1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 2009, Sun Microsystems, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are met:
9 * - Redistributions of source code must retain the above copyright notice,
10 *   this list of conditions and the following disclaimer.
11 * - Redistributions in binary form must reproduce the above copyright notice,
12 *   this list of conditions and the following disclaimer in the documentation
13 *   and/or other materials provided with the distribution.
14 * - Neither the name of Sun Microsystems, Inc. nor the names of its
15 *   contributors may be used to endorse or promote products derived
16 *   from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30/*
31 * auth_kerb.h, Protocol for Kerberos style authentication for RPC
32 *
33 * Copyright (C) 1986, Sun Microsystems, Inc.
34 */
35
36#ifndef	_RPC_AUTH_KERB_H
37#define	_RPC_AUTH_KERB_H
38
39#ifdef KERBEROS
40
41#include <kerberos/krb.h>
42#include <sys/socket.h>
43#include <sys/t_kuser.h>
44#include <netinet/in.h>
45#include <rpc/svc.h>
46
47/*
48 * There are two kinds of "names": fullnames and nicknames
49 */
50enum authkerb_namekind {
51	AKN_FULLNAME,
52	AKN_NICKNAME
53};
54/*
55 * A fullname contains the ticket and the window
56 */
57struct authkerb_fullname {
58	KTEXT_ST ticket;
59	u_long window;		/* associated window */
60};
61
62/*
63 *  cooked credential stored in rq_clntcred
64 */
65struct authkerb_clnt_cred {
66	/* start of AUTH_DAT */
67	unsigned char k_flags;	/* Flags from ticket */
68	char    pname[ANAME_SZ]; /* Principal's name */
69	char    pinst[INST_SZ];	/* His Instance */
70	char    prealm[REALM_SZ]; /* His Realm */
71	unsigned long checksum;	/* Data checksum (opt) */
72	C_Block session;	/* Session Key */
73	int	life;		/* Life of ticket */
74	unsigned long time_sec;	/* Time ticket issued */
75	unsigned long address;	/* Address in ticket */
76	/* KTEXT_ST reply;	Auth reply (opt) */
77	/* end of AUTH_DAT */
78	unsigned long expiry;	/* time the ticket is expiring */
79	u_long nickname;	/* Nickname into cache */
80	u_long window;		/* associated window */
81};
82
83typedef struct authkerb_clnt_cred authkerb_clnt_cred;
84
85/*
86 * A credential
87 */
88struct authkerb_cred {
89	enum authkerb_namekind akc_namekind;
90	struct authkerb_fullname akc_fullname;
91	u_long akc_nickname;
92};
93
94/*
95 * A kerb authentication verifier
96 */
97struct authkerb_verf {
98	union {
99		struct timeval akv_ctime;	/* clear time */
100		des_block akv_xtime;		/* crypt time */
101	} akv_time_u;
102	u_long akv_int_u;
103};
104
105/*
106 * des authentication verifier: client variety
107 *
108 * akv_timestamp is the current time.
109 * akv_winverf is the credential window + 1.
110 * Both are encrypted using the conversation key.
111 */
112#ifndef akv_timestamp
113#define	akv_timestamp	akv_time_u.akv_ctime
114#define	akv_xtimestamp	akv_time_u.akv_xtime
115#define	akv_winverf	akv_int_u
116#endif
117/*
118 * des authentication verifier: server variety
119 *
120 * akv_timeverf is the client's timestamp + client's window
121 * akv_nickname is the server's nickname for the client.
122 * akv_timeverf is encrypted using the conversation key.
123 */
124#ifndef akv_timeverf
125#define	akv_timeverf	akv_time_u.akv_ctime
126#define	akv_xtimeverf	akv_time_u.akv_xtime
127#define	akv_nickname	akv_int_u
128#endif
129
130/*
131 * Register the service name, instance and realm.
132 */
133extern int	authkerb_create(char *, char *, char *, u_int,
134			struct netbuf *, int *, dev_t, int, AUTH **);
135extern bool_t	xdr_authkerb_cred(XDR *, struct authkerb_cred *);
136extern bool_t	xdr_authkerb_verf(XDR *, struct authkerb_verf *);
137extern int	svc_kerb_reg(SVCXPRT *, char *, char *, char *);
138extern enum auth_stat _svcauth_kerb(struct svc_req *, struct rpc_msg *);
139
140#endif	/* KERBEROS */
141#endif	/* !_RPC_AUTH_KERB_H */
142