From owner-svn-src-head@FreeBSD.ORG Mon Oct 1 12:28:59 2012 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 229CD106566C; Mon, 1 Oct 2012 12:28:59 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 0DCBB8FC14; Mon, 1 Oct 2012 12:28:59 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q91CSw4G046364; Mon, 1 Oct 2012 12:28:58 GMT (envelope-from rmacklem@svn.freebsd.org) Received: (from rmacklem@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q91CSwJA046362; Mon, 1 Oct 2012 12:28:58 GMT (envelope-from rmacklem@svn.freebsd.org) Message-Id: <201210011228.q91CSwJA046362@svn.freebsd.org> From: Rick Macklem Date: Mon, 1 Oct 2012 12:28:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r241097 - head/sys/rpc/rpcsec_gss X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Oct 2012 12:28:59 -0000 Author: rmacklem Date: Mon Oct 1 12:28:58 2012 New Revision: 241097 URL: http://svn.freebsd.org/changeset/base/241097 Log: Attila Bogar and Herbert Poeckl both reported similar problems w.r.t. a Linux NFS client doing a krb5 NFS mount against the FreeBSD server. We determined this was a Linux bug: http://www.spinics.net/lists/linux-nfs/msg32466.html, however the mount failed to work, because the Destroy operation with a bogus encrypted checksum destroyed the authenticator handle. This patch changes the rpcsec_gss code so that it doesn't Destroy the authenticator handle for this case and, as such, the Linux mount will work. Tested by: Attila Bogar and Herbert Poeckl MFC after: 2 weeks Modified: head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Modified: head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c ============================================================================== --- head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Mon Oct 1 11:26:49 2012 (r241096) +++ head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Mon Oct 1 12:28:58 2012 (r241097) @@ -984,7 +984,7 @@ svc_rpc_gss_accept_sec_context(struct sv static bool_t svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, - gss_qop_t *qop) + gss_qop_t *qop, rpc_gss_proc_t gcproc) { struct opaque_auth *oa; gss_buffer_desc rpcbuf, checksum; @@ -1024,7 +1024,8 @@ svc_rpc_gss_validate(struct svc_rpc_gss_ if (maj_stat != GSS_S_COMPLETE) { rpc_gss_log_status("gss_verify_mic", client->cl_mech, maj_stat, min_stat); - client->cl_state = CLIENT_STALE; + if (gcproc != RPCSEC_GSS_DESTROY) + client->cl_state = CLIENT_STALE; return (FALSE); } @@ -1358,7 +1359,7 @@ svc_rpc_gss(struct svc_req *rqst, struct break; } - if (!svc_rpc_gss_validate(client, msg, &qop)) { + if (!svc_rpc_gss_validate(client, msg, &qop, gc.gc_proc)) { result = RPCSEC_GSS_CREDPROBLEM; break; }