net/sunrpc/auth.c

   1 /*
   2  * linux/net/sunrpc/auth.c
   3  *
   4  * Generic RPC client authentication API.
   5  *
   6  * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
   7  */
   8
   9 #include <linux/types.h>
  10 #include <linux/sched.h>
  11 #include <linux/module.h>
  12 #include <linux/slab.h>
  13 #include <linux/errno.h>
  14 #include <linux/sunrpc/clnt.h>
  15 #include <linux/spinlock.h>
  16 #include <linux/vserver/xid.h>
  17
  18 #ifdef RPC_DEBUG
  19 # define RPCDBG_FACILITY        RPCDBG_AUTH
  20 #endif
  21
  22 static struct rpc_authops *     auth_flavors[RPC_AUTH_MAXFLAVOR] = {
  23         &authnull_ops,          /* AUTH_NULL */
  24         &authunix_ops,          /* AUTH_UNIX */
  25         NULL,                   /* others can be loadable modules */
  26 };
  27
  28 static u32
  29 pseudoflavor_to_flavor(u32 flavor) {
  30         if (flavor >= RPC_AUTH_MAXFLAVOR)
  31                 return RPC_AUTH_GSS;
  32         return flavor;
  33 }
  34
  35 int
  36 rpcauth_register(struct rpc_authops *ops)
  37 {
  38         rpc_authflavor_t flavor;
  39
  40         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  41                 return -EINVAL;
  42         if (auth_flavors[flavor] != NULL)
  43                 return -EPERM;          /* what else? */
  44         auth_flavors[flavor] = ops;
  45         return 0;
  46 }
  47
  48 int
  49 rpcauth_unregister(struct rpc_authops *ops)
  50 {
  51         rpc_authflavor_t flavor;
  52
  53         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  54                 return -EINVAL;
  55         if (auth_flavors[flavor] != ops)
  56                 return -EPERM;          /* what else? */
  57         auth_flavors[flavor] = NULL;
  58         return 0;
  59 }
  60
  61 struct rpc_auth *
  62 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt)
  63 {
  64         struct rpc_auth         *auth;
  65         struct rpc_authops      *ops;
  66         u32                     flavor = pseudoflavor_to_flavor(pseudoflavor);
  67
  68         auth = ERR_PTR(-EINVAL);
  69         if (flavor >= RPC_AUTH_MAXFLAVOR)
  70                 goto out;
  71
  72         /* FIXME - auth_flavors[] really needs an rw lock,
  73          * and module refcounting. */
  74 #ifdef CONFIG_KMOD
  75         if ((ops = auth_flavors[flavor]) == NULL)
  76                 request_module("rpc-auth-%u", flavor);
  77 #endif
  78         if ((ops = auth_flavors[flavor]) == NULL)
  79                 goto out;
  80         auth = ops->create(clnt, pseudoflavor);
  81         if (IS_ERR(auth))
  82                 return auth;
  83         if (clnt->cl_auth)
  84                 rpcauth_destroy(clnt->cl_auth);
  85         clnt->cl_auth = auth;
  86
  87 out:
  88         return auth;
  89 }
  90
  91 void
  92 rpcauth_destroy(struct rpc_auth *auth)
  93 {
  94         if (!atomic_dec_and_test(&auth->au_count))
  95                 return;
  96         auth->au_ops->destroy(auth);
  97 }
  98
  99 static DEFINE_SPINLOCK(rpc_credcache_lock);
 100
 101 /*
 102  * Initialize RPC credential cache
 103  */
 104 int
 105 rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire)
 106 {
 107         struct rpc_cred_cache *new;
 108         int i;
 109
 110         new = kmalloc(sizeof(*new), GFP_KERNEL);
 111         if (!new)
 112                 return -ENOMEM;
 113         for (i = 0; i < RPC_CREDCACHE_NR; i++)
 114                 INIT_HLIST_HEAD(&new->hashtable[i]);
 115         new->expire = expire;
 116         new->nextgc = jiffies + (expire >> 1);
 117         auth->au_credcache = new;
 118         return 0;
 119 }
 120
 121 /*
 122  * Destroy a list of credentials
 123  */
 124 static inline
 125 void rpcauth_destroy_credlist(struct hlist_head *head)
 126 {
 127         struct rpc_cred *cred;
 128
 129         while (!hlist_empty(head)) {
 130                 cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
 131                 hlist_del_init(&cred->cr_hash);
 132                 put_rpccred(cred);
 133         }
 134 }
 135
 136 /*
 137  * Clear the RPC credential cache, and delete those credentials
 138  * that are not referenced.
 139  */
 140 void
 141 rpcauth_free_credcache(struct rpc_auth *auth)
 142 {
 143         struct rpc_cred_cache *cache = auth->au_credcache;
 144         HLIST_HEAD(free);
 145         struct hlist_node *pos, *next;
 146         struct rpc_cred *cred;
 147         int             i;
 148
 149         spin_lock(&rpc_credcache_lock);
 150         for (i = 0; i < RPC_CREDCACHE_NR; i++) {
 151                 hlist_for_each_safe(pos, next, &cache->hashtable[i]) {
 152                         cred = hlist_entry(pos, struct rpc_cred, cr_hash);
 153                         __hlist_del(&cred->cr_hash);
 154                         hlist_add_head(&cred->cr_hash, &free);
 155                 }
 156         }
 157         spin_unlock(&rpc_credcache_lock);
 158         rpcauth_destroy_credlist(&free);
 159 }
 160
 161 static void
 162 rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free)
 163 {
 164         if (atomic_read(&cred->cr_count) != 1)
 165                return;
 166         if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire))
 167                 cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
 168         if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) {
 169                 __hlist_del(&cred->cr_hash);
 170                 hlist_add_head(&cred->cr_hash, free);
 171         }
 172 }
 173
 174 /*
 175  * Remove stale credentials. Avoid sleeping inside the loop.
 176  */
 177 static void
 178 rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free)
 179 {
 180         struct rpc_cred_cache *cache = auth->au_credcache;
 181         struct hlist_node *pos, *next;
 182         struct rpc_cred *cred;
 183         int             i;
 184
 185         dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth);
 186         for (i = 0; i < RPC_CREDCACHE_NR; i++) {
 187                 hlist_for_each_safe(pos, next, &cache->hashtable[i]) {
 188                         cred = hlist_entry(pos, struct rpc_cred, cr_hash);
 189                         rpcauth_prune_expired(auth, cred, free);
 190                 }
 191         }
 192         cache->nextgc = jiffies + cache->expire;
 193 }
 194
 195 /*
 196  * Look up a process' credentials in the authentication cache
 197  */
 198 struct rpc_cred *
 199 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred,
 200                 int flags)
 201 {
 202         struct rpc_cred_cache *cache = auth->au_credcache;
 203         HLIST_HEAD(free);
 204         struct hlist_node *pos, *next;
 205         struct rpc_cred *new = NULL,
 206                         *cred = NULL;
 207         int             nr = 0;
 208
 209         if (!(flags & RPCAUTH_LOOKUP_ROOTCREDS))
 210                 nr = acred->uid & RPC_CREDCACHE_MASK;
 211 retry:
 212         spin_lock(&rpc_credcache_lock);
 213         if (time_before(cache->nextgc, jiffies))
 214                 rpcauth_gc_credcache(auth, &free);
 215         hlist_for_each_safe(pos, next, &cache->hashtable[nr]) {
 216                 struct rpc_cred *entry;
 217                 entry = hlist_entry(pos, struct rpc_cred, cr_hash);
 218                 if (entry->cr_ops->crmatch(acred, entry, flags)) {
 219                         hlist_del(&entry->cr_hash);
 220                         cred = entry;
 221                         break;
 222                 }
 223                 rpcauth_prune_expired(auth, entry, &free);
 224         }
 225         if (new) {
 226                 if (cred)
 227                         hlist_add_head(&new->cr_hash, &free);
 228                 else
 229                         cred = new;
 230         }
 231         if (cred) {
 232                 hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]);
 233                 get_rpccred(cred);
 234         }
 235         spin_unlock(&rpc_credcache_lock);
 236
 237         rpcauth_destroy_credlist(&free);
 238
 239         if (!cred) {
 240                 new = auth->au_ops->crcreate(auth, acred, flags);
 241                 if (!IS_ERR(new)) {
 242 #ifdef RPC_DEBUG
 243                         new->cr_magic = RPCAUTH_CRED_MAGIC;
 244 #endif
 245                         goto retry;
 246                 } else
 247                         cred = new;
 248         } else if ((cred->cr_flags & RPCAUTH_CRED_NEW)
 249                         && cred->cr_ops->cr_init != NULL
 250                         && !(flags & RPCAUTH_LOOKUP_NEW)) {
 251                 int res = cred->cr_ops->cr_init(auth, cred);
 252                 if (res < 0) {
 253                         put_rpccred(cred);
 254                         cred = ERR_PTR(res);
 255                 }
 256         }
 257
 258         return (struct rpc_cred *) cred;
 259 }
 260
 261 struct rpc_cred *
 262 rpcauth_lookupcred(struct rpc_auth *auth, int flags)
 263 {
 264         struct auth_cred acred = {
 265                 .uid = current->fsuid,
 266                 .gid = current->fsgid,
 267                 .xid = vx_current_xid(),
 268                 .group_info = current->group_info,
 269         };
 270         struct rpc_cred *ret;
 271
 272         dprintk("RPC:     looking up %s cred\n",
 273                 auth->au_ops->au_name);
 274         get_group_info(acred.group_info);
 275         ret = auth->au_ops->lookup_cred(auth, &acred, flags);
 276         put_group_info(acred.group_info);
 277         return ret;
 278 }
 279
 280 struct rpc_cred *
 281 rpcauth_bindcred(struct rpc_task *task)
 282 {
 283         struct rpc_auth *auth = task->tk_auth;
 284         struct auth_cred acred = {
 285                 .uid = current->fsuid,
 286                 .gid = current->fsgid,
 287                 .xid = vx_current_xid(),
 288                 .group_info = current->group_info,
 289         };
 290         struct rpc_cred *ret;
 291         int flags = 0;
 292
 293         dprintk("RPC: %4d looking up %s cred\n",
 294                 task->tk_pid, task->tk_auth->au_ops->au_name);
 295         get_group_info(acred.group_info);
 296         if (task->tk_flags & RPC_TASK_ROOTCREDS)
 297                 flags |= RPCAUTH_LOOKUP_ROOTCREDS;
 298         ret = auth->au_ops->lookup_cred(auth, &acred, flags);
 299         if (!IS_ERR(ret))
 300                 task->tk_msg.rpc_cred = ret;
 301         else
 302                 task->tk_status = PTR_ERR(ret);
 303         put_group_info(acred.group_info);
 304         return ret;
 305 }
 306
 307 void
 308 rpcauth_holdcred(struct rpc_task *task)
 309 {
 310         dprintk("RPC: %4d holding %s cred %p\n",
 311                 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred);
 312         if (task->tk_msg.rpc_cred)
 313                 get_rpccred(task->tk_msg.rpc_cred);
 314 }
 315
 316 void
 317 put_rpccred(struct rpc_cred *cred)
 318 {
 319         cred->cr_expire = jiffies;
 320         if (!atomic_dec_and_test(&cred->cr_count))
 321                 return;
 322         cred->cr_ops->crdestroy(cred);
 323 }
 324
 325 void
 326 rpcauth_unbindcred(struct rpc_task *task)
 327 {
 328         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 329
 330         dprintk("RPC: %4d releasing %s cred %p\n",
 331                 task->tk_pid, task->tk_auth->au_ops->au_name, cred);
 332
 333         put_rpccred(cred);
 334         task->tk_msg.rpc_cred = NULL;
 335 }
 336
 337 u32 *
 338 rpcauth_marshcred(struct rpc_task *task, u32 *p)
 339 {
 340         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 341
 342         dprintk("RPC: %4d marshaling %s cred %p\n",
 343                 task->tk_pid, task->tk_auth->au_ops->au_name, cred);
 344
 345         return cred->cr_ops->crmarshal(task, p);
 346 }
 347
 348 u32 *
 349 rpcauth_checkverf(struct rpc_task *task, u32 *p)
 350 {
 351         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 352
 353         dprintk("RPC: %4d validating %s cred %p\n",
 354                 task->tk_pid, task->tk_auth->au_ops->au_name, cred);
 355
 356         return cred->cr_ops->crvalidate(task, p);
 357 }
 358
 359 int
 360 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp,
 361                 u32 *data, void *obj)
 362 {
 363         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 364
 365         dprintk("RPC: %4d using %s cred %p to wrap rpc data\n",
 366                         task->tk_pid, cred->cr_ops->cr_name, cred);
 367         if (cred->cr_ops->crwrap_req)
 368                 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
 369         /* By default, we encode the arguments normally. */
 370         return encode(rqstp, data, obj);
 371 }
 372
 373 int
 374 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp,
 375                 u32 *data, void *obj)
 376 {
 377         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 378
 379         dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n",
 380                         task->tk_pid, cred->cr_ops->cr_name, cred);
 381         if (cred->cr_ops->crunwrap_resp)
 382                 return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
 383                                                    data, obj);
 384         /* By default, we decode the arguments normally. */
 385         return decode(rqstp, data, obj);
 386 }
 387
 388 int
 389 rpcauth_refreshcred(struct rpc_task *task)
 390 {
 391         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 392         int err;
 393
 394         dprintk("RPC: %4d refreshing %s cred %p\n",
 395                 task->tk_pid, task->tk_auth->au_ops->au_name, cred);
 396
 397         err = cred->cr_ops->crrefresh(task);
 398         if (err < 0)
 399                 task->tk_status = err;
 400         return err;
 401 }
 402
 403 void
 404 rpcauth_invalcred(struct rpc_task *task)
 405 {
 406         dprintk("RPC: %4d invalidating %s cred %p\n",
 407                 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred);
 408         spin_lock(&rpc_credcache_lock);
 409         if (task->tk_msg.rpc_cred)
 410                 task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
 411         spin_unlock(&rpc_credcache_lock);
 412 }
 413
 414 int
 415 rpcauth_uptodatecred(struct rpc_task *task)
 416 {
 417         return !(task->tk_msg.rpc_cred) ||
 418                 (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE);
 419 }