src/lib/kadm5/server_internal.h

   1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
   2 /*
   3  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
   4  *
   5  * $Header$
   6  */
   7
   8 /*
   9  * This header file is used internally by the Admin API server
  10  * libraries and Admin server.  IF YOU THINK YOU NEED TO USE THIS FILE
  11  * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
  12  */
  13
  14 #ifndef __KADM5_SERVER_INTERNAL_H__
  15 #define __KADM5_SERVER_INTERNAL_H__
  16
  17 #include    "autoconf.h"
  18 #ifdef HAVE_MEMORY_H
  19 #include    <memory.h>
  20 #endif
  21 #include    <stdlib.h>
  22 #include    <errno.h>
  23 #include    <kdb.h>
  24 #include    <kadm5/admin.h>
  25 #include    <krb5/plugin.h>
  26 #include    "admin_internal.h"
  27
  28 /*
  29  * This is the history key version for a newly created DB.  We use this value
  30  * for principals which have no password history yet to avoid having to look up
  31  * the history key.  Values other than 2 will cause compatibility issues with
  32  * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
  33  * an unexpected value of admin_history_kvno.
  34  */
  35 #define INITIAL_HIST_KVNO 2
  36
  37 /* A pwqual_handle represents a password quality plugin module. */
  38 typedef struct pwqual_handle_st *pwqual_handle;
  39
  40 typedef struct kadm5_hook_handle_st *kadm5_hook_handle;
  41
  42 typedef struct _kadm5_server_handle_t {
  43     krb5_ui_4       magic_number;
  44     krb5_ui_4       struct_version;
  45     krb5_ui_4       api_version;
  46     krb5_context    context;
  47     krb5_principal  current_caller;
  48     kadm5_config_params  params;
  49     struct _kadm5_server_handle_t *lhandle;
  50     char **db_args;
  51     pwqual_handle   *qual_handles;
  52     kadm5_hook_handle *hook_handles;
  53 } kadm5_server_handle_rec, *kadm5_server_handle_t;
  54
  55 #define OSA_ADB_PRINC_VERSION_1  0x12345C01
  56
  57 typedef struct _osa_pw_hist_t {
  58     int n_key_data;
  59     krb5_key_data *key_data;
  60 } osa_pw_hist_ent, *osa_pw_hist_t;
  61
  62 typedef struct _osa_princ_ent_t {
  63     int                         version;
  64     char                        *policy;
  65     long                        aux_attributes;
  66     unsigned int                old_key_len;
  67     unsigned int                old_key_next;
  68     krb5_kvno                   admin_history_kvno;
  69     osa_pw_hist_ent             *old_keys;
  70 } osa_princ_ent_rec, *osa_princ_ent_t;
  71
  72
  73 kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
  74                             const char *pass, kadm5_policy_ent_t policy,
  75                             krb5_principal principal);
  76 kadm5_ret_t    principal_exists(krb5_principal principal);
  77 krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
  78                                     char *r, int from_keyboard);
  79 krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
  80                                         krb5_kvno *act_kvno_out,
  81                                         krb5_keyblock **act_mkey_out);
  82 krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
  83                                   char *r);
  84 krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
  85                                      krb5_keyblock **keyblocks_out,
  86                                      krb5_kvno *kvno_out);
  87 void                kdb_free_keyblocks(kadm5_server_handle_t handle,
  88                                        krb5_keyblock *keyblocks);
  89 krb5_error_code     kdb_get_entry(kadm5_server_handle_t handle,
  90                                   krb5_principal principal,
  91                                   krb5_db_entry **kdb, osa_princ_ent_rec *adb);
  92 krb5_error_code     kdb_free_entry(kadm5_server_handle_t handle,
  93                                    krb5_db_entry *kdb, osa_princ_ent_rec *adb);
  94 krb5_error_code     kdb_put_entry(kadm5_server_handle_t handle,
  95                                   krb5_db_entry *kdb, osa_princ_ent_rec *adb);
  96 krb5_error_code     kdb_delete_entry(kadm5_server_handle_t handle,
  97                                      krb5_principal name);
  98 krb5_error_code     kdb_iter_entry(kadm5_server_handle_t handle,
  99                                    char *match_entry,
 100                                    void (*iter_fct)(void *, krb5_principal),
 101                                    void *data);
 102
 103 kadm5_ret_t         init_pwqual(kadm5_server_handle_t handle);
 104 void                destroy_pwqual(kadm5_server_handle_t handle);
 105
 106 /* XXX this ought to be in libkrb5.a, but isn't */
 107 kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
 108                                         krb5_key_data *from,
 109                                         krb5_key_data *to);
 110 kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
 111                                         krb5_key_data *key);
 112
 113 /*
 114  * *Warning*
 115  * *Warning*        This is going to break if we
 116  * *Warning*        ever go multi-threaded
 117  * *Warning*
 118  */
 119 extern  krb5_principal  current_caller;
 120
 121 /*
 122  * Why is this (or something similar) not defined *anywhere* in krb5?
 123  */
 124 #define KSUCCESS        0
 125 #define WORD_NOT_FOUND  1
 126
 127 /*
 128  * all the various mask bits or'd together
 129  */
 130
 131 #define ALL_PRINC_MASK                                                  \
 132     (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION |  \
 133      KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE |        \
 134      KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO |       \
 135      KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY |           \
 136      KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT )
 137
 138 #define ALL_POLICY_MASK                                                 \
 139     (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE |             \
 140      KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
 141      KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
 142      KADM5_PW_LOCKOUT_DURATION )
 143
 144 #define SERVER_CHECK_HANDLE(handle)             \
 145     {                                           \
 146         kadm5_server_handle_t srvr =            \
 147             (kadm5_server_handle_t) handle;     \
 148                                                 \
 149         if (! srvr->current_caller)             \
 150             return KADM5_BAD_SERVER_HANDLE;     \
 151         if (! srvr->lhandle)                    \
 152             return KADM5_BAD_SERVER_HANDLE;     \
 153     }
 154
 155 #define CHECK_HANDLE(handle)                                    \
 156     GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION,  \
 157                          KADM5_NEW_SERVER_API_VERSION)          \
 158     SERVER_CHECK_HANDLE(handle)
 159
 160 bool_t          xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);
 161
 162 void
 163 osa_free_princ_ent(osa_princ_ent_t val);
 164
 165 /*** Password quality plugin consumer interface ***/
 166
 167 /* Load all available password quality plugin modules, bind each module to the
 168  * realm's dictionary file, and store the result into *handles_out.  Free the
 169  * result with k5_pwqual_free_handles. */
 170 krb5_error_code
 171 k5_pwqual_load(krb5_context context, const char *dict_file,
 172                pwqual_handle **handles_out);
 173
 174 /* Release a handle list allocated by k5_pwqual_load. */
 175 void
 176 k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);
 177
 178 /* Return the name of a password quality plugin module. */
 179 const char *
 180 k5_pwqual_name(krb5_context context, pwqual_handle handle);
 181
 182 /* Check a password using a password quality plugin module. */
 183 krb5_error_code
 184 k5_pwqual_check(krb5_context context, pwqual_handle handle,
 185                 const char *password, const char *policy_name,
 186                 krb5_principal princ);
 187
 188 /*** initvt functions for built-in password quality modules ***/
 189
 190 /* The dict module checks passwords against the realm's dictionary. */
 191 krb5_error_code
 192 pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
 193                    krb5_plugin_vtable vtable);
 194
 195 /* The empty module rejects empty passwords (even with no password policy). */
 196 krb5_error_code
 197 pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
 198                     krb5_plugin_vtable vtable);
 199
 200 /* The hesiod module checks passwords against GECOS fields from Hesiod passwd
 201  * information (only if the tree was built with Hesiod support). */
 202 krb5_error_code
 203 pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
 204                      krb5_plugin_vtable vtable);
 205
 206 /* The princ module checks passwords against principal components. */
 207 krb5_error_code
 208 pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
 209                     krb5_plugin_vtable vtable);
 210
 211 /** @{
 212  * @name kadm5_hook plugin support
 213  */
 214
 215 /** Load all kadm5_hook plugins. */
 216 krb5_error_code
 217 k5_kadm5_hook_load(krb5_context context,
 218                    kadm5_hook_handle **handles_out);
 219
 220 /** Free handles allocated by k5_kadm5_hook_load(). */
 221 void
 222 k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);
 223
 224 /** Call the chpass entry point on every kadm5_hook in @a handles. */
 225 kadm5_ret_t
 226 k5_kadm5_hook_chpass (krb5_context context,
 227                       kadm5_hook_handle *handles,
 228                       int stage, krb5_principal princ,
 229                       krb5_boolean keepold,
 230                       int n_ks_tuple,
 231                       krb5_key_salt_tuple *ks_tuple,
 232                       const char *newpass);
 233
 234 /** Call the create entry point for kadm5_hook_plugins. */
 235 kadm5_ret_t
 236 k5_kadm5_hook_create (krb5_context context,
 237                       kadm5_hook_handle *handles,
 238                       int stage,
 239                       kadm5_principal_ent_t princ, long mask,
 240                       int n_ks_tuple,
 241                       krb5_key_salt_tuple *ks_tuple,
 242                       const char *newpass);
 243
 244 /** Call modify kadm5_hook entry point. */
 245 kadm5_ret_t
 246 k5_kadm5_hook_modify (krb5_context context,
 247                       kadm5_hook_handle *handles,
 248                       int stage,
 249                       kadm5_principal_ent_t princ, long mask);
 250
 251 /** Call remove kadm5_hook entry point. */
 252 kadm5_ret_t
 253 k5_kadm5_hook_remove (krb5_context context,
 254                       kadm5_hook_handle *handles,
 255                       int stage,
 256                       krb5_principal princ);
 257
 258 /** Call rename kadm5_hook entry point. */
 259 kadm5_ret_t
 260 k5_kadm5_hook_rename (krb5_context context,
 261                       kadm5_hook_handle *handles,
 262                       int stage,
 263                       krb5_principal oprinc, krb5_principal nprinc);
 264
 265 /** @}*/
 266
 267 #endif /* __KADM5_SERVER_INTERNAL_H__ */