EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2025-02-21 10:04:40
0001 /* This file is generated, please don't edit it directly. */ 0002 #ifndef KRB5_KRB5_H_INCLUDED 0003 #define KRB5_KRB5_H_INCLUDED 0004 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 0005 /* General definitions for Kerberos version 5. */ 0006 /* 0007 * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts 0008 * Institute of Technology. All Rights Reserved. 0009 * 0010 * Export of this software from the United States of America may 0011 * require a specific license from the United States Government. 0012 * It is the responsibility of any person or organization contemplating 0013 * export to obtain such a license before exporting. 0014 * 0015 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 0016 * distribute this software and its documentation for any purpose and 0017 * without fee is hereby granted, provided that the above copyright 0018 * notice appear in all copies and that both that copyright notice and 0019 * this permission notice appear in supporting documentation, and that 0020 * the name of M.I.T. not be used in advertising or publicity pertaining 0021 * to distribution of the software without specific, written prior 0022 * permission. Furthermore if you modify this software you must label 0023 * your software as modified software and not distribute it in such a 0024 * fashion that it might be confused with the original M.I.T. software. 0025 * M.I.T. makes no representations about the suitability of 0026 * this software for any purpose. It is provided "as is" without express 0027 * or implied warranty. 0028 */ 0029 /* 0030 * Copyright (C) 1998 by the FundsXpress, INC. 0031 * 0032 * All rights reserved. 0033 * 0034 * Export of this software from the United States of America may require 0035 * a specific license from the United States Government. It is the 0036 * responsibility of any person or organization contemplating export to 0037 * obtain such a license before exporting. 0038 * 0039 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 0040 * distribute this software and its documentation for any purpose and 0041 * without fee is hereby granted, provided that the above copyright 0042 * notice appear in all copies and that both that copyright notice and 0043 * this permission notice appear in supporting documentation, and that 0044 * the name of FundsXpress. not be used in advertising or publicity pertaining 0045 * to distribution of the software without specific, written prior 0046 * permission. FundsXpress makes no representations about the suitability of 0047 * this software for any purpose. It is provided "as is" without express 0048 * or implied warranty. 0049 * 0050 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 0051 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 0052 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 0053 */ 0054 0055 #ifndef KRB5_GENERAL__ 0056 #define KRB5_GENERAL__ 0057 0058 /* By default, do not expose deprecated interfaces. */ 0059 #ifndef KRB5_DEPRECATED 0060 #define KRB5_DEPRECATED 0 0061 #endif 0062 0063 #if defined(__MACH__) && defined(__APPLE__) 0064 # include <TargetConditionals.h> 0065 # if TARGET_RT_MAC_CFM 0066 # error "Use KfM 4.0 SDK headers for CFM compilation." 0067 # endif 0068 #endif 0069 0070 #if defined(_MSDOS) || defined(_WIN32) 0071 #include <win-mac.h> 0072 #endif 0073 0074 #ifndef KRB5_CONFIG__ 0075 #ifndef KRB5_CALLCONV 0076 #define KRB5_CALLCONV 0077 #define KRB5_CALLCONV_C 0078 #endif /* !KRB5_CALLCONV */ 0079 #endif /* !KRB5_CONFIG__ */ 0080 0081 #ifndef KRB5_CALLCONV_WRONG 0082 #define KRB5_CALLCONV_WRONG 0083 #endif 0084 0085 #ifndef THREEPARAMOPEN 0086 #define THREEPARAMOPEN(x,y,z) open(x,y,z) 0087 #endif 0088 0089 #define KRB5_OLD_CRYPTO 0090 0091 #include <stdlib.h> 0092 #include <limits.h> /* for *_MAX */ 0093 #include <stdarg.h> 0094 #include <stdint.h> 0095 0096 #ifndef KRB5INT_BEGIN_DECLS 0097 #if defined(__cplusplus) 0098 #define KRB5INT_BEGIN_DECLS extern "C" { 0099 #define KRB5INT_END_DECLS } 0100 #else 0101 #define KRB5INT_BEGIN_DECLS 0102 #define KRB5INT_END_DECLS 0103 #endif 0104 #endif 0105 0106 KRB5INT_BEGIN_DECLS 0107 0108 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) 0109 #pragma pack(push,2) 0110 #endif 0111 0112 #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203 0113 # define KRB5_ATTR_DEPRECATED __attribute__((deprecated)) 0114 #elif defined _WIN32 0115 # define KRB5_ATTR_DEPRECATED __declspec(deprecated) 0116 #else 0117 # define KRB5_ATTR_DEPRECATED 0118 #endif 0119 0120 /* from profile.h */ 0121 struct _profile_t; 0122 /* typedef struct _profile_t *profile_t; */ 0123 0124 /* 0125 * begin wordsize.h 0126 */ 0127 0128 /* 0129 * Word-size related definition. 0130 */ 0131 0132 typedef uint8_t krb5_octet; 0133 typedef int16_t krb5_int16; 0134 typedef uint16_t krb5_ui_2; 0135 typedef int32_t krb5_int32; 0136 typedef uint32_t krb5_ui_4; 0137 0138 #define VALID_INT_BITS INT_MAX 0139 #define VALID_UINT_BITS UINT_MAX 0140 0141 #define KRB5_INT32_MAX 2147483647 0142 /* this strange form is necessary since - is a unary operator, not a sign 0143 indicator */ 0144 #define KRB5_INT32_MIN (-KRB5_INT32_MAX-1) 0145 0146 #define KRB5_INT16_MAX 65535 0147 /* this strange form is necessary since - is a unary operator, not a sign 0148 indicator */ 0149 #define KRB5_INT16_MIN (-KRB5_INT16_MAX-1) 0150 0151 /* 0152 * end wordsize.h 0153 */ 0154 0155 /* 0156 * begin "base-defs.h" 0157 */ 0158 0159 /* 0160 * Basic definitions for Kerberos V5 library 0161 */ 0162 0163 #ifndef FALSE 0164 #define FALSE 0 0165 #endif 0166 #ifndef TRUE 0167 #define TRUE 1 0168 #endif 0169 0170 typedef unsigned int krb5_boolean; 0171 typedef unsigned int krb5_msgtype; 0172 typedef unsigned int krb5_kvno; 0173 0174 typedef krb5_int32 krb5_addrtype; 0175 typedef krb5_int32 krb5_enctype; 0176 typedef krb5_int32 krb5_cksumtype; 0177 typedef krb5_int32 krb5_authdatatype; 0178 typedef krb5_int32 krb5_keyusage; 0179 typedef krb5_int32 krb5_cryptotype; 0180 0181 typedef krb5_int32 krb5_preauthtype; /* This may change, later on */ 0182 typedef krb5_int32 krb5_flags; 0183 0184 /** 0185 * Represents a timestamp in seconds since the POSIX epoch. This legacy type 0186 * is used frequently in the ABI, but cannot represent timestamps after 2038 as 0187 * a positive number. Code which uses this type should cast values of it to 0188 * uint32_t so that negative values are treated as timestamps between 2038 and 0189 * 2106 on platforms with 64-bit time_t. 0190 */ 0191 typedef krb5_int32 krb5_timestamp; 0192 0193 typedef krb5_int32 krb5_deltat; 0194 0195 /** 0196 * Used to convey an operation status. The value 0 indicates success; any 0197 * other values are com_err codes. Use krb5_get_error_message() to obtain a 0198 * string describing the error. 0199 */ 0200 typedef krb5_int32 krb5_error_code; 0201 0202 typedef krb5_error_code krb5_magic; 0203 0204 typedef struct _krb5_data { 0205 krb5_magic magic; 0206 unsigned int length; 0207 char *data; 0208 } krb5_data; 0209 0210 /* Originally introduced for PKINIT; now unused. Do not use this. */ 0211 typedef struct _krb5_octet_data { 0212 krb5_magic magic; 0213 unsigned int length; 0214 krb5_octet *data; 0215 } krb5_octet_data; 0216 0217 /* Originally used to recognize AFS and default salts. No longer used. */ 0218 #define SALT_TYPE_AFS_LENGTH UINT_MAX 0219 #define SALT_TYPE_NO_LENGTH UINT_MAX 0220 0221 typedef void * krb5_pointer; 0222 typedef void const * krb5_const_pointer; 0223 0224 typedef struct krb5_principal_data { 0225 krb5_magic magic; 0226 krb5_data realm; 0227 krb5_data *data; /**< An array of strings */ 0228 krb5_int32 length; 0229 krb5_int32 type; 0230 } krb5_principal_data; 0231 0232 typedef krb5_principal_data * krb5_principal; 0233 0234 /* 0235 * Per V5 spec on definition of principal types 0236 */ 0237 0238 #define KRB5_NT_UNKNOWN 0 /**< Name type not known */ 0239 #define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal 0240 as in DCE, or for users */ 0241 #define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */ 0242 #define KRB5_NT_SRV_HST 3 /**< Service with host name as instance 0243 (telnet, rcommands) */ 0244 #define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */ 0245 #define KRB5_NT_UID 5 /**< Unique ID */ 0246 #define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */ 0247 #define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */ 0248 #define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */ 0249 #define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */ 0250 #define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of 0251 NT_WELLKNOWN principals */ 0252 #define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */ 0253 #define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */ 0254 #define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */ 0255 0256 /** Constant version of krb5_principal_data. */ 0257 typedef const krb5_principal_data *krb5_const_principal; 0258 0259 #define krb5_princ_realm(context, princ) (&(princ)->realm) 0260 #define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value)) 0261 #define krb5_princ_set_realm_length(context, princ,value) (princ)->realm.length = (value) 0262 #define krb5_princ_set_realm_data(context, princ,value) (princ)->realm.data = (value) 0263 #define krb5_princ_size(context, princ) (princ)->length 0264 #define krb5_princ_type(context, princ) (princ)->type 0265 #define krb5_princ_name(context, princ) (princ)->data 0266 #define krb5_princ_component(context, princ,i) \ 0267 (((i) < krb5_princ_size(context, princ)) \ 0268 ? (princ)->data + (i) \ 0269 : NULL) 0270 0271 /** Constant for realm referrals. */ 0272 #define KRB5_REFERRAL_REALM "" 0273 0274 /* 0275 * Referral-specific functions. 0276 */ 0277 0278 /** 0279 * Check for a match with KRB5_REFERRAL_REALM. 0280 * 0281 * @param [in] r Realm to check 0282 * 0283 * @return @c TRUE if @a r is zero-length, @c FALSE otherwise 0284 */ 0285 krb5_boolean KRB5_CALLCONV 0286 krb5_is_referral_realm(const krb5_data *r); 0287 0288 /** 0289 * Return an anonymous realm data. 0290 * 0291 * This function returns constant storage that must not be freed. 0292 * 0293 * @sa #KRB5_ANONYMOUS_REALMSTR 0294 */ 0295 const krb5_data *KRB5_CALLCONV 0296 krb5_anonymous_realm(void); 0297 0298 /** 0299 * Build an anonymous principal. 0300 * 0301 * This function returns constant storage that must not be freed. 0302 * 0303 * @sa #KRB5_ANONYMOUS_PRINCSTR 0304 */ 0305 krb5_const_principal KRB5_CALLCONV 0306 krb5_anonymous_principal(void); 0307 0308 #define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */ 0309 #define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */ 0310 /* 0311 * end "base-defs.h" 0312 */ 0313 0314 /* 0315 * begin "hostaddr.h" 0316 */ 0317 0318 /** Structure for address */ 0319 typedef struct _krb5_address { 0320 krb5_magic magic; 0321 krb5_addrtype addrtype; 0322 unsigned int length; 0323 krb5_octet *contents; 0324 } krb5_address; 0325 0326 /* per Kerberos v5 protocol spec */ 0327 #define ADDRTYPE_INET 0x0002 0328 #define ADDRTYPE_CHAOS 0x0005 0329 #define ADDRTYPE_XNS 0x0006 0330 #define ADDRTYPE_ISO 0x0007 0331 #define ADDRTYPE_DDP 0x0010 0332 #define ADDRTYPE_NETBIOS 0x0014 0333 #define ADDRTYPE_INET6 0x0018 0334 /* not yet in the spec... */ 0335 #define ADDRTYPE_ADDRPORT 0x0100 0336 #define ADDRTYPE_IPPORT 0x0101 0337 0338 /* macros to determine if a type is a local type */ 0339 #define ADDRTYPE_IS_LOCAL(addrtype) (addrtype & 0x8000) 0340 0341 /* 0342 * end "hostaddr.h" 0343 */ 0344 0345 0346 struct _krb5_context; 0347 typedef struct _krb5_context * krb5_context; 0348 0349 struct _krb5_auth_context; 0350 typedef struct _krb5_auth_context * krb5_auth_context; 0351 0352 struct _krb5_cryptosystem_entry; 0353 0354 /* 0355 * begin "encryption.h" 0356 */ 0357 0358 /** Exposed contents of a key. */ 0359 typedef struct _krb5_keyblock { 0360 krb5_magic magic; 0361 krb5_enctype enctype; 0362 unsigned int length; 0363 krb5_octet *contents; 0364 } krb5_keyblock; 0365 0366 struct krb5_key_st; 0367 /** 0368 * Opaque identifier for a key. 0369 * 0370 * Use with the krb5_k APIs for better performance for repeated operations with 0371 * the same key and usage. Key identifiers must not be used simultaneously 0372 * within multiple threads, as they may contain mutable internal state and are 0373 * not mutex-protected. 0374 */ 0375 typedef struct krb5_key_st *krb5_key; 0376 0377 #ifdef KRB5_OLD_CRYPTO 0378 typedef struct _krb5_encrypt_block { 0379 krb5_magic magic; 0380 krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need 0381 this. it was a pointer, but it 0382 doesn't have to be. gross. */ 0383 krb5_keyblock *key; 0384 } krb5_encrypt_block; 0385 #endif 0386 0387 typedef struct _krb5_checksum { 0388 krb5_magic magic; 0389 krb5_cksumtype checksum_type; /* checksum type */ 0390 unsigned int length; 0391 krb5_octet *contents; 0392 } krb5_checksum; 0393 0394 typedef struct _krb5_enc_data { 0395 krb5_magic magic; 0396 krb5_enctype enctype; 0397 krb5_kvno kvno; 0398 krb5_data ciphertext; 0399 } krb5_enc_data; 0400 0401 /** 0402 * Structure to describe a region of text to be encrypted or decrypted. 0403 * 0404 * The @a flags member describes the type of the iov. 0405 * The @a data member points to the memory that will be manipulated. 0406 * All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's 0407 * along with the size of that array. Buffer contents are manipulated in-place; 0408 * data is overwritten. Callers must allocate the right number of krb5_crypto_iov 0409 * structures before calling into an iov API. 0410 */ 0411 typedef struct _krb5_crypto_iov { 0412 krb5_cryptotype flags; /**< iov type (see KRB5_CRYPTO_TYPE macros) */ 0413 krb5_data data; 0414 } krb5_crypto_iov; 0415 0416 /* per Kerberos v5 protocol spec */ 0417 #define ENCTYPE_NULL 0x0000 0418 #define ENCTYPE_DES_CBC_CRC 0x0001 /**< @deprecated no longer supported */ 0419 #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ 0420 #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ 0421 #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ 0422 #define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */ 0423 #define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */ 0424 #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ 0425 /* PKINIT */ 0426 #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ 0427 #define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */ 0428 #define ENCTYPE_SHA1_RSA_CMS 0x000b /**< SHA1 with RSA, CMS signature */ 0429 #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */ 0430 #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */ 0431 #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */ 0432 #define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */ 0433 0434 #define ENCTYPE_DES3_CBC_SHA1 0x0010 0435 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ 0436 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ 0437 #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ 0438 #define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014 /**< RFC 8009 */ 0439 #define ENCTYPE_ARCFOUR_HMAC 0x0017 /**< RFC 4757 */ 0440 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 /**< RFC 4757 */ 0441 #define ENCTYPE_CAMELLIA128_CTS_CMAC 0x0019 /**< RFC 6803 */ 0442 #define ENCTYPE_CAMELLIA256_CTS_CMAC 0x001a /**< RFC 6803 */ 0443 #define ENCTYPE_UNKNOWN 0x01ff 0444 0445 /* 0446 * Historically we used the value 9 for unkeyed SHA-1. RFC 3961 assigns this 0447 * value to rsa-md5-des3, which fortunately is unused. For ABI compatibility 0448 * we allow either 9 or 14 for SHA-1. 0449 */ 0450 #define CKSUMTYPE_CRC32 0x0001 0451 #define CKSUMTYPE_RSA_MD4 0x0002 0452 #define CKSUMTYPE_RSA_MD4_DES 0x0003 0453 #define CKSUMTYPE_DESCBC 0x0004 0454 /* des-mac-k */ 0455 /* rsa-md4-des-k */ 0456 #define CKSUMTYPE_RSA_MD5 0x0007 0457 #define CKSUMTYPE_RSA_MD5_DES 0x0008 0458 #define CKSUMTYPE_NIST_SHA 0x0009 0459 #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c 0460 #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */ 0461 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with 0462 ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ 0463 #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with 0464 ENCTYPE_AES256_CTS_HMAC_SHA1_96 */ 0465 #define CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013 /**< RFC 8009 */ 0466 #define CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014 /**< RFC 8009 */ 0467 #define CKSUMTYPE_CMAC_CAMELLIA128 0x0011 /**< RFC 6803 */ 0468 #define CKSUMTYPE_CMAC_CAMELLIA256 0x0012 /**< RFC 6803 */ 0469 #define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon */ 0470 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /**< RFC 4757 */ 0471 0472 /* Constants for the deprecated krb5_c_random_add_entropy() */ 0473 enum { 0474 KRB5_C_RANDSOURCE_OLDAPI = 0, 0475 KRB5_C_RANDSOURCE_OSRAND = 1, 0476 KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, 0477 KRB5_C_RANDSOURCE_TIMING = 3, 0478 KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, 0479 KRB5_C_RANDSOURCE_MAX = 5 0480 }; 0481 0482 #ifndef krb5_roundup 0483 /* round x up to nearest multiple of y */ 0484 #define krb5_roundup(x, y) ((((x) + (y) - 1)/(y))*(y)) 0485 #endif /* roundup */ 0486 0487 /* macro function definitions to help clean up code */ 0488 0489 #if 1 0490 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 0491 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 0492 #else 0493 #define krb5_x(ptr,args) ((*(ptr)) args) 0494 #define krb5_xc(ptr,args) ((*(ptr)) args) 0495 #endif 0496 0497 /** 0498 * Encrypt data using a key (operates on keyblock). 0499 * 0500 * @param [in] context Library context 0501 * @param [in] key Encryption key 0502 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0503 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 0504 * @param [in] input Data to be encrypted 0505 * @param [out] output Encrypted data 0506 * 0507 * This function encrypts the data block @a input and stores the output into @a 0508 * output. The actual encryption key will be derived from @a key and @a usage 0509 * if key derivation is specified for the encryption type. If non-null, @a 0510 * cipher_state specifies the beginning state for the encryption operation, and 0511 * is updated with the state to be passed as input to the next operation. 0512 * 0513 * @note The caller must initialize @a output and allocate at least enough 0514 * space for the result (using krb5_c_encrypt_length() to determine the amount 0515 * of space needed). @a output->length will be set to the actual length of the 0516 * ciphertext. 0517 * 0518 * @retval 0 Success; otherwise - Kerberos error codes 0519 */ 0520 krb5_error_code KRB5_CALLCONV 0521 krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, 0522 krb5_keyusage usage, const krb5_data *cipher_state, 0523 const krb5_data *input, krb5_enc_data *output); 0524 0525 /** 0526 * Decrypt data using a key (operates on keyblock). 0527 * 0528 * @param [in] context Library context 0529 * @param [in] key Encryption key 0530 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0531 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 0532 * @param [in] input Encrypted data 0533 * @param [out] output Decrypted data 0534 * 0535 * This function decrypts the data block @a input and stores the output into @a 0536 * output. The actual decryption key will be derived from @a key and @a usage 0537 * if key derivation is specified for the encryption type. If non-null, @a 0538 * cipher_state specifies the beginning state for the decryption operation, and 0539 * is updated with the state to be passed as input to the next operation. 0540 * 0541 * @note The caller must initialize @a output and allocate at least enough 0542 * space for the result. The usual practice is to allocate an output buffer as 0543 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. 0544 * For some enctypes, the resulting @a output->length may include padding 0545 * bytes. 0546 * 0547 * @retval 0 Success; otherwise - Kerberos error codes 0548 */ 0549 krb5_error_code KRB5_CALLCONV 0550 krb5_c_decrypt(krb5_context context, const krb5_keyblock *key, 0551 krb5_keyusage usage, const krb5_data *cipher_state, 0552 const krb5_enc_data *input, krb5_data *output); 0553 0554 /** 0555 * Compute encrypted data length. 0556 * 0557 * @param [in] context Library context 0558 * @param [in] enctype Encryption type 0559 * @param [in] inputlen Length of the data to be encrypted 0560 * @param [out] length Length of the encrypted data 0561 * 0562 * This function computes the length of the ciphertext produced by encrypting 0563 * @a inputlen bytes including padding, confounder, and checksum. 0564 * 0565 * @retval 0 Success; otherwise - Kerberos error codes 0566 */ 0567 krb5_error_code KRB5_CALLCONV 0568 krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, 0569 size_t inputlen, size_t *length); 0570 0571 /** 0572 * Return cipher block size. 0573 * 0574 * @param [in] context Library context 0575 * @param [in] enctype Encryption type 0576 * @param [out] blocksize Block size for @a enctype 0577 * 0578 * @retval 0 Success; otherwise - Kerberos error codes 0579 */ 0580 krb5_error_code KRB5_CALLCONV 0581 krb5_c_block_size(krb5_context context, krb5_enctype enctype, 0582 size_t *blocksize); 0583 0584 /** 0585 * Return length of the specified key in bytes. 0586 * 0587 * @param [in] context Library context 0588 * @param [in] enctype Encryption type 0589 * @param [out] keybytes Number of bytes required to make a key 0590 * @param [out] keylength Length of final key 0591 * 0592 * @retval 0 Success; otherwise - Kerberos error codes 0593 */ 0594 krb5_error_code KRB5_CALLCONV 0595 krb5_c_keylengths(krb5_context context, krb5_enctype enctype, 0596 size_t *keybytes, size_t *keylength); 0597 0598 /** 0599 * Initialize a new cipher state. 0600 * 0601 * @param [in] context Library context 0602 * @param [in] key Key 0603 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0604 * @param [out] new_state New cipher state 0605 * 0606 * @retval 0 Success; otherwise - Kerberos error codes 0607 */ 0608 krb5_error_code KRB5_CALLCONV 0609 krb5_c_init_state(krb5_context context, const krb5_keyblock *key, 0610 krb5_keyusage usage, krb5_data *new_state); 0611 0612 /** 0613 * Free a cipher state previously allocated by krb5_c_init_state(). 0614 * 0615 * @param [in] context Library context 0616 * @param [in] key Key 0617 * @param [in] state Cipher state to be freed 0618 * 0619 * @retval 0 Success; otherwise - Kerberos error codes 0620 */ 0621 krb5_error_code KRB5_CALLCONV 0622 krb5_c_free_state(krb5_context context, const krb5_keyblock *key, 0623 krb5_data *state); 0624 0625 /** 0626 * Generate enctype-specific pseudo-random bytes. 0627 * 0628 * @param [in] context Library context 0629 * @param [in] keyblock Key 0630 * @param [in] input Input data 0631 * @param [out] output Output data 0632 * 0633 * This function selects a pseudo-random function based on @a keyblock and 0634 * computes its value over @a input, placing the result into @a output. 0635 * The caller must preinitialize @a output and allocate space for the 0636 * result, using krb5_c_prf_length() to determine the required length. 0637 * 0638 * @retval 0 Success; otherwise - Kerberos error codes 0639 */ 0640 krb5_error_code KRB5_CALLCONV 0641 krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock, 0642 krb5_data *input, krb5_data *output); 0643 0644 /** 0645 * Get the output length of pseudo-random functions for an encryption type. 0646 * 0647 * @param [in] context Library context 0648 * @param [in] enctype Encryption type 0649 * @param [out] len Length of PRF output 0650 * 0651 * @retval 0 Success; otherwise - Kerberos error codes 0652 */ 0653 krb5_error_code KRB5_CALLCONV 0654 krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len); 0655 0656 /** 0657 * Generate pseudo-random bytes using RFC 6113 PRF+. 0658 * 0659 * @param [in] context Library context 0660 * @param [in] k KDC contribution key 0661 * @param [in] input Input data 0662 * @param [out] output Pseudo-random output buffer 0663 * 0664 * This function fills @a output with PRF+(k, input) as defined in RFC 6113 0665 * section 5.1. The caller must preinitialize @a output and allocate the 0666 * desired amount of space. The length of the pseudo-random output will match 0667 * the length of @a output. 0668 * 0669 * @note RFC 4402 defines a different PRF+ operation. This function does not 0670 * implement that operation. 0671 * 0672 * @return 0 on success, @c E2BIG if output->length is too large for PRF+ to 0673 * generate, @c ENOMEM on allocation failure, or an error code from 0674 * krb5_c_prf() 0675 */ 0676 krb5_error_code KRB5_CALLCONV 0677 krb5_c_prfplus(krb5_context context, const krb5_keyblock *k, 0678 const krb5_data *input, krb5_data *output); 0679 0680 /** 0681 * Derive a key using some input data (via RFC 6113 PRF+). 0682 * 0683 * @param [in] context Library context 0684 * @param [in] k KDC contribution key 0685 * @param [in] input Input string 0686 * @param [in] enctype Output key enctype (or @c ENCTYPE_NULL) 0687 * @param [out] out Derived keyblock 0688 * 0689 * This function uses PRF+ as defined in RFC 6113 to derive a key from another 0690 * key and an input string. If @a enctype is @c ENCTYPE_NULL, the output key 0691 * will have the same enctype as the input key. 0692 */ 0693 krb5_error_code KRB5_CALLCONV 0694 krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k, 0695 const krb5_data *input, krb5_enctype enctype, 0696 krb5_keyblock **out); 0697 0698 /** 0699 * Compute the KRB-FX-CF2 combination of two keys and pepper strings. 0700 * 0701 * @param [in] context Library context 0702 * @param [in] k1 KDC contribution key 0703 * @param [in] pepper1 String "PKINIT" 0704 * @param [in] k2 Reply key 0705 * @param [in] pepper2 String "KeyExchange" 0706 * @param [out] out Output key 0707 * 0708 * This function computes the KRB-FX-CF2 function over its inputs and places 0709 * the results in a newly allocated keyblock. This function is simple in that 0710 * it assumes that @a pepper1 and @a pepper2 are C strings with no internal 0711 * nulls and that the enctype of the result will be the same as that of @a k1. 0712 * @a k1 and @a k2 may be of different enctypes. 0713 * 0714 * @retval 0 Success; otherwise - Kerberos error codes 0715 */ 0716 krb5_error_code KRB5_CALLCONV 0717 krb5_c_fx_cf2_simple(krb5_context context, 0718 const krb5_keyblock *k1, const char *pepper1, 0719 const krb5_keyblock *k2, const char *pepper2, 0720 krb5_keyblock **out); 0721 0722 /** 0723 * Generate an enctype-specific random encryption key. 0724 * 0725 * @param [in] context Library context 0726 * @param [in] enctype Encryption type of the generated key 0727 * @param [out] k5_random_key An allocated and initialized keyblock 0728 * 0729 * Use krb5_free_keyblock_contents() to free @a k5_random_key when 0730 * no longer needed. 0731 * 0732 * @retval 0 Success; otherwise - Kerberos error codes 0733 */ 0734 krb5_error_code KRB5_CALLCONV 0735 krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, 0736 krb5_keyblock *k5_random_key); 0737 0738 /** 0739 * Generate an enctype-specific key from random data. 0740 * 0741 * @param [in] context Library context 0742 * @param [in] enctype Encryption type 0743 * @param [in] random_data Random input data 0744 * @param [out] k5_random_key Resulting key 0745 * 0746 * This function takes random input data @a random_data and produces a valid 0747 * key @a k5_random_key for a given @a enctype. 0748 * 0749 * @note It is assumed that @a k5_random_key has already been initialized and 0750 * @a k5_random_key->contents has been allocated with the correct length. 0751 * 0752 * @sa krb5_c_keylengths() 0753 * 0754 * @retval 0 Success; otherwise - Kerberos error codes 0755 */ 0756 krb5_error_code KRB5_CALLCONV 0757 krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, 0758 krb5_data *random_data, krb5_keyblock *k5_random_key); 0759 0760 /** @deprecated This call is no longer necessary. */ 0761 krb5_error_code KRB5_CALLCONV 0762 krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, 0763 const krb5_data *data); 0764 0765 /** 0766 * Generate pseudo-random bytes. 0767 * 0768 * @param [in] context Library context 0769 * @param [out] data Random data 0770 * 0771 * Fills in @a data with bytes from the PRNG used by krb5 crypto operations. 0772 * The caller must preinitialize @a data and allocate the desired amount of 0773 * space. 0774 * 0775 * @retval 0 Success; otherwise - Kerberos error codes 0776 */ 0777 krb5_error_code KRB5_CALLCONV 0778 krb5_c_random_make_octets(krb5_context context, krb5_data *data); 0779 0780 /** @deprecated This call is no longer necessary. */ 0781 krb5_error_code KRB5_CALLCONV 0782 krb5_c_random_os_entropy(krb5_context context, int strong, int *success); 0783 0784 /** @deprecated This call is no longer necessary. */ 0785 krb5_error_code KRB5_CALLCONV 0786 krb5_c_random_seed(krb5_context context, krb5_data *data); 0787 0788 /** 0789 * Convert a string (such a password) to a key. 0790 * 0791 * @param [in] context Library context 0792 * @param [in] enctype Encryption type 0793 * @param [in] string String to be converted 0794 * @param [in] salt Salt value 0795 * @param [out] key Generated key 0796 * 0797 * This function converts @a string to a @a key of encryption type @a enctype, 0798 * using the specified @a salt. The newly created @a key must be released by 0799 * calling krb5_free_keyblock_contents() when it is no longer needed. 0800 * 0801 * @retval 0 Success; otherwise - Kerberos error codes 0802 */ 0803 krb5_error_code KRB5_CALLCONV 0804 krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, 0805 const krb5_data *string, const krb5_data *salt, 0806 krb5_keyblock *key); 0807 0808 /** 0809 * Convert a string (such as a password) to a key with additional parameters. 0810 * 0811 * @param [in] context Library context 0812 * @param [in] enctype Encryption type 0813 * @param [in] string String to be converted 0814 * @param [in] salt Salt value 0815 * @param [in] params Parameters 0816 * @param [out] key Generated key 0817 * 0818 * This function is similar to krb5_c_string_to_key(), but also takes 0819 * parameters which may affect the algorithm in an enctype-dependent way. The 0820 * newly created @a key must be released by calling 0821 * krb5_free_keyblock_contents() when it is no longer needed. 0822 * 0823 * @retval 0 Success; otherwise - Kerberos error codes 0824 */ 0825 krb5_error_code KRB5_CALLCONV 0826 krb5_c_string_to_key_with_params(krb5_context context, 0827 krb5_enctype enctype, 0828 const krb5_data *string, 0829 const krb5_data *salt, 0830 const krb5_data *params, 0831 krb5_keyblock *key); 0832 0833 /** 0834 * Compare two encryption types. 0835 * 0836 * @param [in] context Library context 0837 * @param [in] e1 First encryption type 0838 * @param [in] e2 Second encryption type 0839 * @param [out] similar @c TRUE if types are similar, @c FALSE if not 0840 * 0841 * This function determines whether two encryption types use the same kind of 0842 * keys. 0843 * 0844 * @retval 0 Success; otherwise - Kerberos error codes 0845 */ 0846 krb5_error_code KRB5_CALLCONV 0847 krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, 0848 krb5_boolean *similar); 0849 0850 /** 0851 * Compute a checksum (operates on keyblock). 0852 * 0853 * @param [in] context Library context 0854 * @param [in] cksumtype Checksum type (0 for mandatory type) 0855 * @param [in] key Encryption key for a keyed checksum 0856 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0857 * @param [in] input Input data 0858 * @param [out] cksum Generated checksum 0859 * 0860 * This function computes a checksum of type @a cksumtype over @a input, using 0861 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and 0862 * @a key is non-null, the checksum type will be the mandatory-to-implement 0863 * checksum type for the key's encryption type. The actual checksum key will 0864 * be derived from @a key and @a usage if key derivation is specified for the 0865 * checksum type. The newly created @a cksum must be released by calling 0866 * krb5_free_checksum_contents() when it is no longer needed. 0867 * 0868 * @note This function is similar to krb5_k_make_checksum(), but operates 0869 * on keyblock @a key. 0870 * 0871 * @sa krb5_c_verify_checksum() 0872 * 0873 * @retval 0 Success; otherwise - Kerberos error codes 0874 */ 0875 krb5_error_code KRB5_CALLCONV 0876 krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, 0877 const krb5_keyblock *key, krb5_keyusage usage, 0878 const krb5_data *input, krb5_checksum *cksum); 0879 0880 /** 0881 * Verify a checksum (operates on keyblock). 0882 * 0883 * @param [in] context Library context 0884 * @param [in] key Encryption key for a keyed checksum 0885 * @param [in] usage @a key usage 0886 * @param [in] data Data to be used to compute a new checksum 0887 * using @a key to compare @a cksum against 0888 * @param [in] cksum Checksum to be verified 0889 * @param [out] valid Non-zero for success, zero for failure 0890 * 0891 * This function verifies that @a cksum is a valid checksum for @a data. If 0892 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify 0893 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, 0894 * the mandatory checksum type for @a key will be used. The actual checksum 0895 * key will be derived from @a key and @a usage if key derivation is specified 0896 * for the checksum type. 0897 * 0898 * @note This function is similar to krb5_k_verify_checksum(), but operates 0899 * on keyblock @a key. 0900 * 0901 * @retval 0 Success; otherwise - Kerberos error codes 0902 */ 0903 krb5_error_code KRB5_CALLCONV 0904 krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, 0905 krb5_keyusage usage, const krb5_data *data, 0906 const krb5_checksum *cksum, krb5_boolean *valid); 0907 0908 /** 0909 * Return the length of checksums for a checksum type. 0910 * 0911 * @param [in] context Library context 0912 * @param [in] cksumtype Checksum type 0913 * @param [out] length Checksum length 0914 * 0915 * @retval 0 Success; otherwise - Kerberos error codes 0916 */ 0917 krb5_error_code KRB5_CALLCONV 0918 krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, 0919 size_t *length); 0920 0921 /** 0922 * Return a list of keyed checksum types usable with an encryption type. 0923 * 0924 * @param [in] context Library context 0925 * @param [in] enctype Encryption type 0926 * @param [out] count Count of allowable checksum types 0927 * @param [out] cksumtypes Array of allowable checksum types 0928 * 0929 * Use krb5_free_cksumtypes() to free @a cksumtypes when it is no longer 0930 * needed. 0931 * 0932 * @retval 0 Success; otherwise - Kerberos error codes 0933 */ 0934 krb5_error_code KRB5_CALLCONV 0935 krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, 0936 unsigned int *count, krb5_cksumtype **cksumtypes); 0937 0938 #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 0939 #define KRB5_KEYUSAGE_KDC_REP_TICKET 2 0940 #define KRB5_KEYUSAGE_AS_REP_ENCPART 3 0941 #define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4 0942 #define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5 0943 #define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6 0944 #define KRB5_KEYUSAGE_TGS_REQ_AUTH 7 0945 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8 0946 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9 0947 #define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10 0948 #define KRB5_KEYUSAGE_AP_REQ_AUTH 11 0949 #define KRB5_KEYUSAGE_AP_REP_ENCPART 12 0950 #define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13 0951 #define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14 0952 #define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15 0953 #define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16 0954 #define KRB5_KEYUSAGE_APP_DATA_CKSUM 17 0955 #define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18 0956 #define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19 0957 #define KRB5_KEYUSAGE_AD_MTE 20 0958 #define KRB5_KEYUSAGE_AD_ITE 21 0959 0960 /* XXX need to register these */ 0961 0962 #define KRB5_KEYUSAGE_GSS_TOK_MIC 22 0963 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23 0964 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24 0965 0966 /* Defined in Integrating SAM Mechanisms with Kerberos draft */ 0967 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25 0968 /* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */ 0969 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 0970 /* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */ 0971 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 0972 0973 /* Defined in [MS-SFU] */ 0974 /* Note conflict with KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */ 0975 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 0976 /* Note conflict with KRB5_KEYUSAGE_PA_SAM_RESPONSE */ 0977 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 0978 0979 /* unused */ 0980 #define KRB5_KEYUSAGE_PA_REFERRAL 26 0981 0982 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21 0983 #define KRB5_KEYUSAGE_IAKERB_FINISHED 42 0984 #define KRB5_KEYUSAGE_PA_PKINIT_KX 44 0985 #define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */ 0986 /* define in draft-ietf-krb-wg-preauth-framework*/ 0987 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 0988 #define KRB5_KEYUSAGE_FAST_ENC 51 0989 #define KRB5_KEYUSAGE_FAST_REP 52 0990 #define KRB5_KEYUSAGE_FAST_FINISHED 53 0991 #define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 0992 #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 0993 #define KRB5_KEYUSAGE_AS_REQ 56 0994 #define KRB5_KEYUSAGE_CAMMAC 64 0995 #define KRB5_KEYUSAGE_SPAKE 65 0996 0997 /* Key usage values 512-1023 are reserved for uses internal to a Kerberos 0998 * implementation. */ 0999 #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */ 1000 #define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */ 1001 1002 /** 1003 * Verify that a specified encryption type is a valid Kerberos encryption type. 1004 * 1005 * @param [in] ktype Encryption type 1006 * 1007 * @return @c TRUE if @a ktype is valid, @c FALSE if not 1008 */ 1009 krb5_boolean KRB5_CALLCONV 1010 krb5_c_valid_enctype(krb5_enctype ktype); 1011 1012 /** 1013 * Verify that specified checksum type is a valid Kerberos checksum type. 1014 * 1015 * @param [in] ctype Checksum type 1016 * 1017 * @return @c TRUE if @a ctype is valid, @c FALSE if not 1018 */ 1019 krb5_boolean KRB5_CALLCONV 1020 krb5_c_valid_cksumtype(krb5_cksumtype ctype); 1021 1022 /** 1023 * Test whether a checksum type is collision-proof. 1024 * 1025 * @param [in] ctype Checksum type 1026 * 1027 * @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not 1028 * collision-proof or not a valid checksum type. 1029 */ 1030 krb5_boolean KRB5_CALLCONV 1031 krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype); 1032 1033 /** 1034 * Test whether a checksum type is keyed. 1035 * 1036 * @param [in] ctype Checksum type 1037 * 1038 * @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise. 1039 */ 1040 krb5_boolean KRB5_CALLCONV 1041 krb5_c_is_keyed_cksum(krb5_cksumtype ctype); 1042 1043 /* AEAD APIs */ 1044 #define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */ 1045 #define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */ 1046 #define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */ 1047 #define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */ 1048 #define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */ 1049 #define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */ 1050 #define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */ 1051 #define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without 1052 decomposing the structure into 1053 header, data and trailer buffers */ 1054 1055 /** 1056 * Fill in a checksum element in IOV array (operates on keyblock) 1057 * 1058 * @param [in] context Library context 1059 * @param [in] cksumtype Checksum type (0 for mandatory type) 1060 * @param [in] key Encryption key for a keyed checksum 1061 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1062 * @param [in,out] data IOV array 1063 * @param [in] num_data Size of @a data 1064 * 1065 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over 1066 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. 1067 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. 1068 * 1069 * @note This function is similar to krb5_k_make_checksum_iov(), but operates 1070 * on keyblock @a key. 1071 * 1072 * @sa krb5_c_verify_checksum_iov() 1073 * 1074 * @retval 0 Success; otherwise - Kerberos error codes 1075 */ 1076 krb5_error_code KRB5_CALLCONV 1077 krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1078 const krb5_keyblock *key, krb5_keyusage usage, 1079 krb5_crypto_iov *data, size_t num_data); 1080 1081 /** 1082 * Validate a checksum element in IOV array (operates on keyblock). 1083 * 1084 * @param [in] context Library context 1085 * @param [in] cksumtype Checksum type (0 for mandatory type) 1086 * @param [in] key Encryption key for a keyed checksum 1087 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1088 * @param [in] data IOV array 1089 * @param [in] num_data Size of @a data 1090 * @param [out] valid Non-zero for success, zero for failure 1091 * 1092 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a 1093 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY 1094 * regions in the iov. 1095 * 1096 * @note This function is similar to krb5_k_verify_checksum_iov(), but operates 1097 * on keyblock @a key. 1098 * 1099 * @sa krb5_c_make_checksum_iov() 1100 * 1101 * @retval 0 Success; otherwise - Kerberos error codes 1102 */ 1103 krb5_error_code KRB5_CALLCONV 1104 krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1105 const krb5_keyblock *key, krb5_keyusage usage, 1106 const krb5_crypto_iov *data, size_t num_data, 1107 krb5_boolean *valid); 1108 1109 /** 1110 * Encrypt data in place supporting AEAD (operates on keyblock). 1111 * 1112 * @param [in] context Library context 1113 * @param [in] keyblock Encryption key 1114 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1115 * @param [in] cipher_state Cipher state; specify NULL if not needed 1116 * @param [in,out] data IOV array. Modified in-place. 1117 * @param [in] num_data Size of @a data 1118 * 1119 * This function encrypts the data block @a data and stores the output in-place. 1120 * The actual encryption key will be derived from @a keyblock and @a usage 1121 * if key derivation is specified for the encryption type. If non-null, @a 1122 * cipher_state specifies the beginning state for the encryption operation, and 1123 * is updated with the state to be passed as input to the next operation. 1124 * The caller must allocate the right number of krb5_crypto_iov 1125 * structures before calling into this API. 1126 * 1127 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the 1128 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1129 * For example, if the padding length is too large, the length will be reduced. 1130 * Lengths are never increased. 1131 * 1132 * @note This function is similar to krb5_k_encrypt_iov(), but operates 1133 * on keyblock @a keyblock. 1134 * 1135 * @sa krb5_c_decrypt_iov() 1136 * 1137 * @retval 0 Success; otherwise - Kerberos error codes 1138 */ 1139 krb5_error_code KRB5_CALLCONV 1140 krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, 1141 krb5_keyusage usage, const krb5_data *cipher_state, 1142 krb5_crypto_iov *data, size_t num_data); 1143 1144 /** 1145 * Decrypt data in place supporting AEAD (operates on keyblock). 1146 * 1147 * @param [in] context Library context 1148 * @param [in] keyblock Encryption key 1149 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1150 * @param [in] cipher_state Cipher state; specify NULL if not needed 1151 * @param [in,out] data IOV array. Modified in-place. 1152 * @param [in] num_data Size of @a data 1153 * 1154 * This function decrypts the data block @a data and stores the output in-place. 1155 * The actual decryption key will be derived from @a keyblock and @a usage 1156 * if key derivation is specified for the encryption type. If non-null, @a 1157 * cipher_state specifies the beginning state for the decryption operation, and 1158 * is updated with the state to be passed as input to the next operation. 1159 * The caller must allocate the right number of krb5_crypto_iov 1160 * structures before calling into this API. 1161 * 1162 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the 1163 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1164 * For example, if the padding length is too large, the length will be reduced. 1165 * Lengths are never increased. 1166 * 1167 * @note This function is similar to krb5_k_decrypt_iov(), but operates 1168 * on keyblock @a keyblock. 1169 * 1170 * @sa krb5_c_decrypt_iov() 1171 * 1172 * @retval 0 Success; otherwise - Kerberos error codes 1173 */ 1174 krb5_error_code KRB5_CALLCONV 1175 krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, 1176 krb5_keyusage usage, const krb5_data *cipher_state, 1177 krb5_crypto_iov *data, size_t num_data); 1178 1179 /** 1180 * Return a length of a message field specific to the encryption type. 1181 * 1182 * @param [in] context Library context 1183 * @param [in] enctype Encryption type 1184 * @param [in] type Type field (See KRB5_CRYPTO_TYPE macros) 1185 * @param [out] size Length of the @a type specific to @a enctype 1186 * 1187 * @retval 0 Success; otherwise - Kerberos error codes 1188 */ 1189 krb5_error_code KRB5_CALLCONV 1190 krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, 1191 krb5_cryptotype type, unsigned int *size); 1192 1193 /** 1194 * Fill in lengths for header, trailer and padding in a IOV array. 1195 * 1196 * @param [in] context Library context 1197 * @param [in] enctype Encryption type 1198 * @param [in,out] data IOV array 1199 * @param [in] num_data Size of @a data 1200 * 1201 * Padding is set to the actual padding required based on the provided 1202 * @a data buffers. Typically this API is used after setting up the data 1203 * buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually 1204 * allocating header, trailer and padding. 1205 * 1206 * @retval 0 Success; otherwise - Kerberos error codes 1207 */ 1208 krb5_error_code KRB5_CALLCONV 1209 krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, 1210 krb5_crypto_iov *data, size_t num_data); 1211 1212 /** 1213 * Return a number of padding octets. 1214 * 1215 * @param [in] context Library context 1216 * @param [in] enctype Encryption type 1217 * @param [in] data_length Length of the plaintext to pad 1218 * @param [out] size Number of padding octets 1219 * 1220 * This function returns the number of the padding octets required to pad 1221 * @a data_length octets of plaintext. 1222 * 1223 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE 1224 */ 1225 krb5_error_code KRB5_CALLCONV 1226 krb5_c_padding_length(krb5_context context, krb5_enctype enctype, 1227 size_t data_length, unsigned int *size); 1228 1229 /** 1230 * Create a krb5_key from the enctype and key data in a keyblock. 1231 * 1232 * @param [in] context Library context 1233 * @param [in] key_data Keyblock 1234 * @param [out] out Opaque key 1235 * 1236 * The reference count on a key @a out is set to 1. 1237 * Use krb5_k_free_key() to free @a out when it is no longer needed. 1238 * 1239 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE 1240 */ 1241 krb5_error_code KRB5_CALLCONV 1242 krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data, 1243 krb5_key *out); 1244 1245 /** Increment the reference count on a key. */ 1246 void KRB5_CALLCONV 1247 krb5_k_reference_key(krb5_context context, krb5_key key); 1248 1249 /** Decrement the reference count on a key and free it if it hits zero. */ 1250 void KRB5_CALLCONV 1251 krb5_k_free_key(krb5_context context, krb5_key key); 1252 1253 /** Retrieve a copy of the keyblock from a krb5_key structure. */ 1254 krb5_error_code KRB5_CALLCONV 1255 krb5_k_key_keyblock(krb5_context context, krb5_key key, 1256 krb5_keyblock **key_data); 1257 1258 /** Retrieve the enctype of a krb5_key structure. */ 1259 krb5_enctype KRB5_CALLCONV 1260 krb5_k_key_enctype(krb5_context context, krb5_key key); 1261 1262 /** 1263 * Encrypt data using a key (operates on opaque key). 1264 * 1265 * @param [in] context Library context 1266 * @param [in] key Encryption key 1267 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1268 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 1269 * @param [in] input Data to be encrypted 1270 * @param [out] output Encrypted data 1271 * 1272 * This function encrypts the data block @a input and stores the output into @a 1273 * output. The actual encryption key will be derived from @a key and @a usage 1274 * if key derivation is specified for the encryption type. If non-null, @a 1275 * cipher_state specifies the beginning state for the encryption operation, and 1276 * is updated with the state to be passed as input to the next operation. 1277 * 1278 * @note The caller must initialize @a output and allocate at least enough 1279 * space for the result (using krb5_c_encrypt_length() to determine the amount 1280 * of space needed). @a output->length will be set to the actual length of the 1281 * ciphertext. 1282 * 1283 * @retval 0 Success; otherwise - Kerberos error codes 1284 */ 1285 krb5_error_code KRB5_CALLCONV 1286 krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, 1287 const krb5_data *cipher_state, const krb5_data *input, 1288 krb5_enc_data *output); 1289 1290 /** 1291 * Encrypt data in place supporting AEAD (operates on opaque key). 1292 * 1293 * @param [in] context Library context 1294 * @param [in] key Encryption key 1295 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1296 * @param [in] cipher_state Cipher state; specify NULL if not needed 1297 * @param [in,out] data IOV array. Modified in-place. 1298 * @param [in] num_data Size of @a data 1299 * 1300 * This function encrypts the data block @a data and stores the output in-place. 1301 * The actual encryption key will be derived from @a key and @a usage 1302 * if key derivation is specified for the encryption type. If non-null, @a 1303 * cipher_state specifies the beginning state for the encryption operation, and 1304 * is updated with the state to be passed as input to the next operation. 1305 * The caller must allocate the right number of krb5_crypto_iov 1306 * structures before calling into this API. 1307 * 1308 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the 1309 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1310 * For example, if the padding length is too large, the length will be reduced. 1311 * Lengths are never increased. 1312 * 1313 * @note This function is similar to krb5_c_encrypt_iov(), but operates 1314 * on opaque key @a key. 1315 * 1316 * @sa krb5_k_decrypt_iov() 1317 * 1318 * @retval 0 Success; otherwise - Kerberos error codes 1319 */ 1320 krb5_error_code KRB5_CALLCONV 1321 krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, 1322 const krb5_data *cipher_state, krb5_crypto_iov *data, 1323 size_t num_data); 1324 1325 /** 1326 * Decrypt data using a key (operates on opaque key). 1327 * 1328 * @param [in] context Library context 1329 * @param [in] key Encryption key 1330 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1331 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 1332 * @param [in] input Encrypted data 1333 * @param [out] output Decrypted data 1334 * 1335 * This function decrypts the data block @a input and stores the output into @a 1336 * output. The actual decryption key will be derived from @a key and @a usage 1337 * if key derivation is specified for the encryption type. If non-null, @a 1338 * cipher_state specifies the beginning state for the decryption operation, and 1339 * is updated with the state to be passed as input to the next operation. 1340 * 1341 * @note The caller must initialize @a output and allocate at least enough 1342 * space for the result. The usual practice is to allocate an output buffer as 1343 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. 1344 * For some enctypes, the resulting @a output->length may include padding 1345 * bytes. 1346 * 1347 * @retval 0 Success; otherwise - Kerberos error codes 1348 */ 1349 krb5_error_code KRB5_CALLCONV 1350 krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, 1351 const krb5_data *cipher_state, const krb5_enc_data *input, 1352 krb5_data *output); 1353 1354 /** 1355 * Decrypt data in place supporting AEAD (operates on opaque key). 1356 * 1357 * @param [in] context Library context 1358 * @param [in] key Encryption key 1359 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1360 * @param [in] cipher_state Cipher state; specify NULL if not needed 1361 * @param [in,out] data IOV array. Modified in-place. 1362 * @param [in] num_data Size of @a data 1363 * 1364 * This function decrypts the data block @a data and stores the output in-place. 1365 * The actual decryption key will be derived from @a key and @a usage 1366 * if key derivation is specified for the encryption type. If non-null, @a 1367 * cipher_state specifies the beginning state for the decryption operation, and 1368 * is updated with the state to be passed as input to the next operation. 1369 * The caller must allocate the right number of krb5_crypto_iov 1370 * structures before calling into this API. 1371 * 1372 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the 1373 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1374 * For example, if the padding length is too large, the length will be reduced. 1375 * Lengths are never increased. 1376 * 1377 * @note This function is similar to krb5_c_decrypt_iov(), but operates 1378 * on opaque key @a key. 1379 * 1380 * @sa krb5_k_encrypt_iov() 1381 * 1382 * @retval 0 Success; otherwise - Kerberos error codes 1383 */ 1384 krb5_error_code KRB5_CALLCONV 1385 krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, 1386 const krb5_data *cipher_state, krb5_crypto_iov *data, 1387 size_t num_data); 1388 /** 1389 * Compute a checksum (operates on opaque key). 1390 * 1391 * @param [in] context Library context 1392 * @param [in] cksumtype Checksum type (0 for mandatory type) 1393 * @param [in] key Encryption key for a keyed checksum 1394 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1395 * @param [in] input Input data 1396 * @param [out] cksum Generated checksum 1397 * 1398 * This function computes a checksum of type @a cksumtype over @a input, using 1399 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and 1400 * @a key is non-null, the checksum type will be the mandatory-to-implement 1401 * checksum type for the key's encryption type. The actual checksum key will 1402 * be derived from @a key and @a usage if key derivation is specified for the 1403 * checksum type. The newly created @a cksum must be released by calling 1404 * krb5_free_checksum_contents() when it is no longer needed. 1405 * 1406 * @note This function is similar to krb5_c_make_checksum(), but operates 1407 * on opaque @a key. 1408 * 1409 * @sa krb5_c_verify_checksum() 1410 * 1411 * @retval 0 Success; otherwise - Kerberos error codes 1412 */ 1413 krb5_error_code KRB5_CALLCONV 1414 krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, 1415 krb5_key key, krb5_keyusage usage, const krb5_data *input, 1416 krb5_checksum *cksum); 1417 1418 /** 1419 * Fill in a checksum element in IOV array (operates on opaque key) 1420 * 1421 * @param [in] context Library context 1422 * @param [in] cksumtype Checksum type (0 for mandatory type) 1423 * @param [in] key Encryption key for a keyed checksum 1424 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1425 * @param [in,out] data IOV array 1426 * @param [in] num_data Size of @a data 1427 * 1428 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over 1429 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. 1430 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. 1431 * 1432 * @note This function is similar to krb5_c_make_checksum_iov(), but operates 1433 * on opaque @a key. 1434 * 1435 * @sa krb5_k_verify_checksum_iov() 1436 * 1437 * @retval 0 Success; otherwise - Kerberos error codes 1438 */ 1439 krb5_error_code KRB5_CALLCONV 1440 krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1441 krb5_key key, krb5_keyusage usage, 1442 krb5_crypto_iov *data, size_t num_data); 1443 1444 /** 1445 * Verify a checksum (operates on opaque key). 1446 * 1447 * @param [in] context Library context 1448 * @param [in] key Encryption key for a keyed checksum 1449 * @param [in] usage @a key usage 1450 * @param [in] data Data to be used to compute a new checksum 1451 * using @a key to compare @a cksum against 1452 * @param [in] cksum Checksum to be verified 1453 * @param [out] valid Non-zero for success, zero for failure 1454 * 1455 * This function verifies that @a cksum is a valid checksum for @a data. If 1456 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify 1457 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, 1458 * the mandatory checksum type for @a key will be used. The actual checksum 1459 * key will be derived from @a key and @a usage if key derivation is specified 1460 * for the checksum type. 1461 * 1462 * @note This function is similar to krb5_c_verify_checksum(), but operates 1463 * on opaque @a key. 1464 * 1465 * @retval 0 Success; otherwise - Kerberos error codes 1466 */ 1467 krb5_error_code KRB5_CALLCONV 1468 krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, 1469 const krb5_data *data, const krb5_checksum *cksum, 1470 krb5_boolean *valid); 1471 1472 /** 1473 * Validate a checksum element in IOV array (operates on opaque key). 1474 * 1475 * @param [in] context Library context 1476 * @param [in] cksumtype Checksum type (0 for mandatory type) 1477 * @param [in] key Encryption key for a keyed checksum 1478 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1479 * @param [in] data IOV array 1480 * @param [in] num_data Size of @a data 1481 * @param [out] valid Non-zero for success, zero for failure 1482 * 1483 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a 1484 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY 1485 * regions in the iov. 1486 * 1487 * @note This function is similar to krb5_c_verify_checksum_iov(), but operates 1488 * on opaque @a key. 1489 * 1490 * @sa krb5_k_make_checksum_iov() 1491 * 1492 * @retval 0 Success; otherwise - Kerberos error codes 1493 */ 1494 krb5_error_code KRB5_CALLCONV 1495 krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1496 krb5_key key, krb5_keyusage usage, 1497 const krb5_crypto_iov *data, size_t num_data, 1498 krb5_boolean *valid); 1499 1500 /** 1501 * Generate enctype-specific pseudo-random bytes (operates on opaque key). 1502 * 1503 * @param [in] context Library context 1504 * @param [in] key Key 1505 * @param [in] input Input data 1506 * @param [out] output Output data 1507 * 1508 * This function selects a pseudo-random function based on @a key and 1509 * computes its value over @a input, placing the result into @a output. 1510 * The caller must preinitialize @a output and allocate space for the 1511 * result. 1512 * 1513 * @note This function is similar to krb5_c_prf(), but operates 1514 * on opaque @a key. 1515 * 1516 * @retval 0 Success; otherwise - Kerberos error codes 1517 */ 1518 krb5_error_code KRB5_CALLCONV 1519 krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output); 1520 1521 #ifdef KRB5_OLD_CRYPTO 1522 /* 1523 * old cryptosystem routine prototypes. These are now layered 1524 * on top of the functions above. 1525 */ 1526 /** @deprecated Replaced by krb5_c_* API family.*/ 1527 krb5_error_code KRB5_CALLCONV 1528 krb5_encrypt(krb5_context context, krb5_const_pointer inptr, 1529 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, 1530 krb5_pointer ivec); 1531 1532 /** @deprecated Replaced by krb5_c_* API family. */ 1533 krb5_error_code KRB5_CALLCONV 1534 krb5_decrypt(krb5_context context, krb5_const_pointer inptr, 1535 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, 1536 krb5_pointer ivec); 1537 1538 /** @deprecated Replaced by krb5_c_* API family. */ 1539 krb5_error_code KRB5_CALLCONV 1540 krb5_process_key(krb5_context context, krb5_encrypt_block *eblock, 1541 const krb5_keyblock * key); 1542 1543 /** @deprecated Replaced by krb5_c_* API family. */ 1544 krb5_error_code KRB5_CALLCONV 1545 krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock); 1546 1547 /** @deprecated See krb5_c_string_to_key() */ 1548 krb5_error_code KRB5_CALLCONV 1549 krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock, 1550 krb5_keyblock * keyblock, const krb5_data *data, 1551 const krb5_data *salt); 1552 1553 /** @deprecated Replaced by krb5_c_* API family. */ 1554 krb5_error_code KRB5_CALLCONV 1555 krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1556 const krb5_keyblock *keyblock, krb5_pointer *ptr); 1557 1558 /** @deprecated Replaced by krb5_c_* API family. */ 1559 krb5_error_code KRB5_CALLCONV 1560 krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1561 krb5_pointer *ptr); 1562 1563 /** @deprecated Replaced by krb5_c_* API family. */ 1564 krb5_error_code KRB5_CALLCONV 1565 krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1566 krb5_pointer ptr, krb5_keyblock **keyblock); 1567 1568 /** @deprecated Replaced by krb5_c_* API family. */ 1569 krb5_enctype KRB5_CALLCONV 1570 krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock); 1571 1572 /** @deprecated Replaced by krb5_c_* API family. */ 1573 krb5_error_code KRB5_CALLCONV 1574 krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock, 1575 krb5_enctype enctype); 1576 1577 /** @deprecated Replaced by krb5_c_* API family. */ 1578 size_t KRB5_CALLCONV 1579 krb5_encrypt_size(size_t length, krb5_enctype crypto); 1580 1581 /** @deprecated See krb5_c_checksum_length() */ 1582 size_t KRB5_CALLCONV 1583 krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); 1584 1585 /** @deprecated See krb5_c_make_checksum() */ 1586 krb5_error_code KRB5_CALLCONV 1587 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, 1588 krb5_const_pointer in, size_t in_length, 1589 krb5_const_pointer seed, size_t seed_length, 1590 krb5_checksum * outcksum); 1591 1592 /** @deprecated See krb5_c_verify_checksum() */ 1593 krb5_error_code KRB5_CALLCONV 1594 krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, 1595 const krb5_checksum * cksum, krb5_const_pointer in, 1596 size_t in_length, krb5_const_pointer seed, 1597 size_t seed_length); 1598 1599 #endif /* KRB5_OLD_CRYPTO */ 1600 1601 /* 1602 * end "encryption.h" 1603 */ 1604 1605 /* 1606 * begin "fieldbits.h" 1607 */ 1608 1609 /* kdc_options for kdc_request */ 1610 /* options is 32 bits; each host is responsible to put the 4 bytes 1611 representing these bits into net order before transmission */ 1612 /* #define KDC_OPT_RESERVED 0x80000000 */ 1613 #define KDC_OPT_FORWARDABLE 0x40000000 1614 #define KDC_OPT_FORWARDED 0x20000000 1615 #define KDC_OPT_PROXIABLE 0x10000000 1616 #define KDC_OPT_PROXY 0x08000000 1617 #define KDC_OPT_ALLOW_POSTDATE 0x04000000 1618 #define KDC_OPT_POSTDATED 0x02000000 1619 /* #define KDC_OPT_UNUSED 0x01000000 */ 1620 #define KDC_OPT_RENEWABLE 0x00800000 1621 /* #define KDC_OPT_UNUSED 0x00400000 */ 1622 /* #define KDC_OPT_RESERVED 0x00200000 */ 1623 /* #define KDC_OPT_RESERVED 0x00100000 */ 1624 /* #define KDC_OPT_RESERVED 0x00080000 */ 1625 /* #define KDC_OPT_RESERVED 0x00040000 */ 1626 #define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000 1627 #define KDC_OPT_CANONICALIZE 0x00010000 1628 #define KDC_OPT_REQUEST_ANONYMOUS 0x00008000 1629 /* #define KDC_OPT_RESERVED 0x00004000 */ 1630 /* #define KDC_OPT_RESERVED 0x00002000 */ 1631 /* #define KDC_OPT_RESERVED 0x00001000 */ 1632 /* #define KDC_OPT_RESERVED 0x00000800 */ 1633 /* #define KDC_OPT_RESERVED 0x00000400 */ 1634 /* #define KDC_OPT_RESERVED 0x00000200 */ 1635 /* #define KDC_OPT_RESERVED 0x00000100 */ 1636 /* #define KDC_OPT_RESERVED 0x00000080 */ 1637 /* #define KDC_OPT_RESERVED 0x00000040 */ 1638 #define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020 1639 #define KDC_OPT_RENEWABLE_OK 0x00000010 1640 #define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008 1641 /* #define KDC_OPT_UNUSED 0x00000004 */ 1642 #define KDC_OPT_RENEW 0x00000002 1643 #define KDC_OPT_VALIDATE 0x00000001 1644 1645 /* 1646 * Mask of ticket flags in the TGT which should be converted into KDC 1647 * options when using the TGT to get derivative tickets. 1648 * 1649 * New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | 1650 * KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE 1651 */ 1652 #define KDC_TKT_COMMON_MASK 0x54800000 1653 1654 /* definitions for ap_options fields */ 1655 1656 /* 1657 * ap_options are 32 bits; each host is responsible to put the 4 bytes 1658 * representing these bits into net order before transmission 1659 */ 1660 #define AP_OPTS_RESERVED 0x80000000 1661 #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */ 1662 #define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual 1663 authentication exchange */ 1664 #define AP_OPTS_ETYPE_NEGOTIATION 0x00000002 1665 #define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key 1666 from the current session key 1667 obtained from the 1668 credentials */ 1669 /* #define AP_OPTS_RESERVED 0x10000000 */ 1670 /* #define AP_OPTS_RESERVED 0x08000000 */ 1671 /* #define AP_OPTS_RESERVED 0x04000000 */ 1672 /* #define AP_OPTS_RESERVED 0x02000000 */ 1673 /* #define AP_OPTS_RESERVED 0x01000000 */ 1674 /* #define AP_OPTS_RESERVED 0x00800000 */ 1675 /* #define AP_OPTS_RESERVED 0x00400000 */ 1676 /* #define AP_OPTS_RESERVED 0x00200000 */ 1677 /* #define AP_OPTS_RESERVED 0x00100000 */ 1678 /* #define AP_OPTS_RESERVED 0x00080000 */ 1679 /* #define AP_OPTS_RESERVED 0x00040000 */ 1680 /* #define AP_OPTS_RESERVED 0x00020000 */ 1681 /* #define AP_OPTS_RESERVED 0x00010000 */ 1682 /* #define AP_OPTS_RESERVED 0x00008000 */ 1683 /* #define AP_OPTS_RESERVED 0x00004000 */ 1684 /* #define AP_OPTS_RESERVED 0x00002000 */ 1685 /* #define AP_OPTS_RESERVED 0x00001000 */ 1686 /* #define AP_OPTS_RESERVED 0x00000800 */ 1687 /* #define AP_OPTS_RESERVED 0x00000400 */ 1688 /* #define AP_OPTS_RESERVED 0x00000200 */ 1689 /* #define AP_OPTS_RESERVED 0x00000100 */ 1690 /* #define AP_OPTS_RESERVED 0x00000080 */ 1691 /* #define AP_OPTS_RESERVED 0x00000040 */ 1692 /* #define AP_OPTS_RESERVED 0x00000020 */ 1693 /* #define AP_OPTS_RESERVED 0x00000010 */ 1694 /* #define AP_OPTS_RESERVED 0x00000008 */ 1695 /* #define AP_OPTS_RESERVED 0x00000004 */ 1696 1697 1698 #define AP_OPTS_WIRE_MASK 0xfffffff0 1699 1700 /* definitions for ad_type fields. */ 1701 #define AD_TYPE_RESERVED 0x8000 1702 #define AD_TYPE_EXTERNAL 0x4000 1703 #define AD_TYPE_REGISTERED 0x2000 1704 1705 #define AD_TYPE_FIELD_TYPE_MASK 0x1fff 1706 1707 /* Ticket flags */ 1708 /* flags are 32 bits; each host is responsible to put the 4 bytes 1709 representing these bits into net order before transmission */ 1710 /* #define TKT_FLG_RESERVED 0x80000000 */ 1711 #define TKT_FLG_FORWARDABLE 0x40000000 1712 #define TKT_FLG_FORWARDED 0x20000000 1713 #define TKT_FLG_PROXIABLE 0x10000000 1714 #define TKT_FLG_PROXY 0x08000000 1715 #define TKT_FLG_MAY_POSTDATE 0x04000000 1716 #define TKT_FLG_POSTDATED 0x02000000 1717 #define TKT_FLG_INVALID 0x01000000 1718 #define TKT_FLG_RENEWABLE 0x00800000 1719 #define TKT_FLG_INITIAL 0x00400000 1720 #define TKT_FLG_PRE_AUTH 0x00200000 1721 #define TKT_FLG_HW_AUTH 0x00100000 1722 #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000 1723 #define TKT_FLG_OK_AS_DELEGATE 0x00040000 1724 #define TKT_FLG_ENC_PA_REP 0x00010000 1725 #define TKT_FLG_ANONYMOUS 0x00008000 1726 /* #define TKT_FLG_RESERVED 0x00004000 */ 1727 /* #define TKT_FLG_RESERVED 0x00002000 */ 1728 /* #define TKT_FLG_RESERVED 0x00001000 */ 1729 /* #define TKT_FLG_RESERVED 0x00000800 */ 1730 /* #define TKT_FLG_RESERVED 0x00000400 */ 1731 /* #define TKT_FLG_RESERVED 0x00000200 */ 1732 /* #define TKT_FLG_RESERVED 0x00000100 */ 1733 /* #define TKT_FLG_RESERVED 0x00000080 */ 1734 /* #define TKT_FLG_RESERVED 0x00000040 */ 1735 /* #define TKT_FLG_RESERVED 0x00000020 */ 1736 /* #define TKT_FLG_RESERVED 0x00000010 */ 1737 /* #define TKT_FLG_RESERVED 0x00000008 */ 1738 /* #define TKT_FLG_RESERVED 0x00000004 */ 1739 /* #define TKT_FLG_RESERVED 0x00000002 */ 1740 /* #define TKT_FLG_RESERVED 0x00000001 */ 1741 1742 /* definitions for lr_type fields. */ 1743 #define LR_TYPE_THIS_SERVER_ONLY 0x8000 1744 1745 #define LR_TYPE_INTERPRETATION_MASK 0x7fff 1746 1747 /* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */ 1748 #define MSEC_DIRBIT 0x8000 1749 #define MSEC_VAL_MASK 0x7fff 1750 1751 /* 1752 * end "fieldbits.h" 1753 */ 1754 1755 /* 1756 * begin "proto.h" 1757 */ 1758 1759 /** Protocol version number */ 1760 #define KRB5_PVNO 5 1761 1762 /* Message types */ 1763 1764 #define KRB5_AS_REQ ((krb5_msgtype)10) /**< Initial authentication request */ 1765 #define KRB5_AS_REP ((krb5_msgtype)11) /**< Response to AS request */ 1766 #define KRB5_TGS_REQ ((krb5_msgtype)12) /**< Ticket granting server request */ 1767 #define KRB5_TGS_REP ((krb5_msgtype)13) /**< Response to TGS request */ 1768 #define KRB5_AP_REQ ((krb5_msgtype)14) /**< Auth req to application server */ 1769 #define KRB5_AP_REP ((krb5_msgtype)15) /**< Response to mutual AP request */ 1770 #define KRB5_SAFE ((krb5_msgtype)20) /**< Safe application message */ 1771 #define KRB5_PRIV ((krb5_msgtype)21) /**< Private application message */ 1772 #define KRB5_CRED ((krb5_msgtype)22) /**< Cred forwarding message */ 1773 #define KRB5_ERROR ((krb5_msgtype)30) /**< Error response */ 1774 1775 /* LastReq types */ 1776 #define KRB5_LRQ_NONE 0 1777 #define KRB5_LRQ_ALL_LAST_TGT 1 1778 #define KRB5_LRQ_ONE_LAST_TGT (-1) 1779 #define KRB5_LRQ_ALL_LAST_INITIAL 2 1780 #define KRB5_LRQ_ONE_LAST_INITIAL (-2) 1781 #define KRB5_LRQ_ALL_LAST_TGT_ISSUED 3 1782 #define KRB5_LRQ_ONE_LAST_TGT_ISSUED (-3) 1783 #define KRB5_LRQ_ALL_LAST_RENEWAL 4 1784 #define KRB5_LRQ_ONE_LAST_RENEWAL (-4) 1785 #define KRB5_LRQ_ALL_LAST_REQ 5 1786 #define KRB5_LRQ_ONE_LAST_REQ (-5) 1787 #define KRB5_LRQ_ALL_PW_EXPTIME 6 1788 #define KRB5_LRQ_ONE_PW_EXPTIME (-6) 1789 #define KRB5_LRQ_ALL_ACCT_EXPTIME 7 1790 #define KRB5_LRQ_ONE_ACCT_EXPTIME (-7) 1791 1792 /* PADATA types */ 1793 #define KRB5_PADATA_NONE 0 1794 #define KRB5_PADATA_AP_REQ 1 1795 #define KRB5_PADATA_TGS_REQ KRB5_PADATA_AP_REQ 1796 #define KRB5_PADATA_ENC_TIMESTAMP 2 /**< RFC 4120 */ 1797 #define KRB5_PADATA_PW_SALT 3 /**< RFC 4120 */ 1798 #if 0 /* Not used */ 1799 #define KRB5_PADATA_ENC_ENCKEY 4 /* Key encrypted within itself */ 1800 #endif 1801 #define KRB5_PADATA_ENC_UNIX_TIME 5 /**< timestamp encrypted in key. RFC 4120 */ 1802 #define KRB5_PADATA_ENC_SANDIA_SECURID 6 /**< SecurId passcode. RFC 4120 */ 1803 #define KRB5_PADATA_SESAME 7 /**< Sesame project. RFC 4120 */ 1804 #define KRB5_PADATA_OSF_DCE 8 /**< OSF DCE. RFC 4120 */ 1805 #define KRB5_CYBERSAFE_SECUREID 9 /**< Cybersafe. RFC 4120 */ 1806 #define KRB5_PADATA_AFS3_SALT 10 /**< Cygnus. RFC 4120, 3961 */ 1807 #define KRB5_PADATA_ETYPE_INFO 11 /**< Etype info for preauth. RFC 4120 */ 1808 #define KRB5_PADATA_SAM_CHALLENGE 12 /**< SAM/OTP */ 1809 #define KRB5_PADATA_SAM_RESPONSE 13 /**< SAM/OTP */ 1810 #define KRB5_PADATA_PK_AS_REQ_OLD 14 /**< PKINIT */ 1811 #define KRB5_PADATA_PK_AS_REP_OLD 15 /**< PKINIT */ 1812 #define KRB5_PADATA_PK_AS_REQ 16 /**< PKINIT. RFC 4556 */ 1813 #define KRB5_PADATA_PK_AS_REP 17 /**< PKINIT. RFC 4556 */ 1814 #define KRB5_PADATA_ETYPE_INFO2 19 /**< RFC 4120 */ 1815 #define KRB5_PADATA_USE_SPECIFIED_KVNO 20 /**< RFC 4120 */ 1816 #define KRB5_PADATA_SVR_REFERRAL_INFO 20 /**< Windows 2000 referrals. RFC 6820 */ 1817 #define KRB5_PADATA_SAM_REDIRECT 21 /**< SAM/OTP. RFC 4120 */ 1818 #define KRB5_PADATA_GET_FROM_TYPED_DATA 22 /**< Embedded in typed data. RFC 4120 */ 1819 #define KRB5_PADATA_REFERRAL 25 /**< draft referral system */ 1820 #define KRB5_PADATA_SAM_CHALLENGE_2 30 /**< draft challenge system, updated */ 1821 #define KRB5_PADATA_SAM_RESPONSE_2 31 /**< draft challenge system, updated */ 1822 /* MS-KILE */ 1823 #define KRB5_PADATA_PAC_REQUEST 128 /**< include Windows PAC */ 1824 #define KRB5_PADATA_FOR_USER 129 /**< username protocol transition request */ 1825 #define KRB5_PADATA_S4U_X509_USER 130 /**< certificate protocol transition request */ 1826 #define KRB5_PADATA_AS_CHECKSUM 132 /**< AS checksum */ 1827 #define KRB5_PADATA_FX_COOKIE 133 /**< RFC 6113 */ 1828 #define KRB5_PADATA_FX_FAST 136 /**< RFC 6113 */ 1829 #define KRB5_PADATA_FX_ERROR 137 /**< RFC 6113 */ 1830 #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 /**< RFC 6113 */ 1831 #define KRB5_PADATA_OTP_CHALLENGE 141 /**< RFC 6560 section 4.1 */ 1832 #define KRB5_PADATA_OTP_REQUEST 142 /**< RFC 6560 section 4.2 */ 1833 #define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */ 1834 #define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */ 1835 #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */ 1836 #define KRB5_PADATA_AS_FRESHNESS 150 /**< RFC 8070 */ 1837 #define KRB5_PADATA_SPAKE 151 1838 #define KRB5_PADATA_REDHAT_IDP_OAUTH2 152 /**< Red Hat IdP mechanism */ 1839 #define KRB5_PADATA_REDHAT_PASSKEY 153 /**< Red Hat Passkey mechanism */ 1840 #define KRB5_PADATA_PAC_OPTIONS 167 /**< MS-KILE and MS-SFU */ 1841 1842 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 1843 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 1844 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /**< currently must be zero */ 1845 1846 /** Transited encoding types */ 1847 #define KRB5_DOMAIN_X500_COMPRESS 1 1848 1849 /** alternate authentication types */ 1850 #define KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE 64 1851 1852 /* authorization data types. See RFC 4120 section 5.2.6 */ 1853 1854 #define KRB5_AUTHDATA_IF_RELEVANT 1 1855 #define KRB5_AUTHDATA_KDC_ISSUED 4 1856 #define KRB5_AUTHDATA_AND_OR 5 1857 #define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8 1858 #define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9 1859 #define KRB5_AUTHDATA_OSF_DCE 64 1860 #define KRB5_AUTHDATA_SESAME 65 1861 #define KRB5_AUTHDATA_CAMMAC 96 1862 #define KRB5_AUTHDATA_WIN2K_PAC 128 1863 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /**< RFC 4537 */ 1864 #define KRB5_AUTHDATA_SIGNTICKET 512 /**< @deprecated use PAC */ 1865 #define KRB5_AUTHDATA_FX_ARMOR 71 1866 #define KRB5_AUTHDATA_AUTH_INDICATOR 97 1867 #define KRB5_AUTHDATA_AP_OPTIONS 143 1868 1869 /* password change constants */ 1870 #define KRB5_KPASSWD_SUCCESS 0 /**< Success */ 1871 #define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */ 1872 #define KRB5_KPASSWD_HARDERROR 2 /**< Server error */ 1873 #define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */ 1874 #define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */ 1875 /* These are Microsoft's extensions in RFC 3244, and it looks like 1876 they'll become standardized, possibly with other additions. */ 1877 #define KRB5_KPASSWD_ACCESSDENIED 5 /**< Not authorized */ 1878 #define KRB5_KPASSWD_BAD_VERSION 6 /**< Unknown RPC version */ 1879 /** The presented credentials were not obtained using a password directly */ 1880 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 1881 1882 /* 1883 * end "proto.h" 1884 */ 1885 1886 /* Time set */ 1887 /** Ticket start time, end time, and renewal duration. */ 1888 typedef struct _krb5_ticket_times { 1889 krb5_timestamp authtime; /**< Time at which KDC issued the initial ticket that corresponds to this ticket */ 1890 /* XXX ? should ktime in KDC_REP == authtime 1891 in ticket? otherwise client can't get this */ 1892 krb5_timestamp starttime; /**< optional in ticket, if not present, use @a authtime */ 1893 krb5_timestamp endtime; /**< Ticket expiration time */ 1894 krb5_timestamp renew_till; /**< Latest time at which renewal of ticket can be valid */ 1895 } krb5_ticket_times; 1896 1897 /** Structure for auth data */ 1898 typedef struct _krb5_authdata { 1899 krb5_magic magic; 1900 krb5_authdatatype ad_type; /**< ADTYPE */ 1901 unsigned int length; /**< Length of data */ 1902 krb5_octet *contents; /**< Data */ 1903 } krb5_authdata; 1904 1905 /** Structure for transited encoding */ 1906 typedef struct _krb5_transited { 1907 krb5_magic magic; 1908 krb5_octet tr_type; /**< Transited encoding type */ 1909 krb5_data tr_contents; /**< Contents */ 1910 } krb5_transited; 1911 1912 /** Encrypted part of ticket. */ 1913 typedef struct _krb5_enc_tkt_part { 1914 krb5_magic magic; 1915 /* to-be-encrypted portion */ 1916 krb5_flags flags; /**< flags */ 1917 krb5_keyblock *session; /**< session key: includes enctype */ 1918 krb5_principal client; /**< client name/realm */ 1919 krb5_transited transited; /**< list of transited realms */ 1920 krb5_ticket_times times; /**< auth, start, end, renew_till */ 1921 krb5_address **caddrs; /**< array of ptrs to addresses */ 1922 krb5_authdata **authorization_data; /**< auth data */ 1923 } krb5_enc_tkt_part; 1924 1925 /** 1926 * Ticket structure. 1927 * 1928 * The C representation of the ticket message, with a pointer to the 1929 * C representation of the encrypted part. 1930 */ 1931 typedef struct _krb5_ticket { 1932 krb5_magic magic; 1933 /* cleartext portion */ 1934 krb5_principal server; /**< server name/realm */ 1935 krb5_enc_data enc_part; /**< encryption type, kvno, encrypted encoding */ 1936 krb5_enc_tkt_part *enc_part2; /**< ptr to decrypted version, if available */ 1937 } krb5_ticket; 1938 1939 /* the unencrypted version */ 1940 /** 1941 * Ticket authenticator. 1942 * 1943 * The C representation of an unencrypted authenticator. 1944 */ 1945 typedef struct _krb5_authenticator { 1946 krb5_magic magic; 1947 krb5_principal client; /**< client name/realm */ 1948 krb5_checksum *checksum; /**< checksum, includes type, optional */ 1949 krb5_int32 cusec; /**< client usec portion */ 1950 krb5_timestamp ctime; /**< client sec portion */ 1951 krb5_keyblock *subkey; /**< true session key, optional */ 1952 krb5_ui_4 seq_number; /**< sequence #, optional */ 1953 krb5_authdata **authorization_data; /**< authoriazation data */ 1954 } krb5_authenticator; 1955 1956 /** Ticket authentication data. */ 1957 typedef struct _krb5_tkt_authent { 1958 krb5_magic magic; 1959 krb5_ticket *ticket; 1960 krb5_authenticator *authenticator; 1961 krb5_flags ap_options; 1962 } krb5_tkt_authent; 1963 1964 /** Credentials structure including ticket, session key, and lifetime info. */ 1965 typedef struct _krb5_creds { 1966 krb5_magic magic; 1967 krb5_principal client; /**< client's principal identifier */ 1968 krb5_principal server; /**< server's principal identifier */ 1969 krb5_keyblock keyblock; /**< session encryption key info */ 1970 krb5_ticket_times times; /**< lifetime info */ 1971 krb5_boolean is_skey; /**< true if ticket is encrypted in 1972 another ticket's skey */ 1973 krb5_flags ticket_flags; /**< flags in ticket */ 1974 krb5_address **addresses; /**< addrs in ticket */ 1975 krb5_data ticket; /**< ticket string itself */ 1976 krb5_data second_ticket; /**< second ticket, if related to 1977 ticket (via DUPLICATE-SKEY or 1978 ENC-TKT-IN-SKEY) */ 1979 krb5_authdata **authdata; /**< authorization data */ 1980 } krb5_creds; 1981 1982 /** Last request entry */ 1983 typedef struct _krb5_last_req_entry { 1984 krb5_magic magic; 1985 krb5_int32 lr_type; /**< LR type */ 1986 krb5_timestamp value; /**< Timestamp */ 1987 } krb5_last_req_entry; 1988 1989 /** Pre-authentication data */ 1990 typedef struct _krb5_pa_data { 1991 krb5_magic magic; 1992 krb5_preauthtype pa_type; /**< Preauthentication data type */ 1993 unsigned int length; /**< Length of data */ 1994 krb5_octet *contents; /**< Data */ 1995 } krb5_pa_data; 1996 1997 /* Don't use this; use krb5_pa_data instead. */ 1998 typedef struct _krb5_typed_data { 1999 krb5_magic magic; 2000 krb5_int32 type; 2001 unsigned int length; 2002 krb5_octet *data; 2003 } krb5_typed_data; 2004 2005 /** C representation of KDC-REQ protocol message, including KDC-REQ-BODY */ 2006 typedef struct _krb5_kdc_req { 2007 krb5_magic magic; 2008 krb5_msgtype msg_type; /**< KRB5_AS_REQ or KRB5_TGS_REQ */ 2009 krb5_pa_data **padata; /**< Preauthentication data */ 2010 /* real body */ 2011 krb5_flags kdc_options; /**< Requested options */ 2012 krb5_principal client; /**< Client principal and realm */ 2013 krb5_principal server; /**< Server principal and realm */ 2014 krb5_timestamp from; /**< Requested start time */ 2015 krb5_timestamp till; /**< Requested end time */ 2016 krb5_timestamp rtime; /**< Requested renewable end time */ 2017 krb5_int32 nonce; /**< Nonce to match request and response */ 2018 int nktypes; /**< Number of enctypes */ 2019 krb5_enctype *ktype; /**< Requested enctypes */ 2020 krb5_address **addresses; /**< Requested addresses (optional) */ 2021 krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */ 2022 krb5_authdata **unenc_authdata; /**< Unencrypted authz data */ 2023 krb5_ticket **second_ticket; /**< Second ticket array (optional) */ 2024 } krb5_kdc_req; 2025 2026 /** 2027 * C representation of @c EncKDCRepPart protocol message. 2028 * 2029 * This is the cleartext message that is encrypted and inserted in @c KDC-REP. 2030 */ 2031 typedef struct _krb5_enc_kdc_rep_part { 2032 krb5_magic magic; 2033 /* encrypted part: */ 2034 krb5_msgtype msg_type; /**< krb5 message type */ 2035 krb5_keyblock *session; /**< Session key */ 2036 krb5_last_req_entry **last_req; /**< Array of pointers to entries */ 2037 krb5_int32 nonce; /**< Nonce from request */ 2038 krb5_timestamp key_exp; /**< Expiration date */ 2039 krb5_flags flags; /**< Ticket flags */ 2040 krb5_ticket_times times; /**< Lifetime info */ 2041 krb5_principal server; /**< Server's principal identifier */ 2042 krb5_address **caddrs; /**< Array of ptrs to addrs, optional */ 2043 krb5_pa_data **enc_padata; /**< Encrypted preauthentication data */ 2044 } krb5_enc_kdc_rep_part; 2045 2046 /** Representation of the @c KDC-REP protocol message. */ 2047 typedef struct _krb5_kdc_rep { 2048 krb5_magic magic; 2049 /* cleartext part: */ 2050 krb5_msgtype msg_type; /**< KRB5_AS_REP or KRB5_KDC_REP */ 2051 krb5_pa_data **padata; /**< Preauthentication data from KDC */ 2052 krb5_principal client; /**< Client principal and realm */ 2053 krb5_ticket *ticket; /**< Ticket */ 2054 krb5_enc_data enc_part; /**< Encrypted part of reply */ 2055 krb5_enc_kdc_rep_part *enc_part2; /**< Unencrypted version, if available */ 2056 } krb5_kdc_rep; 2057 2058 /** Error message structure */ 2059 typedef struct _krb5_error { 2060 krb5_magic magic; 2061 /* some of these may be meaningless in certain contexts */ 2062 krb5_timestamp ctime; /**< Client sec portion; optional */ 2063 krb5_int32 cusec; /**< Client usec portion; optional */ 2064 krb5_int32 susec; /**< Server usec portion */ 2065 krb5_timestamp stime; /**< Server sec portion */ 2066 krb5_ui_4 error; /**< Error code (protocol error #'s) */ 2067 krb5_principal client; /**< Client principal and realm */ 2068 krb5_principal server; /**< Server principal and realm */ 2069 krb5_data text; /**< Descriptive text */ 2070 krb5_data e_data; /**< Additional error-describing data */ 2071 } krb5_error; 2072 2073 /** Authentication header. */ 2074 typedef struct _krb5_ap_req { 2075 krb5_magic magic; 2076 krb5_flags ap_options; /**< Requested options */ 2077 krb5_ticket *ticket; /**< Ticket */ 2078 krb5_enc_data authenticator; /**< Encrypted authenticator */ 2079 } krb5_ap_req; 2080 2081 /** 2082 * C representaton of AP-REP message. 2083 * 2084 * The server's response to a client's request for mutual authentication. 2085 */ 2086 typedef struct _krb5_ap_rep { 2087 krb5_magic magic; 2088 krb5_enc_data enc_part; /**< Ciphertext of ApRepEncPart */ 2089 } krb5_ap_rep; 2090 2091 /** Cleartext that is encrypted and put into @c _krb5_ap_rep. */ 2092 typedef struct _krb5_ap_rep_enc_part { 2093 krb5_magic magic; 2094 krb5_timestamp ctime; /**< Client time, seconds portion */ 2095 krb5_int32 cusec; /**< Client time, microseconds portion */ 2096 krb5_keyblock *subkey; /**< Subkey (optional) */ 2097 krb5_ui_4 seq_number; /**< Sequence number */ 2098 } krb5_ap_rep_enc_part; 2099 2100 /* Unused */ 2101 typedef struct _krb5_response { 2102 krb5_magic magic; 2103 krb5_octet message_type; 2104 krb5_data response; 2105 krb5_int32 expected_nonce; 2106 krb5_timestamp request_time; 2107 } krb5_response; 2108 2109 /** Credentials information inserted into @c EncKrbCredPart. */ 2110 typedef struct _krb5_cred_info { 2111 krb5_magic magic; 2112 krb5_keyblock *session; /**< Session key used to encrypt ticket */ 2113 krb5_principal client; /**< Client principal and realm */ 2114 krb5_principal server; /**< Server principal and realm */ 2115 krb5_flags flags; /**< Ticket flags */ 2116 krb5_ticket_times times; /**< Auth, start, end, renew_till */ 2117 krb5_address **caddrs; /**< Array of pointers to addrs (optional) */ 2118 } krb5_cred_info; 2119 2120 /** Cleartext credentials information. */ 2121 typedef struct _krb5_cred_enc_part { 2122 krb5_magic magic; 2123 krb5_int32 nonce; /**< Nonce (optional) */ 2124 krb5_timestamp timestamp; /**< Generation time, seconds portion */ 2125 krb5_int32 usec; /**< Generation time, microseconds portion */ 2126 krb5_address *s_address; /**< Sender address (optional) */ 2127 krb5_address *r_address; /**< Recipient address (optional) */ 2128 krb5_cred_info **ticket_info; 2129 } krb5_cred_enc_part; 2130 2131 /** Credentials data structure.*/ 2132 typedef struct _krb5_cred { 2133 krb5_magic magic; 2134 krb5_ticket **tickets; /**< Tickets */ 2135 krb5_enc_data enc_part; /**< Encrypted part */ 2136 krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */ 2137 } krb5_cred; 2138 2139 /* Unused, but here for API compatibility. */ 2140 typedef struct _passwd_phrase_element { 2141 krb5_magic magic; 2142 krb5_data *passwd; 2143 krb5_data *phrase; 2144 } passwd_phrase_element; 2145 2146 /* Unused, but here for API compatibility. */ 2147 typedef struct _krb5_pwd_data { 2148 krb5_magic magic; 2149 int sequence_count; 2150 passwd_phrase_element **element; 2151 } krb5_pwd_data; 2152 2153 /* Unused, but here for API compatibility. */ 2154 typedef struct _krb5_pa_svr_referral_data { 2155 /** Referred name, only realm is required */ 2156 krb5_principal principal; 2157 } krb5_pa_svr_referral_data; 2158 2159 /* Unused, but here for API compatibility. */ 2160 typedef struct _krb5_pa_server_referral_data { 2161 krb5_data *referred_realm; 2162 krb5_principal true_principal_name; 2163 krb5_principal requested_principal_name; 2164 krb5_timestamp referral_valid_until; 2165 krb5_checksum rep_cksum; 2166 } krb5_pa_server_referral_data; 2167 2168 typedef struct _krb5_pa_pac_req { 2169 /** TRUE if a PAC should be included in TGS-REP */ 2170 krb5_boolean include_pac; 2171 } krb5_pa_pac_req; 2172 2173 /* 2174 * begin "safepriv.h" 2175 */ 2176 2177 /** Prevent replays with timestamps and replay cache. */ 2178 #define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 2179 /** Save timestamps for application. */ 2180 #define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002 2181 /** Prevent replays with sequence numbers. */ 2182 #define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 2183 /** Save sequence numbers for application. */ 2184 #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 2185 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 2186 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 2187 2188 /** 2189 * Replay data. 2190 * 2191 * Sequence number and timestamp information output by krb5_rd_priv() and 2192 * krb5_rd_safe(). 2193 */ 2194 typedef struct krb5_replay_data { 2195 krb5_timestamp timestamp; /**< Timestamp, seconds portion */ 2196 krb5_int32 usec; /**< Timestamp, microseconds portion */ 2197 krb5_ui_4 seq; /**< Sequence number */ 2198 } krb5_replay_data; 2199 2200 /* Flags for krb5_auth_con_genaddrs(). */ 2201 2202 /** Generate the local network address. */ 2203 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR 0x00000001 2204 /** Generate the remote network address. */ 2205 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR 0x00000002 2206 /** Generate the local network address and the local port. */ 2207 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR 0x00000004 2208 /** Generate the remote network address and the remote port. */ 2209 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008 2210 2211 /** Type of function used as a callback to generate checksum data for mk_req */ 2212 typedef krb5_error_code 2213 (KRB5_CALLCONV * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context, 2214 void *, krb5_data **); 2215 2216 /* 2217 * end "safepriv.h" 2218 */ 2219 2220 2221 /* 2222 * begin "ccache.h" 2223 */ 2224 2225 /** Cursor for sequential lookup */ 2226 typedef krb5_pointer krb5_cc_cursor; 2227 2228 struct _krb5_ccache; 2229 typedef struct _krb5_ccache *krb5_ccache; 2230 struct _krb5_cc_ops; 2231 typedef struct _krb5_cc_ops krb5_cc_ops; 2232 2233 struct _krb5_cccol_cursor; 2234 /** Cursor for iterating over all ccaches */ 2235 typedef struct _krb5_cccol_cursor *krb5_cccol_cursor; 2236 2237 /* Flags for krb5_cc_retrieve_cred. */ 2238 /** The requested lifetime must be at least as great as the time specified. */ 2239 #define KRB5_TC_MATCH_TIMES 0x00000001 2240 /** The is_skey field must match exactly. */ 2241 #define KRB5_TC_MATCH_IS_SKEY 0x00000002 2242 /** All the flags set in the match credentials must be set. */ 2243 #define KRB5_TC_MATCH_FLAGS 0x00000004 2244 /** All the time fields must match exactly. */ 2245 #define KRB5_TC_MATCH_TIMES_EXACT 0x00000008 2246 /** All the flags must match exactly. */ 2247 #define KRB5_TC_MATCH_FLAGS_EXACT 0x00000010 2248 /** The authorization data must match. */ 2249 #define KRB5_TC_MATCH_AUTHDATA 0x00000020 2250 /** Only the name portion of the principal name must match. */ 2251 #define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040 2252 /** The second ticket must match. */ 2253 #define KRB5_TC_MATCH_2ND_TKT 0x00000080 2254 /** The encryption key type must match. */ 2255 #define KRB5_TC_MATCH_KTYPE 0x00000100 2256 /** The supported key types must match. */ 2257 #define KRB5_TC_SUPPORTED_KTYPES 0x00000200 2258 2259 /* Flags for krb5_cc_set_flags and similar. */ 2260 /** Open and close the file for each cache operation. */ 2261 #define KRB5_TC_OPENCLOSE 0x00000001 /**< @deprecated has no effect */ 2262 #define KRB5_TC_NOTICKET 0x00000002 2263 2264 /** 2265 * Retrieve the name, but not type of a credential cache. 2266 * 2267 * @param [in] context Library context 2268 * @param [in] cache Credential cache handle 2269 * 2270 * @warning Returns the name of the credential cache. The result is an alias 2271 * into @a cache and should not be freed or modified by the caller. This name 2272 * does not include the cache type, so should not be used as input to 2273 * krb5_cc_resolve(). 2274 * 2275 * @return 2276 * On success - the name of the credential cache. 2277 */ 2278 const char * KRB5_CALLCONV 2279 krb5_cc_get_name(krb5_context context, krb5_ccache cache); 2280 2281 /** 2282 * Retrieve the full name of a credential cache. 2283 * 2284 * @param [in] context Library context 2285 * @param [in] cache Credential cache handle 2286 * @param [out] fullname_out Full name of cache 2287 * 2288 * Use krb5_free_string() to free @a fullname_out when it is no longer needed. 2289 * 2290 * @version New in 1.10 2291 */ 2292 krb5_error_code KRB5_CALLCONV 2293 krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, 2294 char **fullname_out); 2295 2296 #if KRB5_DEPRECATED 2297 krb5_error_code KRB5_CALLCONV 2298 krb5_cc_gen_new(krb5_context context, krb5_ccache *cache); 2299 #endif /* KRB5_DEPRECATED */ 2300 2301 /** 2302 * Initialize a credential cache. 2303 * 2304 * @param [in] context Library context 2305 * @param [in] cache Credential cache handle 2306 * @param [in] principal Default principal name 2307 * 2308 * Destroy any existing contents of @a cache and initialize it for the default 2309 * principal @a principal. 2310 * 2311 * @retval 2312 * 0 Success 2313 * @return 2314 * System errors; Permission errors; Kerberos error codes 2315 */ 2316 krb5_error_code KRB5_CALLCONV 2317 krb5_cc_initialize(krb5_context context, krb5_ccache cache, 2318 krb5_principal principal); 2319 2320 /** 2321 * Destroy a credential cache. 2322 * 2323 * @param [in] context Library context 2324 * @param [in] cache Credential cache handle 2325 * 2326 * This function destroys any existing contents of @a cache and closes the 2327 * handle to it. 2328 * 2329 * @retval 2330 * 0 Success 2331 * @return 2332 * Permission errors 2333 */ 2334 krb5_error_code KRB5_CALLCONV 2335 krb5_cc_destroy(krb5_context context, krb5_ccache cache); 2336 2337 /** 2338 * Close a credential cache handle. 2339 * 2340 * @param [in] context Library context 2341 * @param [in] cache Credential cache handle 2342 * 2343 * This function closes a credential cache handle @a cache without affecting 2344 * the contents of the cache. 2345 * 2346 * @retval 2347 * 0 Success 2348 * @return 2349 * Kerberos error codes 2350 */ 2351 krb5_error_code KRB5_CALLCONV 2352 krb5_cc_close(krb5_context context, krb5_ccache cache); 2353 2354 /** 2355 * Store credentials in a credential cache. 2356 * 2357 * @param [in] context Library context 2358 * @param [in] cache Credential cache handle 2359 * @param [in] creds Credentials to be stored in cache 2360 * 2361 * This function stores @a creds into @a cache. If @a creds->server and the 2362 * server in the decoded ticket @a creds->ticket differ, the credentials will 2363 * be stored under both server principal names. 2364 * 2365 * @retval 2366 * 0 Success 2367 * @return Permission errors; storage failure errors; Kerberos error codes 2368 */ 2369 krb5_error_code KRB5_CALLCONV 2370 krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds); 2371 2372 /** 2373 * Retrieve a specified credentials from a credential cache. 2374 * 2375 * @param [in] context Library context 2376 * @param [in] cache Credential cache handle 2377 * @param [in] flags Flags bit mask 2378 * @param [in] mcreds Credentials to match 2379 * @param [out] creds Credentials matching the requested value 2380 * 2381 * This function searches a credential cache for credentials matching @a mcreds 2382 * and returns it if found. 2383 * 2384 * Valid values for @a flags are: 2385 * 2386 * @li #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as 2387 * great as in @a mcreds . 2388 * @li #KRB5_TC_MATCH_IS_SKEY The @a is_skey field much match exactly. 2389 * @li #KRB5_TC_MATCH_FLAGS Flags set in @a mcreds must be set. 2390 * @li #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly. 2391 * @li #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly. 2392 * @li #KRB5_TC_MATCH_AUTHDATA The authorization data must match. 2393 * @li #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal 2394 * name must match, not the realm. 2395 * @li #KRB5_TC_MATCH_2ND_TKT The second tickets must match. 2396 * @li #KRB5_TC_MATCH_KTYPE The encryption key types must match. 2397 * @li #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any 2398 * supported encryption type and return the 2399 * one with the encryption type listed earliest. 2400 * 2401 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. 2402 * 2403 * @retval 0 Success; otherwise - Kerberos error codes 2404 */ 2405 krb5_error_code KRB5_CALLCONV 2406 krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, 2407 krb5_flags flags, krb5_creds *mcreds, 2408 krb5_creds *creds); 2409 2410 /** 2411 * Get the default principal of a credential cache. 2412 * 2413 * @param [in] context Library context 2414 * @param [in] cache Credential cache handle 2415 * @param [out] principal Primary principal 2416 * 2417 * Returns the default client principal of a credential cache as set by 2418 * krb5_cc_initialize(). 2419 * 2420 * Use krb5_free_principal() to free @a principal when it is no longer needed. 2421 * 2422 * @retval 2423 * 0 Success 2424 * @return 2425 * Kerberos error codes 2426 */ 2427 krb5_error_code KRB5_CALLCONV 2428 krb5_cc_get_principal(krb5_context context, krb5_ccache cache, 2429 krb5_principal *principal); 2430 2431 /** 2432 * Prepare to sequentially read every credential in a credential cache. 2433 * 2434 * @param [in] context Library context 2435 * @param [in] cache Credential cache handle 2436 * @param [out] cursor Cursor 2437 * 2438 * krb5_cc_end_seq_get() must be called to complete the retrieve operation. 2439 * 2440 * @note If the cache represented by @a cache is modified between the time of 2441 * the call to this function and the time of the final krb5_cc_end_seq_get(), 2442 * these changes may not be reflected in the results of krb5_cc_next_cred() 2443 * calls. 2444 * 2445 * @retval 0 Success; otherwise - Kerberos error codes 2446 */ 2447 krb5_error_code KRB5_CALLCONV 2448 krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, 2449 krb5_cc_cursor *cursor); 2450 2451 /** 2452 * Retrieve the next entry from the credential cache. 2453 * 2454 * @param [in] context Library context 2455 * @param [in] cache Credential cache handle 2456 * @param [in] cursor Cursor 2457 * @param [out] creds Next credential cache entry 2458 * 2459 * This function fills in @a creds with the next entry in @a cache and advances 2460 * @a cursor. 2461 * 2462 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. 2463 * 2464 * @sa krb5_cc_start_seq_get(), krb5_end_seq_get() 2465 * 2466 * @retval 0 Success; otherwise - Kerberos error codes 2467 */ 2468 krb5_error_code KRB5_CALLCONV 2469 krb5_cc_next_cred(krb5_context context, krb5_ccache cache, 2470 krb5_cc_cursor *cursor, krb5_creds *creds); 2471 2472 /** 2473 * Finish a series of sequential processing credential cache entries. 2474 * 2475 * @param [in] context Library context 2476 * @param [in] cache Credential cache handle 2477 * @param [in] cursor Cursor 2478 * 2479 * This function finishes processing credential cache entries and invalidates 2480 * @a cursor. 2481 * 2482 * @sa krb5_cc_start_seq_get(), krb5_cc_next_cred() 2483 * 2484 * @retval 0 (always) 2485 */ 2486 krb5_error_code KRB5_CALLCONV 2487 krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, 2488 krb5_cc_cursor *cursor); 2489 2490 /** 2491 * Remove credentials from a credential cache. 2492 * 2493 * @param [in] context Library context 2494 * @param [in] cache Credential cache handle 2495 * @param [in] flags Bitwise-ORed search flags 2496 * @param [in] creds Credentials to be matched 2497 * 2498 * @warning This function is not implemented for some cache types. 2499 * 2500 * This function accepts the same flag values as krb5_cc_retrieve_cred(). 2501 * 2502 * @retval KRB5_CC_NOSUPP Not implemented for this cache type 2503 * @return No matches found; Data cannot be deleted; Kerberos error codes 2504 */ 2505 krb5_error_code KRB5_CALLCONV 2506 krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, 2507 krb5_creds *creds); 2508 2509 /** 2510 * Set options flags on a credential cache. 2511 * 2512 * @param [in] context Library context 2513 * @param [in] cache Credential cache handle 2514 * @param [in] flags Flag bit mask 2515 * 2516 * This function resets @a cache flags to @a flags. 2517 * 2518 * @retval 0 Success; otherwise - Kerberos error codes 2519 */ 2520 krb5_error_code KRB5_CALLCONV 2521 krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags); 2522 2523 /** 2524 * Retrieve flags from a credential cache structure. 2525 * 2526 * @param [in] context Library context 2527 * @param [in] cache Credential cache handle 2528 * @param [out] flags Flag bit mask 2529 * 2530 * @warning For memory credential cache always returns a flag mask of 0. 2531 * 2532 * @retval 0 Success; otherwise - Kerberos error codes 2533 */ 2534 krb5_error_code KRB5_CALLCONV 2535 krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags); 2536 2537 /** 2538 * Retrieve the type of a credential cache. 2539 * 2540 * @param [in] context Library context 2541 * @param [in] cache Credential cache handle 2542 * 2543 * @return The type of a credential cache as an alias that must not be modified 2544 * or freed by the caller. 2545 */ 2546 const char * KRB5_CALLCONV 2547 krb5_cc_get_type(krb5_context context, krb5_ccache cache); 2548 2549 /** 2550 * Move a credential cache. 2551 * 2552 * @param [in] context Library context 2553 * @param [in] src The credential cache to move the content from 2554 * @param [in] dst The credential cache to move the content to 2555 * 2556 * This function reinitializes @a dst and populates it with the credentials and 2557 * default principal of @a src; then, if successful, destroys @a src. 2558 * 2559 * @retval 2560 * 0 Success; @a src is closed. 2561 * @return 2562 * Kerberos error codes; @a src is still allocated. 2563 */ 2564 krb5_error_code KRB5_CALLCONV 2565 krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst); 2566 2567 /** 2568 * Prepare to iterate over the collection of known credential caches. 2569 * 2570 * @param [in] context Library context 2571 * @param [out] cursor Cursor 2572 * 2573 * Get a new cache iteration @a cursor that will iterate over all known 2574 * credential caches independent of type. 2575 * 2576 * Use krb5_cccol_cursor_free() to release @a cursor when it is no longer 2577 * needed. 2578 * 2579 * @sa krb5_cccol_cursor_next() 2580 * 2581 * @retval 0 Success; otherwise - Kerberos error codes 2582 */ 2583 krb5_error_code KRB5_CALLCONV 2584 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor); 2585 2586 /** 2587 * Get the next credential cache in the collection. 2588 * 2589 * @param [in] context Library context 2590 * @param [in] cursor Cursor 2591 * @param [out] ccache Credential cache handle 2592 * 2593 * @note When all caches are iterated over and the end of the list is reached, 2594 * @a ccache is set to NULL. 2595 * 2596 * Use krb5_cc_close() to close @a ccache when it is no longer needed. 2597 * 2598 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_free() 2599 * 2600 * @retval 0 Success; otherwise - Kerberos error codes 2601 */ 2602 krb5_error_code KRB5_CALLCONV 2603 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, 2604 krb5_ccache *ccache); 2605 2606 /** 2607 * Free a credential cache collection cursor. 2608 * 2609 * @param [in] context Library context 2610 * @param [in] cursor Cursor 2611 * 2612 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_next() 2613 * 2614 * @retval 0 Success; otherwise - Kerberos error codes 2615 */ 2616 krb5_error_code KRB5_CALLCONV 2617 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor); 2618 2619 /** 2620 * Check if the credential cache collection contains any initialized caches. 2621 * 2622 * @param [in] context Library context 2623 * 2624 * @version New in 1.11 2625 * 2626 * @retval 0 At least one initialized cache is present in the collection 2627 * @retval KRB5_CC_NOTFOUND The collection contains no caches 2628 */ 2629 krb5_error_code KRB5_CALLCONV 2630 krb5_cccol_have_content(krb5_context context); 2631 2632 /** 2633 * Create a new credential cache of the specified type with a unique name. 2634 * 2635 * @param [in] context Library context 2636 * @param [in] type Credential cache type name 2637 * @param [in] hint Unused 2638 * @param [out] id Credential cache handle 2639 * 2640 * @retval 2641 * 0 Success 2642 * @return 2643 * Kerberos error codes 2644 */ 2645 krb5_error_code KRB5_CALLCONV 2646 krb5_cc_new_unique(krb5_context context, const char *type, const char *hint, 2647 krb5_ccache *id); 2648 2649 /* 2650 * end "ccache.h" 2651 */ 2652 2653 /* 2654 * begin "rcache.h" 2655 */ 2656 2657 struct krb5_rc_st; 2658 typedef struct krb5_rc_st *krb5_rcache; 2659 2660 /* 2661 * end "rcache.h" 2662 */ 2663 2664 /* 2665 * begin "keytab.h" 2666 */ 2667 2668 2669 /* XXX */ 2670 #define MAX_KEYTAB_NAME_LEN 1100 /**< Long enough for MAXPATHLEN + some extra */ 2671 2672 typedef krb5_pointer krb5_kt_cursor; 2673 2674 /** A key table entry. */ 2675 typedef struct krb5_keytab_entry_st { 2676 krb5_magic magic; 2677 krb5_principal principal; /**< Principal of this key */ 2678 krb5_timestamp timestamp; /**< Time entry written to keytable */ 2679 krb5_kvno vno; /**< Key version number */ 2680 krb5_keyblock key; /**< The secret key */ 2681 } krb5_keytab_entry; 2682 2683 struct _krb5_kt; 2684 typedef struct _krb5_kt *krb5_keytab; 2685 2686 /** 2687 * Return the type of a key table. 2688 * 2689 * @param [in] context Library context 2690 * @param [in] keytab Key table handle 2691 * 2692 * @return The type of a key table as an alias that must not be modified or 2693 * freed by the caller. 2694 */ 2695 const char * KRB5_CALLCONV 2696 krb5_kt_get_type(krb5_context context, krb5_keytab keytab); 2697 2698 /** 2699 * Get a key table name. 2700 * 2701 * @param [in] context Library context 2702 * @param [in] keytab Key table handle 2703 * @param [out] name Key table name 2704 * @param [in] namelen Maximum length to fill in name 2705 * 2706 * Fill @a name with the name of @a keytab including the type and delimiter. 2707 * 2708 * @sa MAX_KEYTAB_NAME_LEN 2709 * 2710 * @retval 2711 * 0 Success 2712 * @retval 2713 * KRB5_KT_NAME_TOOLONG Key table name does not fit in @a namelen bytes 2714 * 2715 * @return 2716 * Kerberos error codes 2717 */ 2718 krb5_error_code KRB5_CALLCONV 2719 krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, 2720 unsigned int namelen); 2721 2722 /** 2723 * Close a key table handle. 2724 * 2725 * @param [in] context Library context 2726 * @param [in] keytab Key table handle 2727 * 2728 * @retval 0 2729 */ 2730 krb5_error_code KRB5_CALLCONV 2731 krb5_kt_close(krb5_context context, krb5_keytab keytab); 2732 2733 /** 2734 * Get an entry from a key table. 2735 * 2736 * @param [in] context Library context 2737 * @param [in] keytab Key table handle 2738 * @param [in] principal Principal name 2739 * @param [in] vno Key version number (0 for highest available) 2740 * @param [in] enctype Encryption type (0 zero for any enctype) 2741 * @param [out] entry Returned entry from key table 2742 * 2743 * Retrieve an entry from a key table which matches the @a keytab, @a 2744 * principal, @a vno, and @a enctype. If @a vno is zero, retrieve the 2745 * highest-numbered kvno matching the other fields. If @a enctype is 0, match 2746 * any enctype. 2747 * 2748 * Use krb5_free_keytab_entry_contents() to free @a entry when it is no longer 2749 * needed. 2750 * 2751 * @note If @a vno is zero, the function retrieves the highest-numbered-kvno 2752 * entry that matches the specified principal. 2753 * 2754 * @retval 2755 * 0 Success 2756 * @retval 2757 * Kerberos error codes on failure 2758 */ 2759 krb5_error_code KRB5_CALLCONV 2760 krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 2761 krb5_const_principal principal, krb5_kvno vno, 2762 krb5_enctype enctype, krb5_keytab_entry *entry); 2763 2764 /** 2765 * Start a sequential retrieval of key table entries. 2766 * 2767 * @param [in] context Library context 2768 * @param [in] keytab Key table handle 2769 * @param [out] cursor Cursor 2770 * 2771 * Prepare to read sequentially every key in the specified key table. Use 2772 * krb5_kt_end_seq_get() to release the cursor when it is no longer needed. 2773 * 2774 * @sa krb5_kt_next_entry(), krb5_kt_end_seq_get() 2775 * 2776 * @retval 2777 * 0 Success 2778 * @return 2779 * Kerberos error codes 2780 */ 2781 krb5_error_code KRB5_CALLCONV 2782 krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, 2783 krb5_kt_cursor *cursor); 2784 2785 /** 2786 * Retrieve the next entry from the key table. 2787 * 2788 * @param [in] context Library context 2789 * @param [in] keytab Key table handle 2790 * @param [out] entry Returned key table entry 2791 * @param [in] cursor Key table cursor 2792 * 2793 * Return the next sequential entry in @a keytab and advance @a cursor. 2794 * Callers must release the returned entry with krb5_kt_free_entry(). 2795 * 2796 * @sa krb5_kt_start_seq_get(), krb5_kt_end_seq_get() 2797 * 2798 * @retval 2799 * 0 Success 2800 * @retval 2801 * KRB5_KT_END - if the last entry was reached 2802 * @return 2803 * Kerberos error codes 2804 */ 2805 krb5_error_code KRB5_CALLCONV 2806 krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, 2807 krb5_keytab_entry *entry, krb5_kt_cursor *cursor); 2808 2809 /** 2810 * Release a keytab cursor. 2811 * 2812 * @param [in] context Library context 2813 * @param [in] keytab Key table handle 2814 * @param [out] cursor Cursor 2815 * 2816 * This function should be called to release the cursor created by 2817 * krb5_kt_start_seq_get(). 2818 * 2819 * @retval 2820 * 0 Success 2821 * @return 2822 * Kerberos error codes 2823 */ 2824 krb5_error_code KRB5_CALLCONV 2825 krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, 2826 krb5_kt_cursor *cursor); 2827 2828 /** 2829 * Check if a keytab exists and contains entries. 2830 * 2831 * @param [in] context Library context 2832 * @param [in] keytab Key table handle 2833 * 2834 * @version New in 1.11 2835 * 2836 * @retval 0 Keytab exists and contains entries 2837 * @retval KRB5_KT_NOTFOUND Keytab does not contain entries 2838 */ 2839 krb5_error_code KRB5_CALLCONV 2840 krb5_kt_have_content(krb5_context context, krb5_keytab keytab); 2841 2842 /* 2843 * end "keytab.h" 2844 */ 2845 2846 /* 2847 * begin "func-proto.h" 2848 */ 2849 2850 #define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */ 2851 #define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */ 2852 2853 /** 2854 * Create a krb5 library context. 2855 * 2856 * @param [out] context Library context 2857 * 2858 * The @a context must be released by calling krb5_free_context() when 2859 * it is no longer needed. 2860 * 2861 * @warning Any program or module that needs the Kerberos code to not trust the 2862 * environment must use krb5_init_secure_context(), or clean out the 2863 * environment. 2864 * 2865 * @retval 2866 * 0 Success 2867 * @return 2868 * Kerberos error codes 2869 */ 2870 krb5_error_code KRB5_CALLCONV 2871 krb5_init_context(krb5_context *context); 2872 2873 /** 2874 * Create a krb5 library context using only configuration files. 2875 * 2876 * @param [out] context Library context 2877 * 2878 * Create a context structure, using only system configuration files. All 2879 * information passed through the environment variables is ignored. 2880 * 2881 * The @a context must be released by calling krb5_free_context() when 2882 * it is no longer needed. 2883 * 2884 * @retval 2885 * 0 Success 2886 * @return 2887 * Kerberos error codes 2888 */ 2889 krb5_error_code KRB5_CALLCONV 2890 krb5_init_secure_context(krb5_context *context); 2891 2892 /** 2893 * Create a krb5 library context using a specified profile. 2894 * 2895 * @param [in] profile Profile object (NULL to create default profile) 2896 * @param [in] flags Context initialization flags 2897 * @param [out] context Library context 2898 * 2899 * Create a context structure, optionally using a specified profile and 2900 * initialization flags. If @a profile is NULL, the default profile will be 2901 * created from config files. If @a profile is non-null, a copy of it will be 2902 * made for the new context; the caller should still clean up its copy. Valid 2903 * flag values are: 2904 * 2905 * @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables 2906 * @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile 2907 */ 2908 krb5_error_code KRB5_CALLCONV 2909 krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags, 2910 krb5_context *context); 2911 2912 /** 2913 * Free a krb5 library context. 2914 * 2915 * @param [in] context Library context 2916 * 2917 * This function frees a @a context that was created by krb5_init_context() 2918 * or krb5_init_secure_context(). 2919 */ 2920 void KRB5_CALLCONV 2921 krb5_free_context(krb5_context context); 2922 2923 /** 2924 * Copy a krb5_context structure. 2925 * 2926 * @param [in] ctx Library context 2927 * @param [out] nctx_out New context structure 2928 * 2929 * The newly created context must be released by calling krb5_free_context() 2930 * when it is no longer needed. 2931 * 2932 * @retval 2933 * 0 Success 2934 * @return 2935 * Kerberos error codes 2936 */ 2937 krb5_error_code KRB5_CALLCONV 2938 krb5_copy_context(krb5_context ctx, krb5_context *nctx_out); 2939 2940 /** 2941 * Set default TGS encryption types in a krb5_context structure. 2942 * 2943 * @param [in] context Library context 2944 * @param [in] etypes Encryption type(s) to set 2945 * 2946 * This function sets the default enctype list for TGS requests 2947 * made using @a context to @a etypes. 2948 * 2949 * @note This overrides the default list (from config file or built-in). 2950 * 2951 * @retval 2952 * 0 Success 2953 * @retval 2954 * KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type 2955 * @return 2956 * Kerberos error codes 2957 */ 2958 krb5_error_code KRB5_CALLCONV 2959 krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes); 2960 2961 /** 2962 * Return a list of encryption types permitted for session keys. 2963 * 2964 * @param [in] context Library context 2965 * @param [out] ktypes Zero-terminated list of encryption types 2966 * 2967 * This function returns the list of encryption types permitted for session 2968 * keys within @a context, as determined by configuration or by a previous call 2969 * to krb5_set_default_tgs_enctypes(). 2970 * 2971 * Use krb5_free_enctypes() to free @a ktypes when it is no longer needed. 2972 * 2973 * @retval 0 Success; otherwise - Kerberos error codes 2974 */ 2975 krb5_error_code KRB5_CALLCONV 2976 krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes); 2977 2978 /** 2979 * Test whether the Kerberos library was built with multithread support. 2980 * 2981 * @retval 2982 * TRUE if the library is threadsafe; FALSE otherwise 2983 */ 2984 krb5_boolean KRB5_CALLCONV 2985 krb5_is_thread_safe(void); 2986 2987 /* libkrb.spec */ 2988 2989 /** 2990 * Decrypt a ticket using the specified key table. 2991 * 2992 * @param [in] context Library context 2993 * @param [in] kt Key table 2994 * @param [in] ticket Ticket to be decrypted 2995 * 2996 * This function takes a @a ticket as input and decrypts it using 2997 * key data from @a kt. The result is placed into @a ticket->enc_part2. 2998 * 2999 * @retval 0 Success; otherwise - Kerberos error codes 3000 */ 3001 krb5_error_code KRB5_CALLCONV 3002 krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, 3003 krb5_ticket *ticket); 3004 3005 /** 3006 * Free an array of credential structures. 3007 * 3008 * @param [in] context Library context 3009 * @param [in] tgts Null-terminated array of credentials to free 3010 * 3011 * @note The last entry in the array @a tgts must be a NULL pointer. 3012 */ 3013 void KRB5_CALLCONV 3014 krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); 3015 3016 #define KRB5_GC_USER_USER 1 /**< Want user-user ticket */ 3017 #define KRB5_GC_CACHED 2 /**< Want cached ticket only */ 3018 #define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */ 3019 #define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */ 3020 #define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */ 3021 #define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */ 3022 #define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */ 3023 3024 /** 3025 * Get an additional ticket. 3026 * 3027 * @param [in] context Library context 3028 * @param [in] options Options 3029 * @param [in] ccache Credential cache handle 3030 * @param [in] in_creds Input credentials 3031 * @param [out] out_creds Output updated credentials 3032 * 3033 * Use @a ccache or a TGS exchange to get a service ticket matching @a 3034 * in_creds. 3035 * 3036 * Valid values for @a options are: 3037 * @li #KRB5_GC_CACHED Search only credential cache for the ticket 3038 * @li #KRB5_GC_USER_USER Return a user to user authentication ticket 3039 * 3040 * @a in_creds must be non-null. @a in_creds->client and @a in_creds->server 3041 * must be filled in to specify the client and the server respectively. If any 3042 * authorization data needs to be requested for the service ticket (such as 3043 * restrictions on how the ticket can be used), specify it in @a 3044 * in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The 3045 * session key type is specified in @a in_creds->keyblock.enctype, if it is 3046 * nonzero. 3047 * 3048 * The expiration date is specified in @a in_creds->times.endtime. 3049 * The KDC may return tickets with an earlier expiration date. 3050 * If @a in_creds->times.endtime is set to 0, the latest possible 3051 * expiration date will be requested. 3052 * 3053 * Any returned ticket and intermediate ticket-granting tickets are stored 3054 * in @a ccache. 3055 * 3056 * Use krb5_free_creds() to free @a out_creds when it is no longer needed. 3057 * 3058 * @retval 3059 * 0 Success 3060 * @return 3061 * Kerberos error codes 3062 */ 3063 krb5_error_code KRB5_CALLCONV 3064 krb5_get_credentials(krb5_context context, krb5_flags options, 3065 krb5_ccache ccache, krb5_creds *in_creds, 3066 krb5_creds **out_creds); 3067 3068 /** 3069 * Serialize a @c krb5_creds object. 3070 * 3071 * @param [in] context Library context 3072 * @param [in] in_creds The credentials object to serialize 3073 * @param [out] data_out The serialized credentials 3074 * 3075 * Serialize @a creds in the format used by the FILE ccache format (vesion 4) 3076 * and KCM ccache protocol. 3077 * 3078 * Use krb5_free_data() to free @a data_out when it is no longer needed. 3079 * 3080 * @retval 0 Success; otherwise - Kerberos error codes 3081 */ 3082 krb5_error_code KRB5_CALLCONV 3083 krb5_marshal_credentials(krb5_context context, krb5_creds *in_creds, 3084 krb5_data **data_out); 3085 3086 /** 3087 * Deserialize a @c krb5_creds object. 3088 * 3089 * @param [in] context Library context 3090 * @param [in] data The serialized credentials 3091 * @param [out] creds_out The resulting creds object 3092 * 3093 * Deserialize @a data to credentials in the format used by the FILE ccache 3094 * format (vesion 4) and KCM ccache protocol. 3095 * 3096 * Use krb5_free_creds() to free @a creds_out when it is no longer needed. 3097 * 3098 * @retval 0 Success; otherwise - Kerberos error codes 3099 */ 3100 krb5_error_code KRB5_CALLCONV 3101 krb5_unmarshal_credentials(krb5_context context, const krb5_data *data, 3102 krb5_creds **creds_out); 3103 3104 /** @deprecated Replaced by krb5_get_validated_creds. */ 3105 krb5_error_code KRB5_CALLCONV 3106 krb5_get_credentials_validate(krb5_context context, krb5_flags options, 3107 krb5_ccache ccache, krb5_creds *in_creds, 3108 krb5_creds **out_creds); 3109 3110 /** @deprecated Replaced by krb5_get_renewed_creds. */ 3111 krb5_error_code KRB5_CALLCONV 3112 krb5_get_credentials_renew(krb5_context context, krb5_flags options, 3113 krb5_ccache ccache, krb5_creds *in_creds, 3114 krb5_creds **out_creds); 3115 3116 /** 3117 * Create a @c KRB_AP_REQ message. 3118 * 3119 * @param [in] context Library context 3120 * @param [in,out] auth_context Pre-existing or newly created auth context 3121 * @param [in] ap_req_options Options (see AP_OPTS macros) 3122 * @param [in] service Service name, or NULL to use @c "host" 3123 * @param [in] hostname Host name, or NULL to use local hostname 3124 * @param [in] in_data Application data to be checksummed in the 3125 * authenticator, or NULL 3126 * @param [in] ccache Credential cache used to obtain credentials 3127 * for the desired service. 3128 * @param [out] outbuf @c AP-REQ message 3129 * 3130 * This function is similar to krb5_mk_req_extended() except that it uses a 3131 * given @a hostname, @a service, and @a ccache to construct a service 3132 * principal name and obtain credentials. 3133 * 3134 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3135 * 3136 * @retval 0 Success; otherwise - Kerberos error codes 3137 */ 3138 krb5_error_code KRB5_CALLCONV 3139 krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, 3140 krb5_flags ap_req_options, const char *service, 3141 const char *hostname, krb5_data *in_data, krb5_ccache ccache, 3142 krb5_data *outbuf); 3143 3144 /** 3145 * Create a @c KRB_AP_REQ message using supplied credentials. 3146 * 3147 * @param [in] context Library context 3148 * @param [in,out] auth_context Pre-existing or newly created auth context 3149 * @param [in] ap_req_options Options (see AP_OPTS macros) 3150 * @param [in] in_data Application data to be checksummed in the 3151 * authenticator, or NULL 3152 * @param [in] in_creds Credentials for the service with valid ticket 3153 * and key 3154 * @param [out] outbuf @c AP-REQ message 3155 * 3156 * Valid @a ap_req_options are: 3157 * @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the 3158 * request used for user to user 3159 * authentication. 3160 * @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from 3161 * the receiver. 3162 * @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current 3163 * session key obtained from the credentials. 3164 * 3165 * This function creates a KRB_AP_REQ message using supplied credentials @a 3166 * in_creds. @a auth_context may point to an existing auth context or to NULL, 3167 * in which case a new one will be created. If @a in_data is non-null, a 3168 * checksum of it will be included in the authenticator contained in the 3169 * KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it 3170 * is no longer needed. 3171 * 3172 * On successful return, the authenticator is stored in @a auth_context with 3173 * the @a client and @a checksum fields nulled out. (This is to prevent 3174 * pointer-sharing problems; the caller should not need these fields anyway, 3175 * since the caller supplied them.) 3176 * 3177 * @sa krb5_mk_req() 3178 * 3179 * @retval 0 Success; otherwise - Kerberos error codes 3180 */ 3181 krb5_error_code KRB5_CALLCONV 3182 krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, 3183 krb5_flags ap_req_options, krb5_data *in_data, 3184 krb5_creds *in_creds, krb5_data *outbuf); 3185 3186 /** 3187 * Format and encrypt a @c KRB_AP_REP message. 3188 * 3189 * @param [in] context Library context 3190 * @param [in] auth_context Authentication context 3191 * @param [out] outbuf @c AP-REP message 3192 * 3193 * This function fills in @a outbuf with an AP-REP message using information 3194 * from @a auth_context. 3195 * 3196 * If the flags in @a auth_context indicate that a sequence number should be 3197 * used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or 3198 * #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a 3199 * auth_context is 0, a new number will be generated with 3200 * krb5_generate_seq_number(). 3201 * 3202 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3203 * 3204 * @retval 0 Success; otherwise - Kerberos error codes 3205 */ 3206 krb5_error_code KRB5_CALLCONV 3207 krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); 3208 3209 /** 3210 * Format and encrypt a @c KRB_AP_REP message for DCE RPC. 3211 * 3212 * @param [in] context Library context 3213 * @param [in] auth_context Authentication context 3214 * @param [out] outbuf @c AP-REP message 3215 * 3216 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3217 * 3218 * @retval 0 Success; otherwise - Kerberos error codes 3219 */ 3220 krb5_error_code KRB5_CALLCONV 3221 krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); 3222 3223 /** 3224 * Parse and decrypt a @c KRB_AP_REP message. 3225 * 3226 * @param [in] context Library context 3227 * @param [in] auth_context Authentication context 3228 * @param [in] inbuf AP-REP message 3229 * @param [out] repl Decrypted reply message 3230 * 3231 * This function parses, decrypts and verifies a message from @a inbuf and 3232 * fills in @a repl with a pointer to allocated memory containing the fields 3233 * from the encrypted response. 3234 * 3235 * Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed. 3236 * 3237 * @retval 0 Success; otherwise - Kerberos error codes 3238 */ 3239 krb5_error_code KRB5_CALLCONV 3240 krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, 3241 const krb5_data *inbuf, krb5_ap_rep_enc_part **repl); 3242 3243 /** 3244 * Parse and decrypt a @c KRB_AP_REP message for DCE RPC. 3245 * 3246 * @param [in] context Library context 3247 * @param [in] auth_context Authentication context 3248 * @param [in] inbuf AP-REP message 3249 * @param [out] nonce Sequence number from the decrypted reply 3250 * 3251 * This function parses, decrypts and verifies a message from @a inbuf and 3252 * fills in @a nonce with a decrypted reply sequence number. 3253 * 3254 * @retval 0 Success; otherwise - Kerberos error codes 3255 */ 3256 krb5_error_code KRB5_CALLCONV 3257 krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, 3258 const krb5_data *inbuf, krb5_ui_4 *nonce); 3259 3260 /** 3261 * Format and encode a @c KRB_ERROR message. 3262 * 3263 * @param [in] context Library context 3264 * @param [in] dec_err Error structure to be encoded 3265 * @param [out] enc_err Encoded error structure 3266 * 3267 * This function creates a @c KRB_ERROR message in @a enc_err. Use 3268 * krb5_free_data_contents() to free @a enc_err when it is no longer needed. 3269 * 3270 * @retval 0 Success; otherwise - Kerberos error codes 3271 */ 3272 krb5_error_code KRB5_CALLCONV 3273 krb5_mk_error(krb5_context context, const krb5_error *dec_err, 3274 krb5_data *enc_err); 3275 3276 /** 3277 * Decode a @c KRB-ERROR message. 3278 * 3279 * @param [in] context Library context 3280 * @param [in] enc_errbuf Encoded error message 3281 * @param [out] dec_error Decoded error message 3282 * 3283 * This function processes @c KRB-ERROR message @a enc_errbuf and returns 3284 * an allocated structure @a dec_error containing the error message. 3285 * Use krb5_free_error() to free @a dec_error when it is no longer needed. 3286 * 3287 * @retval 0 Success; otherwise - Kerberos error codes 3288 */ 3289 krb5_error_code KRB5_CALLCONV 3290 krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, 3291 krb5_error **dec_error); 3292 3293 /** 3294 * Process @c KRB-SAFE message. 3295 * 3296 * @param [in] context Library context 3297 * @param [in] auth_context Authentication context 3298 * @param [in] inbuf @c KRB-SAFE message to be parsed 3299 * @param [out] userdata_out Data parsed from @c KRB-SAFE message 3300 * @param [out] rdata_out Replay data. Specify NULL if not needed 3301 * 3302 * This function parses a @c KRB-SAFE message, verifies its integrity, and 3303 * stores its data into @a userdata_out. 3304 * 3305 * @note The @a rdata_out argument is required if the 3306 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 3307 * in @a auth_context. 3308 * 3309 * If @a auth_context has a remote address set, the address will be used to 3310 * verify the sender address in the KRB-SAFE message. If @a auth_context has a 3311 * local address set, it will be used to verify the receiver address in the 3312 * KRB-SAFE message if the message contains one. 3313 * 3314 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the 3315 * sequence number of the KRB-SAFE message is checked against the remote 3316 * sequence number field of @a auth_context. Otherwise, the sequence number is 3317 * not used. 3318 * 3319 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the 3320 * timestamp in the message is verified to be within the permitted clock skew 3321 * of the current time, and the message is checked against an in-memory replay 3322 * cache to detect reflections or replays. 3323 * 3324 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer 3325 * needed. 3326 * 3327 * @retval 0 Success; otherwise - Kerberos error codes 3328 */ 3329 krb5_error_code KRB5_CALLCONV 3330 krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, 3331 const krb5_data *inbuf, krb5_data *userdata_out, 3332 krb5_replay_data *rdata_out); 3333 3334 /** 3335 * Process a @c KRB-PRIV message. 3336 * 3337 * @param [in] context Library context 3338 * @param [in] auth_context Authentication structure 3339 * @param [in] inbuf @c KRB-PRIV message to be parsed 3340 * @param [out] userdata_out Data parsed from @c KRB-PRIV message 3341 * @param [out] rdata_out Replay data. Specify NULL if not needed 3342 * 3343 * This function parses a @c KRB-PRIV message, verifies its integrity, and 3344 * stores its unencrypted data into @a userdata_out. 3345 * 3346 * @note The @a rdata_out argument is required if the 3347 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 3348 * in @a auth_context. 3349 * 3350 * If @a auth_context has a remote address set, the address will be used to 3351 * verify the sender address in the KRB-PRIV message. If @a auth_context has a 3352 * local address set, it will be used to verify the receiver address in the 3353 * KRB-PRIV message if the message contains one. 3354 * 3355 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the 3356 * sequence number of the KRB-PRIV message is checked against the remote 3357 * sequence number field of @a auth_context. Otherwise, the sequence number is 3358 * not used. 3359 * 3360 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the 3361 * timestamp in the message is verified to be within the permitted clock skew 3362 * of the current time, and the message is checked against an in-memory replay 3363 * cache to detect reflections or replays. 3364 * 3365 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer 3366 * needed. 3367 * 3368 * @retval 0 Success; otherwise - Kerberos error codes 3369 */ 3370 krb5_error_code KRB5_CALLCONV 3371 krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, 3372 const krb5_data *inbuf, krb5_data *userdata_out, 3373 krb5_replay_data *rdata_out); 3374 3375 /** 3376 * Convert a string principal name to a krb5_principal structure. 3377 * 3378 * @param [in] context Library context 3379 * @param [in] name String representation of a principal name 3380 * @param [out] principal_out New principal 3381 * 3382 * Convert a string representation of a principal name to a krb5_principal 3383 * structure. 3384 * 3385 * A string representation of a Kerberos name consists of one or more principal 3386 * name components, separated by slashes, optionally followed by the \@ 3387 * character and a realm name. If the realm name is not specified, the local 3388 * realm is used. 3389 * 3390 * To use the slash and \@ symbols as part of a component (quoted) instead of 3391 * using them as a component separator or as a realm prefix), put a backslash 3392 * (\) character in front of the symbol. Similarly, newline, tab, backspace, 3393 * and NULL characters can be included in a component by using @c n, @c t, @c b 3394 * or @c 0, respectively. 3395 * 3396 * @note The realm in a Kerberos @a name cannot contain slash, colon, 3397 * or NULL characters. 3398 * 3399 * Beginning with release 1.20, the name type of the principal will be inferred 3400 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 3401 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 3402 * 3403 * Use krb5_free_principal() to free @a principal_out when it is no longer 3404 * needed. 3405 * 3406 * @retval 3407 * 0 Success 3408 * @return 3409 * Kerberos error codes 3410 */ 3411 krb5_error_code KRB5_CALLCONV 3412 krb5_parse_name(krb5_context context, const char *name, 3413 krb5_principal *principal_out); 3414 3415 #define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */ 3416 #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */ 3417 #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component 3418 enterprise principle */ 3419 #define KRB5_PRINCIPAL_PARSE_IGNORE_REALM 0x8 /**< Ignore realm if present */ 3420 #define KRB5_PRINCIPAL_PARSE_NO_DEF_REALM 0x10 /**< Don't add default realm */ 3421 3422 /** 3423 * Convert a string principal name to a krb5_principal with flags. 3424 * 3425 * @param [in] context Library context 3426 * @param [in] name String representation of a principal name 3427 * @param [in] flags Flag 3428 * @param [out] principal_out New principal 3429 * 3430 * Similar to krb5_parse_name(), this function converts a single-string 3431 * representation of a principal name to a krb5_principal structure. 3432 * 3433 * The following flags are valid: 3434 * @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name 3435 * @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name 3436 * @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise 3437 * principal 3438 * @li #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in @a name 3439 * 3440 * If @c KRB5_PRINCIPAL_PARSE_NO_REALM or @c KRB5_PRINCIPAL_PARSE_IGNORE_REALM 3441 * is specified in @a flags, the realm of the new principal will be empty. 3442 * Otherwise, the default realm for @a context will be used if @a name does not 3443 * specify a realm. 3444 * 3445 * Use krb5_free_principal() to free @a principal_out when it is no longer 3446 * needed. 3447 * 3448 * @retval 3449 * 0 Success 3450 * @return 3451 * Kerberos error codes 3452 */ 3453 krb5_error_code KRB5_CALLCONV 3454 krb5_parse_name_flags(krb5_context context, const char *name, 3455 int flags, krb5_principal *principal_out); 3456 3457 /** 3458 * Convert a krb5_principal structure to a string representation. 3459 * 3460 * @param [in] context Library context 3461 * @param [in] principal Principal 3462 * @param [out] name String representation of principal name 3463 * 3464 * The resulting string representation uses the format and quoting conventions 3465 * described for krb5_parse_name(). 3466 * 3467 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. 3468 * 3469 * @retval 3470 * 0 Success 3471 * @return 3472 * Kerberos error codes 3473 */ 3474 krb5_error_code KRB5_CALLCONV 3475 krb5_unparse_name(krb5_context context, krb5_const_principal principal, 3476 char **name); 3477 3478 /** 3479 * Convert krb5_principal structure to string and length. 3480 * 3481 * @param [in] context Library context 3482 * @param [in] principal Principal 3483 * @param [in,out] name String representation of principal name 3484 * @param [in,out] size Size of unparsed name 3485 * 3486 * This function is similar to krb5_unparse_name(), but allows the use of an 3487 * existing buffer for the result. If size is not NULL, then @a name must 3488 * point to either NULL or an existing buffer of at least the size pointed to 3489 * by @a size. The buffer will be allocated or resized if necessary, with the 3490 * new pointer stored into @a name. Whether or not the buffer is resized, the 3491 * necessary space for the result, including null terminator, will be stored 3492 * into @a size. 3493 * 3494 * If size is NULL, this function behaves exactly as krb5_unparse_name(). 3495 * 3496 * @retval 3497 * 0 Success 3498 * @return 3499 * Kerberos error codes. On failure @a name is set to NULL 3500 */ 3501 krb5_error_code KRB5_CALLCONV 3502 krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, 3503 char **name, unsigned int *size); 3504 3505 #define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */ 3506 #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */ 3507 #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */ 3508 3509 /** 3510 * Convert krb5_principal structure to a string with flags. 3511 * 3512 * @param [in] context Library context 3513 * @param [in] principal Principal 3514 * @param [in] flags Flags 3515 * @param [out] name String representation of principal name 3516 * 3517 * Similar to krb5_unparse_name(), this function converts a krb5_principal 3518 * structure to a string representation. 3519 * 3520 * The following flags are valid: 3521 * @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm 3522 * @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm 3523 * @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters 3524 * 3525 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. 3526 * 3527 * @retval 3528 * 0 Success 3529 * @return 3530 * Kerberos error codes. On failure @a name is set to NULL 3531 */ 3532 krb5_error_code KRB5_CALLCONV 3533 krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, 3534 int flags, char **name); 3535 3536 /** 3537 * Convert krb5_principal structure to string format with flags. 3538 * 3539 * @param [in] context Library context 3540 * @param [in] principal Principal 3541 * @param [in] flags Flags 3542 * @param [out] name Single string format of principal name 3543 * @param [out] size Size of unparsed name buffer 3544 * 3545 * @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext() 3546 * 3547 * @retval 3548 * 0 Success 3549 * @return 3550 * Kerberos error codes. On failure @a name is set to NULL 3551 */ 3552 krb5_error_code KRB5_CALLCONV 3553 krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, 3554 int flags, char **name, unsigned int *size); 3555 3556 /** 3557 * Set the realm field of a principal 3558 * 3559 * @param [in] context Library context 3560 * @param [in] principal Principal name 3561 * @param [in] realm Realm name 3562 * 3563 * Set the realm name part of @a principal to @a realm, overwriting the 3564 * previous realm. 3565 * 3566 * @retval 3567 * 0 Success 3568 * @return 3569 * Kerberos error codes 3570 */ 3571 krb5_error_code KRB5_CALLCONV 3572 krb5_set_principal_realm(krb5_context context, krb5_principal principal, 3573 const char *realm); 3574 3575 /** 3576 * Search a list of addresses for a specified address. 3577 * 3578 * @param [in] context Library context 3579 * @param [in] addr Address to search for 3580 * @param [in] addrlist Address list to be searched (or NULL) 3581 * 3582 * @note If @a addrlist contains only a NetBIOS addresses, it will be treated 3583 * as a null list. 3584 * 3585 * @return 3586 * TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE 3587 * otherwise 3588 */ 3589 krb5_boolean KRB5_CALLCONV_WRONG 3590 krb5_address_search(krb5_context context, const krb5_address *addr, 3591 krb5_address *const *addrlist); 3592 3593 /** 3594 * Compare two Kerberos addresses. 3595 * 3596 * @param [in] context Library context 3597 * @param [in] addr1 First address to be compared 3598 * @param [in] addr2 Second address to be compared 3599 * 3600 * @return 3601 * TRUE if the addresses are the same, FALSE otherwise 3602 */ 3603 krb5_boolean KRB5_CALLCONV 3604 krb5_address_compare(krb5_context context, const krb5_address *addr1, 3605 const krb5_address *addr2); 3606 3607 /** 3608 * Return an ordering of the specified addresses. 3609 * 3610 * @param [in] context Library context 3611 * @param [in] addr1 First address 3612 * @param [in] addr2 Second address 3613 * 3614 * @retval 0 if The two addresses are the same 3615 * @retval < 0 First address is less than second 3616 * @retval > 0 First address is greater than second 3617 */ 3618 int KRB5_CALLCONV 3619 krb5_address_order(krb5_context context, const krb5_address *addr1, 3620 const krb5_address *addr2); 3621 3622 /** 3623 * Compare the realms of two principals. 3624 * 3625 * @param [in] context Library context 3626 * @param [in] princ1 First principal 3627 * @param [in] princ2 Second principal 3628 * 3629 * @retval 3630 * TRUE if the realm names are the same; FALSE otherwise 3631 */ 3632 krb5_boolean KRB5_CALLCONV 3633 krb5_realm_compare(krb5_context context, krb5_const_principal princ1, 3634 krb5_const_principal princ2); 3635 3636 /** 3637 * Compare two principals. 3638 * 3639 * @param [in] context Library context 3640 * @param [in] princ1 First principal 3641 * @param [in] princ2 Second principal 3642 * 3643 * @retval 3644 * TRUE if the principals are the same; FALSE otherwise 3645 */ 3646 krb5_boolean KRB5_CALLCONV 3647 krb5_principal_compare(krb5_context context, 3648 krb5_const_principal princ1, 3649 krb5_const_principal princ2); 3650 3651 /** 3652 * Compare two principals ignoring realm components. 3653 * 3654 * @param [in] context Library context 3655 * @param [in] princ1 First principal 3656 * @param [in] princ2 Second principal 3657 * 3658 * Similar to krb5_principal_compare(), but do not compare the realm 3659 * components of the principals. 3660 * 3661 * @retval 3662 * TRUE if the principals are the same; FALSE otherwise 3663 */ 3664 krb5_boolean KRB5_CALLCONV 3665 krb5_principal_compare_any_realm(krb5_context context, 3666 krb5_const_principal princ1, 3667 krb5_const_principal princ2); 3668 3669 #define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */ 3670 #define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */ 3671 #define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */ 3672 #define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */ 3673 3674 /** 3675 * Compare two principals with additional flags. 3676 * 3677 * @param [in] context Library context 3678 * @param [in] princ1 First principal 3679 * @param [in] princ2 Second principal 3680 * @param [in] flags Flags 3681 * 3682 * Valid flags are: 3683 * @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component 3684 * @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals 3685 * @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive 3686 * @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8 3687 * 3688 * @sa krb5_principal_compare() 3689 * 3690 * @retval 3691 * TRUE if the principal names are the same; FALSE otherwise 3692 */ 3693 krb5_boolean KRB5_CALLCONV 3694 krb5_principal_compare_flags(krb5_context context, 3695 krb5_const_principal princ1, 3696 krb5_const_principal princ2, 3697 int flags); 3698 3699 /** 3700 * Initialize an empty @c krb5_keyblock. 3701 * 3702 * @param [in] context Library context 3703 * @param [in] enctype Encryption type 3704 * @param [in] length Length of keyblock (or 0) 3705 * @param [out] out New keyblock structure 3706 * 3707 * Initialize a new keyblock and allocate storage for the contents of the key. 3708 * It is legal to pass in a length of 0, in which case contents are left 3709 * unallocated. Use krb5_free_keyblock() to free @a out when it is no longer 3710 * needed. 3711 * 3712 * @note If @a length is set to 0, contents are left unallocated. 3713 * 3714 * @retval 0 Success; otherwise - Kerberos error codes 3715 */ 3716 krb5_error_code KRB5_CALLCONV 3717 krb5_init_keyblock(krb5_context context, krb5_enctype enctype, 3718 size_t length, krb5_keyblock **out); 3719 3720 /** 3721 * Copy a keyblock. 3722 * 3723 * @param [in] context Library context 3724 * @param [in] from Keyblock to be copied 3725 * @param [out] to Copy of keyblock @a from 3726 * 3727 * This function creates a new keyblock with the same contents as @a from. Use 3728 * krb5_free_keyblock() to free @a to when it is no longer needed. 3729 * 3730 * @retval 0 Success; otherwise - Kerberos error codes 3731 */ 3732 krb5_error_code KRB5_CALLCONV 3733 krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, 3734 krb5_keyblock **to); 3735 3736 /** 3737 * Copy the contents of a keyblock. 3738 * 3739 * @param [in] context Library context 3740 * @param [in] from Key to be copied 3741 * @param [out] to Output key 3742 * 3743 * This function copies the contents of @a from to @a to. Use 3744 * krb5_free_keyblock_contents() to free @a to when it is no longer needed. 3745 * 3746 * @retval 0 Success; otherwise - Kerberos error codes 3747 */ 3748 krb5_error_code KRB5_CALLCONV 3749 krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from, 3750 krb5_keyblock *to); 3751 3752 /** 3753 * Copy a krb5_creds structure. 3754 * 3755 * @param [in] context Library context 3756 * @param [in] incred Credentials structure to be copied 3757 * @param [out] outcred Copy of @a incred 3758 * 3759 * This function creates a new credential with the contents of @a incred. Use 3760 * krb5_free_creds() to free @a outcred when it is no longer needed. 3761 * 3762 * @retval 0 Success; otherwise - Kerberos error codes 3763 */ 3764 krb5_error_code KRB5_CALLCONV 3765 krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred); 3766 3767 /** 3768 * Copy a krb5_data object. 3769 * 3770 * @param [in] context Library context 3771 * @param [in] indata Data object to be copied 3772 * @param [out] outdata Copy of @a indata 3773 * 3774 * This function creates a new krb5_data object with the contents of @a indata. 3775 * Use krb5_free_data() to free @a outdata when it is no longer needed. 3776 * 3777 * @retval 0 Success; otherwise - Kerberos error codes 3778 */ 3779 krb5_error_code KRB5_CALLCONV 3780 krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata); 3781 3782 /** 3783 * Copy a principal. 3784 * 3785 * @param [in] context Library context 3786 * @param [in] inprinc Principal to be copied 3787 * @param [out] outprinc Copy of @a inprinc 3788 * 3789 * This function creates a new principal structure with the contents of @a 3790 * inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer 3791 * needed. 3792 * 3793 * @retval 0 Success; otherwise - Kerberos error codes 3794 */ 3795 krb5_error_code KRB5_CALLCONV 3796 krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, 3797 krb5_principal *outprinc); 3798 3799 /** 3800 * Copy an array of addresses. 3801 * 3802 * @param [in] context Library context 3803 * @param [in] inaddr Array of addresses to be copied 3804 * @param [out] outaddr Copy of array of addresses 3805 * 3806 * This function creates a new address array containing a copy of @a inaddr. 3807 * Use krb5_free_addresses() to free @a outaddr when it is no longer needed. 3808 * 3809 * @retval 0 Success; otherwise - Kerberos error codes 3810 */ 3811 krb5_error_code KRB5_CALLCONV 3812 krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, 3813 krb5_address ***outaddr); 3814 3815 /** 3816 * Copy a krb5_ticket structure. 3817 * 3818 * @param [in] context Library context 3819 * @param [in] from Ticket to be copied 3820 * @param [out] pto Copy of ticket 3821 * 3822 * This function creates a new krb5_ticket structure containing the contents of 3823 * @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed. 3824 * 3825 * @retval 0 Success; otherwise - Kerberos error codes 3826 */ 3827 krb5_error_code KRB5_CALLCONV 3828 krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto); 3829 3830 /** 3831 * Copy an authorization data list. 3832 * 3833 * @param [in] context Library context 3834 * @param [in] in_authdat List of @a krb5_authdata structures 3835 * @param [out] out New array of @a krb5_authdata structures 3836 * 3837 * This function creates a new authorization data list containing a copy of @a 3838 * in_authdat, which must be null-terminated. Use krb5_free_authdata() to free 3839 * @a out when it is no longer needed. 3840 * 3841 * @note The last array entry in @a in_authdat must be a NULL pointer. 3842 * 3843 * @retval 0 Success; otherwise - Kerberos error codes 3844 */ 3845 krb5_error_code KRB5_CALLCONV 3846 krb5_copy_authdata(krb5_context context, 3847 krb5_authdata *const *in_authdat, krb5_authdata ***out); 3848 3849 /** 3850 * Find authorization data elements. 3851 * 3852 * @param [in] context Library context 3853 * @param [in] ticket_authdata Authorization data list from ticket 3854 * @param [in] ap_req_authdata Authorization data list from AP request 3855 * @param [in] ad_type Authorization data type to find 3856 * @param [out] results List of matching entries 3857 * 3858 * This function searches @a ticket_authdata and @a ap_req_authdata for 3859 * elements of type @a ad_type. Either input list may be NULL, in which case 3860 * it will not be searched; otherwise, the input lists must be terminated by 3861 * NULL entries. This function will search inside AD-IF-RELEVANT containers if 3862 * found in either list. Use krb5_free_authdata() to free @a results when it 3863 * is no longer needed. 3864 * 3865 * @version New in 1.10 3866 */ 3867 krb5_error_code KRB5_CALLCONV 3868 krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, 3869 krb5_authdata *const *ap_req_authdata, 3870 krb5_authdatatype ad_type, krb5_authdata ***results); 3871 3872 /** 3873 * Merge two authorization data lists into a new list. 3874 * 3875 * @param [in] context Library context 3876 * @param [in] inauthdat1 First list of @a krb5_authdata structures 3877 * @param [in] inauthdat2 Second list of @a krb5_authdata structures 3878 * @param [out] outauthdat Merged list of @a krb5_authdata structures 3879 * 3880 * Merge two authdata arrays, such as the array from a ticket 3881 * and authenticator. 3882 * Use krb5_free_authdata() to free @a outauthdat when it is no longer needed. 3883 * 3884 * @note The last array entry in @a inauthdat1 and @a inauthdat2 3885 * must be a NULL pointer. 3886 * 3887 * @retval 0 Success; otherwise - Kerberos error codes 3888 */ 3889 krb5_error_code KRB5_CALLCONV 3890 krb5_merge_authdata(krb5_context context, 3891 krb5_authdata *const *inauthdat1, 3892 krb5_authdata * const *inauthdat2, 3893 krb5_authdata ***outauthdat); 3894 3895 /** 3896 * Copy a krb5_authenticator structure. 3897 * 3898 * @param [in] context Library context 3899 * @param [in] authfrom krb5_authenticator structure to be copied 3900 * @param [out] authto Copy of krb5_authenticator structure 3901 * 3902 * This function creates a new krb5_authenticator structure with the content of 3903 * @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no 3904 * longer needed. 3905 * 3906 * @retval 0 Success; otherwise - Kerberos error codes 3907 */ 3908 krb5_error_code KRB5_CALLCONV 3909 krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, 3910 krb5_authenticator **authto); 3911 3912 /** 3913 * Copy a krb5_checksum structure. 3914 * 3915 * @param [in] context Library context 3916 * @param [in] ckfrom Checksum to be copied 3917 * @param [out] ckto Copy of krb5_checksum structure 3918 * 3919 * This function creates a new krb5_checksum structure with the contents of @a 3920 * ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer 3921 * needed. 3922 * 3923 * @retval 0 Success; otherwise - Kerberos error codes 3924 */ 3925 krb5_error_code KRB5_CALLCONV 3926 krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, 3927 krb5_checksum **ckto); 3928 3929 /** 3930 * Generate a replay cache object for server use and open it. 3931 * 3932 * @param [in] context Library context 3933 * @param [in] piece Unused (replay cache identifier) 3934 * @param [out] rcptr Handle to an open rcache 3935 * 3936 * This function creates a handle to the default replay cache. Use 3937 * krb5_rc_close() to close @a rcptr when it is no longer needed. 3938 * 3939 * @version Prior to release 1.18, this function creates a handle to a 3940 * different replay cache for each unique value of @a piece. 3941 * 3942 * @retval 0 Success; otherwise - Kerberos error codes 3943 */ 3944 krb5_error_code KRB5_CALLCONV 3945 krb5_get_server_rcache(krb5_context context, const krb5_data *piece, 3946 krb5_rcache *rcptr); 3947 3948 /** 3949 * Build a principal name using length-counted strings. 3950 * 3951 * @param [in] context Library context 3952 * @param [out] princ Principal name 3953 * @param [in] rlen Realm name length 3954 * @param [in] realm Realm name 3955 * @param [in] ... List of unsigned int/char * components, followed by 0 3956 * 3957 * This function creates a principal from a length-counted string and a 3958 * variable-length list of length-counted components. The list of components 3959 * ends with the first 0 length argument (so it is not possible to specify an 3960 * empty component with this function). Call krb5_free_principal() to free 3961 * allocated memory for principal when it is no longer needed. 3962 * 3963 * Beginning with release 1.20, the name type of the principal will be inferred 3964 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 3965 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 3966 * 3967 * @code 3968 * Example of how to build principal WELLKNOWN/ANONYMOUS@R 3969 * krb5_build_principal_ext(context, &principal, strlen("R"), "R", 3970 * (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR), 3971 * KRB5_WELLKNOWN_NAMESTR, 3972 * (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR), 3973 * KRB5_ANONYMOUS_PRINCSTR, 0); 3974 * @endcode 3975 * 3976 * @retval 3977 * 0 Success 3978 * @return 3979 * Kerberos error codes 3980 */ 3981 krb5_error_code KRB5_CALLCONV_C 3982 krb5_build_principal_ext(krb5_context context, krb5_principal * princ, 3983 unsigned int rlen, const char * realm, ...); 3984 3985 /** 3986 * Build a principal name using null-terminated strings. 3987 * 3988 * @param [in] context Library context 3989 * @param [out] princ Principal name 3990 * @param [in] rlen Realm name length 3991 * @param [in] realm Realm name 3992 * @param [in] ... List of char * components, ending with NULL 3993 * 3994 * Call krb5_free_principal() to free @a princ when it is no longer needed. 3995 * 3996 * Beginning with release 1.20, the name type of the principal will be inferred 3997 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 3998 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 3999 * 4000 * @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the 4001 * same task. krb5_build_principal() takes variadic arguments. 4002 * krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer. 4003 * 4004 * @code 4005 * Example of how to build principal H/S@R 4006 * krb5_build_principal(context, &principal, 4007 * strlen("R"), "R", "H", "S", (char*)NULL); 4008 * @endcode 4009 * 4010 * @retval 4011 * 0 Success 4012 * @return 4013 * Kerberos error codes 4014 */ 4015 krb5_error_code KRB5_CALLCONV_C 4016 krb5_build_principal(krb5_context context, 4017 krb5_principal * princ, 4018 unsigned int rlen, 4019 const char * realm, ...) 4020 #if __GNUC__ >= 4 4021 __attribute__ ((sentinel)) 4022 #endif 4023 ; 4024 #if KRB5_DEPRECATED 4025 /** @deprecated Replaced by krb5_build_principal_alloc_va(). */ 4026 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 4027 krb5_build_principal_va(krb5_context context, 4028 krb5_principal princ, 4029 unsigned int rlen, 4030 const char *realm, 4031 va_list ap); 4032 #endif 4033 4034 /** 4035 * Build a principal name, using a precomputed variable argument list 4036 * 4037 * @param [in] context Library context 4038 * @param [out] princ Principal structure 4039 * @param [in] rlen Realm name length 4040 * @param [in] realm Realm name 4041 * @param [in] ap List of char * components, ending with NULL 4042 * 4043 * Similar to krb5_build_principal(), this function builds a principal name, 4044 * but its name components are specified as a va_list. 4045 * 4046 * Use krb5_free_principal() to deallocate @a princ when it is no longer 4047 * needed. 4048 * 4049 * @code 4050 * Function usage example: 4051 * va_list ap; 4052 * va_start(ap, realm); 4053 * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap); 4054 * va_end(ap); 4055 * @endcode 4056 * 4057 * @retval 4058 * 0 Success 4059 * @return 4060 * Kerberos error codes 4061 */ 4062 krb5_error_code KRB5_CALLCONV 4063 krb5_build_principal_alloc_va(krb5_context context, 4064 krb5_principal *princ, 4065 unsigned int rlen, 4066 const char *realm, 4067 va_list ap); 4068 4069 /** 4070 * Convert a Kerberos V4 principal to a Kerberos V5 principal. 4071 * 4072 * @param [in] context Library context 4073 * @param [in] name V4 name 4074 * @param [in] instance V4 instance 4075 * @param [in] realm Realm 4076 * @param [out] princ V5 principal 4077 * 4078 * This function builds a @a princ from V4 specification based on given input 4079 * @a name.instance\@realm. 4080 * 4081 * Use krb5_free_principal() to free @a princ when it is no longer needed. 4082 * 4083 * @retval 0 Success; otherwise - Kerberos error codes 4084 */ 4085 krb5_error_code KRB5_CALLCONV 4086 krb5_425_conv_principal(krb5_context context, const char *name, 4087 const char *instance, const char *realm, 4088 krb5_principal *princ); 4089 4090 /** 4091 * Convert a Kerberos V5 principal to a Kerberos V4 principal. 4092 * 4093 * @param [in] context Library context 4094 * @param [in] princ V5 Principal 4095 * @param [out] name V4 principal's name to be filled in 4096 * @param [out] inst V4 principal's instance name to be filled in 4097 * @param [out] realm Principal's realm name to be filled in 4098 * 4099 * This function separates a V5 principal @a princ into @a name, @a instance, 4100 * and @a realm. 4101 * 4102 * @retval 4103 * 0 Success 4104 * @retval 4105 * KRB5_INVALID_PRINCIPAL Invalid principal name 4106 * @retval 4107 * KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file 4108 * @return 4109 * Kerberos error codes 4110 */ 4111 krb5_error_code KRB5_CALLCONV 4112 krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, 4113 char *name, char *inst, char *realm); 4114 /** 4115 *@deprecated 4116 */ 4117 struct credentials; 4118 4119 /** 4120 * Convert a Kerberos V5 credentials to a Kerberos V4 credentials 4121 * 4122 * @note Not implemented 4123 * 4124 * @retval KRB524_KRB4_DISABLED (always) 4125 */ 4126 int KRB5_CALLCONV 4127 krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, 4128 struct credentials *v4creds); 4129 4130 #if KRB5_DEPRECATED 4131 #define krb524_convert_creds_kdc krb5_524_convert_creds 4132 #define krb524_init_ets(x) (0) 4133 #endif 4134 4135 /* libkt.spec */ 4136 4137 /** 4138 * Get a handle for a key table. 4139 * 4140 * @param [in] context Library context 4141 * @param [in] name Name of the key table 4142 * @param [out] ktid Key table handle 4143 * 4144 * Resolve the key table name @a name and set @a ktid to a handle identifying 4145 * the key table. Use krb5_kt_close() to free @a ktid when it is no longer 4146 * needed. 4147 * 4148 * @a name must be of the form @c type:residual, where @a type must be a type 4149 * known to the library and @a residual portion should be specific to the 4150 * particular keytab type. If no @a type is given, the default is @c FILE. 4151 * 4152 * If @a name is of type @c FILE, the keytab file is not opened by this call. 4153 * 4154 * @code 4155 * Example: krb5_kt_resolve(context, "FILE:/tmp/filename", &ktid); 4156 * @endcode 4157 * 4158 * @retval 4159 * 0 Success 4160 * @return 4161 * Kerberos error codes 4162 */ 4163 krb5_error_code KRB5_CALLCONV 4164 krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid); 4165 4166 /** 4167 * Duplicate keytab handle. 4168 * 4169 * @param [in] context Library context 4170 * @param [in] in Key table handle to be duplicated 4171 * @param [out] out Key table handle 4172 * 4173 * Create a new handle referring to the same key table as @a in. The new 4174 * handle and @a in can be closed independently. 4175 * 4176 * @version New in 1.12 4177 */ 4178 krb5_error_code KRB5_CALLCONV 4179 krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out); 4180 4181 /** 4182 * Get the default key table name. 4183 * 4184 * @param [in] context Library context 4185 * @param [out] name Default key table name 4186 * @param [in] name_size Space available in @a name 4187 * 4188 * Fill @a name with the name of the default key table for @a context. 4189 * 4190 * @sa MAX_KEYTAB_NAME_LEN 4191 * 4192 * @retval 4193 * 0 Success 4194 * @retval 4195 * KRB5_CONFIG_NOTENUFSPACE Buffer is too short 4196 * @return 4197 * Kerberos error codes 4198 */ 4199 krb5_error_code KRB5_CALLCONV 4200 krb5_kt_default_name(krb5_context context, char *name, int name_size); 4201 4202 /** 4203 * Resolve the default key table. 4204 * 4205 * @param [in] context Library context 4206 * @param [out] id Key table handle 4207 * 4208 * Set @a id to a handle to the default key table. The key table is not 4209 * opened. 4210 * 4211 * @retval 4212 * 0 Success 4213 * @return 4214 * Kerberos error codes 4215 */ 4216 krb5_error_code KRB5_CALLCONV 4217 krb5_kt_default(krb5_context context, krb5_keytab *id); 4218 4219 /** 4220 * Resolve the default client key table. 4221 * 4222 * @param [in] context Library context 4223 * @param [out] keytab_out Key table handle 4224 * 4225 * Fill @a keytab_out with a handle to the default client key table. 4226 * 4227 * @version New in 1.11 4228 * 4229 * @retval 4230 * 0 Success 4231 * @return 4232 * Kerberos error codes 4233 */ 4234 krb5_error_code KRB5_CALLCONV 4235 krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out); 4236 4237 /** 4238 * Free the contents of a key table entry. 4239 * 4240 * @param [in] context Library context 4241 * @param [in] entry Key table entry whose contents are to be freed 4242 * 4243 * @note The pointer is not freed. 4244 * 4245 * @retval 0 Success; otherwise - Kerberos error codes 4246 */ 4247 krb5_error_code KRB5_CALLCONV 4248 krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry); 4249 4250 /** @deprecated Use krb5_free_keytab_entry_contents instead. */ 4251 krb5_error_code KRB5_CALLCONV 4252 krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry); 4253 4254 4255 /* remove and add are functions, so that they can return NOWRITE 4256 if not a writable keytab */ 4257 4258 /** 4259 * Remove an entry from a key table. 4260 * 4261 * @param [in] context Library context 4262 * @param [in] id Key table handle 4263 * @param [in] entry Entry to remove from key table 4264 * 4265 * @retval 4266 * 0 Success 4267 * @retval 4268 * KRB5_KT_NOWRITE Key table is not writable 4269 * @return 4270 * Kerberos error codes 4271 */ 4272 krb5_error_code KRB5_CALLCONV 4273 krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); 4274 4275 /** 4276 * Add a new entry to a key table. 4277 * 4278 * @param [in] context Library context 4279 * @param [in] id Key table handle 4280 * @param [in] entry Entry to be added 4281 * 4282 * @retval 4283 * 0 Success 4284 * @retval 4285 * ENOMEM Insufficient memory 4286 * @retval 4287 * KRB5_KT_NOWRITE Key table is not writeable 4288 * @return 4289 * Kerberos error codes 4290 */ 4291 krb5_error_code KRB5_CALLCONV 4292 krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); 4293 4294 /** 4295 * Convert a principal name into the default salt for that principal. 4296 * 4297 * @param [in] context Library context 4298 * @param [in] pr Principal name 4299 * @param [out] ret Default salt for @a pr to be filled in 4300 * 4301 * @retval 0 Success; otherwise - Kerberos error codes 4302 */ 4303 krb5_error_code KRB5_CALLCONV_WRONG 4304 krb5_principal2salt(krb5_context context, 4305 krb5_const_principal pr, krb5_data *ret); 4306 /* librc.spec--see rcache.h */ 4307 4308 /* libcc.spec */ 4309 4310 /** 4311 * Resolve a credential cache name. 4312 * 4313 * @param [in] context Library context 4314 * @param [in] name Credential cache name to be resolved 4315 * @param [out] cache Credential cache handle 4316 * 4317 * Fills in @a cache with a @a cache handle that corresponds to the name in @a 4318 * name. @a name should be of the form @c type:residual, and @a type must be a 4319 * type known to the library. If the @a name does not contain a colon, 4320 * interpret it as a file name. 4321 * 4322 * @code 4323 * Example: krb5_cc_resolve(context, "MEMORY:C_", &cache); 4324 * @endcode 4325 * 4326 * @retval 4327 * 0 Success 4328 * @return 4329 * Kerberos error codes 4330 */ 4331 krb5_error_code KRB5_CALLCONV 4332 krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache); 4333 4334 /** 4335 * Duplicate ccache handle. 4336 * 4337 * @param [in] context Library context 4338 * @param [in] in Credential cache handle to be duplicated 4339 * @param [out] out Credential cache handle 4340 * 4341 * Create a new handle referring to the same cache as @a in. 4342 * The new handle and @a in can be closed independently. 4343 */ 4344 krb5_error_code KRB5_CALLCONV 4345 krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out); 4346 4347 /** 4348 * Return the name of the default credential cache. 4349 * 4350 * @param [in] context Library context 4351 * 4352 * Return a pointer to the default credential cache name for @a context, as 4353 * determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME 4354 * environment variable, by the default_ccache_name profile variable, or by the 4355 * operating system or build-time default value. The returned value must not 4356 * be modified or freed by the caller. The returned value becomes invalid when 4357 * @a context is destroyed krb5_free_context() or if a subsequent call to 4358 * krb5_cc_set_default_name() is made on @a context. 4359 * 4360 * The default credential cache name is cached in @a context between calls to 4361 * this function, so if the value of KRB5CCNAME changes in the process 4362 * environment after the first call to this function on, that change will not 4363 * be reflected in later calls with the same context. The caller can invoke 4364 * krb5_cc_set_default_name() with a NULL value of @a name to clear the cached 4365 * value and force the default name to be recomputed. 4366 * 4367 * @return 4368 * Name of default credential cache for the current user. 4369 */ 4370 const char *KRB5_CALLCONV 4371 krb5_cc_default_name(krb5_context context); 4372 4373 /** 4374 * Set the default credential cache name. 4375 * 4376 * @param [in] context Library context 4377 * @param [in] name Default credential cache name or NULL 4378 * 4379 * Set the default credential cache name to @a name for future operations using 4380 * @a context. If @a name is NULL, clear any previous application-set default 4381 * name and forget any cached value of the default name for @a context. 4382 * 4383 * Calls to this function invalidate the result of any previous calls to 4384 * krb5_cc_default_name() using @a context. 4385 * 4386 * @retval 4387 * 0 Success 4388 * @retval 4389 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure 4390 * @return 4391 * Kerberos error codes 4392 */ 4393 krb5_error_code KRB5_CALLCONV 4394 krb5_cc_set_default_name(krb5_context context, const char *name); 4395 4396 /** 4397 * Resolve the default credential cache name. 4398 * 4399 * @param [in] context Library context 4400 * @param [out] ccache Pointer to credential cache name 4401 * 4402 * Create a handle to the default credential cache as given by 4403 * krb5_cc_default_name(). 4404 * 4405 * @retval 4406 * 0 Success 4407 * @retval 4408 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure 4409 * @retval 4410 * KRB5_FCC_INTERNAL The name of the default credential cache cannot be 4411 * obtained 4412 * @return 4413 * Kerberos error codes 4414 */ 4415 krb5_error_code KRB5_CALLCONV 4416 krb5_cc_default(krb5_context context, krb5_ccache *ccache); 4417 4418 /** 4419 * Copy a credential cache. 4420 * 4421 * @param [in] context Library context 4422 * @param [in] incc Credential cache to be copied 4423 * @param [out] outcc Copy of credential cache to be filled in 4424 * 4425 * @retval 0 Success; otherwise - Kerberos error codes 4426 */ 4427 krb5_error_code KRB5_CALLCONV 4428 krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); 4429 4430 /** 4431 * Get a configuration value from a credential cache. 4432 * 4433 * @param [in] context Library context 4434 * @param [in] id Credential cache handle 4435 * @param [in] principal Configuration for this principal; 4436 * if NULL, global for the whole cache 4437 * @param [in] key Name of config variable 4438 * @param [out] data Data to be fetched 4439 * 4440 * Use krb5_free_data_contents() to free @a data when it is no longer needed. 4441 * 4442 * @retval 4443 * 0 Success 4444 * @return 4445 * Kerberos error codes 4446 */ 4447 krb5_error_code KRB5_CALLCONV 4448 krb5_cc_get_config(krb5_context context, krb5_ccache id, 4449 krb5_const_principal principal, 4450 const char *key, krb5_data *data); 4451 4452 /** 4453 * Store a configuration value in a credential cache. 4454 * 4455 * @param [in] context Library context 4456 * @param [in] id Credential cache handle 4457 * @param [in] principal Configuration for a specific principal; 4458 * if NULL, global for the whole cache 4459 * @param [in] key Name of config variable 4460 * @param [in] data Data to store, or NULL to remove 4461 * 4462 * @note Existing configuration under the same key is over-written. 4463 * 4464 * @warning Before version 1.10 @a data was assumed to be always non-null. 4465 * 4466 * @retval 4467 * 0 Success 4468 * @return 4469 * Kerberos error codes 4470 */ 4471 krb5_error_code KRB5_CALLCONV 4472 krb5_cc_set_config(krb5_context context, krb5_ccache id, 4473 krb5_const_principal principal, 4474 const char *key, krb5_data *data); 4475 4476 /** 4477 * Test whether a principal is a configuration principal. 4478 * 4479 * @param [in] context Library context 4480 * @param [in] principal Principal to check 4481 * 4482 * @return 4483 * @c TRUE if the principal is a configuration principal (generated part of 4484 * krb5_cc_set_config()); @c FALSE otherwise. 4485 */ 4486 krb5_boolean KRB5_CALLCONV 4487 krb5_is_config_principal(krb5_context context, krb5_const_principal principal); 4488 4489 /** 4490 * Make a credential cache the primary cache for its collection. 4491 * 4492 * @param [in] context Library context 4493 * @param [in] cache Credential cache handle 4494 * 4495 * If the type of @a cache supports it, set @a cache to be the primary 4496 * credential cache for the collection it belongs to. 4497 * 4498 * @retval 4499 * 0 Success, or the type of @a cache doesn't support switching 4500 * @return 4501 * Kerberos error codes 4502 */ 4503 krb5_error_code KRB5_CALLCONV 4504 krb5_cc_switch(krb5_context context, krb5_ccache cache); 4505 4506 /** 4507 * Determine whether a credential cache type supports switching. 4508 * 4509 * @param [in] context Library context 4510 * @param [in] type Credential cache type 4511 * 4512 * @version New in 1.10 4513 * 4514 * @retval TRUE if @a type supports switching 4515 * @retval FALSE if it does not or is not a valid credential cache type. 4516 */ 4517 krb5_boolean KRB5_CALLCONV 4518 krb5_cc_support_switch(krb5_context context, const char *type); 4519 4520 /** 4521 * Find a credential cache with a specified client principal. 4522 * 4523 * @param [in] context Library context 4524 * @param [in] client Client principal 4525 * @param [out] cache_out Credential cache handle 4526 * 4527 * Find a cache within the collection whose default principal is @a client. 4528 * Use @a krb5_cc_close to close @a ccache when it is no longer needed. 4529 * 4530 * @retval 0 Success 4531 * @retval KRB5_CC_NOTFOUND 4532 * 4533 * @sa krb5_cccol_cursor_new 4534 * 4535 * @version New in 1.10 4536 */ 4537 krb5_error_code KRB5_CALLCONV 4538 krb5_cc_cache_match(krb5_context context, krb5_principal client, 4539 krb5_ccache *cache_out); 4540 4541 /** 4542 * Select a credential cache to use with a server principal. 4543 * 4544 * @param [in] context Library context 4545 * @param [in] server Server principal 4546 * @param [out] cache_out Credential cache handle 4547 * @param [out] princ_out Client principal 4548 * 4549 * Select a cache within the collection containing credentials most appropriate 4550 * for use with @a server, according to configured rules and heuristics. 4551 * 4552 * Use krb5_cc_close() to release @a cache_out when it is no longer needed. 4553 * Use krb5_free_principal() to release @a princ_out when it is no longer 4554 * needed. Note that @a princ_out is set in some error conditions. 4555 * 4556 * @return 4557 * If an appropriate cache is found, 0 is returned, @a cache_out is set to the 4558 * selected cache, and @a princ_out is set to the default principal of that 4559 * cache. 4560 * 4561 * If the appropriate client principal can be authoritatively determined but 4562 * the cache collection contains no credentials for that principal, then 4563 * KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out 4564 * is set to the appropriate client principal. 4565 * 4566 * If no configured mechanism can determine the appropriate cache or principal, 4567 * KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to 4568 * NULL. 4569 * 4570 * Any other error code indicates a fatal error in the processing of a cache 4571 * selection mechanism. 4572 * 4573 * @version New in 1.10 4574 */ 4575 krb5_error_code KRB5_CALLCONV 4576 krb5_cc_select(krb5_context context, krb5_principal server, 4577 krb5_ccache *cache_out, krb5_principal *princ_out); 4578 4579 /* krb5_free.c */ 4580 /** 4581 * Free the storage assigned to a principal. 4582 * 4583 * @param [in] context Library context 4584 * @param [in] val Principal to be freed 4585 */ 4586 void KRB5_CALLCONV 4587 krb5_free_principal(krb5_context context, krb5_principal val); 4588 4589 /** 4590 * Free a krb5_authenticator structure. 4591 * 4592 * @param [in] context Library context 4593 * @param [in] val Authenticator structure to be freed 4594 * 4595 * This function frees the contents of @a val and the structure itself. 4596 */ 4597 void KRB5_CALLCONV 4598 krb5_free_authenticator(krb5_context context, krb5_authenticator *val); 4599 4600 /** 4601 * Free the data stored in array of addresses. 4602 * 4603 * @param [in] context Library context 4604 * @param [in] val Array of addresses to be freed 4605 * 4606 * This function frees the contents of @a val and the array itself. 4607 * 4608 * @note The last entry in the array must be a NULL pointer. 4609 */ 4610 void KRB5_CALLCONV 4611 krb5_free_addresses(krb5_context context, krb5_address **val); 4612 4613 /** 4614 * Free the storage assigned to array of authentication data. 4615 * 4616 * @param [in] context Library context 4617 * @param [in] val Array of authentication data to be freed 4618 * 4619 * This function frees the contents of @a val and the array itself. 4620 * 4621 * @note The last entry in the array must be a NULL pointer. 4622 */ 4623 void KRB5_CALLCONV 4624 krb5_free_authdata(krb5_context context, krb5_authdata **val); 4625 4626 /** 4627 * Free a ticket. 4628 * 4629 * @param [in] context Library context 4630 * @param [in] val Ticket to be freed 4631 * 4632 * This function frees the contents of @a val and the structure itself. 4633 */ 4634 void KRB5_CALLCONV 4635 krb5_free_ticket(krb5_context context, krb5_ticket *val); 4636 4637 /** 4638 * Free an error allocated by krb5_read_error() or krb5_sendauth(). 4639 * 4640 * @param [in] context Library context 4641 * @param [in] val Error data structure to be freed 4642 * 4643 * This function frees the contents of @a val and the structure itself. 4644 */ 4645 void KRB5_CALLCONV 4646 krb5_free_error(krb5_context context, krb5_error *val); 4647 4648 /** 4649 * Free a krb5_creds structure. 4650 * 4651 * @param [in] context Library context 4652 * @param [in] val Credential structure to be freed. 4653 * 4654 * This function frees the contents of @a val and the structure itself. 4655 */ 4656 void KRB5_CALLCONV 4657 krb5_free_creds(krb5_context context, krb5_creds *val); 4658 4659 /** 4660 * Free the contents of a krb5_creds structure. 4661 * 4662 * @param [in] context Library context 4663 * @param [in] val Credential structure to free contents of 4664 * 4665 * This function frees the contents of @a val, but not the structure itself. 4666 */ 4667 void KRB5_CALLCONV 4668 krb5_free_cred_contents(krb5_context context, krb5_creds *val); 4669 4670 /** 4671 * Free a krb5_checksum structure. 4672 * 4673 * @param [in] context Library context 4674 * @param [in] val Checksum structure to be freed 4675 * 4676 * This function frees the contents of @a val and the structure itself. 4677 */ 4678 void KRB5_CALLCONV 4679 krb5_free_checksum(krb5_context context, krb5_checksum *val); 4680 4681 /** 4682 * Free the contents of a krb5_checksum structure. 4683 * 4684 * @param [in] context Library context 4685 * @param [in] val Checksum structure to free contents of 4686 * 4687 * This function frees the contents of @a val, but not the structure itself. 4688 * It sets the checksum's data pointer to null and (beginning in release 1.19) 4689 * sets its length to zero. 4690 */ 4691 void KRB5_CALLCONV 4692 krb5_free_checksum_contents(krb5_context context, krb5_checksum *val); 4693 4694 /** 4695 * Free a krb5_keyblock structure. 4696 * 4697 * @param [in] context Library context 4698 * @param [in] val Keyblock to be freed 4699 * 4700 * This function frees the contents of @a val and the structure itself. 4701 */ 4702 void KRB5_CALLCONV 4703 krb5_free_keyblock(krb5_context context, krb5_keyblock *val); 4704 4705 /** 4706 * Free the contents of a krb5_keyblock structure. 4707 * 4708 * @param [in] context Library context 4709 * @param [in] key Keyblock to be freed 4710 * 4711 * This function frees the contents of @a key, but not the structure itself. 4712 */ 4713 void KRB5_CALLCONV 4714 krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key); 4715 4716 /** 4717 * Free a krb5_ap_rep_enc_part structure. 4718 * 4719 * @param [in] context Library context 4720 * @param [in] val AP-REP enc part to be freed 4721 * 4722 * This function frees the contents of @a val and the structure itself. 4723 */ 4724 void KRB5_CALLCONV 4725 krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); 4726 4727 /** 4728 * Free a krb5_data structure. 4729 * 4730 * @param [in] context Library context 4731 * @param [in] val Data structure to be freed 4732 * 4733 * This function frees the contents of @a val and the structure itself. 4734 */ 4735 void KRB5_CALLCONV 4736 krb5_free_data(krb5_context context, krb5_data *val); 4737 4738 /* Free a krb5_octet_data structure (should be unused). */ 4739 void KRB5_CALLCONV 4740 krb5_free_octet_data(krb5_context context, krb5_octet_data *val); 4741 4742 /** 4743 * Free the contents of a krb5_data structure and zero the data field. 4744 * 4745 * @param [in] context Library context 4746 * @param [in] val Data structure to free contents of 4747 * 4748 * This function frees the contents of @a val, but not the structure itself. 4749 * It sets the structure's data pointer to null and (beginning in release 1.19) 4750 * sets its length to zero. 4751 */ 4752 void KRB5_CALLCONV 4753 krb5_free_data_contents(krb5_context context, krb5_data *val); 4754 4755 /** 4756 * Free a string representation of a principal. 4757 * 4758 * @param [in] context Library context 4759 * @param [in] val Name string to be freed 4760 */ 4761 void KRB5_CALLCONV 4762 krb5_free_unparsed_name(krb5_context context, char *val); 4763 4764 /** 4765 * Free a string allocated by a krb5 function. 4766 * 4767 * @param [in] context Library context 4768 * @param [in] val String to be freed 4769 * 4770 * @version New in 1.10 4771 */ 4772 void KRB5_CALLCONV 4773 krb5_free_string(krb5_context context, char *val); 4774 4775 /** 4776 * Free an array of encryption types. 4777 * 4778 * @param [in] context Library context 4779 * @param [in] val Array of enctypes to be freed 4780 * 4781 * @version New in 1.12 4782 */ 4783 void KRB5_CALLCONV 4784 krb5_free_enctypes(krb5_context context, krb5_enctype *val); 4785 4786 /** 4787 * Free an array of checksum types. 4788 * 4789 * @param [in] context Library context 4790 * @param [in] val Array of checksum types to be freed 4791 */ 4792 void KRB5_CALLCONV 4793 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val); 4794 4795 /* From krb5/os, but needed by the outside world */ 4796 /** 4797 * Retrieve the system time of day, in sec and ms, since the epoch. 4798 * 4799 * @param [in] context Library context 4800 * @param [out] seconds System timeofday, seconds portion 4801 * @param [out] microseconds System timeofday, microseconds portion 4802 * 4803 * This function retrieves the system time of day with the context 4804 * specific time offset adjustment. 4805 * 4806 * @sa krb5_crypto_us_timeofday() 4807 * 4808 * @retval 4809 * 0 Success 4810 * @return 4811 * Kerberos error codes 4812 */ 4813 krb5_error_code KRB5_CALLCONV 4814 krb5_us_timeofday(krb5_context context, 4815 krb5_timestamp *seconds, krb5_int32 *microseconds); 4816 4817 /** 4818 * Retrieve the current time with context specific time offset adjustment. 4819 * 4820 * @param [in] context Library context 4821 * @param [out] timeret Timestamp to fill in 4822 * 4823 * This function retrieves the system time of day with the context specific 4824 * time offset adjustment. 4825 * 4826 * @retval 4827 * 0 Success 4828 * @return 4829 * Kerberos error codes 4830 */ 4831 krb5_error_code KRB5_CALLCONV 4832 krb5_timeofday(krb5_context context, krb5_timestamp *timeret); 4833 4834 /** 4835 * Check if a timestamp is within the allowed clock skew of the current time. 4836 * 4837 * @param [in] context Library context 4838 * @param [in] date Timestamp to check 4839 * 4840 * This function checks if @a date is close enough to the current time 4841 * according to the configured allowable clock skew. 4842 * 4843 * @version New in 1.10 4844 * 4845 * @retval 0 Success 4846 * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew 4847 */ 4848 krb5_error_code KRB5_CALLCONV 4849 krb5_check_clockskew(krb5_context context, krb5_timestamp date); 4850 4851 /** 4852 * Return all interface addresses for this host. 4853 * 4854 * @param [in] context Library context 4855 * @param [out] addr Array of krb5_address pointers, ending with 4856 * NULL 4857 * 4858 * Use krb5_free_addresses() to free @a addr when it is no longer needed. 4859 * 4860 * @retval 0 Success; otherwise - Kerberos error codes 4861 */ 4862 krb5_error_code KRB5_CALLCONV 4863 krb5_os_localaddr(krb5_context context, krb5_address ***addr); 4864 4865 /** 4866 * Retrieve the default realm. 4867 * 4868 * @param [in] context Library context 4869 * @param [out] lrealm Default realm name 4870 * 4871 * Retrieves the default realm to be used if no user-specified realm is 4872 * available. 4873 * 4874 * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed. 4875 * 4876 * @retval 4877 * 0 Success 4878 * @return 4879 * Kerberos error codes 4880 */ 4881 krb5_error_code KRB5_CALLCONV 4882 krb5_get_default_realm(krb5_context context, char **lrealm); 4883 4884 /** 4885 * Override the default realm for the specified context. 4886 * 4887 * @param [in] context Library context 4888 * @param [in] lrealm Realm name for the default realm 4889 * 4890 * If @a lrealm is NULL, clear the default realm setting. 4891 * 4892 * @retval 4893 * 0 Success 4894 * @return 4895 * Kerberos error codes 4896 */ 4897 krb5_error_code KRB5_CALLCONV 4898 krb5_set_default_realm(krb5_context context, const char *lrealm); 4899 4900 /** 4901 * Free a default realm string returned by krb5_get_default_realm(). 4902 * 4903 * @param [in] context Library context 4904 * @param [in] lrealm Realm to be freed 4905 */ 4906 void KRB5_CALLCONV 4907 krb5_free_default_realm(krb5_context context, char *lrealm); 4908 4909 /** 4910 * Canonicalize a hostname, possibly using name service. 4911 * 4912 * @param [in] context Library context 4913 * @param [in] host Input hostname 4914 * @param [out] canonhost_out Canonicalized hostname 4915 * 4916 * This function canonicalizes orig_hostname, possibly using name service 4917 * lookups if configuration permits. Use krb5_free_string() to free @a 4918 * canonhost_out when it is no longer needed. 4919 * 4920 * @version New in 1.15 4921 */ 4922 krb5_error_code KRB5_CALLCONV 4923 krb5_expand_hostname(krb5_context context, const char *host, 4924 char **canonhost_out); 4925 4926 /** 4927 * Generate a full principal name from a service name. 4928 * 4929 * @param [in] context Library context 4930 * @param [in] hostname Host name, or NULL to use local host 4931 * @param [in] sname Service name, or NULL to use @c "host" 4932 * @param [in] type Principal type 4933 * @param [out] ret_princ Generated principal 4934 * 4935 * This function converts a @a hostname and @a sname into @a krb5_principal 4936 * structure @a ret_princ. The returned principal will be of the form @a 4937 * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm(). 4938 * In some cases this may be the referral (empty) realm. 4939 * 4940 * The @a type can be one of the following: 4941 * 4942 * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the 4943 * realm and generating the principal. 4944 * 4945 * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not 4946 * canonicalize it. 4947 * 4948 * Use krb5_free_principal to free @a ret_princ when it is no longer needed. 4949 * 4950 * @retval 4951 * 0 Success 4952 * @return 4953 * Kerberos error codes 4954 */ 4955 krb5_error_code KRB5_CALLCONV 4956 krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, 4957 krb5_int32 type, krb5_principal *ret_princ); 4958 4959 /** 4960 * Test whether a principal matches a matching principal. 4961 * 4962 * @param [in] context Library context 4963 * @param [in] matching Matching principal 4964 * @param [in] princ Principal to test 4965 * 4966 * @note A matching principal is a host-based principal with an empty realm 4967 * and/or second data component (hostname). Profile configuration may cause 4968 * the hostname to be ignored even if it is present. A principal matches a 4969 * matching principal if the former has the same non-empty (and non-ignored) 4970 * components of the latter. 4971 * 4972 * If @a matching is NULL, return TRUE. If @a matching is not a matching 4973 * principal, return the value of krb5_principal_compare(context, matching, 4974 * princ). 4975 * 4976 * @return 4977 * TRUE if @a princ matches @a matching, FALSE otherwise. 4978 */ 4979 krb5_boolean KRB5_CALLCONV 4980 krb5_sname_match(krb5_context context, krb5_const_principal matching, 4981 krb5_const_principal princ); 4982 4983 /** 4984 * Change a password for an existing Kerberos account. 4985 * 4986 * @param [in] context Library context 4987 * @param [in] creds Credentials for kadmin/changepw service 4988 * @param [in] newpw New password 4989 * @param [out] result_code Numeric error code from server 4990 * @param [out] result_code_string String equivalent to @a result_code 4991 * @param [out] result_string Change password response from the KDC 4992 * 4993 * Change the password for the existing principal identified by @a creds. 4994 * 4995 * The possible values of the output @a result_code are: 4996 * 4997 * @li #KRB5_KPASSWD_SUCCESS (0) - success 4998 * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error 4999 * @li #KRB5_KPASSWD_HARDERROR (2) - Server error 5000 * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error 5001 * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected 5002 * 5003 * @retval 0 Success; otherwise - Kerberos error codes 5004 */ 5005 krb5_error_code KRB5_CALLCONV 5006 krb5_change_password(krb5_context context, krb5_creds *creds, 5007 const char *newpw, int *result_code, 5008 krb5_data *result_code_string, krb5_data *result_string); 5009 5010 /** 5011 * Set a password for a principal using specified credentials. 5012 * 5013 * @param [in] context Library context 5014 * @param [in] creds Credentials for kadmin/changepw service 5015 * @param [in] newpw New password 5016 * @param [in] change_password_for Change the password for this principal 5017 * @param [out] result_code Numeric error code from server 5018 * @param [out] result_code_string String equivalent to @a result_code 5019 * @param [out] result_string Data returned from the remote system 5020 * 5021 * This function uses the credentials @a creds to set the password @a newpw for 5022 * the principal @a change_password_for. It implements the set password 5023 * operation of RFC 3244, for interoperability with Microsoft Windows 5024 * implementations. 5025 * 5026 * @note If @a change_password_for is NULL, the change is performed on the 5027 * current principal. If @a change_password_for is non-null, the change is 5028 * performed on the principal name passed in @a change_password_for. 5029 * 5030 * The error code and strings are returned in @a result_code, 5031 * @a result_code_string and @a result_string. 5032 * 5033 * @sa krb5_set_password_using_ccache() 5034 * 5035 * @retval 5036 * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS. 5037 * @return 5038 * Kerberos error codes. 5039 */ 5040 krb5_error_code KRB5_CALLCONV 5041 krb5_set_password(krb5_context context, krb5_creds *creds, const char *newpw, 5042 krb5_principal change_password_for, int *result_code, 5043 krb5_data *result_code_string, krb5_data *result_string); 5044 5045 /** 5046 * Set a password for a principal using cached credentials. 5047 * 5048 * @param [in] context Library context 5049 * @param [in] ccache Credential cache 5050 * @param [in] newpw New password 5051 * @param [in] change_password_for Change the password for this principal 5052 * @param [out] result_code Numeric error code from server 5053 * @param [out] result_code_string String equivalent to @a result_code 5054 * @param [out] result_string Data returned from the remote system 5055 * 5056 * This function uses the cached credentials from @a ccache to set the password 5057 * @a newpw for the principal @a change_password_for. It implements RFC 3244 5058 * set password operation (interoperable with MS Windows implementations) using 5059 * the credential cache. 5060 * 5061 * The error code and strings are returned in @a result_code, 5062 * @a result_code_string and @a result_string. 5063 * 5064 * @note If @a change_password_for is set to NULL, the change is performed on 5065 * the default principal in @a ccache. If @a change_password_for is non null, 5066 * the change is performed on the specified principal. 5067 * 5068 * @sa krb5_set_password() 5069 * 5070 * @retval 5071 * 0 Success 5072 * @return 5073 * Kerberos error codes 5074 */ 5075 krb5_error_code KRB5_CALLCONV 5076 krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, 5077 const char *newpw, 5078 krb5_principal change_password_for, 5079 int *result_code, krb5_data *result_code_string, 5080 krb5_data *result_string); 5081 5082 /** 5083 * Get a result message for changing or setting a password. 5084 * 5085 * @param [in] context Library context 5086 * @param [in] server_string Data returned from the remote system 5087 * @param [out] message_out A message displayable to the user 5088 * 5089 * This function processes the @a server_string returned in the @a 5090 * result_string parameter of krb5_change_password(), krb5_set_password(), and 5091 * related functions, and returns a displayable string. If @a server_string 5092 * contains Active Directory structured policy information, it will be 5093 * converted into human-readable text. 5094 * 5095 * Use krb5_free_string() to free @a message_out when it is no longer needed. 5096 * 5097 * @retval 5098 * 0 Success 5099 * @return 5100 * Kerberos error codes 5101 * 5102 * @version New in 1.11 5103 */ 5104 krb5_error_code KRB5_CALLCONV 5105 krb5_chpw_message(krb5_context context, const krb5_data *server_string, 5106 char **message_out); 5107 5108 /** 5109 * Retrieve configuration profile from the context. 5110 * 5111 * @param [in] context Library context 5112 * @param [out] profile Pointer to data read from a configuration file 5113 * 5114 * This function creates a new @a profile object that reflects profile 5115 * in the supplied @a context. 5116 * 5117 * The @a profile object may be freed with profile_release() function. 5118 * See profile.h and profile API for more details. 5119 * 5120 * @retval 5121 * 0 Success 5122 * @return 5123 * Kerberos error codes 5124 */ 5125 krb5_error_code KRB5_CALLCONV 5126 krb5_get_profile(krb5_context context, struct _profile_t ** profile); 5127 5128 #if KRB5_DEPRECATED 5129 /** @deprecated Replaced by krb5_get_init_creds_password().*/ 5130 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5131 krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, 5132 krb5_address *const *addrs, krb5_enctype *ktypes, 5133 krb5_preauthtype *pre_auth_types, 5134 const char *password, krb5_ccache ccache, 5135 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5136 5137 /** @deprecated Replaced by krb5_get_init_creds(). */ 5138 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5139 krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, 5140 krb5_address *const *addrs, krb5_enctype *ktypes, 5141 krb5_preauthtype *pre_auth_types, 5142 const krb5_keyblock *key, krb5_ccache ccache, 5143 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5144 5145 /** @deprecated Replaced by krb5_get_init_creds_keytab(). */ 5146 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5147 krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, 5148 krb5_address *const *addrs, krb5_enctype *ktypes, 5149 krb5_preauthtype *pre_auth_types, 5150 krb5_keytab arg_keytab, krb5_ccache ccache, 5151 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5152 5153 #endif /* KRB5_DEPRECATED */ 5154 5155 /** 5156 * Parse and decrypt a @c KRB_AP_REQ message. 5157 * 5158 * @param [in] context Library context 5159 * @param [in,out] auth_context Pre-existing or newly created auth context 5160 * @param [in] inbuf AP-REQ message to be parsed 5161 * @param [in] server Matching principal for server, or NULL to 5162 * allow any principal in keytab 5163 * @param [in] keytab Key table, or NULL to use the default 5164 * @param [out] ap_req_options If non-null, the AP-REQ flags on output 5165 * @param [out] ticket If non-null, ticket from the AP-REQ message 5166 * 5167 * This function parses, decrypts and verifies a AP-REQ message from @a inbuf 5168 * and stores the authenticator in @a auth_context. 5169 * 5170 * If a keyblock was specified in @a auth_context using 5171 * krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in 5172 * AP-REQ message and @a keytab is ignored. In this case, @a server should be 5173 * specified as a complete principal name to allow for proper transited-path 5174 * checking and replay cache selection. 5175 * 5176 * Otherwise, the decryption key is obtained from @a keytab, or from the 5177 * default keytab if it is NULL. In this case, @a server may be a complete 5178 * principal name, a matching principal (see krb5_sname_match()), or NULL to 5179 * match any principal name. The keys tried against the encrypted part of the 5180 * ticket are determined as follows: 5181 * 5182 * - If @a server is a complete principal name, then its entry in @a keytab is 5183 * tried. 5184 * - Otherwise, if @a keytab is iterable, then all entries in @a keytab which 5185 * match @a server are tried. 5186 * - Otherwise, the server principal in the ticket must match @a server, and 5187 * its entry in @a keytab is tried. 5188 * 5189 * The client specified in the decrypted authenticator must match the client 5190 * specified in the decrypted ticket. 5191 * 5192 * If the @a remote_addr field of @a auth_context is set, the request must come 5193 * from that address. 5194 * 5195 * If a replay cache handle is provided in the @a auth_context, the 5196 * authenticator and ticket are verified against it. If no conflict is found, 5197 * the new authenticator is then stored in the replay cache of @a auth_context. 5198 * 5199 * Various other checks are performed on the decoded data, including 5200 * cross-realm policy, clockskew, and ticket validation times. 5201 * 5202 * On success the authenticator, subkey, and remote sequence number of the 5203 * request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED 5204 * bit is set, the local sequence number is XORed with the remote sequence 5205 * number in the request. 5206 * 5207 * Use krb5_free_ticket() to free @a ticket when it is no longer needed. 5208 * 5209 * @retval 0 Success; otherwise - Kerberos error codes 5210 */ 5211 krb5_error_code KRB5_CALLCONV 5212 krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, 5213 const krb5_data *inbuf, krb5_const_principal server, 5214 krb5_keytab keytab, krb5_flags *ap_req_options, 5215 krb5_ticket **ticket); 5216 5217 /** 5218 * Retrieve a service key from a key table. 5219 * 5220 * @param [in] context Library context 5221 * @param [in] keyprocarg Name of a key table (NULL to use default name) 5222 * @param [in] principal Service principal 5223 * @param [in] vno Key version number (0 for highest available) 5224 * @param [in] enctype Encryption type (0 for any type) 5225 * @param [out] key Service key from key table 5226 * 5227 * Open and search the specified key table for the entry identified by @a 5228 * principal, @a enctype, and @a vno. If no key is found, return an error code. 5229 * 5230 * The default key table is used, unless @a keyprocarg is non-null. 5231 * @a keyprocarg designates a specific key table. 5232 * 5233 * Use krb5_free_keyblock() to free @a key when it is no longer needed. 5234 * 5235 * @retval 5236 * 0 Success 5237 * @return Kerberos error code if not found or @a keyprocarg is invalid. 5238 */ 5239 krb5_error_code KRB5_CALLCONV 5240 krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, 5241 krb5_principal principal, krb5_kvno vno, 5242 krb5_enctype enctype, krb5_keyblock **key); 5243 5244 /** 5245 * Format a @c KRB-SAFE message. 5246 * 5247 * @param [in] context Library context 5248 * @param [in] auth_context Authentication context 5249 * @param [in] userdata User data in the message 5250 * @param [out] der_out Formatted @c KRB-SAFE buffer 5251 * @param [out] rdata_out Replay data. Specify NULL if not needed 5252 * 5253 * This function creates an integrity protected @c KRB-SAFE message 5254 * using data supplied by the application. 5255 * 5256 * Fields in @a auth_context specify the checksum type, the keyblock that 5257 * can be used to seed the checksum, full addresses (host and port) for 5258 * the sender and receiver, and KRB5_AUTH_CONTEXT flags. 5259 * 5260 * The local address in @a auth_context must be set, and is used to form the 5261 * sender address used in the KRB-SAFE message. The remote address is 5262 * optional; if specified, it will be used to form the receiver address used in 5263 * the message. 5264 * 5265 * @note The @a rdata_out argument is required if the 5266 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5267 * in @a auth_context. 5268 * 5269 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a 5270 * timestamp is included in the KRB-SAFE message, and an entry for the message 5271 * is entered in an in-memory replay cache to detect if the message is 5272 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no 5273 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5274 * auth_context, a timestamp is included in the KRB-SAFE message and is stored 5275 * in @a rdata_out. 5276 * 5277 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5278 * is set, the @a auth_context local sequence number is included in the 5279 * KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5280 * is set, the sequence number used is stored in @a rdata_out. 5281 * 5282 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5283 * needed. 5284 * 5285 * @retval 0 Success; otherwise - Kerberos error codes 5286 */ 5287 krb5_error_code KRB5_CALLCONV 5288 krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, 5289 const krb5_data *userdata, krb5_data *der_out, 5290 krb5_replay_data *rdata_out); 5291 5292 /** 5293 * Format a @c KRB-PRIV message. 5294 * 5295 * @param [in] context Library context 5296 * @param [in] auth_context Authentication context 5297 * @param [in] userdata User data for @c KRB-PRIV message 5298 * @param [out] der_out Formatted @c KRB-PRIV message 5299 * @param [out] rdata_out Replay data (NULL if not needed) 5300 * 5301 * This function is similar to krb5_mk_safe(), but the message is encrypted and 5302 * integrity-protected, not just integrity-protected. 5303 * 5304 * The local address in @a auth_context must be set, and is used to form the 5305 * sender address used in the KRB-PRIV message. The remote address is 5306 * optional; if specified, it will be used to form the receiver address used in 5307 * the message. 5308 * 5309 * @note The @a rdata_out argument is required if the 5310 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5311 * in @a auth_context. 5312 * 5313 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a 5314 * timestamp is included in the KRB-PRIV message, and an entry for the message 5315 * is entered in an in-memory replay cache to detect if the message is 5316 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no 5317 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5318 * auth_context, a timestamp is included in the KRB-PRIV message and is stored 5319 * in @a rdata_out. 5320 * 5321 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5322 * is set, the @a auth_context local sequence number is included in the 5323 * KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5324 * is set, the sequence number used is stored in @a rdata_out. 5325 * 5326 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5327 * needed. 5328 * 5329 * @retval 0 Success; otherwise - Kerberos error codes 5330 */ 5331 krb5_error_code KRB5_CALLCONV 5332 krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, 5333 const krb5_data *userdata, krb5_data *der_out, 5334 krb5_replay_data *rdata_out); 5335 5336 /** 5337 * Client function for @c sendauth protocol. 5338 * 5339 * @param [in] context Library context 5340 * @param [in,out] auth_context Pre-existing or newly created auth context 5341 * @param [in] fd File descriptor that describes network socket 5342 * @param [in] appl_version Application protocol version to be matched 5343 * with the receiver's application version 5344 * @param [in] client Client principal 5345 * @param [in] server Server principal 5346 * @param [in] ap_req_options Options (see AP_OPTS macros) 5347 * @param [in] in_data Data to be sent to the server 5348 * @param [in] in_creds Input credentials, or NULL to use @a ccache 5349 * @param [in] ccache Credential cache 5350 * @param [out] error If non-null, contains KRB_ERROR message 5351 * returned from server 5352 * @param [out] rep_result If non-null and @a ap_req_options is 5353 * #AP_OPTS_MUTUAL_REQUIRED, contains the result 5354 * of mutual authentication exchange 5355 * @param [out] out_creds If non-null, the retrieved credentials 5356 * 5357 * This function performs the client side of a sendauth/recvauth exchange by 5358 * sending and receiving messages over @a fd. 5359 * 5360 * Credentials may be specified in three ways: 5361 * 5362 * @li If @a in_creds is NULL, credentials are obtained with 5363 * krb5_get_credentials() using the principals @a client and @a server. @a 5364 * server must be non-null; @a client may NULL to use the default principal of 5365 * @a ccache. 5366 * 5367 * @li If @a in_creds is non-null, but does not contain a ticket, credentials 5368 * for the exchange are obtained with krb5_get_credentials() using @a in_creds. 5369 * In this case, the values of @a client and @a server are unused. 5370 * 5371 * @li If @a in_creds is a complete credentials structure, it used directly. 5372 * In this case, the values of @a client, @a server, and @a ccache are unused. 5373 * 5374 * If the server is using a different application protocol than that specified 5375 * in @a appl_version, an error will be returned. 5376 * 5377 * Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to 5378 * free @a rep_result, and krb5_free_error() to free @a error when they are no 5379 * longer needed. 5380 * 5381 * @sa krb5_recvauth() 5382 * 5383 * @retval 0 Success; otherwise - Kerberos error codes 5384 */ 5385 krb5_error_code KRB5_CALLCONV 5386 krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, 5387 krb5_pointer fd, char *appl_version, krb5_principal client, 5388 krb5_principal server, krb5_flags ap_req_options, 5389 krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, 5390 krb5_error **error, krb5_ap_rep_enc_part **rep_result, 5391 krb5_creds **out_creds); 5392 5393 /** 5394 * Server function for @a sendauth protocol. 5395 * 5396 * @param [in] context Library context 5397 * @param [in,out] auth_context Pre-existing or newly created auth context 5398 * @param [in] fd File descriptor 5399 * @param [in] appl_version Application protocol version to be matched 5400 * against the client's application version 5401 * @param [in] server Server principal (NULL for any in @a keytab) 5402 * @param [in] flags Additional specifications 5403 * @param [in] keytab Key table containing service keys 5404 * @param [out] ticket Ticket (NULL if not needed) 5405 * 5406 * This function performs the server side of a sendauth/recvauth exchange by 5407 * sending and receiving messages over @a fd. 5408 * 5409 * Use krb5_free_ticket() to free @a ticket when it is no longer needed. 5410 * 5411 * @sa krb5_sendauth() 5412 * 5413 * @retval 0 Success; otherwise - Kerberos error codes 5414 */ 5415 krb5_error_code KRB5_CALLCONV 5416 krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, 5417 krb5_pointer fd, char *appl_version, krb5_principal server, 5418 krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket); 5419 5420 /** 5421 * Server function for @a sendauth protocol with version parameter. 5422 * 5423 * @param [in] context Library context 5424 * @param [in,out] auth_context Pre-existing or newly created auth context 5425 * @param [in] fd File descriptor 5426 * @param [in] server Server principal (NULL for any in @a keytab) 5427 * @param [in] flags Additional specifications 5428 * @param [in] keytab Decryption key 5429 * @param [out] ticket Ticket (NULL if not needed) 5430 * @param [out] version sendauth protocol version (NULL if not needed) 5431 * 5432 * This function is similar to krb5_recvauth() with the additional output 5433 * information place into @a version. 5434 * 5435 * @retval 0 Success; otherwise - Kerberos error codes 5436 */ 5437 krb5_error_code KRB5_CALLCONV 5438 krb5_recvauth_version(krb5_context context, 5439 krb5_auth_context *auth_context, 5440 krb5_pointer fd, 5441 krb5_principal server, 5442 krb5_int32 flags, 5443 krb5_keytab keytab, 5444 krb5_ticket **ticket, 5445 krb5_data *version); 5446 5447 /** 5448 * Format a @c KRB-CRED message for an array of credentials. 5449 * 5450 * @param [in] context Library context 5451 * @param [in] auth_context Authentication context 5452 * @param [in] creds Null-terminated array of credentials 5453 * @param [out] der_out Encoded credentials 5454 * @param [out] rdata_out Replay cache information (NULL if not needed) 5455 * 5456 * This function takes an array of credentials @a creds and formats 5457 * a @c KRB-CRED message @a der_out to pass to krb5_rd_cred(). 5458 * 5459 * The local and remote addresses in @a auth_context are optional; if either is 5460 * specified, they are used to form the sender and receiver addresses in the 5461 * KRB-CRED message. 5462 * 5463 * @note The @a rdata_out argument is required if the 5464 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5465 * in @a auth_context. 5466 * 5467 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, an entry 5468 * for the message is entered in an in-memory replay cache to detect if the 5469 * message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not 5470 * set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5471 * auth_context, the timestamp used for the KRB-CRED message is stored in @a 5472 * rdata_out. 5473 * 5474 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5475 * is set, the @a auth_context local sequence number is included in the 5476 * KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5477 * is set, the sequence number used is stored in @a rdata_out. 5478 * 5479 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5480 * needed. 5481 * 5482 * The message will be encrypted using the send subkey of @a auth_context if it 5483 * is present, or the session key otherwise. If neither key is present, the 5484 * credentials will not be encrypted, and the message should only be sent over 5485 * a secure channel. No replay cache entry is used in this case. 5486 * 5487 * @retval 5488 * 0 Success 5489 * @retval 5490 * ENOMEM Insufficient memory 5491 * @retval 5492 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter 5493 * @return 5494 * Kerberos error codes 5495 */ 5496 krb5_error_code KRB5_CALLCONV 5497 krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, 5498 krb5_creds **creds, krb5_data **der_out, 5499 krb5_replay_data *rdata_out); 5500 5501 /** 5502 * Format a @c KRB-CRED message for a single set of credentials. 5503 * 5504 * @param [in] context Library context 5505 * @param [in] auth_context Authentication context 5506 * @param [in] creds Pointer to credentials 5507 * @param [out] der_out Encoded credentials 5508 * @param [out] rdata_out Replay cache data (NULL if not needed) 5509 * 5510 * This is a convenience function that calls krb5_mk_ncred() with a single set 5511 * of credentials. 5512 * 5513 * @retval 5514 * 0 Success 5515 * @retval 5516 * ENOMEM Insufficient memory 5517 * @retval 5518 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter 5519 * @return 5520 * Kerberos error codes 5521 */ 5522 krb5_error_code KRB5_CALLCONV 5523 krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, 5524 krb5_creds *creds, krb5_data **der_out, 5525 krb5_replay_data *rdata_out); 5526 5527 /** 5528 * Read and validate a @c KRB-CRED message. 5529 * 5530 * @param [in] context Library context 5531 * @param [in] auth_context Authentication context 5532 * @param [in] creddata @c KRB-CRED message 5533 * @param [out] creds_out Null-terminated array of forwarded credentials 5534 * @param [out] rdata_out Replay data (NULL if not needed) 5535 * 5536 * @note The @a rdata_out argument is required if the 5537 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5538 * in @a auth_context.` 5539 * 5540 * @a creddata will be decrypted using the receiving subkey if it is present in 5541 * @a auth_context, or the session key if the receiving subkey is not present 5542 * or fails to decrypt the message. 5543 * 5544 * Use krb5_free_tgt_creds() to free @a creds_out when it is no longer needed. 5545 * 5546 * @retval 0 Success; otherwise - Kerberos error codes 5547 */ 5548 krb5_error_code KRB5_CALLCONV 5549 krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, 5550 krb5_data *creddata, krb5_creds ***creds_out, 5551 krb5_replay_data *rdata_out); 5552 5553 /** 5554 * Get a forwarded TGT and format a @c KRB-CRED message. 5555 * 5556 * @param [in] context Library context 5557 * @param [in] auth_context Authentication context 5558 * @param [in] rhost Remote host 5559 * @param [in] client Client principal of TGT 5560 * @param [in] server Principal of server to receive TGT 5561 * @param [in] cc Credential cache handle (NULL to use default) 5562 * @param [in] forwardable Whether TGT should be forwardable 5563 * @param [out] outbuf KRB-CRED message 5564 * 5565 * Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED 5566 * message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST, 5567 * the second component of @a server will be used. 5568 * 5569 * @retval 5570 * 0 Success 5571 * @retval 5572 * ENOMEM Insufficient memory 5573 * @retval 5574 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match 5575 * @retval 5576 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket 5577 * @retval 5578 * KRB5_CC_BADNAME Credential cache name or principal name malformed 5579 * @return 5580 * Kerberos error codes 5581 */ 5582 krb5_error_code KRB5_CALLCONV 5583 krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, 5584 const char *rhost, krb5_principal client, 5585 krb5_principal server, krb5_ccache cc, int forwardable, 5586 krb5_data *outbuf); 5587 5588 /** 5589 * Create and initialize an authentication context. 5590 * 5591 * @param [in] context Library context 5592 * @param [out] auth_context Authentication context 5593 * 5594 * This function creates an authentication context to hold configuration and 5595 * state relevant to krb5 functions for authenticating principals and 5596 * protecting messages once authentication has occurred. 5597 * 5598 * By default, flags for the context are set to enable the use of the replay 5599 * cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use 5600 * krb5_auth_con_setflags() to change the flags. 5601 * 5602 * The allocated @a auth_context must be freed with krb5_auth_con_free() when 5603 * it is no longer needed. 5604 * 5605 * @retval 0 Success; otherwise - Kerberos error codes 5606 */ 5607 krb5_error_code KRB5_CALLCONV 5608 krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context); 5609 5610 /** 5611 * Free a krb5_auth_context structure. 5612 * 5613 * @param [in] context Library context 5614 * @param [in] auth_context Authentication context to be freed 5615 * 5616 * This function frees an auth context allocated by krb5_auth_con_init(). 5617 * 5618 * @retval 0 (always) 5619 */ 5620 krb5_error_code KRB5_CALLCONV 5621 krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context); 5622 5623 /** 5624 * Set a flags field in a krb5_auth_context structure. 5625 * 5626 * @param [in] context Library context 5627 * @param [in] auth_context Authentication context 5628 * @param [in] flags Flags bit mask 5629 * 5630 * Valid values for @a flags are: 5631 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps 5632 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps 5633 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers 5634 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers 5635 * 5636 * @retval 0 (always) 5637 */ 5638 krb5_error_code KRB5_CALLCONV 5639 krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags); 5640 5641 /** 5642 * Retrieve flags from a krb5_auth_context structure. 5643 * 5644 * @param [in] context Library context 5645 * @param [in] auth_context Authentication context 5646 * @param [out] flags Flags bit mask 5647 * 5648 * Valid values for @a flags are: 5649 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps 5650 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps 5651 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers 5652 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers 5653 * 5654 * @retval 0 (always) 5655 */ 5656 krb5_error_code KRB5_CALLCONV 5657 krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, 5658 krb5_int32 *flags); 5659 5660 /** 5661 * Set a checksum callback in an auth context. 5662 * 5663 * @param [in] context Library context 5664 * @param [in] auth_context Authentication context 5665 * @param [in] func Checksum callback 5666 * @param [in] data Callback argument 5667 * 5668 * Set a callback to obtain checksum data in krb5_mk_req(). The callback will 5669 * be invoked after the subkey and local sequence number are stored in @a 5670 * auth_context. 5671 * 5672 * @retval 0 (always) 5673 */ 5674 krb5_error_code KRB5_CALLCONV 5675 krb5_auth_con_set_checksum_func( krb5_context context, 5676 krb5_auth_context auth_context, 5677 krb5_mk_req_checksum_func func, 5678 void *data); 5679 5680 /** 5681 * Get the checksum callback from an auth context. 5682 * 5683 * @param [in] context Library context 5684 * @param [in] auth_context Authentication context 5685 * @param [out] func Checksum callback 5686 * @param [out] data Callback argument 5687 * 5688 * @retval 0 (always) 5689 */ 5690 krb5_error_code KRB5_CALLCONV 5691 krb5_auth_con_get_checksum_func( krb5_context context, 5692 krb5_auth_context auth_context, 5693 krb5_mk_req_checksum_func *func, 5694 void **data); 5695 5696 /** 5697 * Set the local and remote addresses in an auth context. 5698 * 5699 * @param [in] context Library context 5700 * @param [in] auth_context Authentication context 5701 * @param [in] local_addr Local address 5702 * @param [in] remote_addr Remote address 5703 * 5704 * This function releases the storage assigned to the contents of the local and 5705 * remote addresses of @a auth_context and then sets them to @a local_addr and 5706 * @a remote_addr respectively. 5707 * 5708 * @sa krb5_auth_con_genaddrs() 5709 * 5710 * @retval 0 Success; otherwise - Kerberos error codes 5711 */ 5712 krb5_error_code KRB5_CALLCONV_WRONG 5713 krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, 5714 krb5_address *local_addr, krb5_address *remote_addr); 5715 5716 /** 5717 * Retrieve address fields from an auth context. 5718 * 5719 * @param [in] context Library context 5720 * @param [in] auth_context Authentication context 5721 * @param [out] local_addr Local address (NULL if not needed) 5722 * @param [out] remote_addr Remote address (NULL if not needed) 5723 * 5724 * @retval 0 Success; otherwise - Kerberos error codes 5725 */ 5726 krb5_error_code KRB5_CALLCONV 5727 krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, 5728 krb5_address **local_addr, krb5_address **remote_addr); 5729 5730 /** 5731 * Set local and remote port fields in an auth context. 5732 * 5733 * @param [in] context Library context 5734 * @param [in] auth_context Authentication context 5735 * @param [in] local_port Local port 5736 * @param [in] remote_port Remote port 5737 * 5738 * This function releases the storage assigned to the contents of the local and 5739 * remote ports of @a auth_context and then sets them to @a local_port and @a 5740 * remote_port respectively. 5741 * 5742 * @sa krb5_auth_con_genaddrs() 5743 * 5744 * @retval 0 Success; otherwise - Kerberos error codes 5745 */ 5746 krb5_error_code KRB5_CALLCONV 5747 krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, 5748 krb5_address *local_port, krb5_address *remote_port); 5749 5750 /** 5751 * Set the session key in an auth context. 5752 * 5753 * @param [in] context Library context 5754 * @param [in] auth_context Authentication context 5755 * @param [in] keyblock User key 5756 * 5757 * @retval 0 Success; otherwise - Kerberos error codes 5758 */ 5759 krb5_error_code KRB5_CALLCONV 5760 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, 5761 krb5_keyblock *keyblock); 5762 5763 /** 5764 * Retrieve the session key from an auth context as a keyblock. 5765 * 5766 * @param [in] context Library context 5767 * @param [in] auth_context Authentication context 5768 * @param [out] keyblock Session key 5769 * 5770 * This function creates a keyblock containing the session key from @a 5771 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5772 * longer needed 5773 * 5774 * @retval 0 Success. Otherwise - Kerberos error codes 5775 */ 5776 krb5_error_code KRB5_CALLCONV 5777 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, 5778 krb5_keyblock **keyblock); 5779 5780 /** 5781 * Retrieve the session key from an auth context. 5782 * 5783 * @param [in] context Library context 5784 * @param [in] auth_context Authentication context 5785 * @param [out] key Session key 5786 * 5787 * This function sets @a key to the session key from @a auth_context. Use 5788 * krb5_k_free_key() to release @a key when it is no longer needed. 5789 * 5790 * @retval 0 (always) 5791 */ 5792 krb5_error_code KRB5_CALLCONV 5793 krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, 5794 krb5_key *key); 5795 5796 /** 5797 * Retrieve the send subkey from an auth context as a keyblock. 5798 * 5799 * @param [in] ctx Library context 5800 * @param [in] ac Authentication context 5801 * @param [out] keyblock Send subkey 5802 * 5803 * This function creates a keyblock containing the send subkey from @a 5804 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5805 * longer needed. 5806 * 5807 * @retval 0 Success; otherwise - Kerberos error codes 5808 */ 5809 krb5_error_code KRB5_CALLCONV 5810 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); 5811 5812 /** 5813 * Retrieve the send subkey from an auth context. 5814 * 5815 * @param [in] ctx Library context 5816 * @param [in] ac Authentication context 5817 * @param [out] key Send subkey 5818 * 5819 * This function sets @a key to the send subkey from @a auth_context. Use 5820 * krb5_k_free_key() to release @a key when it is no longer needed. 5821 * 5822 * @retval 0 Success; otherwise - Kerberos error codes 5823 */ 5824 krb5_error_code KRB5_CALLCONV 5825 krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, 5826 krb5_key *key); 5827 5828 /** 5829 * Retrieve the receiving subkey from an auth context as a keyblock. 5830 * 5831 * @param [in] ctx Library context 5832 * @param [in] ac Authentication context 5833 * @param [out] keyblock Receiving subkey 5834 * 5835 * This function creates a keyblock containing the receiving subkey from @a 5836 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5837 * longer needed. 5838 * 5839 * @retval 0 Success; otherwise - Kerberos error codes 5840 */ 5841 krb5_error_code KRB5_CALLCONV 5842 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); 5843 5844 /** 5845 * Retrieve the receiving subkey from an auth context as a keyblock. 5846 * 5847 * @param [in] ctx Library context 5848 * @param [in] ac Authentication context 5849 * @param [out] key Receiving subkey 5850 * 5851 * This function sets @a key to the receiving subkey from @a auth_context. Use 5852 * krb5_k_free_key() to release @a key when it is no longer needed. 5853 * 5854 * @retval 0 Success; otherwise - Kerberos error codes 5855 */ 5856 krb5_error_code KRB5_CALLCONV 5857 krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key); 5858 5859 /** 5860 * Set the send subkey in an auth context with a keyblock. 5861 * 5862 * @param [in] ctx Library context 5863 * @param [in] ac Authentication context 5864 * @param [in] keyblock Send subkey 5865 * 5866 * This function sets the send subkey in @a ac to a copy of @a keyblock. 5867 * 5868 * @retval 0 Success. Otherwise - Kerberos error codes 5869 */ 5870 krb5_error_code KRB5_CALLCONV 5871 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, 5872 krb5_keyblock *keyblock); 5873 5874 /** 5875 * Set the send subkey in an auth context. 5876 * 5877 * @param [in] ctx Library context 5878 * @param [in] ac Authentication context 5879 * @param [out] key Send subkey 5880 * 5881 * This function sets the send subkey in @a ac to @a key, incrementing its 5882 * reference count. 5883 * 5884 * @version New in 1.9 5885 * 5886 * @retval 0 Success; otherwise - Kerberos error codes 5887 */ 5888 krb5_error_code KRB5_CALLCONV 5889 krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key); 5890 5891 /** 5892 * Set the receiving subkey in an auth context with a keyblock. 5893 * 5894 * @param [in] ctx Library context 5895 * @param [in] ac Authentication context 5896 * @param [in] keyblock Receiving subkey 5897 * 5898 * This function sets the receiving subkey in @a ac to a copy of @a keyblock. 5899 * 5900 * @retval 0 Success; otherwise - Kerberos error codes 5901 */ 5902 krb5_error_code KRB5_CALLCONV 5903 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, 5904 krb5_keyblock *keyblock); 5905 5906 /** 5907 * Set the receiving subkey in an auth context. 5908 * 5909 * @param [in] ctx Library context 5910 * @param [in] ac Authentication context 5911 * @param [in] key Receiving subkey 5912 * 5913 * This function sets the receiving subkey in @a ac to @a key, incrementing its 5914 * reference count. 5915 * 5916 * @version New in 1.9 5917 * 5918 * @retval 0 Success; otherwise - Kerberos error codes 5919 */ 5920 krb5_error_code KRB5_CALLCONV 5921 krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, 5922 krb5_key key); 5923 5924 #if KRB5_DEPRECATED 5925 /** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */ 5926 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5927 krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, 5928 krb5_keyblock **keyblock); 5929 5930 /** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */ 5931 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5932 krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, 5933 krb5_keyblock **keyblock); 5934 #endif 5935 5936 /** 5937 * Retrieve the local sequence number from an auth context. 5938 * 5939 * @param [in] context Library context 5940 * @param [in] auth_context Authentication context 5941 * @param [out] seqnumber Local sequence number 5942 * 5943 * Retrieve the local sequence number from @a auth_context and return it in @a 5944 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a 5945 * auth_context for this function to be useful. 5946 * 5947 * @retval 0 Success; otherwise - Kerberos error codes 5948 */ 5949 krb5_error_code KRB5_CALLCONV 5950 krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, 5951 krb5_int32 *seqnumber); 5952 5953 /** 5954 * Retrieve the remote sequence number from an auth context. 5955 * 5956 * @param [in] context Library context 5957 * @param [in] auth_context Authentication context 5958 * @param [out] seqnumber Remote sequence number 5959 * 5960 * Retrieve the remote sequence number from @a auth_context and return it in @a 5961 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a 5962 * auth_context for this function to be useful. 5963 * 5964 * @retval 0 Success; otherwise - Kerberos error codes 5965 */ 5966 krb5_error_code KRB5_CALLCONV 5967 krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, 5968 krb5_int32 *seqnumber); 5969 5970 /** 5971 * Cause an auth context to use cipher state. 5972 * 5973 * @param [in] context Library context 5974 * @param [in] auth_context Authentication context 5975 * 5976 * Prepare @a auth_context to use cipher state when krb5_mk_priv() or 5977 * krb5_rd_priv() encrypt or decrypt data. 5978 * 5979 * @retval 0 Success; otherwise - Kerberos error codes 5980 */ 5981 krb5_error_code KRB5_CALLCONV 5982 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context); 5983 5984 /** 5985 * Set the replay cache in an auth context. 5986 * 5987 * @param [in] context Library context 5988 * @param [in] auth_context Authentication context 5989 * @param [in] rcache Replay cache haddle 5990 * 5991 * This function sets the replay cache in @a auth_context to @a rcache. @a 5992 * rcache will be closed when @a auth_context is freed, so the caller should 5993 * relinquish that responsibility. 5994 * 5995 * @retval 0 Success; otherwise - Kerberos error codes 5996 */ 5997 krb5_error_code KRB5_CALLCONV 5998 krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, 5999 krb5_rcache rcache); 6000 6001 /** 6002 * Retrieve the replay cache from an auth context. 6003 * 6004 * @param [in] context Library context 6005 * @param [in] auth_context Authentication context 6006 * @param [out] rcache Replay cache handle 6007 * 6008 * This function fetches the replay cache from @a auth_context. The caller 6009 * should not close @a rcache. 6010 * 6011 * @retval 0 (always) 6012 */ 6013 krb5_error_code KRB5_CALLCONV_WRONG 6014 krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, 6015 krb5_rcache *rcache); 6016 6017 /** 6018 * Retrieve the authenticator from an auth context. 6019 * 6020 * @param [in] context Library context 6021 * @param [in] auth_context Authentication context 6022 * @param [out] authenticator Authenticator 6023 * 6024 * Use krb5_free_authenticator() to free @a authenticator when it is no longer 6025 * needed. 6026 * 6027 * @retval 0 Success. Otherwise - Kerberos error codes 6028 */ 6029 krb5_error_code KRB5_CALLCONV 6030 krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, 6031 krb5_authenticator **authenticator); 6032 6033 /** 6034 * Set checksum type in an an auth context. 6035 * 6036 * @param [in] context Library context 6037 * @param [in] auth_context Authentication context 6038 * @param [in] cksumtype Checksum type 6039 * 6040 * This function sets the checksum type in @a auth_context to be used by 6041 * krb5_mk_req() for the authenticator checksum. 6042 * 6043 * @retval 0 Success. Otherwise - Kerberos error codes 6044 */ 6045 krb5_error_code KRB5_CALLCONV 6046 krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, 6047 krb5_cksumtype cksumtype); 6048 6049 #define KRB5_REALM_BRANCH_CHAR '.' 6050 6051 /* 6052 * end "func-proto.h" 6053 */ 6054 6055 /* 6056 * begin stuff from libos.h 6057 */ 6058 6059 /** 6060 * @brief Read a password from keyboard input. 6061 * 6062 * @param [in] context Library context 6063 * @param [in] prompt First user prompt when reading password 6064 * @param [in] prompt2 Second user prompt (NULL to prompt only once) 6065 * @param [out] return_pwd Returned password 6066 * @param [in,out] size_return On input, maximum size of password; on output, 6067 * size of password read 6068 * 6069 * This function reads a password from keyboard input and stores it in @a 6070 * return_pwd. @a size_return should be set by the caller to the amount of 6071 * storage space available in @a return_pwd; on successful return, it will be 6072 * set to the length of the password read. 6073 * 6074 * @a prompt is printed to the terminal, followed by ": ", and then a password 6075 * is read from the keyboard. 6076 * 6077 * If @a prompt2 is NULL, the password is read only once. Otherwise, @a 6078 * prompt2 is printed to the terminal and a second password is read. If the 6079 * two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned. 6080 * 6081 * Echoing is turned off when the password is read. 6082 * 6083 * @retval 6084 * 0 Success 6085 * @return 6086 * Error in reading or verifying the password 6087 * @return 6088 * Kerberos error codes 6089 */ 6090 krb5_error_code KRB5_CALLCONV 6091 krb5_read_password(krb5_context context, 6092 const char *prompt, const char *prompt2, 6093 char *return_pwd, unsigned int *size_return); 6094 6095 /** 6096 * Convert a principal name to a local name. 6097 * 6098 * @param [in] context Library context 6099 * @param [in] aname Principal name 6100 * @param [in] lnsize_in Space available in @a lname 6101 * @param [out] lname Local name buffer to be filled in 6102 * 6103 * If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is 6104 * returned. If @a lnsize_in is too small for the local name, 6105 * KRB5_CONFIG_NOTENUFSPACE is returned. 6106 * 6107 * Local names, rather than principal names, can be used by programs that 6108 * translate to an environment-specific name (for example, a user account 6109 * name). 6110 * 6111 * @retval 6112 * 0 Success 6113 * @retval 6114 * System errors 6115 * @return 6116 * Kerberos error codes 6117 */ 6118 krb5_error_code KRB5_CALLCONV 6119 krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, 6120 int lnsize_in, char *lname); 6121 6122 /** 6123 * Get the Kerberos realm names for a host. 6124 * 6125 * @param [in] context Library context 6126 * @param [in] host Host name (or NULL) 6127 * @param [out] realmsp Null-terminated list of realm names 6128 * 6129 * Fill in @a realmsp with a pointer to a null-terminated list of realm names. 6130 * If there are no known realms for the host, a list containing the referral 6131 * (empty) realm is returned. 6132 * 6133 * If @a host is NULL, the local host's realms are determined. 6134 * 6135 * Use krb5_free_host_realm() to release @a realmsp when it is no longer 6136 * needed. 6137 * 6138 * @retval 6139 * 0 Success 6140 * @retval 6141 * ENOMEM Insufficient memory 6142 * @return 6143 * Kerberos error codes 6144 */ 6145 krb5_error_code KRB5_CALLCONV 6146 krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp); 6147 6148 /** 6149 * 6150 * @param [in] context Library context 6151 * @param [in] hdata Host name (or NULL) 6152 * @param [out] realmsp Null-terminated list of realm names 6153 * 6154 * Fill in @a realmsp with a pointer to a null-terminated list of realm names 6155 * obtained through heuristics or insecure resolution methods which have lower 6156 * priority than KDC referrals. 6157 * 6158 * If @a host is NULL, the local host's realms are determined. 6159 * 6160 * Use krb5_free_host_realm() to release @a realmsp when it is no longer 6161 * needed. 6162 */ 6163 krb5_error_code KRB5_CALLCONV 6164 krb5_get_fallback_host_realm(krb5_context context, 6165 krb5_data *hdata, char ***realmsp); 6166 6167 /** 6168 * Free the memory allocated by krb5_get_host_realm(). 6169 * 6170 * @param [in] context Library context 6171 * @param [in] realmlist List of realm names to be released 6172 * 6173 * @retval 6174 * 0 Success 6175 * @return 6176 * Kerberos error codes 6177 */ 6178 krb5_error_code KRB5_CALLCONV 6179 krb5_free_host_realm(krb5_context context, char *const *realmlist); 6180 6181 /** 6182 * Determine if a principal is authorized to log in as a local user. 6183 * 6184 * @param [in] context Library context 6185 * @param [in] principal Principal name 6186 * @param [in] luser Local username 6187 * 6188 * Determine whether @a principal is authorized to log in as a local user @a 6189 * luser. 6190 * 6191 * @retval 6192 * TRUE Principal is authorized to log in as user; FALSE otherwise. 6193 */ 6194 krb5_boolean KRB5_CALLCONV 6195 krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser); 6196 6197 /** 6198 * Generate auth context addresses from a connected socket. 6199 * 6200 * @param [in] context Library context 6201 * @param [in] auth_context Authentication context 6202 * @param [in] infd Connected socket descriptor 6203 * @param [in] flags Flags 6204 * 6205 * This function sets the local and/or remote addresses in @a auth_context 6206 * based on the local and remote endpoints of the socket @a infd. The 6207 * following flags determine the operations performed: 6208 * 6209 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address. 6210 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address. 6211 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port. 6212 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port. 6213 * 6214 * @retval 0 Success; otherwise - Kerberos error codes 6215 */ 6216 krb5_error_code KRB5_CALLCONV 6217 krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, 6218 int infd, int flags); 6219 6220 /** 6221 * Set time offset field in a krb5_context structure. 6222 * 6223 * @param [in] context Library context 6224 * @param [in] seconds Real time, seconds portion 6225 * @param [in] microseconds Real time, microseconds portion 6226 * 6227 * This function sets the time offset in @a context to the difference between 6228 * the system time and the real time as determined by @a seconds and @a 6229 * microseconds. 6230 * 6231 * @retval 0 Success; otherwise - Kerberos error codes 6232 */ 6233 krb5_error_code KRB5_CALLCONV 6234 krb5_set_real_time(krb5_context context, krb5_timestamp seconds, 6235 krb5_int32 microseconds); 6236 6237 /** 6238 * Return the time offsets from the os context. 6239 * 6240 * @param [in] context Library context 6241 * @param [out] seconds Time offset, seconds portion 6242 * @param [out] microseconds Time offset, microseconds portion 6243 * 6244 * This function returns the time offsets in @a context. 6245 * 6246 * @retval 0 Success; otherwise - Kerberos error codes 6247 */ 6248 krb5_error_code KRB5_CALLCONV 6249 krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds); 6250 6251 /* str_conv.c */ 6252 /** 6253 * Convert a string to an encryption type. 6254 * 6255 * @param [in] string String to convert to an encryption type 6256 * @param [out] enctypep Encryption type 6257 * 6258 * @retval 0 Success; otherwise - EINVAL 6259 */ 6260 krb5_error_code KRB5_CALLCONV 6261 krb5_string_to_enctype(char *string, krb5_enctype *enctypep); 6262 6263 /** 6264 * Convert a string to a salt type. 6265 * 6266 * @param [in] string String to convert to an encryption type 6267 * @param [out] salttypep Salt type to be filled in 6268 * 6269 * @retval 0 Success; otherwise - EINVAL 6270 */ 6271 krb5_error_code KRB5_CALLCONV 6272 krb5_string_to_salttype(char *string, krb5_int32 *salttypep); 6273 6274 /** 6275 * Convert a string to a checksum type. 6276 * 6277 * @param [in] string String to be converted 6278 * @param [out] cksumtypep Checksum type to be filled in 6279 * 6280 * @retval 0 Success; otherwise - EINVAL 6281 */ 6282 krb5_error_code KRB5_CALLCONV 6283 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep); 6284 6285 /** 6286 * Convert a string to a timestamp. 6287 * 6288 * @param [in] string String to be converted 6289 * @param [out] timestampp Pointer to timestamp 6290 * 6291 * @retval 0 Success; otherwise - EINVAL 6292 */ 6293 krb5_error_code KRB5_CALLCONV 6294 krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp); 6295 6296 /** 6297 * Convert a string to a delta time value. 6298 * 6299 * @param [in] string String to be converted 6300 * @param [out] deltatp Delta time to be filled in 6301 * 6302 * @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT 6303 */ 6304 krb5_error_code KRB5_CALLCONV 6305 krb5_string_to_deltat(char *string, krb5_deltat *deltatp); 6306 6307 /** 6308 * Convert an encryption type to a string. 6309 * 6310 * @param [in] enctype Encryption type 6311 * @param [out] buffer Buffer to hold encryption type string 6312 * @param [in] buflen Storage available in @a buffer 6313 * 6314 * @retval 0 Success; otherwise - Kerberos error codes 6315 */ 6316 krb5_error_code KRB5_CALLCONV 6317 krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen); 6318 6319 /** 6320 * Convert an encryption type to a name or alias. 6321 * 6322 * @param [in] enctype Encryption type 6323 * @param [in] shortest Flag 6324 * @param [out] buffer Buffer to hold encryption type string 6325 * @param [in] buflen Storage available in @a buffer 6326 * 6327 * If @a shortest is FALSE, this function returns the enctype's canonical name 6328 * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the 6329 * enctype's shortest alias (like "aes128-cts"). 6330 * 6331 * @version New in 1.9 6332 * 6333 * @retval 0 Success; otherwise - Kerberos error codes 6334 */ 6335 krb5_error_code KRB5_CALLCONV 6336 krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, 6337 char *buffer, size_t buflen); 6338 6339 /** 6340 * Convert a salt type to a string. 6341 * 6342 * @param [in] salttype Salttype to convert 6343 * @param [out] buffer Buffer to receive the converted string 6344 * @param [in] buflen Storage available in @a buffer 6345 * 6346 * @retval 0 Success; otherwise - Kerberos error codes 6347 */ 6348 krb5_error_code KRB5_CALLCONV 6349 krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen); 6350 6351 /** 6352 * Convert a checksum type to a string. 6353 * 6354 * @param [in] cksumtype Checksum type 6355 * @param [out] buffer Buffer to hold converted checksum type 6356 * @param [in] buflen Storage available in @a buffer 6357 * 6358 * @retval 0 Success; otherwise - Kerberos error codes 6359 */ 6360 krb5_error_code KRB5_CALLCONV 6361 krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen); 6362 6363 /** 6364 * Convert a timestamp to a string. 6365 * 6366 * @param [in] timestamp Timestamp to convert 6367 * @param [out] buffer Buffer to hold converted timestamp 6368 * @param [in] buflen Storage available in @a buffer 6369 * 6370 * The string is returned in the locale's appropriate date and time 6371 * representation. 6372 * 6373 * @retval 0 Success; otherwise - Kerberos error codes 6374 */ 6375 krb5_error_code KRB5_CALLCONV 6376 krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen); 6377 6378 /** 6379 * Convert a timestamp to a string, with optional output padding 6380 * 6381 * @param [in] timestamp Timestamp to convert 6382 * @param [out] buffer Buffer to hold the converted timestamp 6383 * @param [in] buflen Length of buffer 6384 * @param [in] pad Optional value to pad @a buffer if converted 6385 * timestamp does not fill it 6386 * 6387 * If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters 6388 * with the value of *@a pad. 6389 * 6390 * @retval 0 Success; otherwise - Kerberos error codes 6391 */ 6392 krb5_error_code KRB5_CALLCONV 6393 krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, 6394 size_t buflen, char *pad); 6395 6396 /** 6397 * Convert a relative time value to a string. 6398 * 6399 * @param [in] deltat Relative time value to convert 6400 * @param [out] buffer Buffer to hold time string 6401 * @param [in] buflen Storage available in @a buffer 6402 * 6403 * @retval 0 Success; otherwise - Kerberos error codes 6404 */ 6405 krb5_error_code KRB5_CALLCONV 6406 krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen); 6407 6408 /* The name of the Kerberos ticket granting service... and its size */ 6409 #define KRB5_TGS_NAME "krbtgt" 6410 #define KRB5_TGS_NAME_SIZE 6 6411 6412 /* flags for recvauth */ 6413 #define KRB5_RECVAUTH_SKIP_VERSION 0x0001 6414 #define KRB5_RECVAUTH_BADAUTHVERS 0x0002 6415 /* initial ticket api functions */ 6416 6417 /** Text for prompt used in prompter callback function. */ 6418 typedef struct _krb5_prompt { 6419 char *prompt; /**< The prompt to show to the user */ 6420 int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */ 6421 krb5_data *reply; /**< Must be allocated before call to prompt routine */ 6422 } krb5_prompt; 6423 6424 /** Pointer to a prompter callback function. */ 6425 typedef krb5_error_code 6426 (KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, void *data, 6427 const char *name, const char *banner, 6428 int num_prompts, krb5_prompt prompts[]); 6429 6430 /** 6431 * Prompt user for password. 6432 * 6433 * @param [in] context Library context 6434 * @param data Unused (callback argument) 6435 * @param [in] name Name to output during prompt 6436 * @param [in] banner Banner to output during prompt 6437 * @param [in] num_prompts Number of prompts in @a prompts 6438 * @param [in] prompts Array of prompts and replies 6439 * 6440 * This function is intended to be used as a prompter callback for 6441 * krb5_get_init_creds_password() or krb5_init_creds_init(). 6442 * 6443 * Writes @a name and @a banner to stdout, each followed by a newline, then 6444 * writes each prompt field in the @a prompts array, followed by ": ", and sets 6445 * the reply field of the entry to a line of input read from stdin. If the 6446 * hidden flag is set for a prompt, then terminal echoing is turned off when 6447 * input is read. 6448 * 6449 * @retval 6450 * 0 Success 6451 * @return 6452 * Kerberos error codes 6453 * 6454 */ 6455 krb5_error_code KRB5_CALLCONV 6456 krb5_prompter_posix(krb5_context context, void *data, const char *name, 6457 const char *banner, int num_prompts, 6458 krb5_prompt prompts[]); 6459 6460 /** 6461 * Long-term password responder question 6462 * 6463 * This question is asked when the long-term password is needed. It has no 6464 * challenge and the response is simply the password string. 6465 * 6466 * @version New in 1.11 6467 */ 6468 #define KRB5_RESPONDER_QUESTION_PASSWORD "password" 6469 6470 /** 6471 * OTP responder question 6472 * 6473 * The OTP responder question is asked when the KDC indicates that an OTP 6474 * value is required in order to complete the authentication. The JSON format 6475 * of the challenge is: 6476 * 6477 * { 6478 * "service": <string (optional)>, 6479 * "tokenInfo": [ 6480 * { 6481 * "flags": <number>, 6482 * "vendor": <string (optional)>, 6483 * "challenge": <string (optional)>, 6484 * "length": <number (optional)>, 6485 * "format": <number (optional)>, 6486 * "tokenID": <string (optional)>, 6487 * "algID": <string (optional)>, 6488 * }, 6489 * ... 6490 * ] 6491 * } 6492 * 6493 * The answer to the question MUST be JSON formatted: 6494 * 6495 * { 6496 * "tokeninfo": <number>, 6497 * "value": <string (optional)>, 6498 * "pin": <string (optional)>, 6499 * } 6500 * 6501 * For more detail, please see RFC 6560. 6502 * 6503 * @version New in 1.11 6504 */ 6505 #define KRB5_RESPONDER_QUESTION_OTP "otp" 6506 6507 /** 6508 * These format constants identify the format of the token value. 6509 */ 6510 #define KRB5_RESPONDER_OTP_FORMAT_DECIMAL 0 6511 #define KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL 1 6512 #define KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC 2 6513 6514 /** 6515 * This flag indicates that the token value MUST be collected. 6516 */ 6517 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN 0x0001 6518 6519 /** 6520 * This flag indicates that the PIN value MUST be collected. 6521 */ 6522 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN 0x0002 6523 6524 /** 6525 * This flag indicates that the token is now in re-synchronization mode with 6526 * the server. The user is expected to reply with the next code displayed on 6527 * the token. 6528 */ 6529 #define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP 0x0004 6530 6531 /** 6532 * This flag indicates that the PIN MUST be returned as a separate item. This 6533 * flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If 6534 * this flag is not set, the responder may either concatenate PIN + token value 6535 * and store it as "value" in the answer or it may return them separately. If 6536 * they are returned separately, they will be concatenated internally. 6537 */ 6538 #define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008 6539 6540 /** 6541 * PKINIT responder question 6542 * 6543 * The PKINIT responder question is asked when the client needs a password 6544 * that's being used to protect key information, and is formatted as a JSON 6545 * object. A specific identity's flags value, if not zero, is the bitwise-OR 6546 * of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined 6547 * below, and possibly other flags to be added later. Any resemblance to 6548 * similarly-named CKF_* values in the PKCS#11 API should not be depended on. 6549 * 6550 * { 6551 * identity <string> : flags <number>, 6552 * ... 6553 * } 6554 * 6555 * The answer to the question MUST be JSON formatted: 6556 * 6557 * { 6558 * identity <string> : password <string>, 6559 * ... 6560 * } 6561 * 6562 * @version New in 1.12 6563 */ 6564 #define KRB5_RESPONDER_QUESTION_PKINIT "pkinit" 6565 6566 /** 6567 * This flag indicates that an incorrect PIN was supplied at least once since 6568 * the last time the correct PIN was supplied. 6569 */ 6570 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0) 6571 6572 /** 6573 * This flag indicates that supplying an incorrect PIN will cause the token to 6574 * lock itself. 6575 */ 6576 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1) 6577 6578 /** 6579 * This flag indicates that the user PIN is locked, and you can't log in to the 6580 * token with it. 6581 */ 6582 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2) 6583 6584 /** 6585 * A container for a set of preauthentication questions and answers 6586 * 6587 * A responder context is supplied by the krb5 authentication system to a 6588 * krb5_responder_fn callback. It contains a list of questions and can receive 6589 * answers. Questions contained in a responder context can be listed using 6590 * krb5_responder_list_questions(), retrieved using 6591 * krb5_responder_get_challenge(), or answered using 6592 * krb5_responder_set_answer(). The form of a question's challenge and answer 6593 * depend on the question name. 6594 * 6595 * @version New in 1.11 6596 */ 6597 typedef struct krb5_responder_context_st *krb5_responder_context; 6598 6599 /** 6600 * List the question names contained in the responder context. 6601 * 6602 * @param [in] ctx Library context 6603 * @param [in] rctx Responder context 6604 * 6605 * Return a pointer to a null-terminated list of question names which are 6606 * present in @a rctx. The pointer is an alias, valid only as long as the 6607 * lifetime of @a rctx, and should not be modified or freed by the caller. A 6608 * question's challenge can be retrieved using krb5_responder_get_challenge() 6609 * and answered using krb5_responder_set_answer(). 6610 * 6611 * @version New in 1.11 6612 */ 6613 const char * const * KRB5_CALLCONV 6614 krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx); 6615 6616 /** 6617 * Retrieve the challenge data for a given question in the responder context. 6618 * 6619 * @param [in] ctx Library context 6620 * @param [in] rctx Responder context 6621 * @param [in] question Question name 6622 * 6623 * Return a pointer to a C string containing the challenge for @a question 6624 * within @a rctx, or NULL if the question is not present in @a rctx. The 6625 * structure of the question depends on the question name, but will always be 6626 * printable UTF-8 text. The returned pointer is an alias, valid only as long 6627 * as the lifetime of @a rctx, and should not be modified or freed by the 6628 * caller. 6629 * 6630 * @version New in 1.11 6631 */ 6632 const char * KRB5_CALLCONV 6633 krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, 6634 const char *question); 6635 6636 /** 6637 * Answer a named question in the responder context. 6638 * 6639 * @param [in] ctx Library context 6640 * @param [in] rctx Responder context 6641 * @param [in] question Question name 6642 * @param [in] answer The string to set (MUST be printable UTF-8) 6643 * 6644 * This function supplies an answer to @a question within @a rctx. The 6645 * appropriate form of the answer depends on the question name. 6646 * 6647 * @retval EINVAL @a question is not present within @a rctx 6648 * 6649 * @version New in 1.11 6650 */ 6651 krb5_error_code KRB5_CALLCONV 6652 krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, 6653 const char *question, const char *answer); 6654 6655 /** 6656 * Responder function for an initial credential exchange. 6657 * 6658 * @param [in] ctx Library context 6659 * @param [in] data Callback data 6660 * @param [in] rctx Responder context 6661 * 6662 * A responder function is like a prompter function, but is used for handling 6663 * questions and answers as potentially complex data types. Client 6664 * preauthentication modules will insert a set of named "questions" into 6665 * the responder context. Each question may optionally contain a challenge. 6666 * This challenge is printable UTF-8, but may be an encoded value. The 6667 * precise encoding and contents of the challenge are specific to the question 6668 * asked. When the responder is called, it should answer all the questions it 6669 * understands. Like the challenge, the answer MUST be printable UTF-8, but 6670 * may contain structured/encoded data formatted to the expected answer format 6671 * of the question. 6672 * 6673 * If a required question is unanswered, the prompter may be called. 6674 */ 6675 typedef krb5_error_code 6676 (KRB5_CALLCONV *krb5_responder_fn)(krb5_context ctx, void *data, 6677 krb5_responder_context rctx); 6678 6679 typedef struct _krb5_responder_otp_tokeninfo { 6680 krb5_flags flags; 6681 krb5_int32 format; /* -1 when not specified. */ 6682 krb5_int32 length; /* -1 when not specified. */ 6683 char *vendor; 6684 char *challenge; 6685 char *token_id; 6686 char *alg_id; 6687 } krb5_responder_otp_tokeninfo; 6688 6689 typedef struct _krb5_responder_otp_challenge { 6690 char *service; 6691 krb5_responder_otp_tokeninfo **tokeninfo; 6692 } krb5_responder_otp_challenge; 6693 6694 /** 6695 * Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. 6696 * 6697 * A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP 6698 * question challenge data, making it available in native C. The main feature 6699 * of this function is the ability to interact with OTP tokens without parsing 6700 * the JSON. 6701 * 6702 * The returned value must be passed to krb5_responder_otp_challenge_free() to 6703 * be freed. 6704 * 6705 * @param [in] ctx Library context 6706 * @param [in] rctx Responder context 6707 * @param [out] chl Challenge structure 6708 * 6709 * @version New in 1.11 6710 */ 6711 krb5_error_code KRB5_CALLCONV 6712 krb5_responder_otp_get_challenge(krb5_context ctx, 6713 krb5_responder_context rctx, 6714 krb5_responder_otp_challenge **chl); 6715 6716 /** 6717 * Answer the KRB5_RESPONDER_QUESTION_OTP question. 6718 * 6719 * @param [in] ctx Library context 6720 * @param [in] rctx Responder context 6721 * @param [in] ti The index of the tokeninfo selected 6722 * @param [in] value The value to set, or NULL for none 6723 * @param [in] pin The pin to set, or NULL for none 6724 * 6725 * @version New in 1.11 6726 */ 6727 krb5_error_code KRB5_CALLCONV 6728 krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, 6729 size_t ti, const char *value, const char *pin); 6730 6731 /** 6732 * Free the value returned by krb5_responder_otp_get_challenge(). 6733 * 6734 * @param [in] ctx Library context 6735 * @param [in] rctx Responder context 6736 * @param [in] chl The challenge to free 6737 * 6738 * @version New in 1.11 6739 */ 6740 void KRB5_CALLCONV 6741 krb5_responder_otp_challenge_free(krb5_context ctx, 6742 krb5_responder_context rctx, 6743 krb5_responder_otp_challenge *chl); 6744 6745 typedef struct _krb5_responder_pkinit_identity { 6746 char *identity; 6747 krb5_int32 token_flags; /* 0 when not specified or not applicable. */ 6748 } krb5_responder_pkinit_identity; 6749 6750 typedef struct _krb5_responder_pkinit_challenge { 6751 krb5_responder_pkinit_identity **identities; 6752 } krb5_responder_pkinit_challenge; 6753 6754 /** 6755 * Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. 6756 * 6757 * A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT 6758 * question challenge data, making it available in native C. The main feature 6759 * of this function is the ability to read the challenge without parsing 6760 * the JSON. 6761 * 6762 * The returned value must be passed to krb5_responder_pkinit_challenge_free() 6763 * to be freed. 6764 * 6765 * @param [in] ctx Library context 6766 * @param [in] rctx Responder context 6767 * @param [out] chl_out Challenge structure 6768 * 6769 * @version New in 1.12 6770 */ 6771 krb5_error_code KRB5_CALLCONV 6772 krb5_responder_pkinit_get_challenge(krb5_context ctx, 6773 krb5_responder_context rctx, 6774 krb5_responder_pkinit_challenge **chl_out); 6775 6776 /** 6777 * Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. 6778 * 6779 * @param [in] ctx Library context 6780 * @param [in] rctx Responder context 6781 * @param [in] identity The identity for which a PIN is being supplied 6782 * @param [in] pin The provided PIN, or NULL for none 6783 * 6784 * @version New in 1.12 6785 */ 6786 krb5_error_code KRB5_CALLCONV 6787 krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, 6788 const char *identity, const char *pin); 6789 6790 /** 6791 * Free the value returned by krb5_responder_pkinit_get_challenge(). 6792 * 6793 * @param [in] ctx Library context 6794 * @param [in] rctx Responder context 6795 * @param [in] chl The challenge to free 6796 * 6797 * @version New in 1.12 6798 */ 6799 void KRB5_CALLCONV 6800 krb5_responder_pkinit_challenge_free(krb5_context ctx, 6801 krb5_responder_context rctx, 6802 krb5_responder_pkinit_challenge *chl); 6803 6804 /** Store options for @c _krb5_get_init_creds */ 6805 typedef struct _krb5_get_init_creds_opt { 6806 krb5_flags flags; 6807 krb5_deltat tkt_life; 6808 krb5_deltat renew_life; 6809 int forwardable; 6810 int proxiable; 6811 krb5_enctype *etype_list; 6812 int etype_list_length; 6813 krb5_address **address_list; 6814 krb5_preauthtype *preauth_list; 6815 int preauth_list_length; 6816 krb5_data *salt; 6817 } krb5_get_init_creds_opt; 6818 6819 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 6820 #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002 6821 #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004 6822 #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008 6823 #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010 6824 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 6825 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 6826 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 6827 #define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100 6828 #define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200 6829 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400 6830 6831 6832 /** 6833 * Allocate a new initial credential options structure. 6834 * 6835 * @param [in] context Library context 6836 * @param [out] opt New options structure 6837 * 6838 * This function is the preferred way to create an options structure for 6839 * getting initial credentials, and is required to make use of certain options. 6840 * Use krb5_get_init_creds_opt_free() to free @a opt when it is no longer 6841 * needed. 6842 * 6843 * @retval 0 - Success; Kerberos errors otherwise. 6844 */ 6845 krb5_error_code KRB5_CALLCONV 6846 krb5_get_init_creds_opt_alloc(krb5_context context, 6847 krb5_get_init_creds_opt **opt); 6848 6849 /** 6850 * Free initial credential options. 6851 * 6852 * @param [in] context Library context 6853 * @param [in] opt Options structure to free 6854 * 6855 * @sa krb5_get_init_creds_opt_alloc() 6856 */ 6857 void KRB5_CALLCONV 6858 krb5_get_init_creds_opt_free(krb5_context context, 6859 krb5_get_init_creds_opt *opt); 6860 6861 /** @deprecated Use krb5_get_init_creds_opt_alloc() instead. */ 6862 void KRB5_CALLCONV 6863 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt); 6864 6865 /** 6866 * Set the ticket lifetime in initial credential options. 6867 * 6868 * @param [in] opt Options structure 6869 * @param [in] tkt_life Ticket lifetime 6870 */ 6871 void KRB5_CALLCONV 6872 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, 6873 krb5_deltat tkt_life); 6874 6875 /** 6876 * Set the ticket renewal lifetime in initial credential options. 6877 * 6878 * @param [in] opt Pointer to @a options field 6879 * @param [in] renew_life Ticket renewal lifetime 6880 */ 6881 void KRB5_CALLCONV 6882 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, 6883 krb5_deltat renew_life); 6884 6885 /** 6886 * Set or unset the forwardable flag in initial credential options. 6887 * 6888 * @param [in] opt Options structure 6889 * @param [in] forwardable Whether credentials should be forwardable 6890 */ 6891 void KRB5_CALLCONV 6892 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, 6893 int forwardable); 6894 6895 /** 6896 * Set or unset the proxiable flag in initial credential options. 6897 * 6898 * @param [in] opt Options structure 6899 * @param [in] proxiable Whether credentials should be proxiable 6900 */ 6901 void KRB5_CALLCONV 6902 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, 6903 int proxiable); 6904 6905 /** 6906 * Set or unset the canonicalize flag in initial credential options. 6907 * 6908 * @param [in] opt Options structure 6909 * @param [in] canonicalize Whether to canonicalize client principal 6910 */ 6911 void KRB5_CALLCONV 6912 krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, 6913 int canonicalize); 6914 6915 /** 6916 * Set or unset the anonymous flag in initial credential options. 6917 * 6918 * @param [in] opt Options structure 6919 * @param [in] anonymous Whether to make an anonymous request 6920 * 6921 * This function may be used to request anonymous credentials from the KDC by 6922 * setting @a anonymous to non-zero. Note that anonymous credentials are only 6923 * a request; clients must verify that credentials are anonymous if that is a 6924 * requirement. 6925 */ 6926 void KRB5_CALLCONV 6927 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, 6928 int anonymous); 6929 6930 /** 6931 * Set allowable encryption types in initial credential options. 6932 * 6933 * @param [in] opt Options structure 6934 * @param [in] etype_list Array of encryption types 6935 * @param [in] etype_list_length Length of @a etype_list 6936 */ 6937 void KRB5_CALLCONV 6938 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, 6939 krb5_enctype *etype_list, 6940 int etype_list_length); 6941 6942 /** 6943 * Set address restrictions in initial credential options. 6944 * 6945 * @param [in] opt Options structure 6946 * @param [in] addresses Null-terminated array of addresses 6947 */ 6948 void KRB5_CALLCONV 6949 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, 6950 krb5_address **addresses); 6951 6952 /** 6953 * Set preauthentication types in initial credential options. 6954 * 6955 * @param [in] opt Options structure 6956 * @param [in] preauth_list Array of preauthentication types 6957 * @param [in] preauth_list_length Length of @a preauth_list 6958 * 6959 * This function can be used to perform optimistic preauthentication when 6960 * getting initial credentials, in combination with 6961 * krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa(). 6962 */ 6963 void KRB5_CALLCONV 6964 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, 6965 krb5_preauthtype *preauth_list, 6966 int preauth_list_length); 6967 6968 /** 6969 * Set salt for optimistic preauthentication in initial credential options. 6970 * 6971 * @param [in] opt Options structure 6972 * @param [in] salt Salt data 6973 * 6974 * When getting initial credentials with a password, a salt string it used to 6975 * convert the password to a key. Normally this salt is obtained from the 6976 * first KDC reply, but when performing optimistic preauthentication, the 6977 * client may need to supply the salt string with this function. 6978 */ 6979 void KRB5_CALLCONV 6980 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, 6981 krb5_data *salt); 6982 6983 /** 6984 * Set or unset change-password-prompt flag in initial credential options. 6985 * 6986 * @param [in] opt Options structure 6987 * @param [in] prompt Whether to prompt to change password 6988 * 6989 * This flag is on by default. It controls whether 6990 * krb5_get_init_creds_password() will react to an expired-password error by 6991 * prompting for a new password and attempting to change the old one. 6992 */ 6993 void KRB5_CALLCONV 6994 krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, 6995 int prompt); 6996 6997 /** Generic preauth option attribute/value pairs */ 6998 typedef struct _krb5_gic_opt_pa_data { 6999 char *attr; 7000 char *value; 7001 } krb5_gic_opt_pa_data; 7002 7003 /** 7004 * Supply options for preauthentication in initial credential options. 7005 * 7006 * @param [in] context Library context 7007 * @param [in] opt Options structure 7008 * @param [in] attr Preauthentication option name 7009 * @param [in] value Preauthentication option value 7010 * 7011 * This function allows the caller to supply options for preauthentication. 7012 * The values of @a attr and @a value are supplied to each preauthentication 7013 * module available within @a context. 7014 */ 7015 krb5_error_code KRB5_CALLCONV 7016 krb5_get_init_creds_opt_set_pa(krb5_context context, 7017 krb5_get_init_creds_opt *opt, const char *attr, 7018 const char *value); 7019 7020 /** 7021 * Set location of FAST armor ccache in initial credential options. 7022 * 7023 * @param [in] context Library context 7024 * @param [in] opt Options 7025 * @param [in] fast_ccache_name Credential cache name 7026 * 7027 * Sets the location of a credential cache containing an armor ticket to 7028 * protect an initial credential exchange using the FAST protocol extension. 7029 * 7030 * In version 1.7, setting an armor ccache requires that FAST be used for the 7031 * exchange. In version 1.8 or later, setting the armor ccache causes FAST to 7032 * be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() 7033 * must be used to require that FAST be used. 7034 */ 7035 krb5_error_code KRB5_CALLCONV 7036 krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, 7037 krb5_get_init_creds_opt *opt, 7038 const char *fast_ccache_name); 7039 7040 /** 7041 * Set FAST armor cache in initial credential options. 7042 * 7043 * @param [in] context Library context 7044 * @param [in] opt Options 7045 * @param [in] ccache Credential cache handle 7046 * 7047 * This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), 7048 * but uses a credential cache handle instead of a name. 7049 * 7050 * @version New in 1.9 7051 */ 7052 krb5_error_code KRB5_CALLCONV 7053 krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, 7054 krb5_get_init_creds_opt *opt, 7055 krb5_ccache ccache); 7056 7057 /** 7058 * Set an input credential cache in initial credential options. 7059 * 7060 * @param [in] context Library context 7061 * @param [in] opt Options 7062 * @param [in] ccache Credential cache handle 7063 * 7064 * If an input credential cache is set, then the krb5_get_init_creds family of 7065 * APIs will read settings from it. Setting an input ccache is desirable when 7066 * the application wishes to perform authentication in the same way (using the 7067 * same preauthentication mechanisms, and making the same non-security- 7068 * sensitive choices) as the previous authentication attempt, which stored 7069 * information in the passed-in ccache. 7070 * 7071 * @version New in 1.11 7072 */ 7073 krb5_error_code KRB5_CALLCONV 7074 krb5_get_init_creds_opt_set_in_ccache(krb5_context context, 7075 krb5_get_init_creds_opt *opt, 7076 krb5_ccache ccache); 7077 7078 /** 7079 * Set an output credential cache in initial credential options. 7080 * 7081 * @param [in] context Library context 7082 * @param [in] opt Options 7083 * @param [in] ccache Credential cache handle 7084 * 7085 * If an output credential cache is set, then the krb5_get_init_creds family of 7086 * APIs will write credentials to it. Setting an output ccache is desirable 7087 * both because it simplifies calling code and because it permits the 7088 * krb5_get_init_creds APIs to write out configuration information about the 7089 * realm to the ccache. 7090 */ 7091 krb5_error_code KRB5_CALLCONV 7092 krb5_get_init_creds_opt_set_out_ccache(krb5_context context, 7093 krb5_get_init_creds_opt *opt, 7094 krb5_ccache ccache); 7095 7096 /** 7097 * @brief Ask the KDC to include or not include a PAC in the ticket 7098 * 7099 * @param [in] context Library context 7100 * @param [in] opt Options structure 7101 * @param [in] req_pac Whether to request a PAC or not 7102 * 7103 * If this option is set, the AS request will include a PAC-REQUEST pa-data 7104 * item explicitly asking the KDC to either include or not include a privilege 7105 * attribute certificate in the ticket authorization data. By default, no 7106 * request is made; typically the KDC will default to including a PAC if it 7107 * supports them. 7108 * 7109 * @version New in 1.15 7110 */ 7111 krb5_error_code KRB5_CALLCONV 7112 krb5_get_init_creds_opt_set_pac_request(krb5_context context, 7113 krb5_get_init_creds_opt *opt, 7114 krb5_boolean req_pac); 7115 7116 /** 7117 * Set FAST flags in initial credential options. 7118 * 7119 * @param [in] context Library context 7120 * @param [in] opt Options 7121 * @param [in] flags FAST flags 7122 * 7123 * The following flag values are valid: 7124 * @li #KRB5_FAST_REQUIRED - Require FAST to be used 7125 * 7126 * @retval 7127 * 0 - Success; Kerberos errors otherwise. 7128 */ 7129 krb5_error_code KRB5_CALLCONV 7130 krb5_get_init_creds_opt_set_fast_flags(krb5_context context, 7131 krb5_get_init_creds_opt *opt, 7132 krb5_flags flags); 7133 7134 /** 7135 * Retrieve FAST flags from initial credential options. 7136 * 7137 * @param [in] context Library context 7138 * @param [in] opt Options 7139 * @param [out] out_flags FAST flags 7140 * 7141 * @retval 7142 * 0 - Success; Kerberos errors otherwise. 7143 */ 7144 krb5_error_code KRB5_CALLCONV 7145 krb5_get_init_creds_opt_get_fast_flags(krb5_context context, 7146 krb5_get_init_creds_opt *opt, 7147 krb5_flags *out_flags); 7148 7149 /* Fast flags*/ 7150 #define KRB5_FAST_REQUIRED 0x0001 /**< Require KDC to support FAST*/ 7151 7152 typedef void 7153 (KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data, 7154 krb5_timestamp password_expiration, 7155 krb5_timestamp account_expiration, 7156 krb5_boolean is_last_req); 7157 7158 /** 7159 * Set an expiration callback in initial credential options. 7160 * 7161 * @param [in] context Library context 7162 * @param [in] opt Options structure 7163 * @param [in] cb Callback function 7164 * @param [in] data Callback argument 7165 * 7166 * Set a callback to receive password and account expiration times. 7167 * 7168 * @a cb will be invoked if and only if credentials are successfully acquired. 7169 * The callback will receive the @a context from the calling function and the 7170 * @a data argument supplied with this API. The remaining arguments should be 7171 * interpreted as follows: 7172 * 7173 * If @a is_last_req is true, then the KDC reply contained last-req entries 7174 * which unambiguously indicated the password expiration, account expiration, 7175 * or both. (If either value was not present, the corresponding argument will 7176 * be 0.) Furthermore, a non-zero @a password_expiration should be taken as a 7177 * suggestion from the KDC that a warning be displayed. 7178 * 7179 * If @a is_last_req is false, then @a account_expiration will be 0 and @a 7180 * password_expiration will contain the expiration time of either the password 7181 * or account, or 0 if no expiration time was indicated in the KDC reply. The 7182 * callback should independently decide whether to display a password 7183 * expiration warning. 7184 * 7185 * Note that @a cb may be invoked even if credentials are being acquired for 7186 * the kadmin/changepw service in order to change the password. It is the 7187 * caller's responsibility to avoid displaying a password expiry warning in 7188 * this case. 7189 * 7190 * @warning Setting an expire callback with this API will cause 7191 * krb5_get_init_creds_password() not to send password expiry warnings to the 7192 * prompter, as it ordinarily may. 7193 * 7194 * @version New in 1.9 7195 */ 7196 krb5_error_code KRB5_CALLCONV 7197 krb5_get_init_creds_opt_set_expire_callback(krb5_context context, 7198 krb5_get_init_creds_opt *opt, 7199 krb5_expire_callback_func cb, 7200 void *data); 7201 7202 /** 7203 * Set the responder function in initial credential options. 7204 * 7205 * @param [in] context Library context 7206 * @param [in] opt Options structure 7207 * @param [in] responder Responder function 7208 * @param [in] data Responder data argument 7209 * 7210 * @version New in 1.11 7211 */ 7212 krb5_error_code KRB5_CALLCONV 7213 krb5_get_init_creds_opt_set_responder(krb5_context context, 7214 krb5_get_init_creds_opt *opt, 7215 krb5_responder_fn responder, void *data); 7216 7217 /** 7218 * Get initial credentials using a password. 7219 * 7220 * @param [in] context Library context 7221 * @param [out] creds New credentials 7222 * @param [in] client Client principal 7223 * @param [in] password Password (or NULL) 7224 * @param [in] prompter Prompter function 7225 * @param [in] data Prompter callback data 7226 * @param [in] start_time Time when ticket becomes valid (0 for now) 7227 * @param [in] in_tkt_service Service name of initial credentials (or NULL) 7228 * @param [in] k5_gic_options Initial credential options 7229 * 7230 * This function requests KDC for an initial credentials for @a client using @a 7231 * password. If @a password is NULL, a password will be prompted for using @a 7232 * prompter if necessary. If @a in_tkt_service is specified, it is parsed as a 7233 * principal name (with the realm ignored) and used as the service principal 7234 * for the request; otherwise the ticket-granting service is used. 7235 * 7236 * @sa krb5_verify_init_creds() 7237 * 7238 * @retval 7239 * 0 Success 7240 * @retval 7241 * EINVAL Invalid argument 7242 * @retval 7243 * KRB5_KDC_UNREACH Cannot contact any KDC for requested realm 7244 * @retval 7245 * KRB5_PREAUTH_FAILED Generic Pre-athentication failure 7246 * @retval 7247 * KRB5_LIBOS_PWDINTR Password read interrupted 7248 * @retval 7249 * KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm 7250 * @retval 7251 * KRB5KDC_ERR_KEY_EXP Password has expired 7252 * @retval 7253 * KRB5_LIBOS_BADPWDMATCH Password mismatch 7254 * @retval 7255 * KRB5_CHPW_PWDNULL New password cannot be zero length 7256 * @retval 7257 * KRB5_CHPW_FAIL Password change failed 7258 * @return 7259 * Kerberos error codes 7260 */ 7261 krb5_error_code KRB5_CALLCONV 7262 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, 7263 krb5_principal client, const char *password, 7264 krb5_prompter_fct prompter, void *data, 7265 krb5_deltat start_time, 7266 const char *in_tkt_service, 7267 krb5_get_init_creds_opt *k5_gic_options); 7268 7269 /** 7270 * Retrieve enctype, salt and s2kparams from KDC 7271 * 7272 * @param [in] context Library context 7273 * @param [in] principal Principal whose information is requested 7274 * @param [in] opt Initial credential options 7275 * @param [out] enctype_out The enctype chosen by KDC 7276 * @param [out] salt_out Salt returned from KDC 7277 * @param [out] s2kparams_out String-to-key parameters returned from KDC 7278 * 7279 * Send an initial ticket request for @a principal and extract the encryption 7280 * type, salt type, and string-to-key parameters from the KDC response. If the 7281 * KDC provides no etype-info, set @a enctype_out to @c ENCTYPE_NULL and set @a 7282 * salt_out and @a s2kparams_out to empty. If the KDC etype-info provides no 7283 * salt, compute the default salt and place it in @a salt_out. If the KDC 7284 * etype-info provides no string-to-key parameters, set @a s2kparams_out to 7285 * empty. 7286 * 7287 * @a opt may be used to specify options which affect the initial request, such 7288 * as request encryption types or a FAST armor cache (see 7289 * krb5_get_init_creds_opt_set_etype_list() and 7290 * krb5_get_init_creds_opt_set_fast_ccache_name()). 7291 * 7292 * Use krb5_free_data_contents() to free @a salt_out and @a s2kparams_out when 7293 * they are no longer needed. 7294 * 7295 * @version New in 1.17 7296 * 7297 * @retval 0 Success 7298 * @return A Kerberos error code 7299 */ 7300 krb5_error_code KRB5_CALLCONV 7301 krb5_get_etype_info(krb5_context context, krb5_principal principal, 7302 krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, 7303 krb5_data *salt_out, krb5_data *s2kparams_out); 7304 7305 struct _krb5_init_creds_context; 7306 typedef struct _krb5_init_creds_context *krb5_init_creds_context; 7307 7308 #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ 7309 7310 /** 7311 * Free an initial credentials context. 7312 * 7313 * @param [in] context Library context 7314 * @param [in] ctx Initial credentials context 7315 * 7316 * @a context must be the same as the one passed to krb5_init_creds_init() for 7317 * this initial credentials context. 7318 */ 7319 void KRB5_CALLCONV 7320 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); 7321 7322 /** 7323 * Acquire credentials using an initial credentials context. 7324 * 7325 * @param [in] context Library context 7326 * @param [in] ctx Initial credentials context 7327 * 7328 * This function synchronously obtains credentials using a context created by 7329 * krb5_init_creds_init(). On successful return, the credentials can be 7330 * retrieved with krb5_init_creds_get_creds(). 7331 * 7332 * @a context must be the same as the one passed to krb5_init_creds_init() for 7333 * this initial credentials context. 7334 * 7335 * @retval 0 Success; otherwise - Kerberos error codes 7336 */ 7337 krb5_error_code KRB5_CALLCONV 7338 krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx); 7339 7340 /** 7341 * Retrieve acquired credentials from an initial credentials context. 7342 * 7343 * @param [in] context Library context 7344 * @param [in] ctx Initial credentials context 7345 * @param [out] creds Acquired credentials 7346 * 7347 * This function copies the acquired initial credentials from @a ctx into @a 7348 * creds, after the successful completion of krb5_init_creds_get() or 7349 * krb5_init_creds_step(). Use krb5_free_cred_contents() to free @a creds when 7350 * it is no longer needed. 7351 * 7352 * @retval 0 Success; otherwise - Kerberos error codes 7353 */ 7354 krb5_error_code KRB5_CALLCONV 7355 krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, 7356 krb5_creds *creds); 7357 7358 /** 7359 * Get the last error from KDC from an initial credentials context. 7360 * 7361 * @param [in] context Library context 7362 * @param [in] ctx Initial credentials context 7363 * @param [out] error Error from KDC, or NULL if none was received 7364 * 7365 * @retval 0 Success; otherwise - Kerberos error codes 7366 */ 7367 krb5_error_code KRB5_CALLCONV 7368 krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, 7369 krb5_error **error); 7370 7371 /** 7372 * Create a context for acquiring initial credentials. 7373 * 7374 * @param [in] context Library context 7375 * @param [in] client Client principal to get initial creds for 7376 * @param [in] prompter Prompter callback 7377 * @param [in] data Prompter callback argument 7378 * @param [in] start_time Time when credentials become valid (0 for now) 7379 * @param [in] options Options structure (NULL for default) 7380 * @param [out] ctx New initial credentials context 7381 * 7382 * This function creates a new context for acquiring initial credentials. Use 7383 * krb5_init_creds_free() to free @a ctx when it is no longer needed. 7384 * 7385 * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or 7386 * krb5_init_creds_free() for this initial credentials context must use the 7387 * same @a context argument as the one passed to this function. 7388 * 7389 * @retval 0 Success; otherwise - Kerberos error codes 7390 */ 7391 krb5_error_code KRB5_CALLCONV 7392 krb5_init_creds_init(krb5_context context, krb5_principal client, 7393 krb5_prompter_fct prompter, void *data, 7394 krb5_deltat start_time, krb5_get_init_creds_opt *options, 7395 krb5_init_creds_context *ctx); 7396 7397 /** 7398 * Specify a keytab to use for acquiring initial credentials. 7399 * 7400 * @param [in] context Library context 7401 * @param [in] ctx Initial credentials context 7402 * @param [in] keytab Key table handle 7403 * 7404 * This function supplies a keytab containing the client key for an initial 7405 * credentials request. 7406 * 7407 * @retval 0 Success; otherwise - Kerberos error codes 7408 */ 7409 krb5_error_code KRB5_CALLCONV 7410 krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, 7411 krb5_keytab keytab); 7412 7413 /** 7414 * Get the next KDC request for acquiring initial credentials. 7415 * 7416 * @param [in] context Library context 7417 * @param [in] ctx Initial credentials context 7418 * @param [in] in KDC response (empty on the first call) 7419 * @param [out] out Next KDC request 7420 * @param [out] realm Realm for next KDC request 7421 * @param [out] flags Output flags 7422 * 7423 * This function constructs the next KDC request in an initial credential 7424 * exchange, allowing the caller to control the transport of KDC requests and 7425 * replies. On the first call, @a in should be set to an empty buffer; on 7426 * subsequent calls, it should be set to the KDC's reply to the previous 7427 * request. 7428 * 7429 * If more requests are needed, @a flags will be set to 7430 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in 7431 * @a out. If no more requests are needed, @a flags will not contain 7432 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. 7433 * 7434 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should 7435 * transmit the next request using TCP rather than UDP. If this function 7436 * returns any other error, the initial credential exchange has failed. 7437 * 7438 * @a context must be the same as the one passed to krb5_init_creds_init() for 7439 * this initial credentials context. 7440 * 7441 * @retval 0 Success; otherwise - Kerberos error codes 7442 */ 7443 krb5_error_code KRB5_CALLCONV 7444 krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, 7445 krb5_data *in, krb5_data *out, krb5_data *realm, 7446 unsigned int *flags); 7447 7448 /** 7449 * Set a password for acquiring initial credentials. 7450 * 7451 * @param [in] context Library context 7452 * @param [in] ctx Initial credentials context 7453 * @param [in] password Password 7454 * 7455 * This function supplies a password to be used to construct the client key for 7456 * an initial credentials request. 7457 * 7458 * @retval 0 Success; otherwise - Kerberos error codes 7459 */ 7460 krb5_error_code KRB5_CALLCONV 7461 krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, 7462 const char *password); 7463 7464 /** 7465 * Specify a service principal for acquiring initial credentials. 7466 * 7467 * @param [in] context Library context 7468 * @param [in] ctx Initial credentials context 7469 * @param [in] service Service principal string 7470 * 7471 * This function supplies a service principal string to acquire initial 7472 * credentials for instead of the default krbtgt service. @a service is parsed 7473 * as a principal name; any realm part is ignored. 7474 * 7475 * @retval 0 Success; otherwise - Kerberos error codes 7476 */ 7477 krb5_error_code KRB5_CALLCONV 7478 krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, 7479 const char *service); 7480 7481 /** 7482 * Retrieve ticket times from an initial credentials context. 7483 * 7484 * @param [in] context Library context 7485 * @param [in] ctx Initial credentials context 7486 * @param [out] times Ticket times for acquired credentials 7487 * 7488 * The initial credentials context must have completed obtaining credentials 7489 * via either krb5_init_creds_get() or krb5_init_creds_step(). 7490 * 7491 * @retval 0 Success; otherwise - Kerberos error codes 7492 */ 7493 krb5_error_code KRB5_CALLCONV 7494 krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, 7495 krb5_ticket_times *times); 7496 7497 struct _krb5_tkt_creds_context; 7498 typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context; 7499 7500 /** 7501 * Create a context to get credentials from a KDC's Ticket Granting Service. 7502 * 7503 * @param[in] context Library context 7504 * @param[in] ccache Credential cache handle 7505 * @param[in] creds Input credentials 7506 * @param[in] options Options (see KRB5_GC macros) 7507 * @param[out] ctx New TGS request context 7508 * 7509 * This function prepares to obtain credentials matching @a creds, either by 7510 * retrieving them from @a ccache or by making requests to ticket-granting 7511 * services beginning with a ticket-granting ticket for the client principal's 7512 * realm. 7513 * 7514 * The resulting TGS acquisition context can be used asynchronously with 7515 * krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also 7516 * krb5_get_credentials() for synchronous use. 7517 * 7518 * Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed. 7519 * 7520 * @version New in 1.9 7521 * 7522 * @retval 0 Success; otherwise - Kerberos error codes 7523 */ 7524 krb5_error_code KRB5_CALLCONV 7525 krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, 7526 krb5_creds *creds, krb5_flags options, 7527 krb5_tkt_creds_context *ctx); 7528 7529 /** 7530 * Synchronously obtain credentials using a TGS request context. 7531 * 7532 * @param[in] context Library context 7533 * @param[in] ctx TGS request context 7534 * 7535 * This function synchronously obtains credentials using a context created by 7536 * krb5_tkt_creds_init(). On successful return, the credentials can be 7537 * retrieved with krb5_tkt_creds_get_creds(). 7538 * 7539 * @version New in 1.9 7540 * 7541 * @retval 0 Success; otherwise - Kerberos error codes 7542 */ 7543 krb5_error_code KRB5_CALLCONV 7544 krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx); 7545 7546 /** 7547 * Retrieve acquired credentials from a TGS request context. 7548 * 7549 * @param[in] context Library context 7550 * @param[in] ctx TGS request context 7551 * @param[out] creds Acquired credentials 7552 * 7553 * This function copies the acquired initial credentials from @a ctx into @a 7554 * creds, after the successful completion of krb5_tkt_creds_get() or 7555 * krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when 7556 * it is no longer needed. 7557 * 7558 * @version New in 1.9 7559 * 7560 * @retval 0 Success; otherwise - Kerberos error codes 7561 */ 7562 krb5_error_code KRB5_CALLCONV 7563 krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, 7564 krb5_creds *creds); 7565 7566 /** 7567 * Free a TGS request context. 7568 * 7569 * @param[in] context Library context 7570 * @param[in] ctx TGS request context 7571 * 7572 * @version New in 1.9 7573 */ 7574 void KRB5_CALLCONV 7575 krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx); 7576 7577 #define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ 7578 7579 /** 7580 * Get the next KDC request in a TGS exchange. 7581 * 7582 * @param[in] context Library context 7583 * @param[in] ctx TGS request context 7584 * @param[in] in KDC response (empty on the first call) 7585 * @param[out] out Next KDC request 7586 * @param[out] realm Realm for next KDC request 7587 * @param[out] flags Output flags 7588 * 7589 * This function constructs the next KDC request for a TGS exchange, allowing 7590 * the caller to control the transport of KDC requests and replies. On the 7591 * first call, @a in should be set to an empty buffer; on subsequent calls, it 7592 * should be set to the KDC's reply to the previous request. 7593 * 7594 * If more requests are needed, @a flags will be set to 7595 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in @a 7596 * out. If no more requests are needed, @a flags will not contain 7597 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. 7598 * 7599 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should 7600 * transmit the next request using TCP rather than UDP. If this function 7601 * returns any other error, the TGS exchange has failed. 7602 * 7603 * @version New in 1.9 7604 * 7605 * @retval 0 Success; otherwise - Kerberos error codes 7606 */ 7607 krb5_error_code KRB5_CALLCONV 7608 krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, 7609 krb5_data *in, krb5_data *out, krb5_data *realm, 7610 unsigned int *flags); 7611 7612 /** 7613 * Retrieve ticket times from a TGS request context. 7614 * 7615 * @param[in] context Library context 7616 * @param[in] ctx TGS request context 7617 * @param[out] times Ticket times for acquired credentials 7618 * 7619 * The TGS request context must have completed obtaining credentials via either 7620 * krb5_tkt_creds_get() or krb5_tkt_creds_step(). 7621 * 7622 * @version New in 1.9 7623 * 7624 * @retval 0 Success; otherwise - Kerberos error codes 7625 */ 7626 krb5_error_code KRB5_CALLCONV 7627 krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, 7628 krb5_ticket_times *times); 7629 7630 /** 7631 * Get initial credentials using a key table. 7632 * 7633 * @param [in] context Library context 7634 * @param [out] creds New credentials 7635 * @param [in] client Client principal 7636 * @param [in] arg_keytab Key table handle 7637 * @param [in] start_time Time when ticket becomes valid (0 for now) 7638 * @param [in] in_tkt_service Service name of initial credentials (or NULL) 7639 * @param [in] k5_gic_options Initial credential options 7640 * 7641 * This function requests KDC for an initial credentials for @a client using a 7642 * client key stored in @a arg_keytab. If @a in_tkt_service is specified, it 7643 * is parsed as a principal name (with the realm ignored) and used as the 7644 * service principal for the request; otherwise the ticket-granting service is 7645 * used. 7646 * 7647 * @sa krb5_verify_init_creds() 7648 * 7649 * @retval 7650 * 0 Success 7651 * @return 7652 * Kerberos error codes 7653 */ 7654 krb5_error_code KRB5_CALLCONV 7655 krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds, 7656 krb5_principal client, krb5_keytab arg_keytab, 7657 krb5_deltat start_time, const char *in_tkt_service, 7658 krb5_get_init_creds_opt *k5_gic_options); 7659 7660 typedef struct _krb5_verify_init_creds_opt { 7661 krb5_flags flags; 7662 int ap_req_nofail; /**< boolean */ 7663 } krb5_verify_init_creds_opt; 7664 7665 #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 7666 7667 /** 7668 * Initialize a credential verification options structure. 7669 * 7670 * @param [in] k5_vic_options Verification options structure 7671 */ 7672 void KRB5_CALLCONV 7673 krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options); 7674 7675 /** 7676 * Set whether credential verification is required. 7677 * 7678 * @param [in] k5_vic_options Verification options structure 7679 * @param [in] ap_req_nofail Whether to require successful verification 7680 * 7681 * This function determines how krb5_verify_init_creds() behaves if no keytab 7682 * information is available. If @a ap_req_nofail is @c FALSE, verification 7683 * will be skipped in this case and krb5_verify_init_creds() will return 7684 * successfully. If @a ap_req_nofail is @c TRUE, krb5_verify_init_creds() will 7685 * not return successfully unless verification can be performed. 7686 * 7687 * If this function is not used, the behavior of krb5_verify_init_creds() is 7688 * determined through configuration. 7689 */ 7690 void KRB5_CALLCONV 7691 krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, 7692 int ap_req_nofail); 7693 7694 /** 7695 * Verify initial credentials against a keytab. 7696 * 7697 * @param [in] context Library context 7698 * @param [in] creds Initial credentials to be verified 7699 * @param [in] server Server principal (or NULL) 7700 * @param [in] keytab Key table (NULL to use default keytab) 7701 * @param [in] ccache Credential cache for fetched creds (or NULL) 7702 * @param [in] options Verification options (NULL for default options) 7703 * 7704 * This function attempts to verify that @a creds were obtained from a KDC with 7705 * knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL. 7706 * If @a server is provided, the highest-kvno key entry for that principal name 7707 * is used to verify the credentials; otherwise, all unique "host" service 7708 * principals in the keytab are tried. 7709 * 7710 * If the specified keytab does not exist, or is empty, or cannot be read, or 7711 * does not contain an entry for @a server, then credential verification may be 7712 * skipped unless configuration demands that it succeed. The caller can 7713 * control this behavior by providing a verification options structure; see 7714 * krb5_verify_init_creds_opt_init() and 7715 * krb5_verify_init_creds_opt_set_ap_req_nofail(). 7716 * 7717 * If @a ccache is NULL, any additional credentials fetched during the 7718 * verification process will be destroyed. If @a ccache points to NULL, a 7719 * memory ccache will be created for the additional credentials and returned in 7720 * @a ccache. If @a ccache points to a valid credential cache handle, the 7721 * additional credentials will be stored in that cache. 7722 * 7723 * @retval 0 Success; otherwise - Kerberos error codes 7724 */ 7725 krb5_error_code KRB5_CALLCONV 7726 krb5_verify_init_creds(krb5_context context, krb5_creds *creds, 7727 krb5_principal server, krb5_keytab keytab, 7728 krb5_ccache *ccache, 7729 krb5_verify_init_creds_opt *options); 7730 7731 /** 7732 * Get validated credentials from the KDC. 7733 * 7734 * @param [in] context Library context 7735 * @param [out] creds Validated credentials 7736 * @param [in] client Client principal name 7737 * @param [in] ccache Credential cache 7738 * @param [in] in_tkt_service Server principal string (or NULL) 7739 * 7740 * This function gets a validated credential using a postdated credential from 7741 * @a ccache. If @a in_tkt_service is specified, it is parsed (with the realm 7742 * part ignored) and used as the server principal of the credential; 7743 * otherwise, the ticket-granting service is used. 7744 * 7745 * If successful, the validated credential is placed in @a creds. 7746 * 7747 * @sa krb5_get_renewed_creds() 7748 * 7749 * @retval 7750 * 0 Success 7751 * @retval 7752 * KRB5_NO_2ND_TKT Request missing second ticket 7753 * @retval 7754 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket 7755 * @retval 7756 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match 7757 * @retval 7758 * KRB5_KDCREP_MODIFIED KDC reply did not match expectations 7759 * @retval 7760 * KRB5_KDCREP_SKEW Clock skew too great in KDC reply 7761 * @return 7762 * Kerberos error codes 7763 */ 7764 krb5_error_code KRB5_CALLCONV 7765 krb5_get_validated_creds(krb5_context context, krb5_creds *creds, 7766 krb5_principal client, krb5_ccache ccache, 7767 const char *in_tkt_service); 7768 7769 /** 7770 * Get renewed credential from KDC using an existing credential. 7771 * 7772 * @param [in] context Library context 7773 * @param [out] creds Renewed credentials 7774 * @param [in] client Client principal name 7775 * @param [in] ccache Credential cache 7776 * @param [in] in_tkt_service Server principal string (or NULL) 7777 * 7778 * This function gets a renewed credential using an existing one from @a 7779 * ccache. If @a in_tkt_service is specified, it is parsed (with the realm 7780 * part ignored) and used as the server principal of the credential; otherwise, 7781 * the ticket-granting service is used. 7782 * 7783 * If successful, the renewed credential is placed in @a creds. 7784 * 7785 * @retval 7786 * 0 Success 7787 * @return 7788 * Kerberos error codes 7789 */ 7790 krb5_error_code KRB5_CALLCONV 7791 krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, 7792 krb5_principal client, krb5_ccache ccache, 7793 const char *in_tkt_service); 7794 7795 /** 7796 * Decode an ASN.1-formatted ticket. 7797 * 7798 * @param [in] code ASN.1-formatted ticket 7799 * @param [out] rep Decoded ticket information 7800 * 7801 * @retval 0 Success; otherwise - Kerberos error codes 7802 */ 7803 krb5_error_code KRB5_CALLCONV 7804 krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep); 7805 7806 /** 7807 * Retrieve a string value from the appdefaults section of krb5.conf. 7808 * 7809 * @param [in] context Library context 7810 * @param [in] appname Application name 7811 * @param [in] realm Realm name 7812 * @param [in] option Option to be checked 7813 * @param [in] default_value Default value to return if no match is found 7814 * @param [out] ret_value String value of @a option 7815 * 7816 * This function gets the application defaults for @a option based on the given 7817 * @a appname and/or @a realm. 7818 * 7819 * @sa krb5_appdefault_boolean() 7820 */ 7821 void KRB5_CALLCONV 7822 krb5_appdefault_string(krb5_context context, const char *appname, 7823 const krb5_data *realm, const char *option, 7824 const char *default_value, char ** ret_value); 7825 7826 /** 7827 * Retrieve a boolean value from the appdefaults section of krb5.conf. 7828 * 7829 * @param [in] context Library context 7830 * @param [in] appname Application name 7831 * @param [in] realm Realm name 7832 * @param [in] option Option to be checked 7833 * @param [in] default_value Default value to return if no match is found 7834 * @param [out] ret_value Boolean value of @a option 7835 * 7836 * This function gets the application defaults for @a option based on the given 7837 * @a appname and/or @a realm. 7838 * 7839 * @sa krb5_appdefault_string() 7840 */ 7841 void KRB5_CALLCONV 7842 krb5_appdefault_boolean(krb5_context context, const char *appname, 7843 const krb5_data *realm, const char *option, 7844 int default_value, int *ret_value); 7845 7846 /* 7847 * Prompter enhancements 7848 */ 7849 /** Prompt for password */ 7850 #define KRB5_PROMPT_TYPE_PASSWORD 0x1 7851 /** Prompt for new password (during password change) */ 7852 #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2 7853 /** Prompt for new password again */ 7854 #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3 7855 /** Prompt for preauthentication data (such as an OTP value) */ 7856 #define KRB5_PROMPT_TYPE_PREAUTH 0x4 7857 7858 typedef krb5_int32 krb5_prompt_type; 7859 7860 /** 7861 * Get prompt types array from a context. 7862 * 7863 * @param [in] context Library context 7864 * 7865 * @return 7866 * Pointer to an array of prompt types corresponding to the prompter's @a 7867 * prompts arguments. Each type has one of the following values: 7868 * @li #KRB5_PROMPT_TYPE_PASSWORD 7869 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD 7870 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 7871 * @li #KRB5_PROMPT_TYPE_PREAUTH 7872 */ 7873 krb5_prompt_type* KRB5_CALLCONV 7874 krb5_get_prompt_types(krb5_context context); 7875 7876 /* Error reporting */ 7877 /** 7878 * Set an extended error message for an error code. 7879 * 7880 * @param [in] ctx Library context 7881 * @param [in] code Error code 7882 * @param [in] fmt Error string for the error code 7883 * @param [in] ... printf(3) style parameters 7884 */ 7885 void KRB5_CALLCONV_C 7886 krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...) 7887 #if !defined(__cplusplus) && (__GNUC__ > 2) 7888 __attribute__((__format__(__printf__, 3, 4))) 7889 #endif 7890 ; 7891 7892 /** 7893 * Set an extended error message for an error code using a va_list. 7894 * 7895 * @param [in] ctx Library context 7896 * @param [in] code Error code 7897 * @param [in] fmt Error string for the error code 7898 * @param [in] args List of vprintf(3) style arguments 7899 */ 7900 void KRB5_CALLCONV 7901 krb5_vset_error_message(krb5_context ctx, krb5_error_code code, 7902 const char *fmt, va_list args) 7903 #if !defined(__cplusplus) && (__GNUC__ > 2) 7904 __attribute__((__format__(__printf__, 3, 0))) 7905 #endif 7906 ; 7907 7908 /** 7909 * Add a prefix to the message for an error code. 7910 * 7911 * @param [in] ctx Library context 7912 * @param [in] code Error code 7913 * @param [in] fmt Format string for error message prefix 7914 * @param [in] ... printf(3) style parameters 7915 * 7916 * Format a message and prepend it to the current message for @a code. The 7917 * prefix will be separated from the old message with a colon and space. 7918 */ 7919 void KRB5_CALLCONV_C 7920 krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, 7921 const char *fmt, ...) 7922 #if !defined(__cplusplus) && (__GNUC__ > 2) 7923 __attribute__((__format__(__printf__, 3, 4))) 7924 #endif 7925 ; 7926 7927 /** 7928 * Add a prefix to the message for an error code using a va_list. 7929 * 7930 * @param [in] ctx Library context 7931 * @param [in] code Error code 7932 * @param [in] fmt Format string for error message prefix 7933 * @param [in] args List of vprintf(3) style arguments 7934 * 7935 * This function is similar to krb5_prepend_error_message(), but uses a 7936 * va_list instead of variadic arguments. 7937 */ 7938 void KRB5_CALLCONV 7939 krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, 7940 const char *fmt, va_list args) 7941 #if !defined(__cplusplus) && (__GNUC__ > 2) 7942 __attribute__((__format__(__printf__, 3, 0))) 7943 #endif 7944 ; 7945 7946 /** 7947 * Add a prefix to a different error code's message. 7948 * 7949 * @param [in] ctx Library context 7950 * @param [in] old_code Previous error code 7951 * @param [in] code Error code 7952 * @param [in] fmt Format string for error message prefix 7953 * @param [in] ... printf(3) style parameters 7954 * 7955 * Format a message and prepend it to the message for @a old_code. The prefix 7956 * will be separated from the old message with a colon and space. Set the 7957 * resulting message as the extended error message for @a code. 7958 */ 7959 void KRB5_CALLCONV_C 7960 krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, 7961 krb5_error_code code, const char *fmt, ...) 7962 #if !defined(__cplusplus) && (__GNUC__ > 2) 7963 __attribute__((__format__(__printf__, 4, 5))) 7964 #endif 7965 ; 7966 7967 /** 7968 * Add a prefix to a different error code's message using a va_list. 7969 * 7970 * @param [in] ctx Library context 7971 * @param [in] old_code Previous error code 7972 * @param [in] code Error code 7973 * @param [in] fmt Format string for error message prefix 7974 * @param [in] args List of vprintf(3) style arguments 7975 * 7976 * This function is similar to krb5_wrap_error_message(), but uses a 7977 * va_list instead of variadic arguments. 7978 */ 7979 void KRB5_CALLCONV 7980 krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, 7981 krb5_error_code code, const char *fmt, va_list args) 7982 #if !defined(__cplusplus) && (__GNUC__ > 2) 7983 __attribute__((__format__(__printf__, 4, 0))) 7984 #endif 7985 ; 7986 7987 /** 7988 * Copy the most recent extended error message from one context to another. 7989 * 7990 * @param [in] dest_ctx Library context to copy message to 7991 * @param [in] src_ctx Library context with current message 7992 */ 7993 void KRB5_CALLCONV 7994 krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx); 7995 7996 /** 7997 * Get the (possibly extended) error message for a code. 7998 * 7999 * @param [in] ctx Library context 8000 * @param [in] code Error code 8001 * 8002 * The behavior of krb5_get_error_message() is only defined the first time it 8003 * is called after a failed call to a krb5 function using the same context, and 8004 * only when the error code passed in is the same as that returned by the krb5 8005 * function. 8006 * 8007 * This function never returns NULL, so its result may be used unconditionally 8008 * as a C string. 8009 * 8010 * The string returned by this function must be freed using 8011 * krb5_free_error_message() 8012 * 8013 * @note Future versions may return the same string for the second 8014 * and following calls. 8015 */ 8016 const char * KRB5_CALLCONV 8017 krb5_get_error_message(krb5_context ctx, krb5_error_code code); 8018 8019 /** 8020 * Free an error message generated by krb5_get_error_message(). 8021 * 8022 * @param [in] ctx Library context 8023 * @param [in] msg Pointer to error message 8024 */ 8025 void KRB5_CALLCONV 8026 krb5_free_error_message(krb5_context ctx, const char *msg); 8027 8028 /** 8029 * Clear the extended error message in a context. 8030 * 8031 * @param [in] ctx Library context 8032 * 8033 * This function unsets the extended error message in a context, to ensure that 8034 * it is not mistakenly applied to another occurrence of the same error code. 8035 */ 8036 void KRB5_CALLCONV 8037 krb5_clear_error_message(krb5_context ctx); 8038 8039 /** 8040 * Unwrap authorization data. 8041 * 8042 * @param [in] context Library context 8043 * @param [in] type Container type (see KRB5_AUTHDATA macros) 8044 * @param [in] container Authorization data to be decoded 8045 * @param [out] authdata List of decoded authorization data 8046 * 8047 * @sa krb5_encode_authdata_container() 8048 * 8049 * @retval 0 Success; otherwise - Kerberos error codes 8050 */ 8051 krb5_error_code KRB5_CALLCONV 8052 krb5_decode_authdata_container(krb5_context context, 8053 krb5_authdatatype type, 8054 const krb5_authdata *container, 8055 krb5_authdata ***authdata); 8056 /** 8057 * Wrap authorization data in a container. 8058 * 8059 * @param [in] context Library context 8060 * @param [in] type Container type (see KRB5_AUTHDATA macros) 8061 * @param [in] authdata List of authorization data to be encoded 8062 * @param [out] container List of encoded authorization data 8063 * 8064 * The result is returned in @a container as a single-element list. 8065 * 8066 * @sa krb5_decode_authdata_container() 8067 * 8068 * @retval 0 Success; otherwise - Kerberos error codes 8069 */ 8070 krb5_error_code KRB5_CALLCONV 8071 krb5_encode_authdata_container(krb5_context context, 8072 krb5_authdatatype type, 8073 krb5_authdata * const*authdata, 8074 krb5_authdata ***container); 8075 8076 /* 8077 * AD-KDCIssued 8078 */ 8079 /** 8080 * Encode and sign AD-KDCIssued authorization data. 8081 * 8082 * @param [in] context Library context 8083 * @param [in] key Session key 8084 * @param [in] issuer The name of the issuing principal 8085 * @param [in] authdata List of authorization data to be signed 8086 * @param [out] ad_kdcissued List containing AD-KDCIssued authdata 8087 * 8088 * This function wraps a list of authorization data entries @a authdata in an 8089 * AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with @a key. 8090 * The result is returned in @a ad_kdcissued as a single-element list. 8091 */ 8092 krb5_error_code KRB5_CALLCONV 8093 krb5_make_authdata_kdc_issued(krb5_context context, 8094 const krb5_keyblock *key, 8095 krb5_const_principal issuer, 8096 krb5_authdata *const *authdata, 8097 krb5_authdata ***ad_kdcissued); 8098 8099 /** 8100 * Unwrap and verify AD-KDCIssued authorization data. 8101 * 8102 * @param [in] context Library context 8103 * @param [in] key Session key 8104 * @param [in] ad_kdcissued AD-KDCIssued authorization data to be unwrapped 8105 * @param [out] issuer Name of issuing principal (or NULL) 8106 * @param [out] authdata Unwrapped list of authorization data 8107 * 8108 * This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 8109 * 5.2.6.2) and verifies its signature against @a key. The issuer field of the 8110 * authdatum element is returned in @a issuer, and the unwrapped list of 8111 * authdata is returned in @a authdata. 8112 */ 8113 krb5_error_code KRB5_CALLCONV 8114 krb5_verify_authdata_kdc_issued(krb5_context context, 8115 const krb5_keyblock *key, 8116 const krb5_authdata *ad_kdcissued, 8117 krb5_principal *issuer, 8118 krb5_authdata ***authdata); 8119 8120 /* 8121 * Windows PAC 8122 */ 8123 8124 /* Microsoft defined types of data */ 8125 #define KRB5_PAC_LOGON_INFO 1 /**< Logon information */ 8126 #define KRB5_PAC_CREDENTIALS_INFO 2 /**< Credentials information */ 8127 #define KRB5_PAC_SERVER_CHECKSUM 6 /**< Server checksum */ 8128 #define KRB5_PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */ 8129 #define KRB5_PAC_CLIENT_INFO 10 /**< Client name and ticket info */ 8130 #define KRB5_PAC_DELEGATION_INFO 11 /**< Constrained delegation info */ 8131 #define KRB5_PAC_UPN_DNS_INFO 12 /**< User principal name and DNS info */ 8132 #define KRB5_PAC_CLIENT_CLAIMS 13 /**< Client claims information */ 8133 #define KRB5_PAC_DEVICE_INFO 14 /**< Device information */ 8134 #define KRB5_PAC_DEVICE_CLAIMS 15 /**< Device claims information */ 8135 #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ 8136 #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ 8137 #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ 8138 #define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */ 8139 8140 struct krb5_pac_data; 8141 /** PAC data structure to convey authorization information */ 8142 typedef struct krb5_pac_data *krb5_pac; 8143 8144 /** 8145 * Add a buffer to a PAC handle. 8146 * 8147 * @param [in] context Library context 8148 * @param [in] pac PAC handle 8149 * @param [in] type Buffer type 8150 * @param [in] data contents 8151 * 8152 * This function adds a buffer of type @a type and contents @a data to @a pac 8153 * if there isn't already a buffer of this type present. 8154 * 8155 * The valid values of @a type is one of the following: 8156 * @li #KRB5_PAC_LOGON_INFO - Logon information 8157 * @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information 8158 * @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum 8159 * @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum 8160 * @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information 8161 * @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information 8162 * @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information 8163 * 8164 * @retval 0 Success; otherwise - Kerberos error codes 8165 */ 8166 krb5_error_code KRB5_CALLCONV 8167 krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, 8168 const krb5_data *data); 8169 8170 /** 8171 * Free a PAC handle. 8172 * 8173 * @param [in] context Library context 8174 * @param [in] pac PAC to be freed 8175 * 8176 * This function frees the contents of @a pac and the structure itself. 8177 */ 8178 void KRB5_CALLCONV 8179 krb5_pac_free(krb5_context context, krb5_pac pac); 8180 8181 /** 8182 * Retrieve a buffer value from a PAC. 8183 * 8184 * @param [in] context Library context 8185 * @param [in] pac PAC handle 8186 * @param [in] type Type of buffer to retrieve 8187 * @param [out] data Buffer value 8188 * 8189 * Use krb5_free_data_contents() to free @a data when it is no longer needed. 8190 * 8191 * @retval 0 Success; otherwise - Kerberos error codes 8192 */ 8193 krb5_error_code KRB5_CALLCONV 8194 krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, 8195 krb5_data *data); 8196 8197 /** 8198 * Return an array of buffer types in a PAC handle. 8199 * 8200 * @param [in] context Library context 8201 * @param [in] pac PAC handle 8202 * @param [out] len Number of entries in @a types 8203 * @param [out] types Array of buffer types 8204 * 8205 * @retval 0 Success; otherwise - Kerberos error codes 8206 */ 8207 krb5_error_code KRB5_CALLCONV 8208 krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len, 8209 krb5_ui_4 **types); 8210 8211 /** 8212 * Create an empty Privilege Attribute Certificate (PAC) handle. 8213 * 8214 * @param [in] context Library context 8215 * @param [out] pac New PAC handle 8216 * 8217 * Use krb5_pac_free() to free @a pac when it is no longer needed. 8218 * 8219 * @retval 0 Success; otherwise - Kerberos error codes 8220 */ 8221 krb5_error_code KRB5_CALLCONV 8222 krb5_pac_init(krb5_context context, krb5_pac *pac); 8223 8224 /** 8225 * Unparse an encoded PAC into a new handle. 8226 * 8227 * @param [in] context Library context 8228 * @param [in] ptr PAC buffer 8229 * @param [in] len Length of @a ptr 8230 * @param [out] pac PAC handle 8231 * 8232 * Use krb5_pac_free() to free @a pac when it is no longer needed. 8233 * 8234 * @retval 0 Success; otherwise - Kerberos error codes 8235 */ 8236 krb5_error_code KRB5_CALLCONV 8237 krb5_pac_parse(krb5_context context, const void *ptr, size_t len, 8238 krb5_pac *pac); 8239 8240 /** 8241 * Verify a PAC. 8242 * 8243 * @param [in] context Library context 8244 * @param [in] pac PAC handle 8245 * @param [in] authtime Expected timestamp 8246 * @param [in] principal Expected principal name (or NULL) 8247 * @param [in] server Key to validate server checksum (or NULL) 8248 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8249 * 8250 * This function validates @a pac against the supplied @a server, @a privsvr, 8251 * @a principal and @a authtime. If @a principal is NULL, the principal and 8252 * authtime are not verified. If @a server or @a privsvr is NULL, the 8253 * corresponding checksum is not verified. 8254 * 8255 * If successful, @a pac is marked as verified. 8256 * 8257 * @note A checksum mismatch can occur if the PAC was copied from a cross-realm 8258 * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) 8259 * generates PACs with no server checksum at all. One should consider not 8260 * failing the whole authentication because of this reason, but, instead, 8261 * treating the ticket as if it did not contain a PAC or marking the PAC 8262 * information as non-verified. 8263 * 8264 * @retval 0 Success; otherwise - Kerberos error codes 8265 */ 8266 krb5_error_code KRB5_CALLCONV 8267 krb5_pac_verify(krb5_context context, const krb5_pac pac, 8268 krb5_timestamp authtime, krb5_const_principal principal, 8269 const krb5_keyblock *server, const krb5_keyblock *privsvr); 8270 8271 /** 8272 * Verify a PAC, possibly from a specified realm. 8273 * 8274 * @param [in] context Library context 8275 * @param [in] pac PAC handle 8276 * @param [in] authtime Expected timestamp 8277 * @param [in] principal Expected principal name (or NULL) 8278 * @param [in] server Key to validate server checksum (or NULL) 8279 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8280 * @param [in] with_realm If true, expect the realm of @a principal 8281 * 8282 * This function is similar to krb5_pac_verify(), but adds a parameter 8283 * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field is 8284 * expected to include the realm of @a principal as well as the name. This 8285 * flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs. 8286 * 8287 * @version New in 1.17 8288 */ 8289 krb5_error_code KRB5_CALLCONV 8290 krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, 8291 krb5_timestamp authtime, krb5_const_principal principal, 8292 const krb5_keyblock *server, const krb5_keyblock *privsvr, 8293 krb5_boolean with_realm); 8294 8295 /** 8296 * Verify a PAC, possibly including ticket signature 8297 * 8298 * @param [in] context Library context 8299 * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC 8300 * @param [in] server_princ Canonicalized name of ticket server 8301 * @param [in] server Key to validate server checksum (or NULL) 8302 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8303 * @param [out] pac_out Verified PAC (NULL if no PAC included) 8304 * 8305 * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is 8306 * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service, 8307 * require a ticket signature over @a enc_tkt in addition to the KDC signature. 8308 * Place the verified PAC in @a pac_out. If an invalid PAC signature is found, 8309 * return an error matching the Windows KDC protocol code for that condition as 8310 * closely as possible. 8311 * 8312 * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return 8313 * successfully. 8314 * 8315 * @note This function does not validate the PAC_CLIENT_INFO buffer. If a 8316 * specific value is expected, the caller can make a separate call to 8317 * krb5_pac_verify_ext() with a principal but no keys. 8318 * 8319 * @retval 0 Success; otherwise - Kerberos error codes 8320 * 8321 * @version New in 1.20 8322 */ 8323 krb5_error_code KRB5_CALLCONV 8324 krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, 8325 krb5_const_principal server_princ, 8326 const krb5_keyblock *server, 8327 const krb5_keyblock *privsvr, krb5_pac *pac_out); 8328 8329 /** @deprecated Use krb5_kdc_sign_ticket() instead. */ 8330 krb5_error_code KRB5_CALLCONV 8331 krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, 8332 krb5_const_principal principal, const krb5_keyblock *server_key, 8333 const krb5_keyblock *privsvr_key, krb5_data *data); 8334 8335 /** @deprecated Use krb5_kdc_sign_ticket() instead. */ 8336 krb5_error_code KRB5_CALLCONV 8337 krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, 8338 krb5_const_principal principal, 8339 const krb5_keyblock *server_key, 8340 const krb5_keyblock *privsvr_key, krb5_boolean with_realm, 8341 krb5_data *data); 8342 8343 /** 8344 * Sign a PAC, possibly including a ticket signature 8345 * 8346 * @param [in] context Library context 8347 * @param [in] enc_tkt The ticket for the signature 8348 * @param [in] pac PAC handle 8349 * @param [in] server_princ Canonical ticket server name 8350 * @param [in] client_princ PAC_CLIENT_INFO principal (or NULL) 8351 * @param [in] server Key for server checksum 8352 * @param [in] privsvr Key for KDC and ticket checksum 8353 * @param [in] with_realm If true, include the realm of @a principal 8354 * 8355 * Sign @a pac using the keys @a server and @a privsvr. Include a ticket 8356 * signature over @a enc_tkt if @a server_princ is not a TGS or kadmin/changepw 8357 * principal name. Add the signed PAC's encoding to the authorization data of 8358 * @a enc_tkt in the first slot, wrapped in an AD-IF-RELEVANT container. If @a 8359 * client_princ is non-null, add a PAC_CLIENT_INFO buffer, including the realm 8360 * if @a with_realm is true. 8361 * 8362 * @retval 0 on success, otherwise - Kerberos error codes 8363 * 8364 * @version New in 1.20 8365 */ 8366 krb5_error_code KRB5_CALLCONV 8367 krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, 8368 const krb5_pac pac, krb5_const_principal server_princ, 8369 krb5_const_principal client_princ, 8370 const krb5_keyblock *server, const krb5_keyblock *privsvr, 8371 krb5_boolean with_realm); 8372 8373 /** 8374 * Read client information from a PAC. 8375 * 8376 * @param [in] context Library context 8377 * @param [in] pac PAC handle 8378 * @param [out] authtime_out Authentication timestamp (NULL if not needed) 8379 * @param [out] princname_out Client account name 8380 * 8381 * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as 8382 * a string in @a princname_out. If @a authtime_out is not NULL, place the 8383 * initial authentication timestamp in @a authtime_out. 8384 * 8385 * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a 8386 * pac, ERANGE if the buffer contains invalid lengths. 8387 * 8388 * @version New in 1.18 8389 */ 8390 krb5_error_code KRB5_CALLCONV 8391 krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, 8392 krb5_timestamp *authtime_out, char **princname_out); 8393 8394 /** 8395 * Allow the application to override the profile's allow_weak_crypto setting. 8396 * 8397 * @param [in] context Library context 8398 * @param [in] enable Boolean flag 8399 * 8400 * This function allows an application to override the allow_weak_crypto 8401 * setting. It is primarily for use by aklog. 8402 * 8403 * @retval 0 (always) 8404 */ 8405 krb5_error_code KRB5_CALLCONV 8406 krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable); 8407 8408 /** 8409 * A wrapper for passing information to a @c krb5_trace_callback. 8410 * 8411 * Currently, it only contains the formatted message as determined 8412 * the the format string and arguments of the tracing macro, but it 8413 * may be extended to contain more fields in the future. 8414 */ 8415 typedef struct _krb5_trace_info { 8416 const char *message; 8417 } krb5_trace_info; 8418 8419 typedef void 8420 (KRB5_CALLCONV *krb5_trace_callback)(krb5_context context, 8421 const krb5_trace_info *info, 8422 void *cb_data); 8423 8424 /** 8425 * Specify a callback function for trace events. 8426 * 8427 * @param [in] context Library context 8428 * @param [in] fn Callback function 8429 * @param [in] cb_data Callback data 8430 * 8431 * Specify a callback for trace events occurring in krb5 operations performed 8432 * within @a context. @a fn will be invoked with @a context as the first 8433 * argument, @a cb_data as the last argument, and a pointer to a 8434 * krb5_trace_info as the second argument. If the trace callback is reset via 8435 * this function or @a context is destroyed, @a fn will be invoked with a NULL 8436 * second argument so it can clean up @a cb_data. Supply a NULL value for @a 8437 * fn to disable trace callbacks within @a context. 8438 * 8439 * @note This function overrides the information passed through the 8440 * @a KRB5_TRACE environment variable. 8441 * 8442 * @version New in 1.9 8443 * 8444 * @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library 8445 * (unless @a fn is NULL). 8446 */ 8447 krb5_error_code KRB5_CALLCONV 8448 krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, 8449 void *cb_data); 8450 8451 /** 8452 * Specify a file name for directing trace events. 8453 * 8454 * @param [in] context Library context 8455 * @param [in] filename File name 8456 * 8457 * Open @a filename for appending (creating it, if necessary) and set up a 8458 * callback to write trace events to it. 8459 * 8460 * @note This function overrides the information passed through the 8461 * @a KRB5_TRACE environment variable. 8462 * 8463 * @version New in 1.9 8464 * 8465 * @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library. 8466 */ 8467 krb5_error_code KRB5_CALLCONV 8468 krb5_set_trace_filename(krb5_context context, const char *filename); 8469 8470 8471 /** 8472 * Hook function for inspecting or modifying messages sent to KDCs. 8473 * 8474 * @param [in] context Library context 8475 * @param [in] data Callback data 8476 * @param [in] realm The realm the message will be sent to 8477 * @param [in] message The original message to be sent to the KDC 8478 * @param [out] new_message_out Optional replacement message to be sent 8479 * @param [out] new_reply_out Optional synthetic reply 8480 * 8481 * If the hook function returns an error code, the KDC communication will be 8482 * aborted and the error code will be returned to the library operation which 8483 * initiated the communication. 8484 * 8485 * If the hook function sets @a new_reply_out, @a message will not be sent to 8486 * the KDC, and the given reply will used instead. 8487 * 8488 * If the hook function sets @a new_message_out, the given message will be sent 8489 * to the KDC in place of @a message. 8490 * 8491 * If the hook function returns successfully without setting either output, 8492 * @a message will be sent to the KDC normally. 8493 * 8494 * The hook function should use krb5_copy_data() to construct the value for 8495 * @a new_message_out or @a reply_out, to ensure that it can be freed correctly 8496 * by the library. 8497 * 8498 * @version New in 1.15 8499 * 8500 * @retval 0 Success 8501 * @return A Kerberos error code 8502 */ 8503 typedef krb5_error_code 8504 (KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, 8505 const krb5_data *realm, 8506 const krb5_data *message, 8507 krb5_data **new_message_out, 8508 krb5_data **new_reply_out); 8509 8510 /** 8511 * Hook function for inspecting or overriding KDC replies. 8512 * 8513 * @param [in] context Library context 8514 * @param [in] data Callback data 8515 * @param [in] code Status of KDC communication 8516 * @param [in] realm The realm the reply was received from 8517 * @param [in] message The message sent to the realm's KDC 8518 * @param [in] reply The reply received from the KDC 8519 * @param [out] new_reply_out Optional replacement reply 8520 * 8521 * If @a code is zero, @a reply contains the reply received from the KDC. The 8522 * hook function may return an error code to simulate an error, may synthesize 8523 * a different reply by setting @a new_reply_out, or may simply return 8524 * successfully to do nothing. 8525 * 8526 * If @a code is non-zero, KDC communication failed and @a reply should be 8527 * ignored. The hook function may return @a code or a different error code, or 8528 * may synthesize a reply by setting @a new_reply_out and return successfully. 8529 * 8530 * The hook function should use krb5_copy_data() to construct the value for 8531 * @a new_reply_out, to ensure that it can be freed correctly by the library. 8532 * 8533 * @version New in 1.15 8534 * 8535 * @retval 0 Success 8536 * @return A Kerberos error code 8537 */ 8538 typedef krb5_error_code 8539 (KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, 8540 krb5_error_code code, 8541 const krb5_data *realm, 8542 const krb5_data *message, 8543 const krb5_data *reply, 8544 krb5_data **new_reply_out); 8545 8546 /** 8547 * Set a KDC pre-send hook function. 8548 * 8549 * @param [in] context Library context 8550 * @param [in] send_hook Hook function (or NULL to disable the hook) 8551 * @param [in] data Callback data to be passed to @a send_hook 8552 * 8553 * @a send_hook will be called before messages are sent to KDCs by library 8554 * functions such as krb5_get_credentials(). The hook function may inspect, 8555 * override, or synthesize its own reply to the message. 8556 * 8557 * @version New in 1.15 8558 */ 8559 void KRB5_CALLCONV 8560 krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, 8561 void *data); 8562 8563 /** 8564 * Set a KDC post-receive hook function. 8565 * 8566 * @param [in] context The library context. 8567 * @param [in] recv_hook Hook function (or NULL to disable the hook) 8568 * @param [in] data Callback data to be passed to @a recv_hook 8569 * 8570 * @a recv_hook will be called after a reply is received from a KDC during a 8571 * call to a library function such as krb5_get_credentials(). The hook 8572 * function may inspect or override the reply. This hook will not be executed 8573 * if the pre-send hook returns a synthetic reply. 8574 * 8575 * @version New in 1.15 8576 */ 8577 void KRB5_CALLCONV 8578 krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, 8579 void *data); 8580 8581 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) 8582 #pragma pack(pop) 8583 #endif 8584 8585 KRB5INT_END_DECLS 8586 8587 /* Don't use this! We're going to phase it out. It's just here to keep 8588 applications from breaking right away. */ 8589 #define krb5_const const 8590 8591 #undef KRB5_ATTR_DEPRECATED 8592 8593 #endif /* KRB5_GENERAL__ */ 8594 /* 8595 * et-h-krb5_err.h: 8596 * This file is automatically generated; please do not edit it. 8597 */ 8598 8599 #include <com_err.h> 8600 8601 #define KRB5KDC_ERR_NONE (-1765328384L) 8602 #define KRB5KDC_ERR_NAME_EXP (-1765328383L) 8603 #define KRB5KDC_ERR_SERVICE_EXP (-1765328382L) 8604 #define KRB5KDC_ERR_BAD_PVNO (-1765328381L) 8605 #define KRB5KDC_ERR_C_OLD_MAST_KVNO (-1765328380L) 8606 #define KRB5KDC_ERR_S_OLD_MAST_KVNO (-1765328379L) 8607 #define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L) 8608 #define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L) 8609 #define KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE (-1765328376L) 8610 #define KRB5KDC_ERR_NULL_KEY (-1765328375L) 8611 #define KRB5KDC_ERR_CANNOT_POSTDATE (-1765328374L) 8612 #define KRB5KDC_ERR_NEVER_VALID (-1765328373L) 8613 #define KRB5KDC_ERR_POLICY (-1765328372L) 8614 #define KRB5KDC_ERR_BADOPTION (-1765328371L) 8615 #define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L) 8616 #define KRB5KDC_ERR_SUMTYPE_NOSUPP (-1765328369L) 8617 #define KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368L) 8618 #define KRB5KDC_ERR_TRTYPE_NOSUPP (-1765328367L) 8619 #define KRB5KDC_ERR_CLIENT_REVOKED (-1765328366L) 8620 #define KRB5KDC_ERR_SERVICE_REVOKED (-1765328365L) 8621 #define KRB5KDC_ERR_TGT_REVOKED (-1765328364L) 8622 #define KRB5KDC_ERR_CLIENT_NOTYET (-1765328363L) 8623 #define KRB5KDC_ERR_SERVICE_NOTYET (-1765328362L) 8624 #define KRB5KDC_ERR_KEY_EXP (-1765328361L) 8625 #define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L) 8626 #define KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359L) 8627 #define KRB5KDC_ERR_SERVER_NOMATCH (-1765328358L) 8628 #define KRB5KDC_ERR_MUST_USE_USER2USER (-1765328357L) 8629 #define KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356L) 8630 #define KRB5KDC_ERR_SVC_UNAVAILABLE (-1765328355L) 8631 #define KRB5PLACEHOLD_30 (-1765328354L) 8632 #define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L) 8633 #define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L) 8634 #define KRB5KRB_AP_ERR_TKT_NYV (-1765328351L) 8635 #define KRB5KRB_AP_ERR_REPEAT (-1765328350L) 8636 #define KRB5KRB_AP_ERR_NOT_US (-1765328349L) 8637 #define KRB5KRB_AP_ERR_BADMATCH (-1765328348L) 8638 #define KRB5KRB_AP_ERR_SKEW (-1765328347L) 8639 #define KRB5KRB_AP_ERR_BADADDR (-1765328346L) 8640 #define KRB5KRB_AP_ERR_BADVERSION (-1765328345L) 8641 #define KRB5KRB_AP_ERR_MSG_TYPE (-1765328344L) 8642 #define KRB5KRB_AP_ERR_MODIFIED (-1765328343L) 8643 #define KRB5KRB_AP_ERR_BADORDER (-1765328342L) 8644 #define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328341L) 8645 #define KRB5KRB_AP_ERR_BADKEYVER (-1765328340L) 8646 #define KRB5KRB_AP_ERR_NOKEY (-1765328339L) 8647 #define KRB5KRB_AP_ERR_MUT_FAIL (-1765328338L) 8648 #define KRB5KRB_AP_ERR_BADDIRECTION (-1765328337L) 8649 #define KRB5KRB_AP_ERR_METHOD (-1765328336L) 8650 #define KRB5KRB_AP_ERR_BADSEQ (-1765328335L) 8651 #define KRB5KRB_AP_ERR_INAPP_CKSUM (-1765328334L) 8652 #define KRB5KRB_AP_PATH_NOT_ACCEPTED (-1765328333L) 8653 #define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) 8654 #define KRB5PLACEHOLD_53 (-1765328331L) 8655 #define KRB5PLACEHOLD_54 (-1765328330L) 8656 #define KRB5PLACEHOLD_55 (-1765328329L) 8657 #define KRB5PLACEHOLD_56 (-1765328328L) 8658 #define KRB5PLACEHOLD_57 (-1765328327L) 8659 #define KRB5PLACEHOLD_58 (-1765328326L) 8660 #define KRB5PLACEHOLD_59 (-1765328325L) 8661 #define KRB5KRB_ERR_GENERIC (-1765328324L) 8662 #define KRB5KRB_ERR_FIELD_TOOLONG (-1765328323L) 8663 #define KRB5KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322L) 8664 #define KRB5KDC_ERR_KDC_NOT_TRUSTED (-1765328321L) 8665 #define KRB5KDC_ERR_INVALID_SIG (-1765328320L) 8666 #define KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (-1765328319L) 8667 #define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-1765328318L) 8668 #define KRB5KRB_AP_ERR_NO_TGT (-1765328317L) 8669 #define KRB5KDC_ERR_WRONG_REALM (-1765328316L) 8670 #define KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED (-1765328315L) 8671 #define KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE (-1765328314L) 8672 #define KRB5KDC_ERR_INVALID_CERTIFICATE (-1765328313L) 8673 #define KRB5KDC_ERR_REVOKED_CERTIFICATE (-1765328312L) 8674 #define KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN (-1765328311L) 8675 #define KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (-1765328310L) 8676 #define KRB5KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309L) 8677 #define KRB5KDC_ERR_KDC_NAME_MISMATCH (-1765328308L) 8678 #define KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE (-1765328307L) 8679 #define KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (-1765328306L) 8680 #define KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305L) 8681 #define KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (-1765328304L) 8682 #define KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (-1765328303L) 8683 #define KRB5PLACEHOLD_82 (-1765328302L) 8684 #define KRB5PLACEHOLD_83 (-1765328301L) 8685 #define KRB5PLACEHOLD_84 (-1765328300L) 8686 #define KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND (-1765328299L) 8687 #define KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE (-1765328298L) 8688 #define KRB5PLACEHOLD_87 (-1765328297L) 8689 #define KRB5PLACEHOLD_88 (-1765328296L) 8690 #define KRB5PLACEHOLD_89 (-1765328295L) 8691 #define KRB5KDC_ERR_PREAUTH_EXPIRED (-1765328294L) 8692 #define KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (-1765328293L) 8693 #define KRB5PLACEHOLD_92 (-1765328292L) 8694 #define KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION (-1765328291L) 8695 #define KRB5PLACEHOLD_94 (-1765328290L) 8696 #define KRB5PLACEHOLD_95 (-1765328289L) 8697 #define KRB5PLACEHOLD_96 (-1765328288L) 8698 #define KRB5PLACEHOLD_97 (-1765328287L) 8699 #define KRB5PLACEHOLD_98 (-1765328286L) 8700 #define KRB5PLACEHOLD_99 (-1765328285L) 8701 #define KRB5KDC_ERR_NO_ACCEPTABLE_KDF (-1765328284L) 8702 #define KRB5PLACEHOLD_101 (-1765328283L) 8703 #define KRB5PLACEHOLD_102 (-1765328282L) 8704 #define KRB5PLACEHOLD_103 (-1765328281L) 8705 #define KRB5PLACEHOLD_104 (-1765328280L) 8706 #define KRB5PLACEHOLD_105 (-1765328279L) 8707 #define KRB5PLACEHOLD_106 (-1765328278L) 8708 #define KRB5PLACEHOLD_107 (-1765328277L) 8709 #define KRB5PLACEHOLD_108 (-1765328276L) 8710 #define KRB5PLACEHOLD_109 (-1765328275L) 8711 #define KRB5PLACEHOLD_110 (-1765328274L) 8712 #define KRB5PLACEHOLD_111 (-1765328273L) 8713 #define KRB5PLACEHOLD_112 (-1765328272L) 8714 #define KRB5PLACEHOLD_113 (-1765328271L) 8715 #define KRB5PLACEHOLD_114 (-1765328270L) 8716 #define KRB5PLACEHOLD_115 (-1765328269L) 8717 #define KRB5PLACEHOLD_116 (-1765328268L) 8718 #define KRB5PLACEHOLD_117 (-1765328267L) 8719 #define KRB5PLACEHOLD_118 (-1765328266L) 8720 #define KRB5PLACEHOLD_119 (-1765328265L) 8721 #define KRB5PLACEHOLD_120 (-1765328264L) 8722 #define KRB5PLACEHOLD_121 (-1765328263L) 8723 #define KRB5PLACEHOLD_122 (-1765328262L) 8724 #define KRB5PLACEHOLD_123 (-1765328261L) 8725 #define KRB5PLACEHOLD_124 (-1765328260L) 8726 #define KRB5PLACEHOLD_125 (-1765328259L) 8727 #define KRB5PLACEHOLD_126 (-1765328258L) 8728 #define KRB5PLACEHOLD_127 (-1765328257L) 8729 #define KRB5_ERR_RCSID (-1765328256L) 8730 #define KRB5_LIBOS_BADLOCKFLAG (-1765328255L) 8731 #define KRB5_LIBOS_CANTREADPWD (-1765328254L) 8732 #define KRB5_LIBOS_BADPWDMATCH (-1765328253L) 8733 #define KRB5_LIBOS_PWDINTR (-1765328252L) 8734 #define KRB5_PARSE_ILLCHAR (-1765328251L) 8735 #define KRB5_PARSE_MALFORMED (-1765328250L) 8736 #define KRB5_CONFIG_CANTOPEN (-1765328249L) 8737 #define KRB5_CONFIG_BADFORMAT (-1765328248L) 8738 #define KRB5_CONFIG_NOTENUFSPACE (-1765328247L) 8739 #define KRB5_BADMSGTYPE (-1765328246L) 8740 #define KRB5_CC_BADNAME (-1765328245L) 8741 #define KRB5_CC_UNKNOWN_TYPE (-1765328244L) 8742 #define KRB5_CC_NOTFOUND (-1765328243L) 8743 #define KRB5_CC_END (-1765328242L) 8744 #define KRB5_NO_TKT_SUPPLIED (-1765328241L) 8745 #define KRB5KRB_AP_WRONG_PRINC (-1765328240L) 8746 #define KRB5KRB_AP_ERR_TKT_INVALID (-1765328239L) 8747 #define KRB5_PRINC_NOMATCH (-1765328238L) 8748 #define KRB5_KDCREP_MODIFIED (-1765328237L) 8749 #define KRB5_KDCREP_SKEW (-1765328236L) 8750 #define KRB5_IN_TKT_REALM_MISMATCH (-1765328235L) 8751 #define KRB5_PROG_ETYPE_NOSUPP (-1765328234L) 8752 #define KRB5_PROG_KEYTYPE_NOSUPP (-1765328233L) 8753 #define KRB5_WRONG_ETYPE (-1765328232L) 8754 #define KRB5_PROG_SUMTYPE_NOSUPP (-1765328231L) 8755 #define KRB5_REALM_UNKNOWN (-1765328230L) 8756 #define KRB5_SERVICE_UNKNOWN (-1765328229L) 8757 #define KRB5_KDC_UNREACH (-1765328228L) 8758 #define KRB5_NO_LOCALNAME (-1765328227L) 8759 #define KRB5_MUTUAL_FAILED (-1765328226L) 8760 #define KRB5_RC_TYPE_EXISTS (-1765328225L) 8761 #define KRB5_RC_MALLOC (-1765328224L) 8762 #define KRB5_RC_TYPE_NOTFOUND (-1765328223L) 8763 #define KRB5_RC_UNKNOWN (-1765328222L) 8764 #define KRB5_RC_REPLAY (-1765328221L) 8765 #define KRB5_RC_IO (-1765328220L) 8766 #define KRB5_RC_NOIO (-1765328219L) 8767 #define KRB5_RC_PARSE (-1765328218L) 8768 #define KRB5_RC_IO_EOF (-1765328217L) 8769 #define KRB5_RC_IO_MALLOC (-1765328216L) 8770 #define KRB5_RC_IO_PERM (-1765328215L) 8771 #define KRB5_RC_IO_IO (-1765328214L) 8772 #define KRB5_RC_IO_UNKNOWN (-1765328213L) 8773 #define KRB5_RC_IO_SPACE (-1765328212L) 8774 #define KRB5_TRANS_CANTOPEN (-1765328211L) 8775 #define KRB5_TRANS_BADFORMAT (-1765328210L) 8776 #define KRB5_LNAME_CANTOPEN (-1765328209L) 8777 #define KRB5_LNAME_NOTRANS (-1765328208L) 8778 #define KRB5_LNAME_BADFORMAT (-1765328207L) 8779 #define KRB5_CRYPTO_INTERNAL (-1765328206L) 8780 #define KRB5_KT_BADNAME (-1765328205L) 8781 #define KRB5_KT_UNKNOWN_TYPE (-1765328204L) 8782 #define KRB5_KT_NOTFOUND (-1765328203L) 8783 #define KRB5_KT_END (-1765328202L) 8784 #define KRB5_KT_NOWRITE (-1765328201L) 8785 #define KRB5_KT_IOERR (-1765328200L) 8786 #define KRB5_NO_TKT_IN_RLM (-1765328199L) 8787 #define KRB5DES_BAD_KEYPAR (-1765328198L) 8788 #define KRB5DES_WEAK_KEY (-1765328197L) 8789 #define KRB5_BAD_ENCTYPE (-1765328196L) 8790 #define KRB5_BAD_KEYSIZE (-1765328195L) 8791 #define KRB5_BAD_MSIZE (-1765328194L) 8792 #define KRB5_CC_TYPE_EXISTS (-1765328193L) 8793 #define KRB5_KT_TYPE_EXISTS (-1765328192L) 8794 #define KRB5_CC_IO (-1765328191L) 8795 #define KRB5_FCC_PERM (-1765328190L) 8796 #define KRB5_FCC_NOFILE (-1765328189L) 8797 #define KRB5_FCC_INTERNAL (-1765328188L) 8798 #define KRB5_CC_WRITE (-1765328187L) 8799 #define KRB5_CC_NOMEM (-1765328186L) 8800 #define KRB5_CC_FORMAT (-1765328185L) 8801 #define KRB5_CC_NOT_KTYPE (-1765328184L) 8802 #define KRB5_INVALID_FLAGS (-1765328183L) 8803 #define KRB5_NO_2ND_TKT (-1765328182L) 8804 #define KRB5_NOCREDS_SUPPLIED (-1765328181L) 8805 #define KRB5_SENDAUTH_BADAUTHVERS (-1765328180L) 8806 #define KRB5_SENDAUTH_BADAPPLVERS (-1765328179L) 8807 #define KRB5_SENDAUTH_BADRESPONSE (-1765328178L) 8808 #define KRB5_SENDAUTH_REJECTED (-1765328177L) 8809 #define KRB5_PREAUTH_BAD_TYPE (-1765328176L) 8810 #define KRB5_PREAUTH_NO_KEY (-1765328175L) 8811 #define KRB5_PREAUTH_FAILED (-1765328174L) 8812 #define KRB5_RCACHE_BADVNO (-1765328173L) 8813 #define KRB5_CCACHE_BADVNO (-1765328172L) 8814 #define KRB5_KEYTAB_BADVNO (-1765328171L) 8815 #define KRB5_PROG_ATYPE_NOSUPP (-1765328170L) 8816 #define KRB5_RC_REQUIRED (-1765328169L) 8817 #define KRB5_ERR_BAD_HOSTNAME (-1765328168L) 8818 #define KRB5_ERR_HOST_REALM_UNKNOWN (-1765328167L) 8819 #define KRB5_SNAME_UNSUPP_NAMETYPE (-1765328166L) 8820 #define KRB5KRB_AP_ERR_V4_REPLY (-1765328165L) 8821 #define KRB5_REALM_CANT_RESOLVE (-1765328164L) 8822 #define KRB5_TKT_NOT_FORWARDABLE (-1765328163L) 8823 #define KRB5_FWD_BAD_PRINCIPAL (-1765328162L) 8824 #define KRB5_GET_IN_TKT_LOOP (-1765328161L) 8825 #define KRB5_CONFIG_NODEFREALM (-1765328160L) 8826 #define KRB5_SAM_UNSUPPORTED (-1765328159L) 8827 #define KRB5_SAM_INVALID_ETYPE (-1765328158L) 8828 #define KRB5_SAM_NO_CHECKSUM (-1765328157L) 8829 #define KRB5_SAM_BAD_CHECKSUM (-1765328156L) 8830 #define KRB5_KT_NAME_TOOLONG (-1765328155L) 8831 #define KRB5_KT_KVNONOTFOUND (-1765328154L) 8832 #define KRB5_APPL_EXPIRED (-1765328153L) 8833 #define KRB5_LIB_EXPIRED (-1765328152L) 8834 #define KRB5_CHPW_PWDNULL (-1765328151L) 8835 #define KRB5_CHPW_FAIL (-1765328150L) 8836 #define KRB5_KT_FORMAT (-1765328149L) 8837 #define KRB5_NOPERM_ETYPE (-1765328148L) 8838 #define KRB5_CONFIG_ETYPE_NOSUPP (-1765328147L) 8839 #define KRB5_OBSOLETE_FN (-1765328146L) 8840 #define KRB5_EAI_FAIL (-1765328145L) 8841 #define KRB5_EAI_NODATA (-1765328144L) 8842 #define KRB5_EAI_NONAME (-1765328143L) 8843 #define KRB5_EAI_SERVICE (-1765328142L) 8844 #define KRB5_ERR_NUMERIC_REALM (-1765328141L) 8845 #define KRB5_ERR_BAD_S2K_PARAMS (-1765328140L) 8846 #define KRB5_ERR_NO_SERVICE (-1765328139L) 8847 #define KRB5_CC_READONLY (-1765328138L) 8848 #define KRB5_CC_NOSUPP (-1765328137L) 8849 #define KRB5_DELTAT_BADFORMAT (-1765328136L) 8850 #define KRB5_PLUGIN_NO_HANDLE (-1765328135L) 8851 #define KRB5_PLUGIN_OP_NOTSUPP (-1765328134L) 8852 #define KRB5_ERR_INVALID_UTF8 (-1765328133L) 8853 #define KRB5_ERR_FAST_REQUIRED (-1765328132L) 8854 #define KRB5_LOCAL_ADDR_REQUIRED (-1765328131L) 8855 #define KRB5_REMOTE_ADDR_REQUIRED (-1765328130L) 8856 #define KRB5_TRACE_NOSUPP (-1765328129L) 8857 #define ERROR_TABLE_BASE_krb5 (-1765328384L) 8858 8859 extern const struct error_table et_krb5_error_table; 8860 8861 #if !defined(_WIN32) 8862 /* for compatibility with older versions... */ 8863 extern void initialize_krb5_error_table (void) /*@modifies internalState@*/; 8864 #else 8865 #define initialize_krb5_error_table() 8866 #endif 8867 8868 #if !defined(_WIN32) 8869 #define init_krb5_err_tbl initialize_krb5_error_table 8870 #define krb5_err_base ERROR_TABLE_BASE_krb5 8871 #endif 8872 /* 8873 * et-h-k5e1_err.h: 8874 * This file is automatically generated; please do not edit it. 8875 */ 8876 8877 #include <com_err.h> 8878 8879 #define KRB5_PLUGIN_VER_NOTSUPP (-1750600192L) 8880 #define KRB5_PLUGIN_BAD_MODULE_SPEC (-1750600191L) 8881 #define KRB5_PLUGIN_NAME_NOTFOUND (-1750600190L) 8882 #define KRB5KDC_ERR_DISCARD (-1750600189L) 8883 #define KRB5_DCC_CANNOT_CREATE (-1750600188L) 8884 #define KRB5_KCC_INVALID_ANCHOR (-1750600187L) 8885 #define KRB5_KCC_UNKNOWN_VERSION (-1750600186L) 8886 #define KRB5_KCC_INVALID_UID (-1750600185L) 8887 #define KRB5_KCM_MALFORMED_REPLY (-1750600184L) 8888 #define KRB5_KCM_RPC_ERROR (-1750600183L) 8889 #define KRB5_KCM_REPLY_TOO_BIG (-1750600182L) 8890 #define KRB5_KCM_NO_SERVER (-1750600181L) 8891 #define KRB5_CERTAUTH_HWAUTH (-1750600180L) 8892 #define KRB5_CERTAUTH_HWAUTH_PASS (-1750600179L) 8893 #define ERROR_TABLE_BASE_k5e1 (-1750600192L) 8894 8895 extern const struct error_table et_k5e1_error_table; 8896 8897 #if !defined(_WIN32) 8898 /* for compatibility with older versions... */ 8899 extern void initialize_k5e1_error_table (void) /*@modifies internalState@*/; 8900 #else 8901 #define initialize_k5e1_error_table() 8902 #endif 8903 8904 #if !defined(_WIN32) 8905 #define init_k5e1_err_tbl initialize_k5e1_error_table 8906 #define k5e1_err_base ERROR_TABLE_BASE_k5e1 8907 #endif 8908 /* 8909 * et-h-kdb5_err.h: 8910 * This file is automatically generated; please do not edit it. 8911 */ 8912 8913 #include <com_err.h> 8914 8915 #define KRB5_KDB_RCSID (-1780008448L) 8916 #define KRB5_KDB_INUSE (-1780008447L) 8917 #define KRB5_KDB_UK_SERROR (-1780008446L) 8918 #define KRB5_KDB_UK_RERROR (-1780008445L) 8919 #define KRB5_KDB_UNAUTH (-1780008444L) 8920 #define KRB5_KDB_NOENTRY (-1780008443L) 8921 #define KRB5_KDB_ILL_WILDCARD (-1780008442L) 8922 #define KRB5_KDB_DB_INUSE (-1780008441L) 8923 #define KRB5_KDB_DB_CHANGED (-1780008440L) 8924 #define KRB5_KDB_TRUNCATED_RECORD (-1780008439L) 8925 #define KRB5_KDB_RECURSIVELOCK (-1780008438L) 8926 #define KRB5_KDB_NOTLOCKED (-1780008437L) 8927 #define KRB5_KDB_BADLOCKMODE (-1780008436L) 8928 #define KRB5_KDB_DBNOTINITED (-1780008435L) 8929 #define KRB5_KDB_DBINITED (-1780008434L) 8930 #define KRB5_KDB_ILLDIRECTION (-1780008433L) 8931 #define KRB5_KDB_NOMASTERKEY (-1780008432L) 8932 #define KRB5_KDB_BADMASTERKEY (-1780008431L) 8933 #define KRB5_KDB_INVALIDKEYSIZE (-1780008430L) 8934 #define KRB5_KDB_CANTREAD_STORED (-1780008429L) 8935 #define KRB5_KDB_BADSTORED_MKEY (-1780008428L) 8936 #define KRB5_KDB_NOACTMASTERKEY (-1780008427L) 8937 #define KRB5_KDB_KVNONOMATCH (-1780008426L) 8938 #define KRB5_KDB_STORED_MKEY_NOTCURRENT (-1780008425L) 8939 #define KRB5_KDB_CANTLOCK_DB (-1780008424L) 8940 #define KRB5_KDB_DB_CORRUPT (-1780008423L) 8941 #define KRB5_KDB_BAD_VERSION (-1780008422L) 8942 #define KRB5_KDB_BAD_SALTTYPE (-1780008421L) 8943 #define KRB5_KDB_BAD_ENCTYPE (-1780008420L) 8944 #define KRB5_KDB_BAD_CREATEFLAGS (-1780008419L) 8945 #define KRB5_KDB_NO_PERMITTED_KEY (-1780008418L) 8946 #define KRB5_KDB_NO_MATCHING_KEY (-1780008417L) 8947 #define KRB5_KDB_DBTYPE_NOTFOUND (-1780008416L) 8948 #define KRB5_KDB_DBTYPE_NOSUP (-1780008415L) 8949 #define KRB5_KDB_DBTYPE_INIT (-1780008414L) 8950 #define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008413L) 8951 #define KRB5_KDB_ACCESS_ERROR (-1780008412L) 8952 #define KRB5_KDB_INTERNAL_ERROR (-1780008411L) 8953 #define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008410L) 8954 #define KRB5_LOG_CONV (-1780008409L) 8955 #define KRB5_LOG_UNSTABLE (-1780008408L) 8956 #define KRB5_LOG_CORRUPT (-1780008407L) 8957 #define KRB5_LOG_ERROR (-1780008406L) 8958 #define KRB5_KDB_DBTYPE_MISMATCH (-1780008405L) 8959 #define KRB5_KDB_POLICY_REF (-1780008404L) 8960 #define KRB5_KDB_STRINGS_TOOLONG (-1780008403L) 8961 #define ERROR_TABLE_BASE_kdb5 (-1780008448L) 8962 8963 extern const struct error_table et_kdb5_error_table; 8964 8965 #if !defined(_WIN32) 8966 /* for compatibility with older versions... */ 8967 extern void initialize_kdb5_error_table (void) /*@modifies internalState@*/; 8968 #else 8969 #define initialize_kdb5_error_table() 8970 #endif 8971 8972 #if !defined(_WIN32) 8973 #define init_kdb5_err_tbl initialize_kdb5_error_table 8974 #define kdb5_err_base ERROR_TABLE_BASE_kdb5 8975 #endif 8976 /* 8977 * et-h-kv5m_err.h: 8978 * This file is automatically generated; please do not edit it. 8979 */ 8980 8981 #include <com_err.h> 8982 8983 #define KV5M_NONE (-1760647424L) 8984 #define KV5M_PRINCIPAL (-1760647423L) 8985 #define KV5M_DATA (-1760647422L) 8986 #define KV5M_KEYBLOCK (-1760647421L) 8987 #define KV5M_CHECKSUM (-1760647420L) 8988 #define KV5M_ENCRYPT_BLOCK (-1760647419L) 8989 #define KV5M_ENC_DATA (-1760647418L) 8990 #define KV5M_CRYPTOSYSTEM_ENTRY (-1760647417L) 8991 #define KV5M_CS_TABLE_ENTRY (-1760647416L) 8992 #define KV5M_CHECKSUM_ENTRY (-1760647415L) 8993 #define KV5M_AUTHDATA (-1760647414L) 8994 #define KV5M_TRANSITED (-1760647413L) 8995 #define KV5M_ENC_TKT_PART (-1760647412L) 8996 #define KV5M_TICKET (-1760647411L) 8997 #define KV5M_AUTHENTICATOR (-1760647410L) 8998 #define KV5M_TKT_AUTHENT (-1760647409L) 8999 #define KV5M_CREDS (-1760647408L) 9000 #define KV5M_LAST_REQ_ENTRY (-1760647407L) 9001 #define KV5M_PA_DATA (-1760647406L) 9002 #define KV5M_KDC_REQ (-1760647405L) 9003 #define KV5M_ENC_KDC_REP_PART (-1760647404L) 9004 #define KV5M_KDC_REP (-1760647403L) 9005 #define KV5M_ERROR (-1760647402L) 9006 #define KV5M_AP_REQ (-1760647401L) 9007 #define KV5M_AP_REP (-1760647400L) 9008 #define KV5M_AP_REP_ENC_PART (-1760647399L) 9009 #define KV5M_RESPONSE (-1760647398L) 9010 #define KV5M_SAFE (-1760647397L) 9011 #define KV5M_PRIV (-1760647396L) 9012 #define KV5M_PRIV_ENC_PART (-1760647395L) 9013 #define KV5M_CRED (-1760647394L) 9014 #define KV5M_CRED_INFO (-1760647393L) 9015 #define KV5M_CRED_ENC_PART (-1760647392L) 9016 #define KV5M_PWD_DATA (-1760647391L) 9017 #define KV5M_ADDRESS (-1760647390L) 9018 #define KV5M_KEYTAB_ENTRY (-1760647389L) 9019 #define KV5M_CONTEXT (-1760647388L) 9020 #define KV5M_OS_CONTEXT (-1760647387L) 9021 #define KV5M_ALT_METHOD (-1760647386L) 9022 #define KV5M_ETYPE_INFO_ENTRY (-1760647385L) 9023 #define KV5M_DB_CONTEXT (-1760647384L) 9024 #define KV5M_AUTH_CONTEXT (-1760647383L) 9025 #define KV5M_KEYTAB (-1760647382L) 9026 #define KV5M_RCACHE (-1760647381L) 9027 #define KV5M_CCACHE (-1760647380L) 9028 #define KV5M_PREAUTH_OPS (-1760647379L) 9029 #define KV5M_SAM_CHALLENGE (-1760647378L) 9030 #define KV5M_SAM_CHALLENGE_2 (-1760647377L) 9031 #define KV5M_SAM_KEY (-1760647376L) 9032 #define KV5M_ENC_SAM_RESPONSE_ENC (-1760647375L) 9033 #define KV5M_ENC_SAM_RESPONSE_ENC_2 (-1760647374L) 9034 #define KV5M_SAM_RESPONSE (-1760647373L) 9035 #define KV5M_SAM_RESPONSE_2 (-1760647372L) 9036 #define KV5M_PREDICTED_SAM_RESPONSE (-1760647371L) 9037 #define KV5M_PASSWD_PHRASE_ELEMENT (-1760647370L) 9038 #define KV5M_GSS_OID (-1760647369L) 9039 #define KV5M_GSS_QUEUE (-1760647368L) 9040 #define KV5M_FAST_ARMORED_REQ (-1760647367L) 9041 #define KV5M_FAST_REQ (-1760647366L) 9042 #define KV5M_FAST_RESPONSE (-1760647365L) 9043 #define KV5M_AUTHDATA_CONTEXT (-1760647364L) 9044 #define ERROR_TABLE_BASE_kv5m (-1760647424L) 9045 9046 extern const struct error_table et_kv5m_error_table; 9047 9048 #if !defined(_WIN32) 9049 /* for compatibility with older versions... */ 9050 extern void initialize_kv5m_error_table (void) /*@modifies internalState@*/; 9051 #else 9052 #define initialize_kv5m_error_table() 9053 #endif 9054 9055 #if !defined(_WIN32) 9056 #define init_kv5m_err_tbl initialize_kv5m_error_table 9057 #define kv5m_err_base ERROR_TABLE_BASE_kv5m 9058 #endif 9059 /* 9060 * et-h-krb524_err.h: 9061 * This file is automatically generated; please do not edit it. 9062 */ 9063 9064 #include <com_err.h> 9065 9066 #define KRB524_BADKEY (-1750206208L) 9067 #define KRB524_BADADDR (-1750206207L) 9068 #define KRB524_BADPRINC (-1750206206L) 9069 #define KRB524_BADREALM (-1750206205L) 9070 #define KRB524_V4ERR (-1750206204L) 9071 #define KRB524_ENCFULL (-1750206203L) 9072 #define KRB524_DECEMPTY (-1750206202L) 9073 #define KRB524_NOTRESP (-1750206201L) 9074 #define KRB524_KRB4_DISABLED (-1750206200L) 9075 #define ERROR_TABLE_BASE_k524 (-1750206208L) 9076 9077 extern const struct error_table et_k524_error_table; 9078 9079 #if !defined(_WIN32) 9080 /* for compatibility with older versions... */ 9081 extern void initialize_k524_error_table (void) /*@modifies internalState@*/; 9082 #else 9083 #define initialize_k524_error_table() 9084 #endif 9085 9086 #if !defined(_WIN32) 9087 #define init_k524_err_tbl initialize_k524_error_table 9088 #define k524_err_base ERROR_TABLE_BASE_k524 9089 #endif 9090 /* 9091 * et-h-asn1_err.h: 9092 * This file is automatically generated; please do not edit it. 9093 */ 9094 9095 #include <com_err.h> 9096 9097 #define ASN1_BAD_TIMEFORMAT (1859794432L) 9098 #define ASN1_MISSING_FIELD (1859794433L) 9099 #define ASN1_MISPLACED_FIELD (1859794434L) 9100 #define ASN1_TYPE_MISMATCH (1859794435L) 9101 #define ASN1_OVERFLOW (1859794436L) 9102 #define ASN1_OVERRUN (1859794437L) 9103 #define ASN1_BAD_ID (1859794438L) 9104 #define ASN1_BAD_LENGTH (1859794439L) 9105 #define ASN1_BAD_FORMAT (1859794440L) 9106 #define ASN1_PARSE_ERROR (1859794441L) 9107 #define ASN1_BAD_GMTIME (1859794442L) 9108 #define ASN1_INDEF (1859794443L) 9109 #define ASN1_MISSING_EOC (1859794444L) 9110 #define ASN1_OMITTED (1859794445L) 9111 #define ERROR_TABLE_BASE_asn1 (1859794432L) 9112 9113 extern const struct error_table et_asn1_error_table; 9114 9115 #if !defined(_WIN32) 9116 /* for compatibility with older versions... */ 9117 extern void initialize_asn1_error_table (void) /*@modifies internalState@*/; 9118 #else 9119 #define initialize_asn1_error_table() 9120 #endif 9121 9122 #if !defined(_WIN32) 9123 #define init_asn1_err_tbl initialize_asn1_error_table 9124 #define asn1_err_base ERROR_TABLE_BASE_asn1 9125 #endif 9126 #endif /* KRB5_KRB5_H_INCLUDED */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|