karasz
/
package-update
1
0
Fork 0
Code Issues Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10227 Commits
46 Branches
0 Tags
0 B
Tree: a2bde50ff8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a2bde50ff8'
${ noResults }
package-update/network/libtirpc/libtirpc-0.2.3-rc2.patch

951 lines
29 KiB
Raw Normal View History Unescape

libtirpc: added patch integrating upstream fixes (0.2.3-rc2)
13 years ago
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../libtirpc/libtirpc-0.2.3-rc2.patch
# Copyright (C) 2011 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
From 40dcc63eecbd1dfc30363351a61167353bb814a4 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Sat, 18 Jun 2011 09:49:40 -0400
Subject: [PATCH 01/11] Do not skip records with nonblocking connections
With non-blocking connections, do not skip records when receiving
the streams since entire value messages can be ignored which
in cause the entire stream to become out of sync.
For example, two mounts simultaneously send two unmaps
commands. The first one is read, then the second thrown
away due to skipping the record. Skipping this record
will cause XDR error later in processing of the stream.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/svc_vc.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git libtirpc-0.2.2/src/svc_vc.c libtirpc-0.2.3-rc2/src/svc_vc.c
index aaaf2d7..87406f1 100644
--- libtirpc-0.2.2/src/svc_vc.c
+++ libtirpc-0.2.3-rc2/src/svc_vc.c
@@ -610,7 +610,11 @@ svc_vc_recv(xprt, msg)
}
xdrs->x_op = XDR_DECODE;
- (void)xdrrec_skiprecord(xdrs);
+ /*
+ * No need skip records with nonblocking connections
+ */
+ if (cd->nonblock == FALSE)
+ (void)xdrrec_skiprecord(xdrs);
if (xdr_callmsg(xdrs, msg)) {
cd->x_id = msg->rm_xid;
return (TRUE);
--
1.7.2.3
From 84570a5f6c5d588d38fb4d42fb13048e62bea71d Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:32:58 -0400
Subject: [PATCH 02/11] PCSEC_GSS_SVC_PRIVACY failure.
in authgss_prot.c:xdr_rpc_gss_wrap_data(), gss_wrap() is called in the
svc == RPCSEC_GSS_SVC_PRIVACY conditional block with databuf.length
uninitialized.
Initialization performed in the svc == RPCSEC_GSS_SVC_INTEGRITY
conditional block should be moved.
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/authgss_prot.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git libtirpc-0.2.2/src/authgss_prot.c libtirpc-0.2.3-rc2/src/authgss_prot.c
index 9d7fa09..0168318 100644
--- libtirpc-0.2.2/src/authgss_prot.c
+++ libtirpc-0.2.3-rc2/src/authgss_prot.c
@@ -161,6 +161,7 @@ xdr_rpc_gss_wrap_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr,
databuflen = end - start - 4;
XDR_SETPOS(xdrs, start + 4);
databuf.value = XDR_INLINE(xdrs, databuflen);
+ databuf.length = databuflen;
xdr_stat = FALSE;
@@ -169,7 +170,6 @@ xdr_rpc_gss_wrap_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr,
XDR_SETPOS(xdrs, start);
if (!xdr_u_int(xdrs, (u_int *)&databuflen))
return (FALSE);
- databuf.length = databuflen;
/* Checksum rpc_gss_data_t. */
maj_stat = gss_get_mic(&min_stat, ctx, qop,
--
1.7.2.3
From 1e786fc401ff625fdcec3e0bdc495125feb0a070 Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:33:35 -0400
Subject: [PATCH 03/11] Use of lseek() in xdr_rec.c:xdrrec_getpos().
The use of lseek() in xdr_rec.c:xdrrec_getpos() without checking for
ESPIPE will fail to handle the common case, resulting in poor behavior
in calling code. (In particular auth_gss.c:authgss_marshal() calls
gss_get_mic() with rpcbuf.length set to -1, with spectacular results.)
The original MIT Krb5 RPC code lacks this addition, which I'm unclear of
the utility of in the first place.
Reverting to the MIT code permits correct function of a trivial RPC
client using GSS.
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/xdr_rec.c | 27 +++++++++++++--------------
1 files changed, 13 insertions(+), 14 deletions(-)
diff --git libtirpc-0.2.2/src/xdr_rec.c libtirpc-0.2.3-rc2/src/xdr_rec.c
index 4e815d7..2aca623 100644
--- libtirpc-0.2.2/src/xdr_rec.c
+++ libtirpc-0.2.3-rc2/src/xdr_rec.c
@@ -64,7 +64,6 @@
#include <rpc/clnt.h>
#include <stddef.h>
#include "rpc_com.h"
-#include <unistd.h>
static bool_t xdrrec_getlong(XDR *, long *);
static bool_t xdrrec_putlong(XDR *, const long *);
static bool_t xdrrec_getbytes(XDR *, char *, u_int);
@@ -330,22 +329,22 @@ xdrrec_getpos(xdrs)
RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private;
off_t pos;
- pos = lseek((int)(u_long)rstrm->tcp_handle, (off_t)0, 1);
- if (pos != -1)
- switch (xdrs->x_op) {
+ switch (xdrs->x_op) {
- case XDR_ENCODE:
- pos += rstrm->out_finger - rstrm->out_base;
- break;
+ case XDR_ENCODE:
+ pos = rstrm->out_finger - rstrm->out_base
+ - BYTES_PER_XDR_UNIT;
+ break;
- case XDR_DECODE:
- pos -= rstrm->in_boundry - rstrm->in_finger;
- break;
+ case XDR_DECODE:
+ pos = rstrm->in_boundry - rstrm->in_finger
+ - BYTES_PER_XDR_UNIT;
+ break;
- default:
- pos = (off_t) -1;
- break;
- }
+ default:
+ pos = (off_t) -1;
+ break;
+ }
return ((u_int) pos);
}
--
1.7.2.3
From 2abb87646f696726f4ee3a89db6ebfc8adbd9b9b Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:34:34 -0400
Subject: [PATCH 04/11] AUTH_WRAP/AUTH_UNWRAP support.
Client code lacks support for authenticator wrapping/unwrapping, which
is particularly useful when using GSS.
Verified for both tcp & udp using a trivial RPC client against a MIT
Krb5 server.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/auth_des.c | 8 ++++++++
src/auth_none.c | 8 ++++++++
src/auth_unix.c | 8 ++++++++
src/clnt_dg.c | 10 +++++++---
src/clnt_vc.c | 5 +++--
5 files changed, 34 insertions(+), 5 deletions(-)
diff --git libtirpc-0.2.2/src/auth_des.c libtirpc-0.2.3-rc2/src/auth_des.c
index 37e7667..829c817 100644
--- libtirpc-0.2.2/src/auth_des.c
+++ libtirpc-0.2.3-rc2/src/auth_des.c
@@ -472,6 +472,12 @@ authdes_destroy(AUTH *auth)
FREE(auth, sizeof(AUTH));
}
+static bool_t
+authdes_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
static struct auth_ops *
authdes_ops(void)
{
@@ -487,6 +493,8 @@ authdes_ops(void)
ops.ah_validate = authdes_validate;
ops.ah_refresh = authdes_refresh;
ops.ah_destroy = authdes_destroy;
+ ops.ah_wrap = authdes_wrap;
+ ops.ah_unwrap = authdes_wrap;
}
mutex_unlock(&authdes_ops_lock);
return (&ops);
diff --git libtirpc-0.2.2/src/auth_none.c libtirpc-0.2.3-rc2/src/auth_none.c
index a439ec6..008c589 100644
--- libtirpc-0.2.2/src/auth_none.c
+++ libtirpc-0.2.3-rc2/src/auth_none.c
@@ -155,6 +155,12 @@ authnone_destroy(AUTH *client)
{
}
+static bool_t
+authnone_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
static struct auth_ops *
authnone_ops()
{
@@ -170,6 +176,8 @@ authnone_ops()
ops.ah_validate = authnone_validate;
ops.ah_refresh = authnone_refresh;
ops.ah_destroy = authnone_destroy;
+ ops.ah_wrap = authnone_wrap;
+ ops.ah_unwrap = authnone_wrap;
}
mutex_unlock(&ops_lock);
return (&ops);
diff --git libtirpc-0.2.2/src/auth_unix.c libtirpc-0.2.3-rc2/src/auth_unix.c
index c2469da..5b8990f 100644
--- libtirpc-0.2.2/src/auth_unix.c
+++ libtirpc-0.2.3-rc2/src/auth_unix.c
@@ -396,6 +396,12 @@ marshal_new_auth(auth)
XDR_DESTROY(xdrs);
}
+static bool_t
+authunix_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
static struct auth_ops *
authunix_ops()
{
@@ -411,6 +417,8 @@ authunix_ops()
ops.ah_validate = authunix_validate;
ops.ah_refresh = authunix_refresh;
ops.ah_destroy = authunix_destroy;
+ ops.ah_wrap = authunix_wrap;
+ ops.ah_unwrap = authunix_wrap;
}
mutex_unlock(&ops_lock);
return (&ops);
diff --git libtirpc-0.2.2/src/clnt_dg.c libtirpc-0.2.3-rc2/src/clnt_dg.c
index 79fed5d..4a1f60a 100644
--- libtirpc-0.2.2/src/clnt_dg.c
+++ libtirpc-0.2.3-rc2/src/clnt_dg.c
@@ -366,7 +366,7 @@ call_again:
if ((! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
(! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
- (! (*xargs)(xdrs, argsp))) {
+ (! AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp))) {
cu->cu_error.re_status = RPC_CANTENCODEARGS;
goto out;
}
@@ -400,8 +400,8 @@ get_reply:
* (We assume that this is actually only executed once.)
*/
reply_msg.acpted_rply.ar_verf = _null_auth;
- reply_msg.acpted_rply.ar_results.where = resultsp;
- reply_msg.acpted_rply.ar_results.proc = xresults;
+ reply_msg.acpted_rply.ar_results.where = NULL;
+ reply_msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
fd.fd = cu->cu_fd;
fd.events = POLLIN;
@@ -512,6 +512,10 @@ get_reply:
&reply_msg.acpted_rply.ar_verf)) {
cu->cu_error.re_status = RPC_AUTHERROR;
cu->cu_error.re_why = AUTH_INVALIDRESP;
+ } else if (! AUTH_UNWRAP(cl->cl_auth, &reply_xdrs,
+ xresults, resultsp)) {
+ if (cu->cu_error.re_status == RPC_SUCCESS)
+ cu->cu_error.re_status = RPC_CANTDECODERES;
}
if (reply_msg.acpted_rply.ar_verf.oa_base != NULL) {
xdrs->x_op = XDR_FREE;
diff --git libtirpc-0.2.2/src/clnt_vc.c libtirpc-0.2.3-rc2/src/clnt_vc.c
index 359063c..097cae8 100644
--- libtirpc-0.2.2/src/clnt_vc.c
+++ libtirpc-0.2.3-rc2/src/clnt_vc.c
@@ -364,7 +364,7 @@ call_again:
if ((! XDR_PUTBYTES(xdrs, ct->ct_u.ct_mcallc, ct->ct_mpos)) ||
(! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
(! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
- (! (*xdr_args)(xdrs, args_ptr))) {
+ (! AUTH_WRAP(cl->cl_auth, xdrs, xdr_args, args_ptr))) {
if (ct->ct_error.re_status == RPC_SUCCESS)
ct->ct_error.re_status = RPC_CANTENCODEARGS;
(void)xdrrec_endofrecord(xdrs, TRUE);
@@ -420,7 +420,8 @@ call_again:
&reply_msg.acpted_rply.ar_verf)) {
ct->ct_error.re_status = RPC_AUTHERROR;
ct->ct_error.re_why = AUTH_INVALIDRESP;
- } else if (! (*xdr_results)(xdrs, results_ptr)) {
+ } else if (! AUTH_UNWRAP(cl->cl_auth, xdrs,
+ xdr_results, results_ptr)) {
if (ct->ct_error.re_status == RPC_SUCCESS)
ct->ct_error.re_status = RPC_CANTDECODERES;
}
--
1.7.2.3
From 82cc2e6129c872c8be09381055f2fb5641c5e6fe Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:34:56 -0400
Subject: [PATCH 05/11] SVCAUTH_WRAP/SVCAUTH_UNWRAP
Server code lacks support for authenticator wrapping/unwrapping, which
is particularly useful when using GSS.
Verified for both tcp & udp using a trivial RPC server against an MIT
Krb5 client.
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/svc.c | 11 +++--------
src/svc_auth_unix.c | 5 +++++
src/svc_dg.c | 31 +++++++++++++++++++++++++++++--
src/svc_vc.c | 37 ++++++++++++++++++++++++++++++++++---
tirpc/rpc/svc_auth.h | 18 ++++++++++++------
5 files changed, 83 insertions(+), 19 deletions(-)
diff --git libtirpc-0.2.2/src/svc.c libtirpc-0.2.3-rc2/src/svc.c
index b4a63d0..08cd6c9 100644
--- libtirpc-0.2.2/src/svc.c
+++ libtirpc-0.2.3-rc2/src/svc.c
@@ -77,9 +77,6 @@ static struct svc_callout
extern rwlock_t svc_lock;
extern rwlock_t svc_fd_lock;
-#ifdef HAVE_LIBGSSAPI
-extern struct svc_auth_ops svc_auth_gss_ops;
-#endif
static struct svc_callout *svc_find (rpcprog_t, rpcvers_t,
struct svc_callout **, char *);
@@ -717,11 +714,9 @@ svc_getreq_common (fd)
SVC_DESTROY (xprt);
break;
}
- else if ((xprt->xp_auth != NULL)
-#ifdef HAVE_LIBGSSAPI
- && (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)
-#endif
- ) {
+ else if ((xprt->xp_auth != NULL) &&
+ (xprt->xp_auth->svc_ah_private == NULL))
+ {
xprt->xp_auth = NULL;
}
}
diff --git libtirpc-0.2.2/src/svc_auth_unix.c libtirpc-0.2.3-rc2/src/svc_auth_unix.c
index ce83859..9585069 100644
--- libtirpc-0.2.2/src/svc_auth_unix.c
+++ libtirpc-0.2.3-rc2/src/svc_auth_unix.c
@@ -43,6 +43,8 @@
#include <rpc/rpc.h>
+extern SVCAUTH svc_auth_none;
+
/*
* Unix longhand authenticator
*/
@@ -67,6 +69,8 @@ _svcauth_unix(rqst, msg)
assert(rqst != NULL);
assert(msg != NULL);
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+
area = (struct area *) rqst->rq_clntcred;
aup = &area->area_aup;
aup->aup_machname = area->area_machname;
@@ -142,5 +146,6 @@ _svcauth_short(rqst, msg)
struct svc_req *rqst;
struct rpc_msg *msg;
{
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
return (AUTH_REJECTEDCRED);
}
diff --git libtirpc-0.2.2/src/svc_dg.c libtirpc-0.2.3-rc2/src/svc_dg.c
index 66a56ee..5ef9df2 100644
--- libtirpc-0.2.2/src/svc_dg.c
+++ libtirpc-0.2.3-rc2/src/svc_dg.c
@@ -134,6 +134,7 @@ svc_dg_create(fd, sendsize, recvsize)
su->su_cache = NULL;
xprt->xp_fd = fd;
xprt->xp_p2 = su;
+ xprt->xp_auth = NULL;
xprt->xp_verf.oa_base = su->su_verfbody;
svc_dg_ops(xprt);
xprt->xp_rtaddr.maxlen = sizeof (struct sockaddr_storage);
@@ -234,10 +235,27 @@ svc_dg_reply(xprt, msg)
bool_t stat = FALSE;
size_t slen;
+ xdrproc_t xdr_results;
+ caddr_t xdr_location;
+ bool_t has_args;
+
+ if (msg->rm_reply.rp_stat == MSG_ACCEPTED &&
+ msg->rm_reply.rp_acpt.ar_stat == SUCCESS) {
+ has_args = TRUE;
+ xdr_results = msg->acpted_rply.ar_results.proc;
+ xdr_location = msg->acpted_rply.ar_results.where;
+
+ msg->acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
+ msg->acpted_rply.ar_results.where = NULL;
+ } else
+ has_args = FALSE;
+
xdrs->x_op = XDR_ENCODE;
XDR_SETPOS(xdrs, 0);
msg->rm_xid = su->su_xid;
- if (xdr_replymsg(xdrs, msg)) {
+ if (xdr_replymsg(xdrs, msg) &&
+ (!has_args ||
+ (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
struct msghdr *msg = &su->su_msghdr;
struct iovec iov;
@@ -264,7 +282,12 @@ svc_dg_getargs(xprt, xdr_args, args_ptr)
xdrproc_t xdr_args;
void *args_ptr;
{
- return (*xdr_args)(&(su_data(xprt)->su_xdrs), args_ptr);
+ if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
+ xdr_args, args_ptr)) {
+ (void)svc_freeargs(xprt, xdr_args, args_ptr);
+ return FALSE;
+ }
+ return TRUE;
}
static bool_t
@@ -288,6 +311,10 @@ svc_dg_destroy(xprt)
xprt_unregister(xprt);
if (xprt->xp_fd != -1)
(void)close(xprt->xp_fd);
+ if (xprt->xp_auth != NULL) {
+ SVCAUTH_DESTROY(xprt->xp_auth);
+ xprt->xp_auth = NULL;
+ }
XDR_DESTROY(&(su->su_xdrs));
(void) mem_free(rpc_buffer(xprt), su->su_iosz);
(void) mem_free(su, sizeof (*su));
diff --git libtirpc-0.2.2/src/svc_vc.c libtirpc-0.2.3-rc2/src/svc_vc.c
index 87406f1..74632e2 100644
--- libtirpc-0.2.2/src/svc_vc.c
+++ libtirpc-0.2.3-rc2/src/svc_vc.c
@@ -172,6 +172,7 @@ svc_vc_create(fd, sendsize, recvsize)
xprt->xp_p1 = r;
xprt->xp_p2 = NULL;
xprt->xp_p3 = NULL;
+ xprt->xp_auth = NULL;
xprt->xp_verf = _null_auth;
svc_vc_rendezvous_ops(xprt);
xprt->xp_port = (u_short)-1; /* It is the rendezvouser */
@@ -283,6 +284,7 @@ makefd_xprt(fd, sendsize, recvsize)
xdrrec_create(&(cd->xdrs), sendsize, recvsize,
xprt, read_vc, write_vc);
xprt->xp_p1 = cd;
+ xprt->xp_auth = NULL;
xprt->xp_verf.oa_base = cd->verf_body;
svc_vc_ops(xprt); /* truely deals with calls */
xprt->xp_port = 0; /* this is a connection, not a rendezvouser */
@@ -412,6 +414,10 @@ __svc_vc_dodestroy(xprt)
XDR_DESTROY(&(cd->xdrs));
mem_free(cd, sizeof(struct cf_conn));
}
+ if (xprt->xp_auth != NULL) {
+ SVCAUTH_DESTROY(xprt->xp_auth);
+ xprt->xp_auth = NULL;
+ }
if (xprt->xp_rtaddr.buf)
mem_free(xprt->xp_rtaddr.buf, xprt->xp_rtaddr.maxlen);
if (xprt->xp_ltaddr.buf)
@@ -632,8 +638,13 @@ svc_vc_getargs(xprt, xdr_args, args_ptr)
assert(xprt != NULL);
/* args_ptr may be NULL */
- return ((*xdr_args)(&(((struct cf_conn *)(xprt->xp_p1))->xdrs),
- args_ptr));
+
+ if (! SVCAUTH_UNWRAP(xprt->xp_auth,
+ &(((struct cf_conn *)(xprt->xp_p1))->xdrs),
+ xdr_args, args_ptr)) {
+ return FALSE;
+ }
+ return TRUE;
}
static bool_t
@@ -662,15 +673,35 @@ svc_vc_reply(xprt, msg)
XDR *xdrs;
bool_t rstat;
+ xdrproc_t xdr_results;
+ caddr_t xdr_location;
+ bool_t has_args;
+
assert(xprt != NULL);
assert(msg != NULL);
cd = (struct cf_conn *)(xprt->xp_p1);
xdrs = &(cd->xdrs);
+ if (msg->rm_reply.rp_stat == MSG_ACCEPTED &&
+ msg->rm_reply.rp_acpt.ar_stat == SUCCESS) {
+ has_args = TRUE;
+ xdr_results = msg->acpted_rply.ar_results.proc;
+ xdr_location = msg->acpted_rply.ar_results.where;
+
+ msg->acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
+ msg->acpted_rply.ar_results.where = NULL;
+ } else
+ has_args = FALSE;
+
xdrs->x_op = XDR_ENCODE;
msg->rm_xid = cd->x_id;
- rstat = xdr_replymsg(xdrs, msg);
+ rstat = FALSE;
+ if (xdr_replymsg(xdrs, msg) &&
+ (!has_args ||
+ (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
+ rstat = TRUE;
+ }
(void)xdrrec_endofrecord(xdrs, TRUE);
return (rstat);
}
diff --git libtirpc-0.2.2/tirpc/rpc/svc_auth.h libtirpc-0.2.3-rc2/tirpc/rpc/svc_auth.h
index 659e90c..14269d1 100644
--- libtirpc-0.2.2/tirpc/rpc/svc_auth.h
+++ libtirpc-0.2.3-rc2/tirpc/rpc/svc_auth.h
@@ -44,17 +44,23 @@
/*
* Interface to server-side authentication flavors.
*/
-typedef struct {
+typedef struct SVCAUTH {
struct svc_auth_ops {
- int (*svc_ah_wrap)(void);
- int (*svc_ah_unwrap)(void);
- int (*svc_ah_destroy)(void);
+ int (*svc_ah_wrap)(struct SVCAUTH *, XDR *, xdrproc_t,
+ caddr_t);
+ int (*svc_ah_unwrap)(struct SVCAUTH *, XDR *, xdrproc_t,
+ caddr_t);
+ int (*svc_ah_destroy)(struct SVCAUTH *);
} *svc_ah_ops;
caddr_t svc_ah_private;
} SVCAUTH;
-#define SVCAUTH_DESTROY(cred) ((*(cred)->svc_ah_ops->svc_ah_destroy)())
-#define svcauth_destroy(cred) ((*(cred)->svc_ah_ops->svc_ah_destroy)())
+#define SVCAUTH_WRAP(auth, xdrs, xfunc, xwhere) \
+ ((*((auth)->svc_ah_ops->svc_ah_wrap))(auth, xdrs, xfunc, xwhere))
+#define SVCAUTH_UNWRAP(auth, xdrs, xfunc, xwhere) \
+ ((*((auth)->svc_ah_ops->svc_ah_unwrap))(auth, xdrs, xfunc, xwhere))
+#define SVCAUTH_DESTROY(auth) \
+ ((*((auth)->svc_ah_ops->svc_ah_destroy))(auth))
/*
* Server side authenticator
--
1.7.2.3
From 6c43043ececc2e9f613dc86086c7ac4970aeb690 Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:35:54 -0400
Subject: [PATCH 06/11] auth_null used when auth_none is appropriate
svc_auth.c uses a fake entry function for AUTH_NULL (AUTH_NONE) when the
use of the svc_auth_none is appropriate.
With the previous patches to make use of WRAP/UNWRAP svc_auth_none is
required.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/svc_auth.c | 13 ++-----------
tirpc/rpc/auth.h | 2 +-
2 files changed, 3 insertions(+), 12 deletions(-)
diff --git libtirpc-0.2.2/src/svc_auth.c libtirpc-0.2.3-rc2/src/svc_auth.c
index c6b3a0b..e80d5f9 100644
--- libtirpc-0.2.2/src/svc_auth.c
+++ libtirpc-0.2.3-rc2/src/svc_auth.c
@@ -98,8 +98,8 @@ _authenticate(rqst, msg)
rqst->rq_xprt->xp_verf.oa_length = 0;
cred_flavor = rqst->rq_cred.oa_flavor;
switch (cred_flavor) {
- case AUTH_NULL:
- dummy = _svcauth_null(rqst, msg);
+ case AUTH_NONE:
+ dummy = _svcauth_none(rqst, msg);
return (dummy);
case AUTH_SYS:
dummy = _svcauth_unix(rqst, msg);
@@ -132,15 +132,6 @@ _authenticate(rqst, msg)
return (AUTH_REJECTEDCRED);
}
-/*ARGSUSED*/
-enum auth_stat
-_svcauth_null(rqst, msg)
- struct svc_req *rqst;
- struct rpc_msg *msg;
-{
- return (AUTH_OK);
-}
-
/*
* Allow the rpc service to register new authentication types that it is
* prepared to handle. When an authentication flavor is registered,
diff --git libtirpc-0.2.2/tirpc/rpc/auth.h libtirpc-0.2.3-rc2/tirpc/rpc/auth.h
index 734e6b9..f669ae4 100644
--- libtirpc-0.2.2/tirpc/rpc/auth.h
+++ libtirpc-0.2.3-rc2/tirpc/rpc/auth.h
@@ -373,7 +373,7 @@ __END_DECLS
__BEGIN_DECLS
struct svc_req;
struct rpc_msg;
-enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
+enum auth_stat _svcauth_none (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
__END_DECLS
--
1.7.2.3
From 8271dfe7ec97a993fe3e369c9e02165f54f32322 Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:42:18 -0400
Subject: [PATCH 07/11] Reference count AUTHs
RPCSEC GSSv3 has the concept of a parent and a compound credential. As
the normal course of operation involves using multiple AUTHs per client
connection, and providing parent and compounds AUTHs when creating a
GSSv3 AUTH, we need a way of reference counting them so that
AUTH_DESTROY does not free them out from under a GSSv3 AUTH that is
using them.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/auth_des.c | 1 +
src/auth_gss.c | 2 ++
src/auth_unix.c | 1 +
tirpc/rpc/auth.h | 35 +++++++++++++++++++++++++++++++----
4 files changed, 35 insertions(+), 4 deletions(-)
diff --git libtirpc-0.2.2/src/auth_des.c libtirpc-0.2.3-rc2/src/auth_des.c
index 829c817..f0c8b8c 100644
--- libtirpc-0.2.2/src/auth_des.c
+++ libtirpc-0.2.3-rc2/src/auth_des.c
@@ -223,6 +223,7 @@ authdes_pk_seccreate(const char *servername, netobj *pkey, u_int window,
goto failed;
}
ad->ad_nis_srvr = NULL; /* not needed any longer */
+ auth_get(auth); /* Reference for caller */
return (auth);
failed:
diff --git libtirpc-0.2.2/src/auth_gss.c libtirpc-0.2.3-rc2/src/auth_gss.c
index df3017a..98f0341 100644
--- libtirpc-0.2.2/src/auth_gss.c
+++ libtirpc-0.2.3-rc2/src/auth_gss.c
@@ -200,6 +200,8 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec)
if (!authgss_refresh(auth))
auth = NULL;
+ else
+ auth_get(auth); /* Reference for caller */
clnt->cl_auth = save_auth;
diff --git libtirpc-0.2.2/src/auth_unix.c libtirpc-0.2.3-rc2/src/auth_unix.c
index 5b8990f..4b9b13f 100644
--- libtirpc-0.2.2/src/auth_unix.c
+++ libtirpc-0.2.3-rc2/src/auth_unix.c
@@ -162,6 +162,7 @@ authunix_create(machname, uid, gid, len, aup_gids)
*/
auth->ah_cred = au->au_origcred;
marshal_new_auth(auth);
+ auth_get(auth); /* Reference for caller */
return (auth);
#ifndef _KERNEL
cleanup_authunix_create:
diff --git libtirpc-0.2.2/tirpc/rpc/auth.h libtirpc-0.2.3-rc2/tirpc/rpc/auth.h
index f669ae4..5f66e67 100644
--- libtirpc-0.2.2/tirpc/rpc/auth.h
+++ libtirpc-0.2.3-rc2/tirpc/rpc/auth.h
@@ -203,8 +203,22 @@ typedef struct __auth {
} *ah_ops;
void *ah_private;
+ int ah_refcnt;
} AUTH;
+static __inline int
+auth_get(AUTH *auth)
+{
+ return __sync_add_and_fetch(&auth->ah_refcnt, 1);
+}
+
+static __inline int
+auth_put(AUTH *auth)
+{
+ return __sync_sub_and_fetch(&auth->ah_refcnt, 1);
+}
+
+
/*
* Authentication ops.
@@ -234,10 +248,23 @@ typedef struct __auth {
#define auth_refresh(auth, msg) \
((*((auth)->ah_ops->ah_refresh))(auth, msg))
-#define AUTH_DESTROY(auth) \
- ((*((auth)->ah_ops->ah_destroy))(auth))
-#define auth_destroy(auth) \
- ((*((auth)->ah_ops->ah_destroy))(auth))
+#define AUTH_DESTROY(auth) \
+ do { \
+ int refs; \
+ if ((refs = auth_put((auth))) == 0) \
+ ((*((auth)->ah_ops->ah_destroy))(auth));\
+ log_debug("%s: auth_put(), refs %d\n", \
+ __func__, refs); \
+ } while (0)
+
+#define auth_destroy(auth) \
+ do { \
+ int refs; \
+ if ((refs = auth_put((auth))) == 0) \
+ ((*((auth)->ah_ops->ah_destroy))(auth));\
+ log_debug("%s: auth_put(), refs %d\n", \
+ __func__, refs); \
+ } while (0)
#define AUTH_WRAP(auth, xdrs, xfunc, xwhere) \
((*((auth)->ah_ops->ah_wrap))(auth, xdrs, \
--
1.7.2.3
From e1cd6dc047c2f4d08f66776bc0206eeb5092f1f8 Mon Sep 17 00:00:00 2001
From: Matthew N. Dodd <matthew.nygard.dodd@gmail.com>
Date: Mon, 20 Jun 2011 13:45:11 -0400
Subject: [PATCH 08/11] Use correct AUTH when calling RPCSEC_GSS_DESTROY.
When using multiple AUTHs per client connection, calling
AUTH_DESTROY(auth) may result in 'cl_auth' being set to something other
than 'auth'.
Avoid this by saving and restoring 'cl_auth' across the
RPCSEC_GSS_DESTROY clnt_call().
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/auth_gss.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git libtirpc-0.2.2/src/auth_gss.c libtirpc-0.2.3-rc2/src/auth_gss.c
index 98f0341..a992049 100644
--- libtirpc-0.2.2/src/auth_gss.c
+++ libtirpc-0.2.3-rc2/src/auth_gss.c
@@ -557,9 +557,20 @@ authgss_destroy_context(AUTH *auth)
if (gd->gc.gc_ctx.length != 0) {
if (gd->established) {
+ AUTH *save_auth = NULL;
+
+ /* Make sure we use the right auth_ops */
+ if (gd->clnt->cl_auth != auth) {
+ save_auth = gd->clnt->cl_auth;
+ gd->clnt->cl_auth = auth;
+ }
+
gd->gc.gc_proc = RPCSEC_GSS_DESTROY;
clnt_call(gd->clnt, NULLPROC, (xdrproc_t)xdr_void, NULL,
(xdrproc_t)xdr_void, NULL, AUTH_TIMEOUT);
+
+ if (save_auth != NULL)
+ gd->clnt->cl_auth = save_auth;
}
gss_release_buffer(&min_stat, &gd->gc.gc_ctx);
/* XXX ANDROS check size of context - should be 8 */
--
1.7.2.3
From 5f9d6c0f7fc2dd1db56ec8bfad3661306fde3b5c Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Mon, 20 Jun 2011 13:48:56 -0400
Subject: [PATCH 09/11] Add multiple inclusion protection to rpc/des.h
If you try to include this file multiple times, you get a build failure
due to redefinitions of enums and such.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
tirpc/rpc/des.h | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git libtirpc-0.2.2/tirpc/rpc/des.h libtirpc-0.2.3-rc2/tirpc/rpc/des.h
index e3d6897..d2881ad 100644
--- libtirpc-0.2.2/tirpc/rpc/des.h
+++ libtirpc-0.2.3-rc2/tirpc/rpc/des.h
@@ -33,6 +33,9 @@
* Copyright (c) 1986 by Sun Microsystems, Inc.
*/
+#ifndef _RPC_DES_H_
+#define _RPC_DES_H_
+
#define DES_MAXLEN 65536 /* maximum # of bytes to encrypt */
#define DES_QUICKLEN 16 /* maximum # of bytes to encrypt quickly */
@@ -80,3 +83,5 @@ struct desparams {
* Software DES.
*/
extern int _des_crypt( char *, int, struct desparams * );
+
+#endif
--
1.7.2.3
From ebd3e644a79fa92b3b780d87d8028fcf64364abd Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Mon, 20 Jun 2011 13:52:14 -0400
Subject: [PATCH 10/11] Revert "Include des_crypt in build"
The des_crypt code requires the crypt_client code (which wasn't
added), and that code requires a currently undefined function
(namely xdr_desresp). Since I have no idea what that's about,
and this change ends up breaking some systems, just revert it.
Once we have a patch that improves portability without breaking
existing systems, we can revisit this.
This reverts commit 9bdcba10aa67ce3f67810c7aaac944a00dcfcee5.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/Makefile.am | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git libtirpc-0.2.2/src/Makefile.am libtirpc-0.2.3-rc2/src/Makefile.am
index 7ee8cbc..6731ff9 100644
--- libtirpc-0.2.2/src/Makefile.am
+++ libtirpc-0.2.3-rc2/src/Makefile.am
@@ -50,7 +50,7 @@ libtirpc_la_SOURCES = auth_none.c auth_unix.c authunix_prot.c bindresvport.c cln
rpc_callmsg.c rpc_generic.c rpc_soc.c rpcb_clnt.c rpcb_prot.c \
rpcb_st_xdr.c svc.c svc_auth.c svc_dg.c svc_auth_unix.c svc_generic.c \
svc_raw.c svc_run.c svc_simple.c svc_vc.c getpeereid.c \
- auth_time.c auth_des.c authdes_prot.c des_crypt.c
+ auth_time.c auth_des.c authdes_prot.c
## XDR
libtirpc_la_SOURCES += xdr.c xdr_rec.c xdr_array.c xdr_float.c xdr_mem.c xdr_reference.c xdr_stdio.c
--
1.7.2.3
From e6bdc5761e5340b0df03c2b5c344b04feabaad9e Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Wed, 20 Jul 2011 09:47:49 -0400
Subject: [PATCH 11/11] Segfault in SVCAUTH_WRAP call
The xprt->xp_auth pointer need to be checked before
used in the SVCAUTH_WRAP call since it can be NULL
during error conditions.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/svc_dg.c | 4 ++--
src/svc_vc.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git libtirpc-0.2.2/src/svc_dg.c libtirpc-0.2.3-rc2/src/svc_dg.c
index 5ef9df2..081db61 100644
--- libtirpc-0.2.2/src/svc_dg.c
+++ libtirpc-0.2.3-rc2/src/svc_dg.c
@@ -254,8 +254,8 @@ svc_dg_reply(xprt, msg)
XDR_SETPOS(xdrs, 0);
msg->rm_xid = su->su_xid;
if (xdr_replymsg(xdrs, msg) &&
- (!has_args ||
- (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
+ (!has_args || (xprt->xp_auth &&
+ SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
struct msghdr *msg = &su->su_msghdr;
struct iovec iov;
diff --git libtirpc-0.2.2/src/svc_vc.c libtirpc-0.2.3-rc2/src/svc_vc.c
index 74632e2..4c70de8 100644
--- libtirpc-0.2.2/src/svc_vc.c
+++ libtirpc-0.2.3-rc2/src/svc_vc.c
@@ -698,8 +698,8 @@ svc_vc_reply(xprt, msg)
msg->rm_xid = cd->x_id;
rstat = FALSE;
if (xdr_replymsg(xdrs, msg) &&
- (!has_args ||
- (SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
+ (!has_args || (xprt->xp_auth &&
+ SVCAUTH_WRAP(xprt->xp_auth, xdrs, xdr_results, xdr_location)))) {
rstat = TRUE;
}
(void)xdrrec_endofrecord(xdrs, TRUE);
--
1.7.2.3