Chuck Lever [Wed, 22 Apr 2015 15:04:04 +0000 (11:04 -0400)]
Finish server-side rpc_gss_*() APIs
In a previous patch, rpc_gss_set_callback(3t) was added as a
stub function. Now, plumb in real support for callbacks.
As I understand it:
The libtirpc API consumer can register any number of callbacks.
Each callback function is invoked once when a GSS context is
established.
The callback function return value indicates whether the API
consumer wants to allow the new GSS context, or refuse it. It can
also specify whether the client may use other qop or svc settings
for subsequent requests using this GSS context (locked).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 22 Apr 2015 15:00:35 +0000 (11:00 -0400)]
Add server-side rpc_gss_*() APIs
Introduce new RPCSEC API functions that match the same libtirpc API
in FreeBSD and Solaris. This includes rpc_gss_getcred(3t),
rpc_gss_svc_max_data_length(3t), rpc_gss_set_svc_name(3t),
rpc_gss_set_callback(3t), and rpc_gss_get_principal_name(3t).
The man pages, written by Doug Rabson, come from FreeBSD, with
some adjustments by me.
The new code was written from scratch based on FreeBSD's
implementation, but adapted to invoke the existing legacy U-M APIs
in our implementation. We will maintain the legacy APIs until
consumers are switched to the new ones. FreeBSD never had the
legacy U-M API.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 22 Apr 2015 14:45:05 +0000 (10:45 -0400)]
Add client-side rpc_gss_*() APIs
Introduce new client-side RPCSEC API functions that match the same
libtirpc API in FreeBSD and Solaris. This includes
rpc_gss_seccreate(3t), rpc_gss_set_defaults(3t), and
rpc_gss_max_data_length(3t).
The man pages, written by Doug Rabson, come from FreeBSD, with
some adjustments by me.
The new code was written from scratch based on FreeBSD's
implementation, but adapted to invoke the existing legacy U-M APIs
in our implementation. We will continue to provide the legacy APIs
until API consumers are switched to the new ones. FreeBSD never had
the legacy U-M GSS APIs.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 9 Feb 2015 15:47:30 +0000 (10:47 -0500)]
Add utility rpc_gss_*() APIs
These are utility functions used by both client and server consumers
of RPCSEC GSS. The man pages, written by Doug Rabson, come from
FreeBSD, with some adjustments by me. The following functions are
added:
rpc_gss_get_error(3t), rpc_gss_get_mechanisms(3t),
rpc_gss_get_mech_info(3t), rpc_gss_get_versions(3t),
rpc_gss_is_installed(3t), rpc_gss_mech_to_oid(3t), and
rpc_gss_qop_to_num(3t).
This is a relatively simple patch, but there are a couple of
important design points to call out.
1. Don't add a new DLL
Solaris and FreeBSD keep a dynamic library separate from libtirpc
for RPCSEC_GSS support, called librpcsec_gss. Our existing
RPCSEC_GSS support, though unfinished, is already built into our
fork of the libtirpc library. This patch continues with that
approach by adding these new functions in libtirpc instead of
introducing another library.
2. Don't bother with /etc/gss/{mech,qop}
The Solaris gssapi implementation uses the files
/etc/gss/{mech,qop} to define supported GSS mechanisms. The
rpc_gss_*() API provides the utility functions added in this patch
so that RPC consumers can easily discover what GSS mechanisms are
available.
FreeBSD and Linux use the MIT gssapi implementation, which does not
use /etc/gss/{mech,qop}.
The FreeBSD implementation of the rpc_gss_*() API emulates support
for these configuration files, rather than invoking gssapi functions
that don't exist in the MIT gssapi library.
For Linux, I don't see a need for the extra config files:
o Our fork of libtirpc will support only the Kerberos GSS
mechanism for the foreseeable future.
o It's easy to add another GSS mechanism in the static data
structures, and that should be done only after thorough
testing.
o It should be a simple change to add support for /etc/gss/* if
we find we need it.
o Consumers of the rpc_gss_*() API ported from FreeBSD or
Solaris should see exactly the same result when calling the
new utility functions.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 9 Feb 2015 15:42:20 +0000 (10:42 -0500)]
Add header definitions for rpc_gss_*() APIs
This patch describes the API defined in Solaris and FreeBSD to
provide RPCSEC GSS support for user space TI-RPC consumers.
The header file is based on the API provided in Solaris, but was
written from scratch. The man page was written by Doug Rabson
for the FreeBSD implementation of this API, and updated by me
where needed.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Olaf Kirch [Thu, 23 Apr 2015 12:39:50 +0000 (08:39 -0400)]
rpc_broadcast: handle misformed rpcbind replies
Some rpcbind implementations seem to return IPv6 uaddrs
in response to an IPv4 broadcast (which is probably due
to their using a single v6 socket to handle both v6 and
v4 requests).
We can either discard these replies, or fix them up silently.
Here's a patch that implements the latter.
Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
The bootstrap script in the libtirpc directory currently doesn't
work because it doesn't set up libtool. This leads to a (for me)
non-working configure script and a missing Makefile.in.
Natanael Copa [Wed, 22 Apr 2015 18:50:27 +0000 (14:50 -0400)]
Fix location of various standard header includes
poll.h, signal.h, errno.h and fcntl.h are all defined in POSIX
and their locations are not under sys/.
This fixes various compile warnings when building with musl libc like:
In file included from clnt_dg.c:40:0:
/usr/include/sys/poll.h:1:2: warning: #warning redirecting
incorrect #include <sys/poll.h> to <poll.h> [-Wcpp]
In file included from clnt_generic.c:32:0:
/usr/include/sys/fcntl.h:1:2: warning: #warning redirecting
incorrect #include <sys/fcntl.h> to <fcntl.h> [-Wcpp]
In file included from auth_time.c:34:0:
/usr/include/sys/signal.h:1:2: warning: #warning redirecting
incorrect #include <sys/signal.h> to <signal.h> [-Wcpp]
In file included from auth_time.c:35:0:
/usr/include/sys/errno.h:1:2: warning: #warning redirecting
incorrect #include <sys/errno.h> to <errno.h> [-Wcpp]
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Natanael Copa [Wed, 22 Apr 2015 16:26:14 +0000 (12:26 -0400)]
Fix compile error: 'IPPORT_RESERVED' undeclared
The IPPORT_RESERVED is declared in netdb.h. This fixes the following
compile error with musl libc:
bindresvport.c: In function 'bindresvport_sa':
bindresvport.c:67:18: error: 'IPPORT_RESERVED' undeclared (first use in
this function)
#define ENDPORT (IPPORT_RESERVED - 1)
^
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Natanael Copa [Wed, 22 Apr 2015 16:23:57 +0000 (12:23 -0400)]
Add configure option to disable DES authentication
DES is not good for encryption anymore and some C libraries do not
even implement it. We add a --disable-authdes to optionally disable
it, but let it be enabled by default for compatibility.
This is needed for musl libc.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Natanael Copa [Wed, 22 Apr 2015 16:17:33 +0000 (12:17 -0400)]
Provide getrpcbynumber and getrpcbyname if those are missing
We enable the config.h again and check if getrpcbynumber and
getrpcbyname exist on the building platform. If they do not exist, then
provide those functions.
This is needed for musl libc.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Olaf Kirch [Tue, 16 Dec 2014 19:02:39 +0000 (14:02 -0500)]
libtirpc: fix crash with tuntap devices
Linux tuntap devices and other virtual network devices, if not
configured, will be reported by getifaddrs() with a NULL ifa_addr
pointer. __rpc_getifaddrs would trip over that, because it dereferenced
the ifa_addr pointer without checking.
Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Thorsten Kukuk [Tue, 16 Dec 2014 19:00:12 +0000 (14:00 -0500)]
tirpc: fix taddr2uaddr for AF_LOCAL
taddr2uaddr would return trailing garbage for AF_LOCAL addresses.
taddr2uaddr assumed that the sun_path field of an AF_LOCAL address
was always NULL terminated, but that is not necessarily the case,
especially if the buffer was allocated using the correct SUN_LEN().
Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
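Added example (not code from libtirpc or from this commit): one way to extract the path from an AF_LOCAL address without assuming sun_path is NUL terminated, by bounding the scan with the address length. The names local_path_dup and demo_unterminated and the sample path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* local_path_dup() is a hypothetical helper, not libtirpc's taddr2uaddr().
 * Returns a malloc'd, NUL-terminated copy of the path held in an AF_LOCAL
 * address of addrlen bytes, or NULL. It never reads past addrlen. */
static char *local_path_dup(const void *addr, size_t addrlen)
{
    const struct sockaddr_un *sun = addr;
    const size_t off = offsetof(struct sockaddr_un, sun_path);
    size_t max, n;
    const char *nul;
    char *out;

    if (addr == NULL || addrlen < off || sun->sun_family != AF_LOCAL)
        return NULL;
    max = addrlen - off;                 /* path bytes the caller supplied */
    if (max > sizeof(sun->sun_path))
        max = sizeof(sun->sun_path);
    nul = memchr(sun->sun_path, '\0', max);
    n = nul ? (size_t)(nul - sun->sun_path) : max;
    if ((out = malloc(n + 1)) == NULL)
        return NULL;
    memcpy(out, sun->sun_path, n);
    out[n] = '\0';                       /* terminate our copy, not theirs */
    return out;
}

/* Constructed input: a SUN_LEN()-sized address whose path has no NUL and is
 * followed in memory by unrelated bytes ('X'). Returns 1 if only the path
 * comes back. */
static int demo_unterminated(void)
{
    static const char path[] = "/run/demo.sock";      /* constructed */
    const size_t off = offsetof(struct sockaddr_un, sun_path);
    const size_t plen = sizeof(path) - 1;
    struct sockaddr_un sun;
    char *got;
    int ok;

    memset(&sun, 'X', sizeof(sun));
    sun.sun_family = AF_LOCAL;
    memcpy(sun.sun_path, path, plen);                 /* no terminator */
    got = local_path_dup(&sun, off + plen);
    ok = got != NULL && strcmp(got, path) == 0;
    free(got);
    return ok;
}
```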
Olaf Kirch [Tue, 16 Dec 2014 18:48:52 +0000 (13:48 -0500)]
Fix a crash in clntunix_create
Programs using clntunix_create would abort because glibc detected an
attempt to free a bad pointer. It turns out that clntunix_create
has two bugs:
- it sets up a struct netbuf to hold the sockaddr_un passed
into the function, but instead of copying the data, it
just assigns the sockaddr pointer - and eventually tries to
free that pointer.
- when setting up the netbuf, it uses sizeof(raddr) instead
of sizeof(*raddr).
Instead of doing the trivial fixes, I changed the function to use
the __rpc_set_netbuf utility function. While I was at it, I removed
an unused local variable.
Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Olaf Kirch [Tue, 16 Dec 2014 18:38:33 +0000 (13:38 -0500)]
Fix a bug in clnt broadcast
Before calling the replyproc function on a broadcast reply,
we convert the server-provided address using uaddr2taddr.
This may fail (e.g. if the server provided a garbage address),
and return NULL. In this case, we should not call the replyproc
function - because the caller expects the address netbuf to
be a valid pointer, rather than NULL.
Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Bodo Stroesser [Thu, 6 Nov 2014 18:26:00 +0000 (13:26 -0500)]
write_vc: fix write retry loop for nonblocking mode
This is a simple fix for the write retry loop that is used on
non-blocking connections if write() failed with -EAGAIN.
Additionally it removes a redundant if () {}.
Erroneously at each cycle of the loop the length of the data
to send is incremented and the buffer pointer is decremented.
Thus, it might happen that:
* the application crashes
* data from the memory before the buffer is sent
Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com> Signed-off-by: Steve Dickson <steved@redhat.com>
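Added example (not libtirpc's write_vc() and not the code from this commit): a write retry loop for a non-blocking descriptor that advances the buffer pointer and shrinks the remaining length only by what write() accepted, and leaves both untouched on EAGAIN. The names write_fully, demo_roundtrip and DEMO_LEN are assumptions; the self-check pushes constructed data through a pipe to a forked reader.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define DEMO_LEN (256u * 1024u)  /* constructed size, larger than a pipe buffer */

/* Hypothetical helper: send len bytes on a non-blocking fd; returns len or -1. */
static ssize_t write_fully(int fd, const char *buf, size_t len)
{
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, buf, left);
        if (n < 0) {
            struct pollfd p = { .fd = fd, .events = POLLOUT };
            if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
                return -1;
            /* Nothing was sent: wait for room, leave buf and left alone. */
            (void)poll(&p, 1, -1);
            continue;
        }
        /* Advance past what was accepted. The loop the commit describes
         * moved these the other way and read memory before the buffer. */
        buf += n;
        left -= (size_t)n;
    }
    return (ssize_t)len;
}

/* Self-check: a forked reader verifies every byte sent through the pipe. */
static int demo_roundtrip(void)
{
    static char data[DEMO_LEN];
    char chunk[4096];
    int pfd[2], status = -1;
    size_t i, got = 0;
    ssize_t n, sent;
    pid_t pid;
    for (i = 0; i < DEMO_LEN; i++)
        data[i] = (char)(i * 31 + 7);
    if (pipe(pfd) < 0 || (pid = fork()) < 0)
        return 0;
    if (pid == 0) {                     /* child: read until EOF */
        close(pfd[1]);
        while ((n = read(pfd[0], chunk, sizeof(chunk))) > 0) {
            if (got + (size_t)n > DEMO_LEN || memcmp(chunk, data + got, (size_t)n))
                _exit(1);
            got += (size_t)n;
        }
        _exit(got == DEMO_LEN ? 0 : 2);
    }
    close(pfd[0]);
    fcntl(pfd[1], F_SETFL, fcntl(pfd[1], F_GETFL) | O_NONBLOCK);
    sent = write_fully(pfd[1], data, DEMO_LEN);
    close(pfd[1]);
    return waitpid(pid, &status, 0) == pid && sent == (ssize_t)DEMO_LEN
        && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```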
Steve Dickson [Mon, 14 Jul 2014 13:21:11 +0000 (09:21 -0400)]
print_rpc_gss_sec: Make sure logging to stderr is enabled.
It does not make sense to try and convert this routine to
use the new debugging macro. So just ensure the correct
debugging level and printing to stderr are enabled.
Steve Dickson [Mon, 14 Jul 2014 13:02:10 +0000 (09:02 -0400)]
gss_log: Replace gss_log_debug with LIBTIRPC_DEBUG macros
A couple of gss_log_debug() calls are reporting errors.
To allow errors to be logged with the least amount
of debugging on, replace those calls with the LIBTIRPC_DEBUG
macro.
Steve Dickson [Mon, 14 Jul 2014 17:05:35 +0000 (13:05 -0400)]
libtirpc: New configurable debugging routines
This patch added a new configurable debugging interface that
will allow existing debugging statements to be enabled
and disabled by the calling application.
libtirpc_set_debug(char *name, int level, int use_stderr)
* This is called by the application to set the debugging level.
If use_stderr is set, all messages will go to stderr,
otherwise syslog() will be used.
LIBTIRPC_DEBUG(level, msg)
* This is the macro called by functions within the library.
libtirpc_log_dbg(char *fmt, ...)
* This is the routine the LIBTIRPC_DEBUG macro uses to
log the messages and can be called directly by internal
routines
vlibtirpc_log_dbg(int level, const char *fmt, va_list args)
* This routine is used by existing debugging routines
that have already obtained their arguments using
stdarg(3) macros.
Chuck Lever [Wed, 9 Apr 2014 18:00:56 +0000 (14:00 -0400)]
Pre-register server side RPCSEC GSS support
When --enable-gss is specified on the ./configure command line,
have the library automatically register server-side support for the
RPCSEC_GSS auth flavor.
The complication is that specific interaction is required with the
RPC client if GSS authentication fails. GSS authentication sometimes
has to squelch the normal reply done by svc_getreq(), and substitute
its own.
_svcauth_gss() already has a boolean argument to do this. But
_authenticate() is an official API (see rpc/svc_auth.h). We can't
alter its synopsis.
Instead of adding a "no_dispatch" argument to our existing
_authenticate() API, preserve its synopsis for backwards
compatibility, and introduce a second external authentication API
for the dispatcher.
This matches a similar API change done in the Solaris libtirpc.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:24:24 +0000 (11:24 -0500)]
man: Organize man/Makefile.am
Clean up man/Makefile.
Document man pages we maintain upstream but that are typically not
installed by distributions.
Finally, restore the man page which describes the libtirpc rpcbind
client API. This includes rpcb_getmaps(3t), rpcb_getaddr(3t),
rpcb_gettime(3t), rpcb_rmtcall(3t), rpcb_set(3t), and
rpcb_unset(3t).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:21:29 +0000 (11:21 -0500)]
Clean up forward declarations in src/svc_auth_gss.c
Address some sparse complaints
Bring the forward declarations for the auth_ops defined in
svc_auth_gss.c up to recent C standards. These should match the
function prototypes used to declare the auth_ops structure.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:19:55 +0000 (11:19 -0500)]
Clean up forward declarations in src/auth_gss.c
Address some sparse complaints
Bring the forward declarations for the auth_ops defined in auth_gss.c
up to recent C standards. These should match the function prototypes
used to declare the auth_ops structure.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:17:09 +0000 (11:17 -0500)]
Add a pthread key initializer constant
Clean up: replace the naked "-1" with a symbolic constant that helps
document what is going on. The name matches the name of the other
pthread initializer constants.
Also, since pthread_key_t is an unsigned integer, use a type cast to
eliminate the implicit cast that occurs every time foo_key is
compared to -1. This eliminates a number of compiler warnings.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:13:51 +0000 (11:13 -0500)]
configure: permanently enable maintainer mode
I noticed that "make" doesn't run configure again when a patch is
applied that changes the build environment. Maintainer mode appears
to be disabled by default.
Section 27.2 of the Automake manual suggests that disabling
Maintainer Mode causes unreliable builds because it removes the
guarantee that the build environment is up to date.
Remove the configure.ac macro to disable or enable maintainer mode.
This leaves Maintainer Mode enabled all the time.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The function clnt_create is *not* thread safe. Race conditions in the
function clnt_vc_create that accesses static data disrupt, which is
*not* protected by any mutex. When more than one thread accesses it,
it has become a nonlocal side effect. These race conditions can lead to
undesired behaviour. By introducing the mutex disrupt_lock
the function clnt_vc_create is serialized.
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The function clnt_create is *not* thread safe. Race conditions in
the function bindresvport that accesses static data port and startport,
which are *not* protected by any mutex. When more than one thread
accesses them the variables become a nonlocal side effect. These race
conditions can lead to undesired behaviour. By introducing the mutex
port_lock the function bindresvport is serialized.
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The clnt_* functions are *not* thread safe. Race conditions are caused
by the functions setnetconfig, getnetconfig, endnetconfig and
getnetconfigent that access global static data nc_file and ni, which
are defined in the file getnetconfig and are *not* protected by any mutex.
When more than one thread accesses them the variables become a nonlocal
side effect. These race conditions cause the process to give undesired
behavior and lead to crashes on file operations, mostly on fclose. By
introducing the mutex nc_db_lock the netconfig database is synchronized
and prevented from crashing.
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 1 Jul 2013 13:40:02 +0000 (09:40 -0400)]
Remove variadic macro invocation
Commit f8104ba9 "Fix debugging reference from non-GSS to optional
GSS code.", Thu Apr 26 15:12:08 2012, introduces a variadic macro
invocation (a GNU C extension) in the rpc/auth.h header.
An attempt was made to hide the extension behind #ifdef __GNUC__
but the #else arm also uses the same synopsis, so the variadic macro
is visible for non-GNU C compiles as well.
With gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8) on Fedora 18, I
see:
/usr/include/tirpc/rpc/auth.h:255:32: warning: ISO C does not permit
named variadic macros [-Wvariadic-macros]
I imagine this warning is produced by the "-pedantic" gcc option,
which I use in various projects that depend on libtirpc headers.
Rather than further cluttering the code in auth.h, we can live
without this debugging message.
Cc: Nick Alcock <nick.alcock@oracle.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Thu, 18 Apr 2013 18:29:58 +0000 (14:29 -0400)]
svc_getargs(): Should not be freeing arg pointers on failures
Commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduced a regression
that causes callers of svc_getargs() to crash when svc_freeargs() frees
arg pointers that are allocated on the stack.
svc_getargs() should let the callers do the freeing and not make any
assumptions on the type of memory passed in.
Also see:
https://bugzilla.redhat.com/show_bug.cgi?id=948378
and
CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash
Simo Sorce [Wed, 10 Apr 2013 15:38:14 +0000 (11:38 -0400)]
gss: Fix private data giveaway
When the private data is given away the gss context also needs to go,
because the caller may destroy it, such as when the context is exported
into a lucid context to hand it to the kernel.
Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Simo Sorce [Tue, 26 Mar 2013 15:13:05 +0000 (11:13 -0400)]
Switch to use standard GSSAPI by default
Make libgssglue configurable still but disabled by default.
There is no reason to use libgssglue anymore, and modern gssapi
supports all needed features for libtirpc and its dependencies.
NeilBrown [Tue, 12 Feb 2013 14:43:45 +0000 (09:43 -0500)]
Add authgss_free_private_data interface.
This is a necessary partner to authgss_get_private_data, so that
the caller can free the data when needed (and not before).
The previous practice of leaving the private data where it was resulted
in authgss_destroy_context() attempting to destroy the context on the
server which was incorrect, and fortunately fails for other reasons.
An application which uses authgss_get_private_data() but does not call
authgss_free_private_data() will be as correct as, or slightly more
correct than, it was, but will suffer a slight memory leak.
When compiled on RHEL 5.5, the build fails due to a missing
SOCK_CLOEXEC flag that is not available in the downstream kernel.
This patch corrects this error by checking to see if the flag is
present before using it.
Signed-off-by: Allison Henderson <achender@linux.vnet.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>