/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
 */

/*
 * rpcsec_gss.h, RPCSEC_GSS security service interface.
 *
 * Shared between the kernel RPC code (_KERNEL) and the user-level
 * library.  Several types and prototypes below have two shapes selected
 * by _KERNEL; where the two differ it is called out on the definition,
 * because a caller compiled against one side must not assume the other.
 */

#ifndef _RPCSEC_GSS_H
#define _RPCSEC_GSS_H

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif

#include <rpc/auth.h>
#include <rpc/clnt.h>
#include <gssapi/gssapi.h>

/*
 * Interface definitions.
 *
 * MAX_NAME_LEN bounds the fixed-size uname/inst/realm arrays of
 * gss_clntdata_t (and its 32-bit twin) below; MAX_GSS_MECH bounds the
 * user-level actual_mechanism array in rpc_gss_options_ret_t.  Nothing
 * in this header enforces those bounds: code that fills the arrays
 * from a name supplied by a peer or a caller must bound the copy and
 * guarantee NUL termination itself.  MAX_GSS_NAME is not referenced
 * anywhere in this header.
 */
#define MAX_NAME_LEN 64
#define MAX_GSS_MECH 128
#define MAX_GSS_NAME 128

/*
 * Security service level of an RPCSEC_GSS session.  The non-zero
 * values are the rpc_gss_service_t values of RFC 2203: none = the
 * peer is authenticated but messages are unprotected, integrity =
 * each message carries a MIC, privacy = message bodies are also
 * encrypted.  rpc_gss_svc_default (0) is not an RFC 2203 value;
 * presumably it lets the implementation choose — confirm against
 * the callers before relying on a particular resolution.
 */
typedef enum {
	rpc_gss_svc_default = 0,
	rpc_gss_svc_none = 1,
	rpc_gss_svc_integrity = 2,
	rpc_gss_svc_privacy = 3
} rpc_gss_service_t;

/*
 * GSS-API based security mechanism type specified as
 * object identifiers (OIDs).
 * This type is derived from gss_OID_desc/gss_OID.
 */
#define rpc_gss_OID_s gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;

/*
 * Interface data.
 * This is already suitable for both LP64 and ILP32.
 */

/*
 * Variable-length client principal name.  name[1] is the start of a
 * trailing buffer allocated together with the header ("struct hack"),
 * so sizeof (name) says nothing about the real length; readers must
 * bound themselves by len.  Whether the bytes are NUL-terminated is not
 * established here — NOTE(review): verify against the code that builds
 * these before treating name as a C string.
 */
typedef struct rpc_gss_principal {
	int len;
	char name[1];
} *rpc_gss_principal_t;

/*
 * Caller-supplied options for context establishment.  The fields mirror
 * the req_flags / time_req / initiator credential / channel bindings
 * inputs of the GSS-API context initiation call; how each is forwarded
 * is up to the implementation, not this header.
 */
typedef struct {
	int req_flags;
	int time_req;
	gss_cred_id_t my_cred;
	gss_channel_bindings_t input_channel_bindings;
} rpc_gss_options_req_t;

/*
 * Results of context establishment returned to the caller.
 * major_status/minor_status are GSS-API status codes; gss_context is
 * the established context handle.  actual_mechanism is an OID pointer
 * in the kernel but a fixed MAX_GSS_MECH-byte character array in user
 * space, so the two builds of this struct have different layouts.
 */
typedef struct {
	int major_status;
	int minor_status;
	uint_t rpcsec_version;
	int ret_flags;
	int time_ret;
	gss_ctx_id_t gss_context;
#ifdef _KERNEL
	rpc_gss_OID actual_mechanism;
#else
	char actual_mechanism[MAX_GSS_MECH];
#endif
} rpc_gss_options_ret_t;

/*
 * raw credentials
 *
 * Mechanism-level view of a caller's credentials as seen by a server.
 * mechanism and qop are an OID pointer and a numeric QOP in the kernel
 * but strings in user space.  client_principal points at the
 * variable-length principal described above; see the note there about
 * bounding by len.
 */
typedef struct {
	uint_t version;
#ifdef _KERNEL
	rpc_gss_OID mechanism;
	uint_t qop;
#else
	char *mechanism;
	char *qop;
#endif
	rpc_gss_principal_t client_principal;
	char *svc_principal; /* service@server, e.g. nfs@caribe */
	rpc_gss_service_t service;
} rpc_gss_rawcred_t;

/*
 * unix credentials
 *
 * Unix identity mapped from the GSS principal.  gidlen presumably
 * counts the entries of gidlist and is a short, so consumers should
 * treat it as the only bound on gidlist — TODO confirm against the
 * producer.
 */
typedef struct {
	uid_t uid;
	gid_t gid;
	short gidlen;
	gid_t *gidlist;
} rpc_gss_ucred_t;

/*
 * for callback routine
 *
 * callback is declared with an empty parameter list (pre-ANSI style),
 * so the compiler performs no argument type checking at the call site
 * or at registration; the expected signature must be taken from the
 * implementation that invokes it.
 */
typedef struct {
	uint_t program;
	uint_t version;
	bool_t (*callback)();
} rpc_gss_callback_t;

/*
 * lock used for the callback routine
 *
 * locked is a plain bool_t, not a synchronization primitive; the
 * protocol for setting and honoring it lives in the callback code.
 */
typedef struct {
	bool_t locked;
	rpc_gss_rawcred_t *raw_cred;
} rpc_gss_lock_t;

/*
 * This is for user RPC applications.
 * Structure used to fetch the error code when one of
 * the rpc_gss_* routines fails.
 *
 * Retrieved with rpc_gss_get_error().  rpc_gss_error takes one of the
 * RPC_GSS_ER_* values below (only SUCCESS and SYSTEMERROR are defined
 * in this header); system_error is meaningful when rpc_gss_error is
 * RPC_GSS_ER_SYSTEMERROR and presumably carries errno.
 */
typedef struct {
	int rpc_gss_error;
	int system_error;
} rpc_gss_error_t;

#define RPC_GSS_ER_SUCCESS 0 /* no error */
#define RPC_GSS_ER_SYSTEMERROR 1 /* system error */

/*
 * 32-bit layout twin of gss_clntdata_t, used when a 64-bit kernel
 * handles data from a 32-bit caller (_SYSCALL32).  The only difference
 * is the gss_OID_desc32 mechanism field; the two definitions must be
 * kept in lockstep field for field.
 */
#ifdef _SYSCALL32
struct gss_clnt_data32 {
	gss_OID_desc32 mechanism;
	rpc_gss_service_t service;
	char uname[MAX_NAME_LEN]; /* server's service name */
	char inst[MAX_NAME_LEN]; /* server's instance name */
	char realm[MAX_NAME_LEN]; /* server's realm */
	uint_t qop;
};
#endif

/*
 * This is for Kernel RPC applications.
 * RPCSEC_GSS flavor specific data in sec_data opaque field.
 *
 * uname/inst/realm are fixed MAX_NAME_LEN-byte arrays; whoever
 * populates them from an opaque sec_data blob must check the length
 * and NUL-terminate, since the struct itself carries no length fields.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc mechanism;
	rpc_gss_service_t service;
	char uname[MAX_NAME_LEN]; /* server's service name */
	char inst[MAX_NAME_LEN]; /* server's instance name */
	char realm[MAX_NAME_LEN]; /* server's realm */
	uint_t qop;
} gss_clntdata_t;

struct svc_req;
/*
 * KERNEL rpc_gss_* interfaces.
 *
 * Note that rpc_gss_seccreate and rpc_gss_set_defaults exist on both
 * sides of the _KERNEL switch with different signatures: the kernel
 * variants take the mechanism as an rpc_gss_OID and the QOP as a
 * uint_t, and rpc_gss_seccreate returns an int with the AUTH handle
 * passed back through the trailing AUTH **.  The user variants below
 * take strings and return the AUTH * directly.
 */
#ifdef _KERNEL
/*
 * Obtain (possibly cached) RPCSEC_GSS auth for a client handle; the
 * void * argument's meaning is not visible here.  Pair with
 * rpc_gss_secfree.
 */
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
    rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
    rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);

void rpc_gss_secfree(AUTH *);

int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
    rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
    rpc_gss_options_ret_t *, cred_t *, AUTH **);

/* Revoke cached auth state for a uid under the given mechanism. */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
void rpc_gss_secpurge(void *);
/*
 * Server-side flavor handler; fully prototyped here, unlike the
 * user-level declaration of the same name further down.
 */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
    struct rpc_msg *, bool_t *);
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);

#else
/*
 * USER rpc_gss_* public interfaces
 */

/*
 * Create an RPCSEC_GSS AUTH handle for clnt.  Returns NULL on failure;
 * the cause is then available via rpc_gss_get_error().  Who owns and
 * frees the returned handle is not stated here — presumably the usual
 * AUTH destroy path; confirm with the library.
 */
AUTH *
rpc_gss_seccreate(
	CLIENT *clnt, /* associated client handle */
	char *principal, /* server service principal */
	char *mechanism, /* security mechanism */
	rpc_gss_service_t service_type, /* security service */
	char *qop, /* requested QOP */
	rpc_gss_options_req_t *options_req, /* requested options */
	rpc_gss_options_ret_t *options_ret /* returned options */
);

/*
 * Build a mechanism-specific principal from user/node/secdomain and
 * store it through *principal.  The result is the variable-length
 * struct above; its allocation and release are the caller's concern
 * per the library's documentation, not this header's.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t *principal,
	char *mechanism,
	char *user_name,
	char *node,
	char *secdomain
);

/*
 * Declared with an empty parameter list: no argument checking.  The
 * returned list's ownership (static vs. caller-freed) is not visible
 * here.
 */
char **rpc_gss_get_mechanisms();

char **rpc_gss_get_mech_info(
	char *mechanism,
	rpc_gss_service_t *service
);

bool_t
rpc_gss_is_installed(
	char *mechanism
);

/* Map a mechanism name to its OID; see rpc_gss_qop_to_num for QOPs. */
bool_t
rpc_gss_mech_to_oid(
	char *mech,
	rpc_gss_OID *oid
);

bool_t
rpc_gss_qop_to_num(
	char *qop,
	char *mech,
	uint_t *num
);

/*
 * Server side: associate a service principal and mechanism with an
 * RPC program/version.  req_time is presumably the requested
 * credential lifetime — TODO confirm.
 */
bool_t
rpc_gss_set_svc_name(
	char *principal,
	char *mechanism,
	uint_t req_time,
	uint_t program,
	uint_t version
);

/*
 * User-level variant: qop is a QOP name string, whereas the kernel
 * declaration of the same function takes a uint_t.
 */
bool_t
rpc_gss_set_defaults(
	AUTH *auth,
	rpc_gss_service_t service,
	char *qop
);

/* Fetch the error recorded by the last failing rpc_gss_* call. */
void
rpc_gss_get_error(
	rpc_gss_error_t *error
);

/*
 * User level private interfaces
 *
 * All three are declared without parameter types, so calls are not
 * type-checked by the compiler; the kernel declaration of
 * __svcrpcsec_gss above shows the intended shape of that one.
 */
enum auth_stat __svcrpcsec_gss();
bool_t __rpc_gss_wrap();
bool_t __rpc_gss_unwrap();

#endif

/*
 * USER and KERNEL rpc_gss_* interfaces.
 */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t *cb
);

/*
 * Server side: retrieve the caller's credentials for a request.  rcred
 * and ucred receive pointers to library-owned data (inferred from the
 * double indirection and absence of a free routine — confirm); cookie
 * is the value the callback stored, if any.
 */
bool_t
rpc_gss_getcred(
	struct svc_req *req,
	rpc_gss_rawcred_t **rcred,
	rpc_gss_ucred_t **ucred,
	void **cookie
);

/*
 * Largest application payload that fits in a transport unit of
 * max_tp_unit_len bytes once the security wrapping overhead for the
 * handle's service level is accounted for (inferred from the names;
 * verify against the implementation before sizing buffers with it).
 */
int
rpc_gss_max_data_length(
	AUTH *rpcgss_handle,
	int max_tp_unit_len
);

/* Server-side counterpart of rpc_gss_max_data_length for a request. */
int
rpc_gss_svc_max_data_length(
	struct svc_req *req,
	int max_tp_unit_len
);

/* Report the highest and lowest RPCSEC_GSS versions supported. */
bool_t
rpc_gss_get_versions(
	uint_t *vers_hi,
	uint_t *vers_lo
);

/*
 * Upper bound on credential refresh retries.  Where it is consumed is
 * not visible in this header.
 */
#define RPCSEC_GSS_REFRESH_ATTEMPTS 20

/*
 * Protocol data.
 *
 * The reason to put these definitions in this header file
 * is for 2.6 snoop to handle the RPCSEC_GSS protocol
 * interpretation.
 *
 * These are the on-the-wire gss_proc control-procedure values and the
 * protocol version of RFC 2203, so they must not be renumbered.
 */
#define RPCSEC_GSS_DATA 0
#define RPCSEC_GSS_INIT 1
#define RPCSEC_GSS_CONTINUE_INIT 2
#define RPCSEC_GSS_DESTROY 3

#define RPCSEC_GSS_VERSION 1

#ifdef __cplusplus
}
#endif

#endif /* !_RPCSEC_GSS_H */