/* IBM_PROLOG_BEGIN_TAG                                                   */
/* This is an automatically generated prolog.                             */
/*                                                                        */
/* onc720 src/oncplus/usr/include/tirpc/rpc/auth.h 1.5.1.1                */
/*                                                                        */
/* Licensed Materials - Property of IBM                                   */
/*                                                                        */
/* COPYRIGHT International Business Machines Corp. 1996,2006              */
/* All Rights Reserved                                                    */
/*                                                                        */
/* US Government Users Restricted Rights - Use, duplication or            */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.      */
/*                                                                        */
/* IBM_PROLOG_END_TAG                                                     */


#ifndef _RPC_AUTH_H
#define	_RPC_AUTH_H

/* #pragma ident	"@(#)auth.h	1.39	97/06/10 SMI" */

#include <rpc/xdr.h>
#include <rpc/clnt_stat.h>
#include <sys/cred.h>
#include <sys/tiuser.h>

#ifdef	__cplusplus
extern "C" {
#endif

#define	MAX_AUTH_BYTES	400
#define	MAXNETNAMELEN	255	/* maximum length of network user's name */

/*
 *  Client side authentication/security data
 */
typedef struct sec_data {
	u_int	secmod;		/* security mode number e.g. in nfssec.conf */
	u_int	rpcflavor;	/* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */
	int	flags;		/* AUTH_F_xxx flags */
	caddr_t	data;		/* opaque data per flavor */
} sec_data_t;

/*
 * AUTH_DES flavor specific data from sec_data opaque data field.
 * AUTH_KERB has the same structure.
 */
typedef struct des_clnt_data {
	struct netbuf	syncaddr;	/* time sync addr */
	struct knetconfig *knconf;	/* knetconfig info that associated */
					/* with the syncaddr. */
	char		*netname;	/* server's netname */
	int		netnamelen;	/* server's netname len */
} dh_k4_clntdata_t;

/*
 * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4)
 * in sec_data->data opaque field.
 */
typedef struct krb4_svc_data {
	int		window;		/* window option value */
} krb4_svcdata_t;

typedef struct krb4_svc_data	des_svcdata_t;

/*
 * authentication/security specific flags
 */
#define	AUTH_F_RPCTIMESYNC	0x001	/* use RPC to do time sync */
#define	AUTH_F_TRYNONE		0x002	/* allow fall back to AUTH_NONE */


/*
 * Status returned from authentication check
 */
enum auth_stat {
	AUTH_OK = 0,
	/*
	 * failed at remote end
	 */
	AUTH_BADCRED = 1,		/* bogus credentials (seal broken) */
	AUTH_REJECTEDCRED = 2,		/* client should begin new session */
	AUTH_BADVERF = 3,		/* bogus verifier (seal broken) */
	AUTH_REJECTEDVERF = 4,		/* verifier expired or was replayed */
	AUTH_TOOWEAK = 5,		/* rejected due to security reasons */
	/*
	 * failed locally
	 */
	AUTH_INVALIDRESP = 6,		/* bogus response verifier */
	AUTH_FAILED = 7,			/* some unknown reason */
	/*
	 * kerberos errors
	 */
	AUTH_KERB_GENERIC = 8,		/* kerberos generic error */
	AUTH_TIMEEXPIRE = 9,		/* time of credential expired */
	AUTH_TKT_FILE = 10,		/* something wrong with ticket file */
	AUTH_DECODE = 11,		/* can't decode authenticator */
	AUTH_NET_ADDR = 12,		/* wrong net address in ticket */
	/*
	 * GSS related errors
	 */
	RPCSEC_GSS_NOCRED = 13,		/* no credentials for user */
	RPCSEC_GSS_FAILED = 14		/* GSS failure, credentials deleted */
};
typedef enum auth_stat AUTH_STAT;

/*
 * The following assumes a 32 bit operating system where an unsigned long
 * is 32 bits.  That is the case with Solaris.  Should this change in the
 * future, this following will need attention.  However, even in the planned
 * world of 64 bit machines a long is expected to remain 32 bits.
 */
union des_block {
	struct  {
#ifndef __64BIT__
		u_long high;
		u_long low;
#else
	  	u_int high;
	  	u_int low;
#endif
	} key;
	char c[8];
};
typedef union des_block des_block;

extern bool_t xdr_des_block(XDR *, des_block *);


/*
 * Authentication info. Opaque to client.
 */
struct opaque_auth {
	enum_t	oa_flavor;		/* flavor of auth */
	caddr_t	oa_base;		/* address of more auth stuff */
	u_int	oa_length;		/* not to exceed MAX_AUTH_BYTES */
};

extern bool_t	xdr_opaque_auth(XDR *, struct opaque_auth *);

/*
 * Auth handle, interface to client side authenticators.
 */
typedef struct __auth {
	struct	opaque_auth	ah_cred;
	struct	opaque_auth	ah_verf;
	union	des_block	ah_key;
	struct auth_ops {
		void	(*ah_nextverf)(struct __auth *);
		int	(*ah_marshal)(struct __auth *, XDR *);
		/* nextverf & serialize */
		int	(*ah_validate)(struct __auth *,
					struct opaque_auth *);
		/* validate verifier */
		int	(*ah_refresh)(struct __auth *, void *);
		/* refresh credentials */
		void	(*ah_destroy)(struct __auth *);
		/* destroy this structure */
	} *ah_ops;
	caddr_t ah_private;
} AUTH;


/*
 * Authentication ops.
 * The ops and the auth handle provide the interface to the authenticators.
 *
 * AUTH	*auth;
 * XDR	*xdrs;
 * struct opaque_auth verf;
 */
#define	AUTH_NEXTVERF(auth)		\
		((*((auth)->ah_ops->ah_nextverf))(auth))
#define	auth_nextverf(auth)		\
		((*((auth)->ah_ops->ah_nextverf))(auth))


#define	AUTH_MARSHALL(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))
#define	auth_marshall(auth, xdrs)	\
		((*((auth)->ah_ops->ah_marshal))(auth, xdrs))


#define	AUTH_VALIDATE(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), verfp))
#define	auth_validate(auth, verfp)	\
		((*((auth)->ah_ops->ah_validate))((auth), verfp))

#define	AUTH_REFRESH(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))(auth, msg))
#define	auth_refresh(auth, msg)		\
		((*((auth)->ah_ops->ah_refresh))(auth, msg))

#define	AUTH_DESTROY(auth)		\
		((*((auth)->ah_ops->ah_destroy))(auth))
#define	auth_destroy(auth)		\
		((*((auth)->ah_ops->ah_destroy))(auth))

extern struct opaque_auth _null_auth;

/*
 * These are the various implementations of client side authenticators.
 */

/*
 * System style authentication
 * AUTH *authsys_create(machname, uid, gid, len, aup_gids)
 *	const char *machname;
 *	const uid_t uid;
 *	const gid_t gid;
 *	const int len;
 *	const gid_t *aup_gids;
 */

extern AUTH *authsys_create(const char *, const uid_t,
			    const gid_t, const int, const gid_t *);
extern AUTH *authsys_create_default(void);	/* takes no parameters */
extern AUTH *authnone_create(void);		/* takes no parameters */
/* Will get obsolete in near future */
#define	authunix_create		authsys_create
#define	authunix_create_default authsys_create_default


/*
 * DES style authentication
 * AUTH *authdes_seccreate(servername, window, timehost, ckey)
 *	const char *servername;		- network name of server
 *	const uint_t window;		- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	const des_block *ckey;		- optional conversation key to use
 */
/* Will get obsolete in near future */
extern AUTH *authdes_seccreate(const char *, const uint_t, const  char *,
			       const  des_block *);

/*
 *  Netname manipulating functions
 *
 */

extern int getnetname(char *);
extern int host2netname(char *, const char *, const char *);
extern int user2netname(char *, const uid_t, const char *);
extern int netname2user(const char *, uid_t *, gid_t *, int *, gid_t *);
extern int netname2host(const char *, char *, const int);

/*
 *
 * These routines interface to the keyserv daemon
 *
 */

extern int key_decryptsession(const char *, des_block *);
extern int key_encryptsession(const char *, des_block *);
extern int key_gendes(des_block *);
extern int key_setsecret(const char *);
extern int key_secretkey_is_set(void);


/*
 * Kerberos style authentication
 * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status)
 *	const char *service;		- service name
 *	const char *srv_inst;		- server instance
 *	const char *realm;		- server realm
 *	const u_int window;		- time to live
 *	const char *timehost;		- optional hostname to sync with
 *	int *status;			- kerberos status returned
 */
extern AUTH *authkerb_seccreate(const char *, const char *, const  char *,
				const u_int, const char *, int *);

/*
 * Map a kerberos credential into a unix cred.
 *
 *  authkerb_getucred(rqst, uid, gid, grouplen, groups)
 *	const struct svc_req *rqst;		- request pointer
 *	uid_t *uid;
 *	gid_t *gid;
 *	short *grouplen;
 *	int   *groups;
 *
 */
extern int	authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *,
				     short *, int * */);


#define	AUTH_NONE	0		/* no authentication */
#define	AUTH_NULL	0		/* backward compatibility */
#define	AUTH_SYS	1		/* unix style (uid, gids) */
#define	AUTH_UNIX	AUTH_SYS
#define	AUTH_SHORT	2		/* short hand unix style */
#define	AUTH_DH		3		/* for Diffie-Hellman mechanism */
#define	AUTH_DES	AUTH_DH		/* for backward compatibility */
#define	AUTH_KERB	4		/* kerberos style */
#define	RPCSEC_GSS	6		/* GSS-API style */

/*
 * Pseudo-flavors for RPCSEC_GSS
 */
#define AUTH_KERB5	390003		/* Kerberos 5, service == none */
#define AUTH_KERB5I	390004		/* Kerberos 5, service == integrity */
#define AUTH_KERB5P	390005		/* Kerberos 5, service == privacy */

#define	AUTH_LOOPBACK	21982		/* unix style w/ expanded groups */
					/* for use over the local transport */

#ifdef	__cplusplus
}
#endif

#endif	/* !_RPC_AUTH_H */