1 /* $NetBSD: hdb.h,v 1.1.1.2 2011/04/14 14:08:23 elric Exp $ */ 2 3 /* 4 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 /* Id */ 37 38 #ifndef __HDB_H__ 39 #define __HDB_H__ 40 41 #include <krb5/krb5.h> 42 43 #include <krb5/hdb_err.h> 44 45 #include <krb5/heim_asn1.h> 46 #include <krb5/hdb_asn1.h> 47 48 struct hdb_dbinfo; 49 50 enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; 51 52 /* flags for various functions */ 53 #define HDB_F_DECRYPT 1 /* decrypt keys */ 54 #define HDB_F_REPLACE 2 /* replace entry */ 55 #define HDB_F_GET_CLIENT 4 /* fetch client */ 56 #define HDB_F_GET_SERVER 8 /* fetch server */ 57 #define HDB_F_GET_KRBTGT 16 /* fetch krbtgt */ 58 #define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ 59 #define HDB_F_CANON 32 /* want canonicalition */ 60 #define HDB_F_ADMIN_DATA 64 /* want data that kdc don't use */ 61 #define HDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ 62 63 /* hdb_capability_flags */ 64 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 65 #define HDB_CAP_F_HANDLE_PASSWORDS 2 66 #define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4 67 68 /* auth status values */ 69 #define HDB_AUTH_SUCCESS 0 70 #define HDB_AUTH_WRONG_PASSWORD 1 71 #define HDB_AUTH_INVALID_SIGNATURE 2 72 73 /* key usage for master key */ 74 #define HDB_KU_MKEY 0x484442 75 76 typedef struct hdb_master_key_data *hdb_master_key; 77 78 /** 79 * hdb_entry_ex is a wrapper structure around the hdb_entry structure 80 * that allows backends to keep a pointer to the backing store, ie in 81 * ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to 82 * ->hdb_store(), the backend doesn't need to lookup the entry again. 83 */ 84 85 typedef struct hdb_entry_ex { 86 void *ctx; 87 hdb_entry entry; 88 void (*free_entry)(krb5_context, struct hdb_entry_ex *); 89 } hdb_entry_ex; 90 91 92 /** 93 * HDB backend function pointer structure 94 * 95 * The HDB structure is what the KDC and kadmind framework uses to 96 * query the backend database when talking about principals. 97 */ 98 99 typedef struct HDB{ 100 void *hdb_db; 101 void *hdb_dbc; /** don't use, only for DB3 */ 102 char *hdb_name; 103 int hdb_master_key_set; 104 hdb_master_key hdb_master_key; 105 int hdb_openp; 106 int hdb_capability_flags; 107 /** 108 * Open (or create) the a Kerberos database. 109 * 110 * Open (or create) the a Kerberos database that was resolved with 111 * hdb_create(). The third and fourth flag to the function are the 112 * same as open(), thus passing O_CREAT will create the data base 113 * if it doesn't exists. 114 * 115 * Then done the caller should call hdb_close(), and to release 116 * all resources hdb_destroy(). 117 */ 118 krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t); 119 /** 120 * Close the database for transaction 121 * 122 * Closes the database for further transactions, wont release any 123 * permanant resources. the database can be ->hdb_open-ed again. 124 */ 125 krb5_error_code (*hdb_close)(krb5_context, struct HDB*); 126 /** 127 * Free an entry after use. 128 */ 129 void (*hdb_free)(krb5_context, struct HDB*, hdb_entry_ex*); 130 /** 131 * Fetch an entry from the backend 132 * 133 * Fetch an entry from the backend, flags are what type of entry 134 * should be fetch: client, server, krbtgt. 135 * knvo (if specified and flags HDB_F_KVNO_SPECIFIED set) is the kvno to get 136 */ 137 krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*, 138 krb5_const_principal, unsigned, krb5_kvno, 139 hdb_entry_ex*); 140 /** 141 * Store an entry to database 142 */ 143 krb5_error_code (*hdb_store)(krb5_context, struct HDB*, 144 unsigned, hdb_entry_ex*); 145 /** 146 * Remove an entry from the database. 147 */ 148 krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, 149 krb5_const_principal); 150 /** 151 * As part of iteration, fetch one entry 152 */ 153 krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, 154 unsigned, hdb_entry_ex*); 155 /** 156 * As part of iteration, fetch next entry 157 */ 158 krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, 159 unsigned, hdb_entry_ex*); 160 /** 161 * Lock database 162 * 163 * A lock can only be held by one consumers. Transaction can still 164 * happen on the database while the lock is held, so the entry is 165 * only useful for syncroning creation of the database and renaming of the database. 166 */ 167 krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int); 168 /** 169 * Unlock database 170 */ 171 krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*); 172 /** 173 * Rename the data base. 174 * 175 * Assume that the database is not hdb_open'ed and not locked. 176 */ 177 krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*); 178 /** 179 * Get an hdb_entry from a classical DB backend 180 * 181 * If the database is a classical DB (ie BDB, NDBM, GDBM, etc) 182 * backend, this function will take a principal key (krb5_data) 183 * and return all data related to principal in the return 184 * krb5_data. The returned encoded entry is of type hdb_entry or 185 * hdb_entry_alias. 186 */ 187 krb5_error_code (*hdb__get)(krb5_context, struct HDB*, 188 krb5_data, krb5_data*); 189 /** 190 * Store an hdb_entry from a classical DB backend 191 * 192 * Same discussion as in @ref HDB::hdb__get 193 */ 194 krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int, 195 krb5_data, krb5_data); 196 /** 197 * Delete and hdb_entry from a classical DB backend 198 * 199 * Same discussion as in @ref HDB::hdb__get 200 */ 201 krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data); 202 /** 203 * Destroy the handle to the database. 204 * 205 * Destroy the handle to the database, deallocate all memory and 206 * related resources. Does not remove any permanent data. Its the 207 * logical reverse of hdb_create() function that is the entry 208 * point for the module. 209 */ 210 krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); 211 /** 212 * Get the list of realms this backend handles. 213 * This call is optional to support. The returned realms are used 214 * for announcing the realms over bonjour. Free returned array 215 * with krb5_free_host_realm(). 216 */ 217 krb5_error_code (*hdb_get_realms)(krb5_context, struct HDB *, krb5_realm **); 218 /** 219 * Change password. 220 * 221 * Will update keys for the entry when given password. The new 222 * keys must be written into the entry and will then later be 223 * ->hdb_store() into the database. The backend will still perform 224 * all other operations, increasing the kvno, and update 225 * modification timestamp. 226 * 227 * The backend needs to call _kadm5_set_keys() and perform password 228 * quality checks. 229 */ 230 krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); 231 232 /** 233 * Auth feedback 234 * 235 * This is a feedback call that allows backends that provides 236 * lockout functionality to register failure and/or successes. 237 * 238 * In case the entry is locked out, the backend should set the 239 * hdb_entry.flags.locked-out flag. 240 */ 241 krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int); 242 /** 243 * Check if delegation is allowed. 244 */ 245 krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); 246 247 /** 248 * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins 249 */ 250 krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); 251 252 /** 253 * Check if s4u2self is allowed from this client to this server 254 */ 255 krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); 256 }HDB; 257 258 #define HDB_INTERFACE_VERSION 7 259 260 struct hdb_so_method { 261 int version; 262 const char *prefix; 263 krb5_error_code (*create)(krb5_context, HDB **, const char *filename); 264 }; 265 266 typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*, 267 hdb_entry_ex*, void*); 268 extern krb5_kt_ops hdb_kt_ops; 269 270 struct hdb_method { 271 int interface_version; 272 const char *prefix; 273 krb5_error_code (*create)(krb5_context, HDB **, const char *filename); 274 }; 275 276 extern const int hdb_interface_version; 277 278 #include <krb5/hdb-protos.h> 279 280 #endif /* __HDB_H__ */ 281