1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 %/*
23 % * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24 % * Use is subject to license terms.
25 % */
26 %
27 %/*
28 % *  RPC protocol information for gssd, the usermode daemon that
29 % *  assists the kernel with gssapi. It is gssd that executes all
30 % *  gssapi calls except for some such as gss_sign(), and
31 % *  gss_verify(), which are executed in the kernel itself.
32 % *
33 % *  File generated from gssd.x
34 % */
35 %
36 %#define	NO 0
37 %#define	YES 1
38 %#define	FOREVER 1
39 %
40 %#include <sys/types.h>
41 %#include <sys/time.h>
42 %#include <rpc/auth_sys.h>
43 %#ifndef _KERNEL
44 %#include <locale.h>
45 %#endif /* not _KERNEL */
46 %
47 
48 %#ifdef _KERNEL
49 %extern void killgssd_handle(CLIENT *);
50 %extern CLIENT *getgssd_handle(void);
51 %#endif /* _KERNEL */
52 %
53 /*
54  * These are the definitions for the interface to GSSD.
55  */
56 
typedef unsigned int				OM_UINT32;	/* 32-bit GSS status / flag word */

/*
 * Variable-length opaque byte strings.  The XDR "<>" suffix declares no
 * explicit upper bound here, so any length limit comes from the XDR layer
 * or the consumer, not from this definition.
 */
typedef opaque					GSS_CTX_ID_T<>;	/* security context handle */
typedef opaque					GSS_CRED_ID_T<>;	/* credential handle */
typedef opaque					GSS_OID<>;	/* mechanism / name-type OID */
typedef opaque					GSS_BUFFER_T<>;	/* names, tokens, messages */
typedef gid_t					GSSCRED_GIDS<>;	/* variable-length gid array */

typedef GSS_OID					GSS_OID_SET<>;	/* variable-length array of OIDs */
66 
/*
 * Channel bindings passed with GSS_INIT_SEC_CONTEXT and
 * GSS_ACCEPT_SEC_CONTEXT.  "present" is a flag (NO/YES); when it is NO the
 * remaining members are presumably ignored by gssd -- confirm against the
 * server implementation.
 */
struct GSS_CHANNEL_BINDINGS_STRUCT {
	int		present;		/* NO: no bindings supplied */
	OM_UINT32	initiator_addrtype;	/* address family of initiator */
	GSS_BUFFER_T	initiator_address;	/* initiator address bytes */
	OM_UINT32	acceptor_addrtype;	/* address family of acceptor */
	GSS_BUFFER_T    acceptor_address;	/* acceptor address bytes */
	GSS_BUFFER_T    application_data;	/* application-supplied bytes */
};

typedef	struct GSS_CHANNEL_BINDINGS_STRUCT	GSS_CHANNEL_BINDINGS;
77 
/*
 * Argument of GSS_ACQUIRE_CRED (procedure 1).
 * NOTE(review): uid travels in the request body; whether gssd cross-checks
 * it against the AUTH_SYS credential of the RPC call is not visible here.
 */
struct gss_acquire_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	OM_UINT32	time_req;		/* requested validity interval */
	GSS_OID_SET	desired_mechs;		/* cred mechanisms */
	int		cred_usage;		/* init/accept/both */
};
86 
/*
 * Result of GSS_ACQUIRE_CRED (procedure 1).  The returned handle is paired
 * with gssd_cred_verifier; later calls that take the handle also carry the
 * verifier (e.g. gss_release_cred_arg).
 */
struct gss_acquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CRED_ID_T	output_cred_handle;	/* returned credential handle */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	time_rec;		/* actual validity interval */
	OM_UINT32	status;			/* GSS major status of the call */
};
95 
/*
 * Argument of GSS_ADD_CRED (procedure 21).  Adds one mechanism
 * (desired_mech_type) to an existing credential.
 */
struct gss_add_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_CRED_ID_T	input_cred_handle;	/* input credential handle */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	GSS_OID		desired_mech_type;	/* single mechanism to add */
	int		cred_usage;		/* init/accept/both */
	OM_UINT32	initiator_time_req;	/* requested initiator validity */
	OM_UINT32	acceptor_time_req;	/* requested acceptor validity */
};
/*
 * Note: for gss_add_cred we always update the underlying credentials of
 * input_cred_handle, and always pass NULL as output_cred_handle when the call
 * to gss_add_cred is made.
 */
/*
 * Result of GSS_ADD_CRED (procedure 21).  No new handle is returned; the
 * credential named by the argument's input_cred_handle is updated in place.
 */
struct gss_add_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	initiator_time_rec;	/* initiator cred validity */
	OM_UINT32	acceptor_time_rec;	/* acceptor cred validity */
	OM_UINT32	status;			/* GSS major status of the call */
};
118 
/* Argument of GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handles */
	GSS_CRED_ID_T	cred_handle;		/* credential handle to release */
};
124 
/* Result of GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* GSS major status of the call */
};
129 
/*
 * Argument of GSS_INIT_SEC_CONTEXT (procedure 3).
 * NOTE(review): req_flags is declared int here while ret_flags in the
 * result is OM_UINT32; both presumably carry the same GSS flag bits.
 */
struct gss_init_sec_context_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	claimant_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	target_name;		/* name of server */
	GSS_OID		name_type;		/* type of principal name */
	GSS_OID		mech_type;		/* requested mechanism */
	int		req_flags;		/* requested context options */
	OM_UINT32	time_req;		/* context validity interval */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
	GSS_BUFFER_T	input_token;		/* token received from peer */
};
145 
/*
 * Result of GSS_INIT_SEC_CONTEXT (procedure 3).  context_handle and
 * gssd_context_verifier are returned as a pair and are echoed back together
 * on later context calls.
 */
struct gss_init_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID		actual_mech_type;	/* actual mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send to peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	OM_UINT32	status;			/* GSS major status of the call */
};
156 
/* Argument of GSS_ACCEPT_SEC_CONTEXT (procedure 4). */
struct gss_accept_sec_context_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	verifier_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	input_token_buffer;	/* token received from peer */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
};
167 
/*
 * Result of GSS_ACCEPT_SEC_CONTEXT (procedure 4).  src_name is the peer
 * identity as authenticated by the mechanism; it is only meaningful when
 * status reports success.
 */
struct gss_accept_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	src_name;		/* authenticated name of peer */
	GSS_OID		mech_type;		/* mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send to peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	GSS_CRED_ID_T	delegated_cred_handle;	/* always GSS_C_NO_CREDENTIAL */
	OM_UINT32	status;			/* GSS major status of the call */
};
180 
/* Argument of GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	token_buffer;		/* token to process */
};
187 
/* Result of GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* GSS major status of the call */
};
192 
/*
 * Argument of GSS_DELETE_SEC_CONTEXT (procedure 6).  Unlike the
 * context-creation calls this carries no client uid; the handle/verifier
 * pair alone names the context.
 */
struct gss_delete_sec_context_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
197 
/* Result of GSS_DELETE_SEC_CONTEXT (procedure 6). */
struct gss_delete_sec_context_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CTX_ID_T	context_handle;		/* handle to deleted context */
	GSS_BUFFER_T	output_token;		/* output token for peer */
	OM_UINT32	status;			/* GSS major status of the call */
};
204 
/* Argument of GSS_EXPORT_SEC_CONTEXT (procedure 19).  No client uid. */
struct gss_export_sec_context_arg {
        GSS_CTX_ID_T context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
209 
/*
 * Result of GSS_EXPORT_SEC_CONTEXT (procedure 19).  output_token is the
 * serialized context, consumed by gss_import_sec_context_arg.input_token;
 * it presumably contains the context's session keys, so treat it as
 * sensitive -- confirm against the mechanism.
 */
struct gss_export_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to existing context */
        GSS_BUFFER_T	output_token;		/* input token for import_sec_context */
        OM_UINT32	status;			/* GSS major status of the call */
};
216 
/*
 * Argument of GSS_IMPORT_SEC_CONTEXT (procedure 20).  input_token is the
 * blob produced by GSS_EXPORT_SEC_CONTEXT.  No client uid is carried.
 */
struct gss_import_sec_context_arg {
        GSS_BUFFER_T	input_token;		/* input token for import_sec_context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
221 
/* Result of GSS_IMPORT_SEC_CONTEXT (procedure 20). */
struct gss_import_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to created context */
        OM_UINT32	status;			/* GSS major status of the call */
};
227 
/* Argument of GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
233 
/* Result of GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	time_rec;		/* remaining context validity */
	OM_UINT32	status;			/* GSS major status of the call */
};
239 
/*
 * Argument of GSS_SIGN (procedure 8).  Per the file header, sign/verify
 * are normally executed in the kernel; this RPC form exists for the
 * daemon path.  No client uid is carried.
 */
struct gss_sign_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		qop_req;		/* quality of protection */
	GSS_BUFFER_T	message_buffer;		/* message to sign */
};
246 
/* Result of GSS_SIGN (procedure 8). */
struct gss_sign_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	msg_token;		/* integrity token over message */
	OM_UINT32	status;			/* GSS major status of the call */
};
252 
/* Argument of GSS_VERIFY (procedure 9).  No client uid is carried. */
struct gss_verify_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	message_buffer;		/* message to verify */
	GSS_BUFFER_T	token_buffer;		/* buffer containing token */
};
259 
/*
 * Result of GSS_VERIFY (procedure 9).  qop_state is only meaningful when
 * status reports success.
 */
struct gss_verify_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		qop_state;		/* quality of protection */
	OM_UINT32	status;			/* GSS major status of the call */
};
265 
/* Argument of GSS_SEAL (procedure 13).  No client uid is carried. */
struct gss_seal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		conf_req_flag;		/* confidentiality requested? */
	int		qop_req;		/* quality of prot. requested */
	GSS_BUFFER_T	input_message_buffer;	/* message to protect */
};
273 
/*
 * Result of GSS_SEAL (procedure 13).  conf_state reports whether
 * confidentiality was actually applied; callers that require encryption
 * must check it rather than assume conf_req_flag was honored.
 */
struct gss_seal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		conf_state;		/* confidentiality applied? */
	GSS_BUFFER_T	output_message_buffer;	/* protected message */
	OM_UINT32	status;			/* GSS major status of the call */
};
280 
/* Argument of GSS_UNSEAL (procedure 14).  No client uid is carried. */
struct gss_unseal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	input_message_buffer;	/* protected message to unseal */
};
286 
/*
 * Result of GSS_UNSEAL (procedure 14).  conf_state and qop_state describe
 * the protection the peer actually applied; output_message_buffer is only
 * trustworthy when status reports success.
 */
struct gss_unseal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	output_message_buffer;	/* unsealed message */
	int		conf_state;		/* confidentiality was provided? */
	int		qop_state;		/* quality of prot. provided */
	OM_UINT32	status;			/* GSS major status of the call */
};
294 
/*
 * Argument of GSS_DISPLAY_STATUS (procedure 10).
 * NOTE(review): message_context is OM_UINT32 here but int in
 * gss_display_status_res.
 */
struct gss_display_status_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	int		status_value;		/* status to be converted */
	int		status_type;		/* GSS or mech status */
	GSS_OID		mech_type;		/* mechanism */
	OM_UINT32	message_context;	/* recursion flag */
};
302 
/*
 * Result of GSS_DISPLAY_STATUS (procedure 10).  status_string is
 * mechanism-produced text; it is not NUL-terminated by this definition
 * (GSS_BUFFER_T is length-counted opaque).
 */
struct gss_display_status_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		message_context;	/* recursion flag */
	GSS_BUFFER_T	status_string;		/* text equiv of status */
	OM_UINT32	status;			/* GSS major status of the call */
};
309 
310 %/* gss_indicate_mechs_arg is void. This appears in the rpc call def */
311 
/* Result of GSS_INDICATE_MECHS (procedure 11); the procedure takes void. */
struct gss_indicate_mechs_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	mech_set;		/* mechanism set supported */
	OM_UINT32	status;			/* GSS major status of the call */
};
317 
/* Argument of GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
};
323 
/* Result of GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	name;			/* name associated with cred */
	GSS_OID		name_type;		/* type of name */
	OM_UINT32	lifetime;		/* remaining validity period */
	int		cred_usage;		/* how creds may be used */
	GSS_OID_SET	mechanisms;		/* mechs associated with cred */
	OM_UINT32	status;			/* GSS major status of the call */
};
333 
/* Argument of GSS_INQUIRE_CRED_BY_MECH (procedure 22). */
struct gss_inquire_cred_by_mech_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
	GSS_OID		mech_type;		/* cred mechanism */
};
340 
/*
 * Result of GSS_INQUIRE_CRED_BY_MECH (procedure 22).  Only the status pair
 * is returned; per-mechanism name/lifetime/usage are not carried.
 */
struct gss_inquire_cred_by_mech_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* GSS major status of the call */
};
345 
/*
 * Argument of GSSCRED_NAME_TO_UNIX_CRED (procedure 16): map a principal
 * name to a local uid/gid set.
 */
struct gsscred_name_to_unix_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_BUFFER_T	pname;			/* principal name */
	GSS_OID		name_type;		/* oid of principal name */
	GSS_OID		mech_type;		/* for which mechanism to use */
};
352 
/*
 * Result of GSSCRED_NAME_TO_UNIX_CRED (procedure 16).  These are the local
 * identity the kernel will act under, so uid/gid/gids are only meaningful
 * when major reports success.
 */
struct gsscred_name_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* GSS major status of the call */
};
359 
360 
/*
 * Argument of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15): map an
 * exported-name blob to a local uid/gid set.
 */
struct
gsscred_expname_to_unix_cred_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	GSS_BUFFER_T	expname;		/* principal in export format */
};
366 
/*
 * Result of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15).  uid/gid/gids are
 * only meaningful when major reports success.
 */
struct
gsscred_expname_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* GSS major status of the call */
};
374 
375 
/*
 * Argument of GSS_GET_GROUP_INFO (procedure 17): look up the group list of
 * an already-mapped principal uid.
 */
struct gss_get_group_info_arg {
	uid_t		uid;			/* client uid (request-supplied) */
	uid_t		puid;			/* principal's uid */
};
380 
/* Result of GSS_GET_GROUP_INFO (procedure 17). */
struct gss_get_group_info_res {
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* GSS major status of the call */
};
386 
387 
/* Argument of GSS_GET_KMOD (procedure 18): the mechanism OID to look up. */
struct gss_get_kmod_arg	{
	GSS_OID mech_oid;			/* mechanism OID */

};
392 
/*
 * Result of GSS_GET_KMOD (procedure 18).  Discriminated on module_follow:
 * TRUE carries a module name string (no length bound declared here),
 * FALSE carries nothing.  The kernel presumably uses modname to load a
 * mechanism module -- confirm how the caller validates it.
 */
union gss_get_kmod_res switch (bool module_follow) {
	case TRUE:
		string modname<>;	/* kernel module name */
	case FALSE:
		void;			/* no module name returned */
};
399 
400 
401 /*
402  *  The server accepts requests only from the loopback address.
403  *  Unix authentication is used, and the port must be in the reserved range.
404  */
405 
/*
 * The GSSD RPC program (number 100234), version 1.  Procedure numbers are
 * part of the wire protocol and must not be renumbered.
 */
program GSSPROG {
    version GSSVERS {

	/*
	 *  Called by the client to acquire a credential.
	 */
	gss_acquire_cred_res
		GSS_ACQUIRE_CRED(gss_acquire_cred_arg)			= 1;

	/*
	 *  Called by the client to release a credential.
	 */
	gss_release_cred_res
		GSS_RELEASE_CRED(gss_release_cred_arg)			= 2;

	/*
	 *  Called by the client to initialize a security context.
	 */
	gss_init_sec_context_res
		GSS_INIT_SEC_CONTEXT(gss_init_sec_context_arg)		= 3;

	/*
	 *  Called by the server to initialize a security context.
	 */
	gss_accept_sec_context_res
		GSS_ACCEPT_SEC_CONTEXT(gss_accept_sec_context_arg) 	= 4;

	/*
	 *  Called to pass token to underlying mechanism.
	 */
	gss_process_context_token_res
		GSS_PROCESS_CONTEXT_TOKEN(gss_process_context_token_arg) = 5;

	/*
	 *  Called to delete a security context.
	 */
	gss_delete_sec_context_res
		GSS_DELETE_SEC_CONTEXT(gss_delete_sec_context_arg) 	= 6;

	/*
	 *  Called to get remaining time security context has to live.
	 */
	gss_context_time_res
		GSS_CONTEXT_TIME(gss_context_time_arg) 			= 7;

	/*
	 *  Called to sign a message.
	 */
	gss_sign_res	GSS_SIGN(gss_sign_arg)				= 8;

	/*
	 *  Called to verify a signed message.
	 */
	gss_verify_res	GSS_VERIFY(gss_verify_arg)			= 9;

	/*
	 *  Called to translate minor status into a string.
	 */
	gss_display_status_res
			GSS_DISPLAY_STATUS(gss_display_status_arg)	= 10;

	/*
	 *  Called to indicate which underlying mechanisms are supported
	 */
	gss_indicate_mechs_res
			GSS_INDICATE_MECHS(void)			= 11;

	/*
	 *  Called by the client to inquire about a credential.
	 */
	gss_inquire_cred_res
		GSS_INQUIRE_CRED(gss_inquire_cred_arg)			= 12;


	/*
	 *  Called to seal a message.
	 */
	gss_seal_res	GSS_SEAL(gss_seal_arg)				= 13;

	/*
	 *  Called to unseal a message.
	 */
	gss_unseal_res	GSS_UNSEAL(gss_unseal_arg)			= 14;

	/*
	 * gsscred interface functions to obtain principal uid and gids
	 */
	/* Map an exported name to local uid/gid/gids. */
	gsscred_expname_to_unix_cred_res
			GSSCRED_EXPNAME_TO_UNIX_CRED(
				gsscred_expname_to_unix_cred_arg)	= 15;

	/* Map a principal name (plus name type and mechanism) to local uid/gid/gids. */
	gsscred_name_to_unix_cred_res
			GSSCRED_NAME_TO_UNIX_CRED(
				gsscred_name_to_unix_cred_arg)		= 16;

	/* Look up gid and supplementary gids for an already-mapped uid. */
	gss_get_group_info_res
			GSS_GET_GROUP_INFO(gss_get_group_info_arg)	= 17;

	/* Return the kernel module name for a mechanism OID, if any. */
	gss_get_kmod_res
			GSS_GET_KMOD(gss_get_kmod_arg)			= 18;

	/* Serialize a context into a token (see gss_export_sec_context_res). */
	gss_export_sec_context_res
			GSS_EXPORT_SEC_CONTEXT(gss_export_sec_context_arg) = 19;

	/* Recreate a context from an exported token. */
	gss_import_sec_context_res
			GSS_IMPORT_SEC_CONTEXT(gss_import_sec_context_arg) = 20;
	/*
	 *  Called by the client to add to a credential.
	 */
	gss_add_cred_res
		GSS_ADD_CRED(gss_add_cred_arg)				= 21;
	/* Inquire about a credential for a single mechanism. */
	gss_inquire_cred_by_mech_res
		GSS_INQUIRE_CRED_BY_MECH(gss_inquire_cred_by_mech_arg)
									= 22;

    } = 1;
} = 100234;