1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License").  You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22%/*
23% * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24% * Use is subject to license terms.
25% */
26%
27%/*
28% *  RPC protocol information for gssd, the usermode daemon that
29% *  assists the kernel with gssapi. It is gssd that executes all
30% *  gssapi calls except for some such as gss_sign(), and
31% *  gss_verify(), which are executed in the kernel itself.
32% *
33% *  File generated from gssd.x
34% */
35%
36%#define	NO 0
37%#define	YES 1
38%#define	FOREVER 1
39%
40%#include <sys/types.h>
41%#include <sys/time.h>
42%#include <rpc/auth_sys.h>
43%#ifndef _KERNEL
44%#include <locale.h>
45%#endif /* not _KERNEL */
46%
47
48%#ifdef _KERNEL
49%extern void killgssd_handle(CLIENT *);
50%extern CLIENT *getgssd_handle(void);
51%#endif /* _KERNEL */
52%
53/*
54 * These are the definitions for the interface to GSSD.
55 */
56
/* Unsigned 32-bit word used for every GSS-API status, flag and lifetime value. */
typedef unsigned int				OM_UINT32;

/*
 * Context/credential handles, OIDs and buffers cross the wire as XDR
 * variable-length opaque byte strings.  No maximum length is declared on
 * any of them, so the receiving side must apply its own bound before
 * trusting the length that arrives.
 */
typedef opaque					GSS_CTX_ID_T<>;
typedef opaque					GSS_CRED_ID_T<>;
typedef opaque					GSS_OID<>;
typedef opaque					GSS_BUFFER_T<>;
typedef gid_t					GSSCRED_GIDS<>;		/* unbounded list of gids */

/* Unbounded list of mechanism OIDs. */
typedef GSS_OID					GSS_OID_SET<>;
66
/*
 * Wire form of GSS-API channel bindings, carried by the *_sec_context
 * arguments.  Address types are OM_UINT32; the addresses and the
 * application data are opaque buffers.
 */
struct GSS_CHANNEL_BINDINGS_STRUCT {
	int		present;		/* nonzero when bindings are supplied (presumably; confirm against the kernel caller) */
	OM_UINT32	initiator_addrtype;
	GSS_BUFFER_T	initiator_address;
	OM_UINT32	acceptor_addrtype;
	GSS_BUFFER_T    acceptor_address;
	GSS_BUFFER_T    application_data;
};

/* Name used by the *_sec_context_arg structs below. */
typedef	struct GSS_CHANNEL_BINDINGS_STRUCT	GSS_CHANNEL_BINDINGS;
77
/*
 * Argument to GSS_ACQUIRE_CRED (procedure 1).
 * The uid travels in the request body; it is only as trustworthy as the
 * transport policy (loopback, AUTH_SYS, reserved port) stated above GSSPROG.
 */
struct gss_acquire_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	OM_UINT32	time_req;		/* context validity interval */
	GSS_OID_SET	desired_mechs;		/* cred mechanisms */
	int		cred_usage;		/* init/accept/both */
};
86
/*
 * Result of GSS_ACQUIRE_CRED (procedure 1).  The handle is opaque to the
 * kernel; gssd_cred_verifier is returned with it and must be sent back on
 * every later use of the handle (presumably so stale handles are rejected).
 */
struct gss_acquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CRED_ID_T	output_cred_handle;	/* returned credential handle */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	time_rec;		/* actual context validity */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
95
/*
 * Argument to GSS_ADD_CRED (procedure 21).  input_cred_handle and its
 * verifier must be the pair previously returned by GSS_ACQUIRE_CRED.
 */
struct gss_add_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_CRED_ID_T	input_cred_handle;	/* input credential handle */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	GSS_OID		desired_mech_type;	/* mechanism to add */
	int		cred_usage;		/* init/accept/both */
	OM_UINT32	initiator_time_req;	/* requested initiator validity interval */
	OM_UINT32	acceptor_time_req;	/* requested acceptor validity interval */
};
/*
 * Note: for gss_add_cred the underlying credentials of input_cred_handle
 * are always updated in place; NULL is always passed as output_cred_handle
 * when the call to gss_add_cred is made.
 */
/* Result of GSS_ADD_CRED (procedure 21); no new handle is returned. */
struct gss_add_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	initiator_time_rec;	/* initiator cred validity interval */
	OM_UINT32	acceptor_time_rec;	/* acceptor cred validity interval */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
118
/* Argument to GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handles */
	GSS_CRED_ID_T	cred_handle;		/* credential handle to release */
};
124
/* Result of GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
129
/*
 * Argument to GSS_INIT_SEC_CONTEXT (procedure 3), the initiator side.
 * context_handle/gssd_context_verifier identify a context from an earlier
 * round; the credential handle field is required to be GSS_C_NO_CREDENTIAL.
 */
struct gss_init_sec_context_arg {
	uid_t		uid;			/* client uid */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	claimant_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	target_name;		/* name of server */
	GSS_OID		name_type;		/* type of principal name */
	GSS_OID		mech_type;		/* requested mechanism */
	int		req_flags;		/* requested context options */
	OM_UINT32	time_req;		/* context validity interval */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
	GSS_BUFFER_T	input_token;		/* token received from the peer, if any */
};
145
/*
 * Result of GSS_INIT_SEC_CONTEXT (procedure 3).  context_handle and
 * gssd_context_verifier must be echoed back on every later call that
 * names this context.
 */
struct gss_init_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID		actual_mech_type;	/* actual mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send to the peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
156
/*
 * Argument to GSS_ACCEPT_SEC_CONTEXT (procedure 4), the acceptor side.
 * The credential handle field is required to be GSS_C_NO_CREDENTIAL.
 */
struct gss_accept_sec_context_arg {
	uid_t		uid;			/* client uid */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	verifier_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	input_token_buffer;	/* token received from the peer */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
};
167
/*
 * Result of GSS_ACCEPT_SEC_CONTEXT (procedure 4).  src_name is the peer
 * identity as authenticated by the mechanism; this interface never returns
 * a delegated credential.
 */
struct gss_accept_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	src_name;		/* authenticated name of peer */
	GSS_OID		mech_type;		/* mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send to the peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	GSS_CRED_ID_T	delegated_cred_handle;	/* always GSS_C_NO_CREDENTIAL */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
180
/* Argument to GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	token_buffer;		/* token to process */
};
187
/* Result of GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
192
/*
 * Argument to GSS_DELETE_SEC_CONTEXT (procedure 6).  Unlike most *_arg
 * structs this one carries no uid; only the handle/verifier pair is sent.
 */
struct gss_delete_sec_context_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
197
/* Result of GSS_DELETE_SEC_CONTEXT (procedure 6). */
struct gss_delete_sec_context_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CTX_ID_T	context_handle;		/* handle to deleted context */
	GSS_BUFFER_T	output_token;		/* output token for peer */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
204
/* Argument to GSS_EXPORT_SEC_CONTEXT (procedure 19); no uid is sent. */
struct gss_export_sec_context_arg {
        GSS_CTX_ID_T context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
209
/*
 * Result of GSS_EXPORT_SEC_CONTEXT (procedure 19).  output_token is the
 * serialized context and is what GSS_IMPORT_SEC_CONTEXT consumes.
 */
struct gss_export_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to existing context */
        GSS_BUFFER_T	output_token;		/* input token for import_sec_context */
        OM_UINT32	status;			/* status of GSSAPI call (major) */
};
216
/* Argument to GSS_IMPORT_SEC_CONTEXT (procedure 20); no uid is sent. */
struct gss_import_sec_context_arg {
        GSS_BUFFER_T	input_token;		/* token produced by export_sec_context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
221
/* Result of GSS_IMPORT_SEC_CONTEXT (procedure 20). */
struct gss_import_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to created context */
        OM_UINT32	status;			/* status of GSSAPI call (major) */
};
227
/* Argument to GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
233
/* Result of GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	time_rec;		/* remaining context validity */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
239
/*
 * Argument to GSS_SIGN (procedure 8).  No uid is sent; the context is
 * identified solely by the handle/verifier pair.
 */
struct gss_sign_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		qop_req;		/* quality of protection */
	GSS_BUFFER_T	message_buffer;		/* message to sign */
};
246
/* Result of GSS_SIGN (procedure 8). */
struct gss_sign_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	msg_token;		/* integrity token for message_buffer */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
252
/* Argument to GSS_VERIFY (procedure 9); no uid is sent. */
struct gss_verify_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	message_buffer;		/* message to verify */
	GSS_BUFFER_T	token_buffer;		/* buffer containing the token */
};
259
/* Result of GSS_VERIFY (procedure 9); success/failure is in status. */
struct gss_verify_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		qop_state;		/* quality of protection */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
265
/* Argument to GSS_SEAL (procedure 13); no uid is sent. */
struct gss_seal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		conf_req_flag;		/* type of conf requested */
	int		qop_req;		/* quality of prot. requested */
	GSS_BUFFER_T	input_message_buffer;	/* message to protect */
};
273
/*
 * Result of GSS_SEAL (procedure 13).  conf_state reports what was actually
 * applied, which may differ from conf_req_flag in the argument.
 */
struct gss_seal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		conf_state;		/* type of conf. applied */
	GSS_BUFFER_T	output_message_buffer;	/* protected message */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
280
/* Argument to GSS_UNSEAL (procedure 14); no uid is sent. */
struct gss_unseal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	input_message_buffer;	/* protected message to unseal */
};
286
/*
 * Result of GSS_UNSEAL (procedure 14).  conf_state/qop_state report the
 * protection the peer actually applied; callers that require
 * confidentiality should check conf_state, not assume it.
 */
struct gss_unseal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	output_message_buffer;	/* unsealed (plaintext) message */
	int		conf_state;		/* type of conf. provided */
	int		qop_state;		/* quality of prot. provided */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
294
/*
 * Argument to GSS_DISPLAY_STATUS (procedure 10).  message_context is
 * OM_UINT32 here but int in the result struct; the two should agree.
 */
struct gss_display_status_arg {
	uid_t		uid;			/* client uid */
	int		status_value;		/* status to be converted */
	int		status_type;		/* GSS or mech status */
	GSS_OID		mech_type;		/* mechanism */
	OM_UINT32	message_context;	/* recursion flag */
};
302
/*
 * Result of GSS_DISPLAY_STATUS (procedure 10).  status_string is an
 * unbounded opaque buffer, so the kernel side should bound it before use.
 */
struct gss_display_status_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		message_context;	/* recursion flag (OM_UINT32 in the arg) */
	GSS_BUFFER_T	status_string;		/* text equiv of status */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
309
%/* gss_indicate_mechs_arg is void; the argument appears only in the RPC procedure definition below. */
311
/* Result of GSS_INDICATE_MECHS (procedure 11), which takes no argument. */
struct gss_indicate_mechs_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	mech_set;		/* mechanism set supported */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
317
/* Argument to GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
};
323
/* Result of GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	name;			/* name associated with cred */
	GSS_OID		name_type;		/* type of name */
	OM_UINT32	lifetime;		/* remaining validity period */
	int		cred_usage;		/* how creds may be used */
	GSS_OID_SET	mechanisms;		/* mechs associated with cred */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
333
/* Argument to GSS_INQUIRE_CRED_BY_MECH (procedure 22). */
struct gss_inquire_cred_by_mech_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
	GSS_OID		mech_type;		/* cred mechanism */
};
340
/*
 * Result of GSS_INQUIRE_CRED_BY_MECH (procedure 22).  Only the status
 * pair is returned; none of the per-mechanism details are carried back.
 */
struct gss_inquire_cred_by_mech_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major) */
};
345
/* Argument to GSSCRED_NAME_TO_UNIX_CRED (procedure 16). */
struct gsscred_name_to_unix_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_BUFFER_T	pname;			/* principal name */
	GSS_OID		name_type;		/* oid of principal name */
	GSS_OID		mech_type;		/* for which mechanism to use */
};
352
/*
 * Result of GSSCRED_NAME_TO_UNIX_CRED (procedure 16): the Unix identity the
 * daemon mapped the principal to.  Only a major status is returned, and
 * uid/gid/gids are meaningful only when it reports success.
 */
struct gsscred_name_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* status of the GSSAPI call */
};
359
360
/* Argument to GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15). */
struct
gsscred_expname_to_unix_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_BUFFER_T	expname;		/* principal in export format */
};
366
/*
 * Result of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15).  Same shape as
 * gsscred_name_to_unix_cred_res; uid/gid/gids are meaningful only when
 * major reports success.
 */
struct
gsscred_expname_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* major status code */
};
374
375
/*
 * Argument to GSS_GET_GROUP_INFO (procedure 17).  Note that uid (the
 * caller) and puid (the principal being looked up) are distinct.
 */
struct gss_get_group_info_arg {
	uid_t		uid;			/* client uid */
	uid_t		puid;			/* principal's uid */
};
380
/* Result of GSS_GET_GROUP_INFO (procedure 17): group list for puid. */
struct gss_get_group_info_res {
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* major status code */
};
386
387
/* Argument to GSS_GET_KMOD (procedure 18): the mechanism OID to look up. */
struct gss_get_kmod_arg	{
	GSS_OID mech_oid;

};
392
/*
 * Result of GSS_GET_KMOD (procedure 18).  When module_follow is TRUE a
 * module name string follows; when FALSE nothing else is encoded.  The
 * string has no declared maximum length.
 */
union gss_get_kmod_res switch (bool module_follow) {
	case TRUE:
		string modname<>;
	case FALSE:
		void;
};
399
400
401/*
402 *  The server accepts requests only from the loopback address.
403 *  Unix authentication is used, and the port must be in the reserved range.
404 */
405
/*
 * GSSPROG (program 100234), version GSSVERS (1): the procedure table the
 * kernel calls into gssd.  Procedure numbers are part of the wire protocol
 * and should not be renumbered or reused.
 */
program GSSPROG {
    version GSSVERS {

	/*
	 *  Called by the client to acquire a credential.
	 */
	gss_acquire_cred_res
		GSS_ACQUIRE_CRED(gss_acquire_cred_arg)			= 1;

	/*
	 *  Called by the client to release a credential.
	 */
	gss_release_cred_res
		GSS_RELEASE_CRED(gss_release_cred_arg)			= 2;

	/*
	 *  Called by the client to initialize a security context.
	 */
	gss_init_sec_context_res
		GSS_INIT_SEC_CONTEXT(gss_init_sec_context_arg)		= 3;

	/*
	 *  Called by the server to initialize a security context.
	 */
	gss_accept_sec_context_res
		GSS_ACCEPT_SEC_CONTEXT(gss_accept_sec_context_arg) 	= 4;

	/*
	 *  Called to pass token to underlying mechanism.
	 */
	gss_process_context_token_res
		GSS_PROCESS_CONTEXT_TOKEN(gss_process_context_token_arg) = 5;

	/*
	 *  Called to delete a security context.
	 */
	gss_delete_sec_context_res
		GSS_DELETE_SEC_CONTEXT(gss_delete_sec_context_arg) 	= 6;

	/*
	 *  Called to get remaining time security context has to live.
	 */
	gss_context_time_res
		GSS_CONTEXT_TIME(gss_context_time_arg) 			= 7;

	/*
	 *  Called to sign a message.
	 */
	gss_sign_res	GSS_SIGN(gss_sign_arg)				= 8;

	/*
	 *  Called to verify a signed message.
	 */
	gss_verify_res	GSS_VERIFY(gss_verify_arg)			= 9;

	/*
	 *  Called to translate minor status into a string.
	 */
	gss_display_status_res
			GSS_DISPLAY_STATUS(gss_display_status_arg)	= 10;

	/*
	 *  Called to indicate which underlying mechanisms are supported.
	 *  This is the only procedure that takes no argument.
	 */
	gss_indicate_mechs_res
			GSS_INDICATE_MECHS(void)			= 11;

	/*
	 *  Called by the client to inquire about a credential.
	 */
	gss_inquire_cred_res
		GSS_INQUIRE_CRED(gss_inquire_cred_arg)			= 12;


	/*
	 *  Called to seal a message.
	 */
	gss_seal_res	GSS_SEAL(gss_seal_arg)				= 13;

	/*
	 *  Called to unseal a message.
	 */
	gss_unseal_res	GSS_UNSEAL(gss_unseal_arg)			= 14;

	/*
	 * gsscred interface functions to obtain principal uid and gids:
	 * 15 maps an exported name, 16 a (name, name_type, mech_type) triple,
	 * and 17 a principal uid to the principal's gid list.
	 */
	gsscred_expname_to_unix_cred_res
			GSSCRED_EXPNAME_TO_UNIX_CRED(
				gsscred_expname_to_unix_cred_arg)	= 15;

	gsscred_name_to_unix_cred_res
			GSSCRED_NAME_TO_UNIX_CRED(
				gsscred_name_to_unix_cred_arg)		= 16;

	gss_get_group_info_res
			GSS_GET_GROUP_INFO(gss_get_group_info_arg)	= 17;

	/*
	 *  Called to look up the module name for a mechanism OID; the result
	 *  union is empty when module_follow is FALSE.
	 */
	gss_get_kmod_res
			GSS_GET_KMOD(gss_get_kmod_arg)			= 18;

	/*
	 *  Called to export a security context into an opaque token (19) and
	 *  to import such a token back into a context (20).
	 */
	gss_export_sec_context_res
			GSS_EXPORT_SEC_CONTEXT(gss_export_sec_context_arg) = 19;

	gss_import_sec_context_res
			GSS_IMPORT_SEC_CONTEXT(gss_import_sec_context_arg) = 20;
	/*
	 *  Called by the client to add to a credential.
	 */
	gss_add_cred_res
		GSS_ADD_CRED(gss_add_cred_arg)				= 21;
	/*
	 *  Called by the client to inquire about a credential for one
	 *  specific mechanism.
	 */
	gss_inquire_cred_by_mech_res
		GSS_INQUIRE_CRED_BY_MECH(gss_inquire_cred_by_mech_arg)
									= 22;

    } = 1;
} = 100234;
523