Attila Bogar and Herbert Poeckl both reported similar problems

w.r.t. a Linux NFS client doing a krb5 NFS mount against the FreeBSD server. We determined this was a Linux bug: http://www.spinics.net/lists/linux-nfs/msg32466.html, however the mount failed to work, because the Destroy operation with a bogus encrypted checksum destroyed the authenticator handle. This patch changes the rpcsec_gss code so that it doesn't Destroy the authenticator handle for this case and, as such, the Linux mount will work. Tested by: Attila Bogar and Herbert Poeckl MFC after: 2 weeks
2012-10-01 12:28:58 +00:00 · 2012-10-01 12:28:58 +00:00 · 9290b3731b
commit 9290b3731b
parent 53bc32bb8f
1 changed files with 4 additions and 3 deletions
--- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
@ -984,7 +984,7 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,

 static bool_t
 svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
-    gss_qop_t *qop)
+    gss_qop_t *qop, rpc_gss_proc_t gcproc)
 {
 	struct opaque_auth	*oa;
 	gss_buffer_desc		 rpcbuf, checksum;
@ -1024,7 +1024,8 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	if (maj_stat != GSS_S_COMPLETE) {
 		rpc_gss_log_status("gss_verify_mic", client->cl_mech,
 		    maj_stat, min_stat);
-		client->cl_state = CLIENT_STALE;
+		if (gcproc != RPCSEC_GSS_DESTROY)
+			client->cl_state = CLIENT_STALE;
 		return (FALSE);
 	}

@ -1358,7 +1359,7 @@ svc_rpc_gss(struct svc_req *rqst, struct rpc_msg *msg)
 			break;
 		}

-		if (!svc_rpc_gss_validate(client, msg, &qop)) {
+		if (!svc_rpc_gss_validate(client, msg, &qop, gc.gc_proc)) {
 			result = RPCSEC_GSS_CREDPROBLEM;
 			break;
 		}