1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * include/krb5/kdb.h 8 * 9 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 10 * All Rights Reserved. 11 * 12 * Export of this software from the United States of America may 13 * require a specific license from the United States Government. 14 * It is the responsibility of any person or organization contemplating 15 * export to obtain such a license before exporting. 16 * 17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 18 * distribute this software and its documentation for any purpose and 19 * without fee is hereby granted, provided that the above copyright 20 * notice appear in all copies and that both that copyright notice and 21 * this permission notice appear in supporting documentation, and that 22 * the name of M.I.T. not be used in advertising or publicity pertaining 23 * to distribution of the software without specific, written prior 24 * permission. Furthermore if you modify this software you must label 25 * your software as modified software and not distribute it in such a 26 * fashion that it might be confused with the original M.I.T. software. 27 * M.I.T. makes no representations about the suitability of 28 * this software for any purpose. It is provided "as is" without express 29 * or implied warranty. 30 * 31 * 32 * KDC Database interface definitions. 33 */ 34 35 /* 36 * Copyright (C) 1998 by the FundsXpress, INC. 37 * 38 * All rights reserved. 39 * 40 * Export of this software from the United States of America may require 41 * a specific license from the United States Government. It is the 42 * responsibility of any person or organization contemplating export to 43 * obtain such a license before exporting. 44 * 45 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 46 * distribute this software and its documentation for any purpose and 47 * without fee is hereby granted, provided that the above copyright 48 * notice appear in all copies and that both that copyright notice and 49 * this permission notice appear in supporting documentation, and that 50 * the name of FundsXpress. not be used in advertising or publicity pertaining 51 * to distribution of the software without specific, written prior 52 * permission. FundsXpress makes no representations about the suitability of 53 * this software for any purpose. It is provided "as is" without express 54 * or implied warranty. 55 * 56 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 57 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 58 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 59 */ 60 61 #ifndef KRB5_KDB5__ 62 #define KRB5_KDB5__ 63 64 /* Salt types */ 65 #define KRB5_KDB_SALTTYPE_NORMAL 0 66 #define KRB5_KDB_SALTTYPE_V4 1 67 #define KRB5_KDB_SALTTYPE_NOREALM 2 68 #define KRB5_KDB_SALTTYPE_ONLYREALM 3 69 #define KRB5_KDB_SALTTYPE_SPECIAL 4 70 #define KRB5_KDB_SALTTYPE_AFS3 5 71 72 /* Attributes */ 73 #define KRB5_KDB_DISALLOW_POSTDATED 0x00000001 74 #define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 75 #define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 76 #define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 77 #define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 78 #define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 79 #define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 80 #define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 81 #define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 82 #define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 83 #define KRB5_KDB_DISALLOW_SVR 0x00001000 84 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 85 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 86 #define KRB5_KDB_NEW_PRINC 0x00008000 87 88 /* Creation flags */ 89 #define KRB5_KDB_CREATE_BTREE 0x00000001 90 #define KRB5_KDB_CREATE_HASH 0x00000002 91 92 /* 93 * Note --- these structures cannot be modified without changing the 94 * database version number in libkdb.a, but should be expandable by 95 * adding new tl_data types. 96 */ 97 typedef struct _krb5_tl_data { 98 struct _krb5_tl_data* tl_data_next; /* NOT saved */ 99 krb5_int16 tl_data_type; 100 krb5_ui_2 tl_data_length; 101 krb5_octet * tl_data_contents; 102 } krb5_tl_data; 103 104 /* 105 * If this ever changes up the version number and make the arrays be as 106 * big as necessary. 107 * 108 * Currently the first type is the enctype and the second is the salt type. 109 */ 110 typedef struct _krb5_key_data { 111 krb5_int16 key_data_ver; /* Version */ 112 krb5_int16 key_data_kvno; /* Key Version */ 113 krb5_int16 key_data_type[2]; /* Array of types */ 114 #if 0 115 /* 116 * SUNW14resync (mech) 117 * This has changed in the mech so we change it here also 118 * prior to the admin resync. 119 */ 120 krb5_ui_2 key_data_length[2]; Array of lengths 121 #endif 122 krb5_int16 key_data_length[2]; /* Array of lengths */ 123 krb5_octet * key_data_contents[2]; /* Array of pointers */ 124 } krb5_key_data; 125 126 #define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */ 127 128 typedef struct _krb5_keysalt { 129 krb5_int16 type; 130 krb5_data data; /* Length, data */ 131 } krb5_keysalt; 132 133 typedef struct _krb5_db_entry_new { 134 krb5_magic magic; /* NOT saved */ 135 krb5_ui_2 len; 136 krb5_ui_4 mask; /* members currently changed/set */ 137 krb5_flags attributes; 138 krb5_deltat max_life; 139 krb5_deltat max_renewable_life; 140 krb5_timestamp expiration; /* When the client expires */ 141 krb5_timestamp pw_expiration; /* When its passwd expires */ 142 krb5_timestamp last_success; /* Last successful passwd */ 143 krb5_timestamp last_failed; /* Last failed passwd attempt */ 144 krb5_kvno fail_auth_count; /* # of failed passwd attempt */ 145 krb5_int16 n_tl_data; 146 krb5_int16 n_key_data; 147 krb5_ui_2 e_length; /* Length of extra data */ 148 krb5_octet * e_data; /* Extra data to be saved */ 149 150 krb5_principal princ; /* Length, data */ 151 krb5_tl_data * tl_data; /* Linked list */ 152 krb5_key_data * key_data; /* Array */ 153 } krb5_db_entry; 154 155 typedef struct __krb5_key_salt_tuple { 156 krb5_enctype ks_enctype; 157 krb5_int32 ks_salttype; 158 } krb5_key_salt_tuple; 159 160 #define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb 161 #define KRB5_KDB_V1_BASE_LENGTH 38 162 163 #define KRB5_TL_LAST_PWD_CHANGE 0x0001 164 #define KRB5_TL_MOD_PRINC 0x0002 165 #define KRB5_TL_KADM_DATA 0x0003 166 #define KRB5_TL_KADM5_E_DATA 0x0004 167 #define KRB5_TL_RB1_CHALLENGE 0x0005 168 #ifdef SECURID 169 #define KRB5_TL_SECURID_STATE 0x0006 170 #define KRB5_TL_DB_ARGS 0x7fff 171 #endif /* SECURID */ 172 #define KRB5_TL_USER_CERTIFICATE 0x0007 173 174 /* 175 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set 176 * on the principal. 177 */ 178 #define KRB5_MAX_FAIL_COUNT 5 179 180 /* XXX depends on knowledge of krb5_parse_name() formats */ 181 #define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */ 182 183 /* prompts used by default when reading the KDC password from the keyboard. */ 184 #define KRB5_KDC_MKEY_1 "Enter KDC database master key" 185 #define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify" 186 187 188 extern char *krb5_mkey_pwd_prompt1; 189 extern char *krb5_mkey_pwd_prompt2; 190 191 /* 192 * These macros specify the encoding of data within the database. 193 * 194 * Data encoding is little-endian. 195 */ 196 #include "k5-platform.h" 197 #define krb5_kdb_decode_int16(cp, i16) \ 198 *((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \ 199 ((krb5_int16) ((unsigned char) (cp)[1]) << 8)) 200 #define krb5_kdb_decode_int32(cp, i32) \ 201 *((krb5_int32 *) &(i32)) = (((krb5_int32) ((unsigned char) (cp)[0]))| \ 202 ((krb5_int32) ((unsigned char) (cp)[1]) << 8) | \ 203 ((krb5_int32) ((unsigned char) (cp)[2]) << 16)| \ 204 ((krb5_int32) ((unsigned char) (cp)[3]) << 24)) 205 #define krb5_kdb_encode_int16(i16, cp) \ 206 { \ 207 (cp)[0] = (unsigned char) ((i16) & 0xff); \ 208 (cp)[1] = (unsigned char) (((i16) >> 8) & 0xff); \ 209 } 210 #define krb5_kdb_encode_int32(i32, cp) \ 211 { \ 212 (cp)[0] = (unsigned char) ((i32) & 0xff); \ 213 (cp)[1] = (unsigned char) (((i32) >> 8) & 0xff); \ 214 (cp)[2] = (unsigned char) (((i32) >> 16) & 0xff); \ 215 (cp)[3] = (unsigned char) (((i32) >> 24) & 0xff); \ 216 } 217 218 #define KRB5_KDB_OPEN_RW 0 219 #define KRB5_KDB_OPEN_RO 1 220 221 #ifndef KRB5_KDB_SRV_TYPE_KDC 222 #define KRB5_KDB_SRV_TYPE_KDC 0x0100 223 #endif 224 225 #ifndef KRB5_KDB_SRV_TYPE_ADMIN 226 #define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 227 #endif 228 229 #ifndef KRB5_KDB_SRV_TYPE_PASSWD 230 #define KRB5_KDB_SRV_TYPE_PASSWD 0x0300 231 #endif 232 233 #ifndef KRB5_KDB_SRV_TYPE_OTHER 234 #define KRB5_KDB_SRV_TYPE_OTHER 0x0400 235 #endif 236 237 #define KRB5_KDB_OPT_SET_DB_NAME 0 238 #define KRB5_KDB_OPT_SET_LOCK_MODE 1 239 240 #define KRB5_DB_LOCKMODE_SHARED 0x0001 241 #define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002 242 #define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004 243 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 244 245 /* libkdb.spec */ 246 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); 247 krb5_error_code krb5_db_init ( krb5_context kcontext ); 248 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); 249 krb5_error_code krb5_db_inited ( krb5_context kcontext ); 250 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args ); 251 krb5_error_code krb5_db_fini ( krb5_context kcontext ); 252 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code ); 253 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args ); 254 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args ); 255 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t ); 256 krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value ); 257 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode ); 258 krb5_error_code krb5_db_unlock ( krb5_context kcontext ); 259 krb5_error_code krb5_db_get_principal ( krb5_context kcontext, 260 krb5_const_principal search_for, 261 krb5_db_entry *entries, 262 int *nentries, 263 krb5_boolean *more ); 264 krb5_error_code krb5_db_get_principal_nolock ( krb5_context kcontext, 265 krb5_const_principal search_for, 266 krb5_db_entry *entries, 267 int *nentries, 268 krb5_boolean *more ); 269 krb5_error_code krb5_db_free_principal ( krb5_context kcontext, 270 krb5_db_entry *entry, 271 int count ); 272 krb5_error_code krb5_db_put_principal ( krb5_context kcontext, 273 krb5_db_entry *entries, 274 int *nentries); 275 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext, 276 krb5_principal search_for, 277 int *nentries ); 278 /* Solaris Kerberos: adding support for db_args */ 279 krb5_error_code krb5_db_iterate ( krb5_context kcontext, 280 char *match_entry, 281 int (*func) (krb5_pointer, krb5_db_entry *), 282 krb5_pointer func_arg, 283 char **db_args ); 284 krb5_error_code krb5_supported_realms ( krb5_context kcontext, 285 char **realms ); 286 krb5_error_code krb5_free_supported_realms ( krb5_context kcontext, 287 char **realms ); 288 krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext, 289 char *pwd, 290 krb5_keyblock *key ); 291 krb5_error_code krb5_db_set_mkey ( krb5_context context, 292 krb5_keyblock *key); 293 krb5_error_code krb5_db_get_mkey ( krb5_context kcontext, 294 krb5_keyblock **key ); 295 krb5_error_code krb5_db_free_master_key ( krb5_context kcontext, 296 krb5_keyblock *key ); 297 krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, 298 char *db_arg, 299 krb5_principal mname, 300 krb5_keyblock *key, 301 char *master_pwd); 302 krb5_error_code krb5_db_fetch_mkey ( krb5_context context, 303 krb5_principal mname, 304 krb5_enctype etype, 305 krb5_boolean fromkeyboard, 306 krb5_boolean twice, 307 char *db_args, 308 krb5_data *salt, 309 krb5_keyblock *key); 310 krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext, 311 krb5_principal mprinc, 312 krb5_keyblock *mkey ); 313 krb5_error_code 314 krb5_dbe_find_enctype( krb5_context kcontext, 315 krb5_db_entry *dbentp, 316 krb5_int32 ktype, 317 krb5_int32 stype, 318 krb5_int32 kvno, 319 krb5_key_data **kdatap); 320 321 322 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, 323 krb5_db_entry *dbentp, 324 krb5_int32 *start, 325 krb5_int32 ktype, 326 krb5_int32 stype, 327 krb5_int32 kvno, 328 krb5_key_data **kdatap); 329 330 krb5_error_code 331 krb5_db_setup_mkey_name ( krb5_context context, 332 const char *keyname, 333 const char *realm, 334 char **fullname, 335 krb5_principal *principal); 336 337 krb5_error_code 338 krb5_dbekd_decrypt_key_data( krb5_context context, 339 const krb5_keyblock * mkey, 340 const krb5_key_data * key_data, 341 krb5_keyblock * dbkey, 342 krb5_keysalt * keysalt); 343 344 krb5_error_code 345 krb5_dbekd_encrypt_key_data( krb5_context context, 346 const krb5_keyblock * mkey, 347 const krb5_keyblock * dbkey, 348 const krb5_keysalt * keysalt, 349 int keyver, 350 krb5_key_data * key_data); 351 352 krb5_error_code 353 krb5_dbe_lookup_mod_princ_data( krb5_context context, 354 krb5_db_entry * entry, 355 krb5_timestamp * mod_time, 356 krb5_principal * mod_princ); 357 358 359 krb5_error_code 360 krb5_dbe_update_last_pwd_change( krb5_context context, 361 krb5_db_entry * entry, 362 krb5_timestamp stamp); 363 364 krb5_error_code 365 krb5_dbe_lookup_tl_data( krb5_context context, 366 krb5_db_entry * entry, 367 krb5_tl_data * ret_tl_data); 368 369 krb5_error_code 370 krb5_dbe_create_key_data( krb5_context context, 371 krb5_db_entry * entry); 372 373 374 krb5_error_code 375 krb5_dbe_update_mod_princ_data( krb5_context context, 376 krb5_db_entry * entry, 377 krb5_timestamp mod_date, 378 krb5_const_principal mod_princ); 379 380 krb5_error_code 381 krb5_dbe_update_last_pwd_change( krb5_context context, 382 krb5_db_entry * entry, 383 krb5_timestamp stamp); 384 385 void *krb5_db_alloc( krb5_context kcontext, 386 void *ptr, 387 size_t size ); 388 389 void krb5_db_free( krb5_context kcontext, 390 void *ptr); 391 392 393 krb5_error_code 394 krb5_dbe_lookup_last_pwd_change( krb5_context context, 395 krb5_db_entry * entry, 396 krb5_timestamp * stamp); 397 398 krb5_error_code 399 krb5_dbe_update_tl_data( krb5_context context, 400 krb5_db_entry * entry, 401 krb5_tl_data * new_tl_data); 402 403 krb5_error_code 404 krb5_dbe_cpw( krb5_context kcontext, 405 krb5_keyblock * master_key, 406 krb5_key_salt_tuple * ks_tuple, 407 int ks_tuple_count, 408 char * passwd, 409 int new_kvno, 410 krb5_boolean keepold, 411 krb5_db_entry * db_entry); 412 413 414 krb5_error_code 415 krb5_dbe_ark( krb5_context context, 416 krb5_keyblock * master_key, 417 krb5_key_salt_tuple * ks_tuple, 418 int ks_tuple_count, 419 krb5_db_entry * db_entry); 420 421 krb5_error_code 422 krb5_dbe_crk( krb5_context context, 423 krb5_keyblock * master_key, 424 krb5_key_salt_tuple * ks_tuple, 425 int ks_tuple_count, 426 krb5_boolean keepold, 427 krb5_db_entry * db_entry); 428 429 krb5_error_code 430 krb5_dbe_apw( krb5_context context, 431 krb5_keyblock * master_key, 432 krb5_key_salt_tuple * ks_tuple, 433 int ks_tuple_count, 434 char * passwd, 435 krb5_db_entry * db_entry); 436 437 /* default functions. Should not be directly called */ 438 /* 439 * Default functions prototype 440 */ 441 442 krb5_error_code 443 krb5_dbe_def_search_enctype( krb5_context kcontext, 444 krb5_db_entry *dbentp, 445 krb5_int32 *start, 446 krb5_int32 ktype, 447 krb5_int32 stype, 448 krb5_int32 kvno, 449 krb5_key_data **kdatap); 450 451 krb5_error_code 452 krb5_def_store_mkey( krb5_context context, 453 char *keyfile, 454 krb5_principal mname, 455 krb5_keyblock *key, 456 char *master_pwd); 457 458 459 krb5_error_code 460 krb5_db_def_fetch_mkey( krb5_context context, 461 krb5_principal mname, 462 krb5_keyblock *key, 463 int *kvno, 464 char *db_args); 465 466 krb5_error_code 467 krb5_def_verify_master_key( krb5_context context, 468 krb5_principal mprinc, 469 krb5_keyblock *mkey); 470 471 krb5_error_code kdb_def_set_mkey ( krb5_context kcontext, 472 char *pwd, 473 krb5_keyblock *key ); 474 475 krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, 476 krb5_keyblock **key ); 477 478 krb5_error_code 479 krb5_dbe_def_cpw( krb5_context context, 480 krb5_keyblock * master_key, 481 krb5_key_salt_tuple * ks_tuple, 482 int ks_tuple_count, 483 char * passwd, 484 int new_kvno, 485 krb5_boolean keepold, 486 krb5_db_entry * db_entry); 487 488 krb5_error_code 489 krb5_db_supports_iprop(krb5_context kcontext, int *iprop_supported); 490 491 krb5_error_code 492 krb5_def_promote_db(krb5_context, char *, char **); 493 494 typedef struct _osa_policy_ent_t { 495 int version; 496 char *name; 497 uint32_t pw_min_life; 498 uint32_t pw_max_life; 499 uint32_t pw_min_length; 500 uint32_t pw_min_classes; 501 uint32_t pw_history_num; 502 uint32_t policy_refcnt; 503 } osa_policy_ent_rec, *osa_policy_ent_t; 504 505 typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t); 506 507 krb5_error_code 508 krb5_db_create_policy( krb5_context kcontext, 509 osa_policy_ent_t policy); 510 511 krb5_error_code 512 krb5_db_get_policy ( krb5_context kcontext, 513 char *name, 514 osa_policy_ent_t *policy, 515 int *nentries); 516 517 krb5_error_code 518 krb5_db_put_policy( krb5_context kcontext, 519 osa_policy_ent_t policy); 520 521 krb5_error_code 522 krb5_db_iter_policy( krb5_context kcontext, 523 char *match_entry, 524 osa_adb_iter_policy_func func, 525 void *data); 526 527 krb5_error_code 528 krb5_db_delete_policy( krb5_context kcontext, 529 char *policy); 530 531 void 532 krb5_db_free_policy( krb5_context kcontext, 533 osa_policy_ent_t policy); 534 535 #define KRB5_KDB_DEF_FLAGS 0 536 537 #endif /* KRB5_KDB5__ */ 538