1/*
2 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* $Id: hdb.h,v 1.1.1.1 2011/06/10 09:34:42 andrew Exp $ */
35
36#ifndef __HDB_H__
37#define __HDB_H__
38
39#include <hdb_err.h>
40
41#include <heim_asn1.h>
42#include <hdb_asn1.h>
43
44struct hdb_dbinfo;
45
46enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
47
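/*
 * Flag bits for the backend operations. They form a bitmask and may be OR'd
 * together in the `unsigned` flags argument of ->hdb_fetch (which selects the
 * role an entry is fetched as) and, presumably, of ->hdb_store and the
 * iteration entry points.
 */
#define HDB_F_DECRYPT		1	/* decrypt keys */
#define HDB_F_REPLACE		2	/* replace entry */
#define HDB_F_GET_CLIENT	4	/* fetch client */
#define HDB_F_GET_SERVER	8	/* fetch server */
#define HDB_F_GET_KRBTGT	16	/* fetch krbtgt */
/* fetch any of client, server, krbtgt: the union of the three HDB_F_GET_* bits
 * (== 28). Spelled as the OR so it cannot drift if a GET bit is renumbered. */
#define HDB_F_GET_ANY		(HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT)
#define HDB_F_CANON		32	/* want canonicalization */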
56
/*
 * hdb_capability_flags: bits a backend sets in HDB::hdb_capability_flags to
 * advertise optional behaviour to the KDC/kadmind. The consumers are not in
 * this header; going by the names only (confirm against the callers):
 *  - HANDLE_ENTERPRISE_PRINCIPAL: backend resolves enterprise principal names itself
 *  - HANDLE_PASSWORDS:            backend implements ->hdb_password
 *  - PASSWORD_UPDATE_KEYS:        ->hdb_password also derives and writes the new keys
 */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
#define HDB_CAP_F_HANDLE_PASSWORDS	2
#define HDB_CAP_F_PASSWORD_UPDATE_KEYS	4
61
/*
 * auth status values: presumably the int passed as the last argument of
 * HDB::hdb_auth_status, so a backend with lockout support can count
 * failures and successes per principal.
 */
#define HDB_AUTH_SUCCESS		0
#define HDB_AUTH_WRONG_PASSWORD		1
#define HDB_AUTH_INVALID_SIGNATURE	2
66
/*
 * Key usage number for the master key (the usage under which stored principal
 * keys are presumably wrapped). 0x484442 is the ASCII string "HDB"
 * ('H'=0x48, 'D'=0x44, 'B'=0x42), well away from the small protocol key-usage
 * numbers, so master-key wrapping cannot collide with a protocol encryption.
 */
#define HDB_KU_MKEY	0x484442
69
70typedef struct hdb_master_key_data *hdb_master_key;
71
/*
 * Extended database entry exchanged between the KDC/kadmind and a backend:
 * the decoded entry plus backend-private state and the hook to release it.
 */
typedef struct hdb_entry_ex {
    void *ctx;        /* backend-private context for this entry; opaque to callers */
    hdb_entry entry;  /* the decoded entry (type presumably from hdb_asn1.h) */
    /* Release hook for ctx/entry resources; presumably invoked via
     * HDB::hdb_free -- TODO confirm. */
    void (*free_entry)(krb5_context, struct hdb_entry_ex *);
} hdb_entry_ex;
77
78
79/**
80 * HDB backend function pointer structure
81 *
 * The HDB structure is the backend interface the KDC and kadmind framework
 * use to query and update the principal database.
84 */
85
typedef struct HDB{
    void *hdb_db;                  /**< backend-private database handle */
    void *hdb_dbc;                 /**< don't use, only for DB3 */
    char *hdb_name;                /**< name/path of the database as resolved by hdb_create() */
    int hdb_master_key_set;        /**< presumably non-zero once hdb_master_key has been loaded */
    hdb_master_key hdb_master_key; /**< master key protecting the stored principal keys (see HDB_F_DECRYPT, HDB_KU_MKEY) */
    int hdb_openp;                 /**< presumably non-zero while the database is open */
    int hdb_capability_flags;      /**< bitmask of HDB_CAP_F_* the backend supports */
    /**
     * Open (or create) a Kerberos database.
     *
     * Open (or create) the Kerberos database that was resolved with
     * hdb_create(). The third and fourth arguments are the same as for
     * open(), thus passing O_CREAT will create the database if it
     * doesn't exist.
     *
     * NOTE(review): the file holds principal keys, so the mode passed
     * together with O_CREAT should be restrictive (owner-only); nothing
     * in this interface enforces that.
     *
     * When done the caller should call hdb_close(), and to release
     * all resources hdb_destroy().
     */
    krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t);
    /**
     * Close the database for transactions
     *
     * Closes the database for further transactions; won't release any
     * permanent resources. The database can be ->hdb_open-ed again.
     */
    krb5_error_code (*hdb_close)(krb5_context, struct HDB*);
    /**
     * Free an entry after use (releases what ->hdb_fetch / iteration
     * returned in the hdb_entry_ex).
     */
    void	    (*hdb_free)(krb5_context, struct HDB*, hdb_entry_ex*);
    /**
     * Fetch an entry from the backend
     *
     * Fetch an entry from the backend; flags are HDB_F_* bits saying
     * what type of entry should be fetched: client, server, krbtgt
     * (and, presumably, HDB_F_DECRYPT to get the keys decrypted).
     */
    krb5_error_code (*hdb_fetch)(krb5_context, struct HDB*,
				 krb5_const_principal, unsigned,
				 hdb_entry_ex*);
    /**
     * Store an entry to the database.
     *
     * The unsigned argument is a flags word; presumably HDB_F_REPLACE
     * controls whether an existing entry may be overwritten -- confirm.
     */
    krb5_error_code (*hdb_store)(krb5_context, struct HDB*,
				 unsigned, hdb_entry_ex*);
    /**
     * Remove an entry from the database.
     */
    krb5_error_code (*hdb_remove)(krb5_context, struct HDB*,
				  krb5_const_principal);
    /**
     * As part of iteration, fetch the first entry (flags as for ->hdb_fetch).
     */
    krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
				    unsigned, hdb_entry_ex*);
    /**
     * As part of iteration, fetch the next entry (flags as for ->hdb_fetch).
     */
    krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
				   unsigned, hdb_entry_ex*);
    /**
     * Lock database
     *
     * A lock can only be held by one consumer. Transactions can still
     * happen on the database while the lock is held, so the lock is
     * only useful for synchronizing creation of the database and
     * renaming of the database -- it is not a guard for entry updates.
     *
     * The int is the lock mode; presumably one of enum hdb_lockop
     * (HDB_RLOCK / HDB_WLOCK), but it is not type-checked.
     */
    krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int);
    /**
     * Unlock database
     */
    krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
    /**
     * Rename the database to the given new name.
     */
    krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
    /**
     * Get an hdb_entry from a classical DB backend
     *
     * If the database is a classical DB (ie BDB, NDBM, GDBM, etc)
     * backend, this function will take a principal key (krb5_data)
     * and return all data related to the principal in the return
     * krb5_data. The returned encoded entry is of type hdb_entry or
     * hdb_entry_alias.
     */
    krb5_error_code (*hdb__get)(krb5_context, struct HDB*,
				krb5_data, krb5_data*);
    /**
     * Store an hdb_entry to a classical DB backend
     *
     * Same discussion as in @ref HDB::hdb__get. The int argument is a
     * flags word whose meaning is not documented here -- confirm with
     * the backend implementations.
     */
    krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int,
				krb5_data, krb5_data);
    /**
     * Delete an hdb_entry from a classical DB backend
     *
     * Same discussion as in @ref HDB::hdb__get
     */
    krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data);
    /**
     * Destroy the handle to the database.
     *
     * Destroy the handle to the database, deallocate all memory and
     * related resources. Does not remove any permanent data. It's the
     * logical reverse of the hdb_create() function that is the entry
     * point for the module.
     *
     * NOTE(review): this handle carries hdb_master_key; backends should
     * release (and ideally scrub) it here -- not enforced by the interface.
     */
    krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
    /**
     * Change password.
     *
     * Will update keys for the entry when given a password.  The new
     * keys must be written into the entry and will then later be
     * ->hdb_store()d into the database. The backend will still perform
     * all other operations: increasing the kvno and updating the
     * modification timestamp.
     *
     * The backend needs to call _kadm5_set_keys() and perform password
     * quality checks -- a backend that skips them accepts weak passwords,
     * since nothing else in this path checks quality.
     *
     * The trailing int is not documented here -- confirm its meaning
     * against the callers before relying on it.
     */
    krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);

    /**
     * Auth feedback
     *
     * This is a feedback call that allows backends that provide
     * lockout functionality to register failures and/or successes.
     * The int is one of the HDB_AUTH_* values (presumably).
     *
     * In case the entry is locked out, the backend should set the
     * hdb_entry.flags.locked-out flag. A backend that ignores this
     * call provides no lockout at all.
     */
    krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
    /**
     * Check if constrained delegation from this entry to the given
     * target principal is allowed.
     *
     * Security-relevant: the return convention (presumably 0 = allowed,
     * non-zero krb5_error_code = denied) is not documented here -- confirm
     * against the KDC caller before implementing a backend.
     */
    krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);

    /**
     * Check if this name is an alias for the supplied client for PKINIT
     * userPrincipalName logins. Same note on the return convention as
     * for hdb_check_constrained_delegation.
     */
    krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
}HDB;
229
230#define HDB_INTERFACE_VERSION	6
231
/*
 * Registration record for a backend loaded from a shared object (per the name).
 * NOTE(review): identical in shape to struct hdb_method below except for the
 * version field's name; which record the loader actually uses is not visible here.
 */
struct hdb_so_method {
    int version;          /* presumably must equal HDB_INTERFACE_VERSION */
    const char *prefix;   /* database-name prefix this backend claims (presumably the part before ':') */
    /* Creates the HDB handle for the given database name; the caller then ->hdb_open()s it. */
    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
};
237
/*
 * Callback type for iterating over every entry of a database, one call per
 * entry. The trailing void * is presumably opaque user data passed through
 * unchanged by the iterator.
 */
typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
					      hdb_entry_ex*, void*);
/* krb5_kt_ops implementation defined elsewhere; the name suggests it exposes an HDB as a keytab. */
extern krb5_kt_ops hdb_kt_ops;
241
/*
 * Registration record for a built-in HDB backend.
 * NOTE(review): same shape as struct hdb_so_method above; only the version
 * field's name differs.
 */
struct hdb_method {
    int interface_version; /* presumably must equal HDB_INTERFACE_VERSION */
    const char *prefix;    /* database-name prefix this backend claims (presumably the part before ':') */
    /* Creates the HDB handle for the given database name; the caller then ->hdb_open()s it. */
    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
};
247
248#include <hdb-protos.h>
249
250#endif /* __HDB_H__ */
251