[apple/xnu.git] / bsd / nfs / nfs_gss.h

/*
 * Copyright (c) 2007-2015 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef _NFS_NFS_GSS_H_
#define _NFS_NFS_GSS_H_

#include "gss/gss_krb5_mech.h"
#include <gssd/gssd_mach.h>
#include <sys/param.h>
#include <nfs/nfs_ioctl.h>

#define RPCSEC_GSS                      6
#define RPCSEC_GSS_VERS_1               1

enum rpcsec_gss_proc {
	RPCSEC_GSS_DATA                 = 0,
	RPCSEC_GSS_INIT                 = 1,
	RPCSEC_GSS_CONTINUE_INIT        = 2,
	RPCSEC_GSS_DESTROY              = 3
};

enum rpcsec_gss_service {
	RPCSEC_GSS_SVC_NONE             = 1,    // sec=krb5
	RPCSEC_GSS_SVC_INTEGRITY        = 2,    // sec=krb5i
	RPCSEC_GSS_SVC_PRIVACY          = 3,    // sec=krb5p
};

/* encoded krb5 OID */
extern u_char krb5_mech_oid[11];


/*
 * RFC 2203 and friends don't define maximums for token lengths
 * and context handles. We try to pick reasonable values here.
 *
 * N.B. Kerberos mech tokens can be quite large from the output
 * of a gss_init_sec_context if it includes a large PAC.
 */

#define GSS_MAX_CTX_HANDLE_LEN          256
#define GSS_MAX_TOKEN_LEN               64*1024

/*
 * Put a "reasonble" bound on MIC lengths
 */
#define GSS_MAX_MIC_LEN                 2048

#define GSS_MAXSEQ                      0x80000000      // The biggest sequence number
#define GSS_SVC_MAXCONTEXTS             500000          // Max contexts supported
#define GSS_SVC_SEQWINDOW               256             // Server's sequence window
#define GSS_CLNT_SEQLISTMAX             32              // Max length of req seq num list

#define MAX_SKEYLEN     32
#define MAX_LUCIDLEN    (sizeof (lucid_context) + MAX_SKEYLEN)
#define GSS_MAX_NEG_CACHE_ENTRIES 16
#define GSS_NEG_CACHE_TO 3
#define GSS_PRINT_DELAY  (8 * 3600)     // Wait day before printing the same error message

/*
 * The client's RPCSEC_GSS context information
 */
struct nfs_gss_clnt_ctx {
	lck_mtx_t               *gss_clnt_mtx;
	thread_t                gss_clnt_thread;        // Thread creating context
	TAILQ_ENTRY(nfs_gss_clnt_ctx)   gss_clnt_entries;
	uint32_t                gss_clnt_flags;         // Flag bits - see below
	int32_t                 gss_clnt_refcnt;        // Reference count
	kauth_cred_t            gss_clnt_cred;          // Owner of this context
	uint8_t                 *gss_clnt_principal;    // Principal to use for this credential
	uint32_t                gss_clnt_prinlen;       // Length of principal
	gssd_nametype           gss_clnt_prinnt;        // Name type of principal
	char                    *gss_clnt_display;      // display name of principal
	uint32_t                gss_clnt_proc;          // Current GSS proc for cred
	uint32_t                gss_clnt_seqnum;        // GSS sequence number
	uint32_t                gss_clnt_service;       // Indicates krb5, krb5i or krb5p
	uint8_t                 *gss_clnt_handle;       // Identifies server context
	uint32_t                gss_clnt_handle_len;    // Size of server's ctx handle
	time_t                  gss_clnt_nctime;        // When context was put in the negative cache
	uint32_t                gss_clnt_seqwin;        // Server's seq num window
	uint32_t                *gss_clnt_seqbits;      // Bitmap to track seq numbers in use
	mach_port_t             gss_clnt_mport;         // Mach port for gssd upcall
	uint32_t                gss_clnt_verflen;       // RPC verifier length from server
	uint8_t                 *gss_clnt_verf;         // RPC verifier from server
	uint8_t                 *gss_clnt_svcname;      // Service name e.g. "nfs/big.apple.com"
	uint32_t                gss_clnt_svcnamlen;     // Service name length
	gssd_nametype           gss_clnt_svcnt;         // Service name type
	gssd_cred               gss_clnt_cred_handle;   // Opaque cred handle from gssd
	gssd_ctx                gss_clnt_context;       // Opaque context handle from gssd
	gss_ctx_id_t            gss_clnt_ctx_id;        // Underlying gss context
	uint8_t                 *gss_clnt_token;        // GSS token exchanged via gssd & server
	uint32_t                gss_clnt_tokenlen;      // Length of token
	uint32_t                gss_clnt_gssd_flags;    // Special flag bits to gssd
	uint32_t                gss_clnt_major;         // GSS major result from gssd or server
	uint32_t                gss_clnt_minor;         // GSS minor result from gssd or server
	time_t                  gss_clnt_ptime;         // When last error message was printed
};

/*
 * gss_clnt_flags
 */
#define GSS_CTX_COMPLETE        0x00000001      // Context is complete
#define GSS_CTX_INVAL           0x00000002      // Context is invalid
#define GSS_CTX_STICKY          0x00000004      // Context has been set by user
#define GSS_NEEDSEQ             0x00000008      // Need a sequence number
#define GSS_NEEDCTX             0x00000010      // Need the context
#define GSS_CTX_DESTROY         0x00000020      // Context is being destroyed, don't cache

/*
 * The server's RPCSEC_GSS context information
 */
struct nfs_gss_svc_ctx {
	lck_mtx_t               *gss_svc_mtx;
	LIST_ENTRY(nfs_gss_svc_ctx)     gss_svc_entries;
	uint32_t                gss_svc_handle;         // Identifies server context to client
	uint32_t                gss_svc_refcnt;         // Reference count
	uint32_t                gss_svc_proc;           // Current GSS proc from cred
	uid_t                   gss_svc_uid;            // UID of this user
	gid_t                   gss_svc_gids[NGROUPS];  // GIDs of this user
	uint32_t                gss_svc_ngroups;        // Count of gids
	uint64_t                gss_svc_incarnation;    // Delete ctx if we exceed this + ttl value
	uint32_t                gss_svc_seqmax;         // Current max GSS sequence number
	uint32_t                gss_svc_seqwin;         // GSS sequence number window
	uint32_t                *gss_svc_seqbits;       // Bitmap to track seq numbers
	gssd_cred               gss_svc_cred_handle;    // Opaque cred handle from gssd
	gssd_ctx                gss_svc_context;        // Opaque context handle from gssd
	gss_ctx_id_t            gss_svc_ctx_id;         // Underlying gss context
	u_char                  *gss_svc_token;         // GSS token exchanged via gssd & client
	uint32_t                gss_svc_tokenlen;       // Length of token
	uint32_t                gss_svc_major;          // GSS major result from gssd
	uint32_t                gss_svc_minor;          // GSS minor result from gssd
};

#define SVC_CTX_HASHSZ  64
#define SVC_CTX_HASH(handle)    ((handle) % SVC_CTX_HASHSZ)
LIST_HEAD(nfs_gss_svc_ctx_hashhead, nfs_gss_svc_ctx);

/*
 * Macros to manipulate bits in the sequence window
 */
#define win_getbit(bits, bit)      ((bits[(bit) / 32] &   (1 << (bit) % 32)) != 0)
#define win_setbit(bits, bit)   do { bits[(bit) / 32] |=  (1 << (bit) % 32); } while (0)
#define win_resetbit(bits, bit) do { bits[(bit) / 32] &= ~(1 << (bit) % 32); } while (0)

/*
 * Server context stale times
 */
#define GSS_CTX_PEND            5               // seconds
#define GSS_CTX_EXPIRE          (8 * 3600)      // seconds
#define GSS_CTX_TTL_MIN         1               // seconds
#define GSS_TIMER_PERIOD        300             // seconds
#define MSECS_PER_SEC           1000

#define auth_is_kerberized(auth) \
	(auth == RPCAUTH_KRB5 || \
	 auth == RPCAUTH_KRB5I || \
	 auth == RPCAUTH_KRB5P)

__BEGIN_DECLS

void    nfs_gss_init(void);
uid_t   nfs_cred_getasid2uid(kauth_cred_t);
int     nfs_gss_clnt_cred_put(struct nfsreq *, struct nfsm_chain *, mbuf_t);
int     nfs_gss_clnt_verf_get(struct nfsreq *, struct nfsm_chain *,
    uint32_t, uint32_t, uint32_t *);
void    nfs_gss_clnt_rpcdone(struct nfsreq *);
int     nfs_gss_clnt_args_restore(struct nfsreq *);
int     nfs_gss_clnt_ctx_renew(struct nfsreq *);
void    nfs_gss_clnt_ctx_ref(struct nfsreq *, struct nfs_gss_clnt_ctx *);
void    nfs_gss_clnt_ctx_unref(struct nfsreq *);
void    nfs_gss_clnt_ctx_unmount(struct nfsmount *);
int     nfs_gss_clnt_ctx_remove(struct nfsmount *, kauth_cred_t);
int     nfs_gss_clnt_ctx_set_principal(struct nfsmount *, vfs_context_t, uint8_t *, uint32_t, uint32_t);
int     nfs_gss_clnt_ctx_get_principal(struct nfsmount *, vfs_context_t, struct user_nfs_gss_principal *);
int     nfs_gss_svc_cred_get(struct nfsrv_descript *, struct nfsm_chain *);
int     nfs_gss_svc_verf_put(struct nfsrv_descript *, struct nfsm_chain *);
int     nfs_gss_svc_ctx_init(struct nfsrv_descript *, struct nfsrv_sock *, mbuf_t *);
int     nfs_gss_svc_prepare_reply(struct nfsrv_descript *, struct nfsm_chain *);
int     nfs_gss_svc_protect_reply(struct nfsrv_descript *, mbuf_t);
void    nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *);
void    nfs_gss_svc_cleanup(void);

__END_DECLS
#endif /* _NFS_NFS_GSS_H_ */
Commit	Line	Data
2d21ac55	1	/*
3e170ce0	2	* Copyright (c) 2007-2015 Apple Inc. All rights reserved.
2d21ac55 A	3	*
2d21ac55 A	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
0a7de745	5	*
2d21ac55 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
0a7de745	14	*
2d21ac55 A	15	* Please obtain a copy of the License at
2d21ac55 A	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
0a7de745	17	*
2d21ac55 A	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
0a7de745	25	*
2d21ac55 A	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#ifndef _NFS_NFS_GSS_H_
	30	#define _NFS_NFS_GSS_H_
	31
39037602	32	#include "gss/gss_krb5_mech.h"
2d21ac55	33	#include <gssd/gssd_mach.h>
2d21ac55	34	#include <sys/param.h>
39236c6e	35	#include <nfs/nfs_ioctl.h>
2d21ac55	36
0a7de745 A	37	#define RPCSEC_GSS 6
0a7de745 A	38	#define RPCSEC_GSS_VERS_1 1
2d21ac55 A	39
2d21ac55 A	40	enum rpcsec_gss_proc {
0a7de745 A	41	RPCSEC_GSS_DATA = 0,
	42	RPCSEC_GSS_INIT = 1,
	43	RPCSEC_GSS_CONTINUE_INIT = 2,
	44	RPCSEC_GSS_DESTROY = 3
2d21ac55 A	45	};
	46
	47	enum rpcsec_gss_service {
0a7de745 A	48	RPCSEC_GSS_SVC_NONE = 1, // sec=krb5
	49	RPCSEC_GSS_SVC_INTEGRITY = 2, // sec=krb5i
	50	RPCSEC_GSS_SVC_PRIVACY = 3, // sec=krb5p
2d21ac55 A	51	};
2d21ac55 A	52
6d2010ae	53	/* encoded krb5 OID */
39037602	54	extern u_char krb5_mech_oid[11];
6d2010ae	55
39236c6e	56
d9a64523 A	57	/*
	58	* RFC 2203 and friends don't define maximums for token lengths
	59	* and context handles. We try to pick reasonable values here.
	60	*
	61	* N.B. Kerberos mech tokens can be quite large from the output
	62	* of a gss_init_sec_context if it includes a large PAC.
	63	*/
	64
0a7de745 A	65	#define GSS_MAX_CTX_HANDLE_LEN 256
0a7de745 A	66	#define GSS_MAX_TOKEN_LEN 64*1024
d9a64523 A	67
	68	/*
	69	* Put a "reasonble" bound on MIC lengths
	70	*/
0a7de745	71	#define GSS_MAX_MIC_LEN 2048
d9a64523	72
0a7de745 A	73	#define GSS_MAXSEQ 0x80000000 // The biggest sequence number
	74	#define GSS_SVC_MAXCONTEXTS 500000 // Max contexts supported
	75	#define GSS_SVC_SEQWINDOW 256 // Server's sequence window
	76	#define GSS_CLNT_SEQLISTMAX 32 // Max length of req seq num list
2d21ac55	77
0a7de745 A	78	#define MAX_SKEYLEN 32
0a7de745 A	79	#define MAX_LUCIDLEN (sizeof (lucid_context) + MAX_SKEYLEN)
fe8ab488 A	80	#define GSS_MAX_NEG_CACHE_ENTRIES 16
fe8ab488 A	81	#define GSS_NEG_CACHE_TO 3
0a7de745	82	#define GSS_PRINT_DELAY (8 * 3600) // Wait day before printing the same error message
fe8ab488	83
2d21ac55 A	84	/*
	85	* The client's RPCSEC_GSS context information
	86	*/
	87	struct nfs_gss_clnt_ctx {
0a7de745 A	88	lck_mtx_t *gss_clnt_mtx;
	89	thread_t gss_clnt_thread; // Thread creating context
	90	TAILQ_ENTRY(nfs_gss_clnt_ctx) gss_clnt_entries;
	91	uint32_t gss_clnt_flags; // Flag bits - see below
	92	int32_t gss_clnt_refcnt; // Reference count
	93	kauth_cred_t gss_clnt_cred; // Owner of this context
	94	uint8_t *gss_clnt_principal; // Principal to use for this credential
	95	uint32_t gss_clnt_prinlen; // Length of principal
	96	gssd_nametype gss_clnt_prinnt; // Name type of principal
	97	char *gss_clnt_display; // display name of principal
	98	uint32_t gss_clnt_proc; // Current GSS proc for cred
	99	uint32_t gss_clnt_seqnum; // GSS sequence number
	100	uint32_t gss_clnt_service; // Indicates krb5, krb5i or krb5p
	101	uint8_t *gss_clnt_handle; // Identifies server context
	102	uint32_t gss_clnt_handle_len; // Size of server's ctx handle
	103	time_t gss_clnt_nctime; // When context was put in the negative cache
	104	uint32_t gss_clnt_seqwin; // Server's seq num window
	105	uint32_t *gss_clnt_seqbits; // Bitmap to track seq numbers in use
	106	mach_port_t gss_clnt_mport; // Mach port for gssd upcall
	107	uint32_t gss_clnt_verflen; // RPC verifier length from server
	108	uint8_t *gss_clnt_verf; // RPC verifier from server
	109	uint8_t *gss_clnt_svcname; // Service name e.g. "nfs/big.apple.com"
	110	uint32_t gss_clnt_svcnamlen; // Service name length
	111	gssd_nametype gss_clnt_svcnt; // Service name type
	112	gssd_cred gss_clnt_cred_handle; // Opaque cred handle from gssd
	113	gssd_ctx gss_clnt_context; // Opaque context handle from gssd
	114	gss_ctx_id_t gss_clnt_ctx_id; // Underlying gss context
	115	uint8_t *gss_clnt_token; // GSS token exchanged via gssd & server
	116	uint32_t gss_clnt_tokenlen; // Length of token
	117	uint32_t gss_clnt_gssd_flags; // Special flag bits to gssd
	118	uint32_t gss_clnt_major; // GSS major result from gssd or server
	119	uint32_t gss_clnt_minor; // GSS minor result from gssd or server
	120	time_t gss_clnt_ptime; // When last error message was printed
2d21ac55 A	121	};
	122
	123	/*
	124	* gss_clnt_flags
	125	*/
0a7de745 A	126	#define GSS_CTX_COMPLETE 0x00000001 // Context is complete
	127	#define GSS_CTX_INVAL 0x00000002 // Context is invalid
	128	#define GSS_CTX_STICKY 0x00000004 // Context has been set by user
	129	#define GSS_NEEDSEQ 0x00000008 // Need a sequence number
	130	#define GSS_NEEDCTX 0x00000010 // Need the context
	131	#define GSS_CTX_DESTROY 0x00000020 // Context is being destroyed, don't cache
2d21ac55 A	132
	133	/*
	134	* The server's RPCSEC_GSS context information
	135	*/
	136	struct nfs_gss_svc_ctx {
0a7de745 A	137	lck_mtx_t *gss_svc_mtx;
	138	LIST_ENTRY(nfs_gss_svc_ctx) gss_svc_entries;
	139	uint32_t gss_svc_handle; // Identifies server context to client
	140	uint32_t gss_svc_refcnt; // Reference count
	141	uint32_t gss_svc_proc; // Current GSS proc from cred
	142	uid_t gss_svc_uid; // UID of this user
	143	gid_t gss_svc_gids[NGROUPS]; // GIDs of this user
	144	uint32_t gss_svc_ngroups; // Count of gids
	145	uint64_t gss_svc_incarnation; // Delete ctx if we exceed this + ttl value
	146	uint32_t gss_svc_seqmax; // Current max GSS sequence number
	147	uint32_t gss_svc_seqwin; // GSS sequence number window
	148	uint32_t *gss_svc_seqbits; // Bitmap to track seq numbers
	149	gssd_cred gss_svc_cred_handle; // Opaque cred handle from gssd
	150	gssd_ctx gss_svc_context; // Opaque context handle from gssd
	151	gss_ctx_id_t gss_svc_ctx_id; // Underlying gss context
	152	u_char *gss_svc_token; // GSS token exchanged via gssd & client
	153	uint32_t gss_svc_tokenlen; // Length of token
	154	uint32_t gss_svc_major; // GSS major result from gssd
	155	uint32_t gss_svc_minor; // GSS minor result from gssd
2d21ac55 A	156	};
2d21ac55 A	157
0a7de745 A	158	#define SVC_CTX_HASHSZ 64
0a7de745 A	159	#define SVC_CTX_HASH(handle) ((handle) % SVC_CTX_HASHSZ)
2d21ac55 A	160	LIST_HEAD(nfs_gss_svc_ctx_hashhead, nfs_gss_svc_ctx);
	161
	162	/*
	163	* Macros to manipulate bits in the sequence window
	164	*/
	165	#define win_getbit(bits, bit) ((bits[(bit) / 32] & (1 << (bit) % 32)) != 0)
	166	#define win_setbit(bits, bit) do { bits[(bit) / 32] \|= (1 << (bit) % 32); } while (0)
	167	#define win_resetbit(bits, bit) do { bits[(bit) / 32] &= ~(1 << (bit) % 32); } while (0)
	168
	169	/*
	170	* Server context stale times
	171	*/
0a7de745 A	172	#define GSS_CTX_PEND 5 // seconds
	173	#define GSS_CTX_EXPIRE (8 * 3600) // seconds
	174	#define GSS_CTX_TTL_MIN 1 // seconds
	175	#define GSS_TIMER_PERIOD 300 // seconds
	176	#define MSECS_PER_SEC 1000
2d21ac55	177
3e170ce0 A	178	#define auth_is_kerberized(auth) \
	179	(auth == RPCAUTH_KRB5 \|\| \
	180	auth == RPCAUTH_KRB5I \|\| \
	181	auth == RPCAUTH_KRB5P)
	182
2d21ac55 A	183	__BEGIN_DECLS
2d21ac55 A	184
0a7de745 A	185	void nfs_gss_init(void);
	186	uid_t nfs_cred_getasid2uid(kauth_cred_t);
	187	int nfs_gss_clnt_cred_put(struct nfsreq , struct nfsm_chain , mbuf_t);
	188	int nfs_gss_clnt_verf_get(struct nfsreq , struct nfsm_chain ,
	189	uint32_t, uint32_t, uint32_t *);
	190	void nfs_gss_clnt_rpcdone(struct nfsreq *);
	191	int nfs_gss_clnt_args_restore(struct nfsreq *);
	192	int nfs_gss_clnt_ctx_renew(struct nfsreq *);
	193	void nfs_gss_clnt_ctx_ref(struct nfsreq , struct nfs_gss_clnt_ctx );
	194	void nfs_gss_clnt_ctx_unref(struct nfsreq *);
	195	void nfs_gss_clnt_ctx_unmount(struct nfsmount *);
	196	int nfs_gss_clnt_ctx_remove(struct nfsmount *, kauth_cred_t);
	197	int nfs_gss_clnt_ctx_set_principal(struct nfsmount , vfs_context_t, uint8_t , uint32_t, uint32_t);
	198	int nfs_gss_clnt_ctx_get_principal(struct nfsmount , vfs_context_t, struct user_nfs_gss_principal );
	199	int nfs_gss_svc_cred_get(struct nfsrv_descript , struct nfsm_chain );
	200	int nfs_gss_svc_verf_put(struct nfsrv_descript , struct nfsm_chain );
	201	int nfs_gss_svc_ctx_init(struct nfsrv_descript , struct nfsrv_sock , mbuf_t *);
	202	int nfs_gss_svc_prepare_reply(struct nfsrv_descript , struct nfsm_chain );
	203	int nfs_gss_svc_protect_reply(struct nfsrv_descript *, mbuf_t);
	204	void nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *);
	205	void nfs_gss_svc_cleanup(void);
2d21ac55 A	206
	207	__END_DECLS
	208	#endif /* _NFS_NFS_GSS_H_ */