       1  /*
       2   * auth.h, Authentication interface.
       3   *
       4   * Copyright (c) 2010, Oracle America, Inc.
       5   *
       6   * Redistribution and use in source and binary forms, with or without
       7   * modification, are permitted provided that the following conditions are
       8   * met:
       9   *
      10   *     * Redistributions of source code must retain the above copyright
      11   *       notice, this list of conditions and the following disclaimer.
      12   *     * Redistributions in binary form must reproduce the above
      13   *       copyright notice, this list of conditions and the following
      14   *       disclaimer in the documentation and/or other materials
      15   *       provided with the distribution.
      16   *     * Neither the name of the "Oracle America, Inc." nor the names of its
      17   *       contributors may be used to endorse or promote products derived
      18   *       from this software without specific prior written permission.
      19   *
      20   *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
      21   *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
      22   *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
      23   *   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
      24   *   COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
      25   *   INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26   *   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
      27   *   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
      28   *   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
      29   *   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
      30   *   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
      31   *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
      32   *
      33   * The data structures are completely opaque to the client.  The client
      34   * is required to pass an AUTH * to routines that create rpc
      35   * "sessions".
      36   */
      37  
      38  #ifndef _RPC_AUTH_H
      39  
      40  #define _RPC_AUTH_H	1
      41  #include <features.h>
      42  #include <rpc/xdr.h>
      43  
      44  __BEGIN_DECLS
      45  
      46  #define MAX_AUTH_BYTES	400	/* upper bound on opaque_auth.oa_length, in bytes */
      47  #define MAXNETNAMELEN	255	/* maximum length of network user's name */
          /*
           * The netname routines below declare their buffers as
           * char [MAXNETNAMELEN + 1]; the extra byte is presumably for the
           * terminating NUL -- confirm against the implementation.
           */
      48  
      49  /*
      50   * Status returned from authentication check
           *
           * The enumerators are grouped by where the failure was detected:
           * values 1-5 are reported by the remote end, values 6-7 are detected
           * locally.
           * AUTH_BADCRED / AUTH_BADVERF (seal broken) and AUTH_REJECTEDVERF
           * (expired or replayed) are the results most worth logging, since
           * they can point to tampering or replay as well as to plain
           * misconfiguration.
           * NOTE(review): the explicit numbering suggests these are the status
           * codes exchanged with the peer, so renumbering would break
           * interoperability -- confirm against the protocol specification
           * before changing any value.
      51   */
      52  enum auth_stat {
      53  	AUTH_OK=0,
      54  	/*
      55  	 * failed at remote end
      56  	 */
      57  	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
      58  	AUTH_REJECTEDCRED=2,		/* client should begin new session */
      59  	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
      60  	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
      61  	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
      62  	/*
      63  	 * failed locally
      64  	*/
      65  	AUTH_INVALIDRESP=6,		/* bogus response verifier */
      66  	AUTH_FAILED=7			/* some unknown reason */
      67  };
      68  
      69  union des_block {
          	/*
          	 * 8-byte block, addressable either as two 32-bit words (key.high,
          	 * key.low) or as raw bytes (c[]).  The mapping between the bytes of
          	 * c[] and the numeric values of key.high / key.low depends on host
          	 * byte order.
          	 * This is the type of AUTH.ah_key and of the blocks passed to the
          	 * key_* routines declared later in this header, so an instance may
          	 * hold key material: keep it out of logs and clear it once it is
          	 * no longer needed.
          	 */
      70  	struct {
      71  		uint32_t high;
      72  		uint32_t low;
      73  	} key;
      74  	char c[8];
      75  };
      76  typedef union des_block des_block;
          /* XDR routine for a des_block; returns bool_t.  */
      77  extern bool_t xdr_des_block (XDR *__xdrs, des_block *__blkp) __THROW;
      78  
      79  /*
      80   * Authentication info.  Opaque to client.
           *
           * oa_base points to oa_length bytes of flavor-specific data; oa_flavor
           * says which flavor (presumably one of the AUTH_* flavor numbers
           * defined further down -- confirm).
           * Nothing in this struct enforces the MAX_AUTH_BYTES limit on
           * oa_length: when the values come from a peer, check oa_length against
           * MAX_AUTH_BYTES before reading or copying from oa_base.
           * NOTE(review): xdr_opaque_auth is the XDR routine declared for this
           * type; whether it performs that check is not visible in this header
           * -- confirm in the implementation.
      81   */
      82  struct opaque_auth {
      83  	enum_t	oa_flavor;		/* flavor of auth */
      84  	caddr_t	oa_base;		/* address of more auth stuff */
      85  	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
      86  };
      87  
      88  /*
      89   * Auth handle, interface to client side authenticators.
           *
           * ah_ops is the per-authenticator dispatch table; the AUTH_* / auth_*
           * macros that follow call through it.  ah_cred and ah_verf are
           * presumably the credential and verifier sent with each call, ah_key a
           * DES key block and ah_private implementation-specific state -- this is
           * read from the names only, confirm against the authenticator sources.
           * Every operation is an indirect call through ah_ops, so a handle that
           * has been destroyed or overwritten must never be passed to those
           * macros.
      90   */
      91  typedef struct AUTH AUTH;
      92  struct AUTH {
      93    struct opaque_auth ah_cred;
      94    struct opaque_auth ah_verf;
      95    union des_block ah_key;
      96    struct auth_ops {
      97      void (*ah_nextverf) (AUTH *);
      98      int  (*ah_marshal) (AUTH *, XDR *);		/* nextverf & serialize */
      99      int  (*ah_validate) (AUTH *, struct opaque_auth *);
     100  						/* validate verifier */
     101      int  (*ah_refresh) (AUTH *);		/* refresh credentials */
     102      void (*ah_destroy) (AUTH *); 	    	/* destroy this structure */
     103    } *ah_ops;
     104    caddr_t ah_private;
     105  };
     106  
     107  
     108  /*
     109   * Authentication ops.
     110   * The ops and the auth handle provide the interface to the authenticators.
     111   *
     112   * AUTH	*auth;
     113   * XDR	*xdrs;
     114   * struct opaque_auth verf;
           *
           * Each macro exists in an upper-case and a lower-case spelling with the
           * same expansion: an indirect call through auth->ah_ops.
           * The expansion evaluates `auth' twice and dereferences auth and
           * auth->ah_ops without any NULL check, so pass a valid handle and an
           * argument expression that has no side effects.
           * ah_destroy is documented as destroying the structure, so the handle
           * must not be used again after AUTH_DESTROY.
           * NOTE(review): the list above names `verf' as a struct, but
           * ah_validate is declared to take a struct opaque_auth *, so verfp
           * must be a pointer.
     115   */
     116  #define AUTH_NEXTVERF(auth)		\
     117  		((*((auth)->ah_ops->ah_nextverf))(auth))
     118  #define auth_nextverf(auth)		\
     119  		((*((auth)->ah_ops->ah_nextverf))(auth))
     120  
     121  #define AUTH_MARSHALL(auth, xdrs)	\
     122  		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
     123  #define auth_marshall(auth, xdrs)	\
     124  		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
     125  
     126  #define AUTH_VALIDATE(auth, verfp)	\
     127  		((*((auth)->ah_ops->ah_validate))((auth), verfp))
     128  #define auth_validate(auth, verfp)	\
     129  		((*((auth)->ah_ops->ah_validate))((auth), verfp))
     130  
     131  #define AUTH_REFRESH(auth)		\
     132  		((*((auth)->ah_ops->ah_refresh))(auth))
     133  #define auth_refresh(auth)		\
     134  		((*((auth)->ah_ops->ah_refresh))(auth))
     135  
     136  #define AUTH_DESTROY(auth)		\
     137  		((*((auth)->ah_ops->ah_destroy))(auth))
     138  #define auth_destroy(auth)		\
     139  		((*((auth)->ah_ops->ah_destroy))(auth))
     140  
     141  
     142  extern struct opaque_auth _null_auth;
          /*
           * NOTE(review): defined outside this header; by its name presumably the
           * empty credential/verifier used when no authentication data is sent --
           * confirm at the definition.
           */
     143  
     144  
     145  /*
     146   * These are the various implementations of client side authenticators.
           *
           * Each constructor returns an AUTH handle that is then driven through
           * the AUTH_* macros.  NOTE(review): the failure return value is not
           * stated in this header (presumably NULL) -- confirm, and check the
           * result before passing it to any macro, since the macros do no NULL
           * check.
     147   */
     148  
     149  /*
     150   * Unix style authentication
     151   * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
     152   *	char *machname;
     153   *	int uid;
     154   *	int gid;
     155   *	int len;
     156   *	int *aup_gids;
           *
           * The old-style parameter list above predates the prototype below,
           * which uses __uid_t / __gid_t rather than int.  __len is presumably
           * the number of entries in __aup_gids -- confirm.
           * Every value in this credential (machine name, uid, gid, group list)
           * is supplied by the caller and the interface takes no key or secret,
           * so a server accepting this flavor is trusting the client's claim.
           *
           * authdes_create / authdes_pk_create take a des_block key and are the
           * DES-based constructors; authnone_create takes no arguments at all.
     157   */
     158  extern AUTH *authunix_create (char *__machname, __uid_t __uid, __gid_t __gid,
     159  			      int __len, __gid_t *__aup_gids);
     160  extern AUTH *authunix_create_default (void);
     161  extern AUTH *authnone_create (void) __THROW;
     162  extern AUTH *authdes_create (const char *__servername, u_int __window,
     163  			     struct sockaddr *__syncaddr, des_block *__ckey)
     164       __THROW;
     165  extern AUTH *authdes_pk_create (const char *, netobj *, u_int,
     166  				struct sockaddr *, des_block *) __THROW;
     167  
     168  
     169  #define AUTH_NONE	0		/* no authentication */
     170  #define	AUTH_NULL	0		/* backward compatibility */
     171  #define	AUTH_SYS	1		/* unix style (uid, gids) */
     172  #define	AUTH_UNIX	AUTH_SYS
     173  #define	AUTH_SHORT	2		/* short hand unix style */
     174  #define AUTH_DES	3		/* des style (encrypted timestamps) */
     175  #define AUTH_DH		AUTH_DES	/* Diffie-Hellman (this is DES) */
     176  #define AUTH_KERB       4               /* kerberos style */
          /*
           * Authentication flavor numbers (presumably the values carried in
           * opaque_auth.oa_flavor -- confirm).  Three pairs are aliases:
           * AUTH_NONE/AUTH_NULL, AUTH_SYS/AUTH_UNIX and AUTH_DES/AUTH_DH.
           *
           * Security review: AUTH_NONE identifies nobody, and AUTH_SYS only
           * states a uid and gids, so neither is evidence of who the caller is.
           * AUTH_DES / AUTH_DH rests on single DES, whose 56-bit key is no
           * longer considered adequate.  A service that needs real caller
           * authentication should not rely on these flavors alone.
           */
     177  
     178  /*
     179   *  Netname manipulating functions
     180   *
           *  The netname buffers are declared as char [MAXNETNAMELEN + 1], but an
           *  array parameter is only a pointer, so the compiler does not check
           *  the size: the caller must supply at least MAXNETNAMELEN + 1 bytes.
           *  NOTE(review): netname2host's const int argument is presumably the
           *  size of its char * output buffer, and the int passed by pointer to
           *  netname2user presumably the group count for the trailing gid_t
           *  array, whose capacity is not passed at all -- confirm both against
           *  the implementation before sizing buffers.
     181   */
     182  extern int getnetname (char [MAXNETNAMELEN + 1]) __THROW;
     183  extern int host2netname (char [MAXNETNAMELEN + 1], const char *,
     184  			 const char *) __THROW;
     185  extern int user2netname (char [MAXNETNAMELEN + 1], const uid_t,
     186  			 const char *) __THROW;
     187  extern int netname2user (const char *, uid_t *, gid_t *, int *, gid_t *)
     188       __THROW;
     189  extern int netname2host (const char *, char *, const int) __THROW;
     190  
     191  /*
     192   *
     193   * These routines interface to the keyserv daemon
     194   *
           * They exchange key material with the caller: des_block arguments, and
           * a char * secret for key_setsecret.  Treat those buffers as
           * sensitive -- keep them out of logs and clear them after use.
           * NOTE(review): the meaning of the int result is not stated in this
           * header; confirm the success value before treating a des_block
           * written by one of these calls as valid.
     195   */
     196  extern int key_decryptsession (char *, des_block *);
     197  extern int key_decryptsession_pk (char *, netobj *, des_block *);
     198  extern int key_encryptsession (char *, des_block *);
     199  extern int key_encryptsession_pk (char *, netobj *, des_block *);
     200  extern int key_gendes (des_block *);
     201  extern int key_setsecret (char *);
     202  extern int key_secretkey_is_set (void);
     203  extern int key_get_conv (char *, des_block *);
     204  
     205  /*
     206   * XDR an opaque authentication struct.
           *
           * Returns bool_t.  When this routine decodes, oa_flavor and oa_length
           * come from the peer.
           * NOTE(review): struct opaque_auth documents oa_length as "not to
           * exceed MAX_AUTH_BYTES"; whether that limit is enforced here is not
           * visible in this header -- confirm in the implementation.
     207   */
     208  extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *) __THROW;
     209  
     210  __END_DECLS
     211  
     212  #endif /* rpc/auth.h */