1 /* 2 * linux/net/sunrpc/auth.c 3 * 4 * Generic RPC client authentication API. 5 * 6 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> 7 */ 8 9 #include <linux/types.h> 10 #include <linux/sched.h> 11 #include <linux/module.h> 12 #include <linux/slab.h> 13 #include <linux/errno.h> 14 #include <linux/sunrpc/clnt.h> 15 #include <linux/spinlock.h> 16 17 #ifdef RPC_DEBUG 18 # define RPCDBG_FACILITY RPCDBG_AUTH 19 #endif 20 21 static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { 22 &authnull_ops, /* AUTH_NULL */ 23 &authunix_ops, /* AUTH_UNIX */ 24 NULL, /* others can be loadable modules */ 25 }; 26 27 static u32 28 pseudoflavor_to_flavor(u32 flavor) { 29 if (flavor >= RPC_AUTH_MAXFLAVOR) 30 return RPC_AUTH_GSS; 31 return flavor; 32 } 33 34 int 35 rpcauth_register(struct rpc_authops *ops) 36 { 37 rpc_authflavor_t flavor; 38 39 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 40 return -EINVAL; 41 if (auth_flavors[flavor] != NULL) 42 return -EPERM; /* what else? */ 43 auth_flavors[flavor] = ops; 44 return 0; 45 } 46 47 int 48 rpcauth_unregister(struct rpc_authops *ops) 49 { 50 rpc_authflavor_t flavor; 51 52 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 53 return -EINVAL; 54 if (auth_flavors[flavor] != ops) 55 return -EPERM; /* what else? */ 56 auth_flavors[flavor] = NULL; 57 return 0; 58 } 59 60 struct rpc_auth * 61 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) 62 { 63 struct rpc_auth *auth; 64 struct rpc_authops *ops; 65 u32 flavor = pseudoflavor_to_flavor(pseudoflavor); 66 67 if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor])) 68 return ERR_PTR(-EINVAL); 69 auth = ops->create(clnt, pseudoflavor); 70 if (IS_ERR(auth)) 71 return auth; 72 if (clnt->cl_auth) 73 rpcauth_destroy(clnt->cl_auth); 74 clnt->cl_auth = auth; 75 return auth; 76 } 77 78 void 79 rpcauth_destroy(struct rpc_auth *auth) 80 { 81 if (!atomic_dec_and_test(&auth->au_count)) 82 return; 83 auth->au_ops->destroy(auth); 84 } 85 86 static DEFINE_SPINLOCK(rpc_credcache_lock); 87 88 /* 89 * Initialize RPC credential cache 90 */ 91 int 92 rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) 93 { 94 struct rpc_cred_cache *new; 95 int i; 96 97 new = kmalloc(sizeof(*new), GFP_KERNEL); 98 if (!new) 99 return -ENOMEM; 100 for (i = 0; i < RPC_CREDCACHE_NR; i++) 101 INIT_HLIST_HEAD(&new->hashtable[i]); 102 new->expire = expire; 103 new->nextgc = jiffies + (expire >> 1); 104 auth->au_credcache = new; 105 return 0; 106 } 107 108 /* 109 * Destroy a list of credentials 110 */ 111 static inline 112 void rpcauth_destroy_credlist(struct hlist_head *head) 113 { 114 struct rpc_cred *cred; 115 116 while (!hlist_empty(head)) { 117 cred = hlist_entry(head->first, struct rpc_cred, cr_hash); 118 hlist_del_init(&cred->cr_hash); 119 put_rpccred(cred); 120 } 121 } 122 123 /* 124 * Clear the RPC credential cache, and delete those credentials 125 * that are not referenced. 126 */ 127 void 128 rpcauth_free_credcache(struct rpc_auth *auth) 129 { 130 struct rpc_cred_cache *cache = auth->au_credcache; 131 HLIST_HEAD(free); 132 struct hlist_node *pos, *next; 133 struct rpc_cred *cred; 134 int i; 135 136 spin_lock(&rpc_credcache_lock); 137 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 138 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 139 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 140 __hlist_del(&cred->cr_hash); 141 hlist_add_head(&cred->cr_hash, &free); 142 } 143 } 144 spin_unlock(&rpc_credcache_lock); 145 rpcauth_destroy_credlist(&free); 146 } 147 148 static void 149 rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) 150 { 151 if (atomic_read(&cred->cr_count) != 1) 152 return; 153 if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) 154 cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 155 if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { 156 __hlist_del(&cred->cr_hash); 157 hlist_add_head(&cred->cr_hash, free); 158 } 159 } 160 161 /* 162 * Remove stale credentials. Avoid sleeping inside the loop. 163 */ 164 static void 165 rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) 166 { 167 struct rpc_cred_cache *cache = auth->au_credcache; 168 struct hlist_node *pos, *next; 169 struct rpc_cred *cred; 170 int i; 171 172 dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); 173 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 174 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 175 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 176 rpcauth_prune_expired(auth, cred, free); 177 } 178 } 179 cache->nextgc = jiffies + cache->expire; 180 } 181 182 /* 183 * Look up a process' credentials in the authentication cache 184 */ 185 struct rpc_cred * 186 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, 187 int taskflags) 188 { 189 struct rpc_cred_cache *cache = auth->au_credcache; 190 HLIST_HEAD(free); 191 struct hlist_node *pos, *next; 192 struct rpc_cred *new = NULL, 193 *cred = NULL; 194 int nr = 0; 195 196 if (!(taskflags & RPC_TASK_ROOTCREDS)) 197 nr = acred->uid & RPC_CREDCACHE_MASK; 198 retry: 199 spin_lock(&rpc_credcache_lock); 200 if (time_before(cache->nextgc, jiffies)) 201 rpcauth_gc_credcache(auth, &free); 202 hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { 203 struct rpc_cred *entry; 204 entry = hlist_entry(pos, struct rpc_cred, cr_hash); 205 if (entry->cr_ops->crmatch(acred, entry, taskflags)) { 206 hlist_del(&entry->cr_hash); 207 cred = entry; 208 break; 209 } 210 rpcauth_prune_expired(auth, entry, &free); 211 } 212 if (new) { 213 if (cred) 214 hlist_add_head(&new->cr_hash, &free); 215 else 216 cred = new; 217 } 218 if (cred) { 219 hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); 220 get_rpccred(cred); 221 } 222 spin_unlock(&rpc_credcache_lock); 223 224 rpcauth_destroy_credlist(&free); 225 226 if (!cred) { 227 new = auth->au_ops->crcreate(auth, acred, taskflags); 228 if (!IS_ERR(new)) { 229 #ifdef RPC_DEBUG 230 new->cr_magic = RPCAUTH_CRED_MAGIC; 231 #endif 232 goto retry; 233 } else 234 cred = new; 235 } 236 237 return (struct rpc_cred *) cred; 238 } 239 240 struct rpc_cred * 241 rpcauth_lookupcred(struct rpc_auth *auth, int taskflags) 242 { 243 struct auth_cred acred = { 244 .uid = current->fsuid, 245 .gid = current->fsgid, 246 .group_info = current->group_info, 247 }; 248 struct rpc_cred *ret; 249 250 dprintk("RPC: looking up %s cred\n", 251 auth->au_ops->au_name); 252 get_group_info(acred.group_info); 253 ret = auth->au_ops->lookup_cred(auth, &acred, taskflags); 254 put_group_info(acred.group_info); 255 return ret; 256 } 257 258 struct rpc_cred * 259 rpcauth_bindcred(struct rpc_task *task) 260 { 261 struct rpc_auth *auth = task->tk_auth; 262 struct auth_cred acred = { 263 .uid = current->fsuid, 264 .gid = current->fsgid, 265 .group_info = current->group_info, 266 }; 267 struct rpc_cred *ret; 268 269 dprintk("RPC: %4d looking up %s cred\n", 270 task->tk_pid, task->tk_auth->au_ops->au_name); 271 get_group_info(acred.group_info); 272 ret = auth->au_ops->lookup_cred(auth, &acred, task->tk_flags); 273 if (!IS_ERR(ret)) 274 task->tk_msg.rpc_cred = ret; 275 else 276 task->tk_status = PTR_ERR(ret); 277 put_group_info(acred.group_info); 278 return ret; 279 } 280 281 void 282 rpcauth_holdcred(struct rpc_task *task) 283 { 284 dprintk("RPC: %4d holding %s cred %p\n", 285 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 286 if (task->tk_msg.rpc_cred) 287 get_rpccred(task->tk_msg.rpc_cred); 288 } 289 290 void 291 put_rpccred(struct rpc_cred *cred) 292 { 293 cred->cr_expire = jiffies; 294 if (!atomic_dec_and_test(&cred->cr_count)) 295 return; 296 cred->cr_ops->crdestroy(cred); 297 } 298 299 void 300 rpcauth_unbindcred(struct rpc_task *task) 301 { 302 struct rpc_cred *cred = task->tk_msg.rpc_cred; 303 304 dprintk("RPC: %4d releasing %s cred %p\n", 305 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 306 307 put_rpccred(cred); 308 task->tk_msg.rpc_cred = NULL; 309 } 310 311 u32 * 312 rpcauth_marshcred(struct rpc_task *task, u32 *p) 313 { 314 struct rpc_cred *cred = task->tk_msg.rpc_cred; 315 316 dprintk("RPC: %4d marshaling %s cred %p\n", 317 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 318 319 return cred->cr_ops->crmarshal(task, p); 320 } 321 322 u32 * 323 rpcauth_checkverf(struct rpc_task *task, u32 *p) 324 { 325 struct rpc_cred *cred = task->tk_msg.rpc_cred; 326 327 dprintk("RPC: %4d validating %s cred %p\n", 328 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 329 330 return cred->cr_ops->crvalidate(task, p); 331 } 332 333 int 334 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, 335 u32 *data, void *obj) 336 { 337 struct rpc_cred *cred = task->tk_msg.rpc_cred; 338 339 dprintk("RPC: %4d using %s cred %p to wrap rpc data\n", 340 task->tk_pid, cred->cr_ops->cr_name, cred); 341 if (cred->cr_ops->crwrap_req) 342 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); 343 /* By default, we encode the arguments normally. */ 344 return encode(rqstp, data, obj); 345 } 346 347 int 348 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, 349 u32 *data, void *obj) 350 { 351 struct rpc_cred *cred = task->tk_msg.rpc_cred; 352 353 dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n", 354 task->tk_pid, cred->cr_ops->cr_name, cred); 355 if (cred->cr_ops->crunwrap_resp) 356 return cred->cr_ops->crunwrap_resp(task, decode, rqstp, 357 data, obj); 358 /* By default, we decode the arguments normally. */ 359 return decode(rqstp, data, obj); 360 } 361 362 int 363 rpcauth_refreshcred(struct rpc_task *task) 364 { 365 struct rpc_cred *cred = task->tk_msg.rpc_cred; 366 int err; 367 368 dprintk("RPC: %4d refreshing %s cred %p\n", 369 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 370 371 err = cred->cr_ops->crrefresh(task); 372 if (err < 0) 373 task->tk_status = err; 374 return err; 375 } 376 377 void 378 rpcauth_invalcred(struct rpc_task *task) 379 { 380 dprintk("RPC: %4d invalidating %s cred %p\n", 381 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 382 spin_lock(&rpc_credcache_lock); 383 if (task->tk_msg.rpc_cred) 384 task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 385 spin_unlock(&rpc_credcache_lock); 386 } 387 388 int 389 rpcauth_uptodatecred(struct rpc_task *task) 390 { 391 return !(task->tk_msg.rpc_cred) || 392 (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); 393 } 394