[apple/xnu.git] / bsd / nfs / nfs_gss.h

/*
 * Copyright (c) 2007-2015 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef _NFS_NFS_GSS_H_
#define _NFS_NFS_GSS_H_

#include <gssd/gssd_mach.h>
#include <sys/param.h>
#include <nfs/nfs_ioctl.h>
#include <libkern/crypto/des.h>

#define RPCSEC_GSS			6
#define	RPCSEC_GSS_VERS_1		1

enum rpcsec_gss_proc {
	RPCSEC_GSS_DATA			= 0,
	RPCSEC_GSS_INIT			= 1,
	RPCSEC_GSS_CONTINUE_INIT	= 2,
	RPCSEC_GSS_DESTROY		= 3
};

enum rpcsec_gss_service {
	RPCSEC_GSS_SVC_NONE		= 1,	// sec=krb5
	RPCSEC_GSS_SVC_INTEGRITY	= 2,	// sec=krb5i
	RPCSEC_GSS_SVC_PRIVACY		= 3,	// sec=krb5p
};

/* encoded krb5 OID */
extern u_char krb5_mech[11];

/*
 * GSS-API things
 */
typedef uint32_t OM_uint32;

#define GSS_S_COMPLETE			0
#define GSS_S_CONTINUE_NEEDED		1

/*
 * Some "helper" definitions to make the status code macros obvious.
 * From gssapi.h:
 */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK ((OM_uint32) 0377ul)
#define GSS_C_ROUTINE_ERROR_MASK ((OM_uint32) 0377ul)
#define GSS_C_SUPPLEMENTARY_MASK ((OM_uint32) 0177777ul)

/*
 * The macros that test status codes for error conditions.  Note that the
 * GSS_ERROR() macro has changed slightly from the V1 GSSAPI so that it now
 * evaluates its argument only once.
 */
#define GSS_CALLING_ERROR(x) \
	((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
	((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) \
	((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
	((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
		(GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))

#define GSS_MAXSEQ			0x80000000	// The biggest sequence number
#define GSS_SVC_MAXCONTEXTS		500000		// Max contexts supported
#define GSS_SVC_SEQWINDOW		256		// Server's sequence window
#define GSS_CLNT_SEQLISTMAX		32		// Max length of req seq num list

#define SKEYLEN	8			// length of DES key
#define SKEYLEN3 24			// length of DES3 keyboard
#define MAX_SKEYLEN	SKEYLEN3

#define GSS_MAX_NEG_CACHE_ENTRIES 16
#define GSS_NEG_CACHE_TO 3
#define GSS_PRINT_DELAY	 (8 * 3600)	// Wait day before printing the same error message

typedef struct {
	uint32_t type; 		// See defines below
	uint32_t keybytes; 	// Session key length bytes;
	uint32_t hash_len;
	u_char   skey[MAX_SKEYLEN];	   	// Session key;
	union {
		struct {
			des_cblock  *key;
			des_cbc_key_schedule gss_sched;
			des_cbc_key_schedule gss_sched_Ke;
		} des;
		struct {
			des_cblock		(*key)[3];
			des_cblock		ckey[3];
			des3_cbc_key_schedule	gss_sched;
		} des3;
	} ks_u;
} gss_key_info;

#define NFS_GSS_0DES	0 // Not DES or uninitialized
#define NFS_GSS_1DES	1 // Single DES with DES_MAC_MD5
#define NFS_GSS_3DES	2 // Triple EDE DES KD with SHA1

/*
 * The client's RPCSEC_GSS context information
 */
struct nfs_gss_clnt_ctx {
	lck_mtx_t		*gss_clnt_mtx;
	thread_t		gss_clnt_thread;	// Thread creating context
	TAILQ_ENTRY(nfs_gss_clnt_ctx)	gss_clnt_entries;
	uint32_t		gss_clnt_flags;		// Flag bits - see below
	int32_t			gss_clnt_refcnt;	// Reference count
	kauth_cred_t		gss_clnt_cred;		// Owner of this context
	uint8_t			*gss_clnt_principal;	// Principal to use for this credential
	uint32_t		gss_clnt_prinlen;	// Length of principal
	gssd_nametype		gss_clnt_prinnt;	// Name type of principal
	char			*gss_clnt_display;	// display name of principal
	uint32_t		gss_clnt_proc;		// Current GSS proc for cred
	uint32_t		gss_clnt_seqnum;	// GSS sequence number
	uint32_t		gss_clnt_service;	// Indicates krb5, krb5i or krb5p
	uint8_t			*gss_clnt_handle;	// Identifies server context
	uint32_t		gss_clnt_handle_len;	// Size of server's ctx handle
	time_t			gss_clnt_nctime;	// When context was put in the negative cache
	uint32_t		gss_clnt_seqwin;	// Server's seq num window
	uint32_t		*gss_clnt_seqbits;	// Bitmap to track seq numbers in use
	mach_port_t		gss_clnt_mport;		// Mach port for gssd upcall
	uint8_t			*gss_clnt_verf;		// RPC verifier from server
	uint8_t			*gss_clnt_svcname;	// Service name e.g. "nfs/big.apple.com"
	uint32_t		gss_clnt_svcnamlen;	// Service name length
	gssd_nametype		gss_clnt_svcnt;		// Service name type
	gssd_cred		gss_clnt_cred_handle;	// Opaque cred handle from gssd
	gssd_ctx		gss_clnt_context;	// Opaque context handle from gssd
	uint8_t			*gss_clnt_token;	// GSS token exchanged via gssd & server
	uint32_t		gss_clnt_tokenlen;	// Length of token
	gss_key_info		*gss_clnt_kinfo;		// GSS key info
	uint32_t		gss_clnt_gssd_flags;	// Special flag bits to gssd
	uint32_t		gss_clnt_major;		// GSS major result from gssd or server
	uint32_t		gss_clnt_minor;		// GSS minor result from gssd or server
	time_t			gss_clnt_ptime;		// When last error message was printed
};

/*
 * gss_clnt_flags
 */
#define GSS_CTX_COMPLETE	0x00000001	// Context is complete
#define GSS_CTX_INVAL		0x00000002	// Context is invalid
#define GSS_CTX_STICKY		0x00000004	// Context has been set by user
#define GSS_NEEDSEQ		0x00000008	// Need a sequence number
#define GSS_NEEDCTX		0x00000010	// Need the context
#define GSS_CTX_DESTROY		0x00000020	// Context is being destroyed, don't cache

/*
 * The server's RPCSEC_GSS context information
 */
struct nfs_gss_svc_ctx {
	lck_mtx_t		*gss_svc_mtx;
	LIST_ENTRY(nfs_gss_svc_ctx)	gss_svc_entries;
	uint32_t		gss_svc_handle;		// Identifies server context to client
	uint32_t		gss_svc_refcnt;		// Reference count
	uint32_t		gss_svc_proc;		// Current GSS proc from cred
	uid_t			gss_svc_uid;		// UID of this user
	gid_t			gss_svc_gids[NGROUPS];	// GIDs of this user
	uint32_t		gss_svc_ngroups;	// Count of gids
	uint64_t		gss_svc_incarnation;	// Delete ctx if we exceed this + ttl value
	uint32_t		gss_svc_seqmax;		// Current max GSS sequence number
	uint32_t		gss_svc_seqwin;		// GSS sequence number window
	uint32_t		*gss_svc_seqbits;	// Bitmap to track seq numbers
	gssd_cred		gss_svc_cred_handle;	// Opaque cred handle from gssd
	gssd_ctx		gss_svc_context;	// Opaque context handle from gssd
	u_char			*gss_svc_token;		// GSS token exchanged via gssd & client
	uint32_t		gss_svc_tokenlen;	// Length of token
	gss_key_info		gss_svc_kinfo;		// Session key info
	uint32_t		gss_svc_major;		// GSS major result from gssd
	uint32_t		gss_svc_minor;		// GSS minor result from gssd
};

#define SVC_CTX_HASHSZ	64
#define SVC_CTX_HASH(handle)	((handle) % SVC_CTX_HASHSZ)
LIST_HEAD(nfs_gss_svc_ctx_hashhead, nfs_gss_svc_ctx);

/*
 * Macros to manipulate bits in the sequence window
 */
#define win_getbit(bits, bit)      ((bits[(bit) / 32] &   (1 << (bit) % 32)) != 0)
#define win_setbit(bits, bit)   do { bits[(bit) / 32] |=  (1 << (bit) % 32); } while (0)
#define win_resetbit(bits, bit) do { bits[(bit) / 32] &= ~(1 << (bit) % 32); } while (0)

/*
 * Server context stale times
 */
#define GSS_CTX_PEND		5 		// seconds
#define GSS_CTX_EXPIRE		(8 * 3600)	// seconds
#define GSS_CTX_TTL_MIN		1		// seconds
#define GSS_TIMER_PERIOD	300		// seconds
#define MSECS_PER_SEC		1000

#define auth_is_kerberized(auth) \
	(auth == RPCAUTH_KRB5 || \
	 auth == RPCAUTH_KRB5I || \
	 auth == RPCAUTH_KRB5P)

__BEGIN_DECLS

void	nfs_gss_init(void);
uid_t	nfs_cred_getasid2uid(kauth_cred_t);
int	nfs_gss_clnt_cred_put(struct nfsreq *, struct nfsm_chain *, mbuf_t);
int	nfs_gss_clnt_verf_get(struct nfsreq *, struct nfsm_chain *,
		uint32_t, uint32_t, uint32_t *);
void	nfs_gss_clnt_rpcdone(struct nfsreq *);
int	nfs_gss_clnt_args_restore(struct nfsreq *);
int	nfs_gss_clnt_ctx_renew(struct nfsreq *);
void	nfs_gss_clnt_ctx_ref(struct nfsreq *, struct nfs_gss_clnt_ctx *);
void	nfs_gss_clnt_ctx_unref(struct nfsreq *);
void	nfs_gss_clnt_ctx_unmount(struct nfsmount *);
int	nfs_gss_clnt_ctx_remove(struct nfsmount *, kauth_cred_t);
int	nfs_gss_clnt_ctx_set_principal(struct nfsmount *, vfs_context_t, uint8_t *, uint32_t, uint32_t);
int	nfs_gss_clnt_ctx_get_principal(struct nfsmount *, vfs_context_t, struct user_nfs_gss_principal *);
int	nfs_gss_svc_cred_get(struct nfsrv_descript *, struct nfsm_chain *);
int	nfs_gss_svc_verf_put(struct nfsrv_descript *, struct nfsm_chain *);
int	nfs_gss_svc_ctx_init(struct nfsrv_descript *, struct nfsrv_sock *, mbuf_t *);
int	nfs_gss_svc_prepare_reply(struct nfsrv_descript *, struct nfsm_chain *);
int	nfs_gss_svc_protect_reply(struct nfsrv_descript *, mbuf_t);
void	nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *);
void	nfs_gss_svc_cleanup(void);

__END_DECLS
#endif /* _NFS_NFS_GSS_H_ */
Commit	Line	Data
2d21ac55	1	/*
3e170ce0	2	* Copyright (c) 2007-2015 Apple Inc. All rights reserved.
2d21ac55 A	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#ifndef _NFS_NFS_GSS_H_
	30	#define _NFS_NFS_GSS_H_
	31
	32	#include <gssd/gssd_mach.h>
2d21ac55	33	#include <sys/param.h>
39236c6e	34	#include <nfs/nfs_ioctl.h>
316670eb	35	#include <libkern/crypto/des.h>
2d21ac55 A	36
	37	#define RPCSEC_GSS 6
	38	#define RPCSEC_GSS_VERS_1 1
	39
	40	enum rpcsec_gss_proc {
	41	RPCSEC_GSS_DATA = 0,
	42	RPCSEC_GSS_INIT = 1,
	43	RPCSEC_GSS_CONTINUE_INIT = 2,
	44	RPCSEC_GSS_DESTROY = 3
	45	};
	46
	47	enum rpcsec_gss_service {
	48	RPCSEC_GSS_SVC_NONE = 1, // sec=krb5
	49	RPCSEC_GSS_SVC_INTEGRITY = 2, // sec=krb5i
	50	RPCSEC_GSS_SVC_PRIVACY = 3, // sec=krb5p
2d21ac55 A	51	};
2d21ac55 A	52
6d2010ae A	53	/* encoded krb5 OID */
	54	extern u_char krb5_mech[11];
	55
2d21ac55 A	56	/*
	57	* GSS-API things
	58	*/
39236c6e A	59	typedef uint32_t OM_uint32;
39236c6e A	60
2d21ac55 A	61	#define GSS_S_COMPLETE 0
	62	#define GSS_S_CONTINUE_NEEDED 1
	63
39236c6e A	64	/*
	65	* Some "helper" definitions to make the status code macros obvious.
	66	* From gssapi.h:
	67	*/
	68	#define GSS_C_CALLING_ERROR_OFFSET 24
	69	#define GSS_C_ROUTINE_ERROR_OFFSET 16
	70	#define GSS_C_SUPPLEMENTARY_OFFSET 0
	71	#define GSS_C_CALLING_ERROR_MASK ((OM_uint32) 0377ul)
	72	#define GSS_C_ROUTINE_ERROR_MASK ((OM_uint32) 0377ul)
	73	#define GSS_C_SUPPLEMENTARY_MASK ((OM_uint32) 0177777ul)
	74
	75	/*
	76	* The macros that test status codes for error conditions. Note that the
	77	* GSS_ERROR() macro has changed slightly from the V1 GSSAPI so that it now
	78	* evaluates its argument only once.
	79	*/
	80	#define GSS_CALLING_ERROR(x) \
	81	((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
	82	#define GSS_ROUTINE_ERROR(x) \
	83	((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
	84	#define GSS_SUPPLEMENTARY_INFO(x) \
	85	((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
	86	#define GSS_ERROR(x) \
	87	((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) \| \
	88	(GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
	89
2d21ac55 A	90	#define GSS_MAXSEQ 0x80000000 // The biggest sequence number
	91	#define GSS_SVC_MAXCONTEXTS 500000 // Max contexts supported
	92	#define GSS_SVC_SEQWINDOW 256 // Server's sequence window
	93	#define GSS_CLNT_SEQLISTMAX 32 // Max length of req seq num list
2d21ac55 A	94
2d21ac55 A	95	#define SKEYLEN 8 // length of DES key
b0d623f7 A	96	#define SKEYLEN3 24 // length of DES3 keyboard
	97	#define MAX_SKEYLEN SKEYLEN3
	98
fe8ab488 A	99	#define GSS_MAX_NEG_CACHE_ENTRIES 16
	100	#define GSS_NEG_CACHE_TO 3
	101	#define GSS_PRINT_DELAY (8 * 3600) // Wait day before printing the same error message
	102
b0d623f7 A	103	typedef struct {
	104	uint32_t type; // See defines below
	105	uint32_t keybytes; // Session key length bytes;
	106	uint32_t hash_len;
	107	u_char skey[MAX_SKEYLEN]; // Session key;
	108	union {
	109	struct {
	110	des_cblock *key;
316670eb A	111	des_cbc_key_schedule gss_sched;
316670eb A	112	des_cbc_key_schedule gss_sched_Ke;
b0d623f7 A	113	} des;
	114	struct {
	115	des_cblock (*key)[3];
	116	des_cblock ckey[3];
316670eb	117	des3_cbc_key_schedule gss_sched;
b0d623f7 A	118	} des3;
	119	} ks_u;
	120	} gss_key_info;
	121
	122	#define NFS_GSS_0DES 0 // Not DES or uninitialized
	123	#define NFS_GSS_1DES 1 // Single DES with DES_MAC_MD5
	124	#define NFS_GSS_3DES 2 // Triple EDE DES KD with SHA1
2d21ac55 A	125
	126	/*
	127	* The client's RPCSEC_GSS context information
	128	*/
	129	struct nfs_gss_clnt_ctx {
	130	lck_mtx_t *gss_clnt_mtx;
	131	thread_t gss_clnt_thread; // Thread creating context
	132	TAILQ_ENTRY(nfs_gss_clnt_ctx) gss_clnt_entries;
	133	uint32_t gss_clnt_flags; // Flag bits - see below
fe8ab488	134	int32_t gss_clnt_refcnt; // Reference count
39236c6e A	135	kauth_cred_t gss_clnt_cred; // Owner of this context
	136	uint8_t *gss_clnt_principal; // Principal to use for this credential
	137	uint32_t gss_clnt_prinlen; // Length of principal
	138	gssd_nametype gss_clnt_prinnt; // Name type of principal
	139	char *gss_clnt_display; // display name of principal
2d21ac55 A	140	uint32_t gss_clnt_proc; // Current GSS proc for cred
	141	uint32_t gss_clnt_seqnum; // GSS sequence number
	142	uint32_t gss_clnt_service; // Indicates krb5, krb5i or krb5p
39236c6e	143	uint8_t *gss_clnt_handle; // Identifies server context
2d21ac55	144	uint32_t gss_clnt_handle_len; // Size of server's ctx handle
fe8ab488	145	time_t gss_clnt_nctime; // When context was put in the negative cache
2d21ac55 A	146	uint32_t gss_clnt_seqwin; // Server's seq num window
	147	uint32_t *gss_clnt_seqbits; // Bitmap to track seq numbers in use
	148	mach_port_t gss_clnt_mport; // Mach port for gssd upcall
39236c6e A	149	uint8_t *gss_clnt_verf; // RPC verifier from server
	150	uint8_t *gss_clnt_svcname; // Service name e.g. "nfs/big.apple.com"
	151	uint32_t gss_clnt_svcnamlen; // Service name length
	152	gssd_nametype gss_clnt_svcnt; // Service name type
6d2010ae A	153	gssd_cred gss_clnt_cred_handle; // Opaque cred handle from gssd
6d2010ae A	154	gssd_ctx gss_clnt_context; // Opaque context handle from gssd
39236c6e	155	uint8_t *gss_clnt_token; // GSS token exchanged via gssd & server
2d21ac55	156	uint32_t gss_clnt_tokenlen; // Length of token
3e170ce0	157	gss_key_info *gss_clnt_kinfo; // GSS key info
b0d623f7	158	uint32_t gss_clnt_gssd_flags; // Special flag bits to gssd
2d21ac55 A	159	uint32_t gss_clnt_major; // GSS major result from gssd or server
2d21ac55 A	160	uint32_t gss_clnt_minor; // GSS minor result from gssd or server
fe8ab488	161	time_t gss_clnt_ptime; // When last error message was printed
2d21ac55 A	162	};
	163
	164	/*
	165	* gss_clnt_flags
	166	*/
	167	#define GSS_CTX_COMPLETE 0x00000001 // Context is complete
	168	#define GSS_CTX_INVAL 0x00000002 // Context is invalid
3e170ce0	169	#define GSS_CTX_STICKY 0x00000004 // Context has been set by user
39236c6e A	170	#define GSS_NEEDSEQ 0x00000008 // Need a sequence number
39236c6e A	171	#define GSS_NEEDCTX 0x00000010 // Need the context
3e170ce0	172	#define GSS_CTX_DESTROY 0x00000020 // Context is being destroyed, don't cache
2d21ac55 A	173
	174	/*
	175	* The server's RPCSEC_GSS context information
	176	*/
	177	struct nfs_gss_svc_ctx {
	178	lck_mtx_t *gss_svc_mtx;
	179	LIST_ENTRY(nfs_gss_svc_ctx) gss_svc_entries;
	180	uint32_t gss_svc_handle; // Identifies server context to client
6d2010ae	181	uint32_t gss_svc_refcnt; // Reference count
2d21ac55 A	182	uint32_t gss_svc_proc; // Current GSS proc from cred
	183	uid_t gss_svc_uid; // UID of this user
	184	gid_t gss_svc_gids[NGROUPS]; // GIDs of this user
	185	uint32_t gss_svc_ngroups; // Count of gids
b0d623f7	186	uint64_t gss_svc_incarnation; // Delete ctx if we exceed this + ttl value
2d21ac55 A	187	uint32_t gss_svc_seqmax; // Current max GSS sequence number
	188	uint32_t gss_svc_seqwin; // GSS sequence number window
	189	uint32_t *gss_svc_seqbits; // Bitmap to track seq numbers
6d2010ae	190	gssd_cred gss_svc_cred_handle; // Opaque cred handle from gssd
39236c6e	191	gssd_ctx gss_svc_context; // Opaque context handle from gssd
2d21ac55 A	192	u_char *gss_svc_token; // GSS token exchanged via gssd & client
2d21ac55 A	193	uint32_t gss_svc_tokenlen; // Length of token
b0d623f7	194	gss_key_info gss_svc_kinfo; // Session key info
2d21ac55 A	195	uint32_t gss_svc_major; // GSS major result from gssd
	196	uint32_t gss_svc_minor; // GSS minor result from gssd
	197	};
	198
	199	#define SVC_CTX_HASHSZ 64
	200	#define SVC_CTX_HASH(handle) ((handle) % SVC_CTX_HASHSZ)
	201	LIST_HEAD(nfs_gss_svc_ctx_hashhead, nfs_gss_svc_ctx);
	202
	203	/*
	204	* Macros to manipulate bits in the sequence window
	205	*/
	206	#define win_getbit(bits, bit) ((bits[(bit) / 32] & (1 << (bit) % 32)) != 0)
	207	#define win_setbit(bits, bit) do { bits[(bit) / 32] \|= (1 << (bit) % 32); } while (0)
	208	#define win_resetbit(bits, bit) do { bits[(bit) / 32] &= ~(1 << (bit) % 32); } while (0)
	209
	210	/*
	211	* Server context stale times
	212	*/
	213	#define GSS_CTX_PEND 5 // seconds
	214	#define GSS_CTX_EXPIRE (8 * 3600) // seconds
b0d623f7	215	#define GSS_CTX_TTL_MIN 1 // seconds
2d21ac55 A	216	#define GSS_TIMER_PERIOD 300 // seconds
	217	#define MSECS_PER_SEC 1000
	218
3e170ce0 A	219	#define auth_is_kerberized(auth) \
	220	(auth == RPCAUTH_KRB5 \|\| \
	221	auth == RPCAUTH_KRB5I \|\| \
	222	auth == RPCAUTH_KRB5P)
	223
2d21ac55 A	224	__BEGIN_DECLS
	225
	226	void nfs_gss_init(void);
3e170ce0	227	uid_t nfs_cred_getasid2uid(kauth_cred_t);
2d21ac55 A	228	int nfs_gss_clnt_cred_put(struct nfsreq , struct nfsm_chain , mbuf_t);
	229	int nfs_gss_clnt_verf_get(struct nfsreq , struct nfsm_chain ,
	230	uint32_t, uint32_t, uint32_t *);
	231	void nfs_gss_clnt_rpcdone(struct nfsreq *);
	232	int nfs_gss_clnt_args_restore(struct nfsreq *);
	233	int nfs_gss_clnt_ctx_renew(struct nfsreq *);
	234	void nfs_gss_clnt_ctx_ref(struct nfsreq , struct nfs_gss_clnt_ctx );
	235	void nfs_gss_clnt_ctx_unref(struct nfsreq *);
6d2010ae	236	void nfs_gss_clnt_ctx_unmount(struct nfsmount *);
3e170ce0 A	237	int nfs_gss_clnt_ctx_remove(struct nfsmount *, kauth_cred_t);
	238	int nfs_gss_clnt_ctx_set_principal(struct nfsmount , vfs_context_t, uint8_t , uint32_t, uint32_t);
	239	int nfs_gss_clnt_ctx_get_principal(struct nfsmount , vfs_context_t, struct user_nfs_gss_principal );
2d21ac55 A	240	int nfs_gss_svc_cred_get(struct nfsrv_descript , struct nfsm_chain );
	241	int nfs_gss_svc_verf_put(struct nfsrv_descript , struct nfsm_chain );
	242	int nfs_gss_svc_ctx_init(struct nfsrv_descript , struct nfsrv_sock , mbuf_t *);
	243	int nfs_gss_svc_prepare_reply(struct nfsrv_descript , struct nfsm_chain );
	244	int nfs_gss_svc_protect_reply(struct nfsrv_descript *, mbuf_t);
6d2010ae	245	void nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *);
2d21ac55 A	246	void nfs_gss_svc_cleanup(void);
	247
	248	__END_DECLS
	249	#endif /* _NFS_NFS_GSS_H_ */