From 9151a39539145e1f62f8b30168d1cdeb19299dac Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 26 Mar 2013 11:13:05 -0400
Subject: [PATCH 1/2] Switch to use standard GSSAPI by default
Make libgssglue configurable still but disabled by default.
There is no reason to use libgssglue anymore, and modern gssapi
supports all needed features for libtirpc and its dependencies.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
configure.ac | 23 +++++++++++++++++++----
src/Makefile.am | 4 ++--
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 40dce96..4a4adba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5,15 +5,30 @@ AC_CONFIG_SRCDIR([src/auth_des.c])
AC_CONFIG_MACRO_DIR([m4])
AC_ARG_ENABLE(gss,[ --enable-gss Turn on gss api], [case "${enableval}" in
- yes) gss=true ; AC_CHECK_LIB([gssapi],[gss_init_sec_context]) ;;
+ yes) gss=true ;;
no) gss=false ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-gss) ;;
esac],[gss=false])
AM_CONDITIONAL(GSS, test x$gss = xtrue)
+AC_ARG_WITH(gssglue,
+ [ --with-gssglue Use libgssglue],
+ [case "${enableval}" in
+ yes) gssglue=true ;;
+ no) gssglue=false ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --with-gssglue) ;;
+ esac],
+ [gssglue=false])
+AM_CONDITIONAL(USEGSSGLUE, test x$gssglue = xtrue)
if test x$gss = xtrue; then
- AC_DEFINE(HAVE_LIBGSSAPI, 1, [])
- PKG_CHECK_MODULES(GSSGLUE, libgssglue, [],
- AC_MSG_ERROR([Unable to locate information required to use libgssglue.]))
+ if test x$gssglue = xtrue; then
+ PKG_CHECK_MODULES(GSSAPI, libgssglue, [],
+ AC_MSG_ERROR([Unable to locate information required to use libgssglue.]))
+ else
+ GSSAPI_CFLAGS=`krb5-config --cflags gssapi`
+ GSSAPI_LIBS=`krb5-config --libs gssapi`
+ AC_SUBST([GSSAPI_CFLAGS])
+ AC_SUBST([GSSAPI_LIBS])
+ fi
fi
AC_ARG_ENABLE(ipv6,
[AC_HELP_STRING([--disable-ipv6], [Disable IPv6 support @<:@default=no@:>@])],
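Review bot: The new `AC_ARG_WITH(gssglue, ...)` block switches on `${enableval}`, but AC_ARG_WITH sets `withval`. At that point `enableval` holds whatever the preceding `--enable-gss` handling left behind, or nothing, so `--with-gssglue=no` can be misread as `yes` or rejected with the bad-value error. The case line and the message should read `case "${withval}" in` and `AC_MSG_ERROR(bad value ${withval} for --with-gssglue)`. Separately, the `else` branch takes the output of `krb5-config` unchecked: if the tool is not on PATH, GSSAPI_CFLAGS and GSSAPI_LIBS end up empty and configure still succeeds. Locating it with `AC_PATH_PROG` and failing through `AC_MSG_ERROR` when it is absent would stop an RPCSEC_GSS build at configure time rather than at link time.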
diff --git a/src/Makefile.am b/src/Makefile.am
index 66350f5..2dd7768 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,8 +58,8 @@ libtirpc_la_SOURCES += xdr.c xdr_rec.c xdr_array.c xdr_float.c xdr_mem.c xdr_ref
## Secure-RPC
if GSS
libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c
- libtirpc_la_LDFLAGS += $(GSSGLUE_LIBS)
- libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSGLUE_CFLAGS)
+ libtirpc_la_LDFLAGS += $(GSSAPI_LIBS)
+ libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSAPI_CFLAGS)
endif
## libtirpc_a_SOURCES += key_call.c key_prot_xdr.c getpublickey.c
--
1.8.1.4
From 4072a0bb8b619cab027bb3833785768681da4ed5 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 10 Apr 2013 11:38:14 -0400
Subject: [PATCH 2/2] gss: Fix private data giveaway
When the private data is given away the gss context also needs to go,
because the caller may destroy it, such as when the context is exported
into a lucid context to hand it to the kernel.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/auth_gss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/auth_gss.c b/src/auth_gss.c
index 81ae8ae..703bc3f 100644
--- a/src/auth_gss.c
+++ b/src/auth_gss.c
@@ -269,6 +269,7 @@ authgss_get_private_data(AUTH *auth, struct authgss_private_data *pd)
* send an RPCSEC_GSS_DESTROY request which might inappropriately
* destroy the context.
*/
+ gd->ctx = GSS_C_NO_CONTEXT;
gd->gc.gc_ctx.length = 0;
gd->gc.gc_ctx.value = NULL;
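Review bot: The comment above the added `gd->ctx = GSS_C_NO_CONTEXT;` still explains only why gc_ctx is zeroed, so the ownership transfer this line completes is undocumented. I would extend it with something like `/* The GSS context now belongs to pd; this AUTH must not be used for further GSS operations. */`. Whether the other paths in auth_gss.c that read gd->ctx tolerate GSS_C_NO_CONTEXT is not visible here and is worth confirming, since a later wrap or MIC call on this handle would now run without a context. The body of authgss_get_private_data starts and ends outside the hunk.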
@@ -284,7 +285,8 @@ authgss_free_private_data(struct authgss_private_data *pd)
if (!pd)
return (FALSE);
- pd->pd_ctx = NULL;
+ if (pd->pd_ctx != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_stat, &pd->pd_ctx, NULL);
gss_release_buffer(&min_stat, &pd->pd_ctx_hndl);
memset(&pd->pd_ctx_hndl, 0, sizeof(pd->pd_ctx_hndl));
pd->pd_seq_win = 0;
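Review bot: authgss_free_private_data now deletes `pd->pd_ctx` instead of just clearing it, which changes the contract for existing callers and is not documented. A caller that already consumed the context elsewhere (the commit message mentions export into a lucid context) and left the stale handle in `pd->pd_ctx` would now trigger a second delete of the same context. The function header should state that the caller owns pd_ctx after authgss_get_private_data and must set `pd->pd_ctx = GSS_C_NO_CONTEXT;` once the context has been consumed, before calling this function. The major status returned by `gss_delete_sec_context` is also discarded, so a failed delete is silent; the function starts before and continues past the hunk, so how it reports errors is not visible.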
--
1.8.1.4