Pre-register server side RPCSEC GSS support

When --enable-gss is specified on the ./configure command line,
have the library automatically register server-side support for the
RPCSEC_GSS auth flavor.

The complication is that specific interaction is required with the
RPC client if GSS authentication fails. GSS authentication sometimes
has to squelch the normal reply done by svc_getreq(), and substitute
its own.

_svcauth_gss() already has a boolean argument to do this.  But
_authenticate() is an official API (see rpc/svc_auth.h). We can't
alter its synopsis.

Instead of adding a "no_dispatch" argument to our existing
_authenticate() API, preserve its synopsis for backwards
compatibility, and introduce a second external authentication API
for the dispatcher.

This matches a similar API change done in the Solaris libtirpc.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/src/svc.c b/src/svc.c
index 08cd6c9887adc214ed5da51660e8dc45530b16c6..8afd15d4cef1472efa45f03e55382703c8ef3519 100644 (file)
--- a/src/svc.c
+++ b/src/svc.c
@@ -649,6 +649,7 @@ svc_getreq_common (fd)
     {
       if (SVC_RECV (xprt, &msg))
        {
+         bool_t no_dispatch;
 
          /* now find the exported program and call it */
          struct svc_callout *s;
@@ -660,11 +661,14 @@ svc_getreq_common (fd)
          r.rq_proc = msg.rm_call.cb_proc;
          r.rq_cred = msg.rm_call.cb_cred;
          /* first authenticate the message */
-         if ((why = _authenticate (&r, &msg)) != AUTH_OK)
+         why = _gss_authenticate(&r, &msg, &no_dispatch);
+         if (why != AUTH_OK)
            {
              svcerr_auth (xprt, why);
              goto call_done;
            }
+         if (no_dispatch)
+           goto call_done;
          /* now match message with a registered service */
          prog_found = FALSE;
          low_vers = (rpcvers_t) - 1L;

diff --git a/src/svc_auth.c b/src/svc_auth.c
index e80d5f91177e6274710fb390657c3d3e38c6628d..31241c921d3200685bf3ee4ed6613605db7faece 100644 (file)
--- a/src/svc_auth.c
+++ b/src/svc_auth.c
@@ -82,9 +82,10 @@ static struct authsvc *Auths = NULL;
  * invalid.
  */
 enum auth_stat
-_authenticate(rqst, msg)
+_gss_authenticate(rqst, msg, no_dispatch)
        struct svc_req *rqst;
        struct rpc_msg *msg;
+       bool_t *no_dispatch;
 {
        int cred_flavor;
        struct authsvc *asp;
@@ -97,6 +98,7 @@ _authenticate(rqst, msg)
        rqst->rq_xprt->xp_verf.oa_flavor = _null_auth.oa_flavor;
        rqst->rq_xprt->xp_verf.oa_length = 0;
        cred_flavor = rqst->rq_cred.oa_flavor;
+       *no_dispatch = FALSE;
        switch (cred_flavor) {
        case AUTH_NONE:
                dummy = _svcauth_none(rqst, msg);
@@ -111,6 +113,11 @@ _authenticate(rqst, msg)
        case AUTH_DES:
                dummy = _svcauth_des(rqst, msg);
                return (dummy);
+#endif
+#ifdef HAVE_RPCSEC_GSS
+       case RPCSEC_GSS:
+               dummy = _svcauth_gss(rqst, msg, no_dispatch);
+               return (dummy);
 #endif
        default:
                break;
@@ -132,6 +139,13 @@ _authenticate(rqst, msg)
        return (AUTH_REJECTEDCRED);
 }
 
+enum auth_stat
+_authenticate(struct svc_req *rqst, struct rpc_msg *msg)
+{
+       bool_t no_dispatch;
+       return _gss_authenticate(rqst, msg, &no_dispatch);
+}
+
 /*
  *  Allow the rpc service to register new authentication types that it is
  *  prepared to handle.  When an authentication flavor is registered,
@@ -160,6 +174,9 @@ svc_auth_reg(cred_flavor, handler)
            case AUTH_SHORT:
 #ifdef DES_BUILTIN
            case AUTH_DES:
+#endif
+#ifdef HAVE_RPCSEC_GSS
+           case RPCSEC_GSS:
 #endif
                /* already registered */
                return (1);

diff --git a/tirpc/rpc/auth.h b/tirpc/rpc/auth.h
index 4ce11f0a3805b2e5f60f505ab529f595fcb6a041..7c8f81352350a4cc0269df36fa3bcafea086f779 100644 (file)
--- a/tirpc/rpc/auth.h
+++ b/tirpc/rpc/auth.h
@@ -399,6 +399,7 @@ struct rpc_msg;
 enum auth_stat _svcauth_none (struct svc_req *, struct rpc_msg *);
 enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
 enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
+enum auth_stat _svcauth_gss (struct svc_req *, struct rpc_msg *, bool_t *);
 __END_DECLS
 
 #define AUTH_NONE      0               /* no authentication */

diff --git a/tirpc/rpc/svc_auth.h b/tirpc/rpc/svc_auth.h
index 14269d124c3d2cc50135dbf0e6699f763fc6d941..723c989996f97fdb50ac76788975f668aac2f8af 100644 (file)
--- a/tirpc/rpc/svc_auth.h
+++ b/tirpc/rpc/svc_auth.h
@@ -66,6 +66,8 @@ typedef struct SVCAUTH {
  * Server side authenticator
  */
 __BEGIN_DECLS
+extern enum auth_stat _gss_authenticate(struct svc_req *, struct rpc_msg *,
+               bool_t *);
 extern enum auth_stat _authenticate(struct svc_req *, struct rpc_msg *);
 extern int svc_auth_reg(int, enum auth_stat (*)(struct svc_req *,
                          struct rpc_msg *));