/*
 * Copyright (c) 2005, PADL Software Pty Ltd.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of PADL Software nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * $Id: kcm_locl.h 20470 2007-04-20 10:41:11Z lha $
 */
36178825Sdfr
37178825Sdfr#ifndef __KCM_LOCL_H__
38178825Sdfr#define __KCM_LOCL_H__
39178825Sdfr
40178825Sdfr#include "headers.h"
41178825Sdfr
42178825Sdfr#include <kcm.h>
43178825Sdfr
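/*
 * Log one line per incoming request: the operation name plus the pid and
 * uid recorded in the client structure.
 *
 * _context  accepted for symmetry with other macros; the expansion does
 *           not use it.
 * _client   pointer to a structure with pid and uid members.
 * _opcode   operation code, rendered through kcm_op2string().
 *
 * pid_t and uid_t have no printf conversion of their own, so both values
 * are cast to a type that matches the conversion used.  uid is printed
 * unsigned so that large uids show up as themselves in the log instead of
 * as negative numbers.
 */
#define KCM_LOG_REQUEST(_context, _client, _opcode)	do { \
    kcm_log(1, "%s request by process %ld/uid %lu", \
	    kcm_op2string(_opcode), \
	    (long)(_client)->pid, (unsigned long)(_client)->uid); \
    } while (0)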
48178825Sdfr
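/*
 * Log one line per incoming request that targets a named cache: the
 * operation name, the cache name, and the pid and uid recorded in the
 * client structure.
 *
 * _context  accepted for symmetry with other macros; the expansion does
 *           not use it.
 * _client   pointer to a structure with pid and uid members.
 * _opcode   operation code, rendered through kcm_op2string().
 * _name     NUL-terminated cache name, passed to a %s conversion.
 *
 * pid_t and uid_t have no printf conversion of their own, so both values
 * are cast to a type that matches the conversion used; uid is printed
 * unsigned so large uids are not logged as negative numbers.
 *
 * NOTE(review): _name presumably comes from the client's request.  It is
 * written to the log verbatim, so confirm that either the callers or
 * kcm_log() neutralise newlines and other control characters; otherwise a
 * crafted name can make one request look like several log entries.
 */
#define KCM_LOG_REQUEST_NAME(_context, _client, _opcode, _name)	do { \
    kcm_log(1, "%s request for cache %s by process %ld/uid %lu", \
	    kcm_op2string(_opcode), (_name), \
	    (long)(_client)->pid, (unsigned long)(_client)->uid); \
    } while (0)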
53178825Sdfr
/* Cache management */

/*
 * Bit flags for a credential cache.  KCM_ASSERT_VALID tests
 * KCM_FLAGS_VALID against the cache's `flags` member; the meaning of the
 * other bits is not defined in this header and has to be read from their
 * users.
 */
#define KCM_FLAGS_VALID			0x0001
#define KCM_FLAGS_USE_KEYTAB		0x0002
#define KCM_FLAGS_RENEWABLE		0x0004
#define KCM_FLAGS_OWNER_IS_SYSTEM	0x0008
#define KCM_FLAGS_USE_CACHED_KEY	0x0010

/* Both "key" bits together: non-zero under this mask if either is set. */
#define KCM_MASK_KEY_PRESENT \
    (KCM_FLAGS_USE_KEYTAB | KCM_FLAGS_USE_CACHED_KEY)
64178825Sdfr
/* Forward declarations; both structures are defined further down. */
struct kcm_ccache_data;
struct kcm_creds;

/*
 * One iteration position over a cache's credential list.  Cursors are
 * chained through `next`.
 *
 * NOTE(review): pid and key presumably identify the cursor to the client
 * that opened it -- confirm against the lookup code.  A pid can be reused
 * by an unrelated process, so it should not be the only thing tying a
 * cursor to its owner.
 */
typedef struct kcm_cursor {
    pid_t pid;
    uint32_t key;
    struct kcm_creds *credp;	/* pointer to next credential */
    struct kcm_cursor *next;	/* next cursor in the chain */
} kcm_cursor;
74178825Sdfr
/*
 * One stored credential, linked into a cache's `creds` list.
 */
struct kcm_creds {
    krb5_creds cred;		/* XXX would be useful to have ACLs on creds */
    struct kcm_creds *next;
};

/*
 * In-memory state of one credential cache.  Caches are chained through
 * `next`.
 */
typedef struct kcm_ccache_data {
    char *name;
    unsigned refcnt;		/* KCM_ASSERT_VALID aborts when this is 0 */
    uint16_t flags;		/* KCM_FLAGS_* bits */
    /*
     * NOTE(review): mode/uid/gid presumably hold the permission bits and
     * owner that access checks are made against -- confirm in the access
     * control code.
     */
    uint16_t mode;
    uid_t uid;
    gid_t gid;
    krb5_principal client;	/* primary client principal */
    krb5_principal server;	/* primary server principal (TGS if NULL) */
    struct kcm_creds *creds;	/* head of the credential list */
    uint32_t n_cursor;
    kcm_cursor *cursors;	/* head of the cursor list */
    krb5_deltat tkt_life;
    krb5_deltat renew_life;
    /*
     * NOTE(review): which member is live is presumably selected by
     * KCM_FLAGS_USE_KEYTAB / KCM_FLAGS_USE_CACHED_KEY -- confirm.  A
     * keyblock is key material held in process memory; check that the
     * teardown path wipes it before the structure is released.
     */
    union {
	krb5_keytab keytab;
	krb5_keyblock keyblock;
    } key;
    HEIMDAL_MUTEX mutex;	/* presumably guards this cache -- confirm */
    struct kcm_ccache_data *next;
} kcm_ccache_data;
99178825Sdfr
/*
 * Sanity check on a cache pointer: calls krb5_abortx() when the cache does
 * not have KCM_FLAGS_VALID set, or when it does but its refcnt is 0.
 *
 * The expansion refers to a variable named `context` that is not a macro
 * parameter, so one must be in scope wherever the macro is used.  _ccache
 * may be evaluated twice.  The message text names kcm_free_ccache_data
 * wherever the macro is expanded.
 */
#define KCM_ASSERT_VALID(_ccache)		do { \
    if (!((_ccache)->flags & KCM_FLAGS_VALID)) { \
	krb5_abortx(context, "kcm_free_ccache_data: ccache invalid"); \
    } else if ((_ccache)->refcnt == 0) { \
	krb5_abortx(context, "kcm_free_ccache_data: ccache refcnt == 0"); \
    } \
    } while (0)

/* Handle type used for caches; note that it is a pointer typedef. */
typedef kcm_ccache_data *kcm_ccache;
108178825Sdfr
/* Event management */

/*
 * One scheduled action against a cache.  Events are chained through
 * `next`.  The time_t members presumably hold absolute times except
 * backoff_time, which looks like an interval (compare the
 * KCM_EVENT_*_BACKOFF_TIME constants) -- confirm in the event code.
 */
typedef struct kcm_event {
    int valid;
    time_t fire_time;
    unsigned fire_count;
    time_t expire_time;
    time_t backoff_time;
    enum {
	KCM_EVENT_NONE = 0,
	KCM_EVENT_ACQUIRE_CREDS,
	KCM_EVENT_RENEW_CREDS,
	KCM_EVENT_DESTROY_CREDS,
	KCM_EVENT_DESTROY_EMPTY_CACHE
    } action;			/* what to do when the event fires */
    kcm_ccache ccache;		/* cache the action applies to */
    struct kcm_event *next;
} kcm_event;
127178825Sdfr
/*
 * Event queue timing constants (presumably seconds, given the time_t
 * fields in struct kcm_event -- confirm).
 */

/* wakeup interval for event queue */
#define KCM_EVENT_QUEUE_INTERVAL		60

/* initial and maximum retry backoff; the maximum works out to 12 hours */
#define KCM_EVENT_DEFAULT_BACKOFF_TIME		5
#define KCM_EVENT_MAX_BACKOFF_TIME		(12 * 60 * 60)
132178825Sdfr
133178825Sdfr
/*
 * Wire format:
 *   Request  is LENGTH | MAJOR | MINOR | OPERATION | request
 *   Response is LENGTH | STATUS | response
 */

/*
 * Identity of the process making a request.
 *
 * NOTE(review): these values are presumably obtained from the transport
 * (peer credentials of the socket or door) rather than from the request
 * body -- confirm, since every access decision depends on them being
 * supplied by the kernel and not by the client.
 */
typedef struct kcm_client {
    pid_t pid;
    uid_t uid;
    gid_t gid;
} kcm_client;

/* True when the client's uid is 0. */
#define CLIENT_IS_ROOT(client) ((client)->uid == 0)
144178825Sdfr
/* Dispatch table */

/*
 * Handler for one operation: passed in OPERATION | ... ; returns
 * STATUS | ...
 *
 * NOTE(review): the two krb5_storage arguments are presumably the request
 * to read from and the response to write to, in that order -- confirm
 * against the dispatcher.  The request contents come from the client, so
 * each handler has to treat every field it reads as untrusted.
 */
typedef krb5_error_code (*kcm_method)(krb5_context,
				      kcm_client *,
				      kcm_operation,
				      krb5_storage *,
				      krb5_storage *);

/* One dispatch table entry: a printable operation name and its handler. */
struct kcm_op {
    const char *name;
    kcm_method method;
};
153178825Sdfr
/*
 * Default log destination and configuration file location.  LOCALSTATEDIR
 * and SYSCONFDIR are not defined in this header and must be supplied by
 * the build.
 *
 * NOTE(review): the request log records pids, uids and cache names, so the
 * log file's ownership and mode deserve a check wherever it is created.
 */
#define DEFAULT_LOG_DEST \
    "0/FILE:" LOCALSTATEDIR "/log/kcmd.log"
#define _PATH_KCM_CONF \
    SYSCONFDIR "/kcm.conf"
156178825Sdfr
/* Daemon-wide state, defined elsewhere. */
extern krb5_context kcm_context;

/* Endpoints the daemon listens on. */
extern char *socket_path;
extern char *door_path;

/* Presumably the largest request accepted from a client -- confirm. */
extern size_t max_request;

/*
 * NOTE(review): if exit_flag is written from a signal handler, its
 * definition and this declaration should both be `volatile sig_atomic_t`
 * -- confirm at the definition.
 */
extern sig_atomic_t exit_flag;

/* Policy and startup switches. */
extern int name_constraints;
extern int detach_from_console;
extern int disallow_getting_krbtgt;

/* Compiled out in this revision. */
#if 0
extern const krb5_cc_ops krb5_kcmss_ops;
#endif
169178825Sdfr
170178825Sdfr#include <kcm_protos.h>
171178825Sdfr
172178825Sdfr#endif /* __KCM_LOCL_H__ */