/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
 */

/*
 * rpcsec_gss.h, RPCSEC_GSS security service interface.
 */
33
34#ifndef	_RPCSEC_GSS_H
35#define	_RPCSEC_GSS_H
36
37#ifdef	__cplusplus
38extern "C" {
39#endif
40
41#include <rpc/auth.h>
42#include <rpc/clnt.h>
43#include <gssapi/gssapi.h>
44
/*
 * Interface definitions.
 *
 * Sizes of the fixed-length character arrays used by the types below.
 * A string stored in an array sized by one of these macros is bounded
 * by that size; whether it is NUL-terminated is not established by this
 * header, so copies into such arrays must be length-bounded.
 */
#define	MAX_NAME_LEN			 64	/* uname/inst/realm in gss_clnt_data */
#define	MAX_GSS_MECH			128	/* actual_mechanism[] in rpc_gss_options_ret_t */
#define	MAX_GSS_NAME			128	/* not referenced by any type in this header */
51
/*
 * RPCSEC_GSS security service levels (RFC 2203 rpc_gss_service).
 * The numeric values are part of the interface: they are passed to
 * rpc_gss_seccreate()/rpc_gss_set_defaults() below and travel with the
 * context, so they must not be renumbered.
 */
typedef enum {
	rpc_gss_svc_default = 0,	/* presumably lets the library choose; not an RFC 2203 value */
	rpc_gss_svc_none = 1,		/* authentication only; call data neither signed nor sealed */
	rpc_gss_svc_integrity = 2,	/* call data integrity-protected (signed) */
	rpc_gss_svc_privacy = 3		/* call data encrypted as well as signed */
} rpc_gss_service_t;
58
/*
 * GSS-API based security mechanism type specified as
 * object identifiers (OIDs).
 * This type is derived from gss_OID_desc/gss_OID: rpc_gss_OID_s is
 * spelled as an alias of the gss_OID_desc_struct tag, so rpc_gss_OID_desc
 * and rpc_gss_OID are the same struct type as the GSS-API descriptor
 * from <gssapi/gssapi.h> and may be passed where a gss_OID is expected.
 */
#define	rpc_gss_OID_s	gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
66
/*
 * Interface data.
 * This is already suitable for both LP64 and ILP32.
 *
 * A principal name carried as `len` bytes of data stored inline in
 * `name` (presumably a GSS-API exported name — confirm against the
 * library).  `name[1]` is a placeholder for a trailing variable-length
 * buffer (pre-C99 "struct hack"): instances are allocated with room for
 * the full name after the header, so sizeof (struct rpc_gss_principal)
 * is not the size of an instance.  Nothing here guarantees a NUL
 * terminator; readers must be bounded by `len`, not by strlen().
 */
typedef struct rpc_gss_principal {
	int	len;		/* number of bytes valid in name[] */
	char	name[1];	/* first byte of the name; data continues past the struct */
} *rpc_gss_principal_t;
75
/*
 * Options a caller may supply to rpc_gss_seccreate()/rpc_gss_secget()
 * when a context is established.  The fields mirror the inputs of the
 * GSS-API gss_init_sec_context() call (req_flags, time_req, initiator
 * credential, channel bindings); presumably they are passed straight
 * through to it — confirm in the implementation.
 */
typedef struct {
	int			req_flags;		/* GSS_C_*_FLAG bits requested for the context */
	int			time_req;		/* requested context lifetime, seconds (GSS-API convention) */
	gss_cred_id_t		my_cred;		/* initiator credential handle */
	gss_channel_bindings_t	input_channel_bindings;	/* channel bindings to bind the context to */
} rpc_gss_options_req_t;
82
/*
 * Options reported back by rpc_gss_seccreate()/rpc_gss_secget() once a
 * context has been negotiated.  major_status/minor_status presumably
 * hold the GSS-API status of the last underlying call, which is what a
 * caller should inspect when the routine fails.  actual_mechanism is an
 * OID in the kernel but a fixed-size name string in user space; the
 * array is bounded by MAX_GSS_MECH and nothing in this declaration
 * guarantees a NUL terminator, so whoever fills it must truncate or
 * reject longer names and readers should bound on MAX_GSS_MECH.
 */
typedef struct {
	int			major_status;	/* GSS-API major status */
	int			minor_status;	/* mechanism-specific minor status */
	uint_t			rpcsec_version;	/* RPCSEC_GSS protocol version in use (presumably RPCSEC_GSS_VERSION) */
	int			ret_flags;	/* GSS_C_*_FLAG bits actually granted */
	int			time_ret;	/* lifetime actually granted, seconds */
	gss_ctx_id_t		gss_context;	/* the established GSS-API context handle */
#ifdef _KERNEL
	rpc_gss_OID		actual_mechanism;	/* mechanism OID actually negotiated */
#else
	char			actual_mechanism[MAX_GSS_MECH];	/* mechanism name actually negotiated */
#endif
} rpc_gss_options_ret_t;
96
/*
 * raw credentials
 *
 * The mechanism-level identity of the caller as established by the
 * RPCSEC_GSS context; a server obtains it through rpc_gss_getcred().
 * mechanism and qop are an OID and a QOP number in the kernel but name
 * strings in user space, so code that inspects them compiles for one
 * side only.  client_principal is length-prefixed (see
 * rpc_gss_principal); svc_principal is an ordinary C string.
 */
typedef struct {
	uint_t			version;	/* RPCSEC_GSS protocol version of the context (presumably) */
#ifdef _KERNEL
	rpc_gss_OID		mechanism;	/* security mechanism OID */
	uint_t			qop;		/* quality of protection number */
#else
	char			*mechanism;	/* security mechanism name */
	char			*qop;		/* quality of protection name */
#endif
	rpc_gss_principal_t	client_principal;	/* authenticated client principal */
	char	*svc_principal;	/* service@server, e.g. nfs@caribe */
	rpc_gss_service_t	service;	/* service level in effect for the request */
} rpc_gss_rawcred_t;
113
/*
 * unix credentials
 *
 * The caller's identity mapped to local UNIX credentials.  gidlist is
 * a bare pointer to gidlen supplementary group IDs, so every access
 * must be bounded by gidlen; gidlen is a signed short, so a consumer
 * should treat a negative value as invalid rather than use it as a
 * count.  Ownership and lifetime of gidlist are not stated in this
 * header (it is handed out by rpc_gss_getcred()) — confirm against the
 * library before retaining the pointer.
 */
typedef struct {
	uid_t			uid;		/* user ID */
	gid_t			gid;		/* primary group ID */
	short			gidlen;		/* number of entries in gidlist */
	gid_t			*gidlist;	/* supplementary group IDs, gidlen entries */
} rpc_gss_ucred_t;
123
/*
 * for callback routine
 *
 * Registered through rpc_gss_set_callback(); presumably the library
 * invokes callback when a context is established for the given RPC
 * program/version.  callback is declared without a prototype, so the
 * compiler cannot check the argument list of the function stored here
 * against what the library passes; the expected signature is documented
 * with rpc_gss_set_callback(), not in this header.
 */
typedef struct {
	uint_t			program;	/* RPC program number the callback applies to */
	uint_t			version;	/* RPC program version the callback applies to */
	bool_t			(*callback)();	/* unprototyped; see rpc_gss_set_callback() */
} rpc_gss_callback_t;
132
/*
 * lock used for the callback routine
 *
 * Pairs a lock flag with the raw credentials a callback may examine.
 * Who sets locked, and how long raw_cred remains valid, is not visible
 * in this header — confirm against rpc_gss_set_callback() before
 * relying on either field.
 */
typedef struct {
	bool_t			locked;		/* credentials pinned for the callback (presumably) */
	rpc_gss_rawcred_t	*raw_cred;	/* raw credentials of the context being set up */
} rpc_gss_lock_t;
140
141
/*
 * This is for user RPC applications.
 * Structure used to fetch the error code when one of
 * the rpc_gss_* routines fails.
 *
 * Filled in by rpc_gss_get_error().  rpc_gss_error is one of the
 * RPC_GSS_ER_* values below; system_error presumably carries errno when
 * rpc_gss_error is RPC_GSS_ER_SYSTEMERROR and is otherwise unspecified
 * — confirm before interpreting it.
 */
typedef struct {
	int	rpc_gss_error;	/* RPC_GSS_ER_* code */
	int	system_error;	/* system error detail (see above) */
} rpc_gss_error_t;

#define	RPC_GSS_ER_SUCCESS	0	/* no error */
#define	RPC_GSS_ER_SYSTEMERROR	1	/* system error */
154
155
#ifdef _SYSCALL32
/*
 * ILP32 layout of gss_clnt_data, presumably for a 64-bit kernel
 * receiving the structure from a 32-bit process.  The field list must
 * stay in step with gss_clnt_data below; only the OID member differs
 * (gss_OID_desc32 is the 32-bit descriptor form and is declared
 * elsewhere).  The three name arrays are fixed-size with no guaranteed
 * NUL terminator; where this structure is copied in from user space
 * they must be length-checked and terminated before use as strings.
 */
struct gss_clnt_data32 {
	gss_OID_desc32	mechanism;	/* mechanism OID, 32-bit descriptor layout */
	rpc_gss_service_t	service;	/* requested security service */
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;		/* requested QOP number */
};
#endif
166
/*
 * This is for Kernel RPC applications.
 * RPCSEC_GSS flavor specific data in sec_data opaque field.
 *
 * Describes the server principal (uname/inst/realm), mechanism, service
 * level and QOP a kernel client should use.  The three name arrays are
 * fixed-size with no guaranteed NUL terminator; code that copies them
 * in from a less trusted source must bound the copy by MAX_NAME_LEN
 * and terminate before treating them as strings.  Keep the layout in
 * step with gss_clnt_data32 above.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc	mechanism;	/* mechanism OID */
	rpc_gss_service_t	service;	/* requested security service */
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;		/* requested QOP number */
} gss_clntdata_t;
179
180
struct svc_req;	/* incomplete type: the declarations below only take pointers to it */
/*
 *  KERNEL rpc_gss_* interfaces.
 */
185#ifdef _KERNEL
/*
 * rpc_gss_secget: obtain an AUTH handle for the given client handle,
 * server principal, mechanism OID, service level and QOP number, on
 * behalf of the given cred_t.  The extra void * is an opaque argument
 * not explained in this header; the name suggests the handle may come
 * from a cache rather than a fresh context — confirm in the
 * implementation.  The int result is a status code and the handle is
 * stored through the final AUTH ** argument; release it with
 * rpc_gss_secfree().
 */
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);

/* Release an AUTH handle obtained from rpc_gss_secget(). */
void rpc_gss_secfree(AUTH *);

/*
 * rpc_gss_seccreate: create an RPCSEC_GSS AUTH handle.  Same argument
 * list as rpc_gss_secget() minus the opaque void *.  Note the kernel
 * form takes a mechanism OID and a numeric QOP where the user-level
 * form below takes name strings.
 */
int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, cred_t *, AUTH **);

/* Revoke cached authentication state for a uid under a mechanism (name-based reading — confirm). */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
/* Purge cached security state associated with the opaque argument (name-based reading — confirm). */
void rpc_gss_secpurge(void *);
/*
 * Server-side authentication entry point for the RPCSEC_GSS flavor.
 * Given the request and its RPC message, returns an RPC auth status;
 * the bool_t * output presumably tells the dispatcher whether the call
 * was consumed here (context control messages) and must not be
 * dispatched — confirm against the server code.
 */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
			struct rpc_msg *, bool_t *);
/* Change the service level and QOP number used by an existing handle. */
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
/* Report the service level currently in effect for a handle. */
rpc_gss_service_t rpc_gss_get_service_type(AUTH *);
202
203
204#else
/*
 *  USER rpc_gss_* public interfaces
 */

/*
 * Create an RPCSEC_GSS AUTH handle for clnt, authenticating to the
 * named server principal with the named mechanism at the requested
 * service level and QOP.  Returns NULL on failure; the cause is then
 * presumably described by options_ret->major_status/minor_status and by
 * rpc_gss_get_error().  Whether options_req/options_ret may be NULL is
 * not stated here — confirm against the man page.
 */
AUTH *
rpc_gss_seccreate(
	CLIENT			*clnt,		/* associated client handle */
	char			*principal,	/* server service principal */
	char			*mechanism,	/* security mechanism */
	rpc_gss_service_t	service_type,	/* security service */
	char			*qop,		/* requested QOP */
	rpc_gss_options_req_t	*options_req,	/* requested options */
	rpc_gss_options_ret_t   *options_ret    /* returned options */
);

/*
 * Construct the principal for user_name at node within secdomain under
 * the given mechanism and store it through *principal.  Presumably
 * returns TRUE on success.  Whether the caller owns (and must free) the
 * stored rpc_gss_principal_t is not stated in this header — confirm
 * before use.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t	*principal,	/* out: constructed principal */
	char			*mechanism,	/* security mechanism */
	char			*user_name,	/* user component of the name */
	char			*node,		/* host/node component */
	char			*secdomain	/* security domain / realm component */
);
227
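/*
 * Return the list of security mechanisms installed on this system, as
 * an array of mechanism-name strings (the names accepted by the
 * `mechanism` arguments of the routines in this section).  The array is
 * presumably NULL-terminated and library-owned (do not free it) —
 * confirm against the man page.
 *
 * Declared with (void): the function takes no arguments, and the
 * previous `()` form was an unprototyped declaration that would have
 * let a call with arguments compile unchecked.
 */
char **rpc_gss_get_mechanisms(void);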
229
/*
 * Return the QOP names supported by mechanism and store the service
 * level it supports through *service.  Presumably returns NULL for an
 * unknown mechanism.  Ownership of the returned array is not stated
 * here; treat it as library-owned (do not free) until confirmed.
 */
char **rpc_gss_get_mech_info(
	char			*mechanism,	/* mechanism name */
	rpc_gss_service_t	*service	/* out: supported service level */
);

/* TRUE if mechanism names a mechanism installed on this system (inferred from the name). */
bool_t
rpc_gss_is_installed(
	char	*mechanism
);

/*
 * Translate a mechanism name to its OID, storing it through *oid.
 * Presumably returns FALSE for an unknown mechanism.  Whether *oid
 * points at library-owned storage is not stated here — do not free it
 * without confirming.
 */
bool_t
rpc_gss_mech_to_oid(
	char		*mech,
	rpc_gss_OID	*oid
);

/* Translate a QOP name, interpreted for mech, to its numeric QOP value stored through *num. */
bool_t
rpc_gss_qop_to_num(
	char	*qop,
	char	*mech,
	uint_t	*num
);

/*
 * Server side: acquire credentials for principal under mechanism and
 * register them for the given RPC program/version, with req_time as
 * the requested lifetime (seconds, presumably).  A server must have
 * done this before it can accept RPCSEC_GSS requests for that program.
 * Presumably returns FALSE if the credentials cannot be acquired.
 */
bool_t
rpc_gss_set_svc_name(
	char			*principal,
	char			*mechanism,
	uint_t			req_time,
	uint_t			program,
	uint_t			version
);

/*
 * Change the service level and QOP used for subsequent calls through
 * auth.  User-level counterpart of the kernel declaration above; takes
 * the QOP as a name rather than a number.
 */
bool_t
rpc_gss_set_defaults(
	AUTH			*auth,
	rpc_gss_service_t	service,
	char			*qop
);

/*
 * Copy the error recorded by the most recent failing rpc_gss_* call
 * into *error (see rpc_gss_error_t).
 */
void
rpc_gss_get_error(
	rpc_gss_error_t		*error
);
273
/*
 * User level private interfaces
 *
 * All three are declared without prototypes, so calls to them are not
 * argument-checked by the compiler.  The kernel declaration of
 * __svcrpcsec_gss() above spells out
 * (struct svc_req *, struct rpc_msg *, bool_t *); if the user-level
 * definition has the same signature, this declaration should say so.
 * __rpc_gss_wrap()/__rpc_gss_unwrap() presumably apply and remove the
 * per-message integrity/privacy protection — confirm in the
 * implementation before calling them directly.
 */
enum auth_stat __svcrpcsec_gss();
bool_t	__rpc_gss_wrap();
bool_t	__rpc_gss_unwrap();
280
281#endif
282
/*
 *  USER and KERNEL rpc_gss_* interfaces.
 */

/*
 * Register a callback (see rpc_gss_callback_t) for cb->program /
 * cb->version.  Whether the structure is copied or must outlive the
 * call is not stated here — confirm before passing a stack object.
 */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t	*cb
);

/*
 * Server side: fetch the credentials of the caller of req.  *rcred
 * receives the mechanism-level (raw) credentials and *ucred the mapped
 * UNIX credentials; *cookie presumably receives whatever the registered
 * callback associated with the context.  Lifetime of the pointed-to
 * objects is not stated here: assume they are library-owned and valid
 * only while req is being served — do not free them or keep them past
 * dispatch unless the implementation documents otherwise.
 */
bool_t
rpc_gss_getcred(
	struct svc_req		*req,
	rpc_gss_rawcred_t	**rcred,
	rpc_gss_ucred_t		**ucred,
	void			**cookie
);

/*
 * Client side: the largest payload that fits in a transport unit of
 * max_tp_unit_len bytes once the RPCSEC_GSS header and, for integrity
 * or privacy service, the wrapping overhead of rpcgss_handle's context
 * are accounted for.  The error convention of the int result is not
 * stated here — check it before using the value as a buffer size.
 */
int
rpc_gss_max_data_length(
	AUTH			*rpcgss_handle,
	int			max_tp_unit_len
);

/* Server-side counterpart of rpc_gss_max_data_length() for the caller of req. */
int
rpc_gss_svc_max_data_length(
	struct	svc_req		*req,
	int			max_tp_unit_len
);

/*
 * Report the highest and lowest RPCSEC_GSS protocol versions supported,
 * stored through *vers_hi and *vers_lo.
 */
bool_t
rpc_gss_get_versions(
	uint_t	*vers_hi,
	uint_t	*vers_lo
);
316
/*
 * Upper bound on credential/context refresh retries (name-based
 * reading; the loop that consumes it is not in this header).
 */
#define	RPCSEC_GSS_REFRESH_ATTEMPTS 	20
318
/*
 * Protocol data.
 *
 * The reason to put these definitions in this header file
 * is for 2.6 snoop to handle the RPCSEC_GSS protocol
 * interpretation.
 *
 * These are on-the-wire values from RFC 2203: the gss_proc control
 * procedures carried in the RPCSEC_GSS credential, and the protocol
 * version.  They are fixed by the protocol and must not be renumbered.
 * A receiver should reject a credential carrying any other gss_proc or
 * version value rather than fall through to a default procedure.
 */
#define	RPCSEC_GSS_DATA			0	/* ordinary data call on an established context */
#define	RPCSEC_GSS_INIT			1	/* first context-establishment message */
#define	RPCSEC_GSS_CONTINUE_INIT	2	/* subsequent context-establishment message */
#define	RPCSEC_GSS_DESTROY		3	/* tear down the context */

#define	RPCSEC_GSS_VERSION		1	/* RPCSEC_GSS protocol version (RFC 2203) */
332
333#ifdef	__cplusplus
334}
335#endif
336
337#endif	/* !_RPCSEC_GSS_H */
338