
0001 /*  $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $   */
0002 
0003 /*
0004  * Copyright (c) 2009, Sun Microsystems, Inc.
0005  * All rights reserved.
0006  *
0007  * Redistribution and use in source and binary forms, with or without
0008  * modification, are permitted provided that the following conditions are met:
0009  * - Redistributions of source code must retain the above copyright notice,
0010  *   this list of conditions and the following disclaimer.
0011  * - Redistributions in binary form must reproduce the above copyright notice,
0012  *   this list of conditions and the following disclaimer in the documentation
0013  *   and/or other materials provided with the distribution.
0014  * - Neither the name of Sun Microsystems, Inc. nor the names of its
0015  *   contributors may be used to endorse or promote products derived
0016  *   from this software without specific prior written permission.
0017  *
0018  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
0019  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
0020  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
0021  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
0022  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
0023  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
0024  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
0025  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
0026  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
0027  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
0028  * POSSIBILITY OF SUCH DAMAGE.
0029  *
0030  *  from: @(#)auth.h 1.17 88/02/08 SMI
0031  *  from: @(#)auth.h    2.3 88/08/07 4.0 RPCSRC
0032  *  from: @(#)auth.h    1.43    98/02/02 SMI
0033  * $FreeBSD: src/include/rpc/auth.h,v 1.20 2003/01/01 18:48:42 schweikh Exp $
0034  */
0035 
0036 /*
0037  * auth.h, Authentication interface.
0038  *
0039  * Copyright (C) 1984, Sun Microsystems, Inc.
0040  *
0041  * The data structures are completely opaque to the client.  The client
0042  * is required to pass an AUTH * to routines that create rpc
0043  * "sessions".
0044  */
0045 
0046 #ifndef _TIRPC_AUTH_H
0047 #define  _TIRPC_AUTH_H
0048 
0049 #include <rpc/xdr.h>
0050 #include <rpc/clnt_stat.h>
0051 #include <sys/socket.h>
0052 #include <sys/types.h>
0053 
0054 
/*
 * Upper bound on opaque_auth.oa_length, i.e. on the body of a credential or
 * verifier.  Decoders should enforce this bound on data read from the wire
 * rather than trust the peer's length field.
 */
#define MAX_AUTH_BYTES  400
#define MAXNETNAMELEN   255 /* maximum length of network user's name
                               (presumably excluding the terminating NUL —
                               size netname buffers accordingly) */
0057 
/*
 *  Client side authentication/security data.
 *  Selects the security mode/RPC flavor a client uses; the flavor-specific
 *  payload hangs off the opaque data pointer.
 */

typedef struct sec_data {
    u_int   secmod;     /* security mode number e.g. in nfssec.conf */
    u_int   rpcflavor;  /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
    int flags;      /* AUTH_F_xxx flags */
    caddr_t data;       /* opaque data per flavor; its type depends on
                           rpcflavor (dh_k4_clntdata_t for AUTH_DES/AUTH_KERB,
                           see below) */
} sec_data_t;
0068 
#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width mirror of struct sec_data (presumably for a 32-bit
 * compatibility ABI): u_int/int/caddr_t become uint32_t/int32_t/caddr32_t.
 * Field order must stay in step with struct sec_data.
 */
struct sec_data32 {
    uint32_t secmod;    /* security mode number e.g. in nfssec.conf */
    uint32_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
    int32_t flags;      /* AUTH_F_xxx flags */
    caddr32_t data;     /* opaque data per flavor (32-bit pointer) */
};
#endif /* _SYSCALL32_IMPL */
0077 
/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 * syncaddr/knconf say where to synchronize time (the DES credential
 * window is time based); netname identifies the server being talked to.
 */
typedef struct des_clnt_data {
    struct netbuf   syncaddr;   /* time sync addr */
    struct knetconfig *knconf;  /* knetconfig info that associated */
                    /* with the syncaddr. */
    char        *netname;   /* server's netname */
    int     netnamelen; /* server's netname len (bytes at *netname) */
} dh_k4_clntdata_t;
0089 
#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width mirror of struct des_clnt_data (presumably for a 32-bit
 * compatibility ABI); pointers become caddr32_t.  Keep field order in
 * step with struct des_clnt_data.
 */
struct des_clnt_data32 {
    struct netbuf32 syncaddr;   /* time sync addr */
    caddr32_t knconf;       /* knetconfig info that associated */
                    /* with the syncaddr. */
    caddr32_t netname;      /* server's netname */
    int32_t netnamelen;     /* server's netname len */
};
#endif /* _SYSCALL32_IMPL */
0099 
/*
 * authentication/security specific flags (sec_data.flags)
 */
#define AUTH_F_RPCTIMESYNC  0x001   /* use RPC to do time sync */
/*
 * NOTE(review): AUTH_F_TRYNONE permits a silent downgrade to AUTH_NONE
 * (no authentication at all) when the selected flavor cannot be used.
 * Only set it where anonymous access is acceptable for the caller.
 */
#define AUTH_F_TRYNONE      0x002   /* allow fall back to AUTH_NONE */
0105 
0106 
/*
 * Status returned from authentication check.
 * NOTE(review): the explicit values are the ONC RPC auth_stat codes that
 * are reported to the peer when a call is rejected — keep the numbering
 * stable and never renumber or reuse a value.
 */
enum auth_stat {
    AUTH_OK=0,
    /*
     * failed at remote end
     */
    AUTH_BADCRED=1,         /* bogus credentials (seal broken) */
    AUTH_REJECTEDCRED=2,        /* client should begin new session */
    AUTH_BADVERF=3,         /* bogus verifier (seal broken) */
    AUTH_REJECTEDVERF=4,        /* verifier expired or was replayed */
    AUTH_TOOWEAK=5,         /* rejected due to security reasons */
    /*
     * failed locally
     */
    AUTH_INVALIDRESP=6,     /* bogus response verifier */
    AUTH_FAILED=7,          /* some unknown reason */
    /*
     * kerberos errors
     */
    AUTH_KERB_GENERIC = 8,      /* kerberos generic error */
    AUTH_TIMEEXPIRE = 9,        /* time of credential expired */
    AUTH_TKT_FILE = 10,     /* something wrong with ticket file */
    AUTH_DECODE = 11,       /* can't decode authenticator */
    AUTH_NET_ADDR = 12,     /* wrong net address in ticket */
    /*
     * RPCSEC_GSS errors
     */
    RPCSEC_GSS_CREDPROBLEM = 13,    /* credential problem */
    RPCSEC_GSS_CTXPROBLEM = 14  /* security context problem */

};
0140 
typedef u_int32_t u_int32;  /* 32-bit unsigned integers */

/*
 * One 64-bit DES block, viewable as two 32-bit halves or as eight bytes.
 * It carries DES keys as well as data (ah_key, conversation keys, the
 * keyserv routines below), so an instance that held key material should
 * be cleared before it is discarded — a plain memset() before free() may
 * be optimized away; use explicit_bzero()/memset_s() where available.
 */
union des_block {
    struct {
        u_int32_t high;
        u_int32_t low;
    } key;
    char c[8];
};
typedef union des_block des_block;
#ifdef __cplusplus
extern "C" {
#endif
/* XDR encode/decode routine for a des_block. */
extern bool_t xdr_des_block(XDR *, des_block *);
#ifdef __cplusplus
}
#endif
0158 
/*
 * Authentication info.  Opaque to client.
 * A credential or verifier as a flavor number (AUTH_NONE, AUTH_SYS, ...
 * defined at the end of this header) plus oa_length bytes of
 * flavor-specific data at oa_base.  Treat oa_base as raw bytes paired
 * with oa_length, never as a C string.
 */
struct opaque_auth {
    enum_t  oa_flavor;      /* flavor of auth */
    caddr_t oa_base;        /* address of more auth stuff */
    u_int   oa_length;      /* not to exceed MAX_AUTH_BYTES; when filled from
                               the wire, enforce that bound rather than
                               trusting the peer's length */
};
0167 
0168 
/*
 * Auth handle, interface to client side authenticators.
 * Each flavor installs its own auth_ops table; the AUTH_* macros below
 * dispatch through ah_ops.  (The tag __auth sits in the namespace the C
 * standard reserves for the implementation; it is kept for compatibility.)
 */
typedef struct __auth {
    struct  opaque_auth ah_cred;        /* credential (presumably sent with each call) */
    struct  opaque_auth ah_verf;        /* verifier (presumably sent with each call) */
    union   des_block   ah_key;         /* key material; presumably used by the DES-based flavors */
    struct auth_ops {
        /* advance to the next verifier */
        void    (*ah_nextverf) (struct __auth *);
        /* nextverf & serialize */
        int (*ah_marshal) (struct __auth *, XDR *);
        /* validate verifier (presumably the one carried in the reply);
         * the int result says whether the reply is trustworthy — act on it */
        int (*ah_validate) (struct __auth *,
                struct opaque_auth *);
        /* refresh credentials; the void * is the message, per AUTH_REFRESH(auth, msg) */
        int (*ah_refresh) (struct __auth *, void *);
        /* destroy this structure */
        void    (*ah_destroy) (struct __auth *);
        /* encode data for wire */
        int     (*ah_wrap) (struct __auth *, XDR *, xdrproc_t, caddr_t);
        /* decode data for wire */
        int     (*ah_unwrap) (struct __auth *, XDR *, xdrproc_t, caddr_t);

    } *ah_ops;
    void *ah_private;       /* flavor-private state, owned by the authenticator */
} AUTH;
0195 
/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 * The upper- and lower-case spellings are equivalent.
 *
 * AUTH *auth;
 * XDR  *xdrs;
 * struct opaque_auth verf;
 *
 * AUTH_MARSHALL, AUTH_VALIDATE, AUTH_REFRESH, AUTH_WRAP and AUTH_UNWRAP
 * evaluate to an int status.  Check it: discarding the AUTH_VALIDATE
 * result means a reply is accepted without its verifier being checked.
 */
#define AUTH_NEXTVERF(auth)     \
        ((*((auth)->ah_ops->ah_nextverf))(auth))
#define auth_nextverf(auth)     \
        ((*((auth)->ah_ops->ah_nextverf))(auth))

#define AUTH_MARSHALL(auth, xdrs)   \
        ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
#define auth_marshall(auth, xdrs)   \
        ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))

#define AUTH_VALIDATE(auth, verfp)  \
        ((*((auth)->ah_ops->ah_validate))((auth), verfp))
#define auth_validate(auth, verfp)  \
        ((*((auth)->ah_ops->ah_validate))((auth), verfp))

#define AUTH_REFRESH(auth, msg)     \
        ((*((auth)->ah_ops->ah_refresh))(auth, msg))
#define auth_refresh(auth, msg)     \
        ((*((auth)->ah_ops->ah_refresh))(auth, msg))

/*
 * NOTE(review): unlike the other accessors, AUTH_DESTROY/auth_destroy
 * expand with a trailing ';'.  Presumably kept because existing callers
 * may omit their own semicolon, but it makes
 * `if (x) AUTH_DESTROY(a); else ...` a syntax error.
 */
#define AUTH_DESTROY(auth)      \
        ((*((auth)->ah_ops->ah_destroy))(auth));
#define auth_destroy(auth)      \
        ((*((auth)->ah_ops->ah_destroy))(auth));

#define AUTH_WRAP(auth, xdrs, xfunc, xwhere)            \
        ((*((auth)->ah_ops->ah_wrap))(auth, xdrs, \
        xfunc, xwhere))
#define auth_wrap(auth, xdrs, xfunc, xwhere)            \
        ((*((auth)->ah_ops->ah_wrap))(auth, xdrs, \
        xfunc, xwhere))

#define AUTH_UNWRAP(auth, xdrs, xfunc, xwhere)          \
        ((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, \
        xfunc, xwhere))
#define auth_unwrap(auth, xdrs, xfunc, xwhere)          \
        ((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, \
        xfunc, xwhere))
0242 
0243 
#ifdef __cplusplus
extern "C" {
#endif
/* The empty credential/verifier (presumably AUTH_NONE with a zero-length body). */
extern struct opaque_auth _null_auth;
#ifdef __cplusplus
}
#endif

/*
 * Any style authentication.  These routines can be used by any
 * authentication style that does not use the wrap/unwrap functions
 * (presumably flavors that add no per-message protection of the data).
 */
int authany_wrap(void), authany_unwrap(void);
0257 
/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
 *  char *machname;
 *  int uid;
 *  int gid;
 *  int len;
 *  int *aup_gids;
 * (The prototype below types uid, gid and aup_gids as uid_t — note gid is
 * not gid_t; len is presumably the number of entries in aup_gids.)
 *
 * NOTE(review): AUTH_SYS/AUTH_UNIX credentials are whatever the client
 * asserts; nothing in the flavor lets the server verify machname, uid or
 * the gids.  A server must not treat them as an authenticated identity
 * without some independent trust in the transport or peer.
 */
#ifdef __cplusplus
extern "C" {
#endif
extern AUTH *authunix_create(char *, uid_t, uid_t, int, uid_t *);
extern AUTH *authunix_create_default(void); /* takes no parameters; presumably uses the calling process's identity */
extern AUTH *authnone_create(void);     /* takes no parameters; AUTH_NONE, no credentials at all */
#ifdef __cplusplus
}
#endif
/*
 * DES style authentication
 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
 *  const char *servername; - network name of server
 *  const u_int window;     - time to live
 *  const char *timehost;           - optional hostname to sync with
 *  const des_block *ckey;  - optional conversation key to use
 *
 * authdes_create and authdes_pk_create are the older forms: the time host
 * is given as a struct sockaddr * instead of a hostname, and
 * authdes_pk_create also takes a netobj * (presumably the server's public
 * key, avoiding a name-service lookup).
 *
 * NOTE(review): these flavors are built on single DES (see union
 * des_block) and are legacy; they should not be relied upon for
 * confidentiality or integrity against a current adversary — prefer
 * RPCSEC_GSS where available.
 */
#ifdef __cplusplus
extern "C" {
#endif
extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
extern AUTH *authdes_pk_create (char *, netobj *, u_int,
                struct sockaddr *, des_block *);
extern AUTH *authdes_seccreate (const char *, const u_int, const  char *,
    const  des_block *);
#ifdef __cplusplus
}
#endif
0299 
#ifdef __cplusplus
extern "C" {
#endif
/*
 * XDR encode/decode a struct opaque_auth.  NOTE(review): presumably the
 * point at which an incoming oa_length is checked against MAX_AUTH_BYTES;
 * confirm against the implementation before relying on that bound.
 */
extern bool_t xdr_opaque_auth       (XDR *, struct opaque_auth *);
#ifdef __cplusplus
}
#endif

/* AUTH_SYS is the newer name for AUTH_UNIX; map the new names onto the old entry points. */
#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
#define authsys_create_default() authunix_create_default()
0310 
/*
 * Netname manipulation routines.
 * None of the output buffers carries a length argument (netname2host's
 * trailing int is presumably the host buffer length), so callers must size
 * them from this header: netname buffers presumably need MAXNETNAMELEN + 1
 * bytes, and the gid list handed to netname2user must have room for the
 * maximum group count — confirm the exact requirements against the
 * implementation.  Argument order is not documented here; check before use.
 */
#ifdef __cplusplus
extern "C" {
#endif
extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
extern int netname2host(char *, char *, const int);
/*
 * passwd2des: derives a DES key from a password (legacy).  Both the
 * password and the resulting key are secrets; clear them when done.
 */
extern void passwd2des ( char *, char * );
#ifdef __cplusplus
}
#endif
0326 
/*
 *
 * These routines interface to the keyserv daemon
 *
 * They move key material: the des_block produced by key_gendes and
 * key_decryptsession, and the argument to key_setsecret, are secrets and
 * should be cleared once no longer needed.  The const char * arguments to
 * key_decryptsession/key_encryptsession are presumably the peer's netname
 * and key_setsecret's is the caller's secret key — confirm against the
 * implementation.
 */
#ifdef __cplusplus
extern "C" {
#endif
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);
#ifdef __cplusplus
}
#endif
0343 
/*
 * Publickey routines.
 * The output buffers take no length; their required size is not given in
 * this header, so size them per the implementation.  getsecretkey returns
 * the caller's *secret* key, and its third argument is presumably the
 * passphrase used to unlock it — treat both as sensitive and clear them
 * when done.
 */
#ifdef __cplusplus
extern "C" {
#endif
extern int getpublickey (const char *, char *);
extern int getpublicandprivatekey (char *, char *);
extern int getsecretkey (char *, char *, char *);
#ifdef __cplusplus
}
#endif
0356 
#ifdef __cplusplus
extern "C" {
#endif
struct svc_req;
struct rpc_msg;
/*
 * Server-side credential checkers, one per flavor.  Each examines the
 * credentials/verifier of the incoming rpc_msg and returns an auth_stat;
 * anything other than AUTH_OK should lead to the call being rejected, not
 * dispatched.  The extra bool_t * on _svcauth_gss is presumably an
 * out-flag saying the message was consumed by the flavor itself (e.g. a
 * context-establishment exchange) — confirm against the implementation.
 */
enum auth_stat _svcauth_none (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_gss (struct svc_req *, struct rpc_msg *, bool_t *);
#ifdef __cplusplus
}
#endif
0369 
/*
 * Authentication flavor numbers (presumably the values carried in
 * opaque_auth.oa_flavor, so they are protocol constants — do not
 * renumber).  No flavor 5 is defined in this header.
 *
 * NOTE(review): AUTH_NONE carries no identity; AUTH_SYS/AUTH_UNIX and
 * AUTH_SHORT carry client-asserted, unverified uid/gids; AUTH_DH/AUTH_DES
 * and AUTH_KERB are DES-based legacy flavors.  RPCSEC_GSS is the only
 * flavor listed here that provides cryptographic authentication with
 * per-message integrity/privacy.
 */
#define AUTH_NONE   0       /* no authentication */
#define AUTH_NULL   0       /* backward compatibility */
#define AUTH_SYS    1       /* unix style (uid, gids) */
#define AUTH_UNIX   AUTH_SYS
#define AUTH_SHORT  2       /* short hand unix style */
#define AUTH_DH     3       /* for Diffie-Hellman mechanism */
#define AUTH_DES    AUTH_DH     /* for backward compatibility */
#define AUTH_KERB   4       /* kerberos style */
#define RPCSEC_GSS  6       /* RPCSEC_GSS */
0379 
0380 #endif /* !_TIRPC_AUTH_H */