first stab at SSPI leaving gss calls in

build.vc10/libtirpc.vcxproj

@@ -125,7 +125,7 @@
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;secur32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <ModuleDefinitionFile>..\libtirpc\libtirpc\libtirpc.def</ModuleDefinitionFile>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <SubSystem>Windows</SubSystem>
@@ -187,7 +187,9 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\libtirpc\src\asprintf.c" />
+    <ClCompile Include="..\libtirpc\src\authsspi_prot.c" />
     <ClCompile Include="..\libtirpc\src\auth_none.c" />
+    <ClCompile Include="..\libtirpc\src\auth_sspi.c" />
     <ClCompile Include="..\libtirpc\src\auth_time.c" />
     <ClCompile Include="..\libtirpc\src\auth_unix.c" />
     <ClCompile Include="..\libtirpc\src\authunix_prot.c" />
@@ -257,6 +259,7 @@
     <ClInclude Include="..\libtirpc\tirpc\rpc\auth_des.h" />
     <ClInclude Include="..\libtirpc\tirpc\rpc\auth_gss.h" />
     <ClInclude Include="..\libtirpc\tirpc\rpc\auth_kerb.h" />
+    <ClInclude Include="..\libtirpc\tirpc\rpc\auth_sspi.h" />
     <ClInclude Include="..\libtirpc\tirpc\rpc\auth_unix.h" />
     <ClInclude Include="..\libtirpc\tirpc\rpc\clnt.h" />
     <ClInclude Include="..\libtirpc\tirpc\rpc\clnt_soc.h" />

build.vc10/libtirpc.vcxproj.filters

@@ -207,6 +207,12 @@
     <ClCompile Include="..\libtirpc\src\xdr_stdio.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\libtirpc\src\auth_sspi.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\libtirpc\src\authsspi_prot.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\libtirpc\src\rpc_com.h">
@@ -341,6 +347,9 @@
     <ClInclude Include="..\libtirpc\tirpc\rpc\xdr.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\libtirpc\tirpc\rpc\auth_sspi.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\libtirpc\libtirpc\libtirpc.rc">

daemon/nfs41_rpc.c

@@ -27,6 +27,9 @@
 #include "nfs41_callback.h"
 
 #include "rpc/rpc.h"
+#define SECURITY_WIN32
+#include <security.h>
+#include "rpc/auth_sspi.h"
 
 static enum clnt_stat send_null(CLIENT *client)
 {
@@ -42,6 +45,7 @@ static int get_client_for_netaddr(
     IN uint32_t wsize,
     IN uint32_t rsize,
     IN nfs41_rpc_clnt *rpc,
+    OUT char **server_name,
     OUT CLIENT **client_out)
 {
     int status = ERROR_NETWORK_UNREACHABLE;
@@ -57,6 +61,13 @@ static int get_client_for_netaddr(
     if (addr == NULL)
         goto out_free_conf;
 
+    *server_name = calloc(NFS41_HOSTNAME_LEN, sizeof(char));
+    if (*server_name == NULL)
+        goto out_free_addr;
+
+    getnameinfo(addr->buf, addr->len, *server_name, NFS41_HOSTNAME_LEN, NULL, 0, 0);
+    dprintf(1, "servername is %s\n", *server_name);
+
     dprintf(1, "callback function %p args %p\n", nfs41_handle_callback, rpc);
     client = clnt_tli_create(RPC_ANYFD, nconf, addr,
         NFS41_RPC_PROGRAM, NFS41_RPC_VERSION, wsize, rsize, 
@@ -79,6 +90,7 @@ static int get_client_for_multi_addr(
     IN uint32_t wsize,
     IN uint32_t rsize,
     IN nfs41_rpc_clnt *rpc,
+    OUT char **server_name,
     OUT CLIENT **client_out,
     OUT uint32_t *addr_index)
 {
@@ -86,7 +98,7 @@ static int get_client_for_multi_addr(
     uint32_t i;
     for (i = 0; i < addrs->count; i++) {
         status = get_client_for_netaddr(&addrs->arr[i],
-            wsize, rsize, rpc, client_out);
+            wsize, rsize, rpc, server_name, client_out);
         if (status == NO_ERROR) {
             *addr_index = i;
             break;
@@ -111,6 +123,7 @@ int nfs41_rpc_clnt_create(
     int status;
     char machname[MAXHOSTNAMELEN + 1];
     gid_t gids[1];
+    char *server_name = NULL;
 
     rpc = calloc(1, sizeof(nfs41_rpc_clnt));
     if (rpc == NULL) {
@@ -123,13 +136,19 @@ int nfs41_rpc_clnt_create(
         eprintf("CreateEvent failed %d\n", status);
         goto out_free_rpc_clnt;
     }
-
+    status = get_client_for_multi_addr(addrs, wsize, rsize, needcb?rpc:NULL, 
-    status = get_client_for_multi_addr(addrs,
+                &server_name, &client, &addr_index);
-        wsize, rsize, needcb?rpc:NULL, &client, &addr_index);
     if (status) {
         clnt_pcreateerror("connecting failed");
         goto out_free_rpc_clnt;
     }
+    if (send_null(client) != RPC_SUCCESS) {
+        // XXX Do what here?
+        eprintf("nfs41_rpc_clnt_create: send_null failed\n");
+        status = ERROR_NETWORK_UNREACHABLE;
+        goto out_err_auth;
+    }
+#if 0
     // XXX Pick credentials in better manner
     if (gethostname(machname, sizeof(machname)) == -1) {
         eprintf("nfs41_rpc_clnt_create: gethostname failed\n");
@@ -140,16 +159,22 @@ int nfs41_rpc_clnt_create(
     if (client->cl_auth == NULL) {
         // XXX log failure in auth creation somewhere
         // XXX Better error return
+        eprintf("nfs41_rpc_clnt_create: failed to create AUTHSYS\n");
         status = ERROR_NETWORK_UNREACHABLE;
         goto out_err_client;
-    }
+    } else dprintf(1, "nfs41_rpc_clnt_create: successfully created AUTHSYS\n");
-    if (send_null(client) != RPC_SUCCESS) {
+#else
-        // XXX Do what here?
+    client->cl_auth = authsspi_create_default(client, server_name, RPCSEC_SSPI_SVC_NONE);
-        eprintf("nfs41_rpc_clnt_create: send_null failed\n");
+#endif
+    if (client->cl_auth == NULL) {
+        // XXX log failure in auth creation somewhere
+        // XXX Better error return
+        eprintf("nfs41_rpc_clnt_create: failed to create AUTHGSS\n");
         status = ERROR_NETWORK_UNREACHABLE;
-        goto out_err_auth;
+        goto out_err_client;
-    }
+    } else dprintf(1, "nfs41_rpc_clnt_create: successfully created AUTHGSS\n");
 
+    free(server_name);
     rpc->rpc = client;
 
     /* keep a copy of the address and buffer sizes for reconnect */
@@ -219,11 +244,12 @@ static int rpc_reconnect(
     CLIENT *client = NULL;
     uint32_t addr_index;
     int status;
+    char *server_name = NULL;
 
     AcquireSRWLockExclusive(&rpc->lock);
 
-    status = get_client_for_multi_addr(&rpc->addrs,
+    status = get_client_for_multi_addr(&rpc->addrs, rpc->wsize, rpc->rsize, 
-        rpc->wsize, rpc->rsize, rpc, &client, &addr_index);
+                rpc, &server_name, &client, &addr_index);
     if (status)
         goto out_unlock;
 

libtirpc/libtirpc/libtirpc.def

@@ -3,6 +3,8 @@ EXPORTS
 authnone_create
 authunix_create
 authunix_create_default
+authsspi_create
+authsspi_create_default
 clnt_create
 clnt_broadcast
 clnt_pcreateerror

libtirpc/src/auth_none.c

@@ -58,9 +58,9 @@ __FBSDID("$FreeBSD: src/lib/libc/rpc/auth_none.c,v 1.12 2002/03/22 23:18:35 obri
  * Authenticator operations routines
  */
 
-static bool_t authnone_marshal (AUTH *, XDR *);
+static bool_t authnone_marshal (AUTH *, XDR *, u_int *);
 static void authnone_verf (AUTH *);
-static bool_t authnone_validate (AUTH *, struct opaque_auth *);
+static bool_t authnone_validate (AUTH *, struct opaque_auth *, u_int);
 static bool_t authnone_refresh (AUTH *, void *);
 static void authnone_destroy (AUTH *);
 
@@ -108,7 +108,7 @@ authnone_create()
 
 /*ARGSUSED*/
 static bool_t
-authnone_marshal(AUTH *client, XDR *xdrs)
+authnone_marshal(AUTH *client, XDR *xdrs, u_int *seq)
 {
 	struct authnone_private *ap;
 	bool_t dummy;
@@ -136,7 +136,7 @@ authnone_verf(AUTH *client)
 
 /*ARGSUSED*/
 static bool_t
-authnone_validate(AUTH *client, struct opaque_auth *opaque)
+authnone_validate(AUTH *client, struct opaque_auth *opaque, u_int seq)
 {
 
 	return (TRUE);

libtirpc/src/auth_unix.c

@@ -58,8 +58,8 @@
 
 /* auth_unix.c */
 static void authunix_nextverf (AUTH *);
-static bool_t authunix_marshal (AUTH *, XDR *);
+static bool_t authunix_marshal (AUTH *, XDR *, u_int *seq);
-static bool_t authunix_validate (AUTH *, struct opaque_auth *);
+static bool_t authunix_validate (AUTH *, struct opaque_auth *, u_int);
 static bool_t authunix_refresh (AUTH *, void *);
 static void authunix_destroy (AUTH *);
 static void marshal_new_auth (AUTH *);
@@ -213,9 +213,10 @@ authunix_nextverf(auth)
 }
 
 static bool_t
-authunix_marshal(auth, xdrs)
+authunix_marshal(auth, xdrs, seq)
 	AUTH *auth;
 	XDR *xdrs;
+    u_int *seq;
 {
 	struct audata *au;
 
@@ -227,9 +228,10 @@ authunix_marshal(auth, xdrs)
 }
 
 static bool_t
-authunix_validate(auth, verf)
+authunix_validate(auth, verf, seq)
 	AUTH *auth;
 	struct opaque_auth *verf;
+    u_int seq;
 {
 	struct audata *au;
 	XDR xdrs;

libtirpc/src/authsspi_prot.c

@@ -0,0 +1,303 @@
+/* Copyright (c) 2010
+ * The Regents of the University of Michigan
+ * All Rights Reserved
+ *
+ * Permission is granted to use, copy and redistribute this software
+ * for noncommercial education and research purposes, so long as no
+ * fee is charged, and so long as the name of the University of Michigan
+ * is not used in any advertising or publicity pertaining to the use
+ * or distribution of this software without specific, written prior
+ * authorization.  Permission to modify or otherwise create derivative
+ * works of this software is not granted.
+ *
+ * This software is provided as is, without representation or warranty
+ * of any kind either express or implied, including without limitation
+ * the implied warranties of merchantability, fitness for a particular
+ * purpose, or noninfringement.  The Regents of the University of
+ * Michigan shall not be liable for any damages, including special,
+ * indirect, incidental, or consequential damages, with respect to any
+ * claim arising out of or in connection with the use of the software,
+ * even if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+
+#include <wintirpc.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+//#include <rpc/types.h>
+#include <rpc/xdr.h>
+#include <rpc/auth.h>
+#include <rpc/auth_sspi.h>
+#include <rpc/rpc.h>
+#include <security.h>
+
+bool_t
+xdr_rpc_sspi_cred(XDR *xdrs, struct rpc_sspi_cred *p)
+{
+	bool_t xdr_stat;
+
+	xdr_stat = (xdr_u_int(xdrs, &p->gc_v) &&
+		        xdr_enum(xdrs, (enum_t *)&p->gc_proc) &&
+		        xdr_u_int(xdrs, &p->gc_seq) &&
+		        xdr_enum(xdrs, (enum_t *)&p->gc_svc) &&
+		        xdr_bytes(xdrs, (char **)&p->gc_ctx.value,
+                (u_int *)&p->gc_ctx.length, MAX_AUTH_BYTES));
+
+	log_debug("xdr_rpc_gss_cred: %s %s "
+                "(v %d, proc %d, seq %d, svc %d, ctx %p:%d)",
+                (xdrs->x_op == XDR_ENCODE) ? "encode" : "decode",
+                (xdr_stat == TRUE) ? "success" : "failure",
+                p->gc_v, p->gc_proc, p->gc_seq, p->gc_svc,
+                p->gc_ctx.value, p->gc_ctx.length);
+
+	return (xdr_stat);
+}
+
+bool_t
+xdr_rpc_sspi_init_args(XDR *xdrs, sspi_buffer_desc *p)
+{
+	bool_t xdr_stat;
+
+	xdr_stat = xdr_bytes(xdrs, (char **)&p->value,
+                        (u_int *)&p->length, MAX_NETOBJ_SZ);
+
+	log_debug("xdr_rpc_gss_init_args: %s %s (token %p:%d)",
+                (xdrs->x_op == XDR_ENCODE) ? "encode" : "decode",
+                (xdr_stat == TRUE) ? "success" : "failure",
+                p->value, p->length);
+
+	return (xdr_stat);
+}
+
+bool_t
+xdr_rpc_sspi_init_res(XDR *xdrs, struct rpc_sspi_init_res *p)
+{
+	bool_t xdr_stat;
+
+	xdr_stat = (xdr_bytes(xdrs, (char **)&p->gr_ctx.value,
+                (u_int *)&p->gr_ctx.length, MAX_NETOBJ_SZ) &&
+                xdr_u_int(xdrs, &p->gr_major) &&
+                xdr_u_int(xdrs, &p->gr_minor) &&
+                xdr_u_int(xdrs, &p->gr_win) &&
+                xdr_bytes(xdrs, (char **)&p->gr_token.value,
+                (u_int *)&p->gr_token.length, MAX_NETOBJ_SZ));
+
+	log_debug("xdr_rpc_gss_init_res %s %s "
+                "(ctx %p:%d, maj %d, min %d, win %d, token %p:%d)",
+                (xdrs->x_op == XDR_ENCODE) ? "encode" : "decode",
+                (xdr_stat == TRUE) ? "success" : "failure",
+                p->gr_ctx.value, p->gr_ctx.length,
+                p->gr_major, p->gr_minor, p->gr_win,
+                p->gr_token.value, p->gr_token.length);
+
+	return (xdr_stat);
+}
+
+bool_t
+xdr_rpc_sspi_wrap_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr,
+		      PCtxtHandle ctx, sspi_qop_t qop,
+		      rpc_sspi_svc_t svc, u_int seq)
+{
+	sspi_buffer_desc databuf, wrapbuf;
+	uint32_t maj_stat;
+	int start, end, conf_state;
+	bool_t xdr_stat;
+
+    log_debug("in xdr_rpc_sspi_wrap_data()");
+
+    /* Skip databody length. */
+	start = XDR_GETPOS(xdrs);
+	//XDR_SETPOS(xdrs, start + 4);
+
+	/* Marshal rpc_gss_data_t (sequence number + arguments). */
+	if (!xdr_u_int(xdrs, &seq) || !(*xdr_func)(xdrs, xdr_ptr))
+		return (FALSE);
+	end = XDR_GETPOS(xdrs);
+
+	/* Set databuf to marshalled rpc_gss_data_t. */
+	databuf.length = end - start - 4;
+	//XDR_SETPOS(xdrs, start + 4);
+	//databuf.value = XDR_INLINE(xdrs, databuf.length);
+	databuf.value = xdrrec_getoutbase(xdrs) + 1;
+
+	xdr_stat = FALSE;
+
+	if (svc == RPCSEC_SSPI_SVC_INTEGRITY) {
+		/* Marshal databody_integ length. */
+		//XDR_SETPOS(xdrs, start);
+		if (!xdr_u_int(xdrs, (u_int *)&databuf.length))
+			return (FALSE);
+
+		/* Checksum rpc_gss_data_t. */
+#if 0
+		maj_stat = gss_get_mic(&min_stat, ctx, qop,
+				       &databuf, &wrapbuf);
+#else
+        maj_stat = sspi_get_mic(ctx, 0, seq, &databuf, &wrapbuf);
+#endif
+		if (maj_stat != SEC_E_OK) {
+			log_debug("xdr_rpc_sspi_wrap_data: sspi_get_mic failed with %x", maj_stat);
+			return (FALSE);
+		}
+		/* Marshal checksum. */
+		//XDR_SETPOS(xdrs, end);
+		xdr_stat = xdr_bytes(xdrs, (char **)&wrapbuf.value,
+                            (u_int *)&wrapbuf.length, MAX_NETOBJ_SZ);
+#if 0
+		gss_release_buffer(&min_stat, &wrapbuf);
+#else
+        sspi_release_buffer(&wrapbuf);
+#endif
+	}
+	else if (svc == RPCSEC_SSPI_SVC_PRIVACY) {
+		/* Encrypt rpc_gss_data_t. */
+#if 0
+		maj_stat = gss_wrap(&min_stat, ctx, TRUE, qop, &databuf,
+				    &conf_state, &wrapbuf);
+#endif
+		if (maj_stat != SEC_E_OK) {
+			log_debug("xdr_rpc_sspi_wrap_data: sspi_wrap failed with %x", maj_stat);
+			return (FALSE);
+		}
+		/* Marshal databody_priv. */
+		XDR_SETPOS(xdrs, start);
+		xdr_stat = xdr_bytes(xdrs, (char **)&wrapbuf.value,
+                            (u_int *)&wrapbuf.length, MAX_NETOBJ_SZ);
+#if 0
+		gss_release_buffer(&min_stat, &wrapbuf);
+#else
+        sspi_release_buffer(&wrapbuf);
+#endif
+	}
+	return (xdr_stat);
+}
+
+bool_t
+xdr_rpc_sspi_unwrap_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr,
+			PCtxtHandle ctx, sspi_qop_t qop,
+			rpc_sspi_svc_t svc, u_int seq)
+{
+	XDR tmpxdrs;
+	sspi_buffer_desc databuf, wrapbuf;
+	uint32_t maj_stat;
+	u_int seq_num, qop_state;
+	int conf_state;
+	bool_t xdr_stat;
+
+    log_debug("in xdr_rpc_sspi_unwrap_data()");
+
+	if (xdr_func == (xdrproc_t)xdr_void || xdr_ptr == NULL)
+		return (TRUE);
+
+	memset(&databuf, 0, sizeof(databuf));
+	memset(&wrapbuf, 0, sizeof(wrapbuf));
+
+	if (svc == RPCSEC_SSPI_SVC_INTEGRITY) {
+		/* Decode databody_integ. */
+		if (!xdr_bytes(xdrs, (char **)&databuf.value, (u_int *)&databuf.length,
+                        MAX_NETOBJ_SZ)) {
+			log_debug("xdr_rpc_sspi_unwrap_data: xdr decode databody_integ failed");
+			return (FALSE);
+		}
+		/* Decode checksum. */
+		if (!xdr_bytes(xdrs, (char **)&wrapbuf.value, (u_int *)&wrapbuf.length,
+                        MAX_NETOBJ_SZ)) {
+#if 0
+			gss_release_buffer(&min_stat, &databuf);
+#else
+            sspi_release_buffer(&databuf);
+#endif
+			log_debug("xdr_rpc_sspi_unwrap_data: xdr decode checksum failed");
+			return (FALSE);
+		}
+		/* Verify checksum and QOP. */
+#if 0
+		maj_stat = gss_verify_mic(&min_stat, ctx, &databuf,
+					  &wrapbuf, &qop_state);
+#else
+        maj_stat = sspi_verify_mic(ctx, seq, &databuf, &wrapbuf, &qop_state);
+#endif
+#if 0
+		gss_release_buffer(&min_stat, &wrapbuf);
+#else
+        sspi_release_buffer(&wrapbuf);
+#endif
+
+		if (maj_stat != SEC_E_OK || qop_state != qop) {
+#if 0
+			gss_release_buffer(&min_stat, &databuf);
+#else
+            sspi_release_buffer(&databuf);
+#endif
+			log_debug("xdr_rpc_sspi_unwrap_data: sspi_verify_mic "
+                        "failed with %x", maj_stat);
+			return (FALSE);
+		}
+	}
+	else if (svc == RPCSEC_SSPI_SVC_PRIVACY) {
+		/* Decode databody_priv. */
+		if (!xdr_bytes(xdrs, (char **)&wrapbuf.value, (u_int *)&wrapbuf.length,
+                        MAX_NETOBJ_SZ)) {
+			log_debug("xdr_rpc_sspi_unwrap_data: xdr decode databody_priv failed");
+			return (FALSE);
+		}
+		/* Decrypt databody. */
+#if 0
+		maj_stat = gss_unwrap(&min_stat, ctx, &wrapbuf, &databuf,
+				      &conf_state, &qop_state);
+#endif
+#if 0
+		gss_release_buffer(&min_stat, &wrapbuf);
+#else
+        sspi_release_buffer(&wrapbuf);
+#endif
+		/* Verify encryption and QOP. */
+		if (maj_stat != SEC_E_OK || qop_state != qop ||
+			conf_state != TRUE) {
+#if 0
+			gss_release_buffer(&min_stat, &databuf);
+#else
+            sspi_release_buffer(&databuf);
+#endif
+			log_debug("xdr_rpc_sspi_unwrap_data: sspi_unwrap failed with %x", maj_stat);
+			return (FALSE);
+		}
+	}
+	/* Decode rpc_gss_data_t (sequence number + arguments). */
+	xdrmem_create(&tmpxdrs, databuf.value, databuf.length, XDR_DECODE);
+	xdr_stat = (xdr_u_int(&tmpxdrs, &seq_num) &&
+                (*xdr_func)(&tmpxdrs, xdr_ptr));
+	XDR_DESTROY(&tmpxdrs);
+#if 0
+	gss_release_buffer(&min_stat, &databuf);
+#else
+        sspi_release_buffer(&databuf);
+#endif
+	/* Verify sequence number. */
+	if (xdr_stat == TRUE && seq_num != seq) {
+		log_debug("wrong sequence number in databody");
+		return (FALSE);
+	}
+
+	return (xdr_stat);
+}
+
+bool_t
+xdr_rpc_sspi_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr,
+		 PCtxtHandle ctx, sspi_qop_t qop,
+		 rpc_sspi_svc_t svc, u_int seq)
+{
+	switch (xdrs->x_op) {
+
+	case XDR_ENCODE:
+		return (xdr_rpc_sspi_wrap_data(xdrs, xdr_func, xdr_ptr,
+                    ctx, qop, svc, seq));
+	case XDR_DECODE:
+		return (xdr_rpc_sspi_unwrap_data(xdrs, xdr_func, xdr_ptr,
+                    ctx, qop, svc, seq));
+	case XDR_FREE:
+		return (TRUE);
+	}
+	return (FALSE);
+}

libtirpc/src/clnt_dg.c

@@ -395,7 +395,7 @@ call_again:
 	*(u_int32_t *)(void *)(cu->cu_outbuf) = htonl(xid);
 
 	if ((! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
-	    (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
+	    (! AUTH_MARSHALL(cl->cl_auth, xdrs, NULL)) ||
 	    (! (*xargs)(xdrs, argsp))) {
 		cu->cu_error.re_status = RPC_CANTENCODEARGS;
 		goto out;
@@ -541,7 +541,7 @@ get_reply:
 
 		if (cu->cu_error.re_status == RPC_SUCCESS) {
 			if (! AUTH_VALIDATE(cl->cl_auth,
-					    &reply_msg.acpted_rply.ar_verf)) {
+					    &reply_msg.acpted_rply.ar_verf, 0)) {
 				cu->cu_error.re_status = RPC_AUTHERROR;
 				cu->cu_error.re_why = AUTH_INVALIDRESP;
 			}

libtirpc/src/clnt_raw.c

@@ -166,7 +166,7 @@ call_again:
 	clp->u.mashl_rpcmsg.rm_xid ++ ;
 	if ((! XDR_PUTBYTES(xdrs, clp->u.mashl_callmsg, clp->mcnt)) ||
 	    (! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
-	    (! AUTH_MARSHALL(h->cl_auth, xdrs)) ||
+	    (! AUTH_MARSHALL(h->cl_auth, xdrs, NULL)) ||
 	    (! (*xargs)(xdrs, argsp))) {
 		return (RPC_CANTENCODEARGS);
 	}
@@ -207,7 +207,7 @@ call_again:
 	status = error.re_status;
 
 	if (status == RPC_SUCCESS) {
-		if (! AUTH_VALIDATE(h->cl_auth, &msg.acpted_rply.ar_verf)) {
+		if (! AUTH_VALIDATE(h->cl_auth, &msg.acpted_rply.ar_verf, 0)) {
 			status = RPC_AUTHERROR;
 		}
 	}  /* end successful completion */
@@ -217,7 +217,7 @@ call_again:
 	}  /* end of unsuccessful completion */
 
 	if (status == RPC_SUCCESS) {
-		if (! AUTH_VALIDATE(h->cl_auth, &msg.acpted_rply.ar_verf)) {
+		if (! AUTH_VALIDATE(h->cl_auth, &msg.acpted_rply.ar_verf, 0)) {
 			status = RPC_AUTHERROR;
 		}
 		if (msg.acpted_rply.ar_verf.oa_base != NULL) {

libtirpc/src/clnt_vc.c

@@ -488,6 +488,7 @@ clnt_vc_call(cl, proc, xdr_args, args_ptr, xdr_results, results_ptr, timeout)
 	u_int32_t *msg_x_id = &ct->ct_u.ct_mcalli;    /* yuk */
 	bool_t shipnow;
 	int refreshes = 2;
+    u_int seq = -1;
 #ifndef _WIN32
 	sigset_t mask, newmask;
 #else
@@ -520,7 +521,7 @@ call_again:
 
 	if ((! XDR_PUTBYTES(xdrs, ct->ct_u.ct_mcallc, ct->ct_mpos)) ||
 	    (! XDR_PUTINT32(xdrs, (int32_t *)&proc)) ||
-	    (! AUTH_MARSHALL(cl->cl_auth, xdrs)) ||
+	    (! AUTH_MARSHALL(cl->cl_auth, xdrs, &seq)) ||
 	    (! (*xdr_args)(xdrs, args_ptr))) {
 		if (ct->ct_error.re_status == RPC_SUCCESS)
 			ct->ct_error.re_status = RPC_CANTENCODEARGS;
@@ -607,7 +608,7 @@ call_again:
 	_seterr_reply(&ct->reply_msg, &(ct->ct_error));
 	if (ct->ct_error.re_status == RPC_SUCCESS) {
 		if (! AUTH_VALIDATE(cl->cl_auth,
-		    &ct->reply_msg.acpted_rply.ar_verf)) {
+		    &ct->reply_msg.acpted_rply.ar_verf, seq)) {
 			ct->ct_error.re_status = RPC_AUTHERROR;
 			ct->ct_error.re_why = AUTH_INVALIDRESP;
 		} else if (! (*xdr_results)(xdrs, results_ptr)) {

libtirpc/src/sources

@@ -5,6 +5,8 @@ SOURCES=\
 	auth_none.c \
 	auth_time.c \
 	auth_unix.c \
+	auth_sspi.c \
+	authsspi_prot.c \
 	authunix_prot.c \
 	bindresvport.c \
 	clnt_bcast.c \
@@ -69,13 +71,12 @@ SOURCES=\
 #	crypt_client.c \
 #	des_crypt.c \
 #	svc_auth_sspi.c \
-#	auth_sspi.c \
 #	auth_des.c \
 #	authdes_prot.c \
 #	authgss_prot.c \
 
 UMTYPE=console
-UNICODE=1
+#UNICODE=1
 DLLBASE=0x1010000
 #USE_NTDLL=1
 #USE_MSVCRT=1

libtirpc/src/xdr_rec.c

@@ -330,10 +330,10 @@ xdrrec_getpos(xdrs)
 	XDR *xdrs;
 {
 	RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private;
-	off_t pos;
+	off_t pos = 0;
 
 	//pos = lseek((int)(u_long)rstrm->tcp_handle, (off_t)0, 1);
-	pos = _lseek((int)PtrToUlong(rstrm->tcp_handle), (off_t)0, 1);
+	//pos = _lseek((int)PtrToUlong(rstrm->tcp_handle), (off_t)0, 1);
 	if (pos != -1)
 		switch (xdrs->x_op) {
 
@@ -391,6 +391,28 @@ xdrrec_setpos(xdrs, pos)
 	return (FALSE);
 }
 
+int32_t *
+xdrrec_getoutbase(xdrs)
+	XDR *xdrs;
+{
+	RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private;
+	int32_t *buf = NULL;
+
+	switch (xdrs->x_op) {
+
+	case XDR_ENCODE:
+        buf = rstrm->out_base;
+		break;
+
+	case XDR_DECODE:
+		break;
+
+	case XDR_FREE:
+		break;
+	}
+	return (buf);
+}
+
 static int32_t *
 xdrrec_inline(xdrs, len)
 	XDR *xdrs;

libtirpc/tirpc/rpc/auth.h

@@ -188,10 +188,9 @@ typedef struct __auth {
 	struct auth_ops {
 		void	(*ah_nextverf) (struct __auth *);
 		/* nextverf & serialize */
-		int	(*ah_marshal) (struct __auth *, XDR *);
+		int	(*ah_marshal) (struct __auth *, XDR *, u_int *);
 		/* validate verifier */
-		int	(*ah_validate) (struct __auth *,
+		int	(*ah_validate) (struct __auth *, struct opaque_auth *, u_int);
-			    struct opaque_auth *);
 		/* refresh credentials */
 		int	(*ah_refresh) (struct __auth *, void *);
 		/* destroy this structure */
@@ -219,15 +218,15 @@ typedef struct __auth {
 #define auth_nextverf(auth)		\
 		((*((auth)->ah_ops->ah_nextverf))(auth))
 
-#define AUTH_MARSHALL(auth, xdrs)	\
+#define AUTH_MARSHALL(auth, xdrs, seq)	\
-		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
+		((*((auth)->ah_ops->ah_marshal))(auth, xdrs, seq))
-#define auth_marshall(auth, xdrs)	\
+#define auth_marshall(auth, xdrs, seq)	\
 		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
 
-#define AUTH_VALIDATE(auth, verfp)	\
+#define AUTH_VALIDATE(auth, verfp, seq)	\
-		((*((auth)->ah_ops->ah_validate))((auth), verfp))
+		((*((auth)->ah_ops->ah_validate))((auth), verfp, seq))
-#define auth_validate(auth, verfp)	\
+#define auth_validate(auth, verfp, seq)	\
-		((*((auth)->ah_ops->ah_validate))((auth), verfp))
+		((*((auth)->ah_ops->ah_validate))((auth), verfp, seq))
 
 #define AUTH_REFRESH(auth, msg)		\
 		((*((auth)->ah_ops->ah_refresh))(auth, msg))

libtirpc/tirpc/rpc/auth_sspi.h

@@ -0,0 +1,117 @@
+/* Copyright (c) 2010
+ * The Regents of the University of Michigan
+ * All Rights Reserved
+ *
+ * Permission is granted to use, copy and redistribute this software
+ * for noncommercial education and research purposes, so long as no
+ * fee is charged, and so long as the name of the University of Michigan
+ * is not used in any advertising or publicity pertaining to the use
+ * or distribution of this software without specific, written prior
+ * authorization.  Permission to modify or otherwise create derivative
+ * works of this software is not granted.
+ *
+ * This software is provided as is, without representation or warranty
+ * of any kind either express or implied, including without limitation
+ * the implied warranties of merchantability, fitness for a particular
+ * purpose, or noninfringement.  The Regents of the University of
+ * Michigan shall not be liable for any damages, including special,
+ * indirect, incidental, or consequential damages, with respect to any
+ * claim arising out of or in connection with the use of the software,
+ * even if it has been or is hereafter advised of the possibility of
+ * such damages.
+ */
+
+#ifndef _TIRPC_AUTH_GSS_H
+#define _TIRPC_AUTH_GSS_H
+
+#include <rpc/clnt.h>
+#define SECURITY_WIN32
+#include <security.h>
+
+/* RPCSEC_SSPI control procedures. */
+typedef enum {
+	RPCSEC_SSPI_DATA = 0,
+	RPCSEC_SSPI_INIT = 1,
+	RPCSEC_SSPI_CONTINUE_INIT = 2,
+	RPCSEC_SSPI_DESTROY = 3
+} rpc_sspi_proc_t;
+
+/* RPCSEC_SSPI services. */
+typedef enum {
+	RPCSEC_SSPI_SVC_NONE = 1,
+	RPCSEC_SSPI_SVC_INTEGRITY = 2,
+	RPCSEC_SSPI_SVC_PRIVACY = 3
+} rpc_sspi_svc_t;
+
+#define RPCSEC_SSPI_VERSION	1
+
+#define sspi_name_t SEC_CHAR *
+#define sspi_qop_t uint32_t
+
+typedef struct _sspi_OID_desc {
+    int length;
+    void *elements;
+} sspi_OID_desc, *sspi_OID;
+
+typedef struct _sspi_buffer_desc {
+    int length;
+    void *value;
+} sspi_buffer_desc, *sspi_buffer_t;
+
+#define SSPI_C_NO_NAME ((sspi_name_t) NULL)
+#define SSPI_C_NO_BUFFER ((sspi_buffer_t) NULL)
+#define SSPI_C_NO_CONTEXT ((PCtxtHandle) NULL)
+
+/* RPCSEC_SSPI security triple. */
+struct rpc_sspi_sec {
+	sspi_OID        mech;		/* mechanism */
+	uint32_t        qop;		/* quality of protection */
+	rpc_sspi_svc_t	svc;		/* service */
+    CredHandle      cred;       /* cred handle */
+	u_int		    req_flags;	/* req flags for init_sec_context */
+    TimeStamp       expiry;
+};
+
+/* Credentials. */
+struct rpc_sspi_cred {
+	u_int		        gc_v;		/* version */
+	rpc_sspi_proc_t	    gc_proc;	/* control procedure */
+	u_int		        gc_seq;		/* sequence number */
+	rpc_sspi_svc_t	    gc_svc;		/* service */
+	sspi_buffer_desc	gc_ctx;		/* server's returned context handle */
+};
+
+/* Context creation response. */
+struct rpc_sspi_init_res {
+	sspi_buffer_desc    gr_ctx;		/* context handle */
+	u_int			    gr_major;	/* major status */
+	u_int			    gr_minor;	/* minor status */
+	u_int			    gr_win;		/* sequence window */
+	sspi_buffer_desc    gr_token;	/* token */
+};
+
+/* Prototypes. */
+__BEGIN_DECLS
+bool_t xdr_rpc_sspi_cred(XDR *xdrs, struct rpc_sspi_cred *p);
+bool_t xdr_rpc_sspi_init_args(XDR *xdrs, sspi_buffer_desc *p);
+bool_t xdr_rpc_sspi_init_res(XDR *xdrs, struct rpc_sspi_init_res *p);
+bool_t xdr_rpc_sspi_data(XDR *xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr, 
+                         PCtxtHandle ctx, sspi_qop_t qop, 
+                         rpc_sspi_svc_t svc, u_int seq);
+AUTH *authsspi_create(CLIENT *, sspi_name_t, struct rpc_sspi_sec *);
+AUTH *authsspi_create_default(CLIENT *, char *, int);
+bool_t authsspi_service(AUTH *auth, int svc);
+uint32_t sspi_get_mic(void *ctx, u_int qop, u_int seq, 
+                      sspi_buffer_desc *bufin, sspi_buffer_desc *bufout);
+uint32_t sspi_verify_mic(void *ctx, u_int seq, sspi_buffer_desc *bufin, 
+                         sspi_buffer_desc *bufout, u_int *qop_state);
+void sspi_release_buffer(sspi_buffer_desc *buf);
+uint32_t sspi_import_name(sspi_buffer_desc *name_in, sspi_name_t *name_out);
+
+void log_debug(const char *fmt, ...);
+void log_status(char *m, uint32_t major, uint32_t minor);
+void log_hexdump(bool_t on, const u_char *title, const u_char *buf, int len, int offset);
+
+__END_DECLS
+
+#endif /* !_TIRPC_AUTH_GSS_H */

libtirpc/tirpc/rpc/xdr.h

@@ -354,6 +354,7 @@ extern void   xdrrec_create(XDR *, u_int, u_int, void *,
 
 /* make end of xdr record */
 extern bool_t xdrrec_endofrecord(XDR *, int);
+extern int32_t *xdrrec_getoutbase(XDR *);
 
 /* move to beginning of next record */
 extern bool_t xdrrec_skiprecord(XDR *);

sys/nfs41_driver.c

@@ -2704,7 +2704,7 @@ NTSTATUS nfs41_Create(
 
     status = map_open_errors(entry->status, SrvOpen->pAlreadyPrefixedName->Length);
     if (status != STATUS_SUCCESS) {
-        print_open_error(1, entry->status);
+        print_open_error(1, status);
         goto out_free;
     }