1/*
2 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3 * Use is subject to license terms.
4 */
5
6/*
7 * include/krb5/kdb.h
8 *
9 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
10 * All Rights Reserved.
11 *
12 * Export of this software from the United States of America may
13 *   require a specific license from the United States Government.
14 *   It is the responsibility of any person or organization contemplating
15 *   export to obtain such a license before exporting.
16 *
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 * distribute this software and its documentation for any purpose and
19 * without fee is hereby granted, provided that the above copyright
20 * notice appear in all copies and that both that copyright notice and
21 * this permission notice appear in supporting documentation, and that
22 * the name of M.I.T. not be used in advertising or publicity pertaining
23 * to distribution of the software without specific, written prior
24 * permission.  Furthermore if you modify this software you must label
25 * your software as modified software and not distribute it in such a
26 * fashion that it might be confused with the original M.I.T. software.
27 * M.I.T. makes no representations about the suitability of
28 * this software for any purpose.  It is provided "as is" without express
29 * or implied warranty.
30 *
31 *
32 * KDC Database interface definitions.
33 */
34
35/*
36 * Copyright (C) 1998 by the FundsXpress, INC.
37 *
38 * All rights reserved.
39 *
40 * Export of this software from the United States of America may require
41 * a specific license from the United States Government.  It is the
42 * responsibility of any person or organization contemplating export to
43 * obtain such a license before exporting.
44 *
45 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
46 * distribute this software and its documentation for any purpose and
47 * without fee is hereby granted, provided that the above copyright
48 * notice appear in all copies and that both that copyright notice and
49 * this permission notice appear in supporting documentation, and that
50 * the name of FundsXpress. not be used in advertising or publicity pertaining
51 * to distribution of the software without specific, written prior
52 * permission.  FundsXpress makes no representations about the suitability of
53 * this software for any purpose.  It is provided "as is" without express
54 * or implied warranty.
55 *
56 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
57 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
58 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
59 */
60
61#ifndef KRB5_KDB5__
62#define KRB5_KDB5__
63
64/* Salt types */
65#define KRB5_KDB_SALTTYPE_NORMAL	0
66#define KRB5_KDB_SALTTYPE_V4		1
67#define KRB5_KDB_SALTTYPE_NOREALM	2
68#define KRB5_KDB_SALTTYPE_ONLYREALM	3
69#define KRB5_KDB_SALTTYPE_SPECIAL	4
70#define KRB5_KDB_SALTTYPE_AFS3		5
71
72/* Attributes */
73#define	KRB5_KDB_DISALLOW_POSTDATED	0x00000001
74#define	KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
75#define	KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
76#define	KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
77#define	KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
78#define	KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
79#define	KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
80#define	KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
81#define KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
82#define	KRB5_KDB_REQUIRES_PWCHANGE	0x00000200
83#define KRB5_KDB_DISALLOW_SVR		0x00001000
84#define KRB5_KDB_PWCHANGE_SERVICE	0x00002000
85#define KRB5_KDB_SUPPORT_DESMD5         0x00004000
86#define	KRB5_KDB_NEW_PRINC		0x00008000
87
88/* Creation flags */
89#define KRB5_KDB_CREATE_BTREE		0x00000001
90#define KRB5_KDB_CREATE_HASH		0x00000002
91
92/*
93 * Note --- these structures cannot be modified without changing the
94 * database version number in libkdb.a, but should be expandable by
95 * adding new tl_data types.
96 */
/*
 * One element of a principal's "tagged-length data" list: an extension
 * record tagged with tl_data_type (a KRB5_TL_* value, defined further down)
 * carrying tl_data_length bytes at tl_data_contents.  Per the note above,
 * new tl_data types may be added without a database version bump, but this
 * layout itself may not change.  Consumers must treat tl_data_length as the
 * only bound on tl_data_contents.
 */
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next;		/* NOT saved -- in-memory list link only */
    krb5_int16 		  tl_data_type;		/* KRB5_TL_* tag */
    krb5_ui_2		  tl_data_length;	/* byte count at tl_data_contents */
    krb5_octet 	        * tl_data_contents;	/* tl_data_length bytes */
} krb5_tl_data;
103
104/*
 * If this ever changes, bump the version number and make the arrays as
 * big as necessary.
107 *
108 * Currently the first type is the enctype and the second is the salt type.
109 */
/*
 * One stored key of a principal.  Per the note above, key_data_type[0] is
 * the enctype and key_data_type[1] the salt type (KRB5_KDB_SALTTYPE_*);
 * key_data_length[i] gives the byte count at key_data_contents[i].  The
 * arrays are fixed at KRB5_KDB_V1_KEY_DATA_ARRAY (2) elements.  The
 * contents are what krb5_dbekd_decrypt_key_data()/krb5_dbekd_encrypt_key_data()
 * below consume/produce under the master key, so they are presumably
 * master-key-encrypted rather than raw key bytes -- confirm in the
 * implementation.
 *
 * NOTE(review): key_data_length is a signed krb5_int16 here while the
 * #if 0 block records that the mech side uses krb5_ui_2; code that reads
 * these lengths from external data should reject negative values.
 */
typedef struct _krb5_key_data {
    krb5_int16 		  key_data_ver;		/* Version */
    krb5_int16		  key_data_kvno;	/* Key Version */
    krb5_int16		  key_data_type[2];	/* Array of types: [0] enctype, [1] salt type */
#if 0
     /*
      * SUNW14resync (mech)
      * This has changed in the mech so we change it here also
      * prior to the admin resync.
      */
     krb5_ui_2      key_data_length[2];  Array of lengths
#endif
    krb5_int16		  key_data_length[2];	/* Array of lengths (bytes at key_data_contents[i]) */
    krb5_octet 	        * key_data_contents[2];	/* Array of pointers */
} krb5_key_data;
125
126#define KRB5_KDB_V1_KEY_DATA_ARRAY	2	/* # of array elements */
127
/*
 * A salt as stored with a key: type is a KRB5_KDB_SALTTYPE_* value and
 * data holds the salt bytes (length + pointer).  Filled in by
 * krb5_dbekd_decrypt_key_data() and consumed by
 * krb5_dbekd_encrypt_key_data() below.
 */
typedef struct _krb5_keysalt {
    krb5_int16		  type;			/* KRB5_KDB_SALTTYPE_* */
    krb5_data		  data;			/* Length, data */
} krb5_keysalt;
132
/*
 * In-memory form of one database record for a principal.  The pointer
 * members (e_data, princ, tl_data, key_data) are bounded by e_length,
 * n_tl_data and n_key_data respectively; the counts are signed krb5_int16,
 * so code filling them from external data should reject negative values.
 * Per the note above, this layout cannot change without a database version
 * bump (see also KRB5_KDB_V1_BASE_LENGTH below), so fields must not be
 * reordered or resized.
 */
typedef struct _krb5_db_entry_new {
    krb5_magic 		  magic;		/* NOT saved; presumably KRB5_KDB_MAGIC_NUMBER -- confirm */
    krb5_ui_2		  len;			/* presumably the encoded base length, cf. KRB5_KDB_V1_BASE_LENGTH -- confirm */
    krb5_ui_4             mask;                 /* members currently changed/set */
    krb5_flags 		  attributes;		/* KRB5_KDB_* attribute bits defined above */
    krb5_deltat		  max_life;		/* maximum ticket lifetime */
    krb5_deltat		  max_renewable_life;	/* maximum renewable lifetime */
    krb5_timestamp 	  expiration;	  	/* When the client expires */
    krb5_timestamp 	  pw_expiration;  	/* When its passwd expires */
    krb5_timestamp 	  last_success;		/* Last successful passwd */
    krb5_timestamp 	  last_failed;		/* Last failed passwd attempt */
    krb5_kvno 	 	  fail_auth_count; 	/* # of failed passwd attempt; compared with KRB5_MAX_FAIL_COUNT below */
    krb5_int16 		  n_tl_data;		/* number of elements in the tl_data list */
    krb5_int16 		  n_key_data;		/* number of elements in the key_data array */
    krb5_ui_2		  e_length;		/* Length of extra data */
    krb5_octet		* e_data;		/* Extra data to be saved */

    krb5_principal 	  princ;		/* Length, data */
    krb5_tl_data	* tl_data;		/* Linked list */
    krb5_key_data       * key_data;		/* Array */
} krb5_db_entry;
154
/*
 * An (enctype, salt type) pair.  Arrays of these, with an explicit count,
 * are passed to krb5_dbe_cpw()/krb5_dbe_ark()/krb5_dbe_crk()/krb5_dbe_apw()
 * below to say which keys to derive.
 *
 * NOTE(review): the struct tag begins with a double underscore, which is
 * in the namespace reserved for the implementation; renaming it would be
 * an interface change, so it is left as is.
 */
typedef struct __krb5_key_salt_tuple {
    krb5_enctype	ks_enctype;
    krb5_int32		ks_salttype;		/* KRB5_KDB_SALTTYPE_* */
} krb5_key_salt_tuple;
159
160#define	KRB5_KDB_MAGIC_NUMBER		0xdbdbdbdb
161#define KRB5_KDB_V1_BASE_LENGTH		38
162
163#define KRB5_TL_LAST_PWD_CHANGE		0x0001
164#define KRB5_TL_MOD_PRINC		0x0002
165#define KRB5_TL_KADM_DATA		0x0003
166#define KRB5_TL_KADM5_E_DATA		0x0004
167#define KRB5_TL_RB1_CHALLENGE		0x0005
168#ifdef SECURID
169#define KRB5_TL_SECURID_STATE           0x0006
170#define KRB5_TL_DB_ARGS                 0x7fff
171#endif /* SECURID */
172#define KRB5_TL_USER_CERTIFICATE        0x0007
173
174/*
175 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
176 * on the principal.
177 */
178#define KRB5_MAX_FAIL_COUNT		5
179
180/* XXX depends on knowledge of krb5_parse_name() formats */
181#define KRB5_KDB_M_NAME		"K/M"	/* Kerberos/Master */
182
183/* prompts used by default when reading the KDC password from the keyboard. */
184#define KRB5_KDC_MKEY_1	"Enter KDC database master key"
185#define KRB5_KDC_MKEY_2	"Re-enter KDC database master key to verify"
186
187
/*
 * Run-time prompt strings used when the master key is read from the
 * keyboard; presumably initialised from KRB5_KDC_MKEY_1 / KRB5_KDC_MKEY_2
 * above (the definitions are not in this header).
 */
extern char *krb5_mkey_pwd_prompt1;
extern char *krb5_mkey_pwd_prompt2;
190
191/*
192 * These macros specify the encoding of data within the database.
193 *
194 * Data encoding is little-endian.
195 */
196#include "k5-platform.h"
/*
 * Load a little-endian 16-bit integer from the two bytes at (cp) and store
 * it into (i16).  The store goes through a krb5_int16 pointer, presumably so
 * that either a signed or an unsigned 16-bit lvalue can be passed; (i16)
 * must therefore be a genuine 16-bit object.  (cp) must point to at least
 * two readable bytes -- nothing is checked here, so callers decoding
 * external data have to bound-check first.  Both arguments are evaluated
 * more than once.
 */
#define	krb5_kdb_decode_int16(cp, i16)	\
	*((krb5_int16 *) &(i16)) = (krb5_int16)				\
	    (((unsigned char) (cp)[0]) | (((unsigned char) (cp)[1]) << 8))
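/*
 * Load a little-endian 32-bit integer from the four bytes at (cp) and store
 * it into (i32).  The store goes through a krb5_int32 pointer, presumably so
 * that either a signed or an unsigned 32-bit lvalue can be passed; (i32)
 * must therefore be a genuine 32-bit object.
 *
 * The bytes are assembled in krb5_ui_4 (unsigned) arithmetic: left-shifting
 * the top byte by 24 in a signed int overflows for byte values >= 0x80,
 * which is undefined behaviour in C.  The unsigned form is well defined, and
 * the final cast back to krb5_int32 keeps the same bit pattern on
 * two's-complement targets.
 *
 * (cp) must point to at least four readable bytes -- nothing is checked
 * here, so callers decoding external data have to bound-check first.  Both
 * arguments are evaluated more than once.
 */
#define	krb5_kdb_decode_int32(cp, i32)	\
	*((krb5_int32 *) &(i32)) = (krb5_int32)				\
	    (((krb5_ui_4) ((unsigned char) (cp)[0]))       |		\
	     ((krb5_ui_4) ((unsigned char) (cp)[1]) << 8)  |		\
	     ((krb5_ui_4) ((unsigned char) (cp)[2]) << 16) |		\
	     ((krb5_ui_4) ((unsigned char) (cp)[3]) << 24))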
/*
 * Store the low 16 bits of (i16) at (cp), least significant byte first.
 * Conversion to unsigned char is defined modulo 256, so no explicit mask is
 * needed.  Both arguments are evaluated more than once, and the body is a
 * bare brace block rather than do { ... } while (0), so a use such as
 * `if (c) krb5_kdb_encode_int16(v, p); else ...` will not compile; callers
 * are not visible from here.  (cp) must point to at least two writable
 * bytes; nothing is checked.
 */
#define	krb5_kdb_encode_int16(i16, cp)	\
	{							\
	    (cp)[0] = (unsigned char) (i16);			\
	    (cp)[1] = (unsigned char) ((i16) >> 8);		\
	}
/*
 * Store the low 32 bits of (i32) at (cp), least significant byte first.
 * Conversion to unsigned char is defined modulo 256, so no explicit mask is
 * needed.  Both arguments are evaluated more than once, and the body is a
 * bare brace block rather than do { ... } while (0), so a use such as
 * `if (c) krb5_kdb_encode_int32(v, p); else ...` will not compile; callers
 * are not visible from here.  (cp) must point to at least four writable
 * bytes; nothing is checked.
 */
#define	krb5_kdb_encode_int32(i32, cp)	\
	{							\
	    (cp)[0] = (unsigned char) (i32);			\
	    (cp)[1] = (unsigned char) ((i32) >> 8);		\
	    (cp)[2] = (unsigned char) ((i32) >> 16);		\
	    (cp)[3] = (unsigned char) ((i32) >> 24);		\
	}
217
218#define KRB5_KDB_OPEN_RW                0
219#define KRB5_KDB_OPEN_RO                1
220
221#ifndef KRB5_KDB_SRV_TYPE_KDC
222#define KRB5_KDB_SRV_TYPE_KDC           0x0100
223#endif
224
225#ifndef KRB5_KDB_SRV_TYPE_ADMIN
226#define KRB5_KDB_SRV_TYPE_ADMIN         0x0200
227#endif
228
229#ifndef KRB5_KDB_SRV_TYPE_PASSWD
230#define KRB5_KDB_SRV_TYPE_PASSWD        0x0300
231#endif
232
233#ifndef KRB5_KDB_SRV_TYPE_OTHER
234#define KRB5_KDB_SRV_TYPE_OTHER         0x0400
235#endif
236
237#define KRB5_KDB_OPT_SET_DB_NAME        0
238#define KRB5_KDB_OPT_SET_LOCK_MODE      1
239
240#define KRB5_DB_LOCKMODE_SHARED       0x0001
241#define KRB5_DB_LOCKMODE_EXCLUSIVE    0x0002
242#define KRB5_DB_LOCKMODE_DONTBLOCK    0x0004
243#define KRB5_DB_LOCKMODE_PERMANENT    0x0008
244
/* libkdb.spec */
/*
 * Database lifecycle, locking and principal access.  Every entry point takes
 * the krb5_context and returns a krb5_error_code (0 on success, per the
 * usual krb5 convention).  db_args vectors are passed through to the
 * backend; their format is not defined in this header.
 */
/* mode is KRB5_KDB_OPEN_RW or KRB5_KDB_OPEN_RO (defined above). */
krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
krb5_error_code krb5_db_init  ( krb5_context kcontext );
krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_inited  ( krb5_context kcontext );
krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_fini ( krb5_context kcontext );
/* Message for a backend error code; the const return suggests the caller does not own it -- confirm. */
const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
/* option is a KRB5_KDB_OPT_* selector (above); what value points to depends on the option. */
krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value );
/* lock_mode is built from the KRB5_DB_LOCKMODE_* bits above. */
krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
krb5_error_code krb5_db_unlock ( krb5_context kcontext );
/*
 * Look up search_for.  entries is a caller-supplied array; *nentries
 * presumably gives its capacity on entry and the number filled on return,
 * with *more set when further matches exist -- confirm against the
 * implementation.  Results are presumably released with
 * krb5_db_free_principal().
 */
krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
					krb5_const_principal search_for,
					krb5_db_entry *entries,
					int *nentries,
					krb5_boolean *more );
/*
 * Same as krb5_db_get_principal() but, per its name, without taking the
 * database lock.  NOTE(review): the caller is then responsible for holding
 * the lock itself; confirm at each call site.
 */
krb5_error_code krb5_db_get_principal_nolock ( krb5_context kcontext,
					krb5_const_principal search_for,
					krb5_db_entry *entries,
					int *nentries,
					krb5_boolean *more );
/* Release count entries starting at entry. */
krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
					 krb5_db_entry *entry,
					 int count );
/* Store *nentries entries; *nentries is presumably updated with the number written -- confirm. */
krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
					krb5_db_entry *entries,
					int *nentries);
/* Delete search_for; *nentries presumably receives the number of entries removed -- confirm. */
krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
					   krb5_principal search_for,
					   int *nentries );
/* Solaris Kerberos: adding support for db_args */
/*
 * Iterate over entries matching match_entry, calling func(func_arg, entry)
 * for each; db_args is passed through to the backend.  The callback's int
 * return value is presumably a continue/stop signal -- confirm.
 */
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
				  char *match_entry,
				  int (*func) (krb5_pointer, krb5_db_entry *),
				  krb5_pointer func_arg,
				  char **db_args );
/* realms is presumably an out-parameter, released with krb5_free_supported_realms() -- confirm. */
krb5_error_code krb5_supported_realms ( krb5_context kcontext,
					char **realms );
krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
					     char **realms );
/*
 * Master-key handling.  pwd / master_pwd are the master password as plain
 * C strings; nothing in this interface clears them, so callers that hold
 * them in memory should zeroize them after use (explicit_bzero or
 * equivalent, not plain memset).  Keys handed back through krb5_keyblock
 * out-parameters are presumably released with krb5_db_free_master_key().
 */
krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
					     char *pwd,
					     krb5_keyblock *key );
krb5_error_code krb5_db_set_mkey ( krb5_context context,
				   krb5_keyblock *key);
krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
				   krb5_keyblock **key );
krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
					  krb5_keyblock *key );
/*
 * Persist the master key (stash).  NOTE(review): a stashed master key is
 * protected only by the permissions of the file it is written to; confirm
 * the implementation creates that file with a restrictive mode.
 */
krb5_error_code krb5_db_store_master_key  ( krb5_context kcontext,
					    char *db_arg,
					    krb5_principal mname,
					    krb5_keyblock *key,
					    char *master_pwd);
/*
 * Obtain the master key for mname with enctype etype.  Judging by the
 * parameter names, fromkeyboard selects interactive entry (using the
 * KRB5_KDC_MKEY_* prompts above) with twice asking for confirmation, and
 * otherwise the key comes from the location named by db_args; salt and key
 * are out-parameters -- confirm against the implementation.
 */
krb5_error_code krb5_db_fetch_mkey  ( krb5_context   context,
				      krb5_principal mname,
				      krb5_enctype   etype,
				      krb5_boolean   fromkeyboard,
				      krb5_boolean   twice,
				      char          *db_args,
				      krb5_data     *salt,
				      krb5_keyblock *key);
/* Check that mkey is the master key for mprinc before it is used. */
krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
					    krb5_principal mprinc,
					    krb5_keyblock *mkey );
/*
 * Find the key_data element of dbentp matching ktype (enctype), stype (salt
 * type) and kvno, returning it through *kdatap.  Whether negative values act
 * as wildcards is not defined here -- confirm before relying on it.  The
 * pointer returned refers into dbentp's own key_data array (presumably), so
 * it is only valid while the entry is.
 */
krb5_error_code
krb5_dbe_find_enctype( krb5_context	kcontext,
		       krb5_db_entry	*dbentp,
		       krb5_int32		ktype,
		       krb5_int32		stype,
		       krb5_int32		kvno,
		       krb5_key_data	**kdatap);


/*
 * As krb5_dbe_find_enctype(), but *start is an in/out index allowing the
 * search to be resumed after a previous match.
 */
krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
					  krb5_db_entry *dbentp,
					  krb5_int32 *start,
					  krb5_int32 ktype,
					  krb5_int32 stype,
					  krb5_int32 kvno,
					  krb5_key_data **kdatap);

/*
 * Build the master key principal name (cf. KRB5_KDB_M_NAME above) for
 * keyname in realm.  fullname and principal are out-parameters; ownership
 * presumably passes to the caller -- confirm.
 */
krb5_error_code
krb5_db_setup_mkey_name ( krb5_context context,
			  const char *keyname,
			  const char *realm,
			  char **fullname,
			  krb5_principal *principal);
336
/*
 * Decrypt a stored key_data record under the master key mkey, producing the
 * principal's key in dbkey and its salt in keysalt.  dbkey then holds a
 * long-term key in the clear: callers should free (and ideally zeroize) it
 * as soon as it is no longer needed.
 */
krb5_error_code
krb5_dbekd_decrypt_key_data( krb5_context 	  context,
			     const krb5_keyblock	* mkey,
			     const krb5_key_data	* key_data,
			     krb5_keyblock 	* dbkey,
			     krb5_keysalt 	* keysalt);

/*
 * Inverse of krb5_dbekd_decrypt_key_data(): encrypt dbkey (with keysalt)
 * under mkey into key_data, recording keyver as the record version
 * (presumably key_data_ver -- confirm).
 */
krb5_error_code
krb5_dbekd_encrypt_key_data( krb5_context 		  context,
			     const krb5_keyblock	* mkey,
			     const krb5_keyblock 	* dbkey,
			     const krb5_keysalt		* keysalt,
			     int			  keyver,
			     krb5_key_data	        * key_data);
351
/*
 * Accessors for well-known tl_data records on an entry.  The association
 * with specific KRB5_TL_* tags (MOD_PRINC, LAST_PWD_CHANGE) is inferred from
 * the function names -- confirm in the implementation.
 */

/* Read the modification time and modifying principal; mod_princ is presumably allocated for the caller -- confirm. */
krb5_error_code
krb5_dbe_lookup_mod_princ_data( krb5_context          context,
				krb5_db_entry       * entry,
				krb5_timestamp      * mod_time,
				krb5_principal      * mod_princ);


/* Record stamp as the time of the last password change. */
krb5_error_code
krb5_dbe_update_last_pwd_change( krb5_context          context,
				 krb5_db_entry       * entry,
				 krb5_timestamp	  stamp);

/*
 * Look up the record whose type is ret_tl_data->tl_data_type, filling in
 * the rest of *ret_tl_data.  Whether the contents pointer refers to the
 * entry's own storage or a copy is not defined here -- confirm before
 * freeing.
 */
krb5_error_code
krb5_dbe_lookup_tl_data( krb5_context          context,
			 krb5_db_entry       * entry,
			 krb5_tl_data        * ret_tl_data);

/* Add a key_data slot to entry (presumably growing the array and n_key_data -- confirm). */
krb5_error_code
krb5_dbe_create_key_data( krb5_context          context,
			  krb5_db_entry       * entry);


/* Record mod_date / mod_princ as the entry's last modification. */
krb5_error_code
krb5_dbe_update_mod_princ_data( krb5_context          context,
				krb5_db_entry       * entry,
				krb5_timestamp        mod_date,
				krb5_const_principal  mod_princ);

/* Duplicate of the krb5_dbe_update_last_pwd_change() declaration above; harmless, but one copy could be dropped. */
krb5_error_code
krb5_dbe_update_last_pwd_change( krb5_context          context,
				 krb5_db_entry       * entry,
				 krb5_timestamp	  stamp);
384
/*
 * Backend-aware allocation, with a realloc-like signature: presumably a
 * NULL ptr allocates and a non-NULL ptr resizes -- confirm.  Memory
 * obtained here is released with krb5_db_free(), not free().
 */
void *krb5_db_alloc( krb5_context kcontext,
		     void *ptr,
		     size_t size );

void krb5_db_free( krb5_context kcontext,
		   void *ptr);
391
392
/* Read the time of the last password change into *stamp. */
krb5_error_code
krb5_dbe_lookup_last_pwd_change( krb5_context          context,
				 krb5_db_entry       * entry,
				 krb5_timestamp      * stamp);

/*
 * Add or replace the tl_data record of new_tl_data's type on entry.
 * Whether the contents are copied or adopted is not defined here --
 * confirm before freeing new_tl_data->tl_data_contents.
 */
krb5_error_code
krb5_dbe_update_tl_data( krb5_context          context,
			 krb5_db_entry       * entry,
			 krb5_tl_data        * new_tl_data);

/*
 * Key-change operations.  Each derives keys for the ks_tuple_count
 * (enctype, salt type) tuples in ks_tuple, encrypts them under master_key
 * and stores them in db_entry.  From the naming pattern, "cpw"/"apw" derive
 * keys from passwd (change/add password) and "ark"/"crk" use random keys
 * (add/change random key); keepold retains the previous keys -- confirm
 * these semantics in the implementation.  passwd is a plain C string that
 * this interface does not clear; callers should zeroize it after use.
 */
krb5_error_code
krb5_dbe_cpw( krb5_context	  kcontext,
	      krb5_keyblock       * master_key,
	      krb5_key_salt_tuple	* ks_tuple,
	      int			  ks_tuple_count,
	      char 		* passwd,
	      int			  new_kvno,
	      krb5_boolean	  keepold,
	      krb5_db_entry	* db_entry);


krb5_error_code
krb5_dbe_ark( krb5_context	  context,
	      krb5_keyblock       * master_key,
	      krb5_key_salt_tuple	* ks_tuple,
	      int			  ks_tuple_count,
	      krb5_db_entry	* db_entry);

krb5_error_code
krb5_dbe_crk( krb5_context	  context,
	      krb5_keyblock       * master_key,
	      krb5_key_salt_tuple	* ks_tuple,
	      int			  ks_tuple_count,
	      krb5_boolean	  keepold,
	      krb5_db_entry	* db_entry);

krb5_error_code
krb5_dbe_apw( krb5_context	  context,
	      krb5_keyblock       * master_key,
	      krb5_key_salt_tuple	* ks_tuple,
	      int			  ks_tuple_count,
	      char 		* passwd,
	      krb5_db_entry	* db_entry);
436
/* default functions. Should not be directly called */
/*
 *   Default functions prototype
 *
 *   These presumably back the krb5_db_* / krb5_dbe_* entry points above
 *   when a backend supplies no override; client code should call the
 *   non-"def" names.
 */

/* Default implementation of krb5_dbe_search_enctype(); same parameters. */
krb5_error_code
krb5_dbe_def_search_enctype( krb5_context kcontext,
			     krb5_db_entry *dbentp,
			     krb5_int32 *start,
			     krb5_int32 ktype,
			     krb5_int32 stype,
			     krb5_int32 kvno,
			     krb5_key_data **kdatap);

/*
 * Write the master key to the stash file keyfile.  NOTE(review): the
 * stashed key is protected only by that file's permissions; confirm it is
 * created with a restrictive mode.  master_pwd is a plain C string the
 * caller should zeroize after use.
 */
krb5_error_code
krb5_def_store_mkey( krb5_context context,
		     char *keyfile,
		     krb5_principal mname,
		     krb5_keyblock *key,
		     char *master_pwd);


/* Read the master key for mname; key and *kvno are out-parameters -- confirm. */
krb5_error_code
krb5_db_def_fetch_mkey( krb5_context   context,
			krb5_principal mname,
			krb5_keyblock *key,
			int           *kvno,
			char          *db_args);

/* Default implementation of krb5_db_verify_master_key(). */
krb5_error_code
krb5_def_verify_master_key( krb5_context context,
			    krb5_principal mprinc,
			    krb5_keyblock *mkey);

/* Default set/get of the in-memory master key; pwd is a plain C string the caller should zeroize. */
krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
				   char *pwd,
				   krb5_keyblock *key );

krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
				   krb5_keyblock **key );

/* Default implementation of krb5_dbe_cpw(); same parameters and caveats. */
krb5_error_code
krb5_dbe_def_cpw( krb5_context	  context,
		  krb5_keyblock       * master_key,
		  krb5_key_salt_tuple	* ks_tuple,
		  int			  ks_tuple_count,
		  char 		* passwd,
		  int			  new_kvno,
		  krb5_boolean	  keepold,
		  krb5_db_entry	* db_entry);

/* *iprop_supported receives whether the backend supports incremental propagation. */
krb5_error_code
krb5_db_supports_iprop(krb5_context kcontext, int *iprop_supported);

/* Default implementation of krb5_db_promote(); parameter names are omitted in this prototype, see krb5_db_promote() above. */
krb5_error_code
krb5_def_promote_db(krb5_context, char *, char **);
493
/*
 * A password policy record, manipulated by the krb5_db_*_policy() calls
 * below.  name identifies the policy; the pw_* fields carry the limits the
 * names describe (minimum/maximum password life, minimum length and
 * character classes, history depth); policy_refcnt counts references to
 * the policy (presumably principals using it -- confirm).
 */
typedef struct _osa_policy_ent_t {
    int		version;
    char	*name;
    uint32_t	pw_min_life;
    uint32_t	pw_max_life;
    uint32_t	pw_min_length;
    uint32_t	pw_min_classes;
    uint32_t	pw_history_num;
    uint32_t	policy_refcnt;
} osa_policy_ent_rec, *osa_policy_ent_t;
504
/* Callback for krb5_db_iter_policy(): receives the caller's data pointer and one policy. */
typedef	void	(*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);

/* Policy CRUD.  Records returned by krb5_db_get_policy() are released with krb5_db_free_policy(). */
krb5_error_code
krb5_db_create_policy( krb5_context kcontext,
		       osa_policy_ent_t policy);

/* Look up name; *policy and *nentries are out-parameters -- confirm whether *nentries is also an input capacity. */
krb5_error_code
krb5_db_get_policy ( krb5_context kcontext,
		     char *name,
		     osa_policy_ent_t *policy,
		     int *nentries);

krb5_error_code
krb5_db_put_policy( krb5_context kcontext,
		    osa_policy_ent_t policy);

/* Call func(data, policy) for each policy matching match_entry. */
krb5_error_code
krb5_db_iter_policy( krb5_context kcontext,
		     char *match_entry,
		     osa_adb_iter_policy_func func,
		     void *data);

/* Delete the policy named by policy. */
krb5_error_code
krb5_db_delete_policy( krb5_context kcontext,
		       char *policy);

void
krb5_db_free_policy( krb5_context kcontext,
		     osa_policy_ent_t policy);
534
535#define KRB5_KDB_DEF_FLAGS	0
536
537#endif /* KRB5_KDB5__ */
538