From 9151a39539145e1f62f8b30168d1cdeb19299dac Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Mar 2013 11:13:05 -0400 Subject: [PATCH 1/2] Switch to use standard GSSAPI by default Make libgssglue configurable still but disabled by default. There is no reason to use libgssglue anymore, and modern gssapi supports all needed features for libtirpc and its dependencies. Signed-off-by: Steve Dickson --- configure.ac | 23 +++++++++++++++++++---- src/Makefile.am | 4 ++-- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index 40dce96..4a4adba 100644 --- a/configure.ac +++ b/configure.ac @@ -5,15 +5,30 @@ AC_CONFIG_SRCDIR([src/auth_des.c]) AC_CONFIG_MACRO_DIR([m4]) AC_ARG_ENABLE(gss,[ --enable-gss Turn on gss api], [case "${enableval}" in - yes) gss=true ; AC_CHECK_LIB([gssapi],[gss_init_sec_context]) ;; + yes) gss=true ;; no) gss=false ;; *) AC_MSG_ERROR(bad value ${enableval} for --enable-gss) ;; esac],[gss=false]) AM_CONDITIONAL(GSS, test x$gss = xtrue) +AC_ARG_WITH(gssglue, + [ --with-gssglue Use libgssglue], + [case "${enableval}" in + yes) gssglue=true ;; + no) gssglue=false ;; + *) AC_MSG_ERROR(bad value ${enableval} for --with-gssglue) ;; + esac], + [gssglue=false]) +AM_CONDITIONAL(USEGSSGLUE, test x$gssglue = xtrue) if test x$gss = xtrue; then - AC_DEFINE(HAVE_LIBGSSAPI, 1, []) - PKG_CHECK_MODULES(GSSGLUE, libgssglue, [], - AC_MSG_ERROR([Unable to locate information required to use libgssglue.])) + if test x$gssglue = xtrue; then + PKG_CHECK_MODULES(GSSAPI, libgssglue, [], + AC_MSG_ERROR([Unable to locate information required to use libgssglue.])) + else + GSSAPI_CFLAGS=`krb5-config --cflags gssapi` + GSSAPI_LIBS=`krb5-config --libs gssapi` + AC_SUBST([GSSAPI_CFLAGS]) + AC_SUBST([GSSAPI_LIBS]) + fi fi AC_ARG_ENABLE(ipv6, [AC_HELP_STRING([--disable-ipv6], [Disable IPv6 support @<:@default=no@:>@])], diff --git a/src/Makefile.am b/src/Makefile.am index 66350f5..2dd7768 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -58,8 +58,8 @@ libtirpc_la_SOURCES += xdr.c xdr_rec.c xdr_array.c xdr_float.c xdr_mem.c xdr_ref ## Secure-RPC if GSS libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c - libtirpc_la_LDFLAGS += $(GSSGLUE_LIBS) - libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSGLUE_CFLAGS) + libtirpc_la_LDFLAGS += $(GSSAPI_LIBS) + libtirpc_la_CFLAGS = -DHAVE_RPCSEC_GSS $(GSSAPI_CFLAGS) endif ## libtirpc_a_SOURCES += key_call.c key_prot_xdr.c getpublickey.c -- 1.8.1.4 From 4072a0bb8b619cab027bb3833785768681da4ed5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 10 Apr 2013 11:38:14 -0400 Subject: [PATCH 2/2] gss: Fix private data giveaway When the private data is given away the gss context also needs to go, because the caller may destroy it, such as when the context is exported into a lucid context to hand it to the kernel. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson --- src/auth_gss.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/auth_gss.c b/src/auth_gss.c index 81ae8ae..703bc3f 100644 --- a/src/auth_gss.c +++ b/src/auth_gss.c @@ -269,6 +269,7 @@ authgss_get_private_data(AUTH *auth, struct authgss_private_data *pd) * send an RPCSEC_GSS_DESTROY request which might inappropriately * destroy the context. */ + gd->ctx = GSS_C_NO_CONTEXT; gd->gc.gc_ctx.length = 0; gd->gc.gc_ctx.value = NULL; @@ -284,7 +285,8 @@ authgss_free_private_data(struct authgss_private_data *pd) if (!pd) return (FALSE); - pd->pd_ctx = NULL; + if (pd->pd_ctx != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, &pd->pd_ctx, NULL); gss_release_buffer(&min_stat, &pd->pd_ctx_hndl); memset(&pd->pd_ctx_hndl, 0, sizeof(pd->pd_ctx_hndl)); pd->pd_seq_win = 0; -- 1.8.1.4