1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
9 * This header file is used internally by the Admin API server
10 * libraries and Admin server. IF YOU THINK YOU NEED TO USE THIS FILE
11 * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
14 #ifndef __KADM5_SERVER_INTERNAL_H__
15 #define __KADM5_SERVER_INTERNAL_H__
24 #include <kadm5/admin.h>
25 #include <krb5/plugin.h>
26 #include "admin_internal.h"
29 * This is the history key version for a newly created DB. We use this value
30 * for principals which have no password history yet to avoid having to look up
31 * the history key. Values other than 2 will cause compatibility issues with
32 * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
33 * an unexpected value of admin_history_kvno.
35 #define INITIAL_HIST_KVNO 2
37 /* A pwqual_handle represents a password quality plugin module. */
38 typedef struct pwqual_handle_st *pwqual_handle;
40 typedef struct kadm5_hook_handle_st *kadm5_hook_handle;
42 typedef struct _kadm5_server_handle_t {
43 krb5_ui_4 magic_number;
44 krb5_ui_4 struct_version;
45 krb5_ui_4 api_version;
47 krb5_principal current_caller;
48 kadm5_config_params params;
49 struct _kadm5_server_handle_t *lhandle;
51 pwqual_handle *qual_handles;
52 kadm5_hook_handle *hook_handles;
53 } kadm5_server_handle_rec, *kadm5_server_handle_t;
55 #define OSA_ADB_PRINC_VERSION_1 0x12345C01
57 typedef struct _osa_pw_hist_t {
59 krb5_key_data *key_data;
60 } osa_pw_hist_ent, *osa_pw_hist_t;
62 typedef struct _osa_princ_ent_t {
66 unsigned int old_key_len;
67 unsigned int old_key_next;
68 krb5_kvno admin_history_kvno;
69 osa_pw_hist_ent *old_keys;
70 } osa_princ_ent_rec, *osa_princ_ent_t;
73 kadm5_ret_t adb_policy_init(kadm5_server_handle_t handle);
74 kadm5_ret_t adb_policy_close(kadm5_server_handle_t handle);
75 kadm5_ret_t passwd_check(kadm5_server_handle_t handle,
76 const char *pass, kadm5_policy_ent_t policy,
77 krb5_principal principal);
78 kadm5_ret_t principal_exists(krb5_principal principal);
79 krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
80 char *r, int from_keyboard);
81 krb5_error_code kdb_init_hist(kadm5_server_handle_t handle,
83 krb5_error_code kdb_get_hist_key(kadm5_server_handle_t handle,
84 krb5_keyblock **keyblocks_out,
86 void kdb_free_keyblocks(kadm5_server_handle_t handle,
87 krb5_keyblock *keyblocks);
88 krb5_error_code kdb_get_entry(kadm5_server_handle_t handle,
89 krb5_principal principal,
90 krb5_db_entry **kdb, osa_princ_ent_rec *adb);
91 krb5_error_code kdb_free_entry(kadm5_server_handle_t handle,
92 krb5_db_entry *kdb, osa_princ_ent_rec *adb);
93 krb5_error_code kdb_put_entry(kadm5_server_handle_t handle,
94 krb5_db_entry *kdb, osa_princ_ent_rec *adb);
95 krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle,
97 krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle,
99 void (*iter_fct)(void *, krb5_principal),
102 kadm5_ret_t init_pwqual(kadm5_server_handle_t handle);
103 void destroy_pwqual(kadm5_server_handle_t handle);
105 /* XXX this ought to be in libkrb5.a, but isn't */
106 kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
109 kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
114 * *Warning* This is going to break if we
115 * *Warning* ever go multi-threaded
118 extern krb5_principal current_caller;
121 * Why is this (or something similar) not defined *anywhere* in krb5?
124 #define WORD_NOT_FOUND 1
127 * all the various mask bits or'd together
130 #define ALL_PRINC_MASK \
131 (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | \
132 KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | \
133 KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO | \
134 KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY | \
135 KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT )
137 #define ALL_POLICY_MASK \
138 (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
139 KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
140 KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
141 KADM5_PW_LOCKOUT_DURATION )
143 #define SERVER_CHECK_HANDLE(handle) \
145 kadm5_server_handle_t srvr = \
146 (kadm5_server_handle_t) handle; \
148 if (! srvr->current_caller) \
149 return KADM5_BAD_SERVER_HANDLE; \
150 if (! srvr->lhandle) \
151 return KADM5_BAD_SERVER_HANDLE; \
154 #define CHECK_HANDLE(handle) \
155 GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \
156 KADM5_NEW_SERVER_API_VERSION) \
157 SERVER_CHECK_HANDLE(handle)
159 bool_t xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);
162 osa_free_princ_ent(osa_princ_ent_t val);
164 /*** Password quality plugin consumer interface ***/
166 /* Load all available password quality plugin modules, bind each module to the
167 * realm's dictionary file, and store the result into *handles_out. Free the
168 * result with k5_pwqual_free_handles. */
170 k5_pwqual_load(krb5_context context, const char *dict_file,
171 pwqual_handle **handles_out);
173 /* Release a handle list allocated by k5_pwqual_load. */
175 k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);
177 /* Return the name of a password quality plugin module. */
179 k5_pwqual_name(krb5_context context, pwqual_handle handle);
181 /* Check a password using a password quality plugin module. */
183 k5_pwqual_check(krb5_context context, pwqual_handle handle,
184 const char *password, const char *policy_name,
185 krb5_principal princ);
187 /*** initvt functions for built-in password quality modules ***/
189 /* The dict module checks passwords against the realm's dictionary. */
191 pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
192 krb5_plugin_vtable vtable);
194 /* The empty module rejects empty passwords (even with no password policy). */
196 pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
197 krb5_plugin_vtable vtable);
199 /* The hesiod module checks passwords against GECOS fields from Hesiod passwd
200 * information (only if the tree was built with Hesiod support). */
202 pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
203 krb5_plugin_vtable vtable);
205 /* The princ module checks passwords against principal components. */
207 pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
208 krb5_plugin_vtable vtable);
211 * @name kadm5_hook plugin support
214 /** Load all kadm5_hook plugins. */
216 k5_kadm5_hook_load(krb5_context context,
217 kadm5_hook_handle **handles_out);
219 /** Free handles allocated by k5_kadm5_hook_load(). */
221 k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);
223 /** Call the chpass entry point on every kadm5_hook in @a handles. */
225 k5_kadm5_hook_chpass (krb5_context context,
226 kadm5_hook_handle *handles,
227 int stage, krb5_principal princ,
228 krb5_boolean keepold,
230 krb5_key_salt_tuple *ks_tuple,
231 const char *newpass);
233 /** Call the create entry point for kadm5_hook_plugins. */
235 k5_kadm5_hook_create (krb5_context context,
236 kadm5_hook_handle *handles,
238 kadm5_principal_ent_t princ, long mask,
240 krb5_key_salt_tuple *ks_tuple,
241 const char *newpass);
243 /** Call modify kadm5_hook entry point. */
245 k5_kadm5_hook_modify (krb5_context context,
246 kadm5_hook_handle *handles,
248 kadm5_principal_ent_t princ, long mask);
250 /** Call remove kadm5_hook entry point. */
252 k5_kadm5_hook_remove (krb5_context context,
253 kadm5_hook_handle *handles,
255 krb5_principal princ);
259 #endif /* __KADM5_SERVER_INTERNAL_H__ */