1
/*
2
 * Copyright (c) 2005, PADL Software Pty Ltd.
3
 * All rights reserved.
4
 *
5
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 *
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in the
16
 *    documentation and/or other materials provided with the distribution.
17
 *
18
 * 3. Neither the name of PADL Software nor the names of its contributors
19
 *    may be used to endorse or promote products derived from this software
20
 *    without specific prior written permission.
21
 *
22
 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25
 * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32
 * SUCH DAMAGE.
33
 */
34

35
/*
36
 * $Id$
37
 */
38

39
#ifndef __KCM_LOCL_H__
40
#define __KCM_LOCL_H__
41

42
#include "headers.h"
43

44
#include <kcm.h>
45

46
#define KCM_LOG_REQUEST(_context, _client, _opcode)	do { \
47
    kcm_log(1, "%s request by process %d/uid %d", \
48
	    kcm_op2string(_opcode), (_client)->pid, (_client)->uid); \
49
    } while (0)
50

51
#define KCM_LOG_REQUEST_NAME(_context, _client, _opcode, _name)	do { \
52
    kcm_log(1, "%s request for cache %s by process %d/uid %d", \
53
	    kcm_op2string(_opcode), (_name), (_client)->pid, (_client)->uid); \
54
    } while (0)
55

56
/* Cache management */
57

58
#define KCM_FLAGS_VALID			0x0001
59
#define KCM_FLAGS_USE_KEYTAB		0x0002
60
#define KCM_FLAGS_RENEWABLE		0x0004
61
#define KCM_FLAGS_OWNER_IS_SYSTEM	0x0008
62
#define KCM_FLAGS_USE_CACHED_KEY	0x0010
63

64
#define KCM_MASK_KEY_PRESENT		( KCM_FLAGS_USE_KEYTAB | \
65
					  KCM_FLAGS_USE_CACHED_KEY )
66

67
struct kcm_ccache_data;
68
struct kcm_creds;
69

70
struct kcm_default_cache {
71
    uid_t uid;
72
    pid_t session; /* really au_asid_t */
73
    char *name;
74
    struct kcm_default_cache *next;
75
};
76

77
extern struct kcm_default_cache *default_caches;
78

79
struct kcm_creds {
80
    kcmuuid_t uuid;
81
    krb5_creds cred;
82
    struct kcm_creds *next;
83
};
84

85
typedef struct kcm_ccache_data {
86
    char *name;
87
    kcmuuid_t uuid;
88
    unsigned refcnt;
89
    uint16_t flags;
90
    uint16_t mode;
91
    uid_t uid;
92
    gid_t gid;
93
    pid_t session; /* really au_asid_t */
94
    krb5_principal client; /* primary client principal */
95
    krb5_principal server; /* primary server principal (TGS if NULL) */
96
    struct kcm_creds *creds;
97
    krb5_deltat tkt_life;
98
    krb5_deltat renew_life;
99
    int32_t kdc_offset;
100
    union {
101
	krb5_keytab keytab;
102
	krb5_keyblock keyblock;
103
    } key;
104
    HEIMDAL_MUTEX mutex;
105
    struct kcm_ccache_data *next;
106
} kcm_ccache_data;
107

108
#define KCM_ASSERT_VALID(_ccache)		do { \
109
    if (((_ccache)->flags & KCM_FLAGS_VALID) == 0) \
110
	krb5_abortx(context, "kcm_free_ccache_data: ccache invalid"); \
111
    else if ((_ccache)->refcnt == 0) \
112
	krb5_abortx(context, "kcm_free_ccache_data: ccache refcnt == 0"); \
113
    } while (0)
114

115
typedef kcm_ccache_data *kcm_ccache;
116

117
/* Event management */
118

119
typedef struct kcm_event {
120
    int valid;
121
    time_t fire_time;
122
    unsigned fire_count;
123
    time_t expire_time;
124
    time_t backoff_time;
125
    enum {
126
	KCM_EVENT_NONE = 0,
127
	KCM_EVENT_ACQUIRE_CREDS,
128
	KCM_EVENT_RENEW_CREDS,
129
	KCM_EVENT_DESTROY_CREDS,
130
	KCM_EVENT_DESTROY_EMPTY_CACHE
131
    } action;
132
    kcm_ccache ccache;
133
    struct kcm_event *next;
134
} kcm_event;
135

136
/* wakeup interval for event queue */
137
#define KCM_EVENT_QUEUE_INTERVAL		60
138
#define KCM_EVENT_DEFAULT_BACKOFF_TIME		5
139
#define KCM_EVENT_MAX_BACKOFF_TIME		(12 * 60 * 60)
140

141

142
/* Request format is  LENGTH | MAJOR | MINOR | OPERATION | request */
143
/* Response format is LENGTH | STATUS | response */
144

145
typedef struct kcm_client {
146
    pid_t pid;
147
    uid_t uid;
148
    gid_t gid;
149
    pid_t session;
150
} kcm_client;
151

152
#define CLIENT_IS_ROOT(client) ((client)->uid == 0)
153

154
/* Dispatch table */
155
/* passed in OPERATION | ... ; returns STATUS | ... */
156
typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *);
157

158
struct kcm_op {
159
    const char *name;
160
    kcm_method method;
161
};
162

163
#define DEFAULT_LOG_DEST    "0/FILE:" LOCALSTATEDIR "/log/kcmd.log"
164
#define _PATH_KCM_CONF	    SYSCONFDIR "/kcm.conf"
165

166
extern krb5_context kcm_context;
167
extern char *socket_path;
168
extern char *door_path;
169
extern size_t max_request;
170
extern sig_atomic_t exit_flag;
171
extern int name_constraints;
172
#ifdef SUPPORT_DETACH
173
extern int detach_from_console;
174
#endif
175
extern int launchd_flag;
176
extern int disallow_getting_krbtgt;
177

178
#if 0
179
extern const krb5_cc_ops krb5_kcmss_ops;
180
#endif
181

182
void	kcm_service(void *, const heim_idata *, const heim_icred,
183
		    heim_ipc_complete, heim_sipc_call);
184

185
#include <kcm-protos.h>
186

187
#endif /* __KCM_LOCL_H__ */
188

189

190