Merge branch 'rpcsec_gss-from_cel' into linux-next

* rpcsec_gss-from_cel: (21 commits) NFS: Retry SETCLIENTID with AUTH_SYS instead of AUTH_NONE NFSv4: Don't clear the machine cred when client establish returns EACCES NFSv4: Fix issues in nfs4_discover_server_trunking NFSv4: Fix the fallback to AUTH_NULL if krb5i is not available NFS: Use server-recommended security flavor by default (NFSv3) SUNRPC: Don't recognize RPC_AUTH_MAXFLAVOR NFS: Use "krb5i" to establish NFSv4 state whenever possible NFS: Try AUTH_UNIX when PUTROOTFH gets NFS4ERR_WRONGSEC NFS: Use static list of security flavors during root FH lookup recovery NFS: Avoid PUTROOTFH when managing leases NFS: Clean up nfs4_proc_get_rootfh NFS: Handle missing rpc.gssd when looking up root FH SUNRPC: Remove EXPORT_SYMBOL_GPL() from GSS mech switch SUNRPC: Make gss_mech_get() static SUNRPC: Refactor nfsd4_do_encode_secinfo() SUNRPC: Consider qop when looking up pseudoflavors SUNRPC: Load GSS kernel module by OID SUNRPC: Introduce rpcauth_get_pseudoflavor() SUNRPC: Define rpcsec_gss_info structure NFS: Remove unneeded forward declaration ...
author: Trond Myklebust <Trond.Myklebust@netapp.com> 2013-04-23 15:40:40 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2013-04-23 15:40:40 -0400
commit: bd1d421abcaae1b84ba377ea4c33bba31d654199 (patch)
tree: 10bf67d7063a95ffd013a9d01a35b906a7d89fcf /fs
parent: bdeca1b76cd56cd10a029f0ad2fd9ab6dd7e313d (diff)
parent: 79d852bf5e7691dc78cc6322ecd1860c50940785 (diff)
8 files changed, 164 insertions, 180 deletions
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index f4d4d4ec6bf7..c2b069e25819 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -201,7 +201,9 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp,
        if (clp->cl_minorversion != 0)
                __set_bit(NFS_CS_INFINITE_SLOTS, &clp->cl_flags);
        __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags);
-        error = nfs_create_rpc_client(clp, timeparms, authflavour);
+        error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I);
+        if (error == -EINVAL)
+                error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_NULL);
        if (error < 0)
                goto error;
diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
index 0dd766079e1c..cdb0b41a4810 100644
--- a/fs/nfs/nfs4namespace.c
+++ b/fs/nfs/nfs4namespace.c
@@ -134,33 +134,38 @@ static size_t nfs_parse_server_name(char *string, size_t len,
        return ret;
 }
+/**
+ * nfs_find_best_sec - Find a security mechanism supported locally
+ * @flavors: List of security tuples returned by SECINFO procedure
+ *
+ * Return the pseudoflavor of the first security mechanism in
+ * "flavors" that is locally supported.  Return RPC_AUTH_UNIX if
+ * no matching flavor is found in the array.  The "flavors" array
+ * is searched in the order returned from the server, per RFC 3530
+ * recommendation.
+ */
 rpc_authflavor_t nfs_find_best_sec(struct nfs4_secinfo_flavors *flavors)
 {
-        struct gss_api_mech *mech;
+        rpc_authflavor_t pseudoflavor;
-        struct xdr_netobj oid;
+        struct nfs4_secinfo4 *secinfo;
-        int i;
+        unsigned int i;
-        rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
        for (i = 0; i < flavors->num_flavors; i++) {
-                struct nfs4_secinfo_flavor *flavor;
+                secinfo = &flavors->flavors[i];
-                flavor = &flavors->flavors[i];
+                switch (secinfo->flavor) {
-                if (flavor->flavor == RPC_AUTH_NULL || flavor->flavor == RPC_AUTH_UNIX) {
+                case RPC_AUTH_NULL:
-                        pseudoflavor = flavor->flavor;
+                case RPC_AUTH_UNIX:
-                        break;
+                case RPC_AUTH_GSS:
-                } else if (flavor->flavor == RPC_AUTH_GSS) {
+                        pseudoflavor = rpcauth_get_pseudoflavor(secinfo->flavor,
-                        oid.len  = flavor->gss.sec_oid4.len;
+                                                        &secinfo->flavor_info);
-                        oid.data = flavor->gss.sec_oid4.data;
+                        if (pseudoflavor != RPC_AUTH_MAXFLAVOR)
-                        mech = gss_mech_get_by_OID(&oid);
+                                return pseudoflavor;
-                        if (!mech)
-                                continue;
-                        pseudoflavor = gss_svc_to_pseudoflavor(mech, flavor->gss.service);
-                        gss_mech_put(mech);
                        break;
                }
        }
-        return pseudoflavor;
+        return RPC_AUTH_UNIX;
 }
 static rpc_authflavor_t nfs4_negotiate_security(struct inode *inode, struct qstr *name)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index e18b3b46c001..e13b7ccee98d 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2547,7 +2547,7 @@ static int nfs4_lookup_root_sec(struct nfs_server *server, struct nfs_fh *fhandl
        auth = rpcauth_create(flavor, server->client);
        if (IS_ERR(auth)) {
-                ret = -EIO;
+                ret = -EACCES;
                goto out;
        }
        ret = nfs4_lookup_root(server, fhandle, info);
@@ -2555,27 +2555,36 @@ out:
        return ret;
 }
+/*
+ * Retry pseudoroot lookup with various security flavors.  We do this when:
+ *
+ *   NFSv4.0: the PUTROOTFH operation returns NFS4ERR_WRONGSEC
+ *   NFSv4.1: the server does not support the SECINFO_NO_NAME operation
+ *
+ * Returns zero on success, or a negative NFS4ERR value, or a
+ * negative errno value.
+ */
 static int nfs4_find_root_sec(struct nfs_server *server, struct nfs_fh *fhandle,
                              struct nfs_fsinfo *info)
 {
-        int i, len, status = 0;
+        /* Per 3530bis 15.33.5 */
-        rpc_authflavor_t flav_array[NFS_MAX_SECFLAVORS];
+        static const rpc_authflavor_t flav_array[] = {
+                RPC_AUTH_GSS_KRB5P,
-        len = rpcauth_list_flavors(flav_array, ARRAY_SIZE(flav_array));
+                RPC_AUTH_GSS_KRB5I,
-        if (len < 0)
+                RPC_AUTH_GSS_KRB5,
-                return len;
+                RPC_AUTH_UNIX,                  /* courtesy */
+                RPC_AUTH_NULL,
-        for (i = 0; i < len; i++) {
+        };
-                /* AUTH_UNIX is the default flavor if none was specified,
+        int status = -EPERM;
-                 * thus has already been tried. */
+        size_t i;
-                if (flav_array[i] == RPC_AUTH_UNIX)
-                        continue;
+        for (i = 0; i < ARRAY_SIZE(flav_array); i++) {
                status = nfs4_lookup_root_sec(server, fhandle, info, flav_array[i]);
                if (status == -NFS4ERR_WRONGSEC || status == -EACCES)
                        continue;
                break;
        }
        /*
         * -EACCESS could mean that the user doesn't have correct permissions
         * to access the mount.  It could also mean that we tried to mount
@@ -2588,24 +2597,36 @@ static int nfs4_find_root_sec(struct nfs_server *server, struct nfs_fh *fhandle,
        return status;
 }
-/*
+static int nfs4_do_find_root_sec(struct nfs_server *server,
- * get the file handle for the "/" directory on the server
+                struct nfs_fh *fhandle, struct nfs_fsinfo *info)
+{
+        int mv = server->nfs_client->cl_minorversion;
+        return nfs_v4_minor_ops[mv]->find_root_sec(server, fhandle, info);
+}
+/**
+ * nfs4_proc_get_rootfh - get file handle for server's pseudoroot
+ * @server: initialized nfs_server handle
+ * @fhandle: we fill in the pseudo-fs root file handle
+ * @info: we fill in an FSINFO struct
+ *
+ * Returns zero on success, or a negative errno.
 */
 int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle,
                         struct nfs_fsinfo *info)
 {
-        int minor_version = server->nfs_client->cl_minorversion;
+        int status;
-        int status = nfs4_lookup_root(server, fhandle, info);
-        if ((status == -NFS4ERR_WRONGSEC) && !(server->flags & NFS_MOUNT_SECFLAVOUR))
+        status = nfs4_lookup_root(server, fhandle, info);
-                /*
+        if ((status == -NFS4ERR_WRONGSEC) &&
-                 * A status of -NFS4ERR_WRONGSEC will be mapped to -EPERM
+            !(server->flags & NFS_MOUNT_SECFLAVOUR))
-                 * by nfs4_map_errors() as this function exits.
+                status = nfs4_do_find_root_sec(server, fhandle, info);
-                 */
-                status = nfs_v4_minor_ops[minor_version]->find_root_sec(server, fhandle, info);
        if (status == 0)
                status = nfs4_server_capabilities(server, fhandle);
        if (status == 0)
                status = nfs4_do_fsinfo(server, fhandle, info);
        return nfs4_map_errors(status);
 }
@@ -3484,12 +3505,21 @@ static int _nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle,
 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
 {
        struct nfs4_exception exception = { };
+        unsigned long now = jiffies;
        int err;
        do {
-                err = nfs4_handle_exception(server,
+                err = _nfs4_do_fsinfo(server, fhandle, fsinfo);
-                                _nfs4_do_fsinfo(server, fhandle, fsinfo),
+                if (err == 0) {
-                                &exception);
+                        struct nfs_client *clp = server->nfs_client;
+                        spin_lock(&clp->cl_lock);
+                        clp->cl_lease_time = fsinfo->lease_time * HZ;
+                        clp->cl_last_renewal = now;
+                        spin_unlock(&clp->cl_lock);
+                        break;
+                }
+                err = nfs4_handle_exception(server, err, &exception);
        } while (exception.retry);
        return err;
 }
@@ -4330,27 +4360,17 @@ int nfs4_proc_setclientid_confirm(struct nfs_client *clp,
                struct nfs4_setclientid_res *arg,
                struct rpc_cred *cred)
 {
-        struct nfs_fsinfo fsinfo;
        struct rpc_message msg = {
                .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_SETCLIENTID_CONFIRM],
                .rpc_argp = arg,
-                .rpc_resp = &fsinfo,
                .rpc_cred = cred,
        };
-        unsigned long now;
        int status;
        dprintk("NFS call  setclientid_confirm auth=%s, (client ID %llx)\n",
                clp->cl_rpcclient->cl_auth->au_ops->au_name,
                clp->cl_clientid);
-        now = jiffies;
        status = rpc_call_sync(clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
-        if (status == 0) {
-                spin_lock(&clp->cl_lock);
-                clp->cl_lease_time = fsinfo.lease_time * HZ;
-                clp->cl_last_renewal = now;
-                spin_unlock(&clp->cl_lock);
-        }
        dprintk("NFS reply setclientid_confirm: %d\n", status);
        return status;
 }
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index b7796950eceb..7a74ea64bf54 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -154,18 +154,6 @@ struct rpc_cred *nfs4_get_machine_cred_locked(struct nfs_client *clp)
        return cred;
 }
-static void nfs4_clear_machine_cred(struct nfs_client *clp)
-{
-        struct rpc_cred *cred;
-        spin_lock(&clp->cl_lock);
-        cred = clp->cl_machine_cred;
-        clp->cl_machine_cred = NULL;
-        spin_unlock(&clp->cl_lock);
-        if (cred != NULL)
-                put_rpccred(cred);
-}
 static struct rpc_cred *
 nfs4_get_renew_cred_server_locked(struct nfs_server *server)
 {
@@ -1776,10 +1764,6 @@ static int nfs4_handle_reclaim_lease_error(struct nfs_client *clp, int status)
                clear_bit(NFS4CLNT_LEASE_CONFIRM, &clp->cl_state);
                return -EPERM;
        case -EACCES:
-                if (clp->cl_machine_cred == NULL)
-                        return -EACCES;
-                /* Handle case where the user hasn't set up machine creds */
-                nfs4_clear_machine_cred(clp);
        case -NFS4ERR_DELAY:
        case -ETIMEDOUT:
        case -EAGAIN:
@@ -1874,31 +1858,18 @@ int nfs4_discover_server_trunking(struct nfs_client *clp,
 {
        const struct nfs4_state_recovery_ops *ops =
                                clp->cl_mvops->reboot_recovery_ops;
-        rpc_authflavor_t *flavors, flav, save;
        struct rpc_clnt *clnt;
        struct rpc_cred *cred;
-        int i, len, status;
+        int i, status;
        dprintk("NFS: %s: testing '%s'\n", __func__, clp->cl_hostname);
-        len = NFS_MAX_SECFLAVORS;
-        flavors = kcalloc(len, sizeof(*flavors), GFP_KERNEL);
-        if (flavors == NULL) {
-                status = -ENOMEM;
-                goto out;
-        }
-        len = rpcauth_list_flavors(flavors, len);
-        if (len < 0) {
-                status = len;
-                goto out_free;
-        }
        clnt = clp->cl_rpcclient;
-        save = clnt->cl_auth->au_flavor;
        i = 0;
        mutex_lock(&nfs_clid_init_mutex);
-        status  = -ENOENT;
 again:
+        status  = -ENOENT;
        cred = ops->get_clid_cred(clp);
        if (cred == NULL)
                goto out_unlock;
@@ -1908,12 +1879,6 @@ again:
        switch (status) {
        case 0:
                break;
-        case -EACCES:
-                if (clp->cl_machine_cred == NULL)
-                        break;
-                /* Handle case where the user hasn't set up machine creds */
-                nfs4_clear_machine_cred(clp);
        case -NFS4ERR_DELAY:
        case -ETIMEDOUT:
        case -EAGAIN:
@@ -1922,17 +1887,12 @@ again:
                dprintk("NFS: %s after status %d, retrying\n",
                        __func__, status);
                goto again;
+        case -EACCES:
+                if (i++)
+                        break;
        case -NFS4ERR_CLID_INUSE:
        case -NFS4ERR_WRONGSEC:
-                status = -EPERM;
+                clnt = rpc_clone_client_set_auth(clnt, RPC_AUTH_UNIX);
-                if (i >= len)
-                        break;
-                flav = flavors[i++];
-                if (flav == save)
-                        flav = flavors[i++];
-                clnt = rpc_clone_client_set_auth(clnt, flav);
                if (IS_ERR(clnt)) {
                        status = PTR_ERR(clnt);
                        break;
@@ -1948,13 +1908,15 @@ again:
        case -NFS4ERR_NOT_SAME: /* FixMe: implement recovery
                                 * in nfs4_exchange_id */
                status = -EKEYEXPIRED;
+                break;
+        default:
+                pr_warn("NFS: %s unhandled error %d. Exiting with error EIO\n",
+                                __func__, status);
+                status = -EIO;
        }
 out_unlock:
        mutex_unlock(&nfs_clid_init_mutex);
-out_free:
-        kfree(flavors);
-out:
        dprintk("NFS: %s: status = %d\n", __func__, status);
        return status;
 }
diff --git a/fs/nfs/nfs4super.c b/fs/nfs/nfs4super.c
index 569b166cc050..a5e1a3026d48 100644
--- a/fs/nfs/nfs4super.c
+++ b/fs/nfs/nfs4super.c
@@ -252,6 +252,8 @@ struct dentry *nfs4_try_mount(int flags, const char *dev_name,
        dfprintk(MOUNT, "--> nfs4_try_mount()\n");
+        if (data->auth_flavors[0] == RPC_AUTH_MAXFLAVOR)
+                data->auth_flavors[0] = RPC_AUTH_UNIX;
        export_path = data->nfs_server.export_path;
        data->nfs_server.export_path = "/";
        root_mnt = nfs_do_root_mount(&nfs4_remote_fs_type, flags, mount_info,
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index c2cbf0d90a31..3c79c5878c6d 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -530,14 +530,10 @@ static int nfs4_stat_to_errno(int);
                                decode_setclientid_maxsz)
 #define NFS4_enc_setclientid_confirm_sz \
                                (compound_encode_hdr_maxsz + \
-                                encode_setclientid_confirm_maxsz + \
+                                encode_setclientid_confirm_maxsz)
-                                encode_putrootfh_maxsz + \
-                                encode_fsinfo_maxsz)
 #define NFS4_dec_setclientid_confirm_sz \
                                (compound_decode_hdr_maxsz + \
-                                decode_setclientid_confirm_maxsz + \
+                                decode_setclientid_confirm_maxsz)
-                                decode_putrootfh_maxsz + \
-                                decode_fsinfo_maxsz)
 #define NFS4_enc_lock_sz        (compound_encode_hdr_maxsz + \
                                encode_sequence_maxsz + \
                                encode_putfh_maxsz + \
@@ -2601,12 +2597,9 @@ static void nfs4_xdr_enc_setclientid_confirm(struct rpc_rqst *req,
        struct compound_hdr hdr = {
                .nops   = 0,
        };
-        const u32 lease_bitmap[3] = { FATTR4_WORD0_LEASE_TIME };
        encode_compound_hdr(xdr, req, &hdr);
        encode_setclientid_confirm(xdr, arg, &hdr);
-        encode_putrootfh(xdr, &hdr);
-        encode_fsinfo(xdr, lease_bitmap, &hdr);
        encode_nops(&hdr);
 }
@@ -5198,27 +5191,30 @@ static int decode_delegreturn(struct xdr_stream *xdr)
        return decode_op_hdr(xdr, OP_DELEGRETURN);
 }
-static int decode_secinfo_gss(struct xdr_stream *xdr, struct nfs4_secinfo_flavor *flavor)
+static int decode_secinfo_gss(struct xdr_stream *xdr,
+                              struct nfs4_secinfo4 *flavor)
 {
+        u32 oid_len;
        __be32 *p;
        p = xdr_inline_decode(xdr, 4);
        if (unlikely(!p))
                goto out_overflow;
-        flavor->gss.sec_oid4.len = be32_to_cpup(p);
+        oid_len = be32_to_cpup(p);
-        if (flavor->gss.sec_oid4.len > GSS_OID_MAX_LEN)
+        if (oid_len > GSS_OID_MAX_LEN)
                goto out_err;
-        p = xdr_inline_decode(xdr, flavor->gss.sec_oid4.len);
+        p = xdr_inline_decode(xdr, oid_len);
        if (unlikely(!p))
                goto out_overflow;
-        memcpy(flavor->gss.sec_oid4.data, p, flavor->gss.sec_oid4.len);
+        memcpy(flavor->flavor_info.oid.data, p, oid_len);
+        flavor->flavor_info.oid.len = oid_len;
        p = xdr_inline_decode(xdr, 8);
        if (unlikely(!p))
                goto out_overflow;
-        flavor->gss.qop4 = be32_to_cpup(p++);
+        flavor->flavor_info.qop = be32_to_cpup(p++);
-        flavor->gss.service = be32_to_cpup(p);
+        flavor->flavor_info.service = be32_to_cpup(p);
        return 0;
@@ -5231,10 +5227,10 @@ out_err:
 static int decode_secinfo_common(struct xdr_stream *xdr, struct nfs4_secinfo_res *res)
 {
-        struct nfs4_secinfo_flavor *sec_flavor;
+        struct nfs4_secinfo4 *sec_flavor;
+        unsigned int i, num_flavors;
        int status;
        __be32 *p;
-        int i, num_flavors;
        p = xdr_inline_decode(xdr, 4);
        if (unlikely(!p))
@@ -6637,8 +6633,7 @@ static int nfs4_xdr_dec_setclientid(struct rpc_rqst *req,
 * Decode SETCLIENTID_CONFIRM response
 */
 static int nfs4_xdr_dec_setclientid_confirm(struct rpc_rqst *req,
-                                            struct xdr_stream *xdr,
+                                            struct xdr_stream *xdr)
-                                            struct nfs_fsinfo *fsinfo)
 {
        struct compound_hdr hdr;
        int status;
@@ -6646,10 +6641,6 @@ static int nfs4_xdr_dec_setclientid_confirm(struct rpc_rqst *req,
        status = decode_compound_hdr(xdr, &hdr);
        if (!status)
                status = decode_setclientid_confirm(xdr);
-        if (!status)
-                status = decode_putrootfh(xdr);
-        if (!status)
-                status = decode_fsinfo(xdr, fsinfo);
        return status;
 }
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 17b32b722457..3bb8318f6d0c 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -917,7 +917,7 @@ static struct nfs_parsed_mount_data *nfs_alloc_parsed_mount_data(void)
                data->mount_server.port = NFS_UNSPEC_PORT;
                data->nfs_server.port   = NFS_UNSPEC_PORT;
                data->nfs_server.protocol = XPRT_TRANSPORT_TCP;
-                data->auth_flavors[0]   = RPC_AUTH_UNIX;
+                data->auth_flavors[0]   = RPC_AUTH_MAXFLAVOR;
                data->auth_flavor_len   = 1;
                data->minorversion      = 0;
                data->need_mount        = true;
@@ -1605,49 +1605,57 @@ out_security_failure:
 }
 /*
- * Match the requested auth flavors with the list returned by
+ * Select a security flavor for this mount.  The selected flavor
- * the server.  Returns zero and sets the mount's authentication
+ * is planted in args->auth_flavors[0].
- * flavor on success; returns -EACCES if server does not support
- * the requested flavor.
 */
-static int nfs_walk_authlist(struct nfs_parsed_mount_data *args,
+static void nfs_select_flavor(struct nfs_parsed_mount_data *args,
-                             struct nfs_mount_request *request)
+                              struct nfs_mount_request *request)
 {
-        unsigned int i, j, server_authlist_len = *(request->auth_flav_len);
+        unsigned int i, count = *(request->auth_flav_len);
+        rpc_authflavor_t flavor;
+        if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR)
+                goto out;
+        /*
+         * The NFSv2 MNT operation does not return a flavor list.
+         */
+        if (args->mount_server.version != NFS_MNT3_VERSION)
+                goto out_default;
        /*
         * Certain releases of Linux's mountd return an empty
-         * flavor list.  To prevent behavioral regression with
+         * flavor list in some cases.
-         * these servers (ie. rejecting mounts that used to
-         * succeed), revert to pre-2.6.32 behavior (no checking)
-         * if the returned flavor list is empty.
         */
-        if (server_authlist_len == 0)
+        if (count == 0)
-                return 0;
+                goto out_default;
        /*
-         * We avoid sophisticated negotiating here, as there are
-         * plenty of cases where we can get it wrong, providing
-         * either too little or too much security.
-         *
         * RFC 2623, section 2.7 suggests we SHOULD prefer the
         * flavor listed first.  However, some servers list
-         * AUTH_NULL first.  Our caller plants AUTH_SYS, the
+         * AUTH_NULL first.  Avoid ever choosing AUTH_NULL.
-         * preferred default, in args->auth_flavors[0] if user
-         * didn't specify sec= mount option.
         */
-        for (i = 0; i < args->auth_flavor_len; i++)
+        for (i = 0; i < count; i++) {
-                for (j = 0; j < server_authlist_len; j++)
+                struct rpcsec_gss_info info;
-                        if (args->auth_flavors[i] == request->auth_flavs[j]) {
-                                dfprintk(MOUNT, "NFS: using auth flavor %d\n",
+                flavor = request->auth_flavs[i];
-                                        request->auth_flavs[j]);
+                switch (flavor) {
-                                args->auth_flavors[0] = request->auth_flavs[j];
+                case RPC_AUTH_UNIX:
-                                return 0;
+                        goto out_set;
-                        }
+                case RPC_AUTH_NULL:
+                        continue;
+                default:
+                        if (rpcauth_get_gssinfo(flavor, &info) == 0)
+                                goto out_set;
+                }
+        }
-        dfprintk(MOUNT, "NFS: server does not support requested auth flavor\n");
+out_default:
-        nfs_umount(request);
+        flavor = RPC_AUTH_UNIX;
-        return -EACCES;
+out_set:
+        args->auth_flavors[0] = flavor;
+out:
+        dfprintk(MOUNT, "NFS: using auth flavor %d\n", args->auth_flavors[0]);
 }
 /*
@@ -1710,12 +1718,8 @@ static int nfs_request_mount(struct nfs_parsed_mount_data *args,
                return status;
        }
-        /*
+        nfs_select_flavor(args, &request);
-         * MNTv1 (NFSv2) does not support auth flavor negotiation.
+        return 0;
-         */
-        if (args->mount_server.version != NFS_MNT3_VERSION)
-                return 0;
-        return nfs_walk_authlist(args, &request);
 }
 struct dentry *nfs_try_mount(int flags, const char *dev_name,
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 01168865dd37..2a2745615b42 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3138,10 +3138,9 @@ nfsd4_encode_rename(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4_
 static __be32
 nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp,
-                         __be32 nfserr,struct svc_export *exp)
+                         __be32 nfserr, struct svc_export *exp)
 {
-        int i = 0;
+        u32 i, nflavs;
-        u32 nflavs;
        struct exp_flavor_info *flavs;
        struct exp_flavor_info def_flavs[2];
        __be32 *p;
@@ -3172,30 +3171,29 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp,
        WRITE32(nflavs);
        ADJUST_ARGS();
        for (i = 0; i < nflavs; i++) {
-                u32 flav = flavs[i].pseudoflavor;
+                struct rpcsec_gss_info info;
-                struct gss_api_mech *gm = gss_mech_get_by_pseudoflavor(flav);
-                if (gm) {
+                if (rpcauth_get_gssinfo(flavs[i].pseudoflavor, &info) == 0) {
                        RESERVE_SPACE(4);
                        WRITE32(RPC_AUTH_GSS);
                        ADJUST_ARGS();
-                        RESERVE_SPACE(4 + gm->gm_oid.len);
+                        RESERVE_SPACE(4 + info.oid.len);
-                        WRITE32(gm->gm_oid.len);
+                        WRITE32(info.oid.len);
-                        WRITEMEM(gm->gm_oid.data, gm->gm_oid.len);
+                        WRITEMEM(info.oid.data, info.oid.len);
                        ADJUST_ARGS();
                        RESERVE_SPACE(4);
-                        WRITE32(0); /* qop */
+                        WRITE32(info.qop);
                        ADJUST_ARGS();
                        RESERVE_SPACE(4);
-                        WRITE32(gss_pseudoflavor_to_service(gm, flav));
+                        WRITE32(info.service);
                        ADJUST_ARGS();
-                        gss_mech_put(gm);
                } else {
                        RESERVE_SPACE(4);
-                        WRITE32(flav);
+                        WRITE32(flavs[i].pseudoflavor);
                        ADJUST_ARGS();
                }
        }
 out:
        if (exp)
                exp_put(exp);
author	Trond Myklebust <Trond.Myklebust@netapp.com>	2013-04-23 15:40:40 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2013-04-23 15:40:40 -0400
commit	bd1d421abcaae1b84ba377ea4c33bba31d654199 (patch)
tree	10bf67d7063a95ffd013a9d01a35b906a7d89fcf /fs
parent	bdeca1b76cd56cd10a029f0ad2fd9ab6dd7e313d (diff)
parent	79d852bf5e7691dc78cc6322ecd1860c50940785 (diff)