svc_auth.c revision 261046 
1/*	$NetBSD: svc_auth.c,v 1.12 2000/07/06 03:10:35 christos Exp $	*/
2
3/*-
4 * Copyright (c) 2009, Sun Microsystems, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are met:
9 * - Redistributions of source code must retain the above copyright notice,
10 *   this list of conditions and the following disclaimer.
11 * - Redistributions in binary form must reproduce the above copyright notice,
12 *   this list of conditions and the following disclaimer in the documentation
13 *   and/or other materials provided with the distribution.
14 * - Neither the name of Sun Microsystems, Inc. nor the names of its
15 *   contributors may be used to endorse or promote products derived
16 *   from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30/*
31 * Copyright (c) 1986-1991 by Sun Microsystems Inc.
32 */
33
34#if defined(LIBC_SCCS) && !defined(lint)
35#ident	"@(#)svc_auth.c	1.16	94/04/24 SMI"
36static char sccsid[] = "@(#)svc_auth.c 1.26 89/02/07 Copyr 1984 Sun Micro";
37#endif
38#include <sys/cdefs.h>
39__FBSDID("$FreeBSD: stable/10/lib/libc/rpc/svc_auth.c 261046 2014-01-22 23:45:27Z mav $");
40
41/*
42 * svc_auth.c, Server-side rpc authenticator interface.
43 *
44 */
45
46#include "namespace.h"
47#include "reentrant.h"
48#include <sys/types.h>
49#include <rpc/rpc.h>
50#include <stdlib.h>
51#include "un-namespace.h"
52#include "mt_misc.h"
53
54/*
55 * svcauthsw is the bdevsw of server side authentication.
56 *
57 * Server side authenticators are called from authenticate by
58 * using the client auth struct flavor field to index into svcauthsw.
59 * The server auth flavors must implement a routine that looks
60 * like:
61 *
62 *	enum auth_stat
63 *	flavorx_auth(rqst, msg)
64 *		struct svc_req *rqst;
65 *		struct rpc_msg *msg;
66 *
67 */
68
69/* declarations to allow servers to specify new authentication flavors */
70struct authsvc {
71	int	flavor;
72	enum	auth_stat (*handler)(struct svc_req *, struct rpc_msg *);
73	struct	authsvc	  *next;
74};
75static struct authsvc *Auths = NULL;
76
77struct svc_auth_ops svc_auth_null_ops;
78
79/*
80 * The call rpc message, msg has been obtained from the wire.  The msg contains
81 * the raw form of credentials and verifiers.  authenticate returns AUTH_OK
82 * if the msg is successfully authenticated.  If AUTH_OK then the routine also
83 * does the following things:
84 * set rqst->rq_xprt->verf to the appropriate response verifier;
85 * sets rqst->rq_client_cred to the "cooked" form of the credentials.
86 *
87 * NB: rqst->rq_cxprt->verf must be pre-alloctaed;
88 * its length is set appropriately.
89 *
90 * The caller still owns and is responsible for msg->u.cmb.cred and
91 * msg->u.cmb.verf.  The authentication system retains ownership of
92 * rqst->rq_client_cred, the cooked credentials.
93 *
94 * There is an assumption that any flavour less than AUTH_NULL is
95 * invalid.
96 */
97enum auth_stat
98_authenticate(rqst, msg)
99	struct svc_req *rqst;
100	struct rpc_msg *msg;
101{
102	int cred_flavor;
103	struct authsvc *asp;
104	enum auth_stat dummy;
105
106/* VARIABLES PROTECTED BY authsvc_lock: asp, Auths */
107
108	rqst->rq_cred = msg->rm_call.cb_cred;
109	SVC_AUTH(rqst->rq_xprt).svc_ah_ops = &svc_auth_null_ops;
110	SVC_AUTH(rqst->rq_xprt).svc_ah_private = NULL;
111	rqst->rq_xprt->xp_verf.oa_flavor = _null_auth.oa_flavor;
112	rqst->rq_xprt->xp_verf.oa_length = 0;
113	cred_flavor = rqst->rq_cred.oa_flavor;
114	switch (cred_flavor) {
115	case AUTH_NULL:
116		dummy = _svcauth_null(rqst, msg);
117		return (dummy);
118	case AUTH_SYS:
119		dummy = _svcauth_unix(rqst, msg);
120		return (dummy);
121	case AUTH_SHORT:
122		dummy = _svcauth_short(rqst, msg);
123		return (dummy);
124#ifdef DES_BUILTIN
125	case AUTH_DES:
126		dummy = _svcauth_des(rqst, msg);
127		return (dummy);
128#endif
129	default:
130		break;
131	}
132
133	/* flavor doesn't match any of the builtin types, so try new ones */
134	mutex_lock(&authsvc_lock);
135	for (asp = Auths; asp; asp = asp->next) {
136		if (asp->flavor == cred_flavor) {
137			enum auth_stat as;
138
139			as = (*asp->handler)(rqst, msg);
140			mutex_unlock(&authsvc_lock);
141			return (as);
142		}
143	}
144	mutex_unlock(&authsvc_lock);
145
146	return (AUTH_REJECTEDCRED);
147}
148
149/*
150 * A set of null auth methods used by any authentication protocols
151 * that don't need to inspect or modify the message body.
152 */
153static bool_t
154svcauth_null_wrap(auth, xdrs, xdr_func, xdr_ptr)
155	SVCAUTH *auth;
156	XDR *xdrs;
157	xdrproc_t xdr_func;
158	caddr_t xdr_ptr;
159{
160
161	return (xdr_func(xdrs, xdr_ptr));
162}
163
164struct svc_auth_ops svc_auth_null_ops = {
165	svcauth_null_wrap,
166	svcauth_null_wrap,
167};
168
169/*ARGSUSED*/
170enum auth_stat
171_svcauth_null(rqst, msg)
172	struct svc_req *rqst;
173	struct rpc_msg *msg;
174{
175	return (AUTH_OK);
176}
177
178/*
179 *  Allow the rpc service to register new authentication types that it is
180 *  prepared to handle.  When an authentication flavor is registered,
181 *  the flavor is checked against already registered values.  If not
182 *  registered, then a new Auths entry is added on the list.
183 *
184 *  There is no provision to delete a registration once registered.
185 *
186 *  This routine returns:
187 *	 0 if registration successful
188 *	 1 if flavor already registered
189 *	-1 if can't register (errno set)
190 */
191
192int
193svc_auth_reg(cred_flavor, handler)
194	int cred_flavor;
195	enum auth_stat (*handler)(struct svc_req *, struct rpc_msg *);
196{
197	struct authsvc *asp;
198
199	switch (cred_flavor) {
200	    case AUTH_NULL:
201	    case AUTH_SYS:
202	    case AUTH_SHORT:
203#ifdef DES_BUILTIN
204	    case AUTH_DES:
205#endif
206		/* already registered */
207		return (1);
208
209	    default:
210		mutex_lock(&authsvc_lock);
211		for (asp = Auths; asp; asp = asp->next) {
212			if (asp->flavor == cred_flavor) {
213				/* already registered */
214				mutex_unlock(&authsvc_lock);
215				return (1);
216			}
217		}
218
219		/* this is a new one, so go ahead and register it */
220		asp = mem_alloc(sizeof (*asp));
221		if (asp == NULL) {
222			mutex_unlock(&authsvc_lock);
223			return (-1);
224		}
225		asp->flavor = cred_flavor;
226		asp->handler = handler;
227		asp->next = Auths;
228		Auths = asp;
229		mutex_unlock(&authsvc_lock);
230		break;
231	}
232	return (0);
233}
234