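/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

/*
 * This header file is used internally by the Admin API server
 * libraries and Admin server.  IF YOU THINK YOU NEED TO USE THIS FILE
 * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
 */

/*
 * NOTE(review): identifiers that begin with a double underscore are reserved
 * for the C implementation; the guard name is kept unchanged here only so that
 * nothing outside this file that tests for it breaks.
 */
#ifndef __KADM5_SERVER_INTERNAL_H__
#define __KADM5_SERVER_INTERNAL_H__

#include "autoconf.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
#include <stdlib.h>
#include <errno.h>
#include <kdb.h>
#include <kadm5/admin.h>
#include <krb5/plugin.h>
#include "admin_internal.h"

/*
 * This is the history key version for a newly created DB.  We use this value
 * for principals which have no password history yet to avoid having to look up
 * the history key.  Values other than 2 will cause compatibility issues with
 * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
 * an unexpected value of admin_history_kvno.
 */
#define INITIAL_HIST_KVNO 2

/* A pwqual_handle represents a password quality plugin module. */
typedef struct pwqual_handle_st *pwqual_handle;

/* A kadm5_hook_handle represents a loaded kadm5_hook plugin module; lists of
 * them are produced by k5_kadm5_hook_load() below. */
typedef struct kadm5_hook_handle_st *kadm5_hook_handle;

/*
 * Server-side admin handle.  Callers of the public kadm5 API receive a
 * void * that actually points at one of these; SERVER_CHECK_HANDLE and
 * CHECK_HANDLE below are what a server entry point uses to validate that
 * pointer before trusting it.
 */
typedef struct _kadm5_server_handle_t {
    /* Identity and version words; presumably validated by GENERIC_CHECK_HANDLE
     * (admin_internal.h, not shown here), with api_version checked against the
     * KADM5_OLD/NEW_SERVER_API_VERSION range that CHECK_HANDLE passes in. */
    krb5_ui_4       magic_number;
    krb5_ui_4       struct_version;
    krb5_ui_4       api_version;
    /* krb5 library context used for all operations on this handle. */
    krb5_context    context;
    /* Principal on whose behalf requests through this handle are made.  Must
     * be non-NULL for SERVER_CHECK_HANDLE to accept the handle. */
    krb5_principal  current_caller;
    /* Configuration parameters the handle was initialised with. */
    kadm5_config_params  params;
    /* Handle of the same type; must be non-NULL for SERVER_CHECK_HANDLE to
     * accept the handle.  Presumably the "local" handle used for internal
     * operations -- confirm against the server init code. */
    struct _kadm5_server_handle_t *lhandle;
    /* Extra arguments for the KDB layer.  NOTE(review): termination and
     * ownership of this list are not visible in this header. */
    char **db_args;
    /* Loaded password quality modules and kadm5_hook modules, as produced by
     * k5_pwqual_load() / k5_kadm5_hook_load() (presumably via init_pwqual). */
    pwqual_handle *qual_handles;
    kadm5_hook_handle *hook_handles;
} kadm5_server_handle_rec, *kadm5_server_handle_t;

/* Format version of the per-principal admin data; presumably the value stored
 * in osa_princ_ent_rec.version -- confirm in the XDR routine. */
#define OSA_ADB_PRINC_VERSION_1  0x12345C01

/* One password-history entry: n_key_data key_data elements. */
typedef struct _osa_pw_hist_t {
    int n_key_data;
    krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;

/* Per-principal admin data kept alongside the KDB entry (the "adb" argument of
 * the kdb_*_entry functions below). */
typedef struct _osa_princ_ent_t {
    int                         version;
    /* Name of the password policy attached to the principal, if any. */
    char                        *policy;
    long                        aux_attributes;
    /* old_keys holds old_key_len entries; old_key_next is the slot the next
     * history entry goes into (presumably a ring index -- confirm). */
    unsigned int                old_key_len;
    unsigned int                old_key_next;
    /* Version of the history key protecting old_keys; INITIAL_HIST_KVNO for a
     * principal that has no history yet (see comment above). */
    krb5_kvno                   admin_history_kvno;
    osa_pw_hist_ent             *old_keys;
} osa_princ_ent_rec, *osa_princ_ent_t;


/* Check pass against policy (and against the password quality modules) for
 * principal; returns a kadm5 error code on rejection. */
kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
                            const char *pass, kadm5_policy_ent_t policy,
                            krb5_principal principal);
kadm5_ret_t    principal_exists(krb5_principal principal);
/* Master key handling.  r is assumed to be a realm name -- confirm at the
 * call sites; from_keyboard selects interactive key entry. */
krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
                                    char *r, int from_keyboard);
/* Return the active master key and its kvno through the *_out parameters. */
krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
                                        krb5_kvno *act_kvno_out,
                                        krb5_keyblock **act_mkey_out);
krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
                                  char *r);
/* Return the password history key(s) and their kvno; release the keyblocks
 * with kdb_free_keyblocks. */
krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
                                     krb5_keyblock **keyblocks_out,
                                     krb5_kvno *kvno_out);
void                kdb_free_keyblocks(kadm5_server_handle_t handle,
                                       krb5_keyblock *keyblocks);
/* Fetch the KDB entry for principal into *kdb and its admin data into *adb;
 * release both with kdb_free_entry. */
krb5_error_code     kdb_get_entry(kadm5_server_handle_t handle,
                                  krb5_principal principal,
                                  krb5_db_entry **kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_free_entry(kadm5_server_handle_t handle,
                                   krb5_db_entry *kdb, osa_princ_ent_rec *adb);
/* Store kdb together with its admin data adb. */
krb5_error_code     kdb_put_entry(kadm5_server_handle_t handle,
                                  krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_delete_entry(kadm5_server_handle_t handle,
                                     krb5_principal name);
/* Invoke iter_fct(data, principal) for each entry selected by match_entry
 * (matching semantics are defined by the implementation, not here). */
krb5_error_code     kdb_iter_entry(kadm5_server_handle_t handle,
                                   char *match_entry,
                                   void (*iter_fct)(void *, krb5_principal),
                                   void *data);

/* Set up / tear down the password quality modules of a handle. */
kadm5_ret_t         init_pwqual(kadm5_server_handle_t handle);
void                destroy_pwqual(kadm5_server_handle_t handle);

/* XXX this ought to be in libkrb5.a, but isn't */
kadm5_ret_t         krb5_copy_key_data_contents(krb5_context context,
                                                krb5_key_data *from,
                                                krb5_key_data *to);
kadm5_ret_t         krb5_free_key_data_contents(krb5_context context,
                                                krb5_key_data *key);

/*
 * *Warning*
 * *Warning*        This is going to break if we
 * *Warning*        ever go multi-threaded
 * *Warning*
 *
 * Process-wide mutable state with no synchronisation; its relationship to the
 * per-handle current_caller field above is not visible in this header.
 */
extern  krb5_principal  current_caller;

/*
 * Why is this (or something similar) not defined *anywhere* in krb5?
 */
#define KSUCCESS        0
#define WORD_NOT_FOUND  1

/*
 * all the various mask bits or'd together: the union of every KADM5_* field
 * mask bit recognised for principals and for policies, respectively.
 */

#define ALL_PRINC_MASK \
    (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION |  \
     KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE |        \
     KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO |       \
     KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY |           \
     KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT )

#define ALL_POLICY_MASK \
    (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE |             \
     KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
     KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
     KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES |              \
     KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE |                   \
     KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)

/*
 * Server-specific handle validation: return KADM5_BAD_SERVER_HANDLE from the
 * enclosing function if the handle has no current_caller or no lhandle.
 *
 * This expands to a brace block containing return statements, not to a
 * single statement, so it may only be used at statement level inside a
 * function whose return type accepts KADM5_BAD_SERVER_HANDLE, and never as the
 * unbraced body of an if/else.  The argument is parenthesised so that any
 * expression, not just an identifier, is cast as a whole.
 */
#define SERVER_CHECK_HANDLE(handle) \
    {                                                       \
        kadm5_server_handle_t srvr =                        \
            (kadm5_server_handle_t)(handle);                \
                                                            \
        if (! srvr->current_caller)                         \
            return KADM5_BAD_SERVER_HANDLE;                 \
        if (! srvr->lhandle)                                \
            return KADM5_BAD_SERVER_HANDLE;                 \
    }

/*
 * Full validation of a handle received from a caller: the generic checks from
 * admin_internal.h (with the server API version range), then the
 * server-specific checks above.  Same usage restrictions as
 * SERVER_CHECK_HANDLE.
 */
#define CHECK_HANDLE(handle) \
    GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \
                         KADM5_NEW_SERVER_API_VERSION) \
    SERVER_CHECK_HANDLE(handle)

/* XDR encode/decode/free routine for osa_princ_ent_rec; the operation is
 * selected by xdrs, as usual for XDR filters. */
bool_t          xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);

/* Release the contents of an osa_princ_ent_rec. */
void
osa_free_princ_ent(osa_princ_ent_t val);

/*** Password quality plugin consumer interface ***/

/* Load all available password quality plugin modules, bind each module to the
 * realm's dictionary file, and store the result into *handles_out.  Free the
 * result with k5_pwqual_free_handles. */
krb5_error_code
k5_pwqual_load(krb5_context context, const char *dict_file,
               pwqual_handle **handles_out);

/* Release a handle list allocated by k5_pwqual_load. */
void
k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);

/* Return the name of a password quality plugin module. */
const char *
k5_pwqual_name(krb5_context context, pwqual_handle handle);

/* Check a password using a password quality plugin module.  policy_name may
 * identify the policy in force; a non-zero return rejects the password. */
krb5_error_code
k5_pwqual_check(krb5_context context, pwqual_handle handle,
                const char *password, const char *policy_name,
                krb5_principal princ);

/*** initvt functions for built-in password quality modules ***/

/* The dict module checks passwords against the realm's dictionary. */
krb5_error_code
pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
                   krb5_plugin_vtable vtable);

/* The empty module rejects empty passwords (even with no password policy). */
krb5_error_code
pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);

/* The hesiod module checks passwords against GECOS fields from Hesiod passwd
 * information (only if the tree was built with Hesiod support). */
krb5_error_code
pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
                     krb5_plugin_vtable vtable);

/* The princ module checks passwords against principal components. */
krb5_error_code
pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);

/** @{
 * @name kadm5_hook plugin support
 */

/** Load all kadm5_hook plugins into *handles_out; release the list with
 * k5_kadm5_hook_free_handles(). */
krb5_error_code
k5_kadm5_hook_load(krb5_context context,
                   kadm5_hook_handle **handles_out);

/** Free handles allocated by k5_kadm5_hook_load(). */
void
k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);

/** Call the chpass entry point on every kadm5_hook in @a handles.  @a stage
 * selects the hook stage (the stage constants are defined with the hook
 * plugin interface, not here). */
kadm5_ret_t
k5_kadm5_hook_chpass (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage, krb5_principal princ,
                      krb5_boolean keepold,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call the create entry point for kadm5_hook_plugins. */
kadm5_ret_t
k5_kadm5_hook_create (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call modify kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_modify (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask);

/** Call remove kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_remove (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal princ);

/** Call rename kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_rename (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal oprinc, krb5_principal nprinc);

/** @}*/

#endif /* __KADM5_SERVER_INTERNAL_H__ */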