1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
9 * This header file is used internally by the Admin API server
10 * libraries and Admin server. IF YOU THINK YOU NEED TO USE THIS FILE
11 * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
14 #ifndef __KADM5_SERVER_INTERNAL_H__
15 #define __KADM5_SERVER_INTERNAL_H__
24 #include <kadm5/admin.h>
25 #include <krb5/plugin.h>
26 #include "admin_internal.h"
29 * This is the history key version for a newly created DB. We use this value
30 * for principals which have no password history yet to avoid having to look up
31 * the history key. Values other than 2 will cause compatibility issues with
32 * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
33 * an unexpected value of admin_history_kvno.
35 #define INITIAL_HIST_KVNO 2
37 /* A pwqual_handle represents a password quality plugin module. */
38 typedef struct pwqual_handle_st *pwqual_handle;
40 typedef struct kadm5_hook_handle_st *kadm5_hook_handle;
/*
 * State behind a server-side kadm5 handle.  Callers pass this around as the
 * opaque kadm5_server_handle_t; SERVER_CHECK_HANDLE (below) rejects a handle
 * whose current_caller or lhandle is NULL with KADM5_BAD_SERVER_HANDLE.
 */
typedef struct _kadm5_server_handle_t {
    /* Handle header; presumably checked by GENERIC_CHECK_HANDLE (defined
     * elsewhere) against the API version bounds given in CHECK_HANDLE --
     * NOTE(review): confirm in the macro's definition. */
    krb5_ui_4 magic_number;
    krb5_ui_4 struct_version;
    krb5_ui_4 api_version;
    /* Principal recorded as the caller for this handle.  Must be non-NULL for
     * the handle to pass SERVER_CHECK_HANDLE. */
    krb5_principal current_caller;
    /* Configuration parameters (kadm5_config_params) for this handle. */
    kadm5_config_params params;
    /* Another handle of the same type; SERVER_CHECK_HANDLE requires it to be
     * non-NULL.  Its relationship to this handle is not shown here --
     * NOTE(review): confirm against the handle constructor. */
    struct _kadm5_server_handle_t *lhandle;
    /* Loaded password quality plugin modules (see k5_pwqual_load). */
    pwqual_handle *qual_handles;
    /* Loaded kadm5_hook plugin modules (see k5_kadm5_hook_load). */
    kadm5_hook_handle *hook_handles;
} kadm5_server_handle_rec, *kadm5_server_handle_t;
55 #define OSA_ADB_PRINC_VERSION_1 0x12345C01
57 typedef struct _osa_pw_hist_t {
59 krb5_key_data *key_data;
60 } osa_pw_hist_ent, *osa_pw_hist_t;
62 typedef struct _osa_princ_ent_t {
66 unsigned int old_key_len;
67 unsigned int old_key_next;
68 krb5_kvno admin_history_kvno;
69 osa_pw_hist_ent *old_keys;
70 } osa_princ_ent_rec, *osa_princ_ent_t;
73 kadm5_ret_t passwd_check(kadm5_server_handle_t handle,
74 const char *pass, kadm5_policy_ent_t policy,
75 krb5_principal principal);
76 kadm5_ret_t principal_exists(krb5_principal principal);
77 krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
78 char *r, int from_keyboard);
79 krb5_error_code kdb_get_active_mkey(kadm5_server_handle_t handle,
80 krb5_kvno *act_kvno_out,
81 krb5_keyblock **act_mkey_out);
82 krb5_error_code kdb_init_hist(kadm5_server_handle_t handle,
84 krb5_error_code kdb_get_hist_key(kadm5_server_handle_t handle,
85 krb5_keyblock **keyblocks_out,
87 void kdb_free_keyblocks(kadm5_server_handle_t handle,
88 krb5_keyblock *keyblocks);
89 krb5_error_code kdb_get_entry(kadm5_server_handle_t handle,
90 krb5_principal principal,
91 krb5_db_entry **kdb, osa_princ_ent_rec *adb);
92 krb5_error_code kdb_free_entry(kadm5_server_handle_t handle,
93 krb5_db_entry *kdb, osa_princ_ent_rec *adb);
94 krb5_error_code kdb_put_entry(kadm5_server_handle_t handle,
95 krb5_db_entry *kdb, osa_princ_ent_rec *adb);
96 krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle,
98 krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle,
100 void (*iter_fct)(void *, krb5_principal),
103 kadm5_ret_t init_pwqual(kadm5_server_handle_t handle);
104 void destroy_pwqual(kadm5_server_handle_t handle);
106 /* XXX this ought to be in libkrb5.a, but isn't */
107 kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
110 kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
115 * *Warning* This global is going to break if we
116 * *Warning* ever go multi-threaded
119 extern krb5_principal current_caller;
122 * Why is this (or something similar) not defined *anywhere* in krb5?
125 #define WORD_NOT_FOUND 1
128 * All the various mask bits OR'd together
131 #define ALL_PRINC_MASK \
132 (KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION | \
133 KADM5_LAST_PWD_CHANGE | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | \
134 KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_KVNO | KADM5_MKVNO | \
135 KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR | KADM5_POLICY | \
136 KADM5_MAX_RLIFE | KADM5_TL_DATA | KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT )
138 #define ALL_POLICY_MASK \
139 (KADM5_POLICY | KADM5_PW_MAX_LIFE | KADM5_PW_MIN_LIFE | \
140 KADM5_PW_MIN_LENGTH | KADM5_PW_MIN_CLASSES | KADM5_PW_HISTORY_NUM | \
141 KADM5_REF_COUNT | KADM5_PW_MAX_FAILURE | KADM5_PW_FAILURE_COUNT_INTERVAL | \
142 KADM5_PW_LOCKOUT_DURATION | KADM5_POLICY_ATTRIBUTES | \
143 KADM5_POLICY_MAX_LIFE | KADM5_POLICY_MAX_RLIFE | \
144 KADM5_POLICY_ALLOWED_KEYSALTS | KADM5_POLICY_TL_DATA)
146 #define SERVER_CHECK_HANDLE(handle) \
148 kadm5_server_handle_t srvr = \
149 (kadm5_server_handle_t) handle; \
151 if (! srvr->current_caller) \
152 return KADM5_BAD_SERVER_HANDLE; \
153 if (! srvr->lhandle) \
154 return KADM5_BAD_SERVER_HANDLE; \
157 #define CHECK_HANDLE(handle) \
158 GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, \
159 KADM5_NEW_SERVER_API_VERSION) \
160 SERVER_CHECK_HANDLE(handle)
162 bool_t xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);
165 osa_free_princ_ent(osa_princ_ent_t val);
167 /*** Password quality plugin consumer interface ***/
169 /* Load all available password quality plugin modules, bind each module to the
170 * realm's dictionary file, and store the result into *handles_out. Free the
171 * result with k5_pwqual_free_handles. */
173 k5_pwqual_load(krb5_context context, const char *dict_file,
174 pwqual_handle **handles_out);
176 /* Release a handle list allocated by k5_pwqual_load. */
178 k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);
180 /* Return the name of a password quality plugin module. */
182 k5_pwqual_name(krb5_context context, pwqual_handle handle);
184 /* Check a password using a password quality plugin module. */
186 k5_pwqual_check(krb5_context context, pwqual_handle handle,
187 const char *password, const char *policy_name,
188 krb5_principal princ);
190 /*** initvt functions for built-in password quality modules ***/
192 /* The dict module checks passwords against the realm's dictionary. */
194 pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
195 krb5_plugin_vtable vtable);
197 /* The empty module rejects empty passwords (even with no password policy). */
199 pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
200 krb5_plugin_vtable vtable);
202 /* The hesiod module checks passwords against GECOS fields from Hesiod passwd
203 * information (only if the tree was built with Hesiod support). */
205 pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
206 krb5_plugin_vtable vtable);
208 /* The princ module checks passwords against principal components. */
210 pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
211 krb5_plugin_vtable vtable);
214 * @name kadm5_hook plugin support
217 /** Load all kadm5_hook plugins. */
219 k5_kadm5_hook_load(krb5_context context,
220 kadm5_hook_handle **handles_out);
222 /** Free handles allocated by k5_kadm5_hook_load(). */
224 k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);
226 /** Call the chpass entry point on every kadm5_hook in @a handles. */
228 k5_kadm5_hook_chpass (krb5_context context,
229 kadm5_hook_handle *handles,
230 int stage, krb5_principal princ,
231 krb5_boolean keepold,
233 krb5_key_salt_tuple *ks_tuple,
234 const char *newpass);
236 /** Call the create entry point for kadm5_hook plugins in @a handles. */
238 k5_kadm5_hook_create (krb5_context context,
239 kadm5_hook_handle *handles,
241 kadm5_principal_ent_t princ, long mask,
243 krb5_key_salt_tuple *ks_tuple,
244 const char *newpass);
246 /** Call the modify kadm5_hook entry point. */
248 k5_kadm5_hook_modify (krb5_context context,
249 kadm5_hook_handle *handles,
251 kadm5_principal_ent_t princ, long mask);
253 /** Call the remove kadm5_hook entry point. */
255 k5_kadm5_hook_remove (krb5_context context,
256 kadm5_hook_handle *handles,
258 krb5_principal princ);
260 /** Call the rename kadm5_hook entry point. */
262 k5_kadm5_hook_rename (krb5_context context,
263 kadm5_hook_handle *handles,
265 krb5_principal oprinc, krb5_principal nprinc);
269 #endif /* __KADM5_SERVER_INTERNAL_H__ */