10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
50Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only
60Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance
70Sstevel@tonic-gate * with the License.
80Sstevel@tonic-gate *
90Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
100Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
110Sstevel@tonic-gate * See the License for the specific language governing permissions
120Sstevel@tonic-gate * and limitations under the License.
130Sstevel@tonic-gate *
140Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
150Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
160Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
170Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
180Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
190Sstevel@tonic-gate *
200Sstevel@tonic-gate * CDDL HEADER END
21132Srobinson */
22132Srobinson
23132Srobinson /*
24*1219Sraf * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
250Sstevel@tonic-gate * Use is subject to license terms.
260Sstevel@tonic-gate */
27*1219Sraf
280Sstevel@tonic-gate /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
290Sstevel@tonic-gate /* All Rights Reserved */
300Sstevel@tonic-gate /*
310Sstevel@tonic-gate * Portions of this source code were derived from Berkeley
320Sstevel@tonic-gate * 4.3 BSD under license from the Regents of the University of
330Sstevel@tonic-gate * California.
340Sstevel@tonic-gate */
350Sstevel@tonic-gate
360Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
370Sstevel@tonic-gate
380Sstevel@tonic-gate /*
390Sstevel@tonic-gate * Handles UNIX flavor authentication parameters on the service side of rpc.
400Sstevel@tonic-gate * There are two svc auth implementations here: AUTH_SYS and AUTH_SHORT.
410Sstevel@tonic-gate * __svcauth_sys does full blown unix style uid, gid+gids auth,
420Sstevel@tonic-gate * __svcauth_short uses a shorthand auth to index into a cache of
430Sstevel@tonic-gate * longhand auths.
440Sstevel@tonic-gate * Note: the shorthand has been gutted for efficiency.
450Sstevel@tonic-gate *
460Sstevel@tonic-gate */
470Sstevel@tonic-gate
48*1219Sraf #include "mt.h"
490Sstevel@tonic-gate #include <stdio.h>
500Sstevel@tonic-gate #include <rpc/rpc.h>
510Sstevel@tonic-gate #include <syslog.h>
520Sstevel@tonic-gate #include <sys/types.h>
53132Srobinson #include <string.h>
540Sstevel@tonic-gate
550Sstevel@tonic-gate /*
560Sstevel@tonic-gate * System (Unix) longhand authenticator
570Sstevel@tonic-gate */
580Sstevel@tonic-gate enum auth_stat
__svcauth_sys(struct svc_req * rqst,struct rpc_msg * msg)59132Srobinson __svcauth_sys(struct svc_req *rqst, struct rpc_msg *msg)
600Sstevel@tonic-gate {
61132Srobinson enum auth_stat stat;
620Sstevel@tonic-gate XDR xdrs;
63132Srobinson struct authsys_parms *aup;
64132Srobinson rpc_inline_t *buf;
650Sstevel@tonic-gate struct area {
660Sstevel@tonic-gate struct authsys_parms area_aup;
670Sstevel@tonic-gate char area_machname[MAX_MACHINE_NAME+1];
680Sstevel@tonic-gate gid_t area_gids[NGRPS];
690Sstevel@tonic-gate } *area;
70132Srobinson uint_t auth_len;
71132Srobinson uint_t str_len, gid_len;
72132Srobinson int i;
730Sstevel@tonic-gate
74132Srobinson /* LINTED pointer cast */
75132Srobinson area = (struct area *)rqst->rq_clntcred;
760Sstevel@tonic-gate aup = &area->area_aup;
770Sstevel@tonic-gate aup->aup_machname = area->area_machname;
780Sstevel@tonic-gate aup->aup_gids = area->area_gids;
79132Srobinson auth_len = (uint_t)msg->rm_call.cb_cred.oa_length;
80132Srobinson if (auth_len == 0)
810Sstevel@tonic-gate return (AUTH_BADCRED);
820Sstevel@tonic-gate xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,
830Sstevel@tonic-gate XDR_DECODE);
840Sstevel@tonic-gate buf = XDR_INLINE(&xdrs, auth_len);
850Sstevel@tonic-gate if (buf != NULL) {
860Sstevel@tonic-gate aup->aup_time = IXDR_GET_INT32(buf);
870Sstevel@tonic-gate str_len = IXDR_GET_U_INT32(buf);
880Sstevel@tonic-gate if (str_len > MAX_MACHINE_NAME) {
890Sstevel@tonic-gate stat = AUTH_BADCRED;
900Sstevel@tonic-gate goto done;
910Sstevel@tonic-gate }
92132Srobinson (void) memcpy(aup->aup_machname, buf, str_len);
930Sstevel@tonic-gate aup->aup_machname[str_len] = 0;
940Sstevel@tonic-gate str_len = RNDUP(str_len);
95132Srobinson buf += str_len / (int)sizeof (int32_t);
960Sstevel@tonic-gate aup->aup_uid = IXDR_GET_INT32(buf);
970Sstevel@tonic-gate aup->aup_gid = IXDR_GET_INT32(buf);
980Sstevel@tonic-gate gid_len = IXDR_GET_U_INT32(buf);
990Sstevel@tonic-gate if (gid_len > NGRPS) {
1000Sstevel@tonic-gate stat = AUTH_BADCRED;
1010Sstevel@tonic-gate goto done;
1020Sstevel@tonic-gate }
1030Sstevel@tonic-gate aup->aup_len = gid_len;
1040Sstevel@tonic-gate for (i = 0; i < gid_len; i++) {
105132Srobinson aup->aup_gids[i] = (gid_t)IXDR_GET_INT32(buf);
1060Sstevel@tonic-gate }
1070Sstevel@tonic-gate /*
1080Sstevel@tonic-gate * five is the smallest unix credentials structure -
1090Sstevel@tonic-gate * timestamp, hostname len (0), uid, gid, and gids len (0).
1100Sstevel@tonic-gate */
1110Sstevel@tonic-gate if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
1120Sstevel@tonic-gate (void) syslog(LOG_ERR,
1130Sstevel@tonic-gate "bad auth_len gid %d str %d auth %d",
1140Sstevel@tonic-gate gid_len, str_len, auth_len);
1150Sstevel@tonic-gate stat = AUTH_BADCRED;
1160Sstevel@tonic-gate goto done;
1170Sstevel@tonic-gate }
1180Sstevel@tonic-gate } else if (! xdr_authsys_parms(&xdrs, aup)) {
1190Sstevel@tonic-gate xdrs.x_op = XDR_FREE;
1200Sstevel@tonic-gate (void) xdr_authsys_parms(&xdrs, aup);
1210Sstevel@tonic-gate stat = AUTH_BADCRED;
1220Sstevel@tonic-gate goto done;
1230Sstevel@tonic-gate }
1240Sstevel@tonic-gate rqst->rq_xprt->xp_verf.oa_flavor = AUTH_NULL;
1250Sstevel@tonic-gate rqst->rq_xprt->xp_verf.oa_length = 0;
1260Sstevel@tonic-gate stat = AUTH_OK;
1270Sstevel@tonic-gate done:
1280Sstevel@tonic-gate XDR_DESTROY(&xdrs);
1290Sstevel@tonic-gate return (stat);
1300Sstevel@tonic-gate }
1310Sstevel@tonic-gate
1320Sstevel@tonic-gate /*
1330Sstevel@tonic-gate * Shorthand unix authenticator
1340Sstevel@tonic-gate * Looks up longhand in a cache.
1350Sstevel@tonic-gate */
1360Sstevel@tonic-gate /*ARGSUSED*/
1370Sstevel@tonic-gate enum auth_stat
__svcauth_short(struct svc_req * rqst,struct rpc_msg * msg)138132Srobinson __svcauth_short(struct svc_req *rqst, struct rpc_msg *msg)
1390Sstevel@tonic-gate {
1400Sstevel@tonic-gate return (AUTH_REJECTEDCRED);
1410Sstevel@tonic-gate }
1420Sstevel@tonic-gate
1430Sstevel@tonic-gate /*
1440Sstevel@tonic-gate * Unix longhand authenticator. Will be obsoleted
1450Sstevel@tonic-gate */
1460Sstevel@tonic-gate enum auth_stat
__svcauth_unix(struct svc_req * rqst,struct rpc_msg * msg)147132Srobinson __svcauth_unix(struct svc_req *rqst, struct rpc_msg *msg)
1480Sstevel@tonic-gate {
149132Srobinson return (__svcauth_sys(rqst, msg));
1500Sstevel@tonic-gate }
151