struct gss_auth {
struct rpc_auth rpc_auth;
struct gss_api_mech *mech;
+ enum rpc_gss_svc service;
struct list_head upcalls;
+ struct rpc_clnt *client;
struct dentry *dentry;
char path[48];
spinlock_t lock;
return res;
}
-static inline int
-simple_get_bytes(char **ptr, const char *end, void *res, int len)
+static const void *
+simple_get_bytes(const void *p, const void *end, void *res, size_t len)
{
- char *p, *q;
- p = *ptr;
- q = p + len;
- if (q > end || q < p)
- return -1;
+ const void *q = (const void *)((const char *)p + len);
+ if (unlikely(q > end || q < p))
+ return ERR_PTR(-EFAULT);
memcpy(res, p, len);
- *ptr = q;
- return 0;
-}
-
-static inline int
-simple_get_netobj(char **ptr, const char *end, struct xdr_netobj *res)
-{
- char *p, *q;
- p = *ptr;
- if (simple_get_bytes(&p, end, &res->len, sizeof(res->len)))
- return -1;
- q = p + res->len;
- if (q > end || q < p)
- return -1;
- res->data = p;
- *ptr = q;
- return 0;
+ return q;
}
-static int
-dup_netobj(struct xdr_netobj *source, struct xdr_netobj *dest)
+static inline const void *
+simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest)
{
- dest->len = source->len;
- if (!(dest->data = kmalloc(dest->len, GFP_KERNEL)))
- return -1;
- memcpy(dest->data, source->data, dest->len);
- return 0;
+ const void *q;
+ unsigned int len;
+
+ p = simple_get_bytes(p, end, &len, sizeof(len));
+ if (IS_ERR(p))
+ return p;
+ q = (const void *)((const char *)p + len);
+ if (unlikely(q > end || q < p))
+ return ERR_PTR(-EFAULT);
+ dest->data = kmalloc(len, GFP_KERNEL);
+ if (unlikely(dest->data == NULL))
+ return ERR_PTR(-ENOMEM);
+ dest->len = len;
+ memcpy(dest->data, p, len);
+ return q;
}
static struct gss_cl_ctx *
return ctx;
}
-static int
-gss_parse_init_downcall(struct gss_api_mech *gm, struct xdr_netobj *buf,
- struct gss_cl_ctx **gc, uid_t *uid, int *gss_err)
+static struct gss_cl_ctx *
+gss_alloc_context(void)
{
- char *end = buf->data + buf->len;
- char *p = buf->data;
struct gss_cl_ctx *ctx;
- struct xdr_netobj tmp_buf;
+
+ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->gc_proc = RPC_GSS_PROC_DATA;
+ ctx->gc_seq = 1; /* NetApp 6.4R1 doesn't accept seq. no. 0 */
+ spin_lock_init(&ctx->gc_seq_lock);
+ atomic_set(&ctx->count,1);
+ }
+ return ctx;
+}
+
+#define GSSD_MIN_TIMEOUT (60 * 60)
+static const void *
+gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm)
+{
+ const void *q;
+ unsigned int seclen;
unsigned int timeout;
- int err = -EIO;
+ u32 window_size;
+ int ret;
- if (!(ctx = kmalloc(sizeof(*ctx), GFP_KERNEL))) {
- err = -ENOMEM;
+ /* First unsigned int gives the lifetime (in seconds) of the cred */
+ p = simple_get_bytes(p, end, &timeout, sizeof(timeout));
+ if (IS_ERR(p))
goto err;
- }
- ctx->gc_proc = RPC_GSS_PROC_DATA;
- ctx->gc_seq = 1; /* NetApp 6.4R1 doesn't accept seq. no. 0 */
- spin_lock_init(&ctx->gc_seq_lock);
- atomic_set(&ctx->count,1);
-
- if (simple_get_bytes(&p, end, uid, sizeof(*uid)))
- goto err_free_ctx;
- /* FIXME: discarded timeout for now */
- if (simple_get_bytes(&p, end, &timeout, sizeof(timeout)))
- goto err_free_ctx;
- *gss_err = 0;
- if (simple_get_bytes(&p, end, &ctx->gc_win, sizeof(ctx->gc_win)))
- goto err_free_ctx;
+ if (timeout == 0)
+ timeout = GSSD_MIN_TIMEOUT;
+ ctx->gc_expiry = jiffies + (unsigned long)timeout * HZ * 3 / 4;
+ /* Sequence number window. Determines the maximum number of simultaneous requests */
+ p = simple_get_bytes(p, end, &window_size, sizeof(window_size));
+ if (IS_ERR(p))
+ goto err;
+ ctx->gc_win = window_size;
/* gssd signals an error by passing ctx->gc_win = 0: */
- if (!ctx->gc_win) {
- /* in which case the next int is an error code: */
- if (simple_get_bytes(&p, end, gss_err, sizeof(*gss_err)))
- goto err_free_ctx;
- err = 0;
- goto err_free_ctx;
+ if (ctx->gc_win == 0) {
+ /* in which case, p points to an error code which we ignore */
+ p = ERR_PTR(-EACCES);
+ goto err;
}
- if (simple_get_netobj(&p, end, &tmp_buf))
- goto err_free_ctx;
- if (dup_netobj(&tmp_buf, &ctx->gc_wire_ctx)) {
- err = -ENOMEM;
- goto err_free_ctx;
+ /* copy the opaque wire context */
+ p = simple_get_netobj(p, end, &ctx->gc_wire_ctx);
+ if (IS_ERR(p))
+ goto err;
+ /* import the opaque security context */
+ p = simple_get_bytes(p, end, &seclen, sizeof(seclen));
+ if (IS_ERR(p))
+ goto err;
+ q = (const void *)((const char *)p + seclen);
+ if (unlikely(q > end || q < p)) {
+ p = ERR_PTR(-EFAULT);
+ goto err;
}
- if (simple_get_netobj(&p, end, &tmp_buf))
- goto err_free_wire_ctx;
- if (p != end)
- goto err_free_wire_ctx;
- if (gss_import_sec_context(&tmp_buf, gm, &ctx->gc_gss_ctx))
- goto err_free_wire_ctx;
- *gc = ctx;
- return 0;
-err_free_wire_ctx:
- kfree(ctx->gc_wire_ctx.data);
-err_free_ctx:
- kfree(ctx);
+ ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx);
+ if (ret < 0) {
+ p = ERR_PTR(ret);
+ goto err;
+ }
+ return q;
err:
- *gc = NULL;
- dprintk("RPC: gss_parse_init_downcall returning %d\n", err);
- return err;
+ dprintk("RPC: gss_fill_context returning %ld\n", -PTR_ERR(p));
+ return p;
}
struct gss_upcall_msg {
+ atomic_t count;
+ uid_t uid;
struct rpc_pipe_msg msg;
struct list_head list;
struct gss_auth *auth;
- struct rpc_wait_queue waitq;
- uid_t uid;
- atomic_t count;
+ struct rpc_wait_queue rpc_waitqueue;
+ wait_queue_head_t waitqueue;
+ struct gss_cl_ctx *ctx;
};
static void
if (!atomic_dec_and_test(&gss_msg->count))
return;
BUG_ON(!list_empty(&gss_msg->list));
+ if (gss_msg->ctx != NULL)
+ gss_put_ctx(gss_msg->ctx);
kfree(gss_msg);
}
return NULL;
}
+/* Try to add a upcall to the pipefs queue.
+ * If an upcall owned by our uid already exists, then we return a reference
+ * to that upcall instead of adding the new upcall.
+ */
+static inline struct gss_upcall_msg *
+gss_add_msg(struct gss_auth *gss_auth, struct gss_upcall_msg *gss_msg)
+{
+ struct gss_upcall_msg *old;
+
+ spin_lock(&gss_auth->lock);
+ old = __gss_find_upcall(gss_auth, gss_msg->uid);
+ if (old == NULL) {
+ atomic_inc(&gss_msg->count);
+ list_add(&gss_msg->list, &gss_auth->upcalls);
+ } else
+ gss_msg = old;
+ spin_unlock(&gss_auth->lock);
+ return gss_msg;
+}
+
static void
__gss_unhash_msg(struct gss_upcall_msg *gss_msg)
{
if (list_empty(&gss_msg->list))
return;
list_del_init(&gss_msg->list);
- if (gss_msg->msg.errno < 0)
- rpc_wake_up_status(&gss_msg->waitq, gss_msg->msg.errno);
- else
- rpc_wake_up(&gss_msg->waitq);
+ rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
+ wake_up_all(&gss_msg->waitqueue);
atomic_dec(&gss_msg->count);
}
spin_unlock(&gss_auth->lock);
}
-static int
-gss_upcall(struct rpc_clnt *clnt, struct rpc_task *task, struct rpc_cred *cred)
+static void
+gss_upcall_callback(struct rpc_task *task)
{
- struct gss_auth *gss_auth = container_of(clnt->cl_auth,
- struct gss_auth, rpc_auth);
- struct gss_upcall_msg *gss_msg, *gss_new = NULL;
- struct rpc_pipe_msg *msg;
- struct dentry *dentry = gss_auth->dentry;
- uid_t uid = cred->cr_uid;
- int res = 0;
+ struct gss_cred *gss_cred = container_of(task->tk_msg.rpc_cred,
+ struct gss_cred, gc_base);
+ struct gss_upcall_msg *gss_msg = gss_cred->gc_upcall;
- dprintk("RPC: %4u gss_upcall for uid %u\n", task->tk_pid, uid);
+ BUG_ON(gss_msg == NULL);
+ if (gss_msg->ctx)
+ gss_cred_set_ctx(task->tk_msg.rpc_cred, gss_get_ctx(gss_msg->ctx));
+ else
+ task->tk_status = gss_msg->msg.errno;
+ spin_lock(&gss_msg->auth->lock);
+ gss_cred->gc_upcall = NULL;
+ rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
+ spin_unlock(&gss_msg->auth->lock);
+ gss_release_msg(gss_msg);
+}
-retry:
- spin_lock(&gss_auth->lock);
- gss_msg = __gss_find_upcall(gss_auth, uid);
- if (gss_msg)
- goto out_sleep;
- if (gss_new == NULL) {
- spin_unlock(&gss_auth->lock);
- gss_new = kmalloc(sizeof(*gss_new), GFP_KERNEL);
- if (!gss_new) {
- dprintk("RPC: %4u gss_upcall -ENOMEM\n", task->tk_pid);
- return -ENOMEM;
+static inline struct gss_upcall_msg *
+gss_alloc_msg(struct gss_auth *gss_auth, uid_t uid)
+{
+ struct gss_upcall_msg *gss_msg;
+
+ gss_msg = kmalloc(sizeof(*gss_msg), GFP_KERNEL);
+ if (gss_msg != NULL) {
+ memset(gss_msg, 0, sizeof(*gss_msg));
+ INIT_LIST_HEAD(&gss_msg->list);
+ rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
+ init_waitqueue_head(&gss_msg->waitqueue);
+ atomic_set(&gss_msg->count, 1);
+ gss_msg->msg.data = &gss_msg->uid;
+ gss_msg->msg.len = sizeof(gss_msg->uid);
+ gss_msg->uid = uid;
+ gss_msg->auth = gss_auth;
+ }
+ return gss_msg;
+}
+
+static struct gss_upcall_msg *
+gss_setup_upcall(struct rpc_clnt *clnt, struct gss_auth *gss_auth, struct rpc_cred *cred)
+{
+ struct gss_upcall_msg *gss_new, *gss_msg;
+
+ gss_new = gss_alloc_msg(gss_auth, cred->cr_uid);
+ if (gss_new == NULL)
+ return ERR_PTR(-ENOMEM);
+ gss_msg = gss_add_msg(gss_auth, gss_new);
+ if (gss_msg == gss_new) {
+ int res = rpc_queue_upcall(gss_auth->dentry->d_inode, &gss_new->msg);
+ if (res) {
+ gss_unhash_msg(gss_new);
+ gss_msg = ERR_PTR(res);
}
- goto retry;
+ } else
+ gss_release_msg(gss_new);
+ return gss_msg;
+}
+
+static inline int
+gss_refresh_upcall(struct rpc_task *task)
+{
+ struct rpc_cred *cred = task->tk_msg.rpc_cred;
+ struct gss_auth *gss_auth = container_of(task->tk_client->cl_auth,
+ struct gss_auth, rpc_auth);
+ struct gss_cred *gss_cred = container_of(cred,
+ struct gss_cred, gc_base);
+ struct gss_upcall_msg *gss_msg;
+ int err = 0;
+
+ dprintk("RPC: %4u gss_refresh_upcall for uid %u\n", task->tk_pid, cred->cr_uid);
+ gss_msg = gss_setup_upcall(task->tk_client, gss_auth, cred);
+ if (IS_ERR(gss_msg)) {
+ err = PTR_ERR(gss_msg);
+ goto out;
}
- gss_msg = gss_new;
- memset(gss_new, 0, sizeof(*gss_new));
- INIT_LIST_HEAD(&gss_new->list);
- rpc_init_wait_queue(&gss_new->waitq, "RPCSEC_GSS upcall waitq");
- atomic_set(&gss_new->count, 2);
- msg = &gss_new->msg;
- msg->data = &gss_new->uid;
- msg->len = sizeof(gss_new->uid);
- gss_new->uid = uid;
- gss_new->auth = gss_auth;
- list_add(&gss_new->list, &gss_auth->upcalls);
- gss_new = NULL;
- /* Has someone updated the credential behind our back? */
- if (!gss_cred_is_uptodate_ctx(cred)) {
- /* No, so do upcall and sleep */
+ spin_lock(&gss_auth->lock);
+ if (gss_cred->gc_upcall != NULL)
+ rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL, NULL);
+ else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) {
task->tk_timeout = 0;
- rpc_sleep_on(&gss_msg->waitq, task, NULL, NULL);
- spin_unlock(&gss_auth->lock);
- res = rpc_queue_upcall(dentry->d_inode, msg);
- if (res)
- gss_unhash_msg(gss_msg);
- } else {
- /* Yes, so cancel upcall */
- __gss_unhash_msg(gss_msg);
+ gss_cred->gc_upcall = gss_msg;
+ /* gss_upcall_callback will release the reference to gss_upcall_msg */
+ atomic_inc(&gss_msg->count);
+ rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback, NULL);
+ } else
+ err = gss_msg->msg.errno;
+ spin_unlock(&gss_auth->lock);
+ gss_release_msg(gss_msg);
+out:
+ dprintk("RPC: %4u gss_refresh_upcall for uid %u result %d\n", task->tk_pid,
+ cred->cr_uid, err);
+ return err;
+}
+
+static inline int
+gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
+{
+ struct rpc_cred *cred = &gss_cred->gc_base;
+ struct gss_upcall_msg *gss_msg;
+ DEFINE_WAIT(wait);
+ int err = 0;
+
+ dprintk("RPC: gss_upcall for uid %u\n", cred->cr_uid);
+ gss_msg = gss_setup_upcall(gss_auth->client, gss_auth, cred);
+ if (IS_ERR(gss_msg)) {
+ err = PTR_ERR(gss_msg);
+ goto out;
+ }
+ for (;;) {
+ prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_INTERRUPTIBLE);
+ spin_lock(&gss_auth->lock);
+ if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) {
+ spin_unlock(&gss_auth->lock);
+ break;
+ }
spin_unlock(&gss_auth->lock);
+ if (signalled()) {
+ err = -ERESTARTSYS;
+ goto out_intr;
+ }
+ schedule();
}
+ if (gss_msg->ctx)
+ gss_cred_set_ctx(cred, gss_get_ctx(gss_msg->ctx));
+ else
+ err = gss_msg->msg.errno;
+out_intr:
+ finish_wait(&gss_msg->waitqueue, &wait);
gss_release_msg(gss_msg);
- dprintk("RPC: %4u gss_upcall for uid %u result %d\n", task->tk_pid,
- uid, res);
- return res;
-out_sleep:
- task->tk_timeout = 0;
- rpc_sleep_on(&gss_msg->waitq, task, NULL, NULL);
- spin_unlock(&gss_auth->lock);
- dprintk("RPC: %4u gss_upcall sleeping\n", task->tk_pid);
- if (gss_new)
- kfree(gss_new);
- /* Note: we drop the reference here: we are automatically removed
- * from the queue when we're woken up, and we should in any case
- * have no further responsabilities w.r.t. the upcall.
- */
- gss_release_msg(gss_msg);
- return 0;
+out:
+ dprintk("RPC: gss_create_upcall for uid %u result %d\n", cred->cr_uid, err);
+ return err;
}
static ssize_t
static ssize_t
gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
{
- struct xdr_netobj obj = {
- .len = mlen,
- };
- struct inode *inode = filp->f_dentry->d_inode;
- struct rpc_inode *rpci = RPC_I(inode);
+ const void *p, *end;
+ void *buf;
struct rpc_clnt *clnt;
- struct rpc_auth *auth;
struct gss_auth *gss_auth;
- struct gss_api_mech *mech;
- struct auth_cred acred = { 0 };
struct rpc_cred *cred;
struct gss_upcall_msg *gss_msg;
- struct gss_cl_ctx *ctx = NULL;
- ssize_t left;
- int err;
- int gss_err;
+ struct gss_cl_ctx *ctx;
+ uid_t uid;
+ int err = -EFBIG;
if (mlen > MSG_BUF_MAXSIZE)
- return -EFBIG;
- obj.data = kmalloc(mlen, GFP_KERNEL);
- if (!obj.data)
- return -ENOMEM;
- left = copy_from_user(obj.data, src, mlen);
- if (left) {
- err = -EFAULT;
goto out;
- }
- clnt = rpci->private;
- atomic_inc(&clnt->cl_users);
- auth = clnt->cl_auth;
- gss_auth = container_of(auth, struct gss_auth, rpc_auth);
- mech = gss_auth->mech;
- err = gss_parse_init_downcall(mech, &obj, &ctx, &acred.uid, &gss_err);
- if (err)
+ err = -ENOMEM;
+ buf = kmalloc(mlen, GFP_KERNEL);
+ if (!buf)
+ goto out;
+
+ clnt = RPC_I(filp->f_dentry->d_inode)->private;
+ err = -EFAULT;
+ if (copy_from_user(buf, src, mlen))
goto err;
- cred = rpcauth_lookup_credcache(auth, &acred, 0);
- if (!cred)
+
+ end = (const void *)((char *)buf + mlen);
+ p = simple_get_bytes(buf, end, &uid, sizeof(uid));
+ if (IS_ERR(p)) {
+ err = PTR_ERR(p);
goto err;
- if (gss_err)
- cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
- else
- gss_cred_set_ctx(cred, ctx);
+ }
+
+ err = -ENOMEM;
+ ctx = gss_alloc_context();
+ if (ctx == NULL)
+ goto err;
+ err = 0;
+ gss_auth = container_of(clnt->cl_auth, struct gss_auth, rpc_auth);
+ p = gss_fill_context(p, end, ctx, gss_auth->mech);
+ if (IS_ERR(p)) {
+ err = PTR_ERR(p);
+ if (err != -EACCES)
+ goto err_put_ctx;
+ }
spin_lock(&gss_auth->lock);
- gss_msg = __gss_find_upcall(gss_auth, acred.uid);
+ gss_msg = __gss_find_upcall(gss_auth, uid);
if (gss_msg) {
- if (gss_err)
- gss_msg->msg.errno = -EACCES;
+ if (err == 0 && gss_msg->ctx == NULL)
+ gss_msg->ctx = gss_get_ctx(ctx);
+ gss_msg->msg.errno = err;
__gss_unhash_msg(gss_msg);
spin_unlock(&gss_auth->lock);
gss_release_msg(gss_msg);
- } else
+ } else {
+ struct auth_cred acred = { .uid = uid };
spin_unlock(&gss_auth->lock);
- rpc_release_client(clnt);
- kfree(obj.data);
+ cred = rpcauth_lookup_credcache(clnt->cl_auth, &acred, 0);
+ if (IS_ERR(cred)) {
+ err = PTR_ERR(cred);
+ goto err_put_ctx;
+ }
+ gss_cred_set_ctx(cred, gss_get_ctx(ctx));
+ }
+ gss_put_ctx(ctx);
+ kfree(buf);
dprintk("RPC: gss_pipe_downcall returning length %Zu\n", mlen);
return mlen;
+err_put_ctx:
+ gss_put_ctx(ctx);
err:
- if (ctx)
- gss_destroy_ctx(ctx);
- rpc_release_client(clnt);
+ kfree(buf);
out:
- kfree(obj.data);
dprintk("RPC: gss_pipe_downcall returning %d\n", err);
return err;
}
dprintk("RPC: creating GSS authenticator for client %p\n",clnt);
+ if (!try_module_get(THIS_MODULE))
+ return NULL;
if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL)))
goto out_dec;
+ gss_auth->client = clnt;
gss_auth->mech = gss_mech_get_by_pseudoflavor(flavor);
if (!gss_auth->mech) {
printk(KERN_WARNING "%s: Pseudoflavor %d not found!",
__FUNCTION__, flavor);
goto err_free;
}
+ gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor);
+ /* FIXME: Will go away once privacy support is merged in */
+ if (gss_auth->service == RPC_GSS_SVC_PRIVACY)
+ gss_auth->service = RPC_GSS_SVC_INTEGRITY;
INIT_LIST_HEAD(&gss_auth->upcalls);
spin_lock_init(&gss_auth->lock);
auth = &gss_auth->rpc_auth;
auth->au_cslack = GSS_CRED_SLACK >> 2;
auth->au_rslack = GSS_VERF_SLACK >> 2;
- auth->au_expire = GSS_CRED_EXPIRE;
auth->au_ops = &authgss_ops;
auth->au_flavor = flavor;
+ atomic_set(&auth->au_count, 1);
- rpcauth_init_credcache(auth);
+ if (rpcauth_init_credcache(auth, GSS_CRED_EXPIRE) < 0)
+ goto err_put_mech;
snprintf(gss_auth->path, sizeof(gss_auth->path), "%s/%s",
clnt->cl_pathname,
err_free:
kfree(gss_auth);
out_dec:
+ module_put(THIS_MODULE);
return NULL;
}
gss_mech_put(gss_auth->mech);
rpcauth_free_credcache(auth);
+ kfree(gss_auth);
+ module_put(THIS_MODULE);
}
/* gss_destroy_cred (and gss_destroy_ctx) are used to clean up after failure
if (ctx->gc_gss_ctx)
gss_delete_sec_context(&ctx->gc_gss_ctx);
- if (ctx->gc_wire_ctx.len > 0) {
- kfree(ctx->gc_wire_ctx.data);
- ctx->gc_wire_ctx.len = 0;
- }
-
+ kfree(ctx->gc_wire_ctx.data);
kfree(ctx);
-
}
static void
gss_destroy_cred(struct rpc_cred *rc)
{
- struct gss_cred *cred = (struct gss_cred *)rc;
+ struct gss_cred *cred = container_of(rc, struct gss_cred, gc_base);
dprintk("RPC: gss_destroy_cred \n");
kfree(cred);
}
+/*
+ * Lookup RPCSEC_GSS cred for the current process
+ */
+static struct rpc_cred *
+gss_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int taskflags)
+{
+ return rpcauth_lookup_credcache(auth, acred, taskflags);
+}
+
static struct rpc_cred *
gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int taskflags)
{
+ struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth);
struct gss_cred *cred = NULL;
+ int err = -ENOMEM;
dprintk("RPC: gss_create_cred for uid %d, flavor %d\n",
acred->uid, auth->au_flavor);
goto out_err;
memset(cred, 0, sizeof(*cred));
- atomic_set(&cred->gc_count, 0);
+ atomic_set(&cred->gc_count, 1);
cred->gc_uid = acred->uid;
/*
* Note: in order to force a call to call_refresh(), we deliberately
*/
cred->gc_flags = 0;
cred->gc_base.cr_ops = &gss_credops;
- cred->gc_flavor = auth->au_flavor;
+ cred->gc_service = gss_auth->service;
+ err = gss_create_upcall(gss_auth, cred);
+ if (err < 0)
+ goto out_err;
- return (struct rpc_cred *) cred;
+ return &cred->gc_base;
out_err:
- dprintk("RPC: gss_create_cred failed\n");
- if (cred) gss_destroy_cred((struct rpc_cred *)cred);
- return NULL;
+ dprintk("RPC: gss_create_cred failed with error %d\n", err);
+ if (cred) gss_destroy_cred(&cred->gc_base);
+ return ERR_PTR(err);
}
static int
gss_match(struct auth_cred *acred, struct rpc_cred *rc, int taskflags)
{
+ struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
+
+ /* Don't match with creds that have expired. */
+ if (gss_cred->gc_ctx && time_after(jiffies, gss_cred->gc_ctx->gc_expiry))
+ return 0;
return (rc->cr_uid == acred->uid);
}
* Maybe we should keep a cached credential for performance reasons.
*/
static u32 *
-gss_marshal(struct rpc_task *task, u32 *p, int ruid)
+gss_marshal(struct rpc_task *task, u32 *p)
{
struct rpc_cred *cred = task->tk_msg.rpc_cred;
struct gss_cred *gss_cred = container_of(cred, struct gss_cred,
struct xdr_netobj mic;
struct kvec iov;
struct xdr_buf verf_buf;
- u32 service;
dprintk("RPC: %4u gss_marshal\n", task->tk_pid);
*p++ = htonl(RPC_AUTH_GSS);
cred_len = p++;
- service = gss_pseudoflavor_to_service(ctx->gc_gss_ctx->mech_type,
- gss_cred->gc_flavor);
- if (service == 0) {
- dprintk("RPC: %4u Bad pseudoflavor %d in gss_marshal\n",
- task->tk_pid, gss_cred->gc_flavor);
- goto out_put_ctx;
- }
spin_lock(&ctx->gc_seq_lock);
req->rq_seqno = ctx->gc_seq++;
spin_unlock(&ctx->gc_seq_lock);
*p++ = htonl((u32) RPC_GSS_VERSION);
*p++ = htonl((u32) ctx->gc_proc);
*p++ = htonl((u32) req->rq_seqno);
- *p++ = htonl((u32) service);
+ *p++ = htonl((u32) gss_cred->gc_service);
p = xdr_encode_netobj(p, &ctx->gc_wire_ctx);
*cred_len = htonl((p - (cred_len + 1)) << 2);
static int
gss_refresh(struct rpc_task *task)
{
- struct rpc_clnt *clnt = task->tk_client;
- struct rpc_cred *cred = task->tk_msg.rpc_cred;
- if (!gss_cred_is_uptodate_ctx(cred))
- return gss_upcall(clnt, task, cred);
+ if (!gss_cred_is_uptodate_ctx(task->tk_msg.rpc_cred))
+ return gss_refresh_upcall(task);
return 0;
}
struct xdr_buf verf_buf;
struct xdr_netobj mic;
u32 flav,len;
- u32 service;
u32 maj_stat;
dprintk("RPC: %4u gss_validate\n", task->tk_pid);
cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
if (maj_stat)
goto out_bad;
- service = gss_pseudoflavor_to_service(ctx->gc_gss_ctx->mech_type,
- gss_cred->gc_flavor);
- switch (service) {
+ switch (gss_cred->gc_service) {
case RPC_GSS_SVC_NONE:
/* verifier data, flavor, length: */
task->tk_auth->au_rslack = XDR_QUADLEN(len) + 2;
/* verifier data, flavor, length, length, sequence number: */
task->tk_auth->au_rslack = XDR_QUADLEN(len) + 4;
break;
- default:
+ case RPC_GSS_SVC_PRIVACY:
goto out_bad;
}
gss_put_ctx(ctx);
gc_base);
struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
int status = -EIO;
- u32 service;
dprintk("RPC: %4u gss_wrap_req\n", task->tk_pid);
if (ctx->gc_proc != RPC_GSS_PROC_DATA) {
status = encode(rqstp, p, obj);
goto out;
}
- service = gss_pseudoflavor_to_service(ctx->gc_gss_ctx->mech_type,
- gss_cred->gc_flavor);
- switch (service) {
+ switch (gss_cred->gc_service) {
case RPC_GSS_SVC_NONE:
status = encode(rqstp, p, obj);
- goto out;
+ break;
case RPC_GSS_SVC_INTEGRITY:
status = gss_wrap_req_integ(cred, ctx, encode,
rqstp, p, obj);
- goto out;
- case RPC_GSS_SVC_PRIVACY:
- default:
- goto out;
+ break;
+ case RPC_GSS_SVC_PRIVACY:
+ break;
}
out:
gss_put_ctx(ctx);
gc_base);
struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
int status = -EIO;
- u32 service;
if (ctx->gc_proc != RPC_GSS_PROC_DATA)
goto out_decode;
- service = gss_pseudoflavor_to_service(ctx->gc_gss_ctx->mech_type,
- gss_cred->gc_flavor);
- switch (service) {
+ switch (gss_cred->gc_service) {
case RPC_GSS_SVC_NONE:
- goto out_decode;
+ break;
case RPC_GSS_SVC_INTEGRITY:
status = gss_unwrap_resp_integ(cred, ctx, rqstp, &p);
if (status)
goto out;
break;
- case RPC_GSS_SVC_PRIVACY:
- default:
- goto out;
+ case RPC_GSS_SVC_PRIVACY:
+ break;
}
out_decode:
status = decode(rqstp, p, obj);
#endif
.create = gss_create,
.destroy = gss_destroy,
+ .lookup_cred = gss_lookup_cred,
.crcreate = gss_create_cred
};
static struct rpc_credops gss_credops = {
+ .cr_name = "AUTH_GSS",
.crdestroy = gss_destroy_cred,
.crmatch = gss_match,
.crmarshal = gss_marshal,
git://git.onelab.eu / linux-2.6.git / blobdiff