/*	$NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $	*/

/*
 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
 * unrestricted use provided that this legend is included on all tape
 * media and as a part of the software program in whole or part. Users
 * may copy or modify Sun RPC without charge, but are not authorized
 * to license or distribute it to anyone else except as part of a product or
 * program developed by the user.
 *
 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
 * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
 *
 * Sun RPC is provided with no support and without any obligation on the
 * part of Sun Microsystems, Inc. to assist in its use, correction,
 * modification or enhancement.
 *
 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
 * OR ANY PART THEREOF.
 *
 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
 * or profits or other special, indirect and consequential damages, even if
 * Sun has been advised of the possibility of such damages.
 *
 * Sun Microsystems, Inc.
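 * 2550 Garcia Avenue
 * Mountain View, California 94043
 *
 * from: @(#)auth.h 1.17 88/02/08 SMI
 * from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC
 * from: @(#)auth.h 1.43 98/02/02 SMI
 * $FreeBSD: head/sys/rpc/auth.h 184588 2008-11-03 10:38:00Z dfr $
 */

/*
 * auth.h, Authentication interface.
 *
 * Copyright (C) 1984, Sun Microsystems, Inc.
 *
 * The data structures are completely opaque to the client. The client
 * is required to pass an AUTH * to routines that create rpc
 * "sessions".
 *
 * Security notes for users of this interface:
 *
 *  - AUTH_NONE and AUTH_SYS (alias AUTH_UNIX) carry no cryptographic
 *    protection at all: the credential is a client-asserted machine
 *    name plus uid/gid list.  It must only be trusted where the peer
 *    is already trusted by other means.
 *  - AUTH_DH (alias AUTH_DES) and AUTH_KERB (Kerberos v4) are built on
 *    single DES (see union des_block) and are obsolete.  New deployments
 *    should use RPCSEC_GSS with integrity (RPCSEC_GSS_KRB5I) or privacy
 *    (RPCSEC_GSS_KRB5P).
 *  - Anything decoded from the wire is attacker controlled.  Decoders
 *    must bound variable-length fields (opaque_auth.oa_length against
 *    MAX_AUTH_BYTES, netnames against MAXNETNAMELEN) before using them.
 */

#ifndef _RPC_AUTH_H
#define _RPC_AUTH_H
#include <sys/types.h>		/* u_int, caddr_t, uid_t, gid_t used below */
#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cdefs.h>
#include <sys/socket.h>

/*
 * Upper bound on the opaque body of a credential or verifier.  Wire
 * decoders are expected to reject longer bodies rather than allocate
 * for them; opaque_auth.oa_length is documented against this limit.
 */
#define MAX_AUTH_BYTES	400
/* Maximum length of a network user's name (AUTH_DH/AUTH_KERB netnames). */
#define MAXNETNAMELEN	255

/*
 * Client side authentication/security data.
 *
 * One record describes how a client authenticates to a service: the
 * configured security mode, the RPC flavor to use, AUTH_F_xxx flags and
 * a flavor-specific blob (for AUTH_DH/AUTH_KERB a dh_k4_clntdata_t).
 */
typedef struct sec_data {
	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
	u_int	rpcflavor;	/* rpc flavors: AUTH_UNIX, AUTH_DES, RPCSEC_GSS */
	int	flags;		/* AUTH_F_xxx flags */
	caddr_t	data;		/* opaque data per flavor; layout is chosen by rpcflavor */
} sec_data_t;

#ifdef _SYSCALL32_IMPL
/* 32-bit ABI image of struct sec_data for compat system calls. */
struct sec_data32 {
	uint32_t	secmod;		/* security mode number e.g. in nfssec.conf */
	uint32_t	rpcflavor;	/* rpc flavors: AUTH_UNIX, AUTH_DES, RPCSEC_GSS */
	int32_t		flags;		/* AUTH_F_xxx flags */
	caddr32_t	data;		/* opaque data per flavor */
};
#endif /* _SYSCALL32_IMPL */

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 */
typedef struct des_clnt_data {
	struct netbuf	syncaddr;	/* time sync addr */
	struct knetconfig *knconf;	/* knetconfig info associated with syncaddr */
	char		*netname;	/* server's netname */
	int		netnamelen;	/* server's netname len (expected <= MAXNETNAMELEN) */
} dh_k4_clntdata_t;

#ifdef _SYSCALL32_IMPL
/* 32-bit ABI image of struct des_clnt_data for compat system calls. */
struct des_clnt_data32 {
	struct netbuf32	syncaddr;	/* time sync addr */
	caddr32_t	knconf;		/* knetconfig info associated with syncaddr */
	caddr32_t	netname;	/* server's netname */
	int32_t		netnamelen;	/* server's netname len */
};
#endif /* _SYSCALL32_IMPL */

#ifdef KERBEROS
/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
 */
typedef struct krb4_svc_data {
	int	window;		/* window option value */
} krb4_svcdata_t;

typedef struct krb4_svc_data des_svcdata_t;
#endif /* KERBEROS */

/*
 * authentication/security specific flags
 */
#define AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
/*
 * AUTH_F_TRYNONE permits a silent downgrade to AUTH_NONE when the
 * requested flavor cannot be set up.  That discards authentication
 * entirely, so only set it where unauthenticated access is acceptable.
 */
#define AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */


/*
 * Status returned from authentication check.
 *
 * Values 0..7 are the classic RPC auth_stat codes and travel on the wire
 * in rejected replies; RPCSEC_GSS_CREDPROBLEM/CTXPROBLEM follow RFC 2203.
 */
enum auth_stat {
	AUTH_OK=0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED=2,		/* client should begin new session */
	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP=6,		/* bogus response verifier */
	AUTH_FAILED=7,			/* some unknown reason */
#ifdef KERBEROS
	/*
	 * kerberos errors
	 *
	 * Note: AUTH_FAILED above already carries the trailing comma; a
	 * separate ',' here would make this enum a syntax error whenever
	 * KERBEROS is defined.
	 */
	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
	AUTH_DECODE = 11,		/* can't decode authenticator */
	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
#endif /* KERBEROS */
	/*
	 * RPCSEC_GSS errors
	 */
	RPCSEC_GSS_CREDPROBLEM = 13,	/* problem with the client credential */
	RPCSEC_GSS_CTXPROBLEM = 14,	/* problem with the security context */
	/*
	 * Not a wire value: the high bit marks an internal status.  It is
	 * presumably returned when the auth layer has already consumed or
	 * replied to the request and the dispatcher must not run it --
	 * confirm against svc_auth / svc_rpcsec_gss.
	 */
	RPCSEC_GSS_NODISPATCH = 0x8000000
};

/*
 * One 64-bit DES block.  When it holds a key (AUTH.ah_key, conversation
 * keys handed to the keyserv routines below) it is secret material:
 * clear it before the containing memory is freed or reused.  Single DES
 * offers no meaningful confidentiality against a modern attacker.
 */
union des_block {
	struct {
		uint32_t high;
		uint32_t low;
	} key;
	char c[8];
};
typedef union des_block des_block;
__BEGIN_DECLS
extern bool_t xdr_des_block(XDR *, des_block *);
__END_DECLS

/*
 * Authentication info. Opaque to client.
 *
 * This is the on-the-wire shape of both the credential and the verifier
 * in an RPC call/reply header.
 */
struct opaque_auth {
	enum_t	oa_flavor;	/* flavor of auth */
	caddr_t	oa_base;	/* address of more auth stuff */
	u_int	oa_length;	/* not to exceed MAX_AUTH_BYTES (xdr_opaque_auth is expected to enforce this) */
};


/*
 * Auth handle, interface to client side authenticators.
 *
 * Flavor implementations fill in ah_ops; callers go through the
 * AUTH_xxx macros below rather than calling the ops directly.
 */
struct rpc_err;
typedef struct __auth {
	struct	opaque_auth	ah_cred;	/* credential sent with each call */
	struct	opaque_auth	ah_verf;	/* verifier sent with each call */
	union	des_block	ah_key;		/* conversation key (AUTH_DH/AUTH_KERB); secret */
	struct auth_ops {
		/* advance to the next verifier before a new call */
		void	(*ah_nextverf) (struct __auth *);
		/* nextverf & serialize: emit cred/verf (and args) for xid */
		int	(*ah_marshal) (struct __auth *, uint32_t, XDR *,
		    struct mbuf *);
		/* validate the reply verifier for xid; may unwrap results */
		int	(*ah_validate) (struct __auth *, uint32_t,
		    struct opaque_auth *, struct mbuf **);
		/* refresh credentials after a rejection */
		int	(*ah_refresh) (struct __auth *, void *);
		/* destroy this structure */
		void	(*ah_destroy) (struct __auth *);
	} *ah_ops;
	void *ah_private;		/* flavor-private state */
} AUTH;


/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 *
 * AUTH	*auth;
 * XDR	*xdrs;
 * struct opaque_auth verf;
 *
 * Every macro argument is parenthesized so callers may pass expressions.
 */
#define AUTH_NEXTVERF(auth)		\
		((*((auth)->ah_ops->ah_nextverf))((auth)))

#define AUTH_MARSHALL(auth, xid, xdrs, args)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xid), (xdrs), (args)))

#define AUTH_VALIDATE(auth, xid, verfp, resultsp)	\
		((*((auth)->ah_ops->ah_validate))((auth), (xid), (verfp), (resultsp)))

#define AUTH_REFRESH(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg)))

#define AUTH_DESTROY(auth)		\
		((*((auth)->ah_ops->ah_destroy))((auth)))

__BEGIN_DECLS
/* The AUTH_NONE credential/verifier (zero-length body). */
extern struct opaque_auth _null_auth;
__END_DECLS

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
 *	char *machname;
 *	int uid;
 *	int gid;
 *	int len;
 *	int *aup_gids;
 *
 * The server has no way to verify any of these values; see the security
 * notes at the top of this file.
 */
__BEGIN_DECLS
#ifdef _KERNEL
struct ucred;
/* Kernel variant: the credential is taken from an existing struct ucred. */
extern AUTH *authunix_create(struct ucred *);
#else
extern AUTH *authunix_create(char *, int, int, int,
    int *);
extern AUTH *authunix_create_default(void);	/* takes no parameters */
#endif
extern AUTH *authnone_create(void);		/* takes no parameters */
__END_DECLS
/*
 * DES style authentication
 * AUTH *authsecdes_create(servername, window, timehost, ckey)
 *	char *servername;		- network name of server
 *	u_int window;			- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	des_block *ckey;		- optional conversation key to use
 *
 * Obsolete (single DES); kept for interoperability with old peers.
 */
__BEGIN_DECLS
extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
extern AUTH *authdes_seccreate (const char *, const u_int, const  char *,
    const  des_block *);
__END_DECLS

__BEGIN_DECLS
extern bool_t xdr_opaque_auth		(XDR *, struct opaque_auth *);
__END_DECLS

#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
#define authsys_create_default() authunix_create_default()

/*
 * Netname manipulation routines.
 *
 * The char * output buffers are filled with NUL-terminated netnames;
 * presumably they must hold at least MAXNETNAMELEN + 1 bytes, as these
 * routines take no length argument -- confirm against the implementation.
 */
__BEGIN_DECLS
extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
extern int netname2host(char *, char *, const int);
extern void passwd2des ( char *, char * );	/* derives a DES key from a password; second arg receives key material */
__END_DECLS

/*
 *
 * These routines interface to the keyserv daemon
 *
 * des_block arguments carry session keys: treat them as secrets.
 */
__BEGIN_DECLS
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);
__END_DECLS

/*
 * Publickey routines.
 *
 * Output buffers are unsized char *; the caller is responsible for
 * providing storage large enough for the key encoding in use.
 */
__BEGIN_DECLS
extern int getpublickey (const char *, char *);
extern int getpublicandprivatekey (const char *, char *);
extern int getsecretkey (char *, char *, char *);
__END_DECLS

#ifdef KERBEROS
/*
 * Kerberos style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 *	const char *service;			- service name
 *	const char *srv_inst;			- server instance
 *	const char *realm;			- server realm
 *	const u_int window;			- time to live
 *	const char *timehost;			- optional hostname to sync with
 *	int *status;				- kerberos status returned
 */
__BEGIN_DECLS
extern AUTH	*authkerb_seccreate(const char *, const char *, const  char *,
    const u_int, const char *, int *);
__END_DECLS

/*
 * Map a kerberos credential into a unix cred.
 *
 *  authkerb_getucred(rqst, uid, gid, grouplen, groups)
 *	const struct svc_req *rqst;		- request pointer
 *	uid_t *uid;
 *	gid_t *gid;
 *	short *grouplen;
 *	int *groups;
 *
 * Declared below without a prototype (K&R style), so the compiler cannot
 * check argument types at call sites; the intended signature is the one
 * documented above.
 */
__BEGIN_DECLS
extern int	authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
    short *, int * */);
__END_DECLS
#endif /* KERBEROS */

/*
 * Server-side credential checkers for the built-in flavors.  Each returns
 * an auth_stat for the request's credential; the caller rejects the call
 * on anything other than AUTH_OK.
 */
__BEGIN_DECLS
struct svc_req;
struct rpc_msg;
enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
__END_DECLS

/*
 * Authentication flavor numbers as they appear in opaque_auth.oa_flavor.
 */
#define AUTH_NONE	0		/* no authentication */
#define	AUTH_NULL	0		/* backward compatibility */
#define	AUTH_SYS	1		/* unix style (uid, gids) */
#define AUTH_UNIX	AUTH_SYS
#define	AUTH_SHORT	2		/* short hand unix style */
#define AUTH_DH		3		/* for Diffie-Hellman mechanism */
#define AUTH_DES	AUTH_DH		/* for backward compatibility */
#define AUTH_KERB	4		/* kerberos style */
#define RPCSEC_GSS	6		/* RPCSEC_GSS */

/*
 * Pseudo auth flavors for RPCSEC_GSS.
 *
 * These are configuration values selecting the Kerberos 5 service
 * level: KRB5 = authentication only, KRB5I = plus integrity protection,
 * KRB5P = plus privacy (encryption).  The real wire flavor is RPCSEC_GSS.
 */
#define RPCSEC_GSS_KRB5		390003
#define RPCSEC_GSS_KRB5I	390004
#define RPCSEC_GSS_KRB5P	390005

#endif /* !_RPC_AUTH_H */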