1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * include/krb5/kdb.h 8 * 9 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 10 * All Rights Reserved. 11 * 12 * Export of this software from the United States of America may 13 * require a specific license from the United States Government. 14 * It is the responsibility of any person or organization contemplating 15 * export to obtain such a license before exporting. 16 * 17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 18 * distribute this software and its documentation for any purpose and 19 * without fee is hereby granted, provided that the above copyright 20 * notice appear in all copies and that both that copyright notice and 21 * this permission notice appear in supporting documentation, and that 22 * the name of M.I.T. not be used in advertising or publicity pertaining 23 * to distribution of the software without specific, written prior 24 * permission. Furthermore if you modify this software you must label 25 * your software as modified software and not distribute it in such a 26 * fashion that it might be confused with the original M.I.T. software. 27 * M.I.T. makes no representations about the suitability of 28 * this software for any purpose. It is provided "as is" without express 29 * or implied warranty. 30 * 31 * 32 * KDC Database interface definitions. 33 */ 34 35 /* 36 * Copyright (C) 1998 by the FundsXpress, INC. 37 * 38 * All rights reserved. 39 * 40 * Export of this software from the United States of America may require 41 * a specific license from the United States Government. It is the 42 * responsibility of any person or organization contemplating export to 43 * obtain such a license before exporting. 44 * 45 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 46 * distribute this software and its documentation for any purpose and 47 * without fee is hereby granted, provided that the above copyright 48 * notice appear in all copies and that both that copyright notice and 49 * this permission notice appear in supporting documentation, and that 50 * the name of FundsXpress. not be used in advertising or publicity pertaining 51 * to distribution of the software without specific, written prior 52 * permission. FundsXpress makes no representations about the suitability of 53 * this software for any purpose. It is provided "as is" without express 54 * or implied warranty. 55 * 56 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 57 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 58 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 59 */ 60 61 #ifndef KRB5_KDB5__ 62 #define KRB5_KDB5__ 63 64 #pragma ident "%Z%%M% %I% %E% SMI" 65 66 67 /* Salt types */ 68 #define KRB5_KDB_SALTTYPE_NORMAL 0 69 #define KRB5_KDB_SALTTYPE_V4 1 70 #define KRB5_KDB_SALTTYPE_NOREALM 2 71 #define KRB5_KDB_SALTTYPE_ONLYREALM 3 72 #define KRB5_KDB_SALTTYPE_SPECIAL 4 73 #define KRB5_KDB_SALTTYPE_AFS3 5 74 75 /* Attributes */ 76 #define KRB5_KDB_DISALLOW_POSTDATED 0x00000001 77 #define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 78 #define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 79 #define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 80 #define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 81 #define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 82 #define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 83 #define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 84 #define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 85 #define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 86 #define KRB5_KDB_DISALLOW_SVR 0x00001000 87 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 88 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 89 #define KRB5_KDB_NEW_PRINC 0x00008000 90 91 /* Creation flags */ 92 #define KRB5_KDB_CREATE_BTREE 0x00000001 93 #define KRB5_KDB_CREATE_HASH 0x00000002 94 95 #if !defined(_WIN32) 96 97 /* 98 * Note --- these structures cannot be modified without changing the 99 * database version number in libkdb.a, but should be expandable by 100 * adding new tl_data types. 101 */ 102 typedef struct _krb5_tl_data { 103 struct _krb5_tl_data* tl_data_next; /* NOT saved */ 104 krb5_int16 tl_data_type; 105 krb5_ui_2 tl_data_length; 106 krb5_octet * tl_data_contents; 107 } krb5_tl_data; 108 109 /* 110 * If this ever changes up the version number and make the arrays be as 111 * big as necessary. 112 * 113 * Currently the first type is the enctype and the second is the salt type. 114 */ 115 typedef struct _krb5_key_data { 116 krb5_int16 key_data_ver; /* Version */ 117 krb5_int16 key_data_kvno; /* Key Version */ 118 krb5_int16 key_data_type[2]; /* Array of types */ 119 #if 0 120 /* 121 * SUNW14resync (mech) 122 * This has changed in the mech so we change it here also 123 * prior to the admin resync. 124 */ 125 krb5_ui_2 key_data_length[2]; Array of lengths 126 #endif 127 krb5_int16 key_data_length[2]; /* Array of lengths */ 128 krb5_octet * key_data_contents[2]; /* Array of pointers */ 129 } krb5_key_data; 130 131 #define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */ 132 133 typedef struct _krb5_keysalt { 134 krb5_int16 type; 135 krb5_data data; /* Length, data */ 136 } krb5_keysalt; 137 138 typedef struct _krb5_db_entry_new { 139 krb5_magic magic; /* NOT saved */ 140 krb5_ui_2 len; 141 krb5_ui_4 mask; /* members currently changed/set */ 142 krb5_flags attributes; 143 krb5_deltat max_life; 144 krb5_deltat max_renewable_life; 145 krb5_timestamp expiration; /* When the client expires */ 146 krb5_timestamp pw_expiration; /* When its passwd expires */ 147 krb5_timestamp last_success; /* Last successful passwd */ 148 krb5_timestamp last_failed; /* Last failed passwd attempt */ 149 krb5_kvno fail_auth_count; /* # of failed passwd attempt */ 150 krb5_int16 n_tl_data; 151 krb5_int16 n_key_data; 152 krb5_ui_2 e_length; /* Length of extra data */ 153 krb5_octet * e_data; /* Extra data to be saved */ 154 155 krb5_principal princ; /* Length, data */ 156 krb5_tl_data * tl_data; /* Linked list */ 157 krb5_key_data * key_data; /* Array */ 158 } krb5_db_entry; 159 160 typedef struct __krb5_key_salt_tuple { 161 krb5_enctype ks_enctype; 162 krb5_int32 ks_salttype; 163 } krb5_key_salt_tuple; 164 165 #define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb 166 #define KRB5_KDB_V1_BASE_LENGTH 38 167 168 #define KRB5_TL_LAST_PWD_CHANGE 0x0001 169 #define KRB5_TL_MOD_PRINC 0x0002 170 #define KRB5_TL_KADM_DATA 0x0003 171 #define KRB5_TL_KADM5_E_DATA 0x0004 172 #define KRB5_TL_RB1_CHALLENGE 0x0005 173 #ifdef SECURID 174 #define KRB5_TL_SECURID_STATE 0x0006 175 #define KRB5_TL_DB_ARGS 0x7fff 176 #endif /* SECURID */ 177 178 /* 179 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set 180 * on the principal. 181 */ 182 #define KRB5_MAX_FAIL_COUNT 5 183 184 /* XXX depends on knowledge of krb5_parse_name() formats */ 185 #define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */ 186 187 /* prompts used by default when reading the KDC password from the keyboard. */ 188 #define KRB5_KDC_MKEY_1 "Enter KDC database master key" 189 #define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify" 190 191 extern char *krb5_mkey_pwd_prompt1; 192 extern char *krb5_mkey_pwd_prompt2; 193 194 /* 195 * These macros specify the encoding of data within the database. 196 * 197 * Data encoding is little-endian. 198 */ 199 #define krb5_kdb_decode_int16(cp, i16) \ 200 *((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \ 201 ((krb5_int16) ((unsigned char) (cp)[1]) << 8)) 202 #define krb5_kdb_decode_int32(cp, i32) \ 203 *((krb5_int32 *) &(i32)) = (((krb5_int32) ((unsigned char) (cp)[0]))| \ 204 ((krb5_int32) ((unsigned char) (cp)[1]) << 8) | \ 205 ((krb5_int32) ((unsigned char) (cp)[2]) << 16)| \ 206 ((krb5_int32) ((unsigned char) (cp)[3]) << 24)) 207 #define krb5_kdb_encode_int16(i16, cp) \ 208 { \ 209 (cp)[0] = (unsigned char) ((i16) & 0xff); \ 210 (cp)[1] = (unsigned char) (((i16) >> 8) & 0xff); \ 211 } 212 #define krb5_kdb_encode_int32(i32, cp) \ 213 { \ 214 (cp)[0] = (unsigned char) ((i32) & 0xff); \ 215 (cp)[1] = (unsigned char) (((i32) >> 8) & 0xff); \ 216 (cp)[2] = (unsigned char) (((i32) >> 16) & 0xff); \ 217 (cp)[3] = (unsigned char) (((i32) >> 24) & 0xff); \ 218 } 219 220 #define KRB5_KDB_OPEN_RW 0 221 #define KRB5_KDB_OPEN_RO 1 222 223 #ifndef KRB5_KDB_SRV_TYPE_KDC 224 #define KRB5_KDB_SRV_TYPE_KDC 0x0100 225 #endif 226 227 #ifndef KRB5_KDB_SRV_TYPE_ADMIN 228 #define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 229 #endif 230 231 #ifndef KRB5_KDB_SRV_TYPE_PASSWD 232 #define KRB5_KDB_SRV_TYPE_PASSWD 0x0300 233 #endif 234 235 #ifndef KRB5_KDB_SRV_TYPE_OTHER 236 #define KRB5_KDB_SRV_TYPE_OTHER 0x0400 237 #endif 238 239 #define KRB5_KDB_OPT_SET_DB_NAME 0 240 #define KRB5_KDB_OPT_SET_LOCK_MODE 1 241 242 #define KRB5_DB_LOCKMODE_SHARED 0x0001 243 #define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002 244 #define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004 245 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 246 247 /* libkdb.spec */ 248 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); 249 krb5_error_code krb5_db_init ( krb5_context kcontext ); 250 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); 251 krb5_error_code krb5_db_inited ( krb5_context kcontext ); 252 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args ); 253 krb5_error_code krb5_db_fini ( krb5_context kcontext ); 254 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code ); 255 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args ); 256 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args ); 257 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t ); 258 krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value ); 259 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode ); 260 krb5_error_code krb5_db_unlock ( krb5_context kcontext ); 261 krb5_error_code krb5_db_get_principal ( krb5_context kcontext, 262 krb5_const_principal search_for, 263 krb5_db_entry *entries, 264 int *nentries, 265 krb5_boolean *more ); 266 krb5_error_code krb5_db_get_principal_nolock ( krb5_context kcontext, 267 krb5_const_principal search_for, 268 krb5_db_entry *entries, 269 int *nentries, 270 krb5_boolean *more ); 271 krb5_error_code krb5_db_free_principal ( krb5_context kcontext, 272 krb5_db_entry *entry, 273 int count ); 274 krb5_error_code krb5_db_put_principal ( krb5_context kcontext, 275 krb5_db_entry *entries, 276 int *nentries); 277 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext, 278 krb5_principal search_for, 279 int *nentries ); 280 krb5_error_code krb5_db_iterate ( krb5_context kcontext, 281 char *match_entry, 282 int (*func) (krb5_pointer, krb5_db_entry *), 283 krb5_pointer func_arg ); 284 krb5_error_code krb5_supported_realms ( krb5_context kcontext, 285 char **realms ); 286 krb5_error_code krb5_free_supported_realms ( krb5_context kcontext, 287 char **realms ); 288 krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext, 289 char *pwd, 290 krb5_keyblock *key ); 291 krb5_error_code krb5_db_set_mkey ( krb5_context context, 292 krb5_keyblock *key); 293 krb5_error_code krb5_db_get_mkey ( krb5_context kcontext, 294 krb5_keyblock **key ); 295 krb5_error_code krb5_db_free_master_key ( krb5_context kcontext, 296 krb5_keyblock *key ); 297 krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, 298 char *db_arg, 299 krb5_principal mname, 300 krb5_keyblock *key, 301 char *master_pwd); 302 krb5_error_code krb5_db_fetch_mkey ( krb5_context context, 303 krb5_principal mname, 304 krb5_enctype etype, 305 krb5_boolean fromkeyboard, 306 krb5_boolean twice, 307 char *db_args, 308 krb5_data *salt, 309 krb5_keyblock *key); 310 krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext, 311 krb5_principal mprinc, 312 krb5_keyblock *mkey ); 313 krb5_error_code 314 krb5_dbe_find_enctype( krb5_context kcontext, 315 krb5_db_entry *dbentp, 316 krb5_int32 ktype, 317 krb5_int32 stype, 318 krb5_int32 kvno, 319 krb5_key_data **kdatap); 320 321 322 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, 323 krb5_db_entry *dbentp, 324 krb5_int32 *start, 325 krb5_int32 ktype, 326 krb5_int32 stype, 327 krb5_int32 kvno, 328 krb5_key_data **kdatap); 329 330 krb5_error_code 331 krb5_db_setup_mkey_name ( krb5_context context, 332 const char *keyname, 333 const char *realm, 334 char **fullname, 335 krb5_principal *principal); 336 337 krb5_error_code 338 krb5_dbekd_decrypt_key_data( krb5_context context, 339 const krb5_keyblock * mkey, 340 const krb5_key_data * key_data, 341 krb5_keyblock * dbkey, 342 krb5_keysalt * keysalt); 343 344 krb5_error_code 345 krb5_dbekd_encrypt_key_data( krb5_context context, 346 const krb5_keyblock * mkey, 347 const krb5_keyblock * dbkey, 348 const krb5_keysalt * keysalt, 349 int keyver, 350 krb5_key_data * key_data); 351 352 krb5_error_code 353 krb5_dbe_lookup_mod_princ_data( krb5_context context, 354 krb5_db_entry * entry, 355 krb5_timestamp * mod_time, 356 krb5_principal * mod_princ); 357 358 359 krb5_error_code 360 krb5_dbe_update_last_pwd_change( krb5_context context, 361 krb5_db_entry * entry, 362 krb5_timestamp stamp); 363 364 krb5_error_code 365 krb5_dbe_lookup_tl_data( krb5_context context, 366 krb5_db_entry * entry, 367 krb5_tl_data * ret_tl_data); 368 369 krb5_error_code 370 krb5_dbe_create_key_data( krb5_context context, 371 krb5_db_entry * entry); 372 373 374 krb5_error_code 375 krb5_dbe_update_mod_princ_data( krb5_context context, 376 krb5_db_entry * entry, 377 krb5_timestamp mod_date, 378 krb5_const_principal mod_princ); 379 380 krb5_error_code 381 krb5_dbe_update_last_pwd_change( krb5_context context, 382 krb5_db_entry * entry, 383 krb5_timestamp stamp); 384 385 void *krb5_db_alloc( krb5_context kcontext, 386 void *ptr, 387 size_t size ); 388 389 void krb5_db_free( krb5_context kcontext, 390 void *ptr); 391 392 393 krb5_error_code 394 krb5_dbe_lookup_last_pwd_change( krb5_context context, 395 krb5_db_entry * entry, 396 krb5_timestamp * stamp); 397 398 krb5_error_code 399 krb5_dbe_update_tl_data( krb5_context context, 400 krb5_db_entry * entry, 401 krb5_tl_data * new_tl_data); 402 403 krb5_error_code 404 krb5_dbe_cpw( krb5_context kcontext, 405 krb5_keyblock * master_key, 406 krb5_key_salt_tuple * ks_tuple, 407 int ks_tuple_count, 408 char * passwd, 409 int new_kvno, 410 krb5_boolean keepold, 411 krb5_db_entry * db_entry); 412 413 414 krb5_error_code 415 krb5_dbe_ark( krb5_context context, 416 krb5_keyblock * master_key, 417 krb5_key_salt_tuple * ks_tuple, 418 int ks_tuple_count, 419 krb5_db_entry * db_entry); 420 421 krb5_error_code 422 krb5_dbe_crk( krb5_context context, 423 krb5_keyblock * master_key, 424 krb5_key_salt_tuple * ks_tuple, 425 int ks_tuple_count, 426 krb5_boolean keepold, 427 krb5_db_entry * db_entry); 428 429 krb5_error_code 430 krb5_dbe_apw( krb5_context context, 431 krb5_keyblock * master_key, 432 krb5_key_salt_tuple * ks_tuple, 433 int ks_tuple_count, 434 char * passwd, 435 krb5_db_entry * db_entry); 436 437 /* default functions. Should not be directly called */ 438 /* 439 * Default functions prototype 440 */ 441 442 krb5_error_code 443 krb5_dbe_def_search_enctype( krb5_context kcontext, 444 krb5_db_entry *dbentp, 445 krb5_int32 *start, 446 krb5_int32 ktype, 447 krb5_int32 stype, 448 krb5_int32 kvno, 449 krb5_key_data **kdatap); 450 451 krb5_error_code 452 krb5_def_store_mkey( krb5_context context, 453 char *keyfile, 454 krb5_principal mname, 455 krb5_keyblock *key, 456 char *master_pwd); 457 458 459 krb5_error_code 460 krb5_db_def_fetch_mkey( krb5_context context, 461 krb5_principal mname, 462 krb5_keyblock *key, 463 int *kvno, 464 char *db_args); 465 466 krb5_error_code 467 krb5_def_verify_master_key( krb5_context context, 468 krb5_principal mprinc, 469 krb5_keyblock *mkey); 470 471 krb5_error_code kdb_def_set_mkey ( krb5_context kcontext, 472 char *pwd, 473 krb5_keyblock *key ); 474 475 krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, 476 krb5_keyblock **key ); 477 478 krb5_error_code 479 krb5_dbe_def_cpw( krb5_context context, 480 krb5_keyblock * master_key, 481 krb5_key_salt_tuple * ks_tuple, 482 int ks_tuple_count, 483 char * passwd, 484 int new_kvno, 485 krb5_boolean keepold, 486 krb5_db_entry * db_entry); 487 488 krb5_error_code 489 krb5_db_supports_iprop(krb5_context kcontext, int *iprop_supported); 490 491 krb5_error_code 492 krb5_def_promote_db(krb5_context, char *, char **); 493 494 typedef struct _osa_policy_ent_t { 495 int version; 496 char *name; 497 uint32_t pw_min_life; 498 uint32_t pw_max_life; 499 uint32_t pw_min_length; 500 uint32_t pw_min_classes; 501 uint32_t pw_history_num; 502 uint32_t policy_refcnt; 503 } osa_policy_ent_rec, *osa_policy_ent_t; 504 505 typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t); 506 507 krb5_error_code 508 krb5_db_create_policy( krb5_context kcontext, 509 osa_policy_ent_t policy); 510 511 krb5_error_code 512 krb5_db_get_policy ( krb5_context kcontext, 513 char *name, 514 osa_policy_ent_t *policy, 515 int *nentries); 516 517 krb5_error_code 518 krb5_db_put_policy( krb5_context kcontext, 519 osa_policy_ent_t policy); 520 521 krb5_error_code 522 krb5_db_iter_policy( krb5_context kcontext, 523 char *match_entry, 524 osa_adb_iter_policy_func func, 525 void *data); 526 527 krb5_error_code 528 krb5_db_delete_policy( krb5_context kcontext, 529 char *policy); 530 531 void 532 krb5_db_free_policy( krb5_context kcontext, 533 osa_policy_ent_t policy); 534 535 #define KRB5_KDB_DEF_FLAGS 0 536 537 #endif /* !defined(_WIN32) */ 538 #endif /* KRB5_KDB5__ */ 539