main/nfs-utils: fix build with libtirpc 1.3.5

backport fixes to build with libtirpc 1.3.5

main/nfs-utils/0001-gssd-revert-commit-a5f3b7ccb01c.patch

@@ -0,0 +1,99 @@
+From 20c0797937e9ec43a78a2f5475d4296897f8c537 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:46:35 -0500
+Subject: [PATCH 1/6] gssd: revert commit a5f3b7ccb01c
+
+In preparation for using rpc_gss_seccreate() function, revert commit
+a5f3b7ccb01c "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user
+credentials"
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ utils/gssd/gssd_proc.c |  2 --
+ utils/gssd/krb5_util.c | 42 ------------------------------------------
+ utils/gssd/krb5_util.h |  1 -
+ 3 files changed, 45 deletions(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index a96647df..e5cc1d98 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -419,8 +419,6 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 			if (cred == GSS_C_NO_CREDENTIAL)
+ 				retval = gssd_refresh_krb5_machine_credential(clp->servername,
+ 					"*", NULL, 1);
+-			else
+-				retval = gssd_k5_remove_bad_service_cred(clp->servername);
+ 			if (!retval) {
+ 				auth = authgss_create_default(rpc_clnt, tgtname,
+ 						&sec);
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index 6f66ef4f..f6ce1fec 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -1553,48 +1553,6 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
+ 	return ret;
+ }
+ 
+-/* Removed a service ticket for nfs/<name> from the ticket cache
+- */
+-int
+-gssd_k5_remove_bad_service_cred(char *name)
+-{
+-        krb5_creds in_creds, out_creds;
+-        krb5_error_code ret;
+-        krb5_context context;
+-        krb5_ccache cache;
+-        krb5_principal principal;
+-        int retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
+-        char srvname[1024];
+-
+-        ret = krb5_init_context(&context);
+-        if (ret)
+-                goto out_cred;
+-        ret = krb5_cc_default(context, &cache);
+-        if (ret)
+-                goto out_free_context;
+-        ret = krb5_cc_get_principal(context, cache, &principal);
+-        if (ret)
+-                goto out_close_cache;
+-        memset(&in_creds, 0, sizeof(in_creds));
+-        in_creds.client = principal;
+-        sprintf(srvname, "nfs/%s", name);
+-        ret = krb5_parse_name(context, srvname, &in_creds.server);
+-        if (ret)
+-                goto out_free_principal;
+-        ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
+-        if (ret)
+-                goto out_free_principal;
+-        ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
+-out_free_principal:
+-        krb5_free_principal(context, principal);
+-out_close_cache:
+-        krb5_cc_close(context, cache);
+-out_free_context:
+-        krb5_free_context(context);
+-out_cred:
+-        return ret;
+-}
+-
+ #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ /*
+  * this routine obtains a credentials handle via gss_acquire_cred()
+diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
+index 7ef87018..62c91a0e 100644
+--- a/utils/gssd/krb5_util.h
++++ b/utils/gssd/krb5_util.h
+@@ -22,7 +22,6 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
+ void gssd_k5_get_default_realm(char **def_realm);
+ 
+ int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
+-int gssd_k5_remove_bad_service_cred(char *srvname);
+ 
+ #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ extern int limit_to_legacy_enctypes;
+-- 
+2.46.0
+

main/nfs-utils/0002-gssd-revert-commit-513630d720bd.patch

@@ -0,0 +1,51 @@
+From f05af7d9924b5e455f4e750c1e8985c560784fce Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:50:57 -0500
+Subject: [PATCH 2/6] gssd: revert commit 513630d720bd
+
+In preparation for using rpc_gss_seccreate(), revert commit 513630d720bd
+"gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials"
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ utils/gssd/gssd_proc.c | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index e5cc1d98..4fb6b72d 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -412,27 +412,13 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 		tid, tgtname);
+ 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+ 	if (!auth) {
+-		if (sec.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+-			printerr(2, "WARNING: server=%s failed context "
+-				 "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
+-				 clp->servername);
+-			if (cred == GSS_C_NO_CREDENTIAL)
+-				retval = gssd_refresh_krb5_machine_credential(clp->servername,
+-					"*", NULL, 1);
+-			if (!retval) {
+-				auth = authgss_create_default(rpc_clnt, tgtname,
+-						&sec);
+-				if (auth)
+-					goto success;
+-			}
+-		}
+ 		/* Our caller should print appropriate message */
+ 		printerr(2, "WARNING: Failed to create krb5 context for "
+ 			    "user with uid %d for server %s\n",
+ 			 uid, tgtname);
+ 		goto out_fail;
+ 	}
+-success:
++
+ 	/* Success !!! */
+ 	rpc_clnt->cl_auth = auth;
+ 	*clnt_return = rpc_clnt;
+-- 
+2.46.0
+

main/nfs-utils/0003-gssd-switch-to-using-rpc_gss_seccreate.patch

@@ -0,0 +1,60 @@
+From 3abf6b5223af0ccf07d217d71978ee7987acce88 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:52:47 -0500
+Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate()
+
+If available from the libtirpc library, switch to using
+rpc_gss_seccreate() instead of authgss_create_default() which does not
+expose gss error codes.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ utils/gssd/gssd_proc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 4fb6b72d..99761157 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -70,6 +70,9 @@
+ #include <sys/types.h>
+ #include <sys/wait.h>
+ #include <syscall.h>
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++#include <rpc/rpcsec_gss.h>
++#endif
+ 
+ #include "gssd.h"
+ #include "err_util.h"
+@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 	struct timeval	timeout;
+ 	struct sockaddr		*addr = (struct sockaddr *) &clp->addr;
+ 	socklen_t		salen;
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++	rpc_gss_options_req_t	req;
++	rpc_gss_options_ret_t	ret;
++	char			mechanism[] = "kerberos_v5";
++#endif
+ 	pthread_t tid = pthread_self();
+ 
+ 	sec.qop = GSS_C_QOP_DEFAULT;
+@@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 
+ 	printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n", 
+ 		tid, tgtname);
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++	memset(&req, 0, sizeof(req));
++	req.my_cred = sec.cred;
++	auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism,
++			rpcsec_gss_svc_none, NULL, &req, &ret);
++#else
+ 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
++#endif
+ 	if (!auth) {
+ 		/* Our caller should print appropriate message */
+ 		printerr(2, "WARNING: Failed to create krb5 context for "
+-- 
+2.46.0
+

main/nfs-utils/0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch

@@ -0,0 +1,62 @@
+From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:55:35 -0500
+Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine
+ credentials
+
+During context establishment, when the client received
+KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server
+updating its key material. To handle such error, get a new
+service ticket and re-try the AP_REQ.
+
+This functionality relies on the new API in libtirpc that
+exposes the gss errors.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 99761157..29600a3f 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+ #endif
+ 	if (!auth) {
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++		if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
++			printerr(2, "WARNING: server=%s failed context "
++				 "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
++				 clp->servername);
++			if (cred == GSS_C_NO_CREDENTIAL)
++				retval = gssd_refresh_krb5_machine_credential(clp->servername,
++					"*", NULL, 1);
++			if (!retval) {
++				auth = rpc_gss_seccreate(rpc_clnt, tgtname,
++						mechanism, rpcsec_gss_svc_none,
++						NULL, &req, &ret);
++				if (auth)
++					goto success;
++			}
++		}
++#endif
+ 		/* Our caller should print appropriate message */
+ 		printerr(2, "WARNING: Failed to create krb5 context for "
+ 			    "user with uid %d for server %s\n",
+ 			 uid, tgtname);
+ 		goto out_fail;
+ 	}
+-
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++success:
++#endif
+ 	/* Success !!! */
+ 	rpc_clnt->cl_auth = auth;
+ 	*clnt_return = rpc_clnt;
+-- 
+2.46.0
+

main/nfs-utils/0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch

@@ -0,0 +1,101 @@
+From 15cd566633b1546f0808d0694ede094b4c99752d Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:57:28 -0500
+Subject: [PATCH 5/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user
+ credentials
+
+Unlike the machine credential case, we can't throw away the ticket
+cache and use the keytab to renew the credentials. Instead, we
+need to remove the service ticket for the server that returned
+KRB5_AP_ERR_BAD_INTEGRITY and try again.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ utils/gssd/gssd_proc.c |  2 ++
+ utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ utils/gssd/krb5_util.h |  1 +
+ 3 files changed, 45 insertions(+)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 29600a3f..7629de0b 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -435,6 +435,8 @@ create_auth_rpc_client(struct clnt_info *clp,
+ 			if (cred == GSS_C_NO_CREDENTIAL)
+ 				retval = gssd_refresh_krb5_machine_credential(clp->servername,
+ 					"*", NULL, 1);
++			else
++				retval = gssd_k5_remove_bad_service_cred(clp->servername);
+ 			if (!retval) {
+ 				auth = rpc_gss_seccreate(rpc_clnt, tgtname,
+ 						mechanism, rpcsec_gss_svc_none,
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index f6ce1fec..6f66ef4f 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
+ 	return ret;
+ }
+ 
++/* Removed a service ticket for nfs/<name> from the ticket cache
++ */
++int
++gssd_k5_remove_bad_service_cred(char *name)
++{
++        krb5_creds in_creds, out_creds;
++        krb5_error_code ret;
++        krb5_context context;
++        krb5_ccache cache;
++        krb5_principal principal;
++        int retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
++        char srvname[1024];
++
++        ret = krb5_init_context(&context);
++        if (ret)
++                goto out_cred;
++        ret = krb5_cc_default(context, &cache);
++        if (ret)
++                goto out_free_context;
++        ret = krb5_cc_get_principal(context, cache, &principal);
++        if (ret)
++                goto out_close_cache;
++        memset(&in_creds, 0, sizeof(in_creds));
++        in_creds.client = principal;
++        sprintf(srvname, "nfs/%s", name);
++        ret = krb5_parse_name(context, srvname, &in_creds.server);
++        if (ret)
++                goto out_free_principal;
++        ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
++        if (ret)
++                goto out_free_principal;
++        ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
++out_free_principal:
++        krb5_free_principal(context, principal);
++out_close_cache:
++        krb5_cc_close(context, cache);
++out_free_context:
++        krb5_free_context(context);
++out_cred:
++        return ret;
++}
++
+ #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ /*
+  * this routine obtains a credentials handle via gss_acquire_cred()
+diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
+index 62c91a0e..7ef87018 100644
+--- a/utils/gssd/krb5_util.h
++++ b/utils/gssd/krb5_util.h
+@@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
+ void gssd_k5_get_default_realm(char **def_realm);
+ 
+ int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
++int gssd_k5_remove_bad_service_cred(char *srvname);
+ 
+ #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ extern int limit_to_legacy_enctypes;
+-- 
+2.46.0
+

main/nfs-utils/0006-configure-check-for-rpc_gss_seccreate.patch

@@ -0,0 +1,35 @@
+From 49567e7d03a5605c590be2135a24d4de8345fa3c Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Mon, 11 Dec 2023 08:59:43 -0500
+Subject: [PATCH 6/6] configure: check for rpc_gss_seccreate
+
+If we have rpc_gss_sccreate in tirpc library define
+HAVE_TIRPC_GSS_SECCREATE, which would allow us to handle bad_integrity
+errors.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ aclocal/libtirpc.m4 | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4
+index bddae022..ef48a2ae 100644
+--- a/aclocal/libtirpc.m4
++++ b/aclocal/libtirpc.m4
+@@ -26,6 +26,11 @@ AC_DEFUN([AC_LIBTIRPC], [
+                                     [Define to 1 if your tirpc library provides libtirpc_set_debug])],,
+                          [${LIBS}])])
+ 
++     AS_IF([test -n "${LIBTIRPC}"],
++           [AC_CHECK_LIB([tirpc], [rpc_gss_seccreate],
++                         [AC_DEFINE([HAVE_TIRPC_GSS_SECCREATE], [1],
++                                    [Define to 1 if your tirpc library provides rpc_gss_seccreate])],,
++                         [${LIBS}])])
+   AC_SUBST([AM_CPPFLAGS])
+   AC_SUBST(LIBTIRPC)
+ 
+-- 
+2.46.0
+

main/nfs-utils/APKBUILD

@@ -2,14 +2,14 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=nfs-utils
 pkgver=2.6.4
-pkgrel=1
+pkgrel=2
 pkgdesc="kernel-mode NFS"
 url="https://linux-nfs.org/"
 arch="all"
 license="GPL-2.0-only"
 depends="rpcbind python3"
 options="suid"
-makedepends="
+makedepends="autoconf automake libtool
 	bsd-compat-headers
 	keyutils-dev
 	krb5-dev
@@ -38,6 +38,13 @@ source="https://www.kernel.org/pub/linux/utils/nfs-utils/$pkgver/nfs-utils-$pkgv
 	musl-stat64.patch
 	include-unistd.patch
 
+	0001-gssd-revert-commit-a5f3b7ccb01c.patch
+	0002-gssd-revert-commit-513630d720bd.patch
+	0003-gssd-switch-to-using-rpc_gss_seccreate.patch
+	0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
+	0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch
+	0006-configure-check-for-rpc_gss_seccreate.patch
+
 	nfs.initd
 	nfsmount.initd
 	nfsmount.confd
@@ -53,6 +60,11 @@ source="https://www.kernel.org/pub/linux/utils/nfs-utils/$pkgver/nfs-utils-$pkgv
 	nfsidmap.request-key.conf
 	"
 
+prepare() {
+	default_prepare
+	autoreconf -vif
+}
+
 build() {
 	./configure \
 		--build=$CBUILD \
@@ -137,6 +149,12 @@ sha512sums="
 52eeade44753f2002bf99d58ad4982086aab74ef8b14de46be547f23508197f58a6ff529145f96de7f031ac0bb7779b648d05fd981cdd91556dd13d068dfe57b  musl-svcgssd-sysconf.patch
 f186a758a7e1e489920be8f7d3b957f358cbcfc158b0ebfe25d8558f54491a4732bfb3b7a3778bc70da5c186d6e6c0901c6c94b7c0475a659420429ee948025f  musl-stat64.patch
 c4fd642960fab82956dc1386a0209c7f66f7bc52dc855ad7004ba31c999933f1d0c66ac37f97b6db9548c0b6c799bd3918373789238338f9942ffafe42d0f186  include-unistd.patch
+ff74c0a7919de92ca528e72ebaafcddde38957f85c21a7e376befac6af7b4c1464a31a8b88caa47606b3b31845bb6c55d7cc7a232f4d85358ce33f244b5a1cc4  0001-gssd-revert-commit-a5f3b7ccb01c.patch
+ac87cd38513df44d5bf97dce1f58757c07878d9a66237c8f377e8eb85baaf291b917de59b7f13bc0fab5335cd5a46026f39b014fc0f06bde65fd7d2fc460f9a3  0002-gssd-revert-commit-513630d720bd.patch
+f17b52bfaa2b344958c20123fc32186e83979a8b948373c12dee256de7d967991772e67b4206d1dafdd0f1ed9f268a01bf8820fe9c7b71e4d3da69de98f9527d  0003-gssd-switch-to-using-rpc_gss_seccreate.patch
+82f0c131bc0b849ae7e5ed71bcff130cc341c84f26fa7fa97996b58b02b2193652aca2c59ac167e1c9be5899a77412f1755b2632b7d9744c98e4e4d20ea0821b  0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
+ca143dd227975d8c05c9e7e855e567a468681741bb78a0cf095059f0cf61a860c75153e8b579fcc97beaf6706b5d5297d31e74e329608fcee68696672d111396  0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch
+fcaf41a87c22fe39411266ab53e051625a15affdb29421a17a4d12dbb59ce849e8ad2bab7cbed22973b345880b3c55eaf9d518deb4dea4147d542ffa14bfa5d6  0006-configure-check-for-rpc_gss_seccreate.patch
 b7c2f8d0f8f7ff5fa59ef326432b3e063f52ccdf664fd2b4908adb8cac63bbfe12a60d3a75c4c3e893a0ff0fb6e8c726899d7b7245f1acd39efd5c2c29398e2d  nfs.initd
 89259b9f0878658d48792b5b2f42b43c966ed098dba1fecf9e07fb0de4aab37ad67655ea8dbcc2361ddab2b5013b2de35a03048a513aaeedf790e4b416a35a54  nfsmount.initd
 6e23897885cc33c49d9c7353b456585a1e0c7300822edba81bc48ba4ccc18297adce137260cc0aa9487aa5ef0aab3eecf931532cfa5bd40fd03bc9e0ddacfb28  nfsmount.confd