| 1 | /* $NetBSD: hdb.h,v 1.2 2017/01/28 21:31:48 christos Exp $ */ |
|---|---|
| 2 | |
| 3 | /* |
| 4 | * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan |
| 5 | * (Royal Institute of Technology, Stockholm, Sweden). |
| 6 | * All rights reserved. |
| 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions |
| 10 | * are met: |
| 11 | * |
| 12 | * 1. Redistributions of source code must retain the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer. |
| 14 | * |
| 15 | * 2. Redistributions in binary form must reproduce the above copyright |
| 16 | * notice, this list of conditions and the following disclaimer in the |
| 17 | * documentation and/or other materials provided with the distribution. |
| 18 | * |
| 19 | * 3. Neither the name of the Institute nor the names of its contributors |
| 20 | * may be used to endorse or promote products derived from this software |
| 21 | * without specific prior written permission. |
| 22 | * |
| 23 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
| 24 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
| 27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 33 | * SUCH DAMAGE. |
| 34 | */ |
| 35 | |
| 36 | /* Id */ |
| 37 | |
| 38 | #ifndef __HDB_H__ |
| 39 | #define __HDB_H__ |
| 40 | |
| 41 | #include <stdio.h> |
| 42 | |
| 43 | #include <krb5/krb5.h> |
| 44 | |
| 45 | #include <krb5/hdb_err.h> |
| 46 | |
| 47 | #include <krb5/heim_asn1.h> |
| 48 | #include <krb5/hdb_asn1.h> |
| 49 | |
| 50 | struct hdb_dbinfo; |
| 51 | |
| 52 | enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; |
| 53 | |
| 54 | /* flags for various functions */ |
| 55 | #define HDB_F_DECRYPT 1 /* decrypt keys */ |
| 56 | #define HDB_F_REPLACE 2 /* replace entry */ |
| 57 | #define HDB_F_GET_CLIENT 4 /* fetch client */ |
| 58 | #define HDB_F_GET_SERVER 8 /* fetch server */ |
| 59 | #define HDB_F_GET_KRBTGT 16 /* fetch krbtgt */ |
| 60 | #define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ |
| 61 | #define HDB_F_CANON 32 /* want canonicalition */ |
| 62 | #define HDB_F_ADMIN_DATA 64 /* want data that kdc don't use */ |
| 63 | #define HDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ |
| 64 | #define HDB_F_CURRENT_KVNO 256 /* we want the current KVNO */ |
| 65 | #define HDB_F_LIVE_CLNT_KVNOS 512 /* we want all live keys for pre-auth */ |
| 66 | #define HDB_F_LIVE_SVC_KVNOS 1024 /* we want all live keys for tix */ |
| 67 | #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ |
| 68 | #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ |
| 69 | #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ |
| 70 | #define HDB_F_PRECHECK 16384 /* check that the operation would succeed */ |
| 71 | |
| 72 | /* hdb_capability_flags */ |
| 73 | #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 |
| 74 | #define HDB_CAP_F_HANDLE_PASSWORDS 2 |
| 75 | #define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4 |
| 76 | #define HDB_CAP_F_SHARED_DIRECTORY 8 |
| 77 | |
| 78 | /* auth status values */ |
| 79 | #define HDB_AUTH_SUCCESS 0 |
| 80 | #define HDB_AUTH_WRONG_PASSWORD 1 |
| 81 | #define HDB_AUTH_INVALID_SIGNATURE 2 |
| 82 | |
| 83 | /* key usage for master key */ |
| 84 | #define HDB_KU_MKEY 0x484442 |
| 85 | |
| 86 | typedef struct hdb_master_key_data *hdb_master_key; |
| 87 | |
| 88 | /** |
| 89 | * hdb_entry_ex is a wrapper structure around the hdb_entry structure |
| 90 | * that allows backends to keep a pointer to the backing store, ie in |
| 91 | * ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to |
| 92 | * ->hdb_store(), the backend doesn't need to lookup the entry again. |
| 93 | */ |
| 94 | |
| 95 | typedef struct hdb_entry_ex { |
| 96 | void *ctx; |
| 97 | hdb_entry entry; |
| 98 | void (*free_entry)(krb5_context, struct hdb_entry_ex *); |
| 99 | } hdb_entry_ex; |
| 100 | |
| 101 | |
| 102 | /** |
| 103 | * HDB backend function pointer structure |
| 104 | * |
| 105 | * The HDB structure is what the KDC and kadmind framework uses to |
| 106 | * query the backend database when talking about principals. |
| 107 | */ |
| 108 | |
| 109 | typedef struct HDB { |
| 110 | void *hdb_db; |
| 111 | void *hdb_dbc; /** don't use, only for DB3 */ |
| 112 | char *hdb_name; |
| 113 | int hdb_master_key_set; |
| 114 | hdb_master_key hdb_master_key; |
| 115 | int hdb_openp; |
| 116 | int hdb_capability_flags; |
| 117 | int lock_count; |
| 118 | int lock_type; |
| 119 | /** |
| 120 | * Open (or create) the a Kerberos database. |
| 121 | * |
| 122 | * Open (or create) the a Kerberos database that was resolved with |
| 123 | * hdb_create(). The third and fourth flag to the function are the |
| 124 | * same as open(), thus passing O_CREAT will create the data base |
| 125 | * if it doesn't exists. |
| 126 | * |
| 127 | * Then done the caller should call hdb_close(), and to release |
| 128 | * all resources hdb_destroy(). |
| 129 | */ |
| 130 | krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t); |
| 131 | /** |
| 132 | * Close the database for transaction |
| 133 | * |
| 134 | * Closes the database for further transactions, wont release any |
| 135 | * permanant resources. the database can be ->hdb_open-ed again. |
| 136 | */ |
| 137 | krb5_error_code (*hdb_close)(krb5_context, struct HDB*); |
| 138 | /** |
| 139 | * Free an entry after use. |
| 140 | */ |
| 141 | void (*hdb_free)(krb5_context, struct HDB*, hdb_entry_ex*); |
| 142 | /** |
| 143 | * Fetch an entry from the backend |
| 144 | * |
| 145 | * Fetch an entry from the backend, flags are what type of entry |
| 146 | * should be fetch: client, server, krbtgt. |
| 147 | * knvo (if specified and flags HDB_F_KVNO_SPECIFIED set) is the kvno to get |
| 148 | */ |
| 149 | krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*, |
| 150 | krb5_const_principal, unsigned, krb5_kvno, |
| 151 | hdb_entry_ex*); |
| 152 | /** |
| 153 | * Store an entry to database |
| 154 | */ |
| 155 | krb5_error_code (*hdb_store)(krb5_context, struct HDB*, |
| 156 | unsigned, hdb_entry_ex*); |
| 157 | /** |
| 158 | * Remove an entry from the database. |
| 159 | */ |
| 160 | krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, |
| 161 | unsigned, krb5_const_principal); |
| 162 | /** |
| 163 | * As part of iteration, fetch one entry |
| 164 | */ |
| 165 | krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, |
| 166 | unsigned, hdb_entry_ex*); |
| 167 | /** |
| 168 | * As part of iteration, fetch next entry |
| 169 | */ |
| 170 | krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, |
| 171 | unsigned, hdb_entry_ex*); |
| 172 | /** |
| 173 | * Lock database |
| 174 | * |
| 175 | * A lock can only be held by one consumers. Transaction can still |
| 176 | * happen on the database while the lock is held, so the entry is |
| 177 | * only useful for syncroning creation of the database and renaming of the database. |
| 178 | */ |
| 179 | krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int); |
| 180 | /** |
| 181 | * Unlock database |
| 182 | */ |
| 183 | krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*); |
| 184 | /** |
| 185 | * Rename the data base. |
| 186 | * |
| 187 | * Assume that the database is not hdb_open'ed and not locked. |
| 188 | */ |
| 189 | krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*); |
| 190 | /** |
| 191 | * Get an hdb_entry from a classical DB backend |
| 192 | * |
| 193 | * This function takes a principal key (krb5_data) and returns all |
| 194 | * data related to principal in the return krb5_data. The returned |
| 195 | * encoded entry is of type hdb_entry or hdb_entry_alias. |
| 196 | */ |
| 197 | krb5_error_code (*hdb__get)(krb5_context, struct HDB*, |
| 198 | krb5_data, krb5_data*); |
| 199 | /** |
| 200 | * Store an hdb_entry from a classical DB backend |
| 201 | * |
| 202 | * This function takes a principal key (krb5_data) and encoded |
| 203 | * hdb_entry or hdb_entry_alias as the data to store. |
| 204 | * |
| 205 | * For a file-based DB, this must synchronize to disk when done. |
| 206 | * This is sub-optimal for kadm5_s_rename_principal(), and for |
| 207 | * kadm5_s_modify_principal() when using principal aliases; to |
| 208 | * improve this so that only one fsync() need be done |
| 209 | * per-transaction will require HDB API extensions. |
| 210 | */ |
| 211 | krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int, |
| 212 | krb5_data, krb5_data); |
| 213 | /** |
| 214 | * Delete and hdb_entry from a classical DB backend |
| 215 | * |
| 216 | * This function takes a principal key (krb5_data) naming the record |
| 217 | * to delete. |
| 218 | * |
| 219 | * Same discussion as in @ref HDB::hdb__put |
| 220 | */ |
| 221 | krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data); |
| 222 | /** |
| 223 | * Destroy the handle to the database. |
| 224 | * |
| 225 | * Destroy the handle to the database, deallocate all memory and |
| 226 | * related resources. Does not remove any permanent data. Its the |
| 227 | * logical reverse of hdb_create() function that is the entry |
| 228 | * point for the module. |
| 229 | */ |
| 230 | krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); |
| 231 | /** |
| 232 | * Get the list of realms this backend handles. |
| 233 | * This call is optional to support. The returned realms are used |
| 234 | * for announcing the realms over bonjour. Free returned array |
| 235 | * with krb5_free_host_realm(). |
| 236 | */ |
| 237 | krb5_error_code (*hdb_get_realms)(krb5_context, struct HDB *, krb5_realm **); |
| 238 | /** |
| 239 | * Change password. |
| 240 | * |
| 241 | * Will update keys for the entry when given password. The new |
| 242 | * keys must be written into the entry and will then later be |
| 243 | * ->hdb_store() into the database. The backend will still perform |
| 244 | * all other operations, increasing the kvno, and update |
| 245 | * modification timestamp. |
| 246 | * |
| 247 | * The backend needs to call _kadm5_set_keys() and perform password |
| 248 | * quality checks. |
| 249 | */ |
| 250 | krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); |
| 251 | |
| 252 | /** |
| 253 | * Auth feedback |
| 254 | * |
| 255 | * This is a feedback call that allows backends that provides |
| 256 | * lockout functionality to register failure and/or successes. |
| 257 | * |
| 258 | * In case the entry is locked out, the backend should set the |
| 259 | * hdb_entry.flags.locked-out flag. |
| 260 | */ |
| 261 | krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int); |
| 262 | /** |
| 263 | * Check if delegation is allowed. |
| 264 | */ |
| 265 | krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); |
| 266 | |
| 267 | /** |
| 268 | * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins |
| 269 | */ |
| 270 | krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); |
| 271 | |
| 272 | /** |
| 273 | * Check if s4u2self is allowed from this client to this server |
| 274 | */ |
| 275 | krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); |
| 276 | }HDB; |
| 277 | |
| 278 | #define HDB_INTERFACE_VERSION 9 |
| 279 | |
| 280 | struct hdb_method { |
| 281 | int version; |
| 282 | krb5_error_code (*init)(krb5_context, void **); |
| 283 | void (*fini)(void *); |
| 284 | const char *prefix; |
| 285 | krb5_error_code (*create)(krb5_context, HDB **, const char *filename); |
| 286 | }; |
| 287 | |
| 288 | /* dump entry format, for hdb_print_entry() */ |
| 289 | typedef enum hdb_dump_format { |
| 290 | HDB_DUMP_HEIMDAL = 0, |
| 291 | HDB_DUMP_MIT = 1, |
| 292 | } hdb_dump_format_t; |
| 293 | |
| 294 | struct hdb_print_entry_arg { |
| 295 | FILE *out; |
| 296 | hdb_dump_format_t fmt; |
| 297 | }; |
| 298 | |
| 299 | typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*, |
| 300 | hdb_entry_ex*, void*); |
| 301 | extern krb5_kt_ops hdb_kt_ops; |
| 302 | extern krb5_kt_ops hdb_get_kt_ops; |
| 303 | |
| 304 | extern const int hdb_interface_version; |
| 305 | |
| 306 | #include <krb5/hdb-protos.h> |
| 307 | |
| 308 | #endif /* __HDB_H__ */ |
| 309 |
Generated while processing netbsd/crypto/external/bsd/heimdal/dist/lib/hdb/common.c
Generated on 2019-Jul-19 from project netbsd revision f9da89e0d
Powered by 
Code Browser 2.1
Generator usage only permitted with license.