search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'origin/master'
[unleashed/lotheac.git] / usr / src / uts / common / rpc / auth.h
blobbf4a97cfe9cc3d9dd0e5f49ef4b6273b4dc61935
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Copyright 2017 Joyent Inc
24 * Use is subject to license terms.
25 */
26 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Portions of this source code were derived from Berkeley
30 * 4.3 BSD under license from the Regents of the University of
31 * California.
32 */
33
34 /*
35 * auth.h, Authentication interface.
36 *
37 * The data structures are completely opaque to the client. The client
38 * is required to pass a AUTH * to routines that create rpc
39 * "sessions".
40 */
41
42 #ifndef _RPC_AUTH_H
43 #define _RPC_AUTH_H
44
45 #include <rpc/xdr.h>
46 #include <rpc/clnt_stat.h>
47 #include <sys/cred.h>
48 #include <sys/tiuser.h>
49 #ifdef _KERNEL
50 #include <sys/zone.h>
51 #endif
52
53 #ifdef __cplusplus
54 extern "C" {
55 #endif
56
57 #define MAX_AUTH_BYTES 400 /* maximum length of an auth type, from RFC */
58 #define MAXNETNAMELEN 255 /* maximum length of network user's name */
59
60 /*
61 * NOTE: this value *must* be kept larger than the maximum size of all the
62 * structs that rq_clntcred is cast to in the different authentication types.
63 * If changes are made to any of these *_area structs, double-check they all
64 * still fit. If any new authentication mechanisms are added, add a note here.
65 *
66 * Currently these structs can be found in:
67 * - __svcauth_sys (svc_auth_sys.c)
68 * - __svcauth_des (svcauth_des.c)
69 * - __svcauth_loopback (svc_auth_loopb.c)
70 */
71 #define RQCRED_SIZE 700 /* size allocated for rq_clntcred */
72
73 /*
74 * Client side authentication/security data
75 */
76 typedef struct sec_data {
77 uint_t secmod; /* security mode number e.g. in nfssec.conf */
78 uint_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
79 int flags; /* AUTH_F_xxx flags */
80 uid_t uid; /* uid of caller for all sec flavors (NFSv4) */
81 caddr_t data; /* opaque data per flavor */
82 } sec_data_t;
83
84 #ifdef _SYSCALL32_IMPL
85 struct sec_data32 {
86 uint32_t secmod; /* security mode number e.g. in nfssec.conf */
87 uint32_t rpcflavor; /* AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
88 int32_t flags; /* AUTH_F_xxx flags */
89 uid_t uid; /* uid of caller for all sec flavors (NFSv4) */
90 caddr32_t data; /* opaque data per flavor */
91 };
92 #endif /* _SYSCALL32_IMPL */
93
94 /*
95 * AUTH_DES flavor specific data from sec_data opaque data field.
96 * AUTH_KERB has the same structure.
97 */
98 typedef struct des_clnt_data {
99 struct netbuf syncaddr; /* time sync addr */
100 struct knetconfig *knconf; /* knetconfig info that associated */
101 /* with the syncaddr. */
102 char *netname; /* server's netname */
103 int netnamelen; /* server's netname len */
104 } dh_k4_clntdata_t;
105
106 #ifdef _SYSCALL32_IMPL
107 struct des_clnt_data32 {
108 struct netbuf32 syncaddr; /* time sync addr */
109 caddr32_t knconf; /* knetconfig info that associated */
110 /* with the syncaddr. */
111 caddr32_t netname; /* server's netname */
112 int32_t netnamelen; /* server's netname len */
113 };
114 #endif /* _SYSCALL32_IMPL */
115
116 /*
117 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
118 * in sec_data->data opaque field.
119 */
120 typedef struct krb4_svc_data {
121 int window; /* window option value */
122 } krb4_svcdata_t;
123
124 typedef struct krb4_svc_data des_svcdata_t;
125
126 /*
127 * authentication/security specific flags
128 */
129 #define AUTH_F_RPCTIMESYNC 0x001 /* use RPC to do time sync */
130 #define AUTH_F_TRYNONE 0x002 /* allow fall back to AUTH_NONE */
131
132
133 /*
134 * Status returned from authentication check
135 */
136 enum auth_stat {
137 AUTH_OK = 0,
138 /*
139 * failed at remote end
140 */
141 AUTH_BADCRED = 1, /* bogus credentials (seal broken) */
142 AUTH_REJECTEDCRED = 2, /* client should begin new session */
143 AUTH_BADVERF = 3, /* bogus verifier (seal broken) */
144 AUTH_REJECTEDVERF = 4, /* verifier expired or was replayed */
145 AUTH_TOOWEAK = 5, /* rejected due to security reasons */
146 /*
147 * failed locally
148 */
149 AUTH_INVALIDRESP = 6, /* bogus response verifier */
150 AUTH_FAILED = 7, /* some unknown reason */
151 /*
152 * kerberos errors
153 */
154 AUTH_KERB_GENERIC = 8, /* kerberos generic error */
155 AUTH_TIMEEXPIRE = 9, /* time of credential expired */
156 AUTH_TKT_FILE = 10, /* something wrong with ticket file */
157 AUTH_DECODE = 11, /* can't decode authenticator */
158 AUTH_NET_ADDR = 12, /* wrong net address in ticket */
159 /*
160 * GSS related errors
161 */
162 RPCSEC_GSS_NOCRED = 13, /* no credentials for user */
163 RPCSEC_GSS_FAILED = 14 /* GSS failure, credentials deleted */
164 };
165 typedef enum auth_stat AUTH_STAT;
166
167 union des_block {
168 struct {
169 uint32_t high;
170 uint32_t low;
171 } key;
172 char c[8];
173 };
174 typedef union des_block des_block;
175
176 #ifdef __STDC__
177 extern bool_t xdr_des_block(XDR *, des_block *);
178 #else
179 extern bool_t xdr_des_block();
180 #endif
181
182
183 /*
184 * Authentication info. Opaque to client.
185 */
186 struct opaque_auth {
187 enum_t oa_flavor; /* flavor of auth */
188 caddr_t oa_base; /* address of more auth stuff */
189 uint_t oa_length; /* not to exceed MAX_AUTH_BYTES */
190 };
191
192
193 /*
194 * Auth handle, interface to client side authenticators.
195 */
196 typedef struct __auth {
197 struct opaque_auth ah_cred;
198 struct opaque_auth ah_verf;
199 union des_block ah_key;
200 struct auth_ops {
201 #ifdef __STDC__
202 void (*ah_nextverf)(struct __auth *);
203 #ifdef _KERNEL
204 int (*ah_marshal)(struct __auth *, XDR *, struct cred *);
205 #else
206 int (*ah_marshal)(struct __auth *, XDR *);
207 #endif
208 /* nextverf & serialize */
209 int (*ah_validate)(struct __auth *,
210 struct opaque_auth *);
211 /* validate varifier */
212 #ifdef _KERNEL
213 int (*ah_refresh)(struct __auth *, struct rpc_msg *,
214 cred_t *);
215 #else
216 int (*ah_refresh)(struct __auth *, void *);
217 /* refresh credentials */
218 #endif
219 void (*ah_destroy)(struct __auth *);
220 /* destroy this structure */
221
222 #ifdef _KERNEL
223 int (*ah_wrap)(struct __auth *, caddr_t, uint_t,
224 XDR *, xdrproc_t, caddr_t);
225 int (*ah_unwrap)(struct __auth *, XDR *, xdrproc_t,
226 caddr_t);
227 #endif
228 #else
229 void (*ah_nextverf)();
230 int (*ah_marshal)(); /* nextverf & serialize */
231 int (*ah_validate)(); /* validate verifier */
232 int (*ah_refresh)(); /* refresh credentials */
233 void (*ah_destroy)(); /* destroy this structure */
234 #ifdef _KERNEL
235 int (*ah_wrap)(); /* encode XDR data */
236 int (*ah_unwrap)(); /* decode XDR data */
237 #endif
238
239 #endif
240 } *ah_ops;
241 caddr_t ah_private;
242 } AUTH;
243
244
245 /*
246 * Authentication ops.
247 * The ops and the auth handle provide the interface to the authenticators.
248 *
249 * AUTH *auth;
250 * XDR *xdrs;
251 * struct opaque_auth verf;
252 */
253 #define AUTH_NEXTVERF(auth) \
254 ((*((auth)->ah_ops->ah_nextverf))(auth))
255 #define auth_nextverf(auth) \
256 ((*((auth)->ah_ops->ah_nextverf))(auth))
257
258
259 #ifdef _KERNEL
260 #define AUTH_MARSHALL(auth, xdrs, cred) \
261 ((*((auth)->ah_ops->ah_marshal))(auth, xdrs, cred))
262 #define auth_marshall(auth, xdrs, cred) \
263 ((*((auth)->ah_ops->ah_marshal))(auth, xdrs, cred))
264 #else
265 #define AUTH_MARSHALL(auth, xdrs) \
266 ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
267 #define auth_marshall(auth, xdrs) \
268 ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
269 #endif
270
271
272 #define AUTH_VALIDATE(auth, verfp) \
273 ((*((auth)->ah_ops->ah_validate))((auth), verfp))
274 #define auth_validate(auth, verfp) \
275 ((*((auth)->ah_ops->ah_validate))((auth), verfp))
276
277 #ifdef _KERNEL
278 #define AUTH_REFRESH(auth, msg, cr) \
279 ((*((auth)->ah_ops->ah_refresh))(auth, msg, cr))
280 #define auth_refresh(auth, msg, cr) \
281 ((*((auth)->ah_ops->ah_refresh))(auth, msg, cr))
282 #else
283 #define AUTH_REFRESH(auth, msg) \
284 ((*((auth)->ah_ops->ah_refresh))(auth, msg))
285 #define auth_refresh(auth, msg) \
286 ((*((auth)->ah_ops->ah_refresh))(auth, msg))
287 #endif
288
289 #define AUTH_DESTROY(auth) \
290 ((*((auth)->ah_ops->ah_destroy))(auth))
291 #define auth_destroy(auth) \
292 ((*((auth)->ah_ops->ah_destroy))(auth))
293
294 /*
295 * Auth flavors can now apply a transformation in addition to simple XDR
296 * on the body of a call/response in ways that depend on the flavor being
297 * used. These interfaces provide a generic interface between the
298 * internal RPC frame and the auth flavor specific code to allow the
299 * auth flavor to encode (WRAP) or decode (UNWRAP) the body.
300 */
301 #ifdef _KERNEL
302 #define AUTH_WRAP(auth, buf, buflen, xdrs, xfunc, xwhere) \
303 ((*((auth)->ah_ops->ah_wrap))(auth, buf, buflen, \
304 xdrs, xfunc, xwhere))
305 #define auth_wrap(auth, buf, buflen, xdrs, xfunc, xwhere) \
306 ((*((auth)->ah_ops->ah_wrap))(auth, buf, buflen, \
307 xdrs, xfunc, xwhere))
308
309 #define AUTH_UNWRAP(auth, xdrs, xfunc, xwhere) \
310 ((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, xfunc, xwhere))
311 #define auth_unwrap(auth, xdrs) \
312 ((*((auth)->ah_ops->ah_unwrap))(auth, xdrs, xfunc, xwhere))
313 #endif
314
315 extern struct opaque_auth _null_auth;
316
317 /*
318 * These are the various implementations of client side authenticators.
319 */
320
321 /*
322 * System style authentication
323 * AUTH *authsys_create(machname, uid, gid, len, aup_gids)
324 * const char *machname;
325 * const uid_t uid;
326 * const gid_t gid;
327 * const int len;
328 * const gid_t *aup_gids;
329 */
330 #ifdef _KERNEL
331 extern AUTH *authkern_create(void); /* takes no parameters */
332 extern int authkern_init(void *, void *, int);
333 extern struct kmem_cache *authkern_cache;
334 extern AUTH *authnone_create(void); /* takes no parameters */
335 extern int authnone_init(void *, void *, int);
336 extern struct kmem_cache *authnone_cache;
337 extern AUTH *authloopback_create(void); /* takes no parameters */
338 extern int authloopback_init(void *, void *, int);
339 extern struct kmem_cache *authloopback_cache;
340 #else /* _KERNEL */
341 #ifdef __STDC__
342 extern AUTH *authsys_create(const char *, const uid_t, const gid_t, const int,
343 const gid_t *);
344 extern AUTH *authsys_create_default(void); /* takes no parameters */
345 extern AUTH *authnone_create(void); /* takes no parameters */
346 #else /* __STDC__ */
347 extern AUTH *authsys_create();
348 extern AUTH *authsys_create_default(); /* takes no parameters */
349 extern AUTH *authnone_create(); /* takes no parameters */
350 #endif /* __STDC__ */
351 /* Will get obsolete in near future */
352 #define authunix_create authsys_create
353 #define authunix_create_default authsys_create_default
354 #endif /* _KERNEL */
355
356 /*
357 * DES style authentication
358 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
359 * const char *servername; - network name of server
360 * const uint_t window; - time to live
361 * const char *timehost; - optional hostname to sync with
362 * const des_block *ckey; - optional conversation key to use
363 */
364 /* Will get obsolete in near future */
365 #ifdef _KERNEL
366 extern int authdes_create(char *, uint_t, struct netbuf *, struct knetconfig *,
367 des_block *, int, AUTH **retauth);
368 #else /* _KERNEL */
369 #ifdef __STDC__
370 extern AUTH *authdes_seccreate(const char *, const uint_t, const char *,
371 const des_block *);
372 #else
373 extern AUTH *authdes_seccreate();
374 #endif /* __STDC__ */
375 #endif /* _KERNEL */
376
377 /*
378 * Netname manipulating functions
379 */
380
381 #ifdef _KERNEL
382 extern enum clnt_stat netname2user(char *, uid_t *, gid_t *, int *, gid_t *);
383 #endif
384 #ifdef __STDC__
385 extern int getnetname(char *);
386 extern int host2netname(char *, const char *, const char *);
387 extern int user2netname(char *, const uid_t, const char *);
388 #ifndef _KERNEL
389 extern int netname2user(const char *, uid_t *, gid_t *, int *, gid_t *);
390 #endif
391 extern int netname2host(const char *, char *, const int);
392 #else
393 extern int getnetname();
394 extern int host2netname();
395 extern int user2netname();
396 extern int netname2host();
397 #endif
398
399 /*
400 * These routines interface to the keyserv daemon
401 */
402
403 #ifdef _KERNEL
404 extern enum clnt_stat key_decryptsession();
405 extern enum clnt_stat key_encryptsession();
406 extern enum clnt_stat key_gendes();
407 extern enum clnt_stat key_getnetname();
408 #endif
409
410 #ifndef _KERNEL
411 #ifdef __STDC__
412 extern int key_decryptsession(const char *, des_block *);
413 extern int key_encryptsession(const char *, des_block *);
414 extern int key_gendes(des_block *);
415 extern int key_setsecret(const char *);
416 extern int key_secretkey_is_set(void);
417 /*
418 * The following routines are private.
419 */
420 extern int key_setnet_ruid();
421 extern int key_setnet_g_ruid();
422 extern int key_removesecret_g_ruid();
423 extern int key_secretkey_is_set_g_ruid();
424 extern AUTH *authsys_create_ruid();
425 #else
426 extern int key_decryptsession();
427 extern int key_encryptsession();
428 extern int key_gendes();
429 extern int key_setsecret();
430 extern int key_secretkey_is_set();
431 #endif
432 #endif
433
434
435 /*
436 * Kerberos style authentication
437 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
438 * const char *service; - service name
439 * const char *srv_inst; - server instance
440 * const char *realm; - server realm
441 * const uint_t window; - time to live
442 * const char *timehost; - optional hostname to sync with
443 * int *status; - kerberos status returned
444 */
445 #ifdef _KERNEL
446 extern int authkerb_create(char *, char *, char *, uint_t,
447 struct netbuf *, int *, struct knetconfig *, int, AUTH **);
448 #else
449 #ifdef __STDC__
450 extern AUTH *authkerb_seccreate(const char *, const char *, const char *,
451 const uint_t, const char *, int *);
452 #else
453 extern AUTH *authkerb_seccreate();
454 #endif
455 #endif /* _KERNEL */
456
457 /*
458 * Map a kerberos credential into a unix cred.
459 *
460 * authkerb_getucred(rqst, uid, gid, grouplen, groups)
461 * const struct svc_req *rqst; - request pointer
462 * uid_t *uid;
463 * gid_t *gid;
464 * short *grouplen;
465 * int *groups;
466 *
467 */
468 #ifdef __STDC__
469 struct svc_req;
470 extern int authkerb_getucred(struct svc_req *, uid_t *, gid_t *,
471 short *, int *);
472 #else
473 extern int authkerb_getucred();
474 #endif
475
476 #ifdef _KERNEL
477 /*
478 * XDR an opaque authentication struct. See auth.h.
479 */
480 extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);
481 #endif
482
483 #ifdef _KERNEL
484 extern int authany_wrap(AUTH *, caddr_t, uint_t, XDR *, xdrproc_t, caddr_t);
485 extern int authany_unwrap(AUTH *, XDR *, xdrproc_t, caddr_t);
486 #endif
487
488 #define AUTH_NONE 0 /* no authentication */
489 #define AUTH_NULL 0 /* backward compatibility */
490 #define AUTH_SYS 1 /* unix style (uid, gids) */
491 #define AUTH_UNIX AUTH_SYS
492 #define AUTH_SHORT 2 /* short hand unix style */
493 #define AUTH_DH 3 /* for Diffie-Hellman mechanism */
494 #define AUTH_DES AUTH_DH /* for backward compatibility */
495 #define AUTH_KERB 4 /* kerberos style */
496 #define RPCSEC_GSS 6 /* GSS-API style */
497
498 #define AUTH_LOOPBACK 21982 /* unix style w/ expanded groups */
499 /* for use over the local transport */
500
501 #ifdef _KERNEL
502 extern char loopback_name[];
503
504 extern zone_key_t auth_zone_key;
505 extern void * auth_zone_init(zoneid_t);
506 extern void auth_zone_fini(zoneid_t, void *);
507 #endif
508
509 #ifdef __cplusplus
510 }
511 #endif
512
513 #endif /* !_RPC_AUTH_H */