/* IBM_PROLOG_BEGIN_TAG */
/* This is an automatically generated prolog. */
/* */
/* onc720 src/oncplus/usr/include/tirpc/rpc/auth.h 1.5.1.1 */
/* */
/* Licensed Materials - Property of IBM */
/* */
/* COPYRIGHT International Business Machines Corp. 1996,2006 */
/* All Rights Reserved */
/* */
/* US Government Users Restricted Rights - Use, duplication or */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */
/* */
/* IBM_PROLOG_END_TAG */

/*
 * rpc/auth.h - client-side authentication interface for TI-RPC.
 *
 * Declares the AUTH handle and its ops vector, the opaque_auth wire
 * structure, the auth_stat result codes, the authenticator constructors
 * (authsys / authnone / authdes / authkerb), the netname and keyserv
 * helpers, and the flavor numbers carried in opaque_auth.oa_flavor.
 * Nothing here is defined; every function is implemented in the library.
 */

#ifndef _RPC_AUTH_H
#define _RPC_AUTH_H

/* #pragma ident "@(#)auth.h 1.39 97/06/10 SMI" */

/*
 * NOTE(review): the four header names that followed these #include
 * directives were lost when this page was extracted; the directives are
 * kept exactly as found. Whatever they name must supply XDR, enum_t,
 * bool_t, caddr_t, u_int/u_long/uint_t, uid_t/gid_t, struct netbuf and
 * struct knetconfig, all of which are used below without a local
 * definition.
 */
#include
#include
#include
#include

#ifdef __cplusplus
extern "C" {
#endif

#define MAX_AUTH_BYTES 400  /* upper bound on opaque_auth.oa_length */
#define MAXNETNAMELEN 255   /* maximum length of network user's name */

/*
 * Client side authentication/security data.
 * Selects the RPC flavor and carries the flavor-specific data the client
 * authenticator needs (see dh_k4_clntdata_t for AUTH_DES/AUTH_KERB).
 */
typedef struct sec_data {
    u_int   secmod;      /* security mode number e.g. in nfssec.conf */
    u_int   rpcflavor;   /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
    int     flags;       /* AUTH_F_xxx flags */
    caddr_t data;        /* opaque data per flavor */
} sec_data_t;

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 */
typedef struct des_clnt_data {
    struct netbuf      syncaddr;   /* time sync addr */
    struct knetconfig *knconf;     /* knetconfig info associated with the syncaddr */
    char              *netname;    /* server's netname */
    int                netnamelen; /* server's netname len */
} dh_k4_clntdata_t;

/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
 */
typedef struct krb4_svc_data {
    int window;  /* window option value */
} krb4_svcdata_t;

typedef struct krb4_svc_data des_svcdata_t;

/*
 * authentication/security specific flags (sec_data.flags)
 *
 * AUTH_F_TRYNONE permits a downgrade to AUTH_NONE, i.e. no
 * authentication at all (see the flavor list at the end of this file);
 * when that fallback is taken is decided by the implementation, not by
 * this header. Set it only where the caller accepts unauthenticated
 * service.
 */
#define AUTH_F_RPCTIMESYNC 0x001  /* use RPC to do time sync */
#define AUTH_F_TRYNONE     0x002  /* allow fall back to AUTH_NONE */

/*
 * Status returned from authentication check
 */
enum auth_stat {
    AUTH_OK = 0,
    /*
     * failed at remote end
     */
    AUTH_BADCRED = 1,       /* bogus credentials (seal broken) */
    AUTH_REJECTEDCRED = 2,  /* client should begin new session */
    AUTH_BADVERF = 3,       /* bogus verifier (seal broken) */
    AUTH_REJECTEDVERF = 4,  /* verifier expired or was replayed */
    AUTH_TOOWEAK = 5,       /* rejected due to security reasons */
    /*
     * failed locally
     */
    AUTH_INVALIDRESP = 6,   /* bogus response verifier */
    AUTH_FAILED = 7,        /* some unknown reason */
    /*
     * kerberos errors
     */
    AUTH_KERB_GENERIC = 8,  /* kerberos generic error */
    AUTH_TIMEEXPIRE = 9,    /* time of credential expired */
    AUTH_TKT_FILE = 10,     /* something wrong with ticket file */
    AUTH_DECODE = 11,       /* can't decode authenticator */
    AUTH_NET_ADDR = 12,     /* wrong net address in ticket */
    /*
     * GSS related errors
     */
    RPCSEC_GSS_NOCRED = 13, /* no credentials for user */
    RPCSEC_GSS_FAILED = 14  /* GSS failure, credentials deleted */
};
typedef enum auth_stat AUTH_STAT;

/*
 * The following assumes a 32 bit operating system where an unsigned long
 * is 32 bits. That is the case with Solaris. Should this change in the
 * future, this following will need attention. However, even in the planned
 * world of 64 bit machines a long is expected to remain 32 bits.
 *
 * The __64BIT__ branch below switches the key halves to u_int so that
 * `key` stays exactly 8 bytes and overlays `c[8]` one-to-one; if either
 * half were wider the two views of the block would no longer agree.
 */
union des_block {
    struct {
#ifndef __64BIT__
        u_long high;
        u_long low;
#else
        u_int high;
        u_int low;
#endif
    } key;
    char c[8];
};
typedef union des_block des_block;

extern bool_t xdr_des_block(XDR *, des_block *);

/*
 * Authentication info. Opaque to client.
 *
 * oa_base points at oa_length bytes of flavor-specific credential or
 * verifier data as carried on the wire. oa_length is bounded by
 * MAX_AUTH_BYTES; presumably xdr_opaque_auth enforces that bound when
 * decoding untrusted input - confirm against the implementation before
 * relying on it.
 */
struct opaque_auth {
    enum_t  oa_flavor;  /* flavor of auth */
    caddr_t oa_base;    /* address of more auth stuff */
    u_int   oa_length;  /* not to exceed MAX_AUTH_BYTES */
};

extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);

/*
 * Auth handle, interface to client side authenticators.
 *
 * Each authenticator fills ah_ops with its own implementation; callers
 * go through the AUTH_xxx macros below rather than the table directly.
 * ah_private is the authenticator's own state, opaque to callers.
 */
typedef struct __auth {
    struct opaque_auth ah_cred;
    struct opaque_auth ah_verf;
    union des_block    ah_key;
    struct auth_ops {
        void (*ah_nextverf)(struct __auth *);
        int  (*ah_marshal)(struct __auth *, XDR *);                 /* nextverf & serialize */
        int  (*ah_validate)(struct __auth *, struct opaque_auth *);  /* validate verifier */
        int  (*ah_refresh)(struct __auth *, void *);                /* refresh credentials */
        void (*ah_destroy)(struct __auth *);                        /* destroy this structure */
    } *ah_ops;
    caddr_t ah_private;
} AUTH;

/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 *
 * AUTH *auth;
 * XDR *xdrs;
 * struct opaque_auth verf;
 *
 * NOTE(review): the `auth` argument is parenthesized in the VALIDATE
 * variants but not in the others, and the second argument is never
 * parenthesized. Pass simple lvalues only; an expression such as a
 * conditional or comma expression would not expand as intended.
 * The upper- and lower-case names are identical aliases.
 */
#define AUTH_NEXTVERF(auth) \
    ((*((auth)->ah_ops->ah_nextverf))(auth))
#define auth_nextverf(auth) \
    ((*((auth)->ah_ops->ah_nextverf))(auth))

#define AUTH_MARSHALL(auth, xdrs) \
    ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
#define auth_marshall(auth, xdrs) \
    ((*((auth)->ah_ops->ah_marshal))(auth, xdrs))

#define AUTH_VALIDATE(auth, verfp) \
    ((*((auth)->ah_ops->ah_validate))((auth), verfp))
#define auth_validate(auth, verfp) \
    ((*((auth)->ah_ops->ah_validate))((auth), verfp))

#define AUTH_REFRESH(auth, msg) \
    ((*((auth)->ah_ops->ah_refresh))(auth, msg))
#define auth_refresh(auth, msg) \
    ((*((auth)->ah_ops->ah_refresh))(auth, msg))

#define AUTH_DESTROY(auth) \
    ((*((auth)->ah_ops->ah_destroy))(auth))
#define auth_destroy(auth) \
    ((*((auth)->ah_ops->ah_destroy))(auth))

/* Defined by the library; presumably the empty AUTH_NONE credential/verifier - confirm. */
extern struct opaque_auth _null_auth;

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authsys_create(machname, uid, gid, len, aup_gids)
 * const char *machname;
 * const uid_t uid;
 * const gid_t gid;
 * const int len;
 * const gid_t *aup_gids;
 *
 * The credential is whatever the caller supplies (uid/gid/group list);
 * nothing in this flavor cryptographically binds it to the client, which
 * is why it is listed as AUTH_SYS and not rejected with AUTH_TOOWEAK
 * only by server policy. (const on the by-value parameters is a
 * definition detail and has no effect on callers.)
 */
extern AUTH *authsys_create(const char *, const uid_t, const gid_t, const int, const gid_t *);
extern AUTH *authsys_create_default(void);  /* takes no parameters */
extern AUTH *authnone_create(void);         /* takes no parameters */

/* Will get obsolete in near future */
#define authunix_create         authsys_create
#define authunix_create_default authsys_create_default

/*
 * DES style authentication
 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
 * const char *servername; - network name of server
 * const uint_t window;    - time to live
 * const char *timehost;   - optional hostname to sync with
 * const des_block *ckey;  - optional conversation key to use
 *
 * Marked obsolete below; of the flavors declared in this header only
 * RPCSEC_GSS (see the AUTH_KERB5I/AUTH_KERB5P pseudo-flavors) offers
 * integrity and privacy services.
 */
/* Will get obsolete in near future */
extern AUTH *authdes_seccreate(const char *, const uint_t, const char *, const des_block *);

/*
 * Netname manipulating functions
 *
 * The char * output buffers carry no length argument; presumably each
 * must hold MAXNETNAMELEN + 1 bytes (see the define above) - confirm
 * against the implementation. netname2host is the exception and takes
 * the destination length explicitly.
 */
extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
extern int netname2user(const char *, uid_t *, gid_t *, int *, gid_t *);
extern int netname2host(const char *, char *, const int);

/*
 *
 * These routines interface to the keyserv daemon
 *
 * The des_block arguments are key material; callers that copy them
 * should clear the copies when done (plain memset before free may be
 * optimized away - use the platform's explicit zeroing primitive).
 */
extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);

/*
 * Kerberos style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 * const char *service;  - service name
 * const char *srv_inst; - server instance
 * const char *realm;    - server realm
 * const u_int window;   - time to live
 * const char *timehost; - optional hostname to sync with
 * int *status;          - kerberos status returned
 */
extern AUTH *authkerb_seccreate(const char *, const char *, const char *, const u_int, const char *, int *);

/*
 * Map a kerberos credential into a unix cred.
 *
 * authkerb_getucred(rqst, uid, gid, grouplen, groups)
 * const struct svc_req *rqst; - request pointer
 * uid_t *uid;
 * gid_t *gid;
 * short *grouplen;
 * int *groups;
 *
 * NOTE(review): declared without a prototype (the parameter list is
 * commented out), so the compiler cannot check argument types or count
 * at call sites. Callers must match the five-argument shape documented
 * above exactly; a real prototype would let the compiler enforce it.
 */
extern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *, short *, int * */);

/*
 * RPC authentication flavor numbers, as carried in opaque_auth.oa_flavor.
 * AUTH_NULL, AUTH_UNIX and AUTH_DES are compatibility aliases; 5 is not
 * assigned in this header.
 */
#define AUTH_NONE  0         /* no authentication */
#define AUTH_NULL  0         /* backward compatibility */
#define AUTH_SYS   1         /* unix style (uid, gids) */
#define AUTH_UNIX  AUTH_SYS
#define AUTH_SHORT 2         /* short hand unix style */
#define AUTH_DH    3         /* for Diffie-Hellman mechanism */
#define AUTH_DES   AUTH_DH   /* for backward compatibility */
#define AUTH_KERB  4         /* kerberos style */
#define RPCSEC_GSS 6         /* GSS-API style */

/*
 * Pseudo-flavors for RPCSEC_GSS
 *
 * These select the GSS service level: none (authentication only),
 * integrity (messages are checksummed) or privacy (messages are
 * encrypted). They are not oa_flavor values of their own; on the wire
 * the flavor is RPCSEC_GSS.
 */
#define AUTH_KERB5  390003   /* Kerberos 5, service == none */
#define AUTH_KERB5I 390004   /* Kerberos 5, service == integrity */
#define AUTH_KERB5P 390005   /* Kerberos 5, service == privacy */

#define AUTH_LOOPBACK 21982  /* unix style w/ expanded groups, for use over the local transport */

#ifdef __cplusplus
}
#endif

#endif /* !_RPC_AUTH_H */