xref: /titanic_51/usr/src/lib/krb5/kadm5/admin.h (revision 356f72340a69936724c69f2f87fffa6f5887f885)
1 /*
2  * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3  */
4 
5 #ifndef	__KADM5_ADMIN_H__
6 #define	__KADM5_ADMIN_H__
7 
8 
9 #ifdef __cplusplus
10 extern "C" {
11 #endif
12 
13 /*
14  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
15  *
16  *	Openvision retains the copyright to derivative works of
17  *	this source code.  Do *NOT* create a derivative of this
18  *	source code before consulting with your legal department.
19  *	Do *NOT* integrate *ANY* of this source code into another
20  *	product before consulting with your legal department.
21  *
22  *	For further information, read the top-level Openvision
23  *	copyright which is contained in the top-level MIT Kerberos
24  *	copyright.
25  *
26  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
27  *
28  */
29 /*
30  * lib/kadm5/admin.h
31  *
32  * Copyright 2001 by the Massachusetts Institute of Technology.
33  * All Rights Reserved.
34  *
35  * Export of this software from the United States of America may
36  *   require a specific license from the United States Government.
37  *   It is the responsibility of any person or organization contemplating
38  *   export to obtain such a license before exporting.
39  *
40  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
41  * distribute this software and its documentation for any purpose and
42  * without fee is hereby granted, provided that the above copyright
43  * notice appear in all copies and that both that copyright notice and
44  * this permission notice appear in supporting documentation, and that
45  * the name of M.I.T. not be used in advertising or publicity pertaining
46  * to distribution of the software without specific, written prior
47  * permission.  Furthermore if you modify this software you must label
48  * your software as modified software and not distribute it in such a
49  * fashion that it might be confused with the original M.I.T. software.
50  * M.I.T. makes no representations about the suitability of
51  * this software for any purpose.  It is provided "as is" without express
52  * or implied warranty.
53  *
54  */
55 /*
56  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
57  *
58  * $Header$
59  */
60 
61 #include	<sys/types.h>
62 #include	<rpc/types.h>
63 #include	<rpc/rpc.h>
64 #include	<k5-int.h>
65 #include	<krb5.h>
66 #include	<krb5/kdb.h>
67 #include	<com_err.h>
68 #include	<kadm5/kadm_err.h>
69 #include	<kadm5/chpass_util_strings.h>
70 
71 #define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
72 /*
73  * Solaris Kerberos:
74  * The kadmin/admin principal is unused on Solaris. This principal is used
75  * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
76  * be used with host-based principals.
77  *
78  */
79 /* #define KADM5_ADMIN_SERVICE	"kadmin/admin" */
80 #define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
81 #define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
82 #define KADM5_HIST_PRINCIPAL	"kadmin/history"
83 #define KADM5_ADMIN_HOST_SERVICE "kadmin"
84 #define KADM5_CHANGEPW_HOST_SERVICE "changepw"
85 #define KADM5_KIPROP_HOST_SERVICE "kiprop"
86 
87 typedef krb5_principal	kadm5_princ_t;
88 typedef	char		*kadm5_policy_t;
89 typedef long		kadm5_ret_t;
90 typedef int rpc_int32;
91 typedef unsigned int rpc_u_int32;
92 
93 #define KADM5_PW_FIRST_PROMPT \
94 	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
95 #define KADM5_PW_SECOND_PROMPT \
96 	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
97 
98 /*
99  * Successful return code
100  */
101 #define KADM5_OK	0
102 
103 /*
104  * Field masks
105  */
106 
107 /* kadm5_principal_ent_t */
108 #define KADM5_PRINCIPAL		0x000001
109 #define KADM5_PRINC_EXPIRE_TIME	0x000002
110 #define KADM5_PW_EXPIRATION	0x000004
111 #define KADM5_LAST_PWD_CHANGE	0x000008
112 #define KADM5_ATTRIBUTES	0x000010
113 #define KADM5_MAX_LIFE		0x000020
114 #define KADM5_MOD_TIME		0x000040
115 #define KADM5_MOD_NAME		0x000080
116 #define KADM5_KVNO		0x000100
117 #define KADM5_MKVNO		0x000200
118 #define KADM5_AUX_ATTRIBUTES	0x000400
119 #define KADM5_POLICY		0x000800
120 #define KADM5_POLICY_CLR	0x001000
121 /* version 2 masks */
122 #define KADM5_MAX_RLIFE		0x002000
123 #define KADM5_LAST_SUCCESS	0x004000
124 #define KADM5_LAST_FAILED	0x008000
125 #define KADM5_FAIL_AUTH_COUNT	0x010000
126 #define KADM5_KEY_DATA		0x020000
127 #define KADM5_TL_DATA		0x040000
128 #ifdef notyet /* Novell */
129 #define KADM5_CPW_FUNCTION      0x080000
130 #define KADM5_RANDKEY_USED      0x100000
131 #endif
132 #define KADM5_LOAD		0x200000
133 /* Solaris Kerberos: adding support for key history in LDAP KDB */
134 #define KADM5_KEY_HIST		0x400000
135 
136 /* all but KEY_DATA and TL_DATA */
137 #define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
138 
139 
140 /* kadm5_policy_ent_t */
141 #define KADM5_PW_MAX_LIFE	0x004000
142 #define KADM5_PW_MIN_LIFE	0x008000
143 #define KADM5_PW_MIN_LENGTH	0x010000
144 #define KADM5_PW_MIN_CLASSES	0x020000
145 #define KADM5_PW_HISTORY_NUM	0x040000
146 #define KADM5_REF_COUNT		0x080000
147 
148 /* kadm5_config_params */
149 #define KADM5_CONFIG_REALM		0x0000001
150 #define KADM5_CONFIG_DBNAME		0x0000002
151 #define KADM5_CONFIG_MKEY_NAME		0x0000004
152 #define KADM5_CONFIG_MAX_LIFE		0x0000008
153 #define KADM5_CONFIG_MAX_RLIFE		0x0000010
154 #define KADM5_CONFIG_EXPIRATION		0x0000020
155 #define KADM5_CONFIG_FLAGS		0x0000040
156 #define KADM5_CONFIG_ADMIN_KEYTAB	0x0000080
157 #define KADM5_CONFIG_STASH_FILE		0x0000100
158 #define KADM5_CONFIG_ENCTYPE		0x0000200
159 #define KADM5_CONFIG_ADBNAME		0x0000400
160 #define KADM5_CONFIG_ADB_LOCKFILE	0x0000800
161 #define KADM5_CONFIG_PROFILE		0x0001000
162 #define KADM5_CONFIG_ACL_FILE		0x0002000
163 #define KADM5_CONFIG_KADMIND_PORT	0x0004000
164 #define KADM5_CONFIG_ENCTYPES		0x0008000
165 #define KADM5_CONFIG_ADMIN_SERVER	0x0010000
166 #define KADM5_CONFIG_DICT_FILE		0x0020000
167 #define KADM5_CONFIG_MKEY_FROM_KBD	0x0040000
168 #define KADM5_CONFIG_KPASSWD_PORT	0x0080000
169 #define KADM5_CONFIG_KPASSWD_SERVER	0x0100000
170 #define	KADM5_CONFIG_KPASSWD_PROTOCOL	0x0200000
171 #define	KADM5_CONFIG_IPROP_ENABLED	0x0400000
172 #define	KADM5_CONFIG_ULOG_SIZE		0x0800000
173 #define	KADM5_CONFIG_POLL_TIME		0x1000000
174 
175 /* password change constants */
176 #define	KRB5_KPASSWD_SUCCESS		0
177 #define	KRB5_KPASSWD_MALFORMED		1
178 #define	KRB5_KPASSWD_HARDERROR		2
179 #define	KRB5_KPASSWD_AUTHERROR		3
180 #define	KRB5_KPASSWD_SOFTERROR		4
181 #define	KRB5_KPASSWD_ACCESSDENIED	5
182 #define	KRB5_KPASSWD_BAD_VERSION	6
183 #define	KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
184 #define	KRB5_KPASSWD_POLICY_REJECT	8
185 #define	KRB5_KPASSWD_BAD_PRINCIPAL	9
186 #define	KRB5_KPASSWD_ETYPE_NOSUPP	10
187 
188 /*
189  * permission bits
190  */
191 #define KADM5_PRIV_GET		0x01
192 #define KADM5_PRIV_ADD		0x02
193 #define KADM5_PRIV_MODIFY	0x04
194 #define KADM5_PRIV_DELETE	0x08
195 
196 /*
197  * API versioning constants
198  */
199 #define KADM5_MASK_BITS		0xffffff00
200 
201 #define KADM5_STRUCT_VERSION_MASK	0x12345600
202 #define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
203 #define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
204 
205 #define KADM5_API_VERSION_MASK	0x12345700
206 #define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
207 #define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
208 
209 #ifdef KRB5_DNS_LOOKUP
210 /*
211  * Name length constants for DNS lookups
212  */
213 #define	MAX_HOST_NAMELEN 256
214 #define	MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
215 #endif /* KRB5_DNS_LOOKUP */
216 
217 typedef struct _kadm5_principal_ent_t_v2 {
218 	krb5_principal	principal;
219 	krb5_timestamp	princ_expire_time;
220 	krb5_timestamp	last_pwd_change;
221 	krb5_timestamp	pw_expiration;
222 	krb5_deltat	max_life;
223 	krb5_principal	mod_name;
224 	krb5_timestamp	mod_date;
225 	krb5_flags	attributes;
226 	krb5_kvno	kvno;
227 	krb5_kvno	mkvno;
228 	char		*policy;
229 	long		aux_attributes;
230 
231 	/* version 2 fields */
232 	krb5_deltat max_renewable_life;
233         krb5_timestamp last_success;
234         krb5_timestamp last_failed;
235         krb5_kvno fail_auth_count;
236 	krb5_int16 n_key_data;
237 	krb5_int16 n_tl_data;
238         krb5_tl_data *tl_data;
239 	krb5_key_data *key_data;
240 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
241 
242 typedef struct _kadm5_principal_ent_t_v1 {
243 	krb5_principal	principal;
244 	krb5_timestamp	princ_expire_time;
245 	krb5_timestamp	last_pwd_change;
246 	krb5_timestamp	pw_expiration;
247 	krb5_deltat	max_life;
248 	krb5_principal	mod_name;
249 	krb5_timestamp	mod_date;
250 	krb5_flags	attributes;
251 	krb5_kvno	kvno;
252 	krb5_kvno	mkvno;
253 	char		*policy;
254 	long		aux_attributes;
255 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
256 
257 #if USE_KADM5_API_VERSION == 1
258 typedef struct _kadm5_principal_ent_t_v1
259      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
260 #else
261 typedef struct _kadm5_principal_ent_t_v2
262      kadm5_principal_ent_rec, *kadm5_principal_ent_t;
263 #endif
264 
265 typedef struct _kadm5_policy_ent_t {
266 	char		*policy;
267 	long		pw_min_life;
268 	long		pw_max_life;
269 	long		pw_min_length;
270 	long		pw_min_classes;
271 	long		pw_history_num;
272 	long		policy_refcnt;
273 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
274 
275 /*
276  * New types to indicate which protocol to use when sending
277  * password change requests
278  */
279 typedef enum {
280 	KRB5_CHGPWD_RPCSEC,
281 	KRB5_CHGPWD_CHANGEPW_V2
282 } krb5_chgpwd_prot;
283 
284 /*
285  * Data structure returned by kadm5_get_config_params()
286  */
287 typedef struct _kadm5_config_params {
288      long		mask;
289      char *		realm;
290      int		kadmind_port;
291      int		kpasswd_port;
292 
293      char *		admin_server;
294 #ifdef notyet /* Novell */ /* ABI change? */
295      char *		kpasswd_server;
296 #endif
297 
298      char *		dbname;
299      char *		admin_dbname;
300      char *		admin_lockfile;
301      char *		admin_keytab;
302      char *		acl_file;
303      char *		dict_file;
304 
305      int		mkey_from_kbd;
306      char *		stash_file;
307      char *		mkey_name;
308      krb5_enctype	enctype;
309      krb5_deltat	max_life;
310      krb5_deltat	max_rlife;
311      krb5_timestamp	expiration;
312      krb5_flags		flags;
313      krb5_key_salt_tuple *keysalts;
314      krb5_int32		num_keysalts;
315      char 			*kpasswd_server;
316 
317      krb5_chgpwd_prot	kpasswd_protocol;
318      bool_t			iprop_enabled;
319      int			iprop_ulogsize;
320      char			*iprop_polltime;
321 } kadm5_config_params;
322 
323 /***********************************************************************
324  * This is the old krb5_realm_read_params, which I mutated into
325  * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
326  * still uses.
327  ***********************************************************************/
328 
329 /*
330  * Data structure returned by krb5_read_realm_params()
331  */
332 typedef struct __krb5_realm_params {
333     char *		realm_profile;
334     char *		realm_dbname;
335     char *		realm_mkey_name;
336     char *		realm_stash_file;
337     char *		realm_kdc_ports;
338     char *		realm_kdc_tcp_ports;
339     char *		realm_acl_file;
340     krb5_int32		realm_kadmind_port;
341     krb5_enctype	realm_enctype;
342     krb5_deltat		realm_max_life;
343     krb5_deltat		realm_max_rlife;
344     krb5_timestamp	realm_expiration;
345     krb5_flags		realm_flags;
346     krb5_key_salt_tuple	*realm_keysalts;
347     unsigned int	realm_reject_bad_transit:1;
348     unsigned int	realm_kadmind_port_valid:1;
349     unsigned int	realm_enctype_valid:1;
350     unsigned int	realm_max_life_valid:1;
351     unsigned int	realm_max_rlife_valid:1;
352     unsigned int	realm_expiration_valid:1;
353     unsigned int	realm_flags_valid:1;
354     unsigned int	realm_reject_bad_transit_valid:1;
355     krb5_int32		realm_num_keysalts;
356 } krb5_realm_params;
357 
358 /*
359  * functions
360  */
361 
362 kadm5_ret_t
363 kadm5_get_adm_host_srv_name(krb5_context context,
364                            const char *realm, char **host_service_name);
365 
366 kadm5_ret_t
367 kadm5_get_cpw_host_srv_name(krb5_context context,
368                            const char *realm, char **host_service_name);
369 
370 #if USE_KADM5_API_VERSION > 1
371 krb5_error_code kadm5_get_config_params(krb5_context context,
372 					int use_kdc_config,
373 					kadm5_config_params *params_in,
374 					kadm5_config_params *params_out);
375 
376 krb5_error_code kadm5_free_config_params(krb5_context context,
377 					 kadm5_config_params *params);
378 
379 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
380 					kadm5_config_params *params);
381 
382 krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
383 					     char *, size_t);
384 #endif
385 
386 kadm5_ret_t    kadm5_init(char *client_name, char *pass,
387 			  char *service_name,
388 #if USE_KADM5_API_VERSION == 1
389 			  char *realm,
390 #else
391 			  kadm5_config_params *params,
392 #endif
393 			  krb5_ui_4 struct_version,
394 			  krb5_ui_4 api_version,
395 			  char **db_args,
396 			  void **server_handle);
397 kadm5_ret_t    kadm5_init_with_password(char *client_name,
398 					char *pass,
399 					char *service_name,
400 #if USE_KADM5_API_VERSION == 1
401 					char *realm,
402 #else
403 					kadm5_config_params *params,
404 #endif
405 					krb5_ui_4 struct_version,
406 					krb5_ui_4 api_version,
407 					char **db_args,
408 					void **server_handle);
409 kadm5_ret_t    kadm5_init_with_skey(char *client_name,
410 				    char *keytab,
411 				    char *service_name,
412 #if USE_KADM5_API_VERSION == 1
413 				    char *realm,
414 #else
415 				    kadm5_config_params *params,
416 #endif
417 				    krb5_ui_4 struct_version,
418 				    krb5_ui_4 api_version,
419 				    char **db_args,
420 				    void **server_handle);
421 #if USE_KADM5_API_VERSION > 1
422 kadm5_ret_t    kadm5_init_with_creds(char *client_name,
423 				     krb5_ccache cc,
424 				     char *service_name,
425 				     kadm5_config_params *params,
426 				     krb5_ui_4 struct_version,
427 				     krb5_ui_4 api_version,
428 				     char **db_args,
429 				     void **server_handle);
430 #endif
431 kadm5_ret_t    kadm5_lock(void *server_handle);
432 kadm5_ret_t    kadm5_unlock(void *server_handle);
433 kadm5_ret_t    kadm5_flush(void *server_handle);
434 kadm5_ret_t    kadm5_destroy(void *server_handle);
435 kadm5_ret_t    kadm5_check_min_life(void *server_handle,	/* Solaris Kerberos */
436 			      krb5_principal principal,
437 			      char *msg_ret,
438 			      unsigned int msg_len);
439 kadm5_ret_t    kadm5_create_principal(void *server_handle,
440 				      kadm5_principal_ent_t ent,
441 				      long mask, char *pass);
442 kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
443 					kadm5_principal_ent_t ent,
444 					long mask,
445 					int n_ks_tuple,
446 					krb5_key_salt_tuple *ks_tuple,
447 					char *pass);
448 kadm5_ret_t    kadm5_delete_principal(void *server_handle,
449 				      krb5_principal principal);
450 kadm5_ret_t    kadm5_modify_principal(void *server_handle,
451 				      kadm5_principal_ent_t ent,
452 				      long mask);
453 kadm5_ret_t    kadm5_rename_principal(void *server_handle,
454 				      krb5_principal,krb5_principal);
455 #if USE_KADM5_API_VERSION == 1
456 kadm5_ret_t    kadm5_get_principal(void *server_handle,
457 				   krb5_principal principal,
458 				   kadm5_principal_ent_t *ent);
459 #else
460 kadm5_ret_t    kadm5_get_principal(void *server_handle,
461 				   krb5_principal principal,
462 				   kadm5_principal_ent_t ent,
463 				   long mask);
464 #endif
465 kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
466 				      krb5_principal principal,
467 				      char *pass);
468 kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
469 					krb5_principal principal,
470 					krb5_boolean keepold,
471 					int n_ks_tuple,
472 					krb5_key_salt_tuple *ks_tuple,
473 					char *pass);
474 #if USE_KADM5_API_VERSION == 1
475 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
476 				       krb5_principal principal,
477 				       krb5_keyblock **keyblock);
478 #else
479 
480 /*
481  * Solaris Kerberos:
482  * this routine is only implemented in the client library.
483  */
484 kadm5_ret_t    kadm5_randkey_principal_old(void *server_handle,
485 				    krb5_principal principal,
486 				    krb5_keyblock **keyblocks,
487 				    int *n_keys);
488 
489 kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
490 				       krb5_principal principal,
491 				       krb5_keyblock **keyblocks,
492 				       int *n_keys);
493 kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
494 					 krb5_principal principal,
495 					 krb5_boolean keepold,
496 					 int n_ks_tuple,
497 					 krb5_key_salt_tuple *ks_tuple,
498 					 krb5_keyblock **keyblocks,
499 					 int *n_keys);
500 #endif
501 kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
502 					krb5_principal principal,
503 					krb5_keyblock *keyblock);
504 
505 kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
506 				      krb5_principal principal,
507 				      krb5_keyblock *keyblocks,
508 				      int n_keys);
509 
510 kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
511 					krb5_principal principal,
512 					krb5_boolean keepold,
513 					int n_ks_tuple,
514 					krb5_key_salt_tuple *ks_tuple,
515 					krb5_keyblock *keyblocks,
516 					int n_keys);
517 
518 kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
519 				 kadm5_principal_ent_t entry, krb5_int32
520 				 ktype, krb5_int32 stype, krb5_int32
521 				 kvno, krb5_keyblock *keyblock,
522 				 krb5_keysalt *keysalt, int *kvnop);
523 
524 kadm5_ret_t    kadm5_create_policy(void *server_handle,
525 				   kadm5_policy_ent_t ent,
526 				   long mask);
527 /*
528  * kadm5_create_policy_internal is not part of the supported,
529  * exposed API.  It is available only in the server library, and you
530  * shouldn't use it unless you know why it's there and how it's
531  * different from kadm5_create_policy.
532  */
533 kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
534 					    kadm5_policy_ent_t
535 					    entry, long mask);
536 kadm5_ret_t    kadm5_delete_policy(void *server_handle,
537 				   kadm5_policy_t policy);
538 kadm5_ret_t    kadm5_modify_policy(void *server_handle,
539 				   kadm5_policy_ent_t ent,
540 				   long mask);
541 /*
542  * kadm5_modify_policy_internal is not part of the supported,
543  * exposed API.  It is available only in the server library, and you
544  * shouldn't use it unless you know why it's there and how it's
545  * different from kadm5_modify_policy.
546  */
547 kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
548 					    kadm5_policy_ent_t
549 					    entry, long mask);
550 #if USE_KADM5_API_VERSION == 1
551 kadm5_ret_t    kadm5_get_policy(void *server_handle,
552 				kadm5_policy_t policy,
553 				kadm5_policy_ent_t *ent);
554 #else
555 kadm5_ret_t    kadm5_get_policy(void *server_handle,
556 				kadm5_policy_t policy,
557 				kadm5_policy_ent_t ent);
558 #endif
559 kadm5_ret_t    kadm5_get_privs(void *server_handle,
560 			       long *privs);
561 
562 kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
563 					   krb5_principal princ,
564 					   char *new_pw,
565 					   char **ret_pw,
566 					   char *msg_ret,
567 					   unsigned int msg_len);
568 
569 kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
570 					kadm5_principal_ent_t
571 					ent);
572 kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
573 				     kadm5_policy_ent_t ent);
574 
575 kadm5_ret_t    kadm5_get_principals(void *server_handle,
576 				    char *exp, char ***princs,
577 				    int *count);
578 
579 kadm5_ret_t    kadm5_get_policies(void *server_handle,
580 				  char *exp, char ***pols,
581 				  int *count);
582 
583 #if USE_KADM5_API_VERSION > 1
584 kadm5_ret_t    kadm5_free_key_data(void *server_handle,
585 				   krb5_int16 *n_key_data,
586 				   krb5_key_data *key_data);
587 #endif
588 
589 kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
590 				    int count);
591 
592 krb5_error_code kadm5_init_krb5_context (krb5_context *);
593 
594 #if USE_KADM5_API_VERSION == 1
595 /*
596  * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
597  * compatible with KADM5_API_VERSION_2.  Basically, this means we have
598  * to continue to provide all the old ovsec_kadm function and symbol
599  * names.
600  */
601 
602 #define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
603 #define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
604 
605 #define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
606 #define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
607 #define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
608 
609 typedef krb5_principal	ovsec_kadm_princ_t;
610 typedef krb5_keyblock	ovsec_kadm_keyblock;
611 typedef	char		*ovsec_kadm_policy_t;
612 typedef long		ovsec_kadm_ret_t;
613 
614 enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
615 enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
616 
617 #define OVSEC_KADM_PW_FIRST_PROMPT \
618 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
619 #define OVSEC_KADM_PW_SECOND_PROMPT \
620 	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
621 
622 /*
623  * Successful return code
624  */
625 #define OVSEC_KADM_OK	0
626 
627 /*
628  * Create/Modify masks
629  */
630 /* principal */
631 #define OVSEC_KADM_PRINCIPAL		0x000001
632 #define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
633 #define OVSEC_KADM_PW_EXPIRATION	0x000004
634 #define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
635 #define OVSEC_KADM_ATTRIBUTES		0x000010
636 #define OVSEC_KADM_MAX_LIFE		0x000020
637 #define OVSEC_KADM_MOD_TIME		0x000040
638 #define OVSEC_KADM_MOD_NAME		0x000080
639 #define OVSEC_KADM_KVNO			0x000100
640 #define OVSEC_KADM_MKVNO		0x000200
641 #define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
642 #define OVSEC_KADM_POLICY		0x000800
643 #define OVSEC_KADM_POLICY_CLR		0x001000
644 /* policy */
645 #define OVSEC_KADM_PW_MAX_LIFE		0x004000
646 #define OVSEC_KADM_PW_MIN_LIFE		0x008000
647 #define OVSEC_KADM_PW_MIN_LENGTH	0x010000
648 #define OVSEC_KADM_PW_MIN_CLASSES	0x020000
649 #define OVSEC_KADM_PW_HISTORY_NUM	0x040000
650 #define OVSEC_KADM_REF_COUNT		0x080000
651 
652 /*
653  * permission bits
654  */
655 #define OVSEC_KADM_PRIV_GET	0x01
656 #define OVSEC_KADM_PRIV_ADD	0x02
657 #define OVSEC_KADM_PRIV_MODIFY	0x04
658 #define OVSEC_KADM_PRIV_DELETE	0x08
659 
660 /*
661  * API versioning constants
662  */
663 #define OVSEC_KADM_MASK_BITS		0xffffff00
664 
665 #define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
666 #define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
667 #define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
668 
669 #define OVSEC_KADM_API_VERSION_MASK	0x12345700
670 #define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
671 
672 
673 typedef struct _ovsec_kadm_principal_ent_t {
674 	krb5_principal	principal;
675 	krb5_timestamp	princ_expire_time;
676 	krb5_timestamp	last_pwd_change;
677 	krb5_timestamp	pw_expiration;
678 	krb5_deltat	max_life;
679 	krb5_principal	mod_name;
680 	krb5_timestamp	mod_date;
681 	krb5_flags	attributes;
682 	krb5_kvno	kvno;
683 	krb5_kvno	mkvno;
684 	char		*policy;
685 	long		aux_attributes;
686 } ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
687 
688 typedef struct _ovsec_kadm_policy_ent_t {
689 	char		*policy;
690 	long		pw_min_life;
691 	long		pw_max_life;
692 	long		pw_min_length;
693 	long		pw_min_classes;
694 	long		pw_history_num;
695 	long		policy_refcnt;
696 } ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
697 
698 /*
699  * functions
700  */
701 ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
702 				    char *service_name, char *realm,
703 				    krb5_ui_4 struct_version,
704 				    krb5_ui_4 api_version,
705 				    char **db_args,
706 				    void **server_handle);
707 ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
708 						  char *pass,
709 						  char *service_name,
710 						  char *realm,
711 						  krb5_ui_4 struct_version,
712 						  krb5_ui_4 api_version,
713 						  char ** db_args,
714 						  void **server_handle);
715 ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
716 					      char *keytab,
717 					      char *service_name,
718 					      char *realm,
719 					      krb5_ui_4 struct_version,
720 					      krb5_ui_4 api_version,
721 					      char **db_args,
722 					      void **server_handle);
723 ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
724 ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
725 ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
726 						ovsec_kadm_principal_ent_t ent,
727 						long mask, char *pass);
728 ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
729 						krb5_principal principal);
730 ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
731 						ovsec_kadm_principal_ent_t ent,
732 						long mask);
733 ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
734 						krb5_principal,krb5_principal);
735 ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
736 					     krb5_principal principal,
737 					     ovsec_kadm_principal_ent_t *ent);
738 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
739 						krb5_principal principal,
740 						char *pass);
741 ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
742 						 krb5_principal principal,
743 						 krb5_keyblock **keyblock);
744 ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
745 					     ovsec_kadm_policy_ent_t ent,
746 					     long mask);
747 /*
748  * ovsec_kadm_create_policy_internal is not part of the supported,
749  * exposed API.  It is available only in the server library, and you
750  * shouldn't use it unless you know why it's there and how it's
751  * different from ovsec_kadm_create_policy.
752  */
753 ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
754 						      ovsec_kadm_policy_ent_t
755 						      entry, long mask);
756 ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
757 					     ovsec_kadm_policy_t policy);
758 ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
759 					     ovsec_kadm_policy_ent_t ent,
760 					     long mask);
761 /*
762  * ovsec_kadm_modify_policy_internal is not part of the supported,
763  * exposed API.  It is available only in the server library, and you
764  * shouldn't use it unless you know why it's there and how it's
765  * different from ovsec_kadm_modify_policy.
766  */
767 ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
768 						      ovsec_kadm_policy_ent_t
769 						      entry, long mask);
770 ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
771 					  ovsec_kadm_policy_t policy,
772 					  ovsec_kadm_policy_ent_t *ent);
773 ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
774 					 long *privs);
775 
776 ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
777 						     krb5_principal princ,
778 						     char *new_pw,
779 						     char **ret_pw,
780 						     char *msg_ret);
781 
782 ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
783 						  ovsec_kadm_principal_ent_t
784 						  ent);
785 ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
786 					       ovsec_kadm_policy_ent_t ent);
787 
788 ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
789 					   char **names, int count);
790 
791 ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
792 					      char *exp, char ***princs,
793 					      int *count);
794 
795 ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
796 					    char *exp, char ***pols,
797 					    int *count);
798 
799 #define OVSEC_KADM_FAILURE KADM5_FAILURE
800 #define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
801 #define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
802 #define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
803 #define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
804 #define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
805 #define OVSEC_KADM_BAD_DB KADM5_BAD_DB
806 #define OVSEC_KADM_DUP KADM5_DUP
807 #define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
808 #define OVSEC_KADM_NO_SRV KADM5_NO_SRV
809 #define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
810 #define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
811 #define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
812 #define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
813 #define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
814 #define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
815 #define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
816 #define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
817 #define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
818 #define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
819 #define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
820 #define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
821 #define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
822 #define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
823 #define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
824 #define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
825 #define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
826 #define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
827 #define OVSEC_KADM_INIT KADM5_INIT
828 #define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
829 #define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
830 #define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
831 #define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
832 #define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
833 #define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
834 #define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
835 #define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
836 #define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
837 #define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
838 #define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
839 #define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
840 #define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
841 
842 #endif /* USE_KADM5_API_VERSION == 1 */
843 
844 #define MAXPRINCLEN 125
845 
846 void trunc_name(size_t *len, char **dots);
847 
848 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
849 kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
850 					krb5_principal princ,
851 					char *new_password,
852 					kadm5_ret_t *srvr_rsp_code,
853 					krb5_data *srvr_msg);
854 
855 void handle_chpw(krb5_context context, int s, void *serverhandle,
856 			kadm5_config_params *params);
857 
858 #ifdef __cplusplus
859 }
860 #endif
861 
862 #endif	/* __KADM5_ADMIN_H__ */
863