1 /* @(#)auth.h	2.3 88/08/07 4.0 RPCSRC; from 1.17 88/02/08 SMI */
2 /*
3  * Copyright (c) 2010, Oracle America, Inc.
4  *
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions are met:
9  *
10  *     * Redistributions of source code must retain the above copyright
11  *       notice, this list of conditions and the following disclaimer.
12  *
13  *     * Redistributions in binary form must reproduce the above copyright
14  *       notice, this list of conditions and the following disclaimer in
15  *       the documentation and/or other materials provided with the
16  *       distribution.
17  *
18  *     * Neither the name of the "Oracle America, Inc." nor the names of
19  *       its contributors may be used to endorse or promote products
20  *       derived from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
23  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
24  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
25  * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
28  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
30  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
31  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
32  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 /*
36  * auth.h, Authentication interface.
37  *
38  * The data structures are completely opaque to the client.  The client
39  * is required to pass a AUTH * to routines that create rpc
40  * "sessions".
41  */
42 #ifndef GSSRPC_AUTH_H
43 #define GSSRPC_AUTH_H
44 
45 #include <gssrpc/xdr.h>
46 
47 GSSRPC__BEGIN_DECLS
48 
49 #define MAX_AUTH_BYTES	400
50 #define MAXNETNAMELEN	255	/* maximum length of network user's name */
51 
52 /*
53  * Status returned from authentication check
54  */
55 enum auth_stat {
56 	AUTH_OK=0,
57 	/*
58 	 * failed at remote end
59 	 */
60 	AUTH_BADCRED=1,			/* bogus credentials (seal broken) */
61 	AUTH_REJECTEDCRED=2,		/* client should begin new session */
62 	AUTH_BADVERF=3,			/* bogus verifier (seal broken) */
63 	AUTH_REJECTEDVERF=4,		/* verifier expired or was replayed */
64 	AUTH_TOOWEAK=5,			/* rejected due to security reasons */
65 	/*
66 	 * failed locally
67 	*/
68 	AUTH_INVALIDRESP=6,		/* bogus response verifier */
69 	AUTH_FAILED=7,			/* some unknown reason */
70 	/*
71 	 * RPCSEC_GSS errors
72 	 */
73 	RPCSEC_GSS_CREDPROBLEM = 13,
74 	RPCSEC_GSS_CTXPROBLEM = 14
75 };
76 
77 union des_block {
78 	char c[8];
79 };
80 typedef union des_block des_block;
81 extern bool_t	xdr_des_block(XDR *, des_block *);
82 
83 /*
84  * Authentication info.  Opaque to client.
85  */
86 struct opaque_auth {
87 	enum_t	oa_flavor;		/* flavor of auth */
88 	caddr_t	oa_base;		/* address of more auth stuff */
89 	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
90 };
91 
92 
93 /*
94  * Auth handle, interface to client side authenticators.
95  */
96 struct rpc_msg;
97 
98 typedef struct AUTH {
99 	struct	opaque_auth	ah_cred;
100 	struct	opaque_auth	ah_verf;
101 	union	des_block	ah_key;
102 	struct auth_ops {
103 		void	(*ah_nextverf)(struct AUTH *);
104 	        /* nextverf & serialize */
105 		int	(*ah_marshal)(struct AUTH *, XDR *);
106 	        /* validate varifier */
107 		int	(*ah_validate)(struct AUTH *,
108 				       struct opaque_auth *);
109 	        /* refresh credentials */
110 		int	(*ah_refresh)(struct AUTH *, struct rpc_msg *);
111 	        /* destroy this structure */
112 		void	(*ah_destroy)(struct AUTH *);
113 		/* encode data for wire */
114 		int     (*ah_wrap)(struct AUTH *, XDR *,
115 				   xdrproc_t, caddr_t);
116 	        /* decode data from wire */
117   	        int	(*ah_unwrap)(struct AUTH *, XDR *,
118 				     xdrproc_t, caddr_t);
119 	} *ah_ops;
120 	void *ah_private;
121 } AUTH;
122 
123 
124 /*
125  * Authentication ops.
126  * The ops and the auth handle provide the interface to the authenticators.
127  *
128  * AUTH	*auth;
129  * XDR	*xdrs;
130  * struct opaque_auth verf;
131  */
132 #define AUTH_NEXTVERF(auth)		\
133 		((*((auth)->ah_ops->ah_nextverf))(auth))
134 #define auth_nextverf(auth)		\
135 		((*((auth)->ah_ops->ah_nextverf))(auth))
136 
137 #define AUTH_MARSHALL(auth, xdrs)	\
138 		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
139 #define auth_marshall(auth, xdrs)	\
140 		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
141 
142 #define AUTH_VALIDATE(auth, verfp)	\
143 		((*((auth)->ah_ops->ah_validate))((auth), verfp))
144 #define auth_validate(auth, verfp)	\
145 		((*((auth)->ah_ops->ah_validate))((auth), verfp))
146 
147 #define AUTH_REFRESH(auth, msg)		\
148 		((*((auth)->ah_ops->ah_refresh))(auth, msg))
149 #define auth_refresh(auth, msg)		\
150 		((*((auth)->ah_ops->ah_refresh))(auth, msg))
151 
152 #define AUTH_WRAP(auth, xdrs, xfunc, xwhere)		\
153 		((*((auth)->ah_ops->ah_wrap))(auth, xdrs, \
154 					      xfunc, xwhere))
155 #define auth_wrap(auth, xdrs, xfunc, xwhere)		\
156 		((*((auth)->ah_ops->ah_wrap))(auth, xdrs, \
157 					      xfunc, xwhere))
158 #define AUTH_UNWRAP(auth, xdrs, xfunc, xwhere)		\
159 		((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, \
160 					      xfunc, xwhere))
161 #define auth_unwrap(auth, xdrs, xfunc, xwhere)		\
162 		((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, \
163 					      xfunc, xwhere))
164 
165 #define AUTH_DESTROY(auth)		\
166 		((*((auth)->ah_ops->ah_destroy))(auth))
167 #define auth_destroy(auth)		\
168 		((*((auth)->ah_ops->ah_destroy))(auth))
169 
170 
171 #ifdef GSSRPC__IMPL
172 /* RENAMED: should be _null_auth if we can use reserved namespace. */
173 extern struct opaque_auth gssrpc__null_auth;
174 #endif
175 
176 /*
177  * These are the various implementations of client side authenticators.
178  */
179 
180 /*
181  * Unix style authentication
182  * AUTH *authunix_create(machname, uid, gid, len, aup_gids)
183  *	char *machname;
184  *	int uid;
185  *	int gid;
186  *	int len;
187  *	int *aup_gids;
188  */
189 extern AUTH *authunix_create(char *machname, int uid, int gid, int len,
190 			     int *aup_gids);
191 extern AUTH *authunix_create_default(void);	/* takes no parameters */
192 extern AUTH *authnone_create(void);		/* takes no parameters */
193 extern AUTH *authdes_create();
194 extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);
195 
196 #define AUTH_NONE	0		/* no authentication */
197 #define	AUTH_NULL	0		/* backward compatibility */
198 #define	AUTH_UNIX	1		/* unix style (uid, gids) */
199 #define	AUTH_SHORT	2		/* short hand unix style */
200 #define AUTH_DES	3		/* des style (encrypted timestamps) */
201 #define AUTH_GSSAPI	300001		/* GSS-API style */
202 #define RPCSEC_GSS	6		/* RPCSEC_GSS */
203 
204 GSSRPC__END_DECLS
205 
206 #endif /* !defined(GSSRPC_AUTH_H) */
207