auth.h revision 177633
1177633Sdfr/* $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $ */ 2177633Sdfr 3177633Sdfr/* 4177633Sdfr * Sun RPC is a product of Sun Microsystems, Inc. and is provided for 5177633Sdfr * unrestricted use provided that this legend is included on all tape 6177633Sdfr * media and as a part of the software program in whole or part. Users 7177633Sdfr * may copy or modify Sun RPC without charge, but are not authorized 8177633Sdfr * to license or distribute it to anyone else except as part of a product or 9177633Sdfr * program developed by the user. 10177633Sdfr * 11177633Sdfr * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE 12177633Sdfr * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR 13177633Sdfr * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. 14177633Sdfr * 15177633Sdfr * Sun RPC is provided with no support and without any obligation on the 16177633Sdfr * part of Sun Microsystems, Inc. to assist in its use, correction, 17177633Sdfr * modification or enhancement. 18177633Sdfr * 19177633Sdfr * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE 20177633Sdfr * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC 21177633Sdfr * OR ANY PART THEREOF. 22177633Sdfr * 23177633Sdfr * In no event will Sun Microsystems, Inc. be liable for any lost revenue 24177633Sdfr * or profits or other special, indirect and consequential damages, even if 25177633Sdfr * Sun has been advised of the possibility of such damages. 26177633Sdfr * 27177633Sdfr * Sun Microsystems, Inc. 28177633Sdfr * 2550 Garcia Avenue 29177633Sdfr * Mountain View, California 94043 30177633Sdfr * 31177633Sdfr * from: @(#)auth.h 1.17 88/02/08 SMI 32177633Sdfr * from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC 33177633Sdfr * from: @(#)auth.h 1.43 98/02/02 SMI 34177633Sdfr * $FreeBSD: head/sys/rpc/auth.h 177633 2008-03-26 15:23:12Z dfr $ 35177633Sdfr */ 36177633Sdfr 37177633Sdfr/* 38177633Sdfr * auth.h, Authentication interface. 39177633Sdfr * 40177633Sdfr * Copyright (C) 1984, Sun Microsystems, Inc. 41177633Sdfr * 42177633Sdfr * The data structures are completely opaque to the client. The client 43177633Sdfr * is required to pass an AUTH * to routines that create rpc 44177633Sdfr * "sessions". 45177633Sdfr */ 46177633Sdfr 47177633Sdfr#ifndef _RPC_AUTH_H 48177633Sdfr#define _RPC_AUTH_H 49177633Sdfr#include <rpc/xdr.h> 50177633Sdfr#include <rpc/clnt_stat.h> 51177633Sdfr#include <sys/cdefs.h> 52177633Sdfr#include <sys/socket.h> 53177633Sdfr 54177633Sdfr#define MAX_AUTH_BYTES 400 55177633Sdfr#define MAXNETNAMELEN 255 /* maximum length of network user's name */ 56177633Sdfr 57177633Sdfr/* 58177633Sdfr * Client side authentication/security data 59177633Sdfr */ 60177633Sdfr 61177633Sdfrtypedef struct sec_data { 62177633Sdfr u_int secmod; /* security mode number e.g. in nfssec.conf */ 63177633Sdfr u_int rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */ 64177633Sdfr int flags; /* AUTH_F_xxx flags */ 65177633Sdfr caddr_t data; /* opaque data per flavor */ 66177633Sdfr} sec_data_t; 67177633Sdfr 68177633Sdfr#ifdef _SYSCALL32_IMPL 69177633Sdfrstruct sec_data32 { 70177633Sdfr uint32_t secmod; /* security mode number e.g. in nfssec.conf */ 71177633Sdfr uint32_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */ 72177633Sdfr int32_t flags; /* AUTH_F_xxx flags */ 73177633Sdfr caddr32_t data; /* opaque data per flavor */ 74177633Sdfr}; 75177633Sdfr#endif /* _SYSCALL32_IMPL */ 76177633Sdfr 77177633Sdfr/* 78177633Sdfr * AUTH_DES flavor specific data from sec_data opaque data field. 79177633Sdfr * AUTH_KERB has the same structure. 80177633Sdfr */ 81177633Sdfrtypedef struct des_clnt_data { 82177633Sdfr struct netbuf syncaddr; /* time sync addr */ 83177633Sdfr struct knetconfig *knconf; /* knetconfig info that associated */ 84177633Sdfr /* with the syncaddr. */ 85177633Sdfr char *netname; /* server's netname */ 86177633Sdfr int netnamelen; /* server's netname len */ 87177633Sdfr} dh_k4_clntdata_t; 88177633Sdfr 89177633Sdfr#ifdef _SYSCALL32_IMPL 90177633Sdfrstruct des_clnt_data32 { 91177633Sdfr struct netbuf32 syncaddr; /* time sync addr */ 92177633Sdfr caddr32_t knconf; /* knetconfig info that associated */ 93177633Sdfr /* with the syncaddr. */ 94177633Sdfr caddr32_t netname; /* server's netname */ 95177633Sdfr int32_t netnamelen; /* server's netname len */ 96177633Sdfr}; 97177633Sdfr#endif /* _SYSCALL32_IMPL */ 98177633Sdfr 99177633Sdfr#ifdef KERBEROS 100177633Sdfr/* 101177633Sdfr * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4) 102177633Sdfr * in sec_data->data opaque field. 103177633Sdfr */ 104177633Sdfrtypedef struct krb4_svc_data { 105177633Sdfr int window; /* window option value */ 106177633Sdfr} krb4_svcdata_t; 107177633Sdfr 108177633Sdfrtypedef struct krb4_svc_data des_svcdata_t; 109177633Sdfr#endif /* KERBEROS */ 110177633Sdfr 111177633Sdfr/* 112177633Sdfr * authentication/security specific flags 113177633Sdfr */ 114177633Sdfr#define AUTH_F_RPCTIMESYNC 0x001 /* use RPC to do time sync */ 115177633Sdfr#define AUTH_F_TRYNONE 0x002 /* allow fall back to AUTH_NONE */ 116177633Sdfr 117177633Sdfr 118177633Sdfr/* 119177633Sdfr * Status returned from authentication check 120177633Sdfr */ 121177633Sdfrenum auth_stat { 122177633Sdfr AUTH_OK=0, 123177633Sdfr /* 124177633Sdfr * failed at remote end 125177633Sdfr */ 126177633Sdfr AUTH_BADCRED=1, /* bogus credentials (seal broken) */ 127177633Sdfr AUTH_REJECTEDCRED=2, /* client should begin new session */ 128177633Sdfr AUTH_BADVERF=3, /* bogus verifier (seal broken) */ 129177633Sdfr AUTH_REJECTEDVERF=4, /* verifier expired or was replayed */ 130177633Sdfr AUTH_TOOWEAK=5, /* rejected due to security reasons */ 131177633Sdfr /* 132177633Sdfr * failed locally 133177633Sdfr */ 134177633Sdfr AUTH_INVALIDRESP=6, /* bogus response verifier */ 135177633Sdfr AUTH_FAILED=7 /* some unknown reason */ 136177633Sdfr#ifdef KERBEROS 137177633Sdfr /* 138177633Sdfr * kerberos errors 139177633Sdfr */ 140177633Sdfr , 141177633Sdfr AUTH_KERB_GENERIC = 8, /* kerberos generic error */ 142177633Sdfr AUTH_TIMEEXPIRE = 9, /* time of credential expired */ 143177633Sdfr AUTH_TKT_FILE = 10, /* something wrong with ticket file */ 144177633Sdfr AUTH_DECODE = 11, /* can't decode authenticator */ 145177633Sdfr AUTH_NET_ADDR = 12 /* wrong net address in ticket */ 146177633Sdfr#endif /* KERBEROS */ 147177633Sdfr}; 148177633Sdfr 149177633Sdfrunion des_block { 150177633Sdfr struct { 151177633Sdfr uint32_t high; 152177633Sdfr uint32_t low; 153177633Sdfr } key; 154177633Sdfr char c[8]; 155177633Sdfr}; 156177633Sdfrtypedef union des_block des_block; 157177633Sdfr__BEGIN_DECLS 158177633Sdfrextern bool_t xdr_des_block(XDR *, des_block *); 159177633Sdfr__END_DECLS 160177633Sdfr 161177633Sdfr/* 162177633Sdfr * Authentication info. Opaque to client. 163177633Sdfr */ 164177633Sdfrstruct opaque_auth { 165177633Sdfr enum_t oa_flavor; /* flavor of auth */ 166177633Sdfr caddr_t oa_base; /* address of more auth stuff */ 167177633Sdfr u_int oa_length; /* not to exceed MAX_AUTH_BYTES */ 168177633Sdfr}; 169177633Sdfr 170177633Sdfr 171177633Sdfr/* 172177633Sdfr * Auth handle, interface to client side authenticators. 173177633Sdfr */ 174177633Sdfrtypedef struct __auth { 175177633Sdfr struct opaque_auth ah_cred; 176177633Sdfr struct opaque_auth ah_verf; 177177633Sdfr union des_block ah_key; 178177633Sdfr struct auth_ops { 179177633Sdfr void (*ah_nextverf) (struct __auth *); 180177633Sdfr /* nextverf & serialize */ 181177633Sdfr int (*ah_marshal) (struct __auth *, XDR *); 182177633Sdfr /* validate verifier */ 183177633Sdfr int (*ah_validate) (struct __auth *, 184177633Sdfr struct opaque_auth *); 185177633Sdfr /* refresh credentials */ 186177633Sdfr int (*ah_refresh) (struct __auth *, void *); 187177633Sdfr /* destroy this structure */ 188177633Sdfr void (*ah_destroy) (struct __auth *); 189177633Sdfr } *ah_ops; 190177633Sdfr void *ah_private; 191177633Sdfr} AUTH; 192177633Sdfr 193177633Sdfr 194177633Sdfr/* 195177633Sdfr * Authentication ops. 196177633Sdfr * The ops and the auth handle provide the interface to the authenticators. 197177633Sdfr * 198177633Sdfr * AUTH *auth; 199177633Sdfr * XDR *xdrs; 200177633Sdfr * struct opaque_auth verf; 201177633Sdfr */ 202177633Sdfr#define AUTH_NEXTVERF(auth) \ 203177633Sdfr ((*((auth)->ah_ops->ah_nextverf))(auth)) 204177633Sdfr#define auth_nextverf(auth) \ 205177633Sdfr ((*((auth)->ah_ops->ah_nextverf))(auth)) 206177633Sdfr 207177633Sdfr#define AUTH_MARSHALL(auth, xdrs) \ 208177633Sdfr ((*((auth)->ah_ops->ah_marshal))(auth, xdrs)) 209177633Sdfr#define auth_marshall(auth, xdrs) \ 210177633Sdfr ((*((auth)->ah_ops->ah_marshal))(auth, xdrs)) 211177633Sdfr 212177633Sdfr#define AUTH_VALIDATE(auth, verfp) \ 213177633Sdfr ((*((auth)->ah_ops->ah_validate))((auth), verfp)) 214177633Sdfr#define auth_validate(auth, verfp) \ 215177633Sdfr ((*((auth)->ah_ops->ah_validate))((auth), verfp)) 216177633Sdfr 217177633Sdfr#define AUTH_REFRESH(auth, msg) \ 218177633Sdfr ((*((auth)->ah_ops->ah_refresh))(auth, msg)) 219177633Sdfr#define auth_refresh(auth, msg) \ 220177633Sdfr ((*((auth)->ah_ops->ah_refresh))(auth, msg)) 221177633Sdfr 222177633Sdfr#define AUTH_DESTROY(auth) \ 223177633Sdfr ((*((auth)->ah_ops->ah_destroy))(auth)) 224177633Sdfr#define auth_destroy(auth) \ 225177633Sdfr ((*((auth)->ah_ops->ah_destroy))(auth)) 226177633Sdfr 227177633Sdfr 228177633Sdfr__BEGIN_DECLS 229177633Sdfrextern struct opaque_auth _null_auth; 230177633Sdfr__END_DECLS 231177633Sdfr 232177633Sdfr/* 233177633Sdfr * These are the various implementations of client side authenticators. 234177633Sdfr */ 235177633Sdfr 236177633Sdfr/* 237177633Sdfr * System style authentication 238177633Sdfr * AUTH *authunix_create(machname, uid, gid, len, aup_gids) 239177633Sdfr * char *machname; 240177633Sdfr * int uid; 241177633Sdfr * int gid; 242177633Sdfr * int len; 243177633Sdfr * int *aup_gids; 244177633Sdfr */ 245177633Sdfr__BEGIN_DECLS 246177633Sdfr#ifdef _KERNEL 247177633Sdfrstruct ucred; 248177633Sdfrextern AUTH *authunix_create(struct ucred *); 249177633Sdfr#else 250177633Sdfrextern AUTH *authunix_create(char *, int, int, int, 251177633Sdfr int *); 252177633Sdfrextern AUTH *authunix_create_default(void); /* takes no parameters */ 253177633Sdfr#endif 254177633Sdfrextern AUTH *authnone_create(void); /* takes no parameters */ 255177633Sdfr__END_DECLS 256177633Sdfr/* 257177633Sdfr * DES style authentication 258177633Sdfr * AUTH *authsecdes_create(servername, window, timehost, ckey) 259177633Sdfr * char *servername; - network name of server 260177633Sdfr * u_int window; - time to live 261177633Sdfr * const char *timehost; - optional hostname to sync with 262177633Sdfr * des_block *ckey; - optional conversation key to use 263177633Sdfr */ 264177633Sdfr__BEGIN_DECLS 265177633Sdfrextern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *); 266177633Sdfrextern AUTH *authdes_seccreate (const char *, const u_int, const char *, 267177633Sdfr const des_block *); 268177633Sdfr__END_DECLS 269177633Sdfr 270177633Sdfr__BEGIN_DECLS 271177633Sdfrextern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *); 272177633Sdfr__END_DECLS 273177633Sdfr 274177633Sdfr#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip)) 275177633Sdfr#define authsys_create_default() authunix_create_default() 276177633Sdfr 277177633Sdfr/* 278177633Sdfr * Netname manipulation routines. 279177633Sdfr */ 280177633Sdfr__BEGIN_DECLS 281177633Sdfrextern int getnetname(char *); 282177633Sdfrextern int host2netname(char *, const char *, const char *); 283177633Sdfrextern int user2netname(char *, const uid_t, const char *); 284177633Sdfrextern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *); 285177633Sdfrextern int netname2host(char *, char *, const int); 286177633Sdfrextern void passwd2des ( char *, char * ); 287177633Sdfr__END_DECLS 288177633Sdfr 289177633Sdfr/* 290177633Sdfr * 291177633Sdfr * These routines interface to the keyserv daemon 292177633Sdfr * 293177633Sdfr */ 294177633Sdfr__BEGIN_DECLS 295177633Sdfrextern int key_decryptsession(const char *, des_block *); 296177633Sdfrextern int key_encryptsession(const char *, des_block *); 297177633Sdfrextern int key_gendes(des_block *); 298177633Sdfrextern int key_setsecret(const char *); 299177633Sdfrextern int key_secretkey_is_set(void); 300177633Sdfr__END_DECLS 301177633Sdfr 302177633Sdfr/* 303177633Sdfr * Publickey routines. 304177633Sdfr */ 305177633Sdfr__BEGIN_DECLS 306177633Sdfrextern int getpublickey (const char *, char *); 307177633Sdfrextern int getpublicandprivatekey (const char *, char *); 308177633Sdfrextern int getsecretkey (char *, char *, char *); 309177633Sdfr__END_DECLS 310177633Sdfr 311177633Sdfr#ifdef KERBEROS 312177633Sdfr/* 313177633Sdfr * Kerberos style authentication 314177633Sdfr * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status) 315177633Sdfr * const char *service; - service name 316177633Sdfr * const char *srv_inst; - server instance 317177633Sdfr * const char *realm; - server realm 318177633Sdfr * const u_int window; - time to live 319177633Sdfr * const char *timehost; - optional hostname to sync with 320177633Sdfr * int *status; - kerberos status returned 321177633Sdfr */ 322177633Sdfr__BEGIN_DECLS 323177633Sdfrextern AUTH *authkerb_seccreate(const char *, const char *, const char *, 324177633Sdfr const u_int, const char *, int *); 325177633Sdfr__END_DECLS 326177633Sdfr 327177633Sdfr/* 328177633Sdfr * Map a kerberos credential into a unix cred. 329177633Sdfr * 330177633Sdfr * authkerb_getucred(rqst, uid, gid, grouplen, groups) 331177633Sdfr * const struct svc_req *rqst; - request pointer 332177633Sdfr * uid_t *uid; 333177633Sdfr * gid_t *gid; 334177633Sdfr * short *grouplen; 335177633Sdfr * int *groups; 336177633Sdfr * 337177633Sdfr */ 338177633Sdfr__BEGIN_DECLS 339177633Sdfrextern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *, 340177633Sdfr short *, int * */); 341177633Sdfr__END_DECLS 342177633Sdfr#endif /* KERBEROS */ 343177633Sdfr 344177633Sdfr__BEGIN_DECLS 345177633Sdfrstruct svc_req; 346177633Sdfrstruct rpc_msg; 347177633Sdfrenum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *); 348177633Sdfrenum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *); 349177633Sdfrenum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *); 350177633Sdfr__END_DECLS 351177633Sdfr 352177633Sdfr#define AUTH_NONE 0 /* no authentication */ 353177633Sdfr#define AUTH_NULL 0 /* backward compatibility */ 354177633Sdfr#define AUTH_SYS 1 /* unix style (uid, gids) */ 355177633Sdfr#define AUTH_UNIX AUTH_SYS 356177633Sdfr#define AUTH_SHORT 2 /* short hand unix style */ 357177633Sdfr#define AUTH_DH 3 /* for Diffie-Hellman mechanism */ 358177633Sdfr#define AUTH_DES AUTH_DH /* for backward compatibility */ 359177633Sdfr#define AUTH_KERB 4 /* kerberos style */ 360177633Sdfr 361177633Sdfr#endif /* !_RPC_AUTH_H */ 362