nfs4.1: Minimal SP4_MACH_CRED implementation

}

/*

 * nfs4_proc_exchange_id()

 * Minimum set of SP4_MACH_CRED operations from RFC 5661

 */

static const struct nfs41_state_protection nfs4_sp4_mach_cred_request = {

	.how = SP4_MACH_CRED,

	.enforce.u.words = {

		[1] = 1 << (OP_BIND_CONN_TO_SESSION - 32) |

		      1 << (OP_EXCHANGE_ID - 32) |

		      1 << (OP_CREATE_SESSION - 32) |

		      1 << (OP_DESTROY_SESSION - 32) |

		      1 << (OP_DESTROY_CLIENTID - 32)

	}

};

/*

 * Select the state protection mode for client `clp' given the server results

 * from exchange_id in `sp'.

 *

 * Returns zero, a negative errno, or a negative NFS4ERR status code.

 * Returns 0 on success, negative errno otherwise.

 */

static int nfs4_sp4_select_mode(struct nfs_client *clp,

				 struct nfs41_state_protection *sp)

{

	static const u32 supported_enforce[NFS4_OP_MAP_NUM_WORDS] = {

		[1] = 1 << (OP_BIND_CONN_TO_SESSION - 32) |

		      1 << (OP_EXCHANGE_ID - 32) |

		      1 << (OP_CREATE_SESSION - 32) |

		      1 << (OP_DESTROY_SESSION - 32) |

		      1 << (OP_DESTROY_CLIENTID - 32)

	};

	unsigned int i;

	if (sp->how == SP4_MACH_CRED) {

		/* Print state protect result */

		dfprintk(MOUNT, "Server SP4_MACH_CRED support:\n");

		for (i = 0; i <= LAST_NFS4_OP; i++) {

			if (test_bit(i, sp->enforce.u.longs))

				dfprintk(MOUNT, "  enforce op %d\n", i);

			if (test_bit(i, sp->allow.u.longs))

				dfprintk(MOUNT, "  allow op %d\n", i);

		}

		/* make sure nothing is on enforce list that isn't supported */

		for (i = 0; i < NFS4_OP_MAP_NUM_WORDS; i++) {

			if (sp->enforce.u.words[i] & ~supported_enforce[i]) {

				dfprintk(MOUNT, "sp4_mach_cred: disabled\n");

				return -EINVAL;

			}

		}

		/*

		 * Minimal mode - state operations are allowed to use machine

		 * credential.  Note this already happens by default, so the

		 * client doesn't have to do anything more than the negotiation.

		 *

 * Since the clientid has expired, all compounds using sessions

 * associated with the stale clientid will be returning

 * NFS4ERR_BADSESSION in the sequence operation, and will therefore

 * be in some phase of session reset.

		 * NOTE: we don't care if EXCHANGE_ID is in the list -

		 *       we're already using the machine cred for exchange_id

		 *       and will never use a different cred.

		 */

int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred)

		if (test_bit(OP_BIND_CONN_TO_SESSION, sp->enforce.u.longs) &&

		    test_bit(OP_CREATE_SESSION, sp->enforce.u.longs) &&

		    test_bit(OP_DESTROY_SESSION, sp->enforce.u.longs) &&

		    test_bit(OP_DESTROY_CLIENTID, sp->enforce.u.longs)) {

			dfprintk(MOUNT, "sp4_mach_cred:\n");

			dfprintk(MOUNT, "  minimal mode enabled\n");

			set_bit(NFS_SP4_MACH_CRED_MINIMAL, &clp->cl_sp4_flags);

		} else {

			dfprintk(MOUNT, "sp4_mach_cred: disabled\n");

			return -EINVAL;

		}

	}

	return 0;

}

/*

 * _nfs4_proc_exchange_id()

 *

 * Wrapper for EXCHANGE_ID operation.

 */

static int _nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred,

	u32 sp4_how)

{

	nfs4_verifier verifier;

	struct nfs41_exchange_id_args args = {

		goto out_server_scope;

	}

	switch (sp4_how) {

	case SP4_NONE:

		args.state_protect.how = SP4_NONE;

		break;

	case SP4_MACH_CRED:

		args.state_protect = nfs4_sp4_mach_cred_request;

		break;

	default:

		/* unsupported! */

		WARN_ON_ONCE(1);

		status = -EINVAL;

		goto out_server_scope;

	}

	status = rpc_call_sync(clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);

	trace_nfs4_exchange_id(clp, status);

	if (status == 0)

		status = nfs4_check_cl_exchange_flags(res.flags);

	if (status == 0)

		status = nfs4_sp4_select_mode(clp, &res.state_protect);

	if (status == 0) {

		clp->cl_clientid = res.clientid;

		clp->cl_exchange_flags = (res.flags & ~EXCHGID4_FLAG_CONFIRMED_R);

	return status;

}

/*

 * nfs4_proc_exchange_id()

 *

 * Returns zero, a negative errno, or a negative NFS4ERR status code.

 *

 * Since the clientid has expired, all compounds using sessions

 * associated with the stale clientid will be returning

 * NFS4ERR_BADSESSION in the sequence operation, and will therefore

 * be in some phase of session reset.

 *

 * Will attempt to negotiate SP4_MACH_CRED if krb5i / krb5p auth is used.

 */

int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred)

{

	rpc_authflavor_t authflavor = clp->cl_rpcclient->cl_auth->au_flavor;

	int status;

	/* try SP4_MACH_CRED if krb5i/p	*/

	if (authflavor == RPC_AUTH_GSS_KRB5I ||

	    authflavor == RPC_AUTH_GSS_KRB5P) {

		status = _nfs4_proc_exchange_id(clp, cred, SP4_MACH_CRED);

		if (!status)

			return 0;

	}

	/* try SP4_NONE */

	return _nfs4_proc_exchange_id(clp, cred, SP4_NONE);

}

static int _nfs4_proc_destroy_clientid(struct nfs_client *clp,

		struct rpc_cred *cred)

{

				XDR_QUADLEN(NFS4_EXCHANGE_ID_LEN) + \

				1 /* flags */ + \

				1 /* spa_how */ + \

				0 /* SP4_NONE (for now) */ + \

				/* max is SP4_MACH_CRED (for now) */ + \

				1 + NFS4_OP_MAP_NUM_WORDS + \

				1 + NFS4_OP_MAP_NUM_WORDS + \

				1 /* implementation id array of size 1 */ + \

				1 /* nii_domain */ + \

				XDR_QUADLEN(NFS4_OPAQUE_LIMIT) + \

				1 /* eir_sequenceid */ + \

				1 /* eir_flags */ + \

				1 /* spr_how */ + \

				0 /* SP4_NONE (for now) */ + \

				  /* max is SP4_MACH_CRED (for now) */ + \

				1 + NFS4_OP_MAP_NUM_WORDS + \

				1 + NFS4_OP_MAP_NUM_WORDS + \

				2 /* eir_server_owner.so_minor_id */ + \

				/* eir_server_owner.so_major_id<> */ \

				XDR_QUADLEN(NFS4_OPAQUE_LIMIT) + 1 + \

	*p = 0;	/* use_conn_in_rdma_mode = False */

}

static void encode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)

{

	unsigned int i;

	encode_uint32(xdr, NFS4_OP_MAP_NUM_WORDS);

	for (i = 0; i < NFS4_OP_MAP_NUM_WORDS; i++)

		encode_uint32(xdr, op_map->u.words[i]);

}

static void encode_exchange_id(struct xdr_stream *xdr,

			       struct nfs41_exchange_id_args *args,

			       struct compound_hdr *hdr)

	encode_string(xdr, args->id_len, args->id);

	p = reserve_space(xdr, 12);

	*p++ = cpu_to_be32(args->flags);

	*p++ = cpu_to_be32(0);	/* zero length state_protect4_a */

	encode_uint32(xdr, args->flags);

	encode_uint32(xdr, args->state_protect.how);

	switch (args->state_protect.how) {

	case SP4_NONE:

		break;

	case SP4_MACH_CRED:

		encode_op_map(xdr, &args->state_protect.enforce);

		encode_op_map(xdr, &args->state_protect.allow);

		break;

	default:

		WARN_ON_ONCE(1);

		break;

	}

	if (send_implementation_id &&

	    sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) > 1 &&

			       utsname()->version, utsname()->machine);

	if (len > 0) {

		*p = cpu_to_be32(1);	/* implementation id array length=1 */

		encode_uint32(xdr, 1);	/* implementation id array length=1 */

		encode_string(xdr,

			sizeof(CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN) - 1,

		p = xdr_encode_hyper(p, 0);

		*p = cpu_to_be32(0);

	} else

		*p = cpu_to_be32(0);	/* implementation id array length=0 */

		encode_uint32(xdr, 0);	/* implementation id array length=0 */

}

static void encode_create_session(struct xdr_stream *xdr,

	return decode_secinfo_common(xdr, res);

}

static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)

{

	__be32 *p;

	uint32_t bitmap_words;

	unsigned int i;

	p = xdr_inline_decode(xdr, 4);

	bitmap_words = be32_to_cpup(p++);

	if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)

		return -EIO;

	p = xdr_inline_decode(xdr, 4 * bitmap_words);

	for (i = 0; i < bitmap_words; i++)

		op_map->u.words[i] = be32_to_cpup(p++);

	return 0;

}

static int decode_exchange_id(struct xdr_stream *xdr,

			      struct nfs41_exchange_id_res *res)

{

	res->seqid = be32_to_cpup(p++);

	res->flags = be32_to_cpup(p++);

	/* We ask for SP4_NONE */

	dummy = be32_to_cpup(p);

	if (dummy != SP4_NONE)

	res->state_protect.how = be32_to_cpup(p);

	switch (res->state_protect.how) {

	case SP4_NONE:

		break;

	case SP4_MACH_CRED:

		status = decode_op_map(xdr, &res->state_protect.enforce);

		if (status)

			return status;

		status = decode_op_map(xdr, &res->state_protect.allow);

		if (status)

			return status;

		break;

	default:

		WARN_ON_ONCE(1);

		return -EIO;

	}

	/* server_owner4.so_minor_id */

	p = xdr_inline_decode(xdr, 8);

	struct nfs41_server_owner *cl_serverowner;

	struct nfs41_server_scope *cl_serverscope;

	struct nfs41_impl_id	*cl_implid;

	/* nfs 4.1+ state protection modes: */

	unsigned long		cl_sp4_flags;

#define NFS_SP4_MACH_CRED_MINIMAL  1	/* Minimal sp4_mach_cred - state ops

					 * must use machine cred */

#endif /* CONFIG_NFS_V4 */

#ifdef CONFIG_NFS_FSCACHE

	struct pnfs_commit_bucket *buckets;

};

#define NFS4_OP_MAP_NUM_LONGS \

	DIV_ROUND_UP(LAST_NFS4_OP, 8 * sizeof(unsigned long))

#define NFS4_OP_MAP_NUM_WORDS \

	(NFS4_OP_MAP_NUM_LONGS * sizeof(unsigned long) / sizeof(u32))

struct nfs4_op_map {

	union {

		unsigned long longs[NFS4_OP_MAP_NUM_LONGS];

		u32 words[NFS4_OP_MAP_NUM_WORDS];

	} u;

};

struct nfs41_state_protection {

	u32 how;

	struct nfs4_op_map enforce;

	struct nfs4_op_map allow;

};

#define NFS4_EXCHANGE_ID_LEN	(48)

struct nfs41_exchange_id_args {

	struct nfs_client		*client;

	unsigned int 			id_len;

	char 				id[NFS4_EXCHANGE_ID_LEN];

	u32				flags;

	struct nfs41_state_protection	state_protect;

};

struct nfs41_server_owner {

	struct nfs41_server_owner	*server_owner;

	struct nfs41_server_scope	*server_scope;

	struct nfs41_impl_id		*impl_id;

	struct nfs41_state_protection	state_protect;

};

struct nfs41_create_session_args {