1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 %/*
23 % * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24 % * Use is subject to license terms.
25 % */
26 %
27 %#pragma ident	"%Z%%M%	%I%	%E% SMI"
28 %
29 %/*
30 % *  RPC protocol information for gssd, the usermode daemon that
31 % *  assists the kernel with gssapi. It is gssd that executes all
32 % *  gssapi calls except for some such as gss_sign(), and
33 % *  gss_verify(), which are executed in the kernel itself.
34 % *
35 % *  File generated from gssd.x
36 % */
37 %
38 %#define	NO 0
39 %#define	YES 1
40 %#define	FOREVER 1
41 %
42 %#include <sys/types.h>
43 %#include <sys/time.h>
44 %#include <rpc/auth_sys.h>
45 %#ifndef _KERNEL
46 %#include <locale.h>
47 %#endif /* not _KERNEL */
48 %
49 
50 %#ifdef _KERNEL
51 %extern void killgssd_handle(CLIENT *);
52 %extern CLIENT *getgssd_handle(void);
53 %#endif /* _KERNEL */
54 %
55 /*
56  * These are the definitions for the interface to GSSD.
57  */
58 
/*
 * Basic XDR types for the kernel <-> gssd interface.  Handles, OIDs and
 * buffers are carried as variable-length opaque byte strings (<>); their
 * internal structure is not described at this layer.
 */
typedef unsigned int				OM_UINT32;	/* GSS-API 32-bit status/flag word */

typedef opaque					GSS_CTX_ID_T<>;	/* security context handle */
typedef opaque					GSS_CRED_ID_T<>;	/* credential handle */
typedef opaque					GSS_OID<>;	/* mechanism or name-type OID */
typedef opaque					GSS_BUFFER_T<>;	/* byte buffer: names, tokens, messages */
typedef gid_t					GSSCRED_GIDS<>;	/* variable-length list of group ids */

typedef GSS_OID					GSS_OID_SET<>;	/* variable-length list of OIDs */
68 
/*
 * Channel bindings passed to GSS_INIT_SEC_CONTEXT / GSS_ACCEPT_SEC_CONTEXT.
 * "present" says whether the remaining fields carry any bindings at all;
 * when it is zero the caller supplied no channel bindings.
 */
struct GSS_CHANNEL_BINDINGS_STRUCT {
	int		present;		/* nonzero: bindings below are valid */
	OM_UINT32	initiator_addrtype;	/* address family of initiator_address */
	GSS_BUFFER_T	initiator_address;	/* initiator's address bytes */
	OM_UINT32	acceptor_addrtype;	/* address family of acceptor_address */
	GSS_BUFFER_T    acceptor_address;	/* acceptor's address bytes */
	GSS_BUFFER_T    application_data;	/* application-specific binding data */
};

typedef	struct GSS_CHANNEL_BINDINGS_STRUCT	GSS_CHANNEL_BINDINGS;
79 
/*
 * Argument of GSS_ACQUIRE_CRED (procedure 1).
 */
struct gss_acquire_cred_arg {
	uid_t		uid;			/* client uid on whose behalf the cred is acquired */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	OM_UINT32	time_req;		/* requested validity interval (for this call, the credential's) */
	GSS_OID_SET	desired_mechs;		/* cred mechanisms */
	int		cred_usage;		/* init/accept/both */
};
88 
/*
 * Result of GSS_ACQUIRE_CRED (procedure 1).  The handle and its verifier are
 * returned together; later calls that use the handle pass both back
 * (see gss_release_cred_arg, gss_inquire_cred_arg).
 */
struct gss_acquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CRED_ID_T	output_cred_handle;	/* returned credential handle */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle; presumably lets gssd reject handles it did not issue -- confirm in gssd */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	time_rec;		/* actual validity granted */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
97 
/*
 * Argument of GSS_ADD_CRED (procedure 21).  Adds a mechanism-specific
 * element to the credential identified by input_cred_handle.
 */
struct gss_add_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_CRED_ID_T	input_cred_handle;	/* input credential handle (updated in place, see note below) */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handle, as returned by GSS_ACQUIRE_CRED */
	GSS_BUFFER_T	desired_name;		/* name of cred */
	GSS_OID		name_type;		/* type of desired name */
	GSS_OID		desired_mech_type;	/* single mechanism to add (an OID, not a set) */
	int		cred_usage;		/* init/accept/both */
	OM_UINT32	initiator_time_req;	/* requested validity when initiating */
	OM_UINT32	acceptor_time_req;	/* requested validity when accepting */
};
/*
 * Note: for gss_add_cred we always update the underlying credentials of
 * input_cred_handle.  We always pass NULL as output_cred_handle when the
 * call to gss_add_cred is made.
 */
/*
 * Result of GSS_ADD_CRED (procedure 21).  No handle is returned because the
 * input credential is updated in place.
 */
struct gss_add_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	actual_mechs;		/* found cred mechanisms */
	OM_UINT32	initiator_time_rec;	/* cred validity interval when initiating */
	OM_UINT32	acceptor_time_rec;	/* cred validity interval when accepting */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
120 
/*
 * Argument of GSS_RELEASE_CRED (procedure 2).
 */
struct gss_release_cred_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier; 	/* verifier for cred handles, as returned with the handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle to release */
};
126 
/*
 * Result of GSS_RELEASE_CRED (procedure 2).
 */
struct gss_release_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
131 
/*
 * Argument of GSS_INIT_SEC_CONTEXT (procedure 3), the initiator side of
 * context establishment.  context_handle identifies a context from an
 * earlier round of the exchange.
 */
struct gss_init_sec_context_arg {
	uid_t		uid;			/* client uid */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	claimant_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	target_name;		/* name of server */
	GSS_OID		name_type;		/* type of principal name */
	GSS_OID		mech_type;		/* requested mechanism */
	int		req_flags;		/* requested context options */
	OM_UINT32	time_req;		/* context validity interval */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
	GSS_BUFFER_T	input_token;		/* token received from the peer (the token to send is output_token in the result) */
};
147 
/*
 * Result of GSS_INIT_SEC_CONTEXT (procedure 3).
 */
struct gss_init_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles; passed back on later calls */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID		actual_mech_type;	/* actual mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send to the peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
158 
/*
 * Argument of GSS_ACCEPT_SEC_CONTEXT (procedure 4), the acceptor side of
 * context establishment.
 */
struct gss_accept_sec_context_arg {
	uid_t		uid;			/* client uid */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CRED_ID_T	verifier_cred_handle;	/* must = GSS_C_NO_CREDENTIAL */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_BUFFER_T	input_token_buffer;	/* token received from the peer (initiator) */
	GSS_CHANNEL_BINDINGS
			input_chan_bindings;	/* requested channel bindings */
};
169 
/*
 * Result of GSS_ACCEPT_SEC_CONTEXT (procedure 4).  src_name is the peer
 * identity the mechanism authenticated; consumers should act on it only
 * after checking that status reports success.
 */
struct gss_accept_sec_context_res {
	GSS_CTX_ID_T	context_handle;		/* handle to created context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles; passed back on later calls */
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	src_name;		/* authenticated name of peer */
	GSS_OID		mech_type;		/* mechanism used */
	GSS_BUFFER_T	output_token;		/* token to send back to the peer */
	OM_UINT32	ret_flags;		/* options of context */
	OM_UINT32	time_rec;		/* actual context validity */
	GSS_CRED_ID_T	delegated_cred_handle;	/* always GSS_C_NO_CREDENTIAL */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
182 
/*
 * Argument of GSS_PROCESS_CONTEXT_TOKEN (procedure 5).
 */
struct gss_process_context_token_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	token_buffer;		/* token to process */
};
189 
/*
 * Result of GSS_PROCESS_CONTEXT_TOKEN (procedure 5).
 */
struct gss_process_context_token_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
194 
/*
 * Argument of GSS_DELETE_SEC_CONTEXT (procedure 6).  Unlike the
 * establishment calls this carries no uid: the context is identified by
 * its handle and verifier alone.
 */
struct gss_delete_sec_context_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
199 
/*
 * Result of GSS_DELETE_SEC_CONTEXT (procedure 6).
 */
struct gss_delete_sec_context_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_CTX_ID_T	context_handle;		/* handle to deleted context */
	GSS_BUFFER_T	output_token;		/* output token for peer */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
206 
/*
 * Argument of GSS_EXPORT_SEC_CONTEXT (procedure 19).
 */
struct gss_export_sec_context_arg {
        GSS_CTX_ID_T context_handle;		/* handle to existing context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
211 
/*
 * Result of GSS_EXPORT_SEC_CONTEXT (procedure 19).  output_token is the
 * serialized context; it is the input of GSS_IMPORT_SEC_CONTEXT.
 */
struct gss_export_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to existing context */
        GSS_BUFFER_T	output_token;		/* input token for import_sec_context */
        OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
218 
/*
 * Argument of GSS_IMPORT_SEC_CONTEXT (procedure 20).
 */
struct gss_import_sec_context_arg {
        GSS_BUFFER_T	input_token;		/* serialized context from export_sec_context */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
};
223 
/*
 * Result of GSS_IMPORT_SEC_CONTEXT (procedure 20).
 */
struct gss_import_sec_context_res {
        OM_UINT32	minor_status;		/* status from the mechanism */
        GSS_CTX_ID_T	context_handle;		/* handle to created context */
        OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
229 
/*
 * Argument of GSS_CONTEXT_TIME (procedure 7).
 */
struct gss_context_time_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
};
235 
/*
 * Result of GSS_CONTEXT_TIME (procedure 7).
 */
struct gss_context_time_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	time_rec;		/* remaining context validity */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
241 
/*
 * Argument of GSS_SIGN (procedure 8).  Per the file header, signing is
 * normally done in the kernel itself; this procedure is the gssd fallback.
 */
struct gss_sign_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		qop_req;		/* quality of protection */
	GSS_BUFFER_T	message_buffer;		/* message to sign */
};
248 
/*
 * Result of GSS_SIGN (procedure 8).
 */
struct gss_sign_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	msg_token;		/* integrity token over message_buffer */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
254 
/*
 * Argument of GSS_VERIFY (procedure 9).  Per the file header, verification
 * is normally done in the kernel itself; this procedure is the gssd fallback.
 */
struct gss_verify_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	message_buffer;		/* message to verify */
	GSS_BUFFER_T	token_buffer;		/* buffer containing the integrity token */
};
261 
/*
 * Result of GSS_VERIFY (procedure 9).  status (not qop_state) says whether
 * the token verified.
 */
struct gss_verify_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		qop_state;		/* quality of protection found on the token */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
267 
268 %/* EXPORT DELETE START */
/*
 * Argument of GSS_SEAL (procedure 13).  Lies between the EXPORT DELETE
 * markers, so it may be absent from export builds.
 */
struct gss_seal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	int		conf_req_flag;		/* nonzero: confidentiality requested, not just integrity */
	int		qop_req;		/* quality of prot. requested */
	GSS_BUFFER_T	input_message_buffer;	/* message to protect */
};
276 
/*
 * Result of GSS_SEAL (procedure 13).  Callers that required confidentiality
 * must check conf_state, since the mechanism may have applied integrity only.
 */
struct gss_seal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		conf_state;		/* type of conf. actually applied */
	GSS_BUFFER_T	output_message_buffer;	/* protected message */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
283 
/*
 * Argument of GSS_UNSEAL (procedure 14), the inverse of GSS_SEAL.  Lies
 * between the EXPORT DELETE markers, so it may be absent from export builds.
 */
struct gss_unseal_arg {
	OM_UINT32	gssd_context_verifier;	/* verifier for context handles */
	GSS_CTX_ID_T	context_handle;		/* handle to existing context */
	GSS_BUFFER_T	input_message_buffer;	/* protected message to unwrap (output of GSS_SEAL) */
};
289 
/*
 * Result of GSS_UNSEAL (procedure 14).  conf_state and qop_state report
 * what protection the message actually carried; callers expecting
 * confidentiality must check conf_state, not just status.
 */
struct gss_unseal_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	output_message_buffer;	/* recovered (unprotected) message */
	int		conf_state;		/* type of conf. provided */
	int		qop_state;		/* quality of prot. provided */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
297 
298 %/* EXPORT DELETE END */
299 
/*
 * Argument of GSS_DISPLAY_STATUS (procedure 10).
 */
struct gss_display_status_arg {
	uid_t		uid;			/* client uid */
	int		status_value;		/* status to be converted */
	int		status_type;		/* GSS or mech status */
	GSS_OID		mech_type;		/* mechanism */
	OM_UINT32	message_context;	/* recursion flag (declared int in the result) */
};
307 
/*
 * Result of GSS_DISPLAY_STATUS (procedure 10).  status_string is text
 * produced by gssd, not a GSS token.
 */
struct gss_display_status_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	int		message_context;	/* recursion flag (declared OM_UINT32 in the arg; same wire size) */
	GSS_BUFFER_T	status_string;		/* text equiv of status */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
314 
315 %/* gss_indicate_mechs_arg is void. This appears in the rpc call def */
316 
/*
 * Result of GSS_INDICATE_MECHS (procedure 11).  The procedure takes no
 * argument (void in the program definition below).
 */
struct gss_indicate_mechs_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_OID_SET	mech_set;		/* mechanism set supported */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
322 
/*
 * Argument of GSS_INQUIRE_CRED (procedure 12).
 */
struct gss_inquire_cred_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
};
328 
/*
 * Result of GSS_INQUIRE_CRED (procedure 12).
 */
struct gss_inquire_cred_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	GSS_BUFFER_T	name;			/* name associated with cred */
	GSS_OID		name_type;		/* type of name */
	OM_UINT32	lifetime;		/* remaining validity period */
	int		cred_usage;		/* how creds may be used */
	GSS_OID_SET	mechanisms;		/* mechs associated with cred */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
338 
/*
 * Argument of GSS_INQUIRE_CRED_BY_MECH (procedure 22).
 */
struct gss_inquire_cred_by_mech_arg {
	uid_t		uid;			/* client uid */
	OM_UINT32	gssd_cred_verifier;	/* verifier for cred handle */
	GSS_CRED_ID_T	cred_handle;		/* credential handle */
	GSS_OID		mech_type;		/* cred mechanism */
};
345 
/*
 * Result of GSS_INQUIRE_CRED_BY_MECH (procedure 22).  Only the status
 * words are returned; no name or lifetime is carried over this interface.
 */
struct gss_inquire_cred_by_mech_res {
	OM_UINT32	minor_status;		/* status from the mechanism */
	OM_UINT32	status;			/* status of GSSAPI call (major status) */
};
350 
/*
 * Argument of GSSCRED_NAME_TO_UNIX_CRED (procedure 16): map a principal
 * name to local unix credentials.
 */
struct gsscred_name_to_unix_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_BUFFER_T	pname;			/* principal name */
	GSS_OID		name_type;		/* oid of principal name */
	GSS_OID		mech_type;		/* for which mechanism to use */
};
357 
/*
 * Result of GSSCRED_NAME_TO_UNIX_CRED (procedure 16).  The uid/gid/gids
 * are meaningful only when major reports success; note that this result
 * carries "major" where the other results use "status".
 */
struct gsscred_name_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* status of the GSSAPI call */
};
364 
365 
/*
 * Argument of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15): map an
 * exported-name principal to local unix credentials.
 */
struct
gsscred_expname_to_unix_cred_arg {
	uid_t		uid;			/* client uid */
	GSS_BUFFER_T	expname;		/* principal in export format */
};
371 
/*
 * Result of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15).  The uid/gid/gids
 * are meaningful only when major reports success.
 */
struct
gsscred_expname_to_unix_cred_res {
	uid_t		uid;			/* principal's uid */
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* major status code */
};
379 
380 
/*
 * Argument of GSS_GET_GROUP_INFO (procedure 17).  Two uids are carried:
 * the caller's and the principal whose groups are requested.
 */
struct gss_get_group_info_arg {
	uid_t		uid;			/* client uid */
	uid_t		puid;			/* principal's uid */
};
385 
/*
 * Result of GSS_GET_GROUP_INFO (procedure 17).  gid/gids are meaningful
 * only when major reports success.
 */
struct gss_get_group_info_res {
	gid_t		gid;			/* principal's gid */
	GSSCRED_GIDS	gids;			/* array of principal's gids */
	OM_UINT32	major;			/* major status code */
};
391 
392 
/*
 * Argument of GSS_GET_KMOD (procedure 18): ask gssd which kernel module
 * implements a mechanism.  No uid is carried.
 */
struct gss_get_kmod_arg	{
	GSS_OID mech_oid;			/* mechanism whose kernel module is wanted */

};
397 
/*
 * Result of GSS_GET_KMOD (procedure 18).  Discriminated union: modname is
 * present only when module_follow is TRUE.  The module name is a string
 * chosen by gssd; how the kernel uses it is outside this file.
 */
union gss_get_kmod_res switch (bool module_follow) {
	case TRUE:
		string modname<>;		/* kernel module name for the mechanism */
	case FALSE:
		void;				/* no module known for mech_oid */
};
404 
405 
/*
 *  The server accepts requests only from the loopback address.
 *  Unix authentication is used, and the port must be in the reserved range.
 *  These transport checks are what the caller-supplied "uid" fields in the
 *  argument structures rely on for their trustworthiness.
 */
410 
/*
 * GSSPROG / GSSVERS: the RPC program through which the kernel reaches gssd.
 * Procedure numbers are part of the wire protocol and must not be
 * renumbered; 13 and 14 (seal/unseal) sit between the EXPORT DELETE
 * markers and may be absent from export builds.
 */
program GSSPROG {
    version GSSVERS {

	/*
	 *  Called by the client to acquire a credential.
	 */
	gss_acquire_cred_res
		GSS_ACQUIRE_CRED(gss_acquire_cred_arg)			= 1;

	/*
	 *  Called by the client to release a credential.
	 */
	gss_release_cred_res
		GSS_RELEASE_CRED(gss_release_cred_arg)			= 2;

	/*
	 *  Called by the client (initiator) to initialize a security context.
	 */
	gss_init_sec_context_res
		GSS_INIT_SEC_CONTEXT(gss_init_sec_context_arg)		= 3;

	/*
	 *  Called by the server (acceptor) to accept a security context
	 *  initiated by a peer.
	 */
	gss_accept_sec_context_res
		GSS_ACCEPT_SEC_CONTEXT(gss_accept_sec_context_arg) 	= 4;

	/*
	 *  Called to pass a context token to the underlying mechanism.
	 */
	gss_process_context_token_res
		GSS_PROCESS_CONTEXT_TOKEN(gss_process_context_token_arg) = 5;

	/*
	 *  Called to delete a security context.
	 */
	gss_delete_sec_context_res
		GSS_DELETE_SEC_CONTEXT(gss_delete_sec_context_arg) 	= 6;

	/*
	 *  Called to get the remaining time a security context has to live.
	 */
	gss_context_time_res
		GSS_CONTEXT_TIME(gss_context_time_arg) 			= 7;

	/*
	 *  Called to sign a message (normally done in the kernel; see the
	 *  file header).
	 */
	gss_sign_res	GSS_SIGN(gss_sign_arg)				= 8;

	/*
	 *  Called to verify a signed message (normally done in the kernel;
	 *  see the file header).
	 */
	gss_verify_res	GSS_VERIFY(gss_verify_arg)			= 9;

	/*
	 *  Called to translate a status code into a string.
	 */
	gss_display_status_res
			GSS_DISPLAY_STATUS(gss_display_status_arg)	= 10;

	/*
	 *  Called to indicate which underlying mechanisms are supported.
	 *  Takes no argument.
	 */
	gss_indicate_mechs_res
			GSS_INDICATE_MECHS(void)			= 11;

	/*
	 *  Called by the client to inquire about a credential.
	 */
	gss_inquire_cred_res
		GSS_INQUIRE_CRED(gss_inquire_cred_arg)			= 12;


/* EXPORT DELETE START */

	/*
	 *  Called to seal a message.
	 */
	gss_seal_res	GSS_SEAL(gss_seal_arg)				= 13;

	/*
	 *  Called to unseal a message.
	 */
	gss_unseal_res	GSS_UNSEAL(gss_unseal_arg)			= 14;

/* EXPORT DELETE END */

	/*
	 * gsscred interface functions to obtain principal uid and gids.
	 * Their results report status in a "major" field rather than "status".
	 */
	gsscred_expname_to_unix_cred_res
			GSSCRED_EXPNAME_TO_UNIX_CRED(
				gsscred_expname_to_unix_cred_arg)	= 15;

	gsscred_name_to_unix_cred_res
			GSSCRED_NAME_TO_UNIX_CRED(
				gsscred_name_to_unix_cred_arg)		= 16;

	gss_get_group_info_res
			GSS_GET_GROUP_INFO(gss_get_group_info_arg)	= 17;

	/*
	 *  Called to find the kernel module that implements a mechanism.
	 */
	gss_get_kmod_res
			GSS_GET_KMOD(gss_get_kmod_arg)			= 18;

	/*
	 *  Called to serialize an existing context into a token, and to
	 *  rebuild a context from such a token.
	 */
	gss_export_sec_context_res
			GSS_EXPORT_SEC_CONTEXT(gss_export_sec_context_arg) = 19;

	gss_import_sec_context_res
			GSS_IMPORT_SEC_CONTEXT(gss_import_sec_context_arg) = 20;
	/*
	 *  Called by the client to add to a credential.
	 */
	gss_add_cred_res
		GSS_ADD_CRED(gss_add_cred_arg)				= 21;
	/*
	 *  Called by the client to inquire about a credential for one
	 *  mechanism; only status words are returned.
	 */
	gss_inquire_cred_by_mech_res
		GSS_INQUIRE_CRED_BY_MECH(gss_inquire_cred_by_mech_arg)
									= 22;

    } = 1;
} = 100234;