From owner-svn-src-stable@FreeBSD.ORG  Mon Jul  4 00:24:59 2011
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E5C8E106566B;
	Mon,  4 Jul 2011 00:24:59 +0000 (UTC)
	(envelope-from rmacklem@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id D2FAD8FC08;
	Mon,  4 Jul 2011 00:24:59 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p640OxxQ046348;
	Mon, 4 Jul 2011 00:24:59 GMT (envelope-from rmacklem@svn.freebsd.org)
Received: (from rmacklem@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p640OxkV046337;
	Mon, 4 Jul 2011 00:24:59 GMT (envelope-from rmacklem@svn.freebsd.org)
Message-Id: <201107040024.p640OxkV046337@svn.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Mon, 4 Jul 2011 00:24:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r223748 - in stable/8/sys: fs/nfs fs/nfsclient
	fs/nfsserver kgssapi modules modules/kgssapi_krb5 nfsclient
	nfsserver rpc
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
	<svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>, 
	<mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
	<mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2011 00:25:00 -0000

Author: rmacklem
Date: Mon Jul  4 00:24:59 2011
New Revision: 223748
URL: http://svn.freebsd.org/changeset/base/223748

Log:
  MFC: r223309
  Fix the kgssapi so that it can be loaded as a module. Currently
  the NFS subsystems use five of the rpcsec_gss/kgssapi entry points,
  but since it was not obvious which others might be useful, all
  nineteen were included. Basically the nineteen entry points are
  set in a structure called rpc_gss_entries and inline functions
  defined in sys/rpc/rpcsec_gss.h check for the entry points being
  non-NULL and then call them. A default value is returned otherwise.

Modified:
  stable/8/sys/fs/nfs/nfs_commonkrpc.c
  stable/8/sys/fs/nfsclient/nfs_clkrpc.c
  stable/8/sys/fs/nfsserver/nfs_nfsdkrpc.c
  stable/8/sys/kgssapi/gss_impl.c
  stable/8/sys/modules/Makefile
  stable/8/sys/modules/kgssapi_krb5/Makefile
  stable/8/sys/nfsclient/nfs_krpc.c
  stable/8/sys/nfsserver/nfs_srvkrpc.c
  stable/8/sys/rpc/rpc_generic.c
  stable/8/sys/rpc/rpcsec_gss.h
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/fs/nfs/nfs_commonkrpc.c
==============================================================================
--- stable/8/sys/fs/nfs/nfs_commonkrpc.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/fs/nfs/nfs_commonkrpc.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -300,9 +300,7 @@ newnfs_disconnect(struct nfssockreq *nrp
 		client = nrp->nr_client;
 		nrp->nr_client = NULL;
 		mtx_unlock(&nrp->nr_mtx);
-#ifdef KGSSAPI
-		rpc_gss_secpurge(client);
-#endif
+		rpc_gss_secpurge_call(client);
 		CLNT_CLOSE(client);
 		CLNT_RELEASE(client);
 	} else {
@@ -314,21 +312,18 @@ static AUTH *
 nfs_getauth(struct nfssockreq *nrp, int secflavour, char *clnt_principal,
     char *srv_principal, gss_OID mech_oid, struct ucred *cred)
 {
-#ifdef KGSSAPI
 	rpc_gss_service_t svc;
 	AUTH *auth;
 #ifdef notyet
 	rpc_gss_options_req_t req_options;
 #endif
-#endif
 
 	switch (secflavour) {
-#ifdef KGSSAPI
 	case RPCSEC_GSS_KRB5:
 	case RPCSEC_GSS_KRB5I:
 	case RPCSEC_GSS_KRB5P:
 		if (!mech_oid) {
-			if (!rpc_gss_mech_to_oid("kerberosv5", &mech_oid))
+			if (!rpc_gss_mech_to_oid_call("kerberosv5", &mech_oid))
 				return (NULL);
 		}
 		if (secflavour == RPCSEC_GSS_KRB5)
@@ -344,7 +339,7 @@ nfs_getauth(struct nfssockreq *nrp, int 
 		req_options.input_channel_bindings = NULL;
 		req_options.enc_type = nfs_keytab_enctype;
 
-		auth = rpc_gss_secfind(nrp->nr_client, cred,
+		auth = rpc_gss_secfind_call(nrp->nr_client, cred,
 		    clnt_principal, srv_principal, mech_oid, svc,
 		    &req_options);
 #else
@@ -354,7 +349,7 @@ nfs_getauth(struct nfssockreq *nrp, int 
 		 * principals. As such, that case cannot yet be handled.
 		 */
 		if (clnt_principal == NULL)
-			auth = rpc_gss_secfind(nrp->nr_client, cred,
+			auth = rpc_gss_secfind_call(nrp->nr_client, cred,
 			    srv_principal, mech_oid, svc);
 		else
 			auth = NULL;
@@ -362,7 +357,6 @@ nfs_getauth(struct nfssockreq *nrp, int 
 		if (auth != NULL)
 			return (auth);
 		/* fallthrough */
-#endif	/* KGSSAPI */
 	case AUTH_SYS:
 	default:
 		return (authunix_create(cred));

Modified: stable/8/sys/fs/nfsclient/nfs_clkrpc.c
==============================================================================
--- stable/8/sys/fs/nfsclient/nfs_clkrpc.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/fs/nfsclient/nfs_clkrpc.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -217,12 +217,9 @@ nfscbd_addsock(struct file *fp)
 int
 nfscbd_nfsd(struct thread *td, struct nfsd_nfscbd_args *args)
 {
-#ifdef KGSSAPI
 	char principal[128];
 	int error;
-#endif
 
-#ifdef KGSSAPI
 	if (args != NULL) {
 		error = copyinstr(args->principal, principal,
 		    sizeof(principal), NULL);
@@ -231,7 +228,6 @@ nfscbd_nfsd(struct thread *td, struct nf
 	} else {
 		principal[0] = '\0';
 	}
-#endif
 
 	/*
 	 * Only the first nfsd actually does any work. The RPC code
@@ -246,20 +242,16 @@ nfscbd_nfsd(struct thread *td, struct nf
 
 		NFSD_UNLOCK();
 
-#ifdef KGSSAPI
 		if (principal[0] != '\0')
-			rpc_gss_set_svc_name(principal, "kerberosv5",
+			rpc_gss_set_svc_name_call(principal, "kerberosv5",
 			    GSS_C_INDEFINITE, NFS_CALLBCKPROG, NFSV4_CBVERS);
-#endif
 
 		nfscbd_pool->sp_minthreads = 4;
 		nfscbd_pool->sp_maxthreads = 4;
 			
 		svc_run(nfscbd_pool);
 
-#ifdef KGSSAPI
-		rpc_gss_clear_svc_name(NFS_CALLBCKPROG, NFSV4_CBVERS);
-#endif
+		rpc_gss_clear_svc_name_call(NFS_CALLBCKPROG, NFSV4_CBVERS);
 
 		NFSD_LOCK();
 		nfs_numnfscbd--;

Modified: stable/8/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- stable/8/sys/fs/nfsserver/nfs_nfsdkrpc.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/fs/nfsserver/nfs_nfsdkrpc.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -386,18 +386,14 @@ nfsrvd_addsock(struct file *fp)
 int
 nfsrvd_nfsd(struct thread *td, struct nfsd_nfsd_args *args)
 {
-#ifdef KGSSAPI
 	char principal[MAXHOSTNAMELEN + 5];
 	int error;
 	bool_t ret2, ret3, ret4;
-#endif
 
-#ifdef KGSSAPI
 	error = copyinstr(args->principal, principal, sizeof (principal),
 	    NULL);
 	if (error)
 		return (error);
-#endif
 
 	/*
 	 * Only the first nfsd actually does any work. The RPC code
@@ -412,38 +408,29 @@ nfsrvd_nfsd(struct thread *td, struct nf
 
 		NFSD_UNLOCK();
 
-#ifdef KGSSAPI
 		/* An empty string implies AUTH_SYS only. */
 		if (principal[0] != '\0') {
-			ret2 = rpc_gss_set_svc_name(principal, "kerberosv5",
-			    GSS_C_INDEFINITE, NFS_PROG, NFS_VER2);
-			ret3 = rpc_gss_set_svc_name(principal, "kerberosv5",
-			    GSS_C_INDEFINITE, NFS_PROG, NFS_VER3);
-			ret4 = rpc_gss_set_svc_name(principal, "kerberosv5",
-			    GSS_C_INDEFINITE, NFS_PROG, NFS_VER4);
-
-			if (!ret2 || !ret3 || !ret4) {
-				NFSD_LOCK();
-				newnfs_numnfsd--;
-				nfsrvd_init(1);
-				NFSD_UNLOCK();
-				return (EAUTH);
-			}
+			ret2 = rpc_gss_set_svc_name_call(principal,
+			    "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER2);
+			ret3 = rpc_gss_set_svc_name_call(principal,
+			    "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER3);
+			ret4 = rpc_gss_set_svc_name_call(principal,
+			    "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER4);
+
+			if (!ret2 || !ret3 || !ret4)
+				printf("nfsd: can't register svc name\n");
 		}
-#endif
 
 		nfsrvd_pool->sp_minthreads = args->minthreads;
 		nfsrvd_pool->sp_maxthreads = args->maxthreads;
 			
 		svc_run(nfsrvd_pool);
 
-#ifdef KGSSAPI
 		if (principal[0] != '\0') {
-			rpc_gss_clear_svc_name(NFS_PROG, NFS_VER2);
-			rpc_gss_clear_svc_name(NFS_PROG, NFS_VER3);
-			rpc_gss_clear_svc_name(NFS_PROG, NFS_VER4);
+			rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2);
+			rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3);
+			rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER4);
 		}
-#endif
 
 		NFSD_LOCK();
 		newnfs_numnfsd--;

Modified: stable/8/sys/kgssapi/gss_impl.c
==============================================================================
--- stable/8/sys/kgssapi/gss_impl.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/kgssapi/gss_impl.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <kgssapi/gssapi_impl.h>
 #include <rpc/rpc.h>
 #include <rpc/rpc_com.h>
+#include <rpc/rpcsec_gss.h>
 
 #include "gssd.h"
 #include "kgss_if.h"
@@ -253,8 +254,40 @@ kgss_copy_buffer(const gss_buffer_t from
 static int
 kgssapi_modevent(module_t mod, int type, void *data)
 {
+	int error = 0;
 
-	return (0);
+	switch (type) {
+	case MOD_LOAD:
+		rpc_gss_entries.rpc_gss_secfind = rpc_gss_secfind;
+		rpc_gss_entries.rpc_gss_secpurge = rpc_gss_secpurge;
+		rpc_gss_entries.rpc_gss_seccreate = rpc_gss_seccreate;
+		rpc_gss_entries.rpc_gss_set_defaults = rpc_gss_set_defaults;
+		rpc_gss_entries.rpc_gss_max_data_length =
+		    rpc_gss_max_data_length;
+		rpc_gss_entries.rpc_gss_get_error = rpc_gss_get_error;
+		rpc_gss_entries.rpc_gss_mech_to_oid = rpc_gss_mech_to_oid;
+		rpc_gss_entries.rpc_gss_oid_to_mech = rpc_gss_oid_to_mech;
+		rpc_gss_entries.rpc_gss_qop_to_num = rpc_gss_qop_to_num;
+		rpc_gss_entries.rpc_gss_get_mechanisms = rpc_gss_get_mechanisms;
+		rpc_gss_entries.rpc_gss_get_versions = rpc_gss_get_versions;
+		rpc_gss_entries.rpc_gss_is_installed = rpc_gss_is_installed;
+		rpc_gss_entries.rpc_gss_set_svc_name = rpc_gss_set_svc_name;
+		rpc_gss_entries.rpc_gss_clear_svc_name = rpc_gss_clear_svc_name;
+		rpc_gss_entries.rpc_gss_getcred = rpc_gss_getcred;
+		rpc_gss_entries.rpc_gss_set_callback = rpc_gss_set_callback;
+		rpc_gss_entries.rpc_gss_clear_callback = rpc_gss_clear_callback;
+		rpc_gss_entries.rpc_gss_get_principal_name =
+		    rpc_gss_get_principal_name;
+		rpc_gss_entries.rpc_gss_svc_max_data_length =
+		    rpc_gss_svc_max_data_length;
+		break;
+	case MOD_UNLOAD:
+		/* Unloading of the kgssapi module isn't supported. */
+		/* FALLTHROUGH */
+	default:
+		error = EOPNOTSUPP;
+	};
+	return (error);
 }
 static moduledata_t kgssapi_mod = {
 	"kgssapi",

Modified: stable/8/sys/modules/Makefile
==============================================================================
--- stable/8/sys/modules/Makefile	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/modules/Makefile	Mon Jul  4 00:24:59 2011	(r223748)
@@ -152,6 +152,8 @@ SUBDIR=	${_3dfx} \
 	jme \
 	joy \
 	kbdmux \
+	kgssapi \
+	kgssapi_krb5 \
 	khelp \
 	krpc \
 	ksyms \

Modified: stable/8/sys/modules/kgssapi_krb5/Makefile
==============================================================================
--- stable/8/sys/modules/kgssapi_krb5/Makefile	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/modules/kgssapi_krb5/Makefile	Mon Jul  4 00:24:59 2011	(r223748)
@@ -8,7 +8,8 @@ SRCS=	krb5_mech.c \
 	kcrypto_des.c \
 	kcrypto_des3.c \
 	kcrypto_aes.c \
-	kcrypto_arcfour.c
+	kcrypto_arcfour.c \
+	opt_inet6.h
 
 SRCS+=		kgss_if.h gssd.h
 MFILES=		kgssapi/kgss_if.m

Modified: stable/8/sys/nfsclient/nfs_krpc.c
==============================================================================
--- stable/8/sys/nfsclient/nfs_krpc.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/nfsclient/nfs_krpc.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -306,9 +306,7 @@ nfs_disconnect(struct nfsmount *nmp)
 		client = nmp->nm_client;
 		nmp->nm_client = NULL;
 		mtx_unlock(&nmp->nm_mtx);
-#ifdef KGSSAPI
-		rpc_gss_secpurge(client);
-#endif
+		rpc_gss_secpurge_call(client);
 		CLNT_CLOSE(client);
 		CLNT_RELEASE(client);
 	} else
@@ -325,18 +323,15 @@ nfs_safedisconnect(struct nfsmount *nmp)
 static AUTH *
 nfs_getauth(struct nfsmount *nmp, struct ucred *cred)
 {
-#ifdef KGSSAPI
 	rpc_gss_service_t svc;
 	AUTH *auth;
-#endif
 
 	switch (nmp->nm_secflavor) {
-#ifdef KGSSAPI
 	case RPCSEC_GSS_KRB5:
 	case RPCSEC_GSS_KRB5I:
 	case RPCSEC_GSS_KRB5P:
 		if (!nmp->nm_mech_oid)
-			if (!rpc_gss_mech_to_oid("kerberosv5",
+			if (!rpc_gss_mech_to_oid_call("kerberosv5",
 			    &nmp->nm_mech_oid))
 				return (NULL);
 		if (nmp->nm_secflavor == RPCSEC_GSS_KRB5)
@@ -345,12 +340,11 @@ nfs_getauth(struct nfsmount *nmp, struct
 			svc = rpc_gss_svc_integrity;
 		else
 			svc = rpc_gss_svc_privacy;
-		auth = rpc_gss_secfind(nmp->nm_client, cred,
+		auth = rpc_gss_secfind_call(nmp->nm_client, cred,
 		    nmp->nm_principal, nmp->nm_mech_oid, svc);
 		if (auth)
 			return (auth);
 		/* fallthrough */
-#endif
 	case AUTH_SYS:
 	default:
 		return (authunix_create(cred));

Modified: stable/8/sys/nfsserver/nfs_srvkrpc.c
==============================================================================
--- stable/8/sys/nfsserver/nfs_srvkrpc.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/nfsserver/nfs_srvkrpc.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -418,12 +418,9 @@ nfssvc_addsock(struct file *fp, struct t
 static int
 nfssvc_nfsd(struct thread *td, struct nfsd_nfsd_args *args)
 {
-#ifdef KGSSAPI
 	char principal[128];
 	int error;
-#endif
 
-#ifdef KGSSAPI
 	if (args) {
 		error = copyinstr(args->principal, principal,
 		    sizeof(principal), NULL);
@@ -434,7 +431,6 @@ nfssvc_nfsd(struct thread *td, struct nf
 		getcredhostname(td->td_ucred, principal + 4,
 		    sizeof(principal) - 4);
 	}
-#endif
 
 	/*
 	 * Only the first nfsd actually does any work.  The RPC code
@@ -449,12 +445,10 @@ nfssvc_nfsd(struct thread *td, struct nf
 
 		NFSD_UNLOCK();
 
-#ifdef KGSSAPI
-		rpc_gss_set_svc_name(principal, "kerberosv5",
+		rpc_gss_set_svc_name_call(principal, "kerberosv5",
 		    GSS_C_INDEFINITE, NFS_PROG, NFS_VER2);
-		rpc_gss_set_svc_name(principal, "kerberosv5",
+		rpc_gss_set_svc_name_call(principal, "kerberosv5",
 		    GSS_C_INDEFINITE, NFS_PROG, NFS_VER3);
-#endif
 
 		if (args) {
 			nfsrv_pool->sp_minthreads = args->minthreads;
@@ -466,10 +460,8 @@ nfssvc_nfsd(struct thread *td, struct nf
 
 		svc_run(nfsrv_pool);
 
-#ifdef KGSSAPI
-		rpc_gss_clear_svc_name(NFS_PROG, NFS_VER2);
-		rpc_gss_clear_svc_name(NFS_PROG, NFS_VER3);
-#endif
+		rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2);
+		rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3);
 
 		NFSD_LOCK();
 		nfsrv_numnfsd--;

Modified: stable/8/sys/rpc/rpc_generic.c
==============================================================================
--- stable/8/sys/rpc/rpc_generic.c	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/rpc/rpc_generic.c	Mon Jul  4 00:24:59 2011	(r223748)
@@ -60,6 +60,7 @@ __FBSDID("$FreeBSD$");
 
 #include <rpc/rpc.h>
 #include <rpc/nettype.h>
+#include <rpc/rpcsec_gss.h>
 
 #include <rpc/rpc_com.h>
 
@@ -69,6 +70,9 @@ extern	u_long sb_max_adj;	/* not defined
 #define strrchr rindex
 #endif
 
+/* Provide an entry point hook for the rpcsec_gss module. */
+struct rpc_gss_entries	rpc_gss_entries;
+
 struct handle {
 	NCONF_HANDLE *nhandle;
 	int nflag;		/* Whether NETPATH or NETCONFIG */

Modified: stable/8/sys/rpc/rpcsec_gss.h
==============================================================================
--- stable/8/sys/rpc/rpcsec_gss.h	Sun Jul  3 21:44:26 2011	(r223747)
+++ stable/8/sys/rpc/rpcsec_gss.h	Mon Jul  4 00:24:59 2011	(r223748)
@@ -141,6 +141,271 @@ typedef struct {
 __BEGIN_DECLS
 
 #ifdef _KERNEL
+/*
+ * Set up a structure of entry points for the kgssapi module and inline
+ * functions named rpc_gss_XXX_call() to use them, so that the kgssapi
+ * module doesn't need to be loaded for the NFS modules to work using
+ * AUTH_SYS. The kgssapi modules will be loaded by the gssd(8) daemon
+ * when it is started up and the entry points will then be filled in.
+ */
+typedef AUTH	*rpc_gss_secfind_ftype(CLIENT *clnt, struct ucred *cred,
+		    const char *principal, gss_OID mech_oid,
+		    rpc_gss_service_t service);
+typedef void	rpc_gss_secpurge_ftype(CLIENT *clnt);
+typedef AUTH	*rpc_gss_seccreate_ftype(CLIENT *clnt, struct ucred *cred,
+		    const char *principal, const char *mechanism,
+		    rpc_gss_service_t service, const char *qop,
+		    rpc_gss_options_req_t *options_req,
+		    rpc_gss_options_ret_t *options_ret);
+typedef bool_t	rpc_gss_set_defaults_ftype(AUTH *auth,
+		    rpc_gss_service_t service, const char *qop);
+typedef int	rpc_gss_max_data_length_ftype(AUTH *handle,
+		    int max_tp_unit_len);
+typedef void	rpc_gss_get_error_ftype(rpc_gss_error_t *error);
+typedef bool_t	rpc_gss_mech_to_oid_ftype(const char *mech, gss_OID *oid_ret);
+typedef bool_t	rpc_gss_oid_to_mech_ftype(gss_OID oid, const char **mech_ret);
+typedef bool_t	rpc_gss_qop_to_num_ftype(const char *qop, const char *mech,
+		    u_int *num_ret);
+typedef const char **rpc_gss_get_mechanisms_ftype(void);
+typedef bool_t	rpc_gss_get_versions_ftype(u_int *vers_hi, u_int *vers_lo);
+typedef bool_t	rpc_gss_is_installed_ftype(const char *mech);
+typedef bool_t	rpc_gss_set_svc_name_ftype(const char *principal,
+		    const char *mechanism, u_int req_time, u_int program,
+		    u_int version);
+typedef void	rpc_gss_clear_svc_name_ftype(u_int program, u_int version);
+typedef bool_t	rpc_gss_getcred_ftype(struct svc_req *req,
+		    rpc_gss_rawcred_t **rcred,
+		    rpc_gss_ucred_t **ucred, void **cookie);
+typedef bool_t	rpc_gss_set_callback_ftype(rpc_gss_callback_t *cb);
+typedef void	rpc_gss_clear_callback_ftype(rpc_gss_callback_t *cb);
+typedef bool_t	rpc_gss_get_principal_name_ftype(rpc_gss_principal_t *principal,
+		    const char *mech, const char *name, const char *node,
+		    const char *domain);
+typedef int	rpc_gss_svc_max_data_length_ftype(struct svc_req *req,
+		    int max_tp_unit_len);
+
+struct rpc_gss_entries {
+	rpc_gss_secfind_ftype		*rpc_gss_secfind;
+	rpc_gss_secpurge_ftype		*rpc_gss_secpurge;
+	rpc_gss_seccreate_ftype		*rpc_gss_seccreate;
+	rpc_gss_set_defaults_ftype	*rpc_gss_set_defaults;
+	rpc_gss_max_data_length_ftype	*rpc_gss_max_data_length;
+	rpc_gss_get_error_ftype		*rpc_gss_get_error;
+	rpc_gss_mech_to_oid_ftype	*rpc_gss_mech_to_oid;
+	rpc_gss_oid_to_mech_ftype	*rpc_gss_oid_to_mech;
+	rpc_gss_qop_to_num_ftype	*rpc_gss_qop_to_num;
+	rpc_gss_get_mechanisms_ftype	*rpc_gss_get_mechanisms;
+	rpc_gss_get_versions_ftype	*rpc_gss_get_versions;
+	rpc_gss_is_installed_ftype	*rpc_gss_is_installed;
+	rpc_gss_set_svc_name_ftype	*rpc_gss_set_svc_name;
+	rpc_gss_clear_svc_name_ftype	*rpc_gss_clear_svc_name;
+	rpc_gss_getcred_ftype		*rpc_gss_getcred;
+	rpc_gss_set_callback_ftype	*rpc_gss_set_callback;
+	rpc_gss_clear_callback_ftype	*rpc_gss_clear_callback;
+	rpc_gss_get_principal_name_ftype *rpc_gss_get_principal_name;
+	rpc_gss_svc_max_data_length_ftype *rpc_gss_svc_max_data_length;
+};
+extern struct rpc_gss_entries	rpc_gss_entries;
+
+/* Functions to access the entry points. */
+static __inline AUTH *
+rpc_gss_secfind_call(CLIENT *clnt, struct ucred *cred, const char *principal,
+    gss_OID mech_oid, rpc_gss_service_t service)
+{
+	AUTH *ret = NULL;
+
+	if (rpc_gss_entries.rpc_gss_secfind != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_secfind)(clnt, cred, principal,
+		    mech_oid, service);
+	return (ret);
+}
+
+static __inline void
+rpc_gss_secpurge_call(CLIENT *clnt)
+{
+
+	if (rpc_gss_entries.rpc_gss_secpurge != NULL)
+		(*rpc_gss_entries.rpc_gss_secpurge)(clnt);
+}
+
+static __inline AUTH *
+rpc_gss_seccreate_call(CLIENT *clnt, struct ucred *cred, const char *principal,
+    const char *mechanism, rpc_gss_service_t service, const char *qop,
+    rpc_gss_options_req_t *options_req, rpc_gss_options_ret_t *options_ret)
+{
+	AUTH *ret = NULL;
+
+	if (rpc_gss_entries.rpc_gss_seccreate != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_seccreate)(clnt, cred,
+		    principal, mechanism, service, qop, options_req,
+		    options_ret);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_set_defaults_call(AUTH *auth, rpc_gss_service_t service,
+    const char *qop)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_set_defaults != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_set_defaults)(auth, service,
+		    qop);
+	return (ret);
+}
+
+static __inline int
+rpc_gss_max_data_length_call(AUTH *handle, int max_tp_unit_len)
+{
+	int ret = 0;
+
+	if (rpc_gss_entries.rpc_gss_max_data_length != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_max_data_length)(handle,
+		    max_tp_unit_len);
+	return (ret);
+}
+
+static __inline void
+rpc_gss_get_error_call(rpc_gss_error_t *error)
+{
+
+	if (rpc_gss_entries.rpc_gss_get_error != NULL)
+		(*rpc_gss_entries.rpc_gss_get_error)(error);
+}
+
+static __inline bool_t
+rpc_gss_mech_to_oid_call(const char *mech, gss_OID *oid_ret)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_mech_to_oid != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_mech_to_oid)(mech, oid_ret);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_oid_to_mech_call(gss_OID oid, const char **mech_ret)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_oid_to_mech != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_oid_to_mech)(oid, mech_ret);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_qop_to_num_call(const char *qop, const char *mech, u_int *num_ret)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_qop_to_num != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_qop_to_num)(qop, mech, num_ret);
+	return (ret);
+}
+
+static __inline const char **
+rpc_gss_get_mechanisms_call(void)
+{
+	const char **ret = NULL;
+
+	if (rpc_gss_entries.rpc_gss_get_mechanisms != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_get_mechanisms)();
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_get_versions_call(u_int *vers_hi, u_int *vers_lo)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_get_versions != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_get_versions)(vers_hi, vers_lo);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_is_installed_call(const char *mech)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_is_installed != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_is_installed)(mech);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_set_svc_name_call(const char *principal, const char *mechanism,
+    u_int req_time, u_int program, u_int version)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_set_svc_name != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_set_svc_name)(principal,
+		    mechanism, req_time, program, version);
+	return (ret);
+}
+
+static __inline void
+rpc_gss_clear_svc_name_call(u_int program, u_int version)
+{
+
+	if (rpc_gss_entries.rpc_gss_clear_svc_name != NULL)
+		(*rpc_gss_entries.rpc_gss_clear_svc_name)(program, version);
+}
+
+static __inline bool_t
+rpc_gss_getcred_call(struct svc_req *req, rpc_gss_rawcred_t **rcred,
+    rpc_gss_ucred_t **ucred, void **cookie)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_getcred != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_getcred)(req, rcred, ucred,
+		    cookie);
+	return (ret);
+}
+
+static __inline bool_t
+rpc_gss_set_callback_call(rpc_gss_callback_t *cb)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_set_callback != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_set_callback)(cb);
+	return (ret);
+}
+
+static __inline void
+rpc_gss_clear_callback_call(rpc_gss_callback_t *cb)
+{
+
+	if (rpc_gss_entries.rpc_gss_clear_callback != NULL)
+		(*rpc_gss_entries.rpc_gss_clear_callback)(cb);
+}
+
+static __inline bool_t
+rpc_gss_get_principal_name_call(rpc_gss_principal_t *principal,
+    const char *mech, const char *name, const char *node, const char *domain)
+{
+	bool_t ret = 1;
+
+	if (rpc_gss_entries.rpc_gss_get_principal_name != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_get_principal_name)(principal,
+		    mech, name, node, domain);
+	return (ret);
+}
+
+static __inline int
+rpc_gss_svc_max_data_length_call(struct svc_req *req, int max_tp_unit_len)
+{
+	int ret = 0;
+
+	if (rpc_gss_entries.rpc_gss_svc_max_data_length != NULL)
+		ret = (*rpc_gss_entries.rpc_gss_svc_max_data_length)(req,
+		    max_tp_unit_len);
+	return (ret);
+}
+
 AUTH	*rpc_gss_secfind(CLIENT *clnt, struct ucred *cred,
     const char *principal, gss_OID mech_oid, rpc_gss_service_t service);
 void	rpc_gss_secpurge(CLIENT *clnt);