Name:		gssproxy

Version:	0.7.0

Release:	21%{?dist}.0.1

Summary:	GSSAPI Proxy

Group:		System Environment/Libraries

License:	MIT

URL:		https://pagure.io/gssproxy

Source0:	https://releases.pagure.org/gssproxy/gssproxy-%{version}.tar.gz

BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

%global servicename gssproxy

%global pubconfpath %{_sysconfdir}/gssproxy

%global gpstatedir %{_localstatedir}/lib/gssproxy

### Patches ###

Patch0: Properly-renew-expired-credentials.patch

Patch1: Change-impersonator-check-code.patch

Patch2: Allow-connection-to-self-when-impersonator-set.patch

Patch3: Make-proc-file-failure-loud-but-nonfatal.patch

Patch4: Turn-on-Wextra.patch

Patch5: Fix-unused-variables.patch

Patch6: Fix-mismatched-sign-comparisons.patch

Patch7: Fix-error-checking-on-get_impersonator_fallback.patch

Patch8: Remove-gpm_release_ctx-to-fix-double-unlock.patch

Patch9: Appease-gcc-7-s-fallthrough-detection.patch

Patch10: Fix-memory-leak.patch

Patch11: Fix-most-memory-leaks.patch

Patch12: Fix-segfault-when-no-config-files-are-present.patch

Patch13: Update-systemd-file.patch

Patch14: Fix-error-handling-in-gp_config_from_dir.patch

Patch15: Fix-silent-crash-with-duplicate-config-sections.patch

Patch16: Do-not-call-gpm_grab_sock-twice.patch

Patch18: Only-empty-FILE-ccaches-when-storing-remote-creds.patch

Patch19: Handle-outdated-encrypted-ccaches.patch

Patch20: Separate-cred-and-ccache-manipulation-in-gpp_store_r.patch

Patch21: Properly-locate-credentials-in-collection-caches-in-.patch

Patch22: Properly-initialize-ccaches-before-storing-into-them.patch

Patch23: Include-header-for-writev.patch

Patch24: Tolerate-NULL-pointers-in-gp_same.patch

Patch25: Add-Client-ID-to-debug-messages.patch

Patch26: client-Switch-to-non-blocking-sockets.patch

Patch27: server-Add-detailed-request-logging.patch

Patch28: Fix-potential-free-of-non-heap-address.patch

Patch29: Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch

Patch30: Simplify-setting-NONBLOCK-on-socket.patch

Patch31: Fix-handling-of-non-EPOLLIN-EPOLLOUT-events.patch

Patch32: Fix-error-handling-in-gpm_send_buffer-gpm_recv_buffe.patch

Patch33: Emit-debug-on-queue-errors.patch

Patch34: Conditionally-reload-kernel-interface-on-SIGHUP.patch

Patch35: Don-t-leak-mech_type-when-CONTINUE_NEEDED-from-init_.patch

Patch36: Always-use-the-encype-we-selected.patch

Patch37: Clarify-debug-and-debug_level-in-man-pages.patch

Patch38: Always-choose-highest-requested-debug-level.patch

Patch9999: 9999-fasttrack-attempt-fix-1699331.patch

### Dependencies ###

# From rhbz#1458913 and rhbz#1507607 (and friends)

Requires: libini_config >= 1.3.1-31

Requires: krb5-libs >= 1.15

Requires: keyutils-libs

Requires: libverto-module-base

Requires(post): systemd-units

Requires(preun): systemd-units

Requires(postun): systemd-units

# Currently from rhbz#1458850 and friends

Conflicts: selinux-policy < 3.13.1-166.el7.noarch

### Build Dependencies ###

BuildRequires: autoconf

BuildRequires: automake

BuildRequires: coreutils

BuildRequires: docbook-style-xsl

BuildRequires: doxygen

BuildRequires: findutils

BuildRequires: gettext-devel

BuildRequires: keyutils-libs-devel

BuildRequires: krb5-devel >= 1.15

BuildRequires: libini_config-devel >= 1.3.1-28

BuildRequires: libselinux-devel

BuildRequires: libtool

BuildRequires: libverto-devel

BuildRequires: libxml2

BuildRequires: libxslt

BuildRequires: m4

BuildRequires: pkgconfig

BuildRequires: popt-devel

BuildRequires: sed

BuildRequires: systemd-units

%description

A proxy for GSSAPI credential handling

%prep

%setup -q

%patch0 -p2 -b .Properly-renew-expired-credentials

%patch1 -p2 -b .Change-impersonator-check-code

%patch2 -p2 -b .Allow-connection-to-self-when-impersonator-set

%patch3 -p2 -b .Make-proc-file-failure-loud-but-nonfatal

%patch4 -p2 -b .Turn-on-Wextra

%patch5 -p2 -b .Fix-unused-variables

%patch6 -p2 -b .Fix-mismatched-sign-comparisons

%patch7 -p2 -b .Fix-error-checking-on-get_impersonator_fallback

%patch8 -p2 -b .Remove-gpm_release_ctx-to-fix-double-unlock

%patch9 -p2 -b .Appease-gcc-7-s-fallthrough-detection

%patch10 -p2 -b .Fix-memory-leak

%patch11 -p2 -b .Fix-most-memory-leaks

%patch12 -p2 -b .Fix-segfault-when-no-config-files-are-present

%patch13 -p2 -b .Update-systemd-file

%patch14 -p2 -b .Fix-error-handling-in-gp_config_from_dir

%patch15 -p2 -b .Fix-silent-crash-with-duplicate-config-sections

%patch16 -p2 -b .Do-not-call-gpm_grab_sock-twice

%patch18 -p2 -b .Only-empty-FILE-ccaches-when-storing-remote-creds

%patch19 -p2 -b .Handle-outdated-encrypted-ccaches

%patch20 -p2 -b .Separate-cred-and-ccache-manipulation-in-gpp_store_r

%patch21 -p2 -b .Properly-locate-credentials-in-collection-caches-in-

%patch22 -p2 -b .Properly-initialize-ccaches-before-storing-into-them

%patch23 -p2 -b .Include-header-for-writev

%patch24 -p2 -b .Tolerate-NULL-pointers-in-gp_same

%patch25 -p2 -b .Add-Client-ID-to-debug-messages

%patch26 -p2 -b .client-Switch-to-non-blocking-sockets

%patch27 -p2 -b .server-Add-detailed-request-logging

%patch28 -p2 -b .Fix-potential-free-of-non-heap-address

%patch29 -p2 -b .Prevent-uninitialized-read-in-error-path-of-XDR-cont

%patch30 -p2 -b .Simplify-setting-NONBLOCK-on-socket

%patch31 -p2 -b .Fix-handling-of-non-EPOLLIN-EPOLLOUT-events

%patch32 -p2 -b .Fix-error-handling-in-gpm_send_buffer-gpm_recv_buffe

%patch33 -p2 -b .Emit-debug-on-queue-errors

%patch34 -p2 -b .Conditionally-reload-kernel-interface-on-SIGHUP

%patch35 -p2 -b .Don-t-leak-mech_type-when-CONTINUE_NEEDED-from-init_

%patch36 -p2 -b .Always-use-the-encype-we-selected

%patch37 -p2 -b .Clarify-debug-and-debug_level-in-man-pages

%patch38 -p2 -b .Always-choose-highest-requested-debug-level

%patch9999 -p1 -b fasttrack

%build

autoreconf -f -i

%configure \

    --with-pubconf-path=%{pubconfpath} \

    --with-initscript=systemd \

    --disable-static \

    --disable-rpath \

    --with-gpp-default-behavior=REMOTE_FIRST \

    CFLAGS="$CFLAGS -fPIE -fstack-protector-all" \

    LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,now"

make %{?_smp_mflags} all

make test_proxymech

%install

rm -rf -- "%{buildroot}"

make install DESTDIR=%{buildroot}

rm -f -- %{buildroot}%{_libdir}/gssproxy/proxymech.la

install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy

install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf

install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf

mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d

install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf

mkdir -p %{buildroot}/var/lib/gssproxy/rcache

%clean

rm -rf -- "%{buildroot}"

%files

%defattr(-,root,root,-)

%doc COPYING

%{_unitdir}/gssproxy.service

%{_sbindir}/gssproxy

%attr(755,root,root) %dir %{pubconfpath}

%attr(755,root,root) %dir %{gpstatedir}

%attr(700,root,root) %dir %{gpstatedir}/clients

%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf

%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf

%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf

%attr(700,root,root) %dir /var/lib/gssproxy/rcache

%{_libdir}/gssproxy/proxymech.so

%{_mandir}/man5/gssproxy.conf.5*

%{_mandir}/man8/gssproxy.8*

%{_mandir}/man8/gssproxy-mech.8*

%post

%systemd_post gssproxy.service

%preun

%systemd_preun gssproxy.service

%postun

%systemd_postun_with_restart gssproxy.service

%changelog

* Sat May 04 2019 Pablo Greco <pablo@fliagreco.com.ar> 0.7.0-21.0.1

- Fasttrack version to resolve #1699331

* Fri Jun 08 2018 Robbie Harwood <rharwood@redhat.com> 0.7.0-21

- Always choose highest requested debug level

- Resolves: #1505741

* Fri Apr 27 2018 Robbie Harwood <rharwood@redhat.com> 0.7.0-20

- Clean up debug man page + behavior

- Resolves: #1554249

* Fri Apr 27 2018 Robbie Harwood <rharwood@redhat.com> 0.7.0-19

- Always use the encype we selected

- Resolves: #1549684

* Fri Apr 27 2018 Robbie Harwood <rharwood@redhat.com> 0.7.0-18

- Don't leak mech_type when CONTINUE_NEEDED from init_sec_context

- Resolves: #1553819

* Wed Dec 13 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-17

- Conditionally reload kernel interface on SIGHUP

- Resolves: #1507817

* Tue Dec 12 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-16

- Backport epoll() logic

- Resolves: #1507817

* Wed Dec 06 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-15

- Properly initialize ccaches before storing into them

- Resolves: #1488629

* Fri Dec 01 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-14

- Properly locate credentials in collection caches in mechglue

- Resolves: #1488629

* Tue Oct 31 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-13

- Handle outdated encrypted ccaches

- Resolves: #1488629

* Tue Oct 31 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-12

- Handle outdated encrypted ccaches

- Resolves: #1488629

* Mon Oct 30 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-11

- Fix error message handling in gp_config_from_dir()

- Resolves: #1458913

* Fri Oct 27 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-10

- Fix concurrency issue around server socket handling

- Resolves: #1462974

* Tue Oct 17 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-9

- Log useful warning and merge when config file has duplicate sections

- Resolves: #1458913

* Mon Oct 02 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-8

- Add Conflicts: line for old selinux-policy

- Resolves: #1458850

* Thu Sep 21 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-7

- Backport NFS-related gssproxy.service changes

- Resolves: #1326440

* Mon Sep 11 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-6

- Fix segfault when no config files are present

- Resolves: #1451255

* Thu Aug 17 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-5

- Backport hardening improvements

- Resolves: #1462974

* Wed May 31 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-4

- Make proc file failure loud but nonfatal

- Resolves: #1449238

* Tue Mar 28 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-3

- Stop shipping NFS server snippet (nfs-utils takes it instead)

- Resolves: #1379836

* Tue Mar 14 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-2

- Fix credential handling with mod_auth_gssapi that we broke

- Resolves: #1379836

* Fri Mar 10 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-1

- New upstream version - 0.7.0

- Resolves: #1379836

* Tue Feb 28 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-4

- Include fixes for NULL-termination

- Resolves: #1379836

* Thu Feb 23 2017 Robbie Harwood <rharwod@redhat.com> 0.6.2-3

- Document debug_level option

- Resolves: #1379836

* Tue Feb 21 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-2

- Enable running the test suite

- Resolves: #1379836

* Thu Feb 16 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-1

- Rebase to latest version since we have krb5-1.15

- Resolves: #1379836

- Resolves: #1344518

- Resolves: #1366782

- Resolves: #1379005

- Resolves: #1379482

- Resolves: #1379616

- Resolves: #1380490

- Resolves: #1378600

- Resolves: #1285012

- Resolves: #1333813

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-13

- Third try is the charm

- Resolves: #1092515

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-12

- Restore _FORTIFY_SOURCE behavior

- Resolves: #1092515

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-11

- Actually harden build with PIE and RELRO

- Resolves: #1092515

* Fri Jun 10 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-10

- Fix behavior with multiple keys in a keytab

- Resolves: #1285012

* Tue Jun 07 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-9

- Re-open socket in mechglue if client forks/changes privilege

- Resolves: #1340259

* Wed Mar 30 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-8

- Make GSS-Proxy work with krb5-1.14

- resolves: #1292487

* Tue Sep 29 2015 Simo Sorce <simo@redhat.com> 0.4.1-7

- Fix loop cause by imporper EINTR handling

- resolves: #1266564

* Mon Aug 24 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-6

- Remove extra whitespaces from #1208640/#1194299 patches

- spec file cleanup

related: #1208640 #1194299

* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-5

- Carry service/HTTP default conf section

- resolves: #1208640

* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-4

- Set default rcache location patch

- resolves: #1194299

* Mon Jul 13 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-3

- Bug #1213852 ("[gssproxy] NFS clients cannot mount with

  sec=krb5 if the NFS server is running gssproxy") was

  fixed by the rebase to 0.4.1 in bug ("[RFE] Rebase

  gssproxy to the latest to match expectations of other

  projects").

  Note that the same bug was also fixed in the kernel with

  "9507271 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT

  decoding failures" (see

  https://bugzilla.redhat.com/show_bug.cgi?id=1213852#c2

  and RH Bug #1120860 ("[NFS] NFS clients cannot mount with

  sec=krb5 if the NFS server is running gssproxy")) to

  handle various corner cases not covered by gssproxy,

  for example individual krb5 ticket fields exceeding

  the kernel's buffer size.

* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-2

- The following bugs have been fixed by the rebase to 0.4.1

  in bug ("[RFE] Rebase gssproxy to the latest to match

  expectations of other projects"):

  - Bug #1196371 ("rpc.gssd segfaults in gssproxy (proxymech.so)")

    Upstream tickets { #137, #144 }

  - Bug #1053730 ("KrbLocalUserMapping does not work with

    Apache & GSS-Proxy")

    Upstream ticket #101

  - Bug #1168962 ("gssproxy is not working with httpd on ppc64 and s390x")

    Upstream ticket #146

* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-1

- Add patch to remove -fno-strict-aliasing (gssproxy ticket #140,

  a dependicy for the fix for bug #1092515 (see below))

- Add patch to fix bug #1092515 ("gssproxy - PIE and RELRO check")

* Fri Jun 5 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-0

- Rebase gssproxy to 0.4.1 per bug #1132389 ("[RFE] Rebase

  gssproxy to the latest to match expectations of other

  projects").

* Fri Jan 23 2015 Simo Sorce <ssorce@redhat.com> 0.3.0-10

- Fix crash bug affecting updated rpc.gssd

- resolves: #1184531

* Wed Mar 12 2014 Guenther Deschner <gdeschner@redhat.com> 0.3.0-9

- Fix potential mutex deadlock

- resolves: #1075268

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.3.0-8

- Mass rebuild 2014-01-24

* Thu Jan 16 2014 Guenther Deschner <gdeschner@redhat.com> 0.3.0-7

- Fix nfsd startup

- resolves: https://fedorahosted.org/gss-proxy/ticket/114

- resolves: #1053710

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.3.0-6

- Mass rebuild 2013-12-27

* Tue Dec 17 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-5

- Fix flags handling.

- resolves: https://fedorahosted.org/gss-proxy/ticket/112

- related: #1031710

* Wed Nov 27 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-4

- Use secure_getenv

- resolves: https://fedorahosted.org/gss-proxy/ticket/110

- resolves: #1032684

- Use strerror_r instead of strerror

- resolves: https://fedorahosted.org/gss-proxy/ticket/111

- resolves: #1033350

* Tue Nov 19 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-3

- Fix flags handling in gss_init_sec_context()

- resolves: https://fedorahosted.org/gss-proxy/ticket/106

- resolves: #1031713

- Fix OID handling in gss_inquire_cred_by_mech()

- resolves: https://fedorahosted.org/gss-proxy/ticket/107

- resolves: #1031712

- Fix continuation processing for not yet fully established contexts.

- resolves: https://fedorahosted.org/gss-proxy/ticket/108

- resolves: #1031711

- Add flags filtering and flags enforcing.

- resolves: https://fedorahosted.org/gss-proxy/ticket/109

- resolves: #1031710

* Wed Oct 23 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-0

- New upstream release 0.3.0:

  * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)

  * Add support for new rpc.gssd mode of operation that forks and changes uid

  * Add 2 new options allow_any_uid and cred_usage

* Fri Oct 18 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-8

- Fix default proxymech documentation and fix LOCAL_FIRST implementation

- resolves: https://fedorahosted.org/gss-proxy/ticket/105

* Wed Jul 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-6

- Add better default gssproxy.conf file for nfs client and server usage

* Thu Jun 06 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-5

- New upstream release

* Fri May 31 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-5

- Require libverto-tevent to make sure libverto initialization succeeds

* Wed May 29 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-4

- Modify systemd unit files for nfs-secure services

* Wed May 22 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-3

- Fix cred_store handling w/o client keytab

* Thu May 16 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-2

- New upstream release

* Tue May 07 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.1-2

- New upstream release

* Wed Apr 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.0-1

- New upstream release

* Mon Apr 01 2013 Simo Sorce <simo@redhat.com> - 0.1.0-0

- New upstream release

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.3-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Nov 06 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.3-7

- Update to 0.0.3

* Wed Aug 22 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-6

- Use new systemd-rpm macros

- resolves: #850139

* Wed Jul 18 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-5

- More spec file fixes

* Mon Jul 16 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-4

- Fix systemd service file

* Fri Jul 13 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-3

- Fix various packaging issues

* Mon Jul 02 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-2

- Add systemd packaging

* Wed Mar 28 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-1

- Various fixes

* Mon Dec 12 2011 Simo Sorce <simo@redhat.com> - 0.0.2-0

- Automated build of the gssproxy daemon