1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * include/krb5/kdb.h 8 * 9 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 10 * All Rights Reserved. 11 * 12 * Export of this software from the United States of America may 13 * require a specific license from the United States Government. 14 * It is the responsibility of any person or organization contemplating 15 * export to obtain such a license before exporting. 16 * 17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 18 * distribute this software and its documentation for any purpose and 19 * without fee is hereby granted, provided that the above copyright 20 * notice appear in all copies and that both that copyright notice and 21 * this permission notice appear in supporting documentation, and that 22 * the name of M.I.T. not be used in advertising or publicity pertaining 23 * to distribution of the software without specific, written prior 24 * permission. Furthermore if you modify this software you must label 25 * your software as modified software and not distribute it in such a 26 * fashion that it might be confused with the original M.I.T. software. 27 * M.I.T. makes no representations about the suitability of 28 * this software for any purpose. It is provided "as is" without express 29 * or implied warranty. 30 * 31 * 32 * KDC Database interface definitions. 33 */ 34 35 /* 36 * Copyright (C) 1998 by the FundsXpress, INC. 37 * 38 * All rights reserved. 39 * 40 * Export of this software from the United States of America may require 41 * a specific license from the United States Government. It is the 42 * responsibility of any person or organization contemplating export to 43 * obtain such a license before exporting. 
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#ifndef KRB5_KDB5__
#define KRB5_KDB5__

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * NOTE(review): this header includes nothing itself but uses the krb5
 * scalar types (krb5_int16, krb5_ui_2, krb5_octet, krb5_deltat, ...),
 * time_t (krb5_db_get_age) and uint32_t (osa_policy_ent_rec).  The
 * including file is expected to have pulled in the krb5 headers and
 * <time.h>/<stdint.h> first -- confirm against the callers.
 */

/*
 * Salt types.  Per the krb5_key_data comment below, key_data_type[1]
 * carries one of these; krb5_keysalt.type presumably does as well.
 */
#define KRB5_KDB_SALTTYPE_NORMAL 0
#define KRB5_KDB_SALTTYPE_V4 1
#define KRB5_KDB_SALTTYPE_NOREALM 2
#define KRB5_KDB_SALTTYPE_ONLYREALM 3
#define KRB5_KDB_SALTTYPE_SPECIAL 4
#define KRB5_KDB_SALTTYPE_AFS3 5

/*
 * Attributes: bit flags carried in krb5_db_entry.attributes (krb5_flags).
 * Bits 0x00000400 and 0x00000800 are not assigned in this header.
 * KRB5_KDB_DISALLOW_ALL_TIX is the lockout bit referenced by
 * KRB5_MAX_FAIL_COUNT below.
 */
#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
#define KRB5_KDB_DISALLOW_SVR 0x00001000
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000

/* Creation flags (on-disk index type selected at database creation) */
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002

#if !defined(_WIN32)

/*
 * Note --- these structures cannot be modified without changing the
 * database version number in libkdb.a, but should be expandable by
 * adding new tl_data types.
 */
/*
 * One element of a principal's tagged-data list (krb5_db_entry.tl_data).
 * tl_data_type takes the KRB5_TL_* values defined below; tl_data_length
 * is the byte count behind tl_data_contents.
 */
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next; /* NOT saved */
    krb5_int16 tl_data_type;
    krb5_ui_2 tl_data_length;
    krb5_octet * tl_data_contents;
} krb5_tl_data;

/*
 * If this ever changes up the version number and make the arrays be as
 * big as necessary.
 *
 * Currently the first type is the enctype and the second is the salt type.
 */
/*
 * One (encrypted) key of a principal (krb5_db_entry.key_data array).
 * The [2] arrays are indexed in parallel: [0] describes the key,
 * [1] the salt; KRB5_KDB_V1_KEY_DATA_ARRAY below names that count.
 */
typedef struct _krb5_key_data {
    krb5_int16 key_data_ver; /* Version */
    krb5_int16 key_data_kvno; /* Key Version */
    krb5_int16 key_data_type[2]; /* Array of types */
/*
 * The block below is compiled out (#if 0) and is kept only as a resync
 * marker; the unquoted "Array of lengths" text inside it never reaches
 * the compiler.
 */
#if 0
    /*
     * SUNW14resync (mech)
     * This has changed in the mech so we change it here also
     * prior to the admin resync.
     */
    krb5_ui_2 key_data_length[2]; Array of lengths
#endif
    krb5_int16 key_data_length[2]; /* Array of lengths */
    krb5_octet * key_data_contents[2]; /* Array of pointers */
} krb5_key_data;

#define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */

/* Salt description handed around by the dbekd encrypt/decrypt routines. */
typedef struct _krb5_keysalt {
    krb5_int16 type;
    krb5_data data; /* Length, data */
} krb5_keysalt;

/*
 * In-memory form of one database record.  n_tl_data/n_key_data are the
 * element counts for the tl_data list and the key_data array; e_length is
 * the byte count behind e_data.  Fields marked "NOT saved" are runtime-only.
 */
typedef struct _krb5_db_entry_new {
    krb5_magic magic; /* NOT saved */
    krb5_ui_2 len;
    krb5_ui_4 mask; /* members currently changed/set */
    krb5_flags attributes; /* KRB5_KDB_* attribute bits above */
    krb5_deltat max_life;
    krb5_deltat max_renewable_life;
    krb5_timestamp expiration; /* When the client expires */
    krb5_timestamp pw_expiration; /* When its passwd expires */
    krb5_timestamp last_success; /* Last successful passwd */
    krb5_timestamp last_failed; /* Last failed passwd attempt */
    krb5_kvno fail_auth_count; /* # of failed passwd attempt */
    krb5_int16 n_tl_data;
    krb5_int16 n_key_data;
    krb5_ui_2 e_length; /* Length of extra data */
    krb5_octet * e_data; /* Extra data to be saved */

    krb5_principal princ; /* Length, data */
    krb5_tl_data * tl_data; /* Linked list */
    krb5_key_data * key_data; /* Array */
} krb5_db_entry;

/*
 * (enctype, salttype) pair used by the key-change routines (krb5_dbe_cpw
 * and friends) to say which keys to generate.  The struct tag starts with
 * a double underscore, a reserved identifier; kept as-is for compatibility.
 */
typedef struct __krb5_key_salt_tuple {
    krb5_enctype ks_enctype;
    krb5_int32 ks_salttype;
} krb5_key_salt_tuple;

#define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb
#define KRB5_KDB_V1_BASE_LENGTH 38

/* tl_data_type values for krb5_tl_data */
#define KRB5_TL_LAST_PWD_CHANGE 0x0001
#define KRB5_TL_MOD_PRINC 0x0002
#define KRB5_TL_KADM_DATA 0x0003
#define KRB5_TL_KADM5_E_DATA 0x0004
#define KRB5_TL_RB1_CHALLENGE 0x0005
/* Note: KRB5_TL_DB_ARGS is only visible when SECURID is defined. */
#ifdef SECURID
#define KRB5_TL_SECURID_STATE 0x0006
#define KRB5_TL_DB_ARGS 0x7fff
#endif /* SECURID */

/*
 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
 * on the principal.
 */
#define KRB5_MAX_FAIL_COUNT 5

/* XXX depends on knowledge of krb5_parse_name() formats */
#define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */

/* prompts used by default when reading the KDC password from the keyboard. */
#define KRB5_KDC_MKEY_1 "Enter KDC database master key"
#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify"

/* Overridable prompt strings; defined in libkdb, not here. */
extern char *krb5_mkey_pwd_prompt1;
extern char *krb5_mkey_pwd_prompt2;

/*
 * These macros specify the encoding of data within the database.
 *
 * Data encoding is little-endian.
 *
 * decode: reads 2 (int16) or 4 (int32) bytes starting at (cp)[0].  Nothing
 * here checks that many bytes are readable -- the caller must bound the
 * buffer first, since the bytes come from the on-disk record.  The value
 * is stored by writing through a (krb5_int16 *)/(krb5_int32 *) cast of
 * &i16/&i32, so the destination must genuinely be an object of that width.
 *
 * encode: writes 2 or 4 bytes starting at (cp)[0]; same bounds caveat.
 * The encode macros expand to a bare brace block, not do { } while (0):
 * the ';' after an invocation is an empty statement, so they cannot be the
 * sole statement of an unbraced `if (...) ... else ...`.
 */
#define krb5_kdb_decode_int16(cp, i16) \
 *((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \
 ((krb5_int16) ((unsigned char) (cp)[1]) << 8))
#define krb5_kdb_decode_int32(cp, i32) \
 *((krb5_int32 *) &(i32)) = (((krb5_int32) ((unsigned char) (cp)[0]))| \
 ((krb5_int32) ((unsigned char) (cp)[1]) << 8) | \
 ((krb5_int32) ((unsigned char) (cp)[2]) << 16)| \
 ((krb5_int32) ((unsigned char) (cp)[3]) << 24))
#define krb5_kdb_encode_int16(i16, cp) \
 { \
 (cp)[0] = (unsigned char) ((i16) & 0xff); \
 (cp)[1] = (unsigned char) (((i16) >> 8) & 0xff); \
 }
#define krb5_kdb_encode_int32(i32, cp) \
 { \
 (cp)[0] = (unsigned char) ((i32) & 0xff); \
 (cp)[1] = (unsigned char) (((i32) >> 8) & 0xff); \
 (cp)[2] = (unsigned char) (((i32) >> 16) & 0xff); \
 (cp)[3] = (unsigned char) (((i32) >> 24) & 0xff); \
 }

/* mode argument of krb5_db_open */
#define KRB5_KDB_OPEN_RW 0
#define KRB5_KDB_OPEN_RO 1

/* Server types; guarded so another header may define them first. */
#ifndef KRB5_KDB_SRV_TYPE_KDC
#define KRB5_KDB_SRV_TYPE_KDC 0x0100
#endif

#ifndef KRB5_KDB_SRV_TYPE_ADMIN
#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200
#endif

#ifndef KRB5_KDB_SRV_TYPE_PASSWD
#define KRB5_KDB_SRV_TYPE_PASSWD 0x0300
#endif

#ifndef KRB5_KDB_SRV_TYPE_OTHER
#define KRB5_KDB_SRV_TYPE_OTHER 0x0400
#endif

/* option argument of krb5_db_set_option */
#define KRB5_KDB_OPT_SET_DB_NAME 0
#define KRB5_KDB_OPT_SET_LOCK_MODE 1

/*
 * lock_mode argument of krb5_db_lock.  The values are distinct bits, so
 * they are presumably meant to be OR'ed together -- confirm in libkdb.
 */
#define KRB5_DB_LOCKMODE_SHARED 0x0001
#define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002
#define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008

/* libkdb.spec */
/*
 * Database lifecycle.  db_args is a NULL-terminated argv-style vector in
 * all of these; error codes are krb5_error_code (0 on success).
 */
krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
krb5_error_code krb5_db_init ( krb5_context kcontext );
krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_inited ( krb5_context kcontext );
krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_fini ( krb5_context kcontext );
const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value );
/* Locking; see the KRB5_DB_LOCKMODE_* values above. */
krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
krb5_error_code krb5_db_unlock ( krb5_context kcontext );
/*
 * Principal lookup.  entries/nentries are in-out: the caller supplies the
 * array and its capacity, the callee returns the count filled in and sets
 * *more if further matches exist.  Entries returned here are released with
 * krb5_db_free_principal.  The _nolock variant has the same signature and
 * presumably skips the database lock -- the caller is then responsible for
 * holding it.
 */
krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
 krb5_const_principal search_for,
 krb5_db_entry *entries,
 int *nentries,
 krb5_boolean *more );
krb5_error_code krb5_db_get_principal_nolock ( krb5_context kcontext,
 krb5_const_principal search_for,
 krb5_db_entry *entries,
 int *nentries,
 krb5_boolean *more );
krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
 krb5_db_entry *entry,
 int count );
krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
 krb5_db_entry *entries,
 int *nentries);
krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
 krb5_principal search_for,
 int *nentries );
/* Solaris Kerberos: adding support for db_args */
/*
 * Iterate over entries matching match_entry, calling func(func_arg, entry)
 * for each.  db_args is the Solaris extension named by the comment above.
 */
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
 char *match_entry,
 int (*func) (krb5_pointer, krb5_db_entry *),
 krb5_pointer func_arg,
 char **db_args );
krb5_error_code krb5_supported_realms ( krb5_context kcontext,
 char **realms );
krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
 char **realms );

/*
 * Master key handling.  Several of these take the master key or a plaintext
 * password (pwd, master_pwd) by non-const pointer.  NOTE(review): the header
 * does not state who frees or zeroizes that material after use; pair
 * krb5_db_free_master_key with the fetch/set calls and confirm the
 * zeroization behaviour in the implementation.
 */
krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
 char *pwd,
 krb5_keyblock *key );
krb5_error_code krb5_db_set_mkey ( krb5_context context,
 krb5_keyblock *key);
krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
 krb5_keyblock **key );
krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
 krb5_keyblock *key );
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
 char *db_arg,
 krb5_principal mname,
 krb5_keyblock *key,
 char *master_pwd);
/*
 * fromkeyboard selects interactive entry (presumably using the
 * KRB5_KDC_MKEY_* prompts, or the krb5_mkey_pwd_prompt* overrides);
 * twice asks for confirmation.  Here db_args is a single string, unlike
 * the char ** used by the other entry points.
 */
krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
 krb5_principal mname,
 krb5_enctype etype,
 krb5_boolean fromkeyboard,
 krb5_boolean twice,
 char *db_args,
 krb5_data *salt,
 krb5_keyblock *key);
krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
 krb5_principal mprinc,
 krb5_keyblock *mkey );
/*
 * Key selection within one entry.  ktype/stype/kvno filter on enctype,
 * salt type and key version; *kdatap receives a pointer into
 * dbentp->key_data (not a copy).  The search variant resumes from *start.
 */
krb5_error_code
krb5_dbe_find_enctype( krb5_context kcontext,
 krb5_db_entry *dbentp,
 krb5_int32 ktype,
 krb5_int32 stype,
 krb5_int32 kvno,
 krb5_key_data **kdatap);


krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
 krb5_db_entry *dbentp,
 krb5_int32 *start,
 krb5_int32 ktype,
 krb5_int32 stype,
 krb5_int32 kvno,
 krb5_key_data **kdatap);

/* Builds the master-key principal name (cf. KRB5_KDB_M_NAME) for realm. */
krb5_error_code
krb5_db_setup_mkey_name ( krb5_context context,
 const char *keyname,
 const char *realm,
 char **fullname,
 krb5_principal *principal);

/*
 * Unwrap one stored key with the master key into dbkey/keysalt, and the
 * reverse.  keyver is the key_data_ver to produce.
 */
krb5_error_code
krb5_dbekd_decrypt_key_data( krb5_context context,
 const krb5_keyblock * mkey,
 const krb5_key_data * key_data,
 krb5_keyblock * dbkey,
 krb5_keysalt * keysalt);

krb5_error_code
krb5_dbekd_encrypt_key_data( krb5_context context,
 const krb5_keyblock * mkey,
 const krb5_keyblock * dbkey,
 const krb5_keysalt * keysalt,
 int keyver,
 krb5_key_data * key_data);

/* tl_data accessors (KRB5_TL_MOD_PRINC / KRB5_TL_LAST_PWD_CHANGE and raw). */
krb5_error_code
krb5_dbe_lookup_mod_princ_data( krb5_context context,
 krb5_db_entry * entry,
 krb5_timestamp * mod_time,
 krb5_principal * mod_princ);


krb5_error_code
krb5_dbe_update_last_pwd_change( krb5_context context,
 krb5_db_entry * entry,
 krb5_timestamp stamp);

/* ret_tl_data->tl_data_type selects which element is looked up. */
krb5_error_code
krb5_dbe_lookup_tl_data( krb5_context context,
 krb5_db_entry * entry,
 krb5_tl_data * ret_tl_data);

krb5_error_code
krb5_dbe_create_key_data( krb5_context context,
 krb5_db_entry * entry);


krb5_error_code
krb5_dbe_update_mod_princ_data( krb5_context context,
 krb5_db_entry * entry,
 krb5_timestamp mod_date,
 krb5_const_principal mod_princ);

/* Declared a second time below, identically; harmless but redundant. */
krb5_error_code
krb5_dbe_update_last_pwd_change( krb5_context context,
 krb5_db_entry * entry,
 krb5_timestamp stamp);

/*
 * Allocator hooks: krb5_db_alloc has a realloc-shaped signature (ptr in,
 * size); memory obtained from it goes back through krb5_db_free.
 */
void *krb5_db_alloc( krb5_context kcontext,
 void *ptr,
 size_t size );

void krb5_db_free( krb5_context kcontext,
 void *ptr);


krb5_error_code
krb5_dbe_lookup_last_pwd_change( krb5_context context,
 krb5_db_entry * entry,
 krb5_timestamp * stamp);

krb5_error_code
krb5_dbe_update_tl_data( krb5_context context,
 krb5_db_entry * entry,
 krb5_tl_data * new_tl_data);

/*
 * Key change operations on db_entry, all keyed by the master key and a
 * ks_tuple[ks_tuple_count] list of (enctype, salttype) pairs:
 *   cpw - change password to passwd at new_kvno
 *   ark - add random keys
 *   crk - change to random keys
 *   apw - add keys derived from passwd
 * keepold, where present, retains the previous keys.  passwd is plaintext
 * and non-const; NOTE(review): confirm the implementation does not retain it.
 */
krb5_error_code
krb5_dbe_cpw( krb5_context kcontext,
 krb5_keyblock * master_key,
 krb5_key_salt_tuple * ks_tuple,
 int ks_tuple_count,
 char * passwd,
 int new_kvno,
 krb5_boolean keepold,
 krb5_db_entry * db_entry);


krb5_error_code
krb5_dbe_ark( krb5_context context,
 krb5_keyblock * master_key,
 krb5_key_salt_tuple * ks_tuple,
 int ks_tuple_count,
 krb5_db_entry * db_entry);

krb5_error_code
krb5_dbe_crk( krb5_context context,
 krb5_keyblock * master_key,
 krb5_key_salt_tuple * ks_tuple,
 int ks_tuple_count,
 krb5_boolean keepold,
 krb5_db_entry * db_entry);

krb5_error_code
krb5_dbe_apw( krb5_context context,
 krb5_keyblock * master_key,
 krb5_key_salt_tuple * ks_tuple,
 int ks_tuple_count,
 char * passwd,
 krb5_db_entry * db_entry);

/* default functions. Should not be directly called */
/*
 * Default functions prototype
 *
 * These are the fallback implementations behind the krb5_db_* / krb5_dbe_*
 * entry points above; a database plugin presumably installs its own.
 */

krb5_error_code
krb5_dbe_def_search_enctype( krb5_context kcontext,
 krb5_db_entry *dbentp,
 krb5_int32 *start,
 krb5_int32 ktype,
 krb5_int32 stype,
 krb5_int32 kvno,
 krb5_key_data **kdatap);

/* keyfile is a path; the master key and master_pwd are written there. */
krb5_error_code
krb5_def_store_mkey( krb5_context context,
 char *keyfile,
 krb5_principal mname,
 krb5_keyblock *key,
 char *master_pwd);


krb5_error_code
krb5_db_def_fetch_mkey( krb5_context context,
 krb5_principal mname,
 krb5_keyblock *key,
 int *kvno,
 char *db_args);

krb5_error_code
krb5_def_verify_master_key( krb5_context context,
 krb5_principal mprinc,
 krb5_keyblock *mkey);

krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
 char *pwd,
 krb5_keyblock *key );

krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
 krb5_keyblock **key );

krb5_error_code
krb5_dbe_def_cpw( krb5_context context,
 krb5_keyblock * master_key,
 krb5_key_salt_tuple * ks_tuple,
 int ks_tuple_count,
 char * passwd,
 int new_kvno,
 krb5_boolean keepold,
 krb5_db_entry * db_entry);

/* *iprop_supported is set non-zero if incremental propagation is available. */
krb5_error_code
krb5_db_supports_iprop(krb5_context kcontext, int *iprop_supported);

/* (context, db_name, db_args) -- parameter names omitted in the original. */
krb5_error_code
krb5_def_promote_db(krb5_context, char *, char **);

/*
 * Password policy record.  Lifetimes are in seconds and lengths/counts are
 * plain numbers; policy_refcnt counts principals referencing the policy.
 * osa_policy_ent_t is a typedef'd pointer (hides indirection); kept for
 * API compatibility.
 */
typedef struct _osa_policy_ent_t {
    int version;
    char *name;
    uint32_t pw_min_life;
    uint32_t pw_max_life;
    uint32_t pw_min_length;
    uint32_t pw_min_classes;
    uint32_t pw_history_num;
    uint32_t policy_refcnt;
} osa_policy_ent_rec, *osa_policy_ent_t;

/* Callback for krb5_db_iter_policy: (data, policy). */
typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);

krb5_error_code
krb5_db_create_policy( krb5_context kcontext,
 osa_policy_ent_t policy);

/* *policy is allocated by the callee; release it with krb5_db_free_policy. */
krb5_error_code
krb5_db_get_policy ( krb5_context kcontext,
 char *name,
 osa_policy_ent_t *policy,
 int *nentries);

krb5_error_code
krb5_db_put_policy( krb5_context kcontext,
 osa_policy_ent_t policy);

krb5_error_code
krb5_db_iter_policy( krb5_context kcontext,
 char *match_entry,
 osa_adb_iter_policy_func func,
 void *data);

krb5_error_code
krb5_db_delete_policy( krb5_context kcontext,
 char *policy);

void
krb5_db_free_policy( krb5_context kcontext,
 osa_policy_ent_t policy);

#define KRB5_KDB_DEF_FLAGS 0

#endif /* !defined(_WIN32) */
#endif /* KRB5_KDB5__ */