonator)
-+{
-+ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
-+ uint32_t ret_maj = 0;
-+ uint32_t ret_min = 0;
-+ uint32_t discard;
-+
-+ *impersonator = NULL;
-+
-+ ret_maj = gss_inquire_cred_by_oid(&ret_min, cred,
-+ GSS_KRB5_GET_CRED_IMPERSONATOR,
-+ &bufset);
-+ if (ret_maj == GSS_S_COMPLETE) {
-+ if (bufset->count == 0) {
-+ ret_min = ENOENT;
-+ ret_maj = GSS_S_COMPLETE;
-+ goto done;
-+ }
-+ *impersonator = strndup(bufset->elements[0].value,
-+ bufset->elements[0].length);
-+ if (!*impersonator) {
-+ ret_min = ENOMEM;
-+ ret_maj = GSS_S_FAILURE;
-+ }
-+ } else if (ret_maj == GSS_S_UNAVAILABLE) {
-+ /* Not supported by krb5 library yet, fallback to raw krb5 calls */
-+ /* TODO: Remove once we set a required dependency on MIT 1.15+ */
-+ ret_maj = get_impersonator_fallback(&ret_min, cred, impersonator);
-+ if (ret_maj == GSS_S_FAILURE) {
-+ if (ret_min == KRB5_CC_NOTFOUND) {
-+ ret_min = ENOENT;
-+ ret_maj = GSS_S_COMPLETE;
-+ }
-+ }
-+ }
-+
-+done:
-+ (void)gss_release_buffer_set(&discard, &bufset);
-+ *min = ret_min;
-+ return ret_maj;
-+}
-+
-+uint32_t gp_cred_allowed(uint32_t *min,
-+ struct gp_call_ctx *gpcall,
-+ gss_cred_id_t cred)
-+{
-+ char *impersonator = NULL;
-+ uint32_t ret_maj = 0;
-+ uint32_t ret_min = 0;
-+
-+ if (cred == GSS_C_NO_CREDENTIAL) {
-+ return GSS_S_CRED_UNAVAIL;
-+ }
-+
-+ if (gpcall->service->trusted ||
-+ gpcall->service->impersonate ||
-+ gpcall->service->allow_const_deleg) {
-+
-+ GPDEBUGN(2, "Credentials allowed by configuration\n");
-+ *min = 0;
-+ return GSS_S_COMPLETE;
-+ }
-+
-+ ret_maj = get_impersonator_name(&ret_min, cred, &impersonator);
-+ if (ret_maj) goto done;
-+
- /* if we find an impersonator entry we bail as that is not authorized,
- * if it were then gpcall->service->allow_const_deleg would have caused
- * the ealier check to return GSS_S_COMPLETE already */
-- err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
-- &config);
-- if (!err) {
-- krb5_free_data_contents(context, &config);
-+ if (impersonator != NULL) {
- ret_min = 0;
- ret_maj = GSS_S_UNAUTHORIZED;
-- } else if (err != KRB5_CC_NOTFOUND) {
-- ret_min = err;
-- ret_maj = GSS_S_FAILURE;
-- } else {
-- ret_min = 0;
-- ret_maj = GSS_S_COMPLETE;
- }
-
- done:
-@@ -864,15 +943,7 @@ done:
- GPDEBUG("Failure while checking credentials\n");
- break;
- }
-- if (context) {
-- /* NOTE: destroy only if we created a MEMORY ccache */
-- if (ccache) {
-- if (memcache) krb5_cc_destroy(context, ccache);
-- else krb5_cc_close(context, ccache);
-- }
-- krb5_free_context(context);
-- }
-- free(memcache);
-+ free(impersonator);
- *min = ret_min;
- return ret_maj;
- }