1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * include/krb5/kdb.h
8  *
9  * Copyright 1990,1991 by the Massachusetts Institute of Technology.
10  * All Rights Reserved.
11  *
12  * Export of this software from the United States of America may
13  *   require a specific license from the United States Government.
14  *   It is the responsibility of any person or organization contemplating
15  *   export to obtain such a license before exporting.
16  *
17  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18  * distribute this software and its documentation for any purpose and
19  * without fee is hereby granted, provided that the above copyright
20  * notice appear in all copies and that both that copyright notice and
21  * this permission notice appear in supporting documentation, and that
22  * the name of M.I.T. not be used in advertising or publicity pertaining
23  * to distribution of the software without specific, written prior
24  * permission.  Furthermore if you modify this software you must label
25  * your software as modified software and not distribute it in such a
26  * fashion that it might be confused with the original M.I.T. software.
27  * M.I.T. makes no representations about the suitability of
28  * this software for any purpose.  It is provided "as is" without express
29  * or implied warranty.
30  *
31  *
32  * KDC Database interface definitions.
33  */
34 
35 /*
36  * Copyright (C) 1998 by the FundsXpress, INC.
37  *
38  * All rights reserved.
39  *
40  * Export of this software from the United States of America may require
41  * a specific license from the United States Government.  It is the
42  * responsibility of any person or organization contemplating export to
43  * obtain such a license before exporting.
44  *
45  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
46  * distribute this software and its documentation for any purpose and
47  * without fee is hereby granted, provided that the above copyright
48  * notice appear in all copies and that both that copyright notice and
49  * this permission notice appear in supporting documentation, and that
50  * the name of FundsXpress. not be used in advertising or publicity pertaining
51  * to distribution of the software without specific, written prior
52  * permission.  FundsXpress makes no representations about the suitability of
53  * this software for any purpose.  It is provided "as is" without express
54  * or implied warranty.
55  *
56  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
57  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
58  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
59  */
60 
61 #ifndef KRB5_KDB5__
62 #define KRB5_KDB5__
63 
64 /* Salt types */
65 #define KRB5_KDB_SALTTYPE_NORMAL	0
66 #define KRB5_KDB_SALTTYPE_V4		1
67 #define KRB5_KDB_SALTTYPE_NOREALM	2
68 #define KRB5_KDB_SALTTYPE_ONLYREALM	3
69 #define KRB5_KDB_SALTTYPE_SPECIAL	4
70 #define KRB5_KDB_SALTTYPE_AFS3		5
71 
72 /* Attributes */
73 #define	KRB5_KDB_DISALLOW_POSTDATED	0x00000001
74 #define	KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
75 #define	KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
76 #define	KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
77 #define	KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
78 #define	KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
79 #define	KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
80 #define	KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
81 #define KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
82 #define	KRB5_KDB_REQUIRES_PWCHANGE	0x00000200
83 #define KRB5_KDB_DISALLOW_SVR		0x00001000
84 #define KRB5_KDB_PWCHANGE_SERVICE	0x00002000
85 #define KRB5_KDB_SUPPORT_DESMD5         0x00004000
86 #define	KRB5_KDB_NEW_PRINC		0x00008000
87 
88 /* Creation flags */
89 #define KRB5_KDB_CREATE_BTREE		0x00000001
90 #define KRB5_KDB_CREATE_HASH		0x00000002
91 
92 /*
93  * Note --- these structures cannot be modified without changing the
94  * database version number in libkdb.a, but should be expandable by
95  * adding new tl_data types.
96  */
/*
 * One node of the per-principal "tagged length data" list hung off
 * krb5_db_entry.tl_data (the matching count is n_tl_data).  Only the link
 * is marked "NOT saved"; the remaining three fields are the part that is
 * written to the database.  tl_data_type presumably takes the KRB5_TL_*
 * values defined later in this header -- confirm against the encoder.
 */
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next;		/* NOT saved */
    krb5_int16 		  tl_data_type;
    krb5_ui_2		  tl_data_length;	/* presumably the byte count of tl_data_contents */
    krb5_octet 	        * tl_data_contents;
} krb5_tl_data;
103 
104 /*
 * If this ever changes, bump the version number and make the arrays as
 * big as necessary.
107  *
108  * Currently the first type is the enctype and the second is the salt type.
109  */
/*
 * One stored key of a principal.  The two-element arrays are indexed in
 * parallel (KRB5_KDB_V1_KEY_DATA_ARRAY below gives the element count);
 * per the comment above, index 0 is the enctype and index 1 the salt type.
 */
typedef struct _krb5_key_data {
    krb5_int16 		  key_data_ver;		/* Version */
    krb5_int16		  key_data_kvno;	/* Key Version */
    krb5_int16		  key_data_type[2];	/* Array of types */
#if 0
     /*
      * SUNW14resync (mech)
      * This has changed in the mech so we change it here also
      * prior to the admin resync.
      */
     krb5_ui_2      key_data_length[2];  Array of lengths
#endif
    /*
     * NOTE(review): the live declaration is signed, unlike the unsigned
     * krb5_ui_2 tl_data_length in krb5_tl_data, so a stored length of
     * 0x8000 or above reads back negative.  The #if 0 block above records
     * an intended move to krb5_ui_2.  Code that turns these lengths into
     * buffer sizes must reject negative values first.
     */
    krb5_int16		  key_data_length[2];	/* Array of lengths */
    krb5_octet 	        * key_data_contents[2];	/* Array of pointers, one per length above */
} krb5_key_data;
125 
126 #define KRB5_KDB_V1_KEY_DATA_ARRAY	2	/* # of array elements */
127 
/*
 * Salt type plus salt bytes.  Judging by the const-qualification of the
 * prototypes below, krb5_dbekd_decrypt_key_data fills one in and
 * krb5_dbekd_encrypt_key_data reads one.  type presumably uses the
 * KRB5_KDB_SALTTYPE_* values at the top of this header -- confirm.
 */
typedef struct _krb5_keysalt {
    krb5_int16		  type;
    krb5_data		  data;			/* Length, data */
} krb5_keysalt;
132 
/*
 * One principal's database record.  Fields marked "NOT saved" exist only
 * in memory.  n_tl_data and n_key_data appear to be the element counts for
 * the tl_data list and key_data array at the end of the struct; both are
 * signed 16-bit while e_length is unsigned, so code that decodes a record
 * from the database should reject negative counts before walking either
 * container.
 */
typedef struct _krb5_db_entry_new {
    krb5_magic 		  magic;		/* NOT saved */
    krb5_ui_2		  len;
    krb5_ui_4             mask;                 /* members currently changed/set */
    krb5_flags 		  attributes;		/* presumably the KRB5_KDB_* attribute bits above -- confirm */
    krb5_deltat		  max_life;
    krb5_deltat		  max_renewable_life;
    krb5_timestamp 	  expiration;	  	/* When the client expires */
    krb5_timestamp 	  pw_expiration;  	/* When its passwd expires */
    krb5_timestamp 	  last_success;		/* Last successful passwd */
    krb5_timestamp 	  last_failed;		/* Last failed passwd attempt */
    krb5_kvno 	 	  fail_auth_count; 	/* # of failed passwd attempt; presumably compared with KRB5_MAX_FAIL_COUNT below */
    krb5_int16 		  n_tl_data;
    krb5_int16 		  n_key_data;
    krb5_ui_2		  e_length;		/* Length of extra data */
    krb5_octet		* e_data;		/* Extra data to be saved */

    krb5_principal 	  princ;		/* Length, data */
    krb5_tl_data	* tl_data;		/* Linked list */
    krb5_key_data       * key_data;		/* Array */
} krb5_db_entry;
154 
/*
 * (enctype, salt type) pair.  Arrays of these, with an explicit count, are
 * passed to krb5_dbe_cpw/ark/crk/apw below.
 * NOTE(review): the struct tag begins with a double underscore, a name
 * space reserved for the C implementation; it is left unchanged because
 * existing code may refer to the tag.
 */
typedef struct __krb5_key_salt_tuple {
    krb5_enctype	ks_enctype;
    krb5_int32		ks_salttype;
} krb5_key_salt_tuple;
159 
160 #define	KRB5_KDB_MAGIC_NUMBER		0xdbdbdbdb
161 #define KRB5_KDB_V1_BASE_LENGTH		38
162 
163 #define KRB5_TL_LAST_PWD_CHANGE		0x0001
164 #define KRB5_TL_MOD_PRINC		0x0002
165 #define KRB5_TL_KADM_DATA		0x0003
166 #define KRB5_TL_KADM5_E_DATA		0x0004
167 #define KRB5_TL_RB1_CHALLENGE		0x0005
168 #ifdef SECURID
169 #define KRB5_TL_SECURID_STATE           0x0006
170 #define KRB5_TL_DB_ARGS                 0x7fff
171 #endif /* SECURID */
172 #define KRB5_TL_USER_CERTIFICATE        0x0007
173 
174 /*
175  * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
176  * on the principal.
177  */
178 #define KRB5_MAX_FAIL_COUNT		5
179 
180 /* XXX depends on knowledge of krb5_parse_name() formats */
181 #define KRB5_KDB_M_NAME		"K/M"	/* Kerberos/Master */
182 
183 /* prompts used by default when reading the KDC password from the keyboard. */
184 #define KRB5_KDC_MKEY_1	"Enter KDC database master key"
185 #define KRB5_KDC_MKEY_2	"Re-enter KDC database master key to verify"
186 
187 
188 extern char *krb5_mkey_pwd_prompt1;
189 extern char *krb5_mkey_pwd_prompt2;
190 
191 /*
192  * These macros specify the encoding of data within the database.
193  *
194  * Data encoding is little-endian.
195  */
196 #include "k5-platform.h"
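/*
 * krb5_kdb_decode_int16(cp, i16) / krb5_kdb_decode_int32(cp, i32)
 *   Read a little-endian 2- or 4-byte integer from the bytes at cp and
 *   store it in the lvalue i16 / i32.  cp must point at least 2 / 4 bytes
 *   into a readable buffer; the caller is responsible for that bound, and
 *   cp is evaluated several times, so pass a side-effect-free expression.
 *
 *   The 32-bit form assembles the value as krb5_ui_4 (unsigned) and only
 *   then converts to krb5_int32: left-shifting a signed value by 24 when
 *   the top byte is >= 0x80 is undefined behaviour in C, whereas the
 *   unsigned shift is well defined and the final narrowing is
 *   implementation-defined (two's-complement wrap on supported targets).
 *   The 16-bit form is safe as written because its operands promote to int.
 *
 *   NOTE(review): both macros store through a cast of &i16 / &i32 rather
 *   than by plain assignment, so an lvalue of a different type is written
 *   as if it were krb5_int16 / krb5_int32 (a strict-aliasing hazard when
 *   the types differ).  Kept for compatibility with existing callers.
 */
#define	krb5_kdb_decode_int16(cp, i16)	\
	*((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \
			      ((krb5_int16) ((unsigned char) (cp)[1]) << 8))
#define	krb5_kdb_decode_int32(cp, i32)	\
	*((krb5_int32 *) &(i32)) = (krb5_int32) (((krb5_ui_4) ((unsigned char) (cp)[0])) | \
			      ((krb5_ui_4) ((unsigned char) (cp)[1]) << 8) | \
			      ((krb5_ui_4) ((unsigned char) (cp)[2]) << 16) | \
			      ((krb5_ui_4) ((unsigned char) (cp)[3]) << 24))
/*
 * krb5_kdb_encode_int16(i16, cp) / krb5_kdb_encode_int32(i32, cp)
 *   Write i16 / i32 into the bytes at cp, least significant byte first.
 *   cp must have room for 2 / 4 bytes; i16 / i32 and cp are evaluated
 *   more than once.  These expand to a bare brace block rather than
 *   do { } while (0), so `if (c) krb5_kdb_encode_int16(v, p); else ...`
 *   does not compile; the form is kept for source compatibility.
 */
#define	krb5_kdb_encode_int16(i16, cp)	\
	{							\
	    (cp)[0] = (unsigned char) ((i16) & 0xff);		\
	    (cp)[1] = (unsigned char) (((i16) >> 8) & 0xff);	\
	}
#define	krb5_kdb_encode_int32(i32, cp)	\
	{							\
	    (cp)[0] = (unsigned char) ((i32) & 0xff);		\
	    (cp)[1] = (unsigned char) (((i32) >> 8) & 0xff);	\
	    (cp)[2] = (unsigned char) (((i32) >> 16) & 0xff);	\
	    (cp)[3] = (unsigned char) (((i32) >> 24) & 0xff);	\
	}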
217 
218 #define KRB5_KDB_OPEN_RW                0
219 #define KRB5_KDB_OPEN_RO                1
220 
221 #ifndef KRB5_KDB_SRV_TYPE_KDC
222 #define KRB5_KDB_SRV_TYPE_KDC           0x0100
223 #endif
224 
225 #ifndef KRB5_KDB_SRV_TYPE_ADMIN
226 #define KRB5_KDB_SRV_TYPE_ADMIN         0x0200
227 #endif
228 
229 #ifndef KRB5_KDB_SRV_TYPE_PASSWD
230 #define KRB5_KDB_SRV_TYPE_PASSWD        0x0300
231 #endif
232 
233 #ifndef KRB5_KDB_SRV_TYPE_OTHER
234 #define KRB5_KDB_SRV_TYPE_OTHER         0x0400
235 #endif
236 
237 #define KRB5_KDB_OPT_SET_DB_NAME        0
238 #define KRB5_KDB_OPT_SET_LOCK_MODE      1
239 
240 #define KRB5_DB_LOCKMODE_SHARED       0x0001
241 #define KRB5_DB_LOCKMODE_EXCLUSIVE    0x0002
242 #define KRB5_DB_LOCKMODE_DONTBLOCK    0x0004
243 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
244 
245 /* libkdb.spec */
246 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
247 krb5_error_code krb5_db_init  ( krb5_context kcontext );
248 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
249 krb5_error_code krb5_db_inited  ( krb5_context kcontext );
250 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
251 krb5_error_code krb5_db_fini ( krb5_context kcontext );
252 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
253 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
254 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
255 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
256 krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value );
257 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
258 krb5_error_code krb5_db_unlock ( krb5_context kcontext );
259 krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
260 					krb5_const_principal search_for,
261 					krb5_db_entry *entries,
262 					int *nentries,
263 					krb5_boolean *more );
264 krb5_error_code krb5_db_get_principal_nolock ( krb5_context kcontext,
265 					krb5_const_principal search_for,
266 					krb5_db_entry *entries,
267 					int *nentries,
268 					krb5_boolean *more );
269 krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
270 					 krb5_db_entry *entry,
271 					 int count );
272 krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
273 					krb5_db_entry *entries,
274 					int *nentries);
275 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
276 					   krb5_principal search_for,
277 					   int *nentries );
278 /* Solaris Kerberos: adding support for db_args */
279 krb5_error_code krb5_db_iterate ( krb5_context kcontext,
280 				  char *match_entry,
281 				  int (*func) (krb5_pointer, krb5_db_entry *),
282 				  krb5_pointer func_arg,
283 				  char **db_args );
284 krb5_error_code krb5_supported_realms ( krb5_context kcontext,
285 					char **realms );
286 krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
287 					     char **realms );
288 krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
289 					     char *pwd,
290 					     krb5_keyblock *key );
291 krb5_error_code krb5_db_set_mkey ( krb5_context context,
292 				   krb5_keyblock *key);
293 krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
294 				   krb5_keyblock **key );
295 krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
296 					  krb5_keyblock *key );
297 krb5_error_code krb5_db_store_master_key  ( krb5_context kcontext,
298 					    char *db_arg,
299 					    krb5_principal mname,
300 					    krb5_keyblock *key,
301 					    char *master_pwd);
302 krb5_error_code krb5_db_fetch_mkey  ( krb5_context   context,
303 				      krb5_principal mname,
304 				      krb5_enctype   etype,
305 				      krb5_boolean   fromkeyboard,
306 				      krb5_boolean   twice,
307 				      char          *db_args,
308 				      krb5_data     *salt,
309 				      krb5_keyblock *key);
310 krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
311 					    krb5_principal mprinc,
312 					    krb5_keyblock *mkey );
313 krb5_error_code
314 krb5_dbe_find_enctype( krb5_context	kcontext,
315 		       krb5_db_entry	*dbentp,
316 		       krb5_int32		ktype,
317 		       krb5_int32		stype,
318 		       krb5_int32		kvno,
319 		       krb5_key_data	**kdatap);
320 
321 
322 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
323 					  krb5_db_entry *dbentp,
324 					  krb5_int32 *start,
325 					  krb5_int32 ktype,
326 					  krb5_int32 stype,
327 					  krb5_int32 kvno,
328 					  krb5_key_data **kdatap);
329 
330 krb5_error_code
331 krb5_db_setup_mkey_name ( krb5_context context,
332 			  const char *keyname,
333 			  const char *realm,
334 			  char **fullname,
335 			  krb5_principal *principal);
336 
337 krb5_error_code
338 krb5_dbekd_decrypt_key_data( krb5_context 	  context,
339 			     const krb5_keyblock	* mkey,
340 			     const krb5_key_data	* key_data,
341 			     krb5_keyblock 	* dbkey,
342 			     krb5_keysalt 	* keysalt);
343 
344 krb5_error_code
345 krb5_dbekd_encrypt_key_data( krb5_context 		  context,
346 			     const krb5_keyblock	* mkey,
347 			     const krb5_keyblock 	* dbkey,
348 			     const krb5_keysalt		* keysalt,
349 			     int			  keyver,
350 			     krb5_key_data	        * key_data);
351 
352 krb5_error_code
353 krb5_dbe_lookup_mod_princ_data( krb5_context          context,
354 				krb5_db_entry       * entry,
355 				krb5_timestamp      * mod_time,
356 				krb5_principal      * mod_princ);
357 
358 
359 krb5_error_code
360 krb5_dbe_update_last_pwd_change( krb5_context          context,
361 				 krb5_db_entry       * entry,
362 				 krb5_timestamp	  stamp);
363 
364 krb5_error_code
365 krb5_dbe_lookup_tl_data( krb5_context          context,
366 			 krb5_db_entry       * entry,
367 			 krb5_tl_data        * ret_tl_data);
368 
369 krb5_error_code
370 krb5_dbe_create_key_data( krb5_context          context,
371 			  krb5_db_entry       * entry);
372 
373 
374 krb5_error_code
375 krb5_dbe_update_mod_princ_data( krb5_context          context,
376 				krb5_db_entry       * entry,
377 				krb5_timestamp        mod_date,
378 				krb5_const_principal  mod_princ);
379 
380 krb5_error_code
381 krb5_dbe_update_last_pwd_change( krb5_context          context,
382 				 krb5_db_entry       * entry,
383 				 krb5_timestamp	  stamp);
384 
385 void *krb5_db_alloc( krb5_context kcontext,
386 		     void *ptr,
387 		     size_t size );
388 
389 void krb5_db_free( krb5_context kcontext,
390 		   void *ptr);
391 
392 
393 krb5_error_code
394 krb5_dbe_lookup_last_pwd_change( krb5_context          context,
395 				 krb5_db_entry       * entry,
396 				 krb5_timestamp      * stamp);
397 
398 krb5_error_code
399 krb5_dbe_update_tl_data( krb5_context          context,
400 			 krb5_db_entry       * entry,
401 			 krb5_tl_data        * new_tl_data);
402 
403 krb5_error_code
404 krb5_dbe_cpw( krb5_context	  kcontext,
405 	      krb5_keyblock       * master_key,
406 	      krb5_key_salt_tuple	* ks_tuple,
407 	      int			  ks_tuple_count,
408 	      char 		* passwd,
409 	      int			  new_kvno,
410 	      krb5_boolean	  keepold,
411 	      krb5_db_entry	* db_entry);
412 
413 
414 krb5_error_code
415 krb5_dbe_ark( krb5_context	  context,
416 	      krb5_keyblock       * master_key,
417 	      krb5_key_salt_tuple	* ks_tuple,
418 	      int			  ks_tuple_count,
419 	      krb5_db_entry	* db_entry);
420 
421 krb5_error_code
422 krb5_dbe_crk( krb5_context	  context,
423 	      krb5_keyblock       * master_key,
424 	      krb5_key_salt_tuple	* ks_tuple,
425 	      int			  ks_tuple_count,
426 	      krb5_boolean	  keepold,
427 	      krb5_db_entry	* db_entry);
428 
429 krb5_error_code
430 krb5_dbe_apw( krb5_context	  context,
431 	      krb5_keyblock       * master_key,
432 	      krb5_key_salt_tuple	* ks_tuple,
433 	      int			  ks_tuple_count,
434 	      char 		* passwd,
435 	      krb5_db_entry	* db_entry);
436 
/* Default functions; these should not be called directly. */
/*
 *   Default function prototypes
 */
441 
442 krb5_error_code
443 krb5_dbe_def_search_enctype( krb5_context kcontext,
444 			     krb5_db_entry *dbentp,
445 			     krb5_int32 *start,
446 			     krb5_int32 ktype,
447 			     krb5_int32 stype,
448 			     krb5_int32 kvno,
449 			     krb5_key_data **kdatap);
450 
451 krb5_error_code
452 krb5_def_store_mkey( krb5_context context,
453 		     char *keyfile,
454 		     krb5_principal mname,
455 		     krb5_keyblock *key,
456 		     char *master_pwd);
457 
458 
459 krb5_error_code
460 krb5_db_def_fetch_mkey( krb5_context   context,
461 			krb5_principal mname,
462 			krb5_keyblock *key,
463 			int           *kvno,
464 			char          *db_args);
465 
466 krb5_error_code
467 krb5_def_verify_master_key( krb5_context context,
468 			    krb5_principal mprinc,
469 			    krb5_keyblock *mkey);
470 
471 krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
472 				   char *pwd,
473 				   krb5_keyblock *key );
474 
475 krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
476 				   krb5_keyblock **key );
477 
478 krb5_error_code
479 krb5_dbe_def_cpw( krb5_context	  context,
480 		  krb5_keyblock       * master_key,
481 		  krb5_key_salt_tuple	* ks_tuple,
482 		  int			  ks_tuple_count,
483 		  char 		* passwd,
484 		  int			  new_kvno,
485 		  krb5_boolean	  keepold,
486 		  krb5_db_entry	* db_entry);
487 
488 krb5_error_code
489 krb5_db_supports_iprop(krb5_context kcontext, int *iprop_supported);
490 
491 krb5_error_code
492 krb5_def_promote_db(krb5_context, char *, char **);
493 
/*
 * Policy record (password lifetime/length/history limits) handled by the
 * krb5_db_*_policy functions below.
 * NOTE(review): the fields use uint32_t rather than the krb5_ui_4 used
 * elsewhere in this header, so a <stdint.h>/<inttypes.h> definition must
 * already be in scope here; k5-platform.h (included above) is the presumed
 * source -- confirm.  osa_policy_ent_t is a typedef'd pointer, which hides
 * the indirection at call sites; kept as part of the existing API.
 */
typedef struct _osa_policy_ent_t {
    int		version;
    char	*name;
    uint32_t	pw_min_life;
    uint32_t	pw_max_life;
    uint32_t	pw_min_length;
    uint32_t	pw_min_classes;
    uint32_t	pw_history_num;
    uint32_t	policy_refcnt;		/* presumably a reference count -- confirm */
} osa_policy_ent_rec, *osa_policy_ent_t;
504 
/*
 * Callback type for krb5_db_iter_policy below.  The void * is presumably
 * the caller's `data` argument from krb5_db_iter_policy, passed through
 * once per policy visited -- confirm against the implementation.
 */
typedef	void	(*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);
506 
507 krb5_error_code
508 krb5_db_create_policy( krb5_context kcontext,
509 		       osa_policy_ent_t policy);
510 
511 krb5_error_code
512 krb5_db_get_policy ( krb5_context kcontext,
513 		     char *name,
514 		     osa_policy_ent_t *policy,
515 		     int *nentries);
516 
517 krb5_error_code
518 krb5_db_put_policy( krb5_context kcontext,
519 		    osa_policy_ent_t policy);
520 
521 krb5_error_code
522 krb5_db_iter_policy( krb5_context kcontext,
523 		     char *match_entry,
524 		     osa_adb_iter_policy_func func,
525 		     void *data);
526 
527 krb5_error_code
528 krb5_db_delete_policy( krb5_context kcontext,
529 		       char *policy);
530 
531 void
532 krb5_db_free_policy( krb5_context kcontext,
533 		     osa_policy_ent_t policy);
534 
535 #define KRB5_KDB_DEF_FLAGS	0
536 
537 #endif /* KRB5_KDB5__ */