Steve Dickson [Mon, 14 Jul 2014 13:21:11 +0000 (09:21 -0400)]
print_rpc_gss_sec: Make sure logging to stderr is enabled.
It does not make sense to try an covert this routine to
used the new debugging macro. So just insure the correct
debugging level and printing to stderr is enabled.
Steve Dickson [Mon, 14 Jul 2014 13:02:10 +0000 (09:02 -0400)]
gss_log: Replace gss_log_debug with LIBTIRPC_DEBUG macros
A couple gss_log_debug() calls are reporting errors.
To allow errors to be logged with the least amount
of debugging on, replace those calls the LIBTIRPC_DEBUG
macro
Steve Dickson [Mon, 14 Jul 2014 17:05:35 +0000 (13:05 -0400)]
libtirpc: New configurable debugging routines
This patch added new configurable debugging interface that
will allow existing debugging statements to be enabled
and disabled by the calling application.
libtirpc_set_debug(char *name, int level, int use_stderr)
* This called by the application to set the debugging level.
If use_stderr is set, all message will go to stderr,
otherwise syslog() will be used.
LIBTIRPC_DEBUG(level, msg)
* This is the macro called by functions within the library.
libtirpc_log_dbg(char *fmt, ...)
* This is the routine the LIBTIRPC_DEBUG macro uses to
log the messages and can be called directly by internal
routines
vlibtirpc_log_dbg(int level, const char *fmt, va_list args)
* This routine is used by existing debugging routines
that have already obtained their arguments using
stdarg(3) macros.
Chuck Lever [Wed, 9 Apr 2014 18:00:56 +0000 (14:00 -0400)]
Pre-register server side RPCSEC GSS support
When --enable-gss is specified on the ./configure command line,
have the library automatically register server-side support for the
RPCSEC_GSS auth flavor.
The complication is that specific interaction is required with the
RPC client if GSS authentication fails. GSS authentication sometimes
has to squelch the normal reply done by svc_getreq(), and substitute
its own.
_svcauth_gss() already has a boolean argument to do this. But
_authenticate() is an official API (see rpc/svc_auth.h). We can't
alter its synopsis.
Instead of adding a "no_dispatch" argument to our existing
_authenticate() API, preserve its synopsis for backwards
compatibility, and introduce a second external authentication API
for the dispatcher.
This matches a similar API change done in the Solaris libtirpc.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:24:24 +0000 (11:24 -0500)]
man: Organize man/Makefile.am
Clean up man/Makefile.
Document man pages we maintain upstream but that are typically not
installed by distributions.
Finally, restore the man page which describes the libtirpc rpcbind
client API. This includes rpcb_getmaps(3t), rpcb_getaddr(3t),
rpcb_gettime(3t), rpcb_rmtcall(3t), rpcb_set(3t), and
rpcb_unset(3t).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:21:29 +0000 (11:21 -0500)]
Clean up forward declarations in src/svc_auth_gss.c
Address some sparse complaints
Bring the forward declarations for the auth_ops defined in
svc_auth_gss.c up to recent C standards. These should match the
function prototypes used to declare the auth_ops structure.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:19:55 +0000 (11:19 -0500)]
Clean up forward declarations in src/auth_gss.c
Address some sparse complaints
Bring the forward declarations for the auth_ops defined in auth_gss.c
up to recent C standards. These should match the function prototypes
used to declare the auth_ops structure.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:17:09 +0000 (11:17 -0500)]
Add a pthread key initializer constant
Clean up: replace the naked "-1" with a symbolic constant that helps
document what is going on. The name matches the name of the other
pthread initializer constants.
Also, since pthread_key_t is an unsigned integer, use a type cast to
eliminate the implicit cast that occurs every time foo_key is
compared to -1. This eliminates a number of compiler warnings.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 23 Jan 2014 16:13:51 +0000 (11:13 -0500)]
configure: permanently enable maintainer mode
I noticed that "make" doesn't run configure again when a patch is
applied that changes the build environment. Maintainer mode appears
to be disabled by default.
Section 27.2 of the Automake manual suggests that disabling
Maintainer Mode causes unreliable builds because it removes the
guarantee that the build environment is up to date.
Remove the configure.ac macro to disable or enable maintainer mode.
This leaves Maintainer Mode enabled all the time.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The function clnt_create is *not* thread safe. Race conditions in the
function clnt_vc_create that accesses static data disrupt, which is
*not* protected by any mutex. When more than one thread access it
it has become a nonlocal side effect . This race conditions can lead to
undesired behaviour . By introducing the mutex disrupt_lock
the function clnt_vc_create is serialized
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The function clnt_create is *not* thread safe . Race conditions in
the function bindresvport that accesses static data port and startport,
which are *not* protected by any mutex. When more than one thread
access them the variables become a nonlocal side effect. These race
conditions
can lead to undesired behaviour . By introducing the mutex port_lock
the function bindresvport is serialized.
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The clnt_* functions are *not* thread safe. Race conditions are caused
by the functions setnetconfig , getnetconfig, endnetconfig and
getnetconfigent that accesses global static data nc_file and ni which
are defined in the file getnetconfig are *not* protected by any mutex.
When more than one thread access them the variables become a nonlocal
side effect . These race conditions causing process to give undesired
behavior and leading to crash on file operations mostly on fclose. By
introducing the mutex nc_db_lock the netconfig database is synchronized
and prevented from crash.
Signed-off-by: Susant Sahani <ssahani@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 1 Jul 2013 13:40:02 +0000 (09:40 -0400)]
Remove variadic macro invocation
Commit f8104ba9 "Fix debugging reference from non-GSS to optional"
GSS code.", Thu Apr 26 15:12:08 2012, introduces a variadic macro
invocation (a GNU C extension) in the rpc/auth.h header.
An attempt was made to hide the extension behind #ifdef __GNUC__
but the #else arm also uses the same synopsis, so the variadic macro
is visible for non-GNU C compiles as well.
With gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8) on Fedora 18, I
see:
/usr/include/tirpc/rpc/auth.h:255:32: warning: ISO C does not permit
named variadic macros [-Wvariadic-macros]
I imagine this warning is produced by the "-pedantic" gcc option,
which I use in various projects that depend on libtirpc headers.
Rather than further cluttering the code in auth.h, we can live
without this debugging message.
Cc: Nick Alcock <nick.alcock@oracle.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Thu, 18 Apr 2013 18:29:58 +0000 (14:29 -0400)]
svc_getargs(): Should not be freeing arg pointers on failures
commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduce a regression
that causes callers of svc_getargs() to crash when svc_freeargs() frees
args points that are allocated on the stack.
svc_getargs() should let the callers do the freeing and not make any
assumptions on the type of memory passed in.
Also see:
https://bugzilla.redhat.com/show_bug.cgi?id=948378
and
CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash
Simo Sorce [Wed, 10 Apr 2013 15:38:14 +0000 (11:38 -0400)]
gss: Fix private data giveaway
When the private data is given away the gss context also needs to go,
because the caller may destroy it, such as when the context is exported
into a lucid context to hand it to the kernel.
Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Simo Sorce [Tue, 26 Mar 2013 15:13:05 +0000 (11:13 -0400)]
Switch to use standard GSSAPI by default
Make libgssglue configurable still but disabled by default.
There is no reason to use libgssglue anymore, and modern gssapi
supports all needed features for libtirpc and its dependencies.
NeilBrown [Tue, 12 Feb 2013 14:43:45 +0000 (09:43 -0500)]
Add authgss_free_private_data interface.
This is a necessary partner to authgss_get_private_data, so that
the caller can free the data when needed (and not before).
The previous practice of leaving the private data where it was resulted
in authgss_destroy_context() attempting to destroy the context on the
server which was incorrect, and fortunately fails for other reasons.
An application which uses authgss_get_private_data() but does not call
authgss_free_private_data() will be as correct as, or slightly more
correct than, it was, but will suffer a slight memory leak.
When compiled on rhel 5.5, the build fails due to a missing
SOCK_CLOEXEC flag that is not available in the downstream kernel.
This patch corrects this error by checking to see if the flag is
present before using it
Signed-off-by: Allison Henderson <achender@linux.vnet.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Nick Alcock [Thu, 26 Apr 2012 19:42:42 +0000 (15:42 -0400)]
Fix debugging-related namespace pollution.
From: Nick Alcock <nick.alcock@oracle.com>
When GSS is compiled in, libtirpc exports three symbols, 'log_debug',
'log_status', and 'log_hexdump', which do nothing unless DEBUG is #defined
at libtirpc compile time. This is a pretty abominable piece of namespace
pollution: these symbols are quite likely to be used for local debugging
routines by other binaries and shared libraries, and those local calls
are now likely to go astray into libtirpc's do-nothing versions instead.
So this changes the names of these functions. This is technically an ABI
break, but since these symbols are undocumented and useless (with variable
behaviour depending on whether DEBUG was #defined, and only present at
all if GSS was compiled in) anything using those symbols was broken anyway.
(A quick grep of my local sources shows numerous other local users of
the name log_debug() in particular, including LVM, libassuan, GnuPG, gvfs,
and dhcp. If you include binaries as well as intra-shared-library calls,
the count goes much higher.)
Signed-off-by: Nick Alcock <nick.alcock@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Nick Alcock [Thu, 26 Apr 2012 19:38:56 +0000 (15:38 -0400)]
No longer require NIS.
From: Nick Alcock <nick.alcock@oracle.com>
NIS is deader than the proverbial dodo, and eglibc allows you to compile
it out entirely. Though libtirpc can work with NIS, it works perfectly
well if NIS is not in the libc, thanks to nsswitch (acting as if NIS
is there but empty).
However, when NIS is not compiled into eglibc, libnsl is not present.
So check for it at configure time, and include it via LIBS if available.
(I suspect this LIBS-inclusion will have no effect, and we don't even
need to check for NIS at compile time, but I have no NIS-capable systems to
test this on.)
Signed-off-by: Nick Alcock <nick.alcock@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Nick Alcock [Thu, 26 Apr 2012 19:12:08 +0000 (15:12 -0400)]
Fix debugging reference from non-GSS to optional GSS code.
From: Nick Alcock <nick.alcock@oracle.com>
AUTH_DESTROY() and auth_destroy() are pulling in log_debug() from
authgss_prot.c, but are used from outside the GSS code, thus preventing
libtirpc
from being used if compiled without GSS support.
The (somewhat ugly) fix here defines a new macro to do the job. Because
we're
not compiling as C99, I use the GNU C variadic macro extension: if we
mean to
be compiled with other compilers, this needs to change.
Signed-off-by: Nick Alcock <nick.alcock@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Mike Frysinger [Mon, 20 Jun 2011 17:52:14 +0000 (13:52 -0400)]
Revert "Include des_crypt in build"
The des_crypt code requires the crypt_client code (which wasn't
added), and that code requires a currently undefined function
(namely xdr_desresp). Since I have no idea what that's about,
and this change ends up breaking some systems, just revert it.
Once we have a patch that improves portability without breaking
existing systems, we can revisit this.
Matthew N. Dodd [Mon, 20 Jun 2011 17:42:18 +0000 (13:42 -0400)]
Reference count AUTHs
RPCSEC GSSv3 has the concept of a parent and a compound credential. As
the normal course of operation involves using multiple AUTHs per client
connection, and providing parent and compounds AUTHs when creating a
GSSv3 AUTH, we need a way of reference counting them so that
AUTH_DESTROY does not free them out from under a GSSv3 AUTH that is
using them.
Matthew N. Dodd [Mon, 20 Jun 2011 17:33:35 +0000 (13:33 -0400)]
Use of lseek() in xdr_rec.c:xdrrec_getpos().
The use of lseek() in xdr_rec.c:xdrrec_getpos() without checking for
ESPIPE will fail to handle the common case, resulting in poor behavior
in calling code. (In particular auth_gss.c:authgss_marshal() calls
gss_get_mic() with rpcbuf.length set to -1, with spectacular results.)
The original MIT Krb5 RPC code lacks this addition, which I'm unclear of
the utility of in the first place.
Reverting to the MIT code permits correct function of a trivial RPC
client using GSS.
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Matthew N. Dodd [Mon, 20 Jun 2011 17:32:58 +0000 (13:32 -0400)]
PCSEC_GSS_SVC_PRIVACY failure.
in authgss_prot.c:xdr_rpc_gss_wrap_data(), gss_wrap() is called in the
svc == RPCSEC_GSS_SVC_PRIVACY conditional block with databuf.length
uninitialized.
Initialization performed in the svc == RPCSEC_GSS_SVC_INTEGRITY
conditional block should be moved.
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Sat, 18 Jun 2011 13:49:40 +0000 (09:49 -0400)]
Do not skip records with nonblocking connections
With non-blocking connections, do not skip records when receiving
the streams since entire value messages can be ignored which
in cause the entire stream to become out of sync.
For example, two mounts simultaneously send two unmaps
commands. The first one is read, then the second thrown
away due to skipping the record. Skipping this record
will cause XDR error later in processing of the stream.
Olaf Kirch [Wed, 2 Mar 2011 15:09:24 +0000 (10:09 -0500)]
Try to ensure datagram replies come from the address requests were sent to.
On multi-homed servers it is currently possible for a reply to be sent
from a different address to the one the request was received from. This
is because there is no strong connection between the request and the
reply as there is with stream.
This causes problems with some clients, particularly those that uses
connected datagram sockets.
So use IP_PKTINFO or IP6_PKTINFO to create the necessary connection,
recording the destination of the request, and setting the source of
the reply.
Note that we clear the interface index (ifindex) as it is not necessary
(and is sometimes wrong) to set the reply out on the same interface that
the request arrived on.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Olaf Kirch <okir@suse.de> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Mike Frysinger [Wed, 9 Feb 2011 15:13:19 +0000 (10:13 -0500)]
Include des_crypt in build
Some C libraries (like glibc) provide cbc_crypt and ecb_crypt and
friends, but others may not. So build the local des_crypt.c file
that is already in libtirpc.
Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Tue, 4 Jan 2011 19:47:55 +0000 (14:47 -0500)]
Authunix_create_default() should truncate at 16 groups instead of failing
Instead of failing if the calling process has more than 16 supplemen-
tal groups, authunix_create_default() should simply truncate the group
list to 16 entries. This is what the legacy RPC implementation in
glibc does, what the Linux kernel's RPC implementation does (see
net/sunrpc/auth_unix.c:unx_create_cred()), and what libtirpc on
Solaris does.
RFC 5531, Appendix A does not provide any guidance about AUTH_SYS
behavior when a calling process is a member of more than 16 groups.
Thus we cannot follow a specification, but must instead be guided by
the conventional precedent set by existing implementations.
Sun doc 816-1435, "ONC+ Developer's Guide," p. 148, refers to
authunix_create_default() as one of several functions that are
supported for backwards compatibility. Therefore, our libtirpc
implementation should behave just like the glibc implementation it
is replacing, so that applications can easily migrate from glibc's
legacy RPC implementation to the newer libtirpc implementation.
The upshot is that glibc's authunix_create_default() is a formal
legacy API. The rules about changing formal APIs trump the idea that
existing APIs should be changed to fail if they can't ideally fulfill
an application's request.
Steve Dickson [Thu, 16 Dec 2010 16:49:44 +0000 (11:49 -0500)]
Makefile Improvements
Currently when one .c file is changed all the .c files
are recompile, which obviously is not needed. The patch
removes the explicit rules that causes those recompiles
and let the autoconf code deal with dependencies
Three files in libtirpc have the "BSD with advertising" or "BSD 4
clause" license on them (Free, but GPL incompatible). Thankfully, two of
the three files (tirpc/libc_private.h and tirpc/nss_tls.h) aren't
necessary on Linux at all. They were copied from FreeBSD, but FreeBSD
(and NetBSD) include those headers, so they can be conditionalized out
in the code. The third header, tirpc/reentrant.h originally came from
FreeBSD, but had been modified to point to the Linux pthread equivalent
functions. I'm pretty sure that would cause the code to break on
FreeBSD/NetBSD.
This patch does the following:
- Zeros out tirpc/libc_private.h (This file should be deleted from the
source control)
- Zeros out tirpc/nss_tls.h (This file should be deleted from the source
control)
- Takes a fresh copy of tirpc/reentrant.h from FreeBSD CVS to inherit
the new license (the advertising clause has been dropped in FreeBSD)
- Updates tirpc/reentrant.h so that it contains the correct definition
mappings for Linux, conditionalized only for Linux.
- Updates all source files which #include libc_private.h so that the
include is conditionalized on FreeBSD or NetBSD. I honestly don't think
these files even need to be included on those platforms, but I'd rather
be safe than sorry here.
Ulrich Drepper [Tue, 18 May 2010 23:18:38 +0000 (19:18 -0400)]
Automount with nis maps crashes and generates a core
I think I added the appropriate backward compatibility support to handle
old kernels. And certainly the existing libtirpc functions are unchanged.
Only one additional extenal interface (__libc_clntudp_bufcreate) is added.
The remaining changes are necessary to implement it. The changes are
straightforward.
See https://bugzilla.redhat.com/show_bug.cgi?id=519430
Signed-off-by: Ulrich Drepper <drepper@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 25 Mar 2010 17:34:27 +0000 (13:34 -0400)]
Add a note about rpcbind's use of __svc_clean_idle()
__svc_clean_idle() is an internal function that is also called by
the version of rpcbind we are currently using. Make a note of this
so that the function does not get accidentally removed or changed.
We should keep an eye out for other APIs like this, and document
them accordingly.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 25 Mar 2010 17:32:54 +0000 (13:32 -0400)]
libtoolize: Squelch libtoolize warnings
Address these build-time complaints from libtoolize:
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac
and
libtoolize: rerunning libtoolize, to keep the correct libtool macros
in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
libtoolize: `AC_PROG_RANLIB' is rendered obsolete by `LT_INIT'
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Reported-by: Jens-Uwe Mozdzen <jmozdzen@nde.de Fix-by: Jay Lan <jlan@sgi.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 25 Mar 2010 17:24:44 +0000 (13:24 -0400)]
Fix memory leak in getclnthandle()
getclnthandle() can return a NULL RPC client, but sometimes it does
this without ensuring that *targaddr is freed. Even though the
documenting comment claims that callers must free *targaddr, callers
don't check the value of *targaddr if getclnthandle() returns NULL.
Reported-by: Jens-Uwe Mozdzen <jmozdzen@nde.ag> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Fri, 5 Mar 2010 19:27:13 +0000 (14:27 -0500)]
libtirpc: allow larger ticket sizes with RPCSEC_GSS
libtirpc currently limits RPCSEC_GSS args to MAX_NETOBJ_SZ (1024) bytes.
This causes problems when you try to use large krb5 tickets, such as
those handed out by MS' Active Directory when the user has a large PAC.
This patch backports a set of changes from librpcsecgss which fixed this
problem there. It declares a new routine specifically for encoding
gss_buffer_t's and has the various auth_gss routines use that instead of
calling xdr_bytes directly.
An RPC_SLACK_SPACE constant is defined and added to the buffer length to
get a max buffer length to pass to xdr_rpc_gss_buf for the appropriate
callers.
Jeff Layton [Fri, 5 Mar 2010 17:55:31 +0000 (12:55 -0500)]
libtirpc: don't call abort() in the AUTH_UNIX creation codepaths
When there are problems creating an AUTH_UNIX auth handle, libtirpc will
sometimes call abort(). It's bad for a library to do this since
decisions about how to handle errors are better left up to the
application and abort() generally causes the app to crash and dump core.
Make it so that these functions return NULL instead in these situations.
authunix_create already returns NULL for other error conditions so it
seems like an appropriate way to handle errors in these codepaths.
Have authunix_create and authunix_create_default set appropriate errors
in the rpc_createerr struct. It seems a little odd to do this since
rpc_createerr is supposed to report information about why CLIENT
creation failed, and the problem here is in creating an AUTH handle.
authgss_create does this already however, so there is some precedent.
While we're at it, it's also bad for libraries to log to stderr. It's
possible that a daemon is calling here and it has closed stderr and is
resuing fd 2 for something else. Rip out the warnx calls from these two
functions to make sure that they don't cause problems.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
projects / libtirpc / log