new file mode 100644

@@ -0,0 +1,77 @@

+From e353652831978d3cf1b756def7782b52dc495668 Mon Sep 17 00:00:00 2001

+From: Greg Hudson <ghudson@mit.edu>

+Date: Mon, 29 Feb 2016 16:51:22 -0500

+Subject: [PATCH] Skip unnecessary mech calls in gss_inquire_cred()

+

+If the caller does not request a name, lifetime, or cred_usage when

+calling gss_inquire_cred(), service the call by copying the mechanism

+list (if requested) but do not call into the mech.

+

+This change alleviates an issue (reported by Adam Bernstein) where

+SPNEGO can fail in the presence of expired krb5 credentials rather

+than proceeding with a different mechanism, or can resolve a krb5

+credential with the benefit of the target name.

+

+ticket: 8373

+target_version: 1.14-next

+target_version: 1.13-next

+tags: pullup

+---

+ src/lib/gssapi/mechglue/g_inq_cred.c | 39 ++++++++++++++++++++----------------

+ 1 file changed, 22 insertions(+), 17 deletions(-)

+

+diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c

+index c5577d4..9111962 100644

+--- a/src/lib/gssapi/mechglue/g_inq_cred.c

+@@ -92,27 +92,32 @@ gss_OID_set *		mechanisms;

+ 	mech_cred = GSS_C_NO_CREDENTIAL;

+ 	mech = gssint_get_mechanism(GSS_C_NULL_OID);

+     }

+-    if (mech == NULL)

+-	return (GSS_S_DEFECTIVE_CREDENTIAL);

+-    if (!mech->gss_inquire_cred)

+-	return (GSS_S_UNAVAILABLE);

+ 

+-    status = mech->gss_inquire_cred(minor_status, mech_cred,

+-				    name ? &mech_name : NULL,

+-				    lifetime, cred_usage, NULL);

+-    if (status != GSS_S_COMPLETE) {

+-	map_error(minor_status, mech);

+-	return(status);

+-    }

++    /* Skip the call into the mech if the caller doesn't care about any of the

++     * values we would ask for. */

++    if (name != NULL || lifetime != NULL || cred_usage != NULL) {

++	if (mech == NULL)

++	    return (GSS_S_DEFECTIVE_CREDENTIAL);

++	if (!mech->gss_inquire_cred)

++	    return (GSS_S_UNAVAILABLE);

+ 

+-    if (name) {

+-	/* Convert mech_name into a union_name equivalent. */

+-	status = gssint_convert_name_to_union_name(&temp_minor_status,

+-						   mech, mech_name, name);

++	status = mech->gss_inquire_cred(minor_status, mech_cred,

++					name ? &mech_name : NULL,

++					lifetime, cred_usage, NULL);

+ 	if (status != GSS_S_COMPLETE) {

+-	    *minor_status = temp_minor_status;

+ 	    map_error(minor_status, mech);

+-	    return (status);

++	    return(status);

++	}

++

++	if (name) {

++	    /* Convert mech_name into a union_name equivalent. */

++	    status = gssint_convert_name_to_union_name(&temp_minor_status,

++						       mech, mech_name, name);

++	    if (status != GSS_S_COMPLETE) {

++		*minor_status = temp_minor_status;

++		map_error(minor_status, mech);

++		return (status);

++	    }

+ 	}

+     }

+ 

+

@@ -1,7 +1,7 @@

 Summary:	The Kerberos newtork authentication system

 Name:		krb5

 Version:	1.14

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:	MIT

 URL:		http://cyrusimap.web.cmu.edu/

 Group:		System Environment/Security

@@ -9,6 +9,7 @@ Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:	http://web.mit.edu/kerberos/www/dist/%{name}/%{version}/%{name}-%{version}.tar.gz

 %define sha1 krb5=02973f6605b1170bec812af9c8da4e447eeca9a9

+Patch0:         krb5-1.14-skip-unnecessary-mech-calls.patch

 Requires:	openssl

 Requires:	e2fsprogs

 BuildRequires: 	openssl-devel

@@ -19,6 +20,7 @@ which can improve your network's security by eliminating the insecure

 practice of clear text passwords.

 %prep

 %setup -q

+%patch0 -p1

 %build

 cd src &&

@@ -88,6 +90,8 @@ rm -rf %{buildroot}/*

 %{_datarootdir}/man/man5/.k5login.5.gz

 %{_docdir}/%{name}-%{version}

 %changelog

+* 	Fri Mar 18 2016 Anish Swaminathan <anishs@vmware.com>  1.14-2

+- 	Add patch for skipping unnecessary mech calls in gss_inquire_cred

 *	Thu Jan 21 2016 Anish Swaminathan <anishs@vmware.com> 1.14-1

 -	Upgrade version

 *	Tue Oct 07 2014 Divya Thaluru <dthaluru@vmware.com> 1.12.2-1