From 2abb87646f696726f4ee3a89db6ebfc8adbd9b9b Mon Sep 17 00:00:00 2001 From: "Matthew N. Dodd" Date: Mon, 20 Jun 2011 13:34:34 -0400 Subject: [PATCH] AUTH_WRAP/AUTH_UNWRAP support. Client code lacks support for authenticator wrapping/unwrapping, which is particularly useful when using GSS. Verified for both tcp & udp using a trivial RPC client against a MIT Krb5 server. Signed-off-by: Steve Dickson --- src/auth_des.c | 8 ++++++++ src/auth_none.c | 8 ++++++++ src/auth_unix.c | 8 ++++++++ src/clnt_dg.c | 10 +++++++--- src/clnt_vc.c | 5 +++-- 5 files changed, 34 insertions(+), 5 deletions(-) diff --git a/src/auth_des.c b/src/auth_des.c index 37e7667..829c817 100644 --- a/src/auth_des.c +++ b/src/auth_des.c @@ -472,6 +472,12 @@ authdes_destroy(AUTH *auth) FREE(auth, sizeof(AUTH)); } +static bool_t +authdes_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere) +{ + return ((*xfunc)(xdrs, xwhere)); +} + static struct auth_ops * authdes_ops(void) { @@ -487,6 +493,8 @@ authdes_ops(void) ops.ah_validate = authdes_validate; ops.ah_refresh = authdes_refresh; ops.ah_destroy = authdes_destroy; + ops.ah_wrap = authdes_wrap; + ops.ah_unwrap = authdes_wrap; } mutex_unlock(&authdes_ops_lock); return (&ops); diff --git a/src/auth_none.c b/src/auth_none.c index a439ec6..008c589 100644 --- a/src/auth_none.c +++ b/src/auth_none.c @@ -155,6 +155,12 @@ authnone_destroy(AUTH *client) { } +static bool_t +authnone_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere) +{ + return ((*xfunc)(xdrs, xwhere)); +} + static struct auth_ops * authnone_ops() { @@ -170,6 +176,8 @@ authnone_ops() ops.ah_validate = authnone_validate; ops.ah_refresh = authnone_refresh; ops.ah_destroy = authnone_destroy; + ops.ah_wrap = authnone_wrap; + ops.ah_unwrap = authnone_wrap; } mutex_unlock(&ops_lock); return (&ops); diff --git a/src/auth_unix.c b/src/auth_unix.c index c2469da..5b8990f 100644 --- a/src/auth_unix.c +++ b/src/auth_unix.c @@ -396,6 +396,12 @@ marshal_new_auth(auth) XDR_DESTROY(xdrs); } +static bool_t +authunix_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere) +{ + return ((*xfunc)(xdrs, xwhere)); +} + static struct auth_ops * authunix_ops() { @@ -411,6 +417,8 @@ authunix_ops() ops.ah_validate = authunix_validate; ops.ah_refresh = authunix_refresh; ops.ah_destroy = authunix_destroy; + ops.ah_wrap = authunix_wrap; + ops.ah_unwrap = authunix_wrap; } mutex_unlock(&ops_lock); return (&ops); diff --git a/src/clnt_dg.c b/src/clnt_dg.c index 79fed5d..4a1f60a 100644 --- a/src/clnt_dg.c +++ b/src/clnt_dg.c @@ -366,7 +366,7 @@ call_again: if ((! XDR_PUTINT32(xdrs, (int32_t *)&proc)) || (! AUTH_MARSHALL(cl->cl_auth, xdrs)) || - (! (*xargs)(xdrs, argsp))) { + (! AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp))) { cu->cu_error.re_status = RPC_CANTENCODEARGS; goto out; } @@ -400,8 +400,8 @@ get_reply: * (We assume that this is actually only executed once.) */ reply_msg.acpted_rply.ar_verf = _null_auth; - reply_msg.acpted_rply.ar_results.where = resultsp; - reply_msg.acpted_rply.ar_results.proc = xresults; + reply_msg.acpted_rply.ar_results.where = NULL; + reply_msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_void; fd.fd = cu->cu_fd; fd.events = POLLIN; @@ -512,6 +512,10 @@ get_reply: &reply_msg.acpted_rply.ar_verf)) { cu->cu_error.re_status = RPC_AUTHERROR; cu->cu_error.re_why = AUTH_INVALIDRESP; + } else if (! AUTH_UNWRAP(cl->cl_auth, &reply_xdrs, + xresults, resultsp)) { + if (cu->cu_error.re_status == RPC_SUCCESS) + cu->cu_error.re_status = RPC_CANTDECODERES; } if (reply_msg.acpted_rply.ar_verf.oa_base != NULL) { xdrs->x_op = XDR_FREE; diff --git a/src/clnt_vc.c b/src/clnt_vc.c index 359063c..097cae8 100644 --- a/src/clnt_vc.c +++ b/src/clnt_vc.c @@ -364,7 +364,7 @@ call_again: if ((! XDR_PUTBYTES(xdrs, ct->ct_u.ct_mcallc, ct->ct_mpos)) || (! XDR_PUTINT32(xdrs, (int32_t *)&proc)) || (! AUTH_MARSHALL(cl->cl_auth, xdrs)) || - (! (*xdr_args)(xdrs, args_ptr))) { + (! AUTH_WRAP(cl->cl_auth, xdrs, xdr_args, args_ptr))) { if (ct->ct_error.re_status == RPC_SUCCESS) ct->ct_error.re_status = RPC_CANTENCODEARGS; (void)xdrrec_endofrecord(xdrs, TRUE); @@ -420,7 +420,8 @@ call_again: &reply_msg.acpted_rply.ar_verf)) { ct->ct_error.re_status = RPC_AUTHERROR; ct->ct_error.re_why = AUTH_INVALIDRESP; - } else if (! (*xdr_results)(xdrs, results_ptr)) { + } else if (! AUTH_UNWRAP(cl->cl_auth, xdrs, + xdr_results, results_ptr)) { if (ct->ct_error.re_status == RPC_SUCCESS) ct->ct_error.re_status = RPC_CANTDECODERES; } -- 2.40.0