1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 %/*
  23 % * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
  24 % * Use is subject to license terms.
  25 % */
  26 %
  27 %#pragma ident  "%Z%%M% %I%     %E% SMI"
  28 %
  29 %/*
  30 % *  RPC protocol information for gssd, the usermode daemon that
  31 % *  assists the kernel with gssapi. It is gssd that executes all
  32 % *  gssapi calls except for some such as gss_sign(), and
  33 % *  gss_verify(), which are executed in the kernel itself.
  34 % *
  35 % *  File generated from gssd.x
  36 % */
  37 %
  38 %#define        NO 0
  39 %#define        YES 1
  40 %#define        FOREVER 1
  41 %
  42 %#include <sys/types.h>
  43 %#include <sys/time.h>
  44 %#include <rpc/auth_sys.h>
  45 %#ifndef _KERNEL
  46 %#include <locale.h>
  47 %#endif /* not _KERNEL */
  48 %
  49 
%#ifdef _KERNEL
%/*
% * Kernel-only prototypes, defined outside this file: getgssd_handle()
% * returns the CLIENT handle through which the kernel reaches gssd, and
% * killgssd_handle() takes such a handle back (presumably to tear it
% * down -- confirm in the kernel rpc client code).
% */
%extern void killgssd_handle(CLIENT *);
%extern CLIENT *getgssd_handle(void);
%#endif /* _KERNEL */
  54 %
  55 /*
  56  * These are the definitions for the interface to GSSD.
  57  */
  58 
/*
 * Wire types shared by every gssd procedure. The <> suffix makes an XDR
 * variable-length array, so context/credential handles, OIDs and buffers
 * all travel as counted byte strings rather than as pointers.
 */
typedef unsigned int                            OM_UINT32;

typedef opaque                                  GSS_CTX_ID_T<>;     /* security context handle */
typedef opaque                                  GSS_CRED_ID_T<>;    /* credential handle */
typedef opaque                                  GSS_OID<>;          /* mechanism / name-type OID */
typedef opaque                                  GSS_BUFFER_T<>;     /* generic byte buffer (names, tokens, messages) */
typedef gid_t                                   GSSCRED_GIDS<>;     /* array of group ids */

typedef GSS_OID                                 GSS_OID_SET<>;      /* array of OIDs */
  68 
/*
 * Channel bindings as carried to gssd. 'present' flags whether the
 * remaining fields hold real bindings (presumably the NO/YES values
 * defined above -- confirm against the marshalling code).
 */
struct GSS_CHANNEL_BINDINGS_STRUCT {
        int             present;                /* bindings supplied? */
        OM_UINT32       initiator_addrtype;     /* address family of initiator_address */
        GSS_BUFFER_T    initiator_address;
        OM_UINT32       acceptor_addrtype;      /* address family of acceptor_address */
        GSS_BUFFER_T    acceptor_address;
        GSS_BUFFER_T    application_data;
};

typedef struct GSS_CHANNEL_BINDINGS_STRUCT      GSS_CHANNEL_BINDINGS;
  79 
/*
 * Argument of GSS_ACQUIRE_CRED (procedure 1).
 * 'uid' is supplied by the caller and is what gssd acts on behalf of;
 * nothing in the message authenticates it, so the daemon appears to rely
 * on the loopback/AUTH_SYS/reserved-port restriction noted at GSSPROG.
 */
struct gss_acquire_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    desired_name;           /* name of cred */
        GSS_OID         name_type;              /* type of desired name */
        OM_UINT32       time_req;               /* context validity interval */
        GSS_OID_SET     desired_mechs;          /* cred mechanisms */
        int             cred_usage;             /* init/accept/both */
};
  88 
/*
 * Result of GSS_ACQUIRE_CRED (procedure 1).
 * The returned credential handle is paired with gssd_cred_verifier, which
 * later calls must echo back together with the handle; presumably this
 * lets gssd reject handles it did not issue (e.g. after a restart) --
 * confirm in the gssd implementation.
 */
struct gss_acquire_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CRED_ID_T   output_cred_handle;     /* returned credential handle */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_OID_SET     actual_mechs;           /* found cred mechanisms */
        OM_UINT32       time_rec;               /* actual context validity */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
  97 
/*
 * Argument of GSS_ADD_CRED (procedure 21). input_cred_handle must be
 * accompanied by the gssd_cred_verifier it was issued with.
 */
struct gss_add_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_CRED_ID_T   input_cred_handle;      /* input credential handle */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    desired_name;           /* name of cred */
        GSS_OID         name_type;              /* type of desired name */
        GSS_OID         desired_mech_type;      /* mechanism to add */
        int             cred_usage;             /* init/accept/both */
        OM_UINT32       initiator_time_req;     /* requested initiator validity */
        OM_UINT32       acceptor_time_req;      /* requested acceptor validity */
};
/*
 * Note: For gss_add_cred we always update the underlying credentials of
 * input_cred_handle. We always pass NULL as output_cred_handle when the call
 * to gss_add_cred is made.
 */
/*
 * Result of GSS_ADD_CRED (procedure 21). No credential handle is returned:
 * the input handle itself is updated (see the note above).
 */
struct gss_add_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID_SET     actual_mechs;           /* found cred mechanisms */
        OM_UINT32       initiator_time_rec;     /* cred validity interval */
        OM_UINT32       acceptor_time_rec;      /* cred validity interval */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 120 
/* Argument of GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handles */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
};
 126 
/* Result of GSS_RELEASE_CRED (procedure 2). */
struct gss_release_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 131 
/*
 * Argument of GSS_INIT_SEC_CONTEXT (procedure 3).
 * context_handle is empty on the first call and carries the handle from
 * the previous result on continuation calls (inferred from the res struct;
 * confirm against the caller).
 */
struct gss_init_sec_context_arg {
        uid_t           uid;                    /* client uid */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CRED_ID_T   claimant_cred_handle;   /* must = GSS_C_NO_CREDENTIAL */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    target_name;            /* name of server */
        GSS_OID         name_type;              /* type of principal name */
        GSS_OID         mech_type;              /* requested mechanism */
        int             req_flags;              /* requested context options */
        OM_UINT32       time_req;               /* context validity interval */
        GSS_CHANNEL_BINDINGS
                        input_chan_bindings;    /* requested channel bindings */
        GSS_BUFFER_T    input_token;            /* token received from peer */
};
 147 
/* Result of GSS_INIT_SEC_CONTEXT (procedure 3). */
struct gss_init_sec_context_res {
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID         actual_mech_type;       /* actual mechanism used */
        GSS_BUFFER_T    output_token;           /* token to send to peer */
        OM_UINT32       ret_flags;              /* options of context */
        OM_UINT32       time_rec;               /* actual context validity */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 158 
/*
 * Argument of GSS_ACCEPT_SEC_CONTEXT (procedure 4).
 * input_token_buffer is the token received from the (untrusted) initiator.
 */
struct gss_accept_sec_context_arg {
        uid_t           uid;                    /* client uid */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CRED_ID_T   verifier_cred_handle;   /* must = GSS_C_NO_CREDENTIAL */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    input_token_buffer;     /* token received from peer */
        GSS_CHANNEL_BINDINGS
                        input_chan_bindings;    /* requested channel bindings */
};
 169 
/*
 * Result of GSS_ACCEPT_SEC_CONTEXT (procedure 4).
 * src_name is only meaningful once 'status' reports success; callers
 * should not act on it otherwise.
 */
struct gss_accept_sec_context_res {
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    src_name;               /* authenticated name of peer */
        GSS_OID         mech_type;              /* mechanism used */
        GSS_BUFFER_T    output_token;           /* token to send to peer */
        OM_UINT32       ret_flags;              /* options of context */
        OM_UINT32       time_rec;               /* actual context validity */
        GSS_CRED_ID_T   delegated_cred_handle;  /* always GSS_C_NO_CREDENTIAL */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 182 
/* Argument of GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    token_buffer;           /* token to process */
};
 189 
/* Result of GSS_PROCESS_CONTEXT_TOKEN (procedure 5). */
struct gss_process_context_token_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 194 
/*
 * Argument of GSS_DELETE_SEC_CONTEXT (procedure 6). Unlike most context
 * procedures this one carries no 'uid'.
 */
struct gss_delete_sec_context_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
};
 199 
/* Result of GSS_DELETE_SEC_CONTEXT (procedure 6). */
struct gss_delete_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to deleted context */
        GSS_BUFFER_T    output_token;           /* output token for peer */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 206 
/* Argument of GSS_EXPORT_SEC_CONTEXT (procedure 19). */
struct gss_export_sec_context_arg {
        GSS_CTX_ID_T context_handle;            /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
};
 211 
/*
 * Result of GSS_EXPORT_SEC_CONTEXT (procedure 19). output_token is the
 * serialized context; it is fed back as input_token of
 * GSS_IMPORT_SEC_CONTEXT. Treat it as sensitive material: it presumably
 * contains the context's keys -- confirm with the mechanism.
 */
struct gss_export_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    output_token;           /* input token for import_sec_context */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 218 
/* Argument of GSS_IMPORT_SEC_CONTEXT (procedure 20). */
struct gss_import_sec_context_arg {
        GSS_BUFFER_T    input_token;            /* token produced by export_sec_context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
};
 223 
/* Result of GSS_IMPORT_SEC_CONTEXT (procedure 20). */
struct gss_import_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 229 
/* Argument of GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
};
 235 
/* Result of GSS_CONTEXT_TIME (procedure 7). */
struct gss_context_time_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       time_rec;               /* remaining context validity */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 241 
/*
 * Argument of GSS_SIGN (procedure 8). Per the file header gss_sign() is
 * normally executed in the kernel; this procedure exists for the cases
 * that are delegated to gssd.
 */
struct gss_sign_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        int             qop_req;                /* quality of protection */
        GSS_BUFFER_T    message_buffer;         /* message to sign */
};
 248 
/* Result of GSS_SIGN (procedure 8). */
struct gss_sign_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    msg_token;              /* integrity token for message_buffer */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 254 
/*
 * Argument of GSS_VERIFY (procedure 9). Both buffers arrive from the peer
 * and are untrusted until 'status' in the result reports success.
 */
struct gss_verify_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    message_buffer;         /* message to verify */
        GSS_BUFFER_T    token_buffer;           /* buffer containing token */
};
 261 
/* Result of GSS_VERIFY (procedure 9). qop_state is only meaningful on success. */
struct gss_verify_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             qop_state;              /* quality of protection */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 267 
 268 %/* EXPORT DELETE START */
/*
 * Argument of GSS_SEAL (procedure 13). conf_req_flag asks for
 * confidentiality; whether it was actually applied is reported back in
 * gss_seal_res.conf_state and must be checked there.
 */
struct gss_seal_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        int             conf_req_flag;          /* type of conf requested */
        int             qop_req;                /* quality of prot. requested */
        GSS_BUFFER_T    input_message_buffer;   /* message to protect */
};
 276 
/* Result of GSS_SEAL (procedure 13). */
struct gss_seal_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             conf_state;             /* type of conf. applied */
        GSS_BUFFER_T    output_message_buffer;  /* protected message */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 283 
/* Argument of GSS_UNSEAL (procedure 14). */
struct gss_unseal_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    input_message_buffer;   /* protected message to unseal */
};
 289 
/*
 * Result of GSS_UNSEAL (procedure 14). conf_state tells whether the
 * message was actually encrypted in transit; a caller that needs
 * confidentiality must check it rather than assume it.
 */
struct gss_unseal_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    output_message_buffer;  /* unsealed (plaintext) message */
        int             conf_state;             /* type of conf. provided */
        int             qop_state;              /* quality of prot. provided */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 297 
 298 %/* EXPORT DELETE END */
 299 
/* Argument of GSS_DISPLAY_STATUS (procedure 10). */
struct gss_display_status_arg {
        uid_t           uid;                    /* client uid */
        int             status_value;           /* status to be converted */
        int             status_type;            /* GSS or mech status */
        GSS_OID         mech_type;              /* mechanism */
        OM_UINT32       message_context;        /* recursion flag */
};
 307 
/*
 * Result of GSS_DISPLAY_STATUS (procedure 10). status_string is text
 * produced by the daemon; it is not NUL-terminated on the wire (GSS_BUFFER_T
 * is a counted byte array), so consumers must use the length.
 */
struct gss_display_status_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             message_context;        /* recursion flag */
        GSS_BUFFER_T    status_string;          /* text equiv of status */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 314 
 315 %/* gss_indicate_mechs_arg is void. This appears in the rpc call def */
 316 
/* Result of GSS_INDICATE_MECHS (procedure 11); the call takes no argument. */
struct gss_indicate_mechs_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID_SET     mech_set;               /* mechanism set supported */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 322 
/* Argument of GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
};
 328 
/* Result of GSS_INQUIRE_CRED (procedure 12). */
struct gss_inquire_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    name;                   /* name associated with cred */
        GSS_OID         name_type;              /* type of name */
        OM_UINT32       lifetime;               /* remaining validity period */
        int             cred_usage;             /* how creds may be used */
        GSS_OID_SET     mechanisms;             /* mechs associated with cred */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 338 
/* Argument of GSS_INQUIRE_CRED_BY_MECH (procedure 22). */
struct gss_inquire_cred_by_mech_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
        GSS_OID         mech_type;              /* cred mechanism */
};
 345 
/*
 * Result of GSS_INQUIRE_CRED_BY_MECH (procedure 22). Only status codes
 * are returned; no name/lifetime/usage fields, unlike gss_inquire_cred_res.
 */
struct gss_inquire_cred_by_mech_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 350 
/* Argument of GSSCRED_NAME_TO_UNIX_CRED (procedure 16). */
struct gsscred_name_to_unix_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    pname;                  /* principal name */
        GSS_OID         name_type;              /* oid of principal name */
        GSS_OID         mech_type;              /* for which mechanism to use */
};
 357 
/*
 * Result of GSSCRED_NAME_TO_UNIX_CRED (procedure 16): the unix identity the
 * daemon maps the principal to. uid/gid/gids are only valid when 'major'
 * reports success; a caller must check it before granting access on them.
 */
struct gsscred_name_to_unix_cred_res {
        uid_t           uid;                    /* principal's uid */
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* status of the GSSAPI call */
};
 364 
 365 
/* Argument of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15). */
struct
gsscred_expname_to_unix_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    expname;                /* principal in export format */
};
 371 
/*
 * Result of GSSCRED_EXPNAME_TO_UNIX_CRED (procedure 15). As with
 * gsscred_name_to_unix_cred_res, the identity fields are only meaningful
 * when 'major' reports success.
 */
struct
gsscred_expname_to_unix_cred_res {
        uid_t           uid;                    /* principal's uid */
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* major status code */
};
 379 
 380 
/* Argument of GSS_GET_GROUP_INFO (procedure 17). */
struct gss_get_group_info_arg {
        uid_t           uid;                    /* client uid */
        uid_t           puid;                   /* principal's uid to look up */
};
 385 
/* Result of GSS_GET_GROUP_INFO (procedure 17); valid only when 'major' succeeds. */
struct gss_get_group_info_res {
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* major status code */
};
 391 
 392 
/* Argument of GSS_GET_KMOD (procedure 18). */
struct gss_get_kmod_arg {
        GSS_OID mech_oid;                       /* mechanism to look up */

};
 397 
/*
 * Result of GSS_GET_KMOD (procedure 18): a module name for mech_oid when
 * module_follow is TRUE, nothing otherwise. modname is a string chosen by
 * the user-mode daemon; if the kernel uses it to locate a module, the
 * kernel side should constrain/validate it rather than trust it as-is --
 * NOTE(review): confirm how the consumer uses modname.
 */
union gss_get_kmod_res switch (bool module_follow) {
        case TRUE:
                string modname<>;               /* kernel module name */
        case FALSE:
                void;
};
 404 
 405 
 406 /*
 407  *  The server accepts requests only from the loopback address.
 408  *  Unix authentication is used, and the port must be in the reserved range.
 409  */
 410 
/*
 * Procedure numbers below are part of the wire protocol and should not be
 * renumbered or reused; new procedures are appended. None of the messages
 * carry authentication of their own -- where an argument has a 'uid', the
 * daemon appears to trust it on the strength of the transport restrictions
 * described above.
 */
program GSSPROG {
    version GSSVERS {

        /*
         *  Called by the client to acquire a credential.
         */
        gss_acquire_cred_res
                GSS_ACQUIRE_CRED(gss_acquire_cred_arg)                  = 1;

        /*
         *  Called by the client to release a credential.
         */
        gss_release_cred_res
                GSS_RELEASE_CRED(gss_release_cred_arg)                  = 2;

        /*
         *  Called by the client to initialize a security context.
         */
        gss_init_sec_context_res
                GSS_INIT_SEC_CONTEXT(gss_init_sec_context_arg)          = 3;

        /*
         *  Called by the server (acceptor) to accept a security context
         *  from a peer's token.
         */
        gss_accept_sec_context_res
                GSS_ACCEPT_SEC_CONTEXT(gss_accept_sec_context_arg)      = 4;

        /*
         *  Called to pass token to underlying mechanism.
         */
        gss_process_context_token_res
                GSS_PROCESS_CONTEXT_TOKEN(gss_process_context_token_arg) = 5;

        /*
         *  Called to delete a security context.
         */
        gss_delete_sec_context_res
                GSS_DELETE_SEC_CONTEXT(gss_delete_sec_context_arg)      = 6;

        /*
         *  Called to get remaining time security context has to live.
         */
        gss_context_time_res
                GSS_CONTEXT_TIME(gss_context_time_arg)                  = 7;

        /*
         *  Called to sign a message.
         */
        gss_sign_res    GSS_SIGN(gss_sign_arg)                          = 8;

        /*
         *  Called to verify a signed message.
         */
        gss_verify_res  GSS_VERIFY(gss_verify_arg)                      = 9;

        /*
         *  Called to translate minor status into a string.
         */
        gss_display_status_res
                        GSS_DISPLAY_STATUS(gss_display_status_arg)      = 10;

        /*
         *  Called to indicate which underlying mechanisms are supported
         */
        gss_indicate_mechs_res
                        GSS_INDICATE_MECHS(void)                        = 11;

        /*
         *  Called by the client to inquire about a credential.
         */
        gss_inquire_cred_res
                GSS_INQUIRE_CRED(gss_inquire_cred_arg)                  = 12;


/* EXPORT DELETE START */

        /*
         *  Called to seal a message.
         */
        gss_seal_res    GSS_SEAL(gss_seal_arg)                          = 13;

        /*
         *  Called to unseal a message.
         */
        gss_unseal_res  GSS_UNSEAL(gss_unseal_arg)                      = 14;

/* EXPORT DELETE END */

        /*
         * gsscred interface functions to obtain principal uid and gids
         */

        /*
         *  Map a principal in exported-name form to a unix uid/gid/gids.
         */
        gsscred_expname_to_unix_cred_res
                        GSSCRED_EXPNAME_TO_UNIX_CRED(
                                gsscred_expname_to_unix_cred_arg)       = 15;

        /*
         *  Map a principal name plus name type/mechanism to a unix
         *  uid/gid/gids.
         */
        gsscred_name_to_unix_cred_res
                        GSSCRED_NAME_TO_UNIX_CRED(
                                gsscred_name_to_unix_cred_arg)          = 16;

        /*
         *  Look up the gid and supplementary gids of a principal's uid.
         */
        gss_get_group_info_res
                        GSS_GET_GROUP_INFO(gss_get_group_info_arg)      = 17;

        /*
         *  Return the kernel module name for a mechanism OID, if any.
         */
        gss_get_kmod_res
                        GSS_GET_KMOD(gss_get_kmod_arg)                  = 18;

        /*
         *  Serialize a security context into a token.
         */
        gss_export_sec_context_res
                        GSS_EXPORT_SEC_CONTEXT(gss_export_sec_context_arg) = 19;

        /*
         *  Re-create a security context from a token made by procedure 19.
         */
        gss_import_sec_context_res
                        GSS_IMPORT_SEC_CONTEXT(gss_import_sec_context_arg) = 20;
        /*
         *  Called by the client to add to a credential.
         */
        gss_add_cred_res
                GSS_ADD_CRED(gss_add_cred_arg)                          = 21;

        /*
         *  Called by the client to inquire about a credential for one
         *  specific mechanism.
         */
        gss_inquire_cred_by_mech_res
                GSS_INQUIRE_CRED_BY_MECH(gss_inquire_cred_by_mech_arg)
                                                                        = 22;

    } = 1;
} = 100234;