/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*/
/*
* rpcsec_gss.h, RPCSEC_GSS security service interface.
*/
#ifndef _RPCSEC_GSS_H
#define _RPCSEC_GSS_H
#ifdef __cplusplus
extern "C" {
#endif
#include <rpc/auth.h>
#include <rpc/clnt.h>
#include <gssapi/gssapi.h>
/*
* Interface definitions.
*/
#define MAX_NAME_LEN 64
#define MAX_GSS_MECH 128
#define MAX_GSS_NAME 128
/*
 * Security service level of an RPCSEC_GSS session, as defined by the
 * RPCSEC_GSS protocol (RFC 2203).  Each level includes the guarantees
 * of the ones below it.  On the server side this is the level the
 * client actually negotiated (see rpc_gss_rawcred_t.service); a server
 * that requires integrity or privacy must check it rather than assume it.
 */
typedef enum {
	rpc_gss_svc_default = 0,	/* let the implementation choose (presumably resolves to one of the levels below) */
	rpc_gss_svc_none = 1,		/* authentication only: RPC header is authenticated, call data is sent in the clear, unprotected */
	rpc_gss_svc_integrity = 2,	/* call/reply data carries a GSS integrity checksum (MIC); still readable on the wire */
	rpc_gss_svc_privacy = 3		/* call/reply data is GSS-wrapped (encrypted); implies integrity */
} rpc_gss_service_t;
/*
* GSS-API based security mechanism type specified as
* object identifiers (OIDs).
* This type is derived from gss_OID_desc/gss_OID.
*/
#define rpc_gss_OID_s gss_OID_desc_struct
typedef struct rpc_gss_OID_s rpc_gss_OID_desc, *rpc_gss_OID;
/*
* Interface data.
* This is already suitable for both LP64 and ILP32.
*/
/*
 * Mechanism-specific (exported) form of a GSS principal name.
 *
 * `name' is the start of a variable-length byte string of `len' bytes;
 * the single-element array is the pre-C99 "trailing data" idiom, so an
 * instance is allocated with `len' extra bytes and sizeof (struct
 * rpc_gss_principal) already includes one byte of it.  `len' is the only
 * length information, so any consumer must range-check it against the
 * allocation before reading or copying `name'.  Treat `name' as binary
 * data; do not assume it is NUL-terminated.
 */
typedef struct rpc_gss_principal {
	int len;	/* number of valid bytes in name[] */
	char name[1];	/* first byte of the exported name (see above) */
} *rpc_gss_principal_t;
/*
 * Caller-supplied options for security context establishment
 * (passed to rpc_gss_seccreate / rpc_gss_secget).  The fields mirror
 * the inputs of the GSS-API context initiation call, so the same
 * semantics are assumed here -- confirm against the implementation.
 */
typedef struct {
	int req_flags;		/* requested GSS context flags (mutual auth, replay detection, ...) */
	int time_req;		/* requested context lifetime, seconds (0 presumably = default) */
	gss_cred_id_t my_cred;	/* initiator's GSS credential handle to use; GSS_C_NO_CREDENTIAL for the default */
	gss_channel_bindings_t input_channel_bindings;	/* optional channel bindings to tie the context to the transport */
} rpc_gss_options_req_t;
/*
 * Results of security context establishment, filled in by
 * rpc_gss_seccreate / rpc_gss_secget.  `major_status' / `minor_status'
 * are the GSS-API status codes of the underlying call and are the
 * place to look when establishment fails.
 */
typedef struct {
	int major_status;	/* GSS-API major status of context establishment */
	int minor_status;	/* mechanism-specific minor status */
	uint_t rpcsec_version;	/* RPCSEC_GSS protocol version negotiated (see RPCSEC_GSS_VERSION) */
	int ret_flags;		/* GSS context flags actually granted; may be a subset of req_flags */
	int time_ret;		/* context lifetime actually granted, seconds (assumed, as for time_req) */
	gss_ctx_id_t gss_context;	/* established GSS security context handle */
#ifdef _KERNEL
	rpc_gss_OID actual_mechanism;	/* kernel: OID of the mechanism actually used */
#else
	/*
	 * User level: mechanism name as a string in a fixed buffer.  Anything
	 * that fills it must bound the copy at MAX_GSS_MECH and NUL-terminate.
	 */
	char actual_mechanism[MAX_GSS_MECH];
#endif
} rpc_gss_options_ret_t;
/*
* raw credentials
*/
/*
 * raw credentials
 *
 * Server-side view of the caller's RPCSEC_GSS credentials, obtained
 * through rpc_gss_getcred().  `client_principal' identifies the
 * authenticated peer and `service' is the protection level the client
 * negotiated; authorization decisions should be based on these rather
 * than on anything carried in the call arguments.
 */
typedef struct {
	uint_t version;			/* RPCSEC_GSS version used by the client */
#ifdef _KERNEL
	rpc_gss_OID mechanism;		/* mechanism OID (kernel form) */
	uint_t qop;			/* quality-of-protection number (kernel form) */
#else
	char *mechanism;		/* mechanism name (user-level form) */
	char *qop;			/* QOP name (user-level form) */
#endif
	rpc_gss_principal_t client_principal;	/* authenticated client principal (exported name, see rpc_gss_principal) */
	char *svc_principal; /* service@server, e.g. nfs@caribe */
	rpc_gss_service_t service;	/* protection level in effect for this call */
} rpc_gss_rawcred_t;
/*
* unix credentials
*/
/*
 * unix credentials
 *
 * UNIX identity derived from the authenticated GSS principal, returned
 * by rpc_gss_getcred() alongside the raw credentials.  `gidlist' holds
 * `gidlen' entries; readers must bound their iteration by `gidlen'.
 * Ownership of `gidlist' is not stated here -- confirm who frees it.
 */
typedef struct {
	uid_t uid;		/* mapped user id */
	gid_t gid;		/* mapped primary group id */
	short gidlen;		/* number of entries in gidlist */
	gid_t *gidlist;		/* supplementary group ids */
} rpc_gss_ucred_t;
/*
* for callback routine
*/
/*
 * for callback routine
 *
 * Registration record passed to rpc_gss_set_callback(): the callback
 * is associated with one RPC program/version pair.  NOTE(review):
 * `callback' is declared with an empty parameter list, so the compiler
 * cannot check the arguments it is invoked with; its actual signature
 * must be confirmed from the implementation or its documentation.
 */
typedef struct {
	uint_t program;		/* RPC program number the callback applies to */
	uint_t version;		/* RPC program version the callback applies to */
	bool_t (*callback)();	/* routine invoked by the library (unprototyped, see above) */
} rpc_gss_callback_t;
/*
* lock used for the callback routine
*/
/*
 * lock used for the callback routine
 *
 * Pairs a "locked" flag with the raw credentials it guards; presumably
 * handed to the rpc_gss_callback_t routine -- confirm against the caller.
 */
typedef struct {
	bool_t locked;			/* TRUE while raw_cred is held locked */
	rpc_gss_rawcred_t *raw_cred;	/* credentials being protected */
} rpc_gss_lock_t;
/*
* This is for user RPC applications.
* Structure used to fetch the error code when one of
* the rpc_gss_* routines fails.
*/
/*
 * This is for user RPC applications.
 * Structure used to fetch the error code when one of
 * the rpc_gss_* routines fails.
 *
 * Filled in by rpc_gss_get_error().  `rpc_gss_error' takes one of the
 * RPC_GSS_ER_* values; `system_error' presumably carries the errno
 * value when rpc_gss_error is RPC_GSS_ER_SYSTEMERROR.
 */
typedef struct {
	int rpc_gss_error;	/* RPC_GSS_ER_* code */
	int system_error;	/* accompanying system error (errno), if any */
} rpc_gss_error_t;
#define RPC_GSS_ER_SUCCESS 0 /* no error */
#define RPC_GSS_ER_SYSTEMERROR 1 /* system error */
#ifdef _SYSCALL32
/*
 * 32-bit ABI layout of gss_clntdata_t, used by a 64-bit kernel to read
 * the structure handed in by a 32-bit process (_SYSCALL32).  The field
 * order and meaning match gss_clntdata_t; only `mechanism' differs in
 * representation.  Since this comes from user space, the fixed-size
 * name arrays are untrusted and must be NUL-terminated / bounded by the
 * consumer before use as strings.
 */
struct gss_clnt_data32 {
	gss_OID_desc32 mechanism;	/* 32-bit form of the mechanism OID */
	rpc_gss_service_t service;	/* requested protection level */
	char uname[MAX_NAME_LEN]; /* server's service name */
	char inst[MAX_NAME_LEN]; /* server's instance name */
	char realm[MAX_NAME_LEN]; /* server's realm */
	uint_t qop;			/* quality-of-protection number */
};
#endif
/*
* This is for Kernel RPC applications.
* RPCSEC_GSS flavor specific data in sec_data opaque field.
*/
/*
 * This is for Kernel RPC applications.
 * RPCSEC_GSS flavor specific data in sec_data opaque field.
 *
 * Describes the server principal (uname/inst/realm), mechanism and
 * protection level the kernel client should use.  The opaque sec_data
 * field is presumably supplied from user space, so the three name
 * buffers must be treated as untrusted: bound all reads by MAX_NAME_LEN
 * and do not assume NUL termination.
 */
typedef struct gss_clnt_data {
	rpc_gss_OID_desc mechanism;	/* mechanism OID */
	rpc_gss_service_t service;	/* requested protection level */
	char uname[MAX_NAME_LEN]; /* server's service name */
	char inst[MAX_NAME_LEN]; /* server's instance name */
	char realm[MAX_NAME_LEN]; /* server's realm */
	uint_t qop;			/* quality-of-protection number */
} gss_clntdata_t;
struct svc_req;
/*
* KERNEL rpc_gss_* interfaces.
*/
#ifdef _KERNEL
/*
 * rpc_gss_secget / rpc_gss_seccreate: create an RPCSEC_GSS AUTH handle
 * for the given client handle, server principal, mechanism, service
 * level and QOP, establishing a security context under the supplied
 * cred_t.  The two differ in their extra `void *' argument and in
 * whether the handle is released with rpc_gss_secfree (secget) --
 * presumably secget serves from a cache; confirm against the
 * implementation.  The AUTH handle is returned through the final
 * argument; options_ret receives the GSS status codes on failure.
 */
int rpc_gss_secget(CLIENT *, char *, rpc_gss_OID,
	rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
	rpc_gss_options_ret_t *, void *, cred_t *, AUTH **);
void rpc_gss_secfree(AUTH *);	/* release a handle obtained from rpc_gss_secget */
int rpc_gss_seccreate(CLIENT *, char *, rpc_gss_OID,
	rpc_gss_service_t, uint_t, rpc_gss_options_req_t *,
	rpc_gss_options_ret_t *, cred_t *, AUTH **);
/* Revoke contexts of the given uid for the given mechanism (presumably on logout/credential change). */
int rpc_gss_revauth(uid_t, rpc_gss_OID);
/* Purge cached security state associated with the opaque argument. */
void rpc_gss_secpurge(void *);
/* Server-side dispatch: authenticate an incoming RPCSEC_GSS request. */
enum auth_stat __svcrpcsec_gss(struct svc_req *,
	struct rpc_msg *, bool_t *);
/* Change the service level / QOP used by an existing AUTH handle. */
bool_t rpc_gss_set_defaults(AUTH *, rpc_gss_service_t, uint_t);
/* Report the service level currently in effect on an AUTH handle. */
rpc_gss_service_t rpc_gss_get_service_type(AUTH *);
#else
/*
* USER rpc_gss_* public interfaces
*/
/*
 * Create an RPCSEC_GSS AUTH handle for `clnt' by establishing a GSS
 * security context with the server principal.  Returns NULL on failure;
 * rpc_gss_get_error() and options_ret (when non-NULL) give the reason.
 */
AUTH *
rpc_gss_seccreate(
	CLIENT *clnt, /* associated client handle */
	char *principal, /* server service principal */
	char *mechanism, /* security mechanism */
	rpc_gss_service_t service_type, /* security service */
	char *qop, /* requested QOP */
	rpc_gss_options_req_t *options_req, /* requested options */
	rpc_gss_options_ret_t *options_ret /* returned options */
);
/*
 * Build a mechanism-specific principal name from a user name, node and
 * security domain.  The result is returned through `principal'; its
 * ownership (who frees it) is not stated here -- confirm in the manual.
 */
bool_t
rpc_gss_get_principal_name(
	rpc_gss_principal_t *principal,
	char *mechanism,
	char *user_name,
	char *node,
	char *secdomain
);
/* List the installed mechanism names; returns a NULL-terminated array. */
char **rpc_gss_get_mechanisms();
/* List the QOP names of a mechanism; `service' receives its service capability (assumed). */
char **rpc_gss_get_mech_info(
	char *mechanism,
	rpc_gss_service_t *service
);
/* TRUE if the named mechanism is installed. */
bool_t
rpc_gss_is_installed(
	char *mechanism
);
/* Translate a mechanism name into its OID; FALSE if unknown. */
bool_t
rpc_gss_mech_to_oid(
	char *mech,
	rpc_gss_OID *oid
);
/* Translate a QOP name for a mechanism into its numeric value; FALSE if unknown. */
bool_t
rpc_gss_qop_to_num(
	char *qop,
	char *mech,
	uint_t *num
);
/*
 * Server side: register the service principal this program/version
 * accepts credentials for, acquiring GSS acceptor credentials with the
 * given lifetime.  A server must do this before it can accept
 * RPCSEC_GSS calls.
 */
bool_t
rpc_gss_set_svc_name(
	char *principal,
	char *mechanism,
	uint_t req_time,
	uint_t program,
	uint_t version
);
/* Change the service level / QOP used by an existing AUTH handle. */
bool_t
rpc_gss_set_defaults(
	AUTH *auth,
	rpc_gss_service_t service,
	char *qop
);
/* Retrieve the error recorded by the last failing rpc_gss_* routine. */
void
rpc_gss_get_error(
	rpc_gss_error_t *error
);
/*
* User level private interfaces
*/
/*
 * NOTE(review): these are declared with empty parameter lists, so no
 * argument type checking happens at call sites; the kernel declaration
 * above shows __svcrpcsec_gss taking (struct svc_req *, struct rpc_msg *,
 * bool_t *).  The wrap/unwrap pair presumably apply and remove the
 * integrity/privacy protection on call and reply data.
 */
enum auth_stat __svcrpcsec_gss();
bool_t __rpc_gss_wrap();
bool_t __rpc_gss_unwrap();
#endif
/*
* USER and KERNEL rpc_gss_* interfaces.
*/
/*
 * Register a callback invoked when a new security context is
 * established for the given program/version (see rpc_gss_callback_t).
 */
bool_t
rpc_gss_set_callback(
	rpc_gss_callback_t *cb
);
/*
 * Server side: fetch the credentials of the caller of `req'.  Either
 * output pointer may presumably be NULL if not wanted.  `rcred' gives
 * the authenticated GSS principal and the protection level in effect;
 * `ucred' the mapped UNIX identity; `cookie' the value stored by the
 * callback, if any.  This is the authoritative identity for
 * authorization decisions on RPCSEC_GSS calls.
 */
bool_t
rpc_gss_getcred(
	struct svc_req *req,
	rpc_gss_rawcred_t **rcred,
	rpc_gss_ucred_t **ucred,
	void **cookie
);
/*
 * Largest amount of call data that fits in a transport unit of
 * `max_tp_unit_len' bytes once the RPCSEC_GSS overhead for the handle's
 * service level is accounted for (integrity/privacy wrapping grows the
 * payload).  A negative/zero result presumably indicates an error.
 */
int
rpc_gss_max_data_length(
	AUTH *rpcgss_handle,
	int max_tp_unit_len
);
/* Server-side counterpart of rpc_gss_max_data_length for the context of `req'. */
int
rpc_gss_svc_max_data_length(
	struct svc_req *req,
	int max_tp_unit_len
);
/* Highest and lowest RPCSEC_GSS protocol versions supported by this implementation. */
bool_t
rpc_gss_get_versions(
	uint_t *vers_hi,
	uint_t *vers_lo
);
#define RPCSEC_GSS_REFRESH_ATTEMPTS 20
/*
* Protocol data.
*
* The reason to put these definitions in this header file
* is so that 2.6 snoop can handle RPCSEC_GSS protocol
* interpretation.
*/
/*
 * gss_proc values carried in the RPCSEC_GSS credential of each call
 * (RFC 2203): DATA is a normal call on an established context; INIT and
 * CONTINUE_INIT carry context-establishment tokens; DESTROY tears the
 * context down.  RPCSEC_GSS_VERSION is the credential version this
 * implementation speaks.
 */
#define RPCSEC_GSS_DATA 0
#define RPCSEC_GSS_INIT 1
#define RPCSEC_GSS_CONTINUE_INIT 2
#define RPCSEC_GSS_DESTROY 3
#define RPCSEC_GSS_VERSION 1
#ifdef __cplusplus
}
#endif
#endif /* !_RPCSEC_GSS_H */