/*-
 * Copyright (c) 2008 Doug Rabson
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * rpcsec_gss.h - public interface of the RPCSEC_GSS authentication flavour
 * (GSS-API based security for ONC RPC).  The header is shared between the
 * kernel (_KERNEL) and userland builds; the _KERNEL / !_KERNEL sections
 * below select which entry points are visible to each.
 */

#ifndef _RPCSEC_GSS_H
#define _RPCSEC_GSS_H

#include <kgssapi/gssapi.h>

/*
 * Size of rpc_gss_options_ret_t.actual_mechanism.  The #ifndef lets a
 * consumer override it before including this header, but doing so changes
 * the layout of rpc_gss_options_ret_t relative to a library built with the
 * default, so every translation unit that exchanges that struct must agree
 * on the value.  Leave it at the default unless there is a reason not to.
 */
#ifndef MAX_GSS_MECH
#define MAX_GSS_MECH 64
#endif

/*
 * Define the types of security service required for rpc_gss_seccreate().
 *
 * These are the RPCSEC_GSS service levels.  NOTE(review): this header does
 * not define their semantics; the usual meaning is: none = the peer is
 * authenticated but RPC arguments/results travel unprotected,
 * integrity = arguments/results carry a GSS MIC, privacy = arguments/results
 * are wrapped (encrypted and integrity-protected).  Callers moving sensitive
 * data should request rpc_gss_svc_privacy explicitly rather than rely on
 * rpc_gss_svc_default, whose resolution is left to the implementation --
 * confirm against the implementation before depending on either.
 */
typedef enum {
	rpc_gss_svc_default = 0,
	rpc_gss_svc_none = 1,
	rpc_gss_svc_integrity = 2,
	rpc_gss_svc_privacy = 3
} rpc_gss_service_t;

/*
 * Structure containing options for rpc_gss_seccreate().
 *
 * Field semantics are not spelled out here; presumably req_flags and
 * my_cred are passed through to the GSS context-establishment call and
 * input_channel_bindings lets the caller bind the context to the transport
 * endpoint -- confirm with the implementation.
 */
typedef struct {
	int		req_flags;	/* GSS request bits */
	int		time_req;	/* requested credential lifetime */
	gss_cred_id_t	my_cred;	/* GSS credential */
	gss_channel_bindings_t input_channel_bindings;
} rpc_gss_options_req_t;

/*
 * Structure containing options returned by rpc_gss_seccreate().
 *
 * actual_mechanism is a fixed-size buffer of MAX_GSS_MECH bytes; nothing
 * here guarantees NUL termination, so bound any string operation on it by
 * MAX_GSS_MECH.  major_status/minor_status are presumably the GSS-API
 * status codes of the last GSS call made by rpc_gss_seccreate() -- confirm.
 */
typedef struct {
	int		major_status;
	int		minor_status;
	u_int		rpcsec_version;
	int		ret_flags;
	int		time_req;
	gss_ctx_id_t	gss_context;
	char		actual_mechanism[MAX_GSS_MECH];
} rpc_gss_options_ret_t;

/*
 * Client principal type. Used as an argument to
 * rpc_gss_get_principal_name(). Also referenced by the
 * rpc_gss_rawcred_t structure.
 *
 * This is a variable-length object: `name' is declared with one element
 * but the real object presumably extends for `len' bytes past it (the C89
 * "struct hack").  Consequently:
 *  - `len', not sizeof, is the only valid bound for accessing `name';
 *  - nothing here implies `name' is NUL-terminated, so compare principals
 *    by (len, memcmp) rather than with str* functions;
 *  - `len' is a signed int; code that receives a principal built from
 *    peer-supplied data (e.g. the client_principal handed out by
 *    rpc_gss_getcred() on the server) should treat a negative or
 *    implausibly large `len' as invalid before using it as a size.
 * Note also that the typedef names a pointer, so `rpc_gss_principal_t p'
 * is a pointer and sizeof(p) says nothing about the object.
 */
typedef struct {
	int		len;
	char		name[1];
} *rpc_gss_principal_t;

/*
 * Structure for raw credentials used by rpc_gss_getcred() and
 * rpc_gss_set_callback().
 *
 * The pointer members (mechanism, qop, client_principal, svc_principal)
 * are handed out by the library; their ownership and lifetime are not
 * documented here -- presumably they stay valid while the security context
 * exists and must not be freed by the caller -- confirm.  `service' is
 * presumably the service level in effect for the context, which is what a
 * server should check before acting on a request that requires integrity
 * or privacy (see rpc_gss_lock_t).
 */
typedef struct {
	u_int		version;	/* RPC version number */
	const char	*mechanism;	/* security mechanism */
	const char	*qop;		/* quality of protection */
	rpc_gss_principal_t client_principal; /* client name */
	const char	*svc_principal;	/* server name */
	rpc_gss_service_t service;	/* service type */
} rpc_gss_rawcred_t;

/*
 * Unix credentials derived from raw credentials. Returned by
 * rpc_gss_getcred().
 *
 * gidlen is presumably the number of entries in gidlist (a `short', so at
 * most SHRT_MAX groups); index gidlist only within [0, gidlen).  Because
 * rpc_gss_getcred() returns bool_t, these values should only be used when
 * that call returned TRUE.  Ownership of gidlist is not documented here --
 * presumably it belongs to the library; confirm before freeing or
 * retaining it.
 */
typedef struct {
	uid_t		uid;		/* user ID */
	gid_t		gid;		/* group ID */
	short		gidlen;
	gid_t		*gidlist;	/* list of groups */
} rpc_gss_ucred_t;

/*
 * Structure used to enforce a particular QOP and service.
 *
 * Passed to the server's rpc_gss_callback_t callback.  Presumably the
 * callback sets `locked' to TRUE to pin the context to the service and QOP
 * recorded in raw_cred, so the client cannot later switch the same context
 * to a weaker service -- confirm with the implementation.
 */
typedef struct {
	bool_t		locked;
	rpc_gss_rawcred_t *raw_cred;
} rpc_gss_lock_t;

/*
 * Callback structure used by rpc_gss_set_callback().
 *
 * Registers a server-side policy hook for one (program, version) pair.
 * The callback receives the request, a delegated GSS credential (`deleg',
 * presumably only meaningful if the client delegated one), the established
 * GSS context, the lock structure described above and a cookie slot.  The
 * same `void **cookie' parameter appears on rpc_gss_getcred(), so whatever
 * the callback stores there is presumably handed back to the service on
 * later requests.  Its bool_t result presumably decides whether the context
 * is accepted; treat it as the place to reject principals or service levels
 * the program does not allow.  Lifetime of `deleg' is not documented here
 * -- confirm.
 */
typedef struct {
	u_int		program;	/* RPC program number */
	u_int		version;	/* RPC version number */
					/* user defined callback */
	bool_t		(*callback)(struct svc_req *req,
				    gss_cred_id_t deleg,
				    gss_ctx_id_t gss_context,
				    rpc_gss_lock_t *lock,
				    void **cookie);
} rpc_gss_callback_t;

/*
 * Structure used to return error information by rpc_gss_get_error()
 *
 * rpc_gss_error takes one of the RPC_GSS_ER_* values below; system_error
 * is presumably only meaningful when rpc_gss_error is
 * RPC_GSS_ER_SYSTEMERROR.
 */
typedef struct {
	int		rpc_gss_error;
	int		system_error;	/* same as errno */
} rpc_gss_error_t;

/*
 * Values for rpc_gss_error
 */
#define RPC_GSS_ER_SUCCESS	0	/* no error */
#define RPC_GSS_ER_SYSTEMERROR	1	/* system error */

__BEGIN_DECLS

#ifdef _KERNEL
/*
 * Kernel-only helpers.  rpc_gss_secfind() presumably looks up (or creates)
 * a cached AUTH for the given client/credential/principal/mechanism/service
 * tuple and rpc_gss_secpurge() drops cached entries for a client -- confirm;
 * the header says nothing about their behaviour.
 */
AUTH	*rpc_gss_secfind(CLIENT *clnt, struct ucred *cred,
    const char *principal, gss_OID mech_oid, rpc_gss_service_t service);
void	rpc_gss_secpurge(CLIENT *clnt);
#endif

/*
 * Client side: create an AUTH handle that authenticates `clnt' to the
 * server principal `principal' using the named GSS mechanism, service level
 * and QOP.  options_req supplies extra GSS parameters; options_ret is where
 * to look for the GSS status after a failure (see the struct comments
 * above).  Presumably returns NULL on failure; whether options_req /
 * options_ret may be NULL is not stated here -- confirm.
 */
AUTH	*rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred,
    const char *principal, const char *mechanism, rpc_gss_service_t service,
    const char *qop, rpc_gss_options_req_t *options_req,
    rpc_gss_options_ret_t *options_ret);
/* Change the service level / QOP used for subsequent calls on `auth'. */
bool_t	rpc_gss_set_defaults(AUTH *auth, rpc_gss_service_t service,
    const char *qop);
/*
 * Largest argument payload that fits in a transport unit of
 * max_tp_unit_len bytes once the RPCSEC_GSS overhead for `handle' is added
 * (presumably; the exact accounting lives in the implementation).
 */
int	rpc_gss_max_data_length(AUTH *handle, int max_tp_unit_len);
/* Retrieve the error recorded by the last failing call (see __rpc_gss_set_error). */
void	rpc_gss_get_error(rpc_gss_error_t *error);

/*
 * Mechanism / QOP name helpers.  Treat the *_ret outputs as valid only when
 * the function returns TRUE.  rpc_gss_get_mechanisms() and
 * rpc_gss_get_mech_info() return library-owned arrays; their termination
 * convention (presumably a NULL sentinel) and lifetime are not documented
 * here -- confirm.
 */
bool_t	rpc_gss_mech_to_oid(const char *mech, gss_OID *oid_ret);
bool_t	rpc_gss_oid_to_mech(gss_OID oid, const char **mech_ret);
bool_t	rpc_gss_qop_to_num(const char *qop, const char *mech, u_int *num_ret);
const char **rpc_gss_get_mechanisms(void);
const char **rpc_gss_get_mech_info(const char *mech, rpc_gss_service_t *service);
bool_t	rpc_gss_get_versions(u_int *vers_hi, u_int *vers_lo);
bool_t	rpc_gss_is_installed(const char *mech);

/*
 * Server side.  rpc_gss_set_svc_name() registers the service principal and
 * mechanism the server accepts contexts for on (program, version);
 * req_time is presumably the requested credential lifetime, as with
 * rpc_gss_options_req_t.time_req.  rpc_gss_clear_svc_name() undoes it.
 */
bool_t	rpc_gss_set_svc_name(const char *principal, const char *mechanism,
    u_int req_time, u_int program, u_int version);
void	rpc_gss_clear_svc_name(u_int program, u_int version);
/*
 * Fetch the raw and Unix credentials (and the callback cookie) associated
 * with an authenticated request.  Make authorization decisions on *rcred /
 * *ucred only when this returns TRUE; on FALSE the outputs are not to be
 * trusted.  Whether any output pointer may be NULL is not stated here.
 */
bool_t	rpc_gss_getcred(struct svc_req *req, rpc_gss_rawcred_t **rcred,
    rpc_gss_ucred_t **ucred, void **cookie);
/* Install / remove a per-(program, version) policy callback; see rpc_gss_callback_t. */
bool_t	rpc_gss_set_callback(rpc_gss_callback_t *cb);
void	rpc_gss_clear_callback(rpc_gss_callback_t *cb);
/*
 * Build an rpc_gss_principal_t for the given mechanism from a user name,
 * node and domain (presumably so it can be compared against the
 * client_principal in rpc_gss_rawcred_t).  The result is returned through
 * *principal; who frees it is not documented here -- confirm.
 */
bool_t	rpc_gss_get_principal_name(rpc_gss_principal_t *principal,
    const char *mech, const char *name, const char *node, const char *domain);
/* Server-side counterpart of rpc_gss_max_data_length() for a request. */
int	rpc_gss_svc_max_data_length(struct svc_req *req, int max_tp_unit_len);

/*
 * Internal interface from the RPC implementation.
 *
 * Not for application use: the double-underscore names are reserved
 * identifiers and the prototypes may change.  __rpc_gss_wrap() /
 * __rpc_gss_unwrap() presumably apply and remove the per-call RPCSEC_GSS
 * protection on the XDR stream for the service level in effect on `auth'
 * (userland only); __rpc_gss_set_error() records the value later returned
 * by rpc_gss_get_error().
 */
#ifndef _KERNEL
bool_t	__rpc_gss_wrap(AUTH *auth, void *header, size_t headerlen,
    XDR* xdrs, xdrproc_t xdr_args, void *args_ptr);
bool_t	__rpc_gss_unwrap(AUTH *auth, XDR* xdrs, xdrproc_t xdr_args,
    void *args_ptr);
#endif
bool_t	__rpc_gss_set_error(int rpc_gss_error, int system_error);

__END_DECLS

#endif /* !_RPCSEC_GSS_H */