/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
* Copyright 1990, 1991, 2016 by the Massachusetts Institute of Technology.
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* Copyright (C) 1998 by the FundsXpress, INC.
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of FundsXpress. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
/* KDC Database interface definitions */
/* This API is not considered as stable as the main krb5 API.
 * - We may make arbitrary incompatible changes between feature
 *   releases (e.g. from 1.7 to 1.8).
 * - We will make some effort to avoid making incompatible changes for
 *   bugfix releases, but will make them if necessary.
 */
/* This version will be incremented when incompatible changes are made to the
* KDB API, and will be kept in sync with the libkdb major version. */
/*
 * KDB API version, bumped on incompatible changes and kept in sync with the
 * libkdb major version (see the note above).  A module built against a
 * different value should be treated as incompatible rather than loaded.
 */
#define KRB5_KDB_API_VERSION 10
/*
 * Salt types.  Per the note on krb5_key_data below, the second element of
 * key_data_type[] carries one of these.  Values 1 (V4) and 5 (AFS3) are
 * left commented out rather than deleted, presumably so the numbers are
 * never reused for a different meaning - keep it that way, since stored
 * key data may still carry them.
 */
#define KRB5_KDB_SALTTYPE_NORMAL 0
/* #define KRB5_KDB_SALTTYPE_V4 1 */
#define KRB5_KDB_SALTTYPE_NOREALM 2
#define KRB5_KDB_SALTTYPE_ONLYREALM 3
#define KRB5_KDB_SALTTYPE_SPECIAL 4
/* #define KRB5_KDB_SALTTYPE_AFS3 5 */
#define KRB5_KDB_SALTTYPE_CERTHASH 6
/*
 * Per-principal attribute bits.  NOTE(review): the member that holds them is
 * not visible in this listing (presumably an attributes word in the db
 * entry), and the code that enforces the DISALLOW_ and REQUIRES_ bits is
 * elsewhere - confirm a bit's effect in the KDC before relying on it.
 * Bits 0x00000400, 0x00000800 and 0x00010000-0x00080000 are not assigned
 * here; treat them as reserved and do not recycle them.
 */
#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
/* Set after KRB5_MAX_FAIL_COUNT failed requests (see that macro below);
 * clearing it is the administrative "unlock". */
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
#define KRB5_KDB_DISALLOW_SVR 0x00001000
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
/*
 * Delegation-related bits.  The trailing comment marks OK_TO_AUTH_AS_DELEGATE
 * as the S4U2Self permission; presumably OK_AS_DELEGATE is the matching
 * "may receive forwarded credentials" bit.  Either one widens what a service
 * can do with other users' identities, so treat setting them as a
 * privileged change.
 */
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Presumably forbids extracting the principal's keys through kadmin;
 * confirm in the admin server before documenting it as a guarantee. */
#define KRB5_KDB_LOCKDOWN_KEYS 0x00800000
/*
 * Database creation options.  NOTE(review): these reuse the numeric values
 * 0x1/0x2 of the DISALLOW_POSTDATED/DISALLOW_FORWARDABLE attribute bits
 * above; they belong to a different argument and must never be or'ed into a
 * principal's attributes.
 */
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002
/*
 * Per-request flags handed to the KDB module (presumably the flags argument
 * of the principal lookup).  Bits 0x1-0x8, 0x400, 0x2000 and 0x8000 are not
 * assigned in this listing; treat them as reserved.
 */
/* Name canonicalization requested */
#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
/* Include authorization data generated by backend */
#define KRB5_KDB_FLAG_INCLUDE_PAC 0x00000020
/* Is AS-REQ (client referrals only) */
#define KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY 0x00000040
/* Map cross-realm principals */
#define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
/* Protocol transition (S4U2Self in MS-SFU terms): a ticket is requested on
 * behalf of another client.  Presumably gated by the service's
 * OK_TO_AUTH_AS_DELEGATE attribute - confirm in the KDC. */
#define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
/* Constrained delegation (S4U2Proxy in MS-SFU terms).  Presumably checked
 * against KRB5_TL_CONSTRAINED_DELEGATION_ACL ("each entry is a permitted
 * SPN", below) - confirm in the KDC. */
#define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
#define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
/* Mask of the two S4U request flags; use it to test "is this any S4U
 * request" rather than checking the bits individually. */
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
                             KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
/* KDB iteration flags (presumably the iterflags argument of krb5_db_iterate). */
/* Callback may modify entries; see the locking requirement documented on
 * krb5_db_iterate - the caller must hold an exclusive lock. */
#define KRB5_DB_ITER_WRITE 0x00000001
/* Presumably iterate in reverse order. */
#define KRB5_DB_ITER_REV 0x00000002
/* Presumably descend into sub-containers; backend-specific. */
#define KRB5_DB_ITER_RECURSE 0x00000004
/*
 * String attribute names recognized by krb5.  These are the keys of the
 * string attributes described on krb5_string_attr below (set via kadmin,
 * consumed by KDC plugins).  Always use the macros rather than string
 * literals so every consumer agrees on the exact key.
 */
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
/*
 * Note --- these structures cannot be modified without changing the
 * database version number in libkdb.a, but should be expandable by
 * adding new tl_data types.
 */
typedef struct _krb5_tl_data {
struct _krb5_tl_data* tl_data_next; /* NOT saved */
krb5_ui_2 tl_data_length;
krb5_octet * tl_data_contents;
/* String attributes (currently stored inside tl-data) map C string keys to
* values. They can be set via kadmin and consumed by KDC plugins. */
typedef struct krb5_string_attr_st {
/*
 * If this ever changes, bump the version number and make the arrays as big
 * as needed.
 *
 * Currently the first type is the enctype and the second is the salt type.
 */
typedef struct _krb5_key_data {
krb5_int16 key_data_ver; /* Version */
krb5_ui_2 key_data_kvno; /* Key Version */
krb5_int16 key_data_type[2]; /* Array of types */
krb5_ui_2 key_data_length[2]; /* Array of lengths */
krb5_octet * key_data_contents[2]; /* Array of pointers */
#define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */
typedef struct _krb5_keysalt {
krb5_data data; /* Length, data */
/*
 * A principal database entry.  Extensions to this structure currently use the
 * tl_data list.  The e_data and e_length fields are not used by any calling
 * code except kdb5_util dump and load, which marshal and unmarshal the array
 * in the dump record.  KDB modules may use these fields internally as long as
 * they set e_length appropriately (non-zero if the data should be marshalled
 * across dump and load, zero if not) and handle null e_data values in
 * caller-constructed principal entries.
 */
typedef struct _krb5_db_entry_new {
krb5_magic magic; /* NOT saved */
krb5_ui_4 mask; /* members currently changed/set */
krb5_deltat max_renewable_life;
krb5_timestamp expiration; /* When the client expires */
krb5_timestamp pw_expiration; /* When its passwd expires */
krb5_timestamp last_success; /* Last successful passwd */
krb5_timestamp last_failed; /* Last failed passwd attempt */
krb5_kvno fail_auth_count; /* # of failed passwd attempt */
krb5_ui_2 e_length; /* Length of extra data */
krb5_octet * e_data; /* Extra data to be saved */
krb5_principal princ; /* Length, data */
krb5_tl_data * tl_data; /* Linked list */
/* key_data must be sorted by kvno in descending order. */
krb5_key_data * key_data; /* Array */
/*
 * Password-policy record.  NOTE(review): this listing is elided - the
 * comments below refer to a "version" member that is not shown here, and
 * other members may be missing as well; consult the full header before
 * depending on the layout.  Readers must check the record's version before
 * reading any field marked "Only valid if version > N"; on older records
 * those slots presumably hold unspecified data.
 */
typedef struct _osa_policy_ent_t {
    krb5_ui_4 pw_min_classes;        /* presumably min. character classes per password */
    krb5_ui_4 pw_history_num;        /* presumably number of old keys kept for reuse checks */
    krb5_ui_4 policy_refcnt;         /* no longer used */
    /* Only valid if version > 1 */
    krb5_ui_4 pw_max_fail;           /* pwdMaxFailure */
    krb5_ui_4 pw_failcnt_interval;   /* pwdFailureCountInterval */
    krb5_ui_4 pw_lockout_duration;   /* pwdLockoutDuration */
    /* Only valid if version > 2 */
    krb5_ui_4 max_renewable_life;
} osa_policy_ent_rec, *osa_policy_ent_t;
typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t);
typedef struct __krb5_key_salt_tuple {
/* Presumably the value stored in krb5_db_entry.magic; that field is marked
 * "NOT saved" above, so this is an in-memory sanity check, not an on-disk
 * format tag. */
#define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb
/* Presumably the byte length of the fixed part of a version-1 serialized
 * entry - confirm against the (un)marshalling code before changing. */
#define KRB5_KDB_V1_BASE_LENGTH 38
/* Presumably an upper bound on a key/salt specification string; keep any
 * parser of such strings bounded by it. */
#define KRB5_KDB_MAX_ALLOWED_KS_LEN 512
/*
 * tl_data type tags.  Two ranges are in use: small values (0x0001-0x000b)
 * for core krb5 data, and multiples of 0x0100 for interoperability
 * extensions (PAC, referrals, LM, X.509 names, admin unlock).  Pick an
 * unused value from the appropriate range when adding a tag, and never
 * reuse one: old databases may still contain it.
 */
#define KRB5_TL_LAST_PWD_CHANGE 0x0001
#define KRB5_TL_MOD_PRINC 0x0002
#define KRB5_TL_KADM_DATA 0x0003
#define KRB5_TL_KADM5_E_DATA 0x0004
#define KRB5_TL_RB1_CHALLENGE 0x0005
#define KRB5_TL_SECURID_STATE 0x0006
#define KRB5_TL_USER_CERTIFICATE 0x0007
#define KRB5_TL_MKVNO 0x0008
#define KRB5_TL_ACTKVNO 0x0009
#define KRB5_TL_MKEY_AUX 0x000a
/* String attributes may not always be represented in tl-data. kadmin clients
 * must use the get_strings and set_string RPCs. */
#define KRB5_TL_STRING_ATTRS 0x000b
#define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
#define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
#define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
#define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
/* NOTE(review): an LM OWF is a weak, case-insensitive password hash; a
 * backend storing one must protect it as a password equivalent. */
#define KRB5_TL_LM_KEY 0x0500 /* LM OWF */
#define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */
#define KRB5_TL_LAST_ADMIN_UNLOCK 0x0700 /* Timestamp of admin unlock */
/* Largest positive 16-bit signed value; reserved for backend arguments. */
#define KRB5_TL_DB_ARGS 0x7fff
/* version number for KRB5_TL_ACTKVNO data */
#define KRB5_TL_ACTKVNO_VER 1
/* version number for KRB5_TL_MKEY_AUX data */
#define KRB5_TL_MKEY_AUX_VER 1
typedef struct _krb5_actkvno_node {
struct _krb5_actkvno_node *next;
typedef struct _krb5_mkey_aux_node {
struct _krb5_mkey_aux_node *next;
krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */
krb5_key_data latest_mkey; /* most recent mkey */
typedef struct _krb5_keylist_node {
struct _krb5_keylist_node *next;
/*
 * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set
 * on the principal.  The counting and the lockout itself happen elsewhere.
 */
#define KRB5_MAX_FAIL_COUNT 5
/* XXX depends on knowledge of krb5_parse_name() formats: the '/' is a
 * component separator, so this names the two-component principal K/M. */
#define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */
/*
 * Prompts used by default when reading the KDC master password from the
 * keyboard.  The krb5_mkey_pwd_prompt* globals presumably let a program
 * substitute its own text; they are mutable process-wide state, so set them
 * once at startup rather than from concurrent code.
 */
#define KRB5_KDC_MKEY_1 "Enter KDC database master key"
#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify"
extern char *krb5_mkey_pwd_prompt1;
extern char *krb5_mkey_pwd_prompt2;
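/*
 * These macros specify the encoding of integers within the database.
 * Data encoding is little-endian regardless of host byte order.  cp points
 * at the raw bytes; the load_/store_ helpers are declared elsewhere and are
 * expected to cope with unaligned access - confirm before relying on it.
 *
 * The decode macros assign the loaded value through an ordinary cast instead
 * of writing through a (krb5_int16 *) / (krb5_int32 *) pointer to the
 * target lvalue.  The pointer form broke strict aliasing whenever the target
 * was not exactly that type, and silently wrote only part of a wider object.
 * They remain expression macros usable as statements, so callers need no
 * change.
 */
#define krb5_kdb_decode_int16(cp, i16) \
    ((i16) = (krb5_int16)load_16_le(cp))
#define krb5_kdb_decode_int32(cp, i32) \
    ((i32) = (krb5_int32)load_32_le(cp))
#define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp)
#define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp)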
/* Presumably the mode argument of krb5_db_open(): read-write or read-only. */
#define KRB5_KDB_OPEN_RW 0
#define KRB5_KDB_OPEN_RO 1
/*
 * Server type codes.  The #ifndef guards define each only when the build has
 * not already supplied a value.  NOTE(review): the matching #endif lines are
 * not shown in this listing.
 */
#ifndef KRB5_KDB_SRV_TYPE_KDC
#define KRB5_KDB_SRV_TYPE_KDC 0x0100
#ifndef KRB5_KDB_SRV_TYPE_ADMIN
#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200
/* 0x0300 was KRB5_KDB_SRV_TYPE_PASSWD but it is no longer used. */
#ifndef KRB5_KDB_SRV_TYPE_OTHER
#define KRB5_KDB_SRV_TYPE_OTHER 0x0400
/* Option selectors; distinct from the open modes above despite the same
 * numeric values. */
#define KRB5_KDB_OPT_SET_DB_NAME 0
#define KRB5_KDB_OPT_SET_LOCK_MODE 1
/*
 * Lock modes, presumably the lock_mode argument of krb5_db_lock().  SHARED
 * and EXCLUSIVE look like alternatives and PERMANENT like a modifier bit;
 * 0x0004 is not assigned here.  Pair every lock with krb5_db_unlock on all
 * exit paths.
 */
#define KRB5_DB_LOCKMODE_SHARED 0x0001
#define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* Library-handle setup; presumably must precede the other calls below. */
krb5_error_code
krb5_db_setup_lib_handle(krb5_context kcontext);

/* Open the database.  db_args is a backend argument list; mode is presumably
 * KRB5_KDB_OPEN_RW or KRB5_KDB_OPEN_RO. */
krb5_error_code
krb5_db_open(krb5_context kcontext, char **db_args, int mode);

krb5_error_code
krb5_db_init(krb5_context kcontext);

/* Create a new database.  NOTE(review): kdb5_db_create below has the same
 * signature; which is the canonical entry point is not stated here. */
krb5_error_code
krb5_db_create(krb5_context kcontext, char **db_args);

/* Returns whether the database has been initialized (error code semantics
 * not stated here). */
krb5_error_code
krb5_db_inited(krb5_context kcontext);

krb5_error_code
kdb5_db_create(krb5_context kcontext, char **db_args);

krb5_error_code
krb5_db_fini(krb5_context kcontext);

/* Map a backend error code to a message; ownership of the string is not
 * stated here, so do not free it. */
const char *
krb5_db_errcode2string(krb5_context kcontext, long err_code);

/* Destroy the database - irreversible; callers should require explicit
 * confirmation before reaching this. */
krb5_error_code
krb5_db_destroy(krb5_context kcontext, char **db_args);

krb5_error_code
krb5_db_promote(krb5_context kcontext, char **db_args);

/* Store in *t a timestamp for db_name (presumably its last modification). */
krb5_error_code
krb5_db_get_age(krb5_context kcontext, char *db_name, time_t *t);

/* Take a database lock; lock_mode is presumably a KRB5_DB_LOCKMODE_* value.
 * Every successful lock must be released with krb5_db_unlock. */
krb5_error_code
krb5_db_lock(krb5_context kcontext, int lock_mode);

krb5_error_code
krb5_db_unlock(krb5_context kcontext);
krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
krb5_const_principal search_for,
void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry );
krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
/* Remove the named principal from the database. */
krb5_error_code
krb5_db_delete_principal(krb5_context kcontext, krb5_principal search_for);
krb5_error_code krb5_db_rename_principal ( krb5_context kcontext,
/*
 * Iterate over principals in the KDB, calling func(func_arg, entry) for each.
 * If the callback may write to the DB, the caller must get an exclusive lock
 * with krb5_db_lock before iterating, and release it with krb5_db_unlock
 * after iterating.  iterflags presumably takes the KRB5_DB_ITER_* bits.
 * NOTE(review): this listing may be elided; check the full header for the
 * exact parameter list before calling.
 */
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
                                  int (*func) (krb5_pointer, krb5_db_entry *),
                                  krb5_pointer func_arg, krb5_flags iterflags );
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
krb5_boolean fromkeyboard,
krb5_db_fetch_mkey_list( krb5_context context,
const krb5_keyblock * mkey );
krb5_dbe_find_enctype( krb5_context kcontext,
krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext,
krb5_db_setup_mkey_name ( krb5_context context,
krb5_principal *principal);
/*
 * Decrypts the key given in @a key_data.  If @a mkey is specified, that
 * master key is used.  If @a mkey is NULL, then all master keys are tried.
 */
krb5_dbe_decrypt_key_data( krb5_context context,
const krb5_keyblock * mkey,
const krb5_key_data * key_data,
krb5_dbe_encrypt_key_data( krb5_context context,
const krb5_keyblock * mkey,
const krb5_keyblock * dbkey,
const krb5_keysalt * keysalt,
krb5_key_data * key_data);
krb5_dbe_fetch_act_key_list(krb5_context context,
krb5_actkvno_node **act_key_list);
krb5_dbe_find_act_mkey( krb5_context context,
krb5_actkvno_node * act_mkey_list,
krb5_keyblock ** act_mkey);
krb5_dbe_find_mkey( krb5_context context,
/* Set *mkvno to mkvno in entry tl_data, or 0 if not present. */
krb5_dbe_lookup_mkvno( krb5_context context,
krb5_db_mkey_list_alias( krb5_context kcontext );
/* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */
krb5_dbe_get_mkvno( krb5_context context,
krb5_dbe_lookup_mod_princ_data( krb5_context context,
krb5_timestamp * mod_time,
krb5_principal * mod_princ);
krb5_dbe_lookup_mkey_aux( krb5_context context,