Revert "Revert "oran-shell-release: release image for F""
1 From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
2 From: Simo Sorce <simo@redhat.com>
3 Date: Mon, 13 Mar 2017 08:06:12 -0400
4 Subject: [PATCH] Properly renew expired credentials
5
6 When a caller imports expired credentials, we aim to actually renew them
7 if we can. However, due to incorrect checks and not clearing the
8 ret_maj variable after the checks, we end up returning an error instead.
9
10 Also fix mechglue to also save and properly report the first call errors
11 when both remote and local fail.
12
13 Resolves: #170
14
15 Signed-off-by: Simo Sorce <simo@redhat.com>
16 Reviewed-by: Robbie Harwood <rharwood@redhat.com>
17 (cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
18 ---
19  proxy/src/gp_creds.c                  | 14 +++++++++-----
20  proxy/src/mechglue/gpp_acquire_cred.c |  5 +++++
21  2 files changed, 14 insertions(+), 5 deletions(-)
22
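diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 5d84904..171a724 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
-        } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
-                   ret_maj != GSS_S_NO_CRED) {
+        } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+                   ret_maj == GSS_S_NO_CRED) {
+            /* continue and try to obtain new creds */
+            ret_maj = 0;
+            ret_min = 0;
+        } else {
             *min = ret_min;
             return GSS_S_CRED_UNAVAIL;
         }
@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
     if (acquire_type == ACQ_NORMAL) {
         ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
                                           &cred_usage, &cred_store);
+        if (ret_min) {
+            ret_maj = GSS_S_CRED_UNAVAIL;
+        }
     } else if (desired_name) {
         ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
     }
     if (ret_maj) {
         goto done;
-    } else if (ret_min) {
-        ret_maj = GSS_S_CRED_UNAVAIL;
-        goto done;
     }
 
     if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {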
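Review bot: `ret_maj = 0;` in the first hunk restores the success state with a bare literal while every other assignment and comparison in this function uses the GSS_S_* names; `ret_maj = GSS_S_COMPLETE;` is the same value and says what is meant. In the second hunk the removed `else if (ret_min)` branch also covered the case where gp_conv_gssx_to_name leaves a minor code with a zero major; the new code would then continue with a stale ret_min, though from the hunk that helper appears to return a non-zero ret_maj on every failure, so this is worth a quick confirmation rather than a change. Whether the ret_min kept after a gp_get_cred_environment failure actually reaches *min depends on the `done` label, which is outside the hunk. gp_add_krb5_creds starts before the first hunk and continues past the second.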
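diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
index d876699..514fdd1 100644
--- a/proxy/src/mechglue/gpp_acquire_cred.c
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
     }
 
     if (behavior == GPP_REMOTE_FIRST) {
+        if (maj != GSS_S_COMPLETE) {
+            /* save errors */
+            tmaj = maj;
+            tmin = min;
+        }
         /* So remote failed, but we can fallback to local, try that */
         maj = acquire_local(&min, NULL, name,
                             time_req, desired_mechs, cred_usage, cred_store,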
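Review bot: The saved tmaj/tmin are only useful if the code after acquire_local restores them into the caller's major/minor status when the local attempt also fails, and that code, like the declarations and initial values of tmaj and tmin, lies past the end of the hunk; it is worth confirming there that the restore only happens when tmaj was actually set, so a remote success followed by a local failure still reports the local error. The comment `/* save errors */` states the what; the why would help the next reader: `/* remember the remote failure so it is the one reported if the local fallback fails too */`. gssi_acquire_cred_from starts and ends outside the hunk.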