diff --git a/include/rpc/auth.h b/include/rpc/auth.h index bf0d76c046c6..8773e7115d12 100644 --- a/include/rpc/auth.h +++ b/include/rpc/auth.h @@ -1,370 +1,371 @@ /* $NetBSD: auth.h,v 1.15 2000/06/02 22:57:55 fvdl Exp $ */ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 2009, Sun Microsystems, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * - Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - Neither the name of Sun Microsystems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * * from: @(#)auth.h 1.17 88/02/08 SMI * from: @(#)auth.h 2.3 88/08/07 4.0 RPCSRC * from: @(#)auth.h 1.43 98/02/02 SMI * $FreeBSD$ */ /* * auth.h, Authentication interface. * * Copyright (C) 1984, Sun Microsystems, Inc. * * The data structures are completely opaque to the client. The client * is required to pass an AUTH * to routines that create rpc * "sessions". */ #ifndef _RPC_AUTH_H #define _RPC_AUTH_H #include #include #include #include #define MAX_AUTH_BYTES 400 #define MAXNETNAMELEN 255 /* maximum length of network user's name */ /* * Client side authentication/security data */ typedef struct sec_data { u_int secmod; /* security mode number e.g. in nfssec.conf */ u_int rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */ int flags; /* AUTH_F_xxx flags */ caddr_t data; /* opaque data per flavor */ } sec_data_t; #ifdef _SYSCALL32_IMPL struct sec_data32 { uint32_t secmod; /* security mode number e.g. in nfssec.conf */ uint32_t rpcflavor; /* rpc flavors:AUTH_UNIX,AUTH_DES,RPCSEC_GSS */ int32_t flags; /* AUTH_F_xxx flags */ caddr32_t data; /* opaque data per flavor */ }; #endif /* _SYSCALL32_IMPL */ /* * AUTH_DES flavor specific data from sec_data opaque data field. * AUTH_KERB has the same structure. */ typedef struct des_clnt_data { struct netbuf syncaddr; /* time sync addr */ struct knetconfig *knconf; /* knetconfig info that associated */ /* with the syncaddr. */ char *netname; /* server's netname */ int netnamelen; /* server's netname len */ } dh_k4_clntdata_t; #ifdef _SYSCALL32_IMPL struct des_clnt_data32 { struct netbuf32 syncaddr; /* time sync addr */ caddr32_t knconf; /* knetconfig info that associated */ /* with the syncaddr. */ caddr32_t netname; /* server's netname */ int32_t netnamelen; /* server's netname len */ }; #endif /* _SYSCALL32_IMPL */ #ifdef KERBEROS /* * flavor specific data to hold the data for AUTH_DES/AUTH_KERB(v4) * in sec_data->data opaque field. */ typedef struct krb4_svc_data { int window; /* window option value */ } krb4_svcdata_t; typedef struct krb4_svc_data des_svcdata_t; #endif /* KERBEROS */ /* * authentication/security specific flags */ #define AUTH_F_RPCTIMESYNC 0x001 /* use RPC to do time sync */ #define AUTH_F_TRYNONE 0x002 /* allow fall back to AUTH_NONE */ /* * Status returned from authentication check */ enum auth_stat { AUTH_OK=0, /* * failed at remote end */ AUTH_BADCRED=1, /* bogus credentials (seal broken) */ AUTH_REJECTEDCRED=2, /* client should begin new session */ AUTH_BADVERF=3, /* bogus verifier (seal broken) */ AUTH_REJECTEDVERF=4, /* verifier expired or was replayed */ AUTH_TOOWEAK=5, /* rejected due to security reasons */ /* * failed locally */ AUTH_INVALIDRESP=6, /* bogus response verifier */ AUTH_FAILED=7, /* some unknown reason */ #ifdef KERBEROS /* * kerberos errors */ , AUTH_KERB_GENERIC = 8, /* kerberos generic error */ AUTH_TIMEEXPIRE = 9, /* time of credential expired */ AUTH_TKT_FILE = 10, /* something wrong with ticket file */ AUTH_DECODE = 11, /* can't decode authenticator */ AUTH_NET_ADDR = 12, /* wrong net address in ticket */ #endif /* KERBEROS */ /* * RPCSEC_GSS errors */ RPCSEC_GSS_CREDPROBLEM = 13, RPCSEC_GSS_CTXPROBLEM = 14, RPCSEC_GSS_NODISPATCH = 0x8000000 }; union des_block { struct { uint32_t high; uint32_t low; } key; char c[8]; }; typedef union des_block des_block; __BEGIN_DECLS extern bool_t xdr_des_block(XDR *, des_block *); __END_DECLS /* * Authentication info. Opaque to client. */ struct opaque_auth { enum_t oa_flavor; /* flavor of auth */ caddr_t oa_base; /* address of more auth stuff */ u_int oa_length; /* not to exceed MAX_AUTH_BYTES */ }; /* * Auth handle, interface to client side authenticators. */ typedef struct __auth { struct opaque_auth ah_cred; struct opaque_auth ah_verf; union des_block ah_key; struct auth_ops { void (*ah_nextverf) (struct __auth *); /* nextverf & serialize */ int (*ah_marshal) (struct __auth *, XDR *); /* validate verifier */ int (*ah_validate) (struct __auth *, struct opaque_auth *); /* refresh credentials */ int (*ah_refresh) (struct __auth *, void *); /* destroy this structure */ void (*ah_destroy) (struct __auth *); } *ah_ops; void *ah_private; } AUTH; /* * Authentication ops. * The ops and the auth handle provide the interface to the authenticators. * * AUTH *auth; * XDR *xdrs; * struct opaque_auth verf; */ #define AUTH_NEXTVERF(auth) \ ((*((auth)->ah_ops->ah_nextverf))(auth)) #define auth_nextverf(auth) \ ((*((auth)->ah_ops->ah_nextverf))(auth)) #define AUTH_MARSHALL(auth, xdrs) \ ((*((auth)->ah_ops->ah_marshal))(auth, xdrs)) #define auth_marshall(auth, xdrs) \ ((*((auth)->ah_ops->ah_marshal))(auth, xdrs)) #define AUTH_VALIDATE(auth, verfp) \ ((*((auth)->ah_ops->ah_validate))((auth), verfp)) #define auth_validate(auth, verfp) \ ((*((auth)->ah_ops->ah_validate))((auth), verfp)) #define AUTH_REFRESH(auth, msg) \ ((*((auth)->ah_ops->ah_refresh))(auth, msg)) #define auth_refresh(auth, msg) \ ((*((auth)->ah_ops->ah_refresh))(auth, msg)) #define AUTH_DESTROY(auth) \ ((*((auth)->ah_ops->ah_destroy))(auth)) #define auth_destroy(auth) \ ((*((auth)->ah_ops->ah_destroy))(auth)) __BEGIN_DECLS extern struct opaque_auth _null_auth; __END_DECLS /* * These are the various implementations of client side authenticators. */ /* * System style authentication * AUTH *authunix_create(machname, uid, gid, len, aup_gids) * char *machname; * u_int uid; * u_int gid; * int len; * u_int *aup_gids; */ __BEGIN_DECLS extern AUTH *authunix_create(char *, u_int, u_int, int, u_int *); extern AUTH *authunix_create_default(void); /* takes no parameters */ extern AUTH *authnone_create(void); /* takes no parameters */ __END_DECLS /* * DES style authentication * AUTH *authsecdes_create(servername, window, timehost, ckey) * char *servername; - network name of server * u_int window; - time to live * const char *timehost; - optional hostname to sync with * des_block *ckey; - optional conversation key to use */ __BEGIN_DECLS extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *); extern AUTH *authdes_seccreate (const char *, const u_int, const char *, const des_block *); __END_DECLS __BEGIN_DECLS extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *); __END_DECLS #define authsys_create(c,i1,i2,i3,ip) authunix_create((c),(i1),(i2),(i3),(ip)) #define authsys_create_default() authunix_create_default() /* * Netname manipulation routines. */ __BEGIN_DECLS -extern int getnetname(char *); -extern int host2netname(char *, const char *, const char *); -extern int user2netname(char *, const uid_t, const char *); -extern int netname2user(char *, uid_t *, gid_t *, int *, gid_t *); -extern int netname2host(char *, char *, const int); +extern int getnetname(char [MAXNETNAMELEN + 1]); +extern int host2netname(char [MAXNETNAMELEN + 1], const char *, const char *); +extern int user2netname(char [MAXNETNAMELEN + 1], const uid_t, const char *); +extern int netname2user(char [MAXNETNAMELEN + 1], uid_t *, gid_t *, int *, + gid_t *); +extern int netname2host(char [MAXNETNAMELEN + 1], char *, const int); extern void passwd2des ( char *, char * ); __END_DECLS /* * * These routines interface to the keyserv daemon * */ __BEGIN_DECLS extern int key_decryptsession(const char *, des_block *); extern int key_encryptsession(const char *, des_block *); extern int key_gendes(des_block *); extern int key_setsecret(const char *); extern int key_secretkey_is_set(void); __END_DECLS /* * Publickey routines. */ __BEGIN_DECLS extern int getpublickey (const char *, char *); extern int getpublicandprivatekey (const char *, char *); extern int getsecretkey (char *, char *, char *); __END_DECLS #ifdef KERBEROS /* * Kerberos style authentication * AUTH *authkerb_seccreate(service, srv_inst, realm, window, timehost, status) * const char *service; - service name * const char *srv_inst; - server instance * const char *realm; - server realm * const u_int window; - time to live * const char *timehost; - optional hostname to sync with * int *status; - kerberos status returned */ __BEGIN_DECLS extern AUTH *authkerb_seccreate(const char *, const char *, const char *, const u_int, const char *, int *); __END_DECLS /* * Map a kerberos credential into a unix cred. * * authkerb_getucred(rqst, uid, gid, grouplen, groups) * const struct svc_req *rqst; - request pointer * uid_t *uid; * gid_t *gid; * short *grouplen; * int *groups; * */ __BEGIN_DECLS extern int authkerb_getucred(/* struct svc_req *, uid_t *, gid_t *, short *, int * */); __END_DECLS #endif /* KERBEROS */ __BEGIN_DECLS struct svc_req; struct rpc_msg; enum auth_stat _svcauth_null (struct svc_req *, struct rpc_msg *); enum auth_stat _svcauth_short (struct svc_req *, struct rpc_msg *); enum auth_stat _svcauth_unix (struct svc_req *, struct rpc_msg *); __END_DECLS #define AUTH_NONE 0 /* no authentication */ #define AUTH_NULL 0 /* backward compatibility */ #define AUTH_SYS 1 /* unix style (uid, gids) */ #define AUTH_UNIX AUTH_SYS #define AUTH_SHORT 2 /* short hand unix style */ #define AUTH_DH 3 /* for Diffie-Hellman mechanism */ #define AUTH_DES AUTH_DH /* for backward compatibility */ #define AUTH_KERB 4 /* kerberos style */ #define RPCSEC_GSS 6 /* RPCSEC_GSS */ /* * Pseudo auth flavors for RPCSEC_GSS. */ #define RPCSEC_GSS_KRB5 390003 #define RPCSEC_GSS_KRB5I 390004 #define RPCSEC_GSS_KRB5P 390005 #endif /* !_RPC_AUTH_H */ diff --git a/lib/libc/rpc/netnamer.c b/lib/libc/rpc/netnamer.c index 591f6d5c91e5..8062c446dffe 100644 --- a/lib/libc/rpc/netnamer.c +++ b/lib/libc/rpc/netnamer.c @@ -1,325 +1,325 @@ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 2009, Sun Microsystems, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * - Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - Neither the name of Sun Microsystems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)netnamer.c 1.13 91/03/11 Copyr 1986 Sun Micro"; #endif #include __FBSDID("$FreeBSD$"); /* * netname utility routines convert from unix names to network names and * vice-versa This module is operating system dependent! What we define here * will work with any unix system that has adopted the sun NIS domain * architecture. */ #include "namespace.h" #include #include #include #ifdef YP #include #include #endif #include #include #include #include #include #include #include #include "un-namespace.h" static char *OPSYS = "unix"; #ifdef YP static char *NETID = "netid.byname"; #endif static char *NETIDFILE = "/etc/netid"; static int getnetid( char *, char * ); -static int _getgroups( char *, gid_t * ); +static int _getgroups( char *, gid_t [NGRPS] ); /* * Convert network-name into unix credential */ int netname2user(char netname[MAXNETNAMELEN + 1], uid_t *uidp, gid_t *gidp, int *gidlenp, gid_t *gidlist) { char *p; int gidlen; uid_t uid; long luid; struct passwd *pwd; char val[1024]; char *val1, *val2; char *domain; int vallen; int err; if (getnetid(netname, val)) { char *res = val; p = strsep(&res, ":"); if (p == NULL) return (0); *uidp = (uid_t) atol(p); p = strsep(&res, "\n,"); if (p == NULL) { return (0); } *gidp = (gid_t) atol(p); for (gidlen = 0; gidlen < NGRPS; gidlen++) { p = strsep(&res, "\n,"); if (p == NULL) break; gidlist[gidlen] = (gid_t) atol(p); } *gidlenp = gidlen; return (1); } val1 = strchr(netname, '.'); if (val1 == NULL) return (0); if (strncmp(netname, OPSYS, (val1-netname))) return (0); val1++; val2 = strchr(val1, '@'); if (val2 == NULL) return (0); vallen = val2 - val1; if (vallen > (1024 - 1)) vallen = 1024 - 1; (void) strncpy(val, val1, 1024); val[vallen] = 0; err = __rpc_get_default_domain(&domain); /* change to rpc */ if (err) return (0); if (strcmp(val2 + 1, domain)) return (0); /* wrong domain */ if (sscanf(val, "%ld", &luid) != 1) return (0); uid = luid; /* use initgroups method */ pwd = getpwuid(uid); if (pwd == NULL) return (0); *uidp = pwd->pw_uid; *gidp = pwd->pw_gid; *gidlenp = _getgroups(pwd->pw_name, gidlist); return (1); } /* * initgroups */ static int _getgroups(char *uname, gid_t groups[NGRPS]) { gid_t ngroups = 0; struct group *grp; int i; int j; int filter; setgrent(); while ((grp = getgrent())) { for (i = 0; grp->gr_mem[i]; i++) if (!strcmp(grp->gr_mem[i], uname)) { if (ngroups == NGRPS) { #ifdef DEBUG fprintf(stderr, "initgroups: %s is in too many groups\n", uname); #endif goto toomany; } /* filter out duplicate group entries */ filter = 0; for (j = 0; j < ngroups; j++) if (groups[j] == grp->gr_gid) { filter++; break; } if (!filter) groups[ngroups++] = grp->gr_gid; } } toomany: endgrent(); return (ngroups); } /* * Convert network-name to hostname */ int netname2host(char netname[MAXNETNAMELEN + 1], char *hostname, int hostlen) { int err; char valbuf[1024]; char *val; char *val2; int vallen; char *domain; if (getnetid(netname, valbuf)) { val = valbuf; if ((*val == '0') && (val[1] == ':')) { (void) strncpy(hostname, val + 2, hostlen); return (1); } } val = strchr(netname, '.'); if (val == NULL) return (0); if (strncmp(netname, OPSYS, (val - netname))) return (0); val++; val2 = strchr(val, '@'); if (val2 == NULL) return (0); vallen = val2 - val; if (vallen > (hostlen - 1)) vallen = hostlen - 1; (void) strncpy(hostname, val, vallen); hostname[vallen] = 0; err = __rpc_get_default_domain(&domain); /* change to rpc */ if (err) return (0); if (strcmp(val2 + 1, domain)) return (0); /* wrong domain */ else return (1); } /* * reads the file /etc/netid looking for a + to optionally go to the * network information service. */ int getnetid(char *key, char *ret) { char buf[1024]; /* big enough */ char *res; char *mkey; char *mval; FILE *fd; #ifdef YP char *domain; int err; char *lookup; int len; #endif int rv; rv = 0; fd = fopen(NETIDFILE, "r"); if (fd == NULL) { #ifdef YP res = "+"; goto getnetidyp; #else return (0); #endif } while (fd != NULL) { res = fgets(buf, sizeof(buf), fd); if (res == NULL) { rv = 0; goto done; } if (res[0] == '#') continue; else if (res[0] == '+') { #ifdef YP getnetidyp: err = yp_get_default_domain(&domain); if (err) { continue; } lookup = NULL; err = yp_match(domain, NETID, key, strlen(key), &lookup, &len); if (err) { #ifdef DEBUG fprintf(stderr, "match failed error %d\n", err); #endif continue; } lookup[len] = 0; strcpy(ret, lookup); free(lookup); rv = 2; goto done; #else /* YP */ #ifdef DEBUG fprintf(stderr, "Bad record in %s '+' -- NIS not supported in this library copy\n", NETIDFILE); #endif continue; #endif /* YP */ } else { mkey = strsep(&res, "\t "); if (mkey == NULL) { fprintf(stderr, "Bad record in %s -- %s", NETIDFILE, buf); continue; } do { mval = strsep(&res, " \t#\n"); } while (mval != NULL && !*mval); if (mval == NULL) { fprintf(stderr, "Bad record in %s val problem - %s", NETIDFILE, buf); continue; } if (strcmp(mkey, key) == 0) { strcpy(ret, mval); rv = 1; goto done; } } } done: if (fd != NULL) fclose(fd); return (rv); }