NFS: add support for multiple sec= mount options

extern struct file_system_type nfs4_xdev_fs_type;

extern struct file_system_type nfs4_referral_fs_type;

#endif

bool nfs_auth_info_match(const struct nfs_auth_info *, rpc_authflavor_t);

struct dentry *nfs_try_mount(int, const char *, struct nfs_mount_info *,

			struct nfs_subversion *);

void nfs_initialise_sb(struct super_block *);

	server->options = data->options;

	server->auth_info = data->auth_info;

	/* Use the first specified auth flavor. If this flavor isn't

	 * allowed by the server, use the SECINFO path to try the

	 * other specified flavors */

	if (data->auth_info.flavor_len >= 1)

		data->selected_flavor = data->auth_info.flavors[0];

	else

/**

 * nfs_find_best_sec - Find a security mechanism supported locally

 * @server: NFS server struct

 * @flavors: List of security tuples returned by SECINFO procedure

 *

 * Return the pseudoflavor of the first security mechanism in

 * is searched in the order returned from the server, per RFC 3530

 * recommendation.

 */

static rpc_authflavor_t nfs_find_best_sec(struct nfs4_secinfo_flavors *flavors)

static rpc_authflavor_t nfs_find_best_sec(struct nfs_server *server,

					  struct nfs4_secinfo_flavors *flavors)

{

	rpc_authflavor_t pseudoflavor;

	struct nfs4_secinfo4 *secinfo;

		case RPC_AUTH_GSS:

			pseudoflavor = rpcauth_get_pseudoflavor(secinfo->flavor,

							&secinfo->flavor_info);

			if (pseudoflavor != RPC_AUTH_MAXFLAVOR)

			/* make sure pseudoflavor matches sec= mount opt */

			if (pseudoflavor != RPC_AUTH_MAXFLAVOR &&

			    nfs_auth_info_match(&server->auth_info,

						pseudoflavor))

				return pseudoflavor;

			break;

		}

	}

	/* if there were any sec= options then nothing matched */

	if (server->auth_info.flavor_len > 0)

		return -EPERM;

	return RPC_AUTH_UNIX;

}

		goto out;

	}

	flavor = nfs_find_best_sec(flavors);

	flavor = nfs_find_best_sec(NFS_SERVER(inode), flavors);

out:

	put_page(page);

	if (client->cl_auth->au_flavor != flavor)

		flavor = client->cl_auth->au_flavor;

	else if (server->auth_info.flavor_len == 0) {

	else {

		rpc_authflavor_t new = nfs4_negotiate_security(dir, name);

		if ((int)new >= 0)

			flavor = new;

	int status = -EPERM;

	size_t i;

	if (server->auth_info.flavor_len > 0) {

		/* try each flavor specified by user */

		for (i = 0; i < server->auth_info.flavor_len; i++) {

			status = nfs4_lookup_root_sec(server, fhandle, info,

						server->auth_info.flavors[i]);

			if (status == -NFS4ERR_WRONGSEC || status == -EACCES)

				continue;

			break;

		}

	} else {

		/* no flavors specified by user, try default list */

		for (i = 0; i < ARRAY_SIZE(flav_array); i++) {

		status = nfs4_lookup_root_sec(server, fhandle, info, flav_array[i]);

			status = nfs4_lookup_root_sec(server, fhandle, info,

						      flav_array[i]);

			if (status == -NFS4ERR_WRONGSEC || status == -EACCES)

				continue;

			break;

		}

	}

	/*

	 * -EACCESS could mean that the user doesn't have correct permissions

		status = nfs4_lookup_root(server, fhandle, info);

		if (status != -NFS4ERR_WRONGSEC)

			break;

		/* Did user force a 'sec=' mount option? */

		if (server->auth_info.flavor_len > 0)

			break;

	default:

		status = nfs4_do_find_root_sec(server, fhandle, info);

	}

			err = -EPERM;

			if (client != *clnt)

				goto out;

			/* No security negotiation if the user specified 'sec=' */

			if (NFS_SERVER(dir)->auth_info.flavor_len > 0)

				goto out;

			client = nfs4_create_sec_client(client, dir, name);

			if (IS_ERR(client))

				return PTR_ERR(client);

			break;

		}

		if (!nfs_auth_info_match(&server->auth_info, flavor))

			flavor = RPC_AUTH_MAXFLAVOR;

		if (flavor != RPC_AUTH_MAXFLAVOR) {

			err = nfs4_lookup_root_sec(server, fhandle,

						   info, flavor);

	static const struct {

		rpc_authflavor_t flavour;

		const char *str;

	} sec_flavours[] = {

	} sec_flavours[NFS_AUTH_INFO_MAX_FLAVORS] = {

		/* update NFS_AUTH_INFO_MAX_FLAVORS when this list changes! */

		{ RPC_AUTH_NULL, "null" },

		{ RPC_AUTH_UNIX, "sys" },

		{ RPC_AUTH_GSS_KRB5, "krb5" },

	}

}

/*

 * Add 'flavor' to 'auth_info' if not already present.

 * Returns true if 'flavor' ends up in the list, false otherwise

 */

static bool nfs_auth_info_add(struct nfs_auth_info *auth_info,

			      rpc_authflavor_t flavor)

{

	unsigned int i;

	unsigned int max_flavor_len = (sizeof(auth_info->flavors) /

				       sizeof(auth_info->flavors[0]));

	/* make sure this flavor isn't already in the list */

	for (i = 0; i < auth_info->flavor_len; i++) {

		if (flavor == auth_info->flavors[i])

			return true;

	}

	if (auth_info->flavor_len + 1 >= max_flavor_len) {

		dfprintk(MOUNT, "NFS: too many sec= flavors\n");

		return false;

	}

	auth_info->flavors[auth_info->flavor_len++] = flavor;

	return true;

}

/*

 * Return true if 'match' is in auth_info or auth_info is empty.

 * Return false otherwise.

 */

bool nfs_auth_info_match(const struct nfs_auth_info *auth_info,

			 rpc_authflavor_t match)

{

	int i;

	if (!auth_info->flavor_len)

		return true;

	for (i = 0; i < auth_info->flavor_len; i++) {

		if (auth_info->flavors[i] == match)

			return true;

	}

	return false;

}

EXPORT_SYMBOL_GPL(nfs_auth_info_match);

/*

 * Parse the value of the 'sec=' option.

 */

{

	substring_t args[MAX_OPT_ARGS];

	rpc_authflavor_t pseudoflavor;

	char *p;

	dfprintk(MOUNT, "NFS: parsing sec=%s option\n", value);

	switch (match_token(value, nfs_secflavor_tokens, args)) {

	while ((p = strsep(&value, ":")) != NULL) {

		switch (match_token(p, nfs_secflavor_tokens, args)) {

		case Opt_sec_none:

			pseudoflavor = RPC_AUTH_NULL;

			break;

			pseudoflavor = RPC_AUTH_GSS_SPKMP;

			break;

		default:

			dfprintk(MOUNT,

				 "NFS: sec= option '%s' not recognized\n", p);

			return 0;

		}

		if (!nfs_auth_info_add(&mnt->auth_info, pseudoflavor))

			return 0;

	}

	mnt->auth_info.flavors[0] = pseudoflavor;

	mnt->auth_info.flavor_len = 1;

	return 1;

}

}

/*

 * Ensure that the specified authtype in args->auth_info is supported by

 * the server. Returns 0 if it's ok, and -EACCES if not.

 * Ensure that a specified authtype in args->auth_info is supported by

 * the server. Returns 0 and sets args->selected_flavor if it's ok, and

 * -EACCES if not.

 */

static int nfs_verify_authflavor(struct nfs_parsed_mount_data *args,

static int nfs_verify_authflavors(struct nfs_parsed_mount_data *args,

			rpc_authflavor_t *server_authlist, unsigned int count)

{

	rpc_authflavor_t flavor = RPC_AUTH_MAXFLAVOR;

	unsigned int i;

	/*

	 * can be used.

	 */

	for (i = 0; i < count; i++) {

		if (args->auth_info.flavors[0] == server_authlist[i] ||

		    server_authlist[i] == RPC_AUTH_NULL)

		flavor = server_authlist[i];

		if (nfs_auth_info_match(&args->auth_info, flavor) ||

		    flavor == RPC_AUTH_NULL)

			goto out;

	}

	dfprintk(MOUNT, "NFS: auth flavor %u not supported by server\n",

		args->auth_info.flavors[0]);

	dfprintk(MOUNT,

		 "NFS: specified auth flavors not supported by server\n");

	return -EACCES;

out:

	args->selected_flavor = args->auth_info.flavors[0];

	args->selected_flavor = flavor;

	dfprintk(MOUNT, "NFS: using auth flavor %u\n", args->selected_flavor);

	return 0;

}

	 * whether the server supports it, and then just try to use it if so.

	 */

	if (args->auth_info.flavor_len > 0) {

		status = nfs_verify_authflavor(args, authlist, authlist_len);

		status = nfs_verify_authflavors(args, authlist, authlist_len);

		dfprintk(MOUNT, "NFS: using auth flavor %u\n",

			 args->selected_flavor);

		if (status)

	nfs_set_port(sap, &args->nfs_server.port, port);

	if (args->auth_info.flavor_len > 1)

		goto out_bad_auth;

	return nfs_parse_devname(dev_name,

				   &args->nfs_server.hostname,

				   max_namelen,

out_no_address:

	dfprintk(MOUNT, "NFS: mount program didn't pass remote address\n");

	return -EINVAL;

out_bad_auth:

	dfprintk(MOUNT, "NFS: Too many RPC auth flavours specified\n");

	return -EINVAL;

}

static int