nfs: have NFSv3 try server-specified auth flavors in turn

The current scheme is to try and pick the auth flavor that the server prefers. In some cases though, we may find that we're not actually able to use that auth flavor later. For instance, the server may prefer an AUTH_GSS flavor, but we may not be able to get GSSAPI creds. The current code just gives up at that point. Change it instead to try the ->create_server call using each of the different authflavors in the server's list if one was not specified at mount time. Once we have a successful ->create_server call, return the result. Only give up and return error if all attempts fail. Cc: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: Jeff Layton <jlayton@redhat.com> 2013-06-27 15:54:41 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2013-06-28 15:52:37 -0400
commit: 9111c95b077a81573fb27df3ba8255d0a3a9ebdf (patch)
tree: c8ae18612cc3c6445f17d12d1860783f532fc175 /fs/nfs/super.c
parent: fb9b02fda06798cfca975c8b7fae3e6188a30572 (diff)
1 files changed, 69 insertions, 57 deletions
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index ceb60c78bfc0..8d51101771fc 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1608,16 +1608,13 @@ out_security_failure:
 }
 /*
- * Select a security flavor for this mount.  The selected flavor
+ * Ensure that the specified authtype in args->auth_flavors[0] is supported by
- * is planted in args->auth_flavors[0].
+ * the server. Returns 0 if it's ok, and -EACCES if not.
- *
- * Returns 0 on success, -EACCES on failure.
 */
-static int nfs_select_flavor(struct nfs_parsed_mount_data *args,
+static int nfs_verify_authflavor(struct nfs_parsed_mount_data *args,
-                              struct nfs_mount_request *request)
+                        rpc_authflavor_t *server_authlist, unsigned int count)
 {
-        unsigned int i, count = *(request->auth_flav_len);
+        unsigned int i;
-        rpc_authflavor_t flavor;
        /*
         * If the sec= mount option is used, the specified flavor or AUTH_NULL
@@ -1627,60 +1624,19 @@ static int nfs_select_flavor(struct nfs_parsed_mount_data *args,
         * means that the server will ignore the rpc creds, so any flavor
         * can be used.
         */
-        if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR) {
-                for (i = 0; i < count; i++) {
-                        if (args->auth_flavors[0] == request->auth_flavs[i] ||
-                            request->auth_flavs[i] == RPC_AUTH_NULL)
-                                goto out;
-                }
-                dfprintk(MOUNT, "NFS: auth flavor %d not supported by server\n",
-                        args->auth_flavors[0]);
-                goto out_err;
-        }
-        /*
-         * RFC 2623, section 2.7 suggests we SHOULD prefer the
-         * flavor listed first.  However, some servers list
-         * AUTH_NULL first.  Avoid ever choosing AUTH_NULL.
-         */
        for (i = 0; i < count; i++) {
-                struct rpcsec_gss_info info;
+                if (args->auth_flavors[0] == server_authlist[i] ||
+                    server_authlist[i] == RPC_AUTH_NULL)
-                flavor = request->auth_flavs[i];
+                        goto out;
-                switch (flavor) {
-                case RPC_AUTH_UNIX:
-                        goto out_set;
-                case RPC_AUTH_NULL:
-                        continue;
-                default:
-                        if (rpcauth_get_gssinfo(flavor, &info) == 0)
-                                goto out_set;
-                }
        }
-        /*
+        dfprintk(MOUNT, "NFS: auth flavor %u not supported by server\n",
-         * As a last chance, see if the server list contains AUTH_NULL -
+                args->auth_flavors[0]);
-         * if it does, use the default flavor.
+        return -EACCES;
-         */
-        for (i = 0; i < count; i++) {
-                if (request->auth_flavs[i] == RPC_AUTH_NULL)
-                        goto out_default;
-        }
-        dfprintk(MOUNT, "NFS: no auth flavors in common with server\n");
-        goto out_err;
-out_default:
-        /* use default if flavor not already set */
-        flavor = (args->auth_flavors[0] == RPC_AUTH_MAXFLAVOR) ?
-                RPC_AUTH_UNIX : args->auth_flavors[0];
-out_set:
-        args->auth_flavors[0] = flavor;
 out:
-        dfprintk(MOUNT, "NFS: using auth flavor %d\n", args->auth_flavors[0]);
+        dfprintk(MOUNT, "NFS: using auth flavor %u\n", args->auth_flavors[0]);
        return 0;
-out_err:
-        return -EACCES;
 }
 /*
@@ -1743,13 +1699,17 @@ static int nfs_request_mount(struct nfs_parsed_mount_data *args,
                return status;
        }
-        return nfs_select_flavor(args, &request);
+        return 0;
 }
 static struct nfs_server *nfs_try_mount_request(struct nfs_mount_info *mount_info,
                                        struct nfs_subversion *nfs_mod)
 {
        int status;
+        unsigned int i;
+        bool tried_auth_unix = false;
+        bool auth_null_in_list = false;
+        struct nfs_server *server = ERR_PTR(-EACCES);
        struct nfs_parsed_mount_data *args = mount_info->parsed;
        rpc_authflavor_t authlist[NFS_MAX_SECFLAVORS];
        unsigned int authlist_len = ARRAY_SIZE(authlist);
@@ -1759,6 +1719,58 @@ static struct nfs_server *nfs_try_mount_request(struct nfs_mount_info *mount_inf
        if (status)
                return ERR_PTR(status);
+        /*
+         * Was a sec= authflavor specified in the options? First, verify
+         * whether the server supports it, and then just try to use it if so.
+         */
+        if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR) {
+                status = nfs_verify_authflavor(args, authlist, authlist_len);
+                dfprintk(MOUNT, "NFS: using auth flavor %u\n", args->auth_flavors[0]);
+                if (status)
+                        return ERR_PTR(status);
+                return nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
+        }
+        /*
+         * No sec= option was provided. RFC 2623, section 2.7 suggests we
+         * SHOULD prefer the flavor listed first. However, some servers list
+         * AUTH_NULL first. Avoid ever choosing AUTH_NULL.
+         */
+        for (i = 0; i < authlist_len; ++i) {
+                rpc_authflavor_t flavor;
+                struct rpcsec_gss_info info;
+                flavor = authlist[i];
+                switch (flavor) {
+                case RPC_AUTH_UNIX:
+                        tried_auth_unix = true;
+                        break;
+                case RPC_AUTH_NULL:
+                        auth_null_in_list = true;
+                        continue;
+                default:
+                        if (rpcauth_get_gssinfo(flavor, &info) != 0)
+                                continue;
+                        /* Fallthrough */
+                }
+                dfprintk(MOUNT, "NFS: attempting to use auth flavor %u\n", flavor);
+                args->auth_flavors[0] = flavor;
+                server = nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
+                if (!IS_ERR(server))
+                        return server;
+        }
+        /*
+         * Nothing we tried so far worked. At this point, give up if we've
+         * already tried AUTH_UNIX or if the server's list doesn't contain
+         * AUTH_NULL
+         */
+        if (tried_auth_unix || !auth_null_in_list)
+                return server;
+        /* Last chance! Try AUTH_UNIX */
+        dfprintk(MOUNT, "NFS: attempting to use auth flavor %u\n", RPC_AUTH_UNIX);
+        args->auth_flavors[0] = RPC_AUTH_UNIX;
        return nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
 }
author	Jeff Layton <jlayton@redhat.com>	2013-06-27 15:54:41 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2013-06-28 15:52:37 -0400
commit	9111c95b077a81573fb27df3ba8255d0a3a9ebdf (patch)
tree	c8ae18612cc3c6445f17d12d1860783f532fc175 /fs/nfs/super.c
parent	fb9b02fda06798cfca975c8b7fae3e6188a30572 (diff)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c index ceb60c78bfc0..8d51101771fc 100644 --- a/fs/nfs/super.c +++ b/fs/nfs/super.c
@@ -1608,16 +1608,13 @@ out_security_failure:
1608	}	1608	}
1609		1609
1610	/*	1610	/*
1611	* Select a security flavor for this mount. The selected flavor	1611	* Ensure that the specified authtype in args->auth_flavors[0] is supported by
1612	* is planted in args->auth_flavors[0].	1612	* the server. Returns 0 if it's ok, and -EACCES if not.
1613	*
1614	* Returns 0 on success, -EACCES on failure.
1615	*/	1613	*/
1616	static int nfs_select_flavor(struct nfs_parsed_mount_data *args,	1614	static int nfs_verify_authflavor(struct nfs_parsed_mount_data *args,
1617	struct nfs_mount_request *request)	1615	rpc_authflavor_t *server_authlist, unsigned int count)
1618	{	1616	{
1619	unsigned int i, count = *(request->auth_flav_len);	1617	unsigned int i;
1620	rpc_authflavor_t flavor;
1621		1618
1622	/*	1619	/*
1623	* If the sec= mount option is used, the specified flavor or AUTH_NULL	1620	* If the sec= mount option is used, the specified flavor or AUTH_NULL
@@ -1627,60 +1624,19 @@ static int nfs_select_flavor(struct nfs_parsed_mount_data *args,
1627	* means that the server will ignore the rpc creds, so any flavor	1624	* means that the server will ignore the rpc creds, so any flavor
1628	* can be used.	1625	* can be used.
1629	*/	1626	*/
1630	if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR) {
1631	for (i = 0; i < count; i++) {
1632	if (args->auth_flavors[0] == request->auth_flavs[i] \|\|
1633	request->auth_flavs[i] == RPC_AUTH_NULL)
1634	goto out;
1635	}
1636	dfprintk(MOUNT, "NFS: auth flavor %d not supported by server\n",
1637	args->auth_flavors[0]);
1638	goto out_err;
1639	}
1640
1641	/*
1642	* RFC 2623, section 2.7 suggests we SHOULD prefer the
1643	* flavor listed first. However, some servers list
1644	* AUTH_NULL first. Avoid ever choosing AUTH_NULL.
1645	*/
1646	for (i = 0; i < count; i++) {	1627	for (i = 0; i < count; i++) {
1647	struct rpcsec_gss_info info;	1628	if (args->auth_flavors[0] == server_authlist[i] \|\|
1648		1629	server_authlist[i] == RPC_AUTH_NULL)
1649	flavor = request->auth_flavs[i];	1630	goto out;
1650	switch (flavor) {
1651	case RPC_AUTH_UNIX:
1652	goto out_set;
1653	case RPC_AUTH_NULL:
1654	continue;
1655	default:
1656	if (rpcauth_get_gssinfo(flavor, &info) == 0)
1657	goto out_set;
1658	}
1659	}	1631	}
1660		1632
1661	/*	1633	dfprintk(MOUNT, "NFS: auth flavor %u not supported by server\n",
1662	* As a last chance, see if the server list contains AUTH_NULL -	1634	args->auth_flavors[0]);
1663	* if it does, use the default flavor.	1635	return -EACCES;
1664	*/
1665	for (i = 0; i < count; i++) {
1666	if (request->auth_flavs[i] == RPC_AUTH_NULL)
1667	goto out_default;
1668	}
1669
1670	dfprintk(MOUNT, "NFS: no auth flavors in common with server\n");
1671	goto out_err;
1672		1636
1673	out_default:
1674	/* use default if flavor not already set */
1675	flavor = (args->auth_flavors[0] == RPC_AUTH_MAXFLAVOR) ?
1676	RPC_AUTH_UNIX : args->auth_flavors[0];
1677	out_set:
1678	args->auth_flavors[0] = flavor;
1679	out:	1637	out:
1680	dfprintk(MOUNT, "NFS: using auth flavor %d\n", args->auth_flavors[0]);	1638	dfprintk(MOUNT, "NFS: using auth flavor %u\n", args->auth_flavors[0]);
1681	return 0;	1639	return 0;
1682	out_err:
1683	return -EACCES;
1684	}	1640	}
1685		1641
1686	/*	1642	/*
@@ -1743,13 +1699,17 @@ static int nfs_request_mount(struct nfs_parsed_mount_data *args,
1743	return status;	1699	return status;
1744	}	1700	}
1745		1701
1746	return nfs_select_flavor(args, &request);	1702	return 0;
1747	}	1703	}
1748		1704
1749	static struct nfs_server nfs_try_mount_request(struct nfs_mount_info mount_info,	1705	static struct nfs_server nfs_try_mount_request(struct nfs_mount_info mount_info,
1750	struct nfs_subversion *nfs_mod)	1706	struct nfs_subversion *nfs_mod)
1751	{	1707	{
1752	int status;	1708	int status;
		1709	unsigned int i;
		1710	bool tried_auth_unix = false;
		1711	bool auth_null_in_list = false;
		1712	struct nfs_server *server = ERR_PTR(-EACCES);
1753	struct nfs_parsed_mount_data *args = mount_info->parsed;	1713	struct nfs_parsed_mount_data *args = mount_info->parsed;
1754	rpc_authflavor_t authlist[NFS_MAX_SECFLAVORS];	1714	rpc_authflavor_t authlist[NFS_MAX_SECFLAVORS];
1755	unsigned int authlist_len = ARRAY_SIZE(authlist);	1715	unsigned int authlist_len = ARRAY_SIZE(authlist);
@@ -1759,6 +1719,58 @@ static struct nfs_server nfs_try_mount_request(struct nfs_mount_info mount_inf
1759	if (status)	1719	if (status)
1760	return ERR_PTR(status);	1720	return ERR_PTR(status);
1761		1721
		1722	/*
		1723	* Was a sec= authflavor specified in the options? First, verify
		1724	* whether the server supports it, and then just try to use it if so.
		1725	*/
		1726	if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR) {
		1727	status = nfs_verify_authflavor(args, authlist, authlist_len);
		1728	dfprintk(MOUNT, "NFS: using auth flavor %u\n", args->auth_flavors[0]);
		1729	if (status)
		1730	return ERR_PTR(status);
		1731	return nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
		1732	}
		1733
		1734	/*
		1735	* No sec= option was provided. RFC 2623, section 2.7 suggests we
		1736	* SHOULD prefer the flavor listed first. However, some servers list
		1737	* AUTH_NULL first. Avoid ever choosing AUTH_NULL.
		1738	*/
		1739	for (i = 0; i < authlist_len; ++i) {
		1740	rpc_authflavor_t flavor;
		1741	struct rpcsec_gss_info info;
		1742
		1743	flavor = authlist[i];
		1744	switch (flavor) {
		1745	case RPC_AUTH_UNIX:
		1746	tried_auth_unix = true;
		1747	break;
		1748	case RPC_AUTH_NULL:
		1749	auth_null_in_list = true;
		1750	continue;
		1751	default:
		1752	if (rpcauth_get_gssinfo(flavor, &info) != 0)
		1753	continue;
		1754	/* Fallthrough */
		1755	}
		1756	dfprintk(MOUNT, "NFS: attempting to use auth flavor %u\n", flavor);
		1757	args->auth_flavors[0] = flavor;
		1758	server = nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
		1759	if (!IS_ERR(server))
		1760	return server;
		1761	}
		1762
		1763	/*
		1764	* Nothing we tried so far worked. At this point, give up if we've
		1765	* already tried AUTH_UNIX or if the server's list doesn't contain
		1766	* AUTH_NULL
		1767	*/
		1768	if (tried_auth_unix \|\| !auth_null_in_list)
		1769	return server;
		1770
		1771	/* Last chance! Try AUTH_UNIX */
		1772	dfprintk(MOUNT, "NFS: attempting to use auth flavor %u\n", RPC_AUTH_UNIX);
		1773	args->auth_flavors[0] = RPC_AUTH_UNIX;
1762	return nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);	1774	return nfs_mod->rpc_ops->create_server(mount_info, nfs_mod);
1763	}	1775	}
1764		1776