Date:      Mon, 24 Feb 2020 04:51:17 +0000 (UTC)
From:      Hajimu UMEMOTO <ume@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r526953 - in head/security: cyrus-sasl2-gssapi cyrus-sasl2/files
Message-ID:  <202002240451.01O4pHwl097233@repo.freebsd.org>

Author: ume
Date: Mon Feb 24 04:51:17 2020
New Revision: 526953
URL: https://svnweb.freebsd.org/changeset/ports/526953

Log:
  - Call gss_acquire_cred() before gss_init_sec_context()
    in gssapi_client_mech_step()
  - Fix a bug which prevented the client from retrieving
    a credential from CCACHE.
  
  These patches were already merged into upstream.
  
    https://github.com/cyrusimap/cyrus-sasl/pull/575
    https://github.com/cyrusimap/cyrus-sasl/pull/591
  
  Submitted by:	hrs

Modified:
  head/security/cyrus-sasl2-gssapi/Makefile
  head/security/cyrus-sasl2/files/patch-plugins_gssapi.c

Modified: head/security/cyrus-sasl2-gssapi/Makefile
==============================================================================
--- head/security/cyrus-sasl2-gssapi/Makefile	Mon Feb 24 03:36:59 2020	(r526952)
+++ head/security/cyrus-sasl2-gssapi/Makefile	Mon Feb 24 04:51:17 2020	(r526953)
@@ -1,6 +1,7 @@
 # $FreeBSD$
 
 PKGNAMESUFFIX=	-gssapi
+PORTREVISION=	1
 
 COMMENT=	SASL GSSAPI authentication plugin
 

Modified: head/security/cyrus-sasl2/files/patch-plugins_gssapi.c
==============================================================================
--- head/security/cyrus-sasl2/files/patch-plugins_gssapi.c	Mon Feb 24 03:36:59 2020	(r526952)
+++ head/security/cyrus-sasl2/files/patch-plugins_gssapi.c	Mon Feb 24 04:51:17 2020	(r526953)
@@ -1,8 +1,15 @@
---- plugins/gssapi.c.orig	2016-01-30 14:06:08 UTC
+#
+# Fixes of "keytab" keyword on the client side.
+#
+# https://github.com/cyrusimap/cyrus-sasl/commit/74faca7400f414784b5e2e136668e6f4ef0d6b96
+# https://github.com/cyrusimap/cyrus-sasl/commit/7a95382c68e7187fe7407b2a94036d9ca3246e34
+# https://github.com/cyrusimap/cyrus-sasl/commit/238380260fe623212c0f21d63e763b7a849540d1
+#
+--- plugins/gssapi.c.orig	2018-11-08 17:29:57 UTC
 +++ plugins/gssapi.c
-@@ -1531,8 +1531,10 @@ static int gssapi_client_mech_step(void 
-     *clientout = NULL;
-     *clientoutlen = 0;
+@@ -1668,8 +1668,10 @@ static int gssapi_client_mech_step(void *conn_context,
+     if (clientoutlen)
+         *clientoutlen = 0;
      
 +#if 0
      params->utils->log(params->utils->conn, SASL_LOG_DEBUG,
@@ -11,3 +18,100 @@
  
      switch (text->state) {
  
+@@ -1777,6 +1779,39 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    req_flags = req_flags |  GSS_C_DELEG_FLAG;
+ 	}
+ 
++	/*
++	 * If caller didn't provide creds already.
++	 *
++	 * In the case of Kerberos, a client typically wants to use
++	 * a credential in either a keytab file or the credentials cache
++	 * of the current process context.  This code path will try to
++	 * find a credential in the specified keytab file,  then the
++	 * credentials cache.  The keytab file can be specified by
++	 * "keytab" option, and it is configured by using
++	 * gsskrb5_register_acceptor_identity() API when available.
++	 */
++	if (client_creds == GSS_C_NO_CREDENTIAL) {
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
++	    maj_stat = gss_acquire_cred(&min_stat,
++					text->server_name,
++					GSS_C_INDEFINITE,
++					GSS_C_NO_OID_SET,
++					GSS_C_INITIATE,
++					&text->client_creds, 
++					NULL, 
++					NULL);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
++
++	    /*
++	     * Ignore the error intentionally.  The credential was
++	     * not found in the specified keytab file.
++	     */
++	    if (GSS_ERROR(maj_stat) == 0) {
++		client_creds = text->client_creds;
++	    }
++	}
++
++	/* Try the credentials cache. */
+ 	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_init_sec_context(&min_stat,
+ 					client_creds, /* GSS_C_NO_CREDENTIAL */
+@@ -2227,16 +2262,55 @@ static sasl_client_plug_t gssapi_client_plugins[] = 
+ #endif
+ };
+ 
+-int gssapiv2_client_plug_init(const sasl_utils_t *utils __attribute__((unused)), 
++int gssapiv2_client_plug_init(
++#ifndef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++    const sasl_utils_t *utils __attribute__((unused)),
++#else
++    const sasl_utils_t *utils,
++#endif
+ 			      int maxversion,
+ 			      int *out_version, 
+ 			      sasl_client_plug_t **pluglist,
+ 			      int *plugcount)
+ {
++#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++    const char *keytab = NULL;
++    char keytab_path[1024];
++    unsigned int rl;
++#endif
++
+     if (maxversion < SASL_CLIENT_PLUG_VERSION) {
+ 	SETERROR(utils, "Version mismatch in GSSAPI");
+ 	return SASL_BADVERS;
+     }
++
++#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++    /* unfortunately, we don't check for readability of keytab if it's
++       the standard one, since we don't know where it is */
++    
++    /* FIXME: This code is broken */
++    
++    utils->getopt(utils->getopt_context, "GSSAPI", "keytab", &keytab, &rl);
++    if (keytab != NULL) {
++	if (access(keytab, R_OK) != 0) {
++	    utils->log(NULL, SASL_LOG_ERR,
++		       "Could not find keytab file: %s: %m", keytab);
++	    return SASL_FAIL;
++	}
++	
++	if(strlen(keytab) > sizeof(keytab_path)) {
++	    utils->log(NULL, SASL_LOG_ERR,
++		       "path to keytab is > %zu characters",
++		       sizeof(keytab_path));
++	    return SASL_BUFOVER;
++	}
++	
++	strncpy(keytab_path, keytab, sizeof(keytab_path));
++	keytab_path[sizeof(keytab_path) - 1] = '\0';
++	
++	gsskrb5_register_acceptor_identity(keytab_path);
++    }
++#endif
+     
+     *out_version = SASL_CLIENT_PLUG_VERSION;
+     *pluglist = gssapi_client_plugins;
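Review bot: The length guard added to gssapiv2_client_plug_init is off by one: `strlen(keytab) > sizeof(keytab_path)` lets a path of exactly 1024 characters through, strncpy then fills the whole buffer with no terminator, and the forced `keytab_path[sizeof(keytab_path) - 1] = '\0'` silently drops the last character, so a truncated path is handed to gsskrb5_register_acceptor_identity(). Use `if (strlen(keytab) >= sizeof(keytab_path)) {`, or replace the strncpy pair with `snprintf(keytab_path, sizeof(keytab_path), "%s", keytab);` and reject the SASL_BUFOVER case from its return value; `rl` is written by utils->getopt() but never read and can go. Separately, the new gss_acquire_cred() call in gssapi_client_mech_step passes `text->server_name` — by its name the acceptor's identity — as the initiator's desired_name; if that is intentional for the keytab lookup the block comment should say so, since a reader would otherwise expect GSS_C_NO_NAME for the default initiator identity. gssapiv2_client_plug_init continues past the end of the hunk.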


