EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2026-06-29 08:14:31
0001 /* This file is generated, please don't edit it directly. */ 0002 #ifndef KRB5_KRB5_H_INCLUDED 0003 #define KRB5_KRB5_H_INCLUDED 0004 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 0005 /* General definitions for Kerberos version 5. */ 0006 /* 0007 * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts 0008 * Institute of Technology. All Rights Reserved. 0009 * 0010 * Export of this software from the United States of America may 0011 * require a specific license from the United States Government. 0012 * It is the responsibility of any person or organization contemplating 0013 * export to obtain such a license before exporting. 0014 * 0015 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 0016 * distribute this software and its documentation for any purpose and 0017 * without fee is hereby granted, provided that the above copyright 0018 * notice appear in all copies and that both that copyright notice and 0019 * this permission notice appear in supporting documentation, and that 0020 * the name of M.I.T. not be used in advertising or publicity pertaining 0021 * to distribution of the software without specific, written prior 0022 * permission. Furthermore if you modify this software you must label 0023 * your software as modified software and not distribute it in such a 0024 * fashion that it might be confused with the original M.I.T. software. 0025 * M.I.T. makes no representations about the suitability of 0026 * this software for any purpose. It is provided "as is" without express 0027 * or implied warranty. 0028 */ 0029 /* 0030 * Copyright (C) 1998 by the FundsXpress, INC. 0031 * 0032 * All rights reserved. 0033 * 0034 * Export of this software from the United States of America may require 0035 * a specific license from the United States Government. It is the 0036 * responsibility of any person or organization contemplating export to 0037 * obtain such a license before exporting. 0038 * 0039 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 0040 * distribute this software and its documentation for any purpose and 0041 * without fee is hereby granted, provided that the above copyright 0042 * notice appear in all copies and that both that copyright notice and 0043 * this permission notice appear in supporting documentation, and that 0044 * the name of FundsXpress. not be used in advertising or publicity pertaining 0045 * to distribution of the software without specific, written prior 0046 * permission. FundsXpress makes no representations about the suitability of 0047 * this software for any purpose. It is provided "as is" without express 0048 * or implied warranty. 0049 * 0050 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 0051 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 0052 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 0053 */ 0054 0055 #ifndef KRB5_GENERAL__ 0056 #define KRB5_GENERAL__ 0057 0058 /* By default, do not expose deprecated interfaces. */ 0059 #ifndef KRB5_DEPRECATED 0060 #define KRB5_DEPRECATED 0 0061 #endif 0062 0063 #if defined(__MACH__) && defined(__APPLE__) 0064 # include <TargetConditionals.h> 0065 # if TARGET_RT_MAC_CFM 0066 # error "Use KfM 4.0 SDK headers for CFM compilation." 0067 # endif 0068 #endif 0069 0070 #if defined(_MSDOS) || defined(_WIN32) 0071 #include <win-mac.h> 0072 #endif 0073 0074 #ifndef KRB5_CONFIG__ 0075 #ifndef KRB5_CALLCONV 0076 #define KRB5_CALLCONV 0077 #define KRB5_CALLCONV_C 0078 #endif /* !KRB5_CALLCONV */ 0079 #endif /* !KRB5_CONFIG__ */ 0080 0081 #ifndef KRB5_CALLCONV_WRONG 0082 #define KRB5_CALLCONV_WRONG 0083 #endif 0084 0085 #ifndef THREEPARAMOPEN 0086 #define THREEPARAMOPEN(x,y,z) open(x,y,z) 0087 #endif 0088 0089 #define KRB5_OLD_CRYPTO 0090 0091 #include <stdlib.h> 0092 #include <limits.h> /* for *_MAX */ 0093 #include <stdarg.h> 0094 #include <stdint.h> 0095 0096 #ifndef KRB5INT_BEGIN_DECLS 0097 #if defined(__cplusplus) 0098 #define KRB5INT_BEGIN_DECLS extern "C" { 0099 #define KRB5INT_END_DECLS } 0100 #else 0101 #define KRB5INT_BEGIN_DECLS 0102 #define KRB5INT_END_DECLS 0103 #endif 0104 #endif 0105 0106 KRB5INT_BEGIN_DECLS 0107 0108 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) 0109 #pragma pack(push,2) 0110 #endif 0111 0112 #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203 0113 # define KRB5_ATTR_DEPRECATED __attribute__((deprecated)) 0114 #elif defined _WIN32 0115 # define KRB5_ATTR_DEPRECATED __declspec(deprecated) 0116 #else 0117 # define KRB5_ATTR_DEPRECATED 0118 #endif 0119 0120 /* from profile.h */ 0121 struct _profile_t; 0122 /* typedef struct _profile_t *profile_t; */ 0123 0124 /* 0125 * begin wordsize.h 0126 */ 0127 0128 /* 0129 * Word-size related definition. 0130 */ 0131 0132 typedef uint8_t krb5_octet; 0133 typedef int16_t krb5_int16; 0134 typedef uint16_t krb5_ui_2; 0135 typedef int32_t krb5_int32; 0136 typedef uint32_t krb5_ui_4; 0137 0138 #define VALID_INT_BITS INT_MAX 0139 #define VALID_UINT_BITS UINT_MAX 0140 0141 #define KRB5_INT32_MAX 2147483647 0142 /* this strange form is necessary since - is a unary operator, not a sign 0143 indicator */ 0144 #define KRB5_INT32_MIN (-KRB5_INT32_MAX-1) 0145 0146 #define KRB5_INT16_MAX 65535 0147 /* this strange form is necessary since - is a unary operator, not a sign 0148 indicator */ 0149 #define KRB5_INT16_MIN (-KRB5_INT16_MAX-1) 0150 0151 /* 0152 * end wordsize.h 0153 */ 0154 0155 /* 0156 * begin "base-defs.h" 0157 */ 0158 0159 /* 0160 * Basic definitions for Kerberos V5 library 0161 */ 0162 0163 #ifndef FALSE 0164 #define FALSE 0 0165 #endif 0166 #ifndef TRUE 0167 #define TRUE 1 0168 #endif 0169 0170 typedef unsigned int krb5_boolean; 0171 typedef unsigned int krb5_msgtype; 0172 typedef unsigned int krb5_kvno; 0173 0174 typedef krb5_int32 krb5_addrtype; 0175 typedef krb5_int32 krb5_enctype; 0176 typedef krb5_int32 krb5_cksumtype; 0177 typedef krb5_int32 krb5_authdatatype; 0178 typedef krb5_int32 krb5_keyusage; 0179 typedef krb5_int32 krb5_cryptotype; 0180 0181 typedef krb5_int32 krb5_preauthtype; /* This may change, later on */ 0182 typedef krb5_int32 krb5_flags; 0183 0184 /** 0185 * Represents a timestamp in seconds since the POSIX epoch. This legacy type 0186 * is used frequently in the ABI, but cannot represent timestamps after 2038 as 0187 * a positive number. Code which uses this type should cast values of it to 0188 * uint32_t so that negative values are treated as timestamps between 2038 and 0189 * 2106 on platforms with 64-bit time_t. 0190 */ 0191 typedef krb5_int32 krb5_timestamp; 0192 0193 typedef krb5_int32 krb5_deltat; 0194 0195 /** 0196 * Used to convey an operation status. The value 0 indicates success; any 0197 * other values are com_err codes. Use krb5_get_error_message() to obtain a 0198 * string describing the error. 0199 */ 0200 typedef krb5_int32 krb5_error_code; 0201 0202 typedef krb5_error_code krb5_magic; 0203 0204 typedef struct _krb5_data { 0205 krb5_magic magic; 0206 unsigned int length; 0207 char *data; 0208 } krb5_data; 0209 0210 /* Originally introduced for PKINIT; now unused. Do not use this. */ 0211 typedef struct _krb5_octet_data { 0212 krb5_magic magic; 0213 unsigned int length; 0214 krb5_octet *data; 0215 } krb5_octet_data; 0216 0217 /* Originally used to recognize AFS and default salts. No longer used. */ 0218 #define SALT_TYPE_AFS_LENGTH UINT_MAX 0219 #define SALT_TYPE_NO_LENGTH UINT_MAX 0220 0221 typedef void * krb5_pointer; 0222 typedef void const * krb5_const_pointer; 0223 0224 typedef struct krb5_principal_data { 0225 krb5_magic magic; 0226 krb5_data realm; 0227 krb5_data *data; /**< An array of strings */ 0228 krb5_int32 length; 0229 krb5_int32 type; 0230 } krb5_principal_data; 0231 0232 typedef krb5_principal_data * krb5_principal; 0233 0234 /* 0235 * Per V5 spec on definition of principal types 0236 */ 0237 0238 #define KRB5_NT_UNKNOWN 0 /**< Name type not known */ 0239 #define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal 0240 as in DCE, or for users */ 0241 #define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */ 0242 #define KRB5_NT_SRV_HST 3 /**< Service with host name as instance 0243 (telnet, rcommands) */ 0244 #define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */ 0245 #define KRB5_NT_UID 5 /**< Unique ID */ 0246 #define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */ 0247 #define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */ 0248 #define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */ 0249 #define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */ 0250 #define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of 0251 NT_WELLKNOWN principals */ 0252 #define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */ 0253 #define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */ 0254 #define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */ 0255 0256 /** Constant version of krb5_principal_data. */ 0257 typedef const krb5_principal_data *krb5_const_principal; 0258 0259 #define krb5_princ_realm(context, princ) (&(princ)->realm) 0260 #define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value)) 0261 #define krb5_princ_set_realm_length(context, princ,value) (princ)->realm.length = (value) 0262 #define krb5_princ_set_realm_data(context, princ,value) (princ)->realm.data = (value) 0263 #define krb5_princ_size(context, princ) (princ)->length 0264 #define krb5_princ_type(context, princ) (princ)->type 0265 #define krb5_princ_name(context, princ) (princ)->data 0266 #define krb5_princ_component(context, princ,i) \ 0267 (((i) < krb5_princ_size(context, princ)) \ 0268 ? (princ)->data + (i) \ 0269 : NULL) 0270 0271 /** Constant for realm referrals. */ 0272 #define KRB5_REFERRAL_REALM "" 0273 0274 /* 0275 * Referral-specific functions. 0276 */ 0277 0278 /** 0279 * Check for a match with KRB5_REFERRAL_REALM. 0280 * 0281 * @param [in] r Realm to check 0282 * 0283 * @return @c TRUE if @a r is zero-length, @c FALSE otherwise 0284 */ 0285 krb5_boolean KRB5_CALLCONV 0286 krb5_is_referral_realm(const krb5_data *r); 0287 0288 /** 0289 * Return an anonymous realm data. 0290 * 0291 * This function returns constant storage that must not be freed. 0292 * 0293 * @sa #KRB5_ANONYMOUS_REALMSTR 0294 */ 0295 const krb5_data *KRB5_CALLCONV 0296 krb5_anonymous_realm(void); 0297 0298 /** 0299 * Build an anonymous principal. 0300 * 0301 * This function returns constant storage that must not be freed. 0302 * 0303 * @sa #KRB5_ANONYMOUS_PRINCSTR 0304 */ 0305 krb5_const_principal KRB5_CALLCONV 0306 krb5_anonymous_principal(void); 0307 0308 #define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */ 0309 #define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */ 0310 /* 0311 * end "base-defs.h" 0312 */ 0313 0314 /* 0315 * begin "hostaddr.h" 0316 */ 0317 0318 /** Structure for address */ 0319 typedef struct _krb5_address { 0320 krb5_magic magic; 0321 krb5_addrtype addrtype; 0322 unsigned int length; 0323 krb5_octet *contents; 0324 } krb5_address; 0325 0326 /* per Kerberos v5 protocol spec */ 0327 #define ADDRTYPE_INET 0x0002 0328 #define ADDRTYPE_DIRECTIONAL 0x0003 0329 #define ADDRTYPE_CHAOS 0x0005 0330 #define ADDRTYPE_XNS 0x0006 0331 #define ADDRTYPE_ISO 0x0007 0332 #define ADDRTYPE_DDP 0x0010 0333 #define ADDRTYPE_NETBIOS 0x0014 0334 #define ADDRTYPE_INET6 0x0018 0335 /* not yet in the spec... */ 0336 #define ADDRTYPE_ADDRPORT 0x0100 0337 #define ADDRTYPE_IPPORT 0x0101 0338 0339 /* 0340 * Negative values for the host address type are reserved for local use. Do 0341 * not use these types in Kerberos protocol elements. 0342 */ 0343 0344 /* The contents field contains a UNIX domain socket path. */ 0345 #define ADDRTYPE_UNIXSOCK (0x8000 | 0x0001) 0346 0347 /* macros to determine if a type is a local type */ 0348 #define ADDRTYPE_IS_LOCAL(addrtype) (addrtype & 0x8000) 0349 0350 /* 0351 * end "hostaddr.h" 0352 */ 0353 0354 0355 struct _krb5_context; 0356 typedef struct _krb5_context * krb5_context; 0357 0358 struct _krb5_auth_context; 0359 typedef struct _krb5_auth_context * krb5_auth_context; 0360 0361 struct _krb5_cryptosystem_entry; 0362 0363 /* 0364 * begin "encryption.h" 0365 */ 0366 0367 /** Exposed contents of a key. */ 0368 typedef struct _krb5_keyblock { 0369 krb5_magic magic; 0370 krb5_enctype enctype; 0371 unsigned int length; 0372 krb5_octet *contents; 0373 } krb5_keyblock; 0374 0375 struct krb5_key_st; 0376 /** 0377 * Opaque identifier for a key. 0378 * 0379 * Use with the krb5_k APIs for better performance for repeated operations with 0380 * the same key and usage. Key identifiers must not be used simultaneously 0381 * within multiple threads, as they may contain mutable internal state and are 0382 * not mutex-protected. 0383 */ 0384 typedef struct krb5_key_st *krb5_key; 0385 0386 #ifdef KRB5_OLD_CRYPTO 0387 typedef struct _krb5_encrypt_block { 0388 krb5_magic magic; 0389 krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need 0390 this. it was a pointer, but it 0391 doesn't have to be. gross. */ 0392 krb5_keyblock *key; 0393 } krb5_encrypt_block; 0394 #endif 0395 0396 typedef struct _krb5_checksum { 0397 krb5_magic magic; 0398 krb5_cksumtype checksum_type; /* checksum type */ 0399 unsigned int length; 0400 krb5_octet *contents; 0401 } krb5_checksum; 0402 0403 typedef struct _krb5_enc_data { 0404 krb5_magic magic; 0405 krb5_enctype enctype; 0406 krb5_kvno kvno; 0407 krb5_data ciphertext; 0408 } krb5_enc_data; 0409 0410 /** 0411 * Structure to describe a region of text to be encrypted or decrypted. 0412 * 0413 * The @a flags member describes the type of the iov. 0414 * The @a data member points to the memory that will be manipulated. 0415 * All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's 0416 * along with the size of that array. Buffer contents are manipulated in-place; 0417 * data is overwritten. Callers must allocate the right number of krb5_crypto_iov 0418 * structures before calling into an iov API. 0419 */ 0420 typedef struct _krb5_crypto_iov { 0421 krb5_cryptotype flags; /**< iov type (see KRB5_CRYPTO_TYPE macros) */ 0422 krb5_data data; 0423 } krb5_crypto_iov; 0424 0425 /* per Kerberos v5 protocol spec */ 0426 #define ENCTYPE_NULL 0x0000 0427 #define ENCTYPE_DES_CBC_CRC 0x0001 /**< @deprecated no longer supported */ 0428 #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ 0429 #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ 0430 #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ 0431 #define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */ 0432 #define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */ 0433 #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ 0434 /* PKINIT */ 0435 #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ 0436 #define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */ 0437 #define ENCTYPE_SHA1_RSA_CMS 0x000b /**< SHA1 with RSA, CMS signature */ 0438 #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */ 0439 #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */ 0440 #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */ 0441 #define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */ 0442 0443 #define ENCTYPE_DES3_CBC_SHA1 0x0010 0444 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ 0445 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ 0446 #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ 0447 #define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014 /**< RFC 8009 */ 0448 #define ENCTYPE_ARCFOUR_HMAC 0x0017 /**< RFC 4757 */ 0449 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 /**< RFC 4757 */ 0450 #define ENCTYPE_CAMELLIA128_CTS_CMAC 0x0019 /**< RFC 6803 */ 0451 #define ENCTYPE_CAMELLIA256_CTS_CMAC 0x001a /**< RFC 6803 */ 0452 #define ENCTYPE_UNKNOWN 0x01ff 0453 0454 /* 0455 * Historically we used the value 9 for unkeyed SHA-1. RFC 3961 assigns this 0456 * value to rsa-md5-des3, which fortunately is unused. For ABI compatibility 0457 * we allow either 9 or 14 for SHA-1. 0458 */ 0459 #define CKSUMTYPE_CRC32 0x0001 0460 #define CKSUMTYPE_RSA_MD4 0x0002 0461 #define CKSUMTYPE_RSA_MD4_DES 0x0003 0462 #define CKSUMTYPE_DESCBC 0x0004 0463 /* des-mac-k */ 0464 /* rsa-md4-des-k */ 0465 #define CKSUMTYPE_RSA_MD5 0x0007 0466 #define CKSUMTYPE_RSA_MD5_DES 0x0008 0467 #define CKSUMTYPE_NIST_SHA 0x0009 0468 #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c 0469 #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */ 0470 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with 0471 ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ 0472 #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with 0473 ENCTYPE_AES256_CTS_HMAC_SHA1_96 */ 0474 #define CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013 /**< RFC 8009 */ 0475 #define CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014 /**< RFC 8009 */ 0476 #define CKSUMTYPE_CMAC_CAMELLIA128 0x0011 /**< RFC 6803 */ 0477 #define CKSUMTYPE_CMAC_CAMELLIA256 0x0012 /**< RFC 6803 */ 0478 #define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon */ 0479 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /**< RFC 4757 */ 0480 0481 /* Constants for the deprecated krb5_c_random_add_entropy() */ 0482 enum { 0483 KRB5_C_RANDSOURCE_OLDAPI = 0, 0484 KRB5_C_RANDSOURCE_OSRAND = 1, 0485 KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, 0486 KRB5_C_RANDSOURCE_TIMING = 3, 0487 KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, 0488 KRB5_C_RANDSOURCE_MAX = 5 0489 }; 0490 0491 #ifndef krb5_roundup 0492 /* round x up to nearest multiple of y */ 0493 #define krb5_roundup(x, y) ((((x) + (y) - 1)/(y))*(y)) 0494 #endif /* roundup */ 0495 0496 /* macro function definitions to help clean up code */ 0497 0498 #if 1 0499 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 0500 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 0501 #else 0502 #define krb5_x(ptr,args) ((*(ptr)) args) 0503 #define krb5_xc(ptr,args) ((*(ptr)) args) 0504 #endif 0505 0506 /** 0507 * Encrypt data using a key (operates on keyblock). 0508 * 0509 * @param [in] context Library context 0510 * @param [in] key Encryption key 0511 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0512 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 0513 * @param [in] input Data to be encrypted 0514 * @param [out] output Encrypted data 0515 * 0516 * This function encrypts the data block @a input and stores the output into @a 0517 * output. The actual encryption key will be derived from @a key and @a usage 0518 * if key derivation is specified for the encryption type. If non-null, @a 0519 * cipher_state specifies the beginning state for the encryption operation, and 0520 * is updated with the state to be passed as input to the next operation. 0521 * 0522 * @note The caller must initialize @a output and allocate at least enough 0523 * space for the result (using krb5_c_encrypt_length() to determine the amount 0524 * of space needed). @a output->length will be set to the actual length of the 0525 * ciphertext. 0526 * 0527 * @retval 0 Success; otherwise - Kerberos error codes 0528 */ 0529 krb5_error_code KRB5_CALLCONV 0530 krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, 0531 krb5_keyusage usage, const krb5_data *cipher_state, 0532 const krb5_data *input, krb5_enc_data *output); 0533 0534 /** 0535 * Decrypt data using a key (operates on keyblock). 0536 * 0537 * @param [in] context Library context 0538 * @param [in] key Encryption key 0539 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0540 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 0541 * @param [in] input Encrypted data 0542 * @param [out] output Decrypted data 0543 * 0544 * This function decrypts the data block @a input and stores the output into @a 0545 * output. The actual decryption key will be derived from @a key and @a usage 0546 * if key derivation is specified for the encryption type. If non-null, @a 0547 * cipher_state specifies the beginning state for the decryption operation, and 0548 * is updated with the state to be passed as input to the next operation. 0549 * 0550 * @note The caller must initialize @a output and allocate at least enough 0551 * space for the result. The usual practice is to allocate an output buffer as 0552 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. 0553 * For some enctypes, the resulting @a output->length may include padding 0554 * bytes. 0555 * 0556 * @retval 0 Success; otherwise - Kerberos error codes 0557 */ 0558 krb5_error_code KRB5_CALLCONV 0559 krb5_c_decrypt(krb5_context context, const krb5_keyblock *key, 0560 krb5_keyusage usage, const krb5_data *cipher_state, 0561 const krb5_enc_data *input, krb5_data *output); 0562 0563 /** 0564 * Compute encrypted data length. 0565 * 0566 * @param [in] context Library context 0567 * @param [in] enctype Encryption type 0568 * @param [in] inputlen Length of the data to be encrypted 0569 * @param [out] length Length of the encrypted data 0570 * 0571 * This function computes the length of the ciphertext produced by encrypting 0572 * @a inputlen bytes including padding, confounder, and checksum. 0573 * 0574 * @retval 0 Success; otherwise - Kerberos error codes 0575 */ 0576 krb5_error_code KRB5_CALLCONV 0577 krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, 0578 size_t inputlen, size_t *length); 0579 0580 /** 0581 * Return cipher block size. 0582 * 0583 * @param [in] context Library context 0584 * @param [in] enctype Encryption type 0585 * @param [out] blocksize Block size for @a enctype 0586 * 0587 * @retval 0 Success; otherwise - Kerberos error codes 0588 */ 0589 krb5_error_code KRB5_CALLCONV 0590 krb5_c_block_size(krb5_context context, krb5_enctype enctype, 0591 size_t *blocksize); 0592 0593 /** 0594 * Return length of the specified key in bytes. 0595 * 0596 * @param [in] context Library context 0597 * @param [in] enctype Encryption type 0598 * @param [out] keybytes Number of bytes required to make a key 0599 * @param [out] keylength Length of final key 0600 * 0601 * @retval 0 Success; otherwise - Kerberos error codes 0602 */ 0603 krb5_error_code KRB5_CALLCONV 0604 krb5_c_keylengths(krb5_context context, krb5_enctype enctype, 0605 size_t *keybytes, size_t *keylength); 0606 0607 /** 0608 * Initialize a new cipher state. 0609 * 0610 * @param [in] context Library context 0611 * @param [in] key Key 0612 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0613 * @param [out] new_state New cipher state 0614 * 0615 * @retval 0 Success; otherwise - Kerberos error codes 0616 */ 0617 krb5_error_code KRB5_CALLCONV 0618 krb5_c_init_state(krb5_context context, const krb5_keyblock *key, 0619 krb5_keyusage usage, krb5_data *new_state); 0620 0621 /** 0622 * Free a cipher state previously allocated by krb5_c_init_state(). 0623 * 0624 * @param [in] context Library context 0625 * @param [in] key Key 0626 * @param [in] state Cipher state to be freed 0627 * 0628 * @retval 0 Success; otherwise - Kerberos error codes 0629 */ 0630 krb5_error_code KRB5_CALLCONV 0631 krb5_c_free_state(krb5_context context, const krb5_keyblock *key, 0632 krb5_data *state); 0633 0634 /** 0635 * Generate enctype-specific pseudo-random bytes. 0636 * 0637 * @param [in] context Library context 0638 * @param [in] keyblock Key 0639 * @param [in] input Input data 0640 * @param [out] output Output data 0641 * 0642 * This function selects a pseudo-random function based on @a keyblock and 0643 * computes its value over @a input, placing the result into @a output. 0644 * The caller must preinitialize @a output and allocate space for the 0645 * result, using krb5_c_prf_length() to determine the required length. 0646 * 0647 * @retval 0 Success; otherwise - Kerberos error codes 0648 */ 0649 krb5_error_code KRB5_CALLCONV 0650 krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock, 0651 krb5_data *input, krb5_data *output); 0652 0653 /** 0654 * Get the output length of pseudo-random functions for an encryption type. 0655 * 0656 * @param [in] context Library context 0657 * @param [in] enctype Encryption type 0658 * @param [out] len Length of PRF output 0659 * 0660 * @retval 0 Success; otherwise - Kerberos error codes 0661 */ 0662 krb5_error_code KRB5_CALLCONV 0663 krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len); 0664 0665 /** 0666 * Generate pseudo-random bytes using RFC 6113 PRF+. 0667 * 0668 * @param [in] context Library context 0669 * @param [in] k KDC contribution key 0670 * @param [in] input Input data 0671 * @param [out] output Pseudo-random output buffer 0672 * 0673 * This function fills @a output with PRF+(k, input) as defined in RFC 6113 0674 * section 5.1. The caller must preinitialize @a output and allocate the 0675 * desired amount of space. The length of the pseudo-random output will match 0676 * the length of @a output. 0677 * 0678 * @note RFC 4402 defines a different PRF+ operation. This function does not 0679 * implement that operation. 0680 * 0681 * @return 0 on success, @c E2BIG if output->length is too large for PRF+ to 0682 * generate, @c ENOMEM on allocation failure, or an error code from 0683 * krb5_c_prf() 0684 */ 0685 krb5_error_code KRB5_CALLCONV 0686 krb5_c_prfplus(krb5_context context, const krb5_keyblock *k, 0687 const krb5_data *input, krb5_data *output); 0688 0689 /** 0690 * Derive a key using some input data (via RFC 6113 PRF+). 0691 * 0692 * @param [in] context Library context 0693 * @param [in] k KDC contribution key 0694 * @param [in] input Input string 0695 * @param [in] enctype Output key enctype (or @c ENCTYPE_NULL) 0696 * @param [out] out Derived keyblock 0697 * 0698 * This function uses PRF+ as defined in RFC 6113 to derive a key from another 0699 * key and an input string. If @a enctype is @c ENCTYPE_NULL, the output key 0700 * will have the same enctype as the input key. 0701 */ 0702 krb5_error_code KRB5_CALLCONV 0703 krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k, 0704 const krb5_data *input, krb5_enctype enctype, 0705 krb5_keyblock **out); 0706 0707 /** 0708 * Compute the KRB-FX-CF2 combination of two keys and pepper strings. 0709 * 0710 * @param [in] context Library context 0711 * @param [in] k1 KDC contribution key 0712 * @param [in] pepper1 String "PKINIT" 0713 * @param [in] k2 Reply key 0714 * @param [in] pepper2 String "KeyExchange" 0715 * @param [out] out Output key 0716 * 0717 * This function computes the KRB-FX-CF2 function over its inputs and places 0718 * the results in a newly allocated keyblock. This function is simple in that 0719 * it assumes that @a pepper1 and @a pepper2 are C strings with no internal 0720 * nulls and that the enctype of the result will be the same as that of @a k1. 0721 * @a k1 and @a k2 may be of different enctypes. 0722 * 0723 * @retval 0 Success; otherwise - Kerberos error codes 0724 */ 0725 krb5_error_code KRB5_CALLCONV 0726 krb5_c_fx_cf2_simple(krb5_context context, 0727 const krb5_keyblock *k1, const char *pepper1, 0728 const krb5_keyblock *k2, const char *pepper2, 0729 krb5_keyblock **out); 0730 0731 /** 0732 * Generate an enctype-specific random encryption key. 0733 * 0734 * @param [in] context Library context 0735 * @param [in] enctype Encryption type of the generated key 0736 * @param [out] k5_random_key An allocated and initialized keyblock 0737 * 0738 * Use krb5_free_keyblock_contents() to free @a k5_random_key when 0739 * no longer needed. 0740 * 0741 * @retval 0 Success; otherwise - Kerberos error codes 0742 */ 0743 krb5_error_code KRB5_CALLCONV 0744 krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, 0745 krb5_keyblock *k5_random_key); 0746 0747 /** 0748 * Generate an enctype-specific key from random data. 0749 * 0750 * @param [in] context Library context 0751 * @param [in] enctype Encryption type 0752 * @param [in] random_data Random input data 0753 * @param [out] k5_random_key Resulting key 0754 * 0755 * This function takes random input data @a random_data and produces a valid 0756 * key @a k5_random_key for a given @a enctype. 0757 * 0758 * @note It is assumed that @a k5_random_key has already been initialized and 0759 * @a k5_random_key->contents has been allocated with the correct length. 0760 * 0761 * @sa krb5_c_keylengths() 0762 * 0763 * @retval 0 Success; otherwise - Kerberos error codes 0764 */ 0765 krb5_error_code KRB5_CALLCONV 0766 krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, 0767 krb5_data *random_data, krb5_keyblock *k5_random_key); 0768 0769 /** @deprecated This call is no longer necessary. */ 0770 krb5_error_code KRB5_CALLCONV 0771 krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, 0772 const krb5_data *data); 0773 0774 /** 0775 * Generate pseudo-random bytes. 0776 * 0777 * @param [in] context Library context 0778 * @param [out] data Random data 0779 * 0780 * Fills in @a data with bytes from the PRNG used by krb5 crypto operations. 0781 * The caller must preinitialize @a data and allocate the desired amount of 0782 * space. 0783 * 0784 * @retval 0 Success; otherwise - Kerberos error codes 0785 */ 0786 krb5_error_code KRB5_CALLCONV 0787 krb5_c_random_make_octets(krb5_context context, krb5_data *data); 0788 0789 /** @deprecated This call is no longer necessary. */ 0790 krb5_error_code KRB5_CALLCONV 0791 krb5_c_random_os_entropy(krb5_context context, int strong, int *success); 0792 0793 /** @deprecated This call is no longer necessary. */ 0794 krb5_error_code KRB5_CALLCONV 0795 krb5_c_random_seed(krb5_context context, krb5_data *data); 0796 0797 /** 0798 * Convert a string (such a password) to a key. 0799 * 0800 * @param [in] context Library context 0801 * @param [in] enctype Encryption type 0802 * @param [in] string String to be converted 0803 * @param [in] salt Salt value 0804 * @param [out] key Generated key 0805 * 0806 * This function converts @a string to a @a key of encryption type @a enctype, 0807 * using the specified @a salt. The newly created @a key must be released by 0808 * calling krb5_free_keyblock_contents() when it is no longer needed. 0809 * 0810 * @retval 0 Success; otherwise - Kerberos error codes 0811 */ 0812 krb5_error_code KRB5_CALLCONV 0813 krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, 0814 const krb5_data *string, const krb5_data *salt, 0815 krb5_keyblock *key); 0816 0817 /** 0818 * Convert a string (such as a password) to a key with additional parameters. 0819 * 0820 * @param [in] context Library context 0821 * @param [in] enctype Encryption type 0822 * @param [in] string String to be converted 0823 * @param [in] salt Salt value 0824 * @param [in] params Parameters 0825 * @param [out] key Generated key 0826 * 0827 * This function is similar to krb5_c_string_to_key(), but also takes 0828 * parameters which may affect the algorithm in an enctype-dependent way. The 0829 * newly created @a key must be released by calling 0830 * krb5_free_keyblock_contents() when it is no longer needed. 0831 * 0832 * @retval 0 Success; otherwise - Kerberos error codes 0833 */ 0834 krb5_error_code KRB5_CALLCONV 0835 krb5_c_string_to_key_with_params(krb5_context context, 0836 krb5_enctype enctype, 0837 const krb5_data *string, 0838 const krb5_data *salt, 0839 const krb5_data *params, 0840 krb5_keyblock *key); 0841 0842 /** 0843 * Compare two encryption types. 0844 * 0845 * @param [in] context Library context 0846 * @param [in] e1 First encryption type 0847 * @param [in] e2 Second encryption type 0848 * @param [out] similar @c TRUE if types are similar, @c FALSE if not 0849 * 0850 * This function determines whether two encryption types use the same kind of 0851 * keys. 0852 * 0853 * @retval 0 Success; otherwise - Kerberos error codes 0854 */ 0855 krb5_error_code KRB5_CALLCONV 0856 krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, 0857 krb5_boolean *similar); 0858 0859 /** 0860 * Compute a checksum (operates on keyblock). 0861 * 0862 * @param [in] context Library context 0863 * @param [in] cksumtype Checksum type (0 for mandatory type) 0864 * @param [in] key Encryption key for a keyed checksum 0865 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 0866 * @param [in] input Input data 0867 * @param [out] cksum Generated checksum 0868 * 0869 * This function computes a checksum of type @a cksumtype over @a input, using 0870 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and 0871 * @a key is non-null, the checksum type will be the mandatory-to-implement 0872 * checksum type for the key's encryption type. The actual checksum key will 0873 * be derived from @a key and @a usage if key derivation is specified for the 0874 * checksum type. The newly created @a cksum must be released by calling 0875 * krb5_free_checksum_contents() when it is no longer needed. 0876 * 0877 * @note This function is similar to krb5_k_make_checksum(), but operates 0878 * on keyblock @a key. 0879 * 0880 * @sa krb5_c_verify_checksum() 0881 * 0882 * @retval 0 Success; otherwise - Kerberos error codes 0883 */ 0884 krb5_error_code KRB5_CALLCONV 0885 krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, 0886 const krb5_keyblock *key, krb5_keyusage usage, 0887 const krb5_data *input, krb5_checksum *cksum); 0888 0889 /** 0890 * Verify a checksum (operates on keyblock). 0891 * 0892 * @param [in] context Library context 0893 * @param [in] key Encryption key for a keyed checksum 0894 * @param [in] usage @a key usage 0895 * @param [in] data Data to be used to compute a new checksum 0896 * using @a key to compare @a cksum against 0897 * @param [in] cksum Checksum to be verified 0898 * @param [out] valid Non-zero for success, zero for failure 0899 * 0900 * This function verifies that @a cksum is a valid checksum for @a data. If 0901 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify 0902 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, 0903 * the mandatory checksum type for @a key will be used. The actual checksum 0904 * key will be derived from @a key and @a usage if key derivation is specified 0905 * for the checksum type. 0906 * 0907 * @note This function is similar to krb5_k_verify_checksum(), but operates 0908 * on keyblock @a key. 0909 * 0910 * @retval 0 Success; otherwise - Kerberos error codes 0911 */ 0912 krb5_error_code KRB5_CALLCONV 0913 krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, 0914 krb5_keyusage usage, const krb5_data *data, 0915 const krb5_checksum *cksum, krb5_boolean *valid); 0916 0917 /** 0918 * Return the length of checksums for a checksum type. 0919 * 0920 * @param [in] context Library context 0921 * @param [in] cksumtype Checksum type 0922 * @param [out] length Checksum length 0923 * 0924 * @retval 0 Success; otherwise - Kerberos error codes 0925 */ 0926 krb5_error_code KRB5_CALLCONV 0927 krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, 0928 size_t *length); 0929 0930 /** 0931 * Return a list of keyed checksum types usable with an encryption type. 0932 * 0933 * @param [in] context Library context 0934 * @param [in] enctype Encryption type 0935 * @param [out] count Count of allowable checksum types 0936 * @param [out] cksumtypes Array of allowable checksum types 0937 * 0938 * Use krb5_free_cksumtypes() to free @a cksumtypes when it is no longer 0939 * needed. 0940 * 0941 * @retval 0 Success; otherwise - Kerberos error codes 0942 */ 0943 krb5_error_code KRB5_CALLCONV 0944 krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, 0945 unsigned int *count, krb5_cksumtype **cksumtypes); 0946 0947 #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 0948 #define KRB5_KEYUSAGE_KDC_REP_TICKET 2 0949 #define KRB5_KEYUSAGE_AS_REP_ENCPART 3 0950 #define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4 0951 #define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5 0952 #define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6 0953 #define KRB5_KEYUSAGE_TGS_REQ_AUTH 7 0954 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8 0955 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9 0956 #define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10 0957 #define KRB5_KEYUSAGE_AP_REQ_AUTH 11 0958 #define KRB5_KEYUSAGE_AP_REP_ENCPART 12 0959 #define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13 0960 #define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14 0961 #define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15 0962 #define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16 0963 #define KRB5_KEYUSAGE_APP_DATA_CKSUM 17 0964 #define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18 0965 #define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19 0966 #define KRB5_KEYUSAGE_AD_MTE 20 0967 #define KRB5_KEYUSAGE_AD_ITE 21 0968 0969 /* XXX need to register these */ 0970 0971 #define KRB5_KEYUSAGE_GSS_TOK_MIC 22 0972 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23 0973 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24 0974 0975 /* Defined in Integrating SAM Mechanisms with Kerberos draft */ 0976 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25 0977 /* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */ 0978 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 0979 /* Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */ 0980 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 0981 0982 /* Defined in [MS-SFU] */ 0983 /* Note conflict with KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */ 0984 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 0985 /* Note conflict with KRB5_KEYUSAGE_PA_SAM_RESPONSE */ 0986 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 0987 0988 /* unused */ 0989 #define KRB5_KEYUSAGE_PA_REFERRAL 26 0990 0991 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21 0992 #define KRB5_KEYUSAGE_FINISHED 41 0993 #define KRB5_KEYUSAGE_IAKERB_FINISHED 42 0994 #define KRB5_KEYUSAGE_PA_PKINIT_KX 44 0995 #define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */ 0996 /* define in draft-ietf-krb-wg-preauth-framework*/ 0997 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 0998 #define KRB5_KEYUSAGE_FAST_ENC 51 0999 #define KRB5_KEYUSAGE_FAST_REP 52 1000 #define KRB5_KEYUSAGE_FAST_FINISHED 53 1001 #define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 1002 #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 1003 #define KRB5_KEYUSAGE_AS_REQ 56 1004 #define KRB5_KEYUSAGE_CAMMAC 64 1005 #define KRB5_KEYUSAGE_SPAKE 65 1006 1007 /* Key usage values 512-1023 are reserved for uses internal to a Kerberos 1008 * implementation. */ 1009 #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */ 1010 #define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */ 1011 1012 /** 1013 * Verify that a specified encryption type is a valid Kerberos encryption type. 1014 * 1015 * @param [in] ktype Encryption type 1016 * 1017 * @return @c TRUE if @a ktype is valid, @c FALSE if not 1018 */ 1019 krb5_boolean KRB5_CALLCONV 1020 krb5_c_valid_enctype(krb5_enctype ktype); 1021 1022 /** 1023 * Verify that specified checksum type is a valid Kerberos checksum type. 1024 * 1025 * @param [in] ctype Checksum type 1026 * 1027 * @return @c TRUE if @a ctype is valid, @c FALSE if not 1028 */ 1029 krb5_boolean KRB5_CALLCONV 1030 krb5_c_valid_cksumtype(krb5_cksumtype ctype); 1031 1032 /** 1033 * Test whether a checksum type is collision-proof. 1034 * 1035 * @param [in] ctype Checksum type 1036 * 1037 * @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not 1038 * collision-proof or not a valid checksum type. 1039 */ 1040 krb5_boolean KRB5_CALLCONV 1041 krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype); 1042 1043 /** 1044 * Test whether a checksum type is keyed. 1045 * 1046 * @param [in] ctype Checksum type 1047 * 1048 * @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise. 1049 */ 1050 krb5_boolean KRB5_CALLCONV 1051 krb5_c_is_keyed_cksum(krb5_cksumtype ctype); 1052 1053 /* AEAD APIs */ 1054 #define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */ 1055 #define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */ 1056 #define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */ 1057 #define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */ 1058 #define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */ 1059 #define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */ 1060 #define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */ 1061 #define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without 1062 decomposing the structure into 1063 header, data and trailer buffers */ 1064 1065 /** 1066 * Fill in a checksum element in IOV array (operates on keyblock) 1067 * 1068 * @param [in] context Library context 1069 * @param [in] cksumtype Checksum type (0 for mandatory type) 1070 * @param [in] key Encryption key for a keyed checksum 1071 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1072 * @param [in,out] data IOV array 1073 * @param [in] num_data Size of @a data 1074 * 1075 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over 1076 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. 1077 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. 1078 * 1079 * @note This function is similar to krb5_k_make_checksum_iov(), but operates 1080 * on keyblock @a key. 1081 * 1082 * @sa krb5_c_verify_checksum_iov() 1083 * 1084 * @retval 0 Success; otherwise - Kerberos error codes 1085 */ 1086 krb5_error_code KRB5_CALLCONV 1087 krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1088 const krb5_keyblock *key, krb5_keyusage usage, 1089 krb5_crypto_iov *data, size_t num_data); 1090 1091 /** 1092 * Validate a checksum element in IOV array (operates on keyblock). 1093 * 1094 * @param [in] context Library context 1095 * @param [in] cksumtype Checksum type (0 for mandatory type) 1096 * @param [in] key Encryption key for a keyed checksum 1097 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1098 * @param [in] data IOV array 1099 * @param [in] num_data Size of @a data 1100 * @param [out] valid Non-zero for success, zero for failure 1101 * 1102 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a 1103 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY 1104 * regions in the iov. 1105 * 1106 * @note This function is similar to krb5_k_verify_checksum_iov(), but operates 1107 * on keyblock @a key. 1108 * 1109 * @sa krb5_c_make_checksum_iov() 1110 * 1111 * @retval 0 Success; otherwise - Kerberos error codes 1112 */ 1113 krb5_error_code KRB5_CALLCONV 1114 krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1115 const krb5_keyblock *key, krb5_keyusage usage, 1116 const krb5_crypto_iov *data, size_t num_data, 1117 krb5_boolean *valid); 1118 1119 /** 1120 * Encrypt data in place supporting AEAD (operates on keyblock). 1121 * 1122 * @param [in] context Library context 1123 * @param [in] keyblock Encryption key 1124 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1125 * @param [in] cipher_state Cipher state; specify NULL if not needed 1126 * @param [in,out] data IOV array. Modified in-place. 1127 * @param [in] num_data Size of @a data 1128 * 1129 * This function encrypts the data block @a data and stores the output in-place. 1130 * The actual encryption key will be derived from @a keyblock and @a usage 1131 * if key derivation is specified for the encryption type. If non-null, @a 1132 * cipher_state specifies the beginning state for the encryption operation, and 1133 * is updated with the state to be passed as input to the next operation. 1134 * The caller must allocate the right number of krb5_crypto_iov 1135 * structures before calling into this API. 1136 * 1137 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the 1138 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1139 * For example, if the padding length is too large, the length will be reduced. 1140 * Lengths are never increased. 1141 * 1142 * @note This function is similar to krb5_k_encrypt_iov(), but operates 1143 * on keyblock @a keyblock. 1144 * 1145 * @sa krb5_c_decrypt_iov() 1146 * 1147 * @retval 0 Success; otherwise - Kerberos error codes 1148 */ 1149 krb5_error_code KRB5_CALLCONV 1150 krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, 1151 krb5_keyusage usage, const krb5_data *cipher_state, 1152 krb5_crypto_iov *data, size_t num_data); 1153 1154 /** 1155 * Decrypt data in place supporting AEAD (operates on keyblock). 1156 * 1157 * @param [in] context Library context 1158 * @param [in] keyblock Encryption key 1159 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1160 * @param [in] cipher_state Cipher state; specify NULL if not needed 1161 * @param [in,out] data IOV array. Modified in-place. 1162 * @param [in] num_data Size of @a data 1163 * 1164 * This function decrypts the data block @a data and stores the output in-place. 1165 * The actual decryption key will be derived from @a keyblock and @a usage 1166 * if key derivation is specified for the encryption type. If non-null, @a 1167 * cipher_state specifies the beginning state for the decryption operation, and 1168 * is updated with the state to be passed as input to the next operation. 1169 * The caller must allocate the right number of krb5_crypto_iov 1170 * structures before calling into this API. 1171 * 1172 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the 1173 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1174 * For example, if the padding length is too large, the length will be reduced. 1175 * Lengths are never increased. 1176 * 1177 * @note This function is similar to krb5_k_decrypt_iov(), but operates 1178 * on keyblock @a keyblock. 1179 * 1180 * @sa krb5_c_decrypt_iov() 1181 * 1182 * @retval 0 Success; otherwise - Kerberos error codes 1183 */ 1184 krb5_error_code KRB5_CALLCONV 1185 krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, 1186 krb5_keyusage usage, const krb5_data *cipher_state, 1187 krb5_crypto_iov *data, size_t num_data); 1188 1189 /** 1190 * Return a length of a message field specific to the encryption type. 1191 * 1192 * @param [in] context Library context 1193 * @param [in] enctype Encryption type 1194 * @param [in] type Type field (See KRB5_CRYPTO_TYPE macros) 1195 * @param [out] size Length of the @a type specific to @a enctype 1196 * 1197 * @retval 0 Success; otherwise - Kerberos error codes 1198 */ 1199 krb5_error_code KRB5_CALLCONV 1200 krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, 1201 krb5_cryptotype type, unsigned int *size); 1202 1203 /** 1204 * Fill in lengths for header, trailer and padding in a IOV array. 1205 * 1206 * @param [in] context Library context 1207 * @param [in] enctype Encryption type 1208 * @param [in,out] data IOV array 1209 * @param [in] num_data Size of @a data 1210 * 1211 * Padding is set to the actual padding required based on the provided 1212 * @a data buffers. Typically this API is used after setting up the data 1213 * buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually 1214 * allocating header, trailer and padding. 1215 * 1216 * @retval 0 Success; otherwise - Kerberos error codes 1217 */ 1218 krb5_error_code KRB5_CALLCONV 1219 krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, 1220 krb5_crypto_iov *data, size_t num_data); 1221 1222 /** 1223 * Return a number of padding octets. 1224 * 1225 * @param [in] context Library context 1226 * @param [in] enctype Encryption type 1227 * @param [in] data_length Length of the plaintext to pad 1228 * @param [out] size Number of padding octets 1229 * 1230 * This function returns the number of the padding octets required to pad 1231 * @a data_length octets of plaintext. 1232 * 1233 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE 1234 */ 1235 krb5_error_code KRB5_CALLCONV 1236 krb5_c_padding_length(krb5_context context, krb5_enctype enctype, 1237 size_t data_length, unsigned int *size); 1238 1239 /** 1240 * Create a krb5_key from the enctype and key data in a keyblock. 1241 * 1242 * @param [in] context Library context 1243 * @param [in] key_data Keyblock 1244 * @param [out] out Opaque key 1245 * 1246 * The reference count on a key @a out is set to 1. 1247 * Use krb5_k_free_key() to free @a out when it is no longer needed. 1248 * 1249 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE 1250 */ 1251 krb5_error_code KRB5_CALLCONV 1252 krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data, 1253 krb5_key *out); 1254 1255 /** Increment the reference count on a key. */ 1256 void KRB5_CALLCONV 1257 krb5_k_reference_key(krb5_context context, krb5_key key); 1258 1259 /** Decrement the reference count on a key and free it if it hits zero. */ 1260 void KRB5_CALLCONV 1261 krb5_k_free_key(krb5_context context, krb5_key key); 1262 1263 /** Retrieve a copy of the keyblock from a krb5_key structure. */ 1264 krb5_error_code KRB5_CALLCONV 1265 krb5_k_key_keyblock(krb5_context context, krb5_key key, 1266 krb5_keyblock **key_data); 1267 1268 /** Retrieve the enctype of a krb5_key structure. */ 1269 krb5_enctype KRB5_CALLCONV 1270 krb5_k_key_enctype(krb5_context context, krb5_key key); 1271 1272 /** 1273 * Encrypt data using a key (operates on opaque key). 1274 * 1275 * @param [in] context Library context 1276 * @param [in] key Encryption key 1277 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1278 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 1279 * @param [in] input Data to be encrypted 1280 * @param [out] output Encrypted data 1281 * 1282 * This function encrypts the data block @a input and stores the output into @a 1283 * output. The actual encryption key will be derived from @a key and @a usage 1284 * if key derivation is specified for the encryption type. If non-null, @a 1285 * cipher_state specifies the beginning state for the encryption operation, and 1286 * is updated with the state to be passed as input to the next operation. 1287 * 1288 * @note The caller must initialize @a output and allocate at least enough 1289 * space for the result (using krb5_c_encrypt_length() to determine the amount 1290 * of space needed). @a output->length will be set to the actual length of the 1291 * ciphertext. 1292 * 1293 * @retval 0 Success; otherwise - Kerberos error codes 1294 */ 1295 krb5_error_code KRB5_CALLCONV 1296 krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, 1297 const krb5_data *cipher_state, const krb5_data *input, 1298 krb5_enc_data *output); 1299 1300 /** 1301 * Encrypt data in place supporting AEAD (operates on opaque key). 1302 * 1303 * @param [in] context Library context 1304 * @param [in] key Encryption key 1305 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1306 * @param [in] cipher_state Cipher state; specify NULL if not needed 1307 * @param [in,out] data IOV array. Modified in-place. 1308 * @param [in] num_data Size of @a data 1309 * 1310 * This function encrypts the data block @a data and stores the output in-place. 1311 * The actual encryption key will be derived from @a key and @a usage 1312 * if key derivation is specified for the encryption type. If non-null, @a 1313 * cipher_state specifies the beginning state for the encryption operation, and 1314 * is updated with the state to be passed as input to the next operation. 1315 * The caller must allocate the right number of krb5_crypto_iov 1316 * structures before calling into this API. 1317 * 1318 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the 1319 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1320 * For example, if the padding length is too large, the length will be reduced. 1321 * Lengths are never increased. 1322 * 1323 * @note This function is similar to krb5_c_encrypt_iov(), but operates 1324 * on opaque key @a key. 1325 * 1326 * @sa krb5_k_decrypt_iov() 1327 * 1328 * @retval 0 Success; otherwise - Kerberos error codes 1329 */ 1330 krb5_error_code KRB5_CALLCONV 1331 krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, 1332 const krb5_data *cipher_state, krb5_crypto_iov *data, 1333 size_t num_data); 1334 1335 /** 1336 * Decrypt data using a key (operates on opaque key). 1337 * 1338 * @param [in] context Library context 1339 * @param [in] key Encryption key 1340 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1341 * @param [in,out] cipher_state Cipher state; specify NULL if not needed 1342 * @param [in] input Encrypted data 1343 * @param [out] output Decrypted data 1344 * 1345 * This function decrypts the data block @a input and stores the output into @a 1346 * output. The actual decryption key will be derived from @a key and @a usage 1347 * if key derivation is specified for the encryption type. If non-null, @a 1348 * cipher_state specifies the beginning state for the decryption operation, and 1349 * is updated with the state to be passed as input to the next operation. 1350 * 1351 * @note The caller must initialize @a output and allocate at least enough 1352 * space for the result. The usual practice is to allocate an output buffer as 1353 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. 1354 * For some enctypes, the resulting @a output->length may include padding 1355 * bytes. 1356 * 1357 * @retval 0 Success; otherwise - Kerberos error codes 1358 */ 1359 krb5_error_code KRB5_CALLCONV 1360 krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, 1361 const krb5_data *cipher_state, const krb5_enc_data *input, 1362 krb5_data *output); 1363 1364 /** 1365 * Decrypt data in place supporting AEAD (operates on opaque key). 1366 * 1367 * @param [in] context Library context 1368 * @param [in] key Encryption key 1369 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1370 * @param [in] cipher_state Cipher state; specify NULL if not needed 1371 * @param [in,out] data IOV array. Modified in-place. 1372 * @param [in] num_data Size of @a data 1373 * 1374 * This function decrypts the data block @a data and stores the output in-place. 1375 * The actual decryption key will be derived from @a key and @a usage 1376 * if key derivation is specified for the encryption type. If non-null, @a 1377 * cipher_state specifies the beginning state for the decryption operation, and 1378 * is updated with the state to be passed as input to the next operation. 1379 * The caller must allocate the right number of krb5_crypto_iov 1380 * structures before calling into this API. 1381 * 1382 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the 1383 * iov structure are adjusted to reflect actual lengths of the ciphertext used. 1384 * For example, if the padding length is too large, the length will be reduced. 1385 * Lengths are never increased. 1386 * 1387 * @note This function is similar to krb5_c_decrypt_iov(), but operates 1388 * on opaque key @a key. 1389 * 1390 * @sa krb5_k_encrypt_iov() 1391 * 1392 * @retval 0 Success; otherwise - Kerberos error codes 1393 */ 1394 krb5_error_code KRB5_CALLCONV 1395 krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, 1396 const krb5_data *cipher_state, krb5_crypto_iov *data, 1397 size_t num_data); 1398 /** 1399 * Compute a checksum (operates on opaque key). 1400 * 1401 * @param [in] context Library context 1402 * @param [in] cksumtype Checksum type (0 for mandatory type) 1403 * @param [in] key Encryption key for a keyed checksum 1404 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1405 * @param [in] input Input data 1406 * @param [out] cksum Generated checksum 1407 * 1408 * This function computes a checksum of type @a cksumtype over @a input, using 1409 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and 1410 * @a key is non-null, the checksum type will be the mandatory-to-implement 1411 * checksum type for the key's encryption type. The actual checksum key will 1412 * be derived from @a key and @a usage if key derivation is specified for the 1413 * checksum type. The newly created @a cksum must be released by calling 1414 * krb5_free_checksum_contents() when it is no longer needed. 1415 * 1416 * @note This function is similar to krb5_c_make_checksum(), but operates 1417 * on opaque @a key. 1418 * 1419 * @sa krb5_c_verify_checksum() 1420 * 1421 * @retval 0 Success; otherwise - Kerberos error codes 1422 */ 1423 krb5_error_code KRB5_CALLCONV 1424 krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, 1425 krb5_key key, krb5_keyusage usage, const krb5_data *input, 1426 krb5_checksum *cksum); 1427 1428 /** 1429 * Fill in a checksum element in IOV array (operates on opaque key) 1430 * 1431 * @param [in] context Library context 1432 * @param [in] cksumtype Checksum type (0 for mandatory type) 1433 * @param [in] key Encryption key for a keyed checksum 1434 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1435 * @param [in,out] data IOV array 1436 * @param [in] num_data Size of @a data 1437 * 1438 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over 1439 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. 1440 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. 1441 * 1442 * @note This function is similar to krb5_c_make_checksum_iov(), but operates 1443 * on opaque @a key. 1444 * 1445 * @sa krb5_k_verify_checksum_iov() 1446 * 1447 * @retval 0 Success; otherwise - Kerberos error codes 1448 */ 1449 krb5_error_code KRB5_CALLCONV 1450 krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1451 krb5_key key, krb5_keyusage usage, 1452 krb5_crypto_iov *data, size_t num_data); 1453 1454 /** 1455 * Verify a checksum (operates on opaque key). 1456 * 1457 * @param [in] context Library context 1458 * @param [in] key Encryption key for a keyed checksum 1459 * @param [in] usage @a key usage 1460 * @param [in] data Data to be used to compute a new checksum 1461 * using @a key to compare @a cksum against 1462 * @param [in] cksum Checksum to be verified 1463 * @param [out] valid Non-zero for success, zero for failure 1464 * 1465 * This function verifies that @a cksum is a valid checksum for @a data. If 1466 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify 1467 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, 1468 * the mandatory checksum type for @a key will be used. The actual checksum 1469 * key will be derived from @a key and @a usage if key derivation is specified 1470 * for the checksum type. 1471 * 1472 * @note This function is similar to krb5_c_verify_checksum(), but operates 1473 * on opaque @a key. 1474 * 1475 * @retval 0 Success; otherwise - Kerberos error codes 1476 */ 1477 krb5_error_code KRB5_CALLCONV 1478 krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, 1479 const krb5_data *data, const krb5_checksum *cksum, 1480 krb5_boolean *valid); 1481 1482 /** 1483 * Validate a checksum element in IOV array (operates on opaque key). 1484 * 1485 * @param [in] context Library context 1486 * @param [in] cksumtype Checksum type (0 for mandatory type) 1487 * @param [in] key Encryption key for a keyed checksum 1488 * @param [in] usage Key usage (see KRB5_KEYUSAGE macros) 1489 * @param [in] data IOV array 1490 * @param [in] num_data Size of @a data 1491 * @param [out] valid Non-zero for success, zero for failure 1492 * 1493 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a 1494 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY 1495 * regions in the iov. 1496 * 1497 * @note This function is similar to krb5_c_verify_checksum_iov(), but operates 1498 * on opaque @a key. 1499 * 1500 * @sa krb5_k_make_checksum_iov() 1501 * 1502 * @retval 0 Success; otherwise - Kerberos error codes 1503 */ 1504 krb5_error_code KRB5_CALLCONV 1505 krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, 1506 krb5_key key, krb5_keyusage usage, 1507 const krb5_crypto_iov *data, size_t num_data, 1508 krb5_boolean *valid); 1509 1510 /** 1511 * Generate enctype-specific pseudo-random bytes (operates on opaque key). 1512 * 1513 * @param [in] context Library context 1514 * @param [in] key Key 1515 * @param [in] input Input data 1516 * @param [out] output Output data 1517 * 1518 * This function selects a pseudo-random function based on @a key and 1519 * computes its value over @a input, placing the result into @a output. 1520 * The caller must preinitialize @a output and allocate space for the 1521 * result. 1522 * 1523 * @note This function is similar to krb5_c_prf(), but operates 1524 * on opaque @a key. 1525 * 1526 * @retval 0 Success; otherwise - Kerberos error codes 1527 */ 1528 krb5_error_code KRB5_CALLCONV 1529 krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output); 1530 1531 #ifdef KRB5_OLD_CRYPTO 1532 /* 1533 * old cryptosystem routine prototypes. These are now layered 1534 * on top of the functions above. 1535 */ 1536 /** @deprecated Replaced by krb5_c_* API family.*/ 1537 krb5_error_code KRB5_CALLCONV 1538 krb5_encrypt(krb5_context context, krb5_const_pointer inptr, 1539 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, 1540 krb5_pointer ivec); 1541 1542 /** @deprecated Replaced by krb5_c_* API family. */ 1543 krb5_error_code KRB5_CALLCONV 1544 krb5_decrypt(krb5_context context, krb5_const_pointer inptr, 1545 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, 1546 krb5_pointer ivec); 1547 1548 /** @deprecated Replaced by krb5_c_* API family. */ 1549 krb5_error_code KRB5_CALLCONV 1550 krb5_process_key(krb5_context context, krb5_encrypt_block *eblock, 1551 const krb5_keyblock * key); 1552 1553 /** @deprecated Replaced by krb5_c_* API family. */ 1554 krb5_error_code KRB5_CALLCONV 1555 krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock); 1556 1557 /** @deprecated See krb5_c_string_to_key() */ 1558 krb5_error_code KRB5_CALLCONV 1559 krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock, 1560 krb5_keyblock * keyblock, const krb5_data *data, 1561 const krb5_data *salt); 1562 1563 /** @deprecated Replaced by krb5_c_* API family. */ 1564 krb5_error_code KRB5_CALLCONV 1565 krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1566 const krb5_keyblock *keyblock, krb5_pointer *ptr); 1567 1568 /** @deprecated Replaced by krb5_c_* API family. */ 1569 krb5_error_code KRB5_CALLCONV 1570 krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1571 krb5_pointer *ptr); 1572 1573 /** @deprecated Replaced by krb5_c_* API family. */ 1574 krb5_error_code KRB5_CALLCONV 1575 krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock, 1576 krb5_pointer ptr, krb5_keyblock **keyblock); 1577 1578 /** @deprecated Replaced by krb5_c_* API family. */ 1579 krb5_enctype KRB5_CALLCONV 1580 krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock); 1581 1582 /** @deprecated Replaced by krb5_c_* API family. */ 1583 krb5_error_code KRB5_CALLCONV 1584 krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock, 1585 krb5_enctype enctype); 1586 1587 /** @deprecated Replaced by krb5_c_* API family. */ 1588 size_t KRB5_CALLCONV 1589 krb5_encrypt_size(size_t length, krb5_enctype crypto); 1590 1591 /** @deprecated See krb5_c_checksum_length() */ 1592 size_t KRB5_CALLCONV 1593 krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); 1594 1595 /** @deprecated See krb5_c_make_checksum() */ 1596 krb5_error_code KRB5_CALLCONV 1597 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, 1598 krb5_const_pointer in, size_t in_length, 1599 krb5_const_pointer seed, size_t seed_length, 1600 krb5_checksum * outcksum); 1601 1602 /** @deprecated See krb5_c_verify_checksum() */ 1603 krb5_error_code KRB5_CALLCONV 1604 krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, 1605 const krb5_checksum * cksum, krb5_const_pointer in, 1606 size_t in_length, krb5_const_pointer seed, 1607 size_t seed_length); 1608 1609 #endif /* KRB5_OLD_CRYPTO */ 1610 1611 /* 1612 * end "encryption.h" 1613 */ 1614 1615 /* 1616 * begin "fieldbits.h" 1617 */ 1618 1619 /* kdc_options for kdc_request */ 1620 /* options is 32 bits; each host is responsible to put the 4 bytes 1621 representing these bits into net order before transmission */ 1622 /* #define KDC_OPT_RESERVED 0x80000000 */ 1623 #define KDC_OPT_FORWARDABLE 0x40000000 1624 #define KDC_OPT_FORWARDED 0x20000000 1625 #define KDC_OPT_PROXIABLE 0x10000000 1626 #define KDC_OPT_PROXY 0x08000000 1627 #define KDC_OPT_ALLOW_POSTDATE 0x04000000 1628 #define KDC_OPT_POSTDATED 0x02000000 1629 /* #define KDC_OPT_UNUSED 0x01000000 */ 1630 #define KDC_OPT_RENEWABLE 0x00800000 1631 /* #define KDC_OPT_UNUSED 0x00400000 */ 1632 /* #define KDC_OPT_RESERVED 0x00200000 */ 1633 /* #define KDC_OPT_RESERVED 0x00100000 */ 1634 /* #define KDC_OPT_RESERVED 0x00080000 */ 1635 /* #define KDC_OPT_RESERVED 0x00040000 */ 1636 #define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000 1637 #define KDC_OPT_CANONICALIZE 0x00010000 1638 #define KDC_OPT_REQUEST_ANONYMOUS 0x00008000 1639 /* #define KDC_OPT_RESERVED 0x00004000 */ 1640 /* #define KDC_OPT_RESERVED 0x00002000 */ 1641 /* #define KDC_OPT_RESERVED 0x00001000 */ 1642 /* #define KDC_OPT_RESERVED 0x00000800 */ 1643 /* #define KDC_OPT_RESERVED 0x00000400 */ 1644 /* #define KDC_OPT_RESERVED 0x00000200 */ 1645 /* #define KDC_OPT_RESERVED 0x00000100 */ 1646 /* #define KDC_OPT_RESERVED 0x00000080 */ 1647 /* #define KDC_OPT_RESERVED 0x00000040 */ 1648 #define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020 1649 #define KDC_OPT_RENEWABLE_OK 0x00000010 1650 #define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008 1651 /* #define KDC_OPT_UNUSED 0x00000004 */ 1652 #define KDC_OPT_RENEW 0x00000002 1653 #define KDC_OPT_VALIDATE 0x00000001 1654 1655 /* 1656 * Mask of ticket flags in the TGT which should be converted into KDC 1657 * options when using the TGT to get derivative tickets. 1658 * 1659 * New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | 1660 * KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE 1661 */ 1662 #define KDC_TKT_COMMON_MASK 0x54800000 1663 1664 /* definitions for ap_options fields */ 1665 1666 /* 1667 * ap_options are 32 bits; each host is responsible to put the 4 bytes 1668 * representing these bits into net order before transmission 1669 */ 1670 #define AP_OPTS_RESERVED 0x80000000 1671 #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */ 1672 #define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual 1673 authentication exchange */ 1674 #define AP_OPTS_CBT_FLAG 0x00000004 /* include KERB_AP_OPTIONS_CBT */ 1675 #define AP_OPTS_ETYPE_NEGOTIATION 0x00000002 1676 #define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key 1677 from the current session key 1678 obtained from the 1679 credentials */ 1680 /* #define AP_OPTS_RESERVED 0x10000000 */ 1681 /* #define AP_OPTS_RESERVED 0x08000000 */ 1682 /* #define AP_OPTS_RESERVED 0x04000000 */ 1683 /* #define AP_OPTS_RESERVED 0x02000000 */ 1684 /* #define AP_OPTS_RESERVED 0x01000000 */ 1685 /* #define AP_OPTS_RESERVED 0x00800000 */ 1686 /* #define AP_OPTS_RESERVED 0x00400000 */ 1687 /* #define AP_OPTS_RESERVED 0x00200000 */ 1688 /* #define AP_OPTS_RESERVED 0x00100000 */ 1689 /* #define AP_OPTS_RESERVED 0x00080000 */ 1690 /* #define AP_OPTS_RESERVED 0x00040000 */ 1691 /* #define AP_OPTS_RESERVED 0x00020000 */ 1692 /* #define AP_OPTS_RESERVED 0x00010000 */ 1693 /* #define AP_OPTS_RESERVED 0x00008000 */ 1694 /* #define AP_OPTS_RESERVED 0x00004000 */ 1695 /* #define AP_OPTS_RESERVED 0x00002000 */ 1696 /* #define AP_OPTS_RESERVED 0x00001000 */ 1697 /* #define AP_OPTS_RESERVED 0x00000800 */ 1698 /* #define AP_OPTS_RESERVED 0x00000400 */ 1699 /* #define AP_OPTS_RESERVED 0x00000200 */ 1700 /* #define AP_OPTS_RESERVED 0x00000100 */ 1701 /* #define AP_OPTS_RESERVED 0x00000080 */ 1702 /* #define AP_OPTS_RESERVED 0x00000040 */ 1703 /* #define AP_OPTS_RESERVED 0x00000020 */ 1704 /* #define AP_OPTS_RESERVED 0x00000010 */ 1705 /* #define AP_OPTS_RESERVED 0x00000008 */ 1706 1707 1708 #define AP_OPTS_WIRE_MASK 0xfffffff0 1709 1710 /* definitions for ad_type fields. */ 1711 #define AD_TYPE_RESERVED 0x8000 1712 #define AD_TYPE_EXTERNAL 0x4000 1713 #define AD_TYPE_REGISTERED 0x2000 1714 1715 #define AD_TYPE_FIELD_TYPE_MASK 0x1fff 1716 1717 /* Ticket flags */ 1718 /* flags are 32 bits; each host is responsible to put the 4 bytes 1719 representing these bits into net order before transmission */ 1720 /* #define TKT_FLG_RESERVED 0x80000000 */ 1721 #define TKT_FLG_FORWARDABLE 0x40000000 1722 #define TKT_FLG_FORWARDED 0x20000000 1723 #define TKT_FLG_PROXIABLE 0x10000000 1724 #define TKT_FLG_PROXY 0x08000000 1725 #define TKT_FLG_MAY_POSTDATE 0x04000000 1726 #define TKT_FLG_POSTDATED 0x02000000 1727 #define TKT_FLG_INVALID 0x01000000 1728 #define TKT_FLG_RENEWABLE 0x00800000 1729 #define TKT_FLG_INITIAL 0x00400000 1730 #define TKT_FLG_PRE_AUTH 0x00200000 1731 #define TKT_FLG_HW_AUTH 0x00100000 1732 #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000 1733 #define TKT_FLG_OK_AS_DELEGATE 0x00040000 1734 #define TKT_FLG_ENC_PA_REP 0x00010000 1735 #define TKT_FLG_ANONYMOUS 0x00008000 1736 /* #define TKT_FLG_RESERVED 0x00004000 */ 1737 /* #define TKT_FLG_RESERVED 0x00002000 */ 1738 /* #define TKT_FLG_RESERVED 0x00001000 */ 1739 /* #define TKT_FLG_RESERVED 0x00000800 */ 1740 /* #define TKT_FLG_RESERVED 0x00000400 */ 1741 /* #define TKT_FLG_RESERVED 0x00000200 */ 1742 /* #define TKT_FLG_RESERVED 0x00000100 */ 1743 /* #define TKT_FLG_RESERVED 0x00000080 */ 1744 /* #define TKT_FLG_RESERVED 0x00000040 */ 1745 /* #define TKT_FLG_RESERVED 0x00000020 */ 1746 /* #define TKT_FLG_RESERVED 0x00000010 */ 1747 /* #define TKT_FLG_RESERVED 0x00000008 */ 1748 /* #define TKT_FLG_RESERVED 0x00000004 */ 1749 /* #define TKT_FLG_RESERVED 0x00000002 */ 1750 /* #define TKT_FLG_RESERVED 0x00000001 */ 1751 1752 /* definitions for lr_type fields. */ 1753 #define LR_TYPE_THIS_SERVER_ONLY 0x8000 1754 1755 #define LR_TYPE_INTERPRETATION_MASK 0x7fff 1756 1757 /* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */ 1758 #define MSEC_DIRBIT 0x8000 1759 #define MSEC_VAL_MASK 0x7fff 1760 1761 /* 1762 * end "fieldbits.h" 1763 */ 1764 1765 /* 1766 * begin "proto.h" 1767 */ 1768 1769 /** Protocol version number */ 1770 #define KRB5_PVNO 5 1771 1772 /* Message types */ 1773 1774 #define KRB5_AS_REQ ((krb5_msgtype)10) /**< Initial authentication request */ 1775 #define KRB5_AS_REP ((krb5_msgtype)11) /**< Response to AS request */ 1776 #define KRB5_TGS_REQ ((krb5_msgtype)12) /**< Ticket granting server request */ 1777 #define KRB5_TGS_REP ((krb5_msgtype)13) /**< Response to TGS request */ 1778 #define KRB5_AP_REQ ((krb5_msgtype)14) /**< Auth req to application server */ 1779 #define KRB5_AP_REP ((krb5_msgtype)15) /**< Response to mutual AP request */ 1780 #define KRB5_SAFE ((krb5_msgtype)20) /**< Safe application message */ 1781 #define KRB5_PRIV ((krb5_msgtype)21) /**< Private application message */ 1782 #define KRB5_CRED ((krb5_msgtype)22) /**< Cred forwarding message */ 1783 #define KRB5_ERROR ((krb5_msgtype)30) /**< Error response */ 1784 1785 /* LastReq types */ 1786 #define KRB5_LRQ_NONE 0 1787 #define KRB5_LRQ_ALL_LAST_TGT 1 1788 #define KRB5_LRQ_ONE_LAST_TGT (-1) 1789 #define KRB5_LRQ_ALL_LAST_INITIAL 2 1790 #define KRB5_LRQ_ONE_LAST_INITIAL (-2) 1791 #define KRB5_LRQ_ALL_LAST_TGT_ISSUED 3 1792 #define KRB5_LRQ_ONE_LAST_TGT_ISSUED (-3) 1793 #define KRB5_LRQ_ALL_LAST_RENEWAL 4 1794 #define KRB5_LRQ_ONE_LAST_RENEWAL (-4) 1795 #define KRB5_LRQ_ALL_LAST_REQ 5 1796 #define KRB5_LRQ_ONE_LAST_REQ (-5) 1797 #define KRB5_LRQ_ALL_PW_EXPTIME 6 1798 #define KRB5_LRQ_ONE_PW_EXPTIME (-6) 1799 #define KRB5_LRQ_ALL_ACCT_EXPTIME 7 1800 #define KRB5_LRQ_ONE_ACCT_EXPTIME (-7) 1801 1802 /* PADATA types */ 1803 #define KRB5_PADATA_NONE 0 1804 #define KRB5_PADATA_AP_REQ 1 1805 #define KRB5_PADATA_TGS_REQ KRB5_PADATA_AP_REQ 1806 #define KRB5_PADATA_ENC_TIMESTAMP 2 /**< RFC 4120 */ 1807 #define KRB5_PADATA_PW_SALT 3 /**< RFC 4120 */ 1808 #if 0 /* Not used */ 1809 #define KRB5_PADATA_ENC_ENCKEY 4 /* Key encrypted within itself */ 1810 #endif 1811 #define KRB5_PADATA_ENC_UNIX_TIME 5 /**< timestamp encrypted in key. RFC 4120 */ 1812 #define KRB5_PADATA_ENC_SANDIA_SECURID 6 /**< SecurId passcode. RFC 4120 */ 1813 #define KRB5_PADATA_SESAME 7 /**< Sesame project. RFC 4120 */ 1814 #define KRB5_PADATA_OSF_DCE 8 /**< OSF DCE. RFC 4120 */ 1815 #define KRB5_CYBERSAFE_SECUREID 9 /**< Cybersafe. RFC 4120 */ 1816 #define KRB5_PADATA_AFS3_SALT 10 /**< Cygnus. RFC 4120, 3961 */ 1817 #define KRB5_PADATA_ETYPE_INFO 11 /**< Etype info for preauth. RFC 4120 */ 1818 #define KRB5_PADATA_SAM_CHALLENGE 12 /**< SAM/OTP */ 1819 #define KRB5_PADATA_SAM_RESPONSE 13 /**< SAM/OTP */ 1820 #define KRB5_PADATA_PK_AS_REQ_OLD 14 /**< PKINIT */ 1821 #define KRB5_PADATA_PK_AS_REP_OLD 15 /**< PKINIT */ 1822 #define KRB5_PADATA_PK_AS_REQ 16 /**< PKINIT. RFC 4556 */ 1823 #define KRB5_PADATA_PK_AS_REP 17 /**< PKINIT. RFC 4556 */ 1824 #define KRB5_PADATA_ETYPE_INFO2 19 /**< RFC 4120 */ 1825 #define KRB5_PADATA_USE_SPECIFIED_KVNO 20 /**< RFC 4120 */ 1826 #define KRB5_PADATA_SVR_REFERRAL_INFO 20 /**< Windows 2000 referrals. RFC 6820 */ 1827 #define KRB5_PADATA_SAM_REDIRECT 21 /**< SAM/OTP. RFC 4120 */ 1828 #define KRB5_PADATA_GET_FROM_TYPED_DATA 22 /**< Embedded in typed data. RFC 4120 */ 1829 #define KRB5_PADATA_REFERRAL 25 /**< draft referral system */ 1830 #define KRB5_PADATA_SAM_CHALLENGE_2 30 /**< draft challenge system, updated */ 1831 #define KRB5_PADATA_SAM_RESPONSE_2 31 /**< draft challenge system, updated */ 1832 /* MS-KILE */ 1833 #define KRB5_PADATA_PAC_REQUEST 128 /**< include Windows PAC */ 1834 #define KRB5_PADATA_FOR_USER 129 /**< username protocol transition request */ 1835 #define KRB5_PADATA_S4U_X509_USER 130 /**< certificate protocol transition request */ 1836 #define KRB5_PADATA_AS_CHECKSUM 132 /**< AS checksum */ 1837 #define KRB5_PADATA_FX_COOKIE 133 /**< RFC 6113 */ 1838 #define KRB5_PADATA_FX_FAST 136 /**< RFC 6113 */ 1839 #define KRB5_PADATA_FX_ERROR 137 /**< RFC 6113 */ 1840 #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 /**< RFC 6113 */ 1841 #define KRB5_PADATA_OTP_CHALLENGE 141 /**< RFC 6560 section 4.1 */ 1842 #define KRB5_PADATA_OTP_REQUEST 142 /**< RFC 6560 section 4.2 */ 1843 #define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */ 1844 #define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */ 1845 #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */ 1846 #define KRB5_PADATA_AS_FRESHNESS 150 /**< RFC 8070 */ 1847 #define KRB5_PADATA_SPAKE 151 1848 #define KRB5_PADATA_REDHAT_IDP_OAUTH2 152 /**< Red Hat IdP mechanism */ 1849 #define KRB5_PADATA_REDHAT_PASSKEY 153 /**< Red Hat Passkey mechanism */ 1850 #define KRB5_PADATA_PAC_OPTIONS 167 /**< MS-KILE and MS-SFU */ 1851 1852 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 1853 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 1854 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /**< currently must be zero */ 1855 1856 /** Transited encoding types */ 1857 #define KRB5_DOMAIN_X500_COMPRESS 1 1858 1859 /** alternate authentication types */ 1860 #define KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE 64 1861 1862 /* authorization data types. See RFC 4120 section 5.2.6 */ 1863 1864 #define KRB5_AUTHDATA_IF_RELEVANT 1 1865 #define KRB5_AUTHDATA_KDC_ISSUED 4 1866 #define KRB5_AUTHDATA_AND_OR 5 1867 #define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8 1868 #define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9 1869 #define KRB5_AUTHDATA_OSF_DCE 64 1870 #define KRB5_AUTHDATA_SESAME 65 1871 #define KRB5_AUTHDATA_CAMMAC 96 1872 #define KRB5_AUTHDATA_WIN2K_PAC 128 1873 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /**< RFC 4537 */ 1874 #define KRB5_AUTHDATA_SIGNTICKET 512 /**< @deprecated use PAC */ 1875 #define KRB5_AUTHDATA_FX_ARMOR 71 1876 #define KRB5_AUTHDATA_AUTH_INDICATOR 97 1877 #define KRB5_AUTHDATA_AP_OPTIONS 143 1878 1879 /* password change constants */ 1880 #define KRB5_KPASSWD_SUCCESS 0 /**< Success */ 1881 #define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */ 1882 #define KRB5_KPASSWD_HARDERROR 2 /**< Server error */ 1883 #define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */ 1884 #define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */ 1885 /* These are Microsoft's extensions in RFC 3244, and it looks like 1886 they'll become standardized, possibly with other additions. */ 1887 #define KRB5_KPASSWD_ACCESSDENIED 5 /**< Not authorized */ 1888 #define KRB5_KPASSWD_BAD_VERSION 6 /**< Unknown RPC version */ 1889 /** The presented credentials were not obtained using a password directly */ 1890 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 1891 1892 /* 1893 * end "proto.h" 1894 */ 1895 1896 /* Time set */ 1897 /** Ticket start time, end time, and renewal duration. */ 1898 typedef struct _krb5_ticket_times { 1899 krb5_timestamp authtime; /**< Time at which KDC issued the initial ticket that corresponds to this ticket */ 1900 /* XXX ? should ktime in KDC_REP == authtime 1901 in ticket? otherwise client can't get this */ 1902 krb5_timestamp starttime; /**< optional in ticket, if not present, use @a authtime */ 1903 krb5_timestamp endtime; /**< Ticket expiration time */ 1904 krb5_timestamp renew_till; /**< Latest time at which renewal of ticket can be valid */ 1905 } krb5_ticket_times; 1906 1907 /** Structure for auth data */ 1908 typedef struct _krb5_authdata { 1909 krb5_magic magic; 1910 krb5_authdatatype ad_type; /**< ADTYPE */ 1911 unsigned int length; /**< Length of data */ 1912 krb5_octet *contents; /**< Data */ 1913 } krb5_authdata; 1914 1915 /** Structure for transited encoding */ 1916 typedef struct _krb5_transited { 1917 krb5_magic magic; 1918 krb5_octet tr_type; /**< Transited encoding type */ 1919 krb5_data tr_contents; /**< Contents */ 1920 } krb5_transited; 1921 1922 /** Encrypted part of ticket. */ 1923 typedef struct _krb5_enc_tkt_part { 1924 krb5_magic magic; 1925 /* to-be-encrypted portion */ 1926 krb5_flags flags; /**< flags */ 1927 krb5_keyblock *session; /**< session key: includes enctype */ 1928 krb5_principal client; /**< client name/realm */ 1929 krb5_transited transited; /**< list of transited realms */ 1930 krb5_ticket_times times; /**< auth, start, end, renew_till */ 1931 krb5_address **caddrs; /**< array of ptrs to addresses */ 1932 krb5_authdata **authorization_data; /**< auth data */ 1933 } krb5_enc_tkt_part; 1934 1935 /** 1936 * Ticket structure. 1937 * 1938 * The C representation of the ticket message, with a pointer to the 1939 * C representation of the encrypted part. 1940 */ 1941 typedef struct _krb5_ticket { 1942 krb5_magic magic; 1943 /* cleartext portion */ 1944 krb5_principal server; /**< server name/realm */ 1945 krb5_enc_data enc_part; /**< encryption type, kvno, encrypted encoding */ 1946 krb5_enc_tkt_part *enc_part2; /**< ptr to decrypted version, if available */ 1947 } krb5_ticket; 1948 1949 /* the unencrypted version */ 1950 /** 1951 * Ticket authenticator. 1952 * 1953 * The C representation of an unencrypted authenticator. 1954 */ 1955 typedef struct _krb5_authenticator { 1956 krb5_magic magic; 1957 krb5_principal client; /**< client name/realm */ 1958 krb5_checksum *checksum; /**< checksum, includes type, optional */ 1959 krb5_int32 cusec; /**< client usec portion */ 1960 krb5_timestamp ctime; /**< client sec portion */ 1961 krb5_keyblock *subkey; /**< true session key, optional */ 1962 krb5_ui_4 seq_number; /**< sequence #, optional */ 1963 krb5_authdata **authorization_data; /**< authoriazation data */ 1964 } krb5_authenticator; 1965 1966 /** Ticket authentication data. */ 1967 typedef struct _krb5_tkt_authent { 1968 krb5_magic magic; 1969 krb5_ticket *ticket; 1970 krb5_authenticator *authenticator; 1971 krb5_flags ap_options; 1972 } krb5_tkt_authent; 1973 1974 /** Credentials structure including ticket, session key, and lifetime info. */ 1975 typedef struct _krb5_creds { 1976 krb5_magic magic; 1977 krb5_principal client; /**< client's principal identifier */ 1978 krb5_principal server; /**< server's principal identifier */ 1979 krb5_keyblock keyblock; /**< session encryption key info */ 1980 krb5_ticket_times times; /**< lifetime info */ 1981 krb5_boolean is_skey; /**< true if ticket is encrypted in 1982 another ticket's skey */ 1983 krb5_flags ticket_flags; /**< flags in ticket */ 1984 krb5_address **addresses; /**< addrs in ticket */ 1985 krb5_data ticket; /**< ticket string itself */ 1986 krb5_data second_ticket; /**< second ticket, if related to 1987 ticket (via DUPLICATE-SKEY or 1988 ENC-TKT-IN-SKEY) */ 1989 krb5_authdata **authdata; /**< authorization data */ 1990 } krb5_creds; 1991 1992 /** Last request entry */ 1993 typedef struct _krb5_last_req_entry { 1994 krb5_magic magic; 1995 krb5_int32 lr_type; /**< LR type */ 1996 krb5_timestamp value; /**< Timestamp */ 1997 } krb5_last_req_entry; 1998 1999 /** Pre-authentication data */ 2000 typedef struct _krb5_pa_data { 2001 krb5_magic magic; 2002 krb5_preauthtype pa_type; /**< Preauthentication data type */ 2003 unsigned int length; /**< Length of data */ 2004 krb5_octet *contents; /**< Data */ 2005 } krb5_pa_data; 2006 2007 /* Don't use this; use krb5_pa_data instead. */ 2008 typedef struct _krb5_typed_data { 2009 krb5_magic magic; 2010 krb5_int32 type; 2011 unsigned int length; 2012 krb5_octet *data; 2013 } krb5_typed_data; 2014 2015 /** C representation of KDC-REQ protocol message, including KDC-REQ-BODY */ 2016 typedef struct _krb5_kdc_req { 2017 krb5_magic magic; 2018 krb5_msgtype msg_type; /**< KRB5_AS_REQ or KRB5_TGS_REQ */ 2019 krb5_pa_data **padata; /**< Preauthentication data */ 2020 /* real body */ 2021 krb5_flags kdc_options; /**< Requested options */ 2022 krb5_principal client; /**< Client principal and realm */ 2023 krb5_principal server; /**< Server principal and realm */ 2024 krb5_timestamp from; /**< Requested start time */ 2025 krb5_timestamp till; /**< Requested end time */ 2026 krb5_timestamp rtime; /**< Requested renewable end time */ 2027 krb5_int32 nonce; /**< Nonce to match request and response */ 2028 int nktypes; /**< Number of enctypes */ 2029 krb5_enctype *ktype; /**< Requested enctypes */ 2030 krb5_address **addresses; /**< Requested addresses (optional) */ 2031 krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */ 2032 krb5_authdata **unenc_authdata; /**< Unencrypted authz data */ 2033 krb5_ticket **second_ticket; /**< Second ticket array (optional) */ 2034 } krb5_kdc_req; 2035 2036 /** 2037 * C representation of @c EncKDCRepPart protocol message. 2038 * 2039 * This is the cleartext message that is encrypted and inserted in @c KDC-REP. 2040 */ 2041 typedef struct _krb5_enc_kdc_rep_part { 2042 krb5_magic magic; 2043 /* encrypted part: */ 2044 krb5_msgtype msg_type; /**< krb5 message type */ 2045 krb5_keyblock *session; /**< Session key */ 2046 krb5_last_req_entry **last_req; /**< Array of pointers to entries */ 2047 krb5_int32 nonce; /**< Nonce from request */ 2048 krb5_timestamp key_exp; /**< Expiration date */ 2049 krb5_flags flags; /**< Ticket flags */ 2050 krb5_ticket_times times; /**< Lifetime info */ 2051 krb5_principal server; /**< Server's principal identifier */ 2052 krb5_address **caddrs; /**< Array of ptrs to addrs, optional */ 2053 krb5_pa_data **enc_padata; /**< Encrypted preauthentication data */ 2054 } krb5_enc_kdc_rep_part; 2055 2056 /** Representation of the @c KDC-REP protocol message. */ 2057 typedef struct _krb5_kdc_rep { 2058 krb5_magic magic; 2059 /* cleartext part: */ 2060 krb5_msgtype msg_type; /**< KRB5_AS_REP or KRB5_KDC_REP */ 2061 krb5_pa_data **padata; /**< Preauthentication data from KDC */ 2062 krb5_principal client; /**< Client principal and realm */ 2063 krb5_ticket *ticket; /**< Ticket */ 2064 krb5_enc_data enc_part; /**< Encrypted part of reply */ 2065 krb5_enc_kdc_rep_part *enc_part2; /**< Unencrypted version, if available */ 2066 } krb5_kdc_rep; 2067 2068 /** Error message structure */ 2069 typedef struct _krb5_error { 2070 krb5_magic magic; 2071 /* some of these may be meaningless in certain contexts */ 2072 krb5_timestamp ctime; /**< Client sec portion; optional */ 2073 krb5_int32 cusec; /**< Client usec portion; optional */ 2074 krb5_int32 susec; /**< Server usec portion */ 2075 krb5_timestamp stime; /**< Server sec portion */ 2076 krb5_ui_4 error; /**< Error code (protocol error #'s) */ 2077 krb5_principal client; /**< Client principal and realm */ 2078 krb5_principal server; /**< Server principal and realm */ 2079 krb5_data text; /**< Descriptive text */ 2080 krb5_data e_data; /**< Additional error-describing data */ 2081 } krb5_error; 2082 2083 /** Authentication header. */ 2084 typedef struct _krb5_ap_req { 2085 krb5_magic magic; 2086 krb5_flags ap_options; /**< Requested options */ 2087 krb5_ticket *ticket; /**< Ticket */ 2088 krb5_enc_data authenticator; /**< Encrypted authenticator */ 2089 } krb5_ap_req; 2090 2091 /** 2092 * C representaton of AP-REP message. 2093 * 2094 * The server's response to a client's request for mutual authentication. 2095 */ 2096 typedef struct _krb5_ap_rep { 2097 krb5_magic magic; 2098 krb5_enc_data enc_part; /**< Ciphertext of ApRepEncPart */ 2099 } krb5_ap_rep; 2100 2101 /** Cleartext that is encrypted and put into @c _krb5_ap_rep. */ 2102 typedef struct _krb5_ap_rep_enc_part { 2103 krb5_magic magic; 2104 krb5_timestamp ctime; /**< Client time, seconds portion */ 2105 krb5_int32 cusec; /**< Client time, microseconds portion */ 2106 krb5_keyblock *subkey; /**< Subkey (optional) */ 2107 krb5_ui_4 seq_number; /**< Sequence number */ 2108 } krb5_ap_rep_enc_part; 2109 2110 /* Unused */ 2111 typedef struct _krb5_response { 2112 krb5_magic magic; 2113 krb5_octet message_type; 2114 krb5_data response; 2115 krb5_int32 expected_nonce; 2116 krb5_timestamp request_time; 2117 } krb5_response; 2118 2119 /** Credentials information inserted into @c EncKrbCredPart. */ 2120 typedef struct _krb5_cred_info { 2121 krb5_magic magic; 2122 krb5_keyblock *session; /**< Session key used to encrypt ticket */ 2123 krb5_principal client; /**< Client principal and realm */ 2124 krb5_principal server; /**< Server principal and realm */ 2125 krb5_flags flags; /**< Ticket flags */ 2126 krb5_ticket_times times; /**< Auth, start, end, renew_till */ 2127 krb5_address **caddrs; /**< Array of pointers to addrs (optional) */ 2128 } krb5_cred_info; 2129 2130 /** Cleartext credentials information. */ 2131 typedef struct _krb5_cred_enc_part { 2132 krb5_magic magic; 2133 krb5_int32 nonce; /**< Nonce (optional) */ 2134 krb5_timestamp timestamp; /**< Generation time, seconds portion */ 2135 krb5_int32 usec; /**< Generation time, microseconds portion */ 2136 krb5_address *s_address; /**< Sender address (optional) */ 2137 krb5_address *r_address; /**< Recipient address (optional) */ 2138 krb5_cred_info **ticket_info; 2139 } krb5_cred_enc_part; 2140 2141 /** Credentials data structure.*/ 2142 typedef struct _krb5_cred { 2143 krb5_magic magic; 2144 krb5_ticket **tickets; /**< Tickets */ 2145 krb5_enc_data enc_part; /**< Encrypted part */ 2146 krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */ 2147 } krb5_cred; 2148 2149 /* Unused, but here for API compatibility. */ 2150 typedef struct _passwd_phrase_element { 2151 krb5_magic magic; 2152 krb5_data *passwd; 2153 krb5_data *phrase; 2154 } passwd_phrase_element; 2155 2156 /* Unused, but here for API compatibility. */ 2157 typedef struct _krb5_pwd_data { 2158 krb5_magic magic; 2159 int sequence_count; 2160 passwd_phrase_element **element; 2161 } krb5_pwd_data; 2162 2163 /* Unused, but here for API compatibility. */ 2164 typedef struct _krb5_pa_svr_referral_data { 2165 /** Referred name, only realm is required */ 2166 krb5_principal principal; 2167 } krb5_pa_svr_referral_data; 2168 2169 /* Unused, but here for API compatibility. */ 2170 typedef struct _krb5_pa_server_referral_data { 2171 krb5_data *referred_realm; 2172 krb5_principal true_principal_name; 2173 krb5_principal requested_principal_name; 2174 krb5_timestamp referral_valid_until; 2175 krb5_checksum rep_cksum; 2176 } krb5_pa_server_referral_data; 2177 2178 typedef struct _krb5_pa_pac_req { 2179 /** TRUE if a PAC should be included in TGS-REP */ 2180 krb5_boolean include_pac; 2181 } krb5_pa_pac_req; 2182 2183 /* 2184 * begin "safepriv.h" 2185 */ 2186 2187 /** Prevent replays with timestamps and replay cache. */ 2188 #define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 2189 /** Save timestamps for application. */ 2190 #define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002 2191 /** Prevent replays with sequence numbers. */ 2192 #define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 2193 /** Save sequence numbers for application. */ 2194 #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 2195 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 2196 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 2197 2198 /** 2199 * Replay data. 2200 * 2201 * Sequence number and timestamp information output by krb5_rd_priv() and 2202 * krb5_rd_safe(). 2203 */ 2204 typedef struct krb5_replay_data { 2205 krb5_timestamp timestamp; /**< Timestamp, seconds portion */ 2206 krb5_int32 usec; /**< Timestamp, microseconds portion */ 2207 krb5_ui_4 seq; /**< Sequence number */ 2208 } krb5_replay_data; 2209 2210 /* Flags for krb5_auth_con_genaddrs(). */ 2211 2212 /** Generate the local network address. */ 2213 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR 0x00000001 2214 /** Generate the remote network address. */ 2215 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR 0x00000002 2216 /** Generate the local network address and the local port. */ 2217 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR 0x00000004 2218 /** Generate the remote network address and the remote port. */ 2219 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008 2220 2221 /** Type of function used as a callback to generate checksum data for mk_req */ 2222 typedef krb5_error_code 2223 (KRB5_CALLCONV * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context, 2224 void *, krb5_data **); 2225 2226 /* 2227 * end "safepriv.h" 2228 */ 2229 2230 2231 /* 2232 * begin "ccache.h" 2233 */ 2234 2235 /** Cursor for sequential lookup */ 2236 typedef krb5_pointer krb5_cc_cursor; 2237 2238 struct _krb5_ccache; 2239 typedef struct _krb5_ccache *krb5_ccache; 2240 struct _krb5_cc_ops; 2241 typedef struct _krb5_cc_ops krb5_cc_ops; 2242 2243 struct _krb5_cccol_cursor; 2244 /** Cursor for iterating over all ccaches */ 2245 typedef struct _krb5_cccol_cursor *krb5_cccol_cursor; 2246 2247 /* Flags for krb5_cc_retrieve_cred. */ 2248 /** The requested lifetime must be at least as great as the time specified. */ 2249 #define KRB5_TC_MATCH_TIMES 0x00000001 2250 /** The is_skey field must match exactly. */ 2251 #define KRB5_TC_MATCH_IS_SKEY 0x00000002 2252 /** All the flags set in the match credentials must be set. */ 2253 #define KRB5_TC_MATCH_FLAGS 0x00000004 2254 /** All the time fields must match exactly. */ 2255 #define KRB5_TC_MATCH_TIMES_EXACT 0x00000008 2256 /** All the flags must match exactly. */ 2257 #define KRB5_TC_MATCH_FLAGS_EXACT 0x00000010 2258 /** The authorization data must match. */ 2259 #define KRB5_TC_MATCH_AUTHDATA 0x00000020 2260 /** Only the name portion of the principal name must match. */ 2261 #define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040 2262 /** The second ticket must match. */ 2263 #define KRB5_TC_MATCH_2ND_TKT 0x00000080 2264 /** The encryption key type must match. */ 2265 #define KRB5_TC_MATCH_KTYPE 0x00000100 2266 /** The supported key types must match. */ 2267 #define KRB5_TC_SUPPORTED_KTYPES 0x00000200 2268 2269 /* Flags for krb5_cc_set_flags and similar. */ 2270 /** Open and close the file for each cache operation. */ 2271 #define KRB5_TC_OPENCLOSE 0x00000001 /**< @deprecated has no effect */ 2272 #define KRB5_TC_NOTICKET 0x00000002 2273 2274 /** 2275 * Retrieve the name, but not type of a credential cache. 2276 * 2277 * @param [in] context Library context 2278 * @param [in] cache Credential cache handle 2279 * 2280 * @warning Returns the name of the credential cache. The result is an alias 2281 * into @a cache and should not be freed or modified by the caller. This name 2282 * does not include the cache type, so should not be used as input to 2283 * krb5_cc_resolve(). 2284 * 2285 * @return 2286 * On success - the name of the credential cache. 2287 */ 2288 const char * KRB5_CALLCONV 2289 krb5_cc_get_name(krb5_context context, krb5_ccache cache); 2290 2291 /** 2292 * Retrieve the full name of a credential cache. 2293 * 2294 * @param [in] context Library context 2295 * @param [in] cache Credential cache handle 2296 * @param [out] fullname_out Full name of cache 2297 * 2298 * Use krb5_free_string() to free @a fullname_out when it is no longer needed. 2299 * 2300 * @version New in 1.10 2301 */ 2302 krb5_error_code KRB5_CALLCONV 2303 krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, 2304 char **fullname_out); 2305 2306 #if KRB5_DEPRECATED 2307 krb5_error_code KRB5_CALLCONV 2308 krb5_cc_gen_new(krb5_context context, krb5_ccache *cache); 2309 #endif /* KRB5_DEPRECATED */ 2310 2311 /** 2312 * Initialize a credential cache. 2313 * 2314 * @param [in] context Library context 2315 * @param [in] cache Credential cache handle 2316 * @param [in] principal Default principal name 2317 * 2318 * Destroy any existing contents of @a cache and initialize it for the default 2319 * principal @a principal. 2320 * 2321 * @retval 2322 * 0 Success 2323 * @return 2324 * System errors; Permission errors; Kerberos error codes 2325 */ 2326 krb5_error_code KRB5_CALLCONV 2327 krb5_cc_initialize(krb5_context context, krb5_ccache cache, 2328 krb5_principal principal); 2329 2330 /** 2331 * Destroy a credential cache. 2332 * 2333 * @param [in] context Library context 2334 * @param [in] cache Credential cache handle 2335 * 2336 * This function destroys any existing contents of @a cache and closes the 2337 * handle to it. 2338 * 2339 * @retval 2340 * 0 Success 2341 * @return 2342 * Permission errors 2343 */ 2344 krb5_error_code KRB5_CALLCONV 2345 krb5_cc_destroy(krb5_context context, krb5_ccache cache); 2346 2347 /** 2348 * Close a credential cache handle. 2349 * 2350 * @param [in] context Library context 2351 * @param [in] cache Credential cache handle 2352 * 2353 * This function closes a credential cache handle @a cache without affecting 2354 * the contents of the cache. 2355 * 2356 * @retval 2357 * 0 Success 2358 * @return 2359 * Kerberos error codes 2360 */ 2361 krb5_error_code KRB5_CALLCONV 2362 krb5_cc_close(krb5_context context, krb5_ccache cache); 2363 2364 /** 2365 * Store credentials in a credential cache. 2366 * 2367 * @param [in] context Library context 2368 * @param [in] cache Credential cache handle 2369 * @param [in] creds Credentials to be stored in cache 2370 * 2371 * This function stores @a creds into @a cache. If @a creds->server and the 2372 * server in the decoded ticket @a creds->ticket differ, the credentials will 2373 * be stored under both server principal names. 2374 * 2375 * @retval 2376 * 0 Success 2377 * @return Permission errors; storage failure errors; Kerberos error codes 2378 */ 2379 krb5_error_code KRB5_CALLCONV 2380 krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds); 2381 2382 /** 2383 * Retrieve a specified credentials from a credential cache. 2384 * 2385 * @param [in] context Library context 2386 * @param [in] cache Credential cache handle 2387 * @param [in] flags Flags bit mask 2388 * @param [in] mcreds Credentials to match 2389 * @param [out] creds Credentials matching the requested value 2390 * 2391 * This function searches a credential cache for credentials matching @a mcreds 2392 * and returns it if found. 2393 * 2394 * Valid values for @a flags are: 2395 * 2396 * @li #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as 2397 * great as in @a mcreds . 2398 * @li #KRB5_TC_MATCH_IS_SKEY The @a is_skey field much match exactly. 2399 * @li #KRB5_TC_MATCH_FLAGS Flags set in @a mcreds must be set. 2400 * @li #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly. 2401 * @li #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly. 2402 * @li #KRB5_TC_MATCH_AUTHDATA The authorization data must match. 2403 * @li #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal 2404 * name must match, not the realm. 2405 * @li #KRB5_TC_MATCH_2ND_TKT The second tickets must match. 2406 * @li #KRB5_TC_MATCH_KTYPE The encryption key types must match. 2407 * @li #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any 2408 * supported encryption type and return the 2409 * one with the encryption type listed earliest. 2410 * 2411 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. 2412 * 2413 * @retval 0 Success; otherwise - Kerberos error codes 2414 */ 2415 krb5_error_code KRB5_CALLCONV 2416 krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, 2417 krb5_flags flags, krb5_creds *mcreds, 2418 krb5_creds *creds); 2419 2420 /** 2421 * Get the default principal of a credential cache. 2422 * 2423 * @param [in] context Library context 2424 * @param [in] cache Credential cache handle 2425 * @param [out] principal Primary principal 2426 * 2427 * Returns the default client principal of a credential cache as set by 2428 * krb5_cc_initialize(). 2429 * 2430 * Use krb5_free_principal() to free @a principal when it is no longer needed. 2431 * 2432 * @retval 2433 * 0 Success 2434 * @return 2435 * Kerberos error codes 2436 */ 2437 krb5_error_code KRB5_CALLCONV 2438 krb5_cc_get_principal(krb5_context context, krb5_ccache cache, 2439 krb5_principal *principal); 2440 2441 /** 2442 * Prepare to sequentially read every credential in a credential cache. 2443 * 2444 * @param [in] context Library context 2445 * @param [in] cache Credential cache handle 2446 * @param [out] cursor Cursor 2447 * 2448 * krb5_cc_end_seq_get() must be called to complete the retrieve operation. 2449 * 2450 * @note If the cache represented by @a cache is modified between the time of 2451 * the call to this function and the time of the final krb5_cc_end_seq_get(), 2452 * these changes may not be reflected in the results of krb5_cc_next_cred() 2453 * calls. 2454 * 2455 * @retval 0 Success; otherwise - Kerberos error codes 2456 */ 2457 krb5_error_code KRB5_CALLCONV 2458 krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, 2459 krb5_cc_cursor *cursor); 2460 2461 /** 2462 * Retrieve the next entry from the credential cache. 2463 * 2464 * @param [in] context Library context 2465 * @param [in] cache Credential cache handle 2466 * @param [in] cursor Cursor 2467 * @param [out] creds Next credential cache entry 2468 * 2469 * This function fills in @a creds with the next entry in @a cache and advances 2470 * @a cursor. 2471 * 2472 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. 2473 * 2474 * @sa krb5_cc_start_seq_get(), krb5_end_seq_get() 2475 * 2476 * @retval 0 Success; otherwise - Kerberos error codes 2477 */ 2478 krb5_error_code KRB5_CALLCONV 2479 krb5_cc_next_cred(krb5_context context, krb5_ccache cache, 2480 krb5_cc_cursor *cursor, krb5_creds *creds); 2481 2482 /** 2483 * Finish a series of sequential processing credential cache entries. 2484 * 2485 * @param [in] context Library context 2486 * @param [in] cache Credential cache handle 2487 * @param [in] cursor Cursor 2488 * 2489 * This function finishes processing credential cache entries and invalidates 2490 * @a cursor. 2491 * 2492 * @sa krb5_cc_start_seq_get(), krb5_cc_next_cred() 2493 * 2494 * @retval 0 (always) 2495 */ 2496 krb5_error_code KRB5_CALLCONV 2497 krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, 2498 krb5_cc_cursor *cursor); 2499 2500 /** 2501 * Remove credentials from a credential cache. 2502 * 2503 * @param [in] context Library context 2504 * @param [in] cache Credential cache handle 2505 * @param [in] flags Bitwise-ORed search flags 2506 * @param [in] creds Credentials to be matched 2507 * 2508 * @warning This function is not implemented for some cache types. 2509 * 2510 * This function accepts the same flag values as krb5_cc_retrieve_cred(). 2511 * 2512 * @retval KRB5_CC_NOSUPP Not implemented for this cache type 2513 * @return No matches found; Data cannot be deleted; Kerberos error codes 2514 */ 2515 krb5_error_code KRB5_CALLCONV 2516 krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, 2517 krb5_creds *creds); 2518 2519 /** 2520 * Set options flags on a credential cache. 2521 * 2522 * @param [in] context Library context 2523 * @param [in] cache Credential cache handle 2524 * @param [in] flags Flag bit mask 2525 * 2526 * This function resets @a cache flags to @a flags. 2527 * 2528 * @retval 0 Success; otherwise - Kerberos error codes 2529 */ 2530 krb5_error_code KRB5_CALLCONV 2531 krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags); 2532 2533 /** 2534 * Retrieve flags from a credential cache structure. 2535 * 2536 * @param [in] context Library context 2537 * @param [in] cache Credential cache handle 2538 * @param [out] flags Flag bit mask 2539 * 2540 * @warning For memory credential cache always returns a flag mask of 0. 2541 * 2542 * @retval 0 Success; otherwise - Kerberos error codes 2543 */ 2544 krb5_error_code KRB5_CALLCONV 2545 krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags); 2546 2547 /** 2548 * Retrieve the type of a credential cache. 2549 * 2550 * @param [in] context Library context 2551 * @param [in] cache Credential cache handle 2552 * 2553 * @return The type of a credential cache as an alias that must not be modified 2554 * or freed by the caller. 2555 */ 2556 const char * KRB5_CALLCONV 2557 krb5_cc_get_type(krb5_context context, krb5_ccache cache); 2558 2559 /** 2560 * Move a credential cache. 2561 * 2562 * @param [in] context Library context 2563 * @param [in] src The credential cache to move the content from 2564 * @param [in] dst The credential cache to move the content to 2565 * 2566 * This function reinitializes @a dst and populates it with the credentials and 2567 * default principal of @a src; then, if successful, destroys @a src. 2568 * 2569 * @retval 2570 * 0 Success; @a src is closed. 2571 * @return 2572 * Kerberos error codes; @a src is still allocated. 2573 */ 2574 krb5_error_code KRB5_CALLCONV 2575 krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst); 2576 2577 /** 2578 * Prepare to iterate over the collection of known credential caches. 2579 * 2580 * @param [in] context Library context 2581 * @param [out] cursor Cursor 2582 * 2583 * Get a new cache iteration @a cursor that will iterate over all known 2584 * credential caches independent of type. 2585 * 2586 * Use krb5_cccol_cursor_free() to release @a cursor when it is no longer 2587 * needed. 2588 * 2589 * @sa krb5_cccol_cursor_next() 2590 * 2591 * @retval 0 Success; otherwise - Kerberos error codes 2592 */ 2593 krb5_error_code KRB5_CALLCONV 2594 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor); 2595 2596 /** 2597 * Get the next credential cache in the collection. 2598 * 2599 * @param [in] context Library context 2600 * @param [in] cursor Cursor 2601 * @param [out] ccache Credential cache handle 2602 * 2603 * @note When all caches are iterated over and the end of the list is reached, 2604 * @a ccache is set to NULL. 2605 * 2606 * Use krb5_cc_close() to close @a ccache when it is no longer needed. 2607 * 2608 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_free() 2609 * 2610 * @retval 0 Success; otherwise - Kerberos error codes 2611 */ 2612 krb5_error_code KRB5_CALLCONV 2613 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, 2614 krb5_ccache *ccache); 2615 2616 /** 2617 * Free a credential cache collection cursor. 2618 * 2619 * @param [in] context Library context 2620 * @param [in] cursor Cursor 2621 * 2622 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_next() 2623 * 2624 * @retval 0 Success; otherwise - Kerberos error codes 2625 */ 2626 krb5_error_code KRB5_CALLCONV 2627 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor); 2628 2629 /** 2630 * Check if the credential cache collection contains any initialized caches. 2631 * 2632 * @param [in] context Library context 2633 * 2634 * @version New in 1.11 2635 * 2636 * @retval 0 At least one initialized cache is present in the collection 2637 * @retval KRB5_CC_NOTFOUND The collection contains no caches 2638 */ 2639 krb5_error_code KRB5_CALLCONV 2640 krb5_cccol_have_content(krb5_context context); 2641 2642 /** 2643 * Create a new credential cache of the specified type with a unique name. 2644 * 2645 * @param [in] context Library context 2646 * @param [in] type Credential cache type name 2647 * @param [in] hint Unused 2648 * @param [out] id Credential cache handle 2649 * 2650 * @retval 2651 * 0 Success 2652 * @return 2653 * Kerberos error codes 2654 */ 2655 krb5_error_code KRB5_CALLCONV 2656 krb5_cc_new_unique(krb5_context context, const char *type, const char *hint, 2657 krb5_ccache *id); 2658 2659 /* 2660 * end "ccache.h" 2661 */ 2662 2663 /* 2664 * begin "rcache.h" 2665 */ 2666 2667 struct krb5_rc_st; 2668 typedef struct krb5_rc_st *krb5_rcache; 2669 2670 /* 2671 * end "rcache.h" 2672 */ 2673 2674 /* 2675 * begin "keytab.h" 2676 */ 2677 2678 2679 /* XXX */ 2680 #define MAX_KEYTAB_NAME_LEN 1100 /**< Long enough for MAXPATHLEN + some extra */ 2681 2682 typedef krb5_pointer krb5_kt_cursor; 2683 2684 /** A key table entry. */ 2685 typedef struct krb5_keytab_entry_st { 2686 krb5_magic magic; 2687 krb5_principal principal; /**< Principal of this key */ 2688 krb5_timestamp timestamp; /**< Time entry written to keytable */ 2689 krb5_kvno vno; /**< Key version number */ 2690 krb5_keyblock key; /**< The secret key */ 2691 } krb5_keytab_entry; 2692 2693 struct _krb5_kt; 2694 typedef struct _krb5_kt *krb5_keytab; 2695 2696 /** 2697 * Return the type of a key table. 2698 * 2699 * @param [in] context Library context 2700 * @param [in] keytab Key table handle 2701 * 2702 * @return The type of a key table as an alias that must not be modified or 2703 * freed by the caller. 2704 */ 2705 const char * KRB5_CALLCONV 2706 krb5_kt_get_type(krb5_context context, krb5_keytab keytab); 2707 2708 /** 2709 * Get a key table name. 2710 * 2711 * @param [in] context Library context 2712 * @param [in] keytab Key table handle 2713 * @param [out] name Key table name 2714 * @param [in] namelen Maximum length to fill in name 2715 * 2716 * Fill @a name with the name of @a keytab including the type and delimiter. 2717 * 2718 * @sa MAX_KEYTAB_NAME_LEN 2719 * 2720 * @retval 2721 * 0 Success 2722 * @retval 2723 * KRB5_KT_NAME_TOOLONG Key table name does not fit in @a namelen bytes 2724 * 2725 * @return 2726 * Kerberos error codes 2727 */ 2728 krb5_error_code KRB5_CALLCONV 2729 krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, 2730 unsigned int namelen); 2731 2732 /** 2733 * Close a key table handle. 2734 * 2735 * @param [in] context Library context 2736 * @param [in] keytab Key table handle 2737 * 2738 * @retval 0 2739 */ 2740 krb5_error_code KRB5_CALLCONV 2741 krb5_kt_close(krb5_context context, krb5_keytab keytab); 2742 2743 /** 2744 * Get an entry from a key table. 2745 * 2746 * @param [in] context Library context 2747 * @param [in] keytab Key table handle 2748 * @param [in] principal Principal name 2749 * @param [in] vno Key version number (0 for highest available) 2750 * @param [in] enctype Encryption type (0 zero for any enctype) 2751 * @param [out] entry Returned entry from key table 2752 * 2753 * Retrieve an entry from a key table which matches the @a keytab, @a 2754 * principal, @a vno, and @a enctype. If @a vno is zero, retrieve the 2755 * highest-numbered kvno matching the other fields. If @a enctype is 0, match 2756 * any enctype. 2757 * 2758 * Use krb5_free_keytab_entry_contents() to free @a entry when it is no longer 2759 * needed. 2760 * 2761 * @note If @a vno is zero, the function retrieves the highest-numbered-kvno 2762 * entry that matches the specified principal. 2763 * 2764 * @retval 2765 * 0 Success 2766 * @retval 2767 * Kerberos error codes on failure 2768 */ 2769 krb5_error_code KRB5_CALLCONV 2770 krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 2771 krb5_const_principal principal, krb5_kvno vno, 2772 krb5_enctype enctype, krb5_keytab_entry *entry); 2773 2774 /** 2775 * Start a sequential retrieval of key table entries. 2776 * 2777 * @param [in] context Library context 2778 * @param [in] keytab Key table handle 2779 * @param [out] cursor Cursor 2780 * 2781 * Prepare to read sequentially every key in the specified key table. Use 2782 * krb5_kt_end_seq_get() to release the cursor when it is no longer needed. 2783 * 2784 * @sa krb5_kt_next_entry(), krb5_kt_end_seq_get() 2785 * 2786 * @retval 2787 * 0 Success 2788 * @return 2789 * Kerberos error codes 2790 */ 2791 krb5_error_code KRB5_CALLCONV 2792 krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, 2793 krb5_kt_cursor *cursor); 2794 2795 /** 2796 * Retrieve the next entry from the key table. 2797 * 2798 * @param [in] context Library context 2799 * @param [in] keytab Key table handle 2800 * @param [out] entry Returned key table entry 2801 * @param [in] cursor Key table cursor 2802 * 2803 * Return the next sequential entry in @a keytab and advance @a cursor. 2804 * Callers must release the returned entry with krb5_kt_free_entry(). 2805 * 2806 * @sa krb5_kt_start_seq_get(), krb5_kt_end_seq_get() 2807 * 2808 * @retval 2809 * 0 Success 2810 * @retval 2811 * KRB5_KT_END - if the last entry was reached 2812 * @return 2813 * Kerberos error codes 2814 */ 2815 krb5_error_code KRB5_CALLCONV 2816 krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, 2817 krb5_keytab_entry *entry, krb5_kt_cursor *cursor); 2818 2819 /** 2820 * Release a keytab cursor. 2821 * 2822 * @param [in] context Library context 2823 * @param [in] keytab Key table handle 2824 * @param [out] cursor Cursor 2825 * 2826 * This function should be called to release the cursor created by 2827 * krb5_kt_start_seq_get(). 2828 * 2829 * @retval 2830 * 0 Success 2831 * @return 2832 * Kerberos error codes 2833 */ 2834 krb5_error_code KRB5_CALLCONV 2835 krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, 2836 krb5_kt_cursor *cursor); 2837 2838 /** 2839 * Check if a keytab exists and contains entries. 2840 * 2841 * @param [in] context Library context 2842 * @param [in] keytab Key table handle 2843 * 2844 * @version New in 1.11 2845 * 2846 * @retval 0 Keytab exists and contains entries 2847 * @retval KRB5_KT_NOTFOUND Keytab does not contain entries 2848 */ 2849 krb5_error_code KRB5_CALLCONV 2850 krb5_kt_have_content(krb5_context context, krb5_keytab keytab); 2851 2852 /* 2853 * end "keytab.h" 2854 */ 2855 2856 /* 2857 * begin "func-proto.h" 2858 */ 2859 2860 #define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */ 2861 #define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */ 2862 2863 /** 2864 * Create a krb5 library context. 2865 * 2866 * @param [out] context Library context 2867 * 2868 * The @a context must be released by calling krb5_free_context() when 2869 * it is no longer needed. 2870 * 2871 * @warning Any program or module that needs the Kerberos code to not trust the 2872 * environment must use krb5_init_secure_context(), or clean out the 2873 * environment. 2874 * 2875 * @retval 2876 * 0 Success 2877 * @return 2878 * Kerberos error codes 2879 */ 2880 krb5_error_code KRB5_CALLCONV 2881 krb5_init_context(krb5_context *context); 2882 2883 /** 2884 * Create a krb5 library context using only configuration files. 2885 * 2886 * @param [out] context Library context 2887 * 2888 * Create a context structure, using only system configuration files. All 2889 * information passed through the environment variables is ignored. 2890 * 2891 * The @a context must be released by calling krb5_free_context() when 2892 * it is no longer needed. 2893 * 2894 * @retval 2895 * 0 Success 2896 * @return 2897 * Kerberos error codes 2898 */ 2899 krb5_error_code KRB5_CALLCONV 2900 krb5_init_secure_context(krb5_context *context); 2901 2902 /** 2903 * Create a krb5 library context using a specified profile. 2904 * 2905 * @param [in] profile Profile object (NULL to create default profile) 2906 * @param [in] flags Context initialization flags 2907 * @param [out] context Library context 2908 * 2909 * Create a context structure, optionally using a specified profile and 2910 * initialization flags. If @a profile is NULL, the default profile will be 2911 * created from config files. If @a profile is non-null, a copy of it will be 2912 * made for the new context; the caller should still clean up its copy. Valid 2913 * flag values are: 2914 * 2915 * @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables 2916 * @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile 2917 */ 2918 krb5_error_code KRB5_CALLCONV 2919 krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags, 2920 krb5_context *context); 2921 2922 /** 2923 * Free a krb5 library context. 2924 * 2925 * @param [in] context Library context 2926 * 2927 * This function frees a @a context that was created by krb5_init_context() 2928 * or krb5_init_secure_context(). 2929 */ 2930 void KRB5_CALLCONV 2931 krb5_free_context(krb5_context context); 2932 2933 /** 2934 * Copy a krb5_context structure. 2935 * 2936 * @param [in] ctx Library context 2937 * @param [out] nctx_out New context structure 2938 * 2939 * The newly created context must be released by calling krb5_free_context() 2940 * when it is no longer needed. 2941 * 2942 * @retval 2943 * 0 Success 2944 * @return 2945 * Kerberos error codes 2946 */ 2947 krb5_error_code KRB5_CALLCONV 2948 krb5_copy_context(krb5_context ctx, krb5_context *nctx_out); 2949 2950 /** 2951 * Return a list of default configuration filenames 2952 * 2953 * @param [out] filenames Configuration filename list 2954 * 2955 * Fill in @a filenames with a null-terminated list of configuration files 2956 * which will be read by krb5_init_context() in the current process 2957 * environment. 2958 * 2959 * Use krb5_free_config_files() to free @a filenames when it is no longer 2960 * needed. 2961 * 2962 * @version New in 1.22 2963 */ 2964 krb5_error_code KRB5_CALLCONV 2965 krb5_get_default_config_files(char ***filenames); 2966 2967 /** 2968 * Free a list allocated by krb5_get_default_config_files() 2969 * 2970 * @param [in] filenames Configuration filename list 2971 * 2972 * @version New in 1.22 2973 */ 2974 void KRB5_CALLCONV 2975 krb5_free_config_files(char **filenames); 2976 2977 /** 2978 * Set default TGS encryption types in a krb5_context structure. 2979 * 2980 * @param [in] context Library context 2981 * @param [in] etypes Encryption type(s) to set 2982 * 2983 * This function sets the default enctype list for TGS requests 2984 * made using @a context to @a etypes. 2985 * 2986 * @note This overrides the default list (from config file or built-in). 2987 * 2988 * @retval 2989 * 0 Success 2990 * @retval 2991 * KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type 2992 * @return 2993 * Kerberos error codes 2994 */ 2995 krb5_error_code KRB5_CALLCONV 2996 krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes); 2997 2998 /** 2999 * Return a list of encryption types permitted for session keys. 3000 * 3001 * @param [in] context Library context 3002 * @param [out] ktypes Zero-terminated list of encryption types 3003 * 3004 * This function returns the list of encryption types permitted for session 3005 * keys within @a context, as determined by configuration or by a previous call 3006 * to krb5_set_default_tgs_enctypes(). 3007 * 3008 * Use krb5_free_enctypes() to free @a ktypes when it is no longer needed. 3009 * 3010 * @retval 0 Success; otherwise - Kerberos error codes 3011 */ 3012 krb5_error_code KRB5_CALLCONV 3013 krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes); 3014 3015 /** 3016 * Test whether the Kerberos library was built with multithread support. 3017 * 3018 * @retval 3019 * TRUE if the library is threadsafe; FALSE otherwise 3020 */ 3021 krb5_boolean KRB5_CALLCONV 3022 krb5_is_thread_safe(void); 3023 3024 /* libkrb.spec */ 3025 3026 /** 3027 * Decrypt a ticket using the specified key table. 3028 * 3029 * @param [in] context Library context 3030 * @param [in] kt Key table 3031 * @param [in] ticket Ticket to be decrypted 3032 * 3033 * This function takes a @a ticket as input and decrypts it using 3034 * key data from @a kt. The result is placed into @a ticket->enc_part2. 3035 * 3036 * @retval 0 Success; otherwise - Kerberos error codes 3037 */ 3038 krb5_error_code KRB5_CALLCONV 3039 krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, 3040 krb5_ticket *ticket); 3041 3042 /** 3043 * Free an array of credential structures. 3044 * 3045 * @param [in] context Library context 3046 * @param [in] tgts Null-terminated array of credentials to free 3047 * 3048 * @note The last entry in the array @a tgts must be a NULL pointer. 3049 */ 3050 void KRB5_CALLCONV 3051 krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); 3052 3053 #define KRB5_GC_USER_USER 1 /**< Want user-user ticket */ 3054 #define KRB5_GC_CACHED 2 /**< Want cached ticket only */ 3055 #define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */ 3056 #define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */ 3057 #define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */ 3058 #define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */ 3059 #define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */ 3060 3061 /** 3062 * Get an additional ticket. 3063 * 3064 * @param [in] context Library context 3065 * @param [in] options Options 3066 * @param [in] ccache Credential cache handle 3067 * @param [in] in_creds Input credentials 3068 * @param [out] out_creds Output updated credentials 3069 * 3070 * Use @a ccache or a TGS exchange to get a service ticket matching @a 3071 * in_creds. 3072 * 3073 * Valid values for @a options are: 3074 * @li #KRB5_GC_CACHED Search only credential cache for the ticket 3075 * @li #KRB5_GC_USER_USER Return a user to user authentication ticket 3076 * 3077 * @a in_creds must be non-null. @a in_creds->client and @a in_creds->server 3078 * must be filled in to specify the client and the server respectively. If any 3079 * authorization data needs to be requested for the service ticket (such as 3080 * restrictions on how the ticket can be used), specify it in @a 3081 * in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The 3082 * session key type is specified in @a in_creds->keyblock.enctype, if it is 3083 * nonzero. 3084 * 3085 * If @a in_creds->times.endtime is specified, it is used as the requested 3086 * expiration date if a TGS request is made. If @a in_creds->times.endtime is 3087 * set to 0, the latest possible expiration date will be requested. The KDC or 3088 * cache may return a ticket with an earlier expiration date. 3089 * 3090 * Any returned ticket and intermediate ticket-granting tickets are stored 3091 * in @a ccache. 3092 * 3093 * Use krb5_free_creds() to free @a out_creds when it is no longer needed. 3094 * 3095 * @retval 3096 * 0 Success 3097 * @return 3098 * Kerberos error codes 3099 */ 3100 krb5_error_code KRB5_CALLCONV 3101 krb5_get_credentials(krb5_context context, krb5_flags options, 3102 krb5_ccache ccache, krb5_creds *in_creds, 3103 krb5_creds **out_creds); 3104 3105 /** 3106 * Serialize a @c krb5_creds object. 3107 * 3108 * @param [in] context Library context 3109 * @param [in] in_creds The credentials object to serialize 3110 * @param [out] data_out The serialized credentials 3111 * 3112 * Serialize @a creds in the format used by the FILE ccache format (vesion 4) 3113 * and KCM ccache protocol. 3114 * 3115 * Use krb5_free_data() to free @a data_out when it is no longer needed. 3116 * 3117 * @retval 0 Success; otherwise - Kerberos error codes 3118 */ 3119 krb5_error_code KRB5_CALLCONV 3120 krb5_marshal_credentials(krb5_context context, krb5_creds *in_creds, 3121 krb5_data **data_out); 3122 3123 /** 3124 * Deserialize a @c krb5_creds object. 3125 * 3126 * @param [in] context Library context 3127 * @param [in] data The serialized credentials 3128 * @param [out] creds_out The resulting creds object 3129 * 3130 * Deserialize @a data to credentials in the format used by the FILE ccache 3131 * format (vesion 4) and KCM ccache protocol. 3132 * 3133 * Use krb5_free_creds() to free @a creds_out when it is no longer needed. 3134 * 3135 * @retval 0 Success; otherwise - Kerberos error codes 3136 */ 3137 krb5_error_code KRB5_CALLCONV 3138 krb5_unmarshal_credentials(krb5_context context, const krb5_data *data, 3139 krb5_creds **creds_out); 3140 3141 /** @deprecated Replaced by krb5_get_validated_creds. */ 3142 krb5_error_code KRB5_CALLCONV 3143 krb5_get_credentials_validate(krb5_context context, krb5_flags options, 3144 krb5_ccache ccache, krb5_creds *in_creds, 3145 krb5_creds **out_creds); 3146 3147 /** @deprecated Replaced by krb5_get_renewed_creds. */ 3148 krb5_error_code KRB5_CALLCONV 3149 krb5_get_credentials_renew(krb5_context context, krb5_flags options, 3150 krb5_ccache ccache, krb5_creds *in_creds, 3151 krb5_creds **out_creds); 3152 3153 /** 3154 * Create a @c KRB_AP_REQ message. 3155 * 3156 * @param [in] context Library context 3157 * @param [in,out] auth_context Pre-existing or newly created auth context 3158 * @param [in] ap_req_options Options (see AP_OPTS macros) 3159 * @param [in] service Service name, or NULL to use @c "host" 3160 * @param [in] hostname Host name, or NULL to use local hostname 3161 * @param [in] in_data Application data to be checksummed in the 3162 * authenticator, or NULL 3163 * @param [in] ccache Credential cache used to obtain credentials 3164 * for the desired service. 3165 * @param [out] outbuf @c AP-REQ message 3166 * 3167 * This function is similar to krb5_mk_req_extended() except that it uses a 3168 * given @a hostname, @a service, and @a ccache to construct a service 3169 * principal name and obtain credentials. 3170 * 3171 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3172 * 3173 * @retval 0 Success; otherwise - Kerberos error codes 3174 */ 3175 krb5_error_code KRB5_CALLCONV 3176 krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, 3177 krb5_flags ap_req_options, const char *service, 3178 const char *hostname, krb5_data *in_data, krb5_ccache ccache, 3179 krb5_data *outbuf); 3180 3181 /** 3182 * Create a @c KRB_AP_REQ message using supplied credentials. 3183 * 3184 * @param [in] context Library context 3185 * @param [in,out] auth_context Pre-existing or newly created auth context 3186 * @param [in] ap_req_options Options (see AP_OPTS macros) 3187 * @param [in] in_data Application data to be checksummed in the 3188 * authenticator, or NULL 3189 * @param [in] in_creds Credentials for the service with valid ticket 3190 * and key 3191 * @param [out] outbuf @c AP-REQ message 3192 * 3193 * Valid @a ap_req_options are: 3194 * @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the 3195 * request used for user to user 3196 * authentication. 3197 * @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from 3198 * the receiver. 3199 * @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current 3200 * session key obtained from the credentials. 3201 * 3202 * This function creates a KRB_AP_REQ message using supplied credentials @a 3203 * in_creds. @a auth_context may point to an existing auth context or to NULL, 3204 * in which case a new one will be created. If @a in_data is non-null, a 3205 * checksum of it will be included in the authenticator contained in the 3206 * KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it 3207 * is no longer needed. 3208 * 3209 * On successful return, the authenticator is stored in @a auth_context with 3210 * the @a client and @a checksum fields nulled out. (This is to prevent 3211 * pointer-sharing problems; the caller should not need these fields anyway, 3212 * since the caller supplied them.) 3213 * 3214 * @sa krb5_mk_req() 3215 * 3216 * @retval 0 Success; otherwise - Kerberos error codes 3217 */ 3218 krb5_error_code KRB5_CALLCONV 3219 krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, 3220 krb5_flags ap_req_options, krb5_data *in_data, 3221 krb5_creds *in_creds, krb5_data *outbuf); 3222 3223 /** 3224 * Format and encrypt a @c KRB_AP_REP message. 3225 * 3226 * @param [in] context Library context 3227 * @param [in] auth_context Authentication context 3228 * @param [out] outbuf @c AP-REP message 3229 * 3230 * This function fills in @a outbuf with an AP-REP message using information 3231 * from @a auth_context. 3232 * 3233 * If the flags in @a auth_context indicate that a sequence number should be 3234 * used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or 3235 * #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a 3236 * auth_context is 0, a new number will be generated with 3237 * krb5_generate_seq_number(). 3238 * 3239 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3240 * 3241 * @retval 0 Success; otherwise - Kerberos error codes 3242 */ 3243 krb5_error_code KRB5_CALLCONV 3244 krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); 3245 3246 /** 3247 * Format and encrypt a @c KRB_AP_REP message for DCE RPC. 3248 * 3249 * @param [in] context Library context 3250 * @param [in] auth_context Authentication context 3251 * @param [out] outbuf @c AP-REP message 3252 * 3253 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. 3254 * 3255 * @retval 0 Success; otherwise - Kerberos error codes 3256 */ 3257 krb5_error_code KRB5_CALLCONV 3258 krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); 3259 3260 /** 3261 * Parse and decrypt a @c KRB_AP_REP message. 3262 * 3263 * @param [in] context Library context 3264 * @param [in] auth_context Authentication context 3265 * @param [in] inbuf AP-REP message 3266 * @param [out] repl Decrypted reply message 3267 * 3268 * This function parses, decrypts and verifies a message from @a inbuf and 3269 * fills in @a repl with a pointer to allocated memory containing the fields 3270 * from the encrypted response. 3271 * 3272 * Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed. 3273 * 3274 * @retval 0 Success; otherwise - Kerberos error codes 3275 */ 3276 krb5_error_code KRB5_CALLCONV 3277 krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, 3278 const krb5_data *inbuf, krb5_ap_rep_enc_part **repl); 3279 3280 /** 3281 * Parse and decrypt a @c KRB_AP_REP message for DCE RPC. 3282 * 3283 * @param [in] context Library context 3284 * @param [in] auth_context Authentication context 3285 * @param [in] inbuf AP-REP message 3286 * @param [out] nonce Sequence number from the decrypted reply 3287 * 3288 * This function parses, decrypts and verifies a message from @a inbuf and 3289 * fills in @a nonce with a decrypted reply sequence number. 3290 * 3291 * @retval 0 Success; otherwise - Kerberos error codes 3292 */ 3293 krb5_error_code KRB5_CALLCONV 3294 krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, 3295 const krb5_data *inbuf, krb5_ui_4 *nonce); 3296 3297 /** 3298 * Format and encode a @c KRB_ERROR message. 3299 * 3300 * @param [in] context Library context 3301 * @param [in] dec_err Error structure to be encoded 3302 * @param [out] enc_err Encoded error structure 3303 * 3304 * This function creates a @c KRB_ERROR message in @a enc_err. Use 3305 * krb5_free_data_contents() to free @a enc_err when it is no longer needed. 3306 * 3307 * @retval 0 Success; otherwise - Kerberos error codes 3308 */ 3309 krb5_error_code KRB5_CALLCONV 3310 krb5_mk_error(krb5_context context, const krb5_error *dec_err, 3311 krb5_data *enc_err); 3312 3313 /** 3314 * Decode a @c KRB-ERROR message. 3315 * 3316 * @param [in] context Library context 3317 * @param [in] enc_errbuf Encoded error message 3318 * @param [out] dec_error Decoded error message 3319 * 3320 * This function processes @c KRB-ERROR message @a enc_errbuf and returns 3321 * an allocated structure @a dec_error containing the error message. 3322 * Use krb5_free_error() to free @a dec_error when it is no longer needed. 3323 * 3324 * @retval 0 Success; otherwise - Kerberos error codes 3325 */ 3326 krb5_error_code KRB5_CALLCONV 3327 krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, 3328 krb5_error **dec_error); 3329 3330 /** 3331 * Process @c KRB-SAFE message. 3332 * 3333 * @param [in] context Library context 3334 * @param [in] auth_context Authentication context 3335 * @param [in] inbuf @c KRB-SAFE message to be parsed 3336 * @param [out] userdata_out Data parsed from @c KRB-SAFE message 3337 * @param [out] rdata_out Replay data. Specify NULL if not needed 3338 * 3339 * This function parses a @c KRB-SAFE message, verifies its integrity, and 3340 * stores its data into @a userdata_out. 3341 * 3342 * @note The @a rdata_out argument is required if the 3343 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 3344 * in @a auth_context. 3345 * 3346 * If @a auth_context has a remote address set, the address will be used to 3347 * verify the sender address in the KRB-SAFE message. If @a auth_context has a 3348 * local address set, it will be used to verify the receiver address in the 3349 * KRB-SAFE message if the message contains one. 3350 * 3351 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the 3352 * sequence number of the KRB-SAFE message is checked against the remote 3353 * sequence number field of @a auth_context. Otherwise, the sequence number is 3354 * not used. 3355 * 3356 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the 3357 * timestamp in the message is verified to be within the permitted clock skew 3358 * of the current time, and the message is checked against an in-memory replay 3359 * cache to detect reflections or replays. 3360 * 3361 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer 3362 * needed. 3363 * 3364 * @retval 0 Success; otherwise - Kerberos error codes 3365 */ 3366 krb5_error_code KRB5_CALLCONV 3367 krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, 3368 const krb5_data *inbuf, krb5_data *userdata_out, 3369 krb5_replay_data *rdata_out); 3370 3371 /** 3372 * Process a @c KRB-PRIV message. 3373 * 3374 * @param [in] context Library context 3375 * @param [in] auth_context Authentication structure 3376 * @param [in] inbuf @c KRB-PRIV message to be parsed 3377 * @param [out] userdata_out Data parsed from @c KRB-PRIV message 3378 * @param [out] rdata_out Replay data. Specify NULL if not needed 3379 * 3380 * This function parses a @c KRB-PRIV message, verifies its integrity, and 3381 * stores its unencrypted data into @a userdata_out. 3382 * 3383 * @note The @a rdata_out argument is required if the 3384 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 3385 * in @a auth_context. 3386 * 3387 * If @a auth_context has a remote address set, the address will be used to 3388 * verify the sender address in the KRB-PRIV message. If @a auth_context has a 3389 * local address set, it will be used to verify the receiver address in the 3390 * KRB-PRIV message if the message contains one. 3391 * 3392 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the 3393 * sequence number of the KRB-PRIV message is checked against the remote 3394 * sequence number field of @a auth_context. Otherwise, the sequence number is 3395 * not used. 3396 * 3397 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the 3398 * timestamp in the message is verified to be within the permitted clock skew 3399 * of the current time, and the message is checked against an in-memory replay 3400 * cache to detect reflections or replays. 3401 * 3402 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer 3403 * needed. 3404 * 3405 * @retval 0 Success; otherwise - Kerberos error codes 3406 */ 3407 krb5_error_code KRB5_CALLCONV 3408 krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, 3409 const krb5_data *inbuf, krb5_data *userdata_out, 3410 krb5_replay_data *rdata_out); 3411 3412 /** 3413 * Convert a string principal name to a krb5_principal structure. 3414 * 3415 * @param [in] context Library context 3416 * @param [in] name String representation of a principal name 3417 * @param [out] principal_out New principal 3418 * 3419 * Convert a string representation of a principal name to a krb5_principal 3420 * structure. 3421 * 3422 * A string representation of a Kerberos name consists of one or more principal 3423 * name components, separated by slashes, optionally followed by the \@ 3424 * character and a realm name. If the realm name is not specified, the local 3425 * realm is used. 3426 * 3427 * To use the slash and \@ symbols as part of a component (quoted) instead of 3428 * using them as a component separator or as a realm prefix), put a backslash 3429 * (\) character in front of the symbol. Similarly, newline, tab, backspace, 3430 * and NULL characters can be included in a component by using @c n, @c t, @c b 3431 * or @c 0, respectively. 3432 * 3433 * @note The realm in a Kerberos @a name cannot contain slash, colon, 3434 * or NULL characters. 3435 * 3436 * Beginning with release 1.20, the name type of the principal will be inferred 3437 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 3438 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 3439 * 3440 * Use krb5_free_principal() to free @a principal_out when it is no longer 3441 * needed. 3442 * 3443 * @retval 3444 * 0 Success 3445 * @return 3446 * Kerberos error codes 3447 */ 3448 krb5_error_code KRB5_CALLCONV 3449 krb5_parse_name(krb5_context context, const char *name, 3450 krb5_principal *principal_out); 3451 3452 #define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */ 3453 #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */ 3454 #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component 3455 enterprise principle */ 3456 #define KRB5_PRINCIPAL_PARSE_IGNORE_REALM 0x8 /**< Ignore realm if present */ 3457 #define KRB5_PRINCIPAL_PARSE_NO_DEF_REALM 0x10 /**< Don't add default realm */ 3458 3459 /** 3460 * Convert a string principal name to a krb5_principal with flags. 3461 * 3462 * @param [in] context Library context 3463 * @param [in] name String representation of a principal name 3464 * @param [in] flags Flag 3465 * @param [out] principal_out New principal 3466 * 3467 * Similar to krb5_parse_name(), this function converts a single-string 3468 * representation of a principal name to a krb5_principal structure. 3469 * 3470 * The following flags are valid: 3471 * @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name 3472 * @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name 3473 * @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise 3474 * principal 3475 * @li #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in @a name 3476 * 3477 * If @c KRB5_PRINCIPAL_PARSE_NO_REALM or @c KRB5_PRINCIPAL_PARSE_IGNORE_REALM 3478 * is specified in @a flags, the realm of the new principal will be empty. 3479 * Otherwise, the default realm for @a context will be used if @a name does not 3480 * specify a realm. 3481 * 3482 * Use krb5_free_principal() to free @a principal_out when it is no longer 3483 * needed. 3484 * 3485 * @retval 3486 * 0 Success 3487 * @return 3488 * Kerberos error codes 3489 */ 3490 krb5_error_code KRB5_CALLCONV 3491 krb5_parse_name_flags(krb5_context context, const char *name, 3492 int flags, krb5_principal *principal_out); 3493 3494 /** 3495 * Convert a krb5_principal structure to a string representation. 3496 * 3497 * @param [in] context Library context 3498 * @param [in] principal Principal 3499 * @param [out] name String representation of principal name 3500 * 3501 * The resulting string representation uses the format and quoting conventions 3502 * described for krb5_parse_name(). 3503 * 3504 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. 3505 * 3506 * @retval 3507 * 0 Success 3508 * @return 3509 * Kerberos error codes 3510 */ 3511 krb5_error_code KRB5_CALLCONV 3512 krb5_unparse_name(krb5_context context, krb5_const_principal principal, 3513 char **name); 3514 3515 /** 3516 * Convert krb5_principal structure to string and length. 3517 * 3518 * @param [in] context Library context 3519 * @param [in] principal Principal 3520 * @param [in,out] name String representation of principal name 3521 * @param [in,out] size Size of unparsed name 3522 * 3523 * This function is similar to krb5_unparse_name(), but allows the use of an 3524 * existing buffer for the result. If size is not NULL, then @a name must 3525 * point to either NULL or an existing buffer of at least the size pointed to 3526 * by @a size. The buffer will be allocated or resized if necessary, with the 3527 * new pointer stored into @a name. Whether or not the buffer is resized, the 3528 * necessary space for the result, including null terminator, will be stored 3529 * into @a size. 3530 * 3531 * If size is NULL, this function behaves exactly as krb5_unparse_name(). 3532 * 3533 * @retval 3534 * 0 Success 3535 * @return 3536 * Kerberos error codes. On failure @a name is set to NULL 3537 */ 3538 krb5_error_code KRB5_CALLCONV 3539 krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, 3540 char **name, unsigned int *size); 3541 3542 #define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */ 3543 #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */ 3544 #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */ 3545 3546 /** 3547 * Convert krb5_principal structure to a string with flags. 3548 * 3549 * @param [in] context Library context 3550 * @param [in] principal Principal 3551 * @param [in] flags Flags 3552 * @param [out] name String representation of principal name 3553 * 3554 * Similar to krb5_unparse_name(), this function converts a krb5_principal 3555 * structure to a string representation. 3556 * 3557 * The following flags are valid: 3558 * @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm 3559 * @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm 3560 * @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters 3561 * 3562 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. 3563 * 3564 * @retval 3565 * 0 Success 3566 * @return 3567 * Kerberos error codes. On failure @a name is set to NULL 3568 */ 3569 krb5_error_code KRB5_CALLCONV 3570 krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, 3571 int flags, char **name); 3572 3573 /** 3574 * Convert krb5_principal structure to string format with flags. 3575 * 3576 * @param [in] context Library context 3577 * @param [in] principal Principal 3578 * @param [in] flags Flags 3579 * @param [out] name Single string format of principal name 3580 * @param [out] size Size of unparsed name buffer 3581 * 3582 * @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext() 3583 * 3584 * @retval 3585 * 0 Success 3586 * @return 3587 * Kerberos error codes. On failure @a name is set to NULL 3588 */ 3589 krb5_error_code KRB5_CALLCONV 3590 krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, 3591 int flags, char **name, unsigned int *size); 3592 3593 /** 3594 * Set the realm field of a principal 3595 * 3596 * @param [in] context Library context 3597 * @param [in] principal Principal name 3598 * @param [in] realm Realm name 3599 * 3600 * Set the realm name part of @a principal to @a realm, overwriting the 3601 * previous realm. 3602 * 3603 * @retval 3604 * 0 Success 3605 * @return 3606 * Kerberos error codes 3607 */ 3608 krb5_error_code KRB5_CALLCONV 3609 krb5_set_principal_realm(krb5_context context, krb5_principal principal, 3610 const char *realm); 3611 3612 /** 3613 * Search a list of addresses for a specified address. 3614 * 3615 * @param [in] context Library context 3616 * @param [in] addr Address to search for 3617 * @param [in] addrlist Address list to be searched (or NULL) 3618 * 3619 * @note If @a addrlist contains only a NetBIOS addresses, it will be treated 3620 * as a null list. 3621 * 3622 * @return 3623 * TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE 3624 * otherwise 3625 */ 3626 krb5_boolean KRB5_CALLCONV_WRONG 3627 krb5_address_search(krb5_context context, const krb5_address *addr, 3628 krb5_address *const *addrlist); 3629 3630 /** 3631 * Compare two Kerberos addresses. 3632 * 3633 * @param [in] context Library context 3634 * @param [in] addr1 First address to be compared 3635 * @param [in] addr2 Second address to be compared 3636 * 3637 * @return 3638 * TRUE if the addresses are the same, FALSE otherwise 3639 */ 3640 krb5_boolean KRB5_CALLCONV 3641 krb5_address_compare(krb5_context context, const krb5_address *addr1, 3642 const krb5_address *addr2); 3643 3644 /** 3645 * Return an ordering of the specified addresses. 3646 * 3647 * @param [in] context Library context 3648 * @param [in] addr1 First address 3649 * @param [in] addr2 Second address 3650 * 3651 * @retval 0 if The two addresses are the same 3652 * @retval < 0 First address is less than second 3653 * @retval > 0 First address is greater than second 3654 */ 3655 int KRB5_CALLCONV 3656 krb5_address_order(krb5_context context, const krb5_address *addr1, 3657 const krb5_address *addr2); 3658 3659 /** 3660 * Compare the realms of two principals. 3661 * 3662 * @param [in] context Library context 3663 * @param [in] princ1 First principal 3664 * @param [in] princ2 Second principal 3665 * 3666 * @retval 3667 * TRUE if the realm names are the same; FALSE otherwise 3668 */ 3669 krb5_boolean KRB5_CALLCONV 3670 krb5_realm_compare(krb5_context context, krb5_const_principal princ1, 3671 krb5_const_principal princ2); 3672 3673 /** 3674 * Compare two principals. 3675 * 3676 * @param [in] context Library context 3677 * @param [in] princ1 First principal 3678 * @param [in] princ2 Second principal 3679 * 3680 * @retval 3681 * TRUE if the principals are the same; FALSE otherwise 3682 */ 3683 krb5_boolean KRB5_CALLCONV 3684 krb5_principal_compare(krb5_context context, 3685 krb5_const_principal princ1, 3686 krb5_const_principal princ2); 3687 3688 /** 3689 * Compare two principals ignoring realm components. 3690 * 3691 * @param [in] context Library context 3692 * @param [in] princ1 First principal 3693 * @param [in] princ2 Second principal 3694 * 3695 * Similar to krb5_principal_compare(), but do not compare the realm 3696 * components of the principals. 3697 * 3698 * @retval 3699 * TRUE if the principals are the same; FALSE otherwise 3700 */ 3701 krb5_boolean KRB5_CALLCONV 3702 krb5_principal_compare_any_realm(krb5_context context, 3703 krb5_const_principal princ1, 3704 krb5_const_principal princ2); 3705 3706 #define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */ 3707 #define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */ 3708 #define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */ 3709 #define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */ 3710 3711 /** 3712 * Compare two principals with additional flags. 3713 * 3714 * @param [in] context Library context 3715 * @param [in] princ1 First principal 3716 * @param [in] princ2 Second principal 3717 * @param [in] flags Flags 3718 * 3719 * Valid flags are: 3720 * @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component 3721 * @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals 3722 * @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive 3723 * @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8 3724 * 3725 * @sa krb5_principal_compare() 3726 * 3727 * @retval 3728 * TRUE if the principal names are the same; FALSE otherwise 3729 */ 3730 krb5_boolean KRB5_CALLCONV 3731 krb5_principal_compare_flags(krb5_context context, 3732 krb5_const_principal princ1, 3733 krb5_const_principal princ2, 3734 int flags); 3735 3736 /** 3737 * Initialize an empty @c krb5_keyblock. 3738 * 3739 * @param [in] context Library context 3740 * @param [in] enctype Encryption type 3741 * @param [in] length Length of keyblock (or 0) 3742 * @param [out] out New keyblock structure 3743 * 3744 * Initialize a new keyblock and allocate storage for the contents of the key. 3745 * It is legal to pass in a length of 0, in which case contents are left 3746 * unallocated. Use krb5_free_keyblock() to free @a out when it is no longer 3747 * needed. 3748 * 3749 * @note If @a length is set to 0, contents are left unallocated. 3750 * 3751 * @retval 0 Success; otherwise - Kerberos error codes 3752 */ 3753 krb5_error_code KRB5_CALLCONV 3754 krb5_init_keyblock(krb5_context context, krb5_enctype enctype, 3755 size_t length, krb5_keyblock **out); 3756 3757 /** 3758 * Copy a keyblock. 3759 * 3760 * @param [in] context Library context 3761 * @param [in] from Keyblock to be copied 3762 * @param [out] to Copy of keyblock @a from 3763 * 3764 * This function creates a new keyblock with the same contents as @a from. Use 3765 * krb5_free_keyblock() to free @a to when it is no longer needed. 3766 * 3767 * @retval 0 Success; otherwise - Kerberos error codes 3768 */ 3769 krb5_error_code KRB5_CALLCONV 3770 krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, 3771 krb5_keyblock **to); 3772 3773 /** 3774 * Copy the contents of a keyblock. 3775 * 3776 * @param [in] context Library context 3777 * @param [in] from Key to be copied 3778 * @param [out] to Output key 3779 * 3780 * This function copies the contents of @a from to @a to. Use 3781 * krb5_free_keyblock_contents() to free @a to when it is no longer needed. 3782 * 3783 * @retval 0 Success; otherwise - Kerberos error codes 3784 */ 3785 krb5_error_code KRB5_CALLCONV 3786 krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from, 3787 krb5_keyblock *to); 3788 3789 /** 3790 * Copy a krb5_creds structure. 3791 * 3792 * @param [in] context Library context 3793 * @param [in] incred Credentials structure to be copied 3794 * @param [out] outcred Copy of @a incred 3795 * 3796 * This function creates a new credential with the contents of @a incred. Use 3797 * krb5_free_creds() to free @a outcred when it is no longer needed. 3798 * 3799 * @retval 0 Success; otherwise - Kerberos error codes 3800 */ 3801 krb5_error_code KRB5_CALLCONV 3802 krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred); 3803 3804 /** 3805 * Copy a krb5_data object. 3806 * 3807 * @param [in] context Library context 3808 * @param [in] indata Data object to be copied 3809 * @param [out] outdata Copy of @a indata 3810 * 3811 * This function creates a new krb5_data object with the contents of @a indata. 3812 * Use krb5_free_data() to free @a outdata when it is no longer needed. 3813 * 3814 * @retval 0 Success; otherwise - Kerberos error codes 3815 */ 3816 krb5_error_code KRB5_CALLCONV 3817 krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata); 3818 3819 /** 3820 * Copy a principal. 3821 * 3822 * @param [in] context Library context 3823 * @param [in] inprinc Principal to be copied 3824 * @param [out] outprinc Copy of @a inprinc 3825 * 3826 * This function creates a new principal structure with the contents of @a 3827 * inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer 3828 * needed. 3829 * 3830 * @retval 0 Success; otherwise - Kerberos error codes 3831 */ 3832 krb5_error_code KRB5_CALLCONV 3833 krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, 3834 krb5_principal *outprinc); 3835 3836 /** 3837 * Copy an array of addresses. 3838 * 3839 * @param [in] context Library context 3840 * @param [in] inaddr Array of addresses to be copied 3841 * @param [out] outaddr Copy of array of addresses 3842 * 3843 * This function creates a new address array containing a copy of @a inaddr. 3844 * Use krb5_free_addresses() to free @a outaddr when it is no longer needed. 3845 * 3846 * @retval 0 Success; otherwise - Kerberos error codes 3847 */ 3848 krb5_error_code KRB5_CALLCONV 3849 krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, 3850 krb5_address ***outaddr); 3851 3852 /** 3853 * Copy a krb5_ticket structure. 3854 * 3855 * @param [in] context Library context 3856 * @param [in] from Ticket to be copied 3857 * @param [out] pto Copy of ticket 3858 * 3859 * This function creates a new krb5_ticket structure containing the contents of 3860 * @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed. 3861 * 3862 * @retval 0 Success; otherwise - Kerberos error codes 3863 */ 3864 krb5_error_code KRB5_CALLCONV 3865 krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto); 3866 3867 /** 3868 * Copy an authorization data list. 3869 * 3870 * @param [in] context Library context 3871 * @param [in] in_authdat List of @a krb5_authdata structures 3872 * @param [out] out New array of @a krb5_authdata structures 3873 * 3874 * This function creates a new authorization data list containing a copy of @a 3875 * in_authdat, which must be null-terminated. Use krb5_free_authdata() to free 3876 * @a out when it is no longer needed. 3877 * 3878 * @note The last array entry in @a in_authdat must be a NULL pointer. 3879 * 3880 * @retval 0 Success; otherwise - Kerberos error codes 3881 */ 3882 krb5_error_code KRB5_CALLCONV 3883 krb5_copy_authdata(krb5_context context, 3884 krb5_authdata *const *in_authdat, krb5_authdata ***out); 3885 3886 /** 3887 * Find authorization data elements. 3888 * 3889 * @param [in] context Library context 3890 * @param [in] ticket_authdata Authorization data list from ticket 3891 * @param [in] ap_req_authdata Authorization data list from AP request 3892 * @param [in] ad_type Authorization data type to find 3893 * @param [out] results List of matching entries 3894 * 3895 * This function searches @a ticket_authdata and @a ap_req_authdata for 3896 * elements of type @a ad_type. Either input list may be NULL, in which case 3897 * it will not be searched; otherwise, the input lists must be terminated by 3898 * NULL entries. This function will search inside AD-IF-RELEVANT containers if 3899 * found in either list. Use krb5_free_authdata() to free @a results when it 3900 * is no longer needed. 3901 * 3902 * @version New in 1.10 3903 */ 3904 krb5_error_code KRB5_CALLCONV 3905 krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, 3906 krb5_authdata *const *ap_req_authdata, 3907 krb5_authdatatype ad_type, krb5_authdata ***results); 3908 3909 /** 3910 * Merge two authorization data lists into a new list. 3911 * 3912 * @param [in] context Library context 3913 * @param [in] inauthdat1 First list of @a krb5_authdata structures 3914 * @param [in] inauthdat2 Second list of @a krb5_authdata structures 3915 * @param [out] outauthdat Merged list of @a krb5_authdata structures 3916 * 3917 * Merge two authdata arrays, such as the array from a ticket 3918 * and authenticator. 3919 * Use krb5_free_authdata() to free @a outauthdat when it is no longer needed. 3920 * 3921 * @note The last array entry in @a inauthdat1 and @a inauthdat2 3922 * must be a NULL pointer. 3923 * 3924 * @retval 0 Success; otherwise - Kerberos error codes 3925 */ 3926 krb5_error_code KRB5_CALLCONV 3927 krb5_merge_authdata(krb5_context context, 3928 krb5_authdata *const *inauthdat1, 3929 krb5_authdata * const *inauthdat2, 3930 krb5_authdata ***outauthdat); 3931 3932 /** 3933 * Copy a krb5_authenticator structure. 3934 * 3935 * @param [in] context Library context 3936 * @param [in] authfrom krb5_authenticator structure to be copied 3937 * @param [out] authto Copy of krb5_authenticator structure 3938 * 3939 * This function creates a new krb5_authenticator structure with the content of 3940 * @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no 3941 * longer needed. 3942 * 3943 * @retval 0 Success; otherwise - Kerberos error codes 3944 */ 3945 krb5_error_code KRB5_CALLCONV 3946 krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, 3947 krb5_authenticator **authto); 3948 3949 /** 3950 * Copy a krb5_checksum structure. 3951 * 3952 * @param [in] context Library context 3953 * @param [in] ckfrom Checksum to be copied 3954 * @param [out] ckto Copy of krb5_checksum structure 3955 * 3956 * This function creates a new krb5_checksum structure with the contents of @a 3957 * ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer 3958 * needed. 3959 * 3960 * @retval 0 Success; otherwise - Kerberos error codes 3961 */ 3962 krb5_error_code KRB5_CALLCONV 3963 krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, 3964 krb5_checksum **ckto); 3965 3966 /** 3967 * Generate a replay cache object for server use and open it. 3968 * 3969 * @param [in] context Library context 3970 * @param [in] piece Unused (replay cache identifier) 3971 * @param [out] rcptr Handle to an open rcache 3972 * 3973 * This function creates a handle to the default replay cache. Use 3974 * krb5_rc_close() to close @a rcptr when it is no longer needed. 3975 * 3976 * @version Prior to release 1.18, this function creates a handle to a 3977 * different replay cache for each unique value of @a piece. 3978 * 3979 * @retval 0 Success; otherwise - Kerberos error codes 3980 */ 3981 krb5_error_code KRB5_CALLCONV 3982 krb5_get_server_rcache(krb5_context context, const krb5_data *piece, 3983 krb5_rcache *rcptr); 3984 3985 /** 3986 * Build a principal name using length-counted strings. 3987 * 3988 * @param [in] context Library context 3989 * @param [out] princ Principal name 3990 * @param [in] rlen Realm name length 3991 * @param [in] realm Realm name 3992 * @param [in] ... List of unsigned int/char * components, followed by 0 3993 * 3994 * This function creates a principal from a length-counted string and a 3995 * variable-length list of length-counted components. The list of components 3996 * ends with the first 0 length argument (so it is not possible to specify an 3997 * empty component with this function). Call krb5_free_principal() to free 3998 * allocated memory for principal when it is no longer needed. 3999 * 4000 * Beginning with release 1.20, the name type of the principal will be inferred 4001 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 4002 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 4003 * 4004 * @code 4005 * Example of how to build principal WELLKNOWN/ANONYMOUS@R 4006 * krb5_build_principal_ext(context, &principal, strlen("R"), "R", 4007 * (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR), 4008 * KRB5_WELLKNOWN_NAMESTR, 4009 * (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR), 4010 * KRB5_ANONYMOUS_PRINCSTR, 0); 4011 * @endcode 4012 * 4013 * @retval 4014 * 0 Success 4015 * @return 4016 * Kerberos error codes 4017 */ 4018 krb5_error_code KRB5_CALLCONV_C 4019 krb5_build_principal_ext(krb5_context context, krb5_principal * princ, 4020 unsigned int rlen, const char * realm, ...); 4021 4022 /** 4023 * Build a principal name using null-terminated strings. 4024 * 4025 * @param [in] context Library context 4026 * @param [out] princ Principal name 4027 * @param [in] rlen Realm name length 4028 * @param [in] realm Realm name 4029 * @param [in] ... List of char * components, ending with NULL 4030 * 4031 * Call krb5_free_principal() to free @a princ when it is no longer needed. 4032 * 4033 * Beginning with release 1.20, the name type of the principal will be inferred 4034 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. 4035 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. 4036 * 4037 * @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the 4038 * same task. krb5_build_principal() takes variadic arguments. 4039 * krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer. 4040 * 4041 * @code 4042 * Example of how to build principal H/S@R 4043 * krb5_build_principal(context, &principal, 4044 * strlen("R"), "R", "H", "S", (char*)NULL); 4045 * @endcode 4046 * 4047 * @retval 4048 * 0 Success 4049 * @return 4050 * Kerberos error codes 4051 */ 4052 krb5_error_code KRB5_CALLCONV_C 4053 krb5_build_principal(krb5_context context, 4054 krb5_principal * princ, 4055 unsigned int rlen, 4056 const char * realm, ...) 4057 #if __GNUC__ >= 4 4058 __attribute__ ((sentinel)) 4059 #endif 4060 ; 4061 #if KRB5_DEPRECATED 4062 /** @deprecated Replaced by krb5_build_principal_alloc_va(). */ 4063 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 4064 krb5_build_principal_va(krb5_context context, 4065 krb5_principal princ, 4066 unsigned int rlen, 4067 const char *realm, 4068 va_list ap); 4069 #endif 4070 4071 /** 4072 * Build a principal name, using a precomputed variable argument list 4073 * 4074 * @param [in] context Library context 4075 * @param [out] princ Principal structure 4076 * @param [in] rlen Realm name length 4077 * @param [in] realm Realm name 4078 * @param [in] ap List of char * components, ending with NULL 4079 * 4080 * Similar to krb5_build_principal(), this function builds a principal name, 4081 * but its name components are specified as a va_list. 4082 * 4083 * Use krb5_free_principal() to deallocate @a princ when it is no longer 4084 * needed. 4085 * 4086 * @code 4087 * Function usage example: 4088 * va_list ap; 4089 * va_start(ap, realm); 4090 * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap); 4091 * va_end(ap); 4092 * @endcode 4093 * 4094 * @retval 4095 * 0 Success 4096 * @return 4097 * Kerberos error codes 4098 */ 4099 krb5_error_code KRB5_CALLCONV 4100 krb5_build_principal_alloc_va(krb5_context context, 4101 krb5_principal *princ, 4102 unsigned int rlen, 4103 const char *realm, 4104 va_list ap); 4105 4106 /** 4107 * Convert a Kerberos V4 principal to a Kerberos V5 principal. 4108 * 4109 * @param [in] context Library context 4110 * @param [in] name V4 name 4111 * @param [in] instance V4 instance 4112 * @param [in] realm Realm 4113 * @param [out] princ V5 principal 4114 * 4115 * This function builds a @a princ from V4 specification based on given input 4116 * @a name.instance\@realm. 4117 * 4118 * Use krb5_free_principal() to free @a princ when it is no longer needed. 4119 * 4120 * @retval 0 Success; otherwise - Kerberos error codes 4121 */ 4122 krb5_error_code KRB5_CALLCONV 4123 krb5_425_conv_principal(krb5_context context, const char *name, 4124 const char *instance, const char *realm, 4125 krb5_principal *princ); 4126 4127 /** 4128 * Convert a Kerberos V5 principal to a Kerberos V4 principal. 4129 * 4130 * @param [in] context Library context 4131 * @param [in] princ V5 Principal 4132 * @param [out] name V4 principal's name to be filled in 4133 * @param [out] inst V4 principal's instance name to be filled in 4134 * @param [out] realm Principal's realm name to be filled in 4135 * 4136 * This function separates a V5 principal @a princ into @a name, @a instance, 4137 * and @a realm. 4138 * 4139 * @retval 4140 * 0 Success 4141 * @retval 4142 * KRB5_INVALID_PRINCIPAL Invalid principal name 4143 * @retval 4144 * KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file 4145 * @return 4146 * Kerberos error codes 4147 */ 4148 krb5_error_code KRB5_CALLCONV 4149 krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, 4150 char *name, char *inst, char *realm); 4151 /** 4152 *@deprecated 4153 */ 4154 struct credentials; 4155 4156 /** 4157 * Convert a Kerberos V5 credentials to a Kerberos V4 credentials 4158 * 4159 * @note Not implemented 4160 * 4161 * @retval KRB524_KRB4_DISABLED (always) 4162 */ 4163 int KRB5_CALLCONV 4164 krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, 4165 struct credentials *v4creds); 4166 4167 #if KRB5_DEPRECATED 4168 #define krb524_convert_creds_kdc krb5_524_convert_creds 4169 #define krb524_init_ets(x) (0) 4170 #endif 4171 4172 /* libkt.spec */ 4173 4174 /** 4175 * Get a handle for a key table. 4176 * 4177 * @param [in] context Library context 4178 * @param [in] name Name of the key table 4179 * @param [out] ktid Key table handle 4180 * 4181 * Resolve the key table name @a name and set @a ktid to a handle identifying 4182 * the key table. Use krb5_kt_close() to free @a ktid when it is no longer 4183 * needed. 4184 * 4185 * @a name must be of the form @c type:residual, where @a type must be a type 4186 * known to the library and @a residual portion should be specific to the 4187 * particular keytab type. If no @a type is given, the default is @c FILE. 4188 * 4189 * If @a name is of type @c FILE, the keytab file is not opened by this call. 4190 * 4191 * @code 4192 * Example: krb5_kt_resolve(context, "FILE:/tmp/filename", &ktid); 4193 * @endcode 4194 * 4195 * @retval 4196 * 0 Success 4197 * @return 4198 * Kerberos error codes 4199 */ 4200 krb5_error_code KRB5_CALLCONV 4201 krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid); 4202 4203 /** 4204 * Duplicate keytab handle. 4205 * 4206 * @param [in] context Library context 4207 * @param [in] in Key table handle to be duplicated 4208 * @param [out] out Key table handle 4209 * 4210 * Create a new handle referring to the same key table as @a in. The new 4211 * handle and @a in can be closed independently. 4212 * 4213 * @version New in 1.12 4214 */ 4215 krb5_error_code KRB5_CALLCONV 4216 krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out); 4217 4218 /** 4219 * Get the default key table name. 4220 * 4221 * @param [in] context Library context 4222 * @param [out] name Default key table name 4223 * @param [in] name_size Space available in @a name 4224 * 4225 * Fill @a name with the name of the default key table for @a context. 4226 * 4227 * @sa MAX_KEYTAB_NAME_LEN 4228 * 4229 * @retval 4230 * 0 Success 4231 * @retval 4232 * KRB5_CONFIG_NOTENUFSPACE Buffer is too short 4233 * @return 4234 * Kerberos error codes 4235 */ 4236 krb5_error_code KRB5_CALLCONV 4237 krb5_kt_default_name(krb5_context context, char *name, int name_size); 4238 4239 /** 4240 * Resolve the default key table. 4241 * 4242 * @param [in] context Library context 4243 * @param [out] id Key table handle 4244 * 4245 * Set @a id to a handle to the default key table. The key table is not 4246 * opened. 4247 * 4248 * @retval 4249 * 0 Success 4250 * @return 4251 * Kerberos error codes 4252 */ 4253 krb5_error_code KRB5_CALLCONV 4254 krb5_kt_default(krb5_context context, krb5_keytab *id); 4255 4256 /** 4257 * Resolve the default client key table. 4258 * 4259 * @param [in] context Library context 4260 * @param [out] keytab_out Key table handle 4261 * 4262 * Fill @a keytab_out with a handle to the default client key table. 4263 * 4264 * @version New in 1.11 4265 * 4266 * @retval 4267 * 0 Success 4268 * @return 4269 * Kerberos error codes 4270 */ 4271 krb5_error_code KRB5_CALLCONV 4272 krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out); 4273 4274 /** 4275 * Free the contents of a key table entry. 4276 * 4277 * @param [in] context Library context 4278 * @param [in] entry Key table entry whose contents are to be freed 4279 * 4280 * @note The pointer is not freed. 4281 * 4282 * @retval 0 Success; otherwise - Kerberos error codes 4283 */ 4284 krb5_error_code KRB5_CALLCONV 4285 krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry); 4286 4287 /** @deprecated Use krb5_free_keytab_entry_contents instead. */ 4288 krb5_error_code KRB5_CALLCONV 4289 krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry); 4290 4291 4292 /* remove and add are functions, so that they can return NOWRITE 4293 if not a writable keytab */ 4294 4295 /** 4296 * Remove an entry from a key table. 4297 * 4298 * @param [in] context Library context 4299 * @param [in] id Key table handle 4300 * @param [in] entry Entry to remove from key table 4301 * 4302 * @retval 4303 * 0 Success 4304 * @retval 4305 * KRB5_KT_NOWRITE Key table is not writable 4306 * @return 4307 * Kerberos error codes 4308 */ 4309 krb5_error_code KRB5_CALLCONV 4310 krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); 4311 4312 /** 4313 * Add a new entry to a key table. 4314 * 4315 * @param [in] context Library context 4316 * @param [in] id Key table handle 4317 * @param [in] entry Entry to be added 4318 * 4319 * @retval 4320 * 0 Success 4321 * @retval 4322 * ENOMEM Insufficient memory 4323 * @retval 4324 * KRB5_KT_NOWRITE Key table is not writeable 4325 * @return 4326 * Kerberos error codes 4327 */ 4328 krb5_error_code KRB5_CALLCONV 4329 krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); 4330 4331 /** 4332 * Convert a principal name into the default salt for that principal. 4333 * 4334 * @param [in] context Library context 4335 * @param [in] pr Principal name 4336 * @param [out] ret Default salt for @a pr to be filled in 4337 * 4338 * @retval 0 Success; otherwise - Kerberos error codes 4339 */ 4340 krb5_error_code KRB5_CALLCONV_WRONG 4341 krb5_principal2salt(krb5_context context, 4342 krb5_const_principal pr, krb5_data *ret); 4343 /* librc.spec--see rcache.h */ 4344 4345 /* libcc.spec */ 4346 4347 /** 4348 * Resolve a credential cache name. 4349 * 4350 * @param [in] context Library context 4351 * @param [in] name Credential cache name to be resolved 4352 * @param [out] cache Credential cache handle 4353 * 4354 * Fills in @a cache with a @a cache handle that corresponds to the name in @a 4355 * name. @a name should be of the form @c type:residual, and @a type must be a 4356 * type known to the library. If the @a name does not contain a colon, 4357 * interpret it as a file name. 4358 * 4359 * @code 4360 * Example: krb5_cc_resolve(context, "MEMORY:C_", &cache); 4361 * @endcode 4362 * 4363 * @retval 4364 * 0 Success 4365 * @return 4366 * Kerberos error codes 4367 */ 4368 krb5_error_code KRB5_CALLCONV 4369 krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache); 4370 4371 /** 4372 * Duplicate ccache handle. 4373 * 4374 * @param [in] context Library context 4375 * @param [in] in Credential cache handle to be duplicated 4376 * @param [out] out Credential cache handle 4377 * 4378 * Create a new handle referring to the same cache as @a in. 4379 * The new handle and @a in can be closed independently. 4380 */ 4381 krb5_error_code KRB5_CALLCONV 4382 krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out); 4383 4384 /** 4385 * Return the name of the default credential cache. 4386 * 4387 * @param [in] context Library context 4388 * 4389 * Return a pointer to the default credential cache name for @a context, as 4390 * determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME 4391 * environment variable, by the default_ccache_name profile variable, or by the 4392 * operating system or build-time default value. The returned value must not 4393 * be modified or freed by the caller. The returned value becomes invalid when 4394 * @a context is destroyed krb5_free_context() or if a subsequent call to 4395 * krb5_cc_set_default_name() is made on @a context. 4396 * 4397 * The default credential cache name is cached in @a context between calls to 4398 * this function, so if the value of KRB5CCNAME changes in the process 4399 * environment after the first call to this function on, that change will not 4400 * be reflected in later calls with the same context. The caller can invoke 4401 * krb5_cc_set_default_name() with a NULL value of @a name to clear the cached 4402 * value and force the default name to be recomputed. 4403 * 4404 * @return 4405 * Name of default credential cache for the current user. 4406 */ 4407 const char *KRB5_CALLCONV 4408 krb5_cc_default_name(krb5_context context); 4409 4410 /** 4411 * Set the default credential cache name. 4412 * 4413 * @param [in] context Library context 4414 * @param [in] name Default credential cache name or NULL 4415 * 4416 * Set the default credential cache name to @a name for future operations using 4417 * @a context. If @a name is NULL, clear any previous application-set default 4418 * name and forget any cached value of the default name for @a context. 4419 * 4420 * Calls to this function invalidate the result of any previous calls to 4421 * krb5_cc_default_name() using @a context. 4422 * 4423 * @retval 4424 * 0 Success 4425 * @retval 4426 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure 4427 * @return 4428 * Kerberos error codes 4429 */ 4430 krb5_error_code KRB5_CALLCONV 4431 krb5_cc_set_default_name(krb5_context context, const char *name); 4432 4433 /** 4434 * Resolve the default credential cache name. 4435 * 4436 * @param [in] context Library context 4437 * @param [out] ccache Pointer to credential cache name 4438 * 4439 * Create a handle to the default credential cache as given by 4440 * krb5_cc_default_name(). 4441 * 4442 * @retval 4443 * 0 Success 4444 * @retval 4445 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure 4446 * @retval 4447 * KRB5_FCC_INTERNAL The name of the default credential cache cannot be 4448 * obtained 4449 * @return 4450 * Kerberos error codes 4451 */ 4452 krb5_error_code KRB5_CALLCONV 4453 krb5_cc_default(krb5_context context, krb5_ccache *ccache); 4454 4455 /** 4456 * Copy a credential cache. 4457 * 4458 * @param [in] context Library context 4459 * @param [in] incc Credential cache to be copied 4460 * @param [out] outcc Copy of credential cache to be filled in 4461 * 4462 * @retval 0 Success; otherwise - Kerberos error codes 4463 */ 4464 krb5_error_code KRB5_CALLCONV 4465 krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); 4466 4467 /** 4468 * Get a configuration value from a credential cache. 4469 * 4470 * @param [in] context Library context 4471 * @param [in] id Credential cache handle 4472 * @param [in] principal Configuration for this principal; 4473 * if NULL, global for the whole cache 4474 * @param [in] key Name of config variable 4475 * @param [out] data Data to be fetched 4476 * 4477 * Use krb5_free_data_contents() to free @a data when it is no longer needed. 4478 * 4479 * @retval 4480 * 0 Success 4481 * @return 4482 * Kerberos error codes 4483 */ 4484 krb5_error_code KRB5_CALLCONV 4485 krb5_cc_get_config(krb5_context context, krb5_ccache id, 4486 krb5_const_principal principal, 4487 const char *key, krb5_data *data); 4488 4489 /** 4490 * Store a configuration value in a credential cache. 4491 * 4492 * @param [in] context Library context 4493 * @param [in] id Credential cache handle 4494 * @param [in] principal Configuration for a specific principal; 4495 * if NULL, global for the whole cache 4496 * @param [in] key Name of config variable 4497 * @param [in] data Data to store, or NULL to remove 4498 * 4499 * @note Existing configuration under the same key is over-written. 4500 * 4501 * @warning Before version 1.10 @a data was assumed to be always non-null. 4502 * 4503 * @retval 4504 * 0 Success 4505 * @return 4506 * Kerberos error codes 4507 */ 4508 krb5_error_code KRB5_CALLCONV 4509 krb5_cc_set_config(krb5_context context, krb5_ccache id, 4510 krb5_const_principal principal, 4511 const char *key, krb5_data *data); 4512 4513 /** 4514 * Test whether a principal is a configuration principal. 4515 * 4516 * @param [in] context Library context 4517 * @param [in] principal Principal to check 4518 * 4519 * @return 4520 * @c TRUE if the principal is a configuration principal (generated part of 4521 * krb5_cc_set_config()); @c FALSE otherwise. 4522 */ 4523 krb5_boolean KRB5_CALLCONV 4524 krb5_is_config_principal(krb5_context context, krb5_const_principal principal); 4525 4526 /** 4527 * Make a credential cache the primary cache for its collection. 4528 * 4529 * @param [in] context Library context 4530 * @param [in] cache Credential cache handle 4531 * 4532 * If the type of @a cache supports it, set @a cache to be the primary 4533 * credential cache for the collection it belongs to. 4534 * 4535 * @retval 4536 * 0 Success, or the type of @a cache doesn't support switching 4537 * @return 4538 * Kerberos error codes 4539 */ 4540 krb5_error_code KRB5_CALLCONV 4541 krb5_cc_switch(krb5_context context, krb5_ccache cache); 4542 4543 /** 4544 * Determine whether a credential cache type supports switching. 4545 * 4546 * @param [in] context Library context 4547 * @param [in] type Credential cache type 4548 * 4549 * @version New in 1.10 4550 * 4551 * @retval TRUE if @a type supports switching 4552 * @retval FALSE if it does not or is not a valid credential cache type. 4553 */ 4554 krb5_boolean KRB5_CALLCONV 4555 krb5_cc_support_switch(krb5_context context, const char *type); 4556 4557 /** 4558 * Find a credential cache with a specified client principal. 4559 * 4560 * @param [in] context Library context 4561 * @param [in] client Client principal 4562 * @param [out] cache_out Credential cache handle 4563 * 4564 * Find a cache within the collection whose default principal is @a client. 4565 * Use @a krb5_cc_close to close @a ccache when it is no longer needed. 4566 * 4567 * @retval 0 Success 4568 * @retval KRB5_CC_NOTFOUND 4569 * 4570 * @sa krb5_cccol_cursor_new 4571 * 4572 * @version New in 1.10 4573 */ 4574 krb5_error_code KRB5_CALLCONV 4575 krb5_cc_cache_match(krb5_context context, krb5_principal client, 4576 krb5_ccache *cache_out); 4577 4578 /** 4579 * Select a credential cache to use with a server principal. 4580 * 4581 * @param [in] context Library context 4582 * @param [in] server Server principal 4583 * @param [out] cache_out Credential cache handle 4584 * @param [out] princ_out Client principal 4585 * 4586 * Select a cache within the collection containing credentials most appropriate 4587 * for use with @a server, according to configured rules and heuristics. 4588 * 4589 * Use krb5_cc_close() to release @a cache_out when it is no longer needed. 4590 * Use krb5_free_principal() to release @a princ_out when it is no longer 4591 * needed. Note that @a princ_out is set in some error conditions. 4592 * 4593 * @return 4594 * If an appropriate cache is found, 0 is returned, @a cache_out is set to the 4595 * selected cache, and @a princ_out is set to the default principal of that 4596 * cache. 4597 * 4598 * If the appropriate client principal can be authoritatively determined but 4599 * the cache collection contains no credentials for that principal, then 4600 * KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out 4601 * is set to the appropriate client principal. 4602 * 4603 * If no configured mechanism can determine the appropriate cache or principal, 4604 * KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to 4605 * NULL. 4606 * 4607 * Any other error code indicates a fatal error in the processing of a cache 4608 * selection mechanism. 4609 * 4610 * @version New in 1.10 4611 */ 4612 krb5_error_code KRB5_CALLCONV 4613 krb5_cc_select(krb5_context context, krb5_principal server, 4614 krb5_ccache *cache_out, krb5_principal *princ_out); 4615 4616 /* krb5_free.c */ 4617 /** 4618 * Free the storage assigned to a principal. 4619 * 4620 * @param [in] context Library context 4621 * @param [in] val Principal to be freed 4622 */ 4623 void KRB5_CALLCONV 4624 krb5_free_principal(krb5_context context, krb5_principal val); 4625 4626 /** 4627 * Free a krb5_authenticator structure. 4628 * 4629 * @param [in] context Library context 4630 * @param [in] val Authenticator structure to be freed 4631 * 4632 * This function frees the contents of @a val and the structure itself. 4633 */ 4634 void KRB5_CALLCONV 4635 krb5_free_authenticator(krb5_context context, krb5_authenticator *val); 4636 4637 /** 4638 * Free the data stored in array of addresses. 4639 * 4640 * @param [in] context Library context 4641 * @param [in] val Array of addresses to be freed 4642 * 4643 * This function frees the contents of @a val and the array itself. 4644 * 4645 * @note The last entry in the array must be a NULL pointer. 4646 */ 4647 void KRB5_CALLCONV 4648 krb5_free_addresses(krb5_context context, krb5_address **val); 4649 4650 /** 4651 * Free the storage assigned to array of authentication data. 4652 * 4653 * @param [in] context Library context 4654 * @param [in] val Array of authentication data to be freed 4655 * 4656 * This function frees the contents of @a val and the array itself. 4657 * 4658 * @note The last entry in the array must be a NULL pointer. 4659 */ 4660 void KRB5_CALLCONV 4661 krb5_free_authdata(krb5_context context, krb5_authdata **val); 4662 4663 /** 4664 * Free a ticket. 4665 * 4666 * @param [in] context Library context 4667 * @param [in] val Ticket to be freed 4668 * 4669 * This function frees the contents of @a val and the structure itself. 4670 */ 4671 void KRB5_CALLCONV 4672 krb5_free_ticket(krb5_context context, krb5_ticket *val); 4673 4674 /** 4675 * Free an error allocated by krb5_read_error() or krb5_sendauth(). 4676 * 4677 * @param [in] context Library context 4678 * @param [in] val Error data structure to be freed 4679 * 4680 * This function frees the contents of @a val and the structure itself. 4681 */ 4682 void KRB5_CALLCONV 4683 krb5_free_error(krb5_context context, krb5_error *val); 4684 4685 /** 4686 * Free a krb5_creds structure. 4687 * 4688 * @param [in] context Library context 4689 * @param [in] val Credential structure to be freed. 4690 * 4691 * This function frees the contents of @a val and the structure itself. 4692 */ 4693 void KRB5_CALLCONV 4694 krb5_free_creds(krb5_context context, krb5_creds *val); 4695 4696 /** 4697 * Free the contents of a krb5_creds structure. 4698 * 4699 * @param [in] context Library context 4700 * @param [in] val Credential structure to free contents of 4701 * 4702 * This function frees the contents of @a val, but not the structure itself. 4703 */ 4704 void KRB5_CALLCONV 4705 krb5_free_cred_contents(krb5_context context, krb5_creds *val); 4706 4707 /** 4708 * Free a krb5_checksum structure. 4709 * 4710 * @param [in] context Library context 4711 * @param [in] val Checksum structure to be freed 4712 * 4713 * This function frees the contents of @a val and the structure itself. 4714 */ 4715 void KRB5_CALLCONV 4716 krb5_free_checksum(krb5_context context, krb5_checksum *val); 4717 4718 /** 4719 * Free the contents of a krb5_checksum structure. 4720 * 4721 * @param [in] context Library context 4722 * @param [in] val Checksum structure to free contents of 4723 * 4724 * This function frees the contents of @a val, but not the structure itself. 4725 * It sets the checksum's data pointer to null and (beginning in release 1.19) 4726 * sets its length to zero. 4727 */ 4728 void KRB5_CALLCONV 4729 krb5_free_checksum_contents(krb5_context context, krb5_checksum *val); 4730 4731 /** 4732 * Free a krb5_keyblock structure. 4733 * 4734 * @param [in] context Library context 4735 * @param [in] val Keyblock to be freed 4736 * 4737 * This function frees the contents of @a val and the structure itself. 4738 */ 4739 void KRB5_CALLCONV 4740 krb5_free_keyblock(krb5_context context, krb5_keyblock *val); 4741 4742 /** 4743 * Free the contents of a krb5_keyblock structure. 4744 * 4745 * @param [in] context Library context 4746 * @param [in] key Keyblock to be freed 4747 * 4748 * This function frees the contents of @a key, but not the structure itself. 4749 */ 4750 void KRB5_CALLCONV 4751 krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key); 4752 4753 /** 4754 * Free a krb5_ap_rep_enc_part structure. 4755 * 4756 * @param [in] context Library context 4757 * @param [in] val AP-REP enc part to be freed 4758 * 4759 * This function frees the contents of @a val and the structure itself. 4760 */ 4761 void KRB5_CALLCONV 4762 krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); 4763 4764 /** 4765 * Free a krb5_data structure. 4766 * 4767 * @param [in] context Library context 4768 * @param [in] val Data structure to be freed 4769 * 4770 * This function frees the contents of @a val and the structure itself. 4771 */ 4772 void KRB5_CALLCONV 4773 krb5_free_data(krb5_context context, krb5_data *val); 4774 4775 /* Free a krb5_octet_data structure (should be unused). */ 4776 void KRB5_CALLCONV 4777 krb5_free_octet_data(krb5_context context, krb5_octet_data *val); 4778 4779 /** 4780 * Free the contents of a krb5_data structure and zero the data field. 4781 * 4782 * @param [in] context Library context 4783 * @param [in] val Data structure to free contents of 4784 * 4785 * This function frees the contents of @a val, but not the structure itself. 4786 * It sets the structure's data pointer to null and (beginning in release 1.19) 4787 * sets its length to zero. 4788 */ 4789 void KRB5_CALLCONV 4790 krb5_free_data_contents(krb5_context context, krb5_data *val); 4791 4792 /** 4793 * Free a string representation of a principal. 4794 * 4795 * @param [in] context Library context 4796 * @param [in] val Name string to be freed 4797 */ 4798 void KRB5_CALLCONV 4799 krb5_free_unparsed_name(krb5_context context, char *val); 4800 4801 /** 4802 * Free a string allocated by a krb5 function. 4803 * 4804 * @param [in] context Library context 4805 * @param [in] val String to be freed 4806 * 4807 * @version New in 1.10 4808 */ 4809 void KRB5_CALLCONV 4810 krb5_free_string(krb5_context context, char *val); 4811 4812 /** 4813 * Free an array of encryption types. 4814 * 4815 * @param [in] context Library context 4816 * @param [in] val Array of enctypes to be freed 4817 * 4818 * @version New in 1.12 4819 */ 4820 void KRB5_CALLCONV 4821 krb5_free_enctypes(krb5_context context, krb5_enctype *val); 4822 4823 /** 4824 * Free an array of checksum types. 4825 * 4826 * @param [in] context Library context 4827 * @param [in] val Array of checksum types to be freed 4828 */ 4829 void KRB5_CALLCONV 4830 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val); 4831 4832 /* From krb5/os, but needed by the outside world */ 4833 /** 4834 * Retrieve the system time of day, in sec and ms, since the epoch. 4835 * 4836 * @param [in] context Library context 4837 * @param [out] seconds System timeofday, seconds portion 4838 * @param [out] microseconds System timeofday, microseconds portion 4839 * 4840 * This function retrieves the system time of day with the context 4841 * specific time offset adjustment. 4842 * 4843 * @sa krb5_crypto_us_timeofday() 4844 * 4845 * @retval 4846 * 0 Success 4847 * @return 4848 * Kerberos error codes 4849 */ 4850 krb5_error_code KRB5_CALLCONV 4851 krb5_us_timeofday(krb5_context context, 4852 krb5_timestamp *seconds, krb5_int32 *microseconds); 4853 4854 /** 4855 * Retrieve the current time with context specific time offset adjustment. 4856 * 4857 * @param [in] context Library context 4858 * @param [out] timeret Timestamp to fill in 4859 * 4860 * This function retrieves the system time of day with the context specific 4861 * time offset adjustment. 4862 * 4863 * @retval 4864 * 0 Success 4865 * @return 4866 * Kerberos error codes 4867 */ 4868 krb5_error_code KRB5_CALLCONV 4869 krb5_timeofday(krb5_context context, krb5_timestamp *timeret); 4870 4871 /** 4872 * Check if a timestamp is within the allowed clock skew of the current time. 4873 * 4874 * @param [in] context Library context 4875 * @param [in] date Timestamp to check 4876 * 4877 * This function checks if @a date is close enough to the current time 4878 * according to the configured allowable clock skew. 4879 * 4880 * @version New in 1.10 4881 * 4882 * @retval 0 Success 4883 * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew 4884 */ 4885 krb5_error_code KRB5_CALLCONV 4886 krb5_check_clockskew(krb5_context context, krb5_timestamp date); 4887 4888 /** 4889 * Return all interface addresses for this host. 4890 * 4891 * @param [in] context Library context 4892 * @param [out] addr Array of krb5_address pointers, ending with 4893 * NULL 4894 * 4895 * Use krb5_free_addresses() to free @a addr when it is no longer needed. 4896 * 4897 * @retval 0 Success; otherwise - Kerberos error codes 4898 */ 4899 krb5_error_code KRB5_CALLCONV 4900 krb5_os_localaddr(krb5_context context, krb5_address ***addr); 4901 4902 /** 4903 * Retrieve the default realm. 4904 * 4905 * @param [in] context Library context 4906 * @param [out] lrealm Default realm name 4907 * 4908 * Retrieves the default realm to be used if no user-specified realm is 4909 * available. 4910 * 4911 * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed. 4912 * 4913 * @retval 4914 * 0 Success 4915 * @return 4916 * Kerberos error codes 4917 */ 4918 krb5_error_code KRB5_CALLCONV 4919 krb5_get_default_realm(krb5_context context, char **lrealm); 4920 4921 /** 4922 * Override the default realm for the specified context. 4923 * 4924 * @param [in] context Library context 4925 * @param [in] lrealm Realm name for the default realm 4926 * 4927 * If @a lrealm is NULL, clear the default realm setting. 4928 * 4929 * @retval 4930 * 0 Success 4931 * @return 4932 * Kerberos error codes 4933 */ 4934 krb5_error_code KRB5_CALLCONV 4935 krb5_set_default_realm(krb5_context context, const char *lrealm); 4936 4937 /** 4938 * Free a default realm string returned by krb5_get_default_realm(). 4939 * 4940 * @param [in] context Library context 4941 * @param [in] lrealm Realm to be freed 4942 */ 4943 void KRB5_CALLCONV 4944 krb5_free_default_realm(krb5_context context, char *lrealm); 4945 4946 /** 4947 * Canonicalize a hostname, possibly using name service. 4948 * 4949 * @param [in] context Library context 4950 * @param [in] host Input hostname 4951 * @param [out] canonhost_out Canonicalized hostname 4952 * 4953 * This function canonicalizes orig_hostname, possibly using name service 4954 * lookups if configuration permits. Use krb5_free_string() to free @a 4955 * canonhost_out when it is no longer needed. 4956 * 4957 * @version New in 1.15 4958 */ 4959 krb5_error_code KRB5_CALLCONV 4960 krb5_expand_hostname(krb5_context context, const char *host, 4961 char **canonhost_out); 4962 4963 /** 4964 * Generate a full principal name from a service name. 4965 * 4966 * @param [in] context Library context 4967 * @param [in] hostname Host name, or NULL to use local host 4968 * @param [in] sname Service name, or NULL to use @c "host" 4969 * @param [in] type Principal type 4970 * @param [out] ret_princ Generated principal 4971 * 4972 * This function converts a @a hostname and @a sname into @a krb5_principal 4973 * structure @a ret_princ. The returned principal will be of the form @a 4974 * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm(). 4975 * In some cases this may be the referral (empty) realm. 4976 * 4977 * The @a type can be one of the following: 4978 * 4979 * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the 4980 * realm and generating the principal. 4981 * 4982 * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not 4983 * canonicalize it. 4984 * 4985 * Use krb5_free_principal to free @a ret_princ when it is no longer needed. 4986 * 4987 * @retval 4988 * 0 Success 4989 * @return 4990 * Kerberos error codes 4991 */ 4992 krb5_error_code KRB5_CALLCONV 4993 krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, 4994 krb5_int32 type, krb5_principal *ret_princ); 4995 4996 /** 4997 * Test whether a principal matches a matching principal. 4998 * 4999 * @param [in] context Library context 5000 * @param [in] matching Matching principal 5001 * @param [in] princ Principal to test 5002 * 5003 * @note A matching principal is a host-based principal with an empty realm 5004 * and/or second data component (hostname). Profile configuration may cause 5005 * the hostname to be ignored even if it is present. A principal matches a 5006 * matching principal if the former has the same non-empty (and non-ignored) 5007 * components of the latter. 5008 * 5009 * If @a matching is NULL, return TRUE. If @a matching is not a matching 5010 * principal, return the value of krb5_principal_compare(context, matching, 5011 * princ). 5012 * 5013 * @return 5014 * TRUE if @a princ matches @a matching, FALSE otherwise. 5015 */ 5016 krb5_boolean KRB5_CALLCONV 5017 krb5_sname_match(krb5_context context, krb5_const_principal matching, 5018 krb5_const_principal princ); 5019 5020 /** 5021 * Change a password for an existing Kerberos account. 5022 * 5023 * @param [in] context Library context 5024 * @param [in] creds Credentials for kadmin/changepw service 5025 * @param [in] newpw New password 5026 * @param [out] result_code Numeric error code from server 5027 * @param [out] result_code_string String equivalent to @a result_code 5028 * @param [out] result_string Change password response from the KDC 5029 * 5030 * Change the password for the existing principal identified by @a creds. 5031 * 5032 * The possible values of the output @a result_code are: 5033 * 5034 * @li #KRB5_KPASSWD_SUCCESS (0) - success 5035 * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error 5036 * @li #KRB5_KPASSWD_HARDERROR (2) - Server error 5037 * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error 5038 * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected 5039 * 5040 * @retval 0 Success; otherwise - Kerberos error codes 5041 */ 5042 krb5_error_code KRB5_CALLCONV 5043 krb5_change_password(krb5_context context, krb5_creds *creds, 5044 const char *newpw, int *result_code, 5045 krb5_data *result_code_string, krb5_data *result_string); 5046 5047 /** 5048 * Set a password for a principal using specified credentials. 5049 * 5050 * @param [in] context Library context 5051 * @param [in] creds Credentials for kadmin/changepw service 5052 * @param [in] newpw New password 5053 * @param [in] change_password_for Change the password for this principal 5054 * @param [out] result_code Numeric error code from server 5055 * @param [out] result_code_string String equivalent to @a result_code 5056 * @param [out] result_string Data returned from the remote system 5057 * 5058 * This function uses the credentials @a creds to set the password @a newpw for 5059 * the principal @a change_password_for. It implements the set password 5060 * operation of RFC 3244, for interoperability with Microsoft Windows 5061 * implementations. 5062 * 5063 * @note If @a change_password_for is NULL, the change is performed on the 5064 * current principal. If @a change_password_for is non-null, the change is 5065 * performed on the principal name passed in @a change_password_for. 5066 * 5067 * The error code and strings are returned in @a result_code, 5068 * @a result_code_string and @a result_string. 5069 * 5070 * @sa krb5_set_password_using_ccache() 5071 * 5072 * @retval 5073 * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS. 5074 * @return 5075 * Kerberos error codes. 5076 */ 5077 krb5_error_code KRB5_CALLCONV 5078 krb5_set_password(krb5_context context, krb5_creds *creds, const char *newpw, 5079 krb5_principal change_password_for, int *result_code, 5080 krb5_data *result_code_string, krb5_data *result_string); 5081 5082 /** 5083 * Set a password for a principal using cached credentials. 5084 * 5085 * @param [in] context Library context 5086 * @param [in] ccache Credential cache 5087 * @param [in] newpw New password 5088 * @param [in] change_password_for Change the password for this principal 5089 * @param [out] result_code Numeric error code from server 5090 * @param [out] result_code_string String equivalent to @a result_code 5091 * @param [out] result_string Data returned from the remote system 5092 * 5093 * This function uses the cached credentials from @a ccache to set the password 5094 * @a newpw for the principal @a change_password_for. It implements RFC 3244 5095 * set password operation (interoperable with MS Windows implementations) using 5096 * the credential cache. 5097 * 5098 * The error code and strings are returned in @a result_code, 5099 * @a result_code_string and @a result_string. 5100 * 5101 * @note If @a change_password_for is set to NULL, the change is performed on 5102 * the default principal in @a ccache. If @a change_password_for is non null, 5103 * the change is performed on the specified principal. 5104 * 5105 * @sa krb5_set_password() 5106 * 5107 * @retval 5108 * 0 Success 5109 * @return 5110 * Kerberos error codes 5111 */ 5112 krb5_error_code KRB5_CALLCONV 5113 krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, 5114 const char *newpw, 5115 krb5_principal change_password_for, 5116 int *result_code, krb5_data *result_code_string, 5117 krb5_data *result_string); 5118 5119 /** 5120 * Get a result message for changing or setting a password. 5121 * 5122 * @param [in] context Library context 5123 * @param [in] server_string Data returned from the remote system 5124 * @param [out] message_out A message displayable to the user 5125 * 5126 * This function processes the @a server_string returned in the @a 5127 * result_string parameter of krb5_change_password(), krb5_set_password(), and 5128 * related functions, and returns a displayable string. If @a server_string 5129 * contains Active Directory structured policy information, it will be 5130 * converted into human-readable text. 5131 * 5132 * Use krb5_free_string() to free @a message_out when it is no longer needed. 5133 * 5134 * @retval 5135 * 0 Success 5136 * @return 5137 * Kerberos error codes 5138 * 5139 * @version New in 1.11 5140 */ 5141 krb5_error_code KRB5_CALLCONV 5142 krb5_chpw_message(krb5_context context, const krb5_data *server_string, 5143 char **message_out); 5144 5145 /** 5146 * Retrieve configuration profile from the context. 5147 * 5148 * @param [in] context Library context 5149 * @param [out] profile Pointer to data read from a configuration file 5150 * 5151 * This function creates a new @a profile object that reflects profile 5152 * in the supplied @a context. 5153 * 5154 * The @a profile object may be freed with profile_release() function. 5155 * See profile.h and profile API for more details. 5156 * 5157 * @retval 5158 * 0 Success 5159 * @return 5160 * Kerberos error codes 5161 */ 5162 krb5_error_code KRB5_CALLCONV 5163 krb5_get_profile(krb5_context context, struct _profile_t ** profile); 5164 5165 #if KRB5_DEPRECATED 5166 /** @deprecated Replaced by krb5_get_init_creds_password().*/ 5167 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5168 krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, 5169 krb5_address *const *addrs, krb5_enctype *ktypes, 5170 krb5_preauthtype *pre_auth_types, 5171 const char *password, krb5_ccache ccache, 5172 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5173 5174 /** @deprecated Replaced by krb5_get_init_creds(). */ 5175 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5176 krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, 5177 krb5_address *const *addrs, krb5_enctype *ktypes, 5178 krb5_preauthtype *pre_auth_types, 5179 const krb5_keyblock *key, krb5_ccache ccache, 5180 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5181 5182 /** @deprecated Replaced by krb5_get_init_creds_keytab(). */ 5183 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5184 krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, 5185 krb5_address *const *addrs, krb5_enctype *ktypes, 5186 krb5_preauthtype *pre_auth_types, 5187 krb5_keytab arg_keytab, krb5_ccache ccache, 5188 krb5_creds *creds, krb5_kdc_rep **ret_as_reply); 5189 5190 #endif /* KRB5_DEPRECATED */ 5191 5192 /** 5193 * Parse and decrypt a @c KRB_AP_REQ message. 5194 * 5195 * @param [in] context Library context 5196 * @param [in,out] auth_context Pre-existing or newly created auth context 5197 * @param [in] inbuf AP-REQ message to be parsed 5198 * @param [in] server Matching principal for server, or NULL to 5199 * allow any principal in keytab 5200 * @param [in] keytab Key table, or NULL to use the default 5201 * @param [out] ap_req_options If non-null, the AP-REQ flags on output 5202 * @param [out] ticket If non-null, ticket from the AP-REQ message 5203 * 5204 * This function parses, decrypts and verifies a AP-REQ message from @a inbuf 5205 * and stores the authenticator in @a auth_context. 5206 * 5207 * If a keyblock was specified in @a auth_context using 5208 * krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in 5209 * AP-REQ message and @a keytab is ignored. In this case, @a server should be 5210 * specified as a complete principal name to allow for proper transited-path 5211 * checking and replay cache selection. 5212 * 5213 * Otherwise, the decryption key is obtained from @a keytab, or from the 5214 * default keytab if it is NULL. In this case, @a server may be a complete 5215 * principal name, a matching principal (see krb5_sname_match()), or NULL to 5216 * match any principal name. The keys tried against the encrypted part of the 5217 * ticket are determined as follows: 5218 * 5219 * - If @a server is a complete principal name, then its entry in @a keytab is 5220 * tried. 5221 * - Otherwise, if @a keytab is iterable, then all entries in @a keytab which 5222 * match @a server are tried. 5223 * - Otherwise, the server principal in the ticket must match @a server, and 5224 * its entry in @a keytab is tried. 5225 * 5226 * The client specified in the decrypted authenticator must match the client 5227 * specified in the decrypted ticket. 5228 * 5229 * If the @a remote_addr field of @a auth_context is set, the request must come 5230 * from that address. 5231 * 5232 * If a replay cache handle is provided in the @a auth_context, the 5233 * authenticator and ticket are verified against it. If no conflict is found, 5234 * the new authenticator is then stored in the replay cache of @a auth_context. 5235 * 5236 * Various other checks are performed on the decoded data, including 5237 * cross-realm policy, clockskew, and ticket validation times. 5238 * 5239 * On success the authenticator, subkey, and remote sequence number of the 5240 * request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED 5241 * bit is set, the local sequence number is XORed with the remote sequence 5242 * number in the request. 5243 * 5244 * Use krb5_free_ticket() to free @a ticket when it is no longer needed. 5245 * 5246 * @retval 0 Success; otherwise - Kerberos error codes 5247 */ 5248 krb5_error_code KRB5_CALLCONV 5249 krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, 5250 const krb5_data *inbuf, krb5_const_principal server, 5251 krb5_keytab keytab, krb5_flags *ap_req_options, 5252 krb5_ticket **ticket); 5253 5254 /** 5255 * Retrieve a service key from a key table. 5256 * 5257 * @param [in] context Library context 5258 * @param [in] keyprocarg Name of a key table (NULL to use default name) 5259 * @param [in] principal Service principal 5260 * @param [in] vno Key version number (0 for highest available) 5261 * @param [in] enctype Encryption type (0 for any type) 5262 * @param [out] key Service key from key table 5263 * 5264 * Open and search the specified key table for the entry identified by @a 5265 * principal, @a enctype, and @a vno. If no key is found, return an error code. 5266 * 5267 * The default key table is used, unless @a keyprocarg is non-null. 5268 * @a keyprocarg designates a specific key table. 5269 * 5270 * Use krb5_free_keyblock() to free @a key when it is no longer needed. 5271 * 5272 * @retval 5273 * 0 Success 5274 * @return Kerberos error code if not found or @a keyprocarg is invalid. 5275 */ 5276 krb5_error_code KRB5_CALLCONV 5277 krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, 5278 krb5_principal principal, krb5_kvno vno, 5279 krb5_enctype enctype, krb5_keyblock **key); 5280 5281 /** 5282 * Format a @c KRB-SAFE message. 5283 * 5284 * @param [in] context Library context 5285 * @param [in] auth_context Authentication context 5286 * @param [in] userdata User data in the message 5287 * @param [out] der_out Formatted @c KRB-SAFE buffer 5288 * @param [out] rdata_out Replay data. Specify NULL if not needed 5289 * 5290 * This function creates an integrity protected @c KRB-SAFE message 5291 * using data supplied by the application. 5292 * 5293 * Fields in @a auth_context specify the checksum type, the keyblock that 5294 * can be used to seed the checksum, full addresses (host and port) for 5295 * the sender and receiver, and KRB5_AUTH_CONTEXT flags. 5296 * 5297 * The local address in @a auth_context must be set, and is used to form the 5298 * sender address used in the KRB-SAFE message. The remote address is 5299 * optional; if specified, it will be used to form the receiver address used in 5300 * the message. 5301 * 5302 * @note The @a rdata_out argument is required if the 5303 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5304 * in @a auth_context. 5305 * 5306 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a 5307 * timestamp is included in the KRB-SAFE message, and an entry for the message 5308 * is entered in an in-memory replay cache to detect if the message is 5309 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no 5310 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5311 * auth_context, a timestamp is included in the KRB-SAFE message and is stored 5312 * in @a rdata_out. 5313 * 5314 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5315 * is set, the @a auth_context local sequence number is included in the 5316 * KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5317 * is set, the sequence number used is stored in @a rdata_out. 5318 * 5319 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5320 * needed. 5321 * 5322 * @retval 0 Success; otherwise - Kerberos error codes 5323 */ 5324 krb5_error_code KRB5_CALLCONV 5325 krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, 5326 const krb5_data *userdata, krb5_data *der_out, 5327 krb5_replay_data *rdata_out); 5328 5329 /** 5330 * Format a @c KRB-PRIV message. 5331 * 5332 * @param [in] context Library context 5333 * @param [in] auth_context Authentication context 5334 * @param [in] userdata User data for @c KRB-PRIV message 5335 * @param [out] der_out Formatted @c KRB-PRIV message 5336 * @param [out] rdata_out Replay data (NULL if not needed) 5337 * 5338 * This function is similar to krb5_mk_safe(), but the message is encrypted and 5339 * integrity-protected, not just integrity-protected. 5340 * 5341 * The local address in @a auth_context must be set, and is used to form the 5342 * sender address used in the KRB-PRIV message. The remote address is 5343 * optional; if specified, it will be used to form the receiver address used in 5344 * the message. 5345 * 5346 * @note The @a rdata_out argument is required if the 5347 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5348 * in @a auth_context. 5349 * 5350 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a 5351 * timestamp is included in the KRB-PRIV message, and an entry for the message 5352 * is entered in an in-memory replay cache to detect if the message is 5353 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no 5354 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5355 * auth_context, a timestamp is included in the KRB-PRIV message and is stored 5356 * in @a rdata_out. 5357 * 5358 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5359 * is set, the @a auth_context local sequence number is included in the 5360 * KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5361 * is set, the sequence number used is stored in @a rdata_out. 5362 * 5363 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5364 * needed. 5365 * 5366 * @retval 0 Success; otherwise - Kerberos error codes 5367 */ 5368 krb5_error_code KRB5_CALLCONV 5369 krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, 5370 const krb5_data *userdata, krb5_data *der_out, 5371 krb5_replay_data *rdata_out); 5372 5373 /** 5374 * Client function for @c sendauth protocol. 5375 * 5376 * @param [in] context Library context 5377 * @param [in,out] auth_context Pre-existing or newly created auth context 5378 * @param [in] fd File descriptor that describes network socket 5379 * @param [in] appl_version Application protocol version to be matched 5380 * with the receiver's application version 5381 * @param [in] client Client principal 5382 * @param [in] server Server principal 5383 * @param [in] ap_req_options Options (see AP_OPTS macros) 5384 * @param [in] in_data Data to be sent to the server 5385 * @param [in] in_creds Input credentials, or NULL to use @a ccache 5386 * @param [in] ccache Credential cache 5387 * @param [out] error If non-null, contains KRB_ERROR message 5388 * returned from server 5389 * @param [out] rep_result If non-null and @a ap_req_options is 5390 * #AP_OPTS_MUTUAL_REQUIRED, contains the result 5391 * of mutual authentication exchange 5392 * @param [out] out_creds If non-null, the retrieved credentials 5393 * 5394 * This function performs the client side of a sendauth/recvauth exchange by 5395 * sending and receiving messages over @a fd. 5396 * 5397 * Credentials may be specified in three ways: 5398 * 5399 * @li If @a in_creds is NULL, credentials are obtained with 5400 * krb5_get_credentials() using the principals @a client and @a server. @a 5401 * server must be non-null; @a client may NULL to use the default principal of 5402 * @a ccache. 5403 * 5404 * @li If @a in_creds is non-null, but does not contain a ticket, credentials 5405 * for the exchange are obtained with krb5_get_credentials() using @a in_creds. 5406 * In this case, the values of @a client and @a server are unused. 5407 * 5408 * @li If @a in_creds is a complete credentials structure, it used directly. 5409 * In this case, the values of @a client, @a server, and @a ccache are unused. 5410 * 5411 * If the server is using a different application protocol than that specified 5412 * in @a appl_version, an error will be returned. 5413 * 5414 * Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to 5415 * free @a rep_result, and krb5_free_error() to free @a error when they are no 5416 * longer needed. 5417 * 5418 * @sa krb5_recvauth() 5419 * 5420 * @retval 0 Success; otherwise - Kerberos error codes 5421 */ 5422 krb5_error_code KRB5_CALLCONV 5423 krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, 5424 krb5_pointer fd, char *appl_version, krb5_principal client, 5425 krb5_principal server, krb5_flags ap_req_options, 5426 krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, 5427 krb5_error **error, krb5_ap_rep_enc_part **rep_result, 5428 krb5_creds **out_creds); 5429 5430 /** 5431 * Server function for @a sendauth protocol. 5432 * 5433 * @param [in] context Library context 5434 * @param [in,out] auth_context Pre-existing or newly created auth context 5435 * @param [in] fd File descriptor 5436 * @param [in] appl_version Application protocol version to be matched 5437 * against the client's application version 5438 * @param [in] server Server principal (NULL for any in @a keytab) 5439 * @param [in] flags Additional specifications 5440 * @param [in] keytab Key table containing service keys 5441 * @param [out] ticket Ticket (NULL if not needed) 5442 * 5443 * This function performs the server side of a sendauth/recvauth exchange by 5444 * sending and receiving messages over @a fd. 5445 * 5446 * Use krb5_free_ticket() to free @a ticket when it is no longer needed. 5447 * 5448 * @sa krb5_sendauth() 5449 * 5450 * @retval 0 Success; otherwise - Kerberos error codes 5451 */ 5452 krb5_error_code KRB5_CALLCONV 5453 krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, 5454 krb5_pointer fd, char *appl_version, krb5_principal server, 5455 krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket); 5456 5457 /** 5458 * Server function for @a sendauth protocol with version parameter. 5459 * 5460 * @param [in] context Library context 5461 * @param [in,out] auth_context Pre-existing or newly created auth context 5462 * @param [in] fd File descriptor 5463 * @param [in] server Server principal (NULL for any in @a keytab) 5464 * @param [in] flags Additional specifications 5465 * @param [in] keytab Decryption key 5466 * @param [out] ticket Ticket (NULL if not needed) 5467 * @param [out] version sendauth protocol version (NULL if not needed) 5468 * 5469 * This function is similar to krb5_recvauth() with the additional output 5470 * information place into @a version. 5471 * 5472 * @retval 0 Success; otherwise - Kerberos error codes 5473 */ 5474 krb5_error_code KRB5_CALLCONV 5475 krb5_recvauth_version(krb5_context context, 5476 krb5_auth_context *auth_context, 5477 krb5_pointer fd, 5478 krb5_principal server, 5479 krb5_int32 flags, 5480 krb5_keytab keytab, 5481 krb5_ticket **ticket, 5482 krb5_data *version); 5483 5484 /** 5485 * Format a @c KRB-CRED message for an array of credentials. 5486 * 5487 * @param [in] context Library context 5488 * @param [in] auth_context Authentication context 5489 * @param [in] creds Null-terminated array of credentials 5490 * @param [out] der_out Encoded credentials 5491 * @param [out] rdata_out Replay cache information (NULL if not needed) 5492 * 5493 * This function takes an array of credentials @a creds and formats 5494 * a @c KRB-CRED message @a der_out to pass to krb5_rd_cred(). 5495 * 5496 * The local and remote addresses in @a auth_context are optional; if either is 5497 * specified, they are used to form the sender and receiver addresses in the 5498 * KRB-CRED message. 5499 * 5500 * @note The @a rdata_out argument is required if the 5501 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5502 * in @a auth_context. 5503 * 5504 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, an entry 5505 * for the message is entered in an in-memory replay cache to detect if the 5506 * message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not 5507 * set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a 5508 * auth_context, the timestamp used for the KRB-CRED message is stored in @a 5509 * rdata_out. 5510 * 5511 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5512 * is set, the @a auth_context local sequence number is included in the 5513 * KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE 5514 * is set, the sequence number used is stored in @a rdata_out. 5515 * 5516 * Use krb5_free_data_contents() to free @a der_out when it is no longer 5517 * needed. 5518 * 5519 * The message will be encrypted using the send subkey of @a auth_context if it 5520 * is present, or the session key otherwise. If neither key is present, the 5521 * credentials will not be encrypted, and the message should only be sent over 5522 * a secure channel. No replay cache entry is used in this case. 5523 * 5524 * @retval 5525 * 0 Success 5526 * @retval 5527 * ENOMEM Insufficient memory 5528 * @retval 5529 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter 5530 * @return 5531 * Kerberos error codes 5532 */ 5533 krb5_error_code KRB5_CALLCONV 5534 krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, 5535 krb5_creds **creds, krb5_data **der_out, 5536 krb5_replay_data *rdata_out); 5537 5538 /** 5539 * Format a @c KRB-CRED message for a single set of credentials. 5540 * 5541 * @param [in] context Library context 5542 * @param [in] auth_context Authentication context 5543 * @param [in] creds Pointer to credentials 5544 * @param [out] der_out Encoded credentials 5545 * @param [out] rdata_out Replay cache data (NULL if not needed) 5546 * 5547 * This is a convenience function that calls krb5_mk_ncred() with a single set 5548 * of credentials. 5549 * 5550 * @retval 5551 * 0 Success 5552 * @retval 5553 * ENOMEM Insufficient memory 5554 * @retval 5555 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter 5556 * @return 5557 * Kerberos error codes 5558 */ 5559 krb5_error_code KRB5_CALLCONV 5560 krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, 5561 krb5_creds *creds, krb5_data **der_out, 5562 krb5_replay_data *rdata_out); 5563 5564 /** 5565 * Read and validate a @c KRB-CRED message. 5566 * 5567 * @param [in] context Library context 5568 * @param [in] auth_context Authentication context 5569 * @param [in] creddata @c KRB-CRED message 5570 * @param [out] creds_out Null-terminated array of forwarded credentials 5571 * @param [out] rdata_out Replay data (NULL if not needed) 5572 * 5573 * @note The @a rdata_out argument is required if the 5574 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set 5575 * in @a auth_context.` 5576 * 5577 * @a creddata will be decrypted using the receiving subkey if it is present in 5578 * @a auth_context, or the session key if the receiving subkey is not present 5579 * or fails to decrypt the message. 5580 * 5581 * Use krb5_free_tgt_creds() to free @a creds_out when it is no longer needed. 5582 * 5583 * @retval 0 Success; otherwise - Kerberos error codes 5584 */ 5585 krb5_error_code KRB5_CALLCONV 5586 krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, 5587 krb5_data *creddata, krb5_creds ***creds_out, 5588 krb5_replay_data *rdata_out); 5589 5590 /** 5591 * Get a forwarded TGT and format a @c KRB-CRED message. 5592 * 5593 * @param [in] context Library context 5594 * @param [in] auth_context Authentication context 5595 * @param [in] rhost Remote host 5596 * @param [in] client Client principal of TGT 5597 * @param [in] server Principal of server to receive TGT 5598 * @param [in] cc Credential cache handle (NULL to use default) 5599 * @param [in] forwardable Whether TGT should be forwardable 5600 * @param [out] outbuf KRB-CRED message 5601 * 5602 * Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED 5603 * message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST, 5604 * the second component of @a server will be used. 5605 * 5606 * @retval 5607 * 0 Success 5608 * @retval 5609 * ENOMEM Insufficient memory 5610 * @retval 5611 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match 5612 * @retval 5613 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket 5614 * @retval 5615 * KRB5_CC_BADNAME Credential cache name or principal name malformed 5616 * @return 5617 * Kerberos error codes 5618 */ 5619 krb5_error_code KRB5_CALLCONV 5620 krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, 5621 const char *rhost, krb5_principal client, 5622 krb5_principal server, krb5_ccache cc, int forwardable, 5623 krb5_data *outbuf); 5624 5625 /** 5626 * Create and initialize an authentication context. 5627 * 5628 * @param [in] context Library context 5629 * @param [out] auth_context Authentication context 5630 * 5631 * This function creates an authentication context to hold configuration and 5632 * state relevant to krb5 functions for authenticating principals and 5633 * protecting messages once authentication has occurred. 5634 * 5635 * By default, flags for the context are set to enable the use of the replay 5636 * cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use 5637 * krb5_auth_con_setflags() to change the flags. 5638 * 5639 * The allocated @a auth_context must be freed with krb5_auth_con_free() when 5640 * it is no longer needed. 5641 * 5642 * @retval 0 Success; otherwise - Kerberos error codes 5643 */ 5644 krb5_error_code KRB5_CALLCONV 5645 krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context); 5646 5647 /** 5648 * Free a krb5_auth_context structure. 5649 * 5650 * @param [in] context Library context 5651 * @param [in] auth_context Authentication context to be freed 5652 * 5653 * This function frees an auth context allocated by krb5_auth_con_init(). 5654 * 5655 * @retval 0 (always) 5656 */ 5657 krb5_error_code KRB5_CALLCONV 5658 krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context); 5659 5660 /** 5661 * Set a flags field in a krb5_auth_context structure. 5662 * 5663 * @param [in] context Library context 5664 * @param [in] auth_context Authentication context 5665 * @param [in] flags Flags bit mask 5666 * 5667 * Valid values for @a flags are: 5668 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps 5669 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps 5670 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers 5671 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers 5672 * 5673 * @retval 0 (always) 5674 */ 5675 krb5_error_code KRB5_CALLCONV 5676 krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags); 5677 5678 /** 5679 * Retrieve flags from a krb5_auth_context structure. 5680 * 5681 * @param [in] context Library context 5682 * @param [in] auth_context Authentication context 5683 * @param [out] flags Flags bit mask 5684 * 5685 * Valid values for @a flags are: 5686 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps 5687 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps 5688 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers 5689 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers 5690 * 5691 * @retval 0 (always) 5692 */ 5693 krb5_error_code KRB5_CALLCONV 5694 krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, 5695 krb5_int32 *flags); 5696 5697 /** 5698 * Set a checksum callback in an auth context. 5699 * 5700 * @param [in] context Library context 5701 * @param [in] auth_context Authentication context 5702 * @param [in] func Checksum callback 5703 * @param [in] data Callback argument 5704 * 5705 * Set a callback to obtain checksum data in krb5_mk_req(). The callback will 5706 * be invoked after the subkey and local sequence number are stored in @a 5707 * auth_context. 5708 * 5709 * @retval 0 (always) 5710 */ 5711 krb5_error_code KRB5_CALLCONV 5712 krb5_auth_con_set_checksum_func( krb5_context context, 5713 krb5_auth_context auth_context, 5714 krb5_mk_req_checksum_func func, 5715 void *data); 5716 5717 /** 5718 * Get the checksum callback from an auth context. 5719 * 5720 * @param [in] context Library context 5721 * @param [in] auth_context Authentication context 5722 * @param [out] func Checksum callback 5723 * @param [out] data Callback argument 5724 * 5725 * @retval 0 (always) 5726 */ 5727 krb5_error_code KRB5_CALLCONV 5728 krb5_auth_con_get_checksum_func( krb5_context context, 5729 krb5_auth_context auth_context, 5730 krb5_mk_req_checksum_func *func, 5731 void **data); 5732 5733 /** 5734 * Set the local and remote addresses in an auth context. 5735 * 5736 * @param [in] context Library context 5737 * @param [in] auth_context Authentication context 5738 * @param [in] local_addr Local address 5739 * @param [in] remote_addr Remote address 5740 * 5741 * This function releases the storage assigned to the contents of the local and 5742 * remote addresses of @a auth_context and then sets them to @a local_addr and 5743 * @a remote_addr respectively. 5744 * 5745 * @sa krb5_auth_con_genaddrs() 5746 * 5747 * @retval 0 Success; otherwise - Kerberos error codes 5748 */ 5749 krb5_error_code KRB5_CALLCONV_WRONG 5750 krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, 5751 krb5_address *local_addr, krb5_address *remote_addr); 5752 5753 /** 5754 * Retrieve address fields from an auth context. 5755 * 5756 * @param [in] context Library context 5757 * @param [in] auth_context Authentication context 5758 * @param [out] local_addr Local address (NULL if not needed) 5759 * @param [out] remote_addr Remote address (NULL if not needed) 5760 * 5761 * @retval 0 Success; otherwise - Kerberos error codes 5762 */ 5763 krb5_error_code KRB5_CALLCONV 5764 krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, 5765 krb5_address **local_addr, krb5_address **remote_addr); 5766 5767 /** 5768 * Set local and remote port fields in an auth context. 5769 * 5770 * @param [in] context Library context 5771 * @param [in] auth_context Authentication context 5772 * @param [in] local_port Local port 5773 * @param [in] remote_port Remote port 5774 * 5775 * This function releases the storage assigned to the contents of the local and 5776 * remote ports of @a auth_context and then sets them to @a local_port and @a 5777 * remote_port respectively. 5778 * 5779 * @sa krb5_auth_con_genaddrs() 5780 * 5781 * @retval 0 Success; otherwise - Kerberos error codes 5782 */ 5783 krb5_error_code KRB5_CALLCONV 5784 krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, 5785 krb5_address *local_port, krb5_address *remote_port); 5786 5787 /** 5788 * Set the session key in an auth context. 5789 * 5790 * @param [in] context Library context 5791 * @param [in] auth_context Authentication context 5792 * @param [in] keyblock User key 5793 * 5794 * @retval 0 Success; otherwise - Kerberos error codes 5795 */ 5796 krb5_error_code KRB5_CALLCONV 5797 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, 5798 krb5_keyblock *keyblock); 5799 5800 /** 5801 * Retrieve the session key from an auth context as a keyblock. 5802 * 5803 * @param [in] context Library context 5804 * @param [in] auth_context Authentication context 5805 * @param [out] keyblock Session key 5806 * 5807 * This function creates a keyblock containing the session key from @a 5808 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5809 * longer needed 5810 * 5811 * @retval 0 Success. Otherwise - Kerberos error codes 5812 */ 5813 krb5_error_code KRB5_CALLCONV 5814 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, 5815 krb5_keyblock **keyblock); 5816 5817 /** 5818 * Retrieve the session key from an auth context. 5819 * 5820 * @param [in] context Library context 5821 * @param [in] auth_context Authentication context 5822 * @param [out] key Session key 5823 * 5824 * This function sets @a key to the session key from @a auth_context. Use 5825 * krb5_k_free_key() to release @a key when it is no longer needed. 5826 * 5827 * @retval 0 (always) 5828 */ 5829 krb5_error_code KRB5_CALLCONV 5830 krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, 5831 krb5_key *key); 5832 5833 /** 5834 * Retrieve the send subkey from an auth context as a keyblock. 5835 * 5836 * @param [in] ctx Library context 5837 * @param [in] ac Authentication context 5838 * @param [out] keyblock Send subkey 5839 * 5840 * This function creates a keyblock containing the send subkey from @a 5841 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5842 * longer needed. 5843 * 5844 * @retval 0 Success; otherwise - Kerberos error codes 5845 */ 5846 krb5_error_code KRB5_CALLCONV 5847 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); 5848 5849 /** 5850 * Retrieve the send subkey from an auth context. 5851 * 5852 * @param [in] ctx Library context 5853 * @param [in] ac Authentication context 5854 * @param [out] key Send subkey 5855 * 5856 * This function sets @a key to the send subkey from @a auth_context. Use 5857 * krb5_k_free_key() to release @a key when it is no longer needed. 5858 * 5859 * @retval 0 Success; otherwise - Kerberos error codes 5860 */ 5861 krb5_error_code KRB5_CALLCONV 5862 krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, 5863 krb5_key *key); 5864 5865 /** 5866 * Retrieve the receiving subkey from an auth context as a keyblock. 5867 * 5868 * @param [in] ctx Library context 5869 * @param [in] ac Authentication context 5870 * @param [out] keyblock Receiving subkey 5871 * 5872 * This function creates a keyblock containing the receiving subkey from @a 5873 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no 5874 * longer needed. 5875 * 5876 * @retval 0 Success; otherwise - Kerberos error codes 5877 */ 5878 krb5_error_code KRB5_CALLCONV 5879 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); 5880 5881 /** 5882 * Retrieve the receiving subkey from an auth context as a keyblock. 5883 * 5884 * @param [in] ctx Library context 5885 * @param [in] ac Authentication context 5886 * @param [out] key Receiving subkey 5887 * 5888 * This function sets @a key to the receiving subkey from @a auth_context. Use 5889 * krb5_k_free_key() to release @a key when it is no longer needed. 5890 * 5891 * @retval 0 Success; otherwise - Kerberos error codes 5892 */ 5893 krb5_error_code KRB5_CALLCONV 5894 krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key); 5895 5896 /** 5897 * Set the send subkey in an auth context with a keyblock. 5898 * 5899 * @param [in] ctx Library context 5900 * @param [in] ac Authentication context 5901 * @param [in] keyblock Send subkey 5902 * 5903 * This function sets the send subkey in @a ac to a copy of @a keyblock. 5904 * 5905 * @retval 0 Success. Otherwise - Kerberos error codes 5906 */ 5907 krb5_error_code KRB5_CALLCONV 5908 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, 5909 krb5_keyblock *keyblock); 5910 5911 /** 5912 * Set the send subkey in an auth context. 5913 * 5914 * @param [in] ctx Library context 5915 * @param [in] ac Authentication context 5916 * @param [out] key Send subkey 5917 * 5918 * This function sets the send subkey in @a ac to @a key, incrementing its 5919 * reference count. 5920 * 5921 * @version New in 1.9 5922 * 5923 * @retval 0 Success; otherwise - Kerberos error codes 5924 */ 5925 krb5_error_code KRB5_CALLCONV 5926 krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key); 5927 5928 /** 5929 * Set the receiving subkey in an auth context with a keyblock. 5930 * 5931 * @param [in] ctx Library context 5932 * @param [in] ac Authentication context 5933 * @param [in] keyblock Receiving subkey 5934 * 5935 * This function sets the receiving subkey in @a ac to a copy of @a keyblock. 5936 * 5937 * @retval 0 Success; otherwise - Kerberos error codes 5938 */ 5939 krb5_error_code KRB5_CALLCONV 5940 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, 5941 krb5_keyblock *keyblock); 5942 5943 /** 5944 * Set the receiving subkey in an auth context. 5945 * 5946 * @param [in] ctx Library context 5947 * @param [in] ac Authentication context 5948 * @param [in] key Receiving subkey 5949 * 5950 * This function sets the receiving subkey in @a ac to @a key, incrementing its 5951 * reference count. 5952 * 5953 * @version New in 1.9 5954 * 5955 * @retval 0 Success; otherwise - Kerberos error codes 5956 */ 5957 krb5_error_code KRB5_CALLCONV 5958 krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, 5959 krb5_key key); 5960 5961 #if KRB5_DEPRECATED 5962 /** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */ 5963 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5964 krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, 5965 krb5_keyblock **keyblock); 5966 5967 /** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */ 5968 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV 5969 krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, 5970 krb5_keyblock **keyblock); 5971 #endif 5972 5973 /** 5974 * Retrieve the local sequence number from an auth context. 5975 * 5976 * @param [in] context Library context 5977 * @param [in] auth_context Authentication context 5978 * @param [out] seqnumber Local sequence number 5979 * 5980 * Retrieve the local sequence number from @a auth_context and return it in @a 5981 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a 5982 * auth_context for this function to be useful. 5983 * 5984 * @retval 0 Success; otherwise - Kerberos error codes 5985 */ 5986 krb5_error_code KRB5_CALLCONV 5987 krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, 5988 krb5_int32 *seqnumber); 5989 5990 /** 5991 * Retrieve the remote sequence number from an auth context. 5992 * 5993 * @param [in] context Library context 5994 * @param [in] auth_context Authentication context 5995 * @param [out] seqnumber Remote sequence number 5996 * 5997 * Retrieve the remote sequence number from @a auth_context and return it in @a 5998 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a 5999 * auth_context for this function to be useful. 6000 * 6001 * @retval 0 Success; otherwise - Kerberos error codes 6002 */ 6003 krb5_error_code KRB5_CALLCONV 6004 krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, 6005 krb5_int32 *seqnumber); 6006 6007 /** 6008 * Cause an auth context to use cipher state. 6009 * 6010 * @param [in] context Library context 6011 * @param [in] auth_context Authentication context 6012 * 6013 * Prepare @a auth_context to use cipher state when krb5_mk_priv() or 6014 * krb5_rd_priv() encrypt or decrypt data. 6015 * 6016 * @retval 0 Success; otherwise - Kerberos error codes 6017 */ 6018 krb5_error_code KRB5_CALLCONV 6019 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context); 6020 6021 /** 6022 * Set the replay cache in an auth context. 6023 * 6024 * @param [in] context Library context 6025 * @param [in] auth_context Authentication context 6026 * @param [in] rcache Replay cache haddle 6027 * 6028 * This function sets the replay cache in @a auth_context to @a rcache. @a 6029 * rcache will be closed when @a auth_context is freed, so the caller should 6030 * relinquish that responsibility. 6031 * 6032 * @retval 0 Success; otherwise - Kerberos error codes 6033 */ 6034 krb5_error_code KRB5_CALLCONV 6035 krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, 6036 krb5_rcache rcache); 6037 6038 /** 6039 * Retrieve the replay cache from an auth context. 6040 * 6041 * @param [in] context Library context 6042 * @param [in] auth_context Authentication context 6043 * @param [out] rcache Replay cache handle 6044 * 6045 * This function fetches the replay cache from @a auth_context. The caller 6046 * should not close @a rcache. 6047 * 6048 * @retval 0 (always) 6049 */ 6050 krb5_error_code KRB5_CALLCONV_WRONG 6051 krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, 6052 krb5_rcache *rcache); 6053 6054 /** 6055 * Retrieve the authenticator from an auth context. 6056 * 6057 * @param [in] context Library context 6058 * @param [in] auth_context Authentication context 6059 * @param [out] authenticator Authenticator 6060 * 6061 * Use krb5_free_authenticator() to free @a authenticator when it is no longer 6062 * needed. 6063 * 6064 * @retval 0 Success. Otherwise - Kerberos error codes 6065 */ 6066 krb5_error_code KRB5_CALLCONV 6067 krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, 6068 krb5_authenticator **authenticator); 6069 6070 /** 6071 * Set checksum type in an an auth context. 6072 * 6073 * @param [in] context Library context 6074 * @param [in] auth_context Authentication context 6075 * @param [in] cksumtype Checksum type 6076 * 6077 * This function sets the checksum type in @a auth_context to be used by 6078 * krb5_mk_req() for the authenticator checksum. 6079 * 6080 * @retval 0 Success. Otherwise - Kerberos error codes 6081 */ 6082 krb5_error_code KRB5_CALLCONV 6083 krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, 6084 krb5_cksumtype cksumtype); 6085 6086 #define KRB5_REALM_BRANCH_CHAR '.' 6087 6088 /* 6089 * end "func-proto.h" 6090 */ 6091 6092 /* 6093 * begin stuff from libos.h 6094 */ 6095 6096 /** 6097 * @brief Read a password from keyboard input. 6098 * 6099 * @param [in] context Library context 6100 * @param [in] prompt First user prompt when reading password 6101 * @param [in] prompt2 Second user prompt (NULL to prompt only once) 6102 * @param [out] return_pwd Returned password 6103 * @param [in,out] size_return On input, maximum size of password; on output, 6104 * size of password read 6105 * 6106 * This function reads a password from keyboard input and stores it in @a 6107 * return_pwd. @a size_return should be set by the caller to the amount of 6108 * storage space available in @a return_pwd; on successful return, it will be 6109 * set to the length of the password read. 6110 * 6111 * @a prompt is printed to the terminal, followed by ": ", and then a password 6112 * is read from the keyboard. 6113 * 6114 * If @a prompt2 is NULL, the password is read only once. Otherwise, @a 6115 * prompt2 is printed to the terminal and a second password is read. If the 6116 * two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned. 6117 * 6118 * Echoing is turned off when the password is read. 6119 * 6120 * @retval 6121 * 0 Success 6122 * @return 6123 * Error in reading or verifying the password 6124 * @return 6125 * Kerberos error codes 6126 */ 6127 krb5_error_code KRB5_CALLCONV 6128 krb5_read_password(krb5_context context, 6129 const char *prompt, const char *prompt2, 6130 char *return_pwd, unsigned int *size_return); 6131 6132 /** 6133 * Convert a principal name to a local name. 6134 * 6135 * @param [in] context Library context 6136 * @param [in] aname Principal name 6137 * @param [in] lnsize_in Space available in @a lname 6138 * @param [out] lname Local name buffer to be filled in 6139 * 6140 * If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is 6141 * returned. If @a lnsize_in is too small for the local name, 6142 * KRB5_CONFIG_NOTENUFSPACE is returned. 6143 * 6144 * Local names, rather than principal names, can be used by programs that 6145 * translate to an environment-specific name (for example, a user account 6146 * name). 6147 * 6148 * @retval 6149 * 0 Success 6150 * @retval 6151 * System errors 6152 * @return 6153 * Kerberos error codes 6154 */ 6155 krb5_error_code KRB5_CALLCONV 6156 krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, 6157 int lnsize_in, char *lname); 6158 6159 /** 6160 * Get the Kerberos realm names for a host. 6161 * 6162 * @param [in] context Library context 6163 * @param [in] host Host name (or NULL) 6164 * @param [out] realmsp Null-terminated list of realm names 6165 * 6166 * Fill in @a realmsp with a pointer to a null-terminated list of realm names. 6167 * If there are no known realms for the host, a list containing the referral 6168 * (empty) realm is returned. 6169 * 6170 * If @a host is NULL, the local host's realms are determined. 6171 * 6172 * Use krb5_free_host_realm() to release @a realmsp when it is no longer 6173 * needed. 6174 * 6175 * @retval 6176 * 0 Success 6177 * @retval 6178 * ENOMEM Insufficient memory 6179 * @return 6180 * Kerberos error codes 6181 */ 6182 krb5_error_code KRB5_CALLCONV 6183 krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp); 6184 6185 /** 6186 * 6187 * @param [in] context Library context 6188 * @param [in] hdata Host name (or NULL) 6189 * @param [out] realmsp Null-terminated list of realm names 6190 * 6191 * Fill in @a realmsp with a pointer to a null-terminated list of realm names 6192 * obtained through heuristics or insecure resolution methods which have lower 6193 * priority than KDC referrals. 6194 * 6195 * If @a host is NULL, the local host's realms are determined. 6196 * 6197 * Use krb5_free_host_realm() to release @a realmsp when it is no longer 6198 * needed. 6199 */ 6200 krb5_error_code KRB5_CALLCONV 6201 krb5_get_fallback_host_realm(krb5_context context, 6202 krb5_data *hdata, char ***realmsp); 6203 6204 /** 6205 * Free the memory allocated by krb5_get_host_realm(). 6206 * 6207 * @param [in] context Library context 6208 * @param [in] realmlist List of realm names to be released 6209 * 6210 * @retval 6211 * 0 Success 6212 * @return 6213 * Kerberos error codes 6214 */ 6215 krb5_error_code KRB5_CALLCONV 6216 krb5_free_host_realm(krb5_context context, char *const *realmlist); 6217 6218 /** 6219 * Determine if a principal is authorized to log in as a local user. 6220 * 6221 * @param [in] context Library context 6222 * @param [in] principal Principal name 6223 * @param [in] luser Local username 6224 * 6225 * Determine whether @a principal is authorized to log in as a local user @a 6226 * luser. 6227 * 6228 * @retval 6229 * TRUE Principal is authorized to log in as user; FALSE otherwise. 6230 */ 6231 krb5_boolean KRB5_CALLCONV 6232 krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser); 6233 6234 /** 6235 * Generate auth context addresses from a connected socket. 6236 * 6237 * @param [in] context Library context 6238 * @param [in] auth_context Authentication context 6239 * @param [in] infd Connected socket descriptor 6240 * @param [in] flags Flags 6241 * 6242 * This function sets the local and/or remote addresses in @a auth_context 6243 * based on the local and remote endpoints of the socket @a infd. The 6244 * following flags determine the operations performed: 6245 * 6246 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address. 6247 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address. 6248 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port. 6249 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port. 6250 * 6251 * @retval 0 Success; otherwise - Kerberos error codes 6252 */ 6253 krb5_error_code KRB5_CALLCONV 6254 krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, 6255 int infd, int flags); 6256 6257 /** 6258 * Set time offset field in a krb5_context structure. 6259 * 6260 * @param [in] context Library context 6261 * @param [in] seconds Real time, seconds portion 6262 * @param [in] microseconds Real time, microseconds portion 6263 * 6264 * This function sets the time offset in @a context to the difference between 6265 * the system time and the real time as determined by @a seconds and @a 6266 * microseconds. 6267 * 6268 * @retval 0 Success; otherwise - Kerberos error codes 6269 */ 6270 krb5_error_code KRB5_CALLCONV 6271 krb5_set_real_time(krb5_context context, krb5_timestamp seconds, 6272 krb5_int32 microseconds); 6273 6274 /** 6275 * Return the time offsets from the os context. 6276 * 6277 * @param [in] context Library context 6278 * @param [out] seconds Time offset, seconds portion 6279 * @param [out] microseconds Time offset, microseconds portion 6280 * 6281 * This function returns the time offsets in @a context. 6282 * 6283 * @retval 0 Success; otherwise - Kerberos error codes 6284 */ 6285 krb5_error_code KRB5_CALLCONV 6286 krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds); 6287 6288 /* str_conv.c */ 6289 /** 6290 * Convert a string to an encryption type. 6291 * 6292 * @param [in] string String to convert to an encryption type 6293 * @param [out] enctypep Encryption type 6294 * 6295 * @retval 0 Success; otherwise - EINVAL 6296 */ 6297 krb5_error_code KRB5_CALLCONV 6298 krb5_string_to_enctype(char *string, krb5_enctype *enctypep); 6299 6300 /** 6301 * Convert a string to a salt type. 6302 * 6303 * @param [in] string String to convert to an encryption type 6304 * @param [out] salttypep Salt type to be filled in 6305 * 6306 * @retval 0 Success; otherwise - EINVAL 6307 */ 6308 krb5_error_code KRB5_CALLCONV 6309 krb5_string_to_salttype(char *string, krb5_int32 *salttypep); 6310 6311 /** 6312 * Convert a string to a checksum type. 6313 * 6314 * @param [in] string String to be converted 6315 * @param [out] cksumtypep Checksum type to be filled in 6316 * 6317 * @retval 0 Success; otherwise - EINVAL 6318 */ 6319 krb5_error_code KRB5_CALLCONV 6320 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep); 6321 6322 /** 6323 * Convert a string to a timestamp. 6324 * 6325 * @param [in] string String to be converted 6326 * @param [out] timestampp Pointer to timestamp 6327 * 6328 * @retval 0 Success; otherwise - EINVAL 6329 */ 6330 krb5_error_code KRB5_CALLCONV 6331 krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp); 6332 6333 /** 6334 * Convert a string to a delta time value. 6335 * 6336 * @param [in] string String to be converted 6337 * @param [out] deltatp Delta time to be filled in 6338 * 6339 * @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT 6340 */ 6341 krb5_error_code KRB5_CALLCONV 6342 krb5_string_to_deltat(char *string, krb5_deltat *deltatp); 6343 6344 /** 6345 * Convert an encryption type to a string. 6346 * 6347 * @param [in] enctype Encryption type 6348 * @param [out] buffer Buffer to hold encryption type string 6349 * @param [in] buflen Storage available in @a buffer 6350 * 6351 * @retval 0 Success; otherwise - Kerberos error codes 6352 */ 6353 krb5_error_code KRB5_CALLCONV 6354 krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen); 6355 6356 /** 6357 * Convert an encryption type to a name or alias. 6358 * 6359 * @param [in] enctype Encryption type 6360 * @param [in] shortest Flag 6361 * @param [out] buffer Buffer to hold encryption type string 6362 * @param [in] buflen Storage available in @a buffer 6363 * 6364 * If @a shortest is FALSE, this function returns the enctype's canonical name 6365 * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the 6366 * enctype's shortest alias (like "aes128-cts"). 6367 * 6368 * @version New in 1.9 6369 * 6370 * @retval 0 Success; otherwise - Kerberos error codes 6371 */ 6372 krb5_error_code KRB5_CALLCONV 6373 krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, 6374 char *buffer, size_t buflen); 6375 6376 /** 6377 * Convert a salt type to a string. 6378 * 6379 * @param [in] salttype Salttype to convert 6380 * @param [out] buffer Buffer to receive the converted string 6381 * @param [in] buflen Storage available in @a buffer 6382 * 6383 * @retval 0 Success; otherwise - Kerberos error codes 6384 */ 6385 krb5_error_code KRB5_CALLCONV 6386 krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen); 6387 6388 /** 6389 * Convert a checksum type to a string. 6390 * 6391 * @param [in] cksumtype Checksum type 6392 * @param [out] buffer Buffer to hold converted checksum type 6393 * @param [in] buflen Storage available in @a buffer 6394 * 6395 * @retval 0 Success; otherwise - Kerberos error codes 6396 */ 6397 krb5_error_code KRB5_CALLCONV 6398 krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen); 6399 6400 /** 6401 * Convert a timestamp to a string. 6402 * 6403 * @param [in] timestamp Timestamp to convert 6404 * @param [out] buffer Buffer to hold converted timestamp 6405 * @param [in] buflen Storage available in @a buffer 6406 * 6407 * The string is returned in the locale's appropriate date and time 6408 * representation. 6409 * 6410 * @retval 0 Success; otherwise - Kerberos error codes 6411 */ 6412 krb5_error_code KRB5_CALLCONV 6413 krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen); 6414 6415 /** 6416 * Convert a timestamp to a string, with optional output padding 6417 * 6418 * @param [in] timestamp Timestamp to convert 6419 * @param [out] buffer Buffer to hold the converted timestamp 6420 * @param [in] buflen Length of buffer 6421 * @param [in] pad Optional value to pad @a buffer if converted 6422 * timestamp does not fill it 6423 * 6424 * If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters 6425 * with the value of *@a pad. 6426 * 6427 * @retval 0 Success; otherwise - Kerberos error codes 6428 */ 6429 krb5_error_code KRB5_CALLCONV 6430 krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, 6431 size_t buflen, char *pad); 6432 6433 /** 6434 * Convert a relative time value to a string. 6435 * 6436 * @param [in] deltat Relative time value to convert 6437 * @param [out] buffer Buffer to hold time string 6438 * @param [in] buflen Storage available in @a buffer 6439 * 6440 * @retval 0 Success; otherwise - Kerberos error codes 6441 */ 6442 krb5_error_code KRB5_CALLCONV 6443 krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen); 6444 6445 /* The name of the Kerberos ticket granting service... and its size */ 6446 #define KRB5_TGS_NAME "krbtgt" 6447 #define KRB5_TGS_NAME_SIZE 6 6448 6449 /* flags for recvauth */ 6450 #define KRB5_RECVAUTH_SKIP_VERSION 0x0001 6451 #define KRB5_RECVAUTH_BADAUTHVERS 0x0002 6452 /* initial ticket api functions */ 6453 6454 /** Text for prompt used in prompter callback function. */ 6455 typedef struct _krb5_prompt { 6456 char *prompt; /**< The prompt to show to the user */ 6457 int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */ 6458 krb5_data *reply; /**< Must be allocated before call to prompt routine */ 6459 } krb5_prompt; 6460 6461 /** Pointer to a prompter callback function. */ 6462 typedef krb5_error_code 6463 (KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, void *data, 6464 const char *name, const char *banner, 6465 int num_prompts, krb5_prompt prompts[]); 6466 6467 /** 6468 * Prompt user for password. 6469 * 6470 * @param [in] context Library context 6471 * @param data Unused (callback argument) 6472 * @param [in] name Name to output during prompt 6473 * @param [in] banner Banner to output during prompt 6474 * @param [in] num_prompts Number of prompts in @a prompts 6475 * @param [in] prompts Array of prompts and replies 6476 * 6477 * This function is intended to be used as a prompter callback for 6478 * krb5_get_init_creds_password() or krb5_init_creds_init(). 6479 * 6480 * Writes @a name and @a banner to stdout, each followed by a newline, then 6481 * writes each prompt field in the @a prompts array, followed by ": ", and sets 6482 * the reply field of the entry to a line of input read from stdin. If the 6483 * hidden flag is set for a prompt, then terminal echoing is turned off when 6484 * input is read. 6485 * 6486 * @retval 6487 * 0 Success 6488 * @return 6489 * Kerberos error codes 6490 * 6491 */ 6492 krb5_error_code KRB5_CALLCONV 6493 krb5_prompter_posix(krb5_context context, void *data, const char *name, 6494 const char *banner, int num_prompts, 6495 krb5_prompt prompts[]); 6496 6497 /** 6498 * Long-term password responder question 6499 * 6500 * This question is asked when the long-term password is needed. It has no 6501 * challenge and the response is simply the password string. 6502 * 6503 * @version New in 1.11 6504 */ 6505 #define KRB5_RESPONDER_QUESTION_PASSWORD "password" 6506 6507 /** 6508 * OTP responder question 6509 * 6510 * The OTP responder question is asked when the KDC indicates that an OTP 6511 * value is required in order to complete the authentication. The JSON format 6512 * of the challenge is: 6513 * 6514 * { 6515 * "service": <string (optional)>, 6516 * "tokenInfo": [ 6517 * { 6518 * "flags": <number>, 6519 * "vendor": <string (optional)>, 6520 * "challenge": <string (optional)>, 6521 * "length": <number (optional)>, 6522 * "format": <number (optional)>, 6523 * "tokenID": <string (optional)>, 6524 * "algID": <string (optional)>, 6525 * }, 6526 * ... 6527 * ] 6528 * } 6529 * 6530 * The answer to the question MUST be JSON formatted: 6531 * 6532 * { 6533 * "tokeninfo": <number>, 6534 * "value": <string (optional)>, 6535 * "pin": <string (optional)>, 6536 * } 6537 * 6538 * For more detail, please see RFC 6560. 6539 * 6540 * @version New in 1.11 6541 */ 6542 #define KRB5_RESPONDER_QUESTION_OTP "otp" 6543 6544 /** 6545 * These format constants identify the format of the token value. 6546 */ 6547 #define KRB5_RESPONDER_OTP_FORMAT_DECIMAL 0 6548 #define KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL 1 6549 #define KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC 2 6550 6551 /** 6552 * This flag indicates that the token value MUST be collected. 6553 */ 6554 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN 0x0001 6555 6556 /** 6557 * This flag indicates that the PIN value MUST be collected. 6558 */ 6559 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN 0x0002 6560 6561 /** 6562 * This flag indicates that the token is now in re-synchronization mode with 6563 * the server. The user is expected to reply with the next code displayed on 6564 * the token. 6565 */ 6566 #define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP 0x0004 6567 6568 /** 6569 * This flag indicates that the PIN MUST be returned as a separate item. This 6570 * flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If 6571 * this flag is not set, the responder may either concatenate PIN + token value 6572 * and store it as "value" in the answer or it may return them separately. If 6573 * they are returned separately, they will be concatenated internally. 6574 */ 6575 #define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008 6576 6577 /** 6578 * PKINIT responder question 6579 * 6580 * The PKINIT responder question is asked when the client needs a password 6581 * that's being used to protect key information, and is formatted as a JSON 6582 * object. A specific identity's flags value, if not zero, is the bitwise-OR 6583 * of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined 6584 * below, and possibly other flags to be added later. Any resemblance to 6585 * similarly-named CKF_* values in the PKCS#11 API should not be depended on. 6586 * 6587 * { 6588 * identity <string> : flags <number>, 6589 * ... 6590 * } 6591 * 6592 * The answer to the question MUST be JSON formatted: 6593 * 6594 * { 6595 * identity <string> : password <string>, 6596 * ... 6597 * } 6598 * 6599 * @version New in 1.12 6600 */ 6601 #define KRB5_RESPONDER_QUESTION_PKINIT "pkinit" 6602 6603 /** 6604 * This flag indicates that an incorrect PIN was supplied at least once since 6605 * the last time the correct PIN was supplied. 6606 */ 6607 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0) 6608 6609 /** 6610 * This flag indicates that supplying an incorrect PIN will cause the token to 6611 * lock itself. 6612 */ 6613 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1) 6614 6615 /** 6616 * This flag indicates that the user PIN is locked, and you can't log in to the 6617 * token with it. 6618 */ 6619 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2) 6620 6621 /** 6622 * A container for a set of preauthentication questions and answers 6623 * 6624 * A responder context is supplied by the krb5 authentication system to a 6625 * krb5_responder_fn callback. It contains a list of questions and can receive 6626 * answers. Questions contained in a responder context can be listed using 6627 * krb5_responder_list_questions(), retrieved using 6628 * krb5_responder_get_challenge(), or answered using 6629 * krb5_responder_set_answer(). The form of a question's challenge and answer 6630 * depend on the question name. 6631 * 6632 * @version New in 1.11 6633 */ 6634 typedef struct krb5_responder_context_st *krb5_responder_context; 6635 6636 /** 6637 * List the question names contained in the responder context. 6638 * 6639 * @param [in] ctx Library context 6640 * @param [in] rctx Responder context 6641 * 6642 * Return a pointer to a null-terminated list of question names which are 6643 * present in @a rctx. The pointer is an alias, valid only as long as the 6644 * lifetime of @a rctx, and should not be modified or freed by the caller. A 6645 * question's challenge can be retrieved using krb5_responder_get_challenge() 6646 * and answered using krb5_responder_set_answer(). 6647 * 6648 * @version New in 1.11 6649 */ 6650 const char * const * KRB5_CALLCONV 6651 krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx); 6652 6653 /** 6654 * Retrieve the challenge data for a given question in the responder context. 6655 * 6656 * @param [in] ctx Library context 6657 * @param [in] rctx Responder context 6658 * @param [in] question Question name 6659 * 6660 * Return a pointer to a C string containing the challenge for @a question 6661 * within @a rctx, or NULL if the question is not present in @a rctx. The 6662 * structure of the question depends on the question name, but will always be 6663 * printable UTF-8 text. The returned pointer is an alias, valid only as long 6664 * as the lifetime of @a rctx, and should not be modified or freed by the 6665 * caller. 6666 * 6667 * @version New in 1.11 6668 */ 6669 const char * KRB5_CALLCONV 6670 krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, 6671 const char *question); 6672 6673 /** 6674 * Answer a named question in the responder context. 6675 * 6676 * @param [in] ctx Library context 6677 * @param [in] rctx Responder context 6678 * @param [in] question Question name 6679 * @param [in] answer The string to set (MUST be printable UTF-8) 6680 * 6681 * This function supplies an answer to @a question within @a rctx. The 6682 * appropriate form of the answer depends on the question name. 6683 * 6684 * @retval EINVAL @a question is not present within @a rctx 6685 * 6686 * @version New in 1.11 6687 */ 6688 krb5_error_code KRB5_CALLCONV 6689 krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, 6690 const char *question, const char *answer); 6691 6692 /** 6693 * Responder function for an initial credential exchange. 6694 * 6695 * @param [in] ctx Library context 6696 * @param [in] data Callback data 6697 * @param [in] rctx Responder context 6698 * 6699 * A responder function is like a prompter function, but is used for handling 6700 * questions and answers as potentially complex data types. Client 6701 * preauthentication modules will insert a set of named "questions" into 6702 * the responder context. Each question may optionally contain a challenge. 6703 * This challenge is printable UTF-8, but may be an encoded value. The 6704 * precise encoding and contents of the challenge are specific to the question 6705 * asked. When the responder is called, it should answer all the questions it 6706 * understands. Like the challenge, the answer MUST be printable UTF-8, but 6707 * may contain structured/encoded data formatted to the expected answer format 6708 * of the question. 6709 * 6710 * If a required question is unanswered, the prompter may be called. 6711 */ 6712 typedef krb5_error_code 6713 (KRB5_CALLCONV *krb5_responder_fn)(krb5_context ctx, void *data, 6714 krb5_responder_context rctx); 6715 6716 typedef struct _krb5_responder_otp_tokeninfo { 6717 krb5_flags flags; 6718 krb5_int32 format; /* -1 when not specified. */ 6719 krb5_int32 length; /* -1 when not specified. */ 6720 char *vendor; 6721 char *challenge; 6722 char *token_id; 6723 char *alg_id; 6724 } krb5_responder_otp_tokeninfo; 6725 6726 typedef struct _krb5_responder_otp_challenge { 6727 char *service; 6728 krb5_responder_otp_tokeninfo **tokeninfo; 6729 } krb5_responder_otp_challenge; 6730 6731 /** 6732 * Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. 6733 * 6734 * A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP 6735 * question challenge data, making it available in native C. The main feature 6736 * of this function is the ability to interact with OTP tokens without parsing 6737 * the JSON. 6738 * 6739 * The returned value must be passed to krb5_responder_otp_challenge_free() to 6740 * be freed. 6741 * 6742 * @param [in] ctx Library context 6743 * @param [in] rctx Responder context 6744 * @param [out] chl Challenge structure 6745 * 6746 * @version New in 1.11 6747 */ 6748 krb5_error_code KRB5_CALLCONV 6749 krb5_responder_otp_get_challenge(krb5_context ctx, 6750 krb5_responder_context rctx, 6751 krb5_responder_otp_challenge **chl); 6752 6753 /** 6754 * Answer the KRB5_RESPONDER_QUESTION_OTP question. 6755 * 6756 * @param [in] ctx Library context 6757 * @param [in] rctx Responder context 6758 * @param [in] ti The index of the tokeninfo selected 6759 * @param [in] value The value to set, or NULL for none 6760 * @param [in] pin The pin to set, or NULL for none 6761 * 6762 * @version New in 1.11 6763 */ 6764 krb5_error_code KRB5_CALLCONV 6765 krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, 6766 size_t ti, const char *value, const char *pin); 6767 6768 /** 6769 * Free the value returned by krb5_responder_otp_get_challenge(). 6770 * 6771 * @param [in] ctx Library context 6772 * @param [in] rctx Responder context 6773 * @param [in] chl The challenge to free 6774 * 6775 * @version New in 1.11 6776 */ 6777 void KRB5_CALLCONV 6778 krb5_responder_otp_challenge_free(krb5_context ctx, 6779 krb5_responder_context rctx, 6780 krb5_responder_otp_challenge *chl); 6781 6782 typedef struct _krb5_responder_pkinit_identity { 6783 char *identity; 6784 krb5_int32 token_flags; /* 0 when not specified or not applicable. */ 6785 } krb5_responder_pkinit_identity; 6786 6787 typedef struct _krb5_responder_pkinit_challenge { 6788 krb5_responder_pkinit_identity **identities; 6789 } krb5_responder_pkinit_challenge; 6790 6791 /** 6792 * Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. 6793 * 6794 * A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT 6795 * question challenge data, making it available in native C. The main feature 6796 * of this function is the ability to read the challenge without parsing 6797 * the JSON. 6798 * 6799 * The returned value must be passed to krb5_responder_pkinit_challenge_free() 6800 * to be freed. 6801 * 6802 * @param [in] ctx Library context 6803 * @param [in] rctx Responder context 6804 * @param [out] chl_out Challenge structure 6805 * 6806 * @version New in 1.12 6807 */ 6808 krb5_error_code KRB5_CALLCONV 6809 krb5_responder_pkinit_get_challenge(krb5_context ctx, 6810 krb5_responder_context rctx, 6811 krb5_responder_pkinit_challenge **chl_out); 6812 6813 /** 6814 * Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. 6815 * 6816 * @param [in] ctx Library context 6817 * @param [in] rctx Responder context 6818 * @param [in] identity The identity for which a PIN is being supplied 6819 * @param [in] pin The provided PIN, or NULL for none 6820 * 6821 * @version New in 1.12 6822 */ 6823 krb5_error_code KRB5_CALLCONV 6824 krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, 6825 const char *identity, const char *pin); 6826 6827 /** 6828 * Free the value returned by krb5_responder_pkinit_get_challenge(). 6829 * 6830 * @param [in] ctx Library context 6831 * @param [in] rctx Responder context 6832 * @param [in] chl The challenge to free 6833 * 6834 * @version New in 1.12 6835 */ 6836 void KRB5_CALLCONV 6837 krb5_responder_pkinit_challenge_free(krb5_context ctx, 6838 krb5_responder_context rctx, 6839 krb5_responder_pkinit_challenge *chl); 6840 6841 /** Store options for @c _krb5_get_init_creds */ 6842 typedef struct _krb5_get_init_creds_opt { 6843 krb5_flags flags; 6844 krb5_deltat tkt_life; 6845 krb5_deltat renew_life; 6846 int forwardable; 6847 int proxiable; 6848 krb5_enctype *etype_list; 6849 int etype_list_length; 6850 krb5_address **address_list; 6851 krb5_preauthtype *preauth_list; 6852 int preauth_list_length; 6853 krb5_data *salt; 6854 } krb5_get_init_creds_opt; 6855 6856 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 6857 #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002 6858 #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004 6859 #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008 6860 #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010 6861 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 6862 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 6863 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 6864 #define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100 6865 #define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200 6866 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400 6867 6868 6869 /** 6870 * Allocate a new initial credential options structure. 6871 * 6872 * @param [in] context Library context 6873 * @param [out] opt New options structure 6874 * 6875 * This function is the preferred way to create an options structure for 6876 * getting initial credentials, and is required to make use of certain options. 6877 * Use krb5_get_init_creds_opt_free() to free @a opt when it is no longer 6878 * needed. 6879 * 6880 * @retval 0 - Success; Kerberos errors otherwise. 6881 */ 6882 krb5_error_code KRB5_CALLCONV 6883 krb5_get_init_creds_opt_alloc(krb5_context context, 6884 krb5_get_init_creds_opt **opt); 6885 6886 /** 6887 * Free initial credential options. 6888 * 6889 * @param [in] context Library context 6890 * @param [in] opt Options structure to free 6891 * 6892 * @sa krb5_get_init_creds_opt_alloc() 6893 */ 6894 void KRB5_CALLCONV 6895 krb5_get_init_creds_opt_free(krb5_context context, 6896 krb5_get_init_creds_opt *opt); 6897 6898 /** @deprecated Use krb5_get_init_creds_opt_alloc() instead. */ 6899 void KRB5_CALLCONV 6900 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt); 6901 6902 /** 6903 * Set the ticket lifetime in initial credential options. 6904 * 6905 * @param [in] opt Options structure 6906 * @param [in] tkt_life Ticket lifetime 6907 */ 6908 void KRB5_CALLCONV 6909 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, 6910 krb5_deltat tkt_life); 6911 6912 /** 6913 * Set the ticket renewal lifetime in initial credential options. 6914 * 6915 * @param [in] opt Pointer to @a options field 6916 * @param [in] renew_life Ticket renewal lifetime 6917 */ 6918 void KRB5_CALLCONV 6919 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, 6920 krb5_deltat renew_life); 6921 6922 /** 6923 * Set or unset the forwardable flag in initial credential options. 6924 * 6925 * @param [in] opt Options structure 6926 * @param [in] forwardable Whether credentials should be forwardable 6927 */ 6928 void KRB5_CALLCONV 6929 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, 6930 int forwardable); 6931 6932 /** 6933 * Set or unset the proxiable flag in initial credential options. 6934 * 6935 * @param [in] opt Options structure 6936 * @param [in] proxiable Whether credentials should be proxiable 6937 */ 6938 void KRB5_CALLCONV 6939 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, 6940 int proxiable); 6941 6942 /** 6943 * Set or unset the canonicalize flag in initial credential options. 6944 * 6945 * @param [in] opt Options structure 6946 * @param [in] canonicalize Whether to canonicalize client principal 6947 */ 6948 void KRB5_CALLCONV 6949 krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, 6950 int canonicalize); 6951 6952 /** 6953 * Set or unset the anonymous flag in initial credential options. 6954 * 6955 * @param [in] opt Options structure 6956 * @param [in] anonymous Whether to make an anonymous request 6957 * 6958 * This function may be used to request anonymous credentials from the KDC by 6959 * setting @a anonymous to non-zero. Note that anonymous credentials are only 6960 * a request; clients must verify that credentials are anonymous if that is a 6961 * requirement. 6962 */ 6963 void KRB5_CALLCONV 6964 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, 6965 int anonymous); 6966 6967 /** 6968 * Set allowable encryption types in initial credential options. 6969 * 6970 * @param [in] opt Options structure 6971 * @param [in] etype_list Array of encryption types 6972 * @param [in] etype_list_length Length of @a etype_list 6973 */ 6974 void KRB5_CALLCONV 6975 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, 6976 krb5_enctype *etype_list, 6977 int etype_list_length); 6978 6979 /** 6980 * Set address restrictions in initial credential options. 6981 * 6982 * @param [in] opt Options structure 6983 * @param [in] addresses Null-terminated array of addresses 6984 */ 6985 void KRB5_CALLCONV 6986 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, 6987 krb5_address **addresses); 6988 6989 /** 6990 * Set preauthentication types in initial credential options. 6991 * 6992 * @param [in] opt Options structure 6993 * @param [in] preauth_list Array of preauthentication types 6994 * @param [in] preauth_list_length Length of @a preauth_list 6995 * 6996 * This function can be used to perform optimistic preauthentication when 6997 * getting initial credentials, in combination with 6998 * krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa(). 6999 */ 7000 void KRB5_CALLCONV 7001 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, 7002 krb5_preauthtype *preauth_list, 7003 int preauth_list_length); 7004 7005 /** 7006 * Set salt for optimistic preauthentication in initial credential options. 7007 * 7008 * @param [in] opt Options structure 7009 * @param [in] salt Salt data 7010 * 7011 * When getting initial credentials with a password, a salt string it used to 7012 * convert the password to a key. Normally this salt is obtained from the 7013 * first KDC reply, but when performing optimistic preauthentication, the 7014 * client may need to supply the salt string with this function. 7015 */ 7016 void KRB5_CALLCONV 7017 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, 7018 krb5_data *salt); 7019 7020 /** 7021 * Set or unset change-password-prompt flag in initial credential options. 7022 * 7023 * @param [in] opt Options structure 7024 * @param [in] prompt Whether to prompt to change password 7025 * 7026 * This flag is on by default. It controls whether 7027 * krb5_get_init_creds_password() will react to an expired-password error by 7028 * prompting for a new password and attempting to change the old one. 7029 */ 7030 void KRB5_CALLCONV 7031 krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, 7032 int prompt); 7033 7034 /** Generic preauth option attribute/value pairs */ 7035 typedef struct _krb5_gic_opt_pa_data { 7036 char *attr; 7037 char *value; 7038 } krb5_gic_opt_pa_data; 7039 7040 /** 7041 * Supply options for preauthentication in initial credential options. 7042 * 7043 * @param [in] context Library context 7044 * @param [in] opt Options structure 7045 * @param [in] attr Preauthentication option name 7046 * @param [in] value Preauthentication option value 7047 * 7048 * This function allows the caller to supply options for preauthentication. 7049 * The values of @a attr and @a value are supplied to each preauthentication 7050 * module available within @a context. 7051 */ 7052 krb5_error_code KRB5_CALLCONV 7053 krb5_get_init_creds_opt_set_pa(krb5_context context, 7054 krb5_get_init_creds_opt *opt, const char *attr, 7055 const char *value); 7056 7057 /** 7058 * Set location of FAST armor ccache in initial credential options. 7059 * 7060 * @param [in] context Library context 7061 * @param [in] opt Options 7062 * @param [in] fast_ccache_name Credential cache name 7063 * 7064 * Sets the location of a credential cache containing an armor ticket to 7065 * protect an initial credential exchange using the FAST protocol extension. 7066 * 7067 * In version 1.7, setting an armor ccache requires that FAST be used for the 7068 * exchange. In version 1.8 or later, setting the armor ccache causes FAST to 7069 * be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() 7070 * must be used to require that FAST be used. 7071 */ 7072 krb5_error_code KRB5_CALLCONV 7073 krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, 7074 krb5_get_init_creds_opt *opt, 7075 const char *fast_ccache_name); 7076 7077 /** 7078 * Set FAST armor cache in initial credential options. 7079 * 7080 * @param [in] context Library context 7081 * @param [in] opt Options 7082 * @param [in] ccache Credential cache handle 7083 * 7084 * This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), 7085 * but uses a credential cache handle instead of a name. 7086 * 7087 * @version New in 1.9 7088 */ 7089 krb5_error_code KRB5_CALLCONV 7090 krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, 7091 krb5_get_init_creds_opt *opt, 7092 krb5_ccache ccache); 7093 7094 /** 7095 * Set an input credential cache in initial credential options. 7096 * 7097 * @param [in] context Library context 7098 * @param [in] opt Options 7099 * @param [in] ccache Credential cache handle 7100 * 7101 * If an input credential cache is set, then the krb5_get_init_creds family of 7102 * APIs will read settings from it. Setting an input ccache is desirable when 7103 * the application wishes to perform authentication in the same way (using the 7104 * same preauthentication mechanisms, and making the same non-security- 7105 * sensitive choices) as the previous authentication attempt, which stored 7106 * information in the passed-in ccache. 7107 * 7108 * @version New in 1.11 7109 */ 7110 krb5_error_code KRB5_CALLCONV 7111 krb5_get_init_creds_opt_set_in_ccache(krb5_context context, 7112 krb5_get_init_creds_opt *opt, 7113 krb5_ccache ccache); 7114 7115 /** 7116 * Set an output credential cache in initial credential options. 7117 * 7118 * @param [in] context Library context 7119 * @param [in] opt Options 7120 * @param [in] ccache Credential cache handle 7121 * 7122 * If an output credential cache is set, then the krb5_get_init_creds family of 7123 * APIs will write credentials to it. Setting an output ccache is desirable 7124 * both because it simplifies calling code and because it permits the 7125 * krb5_get_init_creds APIs to write out configuration information about the 7126 * realm to the ccache. 7127 */ 7128 krb5_error_code KRB5_CALLCONV 7129 krb5_get_init_creds_opt_set_out_ccache(krb5_context context, 7130 krb5_get_init_creds_opt *opt, 7131 krb5_ccache ccache); 7132 7133 /** 7134 * @brief Ask the KDC to include or not include a PAC in the ticket 7135 * 7136 * @param [in] context Library context 7137 * @param [in] opt Options structure 7138 * @param [in] req_pac Whether to request a PAC or not 7139 * 7140 * If this option is set, the AS request will include a PAC-REQUEST pa-data 7141 * item explicitly asking the KDC to either include or not include a privilege 7142 * attribute certificate in the ticket authorization data. By default, no 7143 * request is made; typically the KDC will default to including a PAC if it 7144 * supports them. 7145 * 7146 * @version New in 1.15 7147 */ 7148 krb5_error_code KRB5_CALLCONV 7149 krb5_get_init_creds_opt_set_pac_request(krb5_context context, 7150 krb5_get_init_creds_opt *opt, 7151 krb5_boolean req_pac); 7152 7153 /** 7154 * Set FAST flags in initial credential options. 7155 * 7156 * @param [in] context Library context 7157 * @param [in] opt Options 7158 * @param [in] flags FAST flags 7159 * 7160 * The following flag values are valid: 7161 * @li #KRB5_FAST_REQUIRED - Require FAST to be used 7162 * 7163 * @retval 7164 * 0 - Success; Kerberos errors otherwise. 7165 */ 7166 krb5_error_code KRB5_CALLCONV 7167 krb5_get_init_creds_opt_set_fast_flags(krb5_context context, 7168 krb5_get_init_creds_opt *opt, 7169 krb5_flags flags); 7170 7171 /** 7172 * Retrieve FAST flags from initial credential options. 7173 * 7174 * @param [in] context Library context 7175 * @param [in] opt Options 7176 * @param [out] out_flags FAST flags 7177 * 7178 * @retval 7179 * 0 - Success; Kerberos errors otherwise. 7180 */ 7181 krb5_error_code KRB5_CALLCONV 7182 krb5_get_init_creds_opt_get_fast_flags(krb5_context context, 7183 krb5_get_init_creds_opt *opt, 7184 krb5_flags *out_flags); 7185 7186 /* Fast flags*/ 7187 #define KRB5_FAST_REQUIRED 0x0001 /**< Require KDC to support FAST*/ 7188 7189 typedef void 7190 (KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data, 7191 krb5_timestamp password_expiration, 7192 krb5_timestamp account_expiration, 7193 krb5_boolean is_last_req); 7194 7195 /** 7196 * Set an expiration callback in initial credential options. 7197 * 7198 * @param [in] context Library context 7199 * @param [in] opt Options structure 7200 * @param [in] cb Callback function 7201 * @param [in] data Callback argument 7202 * 7203 * Set a callback to receive password and account expiration times. 7204 * 7205 * @a cb will be invoked if and only if credentials are successfully acquired. 7206 * The callback will receive the @a context from the calling function and the 7207 * @a data argument supplied with this API. The remaining arguments should be 7208 * interpreted as follows: 7209 * 7210 * If @a is_last_req is true, then the KDC reply contained last-req entries 7211 * which unambiguously indicated the password expiration, account expiration, 7212 * or both. (If either value was not present, the corresponding argument will 7213 * be 0.) Furthermore, a non-zero @a password_expiration should be taken as a 7214 * suggestion from the KDC that a warning be displayed. 7215 * 7216 * If @a is_last_req is false, then @a account_expiration will be 0 and @a 7217 * password_expiration will contain the expiration time of either the password 7218 * or account, or 0 if no expiration time was indicated in the KDC reply. The 7219 * callback should independently decide whether to display a password 7220 * expiration warning. 7221 * 7222 * Note that @a cb may be invoked even if credentials are being acquired for 7223 * the kadmin/changepw service in order to change the password. It is the 7224 * caller's responsibility to avoid displaying a password expiry warning in 7225 * this case. 7226 * 7227 * @warning Setting an expire callback with this API will cause 7228 * krb5_get_init_creds_password() not to send password expiry warnings to the 7229 * prompter, as it ordinarily may. 7230 * 7231 * @version New in 1.9 7232 */ 7233 krb5_error_code KRB5_CALLCONV 7234 krb5_get_init_creds_opt_set_expire_callback(krb5_context context, 7235 krb5_get_init_creds_opt *opt, 7236 krb5_expire_callback_func cb, 7237 void *data); 7238 7239 /** 7240 * Set the responder function in initial credential options. 7241 * 7242 * @param [in] context Library context 7243 * @param [in] opt Options structure 7244 * @param [in] responder Responder function 7245 * @param [in] data Responder data argument 7246 * 7247 * @version New in 1.11 7248 */ 7249 krb5_error_code KRB5_CALLCONV 7250 krb5_get_init_creds_opt_set_responder(krb5_context context, 7251 krb5_get_init_creds_opt *opt, 7252 krb5_responder_fn responder, void *data); 7253 7254 /** 7255 * Get initial credentials using a password. 7256 * 7257 * @param [in] context Library context 7258 * @param [out] creds New credentials 7259 * @param [in] client Client principal 7260 * @param [in] password Password (or NULL) 7261 * @param [in] prompter Prompter function 7262 * @param [in] data Prompter callback data 7263 * @param [in] start_time Time when ticket becomes valid (0 for now) 7264 * @param [in] in_tkt_service Service name of initial credentials (or NULL) 7265 * @param [in] k5_gic_options Initial credential options 7266 * 7267 * This function requests KDC for an initial credentials for @a client using @a 7268 * password. If @a password is NULL, a password will be prompted for using @a 7269 * prompter if necessary. If @a in_tkt_service is specified, it is parsed as a 7270 * principal name (with the realm ignored) and used as the service principal 7271 * for the request; otherwise the ticket-granting service is used. 7272 * 7273 * @sa krb5_verify_init_creds() 7274 * 7275 * @retval 7276 * 0 Success 7277 * @retval 7278 * EINVAL Invalid argument 7279 * @retval 7280 * KRB5_KDC_UNREACH Cannot contact any KDC for requested realm 7281 * @retval 7282 * KRB5_PREAUTH_FAILED Generic Pre-athentication failure 7283 * @retval 7284 * KRB5_LIBOS_PWDINTR Password read interrupted 7285 * @retval 7286 * KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm 7287 * @retval 7288 * KRB5KDC_ERR_KEY_EXP Password has expired 7289 * @retval 7290 * KRB5_LIBOS_BADPWDMATCH Password mismatch 7291 * @retval 7292 * KRB5_CHPW_PWDNULL New password cannot be zero length 7293 * @retval 7294 * KRB5_CHPW_FAIL Password change failed 7295 * @return 7296 * Kerberos error codes 7297 */ 7298 krb5_error_code KRB5_CALLCONV 7299 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, 7300 krb5_principal client, const char *password, 7301 krb5_prompter_fct prompter, void *data, 7302 krb5_deltat start_time, 7303 const char *in_tkt_service, 7304 krb5_get_init_creds_opt *k5_gic_options); 7305 7306 /** 7307 * Retrieve enctype, salt and s2kparams from KDC 7308 * 7309 * @param [in] context Library context 7310 * @param [in] principal Principal whose information is requested 7311 * @param [in] opt Initial credential options 7312 * @param [out] enctype_out The enctype chosen by KDC 7313 * @param [out] salt_out Salt returned from KDC 7314 * @param [out] s2kparams_out String-to-key parameters returned from KDC 7315 * 7316 * Send an initial ticket request for @a principal and extract the encryption 7317 * type, salt type, and string-to-key parameters from the KDC response. If the 7318 * KDC provides no etype-info, set @a enctype_out to @c ENCTYPE_NULL and set @a 7319 * salt_out and @a s2kparams_out to empty. If the KDC etype-info provides no 7320 * salt, compute the default salt and place it in @a salt_out. If the KDC 7321 * etype-info provides no string-to-key parameters, set @a s2kparams_out to 7322 * empty. 7323 * 7324 * @a opt may be used to specify options which affect the initial request, such 7325 * as request encryption types or a FAST armor cache (see 7326 * krb5_get_init_creds_opt_set_etype_list() and 7327 * krb5_get_init_creds_opt_set_fast_ccache_name()). 7328 * 7329 * Use krb5_free_data_contents() to free @a salt_out and @a s2kparams_out when 7330 * they are no longer needed. 7331 * 7332 * @version New in 1.17 7333 * 7334 * @retval 0 Success 7335 * @return A Kerberos error code 7336 */ 7337 krb5_error_code KRB5_CALLCONV 7338 krb5_get_etype_info(krb5_context context, krb5_principal principal, 7339 krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, 7340 krb5_data *salt_out, krb5_data *s2kparams_out); 7341 7342 struct _krb5_init_creds_context; 7343 typedef struct _krb5_init_creds_context *krb5_init_creds_context; 7344 7345 #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ 7346 7347 /** 7348 * Free an initial credentials context. 7349 * 7350 * @param [in] context Library context 7351 * @param [in] ctx Initial credentials context 7352 * 7353 * @a context must be the same as the one passed to krb5_init_creds_init() for 7354 * this initial credentials context. 7355 */ 7356 void KRB5_CALLCONV 7357 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); 7358 7359 /** 7360 * Acquire credentials using an initial credentials context. 7361 * 7362 * @param [in] context Library context 7363 * @param [in] ctx Initial credentials context 7364 * 7365 * This function synchronously obtains credentials using a context created by 7366 * krb5_init_creds_init(). On successful return, the credentials can be 7367 * retrieved with krb5_init_creds_get_creds(). 7368 * 7369 * @a context must be the same as the one passed to krb5_init_creds_init() for 7370 * this initial credentials context. 7371 * 7372 * @retval 0 Success; otherwise - Kerberos error codes 7373 */ 7374 krb5_error_code KRB5_CALLCONV 7375 krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx); 7376 7377 /** 7378 * Retrieve acquired credentials from an initial credentials context. 7379 * 7380 * @param [in] context Library context 7381 * @param [in] ctx Initial credentials context 7382 * @param [out] creds Acquired credentials 7383 * 7384 * This function copies the acquired initial credentials from @a ctx into @a 7385 * creds, after the successful completion of krb5_init_creds_get() or 7386 * krb5_init_creds_step(). Use krb5_free_cred_contents() to free @a creds when 7387 * it is no longer needed. 7388 * 7389 * @retval 0 Success; otherwise - Kerberos error codes 7390 */ 7391 krb5_error_code KRB5_CALLCONV 7392 krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, 7393 krb5_creds *creds); 7394 7395 /** 7396 * Get the last error from KDC from an initial credentials context. 7397 * 7398 * @param [in] context Library context 7399 * @param [in] ctx Initial credentials context 7400 * @param [out] error Error from KDC, or NULL if none was received 7401 * 7402 * @retval 0 Success; otherwise - Kerberos error codes 7403 */ 7404 krb5_error_code KRB5_CALLCONV 7405 krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, 7406 krb5_error **error); 7407 7408 /** 7409 * Create a context for acquiring initial credentials. 7410 * 7411 * @param [in] context Library context 7412 * @param [in] client Client principal to get initial creds for 7413 * @param [in] prompter Prompter callback 7414 * @param [in] data Prompter callback argument 7415 * @param [in] start_time Time when credentials become valid (0 for now) 7416 * @param [in] options Options structure (NULL for default) 7417 * @param [out] ctx New initial credentials context 7418 * 7419 * This function creates a new context for acquiring initial credentials. Use 7420 * krb5_init_creds_free() to free @a ctx when it is no longer needed. 7421 * 7422 * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or 7423 * krb5_init_creds_free() for this initial credentials context must use the 7424 * same @a context argument as the one passed to this function. 7425 * 7426 * @retval 0 Success; otherwise - Kerberos error codes 7427 */ 7428 krb5_error_code KRB5_CALLCONV 7429 krb5_init_creds_init(krb5_context context, krb5_principal client, 7430 krb5_prompter_fct prompter, void *data, 7431 krb5_deltat start_time, krb5_get_init_creds_opt *options, 7432 krb5_init_creds_context *ctx); 7433 7434 /** 7435 * Specify a keytab to use for acquiring initial credentials. 7436 * 7437 * @param [in] context Library context 7438 * @param [in] ctx Initial credentials context 7439 * @param [in] keytab Key table handle 7440 * 7441 * This function supplies a keytab containing the client key for an initial 7442 * credentials request. 7443 * 7444 * @retval 0 Success; otherwise - Kerberos error codes 7445 */ 7446 krb5_error_code KRB5_CALLCONV 7447 krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, 7448 krb5_keytab keytab); 7449 7450 /** 7451 * Get the next KDC request for acquiring initial credentials. 7452 * 7453 * @param [in] context Library context 7454 * @param [in] ctx Initial credentials context 7455 * @param [in] in KDC response (empty on the first call) 7456 * @param [out] out Next KDC request 7457 * @param [out] realm Realm for next KDC request 7458 * @param [out] flags Output flags 7459 * 7460 * This function constructs the next KDC request in an initial credential 7461 * exchange, allowing the caller to control the transport of KDC requests and 7462 * replies. On the first call, @a in should be set to an empty buffer; on 7463 * subsequent calls, it should be set to the KDC's reply to the previous 7464 * request. 7465 * 7466 * If more requests are needed, @a flags will be set to 7467 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in 7468 * @a out. If no more requests are needed, @a flags will not contain 7469 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. 7470 * 7471 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should 7472 * transmit the next request using TCP rather than UDP. If this function 7473 * returns any other error, the initial credential exchange has failed. 7474 * 7475 * @a context must be the same as the one passed to krb5_init_creds_init() for 7476 * this initial credentials context. 7477 * 7478 * @retval 0 Success; otherwise - Kerberos error codes 7479 */ 7480 krb5_error_code KRB5_CALLCONV 7481 krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, 7482 krb5_data *in, krb5_data *out, krb5_data *realm, 7483 unsigned int *flags); 7484 7485 /** 7486 * Set a password for acquiring initial credentials. 7487 * 7488 * @param [in] context Library context 7489 * @param [in] ctx Initial credentials context 7490 * @param [in] password Password 7491 * 7492 * This function supplies a password to be used to construct the client key for 7493 * an initial credentials request. 7494 * 7495 * @retval 0 Success; otherwise - Kerberos error codes 7496 */ 7497 krb5_error_code KRB5_CALLCONV 7498 krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, 7499 const char *password); 7500 7501 /** 7502 * Specify a service principal for acquiring initial credentials. 7503 * 7504 * @param [in] context Library context 7505 * @param [in] ctx Initial credentials context 7506 * @param [in] service Service principal string 7507 * 7508 * This function supplies a service principal string to acquire initial 7509 * credentials for instead of the default krbtgt service. @a service is parsed 7510 * as a principal name; any realm part is ignored. 7511 * 7512 * @retval 0 Success; otherwise - Kerberos error codes 7513 */ 7514 krb5_error_code KRB5_CALLCONV 7515 krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, 7516 const char *service); 7517 7518 /** 7519 * Retrieve ticket times from an initial credentials context. 7520 * 7521 * @param [in] context Library context 7522 * @param [in] ctx Initial credentials context 7523 * @param [out] times Ticket times for acquired credentials 7524 * 7525 * The initial credentials context must have completed obtaining credentials 7526 * via either krb5_init_creds_get() or krb5_init_creds_step(). 7527 * 7528 * @retval 0 Success; otherwise - Kerberos error codes 7529 */ 7530 krb5_error_code KRB5_CALLCONV 7531 krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, 7532 krb5_ticket_times *times); 7533 7534 struct _krb5_tkt_creds_context; 7535 typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context; 7536 7537 /** 7538 * Create a context to get credentials from a KDC's Ticket Granting Service. 7539 * 7540 * @param[in] context Library context 7541 * @param[in] ccache Credential cache handle 7542 * @param[in] creds Input credentials 7543 * @param[in] options Options (see KRB5_GC macros) 7544 * @param[out] ctx New TGS request context 7545 * 7546 * This function prepares to obtain credentials matching @a creds, either by 7547 * retrieving them from @a ccache or by making requests to ticket-granting 7548 * services beginning with a ticket-granting ticket for the client principal's 7549 * realm. 7550 * 7551 * The resulting TGS acquisition context can be used asynchronously with 7552 * krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also 7553 * krb5_get_credentials() for synchronous use. 7554 * 7555 * Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed. 7556 * 7557 * @version New in 1.9 7558 * 7559 * @retval 0 Success; otherwise - Kerberos error codes 7560 */ 7561 krb5_error_code KRB5_CALLCONV 7562 krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, 7563 krb5_creds *creds, krb5_flags options, 7564 krb5_tkt_creds_context *ctx); 7565 7566 /** 7567 * Synchronously obtain credentials using a TGS request context. 7568 * 7569 * @param[in] context Library context 7570 * @param[in] ctx TGS request context 7571 * 7572 * This function synchronously obtains credentials using a context created by 7573 * krb5_tkt_creds_init(). On successful return, the credentials can be 7574 * retrieved with krb5_tkt_creds_get_creds(). 7575 * 7576 * @version New in 1.9 7577 * 7578 * @retval 0 Success; otherwise - Kerberos error codes 7579 */ 7580 krb5_error_code KRB5_CALLCONV 7581 krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx); 7582 7583 /** 7584 * Retrieve acquired credentials from a TGS request context. 7585 * 7586 * @param[in] context Library context 7587 * @param[in] ctx TGS request context 7588 * @param[out] creds Acquired credentials 7589 * 7590 * This function copies the acquired initial credentials from @a ctx into @a 7591 * creds, after the successful completion of krb5_tkt_creds_get() or 7592 * krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when 7593 * it is no longer needed. 7594 * 7595 * @version New in 1.9 7596 * 7597 * @retval 0 Success; otherwise - Kerberos error codes 7598 */ 7599 krb5_error_code KRB5_CALLCONV 7600 krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, 7601 krb5_creds *creds); 7602 7603 /** 7604 * Free a TGS request context. 7605 * 7606 * @param[in] context Library context 7607 * @param[in] ctx TGS request context 7608 * 7609 * @version New in 1.9 7610 */ 7611 void KRB5_CALLCONV 7612 krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx); 7613 7614 #define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ 7615 7616 /** 7617 * Get the next KDC request in a TGS exchange. 7618 * 7619 * @param[in] context Library context 7620 * @param[in] ctx TGS request context 7621 * @param[in] in KDC response (empty on the first call) 7622 * @param[out] out Next KDC request 7623 * @param[out] realm Realm for next KDC request 7624 * @param[out] flags Output flags 7625 * 7626 * This function constructs the next KDC request for a TGS exchange, allowing 7627 * the caller to control the transport of KDC requests and replies. On the 7628 * first call, @a in should be set to an empty buffer; on subsequent calls, it 7629 * should be set to the KDC's reply to the previous request. 7630 * 7631 * If more requests are needed, @a flags will be set to 7632 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in @a 7633 * out. If no more requests are needed, @a flags will not contain 7634 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. 7635 * 7636 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should 7637 * transmit the next request using TCP rather than UDP. If this function 7638 * returns any other error, the TGS exchange has failed. 7639 * 7640 * @version New in 1.9 7641 * 7642 * @retval 0 Success; otherwise - Kerberos error codes 7643 */ 7644 krb5_error_code KRB5_CALLCONV 7645 krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, 7646 krb5_data *in, krb5_data *out, krb5_data *realm, 7647 unsigned int *flags); 7648 7649 /** 7650 * Retrieve ticket times from a TGS request context. 7651 * 7652 * @param[in] context Library context 7653 * @param[in] ctx TGS request context 7654 * @param[out] times Ticket times for acquired credentials 7655 * 7656 * The TGS request context must have completed obtaining credentials via either 7657 * krb5_tkt_creds_get() or krb5_tkt_creds_step(). 7658 * 7659 * @version New in 1.9 7660 * 7661 * @retval 0 Success; otherwise - Kerberos error codes 7662 */ 7663 krb5_error_code KRB5_CALLCONV 7664 krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, 7665 krb5_ticket_times *times); 7666 7667 /** 7668 * Get initial credentials using a key table. 7669 * 7670 * @param [in] context Library context 7671 * @param [out] creds New credentials 7672 * @param [in] client Client principal 7673 * @param [in] arg_keytab Key table handle 7674 * @param [in] start_time Time when ticket becomes valid (0 for now) 7675 * @param [in] in_tkt_service Service name of initial credentials (or NULL) 7676 * @param [in] k5_gic_options Initial credential options 7677 * 7678 * This function requests KDC for an initial credentials for @a client using a 7679 * client key stored in @a arg_keytab. If @a in_tkt_service is specified, it 7680 * is parsed as a principal name (with the realm ignored) and used as the 7681 * service principal for the request; otherwise the ticket-granting service is 7682 * used. 7683 * 7684 * @sa krb5_verify_init_creds() 7685 * 7686 * @retval 7687 * 0 Success 7688 * @return 7689 * Kerberos error codes 7690 */ 7691 krb5_error_code KRB5_CALLCONV 7692 krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds, 7693 krb5_principal client, krb5_keytab arg_keytab, 7694 krb5_deltat start_time, const char *in_tkt_service, 7695 krb5_get_init_creds_opt *k5_gic_options); 7696 7697 typedef struct _krb5_verify_init_creds_opt { 7698 krb5_flags flags; 7699 int ap_req_nofail; /**< boolean */ 7700 } krb5_verify_init_creds_opt; 7701 7702 #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 7703 7704 /** 7705 * Initialize a credential verification options structure. 7706 * 7707 * @param [in] k5_vic_options Verification options structure 7708 */ 7709 void KRB5_CALLCONV 7710 krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options); 7711 7712 /** 7713 * Set whether credential verification is required. 7714 * 7715 * @param [in] k5_vic_options Verification options structure 7716 * @param [in] ap_req_nofail Whether to require successful verification 7717 * 7718 * This function determines how krb5_verify_init_creds() behaves if no keytab 7719 * information is available. If @a ap_req_nofail is @c FALSE, verification 7720 * will be skipped in this case and krb5_verify_init_creds() will return 7721 * successfully. If @a ap_req_nofail is @c TRUE, krb5_verify_init_creds() will 7722 * not return successfully unless verification can be performed. 7723 * 7724 * If this function is not used, the behavior of krb5_verify_init_creds() is 7725 * determined through configuration. 7726 */ 7727 void KRB5_CALLCONV 7728 krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, 7729 int ap_req_nofail); 7730 7731 /** 7732 * Verify initial credentials against a keytab. 7733 * 7734 * @param [in] context Library context 7735 * @param [in] creds Initial credentials to be verified 7736 * @param [in] server Server principal (or NULL) 7737 * @param [in] keytab Key table (NULL to use default keytab) 7738 * @param [in] ccache Credential cache for fetched creds (or NULL) 7739 * @param [in] options Verification options (NULL for default options) 7740 * 7741 * This function attempts to verify that @a creds were obtained from a KDC with 7742 * knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL. 7743 * If @a server is provided, the highest-kvno key entry for that principal name 7744 * is used to verify the credentials; otherwise, all unique "host" service 7745 * principals in the keytab are tried. 7746 * 7747 * If the specified keytab does not exist, or is empty, or cannot be read, or 7748 * does not contain an entry for @a server, then credential verification may be 7749 * skipped unless configuration demands that it succeed. The caller can 7750 * control this behavior by providing a verification options structure; see 7751 * krb5_verify_init_creds_opt_init() and 7752 * krb5_verify_init_creds_opt_set_ap_req_nofail(). 7753 * 7754 * If @a ccache is NULL, any additional credentials fetched during the 7755 * verification process will be destroyed. If @a ccache points to NULL, a 7756 * memory ccache will be created for the additional credentials and returned in 7757 * @a ccache. If @a ccache points to a valid credential cache handle, the 7758 * additional credentials will be stored in that cache. 7759 * 7760 * @retval 0 Success; otherwise - Kerberos error codes 7761 */ 7762 krb5_error_code KRB5_CALLCONV 7763 krb5_verify_init_creds(krb5_context context, krb5_creds *creds, 7764 krb5_principal server, krb5_keytab keytab, 7765 krb5_ccache *ccache, 7766 krb5_verify_init_creds_opt *options); 7767 7768 /** 7769 * Get validated credentials from the KDC. 7770 * 7771 * @param [in] context Library context 7772 * @param [out] creds Validated credentials 7773 * @param [in] client Client principal name 7774 * @param [in] ccache Credential cache 7775 * @param [in] in_tkt_service Server principal string (or NULL) 7776 * 7777 * This function gets a validated credential using a postdated credential from 7778 * @a ccache. If @a in_tkt_service is specified, it is parsed (with the realm 7779 * part ignored) and used as the server principal of the credential; 7780 * otherwise, the ticket-granting service is used. 7781 * 7782 * If successful, the validated credential is placed in @a creds. 7783 * 7784 * @sa krb5_get_renewed_creds() 7785 * 7786 * @retval 7787 * 0 Success 7788 * @retval 7789 * KRB5_NO_2ND_TKT Request missing second ticket 7790 * @retval 7791 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket 7792 * @retval 7793 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match 7794 * @retval 7795 * KRB5_KDCREP_MODIFIED KDC reply did not match expectations 7796 * @retval 7797 * KRB5_KDCREP_SKEW Clock skew too great in KDC reply 7798 * @return 7799 * Kerberos error codes 7800 */ 7801 krb5_error_code KRB5_CALLCONV 7802 krb5_get_validated_creds(krb5_context context, krb5_creds *creds, 7803 krb5_principal client, krb5_ccache ccache, 7804 const char *in_tkt_service); 7805 7806 /** 7807 * Get renewed credential from KDC using an existing credential. 7808 * 7809 * @param [in] context Library context 7810 * @param [out] creds Renewed credentials 7811 * @param [in] client Client principal name 7812 * @param [in] ccache Credential cache 7813 * @param [in] in_tkt_service Server principal string (or NULL) 7814 * 7815 * This function gets a renewed credential using an existing one from @a 7816 * ccache. If @a in_tkt_service is specified, it is parsed (with the realm 7817 * part ignored) and used as the server principal of the credential; otherwise, 7818 * the ticket-granting service is used. 7819 * 7820 * If successful, the renewed credential is placed in @a creds. 7821 * 7822 * @retval 7823 * 0 Success 7824 * @return 7825 * Kerberos error codes 7826 */ 7827 krb5_error_code KRB5_CALLCONV 7828 krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, 7829 krb5_principal client, krb5_ccache ccache, 7830 const char *in_tkt_service); 7831 7832 /** 7833 * Decode an ASN.1-formatted ticket. 7834 * 7835 * @param [in] code ASN.1-formatted ticket 7836 * @param [out] rep Decoded ticket information 7837 * 7838 * @retval 0 Success; otherwise - Kerberos error codes 7839 */ 7840 krb5_error_code KRB5_CALLCONV 7841 krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep); 7842 7843 /** 7844 * Retrieve a string value from the appdefaults section of krb5.conf. 7845 * 7846 * @param [in] context Library context 7847 * @param [in] appname Application name 7848 * @param [in] realm Realm name 7849 * @param [in] option Option to be checked 7850 * @param [in] default_value Default value to return if no match is found 7851 * @param [out] ret_value String value of @a option 7852 * 7853 * This function gets the application defaults for @a option based on the given 7854 * @a appname and/or @a realm. 7855 * 7856 * @sa krb5_appdefault_boolean() 7857 */ 7858 void KRB5_CALLCONV 7859 krb5_appdefault_string(krb5_context context, const char *appname, 7860 const krb5_data *realm, const char *option, 7861 const char *default_value, char ** ret_value); 7862 7863 /** 7864 * Retrieve a boolean value from the appdefaults section of krb5.conf. 7865 * 7866 * @param [in] context Library context 7867 * @param [in] appname Application name 7868 * @param [in] realm Realm name 7869 * @param [in] option Option to be checked 7870 * @param [in] default_value Default value to return if no match is found 7871 * @param [out] ret_value Boolean value of @a option 7872 * 7873 * This function gets the application defaults for @a option based on the given 7874 * @a appname and/or @a realm. 7875 * 7876 * @sa krb5_appdefault_string() 7877 */ 7878 void KRB5_CALLCONV 7879 krb5_appdefault_boolean(krb5_context context, const char *appname, 7880 const krb5_data *realm, const char *option, 7881 int default_value, int *ret_value); 7882 7883 /* 7884 * Prompter enhancements 7885 */ 7886 /** Prompt for password */ 7887 #define KRB5_PROMPT_TYPE_PASSWORD 0x1 7888 /** Prompt for new password (during password change) */ 7889 #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2 7890 /** Prompt for new password again */ 7891 #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3 7892 /** Prompt for preauthentication data (such as an OTP value) */ 7893 #define KRB5_PROMPT_TYPE_PREAUTH 0x4 7894 7895 typedef krb5_int32 krb5_prompt_type; 7896 7897 /** 7898 * Get prompt types array from a context. 7899 * 7900 * @param [in] context Library context 7901 * 7902 * @return 7903 * Pointer to an array of prompt types corresponding to the prompter's @a 7904 * prompts arguments. Each type has one of the following values: 7905 * @li #KRB5_PROMPT_TYPE_PASSWORD 7906 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD 7907 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 7908 * @li #KRB5_PROMPT_TYPE_PREAUTH 7909 */ 7910 krb5_prompt_type* KRB5_CALLCONV 7911 krb5_get_prompt_types(krb5_context context); 7912 7913 /* Error reporting */ 7914 /** 7915 * Set an extended error message for an error code. 7916 * 7917 * @param [in] ctx Library context 7918 * @param [in] code Error code 7919 * @param [in] fmt Error string for the error code 7920 * @param [in] ... printf(3) style parameters 7921 */ 7922 void KRB5_CALLCONV_C 7923 krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...) 7924 #if !defined(__cplusplus) && (__GNUC__ > 2) 7925 __attribute__((__format__(__printf__, 3, 4))) 7926 #endif 7927 ; 7928 7929 /** 7930 * Set an extended error message for an error code using a va_list. 7931 * 7932 * @param [in] ctx Library context 7933 * @param [in] code Error code 7934 * @param [in] fmt Error string for the error code 7935 * @param [in] args List of vprintf(3) style arguments 7936 */ 7937 void KRB5_CALLCONV 7938 krb5_vset_error_message(krb5_context ctx, krb5_error_code code, 7939 const char *fmt, va_list args) 7940 #if !defined(__cplusplus) && (__GNUC__ > 2) 7941 __attribute__((__format__(__printf__, 3, 0))) 7942 #endif 7943 ; 7944 7945 /** 7946 * Add a prefix to the message for an error code. 7947 * 7948 * @param [in] ctx Library context 7949 * @param [in] code Error code 7950 * @param [in] fmt Format string for error message prefix 7951 * @param [in] ... printf(3) style parameters 7952 * 7953 * Format a message and prepend it to the current message for @a code. The 7954 * prefix will be separated from the old message with a colon and space. 7955 */ 7956 void KRB5_CALLCONV_C 7957 krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, 7958 const char *fmt, ...) 7959 #if !defined(__cplusplus) && (__GNUC__ > 2) 7960 __attribute__((__format__(__printf__, 3, 4))) 7961 #endif 7962 ; 7963 7964 /** 7965 * Add a prefix to the message for an error code using a va_list. 7966 * 7967 * @param [in] ctx Library context 7968 * @param [in] code Error code 7969 * @param [in] fmt Format string for error message prefix 7970 * @param [in] args List of vprintf(3) style arguments 7971 * 7972 * This function is similar to krb5_prepend_error_message(), but uses a 7973 * va_list instead of variadic arguments. 7974 */ 7975 void KRB5_CALLCONV 7976 krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, 7977 const char *fmt, va_list args) 7978 #if !defined(__cplusplus) && (__GNUC__ > 2) 7979 __attribute__((__format__(__printf__, 3, 0))) 7980 #endif 7981 ; 7982 7983 /** 7984 * Add a prefix to a different error code's message. 7985 * 7986 * @param [in] ctx Library context 7987 * @param [in] old_code Previous error code 7988 * @param [in] code Error code 7989 * @param [in] fmt Format string for error message prefix 7990 * @param [in] ... printf(3) style parameters 7991 * 7992 * Format a message and prepend it to the message for @a old_code. The prefix 7993 * will be separated from the old message with a colon and space. Set the 7994 * resulting message as the extended error message for @a code. 7995 */ 7996 void KRB5_CALLCONV_C 7997 krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, 7998 krb5_error_code code, const char *fmt, ...) 7999 #if !defined(__cplusplus) && (__GNUC__ > 2) 8000 __attribute__((__format__(__printf__, 4, 5))) 8001 #endif 8002 ; 8003 8004 /** 8005 * Add a prefix to a different error code's message using a va_list. 8006 * 8007 * @param [in] ctx Library context 8008 * @param [in] old_code Previous error code 8009 * @param [in] code Error code 8010 * @param [in] fmt Format string for error message prefix 8011 * @param [in] args List of vprintf(3) style arguments 8012 * 8013 * This function is similar to krb5_wrap_error_message(), but uses a 8014 * va_list instead of variadic arguments. 8015 */ 8016 void KRB5_CALLCONV 8017 krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, 8018 krb5_error_code code, const char *fmt, va_list args) 8019 #if !defined(__cplusplus) && (__GNUC__ > 2) 8020 __attribute__((__format__(__printf__, 4, 0))) 8021 #endif 8022 ; 8023 8024 /** 8025 * Copy the most recent extended error message from one context to another. 8026 * 8027 * @param [in] dest_ctx Library context to copy message to 8028 * @param [in] src_ctx Library context with current message 8029 */ 8030 void KRB5_CALLCONV 8031 krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx); 8032 8033 /** 8034 * Get the (possibly extended) error message for a code. 8035 * 8036 * @param [in] ctx Library context 8037 * @param [in] code Error code 8038 * 8039 * The behavior of krb5_get_error_message() is only defined the first time it 8040 * is called after a failed call to a krb5 function using the same context, and 8041 * only when the error code passed in is the same as that returned by the krb5 8042 * function. 8043 * 8044 * This function never returns NULL, so its result may be used unconditionally 8045 * as a C string. 8046 * 8047 * The string returned by this function must be freed using 8048 * krb5_free_error_message() 8049 * 8050 * @note Future versions may return the same string for the second 8051 * and following calls. 8052 */ 8053 const char * KRB5_CALLCONV 8054 krb5_get_error_message(krb5_context ctx, krb5_error_code code); 8055 8056 /** 8057 * Free an error message generated by krb5_get_error_message(). 8058 * 8059 * @param [in] ctx Library context 8060 * @param [in] msg Pointer to error message 8061 */ 8062 void KRB5_CALLCONV 8063 krb5_free_error_message(krb5_context ctx, const char *msg); 8064 8065 /** 8066 * Clear the extended error message in a context. 8067 * 8068 * @param [in] ctx Library context 8069 * 8070 * This function unsets the extended error message in a context, to ensure that 8071 * it is not mistakenly applied to another occurrence of the same error code. 8072 */ 8073 void KRB5_CALLCONV 8074 krb5_clear_error_message(krb5_context ctx); 8075 8076 /** 8077 * Unwrap authorization data. 8078 * 8079 * @param [in] context Library context 8080 * @param [in] type Container type (see KRB5_AUTHDATA macros) 8081 * @param [in] container Authorization data to be decoded 8082 * @param [out] authdata List of decoded authorization data 8083 * 8084 * @sa krb5_encode_authdata_container() 8085 * 8086 * @retval 0 Success; otherwise - Kerberos error codes 8087 */ 8088 krb5_error_code KRB5_CALLCONV 8089 krb5_decode_authdata_container(krb5_context context, 8090 krb5_authdatatype type, 8091 const krb5_authdata *container, 8092 krb5_authdata ***authdata); 8093 /** 8094 * Wrap authorization data in a container. 8095 * 8096 * @param [in] context Library context 8097 * @param [in] type Container type (see KRB5_AUTHDATA macros) 8098 * @param [in] authdata List of authorization data to be encoded 8099 * @param [out] container List of encoded authorization data 8100 * 8101 * The result is returned in @a container as a single-element list. 8102 * 8103 * @sa krb5_decode_authdata_container() 8104 * 8105 * @retval 0 Success; otherwise - Kerberos error codes 8106 */ 8107 krb5_error_code KRB5_CALLCONV 8108 krb5_encode_authdata_container(krb5_context context, 8109 krb5_authdatatype type, 8110 krb5_authdata * const*authdata, 8111 krb5_authdata ***container); 8112 8113 /* 8114 * AD-KDCIssued 8115 */ 8116 /** 8117 * Encode and sign AD-KDCIssued authorization data. 8118 * 8119 * @param [in] context Library context 8120 * @param [in] key Session key 8121 * @param [in] issuer The name of the issuing principal 8122 * @param [in] authdata List of authorization data to be signed 8123 * @param [out] ad_kdcissued List containing AD-KDCIssued authdata 8124 * 8125 * This function wraps a list of authorization data entries @a authdata in an 8126 * AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with @a key. 8127 * The result is returned in @a ad_kdcissued as a single-element list. 8128 */ 8129 krb5_error_code KRB5_CALLCONV 8130 krb5_make_authdata_kdc_issued(krb5_context context, 8131 const krb5_keyblock *key, 8132 krb5_const_principal issuer, 8133 krb5_authdata *const *authdata, 8134 krb5_authdata ***ad_kdcissued); 8135 8136 /** 8137 * Unwrap and verify AD-KDCIssued authorization data. 8138 * 8139 * @param [in] context Library context 8140 * @param [in] key Session key 8141 * @param [in] ad_kdcissued AD-KDCIssued authorization data to be unwrapped 8142 * @param [out] issuer Name of issuing principal (or NULL) 8143 * @param [out] authdata Unwrapped list of authorization data 8144 * 8145 * This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 8146 * 5.2.6.2) and verifies its signature against @a key. The issuer field of the 8147 * authdatum element is returned in @a issuer, and the unwrapped list of 8148 * authdata is returned in @a authdata. 8149 */ 8150 krb5_error_code KRB5_CALLCONV 8151 krb5_verify_authdata_kdc_issued(krb5_context context, 8152 const krb5_keyblock *key, 8153 const krb5_authdata *ad_kdcissued, 8154 krb5_principal *issuer, 8155 krb5_authdata ***authdata); 8156 8157 /* 8158 * Windows PAC 8159 */ 8160 8161 /* Microsoft defined types of data */ 8162 #define KRB5_PAC_LOGON_INFO 1 /**< Logon information */ 8163 #define KRB5_PAC_CREDENTIALS_INFO 2 /**< Credentials information */ 8164 #define KRB5_PAC_SERVER_CHECKSUM 6 /**< Server checksum */ 8165 #define KRB5_PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */ 8166 #define KRB5_PAC_CLIENT_INFO 10 /**< Client name and ticket info */ 8167 #define KRB5_PAC_DELEGATION_INFO 11 /**< Constrained delegation info */ 8168 #define KRB5_PAC_UPN_DNS_INFO 12 /**< User principal name and DNS info */ 8169 #define KRB5_PAC_CLIENT_CLAIMS 13 /**< Client claims information */ 8170 #define KRB5_PAC_DEVICE_INFO 14 /**< Device information */ 8171 #define KRB5_PAC_DEVICE_CLAIMS 15 /**< Device claims information */ 8172 #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ 8173 #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ 8174 #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ 8175 #define KRB5_PAC_FULL_CHECKSUM 19 /**< KDC full checksum */ 8176 8177 struct krb5_pac_data; 8178 /** PAC data structure to convey authorization information */ 8179 typedef struct krb5_pac_data *krb5_pac; 8180 8181 /** 8182 * Add a buffer to a PAC handle. 8183 * 8184 * @param [in] context Library context 8185 * @param [in] pac PAC handle 8186 * @param [in] type Buffer type 8187 * @param [in] data contents 8188 * 8189 * This function adds a buffer of type @a type and contents @a data to @a pac 8190 * if there isn't already a buffer of this type present. 8191 * 8192 * The valid values of @a type is one of the following: 8193 * @li #KRB5_PAC_LOGON_INFO - Logon information 8194 * @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information 8195 * @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum 8196 * @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum 8197 * @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information 8198 * @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information 8199 * @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information 8200 * 8201 * @retval 0 Success; otherwise - Kerberos error codes 8202 */ 8203 krb5_error_code KRB5_CALLCONV 8204 krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, 8205 const krb5_data *data); 8206 8207 /** 8208 * Free a PAC handle. 8209 * 8210 * @param [in] context Library context 8211 * @param [in] pac PAC to be freed 8212 * 8213 * This function frees the contents of @a pac and the structure itself. 8214 */ 8215 void KRB5_CALLCONV 8216 krb5_pac_free(krb5_context context, krb5_pac pac); 8217 8218 /** 8219 * Retrieve a buffer value from a PAC. 8220 * 8221 * @param [in] context Library context 8222 * @param [in] pac PAC handle 8223 * @param [in] type Type of buffer to retrieve 8224 * @param [out] data Buffer value 8225 * 8226 * Use krb5_free_data_contents() to free @a data when it is no longer needed. 8227 * 8228 * @retval 0 Success; otherwise - Kerberos error codes 8229 */ 8230 krb5_error_code KRB5_CALLCONV 8231 krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, 8232 krb5_data *data); 8233 8234 /** 8235 * Return an array of buffer types in a PAC handle. 8236 * 8237 * @param [in] context Library context 8238 * @param [in] pac PAC handle 8239 * @param [out] len Number of entries in @a types 8240 * @param [out] types Array of buffer types 8241 * 8242 * @retval 0 Success; otherwise - Kerberos error codes 8243 */ 8244 krb5_error_code KRB5_CALLCONV 8245 krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len, 8246 krb5_ui_4 **types); 8247 8248 /** 8249 * Create an empty Privilege Attribute Certificate (PAC) handle. 8250 * 8251 * @param [in] context Library context 8252 * @param [out] pac New PAC handle 8253 * 8254 * Use krb5_pac_free() to free @a pac when it is no longer needed. 8255 * 8256 * @retval 0 Success; otherwise - Kerberos error codes 8257 */ 8258 krb5_error_code KRB5_CALLCONV 8259 krb5_pac_init(krb5_context context, krb5_pac *pac); 8260 8261 /** 8262 * Unparse an encoded PAC into a new handle. 8263 * 8264 * @param [in] context Library context 8265 * @param [in] ptr PAC buffer 8266 * @param [in] len Length of @a ptr 8267 * @param [out] pac PAC handle 8268 * 8269 * Use krb5_pac_free() to free @a pac when it is no longer needed. 8270 * 8271 * @retval 0 Success; otherwise - Kerberos error codes 8272 */ 8273 krb5_error_code KRB5_CALLCONV 8274 krb5_pac_parse(krb5_context context, const void *ptr, size_t len, 8275 krb5_pac *pac); 8276 8277 /** 8278 * Verify a PAC. 8279 * 8280 * @param [in] context Library context 8281 * @param [in] pac PAC handle 8282 * @param [in] authtime Expected timestamp 8283 * @param [in] principal Expected principal name (or NULL) 8284 * @param [in] server Key to validate server checksum (or NULL) 8285 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8286 * 8287 * This function validates @a pac against the supplied @a server, @a privsvr, 8288 * @a principal and @a authtime. If @a principal is NULL, the principal and 8289 * authtime are not verified. If @a server or @a privsvr is NULL, the 8290 * corresponding checksum is not verified. 8291 * 8292 * If successful, @a pac is marked as verified. 8293 * 8294 * @note A checksum mismatch can occur if the PAC was copied from a cross-realm 8295 * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) 8296 * generates PACs with no server checksum at all. One should consider not 8297 * failing the whole authentication because of this reason, but, instead, 8298 * treating the ticket as if it did not contain a PAC or marking the PAC 8299 * information as non-verified. 8300 * 8301 * @retval 0 Success; otherwise - Kerberos error codes 8302 */ 8303 krb5_error_code KRB5_CALLCONV 8304 krb5_pac_verify(krb5_context context, const krb5_pac pac, 8305 krb5_timestamp authtime, krb5_const_principal principal, 8306 const krb5_keyblock *server, const krb5_keyblock *privsvr); 8307 8308 /** 8309 * Verify a PAC, possibly from a specified realm. 8310 * 8311 * @param [in] context Library context 8312 * @param [in] pac PAC handle 8313 * @param [in] authtime Expected timestamp 8314 * @param [in] principal Expected principal name (or NULL) 8315 * @param [in] server Key to validate server checksum (or NULL) 8316 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8317 * @param [in] with_realm If true, expect the realm of @a principal 8318 * 8319 * This function is similar to krb5_pac_verify(), but adds a parameter 8320 * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field is 8321 * expected to include the realm of @a principal as well as the name. This 8322 * flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs. 8323 * 8324 * @version New in 1.17 8325 */ 8326 krb5_error_code KRB5_CALLCONV 8327 krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, 8328 krb5_timestamp authtime, krb5_const_principal principal, 8329 const krb5_keyblock *server, const krb5_keyblock *privsvr, 8330 krb5_boolean with_realm); 8331 8332 /** 8333 * Verify a PAC, possibly including ticket signature 8334 * 8335 * @param [in] context Library context 8336 * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC 8337 * @param [in] server_princ Canonicalized name of ticket server 8338 * @param [in] server Key to validate server checksum (or NULL) 8339 * @param [in] privsvr Key to validate KDC checksum (or NULL) 8340 * @param [out] pac_out Verified PAC (NULL if no PAC included) 8341 * 8342 * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is 8343 * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service, 8344 * require a ticket signature over @a enc_tkt in addition to the KDC signature. 8345 * Place the verified PAC in @a pac_out. If an invalid PAC signature is found, 8346 * return an error matching the Windows KDC protocol code for that condition as 8347 * closely as possible. 8348 * 8349 * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return 8350 * successfully. 8351 * 8352 * @note This function does not validate the PAC_CLIENT_INFO buffer. If a 8353 * specific value is expected, the caller can make a separate call to 8354 * krb5_pac_verify_ext() with a principal but no keys. 8355 * 8356 * @retval 0 Success; otherwise - Kerberos error codes 8357 * 8358 * @version New in 1.20 8359 */ 8360 krb5_error_code KRB5_CALLCONV 8361 krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, 8362 krb5_const_principal server_princ, 8363 const krb5_keyblock *server, 8364 const krb5_keyblock *privsvr, krb5_pac *pac_out); 8365 8366 /** @deprecated Use krb5_kdc_sign_ticket() instead. */ 8367 krb5_error_code KRB5_CALLCONV 8368 krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, 8369 krb5_const_principal principal, const krb5_keyblock *server_key, 8370 const krb5_keyblock *privsvr_key, krb5_data *data); 8371 8372 /** @deprecated Use krb5_kdc_sign_ticket() instead. */ 8373 krb5_error_code KRB5_CALLCONV 8374 krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, 8375 krb5_const_principal principal, 8376 const krb5_keyblock *server_key, 8377 const krb5_keyblock *privsvr_key, krb5_boolean with_realm, 8378 krb5_data *data); 8379 8380 /** 8381 * Sign a PAC, possibly including a ticket signature 8382 * 8383 * @param [in] context Library context 8384 * @param [in] enc_tkt The ticket for the signature 8385 * @param [in] pac PAC handle 8386 * @param [in] server_princ Canonical ticket server name 8387 * @param [in] client_princ PAC_CLIENT_INFO principal (or NULL) 8388 * @param [in] server Key for server checksum 8389 * @param [in] privsvr Key for KDC and ticket checksum 8390 * @param [in] with_realm If true, include the realm of @a principal 8391 * 8392 * Sign @a pac using the keys @a server and @a privsvr. Include a ticket 8393 * signature over @a enc_tkt if @a server_princ is not a TGS or kadmin/changepw 8394 * principal name. Add the signed PAC's encoding to the authorization data of 8395 * @a enc_tkt in the first slot, wrapped in an AD-IF-RELEVANT container. If @a 8396 * client_princ is non-null, add a PAC_CLIENT_INFO buffer, including the realm 8397 * if @a with_realm is true. 8398 * 8399 * @retval 0 on success, otherwise - Kerberos error codes 8400 * 8401 * @version New in 1.20 8402 */ 8403 krb5_error_code KRB5_CALLCONV 8404 krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, 8405 const krb5_pac pac, krb5_const_principal server_princ, 8406 krb5_const_principal client_princ, 8407 const krb5_keyblock *server, const krb5_keyblock *privsvr, 8408 krb5_boolean with_realm); 8409 8410 /** 8411 * Read client information from a PAC. 8412 * 8413 * @param [in] context Library context 8414 * @param [in] pac PAC handle 8415 * @param [out] authtime_out Authentication timestamp (NULL if not needed) 8416 * @param [out] princname_out Client account name 8417 * 8418 * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as 8419 * a string in @a princname_out. If @a authtime_out is not NULL, place the 8420 * initial authentication timestamp in @a authtime_out. 8421 * 8422 * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a 8423 * pac, ERANGE if the buffer contains invalid lengths. 8424 * 8425 * @version New in 1.18 8426 */ 8427 krb5_error_code KRB5_CALLCONV 8428 krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, 8429 krb5_timestamp *authtime_out, char **princname_out); 8430 8431 /** 8432 * Allow the application to override the profile's allow_weak_crypto setting. 8433 * 8434 * @param [in] context Library context 8435 * @param [in] enable Boolean flag 8436 * 8437 * This function allows an application to override the allow_weak_crypto 8438 * setting. It is primarily for use by aklog. 8439 * 8440 * @retval 0 (always) 8441 */ 8442 krb5_error_code KRB5_CALLCONV 8443 krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable); 8444 8445 /** 8446 * A wrapper for passing information to a @c krb5_trace_callback. 8447 * 8448 * Currently, it only contains the formatted message as determined 8449 * the the format string and arguments of the tracing macro, but it 8450 * may be extended to contain more fields in the future. 8451 */ 8452 typedef struct _krb5_trace_info { 8453 const char *message; 8454 } krb5_trace_info; 8455 8456 typedef void 8457 (KRB5_CALLCONV *krb5_trace_callback)(krb5_context context, 8458 const krb5_trace_info *info, 8459 void *cb_data); 8460 8461 /** 8462 * Specify a callback function for trace events. 8463 * 8464 * @param [in] context Library context 8465 * @param [in] fn Callback function 8466 * @param [in] cb_data Callback data 8467 * 8468 * Specify a callback for trace events occurring in krb5 operations performed 8469 * within @a context. @a fn will be invoked with @a context as the first 8470 * argument, @a cb_data as the last argument, and a pointer to a 8471 * krb5_trace_info as the second argument. If the trace callback is reset via 8472 * this function or @a context is destroyed, @a fn will be invoked with a NULL 8473 * second argument so it can clean up @a cb_data. Supply a NULL value for @a 8474 * fn to disable trace callbacks within @a context. 8475 * 8476 * @note This function overrides the information passed through the 8477 * @a KRB5_TRACE environment variable. 8478 * 8479 * @version New in 1.9 8480 * 8481 * @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library 8482 * (unless @a fn is NULL). 8483 */ 8484 krb5_error_code KRB5_CALLCONV 8485 krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, 8486 void *cb_data); 8487 8488 /** 8489 * Specify a file name for directing trace events. 8490 * 8491 * @param [in] context Library context 8492 * @param [in] filename File name 8493 * 8494 * Open @a filename for appending (creating it, if necessary) and set up a 8495 * callback to write trace events to it. 8496 * 8497 * @note This function overrides the information passed through the 8498 * @a KRB5_TRACE environment variable. 8499 * 8500 * @version New in 1.9 8501 * 8502 * @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library. 8503 */ 8504 krb5_error_code KRB5_CALLCONV 8505 krb5_set_trace_filename(krb5_context context, const char *filename); 8506 8507 8508 /** 8509 * Hook function for inspecting or modifying messages sent to KDCs. 8510 * 8511 * @param [in] context Library context 8512 * @param [in] data Callback data 8513 * @param [in] realm The realm the message will be sent to 8514 * @param [in] message The original message to be sent to the KDC 8515 * @param [out] new_message_out Optional replacement message to be sent 8516 * @param [out] new_reply_out Optional synthetic reply 8517 * 8518 * If the hook function returns an error code, the KDC communication will be 8519 * aborted and the error code will be returned to the library operation which 8520 * initiated the communication. 8521 * 8522 * If the hook function sets @a new_reply_out, @a message will not be sent to 8523 * the KDC, and the given reply will used instead. 8524 * 8525 * If the hook function sets @a new_message_out, the given message will be sent 8526 * to the KDC in place of @a message. 8527 * 8528 * If the hook function returns successfully without setting either output, 8529 * @a message will be sent to the KDC normally. 8530 * 8531 * The hook function should use krb5_copy_data() to construct the value for 8532 * @a new_message_out or @a reply_out, to ensure that it can be freed correctly 8533 * by the library. 8534 * 8535 * @version New in 1.15 8536 * 8537 * @retval 0 Success 8538 * @return A Kerberos error code 8539 */ 8540 typedef krb5_error_code 8541 (KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, 8542 const krb5_data *realm, 8543 const krb5_data *message, 8544 krb5_data **new_message_out, 8545 krb5_data **new_reply_out); 8546 8547 /** 8548 * Hook function for inspecting or overriding KDC replies. 8549 * 8550 * @param [in] context Library context 8551 * @param [in] data Callback data 8552 * @param [in] code Status of KDC communication 8553 * @param [in] realm The realm the reply was received from 8554 * @param [in] message The message sent to the realm's KDC 8555 * @param [in] reply The reply received from the KDC 8556 * @param [out] new_reply_out Optional replacement reply 8557 * 8558 * If @a code is zero, @a reply contains the reply received from the KDC. The 8559 * hook function may return an error code to simulate an error, may synthesize 8560 * a different reply by setting @a new_reply_out, or may simply return 8561 * successfully to do nothing. 8562 * 8563 * If @a code is non-zero, KDC communication failed and @a reply should be 8564 * ignored. The hook function may return @a code or a different error code, or 8565 * may synthesize a reply by setting @a new_reply_out and return successfully. 8566 * 8567 * The hook function should use krb5_copy_data() to construct the value for 8568 * @a new_reply_out, to ensure that it can be freed correctly by the library. 8569 * 8570 * @version New in 1.15 8571 * 8572 * @retval 0 Success 8573 * @return A Kerberos error code 8574 */ 8575 typedef krb5_error_code 8576 (KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, 8577 krb5_error_code code, 8578 const krb5_data *realm, 8579 const krb5_data *message, 8580 const krb5_data *reply, 8581 krb5_data **new_reply_out); 8582 8583 /** 8584 * Set a KDC pre-send hook function. 8585 * 8586 * @param [in] context Library context 8587 * @param [in] send_hook Hook function (or NULL to disable the hook) 8588 * @param [in] data Callback data to be passed to @a send_hook 8589 * 8590 * @a send_hook will be called before messages are sent to KDCs by library 8591 * functions such as krb5_get_credentials(). The hook function may inspect, 8592 * override, or synthesize its own reply to the message. 8593 * 8594 * @version New in 1.15 8595 */ 8596 void KRB5_CALLCONV 8597 krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, 8598 void *data); 8599 8600 /** 8601 * Set a KDC post-receive hook function. 8602 * 8603 * @param [in] context The library context. 8604 * @param [in] recv_hook Hook function (or NULL to disable the hook) 8605 * @param [in] data Callback data to be passed to @a recv_hook 8606 * 8607 * @a recv_hook will be called after a reply is received from a KDC during a 8608 * call to a library function such as krb5_get_credentials(). The hook 8609 * function may inspect or override the reply. This hook will not be executed 8610 * if the pre-send hook returns a synthetic reply. 8611 * 8612 * @version New in 1.15 8613 */ 8614 void KRB5_CALLCONV 8615 krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, 8616 void *data); 8617 8618 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) 8619 #pragma pack(pop) 8620 #endif 8621 8622 KRB5INT_END_DECLS 8623 8624 /* Don't use this! We're going to phase it out. It's just here to keep 8625 applications from breaking right away. */ 8626 #define krb5_const const 8627 8628 #undef KRB5_ATTR_DEPRECATED 8629 8630 #endif /* KRB5_GENERAL__ */ 8631 /* 8632 * et-h-krb5_err.h: 8633 * This file is automatically generated; please do not edit it. 8634 */ 8635 8636 #include <com_err.h> 8637 8638 #define KRB5KDC_ERR_NONE (-1765328384L) 8639 #define KRB5KDC_ERR_NAME_EXP (-1765328383L) 8640 #define KRB5KDC_ERR_SERVICE_EXP (-1765328382L) 8641 #define KRB5KDC_ERR_BAD_PVNO (-1765328381L) 8642 #define KRB5KDC_ERR_C_OLD_MAST_KVNO (-1765328380L) 8643 #define KRB5KDC_ERR_S_OLD_MAST_KVNO (-1765328379L) 8644 #define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L) 8645 #define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L) 8646 #define KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE (-1765328376L) 8647 #define KRB5KDC_ERR_NULL_KEY (-1765328375L) 8648 #define KRB5KDC_ERR_CANNOT_POSTDATE (-1765328374L) 8649 #define KRB5KDC_ERR_NEVER_VALID (-1765328373L) 8650 #define KRB5KDC_ERR_POLICY (-1765328372L) 8651 #define KRB5KDC_ERR_BADOPTION (-1765328371L) 8652 #define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L) 8653 #define KRB5KDC_ERR_SUMTYPE_NOSUPP (-1765328369L) 8654 #define KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368L) 8655 #define KRB5KDC_ERR_TRTYPE_NOSUPP (-1765328367L) 8656 #define KRB5KDC_ERR_CLIENT_REVOKED (-1765328366L) 8657 #define KRB5KDC_ERR_SERVICE_REVOKED (-1765328365L) 8658 #define KRB5KDC_ERR_TGT_REVOKED (-1765328364L) 8659 #define KRB5KDC_ERR_CLIENT_NOTYET (-1765328363L) 8660 #define KRB5KDC_ERR_SERVICE_NOTYET (-1765328362L) 8661 #define KRB5KDC_ERR_KEY_EXP (-1765328361L) 8662 #define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L) 8663 #define KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359L) 8664 #define KRB5KDC_ERR_SERVER_NOMATCH (-1765328358L) 8665 #define KRB5KDC_ERR_MUST_USE_USER2USER (-1765328357L) 8666 #define KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356L) 8667 #define KRB5KDC_ERR_SVC_UNAVAILABLE (-1765328355L) 8668 #define KRB5PLACEHOLD_30 (-1765328354L) 8669 #define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L) 8670 #define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L) 8671 #define KRB5KRB_AP_ERR_TKT_NYV (-1765328351L) 8672 #define KRB5KRB_AP_ERR_REPEAT (-1765328350L) 8673 #define KRB5KRB_AP_ERR_NOT_US (-1765328349L) 8674 #define KRB5KRB_AP_ERR_BADMATCH (-1765328348L) 8675 #define KRB5KRB_AP_ERR_SKEW (-1765328347L) 8676 #define KRB5KRB_AP_ERR_BADADDR (-1765328346L) 8677 #define KRB5KRB_AP_ERR_BADVERSION (-1765328345L) 8678 #define KRB5KRB_AP_ERR_MSG_TYPE (-1765328344L) 8679 #define KRB5KRB_AP_ERR_MODIFIED (-1765328343L) 8680 #define KRB5KRB_AP_ERR_BADORDER (-1765328342L) 8681 #define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328341L) 8682 #define KRB5KRB_AP_ERR_BADKEYVER (-1765328340L) 8683 #define KRB5KRB_AP_ERR_NOKEY (-1765328339L) 8684 #define KRB5KRB_AP_ERR_MUT_FAIL (-1765328338L) 8685 #define KRB5KRB_AP_ERR_BADDIRECTION (-1765328337L) 8686 #define KRB5KRB_AP_ERR_METHOD (-1765328336L) 8687 #define KRB5KRB_AP_ERR_BADSEQ (-1765328335L) 8688 #define KRB5KRB_AP_ERR_INAPP_CKSUM (-1765328334L) 8689 #define KRB5KRB_AP_PATH_NOT_ACCEPTED (-1765328333L) 8690 #define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) 8691 #define KRB5PLACEHOLD_53 (-1765328331L) 8692 #define KRB5PLACEHOLD_54 (-1765328330L) 8693 #define KRB5PLACEHOLD_55 (-1765328329L) 8694 #define KRB5PLACEHOLD_56 (-1765328328L) 8695 #define KRB5PLACEHOLD_57 (-1765328327L) 8696 #define KRB5PLACEHOLD_58 (-1765328326L) 8697 #define KRB5PLACEHOLD_59 (-1765328325L) 8698 #define KRB5KRB_ERR_GENERIC (-1765328324L) 8699 #define KRB5KRB_ERR_FIELD_TOOLONG (-1765328323L) 8700 #define KRB5KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322L) 8701 #define KRB5KDC_ERR_KDC_NOT_TRUSTED (-1765328321L) 8702 #define KRB5KDC_ERR_INVALID_SIG (-1765328320L) 8703 #define KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (-1765328319L) 8704 #define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-1765328318L) 8705 #define KRB5KRB_AP_ERR_NO_TGT (-1765328317L) 8706 #define KRB5KDC_ERR_WRONG_REALM (-1765328316L) 8707 #define KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED (-1765328315L) 8708 #define KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE (-1765328314L) 8709 #define KRB5KDC_ERR_INVALID_CERTIFICATE (-1765328313L) 8710 #define KRB5KDC_ERR_REVOKED_CERTIFICATE (-1765328312L) 8711 #define KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN (-1765328311L) 8712 #define KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (-1765328310L) 8713 #define KRB5KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309L) 8714 #define KRB5KDC_ERR_KDC_NAME_MISMATCH (-1765328308L) 8715 #define KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE (-1765328307L) 8716 #define KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (-1765328306L) 8717 #define KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305L) 8718 #define KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (-1765328304L) 8719 #define KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (-1765328303L) 8720 #define KRB5PLACEHOLD_82 (-1765328302L) 8721 #define KRB5PLACEHOLD_83 (-1765328301L) 8722 #define KRB5PLACEHOLD_84 (-1765328300L) 8723 #define KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND (-1765328299L) 8724 #define KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE (-1765328298L) 8725 #define KRB5PLACEHOLD_87 (-1765328297L) 8726 #define KRB5PLACEHOLD_88 (-1765328296L) 8727 #define KRB5PLACEHOLD_89 (-1765328295L) 8728 #define KRB5KDC_ERR_PREAUTH_EXPIRED (-1765328294L) 8729 #define KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (-1765328293L) 8730 #define KRB5PLACEHOLD_92 (-1765328292L) 8731 #define KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION (-1765328291L) 8732 #define KRB5PLACEHOLD_94 (-1765328290L) 8733 #define KRB5PLACEHOLD_95 (-1765328289L) 8734 #define KRB5PLACEHOLD_96 (-1765328288L) 8735 #define KRB5PLACEHOLD_97 (-1765328287L) 8736 #define KRB5PLACEHOLD_98 (-1765328286L) 8737 #define KRB5PLACEHOLD_99 (-1765328285L) 8738 #define KRB5KDC_ERR_NO_ACCEPTABLE_KDF (-1765328284L) 8739 #define KRB5PLACEHOLD_101 (-1765328283L) 8740 #define KRB5PLACEHOLD_102 (-1765328282L) 8741 #define KRB5PLACEHOLD_103 (-1765328281L) 8742 #define KRB5PLACEHOLD_104 (-1765328280L) 8743 #define KRB5PLACEHOLD_105 (-1765328279L) 8744 #define KRB5PLACEHOLD_106 (-1765328278L) 8745 #define KRB5PLACEHOLD_107 (-1765328277L) 8746 #define KRB5PLACEHOLD_108 (-1765328276L) 8747 #define KRB5PLACEHOLD_109 (-1765328275L) 8748 #define KRB5PLACEHOLD_110 (-1765328274L) 8749 #define KRB5PLACEHOLD_111 (-1765328273L) 8750 #define KRB5PLACEHOLD_112 (-1765328272L) 8751 #define KRB5PLACEHOLD_113 (-1765328271L) 8752 #define KRB5PLACEHOLD_114 (-1765328270L) 8753 #define KRB5PLACEHOLD_115 (-1765328269L) 8754 #define KRB5PLACEHOLD_116 (-1765328268L) 8755 #define KRB5PLACEHOLD_117 (-1765328267L) 8756 #define KRB5PLACEHOLD_118 (-1765328266L) 8757 #define KRB5PLACEHOLD_119 (-1765328265L) 8758 #define KRB5PLACEHOLD_120 (-1765328264L) 8759 #define KRB5PLACEHOLD_121 (-1765328263L) 8760 #define KRB5PLACEHOLD_122 (-1765328262L) 8761 #define KRB5PLACEHOLD_123 (-1765328261L) 8762 #define KRB5PLACEHOLD_124 (-1765328260L) 8763 #define KRB5PLACEHOLD_125 (-1765328259L) 8764 #define KRB5PLACEHOLD_126 (-1765328258L) 8765 #define KRB5PLACEHOLD_127 (-1765328257L) 8766 #define KRB5_ERR_RCSID (-1765328256L) 8767 #define KRB5_LIBOS_BADLOCKFLAG (-1765328255L) 8768 #define KRB5_LIBOS_CANTREADPWD (-1765328254L) 8769 #define KRB5_LIBOS_BADPWDMATCH (-1765328253L) 8770 #define KRB5_LIBOS_PWDINTR (-1765328252L) 8771 #define KRB5_PARSE_ILLCHAR (-1765328251L) 8772 #define KRB5_PARSE_MALFORMED (-1765328250L) 8773 #define KRB5_CONFIG_CANTOPEN (-1765328249L) 8774 #define KRB5_CONFIG_BADFORMAT (-1765328248L) 8775 #define KRB5_CONFIG_NOTENUFSPACE (-1765328247L) 8776 #define KRB5_BADMSGTYPE (-1765328246L) 8777 #define KRB5_CC_BADNAME (-1765328245L) 8778 #define KRB5_CC_UNKNOWN_TYPE (-1765328244L) 8779 #define KRB5_CC_NOTFOUND (-1765328243L) 8780 #define KRB5_CC_END (-1765328242L) 8781 #define KRB5_NO_TKT_SUPPLIED (-1765328241L) 8782 #define KRB5KRB_AP_WRONG_PRINC (-1765328240L) 8783 #define KRB5KRB_AP_ERR_TKT_INVALID (-1765328239L) 8784 #define KRB5_PRINC_NOMATCH (-1765328238L) 8785 #define KRB5_KDCREP_MODIFIED (-1765328237L) 8786 #define KRB5_KDCREP_SKEW (-1765328236L) 8787 #define KRB5_IN_TKT_REALM_MISMATCH (-1765328235L) 8788 #define KRB5_PROG_ETYPE_NOSUPP (-1765328234L) 8789 #define KRB5_PROG_KEYTYPE_NOSUPP (-1765328233L) 8790 #define KRB5_WRONG_ETYPE (-1765328232L) 8791 #define KRB5_PROG_SUMTYPE_NOSUPP (-1765328231L) 8792 #define KRB5_REALM_UNKNOWN (-1765328230L) 8793 #define KRB5_SERVICE_UNKNOWN (-1765328229L) 8794 #define KRB5_KDC_UNREACH (-1765328228L) 8795 #define KRB5_NO_LOCALNAME (-1765328227L) 8796 #define KRB5_MUTUAL_FAILED (-1765328226L) 8797 #define KRB5_RC_TYPE_EXISTS (-1765328225L) 8798 #define KRB5_RC_MALLOC (-1765328224L) 8799 #define KRB5_RC_TYPE_NOTFOUND (-1765328223L) 8800 #define KRB5_RC_UNKNOWN (-1765328222L) 8801 #define KRB5_RC_REPLAY (-1765328221L) 8802 #define KRB5_RC_IO (-1765328220L) 8803 #define KRB5_RC_NOIO (-1765328219L) 8804 #define KRB5_RC_PARSE (-1765328218L) 8805 #define KRB5_RC_IO_EOF (-1765328217L) 8806 #define KRB5_RC_IO_MALLOC (-1765328216L) 8807 #define KRB5_RC_IO_PERM (-1765328215L) 8808 #define KRB5_RC_IO_IO (-1765328214L) 8809 #define KRB5_RC_IO_UNKNOWN (-1765328213L) 8810 #define KRB5_RC_IO_SPACE (-1765328212L) 8811 #define KRB5_TRANS_CANTOPEN (-1765328211L) 8812 #define KRB5_TRANS_BADFORMAT (-1765328210L) 8813 #define KRB5_LNAME_CANTOPEN (-1765328209L) 8814 #define KRB5_LNAME_NOTRANS (-1765328208L) 8815 #define KRB5_LNAME_BADFORMAT (-1765328207L) 8816 #define KRB5_CRYPTO_INTERNAL (-1765328206L) 8817 #define KRB5_KT_BADNAME (-1765328205L) 8818 #define KRB5_KT_UNKNOWN_TYPE (-1765328204L) 8819 #define KRB5_KT_NOTFOUND (-1765328203L) 8820 #define KRB5_KT_END (-1765328202L) 8821 #define KRB5_KT_NOWRITE (-1765328201L) 8822 #define KRB5_KT_IOERR (-1765328200L) 8823 #define KRB5_NO_TKT_IN_RLM (-1765328199L) 8824 #define KRB5DES_BAD_KEYPAR (-1765328198L) 8825 #define KRB5DES_WEAK_KEY (-1765328197L) 8826 #define KRB5_BAD_ENCTYPE (-1765328196L) 8827 #define KRB5_BAD_KEYSIZE (-1765328195L) 8828 #define KRB5_BAD_MSIZE (-1765328194L) 8829 #define KRB5_CC_TYPE_EXISTS (-1765328193L) 8830 #define KRB5_KT_TYPE_EXISTS (-1765328192L) 8831 #define KRB5_CC_IO (-1765328191L) 8832 #define KRB5_FCC_PERM (-1765328190L) 8833 #define KRB5_FCC_NOFILE (-1765328189L) 8834 #define KRB5_FCC_INTERNAL (-1765328188L) 8835 #define KRB5_CC_WRITE (-1765328187L) 8836 #define KRB5_CC_NOMEM (-1765328186L) 8837 #define KRB5_CC_FORMAT (-1765328185L) 8838 #define KRB5_CC_NOT_KTYPE (-1765328184L) 8839 #define KRB5_INVALID_FLAGS (-1765328183L) 8840 #define KRB5_NO_2ND_TKT (-1765328182L) 8841 #define KRB5_NOCREDS_SUPPLIED (-1765328181L) 8842 #define KRB5_SENDAUTH_BADAUTHVERS (-1765328180L) 8843 #define KRB5_SENDAUTH_BADAPPLVERS (-1765328179L) 8844 #define KRB5_SENDAUTH_BADRESPONSE (-1765328178L) 8845 #define KRB5_SENDAUTH_REJECTED (-1765328177L) 8846 #define KRB5_PREAUTH_BAD_TYPE (-1765328176L) 8847 #define KRB5_PREAUTH_NO_KEY (-1765328175L) 8848 #define KRB5_PREAUTH_FAILED (-1765328174L) 8849 #define KRB5_RCACHE_BADVNO (-1765328173L) 8850 #define KRB5_CCACHE_BADVNO (-1765328172L) 8851 #define KRB5_KEYTAB_BADVNO (-1765328171L) 8852 #define KRB5_PROG_ATYPE_NOSUPP (-1765328170L) 8853 #define KRB5_RC_REQUIRED (-1765328169L) 8854 #define KRB5_ERR_BAD_HOSTNAME (-1765328168L) 8855 #define KRB5_ERR_HOST_REALM_UNKNOWN (-1765328167L) 8856 #define KRB5_SNAME_UNSUPP_NAMETYPE (-1765328166L) 8857 #define KRB5KRB_AP_ERR_V4_REPLY (-1765328165L) 8858 #define KRB5_REALM_CANT_RESOLVE (-1765328164L) 8859 #define KRB5_TKT_NOT_FORWARDABLE (-1765328163L) 8860 #define KRB5_FWD_BAD_PRINCIPAL (-1765328162L) 8861 #define KRB5_GET_IN_TKT_LOOP (-1765328161L) 8862 #define KRB5_CONFIG_NODEFREALM (-1765328160L) 8863 #define KRB5_SAM_UNSUPPORTED (-1765328159L) 8864 #define KRB5_SAM_INVALID_ETYPE (-1765328158L) 8865 #define KRB5_SAM_NO_CHECKSUM (-1765328157L) 8866 #define KRB5_SAM_BAD_CHECKSUM (-1765328156L) 8867 #define KRB5_KT_NAME_TOOLONG (-1765328155L) 8868 #define KRB5_KT_KVNONOTFOUND (-1765328154L) 8869 #define KRB5_APPL_EXPIRED (-1765328153L) 8870 #define KRB5_LIB_EXPIRED (-1765328152L) 8871 #define KRB5_CHPW_PWDNULL (-1765328151L) 8872 #define KRB5_CHPW_FAIL (-1765328150L) 8873 #define KRB5_KT_FORMAT (-1765328149L) 8874 #define KRB5_NOPERM_ETYPE (-1765328148L) 8875 #define KRB5_CONFIG_ETYPE_NOSUPP (-1765328147L) 8876 #define KRB5_OBSOLETE_FN (-1765328146L) 8877 #define KRB5_EAI_FAIL (-1765328145L) 8878 #define KRB5_EAI_NODATA (-1765328144L) 8879 #define KRB5_EAI_NONAME (-1765328143L) 8880 #define KRB5_EAI_SERVICE (-1765328142L) 8881 #define KRB5_ERR_NUMERIC_REALM (-1765328141L) 8882 #define KRB5_ERR_BAD_S2K_PARAMS (-1765328140L) 8883 #define KRB5_ERR_NO_SERVICE (-1765328139L) 8884 #define KRB5_CC_READONLY (-1765328138L) 8885 #define KRB5_CC_NOSUPP (-1765328137L) 8886 #define KRB5_DELTAT_BADFORMAT (-1765328136L) 8887 #define KRB5_PLUGIN_NO_HANDLE (-1765328135L) 8888 #define KRB5_PLUGIN_OP_NOTSUPP (-1765328134L) 8889 #define KRB5_ERR_INVALID_UTF8 (-1765328133L) 8890 #define KRB5_ERR_FAST_REQUIRED (-1765328132L) 8891 #define KRB5_LOCAL_ADDR_REQUIRED (-1765328131L) 8892 #define KRB5_REMOTE_ADDR_REQUIRED (-1765328130L) 8893 #define KRB5_TRACE_NOSUPP (-1765328129L) 8894 #define ERROR_TABLE_BASE_krb5 (-1765328384L) 8895 8896 extern const struct error_table et_krb5_error_table; 8897 8898 #if !defined(_WIN32) 8899 /* for compatibility with older versions... */ 8900 extern void initialize_krb5_error_table (void) /*@modifies internalState@*/; 8901 #else 8902 #define initialize_krb5_error_table() 8903 #endif 8904 8905 #if !defined(_WIN32) 8906 #define init_krb5_err_tbl initialize_krb5_error_table 8907 #define krb5_err_base ERROR_TABLE_BASE_krb5 8908 #endif 8909 /* 8910 * et-h-k5e1_err.h: 8911 * This file is automatically generated; please do not edit it. 8912 */ 8913 8914 #include <com_err.h> 8915 8916 #define KRB5_PLUGIN_VER_NOTSUPP (-1750600192L) 8917 #define KRB5_PLUGIN_BAD_MODULE_SPEC (-1750600191L) 8918 #define KRB5_PLUGIN_NAME_NOTFOUND (-1750600190L) 8919 #define KRB5KDC_ERR_DISCARD (-1750600189L) 8920 #define KRB5_DCC_CANNOT_CREATE (-1750600188L) 8921 #define KRB5_KCC_INVALID_ANCHOR (-1750600187L) 8922 #define KRB5_KCC_UNKNOWN_VERSION (-1750600186L) 8923 #define KRB5_KCC_INVALID_UID (-1750600185L) 8924 #define KRB5_KCM_MALFORMED_REPLY (-1750600184L) 8925 #define KRB5_KCM_RPC_ERROR (-1750600183L) 8926 #define KRB5_KCM_REPLY_TOO_BIG (-1750600182L) 8927 #define KRB5_KCM_NO_SERVER (-1750600181L) 8928 #define KRB5_CERTAUTH_HWAUTH (-1750600180L) 8929 #define KRB5_CERTAUTH_HWAUTH_PASS (-1750600179L) 8930 #define ERROR_TABLE_BASE_k5e1 (-1750600192L) 8931 8932 extern const struct error_table et_k5e1_error_table; 8933 8934 #if !defined(_WIN32) 8935 /* for compatibility with older versions... */ 8936 extern void initialize_k5e1_error_table (void) /*@modifies internalState@*/; 8937 #else 8938 #define initialize_k5e1_error_table() 8939 #endif 8940 8941 #if !defined(_WIN32) 8942 #define init_k5e1_err_tbl initialize_k5e1_error_table 8943 #define k5e1_err_base ERROR_TABLE_BASE_k5e1 8944 #endif 8945 /* 8946 * et-h-kdb5_err.h: 8947 * This file is automatically generated; please do not edit it. 8948 */ 8949 8950 #include <com_err.h> 8951 8952 #define KRB5_KDB_RCSID (-1780008448L) 8953 #define KRB5_KDB_INUSE (-1780008447L) 8954 #define KRB5_KDB_UK_SERROR (-1780008446L) 8955 #define KRB5_KDB_UK_RERROR (-1780008445L) 8956 #define KRB5_KDB_UNAUTH (-1780008444L) 8957 #define KRB5_KDB_NOENTRY (-1780008443L) 8958 #define KRB5_KDB_ILL_WILDCARD (-1780008442L) 8959 #define KRB5_KDB_DB_INUSE (-1780008441L) 8960 #define KRB5_KDB_DB_CHANGED (-1780008440L) 8961 #define KRB5_KDB_TRUNCATED_RECORD (-1780008439L) 8962 #define KRB5_KDB_RECURSIVELOCK (-1780008438L) 8963 #define KRB5_KDB_NOTLOCKED (-1780008437L) 8964 #define KRB5_KDB_BADLOCKMODE (-1780008436L) 8965 #define KRB5_KDB_DBNOTINITED (-1780008435L) 8966 #define KRB5_KDB_DBINITED (-1780008434L) 8967 #define KRB5_KDB_ILLDIRECTION (-1780008433L) 8968 #define KRB5_KDB_NOMASTERKEY (-1780008432L) 8969 #define KRB5_KDB_BADMASTERKEY (-1780008431L) 8970 #define KRB5_KDB_INVALIDKEYSIZE (-1780008430L) 8971 #define KRB5_KDB_CANTREAD_STORED (-1780008429L) 8972 #define KRB5_KDB_BADSTORED_MKEY (-1780008428L) 8973 #define KRB5_KDB_NOACTMASTERKEY (-1780008427L) 8974 #define KRB5_KDB_KVNONOMATCH (-1780008426L) 8975 #define KRB5_KDB_STORED_MKEY_NOTCURRENT (-1780008425L) 8976 #define KRB5_KDB_CANTLOCK_DB (-1780008424L) 8977 #define KRB5_KDB_DB_CORRUPT (-1780008423L) 8978 #define KRB5_KDB_BAD_VERSION (-1780008422L) 8979 #define KRB5_KDB_BAD_SALTTYPE (-1780008421L) 8980 #define KRB5_KDB_BAD_ENCTYPE (-1780008420L) 8981 #define KRB5_KDB_BAD_CREATEFLAGS (-1780008419L) 8982 #define KRB5_KDB_NO_PERMITTED_KEY (-1780008418L) 8983 #define KRB5_KDB_NO_MATCHING_KEY (-1780008417L) 8984 #define KRB5_KDB_DBTYPE_NOTFOUND (-1780008416L) 8985 #define KRB5_KDB_DBTYPE_NOSUP (-1780008415L) 8986 #define KRB5_KDB_DBTYPE_INIT (-1780008414L) 8987 #define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008413L) 8988 #define KRB5_KDB_ACCESS_ERROR (-1780008412L) 8989 #define KRB5_KDB_INTERNAL_ERROR (-1780008411L) 8990 #define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008410L) 8991 #define KRB5_LOG_CONV (-1780008409L) 8992 #define KRB5_LOG_UNSTABLE (-1780008408L) 8993 #define KRB5_LOG_CORRUPT (-1780008407L) 8994 #define KRB5_LOG_ERROR (-1780008406L) 8995 #define KRB5_KDB_DBTYPE_MISMATCH (-1780008405L) 8996 #define KRB5_KDB_POLICY_REF (-1780008404L) 8997 #define KRB5_KDB_STRINGS_TOOLONG (-1780008403L) 8998 #define KRB5_KDB_ALIAS_UNSUPPORTED (-1780008402L) 8999 #define ERROR_TABLE_BASE_kdb5 (-1780008448L) 9000 9001 extern const struct error_table et_kdb5_error_table; 9002 9003 #if !defined(_WIN32) 9004 /* for compatibility with older versions... */ 9005 extern void initialize_kdb5_error_table (void) /*@modifies internalState@*/; 9006 #else 9007 #define initialize_kdb5_error_table() 9008 #endif 9009 9010 #if !defined(_WIN32) 9011 #define init_kdb5_err_tbl initialize_kdb5_error_table 9012 #define kdb5_err_base ERROR_TABLE_BASE_kdb5 9013 #endif 9014 /* 9015 * et-h-kv5m_err.h: 9016 * This file is automatically generated; please do not edit it. 9017 */ 9018 9019 #include <com_err.h> 9020 9021 #define KV5M_NONE (-1760647424L) 9022 #define KV5M_PRINCIPAL (-1760647423L) 9023 #define KV5M_DATA (-1760647422L) 9024 #define KV5M_KEYBLOCK (-1760647421L) 9025 #define KV5M_CHECKSUM (-1760647420L) 9026 #define KV5M_ENCRYPT_BLOCK (-1760647419L) 9027 #define KV5M_ENC_DATA (-1760647418L) 9028 #define KV5M_CRYPTOSYSTEM_ENTRY (-1760647417L) 9029 #define KV5M_CS_TABLE_ENTRY (-1760647416L) 9030 #define KV5M_CHECKSUM_ENTRY (-1760647415L) 9031 #define KV5M_AUTHDATA (-1760647414L) 9032 #define KV5M_TRANSITED (-1760647413L) 9033 #define KV5M_ENC_TKT_PART (-1760647412L) 9034 #define KV5M_TICKET (-1760647411L) 9035 #define KV5M_AUTHENTICATOR (-1760647410L) 9036 #define KV5M_TKT_AUTHENT (-1760647409L) 9037 #define KV5M_CREDS (-1760647408L) 9038 #define KV5M_LAST_REQ_ENTRY (-1760647407L) 9039 #define KV5M_PA_DATA (-1760647406L) 9040 #define KV5M_KDC_REQ (-1760647405L) 9041 #define KV5M_ENC_KDC_REP_PART (-1760647404L) 9042 #define KV5M_KDC_REP (-1760647403L) 9043 #define KV5M_ERROR (-1760647402L) 9044 #define KV5M_AP_REQ (-1760647401L) 9045 #define KV5M_AP_REP (-1760647400L) 9046 #define KV5M_AP_REP_ENC_PART (-1760647399L) 9047 #define KV5M_RESPONSE (-1760647398L) 9048 #define KV5M_SAFE (-1760647397L) 9049 #define KV5M_PRIV (-1760647396L) 9050 #define KV5M_PRIV_ENC_PART (-1760647395L) 9051 #define KV5M_CRED (-1760647394L) 9052 #define KV5M_CRED_INFO (-1760647393L) 9053 #define KV5M_CRED_ENC_PART (-1760647392L) 9054 #define KV5M_PWD_DATA (-1760647391L) 9055 #define KV5M_ADDRESS (-1760647390L) 9056 #define KV5M_KEYTAB_ENTRY (-1760647389L) 9057 #define KV5M_CONTEXT (-1760647388L) 9058 #define KV5M_OS_CONTEXT (-1760647387L) 9059 #define KV5M_ALT_METHOD (-1760647386L) 9060 #define KV5M_ETYPE_INFO_ENTRY (-1760647385L) 9061 #define KV5M_DB_CONTEXT (-1760647384L) 9062 #define KV5M_AUTH_CONTEXT (-1760647383L) 9063 #define KV5M_KEYTAB (-1760647382L) 9064 #define KV5M_RCACHE (-1760647381L) 9065 #define KV5M_CCACHE (-1760647380L) 9066 #define KV5M_PREAUTH_OPS (-1760647379L) 9067 #define KV5M_SAM_CHALLENGE (-1760647378L) 9068 #define KV5M_SAM_CHALLENGE_2 (-1760647377L) 9069 #define KV5M_SAM_KEY (-1760647376L) 9070 #define KV5M_ENC_SAM_RESPONSE_ENC (-1760647375L) 9071 #define KV5M_ENC_SAM_RESPONSE_ENC_2 (-1760647374L) 9072 #define KV5M_SAM_RESPONSE (-1760647373L) 9073 #define KV5M_SAM_RESPONSE_2 (-1760647372L) 9074 #define KV5M_PREDICTED_SAM_RESPONSE (-1760647371L) 9075 #define KV5M_PASSWD_PHRASE_ELEMENT (-1760647370L) 9076 #define KV5M_GSS_OID (-1760647369L) 9077 #define KV5M_GSS_QUEUE (-1760647368L) 9078 #define KV5M_FAST_ARMORED_REQ (-1760647367L) 9079 #define KV5M_FAST_REQ (-1760647366L) 9080 #define KV5M_FAST_RESPONSE (-1760647365L) 9081 #define KV5M_AUTHDATA_CONTEXT (-1760647364L) 9082 #define ERROR_TABLE_BASE_kv5m (-1760647424L) 9083 9084 extern const struct error_table et_kv5m_error_table; 9085 9086 #if !defined(_WIN32) 9087 /* for compatibility with older versions... */ 9088 extern void initialize_kv5m_error_table (void) /*@modifies internalState@*/; 9089 #else 9090 #define initialize_kv5m_error_table() 9091 #endif 9092 9093 #if !defined(_WIN32) 9094 #define init_kv5m_err_tbl initialize_kv5m_error_table 9095 #define kv5m_err_base ERROR_TABLE_BASE_kv5m 9096 #endif 9097 /* 9098 * et-h-krb524_err.h: 9099 * This file is automatically generated; please do not edit it. 9100 */ 9101 9102 #include <com_err.h> 9103 9104 #define KRB524_BADKEY (-1750206208L) 9105 #define KRB524_BADADDR (-1750206207L) 9106 #define KRB524_BADPRINC (-1750206206L) 9107 #define KRB524_BADREALM (-1750206205L) 9108 #define KRB524_V4ERR (-1750206204L) 9109 #define KRB524_ENCFULL (-1750206203L) 9110 #define KRB524_DECEMPTY (-1750206202L) 9111 #define KRB524_NOTRESP (-1750206201L) 9112 #define KRB524_KRB4_DISABLED (-1750206200L) 9113 #define ERROR_TABLE_BASE_k524 (-1750206208L) 9114 9115 extern const struct error_table et_k524_error_table; 9116 9117 #if !defined(_WIN32) 9118 /* for compatibility with older versions... */ 9119 extern void initialize_k524_error_table (void) /*@modifies internalState@*/; 9120 #else 9121 #define initialize_k524_error_table() 9122 #endif 9123 9124 #if !defined(_WIN32) 9125 #define init_k524_err_tbl initialize_k524_error_table 9126 #define k524_err_base ERROR_TABLE_BASE_k524 9127 #endif 9128 /* 9129 * et-h-asn1_err.h: 9130 * This file is automatically generated; please do not edit it. 9131 */ 9132 9133 #include <com_err.h> 9134 9135 #define ASN1_BAD_TIMEFORMAT (1859794432L) 9136 #define ASN1_MISSING_FIELD (1859794433L) 9137 #define ASN1_MISPLACED_FIELD (1859794434L) 9138 #define ASN1_TYPE_MISMATCH (1859794435L) 9139 #define ASN1_OVERFLOW (1859794436L) 9140 #define ASN1_OVERRUN (1859794437L) 9141 #define ASN1_BAD_ID (1859794438L) 9142 #define ASN1_BAD_LENGTH (1859794439L) 9143 #define ASN1_BAD_FORMAT (1859794440L) 9144 #define ASN1_PARSE_ERROR (1859794441L) 9145 #define ASN1_BAD_GMTIME (1859794442L) 9146 #define ASN1_INDEF (1859794443L) 9147 #define ASN1_MISSING_EOC (1859794444L) 9148 #define ASN1_OMITTED (1859794445L) 9149 #define ERROR_TABLE_BASE_asn1 (1859794432L) 9150 9151 extern const struct error_table et_asn1_error_table; 9152 9153 #if !defined(_WIN32) 9154 /* for compatibility with older versions... */ 9155 extern void initialize_asn1_error_table (void) /*@modifies internalState@*/; 9156 #else 9157 #define initialize_asn1_error_table() 9158 #endif 9159 9160 #if !defined(_WIN32) 9161 #define init_asn1_err_tbl initialize_asn1_error_table 9162 #define asn1_err_base ERROR_TABLE_BASE_asn1 9163 #endif 9164 #endif /* KRB5_KRB5_H_INCLUDED */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|