|
jpayne@69
|
1 /* This file is generated, please don't edit it directly. */
|
|
jpayne@69
|
2 #ifndef KRB5_KRB5_H_INCLUDED
|
|
jpayne@69
|
3 #define KRB5_KRB5_H_INCLUDED
|
|
jpayne@69
|
4 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
jpayne@69
|
5 /* General definitions for Kerberos version 5. */
|
|
jpayne@69
|
6 /*
|
|
jpayne@69
|
7 * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts
|
|
jpayne@69
|
8 * Institute of Technology. All Rights Reserved.
|
|
jpayne@69
|
9 *
|
|
jpayne@69
|
10 * Export of this software from the United States of America may
|
|
jpayne@69
|
11 * require a specific license from the United States Government.
|
|
jpayne@69
|
12 * It is the responsibility of any person or organization contemplating
|
|
jpayne@69
|
13 * export to obtain such a license before exporting.
|
|
jpayne@69
|
14 *
|
|
jpayne@69
|
15 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
jpayne@69
|
16 * distribute this software and its documentation for any purpose and
|
|
jpayne@69
|
17 * without fee is hereby granted, provided that the above copyright
|
|
jpayne@69
|
18 * notice appear in all copies and that both that copyright notice and
|
|
jpayne@69
|
19 * this permission notice appear in supporting documentation, and that
|
|
jpayne@69
|
20 * the name of M.I.T. not be used in advertising or publicity pertaining
|
|
jpayne@69
|
21 * to distribution of the software without specific, written prior
|
|
jpayne@69
|
22 * permission. Furthermore if you modify this software you must label
|
|
jpayne@69
|
23 * your software as modified software and not distribute it in such a
|
|
jpayne@69
|
24 * fashion that it might be confused with the original M.I.T. software.
|
|
jpayne@69
|
25 * M.I.T. makes no representations about the suitability of
|
|
jpayne@69
|
26 * this software for any purpose. It is provided "as is" without express
|
|
jpayne@69
|
27 * or implied warranty.
|
|
jpayne@69
|
28 */
|
|
jpayne@69
|
29 /*
|
|
jpayne@69
|
30 * Copyright (C) 1998 by the FundsXpress, INC.
|
|
jpayne@69
|
31 *
|
|
jpayne@69
|
32 * All rights reserved.
|
|
jpayne@69
|
33 *
|
|
jpayne@69
|
34 * Export of this software from the United States of America may require
|
|
jpayne@69
|
35 * a specific license from the United States Government. It is the
|
|
jpayne@69
|
36 * responsibility of any person or organization contemplating export to
|
|
jpayne@69
|
37 * obtain such a license before exporting.
|
|
jpayne@69
|
38 *
|
|
jpayne@69
|
39 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
jpayne@69
|
40 * distribute this software and its documentation for any purpose and
|
|
jpayne@69
|
41 * without fee is hereby granted, provided that the above copyright
|
|
jpayne@69
|
42 * notice appear in all copies and that both that copyright notice and
|
|
jpayne@69
|
43 * this permission notice appear in supporting documentation, and that
|
|
jpayne@69
|
44 * the name of FundsXpress. not be used in advertising or publicity pertaining
|
|
jpayne@69
|
45 * to distribution of the software without specific, written prior
|
|
jpayne@69
|
46 * permission. FundsXpress makes no representations about the suitability of
|
|
jpayne@69
|
47 * this software for any purpose. It is provided "as is" without express
|
|
jpayne@69
|
48 * or implied warranty.
|
|
jpayne@69
|
49 *
|
|
jpayne@69
|
50 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
|
jpayne@69
|
51 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
|
jpayne@69
|
52 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
jpayne@69
|
53 */
|
|
jpayne@69
|
54
|
|
jpayne@69
|
55 #ifndef KRB5_GENERAL__
|
|
jpayne@69
|
56 #define KRB5_GENERAL__
|
|
jpayne@69
|
57
|
|
jpayne@69
|
58 /** @defgroup KRB5_H krb5 library API
|
|
jpayne@69
|
59 * @{
|
|
jpayne@69
|
60 */
|
|
jpayne@69
|
61
|
|
jpayne@69
|
62 /* By default, do not expose deprecated interfaces. */
|
|
jpayne@69
|
63 #ifndef KRB5_DEPRECATED
|
|
jpayne@69
|
64 #define KRB5_DEPRECATED 0
|
|
jpayne@69
|
65 #endif
|
|
jpayne@69
|
66
|
|
jpayne@69
|
67 #if defined(__MACH__) && defined(__APPLE__)
|
|
jpayne@69
|
68 # include <TargetConditionals.h>
|
|
jpayne@69
|
69 # if TARGET_RT_MAC_CFM
|
|
jpayne@69
|
70 # error "Use KfM 4.0 SDK headers for CFM compilation."
|
|
jpayne@69
|
71 # endif
|
|
jpayne@69
|
72 #endif
|
|
jpayne@69
|
73
|
|
jpayne@69
|
74 #if defined(_MSDOS) || defined(_WIN32)
|
|
jpayne@69
|
75 #include <win-mac.h>
|
|
jpayne@69
|
76 #endif
|
|
jpayne@69
|
77
|
|
jpayne@69
|
78 #ifndef KRB5_CONFIG__
|
|
jpayne@69
|
79 #ifndef KRB5_CALLCONV
|
|
jpayne@69
|
80 #define KRB5_CALLCONV
|
|
jpayne@69
|
81 #define KRB5_CALLCONV_C
|
|
jpayne@69
|
82 #endif /* !KRB5_CALLCONV */
|
|
jpayne@69
|
83 #endif /* !KRB5_CONFIG__ */
|
|
jpayne@69
|
84
|
|
jpayne@69
|
85 #ifndef KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
86 #define KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
87 #endif
|
|
jpayne@69
|
88
|
|
jpayne@69
|
89 #ifndef THREEPARAMOPEN
|
|
jpayne@69
|
90 #define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
|
jpayne@69
|
91 #endif
|
|
jpayne@69
|
92
|
|
jpayne@69
|
93 #define KRB5_OLD_CRYPTO
|
|
jpayne@69
|
94
|
|
jpayne@69
|
95 #include <stdlib.h>
|
|
jpayne@69
|
96 #include <limits.h> /* for *_MAX */
|
|
jpayne@69
|
97 #include <stdarg.h>
|
|
jpayne@69
|
98 #include <stdint.h>
|
|
jpayne@69
|
99
|
|
jpayne@69
|
100 #ifndef KRB5INT_BEGIN_DECLS
|
|
jpayne@69
|
101 #if defined(__cplusplus)
|
|
jpayne@69
|
102 #define KRB5INT_BEGIN_DECLS extern "C" {
|
|
jpayne@69
|
103 #define KRB5INT_END_DECLS }
|
|
jpayne@69
|
104 #else
|
|
jpayne@69
|
105 #define KRB5INT_BEGIN_DECLS
|
|
jpayne@69
|
106 #define KRB5INT_END_DECLS
|
|
jpayne@69
|
107 #endif
|
|
jpayne@69
|
108 #endif
|
|
jpayne@69
|
109
|
|
jpayne@69
|
110 KRB5INT_BEGIN_DECLS
|
|
jpayne@69
|
111
|
|
jpayne@69
|
112 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
|
|
jpayne@69
|
113 #pragma pack(push,2)
|
|
jpayne@69
|
114 #endif
|
|
jpayne@69
|
115
|
|
jpayne@69
|
116 #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203
|
|
jpayne@69
|
117 # define KRB5_ATTR_DEPRECATED __attribute__((deprecated))
|
|
jpayne@69
|
118 #elif defined _WIN32
|
|
jpayne@69
|
119 # define KRB5_ATTR_DEPRECATED __declspec(deprecated)
|
|
jpayne@69
|
120 #else
|
|
jpayne@69
|
121 # define KRB5_ATTR_DEPRECATED
|
|
jpayne@69
|
122 #endif
|
|
jpayne@69
|
123
|
|
jpayne@69
|
124 /* from profile.h */
|
|
jpayne@69
|
125 struct _profile_t;
|
|
jpayne@69
|
126 /* typedef struct _profile_t *profile_t; */
|
|
jpayne@69
|
127
|
|
jpayne@69
|
128 /*
|
|
jpayne@69
|
129 * begin wordsize.h
|
|
jpayne@69
|
130 */
|
|
jpayne@69
|
131
|
|
jpayne@69
|
132 /*
|
|
jpayne@69
|
133 * Word-size related definition.
|
|
jpayne@69
|
134 */
|
|
jpayne@69
|
135
|
|
jpayne@69
|
136 typedef uint8_t krb5_octet;
|
|
jpayne@69
|
137 typedef int16_t krb5_int16;
|
|
jpayne@69
|
138 typedef uint16_t krb5_ui_2;
|
|
jpayne@69
|
139 typedef int32_t krb5_int32;
|
|
jpayne@69
|
140 typedef uint32_t krb5_ui_4;
|
|
jpayne@69
|
141
|
|
jpayne@69
|
142 #define VALID_INT_BITS INT_MAX
|
|
jpayne@69
|
143 #define VALID_UINT_BITS UINT_MAX
|
|
jpayne@69
|
144
|
|
jpayne@69
|
145 #define KRB5_INT32_MAX 2147483647
|
|
jpayne@69
|
146 /* this strange form is necessary since - is a unary operator, not a sign
|
|
jpayne@69
|
147 indicator */
|
|
jpayne@69
|
148 #define KRB5_INT32_MIN (-KRB5_INT32_MAX-1)
|
|
jpayne@69
|
149
|
|
jpayne@69
|
150 #define KRB5_INT16_MAX 65535
|
|
jpayne@69
|
151 /* this strange form is necessary since - is a unary operator, not a sign
|
|
jpayne@69
|
152 indicator */
|
|
jpayne@69
|
153 #define KRB5_INT16_MIN (-KRB5_INT16_MAX-1)
|
|
jpayne@69
|
154
|
|
jpayne@69
|
155 /*
|
|
jpayne@69
|
156 * end wordsize.h
|
|
jpayne@69
|
157 */
|
|
jpayne@69
|
158
|
|
jpayne@69
|
159 /*
|
|
jpayne@69
|
160 * begin "base-defs.h"
|
|
jpayne@69
|
161 */
|
|
jpayne@69
|
162
|
|
jpayne@69
|
163 /*
|
|
jpayne@69
|
164 * Basic definitions for Kerberos V5 library
|
|
jpayne@69
|
165 */
|
|
jpayne@69
|
166
|
|
jpayne@69
|
167 #ifndef FALSE
|
|
jpayne@69
|
168 #define FALSE 0
|
|
jpayne@69
|
169 #endif
|
|
jpayne@69
|
170 #ifndef TRUE
|
|
jpayne@69
|
171 #define TRUE 1
|
|
jpayne@69
|
172 #endif
|
|
jpayne@69
|
173
|
|
jpayne@69
|
174 typedef unsigned int krb5_boolean;
|
|
jpayne@69
|
175 typedef unsigned int krb5_msgtype;
|
|
jpayne@69
|
176 typedef unsigned int krb5_kvno;
|
|
jpayne@69
|
177
|
|
jpayne@69
|
178 typedef krb5_int32 krb5_addrtype;
|
|
jpayne@69
|
179 typedef krb5_int32 krb5_enctype;
|
|
jpayne@69
|
180 typedef krb5_int32 krb5_cksumtype;
|
|
jpayne@69
|
181 typedef krb5_int32 krb5_authdatatype;
|
|
jpayne@69
|
182 typedef krb5_int32 krb5_keyusage;
|
|
jpayne@69
|
183 typedef krb5_int32 krb5_cryptotype;
|
|
jpayne@69
|
184
|
|
jpayne@69
|
185 typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
|
|
jpayne@69
|
186 typedef krb5_int32 krb5_flags;
|
|
jpayne@69
|
187
|
|
jpayne@69
|
188 /**
|
|
jpayne@69
|
189 * Represents a timestamp in seconds since the POSIX epoch. This legacy type
|
|
jpayne@69
|
190 * is used frequently in the ABI, but cannot represent timestamps after 2038 as
|
|
jpayne@69
|
191 * a positive number. Code which uses this type should cast values of it to
|
|
jpayne@69
|
192 * uint32_t so that negative values are treated as timestamps between 2038 and
|
|
jpayne@69
|
193 * 2106 on platforms with 64-bit time_t.
|
|
jpayne@69
|
194 */
|
|
jpayne@69
|
195 typedef krb5_int32 krb5_timestamp;
|
|
jpayne@69
|
196
|
|
jpayne@69
|
197 typedef krb5_int32 krb5_deltat;
|
|
jpayne@69
|
198
|
|
jpayne@69
|
199 /**
|
|
jpayne@69
|
200 * Used to convey an operation status. The value 0 indicates success; any
|
|
jpayne@69
|
201 * other values are com_err codes. Use krb5_get_error_message() to obtain a
|
|
jpayne@69
|
202 * string describing the error.
|
|
jpayne@69
|
203 */
|
|
jpayne@69
|
204 typedef krb5_int32 krb5_error_code;
|
|
jpayne@69
|
205
|
|
jpayne@69
|
206 typedef krb5_error_code krb5_magic;
|
|
jpayne@69
|
207
|
|
jpayne@69
|
208 typedef struct _krb5_data {
|
|
jpayne@69
|
209 krb5_magic magic;
|
|
jpayne@69
|
210 unsigned int length;
|
|
jpayne@69
|
211 char *data;
|
|
jpayne@69
|
212 } krb5_data;
|
|
jpayne@69
|
213
|
|
jpayne@69
|
214 /* Originally introduced for PKINIT; now unused. Do not use this. */
|
|
jpayne@69
|
215 typedef struct _krb5_octet_data {
|
|
jpayne@69
|
216 krb5_magic magic;
|
|
jpayne@69
|
217 unsigned int length;
|
|
jpayne@69
|
218 krb5_octet *data;
|
|
jpayne@69
|
219 } krb5_octet_data;
|
|
jpayne@69
|
220
|
|
jpayne@69
|
221 /* Originally used to recognize AFS and default salts. No longer used. */
|
|
jpayne@69
|
222 #define SALT_TYPE_AFS_LENGTH UINT_MAX
|
|
jpayne@69
|
223 #define SALT_TYPE_NO_LENGTH UINT_MAX
|
|
jpayne@69
|
224
|
|
jpayne@69
|
225 typedef void * krb5_pointer;
|
|
jpayne@69
|
226 typedef void const * krb5_const_pointer;
|
|
jpayne@69
|
227
|
|
jpayne@69
|
228 typedef struct krb5_principal_data {
|
|
jpayne@69
|
229 krb5_magic magic;
|
|
jpayne@69
|
230 krb5_data realm;
|
|
jpayne@69
|
231 krb5_data *data; /**< An array of strings */
|
|
jpayne@69
|
232 krb5_int32 length;
|
|
jpayne@69
|
233 krb5_int32 type;
|
|
jpayne@69
|
234 } krb5_principal_data;
|
|
jpayne@69
|
235
|
|
jpayne@69
|
236 typedef krb5_principal_data * krb5_principal;
|
|
jpayne@69
|
237
|
|
jpayne@69
|
238 /*
|
|
jpayne@69
|
239 * Per V5 spec on definition of principal types
|
|
jpayne@69
|
240 */
|
|
jpayne@69
|
241
|
|
jpayne@69
|
242 #define KRB5_NT_UNKNOWN 0 /**< Name type not known */
|
|
jpayne@69
|
243 #define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal
|
|
jpayne@69
|
244 as in DCE, or for users */
|
|
jpayne@69
|
245 #define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */
|
|
jpayne@69
|
246 #define KRB5_NT_SRV_HST 3 /**< Service with host name as instance
|
|
jpayne@69
|
247 (telnet, rcommands) */
|
|
jpayne@69
|
248 #define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */
|
|
jpayne@69
|
249 #define KRB5_NT_UID 5 /**< Unique ID */
|
|
jpayne@69
|
250 #define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */
|
|
jpayne@69
|
251 #define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */
|
|
jpayne@69
|
252 #define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */
|
|
jpayne@69
|
253 #define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */
|
|
jpayne@69
|
254 #define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of
|
|
jpayne@69
|
255 NT_WELLKNOWN principals */
|
|
jpayne@69
|
256 #define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */
|
|
jpayne@69
|
257 #define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */
|
|
jpayne@69
|
258 #define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */
|
|
jpayne@69
|
259
|
|
jpayne@69
|
260 /** Constant version of krb5_principal_data. */
|
|
jpayne@69
|
261 typedef const krb5_principal_data *krb5_const_principal;
|
|
jpayne@69
|
262
|
|
jpayne@69
|
263 #define krb5_princ_realm(context, princ) (&(princ)->realm)
|
|
jpayne@69
|
264 #define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value))
|
|
jpayne@69
|
265 #define krb5_princ_set_realm_length(context, princ,value) (princ)->realm.length = (value)
|
|
jpayne@69
|
266 #define krb5_princ_set_realm_data(context, princ,value) (princ)->realm.data = (value)
|
|
jpayne@69
|
267 #define krb5_princ_size(context, princ) (princ)->length
|
|
jpayne@69
|
268 #define krb5_princ_type(context, princ) (princ)->type
|
|
jpayne@69
|
269 #define krb5_princ_name(context, princ) (princ)->data
|
|
jpayne@69
|
270 #define krb5_princ_component(context, princ,i) \
|
|
jpayne@69
|
271 (((i) < krb5_princ_size(context, princ)) \
|
|
jpayne@69
|
272 ? (princ)->data + (i) \
|
|
jpayne@69
|
273 : NULL)
|
|
jpayne@69
|
274
|
|
jpayne@69
|
275 /** Constant for realm referrals. */
|
|
jpayne@69
|
276 #define KRB5_REFERRAL_REALM ""
|
|
jpayne@69
|
277
|
|
jpayne@69
|
278 /*
|
|
jpayne@69
|
279 * Referral-specific functions.
|
|
jpayne@69
|
280 */
|
|
jpayne@69
|
281
|
|
jpayne@69
|
282 /**
|
|
jpayne@69
|
283 * Check for a match with KRB5_REFERRAL_REALM.
|
|
jpayne@69
|
284 *
|
|
jpayne@69
|
285 * @param [in] r Realm to check
|
|
jpayne@69
|
286 *
|
|
jpayne@69
|
287 * @return @c TRUE if @a r is zero-length, @c FALSE otherwise
|
|
jpayne@69
|
288 */
|
|
jpayne@69
|
289 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
290 krb5_is_referral_realm(const krb5_data *r);
|
|
jpayne@69
|
291
|
|
jpayne@69
|
292 /**
|
|
jpayne@69
|
293 * Return an anonymous realm data.
|
|
jpayne@69
|
294 *
|
|
jpayne@69
|
295 * This function returns constant storage that must not be freed.
|
|
jpayne@69
|
296 *
|
|
jpayne@69
|
297 * @sa #KRB5_ANONYMOUS_REALMSTR
|
|
jpayne@69
|
298 */
|
|
jpayne@69
|
299 const krb5_data *KRB5_CALLCONV
|
|
jpayne@69
|
300 krb5_anonymous_realm(void);
|
|
jpayne@69
|
301
|
|
jpayne@69
|
302 /**
|
|
jpayne@69
|
303 * Build an anonymous principal.
|
|
jpayne@69
|
304 *
|
|
jpayne@69
|
305 * This function returns constant storage that must not be freed.
|
|
jpayne@69
|
306 *
|
|
jpayne@69
|
307 * @sa #KRB5_ANONYMOUS_PRINCSTR
|
|
jpayne@69
|
308 */
|
|
jpayne@69
|
309 krb5_const_principal KRB5_CALLCONV
|
|
jpayne@69
|
310 krb5_anonymous_principal(void);
|
|
jpayne@69
|
311
|
|
jpayne@69
|
312 #define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */
|
|
jpayne@69
|
313 #define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */
|
|
jpayne@69
|
314 /*
|
|
jpayne@69
|
315 * end "base-defs.h"
|
|
jpayne@69
|
316 */
|
|
jpayne@69
|
317
|
|
jpayne@69
|
318 /*
|
|
jpayne@69
|
319 * begin "hostaddr.h"
|
|
jpayne@69
|
320 */
|
|
jpayne@69
|
321
|
|
jpayne@69
|
322 /** Structure for address */
|
|
jpayne@69
|
323 typedef struct _krb5_address {
|
|
jpayne@69
|
324 krb5_magic magic;
|
|
jpayne@69
|
325 krb5_addrtype addrtype;
|
|
jpayne@69
|
326 unsigned int length;
|
|
jpayne@69
|
327 krb5_octet *contents;
|
|
jpayne@69
|
328 } krb5_address;
|
|
jpayne@69
|
329
|
|
jpayne@69
|
330 /* per Kerberos v5 protocol spec */
|
|
jpayne@69
|
331 #define ADDRTYPE_INET 0x0002
|
|
jpayne@69
|
332 #define ADDRTYPE_CHAOS 0x0005
|
|
jpayne@69
|
333 #define ADDRTYPE_XNS 0x0006
|
|
jpayne@69
|
334 #define ADDRTYPE_ISO 0x0007
|
|
jpayne@69
|
335 #define ADDRTYPE_DDP 0x0010
|
|
jpayne@69
|
336 #define ADDRTYPE_NETBIOS 0x0014
|
|
jpayne@69
|
337 #define ADDRTYPE_INET6 0x0018
|
|
jpayne@69
|
338 /* not yet in the spec... */
|
|
jpayne@69
|
339 #define ADDRTYPE_ADDRPORT 0x0100
|
|
jpayne@69
|
340 #define ADDRTYPE_IPPORT 0x0101
|
|
jpayne@69
|
341
|
|
jpayne@69
|
342 /* macros to determine if a type is a local type */
|
|
jpayne@69
|
343 #define ADDRTYPE_IS_LOCAL(addrtype) (addrtype & 0x8000)
|
|
jpayne@69
|
344
|
|
jpayne@69
|
345 /*
|
|
jpayne@69
|
346 * end "hostaddr.h"
|
|
jpayne@69
|
347 */
|
|
jpayne@69
|
348
|
|
jpayne@69
|
349
|
|
jpayne@69
|
350 struct _krb5_context;
|
|
jpayne@69
|
351 typedef struct _krb5_context * krb5_context;
|
|
jpayne@69
|
352
|
|
jpayne@69
|
353 struct _krb5_auth_context;
|
|
jpayne@69
|
354 typedef struct _krb5_auth_context * krb5_auth_context;
|
|
jpayne@69
|
355
|
|
jpayne@69
|
356 struct _krb5_cryptosystem_entry;
|
|
jpayne@69
|
357
|
|
jpayne@69
|
358 /*
|
|
jpayne@69
|
359 * begin "encryption.h"
|
|
jpayne@69
|
360 */
|
|
jpayne@69
|
361
|
|
jpayne@69
|
362 /** Exposed contents of a key. */
|
|
jpayne@69
|
363 typedef struct _krb5_keyblock {
|
|
jpayne@69
|
364 krb5_magic magic;
|
|
jpayne@69
|
365 krb5_enctype enctype;
|
|
jpayne@69
|
366 unsigned int length;
|
|
jpayne@69
|
367 krb5_octet *contents;
|
|
jpayne@69
|
368 } krb5_keyblock;
|
|
jpayne@69
|
369
|
|
jpayne@69
|
370 struct krb5_key_st;
|
|
jpayne@69
|
371 /**
|
|
jpayne@69
|
372 * Opaque identifier for a key.
|
|
jpayne@69
|
373 *
|
|
jpayne@69
|
374 * Use with the krb5_k APIs for better performance for repeated operations with
|
|
jpayne@69
|
375 * the same key and usage. Key identifiers must not be used simultaneously
|
|
jpayne@69
|
376 * within multiple threads, as they may contain mutable internal state and are
|
|
jpayne@69
|
377 * not mutex-protected.
|
|
jpayne@69
|
378 */
|
|
jpayne@69
|
379 typedef struct krb5_key_st *krb5_key;
|
|
jpayne@69
|
380
|
|
jpayne@69
|
381 #ifdef KRB5_OLD_CRYPTO
|
|
jpayne@69
|
382 typedef struct _krb5_encrypt_block {
|
|
jpayne@69
|
383 krb5_magic magic;
|
|
jpayne@69
|
384 krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need
|
|
jpayne@69
|
385 this. it was a pointer, but it
|
|
jpayne@69
|
386 doesn't have to be. gross. */
|
|
jpayne@69
|
387 krb5_keyblock *key;
|
|
jpayne@69
|
388 } krb5_encrypt_block;
|
|
jpayne@69
|
389 #endif
|
|
jpayne@69
|
390
|
|
jpayne@69
|
391 typedef struct _krb5_checksum {
|
|
jpayne@69
|
392 krb5_magic magic;
|
|
jpayne@69
|
393 krb5_cksumtype checksum_type; /* checksum type */
|
|
jpayne@69
|
394 unsigned int length;
|
|
jpayne@69
|
395 krb5_octet *contents;
|
|
jpayne@69
|
396 } krb5_checksum;
|
|
jpayne@69
|
397
|
|
jpayne@69
|
398 typedef struct _krb5_enc_data {
|
|
jpayne@69
|
399 krb5_magic magic;
|
|
jpayne@69
|
400 krb5_enctype enctype;
|
|
jpayne@69
|
401 krb5_kvno kvno;
|
|
jpayne@69
|
402 krb5_data ciphertext;
|
|
jpayne@69
|
403 } krb5_enc_data;
|
|
jpayne@69
|
404
|
|
jpayne@69
|
405 /**
|
|
jpayne@69
|
406 * Structure to describe a region of text to be encrypted or decrypted.
|
|
jpayne@69
|
407 *
|
|
jpayne@69
|
408 * The @a flags member describes the type of the iov.
|
|
jpayne@69
|
409 * The @a data member points to the memory that will be manipulated.
|
|
jpayne@69
|
410 * All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's
|
|
jpayne@69
|
411 * along with the size of that array. Buffer contents are manipulated in-place;
|
|
jpayne@69
|
412 * data is overwritten. Callers must allocate the right number of krb5_crypto_iov
|
|
jpayne@69
|
413 * structures before calling into an iov API.
|
|
jpayne@69
|
414 */
|
|
jpayne@69
|
415 typedef struct _krb5_crypto_iov {
|
|
jpayne@69
|
416 krb5_cryptotype flags; /**< @ref KRB5_CRYPTO_TYPE type of the iov */
|
|
jpayne@69
|
417 krb5_data data;
|
|
jpayne@69
|
418 } krb5_crypto_iov;
|
|
jpayne@69
|
419
|
|
jpayne@69
|
420 /* per Kerberos v5 protocol spec */
|
|
jpayne@69
|
421 #define ENCTYPE_NULL 0x0000
|
|
jpayne@69
|
422 #define ENCTYPE_DES_CBC_CRC 0x0001 /**< @deprecated no longer supported */
|
|
jpayne@69
|
423 #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
|
|
jpayne@69
|
424 #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
|
|
jpayne@69
|
425 #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */
|
|
jpayne@69
|
426 #define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */
|
|
jpayne@69
|
427 #define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */
|
|
jpayne@69
|
428 #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */
|
|
jpayne@69
|
429 /* PKINIT */
|
|
jpayne@69
|
430 #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */
|
|
jpayne@69
|
431 #define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */
|
|
jpayne@69
|
432 #define ENCTYPE_SHA1_RSA_CMS 0x000b /**< SHA1 with RSA, CMS signature */
|
|
jpayne@69
|
433 #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */
|
|
jpayne@69
|
434 #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */
|
|
jpayne@69
|
435 #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */
|
|
jpayne@69
|
436 #define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */
|
|
jpayne@69
|
437
|
|
jpayne@69
|
438 #define ENCTYPE_DES3_CBC_SHA1 0x0010
|
|
jpayne@69
|
439 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */
|
|
jpayne@69
|
440 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */
|
|
jpayne@69
|
441 #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */
|
|
jpayne@69
|
442 #define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014 /**< RFC 8009 */
|
|
jpayne@69
|
443 #define ENCTYPE_ARCFOUR_HMAC 0x0017 /**< RFC 4757 */
|
|
jpayne@69
|
444 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 /**< RFC 4757 */
|
|
jpayne@69
|
445 #define ENCTYPE_CAMELLIA128_CTS_CMAC 0x0019 /**< RFC 6803 */
|
|
jpayne@69
|
446 #define ENCTYPE_CAMELLIA256_CTS_CMAC 0x001a /**< RFC 6803 */
|
|
jpayne@69
|
447 #define ENCTYPE_UNKNOWN 0x01ff
|
|
jpayne@69
|
448
|
|
jpayne@69
|
449 /*
|
|
jpayne@69
|
450 * Historically we used the value 9 for unkeyed SHA-1. RFC 3961 assigns this
|
|
jpayne@69
|
451 * value to rsa-md5-des3, which fortunately is unused. For ABI compatibility
|
|
jpayne@69
|
452 * we allow either 9 or 14 for SHA-1.
|
|
jpayne@69
|
453 */
|
|
jpayne@69
|
454 #define CKSUMTYPE_CRC32 0x0001
|
|
jpayne@69
|
455 #define CKSUMTYPE_RSA_MD4 0x0002
|
|
jpayne@69
|
456 #define CKSUMTYPE_RSA_MD4_DES 0x0003
|
|
jpayne@69
|
457 #define CKSUMTYPE_DESCBC 0x0004
|
|
jpayne@69
|
458 /* des-mac-k */
|
|
jpayne@69
|
459 /* rsa-md4-des-k */
|
|
jpayne@69
|
460 #define CKSUMTYPE_RSA_MD5 0x0007
|
|
jpayne@69
|
461 #define CKSUMTYPE_RSA_MD5_DES 0x0008
|
|
jpayne@69
|
462 #define CKSUMTYPE_NIST_SHA 0x0009
|
|
jpayne@69
|
463 #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
|
|
jpayne@69
|
464 #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */
|
|
jpayne@69
|
465 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
|
|
jpayne@69
|
466 ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
|
|
jpayne@69
|
467 #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with
|
|
jpayne@69
|
468 ENCTYPE_AES256_CTS_HMAC_SHA1_96 */
|
|
jpayne@69
|
469 #define CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013 /**< RFC 8009 */
|
|
jpayne@69
|
470 #define CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014 /**< RFC 8009 */
|
|
jpayne@69
|
471 #define CKSUMTYPE_CMAC_CAMELLIA128 0x0011 /**< RFC 6803 */
|
|
jpayne@69
|
472 #define CKSUMTYPE_CMAC_CAMELLIA256 0x0012 /**< RFC 6803 */
|
|
jpayne@69
|
473 #define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon */
|
|
jpayne@69
|
474 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /**< RFC 4757 */
|
|
jpayne@69
|
475
|
|
jpayne@69
|
476 /* Constants for the deprecated krb5_c_random_add_entropy() */
|
|
jpayne@69
|
477 enum {
|
|
jpayne@69
|
478 KRB5_C_RANDSOURCE_OLDAPI = 0,
|
|
jpayne@69
|
479 KRB5_C_RANDSOURCE_OSRAND = 1,
|
|
jpayne@69
|
480 KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2,
|
|
jpayne@69
|
481 KRB5_C_RANDSOURCE_TIMING = 3,
|
|
jpayne@69
|
482 KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4,
|
|
jpayne@69
|
483 KRB5_C_RANDSOURCE_MAX = 5
|
|
jpayne@69
|
484 };
|
|
jpayne@69
|
485
|
|
jpayne@69
|
486 #ifndef krb5_roundup
|
|
jpayne@69
|
487 /* round x up to nearest multiple of y */
|
|
jpayne@69
|
488 #define krb5_roundup(x, y) ((((x) + (y) - 1)/(y))*(y))
|
|
jpayne@69
|
489 #endif /* roundup */
|
|
jpayne@69
|
490
|
|
jpayne@69
|
491 /* macro function definitions to help clean up code */
|
|
jpayne@69
|
492
|
|
jpayne@69
|
493 #if 1
|
|
jpayne@69
|
494 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
|
|
jpayne@69
|
495 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
|
|
jpayne@69
|
496 #else
|
|
jpayne@69
|
497 #define krb5_x(ptr,args) ((*(ptr)) args)
|
|
jpayne@69
|
498 #define krb5_xc(ptr,args) ((*(ptr)) args)
|
|
jpayne@69
|
499 #endif
|
|
jpayne@69
|
500
|
|
jpayne@69
|
501 /**
|
|
jpayne@69
|
502 * Encrypt data using a key (operates on keyblock).
|
|
jpayne@69
|
503 *
|
|
jpayne@69
|
504 * @param [in] context Library context
|
|
jpayne@69
|
505 * @param [in] key Encryption key
|
|
jpayne@69
|
506 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
507 * @param [in,out] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
508 * @param [in] input Data to be encrypted
|
|
jpayne@69
|
509 * @param [out] output Encrypted data
|
|
jpayne@69
|
510 *
|
|
jpayne@69
|
511 * This function encrypts the data block @a input and stores the output into @a
|
|
jpayne@69
|
512 * output. The actual encryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
513 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
514 * cipher_state specifies the beginning state for the encryption operation, and
|
|
jpayne@69
|
515 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
516 *
|
|
jpayne@69
|
517 * @note The caller must initialize @a output and allocate at least enough
|
|
jpayne@69
|
518 * space for the result (using krb5_c_encrypt_length() to determine the amount
|
|
jpayne@69
|
519 * of space needed). @a output->length will be set to the actual length of the
|
|
jpayne@69
|
520 * ciphertext.
|
|
jpayne@69
|
521 *
|
|
jpayne@69
|
522 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
523 */
|
|
jpayne@69
|
524 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
525 krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
|
|
jpayne@69
|
526 krb5_keyusage usage, const krb5_data *cipher_state,
|
|
jpayne@69
|
527 const krb5_data *input, krb5_enc_data *output);
|
|
jpayne@69
|
528
|
|
jpayne@69
|
529 /**
|
|
jpayne@69
|
530 * Decrypt data using a key (operates on keyblock).
|
|
jpayne@69
|
531 *
|
|
jpayne@69
|
532 * @param [in] context Library context
|
|
jpayne@69
|
533 * @param [in] key Encryption key
|
|
jpayne@69
|
534 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
535 * @param [in,out] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
536 * @param [in] input Encrypted data
|
|
jpayne@69
|
537 * @param [out] output Decrypted data
|
|
jpayne@69
|
538 *
|
|
jpayne@69
|
539 * This function decrypts the data block @a input and stores the output into @a
|
|
jpayne@69
|
540 * output. The actual decryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
541 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
542 * cipher_state specifies the beginning state for the decryption operation, and
|
|
jpayne@69
|
543 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
544 *
|
|
jpayne@69
|
545 * @note The caller must initialize @a output and allocate at least enough
|
|
jpayne@69
|
546 * space for the result. The usual practice is to allocate an output buffer as
|
|
jpayne@69
|
547 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length.
|
|
jpayne@69
|
548 * For some enctypes, the resulting @a output->length may include padding
|
|
jpayne@69
|
549 * bytes.
|
|
jpayne@69
|
550 *
|
|
jpayne@69
|
551 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
552 */
|
|
jpayne@69
|
553 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
554 krb5_c_decrypt(krb5_context context, const krb5_keyblock *key,
|
|
jpayne@69
|
555 krb5_keyusage usage, const krb5_data *cipher_state,
|
|
jpayne@69
|
556 const krb5_enc_data *input, krb5_data *output);
|
|
jpayne@69
|
557
|
|
jpayne@69
|
558 /**
|
|
jpayne@69
|
559 * Compute encrypted data length.
|
|
jpayne@69
|
560 *
|
|
jpayne@69
|
561 * @param [in] context Library context
|
|
jpayne@69
|
562 * @param [in] enctype Encryption type
|
|
jpayne@69
|
563 * @param [in] inputlen Length of the data to be encrypted
|
|
jpayne@69
|
564 * @param [out] length Length of the encrypted data
|
|
jpayne@69
|
565 *
|
|
jpayne@69
|
566 * This function computes the length of the ciphertext produced by encrypting
|
|
jpayne@69
|
567 * @a inputlen bytes including padding, confounder, and checksum.
|
|
jpayne@69
|
568 *
|
|
jpayne@69
|
569 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
570 */
|
|
jpayne@69
|
571 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
572 krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
573 size_t inputlen, size_t *length);
|
|
jpayne@69
|
574
|
|
jpayne@69
|
575 /**
|
|
jpayne@69
|
576 * Return cipher block size.
|
|
jpayne@69
|
577 *
|
|
jpayne@69
|
578 * @param [in] context Library context
|
|
jpayne@69
|
579 * @param [in] enctype Encryption type
|
|
jpayne@69
|
580 * @param [out] blocksize Block size for @a enctype
|
|
jpayne@69
|
581 *
|
|
jpayne@69
|
582 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
583 */
|
|
jpayne@69
|
584 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
585 krb5_c_block_size(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
586 size_t *blocksize);
|
|
jpayne@69
|
587
|
|
jpayne@69
|
588 /**
|
|
jpayne@69
|
589 * Return length of the specified key in bytes.
|
|
jpayne@69
|
590 *
|
|
jpayne@69
|
591 * @param [in] context Library context
|
|
jpayne@69
|
592 * @param [in] enctype Encryption type
|
|
jpayne@69
|
593 * @param [out] keybytes Number of bytes required to make a key
|
|
jpayne@69
|
594 * @param [out] keylength Length of final key
|
|
jpayne@69
|
595 *
|
|
jpayne@69
|
596 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
597 */
|
|
jpayne@69
|
598 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
599 krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
600 size_t *keybytes, size_t *keylength);
|
|
jpayne@69
|
601
|
|
jpayne@69
|
602 /**
|
|
jpayne@69
|
603 * Initialize a new cipher state.
|
|
jpayne@69
|
604 *
|
|
jpayne@69
|
605 * @param [in] context Library context
|
|
jpayne@69
|
606 * @param [in] key Key
|
|
jpayne@69
|
607 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
608 * @param [out] new_state New cipher state
|
|
jpayne@69
|
609 *
|
|
jpayne@69
|
610 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
611 */
|
|
jpayne@69
|
612 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
613 krb5_c_init_state(krb5_context context, const krb5_keyblock *key,
|
|
jpayne@69
|
614 krb5_keyusage usage, krb5_data *new_state);
|
|
jpayne@69
|
615
|
|
jpayne@69
|
616 /**
|
|
jpayne@69
|
617 * Free a cipher state previously allocated by krb5_c_init_state().
|
|
jpayne@69
|
618 *
|
|
jpayne@69
|
619 * @param [in] context Library context
|
|
jpayne@69
|
620 * @param [in] key Key
|
|
jpayne@69
|
621 * @param [in] state Cipher state to be freed
|
|
jpayne@69
|
622 *
|
|
jpayne@69
|
623 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
624 */
|
|
jpayne@69
|
625 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
626 krb5_c_free_state(krb5_context context, const krb5_keyblock *key,
|
|
jpayne@69
|
627 krb5_data *state);
|
|
jpayne@69
|
628
|
|
jpayne@69
|
629 /**
|
|
jpayne@69
|
630 * Generate enctype-specific pseudo-random bytes.
|
|
jpayne@69
|
631 *
|
|
jpayne@69
|
632 * @param [in] context Library context
|
|
jpayne@69
|
633 * @param [in] keyblock Key
|
|
jpayne@69
|
634 * @param [in] input Input data
|
|
jpayne@69
|
635 * @param [out] output Output data
|
|
jpayne@69
|
636 *
|
|
jpayne@69
|
637 * This function selects a pseudo-random function based on @a keyblock and
|
|
jpayne@69
|
638 * computes its value over @a input, placing the result into @a output.
|
|
jpayne@69
|
639 * The caller must preinitialize @a output and allocate space for the
|
|
jpayne@69
|
640 * result, using krb5_c_prf_length() to determine the required length.
|
|
jpayne@69
|
641 *
|
|
jpayne@69
|
642 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
643 */
|
|
jpayne@69
|
644 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
645 krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock,
|
|
jpayne@69
|
646 krb5_data *input, krb5_data *output);
|
|
jpayne@69
|
647
|
|
jpayne@69
|
648 /**
|
|
jpayne@69
|
649 * Get the output length of pseudo-random functions for an encryption type.
|
|
jpayne@69
|
650 *
|
|
jpayne@69
|
651 * @param [in] context Library context
|
|
jpayne@69
|
652 * @param [in] enctype Encryption type
|
|
jpayne@69
|
653 * @param [out] len Length of PRF output
|
|
jpayne@69
|
654 *
|
|
jpayne@69
|
655 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
656 */
|
|
jpayne@69
|
657 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
658 krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len);
|
|
jpayne@69
|
659
|
|
jpayne@69
|
660 /**
|
|
jpayne@69
|
661 * Generate pseudo-random bytes using RFC 6113 PRF+.
|
|
jpayne@69
|
662 *
|
|
jpayne@69
|
663 * @param [in] context Library context
|
|
jpayne@69
|
664 * @param [in] k KDC contribution key
|
|
jpayne@69
|
665 * @param [in] input Input data
|
|
jpayne@69
|
666 * @param [out] output Pseudo-random output buffer
|
|
jpayne@69
|
667 *
|
|
jpayne@69
|
668 * This function fills @a output with PRF+(k, input) as defined in RFC 6113
|
|
jpayne@69
|
669 * section 5.1. The caller must preinitialize @a output and allocate the
|
|
jpayne@69
|
670 * desired amount of space. The length of the pseudo-random output will match
|
|
jpayne@69
|
671 * the length of @a output.
|
|
jpayne@69
|
672 *
|
|
jpayne@69
|
673 * @note RFC 4402 defines a different PRF+ operation. This function does not
|
|
jpayne@69
|
674 * implement that operation.
|
|
jpayne@69
|
675 *
|
|
jpayne@69
|
676 * @return 0 on success, @c E2BIG if output->length is too large for PRF+ to
|
|
jpayne@69
|
677 * generate, @c ENOMEM on allocation failure, or an error code from
|
|
jpayne@69
|
678 * krb5_c_prf()
|
|
jpayne@69
|
679 */
|
|
jpayne@69
|
680 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
681 krb5_c_prfplus(krb5_context context, const krb5_keyblock *k,
|
|
jpayne@69
|
682 const krb5_data *input, krb5_data *output);
|
|
jpayne@69
|
683
|
|
jpayne@69
|
684 /**
|
|
jpayne@69
|
685 * Derive a key using some input data (via RFC 6113 PRF+).
|
|
jpayne@69
|
686 *
|
|
jpayne@69
|
687 * @param [in] context Library context
|
|
jpayne@69
|
688 * @param [in] k KDC contribution key
|
|
jpayne@69
|
689 * @param [in] input Input string
|
|
jpayne@69
|
690 * @param [in] enctype Output key enctype (or @c ENCTYPE_NULL)
|
|
jpayne@69
|
691 * @param [out] out Derived keyblock
|
|
jpayne@69
|
692 *
|
|
jpayne@69
|
693 * This function uses PRF+ as defined in RFC 6113 to derive a key from another
|
|
jpayne@69
|
694 * key and an input string. If @a enctype is @c ENCTYPE_NULL, the output key
|
|
jpayne@69
|
695 * will have the same enctype as the input key.
|
|
jpayne@69
|
696 */
|
|
jpayne@69
|
697 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
698 krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k,
|
|
jpayne@69
|
699 const krb5_data *input, krb5_enctype enctype,
|
|
jpayne@69
|
700 krb5_keyblock **out);
|
|
jpayne@69
|
701
|
|
jpayne@69
|
702 /**
|
|
jpayne@69
|
703 * Compute the KRB-FX-CF2 combination of two keys and pepper strings.
|
|
jpayne@69
|
704 *
|
|
jpayne@69
|
705 * @param [in] context Library context
|
|
jpayne@69
|
706 * @param [in] k1 KDC contribution key
|
|
jpayne@69
|
707 * @param [in] pepper1 String "PKINIT"
|
|
jpayne@69
|
708 * @param [in] k2 Reply key
|
|
jpayne@69
|
709 * @param [in] pepper2 String "KeyExchange"
|
|
jpayne@69
|
710 * @param [out] out Output key
|
|
jpayne@69
|
711 *
|
|
jpayne@69
|
712 * This function computes the KRB-FX-CF2 function over its inputs and places
|
|
jpayne@69
|
713 * the results in a newly allocated keyblock. This function is simple in that
|
|
jpayne@69
|
714 * it assumes that @a pepper1 and @a pepper2 are C strings with no internal
|
|
jpayne@69
|
715 * nulls and that the enctype of the result will be the same as that of @a k1.
|
|
jpayne@69
|
716 * @a k1 and @a k2 may be of different enctypes.
|
|
jpayne@69
|
717 *
|
|
jpayne@69
|
718 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
719 */
|
|
jpayne@69
|
720 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
721 krb5_c_fx_cf2_simple(krb5_context context,
|
|
jpayne@69
|
722 const krb5_keyblock *k1, const char *pepper1,
|
|
jpayne@69
|
723 const krb5_keyblock *k2, const char *pepper2,
|
|
jpayne@69
|
724 krb5_keyblock **out);
|
|
jpayne@69
|
725
|
|
jpayne@69
|
726 /**
|
|
jpayne@69
|
727 * Generate an enctype-specific random encryption key.
|
|
jpayne@69
|
728 *
|
|
jpayne@69
|
729 * @param [in] context Library context
|
|
jpayne@69
|
730 * @param [in] enctype Encryption type of the generated key
|
|
jpayne@69
|
731 * @param [out] k5_random_key An allocated and initialized keyblock
|
|
jpayne@69
|
732 *
|
|
jpayne@69
|
733 * Use krb5_free_keyblock_contents() to free @a k5_random_key when
|
|
jpayne@69
|
734 * no longer needed.
|
|
jpayne@69
|
735 *
|
|
jpayne@69
|
736 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
737 */
|
|
jpayne@69
|
738 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
739 krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
740 krb5_keyblock *k5_random_key);
|
|
jpayne@69
|
741
|
|
jpayne@69
|
742 /**
|
|
jpayne@69
|
743 * Generate an enctype-specific key from random data.
|
|
jpayne@69
|
744 *
|
|
jpayne@69
|
745 * @param [in] context Library context
|
|
jpayne@69
|
746 * @param [in] enctype Encryption type
|
|
jpayne@69
|
747 * @param [in] random_data Random input data
|
|
jpayne@69
|
748 * @param [out] k5_random_key Resulting key
|
|
jpayne@69
|
749 *
|
|
jpayne@69
|
750 * This function takes random input data @a random_data and produces a valid
|
|
jpayne@69
|
751 * key @a k5_random_key for a given @a enctype.
|
|
jpayne@69
|
752 *
|
|
jpayne@69
|
753 * @note It is assumed that @a k5_random_key has already been initialized and
|
|
jpayne@69
|
754 * @a k5_random_key->contents has been allocated with the correct length.
|
|
jpayne@69
|
755 *
|
|
jpayne@69
|
756 * @sa krb5_c_keylengths()
|
|
jpayne@69
|
757 *
|
|
jpayne@69
|
758 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
759 */
|
|
jpayne@69
|
760 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
761 krb5_c_random_to_key(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
762 krb5_data *random_data, krb5_keyblock *k5_random_key);
|
|
jpayne@69
|
763
|
|
jpayne@69
|
764 /** @deprecated This call is no longer necessary. */
|
|
jpayne@69
|
765 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
766 krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
|
|
jpayne@69
|
767 const krb5_data *data);
|
|
jpayne@69
|
768
|
|
jpayne@69
|
769 /**
|
|
jpayne@69
|
770 * Generate pseudo-random bytes.
|
|
jpayne@69
|
771 *
|
|
jpayne@69
|
772 * @param [in] context Library context
|
|
jpayne@69
|
773 * @param [out] data Random data
|
|
jpayne@69
|
774 *
|
|
jpayne@69
|
775 * Fills in @a data with bytes from the PRNG used by krb5 crypto operations.
|
|
jpayne@69
|
776 * The caller must preinitialize @a data and allocate the desired amount of
|
|
jpayne@69
|
777 * space.
|
|
jpayne@69
|
778 *
|
|
jpayne@69
|
779 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
780 */
|
|
jpayne@69
|
781 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
782 krb5_c_random_make_octets(krb5_context context, krb5_data *data);
|
|
jpayne@69
|
783
|
|
jpayne@69
|
784 /** @deprecated This call is no longer necessary. */
|
|
jpayne@69
|
785 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
786 krb5_c_random_os_entropy(krb5_context context, int strong, int *success);
|
|
jpayne@69
|
787
|
|
jpayne@69
|
788 /** @deprecated This call is no longer necessary. */
|
|
jpayne@69
|
789 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
790 krb5_c_random_seed(krb5_context context, krb5_data *data);
|
|
jpayne@69
|
791
|
|
jpayne@69
|
792 /**
|
|
jpayne@69
|
793 * Convert a string (such a password) to a key.
|
|
jpayne@69
|
794 *
|
|
jpayne@69
|
795 * @param [in] context Library context
|
|
jpayne@69
|
796 * @param [in] enctype Encryption type
|
|
jpayne@69
|
797 * @param [in] string String to be converted
|
|
jpayne@69
|
798 * @param [in] salt Salt value
|
|
jpayne@69
|
799 * @param [out] key Generated key
|
|
jpayne@69
|
800 *
|
|
jpayne@69
|
801 * This function converts @a string to a @a key of encryption type @a enctype,
|
|
jpayne@69
|
802 * using the specified @a salt. The newly created @a key must be released by
|
|
jpayne@69
|
803 * calling krb5_free_keyblock_contents() when it is no longer needed.
|
|
jpayne@69
|
804 *
|
|
jpayne@69
|
805 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
806 */
|
|
jpayne@69
|
807 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
808 krb5_c_string_to_key(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
809 const krb5_data *string, const krb5_data *salt,
|
|
jpayne@69
|
810 krb5_keyblock *key);
|
|
jpayne@69
|
811
|
|
jpayne@69
|
812 /**
|
|
jpayne@69
|
813 * Convert a string (such as a password) to a key with additional parameters.
|
|
jpayne@69
|
814 *
|
|
jpayne@69
|
815 * @param [in] context Library context
|
|
jpayne@69
|
816 * @param [in] enctype Encryption type
|
|
jpayne@69
|
817 * @param [in] string String to be converted
|
|
jpayne@69
|
818 * @param [in] salt Salt value
|
|
jpayne@69
|
819 * @param [in] params Parameters
|
|
jpayne@69
|
820 * @param [out] key Generated key
|
|
jpayne@69
|
821 *
|
|
jpayne@69
|
822 * This function is similar to krb5_c_string_to_key(), but also takes
|
|
jpayne@69
|
823 * parameters which may affect the algorithm in an enctype-dependent way. The
|
|
jpayne@69
|
824 * newly created @a key must be released by calling
|
|
jpayne@69
|
825 * krb5_free_keyblock_contents() when it is no longer needed.
|
|
jpayne@69
|
826 *
|
|
jpayne@69
|
827 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
828 */
|
|
jpayne@69
|
829 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
830 krb5_c_string_to_key_with_params(krb5_context context,
|
|
jpayne@69
|
831 krb5_enctype enctype,
|
|
jpayne@69
|
832 const krb5_data *string,
|
|
jpayne@69
|
833 const krb5_data *salt,
|
|
jpayne@69
|
834 const krb5_data *params,
|
|
jpayne@69
|
835 krb5_keyblock *key);
|
|
jpayne@69
|
836
|
|
jpayne@69
|
837 /**
|
|
jpayne@69
|
838 * Compare two encryption types.
|
|
jpayne@69
|
839 *
|
|
jpayne@69
|
840 * @param [in] context Library context
|
|
jpayne@69
|
841 * @param [in] e1 First encryption type
|
|
jpayne@69
|
842 * @param [in] e2 Second encryption type
|
|
jpayne@69
|
843 * @param [out] similar @c TRUE if types are similar, @c FALSE if not
|
|
jpayne@69
|
844 *
|
|
jpayne@69
|
845 * This function determines whether two encryption types use the same kind of
|
|
jpayne@69
|
846 * keys.
|
|
jpayne@69
|
847 *
|
|
jpayne@69
|
848 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
849 */
|
|
jpayne@69
|
850 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
851 krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
|
|
jpayne@69
|
852 krb5_boolean *similar);
|
|
jpayne@69
|
853
|
|
jpayne@69
|
854 /**
|
|
jpayne@69
|
855 * Compute a checksum (operates on keyblock).
|
|
jpayne@69
|
856 *
|
|
jpayne@69
|
857 * @param [in] context Library context
|
|
jpayne@69
|
858 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
859 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
860 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
861 * @param [in] input Input data
|
|
jpayne@69
|
862 * @param [out] cksum Generated checksum
|
|
jpayne@69
|
863 *
|
|
jpayne@69
|
864 * This function computes a checksum of type @a cksumtype over @a input, using
|
|
jpayne@69
|
865 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and
|
|
jpayne@69
|
866 * @a key is non-null, the checksum type will be the mandatory-to-implement
|
|
jpayne@69
|
867 * checksum type for the key's encryption type. The actual checksum key will
|
|
jpayne@69
|
868 * be derived from @a key and @a usage if key derivation is specified for the
|
|
jpayne@69
|
869 * checksum type. The newly created @a cksum must be released by calling
|
|
jpayne@69
|
870 * krb5_free_checksum_contents() when it is no longer needed.
|
|
jpayne@69
|
871 *
|
|
jpayne@69
|
872 * @note This function is similar to krb5_k_make_checksum(), but operates
|
|
jpayne@69
|
873 * on keyblock @a key.
|
|
jpayne@69
|
874 *
|
|
jpayne@69
|
875 * @sa krb5_c_verify_checksum()
|
|
jpayne@69
|
876 *
|
|
jpayne@69
|
877 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
878 */
|
|
jpayne@69
|
879 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
880 krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
881 const krb5_keyblock *key, krb5_keyusage usage,
|
|
jpayne@69
|
882 const krb5_data *input, krb5_checksum *cksum);
|
|
jpayne@69
|
883
|
|
jpayne@69
|
884 /**
|
|
jpayne@69
|
885 * Verify a checksum (operates on keyblock).
|
|
jpayne@69
|
886 *
|
|
jpayne@69
|
887 * @param [in] context Library context
|
|
jpayne@69
|
888 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
889 * @param [in] usage @a key usage
|
|
jpayne@69
|
890 * @param [in] data Data to be used to compute a new checksum
|
|
jpayne@69
|
891 * using @a key to compare @a cksum against
|
|
jpayne@69
|
892 * @param [in] cksum Checksum to be verified
|
|
jpayne@69
|
893 * @param [out] valid Non-zero for success, zero for failure
|
|
jpayne@69
|
894 *
|
|
jpayne@69
|
895 * This function verifies that @a cksum is a valid checksum for @a data. If
|
|
jpayne@69
|
896 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify
|
|
jpayne@69
|
897 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL,
|
|
jpayne@69
|
898 * the mandatory checksum type for @a key will be used. The actual checksum
|
|
jpayne@69
|
899 * key will be derived from @a key and @a usage if key derivation is specified
|
|
jpayne@69
|
900 * for the checksum type.
|
|
jpayne@69
|
901 *
|
|
jpayne@69
|
902 * @note This function is similar to krb5_k_verify_checksum(), but operates
|
|
jpayne@69
|
903 * on keyblock @a key.
|
|
jpayne@69
|
904 *
|
|
jpayne@69
|
905 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
906 */
|
|
jpayne@69
|
907 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
908 krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
|
|
jpayne@69
|
909 krb5_keyusage usage, const krb5_data *data,
|
|
jpayne@69
|
910 const krb5_checksum *cksum, krb5_boolean *valid);
|
|
jpayne@69
|
911
|
|
jpayne@69
|
912 /**
|
|
jpayne@69
|
913 * Return the length of checksums for a checksum type.
|
|
jpayne@69
|
914 *
|
|
jpayne@69
|
915 * @param [in] context Library context
|
|
jpayne@69
|
916 * @param [in] cksumtype Checksum type
|
|
jpayne@69
|
917 * @param [out] length Checksum length
|
|
jpayne@69
|
918 *
|
|
jpayne@69
|
919 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
920 */
|
|
jpayne@69
|
921 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
922 krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
923 size_t *length);
|
|
jpayne@69
|
924
|
|
jpayne@69
|
925 /**
|
|
jpayne@69
|
926 * Return a list of keyed checksum types usable with an encryption type.
|
|
jpayne@69
|
927 *
|
|
jpayne@69
|
928 * @param [in] context Library context
|
|
jpayne@69
|
929 * @param [in] enctype Encryption type
|
|
jpayne@69
|
930 * @param [out] count Count of allowable checksum types
|
|
jpayne@69
|
931 * @param [out] cksumtypes Array of allowable checksum types
|
|
jpayne@69
|
932 *
|
|
jpayne@69
|
933 * Use krb5_free_cksumtypes() to free @a cksumtypes when it is no longer
|
|
jpayne@69
|
934 * needed.
|
|
jpayne@69
|
935 *
|
|
jpayne@69
|
936 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
937 */
|
|
jpayne@69
|
938 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
939 krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
940 unsigned int *count, krb5_cksumtype **cksumtypes);
|
|
jpayne@69
|
941
|
|
jpayne@69
|
942 /** @defgroup KRB5_KEYUSAGE KRB5_KEYUSAGE
|
|
jpayne@69
|
943 * @{
|
|
jpayne@69
|
944 */
|
|
jpayne@69
|
945 #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1
|
|
jpayne@69
|
946 #define KRB5_KEYUSAGE_KDC_REP_TICKET 2
|
|
jpayne@69
|
947 #define KRB5_KEYUSAGE_AS_REP_ENCPART 3
|
|
jpayne@69
|
948 #define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4
|
|
jpayne@69
|
949 #define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5
|
|
jpayne@69
|
950 #define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6
|
|
jpayne@69
|
951 #define KRB5_KEYUSAGE_TGS_REQ_AUTH 7
|
|
jpayne@69
|
952 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8
|
|
jpayne@69
|
953 #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9
|
|
jpayne@69
|
954 #define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10
|
|
jpayne@69
|
955 #define KRB5_KEYUSAGE_AP_REQ_AUTH 11
|
|
jpayne@69
|
956 #define KRB5_KEYUSAGE_AP_REP_ENCPART 12
|
|
jpayne@69
|
957 #define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13
|
|
jpayne@69
|
958 #define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14
|
|
jpayne@69
|
959 #define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15
|
|
jpayne@69
|
960 #define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16
|
|
jpayne@69
|
961 #define KRB5_KEYUSAGE_APP_DATA_CKSUM 17
|
|
jpayne@69
|
962 #define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18
|
|
jpayne@69
|
963 #define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19
|
|
jpayne@69
|
964 #define KRB5_KEYUSAGE_AD_MTE 20
|
|
jpayne@69
|
965 #define KRB5_KEYUSAGE_AD_ITE 21
|
|
jpayne@69
|
966
|
|
jpayne@69
|
967 /* XXX need to register these */
|
|
jpayne@69
|
968
|
|
jpayne@69
|
969 #define KRB5_KEYUSAGE_GSS_TOK_MIC 22
|
|
jpayne@69
|
970 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23
|
|
jpayne@69
|
971 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24
|
|
jpayne@69
|
972
|
|
jpayne@69
|
973 /* Defined in Integrating SAM Mechanisms with Kerberos draft */
|
|
jpayne@69
|
974 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25
|
|
jpayne@69
|
975 /** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */
|
|
jpayne@69
|
976 #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26
|
|
jpayne@69
|
977 /** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */
|
|
jpayne@69
|
978 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27
|
|
jpayne@69
|
979
|
|
jpayne@69
|
980 /* Defined in [MS-SFU] */
|
|
jpayne@69
|
981 /** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */
|
|
jpayne@69
|
982 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26
|
|
jpayne@69
|
983 /** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_RESPONSE */
|
|
jpayne@69
|
984 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27
|
|
jpayne@69
|
985
|
|
jpayne@69
|
986 /* unused */
|
|
jpayne@69
|
987 #define KRB5_KEYUSAGE_PA_REFERRAL 26
|
|
jpayne@69
|
988
|
|
jpayne@69
|
989 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
|
|
jpayne@69
|
990 #define KRB5_KEYUSAGE_IAKERB_FINISHED 42
|
|
jpayne@69
|
991 #define KRB5_KEYUSAGE_PA_PKINIT_KX 44
|
|
jpayne@69
|
992 #define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */
|
|
jpayne@69
|
993 /* define in draft-ietf-krb-wg-preauth-framework*/
|
|
jpayne@69
|
994 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
|
|
jpayne@69
|
995 #define KRB5_KEYUSAGE_FAST_ENC 51
|
|
jpayne@69
|
996 #define KRB5_KEYUSAGE_FAST_REP 52
|
|
jpayne@69
|
997 #define KRB5_KEYUSAGE_FAST_FINISHED 53
|
|
jpayne@69
|
998 #define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54
|
|
jpayne@69
|
999 #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55
|
|
jpayne@69
|
1000 #define KRB5_KEYUSAGE_AS_REQ 56
|
|
jpayne@69
|
1001 #define KRB5_KEYUSAGE_CAMMAC 64
|
|
jpayne@69
|
1002 #define KRB5_KEYUSAGE_SPAKE 65
|
|
jpayne@69
|
1003
|
|
jpayne@69
|
1004 /* Key usage values 512-1023 are reserved for uses internal to a Kerberos
|
|
jpayne@69
|
1005 * implementation. */
|
|
jpayne@69
|
1006 #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */
|
|
jpayne@69
|
1007 #define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */
|
|
jpayne@69
|
1008 /** @} */ /* end of KRB5_KEYUSAGE group */
|
|
jpayne@69
|
1009
|
|
jpayne@69
|
1010 /**
|
|
jpayne@69
|
1011 * Verify that a specified encryption type is a valid Kerberos encryption type.
|
|
jpayne@69
|
1012 *
|
|
jpayne@69
|
1013 * @param [in] ktype Encryption type
|
|
jpayne@69
|
1014 *
|
|
jpayne@69
|
1015 * @return @c TRUE if @a ktype is valid, @c FALSE if not
|
|
jpayne@69
|
1016 */
|
|
jpayne@69
|
1017 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
1018 krb5_c_valid_enctype(krb5_enctype ktype);
|
|
jpayne@69
|
1019
|
|
jpayne@69
|
1020 /**
|
|
jpayne@69
|
1021 * Verify that specified checksum type is a valid Kerberos checksum type.
|
|
jpayne@69
|
1022 *
|
|
jpayne@69
|
1023 * @param [in] ctype Checksum type
|
|
jpayne@69
|
1024 *
|
|
jpayne@69
|
1025 * @return @c TRUE if @a ctype is valid, @c FALSE if not
|
|
jpayne@69
|
1026 */
|
|
jpayne@69
|
1027 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
1028 krb5_c_valid_cksumtype(krb5_cksumtype ctype);
|
|
jpayne@69
|
1029
|
|
jpayne@69
|
1030 /**
|
|
jpayne@69
|
1031 * Test whether a checksum type is collision-proof.
|
|
jpayne@69
|
1032 *
|
|
jpayne@69
|
1033 * @param [in] ctype Checksum type
|
|
jpayne@69
|
1034 *
|
|
jpayne@69
|
1035 * @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not
|
|
jpayne@69
|
1036 * collision-proof or not a valid checksum type.
|
|
jpayne@69
|
1037 */
|
|
jpayne@69
|
1038 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
1039 krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
|
|
jpayne@69
|
1040
|
|
jpayne@69
|
1041 /**
|
|
jpayne@69
|
1042 * Test whether a checksum type is keyed.
|
|
jpayne@69
|
1043 *
|
|
jpayne@69
|
1044 * @param [in] ctype Checksum type
|
|
jpayne@69
|
1045 *
|
|
jpayne@69
|
1046 * @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise.
|
|
jpayne@69
|
1047 */
|
|
jpayne@69
|
1048 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
1049 krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
|
|
jpayne@69
|
1050
|
|
jpayne@69
|
1051 /* AEAD APIs */
|
|
jpayne@69
|
1052 /** @defgroup KRB5_CRYPTO_TYPE KRB5_CRYPTO_TYPE
|
|
jpayne@69
|
1053 * @{
|
|
jpayne@69
|
1054 */
|
|
jpayne@69
|
1055 #define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */
|
|
jpayne@69
|
1056 #define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */
|
|
jpayne@69
|
1057 #define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */
|
|
jpayne@69
|
1058 #define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */
|
|
jpayne@69
|
1059 #define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */
|
|
jpayne@69
|
1060 #define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */
|
|
jpayne@69
|
1061 #define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */
|
|
jpayne@69
|
1062 #define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without
|
|
jpayne@69
|
1063 decomposing the structure into
|
|
jpayne@69
|
1064 header, data and trailer buffers */
|
|
jpayne@69
|
1065 /** @} */ /* end of KRB5_CRYPTO_TYPE group */
|
|
jpayne@69
|
1066
|
|
jpayne@69
|
1067 /**
|
|
jpayne@69
|
1068 * Fill in a checksum element in IOV array (operates on keyblock)
|
|
jpayne@69
|
1069 *
|
|
jpayne@69
|
1070 * @param [in] context Library context
|
|
jpayne@69
|
1071 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
1072 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1073 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1074 * @param [in,out] data IOV array
|
|
jpayne@69
|
1075 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1076 *
|
|
jpayne@69
|
1077 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
|
|
jpayne@69
|
1078 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
|
|
jpayne@69
|
1079 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
|
|
jpayne@69
|
1080 *
|
|
jpayne@69
|
1081 * @note This function is similar to krb5_k_make_checksum_iov(), but operates
|
|
jpayne@69
|
1082 * on keyblock @a key.
|
|
jpayne@69
|
1083 *
|
|
jpayne@69
|
1084 * @sa krb5_c_verify_checksum_iov()
|
|
jpayne@69
|
1085 *
|
|
jpayne@69
|
1086 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1087 */
|
|
jpayne@69
|
1088 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1089 krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
1090 const krb5_keyblock *key, krb5_keyusage usage,
|
|
jpayne@69
|
1091 krb5_crypto_iov *data, size_t num_data);
|
|
jpayne@69
|
1092
|
|
jpayne@69
|
1093 /**
|
|
jpayne@69
|
1094 * Validate a checksum element in IOV array (operates on keyblock).
|
|
jpayne@69
|
1095 *
|
|
jpayne@69
|
1096 * @param [in] context Library context
|
|
jpayne@69
|
1097 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
1098 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1099 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1100 * @param [in] data IOV array
|
|
jpayne@69
|
1101 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1102 * @param [out] valid Non-zero for success, zero for failure
|
|
jpayne@69
|
1103 *
|
|
jpayne@69
|
1104 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
|
|
jpayne@69
|
1105 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
|
|
jpayne@69
|
1106 * regions in the iov.
|
|
jpayne@69
|
1107 *
|
|
jpayne@69
|
1108 * @note This function is similar to krb5_k_verify_checksum_iov(), but operates
|
|
jpayne@69
|
1109 * on keyblock @a key.
|
|
jpayne@69
|
1110 *
|
|
jpayne@69
|
1111 * @sa krb5_c_make_checksum_iov()
|
|
jpayne@69
|
1112 *
|
|
jpayne@69
|
1113 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1114 */
|
|
jpayne@69
|
1115 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1116 krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
1117 const krb5_keyblock *key, krb5_keyusage usage,
|
|
jpayne@69
|
1118 const krb5_crypto_iov *data, size_t num_data,
|
|
jpayne@69
|
1119 krb5_boolean *valid);
|
|
jpayne@69
|
1120
|
|
jpayne@69
|
1121 /**
|
|
jpayne@69
|
1122 * Encrypt data in place supporting AEAD (operates on keyblock).
|
|
jpayne@69
|
1123 *
|
|
jpayne@69
|
1124 * @param [in] context Library context
|
|
jpayne@69
|
1125 * @param [in] keyblock Encryption key
|
|
jpayne@69
|
1126 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1127 * @param [in] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1128 * @param [in,out] data IOV array. Modified in-place.
|
|
jpayne@69
|
1129 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1130 *
|
|
jpayne@69
|
1131 * This function encrypts the data block @a data and stores the output in-place.
|
|
jpayne@69
|
1132 * The actual encryption key will be derived from @a keyblock and @a usage
|
|
jpayne@69
|
1133 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1134 * cipher_state specifies the beginning state for the encryption operation, and
|
|
jpayne@69
|
1135 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1136 * The caller must allocate the right number of krb5_crypto_iov
|
|
jpayne@69
|
1137 * structures before calling into this API.
|
|
jpayne@69
|
1138 *
|
|
jpayne@69
|
1139 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
|
|
jpayne@69
|
1140 * iov structure are adjusted to reflect actual lengths of the ciphertext used.
|
|
jpayne@69
|
1141 * For example, if the padding length is too large, the length will be reduced.
|
|
jpayne@69
|
1142 * Lengths are never increased.
|
|
jpayne@69
|
1143 *
|
|
jpayne@69
|
1144 * @note This function is similar to krb5_k_encrypt_iov(), but operates
|
|
jpayne@69
|
1145 * on keyblock @a keyblock.
|
|
jpayne@69
|
1146 *
|
|
jpayne@69
|
1147 * @sa krb5_c_decrypt_iov()
|
|
jpayne@69
|
1148 *
|
|
jpayne@69
|
1149 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1150 */
|
|
jpayne@69
|
1151 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1152 krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
|
|
jpayne@69
|
1153 krb5_keyusage usage, const krb5_data *cipher_state,
|
|
jpayne@69
|
1154 krb5_crypto_iov *data, size_t num_data);
|
|
jpayne@69
|
1155
|
|
jpayne@69
|
1156 /**
|
|
jpayne@69
|
1157 * Decrypt data in place supporting AEAD (operates on keyblock).
|
|
jpayne@69
|
1158 *
|
|
jpayne@69
|
1159 * @param [in] context Library context
|
|
jpayne@69
|
1160 * @param [in] keyblock Encryption key
|
|
jpayne@69
|
1161 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1162 * @param [in] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1163 * @param [in,out] data IOV array. Modified in-place.
|
|
jpayne@69
|
1164 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1165 *
|
|
jpayne@69
|
1166 * This function decrypts the data block @a data and stores the output in-place.
|
|
jpayne@69
|
1167 * The actual decryption key will be derived from @a keyblock and @a usage
|
|
jpayne@69
|
1168 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1169 * cipher_state specifies the beginning state for the decryption operation, and
|
|
jpayne@69
|
1170 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1171 * The caller must allocate the right number of krb5_crypto_iov
|
|
jpayne@69
|
1172 * structures before calling into this API.
|
|
jpayne@69
|
1173 *
|
|
jpayne@69
|
1174 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
|
|
jpayne@69
|
1175 * iov structure are adjusted to reflect actual lengths of the ciphertext used.
|
|
jpayne@69
|
1176 * For example, if the padding length is too large, the length will be reduced.
|
|
jpayne@69
|
1177 * Lengths are never increased.
|
|
jpayne@69
|
1178 *
|
|
jpayne@69
|
1179 * @note This function is similar to krb5_k_decrypt_iov(), but operates
|
|
jpayne@69
|
1180 * on keyblock @a keyblock.
|
|
jpayne@69
|
1181 *
|
|
jpayne@69
|
1182 * @sa krb5_c_decrypt_iov()
|
|
jpayne@69
|
1183 *
|
|
jpayne@69
|
1184 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1185 */
|
|
jpayne@69
|
1186 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1187 krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
|
|
jpayne@69
|
1188 krb5_keyusage usage, const krb5_data *cipher_state,
|
|
jpayne@69
|
1189 krb5_crypto_iov *data, size_t num_data);
|
|
jpayne@69
|
1190
|
|
jpayne@69
|
1191 /**
|
|
jpayne@69
|
1192 * Return a length of a message field specific to the encryption type.
|
|
jpayne@69
|
1193 *
|
|
jpayne@69
|
1194 * @param [in] context Library context
|
|
jpayne@69
|
1195 * @param [in] enctype Encryption type
|
|
jpayne@69
|
1196 * @param [in] type Type field (See @ref KRB5_CRYPTO_TYPE types)
|
|
jpayne@69
|
1197 * @param [out] size Length of the @a type specific to @a enctype
|
|
jpayne@69
|
1198 *
|
|
jpayne@69
|
1199 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1200 */
|
|
jpayne@69
|
1201 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1202 krb5_c_crypto_length(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
1203 krb5_cryptotype type, unsigned int *size);
|
|
jpayne@69
|
1204
|
|
jpayne@69
|
1205 /**
|
|
jpayne@69
|
1206 * Fill in lengths for header, trailer and padding in a IOV array.
|
|
jpayne@69
|
1207 *
|
|
jpayne@69
|
1208 * @param [in] context Library context
|
|
jpayne@69
|
1209 * @param [in] enctype Encryption type
|
|
jpayne@69
|
1210 * @param [in,out] data IOV array
|
|
jpayne@69
|
1211 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1212 *
|
|
jpayne@69
|
1213 * Padding is set to the actual padding required based on the provided
|
|
jpayne@69
|
1214 * @a data buffers. Typically this API is used after setting up the data
|
|
jpayne@69
|
1215 * buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually
|
|
jpayne@69
|
1216 * allocating header, trailer and padding.
|
|
jpayne@69
|
1217 *
|
|
jpayne@69
|
1218 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1219 */
|
|
jpayne@69
|
1220 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1221 krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
1222 krb5_crypto_iov *data, size_t num_data);
|
|
jpayne@69
|
1223
|
|
jpayne@69
|
1224 /**
|
|
jpayne@69
|
1225 * Return a number of padding octets.
|
|
jpayne@69
|
1226 *
|
|
jpayne@69
|
1227 * @param [in] context Library context
|
|
jpayne@69
|
1228 * @param [in] enctype Encryption type
|
|
jpayne@69
|
1229 * @param [in] data_length Length of the plaintext to pad
|
|
jpayne@69
|
1230 * @param [out] size Number of padding octets
|
|
jpayne@69
|
1231 *
|
|
jpayne@69
|
1232 * This function returns the number of the padding octets required to pad
|
|
jpayne@69
|
1233 * @a data_length octets of plaintext.
|
|
jpayne@69
|
1234 *
|
|
jpayne@69
|
1235 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
|
|
jpayne@69
|
1236 */
|
|
jpayne@69
|
1237 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1238 krb5_c_padding_length(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
1239 size_t data_length, unsigned int *size);
|
|
jpayne@69
|
1240
|
|
jpayne@69
|
1241 /**
|
|
jpayne@69
|
1242 * Create a krb5_key from the enctype and key data in a keyblock.
|
|
jpayne@69
|
1243 *
|
|
jpayne@69
|
1244 * @param [in] context Library context
|
|
jpayne@69
|
1245 * @param [in] key_data Keyblock
|
|
jpayne@69
|
1246 * @param [out] out Opaque key
|
|
jpayne@69
|
1247 *
|
|
jpayne@69
|
1248 * The reference count on a key @a out is set to 1.
|
|
jpayne@69
|
1249 * Use krb5_k_free_key() to free @a out when it is no longer needed.
|
|
jpayne@69
|
1250 *
|
|
jpayne@69
|
1251 * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
|
|
jpayne@69
|
1252 */
|
|
jpayne@69
|
1253 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1254 krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
|
|
jpayne@69
|
1255 krb5_key *out);
|
|
jpayne@69
|
1256
|
|
jpayne@69
|
1257 /** Increment the reference count on a key. */
|
|
jpayne@69
|
1258 void KRB5_CALLCONV
|
|
jpayne@69
|
1259 krb5_k_reference_key(krb5_context context, krb5_key key);
|
|
jpayne@69
|
1260
|
|
jpayne@69
|
1261 /** Decrement the reference count on a key and free it if it hits zero. */
|
|
jpayne@69
|
1262 void KRB5_CALLCONV
|
|
jpayne@69
|
1263 krb5_k_free_key(krb5_context context, krb5_key key);
|
|
jpayne@69
|
1264
|
|
jpayne@69
|
1265 /** Retrieve a copy of the keyblock from a krb5_key structure. */
|
|
jpayne@69
|
1266 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1267 krb5_k_key_keyblock(krb5_context context, krb5_key key,
|
|
jpayne@69
|
1268 krb5_keyblock **key_data);
|
|
jpayne@69
|
1269
|
|
jpayne@69
|
1270 /** Retrieve the enctype of a krb5_key structure. */
|
|
jpayne@69
|
1271 krb5_enctype KRB5_CALLCONV
|
|
jpayne@69
|
1272 krb5_k_key_enctype(krb5_context context, krb5_key key);
|
|
jpayne@69
|
1273
|
|
jpayne@69
|
1274 /**
|
|
jpayne@69
|
1275 * Encrypt data using a key (operates on opaque key).
|
|
jpayne@69
|
1276 *
|
|
jpayne@69
|
1277 * @param [in] context Library context
|
|
jpayne@69
|
1278 * @param [in] key Encryption key
|
|
jpayne@69
|
1279 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1280 * @param [in,out] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1281 * @param [in] input Data to be encrypted
|
|
jpayne@69
|
1282 * @param [out] output Encrypted data
|
|
jpayne@69
|
1283 *
|
|
jpayne@69
|
1284 * This function encrypts the data block @a input and stores the output into @a
|
|
jpayne@69
|
1285 * output. The actual encryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
1286 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1287 * cipher_state specifies the beginning state for the encryption operation, and
|
|
jpayne@69
|
1288 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1289 *
|
|
jpayne@69
|
1290 * @note The caller must initialize @a output and allocate at least enough
|
|
jpayne@69
|
1291 * space for the result (using krb5_c_encrypt_length() to determine the amount
|
|
jpayne@69
|
1292 * of space needed). @a output->length will be set to the actual length of the
|
|
jpayne@69
|
1293 * ciphertext.
|
|
jpayne@69
|
1294 *
|
|
jpayne@69
|
1295 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1296 */
|
|
jpayne@69
|
1297 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1298 krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1299 const krb5_data *cipher_state, const krb5_data *input,
|
|
jpayne@69
|
1300 krb5_enc_data *output);
|
|
jpayne@69
|
1301
|
|
jpayne@69
|
1302 /**
|
|
jpayne@69
|
1303 * Encrypt data in place supporting AEAD (operates on opaque key).
|
|
jpayne@69
|
1304 *
|
|
jpayne@69
|
1305 * @param [in] context Library context
|
|
jpayne@69
|
1306 * @param [in] key Encryption key
|
|
jpayne@69
|
1307 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1308 * @param [in] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1309 * @param [in,out] data IOV array. Modified in-place.
|
|
jpayne@69
|
1310 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1311 *
|
|
jpayne@69
|
1312 * This function encrypts the data block @a data and stores the output in-place.
|
|
jpayne@69
|
1313 * The actual encryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
1314 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1315 * cipher_state specifies the beginning state for the encryption operation, and
|
|
jpayne@69
|
1316 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1317 * The caller must allocate the right number of krb5_crypto_iov
|
|
jpayne@69
|
1318 * structures before calling into this API.
|
|
jpayne@69
|
1319 *
|
|
jpayne@69
|
1320 * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
|
|
jpayne@69
|
1321 * iov structure are adjusted to reflect actual lengths of the ciphertext used.
|
|
jpayne@69
|
1322 * For example, if the padding length is too large, the length will be reduced.
|
|
jpayne@69
|
1323 * Lengths are never increased.
|
|
jpayne@69
|
1324 *
|
|
jpayne@69
|
1325 * @note This function is similar to krb5_c_encrypt_iov(), but operates
|
|
jpayne@69
|
1326 * on opaque key @a key.
|
|
jpayne@69
|
1327 *
|
|
jpayne@69
|
1328 * @sa krb5_k_decrypt_iov()
|
|
jpayne@69
|
1329 *
|
|
jpayne@69
|
1330 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1331 */
|
|
jpayne@69
|
1332 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1333 krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1334 const krb5_data *cipher_state, krb5_crypto_iov *data,
|
|
jpayne@69
|
1335 size_t num_data);
|
|
jpayne@69
|
1336
|
|
jpayne@69
|
1337 /**
|
|
jpayne@69
|
1338 * Decrypt data using a key (operates on opaque key).
|
|
jpayne@69
|
1339 *
|
|
jpayne@69
|
1340 * @param [in] context Library context
|
|
jpayne@69
|
1341 * @param [in] key Encryption key
|
|
jpayne@69
|
1342 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1343 * @param [in,out] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1344 * @param [in] input Encrypted data
|
|
jpayne@69
|
1345 * @param [out] output Decrypted data
|
|
jpayne@69
|
1346 *
|
|
jpayne@69
|
1347 * This function decrypts the data block @a input and stores the output into @a
|
|
jpayne@69
|
1348 * output. The actual decryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
1349 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1350 * cipher_state specifies the beginning state for the decryption operation, and
|
|
jpayne@69
|
1351 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1352 *
|
|
jpayne@69
|
1353 * @note The caller must initialize @a output and allocate at least enough
|
|
jpayne@69
|
1354 * space for the result. The usual practice is to allocate an output buffer as
|
|
jpayne@69
|
1355 * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length.
|
|
jpayne@69
|
1356 * For some enctypes, the resulting @a output->length may include padding
|
|
jpayne@69
|
1357 * bytes.
|
|
jpayne@69
|
1358 *
|
|
jpayne@69
|
1359 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1360 */
|
|
jpayne@69
|
1361 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1362 krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1363 const krb5_data *cipher_state, const krb5_enc_data *input,
|
|
jpayne@69
|
1364 krb5_data *output);
|
|
jpayne@69
|
1365
|
|
jpayne@69
|
1366 /**
|
|
jpayne@69
|
1367 * Decrypt data in place supporting AEAD (operates on opaque key).
|
|
jpayne@69
|
1368 *
|
|
jpayne@69
|
1369 * @param [in] context Library context
|
|
jpayne@69
|
1370 * @param [in] key Encryption key
|
|
jpayne@69
|
1371 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1372 * @param [in] cipher_state Cipher state; specify NULL if not needed
|
|
jpayne@69
|
1373 * @param [in,out] data IOV array. Modified in-place.
|
|
jpayne@69
|
1374 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1375 *
|
|
jpayne@69
|
1376 * This function decrypts the data block @a data and stores the output in-place.
|
|
jpayne@69
|
1377 * The actual decryption key will be derived from @a key and @a usage
|
|
jpayne@69
|
1378 * if key derivation is specified for the encryption type. If non-null, @a
|
|
jpayne@69
|
1379 * cipher_state specifies the beginning state for the decryption operation, and
|
|
jpayne@69
|
1380 * is updated with the state to be passed as input to the next operation.
|
|
jpayne@69
|
1381 * The caller must allocate the right number of krb5_crypto_iov
|
|
jpayne@69
|
1382 * structures before calling into this API.
|
|
jpayne@69
|
1383 *
|
|
jpayne@69
|
1384 * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
|
|
jpayne@69
|
1385 * iov structure are adjusted to reflect actual lengths of the ciphertext used.
|
|
jpayne@69
|
1386 * For example, if the padding length is too large, the length will be reduced.
|
|
jpayne@69
|
1387 * Lengths are never increased.
|
|
jpayne@69
|
1388 *
|
|
jpayne@69
|
1389 * @note This function is similar to krb5_c_decrypt_iov(), but operates
|
|
jpayne@69
|
1390 * on opaque key @a key.
|
|
jpayne@69
|
1391 *
|
|
jpayne@69
|
1392 * @sa krb5_k_encrypt_iov()
|
|
jpayne@69
|
1393 *
|
|
jpayne@69
|
1394 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1395 */
|
|
jpayne@69
|
1396 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1397 krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1398 const krb5_data *cipher_state, krb5_crypto_iov *data,
|
|
jpayne@69
|
1399 size_t num_data);
|
|
jpayne@69
|
1400 /**
|
|
jpayne@69
|
1401 * Compute a checksum (operates on opaque key).
|
|
jpayne@69
|
1402 *
|
|
jpayne@69
|
1403 * @param [in] context Library context
|
|
jpayne@69
|
1404 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
1405 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1406 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1407 * @param [in] input Input data
|
|
jpayne@69
|
1408 * @param [out] cksum Generated checksum
|
|
jpayne@69
|
1409 *
|
|
jpayne@69
|
1410 * This function computes a checksum of type @a cksumtype over @a input, using
|
|
jpayne@69
|
1411 * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and
|
|
jpayne@69
|
1412 * @a key is non-null, the checksum type will be the mandatory-to-implement
|
|
jpayne@69
|
1413 * checksum type for the key's encryption type. The actual checksum key will
|
|
jpayne@69
|
1414 * be derived from @a key and @a usage if key derivation is specified for the
|
|
jpayne@69
|
1415 * checksum type. The newly created @a cksum must be released by calling
|
|
jpayne@69
|
1416 * krb5_free_checksum_contents() when it is no longer needed.
|
|
jpayne@69
|
1417 *
|
|
jpayne@69
|
1418 * @note This function is similar to krb5_c_make_checksum(), but operates
|
|
jpayne@69
|
1419 * on opaque @a key.
|
|
jpayne@69
|
1420 *
|
|
jpayne@69
|
1421 * @sa krb5_c_verify_checksum()
|
|
jpayne@69
|
1422 *
|
|
jpayne@69
|
1423 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1424 */
|
|
jpayne@69
|
1425 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1426 krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
1427 krb5_key key, krb5_keyusage usage, const krb5_data *input,
|
|
jpayne@69
|
1428 krb5_checksum *cksum);
|
|
jpayne@69
|
1429
|
|
jpayne@69
|
1430 /**
|
|
jpayne@69
|
1431 * Fill in a checksum element in IOV array (operates on opaque key)
|
|
jpayne@69
|
1432 *
|
|
jpayne@69
|
1433 * @param [in] context Library context
|
|
jpayne@69
|
1434 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
1435 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1436 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1437 * @param [in,out] data IOV array
|
|
jpayne@69
|
1438 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1439 *
|
|
jpayne@69
|
1440 * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
|
|
jpayne@69
|
1441 * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
|
|
jpayne@69
|
1442 * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
|
|
jpayne@69
|
1443 *
|
|
jpayne@69
|
1444 * @note This function is similar to krb5_c_make_checksum_iov(), but operates
|
|
jpayne@69
|
1445 * on opaque @a key.
|
|
jpayne@69
|
1446 *
|
|
jpayne@69
|
1447 * @sa krb5_k_verify_checksum_iov()
|
|
jpayne@69
|
1448 *
|
|
jpayne@69
|
1449 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1450 */
|
|
jpayne@69
|
1451 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1452 krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
1453 krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1454 krb5_crypto_iov *data, size_t num_data);
|
|
jpayne@69
|
1455
|
|
jpayne@69
|
1456 /**
|
|
jpayne@69
|
1457 * Verify a checksum (operates on opaque key).
|
|
jpayne@69
|
1458 *
|
|
jpayne@69
|
1459 * @param [in] context Library context
|
|
jpayne@69
|
1460 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1461 * @param [in] usage @a key usage
|
|
jpayne@69
|
1462 * @param [in] data Data to be used to compute a new checksum
|
|
jpayne@69
|
1463 * using @a key to compare @a cksum against
|
|
jpayne@69
|
1464 * @param [in] cksum Checksum to be verified
|
|
jpayne@69
|
1465 * @param [out] valid Non-zero for success, zero for failure
|
|
jpayne@69
|
1466 *
|
|
jpayne@69
|
1467 * This function verifies that @a cksum is a valid checksum for @a data. If
|
|
jpayne@69
|
1468 * the checksum type of @a cksum is a keyed checksum, @a key is used to verify
|
|
jpayne@69
|
1469 * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL,
|
|
jpayne@69
|
1470 * the mandatory checksum type for @a key will be used. The actual checksum
|
|
jpayne@69
|
1471 * key will be derived from @a key and @a usage if key derivation is specified
|
|
jpayne@69
|
1472 * for the checksum type.
|
|
jpayne@69
|
1473 *
|
|
jpayne@69
|
1474 * @note This function is similar to krb5_c_verify_checksum(), but operates
|
|
jpayne@69
|
1475 * on opaque @a key.
|
|
jpayne@69
|
1476 *
|
|
jpayne@69
|
1477 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1478 */
|
|
jpayne@69
|
1479 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1480 krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1481 const krb5_data *data, const krb5_checksum *cksum,
|
|
jpayne@69
|
1482 krb5_boolean *valid);
|
|
jpayne@69
|
1483
|
|
jpayne@69
|
1484 /**
|
|
jpayne@69
|
1485 * Validate a checksum element in IOV array (operates on opaque key).
|
|
jpayne@69
|
1486 *
|
|
jpayne@69
|
1487 * @param [in] context Library context
|
|
jpayne@69
|
1488 * @param [in] cksumtype Checksum type (0 for mandatory type)
|
|
jpayne@69
|
1489 * @param [in] key Encryption key for a keyed checksum
|
|
jpayne@69
|
1490 * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
|
|
jpayne@69
|
1491 * @param [in] data IOV array
|
|
jpayne@69
|
1492 * @param [in] num_data Size of @a data
|
|
jpayne@69
|
1493 * @param [out] valid Non-zero for success, zero for failure
|
|
jpayne@69
|
1494 *
|
|
jpayne@69
|
1495 * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
|
|
jpayne@69
|
1496 * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
|
|
jpayne@69
|
1497 * regions in the iov.
|
|
jpayne@69
|
1498 *
|
|
jpayne@69
|
1499 * @note This function is similar to krb5_c_verify_checksum_iov(), but operates
|
|
jpayne@69
|
1500 * on opaque @a key.
|
|
jpayne@69
|
1501 *
|
|
jpayne@69
|
1502 * @sa krb5_k_make_checksum_iov()
|
|
jpayne@69
|
1503 *
|
|
jpayne@69
|
1504 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1505 */
|
|
jpayne@69
|
1506 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1507 krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
|
|
jpayne@69
|
1508 krb5_key key, krb5_keyusage usage,
|
|
jpayne@69
|
1509 const krb5_crypto_iov *data, size_t num_data,
|
|
jpayne@69
|
1510 krb5_boolean *valid);
|
|
jpayne@69
|
1511
|
|
jpayne@69
|
1512 /**
|
|
jpayne@69
|
1513 * Generate enctype-specific pseudo-random bytes (operates on opaque key).
|
|
jpayne@69
|
1514 *
|
|
jpayne@69
|
1515 * @param [in] context Library context
|
|
jpayne@69
|
1516 * @param [in] key Key
|
|
jpayne@69
|
1517 * @param [in] input Input data
|
|
jpayne@69
|
1518 * @param [out] output Output data
|
|
jpayne@69
|
1519 *
|
|
jpayne@69
|
1520 * This function selects a pseudo-random function based on @a key and
|
|
jpayne@69
|
1521 * computes its value over @a input, placing the result into @a output.
|
|
jpayne@69
|
1522 * The caller must preinitialize @a output and allocate space for the
|
|
jpayne@69
|
1523 * result.
|
|
jpayne@69
|
1524 *
|
|
jpayne@69
|
1525 * @note This function is similar to krb5_c_prf(), but operates
|
|
jpayne@69
|
1526 * on opaque @a key.
|
|
jpayne@69
|
1527 *
|
|
jpayne@69
|
1528 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
1529 */
|
|
jpayne@69
|
1530 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1531 krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output);
|
|
jpayne@69
|
1532
|
|
jpayne@69
|
1533 #ifdef KRB5_OLD_CRYPTO
|
|
jpayne@69
|
1534 /*
|
|
jpayne@69
|
1535 * old cryptosystem routine prototypes. These are now layered
|
|
jpayne@69
|
1536 * on top of the functions above.
|
|
jpayne@69
|
1537 */
|
|
jpayne@69
|
1538 /** @deprecated Replaced by krb5_c_* API family.*/
|
|
jpayne@69
|
1539 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1540 krb5_encrypt(krb5_context context, krb5_const_pointer inptr,
|
|
jpayne@69
|
1541 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1542 krb5_pointer ivec);
|
|
jpayne@69
|
1543
|
|
jpayne@69
|
1544 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1545 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1546 krb5_decrypt(krb5_context context, krb5_const_pointer inptr,
|
|
jpayne@69
|
1547 krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1548 krb5_pointer ivec);
|
|
jpayne@69
|
1549
|
|
jpayne@69
|
1550 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1551 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1552 krb5_process_key(krb5_context context, krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1553 const krb5_keyblock * key);
|
|
jpayne@69
|
1554
|
|
jpayne@69
|
1555 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1556 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1557 krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock);
|
|
jpayne@69
|
1558
|
|
jpayne@69
|
1559 /** @deprecated See krb5_c_string_to_key() */
|
|
jpayne@69
|
1560 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1561 krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1562 krb5_keyblock * keyblock, const krb5_data *data,
|
|
jpayne@69
|
1563 const krb5_data *salt);
|
|
jpayne@69
|
1564
|
|
jpayne@69
|
1565 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1566 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1567 krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1568 const krb5_keyblock *keyblock, krb5_pointer *ptr);
|
|
jpayne@69
|
1569
|
|
jpayne@69
|
1570 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1571 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1572 krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1573 krb5_pointer *ptr);
|
|
jpayne@69
|
1574
|
|
jpayne@69
|
1575 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1576 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1577 krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1578 krb5_pointer ptr, krb5_keyblock **keyblock);
|
|
jpayne@69
|
1579
|
|
jpayne@69
|
1580 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1581 krb5_enctype KRB5_CALLCONV
|
|
jpayne@69
|
1582 krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock);
|
|
jpayne@69
|
1583
|
|
jpayne@69
|
1584 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1585 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1586 krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock,
|
|
jpayne@69
|
1587 krb5_enctype enctype);
|
|
jpayne@69
|
1588
|
|
jpayne@69
|
1589 /** @deprecated Replaced by krb5_c_* API family. */
|
|
jpayne@69
|
1590 size_t KRB5_CALLCONV
|
|
jpayne@69
|
1591 krb5_encrypt_size(size_t length, krb5_enctype crypto);
|
|
jpayne@69
|
1592
|
|
jpayne@69
|
1593 /** @deprecated See krb5_c_checksum_length() */
|
|
jpayne@69
|
1594 size_t KRB5_CALLCONV
|
|
jpayne@69
|
1595 krb5_checksum_size(krb5_context context, krb5_cksumtype ctype);
|
|
jpayne@69
|
1596
|
|
jpayne@69
|
1597 /** @deprecated See krb5_c_make_checksum() */
|
|
jpayne@69
|
1598 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1599 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
|
|
jpayne@69
|
1600 krb5_const_pointer in, size_t in_length,
|
|
jpayne@69
|
1601 krb5_const_pointer seed, size_t seed_length,
|
|
jpayne@69
|
1602 krb5_checksum * outcksum);
|
|
jpayne@69
|
1603
|
|
jpayne@69
|
1604 /** @deprecated See krb5_c_verify_checksum() */
|
|
jpayne@69
|
1605 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
1606 krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
|
|
jpayne@69
|
1607 const krb5_checksum * cksum, krb5_const_pointer in,
|
|
jpayne@69
|
1608 size_t in_length, krb5_const_pointer seed,
|
|
jpayne@69
|
1609 size_t seed_length);
|
|
jpayne@69
|
1610
|
|
jpayne@69
|
1611 #endif /* KRB5_OLD_CRYPTO */
|
|
jpayne@69
|
1612
|
|
jpayne@69
|
1613 /*
|
|
jpayne@69
|
1614 * end "encryption.h"
|
|
jpayne@69
|
1615 */
|
|
jpayne@69
|
1616
|
|
jpayne@69
|
1617 /*
|
|
jpayne@69
|
1618 * begin "fieldbits.h"
|
|
jpayne@69
|
1619 */
|
|
jpayne@69
|
1620
|
|
jpayne@69
|
1621 /* kdc_options for kdc_request */
|
|
jpayne@69
|
1622 /* options is 32 bits; each host is responsible to put the 4 bytes
|
|
jpayne@69
|
1623 representing these bits into net order before transmission */
|
|
jpayne@69
|
1624 /* #define KDC_OPT_RESERVED 0x80000000 */
|
|
jpayne@69
|
1625 #define KDC_OPT_FORWARDABLE 0x40000000
|
|
jpayne@69
|
1626 #define KDC_OPT_FORWARDED 0x20000000
|
|
jpayne@69
|
1627 #define KDC_OPT_PROXIABLE 0x10000000
|
|
jpayne@69
|
1628 #define KDC_OPT_PROXY 0x08000000
|
|
jpayne@69
|
1629 #define KDC_OPT_ALLOW_POSTDATE 0x04000000
|
|
jpayne@69
|
1630 #define KDC_OPT_POSTDATED 0x02000000
|
|
jpayne@69
|
1631 /* #define KDC_OPT_UNUSED 0x01000000 */
|
|
jpayne@69
|
1632 #define KDC_OPT_RENEWABLE 0x00800000
|
|
jpayne@69
|
1633 /* #define KDC_OPT_UNUSED 0x00400000 */
|
|
jpayne@69
|
1634 /* #define KDC_OPT_RESERVED 0x00200000 */
|
|
jpayne@69
|
1635 /* #define KDC_OPT_RESERVED 0x00100000 */
|
|
jpayne@69
|
1636 /* #define KDC_OPT_RESERVED 0x00080000 */
|
|
jpayne@69
|
1637 /* #define KDC_OPT_RESERVED 0x00040000 */
|
|
jpayne@69
|
1638 #define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000
|
|
jpayne@69
|
1639 #define KDC_OPT_CANONICALIZE 0x00010000
|
|
jpayne@69
|
1640 #define KDC_OPT_REQUEST_ANONYMOUS 0x00008000
|
|
jpayne@69
|
1641 /* #define KDC_OPT_RESERVED 0x00004000 */
|
|
jpayne@69
|
1642 /* #define KDC_OPT_RESERVED 0x00002000 */
|
|
jpayne@69
|
1643 /* #define KDC_OPT_RESERVED 0x00001000 */
|
|
jpayne@69
|
1644 /* #define KDC_OPT_RESERVED 0x00000800 */
|
|
jpayne@69
|
1645 /* #define KDC_OPT_RESERVED 0x00000400 */
|
|
jpayne@69
|
1646 /* #define KDC_OPT_RESERVED 0x00000200 */
|
|
jpayne@69
|
1647 /* #define KDC_OPT_RESERVED 0x00000100 */
|
|
jpayne@69
|
1648 /* #define KDC_OPT_RESERVED 0x00000080 */
|
|
jpayne@69
|
1649 /* #define KDC_OPT_RESERVED 0x00000040 */
|
|
jpayne@69
|
1650 #define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020
|
|
jpayne@69
|
1651 #define KDC_OPT_RENEWABLE_OK 0x00000010
|
|
jpayne@69
|
1652 #define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008
|
|
jpayne@69
|
1653 /* #define KDC_OPT_UNUSED 0x00000004 */
|
|
jpayne@69
|
1654 #define KDC_OPT_RENEW 0x00000002
|
|
jpayne@69
|
1655 #define KDC_OPT_VALIDATE 0x00000001
|
|
jpayne@69
|
1656
|
|
jpayne@69
|
1657 /*
|
|
jpayne@69
|
1658 * Mask of ticket flags in the TGT which should be converted into KDC
|
|
jpayne@69
|
1659 * options when using the TGT to get derivative tickets.
|
|
jpayne@69
|
1660 *
|
|
jpayne@69
|
1661 * New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE |
|
|
jpayne@69
|
1662 * KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE
|
|
jpayne@69
|
1663 */
|
|
jpayne@69
|
1664 #define KDC_TKT_COMMON_MASK 0x54800000
|
|
jpayne@69
|
1665
|
|
jpayne@69
|
1666 /* definitions for ap_options fields */
|
|
jpayne@69
|
1667
|
|
jpayne@69
|
1668 /** @defgroup AP_OPTS AP_OPTS
|
|
jpayne@69
|
1669 *
|
|
jpayne@69
|
1670 * ap_options are 32 bits; each host is responsible to put the 4 bytes
|
|
jpayne@69
|
1671 * representing these bits into net order before transmission
|
|
jpayne@69
|
1672 * @{
|
|
jpayne@69
|
1673 */
|
|
jpayne@69
|
1674 #define AP_OPTS_RESERVED 0x80000000
|
|
jpayne@69
|
1675 #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */
|
|
jpayne@69
|
1676 #define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual
|
|
jpayne@69
|
1677 authentication exchange */
|
|
jpayne@69
|
1678 #define AP_OPTS_ETYPE_NEGOTIATION 0x00000002
|
|
jpayne@69
|
1679 #define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key
|
|
jpayne@69
|
1680 from the current session key
|
|
jpayne@69
|
1681 obtained from the
|
|
jpayne@69
|
1682 credentials */
|
|
jpayne@69
|
1683 /* #define AP_OPTS_RESERVED 0x10000000 */
|
|
jpayne@69
|
1684 /* #define AP_OPTS_RESERVED 0x08000000 */
|
|
jpayne@69
|
1685 /* #define AP_OPTS_RESERVED 0x04000000 */
|
|
jpayne@69
|
1686 /* #define AP_OPTS_RESERVED 0x02000000 */
|
|
jpayne@69
|
1687 /* #define AP_OPTS_RESERVED 0x01000000 */
|
|
jpayne@69
|
1688 /* #define AP_OPTS_RESERVED 0x00800000 */
|
|
jpayne@69
|
1689 /* #define AP_OPTS_RESERVED 0x00400000 */
|
|
jpayne@69
|
1690 /* #define AP_OPTS_RESERVED 0x00200000 */
|
|
jpayne@69
|
1691 /* #define AP_OPTS_RESERVED 0x00100000 */
|
|
jpayne@69
|
1692 /* #define AP_OPTS_RESERVED 0x00080000 */
|
|
jpayne@69
|
1693 /* #define AP_OPTS_RESERVED 0x00040000 */
|
|
jpayne@69
|
1694 /* #define AP_OPTS_RESERVED 0x00020000 */
|
|
jpayne@69
|
1695 /* #define AP_OPTS_RESERVED 0x00010000 */
|
|
jpayne@69
|
1696 /* #define AP_OPTS_RESERVED 0x00008000 */
|
|
jpayne@69
|
1697 /* #define AP_OPTS_RESERVED 0x00004000 */
|
|
jpayne@69
|
1698 /* #define AP_OPTS_RESERVED 0x00002000 */
|
|
jpayne@69
|
1699 /* #define AP_OPTS_RESERVED 0x00001000 */
|
|
jpayne@69
|
1700 /* #define AP_OPTS_RESERVED 0x00000800 */
|
|
jpayne@69
|
1701 /* #define AP_OPTS_RESERVED 0x00000400 */
|
|
jpayne@69
|
1702 /* #define AP_OPTS_RESERVED 0x00000200 */
|
|
jpayne@69
|
1703 /* #define AP_OPTS_RESERVED 0x00000100 */
|
|
jpayne@69
|
1704 /* #define AP_OPTS_RESERVED 0x00000080 */
|
|
jpayne@69
|
1705 /* #define AP_OPTS_RESERVED 0x00000040 */
|
|
jpayne@69
|
1706 /* #define AP_OPTS_RESERVED 0x00000020 */
|
|
jpayne@69
|
1707 /* #define AP_OPTS_RESERVED 0x00000010 */
|
|
jpayne@69
|
1708 /* #define AP_OPTS_RESERVED 0x00000008 */
|
|
jpayne@69
|
1709 /* #define AP_OPTS_RESERVED 0x00000004 */
|
|
jpayne@69
|
1710
|
|
jpayne@69
|
1711
|
|
jpayne@69
|
1712 #define AP_OPTS_WIRE_MASK 0xfffffff0
|
|
jpayne@69
|
1713 /** @} */ /* end of AP_OPTS group */
|
|
jpayne@69
|
1714
|
|
jpayne@69
|
1715 /* definitions for ad_type fields. */
|
|
jpayne@69
|
1716 #define AD_TYPE_RESERVED 0x8000
|
|
jpayne@69
|
1717 #define AD_TYPE_EXTERNAL 0x4000
|
|
jpayne@69
|
1718 #define AD_TYPE_REGISTERED 0x2000
|
|
jpayne@69
|
1719
|
|
jpayne@69
|
1720 #define AD_TYPE_FIELD_TYPE_MASK 0x1fff
|
|
jpayne@69
|
1721
|
|
jpayne@69
|
1722 /* Ticket flags */
|
|
jpayne@69
|
1723 /* flags are 32 bits; each host is responsible to put the 4 bytes
|
|
jpayne@69
|
1724 representing these bits into net order before transmission */
|
|
jpayne@69
|
1725 /* #define TKT_FLG_RESERVED 0x80000000 */
|
|
jpayne@69
|
1726 #define TKT_FLG_FORWARDABLE 0x40000000
|
|
jpayne@69
|
1727 #define TKT_FLG_FORWARDED 0x20000000
|
|
jpayne@69
|
1728 #define TKT_FLG_PROXIABLE 0x10000000
|
|
jpayne@69
|
1729 #define TKT_FLG_PROXY 0x08000000
|
|
jpayne@69
|
1730 #define TKT_FLG_MAY_POSTDATE 0x04000000
|
|
jpayne@69
|
1731 #define TKT_FLG_POSTDATED 0x02000000
|
|
jpayne@69
|
1732 #define TKT_FLG_INVALID 0x01000000
|
|
jpayne@69
|
1733 #define TKT_FLG_RENEWABLE 0x00800000
|
|
jpayne@69
|
1734 #define TKT_FLG_INITIAL 0x00400000
|
|
jpayne@69
|
1735 #define TKT_FLG_PRE_AUTH 0x00200000
|
|
jpayne@69
|
1736 #define TKT_FLG_HW_AUTH 0x00100000
|
|
jpayne@69
|
1737 #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
|
|
jpayne@69
|
1738 #define TKT_FLG_OK_AS_DELEGATE 0x00040000
|
|
jpayne@69
|
1739 #define TKT_FLG_ENC_PA_REP 0x00010000
|
|
jpayne@69
|
1740 #define TKT_FLG_ANONYMOUS 0x00008000
|
|
jpayne@69
|
1741 /* #define TKT_FLG_RESERVED 0x00004000 */
|
|
jpayne@69
|
1742 /* #define TKT_FLG_RESERVED 0x00002000 */
|
|
jpayne@69
|
1743 /* #define TKT_FLG_RESERVED 0x00001000 */
|
|
jpayne@69
|
1744 /* #define TKT_FLG_RESERVED 0x00000800 */
|
|
jpayne@69
|
1745 /* #define TKT_FLG_RESERVED 0x00000400 */
|
|
jpayne@69
|
1746 /* #define TKT_FLG_RESERVED 0x00000200 */
|
|
jpayne@69
|
1747 /* #define TKT_FLG_RESERVED 0x00000100 */
|
|
jpayne@69
|
1748 /* #define TKT_FLG_RESERVED 0x00000080 */
|
|
jpayne@69
|
1749 /* #define TKT_FLG_RESERVED 0x00000040 */
|
|
jpayne@69
|
1750 /* #define TKT_FLG_RESERVED 0x00000020 */
|
|
jpayne@69
|
1751 /* #define TKT_FLG_RESERVED 0x00000010 */
|
|
jpayne@69
|
1752 /* #define TKT_FLG_RESERVED 0x00000008 */
|
|
jpayne@69
|
1753 /* #define TKT_FLG_RESERVED 0x00000004 */
|
|
jpayne@69
|
1754 /* #define TKT_FLG_RESERVED 0x00000002 */
|
|
jpayne@69
|
1755 /* #define TKT_FLG_RESERVED 0x00000001 */
|
|
jpayne@69
|
1756
|
|
jpayne@69
|
1757 /* definitions for lr_type fields. */
|
|
jpayne@69
|
1758 #define LR_TYPE_THIS_SERVER_ONLY 0x8000
|
|
jpayne@69
|
1759
|
|
jpayne@69
|
1760 #define LR_TYPE_INTERPRETATION_MASK 0x7fff
|
|
jpayne@69
|
1761
|
|
jpayne@69
|
1762 /* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */
|
|
jpayne@69
|
1763 #define MSEC_DIRBIT 0x8000
|
|
jpayne@69
|
1764 #define MSEC_VAL_MASK 0x7fff
|
|
jpayne@69
|
1765
|
|
jpayne@69
|
1766 /*
|
|
jpayne@69
|
1767 * end "fieldbits.h"
|
|
jpayne@69
|
1768 */
|
|
jpayne@69
|
1769
|
|
jpayne@69
|
1770 /*
|
|
jpayne@69
|
1771 * begin "proto.h"
|
|
jpayne@69
|
1772 */
|
|
jpayne@69
|
1773
|
|
jpayne@69
|
1774 /** Protocol version number */
|
|
jpayne@69
|
1775 #define KRB5_PVNO 5
|
|
jpayne@69
|
1776
|
|
jpayne@69
|
1777 /* Message types */
|
|
jpayne@69
|
1778
|
|
jpayne@69
|
1779 #define KRB5_AS_REQ ((krb5_msgtype)10) /**< Initial authentication request */
|
|
jpayne@69
|
1780 #define KRB5_AS_REP ((krb5_msgtype)11) /**< Response to AS request */
|
|
jpayne@69
|
1781 #define KRB5_TGS_REQ ((krb5_msgtype)12) /**< Ticket granting server request */
|
|
jpayne@69
|
1782 #define KRB5_TGS_REP ((krb5_msgtype)13) /**< Response to TGS request */
|
|
jpayne@69
|
1783 #define KRB5_AP_REQ ((krb5_msgtype)14) /**< Auth req to application server */
|
|
jpayne@69
|
1784 #define KRB5_AP_REP ((krb5_msgtype)15) /**< Response to mutual AP request */
|
|
jpayne@69
|
1785 #define KRB5_SAFE ((krb5_msgtype)20) /**< Safe application message */
|
|
jpayne@69
|
1786 #define KRB5_PRIV ((krb5_msgtype)21) /**< Private application message */
|
|
jpayne@69
|
1787 #define KRB5_CRED ((krb5_msgtype)22) /**< Cred forwarding message */
|
|
jpayne@69
|
1788 #define KRB5_ERROR ((krb5_msgtype)30) /**< Error response */
|
|
jpayne@69
|
1789
|
|
jpayne@69
|
1790 /* LastReq types */
|
|
jpayne@69
|
1791 #define KRB5_LRQ_NONE 0
|
|
jpayne@69
|
1792 #define KRB5_LRQ_ALL_LAST_TGT 1
|
|
jpayne@69
|
1793 #define KRB5_LRQ_ONE_LAST_TGT (-1)
|
|
jpayne@69
|
1794 #define KRB5_LRQ_ALL_LAST_INITIAL 2
|
|
jpayne@69
|
1795 #define KRB5_LRQ_ONE_LAST_INITIAL (-2)
|
|
jpayne@69
|
1796 #define KRB5_LRQ_ALL_LAST_TGT_ISSUED 3
|
|
jpayne@69
|
1797 #define KRB5_LRQ_ONE_LAST_TGT_ISSUED (-3)
|
|
jpayne@69
|
1798 #define KRB5_LRQ_ALL_LAST_RENEWAL 4
|
|
jpayne@69
|
1799 #define KRB5_LRQ_ONE_LAST_RENEWAL (-4)
|
|
jpayne@69
|
1800 #define KRB5_LRQ_ALL_LAST_REQ 5
|
|
jpayne@69
|
1801 #define KRB5_LRQ_ONE_LAST_REQ (-5)
|
|
jpayne@69
|
1802 #define KRB5_LRQ_ALL_PW_EXPTIME 6
|
|
jpayne@69
|
1803 #define KRB5_LRQ_ONE_PW_EXPTIME (-6)
|
|
jpayne@69
|
1804 #define KRB5_LRQ_ALL_ACCT_EXPTIME 7
|
|
jpayne@69
|
1805 #define KRB5_LRQ_ONE_ACCT_EXPTIME (-7)
|
|
jpayne@69
|
1806
|
|
jpayne@69
|
1807 /* PADATA types */
|
|
jpayne@69
|
1808 #define KRB5_PADATA_NONE 0
|
|
jpayne@69
|
1809 #define KRB5_PADATA_AP_REQ 1
|
|
jpayne@69
|
1810 #define KRB5_PADATA_TGS_REQ KRB5_PADATA_AP_REQ
|
|
jpayne@69
|
1811 #define KRB5_PADATA_ENC_TIMESTAMP 2 /**< RFC 4120 */
|
|
jpayne@69
|
1812 #define KRB5_PADATA_PW_SALT 3 /**< RFC 4120 */
|
|
jpayne@69
|
1813 #if 0 /* Not used */
|
|
jpayne@69
|
1814 #define KRB5_PADATA_ENC_ENCKEY 4 /* Key encrypted within itself */
|
|
jpayne@69
|
1815 #endif
|
|
jpayne@69
|
1816 #define KRB5_PADATA_ENC_UNIX_TIME 5 /**< timestamp encrypted in key. RFC 4120 */
|
|
jpayne@69
|
1817 #define KRB5_PADATA_ENC_SANDIA_SECURID 6 /**< SecurId passcode. RFC 4120 */
|
|
jpayne@69
|
1818 #define KRB5_PADATA_SESAME 7 /**< Sesame project. RFC 4120 */
|
|
jpayne@69
|
1819 #define KRB5_PADATA_OSF_DCE 8 /**< OSF DCE. RFC 4120 */
|
|
jpayne@69
|
1820 #define KRB5_CYBERSAFE_SECUREID 9 /**< Cybersafe. RFC 4120 */
|
|
jpayne@69
|
1821 #define KRB5_PADATA_AFS3_SALT 10 /**< Cygnus. RFC 4120, 3961 */
|
|
jpayne@69
|
1822 #define KRB5_PADATA_ETYPE_INFO 11 /**< Etype info for preauth. RFC 4120 */
|
|
jpayne@69
|
1823 #define KRB5_PADATA_SAM_CHALLENGE 12 /**< SAM/OTP */
|
|
jpayne@69
|
1824 #define KRB5_PADATA_SAM_RESPONSE 13 /**< SAM/OTP */
|
|
jpayne@69
|
1825 #define KRB5_PADATA_PK_AS_REQ_OLD 14 /**< PKINIT */
|
|
jpayne@69
|
1826 #define KRB5_PADATA_PK_AS_REP_OLD 15 /**< PKINIT */
|
|
jpayne@69
|
1827 #define KRB5_PADATA_PK_AS_REQ 16 /**< PKINIT. RFC 4556 */
|
|
jpayne@69
|
1828 #define KRB5_PADATA_PK_AS_REP 17 /**< PKINIT. RFC 4556 */
|
|
jpayne@69
|
1829 #define KRB5_PADATA_ETYPE_INFO2 19 /**< RFC 4120 */
|
|
jpayne@69
|
1830 #define KRB5_PADATA_USE_SPECIFIED_KVNO 20 /**< RFC 4120 */
|
|
jpayne@69
|
1831 #define KRB5_PADATA_SVR_REFERRAL_INFO 20 /**< Windows 2000 referrals. RFC 6820 */
|
|
jpayne@69
|
1832 #define KRB5_PADATA_SAM_REDIRECT 21 /**< SAM/OTP. RFC 4120 */
|
|
jpayne@69
|
1833 #define KRB5_PADATA_GET_FROM_TYPED_DATA 22 /**< Embedded in typed data. RFC 4120 */
|
|
jpayne@69
|
1834 #define KRB5_PADATA_REFERRAL 25 /**< draft referral system */
|
|
jpayne@69
|
1835 #define KRB5_PADATA_SAM_CHALLENGE_2 30 /**< draft challenge system, updated */
|
|
jpayne@69
|
1836 #define KRB5_PADATA_SAM_RESPONSE_2 31 /**< draft challenge system, updated */
|
|
jpayne@69
|
1837 /* MS-KILE */
|
|
jpayne@69
|
1838 #define KRB5_PADATA_PAC_REQUEST 128 /**< include Windows PAC */
|
|
jpayne@69
|
1839 #define KRB5_PADATA_FOR_USER 129 /**< username protocol transition request */
|
|
jpayne@69
|
1840 #define KRB5_PADATA_S4U_X509_USER 130 /**< certificate protocol transition request */
|
|
jpayne@69
|
1841 #define KRB5_PADATA_AS_CHECKSUM 132 /**< AS checksum */
|
|
jpayne@69
|
1842 #define KRB5_PADATA_FX_COOKIE 133 /**< RFC 6113 */
|
|
jpayne@69
|
1843 #define KRB5_PADATA_FX_FAST 136 /**< RFC 6113 */
|
|
jpayne@69
|
1844 #define KRB5_PADATA_FX_ERROR 137 /**< RFC 6113 */
|
|
jpayne@69
|
1845 #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 /**< RFC 6113 */
|
|
jpayne@69
|
1846 #define KRB5_PADATA_OTP_CHALLENGE 141 /**< RFC 6560 section 4.1 */
|
|
jpayne@69
|
1847 #define KRB5_PADATA_OTP_REQUEST 142 /**< RFC 6560 section 4.2 */
|
|
jpayne@69
|
1848 #define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */
|
|
jpayne@69
|
1849 #define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */
|
|
jpayne@69
|
1850 #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */
|
|
jpayne@69
|
1851 #define KRB5_PADATA_AS_FRESHNESS 150 /**< RFC 8070 */
|
|
jpayne@69
|
1852 #define KRB5_PADATA_SPAKE 151
|
|
jpayne@69
|
1853 #define KRB5_PADATA_REDHAT_IDP_OAUTH2 152 /**< Red Hat IdP mechanism */
|
|
jpayne@69
|
1854 #define KRB5_PADATA_PAC_OPTIONS 167 /**< MS-KILE and MS-SFU */
|
|
jpayne@69
|
1855
|
|
jpayne@69
|
1856 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
|
|
jpayne@69
|
1857 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
|
|
jpayne@69
|
1858 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /**< currently must be zero */
|
|
jpayne@69
|
1859
|
|
jpayne@69
|
1860 /** Transited encoding types */
|
|
jpayne@69
|
1861 #define KRB5_DOMAIN_X500_COMPRESS 1
|
|
jpayne@69
|
1862
|
|
jpayne@69
|
1863 /** alternate authentication types */
|
|
jpayne@69
|
1864 #define KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE 64
|
|
jpayne@69
|
1865
|
|
jpayne@69
|
1866 /* authorization data types. See RFC 4120 section 5.2.6 */
|
|
jpayne@69
|
1867
|
|
jpayne@69
|
1868 /** @defgroup KRB5_AUTHDATA KRB5_AUTHDATA
|
|
jpayne@69
|
1869 * @{
|
|
jpayne@69
|
1870 */
|
|
jpayne@69
|
1871 #define KRB5_AUTHDATA_IF_RELEVANT 1
|
|
jpayne@69
|
1872 #define KRB5_AUTHDATA_KDC_ISSUED 4
|
|
jpayne@69
|
1873 #define KRB5_AUTHDATA_AND_OR 5
|
|
jpayne@69
|
1874 #define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8
|
|
jpayne@69
|
1875 #define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9
|
|
jpayne@69
|
1876 #define KRB5_AUTHDATA_OSF_DCE 64
|
|
jpayne@69
|
1877 #define KRB5_AUTHDATA_SESAME 65
|
|
jpayne@69
|
1878 #define KRB5_AUTHDATA_CAMMAC 96
|
|
jpayne@69
|
1879 #define KRB5_AUTHDATA_WIN2K_PAC 128
|
|
jpayne@69
|
1880 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /**< RFC 4537 */
|
|
jpayne@69
|
1881 #define KRB5_AUTHDATA_SIGNTICKET 512 /**< @deprecated use PAC */
|
|
jpayne@69
|
1882 #define KRB5_AUTHDATA_FX_ARMOR 71
|
|
jpayne@69
|
1883 #define KRB5_AUTHDATA_AUTH_INDICATOR 97
|
|
jpayne@69
|
1884 #define KRB5_AUTHDATA_AP_OPTIONS 143
|
|
jpayne@69
|
1885 /** @} */ /* end of KRB5_AUTHDATA group */
|
|
jpayne@69
|
1886
|
|
jpayne@69
|
1887 /* password change constants */
|
|
jpayne@69
|
1888 #define KRB5_KPASSWD_SUCCESS 0 /**< Success */
|
|
jpayne@69
|
1889 #define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */
|
|
jpayne@69
|
1890 #define KRB5_KPASSWD_HARDERROR 2 /**< Server error */
|
|
jpayne@69
|
1891 #define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */
|
|
jpayne@69
|
1892 #define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */
|
|
jpayne@69
|
1893 /* These are Microsoft's extensions in RFC 3244, and it looks like
|
|
jpayne@69
|
1894 they'll become standardized, possibly with other additions. */
|
|
jpayne@69
|
1895 #define KRB5_KPASSWD_ACCESSDENIED 5 /**< Not authorized */
|
|
jpayne@69
|
1896 #define KRB5_KPASSWD_BAD_VERSION 6 /**< Unknown RPC version */
|
|
jpayne@69
|
1897 /** The presented credentials were not obtained using a password directly */
|
|
jpayne@69
|
1898 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
|
|
jpayne@69
|
1899
|
|
jpayne@69
|
1900 /*
|
|
jpayne@69
|
1901 * end "proto.h"
|
|
jpayne@69
|
1902 */
|
|
jpayne@69
|
1903
|
|
jpayne@69
|
1904 /* Time set */
|
|
jpayne@69
|
1905 /** Ticket start time, end time, and renewal duration. */
|
|
jpayne@69
|
1906 typedef struct _krb5_ticket_times {
|
|
jpayne@69
|
1907 krb5_timestamp authtime; /**< Time at which KDC issued the initial ticket that corresponds to this ticket */
|
|
jpayne@69
|
1908 /* XXX ? should ktime in KDC_REP == authtime
|
|
jpayne@69
|
1909 in ticket? otherwise client can't get this */
|
|
jpayne@69
|
1910 krb5_timestamp starttime; /**< optional in ticket, if not present, use @a authtime */
|
|
jpayne@69
|
1911 krb5_timestamp endtime; /**< Ticket expiration time */
|
|
jpayne@69
|
1912 krb5_timestamp renew_till; /**< Latest time at which renewal of ticket can be valid */
|
|
jpayne@69
|
1913 } krb5_ticket_times;
|
|
jpayne@69
|
1914
|
|
jpayne@69
|
1915 /** Structure for auth data */
|
|
jpayne@69
|
1916 typedef struct _krb5_authdata {
|
|
jpayne@69
|
1917 krb5_magic magic;
|
|
jpayne@69
|
1918 krb5_authdatatype ad_type; /**< ADTYPE */
|
|
jpayne@69
|
1919 unsigned int length; /**< Length of data */
|
|
jpayne@69
|
1920 krb5_octet *contents; /**< Data */
|
|
jpayne@69
|
1921 } krb5_authdata;
|
|
jpayne@69
|
1922
|
|
jpayne@69
|
1923 /** Structure for transited encoding */
|
|
jpayne@69
|
1924 typedef struct _krb5_transited {
|
|
jpayne@69
|
1925 krb5_magic magic;
|
|
jpayne@69
|
1926 krb5_octet tr_type; /**< Transited encoding type */
|
|
jpayne@69
|
1927 krb5_data tr_contents; /**< Contents */
|
|
jpayne@69
|
1928 } krb5_transited;
|
|
jpayne@69
|
1929
|
|
jpayne@69
|
1930 /** Encrypted part of ticket. */
|
|
jpayne@69
|
1931 typedef struct _krb5_enc_tkt_part {
|
|
jpayne@69
|
1932 krb5_magic magic;
|
|
jpayne@69
|
1933 /* to-be-encrypted portion */
|
|
jpayne@69
|
1934 krb5_flags flags; /**< flags */
|
|
jpayne@69
|
1935 krb5_keyblock *session; /**< session key: includes enctype */
|
|
jpayne@69
|
1936 krb5_principal client; /**< client name/realm */
|
|
jpayne@69
|
1937 krb5_transited transited; /**< list of transited realms */
|
|
jpayne@69
|
1938 krb5_ticket_times times; /**< auth, start, end, renew_till */
|
|
jpayne@69
|
1939 krb5_address **caddrs; /**< array of ptrs to addresses */
|
|
jpayne@69
|
1940 krb5_authdata **authorization_data; /**< auth data */
|
|
jpayne@69
|
1941 } krb5_enc_tkt_part;
|
|
jpayne@69
|
1942
|
|
jpayne@69
|
1943 /**
|
|
jpayne@69
|
1944 * Ticket structure.
|
|
jpayne@69
|
1945 *
|
|
jpayne@69
|
1946 * The C representation of the ticket message, with a pointer to the
|
|
jpayne@69
|
1947 * C representation of the encrypted part.
|
|
jpayne@69
|
1948 */
|
|
jpayne@69
|
1949 typedef struct _krb5_ticket {
|
|
jpayne@69
|
1950 krb5_magic magic;
|
|
jpayne@69
|
1951 /* cleartext portion */
|
|
jpayne@69
|
1952 krb5_principal server; /**< server name/realm */
|
|
jpayne@69
|
1953 krb5_enc_data enc_part; /**< encryption type, kvno, encrypted encoding */
|
|
jpayne@69
|
1954 krb5_enc_tkt_part *enc_part2; /**< ptr to decrypted version, if available */
|
|
jpayne@69
|
1955 } krb5_ticket;
|
|
jpayne@69
|
1956
|
|
jpayne@69
|
1957 /* the unencrypted version */
|
|
jpayne@69
|
1958 /**
|
|
jpayne@69
|
1959 * Ticket authenticator.
|
|
jpayne@69
|
1960 *
|
|
jpayne@69
|
1961 * The C representation of an unencrypted authenticator.
|
|
jpayne@69
|
1962 */
|
|
jpayne@69
|
1963 typedef struct _krb5_authenticator {
|
|
jpayne@69
|
1964 krb5_magic magic;
|
|
jpayne@69
|
1965 krb5_principal client; /**< client name/realm */
|
|
jpayne@69
|
1966 krb5_checksum *checksum; /**< checksum, includes type, optional */
|
|
jpayne@69
|
1967 krb5_int32 cusec; /**< client usec portion */
|
|
jpayne@69
|
1968 krb5_timestamp ctime; /**< client sec portion */
|
|
jpayne@69
|
1969 krb5_keyblock *subkey; /**< true session key, optional */
|
|
jpayne@69
|
1970 krb5_ui_4 seq_number; /**< sequence #, optional */
|
|
jpayne@69
|
1971 krb5_authdata **authorization_data; /**< authoriazation data */
|
|
jpayne@69
|
1972 } krb5_authenticator;
|
|
jpayne@69
|
1973
|
|
jpayne@69
|
1974 /** Ticket authentication data. */
|
|
jpayne@69
|
1975 typedef struct _krb5_tkt_authent {
|
|
jpayne@69
|
1976 krb5_magic magic;
|
|
jpayne@69
|
1977 krb5_ticket *ticket;
|
|
jpayne@69
|
1978 krb5_authenticator *authenticator;
|
|
jpayne@69
|
1979 krb5_flags ap_options;
|
|
jpayne@69
|
1980 } krb5_tkt_authent;
|
|
jpayne@69
|
1981
|
|
jpayne@69
|
1982 /** Credentials structure including ticket, session key, and lifetime info. */
|
|
jpayne@69
|
1983 typedef struct _krb5_creds {
|
|
jpayne@69
|
1984 krb5_magic magic;
|
|
jpayne@69
|
1985 krb5_principal client; /**< client's principal identifier */
|
|
jpayne@69
|
1986 krb5_principal server; /**< server's principal identifier */
|
|
jpayne@69
|
1987 krb5_keyblock keyblock; /**< session encryption key info */
|
|
jpayne@69
|
1988 krb5_ticket_times times; /**< lifetime info */
|
|
jpayne@69
|
1989 krb5_boolean is_skey; /**< true if ticket is encrypted in
|
|
jpayne@69
|
1990 another ticket's skey */
|
|
jpayne@69
|
1991 krb5_flags ticket_flags; /**< flags in ticket */
|
|
jpayne@69
|
1992 krb5_address **addresses; /**< addrs in ticket */
|
|
jpayne@69
|
1993 krb5_data ticket; /**< ticket string itself */
|
|
jpayne@69
|
1994 krb5_data second_ticket; /**< second ticket, if related to
|
|
jpayne@69
|
1995 ticket (via DUPLICATE-SKEY or
|
|
jpayne@69
|
1996 ENC-TKT-IN-SKEY) */
|
|
jpayne@69
|
1997 krb5_authdata **authdata; /**< authorization data */
|
|
jpayne@69
|
1998 } krb5_creds;
|
|
jpayne@69
|
1999
|
|
jpayne@69
|
2000 /** Last request entry */
|
|
jpayne@69
|
2001 typedef struct _krb5_last_req_entry {
|
|
jpayne@69
|
2002 krb5_magic magic;
|
|
jpayne@69
|
2003 krb5_int32 lr_type; /**< LR type */
|
|
jpayne@69
|
2004 krb5_timestamp value; /**< Timestamp */
|
|
jpayne@69
|
2005 } krb5_last_req_entry;
|
|
jpayne@69
|
2006
|
|
jpayne@69
|
2007 /** Pre-authentication data */
|
|
jpayne@69
|
2008 typedef struct _krb5_pa_data {
|
|
jpayne@69
|
2009 krb5_magic magic;
|
|
jpayne@69
|
2010 krb5_preauthtype pa_type; /**< Preauthentication data type */
|
|
jpayne@69
|
2011 unsigned int length; /**< Length of data */
|
|
jpayne@69
|
2012 krb5_octet *contents; /**< Data */
|
|
jpayne@69
|
2013 } krb5_pa_data;
|
|
jpayne@69
|
2014
|
|
jpayne@69
|
2015 /* Don't use this; use krb5_pa_data instead. */
|
|
jpayne@69
|
2016 typedef struct _krb5_typed_data {
|
|
jpayne@69
|
2017 krb5_magic magic;
|
|
jpayne@69
|
2018 krb5_int32 type;
|
|
jpayne@69
|
2019 unsigned int length;
|
|
jpayne@69
|
2020 krb5_octet *data;
|
|
jpayne@69
|
2021 } krb5_typed_data;
|
|
jpayne@69
|
2022
|
|
jpayne@69
|
2023 /** C representation of KDC-REQ protocol message, including KDC-REQ-BODY */
|
|
jpayne@69
|
2024 typedef struct _krb5_kdc_req {
|
|
jpayne@69
|
2025 krb5_magic magic;
|
|
jpayne@69
|
2026 krb5_msgtype msg_type; /**< KRB5_AS_REQ or KRB5_TGS_REQ */
|
|
jpayne@69
|
2027 krb5_pa_data **padata; /**< Preauthentication data */
|
|
jpayne@69
|
2028 /* real body */
|
|
jpayne@69
|
2029 krb5_flags kdc_options; /**< Requested options */
|
|
jpayne@69
|
2030 krb5_principal client; /**< Client principal and realm */
|
|
jpayne@69
|
2031 krb5_principal server; /**< Server principal and realm */
|
|
jpayne@69
|
2032 krb5_timestamp from; /**< Requested start time */
|
|
jpayne@69
|
2033 krb5_timestamp till; /**< Requested end time */
|
|
jpayne@69
|
2034 krb5_timestamp rtime; /**< Requested renewable end time */
|
|
jpayne@69
|
2035 krb5_int32 nonce; /**< Nonce to match request and response */
|
|
jpayne@69
|
2036 int nktypes; /**< Number of enctypes */
|
|
jpayne@69
|
2037 krb5_enctype *ktype; /**< Requested enctypes */
|
|
jpayne@69
|
2038 krb5_address **addresses; /**< Requested addresses (optional) */
|
|
jpayne@69
|
2039 krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */
|
|
jpayne@69
|
2040 krb5_authdata **unenc_authdata; /**< Unencrypted authz data */
|
|
jpayne@69
|
2041 krb5_ticket **second_ticket; /**< Second ticket array (optional) */
|
|
jpayne@69
|
2042 } krb5_kdc_req;
|
|
jpayne@69
|
2043
|
|
jpayne@69
|
2044 /**
|
|
jpayne@69
|
2045 * C representation of @c EncKDCRepPart protocol message.
|
|
jpayne@69
|
2046 *
|
|
jpayne@69
|
2047 * This is the cleartext message that is encrypted and inserted in @c KDC-REP.
|
|
jpayne@69
|
2048 */
|
|
jpayne@69
|
2049 typedef struct _krb5_enc_kdc_rep_part {
|
|
jpayne@69
|
2050 krb5_magic magic;
|
|
jpayne@69
|
2051 /* encrypted part: */
|
|
jpayne@69
|
2052 krb5_msgtype msg_type; /**< krb5 message type */
|
|
jpayne@69
|
2053 krb5_keyblock *session; /**< Session key */
|
|
jpayne@69
|
2054 krb5_last_req_entry **last_req; /**< Array of pointers to entries */
|
|
jpayne@69
|
2055 krb5_int32 nonce; /**< Nonce from request */
|
|
jpayne@69
|
2056 krb5_timestamp key_exp; /**< Expiration date */
|
|
jpayne@69
|
2057 krb5_flags flags; /**< Ticket flags */
|
|
jpayne@69
|
2058 krb5_ticket_times times; /**< Lifetime info */
|
|
jpayne@69
|
2059 krb5_principal server; /**< Server's principal identifier */
|
|
jpayne@69
|
2060 krb5_address **caddrs; /**< Array of ptrs to addrs, optional */
|
|
jpayne@69
|
2061 krb5_pa_data **enc_padata; /**< Encrypted preauthentication data */
|
|
jpayne@69
|
2062 } krb5_enc_kdc_rep_part;
|
|
jpayne@69
|
2063
|
|
jpayne@69
|
2064 /** Representation of the @c KDC-REP protocol message. */
|
|
jpayne@69
|
2065 typedef struct _krb5_kdc_rep {
|
|
jpayne@69
|
2066 krb5_magic magic;
|
|
jpayne@69
|
2067 /* cleartext part: */
|
|
jpayne@69
|
2068 krb5_msgtype msg_type; /**< KRB5_AS_REP or KRB5_KDC_REP */
|
|
jpayne@69
|
2069 krb5_pa_data **padata; /**< Preauthentication data from KDC */
|
|
jpayne@69
|
2070 krb5_principal client; /**< Client principal and realm */
|
|
jpayne@69
|
2071 krb5_ticket *ticket; /**< Ticket */
|
|
jpayne@69
|
2072 krb5_enc_data enc_part; /**< Encrypted part of reply */
|
|
jpayne@69
|
2073 krb5_enc_kdc_rep_part *enc_part2; /**< Unencrypted version, if available */
|
|
jpayne@69
|
2074 } krb5_kdc_rep;
|
|
jpayne@69
|
2075
|
|
jpayne@69
|
2076 /** Error message structure */
|
|
jpayne@69
|
2077 typedef struct _krb5_error {
|
|
jpayne@69
|
2078 krb5_magic magic;
|
|
jpayne@69
|
2079 /* some of these may be meaningless in certain contexts */
|
|
jpayne@69
|
2080 krb5_timestamp ctime; /**< Client sec portion; optional */
|
|
jpayne@69
|
2081 krb5_int32 cusec; /**< Client usec portion; optional */
|
|
jpayne@69
|
2082 krb5_int32 susec; /**< Server usec portion */
|
|
jpayne@69
|
2083 krb5_timestamp stime; /**< Server sec portion */
|
|
jpayne@69
|
2084 krb5_ui_4 error; /**< Error code (protocol error #'s) */
|
|
jpayne@69
|
2085 krb5_principal client; /**< Client principal and realm */
|
|
jpayne@69
|
2086 krb5_principal server; /**< Server principal and realm */
|
|
jpayne@69
|
2087 krb5_data text; /**< Descriptive text */
|
|
jpayne@69
|
2088 krb5_data e_data; /**< Additional error-describing data */
|
|
jpayne@69
|
2089 } krb5_error;
|
|
jpayne@69
|
2090
|
|
jpayne@69
|
2091 /** Authentication header. */
|
|
jpayne@69
|
2092 typedef struct _krb5_ap_req {
|
|
jpayne@69
|
2093 krb5_magic magic;
|
|
jpayne@69
|
2094 krb5_flags ap_options; /**< Requested options */
|
|
jpayne@69
|
2095 krb5_ticket *ticket; /**< Ticket */
|
|
jpayne@69
|
2096 krb5_enc_data authenticator; /**< Encrypted authenticator */
|
|
jpayne@69
|
2097 } krb5_ap_req;
|
|
jpayne@69
|
2098
|
|
jpayne@69
|
2099 /**
|
|
jpayne@69
|
2100 * C representaton of AP-REP message.
|
|
jpayne@69
|
2101 *
|
|
jpayne@69
|
2102 * The server's response to a client's request for mutual authentication.
|
|
jpayne@69
|
2103 */
|
|
jpayne@69
|
2104 typedef struct _krb5_ap_rep {
|
|
jpayne@69
|
2105 krb5_magic magic;
|
|
jpayne@69
|
2106 krb5_enc_data enc_part; /**< Ciphertext of ApRepEncPart */
|
|
jpayne@69
|
2107 } krb5_ap_rep;
|
|
jpayne@69
|
2108
|
|
jpayne@69
|
2109 /** Cleartext that is encrypted and put into @c _krb5_ap_rep. */
|
|
jpayne@69
|
2110 typedef struct _krb5_ap_rep_enc_part {
|
|
jpayne@69
|
2111 krb5_magic magic;
|
|
jpayne@69
|
2112 krb5_timestamp ctime; /**< Client time, seconds portion */
|
|
jpayne@69
|
2113 krb5_int32 cusec; /**< Client time, microseconds portion */
|
|
jpayne@69
|
2114 krb5_keyblock *subkey; /**< Subkey (optional) */
|
|
jpayne@69
|
2115 krb5_ui_4 seq_number; /**< Sequence number */
|
|
jpayne@69
|
2116 } krb5_ap_rep_enc_part;
|
|
jpayne@69
|
2117
|
|
jpayne@69
|
2118 /* Unused */
|
|
jpayne@69
|
2119 typedef struct _krb5_response {
|
|
jpayne@69
|
2120 krb5_magic magic;
|
|
jpayne@69
|
2121 krb5_octet message_type;
|
|
jpayne@69
|
2122 krb5_data response;
|
|
jpayne@69
|
2123 krb5_int32 expected_nonce;
|
|
jpayne@69
|
2124 krb5_timestamp request_time;
|
|
jpayne@69
|
2125 } krb5_response;
|
|
jpayne@69
|
2126
|
|
jpayne@69
|
2127 /** Credentials information inserted into @c EncKrbCredPart. */
|
|
jpayne@69
|
2128 typedef struct _krb5_cred_info {
|
|
jpayne@69
|
2129 krb5_magic magic;
|
|
jpayne@69
|
2130 krb5_keyblock *session; /**< Session key used to encrypt ticket */
|
|
jpayne@69
|
2131 krb5_principal client; /**< Client principal and realm */
|
|
jpayne@69
|
2132 krb5_principal server; /**< Server principal and realm */
|
|
jpayne@69
|
2133 krb5_flags flags; /**< Ticket flags */
|
|
jpayne@69
|
2134 krb5_ticket_times times; /**< Auth, start, end, renew_till */
|
|
jpayne@69
|
2135 krb5_address **caddrs; /**< Array of pointers to addrs (optional) */
|
|
jpayne@69
|
2136 } krb5_cred_info;
|
|
jpayne@69
|
2137
|
|
jpayne@69
|
2138 /** Cleartext credentials information. */
|
|
jpayne@69
|
2139 typedef struct _krb5_cred_enc_part {
|
|
jpayne@69
|
2140 krb5_magic magic;
|
|
jpayne@69
|
2141 krb5_int32 nonce; /**< Nonce (optional) */
|
|
jpayne@69
|
2142 krb5_timestamp timestamp; /**< Generation time, seconds portion */
|
|
jpayne@69
|
2143 krb5_int32 usec; /**< Generation time, microseconds portion */
|
|
jpayne@69
|
2144 krb5_address *s_address; /**< Sender address (optional) */
|
|
jpayne@69
|
2145 krb5_address *r_address; /**< Recipient address (optional) */
|
|
jpayne@69
|
2146 krb5_cred_info **ticket_info;
|
|
jpayne@69
|
2147 } krb5_cred_enc_part;
|
|
jpayne@69
|
2148
|
|
jpayne@69
|
2149 /** Credentials data structure.*/
|
|
jpayne@69
|
2150 typedef struct _krb5_cred {
|
|
jpayne@69
|
2151 krb5_magic magic;
|
|
jpayne@69
|
2152 krb5_ticket **tickets; /**< Tickets */
|
|
jpayne@69
|
2153 krb5_enc_data enc_part; /**< Encrypted part */
|
|
jpayne@69
|
2154 krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */
|
|
jpayne@69
|
2155 } krb5_cred;
|
|
jpayne@69
|
2156
|
|
jpayne@69
|
2157 /* Unused, but here for API compatibility. */
|
|
jpayne@69
|
2158 typedef struct _passwd_phrase_element {
|
|
jpayne@69
|
2159 krb5_magic magic;
|
|
jpayne@69
|
2160 krb5_data *passwd;
|
|
jpayne@69
|
2161 krb5_data *phrase;
|
|
jpayne@69
|
2162 } passwd_phrase_element;
|
|
jpayne@69
|
2163
|
|
jpayne@69
|
2164 /* Unused, but here for API compatibility. */
|
|
jpayne@69
|
2165 typedef struct _krb5_pwd_data {
|
|
jpayne@69
|
2166 krb5_magic magic;
|
|
jpayne@69
|
2167 int sequence_count;
|
|
jpayne@69
|
2168 passwd_phrase_element **element;
|
|
jpayne@69
|
2169 } krb5_pwd_data;
|
|
jpayne@69
|
2170
|
|
jpayne@69
|
2171 /* Unused, but here for API compatibility. */
|
|
jpayne@69
|
2172 typedef struct _krb5_pa_svr_referral_data {
|
|
jpayne@69
|
2173 /** Referred name, only realm is required */
|
|
jpayne@69
|
2174 krb5_principal principal;
|
|
jpayne@69
|
2175 } krb5_pa_svr_referral_data;
|
|
jpayne@69
|
2176
|
|
jpayne@69
|
2177 /* Unused, but here for API compatibility. */
|
|
jpayne@69
|
2178 typedef struct _krb5_pa_server_referral_data {
|
|
jpayne@69
|
2179 krb5_data *referred_realm;
|
|
jpayne@69
|
2180 krb5_principal true_principal_name;
|
|
jpayne@69
|
2181 krb5_principal requested_principal_name;
|
|
jpayne@69
|
2182 krb5_timestamp referral_valid_until;
|
|
jpayne@69
|
2183 krb5_checksum rep_cksum;
|
|
jpayne@69
|
2184 } krb5_pa_server_referral_data;
|
|
jpayne@69
|
2185
|
|
jpayne@69
|
2186 typedef struct _krb5_pa_pac_req {
|
|
jpayne@69
|
2187 /** TRUE if a PAC should be included in TGS-REP */
|
|
jpayne@69
|
2188 krb5_boolean include_pac;
|
|
jpayne@69
|
2189 } krb5_pa_pac_req;
|
|
jpayne@69
|
2190
|
|
jpayne@69
|
2191 /*
|
|
jpayne@69
|
2192 * begin "safepriv.h"
|
|
jpayne@69
|
2193 */
|
|
jpayne@69
|
2194
|
|
jpayne@69
|
2195 /** @defgroup KRB5_AUTH_CONTEXT KRB5_AUTH_CONTEXT
|
|
jpayne@69
|
2196 * @{
|
|
jpayne@69
|
2197 */
|
|
jpayne@69
|
2198 /** Prevent replays with timestamps and replay cache. */
|
|
jpayne@69
|
2199 #define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001
|
|
jpayne@69
|
2200 /** Save timestamps for application. */
|
|
jpayne@69
|
2201 #define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002
|
|
jpayne@69
|
2202 /** Prevent replays with sequence numbers. */
|
|
jpayne@69
|
2203 #define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
|
|
jpayne@69
|
2204 /** Save sequence numbers for application. */
|
|
jpayne@69
|
2205 #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
|
|
jpayne@69
|
2206 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
|
|
jpayne@69
|
2207 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020
|
|
jpayne@69
|
2208 /** @} */ /* end of KRB5_AUTH_CONTEXT group */
|
|
jpayne@69
|
2209
|
|
jpayne@69
|
2210 /**
|
|
jpayne@69
|
2211 * Replay data.
|
|
jpayne@69
|
2212 *
|
|
jpayne@69
|
2213 * Sequence number and timestamp information output by krb5_rd_priv() and
|
|
jpayne@69
|
2214 * krb5_rd_safe().
|
|
jpayne@69
|
2215 */
|
|
jpayne@69
|
2216 typedef struct krb5_replay_data {
|
|
jpayne@69
|
2217 krb5_timestamp timestamp; /**< Timestamp, seconds portion */
|
|
jpayne@69
|
2218 krb5_int32 usec; /**< Timestamp, microseconds portion */
|
|
jpayne@69
|
2219 krb5_ui_4 seq; /**< Sequence number */
|
|
jpayne@69
|
2220 } krb5_replay_data;
|
|
jpayne@69
|
2221
|
|
jpayne@69
|
2222 /* Flags for krb5_auth_con_genaddrs(). */
|
|
jpayne@69
|
2223
|
|
jpayne@69
|
2224 /** Generate the local network address. */
|
|
jpayne@69
|
2225 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR 0x00000001
|
|
jpayne@69
|
2226 /** Generate the remote network address. */
|
|
jpayne@69
|
2227 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR 0x00000002
|
|
jpayne@69
|
2228 /** Generate the local network address and the local port. */
|
|
jpayne@69
|
2229 #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR 0x00000004
|
|
jpayne@69
|
2230 /** Generate the remote network address and the remote port. */
|
|
jpayne@69
|
2231 #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008
|
|
jpayne@69
|
2232
|
|
jpayne@69
|
2233 /** Type of function used as a callback to generate checksum data for mk_req */
|
|
jpayne@69
|
2234 typedef krb5_error_code
|
|
jpayne@69
|
2235 (KRB5_CALLCONV * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context,
|
|
jpayne@69
|
2236 void *, krb5_data **);
|
|
jpayne@69
|
2237
|
|
jpayne@69
|
2238 /*
|
|
jpayne@69
|
2239 * end "safepriv.h"
|
|
jpayne@69
|
2240 */
|
|
jpayne@69
|
2241
|
|
jpayne@69
|
2242
|
|
jpayne@69
|
2243 /*
|
|
jpayne@69
|
2244 * begin "ccache.h"
|
|
jpayne@69
|
2245 */
|
|
jpayne@69
|
2246
|
|
jpayne@69
|
2247 /** Cursor for sequential lookup */
|
|
jpayne@69
|
2248 typedef krb5_pointer krb5_cc_cursor;
|
|
jpayne@69
|
2249
|
|
jpayne@69
|
2250 struct _krb5_ccache;
|
|
jpayne@69
|
2251 typedef struct _krb5_ccache *krb5_ccache;
|
|
jpayne@69
|
2252 struct _krb5_cc_ops;
|
|
jpayne@69
|
2253 typedef struct _krb5_cc_ops krb5_cc_ops;
|
|
jpayne@69
|
2254
|
|
jpayne@69
|
2255 struct _krb5_cccol_cursor;
|
|
jpayne@69
|
2256 /** Cursor for iterating over all ccaches */
|
|
jpayne@69
|
2257 typedef struct _krb5_cccol_cursor *krb5_cccol_cursor;
|
|
jpayne@69
|
2258
|
|
jpayne@69
|
2259 /* Flags for krb5_cc_retrieve_cred. */
|
|
jpayne@69
|
2260 /** The requested lifetime must be at least as great as the time specified. */
|
|
jpayne@69
|
2261 #define KRB5_TC_MATCH_TIMES 0x00000001
|
|
jpayne@69
|
2262 /** The is_skey field must match exactly. */
|
|
jpayne@69
|
2263 #define KRB5_TC_MATCH_IS_SKEY 0x00000002
|
|
jpayne@69
|
2264 /** All the flags set in the match credentials must be set. */
|
|
jpayne@69
|
2265 #define KRB5_TC_MATCH_FLAGS 0x00000004
|
|
jpayne@69
|
2266 /** All the time fields must match exactly. */
|
|
jpayne@69
|
2267 #define KRB5_TC_MATCH_TIMES_EXACT 0x00000008
|
|
jpayne@69
|
2268 /** All the flags must match exactly. */
|
|
jpayne@69
|
2269 #define KRB5_TC_MATCH_FLAGS_EXACT 0x00000010
|
|
jpayne@69
|
2270 /** The authorization data must match. */
|
|
jpayne@69
|
2271 #define KRB5_TC_MATCH_AUTHDATA 0x00000020
|
|
jpayne@69
|
2272 /** Only the name portion of the principal name must match. */
|
|
jpayne@69
|
2273 #define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040
|
|
jpayne@69
|
2274 /** The second ticket must match. */
|
|
jpayne@69
|
2275 #define KRB5_TC_MATCH_2ND_TKT 0x00000080
|
|
jpayne@69
|
2276 /** The encryption key type must match. */
|
|
jpayne@69
|
2277 #define KRB5_TC_MATCH_KTYPE 0x00000100
|
|
jpayne@69
|
2278 /** The supported key types must match. */
|
|
jpayne@69
|
2279 #define KRB5_TC_SUPPORTED_KTYPES 0x00000200
|
|
jpayne@69
|
2280
|
|
jpayne@69
|
2281 /* Flags for krb5_cc_set_flags and similar. */
|
|
jpayne@69
|
2282 /** Open and close the file for each cache operation. */
|
|
jpayne@69
|
2283 #define KRB5_TC_OPENCLOSE 0x00000001 /**< @deprecated has no effect */
|
|
jpayne@69
|
2284 #define KRB5_TC_NOTICKET 0x00000002
|
|
jpayne@69
|
2285
|
|
jpayne@69
|
2286 /**
|
|
jpayne@69
|
2287 * Retrieve the name, but not type of a credential cache.
|
|
jpayne@69
|
2288 *
|
|
jpayne@69
|
2289 * @param [in] context Library context
|
|
jpayne@69
|
2290 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2291 *
|
|
jpayne@69
|
2292 * @warning Returns the name of the credential cache. The result is an alias
|
|
jpayne@69
|
2293 * into @a cache and should not be freed or modified by the caller. This name
|
|
jpayne@69
|
2294 * does not include the cache type, so should not be used as input to
|
|
jpayne@69
|
2295 * krb5_cc_resolve().
|
|
jpayne@69
|
2296 *
|
|
jpayne@69
|
2297 * @return
|
|
jpayne@69
|
2298 * On success - the name of the credential cache.
|
|
jpayne@69
|
2299 */
|
|
jpayne@69
|
2300 const char * KRB5_CALLCONV
|
|
jpayne@69
|
2301 krb5_cc_get_name(krb5_context context, krb5_ccache cache);
|
|
jpayne@69
|
2302
|
|
jpayne@69
|
2303 /**
|
|
jpayne@69
|
2304 * Retrieve the full name of a credential cache.
|
|
jpayne@69
|
2305 *
|
|
jpayne@69
|
2306 * @param [in] context Library context
|
|
jpayne@69
|
2307 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2308 * @param [out] fullname_out Full name of cache
|
|
jpayne@69
|
2309 *
|
|
jpayne@69
|
2310 * Use krb5_free_string() to free @a fullname_out when it is no longer needed.
|
|
jpayne@69
|
2311 *
|
|
jpayne@69
|
2312 * @version New in 1.10
|
|
jpayne@69
|
2313 */
|
|
jpayne@69
|
2314 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2315 krb5_cc_get_full_name(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2316 char **fullname_out);
|
|
jpayne@69
|
2317
|
|
jpayne@69
|
2318 #if KRB5_DEPRECATED
|
|
jpayne@69
|
2319 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2320 krb5_cc_gen_new(krb5_context context, krb5_ccache *cache);
|
|
jpayne@69
|
2321 #endif /* KRB5_DEPRECATED */
|
|
jpayne@69
|
2322
|
|
jpayne@69
|
2323 /**
|
|
jpayne@69
|
2324 * Initialize a credential cache.
|
|
jpayne@69
|
2325 *
|
|
jpayne@69
|
2326 * @param [in] context Library context
|
|
jpayne@69
|
2327 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2328 * @param [in] principal Default principal name
|
|
jpayne@69
|
2329 *
|
|
jpayne@69
|
2330 * Destroy any existing contents of @a cache and initialize it for the default
|
|
jpayne@69
|
2331 * principal @a principal.
|
|
jpayne@69
|
2332 *
|
|
jpayne@69
|
2333 * @retval
|
|
jpayne@69
|
2334 * 0 Success
|
|
jpayne@69
|
2335 * @return
|
|
jpayne@69
|
2336 * System errors; Permission errors; Kerberos error codes
|
|
jpayne@69
|
2337 */
|
|
jpayne@69
|
2338 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2339 krb5_cc_initialize(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2340 krb5_principal principal);
|
|
jpayne@69
|
2341
|
|
jpayne@69
|
2342 /**
|
|
jpayne@69
|
2343 * Destroy a credential cache.
|
|
jpayne@69
|
2344 *
|
|
jpayne@69
|
2345 * @param [in] context Library context
|
|
jpayne@69
|
2346 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2347 *
|
|
jpayne@69
|
2348 * This function destroys any existing contents of @a cache and closes the
|
|
jpayne@69
|
2349 * handle to it.
|
|
jpayne@69
|
2350 *
|
|
jpayne@69
|
2351 * @retval
|
|
jpayne@69
|
2352 * 0 Success
|
|
jpayne@69
|
2353 * @return
|
|
jpayne@69
|
2354 * Permission errors
|
|
jpayne@69
|
2355 */
|
|
jpayne@69
|
2356 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2357 krb5_cc_destroy(krb5_context context, krb5_ccache cache);
|
|
jpayne@69
|
2358
|
|
jpayne@69
|
2359 /**
|
|
jpayne@69
|
2360 * Close a credential cache handle.
|
|
jpayne@69
|
2361 *
|
|
jpayne@69
|
2362 * @param [in] context Library context
|
|
jpayne@69
|
2363 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2364 *
|
|
jpayne@69
|
2365 * This function closes a credential cache handle @a cache without affecting
|
|
jpayne@69
|
2366 * the contents of the cache.
|
|
jpayne@69
|
2367 *
|
|
jpayne@69
|
2368 * @retval
|
|
jpayne@69
|
2369 * 0 Success
|
|
jpayne@69
|
2370 * @return
|
|
jpayne@69
|
2371 * Kerberos error codes
|
|
jpayne@69
|
2372 */
|
|
jpayne@69
|
2373 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2374 krb5_cc_close(krb5_context context, krb5_ccache cache);
|
|
jpayne@69
|
2375
|
|
jpayne@69
|
2376 /**
|
|
jpayne@69
|
2377 * Store credentials in a credential cache.
|
|
jpayne@69
|
2378 *
|
|
jpayne@69
|
2379 * @param [in] context Library context
|
|
jpayne@69
|
2380 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2381 * @param [in] creds Credentials to be stored in cache
|
|
jpayne@69
|
2382 *
|
|
jpayne@69
|
2383 * This function stores @a creds into @a cache. If @a creds->server and the
|
|
jpayne@69
|
2384 * server in the decoded ticket @a creds->ticket differ, the credentials will
|
|
jpayne@69
|
2385 * be stored under both server principal names.
|
|
jpayne@69
|
2386 *
|
|
jpayne@69
|
2387 * @retval
|
|
jpayne@69
|
2388 * 0 Success
|
|
jpayne@69
|
2389 * @return Permission errors; storage failure errors; Kerberos error codes
|
|
jpayne@69
|
2390 */
|
|
jpayne@69
|
2391 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2392 krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds);
|
|
jpayne@69
|
2393
|
|
jpayne@69
|
2394 /**
|
|
jpayne@69
|
2395 * Retrieve a specified credentials from a credential cache.
|
|
jpayne@69
|
2396 *
|
|
jpayne@69
|
2397 * @param [in] context Library context
|
|
jpayne@69
|
2398 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2399 * @param [in] flags Flags bit mask
|
|
jpayne@69
|
2400 * @param [in] mcreds Credentials to match
|
|
jpayne@69
|
2401 * @param [out] creds Credentials matching the requested value
|
|
jpayne@69
|
2402 *
|
|
jpayne@69
|
2403 * This function searches a credential cache for credentials matching @a mcreds
|
|
jpayne@69
|
2404 * and returns it if found.
|
|
jpayne@69
|
2405 *
|
|
jpayne@69
|
2406 * Valid values for @a flags are:
|
|
jpayne@69
|
2407 *
|
|
jpayne@69
|
2408 * @li #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as
|
|
jpayne@69
|
2409 * great as in @a mcreds .
|
|
jpayne@69
|
2410 * @li #KRB5_TC_MATCH_IS_SKEY The @a is_skey field much match exactly.
|
|
jpayne@69
|
2411 * @li #KRB5_TC_MATCH_FLAGS Flags set in @a mcreds must be set.
|
|
jpayne@69
|
2412 * @li #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly.
|
|
jpayne@69
|
2413 * @li #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly.
|
|
jpayne@69
|
2414 * @li #KRB5_TC_MATCH_AUTHDATA The authorization data must match.
|
|
jpayne@69
|
2415 * @li #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal
|
|
jpayne@69
|
2416 * name must match, not the realm.
|
|
jpayne@69
|
2417 * @li #KRB5_TC_MATCH_2ND_TKT The second tickets must match.
|
|
jpayne@69
|
2418 * @li #KRB5_TC_MATCH_KTYPE The encryption key types must match.
|
|
jpayne@69
|
2419 * @li #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any
|
|
jpayne@69
|
2420 * supported encryption type and return the
|
|
jpayne@69
|
2421 * one with the encryption type listed earliest.
|
|
jpayne@69
|
2422 *
|
|
jpayne@69
|
2423 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed.
|
|
jpayne@69
|
2424 *
|
|
jpayne@69
|
2425 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2426 */
|
|
jpayne@69
|
2427 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2428 krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2429 krb5_flags flags, krb5_creds *mcreds,
|
|
jpayne@69
|
2430 krb5_creds *creds);
|
|
jpayne@69
|
2431
|
|
jpayne@69
|
2432 /**
|
|
jpayne@69
|
2433 * Get the default principal of a credential cache.
|
|
jpayne@69
|
2434 *
|
|
jpayne@69
|
2435 * @param [in] context Library context
|
|
jpayne@69
|
2436 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2437 * @param [out] principal Primary principal
|
|
jpayne@69
|
2438 *
|
|
jpayne@69
|
2439 * Returns the default client principal of a credential cache as set by
|
|
jpayne@69
|
2440 * krb5_cc_initialize().
|
|
jpayne@69
|
2441 *
|
|
jpayne@69
|
2442 * Use krb5_free_principal() to free @a principal when it is no longer needed.
|
|
jpayne@69
|
2443 *
|
|
jpayne@69
|
2444 * @retval
|
|
jpayne@69
|
2445 * 0 Success
|
|
jpayne@69
|
2446 * @return
|
|
jpayne@69
|
2447 * Kerberos error codes
|
|
jpayne@69
|
2448 */
|
|
jpayne@69
|
2449 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2450 krb5_cc_get_principal(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2451 krb5_principal *principal);
|
|
jpayne@69
|
2452
|
|
jpayne@69
|
2453 /**
|
|
jpayne@69
|
2454 * Prepare to sequentially read every credential in a credential cache.
|
|
jpayne@69
|
2455 *
|
|
jpayne@69
|
2456 * @param [in] context Library context
|
|
jpayne@69
|
2457 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2458 * @param [out] cursor Cursor
|
|
jpayne@69
|
2459 *
|
|
jpayne@69
|
2460 * krb5_cc_end_seq_get() must be called to complete the retrieve operation.
|
|
jpayne@69
|
2461 *
|
|
jpayne@69
|
2462 * @note If the cache represented by @a cache is modified between the time of
|
|
jpayne@69
|
2463 * the call to this function and the time of the final krb5_cc_end_seq_get(),
|
|
jpayne@69
|
2464 * these changes may not be reflected in the results of krb5_cc_next_cred()
|
|
jpayne@69
|
2465 * calls.
|
|
jpayne@69
|
2466 *
|
|
jpayne@69
|
2467 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2468 */
|
|
jpayne@69
|
2469 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2470 krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2471 krb5_cc_cursor *cursor);
|
|
jpayne@69
|
2472
|
|
jpayne@69
|
2473 /**
|
|
jpayne@69
|
2474 * Retrieve the next entry from the credential cache.
|
|
jpayne@69
|
2475 *
|
|
jpayne@69
|
2476 * @param [in] context Library context
|
|
jpayne@69
|
2477 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2478 * @param [in] cursor Cursor
|
|
jpayne@69
|
2479 * @param [out] creds Next credential cache entry
|
|
jpayne@69
|
2480 *
|
|
jpayne@69
|
2481 * This function fills in @a creds with the next entry in @a cache and advances
|
|
jpayne@69
|
2482 * @a cursor.
|
|
jpayne@69
|
2483 *
|
|
jpayne@69
|
2484 * Use krb5_free_cred_contents() to free @a creds when it is no longer needed.
|
|
jpayne@69
|
2485 *
|
|
jpayne@69
|
2486 * @sa krb5_cc_start_seq_get(), krb5_end_seq_get()
|
|
jpayne@69
|
2487 *
|
|
jpayne@69
|
2488 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2489 */
|
|
jpayne@69
|
2490 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2491 krb5_cc_next_cred(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2492 krb5_cc_cursor *cursor, krb5_creds *creds);
|
|
jpayne@69
|
2493
|
|
jpayne@69
|
2494 /**
|
|
jpayne@69
|
2495 * Finish a series of sequential processing credential cache entries.
|
|
jpayne@69
|
2496 *
|
|
jpayne@69
|
2497 * @param [in] context Library context
|
|
jpayne@69
|
2498 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2499 * @param [in] cursor Cursor
|
|
jpayne@69
|
2500 *
|
|
jpayne@69
|
2501 * This function finishes processing credential cache entries and invalidates
|
|
jpayne@69
|
2502 * @a cursor.
|
|
jpayne@69
|
2503 *
|
|
jpayne@69
|
2504 * @sa krb5_cc_start_seq_get(), krb5_cc_next_cred()
|
|
jpayne@69
|
2505 *
|
|
jpayne@69
|
2506 * @retval 0 (always)
|
|
jpayne@69
|
2507 */
|
|
jpayne@69
|
2508 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2509 krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache,
|
|
jpayne@69
|
2510 krb5_cc_cursor *cursor);
|
|
jpayne@69
|
2511
|
|
jpayne@69
|
2512 /**
|
|
jpayne@69
|
2513 * Remove credentials from a credential cache.
|
|
jpayne@69
|
2514 *
|
|
jpayne@69
|
2515 * @param [in] context Library context
|
|
jpayne@69
|
2516 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2517 * @param [in] flags Bitwise-ORed search flags
|
|
jpayne@69
|
2518 * @param [in] creds Credentials to be matched
|
|
jpayne@69
|
2519 *
|
|
jpayne@69
|
2520 * @warning This function is not implemented for some cache types.
|
|
jpayne@69
|
2521 *
|
|
jpayne@69
|
2522 * This function accepts the same flag values as krb5_cc_retrieve_cred().
|
|
jpayne@69
|
2523 *
|
|
jpayne@69
|
2524 * @retval KRB5_CC_NOSUPP Not implemented for this cache type
|
|
jpayne@69
|
2525 * @return No matches found; Data cannot be deleted; Kerberos error codes
|
|
jpayne@69
|
2526 */
|
|
jpayne@69
|
2527 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2528 krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
|
|
jpayne@69
|
2529 krb5_creds *creds);
|
|
jpayne@69
|
2530
|
|
jpayne@69
|
2531 /**
|
|
jpayne@69
|
2532 * Set options flags on a credential cache.
|
|
jpayne@69
|
2533 *
|
|
jpayne@69
|
2534 * @param [in] context Library context
|
|
jpayne@69
|
2535 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2536 * @param [in] flags Flag bit mask
|
|
jpayne@69
|
2537 *
|
|
jpayne@69
|
2538 * This function resets @a cache flags to @a flags.
|
|
jpayne@69
|
2539 *
|
|
jpayne@69
|
2540 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2541 */
|
|
jpayne@69
|
2542 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2543 krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags);
|
|
jpayne@69
|
2544
|
|
jpayne@69
|
2545 /**
|
|
jpayne@69
|
2546 * Retrieve flags from a credential cache structure.
|
|
jpayne@69
|
2547 *
|
|
jpayne@69
|
2548 * @param [in] context Library context
|
|
jpayne@69
|
2549 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2550 * @param [out] flags Flag bit mask
|
|
jpayne@69
|
2551 *
|
|
jpayne@69
|
2552 * @warning For memory credential cache always returns a flag mask of 0.
|
|
jpayne@69
|
2553 *
|
|
jpayne@69
|
2554 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2555 */
|
|
jpayne@69
|
2556 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2557 krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags);
|
|
jpayne@69
|
2558
|
|
jpayne@69
|
2559 /**
|
|
jpayne@69
|
2560 * Retrieve the type of a credential cache.
|
|
jpayne@69
|
2561 *
|
|
jpayne@69
|
2562 * @param [in] context Library context
|
|
jpayne@69
|
2563 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
2564 *
|
|
jpayne@69
|
2565 * @return The type of a credential cache as an alias that must not be modified
|
|
jpayne@69
|
2566 * or freed by the caller.
|
|
jpayne@69
|
2567 */
|
|
jpayne@69
|
2568 const char * KRB5_CALLCONV
|
|
jpayne@69
|
2569 krb5_cc_get_type(krb5_context context, krb5_ccache cache);
|
|
jpayne@69
|
2570
|
|
jpayne@69
|
2571 /**
|
|
jpayne@69
|
2572 * Move a credential cache.
|
|
jpayne@69
|
2573 *
|
|
jpayne@69
|
2574 * @param [in] context Library context
|
|
jpayne@69
|
2575 * @param [in] src The credential cache to move the content from
|
|
jpayne@69
|
2576 * @param [in] dst The credential cache to move the content to
|
|
jpayne@69
|
2577 *
|
|
jpayne@69
|
2578 * This function reinitializes @a dst and populates it with the credentials and
|
|
jpayne@69
|
2579 * default principal of @a src; then, if successful, destroys @a src.
|
|
jpayne@69
|
2580 *
|
|
jpayne@69
|
2581 * @retval
|
|
jpayne@69
|
2582 * 0 Success; @a src is closed.
|
|
jpayne@69
|
2583 * @return
|
|
jpayne@69
|
2584 * Kerberos error codes; @a src is still allocated.
|
|
jpayne@69
|
2585 */
|
|
jpayne@69
|
2586 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2587 krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst);
|
|
jpayne@69
|
2588
|
|
jpayne@69
|
2589 /**
|
|
jpayne@69
|
2590 * Prepare to iterate over the collection of known credential caches.
|
|
jpayne@69
|
2591 *
|
|
jpayne@69
|
2592 * @param [in] context Library context
|
|
jpayne@69
|
2593 * @param [out] cursor Cursor
|
|
jpayne@69
|
2594 *
|
|
jpayne@69
|
2595 * Get a new cache iteration @a cursor that will iterate over all known
|
|
jpayne@69
|
2596 * credential caches independent of type.
|
|
jpayne@69
|
2597 *
|
|
jpayne@69
|
2598 * Use krb5_cccol_cursor_free() to release @a cursor when it is no longer
|
|
jpayne@69
|
2599 * needed.
|
|
jpayne@69
|
2600 *
|
|
jpayne@69
|
2601 * @sa krb5_cccol_cursor_next()
|
|
jpayne@69
|
2602 *
|
|
jpayne@69
|
2603 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2604 */
|
|
jpayne@69
|
2605 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2606 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor);
|
|
jpayne@69
|
2607
|
|
jpayne@69
|
2608 /**
|
|
jpayne@69
|
2609 * Get the next credential cache in the collection.
|
|
jpayne@69
|
2610 *
|
|
jpayne@69
|
2611 * @param [in] context Library context
|
|
jpayne@69
|
2612 * @param [in] cursor Cursor
|
|
jpayne@69
|
2613 * @param [out] ccache Credential cache handle
|
|
jpayne@69
|
2614 *
|
|
jpayne@69
|
2615 * @note When all caches are iterated over and the end of the list is reached,
|
|
jpayne@69
|
2616 * @a ccache is set to NULL.
|
|
jpayne@69
|
2617 *
|
|
jpayne@69
|
2618 * Use krb5_cc_close() to close @a ccache when it is no longer needed.
|
|
jpayne@69
|
2619 *
|
|
jpayne@69
|
2620 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_free()
|
|
jpayne@69
|
2621 *
|
|
jpayne@69
|
2622 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2623 */
|
|
jpayne@69
|
2624 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2625 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
|
|
jpayne@69
|
2626 krb5_ccache *ccache);
|
|
jpayne@69
|
2627
|
|
jpayne@69
|
2628 /**
|
|
jpayne@69
|
2629 * Free a credential cache collection cursor.
|
|
jpayne@69
|
2630 *
|
|
jpayne@69
|
2631 * @param [in] context Library context
|
|
jpayne@69
|
2632 * @param [in] cursor Cursor
|
|
jpayne@69
|
2633 *
|
|
jpayne@69
|
2634 * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_next()
|
|
jpayne@69
|
2635 *
|
|
jpayne@69
|
2636 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2637 */
|
|
jpayne@69
|
2638 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2639 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor);
|
|
jpayne@69
|
2640
|
|
jpayne@69
|
2641 /**
|
|
jpayne@69
|
2642 * Check if the credential cache collection contains any initialized caches.
|
|
jpayne@69
|
2643 *
|
|
jpayne@69
|
2644 * @param [in] context Library context
|
|
jpayne@69
|
2645 *
|
|
jpayne@69
|
2646 * @version New in 1.11
|
|
jpayne@69
|
2647 *
|
|
jpayne@69
|
2648 * @retval 0 At least one initialized cache is present in the collection
|
|
jpayne@69
|
2649 * @retval KRB5_CC_NOTFOUND The collection contains no caches
|
|
jpayne@69
|
2650 */
|
|
jpayne@69
|
2651 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2652 krb5_cccol_have_content(krb5_context context);
|
|
jpayne@69
|
2653
|
|
jpayne@69
|
2654 /**
|
|
jpayne@69
|
2655 * Create a new credential cache of the specified type with a unique name.
|
|
jpayne@69
|
2656 *
|
|
jpayne@69
|
2657 * @param [in] context Library context
|
|
jpayne@69
|
2658 * @param [in] type Credential cache type name
|
|
jpayne@69
|
2659 * @param [in] hint Unused
|
|
jpayne@69
|
2660 * @param [out] id Credential cache handle
|
|
jpayne@69
|
2661 *
|
|
jpayne@69
|
2662 * @retval
|
|
jpayne@69
|
2663 * 0 Success
|
|
jpayne@69
|
2664 * @return
|
|
jpayne@69
|
2665 * Kerberos error codes
|
|
jpayne@69
|
2666 */
|
|
jpayne@69
|
2667 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2668 krb5_cc_new_unique(krb5_context context, const char *type, const char *hint,
|
|
jpayne@69
|
2669 krb5_ccache *id);
|
|
jpayne@69
|
2670
|
|
jpayne@69
|
2671 /*
|
|
jpayne@69
|
2672 * end "ccache.h"
|
|
jpayne@69
|
2673 */
|
|
jpayne@69
|
2674
|
|
jpayne@69
|
2675 /*
|
|
jpayne@69
|
2676 * begin "rcache.h"
|
|
jpayne@69
|
2677 */
|
|
jpayne@69
|
2678
|
|
jpayne@69
|
2679 struct krb5_rc_st;
|
|
jpayne@69
|
2680 typedef struct krb5_rc_st *krb5_rcache;
|
|
jpayne@69
|
2681
|
|
jpayne@69
|
2682 /*
|
|
jpayne@69
|
2683 * end "rcache.h"
|
|
jpayne@69
|
2684 */
|
|
jpayne@69
|
2685
|
|
jpayne@69
|
2686 /*
|
|
jpayne@69
|
2687 * begin "keytab.h"
|
|
jpayne@69
|
2688 */
|
|
jpayne@69
|
2689
|
|
jpayne@69
|
2690
|
|
jpayne@69
|
2691 /* XXX */
|
|
jpayne@69
|
2692 #define MAX_KEYTAB_NAME_LEN 1100 /**< Long enough for MAXPATHLEN + some extra */
|
|
jpayne@69
|
2693
|
|
jpayne@69
|
2694 typedef krb5_pointer krb5_kt_cursor;
|
|
jpayne@69
|
2695
|
|
jpayne@69
|
2696 /** A key table entry. */
|
|
jpayne@69
|
2697 typedef struct krb5_keytab_entry_st {
|
|
jpayne@69
|
2698 krb5_magic magic;
|
|
jpayne@69
|
2699 krb5_principal principal; /**< Principal of this key */
|
|
jpayne@69
|
2700 krb5_timestamp timestamp; /**< Time entry written to keytable */
|
|
jpayne@69
|
2701 krb5_kvno vno; /**< Key version number */
|
|
jpayne@69
|
2702 krb5_keyblock key; /**< The secret key */
|
|
jpayne@69
|
2703 } krb5_keytab_entry;
|
|
jpayne@69
|
2704
|
|
jpayne@69
|
2705 struct _krb5_kt;
|
|
jpayne@69
|
2706 typedef struct _krb5_kt *krb5_keytab;
|
|
jpayne@69
|
2707
|
|
jpayne@69
|
2708 /**
|
|
jpayne@69
|
2709 * Return the type of a key table.
|
|
jpayne@69
|
2710 *
|
|
jpayne@69
|
2711 * @param [in] context Library context
|
|
jpayne@69
|
2712 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2713 *
|
|
jpayne@69
|
2714 * @return The type of a key table as an alias that must not be modified or
|
|
jpayne@69
|
2715 * freed by the caller.
|
|
jpayne@69
|
2716 */
|
|
jpayne@69
|
2717 const char * KRB5_CALLCONV
|
|
jpayne@69
|
2718 krb5_kt_get_type(krb5_context context, krb5_keytab keytab);
|
|
jpayne@69
|
2719
|
|
jpayne@69
|
2720 /**
|
|
jpayne@69
|
2721 * Get a key table name.
|
|
jpayne@69
|
2722 *
|
|
jpayne@69
|
2723 * @param [in] context Library context
|
|
jpayne@69
|
2724 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2725 * @param [out] name Key table name
|
|
jpayne@69
|
2726 * @param [in] namelen Maximum length to fill in name
|
|
jpayne@69
|
2727 *
|
|
jpayne@69
|
2728 * Fill @a name with the name of @a keytab including the type and delimiter.
|
|
jpayne@69
|
2729 *
|
|
jpayne@69
|
2730 * @sa MAX_KEYTAB_NAME_LEN
|
|
jpayne@69
|
2731 *
|
|
jpayne@69
|
2732 * @retval
|
|
jpayne@69
|
2733 * 0 Success
|
|
jpayne@69
|
2734 * @retval
|
|
jpayne@69
|
2735 * KRB5_KT_NAME_TOOLONG Key table name does not fit in @a namelen bytes
|
|
jpayne@69
|
2736 *
|
|
jpayne@69
|
2737 * @return
|
|
jpayne@69
|
2738 * Kerberos error codes
|
|
jpayne@69
|
2739 */
|
|
jpayne@69
|
2740 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2741 krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
|
|
jpayne@69
|
2742 unsigned int namelen);
|
|
jpayne@69
|
2743
|
|
jpayne@69
|
2744 /**
|
|
jpayne@69
|
2745 * Close a key table handle.
|
|
jpayne@69
|
2746 *
|
|
jpayne@69
|
2747 * @param [in] context Library context
|
|
jpayne@69
|
2748 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2749 *
|
|
jpayne@69
|
2750 * @retval 0
|
|
jpayne@69
|
2751 */
|
|
jpayne@69
|
2752 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2753 krb5_kt_close(krb5_context context, krb5_keytab keytab);
|
|
jpayne@69
|
2754
|
|
jpayne@69
|
2755 /**
|
|
jpayne@69
|
2756 * Get an entry from a key table.
|
|
jpayne@69
|
2757 *
|
|
jpayne@69
|
2758 * @param [in] context Library context
|
|
jpayne@69
|
2759 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2760 * @param [in] principal Principal name
|
|
jpayne@69
|
2761 * @param [in] vno Key version number (0 for highest available)
|
|
jpayne@69
|
2762 * @param [in] enctype Encryption type (0 zero for any enctype)
|
|
jpayne@69
|
2763 * @param [out] entry Returned entry from key table
|
|
jpayne@69
|
2764 *
|
|
jpayne@69
|
2765 * Retrieve an entry from a key table which matches the @a keytab, @a
|
|
jpayne@69
|
2766 * principal, @a vno, and @a enctype. If @a vno is zero, retrieve the
|
|
jpayne@69
|
2767 * highest-numbered kvno matching the other fields. If @a enctype is 0, match
|
|
jpayne@69
|
2768 * any enctype.
|
|
jpayne@69
|
2769 *
|
|
jpayne@69
|
2770 * Use krb5_free_keytab_entry_contents() to free @a entry when it is no longer
|
|
jpayne@69
|
2771 * needed.
|
|
jpayne@69
|
2772 *
|
|
jpayne@69
|
2773 * @note If @a vno is zero, the function retrieves the highest-numbered-kvno
|
|
jpayne@69
|
2774 * entry that matches the specified principal.
|
|
jpayne@69
|
2775 *
|
|
jpayne@69
|
2776 * @retval
|
|
jpayne@69
|
2777 * 0 Success
|
|
jpayne@69
|
2778 * @retval
|
|
jpayne@69
|
2779 * Kerberos error codes on failure
|
|
jpayne@69
|
2780 */
|
|
jpayne@69
|
2781 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2782 krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
|
|
jpayne@69
|
2783 krb5_const_principal principal, krb5_kvno vno,
|
|
jpayne@69
|
2784 krb5_enctype enctype, krb5_keytab_entry *entry);
|
|
jpayne@69
|
2785
|
|
jpayne@69
|
2786 /**
|
|
jpayne@69
|
2787 * Start a sequential retrieval of key table entries.
|
|
jpayne@69
|
2788 *
|
|
jpayne@69
|
2789 * @param [in] context Library context
|
|
jpayne@69
|
2790 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2791 * @param [out] cursor Cursor
|
|
jpayne@69
|
2792 *
|
|
jpayne@69
|
2793 * Prepare to read sequentially every key in the specified key table. Use
|
|
jpayne@69
|
2794 * krb5_kt_end_seq_get() to release the cursor when it is no longer needed.
|
|
jpayne@69
|
2795 *
|
|
jpayne@69
|
2796 * @sa krb5_kt_next_entry(), krb5_kt_end_seq_get()
|
|
jpayne@69
|
2797 *
|
|
jpayne@69
|
2798 * @retval
|
|
jpayne@69
|
2799 * 0 Success
|
|
jpayne@69
|
2800 * @return
|
|
jpayne@69
|
2801 * Kerberos error codes
|
|
jpayne@69
|
2802 */
|
|
jpayne@69
|
2803 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2804 krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
|
|
jpayne@69
|
2805 krb5_kt_cursor *cursor);
|
|
jpayne@69
|
2806
|
|
jpayne@69
|
2807 /**
|
|
jpayne@69
|
2808 * Retrieve the next entry from the key table.
|
|
jpayne@69
|
2809 *
|
|
jpayne@69
|
2810 * @param [in] context Library context
|
|
jpayne@69
|
2811 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2812 * @param [out] entry Returned key table entry
|
|
jpayne@69
|
2813 * @param [in] cursor Key table cursor
|
|
jpayne@69
|
2814 *
|
|
jpayne@69
|
2815 * Return the next sequential entry in @a keytab and advance @a cursor.
|
|
jpayne@69
|
2816 * Callers must release the returned entry with krb5_kt_free_entry().
|
|
jpayne@69
|
2817 *
|
|
jpayne@69
|
2818 * @sa krb5_kt_start_seq_get(), krb5_kt_end_seq_get()
|
|
jpayne@69
|
2819 *
|
|
jpayne@69
|
2820 * @retval
|
|
jpayne@69
|
2821 * 0 Success
|
|
jpayne@69
|
2822 * @retval
|
|
jpayne@69
|
2823 * KRB5_KT_END - if the last entry was reached
|
|
jpayne@69
|
2824 * @return
|
|
jpayne@69
|
2825 * Kerberos error codes
|
|
jpayne@69
|
2826 */
|
|
jpayne@69
|
2827 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2828 krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
|
|
jpayne@69
|
2829 krb5_keytab_entry *entry, krb5_kt_cursor *cursor);
|
|
jpayne@69
|
2830
|
|
jpayne@69
|
2831 /**
|
|
jpayne@69
|
2832 * Release a keytab cursor.
|
|
jpayne@69
|
2833 *
|
|
jpayne@69
|
2834 * @param [in] context Library context
|
|
jpayne@69
|
2835 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2836 * @param [out] cursor Cursor
|
|
jpayne@69
|
2837 *
|
|
jpayne@69
|
2838 * This function should be called to release the cursor created by
|
|
jpayne@69
|
2839 * krb5_kt_start_seq_get().
|
|
jpayne@69
|
2840 *
|
|
jpayne@69
|
2841 * @retval
|
|
jpayne@69
|
2842 * 0 Success
|
|
jpayne@69
|
2843 * @return
|
|
jpayne@69
|
2844 * Kerberos error codes
|
|
jpayne@69
|
2845 */
|
|
jpayne@69
|
2846 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2847 krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
|
|
jpayne@69
|
2848 krb5_kt_cursor *cursor);
|
|
jpayne@69
|
2849
|
|
jpayne@69
|
2850 /**
|
|
jpayne@69
|
2851 * Check if a keytab exists and contains entries.
|
|
jpayne@69
|
2852 *
|
|
jpayne@69
|
2853 * @param [in] context Library context
|
|
jpayne@69
|
2854 * @param [in] keytab Key table handle
|
|
jpayne@69
|
2855 *
|
|
jpayne@69
|
2856 * @version New in 1.11
|
|
jpayne@69
|
2857 *
|
|
jpayne@69
|
2858 * @retval 0 Keytab exists and contains entries
|
|
jpayne@69
|
2859 * @retval KRB5_KT_NOTFOUND Keytab does not contain entries
|
|
jpayne@69
|
2860 */
|
|
jpayne@69
|
2861 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2862 krb5_kt_have_content(krb5_context context, krb5_keytab keytab);
|
|
jpayne@69
|
2863
|
|
jpayne@69
|
2864 /*
|
|
jpayne@69
|
2865 * end "keytab.h"
|
|
jpayne@69
|
2866 */
|
|
jpayne@69
|
2867
|
|
jpayne@69
|
2868 /*
|
|
jpayne@69
|
2869 * begin "func-proto.h"
|
|
jpayne@69
|
2870 */
|
|
jpayne@69
|
2871
|
|
jpayne@69
|
2872 #define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */
|
|
jpayne@69
|
2873 #define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */
|
|
jpayne@69
|
2874
|
|
jpayne@69
|
2875 /**
|
|
jpayne@69
|
2876 * Create a krb5 library context.
|
|
jpayne@69
|
2877 *
|
|
jpayne@69
|
2878 * @param [out] context Library context
|
|
jpayne@69
|
2879 *
|
|
jpayne@69
|
2880 * The @a context must be released by calling krb5_free_context() when
|
|
jpayne@69
|
2881 * it is no longer needed.
|
|
jpayne@69
|
2882 *
|
|
jpayne@69
|
2883 * @warning Any program or module that needs the Kerberos code to not trust the
|
|
jpayne@69
|
2884 * environment must use krb5_init_secure_context(), or clean out the
|
|
jpayne@69
|
2885 * environment.
|
|
jpayne@69
|
2886 *
|
|
jpayne@69
|
2887 * @retval
|
|
jpayne@69
|
2888 * 0 Success
|
|
jpayne@69
|
2889 * @return
|
|
jpayne@69
|
2890 * Kerberos error codes
|
|
jpayne@69
|
2891 */
|
|
jpayne@69
|
2892 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2893 krb5_init_context(krb5_context *context);
|
|
jpayne@69
|
2894
|
|
jpayne@69
|
2895 /**
|
|
jpayne@69
|
2896 * Create a krb5 library context using only configuration files.
|
|
jpayne@69
|
2897 *
|
|
jpayne@69
|
2898 * @param [out] context Library context
|
|
jpayne@69
|
2899 *
|
|
jpayne@69
|
2900 * Create a context structure, using only system configuration files. All
|
|
jpayne@69
|
2901 * information passed through the environment variables is ignored.
|
|
jpayne@69
|
2902 *
|
|
jpayne@69
|
2903 * The @a context must be released by calling krb5_free_context() when
|
|
jpayne@69
|
2904 * it is no longer needed.
|
|
jpayne@69
|
2905 *
|
|
jpayne@69
|
2906 * @retval
|
|
jpayne@69
|
2907 * 0 Success
|
|
jpayne@69
|
2908 * @return
|
|
jpayne@69
|
2909 * Kerberos error codes
|
|
jpayne@69
|
2910 */
|
|
jpayne@69
|
2911 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2912 krb5_init_secure_context(krb5_context *context);
|
|
jpayne@69
|
2913
|
|
jpayne@69
|
2914 /**
|
|
jpayne@69
|
2915 * Create a krb5 library context using a specified profile.
|
|
jpayne@69
|
2916 *
|
|
jpayne@69
|
2917 * @param [in] profile Profile object (NULL to create default profile)
|
|
jpayne@69
|
2918 * @param [in] flags Context initialization flags
|
|
jpayne@69
|
2919 * @param [out] context Library context
|
|
jpayne@69
|
2920 *
|
|
jpayne@69
|
2921 * Create a context structure, optionally using a specified profile and
|
|
jpayne@69
|
2922 * initialization flags. If @a profile is NULL, the default profile will be
|
|
jpayne@69
|
2923 * created from config files. If @a profile is non-null, a copy of it will be
|
|
jpayne@69
|
2924 * made for the new context; the caller should still clean up its copy. Valid
|
|
jpayne@69
|
2925 * flag values are:
|
|
jpayne@69
|
2926 *
|
|
jpayne@69
|
2927 * @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables
|
|
jpayne@69
|
2928 * @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
|
|
jpayne@69
|
2929 */
|
|
jpayne@69
|
2930 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2931 krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags,
|
|
jpayne@69
|
2932 krb5_context *context);
|
|
jpayne@69
|
2933
|
|
jpayne@69
|
2934 /**
|
|
jpayne@69
|
2935 * Free a krb5 library context.
|
|
jpayne@69
|
2936 *
|
|
jpayne@69
|
2937 * @param [in] context Library context
|
|
jpayne@69
|
2938 *
|
|
jpayne@69
|
2939 * This function frees a @a context that was created by krb5_init_context()
|
|
jpayne@69
|
2940 * or krb5_init_secure_context().
|
|
jpayne@69
|
2941 */
|
|
jpayne@69
|
2942 void KRB5_CALLCONV
|
|
jpayne@69
|
2943 krb5_free_context(krb5_context context);
|
|
jpayne@69
|
2944
|
|
jpayne@69
|
2945 /**
|
|
jpayne@69
|
2946 * Copy a krb5_context structure.
|
|
jpayne@69
|
2947 *
|
|
jpayne@69
|
2948 * @param [in] ctx Library context
|
|
jpayne@69
|
2949 * @param [out] nctx_out New context structure
|
|
jpayne@69
|
2950 *
|
|
jpayne@69
|
2951 * The newly created context must be released by calling krb5_free_context()
|
|
jpayne@69
|
2952 * when it is no longer needed.
|
|
jpayne@69
|
2953 *
|
|
jpayne@69
|
2954 * @retval
|
|
jpayne@69
|
2955 * 0 Success
|
|
jpayne@69
|
2956 * @return
|
|
jpayne@69
|
2957 * Kerberos error codes
|
|
jpayne@69
|
2958 */
|
|
jpayne@69
|
2959 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2960 krb5_copy_context(krb5_context ctx, krb5_context *nctx_out);
|
|
jpayne@69
|
2961
|
|
jpayne@69
|
2962 /**
|
|
jpayne@69
|
2963 * Set default TGS encryption types in a krb5_context structure.
|
|
jpayne@69
|
2964 *
|
|
jpayne@69
|
2965 * @param [in] context Library context
|
|
jpayne@69
|
2966 * @param [in] etypes Encryption type(s) to set
|
|
jpayne@69
|
2967 *
|
|
jpayne@69
|
2968 * This function sets the default enctype list for TGS requests
|
|
jpayne@69
|
2969 * made using @a context to @a etypes.
|
|
jpayne@69
|
2970 *
|
|
jpayne@69
|
2971 * @note This overrides the default list (from config file or built-in).
|
|
jpayne@69
|
2972 *
|
|
jpayne@69
|
2973 * @retval
|
|
jpayne@69
|
2974 * 0 Success
|
|
jpayne@69
|
2975 * @retval
|
|
jpayne@69
|
2976 * KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type
|
|
jpayne@69
|
2977 * @return
|
|
jpayne@69
|
2978 * Kerberos error codes
|
|
jpayne@69
|
2979 */
|
|
jpayne@69
|
2980 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2981 krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes);
|
|
jpayne@69
|
2982
|
|
jpayne@69
|
2983 /**
|
|
jpayne@69
|
2984 * Return a list of encryption types permitted for session keys.
|
|
jpayne@69
|
2985 *
|
|
jpayne@69
|
2986 * @param [in] context Library context
|
|
jpayne@69
|
2987 * @param [out] ktypes Zero-terminated list of encryption types
|
|
jpayne@69
|
2988 *
|
|
jpayne@69
|
2989 * This function returns the list of encryption types permitted for session
|
|
jpayne@69
|
2990 * keys within @a context, as determined by configuration or by a previous call
|
|
jpayne@69
|
2991 * to krb5_set_default_tgs_enctypes().
|
|
jpayne@69
|
2992 *
|
|
jpayne@69
|
2993 * Use krb5_free_enctypes() to free @a ktypes when it is no longer needed.
|
|
jpayne@69
|
2994 *
|
|
jpayne@69
|
2995 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
2996 */
|
|
jpayne@69
|
2997 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
2998 krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes);
|
|
jpayne@69
|
2999
|
|
jpayne@69
|
3000 /**
|
|
jpayne@69
|
3001 * Test whether the Kerberos library was built with multithread support.
|
|
jpayne@69
|
3002 *
|
|
jpayne@69
|
3003 * @retval
|
|
jpayne@69
|
3004 * TRUE if the library is threadsafe; FALSE otherwise
|
|
jpayne@69
|
3005 */
|
|
jpayne@69
|
3006 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3007 krb5_is_thread_safe(void);
|
|
jpayne@69
|
3008
|
|
jpayne@69
|
3009 /* libkrb.spec */
|
|
jpayne@69
|
3010
|
|
jpayne@69
|
3011 /**
|
|
jpayne@69
|
3012 * Decrypt a ticket using the specified key table.
|
|
jpayne@69
|
3013 *
|
|
jpayne@69
|
3014 * @param [in] context Library context
|
|
jpayne@69
|
3015 * @param [in] kt Key table
|
|
jpayne@69
|
3016 * @param [in] ticket Ticket to be decrypted
|
|
jpayne@69
|
3017 *
|
|
jpayne@69
|
3018 * This function takes a @a ticket as input and decrypts it using
|
|
jpayne@69
|
3019 * key data from @a kt. The result is placed into @a ticket->enc_part2.
|
|
jpayne@69
|
3020 *
|
|
jpayne@69
|
3021 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3022 */
|
|
jpayne@69
|
3023 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3024 krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt,
|
|
jpayne@69
|
3025 krb5_ticket *ticket);
|
|
jpayne@69
|
3026
|
|
jpayne@69
|
3027 /**
|
|
jpayne@69
|
3028 * Free an array of credential structures.
|
|
jpayne@69
|
3029 *
|
|
jpayne@69
|
3030 * @param [in] context Library context
|
|
jpayne@69
|
3031 * @param [in] tgts Null-terminated array of credentials to free
|
|
jpayne@69
|
3032 *
|
|
jpayne@69
|
3033 * @note The last entry in the array @a tgts must be a NULL pointer.
|
|
jpayne@69
|
3034 */
|
|
jpayne@69
|
3035 void KRB5_CALLCONV
|
|
jpayne@69
|
3036 krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
|
|
jpayne@69
|
3037
|
|
jpayne@69
|
3038 /** @defgroup KRB5_GC KRB5_GC
|
|
jpayne@69
|
3039 * @{
|
|
jpayne@69
|
3040 */
|
|
jpayne@69
|
3041 #define KRB5_GC_USER_USER 1 /**< Want user-user ticket */
|
|
jpayne@69
|
3042 #define KRB5_GC_CACHED 2 /**< Want cached ticket only */
|
|
jpayne@69
|
3043 #define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */
|
|
jpayne@69
|
3044 #define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */
|
|
jpayne@69
|
3045 #define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */
|
|
jpayne@69
|
3046 #define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */
|
|
jpayne@69
|
3047 #define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */
|
|
jpayne@69
|
3048 /** @} */ /* end of KRB5_GC group */
|
|
jpayne@69
|
3049
|
|
jpayne@69
|
3050 /**
|
|
jpayne@69
|
3051 * Get an additional ticket.
|
|
jpayne@69
|
3052 *
|
|
jpayne@69
|
3053 * @param [in] context Library context
|
|
jpayne@69
|
3054 * @param [in] options Options
|
|
jpayne@69
|
3055 * @param [in] ccache Credential cache handle
|
|
jpayne@69
|
3056 * @param [in] in_creds Input credentials
|
|
jpayne@69
|
3057 * @param [out] out_creds Output updated credentials
|
|
jpayne@69
|
3058 *
|
|
jpayne@69
|
3059 * Use @a ccache or a TGS exchange to get a service ticket matching @a
|
|
jpayne@69
|
3060 * in_creds.
|
|
jpayne@69
|
3061 *
|
|
jpayne@69
|
3062 * Valid values for @a options are:
|
|
jpayne@69
|
3063 * @li #KRB5_GC_CACHED Search only credential cache for the ticket
|
|
jpayne@69
|
3064 * @li #KRB5_GC_USER_USER Return a user to user authentication ticket
|
|
jpayne@69
|
3065 *
|
|
jpayne@69
|
3066 * @a in_creds must be non-null. @a in_creds->client and @a in_creds->server
|
|
jpayne@69
|
3067 * must be filled in to specify the client and the server respectively. If any
|
|
jpayne@69
|
3068 * authorization data needs to be requested for the service ticket (such as
|
|
jpayne@69
|
3069 * restrictions on how the ticket can be used), specify it in @a
|
|
jpayne@69
|
3070 * in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The
|
|
jpayne@69
|
3071 * session key type is specified in @a in_creds->keyblock.enctype, if it is
|
|
jpayne@69
|
3072 * nonzero.
|
|
jpayne@69
|
3073 *
|
|
jpayne@69
|
3074 * The expiration date is specified in @a in_creds->times.endtime.
|
|
jpayne@69
|
3075 * The KDC may return tickets with an earlier expiration date.
|
|
jpayne@69
|
3076 * If @a in_creds->times.endtime is set to 0, the latest possible
|
|
jpayne@69
|
3077 * expiration date will be requested.
|
|
jpayne@69
|
3078 *
|
|
jpayne@69
|
3079 * Any returned ticket and intermediate ticket-granting tickets are stored
|
|
jpayne@69
|
3080 * in @a ccache.
|
|
jpayne@69
|
3081 *
|
|
jpayne@69
|
3082 * Use krb5_free_creds() to free @a out_creds when it is no longer needed.
|
|
jpayne@69
|
3083 *
|
|
jpayne@69
|
3084 * @retval
|
|
jpayne@69
|
3085 * 0 Success
|
|
jpayne@69
|
3086 * @return
|
|
jpayne@69
|
3087 * Kerberos error codes
|
|
jpayne@69
|
3088 */
|
|
jpayne@69
|
3089 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3090 krb5_get_credentials(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
3091 krb5_ccache ccache, krb5_creds *in_creds,
|
|
jpayne@69
|
3092 krb5_creds **out_creds);
|
|
jpayne@69
|
3093
|
|
jpayne@69
|
3094 /**
|
|
jpayne@69
|
3095 * Serialize a @c krb5_creds object.
|
|
jpayne@69
|
3096 *
|
|
jpayne@69
|
3097 * @param [in] context Library context
|
|
jpayne@69
|
3098 * @param [in] in_creds The credentials object to serialize
|
|
jpayne@69
|
3099 * @param [out] data_out The serialized credentials
|
|
jpayne@69
|
3100 *
|
|
jpayne@69
|
3101 * Serialize @a creds in the format used by the FILE ccache format (vesion 4)
|
|
jpayne@69
|
3102 * and KCM ccache protocol.
|
|
jpayne@69
|
3103 *
|
|
jpayne@69
|
3104 * Use krb5_free_data() to free @a data_out when it is no longer needed.
|
|
jpayne@69
|
3105 *
|
|
jpayne@69
|
3106 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3107 */
|
|
jpayne@69
|
3108 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3109 krb5_marshal_credentials(krb5_context context, krb5_creds *in_creds,
|
|
jpayne@69
|
3110 krb5_data **data_out);
|
|
jpayne@69
|
3111
|
|
jpayne@69
|
3112 /**
|
|
jpayne@69
|
3113 * Deserialize a @c krb5_creds object.
|
|
jpayne@69
|
3114 *
|
|
jpayne@69
|
3115 * @param [in] context Library context
|
|
jpayne@69
|
3116 * @param [in] data The serialized credentials
|
|
jpayne@69
|
3117 * @param [out] creds_out The resulting creds object
|
|
jpayne@69
|
3118 *
|
|
jpayne@69
|
3119 * Deserialize @a data to credentials in the format used by the FILE ccache
|
|
jpayne@69
|
3120 * format (vesion 4) and KCM ccache protocol.
|
|
jpayne@69
|
3121 *
|
|
jpayne@69
|
3122 * Use krb5_free_creds() to free @a creds_out when it is no longer needed.
|
|
jpayne@69
|
3123 *
|
|
jpayne@69
|
3124 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3125 */
|
|
jpayne@69
|
3126 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3127 krb5_unmarshal_credentials(krb5_context context, const krb5_data *data,
|
|
jpayne@69
|
3128 krb5_creds **creds_out);
|
|
jpayne@69
|
3129
|
|
jpayne@69
|
3130 /** @deprecated Replaced by krb5_get_validated_creds. */
|
|
jpayne@69
|
3131 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3132 krb5_get_credentials_validate(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
3133 krb5_ccache ccache, krb5_creds *in_creds,
|
|
jpayne@69
|
3134 krb5_creds **out_creds);
|
|
jpayne@69
|
3135
|
|
jpayne@69
|
3136 /** @deprecated Replaced by krb5_get_renewed_creds. */
|
|
jpayne@69
|
3137 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3138 krb5_get_credentials_renew(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
3139 krb5_ccache ccache, krb5_creds *in_creds,
|
|
jpayne@69
|
3140 krb5_creds **out_creds);
|
|
jpayne@69
|
3141
|
|
jpayne@69
|
3142 /**
|
|
jpayne@69
|
3143 * Create a @c KRB_AP_REQ message.
|
|
jpayne@69
|
3144 *
|
|
jpayne@69
|
3145 * @param [in] context Library context
|
|
jpayne@69
|
3146 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
3147 * @param [in] ap_req_options @ref AP_OPTS options
|
|
jpayne@69
|
3148 * @param [in] service Service name, or NULL to use @c "host"
|
|
jpayne@69
|
3149 * @param [in] hostname Host name, or NULL to use local hostname
|
|
jpayne@69
|
3150 * @param [in] in_data Application data to be checksummed in the
|
|
jpayne@69
|
3151 * authenticator, or NULL
|
|
jpayne@69
|
3152 * @param [in] ccache Credential cache used to obtain credentials
|
|
jpayne@69
|
3153 * for the desired service.
|
|
jpayne@69
|
3154 * @param [out] outbuf @c AP-REQ message
|
|
jpayne@69
|
3155 *
|
|
jpayne@69
|
3156 * This function is similar to krb5_mk_req_extended() except that it uses a
|
|
jpayne@69
|
3157 * given @a hostname, @a service, and @a ccache to construct a service
|
|
jpayne@69
|
3158 * principal name and obtain credentials.
|
|
jpayne@69
|
3159 *
|
|
jpayne@69
|
3160 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
|
|
jpayne@69
|
3161 *
|
|
jpayne@69
|
3162 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3163 */
|
|
jpayne@69
|
3164 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3165 krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
|
|
jpayne@69
|
3166 krb5_flags ap_req_options, const char *service,
|
|
jpayne@69
|
3167 const char *hostname, krb5_data *in_data, krb5_ccache ccache,
|
|
jpayne@69
|
3168 krb5_data *outbuf);
|
|
jpayne@69
|
3169
|
|
jpayne@69
|
3170 /**
|
|
jpayne@69
|
3171 * Create a @c KRB_AP_REQ message using supplied credentials.
|
|
jpayne@69
|
3172 *
|
|
jpayne@69
|
3173 * @param [in] context Library context
|
|
jpayne@69
|
3174 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
3175 * @param [in] ap_req_options @ref AP_OPTS options
|
|
jpayne@69
|
3176 * @param [in] in_data Application data to be checksummed in the
|
|
jpayne@69
|
3177 * authenticator, or NULL
|
|
jpayne@69
|
3178 * @param [in] in_creds Credentials for the service with valid ticket
|
|
jpayne@69
|
3179 * and key
|
|
jpayne@69
|
3180 * @param [out] outbuf @c AP-REQ message
|
|
jpayne@69
|
3181 *
|
|
jpayne@69
|
3182 * Valid @a ap_req_options are:
|
|
jpayne@69
|
3183 * @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the
|
|
jpayne@69
|
3184 * request used for user to user
|
|
jpayne@69
|
3185 * authentication.
|
|
jpayne@69
|
3186 * @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from
|
|
jpayne@69
|
3187 * the receiver.
|
|
jpayne@69
|
3188 * @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current
|
|
jpayne@69
|
3189 * session key obtained from the credentials.
|
|
jpayne@69
|
3190 *
|
|
jpayne@69
|
3191 * This function creates a KRB_AP_REQ message using supplied credentials @a
|
|
jpayne@69
|
3192 * in_creds. @a auth_context may point to an existing auth context or to NULL,
|
|
jpayne@69
|
3193 * in which case a new one will be created. If @a in_data is non-null, a
|
|
jpayne@69
|
3194 * checksum of it will be included in the authenticator contained in the
|
|
jpayne@69
|
3195 * KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it
|
|
jpayne@69
|
3196 * is no longer needed.
|
|
jpayne@69
|
3197 *
|
|
jpayne@69
|
3198 * On successful return, the authenticator is stored in @a auth_context with
|
|
jpayne@69
|
3199 * the @a client and @a checksum fields nulled out. (This is to prevent
|
|
jpayne@69
|
3200 * pointer-sharing problems; the caller should not need these fields anyway,
|
|
jpayne@69
|
3201 * since the caller supplied them.)
|
|
jpayne@69
|
3202 *
|
|
jpayne@69
|
3203 * @sa krb5_mk_req()
|
|
jpayne@69
|
3204 *
|
|
jpayne@69
|
3205 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3206 */
|
|
jpayne@69
|
3207 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3208 krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
|
|
jpayne@69
|
3209 krb5_flags ap_req_options, krb5_data *in_data,
|
|
jpayne@69
|
3210 krb5_creds *in_creds, krb5_data *outbuf);
|
|
jpayne@69
|
3211
|
|
jpayne@69
|
3212 /**
|
|
jpayne@69
|
3213 * Format and encrypt a @c KRB_AP_REP message.
|
|
jpayne@69
|
3214 *
|
|
jpayne@69
|
3215 * @param [in] context Library context
|
|
jpayne@69
|
3216 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
3217 * @param [out] outbuf @c AP-REP message
|
|
jpayne@69
|
3218 *
|
|
jpayne@69
|
3219 * This function fills in @a outbuf with an AP-REP message using information
|
|
jpayne@69
|
3220 * from @a auth_context.
|
|
jpayne@69
|
3221 *
|
|
jpayne@69
|
3222 * If the flags in @a auth_context indicate that a sequence number should be
|
|
jpayne@69
|
3223 * used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
|
|
jpayne@69
|
3224 * #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a
|
|
jpayne@69
|
3225 * auth_context is 0, a new number will be generated with
|
|
jpayne@69
|
3226 * krb5_generate_seq_number().
|
|
jpayne@69
|
3227 *
|
|
jpayne@69
|
3228 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
|
|
jpayne@69
|
3229 *
|
|
jpayne@69
|
3230 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3231 */
|
|
jpayne@69
|
3232 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3233 krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
|
|
jpayne@69
|
3234
|
|
jpayne@69
|
3235 /**
|
|
jpayne@69
|
3236 * Format and encrypt a @c KRB_AP_REP message for DCE RPC.
|
|
jpayne@69
|
3237 *
|
|
jpayne@69
|
3238 * @param [in] context Library context
|
|
jpayne@69
|
3239 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
3240 * @param [out] outbuf @c AP-REP message
|
|
jpayne@69
|
3241 *
|
|
jpayne@69
|
3242 * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
|
|
jpayne@69
|
3243 *
|
|
jpayne@69
|
3244 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3245 */
|
|
jpayne@69
|
3246 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3247 krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
|
|
jpayne@69
|
3248
|
|
jpayne@69
|
3249 /**
|
|
jpayne@69
|
3250 * Parse and decrypt a @c KRB_AP_REP message.
|
|
jpayne@69
|
3251 *
|
|
jpayne@69
|
3252 * @param [in] context Library context
|
|
jpayne@69
|
3253 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
3254 * @param [in] inbuf AP-REP message
|
|
jpayne@69
|
3255 * @param [out] repl Decrypted reply message
|
|
jpayne@69
|
3256 *
|
|
jpayne@69
|
3257 * This function parses, decrypts and verifies a message from @a inbuf and
|
|
jpayne@69
|
3258 * fills in @a repl with a pointer to allocated memory containing the fields
|
|
jpayne@69
|
3259 * from the encrypted response.
|
|
jpayne@69
|
3260 *
|
|
jpayne@69
|
3261 * Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed.
|
|
jpayne@69
|
3262 *
|
|
jpayne@69
|
3263 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3264 */
|
|
jpayne@69
|
3265 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3266 krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
3267 const krb5_data *inbuf, krb5_ap_rep_enc_part **repl);
|
|
jpayne@69
|
3268
|
|
jpayne@69
|
3269 /**
|
|
jpayne@69
|
3270 * Parse and decrypt a @c KRB_AP_REP message for DCE RPC.
|
|
jpayne@69
|
3271 *
|
|
jpayne@69
|
3272 * @param [in] context Library context
|
|
jpayne@69
|
3273 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
3274 * @param [in] inbuf AP-REP message
|
|
jpayne@69
|
3275 * @param [out] nonce Sequence number from the decrypted reply
|
|
jpayne@69
|
3276 *
|
|
jpayne@69
|
3277 * This function parses, decrypts and verifies a message from @a inbuf and
|
|
jpayne@69
|
3278 * fills in @a nonce with a decrypted reply sequence number.
|
|
jpayne@69
|
3279 *
|
|
jpayne@69
|
3280 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3281 */
|
|
jpayne@69
|
3282 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3283 krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
3284 const krb5_data *inbuf, krb5_ui_4 *nonce);
|
|
jpayne@69
|
3285
|
|
jpayne@69
|
3286 /**
|
|
jpayne@69
|
3287 * Format and encode a @c KRB_ERROR message.
|
|
jpayne@69
|
3288 *
|
|
jpayne@69
|
3289 * @param [in] context Library context
|
|
jpayne@69
|
3290 * @param [in] dec_err Error structure to be encoded
|
|
jpayne@69
|
3291 * @param [out] enc_err Encoded error structure
|
|
jpayne@69
|
3292 *
|
|
jpayne@69
|
3293 * This function creates a @c KRB_ERROR message in @a enc_err. Use
|
|
jpayne@69
|
3294 * krb5_free_data_contents() to free @a enc_err when it is no longer needed.
|
|
jpayne@69
|
3295 *
|
|
jpayne@69
|
3296 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3297 */
|
|
jpayne@69
|
3298 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3299 krb5_mk_error(krb5_context context, const krb5_error *dec_err,
|
|
jpayne@69
|
3300 krb5_data *enc_err);
|
|
jpayne@69
|
3301
|
|
jpayne@69
|
3302 /**
|
|
jpayne@69
|
3303 * Decode a @c KRB-ERROR message.
|
|
jpayne@69
|
3304 *
|
|
jpayne@69
|
3305 * @param [in] context Library context
|
|
jpayne@69
|
3306 * @param [in] enc_errbuf Encoded error message
|
|
jpayne@69
|
3307 * @param [out] dec_error Decoded error message
|
|
jpayne@69
|
3308 *
|
|
jpayne@69
|
3309 * This function processes @c KRB-ERROR message @a enc_errbuf and returns
|
|
jpayne@69
|
3310 * an allocated structure @a dec_error containing the error message.
|
|
jpayne@69
|
3311 * Use krb5_free_error() to free @a dec_error when it is no longer needed.
|
|
jpayne@69
|
3312 *
|
|
jpayne@69
|
3313 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3314 */
|
|
jpayne@69
|
3315 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3316 krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf,
|
|
jpayne@69
|
3317 krb5_error **dec_error);
|
|
jpayne@69
|
3318
|
|
jpayne@69
|
3319 /**
|
|
jpayne@69
|
3320 * Process @c KRB-SAFE message.
|
|
jpayne@69
|
3321 *
|
|
jpayne@69
|
3322 * @param [in] context Library context
|
|
jpayne@69
|
3323 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
3324 * @param [in] inbuf @c KRB-SAFE message to be parsed
|
|
jpayne@69
|
3325 * @param [out] userdata_out Data parsed from @c KRB-SAFE message
|
|
jpayne@69
|
3326 * @param [out] rdata_out Replay data. Specify NULL if not needed
|
|
jpayne@69
|
3327 *
|
|
jpayne@69
|
3328 * This function parses a @c KRB-SAFE message, verifies its integrity, and
|
|
jpayne@69
|
3329 * stores its data into @a userdata_out.
|
|
jpayne@69
|
3330 *
|
|
jpayne@69
|
3331 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
3332 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
3333 * in @a auth_context.
|
|
jpayne@69
|
3334 *
|
|
jpayne@69
|
3335 * If @a auth_context has a remote address set, the address will be used to
|
|
jpayne@69
|
3336 * verify the sender address in the KRB-SAFE message. If @a auth_context has a
|
|
jpayne@69
|
3337 * local address set, it will be used to verify the receiver address in the
|
|
jpayne@69
|
3338 * KRB-SAFE message if the message contains one.
|
|
jpayne@69
|
3339 *
|
|
jpayne@69
|
3340 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
|
|
jpayne@69
|
3341 * sequence number of the KRB-SAFE message is checked against the remote
|
|
jpayne@69
|
3342 * sequence number field of @a auth_context. Otherwise, the sequence number is
|
|
jpayne@69
|
3343 * not used.
|
|
jpayne@69
|
3344 *
|
|
jpayne@69
|
3345 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the
|
|
jpayne@69
|
3346 * timestamp in the message is verified to be within the permitted clock skew
|
|
jpayne@69
|
3347 * of the current time, and the message is checked against an in-memory replay
|
|
jpayne@69
|
3348 * cache to detect reflections or replays.
|
|
jpayne@69
|
3349 *
|
|
jpayne@69
|
3350 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer
|
|
jpayne@69
|
3351 * needed.
|
|
jpayne@69
|
3352 *
|
|
jpayne@69
|
3353 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3354 */
|
|
jpayne@69
|
3355 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3356 krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
3357 const krb5_data *inbuf, krb5_data *userdata_out,
|
|
jpayne@69
|
3358 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
3359
|
|
jpayne@69
|
3360 /**
|
|
jpayne@69
|
3361 * Process a @c KRB-PRIV message.
|
|
jpayne@69
|
3362 *
|
|
jpayne@69
|
3363 * @param [in] context Library context
|
|
jpayne@69
|
3364 * @param [in] auth_context Authentication structure
|
|
jpayne@69
|
3365 * @param [in] inbuf @c KRB-PRIV message to be parsed
|
|
jpayne@69
|
3366 * @param [out] userdata_out Data parsed from @c KRB-PRIV message
|
|
jpayne@69
|
3367 * @param [out] rdata_out Replay data. Specify NULL if not needed
|
|
jpayne@69
|
3368 *
|
|
jpayne@69
|
3369 * This function parses a @c KRB-PRIV message, verifies its integrity, and
|
|
jpayne@69
|
3370 * stores its unencrypted data into @a userdata_out.
|
|
jpayne@69
|
3371 *
|
|
jpayne@69
|
3372 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
3373 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
3374 * in @a auth_context.
|
|
jpayne@69
|
3375 *
|
|
jpayne@69
|
3376 * If @a auth_context has a remote address set, the address will be used to
|
|
jpayne@69
|
3377 * verify the sender address in the KRB-PRIV message. If @a auth_context has a
|
|
jpayne@69
|
3378 * local address set, it will be used to verify the receiver address in the
|
|
jpayne@69
|
3379 * KRB-PRIV message if the message contains one.
|
|
jpayne@69
|
3380 *
|
|
jpayne@69
|
3381 * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
|
|
jpayne@69
|
3382 * sequence number of the KRB-PRIV message is checked against the remote
|
|
jpayne@69
|
3383 * sequence number field of @a auth_context. Otherwise, the sequence number is
|
|
jpayne@69
|
3384 * not used.
|
|
jpayne@69
|
3385 *
|
|
jpayne@69
|
3386 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the
|
|
jpayne@69
|
3387 * timestamp in the message is verified to be within the permitted clock skew
|
|
jpayne@69
|
3388 * of the current time, and the message is checked against an in-memory replay
|
|
jpayne@69
|
3389 * cache to detect reflections or replays.
|
|
jpayne@69
|
3390 *
|
|
jpayne@69
|
3391 * Use krb5_free_data_contents() to free @a userdata_out when it is no longer
|
|
jpayne@69
|
3392 * needed.
|
|
jpayne@69
|
3393 *
|
|
jpayne@69
|
3394 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3395 */
|
|
jpayne@69
|
3396 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3397 krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
3398 const krb5_data *inbuf, krb5_data *userdata_out,
|
|
jpayne@69
|
3399 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
3400
|
|
jpayne@69
|
3401 /**
|
|
jpayne@69
|
3402 * Convert a string principal name to a krb5_principal structure.
|
|
jpayne@69
|
3403 *
|
|
jpayne@69
|
3404 * @param [in] context Library context
|
|
jpayne@69
|
3405 * @param [in] name String representation of a principal name
|
|
jpayne@69
|
3406 * @param [out] principal_out New principal
|
|
jpayne@69
|
3407 *
|
|
jpayne@69
|
3408 * Convert a string representation of a principal name to a krb5_principal
|
|
jpayne@69
|
3409 * structure.
|
|
jpayne@69
|
3410 *
|
|
jpayne@69
|
3411 * A string representation of a Kerberos name consists of one or more principal
|
|
jpayne@69
|
3412 * name components, separated by slashes, optionally followed by the \@
|
|
jpayne@69
|
3413 * character and a realm name. If the realm name is not specified, the local
|
|
jpayne@69
|
3414 * realm is used.
|
|
jpayne@69
|
3415 *
|
|
jpayne@69
|
3416 * To use the slash and \@ symbols as part of a component (quoted) instead of
|
|
jpayne@69
|
3417 * using them as a component separator or as a realm prefix), put a backslash
|
|
jpayne@69
|
3418 * (\) character in front of the symbol. Similarly, newline, tab, backspace,
|
|
jpayne@69
|
3419 * and NULL characters can be included in a component by using @c n, @c t, @c b
|
|
jpayne@69
|
3420 * or @c 0, respectively.
|
|
jpayne@69
|
3421 *
|
|
jpayne@69
|
3422 * @note The realm in a Kerberos @a name cannot contain slash, colon,
|
|
jpayne@69
|
3423 * or NULL characters.
|
|
jpayne@69
|
3424 *
|
|
jpayne@69
|
3425 * Beginning with release 1.20, the name type of the principal will be inferred
|
|
jpayne@69
|
3426 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name.
|
|
jpayne@69
|
3427 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred.
|
|
jpayne@69
|
3428 *
|
|
jpayne@69
|
3429 * Use krb5_free_principal() to free @a principal_out when it is no longer
|
|
jpayne@69
|
3430 * needed.
|
|
jpayne@69
|
3431 *
|
|
jpayne@69
|
3432 * @retval
|
|
jpayne@69
|
3433 * 0 Success
|
|
jpayne@69
|
3434 * @return
|
|
jpayne@69
|
3435 * Kerberos error codes
|
|
jpayne@69
|
3436 */
|
|
jpayne@69
|
3437 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3438 krb5_parse_name(krb5_context context, const char *name,
|
|
jpayne@69
|
3439 krb5_principal *principal_out);
|
|
jpayne@69
|
3440
|
|
jpayne@69
|
3441 #define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */
|
|
jpayne@69
|
3442 #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */
|
|
jpayne@69
|
3443 #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component
|
|
jpayne@69
|
3444 enterprise principle */
|
|
jpayne@69
|
3445 #define KRB5_PRINCIPAL_PARSE_IGNORE_REALM 0x8 /**< Ignore realm if present */
|
|
jpayne@69
|
3446 #define KRB5_PRINCIPAL_PARSE_NO_DEF_REALM 0x10 /**< Don't add default realm */
|
|
jpayne@69
|
3447
|
|
jpayne@69
|
3448 /**
|
|
jpayne@69
|
3449 * Convert a string principal name to a krb5_principal with flags.
|
|
jpayne@69
|
3450 *
|
|
jpayne@69
|
3451 * @param [in] context Library context
|
|
jpayne@69
|
3452 * @param [in] name String representation of a principal name
|
|
jpayne@69
|
3453 * @param [in] flags Flag
|
|
jpayne@69
|
3454 * @param [out] principal_out New principal
|
|
jpayne@69
|
3455 *
|
|
jpayne@69
|
3456 * Similar to krb5_parse_name(), this function converts a single-string
|
|
jpayne@69
|
3457 * representation of a principal name to a krb5_principal structure.
|
|
jpayne@69
|
3458 *
|
|
jpayne@69
|
3459 * The following flags are valid:
|
|
jpayne@69
|
3460 * @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name
|
|
jpayne@69
|
3461 * @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name
|
|
jpayne@69
|
3462 * @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise
|
|
jpayne@69
|
3463 * principal
|
|
jpayne@69
|
3464 * @li #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in @a name
|
|
jpayne@69
|
3465 *
|
|
jpayne@69
|
3466 * If @c KRB5_PRINCIPAL_PARSE_NO_REALM or @c KRB5_PRINCIPAL_PARSE_IGNORE_REALM
|
|
jpayne@69
|
3467 * is specified in @a flags, the realm of the new principal will be empty.
|
|
jpayne@69
|
3468 * Otherwise, the default realm for @a context will be used if @a name does not
|
|
jpayne@69
|
3469 * specify a realm.
|
|
jpayne@69
|
3470 *
|
|
jpayne@69
|
3471 * Use krb5_free_principal() to free @a principal_out when it is no longer
|
|
jpayne@69
|
3472 * needed.
|
|
jpayne@69
|
3473 *
|
|
jpayne@69
|
3474 * @retval
|
|
jpayne@69
|
3475 * 0 Success
|
|
jpayne@69
|
3476 * @return
|
|
jpayne@69
|
3477 * Kerberos error codes
|
|
jpayne@69
|
3478 */
|
|
jpayne@69
|
3479 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3480 krb5_parse_name_flags(krb5_context context, const char *name,
|
|
jpayne@69
|
3481 int flags, krb5_principal *principal_out);
|
|
jpayne@69
|
3482
|
|
jpayne@69
|
3483 /**
|
|
jpayne@69
|
3484 * Convert a krb5_principal structure to a string representation.
|
|
jpayne@69
|
3485 *
|
|
jpayne@69
|
3486 * @param [in] context Library context
|
|
jpayne@69
|
3487 * @param [in] principal Principal
|
|
jpayne@69
|
3488 * @param [out] name String representation of principal name
|
|
jpayne@69
|
3489 *
|
|
jpayne@69
|
3490 * The resulting string representation uses the format and quoting conventions
|
|
jpayne@69
|
3491 * described for krb5_parse_name().
|
|
jpayne@69
|
3492 *
|
|
jpayne@69
|
3493 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
|
|
jpayne@69
|
3494 *
|
|
jpayne@69
|
3495 * @retval
|
|
jpayne@69
|
3496 * 0 Success
|
|
jpayne@69
|
3497 * @return
|
|
jpayne@69
|
3498 * Kerberos error codes
|
|
jpayne@69
|
3499 */
|
|
jpayne@69
|
3500 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3501 krb5_unparse_name(krb5_context context, krb5_const_principal principal,
|
|
jpayne@69
|
3502 char **name);
|
|
jpayne@69
|
3503
|
|
jpayne@69
|
3504 /**
|
|
jpayne@69
|
3505 * Convert krb5_principal structure to string and length.
|
|
jpayne@69
|
3506 *
|
|
jpayne@69
|
3507 * @param [in] context Library context
|
|
jpayne@69
|
3508 * @param [in] principal Principal
|
|
jpayne@69
|
3509 * @param [in,out] name String representation of principal name
|
|
jpayne@69
|
3510 * @param [in,out] size Size of unparsed name
|
|
jpayne@69
|
3511 *
|
|
jpayne@69
|
3512 * This function is similar to krb5_unparse_name(), but allows the use of an
|
|
jpayne@69
|
3513 * existing buffer for the result. If size is not NULL, then @a name must
|
|
jpayne@69
|
3514 * point to either NULL or an existing buffer of at least the size pointed to
|
|
jpayne@69
|
3515 * by @a size. The buffer will be allocated or resized if necessary, with the
|
|
jpayne@69
|
3516 * new pointer stored into @a name. Whether or not the buffer is resized, the
|
|
jpayne@69
|
3517 * necessary space for the result, including null terminator, will be stored
|
|
jpayne@69
|
3518 * into @a size.
|
|
jpayne@69
|
3519 *
|
|
jpayne@69
|
3520 * If size is NULL, this function behaves exactly as krb5_unparse_name().
|
|
jpayne@69
|
3521 *
|
|
jpayne@69
|
3522 * @retval
|
|
jpayne@69
|
3523 * 0 Success
|
|
jpayne@69
|
3524 * @return
|
|
jpayne@69
|
3525 * Kerberos error codes. On failure @a name is set to NULL
|
|
jpayne@69
|
3526 */
|
|
jpayne@69
|
3527 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3528 krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
|
|
jpayne@69
|
3529 char **name, unsigned int *size);
|
|
jpayne@69
|
3530
|
|
jpayne@69
|
3531 #define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */
|
|
jpayne@69
|
3532 #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */
|
|
jpayne@69
|
3533 #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */
|
|
jpayne@69
|
3534
|
|
jpayne@69
|
3535 /**
|
|
jpayne@69
|
3536 * Convert krb5_principal structure to a string with flags.
|
|
jpayne@69
|
3537 *
|
|
jpayne@69
|
3538 * @param [in] context Library context
|
|
jpayne@69
|
3539 * @param [in] principal Principal
|
|
jpayne@69
|
3540 * @param [in] flags Flags
|
|
jpayne@69
|
3541 * @param [out] name String representation of principal name
|
|
jpayne@69
|
3542 *
|
|
jpayne@69
|
3543 * Similar to krb5_unparse_name(), this function converts a krb5_principal
|
|
jpayne@69
|
3544 * structure to a string representation.
|
|
jpayne@69
|
3545 *
|
|
jpayne@69
|
3546 * The following flags are valid:
|
|
jpayne@69
|
3547 * @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
|
|
jpayne@69
|
3548 * @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
|
|
jpayne@69
|
3549 * @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
|
|
jpayne@69
|
3550 *
|
|
jpayne@69
|
3551 * Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
|
|
jpayne@69
|
3552 *
|
|
jpayne@69
|
3553 * @retval
|
|
jpayne@69
|
3554 * 0 Success
|
|
jpayne@69
|
3555 * @return
|
|
jpayne@69
|
3556 * Kerberos error codes. On failure @a name is set to NULL
|
|
jpayne@69
|
3557 */
|
|
jpayne@69
|
3558 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3559 krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
|
|
jpayne@69
|
3560 int flags, char **name);
|
|
jpayne@69
|
3561
|
|
jpayne@69
|
3562 /**
|
|
jpayne@69
|
3563 * Convert krb5_principal structure to string format with flags.
|
|
jpayne@69
|
3564 *
|
|
jpayne@69
|
3565 * @param [in] context Library context
|
|
jpayne@69
|
3566 * @param [in] principal Principal
|
|
jpayne@69
|
3567 * @param [in] flags Flags
|
|
jpayne@69
|
3568 * @param [out] name Single string format of principal name
|
|
jpayne@69
|
3569 * @param [out] size Size of unparsed name buffer
|
|
jpayne@69
|
3570 *
|
|
jpayne@69
|
3571 * @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext()
|
|
jpayne@69
|
3572 *
|
|
jpayne@69
|
3573 * @retval
|
|
jpayne@69
|
3574 * 0 Success
|
|
jpayne@69
|
3575 * @return
|
|
jpayne@69
|
3576 * Kerberos error codes. On failure @a name is set to NULL
|
|
jpayne@69
|
3577 */
|
|
jpayne@69
|
3578 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3579 krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
|
|
jpayne@69
|
3580 int flags, char **name, unsigned int *size);
|
|
jpayne@69
|
3581
|
|
jpayne@69
|
3582 /**
|
|
jpayne@69
|
3583 * Set the realm field of a principal
|
|
jpayne@69
|
3584 *
|
|
jpayne@69
|
3585 * @param [in] context Library context
|
|
jpayne@69
|
3586 * @param [in] principal Principal name
|
|
jpayne@69
|
3587 * @param [in] realm Realm name
|
|
jpayne@69
|
3588 *
|
|
jpayne@69
|
3589 * Set the realm name part of @a principal to @a realm, overwriting the
|
|
jpayne@69
|
3590 * previous realm.
|
|
jpayne@69
|
3591 *
|
|
jpayne@69
|
3592 * @retval
|
|
jpayne@69
|
3593 * 0 Success
|
|
jpayne@69
|
3594 * @return
|
|
jpayne@69
|
3595 * Kerberos error codes
|
|
jpayne@69
|
3596 */
|
|
jpayne@69
|
3597 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3598 krb5_set_principal_realm(krb5_context context, krb5_principal principal,
|
|
jpayne@69
|
3599 const char *realm);
|
|
jpayne@69
|
3600
|
|
jpayne@69
|
3601 /**
|
|
jpayne@69
|
3602 * Search a list of addresses for a specified address.
|
|
jpayne@69
|
3603 *
|
|
jpayne@69
|
3604 * @param [in] context Library context
|
|
jpayne@69
|
3605 * @param [in] addr Address to search for
|
|
jpayne@69
|
3606 * @param [in] addrlist Address list to be searched (or NULL)
|
|
jpayne@69
|
3607 *
|
|
jpayne@69
|
3608 * @note If @a addrlist contains only a NetBIOS addresses, it will be treated
|
|
jpayne@69
|
3609 * as a null list.
|
|
jpayne@69
|
3610 *
|
|
jpayne@69
|
3611 * @return
|
|
jpayne@69
|
3612 * TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE
|
|
jpayne@69
|
3613 * otherwise
|
|
jpayne@69
|
3614 */
|
|
jpayne@69
|
3615 krb5_boolean KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
3616 krb5_address_search(krb5_context context, const krb5_address *addr,
|
|
jpayne@69
|
3617 krb5_address *const *addrlist);
|
|
jpayne@69
|
3618
|
|
jpayne@69
|
3619 /**
|
|
jpayne@69
|
3620 * Compare two Kerberos addresses.
|
|
jpayne@69
|
3621 *
|
|
jpayne@69
|
3622 * @param [in] context Library context
|
|
jpayne@69
|
3623 * @param [in] addr1 First address to be compared
|
|
jpayne@69
|
3624 * @param [in] addr2 Second address to be compared
|
|
jpayne@69
|
3625 *
|
|
jpayne@69
|
3626 * @return
|
|
jpayne@69
|
3627 * TRUE if the addresses are the same, FALSE otherwise
|
|
jpayne@69
|
3628 */
|
|
jpayne@69
|
3629 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3630 krb5_address_compare(krb5_context context, const krb5_address *addr1,
|
|
jpayne@69
|
3631 const krb5_address *addr2);
|
|
jpayne@69
|
3632
|
|
jpayne@69
|
3633 /**
|
|
jpayne@69
|
3634 * Return an ordering of the specified addresses.
|
|
jpayne@69
|
3635 *
|
|
jpayne@69
|
3636 * @param [in] context Library context
|
|
jpayne@69
|
3637 * @param [in] addr1 First address
|
|
jpayne@69
|
3638 * @param [in] addr2 Second address
|
|
jpayne@69
|
3639 *
|
|
jpayne@69
|
3640 * @retval 0 if The two addresses are the same
|
|
jpayne@69
|
3641 * @retval < 0 First address is less than second
|
|
jpayne@69
|
3642 * @retval > 0 First address is greater than second
|
|
jpayne@69
|
3643 */
|
|
jpayne@69
|
3644 int KRB5_CALLCONV
|
|
jpayne@69
|
3645 krb5_address_order(krb5_context context, const krb5_address *addr1,
|
|
jpayne@69
|
3646 const krb5_address *addr2);
|
|
jpayne@69
|
3647
|
|
jpayne@69
|
3648 /**
|
|
jpayne@69
|
3649 * Compare the realms of two principals.
|
|
jpayne@69
|
3650 *
|
|
jpayne@69
|
3651 * @param [in] context Library context
|
|
jpayne@69
|
3652 * @param [in] princ1 First principal
|
|
jpayne@69
|
3653 * @param [in] princ2 Second principal
|
|
jpayne@69
|
3654 *
|
|
jpayne@69
|
3655 * @retval
|
|
jpayne@69
|
3656 * TRUE if the realm names are the same; FALSE otherwise
|
|
jpayne@69
|
3657 */
|
|
jpayne@69
|
3658 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3659 krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
|
|
jpayne@69
|
3660 krb5_const_principal princ2);
|
|
jpayne@69
|
3661
|
|
jpayne@69
|
3662 /**
|
|
jpayne@69
|
3663 * Compare two principals.
|
|
jpayne@69
|
3664 *
|
|
jpayne@69
|
3665 * @param [in] context Library context
|
|
jpayne@69
|
3666 * @param [in] princ1 First principal
|
|
jpayne@69
|
3667 * @param [in] princ2 Second principal
|
|
jpayne@69
|
3668 *
|
|
jpayne@69
|
3669 * @retval
|
|
jpayne@69
|
3670 * TRUE if the principals are the same; FALSE otherwise
|
|
jpayne@69
|
3671 */
|
|
jpayne@69
|
3672 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3673 krb5_principal_compare(krb5_context context,
|
|
jpayne@69
|
3674 krb5_const_principal princ1,
|
|
jpayne@69
|
3675 krb5_const_principal princ2);
|
|
jpayne@69
|
3676
|
|
jpayne@69
|
3677 /**
|
|
jpayne@69
|
3678 * Compare two principals ignoring realm components.
|
|
jpayne@69
|
3679 *
|
|
jpayne@69
|
3680 * @param [in] context Library context
|
|
jpayne@69
|
3681 * @param [in] princ1 First principal
|
|
jpayne@69
|
3682 * @param [in] princ2 Second principal
|
|
jpayne@69
|
3683 *
|
|
jpayne@69
|
3684 * Similar to krb5_principal_compare(), but do not compare the realm
|
|
jpayne@69
|
3685 * components of the principals.
|
|
jpayne@69
|
3686 *
|
|
jpayne@69
|
3687 * @retval
|
|
jpayne@69
|
3688 * TRUE if the principals are the same; FALSE otherwise
|
|
jpayne@69
|
3689 */
|
|
jpayne@69
|
3690 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3691 krb5_principal_compare_any_realm(krb5_context context,
|
|
jpayne@69
|
3692 krb5_const_principal princ1,
|
|
jpayne@69
|
3693 krb5_const_principal princ2);
|
|
jpayne@69
|
3694
|
|
jpayne@69
|
3695 #define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */
|
|
jpayne@69
|
3696 #define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */
|
|
jpayne@69
|
3697 #define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */
|
|
jpayne@69
|
3698 #define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */
|
|
jpayne@69
|
3699
|
|
jpayne@69
|
3700 /**
|
|
jpayne@69
|
3701 * Compare two principals with additional flags.
|
|
jpayne@69
|
3702 *
|
|
jpayne@69
|
3703 * @param [in] context Library context
|
|
jpayne@69
|
3704 * @param [in] princ1 First principal
|
|
jpayne@69
|
3705 * @param [in] princ2 Second principal
|
|
jpayne@69
|
3706 * @param [in] flags Flags
|
|
jpayne@69
|
3707 *
|
|
jpayne@69
|
3708 * Valid flags are:
|
|
jpayne@69
|
3709 * @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
|
|
jpayne@69
|
3710 * @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
|
|
jpayne@69
|
3711 * @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
|
|
jpayne@69
|
3712 * @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
|
|
jpayne@69
|
3713 *
|
|
jpayne@69
|
3714 * @sa krb5_principal_compare()
|
|
jpayne@69
|
3715 *
|
|
jpayne@69
|
3716 * @retval
|
|
jpayne@69
|
3717 * TRUE if the principal names are the same; FALSE otherwise
|
|
jpayne@69
|
3718 */
|
|
jpayne@69
|
3719 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
3720 krb5_principal_compare_flags(krb5_context context,
|
|
jpayne@69
|
3721 krb5_const_principal princ1,
|
|
jpayne@69
|
3722 krb5_const_principal princ2,
|
|
jpayne@69
|
3723 int flags);
|
|
jpayne@69
|
3724
|
|
jpayne@69
|
3725 /**
|
|
jpayne@69
|
3726 * Initialize an empty @c krb5_keyblock.
|
|
jpayne@69
|
3727 *
|
|
jpayne@69
|
3728 * @param [in] context Library context
|
|
jpayne@69
|
3729 * @param [in] enctype Encryption type
|
|
jpayne@69
|
3730 * @param [in] length Length of keyblock (or 0)
|
|
jpayne@69
|
3731 * @param [out] out New keyblock structure
|
|
jpayne@69
|
3732 *
|
|
jpayne@69
|
3733 * Initialize a new keyblock and allocate storage for the contents of the key.
|
|
jpayne@69
|
3734 * It is legal to pass in a length of 0, in which case contents are left
|
|
jpayne@69
|
3735 * unallocated. Use krb5_free_keyblock() to free @a out when it is no longer
|
|
jpayne@69
|
3736 * needed.
|
|
jpayne@69
|
3737 *
|
|
jpayne@69
|
3738 * @note If @a length is set to 0, contents are left unallocated.
|
|
jpayne@69
|
3739 *
|
|
jpayne@69
|
3740 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3741 */
|
|
jpayne@69
|
3742 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3743 krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
|
|
jpayne@69
|
3744 size_t length, krb5_keyblock **out);
|
|
jpayne@69
|
3745
|
|
jpayne@69
|
3746 /**
|
|
jpayne@69
|
3747 * Copy a keyblock.
|
|
jpayne@69
|
3748 *
|
|
jpayne@69
|
3749 * @param [in] context Library context
|
|
jpayne@69
|
3750 * @param [in] from Keyblock to be copied
|
|
jpayne@69
|
3751 * @param [out] to Copy of keyblock @a from
|
|
jpayne@69
|
3752 *
|
|
jpayne@69
|
3753 * This function creates a new keyblock with the same contents as @a from. Use
|
|
jpayne@69
|
3754 * krb5_free_keyblock() to free @a to when it is no longer needed.
|
|
jpayne@69
|
3755 *
|
|
jpayne@69
|
3756 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3757 */
|
|
jpayne@69
|
3758 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3759 krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from,
|
|
jpayne@69
|
3760 krb5_keyblock **to);
|
|
jpayne@69
|
3761
|
|
jpayne@69
|
3762 /**
|
|
jpayne@69
|
3763 * Copy the contents of a keyblock.
|
|
jpayne@69
|
3764 *
|
|
jpayne@69
|
3765 * @param [in] context Library context
|
|
jpayne@69
|
3766 * @param [in] from Key to be copied
|
|
jpayne@69
|
3767 * @param [out] to Output key
|
|
jpayne@69
|
3768 *
|
|
jpayne@69
|
3769 * This function copies the contents of @a from to @a to. Use
|
|
jpayne@69
|
3770 * krb5_free_keyblock_contents() to free @a to when it is no longer needed.
|
|
jpayne@69
|
3771 *
|
|
jpayne@69
|
3772 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3773 */
|
|
jpayne@69
|
3774 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3775 krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from,
|
|
jpayne@69
|
3776 krb5_keyblock *to);
|
|
jpayne@69
|
3777
|
|
jpayne@69
|
3778 /**
|
|
jpayne@69
|
3779 * Copy a krb5_creds structure.
|
|
jpayne@69
|
3780 *
|
|
jpayne@69
|
3781 * @param [in] context Library context
|
|
jpayne@69
|
3782 * @param [in] incred Credentials structure to be copied
|
|
jpayne@69
|
3783 * @param [out] outcred Copy of @a incred
|
|
jpayne@69
|
3784 *
|
|
jpayne@69
|
3785 * This function creates a new credential with the contents of @a incred. Use
|
|
jpayne@69
|
3786 * krb5_free_creds() to free @a outcred when it is no longer needed.
|
|
jpayne@69
|
3787 *
|
|
jpayne@69
|
3788 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3789 */
|
|
jpayne@69
|
3790 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3791 krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred);
|
|
jpayne@69
|
3792
|
|
jpayne@69
|
3793 /**
|
|
jpayne@69
|
3794 * Copy a krb5_data object.
|
|
jpayne@69
|
3795 *
|
|
jpayne@69
|
3796 * @param [in] context Library context
|
|
jpayne@69
|
3797 * @param [in] indata Data object to be copied
|
|
jpayne@69
|
3798 * @param [out] outdata Copy of @a indata
|
|
jpayne@69
|
3799 *
|
|
jpayne@69
|
3800 * This function creates a new krb5_data object with the contents of @a indata.
|
|
jpayne@69
|
3801 * Use krb5_free_data() to free @a outdata when it is no longer needed.
|
|
jpayne@69
|
3802 *
|
|
jpayne@69
|
3803 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3804 */
|
|
jpayne@69
|
3805 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3806 krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata);
|
|
jpayne@69
|
3807
|
|
jpayne@69
|
3808 /**
|
|
jpayne@69
|
3809 * Copy a principal.
|
|
jpayne@69
|
3810 *
|
|
jpayne@69
|
3811 * @param [in] context Library context
|
|
jpayne@69
|
3812 * @param [in] inprinc Principal to be copied
|
|
jpayne@69
|
3813 * @param [out] outprinc Copy of @a inprinc
|
|
jpayne@69
|
3814 *
|
|
jpayne@69
|
3815 * This function creates a new principal structure with the contents of @a
|
|
jpayne@69
|
3816 * inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer
|
|
jpayne@69
|
3817 * needed.
|
|
jpayne@69
|
3818 *
|
|
jpayne@69
|
3819 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3820 */
|
|
jpayne@69
|
3821 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3822 krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
|
|
jpayne@69
|
3823 krb5_principal *outprinc);
|
|
jpayne@69
|
3824
|
|
jpayne@69
|
3825 /**
|
|
jpayne@69
|
3826 * Copy an array of addresses.
|
|
jpayne@69
|
3827 *
|
|
jpayne@69
|
3828 * @param [in] context Library context
|
|
jpayne@69
|
3829 * @param [in] inaddr Array of addresses to be copied
|
|
jpayne@69
|
3830 * @param [out] outaddr Copy of array of addresses
|
|
jpayne@69
|
3831 *
|
|
jpayne@69
|
3832 * This function creates a new address array containing a copy of @a inaddr.
|
|
jpayne@69
|
3833 * Use krb5_free_addresses() to free @a outaddr when it is no longer needed.
|
|
jpayne@69
|
3834 *
|
|
jpayne@69
|
3835 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3836 */
|
|
jpayne@69
|
3837 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3838 krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr,
|
|
jpayne@69
|
3839 krb5_address ***outaddr);
|
|
jpayne@69
|
3840
|
|
jpayne@69
|
3841 /**
|
|
jpayne@69
|
3842 * Copy a krb5_ticket structure.
|
|
jpayne@69
|
3843 *
|
|
jpayne@69
|
3844 * @param [in] context Library context
|
|
jpayne@69
|
3845 * @param [in] from Ticket to be copied
|
|
jpayne@69
|
3846 * @param [out] pto Copy of ticket
|
|
jpayne@69
|
3847 *
|
|
jpayne@69
|
3848 * This function creates a new krb5_ticket structure containing the contents of
|
|
jpayne@69
|
3849 * @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed.
|
|
jpayne@69
|
3850 *
|
|
jpayne@69
|
3851 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3852 */
|
|
jpayne@69
|
3853 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3854 krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto);
|
|
jpayne@69
|
3855
|
|
jpayne@69
|
3856 /**
|
|
jpayne@69
|
3857 * Copy an authorization data list.
|
|
jpayne@69
|
3858 *
|
|
jpayne@69
|
3859 * @param [in] context Library context
|
|
jpayne@69
|
3860 * @param [in] in_authdat List of @a krb5_authdata structures
|
|
jpayne@69
|
3861 * @param [out] out New array of @a krb5_authdata structures
|
|
jpayne@69
|
3862 *
|
|
jpayne@69
|
3863 * This function creates a new authorization data list containing a copy of @a
|
|
jpayne@69
|
3864 * in_authdat, which must be null-terminated. Use krb5_free_authdata() to free
|
|
jpayne@69
|
3865 * @a out when it is no longer needed.
|
|
jpayne@69
|
3866 *
|
|
jpayne@69
|
3867 * @note The last array entry in @a in_authdat must be a NULL pointer.
|
|
jpayne@69
|
3868 *
|
|
jpayne@69
|
3869 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3870 */
|
|
jpayne@69
|
3871 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3872 krb5_copy_authdata(krb5_context context,
|
|
jpayne@69
|
3873 krb5_authdata *const *in_authdat, krb5_authdata ***out);
|
|
jpayne@69
|
3874
|
|
jpayne@69
|
3875 /**
|
|
jpayne@69
|
3876 * Find authorization data elements.
|
|
jpayne@69
|
3877 *
|
|
jpayne@69
|
3878 * @param [in] context Library context
|
|
jpayne@69
|
3879 * @param [in] ticket_authdata Authorization data list from ticket
|
|
jpayne@69
|
3880 * @param [in] ap_req_authdata Authorization data list from AP request
|
|
jpayne@69
|
3881 * @param [in] ad_type Authorization data type to find
|
|
jpayne@69
|
3882 * @param [out] results List of matching entries
|
|
jpayne@69
|
3883 *
|
|
jpayne@69
|
3884 * This function searches @a ticket_authdata and @a ap_req_authdata for
|
|
jpayne@69
|
3885 * elements of type @a ad_type. Either input list may be NULL, in which case
|
|
jpayne@69
|
3886 * it will not be searched; otherwise, the input lists must be terminated by
|
|
jpayne@69
|
3887 * NULL entries. This function will search inside AD-IF-RELEVANT containers if
|
|
jpayne@69
|
3888 * found in either list. Use krb5_free_authdata() to free @a results when it
|
|
jpayne@69
|
3889 * is no longer needed.
|
|
jpayne@69
|
3890 *
|
|
jpayne@69
|
3891 * @version New in 1.10
|
|
jpayne@69
|
3892 */
|
|
jpayne@69
|
3893 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3894 krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata,
|
|
jpayne@69
|
3895 krb5_authdata *const *ap_req_authdata,
|
|
jpayne@69
|
3896 krb5_authdatatype ad_type, krb5_authdata ***results);
|
|
jpayne@69
|
3897
|
|
jpayne@69
|
3898 /**
|
|
jpayne@69
|
3899 * Merge two authorization data lists into a new list.
|
|
jpayne@69
|
3900 *
|
|
jpayne@69
|
3901 * @param [in] context Library context
|
|
jpayne@69
|
3902 * @param [in] inauthdat1 First list of @a krb5_authdata structures
|
|
jpayne@69
|
3903 * @param [in] inauthdat2 Second list of @a krb5_authdata structures
|
|
jpayne@69
|
3904 * @param [out] outauthdat Merged list of @a krb5_authdata structures
|
|
jpayne@69
|
3905 *
|
|
jpayne@69
|
3906 * Merge two authdata arrays, such as the array from a ticket
|
|
jpayne@69
|
3907 * and authenticator.
|
|
jpayne@69
|
3908 * Use krb5_free_authdata() to free @a outauthdat when it is no longer needed.
|
|
jpayne@69
|
3909 *
|
|
jpayne@69
|
3910 * @note The last array entry in @a inauthdat1 and @a inauthdat2
|
|
jpayne@69
|
3911 * must be a NULL pointer.
|
|
jpayne@69
|
3912 *
|
|
jpayne@69
|
3913 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3914 */
|
|
jpayne@69
|
3915 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3916 krb5_merge_authdata(krb5_context context,
|
|
jpayne@69
|
3917 krb5_authdata *const *inauthdat1,
|
|
jpayne@69
|
3918 krb5_authdata * const *inauthdat2,
|
|
jpayne@69
|
3919 krb5_authdata ***outauthdat);
|
|
jpayne@69
|
3920
|
|
jpayne@69
|
3921 /**
|
|
jpayne@69
|
3922 * Copy a krb5_authenticator structure.
|
|
jpayne@69
|
3923 *
|
|
jpayne@69
|
3924 * @param [in] context Library context
|
|
jpayne@69
|
3925 * @param [in] authfrom krb5_authenticator structure to be copied
|
|
jpayne@69
|
3926 * @param [out] authto Copy of krb5_authenticator structure
|
|
jpayne@69
|
3927 *
|
|
jpayne@69
|
3928 * This function creates a new krb5_authenticator structure with the content of
|
|
jpayne@69
|
3929 * @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no
|
|
jpayne@69
|
3930 * longer needed.
|
|
jpayne@69
|
3931 *
|
|
jpayne@69
|
3932 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3933 */
|
|
jpayne@69
|
3934 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3935 krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom,
|
|
jpayne@69
|
3936 krb5_authenticator **authto);
|
|
jpayne@69
|
3937
|
|
jpayne@69
|
3938 /**
|
|
jpayne@69
|
3939 * Copy a krb5_checksum structure.
|
|
jpayne@69
|
3940 *
|
|
jpayne@69
|
3941 * @param [in] context Library context
|
|
jpayne@69
|
3942 * @param [in] ckfrom Checksum to be copied
|
|
jpayne@69
|
3943 * @param [out] ckto Copy of krb5_checksum structure
|
|
jpayne@69
|
3944 *
|
|
jpayne@69
|
3945 * This function creates a new krb5_checksum structure with the contents of @a
|
|
jpayne@69
|
3946 * ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer
|
|
jpayne@69
|
3947 * needed.
|
|
jpayne@69
|
3948 *
|
|
jpayne@69
|
3949 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3950 */
|
|
jpayne@69
|
3951 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3952 krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom,
|
|
jpayne@69
|
3953 krb5_checksum **ckto);
|
|
jpayne@69
|
3954
|
|
jpayne@69
|
3955 /**
|
|
jpayne@69
|
3956 * Generate a replay cache object for server use and open it.
|
|
jpayne@69
|
3957 *
|
|
jpayne@69
|
3958 * @param [in] context Library context
|
|
jpayne@69
|
3959 * @param [in] piece Unused (replay cache identifier)
|
|
jpayne@69
|
3960 * @param [out] rcptr Handle to an open rcache
|
|
jpayne@69
|
3961 *
|
|
jpayne@69
|
3962 * This function creates a handle to the default replay cache. Use
|
|
jpayne@69
|
3963 * krb5_rc_close() to close @a rcptr when it is no longer needed.
|
|
jpayne@69
|
3964 *
|
|
jpayne@69
|
3965 * @version Prior to release 1.18, this function creates a handle to a
|
|
jpayne@69
|
3966 * different replay cache for each unique value of @a piece.
|
|
jpayne@69
|
3967 *
|
|
jpayne@69
|
3968 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
3969 */
|
|
jpayne@69
|
3970 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
3971 krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
|
|
jpayne@69
|
3972 krb5_rcache *rcptr);
|
|
jpayne@69
|
3973
|
|
jpayne@69
|
3974 /**
|
|
jpayne@69
|
3975 * Build a principal name using length-counted strings.
|
|
jpayne@69
|
3976 *
|
|
jpayne@69
|
3977 * @param [in] context Library context
|
|
jpayne@69
|
3978 * @param [out] princ Principal name
|
|
jpayne@69
|
3979 * @param [in] rlen Realm name length
|
|
jpayne@69
|
3980 * @param [in] realm Realm name
|
|
jpayne@69
|
3981 * @param [in] ... List of unsigned int/char * components, followed by 0
|
|
jpayne@69
|
3982 *
|
|
jpayne@69
|
3983 * This function creates a principal from a length-counted string and a
|
|
jpayne@69
|
3984 * variable-length list of length-counted components. The list of components
|
|
jpayne@69
|
3985 * ends with the first 0 length argument (so it is not possible to specify an
|
|
jpayne@69
|
3986 * empty component with this function). Call krb5_free_principal() to free
|
|
jpayne@69
|
3987 * allocated memory for principal when it is no longer needed.
|
|
jpayne@69
|
3988 *
|
|
jpayne@69
|
3989 * Beginning with release 1.20, the name type of the principal will be inferred
|
|
jpayne@69
|
3990 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name.
|
|
jpayne@69
|
3991 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred.
|
|
jpayne@69
|
3992 *
|
|
jpayne@69
|
3993 * @code
|
|
jpayne@69
|
3994 * Example of how to build principal WELLKNOWN/ANONYMOUS@R
|
|
jpayne@69
|
3995 * krb5_build_principal_ext(context, &principal, strlen("R"), "R",
|
|
jpayne@69
|
3996 * (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR),
|
|
jpayne@69
|
3997 * KRB5_WELLKNOWN_NAMESTR,
|
|
jpayne@69
|
3998 * (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR),
|
|
jpayne@69
|
3999 * KRB5_ANONYMOUS_PRINCSTR, 0);
|
|
jpayne@69
|
4000 * @endcode
|
|
jpayne@69
|
4001 *
|
|
jpayne@69
|
4002 * @retval
|
|
jpayne@69
|
4003 * 0 Success
|
|
jpayne@69
|
4004 * @return
|
|
jpayne@69
|
4005 * Kerberos error codes
|
|
jpayne@69
|
4006 */
|
|
jpayne@69
|
4007 krb5_error_code KRB5_CALLCONV_C
|
|
jpayne@69
|
4008 krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
|
|
jpayne@69
|
4009 unsigned int rlen, const char * realm, ...);
|
|
jpayne@69
|
4010
|
|
jpayne@69
|
4011 /**
|
|
jpayne@69
|
4012 * Build a principal name using null-terminated strings.
|
|
jpayne@69
|
4013 *
|
|
jpayne@69
|
4014 * @param [in] context Library context
|
|
jpayne@69
|
4015 * @param [out] princ Principal name
|
|
jpayne@69
|
4016 * @param [in] rlen Realm name length
|
|
jpayne@69
|
4017 * @param [in] realm Realm name
|
|
jpayne@69
|
4018 * @param [in] ... List of char * components, ending with NULL
|
|
jpayne@69
|
4019 *
|
|
jpayne@69
|
4020 * Call krb5_free_principal() to free @a princ when it is no longer needed.
|
|
jpayne@69
|
4021 *
|
|
jpayne@69
|
4022 * Beginning with release 1.20, the name type of the principal will be inferred
|
|
jpayne@69
|
4023 * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name.
|
|
jpayne@69
|
4024 * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred.
|
|
jpayne@69
|
4025 *
|
|
jpayne@69
|
4026 * @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the
|
|
jpayne@69
|
4027 * same task. krb5_build_principal() takes variadic arguments.
|
|
jpayne@69
|
4028 * krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer.
|
|
jpayne@69
|
4029 *
|
|
jpayne@69
|
4030 * @code
|
|
jpayne@69
|
4031 * Example of how to build principal H/S@R
|
|
jpayne@69
|
4032 * krb5_build_principal(context, &principal,
|
|
jpayne@69
|
4033 * strlen("R"), "R", "H", "S", (char*)NULL);
|
|
jpayne@69
|
4034 * @endcode
|
|
jpayne@69
|
4035 *
|
|
jpayne@69
|
4036 * @retval
|
|
jpayne@69
|
4037 * 0 Success
|
|
jpayne@69
|
4038 * @return
|
|
jpayne@69
|
4039 * Kerberos error codes
|
|
jpayne@69
|
4040 */
|
|
jpayne@69
|
4041 krb5_error_code KRB5_CALLCONV_C
|
|
jpayne@69
|
4042 krb5_build_principal(krb5_context context,
|
|
jpayne@69
|
4043 krb5_principal * princ,
|
|
jpayne@69
|
4044 unsigned int rlen,
|
|
jpayne@69
|
4045 const char * realm, ...)
|
|
jpayne@69
|
4046 #if __GNUC__ >= 4
|
|
jpayne@69
|
4047 __attribute__ ((sentinel))
|
|
jpayne@69
|
4048 #endif
|
|
jpayne@69
|
4049 ;
|
|
jpayne@69
|
4050 #if KRB5_DEPRECATED
|
|
jpayne@69
|
4051 /** @deprecated Replaced by krb5_build_principal_alloc_va(). */
|
|
jpayne@69
|
4052 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4053 krb5_build_principal_va(krb5_context context,
|
|
jpayne@69
|
4054 krb5_principal princ,
|
|
jpayne@69
|
4055 unsigned int rlen,
|
|
jpayne@69
|
4056 const char *realm,
|
|
jpayne@69
|
4057 va_list ap);
|
|
jpayne@69
|
4058 #endif
|
|
jpayne@69
|
4059
|
|
jpayne@69
|
4060 /**
|
|
jpayne@69
|
4061 * Build a principal name, using a precomputed variable argument list
|
|
jpayne@69
|
4062 *
|
|
jpayne@69
|
4063 * @param [in] context Library context
|
|
jpayne@69
|
4064 * @param [out] princ Principal structure
|
|
jpayne@69
|
4065 * @param [in] rlen Realm name length
|
|
jpayne@69
|
4066 * @param [in] realm Realm name
|
|
jpayne@69
|
4067 * @param [in] ap List of char * components, ending with NULL
|
|
jpayne@69
|
4068 *
|
|
jpayne@69
|
4069 * Similar to krb5_build_principal(), this function builds a principal name,
|
|
jpayne@69
|
4070 * but its name components are specified as a va_list.
|
|
jpayne@69
|
4071 *
|
|
jpayne@69
|
4072 * Use krb5_free_principal() to deallocate @a princ when it is no longer
|
|
jpayne@69
|
4073 * needed.
|
|
jpayne@69
|
4074 *
|
|
jpayne@69
|
4075 * @code
|
|
jpayne@69
|
4076 * Function usage example:
|
|
jpayne@69
|
4077 * va_list ap;
|
|
jpayne@69
|
4078 * va_start(ap, realm);
|
|
jpayne@69
|
4079 * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
|
|
jpayne@69
|
4080 * va_end(ap);
|
|
jpayne@69
|
4081 * @endcode
|
|
jpayne@69
|
4082 *
|
|
jpayne@69
|
4083 * @retval
|
|
jpayne@69
|
4084 * 0 Success
|
|
jpayne@69
|
4085 * @return
|
|
jpayne@69
|
4086 * Kerberos error codes
|
|
jpayne@69
|
4087 */
|
|
jpayne@69
|
4088 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4089 krb5_build_principal_alloc_va(krb5_context context,
|
|
jpayne@69
|
4090 krb5_principal *princ,
|
|
jpayne@69
|
4091 unsigned int rlen,
|
|
jpayne@69
|
4092 const char *realm,
|
|
jpayne@69
|
4093 va_list ap);
|
|
jpayne@69
|
4094
|
|
jpayne@69
|
4095 /**
|
|
jpayne@69
|
4096 * Convert a Kerberos V4 principal to a Kerberos V5 principal.
|
|
jpayne@69
|
4097 *
|
|
jpayne@69
|
4098 * @param [in] context Library context
|
|
jpayne@69
|
4099 * @param [in] name V4 name
|
|
jpayne@69
|
4100 * @param [in] instance V4 instance
|
|
jpayne@69
|
4101 * @param [in] realm Realm
|
|
jpayne@69
|
4102 * @param [out] princ V5 principal
|
|
jpayne@69
|
4103 *
|
|
jpayne@69
|
4104 * This function builds a @a princ from V4 specification based on given input
|
|
jpayne@69
|
4105 * @a name.instance\@realm.
|
|
jpayne@69
|
4106 *
|
|
jpayne@69
|
4107 * Use krb5_free_principal() to free @a princ when it is no longer needed.
|
|
jpayne@69
|
4108 *
|
|
jpayne@69
|
4109 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
4110 */
|
|
jpayne@69
|
4111 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4112 krb5_425_conv_principal(krb5_context context, const char *name,
|
|
jpayne@69
|
4113 const char *instance, const char *realm,
|
|
jpayne@69
|
4114 krb5_principal *princ);
|
|
jpayne@69
|
4115
|
|
jpayne@69
|
4116 /**
|
|
jpayne@69
|
4117 * Convert a Kerberos V5 principal to a Kerberos V4 principal.
|
|
jpayne@69
|
4118 *
|
|
jpayne@69
|
4119 * @param [in] context Library context
|
|
jpayne@69
|
4120 * @param [in] princ V5 Principal
|
|
jpayne@69
|
4121 * @param [out] name V4 principal's name to be filled in
|
|
jpayne@69
|
4122 * @param [out] inst V4 principal's instance name to be filled in
|
|
jpayne@69
|
4123 * @param [out] realm Principal's realm name to be filled in
|
|
jpayne@69
|
4124 *
|
|
jpayne@69
|
4125 * This function separates a V5 principal @a princ into @a name, @a instance,
|
|
jpayne@69
|
4126 * and @a realm.
|
|
jpayne@69
|
4127 *
|
|
jpayne@69
|
4128 * @retval
|
|
jpayne@69
|
4129 * 0 Success
|
|
jpayne@69
|
4130 * @retval
|
|
jpayne@69
|
4131 * KRB5_INVALID_PRINCIPAL Invalid principal name
|
|
jpayne@69
|
4132 * @retval
|
|
jpayne@69
|
4133 * KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file
|
|
jpayne@69
|
4134 * @return
|
|
jpayne@69
|
4135 * Kerberos error codes
|
|
jpayne@69
|
4136 */
|
|
jpayne@69
|
4137 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4138 krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
|
|
jpayne@69
|
4139 char *name, char *inst, char *realm);
|
|
jpayne@69
|
4140 /**
|
|
jpayne@69
|
4141 *@deprecated
|
|
jpayne@69
|
4142 */
|
|
jpayne@69
|
4143 struct credentials;
|
|
jpayne@69
|
4144
|
|
jpayne@69
|
4145 /**
|
|
jpayne@69
|
4146 * Convert a Kerberos V5 credentials to a Kerberos V4 credentials
|
|
jpayne@69
|
4147 *
|
|
jpayne@69
|
4148 * @note Not implemented
|
|
jpayne@69
|
4149 *
|
|
jpayne@69
|
4150 * @retval KRB524_KRB4_DISABLED (always)
|
|
jpayne@69
|
4151 */
|
|
jpayne@69
|
4152 int KRB5_CALLCONV
|
|
jpayne@69
|
4153 krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
|
|
jpayne@69
|
4154 struct credentials *v4creds);
|
|
jpayne@69
|
4155
|
|
jpayne@69
|
4156 #if KRB5_DEPRECATED
|
|
jpayne@69
|
4157 #define krb524_convert_creds_kdc krb5_524_convert_creds
|
|
jpayne@69
|
4158 #define krb524_init_ets(x) (0)
|
|
jpayne@69
|
4159 #endif
|
|
jpayne@69
|
4160
|
|
jpayne@69
|
4161 /* libkt.spec */
|
|
jpayne@69
|
4162
|
|
jpayne@69
|
4163 /**
|
|
jpayne@69
|
4164 * Get a handle for a key table.
|
|
jpayne@69
|
4165 *
|
|
jpayne@69
|
4166 * @param [in] context Library context
|
|
jpayne@69
|
4167 * @param [in] name Name of the key table
|
|
jpayne@69
|
4168 * @param [out] ktid Key table handle
|
|
jpayne@69
|
4169 *
|
|
jpayne@69
|
4170 * Resolve the key table name @a name and set @a ktid to a handle identifying
|
|
jpayne@69
|
4171 * the key table. Use krb5_kt_close() to free @a ktid when it is no longer
|
|
jpayne@69
|
4172 * needed.
|
|
jpayne@69
|
4173 *
|
|
jpayne@69
|
4174 * @a name must be of the form @c type:residual, where @a type must be a type
|
|
jpayne@69
|
4175 * known to the library and @a residual portion should be specific to the
|
|
jpayne@69
|
4176 * particular keytab type. If no @a type is given, the default is @c FILE.
|
|
jpayne@69
|
4177 *
|
|
jpayne@69
|
4178 * If @a name is of type @c FILE, the keytab file is not opened by this call.
|
|
jpayne@69
|
4179 *
|
|
jpayne@69
|
4180 * @code
|
|
jpayne@69
|
4181 * Example: krb5_kt_resolve(context, "FILE:/tmp/filename", &ktid);
|
|
jpayne@69
|
4182 * @endcode
|
|
jpayne@69
|
4183 *
|
|
jpayne@69
|
4184 * @retval
|
|
jpayne@69
|
4185 * 0 Success
|
|
jpayne@69
|
4186 * @return
|
|
jpayne@69
|
4187 * Kerberos error codes
|
|
jpayne@69
|
4188 */
|
|
jpayne@69
|
4189 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4190 krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid);
|
|
jpayne@69
|
4191
|
|
jpayne@69
|
4192 /**
|
|
jpayne@69
|
4193 * Duplicate keytab handle.
|
|
jpayne@69
|
4194 *
|
|
jpayne@69
|
4195 * @param [in] context Library context
|
|
jpayne@69
|
4196 * @param [in] in Key table handle to be duplicated
|
|
jpayne@69
|
4197 * @param [out] out Key table handle
|
|
jpayne@69
|
4198 *
|
|
jpayne@69
|
4199 * Create a new handle referring to the same key table as @a in. The new
|
|
jpayne@69
|
4200 * handle and @a in can be closed independently.
|
|
jpayne@69
|
4201 *
|
|
jpayne@69
|
4202 * @version New in 1.12
|
|
jpayne@69
|
4203 */
|
|
jpayne@69
|
4204 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4205 krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out);
|
|
jpayne@69
|
4206
|
|
jpayne@69
|
4207 /**
|
|
jpayne@69
|
4208 * Get the default key table name.
|
|
jpayne@69
|
4209 *
|
|
jpayne@69
|
4210 * @param [in] context Library context
|
|
jpayne@69
|
4211 * @param [out] name Default key table name
|
|
jpayne@69
|
4212 * @param [in] name_size Space available in @a name
|
|
jpayne@69
|
4213 *
|
|
jpayne@69
|
4214 * Fill @a name with the name of the default key table for @a context.
|
|
jpayne@69
|
4215 *
|
|
jpayne@69
|
4216 * @sa MAX_KEYTAB_NAME_LEN
|
|
jpayne@69
|
4217 *
|
|
jpayne@69
|
4218 * @retval
|
|
jpayne@69
|
4219 * 0 Success
|
|
jpayne@69
|
4220 * @retval
|
|
jpayne@69
|
4221 * KRB5_CONFIG_NOTENUFSPACE Buffer is too short
|
|
jpayne@69
|
4222 * @return
|
|
jpayne@69
|
4223 * Kerberos error codes
|
|
jpayne@69
|
4224 */
|
|
jpayne@69
|
4225 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4226 krb5_kt_default_name(krb5_context context, char *name, int name_size);
|
|
jpayne@69
|
4227
|
|
jpayne@69
|
4228 /**
|
|
jpayne@69
|
4229 * Resolve the default key table.
|
|
jpayne@69
|
4230 *
|
|
jpayne@69
|
4231 * @param [in] context Library context
|
|
jpayne@69
|
4232 * @param [out] id Key table handle
|
|
jpayne@69
|
4233 *
|
|
jpayne@69
|
4234 * Set @a id to a handle to the default key table. The key table is not
|
|
jpayne@69
|
4235 * opened.
|
|
jpayne@69
|
4236 *
|
|
jpayne@69
|
4237 * @retval
|
|
jpayne@69
|
4238 * 0 Success
|
|
jpayne@69
|
4239 * @return
|
|
jpayne@69
|
4240 * Kerberos error codes
|
|
jpayne@69
|
4241 */
|
|
jpayne@69
|
4242 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4243 krb5_kt_default(krb5_context context, krb5_keytab *id);
|
|
jpayne@69
|
4244
|
|
jpayne@69
|
4245 /**
|
|
jpayne@69
|
4246 * Resolve the default client key table.
|
|
jpayne@69
|
4247 *
|
|
jpayne@69
|
4248 * @param [in] context Library context
|
|
jpayne@69
|
4249 * @param [out] keytab_out Key table handle
|
|
jpayne@69
|
4250 *
|
|
jpayne@69
|
4251 * Fill @a keytab_out with a handle to the default client key table.
|
|
jpayne@69
|
4252 *
|
|
jpayne@69
|
4253 * @version New in 1.11
|
|
jpayne@69
|
4254 *
|
|
jpayne@69
|
4255 * @retval
|
|
jpayne@69
|
4256 * 0 Success
|
|
jpayne@69
|
4257 * @return
|
|
jpayne@69
|
4258 * Kerberos error codes
|
|
jpayne@69
|
4259 */
|
|
jpayne@69
|
4260 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4261 krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out);
|
|
jpayne@69
|
4262
|
|
jpayne@69
|
4263 /**
|
|
jpayne@69
|
4264 * Free the contents of a key table entry.
|
|
jpayne@69
|
4265 *
|
|
jpayne@69
|
4266 * @param [in] context Library context
|
|
jpayne@69
|
4267 * @param [in] entry Key table entry whose contents are to be freed
|
|
jpayne@69
|
4268 *
|
|
jpayne@69
|
4269 * @note The pointer is not freed.
|
|
jpayne@69
|
4270 *
|
|
jpayne@69
|
4271 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
4272 */
|
|
jpayne@69
|
4273 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4274 krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry);
|
|
jpayne@69
|
4275
|
|
jpayne@69
|
4276 /** @deprecated Use krb5_free_keytab_entry_contents instead. */
|
|
jpayne@69
|
4277 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4278 krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry);
|
|
jpayne@69
|
4279
|
|
jpayne@69
|
4280
|
|
jpayne@69
|
4281 /* remove and add are functions, so that they can return NOWRITE
|
|
jpayne@69
|
4282 if not a writable keytab */
|
|
jpayne@69
|
4283
|
|
jpayne@69
|
4284 /**
|
|
jpayne@69
|
4285 * Remove an entry from a key table.
|
|
jpayne@69
|
4286 *
|
|
jpayne@69
|
4287 * @param [in] context Library context
|
|
jpayne@69
|
4288 * @param [in] id Key table handle
|
|
jpayne@69
|
4289 * @param [in] entry Entry to remove from key table
|
|
jpayne@69
|
4290 *
|
|
jpayne@69
|
4291 * @retval
|
|
jpayne@69
|
4292 * 0 Success
|
|
jpayne@69
|
4293 * @retval
|
|
jpayne@69
|
4294 * KRB5_KT_NOWRITE Key table is not writable
|
|
jpayne@69
|
4295 * @return
|
|
jpayne@69
|
4296 * Kerberos error codes
|
|
jpayne@69
|
4297 */
|
|
jpayne@69
|
4298 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4299 krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
|
|
jpayne@69
|
4300
|
|
jpayne@69
|
4301 /**
|
|
jpayne@69
|
4302 * Add a new entry to a key table.
|
|
jpayne@69
|
4303 *
|
|
jpayne@69
|
4304 * @param [in] context Library context
|
|
jpayne@69
|
4305 * @param [in] id Key table handle
|
|
jpayne@69
|
4306 * @param [in] entry Entry to be added
|
|
jpayne@69
|
4307 *
|
|
jpayne@69
|
4308 * @retval
|
|
jpayne@69
|
4309 * 0 Success
|
|
jpayne@69
|
4310 * @retval
|
|
jpayne@69
|
4311 * ENOMEM Insufficient memory
|
|
jpayne@69
|
4312 * @retval
|
|
jpayne@69
|
4313 * KRB5_KT_NOWRITE Key table is not writeable
|
|
jpayne@69
|
4314 * @return
|
|
jpayne@69
|
4315 * Kerberos error codes
|
|
jpayne@69
|
4316 */
|
|
jpayne@69
|
4317 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4318 krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
|
|
jpayne@69
|
4319
|
|
jpayne@69
|
4320 /**
|
|
jpayne@69
|
4321 * Convert a principal name into the default salt for that principal.
|
|
jpayne@69
|
4322 *
|
|
jpayne@69
|
4323 * @param [in] context Library context
|
|
jpayne@69
|
4324 * @param [in] pr Principal name
|
|
jpayne@69
|
4325 * @param [out] ret Default salt for @a pr to be filled in
|
|
jpayne@69
|
4326 *
|
|
jpayne@69
|
4327 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
4328 */
|
|
jpayne@69
|
4329 krb5_error_code KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
4330 krb5_principal2salt(krb5_context context,
|
|
jpayne@69
|
4331 krb5_const_principal pr, krb5_data *ret);
|
|
jpayne@69
|
4332 /* librc.spec--see rcache.h */
|
|
jpayne@69
|
4333
|
|
jpayne@69
|
4334 /* libcc.spec */
|
|
jpayne@69
|
4335
|
|
jpayne@69
|
4336 /**
|
|
jpayne@69
|
4337 * Resolve a credential cache name.
|
|
jpayne@69
|
4338 *
|
|
jpayne@69
|
4339 * @param [in] context Library context
|
|
jpayne@69
|
4340 * @param [in] name Credential cache name to be resolved
|
|
jpayne@69
|
4341 * @param [out] cache Credential cache handle
|
|
jpayne@69
|
4342 *
|
|
jpayne@69
|
4343 * Fills in @a cache with a @a cache handle that corresponds to the name in @a
|
|
jpayne@69
|
4344 * name. @a name should be of the form @c type:residual, and @a type must be a
|
|
jpayne@69
|
4345 * type known to the library. If the @a name does not contain a colon,
|
|
jpayne@69
|
4346 * interpret it as a file name.
|
|
jpayne@69
|
4347 *
|
|
jpayne@69
|
4348 * @code
|
|
jpayne@69
|
4349 * Example: krb5_cc_resolve(context, "MEMORY:C_", &cache);
|
|
jpayne@69
|
4350 * @endcode
|
|
jpayne@69
|
4351 *
|
|
jpayne@69
|
4352 * @retval
|
|
jpayne@69
|
4353 * 0 Success
|
|
jpayne@69
|
4354 * @return
|
|
jpayne@69
|
4355 * Kerberos error codes
|
|
jpayne@69
|
4356 */
|
|
jpayne@69
|
4357 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4358 krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache);
|
|
jpayne@69
|
4359
|
|
jpayne@69
|
4360 /**
|
|
jpayne@69
|
4361 * Duplicate ccache handle.
|
|
jpayne@69
|
4362 *
|
|
jpayne@69
|
4363 * @param [in] context Library context
|
|
jpayne@69
|
4364 * @param [in] in Credential cache handle to be duplicated
|
|
jpayne@69
|
4365 * @param [out] out Credential cache handle
|
|
jpayne@69
|
4366 *
|
|
jpayne@69
|
4367 * Create a new handle referring to the same cache as @a in.
|
|
jpayne@69
|
4368 * The new handle and @a in can be closed independently.
|
|
jpayne@69
|
4369 */
|
|
jpayne@69
|
4370 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4371 krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out);
|
|
jpayne@69
|
4372
|
|
jpayne@69
|
4373 /**
|
|
jpayne@69
|
4374 * Return the name of the default credential cache.
|
|
jpayne@69
|
4375 *
|
|
jpayne@69
|
4376 * @param [in] context Library context
|
|
jpayne@69
|
4377 *
|
|
jpayne@69
|
4378 * Return a pointer to the default credential cache name for @a context, as
|
|
jpayne@69
|
4379 * determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME
|
|
jpayne@69
|
4380 * environment variable, by the default_ccache_name profile variable, or by the
|
|
jpayne@69
|
4381 * operating system or build-time default value. The returned value must not
|
|
jpayne@69
|
4382 * be modified or freed by the caller. The returned value becomes invalid when
|
|
jpayne@69
|
4383 * @a context is destroyed krb5_free_context() or if a subsequent call to
|
|
jpayne@69
|
4384 * krb5_cc_set_default_name() is made on @a context.
|
|
jpayne@69
|
4385 *
|
|
jpayne@69
|
4386 * The default credential cache name is cached in @a context between calls to
|
|
jpayne@69
|
4387 * this function, so if the value of KRB5CCNAME changes in the process
|
|
jpayne@69
|
4388 * environment after the first call to this function on, that change will not
|
|
jpayne@69
|
4389 * be reflected in later calls with the same context. The caller can invoke
|
|
jpayne@69
|
4390 * krb5_cc_set_default_name() with a NULL value of @a name to clear the cached
|
|
jpayne@69
|
4391 * value and force the default name to be recomputed.
|
|
jpayne@69
|
4392 *
|
|
jpayne@69
|
4393 * @return
|
|
jpayne@69
|
4394 * Name of default credential cache for the current user.
|
|
jpayne@69
|
4395 */
|
|
jpayne@69
|
4396 const char *KRB5_CALLCONV
|
|
jpayne@69
|
4397 krb5_cc_default_name(krb5_context context);
|
|
jpayne@69
|
4398
|
|
jpayne@69
|
4399 /**
|
|
jpayne@69
|
4400 * Set the default credential cache name.
|
|
jpayne@69
|
4401 *
|
|
jpayne@69
|
4402 * @param [in] context Library context
|
|
jpayne@69
|
4403 * @param [in] name Default credential cache name or NULL
|
|
jpayne@69
|
4404 *
|
|
jpayne@69
|
4405 * Set the default credential cache name to @a name for future operations using
|
|
jpayne@69
|
4406 * @a context. If @a name is NULL, clear any previous application-set default
|
|
jpayne@69
|
4407 * name and forget any cached value of the default name for @a context.
|
|
jpayne@69
|
4408 *
|
|
jpayne@69
|
4409 * Calls to this function invalidate the result of any previous calls to
|
|
jpayne@69
|
4410 * krb5_cc_default_name() using @a context.
|
|
jpayne@69
|
4411 *
|
|
jpayne@69
|
4412 * @retval
|
|
jpayne@69
|
4413 * 0 Success
|
|
jpayne@69
|
4414 * @retval
|
|
jpayne@69
|
4415 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure
|
|
jpayne@69
|
4416 * @return
|
|
jpayne@69
|
4417 * Kerberos error codes
|
|
jpayne@69
|
4418 */
|
|
jpayne@69
|
4419 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4420 krb5_cc_set_default_name(krb5_context context, const char *name);
|
|
jpayne@69
|
4421
|
|
jpayne@69
|
4422 /**
|
|
jpayne@69
|
4423 * Resolve the default credential cache name.
|
|
jpayne@69
|
4424 *
|
|
jpayne@69
|
4425 * @param [in] context Library context
|
|
jpayne@69
|
4426 * @param [out] ccache Pointer to credential cache name
|
|
jpayne@69
|
4427 *
|
|
jpayne@69
|
4428 * Create a handle to the default credential cache as given by
|
|
jpayne@69
|
4429 * krb5_cc_default_name().
|
|
jpayne@69
|
4430 *
|
|
jpayne@69
|
4431 * @retval
|
|
jpayne@69
|
4432 * 0 Success
|
|
jpayne@69
|
4433 * @retval
|
|
jpayne@69
|
4434 * KV5M_CONTEXT Bad magic number for @c _krb5_context structure
|
|
jpayne@69
|
4435 * @retval
|
|
jpayne@69
|
4436 * KRB5_FCC_INTERNAL The name of the default credential cache cannot be
|
|
jpayne@69
|
4437 * obtained
|
|
jpayne@69
|
4438 * @return
|
|
jpayne@69
|
4439 * Kerberos error codes
|
|
jpayne@69
|
4440 */
|
|
jpayne@69
|
4441 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4442 krb5_cc_default(krb5_context context, krb5_ccache *ccache);
|
|
jpayne@69
|
4443
|
|
jpayne@69
|
4444 /**
|
|
jpayne@69
|
4445 * Copy a credential cache.
|
|
jpayne@69
|
4446 *
|
|
jpayne@69
|
4447 * @param [in] context Library context
|
|
jpayne@69
|
4448 * @param [in] incc Credential cache to be copied
|
|
jpayne@69
|
4449 * @param [out] outcc Copy of credential cache to be filled in
|
|
jpayne@69
|
4450 *
|
|
jpayne@69
|
4451 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
4452 */
|
|
jpayne@69
|
4453 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4454 krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc);
|
|
jpayne@69
|
4455
|
|
jpayne@69
|
4456 /**
|
|
jpayne@69
|
4457 * Get a configuration value from a credential cache.
|
|
jpayne@69
|
4458 *
|
|
jpayne@69
|
4459 * @param [in] context Library context
|
|
jpayne@69
|
4460 * @param [in] id Credential cache handle
|
|
jpayne@69
|
4461 * @param [in] principal Configuration for this principal;
|
|
jpayne@69
|
4462 * if NULL, global for the whole cache
|
|
jpayne@69
|
4463 * @param [in] key Name of config variable
|
|
jpayne@69
|
4464 * @param [out] data Data to be fetched
|
|
jpayne@69
|
4465 *
|
|
jpayne@69
|
4466 * Use krb5_free_data_contents() to free @a data when it is no longer needed.
|
|
jpayne@69
|
4467 *
|
|
jpayne@69
|
4468 * @retval
|
|
jpayne@69
|
4469 * 0 Success
|
|
jpayne@69
|
4470 * @return
|
|
jpayne@69
|
4471 * Kerberos error codes
|
|
jpayne@69
|
4472 */
|
|
jpayne@69
|
4473 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4474 krb5_cc_get_config(krb5_context context, krb5_ccache id,
|
|
jpayne@69
|
4475 krb5_const_principal principal,
|
|
jpayne@69
|
4476 const char *key, krb5_data *data);
|
|
jpayne@69
|
4477
|
|
jpayne@69
|
4478 /**
|
|
jpayne@69
|
4479 * Store a configuration value in a credential cache.
|
|
jpayne@69
|
4480 *
|
|
jpayne@69
|
4481 * @param [in] context Library context
|
|
jpayne@69
|
4482 * @param [in] id Credential cache handle
|
|
jpayne@69
|
4483 * @param [in] principal Configuration for a specific principal;
|
|
jpayne@69
|
4484 * if NULL, global for the whole cache
|
|
jpayne@69
|
4485 * @param [in] key Name of config variable
|
|
jpayne@69
|
4486 * @param [in] data Data to store, or NULL to remove
|
|
jpayne@69
|
4487 *
|
|
jpayne@69
|
4488 * @note Existing configuration under the same key is over-written.
|
|
jpayne@69
|
4489 *
|
|
jpayne@69
|
4490 * @warning Before version 1.10 @a data was assumed to be always non-null.
|
|
jpayne@69
|
4491 *
|
|
jpayne@69
|
4492 * @retval
|
|
jpayne@69
|
4493 * 0 Success
|
|
jpayne@69
|
4494 * @return
|
|
jpayne@69
|
4495 * Kerberos error codes
|
|
jpayne@69
|
4496 */
|
|
jpayne@69
|
4497 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4498 krb5_cc_set_config(krb5_context context, krb5_ccache id,
|
|
jpayne@69
|
4499 krb5_const_principal principal,
|
|
jpayne@69
|
4500 const char *key, krb5_data *data);
|
|
jpayne@69
|
4501
|
|
jpayne@69
|
4502 /**
|
|
jpayne@69
|
4503 * Test whether a principal is a configuration principal.
|
|
jpayne@69
|
4504 *
|
|
jpayne@69
|
4505 * @param [in] context Library context
|
|
jpayne@69
|
4506 * @param [in] principal Principal to check
|
|
jpayne@69
|
4507 *
|
|
jpayne@69
|
4508 * @return
|
|
jpayne@69
|
4509 * @c TRUE if the principal is a configuration principal (generated part of
|
|
jpayne@69
|
4510 * krb5_cc_set_config()); @c FALSE otherwise.
|
|
jpayne@69
|
4511 */
|
|
jpayne@69
|
4512 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
4513 krb5_is_config_principal(krb5_context context, krb5_const_principal principal);
|
|
jpayne@69
|
4514
|
|
jpayne@69
|
4515 /**
|
|
jpayne@69
|
4516 * Make a credential cache the primary cache for its collection.
|
|
jpayne@69
|
4517 *
|
|
jpayne@69
|
4518 * @param [in] context Library context
|
|
jpayne@69
|
4519 * @param [in] cache Credential cache handle
|
|
jpayne@69
|
4520 *
|
|
jpayne@69
|
4521 * If the type of @a cache supports it, set @a cache to be the primary
|
|
jpayne@69
|
4522 * credential cache for the collection it belongs to.
|
|
jpayne@69
|
4523 *
|
|
jpayne@69
|
4524 * @retval
|
|
jpayne@69
|
4525 * 0 Success, or the type of @a cache doesn't support switching
|
|
jpayne@69
|
4526 * @return
|
|
jpayne@69
|
4527 * Kerberos error codes
|
|
jpayne@69
|
4528 */
|
|
jpayne@69
|
4529 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4530 krb5_cc_switch(krb5_context context, krb5_ccache cache);
|
|
jpayne@69
|
4531
|
|
jpayne@69
|
4532 /**
|
|
jpayne@69
|
4533 * Determine whether a credential cache type supports switching.
|
|
jpayne@69
|
4534 *
|
|
jpayne@69
|
4535 * @param [in] context Library context
|
|
jpayne@69
|
4536 * @param [in] type Credential cache type
|
|
jpayne@69
|
4537 *
|
|
jpayne@69
|
4538 * @version New in 1.10
|
|
jpayne@69
|
4539 *
|
|
jpayne@69
|
4540 * @retval TRUE if @a type supports switching
|
|
jpayne@69
|
4541 * @retval FALSE if it does not or is not a valid credential cache type.
|
|
jpayne@69
|
4542 */
|
|
jpayne@69
|
4543 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
4544 krb5_cc_support_switch(krb5_context context, const char *type);
|
|
jpayne@69
|
4545
|
|
jpayne@69
|
4546 /**
|
|
jpayne@69
|
4547 * Find a credential cache with a specified client principal.
|
|
jpayne@69
|
4548 *
|
|
jpayne@69
|
4549 * @param [in] context Library context
|
|
jpayne@69
|
4550 * @param [in] client Client principal
|
|
jpayne@69
|
4551 * @param [out] cache_out Credential cache handle
|
|
jpayne@69
|
4552 *
|
|
jpayne@69
|
4553 * Find a cache within the collection whose default principal is @a client.
|
|
jpayne@69
|
4554 * Use @a krb5_cc_close to close @a ccache when it is no longer needed.
|
|
jpayne@69
|
4555 *
|
|
jpayne@69
|
4556 * @retval 0 Success
|
|
jpayne@69
|
4557 * @retval KRB5_CC_NOTFOUND
|
|
jpayne@69
|
4558 *
|
|
jpayne@69
|
4559 * @sa krb5_cccol_cursor_new
|
|
jpayne@69
|
4560 *
|
|
jpayne@69
|
4561 * @version New in 1.10
|
|
jpayne@69
|
4562 */
|
|
jpayne@69
|
4563 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4564 krb5_cc_cache_match(krb5_context context, krb5_principal client,
|
|
jpayne@69
|
4565 krb5_ccache *cache_out);
|
|
jpayne@69
|
4566
|
|
jpayne@69
|
4567 /**
|
|
jpayne@69
|
4568 * Select a credential cache to use with a server principal.
|
|
jpayne@69
|
4569 *
|
|
jpayne@69
|
4570 * @param [in] context Library context
|
|
jpayne@69
|
4571 * @param [in] server Server principal
|
|
jpayne@69
|
4572 * @param [out] cache_out Credential cache handle
|
|
jpayne@69
|
4573 * @param [out] princ_out Client principal
|
|
jpayne@69
|
4574 *
|
|
jpayne@69
|
4575 * Select a cache within the collection containing credentials most appropriate
|
|
jpayne@69
|
4576 * for use with @a server, according to configured rules and heuristics.
|
|
jpayne@69
|
4577 *
|
|
jpayne@69
|
4578 * Use krb5_cc_close() to release @a cache_out when it is no longer needed.
|
|
jpayne@69
|
4579 * Use krb5_free_principal() to release @a princ_out when it is no longer
|
|
jpayne@69
|
4580 * needed. Note that @a princ_out is set in some error conditions.
|
|
jpayne@69
|
4581 *
|
|
jpayne@69
|
4582 * @return
|
|
jpayne@69
|
4583 * If an appropriate cache is found, 0 is returned, @a cache_out is set to the
|
|
jpayne@69
|
4584 * selected cache, and @a princ_out is set to the default principal of that
|
|
jpayne@69
|
4585 * cache.
|
|
jpayne@69
|
4586 *
|
|
jpayne@69
|
4587 * If the appropriate client principal can be authoritatively determined but
|
|
jpayne@69
|
4588 * the cache collection contains no credentials for that principal, then
|
|
jpayne@69
|
4589 * KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out
|
|
jpayne@69
|
4590 * is set to the appropriate client principal.
|
|
jpayne@69
|
4591 *
|
|
jpayne@69
|
4592 * If no configured mechanism can determine the appropriate cache or principal,
|
|
jpayne@69
|
4593 * KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to
|
|
jpayne@69
|
4594 * NULL.
|
|
jpayne@69
|
4595 *
|
|
jpayne@69
|
4596 * Any other error code indicates a fatal error in the processing of a cache
|
|
jpayne@69
|
4597 * selection mechanism.
|
|
jpayne@69
|
4598 *
|
|
jpayne@69
|
4599 * @version New in 1.10
|
|
jpayne@69
|
4600 */
|
|
jpayne@69
|
4601 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4602 krb5_cc_select(krb5_context context, krb5_principal server,
|
|
jpayne@69
|
4603 krb5_ccache *cache_out, krb5_principal *princ_out);
|
|
jpayne@69
|
4604
|
|
jpayne@69
|
4605 /* krb5_free.c */
|
|
jpayne@69
|
4606 /**
|
|
jpayne@69
|
4607 * Free the storage assigned to a principal.
|
|
jpayne@69
|
4608 *
|
|
jpayne@69
|
4609 * @param [in] context Library context
|
|
jpayne@69
|
4610 * @param [in] val Principal to be freed
|
|
jpayne@69
|
4611 */
|
|
jpayne@69
|
4612 void KRB5_CALLCONV
|
|
jpayne@69
|
4613 krb5_free_principal(krb5_context context, krb5_principal val);
|
|
jpayne@69
|
4614
|
|
jpayne@69
|
4615 /**
|
|
jpayne@69
|
4616 * Free a krb5_authenticator structure.
|
|
jpayne@69
|
4617 *
|
|
jpayne@69
|
4618 * @param [in] context Library context
|
|
jpayne@69
|
4619 * @param [in] val Authenticator structure to be freed
|
|
jpayne@69
|
4620 *
|
|
jpayne@69
|
4621 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4622 */
|
|
jpayne@69
|
4623 void KRB5_CALLCONV
|
|
jpayne@69
|
4624 krb5_free_authenticator(krb5_context context, krb5_authenticator *val);
|
|
jpayne@69
|
4625
|
|
jpayne@69
|
4626 /**
|
|
jpayne@69
|
4627 * Free the data stored in array of addresses.
|
|
jpayne@69
|
4628 *
|
|
jpayne@69
|
4629 * @param [in] context Library context
|
|
jpayne@69
|
4630 * @param [in] val Array of addresses to be freed
|
|
jpayne@69
|
4631 *
|
|
jpayne@69
|
4632 * This function frees the contents of @a val and the array itself.
|
|
jpayne@69
|
4633 *
|
|
jpayne@69
|
4634 * @note The last entry in the array must be a NULL pointer.
|
|
jpayne@69
|
4635 */
|
|
jpayne@69
|
4636 void KRB5_CALLCONV
|
|
jpayne@69
|
4637 krb5_free_addresses(krb5_context context, krb5_address **val);
|
|
jpayne@69
|
4638
|
|
jpayne@69
|
4639 /**
|
|
jpayne@69
|
4640 * Free the storage assigned to array of authentication data.
|
|
jpayne@69
|
4641 *
|
|
jpayne@69
|
4642 * @param [in] context Library context
|
|
jpayne@69
|
4643 * @param [in] val Array of authentication data to be freed
|
|
jpayne@69
|
4644 *
|
|
jpayne@69
|
4645 * This function frees the contents of @a val and the array itself.
|
|
jpayne@69
|
4646 *
|
|
jpayne@69
|
4647 * @note The last entry in the array must be a NULL pointer.
|
|
jpayne@69
|
4648 */
|
|
jpayne@69
|
4649 void KRB5_CALLCONV
|
|
jpayne@69
|
4650 krb5_free_authdata(krb5_context context, krb5_authdata **val);
|
|
jpayne@69
|
4651
|
|
jpayne@69
|
4652 /**
|
|
jpayne@69
|
4653 * Free a ticket.
|
|
jpayne@69
|
4654 *
|
|
jpayne@69
|
4655 * @param [in] context Library context
|
|
jpayne@69
|
4656 * @param [in] val Ticket to be freed
|
|
jpayne@69
|
4657 *
|
|
jpayne@69
|
4658 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4659 */
|
|
jpayne@69
|
4660 void KRB5_CALLCONV
|
|
jpayne@69
|
4661 krb5_free_ticket(krb5_context context, krb5_ticket *val);
|
|
jpayne@69
|
4662
|
|
jpayne@69
|
4663 /**
|
|
jpayne@69
|
4664 * Free an error allocated by krb5_read_error() or krb5_sendauth().
|
|
jpayne@69
|
4665 *
|
|
jpayne@69
|
4666 * @param [in] context Library context
|
|
jpayne@69
|
4667 * @param [in] val Error data structure to be freed
|
|
jpayne@69
|
4668 *
|
|
jpayne@69
|
4669 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4670 */
|
|
jpayne@69
|
4671 void KRB5_CALLCONV
|
|
jpayne@69
|
4672 krb5_free_error(krb5_context context, krb5_error *val);
|
|
jpayne@69
|
4673
|
|
jpayne@69
|
4674 /**
|
|
jpayne@69
|
4675 * Free a krb5_creds structure.
|
|
jpayne@69
|
4676 *
|
|
jpayne@69
|
4677 * @param [in] context Library context
|
|
jpayne@69
|
4678 * @param [in] val Credential structure to be freed.
|
|
jpayne@69
|
4679 *
|
|
jpayne@69
|
4680 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4681 */
|
|
jpayne@69
|
4682 void KRB5_CALLCONV
|
|
jpayne@69
|
4683 krb5_free_creds(krb5_context context, krb5_creds *val);
|
|
jpayne@69
|
4684
|
|
jpayne@69
|
4685 /**
|
|
jpayne@69
|
4686 * Free the contents of a krb5_creds structure.
|
|
jpayne@69
|
4687 *
|
|
jpayne@69
|
4688 * @param [in] context Library context
|
|
jpayne@69
|
4689 * @param [in] val Credential structure to free contents of
|
|
jpayne@69
|
4690 *
|
|
jpayne@69
|
4691 * This function frees the contents of @a val, but not the structure itself.
|
|
jpayne@69
|
4692 */
|
|
jpayne@69
|
4693 void KRB5_CALLCONV
|
|
jpayne@69
|
4694 krb5_free_cred_contents(krb5_context context, krb5_creds *val);
|
|
jpayne@69
|
4695
|
|
jpayne@69
|
4696 /**
|
|
jpayne@69
|
4697 * Free a krb5_checksum structure.
|
|
jpayne@69
|
4698 *
|
|
jpayne@69
|
4699 * @param [in] context Library context
|
|
jpayne@69
|
4700 * @param [in] val Checksum structure to be freed
|
|
jpayne@69
|
4701 *
|
|
jpayne@69
|
4702 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4703 */
|
|
jpayne@69
|
4704 void KRB5_CALLCONV
|
|
jpayne@69
|
4705 krb5_free_checksum(krb5_context context, krb5_checksum *val);
|
|
jpayne@69
|
4706
|
|
jpayne@69
|
4707 /**
|
|
jpayne@69
|
4708 * Free the contents of a krb5_checksum structure.
|
|
jpayne@69
|
4709 *
|
|
jpayne@69
|
4710 * @param [in] context Library context
|
|
jpayne@69
|
4711 * @param [in] val Checksum structure to free contents of
|
|
jpayne@69
|
4712 *
|
|
jpayne@69
|
4713 * This function frees the contents of @a val, but not the structure itself.
|
|
jpayne@69
|
4714 * It sets the checksum's data pointer to null and (beginning in release 1.19)
|
|
jpayne@69
|
4715 * sets its length to zero.
|
|
jpayne@69
|
4716 */
|
|
jpayne@69
|
4717 void KRB5_CALLCONV
|
|
jpayne@69
|
4718 krb5_free_checksum_contents(krb5_context context, krb5_checksum *val);
|
|
jpayne@69
|
4719
|
|
jpayne@69
|
4720 /**
|
|
jpayne@69
|
4721 * Free a krb5_keyblock structure.
|
|
jpayne@69
|
4722 *
|
|
jpayne@69
|
4723 * @param [in] context Library context
|
|
jpayne@69
|
4724 * @param [in] val Keyblock to be freed
|
|
jpayne@69
|
4725 *
|
|
jpayne@69
|
4726 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4727 */
|
|
jpayne@69
|
4728 void KRB5_CALLCONV
|
|
jpayne@69
|
4729 krb5_free_keyblock(krb5_context context, krb5_keyblock *val);
|
|
jpayne@69
|
4730
|
|
jpayne@69
|
4731 /**
|
|
jpayne@69
|
4732 * Free the contents of a krb5_keyblock structure.
|
|
jpayne@69
|
4733 *
|
|
jpayne@69
|
4734 * @param [in] context Library context
|
|
jpayne@69
|
4735 * @param [in] key Keyblock to be freed
|
|
jpayne@69
|
4736 *
|
|
jpayne@69
|
4737 * This function frees the contents of @a key, but not the structure itself.
|
|
jpayne@69
|
4738 */
|
|
jpayne@69
|
4739 void KRB5_CALLCONV
|
|
jpayne@69
|
4740 krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key);
|
|
jpayne@69
|
4741
|
|
jpayne@69
|
4742 /**
|
|
jpayne@69
|
4743 * Free a krb5_ap_rep_enc_part structure.
|
|
jpayne@69
|
4744 *
|
|
jpayne@69
|
4745 * @param [in] context Library context
|
|
jpayne@69
|
4746 * @param [in] val AP-REP enc part to be freed
|
|
jpayne@69
|
4747 *
|
|
jpayne@69
|
4748 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4749 */
|
|
jpayne@69
|
4750 void KRB5_CALLCONV
|
|
jpayne@69
|
4751 krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
|
|
jpayne@69
|
4752
|
|
jpayne@69
|
4753 /**
|
|
jpayne@69
|
4754 * Free a krb5_data structure.
|
|
jpayne@69
|
4755 *
|
|
jpayne@69
|
4756 * @param [in] context Library context
|
|
jpayne@69
|
4757 * @param [in] val Data structure to be freed
|
|
jpayne@69
|
4758 *
|
|
jpayne@69
|
4759 * This function frees the contents of @a val and the structure itself.
|
|
jpayne@69
|
4760 */
|
|
jpayne@69
|
4761 void KRB5_CALLCONV
|
|
jpayne@69
|
4762 krb5_free_data(krb5_context context, krb5_data *val);
|
|
jpayne@69
|
4763
|
|
jpayne@69
|
4764 /* Free a krb5_octet_data structure (should be unused). */
|
|
jpayne@69
|
4765 void KRB5_CALLCONV
|
|
jpayne@69
|
4766 krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
|
|
jpayne@69
|
4767
|
|
jpayne@69
|
4768 /**
|
|
jpayne@69
|
4769 * Free the contents of a krb5_data structure and zero the data field.
|
|
jpayne@69
|
4770 *
|
|
jpayne@69
|
4771 * @param [in] context Library context
|
|
jpayne@69
|
4772 * @param [in] val Data structure to free contents of
|
|
jpayne@69
|
4773 *
|
|
jpayne@69
|
4774 * This function frees the contents of @a val, but not the structure itself.
|
|
jpayne@69
|
4775 * It sets the structure's data pointer to null and (beginning in release 1.19)
|
|
jpayne@69
|
4776 * sets its length to zero.
|
|
jpayne@69
|
4777 */
|
|
jpayne@69
|
4778 void KRB5_CALLCONV
|
|
jpayne@69
|
4779 krb5_free_data_contents(krb5_context context, krb5_data *val);
|
|
jpayne@69
|
4780
|
|
jpayne@69
|
4781 /**
|
|
jpayne@69
|
4782 * Free a string representation of a principal.
|
|
jpayne@69
|
4783 *
|
|
jpayne@69
|
4784 * @param [in] context Library context
|
|
jpayne@69
|
4785 * @param [in] val Name string to be freed
|
|
jpayne@69
|
4786 */
|
|
jpayne@69
|
4787 void KRB5_CALLCONV
|
|
jpayne@69
|
4788 krb5_free_unparsed_name(krb5_context context, char *val);
|
|
jpayne@69
|
4789
|
|
jpayne@69
|
4790 /**
|
|
jpayne@69
|
4791 * Free a string allocated by a krb5 function.
|
|
jpayne@69
|
4792 *
|
|
jpayne@69
|
4793 * @param [in] context Library context
|
|
jpayne@69
|
4794 * @param [in] val String to be freed
|
|
jpayne@69
|
4795 *
|
|
jpayne@69
|
4796 * @version New in 1.10
|
|
jpayne@69
|
4797 */
|
|
jpayne@69
|
4798 void KRB5_CALLCONV
|
|
jpayne@69
|
4799 krb5_free_string(krb5_context context, char *val);
|
|
jpayne@69
|
4800
|
|
jpayne@69
|
4801 /**
|
|
jpayne@69
|
4802 * Free an array of encryption types.
|
|
jpayne@69
|
4803 *
|
|
jpayne@69
|
4804 * @param [in] context Library context
|
|
jpayne@69
|
4805 * @param [in] val Array of enctypes to be freed
|
|
jpayne@69
|
4806 *
|
|
jpayne@69
|
4807 * @version New in 1.12
|
|
jpayne@69
|
4808 */
|
|
jpayne@69
|
4809 void KRB5_CALLCONV
|
|
jpayne@69
|
4810 krb5_free_enctypes(krb5_context context, krb5_enctype *val);
|
|
jpayne@69
|
4811
|
|
jpayne@69
|
4812 /**
|
|
jpayne@69
|
4813 * Free an array of checksum types.
|
|
jpayne@69
|
4814 *
|
|
jpayne@69
|
4815 * @param [in] context Library context
|
|
jpayne@69
|
4816 * @param [in] val Array of checksum types to be freed
|
|
jpayne@69
|
4817 */
|
|
jpayne@69
|
4818 void KRB5_CALLCONV
|
|
jpayne@69
|
4819 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val);
|
|
jpayne@69
|
4820
|
|
jpayne@69
|
4821 /* From krb5/os, but needed by the outside world */
|
|
jpayne@69
|
4822 /**
|
|
jpayne@69
|
4823 * Retrieve the system time of day, in sec and ms, since the epoch.
|
|
jpayne@69
|
4824 *
|
|
jpayne@69
|
4825 * @param [in] context Library context
|
|
jpayne@69
|
4826 * @param [out] seconds System timeofday, seconds portion
|
|
jpayne@69
|
4827 * @param [out] microseconds System timeofday, microseconds portion
|
|
jpayne@69
|
4828 *
|
|
jpayne@69
|
4829 * This function retrieves the system time of day with the context
|
|
jpayne@69
|
4830 * specific time offset adjustment.
|
|
jpayne@69
|
4831 *
|
|
jpayne@69
|
4832 * @sa krb5_crypto_us_timeofday()
|
|
jpayne@69
|
4833 *
|
|
jpayne@69
|
4834 * @retval
|
|
jpayne@69
|
4835 * 0 Success
|
|
jpayne@69
|
4836 * @return
|
|
jpayne@69
|
4837 * Kerberos error codes
|
|
jpayne@69
|
4838 */
|
|
jpayne@69
|
4839 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4840 krb5_us_timeofday(krb5_context context,
|
|
jpayne@69
|
4841 krb5_timestamp *seconds, krb5_int32 *microseconds);
|
|
jpayne@69
|
4842
|
|
jpayne@69
|
4843 /**
|
|
jpayne@69
|
4844 * Retrieve the current time with context specific time offset adjustment.
|
|
jpayne@69
|
4845 *
|
|
jpayne@69
|
4846 * @param [in] context Library context
|
|
jpayne@69
|
4847 * @param [out] timeret Timestamp to fill in
|
|
jpayne@69
|
4848 *
|
|
jpayne@69
|
4849 * This function retrieves the system time of day with the context specific
|
|
jpayne@69
|
4850 * time offset adjustment.
|
|
jpayne@69
|
4851 *
|
|
jpayne@69
|
4852 * @retval
|
|
jpayne@69
|
4853 * 0 Success
|
|
jpayne@69
|
4854 * @return
|
|
jpayne@69
|
4855 * Kerberos error codes
|
|
jpayne@69
|
4856 */
|
|
jpayne@69
|
4857 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4858 krb5_timeofday(krb5_context context, krb5_timestamp *timeret);
|
|
jpayne@69
|
4859
|
|
jpayne@69
|
4860 /**
|
|
jpayne@69
|
4861 * Check if a timestamp is within the allowed clock skew of the current time.
|
|
jpayne@69
|
4862 *
|
|
jpayne@69
|
4863 * @param [in] context Library context
|
|
jpayne@69
|
4864 * @param [in] date Timestamp to check
|
|
jpayne@69
|
4865 *
|
|
jpayne@69
|
4866 * This function checks if @a date is close enough to the current time
|
|
jpayne@69
|
4867 * according to the configured allowable clock skew.
|
|
jpayne@69
|
4868 *
|
|
jpayne@69
|
4869 * @version New in 1.10
|
|
jpayne@69
|
4870 *
|
|
jpayne@69
|
4871 * @retval 0 Success
|
|
jpayne@69
|
4872 * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
|
|
jpayne@69
|
4873 */
|
|
jpayne@69
|
4874 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4875 krb5_check_clockskew(krb5_context context, krb5_timestamp date);
|
|
jpayne@69
|
4876
|
|
jpayne@69
|
4877 /**
|
|
jpayne@69
|
4878 * Return all interface addresses for this host.
|
|
jpayne@69
|
4879 *
|
|
jpayne@69
|
4880 * @param [in] context Library context
|
|
jpayne@69
|
4881 * @param [out] addr Array of krb5_address pointers, ending with
|
|
jpayne@69
|
4882 * NULL
|
|
jpayne@69
|
4883 *
|
|
jpayne@69
|
4884 * Use krb5_free_addresses() to free @a addr when it is no longer needed.
|
|
jpayne@69
|
4885 *
|
|
jpayne@69
|
4886 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
4887 */
|
|
jpayne@69
|
4888 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4889 krb5_os_localaddr(krb5_context context, krb5_address ***addr);
|
|
jpayne@69
|
4890
|
|
jpayne@69
|
4891 /**
|
|
jpayne@69
|
4892 * Retrieve the default realm.
|
|
jpayne@69
|
4893 *
|
|
jpayne@69
|
4894 * @param [in] context Library context
|
|
jpayne@69
|
4895 * @param [out] lrealm Default realm name
|
|
jpayne@69
|
4896 *
|
|
jpayne@69
|
4897 * Retrieves the default realm to be used if no user-specified realm is
|
|
jpayne@69
|
4898 * available.
|
|
jpayne@69
|
4899 *
|
|
jpayne@69
|
4900 * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed.
|
|
jpayne@69
|
4901 *
|
|
jpayne@69
|
4902 * @retval
|
|
jpayne@69
|
4903 * 0 Success
|
|
jpayne@69
|
4904 * @return
|
|
jpayne@69
|
4905 * Kerberos error codes
|
|
jpayne@69
|
4906 */
|
|
jpayne@69
|
4907 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4908 krb5_get_default_realm(krb5_context context, char **lrealm);
|
|
jpayne@69
|
4909
|
|
jpayne@69
|
4910 /**
|
|
jpayne@69
|
4911 * Override the default realm for the specified context.
|
|
jpayne@69
|
4912 *
|
|
jpayne@69
|
4913 * @param [in] context Library context
|
|
jpayne@69
|
4914 * @param [in] lrealm Realm name for the default realm
|
|
jpayne@69
|
4915 *
|
|
jpayne@69
|
4916 * If @a lrealm is NULL, clear the default realm setting.
|
|
jpayne@69
|
4917 *
|
|
jpayne@69
|
4918 * @retval
|
|
jpayne@69
|
4919 * 0 Success
|
|
jpayne@69
|
4920 * @return
|
|
jpayne@69
|
4921 * Kerberos error codes
|
|
jpayne@69
|
4922 */
|
|
jpayne@69
|
4923 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4924 krb5_set_default_realm(krb5_context context, const char *lrealm);
|
|
jpayne@69
|
4925
|
|
jpayne@69
|
4926 /**
|
|
jpayne@69
|
4927 * Free a default realm string returned by krb5_get_default_realm().
|
|
jpayne@69
|
4928 *
|
|
jpayne@69
|
4929 * @param [in] context Library context
|
|
jpayne@69
|
4930 * @param [in] lrealm Realm to be freed
|
|
jpayne@69
|
4931 */
|
|
jpayne@69
|
4932 void KRB5_CALLCONV
|
|
jpayne@69
|
4933 krb5_free_default_realm(krb5_context context, char *lrealm);
|
|
jpayne@69
|
4934
|
|
jpayne@69
|
4935 /**
|
|
jpayne@69
|
4936 * Canonicalize a hostname, possibly using name service.
|
|
jpayne@69
|
4937 *
|
|
jpayne@69
|
4938 * @param [in] context Library context
|
|
jpayne@69
|
4939 * @param [in] host Input hostname
|
|
jpayne@69
|
4940 * @param [out] canonhost_out Canonicalized hostname
|
|
jpayne@69
|
4941 *
|
|
jpayne@69
|
4942 * This function canonicalizes orig_hostname, possibly using name service
|
|
jpayne@69
|
4943 * lookups if configuration permits. Use krb5_free_string() to free @a
|
|
jpayne@69
|
4944 * canonhost_out when it is no longer needed.
|
|
jpayne@69
|
4945 *
|
|
jpayne@69
|
4946 * @version New in 1.15
|
|
jpayne@69
|
4947 */
|
|
jpayne@69
|
4948 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4949 krb5_expand_hostname(krb5_context context, const char *host,
|
|
jpayne@69
|
4950 char **canonhost_out);
|
|
jpayne@69
|
4951
|
|
jpayne@69
|
4952 /**
|
|
jpayne@69
|
4953 * Generate a full principal name from a service name.
|
|
jpayne@69
|
4954 *
|
|
jpayne@69
|
4955 * @param [in] context Library context
|
|
jpayne@69
|
4956 * @param [in] hostname Host name, or NULL to use local host
|
|
jpayne@69
|
4957 * @param [in] sname Service name, or NULL to use @c "host"
|
|
jpayne@69
|
4958 * @param [in] type Principal type
|
|
jpayne@69
|
4959 * @param [out] ret_princ Generated principal
|
|
jpayne@69
|
4960 *
|
|
jpayne@69
|
4961 * This function converts a @a hostname and @a sname into @a krb5_principal
|
|
jpayne@69
|
4962 * structure @a ret_princ. The returned principal will be of the form @a
|
|
jpayne@69
|
4963 * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm().
|
|
jpayne@69
|
4964 * In some cases this may be the referral (empty) realm.
|
|
jpayne@69
|
4965 *
|
|
jpayne@69
|
4966 * The @a type can be one of the following:
|
|
jpayne@69
|
4967 *
|
|
jpayne@69
|
4968 * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the
|
|
jpayne@69
|
4969 * realm and generating the principal.
|
|
jpayne@69
|
4970 *
|
|
jpayne@69
|
4971 * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not
|
|
jpayne@69
|
4972 * canonicalize it.
|
|
jpayne@69
|
4973 *
|
|
jpayne@69
|
4974 * Use krb5_free_principal to free @a ret_princ when it is no longer needed.
|
|
jpayne@69
|
4975 *
|
|
jpayne@69
|
4976 * @retval
|
|
jpayne@69
|
4977 * 0 Success
|
|
jpayne@69
|
4978 * @return
|
|
jpayne@69
|
4979 * Kerberos error codes
|
|
jpayne@69
|
4980 */
|
|
jpayne@69
|
4981 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
4982 krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname,
|
|
jpayne@69
|
4983 krb5_int32 type, krb5_principal *ret_princ);
|
|
jpayne@69
|
4984
|
|
jpayne@69
|
4985 /**
|
|
jpayne@69
|
4986 * Test whether a principal matches a matching principal.
|
|
jpayne@69
|
4987 *
|
|
jpayne@69
|
4988 * @param [in] context Library context
|
|
jpayne@69
|
4989 * @param [in] matching Matching principal
|
|
jpayne@69
|
4990 * @param [in] princ Principal to test
|
|
jpayne@69
|
4991 *
|
|
jpayne@69
|
4992 * @note A matching principal is a host-based principal with an empty realm
|
|
jpayne@69
|
4993 * and/or second data component (hostname). Profile configuration may cause
|
|
jpayne@69
|
4994 * the hostname to be ignored even if it is present. A principal matches a
|
|
jpayne@69
|
4995 * matching principal if the former has the same non-empty (and non-ignored)
|
|
jpayne@69
|
4996 * components of the latter.
|
|
jpayne@69
|
4997 *
|
|
jpayne@69
|
4998 * If @a matching is NULL, return TRUE. If @a matching is not a matching
|
|
jpayne@69
|
4999 * principal, return the value of krb5_principal_compare(context, matching,
|
|
jpayne@69
|
5000 * princ).
|
|
jpayne@69
|
5001 *
|
|
jpayne@69
|
5002 * @return
|
|
jpayne@69
|
5003 * TRUE if @a princ matches @a matching, FALSE otherwise.
|
|
jpayne@69
|
5004 */
|
|
jpayne@69
|
5005 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
5006 krb5_sname_match(krb5_context context, krb5_const_principal matching,
|
|
jpayne@69
|
5007 krb5_const_principal princ);
|
|
jpayne@69
|
5008
|
|
jpayne@69
|
5009 /**
|
|
jpayne@69
|
5010 * Change a password for an existing Kerberos account.
|
|
jpayne@69
|
5011 *
|
|
jpayne@69
|
5012 * @param [in] context Library context
|
|
jpayne@69
|
5013 * @param [in] creds Credentials for kadmin/changepw service
|
|
jpayne@69
|
5014 * @param [in] newpw New password
|
|
jpayne@69
|
5015 * @param [out] result_code Numeric error code from server
|
|
jpayne@69
|
5016 * @param [out] result_code_string String equivalent to @a result_code
|
|
jpayne@69
|
5017 * @param [out] result_string Change password response from the KDC
|
|
jpayne@69
|
5018 *
|
|
jpayne@69
|
5019 * Change the password for the existing principal identified by @a creds.
|
|
jpayne@69
|
5020 *
|
|
jpayne@69
|
5021 * The possible values of the output @a result_code are:
|
|
jpayne@69
|
5022 *
|
|
jpayne@69
|
5023 * @li #KRB5_KPASSWD_SUCCESS (0) - success
|
|
jpayne@69
|
5024 * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
|
|
jpayne@69
|
5025 * @li #KRB5_KPASSWD_HARDERROR (2) - Server error
|
|
jpayne@69
|
5026 * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
|
|
jpayne@69
|
5027 * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
|
|
jpayne@69
|
5028 *
|
|
jpayne@69
|
5029 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5030 */
|
|
jpayne@69
|
5031 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5032 krb5_change_password(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
5033 const char *newpw, int *result_code,
|
|
jpayne@69
|
5034 krb5_data *result_code_string, krb5_data *result_string);
|
|
jpayne@69
|
5035
|
|
jpayne@69
|
5036 /**
|
|
jpayne@69
|
5037 * Set a password for a principal using specified credentials.
|
|
jpayne@69
|
5038 *
|
|
jpayne@69
|
5039 * @param [in] context Library context
|
|
jpayne@69
|
5040 * @param [in] creds Credentials for kadmin/changepw service
|
|
jpayne@69
|
5041 * @param [in] newpw New password
|
|
jpayne@69
|
5042 * @param [in] change_password_for Change the password for this principal
|
|
jpayne@69
|
5043 * @param [out] result_code Numeric error code from server
|
|
jpayne@69
|
5044 * @param [out] result_code_string String equivalent to @a result_code
|
|
jpayne@69
|
5045 * @param [out] result_string Data returned from the remote system
|
|
jpayne@69
|
5046 *
|
|
jpayne@69
|
5047 * This function uses the credentials @a creds to set the password @a newpw for
|
|
jpayne@69
|
5048 * the principal @a change_password_for. It implements the set password
|
|
jpayne@69
|
5049 * operation of RFC 3244, for interoperability with Microsoft Windows
|
|
jpayne@69
|
5050 * implementations.
|
|
jpayne@69
|
5051 *
|
|
jpayne@69
|
5052 * @note If @a change_password_for is NULL, the change is performed on the
|
|
jpayne@69
|
5053 * current principal. If @a change_password_for is non-null, the change is
|
|
jpayne@69
|
5054 * performed on the principal name passed in @a change_password_for.
|
|
jpayne@69
|
5055 *
|
|
jpayne@69
|
5056 * The error code and strings are returned in @a result_code,
|
|
jpayne@69
|
5057 * @a result_code_string and @a result_string.
|
|
jpayne@69
|
5058 *
|
|
jpayne@69
|
5059 * @sa krb5_set_password_using_ccache()
|
|
jpayne@69
|
5060 *
|
|
jpayne@69
|
5061 * @retval
|
|
jpayne@69
|
5062 * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
|
|
jpayne@69
|
5063 * @return
|
|
jpayne@69
|
5064 * Kerberos error codes.
|
|
jpayne@69
|
5065 */
|
|
jpayne@69
|
5066 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5067 krb5_set_password(krb5_context context, krb5_creds *creds, const char *newpw,
|
|
jpayne@69
|
5068 krb5_principal change_password_for, int *result_code,
|
|
jpayne@69
|
5069 krb5_data *result_code_string, krb5_data *result_string);
|
|
jpayne@69
|
5070
|
|
jpayne@69
|
5071 /**
|
|
jpayne@69
|
5072 * Set a password for a principal using cached credentials.
|
|
jpayne@69
|
5073 *
|
|
jpayne@69
|
5074 * @param [in] context Library context
|
|
jpayne@69
|
5075 * @param [in] ccache Credential cache
|
|
jpayne@69
|
5076 * @param [in] newpw New password
|
|
jpayne@69
|
5077 * @param [in] change_password_for Change the password for this principal
|
|
jpayne@69
|
5078 * @param [out] result_code Numeric error code from server
|
|
jpayne@69
|
5079 * @param [out] result_code_string String equivalent to @a result_code
|
|
jpayne@69
|
5080 * @param [out] result_string Data returned from the remote system
|
|
jpayne@69
|
5081 *
|
|
jpayne@69
|
5082 * This function uses the cached credentials from @a ccache to set the password
|
|
jpayne@69
|
5083 * @a newpw for the principal @a change_password_for. It implements RFC 3244
|
|
jpayne@69
|
5084 * set password operation (interoperable with MS Windows implementations) using
|
|
jpayne@69
|
5085 * the credential cache.
|
|
jpayne@69
|
5086 *
|
|
jpayne@69
|
5087 * The error code and strings are returned in @a result_code,
|
|
jpayne@69
|
5088 * @a result_code_string and @a result_string.
|
|
jpayne@69
|
5089 *
|
|
jpayne@69
|
5090 * @note If @a change_password_for is set to NULL, the change is performed on
|
|
jpayne@69
|
5091 * the default principal in @a ccache. If @a change_password_for is non null,
|
|
jpayne@69
|
5092 * the change is performed on the specified principal.
|
|
jpayne@69
|
5093 *
|
|
jpayne@69
|
5094 * @sa krb5_set_password()
|
|
jpayne@69
|
5095 *
|
|
jpayne@69
|
5096 * @retval
|
|
jpayne@69
|
5097 * 0 Success
|
|
jpayne@69
|
5098 * @return
|
|
jpayne@69
|
5099 * Kerberos error codes
|
|
jpayne@69
|
5100 */
|
|
jpayne@69
|
5101 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5102 krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
|
|
jpayne@69
|
5103 const char *newpw,
|
|
jpayne@69
|
5104 krb5_principal change_password_for,
|
|
jpayne@69
|
5105 int *result_code, krb5_data *result_code_string,
|
|
jpayne@69
|
5106 krb5_data *result_string);
|
|
jpayne@69
|
5107
|
|
jpayne@69
|
5108 /**
|
|
jpayne@69
|
5109 * Get a result message for changing or setting a password.
|
|
jpayne@69
|
5110 *
|
|
jpayne@69
|
5111 * @param [in] context Library context
|
|
jpayne@69
|
5112 * @param [in] server_string Data returned from the remote system
|
|
jpayne@69
|
5113 * @param [out] message_out A message displayable to the user
|
|
jpayne@69
|
5114 *
|
|
jpayne@69
|
5115 * This function processes the @a server_string returned in the @a
|
|
jpayne@69
|
5116 * result_string parameter of krb5_change_password(), krb5_set_password(), and
|
|
jpayne@69
|
5117 * related functions, and returns a displayable string. If @a server_string
|
|
jpayne@69
|
5118 * contains Active Directory structured policy information, it will be
|
|
jpayne@69
|
5119 * converted into human-readable text.
|
|
jpayne@69
|
5120 *
|
|
jpayne@69
|
5121 * Use krb5_free_string() to free @a message_out when it is no longer needed.
|
|
jpayne@69
|
5122 *
|
|
jpayne@69
|
5123 * @retval
|
|
jpayne@69
|
5124 * 0 Success
|
|
jpayne@69
|
5125 * @return
|
|
jpayne@69
|
5126 * Kerberos error codes
|
|
jpayne@69
|
5127 *
|
|
jpayne@69
|
5128 * @version New in 1.11
|
|
jpayne@69
|
5129 */
|
|
jpayne@69
|
5130 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5131 krb5_chpw_message(krb5_context context, const krb5_data *server_string,
|
|
jpayne@69
|
5132 char **message_out);
|
|
jpayne@69
|
5133
|
|
jpayne@69
|
5134 /**
|
|
jpayne@69
|
5135 * Retrieve configuration profile from the context.
|
|
jpayne@69
|
5136 *
|
|
jpayne@69
|
5137 * @param [in] context Library context
|
|
jpayne@69
|
5138 * @param [out] profile Pointer to data read from a configuration file
|
|
jpayne@69
|
5139 *
|
|
jpayne@69
|
5140 * This function creates a new @a profile object that reflects profile
|
|
jpayne@69
|
5141 * in the supplied @a context.
|
|
jpayne@69
|
5142 *
|
|
jpayne@69
|
5143 * The @a profile object may be freed with profile_release() function.
|
|
jpayne@69
|
5144 * See profile.h and profile API for more details.
|
|
jpayne@69
|
5145 *
|
|
jpayne@69
|
5146 * @retval
|
|
jpayne@69
|
5147 * 0 Success
|
|
jpayne@69
|
5148 * @return
|
|
jpayne@69
|
5149 * Kerberos error codes
|
|
jpayne@69
|
5150 */
|
|
jpayne@69
|
5151 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5152 krb5_get_profile(krb5_context context, struct _profile_t ** profile);
|
|
jpayne@69
|
5153
|
|
jpayne@69
|
5154 #if KRB5_DEPRECATED
|
|
jpayne@69
|
5155 /** @deprecated Replaced by krb5_get_init_creds_password().*/
|
|
jpayne@69
|
5156 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5157 krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
5158 krb5_address *const *addrs, krb5_enctype *ktypes,
|
|
jpayne@69
|
5159 krb5_preauthtype *pre_auth_types,
|
|
jpayne@69
|
5160 const char *password, krb5_ccache ccache,
|
|
jpayne@69
|
5161 krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
|
|
jpayne@69
|
5162
|
|
jpayne@69
|
5163 /** @deprecated Replaced by krb5_get_init_creds(). */
|
|
jpayne@69
|
5164 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5165 krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
5166 krb5_address *const *addrs, krb5_enctype *ktypes,
|
|
jpayne@69
|
5167 krb5_preauthtype *pre_auth_types,
|
|
jpayne@69
|
5168 const krb5_keyblock *key, krb5_ccache ccache,
|
|
jpayne@69
|
5169 krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
|
|
jpayne@69
|
5170
|
|
jpayne@69
|
5171 /** @deprecated Replaced by krb5_get_init_creds_keytab(). */
|
|
jpayne@69
|
5172 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5173 krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
|
|
jpayne@69
|
5174 krb5_address *const *addrs, krb5_enctype *ktypes,
|
|
jpayne@69
|
5175 krb5_preauthtype *pre_auth_types,
|
|
jpayne@69
|
5176 krb5_keytab arg_keytab, krb5_ccache ccache,
|
|
jpayne@69
|
5177 krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
|
|
jpayne@69
|
5178
|
|
jpayne@69
|
5179 #endif /* KRB5_DEPRECATED */
|
|
jpayne@69
|
5180
|
|
jpayne@69
|
5181 /**
|
|
jpayne@69
|
5182 * Parse and decrypt a @c KRB_AP_REQ message.
|
|
jpayne@69
|
5183 *
|
|
jpayne@69
|
5184 * @param [in] context Library context
|
|
jpayne@69
|
5185 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
5186 * @param [in] inbuf AP-REQ message to be parsed
|
|
jpayne@69
|
5187 * @param [in] server Matching principal for server, or NULL to
|
|
jpayne@69
|
5188 * allow any principal in keytab
|
|
jpayne@69
|
5189 * @param [in] keytab Key table, or NULL to use the default
|
|
jpayne@69
|
5190 * @param [out] ap_req_options If non-null, the AP-REQ flags on output
|
|
jpayne@69
|
5191 * @param [out] ticket If non-null, ticket from the AP-REQ message
|
|
jpayne@69
|
5192 *
|
|
jpayne@69
|
5193 * This function parses, decrypts and verifies a AP-REQ message from @a inbuf
|
|
jpayne@69
|
5194 * and stores the authenticator in @a auth_context.
|
|
jpayne@69
|
5195 *
|
|
jpayne@69
|
5196 * If a keyblock was specified in @a auth_context using
|
|
jpayne@69
|
5197 * krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in
|
|
jpayne@69
|
5198 * AP-REQ message and @a keytab is ignored. In this case, @a server should be
|
|
jpayne@69
|
5199 * specified as a complete principal name to allow for proper transited-path
|
|
jpayne@69
|
5200 * checking and replay cache selection.
|
|
jpayne@69
|
5201 *
|
|
jpayne@69
|
5202 * Otherwise, the decryption key is obtained from @a keytab, or from the
|
|
jpayne@69
|
5203 * default keytab if it is NULL. In this case, @a server may be a complete
|
|
jpayne@69
|
5204 * principal name, a matching principal (see krb5_sname_match()), or NULL to
|
|
jpayne@69
|
5205 * match any principal name. The keys tried against the encrypted part of the
|
|
jpayne@69
|
5206 * ticket are determined as follows:
|
|
jpayne@69
|
5207 *
|
|
jpayne@69
|
5208 * - If @a server is a complete principal name, then its entry in @a keytab is
|
|
jpayne@69
|
5209 * tried.
|
|
jpayne@69
|
5210 * - Otherwise, if @a keytab is iterable, then all entries in @a keytab which
|
|
jpayne@69
|
5211 * match @a server are tried.
|
|
jpayne@69
|
5212 * - Otherwise, the server principal in the ticket must match @a server, and
|
|
jpayne@69
|
5213 * its entry in @a keytab is tried.
|
|
jpayne@69
|
5214 *
|
|
jpayne@69
|
5215 * The client specified in the decrypted authenticator must match the client
|
|
jpayne@69
|
5216 * specified in the decrypted ticket.
|
|
jpayne@69
|
5217 *
|
|
jpayne@69
|
5218 * If the @a remote_addr field of @a auth_context is set, the request must come
|
|
jpayne@69
|
5219 * from that address.
|
|
jpayne@69
|
5220 *
|
|
jpayne@69
|
5221 * If a replay cache handle is provided in the @a auth_context, the
|
|
jpayne@69
|
5222 * authenticator and ticket are verified against it. If no conflict is found,
|
|
jpayne@69
|
5223 * the new authenticator is then stored in the replay cache of @a auth_context.
|
|
jpayne@69
|
5224 *
|
|
jpayne@69
|
5225 * Various other checks are performed on the decoded data, including
|
|
jpayne@69
|
5226 * cross-realm policy, clockskew, and ticket validation times.
|
|
jpayne@69
|
5227 *
|
|
jpayne@69
|
5228 * On success the authenticator, subkey, and remote sequence number of the
|
|
jpayne@69
|
5229 * request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED
|
|
jpayne@69
|
5230 * bit is set, the local sequence number is XORed with the remote sequence
|
|
jpayne@69
|
5231 * number in the request.
|
|
jpayne@69
|
5232 *
|
|
jpayne@69
|
5233 * Use krb5_free_ticket() to free @a ticket when it is no longer needed.
|
|
jpayne@69
|
5234 *
|
|
jpayne@69
|
5235 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5236 */
|
|
jpayne@69
|
5237 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5238 krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
|
|
jpayne@69
|
5239 const krb5_data *inbuf, krb5_const_principal server,
|
|
jpayne@69
|
5240 krb5_keytab keytab, krb5_flags *ap_req_options,
|
|
jpayne@69
|
5241 krb5_ticket **ticket);
|
|
jpayne@69
|
5242
|
|
jpayne@69
|
5243 /**
|
|
jpayne@69
|
5244 * Retrieve a service key from a key table.
|
|
jpayne@69
|
5245 *
|
|
jpayne@69
|
5246 * @param [in] context Library context
|
|
jpayne@69
|
5247 * @param [in] keyprocarg Name of a key table (NULL to use default name)
|
|
jpayne@69
|
5248 * @param [in] principal Service principal
|
|
jpayne@69
|
5249 * @param [in] vno Key version number (0 for highest available)
|
|
jpayne@69
|
5250 * @param [in] enctype Encryption type (0 for any type)
|
|
jpayne@69
|
5251 * @param [out] key Service key from key table
|
|
jpayne@69
|
5252 *
|
|
jpayne@69
|
5253 * Open and search the specified key table for the entry identified by @a
|
|
jpayne@69
|
5254 * principal, @a enctype, and @a vno. If no key is found, return an error code.
|
|
jpayne@69
|
5255 *
|
|
jpayne@69
|
5256 * The default key table is used, unless @a keyprocarg is non-null.
|
|
jpayne@69
|
5257 * @a keyprocarg designates a specific key table.
|
|
jpayne@69
|
5258 *
|
|
jpayne@69
|
5259 * Use krb5_free_keyblock() to free @a key when it is no longer needed.
|
|
jpayne@69
|
5260 *
|
|
jpayne@69
|
5261 * @retval
|
|
jpayne@69
|
5262 * 0 Success
|
|
jpayne@69
|
5263 * @return Kerberos error code if not found or @a keyprocarg is invalid.
|
|
jpayne@69
|
5264 */
|
|
jpayne@69
|
5265 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5266 krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg,
|
|
jpayne@69
|
5267 krb5_principal principal, krb5_kvno vno,
|
|
jpayne@69
|
5268 krb5_enctype enctype, krb5_keyblock **key);
|
|
jpayne@69
|
5269
|
|
jpayne@69
|
5270 /**
|
|
jpayne@69
|
5271 * Format a @c KRB-SAFE message.
|
|
jpayne@69
|
5272 *
|
|
jpayne@69
|
5273 * @param [in] context Library context
|
|
jpayne@69
|
5274 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5275 * @param [in] userdata User data in the message
|
|
jpayne@69
|
5276 * @param [out] der_out Formatted @c KRB-SAFE buffer
|
|
jpayne@69
|
5277 * @param [out] rdata_out Replay data. Specify NULL if not needed
|
|
jpayne@69
|
5278 *
|
|
jpayne@69
|
5279 * This function creates an integrity protected @c KRB-SAFE message
|
|
jpayne@69
|
5280 * using data supplied by the application.
|
|
jpayne@69
|
5281 *
|
|
jpayne@69
|
5282 * Fields in @a auth_context specify the checksum type, the keyblock that
|
|
jpayne@69
|
5283 * can be used to seed the checksum, full addresses (host and port) for
|
|
jpayne@69
|
5284 * the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags.
|
|
jpayne@69
|
5285 *
|
|
jpayne@69
|
5286 * The local address in @a auth_context must be set, and is used to form the
|
|
jpayne@69
|
5287 * sender address used in the KRB-SAFE message. The remote address is
|
|
jpayne@69
|
5288 * optional; if specified, it will be used to form the receiver address used in
|
|
jpayne@69
|
5289 * the message.
|
|
jpayne@69
|
5290 *
|
|
jpayne@69
|
5291 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
5292 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
5293 * in @a auth_context.
|
|
jpayne@69
|
5294 *
|
|
jpayne@69
|
5295 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a
|
|
jpayne@69
|
5296 * timestamp is included in the KRB-SAFE message, and an entry for the message
|
|
jpayne@69
|
5297 * is entered in an in-memory replay cache to detect if the message is
|
|
jpayne@69
|
5298 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no
|
|
jpayne@69
|
5299 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a
|
|
jpayne@69
|
5300 * auth_context, a timestamp is included in the KRB-SAFE message and is stored
|
|
jpayne@69
|
5301 * in @a rdata_out.
|
|
jpayne@69
|
5302 *
|
|
jpayne@69
|
5303 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5304 * is set, the @a auth_context local sequence number is included in the
|
|
jpayne@69
|
5305 * KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5306 * is set, the sequence number used is stored in @a rdata_out.
|
|
jpayne@69
|
5307 *
|
|
jpayne@69
|
5308 * Use krb5_free_data_contents() to free @a der_out when it is no longer
|
|
jpayne@69
|
5309 * needed.
|
|
jpayne@69
|
5310 *
|
|
jpayne@69
|
5311 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5312 */
|
|
jpayne@69
|
5313 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5314 krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5315 const krb5_data *userdata, krb5_data *der_out,
|
|
jpayne@69
|
5316 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
5317
|
|
jpayne@69
|
5318 /**
|
|
jpayne@69
|
5319 * Format a @c KRB-PRIV message.
|
|
jpayne@69
|
5320 *
|
|
jpayne@69
|
5321 * @param [in] context Library context
|
|
jpayne@69
|
5322 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5323 * @param [in] userdata User data for @c KRB-PRIV message
|
|
jpayne@69
|
5324 * @param [out] der_out Formatted @c KRB-PRIV message
|
|
jpayne@69
|
5325 * @param [out] rdata_out Replay data (NULL if not needed)
|
|
jpayne@69
|
5326 *
|
|
jpayne@69
|
5327 * This function is similar to krb5_mk_safe(), but the message is encrypted and
|
|
jpayne@69
|
5328 * integrity-protected, not just integrity-protected.
|
|
jpayne@69
|
5329 *
|
|
jpayne@69
|
5330 * The local address in @a auth_context must be set, and is used to form the
|
|
jpayne@69
|
5331 * sender address used in the KRB-PRIV message. The remote address is
|
|
jpayne@69
|
5332 * optional; if specified, it will be used to form the receiver address used in
|
|
jpayne@69
|
5333 * the message.
|
|
jpayne@69
|
5334 *
|
|
jpayne@69
|
5335 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
5336 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
5337 * in @a auth_context.
|
|
jpayne@69
|
5338 *
|
|
jpayne@69
|
5339 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a
|
|
jpayne@69
|
5340 * timestamp is included in the KRB-PRIV message, and an entry for the message
|
|
jpayne@69
|
5341 * is entered in an in-memory replay cache to detect if the message is
|
|
jpayne@69
|
5342 * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no
|
|
jpayne@69
|
5343 * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a
|
|
jpayne@69
|
5344 * auth_context, a timestamp is included in the KRB-PRIV message and is stored
|
|
jpayne@69
|
5345 * in @a rdata_out.
|
|
jpayne@69
|
5346 *
|
|
jpayne@69
|
5347 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5348 * is set, the @a auth_context local sequence number is included in the
|
|
jpayne@69
|
5349 * KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5350 * is set, the sequence number used is stored in @a rdata_out.
|
|
jpayne@69
|
5351 *
|
|
jpayne@69
|
5352 * Use krb5_free_data_contents() to free @a der_out when it is no longer
|
|
jpayne@69
|
5353 * needed.
|
|
jpayne@69
|
5354 *
|
|
jpayne@69
|
5355 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5356 */
|
|
jpayne@69
|
5357 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5358 krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5359 const krb5_data *userdata, krb5_data *der_out,
|
|
jpayne@69
|
5360 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
5361
|
|
jpayne@69
|
5362 /**
|
|
jpayne@69
|
5363 * Client function for @c sendauth protocol.
|
|
jpayne@69
|
5364 *
|
|
jpayne@69
|
5365 * @param [in] context Library context
|
|
jpayne@69
|
5366 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
5367 * @param [in] fd File descriptor that describes network socket
|
|
jpayne@69
|
5368 * @param [in] appl_version Application protocol version to be matched
|
|
jpayne@69
|
5369 * with the receiver's application version
|
|
jpayne@69
|
5370 * @param [in] client Client principal
|
|
jpayne@69
|
5371 * @param [in] server Server principal
|
|
jpayne@69
|
5372 * @param [in] ap_req_options @ref AP_OPTS options
|
|
jpayne@69
|
5373 * @param [in] in_data Data to be sent to the server
|
|
jpayne@69
|
5374 * @param [in] in_creds Input credentials, or NULL to use @a ccache
|
|
jpayne@69
|
5375 * @param [in] ccache Credential cache
|
|
jpayne@69
|
5376 * @param [out] error If non-null, contains KRB_ERROR message
|
|
jpayne@69
|
5377 * returned from server
|
|
jpayne@69
|
5378 * @param [out] rep_result If non-null and @a ap_req_options is
|
|
jpayne@69
|
5379 * #AP_OPTS_MUTUAL_REQUIRED, contains the result
|
|
jpayne@69
|
5380 * of mutual authentication exchange
|
|
jpayne@69
|
5381 * @param [out] out_creds If non-null, the retrieved credentials
|
|
jpayne@69
|
5382 *
|
|
jpayne@69
|
5383 * This function performs the client side of a sendauth/recvauth exchange by
|
|
jpayne@69
|
5384 * sending and receiving messages over @a fd.
|
|
jpayne@69
|
5385 *
|
|
jpayne@69
|
5386 * Credentials may be specified in three ways:
|
|
jpayne@69
|
5387 *
|
|
jpayne@69
|
5388 * @li If @a in_creds is NULL, credentials are obtained with
|
|
jpayne@69
|
5389 * krb5_get_credentials() using the principals @a client and @a server. @a
|
|
jpayne@69
|
5390 * server must be non-null; @a client may NULL to use the default principal of
|
|
jpayne@69
|
5391 * @a ccache.
|
|
jpayne@69
|
5392 *
|
|
jpayne@69
|
5393 * @li If @a in_creds is non-null, but does not contain a ticket, credentials
|
|
jpayne@69
|
5394 * for the exchange are obtained with krb5_get_credentials() using @a in_creds.
|
|
jpayne@69
|
5395 * In this case, the values of @a client and @a server are unused.
|
|
jpayne@69
|
5396 *
|
|
jpayne@69
|
5397 * @li If @a in_creds is a complete credentials structure, it used directly.
|
|
jpayne@69
|
5398 * In this case, the values of @a client, @a server, and @a ccache are unused.
|
|
jpayne@69
|
5399 *
|
|
jpayne@69
|
5400 * If the server is using a different application protocol than that specified
|
|
jpayne@69
|
5401 * in @a appl_version, an error will be returned.
|
|
jpayne@69
|
5402 *
|
|
jpayne@69
|
5403 * Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to
|
|
jpayne@69
|
5404 * free @a rep_result, and krb5_free_error() to free @a error when they are no
|
|
jpayne@69
|
5405 * longer needed.
|
|
jpayne@69
|
5406 *
|
|
jpayne@69
|
5407 * @sa krb5_recvauth()
|
|
jpayne@69
|
5408 *
|
|
jpayne@69
|
5409 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5410 */
|
|
jpayne@69
|
5411 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5412 krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
|
|
jpayne@69
|
5413 krb5_pointer fd, char *appl_version, krb5_principal client,
|
|
jpayne@69
|
5414 krb5_principal server, krb5_flags ap_req_options,
|
|
jpayne@69
|
5415 krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
|
|
jpayne@69
|
5416 krb5_error **error, krb5_ap_rep_enc_part **rep_result,
|
|
jpayne@69
|
5417 krb5_creds **out_creds);
|
|
jpayne@69
|
5418
|
|
jpayne@69
|
5419 /**
|
|
jpayne@69
|
5420 * Server function for @a sendauth protocol.
|
|
jpayne@69
|
5421 *
|
|
jpayne@69
|
5422 * @param [in] context Library context
|
|
jpayne@69
|
5423 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
5424 * @param [in] fd File descriptor
|
|
jpayne@69
|
5425 * @param [in] appl_version Application protocol version to be matched
|
|
jpayne@69
|
5426 * against the client's application version
|
|
jpayne@69
|
5427 * @param [in] server Server principal (NULL for any in @a keytab)
|
|
jpayne@69
|
5428 * @param [in] flags Additional specifications
|
|
jpayne@69
|
5429 * @param [in] keytab Key table containing service keys
|
|
jpayne@69
|
5430 * @param [out] ticket Ticket (NULL if not needed)
|
|
jpayne@69
|
5431 *
|
|
jpayne@69
|
5432 * This function performs the server side of a sendauth/recvauth exchange by
|
|
jpayne@69
|
5433 * sending and receiving messages over @a fd.
|
|
jpayne@69
|
5434 *
|
|
jpayne@69
|
5435 * Use krb5_free_ticket() to free @a ticket when it is no longer needed.
|
|
jpayne@69
|
5436 *
|
|
jpayne@69
|
5437 * @sa krb5_sendauth()
|
|
jpayne@69
|
5438 *
|
|
jpayne@69
|
5439 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5440 */
|
|
jpayne@69
|
5441 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5442 krb5_recvauth(krb5_context context, krb5_auth_context *auth_context,
|
|
jpayne@69
|
5443 krb5_pointer fd, char *appl_version, krb5_principal server,
|
|
jpayne@69
|
5444 krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket);
|
|
jpayne@69
|
5445
|
|
jpayne@69
|
5446 /**
|
|
jpayne@69
|
5447 * Server function for @a sendauth protocol with version parameter.
|
|
jpayne@69
|
5448 *
|
|
jpayne@69
|
5449 * @param [in] context Library context
|
|
jpayne@69
|
5450 * @param [in,out] auth_context Pre-existing or newly created auth context
|
|
jpayne@69
|
5451 * @param [in] fd File descriptor
|
|
jpayne@69
|
5452 * @param [in] server Server principal (NULL for any in @a keytab)
|
|
jpayne@69
|
5453 * @param [in] flags Additional specifications
|
|
jpayne@69
|
5454 * @param [in] keytab Decryption key
|
|
jpayne@69
|
5455 * @param [out] ticket Ticket (NULL if not needed)
|
|
jpayne@69
|
5456 * @param [out] version sendauth protocol version (NULL if not needed)
|
|
jpayne@69
|
5457 *
|
|
jpayne@69
|
5458 * This function is similar to krb5_recvauth() with the additional output
|
|
jpayne@69
|
5459 * information place into @a version.
|
|
jpayne@69
|
5460 *
|
|
jpayne@69
|
5461 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5462 */
|
|
jpayne@69
|
5463 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5464 krb5_recvauth_version(krb5_context context,
|
|
jpayne@69
|
5465 krb5_auth_context *auth_context,
|
|
jpayne@69
|
5466 krb5_pointer fd,
|
|
jpayne@69
|
5467 krb5_principal server,
|
|
jpayne@69
|
5468 krb5_int32 flags,
|
|
jpayne@69
|
5469 krb5_keytab keytab,
|
|
jpayne@69
|
5470 krb5_ticket **ticket,
|
|
jpayne@69
|
5471 krb5_data *version);
|
|
jpayne@69
|
5472
|
|
jpayne@69
|
5473 /**
|
|
jpayne@69
|
5474 * Format a @c KRB-CRED message for an array of credentials.
|
|
jpayne@69
|
5475 *
|
|
jpayne@69
|
5476 * @param [in] context Library context
|
|
jpayne@69
|
5477 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5478 * @param [in] creds Null-terminated array of credentials
|
|
jpayne@69
|
5479 * @param [out] der_out Encoded credentials
|
|
jpayne@69
|
5480 * @param [out] rdata_out Replay cache information (NULL if not needed)
|
|
jpayne@69
|
5481 *
|
|
jpayne@69
|
5482 * This function takes an array of credentials @a creds and formats
|
|
jpayne@69
|
5483 * a @c KRB-CRED message @a der_out to pass to krb5_rd_cred().
|
|
jpayne@69
|
5484 *
|
|
jpayne@69
|
5485 * The local and remote addresses in @a auth_context are optional; if either is
|
|
jpayne@69
|
5486 * specified, they are used to form the sender and receiver addresses in the
|
|
jpayne@69
|
5487 * KRB-CRED message.
|
|
jpayne@69
|
5488 *
|
|
jpayne@69
|
5489 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
5490 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
5491 * in @a auth_context.
|
|
jpayne@69
|
5492 *
|
|
jpayne@69
|
5493 * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, an entry
|
|
jpayne@69
|
5494 * for the message is entered in an in-memory replay cache to detect if the
|
|
jpayne@69
|
5495 * message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not
|
|
jpayne@69
|
5496 * set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a
|
|
jpayne@69
|
5497 * auth_context, the timestamp used for the KRB-CRED message is stored in @a
|
|
jpayne@69
|
5498 * rdata_out.
|
|
jpayne@69
|
5499 *
|
|
jpayne@69
|
5500 * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5501 * is set, the @a auth_context local sequence number is included in the
|
|
jpayne@69
|
5502 * KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
|
jpayne@69
|
5503 * is set, the sequence number used is stored in @a rdata_out.
|
|
jpayne@69
|
5504 *
|
|
jpayne@69
|
5505 * Use krb5_free_data_contents() to free @a der_out when it is no longer
|
|
jpayne@69
|
5506 * needed.
|
|
jpayne@69
|
5507 *
|
|
jpayne@69
|
5508 * The message will be encrypted using the send subkey of @a auth_context if it
|
|
jpayne@69
|
5509 * is present, or the session key otherwise. If neither key is present, the
|
|
jpayne@69
|
5510 * credentials will not be encrypted, and the message should only be sent over
|
|
jpayne@69
|
5511 * a secure channel. No replay cache entry is used in this case.
|
|
jpayne@69
|
5512 *
|
|
jpayne@69
|
5513 * @retval
|
|
jpayne@69
|
5514 * 0 Success
|
|
jpayne@69
|
5515 * @retval
|
|
jpayne@69
|
5516 * ENOMEM Insufficient memory
|
|
jpayne@69
|
5517 * @retval
|
|
jpayne@69
|
5518 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
|
|
jpayne@69
|
5519 * @return
|
|
jpayne@69
|
5520 * Kerberos error codes
|
|
jpayne@69
|
5521 */
|
|
jpayne@69
|
5522 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5523 krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5524 krb5_creds **creds, krb5_data **der_out,
|
|
jpayne@69
|
5525 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
5526
|
|
jpayne@69
|
5527 /**
|
|
jpayne@69
|
5528 * Format a @c KRB-CRED message for a single set of credentials.
|
|
jpayne@69
|
5529 *
|
|
jpayne@69
|
5530 * @param [in] context Library context
|
|
jpayne@69
|
5531 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5532 * @param [in] creds Pointer to credentials
|
|
jpayne@69
|
5533 * @param [out] der_out Encoded credentials
|
|
jpayne@69
|
5534 * @param [out] rdata_out Replay cache data (NULL if not needed)
|
|
jpayne@69
|
5535 *
|
|
jpayne@69
|
5536 * This is a convenience function that calls krb5_mk_ncred() with a single set
|
|
jpayne@69
|
5537 * of credentials.
|
|
jpayne@69
|
5538 *
|
|
jpayne@69
|
5539 * @retval
|
|
jpayne@69
|
5540 * 0 Success
|
|
jpayne@69
|
5541 * @retval
|
|
jpayne@69
|
5542 * ENOMEM Insufficient memory
|
|
jpayne@69
|
5543 * @retval
|
|
jpayne@69
|
5544 * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
|
|
jpayne@69
|
5545 * @return
|
|
jpayne@69
|
5546 * Kerberos error codes
|
|
jpayne@69
|
5547 */
|
|
jpayne@69
|
5548 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5549 krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5550 krb5_creds *creds, krb5_data **der_out,
|
|
jpayne@69
|
5551 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
5552
|
|
jpayne@69
|
5553 /**
|
|
jpayne@69
|
5554 * Read and validate a @c KRB-CRED message.
|
|
jpayne@69
|
5555 *
|
|
jpayne@69
|
5556 * @param [in] context Library context
|
|
jpayne@69
|
5557 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5558 * @param [in] creddata @c KRB-CRED message
|
|
jpayne@69
|
5559 * @param [out] creds_out Null-terminated array of forwarded credentials
|
|
jpayne@69
|
5560 * @param [out] rdata_out Replay data (NULL if not needed)
|
|
jpayne@69
|
5561 *
|
|
jpayne@69
|
5562 * @note The @a rdata_out argument is required if the
|
|
jpayne@69
|
5563 * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set
|
|
jpayne@69
|
5564 * in @a auth_context.`
|
|
jpayne@69
|
5565 *
|
|
jpayne@69
|
5566 * @a creddata will be decrypted using the receiving subkey if it is present in
|
|
jpayne@69
|
5567 * @a auth_context, or the session key if the receiving subkey is not present
|
|
jpayne@69
|
5568 * or fails to decrypt the message.
|
|
jpayne@69
|
5569 *
|
|
jpayne@69
|
5570 * Use krb5_free_tgt_creds() to free @a creds_out when it is no longer needed.
|
|
jpayne@69
|
5571 *
|
|
jpayne@69
|
5572 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5573 */
|
|
jpayne@69
|
5574 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5575 krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5576 krb5_data *creddata, krb5_creds ***creds_out,
|
|
jpayne@69
|
5577 krb5_replay_data *rdata_out);
|
|
jpayne@69
|
5578
|
|
jpayne@69
|
5579 /**
|
|
jpayne@69
|
5580 * Get a forwarded TGT and format a @c KRB-CRED message.
|
|
jpayne@69
|
5581 *
|
|
jpayne@69
|
5582 * @param [in] context Library context
|
|
jpayne@69
|
5583 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5584 * @param [in] rhost Remote host
|
|
jpayne@69
|
5585 * @param [in] client Client principal of TGT
|
|
jpayne@69
|
5586 * @param [in] server Principal of server to receive TGT
|
|
jpayne@69
|
5587 * @param [in] cc Credential cache handle (NULL to use default)
|
|
jpayne@69
|
5588 * @param [in] forwardable Whether TGT should be forwardable
|
|
jpayne@69
|
5589 * @param [out] outbuf KRB-CRED message
|
|
jpayne@69
|
5590 *
|
|
jpayne@69
|
5591 * Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED
|
|
jpayne@69
|
5592 * message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST,
|
|
jpayne@69
|
5593 * the second component of @a server will be used.
|
|
jpayne@69
|
5594 *
|
|
jpayne@69
|
5595 * @retval
|
|
jpayne@69
|
5596 * 0 Success
|
|
jpayne@69
|
5597 * @retval
|
|
jpayne@69
|
5598 * ENOMEM Insufficient memory
|
|
jpayne@69
|
5599 * @retval
|
|
jpayne@69
|
5600 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match
|
|
jpayne@69
|
5601 * @retval
|
|
jpayne@69
|
5602 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
|
|
jpayne@69
|
5603 * @retval
|
|
jpayne@69
|
5604 * KRB5_CC_BADNAME Credential cache name or principal name malformed
|
|
jpayne@69
|
5605 * @return
|
|
jpayne@69
|
5606 * Kerberos error codes
|
|
jpayne@69
|
5607 */
|
|
jpayne@69
|
5608 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5609 krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5610 const char *rhost, krb5_principal client,
|
|
jpayne@69
|
5611 krb5_principal server, krb5_ccache cc, int forwardable,
|
|
jpayne@69
|
5612 krb5_data *outbuf);
|
|
jpayne@69
|
5613
|
|
jpayne@69
|
5614 /**
|
|
jpayne@69
|
5615 * Create and initialize an authentication context.
|
|
jpayne@69
|
5616 *
|
|
jpayne@69
|
5617 * @param [in] context Library context
|
|
jpayne@69
|
5618 * @param [out] auth_context Authentication context
|
|
jpayne@69
|
5619 *
|
|
jpayne@69
|
5620 * This function creates an authentication context to hold configuration and
|
|
jpayne@69
|
5621 * state relevant to krb5 functions for authenticating principals and
|
|
jpayne@69
|
5622 * protecting messages once authentication has occurred.
|
|
jpayne@69
|
5623 *
|
|
jpayne@69
|
5624 * By default, flags for the context are set to enable the use of the replay
|
|
jpayne@69
|
5625 * cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use
|
|
jpayne@69
|
5626 * krb5_auth_con_setflags() to change the flags.
|
|
jpayne@69
|
5627 *
|
|
jpayne@69
|
5628 * The allocated @a auth_context must be freed with krb5_auth_con_free() when
|
|
jpayne@69
|
5629 * it is no longer needed.
|
|
jpayne@69
|
5630 *
|
|
jpayne@69
|
5631 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5632 */
|
|
jpayne@69
|
5633 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5634 krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);
|
|
jpayne@69
|
5635
|
|
jpayne@69
|
5636 /**
|
|
jpayne@69
|
5637 * Free a krb5_auth_context structure.
|
|
jpayne@69
|
5638 *
|
|
jpayne@69
|
5639 * @param [in] context Library context
|
|
jpayne@69
|
5640 * @param [in] auth_context Authentication context to be freed
|
|
jpayne@69
|
5641 *
|
|
jpayne@69
|
5642 * This function frees an auth context allocated by krb5_auth_con_init().
|
|
jpayne@69
|
5643 *
|
|
jpayne@69
|
5644 * @retval 0 (always)
|
|
jpayne@69
|
5645 */
|
|
jpayne@69
|
5646 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5647 krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
|
|
jpayne@69
|
5648
|
|
jpayne@69
|
5649 /**
|
|
jpayne@69
|
5650 * Set a flags field in a krb5_auth_context structure.
|
|
jpayne@69
|
5651 *
|
|
jpayne@69
|
5652 * @param [in] context Library context
|
|
jpayne@69
|
5653 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5654 * @param [in] flags Flags bit mask
|
|
jpayne@69
|
5655 *
|
|
jpayne@69
|
5656 * Valid values for @a flags are:
|
|
jpayne@69
|
5657 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
|
|
jpayne@69
|
5658 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
|
|
jpayne@69
|
5659 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
|
|
jpayne@69
|
5660 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
|
|
jpayne@69
|
5661 *
|
|
jpayne@69
|
5662 * @retval 0 (always)
|
|
jpayne@69
|
5663 */
|
|
jpayne@69
|
5664 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5665 krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags);
|
|
jpayne@69
|
5666
|
|
jpayne@69
|
5667 /**
|
|
jpayne@69
|
5668 * Retrieve flags from a krb5_auth_context structure.
|
|
jpayne@69
|
5669 *
|
|
jpayne@69
|
5670 * @param [in] context Library context
|
|
jpayne@69
|
5671 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5672 * @param [out] flags Flags bit mask
|
|
jpayne@69
|
5673 *
|
|
jpayne@69
|
5674 * Valid values for @a flags are:
|
|
jpayne@69
|
5675 * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
|
|
jpayne@69
|
5676 * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
|
|
jpayne@69
|
5677 * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
|
|
jpayne@69
|
5678 * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
|
|
jpayne@69
|
5679 *
|
|
jpayne@69
|
5680 * @retval 0 (always)
|
|
jpayne@69
|
5681 */
|
|
jpayne@69
|
5682 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5683 krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5684 krb5_int32 *flags);
|
|
jpayne@69
|
5685
|
|
jpayne@69
|
5686 /**
|
|
jpayne@69
|
5687 * Set a checksum callback in an auth context.
|
|
jpayne@69
|
5688 *
|
|
jpayne@69
|
5689 * @param [in] context Library context
|
|
jpayne@69
|
5690 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5691 * @param [in] func Checksum callback
|
|
jpayne@69
|
5692 * @param [in] data Callback argument
|
|
jpayne@69
|
5693 *
|
|
jpayne@69
|
5694 * Set a callback to obtain checksum data in krb5_mk_req(). The callback will
|
|
jpayne@69
|
5695 * be invoked after the subkey and local sequence number are stored in @a
|
|
jpayne@69
|
5696 * auth_context.
|
|
jpayne@69
|
5697 *
|
|
jpayne@69
|
5698 * @retval 0 (always)
|
|
jpayne@69
|
5699 */
|
|
jpayne@69
|
5700 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5701 krb5_auth_con_set_checksum_func( krb5_context context,
|
|
jpayne@69
|
5702 krb5_auth_context auth_context,
|
|
jpayne@69
|
5703 krb5_mk_req_checksum_func func,
|
|
jpayne@69
|
5704 void *data);
|
|
jpayne@69
|
5705
|
|
jpayne@69
|
5706 /**
|
|
jpayne@69
|
5707 * Get the checksum callback from an auth context.
|
|
jpayne@69
|
5708 *
|
|
jpayne@69
|
5709 * @param [in] context Library context
|
|
jpayne@69
|
5710 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5711 * @param [out] func Checksum callback
|
|
jpayne@69
|
5712 * @param [out] data Callback argument
|
|
jpayne@69
|
5713 *
|
|
jpayne@69
|
5714 * @retval 0 (always)
|
|
jpayne@69
|
5715 */
|
|
jpayne@69
|
5716 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5717 krb5_auth_con_get_checksum_func( krb5_context context,
|
|
jpayne@69
|
5718 krb5_auth_context auth_context,
|
|
jpayne@69
|
5719 krb5_mk_req_checksum_func *func,
|
|
jpayne@69
|
5720 void **data);
|
|
jpayne@69
|
5721
|
|
jpayne@69
|
5722 /**
|
|
jpayne@69
|
5723 * Set the local and remote addresses in an auth context.
|
|
jpayne@69
|
5724 *
|
|
jpayne@69
|
5725 * @param [in] context Library context
|
|
jpayne@69
|
5726 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5727 * @param [in] local_addr Local address
|
|
jpayne@69
|
5728 * @param [in] remote_addr Remote address
|
|
jpayne@69
|
5729 *
|
|
jpayne@69
|
5730 * This function releases the storage assigned to the contents of the local and
|
|
jpayne@69
|
5731 * remote addresses of @a auth_context and then sets them to @a local_addr and
|
|
jpayne@69
|
5732 * @a remote_addr respectively.
|
|
jpayne@69
|
5733 *
|
|
jpayne@69
|
5734 * @sa krb5_auth_con_genaddrs()
|
|
jpayne@69
|
5735 *
|
|
jpayne@69
|
5736 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5737 */
|
|
jpayne@69
|
5738 krb5_error_code KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
5739 krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5740 krb5_address *local_addr, krb5_address *remote_addr);
|
|
jpayne@69
|
5741
|
|
jpayne@69
|
5742 /**
|
|
jpayne@69
|
5743 * Retrieve address fields from an auth context.
|
|
jpayne@69
|
5744 *
|
|
jpayne@69
|
5745 * @param [in] context Library context
|
|
jpayne@69
|
5746 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5747 * @param [out] local_addr Local address (NULL if not needed)
|
|
jpayne@69
|
5748 * @param [out] remote_addr Remote address (NULL if not needed)
|
|
jpayne@69
|
5749 *
|
|
jpayne@69
|
5750 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5751 */
|
|
jpayne@69
|
5752 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5753 krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5754 krb5_address **local_addr, krb5_address **remote_addr);
|
|
jpayne@69
|
5755
|
|
jpayne@69
|
5756 /**
|
|
jpayne@69
|
5757 * Set local and remote port fields in an auth context.
|
|
jpayne@69
|
5758 *
|
|
jpayne@69
|
5759 * @param [in] context Library context
|
|
jpayne@69
|
5760 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5761 * @param [in] local_port Local port
|
|
jpayne@69
|
5762 * @param [in] remote_port Remote port
|
|
jpayne@69
|
5763 *
|
|
jpayne@69
|
5764 * This function releases the storage assigned to the contents of the local and
|
|
jpayne@69
|
5765 * remote ports of @a auth_context and then sets them to @a local_port and @a
|
|
jpayne@69
|
5766 * remote_port respectively.
|
|
jpayne@69
|
5767 *
|
|
jpayne@69
|
5768 * @sa krb5_auth_con_genaddrs()
|
|
jpayne@69
|
5769 *
|
|
jpayne@69
|
5770 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5771 */
|
|
jpayne@69
|
5772 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5773 krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5774 krb5_address *local_port, krb5_address *remote_port);
|
|
jpayne@69
|
5775
|
|
jpayne@69
|
5776 /**
|
|
jpayne@69
|
5777 * Set the session key in an auth context.
|
|
jpayne@69
|
5778 *
|
|
jpayne@69
|
5779 * @param [in] context Library context
|
|
jpayne@69
|
5780 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5781 * @param [in] keyblock User key
|
|
jpayne@69
|
5782 *
|
|
jpayne@69
|
5783 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5784 */
|
|
jpayne@69
|
5785 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5786 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5787 krb5_keyblock *keyblock);
|
|
jpayne@69
|
5788
|
|
jpayne@69
|
5789 /**
|
|
jpayne@69
|
5790 * Retrieve the session key from an auth context as a keyblock.
|
|
jpayne@69
|
5791 *
|
|
jpayne@69
|
5792 * @param [in] context Library context
|
|
jpayne@69
|
5793 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5794 * @param [out] keyblock Session key
|
|
jpayne@69
|
5795 *
|
|
jpayne@69
|
5796 * This function creates a keyblock containing the session key from @a
|
|
jpayne@69
|
5797 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
|
|
jpayne@69
|
5798 * longer needed
|
|
jpayne@69
|
5799 *
|
|
jpayne@69
|
5800 * @retval 0 Success. Otherwise - Kerberos error codes
|
|
jpayne@69
|
5801 */
|
|
jpayne@69
|
5802 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5803 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5804 krb5_keyblock **keyblock);
|
|
jpayne@69
|
5805
|
|
jpayne@69
|
5806 /**
|
|
jpayne@69
|
5807 * Retrieve the session key from an auth context.
|
|
jpayne@69
|
5808 *
|
|
jpayne@69
|
5809 * @param [in] context Library context
|
|
jpayne@69
|
5810 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5811 * @param [out] key Session key
|
|
jpayne@69
|
5812 *
|
|
jpayne@69
|
5813 * This function sets @a key to the session key from @a auth_context. Use
|
|
jpayne@69
|
5814 * krb5_k_free_key() to release @a key when it is no longer needed.
|
|
jpayne@69
|
5815 *
|
|
jpayne@69
|
5816 * @retval 0 (always)
|
|
jpayne@69
|
5817 */
|
|
jpayne@69
|
5818 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5819 krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5820 krb5_key *key);
|
|
jpayne@69
|
5821
|
|
jpayne@69
|
5822 /**
|
|
jpayne@69
|
5823 * Retrieve the send subkey from an auth context as a keyblock.
|
|
jpayne@69
|
5824 *
|
|
jpayne@69
|
5825 * @param [in] ctx Library context
|
|
jpayne@69
|
5826 * @param [in] ac Authentication context
|
|
jpayne@69
|
5827 * @param [out] keyblock Send subkey
|
|
jpayne@69
|
5828 *
|
|
jpayne@69
|
5829 * This function creates a keyblock containing the send subkey from @a
|
|
jpayne@69
|
5830 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
|
|
jpayne@69
|
5831 * longer needed.
|
|
jpayne@69
|
5832 *
|
|
jpayne@69
|
5833 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5834 */
|
|
jpayne@69
|
5835 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5836 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
|
|
jpayne@69
|
5837
|
|
jpayne@69
|
5838 /**
|
|
jpayne@69
|
5839 * Retrieve the send subkey from an auth context.
|
|
jpayne@69
|
5840 *
|
|
jpayne@69
|
5841 * @param [in] ctx Library context
|
|
jpayne@69
|
5842 * @param [in] ac Authentication context
|
|
jpayne@69
|
5843 * @param [out] key Send subkey
|
|
jpayne@69
|
5844 *
|
|
jpayne@69
|
5845 * This function sets @a key to the send subkey from @a auth_context. Use
|
|
jpayne@69
|
5846 * krb5_k_free_key() to release @a key when it is no longer needed.
|
|
jpayne@69
|
5847 *
|
|
jpayne@69
|
5848 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5849 */
|
|
jpayne@69
|
5850 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5851 krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
|
|
jpayne@69
|
5852 krb5_key *key);
|
|
jpayne@69
|
5853
|
|
jpayne@69
|
5854 /**
|
|
jpayne@69
|
5855 * Retrieve the receiving subkey from an auth context as a keyblock.
|
|
jpayne@69
|
5856 *
|
|
jpayne@69
|
5857 * @param [in] ctx Library context
|
|
jpayne@69
|
5858 * @param [in] ac Authentication context
|
|
jpayne@69
|
5859 * @param [out] keyblock Receiving subkey
|
|
jpayne@69
|
5860 *
|
|
jpayne@69
|
5861 * This function creates a keyblock containing the receiving subkey from @a
|
|
jpayne@69
|
5862 * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
|
|
jpayne@69
|
5863 * longer needed.
|
|
jpayne@69
|
5864 *
|
|
jpayne@69
|
5865 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5866 */
|
|
jpayne@69
|
5867 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5868 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
|
|
jpayne@69
|
5869
|
|
jpayne@69
|
5870 /**
|
|
jpayne@69
|
5871 * Retrieve the receiving subkey from an auth context as a keyblock.
|
|
jpayne@69
|
5872 *
|
|
jpayne@69
|
5873 * @param [in] ctx Library context
|
|
jpayne@69
|
5874 * @param [in] ac Authentication context
|
|
jpayne@69
|
5875 * @param [out] key Receiving subkey
|
|
jpayne@69
|
5876 *
|
|
jpayne@69
|
5877 * This function sets @a key to the receiving subkey from @a auth_context. Use
|
|
jpayne@69
|
5878 * krb5_k_free_key() to release @a key when it is no longer needed.
|
|
jpayne@69
|
5879 *
|
|
jpayne@69
|
5880 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5881 */
|
|
jpayne@69
|
5882 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5883 krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key);
|
|
jpayne@69
|
5884
|
|
jpayne@69
|
5885 /**
|
|
jpayne@69
|
5886 * Set the send subkey in an auth context with a keyblock.
|
|
jpayne@69
|
5887 *
|
|
jpayne@69
|
5888 * @param [in] ctx Library context
|
|
jpayne@69
|
5889 * @param [in] ac Authentication context
|
|
jpayne@69
|
5890 * @param [in] keyblock Send subkey
|
|
jpayne@69
|
5891 *
|
|
jpayne@69
|
5892 * This function sets the send subkey in @a ac to a copy of @a keyblock.
|
|
jpayne@69
|
5893 *
|
|
jpayne@69
|
5894 * @retval 0 Success. Otherwise - Kerberos error codes
|
|
jpayne@69
|
5895 */
|
|
jpayne@69
|
5896 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5897 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac,
|
|
jpayne@69
|
5898 krb5_keyblock *keyblock);
|
|
jpayne@69
|
5899
|
|
jpayne@69
|
5900 /**
|
|
jpayne@69
|
5901 * Set the send subkey in an auth context.
|
|
jpayne@69
|
5902 *
|
|
jpayne@69
|
5903 * @param [in] ctx Library context
|
|
jpayne@69
|
5904 * @param [in] ac Authentication context
|
|
jpayne@69
|
5905 * @param [out] key Send subkey
|
|
jpayne@69
|
5906 *
|
|
jpayne@69
|
5907 * This function sets the send subkey in @a ac to @a key, incrementing its
|
|
jpayne@69
|
5908 * reference count.
|
|
jpayne@69
|
5909 *
|
|
jpayne@69
|
5910 * @version New in 1.9
|
|
jpayne@69
|
5911 *
|
|
jpayne@69
|
5912 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5913 */
|
|
jpayne@69
|
5914 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5915 krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key);
|
|
jpayne@69
|
5916
|
|
jpayne@69
|
5917 /**
|
|
jpayne@69
|
5918 * Set the receiving subkey in an auth context with a keyblock.
|
|
jpayne@69
|
5919 *
|
|
jpayne@69
|
5920 * @param [in] ctx Library context
|
|
jpayne@69
|
5921 * @param [in] ac Authentication context
|
|
jpayne@69
|
5922 * @param [in] keyblock Receiving subkey
|
|
jpayne@69
|
5923 *
|
|
jpayne@69
|
5924 * This function sets the receiving subkey in @a ac to a copy of @a keyblock.
|
|
jpayne@69
|
5925 *
|
|
jpayne@69
|
5926 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5927 */
|
|
jpayne@69
|
5928 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5929 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac,
|
|
jpayne@69
|
5930 krb5_keyblock *keyblock);
|
|
jpayne@69
|
5931
|
|
jpayne@69
|
5932 /**
|
|
jpayne@69
|
5933 * Set the receiving subkey in an auth context.
|
|
jpayne@69
|
5934 *
|
|
jpayne@69
|
5935 * @param [in] ctx Library context
|
|
jpayne@69
|
5936 * @param [in] ac Authentication context
|
|
jpayne@69
|
5937 * @param [in] key Receiving subkey
|
|
jpayne@69
|
5938 *
|
|
jpayne@69
|
5939 * This function sets the receiving subkey in @a ac to @a key, incrementing its
|
|
jpayne@69
|
5940 * reference count.
|
|
jpayne@69
|
5941 *
|
|
jpayne@69
|
5942 * @version New in 1.9
|
|
jpayne@69
|
5943 *
|
|
jpayne@69
|
5944 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5945 */
|
|
jpayne@69
|
5946 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5947 krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
|
|
jpayne@69
|
5948 krb5_key key);
|
|
jpayne@69
|
5949
|
|
jpayne@69
|
5950 #if KRB5_DEPRECATED
|
|
jpayne@69
|
5951 /** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */
|
|
jpayne@69
|
5952 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5953 krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5954 krb5_keyblock **keyblock);
|
|
jpayne@69
|
5955
|
|
jpayne@69
|
5956 /** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */
|
|
jpayne@69
|
5957 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5958 krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5959 krb5_keyblock **keyblock);
|
|
jpayne@69
|
5960 #endif
|
|
jpayne@69
|
5961
|
|
jpayne@69
|
5962 /**
|
|
jpayne@69
|
5963 * Retrieve the local sequence number from an auth context.
|
|
jpayne@69
|
5964 *
|
|
jpayne@69
|
5965 * @param [in] context Library context
|
|
jpayne@69
|
5966 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5967 * @param [out] seqnumber Local sequence number
|
|
jpayne@69
|
5968 *
|
|
jpayne@69
|
5969 * Retrieve the local sequence number from @a auth_context and return it in @a
|
|
jpayne@69
|
5970 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
|
|
jpayne@69
|
5971 * auth_context for this function to be useful.
|
|
jpayne@69
|
5972 *
|
|
jpayne@69
|
5973 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5974 */
|
|
jpayne@69
|
5975 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5976 krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5977 krb5_int32 *seqnumber);
|
|
jpayne@69
|
5978
|
|
jpayne@69
|
5979 /**
|
|
jpayne@69
|
5980 * Retrieve the remote sequence number from an auth context.
|
|
jpayne@69
|
5981 *
|
|
jpayne@69
|
5982 * @param [in] context Library context
|
|
jpayne@69
|
5983 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
5984 * @param [out] seqnumber Remote sequence number
|
|
jpayne@69
|
5985 *
|
|
jpayne@69
|
5986 * Retrieve the remote sequence number from @a auth_context and return it in @a
|
|
jpayne@69
|
5987 * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
|
|
jpayne@69
|
5988 * auth_context for this function to be useful.
|
|
jpayne@69
|
5989 *
|
|
jpayne@69
|
5990 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
5991 */
|
|
jpayne@69
|
5992 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
5993 krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
5994 krb5_int32 *seqnumber);
|
|
jpayne@69
|
5995
|
|
jpayne@69
|
5996 /**
|
|
jpayne@69
|
5997 * Cause an auth context to use cipher state.
|
|
jpayne@69
|
5998 *
|
|
jpayne@69
|
5999 * @param [in] context Library context
|
|
jpayne@69
|
6000 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6001 *
|
|
jpayne@69
|
6002 * Prepare @a auth_context to use cipher state when krb5_mk_priv() or
|
|
jpayne@69
|
6003 * krb5_rd_priv() encrypt or decrypt data.
|
|
jpayne@69
|
6004 *
|
|
jpayne@69
|
6005 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6006 */
|
|
jpayne@69
|
6007 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6008 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
|
|
jpayne@69
|
6009
|
|
jpayne@69
|
6010 /**
|
|
jpayne@69
|
6011 * Set the replay cache in an auth context.
|
|
jpayne@69
|
6012 *
|
|
jpayne@69
|
6013 * @param [in] context Library context
|
|
jpayne@69
|
6014 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6015 * @param [in] rcache Replay cache haddle
|
|
jpayne@69
|
6016 *
|
|
jpayne@69
|
6017 * This function sets the replay cache in @a auth_context to @a rcache. @a
|
|
jpayne@69
|
6018 * rcache will be closed when @a auth_context is freed, so the caller should
|
|
jpayne@69
|
6019 * relinquish that responsibility.
|
|
jpayne@69
|
6020 *
|
|
jpayne@69
|
6021 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6022 */
|
|
jpayne@69
|
6023 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6024 krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
6025 krb5_rcache rcache);
|
|
jpayne@69
|
6026
|
|
jpayne@69
|
6027 /**
|
|
jpayne@69
|
6028 * Retrieve the replay cache from an auth context.
|
|
jpayne@69
|
6029 *
|
|
jpayne@69
|
6030 * @param [in] context Library context
|
|
jpayne@69
|
6031 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6032 * @param [out] rcache Replay cache handle
|
|
jpayne@69
|
6033 *
|
|
jpayne@69
|
6034 * This function fetches the replay cache from @a auth_context. The caller
|
|
jpayne@69
|
6035 * should not close @a rcache.
|
|
jpayne@69
|
6036 *
|
|
jpayne@69
|
6037 * @retval 0 (always)
|
|
jpayne@69
|
6038 */
|
|
jpayne@69
|
6039 krb5_error_code KRB5_CALLCONV_WRONG
|
|
jpayne@69
|
6040 krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
6041 krb5_rcache *rcache);
|
|
jpayne@69
|
6042
|
|
jpayne@69
|
6043 /**
|
|
jpayne@69
|
6044 * Retrieve the authenticator from an auth context.
|
|
jpayne@69
|
6045 *
|
|
jpayne@69
|
6046 * @param [in] context Library context
|
|
jpayne@69
|
6047 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6048 * @param [out] authenticator Authenticator
|
|
jpayne@69
|
6049 *
|
|
jpayne@69
|
6050 * Use krb5_free_authenticator() to free @a authenticator when it is no longer
|
|
jpayne@69
|
6051 * needed.
|
|
jpayne@69
|
6052 *
|
|
jpayne@69
|
6053 * @retval 0 Success. Otherwise - Kerberos error codes
|
|
jpayne@69
|
6054 */
|
|
jpayne@69
|
6055 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6056 krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
6057 krb5_authenticator **authenticator);
|
|
jpayne@69
|
6058
|
|
jpayne@69
|
6059 /**
|
|
jpayne@69
|
6060 * Set checksum type in an an auth context.
|
|
jpayne@69
|
6061 *
|
|
jpayne@69
|
6062 * @param [in] context Library context
|
|
jpayne@69
|
6063 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6064 * @param [in] cksumtype Checksum type
|
|
jpayne@69
|
6065 *
|
|
jpayne@69
|
6066 * This function sets the checksum type in @a auth_context to be used by
|
|
jpayne@69
|
6067 * krb5_mk_req() for the authenticator checksum.
|
|
jpayne@69
|
6068 *
|
|
jpayne@69
|
6069 * @retval 0 Success. Otherwise - Kerberos error codes
|
|
jpayne@69
|
6070 */
|
|
jpayne@69
|
6071 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6072 krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
6073 krb5_cksumtype cksumtype);
|
|
jpayne@69
|
6074
|
|
jpayne@69
|
6075 #define KRB5_REALM_BRANCH_CHAR '.'
|
|
jpayne@69
|
6076
|
|
jpayne@69
|
6077 /*
|
|
jpayne@69
|
6078 * end "func-proto.h"
|
|
jpayne@69
|
6079 */
|
|
jpayne@69
|
6080
|
|
jpayne@69
|
6081 /*
|
|
jpayne@69
|
6082 * begin stuff from libos.h
|
|
jpayne@69
|
6083 */
|
|
jpayne@69
|
6084
|
|
jpayne@69
|
6085 /**
|
|
jpayne@69
|
6086 * @brief Read a password from keyboard input.
|
|
jpayne@69
|
6087 *
|
|
jpayne@69
|
6088 * @param [in] context Library context
|
|
jpayne@69
|
6089 * @param [in] prompt First user prompt when reading password
|
|
jpayne@69
|
6090 * @param [in] prompt2 Second user prompt (NULL to prompt only once)
|
|
jpayne@69
|
6091 * @param [out] return_pwd Returned password
|
|
jpayne@69
|
6092 * @param [in,out] size_return On input, maximum size of password; on output,
|
|
jpayne@69
|
6093 * size of password read
|
|
jpayne@69
|
6094 *
|
|
jpayne@69
|
6095 * This function reads a password from keyboard input and stores it in @a
|
|
jpayne@69
|
6096 * return_pwd. @a size_return should be set by the caller to the amount of
|
|
jpayne@69
|
6097 * storage space available in @a return_pwd; on successful return, it will be
|
|
jpayne@69
|
6098 * set to the length of the password read.
|
|
jpayne@69
|
6099 *
|
|
jpayne@69
|
6100 * @a prompt is printed to the terminal, followed by ": ", and then a password
|
|
jpayne@69
|
6101 * is read from the keyboard.
|
|
jpayne@69
|
6102 *
|
|
jpayne@69
|
6103 * If @a prompt2 is NULL, the password is read only once. Otherwise, @a
|
|
jpayne@69
|
6104 * prompt2 is printed to the terminal and a second password is read. If the
|
|
jpayne@69
|
6105 * two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.
|
|
jpayne@69
|
6106 *
|
|
jpayne@69
|
6107 * Echoing is turned off when the password is read.
|
|
jpayne@69
|
6108 *
|
|
jpayne@69
|
6109 * @retval
|
|
jpayne@69
|
6110 * 0 Success
|
|
jpayne@69
|
6111 * @return
|
|
jpayne@69
|
6112 * Error in reading or verifying the password
|
|
jpayne@69
|
6113 * @return
|
|
jpayne@69
|
6114 * Kerberos error codes
|
|
jpayne@69
|
6115 */
|
|
jpayne@69
|
6116 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6117 krb5_read_password(krb5_context context,
|
|
jpayne@69
|
6118 const char *prompt, const char *prompt2,
|
|
jpayne@69
|
6119 char *return_pwd, unsigned int *size_return);
|
|
jpayne@69
|
6120
|
|
jpayne@69
|
6121 /**
|
|
jpayne@69
|
6122 * Convert a principal name to a local name.
|
|
jpayne@69
|
6123 *
|
|
jpayne@69
|
6124 * @param [in] context Library context
|
|
jpayne@69
|
6125 * @param [in] aname Principal name
|
|
jpayne@69
|
6126 * @param [in] lnsize_in Space available in @a lname
|
|
jpayne@69
|
6127 * @param [out] lname Local name buffer to be filled in
|
|
jpayne@69
|
6128 *
|
|
jpayne@69
|
6129 * If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is
|
|
jpayne@69
|
6130 * returned. If @a lnsize_in is too small for the local name,
|
|
jpayne@69
|
6131 * KRB5_CONFIG_NOTENUFSPACE is returned.
|
|
jpayne@69
|
6132 *
|
|
jpayne@69
|
6133 * Local names, rather than principal names, can be used by programs that
|
|
jpayne@69
|
6134 * translate to an environment-specific name (for example, a user account
|
|
jpayne@69
|
6135 * name).
|
|
jpayne@69
|
6136 *
|
|
jpayne@69
|
6137 * @retval
|
|
jpayne@69
|
6138 * 0 Success
|
|
jpayne@69
|
6139 * @retval
|
|
jpayne@69
|
6140 * System errors
|
|
jpayne@69
|
6141 * @return
|
|
jpayne@69
|
6142 * Kerberos error codes
|
|
jpayne@69
|
6143 */
|
|
jpayne@69
|
6144 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6145 krb5_aname_to_localname(krb5_context context, krb5_const_principal aname,
|
|
jpayne@69
|
6146 int lnsize_in, char *lname);
|
|
jpayne@69
|
6147
|
|
jpayne@69
|
6148 /**
|
|
jpayne@69
|
6149 * Get the Kerberos realm names for a host.
|
|
jpayne@69
|
6150 *
|
|
jpayne@69
|
6151 * @param [in] context Library context
|
|
jpayne@69
|
6152 * @param [in] host Host name (or NULL)
|
|
jpayne@69
|
6153 * @param [out] realmsp Null-terminated list of realm names
|
|
jpayne@69
|
6154 *
|
|
jpayne@69
|
6155 * Fill in @a realmsp with a pointer to a null-terminated list of realm names.
|
|
jpayne@69
|
6156 * If there are no known realms for the host, a list containing the referral
|
|
jpayne@69
|
6157 * (empty) realm is returned.
|
|
jpayne@69
|
6158 *
|
|
jpayne@69
|
6159 * If @a host is NULL, the local host's realms are determined.
|
|
jpayne@69
|
6160 *
|
|
jpayne@69
|
6161 * Use krb5_free_host_realm() to release @a realmsp when it is no longer
|
|
jpayne@69
|
6162 * needed.
|
|
jpayne@69
|
6163 *
|
|
jpayne@69
|
6164 * @retval
|
|
jpayne@69
|
6165 * 0 Success
|
|
jpayne@69
|
6166 * @retval
|
|
jpayne@69
|
6167 * ENOMEM Insufficient memory
|
|
jpayne@69
|
6168 * @return
|
|
jpayne@69
|
6169 * Kerberos error codes
|
|
jpayne@69
|
6170 */
|
|
jpayne@69
|
6171 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6172 krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp);
|
|
jpayne@69
|
6173
|
|
jpayne@69
|
6174 /**
|
|
jpayne@69
|
6175 *
|
|
jpayne@69
|
6176 * @param [in] context Library context
|
|
jpayne@69
|
6177 * @param [in] hdata Host name (or NULL)
|
|
jpayne@69
|
6178 * @param [out] realmsp Null-terminated list of realm names
|
|
jpayne@69
|
6179 *
|
|
jpayne@69
|
6180 * Fill in @a realmsp with a pointer to a null-terminated list of realm names
|
|
jpayne@69
|
6181 * obtained through heuristics or insecure resolution methods which have lower
|
|
jpayne@69
|
6182 * priority than KDC referrals.
|
|
jpayne@69
|
6183 *
|
|
jpayne@69
|
6184 * If @a host is NULL, the local host's realms are determined.
|
|
jpayne@69
|
6185 *
|
|
jpayne@69
|
6186 * Use krb5_free_host_realm() to release @a realmsp when it is no longer
|
|
jpayne@69
|
6187 * needed.
|
|
jpayne@69
|
6188 */
|
|
jpayne@69
|
6189 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6190 krb5_get_fallback_host_realm(krb5_context context,
|
|
jpayne@69
|
6191 krb5_data *hdata, char ***realmsp);
|
|
jpayne@69
|
6192
|
|
jpayne@69
|
6193 /**
|
|
jpayne@69
|
6194 * Free the memory allocated by krb5_get_host_realm().
|
|
jpayne@69
|
6195 *
|
|
jpayne@69
|
6196 * @param [in] context Library context
|
|
jpayne@69
|
6197 * @param [in] realmlist List of realm names to be released
|
|
jpayne@69
|
6198 *
|
|
jpayne@69
|
6199 * @retval
|
|
jpayne@69
|
6200 * 0 Success
|
|
jpayne@69
|
6201 * @return
|
|
jpayne@69
|
6202 * Kerberos error codes
|
|
jpayne@69
|
6203 */
|
|
jpayne@69
|
6204 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6205 krb5_free_host_realm(krb5_context context, char *const *realmlist);
|
|
jpayne@69
|
6206
|
|
jpayne@69
|
6207 /**
|
|
jpayne@69
|
6208 * Determine if a principal is authorized to log in as a local user.
|
|
jpayne@69
|
6209 *
|
|
jpayne@69
|
6210 * @param [in] context Library context
|
|
jpayne@69
|
6211 * @param [in] principal Principal name
|
|
jpayne@69
|
6212 * @param [in] luser Local username
|
|
jpayne@69
|
6213 *
|
|
jpayne@69
|
6214 * Determine whether @a principal is authorized to log in as a local user @a
|
|
jpayne@69
|
6215 * luser.
|
|
jpayne@69
|
6216 *
|
|
jpayne@69
|
6217 * @retval
|
|
jpayne@69
|
6218 * TRUE Principal is authorized to log in as user; FALSE otherwise.
|
|
jpayne@69
|
6219 */
|
|
jpayne@69
|
6220 krb5_boolean KRB5_CALLCONV
|
|
jpayne@69
|
6221 krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser);
|
|
jpayne@69
|
6222
|
|
jpayne@69
|
6223 /**
|
|
jpayne@69
|
6224 * Generate auth context addresses from a connected socket.
|
|
jpayne@69
|
6225 *
|
|
jpayne@69
|
6226 * @param [in] context Library context
|
|
jpayne@69
|
6227 * @param [in] auth_context Authentication context
|
|
jpayne@69
|
6228 * @param [in] infd Connected socket descriptor
|
|
jpayne@69
|
6229 * @param [in] flags Flags
|
|
jpayne@69
|
6230 *
|
|
jpayne@69
|
6231 * This function sets the local and/or remote addresses in @a auth_context
|
|
jpayne@69
|
6232 * based on the local and remote endpoints of the socket @a infd. The
|
|
jpayne@69
|
6233 * following flags determine the operations performed:
|
|
jpayne@69
|
6234 *
|
|
jpayne@69
|
6235 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.
|
|
jpayne@69
|
6236 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.
|
|
jpayne@69
|
6237 * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.
|
|
jpayne@69
|
6238 * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.
|
|
jpayne@69
|
6239 *
|
|
jpayne@69
|
6240 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6241 */
|
|
jpayne@69
|
6242 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6243 krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context,
|
|
jpayne@69
|
6244 int infd, int flags);
|
|
jpayne@69
|
6245
|
|
jpayne@69
|
6246 /**
|
|
jpayne@69
|
6247 * Set time offset field in a krb5_context structure.
|
|
jpayne@69
|
6248 *
|
|
jpayne@69
|
6249 * @param [in] context Library context
|
|
jpayne@69
|
6250 * @param [in] seconds Real time, seconds portion
|
|
jpayne@69
|
6251 * @param [in] microseconds Real time, microseconds portion
|
|
jpayne@69
|
6252 *
|
|
jpayne@69
|
6253 * This function sets the time offset in @a context to the difference between
|
|
jpayne@69
|
6254 * the system time and the real time as determined by @a seconds and @a
|
|
jpayne@69
|
6255 * microseconds.
|
|
jpayne@69
|
6256 *
|
|
jpayne@69
|
6257 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6258 */
|
|
jpayne@69
|
6259 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6260 krb5_set_real_time(krb5_context context, krb5_timestamp seconds,
|
|
jpayne@69
|
6261 krb5_int32 microseconds);
|
|
jpayne@69
|
6262
|
|
jpayne@69
|
6263 /**
|
|
jpayne@69
|
6264 * Return the time offsets from the os context.
|
|
jpayne@69
|
6265 *
|
|
jpayne@69
|
6266 * @param [in] context Library context
|
|
jpayne@69
|
6267 * @param [out] seconds Time offset, seconds portion
|
|
jpayne@69
|
6268 * @param [out] microseconds Time offset, microseconds portion
|
|
jpayne@69
|
6269 *
|
|
jpayne@69
|
6270 * This function returns the time offsets in @a context.
|
|
jpayne@69
|
6271 *
|
|
jpayne@69
|
6272 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6273 */
|
|
jpayne@69
|
6274 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6275 krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds);
|
|
jpayne@69
|
6276
|
|
jpayne@69
|
6277 /* str_conv.c */
|
|
jpayne@69
|
6278 /**
|
|
jpayne@69
|
6279 * Convert a string to an encryption type.
|
|
jpayne@69
|
6280 *
|
|
jpayne@69
|
6281 * @param [in] string String to convert to an encryption type
|
|
jpayne@69
|
6282 * @param [out] enctypep Encryption type
|
|
jpayne@69
|
6283 *
|
|
jpayne@69
|
6284 * @retval 0 Success; otherwise - EINVAL
|
|
jpayne@69
|
6285 */
|
|
jpayne@69
|
6286 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6287 krb5_string_to_enctype(char *string, krb5_enctype *enctypep);
|
|
jpayne@69
|
6288
|
|
jpayne@69
|
6289 /**
|
|
jpayne@69
|
6290 * Convert a string to a salt type.
|
|
jpayne@69
|
6291 *
|
|
jpayne@69
|
6292 * @param [in] string String to convert to an encryption type
|
|
jpayne@69
|
6293 * @param [out] salttypep Salt type to be filled in
|
|
jpayne@69
|
6294 *
|
|
jpayne@69
|
6295 * @retval 0 Success; otherwise - EINVAL
|
|
jpayne@69
|
6296 */
|
|
jpayne@69
|
6297 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6298 krb5_string_to_salttype(char *string, krb5_int32 *salttypep);
|
|
jpayne@69
|
6299
|
|
jpayne@69
|
6300 /**
|
|
jpayne@69
|
6301 * Convert a string to a checksum type.
|
|
jpayne@69
|
6302 *
|
|
jpayne@69
|
6303 * @param [in] string String to be converted
|
|
jpayne@69
|
6304 * @param [out] cksumtypep Checksum type to be filled in
|
|
jpayne@69
|
6305 *
|
|
jpayne@69
|
6306 * @retval 0 Success; otherwise - EINVAL
|
|
jpayne@69
|
6307 */
|
|
jpayne@69
|
6308 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6309 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep);
|
|
jpayne@69
|
6310
|
|
jpayne@69
|
6311 /**
|
|
jpayne@69
|
6312 * Convert a string to a timestamp.
|
|
jpayne@69
|
6313 *
|
|
jpayne@69
|
6314 * @param [in] string String to be converted
|
|
jpayne@69
|
6315 * @param [out] timestampp Pointer to timestamp
|
|
jpayne@69
|
6316 *
|
|
jpayne@69
|
6317 * @retval 0 Success; otherwise - EINVAL
|
|
jpayne@69
|
6318 */
|
|
jpayne@69
|
6319 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6320 krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp);
|
|
jpayne@69
|
6321
|
|
jpayne@69
|
6322 /**
|
|
jpayne@69
|
6323 * Convert a string to a delta time value.
|
|
jpayne@69
|
6324 *
|
|
jpayne@69
|
6325 * @param [in] string String to be converted
|
|
jpayne@69
|
6326 * @param [out] deltatp Delta time to be filled in
|
|
jpayne@69
|
6327 *
|
|
jpayne@69
|
6328 * @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT
|
|
jpayne@69
|
6329 */
|
|
jpayne@69
|
6330 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6331 krb5_string_to_deltat(char *string, krb5_deltat *deltatp);
|
|
jpayne@69
|
6332
|
|
jpayne@69
|
6333 /**
|
|
jpayne@69
|
6334 * Convert an encryption type to a string.
|
|
jpayne@69
|
6335 *
|
|
jpayne@69
|
6336 * @param [in] enctype Encryption type
|
|
jpayne@69
|
6337 * @param [out] buffer Buffer to hold encryption type string
|
|
jpayne@69
|
6338 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6339 *
|
|
jpayne@69
|
6340 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6341 */
|
|
jpayne@69
|
6342 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6343 krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen);
|
|
jpayne@69
|
6344
|
|
jpayne@69
|
6345 /**
|
|
jpayne@69
|
6346 * Convert an encryption type to a name or alias.
|
|
jpayne@69
|
6347 *
|
|
jpayne@69
|
6348 * @param [in] enctype Encryption type
|
|
jpayne@69
|
6349 * @param [in] shortest Flag
|
|
jpayne@69
|
6350 * @param [out] buffer Buffer to hold encryption type string
|
|
jpayne@69
|
6351 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6352 *
|
|
jpayne@69
|
6353 * If @a shortest is FALSE, this function returns the enctype's canonical name
|
|
jpayne@69
|
6354 * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the
|
|
jpayne@69
|
6355 * enctype's shortest alias (like "aes128-cts").
|
|
jpayne@69
|
6356 *
|
|
jpayne@69
|
6357 * @version New in 1.9
|
|
jpayne@69
|
6358 *
|
|
jpayne@69
|
6359 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6360 */
|
|
jpayne@69
|
6361 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6362 krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
|
|
jpayne@69
|
6363 char *buffer, size_t buflen);
|
|
jpayne@69
|
6364
|
|
jpayne@69
|
6365 /**
|
|
jpayne@69
|
6366 * Convert a salt type to a string.
|
|
jpayne@69
|
6367 *
|
|
jpayne@69
|
6368 * @param [in] salttype Salttype to convert
|
|
jpayne@69
|
6369 * @param [out] buffer Buffer to receive the converted string
|
|
jpayne@69
|
6370 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6371 *
|
|
jpayne@69
|
6372 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6373 */
|
|
jpayne@69
|
6374 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6375 krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen);
|
|
jpayne@69
|
6376
|
|
jpayne@69
|
6377 /**
|
|
jpayne@69
|
6378 * Convert a checksum type to a string.
|
|
jpayne@69
|
6379 *
|
|
jpayne@69
|
6380 * @param [in] cksumtype Checksum type
|
|
jpayne@69
|
6381 * @param [out] buffer Buffer to hold converted checksum type
|
|
jpayne@69
|
6382 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6383 *
|
|
jpayne@69
|
6384 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6385 */
|
|
jpayne@69
|
6386 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6387 krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen);
|
|
jpayne@69
|
6388
|
|
jpayne@69
|
6389 /**
|
|
jpayne@69
|
6390 * Convert a timestamp to a string.
|
|
jpayne@69
|
6391 *
|
|
jpayne@69
|
6392 * @param [in] timestamp Timestamp to convert
|
|
jpayne@69
|
6393 * @param [out] buffer Buffer to hold converted timestamp
|
|
jpayne@69
|
6394 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6395 *
|
|
jpayne@69
|
6396 * The string is returned in the locale's appropriate date and time
|
|
jpayne@69
|
6397 * representation.
|
|
jpayne@69
|
6398 *
|
|
jpayne@69
|
6399 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6400 */
|
|
jpayne@69
|
6401 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6402 krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen);
|
|
jpayne@69
|
6403
|
|
jpayne@69
|
6404 /**
|
|
jpayne@69
|
6405 * Convert a timestamp to a string, with optional output padding
|
|
jpayne@69
|
6406 *
|
|
jpayne@69
|
6407 * @param [in] timestamp Timestamp to convert
|
|
jpayne@69
|
6408 * @param [out] buffer Buffer to hold the converted timestamp
|
|
jpayne@69
|
6409 * @param [in] buflen Length of buffer
|
|
jpayne@69
|
6410 * @param [in] pad Optional value to pad @a buffer if converted
|
|
jpayne@69
|
6411 * timestamp does not fill it
|
|
jpayne@69
|
6412 *
|
|
jpayne@69
|
6413 * If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters
|
|
jpayne@69
|
6414 * with the value of *@a pad.
|
|
jpayne@69
|
6415 *
|
|
jpayne@69
|
6416 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6417 */
|
|
jpayne@69
|
6418 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6419 krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer,
|
|
jpayne@69
|
6420 size_t buflen, char *pad);
|
|
jpayne@69
|
6421
|
|
jpayne@69
|
6422 /**
|
|
jpayne@69
|
6423 * Convert a relative time value to a string.
|
|
jpayne@69
|
6424 *
|
|
jpayne@69
|
6425 * @param [in] deltat Relative time value to convert
|
|
jpayne@69
|
6426 * @param [out] buffer Buffer to hold time string
|
|
jpayne@69
|
6427 * @param [in] buflen Storage available in @a buffer
|
|
jpayne@69
|
6428 *
|
|
jpayne@69
|
6429 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
6430 */
|
|
jpayne@69
|
6431 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6432 krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen);
|
|
jpayne@69
|
6433
|
|
jpayne@69
|
6434 /* The name of the Kerberos ticket granting service... and its size */
|
|
jpayne@69
|
6435 #define KRB5_TGS_NAME "krbtgt"
|
|
jpayne@69
|
6436 #define KRB5_TGS_NAME_SIZE 6
|
|
jpayne@69
|
6437
|
|
jpayne@69
|
6438 /* flags for recvauth */
|
|
jpayne@69
|
6439 #define KRB5_RECVAUTH_SKIP_VERSION 0x0001
|
|
jpayne@69
|
6440 #define KRB5_RECVAUTH_BADAUTHVERS 0x0002
|
|
jpayne@69
|
6441 /* initial ticket api functions */
|
|
jpayne@69
|
6442
|
|
jpayne@69
|
6443 /** Text for prompt used in prompter callback function. */
|
|
jpayne@69
|
6444 typedef struct _krb5_prompt {
|
|
jpayne@69
|
6445 char *prompt; /**< The prompt to show to the user */
|
|
jpayne@69
|
6446 int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */
|
|
jpayne@69
|
6447 krb5_data *reply; /**< Must be allocated before call to prompt routine */
|
|
jpayne@69
|
6448 } krb5_prompt;
|
|
jpayne@69
|
6449
|
|
jpayne@69
|
6450 /** Pointer to a prompter callback function. */
|
|
jpayne@69
|
6451 typedef krb5_error_code
|
|
jpayne@69
|
6452 (KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, void *data,
|
|
jpayne@69
|
6453 const char *name, const char *banner,
|
|
jpayne@69
|
6454 int num_prompts, krb5_prompt prompts[]);
|
|
jpayne@69
|
6455
|
|
jpayne@69
|
6456 /**
|
|
jpayne@69
|
6457 * Prompt user for password.
|
|
jpayne@69
|
6458 *
|
|
jpayne@69
|
6459 * @param [in] context Library context
|
|
jpayne@69
|
6460 * @param data Unused (callback argument)
|
|
jpayne@69
|
6461 * @param [in] name Name to output during prompt
|
|
jpayne@69
|
6462 * @param [in] banner Banner to output during prompt
|
|
jpayne@69
|
6463 * @param [in] num_prompts Number of prompts in @a prompts
|
|
jpayne@69
|
6464 * @param [in] prompts Array of prompts and replies
|
|
jpayne@69
|
6465 *
|
|
jpayne@69
|
6466 * This function is intended to be used as a prompter callback for
|
|
jpayne@69
|
6467 * krb5_get_init_creds_password() or krb5_init_creds_init().
|
|
jpayne@69
|
6468 *
|
|
jpayne@69
|
6469 * Writes @a name and @a banner to stdout, each followed by a newline, then
|
|
jpayne@69
|
6470 * writes each prompt field in the @a prompts array, followed by ": ", and sets
|
|
jpayne@69
|
6471 * the reply field of the entry to a line of input read from stdin. If the
|
|
jpayne@69
|
6472 * hidden flag is set for a prompt, then terminal echoing is turned off when
|
|
jpayne@69
|
6473 * input is read.
|
|
jpayne@69
|
6474 *
|
|
jpayne@69
|
6475 * @retval
|
|
jpayne@69
|
6476 * 0 Success
|
|
jpayne@69
|
6477 * @return
|
|
jpayne@69
|
6478 * Kerberos error codes
|
|
jpayne@69
|
6479 *
|
|
jpayne@69
|
6480 */
|
|
jpayne@69
|
6481 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6482 krb5_prompter_posix(krb5_context context, void *data, const char *name,
|
|
jpayne@69
|
6483 const char *banner, int num_prompts,
|
|
jpayne@69
|
6484 krb5_prompt prompts[]);
|
|
jpayne@69
|
6485
|
|
jpayne@69
|
6486 /**
|
|
jpayne@69
|
6487 * Long-term password responder question
|
|
jpayne@69
|
6488 *
|
|
jpayne@69
|
6489 * This question is asked when the long-term password is needed. It has no
|
|
jpayne@69
|
6490 * challenge and the response is simply the password string.
|
|
jpayne@69
|
6491 *
|
|
jpayne@69
|
6492 * @version New in 1.11
|
|
jpayne@69
|
6493 */
|
|
jpayne@69
|
6494 #define KRB5_RESPONDER_QUESTION_PASSWORD "password"
|
|
jpayne@69
|
6495
|
|
jpayne@69
|
6496 /**
|
|
jpayne@69
|
6497 * OTP responder question
|
|
jpayne@69
|
6498 *
|
|
jpayne@69
|
6499 * The OTP responder question is asked when the KDC indicates that an OTP
|
|
jpayne@69
|
6500 * value is required in order to complete the authentication. The JSON format
|
|
jpayne@69
|
6501 * of the challenge is:
|
|
jpayne@69
|
6502 *
|
|
jpayne@69
|
6503 * {
|
|
jpayne@69
|
6504 * "service": <string (optional)>,
|
|
jpayne@69
|
6505 * "tokenInfo": [
|
|
jpayne@69
|
6506 * {
|
|
jpayne@69
|
6507 * "flags": <number>,
|
|
jpayne@69
|
6508 * "vendor": <string (optional)>,
|
|
jpayne@69
|
6509 * "challenge": <string (optional)>,
|
|
jpayne@69
|
6510 * "length": <number (optional)>,
|
|
jpayne@69
|
6511 * "format": <number (optional)>,
|
|
jpayne@69
|
6512 * "tokenID": <string (optional)>,
|
|
jpayne@69
|
6513 * "algID": <string (optional)>,
|
|
jpayne@69
|
6514 * },
|
|
jpayne@69
|
6515 * ...
|
|
jpayne@69
|
6516 * ]
|
|
jpayne@69
|
6517 * }
|
|
jpayne@69
|
6518 *
|
|
jpayne@69
|
6519 * The answer to the question MUST be JSON formatted:
|
|
jpayne@69
|
6520 *
|
|
jpayne@69
|
6521 * {
|
|
jpayne@69
|
6522 * "tokeninfo": <number>,
|
|
jpayne@69
|
6523 * "value": <string (optional)>,
|
|
jpayne@69
|
6524 * "pin": <string (optional)>,
|
|
jpayne@69
|
6525 * }
|
|
jpayne@69
|
6526 *
|
|
jpayne@69
|
6527 * For more detail, please see RFC 6560.
|
|
jpayne@69
|
6528 *
|
|
jpayne@69
|
6529 * @version New in 1.11
|
|
jpayne@69
|
6530 */
|
|
jpayne@69
|
6531 #define KRB5_RESPONDER_QUESTION_OTP "otp"
|
|
jpayne@69
|
6532
|
|
jpayne@69
|
6533 /**
|
|
jpayne@69
|
6534 * These format constants identify the format of the token value.
|
|
jpayne@69
|
6535 */
|
|
jpayne@69
|
6536 #define KRB5_RESPONDER_OTP_FORMAT_DECIMAL 0
|
|
jpayne@69
|
6537 #define KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL 1
|
|
jpayne@69
|
6538 #define KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC 2
|
|
jpayne@69
|
6539
|
|
jpayne@69
|
6540 /**
|
|
jpayne@69
|
6541 * This flag indicates that the token value MUST be collected.
|
|
jpayne@69
|
6542 */
|
|
jpayne@69
|
6543 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN 0x0001
|
|
jpayne@69
|
6544
|
|
jpayne@69
|
6545 /**
|
|
jpayne@69
|
6546 * This flag indicates that the PIN value MUST be collected.
|
|
jpayne@69
|
6547 */
|
|
jpayne@69
|
6548 #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN 0x0002
|
|
jpayne@69
|
6549
|
|
jpayne@69
|
6550 /**
|
|
jpayne@69
|
6551 * This flag indicates that the token is now in re-synchronization mode with
|
|
jpayne@69
|
6552 * the server. The user is expected to reply with the next code displayed on
|
|
jpayne@69
|
6553 * the token.
|
|
jpayne@69
|
6554 */
|
|
jpayne@69
|
6555 #define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP 0x0004
|
|
jpayne@69
|
6556
|
|
jpayne@69
|
6557 /**
|
|
jpayne@69
|
6558 * This flag indicates that the PIN MUST be returned as a separate item. This
|
|
jpayne@69
|
6559 * flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If
|
|
jpayne@69
|
6560 * this flag is not set, the responder may either concatenate PIN + token value
|
|
jpayne@69
|
6561 * and store it as "value" in the answer or it may return them separately. If
|
|
jpayne@69
|
6562 * they are returned separately, they will be concatenated internally.
|
|
jpayne@69
|
6563 */
|
|
jpayne@69
|
6564 #define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008
|
|
jpayne@69
|
6565
|
|
jpayne@69
|
6566 /**
|
|
jpayne@69
|
6567 * PKINIT responder question
|
|
jpayne@69
|
6568 *
|
|
jpayne@69
|
6569 * The PKINIT responder question is asked when the client needs a password
|
|
jpayne@69
|
6570 * that's being used to protect key information, and is formatted as a JSON
|
|
jpayne@69
|
6571 * object. A specific identity's flags value, if not zero, is the bitwise-OR
|
|
jpayne@69
|
6572 * of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined
|
|
jpayne@69
|
6573 * below, and possibly other flags to be added later. Any resemblance to
|
|
jpayne@69
|
6574 * similarly-named CKF_* values in the PKCS#11 API should not be depended on.
|
|
jpayne@69
|
6575 *
|
|
jpayne@69
|
6576 * {
|
|
jpayne@69
|
6577 * identity <string> : flags <number>,
|
|
jpayne@69
|
6578 * ...
|
|
jpayne@69
|
6579 * }
|
|
jpayne@69
|
6580 *
|
|
jpayne@69
|
6581 * The answer to the question MUST be JSON formatted:
|
|
jpayne@69
|
6582 *
|
|
jpayne@69
|
6583 * {
|
|
jpayne@69
|
6584 * identity <string> : password <string>,
|
|
jpayne@69
|
6585 * ...
|
|
jpayne@69
|
6586 * }
|
|
jpayne@69
|
6587 *
|
|
jpayne@69
|
6588 * @version New in 1.12
|
|
jpayne@69
|
6589 */
|
|
jpayne@69
|
6590 #define KRB5_RESPONDER_QUESTION_PKINIT "pkinit"
|
|
jpayne@69
|
6591
|
|
jpayne@69
|
6592 /**
|
|
jpayne@69
|
6593 * This flag indicates that an incorrect PIN was supplied at least once since
|
|
jpayne@69
|
6594 * the last time the correct PIN was supplied.
|
|
jpayne@69
|
6595 */
|
|
jpayne@69
|
6596 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0)
|
|
jpayne@69
|
6597
|
|
jpayne@69
|
6598 /**
|
|
jpayne@69
|
6599 * This flag indicates that supplying an incorrect PIN will cause the token to
|
|
jpayne@69
|
6600 * lock itself.
|
|
jpayne@69
|
6601 */
|
|
jpayne@69
|
6602 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1)
|
|
jpayne@69
|
6603
|
|
jpayne@69
|
6604 /**
|
|
jpayne@69
|
6605 * This flag indicates that the user PIN is locked, and you can't log in to the
|
|
jpayne@69
|
6606 * token with it.
|
|
jpayne@69
|
6607 */
|
|
jpayne@69
|
6608 #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2)
|
|
jpayne@69
|
6609
|
|
jpayne@69
|
6610 /**
|
|
jpayne@69
|
6611 * A container for a set of preauthentication questions and answers
|
|
jpayne@69
|
6612 *
|
|
jpayne@69
|
6613 * A responder context is supplied by the krb5 authentication system to a @ref
|
|
jpayne@69
|
6614 * krb5_responder_fn callback. It contains a list of questions and can receive
|
|
jpayne@69
|
6615 * answers. Questions contained in a responder context can be listed using
|
|
jpayne@69
|
6616 * krb5_responder_list_questions(), retrieved using
|
|
jpayne@69
|
6617 * krb5_responder_get_challenge(), or answered using
|
|
jpayne@69
|
6618 * krb5_responder_set_answer(). The form of a question's challenge and
|
|
jpayne@69
|
6619 * answer depend on the question name.
|
|
jpayne@69
|
6620 *
|
|
jpayne@69
|
6621 * @version New in 1.11
|
|
jpayne@69
|
6622 */
|
|
jpayne@69
|
6623 typedef struct krb5_responder_context_st *krb5_responder_context;
|
|
jpayne@69
|
6624
|
|
jpayne@69
|
6625 /**
|
|
jpayne@69
|
6626 * List the question names contained in the responder context.
|
|
jpayne@69
|
6627 *
|
|
jpayne@69
|
6628 * @param [in] ctx Library context
|
|
jpayne@69
|
6629 * @param [in] rctx Responder context
|
|
jpayne@69
|
6630 *
|
|
jpayne@69
|
6631 * Return a pointer to a null-terminated list of question names which are
|
|
jpayne@69
|
6632 * present in @a rctx. The pointer is an alias, valid only as long as the
|
|
jpayne@69
|
6633 * lifetime of @a rctx, and should not be modified or freed by the caller. A
|
|
jpayne@69
|
6634 * question's challenge can be retrieved using krb5_responder_get_challenge()
|
|
jpayne@69
|
6635 * and answered using krb5_responder_set_answer().
|
|
jpayne@69
|
6636 *
|
|
jpayne@69
|
6637 * @version New in 1.11
|
|
jpayne@69
|
6638 */
|
|
jpayne@69
|
6639 const char * const * KRB5_CALLCONV
|
|
jpayne@69
|
6640 krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx);
|
|
jpayne@69
|
6641
|
|
jpayne@69
|
6642 /**
|
|
jpayne@69
|
6643 * Retrieve the challenge data for a given question in the responder context.
|
|
jpayne@69
|
6644 *
|
|
jpayne@69
|
6645 * @param [in] ctx Library context
|
|
jpayne@69
|
6646 * @param [in] rctx Responder context
|
|
jpayne@69
|
6647 * @param [in] question Question name
|
|
jpayne@69
|
6648 *
|
|
jpayne@69
|
6649 * Return a pointer to a C string containing the challenge for @a question
|
|
jpayne@69
|
6650 * within @a rctx, or NULL if the question is not present in @a rctx. The
|
|
jpayne@69
|
6651 * structure of the question depends on the question name, but will always be
|
|
jpayne@69
|
6652 * printable UTF-8 text. The returned pointer is an alias, valid only as long
|
|
jpayne@69
|
6653 * as the lifetime of @a rctx, and should not be modified or freed by the
|
|
jpayne@69
|
6654 * caller.
|
|
jpayne@69
|
6655 *
|
|
jpayne@69
|
6656 * @version New in 1.11
|
|
jpayne@69
|
6657 */
|
|
jpayne@69
|
6658 const char * KRB5_CALLCONV
|
|
jpayne@69
|
6659 krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx,
|
|
jpayne@69
|
6660 const char *question);
|
|
jpayne@69
|
6661
|
|
jpayne@69
|
6662 /**
|
|
jpayne@69
|
6663 * Answer a named question in the responder context.
|
|
jpayne@69
|
6664 *
|
|
jpayne@69
|
6665 * @param [in] ctx Library context
|
|
jpayne@69
|
6666 * @param [in] rctx Responder context
|
|
jpayne@69
|
6667 * @param [in] question Question name
|
|
jpayne@69
|
6668 * @param [in] answer The string to set (MUST be printable UTF-8)
|
|
jpayne@69
|
6669 *
|
|
jpayne@69
|
6670 * This function supplies an answer to @a question within @a rctx. The
|
|
jpayne@69
|
6671 * appropriate form of the answer depends on the question name.
|
|
jpayne@69
|
6672 *
|
|
jpayne@69
|
6673 * @retval EINVAL @a question is not present within @a rctx
|
|
jpayne@69
|
6674 *
|
|
jpayne@69
|
6675 * @version New in 1.11
|
|
jpayne@69
|
6676 */
|
|
jpayne@69
|
6677 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6678 krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx,
|
|
jpayne@69
|
6679 const char *question, const char *answer);
|
|
jpayne@69
|
6680
|
|
jpayne@69
|
6681 /**
|
|
jpayne@69
|
6682 * Responder function for an initial credential exchange.
|
|
jpayne@69
|
6683 *
|
|
jpayne@69
|
6684 * @param [in] ctx Library context
|
|
jpayne@69
|
6685 * @param [in] data Callback data
|
|
jpayne@69
|
6686 * @param [in] rctx Responder context
|
|
jpayne@69
|
6687 *
|
|
jpayne@69
|
6688 * A responder function is like a prompter function, but is used for handling
|
|
jpayne@69
|
6689 * questions and answers as potentially complex data types. Client
|
|
jpayne@69
|
6690 * preauthentication modules will insert a set of named "questions" into
|
|
jpayne@69
|
6691 * the responder context. Each question may optionally contain a challenge.
|
|
jpayne@69
|
6692 * This challenge is printable UTF-8, but may be an encoded value. The
|
|
jpayne@69
|
6693 * precise encoding and contents of the challenge are specific to the question
|
|
jpayne@69
|
6694 * asked. When the responder is called, it should answer all the questions it
|
|
jpayne@69
|
6695 * understands. Like the challenge, the answer MUST be printable UTF-8, but
|
|
jpayne@69
|
6696 * may contain structured/encoded data formatted to the expected answer format
|
|
jpayne@69
|
6697 * of the question.
|
|
jpayne@69
|
6698 *
|
|
jpayne@69
|
6699 * If a required question is unanswered, the prompter may be called.
|
|
jpayne@69
|
6700 */
|
|
jpayne@69
|
6701 typedef krb5_error_code
|
|
jpayne@69
|
6702 (KRB5_CALLCONV *krb5_responder_fn)(krb5_context ctx, void *data,
|
|
jpayne@69
|
6703 krb5_responder_context rctx);
|
|
jpayne@69
|
6704
|
|
jpayne@69
|
6705 typedef struct _krb5_responder_otp_tokeninfo {
|
|
jpayne@69
|
6706 krb5_flags flags;
|
|
jpayne@69
|
6707 krb5_int32 format; /* -1 when not specified. */
|
|
jpayne@69
|
6708 krb5_int32 length; /* -1 when not specified. */
|
|
jpayne@69
|
6709 char *vendor;
|
|
jpayne@69
|
6710 char *challenge;
|
|
jpayne@69
|
6711 char *token_id;
|
|
jpayne@69
|
6712 char *alg_id;
|
|
jpayne@69
|
6713 } krb5_responder_otp_tokeninfo;
|
|
jpayne@69
|
6714
|
|
jpayne@69
|
6715 typedef struct _krb5_responder_otp_challenge {
|
|
jpayne@69
|
6716 char *service;
|
|
jpayne@69
|
6717 krb5_responder_otp_tokeninfo **tokeninfo;
|
|
jpayne@69
|
6718 } krb5_responder_otp_challenge;
|
|
jpayne@69
|
6719
|
|
jpayne@69
|
6720 /**
|
|
jpayne@69
|
6721 * Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.
|
|
jpayne@69
|
6722 *
|
|
jpayne@69
|
6723 * A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP
|
|
jpayne@69
|
6724 * question challenge data, making it available in native C. The main feature
|
|
jpayne@69
|
6725 * of this function is the ability to interact with OTP tokens without parsing
|
|
jpayne@69
|
6726 * the JSON.
|
|
jpayne@69
|
6727 *
|
|
jpayne@69
|
6728 * The returned value must be passed to krb5_responder_otp_challenge_free() to
|
|
jpayne@69
|
6729 * be freed.
|
|
jpayne@69
|
6730 *
|
|
jpayne@69
|
6731 * @param [in] ctx Library context
|
|
jpayne@69
|
6732 * @param [in] rctx Responder context
|
|
jpayne@69
|
6733 * @param [out] chl Challenge structure
|
|
jpayne@69
|
6734 *
|
|
jpayne@69
|
6735 * @version New in 1.11
|
|
jpayne@69
|
6736 */
|
|
jpayne@69
|
6737 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6738 krb5_responder_otp_get_challenge(krb5_context ctx,
|
|
jpayne@69
|
6739 krb5_responder_context rctx,
|
|
jpayne@69
|
6740 krb5_responder_otp_challenge **chl);
|
|
jpayne@69
|
6741
|
|
jpayne@69
|
6742 /**
|
|
jpayne@69
|
6743 * Answer the KRB5_RESPONDER_QUESTION_OTP question.
|
|
jpayne@69
|
6744 *
|
|
jpayne@69
|
6745 * @param [in] ctx Library context
|
|
jpayne@69
|
6746 * @param [in] rctx Responder context
|
|
jpayne@69
|
6747 * @param [in] ti The index of the tokeninfo selected
|
|
jpayne@69
|
6748 * @param [in] value The value to set, or NULL for none
|
|
jpayne@69
|
6749 * @param [in] pin The pin to set, or NULL for none
|
|
jpayne@69
|
6750 *
|
|
jpayne@69
|
6751 * @version New in 1.11
|
|
jpayne@69
|
6752 */
|
|
jpayne@69
|
6753 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6754 krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx,
|
|
jpayne@69
|
6755 size_t ti, const char *value, const char *pin);
|
|
jpayne@69
|
6756
|
|
jpayne@69
|
6757 /**
|
|
jpayne@69
|
6758 * Free the value returned by krb5_responder_otp_get_challenge().
|
|
jpayne@69
|
6759 *
|
|
jpayne@69
|
6760 * @param [in] ctx Library context
|
|
jpayne@69
|
6761 * @param [in] rctx Responder context
|
|
jpayne@69
|
6762 * @param [in] chl The challenge to free
|
|
jpayne@69
|
6763 *
|
|
jpayne@69
|
6764 * @version New in 1.11
|
|
jpayne@69
|
6765 */
|
|
jpayne@69
|
6766 void KRB5_CALLCONV
|
|
jpayne@69
|
6767 krb5_responder_otp_challenge_free(krb5_context ctx,
|
|
jpayne@69
|
6768 krb5_responder_context rctx,
|
|
jpayne@69
|
6769 krb5_responder_otp_challenge *chl);
|
|
jpayne@69
|
6770
|
|
jpayne@69
|
6771 typedef struct _krb5_responder_pkinit_identity {
|
|
jpayne@69
|
6772 char *identity;
|
|
jpayne@69
|
6773 krb5_int32 token_flags; /* 0 when not specified or not applicable. */
|
|
jpayne@69
|
6774 } krb5_responder_pkinit_identity;
|
|
jpayne@69
|
6775
|
|
jpayne@69
|
6776 typedef struct _krb5_responder_pkinit_challenge {
|
|
jpayne@69
|
6777 krb5_responder_pkinit_identity **identities;
|
|
jpayne@69
|
6778 } krb5_responder_pkinit_challenge;
|
|
jpayne@69
|
6779
|
|
jpayne@69
|
6780 /**
|
|
jpayne@69
|
6781 * Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.
|
|
jpayne@69
|
6782 *
|
|
jpayne@69
|
6783 * A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT
|
|
jpayne@69
|
6784 * question challenge data, making it available in native C. The main feature
|
|
jpayne@69
|
6785 * of this function is the ability to read the challenge without parsing
|
|
jpayne@69
|
6786 * the JSON.
|
|
jpayne@69
|
6787 *
|
|
jpayne@69
|
6788 * The returned value must be passed to krb5_responder_pkinit_challenge_free()
|
|
jpayne@69
|
6789 * to be freed.
|
|
jpayne@69
|
6790 *
|
|
jpayne@69
|
6791 * @param [in] ctx Library context
|
|
jpayne@69
|
6792 * @param [in] rctx Responder context
|
|
jpayne@69
|
6793 * @param [out] chl_out Challenge structure
|
|
jpayne@69
|
6794 *
|
|
jpayne@69
|
6795 * @version New in 1.12
|
|
jpayne@69
|
6796 */
|
|
jpayne@69
|
6797 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6798 krb5_responder_pkinit_get_challenge(krb5_context ctx,
|
|
jpayne@69
|
6799 krb5_responder_context rctx,
|
|
jpayne@69
|
6800 krb5_responder_pkinit_challenge **chl_out);
|
|
jpayne@69
|
6801
|
|
jpayne@69
|
6802 /**
|
|
jpayne@69
|
6803 * Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.
|
|
jpayne@69
|
6804 *
|
|
jpayne@69
|
6805 * @param [in] ctx Library context
|
|
jpayne@69
|
6806 * @param [in] rctx Responder context
|
|
jpayne@69
|
6807 * @param [in] identity The identity for which a PIN is being supplied
|
|
jpayne@69
|
6808 * @param [in] pin The provided PIN, or NULL for none
|
|
jpayne@69
|
6809 *
|
|
jpayne@69
|
6810 * @version New in 1.12
|
|
jpayne@69
|
6811 */
|
|
jpayne@69
|
6812 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6813 krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx,
|
|
jpayne@69
|
6814 const char *identity, const char *pin);
|
|
jpayne@69
|
6815
|
|
jpayne@69
|
6816 /**
|
|
jpayne@69
|
6817 * Free the value returned by krb5_responder_pkinit_get_challenge().
|
|
jpayne@69
|
6818 *
|
|
jpayne@69
|
6819 * @param [in] ctx Library context
|
|
jpayne@69
|
6820 * @param [in] rctx Responder context
|
|
jpayne@69
|
6821 * @param [in] chl The challenge to free
|
|
jpayne@69
|
6822 *
|
|
jpayne@69
|
6823 * @version New in 1.12
|
|
jpayne@69
|
6824 */
|
|
jpayne@69
|
6825 void KRB5_CALLCONV
|
|
jpayne@69
|
6826 krb5_responder_pkinit_challenge_free(krb5_context ctx,
|
|
jpayne@69
|
6827 krb5_responder_context rctx,
|
|
jpayne@69
|
6828 krb5_responder_pkinit_challenge *chl);
|
|
jpayne@69
|
6829
|
|
jpayne@69
|
6830 /** Store options for @c _krb5_get_init_creds */
|
|
jpayne@69
|
6831 typedef struct _krb5_get_init_creds_opt {
|
|
jpayne@69
|
6832 krb5_flags flags;
|
|
jpayne@69
|
6833 krb5_deltat tkt_life;
|
|
jpayne@69
|
6834 krb5_deltat renew_life;
|
|
jpayne@69
|
6835 int forwardable;
|
|
jpayne@69
|
6836 int proxiable;
|
|
jpayne@69
|
6837 krb5_enctype *etype_list;
|
|
jpayne@69
|
6838 int etype_list_length;
|
|
jpayne@69
|
6839 krb5_address **address_list;
|
|
jpayne@69
|
6840 krb5_preauthtype *preauth_list;
|
|
jpayne@69
|
6841 int preauth_list_length;
|
|
jpayne@69
|
6842 krb5_data *salt;
|
|
jpayne@69
|
6843 } krb5_get_init_creds_opt;
|
|
jpayne@69
|
6844
|
|
jpayne@69
|
6845 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001
|
|
jpayne@69
|
6846 #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002
|
|
jpayne@69
|
6847 #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004
|
|
jpayne@69
|
6848 #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008
|
|
jpayne@69
|
6849 #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010
|
|
jpayne@69
|
6850 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
|
|
jpayne@69
|
6851 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
|
|
jpayne@69
|
6852 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
|
|
jpayne@69
|
6853 #define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
|
|
jpayne@69
|
6854 #define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200
|
|
jpayne@69
|
6855 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400
|
|
jpayne@69
|
6856
|
|
jpayne@69
|
6857
|
|
jpayne@69
|
6858 /**
|
|
jpayne@69
|
6859 * Allocate a new initial credential options structure.
|
|
jpayne@69
|
6860 *
|
|
jpayne@69
|
6861 * @param [in] context Library context
|
|
jpayne@69
|
6862 * @param [out] opt New options structure
|
|
jpayne@69
|
6863 *
|
|
jpayne@69
|
6864 * This function is the preferred way to create an options structure for
|
|
jpayne@69
|
6865 * getting initial credentials, and is required to make use of certain options.
|
|
jpayne@69
|
6866 * Use krb5_get_init_creds_opt_free() to free @a opt when it is no longer
|
|
jpayne@69
|
6867 * needed.
|
|
jpayne@69
|
6868 *
|
|
jpayne@69
|
6869 * @retval 0 - Success; Kerberos errors otherwise.
|
|
jpayne@69
|
6870 */
|
|
jpayne@69
|
6871 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
6872 krb5_get_init_creds_opt_alloc(krb5_context context,
|
|
jpayne@69
|
6873 krb5_get_init_creds_opt **opt);
|
|
jpayne@69
|
6874
|
|
jpayne@69
|
6875 /**
|
|
jpayne@69
|
6876 * Free initial credential options.
|
|
jpayne@69
|
6877 *
|
|
jpayne@69
|
6878 * @param [in] context Library context
|
|
jpayne@69
|
6879 * @param [in] opt Options structure to free
|
|
jpayne@69
|
6880 *
|
|
jpayne@69
|
6881 * @sa krb5_get_init_creds_opt_alloc()
|
|
jpayne@69
|
6882 */
|
|
jpayne@69
|
6883 void KRB5_CALLCONV
|
|
jpayne@69
|
6884 krb5_get_init_creds_opt_free(krb5_context context,
|
|
jpayne@69
|
6885 krb5_get_init_creds_opt *opt);
|
|
jpayne@69
|
6886
|
|
jpayne@69
|
6887 /** @deprecated Use krb5_get_init_creds_opt_alloc() instead. */
|
|
jpayne@69
|
6888 void KRB5_CALLCONV
|
|
jpayne@69
|
6889 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
|
|
jpayne@69
|
6890
|
|
jpayne@69
|
6891 /**
|
|
jpayne@69
|
6892 * Set the ticket lifetime in initial credential options.
|
|
jpayne@69
|
6893 *
|
|
jpayne@69
|
6894 * @param [in] opt Options structure
|
|
jpayne@69
|
6895 * @param [in] tkt_life Ticket lifetime
|
|
jpayne@69
|
6896 */
|
|
jpayne@69
|
6897 void KRB5_CALLCONV
|
|
jpayne@69
|
6898 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6899 krb5_deltat tkt_life);
|
|
jpayne@69
|
6900
|
|
jpayne@69
|
6901 /**
|
|
jpayne@69
|
6902 * Set the ticket renewal lifetime in initial credential options.
|
|
jpayne@69
|
6903 *
|
|
jpayne@69
|
6904 * @param [in] opt Pointer to @a options field
|
|
jpayne@69
|
6905 * @param [in] renew_life Ticket renewal lifetime
|
|
jpayne@69
|
6906 */
|
|
jpayne@69
|
6907 void KRB5_CALLCONV
|
|
jpayne@69
|
6908 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6909 krb5_deltat renew_life);
|
|
jpayne@69
|
6910
|
|
jpayne@69
|
6911 /**
|
|
jpayne@69
|
6912 * Set or unset the forwardable flag in initial credential options.
|
|
jpayne@69
|
6913 *
|
|
jpayne@69
|
6914 * @param [in] opt Options structure
|
|
jpayne@69
|
6915 * @param [in] forwardable Whether credentials should be forwardable
|
|
jpayne@69
|
6916 */
|
|
jpayne@69
|
6917 void KRB5_CALLCONV
|
|
jpayne@69
|
6918 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6919 int forwardable);
|
|
jpayne@69
|
6920
|
|
jpayne@69
|
6921 /**
|
|
jpayne@69
|
6922 * Set or unset the proxiable flag in initial credential options.
|
|
jpayne@69
|
6923 *
|
|
jpayne@69
|
6924 * @param [in] opt Options structure
|
|
jpayne@69
|
6925 * @param [in] proxiable Whether credentials should be proxiable
|
|
jpayne@69
|
6926 */
|
|
jpayne@69
|
6927 void KRB5_CALLCONV
|
|
jpayne@69
|
6928 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6929 int proxiable);
|
|
jpayne@69
|
6930
|
|
jpayne@69
|
6931 /**
|
|
jpayne@69
|
6932 * Set or unset the canonicalize flag in initial credential options.
|
|
jpayne@69
|
6933 *
|
|
jpayne@69
|
6934 * @param [in] opt Options structure
|
|
jpayne@69
|
6935 * @param [in] canonicalize Whether to canonicalize client principal
|
|
jpayne@69
|
6936 */
|
|
jpayne@69
|
6937 void KRB5_CALLCONV
|
|
jpayne@69
|
6938 krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6939 int canonicalize);
|
|
jpayne@69
|
6940
|
|
jpayne@69
|
6941 /**
|
|
jpayne@69
|
6942 * Set or unset the anonymous flag in initial credential options.
|
|
jpayne@69
|
6943 *
|
|
jpayne@69
|
6944 * @param [in] opt Options structure
|
|
jpayne@69
|
6945 * @param [in] anonymous Whether to make an anonymous request
|
|
jpayne@69
|
6946 *
|
|
jpayne@69
|
6947 * This function may be used to request anonymous credentials from the KDC by
|
|
jpayne@69
|
6948 * setting @a anonymous to non-zero. Note that anonymous credentials are only
|
|
jpayne@69
|
6949 * a request; clients must verify that credentials are anonymous if that is a
|
|
jpayne@69
|
6950 * requirement.
|
|
jpayne@69
|
6951 */
|
|
jpayne@69
|
6952 void KRB5_CALLCONV
|
|
jpayne@69
|
6953 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6954 int anonymous);
|
|
jpayne@69
|
6955
|
|
jpayne@69
|
6956 /**
|
|
jpayne@69
|
6957 * Set allowable encryption types in initial credential options.
|
|
jpayne@69
|
6958 *
|
|
jpayne@69
|
6959 * @param [in] opt Options structure
|
|
jpayne@69
|
6960 * @param [in] etype_list Array of encryption types
|
|
jpayne@69
|
6961 * @param [in] etype_list_length Length of @a etype_list
|
|
jpayne@69
|
6962 */
|
|
jpayne@69
|
6963 void KRB5_CALLCONV
|
|
jpayne@69
|
6964 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6965 krb5_enctype *etype_list,
|
|
jpayne@69
|
6966 int etype_list_length);
|
|
jpayne@69
|
6967
|
|
jpayne@69
|
6968 /**
|
|
jpayne@69
|
6969 * Set address restrictions in initial credential options.
|
|
jpayne@69
|
6970 *
|
|
jpayne@69
|
6971 * @param [in] opt Options structure
|
|
jpayne@69
|
6972 * @param [in] addresses Null-terminated array of addresses
|
|
jpayne@69
|
6973 */
|
|
jpayne@69
|
6974 void KRB5_CALLCONV
|
|
jpayne@69
|
6975 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6976 krb5_address **addresses);
|
|
jpayne@69
|
6977
|
|
jpayne@69
|
6978 /**
|
|
jpayne@69
|
6979 * Set preauthentication types in initial credential options.
|
|
jpayne@69
|
6980 *
|
|
jpayne@69
|
6981 * @param [in] opt Options structure
|
|
jpayne@69
|
6982 * @param [in] preauth_list Array of preauthentication types
|
|
jpayne@69
|
6983 * @param [in] preauth_list_length Length of @a preauth_list
|
|
jpayne@69
|
6984 *
|
|
jpayne@69
|
6985 * This function can be used to perform optimistic preauthentication when
|
|
jpayne@69
|
6986 * getting initial credentials, in combination with
|
|
jpayne@69
|
6987 * krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa().
|
|
jpayne@69
|
6988 */
|
|
jpayne@69
|
6989 void KRB5_CALLCONV
|
|
jpayne@69
|
6990 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
6991 krb5_preauthtype *preauth_list,
|
|
jpayne@69
|
6992 int preauth_list_length);
|
|
jpayne@69
|
6993
|
|
jpayne@69
|
6994 /**
|
|
jpayne@69
|
6995 * Set salt for optimistic preauthentication in initial credential options.
|
|
jpayne@69
|
6996 *
|
|
jpayne@69
|
6997 * @param [in] opt Options structure
|
|
jpayne@69
|
6998 * @param [in] salt Salt data
|
|
jpayne@69
|
6999 *
|
|
jpayne@69
|
7000 * When getting initial credentials with a password, a salt string it used to
|
|
jpayne@69
|
7001 * convert the password to a key. Normally this salt is obtained from the
|
|
jpayne@69
|
7002 * first KDC reply, but when performing optimistic preauthentication, the
|
|
jpayne@69
|
7003 * client may need to supply the salt string with this function.
|
|
jpayne@69
|
7004 */
|
|
jpayne@69
|
7005 void KRB5_CALLCONV
|
|
jpayne@69
|
7006 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7007 krb5_data *salt);
|
|
jpayne@69
|
7008
|
|
jpayne@69
|
7009 /**
|
|
jpayne@69
|
7010 * Set or unset change-password-prompt flag in initial credential options.
|
|
jpayne@69
|
7011 *
|
|
jpayne@69
|
7012 * @param [in] opt Options structure
|
|
jpayne@69
|
7013 * @param [in] prompt Whether to prompt to change password
|
|
jpayne@69
|
7014 *
|
|
jpayne@69
|
7015 * This flag is on by default. It controls whether
|
|
jpayne@69
|
7016 * krb5_get_init_creds_password() will react to an expired-password error by
|
|
jpayne@69
|
7017 * prompting for a new password and attempting to change the old one.
|
|
jpayne@69
|
7018 */
|
|
jpayne@69
|
7019 void KRB5_CALLCONV
|
|
jpayne@69
|
7020 krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7021 int prompt);
|
|
jpayne@69
|
7022
|
|
jpayne@69
|
7023 /** Generic preauth option attribute/value pairs */
|
|
jpayne@69
|
7024 typedef struct _krb5_gic_opt_pa_data {
|
|
jpayne@69
|
7025 char *attr;
|
|
jpayne@69
|
7026 char *value;
|
|
jpayne@69
|
7027 } krb5_gic_opt_pa_data;
|
|
jpayne@69
|
7028
|
|
jpayne@69
|
7029 /**
|
|
jpayne@69
|
7030 * Supply options for preauthentication in initial credential options.
|
|
jpayne@69
|
7031 *
|
|
jpayne@69
|
7032 * @param [in] context Library context
|
|
jpayne@69
|
7033 * @param [in] opt Options structure
|
|
jpayne@69
|
7034 * @param [in] attr Preauthentication option name
|
|
jpayne@69
|
7035 * @param [in] value Preauthentication option value
|
|
jpayne@69
|
7036 *
|
|
jpayne@69
|
7037 * This function allows the caller to supply options for preauthentication.
|
|
jpayne@69
|
7038 * The values of @a attr and @a value are supplied to each preauthentication
|
|
jpayne@69
|
7039 * module available within @a context.
|
|
jpayne@69
|
7040 */
|
|
jpayne@69
|
7041 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7042 krb5_get_init_creds_opt_set_pa(krb5_context context,
|
|
jpayne@69
|
7043 krb5_get_init_creds_opt *opt, const char *attr,
|
|
jpayne@69
|
7044 const char *value);
|
|
jpayne@69
|
7045
|
|
jpayne@69
|
7046 /**
|
|
jpayne@69
|
7047 * Set location of FAST armor ccache in initial credential options.
|
|
jpayne@69
|
7048 *
|
|
jpayne@69
|
7049 * @param [in] context Library context
|
|
jpayne@69
|
7050 * @param [in] opt Options
|
|
jpayne@69
|
7051 * @param [in] fast_ccache_name Credential cache name
|
|
jpayne@69
|
7052 *
|
|
jpayne@69
|
7053 * Sets the location of a credential cache containing an armor ticket to
|
|
jpayne@69
|
7054 * protect an initial credential exchange using the FAST protocol extension.
|
|
jpayne@69
|
7055 *
|
|
jpayne@69
|
7056 * In version 1.7, setting an armor ccache requires that FAST be used for the
|
|
jpayne@69
|
7057 * exchange. In version 1.8 or later, setting the armor ccache causes FAST to
|
|
jpayne@69
|
7058 * be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags()
|
|
jpayne@69
|
7059 * must be used to require that FAST be used.
|
|
jpayne@69
|
7060 */
|
|
jpayne@69
|
7061 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7062 krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
|
|
jpayne@69
|
7063 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7064 const char *fast_ccache_name);
|
|
jpayne@69
|
7065
|
|
jpayne@69
|
7066 /**
|
|
jpayne@69
|
7067 * Set FAST armor cache in initial credential options.
|
|
jpayne@69
|
7068 *
|
|
jpayne@69
|
7069 * @param [in] context Library context
|
|
jpayne@69
|
7070 * @param [in] opt Options
|
|
jpayne@69
|
7071 * @param [in] ccache Credential cache handle
|
|
jpayne@69
|
7072 *
|
|
jpayne@69
|
7073 * This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(),
|
|
jpayne@69
|
7074 * but uses a credential cache handle instead of a name.
|
|
jpayne@69
|
7075 *
|
|
jpayne@69
|
7076 * @version New in 1.9
|
|
jpayne@69
|
7077 */
|
|
jpayne@69
|
7078 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7079 krb5_get_init_creds_opt_set_fast_ccache(krb5_context context,
|
|
jpayne@69
|
7080 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7081 krb5_ccache ccache);
|
|
jpayne@69
|
7082
|
|
jpayne@69
|
7083 /**
|
|
jpayne@69
|
7084 * Set an input credential cache in initial credential options.
|
|
jpayne@69
|
7085 *
|
|
jpayne@69
|
7086 * @param [in] context Library context
|
|
jpayne@69
|
7087 * @param [in] opt Options
|
|
jpayne@69
|
7088 * @param [in] ccache Credential cache handle
|
|
jpayne@69
|
7089 *
|
|
jpayne@69
|
7090 * If an input credential cache is set, then the krb5_get_init_creds family of
|
|
jpayne@69
|
7091 * APIs will read settings from it. Setting an input ccache is desirable when
|
|
jpayne@69
|
7092 * the application wishes to perform authentication in the same way (using the
|
|
jpayne@69
|
7093 * same preauthentication mechanisms, and making the same non-security-
|
|
jpayne@69
|
7094 * sensitive choices) as the previous authentication attempt, which stored
|
|
jpayne@69
|
7095 * information in the passed-in ccache.
|
|
jpayne@69
|
7096 *
|
|
jpayne@69
|
7097 * @version New in 1.11
|
|
jpayne@69
|
7098 */
|
|
jpayne@69
|
7099 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7100 krb5_get_init_creds_opt_set_in_ccache(krb5_context context,
|
|
jpayne@69
|
7101 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7102 krb5_ccache ccache);
|
|
jpayne@69
|
7103
|
|
jpayne@69
|
7104 /**
|
|
jpayne@69
|
7105 * Set an output credential cache in initial credential options.
|
|
jpayne@69
|
7106 *
|
|
jpayne@69
|
7107 * @param [in] context Library context
|
|
jpayne@69
|
7108 * @param [in] opt Options
|
|
jpayne@69
|
7109 * @param [in] ccache Credential cache handle
|
|
jpayne@69
|
7110 *
|
|
jpayne@69
|
7111 * If an output credential cache is set, then the krb5_get_init_creds family of
|
|
jpayne@69
|
7112 * APIs will write credentials to it. Setting an output ccache is desirable
|
|
jpayne@69
|
7113 * both because it simplifies calling code and because it permits the
|
|
jpayne@69
|
7114 * krb5_get_init_creds APIs to write out configuration information about the
|
|
jpayne@69
|
7115 * realm to the ccache.
|
|
jpayne@69
|
7116 */
|
|
jpayne@69
|
7117 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7118 krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
|
|
jpayne@69
|
7119 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7120 krb5_ccache ccache);
|
|
jpayne@69
|
7121
|
|
jpayne@69
|
7122 /**
|
|
jpayne@69
|
7123 * @brief Ask the KDC to include or not include a PAC in the ticket
|
|
jpayne@69
|
7124 *
|
|
jpayne@69
|
7125 * @param [in] context Library context
|
|
jpayne@69
|
7126 * @param [in] opt Options structure
|
|
jpayne@69
|
7127 * @param [in] req_pac Whether to request a PAC or not
|
|
jpayne@69
|
7128 *
|
|
jpayne@69
|
7129 * If this option is set, the AS request will include a PAC-REQUEST pa-data
|
|
jpayne@69
|
7130 * item explicitly asking the KDC to either include or not include a privilege
|
|
jpayne@69
|
7131 * attribute certificate in the ticket authorization data. By default, no
|
|
jpayne@69
|
7132 * request is made; typically the KDC will default to including a PAC if it
|
|
jpayne@69
|
7133 * supports them.
|
|
jpayne@69
|
7134 *
|
|
jpayne@69
|
7135 * @version New in 1.15
|
|
jpayne@69
|
7136 */
|
|
jpayne@69
|
7137 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7138 krb5_get_init_creds_opt_set_pac_request(krb5_context context,
|
|
jpayne@69
|
7139 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7140 krb5_boolean req_pac);
|
|
jpayne@69
|
7141
|
|
jpayne@69
|
7142 /**
|
|
jpayne@69
|
7143 * Set FAST flags in initial credential options.
|
|
jpayne@69
|
7144 *
|
|
jpayne@69
|
7145 * @param [in] context Library context
|
|
jpayne@69
|
7146 * @param [in] opt Options
|
|
jpayne@69
|
7147 * @param [in] flags FAST flags
|
|
jpayne@69
|
7148 *
|
|
jpayne@69
|
7149 * The following flag values are valid:
|
|
jpayne@69
|
7150 * @li #KRB5_FAST_REQUIRED - Require FAST to be used
|
|
jpayne@69
|
7151 *
|
|
jpayne@69
|
7152 * @retval
|
|
jpayne@69
|
7153 * 0 - Success; Kerberos errors otherwise.
|
|
jpayne@69
|
7154 */
|
|
jpayne@69
|
7155 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7156 krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
|
|
jpayne@69
|
7157 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7158 krb5_flags flags);
|
|
jpayne@69
|
7159
|
|
jpayne@69
|
7160 /**
|
|
jpayne@69
|
7161 * Retrieve FAST flags from initial credential options.
|
|
jpayne@69
|
7162 *
|
|
jpayne@69
|
7163 * @param [in] context Library context
|
|
jpayne@69
|
7164 * @param [in] opt Options
|
|
jpayne@69
|
7165 * @param [out] out_flags FAST flags
|
|
jpayne@69
|
7166 *
|
|
jpayne@69
|
7167 * @retval
|
|
jpayne@69
|
7168 * 0 - Success; Kerberos errors otherwise.
|
|
jpayne@69
|
7169 */
|
|
jpayne@69
|
7170 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7171 krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
|
|
jpayne@69
|
7172 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7173 krb5_flags *out_flags);
|
|
jpayne@69
|
7174
|
|
jpayne@69
|
7175 /* Fast flags*/
|
|
jpayne@69
|
7176 #define KRB5_FAST_REQUIRED 0x0001 /**< Require KDC to support FAST*/
|
|
jpayne@69
|
7177
|
|
jpayne@69
|
7178 typedef void
|
|
jpayne@69
|
7179 (KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data,
|
|
jpayne@69
|
7180 krb5_timestamp password_expiration,
|
|
jpayne@69
|
7181 krb5_timestamp account_expiration,
|
|
jpayne@69
|
7182 krb5_boolean is_last_req);
|
|
jpayne@69
|
7183
|
|
jpayne@69
|
7184 /**
|
|
jpayne@69
|
7185 * Set an expiration callback in initial credential options.
|
|
jpayne@69
|
7186 *
|
|
jpayne@69
|
7187 * @param [in] context Library context
|
|
jpayne@69
|
7188 * @param [in] opt Options structure
|
|
jpayne@69
|
7189 * @param [in] cb Callback function
|
|
jpayne@69
|
7190 * @param [in] data Callback argument
|
|
jpayne@69
|
7191 *
|
|
jpayne@69
|
7192 * Set a callback to receive password and account expiration times.
|
|
jpayne@69
|
7193 *
|
|
jpayne@69
|
7194 * @a cb will be invoked if and only if credentials are successfully acquired.
|
|
jpayne@69
|
7195 * The callback will receive the @a context from the calling function and the
|
|
jpayne@69
|
7196 * @a data argument supplied with this API. The remaining arguments should be
|
|
jpayne@69
|
7197 * interpreted as follows:
|
|
jpayne@69
|
7198 *
|
|
jpayne@69
|
7199 * If @a is_last_req is true, then the KDC reply contained last-req entries
|
|
jpayne@69
|
7200 * which unambiguously indicated the password expiration, account expiration,
|
|
jpayne@69
|
7201 * or both. (If either value was not present, the corresponding argument will
|
|
jpayne@69
|
7202 * be 0.) Furthermore, a non-zero @a password_expiration should be taken as a
|
|
jpayne@69
|
7203 * suggestion from the KDC that a warning be displayed.
|
|
jpayne@69
|
7204 *
|
|
jpayne@69
|
7205 * If @a is_last_req is false, then @a account_expiration will be 0 and @a
|
|
jpayne@69
|
7206 * password_expiration will contain the expiration time of either the password
|
|
jpayne@69
|
7207 * or account, or 0 if no expiration time was indicated in the KDC reply. The
|
|
jpayne@69
|
7208 * callback should independently decide whether to display a password
|
|
jpayne@69
|
7209 * expiration warning.
|
|
jpayne@69
|
7210 *
|
|
jpayne@69
|
7211 * Note that @a cb may be invoked even if credentials are being acquired for
|
|
jpayne@69
|
7212 * the kadmin/changepw service in order to change the password. It is the
|
|
jpayne@69
|
7213 * caller's responsibility to avoid displaying a password expiry warning in
|
|
jpayne@69
|
7214 * this case.
|
|
jpayne@69
|
7215 *
|
|
jpayne@69
|
7216 * @warning Setting an expire callback with this API will cause
|
|
jpayne@69
|
7217 * krb5_get_init_creds_password() not to send password expiry warnings to the
|
|
jpayne@69
|
7218 * prompter, as it ordinarily may.
|
|
jpayne@69
|
7219 *
|
|
jpayne@69
|
7220 * @version New in 1.9
|
|
jpayne@69
|
7221 */
|
|
jpayne@69
|
7222 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7223 krb5_get_init_creds_opt_set_expire_callback(krb5_context context,
|
|
jpayne@69
|
7224 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7225 krb5_expire_callback_func cb,
|
|
jpayne@69
|
7226 void *data);
|
|
jpayne@69
|
7227
|
|
jpayne@69
|
7228 /**
|
|
jpayne@69
|
7229 * Set the responder function in initial credential options.
|
|
jpayne@69
|
7230 *
|
|
jpayne@69
|
7231 * @param [in] context Library context
|
|
jpayne@69
|
7232 * @param [in] opt Options structure
|
|
jpayne@69
|
7233 * @param [in] responder Responder function
|
|
jpayne@69
|
7234 * @param [in] data Responder data argument
|
|
jpayne@69
|
7235 *
|
|
jpayne@69
|
7236 * @version New in 1.11
|
|
jpayne@69
|
7237 */
|
|
jpayne@69
|
7238 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7239 krb5_get_init_creds_opt_set_responder(krb5_context context,
|
|
jpayne@69
|
7240 krb5_get_init_creds_opt *opt,
|
|
jpayne@69
|
7241 krb5_responder_fn responder, void *data);
|
|
jpayne@69
|
7242
|
|
jpayne@69
|
7243 /**
|
|
jpayne@69
|
7244 * Get initial credentials using a password.
|
|
jpayne@69
|
7245 *
|
|
jpayne@69
|
7246 * @param [in] context Library context
|
|
jpayne@69
|
7247 * @param [out] creds New credentials
|
|
jpayne@69
|
7248 * @param [in] client Client principal
|
|
jpayne@69
|
7249 * @param [in] password Password (or NULL)
|
|
jpayne@69
|
7250 * @param [in] prompter Prompter function
|
|
jpayne@69
|
7251 * @param [in] data Prompter callback data
|
|
jpayne@69
|
7252 * @param [in] start_time Time when ticket becomes valid (0 for now)
|
|
jpayne@69
|
7253 * @param [in] in_tkt_service Service name of initial credentials (or NULL)
|
|
jpayne@69
|
7254 * @param [in] k5_gic_options Initial credential options
|
|
jpayne@69
|
7255 *
|
|
jpayne@69
|
7256 * This function requests KDC for an initial credentials for @a client using @a
|
|
jpayne@69
|
7257 * password. If @a password is NULL, a password will be prompted for using @a
|
|
jpayne@69
|
7258 * prompter if necessary. If @a in_tkt_service is specified, it is parsed as a
|
|
jpayne@69
|
7259 * principal name (with the realm ignored) and used as the service principal
|
|
jpayne@69
|
7260 * for the request; otherwise the ticket-granting service is used.
|
|
jpayne@69
|
7261 *
|
|
jpayne@69
|
7262 * @sa krb5_verify_init_creds()
|
|
jpayne@69
|
7263 *
|
|
jpayne@69
|
7264 * @retval
|
|
jpayne@69
|
7265 * 0 Success
|
|
jpayne@69
|
7266 * @retval
|
|
jpayne@69
|
7267 * EINVAL Invalid argument
|
|
jpayne@69
|
7268 * @retval
|
|
jpayne@69
|
7269 * KRB5_KDC_UNREACH Cannot contact any KDC for requested realm
|
|
jpayne@69
|
7270 * @retval
|
|
jpayne@69
|
7271 * KRB5_PREAUTH_FAILED Generic Pre-athentication failure
|
|
jpayne@69
|
7272 * @retval
|
|
jpayne@69
|
7273 * KRB5_LIBOS_PWDINTR Password read interrupted
|
|
jpayne@69
|
7274 * @retval
|
|
jpayne@69
|
7275 * KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm
|
|
jpayne@69
|
7276 * @retval
|
|
jpayne@69
|
7277 * KRB5KDC_ERR_KEY_EXP Password has expired
|
|
jpayne@69
|
7278 * @retval
|
|
jpayne@69
|
7279 * KRB5_LIBOS_BADPWDMATCH Password mismatch
|
|
jpayne@69
|
7280 * @retval
|
|
jpayne@69
|
7281 * KRB5_CHPW_PWDNULL New password cannot be zero length
|
|
jpayne@69
|
7282 * @retval
|
|
jpayne@69
|
7283 * KRB5_CHPW_FAIL Password change failed
|
|
jpayne@69
|
7284 * @return
|
|
jpayne@69
|
7285 * Kerberos error codes
|
|
jpayne@69
|
7286 */
|
|
jpayne@69
|
7287 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7288 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
7289 krb5_principal client, const char *password,
|
|
jpayne@69
|
7290 krb5_prompter_fct prompter, void *data,
|
|
jpayne@69
|
7291 krb5_deltat start_time,
|
|
jpayne@69
|
7292 const char *in_tkt_service,
|
|
jpayne@69
|
7293 krb5_get_init_creds_opt *k5_gic_options);
|
|
jpayne@69
|
7294
|
|
jpayne@69
|
7295 /**
|
|
jpayne@69
|
7296 * Retrieve enctype, salt and s2kparams from KDC
|
|
jpayne@69
|
7297 *
|
|
jpayne@69
|
7298 * @param [in] context Library context
|
|
jpayne@69
|
7299 * @param [in] principal Principal whose information is requested
|
|
jpayne@69
|
7300 * @param [in] opt Initial credential options
|
|
jpayne@69
|
7301 * @param [out] enctype_out The enctype chosen by KDC
|
|
jpayne@69
|
7302 * @param [out] salt_out Salt returned from KDC
|
|
jpayne@69
|
7303 * @param [out] s2kparams_out String-to-key parameters returned from KDC
|
|
jpayne@69
|
7304 *
|
|
jpayne@69
|
7305 * Send an initial ticket request for @a principal and extract the encryption
|
|
jpayne@69
|
7306 * type, salt type, and string-to-key parameters from the KDC response. If the
|
|
jpayne@69
|
7307 * KDC provides no etype-info, set @a enctype_out to @c ENCTYPE_NULL and set @a
|
|
jpayne@69
|
7308 * salt_out and @a s2kparams_out to empty. If the KDC etype-info provides no
|
|
jpayne@69
|
7309 * salt, compute the default salt and place it in @a salt_out. If the KDC
|
|
jpayne@69
|
7310 * etype-info provides no string-to-key parameters, set @a s2kparams_out to
|
|
jpayne@69
|
7311 * empty.
|
|
jpayne@69
|
7312 *
|
|
jpayne@69
|
7313 * @a opt may be used to specify options which affect the initial request, such
|
|
jpayne@69
|
7314 * as request encryption types or a FAST armor cache (see
|
|
jpayne@69
|
7315 * krb5_get_init_creds_opt_set_etype_list() and
|
|
jpayne@69
|
7316 * krb5_get_init_creds_opt_set_fast_ccache_name()).
|
|
jpayne@69
|
7317 *
|
|
jpayne@69
|
7318 * Use krb5_free_data_contents() to free @a salt_out and @a s2kparams_out when
|
|
jpayne@69
|
7319 * they are no longer needed.
|
|
jpayne@69
|
7320 *
|
|
jpayne@69
|
7321 * @version New in 1.17
|
|
jpayne@69
|
7322 *
|
|
jpayne@69
|
7323 * @retval 0 Success
|
|
jpayne@69
|
7324 * @return A Kerberos error code
|
|
jpayne@69
|
7325 */
|
|
jpayne@69
|
7326 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7327 krb5_get_etype_info(krb5_context context, krb5_principal principal,
|
|
jpayne@69
|
7328 krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out,
|
|
jpayne@69
|
7329 krb5_data *salt_out, krb5_data *s2kparams_out);
|
|
jpayne@69
|
7330
|
|
jpayne@69
|
7331 struct _krb5_init_creds_context;
|
|
jpayne@69
|
7332 typedef struct _krb5_init_creds_context *krb5_init_creds_context;
|
|
jpayne@69
|
7333
|
|
jpayne@69
|
7334 #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */
|
|
jpayne@69
|
7335
|
|
jpayne@69
|
7336 /**
|
|
jpayne@69
|
7337 * Free an initial credentials context.
|
|
jpayne@69
|
7338 *
|
|
jpayne@69
|
7339 * @param [in] context Library context
|
|
jpayne@69
|
7340 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7341 *
|
|
jpayne@69
|
7342 * @a context must be the same as the one passed to krb5_init_creds_init() for
|
|
jpayne@69
|
7343 * this initial credentials context.
|
|
jpayne@69
|
7344 */
|
|
jpayne@69
|
7345 void KRB5_CALLCONV
|
|
jpayne@69
|
7346 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
|
|
jpayne@69
|
7347
|
|
jpayne@69
|
7348 /**
|
|
jpayne@69
|
7349 * Acquire credentials using an initial credentials context.
|
|
jpayne@69
|
7350 *
|
|
jpayne@69
|
7351 * @param [in] context Library context
|
|
jpayne@69
|
7352 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7353 *
|
|
jpayne@69
|
7354 * This function synchronously obtains credentials using a context created by
|
|
jpayne@69
|
7355 * krb5_init_creds_init(). On successful return, the credentials can be
|
|
jpayne@69
|
7356 * retrieved with krb5_init_creds_get_creds().
|
|
jpayne@69
|
7357 *
|
|
jpayne@69
|
7358 * @a context must be the same as the one passed to krb5_init_creds_init() for
|
|
jpayne@69
|
7359 * this initial credentials context.
|
|
jpayne@69
|
7360 *
|
|
jpayne@69
|
7361 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7362 */
|
|
jpayne@69
|
7363 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7364 krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx);
|
|
jpayne@69
|
7365
|
|
jpayne@69
|
7366 /**
|
|
jpayne@69
|
7367 * Retrieve acquired credentials from an initial credentials context.
|
|
jpayne@69
|
7368 *
|
|
jpayne@69
|
7369 * @param [in] context Library context
|
|
jpayne@69
|
7370 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7371 * @param [out] creds Acquired credentials
|
|
jpayne@69
|
7372 *
|
|
jpayne@69
|
7373 * This function copies the acquired initial credentials from @a ctx into @a
|
|
jpayne@69
|
7374 * creds, after the successful completion of krb5_init_creds_get() or
|
|
jpayne@69
|
7375 * krb5_init_creds_step(). Use krb5_free_cred_contents() to free @a creds when
|
|
jpayne@69
|
7376 * it is no longer needed.
|
|
jpayne@69
|
7377 *
|
|
jpayne@69
|
7378 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7379 */
|
|
jpayne@69
|
7380 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7381 krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7382 krb5_creds *creds);
|
|
jpayne@69
|
7383
|
|
jpayne@69
|
7384 /**
|
|
jpayne@69
|
7385 * Get the last error from KDC from an initial credentials context.
|
|
jpayne@69
|
7386 *
|
|
jpayne@69
|
7387 * @param [in] context Library context
|
|
jpayne@69
|
7388 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7389 * @param [out] error Error from KDC, or NULL if none was received
|
|
jpayne@69
|
7390 *
|
|
jpayne@69
|
7391 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7392 */
|
|
jpayne@69
|
7393 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7394 krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7395 krb5_error **error);
|
|
jpayne@69
|
7396
|
|
jpayne@69
|
7397 /**
|
|
jpayne@69
|
7398 * Create a context for acquiring initial credentials.
|
|
jpayne@69
|
7399 *
|
|
jpayne@69
|
7400 * @param [in] context Library context
|
|
jpayne@69
|
7401 * @param [in] client Client principal to get initial creds for
|
|
jpayne@69
|
7402 * @param [in] prompter Prompter callback
|
|
jpayne@69
|
7403 * @param [in] data Prompter callback argument
|
|
jpayne@69
|
7404 * @param [in] start_time Time when credentials become valid (0 for now)
|
|
jpayne@69
|
7405 * @param [in] options Options structure (NULL for default)
|
|
jpayne@69
|
7406 * @param [out] ctx New initial credentials context
|
|
jpayne@69
|
7407 *
|
|
jpayne@69
|
7408 * This function creates a new context for acquiring initial credentials. Use
|
|
jpayne@69
|
7409 * krb5_init_creds_free() to free @a ctx when it is no longer needed.
|
|
jpayne@69
|
7410 *
|
|
jpayne@69
|
7411 * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
|
|
jpayne@69
|
7412 * krb5_init_creds_free() for this initial credentials context must use the
|
|
jpayne@69
|
7413 * same @a context argument as the one passed to this function.
|
|
jpayne@69
|
7414 *
|
|
jpayne@69
|
7415 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7416 */
|
|
jpayne@69
|
7417 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7418 krb5_init_creds_init(krb5_context context, krb5_principal client,
|
|
jpayne@69
|
7419 krb5_prompter_fct prompter, void *data,
|
|
jpayne@69
|
7420 krb5_deltat start_time, krb5_get_init_creds_opt *options,
|
|
jpayne@69
|
7421 krb5_init_creds_context *ctx);
|
|
jpayne@69
|
7422
|
|
jpayne@69
|
7423 /**
|
|
jpayne@69
|
7424 * Specify a keytab to use for acquiring initial credentials.
|
|
jpayne@69
|
7425 *
|
|
jpayne@69
|
7426 * @param [in] context Library context
|
|
jpayne@69
|
7427 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7428 * @param [in] keytab Key table handle
|
|
jpayne@69
|
7429 *
|
|
jpayne@69
|
7430 * This function supplies a keytab containing the client key for an initial
|
|
jpayne@69
|
7431 * credentials request.
|
|
jpayne@69
|
7432 *
|
|
jpayne@69
|
7433 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7434 */
|
|
jpayne@69
|
7435 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7436 krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7437 krb5_keytab keytab);
|
|
jpayne@69
|
7438
|
|
jpayne@69
|
7439 /**
|
|
jpayne@69
|
7440 * Get the next KDC request for acquiring initial credentials.
|
|
jpayne@69
|
7441 *
|
|
jpayne@69
|
7442 * @param [in] context Library context
|
|
jpayne@69
|
7443 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7444 * @param [in] in KDC response (empty on the first call)
|
|
jpayne@69
|
7445 * @param [out] out Next KDC request
|
|
jpayne@69
|
7446 * @param [out] realm Realm for next KDC request
|
|
jpayne@69
|
7447 * @param [out] flags Output flags
|
|
jpayne@69
|
7448 *
|
|
jpayne@69
|
7449 * This function constructs the next KDC request in an initial credential
|
|
jpayne@69
|
7450 * exchange, allowing the caller to control the transport of KDC requests and
|
|
jpayne@69
|
7451 * replies. On the first call, @a in should be set to an empty buffer; on
|
|
jpayne@69
|
7452 * subsequent calls, it should be set to the KDC's reply to the previous
|
|
jpayne@69
|
7453 * request.
|
|
jpayne@69
|
7454 *
|
|
jpayne@69
|
7455 * If more requests are needed, @a flags will be set to
|
|
jpayne@69
|
7456 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in
|
|
jpayne@69
|
7457 * @a out. If no more requests are needed, @a flags will not contain
|
|
jpayne@69
|
7458 * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty.
|
|
jpayne@69
|
7459 *
|
|
jpayne@69
|
7460 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should
|
|
jpayne@69
|
7461 * transmit the next request using TCP rather than UDP. If this function
|
|
jpayne@69
|
7462 * returns any other error, the initial credential exchange has failed.
|
|
jpayne@69
|
7463 *
|
|
jpayne@69
|
7464 * @a context must be the same as the one passed to krb5_init_creds_init() for
|
|
jpayne@69
|
7465 * this initial credentials context.
|
|
jpayne@69
|
7466 *
|
|
jpayne@69
|
7467 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7468 */
|
|
jpayne@69
|
7469 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7470 krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7471 krb5_data *in, krb5_data *out, krb5_data *realm,
|
|
jpayne@69
|
7472 unsigned int *flags);
|
|
jpayne@69
|
7473
|
|
jpayne@69
|
7474 /**
|
|
jpayne@69
|
7475 * Set a password for acquiring initial credentials.
|
|
jpayne@69
|
7476 *
|
|
jpayne@69
|
7477 * @param [in] context Library context
|
|
jpayne@69
|
7478 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7479 * @param [in] password Password
|
|
jpayne@69
|
7480 *
|
|
jpayne@69
|
7481 * This function supplies a password to be used to construct the client key for
|
|
jpayne@69
|
7482 * an initial credentials request.
|
|
jpayne@69
|
7483 *
|
|
jpayne@69
|
7484 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7485 */
|
|
jpayne@69
|
7486 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7487 krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7488 const char *password);
|
|
jpayne@69
|
7489
|
|
jpayne@69
|
7490 /**
|
|
jpayne@69
|
7491 * Specify a service principal for acquiring initial credentials.
|
|
jpayne@69
|
7492 *
|
|
jpayne@69
|
7493 * @param [in] context Library context
|
|
jpayne@69
|
7494 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7495 * @param [in] service Service principal string
|
|
jpayne@69
|
7496 *
|
|
jpayne@69
|
7497 * This function supplies a service principal string to acquire initial
|
|
jpayne@69
|
7498 * credentials for instead of the default krbtgt service. @a service is parsed
|
|
jpayne@69
|
7499 * as a principal name; any realm part is ignored.
|
|
jpayne@69
|
7500 *
|
|
jpayne@69
|
7501 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7502 */
|
|
jpayne@69
|
7503 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7504 krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7505 const char *service);
|
|
jpayne@69
|
7506
|
|
jpayne@69
|
7507 /**
|
|
jpayne@69
|
7508 * Retrieve ticket times from an initial credentials context.
|
|
jpayne@69
|
7509 *
|
|
jpayne@69
|
7510 * @param [in] context Library context
|
|
jpayne@69
|
7511 * @param [in] ctx Initial credentials context
|
|
jpayne@69
|
7512 * @param [out] times Ticket times for acquired credentials
|
|
jpayne@69
|
7513 *
|
|
jpayne@69
|
7514 * The initial credentials context must have completed obtaining credentials
|
|
jpayne@69
|
7515 * via either krb5_init_creds_get() or krb5_init_creds_step().
|
|
jpayne@69
|
7516 *
|
|
jpayne@69
|
7517 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7518 */
|
|
jpayne@69
|
7519 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7520 krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx,
|
|
jpayne@69
|
7521 krb5_ticket_times *times);
|
|
jpayne@69
|
7522
|
|
jpayne@69
|
7523 struct _krb5_tkt_creds_context;
|
|
jpayne@69
|
7524 typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context;
|
|
jpayne@69
|
7525
|
|
jpayne@69
|
7526 /**
|
|
jpayne@69
|
7527 * Create a context to get credentials from a KDC's Ticket Granting Service.
|
|
jpayne@69
|
7528 *
|
|
jpayne@69
|
7529 * @param[in] context Library context
|
|
jpayne@69
|
7530 * @param[in] ccache Credential cache handle
|
|
jpayne@69
|
7531 * @param[in] creds Input credentials
|
|
jpayne@69
|
7532 * @param[in] options @ref KRB5_GC options for this request.
|
|
jpayne@69
|
7533 * @param[out] ctx New TGS request context
|
|
jpayne@69
|
7534 *
|
|
jpayne@69
|
7535 * This function prepares to obtain credentials matching @a creds, either by
|
|
jpayne@69
|
7536 * retrieving them from @a ccache or by making requests to ticket-granting
|
|
jpayne@69
|
7537 * services beginning with a ticket-granting ticket for the client principal's
|
|
jpayne@69
|
7538 * realm.
|
|
jpayne@69
|
7539 *
|
|
jpayne@69
|
7540 * The resulting TGS acquisition context can be used asynchronously with
|
|
jpayne@69
|
7541 * krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also
|
|
jpayne@69
|
7542 * krb5_get_credentials() for synchronous use.
|
|
jpayne@69
|
7543 *
|
|
jpayne@69
|
7544 * Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed.
|
|
jpayne@69
|
7545 *
|
|
jpayne@69
|
7546 * @version New in 1.9
|
|
jpayne@69
|
7547 *
|
|
jpayne@69
|
7548 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7549 */
|
|
jpayne@69
|
7550 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7551 krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache,
|
|
jpayne@69
|
7552 krb5_creds *creds, krb5_flags options,
|
|
jpayne@69
|
7553 krb5_tkt_creds_context *ctx);
|
|
jpayne@69
|
7554
|
|
jpayne@69
|
7555 /**
|
|
jpayne@69
|
7556 * Synchronously obtain credentials using a TGS request context.
|
|
jpayne@69
|
7557 *
|
|
jpayne@69
|
7558 * @param[in] context Library context
|
|
jpayne@69
|
7559 * @param[in] ctx TGS request context
|
|
jpayne@69
|
7560 *
|
|
jpayne@69
|
7561 * This function synchronously obtains credentials using a context created by
|
|
jpayne@69
|
7562 * krb5_tkt_creds_init(). On successful return, the credentials can be
|
|
jpayne@69
|
7563 * retrieved with krb5_tkt_creds_get_creds().
|
|
jpayne@69
|
7564 *
|
|
jpayne@69
|
7565 * @version New in 1.9
|
|
jpayne@69
|
7566 *
|
|
jpayne@69
|
7567 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7568 */
|
|
jpayne@69
|
7569 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7570 krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx);
|
|
jpayne@69
|
7571
|
|
jpayne@69
|
7572 /**
|
|
jpayne@69
|
7573 * Retrieve acquired credentials from a TGS request context.
|
|
jpayne@69
|
7574 *
|
|
jpayne@69
|
7575 * @param[in] context Library context
|
|
jpayne@69
|
7576 * @param[in] ctx TGS request context
|
|
jpayne@69
|
7577 * @param[out] creds Acquired credentials
|
|
jpayne@69
|
7578 *
|
|
jpayne@69
|
7579 * This function copies the acquired initial credentials from @a ctx into @a
|
|
jpayne@69
|
7580 * creds, after the successful completion of krb5_tkt_creds_get() or
|
|
jpayne@69
|
7581 * krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when
|
|
jpayne@69
|
7582 * it is no longer needed.
|
|
jpayne@69
|
7583 *
|
|
jpayne@69
|
7584 * @version New in 1.9
|
|
jpayne@69
|
7585 *
|
|
jpayne@69
|
7586 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7587 */
|
|
jpayne@69
|
7588 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7589 krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx,
|
|
jpayne@69
|
7590 krb5_creds *creds);
|
|
jpayne@69
|
7591
|
|
jpayne@69
|
7592 /**
|
|
jpayne@69
|
7593 * Free a TGS request context.
|
|
jpayne@69
|
7594 *
|
|
jpayne@69
|
7595 * @param[in] context Library context
|
|
jpayne@69
|
7596 * @param[in] ctx TGS request context
|
|
jpayne@69
|
7597 *
|
|
jpayne@69
|
7598 * @version New in 1.9
|
|
jpayne@69
|
7599 */
|
|
jpayne@69
|
7600 void KRB5_CALLCONV
|
|
jpayne@69
|
7601 krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx);
|
|
jpayne@69
|
7602
|
|
jpayne@69
|
7603 #define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */
|
|
jpayne@69
|
7604
|
|
jpayne@69
|
7605 /**
|
|
jpayne@69
|
7606 * Get the next KDC request in a TGS exchange.
|
|
jpayne@69
|
7607 *
|
|
jpayne@69
|
7608 * @param[in] context Library context
|
|
jpayne@69
|
7609 * @param[in] ctx TGS request context
|
|
jpayne@69
|
7610 * @param[in] in KDC response (empty on the first call)
|
|
jpayne@69
|
7611 * @param[out] out Next KDC request
|
|
jpayne@69
|
7612 * @param[out] realm Realm for next KDC request
|
|
jpayne@69
|
7613 * @param[out] flags Output flags
|
|
jpayne@69
|
7614 *
|
|
jpayne@69
|
7615 * This function constructs the next KDC request for a TGS exchange, allowing
|
|
jpayne@69
|
7616 * the caller to control the transport of KDC requests and replies. On the
|
|
jpayne@69
|
7617 * first call, @a in should be set to an empty buffer; on subsequent calls, it
|
|
jpayne@69
|
7618 * should be set to the KDC's reply to the previous request.
|
|
jpayne@69
|
7619 *
|
|
jpayne@69
|
7620 * If more requests are needed, @a flags will be set to
|
|
jpayne@69
|
7621 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in @a
|
|
jpayne@69
|
7622 * out. If no more requests are needed, @a flags will not contain
|
|
jpayne@69
|
7623 * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty.
|
|
jpayne@69
|
7624 *
|
|
jpayne@69
|
7625 * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should
|
|
jpayne@69
|
7626 * transmit the next request using TCP rather than UDP. If this function
|
|
jpayne@69
|
7627 * returns any other error, the TGS exchange has failed.
|
|
jpayne@69
|
7628 *
|
|
jpayne@69
|
7629 * @version New in 1.9
|
|
jpayne@69
|
7630 *
|
|
jpayne@69
|
7631 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7632 */
|
|
jpayne@69
|
7633 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7634 krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx,
|
|
jpayne@69
|
7635 krb5_data *in, krb5_data *out, krb5_data *realm,
|
|
jpayne@69
|
7636 unsigned int *flags);
|
|
jpayne@69
|
7637
|
|
jpayne@69
|
7638 /**
|
|
jpayne@69
|
7639 * Retrieve ticket times from a TGS request context.
|
|
jpayne@69
|
7640 *
|
|
jpayne@69
|
7641 * @param[in] context Library context
|
|
jpayne@69
|
7642 * @param[in] ctx TGS request context
|
|
jpayne@69
|
7643 * @param[out] times Ticket times for acquired credentials
|
|
jpayne@69
|
7644 *
|
|
jpayne@69
|
7645 * The TGS request context must have completed obtaining credentials via either
|
|
jpayne@69
|
7646 * krb5_tkt_creds_get() or krb5_tkt_creds_step().
|
|
jpayne@69
|
7647 *
|
|
jpayne@69
|
7648 * @version New in 1.9
|
|
jpayne@69
|
7649 *
|
|
jpayne@69
|
7650 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7651 */
|
|
jpayne@69
|
7652 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7653 krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx,
|
|
jpayne@69
|
7654 krb5_ticket_times *times);
|
|
jpayne@69
|
7655
|
|
jpayne@69
|
7656 /**
|
|
jpayne@69
|
7657 * Get initial credentials using a key table.
|
|
jpayne@69
|
7658 *
|
|
jpayne@69
|
7659 * @param [in] context Library context
|
|
jpayne@69
|
7660 * @param [out] creds New credentials
|
|
jpayne@69
|
7661 * @param [in] client Client principal
|
|
jpayne@69
|
7662 * @param [in] arg_keytab Key table handle
|
|
jpayne@69
|
7663 * @param [in] start_time Time when ticket becomes valid (0 for now)
|
|
jpayne@69
|
7664 * @param [in] in_tkt_service Service name of initial credentials (or NULL)
|
|
jpayne@69
|
7665 * @param [in] k5_gic_options Initial credential options
|
|
jpayne@69
|
7666 *
|
|
jpayne@69
|
7667 * This function requests KDC for an initial credentials for @a client using a
|
|
jpayne@69
|
7668 * client key stored in @a arg_keytab. If @a in_tkt_service is specified, it
|
|
jpayne@69
|
7669 * is parsed as a principal name (with the realm ignored) and used as the
|
|
jpayne@69
|
7670 * service principal for the request; otherwise the ticket-granting service is
|
|
jpayne@69
|
7671 * used.
|
|
jpayne@69
|
7672 *
|
|
jpayne@69
|
7673 * @sa krb5_verify_init_creds()
|
|
jpayne@69
|
7674 *
|
|
jpayne@69
|
7675 * @retval
|
|
jpayne@69
|
7676 * 0 Success
|
|
jpayne@69
|
7677 * @return
|
|
jpayne@69
|
7678 * Kerberos error codes
|
|
jpayne@69
|
7679 */
|
|
jpayne@69
|
7680 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7681 krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
7682 krb5_principal client, krb5_keytab arg_keytab,
|
|
jpayne@69
|
7683 krb5_deltat start_time, const char *in_tkt_service,
|
|
jpayne@69
|
7684 krb5_get_init_creds_opt *k5_gic_options);
|
|
jpayne@69
|
7685
|
|
jpayne@69
|
7686 typedef struct _krb5_verify_init_creds_opt {
|
|
jpayne@69
|
7687 krb5_flags flags;
|
|
jpayne@69
|
7688 int ap_req_nofail; /**< boolean */
|
|
jpayne@69
|
7689 } krb5_verify_init_creds_opt;
|
|
jpayne@69
|
7690
|
|
jpayne@69
|
7691 #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001
|
|
jpayne@69
|
7692
|
|
jpayne@69
|
7693 /**
|
|
jpayne@69
|
7694 * Initialize a credential verification options structure.
|
|
jpayne@69
|
7695 *
|
|
jpayne@69
|
7696 * @param [in] k5_vic_options Verification options structure
|
|
jpayne@69
|
7697 */
|
|
jpayne@69
|
7698 void KRB5_CALLCONV
|
|
jpayne@69
|
7699 krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options);
|
|
jpayne@69
|
7700
|
|
jpayne@69
|
7701 /**
|
|
jpayne@69
|
7702 * Set whether credential verification is required.
|
|
jpayne@69
|
7703 *
|
|
jpayne@69
|
7704 * @param [in] k5_vic_options Verification options structure
|
|
jpayne@69
|
7705 * @param [in] ap_req_nofail Whether to require successful verification
|
|
jpayne@69
|
7706 *
|
|
jpayne@69
|
7707 * This function determines how krb5_verify_init_creds() behaves if no keytab
|
|
jpayne@69
|
7708 * information is available. If @a ap_req_nofail is @c FALSE, verification
|
|
jpayne@69
|
7709 * will be skipped in this case and krb5_verify_init_creds() will return
|
|
jpayne@69
|
7710 * successfully. If @a ap_req_nofail is @c TRUE, krb5_verify_init_creds() will
|
|
jpayne@69
|
7711 * not return successfully unless verification can be performed.
|
|
jpayne@69
|
7712 *
|
|
jpayne@69
|
7713 * If this function is not used, the behavior of krb5_verify_init_creds() is
|
|
jpayne@69
|
7714 * determined through configuration.
|
|
jpayne@69
|
7715 */
|
|
jpayne@69
|
7716 void KRB5_CALLCONV
|
|
jpayne@69
|
7717 krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options,
|
|
jpayne@69
|
7718 int ap_req_nofail);
|
|
jpayne@69
|
7719
|
|
jpayne@69
|
7720 /**
|
|
jpayne@69
|
7721 * Verify initial credentials against a keytab.
|
|
jpayne@69
|
7722 *
|
|
jpayne@69
|
7723 * @param [in] context Library context
|
|
jpayne@69
|
7724 * @param [in] creds Initial credentials to be verified
|
|
jpayne@69
|
7725 * @param [in] server Server principal (or NULL)
|
|
jpayne@69
|
7726 * @param [in] keytab Key table (NULL to use default keytab)
|
|
jpayne@69
|
7727 * @param [in] ccache Credential cache for fetched creds (or NULL)
|
|
jpayne@69
|
7728 * @param [in] options Verification options (NULL for default options)
|
|
jpayne@69
|
7729 *
|
|
jpayne@69
|
7730 * This function attempts to verify that @a creds were obtained from a KDC with
|
|
jpayne@69
|
7731 * knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL.
|
|
jpayne@69
|
7732 * If @a server is provided, the highest-kvno key entry for that principal name
|
|
jpayne@69
|
7733 * is used to verify the credentials; otherwise, all unique "host" service
|
|
jpayne@69
|
7734 * principals in the keytab are tried.
|
|
jpayne@69
|
7735 *
|
|
jpayne@69
|
7736 * If the specified keytab does not exist, or is empty, or cannot be read, or
|
|
jpayne@69
|
7737 * does not contain an entry for @a server, then credential verification may be
|
|
jpayne@69
|
7738 * skipped unless configuration demands that it succeed. The caller can
|
|
jpayne@69
|
7739 * control this behavior by providing a verification options structure; see
|
|
jpayne@69
|
7740 * krb5_verify_init_creds_opt_init() and
|
|
jpayne@69
|
7741 * krb5_verify_init_creds_opt_set_ap_req_nofail().
|
|
jpayne@69
|
7742 *
|
|
jpayne@69
|
7743 * If @a ccache is NULL, any additional credentials fetched during the
|
|
jpayne@69
|
7744 * verification process will be destroyed. If @a ccache points to NULL, a
|
|
jpayne@69
|
7745 * memory ccache will be created for the additional credentials and returned in
|
|
jpayne@69
|
7746 * @a ccache. If @a ccache points to a valid credential cache handle, the
|
|
jpayne@69
|
7747 * additional credentials will be stored in that cache.
|
|
jpayne@69
|
7748 *
|
|
jpayne@69
|
7749 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7750 */
|
|
jpayne@69
|
7751 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7752 krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
7753 krb5_principal server, krb5_keytab keytab,
|
|
jpayne@69
|
7754 krb5_ccache *ccache,
|
|
jpayne@69
|
7755 krb5_verify_init_creds_opt *options);
|
|
jpayne@69
|
7756
|
|
jpayne@69
|
7757 /**
|
|
jpayne@69
|
7758 * Get validated credentials from the KDC.
|
|
jpayne@69
|
7759 *
|
|
jpayne@69
|
7760 * @param [in] context Library context
|
|
jpayne@69
|
7761 * @param [out] creds Validated credentials
|
|
jpayne@69
|
7762 * @param [in] client Client principal name
|
|
jpayne@69
|
7763 * @param [in] ccache Credential cache
|
|
jpayne@69
|
7764 * @param [in] in_tkt_service Server principal string (or NULL)
|
|
jpayne@69
|
7765 *
|
|
jpayne@69
|
7766 * This function gets a validated credential using a postdated credential from
|
|
jpayne@69
|
7767 * @a ccache. If @a in_tkt_service is specified, it is parsed (with the realm
|
|
jpayne@69
|
7768 * part ignored) and used as the server principal of the credential;
|
|
jpayne@69
|
7769 * otherwise, the ticket-granting service is used.
|
|
jpayne@69
|
7770 *
|
|
jpayne@69
|
7771 * If successful, the validated credential is placed in @a creds.
|
|
jpayne@69
|
7772 *
|
|
jpayne@69
|
7773 * @sa krb5_get_renewed_creds()
|
|
jpayne@69
|
7774 *
|
|
jpayne@69
|
7775 * @retval
|
|
jpayne@69
|
7776 * 0 Success
|
|
jpayne@69
|
7777 * @retval
|
|
jpayne@69
|
7778 * KRB5_NO_2ND_TKT Request missing second ticket
|
|
jpayne@69
|
7779 * @retval
|
|
jpayne@69
|
7780 * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
|
|
jpayne@69
|
7781 * @retval
|
|
jpayne@69
|
7782 * KRB5_PRINC_NOMATCH Requested principal and ticket do not match
|
|
jpayne@69
|
7783 * @retval
|
|
jpayne@69
|
7784 * KRB5_KDCREP_MODIFIED KDC reply did not match expectations
|
|
jpayne@69
|
7785 * @retval
|
|
jpayne@69
|
7786 * KRB5_KDCREP_SKEW Clock skew too great in KDC reply
|
|
jpayne@69
|
7787 * @return
|
|
jpayne@69
|
7788 * Kerberos error codes
|
|
jpayne@69
|
7789 */
|
|
jpayne@69
|
7790 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7791 krb5_get_validated_creds(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
7792 krb5_principal client, krb5_ccache ccache,
|
|
jpayne@69
|
7793 const char *in_tkt_service);
|
|
jpayne@69
|
7794
|
|
jpayne@69
|
7795 /**
|
|
jpayne@69
|
7796 * Get renewed credential from KDC using an existing credential.
|
|
jpayne@69
|
7797 *
|
|
jpayne@69
|
7798 * @param [in] context Library context
|
|
jpayne@69
|
7799 * @param [out] creds Renewed credentials
|
|
jpayne@69
|
7800 * @param [in] client Client principal name
|
|
jpayne@69
|
7801 * @param [in] ccache Credential cache
|
|
jpayne@69
|
7802 * @param [in] in_tkt_service Server principal string (or NULL)
|
|
jpayne@69
|
7803 *
|
|
jpayne@69
|
7804 * This function gets a renewed credential using an existing one from @a
|
|
jpayne@69
|
7805 * ccache. If @a in_tkt_service is specified, it is parsed (with the realm
|
|
jpayne@69
|
7806 * part ignored) and used as the server principal of the credential; otherwise,
|
|
jpayne@69
|
7807 * the ticket-granting service is used.
|
|
jpayne@69
|
7808 *
|
|
jpayne@69
|
7809 * If successful, the renewed credential is placed in @a creds.
|
|
jpayne@69
|
7810 *
|
|
jpayne@69
|
7811 * @retval
|
|
jpayne@69
|
7812 * 0 Success
|
|
jpayne@69
|
7813 * @return
|
|
jpayne@69
|
7814 * Kerberos error codes
|
|
jpayne@69
|
7815 */
|
|
jpayne@69
|
7816 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7817 krb5_get_renewed_creds(krb5_context context, krb5_creds *creds,
|
|
jpayne@69
|
7818 krb5_principal client, krb5_ccache ccache,
|
|
jpayne@69
|
7819 const char *in_tkt_service);
|
|
jpayne@69
|
7820
|
|
jpayne@69
|
7821 /**
|
|
jpayne@69
|
7822 * Decode an ASN.1-formatted ticket.
|
|
jpayne@69
|
7823 *
|
|
jpayne@69
|
7824 * @param [in] code ASN.1-formatted ticket
|
|
jpayne@69
|
7825 * @param [out] rep Decoded ticket information
|
|
jpayne@69
|
7826 *
|
|
jpayne@69
|
7827 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
7828 */
|
|
jpayne@69
|
7829 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
7830 krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep);
|
|
jpayne@69
|
7831
|
|
jpayne@69
|
7832 /**
|
|
jpayne@69
|
7833 * Retrieve a string value from the appdefaults section of krb5.conf.
|
|
jpayne@69
|
7834 *
|
|
jpayne@69
|
7835 * @param [in] context Library context
|
|
jpayne@69
|
7836 * @param [in] appname Application name
|
|
jpayne@69
|
7837 * @param [in] realm Realm name
|
|
jpayne@69
|
7838 * @param [in] option Option to be checked
|
|
jpayne@69
|
7839 * @param [in] default_value Default value to return if no match is found
|
|
jpayne@69
|
7840 * @param [out] ret_value String value of @a option
|
|
jpayne@69
|
7841 *
|
|
jpayne@69
|
7842 * This function gets the application defaults for @a option based on the given
|
|
jpayne@69
|
7843 * @a appname and/or @a realm.
|
|
jpayne@69
|
7844 *
|
|
jpayne@69
|
7845 * @sa krb5_appdefault_boolean()
|
|
jpayne@69
|
7846 */
|
|
jpayne@69
|
7847 void KRB5_CALLCONV
|
|
jpayne@69
|
7848 krb5_appdefault_string(krb5_context context, const char *appname,
|
|
jpayne@69
|
7849 const krb5_data *realm, const char *option,
|
|
jpayne@69
|
7850 const char *default_value, char ** ret_value);
|
|
jpayne@69
|
7851
|
|
jpayne@69
|
7852 /**
|
|
jpayne@69
|
7853 * Retrieve a boolean value from the appdefaults section of krb5.conf.
|
|
jpayne@69
|
7854 *
|
|
jpayne@69
|
7855 * @param [in] context Library context
|
|
jpayne@69
|
7856 * @param [in] appname Application name
|
|
jpayne@69
|
7857 * @param [in] realm Realm name
|
|
jpayne@69
|
7858 * @param [in] option Option to be checked
|
|
jpayne@69
|
7859 * @param [in] default_value Default value to return if no match is found
|
|
jpayne@69
|
7860 * @param [out] ret_value Boolean value of @a option
|
|
jpayne@69
|
7861 *
|
|
jpayne@69
|
7862 * This function gets the application defaults for @a option based on the given
|
|
jpayne@69
|
7863 * @a appname and/or @a realm.
|
|
jpayne@69
|
7864 *
|
|
jpayne@69
|
7865 * @sa krb5_appdefault_string()
|
|
jpayne@69
|
7866 */
|
|
jpayne@69
|
7867 void KRB5_CALLCONV
|
|
jpayne@69
|
7868 krb5_appdefault_boolean(krb5_context context, const char *appname,
|
|
jpayne@69
|
7869 const krb5_data *realm, const char *option,
|
|
jpayne@69
|
7870 int default_value, int *ret_value);
|
|
jpayne@69
|
7871
|
|
jpayne@69
|
7872 /*
|
|
jpayne@69
|
7873 * Prompter enhancements
|
|
jpayne@69
|
7874 */
|
|
jpayne@69
|
7875 /** Prompt for password */
|
|
jpayne@69
|
7876 #define KRB5_PROMPT_TYPE_PASSWORD 0x1
|
|
jpayne@69
|
7877 /** Prompt for new password (during password change) */
|
|
jpayne@69
|
7878 #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2
|
|
jpayne@69
|
7879 /** Prompt for new password again */
|
|
jpayne@69
|
7880 #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3
|
|
jpayne@69
|
7881 /** Prompt for preauthentication data (such as an OTP value) */
|
|
jpayne@69
|
7882 #define KRB5_PROMPT_TYPE_PREAUTH 0x4
|
|
jpayne@69
|
7883
|
|
jpayne@69
|
7884 typedef krb5_int32 krb5_prompt_type;
|
|
jpayne@69
|
7885
|
|
jpayne@69
|
7886 /**
|
|
jpayne@69
|
7887 * Get prompt types array from a context.
|
|
jpayne@69
|
7888 *
|
|
jpayne@69
|
7889 * @param [in] context Library context
|
|
jpayne@69
|
7890 *
|
|
jpayne@69
|
7891 * @return
|
|
jpayne@69
|
7892 * Pointer to an array of prompt types corresponding to the prompter's @a
|
|
jpayne@69
|
7893 * prompts arguments. Each type has one of the following values:
|
|
jpayne@69
|
7894 * @li #KRB5_PROMPT_TYPE_PASSWORD
|
|
jpayne@69
|
7895 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD
|
|
jpayne@69
|
7896 * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
|
|
jpayne@69
|
7897 * @li #KRB5_PROMPT_TYPE_PREAUTH
|
|
jpayne@69
|
7898 */
|
|
jpayne@69
|
7899 krb5_prompt_type* KRB5_CALLCONV
|
|
jpayne@69
|
7900 krb5_get_prompt_types(krb5_context context);
|
|
jpayne@69
|
7901
|
|
jpayne@69
|
7902 /* Error reporting */
|
|
jpayne@69
|
7903 /**
|
|
jpayne@69
|
7904 * Set an extended error message for an error code.
|
|
jpayne@69
|
7905 *
|
|
jpayne@69
|
7906 * @param [in] ctx Library context
|
|
jpayne@69
|
7907 * @param [in] code Error code
|
|
jpayne@69
|
7908 * @param [in] fmt Error string for the error code
|
|
jpayne@69
|
7909 * @param [in] ... printf(3) style parameters
|
|
jpayne@69
|
7910 */
|
|
jpayne@69
|
7911 void KRB5_CALLCONV_C
|
|
jpayne@69
|
7912 krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
|
|
jpayne@69
|
7913 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
7914 __attribute__((__format__(__printf__, 3, 4)))
|
|
jpayne@69
|
7915 #endif
|
|
jpayne@69
|
7916 ;
|
|
jpayne@69
|
7917
|
|
jpayne@69
|
7918 /**
|
|
jpayne@69
|
7919 * Set an extended error message for an error code using a va_list.
|
|
jpayne@69
|
7920 *
|
|
jpayne@69
|
7921 * @param [in] ctx Library context
|
|
jpayne@69
|
7922 * @param [in] code Error code
|
|
jpayne@69
|
7923 * @param [in] fmt Error string for the error code
|
|
jpayne@69
|
7924 * @param [in] args List of vprintf(3) style arguments
|
|
jpayne@69
|
7925 */
|
|
jpayne@69
|
7926 void KRB5_CALLCONV
|
|
jpayne@69
|
7927 krb5_vset_error_message(krb5_context ctx, krb5_error_code code,
|
|
jpayne@69
|
7928 const char *fmt, va_list args)
|
|
jpayne@69
|
7929 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
7930 __attribute__((__format__(__printf__, 3, 0)))
|
|
jpayne@69
|
7931 #endif
|
|
jpayne@69
|
7932 ;
|
|
jpayne@69
|
7933
|
|
jpayne@69
|
7934 /**
|
|
jpayne@69
|
7935 * Add a prefix to the message for an error code.
|
|
jpayne@69
|
7936 *
|
|
jpayne@69
|
7937 * @param [in] ctx Library context
|
|
jpayne@69
|
7938 * @param [in] code Error code
|
|
jpayne@69
|
7939 * @param [in] fmt Format string for error message prefix
|
|
jpayne@69
|
7940 * @param [in] ... printf(3) style parameters
|
|
jpayne@69
|
7941 *
|
|
jpayne@69
|
7942 * Format a message and prepend it to the current message for @a code. The
|
|
jpayne@69
|
7943 * prefix will be separated from the old message with a colon and space.
|
|
jpayne@69
|
7944 */
|
|
jpayne@69
|
7945 void KRB5_CALLCONV_C
|
|
jpayne@69
|
7946 krb5_prepend_error_message(krb5_context ctx, krb5_error_code code,
|
|
jpayne@69
|
7947 const char *fmt, ...)
|
|
jpayne@69
|
7948 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
7949 __attribute__((__format__(__printf__, 3, 4)))
|
|
jpayne@69
|
7950 #endif
|
|
jpayne@69
|
7951 ;
|
|
jpayne@69
|
7952
|
|
jpayne@69
|
7953 /**
|
|
jpayne@69
|
7954 * Add a prefix to the message for an error code using a va_list.
|
|
jpayne@69
|
7955 *
|
|
jpayne@69
|
7956 * @param [in] ctx Library context
|
|
jpayne@69
|
7957 * @param [in] code Error code
|
|
jpayne@69
|
7958 * @param [in] fmt Format string for error message prefix
|
|
jpayne@69
|
7959 * @param [in] args List of vprintf(3) style arguments
|
|
jpayne@69
|
7960 *
|
|
jpayne@69
|
7961 * This function is similar to krb5_prepend_error_message(), but uses a
|
|
jpayne@69
|
7962 * va_list instead of variadic arguments.
|
|
jpayne@69
|
7963 */
|
|
jpayne@69
|
7964 void KRB5_CALLCONV
|
|
jpayne@69
|
7965 krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code,
|
|
jpayne@69
|
7966 const char *fmt, va_list args)
|
|
jpayne@69
|
7967 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
7968 __attribute__((__format__(__printf__, 3, 0)))
|
|
jpayne@69
|
7969 #endif
|
|
jpayne@69
|
7970 ;
|
|
jpayne@69
|
7971
|
|
jpayne@69
|
7972 /**
|
|
jpayne@69
|
7973 * Add a prefix to a different error code's message.
|
|
jpayne@69
|
7974 *
|
|
jpayne@69
|
7975 * @param [in] ctx Library context
|
|
jpayne@69
|
7976 * @param [in] old_code Previous error code
|
|
jpayne@69
|
7977 * @param [in] code Error code
|
|
jpayne@69
|
7978 * @param [in] fmt Format string for error message prefix
|
|
jpayne@69
|
7979 * @param [in] ... printf(3) style parameters
|
|
jpayne@69
|
7980 *
|
|
jpayne@69
|
7981 * Format a message and prepend it to the message for @a old_code. The prefix
|
|
jpayne@69
|
7982 * will be separated from the old message with a colon and space. Set the
|
|
jpayne@69
|
7983 * resulting message as the extended error message for @a code.
|
|
jpayne@69
|
7984 */
|
|
jpayne@69
|
7985 void KRB5_CALLCONV_C
|
|
jpayne@69
|
7986 krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code,
|
|
jpayne@69
|
7987 krb5_error_code code, const char *fmt, ...)
|
|
jpayne@69
|
7988 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
7989 __attribute__((__format__(__printf__, 4, 5)))
|
|
jpayne@69
|
7990 #endif
|
|
jpayne@69
|
7991 ;
|
|
jpayne@69
|
7992
|
|
jpayne@69
|
7993 /**
|
|
jpayne@69
|
7994 * Add a prefix to a different error code's message using a va_list.
|
|
jpayne@69
|
7995 *
|
|
jpayne@69
|
7996 * @param [in] ctx Library context
|
|
jpayne@69
|
7997 * @param [in] old_code Previous error code
|
|
jpayne@69
|
7998 * @param [in] code Error code
|
|
jpayne@69
|
7999 * @param [in] fmt Format string for error message prefix
|
|
jpayne@69
|
8000 * @param [in] args List of vprintf(3) style arguments
|
|
jpayne@69
|
8001 *
|
|
jpayne@69
|
8002 * This function is similar to krb5_wrap_error_message(), but uses a
|
|
jpayne@69
|
8003 * va_list instead of variadic arguments.
|
|
jpayne@69
|
8004 */
|
|
jpayne@69
|
8005 void KRB5_CALLCONV
|
|
jpayne@69
|
8006 krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code,
|
|
jpayne@69
|
8007 krb5_error_code code, const char *fmt, va_list args)
|
|
jpayne@69
|
8008 #if !defined(__cplusplus) && (__GNUC__ > 2)
|
|
jpayne@69
|
8009 __attribute__((__format__(__printf__, 4, 0)))
|
|
jpayne@69
|
8010 #endif
|
|
jpayne@69
|
8011 ;
|
|
jpayne@69
|
8012
|
|
jpayne@69
|
8013 /**
|
|
jpayne@69
|
8014 * Copy the most recent extended error message from one context to another.
|
|
jpayne@69
|
8015 *
|
|
jpayne@69
|
8016 * @param [in] dest_ctx Library context to copy message to
|
|
jpayne@69
|
8017 * @param [in] src_ctx Library context with current message
|
|
jpayne@69
|
8018 */
|
|
jpayne@69
|
8019 void KRB5_CALLCONV
|
|
jpayne@69
|
8020 krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx);
|
|
jpayne@69
|
8021
|
|
jpayne@69
|
8022 /**
|
|
jpayne@69
|
8023 * Get the (possibly extended) error message for a code.
|
|
jpayne@69
|
8024 *
|
|
jpayne@69
|
8025 * @param [in] ctx Library context
|
|
jpayne@69
|
8026 * @param [in] code Error code
|
|
jpayne@69
|
8027 *
|
|
jpayne@69
|
8028 * The behavior of krb5_get_error_message() is only defined the first time it
|
|
jpayne@69
|
8029 * is called after a failed call to a krb5 function using the same context, and
|
|
jpayne@69
|
8030 * only when the error code passed in is the same as that returned by the krb5
|
|
jpayne@69
|
8031 * function.
|
|
jpayne@69
|
8032 *
|
|
jpayne@69
|
8033 * This function never returns NULL, so its result may be used unconditionally
|
|
jpayne@69
|
8034 * as a C string.
|
|
jpayne@69
|
8035 *
|
|
jpayne@69
|
8036 * The string returned by this function must be freed using
|
|
jpayne@69
|
8037 * krb5_free_error_message()
|
|
jpayne@69
|
8038 *
|
|
jpayne@69
|
8039 * @note Future versions may return the same string for the second
|
|
jpayne@69
|
8040 * and following calls.
|
|
jpayne@69
|
8041 */
|
|
jpayne@69
|
8042 const char * KRB5_CALLCONV
|
|
jpayne@69
|
8043 krb5_get_error_message(krb5_context ctx, krb5_error_code code);
|
|
jpayne@69
|
8044
|
|
jpayne@69
|
8045 /**
|
|
jpayne@69
|
8046 * Free an error message generated by krb5_get_error_message().
|
|
jpayne@69
|
8047 *
|
|
jpayne@69
|
8048 * @param [in] ctx Library context
|
|
jpayne@69
|
8049 * @param [in] msg Pointer to error message
|
|
jpayne@69
|
8050 */
|
|
jpayne@69
|
8051 void KRB5_CALLCONV
|
|
jpayne@69
|
8052 krb5_free_error_message(krb5_context ctx, const char *msg);
|
|
jpayne@69
|
8053
|
|
jpayne@69
|
8054 /**
|
|
jpayne@69
|
8055 * Clear the extended error message in a context.
|
|
jpayne@69
|
8056 *
|
|
jpayne@69
|
8057 * @param [in] ctx Library context
|
|
jpayne@69
|
8058 *
|
|
jpayne@69
|
8059 * This function unsets the extended error message in a context, to ensure that
|
|
jpayne@69
|
8060 * it is not mistakenly applied to another occurrence of the same error code.
|
|
jpayne@69
|
8061 */
|
|
jpayne@69
|
8062 void KRB5_CALLCONV
|
|
jpayne@69
|
8063 krb5_clear_error_message(krb5_context ctx);
|
|
jpayne@69
|
8064
|
|
jpayne@69
|
8065 /**
|
|
jpayne@69
|
8066 * Unwrap authorization data.
|
|
jpayne@69
|
8067 *
|
|
jpayne@69
|
8068 * @param [in] context Library context
|
|
jpayne@69
|
8069 * @param [in] type @ref KRB5_AUTHDATA type of @a container
|
|
jpayne@69
|
8070 * @param [in] container Authorization data to be decoded
|
|
jpayne@69
|
8071 * @param [out] authdata List of decoded authorization data
|
|
jpayne@69
|
8072 *
|
|
jpayne@69
|
8073 * @sa krb5_encode_authdata_container()
|
|
jpayne@69
|
8074 *
|
|
jpayne@69
|
8075 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8076 */
|
|
jpayne@69
|
8077 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8078 krb5_decode_authdata_container(krb5_context context,
|
|
jpayne@69
|
8079 krb5_authdatatype type,
|
|
jpayne@69
|
8080 const krb5_authdata *container,
|
|
jpayne@69
|
8081 krb5_authdata ***authdata);
|
|
jpayne@69
|
8082 /**
|
|
jpayne@69
|
8083 * Wrap authorization data in a container.
|
|
jpayne@69
|
8084 *
|
|
jpayne@69
|
8085 * @param [in] context Library context
|
|
jpayne@69
|
8086 * @param [in] type @ref KRB5_AUTHDATA type of @a container
|
|
jpayne@69
|
8087 * @param [in] authdata List of authorization data to be encoded
|
|
jpayne@69
|
8088 * @param [out] container List of encoded authorization data
|
|
jpayne@69
|
8089 *
|
|
jpayne@69
|
8090 * The result is returned in @a container as a single-element list.
|
|
jpayne@69
|
8091 *
|
|
jpayne@69
|
8092 * @sa krb5_decode_authdata_container()
|
|
jpayne@69
|
8093 *
|
|
jpayne@69
|
8094 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8095 */
|
|
jpayne@69
|
8096 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8097 krb5_encode_authdata_container(krb5_context context,
|
|
jpayne@69
|
8098 krb5_authdatatype type,
|
|
jpayne@69
|
8099 krb5_authdata * const*authdata,
|
|
jpayne@69
|
8100 krb5_authdata ***container);
|
|
jpayne@69
|
8101
|
|
jpayne@69
|
8102 /*
|
|
jpayne@69
|
8103 * AD-KDCIssued
|
|
jpayne@69
|
8104 */
|
|
jpayne@69
|
8105 /**
|
|
jpayne@69
|
8106 * Encode and sign AD-KDCIssued authorization data.
|
|
jpayne@69
|
8107 *
|
|
jpayne@69
|
8108 * @param [in] context Library context
|
|
jpayne@69
|
8109 * @param [in] key Session key
|
|
jpayne@69
|
8110 * @param [in] issuer The name of the issuing principal
|
|
jpayne@69
|
8111 * @param [in] authdata List of authorization data to be signed
|
|
jpayne@69
|
8112 * @param [out] ad_kdcissued List containing AD-KDCIssued authdata
|
|
jpayne@69
|
8113 *
|
|
jpayne@69
|
8114 * This function wraps a list of authorization data entries @a authdata in an
|
|
jpayne@69
|
8115 * AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with @a key.
|
|
jpayne@69
|
8116 * The result is returned in @a ad_kdcissued as a single-element list.
|
|
jpayne@69
|
8117 */
|
|
jpayne@69
|
8118 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8119 krb5_make_authdata_kdc_issued(krb5_context context,
|
|
jpayne@69
|
8120 const krb5_keyblock *key,
|
|
jpayne@69
|
8121 krb5_const_principal issuer,
|
|
jpayne@69
|
8122 krb5_authdata *const *authdata,
|
|
jpayne@69
|
8123 krb5_authdata ***ad_kdcissued);
|
|
jpayne@69
|
8124
|
|
jpayne@69
|
8125 /**
|
|
jpayne@69
|
8126 * Unwrap and verify AD-KDCIssued authorization data.
|
|
jpayne@69
|
8127 *
|
|
jpayne@69
|
8128 * @param [in] context Library context
|
|
jpayne@69
|
8129 * @param [in] key Session key
|
|
jpayne@69
|
8130 * @param [in] ad_kdcissued AD-KDCIssued authorization data to be unwrapped
|
|
jpayne@69
|
8131 * @param [out] issuer Name of issuing principal (or NULL)
|
|
jpayne@69
|
8132 * @param [out] authdata Unwrapped list of authorization data
|
|
jpayne@69
|
8133 *
|
|
jpayne@69
|
8134 * This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section
|
|
jpayne@69
|
8135 * 5.2.6.2) and verifies its signature against @a key. The issuer field of the
|
|
jpayne@69
|
8136 * authdatum element is returned in @a issuer, and the unwrapped list of
|
|
jpayne@69
|
8137 * authdata is returned in @a authdata.
|
|
jpayne@69
|
8138 */
|
|
jpayne@69
|
8139 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8140 krb5_verify_authdata_kdc_issued(krb5_context context,
|
|
jpayne@69
|
8141 const krb5_keyblock *key,
|
|
jpayne@69
|
8142 const krb5_authdata *ad_kdcissued,
|
|
jpayne@69
|
8143 krb5_principal *issuer,
|
|
jpayne@69
|
8144 krb5_authdata ***authdata);
|
|
jpayne@69
|
8145
|
|
jpayne@69
|
8146 /*
|
|
jpayne@69
|
8147 * Windows PAC
|
|
jpayne@69
|
8148 */
|
|
jpayne@69
|
8149
|
|
jpayne@69
|
8150 /* Microsoft defined types of data */
|
|
jpayne@69
|
8151 #define KRB5_PAC_LOGON_INFO 1 /**< Logon information */
|
|
jpayne@69
|
8152 #define KRB5_PAC_CREDENTIALS_INFO 2 /**< Credentials information */
|
|
jpayne@69
|
8153 #define KRB5_PAC_SERVER_CHECKSUM 6 /**< Server checksum */
|
|
jpayne@69
|
8154 #define KRB5_PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */
|
|
jpayne@69
|
8155 #define KRB5_PAC_CLIENT_INFO 10 /**< Client name and ticket info */
|
|
jpayne@69
|
8156 #define KRB5_PAC_DELEGATION_INFO 11 /**< Constrained delegation info */
|
|
jpayne@69
|
8157 #define KRB5_PAC_UPN_DNS_INFO 12 /**< User principal name and DNS info */
|
|
jpayne@69
|
8158 #define KRB5_PAC_CLIENT_CLAIMS 13 /**< Client claims information */
|
|
jpayne@69
|
8159 #define KRB5_PAC_DEVICE_INFO 14 /**< Device information */
|
|
jpayne@69
|
8160 #define KRB5_PAC_DEVICE_CLAIMS 15 /**< Device claims information */
|
|
jpayne@69
|
8161 #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */
|
|
jpayne@69
|
8162 #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */
|
|
jpayne@69
|
8163 #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */
|
|
jpayne@69
|
8164
|
|
jpayne@69
|
8165 struct krb5_pac_data;
|
|
jpayne@69
|
8166 /** PAC data structure to convey authorization information */
|
|
jpayne@69
|
8167 typedef struct krb5_pac_data *krb5_pac;
|
|
jpayne@69
|
8168
|
|
jpayne@69
|
8169 /**
|
|
jpayne@69
|
8170 * Add a buffer to a PAC handle.
|
|
jpayne@69
|
8171 *
|
|
jpayne@69
|
8172 * @param [in] context Library context
|
|
jpayne@69
|
8173 * @param [in] pac PAC handle
|
|
jpayne@69
|
8174 * @param [in] type Buffer type
|
|
jpayne@69
|
8175 * @param [in] data contents
|
|
jpayne@69
|
8176 *
|
|
jpayne@69
|
8177 * This function adds a buffer of type @a type and contents @a data to @a pac
|
|
jpayne@69
|
8178 * if there isn't already a buffer of this type present.
|
|
jpayne@69
|
8179 *
|
|
jpayne@69
|
8180 * The valid values of @a type is one of the following:
|
|
jpayne@69
|
8181 * @li #KRB5_PAC_LOGON_INFO - Logon information
|
|
jpayne@69
|
8182 * @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information
|
|
jpayne@69
|
8183 * @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum
|
|
jpayne@69
|
8184 * @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum
|
|
jpayne@69
|
8185 * @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information
|
|
jpayne@69
|
8186 * @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information
|
|
jpayne@69
|
8187 * @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information
|
|
jpayne@69
|
8188 *
|
|
jpayne@69
|
8189 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8190 */
|
|
jpayne@69
|
8191 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8192 krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
|
|
jpayne@69
|
8193 const krb5_data *data);
|
|
jpayne@69
|
8194
|
|
jpayne@69
|
8195 /**
|
|
jpayne@69
|
8196 * Free a PAC handle.
|
|
jpayne@69
|
8197 *
|
|
jpayne@69
|
8198 * @param [in] context Library context
|
|
jpayne@69
|
8199 * @param [in] pac PAC to be freed
|
|
jpayne@69
|
8200 *
|
|
jpayne@69
|
8201 * This function frees the contents of @a pac and the structure itself.
|
|
jpayne@69
|
8202 */
|
|
jpayne@69
|
8203 void KRB5_CALLCONV
|
|
jpayne@69
|
8204 krb5_pac_free(krb5_context context, krb5_pac pac);
|
|
jpayne@69
|
8205
|
|
jpayne@69
|
8206 /**
|
|
jpayne@69
|
8207 * Retrieve a buffer value from a PAC.
|
|
jpayne@69
|
8208 *
|
|
jpayne@69
|
8209 * @param [in] context Library context
|
|
jpayne@69
|
8210 * @param [in] pac PAC handle
|
|
jpayne@69
|
8211 * @param [in] type Type of buffer to retrieve
|
|
jpayne@69
|
8212 * @param [out] data Buffer value
|
|
jpayne@69
|
8213 *
|
|
jpayne@69
|
8214 * Use krb5_free_data_contents() to free @a data when it is no longer needed.
|
|
jpayne@69
|
8215 *
|
|
jpayne@69
|
8216 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8217 */
|
|
jpayne@69
|
8218 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8219 krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type,
|
|
jpayne@69
|
8220 krb5_data *data);
|
|
jpayne@69
|
8221
|
|
jpayne@69
|
8222 /**
|
|
jpayne@69
|
8223 * Return an array of buffer types in a PAC handle.
|
|
jpayne@69
|
8224 *
|
|
jpayne@69
|
8225 * @param [in] context Library context
|
|
jpayne@69
|
8226 * @param [in] pac PAC handle
|
|
jpayne@69
|
8227 * @param [out] len Number of entries in @a types
|
|
jpayne@69
|
8228 * @param [out] types Array of buffer types
|
|
jpayne@69
|
8229 *
|
|
jpayne@69
|
8230 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8231 */
|
|
jpayne@69
|
8232 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8233 krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len,
|
|
jpayne@69
|
8234 krb5_ui_4 **types);
|
|
jpayne@69
|
8235
|
|
jpayne@69
|
8236 /**
|
|
jpayne@69
|
8237 * Create an empty Privilege Attribute Certificate (PAC) handle.
|
|
jpayne@69
|
8238 *
|
|
jpayne@69
|
8239 * @param [in] context Library context
|
|
jpayne@69
|
8240 * @param [out] pac New PAC handle
|
|
jpayne@69
|
8241 *
|
|
jpayne@69
|
8242 * Use krb5_pac_free() to free @a pac when it is no longer needed.
|
|
jpayne@69
|
8243 *
|
|
jpayne@69
|
8244 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8245 */
|
|
jpayne@69
|
8246 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8247 krb5_pac_init(krb5_context context, krb5_pac *pac);
|
|
jpayne@69
|
8248
|
|
jpayne@69
|
8249 /**
|
|
jpayne@69
|
8250 * Unparse an encoded PAC into a new handle.
|
|
jpayne@69
|
8251 *
|
|
jpayne@69
|
8252 * @param [in] context Library context
|
|
jpayne@69
|
8253 * @param [in] ptr PAC buffer
|
|
jpayne@69
|
8254 * @param [in] len Length of @a ptr
|
|
jpayne@69
|
8255 * @param [out] pac PAC handle
|
|
jpayne@69
|
8256 *
|
|
jpayne@69
|
8257 * Use krb5_pac_free() to free @a pac when it is no longer needed.
|
|
jpayne@69
|
8258 *
|
|
jpayne@69
|
8259 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8260 */
|
|
jpayne@69
|
8261 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8262 krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
|
|
jpayne@69
|
8263 krb5_pac *pac);
|
|
jpayne@69
|
8264
|
|
jpayne@69
|
8265 /**
|
|
jpayne@69
|
8266 * Verify a PAC.
|
|
jpayne@69
|
8267 *
|
|
jpayne@69
|
8268 * @param [in] context Library context
|
|
jpayne@69
|
8269 * @param [in] pac PAC handle
|
|
jpayne@69
|
8270 * @param [in] authtime Expected timestamp
|
|
jpayne@69
|
8271 * @param [in] principal Expected principal name (or NULL)
|
|
jpayne@69
|
8272 * @param [in] server Key to validate server checksum (or NULL)
|
|
jpayne@69
|
8273 * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
|
jpayne@69
|
8274 *
|
|
jpayne@69
|
8275 * This function validates @a pac against the supplied @a server, @a privsvr,
|
|
jpayne@69
|
8276 * @a principal and @a authtime. If @a principal is NULL, the principal and
|
|
jpayne@69
|
8277 * authtime are not verified. If @a server or @a privsvr is NULL, the
|
|
jpayne@69
|
8278 * corresponding checksum is not verified.
|
|
jpayne@69
|
8279 *
|
|
jpayne@69
|
8280 * If successful, @a pac is marked as verified.
|
|
jpayne@69
|
8281 *
|
|
jpayne@69
|
8282 * @note A checksum mismatch can occur if the PAC was copied from a cross-realm
|
|
jpayne@69
|
8283 * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6)
|
|
jpayne@69
|
8284 * generates PACs with no server checksum at all. One should consider not
|
|
jpayne@69
|
8285 * failing the whole authentication because of this reason, but, instead,
|
|
jpayne@69
|
8286 * treating the ticket as if it did not contain a PAC or marking the PAC
|
|
jpayne@69
|
8287 * information as non-verified.
|
|
jpayne@69
|
8288 *
|
|
jpayne@69
|
8289 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8290 */
|
|
jpayne@69
|
8291 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8292 krb5_pac_verify(krb5_context context, const krb5_pac pac,
|
|
jpayne@69
|
8293 krb5_timestamp authtime, krb5_const_principal principal,
|
|
jpayne@69
|
8294 const krb5_keyblock *server, const krb5_keyblock *privsvr);
|
|
jpayne@69
|
8295
|
|
jpayne@69
|
8296 /**
|
|
jpayne@69
|
8297 * Verify a PAC, possibly from a specified realm.
|
|
jpayne@69
|
8298 *
|
|
jpayne@69
|
8299 * @param [in] context Library context
|
|
jpayne@69
|
8300 * @param [in] pac PAC handle
|
|
jpayne@69
|
8301 * @param [in] authtime Expected timestamp
|
|
jpayne@69
|
8302 * @param [in] principal Expected principal name (or NULL)
|
|
jpayne@69
|
8303 * @param [in] server Key to validate server checksum (or NULL)
|
|
jpayne@69
|
8304 * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
|
jpayne@69
|
8305 * @param [in] with_realm If true, expect the realm of @a principal
|
|
jpayne@69
|
8306 *
|
|
jpayne@69
|
8307 * This function is similar to krb5_pac_verify(), but adds a parameter
|
|
jpayne@69
|
8308 * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field is
|
|
jpayne@69
|
8309 * expected to include the realm of @a principal as well as the name. This
|
|
jpayne@69
|
8310 * flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs.
|
|
jpayne@69
|
8311 *
|
|
jpayne@69
|
8312 * @version New in 1.17
|
|
jpayne@69
|
8313 */
|
|
jpayne@69
|
8314 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8315 krb5_pac_verify_ext(krb5_context context, const krb5_pac pac,
|
|
jpayne@69
|
8316 krb5_timestamp authtime, krb5_const_principal principal,
|
|
jpayne@69
|
8317 const krb5_keyblock *server, const krb5_keyblock *privsvr,
|
|
jpayne@69
|
8318 krb5_boolean with_realm);
|
|
jpayne@69
|
8319
|
|
jpayne@69
|
8320 /**
|
|
jpayne@69
|
8321 * Verify a PAC, possibly including ticket signature
|
|
jpayne@69
|
8322 *
|
|
jpayne@69
|
8323 * @param [in] context Library context
|
|
jpayne@69
|
8324 * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC
|
|
jpayne@69
|
8325 * @param [in] server_princ Canonicalized name of ticket server
|
|
jpayne@69
|
8326 * @param [in] server Key to validate server checksum (or NULL)
|
|
jpayne@69
|
8327 * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
|
jpayne@69
|
8328 * @param [out] pac_out Verified PAC (NULL if no PAC included)
|
|
jpayne@69
|
8329 *
|
|
jpayne@69
|
8330 * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is
|
|
jpayne@69
|
8331 * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service,
|
|
jpayne@69
|
8332 * require a ticket signature over @a enc_tkt in addition to the KDC signature.
|
|
jpayne@69
|
8333 * Place the verified PAC in @a pac_out. If an invalid PAC signature is found,
|
|
jpayne@69
|
8334 * return an error matching the Windows KDC protocol code for that condition as
|
|
jpayne@69
|
8335 * closely as possible.
|
|
jpayne@69
|
8336 *
|
|
jpayne@69
|
8337 * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return
|
|
jpayne@69
|
8338 * successfully.
|
|
jpayne@69
|
8339 *
|
|
jpayne@69
|
8340 * @note This function does not validate the PAC_CLIENT_INFO buffer. If a
|
|
jpayne@69
|
8341 * specific value is expected, the caller can make a separate call to
|
|
jpayne@69
|
8342 * krb5_pac_verify_ext() with a principal but no keys.
|
|
jpayne@69
|
8343 *
|
|
jpayne@69
|
8344 * @retval 0 Success; otherwise - Kerberos error codes
|
|
jpayne@69
|
8345 *
|
|
jpayne@69
|
8346 * @version New in 1.20
|
|
jpayne@69
|
8347 */
|
|
jpayne@69
|
8348 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8349 krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
jpayne@69
|
8350 krb5_const_principal server_princ,
|
|
jpayne@69
|
8351 const krb5_keyblock *server,
|
|
jpayne@69
|
8352 const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
|
jpayne@69
|
8353
|
|
jpayne@69
|
8354 /** @deprecated Use krb5_kdc_sign_ticket() instead. */
|
|
jpayne@69
|
8355 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8356 krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
jpayne@69
|
8357 krb5_const_principal principal, const krb5_keyblock *server_key,
|
|
jpayne@69
|
8358 const krb5_keyblock *privsvr_key, krb5_data *data);
|
|
jpayne@69
|
8359
|
|
jpayne@69
|
8360 /** @deprecated Use krb5_kdc_sign_ticket() instead. */
|
|
jpayne@69
|
8361 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8362 krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
jpayne@69
|
8363 krb5_const_principal principal,
|
|
jpayne@69
|
8364 const krb5_keyblock *server_key,
|
|
jpayne@69
|
8365 const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
|
|
jpayne@69
|
8366 krb5_data *data);
|
|
jpayne@69
|
8367
|
|
jpayne@69
|
8368 /**
|
|
jpayne@69
|
8369 * Sign a PAC, possibly including a ticket signature
|
|
jpayne@69
|
8370 *
|
|
jpayne@69
|
8371 * @param [in] context Library context
|
|
jpayne@69
|
8372 * @param [in] enc_tkt The ticket for the signature
|
|
jpayne@69
|
8373 * @param [in] pac PAC handle
|
|
jpayne@69
|
8374 * @param [in] server_princ Canonical ticket server name
|
|
jpayne@69
|
8375 * @param [in] client_princ PAC_CLIENT_INFO principal (or NULL)
|
|
jpayne@69
|
8376 * @param [in] server Key for server checksum
|
|
jpayne@69
|
8377 * @param [in] privsvr Key for KDC and ticket checksum
|
|
jpayne@69
|
8378 * @param [in] with_realm If true, include the realm of @a principal
|
|
jpayne@69
|
8379 *
|
|
jpayne@69
|
8380 * Sign @a pac using the keys @a server and @a privsvr. Include a ticket
|
|
jpayne@69
|
8381 * signature over @a enc_tkt if @a server_princ is not a TGS or kadmin/changepw
|
|
jpayne@69
|
8382 * principal name. Add the signed PAC's encoding to the authorization data of
|
|
jpayne@69
|
8383 * @a enc_tkt in the first slot, wrapped in an AD-IF-RELEVANT container. If @a
|
|
jpayne@69
|
8384 * client_princ is non-null, add a PAC_CLIENT_INFO buffer, including the realm
|
|
jpayne@69
|
8385 * if @a with_realm is true.
|
|
jpayne@69
|
8386 *
|
|
jpayne@69
|
8387 * @retval 0 on success, otherwise - Kerberos error codes
|
|
jpayne@69
|
8388 *
|
|
jpayne@69
|
8389 * @version New in 1.20
|
|
jpayne@69
|
8390 */
|
|
jpayne@69
|
8391 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8392 krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt,
|
|
jpayne@69
|
8393 const krb5_pac pac, krb5_const_principal server_princ,
|
|
jpayne@69
|
8394 krb5_const_principal client_princ,
|
|
jpayne@69
|
8395 const krb5_keyblock *server, const krb5_keyblock *privsvr,
|
|
jpayne@69
|
8396 krb5_boolean with_realm);
|
|
jpayne@69
|
8397
|
|
jpayne@69
|
8398 /**
|
|
jpayne@69
|
8399 * Read client information from a PAC.
|
|
jpayne@69
|
8400 *
|
|
jpayne@69
|
8401 * @param [in] context Library context
|
|
jpayne@69
|
8402 * @param [in] pac PAC handle
|
|
jpayne@69
|
8403 * @param [out] authtime_out Authentication timestamp (NULL if not needed)
|
|
jpayne@69
|
8404 * @param [out] princname_out Client account name
|
|
jpayne@69
|
8405 *
|
|
jpayne@69
|
8406 * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as
|
|
jpayne@69
|
8407 * a string in @a princname_out. If @a authtime_out is not NULL, place the
|
|
jpayne@69
|
8408 * initial authentication timestamp in @a authtime_out.
|
|
jpayne@69
|
8409 *
|
|
jpayne@69
|
8410 * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a
|
|
jpayne@69
|
8411 * pac, ERANGE if the buffer contains invalid lengths.
|
|
jpayne@69
|
8412 *
|
|
jpayne@69
|
8413 * @version New in 1.18
|
|
jpayne@69
|
8414 */
|
|
jpayne@69
|
8415 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8416 krb5_pac_get_client_info(krb5_context context, const krb5_pac pac,
|
|
jpayne@69
|
8417 krb5_timestamp *authtime_out, char **princname_out);
|
|
jpayne@69
|
8418
|
|
jpayne@69
|
8419 /**
|
|
jpayne@69
|
8420 * Allow the application to override the profile's allow_weak_crypto setting.
|
|
jpayne@69
|
8421 *
|
|
jpayne@69
|
8422 * @param [in] context Library context
|
|
jpayne@69
|
8423 * @param [in] enable Boolean flag
|
|
jpayne@69
|
8424 *
|
|
jpayne@69
|
8425 * This function allows an application to override the allow_weak_crypto
|
|
jpayne@69
|
8426 * setting. It is primarily for use by aklog.
|
|
jpayne@69
|
8427 *
|
|
jpayne@69
|
8428 * @retval 0 (always)
|
|
jpayne@69
|
8429 */
|
|
jpayne@69
|
8430 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8431 krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable);
|
|
jpayne@69
|
8432
|
|
jpayne@69
|
8433 /**
|
|
jpayne@69
|
8434 * A wrapper for passing information to a @c krb5_trace_callback.
|
|
jpayne@69
|
8435 *
|
|
jpayne@69
|
8436 * Currently, it only contains the formatted message as determined
|
|
jpayne@69
|
8437 * the the format string and arguments of the tracing macro, but it
|
|
jpayne@69
|
8438 * may be extended to contain more fields in the future.
|
|
jpayne@69
|
8439 */
|
|
jpayne@69
|
8440 typedef struct _krb5_trace_info {
|
|
jpayne@69
|
8441 const char *message;
|
|
jpayne@69
|
8442 } krb5_trace_info;
|
|
jpayne@69
|
8443
|
|
jpayne@69
|
8444 typedef void
|
|
jpayne@69
|
8445 (KRB5_CALLCONV *krb5_trace_callback)(krb5_context context,
|
|
jpayne@69
|
8446 const krb5_trace_info *info,
|
|
jpayne@69
|
8447 void *cb_data);
|
|
jpayne@69
|
8448
|
|
jpayne@69
|
8449 /**
|
|
jpayne@69
|
8450 * Specify a callback function for trace events.
|
|
jpayne@69
|
8451 *
|
|
jpayne@69
|
8452 * @param [in] context Library context
|
|
jpayne@69
|
8453 * @param [in] fn Callback function
|
|
jpayne@69
|
8454 * @param [in] cb_data Callback data
|
|
jpayne@69
|
8455 *
|
|
jpayne@69
|
8456 * Specify a callback for trace events occurring in krb5 operations performed
|
|
jpayne@69
|
8457 * within @a context. @a fn will be invoked with @a context as the first
|
|
jpayne@69
|
8458 * argument, @a cb_data as the last argument, and a pointer to a
|
|
jpayne@69
|
8459 * krb5_trace_info as the second argument. If the trace callback is reset via
|
|
jpayne@69
|
8460 * this function or @a context is destroyed, @a fn will be invoked with a NULL
|
|
jpayne@69
|
8461 * second argument so it can clean up @a cb_data. Supply a NULL value for @a
|
|
jpayne@69
|
8462 * fn to disable trace callbacks within @a context.
|
|
jpayne@69
|
8463 *
|
|
jpayne@69
|
8464 * @note This function overrides the information passed through the
|
|
jpayne@69
|
8465 * @a KRB5_TRACE environment variable.
|
|
jpayne@69
|
8466 *
|
|
jpayne@69
|
8467 * @version New in 1.9
|
|
jpayne@69
|
8468 *
|
|
jpayne@69
|
8469 * @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library
|
|
jpayne@69
|
8470 * (unless @a fn is NULL).
|
|
jpayne@69
|
8471 */
|
|
jpayne@69
|
8472 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8473 krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
|
|
jpayne@69
|
8474 void *cb_data);
|
|
jpayne@69
|
8475
|
|
jpayne@69
|
8476 /**
|
|
jpayne@69
|
8477 * Specify a file name for directing trace events.
|
|
jpayne@69
|
8478 *
|
|
jpayne@69
|
8479 * @param [in] context Library context
|
|
jpayne@69
|
8480 * @param [in] filename File name
|
|
jpayne@69
|
8481 *
|
|
jpayne@69
|
8482 * Open @a filename for appending (creating it, if necessary) and set up a
|
|
jpayne@69
|
8483 * callback to write trace events to it.
|
|
jpayne@69
|
8484 *
|
|
jpayne@69
|
8485 * @note This function overrides the information passed through the
|
|
jpayne@69
|
8486 * @a KRB5_TRACE environment variable.
|
|
jpayne@69
|
8487 *
|
|
jpayne@69
|
8488 * @version New in 1.9
|
|
jpayne@69
|
8489 *
|
|
jpayne@69
|
8490 * @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library.
|
|
jpayne@69
|
8491 */
|
|
jpayne@69
|
8492 krb5_error_code KRB5_CALLCONV
|
|
jpayne@69
|
8493 krb5_set_trace_filename(krb5_context context, const char *filename);
|
|
jpayne@69
|
8494
|
|
jpayne@69
|
8495
|
|
jpayne@69
|
8496 /**
|
|
jpayne@69
|
8497 * Hook function for inspecting or modifying messages sent to KDCs.
|
|
jpayne@69
|
8498 *
|
|
jpayne@69
|
8499 * @param [in] context Library context
|
|
jpayne@69
|
8500 * @param [in] data Callback data
|
|
jpayne@69
|
8501 * @param [in] realm The realm the message will be sent to
|
|
jpayne@69
|
8502 * @param [in] message The original message to be sent to the KDC
|
|
jpayne@69
|
8503 * @param [out] new_message_out Optional replacement message to be sent
|
|
jpayne@69
|
8504 * @param [out] new_reply_out Optional synthetic reply
|
|
jpayne@69
|
8505 *
|
|
jpayne@69
|
8506 * If the hook function returns an error code, the KDC communication will be
|
|
jpayne@69
|
8507 * aborted and the error code will be returned to the library operation which
|
|
jpayne@69
|
8508 * initiated the communication.
|
|
jpayne@69
|
8509 *
|
|
jpayne@69
|
8510 * If the hook function sets @a new_reply_out, @a message will not be sent to
|
|
jpayne@69
|
8511 * the KDC, and the given reply will used instead.
|
|
jpayne@69
|
8512 *
|
|
jpayne@69
|
8513 * If the hook function sets @a new_message_out, the given message will be sent
|
|
jpayne@69
|
8514 * to the KDC in place of @a message.
|
|
jpayne@69
|
8515 *
|
|
jpayne@69
|
8516 * If the hook function returns successfully without setting either output,
|
|
jpayne@69
|
8517 * @a message will be sent to the KDC normally.
|
|
jpayne@69
|
8518 *
|
|
jpayne@69
|
8519 * The hook function should use krb5_copy_data() to construct the value for
|
|
jpayne@69
|
8520 * @a new_message_out or @a reply_out, to ensure that it can be freed correctly
|
|
jpayne@69
|
8521 * by the library.
|
|
jpayne@69
|
8522 *
|
|
jpayne@69
|
8523 * @version New in 1.15
|
|
jpayne@69
|
8524 *
|
|
jpayne@69
|
8525 * @retval 0 Success
|
|
jpayne@69
|
8526 * @return A Kerberos error code
|
|
jpayne@69
|
8527 */
|
|
jpayne@69
|
8528 typedef krb5_error_code
|
|
jpayne@69
|
8529 (KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,
|
|
jpayne@69
|
8530 const krb5_data *realm,
|
|
jpayne@69
|
8531 const krb5_data *message,
|
|
jpayne@69
|
8532 krb5_data **new_message_out,
|
|
jpayne@69
|
8533 krb5_data **new_reply_out);
|
|
jpayne@69
|
8534
|
|
jpayne@69
|
8535 /**
|
|
jpayne@69
|
8536 * Hook function for inspecting or overriding KDC replies.
|
|
jpayne@69
|
8537 *
|
|
jpayne@69
|
8538 * @param [in] context Library context
|
|
jpayne@69
|
8539 * @param [in] data Callback data
|
|
jpayne@69
|
8540 * @param [in] code Status of KDC communication
|
|
jpayne@69
|
8541 * @param [in] realm The realm the reply was received from
|
|
jpayne@69
|
8542 * @param [in] message The message sent to the realm's KDC
|
|
jpayne@69
|
8543 * @param [in] reply The reply received from the KDC
|
|
jpayne@69
|
8544 * @param [out] new_reply_out Optional replacement reply
|
|
jpayne@69
|
8545 *
|
|
jpayne@69
|
8546 * If @a code is zero, @a reply contains the reply received from the KDC. The
|
|
jpayne@69
|
8547 * hook function may return an error code to simulate an error, may synthesize
|
|
jpayne@69
|
8548 * a different reply by setting @a new_reply_out, or may simply return
|
|
jpayne@69
|
8549 * successfully to do nothing.
|
|
jpayne@69
|
8550 *
|
|
jpayne@69
|
8551 * If @a code is non-zero, KDC communication failed and @a reply should be
|
|
jpayne@69
|
8552 * ignored. The hook function may return @a code or a different error code, or
|
|
jpayne@69
|
8553 * may synthesize a reply by setting @a new_reply_out and return successfully.
|
|
jpayne@69
|
8554 *
|
|
jpayne@69
|
8555 * The hook function should use krb5_copy_data() to construct the value for
|
|
jpayne@69
|
8556 * @a new_reply_out, to ensure that it can be freed correctly by the library.
|
|
jpayne@69
|
8557 *
|
|
jpayne@69
|
8558 * @version New in 1.15
|
|
jpayne@69
|
8559 *
|
|
jpayne@69
|
8560 * @retval 0 Success
|
|
jpayne@69
|
8561 * @return A Kerberos error code
|
|
jpayne@69
|
8562 */
|
|
jpayne@69
|
8563 typedef krb5_error_code
|
|
jpayne@69
|
8564 (KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,
|
|
jpayne@69
|
8565 krb5_error_code code,
|
|
jpayne@69
|
8566 const krb5_data *realm,
|
|
jpayne@69
|
8567 const krb5_data *message,
|
|
jpayne@69
|
8568 const krb5_data *reply,
|
|
jpayne@69
|
8569 krb5_data **new_reply_out);
|
|
jpayne@69
|
8570
|
|
jpayne@69
|
8571 /**
|
|
jpayne@69
|
8572 * Set a KDC pre-send hook function.
|
|
jpayne@69
|
8573 *
|
|
jpayne@69
|
8574 * @param [in] context Library context
|
|
jpayne@69
|
8575 * @param [in] send_hook Hook function (or NULL to disable the hook)
|
|
jpayne@69
|
8576 * @param [in] data Callback data to be passed to @a send_hook
|
|
jpayne@69
|
8577 *
|
|
jpayne@69
|
8578 * @a send_hook will be called before messages are sent to KDCs by library
|
|
jpayne@69
|
8579 * functions such as krb5_get_credentials(). The hook function may inspect,
|
|
jpayne@69
|
8580 * override, or synthesize its own reply to the message.
|
|
jpayne@69
|
8581 *
|
|
jpayne@69
|
8582 * @version New in 1.15
|
|
jpayne@69
|
8583 */
|
|
jpayne@69
|
8584 void KRB5_CALLCONV
|
|
jpayne@69
|
8585 krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
|
|
jpayne@69
|
8586 void *data);
|
|
jpayne@69
|
8587
|
|
jpayne@69
|
8588 /**
|
|
jpayne@69
|
8589 * Set a KDC post-receive hook function.
|
|
jpayne@69
|
8590 *
|
|
jpayne@69
|
8591 * @param [in] context The library context.
|
|
jpayne@69
|
8592 * @param [in] recv_hook Hook function (or NULL to disable the hook)
|
|
jpayne@69
|
8593 * @param [in] data Callback data to be passed to @a recv_hook
|
|
jpayne@69
|
8594 *
|
|
jpayne@69
|
8595 * @a recv_hook will be called after a reply is received from a KDC during a
|
|
jpayne@69
|
8596 * call to a library function such as krb5_get_credentials(). The hook
|
|
jpayne@69
|
8597 * function may inspect or override the reply. This hook will not be executed
|
|
jpayne@69
|
8598 * if the pre-send hook returns a synthetic reply.
|
|
jpayne@69
|
8599 *
|
|
jpayne@69
|
8600 * @version New in 1.15
|
|
jpayne@69
|
8601 */
|
|
jpayne@69
|
8602 void KRB5_CALLCONV
|
|
jpayne@69
|
8603 krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
|
|
jpayne@69
|
8604 void *data);
|
|
jpayne@69
|
8605
|
|
jpayne@69
|
8606 #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
|
|
jpayne@69
|
8607 #pragma pack(pop)
|
|
jpayne@69
|
8608 #endif
|
|
jpayne@69
|
8609
|
|
jpayne@69
|
8610 KRB5INT_END_DECLS
|
|
jpayne@69
|
8611
|
|
jpayne@69
|
8612 /* Don't use this! We're going to phase it out. It's just here to keep
|
|
jpayne@69
|
8613 applications from breaking right away. */
|
|
jpayne@69
|
8614 #define krb5_const const
|
|
jpayne@69
|
8615
|
|
jpayne@69
|
8616 #undef KRB5_ATTR_DEPRECATED
|
|
jpayne@69
|
8617
|
|
jpayne@69
|
8618 /** @} */ /* end of KRB5_H group */
|
|
jpayne@69
|
8619
|
|
jpayne@69
|
8620 #endif /* KRB5_GENERAL__ */
|
|
jpayne@69
|
8621 /*
|
|
jpayne@69
|
8622 * et-h-krb5_err.h:
|
|
jpayne@69
|
8623 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
8624 */
|
|
jpayne@69
|
8625
|
|
jpayne@69
|
8626 #include <com_err.h>
|
|
jpayne@69
|
8627
|
|
jpayne@69
|
8628 #define KRB5KDC_ERR_NONE (-1765328384L)
|
|
jpayne@69
|
8629 #define KRB5KDC_ERR_NAME_EXP (-1765328383L)
|
|
jpayne@69
|
8630 #define KRB5KDC_ERR_SERVICE_EXP (-1765328382L)
|
|
jpayne@69
|
8631 #define KRB5KDC_ERR_BAD_PVNO (-1765328381L)
|
|
jpayne@69
|
8632 #define KRB5KDC_ERR_C_OLD_MAST_KVNO (-1765328380L)
|
|
jpayne@69
|
8633 #define KRB5KDC_ERR_S_OLD_MAST_KVNO (-1765328379L)
|
|
jpayne@69
|
8634 #define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L)
|
|
jpayne@69
|
8635 #define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
|
|
jpayne@69
|
8636 #define KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE (-1765328376L)
|
|
jpayne@69
|
8637 #define KRB5KDC_ERR_NULL_KEY (-1765328375L)
|
|
jpayne@69
|
8638 #define KRB5KDC_ERR_CANNOT_POSTDATE (-1765328374L)
|
|
jpayne@69
|
8639 #define KRB5KDC_ERR_NEVER_VALID (-1765328373L)
|
|
jpayne@69
|
8640 #define KRB5KDC_ERR_POLICY (-1765328372L)
|
|
jpayne@69
|
8641 #define KRB5KDC_ERR_BADOPTION (-1765328371L)
|
|
jpayne@69
|
8642 #define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L)
|
|
jpayne@69
|
8643 #define KRB5KDC_ERR_SUMTYPE_NOSUPP (-1765328369L)
|
|
jpayne@69
|
8644 #define KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368L)
|
|
jpayne@69
|
8645 #define KRB5KDC_ERR_TRTYPE_NOSUPP (-1765328367L)
|
|
jpayne@69
|
8646 #define KRB5KDC_ERR_CLIENT_REVOKED (-1765328366L)
|
|
jpayne@69
|
8647 #define KRB5KDC_ERR_SERVICE_REVOKED (-1765328365L)
|
|
jpayne@69
|
8648 #define KRB5KDC_ERR_TGT_REVOKED (-1765328364L)
|
|
jpayne@69
|
8649 #define KRB5KDC_ERR_CLIENT_NOTYET (-1765328363L)
|
|
jpayne@69
|
8650 #define KRB5KDC_ERR_SERVICE_NOTYET (-1765328362L)
|
|
jpayne@69
|
8651 #define KRB5KDC_ERR_KEY_EXP (-1765328361L)
|
|
jpayne@69
|
8652 #define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)
|
|
jpayne@69
|
8653 #define KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359L)
|
|
jpayne@69
|
8654 #define KRB5KDC_ERR_SERVER_NOMATCH (-1765328358L)
|
|
jpayne@69
|
8655 #define KRB5KDC_ERR_MUST_USE_USER2USER (-1765328357L)
|
|
jpayne@69
|
8656 #define KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356L)
|
|
jpayne@69
|
8657 #define KRB5KDC_ERR_SVC_UNAVAILABLE (-1765328355L)
|
|
jpayne@69
|
8658 #define KRB5PLACEHOLD_30 (-1765328354L)
|
|
jpayne@69
|
8659 #define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L)
|
|
jpayne@69
|
8660 #define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L)
|
|
jpayne@69
|
8661 #define KRB5KRB_AP_ERR_TKT_NYV (-1765328351L)
|
|
jpayne@69
|
8662 #define KRB5KRB_AP_ERR_REPEAT (-1765328350L)
|
|
jpayne@69
|
8663 #define KRB5KRB_AP_ERR_NOT_US (-1765328349L)
|
|
jpayne@69
|
8664 #define KRB5KRB_AP_ERR_BADMATCH (-1765328348L)
|
|
jpayne@69
|
8665 #define KRB5KRB_AP_ERR_SKEW (-1765328347L)
|
|
jpayne@69
|
8666 #define KRB5KRB_AP_ERR_BADADDR (-1765328346L)
|
|
jpayne@69
|
8667 #define KRB5KRB_AP_ERR_BADVERSION (-1765328345L)
|
|
jpayne@69
|
8668 #define KRB5KRB_AP_ERR_MSG_TYPE (-1765328344L)
|
|
jpayne@69
|
8669 #define KRB5KRB_AP_ERR_MODIFIED (-1765328343L)
|
|
jpayne@69
|
8670 #define KRB5KRB_AP_ERR_BADORDER (-1765328342L)
|
|
jpayne@69
|
8671 #define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328341L)
|
|
jpayne@69
|
8672 #define KRB5KRB_AP_ERR_BADKEYVER (-1765328340L)
|
|
jpayne@69
|
8673 #define KRB5KRB_AP_ERR_NOKEY (-1765328339L)
|
|
jpayne@69
|
8674 #define KRB5KRB_AP_ERR_MUT_FAIL (-1765328338L)
|
|
jpayne@69
|
8675 #define KRB5KRB_AP_ERR_BADDIRECTION (-1765328337L)
|
|
jpayne@69
|
8676 #define KRB5KRB_AP_ERR_METHOD (-1765328336L)
|
|
jpayne@69
|
8677 #define KRB5KRB_AP_ERR_BADSEQ (-1765328335L)
|
|
jpayne@69
|
8678 #define KRB5KRB_AP_ERR_INAPP_CKSUM (-1765328334L)
|
|
jpayne@69
|
8679 #define KRB5KRB_AP_PATH_NOT_ACCEPTED (-1765328333L)
|
|
jpayne@69
|
8680 #define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
|
|
jpayne@69
|
8681 #define KRB5PLACEHOLD_53 (-1765328331L)
|
|
jpayne@69
|
8682 #define KRB5PLACEHOLD_54 (-1765328330L)
|
|
jpayne@69
|
8683 #define KRB5PLACEHOLD_55 (-1765328329L)
|
|
jpayne@69
|
8684 #define KRB5PLACEHOLD_56 (-1765328328L)
|
|
jpayne@69
|
8685 #define KRB5PLACEHOLD_57 (-1765328327L)
|
|
jpayne@69
|
8686 #define KRB5PLACEHOLD_58 (-1765328326L)
|
|
jpayne@69
|
8687 #define KRB5PLACEHOLD_59 (-1765328325L)
|
|
jpayne@69
|
8688 #define KRB5KRB_ERR_GENERIC (-1765328324L)
|
|
jpayne@69
|
8689 #define KRB5KRB_ERR_FIELD_TOOLONG (-1765328323L)
|
|
jpayne@69
|
8690 #define KRB5KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322L)
|
|
jpayne@69
|
8691 #define KRB5KDC_ERR_KDC_NOT_TRUSTED (-1765328321L)
|
|
jpayne@69
|
8692 #define KRB5KDC_ERR_INVALID_SIG (-1765328320L)
|
|
jpayne@69
|
8693 #define KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (-1765328319L)
|
|
jpayne@69
|
8694 #define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-1765328318L)
|
|
jpayne@69
|
8695 #define KRB5KRB_AP_ERR_NO_TGT (-1765328317L)
|
|
jpayne@69
|
8696 #define KRB5KDC_ERR_WRONG_REALM (-1765328316L)
|
|
jpayne@69
|
8697 #define KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED (-1765328315L)
|
|
jpayne@69
|
8698 #define KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE (-1765328314L)
|
|
jpayne@69
|
8699 #define KRB5KDC_ERR_INVALID_CERTIFICATE (-1765328313L)
|
|
jpayne@69
|
8700 #define KRB5KDC_ERR_REVOKED_CERTIFICATE (-1765328312L)
|
|
jpayne@69
|
8701 #define KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN (-1765328311L)
|
|
jpayne@69
|
8702 #define KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (-1765328310L)
|
|
jpayne@69
|
8703 #define KRB5KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309L)
|
|
jpayne@69
|
8704 #define KRB5KDC_ERR_KDC_NAME_MISMATCH (-1765328308L)
|
|
jpayne@69
|
8705 #define KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE (-1765328307L)
|
|
jpayne@69
|
8706 #define KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (-1765328306L)
|
|
jpayne@69
|
8707 #define KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305L)
|
|
jpayne@69
|
8708 #define KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (-1765328304L)
|
|
jpayne@69
|
8709 #define KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (-1765328303L)
|
|
jpayne@69
|
8710 #define KRB5PLACEHOLD_82 (-1765328302L)
|
|
jpayne@69
|
8711 #define KRB5PLACEHOLD_83 (-1765328301L)
|
|
jpayne@69
|
8712 #define KRB5PLACEHOLD_84 (-1765328300L)
|
|
jpayne@69
|
8713 #define KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND (-1765328299L)
|
|
jpayne@69
|
8714 #define KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE (-1765328298L)
|
|
jpayne@69
|
8715 #define KRB5PLACEHOLD_87 (-1765328297L)
|
|
jpayne@69
|
8716 #define KRB5PLACEHOLD_88 (-1765328296L)
|
|
jpayne@69
|
8717 #define KRB5PLACEHOLD_89 (-1765328295L)
|
|
jpayne@69
|
8718 #define KRB5KDC_ERR_PREAUTH_EXPIRED (-1765328294L)
|
|
jpayne@69
|
8719 #define KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (-1765328293L)
|
|
jpayne@69
|
8720 #define KRB5PLACEHOLD_92 (-1765328292L)
|
|
jpayne@69
|
8721 #define KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION (-1765328291L)
|
|
jpayne@69
|
8722 #define KRB5PLACEHOLD_94 (-1765328290L)
|
|
jpayne@69
|
8723 #define KRB5PLACEHOLD_95 (-1765328289L)
|
|
jpayne@69
|
8724 #define KRB5PLACEHOLD_96 (-1765328288L)
|
|
jpayne@69
|
8725 #define KRB5PLACEHOLD_97 (-1765328287L)
|
|
jpayne@69
|
8726 #define KRB5PLACEHOLD_98 (-1765328286L)
|
|
jpayne@69
|
8727 #define KRB5PLACEHOLD_99 (-1765328285L)
|
|
jpayne@69
|
8728 #define KRB5KDC_ERR_NO_ACCEPTABLE_KDF (-1765328284L)
|
|
jpayne@69
|
8729 #define KRB5PLACEHOLD_101 (-1765328283L)
|
|
jpayne@69
|
8730 #define KRB5PLACEHOLD_102 (-1765328282L)
|
|
jpayne@69
|
8731 #define KRB5PLACEHOLD_103 (-1765328281L)
|
|
jpayne@69
|
8732 #define KRB5PLACEHOLD_104 (-1765328280L)
|
|
jpayne@69
|
8733 #define KRB5PLACEHOLD_105 (-1765328279L)
|
|
jpayne@69
|
8734 #define KRB5PLACEHOLD_106 (-1765328278L)
|
|
jpayne@69
|
8735 #define KRB5PLACEHOLD_107 (-1765328277L)
|
|
jpayne@69
|
8736 #define KRB5PLACEHOLD_108 (-1765328276L)
|
|
jpayne@69
|
8737 #define KRB5PLACEHOLD_109 (-1765328275L)
|
|
jpayne@69
|
8738 #define KRB5PLACEHOLD_110 (-1765328274L)
|
|
jpayne@69
|
8739 #define KRB5PLACEHOLD_111 (-1765328273L)
|
|
jpayne@69
|
8740 #define KRB5PLACEHOLD_112 (-1765328272L)
|
|
jpayne@69
|
8741 #define KRB5PLACEHOLD_113 (-1765328271L)
|
|
jpayne@69
|
8742 #define KRB5PLACEHOLD_114 (-1765328270L)
|
|
jpayne@69
|
8743 #define KRB5PLACEHOLD_115 (-1765328269L)
|
|
jpayne@69
|
8744 #define KRB5PLACEHOLD_116 (-1765328268L)
|
|
jpayne@69
|
8745 #define KRB5PLACEHOLD_117 (-1765328267L)
|
|
jpayne@69
|
8746 #define KRB5PLACEHOLD_118 (-1765328266L)
|
|
jpayne@69
|
8747 #define KRB5PLACEHOLD_119 (-1765328265L)
|
|
jpayne@69
|
8748 #define KRB5PLACEHOLD_120 (-1765328264L)
|
|
jpayne@69
|
8749 #define KRB5PLACEHOLD_121 (-1765328263L)
|
|
jpayne@69
|
8750 #define KRB5PLACEHOLD_122 (-1765328262L)
|
|
jpayne@69
|
8751 #define KRB5PLACEHOLD_123 (-1765328261L)
|
|
jpayne@69
|
8752 #define KRB5PLACEHOLD_124 (-1765328260L)
|
|
jpayne@69
|
8753 #define KRB5PLACEHOLD_125 (-1765328259L)
|
|
jpayne@69
|
8754 #define KRB5PLACEHOLD_126 (-1765328258L)
|
|
jpayne@69
|
8755 #define KRB5PLACEHOLD_127 (-1765328257L)
|
|
jpayne@69
|
8756 #define KRB5_ERR_RCSID (-1765328256L)
|
|
jpayne@69
|
8757 #define KRB5_LIBOS_BADLOCKFLAG (-1765328255L)
|
|
jpayne@69
|
8758 #define KRB5_LIBOS_CANTREADPWD (-1765328254L)
|
|
jpayne@69
|
8759 #define KRB5_LIBOS_BADPWDMATCH (-1765328253L)
|
|
jpayne@69
|
8760 #define KRB5_LIBOS_PWDINTR (-1765328252L)
|
|
jpayne@69
|
8761 #define KRB5_PARSE_ILLCHAR (-1765328251L)
|
|
jpayne@69
|
8762 #define KRB5_PARSE_MALFORMED (-1765328250L)
|
|
jpayne@69
|
8763 #define KRB5_CONFIG_CANTOPEN (-1765328249L)
|
|
jpayne@69
|
8764 #define KRB5_CONFIG_BADFORMAT (-1765328248L)
|
|
jpayne@69
|
8765 #define KRB5_CONFIG_NOTENUFSPACE (-1765328247L)
|
|
jpayne@69
|
8766 #define KRB5_BADMSGTYPE (-1765328246L)
|
|
jpayne@69
|
8767 #define KRB5_CC_BADNAME (-1765328245L)
|
|
jpayne@69
|
8768 #define KRB5_CC_UNKNOWN_TYPE (-1765328244L)
|
|
jpayne@69
|
8769 #define KRB5_CC_NOTFOUND (-1765328243L)
|
|
jpayne@69
|
8770 #define KRB5_CC_END (-1765328242L)
|
|
jpayne@69
|
8771 #define KRB5_NO_TKT_SUPPLIED (-1765328241L)
|
|
jpayne@69
|
8772 #define KRB5KRB_AP_WRONG_PRINC (-1765328240L)
|
|
jpayne@69
|
8773 #define KRB5KRB_AP_ERR_TKT_INVALID (-1765328239L)
|
|
jpayne@69
|
8774 #define KRB5_PRINC_NOMATCH (-1765328238L)
|
|
jpayne@69
|
8775 #define KRB5_KDCREP_MODIFIED (-1765328237L)
|
|
jpayne@69
|
8776 #define KRB5_KDCREP_SKEW (-1765328236L)
|
|
jpayne@69
|
8777 #define KRB5_IN_TKT_REALM_MISMATCH (-1765328235L)
|
|
jpayne@69
|
8778 #define KRB5_PROG_ETYPE_NOSUPP (-1765328234L)
|
|
jpayne@69
|
8779 #define KRB5_PROG_KEYTYPE_NOSUPP (-1765328233L)
|
|
jpayne@69
|
8780 #define KRB5_WRONG_ETYPE (-1765328232L)
|
|
jpayne@69
|
8781 #define KRB5_PROG_SUMTYPE_NOSUPP (-1765328231L)
|
|
jpayne@69
|
8782 #define KRB5_REALM_UNKNOWN (-1765328230L)
|
|
jpayne@69
|
8783 #define KRB5_SERVICE_UNKNOWN (-1765328229L)
|
|
jpayne@69
|
8784 #define KRB5_KDC_UNREACH (-1765328228L)
|
|
jpayne@69
|
8785 #define KRB5_NO_LOCALNAME (-1765328227L)
|
|
jpayne@69
|
8786 #define KRB5_MUTUAL_FAILED (-1765328226L)
|
|
jpayne@69
|
8787 #define KRB5_RC_TYPE_EXISTS (-1765328225L)
|
|
jpayne@69
|
8788 #define KRB5_RC_MALLOC (-1765328224L)
|
|
jpayne@69
|
8789 #define KRB5_RC_TYPE_NOTFOUND (-1765328223L)
|
|
jpayne@69
|
8790 #define KRB5_RC_UNKNOWN (-1765328222L)
|
|
jpayne@69
|
8791 #define KRB5_RC_REPLAY (-1765328221L)
|
|
jpayne@69
|
8792 #define KRB5_RC_IO (-1765328220L)
|
|
jpayne@69
|
8793 #define KRB5_RC_NOIO (-1765328219L)
|
|
jpayne@69
|
8794 #define KRB5_RC_PARSE (-1765328218L)
|
|
jpayne@69
|
8795 #define KRB5_RC_IO_EOF (-1765328217L)
|
|
jpayne@69
|
8796 #define KRB5_RC_IO_MALLOC (-1765328216L)
|
|
jpayne@69
|
8797 #define KRB5_RC_IO_PERM (-1765328215L)
|
|
jpayne@69
|
8798 #define KRB5_RC_IO_IO (-1765328214L)
|
|
jpayne@69
|
8799 #define KRB5_RC_IO_UNKNOWN (-1765328213L)
|
|
jpayne@69
|
8800 #define KRB5_RC_IO_SPACE (-1765328212L)
|
|
jpayne@69
|
8801 #define KRB5_TRANS_CANTOPEN (-1765328211L)
|
|
jpayne@69
|
8802 #define KRB5_TRANS_BADFORMAT (-1765328210L)
|
|
jpayne@69
|
8803 #define KRB5_LNAME_CANTOPEN (-1765328209L)
|
|
jpayne@69
|
8804 #define KRB5_LNAME_NOTRANS (-1765328208L)
|
|
jpayne@69
|
8805 #define KRB5_LNAME_BADFORMAT (-1765328207L)
|
|
jpayne@69
|
8806 #define KRB5_CRYPTO_INTERNAL (-1765328206L)
|
|
jpayne@69
|
8807 #define KRB5_KT_BADNAME (-1765328205L)
|
|
jpayne@69
|
8808 #define KRB5_KT_UNKNOWN_TYPE (-1765328204L)
|
|
jpayne@69
|
8809 #define KRB5_KT_NOTFOUND (-1765328203L)
|
|
jpayne@69
|
8810 #define KRB5_KT_END (-1765328202L)
|
|
jpayne@69
|
8811 #define KRB5_KT_NOWRITE (-1765328201L)
|
|
jpayne@69
|
8812 #define KRB5_KT_IOERR (-1765328200L)
|
|
jpayne@69
|
8813 #define KRB5_NO_TKT_IN_RLM (-1765328199L)
|
|
jpayne@69
|
8814 #define KRB5DES_BAD_KEYPAR (-1765328198L)
|
|
jpayne@69
|
8815 #define KRB5DES_WEAK_KEY (-1765328197L)
|
|
jpayne@69
|
8816 #define KRB5_BAD_ENCTYPE (-1765328196L)
|
|
jpayne@69
|
8817 #define KRB5_BAD_KEYSIZE (-1765328195L)
|
|
jpayne@69
|
8818 #define KRB5_BAD_MSIZE (-1765328194L)
|
|
jpayne@69
|
8819 #define KRB5_CC_TYPE_EXISTS (-1765328193L)
|
|
jpayne@69
|
8820 #define KRB5_KT_TYPE_EXISTS (-1765328192L)
|
|
jpayne@69
|
8821 #define KRB5_CC_IO (-1765328191L)
|
|
jpayne@69
|
8822 #define KRB5_FCC_PERM (-1765328190L)
|
|
jpayne@69
|
8823 #define KRB5_FCC_NOFILE (-1765328189L)
|
|
jpayne@69
|
8824 #define KRB5_FCC_INTERNAL (-1765328188L)
|
|
jpayne@69
|
8825 #define KRB5_CC_WRITE (-1765328187L)
|
|
jpayne@69
|
8826 #define KRB5_CC_NOMEM (-1765328186L)
|
|
jpayne@69
|
8827 #define KRB5_CC_FORMAT (-1765328185L)
|
|
jpayne@69
|
8828 #define KRB5_CC_NOT_KTYPE (-1765328184L)
|
|
jpayne@69
|
8829 #define KRB5_INVALID_FLAGS (-1765328183L)
|
|
jpayne@69
|
8830 #define KRB5_NO_2ND_TKT (-1765328182L)
|
|
jpayne@69
|
8831 #define KRB5_NOCREDS_SUPPLIED (-1765328181L)
|
|
jpayne@69
|
8832 #define KRB5_SENDAUTH_BADAUTHVERS (-1765328180L)
|
|
jpayne@69
|
8833 #define KRB5_SENDAUTH_BADAPPLVERS (-1765328179L)
|
|
jpayne@69
|
8834 #define KRB5_SENDAUTH_BADRESPONSE (-1765328178L)
|
|
jpayne@69
|
8835 #define KRB5_SENDAUTH_REJECTED (-1765328177L)
|
|
jpayne@69
|
8836 #define KRB5_PREAUTH_BAD_TYPE (-1765328176L)
|
|
jpayne@69
|
8837 #define KRB5_PREAUTH_NO_KEY (-1765328175L)
|
|
jpayne@69
|
8838 #define KRB5_PREAUTH_FAILED (-1765328174L)
|
|
jpayne@69
|
8839 #define KRB5_RCACHE_BADVNO (-1765328173L)
|
|
jpayne@69
|
8840 #define KRB5_CCACHE_BADVNO (-1765328172L)
|
|
jpayne@69
|
8841 #define KRB5_KEYTAB_BADVNO (-1765328171L)
|
|
jpayne@69
|
8842 #define KRB5_PROG_ATYPE_NOSUPP (-1765328170L)
|
|
jpayne@69
|
8843 #define KRB5_RC_REQUIRED (-1765328169L)
|
|
jpayne@69
|
8844 #define KRB5_ERR_BAD_HOSTNAME (-1765328168L)
|
|
jpayne@69
|
8845 #define KRB5_ERR_HOST_REALM_UNKNOWN (-1765328167L)
|
|
jpayne@69
|
8846 #define KRB5_SNAME_UNSUPP_NAMETYPE (-1765328166L)
|
|
jpayne@69
|
8847 #define KRB5KRB_AP_ERR_V4_REPLY (-1765328165L)
|
|
jpayne@69
|
8848 #define KRB5_REALM_CANT_RESOLVE (-1765328164L)
|
|
jpayne@69
|
8849 #define KRB5_TKT_NOT_FORWARDABLE (-1765328163L)
|
|
jpayne@69
|
8850 #define KRB5_FWD_BAD_PRINCIPAL (-1765328162L)
|
|
jpayne@69
|
8851 #define KRB5_GET_IN_TKT_LOOP (-1765328161L)
|
|
jpayne@69
|
8852 #define KRB5_CONFIG_NODEFREALM (-1765328160L)
|
|
jpayne@69
|
8853 #define KRB5_SAM_UNSUPPORTED (-1765328159L)
|
|
jpayne@69
|
8854 #define KRB5_SAM_INVALID_ETYPE (-1765328158L)
|
|
jpayne@69
|
8855 #define KRB5_SAM_NO_CHECKSUM (-1765328157L)
|
|
jpayne@69
|
8856 #define KRB5_SAM_BAD_CHECKSUM (-1765328156L)
|
|
jpayne@69
|
8857 #define KRB5_KT_NAME_TOOLONG (-1765328155L)
|
|
jpayne@69
|
8858 #define KRB5_KT_KVNONOTFOUND (-1765328154L)
|
|
jpayne@69
|
8859 #define KRB5_APPL_EXPIRED (-1765328153L)
|
|
jpayne@69
|
8860 #define KRB5_LIB_EXPIRED (-1765328152L)
|
|
jpayne@69
|
8861 #define KRB5_CHPW_PWDNULL (-1765328151L)
|
|
jpayne@69
|
8862 #define KRB5_CHPW_FAIL (-1765328150L)
|
|
jpayne@69
|
8863 #define KRB5_KT_FORMAT (-1765328149L)
|
|
jpayne@69
|
8864 #define KRB5_NOPERM_ETYPE (-1765328148L)
|
|
jpayne@69
|
8865 #define KRB5_CONFIG_ETYPE_NOSUPP (-1765328147L)
|
|
jpayne@69
|
8866 #define KRB5_OBSOLETE_FN (-1765328146L)
|
|
jpayne@69
|
8867 #define KRB5_EAI_FAIL (-1765328145L)
|
|
jpayne@69
|
8868 #define KRB5_EAI_NODATA (-1765328144L)
|
|
jpayne@69
|
8869 #define KRB5_EAI_NONAME (-1765328143L)
|
|
jpayne@69
|
8870 #define KRB5_EAI_SERVICE (-1765328142L)
|
|
jpayne@69
|
8871 #define KRB5_ERR_NUMERIC_REALM (-1765328141L)
|
|
jpayne@69
|
8872 #define KRB5_ERR_BAD_S2K_PARAMS (-1765328140L)
|
|
jpayne@69
|
8873 #define KRB5_ERR_NO_SERVICE (-1765328139L)
|
|
jpayne@69
|
8874 #define KRB5_CC_READONLY (-1765328138L)
|
|
jpayne@69
|
8875 #define KRB5_CC_NOSUPP (-1765328137L)
|
|
jpayne@69
|
8876 #define KRB5_DELTAT_BADFORMAT (-1765328136L)
|
|
jpayne@69
|
8877 #define KRB5_PLUGIN_NO_HANDLE (-1765328135L)
|
|
jpayne@69
|
8878 #define KRB5_PLUGIN_OP_NOTSUPP (-1765328134L)
|
|
jpayne@69
|
8879 #define KRB5_ERR_INVALID_UTF8 (-1765328133L)
|
|
jpayne@69
|
8880 #define KRB5_ERR_FAST_REQUIRED (-1765328132L)
|
|
jpayne@69
|
8881 #define KRB5_LOCAL_ADDR_REQUIRED (-1765328131L)
|
|
jpayne@69
|
8882 #define KRB5_REMOTE_ADDR_REQUIRED (-1765328130L)
|
|
jpayne@69
|
8883 #define KRB5_TRACE_NOSUPP (-1765328129L)
|
|
jpayne@69
|
8884 #define ERROR_TABLE_BASE_krb5 (-1765328384L)
|
|
jpayne@69
|
8885
|
|
jpayne@69
|
8886 extern const struct error_table et_krb5_error_table;
|
|
jpayne@69
|
8887
|
|
jpayne@69
|
8888 #if !defined(_WIN32)
|
|
jpayne@69
|
8889 /* for compatibility with older versions... */
|
|
jpayne@69
|
8890 extern void initialize_krb5_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
8891 #else
|
|
jpayne@69
|
8892 #define initialize_krb5_error_table()
|
|
jpayne@69
|
8893 #endif
|
|
jpayne@69
|
8894
|
|
jpayne@69
|
8895 #if !defined(_WIN32)
|
|
jpayne@69
|
8896 #define init_krb5_err_tbl initialize_krb5_error_table
|
|
jpayne@69
|
8897 #define krb5_err_base ERROR_TABLE_BASE_krb5
|
|
jpayne@69
|
8898 #endif
|
|
jpayne@69
|
8899 /*
|
|
jpayne@69
|
8900 * et-h-k5e1_err.h:
|
|
jpayne@69
|
8901 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
8902 */
|
|
jpayne@69
|
8903
|
|
jpayne@69
|
8904 #include <com_err.h>
|
|
jpayne@69
|
8905
|
|
jpayne@69
|
8906 #define KRB5_PLUGIN_VER_NOTSUPP (-1750600192L)
|
|
jpayne@69
|
8907 #define KRB5_PLUGIN_BAD_MODULE_SPEC (-1750600191L)
|
|
jpayne@69
|
8908 #define KRB5_PLUGIN_NAME_NOTFOUND (-1750600190L)
|
|
jpayne@69
|
8909 #define KRB5KDC_ERR_DISCARD (-1750600189L)
|
|
jpayne@69
|
8910 #define KRB5_DCC_CANNOT_CREATE (-1750600188L)
|
|
jpayne@69
|
8911 #define KRB5_KCC_INVALID_ANCHOR (-1750600187L)
|
|
jpayne@69
|
8912 #define KRB5_KCC_UNKNOWN_VERSION (-1750600186L)
|
|
jpayne@69
|
8913 #define KRB5_KCC_INVALID_UID (-1750600185L)
|
|
jpayne@69
|
8914 #define KRB5_KCM_MALFORMED_REPLY (-1750600184L)
|
|
jpayne@69
|
8915 #define KRB5_KCM_RPC_ERROR (-1750600183L)
|
|
jpayne@69
|
8916 #define KRB5_KCM_REPLY_TOO_BIG (-1750600182L)
|
|
jpayne@69
|
8917 #define KRB5_KCM_NO_SERVER (-1750600181L)
|
|
jpayne@69
|
8918 #define KRB5_CERTAUTH_HWAUTH (-1750600180L)
|
|
jpayne@69
|
8919 #define KRB5_CERTAUTH_HWAUTH_PASS (-1750600179L)
|
|
jpayne@69
|
8920 #define ERROR_TABLE_BASE_k5e1 (-1750600192L)
|
|
jpayne@69
|
8921
|
|
jpayne@69
|
8922 extern const struct error_table et_k5e1_error_table;
|
|
jpayne@69
|
8923
|
|
jpayne@69
|
8924 #if !defined(_WIN32)
|
|
jpayne@69
|
8925 /* for compatibility with older versions... */
|
|
jpayne@69
|
8926 extern void initialize_k5e1_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
8927 #else
|
|
jpayne@69
|
8928 #define initialize_k5e1_error_table()
|
|
jpayne@69
|
8929 #endif
|
|
jpayne@69
|
8930
|
|
jpayne@69
|
8931 #if !defined(_WIN32)
|
|
jpayne@69
|
8932 #define init_k5e1_err_tbl initialize_k5e1_error_table
|
|
jpayne@69
|
8933 #define k5e1_err_base ERROR_TABLE_BASE_k5e1
|
|
jpayne@69
|
8934 #endif
|
|
jpayne@69
|
8935 /*
|
|
jpayne@69
|
8936 * et-h-kdb5_err.h:
|
|
jpayne@69
|
8937 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
8938 */
|
|
jpayne@69
|
8939
|
|
jpayne@69
|
8940 #include <com_err.h>
|
|
jpayne@69
|
8941
|
|
jpayne@69
|
8942 #define KRB5_KDB_RCSID (-1780008448L)
|
|
jpayne@69
|
8943 #define KRB5_KDB_INUSE (-1780008447L)
|
|
jpayne@69
|
8944 #define KRB5_KDB_UK_SERROR (-1780008446L)
|
|
jpayne@69
|
8945 #define KRB5_KDB_UK_RERROR (-1780008445L)
|
|
jpayne@69
|
8946 #define KRB5_KDB_UNAUTH (-1780008444L)
|
|
jpayne@69
|
8947 #define KRB5_KDB_NOENTRY (-1780008443L)
|
|
jpayne@69
|
8948 #define KRB5_KDB_ILL_WILDCARD (-1780008442L)
|
|
jpayne@69
|
8949 #define KRB5_KDB_DB_INUSE (-1780008441L)
|
|
jpayne@69
|
8950 #define KRB5_KDB_DB_CHANGED (-1780008440L)
|
|
jpayne@69
|
8951 #define KRB5_KDB_TRUNCATED_RECORD (-1780008439L)
|
|
jpayne@69
|
8952 #define KRB5_KDB_RECURSIVELOCK (-1780008438L)
|
|
jpayne@69
|
8953 #define KRB5_KDB_NOTLOCKED (-1780008437L)
|
|
jpayne@69
|
8954 #define KRB5_KDB_BADLOCKMODE (-1780008436L)
|
|
jpayne@69
|
8955 #define KRB5_KDB_DBNOTINITED (-1780008435L)
|
|
jpayne@69
|
8956 #define KRB5_KDB_DBINITED (-1780008434L)
|
|
jpayne@69
|
8957 #define KRB5_KDB_ILLDIRECTION (-1780008433L)
|
|
jpayne@69
|
8958 #define KRB5_KDB_NOMASTERKEY (-1780008432L)
|
|
jpayne@69
|
8959 #define KRB5_KDB_BADMASTERKEY (-1780008431L)
|
|
jpayne@69
|
8960 #define KRB5_KDB_INVALIDKEYSIZE (-1780008430L)
|
|
jpayne@69
|
8961 #define KRB5_KDB_CANTREAD_STORED (-1780008429L)
|
|
jpayne@69
|
8962 #define KRB5_KDB_BADSTORED_MKEY (-1780008428L)
|
|
jpayne@69
|
8963 #define KRB5_KDB_NOACTMASTERKEY (-1780008427L)
|
|
jpayne@69
|
8964 #define KRB5_KDB_KVNONOMATCH (-1780008426L)
|
|
jpayne@69
|
8965 #define KRB5_KDB_STORED_MKEY_NOTCURRENT (-1780008425L)
|
|
jpayne@69
|
8966 #define KRB5_KDB_CANTLOCK_DB (-1780008424L)
|
|
jpayne@69
|
8967 #define KRB5_KDB_DB_CORRUPT (-1780008423L)
|
|
jpayne@69
|
8968 #define KRB5_KDB_BAD_VERSION (-1780008422L)
|
|
jpayne@69
|
8969 #define KRB5_KDB_BAD_SALTTYPE (-1780008421L)
|
|
jpayne@69
|
8970 #define KRB5_KDB_BAD_ENCTYPE (-1780008420L)
|
|
jpayne@69
|
8971 #define KRB5_KDB_BAD_CREATEFLAGS (-1780008419L)
|
|
jpayne@69
|
8972 #define KRB5_KDB_NO_PERMITTED_KEY (-1780008418L)
|
|
jpayne@69
|
8973 #define KRB5_KDB_NO_MATCHING_KEY (-1780008417L)
|
|
jpayne@69
|
8974 #define KRB5_KDB_DBTYPE_NOTFOUND (-1780008416L)
|
|
jpayne@69
|
8975 #define KRB5_KDB_DBTYPE_NOSUP (-1780008415L)
|
|
jpayne@69
|
8976 #define KRB5_KDB_DBTYPE_INIT (-1780008414L)
|
|
jpayne@69
|
8977 #define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008413L)
|
|
jpayne@69
|
8978 #define KRB5_KDB_ACCESS_ERROR (-1780008412L)
|
|
jpayne@69
|
8979 #define KRB5_KDB_INTERNAL_ERROR (-1780008411L)
|
|
jpayne@69
|
8980 #define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008410L)
|
|
jpayne@69
|
8981 #define KRB5_LOG_CONV (-1780008409L)
|
|
jpayne@69
|
8982 #define KRB5_LOG_UNSTABLE (-1780008408L)
|
|
jpayne@69
|
8983 #define KRB5_LOG_CORRUPT (-1780008407L)
|
|
jpayne@69
|
8984 #define KRB5_LOG_ERROR (-1780008406L)
|
|
jpayne@69
|
8985 #define KRB5_KDB_DBTYPE_MISMATCH (-1780008405L)
|
|
jpayne@69
|
8986 #define KRB5_KDB_POLICY_REF (-1780008404L)
|
|
jpayne@69
|
8987 #define KRB5_KDB_STRINGS_TOOLONG (-1780008403L)
|
|
jpayne@69
|
8988 #define ERROR_TABLE_BASE_kdb5 (-1780008448L)
|
|
jpayne@69
|
8989
|
|
jpayne@69
|
8990 extern const struct error_table et_kdb5_error_table;
|
|
jpayne@69
|
8991
|
|
jpayne@69
|
8992 #if !defined(_WIN32)
|
|
jpayne@69
|
8993 /* for compatibility with older versions... */
|
|
jpayne@69
|
8994 extern void initialize_kdb5_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
8995 #else
|
|
jpayne@69
|
8996 #define initialize_kdb5_error_table()
|
|
jpayne@69
|
8997 #endif
|
|
jpayne@69
|
8998
|
|
jpayne@69
|
8999 #if !defined(_WIN32)
|
|
jpayne@69
|
9000 #define init_kdb5_err_tbl initialize_kdb5_error_table
|
|
jpayne@69
|
9001 #define kdb5_err_base ERROR_TABLE_BASE_kdb5
|
|
jpayne@69
|
9002 #endif
|
|
jpayne@69
|
9003 /*
|
|
jpayne@69
|
9004 * et-h-kv5m_err.h:
|
|
jpayne@69
|
9005 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
9006 */
|
|
jpayne@69
|
9007
|
|
jpayne@69
|
9008 #include <com_err.h>
|
|
jpayne@69
|
9009
|
|
jpayne@69
|
9010 #define KV5M_NONE (-1760647424L)
|
|
jpayne@69
|
9011 #define KV5M_PRINCIPAL (-1760647423L)
|
|
jpayne@69
|
9012 #define KV5M_DATA (-1760647422L)
|
|
jpayne@69
|
9013 #define KV5M_KEYBLOCK (-1760647421L)
|
|
jpayne@69
|
9014 #define KV5M_CHECKSUM (-1760647420L)
|
|
jpayne@69
|
9015 #define KV5M_ENCRYPT_BLOCK (-1760647419L)
|
|
jpayne@69
|
9016 #define KV5M_ENC_DATA (-1760647418L)
|
|
jpayne@69
|
9017 #define KV5M_CRYPTOSYSTEM_ENTRY (-1760647417L)
|
|
jpayne@69
|
9018 #define KV5M_CS_TABLE_ENTRY (-1760647416L)
|
|
jpayne@69
|
9019 #define KV5M_CHECKSUM_ENTRY (-1760647415L)
|
|
jpayne@69
|
9020 #define KV5M_AUTHDATA (-1760647414L)
|
|
jpayne@69
|
9021 #define KV5M_TRANSITED (-1760647413L)
|
|
jpayne@69
|
9022 #define KV5M_ENC_TKT_PART (-1760647412L)
|
|
jpayne@69
|
9023 #define KV5M_TICKET (-1760647411L)
|
|
jpayne@69
|
9024 #define KV5M_AUTHENTICATOR (-1760647410L)
|
|
jpayne@69
|
9025 #define KV5M_TKT_AUTHENT (-1760647409L)
|
|
jpayne@69
|
9026 #define KV5M_CREDS (-1760647408L)
|
|
jpayne@69
|
9027 #define KV5M_LAST_REQ_ENTRY (-1760647407L)
|
|
jpayne@69
|
9028 #define KV5M_PA_DATA (-1760647406L)
|
|
jpayne@69
|
9029 #define KV5M_KDC_REQ (-1760647405L)
|
|
jpayne@69
|
9030 #define KV5M_ENC_KDC_REP_PART (-1760647404L)
|
|
jpayne@69
|
9031 #define KV5M_KDC_REP (-1760647403L)
|
|
jpayne@69
|
9032 #define KV5M_ERROR (-1760647402L)
|
|
jpayne@69
|
9033 #define KV5M_AP_REQ (-1760647401L)
|
|
jpayne@69
|
9034 #define KV5M_AP_REP (-1760647400L)
|
|
jpayne@69
|
9035 #define KV5M_AP_REP_ENC_PART (-1760647399L)
|
|
jpayne@69
|
9036 #define KV5M_RESPONSE (-1760647398L)
|
|
jpayne@69
|
9037 #define KV5M_SAFE (-1760647397L)
|
|
jpayne@69
|
9038 #define KV5M_PRIV (-1760647396L)
|
|
jpayne@69
|
9039 #define KV5M_PRIV_ENC_PART (-1760647395L)
|
|
jpayne@69
|
9040 #define KV5M_CRED (-1760647394L)
|
|
jpayne@69
|
9041 #define KV5M_CRED_INFO (-1760647393L)
|
|
jpayne@69
|
9042 #define KV5M_CRED_ENC_PART (-1760647392L)
|
|
jpayne@69
|
9043 #define KV5M_PWD_DATA (-1760647391L)
|
|
jpayne@69
|
9044 #define KV5M_ADDRESS (-1760647390L)
|
|
jpayne@69
|
9045 #define KV5M_KEYTAB_ENTRY (-1760647389L)
|
|
jpayne@69
|
9046 #define KV5M_CONTEXT (-1760647388L)
|
|
jpayne@69
|
9047 #define KV5M_OS_CONTEXT (-1760647387L)
|
|
jpayne@69
|
9048 #define KV5M_ALT_METHOD (-1760647386L)
|
|
jpayne@69
|
9049 #define KV5M_ETYPE_INFO_ENTRY (-1760647385L)
|
|
jpayne@69
|
9050 #define KV5M_DB_CONTEXT (-1760647384L)
|
|
jpayne@69
|
9051 #define KV5M_AUTH_CONTEXT (-1760647383L)
|
|
jpayne@69
|
9052 #define KV5M_KEYTAB (-1760647382L)
|
|
jpayne@69
|
9053 #define KV5M_RCACHE (-1760647381L)
|
|
jpayne@69
|
9054 #define KV5M_CCACHE (-1760647380L)
|
|
jpayne@69
|
9055 #define KV5M_PREAUTH_OPS (-1760647379L)
|
|
jpayne@69
|
9056 #define KV5M_SAM_CHALLENGE (-1760647378L)
|
|
jpayne@69
|
9057 #define KV5M_SAM_CHALLENGE_2 (-1760647377L)
|
|
jpayne@69
|
9058 #define KV5M_SAM_KEY (-1760647376L)
|
|
jpayne@69
|
9059 #define KV5M_ENC_SAM_RESPONSE_ENC (-1760647375L)
|
|
jpayne@69
|
9060 #define KV5M_ENC_SAM_RESPONSE_ENC_2 (-1760647374L)
|
|
jpayne@69
|
9061 #define KV5M_SAM_RESPONSE (-1760647373L)
|
|
jpayne@69
|
9062 #define KV5M_SAM_RESPONSE_2 (-1760647372L)
|
|
jpayne@69
|
9063 #define KV5M_PREDICTED_SAM_RESPONSE (-1760647371L)
|
|
jpayne@69
|
9064 #define KV5M_PASSWD_PHRASE_ELEMENT (-1760647370L)
|
|
jpayne@69
|
9065 #define KV5M_GSS_OID (-1760647369L)
|
|
jpayne@69
|
9066 #define KV5M_GSS_QUEUE (-1760647368L)
|
|
jpayne@69
|
9067 #define KV5M_FAST_ARMORED_REQ (-1760647367L)
|
|
jpayne@69
|
9068 #define KV5M_FAST_REQ (-1760647366L)
|
|
jpayne@69
|
9069 #define KV5M_FAST_RESPONSE (-1760647365L)
|
|
jpayne@69
|
9070 #define KV5M_AUTHDATA_CONTEXT (-1760647364L)
|
|
jpayne@69
|
9071 #define ERROR_TABLE_BASE_kv5m (-1760647424L)
|
|
jpayne@69
|
9072
|
|
jpayne@69
|
9073 extern const struct error_table et_kv5m_error_table;
|
|
jpayne@69
|
9074
|
|
jpayne@69
|
9075 #if !defined(_WIN32)
|
|
jpayne@69
|
9076 /* for compatibility with older versions... */
|
|
jpayne@69
|
9077 extern void initialize_kv5m_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
9078 #else
|
|
jpayne@69
|
9079 #define initialize_kv5m_error_table()
|
|
jpayne@69
|
9080 #endif
|
|
jpayne@69
|
9081
|
|
jpayne@69
|
9082 #if !defined(_WIN32)
|
|
jpayne@69
|
9083 #define init_kv5m_err_tbl initialize_kv5m_error_table
|
|
jpayne@69
|
9084 #define kv5m_err_base ERROR_TABLE_BASE_kv5m
|
|
jpayne@69
|
9085 #endif
|
|
jpayne@69
|
9086 /*
|
|
jpayne@69
|
9087 * et-h-krb524_err.h:
|
|
jpayne@69
|
9088 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
9089 */
|
|
jpayne@69
|
9090
|
|
jpayne@69
|
9091 #include <com_err.h>
|
|
jpayne@69
|
9092
|
|
jpayne@69
|
9093 #define KRB524_BADKEY (-1750206208L)
|
|
jpayne@69
|
9094 #define KRB524_BADADDR (-1750206207L)
|
|
jpayne@69
|
9095 #define KRB524_BADPRINC (-1750206206L)
|
|
jpayne@69
|
9096 #define KRB524_BADREALM (-1750206205L)
|
|
jpayne@69
|
9097 #define KRB524_V4ERR (-1750206204L)
|
|
jpayne@69
|
9098 #define KRB524_ENCFULL (-1750206203L)
|
|
jpayne@69
|
9099 #define KRB524_DECEMPTY (-1750206202L)
|
|
jpayne@69
|
9100 #define KRB524_NOTRESP (-1750206201L)
|
|
jpayne@69
|
9101 #define KRB524_KRB4_DISABLED (-1750206200L)
|
|
jpayne@69
|
9102 #define ERROR_TABLE_BASE_k524 (-1750206208L)
|
|
jpayne@69
|
9103
|
|
jpayne@69
|
9104 extern const struct error_table et_k524_error_table;
|
|
jpayne@69
|
9105
|
|
jpayne@69
|
9106 #if !defined(_WIN32)
|
|
jpayne@69
|
9107 /* for compatibility with older versions... */
|
|
jpayne@69
|
9108 extern void initialize_k524_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
9109 #else
|
|
jpayne@69
|
9110 #define initialize_k524_error_table()
|
|
jpayne@69
|
9111 #endif
|
|
jpayne@69
|
9112
|
|
jpayne@69
|
9113 #if !defined(_WIN32)
|
|
jpayne@69
|
9114 #define init_k524_err_tbl initialize_k524_error_table
|
|
jpayne@69
|
9115 #define k524_err_base ERROR_TABLE_BASE_k524
|
|
jpayne@69
|
9116 #endif
|
|
jpayne@69
|
9117 /*
|
|
jpayne@69
|
9118 * et-h-asn1_err.h:
|
|
jpayne@69
|
9119 * This file is automatically generated; please do not edit it.
|
|
jpayne@69
|
9120 */
|
|
jpayne@69
|
9121
|
|
jpayne@69
|
9122 #include <com_err.h>
|
|
jpayne@69
|
9123
|
|
jpayne@69
|
9124 #define ASN1_BAD_TIMEFORMAT (1859794432L)
|
|
jpayne@69
|
9125 #define ASN1_MISSING_FIELD (1859794433L)
|
|
jpayne@69
|
9126 #define ASN1_MISPLACED_FIELD (1859794434L)
|
|
jpayne@69
|
9127 #define ASN1_TYPE_MISMATCH (1859794435L)
|
|
jpayne@69
|
9128 #define ASN1_OVERFLOW (1859794436L)
|
|
jpayne@69
|
9129 #define ASN1_OVERRUN (1859794437L)
|
|
jpayne@69
|
9130 #define ASN1_BAD_ID (1859794438L)
|
|
jpayne@69
|
9131 #define ASN1_BAD_LENGTH (1859794439L)
|
|
jpayne@69
|
9132 #define ASN1_BAD_FORMAT (1859794440L)
|
|
jpayne@69
|
9133 #define ASN1_PARSE_ERROR (1859794441L)
|
|
jpayne@69
|
9134 #define ASN1_BAD_GMTIME (1859794442L)
|
|
jpayne@69
|
9135 #define ASN1_INDEF (1859794443L)
|
|
jpayne@69
|
9136 #define ASN1_MISSING_EOC (1859794444L)
|
|
jpayne@69
|
9137 #define ASN1_OMITTED (1859794445L)
|
|
jpayne@69
|
9138 #define ERROR_TABLE_BASE_asn1 (1859794432L)
|
|
jpayne@69
|
9139
|
|
jpayne@69
|
9140 extern const struct error_table et_asn1_error_table;
|
|
jpayne@69
|
9141
|
|
jpayne@69
|
9142 #if !defined(_WIN32)
|
|
jpayne@69
|
9143 /* for compatibility with older versions... */
|
|
jpayne@69
|
9144 extern void initialize_asn1_error_table (void) /*@modifies internalState@*/;
|
|
jpayne@69
|
9145 #else
|
|
jpayne@69
|
9146 #define initialize_asn1_error_table()
|
|
jpayne@69
|
9147 #endif
|
|
jpayne@69
|
9148
|
|
jpayne@69
|
9149 #if !defined(_WIN32)
|
|
jpayne@69
|
9150 #define init_asn1_err_tbl initialize_asn1_error_table
|
|
jpayne@69
|
9151 #define asn1_err_base ERROR_TABLE_BASE_asn1
|
|
jpayne@69
|
9152 #endif
|
|
jpayne@69
|
9153 #endif /* KRB5_KRB5_H_INCLUDED */
|
