xref: /illumos-gate/usr/src/uts/common/rpc/rpcsec_gss.h (revision 24da5b34f49324ed742a340010ed5bd3d4e06625)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
29  */
30 
31 /*
32  * rpcsec_gss.h, RPCSEC_GSS security service interface.
33  */
34 
35 #ifndef	_RPCSEC_GSS_H
36 #define	_RPCSEC_GSS_H
37 
38 #pragma ident	"%Z%%M%	%I%	%E% SMI"
39 
40 #ifdef	__cplusplus
41 extern "C" {
42 #endif
43 
44 #include <rpc/auth.h>
45 #include <rpc/clnt.h>
46 #include <gssapi/gssapi.h>
47 
48 /*
49  * Interface definitions.
50  */
51 #define	MAX_NAME_LEN			 64
52 #define	MAX_GSS_MECH			128
53 #define	MAX_GSS_NAME			128
54 
55 typedef enum {
56 	rpc_gss_svc_default = 0,
57 	rpc_gss_svc_none = 1,
58 	rpc_gss_svc_integrity = 2,
59 	rpc_gss_svc_privacy = 3
60 } rpc_gss_service_t;
61 
62 /*
63  * GSS-API based security mechanism type specified as
64  * object identifiers (OIDs).
65  * This type is derived from gss_OID_desc/gss_OID.
66  */
67 #define	rpc_gss_OID_s	gss_OID_desc_struct
68 typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
69 
70 /*
71  * Interface data.
72  * This is already suitable for both LP64 and ILP32.
73  */
74 typedef struct rpc_gss_principal {
75 	int	len;
76 	char	name[1];
77 } *rpc_gss_principal_t;
78 
79 typedef struct {
80 	int			req_flags;
81 	int			time_req;
82 	gss_cred_id_t		my_cred;
83 	gss_channel_bindings_t	input_channel_bindings;
84 } rpc_gss_options_req_t;
85 
86 typedef struct {
87 	int			major_status;
88 	int			minor_status;
89 	uint_t			rpcsec_version;
90 	int			ret_flags;
91 	int			time_ret;
92 	gss_ctx_id_t		gss_context;
93 #ifdef _KERNEL
94 	rpc_gss_OID		actual_mechanism;
95 #else
96 	char			actual_mechanism[MAX_GSS_MECH];
97 #endif
98 } rpc_gss_options_ret_t;
99 
100 /*
101  * raw credentials
102  */
103 typedef struct {
104 	uint_t			version;
105 #ifdef _KERNEL
106 	rpc_gss_OID		mechanism;
107 	uint_t			qop;
108 #else
109 	char			*mechanism;
110 	char			*qop;
111 #endif
112 	rpc_gss_principal_t	client_principal;
113 	char	*svc_principal;	/* service@server, e.g. nfs@caribe */
114 	rpc_gss_service_t	service;
115 } rpc_gss_rawcred_t;
116 
117 /*
118  * unix credentials
119  */
120 typedef struct {
121 	uid_t			uid;
122 	gid_t			gid;
123 	short			gidlen;
124 	gid_t			*gidlist;
125 } rpc_gss_ucred_t;
126 
127 /*
128  * for callback routine
129  */
130 typedef struct {
131 	uint_t			program;
132 	uint_t			version;
133 	bool_t			(*callback)();
134 } rpc_gss_callback_t;
135 
136 /*
137  * lock used for the callback routine
138  */
139 typedef struct {
140 	bool_t			locked;
141 	rpc_gss_rawcred_t	*raw_cred;
142 } rpc_gss_lock_t;
143 
144 
145 /*
146  * This is for user RPC applications.
147  * Structure used to fetch the error code when one of
148  * the rpc_gss_* routines fails.
149  */
150 typedef struct {
151 	int	rpc_gss_error;
152 	int	system_error;
153 } rpc_gss_error_t;
154 
155 #define	RPC_GSS_ER_SUCCESS	0	/* no error */
156 #define	RPC_GSS_ER_SYSTEMERROR	1	/* system error */
157 
158 
159 #ifdef _SYSCALL32
160 struct gss_clnt_data32 {
161 	gss_OID_desc32	mechanism;
162 	rpc_gss_service_t	service;
163 	char		uname[MAX_NAME_LEN];	/* server's service name */
164 	char		inst[MAX_NAME_LEN];	/* server's instance name */
165 	char		realm[MAX_NAME_LEN];	/* server's realm */
166 	uint_t		qop;
167 };
168 #endif
169 
170 /*
171  * This is for Kernel RPC applications.
172  * RPCSEC_GSS flavor specific data in sec_data opaque field.
173  */
174 typedef struct gss_clnt_data {
175 	rpc_gss_OID_desc	mechanism;
176 	rpc_gss_service_t	service;
177 	char		uname[MAX_NAME_LEN];	/* server's service name */
178 	char		inst[MAX_NAME_LEN];	/* server's instance name */
179 	char		realm[MAX_NAME_LEN];	/* server's realm */
180 	uint_t		qop;
181 } gss_clntdata_t;
182 
183 
184 struct svc_req;
185 /*
186  *  KERNEL rpc_gss_* interfaces.
187  */
188 #ifdef _KERNEL
189 int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
190 			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
191 			rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);
192 
193 void rpc_gss_secfree(AUTH *);
194 
195 int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
196 			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
197 			rpc_gss_options_ret_t *, cred_t *, AUTH **);
198 
199 int rpc_gss_revauth(uid_t, rpc_gss_OID);
200 void rpc_gss_secpurge(void *);
201 enum auth_stat __svcrpcsec_gss(struct svc_req *,
202 			struct rpc_msg *, bool_t *);
203 bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
204 
205 
206 #else
207 /*
208  *  USER rpc_gss_* public interfaces
209  */
210 AUTH *
211 rpc_gss_seccreate(
212 	CLIENT			*clnt,		/* associated client handle */
213 	char			*principal,	/* server service principal */
214 	char			*mechanism,	/* security mechanism */
215 	rpc_gss_service_t	service_type,	/* security service */
216 	char			*qop,		/* requested QOP */
217 	rpc_gss_options_req_t	*options_req,	/* requested options */
218 	rpc_gss_options_ret_t   *options_ret    /* returned options */
219 );
220 
221 bool_t
222 rpc_gss_get_principal_name(
223 	rpc_gss_principal_t	*principal,
224 	char			*mechanism,
225 	char			*user_name,
226 	char			*node,
227 	char			*secdomain
228 );
229 
230 char **rpc_gss_get_mechanisms();
231 
232 char **rpc_gss_get_mech_info(
233 	char			*mechanism,
234 	rpc_gss_service_t	*service
235 );
236 
237 bool_t
238 rpc_gss_is_installed(
239 	char	*mechanism
240 );
241 
242 bool_t
243 rpc_gss_mech_to_oid(
244 	char		*mech,
245 	rpc_gss_OID	*oid
246 );
247 
248 bool_t
249 rpc_gss_qop_to_num(
250 	char	*qop,
251 	char	*mech,
252 	uint_t	*num
253 );
254 
255 bool_t
256 rpc_gss_set_svc_name(
257 	char			*principal,
258 	char			*mechanism,
259 	uint_t			req_time,
260 	uint_t			program,
261 	uint_t			version
262 );
263 
264 bool_t
265 rpc_gss_set_defaults(
266 	AUTH			*auth,
267 	rpc_gss_service_t	service,
268 	char			*qop
269 );
270 
271 void
272 rpc_gss_get_error(
273 	rpc_gss_error_t		*error
274 );
275 
276 /*
277  * User level private interfaces
278  */
279 enum auth_stat __svcrpcsec_gss();
280 bool_t	__rpc_gss_wrap();
281 bool_t	__rpc_gss_unwrap();
282 
283 #endif
284 
285 /*
286  *  USER and KERNEL rpc_gss_* interfaces.
287  */
288 bool_t
289 rpc_gss_set_callback(
290 	rpc_gss_callback_t	*cb
291 );
292 
293 bool_t
294 rpc_gss_getcred(
295 	struct svc_req		*req,
296 	rpc_gss_rawcred_t	**rcred,
297 	rpc_gss_ucred_t		**ucred,
298 	void			**cookie
299 );
300 
301 int
302 rpc_gss_max_data_length(
303 	AUTH			*rpcgss_handle,
304 	int			max_tp_unit_len
305 );
306 
307 int
308 rpc_gss_svc_max_data_length(
309 	struct	svc_req		*req,
310 	int			max_tp_unit_len
311 );
312 
313 bool_t
314 rpc_gss_get_versions(
315 	uint_t	*vers_hi,
316 	uint_t	*vers_lo
317 );
318 
319 #define	RPCSEC_GSS_REFRESH_ATTEMPTS 	20
320 
321 /*
322  * Protocol data.
323  *
324  * The reason to put these definition in this header file
325  * is for 2.6 snoop to handle the RPCSEC_GSS protocol
326  * interpretation.
327  */
328 #define	RPCSEC_GSS_DATA			0
329 #define	RPCSEC_GSS_INIT			1
330 #define	RPCSEC_GSS_CONTINUE_INIT	2
331 #define	RPCSEC_GSS_DESTROY		3
332 
333 #define	RPCSEC_GSS_VERSION		1
334 
335 #ifdef	__cplusplus
336 }
337 #endif
338 
339 #endif	/* !_RPCSEC_GSS_H */
340