rpc: ensure that client on startTLS sends an empty verifier

Motivation: according to the current draft on startTLS client should send an empty verifier, while server must reply with "STARTTLS" string. See: https://www.ietf.org/archive/id/draft-ietf-nfsv4-rpc-tls-11.txt Modification: Update RpcAuthTypeTls to have a different behavior in the client and server modes. Result: Interoperability with Solaris server. Acked-by: Lea Morschel Target: master
dCache · Dec 14, 2021 · 9926a66 · 9926a66
1 parent e04037d
commit 9926a66
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcAuthTypeTls.java b/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcAuthTypeTls.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2019 - 2021 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import javax.security.auth.Subject;
+
 import org.dcache.oncrpc4j.xdr.XdrAble;
 import org.dcache.oncrpc4j.xdr.XdrDecodingStream;
 import org.dcache.oncrpc4j.xdr.XdrEncodingStream;
@@ -32,13 +33,20 @@
  */
 public class RpcAuthTypeTls implements RpcAuth, XdrAble {
 
-    private final static byte[] STARTTLS = "STARTTLS".getBytes(StandardCharsets.US_ASCII);
-    private final RpcAuthVerifier verifier = new RpcAuthVerifier(RpcAuthType.NONE, STARTTLS);
+    public static final RpcAuthVerifier STARTTLS_VERIFIER = new RpcAuthVerifier(RpcAuthType.NONE, "STARTTLS".getBytes(StandardCharsets.US_ASCII));
+    public static final RpcAuthVerifier EMPTY_VERIFIER = new RpcAuthVerifier(RpcAuthType.NONE, new byte[0]);
+
+    private final RpcAuthVerifier verifier;
     private final Subject _subject;
 
     public RpcAuthTypeTls() {
+        this(EMPTY_VERIFIER);
+    }
+
+    public RpcAuthTypeTls(RpcAuthVerifier verifier) {
         _subject = new Subject();
         _subject.setReadOnly();
+        this.verifier = verifier;
     }
 
     @Override
@@ -58,8 +66,12 @@ public Subject getSubject() {
 
     @Override
     public void xdrDecode(XdrDecodingStream xdr) throws OncRpcException, IOException {
+
         byte[] opaque = xdr.xdrDecodeDynamicOpaque();
-        verifier.xdrDecode(xdr);
+
+        // we are not interested in the content of the verifier, but have to consume it
+        int type = xdr.xdrDecodeInt();
+        byte[] rawVerifier = xdr.xdrDecodeDynamicOpaque();
     }
 
     @Override

diff --git a/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcCredential.java b/oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcCredential.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2020 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2021 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -47,7 +47,7 @@ public static RpcAuth decode(XdrDecodingStream xdr, RpcTransport transport) thro
                 credential = new RpcAuthGss();
                 break;
             case RpcAuthType.TLS:
-                credential = new RpcAuthTypeTls();
+                credential = new RpcAuthTypeTls(RpcAuthTypeTls.STARTTLS_VERIFIER);
                 transport.startTLS();
                 break;
             default: