From f2db0f29ce283385d5663c390a3ca7fb40e21dde Mon Sep 17 00:00:00 2001
From: "Matthew N. Dodd"
Date: Mon, 20 Jun 2011 13:34:34 -0400
Subject: AUTH_WRAP/AUTH_UNWRAP support.

Client code lacks support for authenticator wrapping/unwrapping, which is particularly useful when using GSS. Verified for both tcp & udp using a trivial RPC client against a MIT Krb5 server.

Signed-off-by: Steve Dickson
---
 src/auth_des.c | 8 ++++++++
 src/auth_none.c | 8 ++++++++
 src/auth_unix.c | 8 ++++++++
 src/clnt_dg.c | 10 +++++++---
 src/clnt_vc.c | 5 +++--
 5 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/auth_des.c b/src/auth_des.c
index 37e7667..829c817 100644
--- a/src/auth_des.c
+++ b/src/auth_des.c
@@ -472,6 +472,12 @@ authdes_destroy(AUTH *auth)
 FREE(auth, sizeof(AUTH));
 }
+static bool_t
+authdes_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authdes_ops(void)
 {
@@ -487,6 +493,8 @@ authdes_ops(void)
 ops.ah_validate = authdes_validate;
 ops.ah_refresh = authdes_refresh;
 ops.ah_destroy = authdes_destroy;
+ ops.ah_wrap = authdes_wrap;
+ ops.ah_unwrap = authdes_wrap;
 }
 mutex_unlock(&authdes_ops_lock);
 return (&ops);
diff --git a/src/auth_none.c b/src/auth_none.c
index a439ec6..008c589 100644
--- a/src/auth_none.c
+++ b/src/auth_none.c
@@ -155,6 +155,12 @@ authnone_destroy(AUTH *client)
 {
 }
+static bool_t
+authnone_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authnone_ops()
 {
@@ -170,6 +176,8 @@ authnone_ops()
 ops.ah_validate = authnone_validate;
 ops.ah_refresh = authnone_refresh;
 ops.ah_destroy = authnone_destroy;
+ ops.ah_wrap = authnone_wrap;
+ ops.ah_unwrap = authnone_wrap;
 }
 mutex_unlock(&ops_lock);
 return (&ops);
diff --git a/src/auth_unix.c b/src/auth_unix.c
index c2469da..5b8990f 100644
--- a/src/auth_unix.c
+++ b/src/auth_unix.c
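Review bot: `authdes_wrap` carries no comment saying that it is a deliberate pass-through, and it never uses its `auth` parameter, so a reader cannot tell an intentional no-op from an unfinished stub. I would add above it `/* This flavor applies no transformation to call arguments or results; they are (de)serialized as-is. */`. The same applies to `authnone_wrap` in src/auth_none.c and `authunix_wrap` in src/auth_unix.c, which have the identical body and could share one helper if a common internal header is available.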
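Review bot: `ops.ah_unwrap = authdes_wrap;` reads like a copy-paste slip, because the unwrap slot is filled with a function named wrap. It is correct only because the pass-through is symmetric for encode and decode; either give the function a direction-neutral name or add `/* pass-through serves both directions */` on that line. The ops-table hunks in src/auth_none.c and src/auth_unix.c make the same assignment. The body of authdes_ops() starts and ends outside the hunk.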
@@ -396,6 +396,12 @@ marshal_new_auth(auth)
 XDR_DESTROY(xdrs);
 }
+static bool_t
+authunix_wrap(AUTH *auth, XDR *xdrs, xdrproc_t xfunc, caddr_t xwhere)
+{
+ return ((*xfunc)(xdrs, xwhere));
+}
+
 static struct auth_ops *
 authunix_ops()
 {
@@ -411,6 +417,8 @@ authunix_ops()
 ops.ah_validate = authunix_validate;
 ops.ah_refresh = authunix_refresh;
 ops.ah_destroy = authunix_destroy;
+ ops.ah_wrap = authunix_wrap;
+ ops.ah_unwrap = authunix_wrap;
 }
 mutex_unlock(&ops_lock);
 return (&ops);
diff --git a/src/clnt_dg.c b/src/clnt_dg.c
index 79fed5d..4a1f60a 100644
--- a/src/clnt_dg.c
+++ b/src/clnt_dg.c
@@ -366,7 +366,7 @@ call_again:
 if ((! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
 (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
- (! (*xargs)(xdrs, argsp))) {
+ (! AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp))) {
 cu->cu_error.re_status = RPC_CANTENCODEARGS;
 goto out;
 }
@@ -400,8 +400,8 @@ get_reply:
 * (We assume that this is actually only executed once.)
 */
 reply_msg.acpted_rply.ar_verf = _null_auth;
- reply_msg.acpted_rply.ar_results.where = resultsp;
- reply_msg.acpted_rply.ar_results.proc = xresults;
+ reply_msg.acpted_rply.ar_results.where = NULL;
+ reply_msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_void;
 fd.fd = cu->cu_fd;
 fd.events = POLLIN;
@@ -512,6 +512,10 @@ get_reply:
 &reply_msg.acpted_rply.ar_verf)) {
 cu->cu_error.re_status = RPC_AUTHERROR;
 cu->cu_error.re_why = AUTH_INVALIDRESP;
+ } else if (! AUTH_UNWRAP(cl->cl_auth, &reply_xdrs,
+ xresults, resultsp)) {
+ if (cu->cu_error.re_status == RPC_SUCCESS)
+ cu->cu_error.re_status = RPC_CANTDECODERES;
 }
 if (reply_msg.acpted_rply.ar_verf.oa_base != NULL) {
 xdrs->x_op = XDR_FREE;
diff --git a/src/clnt_vc.c b/src/clnt_vc.c
index 359063c..097cae8 100644
--- a/src/clnt_vc.c
+++ b/src/clnt_vc.c
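Review bot: The call `AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp)` now depends on every auth flavor filling `ah_wrap`, yet this commit only sets it in the des, none and unix ops tables. The macro is defined outside this diff; if it dispatches through `ah_ops->ah_wrap` without a NULL test, any flavor whose ops table was not updated (including out-of-tree ones) would make the client call through a null pointer on its first request. Either guard the dispatch, falling back to `(*xargs)(xdrs, argsp)` when the slot is NULL, or confirm that every remaining ops table is populated. The same applies to the AUTH_UNWRAP call later in this file and to both hunks in src/clnt_vc.c; the enclosing function starts and ends outside the hunk.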
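Review bot: The comment above these assignments is left as it was although their meaning has changed: with `where = NULL` and `proc = (xdrproc_t)xdr_void` the reply-message decoder no longer writes into `resultsp`. I would add `/* Results are decoded later by AUTH_UNWRAP, after the verifier has been checked. */` so that nobody restores the old values and reintroduces decoding of the body before the verifier check. Only the tail of the existing comment is visible in the hunk.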
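Review bot: A failed `AUTH_UNWRAP` is reported as `RPC_CANTDECODERES`, which, for a flavor whose unwrap verifies a checksum or decrypts the body, makes a rejected (possibly tampered) reply indistinguishable from a malformed one. Because the hook returns only a `bool_t` this cannot be fixed at this call site, but it deserves a comment such as `/* unwrap failure may be an integrity failure, not only a decode error */`, and callers should treat `resultsp` as invalid in that case. The inner `if (cu->cu_error.re_status == RPC_SUCCESS)` also looks redundant if, as it appears, this branch is only reached on success; the enclosing condition is outside the hunk. The second hunk in src/clnt_vc.c maps the failure the same way.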
@@ -364,7 +364,7 @@ call_again:
 if ((! XDR_PUTBYTES(xdrs, ct->ct_u.ct_mcallc, ct->ct_mpos)) ||
 (! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
 (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
- (! (*xdr_args)(xdrs, args_ptr))) {
+ (! AUTH_WRAP(cl->cl_auth, xdrs, xdr_args, args_ptr))) {
 if (ct->ct_error.re_status == RPC_SUCCESS)
 ct->ct_error.re_status = RPC_CANTENCODEARGS;
 (void)xdrrec_endofrecord(xdrs, TRUE);
@@ -420,7 +420,8 @@ call_again:
 &reply_msg.acpted_rply.ar_verf)) {
 ct->ct_error.re_status = RPC_AUTHERROR;
 ct->ct_error.re_why = AUTH_INVALIDRESP;
- } else if (! (*xdr_results)(xdrs, results_ptr)) {
+ } else if (! AUTH_UNWRAP(cl->cl_auth, xdrs,
+ xdr_results, results_ptr)) {
 if (ct->ct_error.re_status == RPC_SUCCESS)
 ct->ct_error.re_status = RPC_CANTDECODERES;
 }
--
cgit v1.2.1