1 /* 2 * linux/net/sunrpc/auth.c 3 * 4 * Generic RPC client authentication API. 5 * 6 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> 7 */ 8 9 #include <linux/types.h> 10 #include <linux/sched.h> 11 #include <linux/module.h> 12 #include <linux/slab.h> 13 #include <linux/errno.h> 14 #include <linux/sunrpc/clnt.h> 15 #include <linux/spinlock.h> 16 17 #ifdef RPC_DEBUG 18 # define RPCDBG_FACILITY RPCDBG_AUTH 19 #endif 20 21 static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { 22 &authnull_ops, /* AUTH_NULL */ 23 &authunix_ops, /* AUTH_UNIX */ 24 NULL, /* others can be loadable modules */ 25 }; 26 27 static u32 28 pseudoflavor_to_flavor(u32 flavor) { 29 if (flavor >= RPC_AUTH_MAXFLAVOR) 30 return RPC_AUTH_GSS; 31 return flavor; 32 } 33 34 int 35 rpcauth_register(struct rpc_authops *ops) 36 { 37 rpc_authflavor_t flavor; 38 39 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 40 return -EINVAL; 41 if (auth_flavors[flavor] != NULL) 42 return -EPERM; /* what else? */ 43 auth_flavors[flavor] = ops; 44 return 0; 45 } 46 47 int 48 rpcauth_unregister(struct rpc_authops *ops) 49 { 50 rpc_authflavor_t flavor; 51 52 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) 53 return -EINVAL; 54 if (auth_flavors[flavor] != ops) 55 return -EPERM; /* what else? */ 56 auth_flavors[flavor] = NULL; 57 return 0; 58 } 59 60 struct rpc_auth * 61 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) 62 { 63 struct rpc_auth *auth; 64 struct rpc_authops *ops; 65 u32 flavor = pseudoflavor_to_flavor(pseudoflavor); 66 67 if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor])) 68 return ERR_PTR(-EINVAL); 69 auth = ops->create(clnt, pseudoflavor); 70 if (IS_ERR(auth)) 71 return auth; 72 if (clnt->cl_auth) 73 rpcauth_destroy(clnt->cl_auth); 74 clnt->cl_auth = auth; 75 return auth; 76 } 77 78 void 79 rpcauth_destroy(struct rpc_auth *auth) 80 { 81 if (!atomic_dec_and_test(&auth->au_count)) 82 return; 83 auth->au_ops->destroy(auth); 84 } 85 86 static DEFINE_SPINLOCK(rpc_credcache_lock); 87 88 /* 89 * Initialize RPC credential cache 90 */ 91 int 92 rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) 93 { 94 struct rpc_cred_cache *new; 95 int i; 96 97 new = kmalloc(sizeof(*new), GFP_KERNEL); 98 if (!new) 99 return -ENOMEM; 100 for (i = 0; i < RPC_CREDCACHE_NR; i++) 101 INIT_HLIST_HEAD(&new->hashtable[i]); 102 new->expire = expire; 103 new->nextgc = jiffies + (expire >> 1); 104 auth->au_credcache = new; 105 return 0; 106 } 107 108 /* 109 * Destroy a list of credentials 110 */ 111 static inline 112 void rpcauth_destroy_credlist(struct hlist_head *head) 113 { 114 struct rpc_cred *cred; 115 116 while (!hlist_empty(head)) { 117 cred = hlist_entry(head->first, struct rpc_cred, cr_hash); 118 hlist_del_init(&cred->cr_hash); 119 put_rpccred(cred); 120 } 121 } 122 123 /* 124 * Clear the RPC credential cache, and delete those credentials 125 * that are not referenced. 126 */ 127 void 128 rpcauth_free_credcache(struct rpc_auth *auth) 129 { 130 struct rpc_cred_cache *cache = auth->au_credcache; 131 HLIST_HEAD(free); 132 struct hlist_node *pos, *next; 133 struct rpc_cred *cred; 134 int i; 135 136 spin_lock(&rpc_credcache_lock); 137 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 138 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 139 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 140 __hlist_del(&cred->cr_hash); 141 hlist_add_head(&cred->cr_hash, &free); 142 } 143 } 144 spin_unlock(&rpc_credcache_lock); 145 rpcauth_destroy_credlist(&free); 146 } 147 148 static void 149 rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) 150 { 151 if (atomic_read(&cred->cr_count) != 1) 152 return; 153 if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) 154 cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 155 if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { 156 __hlist_del(&cred->cr_hash); 157 hlist_add_head(&cred->cr_hash, free); 158 } 159 } 160 161 /* 162 * Remove stale credentials. Avoid sleeping inside the loop. 163 */ 164 static void 165 rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) 166 { 167 struct rpc_cred_cache *cache = auth->au_credcache; 168 struct hlist_node *pos, *next; 169 struct rpc_cred *cred; 170 int i; 171 172 dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); 173 for (i = 0; i < RPC_CREDCACHE_NR; i++) { 174 hlist_for_each_safe(pos, next, &cache->hashtable[i]) { 175 cred = hlist_entry(pos, struct rpc_cred, cr_hash); 176 rpcauth_prune_expired(auth, cred, free); 177 } 178 } 179 cache->nextgc = jiffies + cache->expire; 180 } 181 182 /* 183 * Look up a process' credentials in the authentication cache 184 */ 185 struct rpc_cred * 186 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, 187 int flags) 188 { 189 struct rpc_cred_cache *cache = auth->au_credcache; 190 HLIST_HEAD(free); 191 struct hlist_node *pos, *next; 192 struct rpc_cred *new = NULL, 193 *cred = NULL; 194 int nr = 0; 195 196 if (!(flags & RPCAUTH_LOOKUP_ROOTCREDS)) 197 nr = acred->uid & RPC_CREDCACHE_MASK; 198 retry: 199 spin_lock(&rpc_credcache_lock); 200 if (time_before(cache->nextgc, jiffies)) 201 rpcauth_gc_credcache(auth, &free); 202 hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { 203 struct rpc_cred *entry; 204 entry = hlist_entry(pos, struct rpc_cred, cr_hash); 205 if (entry->cr_ops->crmatch(acred, entry, flags)) { 206 hlist_del(&entry->cr_hash); 207 cred = entry; 208 break; 209 } 210 rpcauth_prune_expired(auth, entry, &free); 211 } 212 if (new) { 213 if (cred) 214 hlist_add_head(&new->cr_hash, &free); 215 else 216 cred = new; 217 } 218 if (cred) { 219 hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); 220 get_rpccred(cred); 221 } 222 spin_unlock(&rpc_credcache_lock); 223 224 rpcauth_destroy_credlist(&free); 225 226 if (!cred) { 227 new = auth->au_ops->crcreate(auth, acred, flags); 228 if (!IS_ERR(new)) { 229 #ifdef RPC_DEBUG 230 new->cr_magic = RPCAUTH_CRED_MAGIC; 231 #endif 232 goto retry; 233 } else 234 cred = new; 235 } else if ((cred->cr_flags & RPCAUTH_CRED_NEW) 236 && cred->cr_ops->cr_init != NULL 237 && !(flags & RPCAUTH_LOOKUP_NEW)) { 238 int res = cred->cr_ops->cr_init(auth, cred); 239 if (res < 0) { 240 put_rpccred(cred); 241 cred = ERR_PTR(res); 242 } 243 } 244 245 return (struct rpc_cred *) cred; 246 } 247 248 struct rpc_cred * 249 rpcauth_lookupcred(struct rpc_auth *auth, int flags) 250 { 251 struct auth_cred acred = { 252 .uid = current->fsuid, 253 .gid = current->fsgid, 254 .group_info = current->group_info, 255 }; 256 struct rpc_cred *ret; 257 258 dprintk("RPC: looking up %s cred\n", 259 auth->au_ops->au_name); 260 get_group_info(acred.group_info); 261 ret = auth->au_ops->lookup_cred(auth, &acred, flags); 262 put_group_info(acred.group_info); 263 return ret; 264 } 265 266 struct rpc_cred * 267 rpcauth_bindcred(struct rpc_task *task) 268 { 269 struct rpc_auth *auth = task->tk_auth; 270 struct auth_cred acred = { 271 .uid = current->fsuid, 272 .gid = current->fsgid, 273 .group_info = current->group_info, 274 }; 275 struct rpc_cred *ret; 276 int flags = 0; 277 278 dprintk("RPC: %4d looking up %s cred\n", 279 task->tk_pid, task->tk_auth->au_ops->au_name); 280 get_group_info(acred.group_info); 281 if (task->tk_flags & RPC_TASK_ROOTCREDS) 282 flags |= RPCAUTH_LOOKUP_ROOTCREDS; 283 ret = auth->au_ops->lookup_cred(auth, &acred, flags); 284 if (!IS_ERR(ret)) 285 task->tk_msg.rpc_cred = ret; 286 else 287 task->tk_status = PTR_ERR(ret); 288 put_group_info(acred.group_info); 289 return ret; 290 } 291 292 void 293 rpcauth_holdcred(struct rpc_task *task) 294 { 295 dprintk("RPC: %4d holding %s cred %p\n", 296 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 297 if (task->tk_msg.rpc_cred) 298 get_rpccred(task->tk_msg.rpc_cred); 299 } 300 301 void 302 put_rpccred(struct rpc_cred *cred) 303 { 304 cred->cr_expire = jiffies; 305 if (!atomic_dec_and_test(&cred->cr_count)) 306 return; 307 cred->cr_ops->crdestroy(cred); 308 } 309 310 void 311 rpcauth_unbindcred(struct rpc_task *task) 312 { 313 struct rpc_cred *cred = task->tk_msg.rpc_cred; 314 315 dprintk("RPC: %4d releasing %s cred %p\n", 316 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 317 318 put_rpccred(cred); 319 task->tk_msg.rpc_cred = NULL; 320 } 321 322 u32 * 323 rpcauth_marshcred(struct rpc_task *task, u32 *p) 324 { 325 struct rpc_cred *cred = task->tk_msg.rpc_cred; 326 327 dprintk("RPC: %4d marshaling %s cred %p\n", 328 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 329 330 return cred->cr_ops->crmarshal(task, p); 331 } 332 333 u32 * 334 rpcauth_checkverf(struct rpc_task *task, u32 *p) 335 { 336 struct rpc_cred *cred = task->tk_msg.rpc_cred; 337 338 dprintk("RPC: %4d validating %s cred %p\n", 339 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 340 341 return cred->cr_ops->crvalidate(task, p); 342 } 343 344 int 345 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, 346 u32 *data, void *obj) 347 { 348 struct rpc_cred *cred = task->tk_msg.rpc_cred; 349 350 dprintk("RPC: %4d using %s cred %p to wrap rpc data\n", 351 task->tk_pid, cred->cr_ops->cr_name, cred); 352 if (cred->cr_ops->crwrap_req) 353 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); 354 /* By default, we encode the arguments normally. */ 355 return encode(rqstp, data, obj); 356 } 357 358 int 359 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, 360 u32 *data, void *obj) 361 { 362 struct rpc_cred *cred = task->tk_msg.rpc_cred; 363 364 dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n", 365 task->tk_pid, cred->cr_ops->cr_name, cred); 366 if (cred->cr_ops->crunwrap_resp) 367 return cred->cr_ops->crunwrap_resp(task, decode, rqstp, 368 data, obj); 369 /* By default, we decode the arguments normally. */ 370 return decode(rqstp, data, obj); 371 } 372 373 int 374 rpcauth_refreshcred(struct rpc_task *task) 375 { 376 struct rpc_cred *cred = task->tk_msg.rpc_cred; 377 int err; 378 379 dprintk("RPC: %4d refreshing %s cred %p\n", 380 task->tk_pid, task->tk_auth->au_ops->au_name, cred); 381 382 err = cred->cr_ops->crrefresh(task); 383 if (err < 0) 384 task->tk_status = err; 385 return err; 386 } 387 388 void 389 rpcauth_invalcred(struct rpc_task *task) 390 { 391 dprintk("RPC: %4d invalidating %s cred %p\n", 392 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); 393 spin_lock(&rpc_credcache_lock); 394 if (task->tk_msg.rpc_cred) 395 task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; 396 spin_unlock(&rpc_credcache_lock); 397 } 398 399 int 400 rpcauth_uptodatecred(struct rpc_task *task) 401 { 402 return !(task->tk_msg.rpc_cred) || 403 (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); 404 } 405