AUTH_WRAP/AUTH_UNWRAP support.
authorMatthew N. Dodd <matthew.nygard.dodd@gmail.com>
Mon, 20 Jun 2011 17:34:34 +0000 (13:34 -0400)
committerSteve Dickson <steved@redhat.com>
Tue, 21 Jun 2011 18:31:44 +0000 (14:31 -0400)
Client code lacks support for authenticator wrapping/unwrapping, which
is particularly useful when using GSS.

Verified for both tcp & udp using a trivial RPC client against a MIT
Krb5 server.

Signed-off-by: Steve Dickson <steved@redhat.com>
src/auth_des.c
src/auth_none.c
src/auth_unix.c
src/clnt_dg.c
src/clnt_vc.c

index 37e766796bc5a255ed0baa749d09a456886f16f2..829c8172e087076e43beb17091f13bd0b4fb5735 100644 (file)
@@ -472,6 +472,12 @@ authdes_destroy(AUTH *auth)
        FREE(auth, sizeof(AUTH));
 }
 
+static bool_t
+authdes_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+       return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authdes_ops(void)
 {
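Review bot: authdes_wrap carries no comment saying it is a deliberate pass-through, and its `auth` argument is never used, so a reader cannot tell whether AUTH_DES is meant to leave the call body unprotected or whether the function is unfinished. A one-line comment above it would settle that, for example `/* AUTH_DES applies no integrity or privacy transform to the call body; encode/decode it unchanged */`. The next hunk registers the same function as `ah_unwrap`, so a direction-neutral name would read better than `_wrap`. authnone_wrap in src/auth_none.c and authunix_wrap in src/auth_unix.c are identical copies and deserve the same comment, or a single shared helper.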
@@ -487,6 +493,8 @@ authdes_ops(void)
                ops.ah_validate = authdes_validate;
                ops.ah_refresh = authdes_refresh;
                ops.ah_destroy = authdes_destroy;
+               ops.ah_wrap = authdes_wrap;
+               ops.ah_unwrap = authdes_wrap;
         }
        mutex_unlock(&authdes_ops_lock);
        return (&ops);
index a439ec6a38a64444a5affac0d0932e056bcb5626..008c589998b8ba7135615dd0017038a80a41e376 100644 (file)
@@ -155,6 +155,12 @@ authnone_destroy(AUTH *client)
 {
 }
 
+static bool_t
+authnone_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+       return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authnone_ops()
 {
@@ -170,6 +176,8 @@ authnone_ops()
                ops.ah_validate = authnone_validate;
                ops.ah_refresh = authnone_refresh;
                ops.ah_destroy = authnone_destroy;
+               ops.ah_wrap = authnone_wrap;
+               ops.ah_unwrap = authnone_wrap;
        }
        mutex_unlock(&ops_lock);
        return (&ops);
index c2469daff8d6476ee68e35622c1b211d4ce8e726..5b8990ffd1d50d12d1dda9347fcfa455dfddb29b 100644 (file)
@@ -396,6 +396,12 @@ marshal_new_auth(auth)
        XDR_DESTROY(xdrs);
 }
 
+static bool_t
+authunix_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+       return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authunix_ops()
 {
@@ -411,6 +417,8 @@ authunix_ops()
                ops.ah_validate = authunix_validate;
                ops.ah_refresh = authunix_refresh;
                ops.ah_destroy = authunix_destroy;
+               ops.ah_wrap = authunix_wrap;
+               ops.ah_unwrap = authunix_wrap;
        }
        mutex_unlock(&ops_lock);
        return (&ops);
index 79fed5d8caebecc3c2ebc26e33d1434564ff612f..4a1f60a6589356f0cd56cb69f1bfb3a738e28e98 100644 (file)
@@ -366,7 +366,7 @@ call_again:
 
        if ((! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
            (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
-           (! (*xargs)(xdrs, argsp))) {
+           (! AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp))) {
                cu->cu_error.re_status = RPC_CANTENCODEARGS;
                goto out;
        }
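Review bot: `AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp)` now runs for every client handle, but this commit fills in `ah_wrap`/`ah_unwrap` only for the DES, none and unix ops tables. The macro definition is not part of this diff; if it calls through the ops member without a check, any other AUTH flavor whose ops structure leaves those members zero would be called through a null function pointer on its first request. Either audit every auth_ops initializer, including out-of-tree users, or have the macros fall back to `(*xfunc)(xdrs, xwhere)` when the member is NULL. The same applies to the AUTH_UNWRAP call later in this file and to both call sites in src/clnt_vc.c. The enclosing function starts and ends outside the hunk.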
@@ -400,8 +400,8 @@ get_reply:
         * (We assume that this is actually only executed once.)
         */
        reply_msg.acpted_rply.ar_verf = _null_auth;
-       reply_msg.acpted_rply.ar_results.where = resultsp;
-       reply_msg.acpted_rply.ar_results.proc = xresults;
+       reply_msg.acpted_rply.ar_results.where = NULL;
+       reply_msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
 
         fd.fd = cu->cu_fd;
         fd.events = POLLIN;
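Review bot: The switch to `where = NULL` and `proc = (xdrproc_t)xdr_void` is left unexplained, and the comment above it, which begins outside the hunk, says nothing about where the caller's results are decoded now. Judging by the later hunk in this file, the results are no longer decoded inside the reply-message decode but only in the `else` branch after the verifier check. That ordering is worth stating for anyone reviewing the authentication path. I would add `/* results are decoded by AUTH_UNWRAP once the verifier has been validated */` directly above the two assignments.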
@@ -512,6 +512,10 @@ get_reply:
                                            &reply_msg.acpted_rply.ar_verf)) {
                                cu->cu_error.re_status = RPC_AUTHERROR;
                                cu->cu_error.re_why = AUTH_INVALIDRESP;
+                       } else if (! AUTH_UNWRAP(cl->cl_auth, &reply_xdrs,
+                                                xresults, resultsp)) {
+                               if (cu->cu_error.re_status == RPC_SUCCESS)
+                                    cu->cu_error.re_status = RPC_CANTDECODERES;
                        }
                        if (reply_msg.acpted_rply.ar_verf.oa_base != NULL) {
                                xdrs->x_op = XDR_FREE;
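Review bot: A failed AUTH_UNWRAP is reported as `RPC_CANTDECODERES` with `re_why` left untouched. For a flavor whose unwrap step verifies integrity (the commit message names GSS), a reply that fails verification would then look to the caller exactly like a malformed result. If that is intended, say so in a comment such as `/* covers both XDR decode errors and a failed unwrap check */`; otherwise consider a distinct status so callers and logs can tell the two apart. The same mapping is used in the last hunk of src/clnt_vc.c. The enclosing block begins and ends outside the hunk.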
index 359063c09d15f5cd5b6e6e3f974753d9a5202a27..097cae8e5e1c274346510914bdd89ed29848e4d6 100644 (file)
@@ -364,7 +364,7 @@ call_again:
        if ((! XDR_PUTBYTES(xdrs, ct->ct_u.ct_mcallc, ct->ct_mpos)) ||
            (! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
            (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
-           (! (*xdr_args)(xdrs, args_ptr))) {
+           (! AUTH_WRAP(cl->cl_auth, xdrs, xdr_args, args_ptr))) {
                if (ct->ct_error.re_status == RPC_SUCCESS)
                        ct->ct_error.re_status = RPC_CANTENCODEARGS;
                (void)xdrrec_endofrecord(xdrs, TRUE);
@@ -420,7 +420,8 @@ call_again:
                    &reply_msg.acpted_rply.ar_verf)) {
                        ct->ct_error.re_status = RPC_AUTHERROR;
                        ct->ct_error.re_why = AUTH_INVALIDRESP;
-               } else if (! (*xdr_results)(xdrs, results_ptr)) {
+               } else if (! AUTH_UNWRAP(cl->cl_auth, xdrs,
+                                        xdr_results, results_ptr)) {
                        if (ct->ct_error.re_status == RPC_SUCCESS)
                                ct->ct_error.re_status = RPC_CANTDECODERES;
                }