Commit eb6dc19d authored by Trond Myklebust's avatar Trond Myklebust

RPCSEC_GSS: Share all credential caches on a per-transport basis

Ensure that all struct rpc_clnt for any given socket/rdma channel
share the same RPCSEC_GSS/krb5,krb5i,krb5p caches.
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 414a6295
...@@ -51,6 +51,7 @@ ...@@ -51,6 +51,7 @@
#include <linux/sunrpc/rpc_pipe_fs.h> #include <linux/sunrpc/rpc_pipe_fs.h>
#include <linux/sunrpc/gss_api.h> #include <linux/sunrpc/gss_api.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <linux/hashtable.h>
#include "../netns.h" #include "../netns.h"
...@@ -71,6 +72,9 @@ static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED; ...@@ -71,6 +72,9 @@ static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
* using integrity (two 4-byte integers): */ * using integrity (two 4-byte integers): */
#define GSS_VERF_SLACK 100 #define GSS_VERF_SLACK 100
static DEFINE_HASHTABLE(gss_auth_hash_table, 16);
static DEFINE_SPINLOCK(gss_auth_hash_lock);
struct gss_pipe { struct gss_pipe {
struct rpc_pipe_dir_object pdo; struct rpc_pipe_dir_object pdo;
struct rpc_pipe *pipe; struct rpc_pipe *pipe;
...@@ -81,6 +85,7 @@ struct gss_pipe { ...@@ -81,6 +85,7 @@ struct gss_pipe {
struct gss_auth { struct gss_auth {
struct kref kref; struct kref kref;
struct hlist_node hash;
struct rpc_auth rpc_auth; struct rpc_auth rpc_auth;
struct gss_api_mech *mech; struct gss_api_mech *mech;
enum rpc_gss_svc service; enum rpc_gss_svc service;
...@@ -940,8 +945,8 @@ static void gss_pipe_free(struct gss_pipe *p) ...@@ -940,8 +945,8 @@ static void gss_pipe_free(struct gss_pipe *p)
* NOTE: we have the opportunity to use different * NOTE: we have the opportunity to use different
* parameters based on the input flavor (which must be a pseudoflavor) * parameters based on the input flavor (which must be a pseudoflavor)
*/ */
static struct rpc_auth * static struct gss_auth *
gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt) gss_create_new(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
{ {
rpc_authflavor_t flavor = args->pseudoflavor; rpc_authflavor_t flavor = args->pseudoflavor;
struct gss_auth *gss_auth; struct gss_auth *gss_auth;
...@@ -955,6 +960,7 @@ gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt) ...@@ -955,6 +960,7 @@ gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
return ERR_PTR(err); return ERR_PTR(err);
if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL))) if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL)))
goto out_dec; goto out_dec;
INIT_HLIST_NODE(&gss_auth->hash);
gss_auth->target_name = NULL; gss_auth->target_name = NULL;
if (args->target_name) { if (args->target_name) {
gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL); gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL);
...@@ -1004,7 +1010,7 @@ gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt) ...@@ -1004,7 +1010,7 @@ gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
} }
gss_auth->gss_pipe[0] = gss_pipe; gss_auth->gss_pipe[0] = gss_pipe;
return auth; return gss_auth;
err_destroy_pipe_1: err_destroy_pipe_1:
gss_pipe_free(gss_auth->gss_pipe[1]); gss_pipe_free(gss_auth->gss_pipe[1]);
err_destroy_credcache: err_destroy_credcache:
...@@ -1051,6 +1057,12 @@ gss_destroy(struct rpc_auth *auth) ...@@ -1051,6 +1057,12 @@ gss_destroy(struct rpc_auth *auth)
dprintk("RPC: destroying GSS authenticator %p flavor %d\n", dprintk("RPC: destroying GSS authenticator %p flavor %d\n",
auth, auth->au_flavor); auth, auth->au_flavor);
if (hash_hashed(&gss_auth->hash)) {
spin_lock(&gss_auth_hash_lock);
hash_del(&gss_auth->hash);
spin_unlock(&gss_auth_hash_lock);
}
gss_pipe_free(gss_auth->gss_pipe[0]); gss_pipe_free(gss_auth->gss_pipe[0]);
gss_auth->gss_pipe[0] = NULL; gss_auth->gss_pipe[0] = NULL;
gss_pipe_free(gss_auth->gss_pipe[1]); gss_pipe_free(gss_auth->gss_pipe[1]);
...@@ -1060,6 +1072,80 @@ gss_destroy(struct rpc_auth *auth) ...@@ -1060,6 +1072,80 @@ gss_destroy(struct rpc_auth *auth)
kref_put(&gss_auth->kref, gss_free_callback); kref_put(&gss_auth->kref, gss_free_callback);
} }
static struct gss_auth *
gss_auth_find_or_add_hashed(struct rpc_auth_create_args *args,
struct rpc_clnt *clnt,
struct gss_auth *new)
{
struct gss_auth *gss_auth;
unsigned long hashval = (unsigned long)clnt;
spin_lock(&gss_auth_hash_lock);
hash_for_each_possible(gss_auth_hash_table,
gss_auth,
hash,
hashval) {
if (gss_auth->rpc_auth.au_flavor != args->pseudoflavor)
continue;
if (gss_auth->target_name != args->target_name) {
if (gss_auth->target_name == NULL)
continue;
if (args->target_name == NULL)
continue;
if (strcmp(gss_auth->target_name, args->target_name))
continue;
}
if (!atomic_inc_not_zero(&gss_auth->rpc_auth.au_count))
continue;
goto out;
}
if (new)
hash_add(gss_auth_hash_table, &new->hash, hashval);
gss_auth = new;
out:
spin_unlock(&gss_auth_hash_lock);
return gss_auth;
}
static struct gss_auth *
gss_create_hashed(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
{
struct gss_auth *gss_auth;
struct gss_auth *new;
gss_auth = gss_auth_find_or_add_hashed(args, clnt, NULL);
if (gss_auth != NULL)
goto out;
new = gss_create_new(args, clnt);
if (IS_ERR(new))
return new;
gss_auth = gss_auth_find_or_add_hashed(args, clnt, new);
if (gss_auth != new)
gss_destroy(&new->rpc_auth);
out:
return gss_auth;
}
static struct rpc_auth *
gss_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
{
struct gss_auth *gss_auth;
struct rpc_xprt *xprt = rcu_access_pointer(clnt->cl_xprt);
while (clnt != clnt->cl_parent) {
struct rpc_clnt *parent = clnt->cl_parent;
/* Find the original parent for this transport */
if (rcu_access_pointer(parent->cl_xprt) != xprt)
break;
clnt = parent;
}
gss_auth = gss_create_hashed(args, clnt);
if (IS_ERR(gss_auth))
return ERR_CAST(gss_auth);
return &gss_auth->rpc_auth;
}
/* /*
* gss_destroying_context will cause the RPCSEC_GSS to send a NULL RPC call * gss_destroying_context will cause the RPCSEC_GSS to send a NULL RPC call
* to the server with the GSS control procedure field set to * to the server with the GSS control procedure field set to
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment