10Sstevel@tonic-gate /*
20Sstevel@tonic-gate  * CDDL HEADER START
30Sstevel@tonic-gate  *
40Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*7387SRobert.Gordon@Sun.COM  * Common Development and Distribution License (the "License").
6*7387SRobert.Gordon@Sun.COM  * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate  *
80Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate  * See the License for the specific language governing permissions
110Sstevel@tonic-gate  * and limitations under the License.
120Sstevel@tonic-gate  *
130Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate  *
190Sstevel@tonic-gate  * CDDL HEADER END
200Sstevel@tonic-gate  */
210Sstevel@tonic-gate /*
22*7387SRobert.Gordon@Sun.COM  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
230Sstevel@tonic-gate  * Use is subject to license terms.
240Sstevel@tonic-gate  */
250Sstevel@tonic-gate 
260Sstevel@tonic-gate /*
270Sstevel@tonic-gate  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
280Sstevel@tonic-gate  */
290Sstevel@tonic-gate 
300Sstevel@tonic-gate /*
310Sstevel@tonic-gate  * rpcsec_gss.h, RPCSEC_GSS security service interface.
320Sstevel@tonic-gate  */
330Sstevel@tonic-gate 
340Sstevel@tonic-gate #ifndef	_RPCSEC_GSS_H
350Sstevel@tonic-gate #define	_RPCSEC_GSS_H
360Sstevel@tonic-gate 
370Sstevel@tonic-gate #ifdef	__cplusplus
380Sstevel@tonic-gate extern "C" {
390Sstevel@tonic-gate #endif
400Sstevel@tonic-gate 
410Sstevel@tonic-gate #include <rpc/auth.h>
420Sstevel@tonic-gate #include <rpc/clnt.h>
430Sstevel@tonic-gate #include <gssapi/gssapi.h>
440Sstevel@tonic-gate 
450Sstevel@tonic-gate /*
460Sstevel@tonic-gate  * Interface definitions.
470Sstevel@tonic-gate  */
/* Bound of the uname/inst/realm buffers in gss_clntdata_t (and its 32-bit image). */
#define	MAX_NAME_LEN			 64
/* Bound of the user-level actual_mechanism string in rpc_gss_options_ret_t. */
#define	MAX_GSS_MECH			128
/* Not referenced by any declaration in this header; kept for API compatibility. */
#define	MAX_GSS_NAME			128
510Sstevel@tonic-gate 
/*
 * Security service level of an RPCSEC_GSS context (the rpc_gss_service_t
 * values of RFC 2203).  "none" authenticates only context establishment and
 * leaves call arguments and results unprotected; "integrity" adds a per-call
 * checksum (MIC); "privacy" additionally encrypts arguments and results.
 * rpc_gss_svc_default leaves the choice to the library.
 */
typedef enum {
	rpc_gss_svc_default = 0,	/* let the library pick */
	rpc_gss_svc_none = 1,		/* authentication only */
	rpc_gss_svc_integrity = 2,	/* authentication + integrity */
	rpc_gss_svc_privacy = 3		/* authentication + integrity + privacy */
} rpc_gss_service_t;
580Sstevel@tonic-gate 
/*
 * GSS-API based security mechanism type specified as
 * object identifiers (OIDs).
 * This type is derived from gss_OID_desc/gss_OID.
 *
 * rpc_gss_OID_s is an alias for the gss_OID_desc_struct tag from
 * <gssapi/gssapi.h>, so rpc_gss_OID and gss_OID name the same struct and
 * can be passed to each other's interfaces without a cast.
 */
#define	rpc_gss_OID_s	gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
660Sstevel@tonic-gate 
/*
 * Interface data.
 * This is already suitable for both LP64 and ILP32.
 *
 * Variable-length principal: `len' bytes of `name' follow the header
 * ("struct hack" with a one-element array; sizeof this struct is part of
 * how callers size the allocation, so it cannot be converted to a C99
 * flexible array member without auditing them).
 * NOTE(review): whether name[] is a NUL-terminated string or opaque bytes
 * (e.g. a GSS exported name) is not stated here -- treat it as `len'
 * bytes and bound every access by `len', confirm against the implementation.
 */
typedef struct rpc_gss_principal {
	int	len;		/* number of valid bytes in name[] */
	char	name[1];	/* first byte of the len-byte name */
} *rpc_gss_principal_t;
750Sstevel@tonic-gate 
/*
 * Caller-supplied options for context establishment (the
 * rpc_gss_options_req_t * argument of rpc_gss_seccreate()/rpc_gss_secget()).
 * NOTE(review): the fields mirror the inputs of a GSS-API context
 * initiation call (request flags, lifetime, initiator credential, channel
 * bindings) and are presumably passed through to it -- confirm in the
 * implementation before relying on any particular flag being honoured.
 */
typedef struct {
	int			req_flags;		/* context request flags */
	int			time_req;		/* requested context lifetime */
	gss_cred_id_t		my_cred;		/* initiator credential handle */
	gss_channel_bindings_t	input_channel_bindings;	/* channel bindings, if any */
} rpc_gss_options_req_t;
820Sstevel@tonic-gate 
/*
 * Results of context establishment (the rpc_gss_options_ret_t * argument of
 * rpc_gss_seccreate()/rpc_gss_secget()).  major_status/minor_status are
 * GSS-API status codes and are the place to look when creation fails.
 * The kernel build records the mechanism as an OID; the user build records
 * it as a name in a fixed MAX_GSS_MECH-byte buffer.
 * NOTE(review): NUL termination of actual_mechanism[] is not guaranteed by
 * this header -- bound reads by MAX_GSS_MECH.
 */
typedef struct {
	int			major_status;	/* GSS-API major status */
	int			minor_status;	/* GSS-API mechanism-specific status */
	uint_t			rpcsec_version;	/* RPCSEC_GSS version in use */
	int			ret_flags;	/* context flags actually granted */
	int			time_ret;	/* context lifetime actually granted */
	gss_ctx_id_t		gss_context;	/* established GSS-API context */
#ifdef _KERNEL
	rpc_gss_OID		actual_mechanism;	/* mechanism OID used */
#else
	char			actual_mechanism[MAX_GSS_MECH];	/* mechanism name used */
#endif
} rpc_gss_options_ret_t;
960Sstevel@tonic-gate 
/*
 * raw credentials
 *
 * The mechanism-level identity of an RPCSEC_GSS caller as a server sees it
 * (first out-parameter of rpc_gss_getcred()).  Authorization decisions
 * belong on client_principal together with mechanism; a server that
 * requires a minimum protection level must check `service' rather than
 * assume it, because it reports what the client's context is using.
 * Kernel and user builds differ in how mechanism and QOP are represented
 * (OID / number vs. name strings).
 */
typedef struct {
	uint_t			version;	/* RPCSEC_GSS protocol version */
#ifdef _KERNEL
	rpc_gss_OID		mechanism;	/* mechanism OID */
	uint_t			qop;		/* mechanism-specific QOP number */
#else
	char			*mechanism;	/* mechanism name */
	char			*qop;		/* QOP name */
#endif
	rpc_gss_principal_t	client_principal;	/* authenticated caller */
	char	*svc_principal;	/* service@server, e.g. nfs@caribe */
	rpc_gss_service_t	service;	/* protection level of the context */
} rpc_gss_rawcred_t;
1130Sstevel@tonic-gate 
/*
 * unix credentials
 *
 * UNIX identity mapped from the authenticated principal (second
 * out-parameter of rpc_gss_getcred()).
 * NOTE(review): ownership and lifetime of gidlist are not stated in this
 * header -- confirm before caching the pointer beyond the request.
 */
typedef struct {
	uid_t			uid;		/* effective user id */
	gid_t			gid;		/* primary group id */
	short			gidlen;		/* entries in gidlist (note: a short) */
	gid_t			*gidlist;	/* supplementary groups */
} rpc_gss_ucred_t;
1230Sstevel@tonic-gate 
/*
 * for callback routine
 *
 * Registered with rpc_gss_set_callback(); program/version select the RPC
 * program the callback applies to.  `callback' is declared without a
 * prototype, so the compiler cannot check the function assigned to it --
 * see rpc_gss_set_callback(3NSL) for the expected signature and use it
 * exactly, since a mismatch is silent.
 */
typedef struct {
	uint_t			program;	/* RPC program number */
	uint_t			version;	/* RPC program version */
	bool_t			(*callback)();	/* unprototyped; see rpc_gss_set_callback(3NSL) */
} rpc_gss_callback_t;
1320Sstevel@tonic-gate 
/*
 * lock used for the callback routine
 *
 * Handed to the registered callback together with the raw credential of
 * the context being established.
 * NOTE(review): the exact effect of setting `locked' (presumably freezing
 * the service/qop in raw_cred for the rest of the context's life) comes
 * from the callback contract, not from this header -- confirm in
 * rpc_gss_set_callback(3NSL).
 */
typedef struct {
	bool_t			locked;		/* set by the callback to pin raw_cred */
	rpc_gss_rawcred_t	*raw_cred;	/* credential under consideration */
} rpc_gss_lock_t;
1400Sstevel@tonic-gate 
1410Sstevel@tonic-gate 
/*
 * This is for user RPC applications.
 * Structure used to fetch the error code when one of
 * the rpc_gss_* routines fails (filled in by rpc_gss_get_error()).
 * NOTE(review): system_error is presumably the saved errno when
 * rpc_gss_error == RPC_GSS_ER_SYSTEMERROR -- confirm in the implementation.
 */
typedef struct {
	int	rpc_gss_error;	/* one of the RPC_GSS_ER_* codes below */
	int	system_error;	/* accompanying system error, if any */
} rpc_gss_error_t;

/* Values of rpc_gss_error_t.rpc_gss_error. */
#define	RPC_GSS_ER_SUCCESS	0	/* no error */
#define	RPC_GSS_ER_SYSTEMERROR	1	/* system error */
1540Sstevel@tonic-gate 
1550Sstevel@tonic-gate 
#ifdef _SYSCALL32
/*
 * ILP32 image of gss_clntdata_t (below): same fields in the same order,
 * with the mechanism OID in its 32-bit form.  NOTE(review): presumably
 * used by an LP64 kernel to read sec_data supplied by 32-bit processes;
 * keep the two layouts in lock-step.
 */
struct gss_clnt_data32 {
	gss_OID_desc32	mechanism;
	rpc_gss_service_t	service;
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;
};
#endif
1660Sstevel@tonic-gate 
/*
 * This is for Kernel RPC applications.
 * RPCSEC_GSS flavor specific data in sec_data opaque field.
 *
 * uname/inst/realm are fixed MAX_NAME_LEN-byte buffers: a writer must
 * bound-check and NUL-terminate what it copies in, and since this data
 * crosses into the kernel via sec_data the consumer should not assume a
 * terminator is present.  Keep in sync with gss_clnt_data32 above.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc	mechanism;	/* mechanism OID (by value) */
	rpc_gss_service_t	service;	/* requested protection level */
	char		uname[MAX_NAME_LEN];	/* server's service name */
	char		inst[MAX_NAME_LEN];	/* server's instance name */
	char		realm[MAX_NAME_LEN];	/* server's realm */
	uint_t		qop;			/* mechanism-specific QOP number */
} gss_clntdata_t;
1790Sstevel@tonic-gate 
1800Sstevel@tonic-gate 
struct svc_req;
/*
 *  KERNEL rpc_gss_* interfaces.
 *
 *  rpc_gss_secget() and rpc_gss_seccreate() take the same arguments
 *  (client handle, server principal, mechanism OID, service level, QOP
 *  number, requested/returned options, caller cred_t) and return the new
 *  AUTH through the trailing AUTH **; callers must check the int status
 *  before using it.  rpc_gss_secget() takes one extra opaque void *.
 *  NOTE(review): how the two differ (secget presumably consults a cache
 *  released by rpc_gss_secfree()/rpc_gss_secpurge()) is not visible in
 *  this header -- confirm against the implementation.
 */
#ifdef _KERNEL
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);

/* Release an AUTH obtained from rpc_gss_secget(). */
void rpc_gss_secfree(AUTH *);

int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
			rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
			rpc_gss_options_ret_t *, cred_t *, AUTH **);

/* NOTE(review): presumably revokes cached contexts for (uid, mechanism). */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
void rpc_gss_secpurge(void *);
/*
 * Server-side authentication hook for the RPCSEC_GSS flavor; returns an
 * auth_stat for the incoming request.  Unlike the user-level declaration
 * later in this file, the kernel one carries a full prototype.
 */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
			struct rpc_msg *, bool_t *);
/* Set the service level and QOP number used by later calls on the AUTH. */
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
/* Report the service level in effect for the AUTH. */
rpc_gss_service_t rpc_gss_get_service_type(AUTH *);
2020Sstevel@tonic-gate 
2030Sstevel@tonic-gate 
2040Sstevel@tonic-gate #else
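/*
 *  USER rpc_gss_* public interfaces
 *
 *  Every bool_t routine reports failure as FALSE; call rpc_gss_get_error()
 *  afterwards for the reason.  rpc_gss_get_mechanisms() is declared with
 *  (void) so that stray arguments are diagnosed instead of silently
 *  accepted by a non-prototype declaration.
 */
/*
 * Establish an RPCSEC_GSS context with the server named by `principal' and
 * return the AUTH to attach to `clnt', or NULL on failure (options_ret
 * then holds the GSS-API status codes).
 */
AUTH *
rpc_gss_seccreate(
	CLIENT			*clnt,		/* associated client handle */
	char			*principal,	/* server service principal */
	char			*mechanism,	/* security mechanism */
	rpc_gss_service_t	service_type,	/* security service */
	char			*qop,		/* requested QOP */
	rpc_gss_options_req_t	*options_req,	/* requested options */
	rpc_gss_options_ret_t   *options_ret    /* returned options */
);

/*
 * Build the rpc_gss_principal_t for user_name[@node[@secdomain]] under
 * `mechanism' and store it in *principal.
 * NOTE(review): the result is presumably heap-allocated and owned by the
 * caller -- confirm in rpc_gss_get_principal_name(3NSL) before freeing.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t	*principal,
	char			*mechanism,
	char			*user_name,
	char			*node,
	char			*secdomain
);

/*
 * Return the NULL-terminated list of installed mechanism names.
 * NOTE(review): ownership of the list is not stated here -- do not free
 * it unless the manual page says so.
 */
char **rpc_gss_get_mechanisms(void);

/*
 * Return the NULL-terminated list of QOP names supported by `mechanism'
 * and store the service level(s) it offers in *service.
 */
char **rpc_gss_get_mech_info(
	char			*mechanism,
	rpc_gss_service_t	*service
);

/* TRUE if `mechanism' is installed on this system. */
bool_t
rpc_gss_is_installed(
	char	*mechanism
);

/* Translate a mechanism name to its OID (stored in *oid). */
bool_t
rpc_gss_mech_to_oid(
	char		*mech,
	rpc_gss_OID	*oid
);

/* Translate a QOP name for `mech' to the mechanism-specific number. */
bool_t
rpc_gss_qop_to_num(
	char	*qop,
	char	*mech,
	uint_t	*num
);

/*
 * Server side: register the service principal this server accepts under
 * `mechanism' for the given RPC program/version; req_time is the requested
 * credential lifetime.
 */
bool_t
rpc_gss_set_svc_name(
	char			*principal,
	char			*mechanism,
	uint_t			req_time,
	uint_t			program,
	uint_t			version
);

/* Change the service level and QOP (by name) used by later calls on auth. */
bool_t
rpc_gss_set_defaults(
	AUTH			*auth,
	rpc_gss_service_t	service,
	char			*qop
);

/* Fetch the error of the most recent failed rpc_gss_* call into *error. */
void
rpc_gss_get_error(
	rpc_gss_error_t		*error
);

/*
 * User level private interfaces
 *
 * Declared without prototypes (their argument lists are not given here);
 * the kernel declaration of __svcrpcsec_gss() earlier in this file shows
 * the intended signature.  Not part of the public API.
 */
enum auth_stat __svcrpcsec_gss();
bool_t	__rpc_gss_wrap();
bool_t	__rpc_gss_unwrap();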
2800Sstevel@tonic-gate 
2810Sstevel@tonic-gate #endif
2820Sstevel@tonic-gate 
/*
 *  USER and KERNEL rpc_gss_* interfaces.
 */
/*
 * Register a server callback (see rpc_gss_callback_t) invoked when a
 * context is established for cb->program/cb->version.
 */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t	*cb
);

/*
 * Server side: fetch the credentials of the caller behind `req'.
 * *rcred receives the mechanism-level identity, *ucred the mapped UNIX
 * identity, *cookie whatever the callback stored for this context.
 * NOTE(review): whether any out-parameter may be NULL, and who owns the
 * returned structures, is not stated here -- confirm in rpc_gss_getcred(3NSL).
 */
bool_t
rpc_gss_getcred(
	struct svc_req		*req,
	rpc_gss_rawcred_t	**rcred,
	rpc_gss_ucred_t		**ucred,
	void			**cookie
);

/*
 * Largest application payload that still fits in a transport unit of
 * max_tp_unit_len bytes once the security layer's overhead (MIC or wrap
 * token) for this AUTH is added.  Client-side variant.
 */
int
rpc_gss_max_data_length(
	AUTH			*rpcgss_handle,
	int			max_tp_unit_len
);

/* Server-side counterpart of rpc_gss_max_data_length() for `req'. */
int
rpc_gss_svc_max_data_length(
	struct	svc_req		*req,
	int			max_tp_unit_len
);

/* Highest and lowest RPCSEC_GSS protocol versions this library supports. */
bool_t
rpc_gss_get_versions(
	uint_t	*vers_hi,
	uint_t	*vers_lo
);
3160Sstevel@tonic-gate 
/*
 * NOTE(review): presumably the cap on how many times the client AUTH
 * refresh path retries re-establishing a context before giving up --
 * confirm in the implementation.
 */
#define	RPCSEC_GSS_REFRESH_ATTEMPTS 	20
3180Sstevel@tonic-gate 
/*
 * Protocol data.
 *
 * The reason to put these definitions in this header file
 * is for 2.6 snoop to handle the RPCSEC_GSS protocol
 * interpretation.
 *
 * These are on-the-wire values (the gss_proc control procedure numbers
 * and the protocol version carried in every RPCSEC_GSS credential);
 * changing them breaks interoperability with every other implementation.
 */
#define	RPCSEC_GSS_DATA			0	/* normal data call */
#define	RPCSEC_GSS_INIT			1	/* first context-establishment call */
#define	RPCSEC_GSS_CONTINUE_INIT	2	/* further establishment round trips */
#define	RPCSEC_GSS_DESTROY		3	/* tear the context down */

#define	RPCSEC_GSS_VERSION		1	/* protocol version number */
3320Sstevel@tonic-gate 
3330Sstevel@tonic-gate #ifdef	__cplusplus
3340Sstevel@tonic-gate }
3350Sstevel@tonic-gate #endif
3360Sstevel@tonic-gate 
3370Sstevel@tonic-gate #endif	/* !_RPCSEC_GSS_H */