struct svc_serv * rq_server; /* RPC service definition */
struct svc_procedure * rq_procinfo; /* procedure info */
+ struct auth_ops * rq_authop; /* authentication flavour */
struct svc_cred rq_cred; /* auth info */
struct sk_buff * rq_skbuff; /* fast recv inet buffer */
struct svc_buf rq_defbuf; /* default buffer */
u32 rq_vers; /* program version */
u32 rq_proc; /* procedure number */
u32 rq_prot; /* IP protocol */
- unsigned short rq_verfed : 1, /* reply has verifier */
+ unsigned short
rq_userset : 1, /* auth->setuser OK */
- rq_secure : 1, /* secure port */
- rq_auth : 1; /* check client */
+ rq_secure : 1; /* secure port */
+
void * rq_argp; /* decoded arguments */
void * rq_resp; /* xdr'd results */
* to report (real or virtual)
*/
- wait_queue_head_t rq_wait; /* synchronozation */
+ wait_queue_head_t rq_wait; /* synchronization */
};
/*
#include <linux/sunrpc/msg_prot.h>
struct svc_cred {
- rpc_authflavor_t cr_flavor;
uid_t cr_uid;
gid_t cr_gid;
gid_t cr_groups[NGROUPS];
};
struct svc_rqst; /* forward decl */
-
-void svc_authenticate(struct svc_rqst *rqstp, u32 *statp, u32 *authp);
-int svc_auth_register(rpc_authflavor_t flavor,
- void (*)(struct svc_rqst *,u32 *,u32 *));
-void svc_auth_unregister(rpc_authflavor_t flavor);
-
-#if 0
/*
- * Decoded AUTH_UNIX data. This is different from what's in the RPC lib.
+ * Each authentication flavour registers an auth_ops
+ * structure.
+ * name is simply the name.
+ * flavour gives the auth flavour. It determines where the flavour is registered
+ * accept() is given a request and should verify it.
+ * It should inspect the authenticator and verifier, and possibly the data.
+ * If there is a problem with the authentication *authp should be set.
+ * The return value of accept() can indicate:
+ * OK - authorised. client and credential are set in rqstp.
+ * reqbuf points to arguments
+ * resbuf points to good place for results. verfier
+ * is (probably) already in place. Certainly space is
+ * reserved for it.
+ * DROP - simply drop the request. It may have been deferred
+ * GARBAGE - rpc garbage_args error
+ * SYSERR - rpc system_err error
+ * DENIED - authp holds reason for denial.
+ *
+ * accept is passed the proc number so that it can accept NULL rpc requests
+ * even if it cannot authenticate the client (as is sometimes appropriate).
+ *
+ * release() is given a request after the procedure has been run.
+ * It should sign/encrypt the results if needed
+ * It should return:
+ * OK - the resbuf is ready to be sent
+ * DROP - the reply should be quitely dropped
+ * DENIED - authp holds a reason for MSG_DENIED
+ * SYSERR - rpc system_err
*/
-#define NGRPS 16
-struct authunix_parms {
- u32 aup_stamp;
- u32 aup_uid;
- u32 aup_gid;
- u32 aup_len;
- u32 aup_gids[NGRPS];
+struct auth_ops {
+ char * name;
+ int flavour;
+ int (*accept)(struct svc_rqst *rq, u32 *authp, int proc);
+ int (*release)(struct svc_rqst *rq);
};
+extern struct auth_ops *authtab[RPC_AUTH_MAXFLAVOR];
+
+#define SVC_GARBAGE 1
+#define SVC_SYSERR 2
+#define SVC_VALID 3
+#define SVC_NEGATIVE 4
+#define SVC_OK 5
+#define SVC_DROP 6
+#define SVC_DENIED 7
+#define SVC_PENDING 8
+
-struct svc_authops * auth_getops(rpc_authflavor_t flavor);
-#endif
+extern int svc_authenticate(struct svc_rqst *rqstp, u32 *statp, u32 *authp, int proc);
+extern int svc_authorise(struct svc_rqst *rqstp);
+extern int svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops);
+extern void svc_auth_unregister(rpc_authflavor_t flavor);
#endif /* __KERNEL__ */
#define RPCDBG_FACILITY RPCDBG_AUTH
-/*
- * Type of authenticator function
- */
-typedef void (*auth_fn_t)(struct svc_rqst *rqstp, u32 *statp, u32 *authp);
-
/*
* Builtin auth flavors
*/
-static void svcauth_null(struct svc_rqst *rqstp, u32 *statp, u32 *authp);
-static void svcauth_unix(struct svc_rqst *rqstp, u32 *statp, u32 *authp);
+static int svcauth_null_accept(struct svc_rqst *rqstp, u32 *authp, int proc);
+static int svcauth_null_release(struct svc_rqst *rqstp);
+static int svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp, int proc);
+static int svcauth_unix_release(struct svc_rqst *rqstp);
+
+struct auth_ops svcauth_null = {
+ .name = "null",
+ .flavour = RPC_AUTH_NULL,
+ .accept = svcauth_null_accept,
+ .release = svcauth_null_release,
+};
+
+struct auth_ops svcauth_unix = {
+ .name = "unix",
+ .flavour = RPC_AUTH_UNIX,
+ .accept = svcauth_unix_accept,
+ .release = svcauth_unix_release,
+};
/*
* Table of authenticators
*/
-static auth_fn_t authtab[RPC_AUTH_MAXFLAVOR] = {
- svcauth_null,
- svcauth_unix,
- NULL,
+static struct auth_ops *authtab[RPC_AUTH_MAXFLAVOR] = {
+ [0] = &svcauth_null,
+ [1] = &svcauth_unix,
};
-void
-svc_authenticate(struct svc_rqst *rqstp, u32 *statp, u32 *authp)
+int
+svc_authenticate(struct svc_rqst *rqstp, u32 *statp, u32 *authp, int proc)
{
rpc_authflavor_t flavor;
- auth_fn_t func;
+ struct auth_ops *aops;
*statp = rpc_success;
*authp = rpc_auth_ok;
flavor = ntohl(flavor);
dprintk("svc: svc_authenticate (%d)\n", flavor);
- if (flavor >= RPC_AUTH_MAXFLAVOR || !(func = authtab[flavor])) {
+ if (flavor >= RPC_AUTH_MAXFLAVOR || !(aops = authtab[flavor])) {
*authp = rpc_autherr_badcred;
- return;
+ return 0;
+ }
+
+ rqstp->rq_authop = aops;
+ switch (aops->accept(rqstp, authp, proc)) {
+ case SVC_OK:
+ return 0;
+ case SVC_GARBAGE:
+ *statp = rpc_garbage_args;
+ return 0;
+ case SVC_SYSERR:
+ *statp = rpc_system_err;
+ return 0;
+ case SVC_DENIED:
+ return 0;
+ case SVC_DROP:
+ break;
}
+ return 1; /* drop the request */
+}
+
+/* A reqeust, which was authenticated, has now executed.
+ * Time to finalise the the credentials and verifier
+ * and release and resources
+ */
+int svc_authorise(struct svc_rqst *rqstp)
+{
+ struct auth_ops *aops = rqstp->rq_authop;
+ int rv = 0;
- rqstp->rq_cred.cr_flavor = flavor;
- func(rqstp, statp, authp);
+ rqstp->rq_authop = NULL;
+
+ if (aops)
+ rv = aops->release(rqstp);
+
+ /* FIXME should I count and release authops */
+ return rv;
}
int
-svc_auth_register(rpc_authflavor_t flavor, auth_fn_t func)
+svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops)
{
if (flavor >= RPC_AUTH_MAXFLAVOR || authtab[flavor])
return -EINVAL;
- authtab[flavor] = func;
+ authtab[flavor] = aops;
return 0;
}
authtab[flavor] = NULL;
}
-static void
-svcauth_null(struct svc_rqst *rqstp, u32 *statp, u32 *authp)
+static int
+svcauth_null_accept(struct svc_rqst *rqstp, u32 *authp, int proc)
{
struct svc_buf *argp = &rqstp->rq_argbuf;
struct svc_buf *resp = &rqstp->rq_resbuf;
if ((argp->len -= 3) < 0) {
- *statp = rpc_garbage_args;
- return;
+ return SVC_GARBAGE;
}
if (*(argp->buf)++ != 0) { /* we already skipped the flavor */
dprintk("svc: bad null cred\n");
*authp = rpc_autherr_badcred;
- return;
+ return SVC_DENIED;
}
if (*(argp->buf)++ != RPC_AUTH_NULL || *(argp->buf)++ != 0) {
dprintk("svc: bad null verf\n");
*authp = rpc_autherr_badverf;
- return;
+ return SVC_DENIED;
}
/* Signal that mapping to nobody uid/gid is required */
rqstp->rq_cred.cr_groups[0] = NOGROUP;
/* Put NULL verifier */
- rqstp->rq_verfed = 1;
svc_putu32(resp, RPC_AUTH_NULL);
svc_putu32(resp, 0);
+ return SVC_OK;
+}
+
+static int
+svcauth_null_release(struct svc_rqst *rqstp)
+{
+ return 0; /* don't drop */
}
-static void
-svcauth_unix(struct svc_rqst *rqstp, u32 *statp, u32 *authp)
+static int
+svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp, int proc)
{
struct svc_buf *argp = &rqstp->rq_argbuf;
struct svc_buf *resp = &rqstp->rq_resbuf;
u32 *bufp = argp->buf, slen, i;
int len = argp->len;
- if ((len -= 3) < 0) {
- *statp = rpc_garbage_args;
- return;
- }
+ if ((len -= 3) < 0)
+ return SVC_GARBAGE;
bufp++; /* length */
bufp++; /* time stamp */
- slen = (ntohl(*bufp++) + 3) >> 2; /* machname length */
+ slen = XDR_QUADLEN(ntohl(*bufp++)); /* machname length */
if (slen > 64 || (len -= slen + 3) < 0)
goto badcred;
bufp += slen; /* skip machname */
if (*bufp++ != RPC_AUTH_NULL || *bufp++ != 0) {
*authp = rpc_autherr_badverf;
- return;
+ return SVC_DENIED;
}
argp->buf = bufp;
argp->len = len;
/* Put NULL verifier */
- rqstp->rq_verfed = 1;
svc_putu32(resp, RPC_AUTH_NULL);
svc_putu32(resp, 0);
- return;
+ return SVC_OK;
badcred:
*authp = rpc_autherr_badcred;
+ return SVC_DENIED;
+}
+
+static int
+svcauth_unix_release(struct svc_rqst *rqstp)
+{
+ /* Verifier (such as it is) is already in place.
+ */
+ return 0;
}
projects / history.git / commitdiff