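/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Copyright 2017 Joyent Inc
 * Use is subject to license terms.
 */
/*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
/*	  All Rights Reserved	*/
/*
 * Portions of this source code were derived from Berkeley
 * 4.3 BSD under license from the Regents of the University of
 * California.
 */

/*
 * auth.h, Authentication interface.
 *
 * The data structures are completely opaque to the client. The client
 * is required to pass an AUTH * to routines that create rpc
 * "sessions".
 *
 * Two audiences share this header: user-level libnsl clients (plain
 * prototypes) and the kernel RPC module (_KERNEL), whose authenticator
 * ops take an extra cred_t and gain the WRAP/UNWRAP body transforms.
 * Pre-ANSI (!__STDC__) fallbacks are retained for every prototype.
 */

#ifndef _RPC_AUTH_H
#define	_RPC_AUTH_H

#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cred.h>
#include <sys/tiuser.h>
#ifdef _KERNEL
#include <sys/zone.h>
#endif

#ifdef __cplusplus
extern "C" {
#endif

#define	MAX_AUTH_BYTES	400	/* maximum length of an auth type, from RFC */
#define	MAXNETNAMELEN	255	/* maximum length of network user's name */

/*
 * NOTE: this value *must* be kept larger than the maximum size of all the
 * structs that rq_clntcred is cast to in the different authentication types.
 * If changes are made to any of these *_area structs, double-check they all
 * still fit. If any new authentication mechanisms are added, add a note here.
 *
 * Currently these structs can be found in:
 * - __svcauth_sys (svc_auth_sys.c)
 * - __svcauth_des (svcauth_des.c)
 * - __svcauth_loopback (svc_auth_loopb.c)
 */
#define	RQCRED_SIZE	700	/* size allocated for rq_clntcred */

/*
 * Client side authentication/security data.
 *
 * Describes which security flavor a client should use and carries the
 * flavor-specific payload in the opaque `data' pointer (see the
 * des_clnt_data / krb4_svc_data layouts below for two of them).
 */
typedef struct sec_data {
	uint_t	secmod;		/* security mode number e.g. in nfssec.conf */
	uint_t	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int	flags;		/* AUTH_F_xxx flags */
	uid_t	uid;		/* uid of caller for all sec flavors (NFSv4) */
	caddr_t	data;		/* opaque data per flavor */
} sec_data_t;

#ifdef _SYSCALL32_IMPL
/*
 * 32-bit image of sec_data for ILP32 callers of a 64-bit kernel; the
 * pointer member is carried as a caddr32_t.
 */
struct sec_data32 {
	uint32_t	secmod;		/* security mode number e.g. in nfssec.conf */
	uint32_t	rpcflavor;	/* AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int32_t		flags;		/* AUTH_F_xxx flags */
	uid_t		uid;		/* uid of caller for all sec flavors (NFSv4) */
	caddr32_t	data;		/* opaque data per flavor */
};
#endif /* _SYSCALL32_IMPL */

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 */
typedef struct des_clnt_data {
	struct netbuf	syncaddr;	/* time sync addr */
	struct knetconfig *knconf;	/* knetconfig info associated */
					/* with the syncaddr. */
	char		*netname;	/* server's netname */
	int		netnamelen;	/* server's netname len */
} dh_k4_clntdata_t;

#ifdef _SYSCALL32_IMPL
/* 32-bit image of des_clnt_data; both pointers become caddr32_t. */
struct des_clnt_data32 {
	struct netbuf32	syncaddr;	/* time sync addr */
	caddr32_t	knconf;		/* knetconfig info associated */
					/* with the syncaddr. */
	caddr32_t	netname;	/* server's netname */
	int32_t		netnamelen;	/* server's netname len */
};
#endif /* _SYSCALL32_IMPL */

/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
 */
typedef struct krb4_svc_data {
	int	window;		/* window option value */
} krb4_svcdata_t;

typedef struct krb4_svc_data	des_svcdata_t;

/*
 * authentication/security specific flags
 */
#define	AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
#define	AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */


/*
 * Status returned from authentication check.
 *
 * Values 1-5 are verdicts from the remote end, 6-7 are local failures,
 * 8-12 are Kerberos specific and 13-14 are RPCSEC_GSS specific.
 */
enum auth_stat {
	AUTH_OK = 0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED = 1,		/* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED = 2,		/* client should begin new session */
	AUTH_BADVERF = 3,		/* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF = 4,		/* verifier expired or was replayed */
	AUTH_TOOWEAK = 5,		/* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP = 6,		/* bogus response verifier */
	AUTH_FAILED = 7,		/* some unknown reason */
	/*
	 * kerberos errors
	 */
	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
	AUTH_DECODE = 11,		/* can't decode authenticator */
	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
	/*
	 * GSS related errors
	 */
	RPCSEC_GSS_NOCRED = 13,		/* no credentials for user */
	RPCSEC_GSS_FAILED = 14		/* GSS failure, credentials deleted */
};
typedef enum auth_stat AUTH_STAT;

/*
 * An 8-byte DES block, viewable either as two 32-bit halves or as raw
 * bytes. Both views alias the same storage.
 */
union des_block {
	struct {
		uint32_t high;
		uint32_t low;
	} key;
	char c[8];
};
typedef union des_block des_block;

#ifdef __STDC__
extern bool_t xdr_des_block(XDR *, des_block *);
#else
extern bool_t xdr_des_block();
#endif


/*
 * Authentication info. Opaque to client.
 *
 * NOTE(review): the MAX_AUTH_BYTES bound on oa_length is a contract the
 * decoder must enforce before copying; it is not guaranteed by the wire
 * data itself.
 */
struct opaque_auth {
	enum_t	oa_flavor;		/* flavor of auth */
	caddr_t	oa_base;		/* address of more auth stuff */
	uint_t	oa_length;		/* not to exceed MAX_AUTH_BYTES */
};


/*
 * Auth handle, interface to client side authenticators.
 *
 * Each flavor supplies an auth_ops table; the AUTH_* / auth_* macros
 * below dispatch through ah_ops. ah_private is flavor-owned state.
 */
typedef struct __auth {
	struct	opaque_auth	ah_cred;	/* credential sent with a call */
	struct	opaque_auth	ah_verf;	/* verifier sent with a call */
	union	des_block	ah_key;		/* presumably the session key; */
						/* flavor specific */
	struct auth_ops {
#ifdef __STDC__
		void	(*ah_nextverf)(struct __auth *);
#ifdef _KERNEL
		int	(*ah_marshal)(struct __auth *, XDR *, struct cred *);
#else
		int	(*ah_marshal)(struct __auth *, XDR *);
#endif
		/* nextverf & serialize */
		int	(*ah_validate)(struct __auth *,
		    struct opaque_auth *);
		/* validate verifier */
#ifdef _KERNEL
		int	(*ah_refresh)(struct __auth *, struct rpc_msg *,
		    cred_t *);
#else
		int	(*ah_refresh)(struct __auth *, void *);
		/* refresh credentials */
#endif
		void	(*ah_destroy)(struct __auth *);
		/* destroy this structure */

#ifdef _KERNEL
		int	(*ah_wrap)(struct __auth *, caddr_t, uint_t,
		    XDR *, xdrproc_t, caddr_t);
		int	(*ah_unwrap)(struct __auth *, XDR *, xdrproc_t,
		    caddr_t);
#endif
#else
		void	(*ah_nextverf)();
		int	(*ah_marshal)();	/* nextverf & serialize */
		int	(*ah_validate)();	/* validate verifier */
		int	(*ah_refresh)();	/* refresh credentials */
		void	(*ah_destroy)();	/* destroy this structure */
#ifdef _KERNEL
		int	(*ah_wrap)();		/* encode XDR data */
		int	(*ah_unwrap)();		/* decode XDR data */
#endif

#endif
	} *ah_ops;
	caddr_t ah_private;
} AUTH;


/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 *
 * AUTH	*auth;
 * XDR	*xdrs;
 * struct opaque_auth verf;
 *
 * Every macro argument is parenthesized so that callers may pass
 * arbitrary expressions.
 */
#define	AUTH_NEXTVERF(auth)		\
		((*((auth)->ah_ops->ah_nextverf))((auth)))
#define	auth_nextverf(auth)		\
		((*((auth)->ah_ops->ah_nextverf))((auth)))


#ifdef _KERNEL
#define	AUTH_MARSHALL(auth, xdrs, cred)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs), (cred)))
#define	auth_marshall(auth, xdrs, cred)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs), (cred)))
#else
#define	AUTH_MARSHALL(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs)))
#define	auth_marshall(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))((auth), (xdrs)))
#endif


#define	AUTH_VALIDATE(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), (verfp)))
#define	auth_validate(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), (verfp)))

#ifdef _KERNEL
#define	AUTH_REFRESH(auth, msg, cr)	\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg), (cr)))
#define	auth_refresh(auth, msg, cr)	\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg), (cr)))
#else
#define	AUTH_REFRESH(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg)))
#define	auth_refresh(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))((auth), (msg)))
#endif

#define	AUTH_DESTROY(auth)		\
		((*((auth)->ah_ops->ah_destroy))((auth)))
#define	auth_destroy(auth)		\
		((*((auth)->ah_ops->ah_destroy))((auth)))

/*
 * Auth flavors can now apply a transformation in addition to simple XDR
 * on the body of a call/response in ways that depend on the flavor being
 * used. These interfaces provide a generic interface between the
 * internal RPC frame and the auth flavor specific code to allow the
 * auth flavor to encode (WRAP) or decode (UNWRAP) the body.
 */
#ifdef _KERNEL
#define	AUTH_WRAP(auth, buf, buflen, xdrs, xfunc, xwhere)	\
		((*((auth)->ah_ops->ah_wrap))((auth), (buf), (buflen),	\
		    (xdrs), (xfunc), (xwhere)))
#define	auth_wrap(auth, buf, buflen, xdrs, xfunc, xwhere)	\
		((*((auth)->ah_ops->ah_wrap))((auth), (buf), (buflen),	\
		    (xdrs), (xfunc), (xwhere)))

#define	AUTH_UNWRAP(auth, xdrs, xfunc, xwhere)	\
		((*((auth)->ah_ops->ah_unwrap))((auth), (xdrs), (xfunc), (xwhere)))
/*
 * The lowercase form used to be declared with only (auth, xdrs) while
 * its expansion still named xfunc and xwhere, so any use silently bound
 * to whatever identifiers of those names were in the caller's scope.
 * It now takes the same four arguments as AUTH_UNWRAP.
 */
#define	auth_unwrap(auth, xdrs, xfunc, xwhere)	\
		((*((auth)->ah_ops->ah_unwrap))((auth), (xdrs), (xfunc), (xwhere)))
#endif

extern struct opaque_auth _null_auth;

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authsys_create(machname, uid, gid, len, aup_gids)
 *	const char *machname;
 *	const uid_t uid;
 *	const gid_t gid;
 *	const int len;
 *	const gid_t *aup_gids;
 */
#ifdef _KERNEL
extern AUTH *authkern_create(void);		/* takes no parameters */
extern int authkern_init(void *, void *, int);
extern struct kmem_cache *authkern_cache;
extern AUTH *authnone_create(void);		/* takes no parameters */
extern int authnone_init(void *, void *, int);
extern struct kmem_cache *authnone_cache;
extern AUTH *authloopback_create(void);		/* takes no parameters */
extern int authloopback_init(void *, void *, int);
extern struct kmem_cache *authloopback_cache;
#else /* _KERNEL */
#ifdef __STDC__
extern AUTH *authsys_create(const char *, const uid_t, const gid_t, const int,
    const gid_t *);
extern AUTH *authsys_create_default(void);	/* takes no parameters */
extern AUTH *authnone_create(void);		/* takes no parameters */
#else /* __STDC__ */
extern AUTH *authsys_create();
extern AUTH *authsys_create_default();	/* takes no parameters */
extern AUTH *authnone_create();		/* takes no parameters */
#endif /* __STDC__ */
/* Will get obsolete in near future */
#define	authunix_create		authsys_create
#define	authunix_create_default	authsys_create_default
#endif /* _KERNEL */

/*
 * DES style authentication
 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
 *	const char *servername;		- network name of server
 *	const uint_t window;		- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	const des_block *ckey;		- optional conversation key to use
 */
/* Will get obsolete in near future */
#ifdef _KERNEL
extern int authdes_create(char *, uint_t, struct netbuf *, struct knetconfig *,
    des_block *, int, AUTH **retauth);
#else /* _KERNEL */
#ifdef __STDC__
extern AUTH *authdes_seccreate(const char *, const uint_t, const  char *,
    const des_block *);
#else
extern AUTH *authdes_seccreate();
#endif /* __STDC__ */
#endif /* _KERNEL */

/*
 * Netname manipulating functions
 *
 * The char * output parameters are caller-supplied buffers; the netname
 * functions are presumably bounded by MAXNETNAMELEN — confirm against
 * the implementation before sizing a buffer.
 */

#ifdef _KERNEL
extern enum clnt_stat netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
#endif
#ifdef __STDC__
extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
#ifndef _KERNEL
extern int netname2user(const char *, uid_t *, gid_t *, int *, gid_t *);
#endif
extern int netname2host(const char *, char *, const int);
#else
extern int getnetname();
extern int host2netname();
extern int user2netname();
extern int netname2host();
#endif

/*
 * These routines interface to the keyserv daemon
 */

#ifdef _KERNEL
extern enum clnt_stat key_decryptsession();
extern enum clnt_stat key_encryptsession();
extern enum clnt_stat key_gendes();
extern enum clnt_stat key_getnetname();
#endif

#ifndef _KERNEL
#ifdef __STDC__
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);
/*
 * The following routines are private.
 */
extern int key_setnet_ruid();
extern int key_setnet_g_ruid();
extern int key_removesecret_g_ruid();
extern int key_secretkey_is_set_g_ruid();
extern AUTH *authsys_create_ruid();
#else
extern int key_decryptsession();
extern int key_encryptsession();
extern int key_gendes();
extern int key_setsecret();
extern int key_secretkey_is_set();
#endif
#endif


/*
 * Kerberos style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 *	const char *service;		- service name
 *	const char *srv_inst;		- server instance
 *	const char *realm;		- server realm
 *	const uint_t window;		- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	int *status;			- kerberos status returned
 */
#ifdef _KERNEL
extern int authkerb_create(char *, char *, char *, uint_t,
    struct netbuf *, int *, struct knetconfig *, int, AUTH **);
#else
#ifdef __STDC__
extern AUTH *authkerb_seccreate(const char *, const char *, const  char *,
    const uint_t, const char *, int *);
#else
extern AUTH *authkerb_seccreate();
#endif
#endif /* _KERNEL */

/*
 * Map a kerberos credential into a unix cred.
 *
 *  authkerb_getucred(rqst, uid, gid, grouplen, groups)
 *	const struct svc_req *rqst;	- request pointer
 *	uid_t *uid;
 *	gid_t *gid;
 *	short *grouplen;
 *	int *groups;
 *
 */
#ifdef __STDC__
struct svc_req;
extern int authkerb_getucred(struct svc_req *, uid_t *, gid_t *,
    short *, int *);
#else
extern int authkerb_getucred();
#endif

#ifdef _KERNEL
/*
 * XDR an opaque authentication struct. See auth.h.
 */
extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);
#endif

#ifdef _KERNEL
/* Default WRAP/UNWRAP ops for flavors that do not transform the body. */
extern int authany_wrap(AUTH *, caddr_t, uint_t, XDR *, xdrproc_t, caddr_t);
extern int authany_unwrap(AUTH *, XDR *, xdrproc_t, caddr_t);
#endif

/*
 * RPC authentication flavor numbers as carried in opaque_auth.oa_flavor.
 */
#define	AUTH_NONE	0		/* no authentication */
#define	AUTH_NULL	0		/* backward compatibility */
#define	AUTH_SYS	1		/* unix style (uid, gids) */
#define	AUTH_UNIX	AUTH_SYS
#define	AUTH_SHORT	2		/* short hand unix style */
#define	AUTH_DH		3		/* for Diffie-Hellman mechanism */
#define	AUTH_DES	AUTH_DH		/* for backward compatibility */
#define	AUTH_KERB	4		/* kerberos style */
#define	RPCSEC_GSS	6		/* GSS-API style */

#define	AUTH_LOOPBACK	21982		/* unix style w/ expanded groups */
					/* for use over the local transport */

#ifdef _KERNEL
extern char loopback_name[];

/* Per-zone state for the kernel authenticators. */
extern zone_key_t auth_zone_key;
extern void * auth_zone_init(zoneid_t);
extern void auth_zone_fini(zoneid_t, void *);
#endif

#ifdef __cplusplus
}
#endif

#endif	/* !_RPC_AUTH_H */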