1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 %/*
  23 % * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
  24 % * Use is subject to license terms.
  25 % */
  26 %
  27 %#pragma ident  "%Z%%M% %I%     %E% SMI"
  28 %
  29 %/*
  30 % *  RPC protocol information for gssd, the usermode daemon that
  31 % *  assists the kernel with gssapi. It is gssd that executes all
  32 % *  gssapi calls except for some such as gss_sign(), and
  33 % *  gss_verify(), which are executed in the kernel itself.
  34 % *
  35 % *  File generated from gssd.x
  36 % */
  37 %
%/*
% * Boolean / lifetime constants used by the generated stubs.  FOREVER is
% * numerically identical to YES (both 1); which one a caller uses is a
% * matter of intent only -- they cannot be told apart at runtime.
% */
%#define        NO 0
%#define        YES 1
%#define        FOREVER 1
  41 %
  42 %#include <sys/types.h>
  43 %#include <sys/time.h>
  44 %#include <rpc/auth_sys.h>
  45 %#ifndef _KERNEL
  46 %#include <locale.h>
  47 %#endif /* not _KERNEL */
  48 %
  49 
%#ifdef _KERNEL
%/*
% * Kernel-side helpers, defined elsewhere, that obtain and tear down the
% * RPC client handle used to reach gssd.  Every procedure of GSSPROG below
% * is presumably invoked over a handle from getgssd_handle().
% */
%extern void killgssd_handle(CLIENT *);
%extern CLIENT *getgssd_handle(void);
%#endif /* _KERNEL */
  54 %
  55 /*
  56  * These are the definitions for the interface to GSSD.
  57  */
  58 
/*
 * Basic XDR types for the kernel <-> gssd interface.
 *
 * Every opaque<> and GSS_OID<> array below is declared without a maximum
 * length, so rpcgen emits no upper bound for it: the XDR decoder allocates
 * whatever length the peer encodes.  That is tolerable only because the
 * server restricts who may call it (see the note above GSSPROG) and is
 * worth revisiting if that restriction is ever relaxed.
 *
 * Handles (GSS_CTX_ID_T, GSS_CRED_ID_T) are opaque to the kernel, which
 * only echoes back what gssd returned.  Nothing in the wire format ties a
 * handle to the uid that created it; any such check lives in gssd.
 */
typedef unsigned int                            OM_UINT32;

typedef opaque                                  GSS_CTX_ID_T<>;     /* security context handle */
typedef opaque                                  GSS_CRED_ID_T<>;    /* credential handle */
typedef opaque                                  GSS_OID<>;          /* mechanism / name-type OID */
typedef opaque                                  GSS_BUFFER_T<>;     /* arbitrary byte buffer */
typedef gid_t                                   GSSCRED_GIDS<>;     /* supplementary gid list */

typedef GSS_OID                                 GSS_OID_SET<>;      /* unbounded list of OIDs */
  68 
/*
 * XDR form of GSS-API channel bindings.  `present' tells the receiver
 * whether the remaining fields carry bindings at all (0 = none; presumably
 * the NO/YES constants above).  The three buffers are unbounded.
 */
struct GSS_CHANNEL_BINDINGS_STRUCT {
        int             present;                /* non-zero: bindings supplied */
        OM_UINT32       initiator_addrtype;     /* address type of initiator */
        GSS_BUFFER_T    initiator_address;      /* initiator address bytes */
        OM_UINT32       acceptor_addrtype;      /* address type of acceptor */
        GSS_BUFFER_T    acceptor_address;       /* acceptor address bytes */
        GSS_BUFFER_T    application_data;       /* application-defined data */
};
  77 
/* Alias used by gss_init_sec_context_arg / gss_accept_sec_context_arg. */
typedef struct GSS_CHANNEL_BINDINGS_STRUCT      GSS_CHANNEL_BINDINGS;
  79 
/*
 * GSS_ACQUIRE_CRED request.  `uid' is asserted by the kernel on behalf of
 * the process that triggered the call; gssd receives it as plain data, so
 * it is only as trustworthy as the transport restrictions noted above
 * GSSPROG (loopback address, reserved port, AUTH_SYS).
 */
struct gss_acquire_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    desired_name;           /* name of cred */
        GSS_OID         name_type;              /* type of desired name */
        OM_UINT32       time_req;               /* requested cred lifetime */
        GSS_OID_SET     desired_mechs;          /* cred mechanisms */
        int             cred_usage;             /* init/accept/both */
};
  88 
/*
 * GSS_ACQUIRE_CRED reply.  `status' is the GSS major code and should be
 * checked before any other field is used.  The kernel keeps
 * output_cred_handle and gssd_cred_verifier together and presents both on
 * every later call that names this credential (add/release/inquire).
 * NOTE(review): the verifier is presumably a per-gssd-instance value that
 * lets gssd reject handles minted by an earlier incarnation -- confirm in
 * the gssd server code.
 */
struct gss_acquire_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CRED_ID_T   output_cred_handle;     /* returned credential handle */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_OID_SET     actual_mechs;           /* found cred mechanisms */
        OM_UINT32       time_rec;               /* actual cred lifetime */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
  97 
/*
 * GSS_ADD_CRED request: add a mechanism-specific element to an existing
 * credential.  input_cred_handle / gssd_cred_verifier must be the pair
 * returned by GSS_ACQUIRE_CRED; the credential is updated in place (see
 * the note following this struct).
 */
struct gss_add_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_CRED_ID_T   input_cred_handle;      /* input credential handle */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    desired_name;           /* name of cred */
        GSS_OID         name_type;              /* type of desired name */
        GSS_OID         desired_mech_type;      /* single mech to add */
        int             cred_usage;             /* init/accept/both */
        OM_UINT32       initiator_time_req;     /* requested initiator lifetime */
        OM_UINT32       acceptor_time_req;      /* requested acceptor lifetime */
};
/*
 * Note: for gss_add_cred we always update the underlying credentials of
 * input_cred_handle in place.  NULL is always passed as output_cred_handle
 * when the call to gss_add_cred is made, which is why gss_add_cred_res
 * carries no new credential handle.
 */
/*
 * GSS_ADD_CRED reply.  No handle is returned: the input handle keeps
 * referring to the (now extended) credential.
 */
struct gss_add_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID_SET     actual_mechs;           /* mechs now in the cred */
        OM_UINT32       initiator_time_rec;     /* initiator cred lifetime */
        OM_UINT32       acceptor_time_rec;      /* acceptor cred lifetime */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 120 
/*
 * GSS_RELEASE_CRED request.  Carries the handle/verifier pair from
 * GSS_ACQUIRE_CRED plus the client uid; the handle is invalid afterwards.
 */
struct gss_release_cred_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handles */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
};
 126 
/* GSS_RELEASE_CRED reply: status codes only. */
struct gss_release_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 131 
/*
 * GSS_INIT_SEC_CONTEXT request (initiator side).  When no context exists
 * yet context_handle is empty and gssd creates one; continuation calls
 * pass back the handle/verifier pair from the previous reply together
 * with the token the peer answered with.
 * NOTE(review): req_flags is a signed int while ret_flags in the reply is
 * OM_UINT32; they describe the same flag bits.
 */
struct gss_init_sec_context_arg {
        uid_t           uid;                    /* client uid */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CRED_ID_T   claimant_cred_handle;   /* must = GSS_C_NO_CREDENTIAL */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    target_name;            /* name of server */
        GSS_OID         name_type;              /* type of principal name */
        GSS_OID         mech_type;              /* requested mechanism */
        int             req_flags;              /* requested context options */
        OM_UINT32       time_req;               /* context validity interval */
        GSS_CHANNEL_BINDINGS
                        input_chan_bindings;    /* requested channel bindings */
        GSS_BUFFER_T    input_token;            /* token received from peer */
};
 147 
/*
 * GSS_INIT_SEC_CONTEXT reply.  The caller must keep context_handle and
 * gssd_context_verifier as a pair for every later operation on this
 * context.  ret_flags reports which of the requested options were
 * actually granted; callers that require a property (e.g. mutual auth)
 * must check it here rather than assume req_flags was honoured.
 */
struct gss_init_sec_context_res {
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID         actual_mech_type;       /* actual mechanism used */
        GSS_BUFFER_T    output_token;           /* token to send to peer */
        OM_UINT32       ret_flags;              /* options actually granted */
        OM_UINT32       time_rec;               /* actual context validity */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 158 
/*
 * GSS_ACCEPT_SEC_CONTEXT request (acceptor side).  input_token_buffer is
 * whatever arrived from the remote initiator and is therefore untrusted
 * input to the mechanism; channel bindings, if present, are compared
 * against those the initiator committed to.
 */
struct gss_accept_sec_context_arg {
        uid_t           uid;                    /* client uid */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CRED_ID_T   verifier_cred_handle;   /* must = GSS_C_NO_CREDENTIAL */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_BUFFER_T    input_token_buffer;     /* token received from initiator */
        GSS_CHANNEL_BINDINGS
                        input_chan_bindings;    /* expected channel bindings */
};
 169 
/*
 * GSS_ACCEPT_SEC_CONTEXT reply.  src_name is the peer identity as
 * authenticated by the mechanism and is only meaningful when `status'
 * reports success; it is the value the kernel would later hand to the
 * GSSCRED_*_TO_UNIX_CRED procedures for authorization.  Delegation is not
 * supported over this interface (delegated_cred_handle is always empty).
 */
struct gss_accept_sec_context_res {
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    src_name;               /* authenticated name of peer */
        GSS_OID         mech_type;              /* mechanism used */
        GSS_BUFFER_T    output_token;           /* token to send to peer */
        OM_UINT32       ret_flags;              /* options of context */
        OM_UINT32       time_rec;               /* actual context validity */
        GSS_CRED_ID_T   delegated_cred_handle;  /* always GSS_C_NO_CREDENTIAL */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 182 
/*
 * GSS_PROCESS_CONTEXT_TOKEN request: hand a context-level token received
 * from the peer (e.g. a deletion token) to the mechanism.
 */
struct gss_process_context_token_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    token_buffer;           /* token to process */
};
 189 
/* GSS_PROCESS_CONTEXT_TOKEN reply: status codes only. */
struct gss_process_context_token_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 194 
/*
 * GSS_DELETE_SEC_CONTEXT request.  Unlike most requests in this file it
 * carries no uid: gssd cannot attribute or scope the deletion to a user
 * and relies on the handle/verifier pair alone.
 */
struct gss_delete_sec_context_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
};
 199 
/*
 * GSS_DELETE_SEC_CONTEXT reply.  output_token, if non-empty, is a
 * deletion token the caller may forward to the peer; context_handle is
 * returned for the caller to discard.
 */
struct gss_delete_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to deleted context */
        GSS_BUFFER_T    output_token;           /* output token for peer */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 206 
/*
 * GSS_EXPORT_SEC_CONTEXT request.  No uid is carried; the context is
 * identified by the handle/verifier pair only.
 */
struct gss_export_sec_context_arg {
        GSS_CTX_ID_T context_handle;            /* handle to existing context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
};
 211 
/*
 * GSS_EXPORT_SEC_CONTEXT reply.  output_token is the serialized context
 * state that GSS_IMPORT_SEC_CONTEXT re-creates a context from; it
 * presumably includes the mechanism's key material, so it must be treated
 * as a secret while in transit and in memory -- confirm with the
 * mechanism implementation.
 */
struct gss_export_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    output_token;           /* input token for import_sec_context */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 218 
/*
 * GSS_IMPORT_SEC_CONTEXT request.  input_token must be an
 * output_token produced by GSS_EXPORT_SEC_CONTEXT; nothing in the wire
 * format proves that, so gssd must validate it as untrusted input.
 */
struct gss_import_sec_context_arg {
        GSS_BUFFER_T    input_token;            /* token from export_sec_context */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
};
 223 
/*
 * GSS_IMPORT_SEC_CONTEXT reply.  Note that, unlike init/accept, no
 * gssd_context_verifier is returned here; the caller reuses the one it
 * sent in the request.
 */
struct gss_import_sec_context_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_CTX_ID_T    context_handle;         /* handle to created context */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 229 
/* GSS_CONTEXT_TIME request: query remaining lifetime of a context. */
struct gss_context_time_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
};
 235 
/* GSS_CONTEXT_TIME reply: time_rec is meaningful only when status is success. */
struct gss_context_time_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       time_rec;               /* remaining context validity */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 241 
/*
 * GSS_SIGN request: compute an integrity token (MIC) over message_buffer.
 * Per the file header the kernel may also perform this operation itself.
 * No uid is carried.
 */
struct gss_sign_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        int             qop_req;                /* quality of protection */
        GSS_BUFFER_T    message_buffer;         /* message to sign */
};
 248 
/* GSS_SIGN reply: msg_token is the MIC to transmit alongside the message. */
struct gss_sign_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    msg_token;              /* integrity token (MIC) */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 254 
/*
 * GSS_VERIFY request: check token_buffer (a MIC from the peer) against
 * message_buffer.  Both are untrusted input to the mechanism.  No uid is
 * carried.
 */
struct gss_verify_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    message_buffer;         /* message to verify */
        GSS_BUFFER_T    token_buffer;           /* buffer containing token */
};
 261 
/*
 * GSS_VERIFY reply.  `status' is the verdict; qop_state reports the QOP
 * the peer actually used and is only meaningful on success.
 */
struct gss_verify_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             qop_state;              /* quality of protection used */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 267 
/*
 * GSS_SEAL request: wrap input_message_buffer, optionally with
 * confidentiality (conf_req_flag non-zero).  No uid is carried.
 */
struct gss_seal_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        int             conf_req_flag;          /* non-zero: encrypt, not just sign */
        int             qop_req;                /* quality of prot. requested */
        GSS_BUFFER_T    input_message_buffer;   /* message to protect */
};
 275 
/*
 * GSS_SEAL reply.  conf_state says whether confidentiality was actually
 * applied; a caller that needs encryption must check it rather than
 * assume conf_req_flag was honoured.
 */
struct gss_seal_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             conf_state;             /* non-zero: confidentiality applied */
        GSS_BUFFER_T    output_message_buffer;  /* protected message */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 282 
/*
 * GSS_UNSEAL request: unwrap a message produced by the peer's seal.  The
 * input is untrusted.  No uid is carried.
 */
struct gss_unseal_arg {
        OM_UINT32       gssd_context_verifier;  /* verifier for context handles */
        GSS_CTX_ID_T    context_handle;         /* handle to existing context */
        GSS_BUFFER_T    input_message_buffer;   /* protected message to unwrap */
};
 288 
/*
 * GSS_UNSEAL reply.  output_message_buffer is only valid when `status'
 * is success.  conf_state reports whether the peer actually encrypted
 * the message; a receiver that requires confidentiality must check it,
 * since an integrity-only wrap unwraps just as successfully.
 */
struct gss_unseal_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    output_message_buffer;  /* unwrapped (plaintext) message */
        int             conf_state;             /* non-zero: message was encrypted */
        int             qop_state;              /* quality of prot. provided */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 296 
/*
 * GSS_DISPLAY_STATUS request: translate a major or minor status code into
 * text.  NOTE(review): status_value is int although status codes are
 * carried as OM_UINT32 everywhere else, and message_context is OM_UINT32
 * here but int in the reply.
 */
struct gss_display_status_arg {
        uid_t           uid;                    /* client uid */
        int             status_value;           /* status to be converted */
        int             status_type;            /* GSS or mech status */
        GSS_OID         mech_type;              /* mechanism */
        OM_UINT32       message_context;        /* continuation cookie, 0 to start */
};
 304 
/*
 * GSS_DISPLAY_STATUS reply.  status_string is mechanism-supplied text of
 * unbounded length; treat it as display data, not as something to parse.
 */
struct gss_display_status_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        int             message_context;        /* non-zero: more text available */
        GSS_BUFFER_T    status_string;          /* text equiv of status */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 311 
 312 %/* gss_indicate_mechs_arg is void. This appears in the rpc call def */
 313 
/* GSS_INDICATE_MECHS reply (the request is void). */
struct gss_indicate_mechs_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_OID_SET     mech_set;               /* mechanism set supported */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 319 
/* GSS_INQUIRE_CRED request: describe a credential by handle/verifier. */
struct gss_inquire_cred_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
};
 325 
/* GSS_INQUIRE_CRED reply; fields other than `status' are valid only on success. */
struct gss_inquire_cred_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        GSS_BUFFER_T    name;                   /* name associated with cred */
        GSS_OID         name_type;              /* type of name */
        OM_UINT32       lifetime;               /* remaining validity period */
        int             cred_usage;             /* how creds may be used */
        GSS_OID_SET     mechanisms;             /* mechs associated with cred */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 335 
/* GSS_INQUIRE_CRED_BY_MECH request: like inquire_cred, restricted to one mech. */
struct gss_inquire_cred_by_mech_arg {
        uid_t           uid;                    /* client uid */
        OM_UINT32       gssd_cred_verifier;     /* verifier for cred handle */
        GSS_CRED_ID_T   cred_handle;            /* credential handle */
        GSS_OID         mech_type;              /* cred mechanism */
};
 342 
/*
 * GSS_INQUIRE_CRED_BY_MECH reply.  Only status codes come back; none of
 * the name/lifetime/usage detail that gss_inquire_cred_res carries.
 */
struct gss_inquire_cred_by_mech_res {
        OM_UINT32       minor_status;           /* status from the mechanism */
        OM_UINT32       status;                 /* status of GSSAPI call */
};
 347 
/*
 * GSSCRED_NAME_TO_UNIX_CRED request: map a GSS principal name to Unix
 * credentials.  `uid' here is the calling client, not the principal;
 * the reply's `uid' is the principal's.
 */
struct gsscred_name_to_unix_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    pname;                  /* principal name */
        GSS_OID         name_type;              /* oid of principal name */
        GSS_OID         mech_type;              /* for which mechanism to use */
};
 354 
/*
 * GSSCRED_NAME_TO_UNIX_CRED reply.  This is an authorization decision:
 * the kernel takes uid/gid/gids on gssd's word and (presumably) runs the
 * request as that user.  `major' must be checked before the identity
 * fields are used.  NOTE(review): the gsscred replies name the major code
 * `major' where every gss_* reply uses `status'.
 */
struct gsscred_name_to_unix_cred_res {
        uid_t           uid;                    /* principal's uid */
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* status of the GSSAPI call */
};
 361 
 362 
/*
 * GSSCRED_EXPNAME_TO_UNIX_CRED request: like NAME_TO_UNIX_CRED but the
 * principal is given in GSS exported-name form (typically the src_name
 * from gss_accept_sec_context_res).
 */
struct
gsscred_expname_to_unix_cred_arg {
        uid_t           uid;                    /* client uid */
        GSS_BUFFER_T    expname;                /* principal in export format */
};
 368 
/*
 * GSSCRED_EXPNAME_TO_UNIX_CRED reply.  Same authorization-critical
 * semantics as gsscred_name_to_unix_cred_res: check `major' first.
 */
struct
gsscred_expname_to_unix_cred_res {
        uid_t           uid;                    /* principal's uid */
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* major status code */
};
 376 
 377 
/*
 * GSS_GET_GROUP_INFO request: look up the group membership of `puid'.
 * `uid' is the calling client and is distinct from the subject uid.
 */
struct gss_get_group_info_arg {
        uid_t           uid;                    /* client uid */
        uid_t           puid;                   /* principal's uid */
};
 382 
/* GSS_GET_GROUP_INFO reply; gid/gids are valid only when `major' is success. */
struct gss_get_group_info_res {
        gid_t           gid;                    /* principal's gid */
        GSSCRED_GIDS    gids;                   /* array of principal's gids */
        OM_UINT32       major;                  /* major status code */
};
 388 
 389 
/* GSS_GET_KMOD request: ask gssd which kernel module backs a mechanism OID. */
struct gss_get_kmod_arg {
        GSS_OID mech_oid;                       /* mechanism to look up */

};
 394 
/*
 * GSS_GET_KMOD reply.  modname is an unbounded string chosen by gssd.
 * NOTE(review): the name suggests the kernel goes on to load a module by
 * this name; if so, the kernel must validate modname (no path components,
 * known-module allow-list) rather than trust the daemon's answer --
 * confirm against the kernel-side caller.
 */
union gss_get_kmod_res switch (bool module_follow) {
        case TRUE:
                string modname<>;               /* kernel module name */
        case FALSE:
                void;                           /* no module for this OID */
};
 401 
 402 
 403 /*
 404  *  The server accepts requests only from the loopback address.
 405  *  Unix authentication is used, and the port must be in the reserved range.
 406  */
 407 
/*
 * The kernel -> gssd RPC program.  Procedure numbers are wire ABI shared
 * with the kernel client stubs: never renumber or reuse one, only append.
 */
program GSSPROG {
    version GSSVERS {

        /*
         *  Called by the client to acquire a credential.
         */
        gss_acquire_cred_res
                GSS_ACQUIRE_CRED(gss_acquire_cred_arg)                  = 1;

        /*
         *  Called by the client to release a credential.
         */
        gss_release_cred_res
                GSS_RELEASE_CRED(gss_release_cred_arg)                  = 2;

        /*
         *  Called by the client to initialize a security context.
         */
        gss_init_sec_context_res
                GSS_INIT_SEC_CONTEXT(gss_init_sec_context_arg)          = 3;

        /*
         *  Called by the server to initialize a security context.
         */
        gss_accept_sec_context_res
                GSS_ACCEPT_SEC_CONTEXT(gss_accept_sec_context_arg)      = 4;

        /*
         *  Called to pass token to underlying mechanism.
         */
        gss_process_context_token_res
                GSS_PROCESS_CONTEXT_TOKEN(gss_process_context_token_arg) = 5;

        /*
         *  Called to delete a security context.
         */
        gss_delete_sec_context_res
                GSS_DELETE_SEC_CONTEXT(gss_delete_sec_context_arg)      = 6;

        /*
         *  Called to get remaining time security context has to live.
         */
        gss_context_time_res
                GSS_CONTEXT_TIME(gss_context_time_arg)                  = 7;

        /*
         *  Called to sign a message.  (The file header notes the kernel
         *  may also perform sign/verify itself.)
         */
        gss_sign_res    GSS_SIGN(gss_sign_arg)                          = 8;

        /*
         *  Called to verify a signed message.
         */
        gss_verify_res  GSS_VERIFY(gss_verify_arg)                      = 9;

        /*
         *  Called to translate minor status into a string.
         */
        gss_display_status_res
                        GSS_DISPLAY_STATUS(gss_display_status_arg)      = 10;

        /*
         *  Called to indicate which underlying mechanisms are supported
         */
        gss_indicate_mechs_res
                        GSS_INDICATE_MECHS(void)                        = 11;

        /*
         *  Called by the client to inquire about a credential.
         */
        gss_inquire_cred_res
                GSS_INQUIRE_CRED(gss_inquire_cred_arg)                  = 12;


        /*
         *  Called to seal a message.
         */
        gss_seal_res    GSS_SEAL(gss_seal_arg)                          = 13;

        /*
         *  Called to unseal a message.
         */
        gss_unseal_res  GSS_UNSEAL(gss_unseal_arg)                      = 14;

        /*
         * gsscred interface functions to obtain principal uid and gids.
         * These map an authenticated GSS name to Unix credentials, so
         * their replies drive authorization in the kernel.
         */
        gsscred_expname_to_unix_cred_res
                        GSSCRED_EXPNAME_TO_UNIX_CRED(
                                gsscred_expname_to_unix_cred_arg)       = 15;

        gsscred_name_to_unix_cred_res
                        GSSCRED_NAME_TO_UNIX_CRED(
                                gsscred_name_to_unix_cred_arg)          = 16;

        /*
         *  Called to obtain the gid and supplementary gids of a uid.
         */
        gss_get_group_info_res
                        GSS_GET_GROUP_INFO(gss_get_group_info_arg)      = 17;

        /*
         *  Called to find the kernel module name for a mechanism OID.
         */
        gss_get_kmod_res
                        GSS_GET_KMOD(gss_get_kmod_arg)                  = 18;

        /*
         *  Called to serialize / re-create a security context.  The
         *  exported token is sensitive (see gss_export_sec_context_res).
         */
        gss_export_sec_context_res
                        GSS_EXPORT_SEC_CONTEXT(gss_export_sec_context_arg) = 19;
        
        gss_import_sec_context_res
                        GSS_IMPORT_SEC_CONTEXT(gss_import_sec_context_arg) = 20;
        /*
         *  Called by the client to add to a credential.
         */
        gss_add_cred_res
                GSS_ADD_CRED(gss_add_cred_arg)                          = 21;
        /*
         *  Called to inquire about a credential for one mechanism.
         */
        gss_inquire_cred_by_mech_res
                GSS_INQUIRE_CRED_BY_MECH(gss_inquire_cred_by_mech_arg)
                                                                        = 22;

    } = 1;
} = 100234;