174462Salfred/* $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $ */ 274462Salfred 3261057Smav/*- 4261057Smav * Copyright (c) 2009, Sun Microsystems, Inc. 5261057Smav * All rights reserved. 68858Srgrimes * 7261057Smav * Redistribution and use in source and binary forms, with or without 8261057Smav * modification, are permitted provided that the following conditions are met: 9261057Smav * - Redistributions of source code must retain the above copyright notice, 10261057Smav * this list of conditions and the following disclaimer. 11261057Smav * - Redistributions in binary form must reproduce the above copyright notice, 12261057Smav * this list of conditions and the following disclaimer in the documentation 13261057Smav * and/or other materials provided with the distribution. 14261057Smav * - Neither the name of Sun Microsystems, Inc. nor the names of its 15261057Smav * contributors may be used to endorse or promote products derived 16261057Smav * from this software without specific prior written permission. 178858Srgrimes * 18261057Smav * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19261057Smav * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20261057Smav * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21261057Smav * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22261057Smav * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23261057Smav * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24261057Smav * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25261057Smav * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26261057Smav * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27261057Smav * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28261057Smav * POSSIBILITY OF SUCH DAMAGE. 
 *
 * from: @(#)auth.h 1.17 88/02/08 SMI
 * from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC
 * from: @(#)auth.h 1.43 98/02/02 SMI
 * $FreeBSD$
 */

/*
 * auth.h, Authentication interface.
 *
 * Copyright (C) 1984, Sun Microsystems, Inc.
 *
 * The data structures are completely opaque to the client. The client
 * is required to pass an AUTH * to routines that create rpc
 * "sessions".
 */

#ifndef _RPC_AUTH_H
#define _RPC_AUTH_H
#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cdefs.h>
#include <sys/socket.h>

/*
 * Upper bound on the body of a credential or verifier carried in an
 * opaque_auth (see oa_length below). An opaque_auth decoded from the wire
 * that claims more than this must be rejected before its bytes are used.
 */
#define MAX_AUTH_BYTES 400
/*
 * Longest netname handled by the netname routines below. Those routines take
 * unsized char buffers; callers presumably need MAXNETNAMELEN + 1 bytes for
 * the terminator -- confirm against the implementation.
 */
#define MAXNETNAMELEN 255 /* maximum length of network user's name */

/*
 * Client side authentication/security data
 *
 * Selects the security flavor a client will use and carries the
 * flavor-specific configuration behind an untyped pointer: how `data` is
 * interpreted depends on `rpcflavor` (e.g. des_clnt_data for AUTH_DES,
 * see below).
 */

typedef struct sec_data {
	u_int secmod; /* security mode number e.g. in nfssec.conf */
	u_int rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int flags; /* AUTH_F_xxx flags */
	caddr_t data; /* opaque data per flavor */
} sec_data_t;

#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width mirror of sec_data (presumably for 32-bit callers of a
 * 64-bit kernel); fields correspond one-to-one with sec_data, with the
 * native pointer replaced by a 32-bit address.
 */
struct sec_data32 {
	uint32_t secmod; /* security mode number e.g. in nfssec.conf */
	uint32_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int32_t flags; /* AUTH_F_xxx flags */
	caddr32_t data; /* opaque data per flavor */
};
#endif /* _SYSCALL32_IMPL */

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 *
 * syncaddr/knconf identify the host used for time synchronisation (see
 * AUTH_F_RPCTIMESYNC and the timehost arguments of the authdes/authkerb
 * creators); netname is the server's netname and netnamelen its length.
 * Whether netname is additionally NUL-terminated is not stated here --
 * treat netnamelen as authoritative.
 */
typedef struct des_clnt_data {
	struct netbuf syncaddr; /* time sync addr */
	struct knetconfig *knconf; /* knetconfig info associated with the syncaddr */
	char *netname; /* server's netname */
	int netnamelen; /* server's netname len */
} dh_k4_clntdata_t;

#ifdef _SYSCALL32_IMPL
/*
 * Fixed-width mirror of des_clnt_data; same fields, pointers replaced by
 * 32-bit addresses.
 */
struct des_clnt_data32 {
	struct netbuf32 syncaddr; /* time sync addr */
	caddr32_t knconf; /* knetconfig info associated with the syncaddr */
	caddr32_t netname; /* server's netname */
	int32_t netnamelen; /* server's netname len */
};
#endif /* _SYSCALL32_IMPL */

#ifdef KERBEROS
/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
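 */
typedef struct krb4_svc_data {
	int window; /* window option value */
} krb4_svcdata_t;

/* AUTH_DES shares the server-side data layout of AUTH_KERB(v4). */
typedef struct krb4_svc_data des_svcdata_t;
#endif /* KERBEROS */

/*
 * authentication/security specific flags (sec_data.flags)
 */
#define AUTH_F_RPCTIMESYNC 0x001 /* use RPC to do time sync */
/*
 * AUTH_F_TRYNONE permits a downgrade to unauthenticated RPC when the
 * configured flavor cannot be set up. Set it only where the caller really
 * accepts AUTH_NONE, since the server then sees no identity at all.
 */
#define AUTH_F_TRYNONE 0x002 /* allow fall back to AUTH_NONE */


/*
 * Status returned from authentication check
 *
 * Enumerators are grouped by where the failure is detected (see the inline
 * comments). The numeric values are presumably wire-visible -- they are
 * what the remote end reports back -- so keep the numbering stable.
 *
 * Fix: the enumerator list previously contained a bare ',' at the start of
 * the KERBEROS section, which together with the comma after AUTH_FAILED
 * produced "7, , AUTH_KERB_GENERIC" and made the enum a syntax error
 * whenever KERBEROS was defined. The non-KERBEROS build is unchanged.
 */
enum auth_stat {
	AUTH_OK=0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED=1, /* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED=2, /* client should begin new session */
	AUTH_BADVERF=3, /* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF=4, /* verifier expired or was replayed */
	AUTH_TOOWEAK=5, /* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP=6, /* bogus response verifier */
	AUTH_FAILED=7, /* some unknown reason */
#ifdef KERBEROS
	/*
	 * kerberos errors
	 */
	AUTH_KERB_GENERIC = 8, /* kerberos generic error */
	AUTH_TIMEEXPIRE = 9, /* time of credential expired */
	AUTH_TKT_FILE = 10, /* something wrong with ticket file */
	AUTH_DECODE = 11, /* can't decode authenticator */
	AUTH_NET_ADDR = 12, /* wrong net address in ticket */
#endif /* KERBEROS */
	/*
	 * RPCSEC_GSS errors
	 */
	RPCSEC_GSS_CREDPROBLEM = 13,
	RPCSEC_GSS_CTXPROBLEM = 14,
	/*
	 * NOTE(review): the out-of-range value suggests this is not an error
	 * reported to the peer but an internal signal to the dispatcher --
	 * confirm against the RPCSEC_GSS server code.
	 */
	RPCSEC_GSS_NODISPATCH = 0x8000000
};

/*
 * One 8-byte DES block, addressable either as the two 32-bit halves of a
 * key (high/low) or as raw bytes. Used for the conversation keys passed to
 * the DES authenticators and for the keyserv interface below.
 */
union des_block {
	struct {
		uint32_t high;
		uint32_t low;
	} key;
	char c[8];
};
typedef union des_block des_block;
__BEGIN_DECLS
/* XDR encode/decode of a des_block. */
extern bool_t xdr_des_block(XDR *, des_block *);
__END_DECLS

/*
 * Authentication info. Opaque to client.
 *
 * One credential or verifier as carried in an RPC message: the flavor
 * number (AUTH_NONE, AUTH_SYS, ... at the end of this header) plus a
 * pointer to oa_length bytes of flavor-specific body. oa_length is bounded
 * by MAX_AUTH_BYTES; a value decoded from the wire must be checked against
 * that bound before oa_base is read or copied.
 */
struct opaque_auth {
	enum_t oa_flavor; /* flavor of auth */
	caddr_t oa_base; /* address of more auth stuff */
	u_int oa_length; /* not to exceed MAX_AUTH_BYTES */
};


/*
 * Auth handle, interface to client side authenticators.
 *
 * ah_cred/ah_verf are the credential and verifier the client sends, ah_key
 * is a DES block (presumably the conversation key of the DES/Kerberos
 * flavors -- unused by the others), ah_ops is the per-flavor operation
 * table driven by the AUTH_* macros below and ah_private is state owned by
 * that table's implementation.
 *
 * NOTE(review): the tag name __auth lies in the identifier space the C
 * standard reserves for the implementation; it is kept because it is part
 * of the installed API.
 */
typedef struct __auth {
	struct opaque_auth ah_cred;
	struct opaque_auth ah_verf;
	union des_block ah_key;
	struct auth_ops {
		/* advance the handle to its next verifier (AUTH_NEXTVERF) */
		void (*ah_nextverf) (struct __auth *);
		/* nextverf & serialize: write the handle into the XDR stream (AUTH_MARSHALL) */
		int (*ah_marshal) (struct __auth *, XDR *);
		/* validate verifier: check a verifier received from the server (AUTH_VALIDATE) */
		int (*ah_validate) (struct __auth *,
		    struct opaque_auth *);
		/*
		 * refresh credentials (AUTH_REFRESH); the void * is the `msg`
		 * argument of that macro -- presumably a struct rpc_msg, confirm.
		 */
		int (*ah_refresh) (struct __auth *, void *);
		/* destroy this structure (AUTH_DESTROY) */
		void (*ah_destroy) (struct __auth *);
	} *ah_ops;
	void *ah_private;
} AUTH;


/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.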
 *
 * AUTH *auth;
 * XDR *xdrs;
 * struct opaque_auth verf;
 *
 * Each operation has an upper-case and a lower-case spelling that expand
 * identically. All of them dispatch through auth->ah_ops, so `auth` must be
 * a live handle returned by one of the auth*_create routines below; none of
 * the macros checks for a NULL handle or a NULL operation table.
 */
/* Advance the handle to its next verifier. */
#define AUTH_NEXTVERF(auth) \
	((*((auth)->ah_ops->ah_nextverf))(auth))
#define auth_nextverf(auth) \
	((*((auth)->ah_ops->ah_nextverf))(auth))

/* Serialize the handle's credential/verifier into the XDR stream xdrs. */
#define AUTH_MARSHALL(auth, xdrs) \
	((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
#define auth_marshall(auth, xdrs) \
	((*((auth)->ah_ops->ah_marshal))(auth, xdrs))

/*
 * Validate a verifier received from the server (verfp is a
 * struct opaque_auth *). Callers must not treat a reply as authentic
 * without checking the result.
 */
#define AUTH_VALIDATE(auth, verfp) \
	((*((auth)->ah_ops->ah_validate))((auth), verfp))
#define auth_validate(auth, verfp) \
	((*((auth)->ah_ops->ah_validate))((auth), verfp))

/* Refresh the credentials after a rejection; msg is passed through as void *. */
#define AUTH_REFRESH(auth, msg) \
	((*((auth)->ah_ops->ah_refresh))(auth, msg))
#define auth_refresh(auth, msg) \
	((*((auth)->ah_ops->ah_refresh))(auth, msg))

/* Release the handle; it must not be used afterwards. */
#define AUTH_DESTROY(auth) \
	((*((auth)->ah_ops->ah_destroy))(auth))
#define auth_destroy(auth) \
	((*((auth)->ah_ops->ah_destroy))(auth))


__BEGIN_DECLS
/*
 * Shared "no authentication" opaque_auth. NOTE(review): presumably an
 * AUTH_NONE credential with an empty body -- confirm against its definition.
 */
extern struct opaque_auth _null_auth;
__END_DECLS

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
 * char *machname;
 * u_int uid;
 * u_int gid;
 * int len;
 * u_int *aup_gids;
 *
 * The uid, gid and the len-entry group list are whatever the caller passes
 * in; nothing in this interface ties them to the caller's real identity,
 * so an AUTH_SYS credential is only as trustworthy as the client host.
 */
__BEGIN_DECLS
extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *);
/* Same flavor, credentials presumably taken from the calling process -- confirm. */
extern AUTH *authunix_create_default(void); /* takes no parameters */
/* AUTH_NONE handle. */
extern AUTH *authnone_create(void); /* takes no parameters */
__END_DECLS
/*
 * DES style authentication
 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
 * char *servername; - network name of server
 * u_int window; - time to live
 * const char *timehost; - optional hostname to sync with
 * des_block *ckey; - optional conversation key to use
 *
 * authdes_create is the older spelling that takes the time host as a
 * struct sockaddr * instead of a hostname. Both produce AUTH_DES/AUTH_DH
 * credentials, which rest on DES; the RPCSEC_GSS flavors declared at the
 * end of this header are the stronger alternative.
 */
__BEGIN_DECLS
extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *);
extern AUTH *authdes_seccreate (const char *, const u_int, const char *,
	const des_block *);
__END_DECLS

__BEGIN_DECLS
/* XDR encode/decode of an opaque_auth (flavor, length and body). */
extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *);
__END_DECLS

/* AUTH_SYS is the current name for AUTH_UNIX; these map the new names onto the old routines. */
#define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip))
#define authsys_create_default() authunix_create_default()

/*
 * Netname manipulation routines.
 *
 * Every routine here writes into a caller-supplied char buffer whose size
 * is not passed. The expected size is presumably MAXNETNAMELEN + 1 (see the
 * top of this header) -- confirm against the implementation before sizing.
 */
__BEGIN_DECLS
/* netname of the calling user, written into the buffer */
extern int getnetname(char *);
/* netname for (host, domain), written into the first argument */
extern int host2netname(char *, const char *, const char *);
/* netname for (uid, domain), written into the first argument */
extern int user2netname(char *, const uid_t, const char *);
/* map a netname to uid, gid and a gid list; the int * receives the list length */
extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
/* map a netname to a host name of at most the given length */
extern int netname2host(char *, char *, const int);
/* NOTE(review): by its name this derives a DES key from a password -- confirm */
extern void passwd2des ( char *, char * );
__END_DECLS

/*
 *
 * These routines interface to the keyserv daemon
 *
 * The des_block arguments are conversation keys handled on the caller's
 * behalf by keyserv; the const char * is a netname.
 */
__BEGIN_DECLS
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
/* obtain a fresh DES key from keyserv */
extern int key_gendes(des_block *);
/* hand the caller's secret key to keyserv */
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);
__END_DECLS

/*
 * Publickey routines.
 *
 * Look up keys by netname. The key arguments are unsized char buffers; the
 * size these routines require is not visible from this header -- confirm
 * against the implementation before sizing them.
 */
__BEGIN_DECLS
extern int getpublickey (const char *, char *);
extern int getpublicandprivatekey (const char *, char *);
/* NOTE(review): presumably (netname, passphrase, out-buffer) -- confirm order */
extern int getsecretkey (char *, char *, char *);
__END_DECLS

#ifdef KERBEROS
/*
 * Kerberos style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 * const char *service; - service name
 * const char *srv_inst; - server instance
 * const char *realm; - server realm
 * const u_int window; - time to live
 * const char *timehost; - optional hostname to sync with
 * int *status; - kerberos status returned
 *
 * Only compiled when KERBEROS is defined; this is the Kerberos v4 flavor
 * (AUTH_KERB), distinct from the RPCSEC_GSS krb5 pseudo flavors below.
 */
__BEGIN_DECLS
extern AUTH *authkerb_seccreate(const char *, const char *, const char *,
	const u_int, const char *, int *);
__END_DECLS

/*
 * Map a kerberos credential into a unix cred.
 *
 * authkerb_getucred(rqst, uid, gid, grouplen, groups)
 * const struct svc_req *rqst; - request pointer
 * uid_t *uid;
 * gid_t *gid;
 * short *grouplen;
 * int *groups;
 *
 * NOTE(review): the declaration below has an empty parameter list, so the
 * compiler does not check calls against the signature described above
 * (the parameters are only given in a comment). struct svc_req is forward
 * declared later in this header; a real prototype would need that
 * declaration moved ahead of this point.
 */
__BEGIN_DECLS
extern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
	short *, int * */);
__END_DECLS
#endif /* KERBEROS */

__BEGIN_DECLS
struct svc_req;
struct rpc_msg;
/*
 * Server-side credential checks for the AUTH_NONE, AUTH_SHORT and
 * AUTH_SYS flavors: each inspects the incoming request/message and
 * returns an auth_stat (AUTH_OK or the reason for rejection).
 */
enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *);
enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *);
__END_DECLS

/*
 * Authentication flavor numbers as carried in opaque_auth.oa_flavor.
 * These are wire values; do not renumber. Note that 5 is not assigned
 * in this header.
 */
#define AUTH_NONE 0 /* no authentication */
#define AUTH_NULL 0 /* backward compatibility */
#define AUTH_SYS 1 /* unix style (uid, gids) */
#define AUTH_UNIX AUTH_SYS
#define AUTH_SHORT 2 /* short hand unix style */
#define AUTH_DH 3 /* for Diffie-Hellman mechanism */
#define AUTH_DES AUTH_DH /* for backward compatibility */
#define AUTH_KERB 4 /* kerberos style */
#define RPCSEC_GSS 6 /* RPCSEC_GSS */

/*
 * Pseudo auth flavors for RPCSEC_GSS.
 *
 * NOTE(review): the I/P suffixes presumably select the integrity and
 * privacy service levels of the krb5 mechanism -- confirm against the
 * GSS code that consumes them.
 */
#define RPCSEC_GSS_KRB5 390003
#define RPCSEC_GSS_KRB5I 390004
#define RPCSEC_GSS_KRB5P 390005

#endif /* !_RPC_AUTH_H */