]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/net/sunrpc/auth.c | |
3 | * | |
4 | * Generic RPC client authentication API. | |
5 | * | |
6 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | |
7 | */ | |
8 | ||
9 | #include <linux/types.h> | |
10 | #include <linux/sched.h> | |
11 | #include <linux/module.h> | |
12 | #include <linux/slab.h> | |
13 | #include <linux/errno.h> | |
1da177e4 LT |
14 | #include <linux/sunrpc/clnt.h> |
15 | #include <linux/spinlock.h> | |
16 | ||
17 | #ifdef RPC_DEBUG | |
18 | # define RPCDBG_FACILITY RPCDBG_AUTH | |
19 | #endif | |
20 | ||
21 | static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { | |
22 | &authnull_ops, /* AUTH_NULL */ | |
23 | &authunix_ops, /* AUTH_UNIX */ | |
24 | NULL, /* others can be loadable modules */ | |
25 | }; | |
26 | ||
27 | static u32 | |
28 | pseudoflavor_to_flavor(u32 flavor) { | |
29 | if (flavor >= RPC_AUTH_MAXFLAVOR) | |
30 | return RPC_AUTH_GSS; | |
31 | return flavor; | |
32 | } | |
33 | ||
34 | int | |
35 | rpcauth_register(struct rpc_authops *ops) | |
36 | { | |
37 | rpc_authflavor_t flavor; | |
38 | ||
39 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
40 | return -EINVAL; | |
41 | if (auth_flavors[flavor] != NULL) | |
42 | return -EPERM; /* what else? */ | |
43 | auth_flavors[flavor] = ops; | |
44 | return 0; | |
45 | } | |
46 | ||
47 | int | |
48 | rpcauth_unregister(struct rpc_authops *ops) | |
49 | { | |
50 | rpc_authflavor_t flavor; | |
51 | ||
52 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
53 | return -EINVAL; | |
54 | if (auth_flavors[flavor] != ops) | |
55 | return -EPERM; /* what else? */ | |
56 | auth_flavors[flavor] = NULL; | |
57 | return 0; | |
58 | } | |
59 | ||
60 | struct rpc_auth * | |
61 | rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) | |
62 | { | |
63 | struct rpc_auth *auth; | |
64 | struct rpc_authops *ops; | |
65 | u32 flavor = pseudoflavor_to_flavor(pseudoflavor); | |
66 | ||
67 | if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor])) | |
6a19275a | 68 | return ERR_PTR(-EINVAL); |
1da177e4 | 69 | auth = ops->create(clnt, pseudoflavor); |
6a19275a BF |
70 | if (IS_ERR(auth)) |
71 | return auth; | |
1da177e4 LT |
72 | if (clnt->cl_auth) |
73 | rpcauth_destroy(clnt->cl_auth); | |
74 | clnt->cl_auth = auth; | |
75 | return auth; | |
76 | } | |
77 | ||
78 | void | |
79 | rpcauth_destroy(struct rpc_auth *auth) | |
80 | { | |
81 | if (!atomic_dec_and_test(&auth->au_count)) | |
82 | return; | |
83 | auth->au_ops->destroy(auth); | |
84 | } | |
85 | ||
86 | static DEFINE_SPINLOCK(rpc_credcache_lock); | |
87 | ||
88 | /* | |
89 | * Initialize RPC credential cache | |
90 | */ | |
91 | int | |
92 | rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) | |
93 | { | |
94 | struct rpc_cred_cache *new; | |
95 | int i; | |
96 | ||
97 | new = (struct rpc_cred_cache *)kmalloc(sizeof(*new), GFP_KERNEL); | |
98 | if (!new) | |
99 | return -ENOMEM; | |
100 | for (i = 0; i < RPC_CREDCACHE_NR; i++) | |
101 | INIT_HLIST_HEAD(&new->hashtable[i]); | |
102 | new->expire = expire; | |
103 | new->nextgc = jiffies + (expire >> 1); | |
104 | auth->au_credcache = new; | |
105 | return 0; | |
106 | } | |
107 | ||
108 | /* | |
109 | * Destroy a list of credentials | |
110 | */ | |
111 | static inline | |
112 | void rpcauth_destroy_credlist(struct hlist_head *head) | |
113 | { | |
114 | struct rpc_cred *cred; | |
115 | ||
116 | while (!hlist_empty(head)) { | |
117 | cred = hlist_entry(head->first, struct rpc_cred, cr_hash); | |
118 | hlist_del_init(&cred->cr_hash); | |
119 | put_rpccred(cred); | |
120 | } | |
121 | } | |
122 | ||
123 | /* | |
124 | * Clear the RPC credential cache, and delete those credentials | |
125 | * that are not referenced. | |
126 | */ | |
127 | void | |
128 | rpcauth_free_credcache(struct rpc_auth *auth) | |
129 | { | |
130 | struct rpc_cred_cache *cache = auth->au_credcache; | |
131 | HLIST_HEAD(free); | |
132 | struct hlist_node *pos, *next; | |
133 | struct rpc_cred *cred; | |
134 | int i; | |
135 | ||
136 | spin_lock(&rpc_credcache_lock); | |
137 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { | |
138 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | |
139 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | |
140 | __hlist_del(&cred->cr_hash); | |
141 | hlist_add_head(&cred->cr_hash, &free); | |
142 | } | |
143 | } | |
144 | spin_unlock(&rpc_credcache_lock); | |
145 | rpcauth_destroy_credlist(&free); | |
146 | } | |
147 | ||
148 | static void | |
149 | rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) | |
150 | { | |
151 | if (atomic_read(&cred->cr_count) != 1) | |
152 | return; | |
153 | if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) | |
154 | cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | |
155 | if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { | |
156 | __hlist_del(&cred->cr_hash); | |
157 | hlist_add_head(&cred->cr_hash, free); | |
158 | } | |
159 | } | |
160 | ||
161 | /* | |
162 | * Remove stale credentials. Avoid sleeping inside the loop. | |
163 | */ | |
164 | static void | |
165 | rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) | |
166 | { | |
167 | struct rpc_cred_cache *cache = auth->au_credcache; | |
168 | struct hlist_node *pos, *next; | |
169 | struct rpc_cred *cred; | |
170 | int i; | |
171 | ||
172 | dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); | |
173 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { | |
174 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | |
175 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | |
176 | rpcauth_prune_expired(auth, cred, free); | |
177 | } | |
178 | } | |
179 | cache->nextgc = jiffies + cache->expire; | |
180 | } | |
181 | ||
182 | /* | |
183 | * Look up a process' credentials in the authentication cache | |
184 | */ | |
185 | struct rpc_cred * | |
186 | rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, | |
187 | int taskflags) | |
188 | { | |
189 | struct rpc_cred_cache *cache = auth->au_credcache; | |
190 | HLIST_HEAD(free); | |
191 | struct hlist_node *pos, *next; | |
192 | struct rpc_cred *new = NULL, | |
193 | *cred = NULL; | |
194 | int nr = 0; | |
195 | ||
196 | if (!(taskflags & RPC_TASK_ROOTCREDS)) | |
197 | nr = acred->uid & RPC_CREDCACHE_MASK; | |
198 | retry: | |
199 | spin_lock(&rpc_credcache_lock); | |
200 | if (time_before(cache->nextgc, jiffies)) | |
201 | rpcauth_gc_credcache(auth, &free); | |
202 | hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { | |
203 | struct rpc_cred *entry; | |
204 | entry = hlist_entry(pos, struct rpc_cred, cr_hash); | |
205 | if (entry->cr_ops->crmatch(acred, entry, taskflags)) { | |
206 | hlist_del(&entry->cr_hash); | |
207 | cred = entry; | |
208 | break; | |
209 | } | |
210 | rpcauth_prune_expired(auth, entry, &free); | |
211 | } | |
212 | if (new) { | |
213 | if (cred) | |
214 | hlist_add_head(&new->cr_hash, &free); | |
215 | else | |
216 | cred = new; | |
217 | } | |
218 | if (cred) { | |
219 | hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); | |
220 | get_rpccred(cred); | |
221 | } | |
222 | spin_unlock(&rpc_credcache_lock); | |
223 | ||
224 | rpcauth_destroy_credlist(&free); | |
225 | ||
226 | if (!cred) { | |
227 | new = auth->au_ops->crcreate(auth, acred, taskflags); | |
228 | if (!IS_ERR(new)) { | |
229 | #ifdef RPC_DEBUG | |
230 | new->cr_magic = RPCAUTH_CRED_MAGIC; | |
231 | #endif | |
232 | goto retry; | |
233 | } else | |
234 | cred = new; | |
235 | } | |
236 | ||
237 | return (struct rpc_cred *) cred; | |
238 | } | |
239 | ||
240 | struct rpc_cred * | |
241 | rpcauth_lookupcred(struct rpc_auth *auth, int taskflags) | |
242 | { | |
243 | struct auth_cred acred = { | |
244 | .uid = current->fsuid, | |
245 | .gid = current->fsgid, | |
246 | .group_info = current->group_info, | |
247 | }; | |
248 | struct rpc_cred *ret; | |
249 | ||
250 | dprintk("RPC: looking up %s cred\n", | |
251 | auth->au_ops->au_name); | |
252 | get_group_info(acred.group_info); | |
253 | ret = auth->au_ops->lookup_cred(auth, &acred, taskflags); | |
254 | put_group_info(acred.group_info); | |
255 | return ret; | |
256 | } | |
257 | ||
258 | struct rpc_cred * | |
259 | rpcauth_bindcred(struct rpc_task *task) | |
260 | { | |
261 | struct rpc_auth *auth = task->tk_auth; | |
262 | struct auth_cred acred = { | |
263 | .uid = current->fsuid, | |
264 | .gid = current->fsgid, | |
265 | .group_info = current->group_info, | |
266 | }; | |
267 | struct rpc_cred *ret; | |
268 | ||
269 | dprintk("RPC: %4d looking up %s cred\n", | |
270 | task->tk_pid, task->tk_auth->au_ops->au_name); | |
271 | get_group_info(acred.group_info); | |
272 | ret = auth->au_ops->lookup_cred(auth, &acred, task->tk_flags); | |
273 | if (!IS_ERR(ret)) | |
274 | task->tk_msg.rpc_cred = ret; | |
275 | else | |
276 | task->tk_status = PTR_ERR(ret); | |
277 | put_group_info(acred.group_info); | |
278 | return ret; | |
279 | } | |
280 | ||
281 | void | |
282 | rpcauth_holdcred(struct rpc_task *task) | |
283 | { | |
284 | dprintk("RPC: %4d holding %s cred %p\n", | |
285 | task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); | |
286 | if (task->tk_msg.rpc_cred) | |
287 | get_rpccred(task->tk_msg.rpc_cred); | |
288 | } | |
289 | ||
290 | void | |
291 | put_rpccred(struct rpc_cred *cred) | |
292 | { | |
293 | cred->cr_expire = jiffies; | |
294 | if (!atomic_dec_and_test(&cred->cr_count)) | |
295 | return; | |
296 | cred->cr_ops->crdestroy(cred); | |
297 | } | |
298 | ||
299 | void | |
300 | rpcauth_unbindcred(struct rpc_task *task) | |
301 | { | |
1da177e4 LT |
302 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
303 | ||
304 | dprintk("RPC: %4d releasing %s cred %p\n", | |
0bbacc40 | 305 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
1da177e4 LT |
306 | |
307 | put_rpccred(cred); | |
308 | task->tk_msg.rpc_cred = NULL; | |
309 | } | |
310 | ||
311 | u32 * | |
312 | rpcauth_marshcred(struct rpc_task *task, u32 *p) | |
313 | { | |
1da177e4 LT |
314 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
315 | ||
316 | dprintk("RPC: %4d marshaling %s cred %p\n", | |
0bbacc40 CL |
317 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
318 | ||
1da177e4 LT |
319 | return cred->cr_ops->crmarshal(task, p); |
320 | } | |
321 | ||
322 | u32 * | |
323 | rpcauth_checkverf(struct rpc_task *task, u32 *p) | |
324 | { | |
1da177e4 LT |
325 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
326 | ||
327 | dprintk("RPC: %4d validating %s cred %p\n", | |
0bbacc40 CL |
328 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
329 | ||
1da177e4 LT |
330 | return cred->cr_ops->crvalidate(task, p); |
331 | } | |
332 | ||
333 | int | |
334 | rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, | |
335 | u32 *data, void *obj) | |
336 | { | |
337 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | |
338 | ||
339 | dprintk("RPC: %4d using %s cred %p to wrap rpc data\n", | |
340 | task->tk_pid, cred->cr_ops->cr_name, cred); | |
341 | if (cred->cr_ops->crwrap_req) | |
342 | return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); | |
343 | /* By default, we encode the arguments normally. */ | |
344 | return encode(rqstp, data, obj); | |
345 | } | |
346 | ||
347 | int | |
348 | rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, | |
349 | u32 *data, void *obj) | |
350 | { | |
351 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | |
352 | ||
353 | dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n", | |
354 | task->tk_pid, cred->cr_ops->cr_name, cred); | |
355 | if (cred->cr_ops->crunwrap_resp) | |
356 | return cred->cr_ops->crunwrap_resp(task, decode, rqstp, | |
357 | data, obj); | |
358 | /* By default, we decode the arguments normally. */ | |
359 | return decode(rqstp, data, obj); | |
360 | } | |
361 | ||
362 | int | |
363 | rpcauth_refreshcred(struct rpc_task *task) | |
364 | { | |
1da177e4 LT |
365 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
366 | int err; | |
367 | ||
368 | dprintk("RPC: %4d refreshing %s cred %p\n", | |
0bbacc40 CL |
369 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
370 | ||
1da177e4 LT |
371 | err = cred->cr_ops->crrefresh(task); |
372 | if (err < 0) | |
373 | task->tk_status = err; | |
374 | return err; | |
375 | } | |
376 | ||
377 | void | |
378 | rpcauth_invalcred(struct rpc_task *task) | |
379 | { | |
380 | dprintk("RPC: %4d invalidating %s cred %p\n", | |
381 | task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); | |
382 | spin_lock(&rpc_credcache_lock); | |
383 | if (task->tk_msg.rpc_cred) | |
384 | task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | |
385 | spin_unlock(&rpc_credcache_lock); | |
386 | } | |
387 | ||
388 | int | |
389 | rpcauth_uptodatecred(struct rpc_task *task) | |
390 | { | |
391 | return !(task->tk_msg.rpc_cred) || | |
392 | (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); | |
393 | } |