auth.h revision 241181 
1/*	$NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $	*/
2
3/*
4 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
5 * unrestricted use provided that this legend is included on all tape
6 * media and as a part of the software program in whole or part.  Users
7 * may copy or modify Sun RPC without charge, but are not authorized
8 * to license or distribute it to anyone else except as part of a product or
9 * program developed by the user.
10 *
11 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
12 * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
13 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
14 *
15 * Sun RPC is provided with no support and without any obligation on the
16 * part of Sun Microsystems, Inc. to assist in its use, correction,
17 * modification or enhancement.
18 *
19 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
20 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
21 * OR ANY PART THEREOF.
22 *
23 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
24 * or profits or other special, indirect and consequential damages, even if
25 * Sun has been advised of the possibility of such damages.
26 *
27 * Sun Microsystems, Inc.
28 * 2550 Garcia Avenue
29 * Mountain View, California  94043
30 *
31 *	from: @(#)auth.h 1.17 88/02/08 SMI
32 *	from: @(#)auth.h	2.3 88/08/07 4.0 RPCSRC
33 *	from: @(#)auth.h	1.43 	98/02/02 SMI
34 * $FreeBSD: head/sys/rpc/auth.h 241181 2012-10-04 04:15:18Z pfg $
35 */
36
37/*
38 * auth.h, Authentication interface.
39 *
40 * Copyright (C) 1984, Sun Microsystems, Inc.
41 *
42 * The data structures are completely opaque to the client.  The client
43 * is required to pass an AUTH * to routines that create rpc
44 * "sessions".
45 */
46
47#ifndef _RPC_AUTH_H
48#define _RPC_AUTH_H
49#include <rpc/xdr.h>
50#include <rpc/clnt_stat.h>
51#include <sys/cdefs.h>
52#include <sys/socket.h>
53
54#define MAX_AUTH_BYTES	400
55#define MAXNETNAMELEN	255	/* maximum length of network user's name */
56
57/*
58 *  Client side authentication/security data
59 */
60
61typedef struct sec_data {
62	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
63	u_int	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
64	int	flags;		/* AUTH_F_xxx flags */
65	caddr_t data;		/* opaque data per flavor */
66} sec_data_t;
67
68#ifdef _SYSCALL32_IMPL
69struct sec_data32 {
70	uint32_t secmod;	/* security mode number e.g. in nfssec.conf */
71	uint32_t rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
72	int32_t flags;		/* AUTH_F_xxx flags */
73	caddr32_t data;		/* opaque data per flavor */
74};
75#endif /* _SYSCALL32_IMPL */
76
77/*
78 * AUTH_DES flavor specific data from sec_data opaque data field.
79 * AUTH_KERB has the same structure.
80 */
81typedef struct des_clnt_data {
82	struct netbuf	syncaddr;	/* time sync addr */
83	struct knetconfig *knconf;	/* knetconfig info that associated */
84					/* with the syncaddr. */
85	char		*netname;	/* server's netname */
86	int		netnamelen;	/* server's netname len */
87} dh_k4_clntdata_t;
88
89#ifdef _SYSCALL32_IMPL
90struct des_clnt_data32 {
91	struct netbuf32 syncaddr;	/* time sync addr */
92	caddr32_t knconf;		/* knetconfig info that associated */
93					/* with the syncaddr. */
94	caddr32_t netname;		/* server's netname */
95	int32_t netnamelen;		/* server's netname len */
96};
97#endif /* _SYSCALL32_IMPL */
98
99#ifdef KERBEROS
100/*
101 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
102 * in sec_data->data opaque field.
103 */
104typedef struct krb4_svc_data {
105	int		window;		/* window option value */
106} krb4_svcdata_t;
107
108typedef struct krb4_svc_data	des_svcdata_t;
109#endif /* KERBEROS */
110
111/*
112 * authentication/security specific flags
113 */
114#define AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
115#define AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */
116
117
118/*
119 * Status returned from authentication check
120 */
121enum auth_stat {
122	AUTH_OK=0,
123	/*
124	 * failed at remote end
125	 */
126	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
127	AUTH_REJECTEDCRED=2,		/* client should begin new session */
128	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
129	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
130	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
131	/*
132	 * failed locally
133	*/
134	AUTH_INVALIDRESP=6,		/* bogus response verifier */
135	AUTH_FAILED=7,			/* some unknown reason */
136#ifdef KERBEROS
137	/*
138	 * kerberos errors
139	 */
140	,
141	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
142	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
143	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
144	AUTH_DECODE = 11,			/* can't decode authenticator */
145	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
146#endif /* KERBEROS */
147	/*
148	 * RPCSEC_GSS errors
149	 */
150	RPCSEC_GSS_CREDPROBLEM = 13,
151	RPCSEC_GSS_CTXPROBLEM = 14,
152	RPCSEC_GSS_NODISPATCH = 0x8000000
153};
154
155union des_block {
156	struct {
157		uint32_t high;
158		uint32_t low;
159	} key;
160	char c[8];
161};
162typedef union des_block des_block;
163__BEGIN_DECLS
164extern bool_t xdr_des_block(XDR *, des_block *);
165__END_DECLS
166
167/*
168 * Authentication info.  Opaque to client.
169 */
170struct opaque_auth {
171	enum_t	oa_flavor;		/* flavor of auth */
172	caddr_t	oa_base;		/* address of more auth stuff */
173	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
174};
175
176
177/*
178 * Auth handle, interface to client side authenticators.
179 */
180struct rpc_err;
181typedef struct __auth {
182	struct	opaque_auth	ah_cred;
183	struct	opaque_auth	ah_verf;
184	union	des_block	ah_key;
185	struct auth_ops {
186		void	(*ah_nextverf) (struct __auth *);
187		/* nextverf & serialize */
188		int	(*ah_marshal) (struct __auth *, uint32_t, XDR *,
189		    struct mbuf *);
190		/* validate verifier */
191		int	(*ah_validate) (struct __auth *, uint32_t,
192		    struct opaque_auth *, struct mbuf **);
193		/* refresh credentials */
194		int	(*ah_refresh) (struct __auth *, void *);
195		/* destroy this structure */
196		void	(*ah_destroy) (struct __auth *);
197	} *ah_ops;
198	void *ah_private;
199} AUTH;
200
201
202/*
203 * Authentication ops.
204 * The ops and the auth handle provide the interface to the authenticators.
205 *
206 * AUTH	*auth;
207 * XDR	*xdrs;
208 * struct opaque_auth verf;
209 */
210#define AUTH_NEXTVERF(auth)		\
211		((*((auth)->ah_ops->ah_nextverf))(auth))
212
213#define AUTH_MARSHALL(auth, xid, xdrs, args)	\
214		((*((auth)->ah_ops->ah_marshal))(auth, xid, xdrs, args))
215
216#define AUTH_VALIDATE(auth, xid, verfp, resultsp) \
217		((*((auth)->ah_ops->ah_validate))((auth), xid, verfp, resultsp))
218
219#define AUTH_REFRESH(auth, msg)		\
220		((*((auth)->ah_ops->ah_refresh))(auth, msg))
221
222#define AUTH_DESTROY(auth)		\
223		((*((auth)->ah_ops->ah_destroy))(auth))
224
225__BEGIN_DECLS
226extern struct opaque_auth _null_auth;
227__END_DECLS
228
229/*
230 * These are the various implementations of client side authenticators.
231 */
232
233/*
234 * System style authentication
235 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
236 *	char *machname;
237 *	u_int uid;
238 *	u_int gid;
239 *	int len;
240 *	u_int *aup_gids;
241 */
242__BEGIN_DECLS
243#ifdef _KERNEL
244struct ucred;
245extern AUTH *authunix_create(struct ucred *);
246#else
247extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *);
248extern AUTH *authunix_create_default(void);	/* takes no parameters */
249#endif
250extern AUTH *authnone_create(void);		/* takes no parameters */
251__END_DECLS
252/*
253 * DES style authentication
254 * AUTH *authsecdes_create(servername, window, timehost, ckey)
255 * 	char *servername;		- network name of server
256 *	u_int window;			- time to live
257 * 	const char *timehost;			- optional hostname to sync with
258 * 	des_block *ckey;		- optional conversation key to use
259 */
260__BEGIN_DECLS
261extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
262extern AUTH *authdes_seccreate (const char *, const u_int, const  char *,
263    const  des_block *);
264__END_DECLS
265
266__BEGIN_DECLS
267extern bool_t xdr_opaque_auth		(XDR *, struct opaque_auth *);
268__END_DECLS
269
270#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
271#define authsys_create_default() authunix_create_default()
272
273/*
274 * Netname manipulation routines.
275 */
276__BEGIN_DECLS
277extern int getnetname(char *);
278extern int host2netname(char *, const char *, const char *);
279extern int user2netname(char *, const uid_t, const char *);
280extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
281extern int netname2host(char *, char *, const int);
282extern void passwd2des ( char *, char * );
283__END_DECLS
284
285/*
286 *
287 * These routines interface to the keyserv daemon
288 *
289 */
290__BEGIN_DECLS
291extern int key_decryptsession(const char *, des_block *);
292extern int key_encryptsession(const char *, des_block *);
293extern int key_gendes(des_block *);
294extern int key_setsecret(const char *);
295extern int key_secretkey_is_set(void);
296__END_DECLS
297
298/*
299 * Publickey routines.
300 */
301__BEGIN_DECLS
302extern int getpublickey (const char *, char *);
303extern int getpublicandprivatekey (const char *, char *);
304extern int getsecretkey (char *, char *, char *);
305__END_DECLS
306
307#ifdef KERBEROS
308/*
309 * Kerberos style authentication
310 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
311 *	const char *service;			- service name
312 *	const char *srv_inst;			- server instance
313 *	const char *realm;			- server realm
314 *	const u_int window;			- time to live
315 *	const char *timehost;			- optional hostname to sync with
316 *	int *status;				- kerberos status returned
317 */
318__BEGIN_DECLS
319extern AUTH	*authkerb_seccreate(const char *, const char *, const  char *,
320		    const u_int, const char *, int *);
321__END_DECLS
322
323/*
324 * Map a kerberos credential into a unix cred.
325 *
326 *	authkerb_getucred(rqst, uid, gid, grouplen, groups)
327 *	const struct svc_req *rqst;		- request pointer
328 *	uid_t *uid;
329 *	gid_t *gid;
330 *	short *grouplen;
331 *	int *groups;
332 *
333 */
334__BEGIN_DECLS
335extern int	authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
336		    short *, int * */);
337__END_DECLS
338#endif /* KERBEROS */
339
340__BEGIN_DECLS
341struct svc_req;
342struct rpc_msg;
343enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
344enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
345enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
346__END_DECLS
347
348#define AUTH_NONE	0		/* no authentication */
349#define	AUTH_NULL	0		/* backward compatibility */
350#define	AUTH_SYS	1		/* unix style (uid, gids) */
351#define AUTH_UNIX	AUTH_SYS
352#define	AUTH_SHORT	2		/* short hand unix style */
353#define AUTH_DH		3		/* for Diffie-Hellman mechanism */
354#define AUTH_DES	AUTH_DH		/* for backward compatibility */
355#define AUTH_KERB	4		/* kerberos style */
356#define RPCSEC_GSS	6		/* RPCSEC_GSS */
357
358/*
359 * Pseudo auth flavors for RPCSEC_GSS.
360 */
361#define	RPCSEC_GSS_KRB5		390003
362#define	RPCSEC_GSS_KRB5I	390004
363#define	RPCSEC_GSS_KRB5P	390005
364
365#endif /* !_RPC_AUTH_H */
366