1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
28  */
29 
30 /*
31  * rpcsec_gss.h, RPCSEC_GSS security service interface.
32  */
33 
34 #ifndef	_RPCSEC_GSS_H
35 #define	_RPCSEC_GSS_H
36 
37 #ifdef	__cplusplus
38 extern "C" {
39 #endif
40 
41 #include <rpc/auth.h>
42 #include <rpc/clnt.h>
43 #include <gssapi/gssapi.h>
44 
/*
 * Interface definitions.
 *
 * Fixed buffer sizes for the structures declared below.  MAX_NAME_LEN
 * bounds the uname/inst/realm arrays of gss_clntdata_t (and its
 * _SYSCALL32 twin); MAX_GSS_MECH bounds the user-level actual_mechanism
 * array in rpc_gss_options_ret_t.  Whatever fills those arrays must
 * bound the copy and NUL-terminate.  MAX_GSS_NAME is exported for
 * consumers but is not referenced by any declaration in this header.
 */
#define	MAX_NAME_LEN			 64
#define	MAX_GSS_MECH			128
#define	MAX_GSS_NAME			128
51 
/*
 * Protection service requested for an RPCSEC_GSS session.  The numbering
 * follows the rpc_gss_service_t values of RFC 2203 and the enum is
 * embedded in gss_clntdata_t, so the values must not be changed.
 *
 * rpc_gss_svc_none authenticates the caller only -- the RPC payload gets
 * no per-message checksum or encryption; rpc_gss_svc_integrity adds a
 * GSS MIC over the payload; rpc_gss_svc_privacy additionally encrypts it.
 * rpc_gss_svc_default is a local request for the implementation's default
 * and is not a wire value (RFC 2203 defines only none/integrity/privacy).
 */
typedef enum {
	rpc_gss_svc_default = 0,
	rpc_gss_svc_none = 1,
	rpc_gss_svc_integrity = 2,
	rpc_gss_svc_privacy = 3
} rpc_gss_service_t;
58 
/*
 * GSS-API based security mechanism type specified as
 * object identifiers (OIDs).
 * This type is derived from gss_OID_desc/gss_OID.
 *
 * rpc_gss_OID_desc is an alias for the gss_OID_desc_struct tag from
 * <gssapi/gssapi.h>, so an rpc_gss_OID may be passed wherever a gss_OID
 * is expected (and vice versa) without a cast.
 */
#define	rpc_gss_OID_s	gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
66 
/*
 * Interface data.
 * This is already suitable for both LP64 and ILP32.
 */

/*
 * Exported (mechanism-specific) principal name handed to RPCSEC_GSS
 * consumers, e.g. as rpc_gss_rawcred_t.client_principal.
 *
 * name[1] is a placeholder for a variable-length buffer: len is the
 * number of valid bytes of name, and the object is presumably allocated
 * with len bytes following the length word (confirm against the
 * allocator).  Consumers must treat name as a byte string bounded by len
 * and must not assume a NUL terminator.  len is a signed int; code that
 * uses it as a size should reject negative values first.
 */
typedef struct rpc_gss_principal {
	int	len;
	char	name[1];
} *rpc_gss_principal_t;
75 
/*
 * Caller-supplied options for GSS-API context establishment, passed to
 * rpc_gss_seccreate()/rpc_gss_secget().  The field names mirror the
 * gss_init_sec_context() arguments: req_flags are the GSS_C_*_FLAG
 * request bits, time_req the requested context lifetime, my_cred the
 * initiator's credential (presumably GSS_C_NO_CREDENTIAL selects the
 * default) and input_channel_bindings the channel bindings, if any.
 */
typedef struct {
	int			req_flags;
	int			time_req;
	gss_cred_id_t		my_cred;
	gss_channel_bindings_t	input_channel_bindings;
} rpc_gss_options_req_t;
82 
/*
 * Results of context establishment returned to the caller.
 *
 * major_status/minor_status are presumably the GSS-API status codes of
 * the context-establishment call, so a caller seeing a failed create can
 * report them with gss_display_status().  rpcsec_version is the
 * RPCSEC_GSS protocol version in use (see RPCSEC_GSS_VERSION below);
 * ret_flags/time_ret are the granted flags and lifetime; gss_context is
 * the established GSS-API context.
 *
 * actual_mechanism is the mechanism actually used: an OID pointer in the
 * kernel, but a fixed MAX_GSS_MECH-byte string in user space -- whoever
 * fills the user-space form must bound the copy and NUL-terminate.
 */
typedef struct {
	int			major_status;
	int			minor_status;
	uint_t			rpcsec_version;
	int			ret_flags;
	int			time_ret;
	gss_ctx_id_t		gss_context;
#ifdef _KERNEL
	rpc_gss_OID		actual_mechanism;
#else
	char			actual_mechanism[MAX_GSS_MECH];
#endif
} rpc_gss_options_ret_t;
96 
/*
 * raw credentials
 *
 * Per-request credential information as seen by the server side (see
 * rpc_gss_getcred()).  version is the RPCSEC_GSS protocol version of the
 * request.  mechanism and qop identify the mechanism and quality of
 * protection: an OID and numeric QOP in the kernel, mechanism and QOP
 * *names* (strings) in user space.  client_principal is the
 * authenticated client's exported name (bounded by its len, not
 * NUL-terminated); svc_principal is the service name the client
 * targeted.  service is the protection level in force for this request:
 * a server that requires integrity or privacy must check it here rather
 * than assume the client asked for it.
 */
typedef struct {
	uint_t			version;
#ifdef _KERNEL
	rpc_gss_OID		mechanism;
	uint_t			qop;
#else
	char			*mechanism;
	char			*qop;
#endif
	rpc_gss_principal_t	client_principal;
	char	*svc_principal;	/* service@server, e.g. nfs@caribe */
	rpc_gss_service_t	service;
} rpc_gss_rawcred_t;
113 
/*
 * unix credentials
 *
 * UNIX identity derived from the authenticated GSS principal, as handed
 * to servers by rpc_gss_getcred().  gidlist holds gidlen supplementary
 * group ids; consumers must not read past gidlen entries.  gidlen is a
 * signed short, so code that copies the list should reject a negative
 * value.  Nothing in this header states who owns gidlist or how long
 * the pointer stays valid -- confirm against the implementation before
 * caching it.
 */
typedef struct {
	uid_t			uid;
	gid_t			gid;
	short			gidlen;
	gid_t			*gidlist;
} rpc_gss_ucred_t;
123 
/*
 * for callback routine
 *
 * Registration record for a server callback (see rpc_gss_set_callback()):
 * the RPC program/version it applies to and the routine to invoke.
 * callback is declared with an empty parameter list, so the compiler
 * performs no argument checking when a function is assigned to it; the
 * expected signature is not visible in this header and must be taken
 * from the rpc_gss_set_callback() documentation.
 */
typedef struct {
	uint_t			program;
	uint_t			version;
	bool_t			(*callback)();
} rpc_gss_callback_t;
132 
/*
 * lock used for the callback routine
 *
 * raw_cred points at the request's raw credential.  The meaning of
 * locked is not defined in this header (presumably set by the callback
 * to keep raw_cred alive for the context's lifetime) -- confirm against
 * the rpc_gss_set_callback() documentation before relying on it.
 */
typedef struct {
	bool_t			locked;
	rpc_gss_rawcred_t	*raw_cred;
} rpc_gss_lock_t;
140 
141 
/*
 * This is for user RPC applications.
 * Structure used to fetch the error code when one of
 * the rpc_gss_* routines fails.
 *
 * Filled in by rpc_gss_get_error().  rpc_gss_error is one of the
 * RPC_GSS_ER_* codes below; when it is RPC_GSS_ER_SYSTEMERROR,
 * system_error presumably holds the errno value.
 */
typedef struct {
	int	rpc_gss_error;
	int	system_error;
} rpc_gss_error_t;

#define	RPC_GSS_ER_SUCCESS	0	/* no error */
#define	RPC_GSS_ER_SYSTEMERROR	1	/* system error */
154 
155 
#ifdef _SYSCALL32
/*
 * ILP32 layout of gss_clntdata_t, used by a 64-bit kernel to read the
 * structure handed in by a 32-bit process.  It must track gss_clntdata_t
 * below field for field; the only difference is that mechanism is a
 * gss_OID_desc32, whose elements pointer is a 32-bit user address and
 * must be converted, never dereferenced directly.
 */
struct gss_clnt_data32 {
	gss_OID_desc32	mechanism;
	rpc_gss_service_t	service;
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;
};
#endif
166 
/*
 * This is for Kernel RPC applications.
 * RPCSEC_GSS flavor specific data in sec_data opaque field.
 *
 * The _SYSCALL32 twin above indicates this structure is copied in from
 * user space as part of the opaque sec_data, so the kernel must treat it
 * as untrusted input: mechanism's elements pointer and length refer to
 * user memory and must be copied in with bounds checks, service and qop
 * should be range-checked, and uname, inst and realm (fixed MAX_NAME_LEN
 * arrays) must be NUL-terminated or length-bounded before use as
 * strings.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc	mechanism;
	rpc_gss_service_t	service;
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;
} gss_clntdata_t;
179 
180 
181 struct svc_req;
182 /*
183  *  KERNEL rpc_gss_* interfaces.
184  */
185 #ifdef _KERNEL
/*
 * Obtain an RPCSEC_GSS AUTH handle for the client handle, presumably
 * reusing a cached context where one exists (rpc_gss_seccreate() below
 * takes the same arguments minus the void * and, by its name, always
 * builds a new one).  Arguments, in order: client handle, server
 * principal name, mechanism OID, service level, numeric QOP (by analogy
 * with the user-level signature), requested and returned option blocks,
 * an opaque argument not described here, the caller's credential, and
 * the AUTH handle returned through the final pointer.  Returns 0 on
 * success, otherwise an error code.
 */
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);

/* Release an AUTH handle obtained from rpc_gss_secget()/seccreate(). */
void rpc_gss_secfree(AUTH *);

/*
 * Create a new RPCSEC_GSS AUTH handle.  Same argument order as
 * rpc_gss_secget() without the opaque void * argument.
 */
int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, cred_t *, AUTH **);

/*
 * Revoke cached authentication state for a uid under the given
 * mechanism, and purge cached state associated with the opaque argument
 * (presumably the same cookie passed to rpc_gss_secget()).
 */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
void rpc_gss_secpurge(void *);
/*
 * Server-side authentication entry point for the RPCSEC_GSS flavor:
 * validates the incoming request and returns an auth_stat.  The final
 * argument is an out flag whose meaning is not stated in this header.
 */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
			struct rpc_msg *, bool_t *);
/*
 * Change the service level and numeric QOP used by an existing handle
 * (the user-level variant takes the QOP as a name instead), and query
 * the service level currently in effect.
 */
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
rpc_gss_service_t rpc_gss_get_service_type(AUTH *);
202 
203 
204 #else
205 /*
206  *  USER rpc_gss_* public interfaces
207  */
/*
 * Create an RPCSEC_GSS security context (AUTH handle) for clnt against
 * the named server principal.  mechanism and qop are names here, not
 * OIDs/numbers (see rpc_gss_mech_to_oid()/rpc_gss_qop_to_num()).
 * options_req supplies GSS-API establishment options; options_ret
 * receives the results, including the GSS status codes when
 * establishment fails.  On failure the error is retrievable with
 * rpc_gss_get_error().  Whether options_req/options_ret may be NULL,
 * and what is returned on failure (presumably NULL), is not stated in
 * this header.
 */
AUTH *
rpc_gss_seccreate(
	CLIENT			*clnt,		/* associated client handle */
	char			*principal,	/* server service principal */
	char			*mechanism,	/* security mechanism */
	rpc_gss_service_t	service_type,	/* security service */
	char			*qop,		/* requested QOP */
	rpc_gss_options_req_t	*options_req,	/* requested options */
	rpc_gss_options_ret_t   *options_ret    /* returned options */
);
218 
/*
 * Build the exported principal name for user_name at node in secdomain
 * under the named mechanism, returning it through *principal.  Servers
 * can use this to construct a name to compare against
 * rpc_gss_rawcred_t.client_principal (compare len bytes, not as a C
 * string).  Ownership of the returned object is not stated here.
 * Returns TRUE on success.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t	*principal,
	char			*mechanism,
	char			*user_name,
	char			*node,
	char			*secdomain
);
227 
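/*
 * Return the list of installed mechanism names (presumably
 * NULL-terminated; ownership of the array is not stated here).
 * Declared with (void) so the compiler rejects stray arguments; the
 * former empty parameter list disabled argument checking entirely.
 */
char **rpc_gss_get_mechanisms(void);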
229 
/*
 * Query helpers for the mechanism configuration.
 *
 * rpc_gss_get_mech_info: return the QOP names supported by mechanism and
 * store the service level it supports in *service.  Ownership of the
 * returned array is not stated here.
 */
char **rpc_gss_get_mech_info(
	char			*mechanism,
	rpc_gss_service_t	*service
);

/* TRUE if the named mechanism is installed. */
bool_t
rpc_gss_is_installed(
	char	*mechanism
);

/*
 * Translate a mechanism name to its OID, stored through *oid.  Ownership
 * of the OID is not stated here.  Returns TRUE on success.
 */
bool_t
rpc_gss_mech_to_oid(
	char		*mech,
	rpc_gss_OID	*oid
);

/*
 * Translate a QOP name for the given mechanism to the numeric QOP used
 * by the kernel interfaces, stored through *num.  Returns TRUE on
 * success.
 */
bool_t
rpc_gss_qop_to_num(
	char	*qop,
	char	*mech,
	uint_t	*num
);
252 
/*
 * Server-side setup: register the server's own service principal for the
 * named mechanism, for the given RPC program/version.  req_time is
 * presumably the requested credential lifetime.  Returns TRUE on
 * success; on failure use rpc_gss_get_error().
 */
bool_t
rpc_gss_set_svc_name(
	char			*principal,
	char			*mechanism,
	uint_t			req_time,
	uint_t			program,
	uint_t			version
);

/*
 * Change the service level and QOP (by name) used by an existing AUTH
 * handle for subsequent calls.  Returns TRUE on success.
 */
bool_t
rpc_gss_set_defaults(
	AUTH			*auth,
	rpc_gss_service_t	service,
	char			*qop
);

/*
 * Fetch the error recorded by the last failing rpc_gss_* call into
 * *error (see rpc_gss_error_t).
 */
void
rpc_gss_get_error(
	rpc_gss_error_t		*error
);
273 
/*
 * User level private interfaces
 *
 * Internal to the RPC library: server-side authentication entry point
 * and the per-message wrap/unwrap routines.  All three are declared
 * without parameter lists, so the compiler performs no argument checking
 * on calls; their signatures are not visible in this header (the kernel
 * __svcrpcsec_gss above takes svc_req, rpc_msg and a bool_t out flag).
 * Not part of the public interface.
 */
enum auth_stat __svcrpcsec_gss();
bool_t	__rpc_gss_wrap();
bool_t	__rpc_gss_unwrap();
280 
281 #endif
282 
283 /*
284  *  USER and KERNEL rpc_gss_* interfaces.
285  */
/*
 * Register a server callback (see rpc_gss_callback_t) for the program
 * and version it names.  Returns TRUE on success.
 */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t	*cb
);

/*
 * Fetch the credentials of an RPCSEC_GSS request: the raw credential
 * (*rcred), the mapped UNIX credential (*ucred) and an opaque cookie
 * (*cookie), each returned through its out-pointer.  Server
 * authorization decisions should be based on *rcred (client_principal,
 * bounded by its len, and the service level in force) rather than on the
 * request's UNIX-style fields alone.  Whether the out-pointers may be
 * NULL and how long the returned objects stay valid is not stated here.
 * Returns TRUE on success.
 */
bool_t
rpc_gss_getcred(
	struct svc_req		*req,
	rpc_gss_rawcred_t	**rcred,
	rpc_gss_ucred_t		**ucred,
	void			**cookie
);
298 
/*
 * Given the transport's maximum unit length, return the largest amount
 * of application data that fits once the RPCSEC_GSS per-message
 * overhead for the handle's service level is accounted for (the
 * integrity and privacy services add a checksum or wrapping to each
 * message).  Client-side form takes the AUTH handle; the server-side
 * form below takes the request.
 */
int
rpc_gss_max_data_length(
	AUTH			*rpcgss_handle,
	int			max_tp_unit_len
);

int
rpc_gss_svc_max_data_length(
	struct	svc_req		*req,
	int			max_tp_unit_len
);

/*
 * Return the highest and lowest RPCSEC_GSS protocol versions supported,
 * through *vers_hi and *vers_lo.  Returns TRUE on success.
 */
bool_t
rpc_gss_get_versions(
	uint_t	*vers_hi,
	uint_t	*vers_lo
);
316 
/*
 * Upper bound on the number of times a security context is re-established
 * (refreshed) before giving up; how it is applied is not shown here.
 */
#define	RPCSEC_GSS_REFRESH_ATTEMPTS 	20
318 
/*
 * Protocol data.
 *
 * The reason to put these definitions in this header file
 * is for 2.6 snoop to handle the RPCSEC_GSS protocol
 * interpretation.
 *
 * RPCSEC_GSS control procedures (the rpc_gss_proc_t of RFC 2203)
 * carried in the credential of each request: DATA is a normal RPC
 * call over an established context, INIT/CONTINUE_INIT carry the
 * GSS-API context-establishment tokens, and DESTROY tears a context
 * down.  RPCSEC_GSS_VERSION is the protocol version this code speaks;
 * RFC 2203 defines only version 1, and a server must reject any other
 * value in the credential.
 */
#define	RPCSEC_GSS_DATA			0
#define	RPCSEC_GSS_INIT			1
#define	RPCSEC_GSS_CONTINUE_INIT	2
#define	RPCSEC_GSS_DESTROY		3

#define	RPCSEC_GSS_VERSION		1
332 
333 #ifdef	__cplusplus
334 }
335 #endif
336 
337 #endif	/* !_RPCSEC_GSS_H */