Attachment 201862 Details for Bug 235582 – updated fix for srv side rpcsec_gss NULL client principal

[patch] updated fix for srv side rpcsec_gss NULL client principal

svcgss2.patch (text/plain), 4.64 KB, created by Rick Macklem on 2019-02-09 05:18:36 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Rick Macklem

Created: 2019-02-09 05:18:36 UTC

Size: 4.64 KB

patch

obsolete

>--- rpc/rpcsec_gss/svc_rpcsec_gss.c.sav	2019-02-08 19:19:29.390541000 -0500
>+++ rpc/rpcsec_gss/svc_rpcsec_gss.c	2019-02-09 00:59:43.377244000 -0500
>@@ -794,12 +794,15 @@ svc_rpc_gss_build_ucred(struct svc_rpc_g
> 	uc->gidlist = client->cl_gid_storage;
> 
> 	numgroups = NGROUPS;
>-	maj_stat = gss_pname_to_unix_cred(&min_stat, name, client->cl_mech,
>-	    &uc->uid, &uc->gid, &numgroups, &uc->gidlist[0]);
>-	if (GSS_ERROR(maj_stat))
>+	if (name != NULL) {
>+		maj_stat = gss_pname_to_unix_cred(&min_stat, name, client->cl_mech,
>+		    &uc->uid, &uc->gid, &numgroups, &uc->gidlist[0]);
>+		if (GSS_ERROR(maj_stat))
>+			uc->gidlen = 0;
>+		else
>+			uc->gidlen = numgroups;
>+	} else
> 		uc->gidlen = 0;
>-	else
>-		uc->gidlen = numgroups;
> }
> 
> static void
>@@ -841,6 +844,7 @@ svc_rpc_gss_accept_sec_context(struct sv
> 	OM_uint32		maj_stat = 0, min_stat = 0, ret_flags;
> 	OM_uint32		cred_lifetime;
> 	struct svc_rpc_gss_svc_name *sname;
>+	gss_name_t		cname;
> 
> 	rpc_gss_log_debug("in svc_rpc_gss_accept_context()");
> 	
>@@ -854,6 +858,7 @@ svc_rpc_gss_accept_sec_context(struct sv
> 		return (FALSE);
> 	}
> 
>+	cname = NULL;
> 	/*
> 	 * First time round, try all the server names we have until
> 	 * one matches. Afterwards, stick with that one.
>@@ -870,7 +875,7 @@ svc_rpc_gss_accept_sec_context(struct sv
> 					sname->sn_cred,
> 					&recv_tok,
> 					GSS_C_NO_CHANNEL_BINDINGS,
>-					&client->cl_cname,
>+					&cname,
> 					&mech,
> 					&gr->gr_token,
> 					&ret_flags,
>@@ -903,7 +908,7 @@ svc_rpc_gss_accept_sec_context(struct sv
> 			client->cl_sname->sn_cred,
> 			&recv_tok,
> 			GSS_C_NO_CHANNEL_BINDINGS,
>-			&client->cl_cname,
>+			&cname,
> 			&mech,
> 			&gr->gr_token,
> 			&ret_flags,
>@@ -954,20 +959,28 @@ svc_rpc_gss_accept_sec_context(struct sv
> 		 */
> 		client->cl_rawcred.version = RPCSEC_GSS_VERSION;
> 		rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
>-		maj_stat = gss_export_name(&min_stat, client->cl_cname,
>-		    &export_name);
>-		if (maj_stat != GSS_S_COMPLETE) {
>-			rpc_gss_log_status("gss_export_name", client->cl_mech,
>-			    maj_stat, min_stat);
>-			return (FALSE);
>+		if (cname != NULL) {
>+			maj_stat = gss_export_name(&min_stat, cname,
>+			    &export_name);
>+			if (maj_stat != GSS_S_COMPLETE) {
>+				rpc_gss_log_status("gss_export_name", client->cl_mech,
>+				    maj_stat, min_stat);
>+				return (FALSE);
>+			}
>+			client->cl_rawcred.client_principal =
>+				mem_alloc(sizeof(*client->cl_rawcred.client_principal)
>+				    + export_name.length);
>+			client->cl_rawcred.client_principal->len = export_name.length;
>+			memcpy(client->cl_rawcred.client_principal->name,
>+			    export_name.value, export_name.length);
>+			gss_release_buffer(&min_stat, &export_name);
>+		} else {
>+			printf("svc_rpcsec_gss: cname NULL\n");
>+			if (client->cl_rawcred.client_principal == NULL)
>+				printf("svc_rpcsec_gss: client_princ NULL\n");
>+			else
>+				printf("svc_rpcsec_gss: client_princ not NULL\n");
> 		}
>-		client->cl_rawcred.client_principal =
>-			mem_alloc(sizeof(*client->cl_rawcred.client_principal)
>-			    + export_name.length);
>-		client->cl_rawcred.client_principal->len = export_name.length;
>-		memcpy(client->cl_rawcred.client_principal->name,
>-		    export_name.value, export_name.length);
>-		gss_release_buffer(&min_stat, &export_name);
> 		client->cl_rawcred.svc_principal =
> 			client->cl_sname->sn_principal;
> 		client->cl_rawcred.service = gc->gc_svc;
>@@ -976,9 +989,10 @@ svc_rpc_gss_accept_sec_context(struct sv
> 		 * Use gss_pname_to_uid to map to unix creds. For
> 		 * kerberos5, this uses krb5_aname_to_localname.
> 		 */
>-		svc_rpc_gss_build_ucred(client, client->cl_cname);
>+		svc_rpc_gss_build_ucred(client, cname);
> 		svc_rpc_gss_set_flavor(client);
>-		gss_release_name(&min_stat, &client->cl_cname);
>+		if (cname != NULL)
>+			gss_release_name(&min_stat, &cname);
> 
> #ifdef DEBUG
> 		{
>@@ -986,11 +1000,17 @@ svc_rpc_gss_accept_sec_context(struct sv
> 
> 			gss_oid_to_str(&min_stat, mech, &mechname);
> 			
>-			rpc_gss_log_debug("accepted context for %s with "
>-			    "<mech %.*s, qop %d, svc %d>",
>-			    client->cl_rawcred.client_principal->name,
>-			    mechname.length, (char *)mechname.value,
>-			    client->cl_qop, client->cl_rawcred.service);
>+			if (client->cl_rawcred.client_principal != NULL)
>+				rpc_gss_log_debug("accepted context for %s with "
>+				    "<mech %.*s, qop %d, svc %d>",
>+				    client->cl_rawcred.client_principal->name,
>+				    mechname.length, (char *)mechname.value,
>+				    client->cl_qop, client->cl_rawcred.service);
>+			else
>+				rpc_gss_log_debug("accepted context for no principal with "
>+				    "<mech %.*s, qop %d, svc %d>",
>+				    mechname.length, (char *)mechname.value,
>+				    client->cl_qop, client->cl_rawcred.service);
> 
> 			gss_release_buffer(&min_stat, &mechname);
> 		}

Actions: View | Diff

Attachments on bug 235582: 201858 | 201862 | 201876