src/include/kdb.h

   1 /*
   2  * include/krb5/kdb.h
   3  *
   4  * Copyright 1990,1991 by the Massachusetts Institute of Technology.
   5  * All Rights Reserved.
   6  *
   7  * Export of this software from the United States of America may
   8  *   require a specific license from the United States Government.
   9  *   It is the responsibility of any person or organization contemplating
  10  *   export to obtain such a license before exporting.
  11  *
  12  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  13  * distribute this software and its documentation for any purpose and
  14  * without fee is hereby granted, provided that the above copyright
  15  * notice appear in all copies and that both that copyright notice and
  16  * this permission notice appear in supporting documentation, and that
  17  * the name of M.I.T. not be used in advertising or publicity pertaining
  18  * to distribution of the software without specific, written prior
  19  * permission.  Furthermore if you modify this software you must label
  20  * your software as modified software and not distribute it in such a
  21  * fashion that it might be confused with the original M.I.T. software.
  22  * M.I.T. makes no representations about the suitability of
  23  * this software for any purpose.  It is provided "as is" without express
  24  * or implied warranty.
  25  *
  26  *
  27  * KDC Database interface definitions.
  28  */
  29
  30 /*
  31  * Copyright (C) 1998 by the FundsXpress, INC.
  32  *
  33  * All rights reserved.
  34  *
  35  * Export of this software from the United States of America may require
  36  * a specific license from the United States Government.  It is the
  37  * responsibility of any person or organization contemplating export to
  38  * obtain such a license before exporting.
  39  *
  40  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  41  * distribute this software and its documentation for any purpose and
  42  * without fee is hereby granted, provided that the above copyright
  43  * notice appear in all copies and that both that copyright notice and
  44  * this permission notice appear in supporting documentation, and that
  45  * the name of FundsXpress. not be used in advertising or publicity pertaining
  46  * to distribution of the software without specific, written prior
  47  * permission.  FundsXpress makes no representations about the suitability of
  48  * this software for any purpose.  It is provided "as is" without express
  49  * or implied warranty.
  50  *
  51  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  52  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  53  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  54  */
  55
  56 #ifndef KRB5_KDB5__
  57 #define KRB5_KDB5__
  58
  59 /* Salt types */
  60 #define KRB5_KDB_SALTTYPE_NORMAL        0
  61 #define KRB5_KDB_SALTTYPE_V4            1
  62 #define KRB5_KDB_SALTTYPE_NOREALM       2
  63 #define KRB5_KDB_SALTTYPE_ONLYREALM     3
  64 #define KRB5_KDB_SALTTYPE_SPECIAL       4
  65 #define KRB5_KDB_SALTTYPE_AFS3          5
  66
  67 /* Attributes */
  68 #define KRB5_KDB_DISALLOW_POSTDATED     0x00000001
  69 #define KRB5_KDB_DISALLOW_FORWARDABLE   0x00000002
  70 #define KRB5_KDB_DISALLOW_TGT_BASED     0x00000004
  71 #define KRB5_KDB_DISALLOW_RENEWABLE     0x00000008
  72 #define KRB5_KDB_DISALLOW_PROXIABLE     0x00000010
  73 #define KRB5_KDB_DISALLOW_DUP_SKEY      0x00000020
  74 #define KRB5_KDB_DISALLOW_ALL_TIX       0x00000040
  75 #define KRB5_KDB_REQUIRES_PRE_AUTH      0x00000080
  76 #define KRB5_KDB_REQUIRES_HW_AUTH       0x00000100
  77 #define KRB5_KDB_REQUIRES_PWCHANGE      0x00000200
  78 #define KRB5_KDB_DISALLOW_SVR           0x00001000
  79 #define KRB5_KDB_PWCHANGE_SERVICE       0x00002000
  80 #define KRB5_KDB_SUPPORT_DESMD5         0x00004000
  81 #define KRB5_KDB_NEW_PRINC              0x00008000
  82
  83 /* Creation flags */
  84 #define KRB5_KDB_CREATE_BTREE           0x00000001
  85 #define KRB5_KDB_CREATE_HASH            0x00000002
  86
  87 #if !defined(_WIN32)
  88
  89 /*
  90  * Note --- these structures cannot be modified without changing the
  91  * database version number in libkdb.a, but should be expandable by
  92  * adding new tl_data types.
  93  */
  94 typedef struct _krb5_tl_data {
  95     struct _krb5_tl_data* tl_data_next;         /* NOT saved */
  96     krb5_int16            tl_data_type;
  97     krb5_ui_2             tl_data_length;
  98     krb5_octet          * tl_data_contents;
  99 } krb5_tl_data;
 100
 101 /*
 102  * If this ever changes up the version number and make the arrays be as
 103  * big as necessary.
 104  *
 105  * Currently the first type is the enctype and the second is the salt type.
 106  */
 107 typedef struct _krb5_key_data {
 108     krb5_int16            key_data_ver;         /* Version */
 109     krb5_int16            key_data_kvno;        /* Key Version */
 110     krb5_int16            key_data_type[2];     /* Array of types */
 111     krb5_ui_2             key_data_length[2];   /* Array of lengths */
 112     krb5_octet          * key_data_contents[2]; /* Array of pointers */
 113 } krb5_key_data;
 114
 115 #define KRB5_KDB_V1_KEY_DATA_ARRAY      2       /* # of array elements */
 116
 117 typedef struct _krb5_keysalt {
 118     krb5_int16            type;
 119     krb5_data             data;                 /* Length, data */
 120 } krb5_keysalt;
 121
 122 typedef struct _krb5_db_entry_new {
 123     krb5_magic            magic;                /* NOT saved */
 124     krb5_ui_2             len;
 125     krb5_ui_4             mask;                 /* members currently changed/set */
 126     krb5_flags            attributes;
 127     krb5_deltat           max_life;
 128     krb5_deltat           max_renewable_life;
 129     krb5_timestamp        expiration;           /* When the client expires */
 130     krb5_timestamp        pw_expiration;        /* When its passwd expires */
 131     krb5_timestamp        last_success;         /* Last successful passwd */
 132     krb5_timestamp        last_failed;          /* Last failed passwd attempt */
 133     krb5_kvno             fail_auth_count;      /* # of failed passwd attempt */
 134     krb5_int16            n_tl_data;
 135     krb5_int16            n_key_data;
 136     krb5_ui_2             e_length;             /* Length of extra data */
 137     krb5_octet          * e_data;               /* Extra data to be saved */
 138
 139     krb5_principal        princ;                /* Length, data */
 140     krb5_tl_data        * tl_data;              /* Linked list */
 141     krb5_key_data       * key_data;             /* Array */
 142 } krb5_db_entry;
 143
 144 typedef struct _osa_policy_ent_t {
 145     int               version;
 146     char      *name;
 147     krb5_ui_4       pw_min_life;
 148     krb5_ui_4       pw_max_life;
 149     krb5_ui_4       pw_min_length;
 150     krb5_ui_4       pw_min_classes;
 151     krb5_ui_4       pw_history_num;
 152     krb5_ui_4       policy_refcnt;
 153 } osa_policy_ent_rec, *osa_policy_ent_t;
 154
 155 typedef       void    (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);
 156
 157 typedef struct __krb5_key_salt_tuple {
 158     krb5_enctype        ks_enctype;
 159     krb5_int32          ks_salttype;
 160 } krb5_key_salt_tuple;
 161
 162 #define KRB5_KDB_MAGIC_NUMBER           0xdbdbdbdb
 163 #define KRB5_KDB_V1_BASE_LENGTH         38
 164
 165 #define KRB5_TL_LAST_PWD_CHANGE         0x0001
 166 #define KRB5_TL_MOD_PRINC               0x0002
 167 #define KRB5_TL_KADM_DATA               0x0003
 168 #define KRB5_TL_KADM5_E_DATA            0x0004
 169 #define KRB5_TL_RB1_CHALLENGE           0x0005
 170 #ifdef SECURID
 171 #define KRB5_TL_SECURID_STATE           0x0006
 172 #define KRB5_TL_DB_ARGS                 0x7fff
 173 #endif /* SECURID */
 174
 175 /*
 176  * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
 177  * on the principal.
 178  */
 179 #define KRB5_MAX_FAIL_COUNT             5
 180
 181 /* XXX depends on knowledge of krb5_parse_name() formats */
 182 #define KRB5_KDB_M_NAME         "K/M"   /* Kerberos/Master */
 183
 184 /* prompts used by default when reading the KDC password from the keyboard. */
 185 #define KRB5_KDC_MKEY_1 "Enter KDC database master key"
 186 #define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify"
 187
 188
 189 extern char *krb5_mkey_pwd_prompt1;
 190 extern char *krb5_mkey_pwd_prompt2;
 191
 192 /*
 193  * These macros specify the encoding of data within the database.
 194  *
 195  * Data encoding is little-endian.
 196  */
 197 #include "k5-platform.h"
 198 #define krb5_kdb_decode_int16(cp, i16)  \
 199         *((krb5_int16 *) &(i16)) = load_16_le(cp)
 200 #define krb5_kdb_decode_int32(cp, i32)  \
 201         *((krb5_int32 *) &(i32)) = load_32_le(cp)
 202 #define krb5_kdb_encode_int16(i16, cp)  store_16_le(i16, cp)
 203 #define krb5_kdb_encode_int32(i32, cp)  store_32_le(i32, cp)
 204
 205 #define KRB5_KDB_OPEN_RW                0
 206 #define KRB5_KDB_OPEN_RO                1
 207
 208 #ifndef KRB5_KDB_SRV_TYPE_KDC
 209 #define KRB5_KDB_SRV_TYPE_KDC           0x0100
 210 #endif
 211
 212 #ifndef KRB5_KDB_SRV_TYPE_ADMIN
 213 #define KRB5_KDB_SRV_TYPE_ADMIN         0x0200
 214 #endif
 215
 216 #ifndef KRB5_KDB_SRV_TYPE_PASSWD
 217 #define KRB5_KDB_SRV_TYPE_PASSWD        0x0300
 218 #endif
 219
 220 #ifndef KRB5_KDB_SRV_TYPE_OTHER
 221 #define KRB5_KDB_SRV_TYPE_OTHER         0x0400
 222 #endif
 223
 224 #define KRB5_KDB_OPT_SET_DB_NAME        0
 225 #define KRB5_KDB_OPT_SET_LOCK_MODE      1
 226
 227 #define KRB5_DB_LOCKMODE_SHARED       0x0001
 228 #define KRB5_DB_LOCKMODE_EXCLUSIVE    0x0002
 229 #define KRB5_DB_LOCKMODE_DONTBLOCK    0x0004
 230 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
 231
 232 /* libkdb.spec */
 233 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
 234 krb5_error_code krb5_db_init  ( krb5_context kcontext );
 235 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
 236 krb5_error_code krb5_db_inited  ( krb5_context kcontext );
 237 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
 238 krb5_error_code krb5_db_fini ( krb5_context kcontext );
 239 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
 240 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
 241 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
 242 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
 243 krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value );
 244 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
 245 krb5_error_code krb5_db_unlock ( krb5_context kcontext );
 246 krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
 247                                         krb5_const_principal search_for,
 248                                         krb5_db_entry *entries,
 249                                         int *nentries,
 250                                         krb5_boolean *more );
 251 krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
 252                                          krb5_db_entry *entry,
 253                                          int count );
 254 krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
 255                                         krb5_db_entry *entries,
 256                                         int *nentries);
 257 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
 258                                            krb5_principal search_for,
 259                                            int *nentries );
 260 krb5_error_code krb5_db_iterate ( krb5_context kcontext,
 261                                   char *match_entry,
 262                                   int (*func) (krb5_pointer, krb5_db_entry *),
 263                                   krb5_pointer func_arg );
 264 krb5_error_code krb5_supported_realms ( krb5_context kcontext,
 265                                         char **realms );
 266 krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
 267                                              char **realms );
 268 krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
 269                                              char *pwd,
 270                                              krb5_keyblock *key );
 271 krb5_error_code krb5_db_set_mkey ( krb5_context context,
 272                                    krb5_keyblock *key);
 273 krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
 274                                    krb5_keyblock **key );
 275 krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
 276                                           krb5_keyblock *key );
 277 krb5_error_code krb5_db_store_master_key  ( krb5_context kcontext,
 278                                             char *db_arg,
 279                                             krb5_principal mname,
 280                                             krb5_keyblock *key,
 281                                             char *master_pwd);
 282 krb5_error_code krb5_db_fetch_mkey  ( krb5_context   context,
 283                                       krb5_principal mname,
 284                                       krb5_enctype   etype,
 285                                       krb5_boolean   fromkeyboard,
 286                                       krb5_boolean   twice,
 287                                       char          *db_args,
 288                                       krb5_data     *salt,
 289                                       krb5_keyblock *key);
 290 krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
 291                                             krb5_principal mprinc,
 292                                             krb5_keyblock *mkey );
 293 krb5_error_code
 294 krb5_dbe_find_enctype( krb5_context     kcontext,
 295                        krb5_db_entry    *dbentp,
 296                        krb5_int32               ktype,
 297                        krb5_int32               stype,
 298                        krb5_int32               kvno,
 299                        krb5_key_data    **kdatap);
 300
 301
 302 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
 303                                           krb5_db_entry *dbentp,
 304                                           krb5_int32 *start,
 305                                           krb5_int32 ktype,
 306                                           krb5_int32 stype,
 307                                           krb5_int32 kvno,
 308                                           krb5_key_data **kdatap);
 309
 310 krb5_error_code
 311 krb5_db_setup_mkey_name ( krb5_context context,
 312                           const char *keyname,
 313                           const char *realm,
 314                           char **fullname,
 315                           krb5_principal *principal);
 316
 317 krb5_error_code
 318 krb5_dbekd_decrypt_key_data( krb5_context         context,
 319                              const krb5_keyblock        * mkey,
 320                              const krb5_key_data        * key_data,
 321                              krb5_keyblock      * dbkey,
 322                              krb5_keysalt       * keysalt);
 323
 324 krb5_error_code
 325 krb5_dbekd_encrypt_key_data( krb5_context                 context,
 326                              const krb5_keyblock        * mkey,
 327                              const krb5_keyblock        * dbkey,
 328                              const krb5_keysalt         * keysalt,
 329                              int                          keyver,
 330                              krb5_key_data              * key_data);
 331
 332 krb5_error_code
 333 krb5_dbe_lookup_mod_princ_data( krb5_context          context,
 334                                 krb5_db_entry       * entry,
 335                                 krb5_timestamp      * mod_time,
 336                                 krb5_principal      * mod_princ);
 337
 338
 339 krb5_error_code
 340 krb5_dbe_update_last_pwd_change( krb5_context          context,
 341                                  krb5_db_entry       * entry,
 342                                  krb5_timestamp   stamp);
 343
 344 krb5_error_code
 345 krb5_dbe_lookup_tl_data( krb5_context          context,
 346                          krb5_db_entry       * entry,
 347                          krb5_tl_data        * ret_tl_data);
 348
 349 krb5_error_code
 350 krb5_dbe_create_key_data( krb5_context          context,
 351                           krb5_db_entry       * entry);
 352
 353
 354 krb5_error_code
 355 krb5_dbe_update_mod_princ_data( krb5_context          context,
 356                                 krb5_db_entry       * entry,
 357                                 krb5_timestamp        mod_date,
 358                                 krb5_const_principal  mod_princ);
 359
 360 krb5_error_code
 361 krb5_dbe_update_last_pwd_change( krb5_context          context,
 362                                  krb5_db_entry       * entry,
 363                                  krb5_timestamp   stamp);
 364
 365 void *krb5_db_alloc( krb5_context kcontext,
 366                      void *ptr,
 367                      size_t size );
 368
 369 void krb5_db_free( krb5_context kcontext,
 370                    void *ptr);
 371
 372
 373 krb5_error_code
 374 krb5_dbe_lookup_last_pwd_change( krb5_context          context,
 375                                  krb5_db_entry       * entry,
 376                                  krb5_timestamp      * stamp);
 377
 378 krb5_error_code
 379 krb5_dbe_update_tl_data( krb5_context          context,
 380                          krb5_db_entry       * entry,
 381                          krb5_tl_data        * new_tl_data);
 382
 383 krb5_error_code
 384 krb5_dbe_cpw( krb5_context        kcontext,
 385               krb5_keyblock       * master_key,
 386               krb5_key_salt_tuple       * ks_tuple,
 387               int                         ks_tuple_count,
 388               char              * passwd,
 389               int                         new_kvno,
 390               krb5_boolean        keepold,
 391               krb5_db_entry     * db_entry);
 392
 393
 394 krb5_error_code
 395 krb5_dbe_ark( krb5_context        context,
 396               krb5_keyblock       * master_key,
 397               krb5_key_salt_tuple       * ks_tuple,
 398               int                         ks_tuple_count,
 399               krb5_db_entry     * db_entry);
 400
 401 krb5_error_code
 402 krb5_dbe_crk( krb5_context        context,
 403               krb5_keyblock       * master_key,
 404               krb5_key_salt_tuple       * ks_tuple,
 405               int                         ks_tuple_count,
 406               krb5_boolean        keepold,
 407               krb5_db_entry     * db_entry);
 408
 409 krb5_error_code
 410 krb5_dbe_apw( krb5_context        context,
 411               krb5_keyblock       * master_key,
 412               krb5_key_salt_tuple       * ks_tuple,
 413               int                         ks_tuple_count,
 414               char              * passwd,
 415               krb5_db_entry     * db_entry);
 416
 417 /* default functions. Should not be directly called */
 418 /*
 419  *   Default functions prototype
 420  */
 421
 422 krb5_error_code
 423 krb5_dbe_def_search_enctype( krb5_context kcontext,
 424                              krb5_db_entry *dbentp,
 425                              krb5_int32 *start,
 426                              krb5_int32 ktype,
 427                              krb5_int32 stype,
 428                              krb5_int32 kvno,
 429                              krb5_key_data **kdatap);
 430
 431 krb5_error_code
 432 krb5_def_store_mkey( krb5_context context,
 433                      char *keyfile,
 434                      krb5_principal mname,
 435                      krb5_keyblock *key,
 436                      char *master_pwd);
 437
 438
 439 krb5_error_code
 440 krb5_db_def_fetch_mkey( krb5_context   context,
 441                         krb5_principal mname,
 442                         krb5_keyblock *key,
 443                         int           *kvno,
 444                         char          *db_args);
 445
 446 krb5_error_code
 447 krb5_def_verify_master_key( krb5_context context,
 448                             krb5_principal mprinc,
 449                             krb5_keyblock *mkey);
 450
 451 krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
 452                                    char *pwd,
 453                                    krb5_keyblock *key );
 454
 455 krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
 456                                    krb5_keyblock **key );
 457
 458 krb5_error_code
 459 krb5_dbe_def_cpw( krb5_context    context,
 460                   krb5_keyblock       * master_key,
 461                   krb5_key_salt_tuple   * ks_tuple,
 462                   int                     ks_tuple_count,
 463                   char          * passwd,
 464                   int                     new_kvno,
 465                   krb5_boolean    keepold,
 466                   krb5_db_entry * db_entry);
 467
 468 krb5_error_code
 469 krb5_def_promote_db(krb5_context, char *, char **);
 470
 471 krb5_error_code
 472 krb5_db_create_policy( krb5_context kcontext,
 473                        osa_policy_ent_t policy);
 474
 475 krb5_error_code
 476 krb5_db_get_policy ( krb5_context kcontext,
 477                      char *name,
 478                      osa_policy_ent_t *policy,
 479                      int *nentries);
 480
 481 krb5_error_code
 482 krb5_db_put_policy( krb5_context kcontext,
 483                     osa_policy_ent_t policy);
 484
 485 krb5_error_code
 486 krb5_db_iter_policy( krb5_context kcontext,
 487                      char *match_entry,
 488                      osa_adb_iter_policy_func func,
 489                      void *data);
 490
 491 krb5_error_code
 492 krb5_db_delete_policy( krb5_context kcontext,
 493                        char *policy);
 494
 495 void
 496 krb5_db_free_policy( krb5_context kcontext,
 497                      osa_policy_ent_t policy);
 498
 499 #define KRB5_KDB_DEF_FLAGS      0
 500
 501 #endif /* !defined(_WIN32) */
 502
 503 #endif /* KRB5_KDB5__ */