Mercurial > repos > rliterman > csp2

annotate CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/include/kdb.h @ 69:33d812a61356

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 17:55:14 -0400
parents
children
rev   line source
jpayne@69 1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
jpayne@69 2 /*
jpayne@69 3 * Copyright 1990, 1991, 2016 by the Massachusetts Institute of Technology.
jpayne@69 4 * All Rights Reserved.
jpayne@69 5 *
jpayne@69 6 * Export of this software from the United States of America may
jpayne@69 7 * require a specific license from the United States Government.
jpayne@69 8 * It is the responsibility of any person or organization contemplating
jpayne@69 9 * export to obtain such a license before exporting.
jpayne@69 10 *
jpayne@69 11 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
jpayne@69 12 * distribute this software and its documentation for any purpose and
jpayne@69 13 * without fee is hereby granted, provided that the above copyright
jpayne@69 14 * notice appear in all copies and that both that copyright notice and
jpayne@69 15 * this permission notice appear in supporting documentation, and that
jpayne@69 16 * the name of M.I.T. not be used in advertising or publicity pertaining
jpayne@69 17 * to distribution of the software without specific, written prior
jpayne@69 18 * permission. Furthermore if you modify this software you must label
jpayne@69 19 * your software as modified software and not distribute it in such a
jpayne@69 20 * fashion that it might be confused with the original M.I.T. software.
jpayne@69 21 * M.I.T. makes no representations about the suitability of
jpayne@69 22 * this software for any purpose. It is provided "as is" without express
jpayne@69 23 * or implied warranty.
jpayne@69 24 */
jpayne@69 25 /*
jpayne@69 26 * Copyright (C) 1998 by the FundsXpress, INC.
jpayne@69 27 *
jpayne@69 28 * All rights reserved.
jpayne@69 29 *
jpayne@69 30 * Export of this software from the United States of America may require
jpayne@69 31 * a specific license from the United States Government. It is the
jpayne@69 32 * responsibility of any person or organization contemplating export to
jpayne@69 33 * obtain such a license before exporting.
jpayne@69 34 *
jpayne@69 35 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
jpayne@69 36 * distribute this software and its documentation for any purpose and
jpayne@69 37 * without fee is hereby granted, provided that the above copyright
jpayne@69 38 * notice appear in all copies and that both that copyright notice and
jpayne@69 39 * this permission notice appear in supporting documentation, and that
jpayne@69 40 * the name of FundsXpress. not be used in advertising or publicity pertaining
jpayne@69 41 * to distribution of the software without specific, written prior
jpayne@69 42 * permission. FundsXpress makes no representations about the suitability of
jpayne@69 43 * this software for any purpose. It is provided "as is" without express
jpayne@69 44 * or implied warranty.
jpayne@69 45 *
jpayne@69 46 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
jpayne@69 47 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
jpayne@69 48 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
jpayne@69 49 */
jpayne@69 50 /*
jpayne@69 51 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
jpayne@69 52 * Use is subject to license terms.
jpayne@69 53 */
jpayne@69 54
jpayne@69 55 /* KDC Database interface definitions */
jpayne@69 56
jpayne@69 57 /* This API is not considered as stable as the main krb5 API.
jpayne@69 58 *
jpayne@69 59 * - We may make arbitrary incompatible changes between feature
jpayne@69 60 * releases (e.g. from 1.7 to 1.8).
jpayne@69 61 * - We will make some effort to avoid making incompatible changes for
jpayne@69 62 * bugfix releases, but will make them if necessary.
jpayne@69 63 */
jpayne@69 64
jpayne@69 65 #ifndef KRB5_KDB5__
jpayne@69 66 #define KRB5_KDB5__
jpayne@69 67
jpayne@69 68 #include <krb5.h>
jpayne@69 69
jpayne@69 70 /* This version will be incremented when incompatible changes are made to the
jpayne@69 71 * KDB API, and will be kept in sync with the libkdb major version. */
jpayne@69 72 #define KRB5_KDB_API_VERSION 10
jpayne@69 73
jpayne@69 74 /* Salt types */
jpayne@69 75 #define KRB5_KDB_SALTTYPE_NORMAL 0
jpayne@69 76 /* #define KRB5_KDB_SALTTYPE_V4 1 */
jpayne@69 77 #define KRB5_KDB_SALTTYPE_NOREALM 2
jpayne@69 78 #define KRB5_KDB_SALTTYPE_ONLYREALM 3
jpayne@69 79 #define KRB5_KDB_SALTTYPE_SPECIAL 4
jpayne@69 80 /* #define KRB5_KDB_SALTTYPE_AFS3 5 */
jpayne@69 81 #define KRB5_KDB_SALTTYPE_CERTHASH 6
jpayne@69 82
jpayne@69 83 /* Attributes */
jpayne@69 84 #define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
jpayne@69 85 #define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
jpayne@69 86 #define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
jpayne@69 87 #define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
jpayne@69 88 #define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
jpayne@69 89 #define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
jpayne@69 90 #define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
jpayne@69 91 #define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
jpayne@69 92 #define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
jpayne@69 93 #define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
jpayne@69 94 #define KRB5_KDB_DISALLOW_SVR 0x00001000
jpayne@69 95 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
jpayne@69 96 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
jpayne@69 97 #define KRB5_KDB_NEW_PRINC 0x00008000
jpayne@69 98 #define KRB5_KDB_OK_AS_DELEGATE 0x00100000
jpayne@69 99 #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
jpayne@69 100 #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
jpayne@69 101 #define KRB5_KDB_LOCKDOWN_KEYS 0x00800000
jpayne@69 102
jpayne@69 103 /* Creation flags */
jpayne@69 104 #define KRB5_KDB_CREATE_BTREE 0x00000001
jpayne@69 105 #define KRB5_KDB_CREATE_HASH 0x00000002
jpayne@69 106
jpayne@69 107 /* Entry get flags */
jpayne@69 108 /* Okay to generate a referral on lookup */
jpayne@69 109 #define KRB5_KDB_FLAG_REFERRAL_OK 0x00000010
jpayne@69 110 /* Client principal lookup (client referrals only) */
jpayne@69 111 #define KRB5_KDB_FLAG_CLIENT 0x00000040
jpayne@69 112 /* Map cross-realm principals */
jpayne@69 113 #define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
jpayne@69 114 /* Protocol transition */
jpayne@69 115 #define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
jpayne@69 116 /* Constrained delegation */
jpayne@69 117 #define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
jpayne@69 118 /* User-to-user */
jpayne@69 119 #define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
jpayne@69 120 /* Cross-realm */
jpayne@69 121 #define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
jpayne@69 122 /* Issuing referral */
jpayne@69 123 #define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
jpayne@69 124
jpayne@69 125
jpayne@69 126 #define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
jpayne@69 127 KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
jpayne@69 128
jpayne@69 129 /* KDB iteration flags */
jpayne@69 130 #define KRB5_DB_ITER_WRITE 0x00000001
jpayne@69 131 #define KRB5_DB_ITER_REV 0x00000002
jpayne@69 132 #define KRB5_DB_ITER_RECURSE 0x00000004
jpayne@69 133
jpayne@69 134 /* String attribute names recognized by krb5 */
jpayne@69 135 #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
jpayne@69 136 #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
jpayne@69 137
jpayne@69 138 #if !defined(_WIN32)
jpayne@69 139
jpayne@69 140 /*
jpayne@69 141 * Note --- these structures cannot be modified without changing the
jpayne@69 142 * database version number in libkdb.a, but should be expandable by
jpayne@69 143 * adding new tl_data types.
jpayne@69 144 */
jpayne@69 145 typedef struct _krb5_tl_data {
jpayne@69 146 struct _krb5_tl_data* tl_data_next; /* NOT saved */
jpayne@69 147 krb5_int16 tl_data_type;
jpayne@69 148 krb5_ui_2 tl_data_length;
jpayne@69 149 krb5_octet * tl_data_contents;
jpayne@69 150 } krb5_tl_data;
jpayne@69 151
jpayne@69 152 /* String attributes (currently stored inside tl-data) map C string keys to
jpayne@69 153 * values. They can be set via kadmin and consumed by KDC plugins. */
jpayne@69 154 typedef struct krb5_string_attr_st {
jpayne@69 155 char *key;
jpayne@69 156 char *value;
jpayne@69 157 } krb5_string_attr;
jpayne@69 158
jpayne@69 159 /*
jpayne@69 160 * If this ever changes up the version number and make the arrays be as
jpayne@69 161 * big as necessary.
jpayne@69 162 *
jpayne@69 163 * Currently the first type is the enctype and the second is the salt type.
jpayne@69 164 */
jpayne@69 165 typedef struct _krb5_key_data {
jpayne@69 166 krb5_int16 key_data_ver; /* Version */
jpayne@69 167 krb5_ui_2 key_data_kvno; /* Key Version */
jpayne@69 168 krb5_int16 key_data_type[2]; /* Array of types */
jpayne@69 169 krb5_ui_2 key_data_length[2]; /* Array of lengths */
jpayne@69 170 krb5_octet * key_data_contents[2]; /* Array of pointers */
jpayne@69 171 } krb5_key_data;
jpayne@69 172
jpayne@69 173 #define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */
jpayne@69 174
jpayne@69 175 typedef struct _krb5_keysalt {
jpayne@69 176 krb5_int16 type;
jpayne@69 177 krb5_data data; /* Length, data */
jpayne@69 178 } krb5_keysalt;
jpayne@69 179
jpayne@69 180 /*
jpayne@69 181 * A principal database entry. Extensions to this structure currently use the
jpayne@69 182 * tl_data list. The e_data and e_length fields are not used by any calling
jpayne@69 183 * code except kdb5_util dump and load, which marshal and unmarshal the array
jpayne@69 184 * in the dump record. KDB modules may use these fields internally as long as
jpayne@69 185 * they set e_length appropriately (non-zero if the data should be marshalled
jpayne@69 186 * across dump and load, zero if not) and handle null e_data values in
jpayne@69 187 * caller-constructed principal entries.
jpayne@69 188 */
jpayne@69 189 typedef struct _krb5_db_entry_new {
jpayne@69 190 krb5_magic magic; /* NOT saved */
jpayne@69 191 krb5_ui_2 len;
jpayne@69 192 krb5_ui_4 mask; /* members currently changed/set */
jpayne@69 193 krb5_flags attributes;
jpayne@69 194 krb5_deltat max_life;
jpayne@69 195 krb5_deltat max_renewable_life;
jpayne@69 196 krb5_timestamp expiration; /* When the client expires */
jpayne@69 197 krb5_timestamp pw_expiration; /* When its passwd expires */
jpayne@69 198 krb5_timestamp last_success; /* Last successful passwd */
jpayne@69 199 krb5_timestamp last_failed; /* Last failed passwd attempt */
jpayne@69 200 krb5_kvno fail_auth_count; /* # of failed passwd attempt */
jpayne@69 201 krb5_int16 n_tl_data;
jpayne@69 202 krb5_int16 n_key_data;
jpayne@69 203 krb5_ui_2 e_length; /* Length of extra data */
jpayne@69 204 krb5_octet * e_data; /* Extra data to be saved */
jpayne@69 205
jpayne@69 206 krb5_principal princ; /* Length, data */
jpayne@69 207 krb5_tl_data * tl_data; /* Linked list */
jpayne@69 208
jpayne@69 209 /* key_data must be sorted by kvno in descending order. */
jpayne@69 210 krb5_key_data * key_data; /* Array */
jpayne@69 211 } krb5_db_entry;
jpayne@69 212
jpayne@69 213 typedef struct _osa_policy_ent_t {
jpayne@69 214 int version;
jpayne@69 215 char *name;
jpayne@69 216 krb5_ui_4 pw_min_life;
jpayne@69 217 krb5_ui_4 pw_max_life;
jpayne@69 218 krb5_ui_4 pw_min_length;
jpayne@69 219 krb5_ui_4 pw_min_classes;
jpayne@69 220 krb5_ui_4 pw_history_num;
jpayne@69 221 krb5_ui_4 policy_refcnt; /* no longer used */
jpayne@69 222 /* Only valid if version > 1 */
jpayne@69 223 krb5_ui_4 pw_max_fail; /* pwdMaxFailure */
jpayne@69 224 krb5_ui_4 pw_failcnt_interval; /* pwdFailureCountInterval */
jpayne@69 225 krb5_ui_4 pw_lockout_duration; /* pwdLockoutDuration */
jpayne@69 226 /* Only valid if version > 2 */
jpayne@69 227 krb5_ui_4 attributes;
jpayne@69 228 krb5_ui_4 max_life;
jpayne@69 229 krb5_ui_4 max_renewable_life;
jpayne@69 230 char * allowed_keysalts;
jpayne@69 231 krb5_int16 n_tl_data;
jpayne@69 232 krb5_tl_data * tl_data;
jpayne@69 233 } osa_policy_ent_rec, *osa_policy_ent_t;
jpayne@69 234
jpayne@69 235 typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);
jpayne@69 236
jpayne@69 237 typedef struct __krb5_key_salt_tuple {
jpayne@69 238 krb5_enctype ks_enctype;
jpayne@69 239 krb5_int32 ks_salttype;
jpayne@69 240 } krb5_key_salt_tuple;
jpayne@69 241
jpayne@69 242 #define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb
jpayne@69 243 #define KRB5_KDB_V1_BASE_LENGTH 38
jpayne@69 244
jpayne@69 245 #define KRB5_KDB_MAX_ALLOWED_KS_LEN 512
jpayne@69 246
jpayne@69 247 #define KRB5_TL_LAST_PWD_CHANGE 0x0001
jpayne@69 248 #define KRB5_TL_MOD_PRINC 0x0002
jpayne@69 249 #define KRB5_TL_KADM_DATA 0x0003
jpayne@69 250 #define KRB5_TL_KADM5_E_DATA 0x0004
jpayne@69 251 #define KRB5_TL_RB1_CHALLENGE 0x0005
jpayne@69 252 #ifdef SECURID
jpayne@69 253 #define KRB5_TL_SECURID_STATE 0x0006
jpayne@69 254 #endif /* SECURID */
jpayne@69 255 #define KRB5_TL_USER_CERTIFICATE 0x0007
jpayne@69 256 #define KRB5_TL_MKVNO 0x0008
jpayne@69 257 #define KRB5_TL_ACTKVNO 0x0009
jpayne@69 258 #define KRB5_TL_MKEY_AUX 0x000a
jpayne@69 259
jpayne@69 260 /* String attributes may not always be represented in tl-data. kadmin clients
jpayne@69 261 * must use the get_strings and set_string RPCs. */
jpayne@69 262 #define KRB5_TL_STRING_ATTRS 0x000b
jpayne@69 263
jpayne@69 264 #define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
jpayne@69 265 #define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
jpayne@69 266 #define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
jpayne@69 267 #define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
jpayne@69 268 #define KRB5_TL_LM_KEY 0x0500 /* LM OWF */
jpayne@69 269 #define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */
jpayne@69 270 #define KRB5_TL_LAST_ADMIN_UNLOCK 0x0700 /* Timestamp of admin unlock */
jpayne@69 271
jpayne@69 272 #define KRB5_TL_DB_ARGS 0x7fff
jpayne@69 273
jpayne@69 274 /* version number for KRB5_TL_ACTKVNO data */
jpayne@69 275 #define KRB5_TL_ACTKVNO_VER 1
jpayne@69 276
jpayne@69 277 /* version number for KRB5_TL_MKEY_AUX data */
jpayne@69 278 #define KRB5_TL_MKEY_AUX_VER 1
jpayne@69 279
jpayne@69 280 typedef struct _krb5_actkvno_node {
jpayne@69 281 struct _krb5_actkvno_node *next;
jpayne@69 282 krb5_kvno act_kvno;
jpayne@69 283 krb5_timestamp act_time;
jpayne@69 284 } krb5_actkvno_node;
jpayne@69 285
jpayne@69 286 typedef struct _krb5_mkey_aux_node {
jpayne@69 287 struct _krb5_mkey_aux_node *next;
jpayne@69 288 krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */
jpayne@69 289 krb5_key_data latest_mkey; /* most recent mkey */
jpayne@69 290 } krb5_mkey_aux_node;
jpayne@69 291
jpayne@69 292 typedef struct _krb5_keylist_node {
jpayne@69 293 krb5_keyblock keyblock;
jpayne@69 294 krb5_kvno kvno;
jpayne@69 295 struct _krb5_keylist_node *next;
jpayne@69 296 } krb5_keylist_node;
jpayne@69 297
jpayne@69 298 /*
jpayne@69 299 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
jpayne@69 300 * on the principal.
jpayne@69 301 */
jpayne@69 302 #define KRB5_MAX_FAIL_COUNT 5
jpayne@69 303
jpayne@69 304 /* XXX depends on knowledge of krb5_parse_name() formats */
jpayne@69 305 #define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */
jpayne@69 306
jpayne@69 307 /* prompts used by default when reading the KDC password from the keyboard. */
jpayne@69 308 #define KRB5_KDC_MKEY_1 "Enter KDC database master key"
jpayne@69 309 #define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify"
jpayne@69 310
jpayne@69 311
jpayne@69 312 extern char *krb5_mkey_pwd_prompt1;
jpayne@69 313 extern char *krb5_mkey_pwd_prompt2;
jpayne@69 314
jpayne@69 315 /*
jpayne@69 316 * These macros specify the encoding of data within the database.
jpayne@69 317 *
jpayne@69 318 * Data encoding is little-endian.
jpayne@69 319 */
jpayne@69 320 #ifdef _KRB5_INT_H
jpayne@69 321 #include "k5-platform.h"
jpayne@69 322 #define krb5_kdb_decode_int16(cp, i16) \
jpayne@69 323 *((krb5_int16 *) &(i16)) = load_16_le(cp)
jpayne@69 324 #define krb5_kdb_decode_int32(cp, i32) \
jpayne@69 325 *((krb5_int32 *) &(i32)) = load_32_le(cp)
jpayne@69 326 #define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp)
jpayne@69 327 #define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp)
jpayne@69 328 #endif /* _KRB5_INT_H */
jpayne@69 329
jpayne@69 330 #define KRB5_KDB_OPEN_RW 0
jpayne@69 331 #define KRB5_KDB_OPEN_RO 1
jpayne@69 332
jpayne@69 333 #ifndef KRB5_KDB_SRV_TYPE_KDC
jpayne@69 334 #define KRB5_KDB_SRV_TYPE_KDC 0x0100
jpayne@69 335 #endif
jpayne@69 336
jpayne@69 337 #ifndef KRB5_KDB_SRV_TYPE_ADMIN
jpayne@69 338 #define KRB5_KDB_SRV_TYPE_ADMIN 0x0200
jpayne@69 339 #endif
jpayne@69 340
jpayne@69 341 /* 0x0300 was KRB5_KDB_SRV_TYPE_PASSWD but it is no longer used. */
jpayne@69 342
jpayne@69 343 #ifndef KRB5_KDB_SRV_TYPE_OTHER
jpayne@69 344 #define KRB5_KDB_SRV_TYPE_OTHER 0x0400
jpayne@69 345 #endif
jpayne@69 346
jpayne@69 347 #define KRB5_KDB_OPT_SET_DB_NAME 0
jpayne@69 348 #define KRB5_KDB_OPT_SET_LOCK_MODE 1
jpayne@69 349
jpayne@69 350 #define KRB5_DB_LOCKMODE_SHARED 0x0001
jpayne@69 351 #define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002
jpayne@69 352 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
jpayne@69 353
jpayne@69 354 /* libkdb.spec */
jpayne@69 355 krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
jpayne@69 356 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
jpayne@69 357 krb5_error_code krb5_db_init ( krb5_context kcontext );
jpayne@69 358 krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
jpayne@69 359 krb5_error_code krb5_db_inited ( krb5_context kcontext );
jpayne@69 360 krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
jpayne@69 361 krb5_error_code krb5_db_fini ( krb5_context kcontext );
jpayne@69 362 const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
jpayne@69 363 krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
jpayne@69 364 krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
jpayne@69 365 krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
jpayne@69 366 krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
jpayne@69 367 krb5_error_code krb5_db_unlock ( krb5_context kcontext );
jpayne@69 368 krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
jpayne@69 369 krb5_const_principal search_for,
jpayne@69 370 unsigned int flags,
jpayne@69 371 krb5_db_entry **entry );
jpayne@69 372 void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry );
jpayne@69 373 krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
jpayne@69 374 krb5_db_entry *entry );
jpayne@69 375 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
jpayne@69 376 krb5_principal search_for );
jpayne@69 377 krb5_error_code krb5_db_rename_principal ( krb5_context kcontext,
jpayne@69 378 krb5_principal source,
jpayne@69 379 krb5_principal target );
jpayne@69 380
jpayne@69 381 /*
jpayne@69 382 * Iterate over principals in the KDB. If the callback may write to the DB,
jpayne@69 383 * the caller must get an exclusive lock with krb5_db_lock before iterating,
jpayne@69 384 * and release it with krb5_db_unlock after iterating.
jpayne@69 385 */
jpayne@69 386 krb5_error_code krb5_db_iterate ( krb5_context kcontext,
jpayne@69 387 char *match_entry,
jpayne@69 388 int (*func) (krb5_pointer, krb5_db_entry *),
jpayne@69 389 krb5_pointer func_arg, krb5_flags iterflags );
jpayne@69 390
jpayne@69 391
jpayne@69 392 krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
jpayne@69 393 char *keyfile,
jpayne@69 394 krb5_principal mname,
jpayne@69 395 krb5_kvno kvno,
jpayne@69 396 krb5_keyblock *key,
jpayne@69 397 char *master_pwd);
jpayne@69 398 krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
jpayne@69 399 char *keyfile,
jpayne@69 400 krb5_principal mname,
jpayne@69 401 char *master_pwd);
jpayne@69 402 krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
jpayne@69 403 krb5_principal mname,
jpayne@69 404 krb5_enctype etype,
jpayne@69 405 krb5_boolean fromkeyboard,
jpayne@69 406 krb5_boolean twice,
jpayne@69 407 char *db_args,
jpayne@69 408 krb5_kvno *kvno,
jpayne@69 409 krb5_data *salt,
jpayne@69 410 krb5_keyblock *key);
jpayne@69 411 krb5_error_code
jpayne@69 412 krb5_db_fetch_mkey_list( krb5_context context,
jpayne@69 413 krb5_principal mname,
jpayne@69 414 const krb5_keyblock * mkey );
jpayne@69 415
jpayne@69 416 krb5_error_code
jpayne@69 417 krb5_dbe_find_enctype( krb5_context kcontext,
jpayne@69 418 krb5_db_entry *dbentp,
jpayne@69 419 krb5_int32 ktype,
jpayne@69 420 krb5_int32 stype,
jpayne@69 421 krb5_int32 kvno,
jpayne@69 422 krb5_key_data **kdatap);
jpayne@69 423
jpayne@69 424
jpayne@69 425 krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
jpayne@69 426 krb5_db_entry *dbentp,
jpayne@69 427 krb5_int32 *start,
jpayne@69 428 krb5_int32 ktype,
jpayne@69 429 krb5_int32 stype,
jpayne@69 430 krb5_int32 kvno,
jpayne@69 431 krb5_key_data **kdatap);
jpayne@69 432
jpayne@69 433 krb5_error_code
jpayne@69 434 krb5_db_setup_mkey_name ( krb5_context context,
jpayne@69 435 const char *keyname,
jpayne@69 436 const char *realm,
jpayne@69 437 char **fullname,
jpayne@69 438 krb5_principal *principal);
jpayne@69 439
jpayne@69 440 /**
jpayne@69 441 * Decrypts the key given in @@a key_data. If @a mkey is specified, that
jpayne@69 442 * master key is used. If @a mkey is NULL, then all master keys are tried.
jpayne@69 443 */
jpayne@69 444 krb5_error_code
jpayne@69 445 krb5_dbe_decrypt_key_data( krb5_context context,
jpayne@69 446 const krb5_keyblock * mkey,
jpayne@69 447 const krb5_key_data * key_data,
jpayne@69 448 krb5_keyblock * dbkey,
jpayne@69 449 krb5_keysalt * keysalt);
jpayne@69 450
jpayne@69 451 krb5_error_code
jpayne@69 452 krb5_dbe_encrypt_key_data( krb5_context context,
jpayne@69 453 const krb5_keyblock * mkey,
jpayne@69 454 const krb5_keyblock * dbkey,
jpayne@69 455 const krb5_keysalt * keysalt,
jpayne@69 456 int keyver,
jpayne@69 457 krb5_key_data * key_data);
jpayne@69 458
jpayne@69 459 krb5_error_code
jpayne@69 460 krb5_dbe_fetch_act_key_list(krb5_context context,
jpayne@69 461 krb5_principal princ,
jpayne@69 462 krb5_actkvno_node **act_key_list);
jpayne@69 463
jpayne@69 464 krb5_error_code
jpayne@69 465 krb5_dbe_find_act_mkey( krb5_context context,
jpayne@69 466 krb5_actkvno_node * act_mkey_list,
jpayne@69 467 krb5_kvno * act_kvno,
jpayne@69 468 krb5_keyblock ** act_mkey);
jpayne@69 469
jpayne@69 470 krb5_error_code
jpayne@69 471 krb5_dbe_find_mkey( krb5_context context,
jpayne@69 472 krb5_db_entry * entry,
jpayne@69 473 krb5_keyblock ** mkey);
jpayne@69 474
jpayne@69 475 /* Set *mkvno to mkvno in entry tl_data, or 0 if not present. */
jpayne@69 476 krb5_error_code
jpayne@69 477 krb5_dbe_lookup_mkvno( krb5_context context,
jpayne@69 478 krb5_db_entry * entry,
jpayne@69 479 krb5_kvno * mkvno);
jpayne@69 480
jpayne@69 481 krb5_keylist_node *
jpayne@69 482 krb5_db_mkey_list_alias( krb5_context kcontext );
jpayne@69 483
jpayne@69 484 /* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */
jpayne@69 485 krb5_error_code
jpayne@69 486 krb5_dbe_get_mkvno( krb5_context context,
jpayne@69 487 krb5_db_entry * entry,
jpayne@69 488 krb5_kvno * mkvno);
jpayne@69 489
jpayne@69 490 krb5_error_code
jpayne@69 491 krb5_dbe_lookup_mod_princ_data( krb5_context context,
jpayne@69 492 krb5_db_entry * entry,
jpayne@69 493 krb5_timestamp * mod_time,
jpayne@69 494 krb5_principal * mod_princ);
jpayne@69 495
jpayne@69 496 krb5_error_code
jpayne@69 497 krb5_dbe_lookup_mkey_aux( krb5_context context,
jpayne@69 498 krb5_db_entry * entry,
jpayne@69 499 krb5_mkey_aux_node ** mkey_aux_data_list);
jpayne@69 500 krb5_error_code
jpayne@69 501 krb5_dbe_update_mkvno( krb5_context context,
jpayne@69 502 krb5_db_entry * entry,
jpayne@69 503 krb5_kvno mkvno);
jpayne@69 504
jpayne@69 505 krb5_error_code
jpayne@69 506 krb5_dbe_lookup_actkvno( krb5_context context,
jpayne@69 507 krb5_db_entry * entry,
jpayne@69 508 krb5_actkvno_node ** actkvno_list);
jpayne@69 509
jpayne@69 510 krb5_error_code
jpayne@69 511 krb5_dbe_update_mkey_aux( krb5_context context,
jpayne@69 512 krb5_db_entry * entry,
jpayne@69 513 krb5_mkey_aux_node * mkey_aux_data_list);
jpayne@69 514
jpayne@69 515 krb5_error_code
jpayne@69 516 krb5_dbe_update_actkvno(krb5_context context,
jpayne@69 517 krb5_db_entry * entry,
jpayne@69 518 const krb5_actkvno_node *actkvno_list);
jpayne@69 519
jpayne@69 520 krb5_error_code
jpayne@69 521 krb5_dbe_update_last_pwd_change( krb5_context context,
jpayne@69 522 krb5_db_entry * entry,
jpayne@69 523 krb5_timestamp stamp);
jpayne@69 524
jpayne@69 525 krb5_error_code
jpayne@69 526 krb5_dbe_update_last_admin_unlock( krb5_context context,
jpayne@69 527 krb5_db_entry * entry,
jpayne@69 528 krb5_timestamp stamp);
jpayne@69 529
jpayne@69 530 krb5_error_code
jpayne@69 531 krb5_dbe_lookup_tl_data( krb5_context context,
jpayne@69 532 krb5_db_entry * entry,
jpayne@69 533 krb5_tl_data * ret_tl_data);
jpayne@69 534
jpayne@69 535 krb5_error_code
jpayne@69 536 krb5_dbe_create_key_data( krb5_context context,
jpayne@69 537 krb5_db_entry * entry);
jpayne@69 538
jpayne@69 539
jpayne@69 540 krb5_error_code
jpayne@69 541 krb5_dbe_update_mod_princ_data( krb5_context context,
jpayne@69 542 krb5_db_entry * entry,
jpayne@69 543 krb5_timestamp mod_date,
jpayne@69 544 krb5_const_principal mod_princ);
jpayne@69 545
jpayne@69 546 /*
jpayne@69 547 * These are wrappers around realloc() and free(). Applications and KDB
jpayne@69 548 * modules can use them when manipulating principal and policy entries to
jpayne@69 549 * ensure that they allocate and free memory in a manner compatible with the
jpayne@69 550 * library. Using libkrb5 or libkbd5 functions to construct values (such as
jpayne@69 551 * krb5_copy_principal() to construct the princ field of a krb5_db_entry) is
jpayne@69 552 * also safe. On Unix platforms, just using malloc() and free() is safe as
jpayne@69 553 * long as the application or module does not use a malloc replacement.
jpayne@69 554 */
jpayne@69 555 void *krb5_db_alloc( krb5_context kcontext,
jpayne@69 556 void *ptr,
jpayne@69 557 size_t size );
jpayne@69 558 void krb5_db_free( krb5_context kcontext,
jpayne@69 559 void *ptr);
jpayne@69 560
jpayne@69 561
jpayne@69 562 krb5_error_code
jpayne@69 563 krb5_dbe_lookup_last_pwd_change( krb5_context context,
jpayne@69 564 krb5_db_entry * entry,
jpayne@69 565 krb5_timestamp * stamp);
jpayne@69 566
jpayne@69 567 krb5_error_code
jpayne@69 568 krb5_dbe_lookup_last_admin_unlock( krb5_context context,
jpayne@69 569 krb5_db_entry * entry,
jpayne@69 570 krb5_timestamp * stamp);
jpayne@69 571
jpayne@69 572 /* Retrieve the set of string attributes in entry, in no particular order.
jpayne@69 573 * Free *strings_out with krb5_dbe_free_strings when done. */
jpayne@69 574 krb5_error_code
jpayne@69 575 krb5_dbe_get_strings(krb5_context context, krb5_db_entry *entry,
jpayne@69 576 krb5_string_attr **strings_out, int *count_out);
jpayne@69 577
jpayne@69 578 /* Retrieve a single string attribute from entry, or NULL if there is no
jpayne@69 579 * attribute for key. Free *value_out with krb5_dbe_free_string when done. */
jpayne@69 580 krb5_error_code
jpayne@69 581 krb5_dbe_get_string(krb5_context context, krb5_db_entry *entry,
jpayne@69 582 const char *key, char **value_out);
jpayne@69 583
jpayne@69 584 /* Change or add a string attribute in entry, or delete it if value is NULL. */
jpayne@69 585 krb5_error_code
jpayne@69 586 krb5_dbe_set_string(krb5_context context, krb5_db_entry *entry,
jpayne@69 587 const char *key, const char *value);
jpayne@69 588
jpayne@69 589 krb5_error_code
jpayne@69 590 krb5_dbe_delete_tl_data( krb5_context context,
jpayne@69 591 krb5_db_entry * entry,
jpayne@69 592 krb5_int16 tl_data_type);
jpayne@69 593
jpayne@69 594 krb5_error_code
jpayne@69 595 krb5_db_update_tl_data(krb5_context context,
jpayne@69 596 krb5_int16 * n_tl_datap,
jpayne@69 597 krb5_tl_data **tl_datap,
jpayne@69 598 krb5_tl_data * new_tl_data);
jpayne@69 599
jpayne@69 600 krb5_error_code
jpayne@69 601 krb5_dbe_update_tl_data( krb5_context context,
jpayne@69 602 krb5_db_entry * entry,
jpayne@69 603 krb5_tl_data * new_tl_data);
jpayne@69 604
jpayne@69 605 /* Compute the salt for a key data entry given the corresponding principal. */
jpayne@69 606 krb5_error_code
jpayne@69 607 krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
jpayne@69 608 krb5_const_principal princ, krb5_int16 *salttype_out,
jpayne@69 609 krb5_data **salt_out);
jpayne@69 610
jpayne@69 611 /*
jpayne@69 612 * Modify the key data of entry to explicitly store salt values using the
jpayne@69 613 * KRB5_KDB_SALTTYPE_SPECIAL salt type.
jpayne@69 614 */
jpayne@69 615 krb5_error_code
jpayne@69 616 krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry);
jpayne@69 617
jpayne@69 618 krb5_error_code
jpayne@69 619 krb5_dbe_cpw( krb5_context kcontext,
jpayne@69 620 krb5_keyblock * master_key,
jpayne@69 621 krb5_key_salt_tuple * ks_tuple,
jpayne@69 622 int ks_tuple_count,
jpayne@69 623 char * passwd,
jpayne@69 624 int new_kvno,
jpayne@69 625 krb5_boolean keepold,
jpayne@69 626 krb5_db_entry * db_entry);
jpayne@69 627
jpayne@69 628
jpayne@69 629 krb5_error_code
jpayne@69 630 krb5_dbe_ark( krb5_context context,
jpayne@69 631 krb5_keyblock * master_key,
jpayne@69 632 krb5_key_salt_tuple * ks_tuple,
jpayne@69 633 int ks_tuple_count,
jpayne@69 634 krb5_db_entry * db_entry);
jpayne@69 635
jpayne@69 636 krb5_error_code
jpayne@69 637 krb5_dbe_crk( krb5_context context,
jpayne@69 638 krb5_keyblock * master_key,
jpayne@69 639 krb5_key_salt_tuple * ks_tuple,
jpayne@69 640 int ks_tuple_count,
jpayne@69 641 krb5_boolean keepold,
jpayne@69 642 krb5_db_entry * db_entry);
jpayne@69 643
jpayne@69 644 krb5_error_code
jpayne@69 645 krb5_dbe_apw( krb5_context context,
jpayne@69 646 krb5_keyblock * master_key,
jpayne@69 647 krb5_key_salt_tuple * ks_tuple,
jpayne@69 648 int ks_tuple_count,
jpayne@69 649 char * passwd,
jpayne@69 650 krb5_db_entry * db_entry);
jpayne@69 651
jpayne@69 652 int
jpayne@69 653 krb5_db_get_key_data_kvno( krb5_context context,
jpayne@69 654 int count,
jpayne@69 655 krb5_key_data * data);
jpayne@69 656
jpayne@69 657 krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
jpayne@69 658 const krb5_data *tr_contents,
jpayne@69 659 const krb5_data *client_realm,
jpayne@69 660 const krb5_data *server_realm);
jpayne@69 661
jpayne@69 662 krb5_error_code krb5_db_check_policy_as(krb5_context kcontext,
jpayne@69 663 krb5_kdc_req *request,
jpayne@69 664 krb5_db_entry *client,
jpayne@69 665 krb5_db_entry *server,
jpayne@69 666 krb5_timestamp kdc_time,
jpayne@69 667 const char **status,
jpayne@69 668 krb5_pa_data ***e_data);
jpayne@69 669
jpayne@69 670 krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
jpayne@69 671 krb5_kdc_req *request,
jpayne@69 672 krb5_db_entry *server,
jpayne@69 673 krb5_ticket *ticket,
jpayne@69 674 const char **status,
jpayne@69 675 krb5_pa_data ***e_data);
jpayne@69 676
jpayne@69 677 void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
jpayne@69 678 const krb5_address *local_addr,
jpayne@69 679 const krb5_address *remote_addr,
jpayne@69 680 krb5_db_entry *client, krb5_db_entry *server,
jpayne@69 681 krb5_timestamp authtime, krb5_error_code error_code);
jpayne@69 682
jpayne@69 683 void krb5_db_refresh_config(krb5_context kcontext);
jpayne@69 684
jpayne@69 685 krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext,
jpayne@69 686 krb5_const_principal client,
jpayne@69 687 const krb5_db_entry *server,
jpayne@69 688 krb5_const_principal proxy);
jpayne@69 689
jpayne@69 690 krb5_error_code krb5_db_get_s4u_x509_principal(krb5_context kcontext,
jpayne@69 691 const krb5_data *client_cert,
jpayne@69 692 krb5_const_principal in_princ,
jpayne@69 693 unsigned int flags,
jpayne@69 694 krb5_db_entry **entry);
jpayne@69 695
jpayne@69 696 krb5_error_code krb5_db_allowed_to_delegate_from(krb5_context context,
jpayne@69 697 krb5_const_principal client,
jpayne@69 698 krb5_const_principal server,
jpayne@69 699 krb5_pac server_pac,
jpayne@69 700 const krb5_db_entry *proxy);
jpayne@69 701
jpayne@69 702 /**
jpayne@69 703 * Sort an array of @a krb5_key_data keys in descending order by their kvno.
jpayne@69 704 * Key data order within a kvno is preserved.
jpayne@69 705 *
jpayne@69 706 * @param key_data
jpayne@69 707 * The @a krb5_key_data array to sort. This is sorted in place so the
jpayne@69 708 * array will be modified.
jpayne@69 709 * @param key_data_length
jpayne@69 710 * The length of @a key_data.
jpayne@69 711 */
jpayne@69 712 void
jpayne@69 713 krb5_dbe_sort_key_data(krb5_key_data *key_data, size_t key_data_length);
jpayne@69 714
jpayne@69 715 krb5_error_code
jpayne@69 716 krb5_db_issue_pac(krb5_context context, unsigned int flags,
jpayne@69 717 krb5_db_entry *client, krb5_keyblock *replaced_reply_key,
jpayne@69 718 krb5_db_entry *server, krb5_db_entry *krbtgt,
jpayne@69 719 krb5_timestamp authtime, krb5_pac old_pac, krb5_pac new_pac,
jpayne@69 720 krb5_data ***auth_indicators);
jpayne@69 721
jpayne@69 722 /* default functions. Should not be directly called */
jpayne@69 723 /*
jpayne@69 724 * Default functions prototype
jpayne@69 725 */
jpayne@69 726
jpayne@69 727 krb5_error_code
jpayne@69 728 krb5_dbe_def_search_enctype( krb5_context kcontext,
jpayne@69 729 krb5_db_entry *dbentp,
jpayne@69 730 krb5_int32 *start,
jpayne@69 731 krb5_int32 ktype,
jpayne@69 732 krb5_int32 stype,
jpayne@69 733 krb5_int32 kvno,
jpayne@69 734 krb5_key_data **kdatap);
jpayne@69 735
jpayne@69 736 krb5_error_code
jpayne@69 737 krb5_def_store_mkey_list( krb5_context context,
jpayne@69 738 char *keyfile,
jpayne@69 739 krb5_principal mname,
jpayne@69 740 krb5_keylist_node *keylist,
jpayne@69 741 char *master_pwd);
jpayne@69 742
jpayne@69 743 krb5_error_code
jpayne@69 744 krb5_db_def_fetch_mkey( krb5_context context,
jpayne@69 745 krb5_principal mname,
jpayne@69 746 krb5_keyblock *key,
jpayne@69 747 krb5_kvno *kvno,
jpayne@69 748 char *db_args);
jpayne@69 749
jpayne@69 750 krb5_error_code
jpayne@69 751 krb5_def_fetch_mkey_list( krb5_context context,
jpayne@69 752 krb5_principal mprinc,
jpayne@69 753 const krb5_keyblock *mkey,
jpayne@69 754 krb5_keylist_node **mkeys_list);
jpayne@69 755
jpayne@69 756 krb5_error_code
jpayne@69 757 krb5_dbe_def_cpw( krb5_context context,
jpayne@69 758 krb5_keyblock * master_key,
jpayne@69 759 krb5_key_salt_tuple * ks_tuple,
jpayne@69 760 int ks_tuple_count,
jpayne@69 761 char * passwd,
jpayne@69 762 int new_kvno,
jpayne@69 763 krb5_boolean keepold,
jpayne@69 764 krb5_db_entry * db_entry);
jpayne@69 765
jpayne@69 766 krb5_error_code
jpayne@69 767 krb5_dbe_def_decrypt_key_data( krb5_context context,
jpayne@69 768 const krb5_keyblock * mkey,
jpayne@69 769 const krb5_key_data * key_data,
jpayne@69 770 krb5_keyblock * dbkey,
jpayne@69 771 krb5_keysalt * keysalt);
jpayne@69 772
jpayne@69 773 krb5_error_code
jpayne@69 774 krb5_dbe_def_encrypt_key_data( krb5_context context,
jpayne@69 775 const krb5_keyblock * mkey,
jpayne@69 776 const krb5_keyblock * dbkey,
jpayne@69 777 const krb5_keysalt * keysalt,
jpayne@69 778 int keyver,
jpayne@69 779 krb5_key_data * key_data);
jpayne@69 780
jpayne@69 781 krb5_error_code
jpayne@69 782 krb5_db_def_rename_principal( krb5_context kcontext,
jpayne@69 783 krb5_const_principal source,
jpayne@69 784 krb5_const_principal target);
jpayne@69 785
jpayne@69 786 krb5_error_code
jpayne@69 787 krb5_db_create_policy( krb5_context kcontext,
jpayne@69 788 osa_policy_ent_t policy);
jpayne@69 789
jpayne@69 790 krb5_error_code
jpayne@69 791 krb5_db_get_policy ( krb5_context kcontext,
jpayne@69 792 char *name,
jpayne@69 793 osa_policy_ent_t *policy );
jpayne@69 794
jpayne@69 795 krb5_error_code
jpayne@69 796 krb5_db_put_policy( krb5_context kcontext,
jpayne@69 797 osa_policy_ent_t policy);
jpayne@69 798
jpayne@69 799 krb5_error_code
jpayne@69 800 krb5_db_iter_policy( krb5_context kcontext,
jpayne@69 801 char *match_entry,
jpayne@69 802 osa_adb_iter_policy_func func,
jpayne@69 803 void *data);
jpayne@69 804
jpayne@69 805 krb5_error_code
jpayne@69 806 krb5_db_delete_policy( krb5_context kcontext,
jpayne@69 807 char *policy);
jpayne@69 808
jpayne@69 809 void
jpayne@69 810 krb5_db_free_policy( krb5_context kcontext,
jpayne@69 811 osa_policy_ent_t policy);
jpayne@69 812
jpayne@69 813
jpayne@69 814 krb5_error_code
jpayne@69 815 krb5_db_set_context(krb5_context, void *db_context);
jpayne@69 816
jpayne@69 817 krb5_error_code
jpayne@69 818 krb5_db_get_context(krb5_context, void **db_context);
jpayne@69 819
jpayne@69 820 void
jpayne@69 821 krb5_dbe_free_key_data_contents(krb5_context, krb5_key_data *);
jpayne@69 822
jpayne@69 823 void
jpayne@69 824 krb5_dbe_free_key_list(krb5_context, krb5_keylist_node *);
jpayne@69 825
jpayne@69 826 void
jpayne@69 827 krb5_dbe_free_actkvno_list(krb5_context, krb5_actkvno_node *);
jpayne@69 828
jpayne@69 829 void
jpayne@69 830 krb5_dbe_free_mkey_aux_list(krb5_context, krb5_mkey_aux_node *);
jpayne@69 831
jpayne@69 832 void
jpayne@69 833 krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *);
jpayne@69 834
jpayne@69 835 void
jpayne@69 836 krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
jpayne@69 837
jpayne@69 838 void
jpayne@69 839 krb5_dbe_free_string(krb5_context, char *);
jpayne@69 840
jpayne@69 841 /*
jpayne@69 842 * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
jpayne@69 843 * For this type to work, the context used for keytab operations must have an
jpayne@69 844 * associated database handle (via krb5_db_open()).
jpayne@69 845 */
jpayne@69 846 krb5_error_code krb5_db_register_keytab(krb5_context context);
jpayne@69 847
jpayne@69 848 #define KRB5_KDB_DEF_FLAGS 0
jpayne@69 849
jpayne@69 850 #define KDB_MAX_DB_NAME 128
jpayne@69 851 #define KDB_REALM_SECTION "realms"
jpayne@69 852 #define KDB_MODULE_POINTER "database_module"
jpayne@69 853 #define KDB_MODULE_DEF_SECTION "dbdefaults"
jpayne@69 854 #define KDB_MODULE_SECTION "dbmodules"
jpayne@69 855 #define KDB_LIB_POINTER "db_library"
jpayne@69 856 #define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH
jpayne@69 857 #define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV
jpayne@69 858
jpayne@69 859 #define KRB5_KDB_OPEN_RW 0
jpayne@69 860 #define KRB5_KDB_OPEN_RO 1
jpayne@69 861
jpayne@69 862 #define KRB5_KDB_OPT_SET_DB_NAME 0
jpayne@69 863 #define KRB5_KDB_OPT_SET_LOCK_MODE 1
jpayne@69 864
jpayne@69 865 /*
jpayne@69 866 * This number indicates the date of the last incompatible change to the DAL.
jpayne@69 867 * The maj_ver field of the module's vtable structure must match this version.
jpayne@69 868 */
jpayne@69 869 #define KRB5_KDB_DAL_MAJOR_VERSION 9
jpayne@69 870
jpayne@69 871 /*
jpayne@69 872 * Note the following when converting a module to DAL version 9:
jpayne@69 873 *
jpayne@69 874 * - get_authdata_info() and sign_authdata() have been removed, and issue_pac()
jpayne@69 875 * has been added.
jpayne@69 876 *
jpayne@69 877 * - check_allowed_to_delegate() must handle a null proxy argument, returning
jpayne@69 878 * success if server has any authorized delegation targets in the traditional
jpayne@69 879 * scheme.
jpayne@69 880 *
jpayne@69 881 * - allowed_to_delegate_from() accepts a krb5_pac parameter (in place
jpayne@69 882 * server_ad_info) for the impersonator's PAC.
jpayne@69 883 *
jpayne@69 884 * - check_allowed_to_delegate() and allowed_to_delegate_from() must return
jpayne@69 885 * KRB5KDC_ERR_BADOPTION on authorization failure.
jpayne@69 886 *
jpayne@69 887 * - the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags have
jpayne@69 888 * been combined into KRB5_KDB_FLAG_CLIENT.
jpayne@69 889 *
jpayne@69 890 * - the KRB5_KDB_FLAG_CANONICALIZE flag has been renamed to
jpayne@69 891 * KRB5_KDB_FLAG_REFERRAL_OK, and is only passed to get_principal() when a
jpayne@69 892 * realm referral is allowed (AS client and TGS server lookups, when the
jpayne@69 893 * CANONICALIZE option is requested or, for AS requests, when the client is
jpayne@69 894 * an enterprise principal). As of DAL version 8 the KDB module should
jpayne@69 895 * always canonicalize aliases within a realm; the KDC will decide whether to
jpayne@69 896 * use the original or canonical principal.
jpayne@69 897 */
jpayne@69 898
jpayne@69 899 /*
jpayne@69 900 * A krb5_context can hold one database object. Modules should use
jpayne@69 901 * krb5_db_set_context and krb5_db_get_context to store state associated with
jpayne@69 902 * the database object.
jpayne@69 903 *
jpayne@69 904 * Some module functions are mandatory for KDC operation; others are optional
jpayne@69 905 * or apply only to administrative operations. If a function is optional, a
jpayne@69 906 * module can leave the function pointer as NULL. Alternatively, modules can
jpayne@69 907 * return KRB5_PLUGIN_OP_NOTSUPP when asked to perform an inapplicable action.
jpayne@69 908 *
jpayne@69 909 * Some module functions have default implementations which will call back into
jpayne@69 910 * the vtable interface. Leave these functions as NULL to use the default
jpayne@69 911 * implementations.
jpayne@69 912 *
jpayne@69 913 * The documentation in these comments describes the DAL as it is currently
jpayne@69 914 * implemented and used, not as it should be. So if anything seems off, that
jpayne@69 915 * probably means the current state of things is off.
jpayne@69 916 *
jpayne@69 917 * Modules must allocate memory for principal entries, policy entries, and
jpayne@69 918 * other structures using an allocator compatible with malloc() as seen by
jpayne@69 919 * libkdb5 and libkrb5. Modules may link against libkdb5 and call
jpayne@69 920 * krb5_db_alloc() to be certain that the same malloc implementation is used.
jpayne@69 921 */
jpayne@69 922
jpayne@69 923 typedef struct _kdb_vftabl {
jpayne@69 924 short int maj_ver;
jpayne@69 925 short int min_ver;
jpayne@69 926
jpayne@69 927 /*
jpayne@69 928 * Mandatory: Invoked after the module library is loaded, when the first DB
jpayne@69 929 * using the module is opened, across all contexts.
jpayne@69 930 */
jpayne@69 931 krb5_error_code (*init_library)(void);
jpayne@69 932
jpayne@69 933 /*
jpayne@69 934 * Mandatory: Invoked before the module library is unloaded, after the last
jpayne@69 935 * DB using the module is closed, across all contexts.
jpayne@69 936 */
jpayne@69 937 krb5_error_code (*fini_library)(void);
jpayne@69 938
jpayne@69 939 /*
jpayne@69 940 * Mandatory: Initialize a database object. Profile settings should be
jpayne@69 941 * read from conf_section inside KDB_MODULE_SECTION. db_args communicates
jpayne@69 942 * command-line arguments for module-specific flags. mode will be one of
jpayne@69 943 * KRB5_KDB_OPEN_{RW,RO} or'd with one of
jpayne@69 944 * KRB5_KDB_SRV_TYPE_{KDC,ADMIN,PASSWD,OTHER}.
jpayne@69 945 */
jpayne@69 946 krb5_error_code (*init_module)(krb5_context kcontext, char *conf_section,
jpayne@69 947 char **db_args, int mode);
jpayne@69 948
jpayne@69 949 /*
jpayne@69 950 * Mandatory: Finalize the database object contained in a context. Free
jpayne@69 951 * any state contained in the db_context pointer and null it out.
jpayne@69 952 */
jpayne@69 953 krb5_error_code (*fini_module)(krb5_context kcontext);
jpayne@69 954
jpayne@69 955 /*
jpayne@69 956 * Optional: Initialize a database object while creating the underlying
jpayne@69 957 * database. conf_section and db_args have the same meaning as in
jpayne@69 958 * init_module. This function may return an error if the database already
jpayne@69 959 * exists. Used by kdb5_util create.
jpayne@69 960 *
jpayne@69 961 * If db_args contains the value "temporary", the module should create an
jpayne@69 962 * exclusively locked side copy of the database suitable for loading in a
jpayne@69 963 * propagation from primary to replica. This side copy will later be
jpayne@69 964 * promoted with promote_db, allowing complete updates of the DB with no
jpayne@69 965 * loss in read availability. If the module cannot comply with this
jpayne@69 966 * architecture, it should return an error.
jpayne@69 967 */
jpayne@69 968 krb5_error_code (*create)(krb5_context kcontext, char *conf_section,
jpayne@69 969 char **db_args);
jpayne@69 970
jpayne@69 971 /*
jpayne@69 972 * Optional: Destroy a database. conf_section and db_args have the same
jpayne@69 973 * meaning as in init_module. Used by kdb5_util destroy. In current
jpayne@69 974 * usage, the database is destroyed while open, so the module should handle
jpayne@69 975 * that.
jpayne@69 976 */
jpayne@69 977 krb5_error_code (*destroy)(krb5_context kcontext, char *conf_section,
jpayne@69 978 char **db_args);
jpayne@69 979
jpayne@69 980 /*
jpayne@69 981 * Deprecated: No longer used as of krb5 1.10; can be removed in the next
jpayne@69 982 * DAL revision. Modules should leave as NULL.
jpayne@69 983 */
jpayne@69 984 krb5_error_code (*get_age)(krb5_context kcontext, char *db_name,
jpayne@69 985 time_t *age);
jpayne@69 986
jpayne@69 987 /*
jpayne@69 988 * Optional: Lock the database, with semantics depending on the mode
jpayne@69 989 * argument:
jpayne@69 990 *
jpayne@69 991 * KRB5_DB_LOCKMODE_SHARED: Lock may coexist with other shared locks.
jpayne@69 992 * KRB5_DB_LOCKMODE_EXCLUSIVE: Lock may not coexist with other locks.
jpayne@69 993 * KRB5_DB_LOCKMODE_PERMANENT: Exclusive lock surviving process exit.
jpayne@69 994 *
jpayne@69 995 * Used by the "kadmin lock" command, incremental propagation, and
jpayne@69 996 * kdb5_util dump. Incremental propagation support requires shared locks
jpayne@69 997 * to operate. kdb5_util dump will continue unlocked if the module returns
jpayne@69 998 * KRB5_PLUGIN_OP_NOTSUPP.
jpayne@69 999 */
jpayne@69 1000 krb5_error_code (*lock)(krb5_context kcontext, int mode);
jpayne@69 1001
jpayne@69 1002 /* Optional: Release a lock created with db_lock. */
jpayne@69 1003 krb5_error_code (*unlock)(krb5_context kcontext);
jpayne@69 1004
jpayne@69 1005 /*
jpayne@69 1006 * Mandatory: Set *entry to an allocated entry for the principal
jpayne@69 1007 * search_for. If the principal is not found, return KRB5_KDB_NOENTRY.
jpayne@69 1008 *
jpayne@69 1009 * The meaning of flags are as follows:
jpayne@69 1010 *
jpayne@69 1011 * KRB5_KDB_FLAG_REFERRAL_OK: Set by the KDC when looking up entries for an
jpayne@69 1012 * AS client with canonicalization requested or for an enterprise
jpayne@69 1013 * principal, or for a TGS request server with canonicalization
jpayne@69 1014 * requested. Determines whether the module should return out-of-realm
jpayne@69 1015 * referrals.
jpayne@69 1016 *
jpayne@69 1017 * KRB5_KDB_FLAG_CLIENT: Set by the KDC when looking up a client principal
jpayne@69 1018 * during an AS or TGS request. Affects how the module should return
jpayne@69 1019 * out-of-realm referrals.
jpayne@69 1020 *
jpayne@69 1021 * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
jpayne@69 1022 * entry during TGS requests, except for S4U TGS requests and requests
jpayne@69 1023 * where the server entry has the KRB5_KDB_NO_AUTH_DATA_REQUIRED
jpayne@69 1024 * attribute. Indicates that the module should map foreign principals
jpayne@69 1025 * to local principals if it supports doing so.
jpayne@69 1026 *
jpayne@69 1027 * KRB5_KDB_FLAG_PROTOCOL_TRANSITION: Set by the KDC when looking up the
jpayne@69 1028 * client entry during an S4U2Self TGS request. This affects the PAC
jpayne@69 1029 * information which should be included when authorization data is
jpayne@69 1030 * generated; see the Microsoft S4U specification for details.
jpayne@69 1031 *
jpayne@69 1032 * KRB5_KDB_FLAG_CONSTRAINED_DELEGATION: Set by the KDC when looking up the
jpayne@69 1033 * client entry during an S4U2Proxy TGS request. Also affects PAC
jpayne@69 1034 * generation.
jpayne@69 1035 *
jpayne@69 1036 * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server
jpayne@69 1037 * entry during a TGS request, if the header ticket was issued by a
jpayne@69 1038 * different realm.
jpayne@69 1039 *
jpayne@69 1040 * KRB5_KDB_FLAG_ISSUING_REFERRAL: Set by the KDC after looking up a server
jpayne@69 1041 * entry during a TGS request, if the requested server principal is not
jpayne@69 1042 * part of the realm being served, and a referral or alternate TGT will
jpayne@69 1043 * be issued instead.
jpayne@69 1044 *
jpayne@69 1045 * A module may return an in-realm alias by setting (*entry)->princ to the
jpayne@69 1046 * canonical name. The KDC will decide based on the request whether to use
jpayne@69 1047 * the requested name or the canonical name in the issued ticket.
jpayne@69 1048 *
jpayne@69 1049 * A module can return a referral to another realm if flags contains
jpayne@69 1050 * KRB5_KDB_FLAG_REFERRAL_OK. If KRB5_KDB_FLAG_CLIENT is also set, the
jpayne@69 1051 * module should return a referral by simply filling in an out-of-realm
jpayne@69 1052 * name in (*entry)->princ and setting all other fields to NULL.
jpayne@69 1053 * Otherwise, the module should return the entry for the cross-realm TGS of
jpayne@69 1054 * the referred-to realm.
jpayne@69 1055 */
jpayne@69 1056 krb5_error_code (*get_principal)(krb5_context kcontext,
jpayne@69 1057 krb5_const_principal search_for,
jpayne@69 1058 unsigned int flags,
jpayne@69 1059 krb5_db_entry **entry);
jpayne@69 1060
jpayne@69 1061 /*
jpayne@69 1062 * Optional: Create or modify a principal entry. db_args communicates
jpayne@69 1063 * command-line arguments for module-specific flags.
jpayne@69 1064 *
jpayne@69 1065 * The mask field of an entry indicates the changed fields. Mask values
jpayne@69 1066 * are defined in kadmin's admin.h header. If KADM5_PRINCIPAL is set in
jpayne@69 1067 * the mask, the entry is new; otherwise it already exists. All fields of
jpayne@69 1068 * an entry are expected to contain correct values, regardless of whether
jpayne@69 1069 * they are specified in the mask, so it is acceptable for a module to
jpayne@69 1070 * ignore the mask and update the entire entry.
jpayne@69 1071 */
jpayne@69 1072 krb5_error_code (*put_principal)(krb5_context kcontext,
jpayne@69 1073 krb5_db_entry *entry, char **db_args);
jpayne@69 1074
jpayne@69 1075 /*
jpayne@69 1076 * Optional: Delete the entry for the principal search_for. If the
jpayne@69 1077 * principal did not exist, return KRB5_KDB_NOENTRY.
jpayne@69 1078 */
jpayne@69 1079 krb5_error_code (*delete_principal)(krb5_context kcontext,
jpayne@69 1080 krb5_const_principal search_for);
jpayne@69 1081
jpayne@69 1082 /*
jpayne@69 1083 * Optional with default: Rename a principal. If the source principal does
jpayne@69 1084 * not exist, return KRB5_KDB_NOENTRY. If the target exists, return an
jpayne@69 1085 * error.
jpayne@69 1086 *
jpayne@69 1087 * NOTE: If the module chooses to implement a custom function for renaming
jpayne@69 1088 * a principal instead of using the default, then rename operations will
jpayne@69 1089 * fail if iprop logging is enabled.
jpayne@69 1090 */
jpayne@69 1091 krb5_error_code (*rename_principal)(krb5_context kcontext,
jpayne@69 1092 krb5_const_principal source,
jpayne@69 1093 krb5_const_principal target);
jpayne@69 1094
jpayne@69 1095 /*
jpayne@69 1096 * Optional: For each principal entry in the database, invoke func with the
jpayne@69 1097 * arguments func_arg and the entry data. If match_entry is specified, the
jpayne@69 1098 * module may narrow the iteration to principal names matching that regular
jpayne@69 1099 * expression; a module may alternatively ignore match_entry.
jpayne@69 1100 */
jpayne@69 1101 krb5_error_code (*iterate)(krb5_context kcontext,
jpayne@69 1102 char *match_entry,
jpayne@69 1103 int (*func)(krb5_pointer, krb5_db_entry *),
jpayne@69 1104 krb5_pointer func_arg, krb5_flags iterflags);
jpayne@69 1105
jpayne@69 1106 /*
jpayne@69 1107 * Optional: Create a password policy entry. Return an error if the policy
jpayne@69 1108 * already exists.
jpayne@69 1109 */
jpayne@69 1110 krb5_error_code (*create_policy)(krb5_context kcontext,
jpayne@69 1111 osa_policy_ent_t policy);
jpayne@69 1112
jpayne@69 1113 /*
jpayne@69 1114 * Optional: Set *policy to the policy entry of the specified name. If the
jpayne@69 1115 * entry does not exist, return KRB5_KDB_NOENTRY.
jpayne@69 1116 */
jpayne@69 1117 krb5_error_code (*get_policy)(krb5_context kcontext, char *name,
jpayne@69 1118 osa_policy_ent_t *policy);
jpayne@69 1119
jpayne@69 1120 /*
jpayne@69 1121 * Optional: Modify an existing password policy entry to match the values
jpayne@69 1122 * in policy. Return an error if the policy does not already exist.
jpayne@69 1123 */
jpayne@69 1124 krb5_error_code (*put_policy)(krb5_context kcontext,
jpayne@69 1125 osa_policy_ent_t policy);
jpayne@69 1126
jpayne@69 1127 /*
jpayne@69 1128 * Optional: For each password policy entry in the database, invoke func
jpayne@69 1129 * with the arguments data and the entry data. If match_entry is
jpayne@69 1130 * specified, the module may narrow the iteration to policy names matching
jpayne@69 1131 * that regular expression; a module may alternatively ignore match_entry.
jpayne@69 1132 */
jpayne@69 1133 krb5_error_code (*iter_policy)(krb5_context kcontext, char *match_entry,
jpayne@69 1134 osa_adb_iter_policy_func func,
jpayne@69 1135 void *data);
jpayne@69 1136
jpayne@69 1137 /*
jpayne@69 1138 * Optional: Delete the password policy entry with the name policy. Return
jpayne@69 1139 * an error if the entry does not exist.
jpayne@69 1140 */
jpayne@69 1141 krb5_error_code (*delete_policy)(krb5_context kcontext, char *policy);
jpayne@69 1142
jpayne@69 1143 /*
jpayne@69 1144 * Optional with default: Retrieve a master keyblock from the stash file
jpayne@69 1145 * db_args, filling in *key and *kvno. mname is the name of the master
jpayne@69 1146 * principal for the realm.
jpayne@69 1147 *
jpayne@69 1148 * The default implementation reads the master keyblock from a keytab or
jpayne@69 1149 * old-format stash file.
jpayne@69 1150 */
jpayne@69 1151 krb5_error_code (*fetch_master_key)(krb5_context kcontext,
jpayne@69 1152 krb5_principal mname,
jpayne@69 1153 krb5_keyblock *key, krb5_kvno *kvno,
jpayne@69 1154 char *db_args);
jpayne@69 1155
jpayne@69 1156 /*
jpayne@69 1157 * Optional with default: Given a keyblock for some version of the
jpayne@69 1158 * database's master key, fetch the decrypted master key values from the
jpayne@69 1159 * database and store the list into *mkeys_list. The caller will free
jpayne@69 1160 * *mkeys_list using a libkdb5 function which uses the standard free()
jpayne@69 1161 * function, so the module must not use a custom allocator.
jpayne@69 1162 *
jpayne@69 1163 * The caller may not know the version number of the master key it has, in
jpayne@69 1164 * which case it will pass IGNORE_VNO.
jpayne@69 1165 *
jpayne@69 1166 * The default implementation ignores kvno and tries the key against the
jpayne@69 1167 * current master key data and all KRB5_TL_MKEY_AUX values, which contain
jpayne@69 1168 * copies of the master keys encrypted with old master keys.
jpayne@69 1169 */
jpayne@69 1170 krb5_error_code (*fetch_master_key_list)(krb5_context kcontext,
jpayne@69 1171 krb5_principal mname,
jpayne@69 1172 const krb5_keyblock *key,
jpayne@69 1173 krb5_keylist_node **mkeys_list);
jpayne@69 1174
jpayne@69 1175 /*
jpayne@69 1176 * Optional with default: Save a list of master keyblocks, obtained from
jpayne@69 1177 * fetch_master_key_list, into the stash file db_arg. The caller will set
jpayne@69 1178 * master_pwd to NULL, so the module should just ignore it. mname is the
jpayne@69 1179 * name of the master principal for the realm.
jpayne@69 1180 *
jpayne@69 1181 * The default implementation saves the list of master keys in a
jpayne@69 1182 * keytab-format file.
jpayne@69 1183 */
jpayne@69 1184 krb5_error_code (*store_master_key_list)(krb5_context kcontext,
jpayne@69 1185 char *db_arg,
jpayne@69 1186 krb5_principal mname,
jpayne@69 1187 krb5_keylist_node *keylist,
jpayne@69 1188 char *master_pwd);
jpayne@69 1189
jpayne@69 1190 /*
jpayne@69 1191 * Optional with default: Starting at position *start, scan the key data of
jpayne@69 1192 * a database entry for a key matching the enctype ktype, the salt type
jpayne@69 1193 * stype, and the version kvno. Store the resulting key into *kdatap and
jpayne@69 1194 * set *start to the position after the key found. If ktype is negative,
jpayne@69 1195 * match any enctype. If stype is negative, match any salt type. If kvno
jpayne@69 1196 * is zero or negative, find the most recent key version satisfying the
jpayne@69 1197 * other constraints.
jpayne@69 1198 */
jpayne@69 1199 krb5_error_code (*dbe_search_enctype)(krb5_context kcontext,
jpayne@69 1200 krb5_db_entry *dbentp,
jpayne@69 1201 krb5_int32 *start, krb5_int32 ktype,
jpayne@69 1202 krb5_int32 stype, krb5_int32 kvno,
jpayne@69 1203 krb5_key_data **kdatap);
jpayne@69 1204
jpayne@69 1205
jpayne@69 1206 /*
jpayne@69 1207 * Optional with default: Change the key data for db_entry to include keys
jpayne@69 1208 * derived from the password passwd in each of the specified key-salt
jpayne@69 1209 * types, at version new_kvno. Discard the old key data if keepold is not
jpayne@69 1210 * set.
jpayne@69 1211 *
jpayne@69 1212 * The default implementation uses the keyblock master_key to encrypt each
jpayne@69 1213 * new key, via the function encrypt_key_data.
jpayne@69 1214 */
jpayne@69 1215 krb5_error_code (*change_pwd)(krb5_context context,
jpayne@69 1216 krb5_keyblock *master_key,
jpayne@69 1217 krb5_key_salt_tuple *ks_tuple,
jpayne@69 1218 int ks_tuple_count, char *passwd,
jpayne@69 1219 int new_kvno, krb5_boolean keepold,
jpayne@69 1220 krb5_db_entry *db_entry);
jpayne@69 1221
jpayne@69 1222 /*
jpayne@69 1223 * Optional: Promote a temporary database to be the live one. context must
jpayne@69 1224 * be initialized with an exclusively locked database created with the
jpayne@69 1225 * "temporary" db_arg. On success, the database object contained in
jpayne@69 1226 * context will be finalized.
jpayne@69 1227 *
jpayne@69 1228 * This method is used by kdb5_util load to replace the live database with
jpayne@69 1229 * minimal loss of read availability.
jpayne@69 1230 */
jpayne@69 1231 krb5_error_code (*promote_db)(krb5_context context, char *conf_section,
jpayne@69 1232 char **db_args);
jpayne@69 1233
jpayne@69 1234 /*
jpayne@69 1235 * Optional with default: Decrypt the key in key_data with master keyblock
jpayne@69 1236 * mkey, placing the result into dbkey. Copy the salt from key_data, if
jpayne@69 1237 * any, into keysalt. Either dbkey or keysalt may be left unmodified on
jpayne@69 1238 * successful return if key_data does not contain key or salt information.
jpayne@69 1239 *
jpayne@69 1240 * The default implementation expects the encrypted key (in krb5_c_encrypt
jpayne@69 1241 * format) to be stored in key_data_contents[0], with length given by
jpayne@69 1242 * key_data_length[0]. If key_data_ver is 2, it expects the salt to be
jpayne@69 1243 * stored, unencrypted, in key_data_contents[1], with length given by
jpayne@69 1244 * key_data_length[1].
jpayne@69 1245 */
jpayne@69 1246 krb5_error_code (*decrypt_key_data)(krb5_context kcontext,
jpayne@69 1247 const krb5_keyblock *mkey,
jpayne@69 1248 const krb5_key_data *key_data,
jpayne@69 1249 krb5_keyblock *dbkey,
jpayne@69 1250 krb5_keysalt *keysalt);
jpayne@69 1251
jpayne@69 1252 /*
jpayne@69 1253 * Optional with default: Encrypt dbkey with master keyblock mkey, placing
jpayne@69 1254 * the result into key_data along with keysalt.
jpayne@69 1255 *
jpayne@69 1256 * The default implementation stores the encrypted key (in krb5_c_encrypt
jpayne@69 1257 * format) in key_data_contents[0] and the length in key_data_length[0].
jpayne@69 1258 * If keysalt is specified, it sets key_data_ver to 2, and stores the salt
jpayne@69 1259 * in key_data_contents[1] and its length in key_data_length[1]. If
jpayne@69 1260 * keysalt is not specified, key_data_ver is set to 1.
jpayne@69 1261 */
jpayne@69 1262 krb5_error_code (*encrypt_key_data)(krb5_context kcontext,
jpayne@69 1263 const krb5_keyblock *mkey,
jpayne@69 1264 const krb5_keyblock *dbkey,
jpayne@69 1265 const krb5_keysalt *keysalt,
jpayne@69 1266 int keyver, krb5_key_data *key_data);
jpayne@69 1267
jpayne@69 1268 /*
jpayne@69 1269 * Optional: Perform a policy check on a cross-realm ticket's transited
jpayne@69 1270 * field. Return 0 if the check authoritatively succeeds,
jpayne@69 1271 * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
jpayne@69 1272 * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
jpayne@69 1273 */
jpayne@69 1274 krb5_error_code (*check_transited_realms)(krb5_context kcontext,
jpayne@69 1275 const krb5_data *tr_contents,
jpayne@69 1276 const krb5_data *client_realm,
jpayne@69 1277 const krb5_data *server_realm);
jpayne@69 1278
jpayne@69 1279 /*
jpayne@69 1280 * Optional: Perform a policy check on an AS request, in addition to the
jpayne@69 1281 * standard policy checks. Return 0 if the AS request is allowed. If the
jpayne@69 1282 * AS request is not allowed:
jpayne@69 1283 * - Place a short string literal into *status.
jpayne@69 1284 * - If desired, place data into e_data. Any data placed here will be
jpayne@69 1285 * freed by the caller using the standard free function.
jpayne@69 1286 * - Return an appropriate error (such as KRB5KDC_ERR_POLICY).
jpayne@69 1287 */
jpayne@69 1288 krb5_error_code (*check_policy_as)(krb5_context kcontext,
jpayne@69 1289 krb5_kdc_req *request,
jpayne@69 1290 krb5_db_entry *client,
jpayne@69 1291 krb5_db_entry *server,
jpayne@69 1292 krb5_timestamp kdc_time,
jpayne@69 1293 const char **status,
jpayne@69 1294 krb5_pa_data ***e_data);
jpayne@69 1295
jpayne@69 1296 /*
jpayne@69 1297 * Optional: Perform a policy check on a TGS request, in addition to the
jpayne@69 1298 * standard policy checks. Return 0 if the TGS request is allowed. If the
jpayne@69 1299 * TGS request is not allowed:
jpayne@69 1300 * - Place a short string literal into *status.
jpayne@69 1301 * - If desired, place data into e_data. Any data placed here will be
jpayne@69 1302 * freed by the caller using the standard free function.
jpayne@69 1303 * - Return an appropriate error (such as KRB5KDC_ERR_POLICY).
jpayne@69 1304 * The input parameter ticket contains the TGT used in the TGS request.
jpayne@69 1305 */
jpayne@69 1306 krb5_error_code (*check_policy_tgs)(krb5_context kcontext,
jpayne@69 1307 krb5_kdc_req *request,
jpayne@69 1308 krb5_db_entry *server,
jpayne@69 1309 krb5_ticket *ticket,
jpayne@69 1310 const char **status,
jpayne@69 1311 krb5_pa_data ***e_data);
jpayne@69 1312
jpayne@69 1313 /*
jpayne@69 1314 * Optional: This method informs the module of a successful or unsuccessful
jpayne@69 1315 * AS request.
jpayne@69 1316 */
jpayne@69 1317 void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request,
jpayne@69 1318 const krb5_address *local_addr,
jpayne@69 1319 const krb5_address *remote_addr,
jpayne@69 1320 krb5_db_entry *client, krb5_db_entry *server,
jpayne@69 1321 krb5_timestamp authtime, krb5_error_code error_code);
jpayne@69 1322
jpayne@69 1323 /* Note: there is currently no method for auditing TGS requests. */
jpayne@69 1324
jpayne@69 1325 /*
jpayne@69 1326 * Optional: This method informs the module of a request to reload
jpayne@69 1327 * configuration or other state (that is, the KDC received a SIGHUP).
jpayne@69 1328 */
jpayne@69 1329 void (*refresh_config)(krb5_context kcontext);
jpayne@69 1330
jpayne@69 1331 /*
jpayne@69 1332 * Optional: Perform a policy check on server being allowed to obtain
jpayne@69 1333 * tickets from client to proxy. If proxy is NULL, check if server has any
jpayne@69 1334 * authorized delegation targets (client will also be NULL in this case).
jpayne@69 1335 * (Note that proxy is the target of the delegation, not the delegating
jpayne@69 1336 * service; the term "proxy" is from the viewpoint of the delegating
jpayne@69 1337 * service asking another service to perform some of its work in the
jpayne@69 1338 * authentication context of the client. This terminology comes from the
jpayne@69 1339 * Microsoft S4U protocol documentation.) Return 0 if policy allows
jpayne@69 1340 * delegation to the specified target (or to any target if proxy is NULL),
jpayne@69 1341 * or KRB5KDC_ERR_BADOPTION if not. If this method is not implemented, all
jpayne@69 1342 * S4U2Proxy delegation requests will be rejected.
jpayne@69 1343 */
jpayne@69 1344 krb5_error_code (*check_allowed_to_delegate)(krb5_context context,
jpayne@69 1345 krb5_const_principal client,
jpayne@69 1346 const krb5_db_entry *server,
jpayne@69 1347 krb5_const_principal proxy);
jpayne@69 1348
jpayne@69 1349 /*
jpayne@69 1350 * Optional: Free the e_data pointer of a database entry. If this method
jpayne@69 1351 * is not implemented, the e_data pointer in principal entries will be
jpayne@69 1352 * freed with free() as seen by libkdb5.
jpayne@69 1353 */
jpayne@69 1354 void (*free_principal_e_data)(krb5_context kcontext, krb5_octet *e_data);
jpayne@69 1355
jpayne@69 1356 /*
jpayne@69 1357 * Optional: get a client principal entry based on an X.509 certificate.
jpayne@69 1358 *
jpayne@69 1359 * If flags include KRB5_KDB_FLAG_REFERRAL_OK, the certificate was
jpayne@69 1360 * presented in an AS request. princ->realm indicates the request realm,
jpayne@69 1361 * but the data components should be ignored. The module can return an
jpayne@69 1362 * out-of-realm client referral as it would for get_principal().
jpayne@69 1363 *
jpayne@69 1364 * Otherwise, princ is from a TGS request. If it contains data components
jpayne@69 1365 * (and not just a realm), the module should verify that it is the same as
jpayne@69 1366 * the lookup result for client_cert. The module should not return a
jpayne@69 1367 * referral.
jpayne@69 1368 */
jpayne@69 1369 krb5_error_code (*get_s4u_x509_principal)(krb5_context kcontext,
jpayne@69 1370 const krb5_data *client_cert,
jpayne@69 1371 krb5_const_principal princ,
jpayne@69 1372 unsigned int flags,
jpayne@69 1373 krb5_db_entry **entry_out);
jpayne@69 1374
jpayne@69 1375 /*
jpayne@69 1376 * Optional: Perform a policy check on server being allowed to obtain
jpayne@69 1377 * tickets from client to proxy. This method is similar to
jpayne@69 1378 * check_allowed_to_delegate, but it operates on the target server DB entry
jpayne@69 1379 * (called "proxy" here as in Microsoft's protocol documentation) rather
jpayne@69 1380 * than the intermediate server entry. server_pac is the verified PAC from
jpayne@69 1381 * the authdata of the intermediate server. Return 0 if policy allows the
jpayne@69 1382 * delegation, or KRB5KDC_ERR_BADOPTION if not.
jpayne@69 1383 *
jpayne@69 1384 * This method is called for S4U2Proxy requests and implements the
jpayne@69 1385 * resource-based constrained delegation variant, which can support
jpayne@69 1386 * cross-realm delegation. If this method is not implemented or if it
jpayne@69 1387 * returns a policy error, the KDC will fall back to
jpayne@69 1388 * check_allowed_to_delegate if the intermediate and target servers are in
jpayne@69 1389 * the same realm and the evidence ticket is forwardable.
jpayne@69 1390 */
jpayne@69 1391 krb5_error_code (*allowed_to_delegate_from)(krb5_context context,
jpayne@69 1392 krb5_const_principal client,
jpayne@69 1393 krb5_const_principal server,
jpayne@69 1394 krb5_pac server_pac,
jpayne@69 1395 const krb5_db_entry *proxy);
jpayne@69 1396
jpayne@69 1397 /*
jpayne@69 1398 * Optional: Add buffers to new_pac using krb5_pac_add_buffer() before it
jpayne@69 1399 * is signed.
jpayne@69 1400 *
jpayne@69 1401 * The caller will handle the following buffer types, so do not copy or add
jpayne@69 1402 * them:
jpayne@69 1403 *
jpayne@69 1404 * KRB5_PAC_SERVER_CHECKSUM
jpayne@69 1405 * KRB5_PAC_PRIVSVR_CHECKSUM
jpayne@69 1406 * KRB5_PAC_TICKET_CHECKSUM
jpayne@69 1407 * KRB5_PAC_CLIENT_INFO
jpayne@69 1408 * KRB5_PAC_DELEGATION_INFO
jpayne@69 1409 *
jpayne@69 1410 * For TGS requests, old_pac is the PAC of the header ticket, except when
jpayne@69 1411 * KRB5_KDB_FLAG_CONTRAINED_DELEGATION is present in flags, in which case
jpayne@69 1412 * it is the PAC of the second ticket. If
jpayne@69 1413 * KRB5_KDB_FLAG_PROTOCOL_TRANSITION is present in flags and client is not
jpayne@69 1414 * NULL, old_pac is the PAC of the requesting service, not the subject of
jpayne@69 1415 * the S4U2Self request, and its buffers should not be copied into new_pac.
jpayne@69 1416 * The signatures and PAC_CLIENT_INFO of old_pac have been verified by the
jpayne@69 1417 * caller.
jpayne@69 1418 *
jpayne@69 1419 * If replaced_reply_key is not null, the request is an AS request and the
jpayne@69 1420 * reply key was replaced by a preauth mechanism such as PKINIT, meaning
jpayne@69 1421 * the Kerberos password or long-term key was not used. The module may use
jpayne@69 1422 * this key to encrypt a PAC_CREDENTIALS_INFO buffer containing credentials
jpayne@69 1423 * (such as an NTLM hash) that the client would ordinarily derive from the
jpayne@69 1424 * Kerberos password or long-term key.
jpayne@69 1425 *
jpayne@69 1426 * server is the database entry of the server the ticket will be issued to,
jpayne@69 1427 * which may be a referral TGS.
jpayne@69 1428 *
jpayne@69 1429 * signing_krbtgt is the database entry of the krbtgt principal used to
jpayne@69 1430 * verify old_pac (or null if old_pac is null). If
jpayne@69 1431 * KRB5_KDB_FLAG_CROSS_REALM is present in flags, this entry will be an
jpayne@69 1432 * incoming cross-realm TGS, and the PAC fields should undergo appropriate
jpayne@69 1433 * filtering based on the trust level of the cross-realm relationship.
jpayne@69 1434 *
jpayne@69 1435 * auth_indicators points to NULL or a null-terminated list of krb5_data
jpayne@69 1436 * pointers, each containing an authentication indicator (RFC 8129). The
jpayne@69 1437 * method may modify this list, or free it and replace *auth_indicators
jpayne@69 1438 * with NULL, to change which auth indicators will be included in the
jpayne@69 1439 * ticket.
jpayne@69 1440 */
jpayne@69 1441 krb5_error_code (*issue_pac)(krb5_context context, unsigned int flags,
jpayne@69 1442 krb5_db_entry *client,
jpayne@69 1443 krb5_keyblock *replaced_reply_key,
jpayne@69 1444 krb5_db_entry *server,
jpayne@69 1445 krb5_db_entry *signing_krbtgt,
jpayne@69 1446 krb5_timestamp authtime, krb5_pac old_pac,
jpayne@69 1447 krb5_pac new_pac,
jpayne@69 1448 krb5_data ***auth_indicators);
jpayne@69 1449
jpayne@69 1450 /* End of minor version 0 for major version 9. */
jpayne@69 1451 } kdb_vftabl;
jpayne@69 1452
jpayne@69 1453 #endif /* !defined(_WIN32) */
jpayne@69 1454
jpayne@69 1455 #endif /* KRB5_KDB5__ */