1 /* 2 * linux/net/sunrpc/auth.c 3 * 4 * Generic RPC client authentication API. 5 * 6 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> 7 */ 8 9 #include <linux/types.h> 10 #include <linux/sched.h> 11 #include <linux/module.h> 12 #include <linux/slab.h> 13 #include <linux/errno.h> 14 #include <linux/socket.h> 15 #include <linux/sunrpc/clnt.h> 16 #include <linux/spinlock.h> 17 18 #ifdef RPC_DEBUG 19 # define RPCDBG_FACILITY RPCDBG_AUTH 20 #endif 21 22 static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { 23 &authnull_ops, /* AUTH_NULL */ 24 &authunix_ops, /* AUTH_UNIX */ 25 NULL, /* others can be loadable modules */ 26 }; 27 28 static u32 29 pseudoflavor_to_flavor(u32 flavor) { 30 if (flavor >= RPC_AUTH_MAXFLAVOR) 31 return RPC_AUTH_GSS; 32 return flavor; 33 } 34 35 int 36 rpcauth_register(struct rpc_authops *ops) 37 { 38 rpc_authflavor_t flavor; 39 40 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 41 return -EINVAL; 42 if (auth_flavors[flavor] != NULL) 43 return -EPERM; /* what else? */ 44 auth_flavors[flavor] = ops; 45 return 0; 46 } 47 48 int 49 rpcauth_unregister(struct rpc_authops *ops) 50 { 51 rpc_authflavor_t flavor; 52 53 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 54 return -EINVAL; 55 if (auth_flavors[flavor] != ops) 56 return -EPERM; /* what else? */ 57 auth_flavors[flavor] = NULL; 58 return 0; 59 } 60 61 struct rpc_auth * 62 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) 63 { 64 struct rpc_auth *auth; 65 struct rpc_authops *ops; 66 u32 flavor = pseudoflavor_to_flavor(pseudoflavor); 67 68 if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor])) 69 return ERR_PTR(-EINVAL); 70 auth = ops->create(clnt, pseudoflavor); 71 if (IS_ERR(auth)) 72 return auth; 73 if (clnt->cl_auth) 74 rpcauth_destroy(clnt->cl_auth); 75 clnt->cl_auth = auth; 76 return auth; 77 } 78 79 void 80 rpcauth_destroy(struct rpc_auth *auth) 81 { 82 if (!atomic_dec_and_test(&auth->au_count)) 83 return; 84 auth->au_ops->destroy(auth); 85 } 86 87 static DEFINE_SPINLOCK(rpc_credcache_lock); 88 89 /* 90 * Initialize RPC credential cache 91 */ 92 int 93 rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) 94 { 95 struct rpc_cred_cache *new; 96 int i; 97 98 new = (struct rpc_cred_cache *)kmalloc(sizeof(*new), GFP_KERNEL); 99 if (!new) 100 return -ENOMEM; 101 for (i = 0; i < RPC_CREDCACHE_NR; i++) 102 INIT_HLIST_HEAD(&new->hashtable[i]); 103 new->expire = expire; 104 new->nextgc = jiffies + (expire >> 1); 105 auth->au_credcache = new; 106 return 0; 107 } 108 109 /* 110 * Destroy a list of credentials 111 */ 112 static inline 113 void rpcauth_destroy_credlist(struct hlist_head *head) 114 { 115 struct rpc_cred *cred; 116 117 while (!hlist_empty(head)) { 118 cred = hlist_entry(head->first, struct rpc_cred, cr_hash); 119 hlist_del_init(&cred->cr_hash); 120 put_rpccred(cred); 121 } 122 } 123 124 /* 125 * Clear the RPC credential cache, and delete those credentials 126 * that are not referenced. 127 */ 128 void 129 rpcauth_free_credcache(struct rpc_auth *auth) 130 { 131 struct rpc_cred_cache *cache = auth->au_credcache; 132 HLIST_HEAD(free); 133 struct hlist_node *pos, *next; 134 struct rpc_cred *cred; 135 int i; 136 137 spin_lock(&rpc_credcache_lock); 138 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 139 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 140 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 141 __hlist_del(&cred->cr_hash); 142 hlist_add_head(&cred->cr_hash, &free); 143 } 144 } 145 spin_unlock(&rpc_credcache_lock); 146 rpcauth_destroy_credlist(&free); 147 } 148 149 static void 150 rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) 151 { 152 if (atomic_read(&cred->cr_count) != 1) 153 return; 154 if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) 155 cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 156 if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { 157 __hlist_del(&cred->cr_hash); 158 hlist_add_head(&cred->cr_hash, free); 159 } 160 } 161 162 /* 163 * Remove stale credentials. Avoid sleeping inside the loop. 164 */ 165 static void 166 rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) 167 { 168 struct rpc_cred_cache *cache = auth->au_credcache; 169 struct hlist_node *pos, *next; 170 struct rpc_cred *cred; 171 int i; 172 173 dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); 174 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 175 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 176 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 177 rpcauth_prune_expired(auth, cred, free); 178 } 179 } 180 cache->nextgc = jiffies + cache->expire; 181 } 182 183 /* 184 * Look up a process' credentials in the authentication cache 185 */ 186 struct rpc_cred * 187 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, 188 int taskflags) 189 { 190 struct rpc_cred_cache *cache = auth->au_credcache; 191 HLIST_HEAD(free); 192 struct hlist_node *pos, *next; 193 struct rpc_cred *new = NULL, 194 *cred = NULL; 195 int nr = 0; 196 197 if (!(taskflags & RPC_TASK_ROOTCREDS)) 198 nr = acred->uid & RPC_CREDCACHE_MASK; 199 retry: 200 spin_lock(&rpc_credcache_lock); 201 if (time_before(cache->nextgc, jiffies)) 202 rpcauth_gc_credcache(auth, &free); 203 hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { 204 struct rpc_cred *entry; 205 entry = hlist_entry(pos, struct rpc_cred, cr_hash); 206 if (entry->cr_ops->crmatch(acred, entry, taskflags)) { 207 hlist_del(&entry->cr_hash); 208 cred = entry; 209 break; 210 } 211 rpcauth_prune_expired(auth, entry, &free); 212 } 213 if (new) { 214 if (cred) 215 hlist_add_head(&new->cr_hash, &free); 216 else 217 cred = new; 218 } 219 if (cred) { 220 hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); 221 get_rpccred(cred); 222 } 223 spin_unlock(&rpc_credcache_lock); 224 225 rpcauth_destroy_credlist(&free); 226 227 if (!cred) { 228 new = auth->au_ops->crcreate(auth, acred, taskflags); 229 if (!IS_ERR(new)) { 230 #ifdef RPC_DEBUG 231 new->cr_magic = RPCAUTH_CRED_MAGIC; 232 #endif 233 goto retry; 234 } else 235 cred = new; 236 } 237 238 return (struct rpc_cred *) cred; 239 } 240 241 struct rpc_cred * 242 rpcauth_lookupcred(struct rpc_auth *auth, int taskflags) 243 { 244 struct auth_cred acred = { 245 .uid = current->fsuid, 246 .gid = current->fsgid, 247 .group_info = current->group_info, 248 }; 249 struct rpc_cred *ret; 250 251 dprintk("RPC: looking up %s cred\n", 252 auth->au_ops->au_name); 253 get_group_info(acred.group_info); 254 ret = auth->au_ops->lookup_cred(auth, &acred, taskflags); 255 put_group_info(acred.group_info); 256 return ret; 257 } 258 259 struct rpc_cred * 260 rpcauth_bindcred(struct rpc_task *task) 261 { 262 struct rpc_auth *auth = task->tk_auth; 263 struct auth_cred acred = { 264 .uid = current->fsuid, 265 .gid = current->fsgid, 266 .group_info = current->group_info, 267 }; 268 struct rpc_cred *ret; 269 270 dprintk("RPC: %4d looking up %s cred\n", 271 task->tk_pid, task->tk_auth->au_ops->au_name); 272 get_group_info(acred.group_info); 273 ret = auth->au_ops->lookup_cred(auth, &acred, task->tk_flags); 274 if (!IS_ERR(ret)) 275 task->tk_msg.rpc_cred = ret; 276 else 277 task->tk_status = PTR_ERR(ret); 278 put_group_info(acred.group_info); 279 return ret; 280 } 281 282 void 283 rpcauth_holdcred(struct rpc_task *task) 284 { 285 dprintk("RPC: %4d holding %s cred %p\n", 286 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 287 if (task->tk_msg.rpc_cred) 288 get_rpccred(task->tk_msg.rpc_cred); 289 } 290 291 void 292 put_rpccred(struct rpc_cred *cred) 293 { 294 cred->cr_expire = jiffies; 295 if (!atomic_dec_and_test(&cred->cr_count)) 296 return; 297 cred->cr_ops->crdestroy(cred); 298 } 299 300 void 301 rpcauth_unbindcred(struct rpc_task *task) 302 { 303 struct rpc_auth *auth = task->tk_auth; 304 struct rpc_cred *cred = task->tk_msg.rpc_cred; 305 306 dprintk("RPC: %4d releasing %s cred %p\n", 307 task->tk_pid, auth->au_ops->au_name, cred); 308 309 put_rpccred(cred); 310 task->tk_msg.rpc_cred = NULL; 311 } 312 313 u32 * 314 rpcauth_marshcred(struct rpc_task *task, u32 *p) 315 { 316 struct rpc_auth *auth = task->tk_auth; 317 struct rpc_cred *cred = task->tk_msg.rpc_cred; 318 319 dprintk("RPC: %4d marshaling %s cred %p\n", 320 task->tk_pid, auth->au_ops->au_name, cred); 321 return cred->cr_ops->crmarshal(task, p); 322 } 323 324 u32 * 325 rpcauth_checkverf(struct rpc_task *task, u32 *p) 326 { 327 struct rpc_auth *auth = task->tk_auth; 328 struct rpc_cred *cred = task->tk_msg.rpc_cred; 329 330 dprintk("RPC: %4d validating %s cred %p\n", 331 task->tk_pid, auth->au_ops->au_name, cred); 332 return cred->cr_ops->crvalidate(task, p); 333 } 334 335 int 336 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, 337 u32 *data, void *obj) 338 { 339 struct rpc_cred *cred = task->tk_msg.rpc_cred; 340 341 dprintk("RPC: %4d using %s cred %p to wrap rpc data\n", 342 task->tk_pid, cred->cr_ops->cr_name, cred); 343 if (cred->cr_ops->crwrap_req) 344 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); 345 /* By default, we encode the arguments normally. */ 346 return encode(rqstp, data, obj); 347 } 348 349 int 350 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, 351 u32 *data, void *obj) 352 { 353 struct rpc_cred *cred = task->tk_msg.rpc_cred; 354 355 dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n", 356 task->tk_pid, cred->cr_ops->cr_name, cred); 357 if (cred->cr_ops->crunwrap_resp) 358 return cred->cr_ops->crunwrap_resp(task, decode, rqstp, 359 data, obj); 360 /* By default, we decode the arguments normally. */ 361 return decode(rqstp, data, obj); 362 } 363 364 int 365 rpcauth_refreshcred(struct rpc_task *task) 366 { 367 struct rpc_auth *auth = task->tk_auth; 368 struct rpc_cred *cred = task->tk_msg.rpc_cred; 369 int err; 370 371 dprintk("RPC: %4d refreshing %s cred %p\n", 372 task->tk_pid, auth->au_ops->au_name, cred); 373 err = cred->cr_ops->crrefresh(task); 374 if (err < 0) 375 task->tk_status = err; 376 return err; 377 } 378 379 void 380 rpcauth_invalcred(struct rpc_task *task) 381 { 382 dprintk("RPC: %4d invalidating %s cred %p\n", 383 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 384 spin_lock(&rpc_credcache_lock); 385 if (task->tk_msg.rpc_cred) 386 task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 387 spin_unlock(&rpc_credcache_lock); 388 } 389 390 int 391 rpcauth_uptodatecred(struct rpc_task *task) 392 { 393 return !(task->tk_msg.rpc_cred) || 394 (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); 395 } 396