Imported Upstream version 1.20.1
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
4  *
5  * $Header$
6  */
7
8 /*
9  * This header file is used internally by the Admin API server
10  * libraries and Admin server.  IF YOU THINK YOU NEED TO USE THIS FILE
11  * FOR ANYTHING, YOU'RE ALMOST CERTAINLY WRONG.
12  */
13
14 #ifndef __KADM5_SERVER_INTERNAL_H__
15 #define __KADM5_SERVER_INTERNAL_H__
16
17 #include    "autoconf.h"
18 #ifdef HAVE_MEMORY_H
19 #include    <memory.h>
20 #endif
21 #include    <stdlib.h>
22 #include    <errno.h>
23 #include    <kdb.h>
24 #include    <kadm5/admin.h>
25 #include    <krb5/plugin.h>
26 #include    "admin_internal.h"
27
28 /*
29  * This is the history key version for a newly created DB.  We use this value
30  * for principals which have no password history yet to avoid having to look up
31  * the history key.  Values other than 2 will cause compatibility issues with
32  * pre-1.8 libkadm5 code; the older code will reject key changes when it sees
33  * an unexpected value of admin_history_kvno.
34  */
35 #define INITIAL_HIST_KVNO 2
36
37 /* A pwqual_handle represents a password quality plugin module. */
38 typedef struct pwqual_handle_st *pwqual_handle;
39
/* A kadm5_hook_handle represents one loaded kadm5_hook plugin module (see
 * k5_kadm5_hook_load below); the struct itself is opaque to this header. */
typedef struct kadm5_hook_handle_st *kadm5_hook_handle;
41
/*
 * Per-handle state for the server side of the kadm5 API.  A handle is never
 * trusted until CHECK_HANDLE has run: the generic half validates the version
 * fields (and presumably magic_number), the server half requires
 * current_caller and lhandle to be non-NULL.
 */
typedef struct _kadm5_server_handle_t {
    krb5_ui_4       magic_number;   /* sanity tag; presumably compared by
                                     * GENERIC_CHECK_HANDLE (admin_internal.h) */
    krb5_ui_4       struct_version;
    krb5_ui_4       api_version;    /* checked against the KADM5_OLD/NEW_SERVER_API_VERSION
                                     * range passed to GENERIC_CHECK_HANDLE by CHECK_HANDLE */
    krb5_context    context;
    krb5_principal  current_caller; /* authenticated caller; SERVER_CHECK_HANDLE rejects
                                     * a handle where this is NULL */
    kadm5_config_params  params;    /* realm/server configuration */
    struct _kadm5_server_handle_t *lhandle; /* must be non-NULL (SERVER_CHECK_HANDLE);
                                             * presumably the local in-process handle --
                                             * confirm against the handle constructor */
    char **db_args;                 /* NOTE(review): presumably a NULL-terminated
                                     * KDB argument list -- confirm */
    pwqual_handle   *qual_handles;  /* password quality modules from k5_pwqual_load
                                     * (set up by init_pwqual) */
    kadm5_hook_handle *hook_handles; /* kadm5_hook modules from k5_kadm5_hook_load */
} kadm5_server_handle_rec, *kadm5_server_handle_t;
54
/* Format tag presumably stored in osa_princ_ent_rec.version; the only record
 * version this header defines. */
#define OSA_ADB_PRINC_VERSION_1  0x12345C01
56
/*
 * One password-history entry: an array of n_key_data krb5_key_data values.
 * Presumably these are protected with the history key (kdb_get_hist_key) at
 * admin_history_kvno rather than the master key -- confirm in the caller.
 */
typedef struct _osa_pw_hist_t {
    int n_key_data;             /* number of elements in key_data */
    krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;
61
/*
 * Admin-server side data kept for a principal (policy binding and password
 * history).  It is (de)serialized by xdr_osa_princ_ent_rec, so on the decode
 * path every field below originates from stored database data.
 * NOTE(review): the decoder is where old_key_len, old_key_next and each
 * entry's n_key_data must be bounded before use as array sizes -- confirm.
 */
typedef struct _osa_princ_ent_t {
    int                         version;        /* OSA_ADB_PRINC_VERSION_1 */
    char                        *policy;        /* password policy name; presumably
                                                 * NULL when none is assigned */
    long                        aux_attributes;
    unsigned int                old_key_len;    /* number of slots in old_keys */
    unsigned int                old_key_next;   /* looks like a ring-buffer cursor
                                                 * into old_keys -- confirm */
    krb5_kvno                   admin_history_kvno; /* kvno of the history key
                                                     * protecting old_keys;
                                                     * INITIAL_HIST_KVNO for a
                                                     * principal with no history */
    osa_pw_hist_ent             *old_keys;      /* old_key_len entries */
} osa_princ_ent_rec, *osa_princ_ent_t;
71
72
/*
 * Decide whether `pass` is acceptable as a new password for `principal`
 * under `policy` (presumably NULL when the principal has no policy).
 * Presumably runs the loaded password quality modules (k5_pwqual_check)
 * via handle->qual_handles.  Non-zero return means the password is rejected.
 */
kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
                            const char *pass, kadm5_policy_ent_t policy,
                            krb5_principal principal);
/* NOTE(review): whether 0 means "exists" or "success" is not visible from
 * this header -- check the definition before relying on the result. */
kadm5_ret_t    principal_exists(krb5_principal principal);
/*
 * Load the master key for realm `r` into the handle.  `from_keyboard`
 * presumably selects prompting for the master password instead of using the
 * stash file -- confirm.
 */
krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
                                    char *r, int from_keyboard);
/* Return the currently active master key and its kvno.  Ownership of
 * *act_mkey_out (whether the caller frees it) is not visible here. */
krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
                                        krb5_kvno *act_kvno_out,
                                        krb5_keyblock **act_mkey_out);
/* Set up the password history key for realm `r`. */
krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
                                  char *r);
/* Fetch the history key(s) and their kvno; release the list with
 * kdb_free_keyblocks. */
krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
                                     krb5_keyblock **keyblocks_out,
                                     krb5_kvno *kvno_out);
/* Free a keyblock list returned by kdb_get_hist_key.  NOTE(review): these
 * hold key material; confirm the contents are zeroized before release. */
void                kdb_free_keyblocks(kadm5_server_handle_t handle,
                                       krb5_keyblock *keyblocks);
/*
 * Look up `principal`, returning the KDB entry in *kdb and the admin-server
 * data in *adb.  Release both with kdb_free_entry.
 */
krb5_error_code     kdb_get_entry(kadm5_server_handle_t handle,
                                  krb5_principal principal,
                                  krb5_db_entry **kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_free_entry(kadm5_server_handle_t handle,
                                   krb5_db_entry *kdb, osa_princ_ent_rec *adb);
/* Write `kdb` plus its admin data `adb` back to the database. */
krb5_error_code     kdb_put_entry(kadm5_server_handle_t handle,
                                  krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code     kdb_delete_entry(kadm5_server_handle_t handle,
                                     krb5_principal name);
/* Call iter_fct(data, principal) for each principal matching `match_entry`
 * (the matching syntax is not visible from this header). */
krb5_error_code     kdb_iter_entry(kadm5_server_handle_t handle,
                                   char *match_entry,
                                   void (*iter_fct)(void *, krb5_principal),
                                   void *data);
102
/* Populate handle->qual_handles with the password quality modules (presumably
 * via k5_pwqual_load with the realm's dictionary file); destroy_pwqual
 * releases them again. */
kadm5_ret_t         init_pwqual(kadm5_server_handle_t handle);
void                destroy_pwqual(kadm5_server_handle_t handle);
105
/* XXX this ought to be in libkrb5.a, but isn't */
/* Deep-copy the contents of one krb5_key_data into another; release the
 * copy with krb5_free_key_data_contents.  NOTE(review): the contents are
 * (encrypted) key material -- confirm the free routine zeroizes before
 * freeing. */
kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
                                        krb5_key_data *from,
                                        krb5_key_data *to);
kadm5_ret_t krb5_free_key_data_contents(krb5_context context,
                                        krb5_key_data *key);
112
/*
 * *Warning*
 * *Warning*        This is a process-wide global, so it is going to
 * *Warning*        break if we ever go multi-threaded.  The handle
 * *Warning*        (kadm5_server_handle_rec) also carries a per-handle
 * *Warning*        current_caller; prefer that where the two are equivalent.
 * *Warning*
 */
119 extern  krb5_principal  current_caller;
120
/*
 * Return codes for the dictionary word lookup (presumably used by the dict
 * password quality module).  krb5 itself defines nothing similar anywhere.
 */
124 #define KSUCCESS        0
125 #define WORD_NOT_FOUND  1
126
127 /*
128  * all the various mask bits or'd together
129  */
130
/* The principal-entry KADM5_* mask bits this library knows about, OR'd
 * together; one bit per line so additions show up as one-line diffs. */
#define ALL_PRINC_MASK                          \
    (KADM5_PRINCIPAL                            \
     | KADM5_PRINC_EXPIRE_TIME                  \
     | KADM5_PW_EXPIRATION                      \
     | KADM5_LAST_PWD_CHANGE                    \
     | KADM5_ATTRIBUTES                         \
     | KADM5_MAX_LIFE                           \
     | KADM5_MOD_TIME                           \
     | KADM5_MOD_NAME                           \
     | KADM5_KVNO                               \
     | KADM5_MKVNO                              \
     | KADM5_AUX_ATTRIBUTES                     \
     | KADM5_POLICY_CLR                         \
     | KADM5_POLICY                             \
     | KADM5_MAX_RLIFE                          \
     | KADM5_TL_DATA                            \
     | KADM5_KEY_DATA                           \
     | KADM5_FAIL_AUTH_COUNT)
137
/* The policy-entry KADM5_* mask bits this library knows about, OR'd
 * together; one bit per line so additions show up as one-line diffs. */
#define ALL_POLICY_MASK                         \
    (KADM5_POLICY                               \
     | KADM5_PW_MAX_LIFE                        \
     | KADM5_PW_MIN_LIFE                        \
     | KADM5_PW_MIN_LENGTH                      \
     | KADM5_PW_MIN_CLASSES                     \
     | KADM5_PW_HISTORY_NUM                     \
     | KADM5_REF_COUNT                          \
     | KADM5_PW_MAX_FAILURE                     \
     | KADM5_PW_FAILURE_COUNT_INTERVAL          \
     | KADM5_PW_LOCKOUT_DURATION                \
     | KADM5_POLICY_ATTRIBUTES                  \
     | KADM5_POLICY_MAX_LIFE                    \
     | KADM5_POLICY_MAX_RLIFE                   \
     | KADM5_POLICY_ALLOWED_KEYSALTS            \
     | KADM5_POLICY_TL_DATA)
145
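/*
 * Server-side sanity checks on a kadm5 handle: the caller identity and the
 * local handle must both be set.  On failure it returns
 * KADM5_BAD_SERVER_HANDLE from the enclosing function, which therefore must
 * return kadm5_ret_t.
 *
 * Kept as a plain brace block (not do/while) so it composes with
 * GENERIC_CHECK_HANDLE in CHECK_HANDLE below.  A NULL handle is rejected
 * here as well, so the macro does not dereference NULL if it is ever used on
 * its own rather than behind GENERIC_CHECK_HANDLE (whose checks are not
 * visible from this header).  The argument is parenthesized so an expression
 * argument casts as a whole.
 */
#define SERVER_CHECK_HANDLE(handle)                     \
    {                                                   \
        kadm5_server_handle_t srvr =                    \
            (kadm5_server_handle_t) (handle);           \
                                                        \
        if (srvr == NULL)                               \
            return KADM5_BAD_SERVER_HANDLE;             \
        if (srvr->current_caller == NULL)               \
            return KADM5_BAD_SERVER_HANDLE;             \
        if (srvr->lhandle == NULL)                      \
            return KADM5_BAD_SERVER_HANDLE;             \
    }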
156
/*
 * Validate a caller-supplied handle before anything in it is touched: the
 * generic checks from admin_internal.h (given the API version range this
 * server accepts) followed by the server-specific checks above.  Both parts
 * return an error from the enclosing function on failure, so use it only in
 * functions returning kadm5_ret_t; callers terminate it with a semicolon.
 */
#define CHECK_HANDLE(handle)                                    \
    GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION,  \
                         KADM5_NEW_SERVER_API_VERSION)          \
    SERVER_CHECK_HANDLE(handle)
161
/*
 * XDR encode or decode an osa_princ_ent_rec; as with any Sun RPC xdr_*
 * routine the direction comes from xdrs->x_op and FALSE signals failure.
 * NOTE(review): on decode the input is stored database data, so this is the
 * place where old_key_len, old_key_next and each entry's n_key_data must be
 * bounded before being used as allocation/array sizes -- confirm.
 */
bool_t          xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);

/* Release the allocations inside an osa_princ_ent_rec produced by the
 * decoder (whether `val` itself is freed is not visible here -- confirm). */
void
osa_free_princ_ent(osa_princ_ent_t val);
166
167 /*** Password quality plugin consumer interface ***/
168
169 /* Load all available password quality plugin modules, bind each module to the
170  * realm's dictionary file, and store the result into *handles_out.  Free the
171  * result with k5_pwqual_free_handles. */
172 krb5_error_code
173 k5_pwqual_load(krb5_context context, const char *dict_file,
174                pwqual_handle **handles_out);
175
176 /* Release a handle list allocated by k5_pwqual_load. */
177 void
178 k5_pwqual_free_handles(krb5_context context, pwqual_handle *handles);
179
180 /* Return the name of a password quality plugin module. */
181 const char *
182 k5_pwqual_name(krb5_context context, pwqual_handle handle);
183
184 /* Check a password using a password quality plugin module. */
185 krb5_error_code
186 k5_pwqual_check(krb5_context context, pwqual_handle handle,
187                 const char *password, const char *policy_name,
188                 krb5_principal princ);
189
190 /*** initvt functions for built-in password quality modules ***/
191
192 /* The dict module checks passwords against the realm's dictionary. */
193 krb5_error_code
194 pwqual_dict_initvt(krb5_context context, int maj_ver, int min_ver,
195                    krb5_plugin_vtable vtable);
196
197 /* The empty module rejects empty passwords (even with no password policy). */
198 krb5_error_code
199 pwqual_empty_initvt(krb5_context context, int maj_ver, int min_ver,
200                     krb5_plugin_vtable vtable);
201
202 /* The hesiod module checks passwords against GECOS fields from Hesiod passwd
203  * information (only if the tree was built with Hesiod support). */
204 krb5_error_code
205 pwqual_hesiod_initvt(krb5_context context, int maj_ver, int min_ver,
206                      krb5_plugin_vtable vtable);
207
208 /* The princ module checks passwords against principal components. */
209 krb5_error_code
210 pwqual_princ_initvt(krb5_context context, int maj_ver, int min_ver,
211                     krb5_plugin_vtable vtable);
212
213 /** @{
214  * @name kadm5_hook plugin support
215  */
216
217 /** Load all kadm5_hook plugins. */
218 krb5_error_code
219 k5_kadm5_hook_load(krb5_context context,
220                    kadm5_hook_handle **handles_out);
221
222 /** Free handles allocated by k5_kadm5_hook_load(). */
223 void
224 k5_kadm5_hook_free_handles(krb5_context context, kadm5_hook_handle *handles);
225
/** Call the chpass entry point on every kadm5_hook in @a handles.
 *  @a newpass is the cleartext new password as a C string, so every loaded
 *  hook module sees it; presumably NULL when keys are being randomized --
 *  confirm against the plugin interface.  @a stage selects the pre/post
 *  stage as defined by the kadm5_hook plugin interface. */
kadm5_ret_t
k5_kadm5_hook_chpass (krb5_context context,
                      kadm5_hook_handle *handles,
                      int stage, krb5_principal princ,
                      krb5_boolean keepold,
                      int n_ks_tuple,
                      krb5_key_salt_tuple *ks_tuple,
                      const char *newpass);
235
236 /** Call the create entry point for kadm5_hook_plugins. */
237 kadm5_ret_t
238 k5_kadm5_hook_create (krb5_context context,
239                       kadm5_hook_handle *handles,
240                       int stage,
241                       kadm5_principal_ent_t princ, long mask,
242                       int n_ks_tuple,
243                       krb5_key_salt_tuple *ks_tuple,
244                       const char *newpass);
245
246 /** Call modify kadm5_hook entry point. */
247 kadm5_ret_t
248 k5_kadm5_hook_modify (krb5_context context,
249                       kadm5_hook_handle *handles,
250                       int stage,
251                       kadm5_principal_ent_t princ, long mask);
252
253 /** Call remove kadm5_hook entry point. */
254 kadm5_ret_t
255 k5_kadm5_hook_remove (krb5_context context,
256                       kadm5_hook_handle *handles,
257                       int stage,
258                       krb5_principal princ);
259
260 /** Call rename kadm5_hook entry point. */
261 kadm5_ret_t
262 k5_kadm5_hook_rename (krb5_context context,
263                       kadm5_hook_handle *handles,
264                       int stage,
265                       krb5_principal oprinc, krb5_principal nprinc);
266
267 /** @}*/
268
269 #endif /* __KADM5_SERVER_INTERNAL_H__ */