diff options
Diffstat (limited to 'net/sunrpc/auth.c')
-rw-r--r-- | net/sunrpc/auth.c | 395 |
1 files changed, 395 insertions, 0 deletions
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c new file mode 100644 index 000000000000..9bcec9b927b9 --- /dev/null +++ b/net/sunrpc/auth.c | |||
@@ -0,0 +1,395 @@ | |||
1 | /* | ||
2 | * linux/net/sunrpc/auth.c | ||
3 | * | ||
4 | * Generic RPC client authentication API. | ||
5 | * | ||
6 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | ||
7 | */ | ||
8 | |||
9 | #include <linux/types.h> | ||
10 | #include <linux/sched.h> | ||
11 | #include <linux/module.h> | ||
12 | #include <linux/slab.h> | ||
13 | #include <linux/errno.h> | ||
14 | #include <linux/socket.h> | ||
15 | #include <linux/sunrpc/clnt.h> | ||
16 | #include <linux/spinlock.h> | ||
17 | |||
18 | #ifdef RPC_DEBUG | ||
19 | # define RPCDBG_FACILITY RPCDBG_AUTH | ||
20 | #endif | ||
21 | |||
22 | static struct rpc_authops * auth_flavors[RPC_AUTH_MAXFLAVOR] = { | ||
23 | &authnull_ops, /* AUTH_NULL */ | ||
24 | &authunix_ops, /* AUTH_UNIX */ | ||
25 | NULL, /* others can be loadable modules */ | ||
26 | }; | ||
27 | |||
28 | static u32 | ||
29 | pseudoflavor_to_flavor(u32 flavor) { | ||
30 | if (flavor >= RPC_AUTH_MAXFLAVOR) | ||
31 | return RPC_AUTH_GSS; | ||
32 | return flavor; | ||
33 | } | ||
34 | |||
35 | int | ||
36 | rpcauth_register(struct rpc_authops *ops) | ||
37 | { | ||
38 | rpc_authflavor_t flavor; | ||
39 | |||
40 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | ||
41 | return -EINVAL; | ||
42 | if (auth_flavors[flavor] != NULL) | ||
43 | return -EPERM; /* what else? */ | ||
44 | auth_flavors[flavor] = ops; | ||
45 | return 0; | ||
46 | } | ||
47 | |||
48 | int | ||
49 | rpcauth_unregister(struct rpc_authops *ops) | ||
50 | { | ||
51 | rpc_authflavor_t flavor; | ||
52 | |||
53 | if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR) | ||
54 | return -EINVAL; | ||
55 | if (auth_flavors[flavor] != ops) | ||
56 | return -EPERM; /* what else? */ | ||
57 | auth_flavors[flavor] = NULL; | ||
58 | return 0; | ||
59 | } | ||
60 | |||
61 | struct rpc_auth * | ||
62 | rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt) | ||
63 | { | ||
64 | struct rpc_auth *auth; | ||
65 | struct rpc_authops *ops; | ||
66 | u32 flavor = pseudoflavor_to_flavor(pseudoflavor); | ||
67 | |||
68 | if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor])) | ||
69 | return NULL; | ||
70 | auth = ops->create(clnt, pseudoflavor); | ||
71 | if (!auth) | ||
72 | return NULL; | ||
73 | if (clnt->cl_auth) | ||
74 | rpcauth_destroy(clnt->cl_auth); | ||
75 | clnt->cl_auth = auth; | ||
76 | return auth; | ||
77 | } | ||
78 | |||
79 | void | ||
80 | rpcauth_destroy(struct rpc_auth *auth) | ||
81 | { | ||
82 | if (!atomic_dec_and_test(&auth->au_count)) | ||
83 | return; | ||
84 | auth->au_ops->destroy(auth); | ||
85 | } | ||
86 | |||
87 | static DEFINE_SPINLOCK(rpc_credcache_lock); | ||
88 | |||
89 | /* | ||
90 | * Initialize RPC credential cache | ||
91 | */ | ||
92 | int | ||
93 | rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire) | ||
94 | { | ||
95 | struct rpc_cred_cache *new; | ||
96 | int i; | ||
97 | |||
98 | new = (struct rpc_cred_cache *)kmalloc(sizeof(*new), GFP_KERNEL); | ||
99 | if (!new) | ||
100 | return -ENOMEM; | ||
101 | for (i = 0; i < RPC_CREDCACHE_NR; i++) | ||
102 | INIT_HLIST_HEAD(&new->hashtable[i]); | ||
103 | new->expire = expire; | ||
104 | new->nextgc = jiffies + (expire >> 1); | ||
105 | auth->au_credcache = new; | ||
106 | return 0; | ||
107 | } | ||
108 | |||
109 | /* | ||
110 | * Destroy a list of credentials | ||
111 | */ | ||
112 | static inline | ||
113 | void rpcauth_destroy_credlist(struct hlist_head *head) | ||
114 | { | ||
115 | struct rpc_cred *cred; | ||
116 | |||
117 | while (!hlist_empty(head)) { | ||
118 | cred = hlist_entry(head->first, struct rpc_cred, cr_hash); | ||
119 | hlist_del_init(&cred->cr_hash); | ||
120 | put_rpccred(cred); | ||
121 | } | ||
122 | } | ||
123 | |||
124 | /* | ||
125 | * Clear the RPC credential cache, and delete those credentials | ||
126 | * that are not referenced. | ||
127 | */ | ||
128 | void | ||
129 | rpcauth_free_credcache(struct rpc_auth *auth) | ||
130 | { | ||
131 | struct rpc_cred_cache *cache = auth->au_credcache; | ||
132 | HLIST_HEAD(free); | ||
133 | struct hlist_node *pos, *next; | ||
134 | struct rpc_cred *cred; | ||
135 | int i; | ||
136 | |||
137 | spin_lock(&rpc_credcache_lock); | ||
138 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { | ||
139 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | ||
140 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | ||
141 | __hlist_del(&cred->cr_hash); | ||
142 | hlist_add_head(&cred->cr_hash, &free); | ||
143 | } | ||
144 | } | ||
145 | spin_unlock(&rpc_credcache_lock); | ||
146 | rpcauth_destroy_credlist(&free); | ||
147 | } | ||
148 | |||
149 | static void | ||
150 | rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free) | ||
151 | { | ||
152 | if (atomic_read(&cred->cr_count) != 1) | ||
153 | return; | ||
154 | if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire)) | ||
155 | cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | ||
156 | if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) { | ||
157 | __hlist_del(&cred->cr_hash); | ||
158 | hlist_add_head(&cred->cr_hash, free); | ||
159 | } | ||
160 | } | ||
161 | |||
162 | /* | ||
163 | * Remove stale credentials. Avoid sleeping inside the loop. | ||
164 | */ | ||
165 | static void | ||
166 | rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free) | ||
167 | { | ||
168 | struct rpc_cred_cache *cache = auth->au_credcache; | ||
169 | struct hlist_node *pos, *next; | ||
170 | struct rpc_cred *cred; | ||
171 | int i; | ||
172 | |||
173 | dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth); | ||
174 | for (i = 0; i < RPC_CREDCACHE_NR; i++) { | ||
175 | hlist_for_each_safe(pos, next, &cache->hashtable[i]) { | ||
176 | cred = hlist_entry(pos, struct rpc_cred, cr_hash); | ||
177 | rpcauth_prune_expired(auth, cred, free); | ||
178 | } | ||
179 | } | ||
180 | cache->nextgc = jiffies + cache->expire; | ||
181 | } | ||
182 | |||
183 | /* | ||
184 | * Look up a process' credentials in the authentication cache | ||
185 | */ | ||
186 | struct rpc_cred * | ||
187 | rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred, | ||
188 | int taskflags) | ||
189 | { | ||
190 | struct rpc_cred_cache *cache = auth->au_credcache; | ||
191 | HLIST_HEAD(free); | ||
192 | struct hlist_node *pos, *next; | ||
193 | struct rpc_cred *new = NULL, | ||
194 | *cred = NULL; | ||
195 | int nr = 0; | ||
196 | |||
197 | if (!(taskflags & RPC_TASK_ROOTCREDS)) | ||
198 | nr = acred->uid & RPC_CREDCACHE_MASK; | ||
199 | retry: | ||
200 | spin_lock(&rpc_credcache_lock); | ||
201 | if (time_before(cache->nextgc, jiffies)) | ||
202 | rpcauth_gc_credcache(auth, &free); | ||
203 | hlist_for_each_safe(pos, next, &cache->hashtable[nr]) { | ||
204 | struct rpc_cred *entry; | ||
205 | entry = hlist_entry(pos, struct rpc_cred, cr_hash); | ||
206 | if (entry->cr_ops->crmatch(acred, entry, taskflags)) { | ||
207 | hlist_del(&entry->cr_hash); | ||
208 | cred = entry; | ||
209 | break; | ||
210 | } | ||
211 | rpcauth_prune_expired(auth, entry, &free); | ||
212 | } | ||
213 | if (new) { | ||
214 | if (cred) | ||
215 | hlist_add_head(&new->cr_hash, &free); | ||
216 | else | ||
217 | cred = new; | ||
218 | } | ||
219 | if (cred) { | ||
220 | hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]); | ||
221 | get_rpccred(cred); | ||
222 | } | ||
223 | spin_unlock(&rpc_credcache_lock); | ||
224 | |||
225 | rpcauth_destroy_credlist(&free); | ||
226 | |||
227 | if (!cred) { | ||
228 | new = auth->au_ops->crcreate(auth, acred, taskflags); | ||
229 | if (!IS_ERR(new)) { | ||
230 | #ifdef RPC_DEBUG | ||
231 | new->cr_magic = RPCAUTH_CRED_MAGIC; | ||
232 | #endif | ||
233 | goto retry; | ||
234 | } else | ||
235 | cred = new; | ||
236 | } | ||
237 | |||
238 | return (struct rpc_cred *) cred; | ||
239 | } | ||
240 | |||
241 | struct rpc_cred * | ||
242 | rpcauth_lookupcred(struct rpc_auth *auth, int taskflags) | ||
243 | { | ||
244 | struct auth_cred acred = { | ||
245 | .uid = current->fsuid, | ||
246 | .gid = current->fsgid, | ||
247 | .group_info = current->group_info, | ||
248 | }; | ||
249 | struct rpc_cred *ret; | ||
250 | |||
251 | dprintk("RPC: looking up %s cred\n", | ||
252 | auth->au_ops->au_name); | ||
253 | get_group_info(acred.group_info); | ||
254 | ret = auth->au_ops->lookup_cred(auth, &acred, taskflags); | ||
255 | put_group_info(acred.group_info); | ||
256 | return ret; | ||
257 | } | ||
258 | |||
259 | struct rpc_cred * | ||
260 | rpcauth_bindcred(struct rpc_task *task) | ||
261 | { | ||
262 | struct rpc_auth *auth = task->tk_auth; | ||
263 | struct auth_cred acred = { | ||
264 | .uid = current->fsuid, | ||
265 | .gid = current->fsgid, | ||
266 | .group_info = current->group_info, | ||
267 | }; | ||
268 | struct rpc_cred *ret; | ||
269 | |||
270 | dprintk("RPC: %4d looking up %s cred\n", | ||
271 | task->tk_pid, task->tk_auth->au_ops->au_name); | ||
272 | get_group_info(acred.group_info); | ||
273 | ret = auth->au_ops->lookup_cred(auth, &acred, task->tk_flags); | ||
274 | if (!IS_ERR(ret)) | ||
275 | task->tk_msg.rpc_cred = ret; | ||
276 | else | ||
277 | task->tk_status = PTR_ERR(ret); | ||
278 | put_group_info(acred.group_info); | ||
279 | return ret; | ||
280 | } | ||
281 | |||
282 | void | ||
283 | rpcauth_holdcred(struct rpc_task *task) | ||
284 | { | ||
285 | dprintk("RPC: %4d holding %s cred %p\n", | ||
286 | task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); | ||
287 | if (task->tk_msg.rpc_cred) | ||
288 | get_rpccred(task->tk_msg.rpc_cred); | ||
289 | } | ||
290 | |||
291 | void | ||
292 | put_rpccred(struct rpc_cred *cred) | ||
293 | { | ||
294 | cred->cr_expire = jiffies; | ||
295 | if (!atomic_dec_and_test(&cred->cr_count)) | ||
296 | return; | ||
297 | cred->cr_ops->crdestroy(cred); | ||
298 | } | ||
299 | |||
300 | void | ||
301 | rpcauth_unbindcred(struct rpc_task *task) | ||
302 | { | ||
303 | struct rpc_auth *auth = task->tk_auth; | ||
304 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
305 | |||
306 | dprintk("RPC: %4d releasing %s cred %p\n", | ||
307 | task->tk_pid, auth->au_ops->au_name, cred); | ||
308 | |||
309 | put_rpccred(cred); | ||
310 | task->tk_msg.rpc_cred = NULL; | ||
311 | } | ||
312 | |||
313 | u32 * | ||
314 | rpcauth_marshcred(struct rpc_task *task, u32 *p) | ||
315 | { | ||
316 | struct rpc_auth *auth = task->tk_auth; | ||
317 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
318 | |||
319 | dprintk("RPC: %4d marshaling %s cred %p\n", | ||
320 | task->tk_pid, auth->au_ops->au_name, cred); | ||
321 | return cred->cr_ops->crmarshal(task, p); | ||
322 | } | ||
323 | |||
324 | u32 * | ||
325 | rpcauth_checkverf(struct rpc_task *task, u32 *p) | ||
326 | { | ||
327 | struct rpc_auth *auth = task->tk_auth; | ||
328 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
329 | |||
330 | dprintk("RPC: %4d validating %s cred %p\n", | ||
331 | task->tk_pid, auth->au_ops->au_name, cred); | ||
332 | return cred->cr_ops->crvalidate(task, p); | ||
333 | } | ||
334 | |||
335 | int | ||
336 | rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp, | ||
337 | u32 *data, void *obj) | ||
338 | { | ||
339 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
340 | |||
341 | dprintk("RPC: %4d using %s cred %p to wrap rpc data\n", | ||
342 | task->tk_pid, cred->cr_ops->cr_name, cred); | ||
343 | if (cred->cr_ops->crwrap_req) | ||
344 | return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj); | ||
345 | /* By default, we encode the arguments normally. */ | ||
346 | return encode(rqstp, data, obj); | ||
347 | } | ||
348 | |||
349 | int | ||
350 | rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp, | ||
351 | u32 *data, void *obj) | ||
352 | { | ||
353 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
354 | |||
355 | dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n", | ||
356 | task->tk_pid, cred->cr_ops->cr_name, cred); | ||
357 | if (cred->cr_ops->crunwrap_resp) | ||
358 | return cred->cr_ops->crunwrap_resp(task, decode, rqstp, | ||
359 | data, obj); | ||
360 | /* By default, we decode the arguments normally. */ | ||
361 | return decode(rqstp, data, obj); | ||
362 | } | ||
363 | |||
364 | int | ||
365 | rpcauth_refreshcred(struct rpc_task *task) | ||
366 | { | ||
367 | struct rpc_auth *auth = task->tk_auth; | ||
368 | struct rpc_cred *cred = task->tk_msg.rpc_cred; | ||
369 | int err; | ||
370 | |||
371 | dprintk("RPC: %4d refreshing %s cred %p\n", | ||
372 | task->tk_pid, auth->au_ops->au_name, cred); | ||
373 | err = cred->cr_ops->crrefresh(task); | ||
374 | if (err < 0) | ||
375 | task->tk_status = err; | ||
376 | return err; | ||
377 | } | ||
378 | |||
379 | void | ||
380 | rpcauth_invalcred(struct rpc_task *task) | ||
381 | { | ||
382 | dprintk("RPC: %4d invalidating %s cred %p\n", | ||
383 | task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred); | ||
384 | spin_lock(&rpc_credcache_lock); | ||
385 | if (task->tk_msg.rpc_cred) | ||
386 | task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE; | ||
387 | spin_unlock(&rpc_credcache_lock); | ||
388 | } | ||
389 | |||
390 | int | ||
391 | rpcauth_uptodatecred(struct rpc_task *task) | ||
392 | { | ||
393 | return !(task->tk_msg.rpc_cred) || | ||
394 | (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE); | ||
395 | } | ||