commit 807a811e8b5067c519d59f4a39e736b41a115103 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:52:12 2019 -0400 Package init
diff --git a/Always-choose-highest-requested-debug-level.patch b/Always-choose-highest-requested-debug-level.patch
new file mode 100644
index 0000000..59acb8e
--- /dev/null
+++ b/Always-choose-highest-requested-debug-level.patch
@@ -0,0 +1,107 @@
+From d284ec7dc9fe0a824b177873078aeb36a25b7878 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 11 Apr 2018 16:15:00 -0400
+Subject: [PATCH] Always choose highest requested debug level
+
+Allowing the CLI to lower the debug level specified in a config file
+is dubious, and previously broken since we don't distinguish "default
+value" from "explicitly requested value of 0" in popt. This resulted
+in "Debug Enabled (level: 0)" even when the log level was not actually
+0, which is confusing for users.
+
+Remove the gp_debug_args() function since it is no longer used.
+
+Signed-off-by: Robbie Harwood
+Reviewed-by: Simo Sorce
+Merges: #229
+(cherry picked from commit 5a714768aec776dc875237dd729c85389932a688)
+---
+ src/gp_debug.c | 34 ++++++++--------------------------
+ src/gp_debug.h | 3 +--
+ src/gssproxy.c | 2 +-
+ 3 files changed, 10 insertions(+), 29 deletions(-)
+
+diff --git a/src/gp_debug.c b/src/gp_debug.c
+index 4a141fc..a0f51f0 100644
+--- a/src/gp_debug.c
++++ b/src/gp_debug.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2011 the GSS-PROXY contributors, see COPYING for license */
++/* Copyright (C) 2011,2018 the GSS-PROXY contributors, see COPYING for license */
+
+ #include "config.h"
+ #include
+@@ -7,35 +7,17 @@
+ #include "gp_log.h"
+
+ /* global debug switch */
+-int gp_debug;
+-
+-int gp_debug_args(int level) {
+- static int args_level = 0;
+-
+- if (level != 0) {
+- args_level = level;
+- }
+- return args_level;
+-}
++int gp_debug = 0;
+
+ void gp_debug_toggle(int level)
+ {
+- static bool krb5_trace_set = false;
++ if (level <= gp_debug)
++ return;
+
+- /* Command line and environment options override config file */
+- gp_debug = gp_debug_args(0);
+- if (gp_debug == 0) {
+- gp_debug = level;
+- }
+- if (level >= 3) {
+- if (!getenv("KRB5_TRACE")) {
+- setenv("KRB5_TRACE", "/dev/stderr", 1);
+- krb5_trace_set = true;
+- }
+- } else if (krb5_trace_set) {
+- unsetenv("KRB5_TRACE");
+- krb5_trace_set = false;
+- }
++ if (level >= 3 && !getenv("KRB5_TRACE"))
++ setenv("KRB5_TRACE", "/dev/stderr", 1);
++
++ gp_debug = level;
+ GPDEBUG("Debug Enabled (level: %d)\n", level);
+ }
+
+diff --git a/src/gp_debug.h b/src/gp_debug.h
+index 1c2f8a3..4932bfd 100644
+--- a/src/gp_debug.h
++++ b/src/gp_debug.h
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2011 the GSS-PROXY contributors, see COPYING for license */
++/* Copyright (C) 2011,2018 the GSS-PROXY contributors, see COPYING for license */
+
+ #ifndef _GP_DEBUG_H_
+ #define _GP_DEBUG_H_
+@@ -10,7 +10,6 @@
+
+ extern int gp_debug;
+
+-int gp_debug_args(int level);
+ void gp_debug_toggle(int);
+ void gp_debug_printf(const char *format, ...);
+ void gp_debug_time_printf(const char *format, ...);
+diff --git a/src/gssproxy.c b/src/gssproxy.c
+index 6d36a5d..db6e89b 100644
+--- a/src/gssproxy.c
++++ b/src/gssproxy.c
+@@ -208,7 +208,7 @@ int main(int argc, const char *argv[])
+
+ if (opt_debug || opt_debug_level > 0) {
+ if (opt_debug_level == 0) opt_debug_level = 1;
+- gp_debug_args(opt_debug_level);
++ gp_debug_toggle(opt_debug_level);
+ }
+
+ if (opt_daemon && opt_interactive) {
diff --git a/Always-use-the-encype-we-selected.patch b/Always-use-the-encype-we-selected.patch
new file mode 100644
index 0000000..afbf251
--- /dev/null
+++ b/Always-use-the-encype-we-selected.patch
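Review bot: In the new `gp_debug_toggle()` carried by Always-choose-highest-requested-debug-level.patch (src/gp_debug.c), the early `if (level <= gp_debug) return;` makes the level one-way, and with the `unsetenv("KRB5_TRACE")` branch removed, KRB5_TRACE stays pointed at /dev/stderr for the life of the process once level 3 has been requested. If this function is also reached on a configuration reload (callers other than `main()` are not visible in this patch), lowering `debug_level` in the config will not quiet the daemon or stop the trace output until it is restarted. That is worth stating above the function, for example `/* Only ever raises the level; lowering it or dropping KRB5_TRACE needs a restart. */`, so operators do not assume a reload turns verbose logging off.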
@@ -0,0 +1,43 @@
+From 64bf7f099fe52a214794486d16e3383ff25e8682 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 27 Feb 2018 11:59:25 -0500
+Subject: [PATCH] Always use the encype we selected
+
+The enctype is selected from the keytab or from the fallback code.
+Either way make sure to use the enctype stored in the key block.
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Robbie Harwood
+Merges: #226
+(cherry picked from commit d73c96d658059ce64ecd41ff2924071d86f2b54f)
+---
+ src/gp_export.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/gp_export.c b/src/gp_export.c
+index c9f5fd4..5e8e160 100644
+--- a/src/gp_export.c
++++ b/src/gp_export.c
+@@ -168,11 +168,10 @@ uint32_t gp_init_creds_handle(uint32_t *min, const char *svc_name,
+ GP_CREDS_HANDLE_KEY_ENCTYPE, 0,
+ &handle->key);
+ if (ret == 0) {
+- ret = krb5_c_make_random_key(handle->context,
+- GP_CREDS_HANDLE_KEY_ENCTYPE,
++ ret = krb5_c_make_random_key(handle->context, handle->key->enctype,
+ handle->key);
+ GPDEBUG("Service: %s, Enckey: [ephemeral], Enctype: %d\n",
+- svc_name, GP_CREDS_HANDLE_KEY_ENCTYPE);
++ svc_name, handle->key->enctype);
+ }
+ if (ret) {
+ ret_min = ret;
+@@ -254,7 +253,7 @@ static int gp_decrypt_buffer(krb5_context context, krb5_keyblock *key,
+
+ memset(&enc_handle, '\0', sizeof(krb5_enc_data));
+
+- enc_handle.enctype = GP_CREDS_HANDLE_KEY_ENCTYPE;
++ enc_handle.enctype = key->enctype;
+ enc_handle.ciphertext.data = in->octet_string_val;
+ enc_handle.ciphertext.length = in->octet_string_len;
+
diff --git a/Clarify-debug-and-debug_level-in-man-pages.patch b/Clarify-debug-and-debug_level-in-man-pages.patch
new file mode 100644
index 0000000..1a5f224
--- /dev/null
+++ b/Clarify-debug-and-debug_level-in-man-pages.patch
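Review bot: In `gp_decrypt_buffer()` (src/gp_export.c, in Always-use-the-encype-we-selected.patch) the line `enc_handle.enctype = key->enctype;` now takes the enctype from whatever key block the caller passes, and per the commit message that can come from the keytab, so the cipher protecting these buffers is no longer pinned to `GP_CREDS_HANDLE_KEY_ENCTYPE`. The selection code is outside the hunk, so it is not visible whether a weak or unexpected enctype is rejected there; a comment at the assignment saying where that is enforced would help, e.g. `/* enctype was vetted when the key was loaded, see <selection function> */`. Separately, in the `gp_init_creds_handle()` hunk the `GPDEBUG(... "Enckey: [ephemeral]" ...)` call runs before `ret` from `krb5_c_make_random_key()` is checked, so the message is logged even when key generation failed; it belongs under its own `if (ret == 0)`. Both functions begin and end outside their hunks.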
@@ -0,0 +1,74 @@ +From d71d354f1020a7deac57f26cc7c2cafb3fa675a3 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 11 Apr 2018 16:01:21 -0400 +Subject: [PATCH] Clarify debug and debug_level in man pages + +In particular, add debug_level to gssproxy(5) since it was previously +accepted but not documented. + +Signed-off-by: Robbie Harwood +Reviewed-by: Simo Sorce +Merges: #229 +(cherry picked from commit e0e96e46be03102903533a9816b4deefe1adfaf8) +--- + man/gssproxy.8.xml | 24 +++++++++++++++++++++++- + man/gssproxy.conf.5.xml | 5 ++++- + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/man/gssproxy.8.xml b/man/gssproxy.8.xml +index 1df4b0d..21f7e6a 100644 +--- a/man/gssproxy.8.xml ++++ b/man/gssproxy.8.xml +@@ -118,13 +118,35 @@ + + + ++ + + + , + + + +- Turn on debugging. ++ Turn on debugging. This option is identical to ++ --debug-level=1. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Turn on debugging at the specified level. 0 ++ corresponds to no logging, while 1 turns on basic ++ debug logging. Level 2 increases verbosity, including ++ more detailed credential verification. ++ ++ ++ At level 3 and above, KRB5_TRACE output is logged. If ++ KRB5_TRACE was already set in the execution ++ environment, trace output is sent to its value ++ instead. + + + +diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml +index de846b4..21c9653 100644 +--- a/man/gssproxy.conf.5.xml ++++ b/man/gssproxy.conf.5.xml +@@ -192,7 +192,10 @@ + + debug (boolean) + +- Enable debugging to syslog. ++ ++ Enable debugging to syslog. Setting to true is ++ identical to setting debug_level to 1. ++ + Default: debug = false + + diff --git a/Don-t-leak-sock_ctx-if-verto_add_io-fails.patch b/Don-t-leak-sock_ctx-if-verto_add_io-fails.patch new file mode 100644 index 0000000..aaa17b8 --- /dev/null +++ b/Don-t-leak-sock_ctx-if-verto_add_io-fails.patch 
@@ -0,0 +1,23 @@
+From 322a7e578cc1f3b54bfb317dd57442231a8f7cf7 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 2 Aug 2018 16:02:50 -0400
+Subject: [PATCH] Don't leak sock_ctx if verto_add_io() fails
+
+Signed-off-by: Robbie Harwood
+(cherry picked from commit 459152be1e701af6aafdecffc1af21156b43bf78)
+---
+ src/gssproxy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gssproxy.c b/src/gssproxy.c
+index db6e89b..93c1c1e 100644
+--- a/src/gssproxy.c
++++ b/src/gssproxy.c
+@@ -46,6 +46,7 @@ static verto_ev *setup_socket(char *sock_name, verto_ctx *vctx)
+
+ ev = verto_add_io(vctx, vflags, accept_sock_conn, sock_ctx->fd);
+ if (!ev) {
++ free(sock_ctx);
+ return NULL;
+ }
+
diff --git a/gssproxy-0.8.0.tar.gz b/gssproxy-0.8.0.tar.gz
new file mode 100644
index 0000000..4794b25
Binary files /dev/null and b/gssproxy-0.8.0.tar.gz differ
diff --git a/gssproxy.spec b/gssproxy.spec
new file mode 100644
index 0000000..1c452ac
--- /dev/null
+++ b/gssproxy.spec
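Review bot: The new error path in `setup_socket()` (src/gssproxy.c, in Don-t-leak-sock_ctx-if-verto_add_io-fails.patch) frees `sock_ctx` but leaves the descriptor that was just handed to `verto_add_io()` as `sock_ctx->fd` open, so a failure here still leaks the socket. Unless that fd is owned and closed somewhere not visible in this hunk, close it first: `close(sock_ctx->fd);` on the line before `free(sock_ctx);`. The function begins and ends outside the hunk, so where `sock_ctx` and its fd are created cannot be confirmed from here.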
@@ -0,0 +1,91 @@
+%global servicename gssproxy
+%global pubconfpath %{_sysconfdir}/gssproxy
+%global gpstatedir %{_localstatedir}/lib/gssproxy
+
+Name: gssproxy
+Version: 0.8.0
+Release: 8
+Summary: GSSAPI Proxy
+License: MIT
+URL: https://pagure.io/gssproxy
+Source0: %{name}-%{version}.tar.gz
+
+Patch0: Always-use-the-encype-we-selected.patch
+Patch1: Clarify-debug-and-debug_level-in-man-pages.patch
+Patch2: Always-choose-highest-requested-debug-level.patch
+Patch3: Don-t-leak-sock_ctx-if-verto_add_io-fails.patch
+
+Requires: krb5 keyutils libverto-module-base libini_config systemd
+
+Conflicts: selinux-policy < 3.13.1-283.5
+
+BuildRequires: autoconf automake libtool m4 libxslt libxml2 docbook-style-xsl doxygen findutils systemd-units git popt-devel
+BuildRequires: gettext-devel pkgconfig krb5-devel >= 1.12.0 libselinux-devel keyutils-libs-devel libini_config-devel >= 1.2.0 libverto-devel
+
+%description
+This is a proxy for GSSAPI which deals with credential handling
+
+%package help
+Summary: Help files for %{name}
+%description help
+Help files for %{name}.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+autoreconf -f -i
+%configure \
+ --with-pubconf-path=%{pubconfpath} \
+ --with-initscript=systemd \
+ --disable-static \
+ --disable-rpath \
+ --with-gpp-default-behavior=REMOTE_FIRST
+
+make %{?_smp_mflags} all
+make test_proxymech
+
+%install
+rm -rf %{buildroot}
+%make_install
+rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
+install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
+install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
+install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf
+install -D -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
+mkdir -p %{buildroot}%{gpstatedir}/rcache
+
+%post
+%systemd_post gssproxy.service
+
+%preun
+%systemd_preun gssproxy.service
+
+%postun
+%systemd_postun_with_restart gssproxy.service
+
+%files
+%license COPYING
+%{_unitdir}/gssproxy.service
+%{_sbindir}/gssproxy
+%attr(755,root,root) %dir %{pubconfpath}
+%attr(755,root,root) %dir %{gpstatedir}
+%attr(700,root,root) %dir %{gpstatedir}/clients
+%attr(700,root,root) %dir %{gpstatedir}/rcache
+%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
+%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf
+%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
+%dir %{_libdir}/gssproxy
+%{_libdir}/gssproxy/proxymech.so
+
+%files help
+%{_mandir}/man5/gssproxy.conf.5*
+%{_mandir}/man8/gssproxy.8*
+%{_mandir}/man8/gssproxy-mech.8*
+
+%changelog
+* Fri Sep 27 2018 openEuler Buildteam 0.8.0-8
+- Package init
+
+* Mon Sep 10 2018 openEuler Buildteam 0.8.0-7
+- Package init
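Review bot: `Source0: %{name}-%{version}.tar.gz` in gssproxy.spec is a bare file name and `%prep` goes straight to `%autosetup`, so nothing in the spec ties the binary tarball committed alongside it to an upstream release. For a daemon that handles Kerberos credentials it is worth giving the full upstream download URL in `Source0` and recording or verifying a checksum or signature of the tarball, so a rebuilt package can be traced to known source. A smaller point: the `%changelog` entry `* Fri Sep 27 2018` does not fall on a Friday (27 September 2018 was a Thursday), which rpmbuild flags as a bogus date.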