/usr/include/mit-krb5/krb5/krb5.h is in krb5-multidev 1.12+dfsg-2ubuntu5.4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677 2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298 3299 3300 3301 3302 3303 3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350 3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400 3401 3402 3403 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 3415 3416 3417 3418 3419 3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489 3490 3491 3492 3493 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562 3563 3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575 3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 3611 3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 3627 3628 3629 3630 3631 3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671 3672 3673 3674 3675 3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770 3771 3772 3773 3774 3775 3776 3777 3778 3779 3780 3781 3782 3783 3784 3785 3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 3845 3846 3847 3848 3849 3850 3851 3852 3853 3854 3855 3856 3857 3858 3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871 3872 3873 3874 3875 3876 3877 3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889 3890 3891 3892 3893 3894 3895 3896 3897 3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 3926 3927 3928 3929 3930 3931 3932 3933 3934 3935 3936 3937 3938 3939 3940 3941 3942 3943 3944 3945 3946 3947 3948 3949 3950 3951 3952 3953 3954 3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974 3975 3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 3987 3988 3989 3990 3991 3992 3993 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4016 4017 4018 4019 4020 4021 4022 4023 4024 4025 4026 4027 4028 4029 4030 4031 4032 4033 4034 4035 4036 4037 4038 4039 4040 4041 4042 4043 4044 4045 4046 4047 4048 4049 4050 4051 4052 4053 4054 4055 4056 4057 4058 4059 4060 4061 4062 4063 4064 4065 4066 4067 4068 4069 4070 4071 4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 4086 4087 4088 4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 4127 4128 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149 4150 4151 4152 4153 4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 4167 4168 4169 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 4186 4187 4188 4189 4190 4191 4192 4193 4194 4195 4196 4197 4198 4199 4200 4201 4202 4203 4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215 4216 4217 4218 4219 4220 4221 4222 4223 4224 4225 4226 4227 4228 4229 4230 4231 4232 4233 4234 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 4249 4250 4251 4252 4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 4334 4335 4336 4337 4338 4339 4340 4341 4342 4343 4344 4345 4346 4347 4348 4349 4350 4351 4352 4353 4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370 4371 4372 4373 4374 4375 4376 4377 4378 4379 4380 4381 4382 4383 4384 4385 4386 4387 4388 4389 4390 4391 4392 4393 4394 4395 4396 4397 4398 4399 4400 4401 4402 4403 4404 4405 4406 4407 4408 4409 4410 4411 4412 4413 4414 4415 4416 4417 4418 4419 4420 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437 4438 4439 4440 4441 4442 4443 4444 4445 4446 4447 4448 4449 4450 4451 4452 4453 4454 4455 4456 4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 4475 4476 4477 4478 4479 4480 4481 4482 4483 4484 4485 4486 4487 4488 4489 4490 4491 4492 4493 4494 4495 4496 4497 4498 4499 4500 4501 4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512 4513 4514 4515 4516 4517 4518 4519 4520 4521 4522 4523 4524 4525 4526 4527 4528 4529 4530 4531 4532 4533 4534 4535 4536 4537 4538 4539 4540 4541 4542 4543 4544 4545 4546 4547 4548 4549 4550 4551 4552 4553 4554 4555 4556 4557 4558 4559 4560 4561 4562 4563 4564 4565 4566 4567 4568 4569 4570 4571 4572 4573 4574 4575 4576 4577 4578 4579 4580 4581 4582 4583 4584 4585 4586 4587 4588 4589 4590 4591 4592 4593 4594 4595 4596 4597 4598 4599 4600 4601 4602 4603 4604 4605 4606 4607 4608 4609 4610 4611 4612 4613 4614 4615 4616 4617 4618 4619 4620 4621 4622 4623 4624 4625 4626 4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 4645 4646 4647 4648 4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 4659 4660 4661 4662 4663 4664 4665 4666 4667 4668 4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 4684 4685 4686 4687 4688 4689 4690 4691 4692 4693 4694 4695 4696 4697 4698 4699 4700 4701 4702 4703 4704 4705 4706 4707 4708 4709 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 4720 4721 4722 4723 4724 4725 4726 4727 4728 4729 4730 4731 4732 4733 4734 4735 4736 4737 4738 4739 4740 4741 4742 4743 4744 4745 4746 4747 4748 4749 4750 4751 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773 4774 4775 4776 4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4795 4796 4797 4798 4799 4800 4801 4802 4803 4804 4805 4806 4807 4808 4809 4810 4811 4812 4813 4814 4815 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826 4827 4828 4829 4830 4831 4832 4833 4834 4835 4836 4837 4838 4839 4840 4841 4842 4843 4844 4845 4846 4847 4848 4849 4850 4851 4852 4853 4854 4855 4856 4857 4858 4859 4860 4861 4862 4863 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879 4880 4881 4882 4883 4884 4885 4886 4887 4888 4889 4890 4891 4892 4893 4894 4895 4896 4897 4898 4899 4900 4901 4902 4903 4904 4905 4906 4907 4908 4909 4910 4911 4912 4913 4914 4915 4916 4917 4918 4919 4920 4921 4922 4923 4924 4925 4926 4927 4928 4929 4930 4931 4932 4933 4934 4935 4936 4937 4938 4939 4940 4941 4942 4943 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958 4959 4960 4961 4962 4963 4964 4965 4966 4967 4968 4969 4970 4971 4972 4973 4974 4975 4976 4977 4978 4979 4980 4981 4982 4983 4984 4985 4986 4987 4988 4989 4990 4991 4992 4993 4994 4995 4996 4997 4998 4999 5000 5001 5002 5003 5004 5005 5006 5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017 5018 5019 5020 5021 5022 5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034 5035 5036 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086 5087 5088 5089 5090 5091 5092 5093 5094 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175 5176 5177 5178 5179 5180 5181 5182 5183 5184 5185 5186 5187 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207 5208 5209 5210 5211 5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235 5236 5237 5238 5239 5240 5241 5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316 5317 5318 5319 5320 5321 5322 5323 5324 5325 5326 5327 5328 5329 5330 5331 5332 5333 5334 5335 5336 5337 5338 5339 5340 5341 5342 5343 5344 5345 5346 5347 5348 5349 5350 5351 5352 5353 5354 5355 5356 5357 5358 5359 5360 5361 5362 5363 5364 5365 5366 5367 5368 5369 5370 5371 5372 5373 5374 5375 5376 5377 5378 5379 5380 5381 5382 5383 5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398 5399 5400 5401 5402 5403 5404 5405 5406 5407 5408 5409 5410 5411 5412 5413 5414 5415 5416 5417 5418 5419 5420 5421 5422 5423 5424 5425 5426 5427 5428 5429 5430 5431 5432 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 5444 5445 5446 5447 5448 5449 5450 5451 5452 5453 5454 5455 5456 5457 5458 5459 5460 5461 5462 5463 5464 5465 5466 5467 5468 5469 5470 5471 5472 5473 5474 5475 5476 5477 5478 5479 5480 5481 5482 5483 5484 5485 5486 5487 5488 5489 5490 5491 5492 5493 5494 5495 5496 5497 5498 5499 5500 5501 5502 5503 5504 5505 5506 5507 5508 5509 5510 5511 5512 5513 5514 5515 5516 5517 5518 5519 5520 5521 5522 5523 5524 5525 5526 5527 5528 5529 5530 5531 5532 5533 5534 5535 5536 5537 5538 5539 5540 5541 5542 5543 5544 5545 5546 5547 5548 5549 5550 5551 5552 5553 5554 5555 5556 5557 5558 5559 5560 5561 5562 5563 5564 5565 5566 5567 5568 5569 5570 5571 5572 5573 5574 5575 5576 5577 5578 5579 5580 5581 5582 5583 5584 5585 5586 5587 5588 5589 5590 5591 5592 5593 5594 5595 5596 5597 5598 5599 5600 5601 5602 5603 5604 5605 5606 5607 5608 5609 5610 5611 5612 5613 5614 5615 5616 5617 5618 5619 5620 5621 5622 5623 5624 5625 5626 5627 5628 5629 5630 5631 5632 5633 5634 5635 5636 5637 5638 5639 5640 5641 5642 5643 5644 5645 5646 5647 5648 5649 5650 5651 5652 5653 5654 5655 5656 5657 5658 5659 5660 5661 5662 5663 5664 5665 5666 5667 5668 5669 5670 5671 5672 5673 5674 5675 5676 5677 5678 5679 5680 5681 5682 5683 5684 5685 5686 5687 5688 5689 5690 5691 5692 5693 5694 5695 5696 5697 5698 5699 5700 5701 5702 5703 5704 5705 5706 5707 5708 5709 5710 5711 5712 5713 5714 5715 5716 5717 5718 5719 5720 5721 5722 5723 5724 5725 5726 5727 5728 5729 5730 5731 5732 5733 5734 5735 5736 5737 5738 5739 5740 5741 5742 5743 5744 5745 5746 5747 5748 5749 5750 5751 5752 5753 5754 5755 5756 5757 5758 5759 5760 5761 5762 5763 5764 5765 5766 5767 5768 5769 5770 5771 5772 5773 5774 5775 5776 5777 5778 5779 5780 5781 5782 5783 5784 5785 5786 5787 5788 5789 5790 5791 5792 5793 5794 5795 5796 5797 5798 5799 5800 5801 5802 5803 5804 5805 5806 5807 5808 5809 5810 5811 5812 5813 5814 5815 5816 5817 5818 5819 5820 5821 5822 5823 5824 5825 5826 5827 5828 5829 5830 5831 5832 5833 5834 5835 5836 5837 5838 5839 5840 5841 5842 5843 5844 5845 5846 5847 5848 5849 5850 5851 5852 5853 5854 5855 5856 5857 5858 5859 5860 5861 5862 5863 5864 5865 5866 5867 5868 5869 5870 5871 5872 5873 5874 5875 5876 5877 5878 5879 5880 5881 5882 5883 5884 5885 5886 5887 5888 5889 5890 5891 5892 5893 5894 5895 5896 5897 5898 5899 5900 5901 5902 5903 5904 5905 5906 5907 5908 5909 5910 5911 5912 5913 5914 5915 5916 5917 5918 5919 5920 5921 5922 5923 5924 5925 5926 5927 5928 5929 5930 5931 5932 5933 5934 5935 5936 5937 5938 5939 5940 5941 5942 5943 5944 5945 5946 5947 5948 5949 5950 5951 5952 5953 5954 5955 5956 5957 5958 5959 5960 5961 5962 5963 5964 5965 5966 5967 5968 5969 5970 5971 5972 5973 5974 5975 5976 5977 5978 5979 5980 5981 5982 5983 5984 5985 5986 5987 5988 5989 5990 5991 5992 5993 5994 5995 5996 5997 5998 5999 6000 6001 6002 6003 6004 6005 6006 6007 6008 6009 6010 6011 6012 6013 6014 6015 6016 6017 6018 6019 6020 6021 6022 6023 6024 6025 6026 6027 6028 6029 6030 6031 6032 6033 6034 6035 6036 6037 6038 6039 6040 6041 6042 6043 6044 6045 6046 6047 6048 6049 6050 6051 6052 6053 6054 6055 6056 6057 6058 6059 6060 6061 6062 6063 6064 6065 6066 6067 6068 6069 6070 6071 6072 6073 6074 6075 6076 6077 6078 6079 6080 6081 6082 6083 6084 6085 6086 6087 6088 6089 6090 6091 6092 6093 6094 6095 6096 6097 6098 6099 6100 6101 6102 6103 6104 6105 6106 6107 6108 6109 6110 6111 6112 6113 6114 6115 6116 6117 6118 6119 6120 6121 6122 6123 6124 6125 6126 6127 6128 6129 6130 6131 6132 6133 6134 6135 6136 6137 6138 6139 6140 6141 6142 6143 6144 6145 6146 6147 6148 6149 6150 6151 6152 6153 6154 6155 6156 6157 6158 6159 6160 6161 6162 6163 6164 6165 6166 6167 6168 6169 6170 6171 6172 6173 6174 6175 6176 6177 6178 6179 6180 6181 6182 6183 6184 6185 6186 6187 6188 6189 6190 6191 6192 6193 6194 6195 6196 6197 6198 6199 6200 6201 6202 6203 6204 6205 6206 6207 6208 6209 6210 6211 6212 6213 6214 6215 6216 6217 6218 6219 6220 6221 6222 6223 6224 6225 6226 6227 6228 6229 6230 6231 6232 6233 6234 6235 6236 6237 6238 6239 6240 6241 6242 6243 6244 6245 6246 6247 6248 6249 6250 6251 6252 6253 6254 6255 6256 6257 6258 6259 6260 6261 6262 6263 6264 6265 6266 6267 6268 6269 6270 6271 6272 6273 6274 6275 6276 6277 6278 6279 6280 6281 6282 6283 6284 6285 6286 6287 6288 6289 6290 6291 6292 6293 6294 6295 6296 6297 6298 6299 6300 6301 6302 6303 6304 6305 6306 6307 6308 6309 6310 6311 6312 6313 6314 6315 6316 6317 6318 6319 6320 6321 6322 6323 6324 6325 6326 6327 6328 6329 6330 6331 6332 6333 6334 6335 6336 6337 6338 6339 6340 6341 6342 6343 6344 6345 6346 6347 6348 6349 6350 6351 6352 6353 6354 6355 6356 6357 6358 6359 6360 6361 6362 6363 6364 6365 6366 6367 6368 6369 6370 6371 6372 6373 6374 6375 6376 6377 6378 6379 6380 6381 6382 6383 6384 6385 6386 6387 6388 6389 6390 6391 6392 6393 6394 6395 6396 6397 6398 6399 6400 6401 6402 6403 6404 6405 6406 6407 6408 6409 6410 6411 6412 6413 6414 6415 6416 6417 6418 6419 6420 6421 6422 6423 6424 6425 6426 6427 6428 6429 6430 6431 6432 6433 6434 6435 6436 6437 6438 6439 6440 6441 6442 6443 6444 6445 6446 6447 6448 6449 6450 6451 6452 6453 6454 6455 6456 6457 6458 6459 6460 6461 6462 6463 6464 6465 6466 6467 6468 6469 6470 6471 6472 6473 6474 6475 6476 6477 6478 6479 6480 6481 6482 6483 6484 6485 6486 6487 6488 6489 6490 6491 6492 6493 6494 6495 6496 6497 6498 6499 6500 6501 6502 6503 6504 6505 6506 6507 6508 6509 6510 6511 6512 6513 6514 6515 6516 6517 6518 6519 6520 6521 6522 6523 6524 6525 6526 6527 6528 6529 6530 6531 6532 6533 6534 6535 6536 6537 6538 6539 6540 6541 6542 6543 6544 6545 6546 6547 6548 6549 6550 6551 6552 6553 6554 6555 6556 6557 6558 6559 6560 6561 6562 6563 6564 6565 6566 6567 6568 6569 6570 6571 6572 6573 6574 6575 6576 6577 6578 6579 6580 6581 6582 6583 6584 6585 6586 6587 6588 6589 6590 6591 6592 6593 6594 6595 6596 6597 6598 6599 6600 6601 6602 6603 6604 6605 6606 6607 6608 6609 6610 6611 6612 6613 6614 6615 6616 6617 6618 6619 6620 6621 6622 6623 6624 6625 6626 6627 6628 6629 6630 6631 6632 6633 6634 6635 6636 6637 6638 6639 6640 6641 6642 6643 6644 6645 6646 6647 6648 6649 6650 6651 6652 6653 6654 6655 6656 6657 6658 6659 6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6670 6671 6672 6673 6674 6675 6676 6677 6678 6679 6680 6681 6682 6683 6684 6685 6686 6687 6688 6689 6690 6691 6692 6693 6694 6695 6696 6697 6698 6699 6700 6701 6702 6703 6704 6705 6706 6707 6708 6709 6710 6711 6712 6713 6714 6715 6716 6717 6718 6719 6720 6721 6722 6723 6724 6725 6726 6727 6728 6729 6730 6731 6732 6733 6734 6735 6736 6737 6738 6739 6740 6741 6742 6743 6744 6745 6746 6747 6748 6749 6750 6751 6752 6753 6754 6755 6756 6757 6758 6759 6760 6761 6762 6763 6764 6765 6766 6767 6768 6769 6770 6771 6772 6773 6774 6775 6776 6777 6778 6779 6780 6781 6782 6783 6784 6785 6786 6787 6788 6789 6790 6791 6792 6793 6794 6795 6796 6797 6798 6799 6800 6801 6802 6803 6804 6805 6806 6807 6808 6809 6810 6811 6812 6813 6814 6815 6816 6817 6818 6819 6820 6821 6822 6823 6824 6825 6826 6827 6828 6829 6830 6831 6832 6833 6834 6835 6836 6837 6838 6839 6840 6841 6842 6843 6844 6845 6846 6847 6848 6849 6850 6851 6852 6853 6854 6855 6856 6857 6858 6859 6860 6861 6862 6863 6864 6865 6866 6867 6868 6869 6870 6871 6872 6873 6874 6875 6876 6877 6878 6879 6880 6881 6882 6883 6884 6885 6886 6887 6888 6889 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899 6900 6901 6902 6903 6904 6905 6906 6907 6908 6909 6910 6911 6912 6913 6914 6915 6916 6917 6918 6919 6920 6921 6922 6923 6924 6925 6926 6927 6928 6929 6930 6931 6932 6933 6934 6935 6936 6937 6938 6939 6940 6941 6942 6943 6944 6945 6946 6947 6948 6949 6950 6951 6952 6953 6954 6955 6956 6957 6958 6959 6960 6961 6962 6963 6964 6965 6966 6967 6968 6969 6970 6971 6972 6973 6974 6975 6976 6977 6978 6979 6980 6981 6982 6983 6984 6985 6986 6987 6988 6989 6990 6991 6992 6993 6994 6995 6996 6997 6998 6999 7000 7001 7002 7003 7004 7005 7006 7007 7008 7009 7010 7011 7012 7013 7014 7015 7016 7017 7018 7019 7020 7021 7022 7023 7024 7025 7026 7027 7028 7029 7030 7031 7032 7033 7034 7035 7036 7037 7038 7039 7040 7041 7042 7043 7044 7045 7046 7047 7048 7049 7050 7051 7052 7053 7054 7055 7056 7057 7058 7059 7060 7061 7062 7063 7064 7065 7066 7067 7068 7069 7070 7071 7072 7073 7074 7075 7076 7077 7078 7079 7080 7081 7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7097 7098 7099 7100 7101 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7113 7114 7115 7116 7117 7118 7119 7120 7121 7122 7123 7124 7125 7126 7127 7128 7129 7130 7131 7132 7133 7134 7135 7136 7137 7138 7139 7140 7141 7142 7143 7144 7145 7146 7147 7148 7149 7150 7151 7152 7153 7154 7155 7156 7157 7158 7159 7160 7161 7162 7163 7164 7165 7166 7167 7168 7169 7170 7171 7172 7173 7174 7175 7176 7177 7178 7179 7180 7181 7182 7183 7184 7185 7186 7187 7188 7189 7190 7191 7192 7193 7194 7195 7196 7197 7198 7199 7200 7201 7202 7203 7204 7205 7206 7207 7208 7209 7210 7211 7212 7213 7214 7215 7216 7217 7218 7219 7220 7221 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 7233 7234 7235 7236 7237 7238 7239 7240 7241 7242 7243 7244 7245 7246 7247 7248 7249 7250 7251 7252 7253 7254 7255 7256 7257 7258 7259 7260 7261 7262 7263 7264 7265 7266 7267 7268 7269 7270 7271 7272 7273 7274 7275 7276 7277 7278 7279 7280 7281 7282 7283 7284 7285 7286 7287 7288 7289 7290 7291 7292 7293 7294 7295 7296 7297 7298 7299 7300 7301 7302 7303 7304 7305 7306 7307 7308 7309 7310 7311 7312 7313 7314 7315 7316 7317 7318 7319 7320 7321 7322 7323 7324 7325 7326 7327 7328 7329 7330 7331 7332 7333 7334 7335 7336 7337 7338 7339 7340 7341 7342 7343 7344 7345 7346 7347 7348 7349 7350 7351 7352 7353 7354 7355 7356 7357 7358 7359 7360 7361 7362 7363 7364 7365 7366 7367 7368 7369 7370 7371 7372 7373 7374 7375 7376 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 7388 7389 7390 7391 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 7413 7414 7415 7416 7417 7418 7419 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 7440 7441 7442 7443 7444 7445 7446 7447 7448 7449 7450 7451 7452 7453 7454 7455 7456 7457 7458 7459 7460 7461 7462 7463 7464 7465 7466 7467 7468 7469 7470 7471 7472 7473 7474 7475 7476 7477 7478 7479 7480 7481 7482 7483 7484 7485 7486 7487 7488 7489 7490 7491 7492 7493 7494 7495 7496 7497 7498 7499 7500 7501 7502 7503 7504 7505 7506 7507 7508 7509 7510 7511 7512 7513 7514 7515 7516 7517 7518 7519 7520 7521 7522 7523 7524 7525 7526 7527 7528 7529 7530 7531 7532 7533 7534 7535 7536 7537 7538 7539 7540 7541 7542 7543 7544 7545 7546 7547 7548 7549 7550 7551 7552 7553 7554 7555 7556 7557 7558 7559 7560 7561 7562 7563 7564 7565 7566 7567 7568 7569 7570 7571 7572 7573 7574 7575 7576 7577 7578 7579 7580 7581 7582 7583 7584 7585 7586 7587 7588 7589 7590 7591 7592 7593 7594 7595 7596 7597 7598 7599 7600 7601 7602 7603 7604 7605 7606 7607 7608 7609 7610 7611 7612 7613 7614 7615 7616 7617 7618 7619 7620 7621 7622 7623 7624 7625 7626 7627 7628 7629 7630 7631 7632 7633 7634 7635 7636 7637 7638 7639 7640 7641 7642 7643 7644 7645 7646 7647 7648 7649 7650 7651 7652 7653 7654 7655 7656 7657 7658 7659 7660 7661 7662 7663 7664 7665 7666 7667 7668 7669 7670 7671 7672 7673 7674 7675 7676 7677 7678 7679 7680 7681 7682 7683 7684 7685 7686 7687 7688 7689 7690 7691 7692 7693 7694 7695 7696 7697 7698 7699 7700 7701 7702 7703 7704 7705 7706 7707 7708 7709 7710 7711 7712 7713 7714 7715 7716 7717 7718 7719 7720 7721 7722 7723 7724 7725 7726 7727 7728 7729 7730 7731 7732 7733 7734 7735 7736 7737 7738 7739 7740 7741 7742 7743 7744 7745 7746 7747 7748 7749 7750 7751 7752 7753 7754 7755 7756 7757 7758 7759 7760 7761 7762 7763 7764 7765 7766 7767 7768 7769 7770 7771 7772 7773 7774 7775 7776 7777 7778 7779 7780 7781 7782 7783 7784 7785 7786 7787 7788 7789 7790 7791 7792 7793 7794 7795 7796 7797 7798 7799 7800 7801 7802 7803 7804 7805 7806 7807 7808 7809 7810 7811 7812 7813 7814 7815 7816 7817 7818 7819 7820 7821 7822 7823 7824 7825 7826 7827 7828 7829 7830 7831 7832 7833 7834 7835 7836 7837 7838 7839 7840 7841 7842 7843 7844 7845 7846 7847 7848 7849 7850 7851 7852 7853 7854 7855 7856 7857 7858 7859 7860 7861 7862 7863 7864 7865 7866 7867 7868 7869 7870 7871 7872 7873 7874 7875 7876 7877 7878 7879 7880 7881 7882 7883 7884 7885 7886 7887 7888 7889 7890 7891 7892 7893 7894 7895 7896 7897 7898 7899 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 7921 7922 7923 7924 7925 7926 7927 7928 7929 7930 7931 7932 7933 7934 7935 7936 7937 7938 7939 7940 7941 7942 7943 7944 7945 7946 7947 7948 7949 7950 7951 7952 7953 7954 7955 7956 7957 7958 7959 7960 7961 7962 7963 7964 7965 7966 7967 7968 7969 7970 7971 7972 7973 7974 7975 7976 7977 7978 7979 7980 7981 7982 7983 7984 7985 7986 7987 7988 7989 7990 7991 7992 7993 7994 7995 7996 7997 7998 7999 8000 8001 8002 8003 8004 8005 8006 8007 8008 8009 8010 8011 8012 8013 8014 8015 8016 8017 8018 8019 8020 8021 8022 8023 8024 8025 8026 8027 8028 8029 8030 8031 8032 8033 8034 8035 8036 8037 8038 8039 8040 8041 8042 8043 8044 8045 8046 8047 8048 8049 8050 8051 8052 8053 8054 8055 8056 8057 8058 8059 8060 8061 8062 8063 8064 8065 8066 8067 8068 8069 8070 8071 8072 8073 8074 8075 8076 8077 8078 8079 8080 8081 8082 8083 8084 8085 8086 8087 8088 8089 8090 8091 8092 8093 8094 8095 8096 8097 8098 8099 8100 8101 8102 8103 8104 8105 8106 8107 8108 8109 8110 8111 8112 8113 8114 8115 8116 8117 8118 8119 8120 8121 8122 8123 8124 8125 8126 8127 8128 8129 8130 8131 8132 8133 8134 8135 8136 8137 8138 8139 8140 8141 8142 8143 8144 8145 8146 8147 8148 8149 8150 8151 8152 8153 8154 8155 8156 8157 8158 8159 8160 8161 8162 8163 8164 8165 8166 8167 8168 8169 8170 8171 8172 8173 8174 8175 8176 8177 8178 8179 8180 8181 8182 8183 8184 8185 8186 8187 8188 8189 8190 8191 8192 8193 8194 8195 8196 8197 8198 8199 8200 8201 8202 8203 8204 8205 8206 8207 8208 8209 8210 8211 8212 8213 8214 8215 8216 8217 8218 8219 8220 8221 8222 8223 8224 8225 8226 8227 8228 8229 8230 8231 8232 8233 8234 8235 8236 8237 8238 8239 8240 8241 8242 8243 8244 8245 8246 8247 8248 8249 8250 8251 8252 8253 8254 8255 8256 8257 8258 8259 8260 8261 8262 8263 8264 8265 8266 8267 8268 8269 8270 8271 8272 8273 8274 8275 8276 8277 8278 8279 8280 8281 8282 8283 8284 8285 8286 8287 8288 8289 8290 8291 8292 8293 8294 8295 8296 8297 8298 8299 8300 8301 8302 8303 8304 8305 8306 8307 8308 8309 8310 8311 8312 8313 8314 8315 8316 8317 8318 8319 8320 8321 8322 8323 8324 8325 8326 8327 8328 8329 8330 8331 8332 8333 8334 8335 8336 8337 8338 8339 8340 8341 8342 8343 8344 8345 8346 8347 8348 8349 8350 8351 8352 8353 8354 8355 8356 8357 8358 8359 8360 8361 8362 8363 8364 8365 8366 8367 8368 8369 8370 8371 8372 8373 8374 8375 8376 8377 8378 8379 8380 8381 8382 8383 8384 8385 8386 8387 8388 8389 8390 8391 8392 8393 8394 8395 8396 8397 8398 8399 8400 8401 8402 8403 8404 8405 8406 8407 8408 8409 8410 8411 8412 8413 8414 8415 8416 8417 8418 8419 8420 8421 8422 8423 8424 8425 8426 8427 8428 8429 8430 8431 8432 8433 8434 8435 8436 8437 8438 8439 8440 8441 8442 8443 8444 8445 8446 8447 8448 8449 8450 8451 8452 8453 8454 8455 8456 8457 8458 8459 8460 8461 8462 8463 8464 8465 8466 8467 8468 8469 8470 8471 8472 8473 8474 8475 8476 8477 8478 8479 8480 8481 8482 8483 8484 8485 8486 8487 8488 8489 8490 8491 8492 8493 8494 8495 8496 8497 8498 8499 8500 8501 8502 8503 8504 8505 8506 8507 8508 8509 8510 8511 8512 8513 8514 8515 8516 8517 8518 8519 8520 8521 8522 8523 8524 8525 8526 8527 8528 8529 8530 8531 8532 8533 8534 8535 8536 8537 8538 8539 8540 8541 8542 8543 8544 8545 8546 8547 8548 8549 8550 8551 8552 8553 8554 8555 8556 8557 8558 8559 8560 8561 8562 8563 8564 8565 8566 8567 8568 8569 8570 8571 8572 8573 8574 8575 8576 8577 8578 8579 8580 8581 8582 8583 8584 8585 8586 8587 8588 8589 8590 8591 8592 8593 8594 8595 8596 8597 8598 8599 8600 8601 8602 8603 8604 8605 8606 8607 8608 8609 8610 8611 8612 8613 8614 8615 8616 8617 8618 8619 8620 8621 8622 8623 8624 8625 8626 8627 8628 8629 8630 8631 8632 8633 8634 8635 8636 8637 8638 8639 8640 8641 8642 8643 8644 8645 8646 8647 8648 8649 8650 8651 8652 8653 8654 8655 8656 8657 8658 8659 8660 8661 8662 8663 8664 8665 8666 8667 8668 8669 8670 8671 8672 8673 8674 8675 8676 8677 8678 8679 8680 8681 8682 8683 8684 8685 8686 8687 8688 8689 8690 8691 8692 8693 8694 8695 8696 8697 8698 8699 8700 8701 8702 | /* This file is generated, please don't edit it directly. */
#ifndef KRB5_KRB5_H_INCLUDED
#define KRB5_KRB5_H_INCLUDED
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* General definitions for Kerberos version 5. */
/*
* Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts
* Institute of Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
* All rights reserved.
*
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of FundsXpress. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__
/** @defgroup KRB5_H krb5 library API
* @{
*/
/* By default, do not expose deprecated interfaces. */
#ifndef KRB5_DEPRECATED
#define KRB5_DEPRECATED 0
#endif
#if defined(__MACH__) && defined(__APPLE__)
# include <TargetConditionals.h>
# if TARGET_RT_MAC_CFM
# error "Use KfM 4.0 SDK headers for CFM compilation."
# endif
#endif
#if defined(_MSDOS) || defined(_WIN32)
#include <win-mac.h>
#endif
#ifndef KRB5_CONFIG__
#ifndef KRB5_CALLCONV
#define KRB5_CALLCONV
#define KRB5_CALLCONV_C
#endif /* !KRB5_CALLCONV */
#endif /* !KRB5_CONFIG__ */
#ifndef KRB5_CALLCONV_WRONG
#define KRB5_CALLCONV_WRONG
#endif
#ifndef THREEPARAMOPEN
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
#include <limits.h> /* for *_MAX */
#include <stdarg.h>
#ifndef KRB5INT_BEGIN_DECLS
#if defined(__cplusplus)
#define KRB5INT_BEGIN_DECLS extern "C" {
#define KRB5INT_END_DECLS }
#else
#define KRB5INT_BEGIN_DECLS
#define KRB5INT_END_DECLS
#endif
#endif
KRB5INT_BEGIN_DECLS
#if TARGET_OS_MAC
# pragma pack(push,2)
#endif
#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203
# define KRB5_ATTR_DEPRECATED __attribute__((deprecated))
#elif defined _WIN32
# define KRB5_ATTR_DEPRECATED __declspec(deprecated)
#else
# define KRB5_ATTR_DEPRECATED
#endif
/* from profile.h */
struct _profile_t;
/* typedef struct _profile_t *profile_t; */
/*
* begin wordsize.h
*/
/*
* Word-size related definition.
*/
typedef unsigned char krb5_octet;
#if INT_MAX == 0x7fff
typedef int krb5_int16;
typedef unsigned int krb5_ui_2;
#elif SHRT_MAX == 0x7fff
typedef short krb5_int16;
typedef unsigned short krb5_ui_2;
#else
#error undefined 16 bit type
#endif
#if INT_MAX == 0x7fffffffL
typedef int krb5_int32;
typedef unsigned int krb5_ui_4;
#elif LONG_MAX == 0x7fffffffL
typedef long krb5_int32;
typedef unsigned long krb5_ui_4;
#elif SHRT_MAX == 0x7fffffffL
typedef short krb5_int32;
typedef unsigned short krb5_ui_4;
#else
#error: undefined 32 bit type
#endif
#define VALID_INT_BITS INT_MAX
#define VALID_UINT_BITS UINT_MAX
#define KRB5_INT32_MAX 2147483647
/* this strange form is necessary since - is a unary operator, not a sign
indicator */
#define KRB5_INT32_MIN (-KRB5_INT32_MAX-1)
#define KRB5_INT16_MAX 65535
/* this strange form is necessary since - is a unary operator, not a sign
indicator */
#define KRB5_INT16_MIN (-KRB5_INT16_MAX-1)
/*
* end wordsize.h
*/
/*
* begin "base-defs.h"
*/
/*
* Basic definitions for Kerberos V5 library
*/
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
typedef unsigned int krb5_boolean;
typedef unsigned int krb5_msgtype;
typedef unsigned int krb5_kvno;
typedef krb5_int32 krb5_addrtype;
typedef krb5_int32 krb5_enctype;
typedef krb5_int32 krb5_cksumtype;
typedef krb5_int32 krb5_authdatatype;
typedef krb5_int32 krb5_keyusage;
typedef krb5_int32 krb5_cryptotype;
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
typedef krb5_int32 krb5_flags;
typedef krb5_int32 krb5_timestamp;
typedef krb5_int32 krb5_error_code;
typedef krb5_int32 krb5_deltat;
typedef krb5_error_code krb5_magic;
typedef struct _krb5_data {
krb5_magic magic;
unsigned int length;
char *data;
} krb5_data;
/* Originally introduced for PKINIT; now unused. Do not use this. */
typedef struct _krb5_octet_data {
krb5_magic magic;
unsigned int length;
krb5_octet *data;
} krb5_octet_data;
/* Originally used to recognize AFS and default salts. No longer used. */
#define SALT_TYPE_AFS_LENGTH UINT_MAX
#define SALT_TYPE_NO_LENGTH UINT_MAX
typedef void * krb5_pointer;
typedef void const * krb5_const_pointer;
typedef struct krb5_principal_data {
krb5_magic magic;
krb5_data realm;
krb5_data *data; /**< An array of strings */
krb5_int32 length;
krb5_int32 type;
} krb5_principal_data;
typedef krb5_principal_data * krb5_principal;
/*
* Per V5 spec on definition of principal types
*/
#define KRB5_NT_UNKNOWN 0 /**< Name type not known */
#define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal
as in DCE, or for users */
#define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */
#define KRB5_NT_SRV_HST 3 /**< Service with host name as instance
(telnet, rcommands) */
#define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */
#define KRB5_NT_UID 5 /**< Unique ID */
#define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */
#define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */
#define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */
#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of
NT_WELLKNOWN principals */
#define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */
#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */
/** Constant version of krb5_principal_data */
typedef const krb5_principal_data *krb5_const_principal;
#define krb5_princ_realm(context, princ) (&(princ)->realm)
#define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value))
#define krb5_princ_set_realm_length(context, princ,value) (princ)->realm.length = (value)
#define krb5_princ_set_realm_data(context, princ,value) (princ)->realm.data = (value)
#define krb5_princ_size(context, princ) (princ)->length
#define krb5_princ_type(context, princ) (princ)->type
#define krb5_princ_name(context, princ) (princ)->data
#define krb5_princ_component(context, princ,i) \
(((i) < krb5_princ_size(context, princ)) \
? (princ)->data + (i) \
: NULL)
/** Constant for realm referrals. */
#define KRB5_REFERRAL_REALM ""
/*
* Referral-specific functions.
*/
/**
* Check for a match with KRB5_REFERRAL_REALM.
*
* @param [in] r Realm to check
*
* @return @c TRUE if @a r is zero-length, @c FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_is_referral_realm(const krb5_data *r);
/**
* Return an anonymous realm data.
*
* This function returns constant storage that must not be freed.
*
* @sa #KRB5_ANONYMOUS_REALMSTR
*/
const krb5_data *KRB5_CALLCONV
krb5_anonymous_realm(void);
/**
* Build an anonymous principal.
*
* This function returns constant storage that must not be freed.
*
* @sa #KRB5_ANONYMOUS_PRINCSTR
*/
krb5_const_principal KRB5_CALLCONV
krb5_anonymous_principal(void);
#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */
#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */
/*
* end "base-defs.h"
*/
/*
* begin "hostaddr.h"
*/
/** Structure for address */
typedef struct _krb5_address {
krb5_magic magic;
krb5_addrtype addrtype;
unsigned int length;
krb5_octet *contents;
} krb5_address;
/* per Kerberos v5 protocol spec */
#define ADDRTYPE_INET 0x0002
#define ADDRTYPE_CHAOS 0x0005
#define ADDRTYPE_XNS 0x0006
#define ADDRTYPE_ISO 0x0007
#define ADDRTYPE_DDP 0x0010
#define ADDRTYPE_NETBIOS 0x0014
#define ADDRTYPE_INET6 0x0018
/* not yet in the spec... */
#define ADDRTYPE_ADDRPORT 0x0100
#define ADDRTYPE_IPPORT 0x0101
/* macros to determine if a type is a local type */
#define ADDRTYPE_IS_LOCAL(addrtype) (addrtype & 0x8000)
/*
* end "hostaddr.h"
*/
struct _krb5_context;
typedef struct _krb5_context * krb5_context;
struct _krb5_auth_context;
typedef struct _krb5_auth_context * krb5_auth_context;
struct _krb5_cryptosystem_entry;
/*
* begin "encryption.h"
*/
/** Exposed contents of a key. */
typedef struct _krb5_keyblock {
krb5_magic magic;
krb5_enctype enctype;
unsigned int length;
krb5_octet *contents;
} krb5_keyblock;
struct krb5_key_st;
/**
* Opaque identifier for a key.
*
* Use with the krb5_k APIs for better performance for repeated operations with
* the same key and usage. Key identifiers must not be used simultaneously
* within multiple threads, as they may contain mutable internal state and are
* not mutex-protected.
*/
typedef struct krb5_key_st *krb5_key;
#ifdef KRB5_OLD_CRYPTO
typedef struct _krb5_encrypt_block {
krb5_magic magic;
krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need
this. it was a pointer, but it
doesn't have to be. gross. */
krb5_keyblock *key;
} krb5_encrypt_block;
#endif
typedef struct _krb5_checksum {
krb5_magic magic;
krb5_cksumtype checksum_type; /* checksum type */
unsigned int length;
krb5_octet *contents;
} krb5_checksum;
typedef struct _krb5_enc_data {
krb5_magic magic;
krb5_enctype enctype;
krb5_kvno kvno;
krb5_data ciphertext;
} krb5_enc_data;
/**
* Structure to describe a region of text to be encrypted or decrypted.
*
* The @a flags member describes the type of the iov.
* The @a data member points to the memory that will be manipulated.
* All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's
* along with the size of that array. Buffer contents are manipulated in-place;
* data is overwritten. Callers must allocate the right number of krb5_crypto_iov
* structures before calling into an iov API.
*/
typedef struct _krb5_crypto_iov {
krb5_cryptotype flags; /**< @ref KRB5_CRYPTO_TYPE type of the iov */
krb5_data data;
} krb5_crypto_iov;
/* per Kerberos v5 protocol spec */
#define ENCTYPE_NULL 0x0000
#define ENCTYPE_DES_CBC_CRC 0x0001 /**< DES cbc mode with CRC-32 */
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< DES cbc mode with RSA-MD4 */
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< DES cbc mode with RSA-MD5 */
#define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated DES cbc mode raw */
#define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */
#define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */
#define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated */
/* PKINIT */
#define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */
#define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */
#define ENCTYPE_SHA1_RSA_CMS 0x000b /**< SHA1 with RSA, CMS signature */
#define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */
#define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */
#define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */
#define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */
#define ENCTYPE_DES3_CBC_SHA1 0x0010
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
#define ENCTYPE_CAMELLIA128_CTS_CMAC 0x0019 /**< RFC 6803 */
#define ENCTYPE_CAMELLIA256_CTS_CMAC 0x001a /**< RFC 6803 */
#define ENCTYPE_UNKNOWN 0x01ff
#define CKSUMTYPE_CRC32 0x0001
#define CKSUMTYPE_RSA_MD4 0x0002
#define CKSUMTYPE_RSA_MD4_DES 0x0003
#define CKSUMTYPE_DESCBC 0x0004
/* des-mac-k */
/* rsa-md4-des-k */
#define CKSUMTYPE_RSA_MD5 0x0007
#define CKSUMTYPE_RSA_MD5_DES 0x0008
#define CKSUMTYPE_NIST_SHA 0x0009
#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
#define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with
ENCTYPE_AES256_CTS_HMAC_SHA1_96 */
#define CKSUMTYPE_CMAC_CAMELLIA128 0x0011 /**< RFC 6803 */
#define CKSUMTYPE_CMAC_CAMELLIA256 0x0012 /**< RFC 6803 */
#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /*Microsoft netlogon cksumtype*/
#define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
/*
* The following are entropy source designations. Whenever
* krb5_C_random_add_entropy is called, one of these source ids is passed in.
* This allows the library to better estimate bits of entropy in the sample and
* to keep track of what sources of entropy have contributed enough entropy.
* Sources marked internal MUST NOT be used by applications outside the
* Kerberos library
*/
enum {
KRB5_C_RANDSOURCE_OLDAPI = 0, /*calls to krb5_C_RANDOM_SEED (INTERNAL)*/
KRB5_C_RANDSOURCE_OSRAND = 1, /* /dev/random or equivalent (internal)*/
KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, /* From KDC or other trusted party*/
/*
* This source should be used carefully; data in this category
* should be from a third party trusted to give random bits
* For example keys issued by the KDC in the application server.
*/
KRB5_C_RANDSOURCE_TIMING = 3, /* Timing of operations*/
KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, /*Protocol data possibly from attacker*/
KRB5_C_RANDSOURCE_MAX = 5 /*Do not use; maximum source ID*/
};
#ifndef krb5_roundup
/* round x up to nearest multiple of y */
#define krb5_roundup(x, y) ((((x) + (y) - 1)/(y))*(y))
#endif /* roundup */
/* macro function definitions to help clean up code */
#if 1
#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
#else
#define krb5_x(ptr,args) ((*(ptr)) args)
#define krb5_xc(ptr,args) ((*(ptr)) args)
#endif
/**
* Encrypt data using a key (operates on keyblock).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
* @param [in] input Data to be encrypted
* @param [out] output Encrypted data
*
* This function encrypts the data block @a input and stores the output into @a
* output. The actual encryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the encryption operation, and
* is updated with the state to be passed as input to the next operation.
*
* @note The caller must initialize @a output and allocate at least enough
* space for the result (using krb5_c_encrypt_length() to determine the amount
* of space needed). @a output->length will be set to the actual length of the
* ciphertext.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *cipher_state,
const krb5_data *input, krb5_enc_data *output);
/**
* Decrypt data using a key (operates on keyblock).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
* @param [in] input Encrypted data
* @param [out] output Decrypted data
*
* This function decrypts the data block @a input and stores the output into @a
* output. The actual decryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the decryption operation, and
* is updated with the state to be passed as input to the next operation.
*
* @note The caller must initialize @a output and allocate at least enough
* space for the result. The usual practice is to allocate an output buffer as
* long as the ciphertext, and let krb5_c_decrypt() trim @a output->length.
* For some enctypes, the resulting @a output->length may include padding
* bytes.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_decrypt(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *cipher_state,
const krb5_enc_data *input, krb5_data *output);
/**
* Compute encrypted data length.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] inputlen Length of the data to be encrypted
* @param [out] length Length of the encrypted data
*
* This function computes the length of the ciphertext produced by encrypting
* @a inputlen bytes including padding, confounder, and checksum.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
size_t inputlen, size_t *length);
/**
* Return cipher block size.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [out] blocksize Block size for @a enctype
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_block_size(krb5_context context, krb5_enctype enctype,
size_t *blocksize);
/**
* Return length of the specified key in bytes.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [out] keybytes Number of bytes required to make a key
* @param [out] keylength Length of final key
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
size_t *keybytes, size_t *keylength);
/**
* Initialize a new cipher state.
*
* @param [in] context Library context
* @param [in] key Key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [out] new_state New cipher state
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_init_state(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, krb5_data *new_state);
/**
* Free a cipher state previously allocated by krb5_c_init_state().
*
* @param [in] context Library context
* @param [in] key Key
* @param [in] state Cipher state to be freed
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_free_state(krb5_context context, const krb5_keyblock *key,
krb5_data *state);
/**
* Generate enctype-specific pseudo-random bytes.
*
* @param [in] context Library context
* @param [in] keyblock Key
* @param [in] input Input data
* @param [out] output Output data
*
* This function selects a pseudo-random function based on @a keyblock and
* computes its value over @a input, placing the result into @a output.
* The caller must preinitialize @a output and allocate space for the
* result, using krb5_c_prf_length() to determine the required length.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock,
krb5_data *input, krb5_data *output);
/**
* Get the output length of pseudo-random functions for an encryption type.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [out] len Length of PRF output
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len);
/**
* Compute the KRB-FX-CF2 combination of two keys and pepper strings.
*
* @param [in] context Library context
* @param [in] k1 KDC contribution key
* @param [in] pepper1 String "PKINIT"
* @param [in] k2 Reply key
* @param [in] pepper2 String "KeyExchange"
* @param [out] out Output key
*
* This function computes the KRB-FX-CF2 function over its inputs and places
* the results in a newly allocated keyblock. This function is simple in that
* it assumes that @a pepper1 and @a pepper2 are C strings with no internal
* nulls and that the enctype of the result will be the same as that of @a k1.
* @a k1 and @a k2 may be of different enctypes.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_fx_cf2_simple(krb5_context context,
krb5_keyblock *k1, const char *pepper1,
krb5_keyblock *k2, const char *pepper2,
krb5_keyblock **out);
/**
* Generate an enctype-specific random encryption key.
*
* @param [in] context Library context
* @param [in] enctype Encryption type of the generated key
* @param [out] k5_random_key An allocated and initialized keyblock
*
* Use krb5_free_keyblock_contents() to free @a k5_random_key when
* no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
krb5_keyblock *k5_random_key);
/**
* Generate an enctype-specific key from random data.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] random_data Random input data
* @param [out] k5_random_key Resulting key
*
* This function takes random input data @a random_data and produces a valid
* key @a k5_random_key for a given @a enctype.
*
* @note It is assumed that @a k5_random_key has already been initialized and
* @a k5_random_key->contents has been allocated with the correct length.
*
* @sa krb5_c_keylengths()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_random_to_key(krb5_context context, krb5_enctype enctype,
krb5_data *random_data, krb5_keyblock *k5_random_key);
/**
* Add entropy to the pseudo-random number generator.
*
* @param [in] context Library context
* @param [in] randsource Entropy source (see KRB5_RANDSOURCE types)
* @param [in] data Data
*
* Contribute entropy to the PRNG used by krb5 crypto operations. This may or
* may not affect the output of the next crypto operation requiring random
* data.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
const krb5_data *data);
/**
* Generate pseudo-random bytes.
*
* @param [in] context Library context
* @param [out] data Random data
*
* Fills in @a data with bytes from the PRNG used by krb5 crypto operations.
* The caller must preinitialize @a data and allocate the desired amount of
* space.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data);
/**
* Collect entropy from the OS if possible.
*
* @param [in] context Library context
* @param [in] strong Strongest available source of entropy
* @param [out] success 1 if OS provides entropy, 0 otherwise
*
* If @a strong is non-zero, this function attempts to use the strongest
* available source of entropy. Setting this flag may cause the function to
* block on some operating systems. Good uses include seeding the PRNG for
* kadmind and realm setup.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_random_os_entropy(krb5_context context, int strong, int *success);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data);
/**
* Convert a string (such a password) to a key.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] string String to be converted
* @param [in] salt Salt value
* @param [out] key Generated key
*
* This function converts @a string to a @a key of encryption type @a enctype,
* using the specified @a salt. The newly created @a key must be released by
* calling krb5_free_keyblock_contents() when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_string_to_key(krb5_context context, krb5_enctype enctype,
const krb5_data *string, const krb5_data *salt,
krb5_keyblock *key);
/**
* Convert a string (such as a password) to a key with additional parameters.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] string String to be converted
* @param [in] salt Salt value
* @param [in] params Parameters
* @param [out] key Generated key
*
* This function is similar to krb5_c_string_to_key(), but also takes
* parameters which may affect the algorithm in an enctype-dependent way. The
* newly created @a key must be released by calling
* krb5_free_keyblock_contents() when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_string_to_key_with_params(krb5_context context,
krb5_enctype enctype,
const krb5_data *string,
const krb5_data *salt,
const krb5_data *params,
krb5_keyblock *key);
/**
* Compare two encryption types.
*
* @param [in] context Library context
* @param [in] e1 First encryption type
* @param [in] e2 Second encryption type
* @param [out] similar @c TRUE if types are similar, @c FALSE if not
*
* This function determines whether two encryption types use the same kind of
* keys.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
krb5_boolean *similar);
/**
* Compute a checksum (operates on keyblock).
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] input Input data
* @param [out] cksum Generated checksum
*
* This function computes a checksum of type @a cksumtype over @a input, using
* @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and
* @a key is non-null, the checksum type will be the mandatory-to-implement
* checksum type for the key's encryption type. The actual checksum key will
* be derived from @a key and @a usage if key derivation is specified for the
* checksum type. The newly created @a cksum must be released by calling
* krb5_free_checksum_contents() when it is no longer needed.
*
* @note This function is similar to krb5_k_make_checksum(), but operates
* on keyblock @a key.
*
* @sa krb5_c_verify_checksum()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
const krb5_keyblock *key, krb5_keyusage usage,
const krb5_data *input, krb5_checksum *cksum);
/**
* Verify a checksum (operates on keyblock).
*
* @param [in] context Library context
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage @a key usage
* @param [in] data Data to be used to compute a new checksum
* using @a key to compare @a cksum against
* @param [in] cksum Checksum to be verified
* @param [out] valid Non-zero for success, zero for failure
*
* This function verifies that @a cksum is a valid checksum for @a data. If
* the checksum type of @a cksum is a keyed checksum, @a key is used to verify
* the checksum. The actual checksum key will be derived from @a key and @a
* usage if key derivation is specified for the checksum type.
*
* @note This function is similar to krb5_k_verify_checksum(), but operates
* on keyblock @a key.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *data,
const krb5_checksum *cksum, krb5_boolean *valid);
/**
* Return the length of checksums for a checksum type.
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type
* @param [out] length Checksum length
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
size_t *length);
/**
* Return a list of keyed checksum types usable with an encryption type.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [out] count Count of allowable checksum types
* @param [out] cksumtypes Array of allowable checksum types
*
* Use krb5_free_cksumtypes() to free @a cksumtypes when it is no longer
* needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
unsigned int *count, krb5_cksumtype **cksumtypes);
/** @defgroup KRB5_KEYUSAGE KRB5_KEYUSAGE
* @{
*/
#define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1
#define KRB5_KEYUSAGE_KDC_REP_TICKET 2
#define KRB5_KEYUSAGE_AS_REP_ENCPART 3
#define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4
#define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5
#define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6
#define KRB5_KEYUSAGE_TGS_REQ_AUTH 7
#define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8
#define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9
#define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10
#define KRB5_KEYUSAGE_AP_REQ_AUTH 11
#define KRB5_KEYUSAGE_AP_REP_ENCPART 12
#define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13
#define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14
#define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15
#define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16
#define KRB5_KEYUSAGE_APP_DATA_CKSUM 17
#define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18
#define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19
#define KRB5_KEYUSAGE_AD_MTE 20
#define KRB5_KEYUSAGE_AD_ITE 21
/* XXX need to register these */
#define KRB5_KEYUSAGE_GSS_TOK_MIC 22
#define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23
#define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24
/* Defined in Integrating SAM Mechanisms with Kerberos draft */
#define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25
/** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */
#define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26
/** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */
#define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27
/* Defined in [MS-SFU] */
/** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */
#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26
/** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_RESPONSE */
#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27
/* unused */
#define KRB5_KEYUSAGE_PA_REFERRAL 26
#define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
#define KRB5_KEYUSAGE_IAKERB_FINISHED 42
#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
#define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
#define KRB5_KEYUSAGE_FAST_REP 52
#define KRB5_KEYUSAGE_FAST_FINISHED 53
#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54
#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55
#define KRB5_KEYUSAGE_AS_REQ 56
/** @} */ /* end of KRB5_KEYUSAGE group */
/**
* Verify that a specified encryption type is a valid Kerberos encryption type.
*
* @param [in] ktype Encryption type
*
* @return @c TRUE if @a ktype is valid, @c FALSE if not
*/
krb5_boolean KRB5_CALLCONV
krb5_c_valid_enctype(krb5_enctype ktype);
/**
* Verify that specified checksum type is a valid Kerberos checksum type.
*
* @param [in] ctype Checksum type
*
* @return @c TRUE if @a ctype is valid, @c FALSE if not
*/
krb5_boolean KRB5_CALLCONV
krb5_c_valid_cksumtype(krb5_cksumtype ctype);
/**
* Test whether a checksum type is collision-proof.
*
* @param [in] ctype Checksum type
*
* @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not
* collision-proof or not a valid checksum type.
*/
krb5_boolean KRB5_CALLCONV
krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
/**
* Test whether a checksum type is keyed.
*
* @param [in] ctype Checksum type
*
* @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise.
*/
krb5_boolean KRB5_CALLCONV
krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
/* AEAD APIs */
/** @defgroup KRB5_CRYPTO_TYPE KRB5_CRYPTO_TYPE
* @{
*/
#define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */
#define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */
#define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */
#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */
#define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */
#define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */
#define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */
#define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without
decomposing the structure into
header, data and trailer buffers */
/** @} */ /* end of KRB5_CRYPTO_TYPE group */
/**
* Fill in a checksum element in IOV array (operates on keyblock)
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] data IOV array
* @param [in] num_data Size of @a data
*
* Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
* #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
* Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
*
* @note This function is similar to krb5_k_make_checksum_iov(), but operates
* on keyblock @a key.
*
* @sa krb5_c_verify_checksum_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
const krb5_keyblock *key, krb5_keyusage usage,
krb5_crypto_iov *data, size_t num_data);
/**
* Validate a checksum element in IOV array (operates on keyblock).
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] data IOV array
* @param [in] num_data Size of @a data
* @param [out] valid Non-zero for success, zero for failure
*
* Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
* valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
* regions in the iov.
*
* @note This function is similar to krb5_k_verify_checksum_iov(), but operates
* on keyblock @a key.
*
* @sa krb5_c_make_checksum_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
const krb5_keyblock *key, krb5_keyusage usage,
const krb5_crypto_iov *data, size_t num_data,
krb5_boolean *valid);
/**
* Encrypt data in place supporting AEAD (operates on keyblock).
*
* @param [in] context Library context
* @param [in] keyblock Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] cipher_state Cipher state; specify NULL if not needed
* @param [in,out] data IOV array. Modified in-place.
* @param [in] num_data Size of @a data
*
* This function encrypts the data block @a data and stores the output in-place.
* The actual encryption key will be derived from @a keyblock and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the encryption operation, and
* is updated with the state to be passed as input to the next operation.
* The caller must allocate the right number of krb5_crypto_iov
* structures before calling into this API.
*
* @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
* For example, if the padding length is too large, the length will be reduced.
* Lengths are never increased.
*
* @note This function is similar to krb5_k_encrypt_iov(), but operates
* on keyblock @a keyblock.
*
* @sa krb5_c_decrypt_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
krb5_keyusage usage, const krb5_data *cipher_state,
krb5_crypto_iov *data, size_t num_data);
/**
* Decrypt data in place supporting AEAD (operates on keyblock).
*
* @param [in] context Library context
* @param [in] keyblock Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] cipher_state Cipher state; specify NULL if not needed
* @param [in,out] data IOV array. Modified in-place.
* @param [in] num_data Size of @a data
*
* This function decrypts the data block @a data and stores the output in-place.
* The actual decryption key will be derived from @a keyblock and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the decryption operation, and
* is updated with the state to be passed as input to the next operation.
* The caller must allocate the right number of krb5_crypto_iov
* structures before calling into this API.
*
* @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
* For example, if the padding length is too large, the length will be reduced.
* Lengths are never increased.
*
* @note This function is similar to krb5_k_decrypt_iov(), but operates
* on keyblock @a keyblock.
*
* @sa krb5_c_decrypt_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
krb5_keyusage usage, const krb5_data *cipher_state,
krb5_crypto_iov *data, size_t num_data);
/**
* Return a length of a message field specific to the encryption type.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] type Type field (See @ref KRB5_CRYPTO_TYPE types)
* @param [out] size Length of the @a type specific to @a enctype
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_crypto_length(krb5_context context, krb5_enctype enctype,
krb5_cryptotype type, unsigned int *size);
/**
* Fill in lengths for header, trailer and padding in a IOV array.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in,out] data IOV array
* @param [in] num_data Size of @a data
*
* Padding is set to the actual padding required based on the provided
* @a data buffers. Typically this API is used after setting up the data
* buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually
* allocating header, trailer and padding.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype,
krb5_crypto_iov *data, size_t num_data);
/**
* Return a number of padding octets.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] data_length Length of the plaintext to pad
* @param [out] size Number of padding octets
*
* This function returns the number of the padding octets required to pad
* @a data_length octets of plaintext.
*
* @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
*/
krb5_error_code KRB5_CALLCONV
krb5_c_padding_length(krb5_context context, krb5_enctype enctype,
size_t data_length, unsigned int *size);
/**
* Create a krb5_key from the enctype and key data in a keyblock.
*
* @param [in] context Library context
* @param [in] key_data Keyblock
* @param [out] out Opaque key
*
* The reference count on a key @a out is set to 1.
* Use krb5_k_free_key() to free @a out when it is no longer needed.
*
* @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
*/
krb5_error_code KRB5_CALLCONV
krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
krb5_key *out);
/** Increment the reference count on a key. */
void KRB5_CALLCONV
krb5_k_reference_key(krb5_context context, krb5_key key);
/** Decrement the reference count on a key and free it if it hits zero. */
void KRB5_CALLCONV
krb5_k_free_key(krb5_context context, krb5_key key);
/** Retrieve a copy of the keyblock from a krb5_key structure. */
krb5_error_code KRB5_CALLCONV
krb5_k_key_keyblock(krb5_context context, krb5_key key,
krb5_keyblock **key_data);
/** Retrieve the enctype of a krb5_key structure. */
krb5_enctype KRB5_CALLCONV
krb5_k_key_enctype(krb5_context context, krb5_key key);
/**
* Encrypt data using a key (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
* @param [in] input Data to be encrypted
* @param [out] output Encrypted data
*
* This function encrypts the data block @a input and stores the output into @a
* output. The actual encryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the encryption operation, and
* is updated with the state to be passed as input to the next operation.
*
* @note The caller must initialize @a output and allocate at least enough
* space for the result (using krb5_c_encrypt_length() to determine the amount
* of space needed). @a output->length will be set to the actual length of the
* ciphertext.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
const krb5_data *cipher_state, const krb5_data *input,
krb5_enc_data *output);
/**
* Encrypt data in place supporting AEAD (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] cipher_state Cipher state; specify NULL if not needed
* @param [in,out] data IOV array. Modified in-place.
* @param [in] num_data Size of @a data
*
* This function encrypts the data block @a data and stores the output in-place.
* The actual encryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the encryption operation, and
* is updated with the state to be passed as input to the next operation.
* The caller must allocate the right number of krb5_crypto_iov
* structures before calling into this API.
*
* @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
* For example, if the padding length is too large, the length will be reduced.
* Lengths are never increased.
*
* @note This function is similar to krb5_c_encrypt_iov(), but operates
* on opaque key @a key.
*
* @sa krb5_k_decrypt_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
const krb5_data *cipher_state, krb5_crypto_iov *data,
size_t num_data);
/**
* Decrypt data using a key (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
* @param [in] input Encrypted data
* @param [out] output Decrypted data
*
* This function decrypts the data block @a input and stores the output into @a
* output. The actual decryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the decryption operation, and
* is updated with the state to be passed as input to the next operation.
*
* @note The caller must initialize @a output and allocate at least enough
* space for the result. The usual practice is to allocate an output buffer as
* long as the ciphertext, and let krb5_c_decrypt() trim @a output->length.
* For some enctypes, the resulting @a output->length may include padding
* bytes.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
const krb5_data *cipher_state, const krb5_enc_data *input,
krb5_data *output);
/**
* Decrypt data in place supporting AEAD (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Encryption key
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] cipher_state Cipher state; specify NULL if not needed
* @param [in,out] data IOV array. Modified in-place.
* @param [in] num_data Size of @a data
*
* This function decrypts the data block @a data and stores the output in-place.
* The actual decryption key will be derived from @a key and @a usage
* if key derivation is specified for the encryption type. If non-null, @a
* cipher_state specifies the beginning state for the decryption operation, and
* is updated with the state to be passed as input to the next operation.
* The caller must allocate the right number of krb5_crypto_iov
* structures before calling into this API.
*
* @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
* For example, if the padding length is too large, the length will be reduced.
* Lengths are never increased.
*
* @note This function is similar to krb5_c_decrypt_iov(), but operates
* on opaque key @a key.
*
* @sa krb5_k_encrypt_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
const krb5_data *cipher_state, krb5_crypto_iov *data,
size_t num_data);
/**
* Compute a checksum (operates on opaque key).
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] input Input data
* @param [out] cksum Generated checksum
*
* This function computes a checksum of type @a cksumtype over @a input, using
* @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and
* @a key is non-null, the checksum type will be the mandatory-to-implement
* checksum type for the key's encryption type. The actual checksum key will
* be derived from @a key and @a usage if key derivation is specified for the
* checksum type. The newly created @a cksum must be released by calling
* krb5_free_checksum_contents() when it is no longer needed.
*
* @note This function is similar to krb5_c_make_checksum(), but operates
* on opaque @a key.
*
* @sa krb5_c_verify_checksum()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
krb5_key key, krb5_keyusage usage, const krb5_data *input,
krb5_checksum *cksum);
/**
* Fill in a checksum element in IOV array (operates on opaque key)
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in,out] data IOV array
* @param [in] num_data Size of @a data
*
* Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
* #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
* Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
*
* @note This function is similar to krb5_c_make_checksum_iov(), but operates
* on opaque @a key.
*
* @sa krb5_k_verify_checksum_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
krb5_key key, krb5_keyusage usage,
krb5_crypto_iov *data, size_t num_data);
/**
* Verify a checksum (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage @a key usage
* @param [in] data Data to be used to compute a new checksum
* using @a key to compare @a cksum against
* @param [in] cksum Checksum to be verified
* @param [out] valid Non-zero for success, zero for failure
*
* This function verifies that @a cksum is a valid checksum for @a data. If
* the checksum type of @a cksum is a keyed checksum, @a key is used to verify
* the checksum. The actual checksum key will be derived from @a key and @a
* usage if key derivation is specified for the checksum type.
*
* @note This function is similar to krb5_c_verify_checksum(), but operates
* on opaque @a key.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage,
const krb5_data *data, const krb5_checksum *cksum,
krb5_boolean *valid);
/**
* Validate a checksum element in IOV array (operates on opaque key).
*
* @param [in] context Library context
* @param [in] cksumtype Checksum type (0 for mandatory type)
* @param [in] key Encryption key for a keyed checksum
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
* @param [in] data IOV array
* @param [in] num_data Size of @a data
* @param [out] valid Non-zero for success, zero for failure
*
* Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
* valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
* regions in the iov.
*
* @note This function is similar to krb5_c_verify_checksum_iov(), but operates
* on opaque @a key.
*
* @sa krb5_k_make_checksum_iov()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data, size_t num_data,
krb5_boolean *valid);
/**
* Generate enctype-specific pseudo-random bytes (operates on opaque key).
*
* @param [in] context Library context
* @param [in] key Key
* @param [in] input Input data
* @param [out] output Output data
*
* This function selects a pseudo-random function based on @a key and
* computes its value over @a input, placing the result into @a output.
* The caller must preinitialize @a output and allocate space for the
* result.
*
* @note This function is similar to krb5_c_prf(), but operates
* on opaque @a key.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output);
#ifdef KRB5_OLD_CRYPTO
/*
* old cryptosystem routine prototypes. These are now layered
* on top of the functions above.
*/
/** @deprecated Replaced by krb5_c_* API family.*/
krb5_error_code KRB5_CALLCONV
krb5_encrypt(krb5_context context, krb5_const_pointer inptr,
krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
krb5_pointer ivec);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_decrypt(krb5_context context, krb5_const_pointer inptr,
krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
krb5_pointer ivec);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_process_key(krb5_context context, krb5_encrypt_block *eblock,
const krb5_keyblock * key);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock);
/** @deprecated See krb5_c_string_to_key() */
krb5_error_code KRB5_CALLCONV
krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock,
krb5_keyblock * keyblock, const krb5_data *data,
const krb5_data *salt);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock,
const krb5_keyblock *keyblock, krb5_pointer *ptr);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock,
krb5_pointer *ptr);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock,
krb5_pointer ptr, krb5_keyblock **keyblock);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_enctype KRB5_CALLCONV
krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock);
/** @deprecated Replaced by krb5_c_* API family. */
krb5_error_code KRB5_CALLCONV
krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock,
krb5_enctype enctype);
/** @deprecated Replaced by krb5_c_* API family. */
size_t KRB5_CALLCONV
krb5_encrypt_size(size_t length, krb5_enctype crypto);
/** @deprecated See krb5_c_checksum_length() */
size_t KRB5_CALLCONV
krb5_checksum_size(krb5_context context, krb5_cksumtype ctype);
/** @deprecated See krb5_c_make_checksum() */
krb5_error_code KRB5_CALLCONV
krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
krb5_const_pointer in, size_t in_length,
krb5_const_pointer seed, size_t seed_length,
krb5_checksum * outcksum);
/** @deprecated See krb5_c_verify_checksum() */
krb5_error_code KRB5_CALLCONV
krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
const krb5_checksum * cksum, krb5_const_pointer in,
size_t in_length, krb5_const_pointer seed,
size_t seed_length);
#endif /* KRB5_OLD_CRYPTO */
/*
* end "encryption.h"
*/
/*
* begin "fieldbits.h"
*/
/* kdc_options for kdc_request */
/* options is 32 bits; each host is responsible to put the 4 bytes
representing these bits into net order before transmission */
/* #define KDC_OPT_RESERVED 0x80000000 */
#define KDC_OPT_FORWARDABLE 0x40000000
#define KDC_OPT_FORWARDED 0x20000000
#define KDC_OPT_PROXIABLE 0x10000000
#define KDC_OPT_PROXY 0x08000000
#define KDC_OPT_ALLOW_POSTDATE 0x04000000
#define KDC_OPT_POSTDATED 0x02000000
/* #define KDC_OPT_UNUSED 0x01000000 */
#define KDC_OPT_RENEWABLE 0x00800000
/* #define KDC_OPT_UNUSED 0x00400000 */
/* #define KDC_OPT_RESERVED 0x00200000 */
/* #define KDC_OPT_RESERVED 0x00100000 */
/* #define KDC_OPT_RESERVED 0x00080000 */
/* #define KDC_OPT_RESERVED 0x00040000 */
#define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000
#define KDC_OPT_CANONICALIZE 0x00010000
#define KDC_OPT_REQUEST_ANONYMOUS 0x00008000
/* #define KDC_OPT_RESERVED 0x00004000 */
/* #define KDC_OPT_RESERVED 0x00002000 */
/* #define KDC_OPT_RESERVED 0x00001000 */
/* #define KDC_OPT_RESERVED 0x00000800 */
/* #define KDC_OPT_RESERVED 0x00000400 */
/* #define KDC_OPT_RESERVED 0x00000200 */
/* #define KDC_OPT_RESERVED 0x00000100 */
/* #define KDC_OPT_RESERVED 0x00000080 */
/* #define KDC_OPT_RESERVED 0x00000040 */
#define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020
#define KDC_OPT_RENEWABLE_OK 0x00000010
#define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008
/* #define KDC_OPT_UNUSED 0x00000004 */
#define KDC_OPT_RENEW 0x00000002
#define KDC_OPT_VALIDATE 0x00000001
/*
* Mask of ticket flags in the TGT which should be converted into KDC
* options when using the TGT to get derivitive tickets.
*
* New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE |
* KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE
*/
#define KDC_TKT_COMMON_MASK 0x54800000
/* definitions for ap_options fields */
/** @defgroup AP_OPTS AP_OPTS
*
* ap_options are 32 bits; each host is responsible to put the 4 bytes
* representing these bits into net order before transmission
* @{
*/
#define AP_OPTS_RESERVED 0x80000000
#define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */
#define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual
authentication exchange */
#define AP_OPTS_ETYPE_NEGOTIATION 0x00000002
#define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key
from the current session key
obtained from the
credentials */
/* #define AP_OPTS_RESERVED 0x10000000 */
/* #define AP_OPTS_RESERVED 0x08000000 */
/* #define AP_OPTS_RESERVED 0x04000000 */
/* #define AP_OPTS_RESERVED 0x02000000 */
/* #define AP_OPTS_RESERVED 0x01000000 */
/* #define AP_OPTS_RESERVED 0x00800000 */
/* #define AP_OPTS_RESERVED 0x00400000 */
/* #define AP_OPTS_RESERVED 0x00200000 */
/* #define AP_OPTS_RESERVED 0x00100000 */
/* #define AP_OPTS_RESERVED 0x00080000 */
/* #define AP_OPTS_RESERVED 0x00040000 */
/* #define AP_OPTS_RESERVED 0x00020000 */
/* #define AP_OPTS_RESERVED 0x00010000 */
/* #define AP_OPTS_RESERVED 0x00008000 */
/* #define AP_OPTS_RESERVED 0x00004000 */
/* #define AP_OPTS_RESERVED 0x00002000 */
/* #define AP_OPTS_RESERVED 0x00001000 */
/* #define AP_OPTS_RESERVED 0x00000800 */
/* #define AP_OPTS_RESERVED 0x00000400 */
/* #define AP_OPTS_RESERVED 0x00000200 */
/* #define AP_OPTS_RESERVED 0x00000100 */
/* #define AP_OPTS_RESERVED 0x00000080 */
/* #define AP_OPTS_RESERVED 0x00000040 */
/* #define AP_OPTS_RESERVED 0x00000020 */
/* #define AP_OPTS_RESERVED 0x00000010 */
/* #define AP_OPTS_RESERVED 0x00000008 */
/* #define AP_OPTS_RESERVED 0x00000004 */
#define AP_OPTS_WIRE_MASK 0xfffffff0
/** @} */ /* end of AP_OPTS group */
/* definitions for ad_type fields. */
#define AD_TYPE_RESERVED 0x8000
#define AD_TYPE_EXTERNAL 0x4000
#define AD_TYPE_REGISTERED 0x2000
#define AD_TYPE_FIELD_TYPE_MASK 0x1fff
/* Ticket flags */
/* flags are 32 bits; each host is responsible to put the 4 bytes
representing these bits into net order before transmission */
/* #define TKT_FLG_RESERVED 0x80000000 */
#define TKT_FLG_FORWARDABLE 0x40000000
#define TKT_FLG_FORWARDED 0x20000000
#define TKT_FLG_PROXIABLE 0x10000000
#define TKT_FLG_PROXY 0x08000000
#define TKT_FLG_MAY_POSTDATE 0x04000000
#define TKT_FLG_POSTDATED 0x02000000
#define TKT_FLG_INVALID 0x01000000
#define TKT_FLG_RENEWABLE 0x00800000
#define TKT_FLG_INITIAL 0x00400000
#define TKT_FLG_PRE_AUTH 0x00200000
#define TKT_FLG_HW_AUTH 0x00100000
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000
#define TKT_FLG_ENC_PA_REP 0x00010000
#define TKT_FLG_ANONYMOUS 0x00008000
/* #define TKT_FLG_RESERVED 0x00004000 */
/* #define TKT_FLG_RESERVED 0x00002000 */
/* #define TKT_FLG_RESERVED 0x00001000 */
/* #define TKT_FLG_RESERVED 0x00000800 */
/* #define TKT_FLG_RESERVED 0x00000400 */
/* #define TKT_FLG_RESERVED 0x00000200 */
/* #define TKT_FLG_RESERVED 0x00000100 */
/* #define TKT_FLG_RESERVED 0x00000080 */
/* #define TKT_FLG_RESERVED 0x00000040 */
/* #define TKT_FLG_RESERVED 0x00000020 */
/* #define TKT_FLG_RESERVED 0x00000010 */
/* #define TKT_FLG_RESERVED 0x00000008 */
/* #define TKT_FLG_RESERVED 0x00000004 */
/* #define TKT_FLG_RESERVED 0x00000002 */
/* #define TKT_FLG_RESERVED 0x00000001 */
/* definitions for lr_type fields. */
#define LR_TYPE_THIS_SERVER_ONLY 0x8000
#define LR_TYPE_INTERPRETATION_MASK 0x7fff
/* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */
#define MSEC_DIRBIT 0x8000
#define MSEC_VAL_MASK 0x7fff
/*
* end "fieldbits.h"
*/
/*
* begin "proto.h"
*/
/** Protocol version number */
#define KRB5_PVNO 5
/* Message types */
#define KRB5_AS_REQ ((krb5_msgtype)10) /**< Initial authentication request */
#define KRB5_AS_REP ((krb5_msgtype)11) /**< Response to AS request */
#define KRB5_TGS_REQ ((krb5_msgtype)12) /**< Ticket granting server request */
#define KRB5_TGS_REP ((krb5_msgtype)13) /**< Response to TGS request */
#define KRB5_AP_REQ ((krb5_msgtype)14) /**< Auth req to application server */
#define KRB5_AP_REP ((krb5_msgtype)15) /**< Response to mutual AP request */
#define KRB5_SAFE ((krb5_msgtype)20) /**< Safe application message */
#define KRB5_PRIV ((krb5_msgtype)21) /**< Private application message */
#define KRB5_CRED ((krb5_msgtype)22) /**< Cred forwarding message */
#define KRB5_ERROR ((krb5_msgtype)30) /**< Error response */
/* LastReq types */
#define KRB5_LRQ_NONE 0
#define KRB5_LRQ_ALL_LAST_TGT 1
#define KRB5_LRQ_ONE_LAST_TGT (-1)
#define KRB5_LRQ_ALL_LAST_INITIAL 2
#define KRB5_LRQ_ONE_LAST_INITIAL (-2)
#define KRB5_LRQ_ALL_LAST_TGT_ISSUED 3
#define KRB5_LRQ_ONE_LAST_TGT_ISSUED (-3)
#define KRB5_LRQ_ALL_LAST_RENEWAL 4
#define KRB5_LRQ_ONE_LAST_RENEWAL (-4)
#define KRB5_LRQ_ALL_LAST_REQ 5
#define KRB5_LRQ_ONE_LAST_REQ (-5)
#define KRB5_LRQ_ALL_PW_EXPTIME 6
#define KRB5_LRQ_ONE_PW_EXPTIME (-6)
#define KRB5_LRQ_ALL_ACCT_EXPTIME 7
#define KRB5_LRQ_ONE_ACCT_EXPTIME (-7)
/* PADATA types */
#define KRB5_PADATA_NONE 0
#define KRB5_PADATA_AP_REQ 1
#define KRB5_PADATA_TGS_REQ KRB5_PADATA_AP_REQ
#define KRB5_PADATA_ENC_TIMESTAMP 2 /**< RFC 4120 */
#define KRB5_PADATA_PW_SALT 3 /**< RFC 4120 */
#if 0 /* Not used */
#define KRB5_PADATA_ENC_ENCKEY 4 /* Key encrypted within itself */
#endif
#define KRB5_PADATA_ENC_UNIX_TIME 5 /**< timestamp encrypted in key. RFC 4120 */
#define KRB5_PADATA_ENC_SANDIA_SECURID 6 /**< SecurId passcode. RFC 4120 */
#define KRB5_PADATA_SESAME 7 /**< Sesame project. RFC 4120 */
#define KRB5_PADATA_OSF_DCE 8 /**< OSF DCE. RFC 4120 */
#define KRB5_CYBERSAFE_SECUREID 9 /**< Cybersafe. RFC 4120 */
#define KRB5_PADATA_AFS3_SALT 10 /**< Cygnus. RFC 4120, 3961 */
#define KRB5_PADATA_ETYPE_INFO 11 /**< Etype info for preauth. RFC 4120 */
#define KRB5_PADATA_SAM_CHALLENGE 12 /**< SAM/OTP */
#define KRB5_PADATA_SAM_RESPONSE 13 /**< SAM/OTP */
#define KRB5_PADATA_PK_AS_REQ_OLD 14 /**< PKINIT */
#define KRB5_PADATA_PK_AS_REP_OLD 15 /**< PKINIT */
#define KRB5_PADATA_PK_AS_REQ 16 /**< PKINIT. RFC 4556 */
#define KRB5_PADATA_PK_AS_REP 17 /**< PKINIT. RFC 4556 */
#define KRB5_PADATA_ETYPE_INFO2 19 /**< RFC 4120 */
#define KRB5_PADATA_USE_SPECIFIED_KVNO 20 /**< RFC 4120 */
#define KRB5_PADATA_SVR_REFERRAL_INFO 20 /**< Windows 2000 referrals. RFC 6820 */
#define KRB5_PADATA_SAM_REDIRECT 21 /**< SAM/OTP. RFC 4120 */
#define KRB5_PADATA_GET_FROM_TYPED_DATA 22 /**< Embedded in typed data. RFC 4120 */
#define KRB5_PADATA_REFERRAL 25 /**< draft referral system */
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /**< draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /**< draft challenge system, updated */
/* MS-KILE */
#define KRB5_PADATA_PAC_REQUEST 128 /**< include Windows PAC */
#define KRB5_PADATA_FOR_USER 129 /**< username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER 130 /**< certificate protocol transition request */
#define KRB5_PADATA_AS_CHECKSUM 132 /**< AS checksum */
#define KRB5_PADATA_FX_COOKIE 133 /**< RFC 6113 */
#define KRB5_PADATA_FX_FAST 136 /**< RFC 6113 */
#define KRB5_PADATA_FX_ERROR 137 /**< RFC 6113 */
#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 /**< RFC 6113 */
#define KRB5_PADATA_OTP_CHALLENGE 141 /**< RFC 6560 section 4.1 */
#define KRB5_PADATA_OTP_REQUEST 142 /**< RFC 6560 section 4.2 */
#define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */
#define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */
#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /**< currently must be zero */
/** Transited encoding types */
#define KRB5_DOMAIN_X500_COMPRESS 1
/** alternate authentication types */
#define KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE 64
/* authorization data types. See RFC 4120 section 5.2.6 */
/** @defgroup KRB5_AUTHDATA KRB5_AUTHDATA
* @{
*/
#define KRB5_AUTHDATA_IF_RELEVANT 1
#define KRB5_AUTHDATA_KDC_ISSUED 4
#define KRB5_AUTHDATA_AND_OR 5
#define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8
#define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9
#define KRB5_AUTHDATA_OSF_DCE 64
#define KRB5_AUTHDATA_SESAME 65
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /**< RFC 4537 */
#define KRB5_AUTHDATA_SIGNTICKET 512 /**< formerly 142 in krb5 1.8 */
#define KRB5_AUTHDATA_FX_ARMOR 71
/** @} */ /* end of KRB5_AUTHDATA group */
/* password change constants */
#define KRB5_KPASSWD_SUCCESS 0 /**< Success */
#define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */
#define KRB5_KPASSWD_HARDERROR 2 /**< Server error */
#define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */
#define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */
/* These are Microsoft's extensions in RFC 3244, and it looks like
they'll become standardized, possibly with other additions. */
#define KRB5_KPASSWD_ACCESSDENIED 5 /**< Not authorized */
#define KRB5_KPASSWD_BAD_VERSION 6 /**< Unknown RPC version */
/** The presented credentials were not obtained using a password directly */
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
/*
* end "proto.h"
*/
/* Time set */
/** Ticket start time, end time, and renewal duration. */
typedef struct _krb5_ticket_times {
krb5_timestamp authtime; /**< Time at which KDC issued the initial ticket that corresponds to this ticket */
/* XXX ? should ktime in KDC_REP == authtime
in ticket? otherwise client can't get this */
krb5_timestamp starttime; /**< optional in ticket, if not present, use @a authtime */
krb5_timestamp endtime; /**< Ticket expiration time */
krb5_timestamp renew_till; /**< Latest time at which renewal of ticket can be valid */
} krb5_ticket_times;
/** Structure for auth data */
typedef struct _krb5_authdata {
krb5_magic magic;
krb5_authdatatype ad_type; /**< ADTYPE */
unsigned int length; /**< Length of data */
krb5_octet *contents; /**< Data */
} krb5_authdata;
/** Structure for transited encoding */
typedef struct _krb5_transited {
krb5_magic magic;
krb5_octet tr_type; /**< Transited encoding type */
krb5_data tr_contents; /**< Contents */
} krb5_transited;
/** Encrypted part of ticket. */
typedef struct _krb5_enc_tkt_part {
krb5_magic magic;
/* to-be-encrypted portion */
krb5_flags flags; /**< flags */
krb5_keyblock *session; /**< session key: includes enctype */
krb5_principal client; /**< client name/realm */
krb5_transited transited; /**< list of transited realms */
krb5_ticket_times times; /**< auth, start, end, renew_till */
krb5_address **caddrs; /**< array of ptrs to addresses */
krb5_authdata **authorization_data; /**< auth data */
} krb5_enc_tkt_part;
/**
* Ticket structure.
*
* The C representation of the ticket message, with a pointer to the
* C representation of the encrypted part.
*/
typedef struct _krb5_ticket {
krb5_magic magic;
/* cleartext portion */
krb5_principal server; /**< server name/realm */
krb5_enc_data enc_part; /**< encryption type, kvno, encrypted encoding */
krb5_enc_tkt_part *enc_part2; /**< ptr to decrypted version, if available */
} krb5_ticket;
/* the unencrypted version */
/**
* Ticket authenticator.
*
* The C representation of an unencrypted authenticator.
*/
typedef struct _krb5_authenticator {
krb5_magic magic;
krb5_principal client; /**< client name/realm */
krb5_checksum *checksum; /**< checksum, includes type, optional */
krb5_int32 cusec; /**< client usec portion */
krb5_timestamp ctime; /**< client sec portion */
krb5_keyblock *subkey; /**< true session key, optional */
krb5_ui_4 seq_number; /**< sequence #, optional */
krb5_authdata **authorization_data; /**< authoriazation data */
} krb5_authenticator;
/** Ticket authentication data. */
typedef struct _krb5_tkt_authent {
krb5_magic magic;
krb5_ticket *ticket;
krb5_authenticator *authenticator;
krb5_flags ap_options;
} krb5_tkt_authent;
/** Credentials structure including ticket, session key, and lifetime info. */
typedef struct _krb5_creds {
krb5_magic magic;
krb5_principal client; /**< client's principal identifier */
krb5_principal server; /**< server's principal identifier */
krb5_keyblock keyblock; /**< session encryption key info */
krb5_ticket_times times; /**< lifetime info */
krb5_boolean is_skey; /**< true if ticket is encrypted in
another ticket's skey */
krb5_flags ticket_flags; /**< flags in ticket */
krb5_address **addresses; /**< addrs in ticket */
krb5_data ticket; /**< ticket string itself */
krb5_data second_ticket; /**< second ticket, if related to
ticket (via DUPLICATE-SKEY or
ENC-TKT-IN-SKEY) */
krb5_authdata **authdata; /**< authorization data */
} krb5_creds;
/** Last request entry */
typedef struct _krb5_last_req_entry {
krb5_magic magic;
krb5_int32 lr_type; /**< LR type */
krb5_timestamp value; /**< Timestamp */
} krb5_last_req_entry;
/** Pre-authentication data */
typedef struct _krb5_pa_data {
krb5_magic magic;
krb5_preauthtype pa_type; /**< Preauthentication data type */
unsigned int length; /**< Length of data */
krb5_octet *contents; /**< Data */
} krb5_pa_data;
/* Don't use this; use krb5_pa_data instead. */
typedef struct _krb5_typed_data {
krb5_magic magic;
krb5_int32 type;
unsigned int length;
krb5_octet *data;
} krb5_typed_data;
/** C representation of KDC-REQ protocol message, including KDC-REQ-BODY */
typedef struct _krb5_kdc_req {
krb5_magic magic;
krb5_msgtype msg_type; /**< KRB5_AS_REQ or KRB5_TGS_REQ */
krb5_pa_data **padata; /**< Preauthentication data */
/* real body */
krb5_flags kdc_options; /**< Requested options */
krb5_principal client; /**< Client principal and realm */
krb5_principal server; /**< Server principal and realm */
krb5_timestamp from; /**< Requested start time */
krb5_timestamp till; /**< Requested end time */
krb5_timestamp rtime; /**< Requested renewable end time */
krb5_int32 nonce; /**< Nonce to match request and response */
int nktypes; /**< Number of enctypes */
krb5_enctype *ktype; /**< Requested enctypes */
krb5_address **addresses; /**< Requested addresses (optional) */
krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */
krb5_authdata **unenc_authdata; /**< Unencrypted authz data */
krb5_ticket **second_ticket; /**< Second ticket array (optional) */
} krb5_kdc_req;
/**
* C representation of @c EncKDCRepPart protocol message.
*
* This is the cleartext message that is encrypted and inserted in @c KDC-REP.
*/
typedef struct _krb5_enc_kdc_rep_part {
krb5_magic magic;
/* encrypted part: */
krb5_msgtype msg_type; /**< krb5 message type */
krb5_keyblock *session; /**< Session key */
krb5_last_req_entry **last_req; /**< Array of pointers to entries */
krb5_int32 nonce; /**< Nonce from request */
krb5_timestamp key_exp; /**< Expiration date */
krb5_flags flags; /**< Ticket flags */
krb5_ticket_times times; /**< Lifetime info */
krb5_principal server; /**< Server's principal identifier */
krb5_address **caddrs; /**< Array of ptrs to addrs, optional */
krb5_pa_data **enc_padata; /**< Encrypted preauthentication data */
} krb5_enc_kdc_rep_part;
/** Representation of the @c KDC-REP protocol message. */
typedef struct _krb5_kdc_rep {
krb5_magic magic;
/* cleartext part: */
krb5_msgtype msg_type; /**< KRB5_AS_REP or KRB5_KDC_REP */
krb5_pa_data **padata; /**< Preauthentication data from KDC */
krb5_principal client; /**< Client principal and realm */
krb5_ticket *ticket; /**< Ticket */
krb5_enc_data enc_part; /**< Encrypted part of reply */
krb5_enc_kdc_rep_part *enc_part2; /**< Unencrypted version, if available */
} krb5_kdc_rep;
/** Error message structure */
typedef struct _krb5_error {
krb5_magic magic;
/* some of these may be meaningless in certain contexts */
krb5_timestamp ctime; /**< Client sec portion; optional */
krb5_int32 cusec; /**< Client usec portion; optional */
krb5_int32 susec; /**< Server usec portion */
krb5_timestamp stime; /**< Server sec portion */
krb5_ui_4 error; /**< Error code (protocol error #'s) */
krb5_principal client; /**< Client principal and realm */
krb5_principal server; /**< Server principal and realm */
krb5_data text; /**< Descriptive text */
krb5_data e_data; /**< Additional error-describing data */
} krb5_error;
/** Authentication header. */
typedef struct _krb5_ap_req {
krb5_magic magic;
krb5_flags ap_options; /**< Requested options */
krb5_ticket *ticket; /**< Ticket */
krb5_enc_data authenticator; /**< Encrypted authenticator */
} krb5_ap_req;
/**
* C representaton of AP-REP message.
*
* The server's response to a client's request for mutual authentication.
*/
typedef struct _krb5_ap_rep {
krb5_magic magic;
krb5_enc_data enc_part; /**< Ciphertext of ApRepEncPart */
} krb5_ap_rep;
/** Cleartext that is encrypted and put into @c _krb5_ap_rep. */
typedef struct _krb5_ap_rep_enc_part {
krb5_magic magic;
krb5_timestamp ctime; /**< Client time, seconds portion */
krb5_int32 cusec; /**< Client time, microseconds portion */
krb5_keyblock *subkey; /**< Subkey (optional) */
krb5_ui_4 seq_number; /**< Sequence number */
} krb5_ap_rep_enc_part;
/* Unused */
typedef struct _krb5_response {
krb5_magic magic;
krb5_octet message_type;
krb5_data response;
krb5_int32 expected_nonce;
krb5_timestamp request_time;
} krb5_response;
/** Credentials information inserted into @c EncKrbCredPart. */
typedef struct _krb5_cred_info {
krb5_magic magic;
krb5_keyblock *session; /**< Session key used to encrypt ticket */
krb5_principal client; /**< Client principal and realm */
krb5_principal server; /**< Server principal and realm */
krb5_flags flags; /**< Ticket flags */
krb5_ticket_times times; /**< Auth, start, end, renew_till */
krb5_address **caddrs; /**< Array of pointers to addrs (optional) */
} krb5_cred_info;
/** Cleartext credentials information. */
typedef struct _krb5_cred_enc_part {
krb5_magic magic;
krb5_int32 nonce; /**< Nonce (optional) */
krb5_timestamp timestamp; /**< Generation time, seconds portion */
krb5_int32 usec; /**< Generation time, microseconds portion */
krb5_address *s_address; /**< Sender address (optional) */
krb5_address *r_address; /**< Recipient address (optional) */
krb5_cred_info **ticket_info;
} krb5_cred_enc_part;
/** Credentials data structure.*/
typedef struct _krb5_cred {
krb5_magic magic;
krb5_ticket **tickets; /**< Tickets */
krb5_enc_data enc_part; /**< Encrypted part */
krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */
} krb5_cred;
/* Unused, but here for API compatibility. */
typedef struct _passwd_phrase_element {
krb5_magic magic;
krb5_data *passwd;
krb5_data *phrase;
} passwd_phrase_element;
/* Unused, but here for API compatibility. */
typedef struct _krb5_pwd_data {
krb5_magic magic;
int sequence_count;
passwd_phrase_element **element;
} krb5_pwd_data;
/* Unused, but here for API compatibility. */
typedef struct _krb5_pa_svr_referral_data {
/** Referred name, only realm is required */
krb5_principal principal;
} krb5_pa_svr_referral_data;
/* Unused, but here for API compatibility. */
typedef struct _krb5_pa_server_referral_data {
krb5_data *referred_realm;
krb5_principal true_principal_name;
krb5_principal requested_principal_name;
krb5_timestamp referral_valid_until;
krb5_checksum rep_cksum;
} krb5_pa_server_referral_data;
typedef struct _krb5_pa_pac_req {
/** TRUE if a PAC should be included in TGS-REP */
krb5_boolean include_pac;
} krb5_pa_pac_req;
/*
* begin "safepriv.h"
*/
/** @defgroup KRB5_AUTH_CONTEXT KRB5_AUTH_CONTEXT
* @{
*/
/** Prevent replays with timestamps and replay cache. */
#define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001
/** Save timestamps for application. */
#define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002
/** Prevent replays with sequence numbers. */
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
/** Save sequence numbers for application. */
#define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
#define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
#define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020
/** @} */ /* end of KRB5_AUTH_CONTEXT group */
/**
* Replay data.
*
* Sequence number and timestamp information output by krb5_rd_priv() and
* krb5_rd_safe().
*/
typedef struct krb5_replay_data {
krb5_timestamp timestamp; /**< Timestamp, seconds portion */
krb5_int32 usec; /**< Timestamp, microseconds portion */
krb5_ui_4 seq; /**< Sequence number */
} krb5_replay_data;
/* Flags for krb5_auth_con_genaddrs(). */
/** Generate the local network address. */
#define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR 0x00000001
/** Generate the remote network address. */
#define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR 0x00000002
/** Generate the local network address and the local port. */
#define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR 0x00000004
/** Generate the remote network address and the remote port. */
#define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008
/** Type of function used as a callback to generate checksum data for mk_req */
typedef krb5_error_code
(KRB5_CALLCONV * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context,
void *, krb5_data **);
/*
* end "safepriv.h"
*/
/*
* begin "ccache.h"
*/
/** Cursor for sequential lookup */
typedef krb5_pointer krb5_cc_cursor;
struct _krb5_ccache;
typedef struct _krb5_ccache *krb5_ccache;
struct _krb5_cc_ops;
typedef struct _krb5_cc_ops krb5_cc_ops;
struct _krb5_cccol_cursor;
/** Cursor for iterating over all ccaches */
typedef struct _krb5_cccol_cursor *krb5_cccol_cursor;
/* Flags for krb5_cc_retrieve_cred. */
/** The requested lifetime must be at least as great as the time specified. */
#define KRB5_TC_MATCH_TIMES 0x00000001
/** The is_skey field must match exactly. */
#define KRB5_TC_MATCH_IS_SKEY 0x00000002
/** All the flags set in the match credentials must be set. */
#define KRB5_TC_MATCH_FLAGS 0x00000004
/** All the time fields must match exactly. */
#define KRB5_TC_MATCH_TIMES_EXACT 0x00000008
/** All the flags must match exactly. */
#define KRB5_TC_MATCH_FLAGS_EXACT 0x00000010
/** The authorization data must match. */
#define KRB5_TC_MATCH_AUTHDATA 0x00000020
/** Only the name portion of the principal name must match. */
#define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040
/** The second ticket must match. */
#define KRB5_TC_MATCH_2ND_TKT 0x00000080
/** The encryption key type must match. */
#define KRB5_TC_MATCH_KTYPE 0x00000100
/** The supported key types must match. */
#define KRB5_TC_SUPPORTED_KTYPES 0x00000200
/* Flags for krb5_cc_set_flags and similar. */
/** Open and close the file for each cache operation. */
#define KRB5_TC_OPENCLOSE 0x00000001
#define KRB5_TC_NOTICKET 0x00000002
/**
* Retrieve the name, but not type of a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
*
* @warning Returns the name of the credential cache. The result is an alias
* into @a cache and should not be freed or modified by the caller. This name
* does not include the cache type, so should not be used as input to
* krb5_cc_resolve().
*
* @return
* On success - the name of the credential cache.
*/
const char * KRB5_CALLCONV
krb5_cc_get_name(krb5_context context, krb5_ccache cache);
/**
* Retrieve the full name of a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [out] fullname_out Full name of cache
*
* Use krb5_free_string() to free @a fullname_out when it is no longer needed.
*
* @version New in 1.10
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_get_full_name(krb5_context context, krb5_ccache cache,
char **fullname_out);
#if KRB5_DEPRECATED
krb5_error_code KRB5_CALLCONV
krb5_cc_gen_new(krb5_context context, krb5_ccache *cache);
#endif /* KRB5_DEPRECATED */
/**
* Initialize a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] principal Default principal name
*
* Destroy any existing contents of @a cache and initialize it for the default
* principal @a principal.
*
* @retval
* 0 Success
* @return
* System errors; Permission errors; Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_initialize(krb5_context context, krb5_ccache cache,
krb5_principal principal);
/**
* Destroy a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
*
* This function destroys any existing contents of @a cache and closes the
* handle to it.
*
* @retval
* 0 Success
* @return
* Permission errors
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_destroy(krb5_context context, krb5_ccache cache);
/**
* Close a credential cache handle.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
*
* This function closes a credential cache handle @a cache without affecting
* the contents of the cache.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_close(krb5_context context, krb5_ccache cache);
/**
* Store credentials in a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] creds Credentials to be stored in cache
*
* This function stores @a creds into @a cache. If @a creds->server and the
* server in the decoded ticket @a creds->ticket differ, the credentials will
* be stored under both server principal names.
*
* @retval
* 0 Success
* @return Permission errors; storage failure errors; Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds);
/**
* Retrieve a specified credentials from a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] flags Flags bit mask
* @param [in] mcreds Credentials to match
* @param [out] creds Credentials matching the requested value
*
* This function searches a credential cache for credentials matching @a mcreds
* and returns it if found.
*
* Valid values for @a flags are:
*
* @li #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as
* great as in @a mcreds .
* @li #KRB5_TC_MATCH_IS_SKEY The @a is_skey field much match exactly.
* @li #KRB5_TC_MATCH_FLAGS Flags set in @a mcreds must be set.
* @li #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly.
* @li #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly.
* @li #KRB5_TC_MATCH_AUTHDATA The authorization data must match.
* @li #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal
* name must match, not the realm.
* @li #KRB5_TC_MATCH_2ND_TKT The second tickets must match.
* @li #KRB5_TC_MATCH_KTYPE The encryption key types must match.
* @li #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any
* supported encryption type and return the
* one with the encryption type listed earliest.
*
* Use krb5_free_cred_contents() to free @a creds when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache,
krb5_flags flags, krb5_creds *mcreds,
krb5_creds *creds);
/**
* Get the default principal of a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [out] principal Primary principal
*
* Returns the default client principal of a credential cache as set by
* krb5_cc_initialize().
*
* Use krb5_free_principal() to free @a principal when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_get_principal(krb5_context context, krb5_ccache cache,
krb5_principal *principal);
/**
* Prepare to sequentially read every credential in a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [out] cursor Cursor
*
* krb5_cc_end_seq_get() must be called to complete the retrieve operation.
*
* @note If @a cache is modified between the time of the call to this function
* and the time of the final krb5_cc_end_seq_get(), the results are undefined.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache,
krb5_cc_cursor *cursor);
/**
* Retrieve the next entry from the credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] cursor Cursor
* @param [out] creds Next credential cache entry
*
* This function fills in @a creds with the next entry in @a cache and advances
* @a cursor.
*
* Use krb5_free_cred_contents() to free @a creds when it is no longer needed.
*
* @sa krb5_cc_start_seq_get(), krb5_end_seq_get()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_next_cred(krb5_context context, krb5_ccache cache,
krb5_cc_cursor *cursor, krb5_creds *creds);
/**
* Finish a series of sequential processing credential cache entries.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] cursor Cursor
*
* This function finishes processing credential cache entries and invalidates
* @a cursor.
*
* @sa krb5_cc_start_seq_get(), krb5_cc_next_cred()
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache,
krb5_cc_cursor *cursor);
/**
* Remove credentials from a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] flags Bitwise-ORed search flags
* @param [in] creds Credentials to be matched
*
* @warning This function is not implemented for some cache types.
*
* This function accepts the same flag values as krb5_cc_retrieve_cred().
*
* @retval KRB5_CC_NOSUPP Not implemented for this cache type
* @return No matches found; Data cannot be deleted; Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
krb5_creds *creds);
/**
* Set options flags on a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [in] flags Flag bit mask
*
* This function resets @a cache flags to @a flags.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags);
/**
* Retrieve flags from a credential cache structure.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
* @param [out] flags Flag bit mask
*
* @warning For memory credential cache always returns a flag mask of 0.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags);
/**
* Retrieve the type of a credential cache.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
*
* @return The type of a credential cache as an alias that must not be modified
* or freed by the caller.
*/
const char * KRB5_CALLCONV
krb5_cc_get_type(krb5_context context, krb5_ccache cache);
/**
* Move a credential cache.
*
* @param [in] context Library context
* @param [in] src The credential cache to move the content from
* @param [in] dst The credential cache to move the content to
*
* This function reinitializes @a dst and populates it with the credentials and
* default principal of @a src; then, if successful, destroys @a src.
*
* @retval
* 0 Success; @a src is closed.
* @return
* Kerberos error codes; @a src is still allocated.
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst);
/**
* Return a timestamp of the last modification to a credential cache.
*
* @param [in] context Library context
* @param [in] ccache Credential cache handle
* @param [out] change_time The last change time of @a ccache
*
* If an error occurs, @a change_time is set to 0.
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_last_change_time(krb5_context context, krb5_ccache ccache,
krb5_timestamp *change_time);
/**
* Lock a credential cache.
*
* @param [in] context Library context
* @param [in] ccache Credential cache handle
*
* Use krb5_cc_unlock() to unlock the lock.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_lock(krb5_context context, krb5_ccache ccache);
/**
* Unlock a credential cache.
*
* @param [in] context Library context
* @param [in] ccache Credential cache handle
*
* This function unlocks the @a ccache locked by krb5_cc_lock().
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_unlock(krb5_context context, krb5_ccache ccache);
/**
* Prepare to iterate over the collection of known credential caches.
*
* @param [in] context Library context
* @param [out] cursor Cursor
*
* Get a new cache iteration @a cursor that will iterate over all known
* credential caches independent of type.
*
* Use krb5_cccol_cursor_free() to release @a cursor when it is no longer
* needed.
*
* @sa krb5_cccol_cursor_next()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor);
/**
* Get the next credential cache in the collection.
*
* @param [in] context Library context
* @param [in] cursor Cursor
* @param [out] ccache Credential cache handle
*
* @note When all caches are iterated over and the end of the list is reached,
* @a ccache is set to NULL.
*
* Use krb5_cc_close() to close @a ccache when it is no longer needed.
*
* @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_free()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
krb5_ccache *ccache);
/**
* Free a credential cache collection cursor.
*
* @param [in] context Library context
* @param [in] cursor Cursor
*
* @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_next()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor);
/**
* Check if the credential cache collection contains any credentials.
*
* @param [in] context Library context
*
* @version New in 1.11
*
* @retval 0 Credentials are available in the collection
* @retval KRB5_CC_NOTFOUND The collection contains no credentials
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context);
/**
* Return a timestamp of the last modification of any known credential cache.
*
* @param [in] context Library context
* @param [out] change_time Last modification timestamp
*
* This function returns the most recent modification time of any known
* credential cache, ignoring any caches which cannot supply a last
* modification time.
*
* If there are no known credential caches, @a change_time is set to 0.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_last_change_time(krb5_context context, krb5_timestamp *change_time);
/**
* Acquire a global lock for credential caches.
*
* @param [in] context Library context
*
* This function locks the global credential cache collection, ensuring
* that no ccaches are added to or removed from it until the collection
* lock is released.
*
* Use krb5_cccol_unlock() to unlock the lock.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_lock(krb5_context context);
/**
* Release a global lock for credential caches.
*
* @param [in] context Library context
*
* This function unlocks the lock from krb5_cccol_lock().
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cccol_unlock(krb5_context context);
/**
* Create a new credential cache of the specified type with a unique name.
*
* @param [in] context Library context
* @param [in] type Credential cache type name
* @param [in] hint Unused
* @param [out] id Credential cache handle
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_new_unique(krb5_context context, const char *type, const char *hint,
krb5_ccache *id);
/*
* end "ccache.h"
*/
/*
* begin "rcache.h"
*/
struct krb5_rc_st;
typedef struct krb5_rc_st *krb5_rcache;
/*
* end "rcache.h"
*/
/*
* begin "keytab.h"
*/
/* XXX */
#define MAX_KEYTAB_NAME_LEN 1100 /**< Long enough for MAXPATHLEN + some extra */
typedef krb5_pointer krb5_kt_cursor;
/** A key table entry. */
typedef struct krb5_keytab_entry_st {
krb5_magic magic;
krb5_principal principal; /**< Principal of this key */
krb5_timestamp timestamp; /**< Time entry written to keytable */
krb5_kvno vno; /**< Key version number */
krb5_keyblock key; /**< The secret key */
} krb5_keytab_entry;
struct _krb5_kt;
typedef struct _krb5_kt *krb5_keytab;
/**
* Return the type of a key table.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
*
* @return The type of a key table as an alias that must not be modified or
* freed by the caller.
*/
const char * KRB5_CALLCONV
krb5_kt_get_type(krb5_context context, krb5_keytab keytab);
/**
* Get a key table name.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
* @param [out] name Key table name
* @param [in] namelen Maximum length to fill in name
*
* Fill @a name with the name of @a keytab including the type and delimiter.
*
* @sa MAX_KEYTAB_NAME_LEN
*
* @retval
* 0 Success
* @retval
* KRB5_KT_NAME_TOOLONG Key table name does not fit in @a namelen bytes
*
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
unsigned int namelen);
/**
* Close a key table handle.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
*
* @retval 0
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_close(krb5_context context, krb5_keytab keytab);
/**
* Get an entry from a key table.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
* @param [in] principal Principal name
* @param [in] vno Key version number (0 for highest available)
* @param [in] enctype Encryption type (0 zero for any enctype)
* @param [out] entry Returned entry from key table
*
* Retrieve an entry from a key table which matches the @a keytab, @a
* principal, @a vno, and @a enctype. If @a vno is zero, retrieve the
* highest-numbered kvno matching the other fields. If @a enctype is 0, match
* any enctype.
*
* Use krb5_free_keytab_entry_contents() to free @a entry when it is no longer
* needed.
*
* @note If @a vno is zero, the function retrieves the highest-numbered-kvno
* entry that matches the specified principal.
*
* @retval
* 0 Success
* @retval
* Kerberos error codes on failure
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
krb5_const_principal principal, krb5_kvno vno,
krb5_enctype enctype, krb5_keytab_entry *entry);
/**
* Start a sequential retrieval of key table entries.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
* @param [out] cursor Cursor
*
* Prepare to read sequentially every key in the specified key table. Use
* krb5_kt_end_seq_get() to release the cursor when it is no longer needed.
*
* @sa krb5_kt_next_entry(), krb5_kt_end_seq_get()
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
krb5_kt_cursor *cursor);
/**
* Retrieve the next entry from the key table.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
* @param [out] entry Returned key table entry
* @param [in] cursor Key table cursor
*
* Return the next sequential entry in @a keytab and advance @a cursor.
*
* @sa krb5_kt_start_seq_get(), krb5_kt_end_seq_get()
*
* @retval
* 0 Success
* @retval
* KRB5_KT_END - if the last entry was reached
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
krb5_keytab_entry *entry, krb5_kt_cursor *cursor);
/**
* Release a keytab cursor.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
* @param [out] cursor Cursor
*
* This function should be called to release the cursor created by
* krb5_kt_start_seq_get().
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
krb5_kt_cursor *cursor);
/**
* Check if a keytab exists and contains entries.
*
* @param [in] context Library context
* @param [in] keytab Key table handle
*
* @version New in 1.11
*
* @retval 0 Keytab exists and contains entries
* @retval KRB5_KT_NOTFOUND Keytab does not contain entries
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_have_content(krb5_context context, krb5_keytab keytab);
/*
* end "keytab.h"
*/
/*
* begin "func-proto.h"
*/
#define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */
#define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */
/**
* Create a krb5 library context.
*
* @param [out] context Library context
*
* The @a context must be released by calling krb5_free_context() when
* it is no longer needed.
*
* @warning Any program or module that needs the Kerberos code to not trust the
* environment must use krb5_init_secure_context(), or clean out the
* environment.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context);
/**
* Create a krb5 library context using only configuration files.
*
* @param [out] context Library context
*
* Create a context structure, using only system configuration files. All
* information passed through the environment variables is ignored.
*
* The @a context must be released by calling krb5_free_context() when
* it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_secure_context(krb5_context *context);
/**
* Create a krb5 library context using a specified profile.
*
* @param [in] profile Profile object (NULL to create default profile)
* @param [in] flags Context initialization flags
* @param [out] context Library context
*
* Create a context structure, optionally using a specified profile and
* initialization flags. If @a profile is NULL, the default profile will be
* created from config files. If @a profile is non-null, a copy of it will be
* made for the new context; the caller should still clean up its copy. Valid
* flag values are:
*
* @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables
* @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
*/
krb5_error_code KRB5_CALLCONV
krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags,
krb5_context *context);
/**
* Free a krb5 library context.
*
* @param [in] context Library context
*
* This function frees a @a context that was created by krb5_init_context()
* or krb5_init_secure_context().
*/
void KRB5_CALLCONV
krb5_free_context(krb5_context context);
/**
* Copy a krb5_context structure.
*
* @param [in] ctx Library context
* @param [out] nctx_out New context structure
*
* The newly created context must be released by calling krb5_free_context()
* when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_context(krb5_context ctx, krb5_context *nctx_out);
/**
* Set default TGS encryption types in a krb5_context structure.
*
* @param [in] context Library context
* @param [in] etypes Encryption type(s) to set
*
* This function sets the default enctype list for TGS requests
* made using @a context to @a etypes.
*
* @note This overrides the default list (from config file or built-in).
*
* @retval
* 0 Success
* @retval
* KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes);
/**
* Return a list of encryption types permitted for session keys.
*
* @param [in] context Library context
* @param [out] ktypes Zero-terminated list of encryption types
*
* This function returns the list of encryption types permitted for session
* keys within @a context, as determined by configuration or by a previous call
* to krb5_set_default_tgs_enctypes().
*
* Use krb5_free_enctypes() to free @a ktypes when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes);
/**
* Test whether the Kerberos library was built with multithread support.
*
* @retval
* TRUE if the library is threadsafe; FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_is_thread_safe(void);
/* libkrb.spec */
/**
* Decrypt a ticket using the specified key table.
*
* @param [in] context Library context
* @param [in] kt Key table
* @param [in] ticket Ticket to be decrypted
*
* This function takes a @a ticket as input and decrypts it using
* key data from @a kt. The result is placed into @a ticket->enc_part2.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt,
krb5_ticket *ticket);
/**
* Free an array of credential structures.
*
* @param [in] context Library context
* @param [in] tgts Null-terminated array of credentials to free
*
* @note The last entry in the array @a tgts must be a NULL pointer.
*/
void KRB5_CALLCONV
krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
/** @defgroup KRB5_GC KRB5_GC
* @{
*/
#define KRB5_GC_USER_USER 1 /**< Want user-user ticket */
#define KRB5_GC_CACHED 2 /**< Want cached ticket only */
#define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */
#define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */
#define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */
#define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */
#define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */
/** @} */ /* end of KRB5_GC group */
/**
* Get an additional ticket.
*
* @param [in] context Library context
* @param [in] options Options
* @param [in] ccache Credential cache handle
* @param [in] in_creds Input credentials
* @param [out] out_creds Output updated credentials
*
* Use @a ccache or a TGS exchange to get a service ticket matching @a
* in_creds.
*
* Valid values for @a options are:
* @li #KRB5_GC_CACHED Search only credential cache for the ticket
* @li #KRB5_GC_USER_USER Return a user to user authentication ticket
*
* @a in_creds must be non-null. @a in_creds->client and @a in_creds->server
* must be filled in to specify the client and the server respectively. If any
* authorization data needs to be requested for the service ticket (such as
* restrictions on how the ticket can be used), specify it in @a
* in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The
* session key type is specified in @a in_creds->keyblock.enctype, if it is
* nonzero.
*
* The expiration date is specified in @a in_creds->times.endtime.
* The KDC may return tickets with an earlier expiration date.
* If @a in_creds->times.endtime is set to 0, the latest possible
* expiration date will be requested.
*
* Any returned ticket and intermediate ticket-granting tickets are stored
* in @a ccache.
*
* Use krb5_free_creds() to free @a out_creds when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_credentials(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
krb5_creds **out_creds);
/** @deprecated Replaced by krb5_get_validated_creds. */
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_validate(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
krb5_creds **out_creds);
/** @deprecated Replaced by krb5_get_renewed_creds. */
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_renew(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
krb5_creds **out_creds);
/**
* Create a @c KRB_AP_REQ message.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] ap_req_options @ref AP_OPTS options
* @param [in] service Service name, or NULL to use @c "host"
* @param [in] hostname Host name, or NULL to use local hostname
* @param [in] in_data Application data to be checksummed in the
* authenticator, or NULL
* @param [in] ccache Credential cache used to obtain credentials
* for the desired service.
* @param [out] outbuf @c AP-REQ message
*
* This function is similar to krb5_mk_req_extended() except that it uses a
* given @a hostname, @a service, and @a ccache to construct a service
* principal name and obtain credentials.
*
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, char *service, char *hostname,
krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf);
/**
* Create a @c KRB_AP_REQ message using supplied credentials.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] ap_req_options @ref AP_OPTS options
* @param [in] in_data Application data to be checksummed in the
* authenticator, or NULL
* @param [in] in_creds Credentials for the service with valid ticket
* and key
* @param [out] outbuf @c AP-REQ message
*
* Valid @a ap_req_options are:
* @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the
* request used for user to user
* authentication.
* @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from
* the reciever.
* @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current
* session key obtained from the credentials.
*
* This function creates a KRB_AP_REQ message using supplied credentials @a
* in_creds. @a auth_context may point to an existing auth context or to NULL,
* in which case a new one will be created. If @a in_data is non-null, a
* checksum of it will be included in the authenticator contained in the
* KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it
* is no longer needed.
*
* On successful return, the authenticator is stored in @a auth_context with
* the @a client and @a checksum fields nulled out. (This is to prevent
* pointer-sharing problems; the caller should not need these fields anyway,
* since the caller supplied them.)
*
* @sa krb5_mk_req()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
krb5_creds *in_creds, krb5_data *outbuf);
/**
* Format and encrypt a @c KRB_AP_REP message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] outbuf @c AP-REP message
*
* This function fills in @a outbuf with an AP-REP message using information
* from @a auth_context.
*
* If the flags in @a auth_context indicate that a sequence number should be
* used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a
* auth_context is 0, a new number will be generated with
* krb5_generate_seq_number().
*
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
/**
* Format and encrypt a @c KRB_AP_REP message for DCE RPC.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] outbuf @c AP-REP message
*
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
/**
* Parse and decrypt a @c KRB_AP_REP message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] inbuf AP-REP message
* @param [out] repl Decrypted reply message
*
* This function parses, decrypts and verifies a message from @a inbuf and
* fills in @a repl with a pointer to allocated memory containing the fields
* from the encrypted response.
*
* Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_ap_rep_enc_part **repl);
/**
* Parse and decrypt a @c KRB_AP_REP message for DCE RPC.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] inbuf AP-REP message
* @param [out] nonce Sequence number from the decrypted reply
*
* This function parses, decrypts and verifies a message from @a inbuf and
* fills in @a nonce with a decrypted reply sequence number.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_ui_4 *nonce);
/**
* Format and encode a @c KRB_ERROR message.
*
* @param [in] context Library context
* @param [in] dec_err Error structure to be encoded
* @param [out] enc_err Encoded error structure
*
* This function creates a @c KRB_ERROR message in @a enc_err. Use
* krb5_free_data_contents() to free @a enc_err when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_error(krb5_context context, const krb5_error *dec_err,
krb5_data *enc_err);
/**
* Decode a @c KRB-ERROR message.
*
* @param [in] context Library context
* @param [in] enc_errbuf Encoded error message
* @param [out] dec_error Decoded error message
*
* This function processes @c KRB-ERROR message @a enc_errbuf and returns
* an allocated structure @a dec_error containing the error message.
* Use krb5_free_error() to free @a dec_error when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf,
krb5_error **dec_error);
/**
* Process @c KRB-SAFE message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] inbuf @c KRB-SAFE message to be parsed
* @param [out] outbuf Data parsed from @c KRB-SAFE message
* @param [out] outdata Replay data. Specify NULL if not needed
*
* This function parses a @c KRB-SAFE message, verifies its integrity, and
* stores its data into @a outbuf.
*
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.
*
* @note @a auth_context must have a remote address set. This address will be
* used to verify the sender address in the KRB-SAFE message. If @a
* auth_context has a local address set, it will be used to verify the
* receiver address in the KRB-SAFE message if the message contains one.
* Both addresses must use type @c ADDRTYPE_ADDRPORT.
*
* If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
* sequence number of the KRB-SAFE message is checked against the remote
* sequence number field of @a auth_context. Otherwise, the sequence number is
* not used.
*
* If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context,
* then two additional checks are performed:
* @li The timestamp in the message must be within the permitted clock skew
* (which is usually five minutes).
* @li The message must not be a replayed message field in @a auth_context.
*
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_data *outbuf,
krb5_replay_data *outdata);
/**
* Process a @c KRB-PRIV message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication structure
* @param [in] inbuf @c KRB-PRIV message to be parsed
* @param [out] outbuf Data parsed from @c KRB-PRIV message
* @param [out] outdata Replay data. Specify NULL if not needed
*
* This function parses a @c KRB-PRIV message, verifies its integrity, and
* stores its unencrypted data into @a outbuf.
*
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in @a auth_context, @a
* outdata is required.
*
* @note @a auth_context must have a remote address set. This address will be
* used to verify the sender address in the KRB-PRIV message. If @a
* auth_context has a local address set, it will be used to verify the
* receiver address in the KRB-PRIV message if the message contains one.
* Both addresses must use type @c ADDRTYPE_ADDRPORT.
*
* If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
* sequence number of the KRB-SAFE message is checked against the remote
* sequence number field of @a auth_context. Otherwise, the sequence number is
* not used.
*
* If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context,
* then two additional checks are performed:
* @li The timestamp in the message must be within the permitted clock skew
* (which is usually five minutes).
* @li The message must not be a replayed message field in @a auth_context.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
const krb5_data *inbuf, krb5_data *outbuf,
krb5_replay_data *outdata);
/**
* Convert a string principal name to a krb5_principal structure.
*
* @param [in] context Library context
* @param [in] name String representation of a principal name
* @param [out] principal_out New principal
*
* Convert a string representation of a principal name to a krb5_principal
* structure.
*
* A string representation of a Kerberos name consists of one or more principal
* name components, separated by slashes, optionally followed by the \@
* character and a realm name. If the realm name is not specified, the local
* realm is used.
*
* To use the slash and \@ symbols as part of a component (quoted) instead of
* using them as a component separator or as a realm prefix), put a backslash
* (\) character in front of the symbol. Similarly, newline, tab, backspace,
* and NULL characters can be included in a component by using @c n, @c t, @c b
* or @c 0, respectively.
*
* @note The realm in a Kerberos @a name cannot contain slash, colon,
* or NULL characters.
*
* Use krb5_free_principal() to free @a principal_out when it is no longer
* needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_parse_name(krb5_context context, const char *name,
krb5_principal *principal_out);
#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */
#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component
enterprise principle */
#define KRB5_PRINCIPAL_PARSE_IGNORE_REALM 0x8 /**< Ignore realm if present */
/**
* Convert a string principal name to a krb5_principal with flags.
*
* @param [in] context Library context
* @param [in] name String representation of a principal name
* @param [in] flags Flag
* @param [out] principal_out New principal
*
* Similar to krb5_parse_name(), this function converts a single-string
* representation of a principal name to a krb5_principal structure.
*
* The following flags are valid:
* @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name
* @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name
* @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise
* principal
* @li #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in @a name
*
* If @c KRB5_PRINCIPAL_PARSE_NO_REALM or @c KRB5_PRINCIPAL_PARSE_IGNORE_REALM
* is specified in @a flags, the realm of the new principal will be empty.
* Otherwise, the default realm for @a context will be used if @a name does not
* specify a realm.
*
* Use krb5_free_principal() to free @a principal_out when it is no longer
* needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context context, const char *name,
int flags, krb5_principal *principal_out);
/**
* Convert a krb5_principal structure to a string representation.
*
* @param [in] context Library context
* @param [in] principal Principal
* @param [out] name String representation of principal name
*
* The resulting string representation uses the format and quoting conventions
* described for krb5_parse_name().
*
* Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_unparse_name(krb5_context context, krb5_const_principal principal,
register char **name);
/**
* Convert krb5_principal structure to string and length.
*
* @param [in] context Library context
* @param [in] principal Principal
* @param [in,out] name String representation of principal name
* @param [in,out] size Size of unparsed name
*
* This function is similar to krb5_unparse_name(), but allows the use of an
* existing buffer for the result. If size is not NULL, then @a name must
* point to either NULL or an existing buffer of at least the size pointed to
* by @a size. The buffer will be allocated or resized if necessary, with the
* new pointer stored into @a name. Whether or not the buffer is resized, the
* necessary space for the result, including null terminator, will be stored
* into @a size.
*
* If size is NULL, this function behaves exactly as krb5_unparse_name().
*
* @retval
* 0 Success
* @return
* Kerberos error codes. On failure @a name is set to NULL
*/
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
char **name, unsigned int *size);
#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */
/**
* Convert krb5_principal structure to a string with flags.
*
* @param [in] context Library context
* @param [in] principal Principal
* @param [in] flags Flags
* @param [out] name String representation of principal name
*
* Similar to krb5_unparse_name(), this function converts a krb5_principal
* structure to a string representation.
*
* The following flags are valid:
* @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
* @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
* @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
*
* Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes. On failure @a name is set to NULL
*/
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
int flags, char **name);
/**
* Convert krb5_principal structure to string format with flags.
*
* @param [in] context Library context
* @param [in] principal Principal
* @param [in] flags Flags
* @param [out] name Single string format of principal name
* @param [out] size Size of unparsed name buffer
*
* @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext()
*
* @retval
* 0 Success
* @return
* Kerberos error codes. On failure @a name is set to NULL
*/
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
int flags, char **name, unsigned int *size);
/**
* Set the realm field of a principal
*
* @param [in] context Library context
* @param [in] principal Principal name
* @param [in] realm Realm name
*
* Set the realm name part of @a principal to @a realm, overwriting the
* previous realm.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_set_principal_realm(krb5_context context, krb5_principal principal,
const char *realm);
/**
* Search a list of addresses for a specified address.
*
* @param [in] context Library context
* @param [in] addr Address to search for
* @param [in] addrlist Address list to be searched (or NULL)
*
* @note If @a addrlist contains only a NetBIOS addresses, it will be treated
* as a null list.
*
* @return
* TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE
* otherwise
*/
krb5_boolean KRB5_CALLCONV_WRONG
krb5_address_search(krb5_context context, const krb5_address *addr,
krb5_address *const *addrlist);
/**
* Compare two Kerberos addresses.
*
* @param [in] context Library context
* @param [in] addr1 First address to be compared
* @param [in] addr2 Second address to be compared
*
* @return
* TRUE if the addresses are the same, FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_address_compare(krb5_context context, const krb5_address *addr1,
const krb5_address *addr2);
/**
* Return an ordering of the specified addresses.
*
* @param [in] context Library context
* @param [in] addr1 First address
* @param [in] addr2 Second address
*
* @retval
* 0 The two addresses are the same
* @retval
* \< 0 First address is less than second
* @retval
* \> 0 First address is greater than second
*/
int KRB5_CALLCONV
krb5_address_order(krb5_context context, const krb5_address *addr1,
const krb5_address *addr2);
/**
* Compare the realms of two principals.
*
* @param [in] context Library context
* @param [in] princ1 First principal
* @param [in] princ2 Second principal
*
* @retval
* TRUE if the realm names are the same; FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
krb5_const_principal princ2);
/**
* Compare two principals.
*
* @param [in] context Library context
* @param [in] princ1 First principal
* @param [in] princ2 Second principal
*
* @retval
* TRUE if the principals are the same; FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_principal_compare(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2);
/**
* Compare two principals ignoring realm components.
*
* @param [in] context Library context
* @param [in] princ1 First principal
* @param [in] princ2 Second principal
*
* Similar to krb5_principal_compare(), but do not compare the realm
* components of the principals.
*
* @retval
* TRUE if the principals are the same; FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2);
#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */
#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */
/**
* Compare two principals with additional flags.
*
* @param [in] context Library context
* @param [in] princ1 First principal
* @param [in] princ2 Second principal
* @param [in] flags Flags
*
* Valid flags are:
* @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
* @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
* @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
* @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
*
* @sa krb5_principal_compare()
*
* @retval
* TRUE if the principal names are the same; FALSE otherwise
*/
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2,
int flags);
/**
* Initialize an empty @c krb5_keyblock.
*
* @param [in] context Library context
* @param [in] enctype Encryption type
* @param [in] length Length of keyblock (or 0)
* @param [out] out New keyblock structure
*
* Initialize a new keyblock and allocate storage for the contents of the key.
* It is legal to pass in a length of 0, in which case contents are left
* unallocated. Use krb5_free_keyblock() to free @a out when it is no longer
* needed.
*
* @note If @a length is set to 0, contents are left unallocated.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
size_t length, krb5_keyblock **out);
/**
* Copy a keyblock.
*
* @param [in] context Library context
* @param [in] from Keyblock to be copied
* @param [out] to Copy of keyblock @a from
*
* This function creates a new keyblock with the same contents as @a from. Use
* krb5_free_keyblock() to free @a to when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from,
krb5_keyblock **to);
/**
* Copy the contents of a keyblock.
*
* @param [in] context Library context
* @param [in] from Key to be copied
* @param [out] to Output key
*
* This function copies the contents of @a from to @a to. Use
* krb5_free_keyblock_contents() to free @a to when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from,
krb5_keyblock *to);
/**
* Copy a krb5_creds structure.
*
* @param [in] context Library context
* @param [in] incred Credentials structure to be copied
* @param [out] outcred Copy of @a incred
*
* This function creates a new credential with the contents of @a incred. Use
* krb5_free_creds() to free @a outcred when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred);
/**
* Copy a krb5_data object.
*
* @param [in] context Library context
* @param [in] indata Data object to be copied
* @param [out] outdata Copy of @a indata
*
* This function creates a new krb5_data object with the contents of @a indata.
* Use krb5_free_data() to free @a outdata when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata);
/**
* Copy a principal.
*
* @param [in] context Library context
* @param [in] inprinc Principal to be copied
* @param [out] outprinc Copy of @a inprinc
*
* This function creates a new principal structure with the contents of @a
* inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer
* needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
krb5_principal *outprinc);
/**
* Copy an array of addresses.
*
* @param [in] context Library context
* @param [in] inaddr Array of addresses to be copied
* @param [out] outaddr Copy of array of addresses
*
* This function creates a new address array containing a copy of @a inaddr.
* Use krb5_free_addresses() to free @a outaddr when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr,
krb5_address ***outaddr);
/**
* Copy a krb5_ticket structure.
*
* @param [in] context Library context
* @param [in] from Ticket to be copied
* @param [out] pto Copy of ticket
*
* This function creates a new krb5_ticket structure containing the contents of
* @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto);
/**
* Copy an authorization data list.
*
* @param [in] context Library context
* @param [in] in_authdat List of @a krb5_authdata structures
* @param [out] out New array of @a krb5_authdata structures
*
* This function creates a new authorization data list containing a copy of @a
* in_authdat, which must be null-terminated. Use krb5_free_authdata() to free
* @a out when it is no longer needed.
*
* @note The last array entry in @a in_authdat must be a NULL pointer.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_authdata(krb5_context context,
krb5_authdata *const *in_authdat, krb5_authdata ***out);
/**
* Find authorization data elements.
*
* @param [in] context Library context
* @param [in] ticket_authdata Authorization data list from ticket
* @param [in] ap_req_authdata Authorization data list from AP request
* @param [in] ad_type Authorization data type to find
* @param [out] results List of matching entries
*
* This function searches @a ticket_authdata and @a ap_req_authdata for
* elements of type @a ad_type. Either input list may be NULL, in which case
* it will not be searched; otherwise, the input lists must be terminated by
* NULL entries. This function will search inside AD-IF-RELEVANT containers if
* found in either list. Use krb5_free_authdata() to free @a results when it
* is no longer needed.
*
* @version New in 1.10
*/
krb5_error_code KRB5_CALLCONV
krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata,
krb5_authdata *const *ap_req_authdata,
krb5_authdatatype ad_type, krb5_authdata ***results);
/**
* Merge two authorization data lists into a new list.
*
* @param [in] context Library context
* @param [in] inauthdat1 First list of @a krb5_authdata structures
* @param [in] inauthdat2 Second list of @a krb5_authdata structures
* @param [out] outauthdat Merged list of @a krb5_authdata structures
*
* Merge two authdata arrays, such as the array from a ticket
* and authenticator.
* Use krb5_free_authdata() to free @a outauthdat when it is no longer needed.
*
* @note The last array entry in @a inauthdat1 and @a inauthdat2
* must be a NULL pointer.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_merge_authdata(krb5_context context,
krb5_authdata *const *inauthdat1,
krb5_authdata * const *inauthdat2,
krb5_authdata ***outauthdat);
/**
* Copy a krb5_authenticator structure.
*
* @param [in] context Library context
* @param [in] authfrom krb5_authenticator structure to be copied
* @param [out] authto Copy of krb5_authenticator structure
*
* This function creates a new krb5_authenticator structure with the content of
* @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no
* longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom,
krb5_authenticator **authto);
/**
* Copy a krb5_checksum structure.
*
* @param [in] context Library context
* @param [in] ckfrom Checksum to be copied
* @param [out] ckto Copy of krb5_checksum structure
*
* This function creates a new krb5_checksum structure with the contents of @a
* ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer
* needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom,
krb5_checksum **ckto);
/**
* Generate a replay cache object for server use and open it.
*
* @param [in] context Library context
* @param [in] piece Unique identifier for replay cache
* @param [out] rcptr Handle to an open rcache
*
* This function generates a replay cache name based on @a piece and opens a
* handle to it. Typically @a piece is the first component of the service
* principal name. Use krb5_rc_close() to close @a rcptr when it is no longer
* needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
krb5_rcache *rcptr);
/**
* Build a principal name using length-counted strings.
*
* @param [in] context Library context
* @param [out] princ Principal name
* @param [in] rlen Realm name length
* @param [in] realm Realm name
* @param [in] ... List of unsigned int/char * components, followed by 0
*
* This function creates a principal from a length-counted string and a
* variable-length list of length-counted components. The list of components
* ends with the first 0 length argument (so it is not possible to specify an
* empty component with this function). Call krb5_free_principal() to free
* allocated memory for principal when it is no longer needed.
*
* @code
* Example of how to build principal WELLKNOWN/ANONYMOUS@R
* krb5_build_principal_ext(context, &principal, strlen("R"), "R",
* (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR),
* KRB5_WELLKNOWN_NAMESTR,
* (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR),
* KRB5_ANONYMOUS_PRINCSTR, 0);
* @endcode
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV_C
krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
unsigned int rlen, const char * realm, ...);
/**
* Build a principal name using null-terminated strings.
*
* @param [in] context Library context
* @param [out] princ Principal name
* @param [in] rlen Realm name length
* @param [in] realm Realm name
* @param [in] ... List of char * components, ending with NULL
*
* Call krb5_free_principal() to free @a princ when it is no longer needed.
*
* @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the
* same task. krb5_build_principal() takes variadic arguments.
* krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer.
*
* @code
* Example of how to build principal H/S@R
* krb5_build_principal(context, &principal,
* strlen("R"), "R", "H", "S", (char*)NULL);
* @endcode
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV_C
krb5_build_principal(krb5_context context,
krb5_principal * princ,
unsigned int rlen,
const char * realm, ...)
#if __GNUC__ >= 4
__attribute__ ((sentinel))
#endif
;
#if KRB5_DEPRECATED
/** @deprecated Replaced by krb5_build_principal_alloc_va(). */
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_build_principal_va(krb5_context context,
krb5_principal princ,
unsigned int rlen,
const char *realm,
va_list ap);
#endif
/**
* Build a principal name, using a precomputed variable argument list
*
* @param [in] context Library context
* @param [out] princ Principal structure
* @param [in] rlen Realm name length
* @param [in] realm Realm name
* @param [in] ap List of char * components, ending with NULL
*
* Similar to krb5_build_principal(), this function builds a principal name,
* but its name components are specified as a va_list.
*
* Use krb5_free_principal() to deallocate @a princ when it is no longer
* needed.
*
* @code
* Function usage example:
* va_list ap;
* va_start(ap, realm);
* krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
* va_end(ap);
* @endcode
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_build_principal_alloc_va(krb5_context context,
krb5_principal *princ,
unsigned int rlen,
const char *realm,
va_list ap);
/**
* Convert a Kerberos V4 principal to a Kerberos V5 principal.
*
* @param [in] context Library context
* @param [in] name V4 name
* @param [in] instance V4 instance
* @param [in] realm Realm
* @param [out] princ V5 principal
*
* This function builds a @a princ from V4 specification based on given input
* @a name.instance\@realm.
*
* Use krb5_free_principal() to free @a princ when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_425_conv_principal(krb5_context context, const char *name,
const char *instance, const char *realm,
krb5_principal *princ);
/**
* Convert a Kerberos V5 principal to a Kerberos V4 principal.
*
* @param [in] context Library context
* @param [in] princ V5 Principal
* @param [out] name V4 principal's name to be filled in
* @param [out] inst V4 principal's instance name to be filled in
* @param [out] realm Principal's realm name to be filled in
*
* This function separates a V5 principal @a princ into @a name, @a instance,
* and @a realm.
*
* @retval
* 0 Success
* @retval
* KRB5_INVALID_PRINCIPAL Invalid principal name
* @retval
* KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
char *name, char *inst, char *realm);
/**
*@deprecated
*/
struct credentials;
/**
* Convert a Kerberos V5 credentials to a Kerberos V4 credentials
*
* @note Not implemented
*
* @retval KRB524_KRB4_DISABLED (always)
*/
int KRB5_CALLCONV
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
struct credentials *v4creds);
#if KRB5_DEPRECATED
#define krb524_convert_creds_kdc krb5_524_convert_creds
#define krb524_init_ets(x) (0)
#endif
/* libkt.spec */
/**
* Get a handle for a key table.
*
* @param [in] context Library context
* @param [in] name Name of the key table
* @param [out] ktid Key table handle
*
* Resolve the key table name @a name and set @a ktid to a handle identifying
* the key table. The key table is not opened.
*
* @note @a name must be of the form @c type:residual, where @a type must be a
* type known to the library and @a residual portion should be specific to the
* particular keytab type.
*
* @sa krb5_kt_close()
*
* @code
* Example: krb5_kt_resolve(context, "FILE:/tmp/filename", &ktid);
* @endcode
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid);
/**
* Duplicate keytab handle.
*
* @param [in] context Library context
* @param [in] in Key table handle to be duplicated
* @param [out] out Key table handle
*
* Create a new handle referring to the same key table as @a in. The new
* handle and @a in can be closed independently.
*
* @version New in 1.12
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out);
/**
* Get the default key table name.
*
* @param [in] context Library context
* @param [out] name Default key table name
* @param [in] name_size Space available in @a name
*
* Fill @a name with the name of the default key table for @a context.
*
* @sa MAX_KEYTAB_NAME_LEN
*
* @retval
* 0 Success
* @retval
* KRB5_CONFIG_NOTENUFSPACE Buffer is too short
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_default_name(krb5_context context, char *name, int name_size);
/**
* Resolve the default key table.
*
* @param [in] context Library context
* @param [out] id Key table handle
*
* Set @a id to a handle to the default key table. The key table is not
* opened.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_default(krb5_context context, krb5_keytab *id);
/**
* Resolve the default client key table.
*
* @param [in] context Library context
* @param [out] keytab_out Key table handle
*
* Fill @a keytab_out with a handle to the default client key table.
*
* @version New in 1.11
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out);
/**
* Free the contents of a key table entry.
*
* @param [in] context Library context
* @param [in] entry Key table entry whose contents are to be freed
*
* @note The pointer is not freed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry);
/** @deprecated Use krb5_free_keytab_entry_contents instead. */
krb5_error_code KRB5_CALLCONV
krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry);
/* remove and add are functions, so that they can return NOWRITE
if not a writable keytab */
/**
* Remove an entry from a key table.
*
* @param [in] context Library context
* @param [in] id Key table handle
* @param [in] entry Entry to remove from key table
*
* @retval
* 0 Success
* @retval
* KRB5_KT_NOWRITE Key table is not writable
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
/**
* Add a new entry to a key table.
*
* @param [in] context Library context
* @param [in] id Key table handle
* @param [in] entry Entry to be added
*
* @retval
* 0 Success
* @retval
* ENOMEM Insufficient memory
* @retval
* KRB5_KT_NOWRITE Key table is not writeable
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
/**
* Convert a principal name into the default salt for that principal.
*
* @param [in] context Library context
* @param [in] pr Principal name
* @param [out] ret Default salt for @a pr to be filled in
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV_WRONG
krb5_principal2salt(krb5_context context,
register krb5_const_principal pr, krb5_data *ret);
/* librc.spec--see rcache.h */
/* libcc.spec */
/**
* Resolve a credential cache name.
*
* @param [in] context Library context
* @param [in] name Credential cache name to be resolved
* @param [out] cache Credential cache handle
*
* Fills in @a cache with a @a cache handle that corresponds to the name in @a
* name. @a name should be of the form @c type:residual, and @a type must be a
* type known to the library. If the @a name does not contain a colon,
* interpret it as a file name.
*
* @code
* Example: krb5_cc_resolve(context, "MEMORY:C_", &cache);
* @endcode
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache);
/**
* Duplicate ccache handle.
*
* @param [in] context Library context
* @param [in] in Credential cache handle to be duplicated
* @param [out] out Credential cache handle
*
* Create a new handle referring to the same cache as @a in.
* The new handle and @a in can be closed independently.
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out);
/**
* Return the name of the default credential cache.
*
* @param [in] context Library context
*
* Return a pointer to the default credential cache name for @a context, as
* determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME
* environment variable, by the default_ccache_name profile variable, or by the
* operating system or build-time default value. The returned value must not
* be modified or freed by the caller. The returned value becomes invalid when
* @a context is destroyed krb5_free_context() or if a subsequent call to
* krb5_cc_set_default_name() is made on @a context.
*
* The default credential cache name is cached in @a context between calls to
* this function, so if the value of KRB5CCNAME changes in the process
* environment after the first call to this function on, that change will not
* be reflected in later calls with the same context. The caller can invoke
* krb5_cc_set_default_name() with a NULL value of @a name to clear the cached
* value and force the default name to be recomputed.
*
* @return
* Name of default credential cache for the current user.
*/
const char *KRB5_CALLCONV
krb5_cc_default_name(krb5_context context);
/**
* Set the default credential cache name.
*
* @param [in] context Library context
* @param [in] name Default credential cache name or NULL
*
* Set the default credential cache name to @a name for future operations using
* @a context. If @a name is NULL, clear any previous application-set default
* name and forget any cached value of the default name for @a context.
*
* Calls to this function invalidate the result of any previous calls to
* krb5_cc_default_name() using @a context.
*
* @retval
* 0 Success
* @retval
* KV5M_CONTEXT Bad magic number for @c _krb5_context structure
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_set_default_name(krb5_context context, const char *name);
/**
* Resolve the default credential cache name.
*
* @param [in] context Library context
* @param [out] ccache Pointer to credential cache name
*
* Create a handle to the default credential cache as given by
* krb5_cc_default_name().
*
* @retval
* 0 Success
* @retval
* KV5M_CONTEXT Bad magic number for @c _krb5_context structure
* @retval
* KRB5_FCC_INTERNAL The name of the default credential cache cannot be
* obtained
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_default(krb5_context context, krb5_ccache *ccache);
/**
* Copy a credential cache.
*
* @param [in] context Library context
* @param [in] incc Credential cache to be copied
* @param [out] outcc Copy of credential cache to be filled in
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc);
/**
* Get a configuration value from a credential cache.
*
* @param [in] context Library context
* @param [in] id Credential cache handle
* @param [in] principal Configuration for this principal;
* if NULL, global for the whole cache
* @param [in] key Name of config variable
* @param [out] data Data to be fetched
*
* Use krb5_free_data_contents() to free @a data when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_get_config(krb5_context context, krb5_ccache id,
krb5_const_principal principal,
const char *key, krb5_data *data);
/**
* Store a configuration value in a credential cache.
*
* @param [in] context Library context
* @param [in] id Credential cache handle
* @param [in] principal Configuration for a specific principal;
* if NULL, global for the whole cache
* @param [in] key Name of config variable
* @param [in] data Data to store, or NULL to remove
*
* @note Existing configuration under the same key is over-written.
*
* @warning Before version 1.10 @a data was assumed to be always non-null.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_set_config(krb5_context context, krb5_ccache id,
krb5_const_principal principal,
const char *key, krb5_data *data);
/**
* Test whether a principal is a configuration principal.
*
* @param [in] context Library context
* @param [in] principal Principal to check
*
* @return
* @c TRUE if the principal is a configuration principal (generated part of
* krb5_cc_set_config()); @c FALSE otherwise.
*/
krb5_boolean KRB5_CALLCONV
krb5_is_config_principal(krb5_context context, krb5_const_principal principal);
/**
* Make a credential cache the primary cache for its collection.
*
* @param [in] context Library context
* @param [in] cache Credential cache handle
*
* If the type of @a cache supports it, set @a cache to be the primary
* credential cache for the collection it belongs to.
*
* @retval
* 0 Success, or the type of @a cache doesn't support switching
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_switch(krb5_context context, krb5_ccache cache);
/**
* Determine whether a credential cache type supports switching.
*
* @param [in] context Library context
* @param [in] type Credential cache type
*
* @version New in 1.10
*
* @retval TRUE if @a type supports switching
* @retval FALSE if it does not or is not a valid credential cache type.
*/
krb5_boolean KRB5_CALLCONV
krb5_cc_support_switch(krb5_context context, const char *type);
/**
* Find a credential cache with a specified client principal.
*
* @param [in] context Library context
* @param [in] client Client principal
* @param [out] cache_out Credential cache handle
*
* Find a cache within the collection whose default principal is @a client.
* Use @a krb5_cc_close to close @a ccache when it is no longer needed.
*
* @retval 0 Success
* @retval KRB5_CC_NOTFOUND
*
* @sa krb5_cccol_cursor_new
*
* @version New in 1.10
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_cache_match(krb5_context context, krb5_principal client,
krb5_ccache *cache_out);
/**
* Select a credential cache to use with a server principal.
*
* @param [in] context Library context
* @param [in] server Server principal
* @param [out] cache_out Credential cache handle
* @param [out] princ_out Client principal
*
* Select a cache within the collection containing credentials most appropriate
* for use with @a server, according to configured rules and heuristics.
*
* Use krb5_cc_close() to release @a cache_out when it is no longer needed.
* Use krb5_free_principal() to release @a princ_out when it is no longer
* needed. Note that @a princ_out is set in some error conditions.
*
* @return
* If an appropriate cache is found, 0 is returned, @a cache_out is set to the
* selected cache, and @a princ_out is set to the default principal of that
* cache.
*
* If the appropriate client principal can be authoritatively determined but
* the cache collection contains no credentials for that principal, then
* KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out
* is set to the appropriate client principal.
*
* If no configured mechanism can determine the appropriate cache or principal,
* KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to
* NULL.
*
* Any other error code indicates a fatal error in the processing of a cache
* selection mechanism.
*
* @version New in 1.10
*/
krb5_error_code KRB5_CALLCONV
krb5_cc_select(krb5_context context, krb5_principal server,
krb5_ccache *cache_out, krb5_principal *princ_out);
/* krb5_free.c */
/**
* Free the storage assigned to a principal.
*
* @param [in] context Library context
* @param [in] val Principal to be freed
*/
void KRB5_CALLCONV
krb5_free_principal(krb5_context context, krb5_principal val);
/**
* Free a krb5_authenticator structure.
*
* @param [in] context Library context
* @param [in] val Authenticator structure to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_authenticator(krb5_context context, krb5_authenticator *val);
/**
* Free the data stored in array of addresses.
*
* @param [in] context Library context
* @param [in] val Array of addresses to be freed
*
* This function frees the contents of @a val and the array itself.
*
* @note The last entry in the array must be a NULL pointer.
*/
void KRB5_CALLCONV
krb5_free_addresses(krb5_context context, krb5_address **val);
/**
* Free the storage assigned to array of authentication data.
*
* @param [in] context Library context
* @param [in] val Array of authentication data to be freed
*
* This function frees the contents of @a val and the array itself.
*
* @note The last entry in the array must be a NULL pointer.
*/
void KRB5_CALLCONV
krb5_free_authdata(krb5_context context, krb5_authdata **val);
/**
* Free a ticket.
*
* @param [in] context Library context
* @param [in] val Ticket to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_ticket(krb5_context context, krb5_ticket *val);
/**
* Free an error allocated by krb5_read_error() or krb5_sendauth().
*
* @param [in] context Library context
* @param [in] val Error data structure to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_error(krb5_context context, register krb5_error *val);
/**
* Free a krb5_creds structure.
*
* @param [in] context Library context
* @param [in] val Credential structure to be freed.
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_creds(krb5_context context, krb5_creds *val);
/**
* Free the contents of a krb5_creds structure.
*
* @param [in] context Library context
* @param [in] val Credential structure to free contents of
*
* This function frees the contents of @a val, but not the structure itself.
*/
void KRB5_CALLCONV
krb5_free_cred_contents(krb5_context context, krb5_creds *val);
/**
* Free a krb5_checksum structure.
*
* @param [in] context Library context
* @param [in] val Checksum structure to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_checksum(krb5_context context, register krb5_checksum *val);
/**
* Free the contents of a krb5_checksum structure.
*
* @param [in] context Library context
* @param [in] val Checksum structure to free contents of
*
* This function frees the contents of @a val, but not the structure itself.
*/
void KRB5_CALLCONV
krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val);
/**
* Free a krb5_keyblock structure.
*
* @param [in] context Library context
* @param [in] val Keyblock to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_keyblock(krb5_context context, register krb5_keyblock *val);
/**
* Free the contents of a krb5_keyblock structure.
*
* @param [in] context Library context
* @param [in] key Keyblock to be freed
*
* This function frees the contents of @a key, but not the structure itself.
*/
void KRB5_CALLCONV
krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key);
/**
* Free a krb5_ap_rep_enc_part structure.
*
* @param [in] context Library context
* @param [in] val AP-REP enc part to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
/**
* Free a krb5_data structure.
*
* @param [in] context Library context
* @param [in] val Data structure to be freed
*
* This function frees the contents of @a val and the structure itself.
*/
void KRB5_CALLCONV
krb5_free_data(krb5_context context, krb5_data *val);
/* Free a krb5_octet_data structure (should be unused). */
void KRB5_CALLCONV
krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
/**
* Free the contents of a krb5_data structure and zero the data field.
*
* @param [in] context Library context
* @param [in] val Data structure to free contents of
*
* This function frees the contents of @a val, but not the structure itself.
*/
void KRB5_CALLCONV
krb5_free_data_contents(krb5_context context, krb5_data *val);
/**
* Free a string representation of a principal.
*
* @param [in] context Library context
* @param [in] val Name string to be freed
*/
void KRB5_CALLCONV
krb5_free_unparsed_name(krb5_context context, char *val);
/**
* Free a string allocated by a krb5 function.
*
* @param [in] context Library context
* @param [in] val String to be freed
*
* @version New in 1.10
*/
void KRB5_CALLCONV
krb5_free_string(krb5_context context, char *val);
/**
* Free an array of encryption types.
*
* @param [in] context Library context
* @param [in] val Array of enctypes to be freed
*
* @version New in 1.12
*/
void KRB5_CALLCONV
krb5_free_enctypes(krb5_context context, krb5_enctype *val);
/**
* Free an array of checksum types.
*
* @param [in] context Library context
* @param [in] val Array of checksum types to be freed
*/
void KRB5_CALLCONV
krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val);
/* From krb5/os, but needed by the outside world */
/**
* Retrieve the system time of day, in sec and ms, since the epoch.
*
* @param [in] context Library context
* @param [out] seconds System timeofday, seconds portion
* @param [out] microseconds System timeofday, microseconds portion
*
* This function retrieves the system time of day with the context
* specific time offset adjustment.
*
* @sa krb5_crypto_us_timeofday()
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_us_timeofday(krb5_context context,
krb5_timestamp *seconds, krb5_int32 *microseconds);
/**
* Retrieve the current time with context specific time offset adjustment.
*
* @param [in] context Library context
* @param [out] timeret Timestamp to fill in
*
* This function retrieves the system time of day with the context specific
* time offset adjustment.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
/**
* Check if a timestamp is within the allowed clock skew of the current time.
*
* @param [in] context Library context
* @param [in] date Timestamp to check
*
* This function checks if @a date is close enough to the current time
* according to the configured allowable clock skew.
*
* @version New in 1.10
*
* @retval 0 Success
* @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
*/
krb5_error_code KRB5_CALLCONV
krb5_check_clockskew(krb5_context context, krb5_timestamp date);
/**
* Return all interface addresses for this host.
*
* @param [in] context Library context
* @param [out] addr Array of krb5_address pointers, ending with
* NULL
*
* Use krb5_free_addresses() to free @a addr when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_os_localaddr(krb5_context context, krb5_address ***addr);
/**
* Retrieve the default realm.
*
* @param [in] context Library context
* @param [out] lrealm Default realm name
*
* Retrieves the default realm to be used if no user-specified realm is
* available.
*
* Use krb5_free_default_realm() to free @a lrealm when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_default_realm(krb5_context context, char **lrealm);
/**
* Override the default realm for the specified context.
*
* @param [in] context Library context
* @param [in] lrealm Realm name for the default realm
*
* If @a lrealm is NULL, clear the default realm setting.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_set_default_realm(krb5_context context, const char *lrealm);
/**
* Free a default realm string returned by krb5_get_default_realm().
*
* @param [in] context Library context
* @param [in] lrealm Realm to be freed
*/
void KRB5_CALLCONV
krb5_free_default_realm(krb5_context context, char *lrealm);
/**
* Generate a full principal name from a service name.
*
* @param [in] context Library context
* @param [in] hostname Host name, or NULL to use local host
* @param [in] sname Service name, or NULL to use @c "host"
* @param [in] type Principal type
* @param [out] ret_princ Generated principal
*
* This function converts a @a hostname and @a sname into @a krb5_principal
* structure @a ret_princ. The returned principal will be of the form @a
* sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm().
* In some cases this may be the referral (empty) realm.
*
* The @a type can be one of the following:
*
* @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the
* realm and generating the principal.
*
* @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not
* canonicalize it.
*
* Use krb5_free_principal to free @a ret_princ when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname,
krb5_int32 type, krb5_principal *ret_princ);
/**
* Test whether a principal matches a matching principal.
*
* @param [in] context Library context
* @param [in] matching Matching principal
* @param [in] princ Principal to test
*
* @note A matching principal is a host-based principal with an empty realm
* and/or second data component (hostname). Profile configuration may cause
* the hostname to be ignored even if it is present. A principal matches a
* matching principal if the former has the same non-empty (and non-ignored)
* components of the latter.
*
* If @a matching is NULL, return TRUE. If @a matching is not a matching
* principal, return the value of krb5_principal_compare(context, matching,
* princ).
*
* @return
* TRUE if @a princ matches @a matching, FALSE otherwise.
*/
krb5_boolean KRB5_CALLCONV
krb5_sname_match(krb5_context context, krb5_const_principal matching,
krb5_const_principal princ);
/**
* Change a password for an existing Kerberos account.
*
* @param [in] context Library context
* @param [in] creds Credentials for kadmin/changepw service
* @param [in] newpw New password
* @param [out] result_code Numeric error code from server
* @param [out] result_code_string String equivalent to @a result_code
* @param [out] result_string Change password response from the KDC
*
* Change the password for the existing principal identified by @a creds.
*
* The possible values of the output @a result_code are:
*
* @li #KRB5_KPASSWD_SUCCESS (0) - success
* @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
* @li #KRB5_KPASSWD_HARDERROR (2) - Server error
* @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
* @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw,
int *result_code, krb5_data *result_code_string,
krb5_data *result_string);
/**
* Set a password for a principal using specified credentials.
*
* @param [in] context Library context
* @param [in] creds Credentials for kadmin/changepw service
* @param [in] newpw New password
* @param [in] change_password_for Change the password for this principal
* @param [out] result_code Numeric error code from server
* @param [out] result_code_string String equivalent to @a result_code
* @param [out] result_string Data returned from the remote system
*
* This function uses the credentials @a creds to set the password @a newpw for
* the principal @a change_password_for. It implements the set password
* operation of RFC 3244, for interoperability with Microsoft Windows
* implementations.
*
* @note If @a change_password_for is NULL, the change is performed on the
* current principal. If @a change_password_for is non-null, the change is
* performed on the principal name passed in @a change_password_for.
*
* The error code and strings are returned in @a result_code,
* @a result_code_string and @a result_string.
*
* @sa krb5_set_password_using_ccache()
*
* @retval
* 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
* @return
* Kerberos error codes.
*/
krb5_error_code KRB5_CALLCONV
krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
krb5_principal change_password_for, int *result_code,
krb5_data *result_code_string, krb5_data *result_string);
/**
* Set a password for a principal using cached credentials.
*
* @param [in] context Library context
* @param [in] ccache Credential cache
* @param [in] newpw New password
* @param [in] change_password_for Change the password for this principal
* @param [out] result_code Numeric error code from server
* @param [out] result_code_string String equivalent to @a result_code
* @param [out] result_string Data returned from the remote system
*
* This function uses the cached credentials from @a ccache to set the password
* @a newpw for the principal @a change_password_for. It implements RFC 3244
* set password operation (interoperable with MS Windows implementations) using
* the credential cache.
*
* The error code and strings are returned in @a result_code,
* @a result_code_string and @a result_string.
*
* @note If @a change_password_for is set to NULL, the change is performed on
* the default principal in @a ccache. If @a change_password_for is non null,
* the change is performed on the specified principal.
*
* @sa krb5_set_password()
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
char *newpw, krb5_principal change_password_for,
int *result_code, krb5_data *result_code_string,
krb5_data *result_string);
/**
* Get a result message for changing or setting a password.
*
* @param [in] context Library context
* @param [in] server_string Data returned from the remote system
* @param [out] message_out A message displayable to the user
*
* This function processes the @a server_string returned in the @a
* result_string parameter of krb5_change_password(), krb5_set_password(), and
* related functions, and returns a displayable string. If @a server_string
* contains Active Directory structured policy information, it will be
* converted into human-readable text.
*
* Use krb5_free_string() to free @a message_out when it is no longer needed.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_chpw_message(krb5_context context, const krb5_data *server_string,
char **message_out);
/**
* Retrieve configuration profile from the context.
*
* @param [in] context Library context
* @param [out] profile Pointer to data read from a configuration file
*
* This function creates a new @a profile object that reflects profile
* in the supplied @a context.
*
* The @a profile object may be freed with profile_release() function.
* See profile.h and profile API for more details.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_profile(krb5_context context, struct _profile_t ** profile);
#if KRB5_DEPRECATED
/** @deprecated Replaced by krb5_get_init_creds_password().*/
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
krb5_address *const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types,
const char *password, krb5_ccache ccache,
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
/** @deprecated Replaced by krb5_get_init_creds(). */
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
krb5_address *const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types,
const krb5_keyblock *key, krb5_ccache ccache,
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
/** @deprecated Replaced by krb5_get_init_creds_keytab(). */
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
krb5_address *const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types,
krb5_keytab arg_keytab, krb5_ccache ccache,
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
#endif /* KRB5_DEPRECATED */
/**
* Parse and decrypt a @c KRB_AP_REQ message.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] inbuf AP-REQ message to be parsed
* @param [in] server Matching principal for server, or NULL to
* allow any principal in keytab
* @param [in] keytab Key table, or NULL to use the default
* @param [out] ap_req_options If non-null, the AP-REQ flags on output
* @param [out] ticket If non-null, ticket from the AP-REQ message
*
* This function parses, decrypts and verifies a AP-REQ message from @a inbuf
* and stores the authenticator in @a auth_context.
*
* If a keyblock was specified in @a auth_context using
* krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in
* AP-REQ message and @a keytab is ignored. In this case, @a server should be
* specified as a complete principal name to allow for proper transited-path
* checking and replay cache selection.
*
* Otherwise, the decryption key is obtained from @a keytab, or from the
* default keytab if it is NULL. In this case, @a server may be a complete
* principal name, a matching principal (see krb5_sname_match()), or NULL to
* match any principal name. The keys tried against the encrypted part of the
* ticket are determined as follows:
*
* - If @a server is a complete principal name, then its entry in @a keytab is
* tried.
* - Otherwise, if @a keytab is iterable, then all entries in @a keytab which
* match @a server are tried.
* - Otherwise, the server principal in the ticket must match @a server, and
* its entry in @a keytab is tried.
*
* The client specified in the decrypted authenticator must match the client
* specified in the decrypted ticket.
*
* If the @a remote_addr field of @a auth_context is set, the request must come
* from that address.
*
* If a replay cache handle is provided in the @a auth_context, the
* authenticator and ticket are verified against it. If no conflict is found,
* the new authenticator is then stored in the replay cache of @a auth_context.
*
* Various other checks are performed on the decoded data, including
* cross-realm policy, clockskew, and ticket validation times.
*
* On success the authenticator, subkey, and remote sequence number of the
* request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED
* bit is set, the local sequence number is XORed with the remote sequence
* number in the request.
*
* Use krb5_free_ticket() to free @a ticket when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
const krb5_data *inbuf, krb5_const_principal server,
krb5_keytab keytab, krb5_flags *ap_req_options,
krb5_ticket **ticket);
/**
* Retrieve a service key from a key table.
*
* @param [in] context Library context
* @param [in] keyprocarg Name of a key table (NULL to use default name)
* @param [in] principal Service principal
* @param [in] vno Key version number (0 for highest available)
* @param [in] enctype Encryption type (0 for any type)
* @param [out] key Service key from key table
*
* Open and search the specified key table for the entry identified by @a
* principal, @a enctype, and @a vno. If no key is found, return an error code.
*
* The default key table is used, unless @a keyprocarg is non-null.
* @a keyprocarg designates a specific key table.
*
* Use krb5_free_keyblock() to free @a key when it is no longer needed.
*
* @retval
* 0 Success
* @return Kerberos error code if not found or @a keyprocarg is invalid.
*/
krb5_error_code KRB5_CALLCONV
krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg,
krb5_principal principal, krb5_kvno vno,
krb5_enctype enctype, krb5_keyblock **key);
/**
* Format a @c KRB-SAFE message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] userdata User data in the message
* @param [out] outbuf Formatted @c KRB-SAFE buffer
* @param [out] outdata Replay data. Specify NULL if not needed
*
* This function creates an integrity protected @c KRB-SAFE message
* using data supplied by the application.
*
* Fields in @a auth_context specify the checksum type, the keyblock that
* can be used to seed the checksum, full addresses (host and port) for
* the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags.
*
* The local address in @a auth_context must be set, and is used to form the
* sender address used in the KRB-SAFE message. The remote address is
* optional; if specified, it will be used to form the receiver address used in
* the message.
*
* If #KRB5_AUTH_CONTEXT_DO_TIME flag is set in the @a auth_context, an entry
* describing the message is entered in the replay cache @a
* auth_context->rcache which enables the caller to detect if this message is
* reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, the
* replay cache is not used.
*
* If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the @a auth_context local sequence
* number will be placed in @a outdata as its sequence number.
*
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.
*
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
const krb5_data *userdata, krb5_data *outbuf,
krb5_replay_data *outdata);
/**
* Format a @c KRB-PRIV message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] userdata User data for @c KRB-PRIV message
* @param [out] outbuf Formatted @c KRB-PRIV message
* @param [out] outdata Replay cache handle (NULL if not needed)
*
* This function is similar to krb5_mk_safe(), but the message is encrypted and
* integrity-protected, not just integrity-protected.
*
* The local address in @a auth_context must be set, and is used to form the
* sender address used in the KRB-SAFE message. The remote address is
* optional; if specified, it will be used to form the receiver address used in
* the message.
*
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in @a auth_context, the @a
* outdata is required.
*
* @note The flags from @a auth_context specify whether sequence numbers or
* timestamps will be used to identify the message. Valid values are:
*
* @li #KRB5_AUTH_CONTEXT_DO_TIME - Use timestamps in @a outdata
* @li #KRB5_AUTH_CONTEXT_RET_TIME - Copy timestamp to @a outdata.
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE - Use local sequence numbers from
* @a auth_context in replay cache.
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE - Use local sequence numbers from
* @a auth_context as a sequence number
* in the encrypted message @a outbuf.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
const krb5_data *userdata, krb5_data *outbuf,
krb5_replay_data *outdata);
/**
* Client function for @c sendauth protocol.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] fd File descriptor that describes network socket
* @param [in] appl_version Application protocol version to be matched
* with the receiver's application version
* @param [in] client Client principal
* @param [in] server Server principal
* @param [in] ap_req_options @ref AP_OPTS options
* @param [in] in_data Data to be sent to the server
* @param [in] in_creds Input credentials, or NULL to use @a ccache
* @param [in] ccache Credential cache
* @param [out] error If non-null, contains KRB_ERROR message
* returned from server
* @param [out] rep_result If non-null and @a ap_req_options is
* #AP_OPTS_MUTUAL_REQUIRED, contains the result
* of mutual authentication exchange
* @param [out] out_creds If non-null, the retrieved credentials
*
* This function performs the client side of a sendauth/recvauth exchange by
* sending and receiving messages over @a fd.
*
* Credentials may be specified in three ways:
*
* @li If @a in_creds is NULL, credentials are obtained with
* krb5_get_credentials() using the principals @a client and @a server. @a
* server must be non-null; @a client may NULL to use the default principal of
* @a ccache.
*
* @li If @a in_creds is non-null, but does not contain a ticket, credentials
* for the exchange are obtained with krb5_get_credentials() using @a in_creds.
* In this case, the values of @a client and @a server are unused.
*
* @li If @a in_creds is a complete credentials structure, it used directly.
* In this case, the values of @a client, @a server, and @a ccache are unused.
*
* If the server is using a different application protocol than that specified
* in @a appl_version, an error will be returned.
*
* Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to
* free @a rep_result, and krb5_free_error() to free @a error when they are no
* longer needed.
*
* @sa krb5_recvauth()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
krb5_pointer fd, char *appl_version, krb5_principal client,
krb5_principal server, krb5_flags ap_req_options,
krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
krb5_error **error, krb5_ap_rep_enc_part **rep_result,
krb5_creds **out_creds);
/**
* Server function for @a sendauth protocol.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] fd File descriptor
* @param [in] appl_version Application protocol version to be matched
* against the client's application version
* @param [in] server Server principal (NULL for any in @a keytab)
* @param [in] flags Additional specifications
* @param [in] keytab Key table containing service keys
* @param [out] ticket Ticket (NULL if not needed)
*
* This function performs the server side of a sendauth/recvauth exchange by
* sending and receiving messages over @a fd.
*
* Use krb5_free_ticket() to free @a ticket when it is no longer needed.
*
* @sa krb5_sendauth()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_recvauth(krb5_context context, krb5_auth_context *auth_context,
krb5_pointer fd, char *appl_version, krb5_principal server,
krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket);
/**
* Server function for @a sendauth protocol with version parameter.
*
* @param [in] context Library context
* @param [in,out] auth_context Pre-existing or newly created auth context
* @param [in] fd File descriptor
* @param [in] server Server principal (NULL for any in @a keytab)
* @param [in] flags Additional specifications
* @param [in] keytab Decryption key
* @param [out] ticket Ticket (NULL if not needed)
* @param [out] version sendauth protocol version (NULL if not needed)
*
* This function is similar to krb5_recvauth() with the additional output
* information place into @a version.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_recvauth_version(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer fd,
krb5_principal server,
krb5_int32 flags,
krb5_keytab keytab,
krb5_ticket **ticket,
krb5_data *version);
/**
* Format a @c KRB-CRED message for an array of credentials.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] ppcreds Null-terminated array of credentials
* @param [out] ppdata Encoded credentials
* @param [out] outdata Replay cache information (NULL if not needed)
*
* This function takes an array of credentials @a ppcreds and formats
* a @c KRB-CRED message @a ppdata to pass to krb5_rd_cred().
*
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
* flag is set in @a auth_context, @a outdata is required.
*
* The message will be encrypted using the send subkey of @a auth_context if it
* is present, or the session key otherwise.
*
* @retval
* 0 Success
* @retval
* ENOMEM Insufficient memory
* @retval
* KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
krb5_creds **ppcreds, krb5_data **ppdata,
krb5_replay_data *outdata);
/**
* Format a @c KRB-CRED message for a single set of credentials.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] pcreds Pointer to credentials
* @param [out] ppdata Encoded credentials
* @param [out] outdata Replay cache data (NULL if not needed)
*
* This is a convenience function that calls krb5_mk_ncred() with a single set
* of credentials.
*
* @retval
* 0 Success
* @retval
* ENOMEM Insufficient memory
* @retval
* KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
krb5_creds *pcreds, krb5_data **ppdata,
krb5_replay_data *outdata);
/**
* Read and validate a @c KRB-CRED message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] pcreddata @c KRB-CRED message
* @param [out] pppcreds Null-terminated array of forwarded credentials
* @param [out] outdata Replay data (NULL if not needed)
*
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.`
*
* @a pcreddata will be decrypted using the receiving subkey if it is present
* in @a auth_context, or the session key if the receiving subkey is not
* present or fails to decrypt the message.
*
* Use krb5_free_tgt_creds() to free @a pppcreds when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
krb5_data *pcreddata, krb5_creds ***pppcreds,
krb5_replay_data *outdata);
/**
* Get a forwarded TGT and format a @c KRB-CRED message.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] rhost Remote host
* @param [in] client Client principal of TGT
* @param [in] server Principal of server to receive TGT
* @param [in] cc Credential cache handle (NULL to use default)
* @param [in] forwardable Whether TGT should be forwardable
* @param [out] outbuf KRB-CRED message
*
* Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED
* message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST,
* the second component of @a server will be used.
*
* @retval
* 0 Success
* @retval
* ENOMEM Insufficient memory
* @retval
* KRB5_PRINC_NOMATCH Requested principal and ticket do not match
* @retval
* KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
* @retval
* KRB5_CC_BADNAME Credential cache name or principal name malformed
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
char *rhost, krb5_principal client, krb5_principal server,
krb5_ccache cc, int forwardable, krb5_data *outbuf);
/**
* Create and initialize an authentication context.
*
* @param [in] context Library context
* @param [out] auth_context Authentication context
*
* This function creates an authentication context to hold configuration and
* state relevant to krb5 functions for authenticating principals and
* protecting messages once authentication has occurred.
*
* By default, flags for the context are set to enable the use of the replay
* cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use
* krb5_auth_con_setflags() to change the flags.
*
* The allocated @a auth_context must be freed with krb5_auth_con_free() when
* it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);
/**
* Free a krb5_auth_context structure.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context to be freed
*
* This function frees an auth context allocated by krb5_auth_con_init().
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
/**
* Set a flags field in a krb5_auth_context structure.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] flags Flags bit mask
*
* Valid values for @a flags are:
* @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
* @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags);
/**
* Retrieve flags from a krb5_auth_context structure.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] flags Flags bit mask
*
* Valid values for @a flags are:
* @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
* @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
krb5_int32 *flags);
/**
* Set a checksum callback in an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] func Checksum callback
* @param [in] data Callback argument
*
* Set a callback to obtain checksum data in krb5_mk_req(). The callback will
* be invoked after the subkey and local sequence number are stored in @a
* auth_context.
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_checksum_func( krb5_context context,
krb5_auth_context auth_context,
krb5_mk_req_checksum_func func,
void *data);
/**
* Get the checksum callback from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] func Checksum callback
* @param [out] data Callback argument
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_get_checksum_func( krb5_context context,
krb5_auth_context auth_context,
krb5_mk_req_checksum_func *func,
void **data);
/**
* Set the local and remote addresses in an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] local_addr Local address
* @param [in] remote_addr Remote address
*
* This function releases the storage assigned to the contents of the local and
* remote addresses of @a auth_context and then sets them to @a local_addr and
* @a remote_addr respectively.
*
* @sa krb5_auth_con_genaddrs()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV_WRONG
krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
krb5_address *local_addr, krb5_address *remote_addr);
/**
* Retrieve address fields from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] local_addr Local address (NULL if not needed)
* @param [out] remote_addr Remote address (NULL if not needed)
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
krb5_address **local_addr, krb5_address **remote_addr);
/**
* Set local and remote port fields in an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] local_port Local port
* @param [in] remote_port Remote port
*
* This function releases the storage assigned to the contents of the local and
* remote ports of @a auth_context and then sets them to @a local_port and @a
* remote_port respectively.
*
* @sa krb5_auth_con_genaddrs()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context,
krb5_address *local_port, krb5_address *remote_port);
/**
* Set the session key in an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] keyblock User key
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock *keyblock);
/**
* Retrieve the session key from an auth context as a keyblock.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] keyblock Session key
*
* This function creates a keyblock containing the session key from @a
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
* longer needed
*
* @retval 0 Success. Otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
/**
* Retrieve the session key from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] key Session key
*
* This function sets @a key to the session key from @a auth_context. Use
* krb5_k_free_key() to release @a key when it is no longer needed.
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
krb5_key *key);
/**
* Retrieve the send subkey from an auth context as a keyblock.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [out] keyblock Send subkey
*
* This function creates a keyblock containing the send subkey from @a
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
* longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
/**
* Retrieve the send subkey from an auth context.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [out] key Send subkey
*
* This function sets @a key to the send subkey from @a auth_context. Use
* krb5_k_free_key() to release @a key when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
krb5_key *key);
/**
* Retrieve the receiving subkey from an auth context as a keyblock.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [out] keyblock Receiving subkey
*
* This function creates a keyblock containing the receiving subkey from @a
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
* longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
/**
* Retrieve the receiving subkey from an auth context as a keyblock.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [out] key Receiving subkey
*
* This function sets @a key to the receiving subkey from @a auth_context. Use
* krb5_k_free_key() to release @a key when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key);
/**
* Set the send subkey in an auth context with a keyblock.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [in] keyblock Send subkey
*
* This function sets the send subkey in @a ac to a copy of @a keyblock.
*
* @retval 0 Success. Otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac,
krb5_keyblock *keyblock);
/**
* Set the send subkey in an auth context.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [out] key Send subkey
*
* This function sets the send subkey in @a ac to @a key, incrementing its
* reference count.
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key);
/**
* Set the receiving subkey in an auth context with a keyblock.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [in] keyblock Receiving subkey
*
* This function sets the receiving subkey in @a ac to a copy of @a keyblock.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac,
krb5_keyblock *keyblock);
/**
* Set the receiving subkey in an auth context.
*
* @param [in] ctx Library context
* @param [in] ac Authentication context
* @param [in] key Receiving subkey
*
* This function sets the receiving subkey in @a ac to @a key, incrementing its
* reference count.
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
krb5_key key);
#if KRB5_DEPRECATED
/** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
/** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
#endif
/**
* Retrieve the local sequence number from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] seqnumber Local sequence number
*
* Retrieve the local sequence number from @a auth_context and return it in @a
* seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
* auth_context for this function to be useful.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context,
krb5_int32 *seqnumber);
/**
* Retrieve the remote sequence number from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] seqnumber Remote sequence number
*
* Retrieve the remote sequence number from @a auth_context and return it in @a
* seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
* auth_context for this function to be useful.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context,
krb5_int32 *seqnumber);
#if KRB5_DEPRECATED
/** @deprecated Not replaced.
*
* RFC 4120 doesn't have anything like the initvector concept;
* only really old protocols may need this API.
*/
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
#endif
/**
* Set the replay cache in an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] rcache Replay cache haddle
*
* This function sets the replay cache in @a auth_context to @a rcache. @a
* rcache will be closed when @a auth_context is freed, so the caller should
* relinguish that responsibility.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context,
krb5_rcache rcache);
/**
* Retrieve the replay cache from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] rcache Replay cache handle
*
* This function fetches the replay cache from @a auth_context. The caller
* should not close @a rcache.
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV_WRONG
krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context,
krb5_rcache *rcache);
/**
* Retrieve the authenticator from an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [out] authenticator Authenticator
*
* Use krb5_free_authenticator() to free @a authenticator when it is no longer
* needed.
*
* @retval 0 Success. Otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context,
krb5_authenticator **authenticator);
/**
* Set checksum type in an an auth context.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] cksumtype Checksum type
*
* This function sets the checksum type in @a auth_context to be used by
* krb5_mk_req() for the authenticator checksum.
*
* @retval 0 Success. Otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context,
krb5_cksumtype cksumtype);
#define KRB5_REALM_BRANCH_CHAR '.'
/*
* end "func-proto.h"
*/
/*
* begin stuff from libos.h
*/
/**
* @brief Read a password from keyboard input.
*
* @param [in] context Library context
* @param [in] prompt First user prompt when reading password
* @param [in] prompt2 Second user prompt (NULL to prompt only once)
* @param [out] return_pwd Returned password
* @param [in,out] size_return On input, maximum size of password; on output,
* size of password read
*
* This function reads a password from keyboard input and stores it in @a
* return_pwd. @a size_return should be set by the caller to the amount of
* storage space available in @a return_pwd; on successful return, it will be
* set to the length of the password read.
*
* @a prompt is printed to the terminal, followed by ": ", and then a password
* is read from the keyboard.
*
* If @a prompt2 is NULL, the password is read only once. Otherwise, @a
* prompt2 is printed to the terminal and a second password is read. If the
* two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.
*
* Echoing is turned off when the password is read.
*
* @retval
* 0 Success
* @return
* Error in reading or verifying the password
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_read_password(krb5_context context,
const char *prompt, const char *prompt2,
char *return_pwd, unsigned int *size_return);
/**
* Convert a principal name to a local name.
*
* @param [in] context Library context
* @param [in] aname Principal name
* @param [in] lnsize_in Space available in @a lname
* @param [out] lname Local name buffer to be filled in
*
* If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is
* returned. If @a lnsize_in is too small for the local name,
* KRB5_CONFIG_NOTENUFSPACE is returned.
*
* Local names, rather than principal names, can be used by programs that
* translate to an environment-specific name (for example, a user account
* name).
*
* @retval
* 0 Success
* @retval
* System errors
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_aname_to_localname(krb5_context context, krb5_const_principal aname,
int lnsize_in, char *lname);
/**
* Get the Kerberos realm names for a host.
*
* @param [in] context Library context
* @param [in] host Host name (or NULL)
* @param [out] realmsp Null-terminated list of realm names
*
* Fill in @a realmsp with a pointer to a null-terminated list of realm names.
* If there are no known realms for the host, a list containing the referral
* (empty) realm is returned.
*
* If @a host is NULL, the local host's realms are determined.
*
* Use krb5_free_host_realm() to release @a realmsp when it is no longer
* needed.
*
* @retval
* 0 Success
* @retval
* ENOMEM Insufficient memory
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp);
/**
*
* @param [in] context Library context
* @param [in] hdata Host name (or NULL)
* @param [out] realmsp Null-terminated list of realm names
*
* Fill in @a realmsp with a pointer to a null-terminated list of realm names
* obtained through heuristics or insecure resolution methods which have lower
* priority than KDC referrals.
*
* If @a host is NULL, the local host's realms are determined.
*
* Use krb5_free_host_realm() to release @a realmsp when it is no longer
* needed.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_fallback_host_realm(krb5_context context,
krb5_data *hdata, char ***realmsp);
/**
* Free the memory allocated by krb5_get_host_realm().
*
* @param [in] context Library context
* @param [in] realmlist List of realm names to be released
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_free_host_realm(krb5_context context, char *const *realmlist);
/**
* Determine if a principal is authorized to log in as a local user.
*
* @param [in] context Library context
* @param [in] principal Principal name
* @param [in] luser Local username
*
* Determine whether @a principal is authorized to log in as a local user @a
* luser.
*
* @retval
* TRUE Principal is authorized to log in as user; FALSE otherwise.
*/
krb5_boolean KRB5_CALLCONV
krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser);
/**
* Generate auth context addresses from a connected socket.
*
* @param [in] context Library context
* @param [in] auth_context Authentication context
* @param [in] infd Connected socket descriptor
* @param [in] flags Flags
*
* This function sets the local and/or remote addresses in @a auth_context
* based on the local and remote endpoints of the socket @a infd. The
* following flags determine the operations performed:
*
* @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.
* @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.
* @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.
* @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context,
int infd, int flags);
/**
* Set time offset field in a krb5_context structure.
*
* @param [in] context Library context
* @param [in] seconds Real time, seconds portion
* @param [in] microseconds Real time, microseconds portion
*
* This function sets the time offset in @a context to the difference between
* the system time and the real time as determined by @a seconds and @a
* microseconds.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_set_real_time(krb5_context context, krb5_timestamp seconds,
krb5_int32 microseconds);
/**
* Return the time offsets from the os context.
*
* @param [in] context Library context
* @param [out] seconds Time offset, seconds portion
* @param [out] microseconds Time offset, microseconds portion
*
* This function returns the time offsets in @a context.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds);
/* str_conv.c */
/**
* Convert a string to an encryption type.
*
* @param [in] string String to convert to an encryption type
* @param [out] enctypep Encryption type
*
* @retval 0 Success; otherwise - EINVAL
*/
krb5_error_code KRB5_CALLCONV
krb5_string_to_enctype(char *string, krb5_enctype *enctypep);
/**
* Convert a string to a salt type.
*
* @param [in] string String to convert to an encryption type
* @param [out] salttypep Salt type to be filled in
*
* @retval 0 Success; otherwise - EINVAL
*/
krb5_error_code KRB5_CALLCONV
krb5_string_to_salttype(char *string, krb5_int32 *salttypep);
/**
* Convert a string to a checksum type.
*
* @param [in] string String to be converted
* @param [out] cksumtypep Checksum type to be filled in
*
* @retval 0 Success; otherwise - EINVAL
*/
krb5_error_code KRB5_CALLCONV
krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep);
/**
* Convert a string to a timestamp.
*
* @param [in] string String to be converted
* @param [out] timestampp Pointer to timestamp
*
* @retval 0 Success; otherwise - EINVAL
*/
krb5_error_code KRB5_CALLCONV
krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp);
/**
* Convert a string to a delta time value.
*
* @param [in] string String to be converted
* @param [out] deltatp Delta time to be filled in
*
* @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT
*/
krb5_error_code KRB5_CALLCONV
krb5_string_to_deltat(char *string, krb5_deltat *deltatp);
/**
* Convert an encryption type to a string.
*
* @param [in] enctype Encryption type
* @param [out] buffer Buffer to hold encryption type string
* @param [in] buflen Storage available in @a buffer
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen);
/**
* Convert an encryption type to a name or alias.
*
* @param [in] enctype Encryption type
* @param [in] shortest Flag
* @param [out] buffer Buffer to hold encryption type string
* @param [in] buflen Storage available in @a buffer
*
* If @a shortest is FALSE, this function returns the enctype's canonical name
* (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the
* enctype's shortest alias (like "aes128-cts").
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
char *buffer, size_t buflen);
/**
* Convert a salt type to a string.
*
* @param [in] salttype Salttype to convert
* @param [out] buffer Buffer to receive the converted string
* @param [in] buflen Storage available in @a buffer
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen);
/**
* Convert a checksum type to a string.
*
* @param [in] cksumtype Checksum type
* @param [out] buffer Buffer to hold converted checksum type
* @param [in] buflen Storage available in @a buffer
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen);
/**
* Convert a timestamp to a string.
*
* @param [in] timestamp Timestamp to convert
* @param [out] buffer Buffer to hold converted timestamp
* @param [in] buflen Storage available in @a buffer
*
* The string is returned in the locale's appropriate date and time
* representation.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen);
/**
* Convert a timestamp to a string, with optional output padding
*
* @param [in] timestamp Timestamp to convert
* @param [out] buffer Buffer to hold the converted timestamp
* @param [in] buflen Length of buffer
* @param [in] pad Optional value to pad @a buffer if converted
* timestamp does not fill it
*
* If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters
* with the value of *@a pad.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer,
size_t buflen, char *pad);
/**
* Convert a relative time value to a string.
*
* @param [in] deltat Relative time value to convert
* @param [out] buffer Buffer to hold time string
* @param [in] buflen Storage available in @a buffer
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen);
/* The name of the Kerberos ticket granting service... and its size */
#define KRB5_TGS_NAME "krbtgt"
#define KRB5_TGS_NAME_SIZE 6
/* flags for recvauth */
#define KRB5_RECVAUTH_SKIP_VERSION 0x0001
#define KRB5_RECVAUTH_BADAUTHVERS 0x0002
/* initial ticket api functions */
/** Text for prompt used in prompter callback function. */
typedef struct _krb5_prompt {
char *prompt; /**< The prompt to show to the user */
int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */
krb5_data *reply; /**< Must be allocated before call to prompt routine */
} krb5_prompt;
/** Pointer to a prompter callback function. */
typedef krb5_error_code
(KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, void *data,
const char *name, const char *banner,
int num_prompts, krb5_prompt prompts[]);
/**
* Prompt user for password.
*
* @param [in] context Library context
* @param data Unused (callback argument)
* @param [in] name Name to output during prompt
* @param [in] banner Banner to output during prompt
* @param [in] num_prompts Number of prompts in @a prompts
* @param [in] prompts Array of prompts and replies
*
* This function is intended to be used as a prompter callback for
* krb5_get_init_creds_password() or krb5_init_creds_init().
*
* Writes @a name and @a banner to stdout, each followed by a newline, then
* writes each prompt field in the @a prompts array, followed by ": ", and sets
* the reply field of the entry to a line of input read from stdin. If the
* hidden flag is set for a prompt, then terminal echoing is turned off when
* input is read.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*
*/
krb5_error_code KRB5_CALLCONV
krb5_prompter_posix(krb5_context context, void *data, const char *name,
const char *banner, int num_prompts,
krb5_prompt prompts[]);
/**
* Long-term password responder question
*
* This question is asked when the long-term password is needed. It has no
* challenge and the response is simply the password string.
*
* @version New in 1.11
*/
#define KRB5_RESPONDER_QUESTION_PASSWORD "password"
/**
* OTP responder question
*
* The OTP responder question is asked when the KDC indicates that an OTP
* value is required in order to complete the authentication. The JSON format
* of the challenge is:
*
* @n {
* @n "service": <string (optional)>,
* @n "tokenInfo": [
* @n {
* @n "flags": <number>,
* @n "vendor": <string (optional)>,
* @n "challenge": <string (optional)>,
* @n "length": <number (optional)>,
* @n "format": <number (optional)>,
* @n "tokenID": <string (optional)>,
* @n "algID": <string (optional)>,
* @n },
* @n ...
* @n ]
* @n }
*
* The answer to the question MUST be JSON formatted:
*
* @n {
* @n "tokeninfo": <number>,
* @n "value": <string (optional)>,
* @n "pin": <string (optional)>,
* @n }
*
* For more detail, please see RFC 6560.
*
* @version New in 1.11
*/
#define KRB5_RESPONDER_QUESTION_OTP "otp"
/**
* These format constants identify the format of the token value.
*/
#define KRB5_RESPONDER_OTP_FORMAT_DECIMAL 0
#define KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL 1
#define KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC 2
/**
* This flag indicates that the token value MUST be collected.
*/
#define KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN 0x0001
/**
* This flag indicates that the PIN value MUST be collected.
*/
#define KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN 0x0002
/**
* This flag indicates that the token is now in re-synchronization mode with
* the server. The user is expected to reply with the next code displayed on
* the token.
*/
#define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP 0x0004
/**
* This flag indicates that the PIN MUST be returned as a separate item. This
* flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If
* this flag is not set, the responder may either concatenate PIN + token value
* and store it as "value" in the answer or it may return them separately. If
* they are returned separately, they will be concatenated internally.
*/
#define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008
/**
* PKINIT responder question
*
* The PKINIT responder question is asked when the client needs a password
* that's being used to protect key information, and is formatted as a JSON
* object. A specific identity's flags value, if not zero, is the bitwise-OR
* of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined
* below, and possibly other flags to be added later. Any resemblance to
* similarly-named CKF_* values in the PKCS#11 API should not be depended on.
*
* @n {
* @n identity <string> : flags <number>,
* @n ...
* @n }
*
* The answer to the question MUST be JSON formatted:
*
* @n {
* @n identity <string> : password <string>,
* @n ...
* @n }
*
* @version New in 1.12
*/
#define KRB5_RESPONDER_QUESTION_PKINIT "pkinit"
/**
* This flag indicates that an incorrect PIN was supplied at least once since
* the last time the correct PIN was supplied.
*/
#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0)
/**
* This flag indicates that supplying an incorrect PIN will cause the token to
* lock itself.
*/
#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1)
/**
* This flag indicates that the user PIN is locked, and you can't log in to the
* token with it.
*/
#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2)
/**
* A container for a set of preauthentication questions and answers
*
* A responder context is supplied by the krb5 authentication system to a @ref
* krb5_responder_fn callback. It contains a list of questions and can receive
* answers. Questions contained in a responder context can be listed using
* krb5_responder_list_questions(), retrieved using
* krb5_responder_get_challenge(), or answered using
* krb5_responder_set_answer(). The form of a question's challenge and
* answer depend on the question name.
*
* @version New in 1.11
*/
typedef struct krb5_responder_context_st *krb5_responder_context;
/**
* List the question names contained in the responder context.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
*
* Return a pointer to a null-terminated list of question names which are
* present in @a rctx. The pointer is an alias, valid only as long as the
* lifetime of @a rctx, and should not be modified or freed by the caller. A
* question's challenge can be retrieved using krb5_responder_get_challenge()
* and answered using krb5_responder_set_answer().
*
* @version New in 1.11
*/
const char * const * KRB5_CALLCONV
krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx);
/**
* Retrieve the challenge data for a given question in the responder context.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] question Question name
*
* Return a pointer to a C string containing the challenge for @a question
* within @a rctx, or NULL if the question is not present in @a rctx. The
* structure of the question depends on the question name, but will always be
* printable UTF-8 text. The returned pointer is an alias, valid only as long
* as the lifetime of @a rctx, and should not be modified or freed by the
* caller.
*
* @version New in 1.11
*/
const char * KRB5_CALLCONV
krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx,
const char *question);
/**
* Answer a named question in the responder context.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] question Question name
* @param [in] answer The string to set (MUST be printable UTF-8)
*
* This function supplies an answer to @a question within @a rctx. The
* appropriate form of the answer depends on the question name.
*
* @retval EINVAL @a question is not present within @a rctx
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx,
const char *question, const char *answer);
/**
* Responder function for an initial credential exchange.
*
* @param [in] ctx Library context
* @param [in] data Callback data
* @param [in] rctx Responder context
*
* A responder function is like a prompter function, but is used for handling
* questions and answers as potentially complex data types. Client
* preauthentication modules will insert a set of named "questions" into
* the responder context. Each question may optionally contain a challenge.
* This challenge is printable UTF-8, but may be an encoded value. The
* precise encoding and contents of the challenge are specific to the question
* asked. When the responder is called, it should answer all the questions it
* understands. Like the challenge, the answer MUST be printable UTF-8, but
* may contain structured/encoded data formatted to the expected answer format
* of the question.
*
* If a required question is unanswered, the prompter may be called.
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5_responder_fn)(krb5_context ctx, void *data,
krb5_responder_context rctx);
typedef struct _krb5_responder_otp_tokeninfo {
krb5_flags flags;
krb5_int32 format; /* -1 when not specified. */
krb5_int32 length; /* -1 when not specified. */
char *vendor;
char *challenge;
char *token_id;
char *alg_id;
} krb5_responder_otp_tokeninfo;
typedef struct _krb5_responder_otp_challenge {
char *service;
krb5_responder_otp_tokeninfo **tokeninfo;
} krb5_responder_otp_challenge;
/**
* Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.
*
* A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP
* question challenge data, making it available in native C. The main feature
* of this function is the ability to interact with OTP tokens without parsing
* the JSON.
*
* The returned value must be passed to krb5_responder_otp_challenge_free() to
* be freed.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [out] chl Challenge structure
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_responder_otp_get_challenge(krb5_context ctx,
krb5_responder_context rctx,
krb5_responder_otp_challenge **chl);
/**
* Answer the KRB5_RESPONDER_QUESTION_OTP question.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] ti The index of the tokeninfo selected
* @param [in] value The value to set, or NULL for none
* @param [in] pin The pin to set, or NULL for none
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx,
size_t ti, const char *value, const char *pin);
/**
* Free the value returned by krb5_responder_otp_get_challenge().
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] chl The challenge to free
*
* @version New in 1.11
*/
void KRB5_CALLCONV
krb5_responder_otp_challenge_free(krb5_context ctx,
krb5_responder_context rctx,
krb5_responder_otp_challenge *chl);
typedef struct _krb5_responder_pkinit_identity {
char *identity;
krb5_int32 token_flags; /* 0 when not specified or not applicable. */
} krb5_responder_pkinit_identity;
typedef struct _krb5_responder_pkinit_challenge {
krb5_responder_pkinit_identity **identities;
} krb5_responder_pkinit_challenge;
/**
* Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.
*
* A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT
* question challenge data, making it available in native C. The main feature
* of this function is the ability to read the challenge without parsing
* the JSON.
*
* The returned value must be passed to krb5_responder_pkinit_challenge_free()
* to be freed.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [out] chl_out Challenge structure
*
* @version New in 1.12
*/
krb5_error_code KRB5_CALLCONV
krb5_responder_pkinit_get_challenge(krb5_context ctx,
krb5_responder_context rctx,
krb5_responder_pkinit_challenge **chl_out);
/**
* Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] identity The identity for which a PIN is being supplied
* @param [in] pin The provided PIN, or NULL for none
*
* @version New in 1.12
*/
krb5_error_code KRB5_CALLCONV
krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx,
const char *identity, const char *pin);
/**
* Free the value returned by krb5_responder_pkinit_get_challenge().
*
* @param [in] ctx Library context
* @param [in] rctx Responder context
* @param [in] chl The challenge to free
*
* @version New in 1.12
*/
void KRB5_CALLCONV
krb5_responder_pkinit_challenge_free(krb5_context ctx,
krb5_responder_context rctx,
krb5_responder_pkinit_challenge *chl);
/** Store options for @c _krb5_get_init_creds */
typedef struct _krb5_get_init_creds_opt {
krb5_flags flags;
krb5_deltat tkt_life;
krb5_deltat renew_life;
int forwardable;
int proxiable;
krb5_enctype *etype_list;
int etype_list_length;
krb5_address **address_list;
krb5_preauthtype *preauth_list;
int preauth_list_length;
krb5_data *salt;
} krb5_get_init_creds_opt;
#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001
#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002
#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004
#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008
#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010
#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
#define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200
#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400
/**
* Allocate a new initial credential options structure.
*
* @param [in] context Library context
* @param [out] opt New options structure
*
* This function is the preferred way to create an options structure for
* getting initial credentials, and is required to make use of certain options.
* Use krb5_get_init_creds_opt_free() to free @a opt when it is no longer
* needed.
*
* @retval 0 - Success; Kerberos errors otherwise.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_alloc(krb5_context context,
krb5_get_init_creds_opt **opt);
/**
* Free initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options structure to free
*
* @sa krb5_get_init_creds_opt_alloc()
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_free(krb5_context context,
krb5_get_init_creds_opt *opt);
/** @deprecated Use krb5_get_init_creds_opt_alloc() instead. */
void KRB5_CALLCONV
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
/**
* Set the ticket lifetime in initial credential options.
*
* @param [in] opt Options structure
* @param [in] tkt_life Ticket lifetime
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
krb5_deltat tkt_life);
/**
* Set the ticket renewal lifetime in initial credential options.
*
* @param [in] opt Pointer to @a options field
* @param [in] renew_life Ticket renewal lifetime
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
krb5_deltat renew_life);
/**
* Set or unset the forwardable flag in initial credential options.
*
* @param [in] opt Options structure
* @param [in] forwardable Whether credentials should be forwardable
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
int forwardable);
/**
* Set or unset the proxiable flag in initial credential options.
*
* @param [in] opt Options structure
* @param [in] proxiable Whether credentials should be proxiable
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
int proxiable);
/**
* Set or unset the canonicalize flag in initial credential options.
*
* @param [in] opt Options structure
* @param [in] canonicalize Whether to canonicalize client principal
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt,
int canonicalize);
/**
* Set or unset the anonymous flag in initial credential options.
*
* @param [in] opt Options structure
* @param [in] anonymous Whether to make an anonymous request
*
* This function may be used to request anonymous credentials from the KDC by
* setting @a anonymous to non-zero. Note that anonymous credentials are only
* a request; clients must verify that credentials are anonymous if that is a
* requirement.
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
int anonymous);
/**
* Set allowable encryption types in initial credential options.
*
* @param [in] opt Options structure
* @param [in] etype_list Array of encryption types
* @param [in] etype_list_length Length of @a etype_list
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
krb5_enctype *etype_list,
int etype_list_length);
/**
* Set address restrictions in initial credential options.
*
* @param [in] opt Options structure
* @param [in] addresses Null-terminated array of addresses
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
krb5_address **addresses);
/**
* Set preauthentication types in initial credential options.
*
* @param [in] opt Options structure
* @param [in] preauth_list Array of preauthentication types
* @param [in] preauth_list_length Length of @a preauth_list
*
* This function can be used to perform optimistic preauthentication when
* getting initial credentials, in combination with
* krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa().
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
krb5_preauthtype *preauth_list,
int preauth_list_length);
/**
* Set salt for optimistic preauthentication in initial credential options.
*
* @param [in] opt Options structure
* @param [in] salt Salt data
*
* When getting initial credentials with a password, a salt string it used to
* convert the password to a key. Normally this salt is obtained from the
* first KDC reply, but when performing optimistic preauthentication, the
* client may need to supply the salt string with this function.
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
krb5_data *salt);
/**
* Set or unset change-password-prompt flag in initial credential options.
*
* @param [in] opt Options structure
* @param [in] prompt Whether to prompt to change password
*
* This flag is on by default. It controls whether
* krb5_get_init_creds_password() will react to an expired-password error by
* prompting for a new password and attempting to change the old one.
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
int prompt);
/** Generic preauth option attribute/value pairs */
typedef struct _krb5_gic_opt_pa_data {
char *attr;
char *value;
} krb5_gic_opt_pa_data;
/**
* Supply options for preauthentication in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options structure
* @param [in] attr Preauthentication option name
* @param [in] value Preauthentication option value
*
* This function allows the caller to supply options for preauthentication.
* The values of @a attr and @a value are supplied to each preauthentication
* module available within @a context.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa(krb5_context context,
krb5_get_init_creds_opt *opt, const char *attr,
const char *value);
/**
* Set location of FAST armor ccache in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [in] fast_ccache_name Credential cache name
*
* Sets the location of a credential cache containing an armor ticket to
* protect an initial credential exchange using the FAST protocol extension.
*
* In version 1.7, setting an armor ccache requires that FAST be used for the
* exchange. In version 1.8 or later, setting the armor ccache causes FAST to
* be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags()
* must be used to require that FAST be used.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
krb5_get_init_creds_opt *opt,
const char *fast_ccache_name);
/**
* Set FAST armor cache in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [in] ccache Credential cache handle
*
* This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(),
* but uses a credential cache handle instead of a name.
*
* @version New in 1.9
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_ccache ccache);
/**
* Set an input credential cache in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [in] ccache Credential cache handle
*
* If an input credential cache is set, then the krb5_get_init_creds family of
* APIs will read settings from it. Setting an input ccache is desirable when
* the application wishes to perform authentication in the same way (using the
* same preauthentication mechanisms, and making the same non-security-
* sensitive choices) as the previous authentication attempt, which stored
* information in the passed-in ccache.
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_in_ccache(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_ccache ccache);
/**
* Set an output credential cache in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [in] ccache Credential cache handle
*
* If an output credential cache is set, then the krb5_get_init_creds family of
* APIs will write credentials to it. Setting an output ccache is desirable
* both because it simplifies calling code and because it permits the
* krb5_get_init_creds APIs to write out configuration information about the
* realm to the ccache.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_ccache ccache);
/**
* Set FAST flags in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [in] flags FAST flags
*
* The following flag values are valid:
* @li #KRB5_FAST_REQUIRED - Require FAST to be used
*
* @retval
* 0 - Success; Kerberos errors otherwise.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_flags flags);
/**
* Retrieve FAST flags from initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options
* @param [out] out_flags FAST flags
*
* @retval
* 0 - Success; Kerberos errors otherwise.
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_flags *out_flags);
/* Fast flags*/
#define KRB5_FAST_REQUIRED 0x0001 /**< Require KDC to support FAST*/
typedef void
(KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data,
krb5_timestamp password_expiration,
krb5_timestamp account_expiration,
krb5_boolean is_last_req);
/**
* Set an expiration callback in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options structure
* @param [in] cb Callback function
* @param [in] data Callback argument
*
* Set a callback to receive password and account expiration times.
*
* This option only applies to krb5_get_init_creds_password(). @a cb will be
* invoked if and only if credentials are successfully acquired. The callback
* will receive the @a context from the krb5_get_init_creds_password() call and
* the @a data argument supplied with this API. The remaining arguments should
* be interpreted as follows:
*
* If @a is_last_req is true, then the KDC reply contained last-req entries
* which unambiguously indicated the password expiration, account expiration,
* or both. (If either value was not present, the corresponding argument will
* be 0.) Furthermore, a non-zero @a password_expiration should be taken as a
* suggestion from the KDC that a warning be displayed.
*
* If @a is_last_req is false, then @a account_expiration will be 0 and @a
* password_expiration will contain the expiration time of either the password
* or account, or 0 if no expiration time was indicated in the KDC reply. The
* callback should independently decide whether to display a password
* expiration warning.
*
* Note that @a cb may be invoked even if credentials are being acquired for
* the kadmin/changepw service in order to change the password. It is the
* caller's responsibility to avoid displaying a password expiry warning in
* this case.
*
* @warning Setting an expire callback with this API will cause
* krb5_get_init_creds_password() not to send password expiry warnings to the
* prompter, as it ordinarily may.
*
* @version New in 1.9
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_expire_callback(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_expire_callback_func cb,
void *data);
/**
* Set the responder function in initial credential options.
*
* @param [in] context Library context
* @param [in] opt Options structure
* @param [in] responder Responder function
* @param [in] data Responder data argument
*
* @version New in 1.11
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_responder(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_responder_fn responder, void *data);
/**
* Get initial credentials using a password.
*
* @param [in] context Library context
* @param [out] creds New credentials
* @param [in] client Client principal
* @param [in] password Password (or NULL)
* @param [in] prompter Prompter function
* @param [in] data Prompter callback data
* @param [in] start_time Time when ticket becomes valid (0 for now)
* @param [in] in_tkt_service Service name of initial credentials (or NULL)
* @param [in] k5_gic_options Initial credential options
*
* This function requests KDC for an initial credentials for @a client using @a
* password. If @a password is NULL, a password will be prompted for using @a
* prompter if necessary. If @a in_tkt_service is specified, it is parsed as a
* principal name (with the realm ignored) and used as the service principal
* for the request; otherwise the ticket-granting service is used.
*
* @sa krb5_verify_init_creds()
*
* @retval
* 0 Success
* @retval
* EINVAL Invalid argument
* @retval
* KRB5_KDC_UNREACH Cannot contact any KDC for requested realm
* @retval
* KRB5_PREAUTH_FAILED Generic Pre-athentication failure
* @retval
* KRB5_LIBOS_PWDINTR Password read interrupted
* @retval
* KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm
* @retval
* KRB5KDC_ERR_KEY_EXP Password has expired
* @retval
* KRB5_LIBOS_BADPWDMATCH Password mismatch
* @retval
* KRB5_CHPW_PWDNULL New password cannot be zero length
* @retval
* KRB5_CHPW_FAIL Password change failed
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
krb5_principal client, const char *password,
krb5_prompter_fct prompter, void *data,
krb5_deltat start_time,
const char *in_tkt_service,
krb5_get_init_creds_opt *k5_gic_options);
struct _krb5_init_creds_context;
typedef struct _krb5_init_creds_context *krb5_init_creds_context;
#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */
/**
* Free an initial credentials context.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
*/
void KRB5_CALLCONV
krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
/**
* Acquire credentials using an initial credentials context.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
*
* This function synchronously obtains credentials using a context created by
* krb5_init_creds_init(). On successful return, the credentials can be
* retrieved with krb5_init_creds_get_creds().
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx);
/**
* Retrieve acquired credentials from an initial credentials context.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [out] creds Acquired credentials
*
* This function copies the acquired initial credentials from @a ctx into @a
* creds, after the successful completion of krb5_init_creds_get() or
* krb5_init_creds_step(). Use krb5_free_cred_contents() to free @a creds when
* it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx,
krb5_creds *creds);
/**
* Get the last error from KDC from an initial credentials context.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [out] error Error from KDC, or NULL if none was received
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
krb5_error **error);
/**
* Create a context for acquiring initial credentials.
*
* @param [in] context Library context
* @param [in] client Client principal to get initial creds for
* @param [in] prompter Prompter callback
* @param [in] data Prompter callback argument
* @param [in] start_time Time when credentials become valid (0 for now)
* @param [in] options Options structure (NULL for default)
* @param [out] ctx New initial credentials context
*
* This function creates a new context for acquiring initial credentials. Use
* krb5_init_creds_free() to free @a ctx when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_init(krb5_context context, krb5_principal client,
krb5_prompter_fct prompter, void *data,
krb5_deltat start_time, krb5_get_init_creds_opt *options,
krb5_init_creds_context *ctx);
/**
* Specify a keytab to use for acquiring initial credentials.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [in] keytab Key table handle
*
* This function supplies a keytab containing the client key for an initial
* credentials request.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
krb5_keytab keytab);
/**
* Get the next KDC request for acquiring initial credentials.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [in] in KDC response (empty on the first call)
* @param [out] out Next KDC request
* @param [out] realm Realm for next KDC request
* @param [out] flags Output flags
*
* This function constructs the next KDC request in an initial credential
* exchange, allowing the caller to control the transport of KDC requests and
* replies. On the first call, @a in should be set to an empty buffer; on
* subsequent calls, it should be set to the KDC's reply to the previous
* request.
*
* If more requests are needed, @a flags will be set to
* #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in
* @a out. If no more requests are needed, @a flags will not contain
* #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty.
*
* If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should
* transmit the next request using TCP rather than UDP. If this function
* returns any other error, the initial credential exchange has failed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx,
krb5_data *in, krb5_data *out, krb5_data *realm,
unsigned int *flags);
/**
* Set a password for acquiring initial credentials.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [in] password Password
*
* This function supplies a password to be used to construct the client key for
* an initial credentials request.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx,
const char *password);
/**
* Specify a service principal for acquiring initial credentials.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [in] service Service principal string
*
* This function supplies a service principal string to acquire initial
* credentials for instead of the default krbtgt service. @a service is parsed
* as a principal name; any realm part is ignored.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx,
const char *service);
/**
* Retrieve ticket times from an initial credentials context.
*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
* @param [out] times Ticket times for acquired credentials
*
* The initial credentials context must have completed obtaining credentials
* via either krb5_init_creds_get() or krb5_init_creds_step().
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx,
krb5_ticket_times *times);
struct _krb5_tkt_creds_context;
typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context;
/**
* Create a context to get credentials from a KDC's Ticket Granting Service.
*
* @param[in] context Library context
* @param[in] ccache Credential cache handle
* @param[in] creds Input credentials
* @param[in] options @ref KRB5_GC options for this request.
* @param[out] ctx New TGS request context
*
* This function prepares to obtain credentials matching @a creds, either by
* retrieving them from @a ccache or by making requests to ticket-granting
* services beginning with a ticket-granting ticket for the client principal's
* realm.
*
* The resulting TGS acquisition context can be used asynchronously with
* krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also
* krb5_get_credentials() for synchronous use.
*
* Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed.
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache,
krb5_creds *creds, krb5_flags options,
krb5_tkt_creds_context *ctx);
/**
* Synchronously obtain credentials using a TGS request context.
*
* @param[in] context Library context
* @param[in] ctx TGS request context
*
* This function synchronously obtains credentials using a context created by
* krb5_tkt_creds_init(). On successful return, the credentials can be
* retrieved with krb5_tkt_creds_get_creds().
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx);
/**
* Retrieve acquired credentials from a TGS request context.
*
* @param[in] context Library context
* @param[in] ctx TGS request context
* @param[out] creds Acquired credentials
*
* This function copies the acquired initial credentials from @a ctx into @a
* creds, after the successful completion of krb5_tkt_creds_get() or
* krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when
* it is no longer needed.
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx,
krb5_creds *creds);
/**
* Free a TGS request context.
*
* @param[in] context Library context
* @param[in] ctx TGS request context
*
* @version New in 1.9
*/
void KRB5_CALLCONV
krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx);
#define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */
/**
* Get the next KDC request in a TGS exchange.
*
* @param[in] context Library context
* @param[in] ctx TGS request context
* @param[in] in KDC response (empty on the first call)
* @param[out] out Next KDC request
* @param[out] realm Realm for next KDC request
* @param[out] flags Output flags
*
* This function constructs the next KDC request for a TGS exchange, allowing
* the caller to control the transport of KDC requests and replies. On the
* first call, @a in should be set to an empty buffer; on subsequent calls, it
* should be set to the KDC's reply to the previous request.
*
* If more requests are needed, @a flags will be set to
* #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in @a
* out. If no more requests are needed, @a flags will not contain
* #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty.
*
* If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should
* transmit the next request using TCP rather than UDP. If this function
* returns any other error, the TGS exchange has failed.
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx,
krb5_data *in, krb5_data *out, krb5_data *realm,
unsigned int *flags);
/**
* Retrieve ticket times from a TGS request context.
*
* @param[in] context Library context
* @param[in] ctx TGS request context
* @param[out] times Ticket times for acquired credentials
*
* The TGS request context must have completed obtaining credentials via either
* krb5_tkt_creds_get() or krb5_tkt_creds_step().
*
* @version New in 1.9
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx,
krb5_ticket_times *times);
/**
* Get initial credentials using a key table.
*
* @param [in] context Library context
* @param [out] creds New credentials
* @param [in] client Client principal
* @param [in] arg_keytab Key table handle
* @param [in] start_time Time when ticket becomes valid (0 for now)
* @param [in] in_tkt_service Service name of initial credentials (or NLUL)
* @param [in] k5_gic_options Initial credential options
*
* This function requests KDC for an initial credentials for @a client using a
* client key stored in @a arg_keytab. If @a in_tkt_service is specified, it
* is parsed as a principal name (with the realm ignored) and used as the
* service principal for the request; otherwise the ticket-granting service is
* used.
*
* @sa krb5_verify_init_creds()
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
krb5_principal client, krb5_keytab arg_keytab,
krb5_deltat start_time, const char *in_tkt_service,
krb5_get_init_creds_opt *k5_gic_options);
typedef struct _krb5_verify_init_creds_opt {
krb5_flags flags;
int ap_req_nofail; /**< boolean */
} krb5_verify_init_creds_opt;
#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001
/**
* Initialize a credential verification options structure.
*
* @param [in] k5_vic_options Verification options structure
*/
void KRB5_CALLCONV
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options);
/**
* Set whether credential verification is required.
*
* @param [in] k5_vic_options Verification options structure
* @param [in] ap_req_nofail Whether to require successful verification
*
* This function determines how krb5_verify_init_creds() behaves if no keytab
* information is available. If @a ap_req_nofail is @c FALSE, verification
* will be skipped in this case and krb5_verify_init_creds() will return
* successfully. If @a ap_req_nofail is @c TRUE, krb5_verify_init_creds() will
* not return successfully unless verification can be performed.
*
* If this function is not used, the behavior of krb5_verify_init_creds() is
* determined through configuration.
*/
void KRB5_CALLCONV
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options,
int ap_req_nofail);
/**
* Verify initial credentials against a keytab.
*
* @param [in] context Library context
* @param [in] creds Initial credentials to be verified
* @param [in] server Server principal (or NULL)
* @param [in] keytab Key table (NULL to use default keytab)
* @param [in] ccache Credential cache for fetched creds (or NULL)
* @param [in] options Verification options (NULL for default options)
*
* This function attempts to verify that @a creds were obtained from a KDC with
* knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL.
* If @a server is provided, the highest-kvno key entry for that principal name
* is used to verify the credentials; otherwise, all unique "host" service
* principals in the keytab are tried.
*
* If the specified keytab does not exist, or is empty, or cannot be read, or
* does not contain an entry for @a server, then credential verification may be
* skipped unless configuration demands that it succeed. The caller can
* control this behavior by providing a verification options structure; see
* krb5_verify_init_creds_opt_init() and
* krb5_verify_init_creds_opt_set_ap_req_nofail().
*
* If @a ccache is NULL, any additional credentials fetched during the
* verification process will be destroyed. If @a ccache points to NULL, a
* memory ccache will be created for the additional credentials and returned in
* @a ccache. If @a ccache points to a valid credential cache handle, the
* additional credentials will be stored in that cache.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
krb5_principal server, krb5_keytab keytab,
krb5_ccache *ccache,
krb5_verify_init_creds_opt *options);
/**
* Get validated credentials from the KDC.
*
* @param [in] context Library context
* @param [out] creds Validated credentials
* @param [in] client Client principal name
* @param [in] ccache Credential cache
* @param [in] in_tkt_service Server principal string (or NULL)
*
* This function gets a validated credential using a postdated credential from
* @a ccache. If @a in_tkt_service is specified, it is parsed (with the realm
* part ignored) and used as the server principal of the credential;
* otherwise, the ticket-granting service is used.
*
* If successful, the validated credential is placed in @a creds.
*
* @sa krb5_get_renewed_creds()
*
* @retval
* 0 Success
* @retval
* KRB5_NO_2ND_TKT Request missing second ticket
* @retval
* KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
* @retval
* KRB5_PRINC_NOMATCH Requested principal and ticket do not match
* @retval
* KRB5_KDCREP_MODIFIED KDC reply did not match expectations
* @retval
* KRB5_KDCREP_SKEW Clock skew too great in KDC reply
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_validated_creds(krb5_context context, krb5_creds *creds,
krb5_principal client, krb5_ccache ccache,
const char *in_tkt_service);
/**
* Get renewed credential from KDC using an existing credential.
*
* @param [in] context Library context
* @param [out] creds Renewed credentials
* @param [in] client Client principal name
* @param [in] ccache Credential cache
* @param [in] in_tkt_service Server principal string (or NULL)
*
* This function gets a renewed credential using an existing one from @a
* ccache. If @a in_tkt_service is specified, it is parsed (with the realm
* part ignored) and used as the server principal of the credential; otherwise,
* the ticket-granting service is used.
*
* If successful, the renewed credential is placed in @a creds.
*
* @retval
* 0 Success
* @return
* Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_get_renewed_creds(krb5_context context, krb5_creds *creds,
krb5_principal client, krb5_ccache ccache,
const char *in_tkt_service);
/**
* Decode an ASN.1-formatted ticket.
*
* @param [in] code ASN.1-formatted ticket
* @param [out] rep Decoded ticket information
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep);
/**
* Retrieve a string value from the appdefaults section of krb5.conf.
*
* @param [in] context Library context
* @param [in] appname Application name
* @param [in] realm Realm name
* @param [in] option Option to be checked
* @param [in] default_value Default value to return if no match is found
* @param [out] ret_value String value of @a option
*
* This function gets the application defaults for @a option based on the given
* @a appname and/or @a realm.
*
* @sa krb5_appdefault_boolean()
*/
void KRB5_CALLCONV
krb5_appdefault_string(krb5_context context, const char *appname,
const krb5_data *realm, const char *option,
const char *default_value, char ** ret_value);
/**
* Retrieve a boolean value from the appdefaults section of krb5.conf.
*
* @param [in] context Library context
* @param [in] appname Application name
* @param [in] realm Realm name
* @param [in] option Option to be checked
* @param [in] default_value Default value to return if no match is found
* @param [out] ret_value Boolean value of @a option
*
* This function gets the application defaults for @a option based on the given
* @a appname and/or @a realm.
*
* @sa krb5_appdefault_string()
*/
void KRB5_CALLCONV
krb5_appdefault_boolean(krb5_context context, const char *appname,
const krb5_data *realm, const char *option,
int default_value, int *ret_value);
/*
* Prompter enhancements
*/
/** Prompt for password */
#define KRB5_PROMPT_TYPE_PASSWORD 0x1
/** Prompt for new password (during password change) */
#define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2
/** Prompt for new password again */
#define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3
/** Prompt for preauthentication data (such as an OTP value) */
#define KRB5_PROMPT_TYPE_PREAUTH 0x4
typedef krb5_int32 krb5_prompt_type;
/**
* Get prompt types array from a context.
*
* @param [in] context Library context
*
* @return
* Pointer to an array of prompt types corresponding to the prompter's @a
* prompts arguments. Each type has one of the following values:
* @li #KRB5_PROMPT_TYPE_PASSWORD
* @li #KRB5_PROMPT_TYPE_NEW_PASSWORD
* @li #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
* @li #KRB5_PROMPT_TYPE_PREAUTH
*/
krb5_prompt_type* KRB5_CALLCONV
krb5_get_prompt_types(krb5_context context);
/* Error reporting */
/**
* Set an extended error message for an error code.
*
* @param [in] ctx Library context
* @param [in] code Error code
* @param [in] fmt Error string for the error code
* @param [in] ... printf(3) style parameters
*/
void KRB5_CALLCONV_C
krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
#if !defined(__cplusplus) && (__GNUC__ > 2)
__attribute__((__format__(__printf__, 3, 4)))
#endif
;
/**
* Set an extended error message for an error code using a va_list.
*
* @param [in] ctx Library context
* @param [in] code Error code
* @param [in] fmt Error string for the error code
* @param [in] args List of vprintf(3) style arguments
*/
void KRB5_CALLCONV
krb5_vset_error_message(krb5_context ctx, krb5_error_code code,
const char *fmt, va_list args)
#if !defined(__cplusplus) && (__GNUC__ > 2)
__attribute__((__format__(__printf__, 3, 0)))
#endif
;
/**
* Copy the most recent extended error message from one context to another.
*
* @param [in] dest_ctx Library context to copy message to
* @param [in] src_ctx Library context with current message
*/
void KRB5_CALLCONV
krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx);
/**
* Get the (possibly extended) error message for a code.
*
* @param [in] ctx Library context
* @param [in] code Error code
*
* The behavior of krb5_get_error_message() is only defined the first time it
* is called after a failed call to a krb5 function using the same context, and
* only when the error code passed in is the same as that returned by the krb5
* function.
*
* This function never returns NULL, so its result may be used unconditionally
* as a C string.
*
* The string returned by this function must be freed using
* krb5_free_error_message()
*
* @note Future versions may return the same string for the second
* and following calls.
*/
const char * KRB5_CALLCONV
krb5_get_error_message(krb5_context ctx, krb5_error_code code);
/**
* Free an error message generated by krb5_get_error_message().
*
* @param [in] ctx Library context
* @param [in] msg Pointer to error message
*/
void KRB5_CALLCONV
krb5_free_error_message(krb5_context ctx, const char *msg);
/**
* Clear the extended error message in a context.
*
* @param [in] ctx Library context
*
* This function unsets the extended error message in a context, to ensure that
* it is not mistakenly applied to another occurrence of the same error code.
*/
void KRB5_CALLCONV
krb5_clear_error_message(krb5_context ctx);
/**
* Unwrap authorization data.
*
* @param [in] context Library context
* @param [in] type @ref KRB5_AUTHDATA type of @a container
* @param [in] container Authorization data to be decoded
* @param [out] authdata List of decoded authorization data
*
* @sa krb5_encode_authdata_container()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_decode_authdata_container(krb5_context context,
krb5_authdatatype type,
const krb5_authdata *container,
krb5_authdata ***authdata);
/**
* Wrap authorization data in a container.
*
* @param [in] context Library context
* @param [in] type @ref KRB5_AUTHDATA type of @a container
* @param [in] authdata List of authorization data to be encoded
* @param [out] container List of encoded authorization data
*
* The result is returned in @a container as a single-element list.
*
* @sa krb5_decode_authdata_container()
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_encode_authdata_container(krb5_context context,
krb5_authdatatype type,
krb5_authdata * const*authdata,
krb5_authdata ***container);
/*
* AD-KDCIssued
*/
/**
* Encode and sign AD-KDCIssued authorization data.
*
* @param [in] context Library context
* @param [in] key Session key
* @param [in] issuer The name of the issuing principal
* @param [in] authdata List of authorization data to be signed
* @param [out] ad_kdcissued List containing AD-KDCIssued authdata
*
* This function wraps a list of authorization data entries @a authdata in an
* AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with @a key.
* The result is returned in @a ad_kdcissued as a single-element list.
*/
krb5_error_code KRB5_CALLCONV
krb5_make_authdata_kdc_issued(krb5_context context,
const krb5_keyblock *key,
krb5_const_principal issuer,
krb5_authdata *const *authdata,
krb5_authdata ***ad_kdcissued);
/**
* Unwrap and verify AD-KDCIssued authorization data.
*
* @param [in] context Library context
* @param [in] key Session key
* @param [in] ad_kdcissued AD-KDCIssued authorization data to be unwrapped
* @param [out] issuer Name of issuing principal (or NULL)
* @param [out] authdata Unwrapped list of authorization data
*
* This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section
* 5.2.6.2) and verifies its signature against @a key. The issuer field of the
* authdatum element is returned in @a issuer, and the unwrapped list of
* authdata is returned in @a authdata.
*/
krb5_error_code KRB5_CALLCONV
krb5_verify_authdata_kdc_issued(krb5_context context,
const krb5_keyblock *key,
const krb5_authdata *ad_kdcissued,
krb5_principal *issuer,
krb5_authdata ***authdata);
/*
* Windows PAC
*/
/* Microsoft defined types of data */
#define KRB5_PAC_LOGON_INFO 1 /**< Logon information */
#define KRB5_PAC_CREDENTIALS_INFO 2 /**< Credentials information */
#define KRB5_PAC_SERVER_CHECKSUM 6 /**< Server checksum */
#define KRB5_PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */
#define KRB5_PAC_CLIENT_INFO 10 /**< Client name and ticket info */
#define KRB5_PAC_DELEGATION_INFO 11 /**< Constrained delegation info */
#define KRB5_PAC_UPN_DNS_INFO 12 /**< User principal name and DNS info */
struct krb5_pac_data;
/** PAC data structure to convey authorization information */
typedef struct krb5_pac_data *krb5_pac;
/**
* Add a buffer to a PAC handle.
*
* @param [in] context Library context
* @param [in] pac PAC handle
* @param [in] type Buffer type
* @param [in] data contents
*
* This function adds a buffer of type @a type and contents @a data to @a pac
* if there isn't already a buffer of this type present.
*
* The valid values of @a type is one of the following:
* @li #KRB5_PAC_LOGON_INFO - Logon information
* @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information
* @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum
* @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum
* @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information
* @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information
* @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
const krb5_data *data);
/**
* Free a PAC handle.
*
* @param [in] context Library context
* @param [in] pac PAC to be freed
*
* This function frees the contents of @a pac and the structure itself.
*/
void KRB5_CALLCONV
krb5_pac_free(krb5_context context, krb5_pac pac);
/**
* Retrieve a buffer value from a PAC.
*
* @param [in] context Library context
* @param [in] pac PAC handle
* @param [in] type Type of buffer to retrieve
* @param [out] data Buffer value
*
* Use krb5_free_data_contents() to free @a data when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
krb5_data *data);
/**
* Return an array of buffer types in a PAC handle.
*
* @param [in] context Library context
* @param [in] pac PAC handle
* @param [out] len Number of entries in @a types
* @param [out] types Array of buffer types
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len,
krb5_ui_4 **types);
/**
* Create an empty Privilege Attribute Certificate (PAC) handle.
*
* @param [in] context Library context
* @param [out] pac New PAC handle
*
* Use krb5_pac_free() to free @a pac when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_init(krb5_context context, krb5_pac *pac);
/**
* Unparse an encoded PAC into a new handle.
*
* @param [in] context Library context
* @param [in] ptr PAC buffer
* @param [in] len Length of @a ptr
* @param [out] pac PAC handle
*
* Use krb5_pac_free() to free @a pac when it is no longer needed.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
krb5_pac *pac);
/**
* Verify a PAC.
*
* @param [in] context Library context
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
* @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
* authtime are not verified. If @a server or @a privsvr is NULL, the
* corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
* @note A checksum mismatch can occur if the PAC was copied from a cross-realm
* TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of
* 10.6) generates PACs with no server checksum at all. One should consider
* not failing the whole authentication because of this reason, but, instead,
* treating the ticket as if it did not contain a PAC or marking the PAC
* information as non-verified.
*
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_verify(krb5_context context, const krb5_pac pac,
krb5_timestamp authtime, krb5_const_principal principal,
const krb5_keyblock *server, const krb5_keyblock *privsvr);
/**
* Sign a PAC.
*
* @param [in] context Library context
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
* @param [in] server_key Key for server checksum
* @param [in] privsvr_key Key for KDC checksum
* @param [out] data Signed PAC encoding
*
* This function signs @a pac using the keys @a server_key and @a privsvr_key
* and returns the signed encoding in @a data. @a pac is modified to include
* the server and KDC checksum buffers. Use krb5_free_data_contents() to free
* @a data when it is no longer needed.
*
* @version New in 1.10
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
krb5_const_principal principal, const krb5_keyblock *server_key,
const krb5_keyblock *privsvr_key, krb5_data *data);
/**
* Allow the appplication to override the profile's allow_weak_crypto setting.
*
* @param [in] context Library context
* @param [in] enable Boolean flag
*
* This function allows an application to override the allow_weak_crypto
* setting. It is primarily for use by aklog.
*
* @retval 0 (always)
*/
krb5_error_code KRB5_CALLCONV
krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable);
/**
* A wrapper for passing information to a @c krb5_trace_callback.
*
* Currently, it only contains the formatted message as determined
* the the format string and arguments of the tracing macro, but it
* may be extended to contain more fields in the future.
*/
typedef struct _krb5_trace_info {
const char *message;
} krb5_trace_info;
typedef void
(KRB5_CALLCONV *krb5_trace_callback)(krb5_context context,
const krb5_trace_info *info,
void *cb_data);
/**
* Specify a callback function for trace events.
*
* @param [in] context Library context
* @param [in] fn Callback function
* @param [in] cb_data Callback data
*
* Specify a callback for trace events occurring in krb5 operations performed
* within @a context. @a fn will be invoked with @a context as the first
* argument, @a cb_data as the last argument, and a pointer to a
* krb5_trace_info as the second argument. If the trace callback is reset via
* this function or @a context is destroyed, @a fn will be invoked with a NULL
* second argument so it can clean up @a cb_data. Supply a NULL value for @a
* fn to disable trace callbacks within @a context.
*
* @note This function overrides the information passed through the
* @a KRB5_TRACE environment variable.
*
* @version New in 1.9
*
* @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library
* (unless @a fn is NULL).
*/
krb5_error_code KRB5_CALLCONV
krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
void *cb_data);
/**
* Specify a file name for directing trace events.
*
* @param [in] context Library context
* @param [in] filename File name
*
* Open @a filename for appending (creating it, if necessary) and set up a
* callback to write trace events to it.
*
* @note This function overrides the information passed through the
* @a KRB5_TRACE environment variable.
*
* @version New in 1.9
*
* @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library.
*/
krb5_error_code KRB5_CALLCONV
krb5_set_trace_filename(krb5_context context, const char *filename);
#if TARGET_OS_MAC
# pragma pack(pop)
#endif
KRB5INT_END_DECLS
/* Don't use this! We're going to phase it out. It's just here to keep
applications from breaking right away. */
#define krb5_const const
#undef KRB5_ATTR_DEPRECATED
/** @} */ /* end of KRB5_H group */
#endif /* KRB5_GENERAL__ */
/*
* et-h-krb5_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define KRB5KDC_ERR_NONE (-1765328384L)
#define KRB5KDC_ERR_NAME_EXP (-1765328383L)
#define KRB5KDC_ERR_SERVICE_EXP (-1765328382L)
#define KRB5KDC_ERR_BAD_PVNO (-1765328381L)
#define KRB5KDC_ERR_C_OLD_MAST_KVNO (-1765328380L)
#define KRB5KDC_ERR_S_OLD_MAST_KVNO (-1765328379L)
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L)
#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
#define KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE (-1765328376L)
#define KRB5KDC_ERR_NULL_KEY (-1765328375L)
#define KRB5KDC_ERR_CANNOT_POSTDATE (-1765328374L)
#define KRB5KDC_ERR_NEVER_VALID (-1765328373L)
#define KRB5KDC_ERR_POLICY (-1765328372L)
#define KRB5KDC_ERR_BADOPTION (-1765328371L)
#define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L)
#define KRB5KDC_ERR_SUMTYPE_NOSUPP (-1765328369L)
#define KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368L)
#define KRB5KDC_ERR_TRTYPE_NOSUPP (-1765328367L)
#define KRB5KDC_ERR_CLIENT_REVOKED (-1765328366L)
#define KRB5KDC_ERR_SERVICE_REVOKED (-1765328365L)
#define KRB5KDC_ERR_TGT_REVOKED (-1765328364L)
#define KRB5KDC_ERR_CLIENT_NOTYET (-1765328363L)
#define KRB5KDC_ERR_SERVICE_NOTYET (-1765328362L)
#define KRB5KDC_ERR_KEY_EXP (-1765328361L)
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)
#define KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359L)
#define KRB5KDC_ERR_SERVER_NOMATCH (-1765328358L)
#define KRB5KDC_ERR_MUST_USE_USER2USER (-1765328357L)
#define KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356L)
#define KRB5KDC_ERR_SVC_UNAVAILABLE (-1765328355L)
#define KRB5PLACEHOLD_30 (-1765328354L)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L)
#define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L)
#define KRB5KRB_AP_ERR_TKT_NYV (-1765328351L)
#define KRB5KRB_AP_ERR_REPEAT (-1765328350L)
#define KRB5KRB_AP_ERR_NOT_US (-1765328349L)
#define KRB5KRB_AP_ERR_BADMATCH (-1765328348L)
#define KRB5KRB_AP_ERR_SKEW (-1765328347L)
#define KRB5KRB_AP_ERR_BADADDR (-1765328346L)
#define KRB5KRB_AP_ERR_BADVERSION (-1765328345L)
#define KRB5KRB_AP_ERR_MSG_TYPE (-1765328344L)
#define KRB5KRB_AP_ERR_MODIFIED (-1765328343L)
#define KRB5KRB_AP_ERR_BADORDER (-1765328342L)
#define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328341L)
#define KRB5KRB_AP_ERR_BADKEYVER (-1765328340L)
#define KRB5KRB_AP_ERR_NOKEY (-1765328339L)
#define KRB5KRB_AP_ERR_MUT_FAIL (-1765328338L)
#define KRB5KRB_AP_ERR_BADDIRECTION (-1765328337L)
#define KRB5KRB_AP_ERR_METHOD (-1765328336L)
#define KRB5KRB_AP_ERR_BADSEQ (-1765328335L)
#define KRB5KRB_AP_ERR_INAPP_CKSUM (-1765328334L)
#define KRB5KRB_AP_PATH_NOT_ACCEPTED (-1765328333L)
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
#define KRB5PLACEHOLD_53 (-1765328331L)
#define KRB5PLACEHOLD_54 (-1765328330L)
#define KRB5PLACEHOLD_55 (-1765328329L)
#define KRB5PLACEHOLD_56 (-1765328328L)
#define KRB5PLACEHOLD_57 (-1765328327L)
#define KRB5PLACEHOLD_58 (-1765328326L)
#define KRB5PLACEHOLD_59 (-1765328325L)
#define KRB5KRB_ERR_GENERIC (-1765328324L)
#define KRB5KRB_ERR_FIELD_TOOLONG (-1765328323L)
#define KRB5KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322L)
#define KRB5KDC_ERR_KDC_NOT_TRUSTED (-1765328321L)
#define KRB5KDC_ERR_INVALID_SIG (-1765328320L)
#define KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (-1765328319L)
#define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-1765328318L)
#define KRB5KRB_AP_ERR_NO_TGT (-1765328317L)
#define KRB5KDC_ERR_WRONG_REALM (-1765328316L)
#define KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED (-1765328315L)
#define KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE (-1765328314L)
#define KRB5KDC_ERR_INVALID_CERTIFICATE (-1765328313L)
#define KRB5KDC_ERR_REVOKED_CERTIFICATE (-1765328312L)
#define KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN (-1765328311L)
#define KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (-1765328310L)
#define KRB5KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309L)
#define KRB5KDC_ERR_KDC_NAME_MISMATCH (-1765328308L)
#define KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE (-1765328307L)
#define KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (-1765328306L)
#define KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305L)
#define KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (-1765328304L)
#define KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (-1765328303L)
#define KRB5PLACEHOLD_82 (-1765328302L)
#define KRB5PLACEHOLD_83 (-1765328301L)
#define KRB5PLACEHOLD_84 (-1765328300L)
#define KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND (-1765328299L)
#define KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE (-1765328298L)
#define KRB5PLACEHOLD_87 (-1765328297L)
#define KRB5PLACEHOLD_88 (-1765328296L)
#define KRB5PLACEHOLD_89 (-1765328295L)
#define KRB5PLACEHOLD_90 (-1765328294L)
#define KRB5PLACEHOLD_91 (-1765328293L)
#define KRB5PLACEHOLD_92 (-1765328292L)
#define KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION (-1765328291L)
#define KRB5PLACEHOLD_94 (-1765328290L)
#define KRB5PLACEHOLD_95 (-1765328289L)
#define KRB5PLACEHOLD_96 (-1765328288L)
#define KRB5PLACEHOLD_97 (-1765328287L)
#define KRB5PLACEHOLD_98 (-1765328286L)
#define KRB5PLACEHOLD_99 (-1765328285L)
#define KRB5KDC_ERR_NO_ACCEPTABLE_KDF (-1765328284L)
#define KRB5PLACEHOLD_101 (-1765328283L)
#define KRB5PLACEHOLD_102 (-1765328282L)
#define KRB5PLACEHOLD_103 (-1765328281L)
#define KRB5PLACEHOLD_104 (-1765328280L)
#define KRB5PLACEHOLD_105 (-1765328279L)
#define KRB5PLACEHOLD_106 (-1765328278L)
#define KRB5PLACEHOLD_107 (-1765328277L)
#define KRB5PLACEHOLD_108 (-1765328276L)
#define KRB5PLACEHOLD_109 (-1765328275L)
#define KRB5PLACEHOLD_110 (-1765328274L)
#define KRB5PLACEHOLD_111 (-1765328273L)
#define KRB5PLACEHOLD_112 (-1765328272L)
#define KRB5PLACEHOLD_113 (-1765328271L)
#define KRB5PLACEHOLD_114 (-1765328270L)
#define KRB5PLACEHOLD_115 (-1765328269L)
#define KRB5PLACEHOLD_116 (-1765328268L)
#define KRB5PLACEHOLD_117 (-1765328267L)
#define KRB5PLACEHOLD_118 (-1765328266L)
#define KRB5PLACEHOLD_119 (-1765328265L)
#define KRB5PLACEHOLD_120 (-1765328264L)
#define KRB5PLACEHOLD_121 (-1765328263L)
#define KRB5PLACEHOLD_122 (-1765328262L)
#define KRB5PLACEHOLD_123 (-1765328261L)
#define KRB5PLACEHOLD_124 (-1765328260L)
#define KRB5PLACEHOLD_125 (-1765328259L)
#define KRB5PLACEHOLD_126 (-1765328258L)
#define KRB5PLACEHOLD_127 (-1765328257L)
#define KRB5_ERR_RCSID (-1765328256L)
#define KRB5_LIBOS_BADLOCKFLAG (-1765328255L)
#define KRB5_LIBOS_CANTREADPWD (-1765328254L)
#define KRB5_LIBOS_BADPWDMATCH (-1765328253L)
#define KRB5_LIBOS_PWDINTR (-1765328252L)
#define KRB5_PARSE_ILLCHAR (-1765328251L)
#define KRB5_PARSE_MALFORMED (-1765328250L)
#define KRB5_CONFIG_CANTOPEN (-1765328249L)
#define KRB5_CONFIG_BADFORMAT (-1765328248L)
#define KRB5_CONFIG_NOTENUFSPACE (-1765328247L)
#define KRB5_BADMSGTYPE (-1765328246L)
#define KRB5_CC_BADNAME (-1765328245L)
#define KRB5_CC_UNKNOWN_TYPE (-1765328244L)
#define KRB5_CC_NOTFOUND (-1765328243L)
#define KRB5_CC_END (-1765328242L)
#define KRB5_NO_TKT_SUPPLIED (-1765328241L)
#define KRB5KRB_AP_WRONG_PRINC (-1765328240L)
#define KRB5KRB_AP_ERR_TKT_INVALID (-1765328239L)
#define KRB5_PRINC_NOMATCH (-1765328238L)
#define KRB5_KDCREP_MODIFIED (-1765328237L)
#define KRB5_KDCREP_SKEW (-1765328236L)
#define KRB5_IN_TKT_REALM_MISMATCH (-1765328235L)
#define KRB5_PROG_ETYPE_NOSUPP (-1765328234L)
#define KRB5_PROG_KEYTYPE_NOSUPP (-1765328233L)
#define KRB5_WRONG_ETYPE (-1765328232L)
#define KRB5_PROG_SUMTYPE_NOSUPP (-1765328231L)
#define KRB5_REALM_UNKNOWN (-1765328230L)
#define KRB5_SERVICE_UNKNOWN (-1765328229L)
#define KRB5_KDC_UNREACH (-1765328228L)
#define KRB5_NO_LOCALNAME (-1765328227L)
#define KRB5_MUTUAL_FAILED (-1765328226L)
#define KRB5_RC_TYPE_EXISTS (-1765328225L)
#define KRB5_RC_MALLOC (-1765328224L)
#define KRB5_RC_TYPE_NOTFOUND (-1765328223L)
#define KRB5_RC_UNKNOWN (-1765328222L)
#define KRB5_RC_REPLAY (-1765328221L)
#define KRB5_RC_IO (-1765328220L)
#define KRB5_RC_NOIO (-1765328219L)
#define KRB5_RC_PARSE (-1765328218L)
#define KRB5_RC_IO_EOF (-1765328217L)
#define KRB5_RC_IO_MALLOC (-1765328216L)
#define KRB5_RC_IO_PERM (-1765328215L)
#define KRB5_RC_IO_IO (-1765328214L)
#define KRB5_RC_IO_UNKNOWN (-1765328213L)
#define KRB5_RC_IO_SPACE (-1765328212L)
#define KRB5_TRANS_CANTOPEN (-1765328211L)
#define KRB5_TRANS_BADFORMAT (-1765328210L)
#define KRB5_LNAME_CANTOPEN (-1765328209L)
#define KRB5_LNAME_NOTRANS (-1765328208L)
#define KRB5_LNAME_BADFORMAT (-1765328207L)
#define KRB5_CRYPTO_INTERNAL (-1765328206L)
#define KRB5_KT_BADNAME (-1765328205L)
#define KRB5_KT_UNKNOWN_TYPE (-1765328204L)
#define KRB5_KT_NOTFOUND (-1765328203L)
#define KRB5_KT_END (-1765328202L)
#define KRB5_KT_NOWRITE (-1765328201L)
#define KRB5_KT_IOERR (-1765328200L)
#define KRB5_NO_TKT_IN_RLM (-1765328199L)
#define KRB5DES_BAD_KEYPAR (-1765328198L)
#define KRB5DES_WEAK_KEY (-1765328197L)
#define KRB5_BAD_ENCTYPE (-1765328196L)
#define KRB5_BAD_KEYSIZE (-1765328195L)
#define KRB5_BAD_MSIZE (-1765328194L)
#define KRB5_CC_TYPE_EXISTS (-1765328193L)
#define KRB5_KT_TYPE_EXISTS (-1765328192L)
#define KRB5_CC_IO (-1765328191L)
#define KRB5_FCC_PERM (-1765328190L)
#define KRB5_FCC_NOFILE (-1765328189L)
#define KRB5_FCC_INTERNAL (-1765328188L)
#define KRB5_CC_WRITE (-1765328187L)
#define KRB5_CC_NOMEM (-1765328186L)
#define KRB5_CC_FORMAT (-1765328185L)
#define KRB5_CC_NOT_KTYPE (-1765328184L)
#define KRB5_INVALID_FLAGS (-1765328183L)
#define KRB5_NO_2ND_TKT (-1765328182L)
#define KRB5_NOCREDS_SUPPLIED (-1765328181L)
#define KRB5_SENDAUTH_BADAUTHVERS (-1765328180L)
#define KRB5_SENDAUTH_BADAPPLVERS (-1765328179L)
#define KRB5_SENDAUTH_BADRESPONSE (-1765328178L)
#define KRB5_SENDAUTH_REJECTED (-1765328177L)
#define KRB5_PREAUTH_BAD_TYPE (-1765328176L)
#define KRB5_PREAUTH_NO_KEY (-1765328175L)
#define KRB5_PREAUTH_FAILED (-1765328174L)
#define KRB5_RCACHE_BADVNO (-1765328173L)
#define KRB5_CCACHE_BADVNO (-1765328172L)
#define KRB5_KEYTAB_BADVNO (-1765328171L)
#define KRB5_PROG_ATYPE_NOSUPP (-1765328170L)
#define KRB5_RC_REQUIRED (-1765328169L)
#define KRB5_ERR_BAD_HOSTNAME (-1765328168L)
#define KRB5_ERR_HOST_REALM_UNKNOWN (-1765328167L)
#define KRB5_SNAME_UNSUPP_NAMETYPE (-1765328166L)
#define KRB5KRB_AP_ERR_V4_REPLY (-1765328165L)
#define KRB5_REALM_CANT_RESOLVE (-1765328164L)
#define KRB5_TKT_NOT_FORWARDABLE (-1765328163L)
#define KRB5_FWD_BAD_PRINCIPAL (-1765328162L)
#define KRB5_GET_IN_TKT_LOOP (-1765328161L)
#define KRB5_CONFIG_NODEFREALM (-1765328160L)
#define KRB5_SAM_UNSUPPORTED (-1765328159L)
#define KRB5_SAM_INVALID_ETYPE (-1765328158L)
#define KRB5_SAM_NO_CHECKSUM (-1765328157L)
#define KRB5_SAM_BAD_CHECKSUM (-1765328156L)
#define KRB5_KT_NAME_TOOLONG (-1765328155L)
#define KRB5_KT_KVNONOTFOUND (-1765328154L)
#define KRB5_APPL_EXPIRED (-1765328153L)
#define KRB5_LIB_EXPIRED (-1765328152L)
#define KRB5_CHPW_PWDNULL (-1765328151L)
#define KRB5_CHPW_FAIL (-1765328150L)
#define KRB5_KT_FORMAT (-1765328149L)
#define KRB5_NOPERM_ETYPE (-1765328148L)
#define KRB5_CONFIG_ETYPE_NOSUPP (-1765328147L)
#define KRB5_OBSOLETE_FN (-1765328146L)
#define KRB5_EAI_FAIL (-1765328145L)
#define KRB5_EAI_NODATA (-1765328144L)
#define KRB5_EAI_NONAME (-1765328143L)
#define KRB5_EAI_SERVICE (-1765328142L)
#define KRB5_ERR_NUMERIC_REALM (-1765328141L)
#define KRB5_ERR_BAD_S2K_PARAMS (-1765328140L)
#define KRB5_ERR_NO_SERVICE (-1765328139L)
#define KRB5_CC_READONLY (-1765328138L)
#define KRB5_CC_NOSUPP (-1765328137L)
#define KRB5_DELTAT_BADFORMAT (-1765328136L)
#define KRB5_PLUGIN_NO_HANDLE (-1765328135L)
#define KRB5_PLUGIN_OP_NOTSUPP (-1765328134L)
#define KRB5_ERR_INVALID_UTF8 (-1765328133L)
#define KRB5_ERR_FAST_REQUIRED (-1765328132L)
#define KRB5_LOCAL_ADDR_REQUIRED (-1765328131L)
#define KRB5_REMOTE_ADDR_REQUIRED (-1765328130L)
#define KRB5_TRACE_NOSUPP (-1765328129L)
extern const struct error_table et_krb5_error_table;
extern void initialize_krb5_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_krb5_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_krb5 (-1765328384L)
/* for compatibility with older versions... */
#define init_krb5_err_tbl initialize_krb5_error_table
#define krb5_err_base ERROR_TABLE_BASE_krb5
/*
* et-h-k5e1_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define KRB5_PLUGIN_VER_NOTSUPP (-1750600192L)
#define KRB5_PLUGIN_BAD_MODULE_SPEC (-1750600191L)
#define KRB5_PLUGIN_NAME_NOTFOUND (-1750600190L)
#define KRB5KDC_ERR_DISCARD (-1750600189L)
#define KRB5_DCC_CANNOT_CREATE (-1750600188L)
#define KRB5_KCC_INVALID_ANCHOR (-1750600187L)
#define KRB5_KCC_UNKNOWN_VERSION (-1750600186L)
#define KRB5_KCC_INVALID_UID (-1750600185L)
extern const struct error_table et_k5e1_error_table;
extern void initialize_k5e1_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_k5e1_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_k5e1 (-1750600192L)
/* for compatibility with older versions... */
#define init_k5e1_err_tbl initialize_k5e1_error_table
#define k5e1_err_base ERROR_TABLE_BASE_k5e1
/*
* et-h-kdb5_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define KRB5_KDB_RCSID (-1780008448L)
#define KRB5_KDB_INUSE (-1780008447L)
#define KRB5_KDB_UK_SERROR (-1780008446L)
#define KRB5_KDB_UK_RERROR (-1780008445L)
#define KRB5_KDB_UNAUTH (-1780008444L)
#define KRB5_KDB_NOENTRY (-1780008443L)
#define KRB5_KDB_ILL_WILDCARD (-1780008442L)
#define KRB5_KDB_DB_INUSE (-1780008441L)
#define KRB5_KDB_DB_CHANGED (-1780008440L)
#define KRB5_KDB_TRUNCATED_RECORD (-1780008439L)
#define KRB5_KDB_RECURSIVELOCK (-1780008438L)
#define KRB5_KDB_NOTLOCKED (-1780008437L)
#define KRB5_KDB_BADLOCKMODE (-1780008436L)
#define KRB5_KDB_DBNOTINITED (-1780008435L)
#define KRB5_KDB_DBINITED (-1780008434L)
#define KRB5_KDB_ILLDIRECTION (-1780008433L)
#define KRB5_KDB_NOMASTERKEY (-1780008432L)
#define KRB5_KDB_BADMASTERKEY (-1780008431L)
#define KRB5_KDB_INVALIDKEYSIZE (-1780008430L)
#define KRB5_KDB_CANTREAD_STORED (-1780008429L)
#define KRB5_KDB_BADSTORED_MKEY (-1780008428L)
#define KRB5_KDB_NOACTMASTERKEY (-1780008427L)
#define KRB5_KDB_KVNONOMATCH (-1780008426L)
#define KRB5_KDB_STORED_MKEY_NOTCURRENT (-1780008425L)
#define KRB5_KDB_CANTLOCK_DB (-1780008424L)
#define KRB5_KDB_DB_CORRUPT (-1780008423L)
#define KRB5_KDB_BAD_VERSION (-1780008422L)
#define KRB5_KDB_BAD_SALTTYPE (-1780008421L)
#define KRB5_KDB_BAD_ENCTYPE (-1780008420L)
#define KRB5_KDB_BAD_CREATEFLAGS (-1780008419L)
#define KRB5_KDB_NO_PERMITTED_KEY (-1780008418L)
#define KRB5_KDB_NO_MATCHING_KEY (-1780008417L)
#define KRB5_KDB_DBTYPE_NOTFOUND (-1780008416L)
#define KRB5_KDB_DBTYPE_NOSUP (-1780008415L)
#define KRB5_KDB_DBTYPE_INIT (-1780008414L)
#define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008413L)
#define KRB5_KDB_ACCESS_ERROR (-1780008412L)
#define KRB5_KDB_INTERNAL_ERROR (-1780008411L)
#define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008410L)
#define KRB5_LOG_CONV (-1780008409L)
#define KRB5_LOG_UNSTABLE (-1780008408L)
#define KRB5_LOG_CORRUPT (-1780008407L)
#define KRB5_LOG_ERROR (-1780008406L)
#define KRB5_KDB_DBTYPE_MISMATCH (-1780008405L)
#define KRB5_KDB_POLICY_REF (-1780008404L)
#define KRB5_KDB_STRINGS_TOOLONG (-1780008403L)
extern const struct error_table et_kdb5_error_table;
extern void initialize_kdb5_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_kdb5_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_kdb5 (-1780008448L)
/* for compatibility with older versions... */
#define init_kdb5_err_tbl initialize_kdb5_error_table
#define kdb5_err_base ERROR_TABLE_BASE_kdb5
/*
* et-h-kv5m_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define KV5M_NONE (-1760647424L)
#define KV5M_PRINCIPAL (-1760647423L)
#define KV5M_DATA (-1760647422L)
#define KV5M_KEYBLOCK (-1760647421L)
#define KV5M_CHECKSUM (-1760647420L)
#define KV5M_ENCRYPT_BLOCK (-1760647419L)
#define KV5M_ENC_DATA (-1760647418L)
#define KV5M_CRYPTOSYSTEM_ENTRY (-1760647417L)
#define KV5M_CS_TABLE_ENTRY (-1760647416L)
#define KV5M_CHECKSUM_ENTRY (-1760647415L)
#define KV5M_AUTHDATA (-1760647414L)
#define KV5M_TRANSITED (-1760647413L)
#define KV5M_ENC_TKT_PART (-1760647412L)
#define KV5M_TICKET (-1760647411L)
#define KV5M_AUTHENTICATOR (-1760647410L)
#define KV5M_TKT_AUTHENT (-1760647409L)
#define KV5M_CREDS (-1760647408L)
#define KV5M_LAST_REQ_ENTRY (-1760647407L)
#define KV5M_PA_DATA (-1760647406L)
#define KV5M_KDC_REQ (-1760647405L)
#define KV5M_ENC_KDC_REP_PART (-1760647404L)
#define KV5M_KDC_REP (-1760647403L)
#define KV5M_ERROR (-1760647402L)
#define KV5M_AP_REQ (-1760647401L)
#define KV5M_AP_REP (-1760647400L)
#define KV5M_AP_REP_ENC_PART (-1760647399L)
#define KV5M_RESPONSE (-1760647398L)
#define KV5M_SAFE (-1760647397L)
#define KV5M_PRIV (-1760647396L)
#define KV5M_PRIV_ENC_PART (-1760647395L)
#define KV5M_CRED (-1760647394L)
#define KV5M_CRED_INFO (-1760647393L)
#define KV5M_CRED_ENC_PART (-1760647392L)
#define KV5M_PWD_DATA (-1760647391L)
#define KV5M_ADDRESS (-1760647390L)
#define KV5M_KEYTAB_ENTRY (-1760647389L)
#define KV5M_CONTEXT (-1760647388L)
#define KV5M_OS_CONTEXT (-1760647387L)
#define KV5M_ALT_METHOD (-1760647386L)
#define KV5M_ETYPE_INFO_ENTRY (-1760647385L)
#define KV5M_DB_CONTEXT (-1760647384L)
#define KV5M_AUTH_CONTEXT (-1760647383L)
#define KV5M_KEYTAB (-1760647382L)
#define KV5M_RCACHE (-1760647381L)
#define KV5M_CCACHE (-1760647380L)
#define KV5M_PREAUTH_OPS (-1760647379L)
#define KV5M_SAM_CHALLENGE (-1760647378L)
#define KV5M_SAM_CHALLENGE_2 (-1760647377L)
#define KV5M_SAM_KEY (-1760647376L)
#define KV5M_ENC_SAM_RESPONSE_ENC (-1760647375L)
#define KV5M_ENC_SAM_RESPONSE_ENC_2 (-1760647374L)
#define KV5M_SAM_RESPONSE (-1760647373L)
#define KV5M_SAM_RESPONSE_2 (-1760647372L)
#define KV5M_PREDICTED_SAM_RESPONSE (-1760647371L)
#define KV5M_PASSWD_PHRASE_ELEMENT (-1760647370L)
#define KV5M_GSS_OID (-1760647369L)
#define KV5M_GSS_QUEUE (-1760647368L)
#define KV5M_FAST_ARMORED_REQ (-1760647367L)
#define KV5M_FAST_REQ (-1760647366L)
#define KV5M_FAST_RESPONSE (-1760647365L)
#define KV5M_AUTHDATA_CONTEXT (-1760647364L)
extern const struct error_table et_kv5m_error_table;
extern void initialize_kv5m_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_kv5m_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_kv5m (-1760647424L)
/* for compatibility with older versions... */
#define init_kv5m_err_tbl initialize_kv5m_error_table
#define kv5m_err_base ERROR_TABLE_BASE_kv5m
/*
* et-h-krb524_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define KRB524_BADKEY (-1750206208L)
#define KRB524_BADADDR (-1750206207L)
#define KRB524_BADPRINC (-1750206206L)
#define KRB524_BADREALM (-1750206205L)
#define KRB524_V4ERR (-1750206204L)
#define KRB524_ENCFULL (-1750206203L)
#define KRB524_DECEMPTY (-1750206202L)
#define KRB524_NOTRESP (-1750206201L)
#define KRB524_KRB4_DISABLED (-1750206200L)
extern const struct error_table et_k524_error_table;
extern void initialize_k524_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_k524_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_k524 (-1750206208L)
/* for compatibility with older versions... */
#define init_k524_err_tbl initialize_k524_error_table
#define k524_err_base ERROR_TABLE_BASE_k524
/*
* et-h-asn1_err.h:
* This file is automatically generated; please do not edit it.
*/
#include <et/com_err.h>
#define ASN1_BAD_TIMEFORMAT (1859794432L)
#define ASN1_MISSING_FIELD (1859794433L)
#define ASN1_MISPLACED_FIELD (1859794434L)
#define ASN1_TYPE_MISMATCH (1859794435L)
#define ASN1_OVERFLOW (1859794436L)
#define ASN1_OVERRUN (1859794437L)
#define ASN1_BAD_ID (1859794438L)
#define ASN1_BAD_LENGTH (1859794439L)
#define ASN1_BAD_FORMAT (1859794440L)
#define ASN1_PARSE_ERROR (1859794441L)
#define ASN1_BAD_GMTIME (1859794442L)
#define ASN1_MISMATCH_INDEF (1859794443L)
#define ASN1_MISSING_EOC (1859794444L)
#define ASN1_OMITTED (1859794445L)
extern const struct error_table et_asn1_error_table;
extern void initialize_asn1_error_table(void);
/* For compatibility with Heimdal */
extern void initialize_asn1_error_table_r(struct et_list **list);
#define ERROR_TABLE_BASE_asn1 (1859794432L)
/* for compatibility with older versions... */
#define init_asn1_err_tbl initialize_asn1_error_table
#define asn1_err_base ERROR_TABLE_BASE_asn1
#endif /* KRB5_KRB5_H_INCLUDED */
|