Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/net/sunrpc/auth.c | |
3 | * | |
4 | * Generic RPC client authentication API. | |
5 | * | |
6 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | |
7 | */ | |
8 | ||
9 | #include <linux/types.h> | |
10 | #include <linux/sched.h> | |
11 | #include <linux/module.h> | |
12 | #include <linux/slab.h> | |
13 | #include <linux/errno.h> | |
1da177e4 LT |
14 | #include <linux/sunrpc/clnt.h> |
15 | #include <linux/spinlock.h> | |
16 | ||
17 | #ifdef RPC_DEBUG | |
18 | # define RPCDBG_FACILITY RPCDBG_AUTH | |
19 | #endif | |
20 | ||
fc1b356f | 21 | static DEFINE_SPINLOCK(rpc_authflavor_lock); |
1da177e4 LT |
22 | static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { |
23 | &authnull_ops, /* AUTH_NULL */ | |
24 | &authunix_ops, /* AUTH_UNIX */ | |
25 | NULL, /* others can be loadable modules */ | |
26 | }; | |
27 | ||
28 | static u32 | |
29 | pseudoflavor_to_flavor(u32 flavor) { | |
30 | if (flavor >= RPC_AUTH_MAXFLAVOR) | |
31 | return RPC_AUTH_GSS; | |
32 | return flavor; | |
33 | } | |
34 | ||
35 | int | |
36 | rpcauth_register(struct rpc_authops *ops) | |
37 | { | |
38 | rpc_authflavor_t flavor; | |
fc1b356f | 39 | int ret = -EPERM; |
1da177e4 LT |
40 | |
41 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
42 | return -EINVAL; | |
fc1b356f TM |
43 | spin_lock(&rpc_authflavor_lock); |
44 | if (auth_flavors[flavor] == NULL) { | |
45 | auth_flavors[flavor] = ops; | |
46 | ret = 0; | |
47 | } | |
48 | spin_unlock(&rpc_authflavor_lock); | |
49 | return ret; | |
1da177e4 LT |
50 | } |
51 | ||
52 | int | |
53 | rpcauth_unregister(struct rpc_authops *ops) | |
54 | { | |
55 | rpc_authflavor_t flavor; | |
fc1b356f | 56 | int ret = -EPERM; |
1da177e4 LT |
57 | |
58 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | |
59 | return -EINVAL; | |
fc1b356f TM |
60 | spin_lock(&rpc_authflavor_lock); |
61 | if (auth_flavors[flavor] == ops) { | |
62 | auth_flavors[flavor] = NULL; | |
63 | ret = 0; | |
64 | } | |
65 | spin_unlock(&rpc_authflavor_lock); | |
66 | return ret; | |
1da177e4 LT |
67 | } |
68 | ||
69 | struct rpc_auth * | |
70 | rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) | |
71 | { | |
72 | struct rpc_auth *auth; | |
73 | struct rpc_authops *ops; | |
74 | u32 flavor = pseudoflavor_to_flavor(pseudoflavor); | |
75 | ||
f344f6df OK |
76 | auth = ERR_PTR(-EINVAL); |
77 | if (flavor >= RPC_AUTH_MAXFLAVOR) | |
78 | goto out; | |
79 | ||
f344f6df OK |
80 | #ifdef CONFIG_KMOD |
81 | if ((ops = auth_flavors[flavor]) == NULL) | |
82 | request_module("rpc-auth-%u", flavor); | |
83 | #endif | |
fc1b356f TM |
84 | spin_lock(&rpc_authflavor_lock); |
85 | ops = auth_flavors[flavor]; | |
86 | if (ops == NULL || !try_module_get(ops->owner)) { | |
87 | spin_unlock(&rpc_authflavor_lock); | |
f344f6df | 88 | goto out; |
fc1b356f TM |
89 | } |
90 | spin_unlock(&rpc_authflavor_lock); | |
1da177e4 | 91 | auth = ops->create(clnt, pseudoflavor); |
fc1b356f | 92 | module_put(ops->owner); |
6a19275a BF |
93 | if (IS_ERR(auth)) |
94 | return auth; | |
1da177e4 LT |
95 | if (clnt->cl_auth) |
96 | rpcauth_destroy(clnt->cl_auth); | |
97 | clnt->cl_auth = auth; | |
f344f6df OK |
98 | |
99 | out: | |
1da177e4 LT |
100 | return auth; |
101 | } | |
102 | ||
103 | void | |
104 | rpcauth_destroy(struct rpc_auth *auth) | |
105 | { | |
106 | if (!atomic_dec_and_test(&auth->au_count)) | |
107 | return; | |
108 | auth->au_ops->destroy(auth); | |
109 | } | |
110 | ||
111 | static DEFINE_SPINLOCK(rpc_credcache_lock); | |
112 | ||
113 | /* | |
114 | * Initialize RPC credential cache | |
115 | */ | |
116 | int | |
117 | rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) | |
118 | { | |
119 | struct rpc_cred_cache *new; | |
120 | int i; | |
121 | ||
8b3a7005 | 122 | new = kmalloc(sizeof(*new), GFP_KERNEL); |
1da177e4 LT |
123 | if (!new) |
124 | return -ENOMEM; | |
125 | for (i = 0; i < RPC_CREDCACHE_NR; i++) | |
126 | INIT_HLIST_HEAD(&new->hashtable[i]); | |
127 | new->expire = expire; | |
128 | new->nextgc = jiffies + (expire >> 1); | |
129 | auth->au_credcache = new; | |
130 | return 0; | |
131 | } | |
132 | ||
133 | /* | |
134 | * Destroy a list of credentials | |
135 | */ | |
136 | static inline | |
137 | void rpcauth_destroy_credlist(struct hlist_head *head) | |
138 | { | |
139 | struct rpc_cred *cred; | |
140 | ||
141 | while (!hlist_empty(head)) { | |
142 | cred = hlist_entry(head->first, struct rpc_cred, cr_hash); | |
143 | hlist_del_init(&cred->cr_hash); | |
144 | put_rpccred(cred); | |
145 | } | |
146 | } | |
147 | ||
148 | /* | |
149 | * Clear the RPC credential cache, and delete those credentials | |
150 | * that are not referenced. | |
151 | */ | |
152 | void | |
3ab9bb72 | 153 | rpcauth_clear_credcache(struct rpc_cred_cache *cache) |
1da177e4 | 154 | { |
1da177e4 LT |
155 | HLIST_HEAD(free); |
156 | struct hlist_node *pos, *next; | |
157 | struct rpc_cred *cred; | |
158 | int i; | |
159 | ||
160 | spin_lock(&rpc_credcache_lock); | |
161 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { | |
162 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | |
163 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | |
164 | __hlist_del(&cred->cr_hash); | |
165 | hlist_add_head(&cred->cr_hash, &free); | |
166 | } | |
167 | } | |
168 | spin_unlock(&rpc_credcache_lock); | |
169 | rpcauth_destroy_credlist(&free); | |
170 | } | |
171 | ||
3ab9bb72 TM |
172 | /* |
173 | * Destroy the RPC credential cache | |
174 | */ | |
175 | void | |
176 | rpcauth_destroy_credcache(struct rpc_auth *auth) | |
177 | { | |
178 | struct rpc_cred_cache *cache = auth->au_credcache; | |
179 | ||
180 | if (cache) { | |
181 | auth->au_credcache = NULL; | |
182 | rpcauth_clear_credcache(cache); | |
183 | kfree(cache); | |
184 | } | |
185 | } | |
186 | ||
1da177e4 LT |
187 | static void |
188 | rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) | |
189 | { | |
190 | if (atomic_read(&cred->cr_count) != 1) | |
191 | return; | |
192 | if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) | |
193 | cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | |
194 | if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { | |
195 | __hlist_del(&cred->cr_hash); | |
196 | hlist_add_head(&cred->cr_hash, free); | |
197 | } | |
198 | } | |
199 | ||
200 | /* | |
201 | * Remove stale credentials. Avoid sleeping inside the loop. | |
202 | */ | |
203 | static void | |
204 | rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) | |
205 | { | |
206 | struct rpc_cred_cache *cache = auth->au_credcache; | |
207 | struct hlist_node *pos, *next; | |
208 | struct rpc_cred *cred; | |
209 | int i; | |
210 | ||
46121cf7 | 211 | dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); |
1da177e4 LT |
212 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { |
213 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | |
214 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | |
215 | rpcauth_prune_expired(auth, cred, free); | |
216 | } | |
217 | } | |
218 | cache->nextgc = jiffies + cache->expire; | |
219 | } | |
220 | ||
221 | /* | |
222 | * Look up a process' credentials in the authentication cache | |
223 | */ | |
224 | struct rpc_cred * | |
225 | rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, | |
8a317760 | 226 | int flags) |
1da177e4 LT |
227 | { |
228 | struct rpc_cred_cache *cache = auth->au_credcache; | |
229 | HLIST_HEAD(free); | |
230 | struct hlist_node *pos, *next; | |
231 | struct rpc_cred *new = NULL, | |
232 | *cred = NULL; | |
233 | int nr = 0; | |
234 | ||
8a317760 | 235 | if (!(flags & RPCAUTH_LOOKUP_ROOTCREDS)) |
1da177e4 LT |
236 | nr = acred->uid & RPC_CREDCACHE_MASK; |
237 | retry: | |
238 | spin_lock(&rpc_credcache_lock); | |
239 | if (time_before(cache->nextgc, jiffies)) | |
240 | rpcauth_gc_credcache(auth, &free); | |
241 | hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { | |
242 | struct rpc_cred *entry; | |
cca5172a | 243 | entry = hlist_entry(pos, struct rpc_cred, cr_hash); |
8a317760 | 244 | if (entry->cr_ops->crmatch(acred, entry, flags)) { |
1da177e4 LT |
245 | hlist_del(&entry->cr_hash); |
246 | cred = entry; | |
247 | break; | |
248 | } | |
249 | rpcauth_prune_expired(auth, entry, &free); | |
250 | } | |
251 | if (new) { | |
252 | if (cred) | |
253 | hlist_add_head(&new->cr_hash, &free); | |
254 | else | |
255 | cred = new; | |
256 | } | |
257 | if (cred) { | |
258 | hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); | |
259 | get_rpccred(cred); | |
260 | } | |
261 | spin_unlock(&rpc_credcache_lock); | |
262 | ||
263 | rpcauth_destroy_credlist(&free); | |
264 | ||
265 | if (!cred) { | |
8a317760 | 266 | new = auth->au_ops->crcreate(auth, acred, flags); |
1da177e4 LT |
267 | if (!IS_ERR(new)) { |
268 | #ifdef RPC_DEBUG | |
269 | new->cr_magic = RPCAUTH_CRED_MAGIC; | |
270 | #endif | |
271 | goto retry; | |
272 | } else | |
273 | cred = new; | |
fba3bad4 TM |
274 | } else if ((cred->cr_flags & RPCAUTH_CRED_NEW) |
275 | && cred->cr_ops->cr_init != NULL | |
276 | && !(flags & RPCAUTH_LOOKUP_NEW)) { | |
277 | int res = cred->cr_ops->cr_init(auth, cred); | |
278 | if (res < 0) { | |
279 | put_rpccred(cred); | |
280 | cred = ERR_PTR(res); | |
281 | } | |
1da177e4 LT |
282 | } |
283 | ||
284 | return (struct rpc_cred *) cred; | |
285 | } | |
286 | ||
287 | struct rpc_cred * | |
8a317760 | 288 | rpcauth_lookupcred(struct rpc_auth *auth, int flags) |
1da177e4 LT |
289 | { |
290 | struct auth_cred acred = { | |
291 | .uid = current->fsuid, | |
292 | .gid = current->fsgid, | |
293 | .group_info = current->group_info, | |
294 | }; | |
295 | struct rpc_cred *ret; | |
296 | ||
46121cf7 | 297 | dprintk("RPC: looking up %s cred\n", |
1da177e4 LT |
298 | auth->au_ops->au_name); |
299 | get_group_info(acred.group_info); | |
8a317760 | 300 | ret = auth->au_ops->lookup_cred(auth, &acred, flags); |
1da177e4 LT |
301 | put_group_info(acred.group_info); |
302 | return ret; | |
303 | } | |
304 | ||
305 | struct rpc_cred * | |
306 | rpcauth_bindcred(struct rpc_task *task) | |
307 | { | |
308 | struct rpc_auth *auth = task->tk_auth; | |
309 | struct auth_cred acred = { | |
310 | .uid = current->fsuid, | |
311 | .gid = current->fsgid, | |
312 | .group_info = current->group_info, | |
313 | }; | |
314 | struct rpc_cred *ret; | |
8a317760 | 315 | int flags = 0; |
1da177e4 | 316 | |
46121cf7 | 317 | dprintk("RPC: %5u looking up %s cred\n", |
1da177e4 LT |
318 | task->tk_pid, task->tk_auth->au_ops->au_name); |
319 | get_group_info(acred.group_info); | |
8a317760 TM |
320 | if (task->tk_flags & RPC_TASK_ROOTCREDS) |
321 | flags |= RPCAUTH_LOOKUP_ROOTCREDS; | |
322 | ret = auth->au_ops->lookup_cred(auth, &acred, flags); | |
1da177e4 LT |
323 | if (!IS_ERR(ret)) |
324 | task->tk_msg.rpc_cred = ret; | |
325 | else | |
326 | task->tk_status = PTR_ERR(ret); | |
327 | put_group_info(acred.group_info); | |
328 | return ret; | |
329 | } | |
330 | ||
331 | void | |
332 | rpcauth_holdcred(struct rpc_task *task) | |
333 | { | |
46121cf7 CL |
334 | dprintk("RPC: %5u holding %s cred %p\n", |
335 | task->tk_pid, task->tk_auth->au_ops->au_name, | |
336 | task->tk_msg.rpc_cred); | |
1da177e4 LT |
337 | if (task->tk_msg.rpc_cred) |
338 | get_rpccred(task->tk_msg.rpc_cred); | |
339 | } | |
340 | ||
341 | void | |
342 | put_rpccred(struct rpc_cred *cred) | |
343 | { | |
344 | cred->cr_expire = jiffies; | |
345 | if (!atomic_dec_and_test(&cred->cr_count)) | |
346 | return; | |
347 | cred->cr_ops->crdestroy(cred); | |
348 | } | |
349 | ||
350 | void | |
351 | rpcauth_unbindcred(struct rpc_task *task) | |
352 | { | |
1da177e4 LT |
353 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
354 | ||
46121cf7 | 355 | dprintk("RPC: %5u releasing %s cred %p\n", |
0bbacc40 | 356 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
1da177e4 LT |
357 | |
358 | put_rpccred(cred); | |
359 | task->tk_msg.rpc_cred = NULL; | |
360 | } | |
361 | ||
d8ed029d AD |
362 | __be32 * |
363 | rpcauth_marshcred(struct rpc_task *task, __be32 *p) | |
1da177e4 | 364 | { |
1da177e4 LT |
365 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
366 | ||
46121cf7 | 367 | dprintk("RPC: %5u marshaling %s cred %p\n", |
0bbacc40 CL |
368 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
369 | ||
1da177e4 LT |
370 | return cred->cr_ops->crmarshal(task, p); |
371 | } | |
372 | ||
d8ed029d AD |
373 | __be32 * |
374 | rpcauth_checkverf(struct rpc_task *task, __be32 *p) | |
1da177e4 | 375 | { |
1da177e4 LT |
376 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
377 | ||
46121cf7 | 378 | dprintk("RPC: %5u validating %s cred %p\n", |
0bbacc40 CL |
379 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
380 | ||
1da177e4 LT |
381 | return cred->cr_ops->crvalidate(task, p); |
382 | } | |
383 | ||
384 | int | |
385 | rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, | |
d8ed029d | 386 | __be32 *data, void *obj) |
1da177e4 LT |
387 | { |
388 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | |
389 | ||
46121cf7 | 390 | dprintk("RPC: %5u using %s cred %p to wrap rpc data\n", |
1da177e4 LT |
391 | task->tk_pid, cred->cr_ops->cr_name, cred); |
392 | if (cred->cr_ops->crwrap_req) | |
393 | return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); | |
394 | /* By default, we encode the arguments normally. */ | |
395 | return encode(rqstp, data, obj); | |
396 | } | |
397 | ||
398 | int | |
399 | rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, | |
d8ed029d | 400 | __be32 *data, void *obj) |
1da177e4 LT |
401 | { |
402 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | |
403 | ||
46121cf7 | 404 | dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n", |
1da177e4 LT |
405 | task->tk_pid, cred->cr_ops->cr_name, cred); |
406 | if (cred->cr_ops->crunwrap_resp) | |
407 | return cred->cr_ops->crunwrap_resp(task, decode, rqstp, | |
408 | data, obj); | |
409 | /* By default, we decode the arguments normally. */ | |
410 | return decode(rqstp, data, obj); | |
411 | } | |
412 | ||
413 | int | |
414 | rpcauth_refreshcred(struct rpc_task *task) | |
415 | { | |
1da177e4 LT |
416 | struct rpc_cred *cred = task->tk_msg.rpc_cred; |
417 | int err; | |
418 | ||
46121cf7 | 419 | dprintk("RPC: %5u refreshing %s cred %p\n", |
0bbacc40 CL |
420 | task->tk_pid, task->tk_auth->au_ops->au_name, cred); |
421 | ||
1da177e4 LT |
422 | err = cred->cr_ops->crrefresh(task); |
423 | if (err < 0) | |
424 | task->tk_status = err; | |
425 | return err; | |
426 | } | |
427 | ||
428 | void | |
429 | rpcauth_invalcred(struct rpc_task *task) | |
430 | { | |
46121cf7 | 431 | dprintk("RPC: %5u invalidating %s cred %p\n", |
1da177e4 LT |
432 | task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); |
433 | spin_lock(&rpc_credcache_lock); | |
434 | if (task->tk_msg.rpc_cred) | |
435 | task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | |
436 | spin_unlock(&rpc_credcache_lock); | |
437 | } | |
438 | ||
439 | int | |
440 | rpcauth_uptodatecred(struct rpc_task *task) | |
441 | { | |
442 | return !(task->tk_msg.rpc_cred) || | |
443 | (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); | |
444 | } |