diff --git a/.gitignore b/.gitignore
index 7ea46e0..41fdedf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/gssproxy-0.3.0.tar.gz
+SOURCES/gssproxy-0.4.1.tar.gz
diff --git a/.gssproxy.metadata b/.gssproxy.metadata
index cff9997..10c33c6 100644
--- a/.gssproxy.metadata
+++ b/.gssproxy.metadata
@@ -1 +1 @@
-9fd0e8d989319aed4cff9fe9563e10a6ae072114 SOURCES/gssproxy-0.3.0.tar.gz
+665bb3925994a7411488931bdcedcdbfd1268977 SOURCES/gssproxy-0.4.1.tar.gz
diff --git a/SOURCES/0001-Correct-handling-of-EINTR-on-read-write.patch b/SOURCES/0001-Correct-handling-of-EINTR-on-read-write.patch
new file mode 100644
index 0000000..a7a35d6
--- /dev/null
+++ b/SOURCES/0001-Correct-handling-of-EINTR-on-read-write.patch
@@ -0,0 +1,41 @@
+From df58bccfa5bfb42d7162f537c506a658729d4175 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 28 Sep 2015 19:59:59 -0400
+Subject: [PATCH] Correct handling of EINTR on read()/write()
+
+The common send/recv functions where zeroing the ret variable only
+once causing a loop if EINTR as actually ever set.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ proxy/src/client/gpm_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
+index f0d5e1104aa5f7198a382e2533c1347045bb9d95..6d626e8bc41e2f0e3294d2ebaf563155d18a528f 100644
+--- a/proxy/src/client/gpm_common.c
++++ b/proxy/src/client/gpm_common.c
+@@ -160,8 +160,8 @@ static int gpm_send_buffer(struct gpm_ctx *gpmctx,
+
+ retry = false;
+ do {
+- ret = 0;
+ do {
++ ret = 0;
+ wn = send(gpmctx->fd, &size, sizeof(uint32_t), MSG_NOSIGNAL);
+ if (wn == -1) {
+ ret = errno;
+@@ -216,8 +216,8 @@ static int gpm_recv_buffer(struct gpm_ctx *gpmctx,
+ size_t pos;
+ int ret;
+
+- ret = 0;
+ do {
++ ret = 0;
+ rn = read(gpmctx->fd, &size, sizeof(uint32_t));
+ if (rn == -1) {
+ ret = errno;
+--
+2.4.3
+
diff --git a/SOURCES/gssproxy-0.3.0-continuations.patch b/SOURCES/gssproxy-0.3.0-continuations.patch
deleted file mode 100644
index 967d329..0000000
--- a/SOURCES/gssproxy-0.3.0-continuations.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-From 556ea844a5783f9876ee748e1c686bb268f54e8a Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 15 Nov 2013 10:33:52 -0500
-Subject: [PATCH] Fix continuations in context establishment calls
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Properly support continuations, including returning the rigth error code
-and exporting partial contexts.
-
-Fixes multistep authentications in particular for the initialization case
-which always uses continuations.
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/108
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/client/gpm_init_sec_context.c | 21 ++++++++++-----------
- proxy/src/gp_export.c | 33 +++++++++++++++++++++++++++++----
- proxy/src/gp_export.h | 3 ++-
- proxy/src/gp_rpc_accept_sec_context.c | 20 +++++++++++++++++---
- proxy/src/gp_rpc_get_mic.c | 2 +-
- proxy/src/gp_rpc_init_sec_context.c | 16 +++++++++++++++-
- proxy/src/gp_rpc_unwrap.c | 2 +-
- proxy/src/gp_rpc_verify_mic.c | 2 +-
- proxy/src/gp_rpc_wrap.c | 2 +-
- 9 files changed, 77 insertions(+), 24 deletions(-)
-
-diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
-index b6ce34f..f6dfe53 100644
---- a/proxy/src/client/gpm_init_sec_context.c
-+++ b/proxy/src/client/gpm_init_sec_context.c
-@@ -104,13 +104,6 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- }
- }
-
-- if (res->status.major_status) {
-- gpm_save_status(&res->status);
-- ret_maj = res->status.major_status;
-- ret_min = res->status.minor_status;
-- goto done;
-- }
--
- if (res->context_handle) {
- ctx = res->context_handle;
- /* we are stealing the delegated creds on success, so we do not want
-@@ -118,12 +111,18 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- res->context_handle = NULL;
- }
-
-- ret = gp_conv_gssx_to_buffer_alloc(res->output_token, &outbuf);
-- if (ret) {
-- gpm_save_internal_status(ret, strerror(ret));
-- goto done;
-+ if (res->output_token) {
-+ ret = gp_conv_gssx_to_buffer_alloc(res->output_token, &outbuf);
-+ if (ret) {
-+ gpm_save_internal_status(ret, strerror(ret));
-+ goto done;
-+ }
- }
-
-+ ret_maj = res->status.major_status;
-+ ret_min = res->status.minor_status;
-+ gpm_save_status(&res->status);
-+
- done:
- if (ret != 0) {
- ret_min = ret;
-diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
-index 51dd686..3cd5148 100644
---- a/proxy/src/gp_export.c
-+++ b/proxy/src/gp_export.c
-@@ -390,6 +390,7 @@ done:
- #define LINUX_LUCID_V1 "linux_lucid_v1"
-
- enum exp_ctx_types {
-+ EXP_CTX_PARTIAL = -1, /* cannot be specified by client */
- EXP_CTX_DEFAULT = 0,
- EXP_CTX_LINUX_LUCID_V1 = 1,
- };
-@@ -418,6 +419,11 @@ int gp_get_exported_context_type(struct gssx_call_ctx *ctx)
- return EXP_CTX_DEFAULT;
- }
-
-+int gp_get_continue_needed_type(void)
-+{
-+ return EXP_CTX_PARTIAL;
-+}
-+
- #define KRB5_CTX_FLAG_INITIATOR 0x00000001
- #define KRB5_CTX_FLAG_CFX 0x00000002
- #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
-@@ -513,7 +519,7 @@ done:
- }
-
-
--uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,
-+uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
- gss_ctx_id_t *in, gssx_ctx *out)
- {
- uint32_t ret_maj;
-@@ -529,9 +535,6 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,
- int is_open;
- int ret;
-
--/* TODO: For mechs that need multiple roundtrips to complete */
-- /* out->state; */
--
- /* we do not need the client to release anything until we handle state */
- out->needs_release = false;
-
-@@ -539,6 +542,11 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,
- &lifetime_rec, &mech_type, &ctx_flags,
- &is_locally_initiated, &is_open);
- if (ret_maj) {
-+ if (type == EXP_CTX_PARTIAL) {
-+ /* This may happen on partially established context,
-+ * so just go on and put in what we can */
-+ goto export;
-+ }
- goto done;
- }
-
-@@ -571,9 +579,26 @@ uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,
- out->open = true;
- }
-
-+export:
- /* note: once converted the original context token is not usable anymore,
- * so this must be the last call to use it */
- switch (type) {
-+ case EXP_CTX_PARTIAL:
-+ /* this happens only when a init_sec_context call returns a partially
-+ * initialized context so we return only what we have, not much */
-+ ret = gp_conv_oid_to_gssx(mech, &out->mech);
-+ if (ret) {
-+ ret_maj = GSS_S_FAILURE;
-+ ret_min = ret;
-+ goto done;
-+ }
-+
-+ out->locally_initiated = true;
-+ out->open = false;
-+
-+ /* out->state; */
-+
-+ /* fall through */
- case EXP_CTX_DEFAULT:
- ret_maj = gss_export_sec_context(&ret_min, in, &export_buffer);
- if (ret_maj) {
-diff --git a/proxy/src/gp_export.h b/proxy/src/gp_export.h
-index 58c0040..03e5d18 100644
---- a/proxy/src/gp_export.h
-+++ b/proxy/src/gp_export.h
-@@ -37,7 +37,8 @@ uint32_t gp_import_gssx_cred(uint32_t *min, struct gp_call_ctx *gpcall,
- gssx_cred *cred, gss_cred_id_t *out);
-
- int gp_get_exported_context_type(struct gssx_call_ctx *ctx);
--uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type,
-+int gp_get_continue_needed_type(void);
-+uint32_t gp_export_ctx_id_to_gssx(uint32_t *min, int type, gss_OID mech,
- gss_ctx_id_t *in, gssx_ctx *out);
- uint32_t gp_import_gssx_to_ctx_id(uint32_t *min, int type,
- gssx_ctx *in, gss_ctx_id_t *out);
-diff --git a/proxy/src/gp_rpc_accept_sec_context.c b/proxy/src/gp_rpc_accept_sec_context.c
-index 40370aa..efbf07a 100644
---- a/proxy/src/gp_rpc_accept_sec_context.c
-+++ b/proxy/src/gp_rpc_accept_sec_context.c
-@@ -46,6 +46,8 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
- gss_cred_id_t *pdch = NULL;
- int exp_ctx_type;
- int exp_creds_type;
-+ uint32_t acpt_maj;
-+ uint32_t acpt_min;
- int ret;
-
- asca = &arg->accept_sec_context;
-@@ -109,17 +111,25 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
- &ret_flags,
- NULL,
- pdch);
-- if (ret_maj) {
-+ if (ret_maj != GSS_S_COMPLETE &&
-+ ret_maj != GSS_S_CONTINUE_NEEDED) {
- goto done;
-+ } else {
-+ acpt_maj = ret_maj;
-+ acpt_min = ret_min;
-+ }
-+ if (acpt_maj == GSS_S_CONTINUE_NEEDED) {
-+ exp_ctx_type = gp_get_continue_needed_type();
- }
-
-+
- ascr->context_handle = calloc(1, sizeof(gssx_ctx));
- if (!ascr->context_handle) {
- ret_maj = GSS_S_FAILURE;
- ret_min = ENOMEM;
- goto done;
- }
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, oid,
- &ctx, ascr->context_handle);
- if (ret_maj) {
- goto done;
-@@ -138,7 +148,7 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
- goto done;
- }
-
-- if ((ret_flags & GSS_C_DELEG_FLAG) && asca->ret_deleg_cred) {
-+ if ((ret_flags & GSS_C_DELEG_FLAG) && asca->ret_deleg_cred && dch) {
- ascr->delegated_cred_handle = calloc(1, sizeof(gssx_cred));
- if (!ascr->delegated_cred_handle) {
- ret_maj = GSS_S_FAILURE;
-@@ -159,6 +169,10 @@ int gp_accept_sec_context(struct gp_call_ctx *gpcall,
- &ascr->options.options_val);
-
- done:
-+ if (ret_maj == GSS_S_COMPLETE) {
-+ ret_maj = acpt_maj;
-+ ret_min = acpt_min;
-+ }
- ret = gp_conv_status_to_gssx(&asca->call_ctx,
- ret_maj, ret_min, oid,
- &ascr->status);
-diff --git a/proxy/src/gp_rpc_get_mic.c b/proxy/src/gp_rpc_get_mic.c
-index ca60fe4..2db7d3f 100644
---- a/proxy/src/gp_rpc_get_mic.c
-+++ b/proxy/src/gp_rpc_get_mic.c
-@@ -73,7 +73,7 @@ int gp_get_mic(struct gp_call_ctx *gpcall,
- goto done;
- }
-
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,
- &context_handle,
- gmr->context_handle);
- if (ret_maj) {
-diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
-index 944389c..2781238 100644
---- a/proxy/src/gp_rpc_init_sec_context.c
-+++ b/proxy/src/gp_rpc_init_sec_context.c
-@@ -45,6 +45,8 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- gss_buffer_desc obuf = GSS_C_EMPTY_BUFFER;
- uint32_t ret_maj;
- uint32_t ret_min;
-+ uint32_t init_maj;
-+ uint32_t init_min;
- int exp_ctx_type;
- int ret;
-
-@@ -121,6 +123,12 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- if (ret_maj != GSS_S_COMPLETE &&
- ret_maj != GSS_S_CONTINUE_NEEDED) {
- goto done;
-+ } else {
-+ init_maj = ret_maj;
-+ init_min = ret_min;
-+ }
-+ if (init_maj == GSS_S_CONTINUE_NEEDED) {
-+ exp_ctx_type = gp_get_continue_needed_type();
- }
-
- iscr->context_handle = calloc(1, sizeof(gssx_ctx));
-@@ -129,7 +137,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- ret_min = ENOMEM;
- goto done;
- }
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, mech_type,
- &ctx, iscr->context_handle);
- if (ret_maj) {
- goto done;
-@@ -150,7 +158,13 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- }
- }
-
-+ ret_maj = GSS_S_COMPLETE;
-+
- done:
-+ if (ret_maj == GSS_S_COMPLETE) {
-+ ret_maj = init_maj;
-+ ret_min = init_min;
-+ }
- ret = gp_conv_status_to_gssx(&isca->call_ctx,
- ret_maj, ret_min, mech_type,
- &iscr->status);
-diff --git a/proxy/src/gp_rpc_unwrap.c b/proxy/src/gp_rpc_unwrap.c
-index a20b8ea..faffa82 100644
---- a/proxy/src/gp_rpc_unwrap.c
-+++ b/proxy/src/gp_rpc_unwrap.c
-@@ -85,7 +85,7 @@ int gp_unwrap(struct gp_call_ctx *gpcall,
- goto done;
- }
-
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,
- &context_handle,
- uwr->context_handle);
- if (ret_maj) {
-diff --git a/proxy/src/gp_rpc_verify_mic.c b/proxy/src/gp_rpc_verify_mic.c
-index 68369a0..a2d3f7e 100644
---- a/proxy/src/gp_rpc_verify_mic.c
-+++ b/proxy/src/gp_rpc_verify_mic.c
-@@ -76,7 +76,7 @@ int gp_verify_mic(struct gp_call_ctx *gpcall,
- goto done;
- }
-
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,
- &context_handle,
- vmr->context_handle);
- if (ret_maj) {
-diff --git a/proxy/src/gp_rpc_wrap.c b/proxy/src/gp_rpc_wrap.c
-index d17c292..c2da7ba 100644
---- a/proxy/src/gp_rpc_wrap.c
-+++ b/proxy/src/gp_rpc_wrap.c
-@@ -85,7 +85,7 @@ int gp_wrap(struct gp_call_ctx *gpcall,
- goto done;
- }
-
-- ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type,
-+ ret_maj = gp_export_ctx_id_to_gssx(&ret_min, exp_ctx_type, GSS_C_NO_OID,
- &context_handle, wr->context_handle);
- if (ret_maj) {
- goto done;
---
-1.8.3.1
-
diff --git a/SOURCES/gssproxy-0.3.0-flags_handling.patch b/SOURCES/gssproxy-0.3.0-flags_handling.patch
deleted file mode 100644
index 0beeb79..0000000
--- a/SOURCES/gssproxy-0.3.0-flags_handling.patch
+++ /dev/null
@@ -1,451 +0,0 @@
-From 591fad86aba3520a76eaf75aa0fd5e585fac94a5 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 13 Nov 2013 19:54:27 -0500
-Subject: [PATCH 1/5] Autoinitialize creds on init_sec_context
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the remote client tries to initialize the context without first
-acquiring credentials, try to acquire appropriate credentials if
-the service allows it.
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_rpc_init_sec_context.c | 25 +++++++++++++++++++------
- 1 file changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
-index 2781238..76ffaab 100644
---- a/proxy/src/gp_rpc_init_sec_context.c
-+++ b/proxy/src/gp_rpc_init_sec_context.c
-@@ -24,6 +24,7 @@
- */
-
- #include "gp_rpc_process.h"
-+#include <gssapi/gssapi_krb5.h>
-
- int gp_init_sec_context(struct gp_call_ctx *gpcall,
- union gp_rpc_arg *arg,
-@@ -74,13 +75,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- if (ret_maj) {
- goto done;
- }
-- } else {
-- /* FIXME: get ccache from gpsvc ? */
-- ret_maj = GSS_S_CRED_UNAVAIL;
-- ret_min = 0;
-- goto done;
- }
--
- ret_maj = gp_conv_gssx_to_name(&ret_min, isca->target_name, &target_name);
- if (ret_maj) {
- goto done;
-@@ -107,6 +102,23 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- gp_conv_gssx_to_buffer(isca->input_token, &ibuf);
- }
-
-+ if (!isca->cred_handle) {
-+ if (gss_oid_equal(mech_type, gss_mech_krb5)) {
-+ ret_maj = gp_add_krb5_creds(&ret_min, gpcall,
-+ NULL, NULL,
-+ GSS_C_INITIATE,
-+ time_req, 0, &ich,
-+ NULL, NULL, NULL);
-+ } else {
-+ ret_maj = GSS_S_NO_CRED;
-+ ret_min = 0;
-+ }
-+
-+ if (ret_maj) {
-+ goto done;
-+ }
-+ }
-+
- ret_maj = gss_init_sec_context(&ret_min,
- ich,
- &ctx,
-@@ -170,5 +182,6 @@ done:
- &iscr->status);
- gss_release_name(&ret_min, &target_name);
- gss_release_oid(&ret_min, &mech_type);
-+ gss_release_cred(&ret_min, &ich);
- return ret;
- }
---
-1.8.3.1
-
-
-From 32b1d5aa0497c4e3677b4575cc7e299590df5618 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 13 Nov 2013 20:03:53 -0500
-Subject: [PATCH 2/5] Try impersonation even when a name is not provided
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In some cases a name may not be provided, still try to perform
-impersonation if the service is configured that way.
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_creds.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
-index e02a667..5337390 100644
---- a/proxy/src/gp_creds.c
-+++ b/proxy/src/gp_creds.c
-@@ -289,6 +289,11 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
- }
- *requested_name = name;
- }
-+ } else {
-+ /* No name provided */
-+ if (svc->euid != target_uid) {
-+ user_requested = true;
-+ }
- }
-
- /* impersonation case (only for initiation) */
---
-1.8.3.1
-
-
-From 6a096c0a0a37d2fa9e0b03edce05929a7d98f390 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Sat, 16 Nov 2013 17:01:24 -0500
-Subject: [PATCH 3/5] config: Add code to source flag filters
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-2 New configuration options are made available:
-- filter_flags
-- enforce_flags
-
-Any GSS Flags listed in the filter_flags option is forcibly filtered
-out before a gss_init_sec_context() call is invoked.
-Any GSS Flags listed in the enforce_flags option is forcibly added
-to the list of flags requested by a gss_init_sec_context() call is
-invoked.
-
-Flags can be either literals or numeric and must be preceded by the
-sign + (to add to the list) or - (to remove from the list).
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/109
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_config.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++
- proxy/src/gp_proxy.h | 2 ++
- 2 files changed, 90 insertions(+)
-
-diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
-index 8da291b..e21e70d 100644
---- a/proxy/src/gp_config.c
-+++ b/proxy/src/gp_config.c
-@@ -32,6 +32,27 @@
- #include "gp_config.h"
- #include "gp_selinux.h"
-
-+#include <gssapi/gssapi.h>
-+
-+struct gp_flag_def {
-+ const char *name;
-+ uint32_t value;
-+};
-+
-+struct gp_flag_def flag_names[] = {
-+ { "DELEGATE", GSS_C_DELEG_FLAG },
-+ { "MUTUAL_AUTH", GSS_C_MUTUAL_FLAG },
-+ { "REPLAY_DETECT", GSS_C_REPLAY_FLAG },
-+ { "SEQUENCE", GSS_C_SEQUENCE_FLAG },
-+ { "CONFIDENTIALITY", GSS_C_CONF_FLAG },
-+ { "INTEGRITIY", GSS_C_INTEG_FLAG },
-+ { "ANONYMOUS", GSS_C_ANON_FLAG },
-+ { NULL, 0 }
-+};
-+
-+#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
-+#define DEFAULT_ENFORCED_FLAGS 0
-+
- static void free_str_array(const char ***a, int *count)
- {
- const char **array;
-@@ -117,6 +138,60 @@ static int get_krb5_mech_cfg(struct gp_service *svc,
- return ret;
- }
-
-+static int parse_flags(const char *value, uint32_t *storage)
-+{
-+ char *handle;
-+ char *token;
-+ char *str;
-+ bool add;
-+ unsigned long int conv;
-+ uint32_t flagval;
-+ int i;
-+
-+ str = strdup(value);
-+ if (!str) {
-+ return ENOMEM;
-+ }
-+
-+ token = strtok_r(str, ", ", &handle);
-+ for (token = strtok_r(str, ", ", &handle);
-+ token != NULL;
-+ token = strtok_r(NULL, ", ", &handle)) {
-+ switch (token[0]) {
-+ case '+':
-+ add = true;
-+ break;
-+ case '-':
-+ add = false;
-+ break;
-+ default:
-+ GPERROR("Ignoring flag [%s], missing +/- qualifier.\n", token);
-+ continue;
-+ }
-+ token++;
-+ for (i = 0; flag_names[i].name != NULL; i++) {
-+ if (strcasecmp(token, flag_names[i].name) == 0) {
-+ flagval = flag_names[i].value;
-+ break;
-+ }
-+ }
-+ if (flag_names[i].name == NULL) {
-+ conv = strtoul(token, &handle, 0);
-+ if (conv == 0 || conv == ULONG_MAX || *handle != '\0') {
-+ GPERROR("Ignoring flag [%s], unrecognized value.\n", token);
-+ continue;
-+ }
-+ flagval = conv;
-+ }
-+ GPDEBUG("%s Flag %s (%u).\n", add?"Add":"Remove", token, flagval);
-+ if (add) *storage |= flagval;
-+ else *storage &= ~flagval;
-+ }
-+ safefree(str);
-+
-+ return 0;
-+}
-+
- static int setup_service_creds_handle(struct gp_service *svc)
- {
- uint32_t ret_maj, ret_min;
-@@ -297,6 +372,19 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
- goto done;
- }
- }
-+
-+ cfg->svcs[n]->filter_flags = DEFAULT_FILTERED_FLAGS;
-+ ret = gp_config_get_string(ctx, secname, "filter_flags", &value);
-+ if (ret == 0) {
-+ parse_flags(value, &cfg->svcs[n]->filter_flags);
-+ }
-+
-+ cfg->svcs[n]->enforce_flags = DEFAULT_ENFORCED_FLAGS;
-+ ret = gp_config_get_string(ctx, secname, "enforce_flags", &value);
-+ if (ret == 0) {
-+ ret = parse_flags(value, &cfg->svcs[n]->enforce_flags);
-+ if (ret) goto done;
-+ }
- }
- safefree(secname);
- }
-diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
-index 8390f5d..b6c64ae 100644
---- a/proxy/src/gp_proxy.h
-+++ b/proxy/src/gp_proxy.h
-@@ -57,6 +57,8 @@ struct gp_service {
- char *socket;
- SELINUX_CTX selinux_ctx;
- gss_cred_usage_t cred_usage;
-+ uint32_t filter_flags;
-+ uint32_t enforce_flags;
-
- uint32_t mechs;
- struct gp_cred_krb5 krb5;
---
-1.8.3.1
-
-
-From 3df6ac81f4a6d8cf6ff514e7d7f2cbe58840c393 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Sat, 16 Nov 2013 17:09:45 -0500
-Subject: [PATCH 4/5] server: Implement flag filtering enforcement
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/109
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_creds.c | 6 ++++++
- proxy/src/gp_rpc_creds.h | 3 +++
- proxy/src/gp_rpc_init_sec_context.c | 2 ++
- 3 files changed, 11 insertions(+)
-
-diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
-index 5337390..60c4e12 100644
---- a/proxy/src/gp_creds.c
-+++ b/proxy/src/gp_creds.c
-@@ -548,3 +548,9 @@ done:
-
- return ret_maj;
- }
-+
-+void gp_filter_flags(struct gp_call_ctx *gpcall, uint32_t *flags)
-+{
-+ *flags |= gpcall->service->enforce_flags;
-+ *flags &= ~gpcall->service->filter_flags;
-+}
-diff --git a/proxy/src/gp_rpc_creds.h b/proxy/src/gp_rpc_creds.h
-index 6389ebe..4c8febb 100644
---- a/proxy/src/gp_rpc_creds.h
-+++ b/proxy/src/gp_rpc_creds.h
-@@ -46,4 +46,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
- gss_OID_set *actual_mechs,
- uint32_t *initiator_time_rec,
- uint32_t *acceptor_time_rec);
-+
-+void gp_filter_flags(struct gp_call_ctx *gpcall, uint32_t *flags);
-+
- #endif /* _GP_RPC_CREDS_H_ */
-diff --git a/proxy/src/gp_rpc_init_sec_context.c b/proxy/src/gp_rpc_init_sec_context.c
-index 76ffaab..5e5d6f1 100644
---- a/proxy/src/gp_rpc_init_sec_context.c
-+++ b/proxy/src/gp_rpc_init_sec_context.c
-@@ -119,6 +119,8 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
- }
- }
-
-+ gp_filter_flags(gpcall, &req_flags);
-+
- ret_maj = gss_init_sec_context(&ret_min,
- ich,
- &ctx,
---
-1.8.3.1
-
-
-From c8386418a754211da5ddf5469a0f1c0fddf21240 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Sat, 16 Nov 2013 17:27:52 -0500
-Subject: [PATCH 5/5] man: Describe new flag filtering/enforcing options
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/109
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/man/gssproxy.conf.5.xml | 58 +++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 58 insertions(+)
-
-diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
-index b0012b5..b4d5add 100644
---- a/proxy/man/gssproxy.conf.5.xml
-+++ b/proxy/man/gssproxy.conf.5.xml
-@@ -162,6 +162,64 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>enforce_flags (string)</term>
-+ <listitem>
-+ <para>
-+ A list of GSS Request Flags that are added
-+ unconditionally to every context initialization
-+ call.
-+ Flags can only be added to the list or removed
-+ from the list by prepending a +/- sign to the
-+ flag name or value.
-+ </para>
-+ <para>
-+ Recognized flag names: DELEGATE, MUTUAL_AUTH,
-+ REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY,
-+ INTEGRITY, ANONYMOUS
-+ </para>
-+ <para>Examples:
-+<programlisting>
-+ <userinput moreinfo="none">enforce_flags = +REPLAY_DETECT</userinput>
-+ <userinput moreinfo="none">enforce_flags = -0x0001</userinput>
-+</programlisting>
-+ </para>
-+ <para>Default: enforce_flags =</para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>filter_flags (string)</term>
-+ <listitem>
-+ <para>
-+ A list of GSS Request Flags that are filtered
-+ unconditionally from every context initialization
-+ call.
-+ Flags can only be added to the list or removed
-+ from the list by prepending a +/- sign to the
-+ flag name or value.
-+ </para>
-+ <para>
-+ NOTE: Because often gssproxy is used to withold
-+ access to credentials the Delegate Flag is filtered
-+ by default. To allow a service to delegate
-+ credentials use the first example below.
-+ </para>
-+ <para>
-+ Recognized flag names: DELEGATE, MUTUAL_AUTH,
-+ REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY,
-+ INTEGRITY, ANONYMOUS
-+ </para>
-+ <para>Examples:
-+<programlisting>
-+ <userinput moreinfo="none">filter_flags = -DELEGATE</userinput>
-+ <userinput moreinfo="none">filter_flags = -0x0001 +ANONYMOUS</userinput>
-+</programlisting>
-+ </para>
-+ <para>Default: filter_flags = +DELEGATE</para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>impersonate (boolean)</term>
- <listitem>
- <para>Use impersonation (s4u2self + s4u2proxy) to obtain credentials</para>
---
-1.8.3.1
-
-From 8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 6 Dec 2013 17:51:14 -0500
-Subject: [PATCH] Fix config token parsing.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/112
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_config.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
-index 2fc4a6f..ee96975 100644
---- a/proxy/src/gp_config.c
-+++ b/proxy/src/gp_config.c
-@@ -153,7 +153,6 @@ static int parse_flags(const char *value, uint32_t *storage)
- return ENOMEM;
- }
-
-- token = strtok_r(str, ", ", &handle);
- for (token = strtok_r(str, ", ", &handle);
- token != NULL;
- token = strtok_r(NULL, ", ", &handle)) {
---
-1.8.3.1
-
diff --git a/SOURCES/gssproxy-0.3.0-gss_init_sec_context.patch b/SOURCES/gssproxy-0.3.0-gss_init_sec_context.patch
deleted file mode 100644
index 117a071..0000000
--- a/SOURCES/gssproxy-0.3.0-gss_init_sec_context.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From cc538c36ca32850e0b3280b7d8524d23345eed9e Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 13 Nov 2013 17:57:06 -0500
-Subject: [PATCH 1/3] Preserve requested flags and lifetime
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-These arguments have been accidentally forgotten causing failures for
-applications that specify non default flags and non indefinite lifetime.
-
-https://fedorahosted.org/gss-proxy/ticket/106
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/client/gpm_init_sec_context.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
-index 12df858..b6ce34f 100644
---- a/proxy/src/client/gpm_init_sec_context.c
-+++ b/proxy/src/client/gpm_init_sec_context.c
-@@ -70,6 +70,9 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- goto done;
- }
-
-+ arg->req_flags = req_flags;
-+ arg->time_req = time_req;
-+
- if (input_cb) {
- ret = gp_conv_cb_to_gssx_alloc(input_cb, &arg->input_cb);
- if (ret) {
---
-1.8.3.1
-
-
diff --git a/SOURCES/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch b/SOURCES/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
deleted file mode 100644
index 0543417..0000000
--- a/SOURCES/gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-From 122b35f7adf37bc81f6d53bb5f9e058b68334cbb Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 13 Nov 2013 18:12:44 -0500
-Subject: [PATCH 2/3] Add way to return regular oid from special
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In some cases we need to pass on the corresponding real oid, after we
-are given a special oid.
-Add helper functions to do that.
-
-https://fedorahosted.org/gss-proxy/ticket/107
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/mechglue/gss_plugin.c | 55 +++++++++++++++++++++++++++++++----------
- proxy/src/mechglue/gss_plugin.h | 1 +
- 2 files changed, 43 insertions(+), 13 deletions(-)
-
-diff --git a/proxy/src/mechglue/gss_plugin.c b/proxy/src/mechglue/gss_plugin.c
-index 0e62990..5b40df9 100644
---- a/proxy/src/mechglue/gss_plugin.c
-+++ b/proxy/src/mechglue/gss_plugin.c
-@@ -176,7 +176,8 @@ static bool gpp_special_equal(const gss_OID s, const gss_OID n)
- }
-
- struct gpp_special_oid_list {
-- gss_OID_desc oid;
-+ gss_OID_desc regular_oid;
-+ gss_OID_desc special_oid;
- struct gpp_special_oid_list *next;
- sig_atomic_t next_is_set;
- };
-@@ -250,19 +251,25 @@ static const gss_OID gpp_new_special_mech(const gss_OID n)
- if (!item) {
- return GSS_C_NO_OID;
- }
-- item->oid.length = base->length + n->length;
-- item->oid.elements = malloc(item->oid.length);
-- if (!item->oid.elements) {
-+ item->regular_oid.length = n->length;
-+ item->regular_oid.elements = malloc(n->length);
-+ item->special_oid.length = base->length + n->length;
-+ item->special_oid.elements = malloc(item->special_oid.length);
-+ if (!item->regular_oid.elements ||
-+ !item->special_oid.elements) {
-+ free(item->regular_oid.elements);
-+ free(item->special_oid.elements);
- free(item);
- return GSS_C_NO_OID;
- }
-
-- memcpy(item->oid.elements, base->elements, base->length);
-- memcpy(item->oid.elements + base->length, n->elements, n->length);
-+ memcpy(item->regular_oid.elements, n->elements, n->length);
-+ memcpy(item->special_oid.elements, base->elements, base->length);
-+ memcpy(item->special_oid.elements + base->length, n->elements, n->length);
-
- gpp_add_special_oids(item);
-
-- return (const gss_OID)&item->oid;
-+ return (const gss_OID)&item->special_oid;
- }
-
- const gss_OID gpp_special_mech(const gss_OID mech_type)
-@@ -278,14 +285,14 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
- if (mech_type == GSS_C_NO_OID) {
- /* return the first special one if none specified */
- if (item) {
-- return (const gss_OID)&item->oid;
-+ return (const gss_OID)&item->special_oid;
- }
- return GSS_C_NO_OID;
- }
-
- while (item) {
-- if (gpp_special_equal(&item->oid, mech_type)) {
-- return (const gss_OID)&item->oid;
-+ if (gpp_special_equal(&item->special_oid, mech_type)) {
-+ return (const gss_OID)&item->special_oid;
- }
- item = gpp_next_special_oids(item);
- }
-@@ -294,6 +301,26 @@ const gss_OID gpp_special_mech(const gss_OID mech_type)
- return gpp_new_special_mech(mech_type);
- }
-
-+const gss_OID gpp_unspecial_mech(const gss_OID mech_type)
-+{
-+ struct gpp_special_oid_list *item = NULL;
-+
-+ if (!gpp_is_special_oid(mech_type)) {
-+ return mech_type;
-+ }
-+
-+ item = gpp_get_special_oids();
-+ while (item) {
-+ if (gss_oid_equal(&item->special_oid, mech_type)) {
-+ return (const gss_OID)&item->regular_oid;
-+ }
-+ item = gpp_next_special_oids(item);
-+ }
-+
-+ /* none matched */
-+ return mech_type;
-+}
-+
- gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
- {
- gss_OID_set amechs = GSS_C_NO_OID_SET;
-@@ -318,8 +345,9 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
- }
- break;
- }
-- if (gpp_special_equal(&item->oid, &mechs->elements[i])) {
-- maj = gss_add_oid_set_member(&min, &item->oid, &amechs);
-+ if (gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
-+ maj = gss_add_oid_set_member(&min, &item->special_oid,
-+ &amechs);
- if (maj != GSS_S_COMPLETE) {
- goto done;
- }
-@@ -362,7 +390,8 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
- item = gpp_get_special_oids();
-
- while (item) {
-- if (&item->oid == *oid) {
-+ if ((&item->regular_oid == *oid) ||
-+ (&item->special_oid == *oid)) {
- *oid = GSS_C_NO_OID;
- return GSS_S_COMPLETE;
- }
-diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
-index 26e04c5..739ec26 100644
---- a/proxy/src/mechglue/gss_plugin.h
-+++ b/proxy/src/mechglue/gss_plugin.h
-@@ -78,6 +78,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type);
- enum gpp_behavior gpp_get_behavior(void);
- bool gpp_is_special_oid(const gss_OID mech_type);
- const gss_OID gpp_special_mech(const gss_OID mech_type);
-+const gss_OID gpp_unspecial_mech(const gss_OID mech_type);
- gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs);
- uint32_t gpp_map_error(uint32_t err);
- uint32_t gpp_unmap_error(uint32_t err);
---
-1.8.3.1
-
-
-From b8901d1d20a5d0ef1a3118bfe5816e04c09e6cf5 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 13 Nov 2013 18:13:44 -0500
-Subject: [PATCH 3/3] Fix calling gpm_inquire_cred_by_mech
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We need to pass the real mechanism oid here, not the spcial oid.
-special oids are used exclusively by the interposer and gssapi
-machinery that calls the interposer, they must never be propagated
-to clients or servers.
-
-https://fedorahosted.org/gss-proxy/ticket/107
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/mechglue/gpp_creds.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index aaaf577..dff9c44 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -213,7 +213,8 @@ OM_uint32 gssi_inquire_cred_by_mech(OM_uint32 *minor_status,
- initiator_lifetime, acceptor_lifetime,
- cred_usage);
- } else if (cred->remote) {
-- maj = gpm_inquire_cred_by_mech(&min, cred->remote, mech_type,
-+ maj = gpm_inquire_cred_by_mech(&min, cred->remote,
-+ gpp_unspecial_mech(mech_type),
- gpname ? &gpname->remote : NULL,
- initiator_lifetime, acceptor_lifetime,
- cred_usage);
---
-1.8.3.1
-
diff --git a/SOURCES/gssproxy-0.3.0-inquire-context.patch b/SOURCES/gssproxy-0.3.0-inquire-context.patch
deleted file mode 100644
index b119f7e..0000000
--- a/SOURCES/gssproxy-0.3.0-inquire-context.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From c17f20b949d2e80e596ce21ecd944db80aaa80b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gdeschner@redhat.com>
-Date: Wed, 29 Jan 2014 17:59:03 +0100
-Subject: [PATCH] Fix potential segfault in gssi_inquire_context().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Günther Deschner <gdeschner@redhat.com>
-Reviewed-by: Simo Sorce <simo@redhat.com>
----
- proxy/src/mechglue/gpp_context.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_context.c b/proxy/src/mechglue/gpp_context.c
-index 6010724f8ece09413e85c8926303276b4dffe89b..bb16a93a39b5892388ba9e963fff9b0066283cf4 100644
---- a/proxy/src/mechglue/gpp_context.c
-+++ b/proxy/src/mechglue/gpp_context.c
-@@ -223,7 +223,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
- maj = gss_inquire_context(&min,
- ctx_handle->local,
- s_name ? &s_name->local : NULL,
-- s_name ? &t_name->local : NULL,
-+ t_name ? &t_name->local : NULL,
- lifetime_rec,
- &mech_oid,
- ctx_flags,
-@@ -233,7 +233,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
- maj = gpm_inquire_context(&min,
- ctx_handle->remote,
- s_name ? &s_name->remote : NULL,
-- s_name ? &t_name->remote : NULL,
-+ t_name ? &t_name->remote : NULL,
- lifetime_rec,
- &mech_oid,
- ctx_flags,
---
-2.1.0
-
-From 9da1bc9dec8d228b35ef8639832cddc5e477ddf8 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 22 Jan 2015 14:26:23 -0500
-Subject: [PATCH] Zero out the outputs of display_name
-
-The mechglue expects the mechanism function to zero them in all cases.
-Otherwise on error it will later try to free the output buffer value
-which can be an arbitrary pointer. This will cause a segfault or
-worse in glibc's free().
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-by: Roland Mainz <rmainz@redhat.com>
----
- proxy/src/mechglue/gpp_import_and_canon_name.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/proxy/src/mechglue/gpp_import_and_canon_name.c b/proxy/src/mechglue/gpp_import_and_canon_name.c
-index 727823c383c32d4ab5ec8a41b034997f18e433f7..92e6e5dca522742c181900fdd43c66318695923e 100644
---- a/proxy/src/mechglue/gpp_import_and_canon_name.c
-+++ b/proxy/src/mechglue/gpp_import_and_canon_name.c
-@@ -33,6 +33,11 @@ OM_uint32 gssi_display_name(OM_uint32 *minor_status,
- struct gpp_name_handle *name;
- OM_uint32 maj, min = 0;
-
-+ output_name_buffer->length = 0;
-+ output_name_buffer->value = NULL;
-+ if (output_name_type)
-+ *output_name_type = GSS_C_NO_OID;
-+
- GSSI_TRACE();
-
- name = (struct gpp_name_handle *)input_name;
---
-2.1.0
-
diff --git a/SOURCES/gssproxy-0.3.1-deadlock_fix.patch b/SOURCES/gssproxy-0.3.1-deadlock_fix.patch
deleted file mode 100644
index c6e7661..0000000
--- a/SOURCES/gssproxy-0.3.1-deadlock_fix.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From f39b471f34b381784a1bd1906bf8335ac2c7ef5e Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Tue, 11 Mar 2014 18:16:32 -0400
-Subject: [PATCH] Properly cleanup mutex on failure.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the call to create socket fails we leave a dangling lock and the client
-enters into a deadlock on the next call.
-
-Fixes: https://fedorahosted.org/gss-proxy/ticket/121
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/client/gpm_common.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
-index 74296da..4651194 100644
---- a/proxy/src/client/gpm_common.c
-+++ b/proxy/src/client/gpm_common.c
-@@ -153,6 +153,9 @@ static int gpm_grab_sock(struct gpm_ctx *gpmctx)
- ret = gpm_open_socket(gpmctx);
- }
-
-+ if (ret) {
-+ pthread_mutex_unlock(&gpmctx->lock);
-+ }
- return ret;
- }
-
---
-1.8.5.3
-
diff --git a/SOURCES/gssproxy-0.3.1-nfsd_startup.patch b/SOURCES/gssproxy-0.3.1-nfsd_startup.patch
deleted file mode 100644
index ebd4530..0000000
--- a/SOURCES/gssproxy-0.3.1-nfsd_startup.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-From 58a39677c961c72b052eae0b9d94b992254d6e10 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 3 Jan 2014 16:45:35 -0500
-Subject: [PATCH 1/2] Add utility functions to read()/write() safely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Automatically handle short reads due to singals interrupting the process.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_common.h | 2 ++
- proxy/src/gp_util.c | 39 +++++++++++++++++++++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/proxy/src/gp_common.h b/proxy/src/gp_common.h
-index f2b8c3e..3a1b7be 100644
---- a/proxy/src/gp_common.h
-+++ b/proxy/src/gp_common.h
-@@ -69,6 +69,8 @@ bool gp_same(const char *a, const char *b);
- bool gp_boolean_is_true(const char *s);
- char *gp_getenv(const char *name);
-
-+ssize_t gp_safe_read(int fd, void *buf, size_t count);
-+ssize_t gp_safe_write(int fd, const void *buf, size_t count);
- /* NOTE: read the note in gp_util.c before using gp_strerror() */
- char *gp_strerror(int errnum);
-
-diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
-index 4fbac4e..34f3024 100644
---- a/proxy/src/gp_util.c
-+++ b/proxy/src/gp_util.c
-@@ -29,6 +29,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <errno.h>
-+#include <unistd.h>
-
- bool gp_same(const char *a, const char *b)
- {
-@@ -125,3 +126,41 @@ char *gp_strerror(int errnum)
- errno = saved_errno;
- return buf;
- }
-+
-+ssize_t gp_safe_read(int fd, void *buf, size_t count)
-+{
-+ char *b = (char *)buf;
-+ ssize_t len = 0;
-+ ssize_t ret;
-+
-+ do {
-+ ret = read(fd, &b[len], count - len);
-+ if (ret == -1) {
-+ if (errno == EINTR) continue;
-+ return ret;
-+ }
-+ if (ret == 0) break; /* EOF */
-+ len += ret;
-+ } while (count > len);
-+
-+ return len;
-+}
-+
-+ssize_t gp_safe_write(int fd, const void *buf, size_t count)
-+{
-+ const char *b = (const char *)buf;
-+ ssize_t len = 0;
-+ ssize_t ret;
-+
-+ do {
-+ ret = write(fd, &b[len], count - len);
-+ if (ret == -1) {
-+ if (errno == EINTR) continue;
-+ return ret;
-+ }
-+ if (ret == 0) break; /* EOF */
-+ len += ret;
-+ } while (count > len);
-+
-+ return len;
-+}
---
-1.8.4.2
-
-
-From bd8ffcf67be8fdbe14bc49a65a8eafe904119d88 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 3 Jan 2014 12:10:36 -0500
-Subject: [PATCH 2/2] Block parent process until child is initialized.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This way the init system will not proceed starting dependencies until gssproxy
-is actually ready to serve requests.
-In particular this is used to make sure the nfsd proc file has been touched
-before the nfsd server is started.
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/114
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_init.c | 42 +++++++++++++++++++++++++++++++++++++++---
- proxy/src/gp_proxy.h | 3 ++-
- proxy/src/gssproxy.c | 11 +++++++++--
- 3 files changed, 50 insertions(+), 6 deletions(-)
-
-diff --git a/proxy/src/gp_init.c b/proxy/src/gp_init.c
-index 830ae16..6207a78 100644
---- a/proxy/src/gp_init.c
-+++ b/proxy/src/gp_init.c
-@@ -37,12 +37,22 @@
- #include <stdio.h>
- #include "gp_proxy.h"
-
--void init_server(bool daemonize)
-+void init_server(bool daemonize, int *wait_fd)
- {
- pid_t pid, sid;
- int ret;
-
-+ *wait_fd = -1;
-+
- if (daemonize) {
-+ int pipefd[2];
-+ char buf[1];
-+
-+ /* create parent-child pipe */
-+ ret = pipe(pipefd);
-+ if (ret == -1) {
-+ exit(EXIT_FAILURE);
-+ }
-
- pid = fork();
- if (pid == -1) {
-@@ -50,10 +60,22 @@ void init_server(bool daemonize)
- exit(EXIT_FAILURE);
- }
- if (pid != 0) {
-- /* ok kill the parent */
-- exit(EXIT_SUCCESS);
-+ /* wait for child to signal it is ready */
-+ close(pipefd[1]);
-+ ret = gp_safe_read(pipefd[0], buf, 1);
-+ if (ret == 1) {
-+ /* child signaled all ok */
-+ exit(EXIT_SUCCESS);
-+ } else {
-+ /* lost child, something went wrong */
-+ exit(EXIT_FAILURE);
-+ }
- }
-
-+ /* child */
-+ close(pipefd[0]);
-+ *wait_fd = pipefd[1];
-+
- sid = setsid();
- if (sid == -1) {
- /* setsid error ? abort */
-@@ -78,6 +100,20 @@ void init_server(bool daemonize)
- gp_logging_init();
- }
-
-+void init_done(int wait_fd)
-+{
-+ char buf = 0;
-+ int ret;
-+
-+ if (wait_fd != -1) {
-+ ret = gp_safe_write(wait_fd, &buf, 1);
-+ if (ret != 1) {
-+ exit(EXIT_FAILURE);
-+ }
-+ close(wait_fd);
-+ }
-+}
-+
- void fini_server(void)
- {
- closelog();
-diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
-index 733fec5..79bebb8 100644
---- a/proxy/src/gp_proxy.h
-+++ b/proxy/src/gp_proxy.h
-@@ -106,7 +106,8 @@ struct gp_creds_handle *gp_service_get_creds_handle(struct gp_service *svc);
- void free_config(struct gp_config **config);
-
- /* from gp_init.c */
--void init_server(bool daemonize);
-+void init_server(bool daemonize, int *wait_fd);
-+void init_done(int wait_fd);
- void fini_server(void);
- verto_ctx *init_event_loop(void);
- void init_proc_nfsd(struct gp_config *cfg);
-diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c
-index 1bf0a0b..80430d6 100644
---- a/proxy/src/gssproxy.c
-+++ b/proxy/src/gssproxy.c
-@@ -42,6 +42,7 @@ int main(int argc, const char *argv[])
- int vflags;
- struct gssproxy_ctx *gpctx;
- struct gp_sock_ctx *sock_ctx;
-+ int wait_fd;
- int ret;
- int i;
-
-@@ -97,7 +98,7 @@ int main(int argc, const char *argv[])
- exit(EXIT_FAILURE);
- }
-
-- init_server(gpctx->config->daemonize);
-+ init_server(gpctx->config->daemonize, &wait_fd);
-
- write_pid();
-
-@@ -139,9 +140,15 @@ int main(int argc, const char *argv[])
- }
- }
-
-- /* special call to tell the Linux kernel gss-proxy is available */
-+ /* We need to tell nfsd that GSS-Proxy is available before it starts,
-+ * as nfsd needs to know GSS-Proxy is in use before the first time it
-+ * needs to call accept_sec_context. */
- init_proc_nfsd(gpctx->config);
-
-+ /* Now it is safe to tell the init system that we're done starting up,
-+ * so it can continue with dependencies and start nfsd */
-+ init_done(wait_fd);
-+
- ret = gp_workers_init(gpctx);
- if (ret) {
- exit(EXIT_FAILURE);
---
-1.8.4.2
-
diff --git a/SOURCES/gssproxy-0.3.1-secure_getenv.patch b/SOURCES/gssproxy-0.3.1-secure_getenv.patch
deleted file mode 100644
index fd540c4..0000000
--- a/SOURCES/gssproxy-0.3.1-secure_getenv.patch
+++ /dev/null
@@ -1,249 +0,0 @@
-From 1d78d1af3da7eeb15aa1f054b740f31a12f48f31 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Sat, 16 Nov 2013 17:08:06 -0500
-Subject: [PATCH 1/3] config: Do not modify const strings
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Take a copy here, the option string is const and strtok_r() is not a safe
-function as it may change the string it manipulates.
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_config.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
-index e21e70d..63f264e 100644
---- a/proxy/src/gp_config.c
-+++ b/proxy/src/gp_config.c
-@@ -209,6 +209,7 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
- int num_sec;
- char *secname = NULL;
- const char *value;
-+ char *vcopy;
- char *token;
- char *handle;
- int valnum;
-@@ -318,7 +319,12 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
- goto done;
- }
-
-- token = strtok_r(no_const(value), ", ", &handle);
-+ vcopy = strdup(value);
-+ if (!vcopy) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ token = strtok_r(vcopy, ", ", &handle);
- do {
-
- ret = strcmp(value, "krb5");
-@@ -329,6 +335,7 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
- } else {
- GPERROR("Failed to read krb5 config for %s.\n",
- secname);
-+ safefree(vcopy);
- return ret;
- }
- } else {
-@@ -338,6 +345,7 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
-
- token = strtok_r(NULL, ", ", &handle);
- } while (token != NULL);
-+ safefree(vcopy);
-
- if (cfg->svcs[n]->mechs == 0) {
- GPDEBUG("No mechs found for [%s], ignoring.\n", secname);
---
-1.8.3.1
-
-
-From a272091dfd568cb96738cc96ea01bbf7f24ee62c Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Sat, 16 Nov 2013 18:54:28 -0500
-Subject: [PATCH 2/3] creds: Allow admins to define only client creds
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When a service is configured with cred_usage = initiate it is
-ok to allow only client credentials to be defined.
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_creds.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
-index 60c4e12..1ac1fac 100644
---- a/proxy/src/gp_creds.c
-+++ b/proxy/src/gp_creds.c
-@@ -376,7 +376,12 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
- * if any. */
- if (use_service_keytab) {
- if (k_num == -1) {
-- ret = EINVAL;
-+ if (ck_num == -1) {
-+ ret = EINVAL;
-+ } else {
-+ /* allow a service to define only the client keytab */
-+ ret = 0;
-+ }
- goto done;
- }
- if (ck_num == -1) {
---
-1.8.3.1
-
-
-From 23f4ee4359d10f66e1938ce6b1d92d3cc77865ff Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 20 Nov 2013 11:58:22 -0500
-Subject: [PATCH 3/3] Use secure_getenv in client and mechglue module
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-proxymehc.so may be used in setuid binaries so follow best security
-practices and use secure_getenv() if available.
-Fallback to poorman emulation when secure_getenv() is not available.
-
-Resolves: https://fedorahosted.org/gss-proxy/ticket/110
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/Makefile.am | 7 ++++---
- proxy/configure.ac | 2 ++
- proxy/src/client/gpm_common.c | 2 +-
- proxy/src/gp_common.h | 1 +
- proxy/src/gp_util.c | 20 ++++++++++++++++++++
- proxy/src/mechglue/gss_plugin.c | 4 ++--
- 6 files changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/proxy/Makefile.am b/proxy/Makefile.am
-index 065be6e..c946421 100644
---- a/proxy/Makefile.am
-+++ b/proxy/Makefile.am
-@@ -102,7 +102,9 @@ GP_RPCCLI_OBJ = \
- src/client/gpm_wrap.c \
- src/client/gpm_unwrap.c \
- src/client/gpm_wrap_size_limit.c \
-- src/client/gpm_common.c
-+ src/client/gpm_common.c \
-+ src/gp_util.c
-+
- GP_MECHGLUE_OBJ = \
- src/mechglue/gpp_accept_sec_context.c \
- src/mechglue/gpp_acquire_cred.c \
-@@ -114,8 +116,7 @@ GP_MECHGLUE_OBJ = \
- src/mechglue/gpp_indicate_mechs.c \
- src/mechglue/gpp_priv_integ.c \
- src/mechglue/gpp_misc.c \
-- src/mechglue/gss_plugin.c \
-- src/gp_util.c
-+ src/mechglue/gss_plugin.c
-
- dist_noinst_HEADERS = \
- rpcgen/gp_rpc.h \
-diff --git a/proxy/configure.ac b/proxy/configure.ac
-index b75a1ef..a0cc4ef 100644
---- a/proxy/configure.ac
-+++ b/proxy/configure.ac
-@@ -149,6 +149,8 @@ AC_CHECK_LIB(gssrpc, gssrpc_xdrmem_create,,
- [$GSSAPI_LIBS $GSSRPC_LIBS])
- AC_SUBST([GSSRPC_LIBS])
-
-+AC_CHECK_FUNCS([__secure_getenv secure_getenv])
-+
- WITH_INITSCRIPT
- if test x$initscript = xsystemd; then
- WITH_SYSTEMD_UNIT_DIR
-diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
-index df1f5a1..74296da 100644
---- a/proxy/src/client/gpm_common.c
-+++ b/proxy/src/client/gpm_common.c
-@@ -68,7 +68,7 @@ static int get_pipe_name(struct gpm_ctx *gpmctx, char *name)
- const char *socket;
- int ret;
-
-- socket = getenv("GSSPROXY_SOCKET");
-+ socket = gp_getenv("GSSPROXY_SOCKET");
- if (!socket) {
- socket = GP_SOCKET_NAME;
- }
-diff --git a/proxy/src/gp_common.h b/proxy/src/gp_common.h
-index 9e4ae81..b5c525f 100644
---- a/proxy/src/gp_common.h
-+++ b/proxy/src/gp_common.h
-@@ -67,6 +67,7 @@
-
- bool gp_same(const char *a, const char *b);
- bool gp_boolean_is_true(const char *s);
-+char *gp_getenv(const char *name);
-
- #include "rpcgen/gss_proxy.h"
-
-diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
-index 8400da1..a6c870f 100644
---- a/proxy/src/gp_util.c
-+++ b/proxy/src/gp_util.c
-@@ -23,8 +23,10 @@
- DEALINGS IN THE SOFTWARE.
- */
-
-+#include "config.h"
- #include <stdbool.h>
- #include <string.h>
-+#include <stdlib.h>
-
- bool gp_same(const char *a, const char *b)
- {
-@@ -46,3 +48,21 @@ bool gp_boolean_is_true(const char *s)
-
- return false;
- }
-+
-+char *gp_getenv(const char *name)
-+{
-+#if HAVE_SECURE_GETENV
-+ return secure_getenv(name);
-+#elif HAVE___SECURE_GETENV
-+ return __secure_getenv(name);
-+#else
-+#include <unistd.h>
-+#include <sys/types.h>
-+#warning secure_getenv not available, falling back to poorman emulation
-+ if ((getuid() == geteuid()) &&
-+ (getgid() == getegid())) {
-+ return getenv(name);
-+ }
-+ return NULL;
-+#endif
-+}
-diff --git a/proxy/src/mechglue/gss_plugin.c b/proxy/src/mechglue/gss_plugin.c
-index 5b40df9..372ab2e 100644
---- a/proxy/src/mechglue/gss_plugin.c
-+++ b/proxy/src/mechglue/gss_plugin.c
-@@ -64,7 +64,7 @@ enum gpp_behavior gpp_get_behavior(void)
- char *envval;
-
- if (behavior == GPP_UNINITIALIZED) {
-- envval = getenv("GSSPROXY_BEHAVIOR");
-+ envval = gp_getenv("GSSPROXY_BEHAVIOR");
- if (envval) {
- if (strcmp(envval, "LOCAL_ONLY") == 0) {
- behavior = GPP_LOCAL_ONLY;
-@@ -102,7 +102,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
-
- /* avoid looping in the gssproxy daemon by avoiding to interpose
- * any mechanism */
-- envval = getenv("GSS_USE_PROXY");
-+ envval = gp_getenv("GSS_USE_PROXY");
- if (!envval) {
- return NULL;
- }
---
-1.8.3.1
-
diff --git a/SOURCES/gssproxy-0.3.1-strerror_r.patch b/SOURCES/gssproxy-0.3.1-strerror_r.patch
deleted file mode 100644
index 7b82051..0000000
--- a/SOURCES/gssproxy-0.3.1-strerror_r.patch
+++ /dev/null
@@ -1,307 +0,0 @@
-From 27ae6c5b8b37a8086800cd1a4edbb01a7fddfad6 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 21 Nov 2013 11:59:40 -0500
-Subject: [PATCH 1/2] Add Thread-safe implementation of strerror()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Unfortunately strerror() is not thread safe so we have to juggle with
-strerror_r() which is a can of worms as 2 incompatible implementations
-are available depending on what is defined at compile time.
-
-Try to do something sane.
-
-https://fedorahosted.org/gss-proxy/ticket/111
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/gp_common.h | 3 +++
- proxy/src/gp_util.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 62 insertions(+)
-
-diff --git a/proxy/src/gp_common.h b/proxy/src/gp_common.h
-index b5c525f..f2b8c3e 100644
---- a/proxy/src/gp_common.h
-+++ b/proxy/src/gp_common.h
-@@ -69,6 +69,9 @@ bool gp_same(const char *a, const char *b);
- bool gp_boolean_is_true(const char *s);
- char *gp_getenv(const char *name);
-
-+/* NOTE: read the note in gp_util.c before using gp_strerror() */
-+char *gp_strerror(int errnum);
-+
- #include "rpcgen/gss_proxy.h"
-
- union gp_rpc_arg {
-diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
-index a6c870f..4fbac4e 100644
---- a/proxy/src/gp_util.c
-+++ b/proxy/src/gp_util.c
-@@ -27,6 +27,8 @@
- #include <stdbool.h>
- #include <string.h>
- #include <stdlib.h>
-+#include <stdio.h>
-+#include <errno.h>
-
- bool gp_same(const char *a, const char *b)
- {
-@@ -66,3 +68,60 @@ char *gp_getenv(const char *name)
- return NULL;
- #endif
- }
-+
-+/* NOTE: because strerror_r() is such a mess with glibc, we need to do some
-+ * magic checking to find out what function prototype is being used of the
-+ * two incompatible ones, and pray it doesn't change in the future.
-+ * On top of that to avoid impacting the current code too much we've got to use
-+ * thread-local storage to hold a buffer.
-+ * gp_strerror() is basically a thread-safe version of strerror() that can
-+ * never fail.
-+ */
-+const char gp_internal_err[] = "Internal strerror_r() error.";
-+#define MAX_GP_STRERROR 1024
-+char *gp_strerror(int errnum)
-+{
-+ static __thread char buf[MAX_GP_STRERROR];
-+ int saved_errno = errno;
-+
-+#if ((_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && !_GNU_SOURCE)
-+ /* XSI version */
-+ int ret;
-+
-+ ret = strerror_r(errnum, buf, MAX_GP_STRERROR);
-+ if (ret == -1) ret = errno;
-+ switch (ret) {
-+ case 0:
-+ break;
-+ case EINVAL:
-+ ret = snprintf(buf, MAX_GP_STRERROR,
-+ "Unknown error code: %d", errnum);
-+ if (ret > 0) break;
-+ /* fallthrough */
-+ default:
-+ ret = snprintf(buf, MAX_GP_STRERROR,
-+ "Internal error describing error code: %d", errnum);
-+ if (ret > 0) break;
-+ memset(buf, 0, MAX_GP_STRERROR);
-+ strncpy(buf, gp_internal_err, MAX_GP_STRERROR);
-+ buf[MAX_GP_STRERROR -1] = '\0';
-+ }
-+#else
-+ /* GNU-specific version */
-+ char *ret;
-+
-+ ret = strerror_r(errnum, buf, MAX_GP_STRERROR);
-+ if (ret == NULL) {
-+ memset(buf, 0, MAX_GP_STRERROR);
-+ strncpy(buf, gp_internal_err, MAX_GP_STRERROR);
-+ buf[MAX_GP_STRERROR -1] = '\0';
-+ } else if (ret != buf) {
-+ memset(buf, 0, MAX_GP_STRERROR);
-+ strncpy(buf, ret, MAX_GP_STRERROR);
-+ buf[MAX_GP_STRERROR -1] = '\0';
-+ }
-+#endif
-+
-+ errno = saved_errno;
-+ return buf;
-+}
---
-1.8.3.1
-
-
-From db8099da53167ca4ebf3b9f5ef0c702ddfe8b366 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 21 Nov 2013 12:14:36 -0500
-Subject: [PATCH 2/2] Use gp_strerror() everywhere instead of strerror()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://fedorahosted.org/gss-proxy/ticket/111
-
-Reviewed-by: Günther Deschner <gdeschner@redhat.com>
----
- proxy/src/client/gpm_init_sec_context.c | 4 ++--
- proxy/src/gp_config.c | 2 +-
- proxy/src/gp_config_dinglibs.c | 4 ++--
- proxy/src/gp_init.c | 10 +++++-----
- proxy/src/gp_socket.c | 14 +++++++-------
- 5 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/proxy/src/client/gpm_init_sec_context.c b/proxy/src/client/gpm_init_sec_context.c
-index f6dfe53..bd88055 100644
---- a/proxy/src/client/gpm_init_sec_context.c
-+++ b/proxy/src/client/gpm_init_sec_context.c
-@@ -90,7 +90,7 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- /* execute proxy request */
- ret = gpm_make_call(GSSX_INIT_SEC_CONTEXT, &uarg, &ures);
- if (ret) {
-- gpm_save_internal_status(ret, strerror(ret));
-+ gpm_save_internal_status(ret, gp_strerror(ret));
- goto done;
- }
-
-@@ -114,7 +114,7 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
- if (res->output_token) {
- ret = gp_conv_gssx_to_buffer_alloc(res->output_token, &outbuf);
- if (ret) {
-- gpm_save_internal_status(ret, strerror(ret));
-+ gpm_save_internal_status(ret, gp_strerror(ret));
- goto done;
- }
- }
-diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
-index 63f264e..2fc4a6f 100644
---- a/proxy/src/gp_config.c
-+++ b/proxy/src/gp_config.c
-@@ -464,7 +464,7 @@ int load_config(struct gp_config *cfg)
-
- done:
- if (ret != 0) {
-- GPERROR("Error reading configuration %d: %s", ret, strerror(ret));
-+ GPERROR("Error reading configuration %d: %s", ret, gp_strerror(ret));
- }
- gp_config_close(ctx);
- safefree(ctx);
-diff --git a/proxy/src/gp_config_dinglibs.c b/proxy/src/gp_config_dinglibs.c
-index 8716b91..515b951 100644
---- a/proxy/src/gp_config_dinglibs.c
-+++ b/proxy/src/gp_config_dinglibs.c
-@@ -238,7 +238,7 @@ int gp_dinglibs_init(const char *config_file,
- &file_ctx);
- if (ret) {
- GPDEBUG("Failed to open config file: %d (%s)\n",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- ini_config_destroy(ini_config);
- return ret;
- }
-@@ -255,7 +255,7 @@ int gp_dinglibs_init(const char *config_file,
- char **errors = NULL;
- /* we had a parsing failure */
- GPDEBUG("Failed to parse config file: %d (%s)\n",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- if (ini_config_error_count(ini_config)) {
- ini_config_get_errors(ini_config, &errors);
- if (errors) {
-diff --git a/proxy/src/gp_init.c b/proxy/src/gp_init.c
-index 92c0a47..7e29c59 100644
---- a/proxy/src/gp_init.c
-+++ b/proxy/src/gp_init.c
-@@ -158,7 +158,7 @@ void init_proc_nfsd(struct gp_config *cfg)
- ret = errno;
- GPDEBUG("Failed to open %s: %d (%s)\n",
- LINUX_PROC_USE_GSS_PROXY_FILE,
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- return;
- }
-
-@@ -167,7 +167,7 @@ void init_proc_nfsd(struct gp_config *cfg)
- ret = errno;
- GPDEBUG("Failed to write to %s: %d (%s)\n",
- LINUX_PROC_USE_GSS_PROXY_FILE,
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- }
-
- ret = close(fd);
-@@ -175,7 +175,7 @@ void init_proc_nfsd(struct gp_config *cfg)
- ret = errno;
- GPDEBUG("Failed to close %s: %d (%s)\n",
- LINUX_PROC_USE_GSS_PROXY_FILE,
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- }
- }
-
-@@ -191,7 +191,7 @@ void write_pid(void)
- if (!f) {
- ret = errno;
- GPDEBUG("Failed to open %s: %d (%s)\n",
-- GP_PID_FILE, ret, strerror(ret));
-+ GP_PID_FILE, ret, gp_strerror(ret));
- return;
- }
-
-@@ -204,6 +204,6 @@ void write_pid(void)
- if (ret != 0) {
- ret = errno;
- GPDEBUG("Failed to close %s: %d (%s)\n",
-- GP_PID_FILE, ret, strerror(ret));
-+ GP_PID_FILE, ret, gp_strerror(ret));
- }
- }
-diff --git a/proxy/src/gp_socket.c b/proxy/src/gp_socket.c
-index b1851a2..3e8afc5 100644
---- a/proxy/src/gp_socket.c
-+++ b/proxy/src/gp_socket.c
-@@ -184,7 +184,7 @@ struct gp_sock_ctx *init_unix_socket(struct gssproxy_ctx *gpctx,
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (fd == -1) {
- ret = errno;
-- GPDEBUG("Failed to init socket! (%d: %s)\n", ret, strerror(ret));
-+ GPDEBUG("Failed to init socket! (%d: %s)\n", ret, gp_strerror(ret));
- goto done;
- }
-
-@@ -192,14 +192,14 @@ struct gp_sock_ctx *init_unix_socket(struct gssproxy_ctx *gpctx,
- if (ret == -1) {
- ret = errno;
- GPDEBUG("Failed to bind socket %s! (%d: %s)\n", addr.sun_path,
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- goto done;
- }
-
- ret = listen(fd, 10);
- if (ret == -1) {
- ret = errno;
-- GPDEBUG("Failed to listen! (%d: %s)\n", ret, strerror(ret));
-+ GPDEBUG("Failed to listen! (%d: %s)\n", ret, gp_strerror(ret));
- goto done;
- }
-
-@@ -218,7 +218,7 @@ struct gp_sock_ctx *init_unix_socket(struct gssproxy_ctx *gpctx,
- done:
- if (ret) {
- GPERROR("Failed to create Unix Socket! (%d:%s)",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- if (fd != -1) {
- close(fd);
- fd = -1;
-@@ -245,7 +245,7 @@ static int get_peercred(int fd, struct gp_conn *conn)
- if (ret == -1) {
- ret = errno;
- GPDEBUG("Failed to get SO_PEERCRED options! (%d:%s)\n",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- return ret;
- }
- if (len != sizeof(struct ucred)) {
-@@ -262,7 +262,7 @@ static int get_peercred(int fd, struct gp_conn *conn)
- } else {
- ret = errno;
- GPDEBUG("Failed to get peer's SELinux context (%d:%s)\n",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- /* consider thisnot fatal, selinux may be disabled */
- }
-
-@@ -579,7 +579,7 @@ void accept_sock_conn(verto_ctx *vctx, verto_ev *ev)
- done:
- if (ret) {
- GPERROR("Error connecting client: (%d:%s)",
-- ret, strerror(ret));
-+ ret, gp_strerror(ret));
- gp_conn_free(conn);
- }
- }
---
-1.8.3.1
-
diff --git a/SOURCES/gssproxy_ticket_140_0001-bug-140-Remove-fno-strict-aliasing.patch b/SOURCES/gssproxy_ticket_140_0001-bug-140-Remove-fno-strict-aliasing.patch
new file mode 100644
index 0000000..b64110a
--- /dev/null
+++ b/SOURCES/gssproxy_ticket_140_0001-bug-140-Remove-fno-strict-aliasing.patch
@@ -0,0 +1,41 @@
+From 21cde7fde306b3a4699fff415c90df457f5b30c7 Mon Sep 17 00:00:00 2001
+From: Roland Mainz <rmainz@redhat.com>
+Date: Thu, 9 Apr 2015 19:56:45 +0200
+Subject: [PATCH] bug #140: Remove -fno-strict-aliasing
+
+Remove -fno-strict-aliasing (this is not required because gssproxy
+is mostly a good ISO C99/C11 citizen) and replace it with
+-Werror=strict-aliasing to ensure that if *anything* creeps up
+the build will just fail (this requires in gcc4.x's case the
+use of -fstrict-aliasing, too).
+
+References:
+ - http://dbp-consulting.com/tutorials/StrictAliasing.html
+
+Signed-off-by: Roland Mainz <rmainz@redhat.com>
+---
+ proxy/Makefile.am | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/Makefile.am b/proxy/Makefile.am
+index 1e7c39cf2c2d3ef2c96c1b28c76d53d378054da6..6e38cf8116b70d51fe873720a2205572402d9f99 100644
+--- a/proxy/Makefile.am
++++ b/proxy/Makefile.am
+@@ -36,10 +36,12 @@ if WANT_AUX_INFO
+ AM_CFLAGS += -aux-info $@.X
+ endif
+ if HAVE_GCC
++# -fstrict-aliasing is needed so that -W*strict-aliasing works
++# properly
+ AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+ -Wcast-qual -Wcast-align -Wwrite-strings \
+- -Werror-implicit-function-declaration \
+- -fno-strict-aliasing
++ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
++ -Werror-implicit-function-declaration
+ endif
+
+ dist_pkgconfig_DATA =
+--
+1.9.3
+
diff --git a/SOURCES/gssproxy_ticket_143_workaround_Service-HTTP.patch b/SOURCES/gssproxy_ticket_143_workaround_Service-HTTP.patch
new file mode 100644
index 0000000..9e8fdbe
--- /dev/null
+++ b/SOURCES/gssproxy_ticket_143_workaround_Service-HTTP.patch
@@ -0,0 +1,16 @@
+diff --git a/proxy/examples/gssproxy.conf.in b/proxy/examples/gssproxy.conf.in
+index 321a4e7..5dd708b 100644
+--- a/proxy/examples/gssproxy.conf.in
++++ b/proxy/examples/gssproxy.conf.in
+@@ -1,5 +1,11 @@
+ [gssproxy]
+
++[service/HTTP]
++ mechs = krb5
++ cred_store = keytab:/etc/gssproxy/http.keytab
++ cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
++ euid = 48
++
+ [service/nfs-server]
+ mechs = krb5
+ socket = /run/gssproxy.sock
diff --git a/SOURCES/gssproxy_ticket_145_130-Set-default-rcache.patch b/SOURCES/gssproxy_ticket_145_130-Set-default-rcache.patch
new file mode 100644
index 0000000..368305c
--- /dev/null
+++ b/SOURCES/gssproxy_ticket_145_130-Set-default-rcache.patch
@@ -0,0 +1,12 @@
+diff --git a/proxy/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
+index 7aa6785..dae39ee 100644
+--- a/proxy/systemd/gssproxy.service.in
++++ b/proxy/systemd/gssproxy.service.in
+@@ -6,6 +6,7 @@ Before=nfs-secure.service nfs-secure-server.service
+ Requires=proc-fs-nfsd.mount
+
+ [Service]
++Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
+ ExecStart=@sbindir@/gssproxy -D
+ # These two should be used with traditional UNIX forking daemons
+ # consult systemd.service(5) for more details
diff --git a/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch b/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch
new file mode 100644
index 0000000..7d199ed
--- /dev/null
+++ b/SOURCES/gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch
@@ -0,0 +1,44 @@
+From 0f33846367ea29d06c30a8b881675dfc2fb8892c Mon Sep 17 00:00:00 2001
+From: Roland Mainz <rmainz@redhat.com>
+Date: Thu, 7 May 2015 20:21:21 +0200
+Subject: [PATCH] Add PIE and RELRO compiler flags for hardening
+
+Add PIE (=position independent code) and RELRO (=read-only jump
+tables and relocation addresses) compiler flags for hardening.
+
+Fixes: https://fedorahosted.org/gss-proxy/ticket/147
+Signed-off-by: Roland Mainz <rmainz@redhat.com>
+Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
+Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
+---
+ proxy/Makefile.am | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/Makefile.am b/proxy/Makefile.am
+index 821362502483f046c46209c16ef422d796c4b384..39674f6764da914f5d54d68672b6b1bcd4247f8f 100644
+--- a/proxy/Makefile.am
++++ b/proxy/Makefile.am
+@@ -31,6 +31,10 @@ pkgconfigdir = $(libdir)/pkgconfig
+ gpstatedir = @gpstatedir@
+ gpclidir = @gpstatedir@/clients
+
++# Flags for hardening (separated out so we can override them for testing)
++PIE_CFLAGS = -fPIE
++RELRO_CFLAGS = -Wl,-z,relro,-z,now
++
+ AM_CFLAGS =
+ if WANT_AUX_INFO
+ AM_CFLAGS += -aux-info $@.X
+@@ -41,7 +45,8 @@ if HAVE_GCC
+ AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+ -Wcast-qual -Wcast-align -Wwrite-strings \
+ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
+- -Werror-implicit-function-declaration
++ -Werror-implicit-function-declaration \
++ $(PIE_CFLAGS) $(RELRO_CFLAGS)
+ endif
+
+ dist_pkgconfig_DATA =
+--
+2.4.0
+
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index a968f6e..6c38dad 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
Name: gssproxy
-Version: 0.3.0
-Release: 10%{?dist}
+Version: 0.4.1
+Release: 7%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@@ -8,25 +8,21 @@ License: MIT
URL: http://fedorahosted.org/gss-proxy
Source0: http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
-Patch0: gssproxy-0.3.0-gss_init_sec_context.patch
-Patch1: gssproxy-0.3.0-gss_inquire_cred_by_mech.patch
-Patch2: gssproxy-0.3.0-continuations.patch
-Patch3: gssproxy-0.3.0-flags_handling.patch
-Patch4: gssproxy-0.3.1-secure_getenv.patch
-Patch5: gssproxy-0.3.1-strerror_r.patch
-Patch6: gssproxy-0.3.1-nfsd_startup.patch
-Patch7: gssproxy-0.3.1-deadlock_fix.patch
-Patch8: gssproxy-0.3.0-inquire-context.patch
%global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy
%global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ###
+Patch1: gssproxy_ticket_140_0001-bug-140-Remove-fno-strict-aliasing.patch
+Patch2: gssproxy_ticket_147_0001-Add-PIE-and-RELRO-compiler-flags-for-hardening.patch
+Patch3: gssproxy_ticket_145_130-Set-default-rcache.patch
+Patch4: gssproxy_ticket_143_workaround_Service-HTTP.patch
+Patch5: 0001-Correct-handling-of-EINTR-on-read-write.patch
### Dependencies ###
-Requires: krb5-libs >= 1.11.3-27
+Requires: krb5-libs >= 1.12.0
Requires: keyutils-libs
Requires: libverto-tevent
Requires(post): systemd-units
@@ -37,64 +33,62 @@ Requires(postun): systemd-units
BuildRequires: autoconf
BuildRequires: automake
-BuildRequires: libtool
-BuildRequires: m4
-BuildRequires: libxslt
-BuildRequires: libxml2
+BuildRequires: coreutils
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
+BuildRequires: findutils
BuildRequires: gettext-devel
-BuildRequires: pkgconfig
-BuildRequires: krb5-devel >= 1.11.3-27
-BuildRequires: libselinux-devel
BuildRequires: keyutils-libs-devel
+BuildRequires: krb5-devel >= 1.12.0
BuildRequires: libini_config-devel >= 1.0.0.1
+BuildRequires: libselinux-devel
+BuildRequires: libtool
BuildRequires: libverto-devel
+BuildRequires: libxml2
+BuildRequires: libxslt
+BuildRequires: m4
+BuildRequires: pkgconfig
BuildRequires: popt-devel
-BuildRequires: findutils
+BuildRequires: sed
BuildRequires: systemd-units
%description
A proxy for GSSAPI credential handling
+
%prep
%setup -q
-%patch0 -p2 -b .gss_init_sec_context
-%patch1 -p2 -b .gss_inquire_cred_by_mech
-%patch2 -p2 -b .continuations
-%patch3 -p2 -b .flags_handling
-%patch4 -p2 -b .secure_getenv
-%patch5 -p2 -b .strerror_r
-%patch6 -p2 -b .nfsd_startup
-%patch7 -p2 -b .deadlock_fix
-%patch8 -p2 -b .inq_context
+%patch1 -p2 -b .gssproxy_ticket_140_0001-bug-140-remove-fno-strict-aliasing
+%patch2 -p2 -b .gssproxy_ticket_147_0001-add-pie-and-relro-compiler-flags-for-hardening
+%patch3 -p2 -b .gssproxy_ticket_145_130-set-default-rcache
+%patch4 -p2 -b .gssproxy_ticket_143_workaround_service-http
+%patch5 -p2 -b .gssproxy_EINTR_loop_fix
%build
autoreconf -f -i
%configure \
--with-pubconf-path=%{pubconfpath} \
- --with-init-dir=%{_initrddir} \
+ --with-initscript=systemd \
--disable-static \
--disable-rpath \
--with-gpp-default-behavior=REMOTE_FIRST
-
make %{?_smp_mflags} all
make test_proxymech
%install
-rm -rf %{buildroot}
+rm -rf -- "%{buildroot}"
make install DESTDIR=%{buildroot}
-rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
+rm -f -- %{buildroot}%{_libdir}/gssproxy/proxymech.la
install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
-install -d -m755 %{buildroot}%{_unitdir}
install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
-install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech
-install -m644 systemd/gssproxy.service %{buildroot}%{_unitdir}/gssproxy.service
+mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d
+install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
+mkdir -p %{buildroot}/var/lib/gssproxy/rcache
%clean
-rm -rf %{buildroot}
+rm -rf -- "%{buildroot}"
%files
@@ -106,22 +100,82 @@ rm -rf %{buildroot}
%attr(755,root,root) %dir %{gpstatedir}
%attr(700,root,root) %dir %{gpstatedir}/clients
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
-%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech
+%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
+%attr(700,root,root) %dir /var/lib/gssproxy/rcache
%{_libdir}/gssproxy/proxymech.so
%{_mandir}/man5/gssproxy.conf.5*
%{_mandir}/man8/gssproxy.8*
%{_mandir}/man8/gssproxy-mech.8*
+
%post
%systemd_post gssproxy.service
+
%preun
%systemd_preun gssproxy.service
+
%postun
%systemd_postun_with_restart gssproxy.service
+
%changelog
+* Tue Sep 29 2015 Simo Sorce <simo@redhat.com> 0.4.1-7
+- Fix loop cause by imporper EINTR handling
+- resolves: #1266564
+
+* Mon Aug 24 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-6
+- Remove extra whitespaces from #1208640/#1194299 patches
+- spec file cleanup
+related: #1208640 #1194299
+
+* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-5
+- Carry service/HTTP default conf section
+- resolves: #1208640
+
+* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-4
+- Set default rcache location patch
+- resolves: #1194299
+
+* Mon Jul 13 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-3
+- Bug #1213852 ("[gssproxy] NFS clients cannot mount with
+ sec=krb5 if the NFS server is running gssproxy") was
+ fixed by the rebase to 0.4.1 in bug ("[RFE] Rebase
+ gssproxy to the latest to match expectations of other
+ projects").
+ Note that the same bug was also fixed in the kernel with
+ "9507271 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT
+ decoding failures" (see
+ https://bugzilla.redhat.com/show_bug.cgi?id=1213852#c2
+ and RH Bug #1120860 ("[NFS] NFS clients cannot mount with
+ sec=krb5 if the NFS server is running gssproxy")) to
+ handle various corner cases not covered by gssproxy,
+ for example individual krb5 ticket fields exceeding
+ the kernel's buffer size.
+
+* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-2
+- The following bugs have been fixed by the rebase to 0.4.1
+ in bug ("[RFE] Rebase gssproxy to the latest to match
+ expectations of other projects"):
+ - Bug #1196371 ("rpc.gssd segfaults in gssproxy (proxymech.so)")
+ Upstream tickets { #137, #144 }
+ - Bug #1053730 ("KrbLocalUserMapping does not work with
+ Apache & GSS-Proxy")
+ Upstream ticket #101
+ - Bug #1168962 ("gssproxy is not working with httpd on ppc64 and s390x")
+ Upstream ticket #146
+
+* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-1
+- Add patch to remove -fno-strict-aliasing (gssproxy ticket #140,
+ a dependicy for the fix for bug #1092515 (see below))
+- Add patch to fix bug #1092515 ("gssproxy - PIE and RELRO check")
+
+* Fri Jun 5 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-0
+- Rebase gssproxy to 0.4.1 per bug #1132389 ("[RFE] Rebase
+ gssproxy to the latest to match expectations of other
+ projects").
+
* Fri Jan 23 2015 Simo Sorce <ssorce@redhat.com> 0.3.0-10
- Fix crash bug affecting updated rpc.gssd
- resolves: #1184531