/include/rpc/auth.h

  1/*	$NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $	*/
  2
  3/*
  4 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
  5 * unrestricted use provided that this legend is included on all tape
  6 * media and as a part of the software program in whole or part.  Users
  7 * may copy or modify Sun RPC without charge, but are not authorized
  8 * to license or distribute it to anyone else except as part of a product or
  9 * program developed by the user.
 10 *
 11 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
 12 * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 13 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
 14 *
 15 * Sun RPC is provided with no support and without any obligation on the
 16 * part of Sun Microsystems, Inc. to assist in its use, correction,
 17 * modification or enhancement.
 18 *
 19 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
 20 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
 21 * OR ANY PART THEREOF.
 22 *
 23 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
 24 * or profits or other special, indirect and consequential damages, even if
 25 * Sun has been advised of the possibility of such damages.
 26 *
 27 * Sun Microsystems, Inc.
 28 * 2550 Garcia Avenue
 29 * Mountain View, California  94043
 30 *
 31 *	from: @(#)auth.h 1.17 88/02/08 SMI
 32 *	from: @(#)auth.h	2.3 88/08/07 4.0 RPCSRC
 33 *	from: @(#)auth.h	1.43 	98/02/02 SMI
 34 * $FreeBSD$
 35 */
 36
 37/*
 38 * auth.h, Authentication interface.
 39 *
 40 * Copyright (C) 1984, Sun Microsystems, Inc.
 41 *
 42 * The data structures are completely opaque to the client.  The client
 43 * is required to pass an AUTH * to routines that create rpc
 44 * "sessions".
 45 */
 46
 47#ifndef _RPC_AUTH_H
 48#define _RPC_AUTH_H
 49#include <rpc/xdr.h>
 50#include <rpc/clnt_stat.h>
 51#include <sys/cdefs.h>
 52#include <sys/socket.h>
 53
 54#define MAX_AUTH_BYTES	400
 55#define MAXNETNAMELEN	255	/* maximum length of network user's name */
 56
 57/*
 58 *  Client side authentication/security data
 59 */
 60
 61typedef struct sec_data {
 62	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
 63	u_int	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
 64	int	flags;		/* AUTH_F_xxx flags */
 65	caddr_t data;		/* opaque data per flavor */
 66} sec_data_t;
 67
 68#ifdef _SYSCALL32_IMPL
 69struct sec_data32 {
 70	uint32_t secmod;	/* security mode number e.g. in nfssec.conf */
 71	uint32_t rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
 72	int32_t flags;		/* AUTH_F_xxx flags */
 73	caddr32_t data;		/* opaque data per flavor */
 74};
 75#endif /* _SYSCALL32_IMPL */
 76
 77/*
 78 * AUTH_DES flavor specific data from sec_data opaque data field.
 79 * AUTH_KERB has the same structure.
 80 */
 81typedef struct des_clnt_data {
 82	struct netbuf	syncaddr;	/* time sync addr */
 83	struct knetconfig *knconf;	/* knetconfig info that associated */
 84					/* with the syncaddr. */
 85	char		*netname;	/* server's netname */
 86	int		netnamelen;	/* server's netname len */
 87} dh_k4_clntdata_t;
 88
 89#ifdef _SYSCALL32_IMPL
 90struct des_clnt_data32 {
 91	struct netbuf32 syncaddr;	/* time sync addr */
 92	caddr32_t knconf;		/* knetconfig info that associated */
 93					/* with the syncaddr. */
 94	caddr32_t netname;		/* server's netname */
 95	int32_t netnamelen;		/* server's netname len */
 96};
 97#endif /* _SYSCALL32_IMPL */
 98
 99#ifdef KERBEROS
100/*
101 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
102 * in sec_data->data opaque field.
103 */
104typedef struct krb4_svc_data {
105	int		window;		/* window option value */
106} krb4_svcdata_t;
107 
108typedef struct krb4_svc_data	des_svcdata_t;
109#endif /* KERBEROS */
110
111/*
112 * authentication/security specific flags
113 */
114#define AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
115#define AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */
116
117
118/*
119 * Status returned from authentication check
120 */
121enum auth_stat {
122	AUTH_OK=0,
123	/*
124	 * failed at remote end
125	 */
126	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
127	AUTH_REJECTEDCRED=2,		/* client should begin new session */
128	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
129	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
130	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
131	/*
132	 * failed locally
133	*/
134	AUTH_INVALIDRESP=6,		/* bogus response verifier */
135	AUTH_FAILED=7,			/* some unknown reason */
136#ifdef KERBEROS
137	/*
138	 * kerberos errors
139	 */
140	,
141	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
142	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
143	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
144	AUTH_DECODE = 11,			/* can't decode authenticator */
145	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
146#endif /* KERBEROS */
147	/*
148	 * RPCSEC_GSS errors
149	 */
150	RPCSEC_GSS_CREDPROBLEM = 13,
151	RPCSEC_GSS_CTXPROBLEM = 14,
152	RPCSEC_GSS_NODISPATCH = 0x8000000
153};
154
155union des_block {
156	struct {
157		uint32_t high;
158		uint32_t low;
159	} key;
160	char c[8];
161};
162typedef union des_block des_block;
163__BEGIN_DECLS
164extern bool_t xdr_des_block(XDR *, des_block *);
165__END_DECLS
166
167/*
168 * Authentication info.  Opaque to client.
169 */
170struct opaque_auth {
171	enum_t	oa_flavor;		/* flavor of auth */
172	caddr_t	oa_base;		/* address of more auth stuff */
173	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
174};
175
176
177/*
178 * Auth handle, interface to client side authenticators.
179 */
180typedef struct __auth {
181	struct	opaque_auth	ah_cred;
182	struct	opaque_auth	ah_verf;
183	union	des_block	ah_key;
184	struct auth_ops {
185		void	(*ah_nextverf) (struct __auth *);
186		/* nextverf & serialize */
187		int	(*ah_marshal) (struct __auth *, XDR *);
188		/* validate verifier */
189		int	(*ah_validate) (struct __auth *,
190			    struct opaque_auth *);
191		/* refresh credentials */
192		int	(*ah_refresh) (struct __auth *, void *);
193		/* destroy this structure */
194		void	(*ah_destroy) (struct __auth *);
195	} *ah_ops;
196	void *ah_private;
197} AUTH;
198
199
200/*
201 * Authentication ops.
202 * The ops and the auth handle provide the interface to the authenticators.
203 *
204 * AUTH	*auth;
205 * XDR	*xdrs;
206 * struct opaque_auth verf;
207 */
208#define AUTH_NEXTVERF(auth)		\
209		((*((auth)->ah_ops->ah_nextverf))(auth))
210#define auth_nextverf(auth)		\
211		((*((auth)->ah_ops->ah_nextverf))(auth))
212
213#define AUTH_MARSHALL(auth, xdrs)	\
214		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
215#define auth_marshall(auth, xdrs)	\
216		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
217
218#define AUTH_VALIDATE(auth, verfp)	\
219		((*((auth)->ah_ops->ah_validate))((auth), verfp))
220#define auth_validate(auth, verfp)	\
221		((*((auth)->ah_ops->ah_validate))((auth), verfp))
222
223#define AUTH_REFRESH(auth, msg)		\
224		((*((auth)->ah_ops->ah_refresh))(auth, msg))
225#define auth_refresh(auth, msg)		\
226		((*((auth)->ah_ops->ah_refresh))(auth, msg))
227
228#define AUTH_DESTROY(auth)		\
229		((*((auth)->ah_ops->ah_destroy))(auth))
230#define auth_destroy(auth)		\
231		((*((auth)->ah_ops->ah_destroy))(auth))
232
233
234__BEGIN_DECLS
235extern struct opaque_auth _null_auth;
236__END_DECLS
237
238/*
239 * These are the various implementations of client side authenticators.
240 */
241
242/*
243 * System style authentication
244 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
245 *	char *machname;
246 *	u_int uid;
247 *	u_int gid;
248 *	int len;
249 *	u_int *aup_gids;
250 */
251__BEGIN_DECLS
252extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *);
253extern AUTH *authunix_create_default(void);	/* takes no parameters */
254extern AUTH *authnone_create(void);		/* takes no parameters */
255__END_DECLS
256/*
257 * DES style authentication
258 * AUTH *authsecdes_create(servername, window, timehost, ckey)
259 * 	char *servername;		- network name of server
260 *	u_int window;			- time to live
261 * 	const char *timehost;			- optional hostname to sync with
262 * 	des_block *ckey;		- optional conversation key to use
263 */
264__BEGIN_DECLS
265extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
266extern AUTH *authdes_seccreate (const char *, const u_int, const  char *,
267    const  des_block *);
268__END_DECLS
269
270__BEGIN_DECLS
271extern bool_t xdr_opaque_auth		(XDR *, struct opaque_auth *);
272__END_DECLS
273
274#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
275#define authsys_create_default() authunix_create_default()
276
277/*
278 * Netname manipulation routines.
279 */
280__BEGIN_DECLS
281extern int getnetname(char *);
282extern int host2netname(char *, const char *, const char *);
283extern int user2netname(char *, const uid_t, const char *);
284extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
285extern int netname2host(char *, char *, const int);
286extern void passwd2des ( char *, char * );
287__END_DECLS
288
289/*
290 *
291 * These routines interface to the keyserv daemon
292 *
293 */
294__BEGIN_DECLS
295extern int key_decryptsession(const char *, des_block *);
296extern int key_encryptsession(const char *, des_block *);
297extern int key_gendes(des_block *);
298extern int key_setsecret(const char *);
299extern int key_secretkey_is_set(void);
300__END_DECLS
301
302/*
303 * Publickey routines.
304 */
305__BEGIN_DECLS
306extern int getpublickey (const char *, char *);
307extern int getpublicandprivatekey (const char *, char *);
308extern int getsecretkey (char *, char *, char *);
309__END_DECLS
310
311#ifdef KERBEROS
312/*
313 * Kerberos style authentication
314 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
315 *	const char *service;			- service name
316 *	const char *srv_inst;			- server instance
317 *	const char *realm;			- server realm
318 *	const u_int window;			- time to live
319 *	const char *timehost;			- optional hostname to sync with
320 *	int *status;				- kerberos status returned
321 */
322__BEGIN_DECLS
323extern AUTH	*authkerb_seccreate(const char *, const char *, const  char *,
324		    const u_int, const char *, int *);
325__END_DECLS
326
327/*
328 * Map a kerberos credential into a unix cred.
329 *
330 *	authkerb_getucred(rqst, uid, gid, grouplen, groups)
331 *	const struct svc_req *rqst;		- request pointer
332 *	uid_t *uid;
333 *	gid_t *gid;
334 *	short *grouplen;
335 *	int *groups;
336 *
337 */
338__BEGIN_DECLS
339extern int	authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
340		    short *, int * */);
341__END_DECLS
342#endif /* KERBEROS */
343
344__BEGIN_DECLS
345struct svc_req;
346struct rpc_msg;
347enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
348enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
349enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
350__END_DECLS
351
352#define AUTH_NONE	0		/* no authentication */
353#define	AUTH_NULL	0		/* backward compatibility */
354#define	AUTH_SYS	1		/* unix style (uid, gids) */
355#define AUTH_UNIX	AUTH_SYS
356#define	AUTH_SHORT	2		/* short hand unix style */
357#define AUTH_DH		3		/* for Diffie-Hellman mechanism */
358#define AUTH_DES	AUTH_DH		/* for backward compatibility */
359#define AUTH_KERB	4		/* kerberos style */
360#define RPCSEC_GSS	6		/* RPCSEC_GSS */
361
362/*
363 * Pseudo auth flavors for RPCSEC_GSS.
364 */
365#define	RPCSEC_GSS_KRB5		390003
366#define	RPCSEC_GSS_KRB5I	390004
367#define	RPCSEC_GSS_KRB5P	390005
368
369#endif /* !_RPC_AUTH_H */