X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-stx%2Frecipes-security%2Fgssproxy%2Ffiles%2FProperly-renew-expired-credentials.patch;fp=meta-stx%2Frecipes-security%2Fgssproxy%2Ffiles%2FProperly-renew-expired-credentials.patch;h=a4b3005a4878e0b1983a5b0655c2ed7292c77cb0;hb=57fdea704bd62af847872c40508f00aa1d7cac60;hp=0000000000000000000000000000000000000000;hpb=f23f21bccfb750b9e30141fd9676515215ffbc4e;p=pti%2Frtp.git
diff --git a/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch b/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch
new file mode 100644
index 0000000..a4b3005
--- /dev/null
+++ b/meta-stx/recipes-security/gssproxy/files/Properly-renew-expired-credentials.patch
@@ -0,0 +1,75 @@
+From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 13 Mar 2017 08:06:12 -0400
+Subject: [PATCH] Properly renew expired credentials
+
+When a caller imports expired credentials, we aim to actually renew them
+if we can. However due to incorrect checks and not clearing of the
+ret_maj variable after checks we end up returning an error instead.
+
+Also fix mechglue to also save and properly report the first call errors
+when both remote and local fail.
+
+Resolves: #170
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+(cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
+---
+ proxy/src/gp_creds.c | 14 +++++++++-----
+ proxy/src/mechglue/gpp_acquire_cred.c | 5 +++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
+index 5d84904..171a724 100644
+--- a/proxy/src/gp_creds.c
++++ b/proxy/src/gp_creds.c
+@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+ ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
+ if (ret_maj == GSS_S_COMPLETE) {
+ return GSS_S_COMPLETE;
+- } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
+- ret_maj != GSS_S_NO_CRED) {
++ } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
++ ret_maj == GSS_S_NO_CRED) {
++ /* continue and try to obtain new creds */
++ ret_maj = 0;
++ ret_min = 0;
++ } else {
+ *min = ret_min;
+ return GSS_S_CRED_UNAVAIL;
+ }
+@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+ if (acquire_type == ACQ_NORMAL) {
+ ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
+ &cred_usage, &cred_store);
++ if (ret_min) {
++ ret_maj = GSS_S_CRED_UNAVAIL;
++ }
+ } else if (desired_name) {
+ ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
+ }
+ if (ret_maj) {
+ goto done;
+- } else if (ret_min) {
+- ret_maj = GSS_S_CRED_UNAVAIL;
+- goto done;
+ }
+
+ if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {
+diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
+index d876699..514fdd1 100644
+--- a/proxy/src/mechglue/gpp_acquire_cred.c
++++ b/proxy/src/mechglue/gpp_acquire_cred.c
+@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
+ }
+
+ if (behavior == GPP_REMOTE_FIRST) {
++ if (maj != GSS_S_COMPLETE) {
++ /* save errors */
++ tmaj = maj;
++ tmin = min;
++ }
+ /* So remote failed, but we can fallback to local, try that */
+ maj = acquire_local(&min, NULL, name,
+ time_req, desired_mechs, cred_usage, cred_store,
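Review bot: The patch header ends with `Reviewed-by: Robbie Harwood` and the `(cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)` trailer but carries no `Upstream-Status:` tag, which OpenEmbedded expects on every recipe patch so a later gssproxy upgrade can tell whether the patch is still needed; since the cherry-pick line shows it is an upstream commit, add `Upstream-Status: Backport [dc462321226f59ceaab0d3db47446a694a8ecba2]` after the Reviewed-by trailer. In the gp_creds.c hunk, `ret_maj = 0;` resets the major status with a bare literal while the line just above compares it against `GSS_S_COMPLETE`; `ret_maj = GSS_S_COMPLETE;` states the intent and matches how the rest of the function spells that value. In the gpp_acquire_cred.c hunk the saved `tmaj`/`tmin` are presumably reported once the local fallback also fails, but that code, and the start and end of both gp_add_krb5_creds and gssi_acquire_cred_from, lie outside these hunks, and the recipe SRC_URI entry that applies this file is not in this view either.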