Branch data Line data Source code
1 : : /* SPDX-License-Identifier: GPL-2.0 */ 2 : : /* 3 : : * linux/include/linux/sunrpc/svcauth.h 4 : : * 5 : : * RPC server-side authentication stuff. 6 : : * 7 : : * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de> 8 : : */ 9 : : 10 : : #ifndef _LINUX_SUNRPC_SVCAUTH_H_ 11 : : #define _LINUX_SUNRPC_SVCAUTH_H_ 12 : : 13 : : #include <linux/string.h> 14 : : #include <linux/sunrpc/msg_prot.h> 15 : : #include <linux/sunrpc/cache.h> 16 : : #include <linux/sunrpc/gss_api.h> 17 : : #include <linux/hash.h> 18 : : #include <linux/stringhash.h> 19 : : #include <linux/cred.h> 20 : : 21 : : struct svc_cred { 22 : : kuid_t cr_uid; 23 : : kgid_t cr_gid; 24 : : struct group_info *cr_group_info; 25 : : u32 cr_flavor; /* pseudoflavor */ 26 : : /* name of form servicetype/hostname@REALM, passed down by 27 : : * gss-proxy: */ 28 : : char *cr_raw_principal; 29 : : /* name of form servicetype@hostname, passed down by 30 : : * rpc.svcgssd, or computed from the above: */ 31 : : char *cr_principal; 32 : : char *cr_targ_princ; 33 : : struct gss_api_mech *cr_gss_mech; 34 : : }; 35 : : 36 : 0 : static inline void init_svc_cred(struct svc_cred *cred) 37 : : { 38 : 0 : cred->cr_group_info = NULL; 39 : 0 : cred->cr_raw_principal = NULL; 40 : 0 : cred->cr_principal = NULL; 41 : 0 : cred->cr_targ_princ = NULL; 42 : 0 : cred->cr_gss_mech = NULL; 43 : : } 44 : : 45 : 0 : static inline void free_svc_cred(struct svc_cred *cred) 46 : : { 47 [ # # ]: 0 : if (cred->cr_group_info) 48 [ # # ]: 0 : put_group_info(cred->cr_group_info); 49 : 0 : kfree(cred->cr_raw_principal); 50 : 0 : kfree(cred->cr_principal); 51 : 0 : kfree(cred->cr_targ_princ); 52 : 0 : gss_mech_put(cred->cr_gss_mech); 53 : 0 : init_svc_cred(cred); 54 : 0 : } 55 : : 56 : : struct svc_rqst; /* forward decl */ 57 : : struct in6_addr; 58 : : 59 : : /* Authentication is done in the context of a domain. 60 : : * 61 : : * Currently, the nfs server uses the auth_domain to stand 62 : : * for the "client" listed in /etc/exports. 63 : : * 64 : : * More generally, a domain might represent a group of clients using 65 : : * a common mechanism for authentication and having a common mapping 66 : : * between local identity (uid) and network identity. All clients 67 : : * in a domain have similar general access rights. Each domain can 68 : : * contain multiple principals which will have different specific right 69 : : * based on normal Discretionary Access Control. 70 : : * 71 : : * A domain is created by an authentication flavour module based on name 72 : : * only. Userspace then fills in detail on demand. 73 : : * 74 : : * In the case of auth_unix and auth_null, the auth_domain is also 75 : : * associated with entries in another cache representing the mapping 76 : : * of ip addresses to the given client. 77 : : */ 78 : : struct auth_domain { 79 : : struct kref ref; 80 : : struct hlist_node hash; 81 : : char *name; 82 : : struct auth_ops *flavour; 83 : : struct rcu_head rcu_head; 84 : : }; 85 : : 86 : : /* 87 : : * Each authentication flavour registers an auth_ops 88 : : * structure. 89 : : * name is simply the name. 90 : : * flavour gives the auth flavour. It determines where the flavour is registered 91 : : * accept() is given a request and should verify it. 92 : : * It should inspect the authenticator and verifier, and possibly the data. 93 : : * If there is a problem with the authentication *authp should be set. 94 : : * The return value of accept() can indicate: 95 : : * OK - authorised. client and credential are set in rqstp. 96 : : * reqbuf points to arguments 97 : : * resbuf points to good place for results. verfier 98 : : * is (probably) already in place. Certainly space is 99 : : * reserved for it. 100 : : * DROP - simply drop the request. It may have been deferred 101 : : * GARBAGE - rpc garbage_args error 102 : : * SYSERR - rpc system_err error 103 : : * DENIED - authp holds reason for denial. 104 : : * COMPLETE - the reply is encoded already and ready to be sent; no 105 : : * further processing is necessary. (This is used for processing 106 : : * null procedure calls which are used to set up encryption 107 : : * contexts.) 108 : : * 109 : : * accept is passed the proc number so that it can accept NULL rpc requests 110 : : * even if it cannot authenticate the client (as is sometimes appropriate). 111 : : * 112 : : * release() is given a request after the procedure has been run. 113 : : * It should sign/encrypt the results if needed 114 : : * It should return: 115 : : * OK - the resbuf is ready to be sent 116 : : * DROP - the reply should be quitely dropped 117 : : * DENIED - authp holds a reason for MSG_DENIED 118 : : * SYSERR - rpc system_err 119 : : * 120 : : * domain_release() 121 : : * This call releases a domain. 122 : : * set_client() 123 : : * Givens a pending request (struct svc_rqst), finds and assigns 124 : : * an appropriate 'auth_domain' as the client. 125 : : */ 126 : : struct auth_ops { 127 : : char * name; 128 : : struct module *owner; 129 : : int flavour; 130 : : int (*accept)(struct svc_rqst *rq, __be32 *authp); 131 : : int (*release)(struct svc_rqst *rq); 132 : : void (*domain_release)(struct auth_domain *); 133 : : int (*set_client)(struct svc_rqst *rq); 134 : : }; 135 : : 136 : : #define SVC_GARBAGE 1 137 : : #define SVC_SYSERR 2 138 : : #define SVC_VALID 3 139 : : #define SVC_NEGATIVE 4 140 : : #define SVC_OK 5 141 : : #define SVC_DROP 6 142 : : #define SVC_CLOSE 7 /* Like SVC_DROP, but request is definitely 143 : : * lost so if there is a tcp connection, it 144 : : * should be closed 145 : : */ 146 : : #define SVC_DENIED 8 147 : : #define SVC_PENDING 9 148 : : #define SVC_COMPLETE 10 149 : : 150 : : struct svc_xprt; 151 : : 152 : : extern int svc_authenticate(struct svc_rqst *rqstp, __be32 *authp); 153 : : extern int svc_authorise(struct svc_rqst *rqstp); 154 : : extern int svc_set_client(struct svc_rqst *rqstp); 155 : : extern int svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops); 156 : : extern void svc_auth_unregister(rpc_authflavor_t flavor); 157 : : 158 : : extern struct auth_domain *unix_domain_find(char *name); 159 : : extern void auth_domain_put(struct auth_domain *item); 160 : : extern int auth_unix_add_addr(struct net *net, struct in6_addr *addr, struct auth_domain *dom); 161 : : extern struct auth_domain *auth_domain_lookup(char *name, struct auth_domain *new); 162 : : extern struct auth_domain *auth_domain_find(char *name); 163 : : extern struct auth_domain *auth_unix_lookup(struct net *net, struct in6_addr *addr); 164 : : extern int auth_unix_forget_old(struct auth_domain *dom); 165 : : extern void svcauth_unix_purge(struct net *net); 166 : : extern void svcauth_unix_info_release(struct svc_xprt *xpt); 167 : : extern int svcauth_unix_set_client(struct svc_rqst *rqstp); 168 : : 169 : : extern int unix_gid_cache_create(struct net *net); 170 : : extern void unix_gid_cache_destroy(struct net *net); 171 : : 172 : : /* 173 : : * The <stringhash.h> functions are good enough that we don't need to 174 : : * use hash_32() on them; just extracting the high bits is enough. 175 : : */ 176 : 0 : static inline unsigned long hash_str(char const *name, int bits) 177 : : { 178 : 0 : return hashlen_hash(hashlen_string(NULL, name)) >> (32 - bits); 179 : : } 180 : : 181 : 0 : static inline unsigned long hash_mem(char const *buf, int length, int bits) 182 : : { 183 : 0 : return full_name_hash(NULL, buf, length) >> (32 - bits); 184 : : } 185 : : 186 : : #endif /* _LINUX_SUNRPC_SVCAUTH_H_ */