      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 /*
     27  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
     28  */
     29 
     30 /*
     31  * rpcsec_gss.h, RPCSEC_GSS security service interface.
     32  */
     33 
     34 #ifndef	_RPCSEC_GSS_H
     35 #define	_RPCSEC_GSS_H
     36 
     37 #ifdef	__cplusplus
     38 extern "C" {
     39 #endif
     40 
     41 #include <rpc/auth.h>
     42 #include <rpc/clnt.h>
     43 #include <gssapi/gssapi.h>
     44 
     45 /*
     46  * Interface definitions.
     47  */
/*
 * Fixed buffer sizes for the structures below.  Nothing in those
 * structures records a separate length, so whoever copies a name into
 * a MAX_NAME_LEN / MAX_GSS_MECH sized array must bound the copy to the
 * array size and leave room for the NUL terminator.
 */
#define	MAX_NAME_LEN			 64	/* uname/inst/realm in gss_clnt_data */
#define	MAX_GSS_MECH			128	/* user-level actual_mechanism in rpc_gss_options_ret_t */
#define	MAX_GSS_NAME			128	/* not referenced elsewhere in this header */
     51 
/*
 * Security service applied to an RPCSEC_GSS session.  The numeric values
 * are stored in structures shared with the kernel (gss_clnt_data,
 * rpc_gss_rawcred_t), so existing members must not be renumbered.
 */
typedef enum {
	rpc_gss_svc_default = 0,	/* no explicit choice; the library selects */
	rpc_gss_svc_none = 1,		/* authentication only, no per-message protection */
	rpc_gss_svc_integrity = 2,	/* per-message integrity checks (MIC) */
	rpc_gss_svc_privacy = 3		/* per-message encryption, which implies integrity */
} rpc_gss_service_t;
     58 
     59 /*
     60  * GSS-API based security mechanism type specified as
     61  * object identifiers (OIDs).
     62  * This type is derived from gss_OID_desc/gss_OID.
     63  */
/*
 * rpc_gss_OID_desc is the same object as gss_OID_desc from
 * <gssapi/gssapi.h>: the #define aliases the struct tag, so an
 * rpc_gss_OID and a gss_OID point at one and the same type.
 */
#define	rpc_gss_OID_s	gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
     66 
     67 /*
     68  * Interface data.
     69  * This is already suitable for both LP64 and ILP32.
     70  */
/*
 * Exported (mechanism-specific) principal name.
 * 'name' is a pre-C99 "struct hack": the declared size of 1 is only a
 * placeholder and the real storage is presumably 'len' bytes allocated
 * beyond the struct.  Readers must use 'len' as the bound, never
 * sizeof (name), and must not assume the bytes are NUL-terminated.
 * NOTE(review): a C99 flexible array member (char name[]) would express
 * this directly, but it changes sizeof and the layout shared with the
 * kernel ("suitable for both LP64 and ILP32" above), so it is only flagged.
 */
typedef struct rpc_gss_principal {
	int	len;		/* byte length of name[]; signed, so reject < 0 from untrusted sources */
	char	name[1];	/* opaque bytes, 'len' of them (struct hack) */
} *rpc_gss_principal_t;
     75 
/*
 * Caller-supplied options for context establishment (user and kernel).
 * The member names mirror GSS-API GSS_Init_sec_context() inputs, which
 * they are presumably passed through to; this header does not show that
 * mapping, so confirm against the implementation.
 */
typedef struct {
	int			req_flags;		/* requested context flags */
	int			time_req;		/* requested context lifetime (GSS-API time_req, seconds) */
	gss_cred_id_t		my_cred;		/* initiator credential; presumably GSS_C_NO_CREDENTIAL for default */
	gss_channel_bindings_t	input_channel_bindings;	/* channel bindings, or GSS_C_NO_CHANNEL_BINDINGS */
} rpc_gss_options_req_t;
     82 
/*
 * Results of context establishment.  major_status/minor_status carry the
 * GSS-API status codes; they are declared int here although the GSS-API
 * types are OM_uint32, so convert before comparing against GSS_S_* values
 * rather than treating them as signed quantities.
 * actual_mechanism is an OID pointer in the kernel but a mechanism-name
 * string at user level; the filler must NUL-terminate it within MAX_GSS_MECH.
 */
typedef struct {
	int			major_status;		/* GSS major status of the attempt */
	int			minor_status;		/* mechanism-specific minor status */
	uint_t			rpcsec_version;		/* RPCSEC_GSS protocol version in use (cf. RPCSEC_GSS_VERSION) */
	int			ret_flags;		/* context flags actually granted */
	int			time_ret;		/* context lifetime actually granted */
	gss_ctx_id_t		gss_context;		/* established GSS-API context handle */
#ifdef _KERNEL
	rpc_gss_OID		actual_mechanism;	/* mechanism OID in use */
#else
	char			actual_mechanism[MAX_GSS_MECH];	/* mechanism name in use, NUL-terminated */
#endif
} rpc_gss_options_ret_t;
     96 
     97 /*
     98  * raw credentials
     99  */
/*
 * Raw (mechanism-level) credentials of a client, handed back through the
 * rcred argument of rpc_gss_getcred().  At user level mechanism and qop
 * are names; in the kernel they are an OID and a numeric QOP.
 * Ownership of the pointed-to data is not stated in this header; treat it
 * as owned by the library until the implementation says otherwise.
 * A server deciding authorization should check 'service' against the
 * protection level it requires, not only the principal.
 */
typedef struct {
	uint_t			version;	/* RPCSEC_GSS protocol version of the session */
#ifdef _KERNEL
	rpc_gss_OID		mechanism;	/* mechanism OID */
	uint_t			qop;		/* numeric QOP */
#else
	char			*mechanism;	/* mechanism name */
	char			*qop;		/* QOP name */
#endif
	rpc_gss_principal_t	client_principal;	/* client's exported principal; see rpc_gss_principal */
	char	*svc_principal;	/* service@server, e.g. nfs@caribe */
	rpc_gss_service_t	service;	/* security service in effect for this session */
} rpc_gss_rawcred_t;
    113 
    114 /*
    115  * unix credentials
    116  */
/*
 * UNIX credentials derived from the client principal, handed back through
 * the ucred argument of rpc_gss_getcred().  gidlen presumably gives the
 * number of valid entries in gidlist.
 * NOTE(review): gidlen is a 'short'; code that fills it from a wider count
 * must range-check before narrowing, and readers should treat a negative
 * value as invalid rather than as a length.
 */
typedef struct {
	uid_t			uid;		/* mapped user id */
	gid_t			gid;		/* primary group id */
	short			gidlen;		/* number of entries in gidlist */
	gid_t			*gidlist;	/* supplementary groups, gidlen entries */
} rpc_gss_ucred_t;
    123 
    124 /*
    125  * for callback routine
    126  */
/*
 * Registration record for rpc_gss_set_callback(): the callback is presumably
 * invoked when a context is established for the given RPC program/version.
 * NOTE(review): 'callback' is declared with an empty parameter list, so the
 * compiler checks neither the assignment nor the call; the expected
 * signature must be taken from the implementation's documentation.
 */
typedef struct {
	uint_t			program;	/* RPC program number the callback applies to */
	uint_t			version;	/* RPC program version */
	bool_t			(*callback)();	/* unprototyped; see note above */
} rpc_gss_callback_t;
    132 
    133 /*
    134  * lock used for the callback routine
    135  */
/*
 * State handed to the callback routine (see rpc_gss_callback_t).
 * raw_cred points at the client's raw credentials; 'locked' records
 * whether they have been locked in place.  The exact locking contract
 * is not visible in this header — confirm against the callback docs.
 */
typedef struct {
	bool_t			locked;		/* TRUE once raw_cred is locked */
	rpc_gss_rawcred_t	*raw_cred;	/* client raw credentials for this context */
} rpc_gss_lock_t;
    140 
    141 
    142 /*
    143  * This is for user RPC applications.
    144  * Structure used to fetch the error code when one of
    145  * the rpc_gss_* routines fails.
    146  */
/*
 * Error report for user RPC applications, filled in by rpc_gss_get_error()
 * after an rpc_gss_* routine fails.  system_error presumably carries errno
 * when rpc_gss_error is RPC_GSS_ER_SYSTEMERROR.
 */
typedef struct {
	int	rpc_gss_error;	/* one of the RPC_GSS_ER_* codes below */
	int	system_error;	/* system error detail when applicable */
} rpc_gss_error_t;

#define	RPC_GSS_ER_SUCCESS	0	/* no error */
#define	RPC_GSS_ER_SYSTEMERROR	1	/* system error; see system_error */
    154 
    155 
#ifdef _SYSCALL32
/*
 * ILP32 image of gss_clnt_data, used when a 32-bit process passes sec_data
 * into an LP64 kernel.  Only the OID member differs (gss_OID_desc32);
 * the remaining members must keep the same order and sizes as
 * gss_clnt_data below.
 */
struct gss_clnt_data32 {
	gss_OID_desc32	mechanism;		/* mechanism OID, 32-bit layout */
	rpc_gss_service_t	service;	/* requested security service */
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;			/* numeric QOP */
};
#endif
    166 
    167 /*
    168  * This is for Kernel RPC applications.
    169  * RPCSEC_GSS flavor specific data in sec_data opaque field.
    170  */
/*
 * Kernel-side RPCSEC_GSS data carried in the opaque sec_data field.
 * uname/inst/realm are fixed MAX_NAME_LEN arrays with no separate length,
 * so code that copies user-supplied names into them must bound the copy
 * and leave a NUL terminator.  Keep in sync with gss_clnt_data32 above.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc	mechanism;	/* mechanism OID (by value) */
	rpc_gss_service_t	service;	/* requested security service */
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;			/* numeric QOP */
} gss_clntdata_t;
    179 
    180 
struct svc_req;	/* forward declaration; only used through pointers below */
    182 /*
    183  *  KERNEL rpc_gss_* interfaces.
    184  */
    185 #ifdef _KERNEL
/*
 * Kernel client side.  These take an explicit cred_t rather than relying
 * on thread state.  Return conventions differ (int vs bool_t) and are not
 * documented here — check each definition before treating 0 as success.
 */

/* Obtain an AUTH for principal/mechanism/service/qop; presumably served from a cache when possible. */
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);

/* Release an AUTH obtained from rpc_gss_secget/rpc_gss_seccreate. */
void rpc_gss_secfree(AUTH *);

/* Always create a fresh AUTH (same arguments as secget minus the cache cookie). */
int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, cred_t *, AUTH **);

/* Revoke cached credentials for a uid under a mechanism (inferred from the name). */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
/* Purge cached entries associated with the given cookie (inferred from the name). */
void rpc_gss_secpurge(void *);
/* Server-side handler for the RPCSEC_GSS auth flavor; prototyped here but not in the user branch. */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
			struct rpc_msg *, bool_t *);
/* Change service/qop on an existing AUTH; qop is numeric here, a name at user level. */
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
/* Security service currently set on the AUTH. */
rpc_gss_service_t rpc_gss_get_service_type(AUTH *);
    202 
    203 
    204 #else
    205 /*
    206  *  USER rpc_gss_* public interfaces
    207  */
/*
 * Create an RPCSEC_GSS AUTH handle for 'clnt' against server 'principal'
 * using the named mechanism, service and QOP.  options_req presumably may
 * be NULL for defaults; options_ret receives the establishment results,
 * including major/minor status when it fails.  Presumably returns NULL on
 * failure, with the reason available via rpc_gss_get_error().
 * NOTE(review): every string parameter in this section is 'char *' rather
 * than 'const char *', so the prototypes do not promise the strings are
 * left unmodified.
 */
AUTH *
rpc_gss_seccreate(
	CLIENT			*clnt,		/* associated client handle */
	char			*principal,	/* server service principal */
	char			*mechanism,	/* security mechanism */
	rpc_gss_service_t	service_type,	/* security service */
	char			*qop,		/* requested QOP */
	rpc_gss_options_req_t	*options_req,	/* requested options */
	rpc_gss_options_ret_t   *options_ret    /* returned options */
);

/*
 * Build the mechanism-specific exported principal for user_name (with
 * optional node and secdomain) into *principal.  The storage is presumably
 * allocated by the library; confirm who frees it before using it in a
 * long-lived server.  Returns FALSE on failure.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t	*principal,	/* out: exported principal */
	char			*mechanism,	/* mechanism name */
	char			*user_name,	/* user name to translate */
	char			*node,		/* optional node (host) part */
	char			*secdomain	/* optional security domain (realm) */
);

/*
 * List of installed mechanism names; presumably NULL-terminated and owned
 * by the library.
 * NOTE(review): declared with an empty parameter list rather than (void),
 * so callers get no argument checking.
 */
char **rpc_gss_get_mechanisms();

/*
 * QOP names supported by 'mechanism'; *service presumably receives the
 * service type the mechanism supports.
 */
char **rpc_gss_get_mech_info(
	char			*mechanism,	/* mechanism name */
	rpc_gss_service_t	*service	/* out: supported service */
);

/* TRUE if the named mechanism is installed. */
bool_t
rpc_gss_is_installed(
	char	*mechanism
);

/* Translate a mechanism name to its OID; *oid presumably points at library storage. */
bool_t
rpc_gss_mech_to_oid(
	char		*mech,
	rpc_gss_OID	*oid
);

/* Translate a QOP name for 'mech' into the numeric QOP in *num. */
bool_t
rpc_gss_qop_to_num(
	char	*qop,
	char	*mech,
	uint_t	*num
);

/*
 * Server side: register the service principal under which program/version
 * accept RPCSEC_GSS requests, acquiring credentials for it (req_time is
 * presumably the requested credential lifetime).  This binds the server's
 * identity; a FALSE return means the server cannot authenticate clients.
 */
bool_t
rpc_gss_set_svc_name(
	char			*principal,	/* service principal, e.g. nfs@host */
	char			*mechanism,	/* mechanism name */
	uint_t			req_time,	/* requested lifetime */
	uint_t			program,	/* RPC program number */
	uint_t			version		/* RPC program version */
);

/* Change service and QOP on an existing AUTH; qop is a name here, numeric in the kernel. */
bool_t
rpc_gss_set_defaults(
	AUTH			*auth,
	rpc_gss_service_t	service,
	char			*qop
);

/* Fetch the error recorded by the most recent failing rpc_gss_* call. */
void
rpc_gss_get_error(
	rpc_gss_error_t		*error		/* out: error report */
);
    273 
    274 /*
    275  * User level private interfaces
    276  */
/*
 * NOTE(review): all three are declared with empty parameter lists, so no
 * argument checking happens at call sites; __svcrpcsec_gss has a full
 * prototype in the _KERNEL branch above but not here.  Double-underscore
 * names are reserved to the implementation and are not for applications.
 */
enum auth_stat __svcrpcsec_gss();	/* server-side handler for the RPCSEC_GSS auth flavor */
bool_t	__rpc_gss_wrap();		/* presumably applies integrity/privacy to outgoing data */
bool_t	__rpc_gss_unwrap();		/* presumably verifies/decrypts incoming data */
    280 
    281 #endif
    282 
    283 /*
    284  *  USER and KERNEL rpc_gss_* interfaces.
    285  */
/* Register a per-program/version callback; see rpc_gss_callback_t. */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t	*cb
);

/*
 * Server side: fetch the credentials of the caller of 'req'.  The raw
 * credentials (rcred), mapped UNIX credentials (ucred) and the cookie
 * set by the callback are returned through the out pointers; presumably
 * any of them may be NULL when not wanted.  Servers should base
 * authorization on these values and on rcred->service, not on the
 * request alone.
 */
bool_t
rpc_gss_getcred(
	struct svc_req		*req,		/* request being served */
	rpc_gss_rawcred_t	**rcred,	/* out: raw credentials */
	rpc_gss_ucred_t		**ucred,	/* out: UNIX credentials */
	void			**cookie	/* out: callback cookie */
);

/*
 * Client side: largest payload that, once wrapped for the handle's
 * service/QOP, still fits in max_tp_unit_len transport bytes (inferred
 * from the name; confirm the exact accounting in the implementation).
 */
int
rpc_gss_max_data_length(
	AUTH			*rpcgss_handle,
	int			max_tp_unit_len
);

/* Server-side counterpart of rpc_gss_max_data_length for the context of 'req'. */
int
rpc_gss_svc_max_data_length(
	struct	svc_req		*req,
	int			max_tp_unit_len
);

/* Highest and lowest RPCSEC_GSS protocol versions this library supports. */
bool_t
rpc_gss_get_versions(
	uint_t	*vers_hi,
	uint_t	*vers_lo
);
    316 
/* Upper bound on credential-refresh retries; its use is not visible in this header. */
#define	RPCSEC_GSS_REFRESH_ATTEMPTS 	20
    318 
    319 /*
    320  * Protocol data.
    321  *
     322  * The reason to put these definitions in this header file
    323  * is for 2.6 snoop to handle the RPCSEC_GSS protocol
    324  * interpretation.
    325  */
/*
 * RPCSEC_GSS control procedures carried in the credential's gss_proc
 * field, and the protocol version spoken (both as in RFC 2203).
 * These are wire values: do not renumber.
 */
#define	RPCSEC_GSS_DATA			0	/* ordinary data request */
#define	RPCSEC_GSS_INIT			1	/* begin context establishment */
#define	RPCSEC_GSS_CONTINUE_INIT	2	/* continue a multi-leg establishment */
#define	RPCSEC_GSS_DESTROY		3	/* tear down the context */

#define	RPCSEC_GSS_VERSION		1	/* RPCSEC_GSS protocol version 1 */
    332 
    333 #ifdef	__cplusplus
    334 }
    335 #endif
    336 
    337 #endif	/* !_RPCSEC_GSS_H */