1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 2 /* 3 * Copyright 1990, 1991, 2016 by the Massachusetts Institute of Technology. 4 * All Rights Reserved. 5 * 6 * Export of this software from the United States of America may 7 * require a specific license from the United States Government. 8 * It is the responsibility of any person or organization contemplating 9 * export to obtain such a license before exporting. 10 * 11 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 12 * distribute this software and its documentation for any purpose and 13 * without fee is hereby granted, provided that the above copyright 14 * notice appear in all copies and that both that copyright notice and 15 * this permission notice appear in supporting documentation, and that 16 * the name of M.I.T. not be used in advertising or publicity pertaining 17 * to distribution of the software without specific, written prior 18 * permission. Furthermore if you modify this software you must label 19 * your software as modified software and not distribute it in such a 20 * fashion that it might be confused with the original M.I.T. software. 21 * M.I.T. makes no representations about the suitability of 22 * this software for any purpose. It is provided "as is" without express 23 * or implied warranty. 24 */ 25 /* 26 * Copyright (C) 1998 by the FundsXpress, INC. 27 * 28 * All rights reserved. 29 * 30 * Export of this software from the United States of America may require 31 * a specific license from the United States Government. It is the 32 * responsibility of any person or organization contemplating export to 33 * obtain such a license before exporting. 34 * 35 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 36 * distribute this software and its documentation for any purpose and 37 * without fee is hereby granted, provided that the above copyright 38 * notice appear in all copies and that both that copyright notice and 39 * this permission notice appear in supporting documentation, and that 40 * the name of FundsXpress. not be used in advertising or publicity pertaining 41 * to distribution of the software without specific, written prior 42 * permission. FundsXpress makes no representations about the suitability of 43 * this software for any purpose. It is provided "as is" without express 44 * or implied warranty. 45 * 46 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 47 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 48 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 49 */ 50 /* 51 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 52 * Use is subject to license terms. 53 */ 54 55 /* KDC Database interface definitions */ 56 57 /* This API is not considered as stable as the main krb5 API. 58 * 59 * - We may make arbitrary incompatible changes between feature 60 * releases (e.g. from 1.7 to 1.8). 61 * - We will make some effort to avoid making incompatible changes for 62 * bugfix releases, but will make them if necessary. 63 */ 64 65 #ifndef KRB5_KDB5__ 66 #define KRB5_KDB5__ 67 68 #include <time.h> 69 #include <krb5.h> 70 71 /* This version will be incremented when incompatible changes are made to the 72 * KDB API, and will be kept in sync with the libkdb major version. */ 73 #define KRB5_KDB_API_VERSION 10 74 75 /* Salt types */ 76 #define KRB5_KDB_SALTTYPE_NORMAL 0 77 /* #define KRB5_KDB_SALTTYPE_V4 1 */ 78 #define KRB5_KDB_SALTTYPE_NOREALM 2 79 #define KRB5_KDB_SALTTYPE_ONLYREALM 3 80 #define KRB5_KDB_SALTTYPE_SPECIAL 4 81 /* #define KRB5_KDB_SALTTYPE_AFS3 5 */ 82 #define KRB5_KDB_SALTTYPE_CERTHASH 6 83 84 /* Attributes */ 85 #define KRB5_KDB_DISALLOW_POSTDATED 0x00000001 86 #define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 87 #define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 88 #define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 89 #define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 90 #define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 91 #define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 92 #define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 93 #define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 94 #define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 95 #define KRB5_KDB_DISALLOW_SVR 0x00001000 96 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 97 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 98 #define KRB5_KDB_NEW_PRINC 0x00008000 99 #define KRB5_KDB_OK_AS_DELEGATE 0x00100000 100 #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */ 101 #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000 102 #define KRB5_KDB_LOCKDOWN_KEYS 0x00800000 103 104 /* Creation flags */ 105 #define KRB5_KDB_CREATE_BTREE 0x00000001 106 #define KRB5_KDB_CREATE_HASH 0x00000002 107 108 /* Entry get flags */ 109 /* Okay to generate a referral on lookup */ 110 #define KRB5_KDB_FLAG_REFERRAL_OK 0x00000010 111 /* Client principal lookup (client referrals only) */ 112 #define KRB5_KDB_FLAG_CLIENT 0x00000040 113 /* Map cross-realm principals */ 114 #define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080 115 /* Protocol transition */ 116 #define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100 117 /* Constrained delegation */ 118 #define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200 119 /* User-to-user */ 120 #define KRB5_KDB_FLAG_USER_TO_USER 0x00000800 121 /* Cross-realm */ 122 #define KRB5_KDB_FLAG_CROSS_REALM 0x00001000 123 /* Issuing referral */ 124 #define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000 125 126 127 #define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \ 128 KRB5_KDB_FLAG_CONSTRAINED_DELEGATION ) 129 130 /* KDB iteration flags */ 131 #define KRB5_DB_ITER_WRITE 0x00000001 132 #define KRB5_DB_ITER_REV 0x00000002 133 #define KRB5_DB_ITER_RECURSE 0x00000004 134 135 /* String attribute names recognized by krb5 */ 136 #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" 137 #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" 138 #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" 139 140 #if !defined(_WIN32) 141 142 /* 143 * Note --- these structures cannot be modified without changing the 144 * database version number in libkdb.a, but should be expandable by 145 * adding new tl_data types. 146 */ 147 typedef struct _krb5_tl_data { 148 struct _krb5_tl_data* tl_data_next; /* NOT saved */ 149 krb5_int16 tl_data_type; 150 krb5_ui_2 tl_data_length; 151 krb5_octet * tl_data_contents; 152 } krb5_tl_data; 153 154 /* String attributes (currently stored inside tl-data) map C string keys to 155 * values. They can be set via kadmin and consumed by KDC plugins. */ 156 typedef struct krb5_string_attr_st { 157 char *key; 158 char *value; 159 } krb5_string_attr; 160 161 /* 162 * If this ever changes up the version number and make the arrays be as 163 * big as necessary. 164 * 165 * Currently the first type is the enctype and the second is the salt type. 166 */ 167 typedef struct _krb5_key_data { 168 krb5_int16 key_data_ver; /* Version */ 169 krb5_ui_2 key_data_kvno; /* Key Version */ 170 krb5_int16 key_data_type[2]; /* Array of types */ 171 krb5_ui_2 key_data_length[2]; /* Array of lengths */ 172 krb5_octet * key_data_contents[2]; /* Array of pointers */ 173 } krb5_key_data; 174 175 #define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */ 176 177 typedef struct _krb5_keysalt { 178 krb5_int16 type; 179 krb5_data data; /* Length, data */ 180 } krb5_keysalt; 181 182 /* 183 * A principal database entry. Extensions to this structure currently use the 184 * tl_data list. The e_data and e_length fields are not used by any calling 185 * code except kdb5_util dump and load, which marshal and unmarshal the array 186 * in the dump record. KDB modules may use these fields internally as long as 187 * they set e_length appropriately (non-zero if the data should be marshalled 188 * across dump and load, zero if not) and handle null e_data values in 189 * caller-constructed principal entries. 190 */ 191 typedef struct _krb5_db_entry_new { 192 krb5_magic magic; /* NOT saved */ 193 krb5_ui_2 len; 194 krb5_ui_4 mask; /* members currently changed/set */ 195 krb5_flags attributes; 196 krb5_deltat max_life; 197 krb5_deltat max_renewable_life; 198 krb5_timestamp expiration; /* When the client expires */ 199 krb5_timestamp pw_expiration; /* When its passwd expires */ 200 krb5_timestamp last_success; /* Last successful passwd */ 201 krb5_timestamp last_failed; /* Last failed passwd attempt */ 202 krb5_kvno fail_auth_count; /* # of failed passwd attempt */ 203 krb5_int16 n_tl_data; 204 krb5_int16 n_key_data; 205 krb5_ui_2 e_length; /* Length of extra data */ 206 krb5_octet * e_data; /* Extra data to be saved */ 207 208 krb5_principal princ; /* Length, data */ 209 krb5_tl_data * tl_data; /* Linked list */ 210 211 /* key_data must be sorted by kvno in descending order. */ 212 krb5_key_data * key_data; /* Array */ 213 } krb5_db_entry; 214 215 typedef struct _osa_policy_ent_t { 216 int version; 217 char *name; 218 krb5_ui_4 pw_min_life; 219 krb5_ui_4 pw_max_life; 220 krb5_ui_4 pw_min_length; 221 krb5_ui_4 pw_min_classes; 222 krb5_ui_4 pw_history_num; 223 krb5_ui_4 policy_refcnt; /* no longer used */ 224 /* Only valid if version > 1 */ 225 krb5_ui_4 pw_max_fail; /* pwdMaxFailure */ 226 krb5_ui_4 pw_failcnt_interval; /* pwdFailureCountInterval */ 227 krb5_ui_4 pw_lockout_duration; /* pwdLockoutDuration */ 228 /* Only valid if version > 2 */ 229 krb5_ui_4 attributes; 230 krb5_ui_4 max_life; 231 krb5_ui_4 max_renewable_life; 232 char * allowed_keysalts; 233 krb5_int16 n_tl_data; 234 krb5_tl_data * tl_data; 235 } osa_policy_ent_rec, *osa_policy_ent_t; 236 237 typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t); 238 239 typedef struct __krb5_key_salt_tuple { 240 krb5_enctype ks_enctype; 241 krb5_int32 ks_salttype; 242 } krb5_key_salt_tuple; 243 244 #define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb 245 #define KRB5_KDB_V1_BASE_LENGTH 38 246 247 #define KRB5_KDB_MAX_ALLOWED_KS_LEN 512 248 249 #define KRB5_TL_LAST_PWD_CHANGE 0x0001 250 #define KRB5_TL_MOD_PRINC 0x0002 251 #define KRB5_TL_KADM_DATA 0x0003 252 #define KRB5_TL_KADM5_E_DATA 0x0004 253 #define KRB5_TL_RB1_CHALLENGE 0x0005 254 #ifdef SECURID 255 #define KRB5_TL_SECURID_STATE 0x0006 256 #endif /* SECURID */ 257 #define KRB5_TL_USER_CERTIFICATE 0x0007 258 #define KRB5_TL_MKVNO 0x0008 259 #define KRB5_TL_ACTKVNO 0x0009 260 #define KRB5_TL_MKEY_AUX 0x000a 261 262 /* String attributes may not always be represented in tl-data. kadmin clients 263 * must use the get_strings and set_string RPCs. */ 264 #define KRB5_TL_STRING_ATTRS 0x000b 265 266 #define KRB5_TL_ALIAS_TARGET 0x000c 267 268 #define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */ 269 #define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */ 270 #define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */ 271 #define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */ 272 #define KRB5_TL_LM_KEY 0x0500 /* LM OWF */ 273 #define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */ 274 #define KRB5_TL_LAST_ADMIN_UNLOCK 0x0700 /* Timestamp of admin unlock */ 275 276 #define KRB5_TL_DB_ARGS 0x7fff 277 278 /* version number for KRB5_TL_ACTKVNO data */ 279 #define KRB5_TL_ACTKVNO_VER 1 280 281 /* version number for KRB5_TL_MKEY_AUX data */ 282 #define KRB5_TL_MKEY_AUX_VER 1 283 284 typedef struct _krb5_actkvno_node { 285 struct _krb5_actkvno_node *next; 286 krb5_kvno act_kvno; 287 krb5_timestamp act_time; 288 } krb5_actkvno_node; 289 290 typedef struct _krb5_mkey_aux_node { 291 struct _krb5_mkey_aux_node *next; 292 krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */ 293 krb5_key_data latest_mkey; /* most recent mkey */ 294 } krb5_mkey_aux_node; 295 296 typedef struct _krb5_keylist_node { 297 krb5_keyblock keyblock; 298 krb5_kvno kvno; 299 struct _krb5_keylist_node *next; 300 } krb5_keylist_node; 301 302 /* 303 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set 304 * on the principal. 305 */ 306 #define KRB5_MAX_FAIL_COUNT 5 307 308 /* XXX depends on knowledge of krb5_parse_name() formats */ 309 #define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */ 310 311 /* prompts used by default when reading the KDC password from the keyboard. */ 312 #define KRB5_KDC_MKEY_1 "Enter KDC database master key" 313 #define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify" 314 315 316 extern char *krb5_mkey_pwd_prompt1; 317 extern char *krb5_mkey_pwd_prompt2; 318 319 /* 320 * These macros specify the encoding of data within the database. 321 * 322 * Data encoding is little-endian. 323 */ 324 #ifdef _KRB5_INT_H 325 #include "k5-platform.h" 326 #define krb5_kdb_decode_int16(cp, i16) \ 327 *((krb5_int16 *) &(i16)) = load_16_le(cp) 328 #define krb5_kdb_decode_int32(cp, i32) \ 329 *((krb5_int32 *) &(i32)) = load_32_le(cp) 330 #define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp) 331 #define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp) 332 #endif /* _KRB5_INT_H */ 333 334 #define KRB5_KDB_OPEN_RW 0 335 #define KRB5_KDB_OPEN_RO 1 336 337 #ifndef KRB5_KDB_SRV_TYPE_KDC 338 #define KRB5_KDB_SRV_TYPE_KDC 0x0100 339 #endif 340 341 #ifndef KRB5_KDB_SRV_TYPE_ADMIN 342 #define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 343 #endif 344 345 /* 0x0300 was KRB5_KDB_SRV_TYPE_PASSWD but it is no longer used. */ 346 347 #ifndef KRB5_KDB_SRV_TYPE_OTHER 348 #define KRB5_KDB_SRV_TYPE_OTHER 0x0400 349 #endif 350 351 #define KRB5_KDB_OPT_SET_DB_NAME 0 352 #define KRB5_KDB_OPT_SET_LOCK_MODE 1 353 354 #define KRB5_DB_LOCKMODE_SHARED 0x0001 355 #define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002 356 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 357 358 /* 359 * Load the specified KDB module, to be used for KDB operations with kcontext. 360 * This function must be called prior to any KDB operations with kcontext. 361 * name will be looked up relative to the configured database directories, with 362 * platform-specific suffixes suitable for shared objects. This function can 363 * be used to implement one KDB module in terms of another, but the outer 364 * module must supply a separate krb5_context from the one passed to its 365 * methods. 366 */ 367 krb5_error_code krb5_db_load_module(krb5_context kcontext, const char *name); 368 369 krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext); 370 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); 371 krb5_error_code krb5_db_init ( krb5_context kcontext ); 372 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); 373 krb5_error_code krb5_db_inited ( krb5_context kcontext ); 374 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args ); 375 krb5_error_code krb5_db_fini ( krb5_context kcontext ); 376 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code ); 377 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args ); 378 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args ); 379 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t ); 380 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode ); 381 krb5_error_code krb5_db_unlock ( krb5_context kcontext ); 382 krb5_error_code krb5_db_get_principal ( krb5_context kcontext, 383 krb5_const_principal search_for, 384 unsigned int flags, 385 krb5_db_entry **entry ); 386 void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry ); 387 krb5_error_code krb5_db_put_principal ( krb5_context kcontext, 388 krb5_db_entry *entry ); 389 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext, 390 krb5_principal search_for ); 391 krb5_error_code krb5_db_rename_principal ( krb5_context kcontext, 392 krb5_principal source, 393 krb5_principal target ); 394 395 /* 396 * Iterate over principals in the KDB. If the callback may write to the DB, 397 * the caller must get an exclusive lock with krb5_db_lock before iterating, 398 * and release it with krb5_db_unlock after iterating. 399 */ 400 krb5_error_code krb5_db_iterate ( krb5_context kcontext, 401 char *match_entry, 402 int (*func) (krb5_pointer, krb5_db_entry *), 403 krb5_pointer func_arg, krb5_flags iterflags ); 404 405 406 krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, 407 char *keyfile, 408 krb5_principal mname, 409 krb5_kvno kvno, 410 krb5_keyblock *key, 411 char *master_pwd); 412 krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext, 413 char *keyfile, 414 krb5_principal mname, 415 char *master_pwd); 416 krb5_error_code krb5_db_fetch_mkey ( krb5_context context, 417 krb5_principal mname, 418 krb5_enctype etype, 419 krb5_boolean fromkeyboard, 420 krb5_boolean twice, 421 char *db_args, 422 krb5_kvno *kvno, 423 krb5_data *salt, 424 krb5_keyblock *key); 425 krb5_error_code 426 krb5_db_fetch_mkey_list( krb5_context context, 427 krb5_principal mname, 428 const krb5_keyblock * mkey ); 429 430 krb5_error_code 431 krb5_dbe_find_enctype( krb5_context kcontext, 432 krb5_db_entry *dbentp, 433 krb5_int32 ktype, 434 krb5_int32 stype, 435 krb5_int32 kvno, 436 krb5_key_data **kdatap); 437 438 439 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, 440 krb5_db_entry *dbentp, 441 krb5_int32 *start, 442 krb5_int32 ktype, 443 krb5_int32 stype, 444 krb5_int32 kvno, 445 krb5_key_data **kdatap); 446 447 krb5_error_code 448 krb5_db_setup_mkey_name ( krb5_context context, 449 const char *keyname, 450 const char *realm, 451 char **fullname, 452 krb5_principal *principal); 453 454 /** 455 * Decrypts the key given in @@a key_data. If @a mkey is specified, that 456 * master key is used. If @a mkey is NULL, then all master keys are tried. 457 */ 458 krb5_error_code 459 krb5_dbe_decrypt_key_data( krb5_context context, 460 const krb5_keyblock * mkey, 461 const krb5_key_data * key_data, 462 krb5_keyblock * dbkey, 463 krb5_keysalt * keysalt); 464 465 krb5_error_code 466 krb5_dbe_encrypt_key_data( krb5_context context, 467 const krb5_keyblock * mkey, 468 const krb5_keyblock * dbkey, 469 const krb5_keysalt * keysalt, 470 int keyver, 471 krb5_key_data * key_data); 472 473 krb5_error_code 474 krb5_dbe_fetch_act_key_list(krb5_context context, 475 krb5_principal princ, 476 krb5_actkvno_node **act_key_list); 477 478 krb5_error_code 479 krb5_dbe_find_act_mkey( krb5_context context, 480 krb5_actkvno_node * act_mkey_list, 481 krb5_kvno * act_kvno, 482 krb5_keyblock ** act_mkey); 483 484 krb5_error_code 485 krb5_dbe_find_mkey( krb5_context context, 486 krb5_db_entry * entry, 487 krb5_keyblock ** mkey); 488 489 /* Set *mkvno to mkvno in entry tl_data, or 0 if not present. */ 490 krb5_error_code 491 krb5_dbe_lookup_mkvno( krb5_context context, 492 krb5_db_entry * entry, 493 krb5_kvno * mkvno); 494 495 krb5_keylist_node * 496 krb5_db_mkey_list_alias( krb5_context kcontext ); 497 498 /* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */ 499 krb5_error_code 500 krb5_dbe_get_mkvno( krb5_context context, 501 krb5_db_entry * entry, 502 krb5_kvno * mkvno); 503 504 krb5_error_code 505 krb5_dbe_lookup_mod_princ_data( krb5_context context, 506 krb5_db_entry * entry, 507 krb5_timestamp * mod_time, 508 krb5_principal * mod_princ); 509 510 krb5_error_code 511 krb5_dbe_lookup_mkey_aux( krb5_context context, 512 krb5_db_entry * entry, 513 krb5_mkey_aux_node ** mkey_aux_data_list); 514 krb5_error_code 515 krb5_dbe_update_mkvno( krb5_context context, 516 krb5_db_entry * entry, 517 krb5_kvno mkvno); 518 519 krb5_error_code 520 krb5_dbe_lookup_actkvno( krb5_context context, 521 krb5_db_entry * entry, 522 krb5_actkvno_node ** actkvno_list); 523 524 krb5_error_code 525 krb5_dbe_update_mkey_aux( krb5_context context, 526 krb5_db_entry * entry, 527 krb5_mkey_aux_node * mkey_aux_data_list); 528 529 krb5_error_code 530 krb5_dbe_update_actkvno(krb5_context context, 531 krb5_db_entry * entry, 532 const krb5_actkvno_node *actkvno_list); 533 534 krb5_error_code 535 krb5_dbe_update_last_pwd_change( krb5_context context, 536 krb5_db_entry * entry, 537 krb5_timestamp stamp); 538 539 krb5_error_code 540 krb5_dbe_update_last_admin_unlock( krb5_context context, 541 krb5_db_entry * entry, 542 krb5_timestamp stamp); 543 544 krb5_error_code 545 krb5_dbe_lookup_tl_data( krb5_context context, 546 krb5_db_entry * entry, 547 krb5_tl_data * ret_tl_data); 548 549 krb5_error_code 550 krb5_dbe_create_key_data( krb5_context context, 551 krb5_db_entry * entry); 552 553 554 krb5_error_code 555 krb5_dbe_update_mod_princ_data( krb5_context context, 556 krb5_db_entry * entry, 557 krb5_timestamp mod_date, 558 krb5_const_principal mod_princ); 559 560 /* 561 * These are wrappers around realloc() and free(). Applications and KDB 562 * modules can use them when manipulating principal and policy entries to 563 * ensure that they allocate and free memory in a manner compatible with the 564 * library. Using libkrb5 or libkbd5 functions to construct values (such as 565 * krb5_copy_principal() to construct the princ field of a krb5_db_entry) is 566 * also safe. On Unix platforms, just using malloc() and free() is safe as 567 * long as the application or module does not use a malloc replacement. 568 */ 569 void *krb5_db_alloc( krb5_context kcontext, 570 void *ptr, 571 size_t size ); 572 void krb5_db_free( krb5_context kcontext, 573 void *ptr); 574 575 576 krb5_error_code 577 krb5_dbe_lookup_last_pwd_change( krb5_context context, 578 krb5_db_entry * entry, 579 krb5_timestamp * stamp); 580 581 krb5_error_code 582 krb5_dbe_lookup_last_admin_unlock( krb5_context context, 583 krb5_db_entry * entry, 584 krb5_timestamp * stamp); 585 586 /* Retrieve the set of string attributes in entry, in no particular order. 587 * Free *strings_out with krb5_dbe_free_strings when done. */ 588 krb5_error_code 589 krb5_dbe_get_strings(krb5_context context, krb5_db_entry *entry, 590 krb5_string_attr **strings_out, int *count_out); 591 592 /* Retrieve a single string attribute from entry, or NULL if there is no 593 * attribute for key. Free *value_out with krb5_dbe_free_string when done. */ 594 krb5_error_code 595 krb5_dbe_get_string(krb5_context context, krb5_db_entry *entry, 596 const char *key, char **value_out); 597 598 /* Change or add a string attribute in entry, or delete it if value is NULL. */ 599 krb5_error_code 600 krb5_dbe_set_string(krb5_context context, krb5_db_entry *entry, 601 const char *key, const char *value); 602 603 krb5_error_code 604 krb5_dbe_delete_tl_data( krb5_context context, 605 krb5_db_entry * entry, 606 krb5_int16 tl_data_type); 607 608 krb5_error_code 609 krb5_db_update_tl_data(krb5_context context, 610 krb5_int16 * n_tl_datap, 611 krb5_tl_data **tl_datap, 612 krb5_tl_data * new_tl_data); 613 614 krb5_error_code 615 krb5_dbe_update_tl_data( krb5_context context, 616 krb5_db_entry * entry, 617 krb5_tl_data * new_tl_data); 618 619 /* Compute the salt for a key data entry given the corresponding principal. */ 620 krb5_error_code 621 krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key, 622 krb5_const_principal princ, krb5_int16 *salttype_out, 623 krb5_data **salt_out); 624 625 /* 626 * Modify the key data of entry to explicitly store salt values using the 627 * KRB5_KDB_SALTTYPE_SPECIAL salt type. 628 */ 629 krb5_error_code 630 krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry); 631 632 krb5_error_code 633 krb5_dbe_cpw( krb5_context kcontext, 634 krb5_keyblock * master_key, 635 krb5_key_salt_tuple * ks_tuple, 636 int ks_tuple_count, 637 char * passwd, 638 int new_kvno, 639 unsigned int keepold, 640 krb5_db_entry * db_entry); 641 642 643 krb5_error_code 644 krb5_dbe_ark( krb5_context context, 645 krb5_keyblock * master_key, 646 krb5_key_salt_tuple * ks_tuple, 647 int ks_tuple_count, 648 krb5_db_entry * db_entry); 649 650 krb5_error_code 651 krb5_dbe_crk( krb5_context context, 652 krb5_keyblock * master_key, 653 krb5_key_salt_tuple * ks_tuple, 654 int ks_tuple_count, 655 unsigned int keepold, 656 krb5_db_entry * db_entry); 657 658 krb5_error_code 659 krb5_dbe_apw( krb5_context context, 660 krb5_keyblock * master_key, 661 krb5_key_salt_tuple * ks_tuple, 662 int ks_tuple_count, 663 char * passwd, 664 krb5_db_entry * db_entry); 665 666 int 667 krb5_db_get_key_data_kvno( krb5_context context, 668 int count, 669 krb5_key_data * data); 670 671 krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext, 672 const krb5_data *tr_contents, 673 const krb5_data *client_realm, 674 const krb5_data *server_realm); 675 676 krb5_error_code krb5_db_check_policy_as(krb5_context kcontext, 677 krb5_kdc_req *request, 678 krb5_db_entry *client, 679 krb5_db_entry *server, 680 krb5_timestamp kdc_time, 681 const char **status, 682 krb5_pa_data ***e_data); 683 684 krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext, 685 krb5_kdc_req *request, 686 krb5_db_entry *server, 687 krb5_ticket *ticket, 688 const char **status, 689 krb5_pa_data ***e_data); 690 691 void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, 692 const krb5_address *local_addr, 693 const krb5_address *remote_addr, 694 krb5_db_entry *client, krb5_db_entry *server, 695 krb5_timestamp authtime, krb5_error_code error_code); 696 697 void krb5_db_refresh_config(krb5_context kcontext); 698 699 krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext, 700 krb5_const_principal client, 701 const krb5_db_entry *server, 702 krb5_const_principal proxy); 703 704 krb5_error_code krb5_db_get_s4u_x509_principal(krb5_context kcontext, 705 const krb5_data *client_cert, 706 krb5_const_principal in_princ, 707 unsigned int flags, 708 krb5_db_entry **entry); 709 710 krb5_error_code krb5_db_allowed_to_delegate_from(krb5_context context, 711 krb5_const_principal client, 712 krb5_const_principal server, 713 krb5_pac server_pac, 714 const krb5_db_entry *proxy); 715 716 /** 717 * Sort an array of @a krb5_key_data keys in descending order by their kvno. 718 * Key data order within a kvno is preserved. 719 * 720 * @param key_data 721 * The @a krb5_key_data array to sort. This is sorted in place so the 722 * array will be modified. 723 * @param key_data_length 724 * The length of @a key_data. 725 */ 726 void 727 krb5_dbe_sort_key_data(krb5_key_data *key_data, size_t key_data_length); 728 729 krb5_error_code 730 krb5_db_issue_pac(krb5_context context, unsigned int flags, 731 krb5_db_entry *client, krb5_keyblock *replaced_reply_key, 732 krb5_db_entry *server, krb5_db_entry *krbtgt, 733 krb5_timestamp authtime, krb5_pac old_pac, krb5_pac new_pac, 734 krb5_data ***auth_indicators); 735 736 /* default functions. Should not be directly called */ 737 /* 738 * Default functions prototype 739 */ 740 741 krb5_error_code 742 krb5_dbe_def_search_enctype( krb5_context kcontext, 743 krb5_db_entry *dbentp, 744 krb5_int32 *start, 745 krb5_int32 ktype, 746 krb5_int32 stype, 747 krb5_int32 kvno, 748 krb5_key_data **kdatap); 749 750 krb5_error_code 751 krb5_def_store_mkey_list( krb5_context context, 752 char *keyfile, 753 krb5_principal mname, 754 krb5_keylist_node *keylist, 755 char *master_pwd); 756 757 krb5_error_code 758 krb5_db_def_fetch_mkey( krb5_context context, 759 krb5_principal mname, 760 krb5_keyblock *key, 761 krb5_kvno *kvno, 762 char *db_args); 763 764 krb5_error_code 765 krb5_def_fetch_mkey_list( krb5_context context, 766 krb5_principal mprinc, 767 const krb5_keyblock *mkey, 768 krb5_keylist_node **mkeys_list); 769 770 krb5_error_code 771 krb5_dbe_def_cpw( krb5_context context, 772 krb5_keyblock * master_key, 773 krb5_key_salt_tuple * ks_tuple, 774 int ks_tuple_count, 775 char * passwd, 776 int new_kvno, 777 unsigned int keepold, 778 krb5_db_entry * db_entry); 779 780 krb5_error_code 781 krb5_dbe_def_decrypt_key_data( krb5_context context, 782 const krb5_keyblock * mkey, 783 const krb5_key_data * key_data, 784 krb5_keyblock * dbkey, 785 krb5_keysalt * keysalt); 786 787 krb5_error_code 788 krb5_dbe_def_encrypt_key_data( krb5_context context, 789 const krb5_keyblock * mkey, 790 const krb5_keyblock * dbkey, 791 const krb5_keysalt * keysalt, 792 int keyver, 793 krb5_key_data * key_data); 794 795 krb5_error_code 796 krb5_db_def_rename_principal( krb5_context kcontext, 797 krb5_const_principal source, 798 krb5_const_principal target); 799 800 krb5_error_code 801 krb5_db_create_policy( krb5_context kcontext, 802 osa_policy_ent_t policy); 803 804 krb5_error_code 805 krb5_db_get_policy ( krb5_context kcontext, 806 char *name, 807 osa_policy_ent_t *policy ); 808 809 krb5_error_code 810 krb5_db_put_policy( krb5_context kcontext, 811 osa_policy_ent_t policy); 812 813 krb5_error_code 814 krb5_db_iter_policy( krb5_context kcontext, 815 char *match_entry, 816 osa_adb_iter_policy_func func, 817 void *data); 818 819 krb5_error_code 820 krb5_db_delete_policy( krb5_context kcontext, 821 char *policy); 822 823 void 824 krb5_db_free_policy( krb5_context kcontext, 825 osa_policy_ent_t policy); 826 827 828 krb5_error_code 829 krb5_db_set_context(krb5_context, void *db_context); 830 831 krb5_error_code 832 krb5_db_get_context(krb5_context, void **db_context); 833 834 void 835 krb5_dbe_free_key_data_contents(krb5_context, krb5_key_data *); 836 837 void 838 krb5_dbe_free_key_list(krb5_context, krb5_keylist_node *); 839 840 void 841 krb5_dbe_free_actkvno_list(krb5_context, krb5_actkvno_node *); 842 843 void 844 krb5_dbe_free_mkey_aux_list(krb5_context, krb5_mkey_aux_node *); 845 846 void 847 krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *); 848 849 void 850 krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count); 851 852 void 853 krb5_dbe_free_string(krb5_context, char *); 854 855 /* Set *out to a stub alias entry pointing to target. */ 856 krb5_error_code 857 krb5_dbe_make_alias_entry(krb5_context context, krb5_const_principal alias, 858 krb5_const_principal target, krb5_db_entry **out); 859 860 /* If entry contains a stub alias entry, set *target_out to the alias target. 861 * If not, set *target_out to NULL and return 0. */ 862 krb5_error_code 863 krb5_dbe_read_alias(krb5_context context, krb5_db_entry *entry, 864 krb5_principal *target_out); 865 866 /* 867 * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name. 868 * For this type to work, the context used for keytab operations must have an 869 * associated database handle (via krb5_db_open()). 870 */ 871 krb5_error_code krb5_db_register_keytab(krb5_context context); 872 873 #define KRB5_KDB_DEF_FLAGS 0 874 875 #define KDB_MAX_DB_NAME 128 876 #define KDB_REALM_SECTION "realms" 877 #define KDB_MODULE_POINTER "database_module" 878 #define KDB_MODULE_DEF_SECTION "dbdefaults" 879 #define KDB_MODULE_SECTION "dbmodules" 880 #define KDB_LIB_POINTER "db_library" 881 #define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH 882 #define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV 883 884 #define KRB5_KDB_OPEN_RW 0 885 #define KRB5_KDB_OPEN_RO 1 886 887 #define KRB5_KDB_OPT_SET_DB_NAME 0 888 #define KRB5_KDB_OPT_SET_LOCK_MODE 1 889 890 /* 891 * This number indicates the date of the last incompatible change to the DAL. 892 * The maj_ver field of the module's vtable structure must match this version. 893 */ 894 #define KRB5_KDB_DAL_MAJOR_VERSION 9 895 896 /* 897 * Note the following when converting a module to DAL version 9: 898 * 899 * - get_authdata_info() and sign_authdata() have been removed, and issue_pac() 900 * has been added. 901 * 902 * - check_allowed_to_delegate() must handle a null proxy argument, returning 903 * success if server has any authorized delegation targets in the traditional 904 * scheme. 905 * 906 * - allowed_to_delegate_from() accepts a krb5_pac parameter (in place 907 * server_ad_info) for the impersonator's PAC. 908 * 909 * - check_allowed_to_delegate() and allowed_to_delegate_from() must return 910 * KRB5KDC_ERR_BADOPTION on authorization failure. 911 * 912 * - the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags have 913 * been combined into KRB5_KDB_FLAG_CLIENT. 914 * 915 * - the KRB5_KDB_FLAG_CANONICALIZE flag has been renamed to 916 * KRB5_KDB_FLAG_REFERRAL_OK, and is only passed to get_principal() when a 917 * realm referral is allowed (AS client and TGS server lookups, when the 918 * CANONICALIZE option is requested or, for AS requests, when the client is 919 * an enterprise principal). As of DAL version 8 the KDB module should 920 * always canonicalize aliases within a realm; the KDC will decide whether to 921 * use the original or canonical principal. 922 */ 923 924 /* 925 * A krb5_context can hold one database object. Modules should use 926 * krb5_db_set_context and krb5_db_get_context to store state associated with 927 * the database object. 928 * 929 * Some module functions are mandatory for KDC operation; others are optional 930 * or apply only to administrative operations. If a function is optional, a 931 * module can leave the function pointer as NULL. Alternatively, modules can 932 * return KRB5_PLUGIN_OP_NOTSUPP when asked to perform an inapplicable action. 933 * 934 * Some module functions have default implementations which will call back into 935 * the vtable interface. Leave these functions as NULL to use the default 936 * implementations. 937 * 938 * The documentation in these comments describes the DAL as it is currently 939 * implemented and used, not as it should be. So if anything seems off, that 940 * probably means the current state of things is off. 941 * 942 * Modules must allocate memory for principal entries, policy entries, and 943 * other structures using an allocator compatible with malloc() as seen by 944 * libkdb5 and libkrb5. Modules may link against libkdb5 and call 945 * krb5_db_alloc() to be certain that the same malloc implementation is used. 946 */ 947 948 typedef struct _kdb_vftabl { 949 short int maj_ver; 950 short int min_ver; 951 952 /* 953 * Mandatory: Invoked after the module library is loaded, when the first DB 954 * using the module is opened, across all contexts. 955 */ 956 krb5_error_code (*init_library)(void); 957 958 /* 959 * Mandatory: Invoked before the module library is unloaded, after the last 960 * DB using the module is closed, across all contexts. 961 */ 962 krb5_error_code (*fini_library)(void); 963 964 /* 965 * Mandatory: Initialize a database object. Profile settings should be 966 * read from conf_section inside KDB_MODULE_SECTION. db_args communicates 967 * command-line arguments for module-specific flags. mode will be one of 968 * KRB5_KDB_OPEN_{RW,RO} or'd with one of 969 * KRB5_KDB_SRV_TYPE_{KDC,ADMIN,PASSWD,OTHER}. 970 */ 971 krb5_error_code (*init_module)(krb5_context kcontext, char *conf_section, 972 char **db_args, int mode); 973 974 /* 975 * Mandatory: Finalize the database object contained in a context. Free 976 * any state contained in the db_context pointer and null it out. 977 */ 978 krb5_error_code (*fini_module)(krb5_context kcontext); 979 980 /* 981 * Optional: Initialize a database object while creating the underlying 982 * database. conf_section and db_args have the same meaning as in 983 * init_module. This function may return an error if the database already 984 * exists. Used by kdb5_util create. 985 * 986 * If db_args contains the value "temporary", the module should create an 987 * exclusively locked side copy of the database suitable for loading in a 988 * propagation from primary to replica. This side copy will later be 989 * promoted with promote_db, allowing complete updates of the DB with no 990 * loss in read availability. If the module cannot comply with this 991 * architecture, it should return an error. 992 */ 993 krb5_error_code (*create)(krb5_context kcontext, char *conf_section, 994 char **db_args); 995 996 /* 997 * Optional: Destroy a database. conf_section and db_args have the same 998 * meaning as in init_module. Used by kdb5_util destroy. In current 999 * usage, the database is destroyed while open, so the module should handle 1000 * that. 1001 */ 1002 krb5_error_code (*destroy)(krb5_context kcontext, char *conf_section, 1003 char **db_args); 1004 1005 /* 1006 * Deprecated: No longer used as of krb5 1.10; can be removed in the next 1007 * DAL revision. Modules should leave as NULL. 1008 */ 1009 krb5_error_code (*get_age)(krb5_context kcontext, char *db_name, 1010 time_t *age); 1011 1012 /* 1013 * Optional: Lock the database, with semantics depending on the mode 1014 * argument: 1015 * 1016 * KRB5_DB_LOCKMODE_SHARED: Lock may coexist with other shared locks. 1017 * KRB5_DB_LOCKMODE_EXCLUSIVE: Lock may not coexist with other locks. 1018 * KRB5_DB_LOCKMODE_PERMANENT: Exclusive lock surviving process exit. 1019 * 1020 * Used by the "kadmin lock" command, incremental propagation, and 1021 * kdb5_util dump. Incremental propagation support requires shared locks 1022 * to operate. kdb5_util dump will continue unlocked if the module returns 1023 * KRB5_PLUGIN_OP_NOTSUPP. 1024 */ 1025 krb5_error_code (*lock)(krb5_context kcontext, int mode); 1026 1027 /* Optional: Release a lock created with db_lock. */ 1028 krb5_error_code (*unlock)(krb5_context kcontext); 1029 1030 /* 1031 * Mandatory: Set *entry to an allocated entry for the principal 1032 * search_for. If the principal is not found, return KRB5_KDB_NOENTRY. 1033 * 1034 * The meaning of flags are as follows: 1035 * 1036 * KRB5_KDB_FLAG_REFERRAL_OK: Set by the KDC when looking up entries for an 1037 * AS client with canonicalization requested or for an enterprise 1038 * principal, or for a TGS request server with canonicalization 1039 * requested. Determines whether the module should return out-of-realm 1040 * referrals. 1041 * 1042 * KRB5_KDB_FLAG_CLIENT: Set by the KDC when looking up a client principal 1043 * during an AS or TGS request. Affects how the module should return 1044 * out-of-realm referrals. 1045 * 1046 * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client 1047 * entry during TGS requests, except for S4U TGS requests and requests 1048 * where the server entry has the KRB5_KDB_NO_AUTH_DATA_REQUIRED 1049 * attribute. Indicates that the module should map foreign principals 1050 * to local principals if it supports doing so. 1051 * 1052 * KRB5_KDB_FLAG_PROTOCOL_TRANSITION: Set by the KDC when looking up the 1053 * client entry during an S4U2Self TGS request. This affects the PAC 1054 * information which should be included when authorization data is 1055 * generated; see the Microsoft S4U specification for details. 1056 * 1057 * KRB5_KDB_FLAG_CONSTRAINED_DELEGATION: Set by the KDC when looking up the 1058 * client entry during an S4U2Proxy TGS request. Also affects PAC 1059 * generation. 1060 * 1061 * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server 1062 * entry during a TGS request, if the header ticket was issued by a 1063 * different realm. 1064 * 1065 * KRB5_KDB_FLAG_ISSUING_REFERRAL: Set by the KDC after looking up a server 1066 * entry during a TGS request, if the requested server principal is not 1067 * part of the realm being served, and a referral or alternate TGT will 1068 * be issued instead. 1069 * 1070 * A module may return an in-realm alias by setting (*entry)->princ to the 1071 * canonical name. The KDC will decide based on the request whether to use 1072 * the requested name or the canonical name in the issued ticket. 1073 * 1074 * A module can return a referral to another realm if flags contains 1075 * KRB5_KDB_FLAG_REFERRAL_OK. If KRB5_KDB_FLAG_CLIENT is also set, the 1076 * module should return a referral by simply filling in an out-of-realm 1077 * name in (*entry)->princ and setting all other fields to NULL. 1078 * Otherwise, the module should return the entry for the cross-realm TGS of 1079 * the referred-to realm. 1080 */ 1081 krb5_error_code (*get_principal)(krb5_context kcontext, 1082 krb5_const_principal search_for, 1083 unsigned int flags, 1084 krb5_db_entry **entry); 1085 1086 /* 1087 * Optional: Create or modify a principal entry. db_args communicates 1088 * command-line arguments for module-specific flags. 1089 * 1090 * The mask field of an entry indicates the changed fields. Mask values 1091 * are defined in kadmin's admin.h header. If KADM5_PRINCIPAL is set in 1092 * the mask, the entry is new; otherwise it already exists. All fields of 1093 * an entry are expected to contain correct values, regardless of whether 1094 * they are specified in the mask, so it is acceptable for a module to 1095 * ignore the mask and update the entire entry. 1096 * 1097 * If the module has its own representation of principal aliases, this 1098 * method should recognize alias stub entries using krb5_dbe_read_alias() 1099 * and should create the alias instead of storing the stub entry. 1100 */ 1101 krb5_error_code (*put_principal)(krb5_context kcontext, 1102 krb5_db_entry *entry, char **db_args); 1103 1104 /* 1105 * Optional: Delete search_for from the database. If the principal did not 1106 * exist, return KRB5_KDB_NOENTRY. If search_for is an alias, delete the 1107 * alias, not the entry for the canonical principal. 1108 */ 1109 krb5_error_code (*delete_principal)(krb5_context kcontext, 1110 krb5_const_principal search_for); 1111 1112 /* 1113 * Optional with default: Rename a principal. If the source principal does 1114 * not exist, return KRB5_KDB_NOENTRY. If the target exists, return an 1115 * error. This method will not be called if source is an alias. 1116 * 1117 * NOTE: If the module chooses to implement a custom function for renaming 1118 * a principal instead of using the default, then rename operations will 1119 * fail if iprop logging is enabled. 1120 */ 1121 krb5_error_code (*rename_principal)(krb5_context kcontext, 1122 krb5_const_principal source, 1123 krb5_const_principal target); 1124 1125 /* 1126 * Optional: For each principal entry in the database, invoke func with the 1127 * arguments func_arg and the entry data. If match_entry is specified, the 1128 * module may narrow the iteration to principal names matching that regular 1129 * expression; a module may alternatively ignore match_entry. 1130 * 1131 * If the module has its own representation of principal aliases, this 1132 * method should invoke func with a stub alias entry for each alias, 1133 * created using krb5_dbe_make_alias_entry(). 1134 */ 1135 krb5_error_code (*iterate)(krb5_context kcontext, 1136 char *match_entry, 1137 int (*func)(krb5_pointer, krb5_db_entry *), 1138 krb5_pointer func_arg, krb5_flags iterflags); 1139 1140 /* 1141 * Optional: Create a password policy entry. Return an error if the policy 1142 * already exists. 1143 */ 1144 krb5_error_code (*create_policy)(krb5_context kcontext, 1145 osa_policy_ent_t policy); 1146 1147 /* 1148 * Optional: Set *policy to the policy entry of the specified name. If the 1149 * entry does not exist, return KRB5_KDB_NOENTRY. 1150 */ 1151 krb5_error_code (*get_policy)(krb5_context kcontext, char *name, 1152 osa_policy_ent_t *policy); 1153 1154 /* 1155 * Optional: Modify an existing password policy entry to match the values 1156 * in policy. Return an error if the policy does not already exist. 1157 */ 1158 krb5_error_code (*put_policy)(krb5_context kcontext, 1159 osa_policy_ent_t policy); 1160 1161 /* 1162 * Optional: For each password policy entry in the database, invoke func 1163 * with the arguments data and the entry data. If match_entry is 1164 * specified, the module may narrow the iteration to policy names matching 1165 * that regular expression; a module may alternatively ignore match_entry. 1166 */ 1167 krb5_error_code (*iter_policy)(krb5_context kcontext, char *match_entry, 1168 osa_adb_iter_policy_func func, 1169 void *data); 1170 1171 /* 1172 * Optional: Delete the password policy entry with the name policy. Return 1173 * an error if the entry does not exist. 1174 */ 1175 krb5_error_code (*delete_policy)(krb5_context kcontext, char *policy); 1176 1177 /* 1178 * Optional with default: Retrieve a master keyblock from the stash file 1179 * db_args, filling in *key and *kvno. mname is the name of the master 1180 * principal for the realm. 1181 * 1182 * The default implementation reads the master keyblock from a keytab or 1183 * old-format stash file. 1184 */ 1185 krb5_error_code (*fetch_master_key)(krb5_context kcontext, 1186 krb5_principal mname, 1187 krb5_keyblock *key, krb5_kvno *kvno, 1188 char *db_args); 1189 1190 /* 1191 * Optional with default: Given a keyblock for some version of the 1192 * database's master key, fetch the decrypted master key values from the 1193 * database and store the list into *mkeys_list. The caller will free 1194 * *mkeys_list using a libkdb5 function which uses the standard free() 1195 * function, so the module must not use a custom allocator. 1196 * 1197 * The caller may not know the version number of the master key it has, in 1198 * which case it will pass IGNORE_VNO. 1199 * 1200 * The default implementation ignores kvno and tries the key against the 1201 * current master key data and all KRB5_TL_MKEY_AUX values, which contain 1202 * copies of the master keys encrypted with old master keys. 1203 */ 1204 krb5_error_code (*fetch_master_key_list)(krb5_context kcontext, 1205 krb5_principal mname, 1206 const krb5_keyblock *key, 1207 krb5_keylist_node **mkeys_list); 1208 1209 /* 1210 * Optional with default: Save a list of master keyblocks, obtained from 1211 * fetch_master_key_list, into the stash file db_arg. The caller will set 1212 * master_pwd to NULL, so the module should just ignore it. mname is the 1213 * name of the master principal for the realm. 1214 * 1215 * The default implementation saves the list of master keys in a 1216 * keytab-format file. 1217 */ 1218 krb5_error_code (*store_master_key_list)(krb5_context kcontext, 1219 char *db_arg, 1220 krb5_principal mname, 1221 krb5_keylist_node *keylist, 1222 char *master_pwd); 1223 1224 /* 1225 * Optional with default: Starting at position *start, scan the key data of 1226 * a database entry for a key matching the enctype ktype, the salt type 1227 * stype, and the version kvno. Store the resulting key into *kdatap and 1228 * set *start to the position after the key found. If ktype is negative, 1229 * match any enctype. If stype is negative, match any salt type. If kvno 1230 * is zero or negative, find the most recent key version satisfying the 1231 * other constraints. 1232 */ 1233 krb5_error_code (*dbe_search_enctype)(krb5_context kcontext, 1234 krb5_db_entry *dbentp, 1235 krb5_int32 *start, krb5_int32 ktype, 1236 krb5_int32 stype, krb5_int32 kvno, 1237 krb5_key_data **kdatap); 1238 1239 1240 /* 1241 * Optional with default: Change the key data for db_entry to include keys 1242 * derived from the password passwd in each of the specified key-salt 1243 * types, at version new_kvno. Discard the old key data if keepold is not 1244 * set. 1245 * 1246 * The default implementation uses the keyblock master_key to encrypt each 1247 * new key, via the function encrypt_key_data. 1248 */ 1249 krb5_error_code (*change_pwd)(krb5_context context, 1250 krb5_keyblock *master_key, 1251 krb5_key_salt_tuple *ks_tuple, 1252 int ks_tuple_count, char *passwd, 1253 int new_kvno, unsigned int keepold, 1254 krb5_db_entry *db_entry); 1255 1256 /* 1257 * Optional: Promote a temporary database to be the live one. context must 1258 * be initialized with an exclusively locked database created with the 1259 * "temporary" db_arg. On success, the database object contained in 1260 * context will be finalized. 1261 * 1262 * This method is used by kdb5_util load to replace the live database with 1263 * minimal loss of read availability. 1264 */ 1265 krb5_error_code (*promote_db)(krb5_context context, char *conf_section, 1266 char **db_args); 1267 1268 /* 1269 * Optional with default: Decrypt the key in key_data with master keyblock 1270 * mkey, placing the result into dbkey. Copy the salt from key_data, if 1271 * any, into keysalt. Either dbkey or keysalt may be left unmodified on 1272 * successful return if key_data does not contain key or salt information. 1273 * 1274 * The default implementation expects the encrypted key (in krb5_c_encrypt 1275 * format) to be stored in key_data_contents[0], with length given by 1276 * key_data_length[0]. If key_data_ver is 2, it expects the salt to be 1277 * stored, unencrypted, in key_data_contents[1], with length given by 1278 * key_data_length[1]. 1279 */ 1280 krb5_error_code (*decrypt_key_data)(krb5_context kcontext, 1281 const krb5_keyblock *mkey, 1282 const krb5_key_data *key_data, 1283 krb5_keyblock *dbkey, 1284 krb5_keysalt *keysalt); 1285 1286 /* 1287 * Optional with default: Encrypt dbkey with master keyblock mkey, placing 1288 * the result into key_data along with keysalt. 1289 * 1290 * The default implementation stores the encrypted key (in krb5_c_encrypt 1291 * format) in key_data_contents[0] and the length in key_data_length[0]. 1292 * If keysalt is specified, it sets key_data_ver to 2, and stores the salt 1293 * in key_data_contents[1] and its length in key_data_length[1]. If 1294 * keysalt is not specified, key_data_ver is set to 1. 1295 */ 1296 krb5_error_code (*encrypt_key_data)(krb5_context kcontext, 1297 const krb5_keyblock *mkey, 1298 const krb5_keyblock *dbkey, 1299 const krb5_keysalt *keysalt, 1300 int keyver, krb5_key_data *key_data); 1301 1302 /* 1303 * Optional: Perform a policy check on a cross-realm ticket's transited 1304 * field. Return 0 if the check authoritatively succeeds, 1305 * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or 1306 * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. 1307 */ 1308 krb5_error_code (*check_transited_realms)(krb5_context kcontext, 1309 const krb5_data *tr_contents, 1310 const krb5_data *client_realm, 1311 const krb5_data *server_realm); 1312 1313 /* 1314 * Optional: Perform a policy check on an AS request, in addition to the 1315 * standard policy checks. Return 0 if the AS request is allowed. If the 1316 * AS request is not allowed: 1317 * - Place a short string literal into *status. 1318 * - If desired, place data into e_data. Any data placed here will be 1319 * freed by the caller using the standard free function. 1320 * - Return an appropriate error (such as KRB5KDC_ERR_POLICY). 1321 */ 1322 krb5_error_code (*check_policy_as)(krb5_context kcontext, 1323 krb5_kdc_req *request, 1324 krb5_db_entry *client, 1325 krb5_db_entry *server, 1326 krb5_timestamp kdc_time, 1327 const char **status, 1328 krb5_pa_data ***e_data); 1329 1330 /* 1331 * Optional: Perform a policy check on a TGS request, in addition to the 1332 * standard policy checks. Return 0 if the TGS request is allowed. If the 1333 * TGS request is not allowed: 1334 * - Place a short string literal into *status. 1335 * - If desired, place data into e_data. Any data placed here will be 1336 * freed by the caller using the standard free function. 1337 * - Return an appropriate error (such as KRB5KDC_ERR_POLICY). 1338 * The input parameter ticket contains the TGT used in the TGS request. 1339 */ 1340 krb5_error_code (*check_policy_tgs)(krb5_context kcontext, 1341 krb5_kdc_req *request, 1342 krb5_db_entry *server, 1343 krb5_ticket *ticket, 1344 const char **status, 1345 krb5_pa_data ***e_data); 1346 1347 /* 1348 * Optional: This method informs the module of a successful or unsuccessful 1349 * AS request. 1350 */ 1351 void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request, 1352 const krb5_address *local_addr, 1353 const krb5_address *remote_addr, 1354 krb5_db_entry *client, krb5_db_entry *server, 1355 krb5_timestamp authtime, krb5_error_code error_code); 1356 1357 /* Note: there is currently no method for auditing TGS requests. */ 1358 1359 /* 1360 * Optional: This method informs the module of a request to reload 1361 * configuration or other state (that is, the KDC received a SIGHUP). 1362 */ 1363 void (*refresh_config)(krb5_context kcontext); 1364 1365 /* 1366 * Optional: Perform a policy check on server being allowed to obtain 1367 * tickets from client to proxy. If proxy is NULL, check if server has any 1368 * authorized delegation targets (client will also be NULL in this case). 1369 * (Note that proxy is the target of the delegation, not the delegating 1370 * service; the term "proxy" is from the viewpoint of the delegating 1371 * service asking another service to perform some of its work in the 1372 * authentication context of the client. This terminology comes from the 1373 * Microsoft S4U protocol documentation.) Return 0 if policy allows 1374 * delegation to the specified target (or to any target if proxy is NULL), 1375 * or KRB5KDC_ERR_BADOPTION if not. If this method is not implemented, all 1376 * S4U2Proxy delegation requests will be rejected. 1377 */ 1378 krb5_error_code (*check_allowed_to_delegate)(krb5_context context, 1379 krb5_const_principal client, 1380 const krb5_db_entry *server, 1381 krb5_const_principal proxy); 1382 1383 /* 1384 * Optional: Free the e_data pointer of a database entry. If this method 1385 * is not implemented, the e_data pointer in principal entries will be 1386 * freed with free() as seen by libkdb5. 1387 */ 1388 void (*free_principal_e_data)(krb5_context kcontext, krb5_octet *e_data); 1389 1390 /* 1391 * Optional: get a client principal entry based on an X.509 certificate. 1392 * 1393 * If flags include KRB5_KDB_FLAG_REFERRAL_OK, the certificate was 1394 * presented in an AS request. princ->realm indicates the request realm, 1395 * but the data components should be ignored. The module can return an 1396 * out-of-realm client referral as it would for get_principal(). 1397 * 1398 * Otherwise, princ is from a TGS request. If it contains data components 1399 * (and not just a realm), the module should verify that it is the same as 1400 * the lookup result for client_cert. The module should not return a 1401 * referral. 1402 */ 1403 krb5_error_code (*get_s4u_x509_principal)(krb5_context kcontext, 1404 const krb5_data *client_cert, 1405 krb5_const_principal princ, 1406 unsigned int flags, 1407 krb5_db_entry **entry_out); 1408 1409 /* 1410 * Optional: Perform a policy check on server being allowed to obtain 1411 * tickets from client to proxy. This method is similar to 1412 * check_allowed_to_delegate, but it operates on the target server DB entry 1413 * (called "proxy" here as in Microsoft's protocol documentation) rather 1414 * than the intermediate server entry. server_pac is the verified PAC from 1415 * the authdata of the intermediate server. Return 0 if policy allows the 1416 * delegation, or KRB5KDC_ERR_BADOPTION if not. 1417 * 1418 * This method is called for S4U2Proxy requests and implements the 1419 * resource-based constrained delegation variant, which can support 1420 * cross-realm delegation. If this method is not implemented or if it 1421 * returns a policy error, the KDC will fall back to 1422 * check_allowed_to_delegate if the intermediate and target servers are in 1423 * the same realm and the evidence ticket is forwardable. 1424 */ 1425 krb5_error_code (*allowed_to_delegate_from)(krb5_context context, 1426 krb5_const_principal client, 1427 krb5_const_principal server, 1428 krb5_pac server_pac, 1429 const krb5_db_entry *proxy); 1430 1431 /* 1432 * Optional: Add buffers to new_pac using krb5_pac_add_buffer() before it 1433 * is signed. 1434 * 1435 * The caller will handle the following buffer types, so do not copy or add 1436 * them: 1437 * 1438 * KRB5_PAC_SERVER_CHECKSUM 1439 * KRB5_PAC_PRIVSVR_CHECKSUM 1440 * KRB5_PAC_TICKET_CHECKSUM 1441 * KRB5_PAC_CLIENT_INFO 1442 * KRB5_PAC_DELEGATION_INFO 1443 * 1444 * For TGS requests, old_pac is the PAC of the header ticket, except when 1445 * KRB5_KDB_FLAG_CONTRAINED_DELEGATION is present in flags, in which case 1446 * it is the PAC of the second ticket. If 1447 * KRB5_KDB_FLAG_PROTOCOL_TRANSITION is present in flags and client is not 1448 * NULL, old_pac is the PAC of the requesting service, not the subject of 1449 * the S4U2Self request, and its buffers should not be copied into new_pac. 1450 * The signatures and PAC_CLIENT_INFO of old_pac have been verified by the 1451 * caller. 1452 * 1453 * If replaced_reply_key is not null, the request is an AS request and the 1454 * reply key was replaced by a preauth mechanism such as PKINIT, meaning 1455 * the Kerberos password or long-term key was not used. The module may use 1456 * this key to encrypt a PAC_CREDENTIALS_INFO buffer containing credentials 1457 * (such as an NTLM hash) that the client would ordinarily derive from the 1458 * Kerberos password or long-term key. 1459 * 1460 * server is the database entry of the server the ticket will be issued to, 1461 * which may be a referral TGS. 1462 * 1463 * signing_krbtgt is the database entry of the krbtgt principal used to 1464 * verify old_pac (or null if old_pac is null). If 1465 * KRB5_KDB_FLAG_CROSS_REALM is present in flags, this entry will be an 1466 * incoming cross-realm TGS, and the PAC fields should undergo appropriate 1467 * filtering based on the trust level of the cross-realm relationship. 1468 * 1469 * auth_indicators points to NULL or a null-terminated list of krb5_data 1470 * pointers, each containing an authentication indicator (RFC 8129). The 1471 * method may modify this list, or free it and replace *auth_indicators 1472 * with NULL, to change which auth indicators will be included in the 1473 * ticket. 1474 */ 1475 krb5_error_code (*issue_pac)(krb5_context context, unsigned int flags, 1476 krb5_db_entry *client, 1477 krb5_keyblock *replaced_reply_key, 1478 krb5_db_entry *server, 1479 krb5_db_entry *signing_krbtgt, 1480 krb5_timestamp authtime, krb5_pac old_pac, 1481 krb5_pac new_pac, 1482 krb5_data ***auth_indicators); 1483 1484 /* End of minor version 0 for major version 9. */ 1485 } kdb_vftabl; 1486 1487 #endif /* !defined(_WIN32) */ 1488 1489 #endif /* KRB5_KDB5__ */ 1490