1/* 2 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* $Id: hdb.h,v 1.1.1.1 2011/06/10 09:34:42 andrew Exp $ */ 35 36#ifndef __HDB_H__ 37#define __HDB_H__ 38 39#include <hdb_err.h> 40 41#include <heim_asn1.h> 42#include <hdb_asn1.h> 43 44struct hdb_dbinfo; 45 46enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; 47 48/* flags for various functions */ 49#define HDB_F_DECRYPT 1 /* decrypt keys */ 50#define HDB_F_REPLACE 2 /* replace entry */ 51#define HDB_F_GET_CLIENT 4 /* fetch client */ 52#define HDB_F_GET_SERVER 8 /* fetch server */ 53#define HDB_F_GET_KRBTGT 16 /* fetch krbtgt */ 54#define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ 55#define HDB_F_CANON 32 /* want canonicalition */ 56 57/* hdb_capability_flags */ 58#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 59#define HDB_CAP_F_HANDLE_PASSWORDS 2 60#define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4 61 62/* auth status values */ 63#define HDB_AUTH_SUCCESS 0 64#define HDB_AUTH_WRONG_PASSWORD 1 65#define HDB_AUTH_INVALID_SIGNATURE 2 66 67/* key usage for master key */ 68#define HDB_KU_MKEY 0x484442 69 70typedef struct hdb_master_key_data *hdb_master_key; 71 72typedef struct hdb_entry_ex { 73 void *ctx; 74 hdb_entry entry; 75 void (*free_entry)(krb5_context, struct hdb_entry_ex *); 76} hdb_entry_ex; 77 78 79/** 80 * HDB backend function pointer structure 81 * 82 * The HDB structure is what the KDC and kadmind framework uses to 83 * query the backend database when talking about principals. 84 */ 85 86typedef struct HDB{ 87 void *hdb_db; 88 void *hdb_dbc; /** don't use, only for DB3 */ 89 char *hdb_name; 90 int hdb_master_key_set; 91 hdb_master_key hdb_master_key; 92 int hdb_openp; 93 int hdb_capability_flags; 94 /** 95 * Open (or create) the a Kerberos database. 96 * 97 * Open (or create) the a Kerberos database that was resolved with 98 * hdb_create(). The third and fourth flag to the function are the 99 * same as open(), thus passing O_CREAT will create the data base 100 * if it doesn't exists. 101 * 102 * Then done the caller should call hdb_close(), and to release 103 * all resources hdb_destroy(). 104 */ 105 krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t); 106 /** 107 * Close the database for transaction 108 * 109 * Closes the database for further transactions, wont release any 110 * permanant resources. the database can be ->hdb_open-ed again. 111 */ 112 krb5_error_code (*hdb_close)(krb5_context, struct HDB*); 113 /** 114 * Free an entry after use. 115 */ 116 void (*hdb_free)(krb5_context, struct HDB*, hdb_entry_ex*); 117 /** 118 * Fetch an entry from the backend 119 * 120 * Fetch an entry from the backend, flags are what type of entry 121 * should be fetch: client, server, krbtgt. 122 */ 123 krb5_error_code (*hdb_fetch)(krb5_context, struct HDB*, 124 krb5_const_principal, unsigned, 125 hdb_entry_ex*); 126 /** 127 * Store an entry to database 128 */ 129 krb5_error_code (*hdb_store)(krb5_context, struct HDB*, 130 unsigned, hdb_entry_ex*); 131 /** 132 * Remove an entry from the database. 133 */ 134 krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, 135 krb5_const_principal); 136 /** 137 * As part of iteration, fetch one entry 138 */ 139 krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, 140 unsigned, hdb_entry_ex*); 141 /** 142 * As part of iteration, fetch next entry 143 */ 144 krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, 145 unsigned, hdb_entry_ex*); 146 /** 147 * Lock database 148 * 149 * A lock can only be held by one consumers. Transaction can still 150 * happen on the database while the lock is held, so the entry is 151 * only useful for syncroning creation of the database and renaming of the database. 152 */ 153 krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int); 154 /** 155 * Unlock database 156 */ 157 krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*); 158 /** 159 * Rename the data base. 160 */ 161 krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*); 162 /** 163 * Get an hdb_entry from a classical DB backend 164 * 165 * If the database is a classical DB (ie BDB, NDBM, GDBM, etc) 166 * backend, this function will take a principal key (krb5_data) 167 * and return all data related to principal in the return 168 * krb5_data. The returned encoded entry is of type hdb_entry or 169 * hdb_entry_alias. 170 */ 171 krb5_error_code (*hdb__get)(krb5_context, struct HDB*, 172 krb5_data, krb5_data*); 173 /** 174 * Store an hdb_entry from a classical DB backend 175 * 176 * Same discussion as in @ref HDB::hdb__get 177 */ 178 krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int, 179 krb5_data, krb5_data); 180 /** 181 * Delete and hdb_entry from a classical DB backend 182 * 183 * Same discussion as in @ref HDB::hdb__get 184 */ 185 krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data); 186 /** 187 * Destroy the handle to the database. 188 * 189 * Destroy the handle to the database, deallocate all memory and 190 * related resources. Does not remove any permanent data. Its the 191 * logical reverse of hdb_create() function that is the entry 192 * point for the module. 193 */ 194 krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); 195 /** 196 * Change password. 197 * 198 * Will update keys for the entry when given password. The new 199 * keys must be written into the entry and and will then later be 200 * ->hdb_store() into the database. The backend will still perform 201 * all other operations, increasing the kvno, and update 202 * modification timestamp. 203 * 204 * The backen need to call _kadm5_set_keys() and perform password 205 * quality checks. 206 */ 207 krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); 208 209 /** 210 * Auth feedback 211 * 212 * This is a feedback call that allows backends that provides 213 * lockout functionality to register failure and/or successes. 214 * 215 * In case the entry is locked out, the backend should set the 216 * hdb_entry.flags.locked-out flag. 217 */ 218 krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int); 219 /** 220 * Check is delegation is allowed. 221 */ 222 krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); 223 224 /** 225 * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins 226 */ 227 krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); 228}HDB; 229 230#define HDB_INTERFACE_VERSION 6 231 232struct hdb_so_method { 233 int version; 234 const char *prefix; 235 krb5_error_code (*create)(krb5_context, HDB **, const char *filename); 236}; 237 238typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*, 239 hdb_entry_ex*, void*); 240extern krb5_kt_ops hdb_kt_ops; 241 242struct hdb_method { 243 int interface_version; 244 const char *prefix; 245 krb5_error_code (*create)(krb5_context, HDB **, const char *filename); 246}; 247 248#include <hdb-protos.h> 249 250#endif /* __HDB_H__ */ 251