GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/lib/kadm5/server_internal.h
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
* $Header$
*/
/*
* This header file is used internally by the Admin API server
* libraries and Admin server. IF YOU THINK YOU NEED TO USE THIS FILE
* FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
*/
#ifndef __KADM5_SERVER_INTERNAL_H__
#define __KADM5_SERVER_INTERNAL_H__
#include "autoconf.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
#include <stdlib.h>
#include <errno.h>
#include <kdb.h>
#include <kadm5/admin.h>
#include <krb5/plugin.h>
#include "admin_internal.h"
/*
 * This is the history key version for a newly created DB. We use this value
 * for principals which have no password history yet to avoid having to look up
 * the history key. Values other than 2 will cause compatibility issues with
 * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
 * an unexpected value of admin_history_kvno.
 *
 * admin_history_kvno is the osa_princ_ent_rec field declared further down in
 * this header.  This constant is a key version number, not key material.
 */
#define INITIAL_HIST_KVNO 2
/* A pwqual_handle represents a password quality plugin module. */
typedef struct pwqual_handle_st *pwqual_handle;

/* A kadm5_hook_handle represents a loaded kadm5_hook plugin module.  Arrays
 * of these are produced by k5_kadm5_hook_load() and released with
 * k5_kadm5_hook_free_handles(), both declared below. */
typedef struct kadm5_hook_handle_st *kadm5_hook_handle;
/*
 * Server-side handle record.  Callers hold it as the pointer typedef
 * kadm5_server_handle_t; SERVER_CHECK_HANDLE (below) verifies current_caller
 * and lhandle before a server entry point proceeds.
 */
typedef struct _kadm5_server_handle_t {
    /* NOTE(review): presumably checked by GENERIC_CHECK_HANDLE in
     * admin_internal.h, which is not visible here -- confirm. */
    krb5_ui_4 magic_number;
    krb5_ui_4 struct_version;
    /* CHECK_HANDLE hands KADM5_OLD_SERVER_API_VERSION and
     * KADM5_NEW_SERVER_API_VERSION to GENERIC_CHECK_HANDLE; the exact
     * acceptance rule lives there. */
    krb5_ui_4 api_version;
    krb5_context context;
    /* Must be non-NULL: SERVER_CHECK_HANDLE returns KADM5_BAD_SERVER_HANDLE
     * otherwise.  Distinct from the file-scope `current_caller` global
     * declared later in this header. */
    krb5_principal current_caller;
    kadm5_config_params params;
    /* Must be non-NULL: SERVER_CHECK_HANDLE rejects the handle otherwise. */
    struct _kadm5_server_handle_t *lhandle;
    char **db_args;
    /* Same shape as the list k5_pwqual_load() stores into *handles_out;
     * NOTE(review): ownership/lifetime assumed to follow that function --
     * confirm in the .c files. */
    pwqual_handle *qual_handles;
    /* Same shape as the list k5_kadm5_hook_load() stores into *handles_out. */
    kadm5_hook_handle *hook_handles;
} kadm5_server_handle_rec, *kadm5_server_handle_t;
/* Record-format tag for per-principal admin data.  NOTE(review): presumably
 * the value carried in osa_princ_ent_rec.version (declared below); confirm
 * against the XDR and kdb code. */
#define OSA_ADB_PRINC_VERSION_1 0x12345C01
/* One password-history entry: a counted array of krb5_key_data. */
typedef struct _osa_pw_hist_t {
    int n_key_data;          /* by its name, the element count of key_data */
    krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;
/*
 * Admin-server side data kept per principal alongside the KDB entry (see
 * kdb_get_entry/kdb_put_entry/kdb_free_entry below, which take one of these
 * together with a krb5_db_entry).  Serialized by xdr_osa_princ_ent_rec and
 * released by osa_free_princ_ent.
 */
typedef struct _osa_princ_ent_t {
    int version;                   /* record format; see OSA_ADB_PRINC_VERSION_1 */
    char *policy;                  /* policy name; NOTE(review): NULL when no policy? -- confirm */
    long aux_attributes;
    /* NOTE(review): old_keys appears to be a ring of old_key_len entries with
     * old_key_next as the insertion index -- inferred from the names only,
     * confirm in the password-change code before relying on it. */
    unsigned int old_key_len;
    unsigned int old_key_next;
    /* kvno of the history key the stored old keys were encrypted with; starts
     * at INITIAL_HIST_KVNO for principals with no history yet (see the
     * comment on that constant). */
    krb5_kvno admin_history_kvno;
    osa_pw_hist_ent *old_keys;
} osa_princ_ent_rec, *osa_princ_ent_t;
/*
 * Validate a candidate password.  `pass` is the cleartext candidate (keep it
 * out of logs and error text); `policy` and `principal` give the context it is
 * checked against.  NOTE(review): the precise checks performed are in the .c
 * file, not here.
 */
kadm5_ret_t passwd_check(kadm5_server_handle_t handle,
                         const char *pass, kadm5_policy_ent_t policy,
                         krb5_principal principal);
/* Report whether `principal` is present in the database (by name only;
 * return-value convention not shown in this header). */
kadm5_ret_t principal_exists(krb5_principal principal);

/*
 * Master-key handling.  `r` is a non-const char * in both prototypes;
 * NOTE(review): presumably the realm name -- confirm.  `from_keyboard` is a
 * flag selecting interactive entry of the master key.
 */
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
                                char *r, int from_keyboard);
/* Output the active master key and its kvno through the two out pointers. */
krb5_error_code kdb_get_active_mkey(kadm5_server_handle_t handle,
                                    krb5_kvno *act_kvno_out,
                                    krb5_keyblock **act_mkey_out);

/* Password-history key handling (see INITIAL_HIST_KVNO and
 * osa_princ_ent_rec.admin_history_kvno above). */
krb5_error_code kdb_init_hist(kadm5_server_handle_t handle,
                              char *r);
/* Return history keyblocks and their kvno; release the keyblocks with
 * kdb_free_keyblocks (the matching free routine declared next). */
krb5_error_code kdb_get_hist_key(kadm5_server_handle_t handle,
                                 krb5_keyblock **keyblocks_out,
                                 krb5_kvno *kvno_out);
void kdb_free_keyblocks(kadm5_server_handle_t handle,
                        krb5_keyblock *keyblocks);

/*
 * Principal entry access.  Each call pairs a krb5_db_entry with the admin
 * data record (osa_princ_ent_rec) for the same principal; entries obtained
 * from kdb_get_entry are released with kdb_free_entry.
 */
krb5_error_code kdb_get_entry(kadm5_server_handle_t handle,
                              krb5_principal principal,
                              krb5_db_entry **kdb, osa_princ_ent_rec *adb);
krb5_error_code kdb_free_entry(kadm5_server_handle_t handle,
                               krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code kdb_put_entry(kadm5_server_handle_t handle,
                              krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle,
                                 krb5_principal name);
/* Invoke iter_fct(data, principal) for matching entries; `match_entry` is a
 * non-const pattern string whose syntax is not defined in this header. */
krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle,
                               char *match_entry,
                               void (*iter_fct)(void *, krb5_principal),
                               void *data);

/* Set up / tear down the handle's password-quality state (qual_handles). */
kadm5_ret_t init_pwqual(kadm5_server_handle_t handle);
void destroy_pwqual(kadm5_server_handle_t handle);

/* XXX this ought to be in libkrb5.a, but isn't */
/* Deep-copy the contents of one krb5_key_data into another; release with
 * krb5_free_key_data_contents.  Both return kadm5_ret_t despite the krb5_
 * prefix. */
kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
                                        krb5_key_data *from,
                                        krb5_key_data *to);
kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
                                        krb5_key_data *key);
/*
 * *Warning*
 * *Warning* This is going to break if we
 * *Warning* ever go multi-threaded
 * *Warning*
 *
 * Process-wide, unsynchronized global (presumably the principal of the
 * caller currently being served).  It is separate from the per-handle
 * current_caller field, which is the one SERVER_CHECK_HANDLE validates; any
 * authorization decision should read the handle field, not this global.
 */
extern krb5_principal current_caller;
/*
 * Why is this (or something similar) not defined *anywhere* in krb5?
 *
 * Generic success / lookup-miss codes.  NOTE(review): by their names these
 * look like dictionary-lookup results (cf. pwqual_dict_initvt below); confirm
 * against the callers before relying on that reading.
 */
#define KSUCCESS 0
#define WORD_NOT_FOUND 1
/*
 * Every principal-attribute mask bit OR'd together, grouped by what each
 * bit selects.  OR is commutative, so the grouping is purely for reading.
 */
#define ALL_PRINC_MASK                                                  \
    (/* identity, policy binding and attribute flags */                 \
     KADM5_PRINCIPAL | KADM5_POLICY | KADM5_POLICY_CLR |                \
     KADM5_ATTRIBUTES | KADM5_AUX_ATTRIBUTES |                          \
     /* lifetimes, expirations and modification stamps */               \
     KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION |                    \
     KADM5_LAST_PWD_CHANGE | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |         \
     KADM5_MOD_TIME | KADM5_MOD_NAME |                                  \
     /* key material, version numbers and bookkeeping */                \
     KADM5_KVNO | KADM5_MKVNO | KADM5_KEY_DATA | KADM5_TL_DATA |        \
     KADM5_FAIL_AUTH_COUNT)
/*
 * Every policy-attribute mask bit OR'd together, grouped by the kind of
 * policy setting each bit names.  OR is commutative, so the grouping is
 * purely for reading.
 */
#define ALL_POLICY_MASK                                                 \
    (/* policy identity, reference count and attribute flags */         \
     KADM5_POLICY | KADM5_REF_COUNT | KADM5_POLICY_ATTRIBUTES |         \
     /* password aging, composition and history depth */                \
     KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | KADM5_PW_MIN_LENGTH |      \
     KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM |                      \
     /* failed-authentication counting and lockout */                   \
     KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL |           \
     KADM5_PW_LOCKOUT_DURATION |                                        \
     /* ticket lifetimes, permitted key/salt types, extra data */       \
     KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE |                   \
     KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)
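/*
 * Server-side validity checks on a kadm5 handle.  Expands to a statement
 * block that makes the enclosing function return KADM5_BAD_SERVER_HANDLE
 * when the handle is NULL or lacks a caller principal or a local handle, so
 * it may only be used in functions whose return type accepts that value.
 *
 * Deliberately a bare `{ ... }` block rather than do/while(0): CHECK_HANDLE
 * appends it directly after GENERIC_CHECK_HANDLE with no semicolon between.
 *
 * `handle` is parenthesized because a cast binds tighter than most operators
 * an argument expression could contain.  The NULL test is new here and only
 * matters when the macro is used on its own; under CHECK_HANDLE the generic
 * checks (admin_internal.h, not visible in this file) run first.
 */
#define SERVER_CHECK_HANDLE(handle)                                     \
    {                                                                   \
        kadm5_server_handle_t srvr =                                    \
            (kadm5_server_handle_t) (handle);                           \
                                                                        \
        if (srvr == NULL)                                               \
            return KADM5_BAD_SERVER_HANDLE;                             \
        if (! srvr->current_caller)                                     \
            return KADM5_BAD_SERVER_HANDLE;                             \
        if (! srvr->lhandle)                                            \
            return KADM5_BAD_SERVER_HANDLE;                             \
    }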
/*
 * Full handle validation for server entry points: the generic checks
 * (GENERIC_CHECK_HANDLE, defined outside this file, given the old and new
 * server API version bounds) followed by SERVER_CHECK_HANDLE.  Expands to two
 * consecutive statement blocks, each of which may `return` from the enclosing
 * function, so use it only where such a return is valid.  Callers write
 * `CHECK_HANDLE(handle);` -- the macro itself ends without a semicolon.
 */
#define CHECK_HANDLE(handle)                                            \
    GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION,          \
                         KADM5_NEW_SERVER_API_VERSION)                  \
    SERVER_CHECK_HANDLE(handle)
/* XDR encode/decode routine for osa_princ_ent_rec (direction is chosen by the
 * XDR stream, as usual for xdr_* functions).  Decoded records own heap data
 * (policy, old_keys); release them with osa_free_princ_ent. */
bool_t xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);

/* Free the contents of an osa_princ_ent_rec obtained from the XDR routine or
 * from kdb_get_entry. */
void
osa_free_princ_ent(osa_princ_ent_t val);
/*** Password quality plugin consumer interface ***/

/* Load all available password quality plugin modules, bind each module to the
 * realm's dictionary file, and store the result into *handles_out. Free the
 * result with k5_pwqual_free_handles.  NOTE(review): whether dict_file may be
 * NULL is not specified here -- confirm in the implementation. */
krb5_error_code
k5_pwqual_load(krb5_context context, const char *dict_file,
               pwqual_handle **handles_out);

/* Release a handle list allocated by k5_pwqual_load. */
void
k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);

/* Return the name of a password quality plugin module. */
const char *
k5_pwqual_name(krb5_context context, pwqual_handle handle);

/* Check a password using a password quality plugin module.  `password` is the
 * cleartext candidate; `policy_name` names the policy in force and `princ` is
 * the principal whose password is being set.  A zero return presumably means
 * the module accepted the password -- confirm the error convention in the
 * implementation. */
krb5_error_code
k5_pwqual_check(krb5_context context, pwqual_handle handle,
                const char *password, const char *policy_name,
                krb5_principal princ);

/*** initvt functions for built-in password quality modules ***/

/* All four share the krb5 plugin vtable-initializer signature
 * (context, major version, minor version, vtable to fill in). */

/* The dict module checks passwords against the realm's dictionary. */
krb5_error_code
pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
                   krb5_plugin_vtable vtable);

/* The empty module rejects empty passwords (even with no password policy). */
krb5_error_code
pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);

/* The hesiod module checks passwords against GECOS fields from Hesiod passwd
 * information (only if the tree was built with Hesiod support). */
krb5_error_code
pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
                     krb5_plugin_vtable vtable);

/* The princ module checks passwords against principal components. */
krb5_error_code
pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
                    krb5_plugin_vtable vtable);
/** @{
 * @name kadm5_hook plugin support
 *
 * Each k5_kadm5_hook_* function below fans one operation out to every handle
 * in @a handles.  @a stage is presumably one of the KADM5_HOOK_STAGE_* values
 * from the kadm5_hook plugin header (not included here) -- confirm.  Note
 * that the chpass and create variants pass the cleartext @a newpass to every
 * loaded module, so hook modules are fully trusted code.
 */

/** Load all kadm5_hook plugins. */
krb5_error_code
k5_kadm5_hook_load(krb5_context context,
                   kadm5_hook_handle **handles_out);

/** Free handles allocated by k5_kadm5_hook_load(). */
void
k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);

/** Call the chpass entry point on every kadm5_hook in @a handles.
 *  @a keepold, @a n_ks_tuple/@a ks_tuple and @a newpass describe the
 *  requested password change; @a newpass is cleartext. */
kadm5_ret_t
k5_kadm5_hook_chpass (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage, krb5_principal princ,
                      krb5_boolean keepold,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call the create entry point for kadm5_hook_plugins.
 *  @a mask selects which fields of @a princ are meaningful (KADM5_* bits,
 *  cf. ALL_PRINC_MASK). */
kadm5_ret_t
k5_kadm5_hook_create (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);

/** Call modify kadm5_hook entry point.  @a mask as for create. */
kadm5_ret_t
k5_kadm5_hook_modify (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      kadm5_principal_ent_t princ, long mask);

/** Call remove kadm5_hook entry point. */
kadm5_ret_t
k5_kadm5_hook_remove (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal princ);

/** Call rename kadm5_hook entry point (@a oprinc -> @a nprinc). */
kadm5_ret_t
k5_kadm5_hook_rename (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage,
                      krb5_principal oprinc, krb5_principal nprinc);

/** Call alias kadm5_hook entry point (@a alias refers to @a target). */
kadm5_ret_t
k5_kadm5_hook_alias (krb5_context context,
                     kadm5_hook_handle *handles,
                     int stage,
                     krb5_principal alias, krb5_principal target);

/** @}*/
#endif /* __KADM5_SERVER_INTERNAL_H__ */