gems-kernel/source/THIRDPARTY/xnu/bsd/nfs/nfs_gss.h
2024-06-03 11:29:39 -05:00

131 lines
5.4 KiB
C

/*
* Copyright (c) 2007-2015 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
#ifndef _NFS_NFS_GSS_H_
#define _NFS_NFS_GSS_H_
#include "gss/gss_krb5_mech.h"
#include <gssd/gssd_mach.h>
#include <sys/param.h>
#define RPCSEC_GSS 6
#define RPCSEC_GSS_VERS_1 1
enum rpcsec_gss_proc {
RPCSEC_GSS_DATA = 0,
RPCSEC_GSS_INIT = 1,
RPCSEC_GSS_CONTINUE_INIT = 2,
RPCSEC_GSS_DESTROY = 3
};
enum rpcsec_gss_service {
RPCSEC_GSS_SVC_NONE = 1, // sec=krb5
RPCSEC_GSS_SVC_INTEGRITY = 2, // sec=krb5i
RPCSEC_GSS_SVC_PRIVACY = 3, // sec=krb5p
};
/*
* RFC 2203 and friends don't define maximums for token lengths
* and context handles. We try to pick reasonable values here.
*
* N.B. Kerberos mech tokens can be quite large from the output
* of a gss_init_sec_context if it includes a large PAC.
*/
#define GSS_MAX_TOKEN_LEN 64*1024
/*
* Put a "reasonable" bound on MIC lengths
*/
#define GSS_MAX_MIC_LEN 2048
#define GSS_MAXSEQ 0x80000000 // The biggest sequence number
#define GSS_SVC_MAXCONTEXTS 500000 // Max contexts supported
#define GSS_SVC_SEQWINDOW 256 // Server's sequence window
#define MAX_SKEYLEN 32
#define MAX_LUCIDLEN (sizeof (lucid_context) + MAX_SKEYLEN)
/*
* The server's RPCSEC_GSS context information
*/
struct nfs_gss_svc_ctx {
lck_mtx_t gss_svc_mtx;
LIST_ENTRY(nfs_gss_svc_ctx) gss_svc_entries;
uint32_t gss_svc_handle; // Identifies server context to client
uint32_t gss_svc_refcnt; // Reference count
uint32_t gss_svc_proc; // Current GSS proc from cred
uid_t gss_svc_uid; // UID of this user
gid_t gss_svc_gids[NGROUPS]; // GIDs of this user
uint32_t gss_svc_ngroups; // Count of gids
uint64_t gss_svc_incarnation; // Delete ctx if we exceed this + ttl value
uint32_t gss_svc_seqmax; // Current max GSS sequence number
uint32_t gss_svc_seqwin; // GSS sequence number window
uint32_t *gss_svc_seqbits; // Bitmap to track seq numbers
gssd_cred gss_svc_cred_handle; // Opaque cred handle from gssd
gssd_ctx gss_svc_context; // Opaque context handle from gssd
gss_ctx_id_t gss_svc_ctx_id; // Underlying gss context
u_char *gss_svc_token; // GSS token exchanged via gssd & client
uint32_t gss_svc_tokenlen; // Length of token
uint32_t gss_svc_major; // GSS major result from gssd
uint32_t gss_svc_minor; // GSS minor result from gssd
};
#define SVC_CTX_HASHSZ 64
#define SVC_CTX_HASH(handle) ((handle) % SVC_CTX_HASHSZ)
LIST_HEAD(nfs_gss_svc_ctx_hashhead, nfs_gss_svc_ctx);
/*
* Macros to manipulate bits in the sequence window
*/
#define win_getbit(bits, bit) ((bits[(bit) / 32] & (1 << (bit) % 32)) != 0)
#define win_setbit(bits, bit) do { bits[(bit) / 32] |= (1 << (bit) % 32); } while (0)
#define win_resetbit(bits, bit) do { bits[(bit) / 32] &= ~(1 << (bit) % 32); } while (0)
/*
* Server context stale times
*/
#define GSS_CTX_PEND 5 // seconds
#define GSS_CTX_EXPIRE (8 * 3600) // seconds
#define GSS_CTX_TTL_MIN 1 // seconds
#define GSS_TIMER_PERIOD 300 // seconds
#define MSECS_PER_SEC 1000
__BEGIN_DECLS
void nfs_gss_svc_init(void);
int nfs_gss_svc_cred_get(struct nfsrv_descript *, struct nfsm_chain *);
int nfs_gss_svc_verf_put(struct nfsrv_descript *, struct nfsm_chain *);
int nfs_gss_svc_ctx_init(struct nfsrv_descript *, struct nfsrv_sock *, mbuf_t *);
int nfs_gss_svc_prepare_reply(struct nfsrv_descript *, struct nfsm_chain *);
int nfs_gss_svc_protect_reply(struct nfsrv_descript *, mbuf_t);
void nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *);
void nfs_gss_svc_cleanup(void);
__END_DECLS
#endif /* _NFS_NFS_GSS_H_ */