#ifndef __AUTHFILE_H__
#define __AUTHFILE_H__
#include <time.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#ifdef __cplusplus
extern "C" {
#endif
#include <sasl/sasl.h>
// ---------------------------------------------------------------------------
// Record-file identity and sizing constants.
// These values size the arrays inside PWFileHeader / PWFileEntry below, so
// they are part of the on-disk record layout: changing one is a format change.
// ---------------------------------------------------------------------------
#define kPWFileSignature 'pwfi'            // multi-character constant stored in PWFileHeader.signature (value is implementation-defined in C; the endian-adjust helpers below presumably normalise it)
#define kPWFileVersion 1                   // stored in PWFileHeader.version
#define kPWFileInitialSlots 512
#define kPWFileMaxWeakMethods 25           // length of PWFileHeader.weakAuthMethods[]
#define kPWFileMaxDigests 10               // length of PWFileEntry.digest[]
#define kPWFileMaxPublicKeyBytes 1024      // length of PWFileHeader.publicKey[]
#define kPWFileMaxPrivateKeyBytes 2048     // length of PWFileHeader.privateKey[]
#define kPWFileMaxHistoryCount 15          // largest value the 4-bit historyCount bit-fields can hold
#define kPWFileMaxReplicaName 32           // length of PWFileHeader.replicationName[]

// Sentinel strings that are compared against stored record data, so they are
// part of the record format as well.
#define kSMBNTStorageTag "*cmusaslsecretSMBNT"
#define kEmptyPasswordAltStr "<1-empty-insecure-1>"   // NOTE(review): presumably stands in for an empty password in passwordStr; confirm in the implementation

// Prefixes of error replies on the password-server protocol.
#define kPasswordServerErrPrefixStr "-ERR "
#define kPasswordServerAuthErrPrefixStr "-AUTHERR "
#define kPasswordServerSASLErrPrefixStr "SASL "

// Filesystem locations. The files under kPWDirPath hold credential material
// (PWFileHeader carries the server key pair, PWFileEntry carries per-account
// password data), so the ownership and mode of these paths are part of the
// security boundary; nothing here enforces them.
#define kPWDirPath "/var/db/authserver"
#define kPWAuxDirPath "/var/db/authserver/additional-data"
#define kPWAuxDirName "additional-data"                      // basename of kPWAuxDirPath
#define kPWFilePath "/var/db/authserver/authservermain"       // the main record file (PWFileHeader + slots)
#define kFreeListFilePath "/var/db/authserver/authserverfree"
#define kPWHistoryFileName "histories"
#define kPWWeakFileStart "/weakpasswords."                   // path prefix (note leading slash and trailing dot) — a suffix is appended by the caller
#define kTempKeyTemplate "/var/run/passwordserverKeyXXXXXX"  // trailing XXXXXX looks like a mkstemp(3) template — TODO confirm it is used that way
#define kPWReplicaLocalFile "/var/db/authserver/authserverreplicas.local"
#define kPWReplicaPreConfiguredFile "/var/db/authserver/authserverreplicas.manual"
#define kPWStatisticsFilePath "/var/db/authserver/.stats"
#define kPWUNIXDomainSocketAddress "/var/run/passwordserver"

// Policy keys in their string form. The string is the value that appears in
// the space-delimited policy text handled by the *ToString / StringTo*
// functions declared below; the macro name is only the C-side handle.
// Note that kPWPolicyStr_maxMinutesUntilChangePW expands to
// "maxMinutesUntilChangePassword" — grep for the string, not the macro name,
// when tracing the text format.
#define kPWPolicyStr_isDisabled "isDisabled"
#define kPWPolicyStr_isAdminUser "isAdminUser"
#define kPWPolicyStr_newPasswordRequired "newPasswordRequired"
#define kPWPolicyStr_usingHistory "usingHistory"
#define kPWPolicyStr_canModifyPasswordforSelf "canModifyPasswordforSelf"
#define kPWPolicyStr_usingExpirationDate "usingExpirationDate"
#define kPWPolicyStr_usingHardExpirationDate "usingHardExpirationDate"
#define kPWPolicyStr_requiresAlpha "requiresAlpha"
#define kPWPolicyStr_requiresNumeric "requiresNumeric"
#define kPWPolicyStr_expirationDateGMT "expirationDateGMT"
#define kPWPolicyStr_hardExpireDateGMT "hardExpireDateGMT"
#define kPWPolicyStr_maxMinutesUntilChangePW "maxMinutesUntilChangePassword"
#define kPWPolicyStr_maxMinutesUntilDisabled "maxMinutesUntilDisabled"
#define kPWPolicyStr_maxMinutesOfNonUse "maxMinutesOfNonUse"
#define kPWPolicyStr_maxFailedLoginAttempts "maxFailedLoginAttempts"
#define kPWPolicyStr_minChars "minChars"
#define kPWPolicyStr_maxChars "maxChars"
#define kPWPolicyStr_passwordCannotBeName "passwordCannotBeName"
#define kPWPolicyStr_isSessionKeyAgent "isSessionKeyAgent"
#define kPWPolicyStr_isComputerAccount "isComputerAccount"
#define kPWPolicyStr_requiresMixedCase "requiresMixedCase"
#define kPWPolicyStr_requiresSymbol "requiresSymbol"
#define kPWPolicyStr_notGuessablePattern "notGuessablePattern"
#define kPWPolicyStr_warnOfExpirationMinutes "warnOfExpirationMinutes"
#define kPWPolicyStr_warnOfDisableMinutes "warnOfDisableMinutes"
// Administrator-scope restrictions (see PWMoreAccessFeatures.adminNo* bits).
#define kPWPolicyStr_adminNoChangePasswords "adminNoChangePasswords"
#define kPWPolicyStr_adminNoSetPolicies "adminNoSetPolicies"
#define kPWPolicyStr_adminNoCreate "adminNoCreate"
#define kPWPolicyStr_adminNoDelete "adminNoDelete"
#define kPWPolicyStr_adminNoClearState "adminNoClearState"
#define kPWPolicyStr_adminNoPromoteAdmins "adminNoPromoteAdmins"
#define kPWPolicyStr_adminClass "adminClass"
#define kPWPolicyStr_adminAuthorityGroups "adminAuthorityGroups"
#define kPWPolicyStr_resetToGlobalDefaults "resetToGlobalDefaults"
// Per-account state values (times rather than policy switches).
#define kPWPolicyStr_logOffTime "logOffTime"
#define kPWPolicyStr_kickOffTime "kickOffTime"
#define kPWPolicyStr_lastLoginTime "lastLoginTime"
#define kPWPolicyStr_passwordLastSetTime "passwordLastSetTime"
#define kPWPolicyStr_minutesUntilFailedLoginReset "minutesUntilFailedLoginReset"
#define kPWPolicyStr_newPasswordRequiredForAll "newPasswordRequiredForAll"
#define kPWPolicyStr_projectedPasswordExpireDate "projectedPasswordExpireDate"
#define kPWPolicyStr_projectedAccountDisableDate "projectedAccountDisableDate"
// Keys used in the additional-data dictionaries (see
// pwsf_CreateAdditionalDataDictionaryWith* below).
#define kPWKey_ScopeOfAuthority "ScopeOfAuthorityUUIDList"
#define kPWKey_ComputerAccountOwnerList "ComputerAccountOwnerList"
// Byte-order selector. Records are kept in one fixed order on disk and on the
// wire (kPWByteOrderDiskAndNet) and in host order in memory; presumably these
// are the values passed as the `native` argument of the pwsf_EndianAdjust*
// functions below — confirm against the implementation.
enum {
    kPWByteOrderDiskAndNet = 0,
    kPWByteOrderHost = 1
};
// Hash-slot indices. These appear to index PWFileEntry.digest[] (which has
// kPWFileMaxDigests entries) — TODO confirm. Several of the listed mechanisms
// (SMB NT, SMB LAN Manager, CRAM-MD5) require the server to keep an unsalted
// password-equivalent, so a record file containing them must be protected as
// if it held the plaintext password.
enum {
    kPWHashSlotSMB_NT = 0,
    kPWHashSlotSMB_LAN_MANAGER = 1,
    kPWHashSlotDIGEST_MD5 = 2,
    kPWHashSlotCRAM_MD5 = 3,
    kPWHashSlotKERBEROS = 4,
    kPWHashSlotKERBEROS_NAME = 5,
    kPWHashSlotSALTED_SHA1 = 6
};
// Where an admin's authority-group list lives. Presumably the values stored in
// PWAdminGroupList.list_type (kPWGroupInSlot: the single uuid in the record;
// kPWGroupInFile: a list kept in the additional-data directory) — confirm.
enum {
    kPWGroupNotSet = 0,
    kPWGroupInSlot = 1,
    kPWGroupInFile = 2
};
// Why an account is disabled. Stored in PWFileEntry.disableReason and reported
// through the outReasonCode parameter of pwsf_TestDisabledStatusWithReasonCode.
// The enum has no explicit underlying type, so its width — and hence the
// record layout — is compiler-defined.
typedef enum PWDisableReasonCode {
    kPWDisabledNotSet,
    kPWDisabledByAdmin,
    kPWDisabledExpired,
    kPWDisabledInactive,
    kPWDisabledTooManyFailedLogins
} PWDisableReasonCode;
// Field-for-field copy of the BSD `struct tm` layout (same member names,
// including the tm_gmtoff / tm_zone extensions), used inside the persisted
// record structs below so the record layout does not depend on the platform's
// own struct tm. Note that tm_zone is a pointer: its width differs between
// 32- and 64-bit builds and its value means nothing outside the process that
// wrote it, so readers should never dereference it from a loaded record.
typedef struct BSDTimeStructCopy {
    int tm_sec;
    int tm_min;
    int tm_hour;
    int tm_mday;
    int tm_mon;
    int tm_year;
    int tm_wday;
    int tm_yday;
    int tm_isdst;
    long tm_gmtoff;     // `long` is also 32/64-bit dependent
    char *tm_zone;      // see note above — not meaningful once persisted
} BSDTimeStructCopy;
// A SASL mechanism name as a NUL-terminated string; SASL_MECHNAMEMAX comes
// from <sasl/sasl.h>, the +1 leaves room for the terminator.
typedef struct AuthMethName {
    char method[SASL_MECHNAMEMAX + 1];
} AuthMethName;
// One stored password digest: the SASL mechanism it belongs to and the digest
// bytes. `digest` is a fixed 256-byte buffer; whether it is NUL-terminated or
// length-prefixed is not visible here — writers must bound their copies.
typedef struct PasswordDigest {
    char method[SASL_MECHNAMEMAX + 1];
    char digest[256];
} PasswordDigest;
// Reference to an admin's authority-group list: list_type presumably holds one
// of the kPWGroup* values above, and group_uuid the single group when the list
// is stored in the slot itself — confirm against the implementation.
typedef struct PWAdminGroupList {
    uint8_t list_type;
    uuid_t group_uuid;
} PWAdminGroupList;
// Accessors for PWGlobalAccessFeatures' 4-bit history count. In the big-endian
// layout it is a single `historyCount:4` field; in the little-endian layout
// the same four bits straddle a byte boundary and are declared as
// hcLowBits:3 + hcHighBit:1, which these macros reassemble. Always go through
// these macros rather than touching the fields directly.
// SetGlobalHistoryCount silently keeps only the low four bits of B (bit 3 goes
// to hcHighBit, bits 0-2 to hcLowBits); values above kPWFileMaxHistoryCount
// are therefore truncated, not rejected — callers must range-check first.
#if TARGET_RT_BIG_ENDIAN
#define GlobalHistoryCount(A) (A).historyCount
#define SetGlobalHistoryCount(A, B) (A).historyCount = (B)
#else
#define GlobalHistoryCount(A) ((A).hcLowBits | ((A).hcHighBit << 3))
#define SetGlobalHistoryCount(A, B) {(A).hcLowBits = ((B) & 0x07); (A).hcHighBit = (((B) & 0x08) != 0);}
#endif
// Server-wide (global) password policy, embedded in PWFileHeader.access.
// The sixteen flag bits are declared in opposite order for big- and
// little-endian targets so that the same bit lands at the same position in
// the persisted bytes; in the little-endian branch historyCount is split into
// hcLowBits/hcHighBit because it crosses a byte boundary (use
// GlobalHistoryCount()/SetGlobalHistoryCount()). Bit-field allocation order is
// implementation-defined in C, so this layout is only portable across
// compilers that pack the way the original toolchain did.
typedef struct PWGlobalAccessFeatures {
#if TARGET_RT_BIG_ENDIAN
    unsigned int usingHistory:1;
    unsigned int usingExpirationDate:1;
    unsigned int usingHardExpirationDate:1;
    unsigned int requiresAlpha:1;
    unsigned int requiresNumeric:1;
    unsigned int passwordIsHash:1;
    unsigned int passwordCannotBeName:1;
    unsigned int historyCount:4;            // 0..kPWFileMaxHistoryCount
    unsigned int requiresMixedCase:1;
    unsigned int newPasswordRequired:1;
    unsigned int noModifyPasswordforSelf:1; // note: inverted sense relative to PWAccessFeatures.canModifyPasswordforSelf
    unsigned int requiresSymbol:1;
    unsigned int unused:1;
#else
    unsigned int hcHighBit:1;               // bit 3 of historyCount
    unsigned int passwordCannotBeName:1;
    unsigned int passwordIsHash:1;
    unsigned int requiresNumeric:1;
    unsigned int requiresAlpha:1;
    unsigned int usingHardExpirationDate:1;
    unsigned int usingExpirationDate:1;
    unsigned int usingHistory:1;
    unsigned int unused:1;
    unsigned int requiresSymbol:1;
    unsigned int noModifyPasswordforSelf:1;
    unsigned int newPasswordRequired:1;
    unsigned int requiresMixedCase:1;
    unsigned int hcLowBits:3;               // bits 0-2 of historyCount
#endif
    BSDTimeStructCopy expirationDateGMT;    // used only when usingExpirationDate is set (by name; confirm)
    BSDTimeStructCopy hardExpireDateGMT;    // used only when usingHardExpirationDate is set (by name; confirm)
    UInt32 maxMinutesUntilChangePassword;
    UInt32 maxMinutesUntilDisabled;
    UInt32 maxMinutesOfNonUse;
    UInt16 maxFailedLoginAttempts;
    UInt16 minChars;
    UInt16 maxChars;
} PWGlobalAccessFeatures;
// Global policy fields added after PWGlobalAccessFeatures was frozen; kept in
// PWFileHeader.extraAccess so the original struct layout is unchanged.
typedef struct PWGlobalMoreAccessFeatures {
    UInt32 minutesUntilFailedLoginReset;
    UInt32 notGuessablePattern;
} PWGlobalMoreAccessFeatures;
// Per-account policy switches, account state flags and policy values, embedded
// in PWFileEntry.access. As with PWGlobalAccessFeatures, the sixteen bits are
// listed in mirrored order for the two byte orders so the persisted bytes
// match. Unlike the global struct, the one-bit flags here are plain `int`
// bit-fields: on most compilers a set `int x:1` reads back as -1, not 1, so
// test these with `if (f.isDisabled)` / `!= 0`, never `== 1`.
typedef struct PWAccessFeatures {
#if TARGET_RT_BIG_ENDIAN
    int isDisabled:1;
    int isAdminUser:1;
    int newPasswordRequired:1;
    int usingHistory:1;
    int canModifyPasswordforSelf:1;
    int usingExpirationDate:1;
    int usingHardExpirationDate:1;
    int requiresAlpha:1;
    int requiresNumeric:1;
    int passwordIsHash:1;
    int passwordCannotBeName:1;
    unsigned int historyCount:4;            // 0..kPWFileMaxHistoryCount; not split here, unlike the global struct
    int isSessionKeyAgent:1;
#else
    int requiresAlpha:1;
    int usingHardExpirationDate:1;
    int usingExpirationDate:1;
    int canModifyPasswordforSelf:1;
    int usingHistory:1;
    int newPasswordRequired:1;
    int isAdminUser:1;
    int isDisabled:1;
    int isSessionKeyAgent:1;
    unsigned int historyCount:4;
    int passwordCannotBeName:1;
    int passwordIsHash:1;
    int requiresNumeric:1;
#endif
    BSDTimeStructCopy expirationDateGMT;
    BSDTimeStructCopy hardExpireDateGMT;
    UInt32 maxMinutesUntilChangePassword;
    UInt32 maxMinutesUntilDisabled;
    UInt32 maxMinutesOfNonUse;
    UInt16 maxFailedLoginAttempts;
    UInt16 minChars;
    UInt16 maxChars;
} PWAccessFeatures;
// Per-account fields added after PWAccessFeatures was frozen; kept in
// PWFileEntry.extraAccess. Carries the administrator-scope restrictions
// (adminNo*, adminClass), replication control bits (doNotReplicate,
// doNotMerge, recordIsDead) and a 64-byte userkey buffer whose contents and
// termination rule are not visible in this header. Sixteen flag bits, mirrored
// per byte order as in the structs above.
typedef struct PWMoreAccessFeatures {
    UInt32 minutesUntilFailedLoginReset;
    UInt32 notGuessablePattern;
    char userkey[64];                       // fixed buffer; writers must bound copies into it
    UInt32 logOffTime;
    UInt32 kickOffTime;
#if TARGET_RT_BIG_ENDIAN
    unsigned int recordIsDead:1;
    unsigned int doNotReplicate:1;
    unsigned int doNotMerge:1;
    unsigned int requiresMixedCase:1;
    unsigned int isComputerAccount:1;
    unsigned int unused:1;
    unsigned int requiresSymbol:1;
    unsigned int adminNoChangePasswords:1;
    unsigned int adminNoSetPolicies:1;
    unsigned int adminNoCreate:1;
    unsigned int adminNoDelete:1;
    unsigned int adminNoClearState:1;
    unsigned int adminNoPromoteAdmins:1;
    unsigned int adminClass:3;              // 0..7
#else
    unsigned int adminNoChangePasswords:1;
    unsigned int requiresSymbol:1;
    unsigned int unused:1;
    unsigned int isComputerAccount:1;
    unsigned int requiresMixedCase:1;
    unsigned int doNotMerge:1;
    unsigned int doNotReplicate:1;
    unsigned int recordIsDead:1;
    unsigned int adminClass:3;
    unsigned int adminNoPromoteAdmins:1;
    unsigned int adminNoClearState:1;
    unsigned int adminNoDelete:1;
    unsigned int adminNoCreate:1;
    unsigned int adminNoSetPolicies:1;
#endif
} PWMoreAccessFeatures;
// Header of the main record file (kPWFilePath). Besides slot bookkeeping it
// holds the global policy and this server's RSA-style key pair: the private
// key is stored in clear in privateKey[], so every copy of this header —
// including backups and replica transfers — is as sensitive as the key itself.
// Layout caveats: publicKeyLen/privateKeyLen are `unsigned long`, whose width
// differs between 32- and 64-bit builds; the pwsf_compress_header /
// pwsf_expand_header and pwsf_EndianAdjustPWFileHeader functions below are
// presumably what makes the persisted form stable — confirm before reading the
// struct straight from disk.
typedef struct PWFileHeader {
    UInt32 signature;                       // kPWFileSignature
    UInt32 version;                         // kPWFileVersion
    UInt32 entrySize;
    UInt32 sequenceNumber;
    UInt32 numberOfSlotsCurrentlyInFile;
    UInt32 deepestSlotUsed;
    PWGlobalAccessFeatures access;          // global policy
    AuthMethName weakAuthMethods[kPWFileMaxWeakMethods];
    unsigned long publicKeyLen;             // bytes of publicKey[] in use; must be <= kPWFileMaxPublicKeyBytes — readers should check, the struct cannot
    unsigned char publicKey[kPWFileMaxPublicKeyBytes];
    unsigned long privateKeyLen;            // bytes of privateKey[] in use; must be <= kPWFileMaxPrivateKeyBytes
    unsigned char privateKey[kPWFileMaxPrivateKeyBytes];   // SECRET
    char replicationName[kPWFileMaxReplicaName];
    UInt32 deepestSlotUsedByThisServer;
    UInt32 accessModDate;
    PWGlobalMoreAccessFeatures extraAccess; // global policy, later additions
    char properShutdown;
    char unusedExtraData[3];
    UInt32 fExtraData[243];                 // reserved
} PWFileHeader;
// One account record ("slot") in the main record file. passwordStr[] holds the
// account's password material (plaintext or hash; PWAccessFeatures.passwordIsHash
// appears to say which — confirm) and digest[] the per-mechanism secrets, so a
// PWFileEntry in memory is credential data and should be wiped, not merely
// freed, when discarded. All string members are fixed-size buffers with no
// length field; writers must bound their copies. The time/rnd/sequenceNumber/
// slot quad is what pwsf_passwordRecRefToString serialises (by name; confirm).
// Layout caveat: changeTransactionID is a SInt64 following byte-aligned
// members, so compiler padding — and hence sizeof(PWFileEntry) — can differ
// between ABIs; rely on pwsf_compress_slot/pwsf_expand_slot and
// pwsf_EndianAdjustPWFileEntry for the persisted form.
typedef struct PWFileEntry {
    UInt32 time;
    UInt32 rnd;
    UInt32 sequenceNumber;
    UInt32 slot;
    BSDTimeStructCopy creationDate;
    BSDTimeStructCopy modificationDate;
    BSDTimeStructCopy modDateOfPassword;
    BSDTimeStructCopy lastLogin;
    UInt16 failedLoginAttempts;             // counter behind maxFailedLoginAttempts; updated via pwsf_TestDisabledStatus* (inOut parameter)
    PWAccessFeatures access;                // per-account policy and state
    char passwordStr[512];                  // SECRET
    PasswordDigest digest[kPWFileMaxDigests];   // SECRET; indexed by kPWHashSlot* (presumably)
    char usernameStr[256];
    uuid_t userGUID;
    PWAdminGroupList admingroup;
    SInt64 changeTransactionID;
    char changeNeedsKerberos;
    char userdata[380];
    PWDisableReasonCode disableReason;      // width is compiler-defined (plain enum)
    PWMoreAccessFeatures extraAccess;       // later additions
} PWFileEntry;
// Time-based policy checks. Return an int status whose encoding is defined in
// the implementation (not visible here); by name, nonzero means "stale".
int TimeIsStale( BSDTimeStructCopy *inTime );
// inMaxMinutesOfNonUse is compared against the time elapsed since
// inLastLogin (by name; confirm the unit handling in the implementation).
int LoginTimeIsStale( BSDTimeStructCopy *inLastLogin, unsigned long inMaxMinutesOfNonUse );
// Policy struct -> space-delimited policy text (the kPWPolicyStr_* keys).
// The plain variants write into outString with NO length parameter: the caller
// must size the buffer for the longest possible rendering, which this header
// does not state. Prefer the *Extra variants, which take inMaxLen and also
// render the PW*MoreAccessFeatures fields.
void PWGlobalAccessFeaturesToString( PWGlobalAccessFeatures *inAccessFeatures, char *outString );
void PWGlobalAccessFeaturesToStringExtra( PWGlobalAccessFeatures *inAccessFeatures, PWGlobalMoreAccessFeatures *inExtraFeatures, int inMaxLen, char *outString );
void PWAccessFeaturesToString( PWAccessFeatures *inAccessFeatures, char *outString );
void PWAccessFeaturesToStringExtra( PWAccessFeatures *inAccessFeatures, PWMoreAccessFeatures *inExtraFeatures, int inMaxLen, char *outString );
// "Actual" variants take both the global and the per-account policy; by name
// they render the effective policy after combining the two — confirm.
void PWActualAccessFeaturesToString( PWGlobalAccessFeatures *inGAccessFeatures, PWAccessFeatures *inAccessFeatures, char *outString );
void PWActualAccessFeaturesToStringExtra( PWGlobalAccessFeatures *inGAccessFeatures, PWAccessFeatures *inAccessFeatures, PWMoreAccessFeatures *inExtraFeatures, int inMaxLen, char *outString );
// "WithoutStateInfo" variants omit account-state keys (by name; which keys
// count as state is defined in the implementation).
void PWAccessFeaturesToStringWithoutStateInfo( PWAccessFeatures *inAccessFeatures, char *outString );
void PWAccessFeaturesToStringWithoutStateInfoExtra( PWAccessFeatures *inAccessFeatures, PWMoreAccessFeatures *inExtraFeatures, int inMaxLen, char *outString );
// Space-delimited policy text -> policy struct. The inOut parameters are
// updated in place, so fields absent from inString presumably keep their prior
// value — initialise the struct before calling. Policy text may arrive from an
// administrative client, so these are parsers of untrusted input; the Boolean
// result (true presumably meaning "parsed") must be checked.
Boolean StringToPWGlobalAccessFeatures( const char *inString, PWGlobalAccessFeatures *inOutAccessFeatures );
Boolean StringToPWGlobalAccessFeaturesExtra( const char *inString, PWGlobalAccessFeatures *inOutAccessFeatures, PWGlobalMoreAccessFeatures *inOutExtraFeatures );
Boolean StringToPWAccessFeatures( const char *inString, PWAccessFeatures *inOutAccessFeatures );
Boolean StringToPWAccessFeaturesExtra( const char *inString, PWAccessFeatures *inOutAccessFeatures, PWMoreAccessFeatures *inOutExtraFeatures );
// Parses a single numeric value out of inString into *outValue.
Boolean StringToPWAccessFeatures_GetValue( const char *inString, unsigned long *outValue );
// Build-time layout sanity check; by name it aborts when the structs above do
// not have the expected sizes (the check itself lives in the implementation).
void CrashIfBuiltWrong(void);
// Copies policy keys present in inOriginalStr but not representable in the
// structs into inOutString, bounded by inMaxLen (by name; confirm).
void pwsf_PreserveUnrepresentedPolicies( const char *inOriginalStr, int inMaxLen, char *inOutString );
// Public-key retrieval. outPublicKey has no length parameter; the buffer
// presumably needs at least kPWFileMaxPublicKeyBytes — confirm the exact
// rendering (raw vs. text) and size in the implementation.
int pwsf_GetPublicKey( char *outPublicKey );
int pwsf_GetPublicKeyFromFile( const char *inFile, char *outPublicKey );
// Replica-list file maintenance (kPWReplicaLocalFile and friends).
void pwsf_CreateReplicaFile( const char *inIPStr, const char *inDNSStr, const char *inPublicKey );
void pwsf_ResetReplicaFile( const char *inPublicKey );
// Returns the Kerberos principal name for a record. Ownership of the returned
// buffer (caller-freed vs. static) is not stated here — check before freeing.
char* pwsf_GetPrincName( PWFileEntry *userRec );
// Conversion between the ShadowHash authentication-authority data string and
// a CFArray of hash-type names. pwsf_ShadowHashArrayToData returns a buffer
// of *outResultLen bytes; ownership not stated here.
int pwsf_ShadowHashDataToArray( const char *inAAData, CFMutableArrayRef *outHashTypeArray );
char * pwsf_ShadowHashArrayToData( CFArrayRef inHashTypeArray, long *outResultLen );
void pwsf_AppendUTF8StringToArray( const char *inUTF8Str, CFMutableArrayRef inArray );
// In-place byte-order conversion of the persisted structs. `native` selects
// the direction; presumably one of the kPWByteOrder* values — confirm.
void pwsf_EndianAdjustTimeStruct( BSDTimeStructCopy *inOutTimeStruct, int native );
void pwsf_EndianAdjustPWFileHeader( PWFileHeader *inOutHeader, int native );
void pwsf_EndianAdjustPWFileEntry( PWFileEntry *inOutEntry, int native );
// Digest generation for a record. These derive per-mechanism secrets from the
// record's password and store them in inOutPasswordRec (presumably in
// digest[] / passwordStr; confirm). inAddNT / inAddLM control whether the
// unsalted SMB NT and LAN Manager hashes are produced; both are
// password-equivalents, and LM additionally caps effective password strength,
// so they should be generated only where a client actually needs them.
void pwsf_AddHashesToPWRecord( const char *inRealm, bool inAddNT, bool inAddLM, PWFileEntry *inOutPasswordRec );
// Raw hash helpers. outHash has no capacity parameter; the required size is
// fixed by the algorithm and set in the implementation — check it there.
void pwsf_getHashCramMD5(const unsigned char *inPassword, long inPasswordLen, unsigned char *outHash, unsigned long *outHashLen);
void pwsf_getSaltedSHA1(const unsigned char *inPassword, long inPasswordLen, unsigned char *outHash, unsigned long *outHashLen);
// Slot number -> byte offset in the record file.
long pwsf_slotToOffset(long slot);
// Clock and randomness helpers. pwsf_getRandom's return is used in
// PWFileEntry.rnd (by name); whether it is cryptographically strong is not
// visible here — confirm before relying on it for anything secret.
void pwsf_getGMTime(struct tm *inOutGMT);
unsigned long pwsf_getTimeForRef(void);
unsigned long pwsf_getRandom(void);
// Record reference <-> string (the time/rnd/sequenceNumber/slot identity, by
// name). outRefStr has no length parameter; size it in the implementation's
// terms. pwsf_stringToPasswordRecRef parses externally supplied text and
// returns an int status that must be checked.
void pwsf_passwordRecRefToString(PWFileEntry *inPasswordRec, char *outRefStr);
int pwsf_stringToPasswordRecRef(const char *inRefStr, PWFileEntry *outPasswordRec);
// Per-mechanism variants of pwsf_AddHashesToPWRecord.
void pwsf_addHashDigestMD5( const char *inRealm, PWFileEntry *inOutPasswordRec );
void pwsf_addHashCramMD5( PWFileEntry *inOutPasswordRec );
void pwsf_addHashSaltedSHA1( PWFileEntry *inOutPasswordRec );
// Persisted-form (de)serialisation. The compress functions allocate
// *outCompressed* and report its length; ownership is not stated here. The
// expand functions take external bytes plus a length and must be treated as
// parsers of untrusted input — check the int result.
int pwsf_compress_header( PWFileHeader *inHeader, unsigned char **outCompressedHeader, unsigned int *outCompressedHeaderLength );
int pwsf_compress_slot( PWFileEntry *inPasswordRec, unsigned char **outCompressedRecord, unsigned int *outCompressedRecordLength );
int pwsf_expand_header( const unsigned char *inCompressedHeader, unsigned int inCompressedHeaderLength, PWFileHeader *outHeader );
int pwsf_expand_slot( const unsigned char *inCompressedRecord, unsigned int inCompressedRecordLength, PWFileEntry *inOutPasswordRec );
// DES obfuscation of a buffer, apparently in place (single data pointer, no
// output). Single DES is a 56-bit cipher and is not considered secure; treat
// this as obfuscation of data that already sits inside the protected record
// file, not as a confidentiality boundary. The key source is not visible here.
void pwsf_DESEncode(void *data, unsigned long inDataLen);
void pwsf_DESDecode(void *data, unsigned long inDataLen);
void pwsf_DESAutoDecode(void *data);   // no length parameter — the implementation must derive it from the data
// UUID / group helpers and plist I/O.
bool pwsf_is_guid( const char *inStr );                       // true if inStr is formatted as a GUID
bool pwsf_uuid_for_group( const char *groupName, uuid_t uuid );   // looks up a group by name; result into uuid
// Parses an adminAuthorityGroups policy string into a uuid_t array. The
// returned int is presumably the count; the array is allocated by the callee
// (ownership not stated here).
int pwsf_PolicyStringToGroupList( const char *inString, uuid_t *outGroupList[] );
// Builders for the additional-data dictionaries (keys kPWKey_ScopeOfAuthority
// / kPWKey_ComputerAccountOwnerList, by name). Returned CF objects follow the
// Create rule: the caller owns them and must CFRelease.
CFMutableDictionaryRef pwsf_CreateAdditionalDataDictionaryWithUUIDList( int uuidCount, uuid_t *uuidList );
CFMutableDictionaryRef pwsf_CreateAdditionalDataDictionaryWithOwners( const char *inSlotIDList );
// Returned CFStringRef: the name does not follow the Create/Copy rule, so
// ownership must be checked in the implementation before releasing.
CFStringRef pwsf_UUIDToString( uuid_t uuid );
bool pwsf_UUIDStrToUUID(const char *inUUIDStr, uuid_t *outUUID);
// Authority-group list for an admin record; *outGroupList is callee-allocated
// (ownership not stated here). The WithPath variant reads relative to
// basePath instead of the default kPWAuxDirPath (inferred from the name).
int pwsf_GetGroupList( PWFileEntry *adminRec, uuid_t **outGroupList );
int pwsf_GetGroupListWithPath( const char *basePath, PWFileEntry *adminRec, uuid_t **outGroupList );
// Property-list file I/O; int result must be checked. pwsf_loadxml parses a
// file from disk, so inFilePath should only ever be one of the trusted paths
// defined above.
int pwsf_loadxml( const char *inFilePath, CFMutableDictionaryRef *outPList );
int pwsf_savexml(const char *inSaveFile, CFDictionaryRef inPList );
// Account-status evaluation against the combined per-account (inAccess) and
// global (inGAccess) policy. inOutFailedLoginAttempts is read and may be
// written (e.g. reset after minutesUntilFailedLoginReset — inferred, confirm),
// so callers must persist the record afterwards or the lockout counter is
// lost. The int result encoding is defined in the implementation.
int pwsf_TestDisabledStatus( PWAccessFeatures *inAccess, PWGlobalAccessFeatures *inGAccess, struct tm *inCreationDate, struct tm *inLastLoginTime, UInt16 *inOutFailedLoginAttempts );
// Same check, additionally reporting why the account is disabled.
int pwsf_TestDisabledStatusWithReasonCode( PWAccessFeatures *inAccess, PWGlobalAccessFeatures *inGAccess, struct tm *inCreationDate, struct tm *inLastLoginTime, UInt16 *inOutFailedLoginAttempts, PWDisableReasonCode *outReasonCode );
// Whether a password change is required/allowed given its last-set date.
int pwsf_ChangePasswordStatus( PWAccessFeatures *inAccess, PWGlobalAccessFeatures *inGAccess, struct tm *inModDateOfPassword );
// Password-composition policy check (requiresAlpha/Numeric/MixedCase/Symbol,
// minChars/maxChars, passwordCannotBeName — by field names, confirm).
// inPassword is the candidate plaintext; do not log it.
int pwsf_RequiredCharacterStatus(PWAccessFeatures *access, PWGlobalAccessFeatures *inGAccess, const char *inUsername, const char *inPassword);
int pwsf_RequiredCharacterStatusExtra(PWAccessFeatures *access, PWGlobalAccessFeatures *inGAccess, const char *inUsername, const char *inPassword, PWMoreAccessFeatures *inExtraFeatures );
// Duplicate of the pwsf_getHashCramMD5 declaration above; identical, so
// harmless, but it can be removed.
void pwsf_getHashCramMD5(const unsigned char *inPassword, long inPasswordLen, unsigned char *outHash, unsigned long *outHashLen );
// Replica status snapshot; CF object returned by a Get-named function —
// verify ownership in the implementation before releasing.
CFDictionaryRef pwsf_GetStatusForReplicas( void );
// CFDate <-> struct tm. pwsf_ConvertBSDTimeToCFDate stores a new CFDateRef in
// *outDateRef; the caller presumably owns it (confirm).
bool pwsf_ConvertCFDateToBSDTime( CFDateRef inDateRef, struct tm *outBSDDate );
bool pwsf_ConvertBSDTimeToCFDate( struct tm *inBSDDate, CFDateRef *outDateRef );
// Conversion between the XML (plist) and space-delimited policy text forms.
// Each function allocates the out-string for the caller (ownership not stated
// here; check the implementation). The XML inputs are parsers of externally
// supplied text — check the int result before using the output.
int ConvertGlobalXMLPolicyToSpaceDelimited( const char *inXMLDataStr, char **outPolicyStr );
int ConvertGlobalSpaceDelimitedPolicyToXML( const char *inPolicyStr, char **outXMLDataStr );
int ConvertXMLPolicyToSpaceDelimited( const char *inXMLDataStr, char **outPolicyStr );
int ConvertSpaceDelimitedPolicyToXML( const char *inPolicyStr, char **outXMLDataStr );
// inPreserveStateInfo selects whether account-state keys are carried over
// (by name; which keys count as state is defined in the implementation).
int ConvertSpaceDelimitedPoliciesToXML( const char *inPolicyStr, int inPreserveStateInfo, char **outXMLDataStr );
// Fills *inOutUserPolicies with the default per-account policy.
void GetDefaultUserPolicies( PWAccessFeatures *inOutUserPolicies );
#ifdef __cplusplus
};
#endif
#endif