/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * include/krb5/kdb.h
 *
 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 *
 * KDC Database interface definitions.
 */
2N/A
/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
2N/A
/*
 * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
 */
2N/A
/* This API is not considered as stable as the main krb5 API.
 *
 * - We may make arbitrary incompatible changes between feature
 *   releases (e.g. from 1.7 to 1.8).
 * - We will make some effort to avoid making incompatible changes for
 *   bugfix releases, but will make them if necessary.
 */
2N/A
#ifndef KRB5_KDB5__
/*
 * Include guard.  NOTE(review): an identifier containing "__" is reserved
 * for the implementation in ISO C; the name is kept because other headers
 * and sources may test for this exact macro.
 */
#define KRB5_KDB5__

/* Public krb5 types (krb5_context, krb5_principal, krb5_keyblock, ...). */
#include <krb5.h>
2N/A
/* Salt types */
/*
 * A stored key records its salt type next to its enctype in
 * krb5_key_data.key_data_type[] (element 1 is the salt type, element 0
 * the enctype -- see the krb5_key_data comment below), and
 * krb5_key_salt_tuple.ks_salttype carries one of these values when new
 * keys are requested.
 */
#define KRB5_KDB_SALTTYPE_NORMAL 0
#define KRB5_KDB_SALTTYPE_V4 1
#define KRB5_KDB_SALTTYPE_NOREALM 2
#define KRB5_KDB_SALTTYPE_ONLYREALM 3
#define KRB5_KDB_SALTTYPE_SPECIAL 4
#define KRB5_KDB_SALTTYPE_AFS3 5
#define KRB5_KDB_SALTTYPE_CERTHASH 6
2N/A
/* Attributes */
/*
 * Principal attribute bits, presumably the values held in
 * krb5_db_entry.attributes (the field and this group share a name).
 * Judging by their names, the DISALLOW_* bits refuse a ticket property or
 * service outright and the REQUIRES_* bits make the KDC demand something
 * of the client first; the actual enforcement lives in the KDC, not here.
 * DISALLOW_ALL_TIX is also applied once KRB5_MAX_FAIL_COUNT failed
 * requests have accumulated (see that macro below).  The bit space is not
 * contiguous: 0x400, 0x800 and 0x10000..0x80000 are unused here, and
 * 0x01000000/0x02000000 are taken by the private flags further down, so
 * any new attribute must avoid those values.
 */
#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
#define KRB5_KDB_DISALLOW_SVR 0x00001000
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
2N/A
/* Creation flags */
/*
 * Database creation options; by their names BTREE/HASH select the on-disk
 * index form of a backend that offers both -- confirm in the backend's
 * create path.
 */
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002

/*
 * The two private flags below occupy bits 0x01000000 and 0x02000000 of
 * the same space as the KRB5_KDB_* attributes above; they are set by the
 * library rather than stored by an administrator (inferred from
 * "private" -- confirm).
 */
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
/* Private flag used to indicate xrealm relationship is non-transitive */
#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000
2N/A
/* Entry get flags */
/*
 * Lookup flags for the "unsigned int flags" argument of
 * krb5_db_get_principal_ext() and of the db_get_principal vtable slot;
 * the same values are carried in kdb_sign_auth_data_req.flags.  They
 * describe the request the KDC is servicing so that the backend can
 * canonicalize names, include a PAC, map cross-realm principals or apply
 * the S4U rules.  KRB5_KDB_FLAGS_S4U groups the two S4U variants so a
 * backend can test for either with one mask.
 */
/* Name canonicalization requested */
#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
/* Include authorization data generated by backend */
#define KRB5_KDB_FLAG_INCLUDE_PAC 0x00000020
/* Is AS-REQ (client referrals only) */
#define KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY 0x00000040
/* Map cross-realm principals */
#define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
/* Protocol transition */
#define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
/* Constrained delegation */
#define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
/* User-to-user */
#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Cross-realm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000

#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
                             KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
2N/A
#if !defined(_WIN32)

/*
 * Note --- these structures cannot be modified without changing the
 * database version number in libkdb.a, but should be expandable by
 * adding new tl_data types.
 */
/*
 * One "tagged length/data" record attached to a principal entry.  Records
 * form a singly linked list hung off krb5_db_entry.tl_data; the link
 * pointer itself is not serialized.  tl_data_type takes the KRB5_TL_*
 * values defined below.  tl_data_length is a krb5_ui_2, so a single
 * record cannot describe more than 65535 bytes of contents; decoders
 * should bound-check tl_data_length against the buffer they read from.
 */
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next; /* NOT saved */
    krb5_int16 tl_data_type;            /* KRB5_TL_* tag */
    krb5_ui_2 tl_data_length;           /* byte count of tl_data_contents */
    krb5_octet * tl_data_contents;
} krb5_tl_data;
2N/A
/*
 * If this ever changes up the version number and make the arrays be as
 * big as necessary.
 *
 * Currently the first type is the enctype and the second is the salt type.
 */
/*
 * One stored key of a principal.  key_data_type[0] is the enctype and
 * key_data_type[1] the KRB5_KDB_SALTTYPE_* value; key_data_length[i] and
 * key_data_contents[i] describe the matching payload.  A krb5_db_entry
 * holds n_key_data of these in its key_data array.
 * NOTE(review): key_data_contents[0] is presumably the key encrypted under
 * the master key (krb5_dbekd_decrypt_key_data() takes a key_data plus
 * mkey and yields a plaintext dbkey) -- confirm against the encoder, and
 * treat the contents as secret material either way.
 */
typedef struct _krb5_key_data {
    krb5_int16 key_data_ver;            /* Version */
    krb5_int16 key_data_kvno;           /* Key Version */
    krb5_int16 key_data_type[2];        /* Array of types */
    krb5_ui_2 key_data_length[2];       /* Array of lengths */
    krb5_octet * key_data_contents[2];  /* Array of pointers */
} krb5_key_data;

/* Size of the key_data_* arrays above; bump with the version if it changes. */
#define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */
2N/A
/*
 * Salt accompanying a decrypted key: type is a KRB5_KDB_SALTTYPE_* value
 * and data the salt bytes (see krb5_dbekd_decrypt_key_data() /
 * krb5_dbekd_encrypt_key_data(), which fill and consume one of these).
 */
typedef struct _krb5_keysalt {
    krb5_int16 type;
    krb5_data data; /* Length, data */
} krb5_keysalt;
2N/A
/*
 * In-memory form of one principal entry.  magic is not serialized (it is
 * presumably compared against KRB5_KDB_MAGIC_NUMBER); mask records which
 * members have been changed/set.  n_tl_data and n_key_data are the counts
 * behind the tl_data list and the key_data array.  Both counts are signed
 * 16-bit values, so code that decodes an entry from storage should reject
 * a negative count before iterating.  fail_auth_count is presumably the
 * counter compared with KRB5_MAX_FAIL_COUNT (see below) to decide when
 * KRB5_KDB_DISALLOW_ALL_TIX gets set.  e_data/e_length carry opaque
 * extra bytes that are saved with the entry.
 */
typedef struct _krb5_db_entry_new {
    krb5_magic magic;                   /* NOT saved */
    krb5_ui_2 len;
    krb5_ui_4 mask;                     /* members currently changed/set */
    krb5_flags attributes;              /* KRB5_KDB_* attribute bits (by name) */
    krb5_deltat max_life;
    krb5_deltat max_renewable_life;
    krb5_timestamp expiration;          /* When the client expires */
    krb5_timestamp pw_expiration;       /* When its passwd expires */
    krb5_timestamp last_success;        /* Last successful passwd */
    krb5_timestamp last_failed;         /* Last failed passwd attempt */
    krb5_kvno fail_auth_count;          /* # of failed passwd attempt */
    krb5_int16 n_tl_data;               /* length of the tl_data list */
    krb5_int16 n_key_data;              /* elements in key_data[] */
    krb5_ui_2 e_length;                 /* Length of extra data */
    krb5_octet * e_data;                /* Extra data to be saved */

    krb5_principal princ;               /* Length, data */
    krb5_tl_data * tl_data;             /* Linked list */
    krb5_key_data * key_data;           /* Array */
} krb5_db_entry;
2N/A
/*
 * Password policy record.  The fields through policy_refcnt exist in
 * every version; pw_max_fail, pw_failcnt_interval and pw_lockout_duration
 * are only meaningful when version > 1, so readers must check version
 * before consulting them.  The trailing comments on those three look like
 * the corresponding LDAP password-policy attribute names.  name is the
 * key used by krb5_db_get_policy()/krb5_db_delete_policy().
 */
typedef struct _osa_policy_ent_t {
    int version;
    char *name;
    krb5_ui_4 pw_min_life;
    krb5_ui_4 pw_max_life;
    krb5_ui_4 pw_min_length;
    krb5_ui_4 pw_min_classes;
    krb5_ui_4 pw_history_num;
    krb5_ui_4 policy_refcnt;
    /* Only valid if version > 1 */
    krb5_ui_4 pw_max_fail;              /* pwdMaxFailure */
    krb5_ui_4 pw_failcnt_interval;      /* pwdFailureCountInterval */
    krb5_ui_4 pw_lockout_duration;      /* pwdLockoutDuration */
} osa_policy_ent_rec, *osa_policy_ent_t;
2N/A
/*
 * Callback type for krb5_db_iter_policy() and the db_iter_policy vtable
 * slot; the void * is presumably the caller's data argument, the second
 * parameter the policy being visited.
 */
typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);
2N/A
/*
 * (enctype, salt type) pair requesting one key to be generated, e.g. by
 * krb5_dbe_cpw()/krb5_dbe_ark()/krb5_dbe_crk()/krb5_dbe_apw() below, which
 * take an array of ks_tuple_count of these.  ks_salttype uses the
 * KRB5_KDB_SALTTYPE_* values.  NOTE(review): the struct tag begins with
 * "__", which ISO C reserves for the implementation; left unchanged for
 * source compatibility.
 */
typedef struct __krb5_key_salt_tuple {
    krb5_enctype ks_enctype;
    krb5_int32 ks_salttype;
} krb5_key_salt_tuple;
2N/A
/* Presumably the expected value of krb5_db_entry.magic -- confirm. */
#define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb
/*
 * NOTE(review): presumably the byte length of the fixed-width prefix of a
 * version-1 serialized entry -- confirm against the entry encoder before
 * relying on it for bounds checks.
 */
#define KRB5_KDB_V1_BASE_LENGTH 38

/*
 * tl_data_type tags.  Values below 0x0100 are the core and kadmin types;
 * the 0x0100..0x0600 range carries PAC, referral, delegation and
 * certificate data.  NOTE(review): KRB5_TL_DB_ARGS is only defined when
 * SECURID is, which may be unintentional -- confirm whether it belongs
 * outside that #ifdef.
 */
#define KRB5_TL_LAST_PWD_CHANGE 0x0001
#define KRB5_TL_MOD_PRINC 0x0002
#define KRB5_TL_KADM_DATA 0x0003
#define KRB5_TL_KADM5_E_DATA 0x0004
#define KRB5_TL_RB1_CHALLENGE 0x0005
#ifdef SECURID
#define KRB5_TL_SECURID_STATE 0x0006
#define KRB5_TL_DB_ARGS 0x7fff
#endif /* SECURID */
#define KRB5_TL_USER_CERTIFICATE 0x0007
#define KRB5_TL_MKVNO 0x0008
#define KRB5_TL_ACTKVNO 0x0009
#define KRB5_TL_MKEY_AUX 0x000a

#define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
#define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
#define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
#define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
/*
 * An LM one-way-function hash is a legacy, weak credential form; any
 * backend that stores it must protect it exactly like key_data contents.
 */
#define KRB5_TL_LM_KEY 0x0500 /* LM OWF */
#define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */

/* version number for KRB5_TL_ACTKVNO data */
#define KRB5_TL_ACTKVNO_VER 1

/* version number for KRB5_TL_MKEY_AUX data */
#define KRB5_TL_MKEY_AUX_VER 1
2N/A
/*
 * One element of a master key activation list: master key version
 * act_kvno becomes active at act_time.  Lists are produced by
 * krb5_dbe_lookup_actkvno()/krb5_dbe_fetch_act_key_list() and stored as
 * KRB5_TL_ACTKVNO data (format version KRB5_TL_ACTKVNO_VER); release with
 * krb5_dbe_free_actkvno_list().
 */
typedef struct _krb5_actkvno_node {
    struct _krb5_actkvno_node *next;
    krb5_kvno act_kvno;
    krb5_timestamp act_time;
} krb5_actkvno_node;
2N/A
/*
 * One element of the master key auxiliary list: latest_mkey is the most
 * recent master key, stored encrypted under the master key of version
 * mkey_kvno (per the field comments).  Read/written by
 * krb5_dbe_lookup_mkey_aux()/krb5_dbe_update_mkey_aux() as KRB5_TL_MKEY_AUX
 * data (format version KRB5_TL_MKEY_AUX_VER); release with
 * krb5_dbe_free_mkey_aux_list().
 */
typedef struct _krb5_mkey_aux_node {
    struct _krb5_mkey_aux_node *next;
    krb5_kvno mkey_kvno;        /* kvno of mkey protecting the latest_mkey */
    krb5_key_data latest_mkey;  /* most recent mkey */
} krb5_mkey_aux_node;
2N/A
/*
 * One element of a (keyblock, kvno) list.  Used for the master key list
 * (krb5_def_fetch_mkey_list() fills a krb5_keylist_node **), so keyblock
 * holds plaintext master key material.  Release with
 * krb5_dbe_free_key_list(); NOTE(review): whether that zeroizes the
 * keyblocks before freeing is not visible in this header -- confirm.
 */
typedef struct _krb5_keylist_node {
    krb5_keyblock keyblock;
    krb5_kvno kvno;
    struct _krb5_keylist_node *next;
} krb5_keylist_node;
2N/A
/*
 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
 * on the principal.
 */
#define KRB5_MAX_FAIL_COUNT 5

/* XXX depends on knowledge of krb5_parse_name() formats */
/*
 * Master key principal name.  The realm is presumably appended by
 * krb5_db_setup_mkey_name() below, given its keyname/realm parameters.
 */
#define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */

/* prompts used by default when reading the KDC password from the keyboard. */
#define KRB5_KDC_MKEY_1 "Enter KDC database master key"
#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify"


/*
 * Overridable prompt strings; the KRB5_KDC_MKEY_* literals above are
 * presumably their defaults -- confirm where these are defined.
 */
extern char *krb5_mkey_pwd_prompt1;
extern char *krb5_mkey_pwd_prompt2;
2N/A
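/*
 * These macros specify the encoding of data within the database.
 *
 * Data encoding is little-endian.
 *
 * Only visible to library internals (the guard macro suggests k5-int.h),
 * since they rely on load_*_le/store_*_le, presumably from k5-platform.h.
 * The decode macros assign through a pointer cast, which presumably lets
 * i16/i32 be either the signed or the unsigned krb5 type of that width.
 * Each expansion is wrapped in parentheses so the macro behaves as a single
 * expression wherever it is used.
 */
#ifdef _KRB5_INT_H
#include "k5-platform.h"
#define krb5_kdb_decode_int16(cp, i16) \
    (*((krb5_int16 *) &(i16)) = load_16_le(cp))
#define krb5_kdb_decode_int32(cp, i32) \
    (*((krb5_int32 *) &(i32)) = load_32_le(cp))
#define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp)
#define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp)
#endif /* _KRB5_INT_H */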
2N/A
/* Open modes; by name, the mode argument of krb5_db_open() and init_module. */
#define KRB5_KDB_OPEN_RW 0
#define KRB5_KDB_OPEN_RO 1

/*
 * Server-type codes.  Each is guarded so that a definition made before
 * this header is included takes precedence.
 */
#ifndef KRB5_KDB_SRV_TYPE_KDC
#define KRB5_KDB_SRV_TYPE_KDC 0x0100
#endif

#ifndef KRB5_KDB_SRV_TYPE_ADMIN
#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200
#endif

#ifndef KRB5_KDB_SRV_TYPE_PASSWD
#define KRB5_KDB_SRV_TYPE_PASSWD 0x0300
#endif

#ifndef KRB5_KDB_SRV_TYPE_OTHER
#define KRB5_KDB_SRV_TYPE_OTHER 0x0400
#endif

/*
 * Option selectors for krb5_db_set_option(); the type behind its void
 * *value argument presumably depends on the option -- confirm per backend.
 */
#define KRB5_KDB_OPT_SET_DB_NAME 0
#define KRB5_KDB_OPT_SET_LOCK_MODE 1

/*
 * Lock modes for krb5_db_lock() (by name).  The values are distinct bits,
 * so DONTBLOCK/PERMANENT can presumably be OR-ed with SHARED or EXCLUSIVE.
 */
#define KRB5_DB_LOCKMODE_SHARED 0x0001
#define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002
#define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
2N/A
/* db_invoke methods */
/*
 * Method selectors for krb5_db_invoke() and the db_invoke vtable slot.
 * Each has a same-named kdb_*_req (and for SIGN_AUTH_DATA and the two
 * CHECK_POLICY methods a kdb_*_rep) structure below; that name match is
 * the only link visible in this header.  REFRESH_POLICY has no request
 * structure here.
 */
#define KRB5_KDB_METHOD_SIGN_AUTH_DATA 0x00000010
#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
2N/A
/*
 * Request for KRB5_KDB_METHOD_SIGN_AUTH_DATA.  Which key pointers are
 * populated depends on the request type: per the field comments client_key
 * is valid only for an AS-REQ and krbtgt_key only for a TGS-REQ, so a
 * backend must decide from flags (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
 * documented above as "Is AS-REQ") which pointer to use rather than assume
 * both are non-NULL.  auth_data is the input authorization data; the
 * signed result comes back in kdb_sign_auth_data_rep.
 */
typedef struct _kdb_sign_auth_data_req {
    krb5_magic magic;
    unsigned int flags;                 /* KRB5_KDB flags */
    krb5_const_principal client_princ;  /* Client name used in ticket */
    krb5_db_entry *client;              /* DB entry for client principal */
    krb5_db_entry *server;              /* DB entry for server principal */
    krb5_db_entry *krbtgt;              /* DB entry for ticket granting service principal */
    krb5_keyblock *client_key;          /* Reply key, valid for AS-REQ only */
    krb5_keyblock *server_key;          /* Key used to generate server signature */
    krb5_timestamp authtime;            /* Authtime of TGT */
    krb5_authdata **auth_data;          /* Authorization data from TGT */
    krb5_keyblock *session_key;         /* Reply session key */
    krb5_keyblock *krbtgt_key;          /* Key used to decrypt TGT, valid for TGS-REQ only */
} kdb_sign_auth_data_req;
2N/A
/*
 * Reply for KRB5_KDB_METHOD_SIGN_AUTH_DATA: auth_data receives the signed
 * authorization data.  Ownership of the returned array is not stated
 * here; presumably the caller releases it -- confirm the convention.
 */
typedef struct _kdb_sign_auth_data_rep {
    krb5_magic magic;
    krb5_authdata **auth_data;          /* Signed authorization data */
} kdb_sign_auth_data_rep;
2N/A
/*
 * Request for KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: tr_contents is the
 * transited-realms field to validate between client_realm and
 * server_realm (by name).  All three are const, so the backend only reads
 * them; its verdict is the krb5_error_code returned from db_invoke.
 */
typedef struct _kdb_check_transited_realms_req {
    krb5_magic magic;
    const krb5_data *tr_contents;
    const krb5_data *client_realm;
    const krb5_data *server_realm;
} kdb_check_transited_realms_req;
2N/A
/*
 * Request for KRB5_KDB_METHOD_CHECK_POLICY_AS: the incoming AS request, the
 * client and server entries already looked up, and the KDC's current time
 * (kdc_time) so the backend can evaluate time-based policy without
 * consulting its own clock.
 */
typedef struct _kdb_check_policy_as_req {
    krb5_magic magic;
    krb5_kdc_req *request;
    krb5_db_entry *client;
    krb5_db_entry *server;
    krb5_timestamp kdc_time;
} kdb_check_policy_as_req;
2N/A
/*
 * Reply for KRB5_KDB_METHOD_CHECK_POLICY_AS.  status is presumably a short
 * string for the KDC log on denial and e_data opaque error data returned
 * to the client -- confirm.  e_data is embedded by value, so the callee
 * presumably allocates its contents and the caller frees them; confirm the
 * ownership convention before implementing.
 */
typedef struct _kdb_check_policy_as_rep {
    krb5_magic magic;
    const char *status;
    krb5_data e_data;
} kdb_check_policy_as_rep;
2N/A
/*
 * Request for KRB5_KDB_METHOD_CHECK_POLICY_TGS: the TGS request, the
 * target server entry and the presented (already decrypted, presumably)
 * ticket.  Unlike the AS form there is no client entry and no kdc_time.
 */
typedef struct _kdb_check_policy_tgs_req {
    krb5_magic magic;
    krb5_kdc_req *request;
    krb5_db_entry *server;
    krb5_ticket *ticket;
} kdb_check_policy_tgs_req;
2N/A
/*
 * Reply for KRB5_KDB_METHOD_CHECK_POLICY_TGS; same layout and ownership
 * caveats as kdb_check_policy_as_rep (status string for the log, e_data by
 * value -- confirm who frees its contents).
 */
typedef struct _kdb_check_policy_tgs_rep {
    krb5_magic magic;
    const char *status;
    krb5_data e_data;
} kdb_check_policy_tgs_rep;
2N/A
/*
 * Request for KRB5_KDB_METHOD_AUDIT_AS, delivered after an AS exchange
 * completes: the request, both entries, the authtime and the final
 * error_code (0 presumably meaning success).  Audit hooks should treat
 * request contents as attacker-controlled when formatting log lines.
 */
typedef struct _kdb_audit_as_req {
    krb5_magic magic;
    krb5_kdc_req *request;
    krb5_db_entry *client;
    krb5_db_entry *server;
    krb5_timestamp authtime;
    krb5_error_code error_code;
} kdb_audit_as_req;
2N/A
/*
 * Request for KRB5_KDB_METHOD_AUDIT_TGS, the TGS counterpart of
 * kdb_audit_as_req.  The client is given as a principal name only (there
 * is no client DB entry on the TGS path), and it is const.
 */
typedef struct _kdb_audit_tgs_req {
    krb5_magic magic;
    krb5_kdc_req *request;
    krb5_const_principal client;
    krb5_db_entry *server;
    krb5_timestamp authtime;
    krb5_error_code error_code;
} kdb_audit_tgs_req;
2N/A
/*
 * Request for KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: asks whether
 * server may obtain a ticket to proxy on behalf of client (field names;
 * see KRB5_KDB_FLAG_CONSTRAINED_DELEGATION above).  Every field is const.
 * A backend implementing this is the enforcement point for constrained
 * delegation, so it should fail closed (return an error) whenever it has
 * no authoritative ACL data for server.
 */
typedef struct _kdb_check_allowed_to_delegate_req {
    krb5_magic magic;
    const krb5_db_entry *server;
    krb5_const_principal proxy;
    krb5_const_principal client;
} kdb_check_allowed_to_delegate_req;
2N/A
/* libkdb.spec */

/*
 * Library and backend lifecycle.  By their names and arguments:
 * krb5_db_setup_lib_handle() attaches the backend handle to kcontext;
 * krb5_db_open() opens a database described by the backend-specific
 * db_args list with mode KRB5_KDB_OPEN_RW/RO; krb5_db_init() and
 * krb5_db_fini() bracket use of the database and krb5_db_inited() reports
 * whether init has happened.  krb5_db_create() and kdb5_db_create() both
 * create a database from db_args -- which is the intended public entry
 * point is not visible here.  krb5_db_errcode2string() maps a backend
 * error code to a message (see the release_errcode_string vtable slot for
 * releasing it).  krb5_db_get_age() reports the database's modification
 * time in *t.  krb5_db_lock() takes a KRB5_DB_LOCKMODE_* value and is
 * paired with krb5_db_unlock().
 */
krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
krb5_error_code krb5_db_init ( krb5_context kcontext );
krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_inited ( krb5_context kcontext );
krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_fini ( krb5_context kcontext );
const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code );
krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args );
krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t );
krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value );
krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode );
krb5_error_code krb5_db_unlock ( krb5_context kcontext );
/*
 * Principal entry access.  *nentries is presumably the capacity of
 * entries[] on input and the number filled on output, with *more set when
 * further matches exist -- confirm in the backend.  Entries returned by
 * the get calls are released with krb5_db_free_principal(), passing the
 * same count.  The _ext variant adds the KRB5_KDB_FLAG_* lookup flags
 * (the plain form presumably passes KRB5_KDB_DEF_FLAGS).
 * krb5_db_put_principal() stores *nentries entries; note the db_put_principal
 * vtable slot additionally takes db_args, which this wrapper does not
 * expose.  krb5_db_delete_principal() reports the number removed in
 * *nentries (by name).
 */
krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
                                        krb5_const_principal search_for,
                                        krb5_db_entry *entries,
                                        int *nentries,
                                        krb5_boolean *more );
krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
                                            krb5_const_principal search_for,
                                            unsigned int flags,
                                            krb5_db_entry *entries,
                                            int *nentries,
                                            krb5_boolean *more );
krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
                                         krb5_db_entry *entry,
                                         int count );
krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
                                        krb5_db_entry *entries,
                                        int *nentries);
krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
                                           krb5_principal search_for,
                                           int *nentries );
/* Solaris Kerberos: adding support for db_args */
/*
 * krb5_db_iterate() calls func(func_arg, entry) for each entry matching
 * match_entry; whether a non-zero return from func stops the walk is not
 * visible here -- confirm in the backend.  db_args is passed through to
 * the backend.  krb5_supported_realms() fills *realms with a list that is
 * released with krb5_free_supported_realms().
 */
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
                                  char *match_entry,
                                  int (*func) (krb5_pointer, krb5_db_entry *),
                                  krb5_pointer func_arg,
                                  char **db_args );
krb5_error_code krb5_supported_realms ( krb5_context kcontext,
                                        char **realms );
krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
                                             char **realms );
/*
 * Master key handling (semantics inferred from names and arguments;
 * confirm against the implementation).  krb5_db_set_master_key_ext()
 * installs the master key given the password pwd and/or key;
 * krb5_db_set_mkey()/krb5_db_get_mkey() set and fetch the in-memory master
 * key, and krb5_db_free_master_key() releases one.  The store functions
 * write the key (or the whole list) to keyfile, protected by master_pwd.
 * krb5_db_fetch_mkey() obtains the key named mname: from the keyboard when
 * fromkeyboard is set (prompting a second time, KRB5_KDC_MKEY_2, when twice
 * is set), otherwise from the stash selected by db_args; it fills in kvno,
 * salt and key.  krb5_db_verify_master_key() checks mkey/kvno against the
 * stored master principal mprinc.
 * All of these handle plaintext master key material or the password that
 * derives it: callers should scrub pwd/master_pwd buffers after use and
 * release keys through krb5_db_free_master_key(), not plain free().
 */
krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
                                             char *pwd,
                                             krb5_keyblock *key );
krb5_error_code krb5_db_set_mkey ( krb5_context context,
                                   krb5_keyblock *key);
krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
                                   krb5_keyblock **key );

krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
                                          krb5_keyblock *key );
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
                                           char *keyfile,
                                           krb5_principal mname,
                                           krb5_kvno kvno,
                                           krb5_keyblock *key,
                                           char *master_pwd);
krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
                                                char *keyfile,
                                                krb5_principal mname,
                                                char *master_pwd);
krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
                                     krb5_principal mname,
                                     krb5_enctype etype,
                                     krb5_boolean fromkeyboard,
                                     krb5_boolean twice,
                                     char *db_args,
                                     krb5_kvno *kvno,
                                     krb5_data *salt,
                                     krb5_keyblock *key);
krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
                                            krb5_principal mprinc,
                                            krb5_kvno kvno,
                                            krb5_keyblock *mkey );
2N/A
/* Solaris Kerberos: removed unused mkvno arg */
/*
 * Load the list of master keys for mname, unlocked with mkey, into the
 * library's per-context list (presumably the one returned by
 * krb5_db_mkey_list_alias() below -- confirm).
 */
krb5_error_code
krb5_db_fetch_mkey_list( krb5_context context,
                         krb5_principal mname,
                         const krb5_keyblock * mkey );

/*
 * Find the key_data of dbentp with enctype ktype, salt type stype and key
 * version kvno, storing its address in *kdatap.  The pointer presumably
 * aliases the entry's own key_data array rather than a copy, so the entry
 * keeps ownership -- confirm.  Whether a negative ktype/stype/kvno acts as
 * a wildcard is not visible here; confirm in the implementation.
 */
krb5_error_code
krb5_dbe_find_enctype( krb5_context kcontext,
                       krb5_db_entry *dbentp,
                       krb5_int32 ktype,
                       krb5_int32 stype,
                       krb5_int32 kvno,
                       krb5_key_data **kdatap);
2N/A
2N/A
/*
 * Like krb5_dbe_find_enctype() but resumable: *start is a cursor into
 * dbentp's key_data array that the call advances past the match, so a
 * loop can enumerate every matching key (by name/arguments; confirm).
 * Dispatches to the dbe_search_enctype vtable slot, whose default is
 * krb5_dbe_def_search_enctype() below.
 */
krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
                                          krb5_db_entry *dbentp,
                                          krb5_int32 *start,
                                          krb5_int32 ktype,
                                          krb5_int32 stype,
                                          krb5_int32 kvno,
                                          krb5_key_data **kdatap);

/*
 * Build the master key principal from keyname (e.g. KRB5_KDB_M_NAME) and
 * realm, returning both the printable name in *fullname and the parsed
 * principal in *principal; the caller presumably owns both results.
 * Note the setup_master_key_name vtable slot takes non-const keyname/realm
 * although this wrapper takes const char *.
 */
krb5_error_code
krb5_db_setup_mkey_name ( krb5_context context,
                          const char *keyname,
                          const char *realm,
                          char **fullname,
                          krb5_principal *principal);
2N/A
/*
 * Convert between the stored form of a key in key_data and the plaintext
 * keyblock dbkey, with keysalt carrying the salt; mkey is presumably the
 * master key that protects the stored form.  Since the stored form is what
 * key_data_contents[] holds on disk, the plaintext dbkey produced by
 * decrypt should be cleared (krb5_free_keyblock_contents() or equivalent)
 * as soon as it is no longer needed.  keyver selects the key_data_ver that
 * encrypt produces.  These dispatch to the dbekd_* vtable slots, whose
 * defaults are krb5_dbekd_def_*_key_data() below.
 */
krb5_error_code
krb5_dbekd_decrypt_key_data( krb5_context context,
                             const krb5_keyblock * mkey,
                             const krb5_key_data * key_data,
                             krb5_keyblock * dbkey,
                             krb5_keysalt * keysalt);

krb5_error_code
krb5_dbekd_encrypt_key_data( krb5_context context,
                             const krb5_keyblock * mkey,
                             const krb5_keyblock * dbkey,
                             const krb5_keysalt * keysalt,
                             int keyver,
                             krb5_key_data * key_data);
2N/A
/*
 * Master key versioning (semantics by name; confirm in the implementation).
 * krb5_dbe_fetch_act_key_list() returns the activation list
 * (krb5_actkvno_node) for princ; krb5_dbe_find_act_mkey() picks from that
 * list the currently active kvno and master key; krb5_dbe_find_mkey()
 * returns the master key protecting entry's keys.  The comments below
 * distinguish krb5_dbe_lookup_mkvno() (0 when absent) from
 * krb5_dbe_get_mkvno() (minimum kvno of the master key list when absent).
 * krb5_db_mkey_list_alias(), as its name says, returns the library's own
 * list rather than a copy: do not free it.
 */
krb5_error_code
krb5_dbe_fetch_act_key_list(krb5_context context,
                            krb5_principal princ,
                            krb5_actkvno_node **act_key_list);

krb5_error_code
krb5_dbe_find_act_mkey( krb5_context context,
                        krb5_actkvno_node * act_mkey_list,
                        krb5_kvno * act_kvno,
                        krb5_keyblock ** act_mkey);

krb5_error_code
krb5_dbe_find_mkey( krb5_context context,
                    krb5_db_entry * entry,
                    krb5_keyblock ** mkey);

/* Set *mkvno to mkvno in entry tl_data, or 0 if not present. */
krb5_error_code
krb5_dbe_lookup_mkvno( krb5_context context,
                       krb5_db_entry * entry,
                       krb5_kvno * mkvno);

krb5_keylist_node *
krb5_db_mkey_list_alias( krb5_context kcontext );

/* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */
krb5_error_code
krb5_dbe_get_mkvno( krb5_context context,
                    krb5_db_entry * entry,
                    krb5_kvno * mkvno);
2N/A
/*
 * Typed accessors over entry's tl_data list.  The lookup_*/update_* pairs
 * read or write one record each -- by name, KRB5_TL_MOD_PRINC,
 * KRB5_TL_MKEY_AUX, KRB5_TL_MKVNO, KRB5_TL_ACTKVNO and
 * KRB5_TL_LAST_PWD_CHANGE respectively; confirm the mapping in the
 * implementation.  Lookups that return a list hand back allocated nodes,
 * released with the matching krb5_dbe_free_*_list() function below;
 * mod_princ from krb5_dbe_lookup_mod_princ_data() is presumably released
 * with krb5_free_principal().  krb5_dbe_lookup_tl_data() is the generic
 * form: ret_tl_data->tl_data_type selects the record and its
 * length/contents are filled in, presumably aliasing the entry's storage
 * -- confirm before modifying or freeing them.  krb5_dbe_create_key_data()
 * presumably appends one element to entry->key_data.
 */
krb5_error_code
krb5_dbe_lookup_mod_princ_data( krb5_context context,
                                krb5_db_entry * entry,
                                krb5_timestamp * mod_time,
                                krb5_principal * mod_princ);

krb5_error_code
krb5_dbe_lookup_mkey_aux( krb5_context context,
                          krb5_db_entry * entry,
                          krb5_mkey_aux_node ** mkey_aux_data_list);
krb5_error_code
krb5_dbe_update_mkvno( krb5_context context,
                       krb5_db_entry * entry,
                       krb5_kvno mkvno);

krb5_error_code
krb5_dbe_lookup_actkvno( krb5_context context,
                         krb5_db_entry * entry,
                         krb5_actkvno_node ** actkvno_list);

krb5_error_code
krb5_dbe_update_mkey_aux( krb5_context context,
                          krb5_db_entry * entry,
                          krb5_mkey_aux_node * mkey_aux_data_list);

krb5_error_code
krb5_dbe_update_actkvno(krb5_context context,
                        krb5_db_entry * entry,
                        const krb5_actkvno_node *actkvno_list);

krb5_error_code
krb5_dbe_update_last_pwd_change( krb5_context context,
                                 krb5_db_entry * entry,
                                 krb5_timestamp stamp);

krb5_error_code
krb5_dbe_lookup_tl_data( krb5_context context,
                         krb5_db_entry * entry,
                         krb5_tl_data * ret_tl_data);

krb5_error_code
krb5_dbe_create_key_data( krb5_context context,
                          krb5_db_entry * entry);
2N/A
2N/A
/*
 * krb5_dbe_update_mod_princ_data() records who (mod_princ) modified entry
 * and when (mod_date).  krb5_db_alloc()/krb5_db_free() route memory through
 * the backend's db_alloc/db_free vtable slots, so memory obtained from a
 * backend is returned to the same allocator; by analogy with realloc(),
 * ptr may presumably be NULL for a fresh allocation -- confirm.
 * krb5_dbe_lookup_last_pwd_change() reads the KRB5_TL_LAST_PWD_CHANGE
 * stamp (by name).  krb5_dbe_delete_tl_data() removes the record(s) of
 * tl_data_type; krb5_dbe_update_tl_data() replaces or appends the record
 * whose type matches new_tl_data, presumably copying its contents --
 * confirm who owns new_tl_data->tl_data_contents afterwards.
 */
krb5_error_code
krb5_dbe_update_mod_princ_data( krb5_context context,
                                krb5_db_entry * entry,
                                krb5_timestamp mod_date,
                                krb5_const_principal mod_princ);

void *krb5_db_alloc( krb5_context kcontext,
                     void *ptr,
                     size_t size );

void krb5_db_free( krb5_context kcontext,
                   void *ptr);


krb5_error_code
krb5_dbe_lookup_last_pwd_change( krb5_context context,
                                 krb5_db_entry * entry,
                                 krb5_timestamp * stamp);

krb5_error_code
krb5_dbe_delete_tl_data( krb5_context context,
                         krb5_db_entry * entry,
                         krb5_int16 tl_data_type);

krb5_error_code
krb5_dbe_update_tl_data( krb5_context context,
                         krb5_db_entry * entry,
                         krb5_tl_data * new_tl_data);
2N/A
/*
 * Key generation on db_entry, protecting the result with master_key.  By
 * name and arguments (confirm in the implementation): cpw derives keys
 * from passwd for each (enctype, salt type) in ks_tuple[0..ks_tuple_count)
 * at version new_kvno, retaining the old keys when keepold; ark sets
 * random keys; crk sets random keys with optional keepold; apw adds
 * password-derived keys.  passwd and master_key are secrets: callers
 * should zeroize passwd once the call returns.
 * krb5_db_get_key_data_kvno() presumably returns the highest key_data_kvno
 * among the count elements of data.
 * krb5_db_invoke() is the generic backend call: method is a
 * KRB5_KDB_METHOD_* selector and req/rep presumably wrap the matching
 * kdb_*_req/kdb_*_rep structure -- confirm how they are marshalled into
 * krb5_data.
 */
krb5_error_code
krb5_dbe_cpw( krb5_context kcontext,
              krb5_keyblock * master_key,
              krb5_key_salt_tuple * ks_tuple,
              int ks_tuple_count,
              char * passwd,
              int new_kvno,
              krb5_boolean keepold,
              krb5_db_entry * db_entry);


krb5_error_code
krb5_dbe_ark( krb5_context context,
              krb5_keyblock * master_key,
              krb5_key_salt_tuple * ks_tuple,
              int ks_tuple_count,
              krb5_db_entry * db_entry);

krb5_error_code
krb5_dbe_crk( krb5_context context,
              krb5_keyblock * master_key,
              krb5_key_salt_tuple * ks_tuple,
              int ks_tuple_count,
              krb5_boolean keepold,
              krb5_db_entry * db_entry);

krb5_error_code
krb5_dbe_apw( krb5_context context,
              krb5_keyblock * master_key,
              krb5_key_salt_tuple * ks_tuple,
              int ks_tuple_count,
              char * passwd,
              krb5_db_entry * db_entry);

int
krb5_db_get_key_data_kvno( krb5_context context,
                           int count,
                           krb5_key_data * data);

krb5_error_code krb5_db_invoke ( krb5_context kcontext,
                                 unsigned int method,
                                 const krb5_data *req,
                                 krb5_data *rep );
2N/A
2N/A
/* default functions. Should not be directly called */
/*
 * Default functions prototype
 *
 * Reference implementations that a backend's kdb_vftabl can point at (or
 * that libkdb presumably falls back to when a slot is NULL -- confirm in
 * the dispatcher).  Callers go through the krb5_db_*/krb5_dbe_* wrappers
 * above, never through these directly.
 */

/* Default for the dbe_search_enctype slot; see krb5_dbe_search_enctype(). */
krb5_error_code
krb5_dbe_def_search_enctype( krb5_context kcontext,
                             krb5_db_entry *dbentp,
                             krb5_int32 *start,
                             krb5_int32 ktype,
                             krb5_int32 stype,
                             krb5_int32 kvno,
                             krb5_key_data **kdatap);
2N/A
/*
 * Defaults for the store_master_key / store_master_key_list /
 * fetch_master_key / verify_master_key / fetch_master_key_list vtable
 * slots (by name).  keyfile is the stash file path and master_pwd the
 * password protecting it; krb5_def_fetch_mkey() reads the stash selected
 * by db_args, returning key and kvno.  krb5_def_fetch_mkey_list() returns
 * an allocated krb5_keylist_node list of plaintext master keys, released
 * with krb5_dbe_free_key_list().
 */
krb5_error_code
krb5_def_store_mkey( krb5_context context,
                     char *keyfile,
                     krb5_principal mname,
                     krb5_kvno kvno,
                     krb5_keyblock *key,
                     char *master_pwd);

krb5_error_code
krb5_def_store_mkey_list( krb5_context context,
                          char *keyfile,
                          krb5_principal mname,
                          krb5_keylist_node *keylist,
                          char *master_pwd);

krb5_error_code
krb5_db_def_fetch_mkey( krb5_context context,
                        krb5_principal mname,
                        krb5_keyblock *key,
                        krb5_kvno *kvno,
                        char *db_args);

krb5_error_code
krb5_def_verify_master_key( krb5_context context,
                            krb5_principal mprinc,
                            krb5_kvno kvno,
                            krb5_keyblock *mkey);

/* Solaris Kerberos: removed unused mkvno arg */
krb5_error_code
krb5_def_fetch_mkey_list( krb5_context context,
                          krb5_principal mprinc,
                          const krb5_keyblock *mkey,
                          krb5_keylist_node **mkeys_list);
2N/A
/*
 * Defaults for the set_master_key / get_master_key slots and their list
 * counterparts (by name).  The get variants hand back the library's stored
 * key or list; whether that is an alias or a copy is not visible here --
 * confirm before freeing.
 */
krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
                                   char *pwd,
                                   krb5_keyblock *key );

krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext,
                                        krb5_keylist_node *keylist );

krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
                                   krb5_keyblock **key );

krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext,
                                        krb5_keylist_node **keylist );
2N/A
/*
 * Default for the db_change_pwd slot; same contract as krb5_dbe_cpw().
 * passwd is a secret; callers zeroize it after the call.
 */
krb5_error_code
krb5_dbe_def_cpw( krb5_context context,
                  krb5_keyblock * master_key,
                  krb5_key_salt_tuple * ks_tuple,
                  int ks_tuple_count,
                  char * passwd,
                  int new_kvno,
                  krb5_boolean keepold,
                  krb5_db_entry * db_entry);

/*
 * Default for the promote_db slot.  The unnamed parameters correspond, by
 * position, to that slot's conf_section and db_args.
 */
krb5_error_code
krb5_def_promote_db(krb5_context, char *, char **);
2N/A
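/*
 * Defaults for the dbekd_decrypt_key_data / dbekd_encrypt_key_data slots.
 * Same parameter contract as krb5_dbekd_decrypt_key_data() and
 * krb5_dbekd_encrypt_key_data() above: mkey presumably protects the stored
 * form in key_data, dbkey is the plaintext key and keysalt its salt.
 * Each prototype is declared once here (the pair was previously repeated).
 */
krb5_error_code
krb5_dbekd_def_decrypt_key_data( krb5_context context,
                                 const krb5_keyblock * mkey,
                                 const krb5_key_data * key_data,
                                 krb5_keyblock * dbkey,
                                 krb5_keysalt * keysalt);

krb5_error_code
krb5_dbekd_def_encrypt_key_data( krb5_context context,
                                 const krb5_keyblock * mkey,
                                 const krb5_keyblock * dbkey,
                                 const krb5_keysalt * keysalt,
                                 int keyver,
                                 krb5_key_data * key_data);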
2N/A
/*
 * Password policy CRUD, dispatched to the db_*_policy vtable slots.
 * krb5_db_get_policy() looks up name and returns the record in *policy
 * with *nentries set (presumably 0 or 1 -- confirm); release it with
 * krb5_db_free_policy().  krb5_db_iter_policy() calls func(data, policy)
 * for each policy matching match_entry.  create/put/delete take the
 * policy record or its name respectively.
 */
krb5_error_code
krb5_db_create_policy( krb5_context kcontext,
                       osa_policy_ent_t policy);

krb5_error_code
krb5_db_get_policy ( krb5_context kcontext,
                     char *name,
                     osa_policy_ent_t *policy,
                     int *nentries);

krb5_error_code
krb5_db_put_policy( krb5_context kcontext,
                    osa_policy_ent_t policy);

krb5_error_code
krb5_db_iter_policy( krb5_context kcontext,
                     char *match_entry,
                     osa_adb_iter_policy_func func,
                     void *data);

krb5_error_code
krb5_db_delete_policy( krb5_context kcontext,
                       char *policy);

void
krb5_db_free_policy( krb5_context kcontext,
                     osa_policy_ent_t policy);
2N/A
2N/A
/*
 * Attach/read the backend's private per-database state (db_context) on
 * the krb5_context; the library never interprets it (by name).
 */
krb5_error_code
krb5_db_set_context(krb5_context, void *db_context);

krb5_error_code
krb5_db_get_context(krb5_context, void **db_context);

/*
 * Destructors for structures produced by the lookup functions above.
 * krb5_dbe_free_key_data_contents() releases the contents of one
 * krb5_key_data, not the struct itself; the *_list variants walk and free
 * a whole linked list; krb5_dbe_free_tl_data() frees a tl_data list.
 * NOTE(review): whether key material (krb5_keylist_node.keyblock,
 * key_data_contents) is zeroized before release is not visible in this
 * header -- confirm in the implementation.
 */
void
krb5_dbe_free_key_data_contents(krb5_context, krb5_key_data *);

void
krb5_dbe_free_key_list(krb5_context, krb5_keylist_node *);

void
krb5_dbe_free_actkvno_list(krb5_context, krb5_actkvno_node *);

void
krb5_dbe_free_mkey_aux_list(krb5_context, krb5_mkey_aux_node *);

void
krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *);
2N/A
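/* Presumably the default KRB5_KDB_FLAG_* set (none) for plain lookups. */
#define KRB5_KDB_DEF_FLAGS 0

/*
 * Configuration lookup keys: the profile section and relation names used
 * to locate the database module and its library, plus the profile file
 * and environment variable that supply them.  DEFAULT_SECURE_PROFILE_PATH
 * and KDC_PROFILE_ENV come from another header.
 * KRB5_KDB_OPEN_* and KRB5_KDB_OPT_SET_* are defined earlier in this
 * header; they are not repeated here.
 */
#define KDB_MAX_DB_NAME 128
#define KDB_REALM_SECTION "realms"
#define KDB_MODULE_POINTER "database_module"
#define KDB_MODULE_DEF_SECTION "dbdefaults"
#define KDB_MODULE_SECTION "dbmodules"
#define KDB_LIB_POINTER "db_library"
#define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH
#define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV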
2N/A
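/*
 * Backend vtable.  Every KDB module exports one of these and libkdb
 * dispatches the krb5_db_*() wrappers above through it.  maj_ver/min_ver
 * let the loader reject a module built against an incompatible layout, so
 * new slots must be appended, never inserted.  The slots after the
 * "optional functions" comment may presumably be left NULL, with libkdb
 * falling back to the krb5_*_def_*/kdb_def_* functions above -- that
 * fallback is inferred from the naming; confirm in the dispatcher.
 * NOTE(review): init_library and fini_library are declared with empty
 * parentheses, i.e. without a prototype (C23 would read that as (void)).
 * They are left as-is because changing the pointer type would affect every
 * module that assigns to them.
 */
typedef struct _kdb_vftabl {
    short int maj_ver;
    short int min_ver;

    krb5_error_code (*init_library)();
    krb5_error_code (*fini_library)();
    /* conf_section names the module's profile section; mode is KRB5_KDB_OPEN_* (by name). */
    krb5_error_code (*init_module) ( krb5_context kcontext,
                                     char * conf_section,
                                     char ** db_args,
                                     int mode );

    krb5_error_code (*fini_module) ( krb5_context kcontext );

    krb5_error_code (*db_create) ( krb5_context kcontext,
                                   char * conf_section,
                                   char ** db_args );

    krb5_error_code (*db_destroy) ( krb5_context kcontext,
                                    char *conf_section,
                                    char ** db_args );

    krb5_error_code (*db_get_age) ( krb5_context kcontext,
                                    char *db_name,
                                    time_t *age );

    /* option is KRB5_KDB_OPT_SET_*; value's type depends on the option. */
    krb5_error_code (*db_set_option) ( krb5_context kcontext,
                                       int option,
                                       void *value );

    /* mode is a KRB5_DB_LOCKMODE_* value (by name). */
    krb5_error_code (*db_lock) ( krb5_context kcontext,
                                 int mode );

    krb5_error_code (*db_unlock) ( krb5_context kcontext);

    /*
     * Unlike the public krb5_db_get_principal(), this slot always carries
     * the KRB5_KDB_FLAG_* lookup flags.
     */
    krb5_error_code (*db_get_principal) ( krb5_context kcontext,
                                          krb5_const_principal search_for,
                                          unsigned int flags,
                                          krb5_db_entry *entries,
                                          int *nentries,
                                          krb5_boolean *more );

    krb5_error_code (*db_free_principal) ( krb5_context kcontext,
                                           krb5_db_entry *entry,
                                           int count );

    /* Takes db_args, which the public krb5_db_put_principal() does not expose. */
    krb5_error_code (*db_put_principal) ( krb5_context kcontext,
                                          krb5_db_entry *entries,
                                          int *nentries,
                                          char **db_args);

    krb5_error_code (*db_delete_principal) ( krb5_context kcontext,
                                             krb5_const_principal search_for,
                                             int *nentries );

    krb5_error_code (*db_iterate) ( krb5_context kcontext,
                                    char *match_entry,
                                    int (*func) (krb5_pointer, krb5_db_entry *),
                                    krb5_pointer func_arg,
                                    char **db_args);

    krb5_error_code (*db_create_policy) ( krb5_context kcontext,
                                          osa_policy_ent_t policy );

    krb5_error_code (*db_get_policy) ( krb5_context kcontext,
                                       char *name,
                                       osa_policy_ent_t *policy,
                                       int *cnt);

    krb5_error_code (*db_put_policy) ( krb5_context kcontext,
                                       osa_policy_ent_t policy );

    krb5_error_code (*db_iter_policy) ( krb5_context kcontext,
                                        char *match_entry,
                                        osa_adb_iter_policy_func func,
                                        void *data );


    krb5_error_code (*db_delete_policy) ( krb5_context kcontext,
                                          char *policy );

    void (*db_free_policy) ( krb5_context kcontext,
                             osa_policy_ent_t val );

    krb5_error_code (*db_supported_realms) ( krb5_context kcontext,
                                             char **realms );

    krb5_error_code (*db_free_supported_realms) ( krb5_context kcontext,
                                                  char **realms );


    /* release_errcode_string frees a message obtained from errcode_2_string (by name). */
    const char * (*errcode_2_string) ( krb5_context kcontext,
                                       long err_code );

    void (*release_errcode_string) (krb5_context kcontext, const char *msg);

    /* Backend allocator pair behind krb5_db_alloc()/krb5_db_free(). */
    void * (*db_alloc) (krb5_context kcontext, void *ptr, size_t size);
    void (*db_free) (krb5_context kcontext, void *ptr);



    /* optional functions */
    krb5_error_code (*set_master_key) ( krb5_context kcontext,
                                        char *pwd,
                                        krb5_keyblock *key);

    krb5_error_code (*get_master_key) ( krb5_context kcontext,
                                        krb5_keyblock **key);

    /* Note: non-const keyname/realm here, const in krb5_db_setup_mkey_name(). */
    krb5_error_code (*setup_master_key_name) ( krb5_context kcontext,
                                               char *keyname,
                                               char *realm,
                                               char **fullname,
                                               krb5_principal *principal);

    krb5_error_code (*store_master_key) ( krb5_context kcontext,
                                          char *db_arg,
                                          krb5_principal mname,
                                          krb5_kvno kvno,
                                          krb5_keyblock *key,
                                          char *master_pwd);

    krb5_error_code (*fetch_master_key) ( krb5_context kcontext,
                                          krb5_principal mname,
                                          krb5_keyblock *key,
                                          krb5_kvno *kvno,
                                          char *db_args);

    krb5_error_code (*verify_master_key) ( krb5_context kcontext,
                                           krb5_principal mprinc,
                                           krb5_kvno kvno,
                                           krb5_keyblock *mkey );

    krb5_error_code (*fetch_master_key_list) (krb5_context kcontext,
                                              krb5_principal mname,
                                              const krb5_keyblock *key,
                                              krb5_keylist_node **mkeys_list);

    krb5_error_code (*store_master_key_list) ( krb5_context kcontext,
                                               char *db_arg,
                                               krb5_principal mname,
                                               krb5_keylist_node *keylist,
                                               char *master_pwd);

    /* Default: krb5_dbe_def_search_enctype(). */
    krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext,
                                            krb5_db_entry *dbentp,
                                            krb5_int32 *start,
                                            krb5_int32 ktype,
                                            krb5_int32 stype,
                                            krb5_int32 kvno,
                                            krb5_key_data **kdatap);


    /* Default: krb5_dbe_def_cpw(); see krb5_dbe_cpw() for the contract. */
    krb5_error_code
    (*db_change_pwd) ( krb5_context context,
                       krb5_keyblock * master_key,
                       krb5_key_salt_tuple * ks_tuple,
                       int ks_tuple_count,
                       char * passwd,
                       int new_kvno,
                       krb5_boolean keepold,
                       krb5_db_entry * db_entry);

    /* Promote a temporary database to be the live one. */
    krb5_error_code (*promote_db) (krb5_context context,
                                   char *conf_section,
                                   char **db_args);

    /* Defaults: krb5_dbekd_def_decrypt_key_data() / krb5_dbekd_def_encrypt_key_data(). */
    krb5_error_code (*dbekd_decrypt_key_data) ( krb5_context kcontext,
                                                const krb5_keyblock *mkey,
                                                const krb5_key_data *key_data,
                                                krb5_keyblock *dbkey,
                                                krb5_keysalt *keysalt );

    krb5_error_code (*dbekd_encrypt_key_data) ( krb5_context kcontext,
                                                const krb5_keyblock *mkey,
                                                const krb5_keyblock *dbkey,
                                                const krb5_keysalt *keysalt,
                                                int keyver,
                                                krb5_key_data *key_data );

    /* method is a KRB5_KDB_METHOD_* selector; req/rep carry the kdb_*_req/_rep structs. */
    krb5_error_code
    (*db_invoke) ( krb5_context context,
                   unsigned int method,
                   const krb5_data *req,
                   krb5_data *rep );
} kdb_vftabl;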
2N/A
#endif /* !defined(_WIN32) */

/* Solaris Kerberos */
/*
 * Report whether the loaded backend supports incremental propagation
 * (iprop): *iprop_supported is presumably set non-zero when it does.
 * Declared outside the _WIN32 guard, unlike the rest of the API.
 */
krb5_error_code krb5_db_supports_iprop(krb5_context kcontext,
                                       int *iprop_supported);

#endif /* KRB5_KDB5__ */