/*	$NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $	*/

/*-
 * Copyright (c) 2009, Sun Microsystems, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 * - Neither the name of Sun Microsystems, Inc. nor the names of its
 *   contributors may be used to endorse or promote products derived
 *   from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 *	from: @(#)auth.h 1.17 88/02/08 SMI
 *	from: @(#)auth.h	2.3 88/08/07 4.0 RPCSRC
 *	from: @(#)auth.h	1.43 	98/02/02 SMI
 * $FreeBSD: releng/10.3/sys/rpc/auth.h 261046 2014-01-22 23:45:27Z mav $
 */

/*
 * auth.h, Authentication interface.
 *
 * Copyright (C) 1984, Sun Microsystems, Inc.
 *
 * The data structures are completely opaque to the client.  The client
 * is required to pass an AUTH * to routines that create rpc
 * "sessions".
 */

#ifndef _RPC_AUTH_H
#define	_RPC_AUTH_H
#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cdefs.h>
#include <sys/socket.h>

/*
 * Upper bound on the body of an opaque_auth (credential or verifier).
 * Nothing in this header enforces it; the XDR decoders that consume
 * untrusted messages are where the check has to live.
 */
#define MAX_AUTH_BYTES	400

/*
 * Maximum length of a network user's name.  The netname routines below
 * take no buffer length, so a receiving buffer presumably needs
 * MAXNETNAMELEN + 1 bytes for the terminator -- confirm against the
 * implementations before sizing one.
 */
#define MAXNETNAMELEN	255

/*
 * Client side authentication/security data.
 *
 * One record per configured security mode; `data' carries the flavor
 * specific payload (e.g. a des_clnt_data for AUTH_DES).
 */
typedef struct sec_data {
	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
	u_int	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int	flags;		/* AUTH_F_xxx flags; note AUTH_F_TRYNONE
				 * permits a downgrade to AUTH_NONE */
	caddr_t	data;		/* opaque data per flavor */
} sec_data_t;

#ifdef _SYSCALL32_IMPL
/*
 * 32-bit ABI mirror of sec_data.  Field order and widths must track
 * sec_data exactly; only the pointer member changes representation.
 */
struct sec_data32 {
	uint32_t	secmod;		/* security mode number e.g. in nfssec.conf */
	uint32_t	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int32_t		flags;		/* AUTH_F_xxx flags */
	caddr32_t	data;		/* opaque data per flavor */
};
#endif /* _SYSCALL32_IMPL */

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
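*/
typedef struct des_clnt_data {
	struct netbuf	syncaddr;	/* address of the time-sync peer */
	struct knetconfig *knconf;	/* transport config associated with
					 * syncaddr */
	char		*netname;	/* server's netname */
	int		netnamelen;	/* length of netname in bytes */
} dh_k4_clntdata_t;

#ifdef _SYSCALL32_IMPL
/*
 * 32-bit ABI mirror of des_clnt_data; pointers become caddr32_t.
 */
struct des_clnt_data32 {
	struct netbuf32	syncaddr;	/* address of the time-sync peer */
	caddr32_t	knconf;		/* transport config associated with
					 * syncaddr */
	caddr32_t	netname;	/* server's netname */
	int32_t		netnamelen;	/* length of netname in bytes */
};
#endif /* _SYSCALL32_IMPL */

#ifdef KERBEROS
/*
 * Flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in the sec_data->data opaque field.
 */
typedef struct krb4_svc_data {
	int		window;		/* window option value; presumably the
					 * credential lifetime, cf. the window
					 * argument of authdes_seccreate */
} krb4_svcdata_t;

typedef struct krb4_svc_data des_svcdata_t;
#endif /* KERBEROS */

/*
 * Authentication/security specific flags (sec_data.flags).
 *
 * AUTH_F_TRYNONE is a silent downgrade: a session that cannot establish
 * the requested flavor proceeds with no authentication at all.  Leave it
 * clear unless unauthenticated access is genuinely acceptable.
 */
#define AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
#define AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */


/*
 * Status returned from authentication check.
 *
 * Values 0..14 are the on-wire auth_stat codes of RFC 5531 (the ones a
 * server reports back in an AUTH_ERROR reply) and must not be renumbered
 * or reordered.  RPCSEC_GSS_NODISPATCH lies outside that range and is a
 * purely local code.
 */
enum auth_stat {
	AUTH_OK = 0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED = 1,		/* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED = 2,		/* client should begin new session */
	AUTH_BADVERF = 3,		/* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF = 4,		/* verifier expired or was replayed */
	AUTH_TOOWEAK = 5,		/* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP = 6,		/* bogus response verifier */
	AUTH_FAILED = 7,		/* some unknown reason */
#ifdef KERBEROS
	/*
	 * kerberos errors.  No separator is needed here: AUTH_FAILED
	 * above already ends with a comma.
	 */
	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
	AUTH_DECODE = 11,		/* can't decode authenticator */
	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
#endif /* KERBEROS */
	/*
	 * RPCSEC_GSS errors
	 */
	RPCSEC_GSS_CREDPROBLEM = 13,	/* credential problem */
	RPCSEC_GSS_CTXPROBLEM = 14,	/* security context problem */
	RPCSEC_GSS_NODISPATCH = 0x8000000 /* local only, never sent on the
					   * wire; presumably tells the
					   * dispatcher the authenticator has
					   * consumed the request -- confirm
					   * against the RPCSEC_GSS service
					   * code */
};

/*
 * A single 64-bit DES block: the AUTH_DH conversation key and the unit
 * exchanged with keyserv.  DES is a 56-bit cipher and is kept only for
 * wire compatibility with AUTH_DH/AUTH_DES peers.  Because this type
 * holds key material, owners should zero it before releasing it.
 */
union des_block {
	struct {
		uint32_t high;
		uint32_t low;
	} key;
	char c[8];
};
typedef union des_block des_block;
__BEGIN_DECLS
extern bool_t xdr_des_block(XDR *xdrs, des_block *blkp);
__END_DECLS

/*
 * Authentication info.  Opaque to client.
 *
 * This is the on-wire opaque_auth of an RPC call or reply: a flavor number
 * plus an opaque body.  oa_length must not exceed MAX_AUTH_BYTES; the
 * struct itself cannot enforce that, so the bound has to be checked where
 * untrusted messages are decoded (not visible in this header).
 */
struct opaque_auth {
	enum_t	oa_flavor;		/* flavor of auth (AUTH_* / RPCSEC_GSS) */
	caddr_t	oa_base;		/* address of more auth stuff */
	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
};


/*
 * Auth handle, interface to client side authenticators.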
*/
struct rpc_err;
typedef struct __auth {
	struct opaque_auth	ah_cred;	/* credential, as marshalled by
						 * ah_marshal */
	struct opaque_auth	ah_verf;	/* verifier, as marshalled by
						 * ah_marshal */
	union des_block		ah_key;		/* conversation key (AUTH_DH):
						 * secret material; ah_destroy
						 * implementations should wipe
						 * it -- not verifiable here */
	struct auth_ops {
		/* advance to the next verifier */
		void	(*ah_nextverf)(struct __auth *ah);
		/* nextverf & serialize cred/verf into the call */
		int	(*ah_marshal)(struct __auth *ah, uint32_t xid,
			    XDR *xdrs, struct mbuf *args);
		/* validate the verifier in a reply */
		int	(*ah_validate)(struct __auth *ah, uint32_t xid,
			    struct opaque_auth *verfp, struct mbuf **resultsp);
		/* refresh credentials */
		int	(*ah_refresh)(struct __auth *ah, void *msg);
		/* destroy this structure */
		void	(*ah_destroy)(struct __auth *ah);
	} *ah_ops;
	void *ah_private;	/* per-implementation state */
} AUTH;


/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
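*/
/*
 * Macro wrappers over the auth_ops table.  Argument roles:
 *
 *	AUTH *auth;
 *	XDR *xdrs;
 *	struct opaque_auth verf;
 *
 * Every macro evaluates its handle argument twice (once to reach ah_ops,
 * once as the callback's first argument), so pass a side-effect-free
 * expression.  All arguments are parenthesized on expansion.
 */
#define AUTH_NEXTVERF(auth) \
	((*((auth)->ah_ops->ah_nextverf))((auth)))

#define AUTH_MARSHALL(auth, xid, xdrs, args) \
	((*((auth)->ah_ops->ah_marshal))((auth), (xid), (xdrs), (args)))

#define AUTH_VALIDATE(auth, xid, verfp, resultsp) \
	((*((auth)->ah_ops->ah_validate))((auth), (xid), (verfp), (resultsp)))

#define AUTH_REFRESH(auth, msg) \
	((*((auth)->ah_ops->ah_refresh))((auth), (msg)))

#define AUTH_DESTROY(auth) \
	((*((auth)->ah_ops->ah_destroy))((auth)))

__BEGIN_DECLS
extern struct opaque_auth _null_auth;	/* presumably the AUTH_NONE
					 * credential/verifier */
__END_DECLS

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication (AUTH_SYS / AUTH_UNIX)
 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
 *	char *machname;
 *	u_int uid;
 *	u_int gid;
 *	int len;		- number of entries in aup_gids
 *	u_int *aup_gids;
 *
 * The ids are asserted by the client and are not cryptographically bound
 * to anything (RFC 5531); a server can trust them only as far as it
 * trusts the network path and the peer host.
 */
__BEGIN_DECLS
#ifdef _KERNEL
struct ucred;
extern AUTH *authunix_create(struct ucred *cred);
#else
extern AUTH *authunix_create(char *machname, u_int uid, u_int gid, int len,
    u_int *aup_gids);
extern AUTH *authunix_create_default(void);	/* takes no parameters */
#endif
extern AUTH *authnone_create(void);		/* takes no parameters;
						 * AUTH_NONE, no credentials */
__END_DECLS
/*
 * DES style authentication
 * AUTH *authsecdes_create(servername, window, timehost, ckey)
 *	char *servername;		- network name of server
 *	u_int window;			- time to live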
*/
/*
 *	const char *timehost;		- optional hostname to sync with
 *	des_block *ckey;		- optional conversation key to use
 *
 * AUTH_DH/AUTH_DES rests on 56-bit DES and a Diffie-Hellman group far too
 * small by modern standards; it is retained for interoperability only.
 * Prefer RPCSEC_GSS where the peer supports it.
 */
__BEGIN_DECLS
extern AUTH *authdes_create(char *servername, u_int window,
    struct sockaddr *syncaddr, des_block *ckey);
extern AUTH *authdes_seccreate(const char *servername, u_int window,
    const char *timehost, const des_block *ckey);
__END_DECLS

__BEGIN_DECLS
extern bool_t xdr_opaque_auth(XDR *xdrs, struct opaque_auth *ap);
__END_DECLS

/* AUTH_SYS is the standard name for what this library calls AUTH_UNIX. */
#define authsys_create(c, i1, i2, i3, ip) \
	authunix_create((c), (i1), (i2), (i3), (ip))
#define authsys_create_default()	authunix_create_default()

/*
 * Netname manipulation routines.
 *
 * Only netname2host carries a buffer length; the other output buffers
 * are presumed large enough for MAXNETNAMELEN characters plus a
 * terminator -- confirm against the implementations.
 */
__BEGIN_DECLS
extern int getnetname(char *name);
extern int host2netname(char *netname, const char *host, const char *domain);
extern int user2netname(char *netname, uid_t uid, const char *domain);
extern int netname2user(char *netname, uid_t *uidp, gid_t *gidp,
    int *gidlenp, gid_t *gidlist);
extern int netname2host(char *netname, char *host, int hostlen);
extern void passwd2des(char *pw, char *key);	/* derives a DES key from
						 * a password, per its name */
__END_DECLS

/*
 * These routines interface to the keyserv daemon.
 *
 * They move DES session keys and the user's secret key around; treat
 * every des_block and key string passed through here as secret material.
 */
__BEGIN_DECLS
extern int key_decryptsession(const char *remotename, des_block *deskey);
extern int key_encryptsession(const char *remotename, des_block *deskey);
extern int key_gendes(des_block *deskey);
extern int key_setsecret(const char *secretkey);
extern int key_secretkey_is_set(void);
__END_DECLS

/*
 * Publickey routines.
*/
/*
 * No buffer length is carried by these prototypes; the key buffers are
 * presumably the fixed-size hex strings of the publickey protocol --
 * confirm the required size against the implementation before calling.
 */
__BEGIN_DECLS
extern int getpublickey(const char *netname, char *publickey);
extern int getpublicandprivatekey(const char *netname, char *buf);
extern int getsecretkey(char *netname, char *secretkey, char *passwd);
__END_DECLS

#ifdef KERBEROS
/*
 * Kerberos (v4) style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 *	const char *service;			- service name
 *	const char *srv_inst;			- server instance
 *	const char *realm;			- server realm
 *	u_int window;				- time to live
 *	const char *timehost;			- optional hostname to sync with
 *	int *status;				- kerberos status returned
 *
 * Compiled only with KERBEROS defined.  This is Kerberos 4, which is
 * long obsolete; RPCSEC_GSS with a krb5 mechanism is the replacement.
 */
__BEGIN_DECLS
extern AUTH *authkerb_seccreate(const char *service, const char *srv_inst,
    const char *realm, u_int window, const char *timehost, int *status);
__END_DECLS

/*
 * Map a kerberos credential into a unix cred.
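*/
/*
 * authkerb_getucred(rqst, uid, gid, grouplen, groups)
 *	struct svc_req *rqst;		- request pointer
 *	uid_t *uid;
 *	gid_t *gid;
 *	short *grouplen;
 *	int *groups;
 *
 * Declared with a full prototype so call sites are type-checked; an
 * empty parameter list would silently accept any arguments.
 */
__BEGIN_DECLS
struct svc_req;
extern int authkerb_getucred(struct svc_req *rqst, uid_t *uid, gid_t *gid,
    short *grouplen, int *groups);
__END_DECLS
#endif /* KERBEROS */

/*
 * Server-side authenticators for the built-in flavors.  Each inspects the
 * credentials of an incoming call and returns an auth_stat; presumably
 * anything but AUTH_OK becomes an AUTH_ERROR reply, but the dispatch code
 * is not visible here.
 */
__BEGIN_DECLS
struct svc_req;
struct rpc_msg;
enum auth_stat _svcauth_null(struct svc_req *rqst, struct rpc_msg *msg);
enum auth_stat _svcauth_short(struct svc_req *rqst, struct rpc_msg *msg);
enum auth_stat _svcauth_unix(struct svc_req *rqst, struct rpc_msg *msg);
__END_DECLS

/*
 * Authentication flavor numbers (RFC 5531).  These are wire values and
 * must not be renumbered.
 */
#define AUTH_NONE	0		/* no authentication */
#define	AUTH_NULL	0		/* backward compatibility */
#define	AUTH_SYS	1		/* unix style (uid, gids): asserted by
					 * the client, never verified */
#define AUTH_UNIX	AUTH_SYS
#define	AUTH_SHORT	2		/* short hand unix style */
#define AUTH_DH		3		/* for Diffie-Hellman mechanism (DES
					 * based; weak, compatibility only) */
#define AUTH_DES	AUTH_DH		/* for backward compatibility */
#define AUTH_KERB	4		/* kerberos (v4) style */
#define RPCSEC_GSS	6		/* RPCSEC_GSS (RFC 2203): the only
					 * flavor here that can protect the
					 * integrity or privacy of call data */

/*
 * Pseudo auth flavors for RPCSEC_GSS (RFC 2623).  These never appear in
 * oa_flavor on the wire; they select the Kerberos 5 service level:
 *	KRB5	- authentication only
 *	KRB5I	- plus per-call integrity
 *	KRB5P	- plus privacy (encrypted payload)
 */
#define RPCSEC_GSS_KRB5		390003
#define RPCSEC_GSS_KRB5I	390004
#define RPCSEC_GSS_KRB5P	390005

#endif /* !_RPC_AUTH_H */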