/include/rpc/auth.h


  1. /* $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $ */
  2. /*
  3. * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
  4. * unrestricted use provided that this legend is included on all tape
  5. * media and as a part of the software program in whole or part. Users
  6. * may copy or modify Sun RPC without charge, but are not authorized
  7. * to license or distribute it to anyone else except as part of a product or
  8. * program developed by the user.
  9. *
  10. * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
  11. * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  12. * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
  13. *
  14. * Sun RPC is provided with no support and without any obligation on the
  15. * part of Sun Microsystems, Inc. to assist in its use, correction,
  16. * modification or enhancement.
  17. *
  18. * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
  19. * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
  20. * OR ANY PART THEREOF.
  21. *
  22. * In no event will Sun Microsystems, Inc. be liable for any lost revenue
  23. * or profits or other special, indirect and consequential damages, even if
  24. * Sun has been advised of the possibility of such damages.
  25. *
  26. * Sun Microsystems, Inc.
  27. * 2550 Garcia Avenue
  28. * Mountain View, California 94043
  29. *
  30. * from: @(#)auth.h 1.17 88/02/08 SMI
  31. * from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC
  32. * from: @(#)auth.h 1.43 98/02/02 SMI
  33. * $FreeBSD$
  34. */
  35. /*
  36. * auth.h, Authentication interface.
  37. *
  38. * Copyright (C) 1984, Sun Microsystems, Inc.
  39. *
  40. * The data structures are completely opaque to the client. The client
  41. * is required to pass an AUTH * to routines that create rpc
  42. * "sessions".
  43. */
#ifndef _RPC_AUTH_H
#define _RPC_AUTH_H
#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cdefs.h>
#include <sys/socket.h>

/*
 * Upper bound on the size of a credential or verifier body carried in an
 * opaque_auth (its oa_length must not exceed this); anything larger on the
 * wire is malformed and should be rejected by the decoder.
 */
#define MAX_AUTH_BYTES	400
#define MAXNETNAMELEN	255	/* maximum length of network user's name */
/*
 * Client side authentication/security data
 *
 * Describes how a client secures an RPC session: the security mode, the
 * RPC flavor, AUTH_F_xxx flags, and flavor-specific data reached through
 * the opaque `data` pointer (for AUTH_DES/AUTH_KERB that is a
 * struct des_clnt_data, see below).
 */
typedef struct sec_data {
	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
	u_int	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int	flags;		/* AUTH_F_xxx flags */
	caddr_t	data;		/* opaque data per flavor */
} sec_data_t;
#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width image of struct sec_data for the 32-bit syscall ABI:
 * pointers become caddr32_t and the integers are explicitly 32 bits.
 * Member order must stay in sync with struct sec_data.
 * NOTE(review): presumably used by a 64-bit kernel serving 32-bit
 * callers; confirm against the _SYSCALL32_IMPL users.
 */
struct sec_data32 {
	uint32_t	secmod;		/* security mode number e.g. in nfssec.conf */
	uint32_t	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int32_t		flags;		/* AUTH_F_xxx flags */
	caddr32_t	data;		/* opaque data per flavor */
};
#endif /* _SYSCALL32_IMPL */
/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 *
 * Holds what the client needs to talk to a DES/Kerberos(v4) style server:
 * where to synchronize time (syncaddr plus its transport config) and the
 * server's netname, which names the key to use.
 */
typedef struct des_clnt_data {
	struct	netbuf	syncaddr;	/* time sync addr */
	struct	knetconfig *knconf;	/* knetconfig info that associated */
					/* with the syncaddr. */
	char	*netname;		/* server's netname */
	int	netnamelen;		/* server's netname len */
} dh_k4_clntdata_t;
#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width image of struct des_clnt_data for the 32-bit syscall ABI;
 * pointers become caddr32_t. Keep member order in sync with
 * struct des_clnt_data.
 */
struct des_clnt_data32 {
	struct	netbuf32 syncaddr;	/* time sync addr */
	caddr32_t	knconf;		/* knetconfig info that associated */
					/* with the syncaddr. */
	caddr32_t	netname;	/* server's netname */
	int32_t		netnamelen;	/* server's netname len */
};
#endif /* _SYSCALL32_IMPL */
#ifdef KERBEROS
/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
 *
 * Server side counterpart of des_clnt_data: only the replay/clock window
 * is needed. des_svcdata_t is the same type under the AUTH_DES name.
 */
typedef struct krb4_svc_data {
	int	window;		/* window option value */
} krb4_svcdata_t;

typedef struct krb4_svc_data	des_svcdata_t;
#endif /* KERBEROS */
/*
 * authentication/security specific flags
 *
 * AUTH_F_TRYNONE permits a silent downgrade to AUTH_NONE when the
 * requested flavor cannot be set up; set it only where unauthenticated
 * access is acceptable, since it removes the failure that would otherwise
 * signal a broken security configuration.
 */
#define AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
#define AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */
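/*
 * Status returned from authentication check
 *
 * Codes 0..7 are the base RPC results; 8..12 are reserved for the
 * Kerberos(v4) flavor and exist only under KERBEROS, which is why the
 * RPCSEC_GSS codes are numbered explicitly from 13 so the values are the
 * same whether or not KERBEROS is defined.
 */
enum auth_stat {
	AUTH_OK=0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED=2,		/* client should begin new session */
	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP=6,		/* bogus response verifier */
	AUTH_FAILED=7,			/* some unknown reason */
#ifdef KERBEROS
	/*
	 * kerberos errors
	 *
	 * The stray "," that used to precede this group produced
	 * "AUTH_FAILED=7, , AUTH_KERB_GENERIC" and broke the build with
	 * KERBEROS defined; the trailing comma on AUTH_FAILED is enough.
	 */
	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
	AUTH_DECODE = 11,		/* can't decode authenticator */
	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
#endif /* KERBEROS */
	/*
	 * RPCSEC_GSS errors
	 */
	RPCSEC_GSS_CREDPROBLEM = 13,
	RPCSEC_GSS_CTXPROBLEM = 14,
	RPCSEC_GSS_NODISPATCH = 0x8000000
};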
/*
 * A DES block: 8 bytes, viewable either as two 32-bit halves (key.high /
 * key.low) or as raw bytes (c[]). Used for conversation/session keys, so
 * instances hold secret material; callers that keep one around should
 * clear it when done -- nothing here does that for them.
 */
union des_block {
	struct {
		uint32_t high;
		uint32_t low;
	} key;
	char c[8];
};
typedef union des_block des_block;
__BEGIN_DECLS
/*
 * XDR routine for a des_block; the encode/decode direction comes from
 * the XDR handle, as with the other xdr_* routines. Returns bool_t
 * (FALSE on failure).
 */
extern bool_t xdr_des_block(XDR *, des_block *);
__END_DECLS
/*
 * Authentication info. Opaque to client.
 *
 * One credential or verifier as it travels in the RPC header: a flavor
 * number (AUTH_NONE, AUTH_SYS, ... below) and oa_length bytes at oa_base.
 * When this comes off the wire, oa_length must be checked against
 * MAX_AUTH_BYTES before oa_base is touched; xdr_opaque_auth() is where
 * that belongs -- NOTE(review): confirm the decoder enforces it.
 */
struct opaque_auth {
	enum_t	oa_flavor;		/* flavor of auth */
	caddr_t	oa_base;		/* address of more auth stuff */
	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
};
/*
 * Auth handle, interface to client side authenticators.
 *
 * One AUTH is produced per flavor by the auth*_create() routines declared
 * below and is used only through the AUTH_xxx macros, which dispatch on
 * ah_ops. Clients never look inside.
 */
typedef struct __auth {
	struct	opaque_auth	ah_cred;	/* current credential */
	struct	opaque_auth	ah_verf;	/* current verifier */
	union	des_block	ah_key;		/* session key; meaningful for the DES style flavors (presumably unused by others -- confirm) */
	struct auth_ops {
		/* advance to the next verifier before a call */
		void	(*ah_nextverf) (struct __auth *);
		/* nextverf & serialize */
		int	(*ah_marshal) (struct __auth *, XDR *);
		/* validate verifier */
		int	(*ah_validate) (struct __auth *,
			    struct opaque_auth *);
		/* refresh credentials */
		int	(*ah_refresh) (struct __auth *, void *);
		/* destroy this structure */
		void	(*ah_destroy) (struct __auth *);
	} *ah_ops;
	void *ah_private;	/* flavor-private state, presumably released by ah_destroy */
} AUTH;
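/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 *
 *	AUTH	*auth;
 *	XDR	*xdrs;
 *	struct opaque_auth verf;
 *
 * Each macro dispatches through auth->ah_ops. `auth` is expanded twice,
 * so pass a plain lvalue rather than an expression with side effects.
 * Every argument is parenthesized (previously only AUTH_VALIDATE did
 * that) so an expression argument cannot rebind inside the expansion.
 * The lower-case names are aliases kept for source compatibility.
 */
#define AUTH_NEXTVERF(auth)		\
		((*((auth)->ah_ops->ah_nextverf))((auth)))
#define auth_nextverf(auth)		\
		((*((auth)->ah_ops->ah_nextverf))((auth)))

#define AUTH_MARSHALL(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs)))
#define auth_marshall(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs)))

#define AUTH_VALIDATE(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), (verfp)))
#define auth_validate(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), (verfp)))

#define AUTH_REFRESH(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg)))
#define auth_refresh(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg)))

#define AUTH_DESTROY(auth)		\
		((*((auth)->ah_ops->ah_destroy))((auth)))
#define auth_destroy(auth)		\
		((*((auth)->ah_ops->ah_destroy))((auth)))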
__BEGIN_DECLS
/*
 * The shared "no authentication" opaque_auth -- presumably flavor
 * AUTH_NONE with oa_length 0; confirm in its definition.
 */
extern struct opaque_auth _null_auth;
__END_DECLS
/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 *	AUTH *authunix_create(machname, uid, gid, len, aup_gids)
 *	char *machname;
 *	u_int uid;
 *	u_int gid;
 *	int len;
 *	u_int *aup_gids;
 *
 * The caller supplies the identity (uid, gid, len gids at aup_gids) and
 * nothing in this flavor proves it to the server, so servers must not
 * treat AUTH_UNIX credentials as authenticated. authunix_create_default()
 * fills the same fields from the calling process; authnone_create()
 * builds an AUTH_NONE handle.
 */
__BEGIN_DECLS
extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *);
extern AUTH *authunix_create_default(void);	/* takes no parameters */
extern AUTH *authnone_create(void);		/* takes no parameters */
__END_DECLS
/*
 * DES style authentication
 *	AUTH *authdes_seccreate(servername, window, timehost, ckey)
 *	char *servername;		- network name of server
 *	u_int window;			- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	des_block *ckey;		- optional conversation key to use
 *
 * authdes_create() is the older form taking the time host as a
 * struct sockaddr * instead of a hostname. Both flavors rest on DES and
 * Diffie-Hellman parameters that are weak by today's standards; prefer
 * RPCSEC_GSS where the peer supports it.
 */
__BEGIN_DECLS
extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
extern AUTH *authdes_seccreate (const char *, const u_int, const  char *,
    const  des_block *);
__END_DECLS
__BEGIN_DECLS
/*
 * XDR routine for an opaque_auth (flavor, length and body). On decode
 * this is where oa_length is expected to be bounded by MAX_AUTH_BYTES.
 */
extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *);
__END_DECLS
/*
 * AUTH_SYS spellings of the unix style constructors: AUTH_SYS and
 * AUTH_UNIX are the same flavor, so these just forward to authunix_*().
 */
#define authsys_create(machname, uid, gid, len, aup_gids) \
	authunix_create((machname), (uid), (gid), (len), (aup_gids))
#define authsys_create_default() \
	authunix_create_default()
/*
 * Netname manipulation routines.
 *
 * A netname is the secure-RPC network name of a user or host, at most
 * MAXNETNAMELEN characters. The char * output parameters carry no size
 * argument, so the caller supplies the buffer: at least MAXNETNAMELEN + 1
 * bytes for a netname -- NOTE(review): confirm the bound each routine
 * actually writes before sizing fixed buffers.
 *
 *	getnetname(name)			- netname of the caller
 *	host2netname(name, host, domain)
 *	user2netname(name, uid, domain)
 *	netname2user(name, uidp, gidp, gidlenp, gidlist)
 *	netname2host(name, host, hostlen)	- hostlen bounds host
 *	passwd2des(passwd, key)			- derive a DES key from a password
 */
__BEGIN_DECLS
extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
extern int netname2host(char *, char *, const int);
extern void passwd2des ( char *, char * );
__END_DECLS
/*
 *
 * These routines interface to the keyserv daemon
 *
 *	key_decryptsession(remotename, deskey)	- decrypt a conversation key
 *	key_encryptsession(remotename, deskey)	- encrypt a conversation key
 *	key_gendes(deskey)			- obtain a fresh DES key
 *	key_setsecret(secretkey)		- hand the caller's secret key to keyserv
 *	key_secretkey_is_set()			- whether a secret key is registered
 *
 * The des_block arguments are key material handled in place; see the
 * des_block note about clearing them.
 */
__BEGIN_DECLS
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);
__END_DECLS
/*
 * Publickey routines.
 *
 *	getpublickey(netname, publickey)
 *	getpublicandprivatekey(netname, key)
 *	getsecretkey(netname, secretkey, passwd)	- passwd unlocks the stored key
 *
 * The key output parameters are unsized char buffers; the caller must
 * provide the length the implementation expects -- NOTE(review): confirm
 * it against the implementation.
 */
__BEGIN_DECLS
extern int getpublickey (const char *, char *);
extern int getpublicandprivatekey (const char *, char *);
extern int getsecretkey (char *, char *, char *);
__END_DECLS
#ifdef KERBEROS
/*
 * Kerberos style authentication
 *	AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 *	const char *service;			- service name
 *	const char *srv_inst;			- server instance
 *	const char *realm;			- server realm
 *	const u_int window;			- time to live
 *	const char *timehost;			- optional hostname to sync with
 *	int *status;				- kerberos status returned
 */
__BEGIN_DECLS
extern AUTH *authkerb_seccreate(const char *, const char *, const  char *,
    const  u_int, const  char *, int *);
__END_DECLS

/*
 * Map a kerberos credential into a unix cred.
 *
 *	authkerb_getucred(rqst, uid, gid, grouplen, groups)
 *	const struct svc_req *rqst;		- request pointer
 *	uid_t *uid;
 *	gid_t *gid;
 *	short *grouplen;
 *	int *groups;
 *
 * NOTE(review): this is declared without a prototype (the parameter list
 * below is commented out), so callers get no argument type checking and
 * the two comments disagree on whether rqst is const; in C23 an empty
 * parameter list means "no arguments". Restore the prototype from the
 * implementation once struct svc_req has been forward-declared above it.
 */
__BEGIN_DECLS
extern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
	short *, int * */);
__END_DECLS
#endif /* KERBEROS */
__BEGIN_DECLS
struct svc_req;
struct rpc_msg;
/*
 * Server side credential checkers, one per built-in flavor. Each inspects
 * the credential in the incoming rpc_msg for the request and returns an
 * auth_stat; anything but AUTH_OK means the call must be rejected.
 */
enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
__END_DECLS
/*
 * Authentication flavor numbers as carried in opaque_auth.oa_flavor.
 * AUTH_NULL/AUTH_NONE and AUTH_UNIX/AUTH_SYS and AUTH_DES/AUTH_DH are
 * old/new names for the same values. Only RPCSEC_GSS provides
 * cryptographic authentication of the caller; AUTH_SYS and AUTH_SHORT
 * carry client-asserted identities.
 */
#define AUTH_NONE	0		/* no authentication */
#define	AUTH_NULL	0		/* backward compatibility */
#define	AUTH_SYS	1		/* unix style (uid, gids) */
#define	AUTH_UNIX	AUTH_SYS
#define	AUTH_SHORT	2		/* short hand unix style */
#define AUTH_DH		3		/* for Diffie-Hellman mechanism */
#define AUTH_DES	AUTH_DH		/* for backward compatibility */
#define AUTH_KERB	4		/* kerberos style */
#define RPCSEC_GSS	6		/* RPCSEC_GSS */

/*
 * Pseudo auth flavors for RPCSEC_GSS.
 *
 * These select a GSS mechanism and service level (krb5: authentication
 * only; krb5i: plus integrity; krb5p: plus privacy) rather than a real
 * flavor; on the wire the flavor is still RPCSEC_GSS.
 */
#define RPCSEC_GSS_KRB5		390003
#define RPCSEC_GSS_KRB5I	390004
#define RPCSEC_GSS_KRB5P	390005

#endif /* !_RPC_AUTH_H */