/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

/*
 * This header file is used internally by the Admin API server
 * libraries and Admin server.  IF YOU THINK YOU NEED TO USE THIS FILE
 * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
 *
 * Everything declared here is private to libkadm5srv and kadmind: the
 * server-side handle layout, the on-disk principal extension record, the
 * raw KDB access helpers, and the consumer side of the password-quality
 * and kadm5_hook plugin interfaces.  None of it is ABI for clients.
 */

/* NOTE(review): the guard name uses a leading double underscore, which the C
 * standard reserves for the implementation.  It is left as-is here because
 * other translation units may test it; renaming it would be a separate,
 * tree-wide change. */
#ifndef __KADM5_SERVER_INTERNAL_H__
#define __KADM5_SERVER_INTERNAL_H__

#include "autoconf.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
#include <stdlib.h>
#include <errno.h>
#include <kdb.h>
#include <kadm5/admin.h>
#include <krb5/plugin.h>
#include "admin_internal.h"

/*
 * This is the history key version for a newly created DB.  We use this value
 * for principals which have no password history yet to avoid having to look up
 * the history key.  Values other than 2 will cause compatibility issues with
 * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
 * an unexpected value of admin_history_kvno.
 */
#define INITIAL_HIST_KVNO 2

/* A pwqual_handle represents a password quality plugin module.  The struct is
 * opaque outside the pwqual consumer code; see k5_pwqual_load() below for how
 * a list of these is obtained. */
typedef struct pwqual_handle_st *pwqual_handle;

/* A kadm5_hook_handle represents one loaded kadm5_hook plugin module; opaque
 * outside the hook consumer code (see k5_kadm5_hook_load() below). */
typedef struct kadm5_hook_handle_st *kadm5_hook_handle;

/*
 * Server-side kadm5 handle.  The first three fields are what the generic
 * handle checks look at (GENERIC_CHECK_HANDLE lives in admin_internal.h and
 * is not visible here); SERVER_CHECK_HANDLE below additionally requires
 * current_caller and lhandle to be non-NULL.
 */
typedef struct _kadm5_server_handle_t {
    krb5_ui_4       magic_number;   /* handle sanity tag */
    krb5_ui_4       struct_version; /* layout version of this struct */
    krb5_ui_4       api_version;    /* kadm5 API version the caller asked for */
    krb5_context    context;
    /* Principal on whose behalf this handle operates.  SERVER_CHECK_HANDLE
     * rejects a handle whose current_caller is NULL, so a fully initialized
     * server handle always carries an identity for authorization checks. */
    krb5_principal  current_caller;
    kadm5_config_params  params;
    /* Handle used for local (in-process) operations.  Must be non-NULL for
     * SERVER_CHECK_HANDLE to pass; may point back at this struct, but that
     * is established by the handle constructor, not visible here. */
    struct _kadm5_server_handle_t *lhandle;
    /* Arguments passed through to the KDB module.  Presumably a
     * NULL-terminated vector, as is usual for char ** in krb5 -- confirm in
     * the handle constructor. */
    char **db_args;
    /* Lists of loaded plugin modules.  qual_handles has the type that
     * k5_pwqual_load() produces and is released with k5_pwqual_free_handles();
     * hook_handles likewise pairs with k5_kadm5_hook_load() /
     * k5_kadm5_hook_free_handles(). */
    pwqual_handle *qual_handles;
    kadm5_hook_handle *hook_handles;
} kadm5_server_handle_rec, *kadm5_server_handle_t;

/* Version tag stored in osa_princ_ent_rec.version.  This is the only value
 * defined in this header; a record with any other version should be treated
 * as unrecognized by whatever decodes it. */
#define OSA_ADB_PRINC_VERSION_1  0x12345C01

/* One password-history entry: an array of n_key_data krb5_key_data. */
typedef struct _osa_pw_hist_t {
    int n_key_data;
    krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;

/*
 * Per-principal admin data kept alongside the KDB entry (the "adb" argument
 * of the kdb_*_entry helpers below).  It is serialized and parsed by
 * xdr_osa_princ_ent_rec(), so every field here is ultimately read back from
 * the database and should be range-checked by consumers after decoding.
 */
typedef struct _osa_princ_ent_t {
    int                         version;        /* OSA_ADB_PRINC_VERSION_1 */
    char                        *policy;        /* policy name, or NULL */
    long                        aux_attributes;
    /* Password history storage.  NOTE(review): old_key_len appears to be the
     * number of old_keys entries and old_key_next the next slot to write
     * (a ring buffer), but that is an inference from the names -- confirm
     * against xdr_osa_princ_ent_rec() and the history code.  Code indexing
     * old_keys should validate old_key_next < old_key_len on a decoded
     * record rather than trust the stored value. */
    unsigned int                old_key_len;
    unsigned int                old_key_next;
    /* Version of the history key associated with old_keys; see the
     * INITIAL_HIST_KVNO comment above for the compatibility constraint. */
    krb5_kvno                   admin_history_kvno;
    osa_pw_hist_ent             *old_keys;
} osa_princ_ent_rec, *osa_princ_ent_t;


/* Check the cleartext candidate password pass for principal against policy.
 * Returns a kadm5 error code when the password is rejected, 0 otherwise. */
kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
                            const char *pass, kadm5_policy_ent_t policy,
                            krb5_principal principal);
kadm5_ret_t    principal_exists(krb5_principal principal);

/*
 * Raw KDB access helpers.  Return krb5 error codes (0 on success).
 * r is presumably the realm name (the name is not self-describing -- confirm
 * in kdb.c); from_keyboard selects prompting for the master key rather than
 * reading a stash.
 */
krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
                                    char *r, int from_keyboard);
/* Return the currently active master key and its kvno through the out
 * parameters. */
krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
                                        krb5_kvno *act_kvno_out,
                                        krb5_keyblock **act_mkey_out);
krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
                                  char *r);
/* Retrieve the password-history key(s) and their kvno.  Release the keyblock
 * list with kdb_free_keyblocks(). */
krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
                                     krb5_keyblock **keyblocks_out,
                                     krb5_kvno *kvno_out);
void                kdb_free_keyblocks(kadm5_server_handle_t handle,
                                       krb5_keyblock *keyblocks);
/* Fetch the KDB entry and its admin extension (adb) for principal.  The pair
 * is released with kdb_free_entry(), which takes the same two objects. */
krb5_error_code     kdb_get_entry(kadm5_server_handle_t handle,
                                  krb5_principal principal,
                                  krb5_db_entry **kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_free_entry(kadm5_server_handle_t handle,
                                   krb5_db_entry *kdb, osa_princ_ent_rec *adb);
/* Write kdb and adb back to the database. */
krb5_error_code     kdb_put_entry(kadm5_server_handle_t handle,
                                  krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_delete_entry(kadm5_server_handle_t handle,
                                     krb5_principal name);
/* Invoke iter_fct(data, principal) for each entry selected by match_entry.
 * NOTE(review): match_entry is presumably a glob-style pattern -- confirm in
 * kdb.c before relying on its syntax. */
krb5_error_code     kdb_iter_entry(kadm5_server_handle_t handle,
                                   char *match_entry,
                                   void (*iter_fct)(void *, krb5_principal),
                                   void *data);

/* Populate / tear down handle->qual_handles. */
kadm5_ret_t         init_pwqual(kadm5_server_handle_t handle);
void                destroy_pwqual(kadm5_server_handle_t handle);

/* XXX this ought to be in libkrb5.a, but isn't */
/* Deep-copy the contents of one krb5_key_data into another, and release the
 * contents (not the struct) of a krb5_key_data.  Despite the krb5_ prefix
 * these return kadm5_ret_t. */
kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
                                        krb5_key_data *from,
                                        krb5_key_data *to);
kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
                                        krb5_key_data *key);

/*
 * *Warning*
 * *Warning*        This is going to break if we
 * *Warning*        ever go multi-threaded
 * *Warning*
 *
 * Process-global copy of the calling principal, distinct from the
 * per-handle current_caller field above.  Authorization decisions that read
 * this global instead of the handle field cannot be made per-request.
 */
extern krb5_principal current_caller;

/*
 * Why is this (or something similar) not defined *anywhere* in krb5?
 *
 * NOTE(review): presumably the result codes of the dictionary lookup used by
 * the dict password-quality module -- confirm where they are returned.
 */
#define KSUCCESS 0
#define WORD_NOT_FOUND 1

/*
 * all the various mask bits or'd together
 */

/* Every principal field mask bit this server knows how to set. */
#define ALL_PRINC_MASK \
    (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | \
     KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | \
     KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO | \
     KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY | \
     KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT )

/* Every policy field mask bit this server knows how to set. */
#define ALL_POLICY_MASK \
    (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
     KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
     KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
     KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES | \
     KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE | \
     KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)

/*
 * Server-specific part of the handle check: returns KADM5_BAD_SERVER_HANDLE
 * from the *enclosing function* if current_caller or lhandle is NULL.
 *
 * This macro dereferences handle without a NULL check of its own; it relies
 * on GENERIC_CHECK_HANDLE having run first (as CHECK_HANDLE arranges).  Do
 * not use it on a handle that has not been through the generic check.
 *
 * NOTE(review): the expansion is a bare block rather than do { } while (0),
 * so `if (c) SERVER_CHECK_HANDLE(h); else ...` does not parse as intended.
 * Converting it is only safe once every use site is confirmed to follow the
 * macro with a semicolon.
 */
#define SERVER_CHECK_HANDLE(handle) \
    { \
        kadm5_server_handle_t srvr = \
            (kadm5_server_handle_t) handle; \
        \
        if (! srvr->current_caller) \
            return KADM5_BAD_SERVER_HANDLE; \
        if (! srvr->lhandle) \
            return KADM5_BAD_SERVER_HANDLE; \
    }

/* Full validation of a server handle: the generic magic/version checks (from
 * admin_internal.h), then the server-specific checks above.  Both halves
 * return from the enclosing function on failure. */
#define CHECK_HANDLE(handle) \
    GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \
                         KADM5_NEW_SERVER_API_VERSION) \
    SERVER_CHECK_HANDLE(handle)

/* XDR encode/decode routine for osa_princ_ent_rec; the direction is selected
 * by xdrs as with any XDR filter.  On decode, objp's fields come straight
 * from stored bytes -- see the note on the struct above. */
bool_t          xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);

/* Release an osa_princ_ent_rec's contents.  Whether val itself is freed is
 * not visible here -- check the definition before reusing val. */
void
osa_free_princ_ent(osa_princ_ent_t val);

/*** Password quality plugin consumer interface ***/

/* Load all available password quality plugin modules, bind each module to the
 * realm's dictionary file, and store the result into *handles_out.  Free the
 * result with k5_pwqual_free_handles. */
krb5_error_code
k5_pwqual_load(krb5_context context, const char *dict_file,
               pwqual_handle **handles_out);

/* Release a handle list allocated by k5_pwqual_load. */
void
k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);

/* Return the name of a password quality plugin module. */
const char *
k5_pwqual_name(krb5_context context, pwqual_handle handle);

/* Check a password using a password quality plugin module.  password is the
 * cleartext candidate; policy_name names the policy in force for princ.
 * Returns a nonzero error code when the module rejects the password. */
krb5_error_code
k5_pwqual_check(krb5_context context, pwqual_handle handle,
                const char *password, const char *policy_name,
                krb5_principal princ);

/*** initvt functions for built-in password quality modules ***/

/* The dict module checks passwords against the realm's dictionary. */
krb5_error_code
pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
                   krb5_plugin_vtable vtable);

/* The empty module rejects empty passwords (even with no password policy). */
krb5_error_code
pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);

/* The hesiod module checks passwords against GECOS fields from Hesiod passwd
 * information (only if the tree was built with Hesiod support). */
krb5_error_code
pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
                     krb5_plugin_vtable vtable);

/* The princ module checks passwords against principal components. */
krb5_error_code
pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);

/** @{
 * @name kadm5_hook plugin support
 *
 * Each k5_kadm5_hook_* function below fans one kadm5 operation out to every
 * loaded hook.  stage is presumably one of the KADM5_HOOK_STAGE_* values
 * (pre- or post-commit) -- confirm in the hook plugin header.
 */

/** Load all kadm5_hook plugins. */
krb5_error_code
k5_kadm5_hook_load(krb5_context context,
                   kadm5_hook_handle **handles_out);

/** Free handles allocated by k5_kadm5_hook_load(). */
void
k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);

/** Call the chpass entry point on every kadm5_hook in @a handles.
 *  newpass is the cleartext new password; keepold and the ks_tuple array
 *  (n_ks_tuple entries) mirror the kadm5 chpass request. */
kadm5_ret_t
k5_kadm5_hook_chpass (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage, krb5_principal princ,
                      krb5_boolean keepold,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call the create entry point for kadm5_hook_plugins.
 *  mask is the KADM5_* field mask describing which members of princ are set. */
kadm5_ret_t
k5_kadm5_hook_create (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call modify kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_modify (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask);

/** Call remove kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_remove (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal princ);

/** Call rename kadm5_hook entry point (oprinc -> nprinc). */
kadm5_ret_t
k5_kadm5_hook_rename (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal oprinc, krb5_principal nprinc);

/** @}*/

#endif /* __KADM5_SERVER_INTERNAL_H__ */