Cradicle Explorer
darling-Heimdal
/ lib / hdb / hdb.h
hdb.h
  1  /*
  2   * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  3   * (Royal Institute of Technology, Stockholm, Sweden).
  4   * All rights reserved.
  5   *
  6   * Redistribution and use in source and binary forms, with or without
  7   * modification, are permitted provided that the following conditions
  8   * are met:
  9   *
 10   * 1. Redistributions of source code must retain the above copyright
 11   *    notice, this list of conditions and the following disclaimer.
 12   *
 13   * 2. Redistributions in binary form must reproduce the above copyright
 14   *    notice, this list of conditions and the following disclaimer in the
 15   *    documentation and/or other materials provided with the distribution.
 16   *
 17   * 3. Neither the name of the Institute nor the names of its contributors
 18   *    may be used to endorse or promote products derived from this software
 19   *    without specific prior written permission.
 20   *
 21   * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 22   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 23   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 24   * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 25   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 26   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 27   * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 28   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 29   * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 30   * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 31   * SUCH DAMAGE.
 32   */
 33  
 34  /* $Id$ */
 35  
 36  #ifndef __HDB_H__
 37  #define __HDB_H__
 38  
 39  #include <krb5.h>
 40  
 41  #include <hdb_err.h>
 42  
 43  #include <heim_asn1.h>
 44  #include <hdb_asn1.h>
 45  
 46  struct hdb_dbinfo;
 47  
 48  enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 49  
 50  /* flags for various functions */
 51  #define HDB_F_DECRYPT		1	/* decrypt keys */
 52  #define HDB_F_REPLACE		2	/* replace entry */
 53  #define HDB_F_GET_CLIENT	4	/* fetch client */
 54  #define HDB_F_GET_SERVER	8	/* fetch server */
 55  #define HDB_F_GET_KRBTGT	16	/* fetch krbtgt */
 56  #define HDB_F_GET_ANY		28	/* fetch any of client,server,krbtgt */
 57  #define HDB_F_CANON		32	/* want canonicalition */
 58  #define HDB_F_ADMIN_DATA	64	/* want data that kdc don't use  */
 59  #define HDB_F_CHANGE_PASSWORD	128	/* change password store  */
 60  #define HDB_F_KVNO_SPECIFIED	256	/* we want a particular KVNO */
 61  #define HDB_F_CURRENT_KVNO	512	/* we want the current KVNO */
 62  #define HDB_F_LIVE_CLNT_KVNOS	1024	/* we want all live keys for pre-auth */
 63  #define HDB_F_LIVE_SVC_KVNOS	2048	/* we want all live keys for tix */
 64  #define HDB_F_ALL_KVNOS		4096	/* we want all the keys, live or not */
 65  #define HDB_F_FOR_AS_REQ	8192	/* fetch is for a AS REQ */
 66  #define HDB_F_FOR_TGS_REQ	16384	/* fetch is for a TGS REQ */
 67  
 68  /* hdb_capability_flags */
 69  #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
 70  #define HDB_CAP_F_HANDLE_PASSWORDS	2
 71  #define HDB_CAP_F_PASSWORD_UPDATE_KEYS	4
 72  
 73  /* auth status values */
 74  #define HDB_AUTH_SUCCESS		0
 75  #define HDB_AUTH_WRONG_PASSWORD		1
 76  #define HDB_AUTH_INVALID_SIGNATURE	2
 77  
 78  #define HDB_PWD_CONDITIONAL		1
 79  
 80  /* key usage for master key */
 81  #define HDB_KU_MKEY	0x484442
 82  
 83  typedef struct hdb_master_key_data *hdb_master_key;
 84  
 85  /**
 86   * hdb_entry_ex is a wrapper structure around the hdb_entry structure
 87   * that allows backends to keep a pointer to the backing store, ie in
 88   * ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to
 89   * ->hdb_store(), the backend doesn't need to lookup the entry again.
 90   */
 91  
 92  typedef struct hdb_entry_ex {
 93      void *ctx;
 94      hdb_entry entry;
 95      void (*free_entry)(krb5_context, struct hdb_entry_ex *);
 96  } hdb_entry_ex;
 97  
 98  
 99  /**
100   * HDB backend function pointer structure
101   *
102   * The HDB structure is what the KDC and kadmind framework uses to
103   * query the backend database when talking about principals.
104   */
105  
106  typedef struct HDB{
107      void *hdb_db;
108      void *hdb_dbc; /** don't use, only for DB3 */
109      char *hdb_name;
110      int hdb_master_key_set;
111      hdb_master_key hdb_master_key;
112      int hdb_openp;
113      int hdb_capability_flags;
114      int lock_count;
115      int lock_type;
116      /**
117       * Open (or create) the a Kerberos database.
118       *
119       * Open (or create) the a Kerberos database that was resolved with
120       * hdb_create(). The third and fourth flag to the function are the
121       * same as open(), thus passing O_CREAT will create the data base
122       * if it doesn't exists.
123       *
124       * Then done the caller should call hdb_close(), and to release
125       * all resources hdb_destroy().
126       */
127      krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t);
128      /**
129       * Close the database for transaction
130       *
131       * Closes the database for further transactions, wont release any
132       * permanant resources. the database can be ->hdb_open-ed again.
133       */
134      krb5_error_code (*hdb_close)(krb5_context, struct HDB*);
135      /**
136       * Free an entry after use.
137       */
138      void	    (*hdb_free)(krb5_context, struct HDB*, hdb_entry_ex*);
139      /**
140       * Fetch an entry from the backend
141       *
142       * Fetch an entry from the backend, flags are what type of entry
143       * should be fetch: client, server, krbtgt.
144       * knvo (if specified and flags HDB_F_KVNO_SPECIFIED set) is the kvno to get
145       */
146      krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
147  				      krb5_const_principal, unsigned, krb5_kvno,
148  				      hdb_entry_ex*);
149      /**
150       * Store an entry to database
151       */
152      krb5_error_code (*hdb_store)(krb5_context, struct HDB*,
153  				 unsigned, hdb_entry_ex*);
154      /**
155       * Remove an entry from the database.
156       */
157      krb5_error_code (*hdb_remove)(krb5_context, struct HDB*,
158  				  krb5_const_principal);
159      /**
160       * As part of iteration, fetch one entry
161       */
162      krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
163  				    unsigned, hdb_entry_ex*);
164      /**
165       * As part of iteration, fetch next entry
166       */
167      krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
168  				   unsigned, hdb_entry_ex*);
169      /**
170       * Lock database
171       *
172       * A lock can only be held by one consumers. Transaction can still
173       * happen on the database while the lock is held, so the entry is
174       * only useful for syncroning creation of the database and renaming of the database.
175       */
176      krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int);
177      /**
178       * Unlock database
179       */
180      krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
181      /**
182       * Rename the data base.
183       *
184       * Assume that the database is not hdb_open'ed and not locked.
185       */
186      krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
187      /**
188       * Get an hdb_entry from a classical DB backend
189       *
190       * If the database is a classical DB (ie BDB, NDBM, GDBM, etc)
191       * backend, this function will take a principal key (krb5_data)
192       * and return all data related to principal in the return
193       * krb5_data. The returned encoded entry is of type hdb_entry or
194       * hdb_entry_alias.
195       */
196      krb5_error_code (*hdb__get)(krb5_context, struct HDB*,
197  				krb5_data, krb5_data*);
198      /**
199       * Store an hdb_entry from a classical DB backend
200       *
201       * Same discussion as in @ref HDB::hdb__get
202       */
203      krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int,
204  				krb5_data, krb5_data);
205      /**
206       * Delete and hdb_entry from a classical DB backend
207       *
208       * Same discussion as in @ref HDB::hdb__get
209       */
210      krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data);
211      /**
212       * Destroy the handle to the database.
213       *
214       * Destroy the handle to the database, deallocate all memory and
215       * related resources. Does not remove any permanent data. Its the
216       * logical reverse of hdb_create() function that is the entry
217       * point for the module.
218       */
219      krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
220  
221      /**
222       * Get the list of realms this backend handles.
223       * This call is optional to support. The returned realms are used
224       * for announcing the realms over bonjour. Free returned array
225       * with krb5_free_host_realm().
226       */
227      krb5_error_code (*hdb_get_realms)(krb5_context, struct HDB *, krb5_realm **);
228      /**
229       * Change password.
230       *
231       * Will update keys for the entry when given password.  The new
232       * keys must be written into the entry and will then later be
233       * ->hdb_store() into the database. The backend will still perform
234       * all other operations, increasing the kvno, and update
235       * modification timestamp.
236       *
237       * The backend needs to call _kadm5_set_keys() and perform
238       * password quality checks. The password quality should only be
239       * performed when the flag argument have HDB_PWD_CONDITIONAL set.
240       */
241      krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
242  
243      /**
244       * Auth feedback
245       *
246       * This is a feedback call that allows backends that provides
247       * lockout functionality to register failure and/or successes.
248       *
249       * In case the entry is locked out, the backend should set the
250       * hdb_entry.flags.locked-out flag.
251       */
252      krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
253      /**
254       * Check if delegation is allowed.
255       */
256      krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
257  
258      /**
259       * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
260       */
261      krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
262  
263      /**
264       * Return 0 if this domain support NTLM and return the domain name
265       */
266      krb5_error_code (*hdb_get_ntlm_domain)(krb5_context, struct HDB *, char **);
267  
268      /**
269       * Check if s4u2self is allowed from this client to this server
270       */
271      krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
272  }HDB;
273  
274  #define HDB_INTERFACE_VERSION	7
275  
276  struct hdb_so_method {
277      int version;
278      const char *prefix;
279      krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
280  };
281  
282  typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
283  					      hdb_entry_ex*, void*);
284  extern krb5_kt_ops hdb_kt_ops;
285  
286  struct hdb_method {
287      int interface_version;
288      const char *prefix;
289      krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
290  };
291  
292  extern const int hdb_interface_version;
293  
294  #include <hdb-protos.h>
295  
296  #endif /* __HDB_H__ */