]>
Commit | Line | Data |
---|---|---|
457c8996 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | /* |
3 | * linux/net/sunrpc/auth.c | |
4 | * | |
5 | * Generic RPC client authentication API. | |
6 | * | |
7 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | |
8 | */ | |
9 | ||
10 | #include <linux/types.h> | |
11 | #include <linux/sched.h> | |
5b825c3a | 12 | #include <linux/cred.h> |
1da177e4 LT |
13 | #include <linux/module.h> |
14 | #include <linux/slab.h> | |
15 | #include <linux/errno.h> | |
25337fdc | 16 | #include <linux/hash.h> |
1da177e4 | 17 | #include <linux/sunrpc/clnt.h> |
6a1a1e34 | 18 | #include <linux/sunrpc/gss_api.h> |
1da177e4 LT |
19 | #include <linux/spinlock.h> |
20 | ||
a0584ee9 CL |
21 | #include <trace/events/sunrpc.h> |
22 | ||
241269bd TM |
23 | #define RPC_CREDCACHE_DEFAULT_HASHBITS (4) |
24 | struct rpc_cred_cache { | |
25 | struct hlist_head *hashtable; | |
26 | unsigned int hashbits; | |
27 | spinlock_t lock; | |
28 | }; | |
29 | ||
30 | static unsigned int auth_hashbits = RPC_CREDCACHE_DEFAULT_HASHBITS; | |
31 | ||
4e4c3bef TM |
32 | static const struct rpc_authops __rcu *auth_flavors[RPC_AUTH_MAXFLAVOR] = { |
33 | [RPC_AUTH_NULL] = (const struct rpc_authops __force __rcu *)&authnull_ops, | |
34 | [RPC_AUTH_UNIX] = (const struct rpc_authops __force __rcu *)&authunix_ops, | |
1da177e4 LT |
35 | NULL, /* others can be loadable modules */ |
36 | }; | |
37 | ||
e092bdcd | 38 | static LIST_HEAD(cred_unused); |
f5c2187c | 39 | static unsigned long number_cred_unused; |
e092bdcd | 40 | |
a52458b4 N |
41 | static struct cred machine_cred = { |
42 | .usage = ATOMIC_INIT(1), | |
e7f45099 S |
43 | #ifdef CONFIG_DEBUG_CREDENTIALS |
44 | .magic = CRED_MAGIC, | |
45 | #endif | |
5e16923b N |
46 | }; |
47 | ||
48 | /* | |
49 | * Return the machine_cred pointer to be used whenever | |
50 | * the a generic machine credential is needed. | |
51 | */ | |
a52458b4 | 52 | const struct cred *rpc_machine_cred(void) |
5e16923b N |
53 | { |
54 | return &machine_cred; | |
55 | } | |
56 | EXPORT_SYMBOL_GPL(rpc_machine_cred); | |
57 | ||
db5fe265 | 58 | #define MAX_HASHTABLE_BITS (14) |
8e4e15d4 | 59 | static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp) |
241269bd TM |
60 | { |
61 | unsigned long num; | |
62 | unsigned int nbits; | |
63 | int ret; | |
64 | ||
65 | if (!val) | |
66 | goto out_inval; | |
00cfaa94 | 67 | ret = kstrtoul(val, 0, &num); |
1a54c0cf | 68 | if (ret) |
241269bd | 69 | goto out_inval; |
34ae685c | 70 | nbits = fls(num - 1); |
241269bd TM |
71 | if (nbits > MAX_HASHTABLE_BITS || nbits < 2) |
72 | goto out_inval; | |
73 | *(unsigned int *)kp->arg = nbits; | |
74 | return 0; | |
75 | out_inval: | |
76 | return -EINVAL; | |
77 | } | |
78 | ||
8e4e15d4 | 79 | static int param_get_hashtbl_sz(char *buffer, const struct kernel_param *kp) |
241269bd TM |
80 | { |
81 | unsigned int nbits; | |
82 | ||
83 | nbits = *(unsigned int *)kp->arg; | |
84 | return sprintf(buffer, "%u", 1U << nbits); | |
85 | } | |
86 | ||
87 | #define param_check_hashtbl_sz(name, p) __param_check(name, p, unsigned int); | |
88 | ||
9c27847d | 89 | static const struct kernel_param_ops param_ops_hashtbl_sz = { |
8e4e15d4 SR |
90 | .set = param_set_hashtbl_sz, |
91 | .get = param_get_hashtbl_sz, | |
92 | }; | |
93 | ||
241269bd TM |
94 | module_param_named(auth_hashtable_size, auth_hashbits, hashtbl_sz, 0644); |
95 | MODULE_PARM_DESC(auth_hashtable_size, "RPC credential cache hashtable size"); | |
96 | ||
bae6746f TM |
97 | static unsigned long auth_max_cred_cachesize = ULONG_MAX; |
98 | module_param(auth_max_cred_cachesize, ulong, 0644); | |
99 | MODULE_PARM_DESC(auth_max_cred_cachesize, "RPC credential maximum total cache size"); | |
100 | ||
1da177e4 LT |
101 | static u32 |
102 | pseudoflavor_to_flavor(u32 flavor) { | |
1c74a244 | 103 | if (flavor > RPC_AUTH_MAXFLAVOR) |
1da177e4 LT |
104 | return RPC_AUTH_GSS; |
105 | return flavor; | |
106 | } | |
107 | ||
108 | int | |
f1c0a861 | 109 | rpcauth_register(const struct rpc_authops *ops) |
1da177e4 | 110 | { |
4e4c3bef | 111 | const struct rpc_authops *old; |
1da177e4 LT |
112 | rpc_authflavor_t flavor; |
113 | ||
114 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
115 | return -EINVAL; | |
4e4c3bef TM |
116 | old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], NULL, ops); |
117 | if (old == NULL || old == ops) | |
118 | return 0; | |
119 | return -EPERM; | |
1da177e4 | 120 | } |
e8914c65 | 121 | EXPORT_SYMBOL_GPL(rpcauth_register); |
1da177e4 LT |
122 | |
123 | int | |
f1c0a861 | 124 | rpcauth_unregister(const struct rpc_authops *ops) |
1da177e4 | 125 | { |
4e4c3bef | 126 | const struct rpc_authops *old; |
1da177e4 LT |
127 | rpc_authflavor_t flavor; |
128 | ||
129 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
130 | return -EINVAL; | |
4e4c3bef TM |
131 | |
132 | old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], ops, NULL); | |
133 | if (old == ops || old == NULL) | |
134 | return 0; | |
135 | return -EPERM; | |
1da177e4 | 136 | } |
e8914c65 | 137 | EXPORT_SYMBOL_GPL(rpcauth_unregister); |
1da177e4 | 138 | |
4e4c3bef TM |
139 | static const struct rpc_authops * |
140 | rpcauth_get_authops(rpc_authflavor_t flavor) | |
141 | { | |
142 | const struct rpc_authops *ops; | |
143 | ||
144 | if (flavor >= RPC_AUTH_MAXFLAVOR) | |
145 | return NULL; | |
146 | ||
147 | rcu_read_lock(); | |
148 | ops = rcu_dereference(auth_flavors[flavor]); | |
149 | if (ops == NULL) { | |
150 | rcu_read_unlock(); | |
151 | request_module("rpc-auth-%u", flavor); | |
152 | rcu_read_lock(); | |
153 | ops = rcu_dereference(auth_flavors[flavor]); | |
154 | if (ops == NULL) | |
155 | goto out; | |
156 | } | |
157 | if (!try_module_get(ops->owner)) | |
158 | ops = NULL; | |
159 | out: | |
160 | rcu_read_unlock(); | |
161 | return ops; | |
162 | } | |
163 | ||
164 | static void | |
165 | rpcauth_put_authops(const struct rpc_authops *ops) | |
166 | { | |
167 | module_put(ops->owner); | |
168 | } | |
169 | ||
9568c5e9 CL |
170 | /** |
171 | * rpcauth_get_pseudoflavor - check if security flavor is supported | |
172 | * @flavor: a security flavor | |
173 | * @info: a GSS mech OID, quality of protection, and service value | |
174 | * | |
175 | * Verifies that an appropriate kernel module is available or already loaded. | |
176 | * Returns an equivalent pseudoflavor, or RPC_AUTH_MAXFLAVOR if "flavor" is | |
177 | * not supported locally. | |
178 | */ | |
179 | rpc_authflavor_t | |
180 | rpcauth_get_pseudoflavor(rpc_authflavor_t flavor, struct rpcsec_gss_info *info) | |
181 | { | |
4e4c3bef | 182 | const struct rpc_authops *ops = rpcauth_get_authops(flavor); |
9568c5e9 CL |
183 | rpc_authflavor_t pseudoflavor; |
184 | ||
4e4c3bef | 185 | if (!ops) |
9568c5e9 | 186 | return RPC_AUTH_MAXFLAVOR; |
9568c5e9 CL |
187 | pseudoflavor = flavor; |
188 | if (ops->info2flavor != NULL) | |
189 | pseudoflavor = ops->info2flavor(info); | |
190 | ||
4e4c3bef | 191 | rpcauth_put_authops(ops); |
9568c5e9 CL |
192 | return pseudoflavor; |
193 | } | |
194 | EXPORT_SYMBOL_GPL(rpcauth_get_pseudoflavor); | |
195 | ||
a77c806f CL |
196 | /** |
197 | * rpcauth_get_gssinfo - find GSS tuple matching a GSS pseudoflavor | |
198 | * @pseudoflavor: GSS pseudoflavor to match | |
199 | * @info: rpcsec_gss_info structure to fill in | |
200 | * | |
201 | * Returns zero and fills in "info" if pseudoflavor matches a | |
202 | * supported mechanism. | |
203 | */ | |
204 | int | |
205 | rpcauth_get_gssinfo(rpc_authflavor_t pseudoflavor, struct rpcsec_gss_info *info) | |
206 | { | |
207 | rpc_authflavor_t flavor = pseudoflavor_to_flavor(pseudoflavor); | |
208 | const struct rpc_authops *ops; | |
209 | int result; | |
210 | ||
4e4c3bef | 211 | ops = rpcauth_get_authops(flavor); |
a77c806f | 212 | if (ops == NULL) |
a77c806f | 213 | return -ENOENT; |
a77c806f CL |
214 | |
215 | result = -ENOENT; | |
216 | if (ops->flavor2info != NULL) | |
217 | result = ops->flavor2info(pseudoflavor, info); | |
218 | ||
4e4c3bef | 219 | rpcauth_put_authops(ops); |
a77c806f CL |
220 | return result; |
221 | } | |
222 | EXPORT_SYMBOL_GPL(rpcauth_get_gssinfo); | |
223 | ||
1da177e4 | 224 | struct rpc_auth * |
82b98ca5 | 225 | rpcauth_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) |
1da177e4 | 226 | { |
4e4c3bef | 227 | struct rpc_auth *auth = ERR_PTR(-EINVAL); |
f1c0a861 | 228 | const struct rpc_authops *ops; |
4e4c3bef | 229 | u32 flavor = pseudoflavor_to_flavor(args->pseudoflavor); |
1da177e4 | 230 | |
4e4c3bef TM |
231 | ops = rpcauth_get_authops(flavor); |
232 | if (ops == NULL) | |
f344f6df OK |
233 | goto out; |
234 | ||
c2190661 | 235 | auth = ops->create(args, clnt); |
4e4c3bef TM |
236 | |
237 | rpcauth_put_authops(ops); | |
6a19275a BF |
238 | if (IS_ERR(auth)) |
239 | return auth; | |
1da177e4 | 240 | if (clnt->cl_auth) |
de7a8ce3 | 241 | rpcauth_release(clnt->cl_auth); |
1da177e4 | 242 | clnt->cl_auth = auth; |
f344f6df OK |
243 | |
244 | out: | |
1da177e4 LT |
245 | return auth; |
246 | } | |
e8914c65 | 247 | EXPORT_SYMBOL_GPL(rpcauth_create); |
1da177e4 LT |
248 | |
249 | void | |
de7a8ce3 | 250 | rpcauth_release(struct rpc_auth *auth) |
1da177e4 | 251 | { |
331bc71c | 252 | if (!refcount_dec_and_test(&auth->au_count)) |
1da177e4 LT |
253 | return; |
254 | auth->au_ops->destroy(auth); | |
255 | } | |
256 | ||
257 | static DEFINE_SPINLOCK(rpc_credcache_lock); | |
258 | ||
95cd6232 TM |
259 | /* |
260 | * On success, the caller is responsible for freeing the reference | |
261 | * held by the hashtable | |
262 | */ | |
263 | static bool | |
31be5bf1 TM |
264 | rpcauth_unhash_cred_locked(struct rpc_cred *cred) |
265 | { | |
95cd6232 TM |
266 | if (!test_and_clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
267 | return false; | |
31be5bf1 | 268 | hlist_del_rcu(&cred->cr_hash); |
95cd6232 | 269 | return true; |
31be5bf1 TM |
270 | } |
271 | ||
95cd6232 | 272 | static bool |
9499b434 TM |
273 | rpcauth_unhash_cred(struct rpc_cred *cred) |
274 | { | |
275 | spinlock_t *cache_lock; | |
95cd6232 | 276 | bool ret; |
9499b434 | 277 | |
95cd6232 TM |
278 | if (!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
279 | return false; | |
9499b434 TM |
280 | cache_lock = &cred->cr_auth->au_credcache->lock; |
281 | spin_lock(cache_lock); | |
95cd6232 | 282 | ret = rpcauth_unhash_cred_locked(cred); |
9499b434 | 283 | spin_unlock(cache_lock); |
f0380f3d | 284 | return ret; |
9499b434 TM |
285 | } |
286 | ||
1da177e4 LT |
287 | /* |
288 | * Initialize RPC credential cache | |
289 | */ | |
290 | int | |
f5c2187c | 291 | rpcauth_init_credcache(struct rpc_auth *auth) |
1da177e4 LT |
292 | { |
293 | struct rpc_cred_cache *new; | |
988664a0 | 294 | unsigned int hashsize; |
1da177e4 | 295 | |
8b3a7005 | 296 | new = kmalloc(sizeof(*new), GFP_KERNEL); |
1da177e4 | 297 | if (!new) |
241269bd TM |
298 | goto out_nocache; |
299 | new->hashbits = auth_hashbits; | |
988664a0 | 300 | hashsize = 1U << new->hashbits; |
241269bd TM |
301 | new->hashtable = kcalloc(hashsize, sizeof(new->hashtable[0]), GFP_KERNEL); |
302 | if (!new->hashtable) | |
303 | goto out_nohashtbl; | |
9499b434 | 304 | spin_lock_init(&new->lock); |
1da177e4 LT |
305 | auth->au_credcache = new; |
306 | return 0; | |
241269bd TM |
307 | out_nohashtbl: |
308 | kfree(new); | |
309 | out_nocache: | |
310 | return -ENOMEM; | |
1da177e4 | 311 | } |
e8914c65 | 312 | EXPORT_SYMBOL_GPL(rpcauth_init_credcache); |
1da177e4 | 313 | |
a0337d1d JL |
314 | char * |
315 | rpcauth_stringify_acceptor(struct rpc_cred *cred) | |
316 | { | |
317 | if (!cred->cr_ops->crstringify_acceptor) | |
318 | return NULL; | |
319 | return cred->cr_ops->crstringify_acceptor(cred); | |
320 | } | |
321 | EXPORT_SYMBOL_GPL(rpcauth_stringify_acceptor); | |
322 | ||
1da177e4 LT |
323 | /* |
324 | * Destroy a list of credentials | |
325 | */ | |
326 | static inline | |
e092bdcd | 327 | void rpcauth_destroy_credlist(struct list_head *head) |
1da177e4 LT |
328 | { |
329 | struct rpc_cred *cred; | |
330 | ||
e092bdcd TM |
331 | while (!list_empty(head)) { |
332 | cred = list_entry(head->next, struct rpc_cred, cr_lru); | |
333 | list_del_init(&cred->cr_lru); | |
1da177e4 LT |
334 | put_rpccred(cred); |
335 | } | |
336 | } | |
337 | ||
95cd6232 TM |
338 | static void |
339 | rpcauth_lru_add_locked(struct rpc_cred *cred) | |
340 | { | |
341 | if (!list_empty(&cred->cr_lru)) | |
342 | return; | |
343 | number_cred_unused++; | |
344 | list_add_tail(&cred->cr_lru, &cred_unused); | |
345 | } | |
346 | ||
347 | static void | |
348 | rpcauth_lru_add(struct rpc_cred *cred) | |
349 | { | |
350 | if (!list_empty(&cred->cr_lru)) | |
351 | return; | |
352 | spin_lock(&rpc_credcache_lock); | |
353 | rpcauth_lru_add_locked(cred); | |
354 | spin_unlock(&rpc_credcache_lock); | |
355 | } | |
356 | ||
357 | static void | |
358 | rpcauth_lru_remove_locked(struct rpc_cred *cred) | |
359 | { | |
360 | if (list_empty(&cred->cr_lru)) | |
361 | return; | |
362 | number_cred_unused--; | |
363 | list_del_init(&cred->cr_lru); | |
364 | } | |
365 | ||
366 | static void | |
367 | rpcauth_lru_remove(struct rpc_cred *cred) | |
368 | { | |
369 | if (list_empty(&cred->cr_lru)) | |
370 | return; | |
371 | spin_lock(&rpc_credcache_lock); | |
372 | rpcauth_lru_remove_locked(cred); | |
373 | spin_unlock(&rpc_credcache_lock); | |
374 | } | |
375 | ||
1da177e4 LT |
376 | /* |
377 | * Clear the RPC credential cache, and delete those credentials | |
378 | * that are not referenced. | |
379 | */ | |
380 | void | |
3ab9bb72 | 381 | rpcauth_clear_credcache(struct rpc_cred_cache *cache) |
1da177e4 | 382 | { |
e092bdcd TM |
383 | LIST_HEAD(free); |
384 | struct hlist_head *head; | |
1da177e4 | 385 | struct rpc_cred *cred; |
988664a0 | 386 | unsigned int hashsize = 1U << cache->hashbits; |
1da177e4 LT |
387 | int i; |
388 | ||
389 | spin_lock(&rpc_credcache_lock); | |
9499b434 | 390 | spin_lock(&cache->lock); |
988664a0 | 391 | for (i = 0; i < hashsize; i++) { |
e092bdcd TM |
392 | head = &cache->hashtable[i]; |
393 | while (!hlist_empty(head)) { | |
394 | cred = hlist_entry(head->first, struct rpc_cred, cr_hash); | |
31be5bf1 | 395 | rpcauth_unhash_cred_locked(cred); |
95cd6232 TM |
396 | /* Note: We now hold a reference to cred */ |
397 | rpcauth_lru_remove_locked(cred); | |
398 | list_add_tail(&cred->cr_lru, &free); | |
1da177e4 LT |
399 | } |
400 | } | |
9499b434 | 401 | spin_unlock(&cache->lock); |
1da177e4 LT |
402 | spin_unlock(&rpc_credcache_lock); |
403 | rpcauth_destroy_credlist(&free); | |
404 | } | |
405 | ||
3ab9bb72 TM |
406 | /* |
407 | * Destroy the RPC credential cache | |
408 | */ | |
409 | void | |
410 | rpcauth_destroy_credcache(struct rpc_auth *auth) | |
411 | { | |
412 | struct rpc_cred_cache *cache = auth->au_credcache; | |
413 | ||
414 | if (cache) { | |
415 | auth->au_credcache = NULL; | |
416 | rpcauth_clear_credcache(cache); | |
241269bd | 417 | kfree(cache->hashtable); |
3ab9bb72 TM |
418 | kfree(cache); |
419 | } | |
420 | } | |
e8914c65 | 421 | EXPORT_SYMBOL_GPL(rpcauth_destroy_credcache); |
3ab9bb72 | 422 | |
d2b83141 TM |
423 | |
424 | #define RPC_AUTH_EXPIRY_MORATORIUM (60 * HZ) | |
425 | ||
e092bdcd TM |
426 | /* |
427 | * Remove stale credentials. Avoid sleeping inside the loop. | |
428 | */ | |
70534a73 | 429 | static long |
f5c2187c | 430 | rpcauth_prune_expired(struct list_head *free, int nr_to_scan) |
1da177e4 | 431 | { |
eac0d18d | 432 | struct rpc_cred *cred, *next; |
d2b83141 | 433 | unsigned long expired = jiffies - RPC_AUTH_EXPIRY_MORATORIUM; |
70534a73 | 434 | long freed = 0; |
e092bdcd | 435 | |
eac0d18d TM |
436 | list_for_each_entry_safe(cred, next, &cred_unused, cr_lru) { |
437 | ||
20673406 TM |
438 | if (nr_to_scan-- == 0) |
439 | break; | |
79b18181 | 440 | if (refcount_read(&cred->cr_count) > 1) { |
95cd6232 TM |
441 | rpcauth_lru_remove_locked(cred); |
442 | continue; | |
443 | } | |
93a05e65 TM |
444 | /* |
445 | * Enforce a 60 second garbage collection moratorium | |
446 | * Note that the cred_unused list must be time-ordered. | |
447 | */ | |
95cd6232 TM |
448 | if (!time_in_range(cred->cr_expire, expired, jiffies)) |
449 | continue; | |
450 | if (!rpcauth_unhash_cred(cred)) | |
e092bdcd | 451 | continue; |
eac0d18d | 452 | |
95cd6232 TM |
453 | rpcauth_lru_remove_locked(cred); |
454 | freed++; | |
455 | list_add_tail(&cred->cr_lru, free); | |
1da177e4 | 456 | } |
95cd6232 | 457 | return freed ? freed : SHRINK_STOP; |
1da177e4 LT |
458 | } |
459 | ||
bae6746f TM |
460 | static unsigned long |
461 | rpcauth_cache_do_shrink(int nr_to_scan) | |
462 | { | |
463 | LIST_HEAD(free); | |
464 | unsigned long freed; | |
465 | ||
466 | spin_lock(&rpc_credcache_lock); | |
467 | freed = rpcauth_prune_expired(&free, nr_to_scan); | |
468 | spin_unlock(&rpc_credcache_lock); | |
469 | rpcauth_destroy_credlist(&free); | |
470 | ||
471 | return freed; | |
472 | } | |
473 | ||
1da177e4 | 474 | /* |
f5c2187c | 475 | * Run memory cache shrinker. |
1da177e4 | 476 | */ |
70534a73 DC |
477 | static unsigned long |
478 | rpcauth_cache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) | |
479 | ||
1da177e4 | 480 | { |
70534a73 DC |
481 | if ((sc->gfp_mask & GFP_KERNEL) != GFP_KERNEL) |
482 | return SHRINK_STOP; | |
f5c2187c | 483 | |
70534a73 | 484 | /* nothing left, don't come back */ |
f5c2187c | 485 | if (list_empty(&cred_unused)) |
70534a73 DC |
486 | return SHRINK_STOP; |
487 | ||
bae6746f | 488 | return rpcauth_cache_do_shrink(sc->nr_to_scan); |
70534a73 DC |
489 | } |
490 | ||
491 | static unsigned long | |
492 | rpcauth_cache_shrink_count(struct shrinker *shrink, struct shrink_control *sc) | |
493 | ||
494 | { | |
4c3ffd05 | 495 | return number_cred_unused * sysctl_vfs_cache_pressure / 100; |
1da177e4 LT |
496 | } |
497 | ||
bae6746f TM |
498 | static void |
499 | rpcauth_cache_enforce_limit(void) | |
500 | { | |
501 | unsigned long diff; | |
502 | unsigned int nr_to_scan; | |
503 | ||
504 | if (number_cred_unused <= auth_max_cred_cachesize) | |
505 | return; | |
506 | diff = number_cred_unused - auth_max_cred_cachesize; | |
507 | nr_to_scan = 100; | |
508 | if (diff < nr_to_scan) | |
509 | nr_to_scan = diff; | |
510 | rpcauth_cache_do_shrink(nr_to_scan); | |
511 | } | |
512 | ||
1da177e4 LT |
513 | /* |
514 | * Look up a process' credentials in the authentication cache | |
515 | */ | |
516 | struct rpc_cred * | |
517 | rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, | |
3c6e0bc8 | 518 | int flags, gfp_t gfp) |
1da177e4 | 519 | { |
e092bdcd | 520 | LIST_HEAD(free); |
1da177e4 | 521 | struct rpc_cred_cache *cache = auth->au_credcache; |
31be5bf1 TM |
522 | struct rpc_cred *cred = NULL, |
523 | *entry, *new; | |
25337fdc TM |
524 | unsigned int nr; |
525 | ||
66cbd4ba | 526 | nr = auth->au_ops->hash_cred(acred, cache->hashbits); |
1da177e4 | 527 | |
31be5bf1 | 528 | rcu_read_lock(); |
b67bfe0d | 529 | hlist_for_each_entry_rcu(entry, &cache->hashtable[nr], cr_hash) { |
e092bdcd TM |
530 | if (!entry->cr_ops->crmatch(acred, entry, flags)) |
531 | continue; | |
532 | cred = get_rpccred(entry); | |
07d02a67 TM |
533 | if (cred) |
534 | break; | |
1da177e4 | 535 | } |
31be5bf1 TM |
536 | rcu_read_unlock(); |
537 | ||
9499b434 | 538 | if (cred != NULL) |
31be5bf1 | 539 | goto found; |
1da177e4 | 540 | |
3c6e0bc8 | 541 | new = auth->au_ops->crcreate(auth, acred, flags, gfp); |
31be5bf1 TM |
542 | if (IS_ERR(new)) { |
543 | cred = new; | |
544 | goto out; | |
545 | } | |
1da177e4 | 546 | |
9499b434 | 547 | spin_lock(&cache->lock); |
b67bfe0d | 548 | hlist_for_each_entry(entry, &cache->hashtable[nr], cr_hash) { |
31be5bf1 TM |
549 | if (!entry->cr_ops->crmatch(acred, entry, flags)) |
550 | continue; | |
551 | cred = get_rpccred(entry); | |
07d02a67 TM |
552 | if (cred) |
553 | break; | |
31be5bf1 TM |
554 | } |
555 | if (cred == NULL) { | |
5fe4755e | 556 | cred = new; |
31be5bf1 | 557 | set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags); |
79b18181 | 558 | refcount_inc(&cred->cr_count); |
31be5bf1 TM |
559 | hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]); |
560 | } else | |
561 | list_add_tail(&new->cr_lru, &free); | |
9499b434 | 562 | spin_unlock(&cache->lock); |
bae6746f | 563 | rpcauth_cache_enforce_limit(); |
31be5bf1 | 564 | found: |
f64f9e71 JP |
565 | if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) && |
566 | cred->cr_ops->cr_init != NULL && | |
567 | !(flags & RPCAUTH_LOOKUP_NEW)) { | |
fba3bad4 TM |
568 | int res = cred->cr_ops->cr_init(auth, cred); |
569 | if (res < 0) { | |
570 | put_rpccred(cred); | |
571 | cred = ERR_PTR(res); | |
572 | } | |
1da177e4 | 573 | } |
31be5bf1 TM |
574 | rpcauth_destroy_credlist(&free); |
575 | out: | |
576 | return cred; | |
1da177e4 | 577 | } |
e8914c65 | 578 | EXPORT_SYMBOL_GPL(rpcauth_lookup_credcache); |
1da177e4 LT |
579 | |
580 | struct rpc_cred * | |
8a317760 | 581 | rpcauth_lookupcred(struct rpc_auth *auth, int flags) |
1da177e4 | 582 | { |
86a264ab | 583 | struct auth_cred acred; |
1da177e4 | 584 | struct rpc_cred *ret; |
86a264ab | 585 | const struct cred *cred = current_cred(); |
1da177e4 | 586 | |
86a264ab | 587 | memset(&acred, 0, sizeof(acred)); |
97f68c6b | 588 | acred.cred = cred; |
8a317760 | 589 | ret = auth->au_ops->lookup_cred(auth, &acred, flags); |
1da177e4 LT |
590 | return ret; |
591 | } | |
66b06860 | 592 | EXPORT_SYMBOL_GPL(rpcauth_lookupcred); |
1da177e4 | 593 | |
5fe4755e TM |
594 | void |
595 | rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred, | |
596 | struct rpc_auth *auth, const struct rpc_credops *ops) | |
597 | { | |
598 | INIT_HLIST_NODE(&cred->cr_hash); | |
e092bdcd | 599 | INIT_LIST_HEAD(&cred->cr_lru); |
79b18181 | 600 | refcount_set(&cred->cr_count, 1); |
5fe4755e | 601 | cred->cr_auth = auth; |
2edd8d74 | 602 | cred->cr_flags = 0; |
5fe4755e TM |
603 | cred->cr_ops = ops; |
604 | cred->cr_expire = jiffies; | |
97f68c6b | 605 | cred->cr_cred = get_cred(acred->cred); |
5fe4755e | 606 | } |
e8914c65 | 607 | EXPORT_SYMBOL_GPL(rpcauth_init_cred); |
5fe4755e | 608 | |
8572b8e2 | 609 | static struct rpc_cred * |
5d351754 | 610 | rpcauth_bind_root_cred(struct rpc_task *task, int lookupflags) |
1da177e4 | 611 | { |
1be27f36 | 612 | struct rpc_auth *auth = task->tk_client->cl_auth; |
1da177e4 | 613 | struct auth_cred acred = { |
97f68c6b | 614 | .cred = get_task_cred(&init_task), |
1da177e4 | 615 | }; |
97f68c6b | 616 | struct rpc_cred *ret; |
1da177e4 | 617 | |
97f68c6b N |
618 | ret = auth->au_ops->lookup_cred(auth, &acred, lookupflags); |
619 | put_cred(acred.cred); | |
620 | return ret; | |
af093835 TM |
621 | } |
622 | ||
5e16923b N |
623 | static struct rpc_cred * |
624 | rpcauth_bind_machine_cred(struct rpc_task *task, int lookupflags) | |
625 | { | |
626 | struct rpc_auth *auth = task->tk_client->cl_auth; | |
627 | struct auth_cred acred = { | |
628 | .principal = task->tk_client->cl_principal, | |
629 | .cred = init_task.cred, | |
630 | }; | |
631 | ||
632 | if (!acred.principal) | |
633 | return NULL; | |
5e16923b N |
634 | return auth->au_ops->lookup_cred(auth, &acred, lookupflags); |
635 | } | |
636 | ||
8572b8e2 | 637 | static struct rpc_cred * |
5d351754 | 638 | rpcauth_bind_new_cred(struct rpc_task *task, int lookupflags) |
af093835 TM |
639 | { |
640 | struct rpc_auth *auth = task->tk_client->cl_auth; | |
af093835 | 641 | |
8572b8e2 | 642 | return rpcauth_lookupcred(auth, lookupflags); |
1da177e4 LT |
643 | } |
644 | ||
a17c2153 | 645 | static int |
a52458b4 | 646 | rpcauth_bindcred(struct rpc_task *task, const struct cred *cred, int flags) |
1da177e4 | 647 | { |
a17c2153 | 648 | struct rpc_rqst *req = task->tk_rqstp; |
5e16923b | 649 | struct rpc_cred *new = NULL; |
5d351754 | 650 | int lookupflags = 0; |
a52458b4 N |
651 | struct rpc_auth *auth = task->tk_client->cl_auth; |
652 | struct auth_cred acred = { | |
653 | .cred = cred, | |
654 | }; | |
5d351754 TM |
655 | |
656 | if (flags & RPC_TASK_ASYNC) | |
657 | lookupflags |= RPCAUTH_LOOKUP_NEW; | |
1de7eea9 N |
658 | if (task->tk_op_cred) |
659 | /* Task must use exactly this rpc_cred */ | |
d6efccd9 | 660 | new = get_rpccred(task->tk_op_cred); |
1de7eea9 | 661 | else if (cred != NULL && cred != &machine_cred) |
a52458b4 | 662 | new = auth->au_ops->lookup_cred(auth, &acred, lookupflags); |
5e16923b N |
663 | else if (cred == &machine_cred) |
664 | new = rpcauth_bind_machine_cred(task, lookupflags); | |
665 | ||
666 | /* If machine cred couldn't be bound, try a root cred */ | |
667 | if (new) | |
668 | ; | |
669 | else if (cred == &machine_cred || (flags & RPC_TASK_ROOTCREDS)) | |
8572b8e2 | 670 | new = rpcauth_bind_root_cred(task, lookupflags); |
a68a72e1 N |
671 | else if (flags & RPC_TASK_NULLCREDS) |
672 | new = authnull_ops.lookup_cred(NULL, NULL, 0); | |
4ccda2cd | 673 | else |
8572b8e2 TM |
674 | new = rpcauth_bind_new_cred(task, lookupflags); |
675 | if (IS_ERR(new)) | |
676 | return PTR_ERR(new); | |
9a8f6b5e | 677 | put_rpccred(req->rq_cred); |
a17c2153 | 678 | req->rq_cred = new; |
8572b8e2 | 679 | return 0; |
1da177e4 LT |
680 | } |
681 | ||
682 | void | |
683 | put_rpccred(struct rpc_cred *cred) | |
684 | { | |
9a8f6b5e TM |
685 | if (cred == NULL) |
686 | return; | |
95cd6232 | 687 | rcu_read_lock(); |
79b18181 | 688 | if (refcount_dec_and_test(&cred->cr_count)) |
95cd6232 | 689 | goto destroy; |
79b18181 | 690 | if (refcount_read(&cred->cr_count) != 1 || |
95cd6232 TM |
691 | !test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)) |
692 | goto out; | |
693 | if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) { | |
694 | cred->cr_expire = jiffies; | |
695 | rpcauth_lru_add(cred); | |
696 | /* Race breaker */ | |
697 | if (unlikely(!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))) | |
698 | rpcauth_lru_remove(cred); | |
699 | } else if (rpcauth_unhash_cred(cred)) { | |
700 | rpcauth_lru_remove(cred); | |
79b18181 | 701 | if (refcount_dec_and_test(&cred->cr_count)) |
95cd6232 | 702 | goto destroy; |
e092bdcd | 703 | } |
95cd6232 TM |
704 | out: |
705 | rcu_read_unlock(); | |
f0380f3d | 706 | return; |
95cd6232 TM |
707 | destroy: |
708 | rcu_read_unlock(); | |
709 | cred->cr_ops->crdestroy(cred); | |
1da177e4 | 710 | } |
e8914c65 | 711 | EXPORT_SYMBOL_GPL(put_rpccred); |
1da177e4 | 712 | |
e8680a24 CL |
713 | /** |
714 | * rpcauth_marshcred - Append RPC credential to end of @xdr | |
715 | * @task: controlling RPC task | |
716 | * @xdr: xdr_stream containing initial portion of RPC Call header | |
717 | * | |
718 | * On success, an appropriate verifier is added to @xdr, @xdr is | |
719 | * updated to point past the verifier, and zero is returned. | |
720 | * Otherwise, @xdr is in an undefined state and a negative errno | |
721 | * is returned. | |
722 | */ | |
723 | int rpcauth_marshcred(struct rpc_task *task, struct xdr_stream *xdr) | |
1da177e4 | 724 | { |
e8680a24 | 725 | const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops; |
1da177e4 | 726 | |
e8680a24 | 727 | return ops->crmarshal(task, xdr); |
1da177e4 LT |
728 | } |
729 | ||
e8680a24 CL |
730 | /** |
731 | * rpcauth_wrap_req_encode - XDR encode the RPC procedure | |
732 | * @task: controlling RPC task | |
733 | * @xdr: stream where on-the-wire bytes are to be marshalled | |
734 | * | |
735 | * On success, @xdr contains the encoded and wrapped message. | |
736 | * Otherwise, @xdr is in an undefined state. | |
737 | */ | |
738 | int rpcauth_wrap_req_encode(struct rpc_task *task, struct xdr_stream *xdr) | |
9f06c719 | 739 | { |
e8680a24 | 740 | kxdreproc_t encode = task->tk_msg.rpc_proc->p_encode; |
9f06c719 | 741 | |
e8680a24 CL |
742 | encode(task->tk_rqstp, xdr, task->tk_msg.rpc_argp); |
743 | return 0; | |
9f06c719 | 744 | } |
e8680a24 | 745 | EXPORT_SYMBOL_GPL(rpcauth_wrap_req_encode); |
9f06c719 | 746 | |
e8680a24 CL |
747 | /** |
748 | * rpcauth_wrap_req - XDR encode and wrap the RPC procedure | |
749 | * @task: controlling RPC task | |
750 | * @xdr: stream where on-the-wire bytes are to be marshalled | |
751 | * | |
752 | * On success, @xdr contains the encoded and wrapped message, | |
753 | * and zero is returned. Otherwise, @xdr is in an undefined | |
754 | * state and a negative errno is returned. | |
755 | */ | |
756 | int rpcauth_wrap_req(struct rpc_task *task, struct xdr_stream *xdr) | |
1da177e4 | 757 | { |
e8680a24 | 758 | const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops; |
1da177e4 | 759 | |
e8680a24 | 760 | return ops->crwrap_req(task, xdr); |
1da177e4 LT |
761 | } |
762 | ||
a0584ee9 CL |
763 | /** |
764 | * rpcauth_checkverf - Validate verifier in RPC Reply header | |
765 | * @task: controlling RPC task | |
766 | * @xdr: xdr_stream containing RPC Reply header | |
767 | * | |
768 | * On success, @xdr is updated to point past the verifier and | |
769 | * zero is returned. Otherwise, @xdr is in an undefined state | |
770 | * and a negative errno is returned. | |
771 | */ | |
772 | int | |
773 | rpcauth_checkverf(struct rpc_task *task, struct xdr_stream *xdr) | |
bf269551 | 774 | { |
a0584ee9 | 775 | const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops; |
bf269551 | 776 | |
a0584ee9 | 777 | return ops->crvalidate(task, xdr); |
bf269551 CL |
778 | } |
779 | ||
a0584ee9 CL |
780 | /** |
781 | * rpcauth_unwrap_resp_decode - Invoke XDR decode function | |
782 | * @task: controlling RPC task | |
783 | * @xdr: stream where the Reply message resides | |
784 | * | |
785 | * Returns zero on success; otherwise a negative errno is returned. | |
786 | */ | |
1da177e4 | 787 | int |
a0584ee9 | 788 | rpcauth_unwrap_resp_decode(struct rpc_task *task, struct xdr_stream *xdr) |
1da177e4 | 789 | { |
a0584ee9 CL |
790 | kxdrdproc_t decode = task->tk_msg.rpc_proc->p_decode; |
791 | ||
792 | return decode(task->tk_rqstp, xdr, task->tk_msg.rpc_resp); | |
793 | } | |
794 | EXPORT_SYMBOL_GPL(rpcauth_unwrap_resp_decode); | |
795 | ||
796 | /** | |
797 | * rpcauth_unwrap_resp - Invoke unwrap and decode function for the cred | |
798 | * @task: controlling RPC task | |
799 | * @xdr: stream where the Reply message resides | |
800 | * | |
801 | * Returns zero on success; otherwise a negative errno is returned. | |
802 | */ | |
803 | int | |
804 | rpcauth_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr) | |
805 | { | |
806 | const struct rpc_credops *ops = task->tk_rqstp->rq_cred->cr_ops; | |
1da177e4 | 807 | |
a0584ee9 | 808 | return ops->crunwrap_resp(task, xdr); |
1da177e4 LT |
809 | } |
810 | ||
3021a5bb TM |
811 | bool |
812 | rpcauth_xmit_need_reencode(struct rpc_task *task) | |
813 | { | |
814 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; | |
815 | ||
816 | if (!cred || !cred->cr_ops->crneed_reencode) | |
817 | return false; | |
818 | return cred->cr_ops->crneed_reencode(task); | |
819 | } | |
820 | ||
1da177e4 LT |
821 | int |
822 | rpcauth_refreshcred(struct rpc_task *task) | |
823 | { | |
9a84d380 | 824 | struct rpc_cred *cred; |
1da177e4 LT |
825 | int err; |
826 | ||
a17c2153 TM |
827 | cred = task->tk_rqstp->rq_cred; |
828 | if (cred == NULL) { | |
829 | err = rpcauth_bindcred(task, task->tk_msg.rpc_cred, task->tk_flags); | |
830 | if (err < 0) | |
831 | goto out; | |
832 | cred = task->tk_rqstp->rq_cred; | |
f81c6224 | 833 | } |
0bbacc40 | 834 | |
1da177e4 | 835 | err = cred->cr_ops->crrefresh(task); |
a17c2153 | 836 | out: |
1da177e4 LT |
837 | if (err < 0) |
838 | task->tk_status = err; | |
839 | return err; | |
840 | } | |
841 | ||
842 | void | |
843 | rpcauth_invalcred(struct rpc_task *task) | |
844 | { | |
a17c2153 | 845 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
fc432dd9 | 846 | |
fc432dd9 TM |
847 | if (cred) |
848 | clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); | |
1da177e4 LT |
849 | } |
850 | ||
851 | int | |
852 | rpcauth_uptodatecred(struct rpc_task *task) | |
853 | { | |
a17c2153 | 854 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
fc432dd9 TM |
855 | |
856 | return cred == NULL || | |
857 | test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0; | |
1da177e4 | 858 | } |
f5c2187c | 859 | |
8e1f936b | 860 | static struct shrinker rpc_cred_shrinker = { |
70534a73 DC |
861 | .count_objects = rpcauth_cache_shrink_count, |
862 | .scan_objects = rpcauth_cache_shrink_scan, | |
8e1f936b RR |
863 | .seeks = DEFAULT_SEEKS, |
864 | }; | |
f5c2187c | 865 | |
5d8d9a4d | 866 | int __init rpcauth_init_module(void) |
f5c2187c | 867 | { |
5d8d9a4d TM |
868 | int err; |
869 | ||
870 | err = rpc_init_authunix(); | |
871 | if (err < 0) | |
872 | goto out1; | |
2864486b KM |
873 | err = register_shrinker(&rpc_cred_shrinker); |
874 | if (err < 0) | |
89a4f758 | 875 | goto out2; |
5d8d9a4d TM |
876 | return 0; |
877 | out2: | |
878 | rpc_destroy_authunix(); | |
879 | out1: | |
880 | return err; | |
f5c2187c TM |
881 | } |
882 | ||
c135e84a | 883 | void rpcauth_remove_module(void) |
f5c2187c | 884 | { |
5d8d9a4d | 885 | rpc_destroy_authunix(); |
8e1f936b | 886 | unregister_shrinker(&rpc_cred_shrinker); |
f5c2187c | 887 | } |