jpayne@69: /* This file is generated, please don't edit it directly. */ jpayne@69: #ifndef KRB5_KRB5_H_INCLUDED jpayne@69: #define KRB5_KRB5_H_INCLUDED jpayne@69: /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ jpayne@69: /* General definitions for Kerberos version 5. */ jpayne@69: /* jpayne@69: * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts jpayne@69: * Institute of Technology. All Rights Reserved. jpayne@69: * jpayne@69: * Export of this software from the United States of America may jpayne@69: * require a specific license from the United States Government. jpayne@69: * It is the responsibility of any person or organization contemplating jpayne@69: * export to obtain such a license before exporting. jpayne@69: * jpayne@69: * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and jpayne@69: * distribute this software and its documentation for any purpose and jpayne@69: * without fee is hereby granted, provided that the above copyright jpayne@69: * notice appear in all copies and that both that copyright notice and jpayne@69: * this permission notice appear in supporting documentation, and that jpayne@69: * the name of M.I.T. not be used in advertising or publicity pertaining jpayne@69: * to distribution of the software without specific, written prior jpayne@69: * permission. Furthermore if you modify this software you must label jpayne@69: * your software as modified software and not distribute it in such a jpayne@69: * fashion that it might be confused with the original M.I.T. software. jpayne@69: * M.I.T. makes no representations about the suitability of jpayne@69: * this software for any purpose. It is provided "as is" without express jpayne@69: * or implied warranty. jpayne@69: */ jpayne@69: /* jpayne@69: * Copyright (C) 1998 by the FundsXpress, INC. jpayne@69: * jpayne@69: * All rights reserved. jpayne@69: * jpayne@69: * Export of this software from the United States of America may require jpayne@69: * a specific license from the United States Government. It is the jpayne@69: * responsibility of any person or organization contemplating export to jpayne@69: * obtain such a license before exporting. jpayne@69: * jpayne@69: * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and jpayne@69: * distribute this software and its documentation for any purpose and jpayne@69: * without fee is hereby granted, provided that the above copyright jpayne@69: * notice appear in all copies and that both that copyright notice and jpayne@69: * this permission notice appear in supporting documentation, and that jpayne@69: * the name of FundsXpress. not be used in advertising or publicity pertaining jpayne@69: * to distribution of the software without specific, written prior jpayne@69: * permission. FundsXpress makes no representations about the suitability of jpayne@69: * this software for any purpose. It is provided "as is" without express jpayne@69: * or implied warranty. jpayne@69: * jpayne@69: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR jpayne@69: * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED jpayne@69: * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. jpayne@69: */ jpayne@69: jpayne@69: #ifndef KRB5_GENERAL__ jpayne@69: #define KRB5_GENERAL__ jpayne@69: jpayne@69: /** @defgroup KRB5_H krb5 library API jpayne@69: * @{ jpayne@69: */ jpayne@69: jpayne@69: /* By default, do not expose deprecated interfaces. */ jpayne@69: #ifndef KRB5_DEPRECATED jpayne@69: #define KRB5_DEPRECATED 0 jpayne@69: #endif jpayne@69: jpayne@69: #if defined(__MACH__) && defined(__APPLE__) jpayne@69: # include jpayne@69: # if TARGET_RT_MAC_CFM jpayne@69: # error "Use KfM 4.0 SDK headers for CFM compilation." jpayne@69: # endif jpayne@69: #endif jpayne@69: jpayne@69: #if defined(_MSDOS) || defined(_WIN32) jpayne@69: #include jpayne@69: #endif jpayne@69: jpayne@69: #ifndef KRB5_CONFIG__ jpayne@69: #ifndef KRB5_CALLCONV jpayne@69: #define KRB5_CALLCONV jpayne@69: #define KRB5_CALLCONV_C jpayne@69: #endif /* !KRB5_CALLCONV */ jpayne@69: #endif /* !KRB5_CONFIG__ */ jpayne@69: jpayne@69: #ifndef KRB5_CALLCONV_WRONG jpayne@69: #define KRB5_CALLCONV_WRONG jpayne@69: #endif jpayne@69: jpayne@69: #ifndef THREEPARAMOPEN jpayne@69: #define THREEPARAMOPEN(x,y,z) open(x,y,z) jpayne@69: #endif jpayne@69: jpayne@69: #define KRB5_OLD_CRYPTO jpayne@69: jpayne@69: #include jpayne@69: #include /* for *_MAX */ jpayne@69: #include jpayne@69: #include jpayne@69: jpayne@69: #ifndef KRB5INT_BEGIN_DECLS jpayne@69: #if defined(__cplusplus) jpayne@69: #define KRB5INT_BEGIN_DECLS extern "C" { jpayne@69: #define KRB5INT_END_DECLS } jpayne@69: #else jpayne@69: #define KRB5INT_BEGIN_DECLS jpayne@69: #define KRB5INT_END_DECLS jpayne@69: #endif jpayne@69: #endif jpayne@69: jpayne@69: KRB5INT_BEGIN_DECLS jpayne@69: jpayne@69: #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) jpayne@69: #pragma pack(push,2) jpayne@69: #endif jpayne@69: jpayne@69: #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 30203 jpayne@69: # define KRB5_ATTR_DEPRECATED __attribute__((deprecated)) jpayne@69: #elif defined _WIN32 jpayne@69: # define KRB5_ATTR_DEPRECATED __declspec(deprecated) jpayne@69: #else jpayne@69: # define KRB5_ATTR_DEPRECATED jpayne@69: #endif jpayne@69: jpayne@69: /* from profile.h */ jpayne@69: struct _profile_t; jpayne@69: /* typedef struct _profile_t *profile_t; */ jpayne@69: jpayne@69: /* jpayne@69: * begin wordsize.h jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * Word-size related definition. jpayne@69: */ jpayne@69: jpayne@69: typedef uint8_t krb5_octet; jpayne@69: typedef int16_t krb5_int16; jpayne@69: typedef uint16_t krb5_ui_2; jpayne@69: typedef int32_t krb5_int32; jpayne@69: typedef uint32_t krb5_ui_4; jpayne@69: jpayne@69: #define VALID_INT_BITS INT_MAX jpayne@69: #define VALID_UINT_BITS UINT_MAX jpayne@69: jpayne@69: #define KRB5_INT32_MAX 2147483647 jpayne@69: /* this strange form is necessary since - is a unary operator, not a sign jpayne@69: indicator */ jpayne@69: #define KRB5_INT32_MIN (-KRB5_INT32_MAX-1) jpayne@69: jpayne@69: #define KRB5_INT16_MAX 65535 jpayne@69: /* this strange form is necessary since - is a unary operator, not a sign jpayne@69: indicator */ jpayne@69: #define KRB5_INT16_MIN (-KRB5_INT16_MAX-1) jpayne@69: jpayne@69: /* jpayne@69: * end wordsize.h jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "base-defs.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * Basic definitions for Kerberos V5 library jpayne@69: */ jpayne@69: jpayne@69: #ifndef FALSE jpayne@69: #define FALSE 0 jpayne@69: #endif jpayne@69: #ifndef TRUE jpayne@69: #define TRUE 1 jpayne@69: #endif jpayne@69: jpayne@69: typedef unsigned int krb5_boolean; jpayne@69: typedef unsigned int krb5_msgtype; jpayne@69: typedef unsigned int krb5_kvno; jpayne@69: jpayne@69: typedef krb5_int32 krb5_addrtype; jpayne@69: typedef krb5_int32 krb5_enctype; jpayne@69: typedef krb5_int32 krb5_cksumtype; jpayne@69: typedef krb5_int32 krb5_authdatatype; jpayne@69: typedef krb5_int32 krb5_keyusage; jpayne@69: typedef krb5_int32 krb5_cryptotype; jpayne@69: jpayne@69: typedef krb5_int32 krb5_preauthtype; /* This may change, later on */ jpayne@69: typedef krb5_int32 krb5_flags; jpayne@69: jpayne@69: /** jpayne@69: * Represents a timestamp in seconds since the POSIX epoch. This legacy type jpayne@69: * is used frequently in the ABI, but cannot represent timestamps after 2038 as jpayne@69: * a positive number. Code which uses this type should cast values of it to jpayne@69: * uint32_t so that negative values are treated as timestamps between 2038 and jpayne@69: * 2106 on platforms with 64-bit time_t. jpayne@69: */ jpayne@69: typedef krb5_int32 krb5_timestamp; jpayne@69: jpayne@69: typedef krb5_int32 krb5_deltat; jpayne@69: jpayne@69: /** jpayne@69: * Used to convey an operation status. The value 0 indicates success; any jpayne@69: * other values are com_err codes. Use krb5_get_error_message() to obtain a jpayne@69: * string describing the error. jpayne@69: */ jpayne@69: typedef krb5_int32 krb5_error_code; jpayne@69: jpayne@69: typedef krb5_error_code krb5_magic; jpayne@69: jpayne@69: typedef struct _krb5_data { jpayne@69: krb5_magic magic; jpayne@69: unsigned int length; jpayne@69: char *data; jpayne@69: } krb5_data; jpayne@69: jpayne@69: /* Originally introduced for PKINIT; now unused. Do not use this. */ jpayne@69: typedef struct _krb5_octet_data { jpayne@69: krb5_magic magic; jpayne@69: unsigned int length; jpayne@69: krb5_octet *data; jpayne@69: } krb5_octet_data; jpayne@69: jpayne@69: /* Originally used to recognize AFS and default salts. No longer used. */ jpayne@69: #define SALT_TYPE_AFS_LENGTH UINT_MAX jpayne@69: #define SALT_TYPE_NO_LENGTH UINT_MAX jpayne@69: jpayne@69: typedef void * krb5_pointer; jpayne@69: typedef void const * krb5_const_pointer; jpayne@69: jpayne@69: typedef struct krb5_principal_data { jpayne@69: krb5_magic magic; jpayne@69: krb5_data realm; jpayne@69: krb5_data *data; /**< An array of strings */ jpayne@69: krb5_int32 length; jpayne@69: krb5_int32 type; jpayne@69: } krb5_principal_data; jpayne@69: jpayne@69: typedef krb5_principal_data * krb5_principal; jpayne@69: jpayne@69: /* jpayne@69: * Per V5 spec on definition of principal types jpayne@69: */ jpayne@69: jpayne@69: #define KRB5_NT_UNKNOWN 0 /**< Name type not known */ jpayne@69: #define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal jpayne@69: as in DCE, or for users */ jpayne@69: #define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */ jpayne@69: #define KRB5_NT_SRV_HST 3 /**< Service with host name as instance jpayne@69: (telnet, rcommands) */ jpayne@69: #define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */ jpayne@69: #define KRB5_NT_UID 5 /**< Unique ID */ jpayne@69: #define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */ jpayne@69: #define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */ jpayne@69: #define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */ jpayne@69: #define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */ jpayne@69: #define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of jpayne@69: NT_WELLKNOWN principals */ jpayne@69: #define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */ jpayne@69: #define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */ jpayne@69: #define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */ jpayne@69: jpayne@69: /** Constant version of krb5_principal_data. */ jpayne@69: typedef const krb5_principal_data *krb5_const_principal; jpayne@69: jpayne@69: #define krb5_princ_realm(context, princ) (&(princ)->realm) jpayne@69: #define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value)) jpayne@69: #define krb5_princ_set_realm_length(context, princ,value) (princ)->realm.length = (value) jpayne@69: #define krb5_princ_set_realm_data(context, princ,value) (princ)->realm.data = (value) jpayne@69: #define krb5_princ_size(context, princ) (princ)->length jpayne@69: #define krb5_princ_type(context, princ) (princ)->type jpayne@69: #define krb5_princ_name(context, princ) (princ)->data jpayne@69: #define krb5_princ_component(context, princ,i) \ jpayne@69: (((i) < krb5_princ_size(context, princ)) \ jpayne@69: ? (princ)->data + (i) \ jpayne@69: : NULL) jpayne@69: jpayne@69: /** Constant for realm referrals. */ jpayne@69: #define KRB5_REFERRAL_REALM "" jpayne@69: jpayne@69: /* jpayne@69: * Referral-specific functions. jpayne@69: */ jpayne@69: jpayne@69: /** jpayne@69: * Check for a match with KRB5_REFERRAL_REALM. jpayne@69: * jpayne@69: * @param [in] r Realm to check jpayne@69: * jpayne@69: * @return @c TRUE if @a r is zero-length, @c FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_is_referral_realm(const krb5_data *r); jpayne@69: jpayne@69: /** jpayne@69: * Return an anonymous realm data. jpayne@69: * jpayne@69: * This function returns constant storage that must not be freed. jpayne@69: * jpayne@69: * @sa #KRB5_ANONYMOUS_REALMSTR jpayne@69: */ jpayne@69: const krb5_data *KRB5_CALLCONV jpayne@69: krb5_anonymous_realm(void); jpayne@69: jpayne@69: /** jpayne@69: * Build an anonymous principal. jpayne@69: * jpayne@69: * This function returns constant storage that must not be freed. jpayne@69: * jpayne@69: * @sa #KRB5_ANONYMOUS_PRINCSTR jpayne@69: */ jpayne@69: krb5_const_principal KRB5_CALLCONV jpayne@69: krb5_anonymous_principal(void); jpayne@69: jpayne@69: #define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */ jpayne@69: #define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */ jpayne@69: /* jpayne@69: * end "base-defs.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "hostaddr.h" jpayne@69: */ jpayne@69: jpayne@69: /** Structure for address */ jpayne@69: typedef struct _krb5_address { jpayne@69: krb5_magic magic; jpayne@69: krb5_addrtype addrtype; jpayne@69: unsigned int length; jpayne@69: krb5_octet *contents; jpayne@69: } krb5_address; jpayne@69: jpayne@69: /* per Kerberos v5 protocol spec */ jpayne@69: #define ADDRTYPE_INET 0x0002 jpayne@69: #define ADDRTYPE_CHAOS 0x0005 jpayne@69: #define ADDRTYPE_XNS 0x0006 jpayne@69: #define ADDRTYPE_ISO 0x0007 jpayne@69: #define ADDRTYPE_DDP 0x0010 jpayne@69: #define ADDRTYPE_NETBIOS 0x0014 jpayne@69: #define ADDRTYPE_INET6 0x0018 jpayne@69: /* not yet in the spec... */ jpayne@69: #define ADDRTYPE_ADDRPORT 0x0100 jpayne@69: #define ADDRTYPE_IPPORT 0x0101 jpayne@69: jpayne@69: /* macros to determine if a type is a local type */ jpayne@69: #define ADDRTYPE_IS_LOCAL(addrtype) (addrtype & 0x8000) jpayne@69: jpayne@69: /* jpayne@69: * end "hostaddr.h" jpayne@69: */ jpayne@69: jpayne@69: jpayne@69: struct _krb5_context; jpayne@69: typedef struct _krb5_context * krb5_context; jpayne@69: jpayne@69: struct _krb5_auth_context; jpayne@69: typedef struct _krb5_auth_context * krb5_auth_context; jpayne@69: jpayne@69: struct _krb5_cryptosystem_entry; jpayne@69: jpayne@69: /* jpayne@69: * begin "encryption.h" jpayne@69: */ jpayne@69: jpayne@69: /** Exposed contents of a key. */ jpayne@69: typedef struct _krb5_keyblock { jpayne@69: krb5_magic magic; jpayne@69: krb5_enctype enctype; jpayne@69: unsigned int length; jpayne@69: krb5_octet *contents; jpayne@69: } krb5_keyblock; jpayne@69: jpayne@69: struct krb5_key_st; jpayne@69: /** jpayne@69: * Opaque identifier for a key. jpayne@69: * jpayne@69: * Use with the krb5_k APIs for better performance for repeated operations with jpayne@69: * the same key and usage. Key identifiers must not be used simultaneously jpayne@69: * within multiple threads, as they may contain mutable internal state and are jpayne@69: * not mutex-protected. jpayne@69: */ jpayne@69: typedef struct krb5_key_st *krb5_key; jpayne@69: jpayne@69: #ifdef KRB5_OLD_CRYPTO jpayne@69: typedef struct _krb5_encrypt_block { jpayne@69: krb5_magic magic; jpayne@69: krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need jpayne@69: this. it was a pointer, but it jpayne@69: doesn't have to be. gross. */ jpayne@69: krb5_keyblock *key; jpayne@69: } krb5_encrypt_block; jpayne@69: #endif jpayne@69: jpayne@69: typedef struct _krb5_checksum { jpayne@69: krb5_magic magic; jpayne@69: krb5_cksumtype checksum_type; /* checksum type */ jpayne@69: unsigned int length; jpayne@69: krb5_octet *contents; jpayne@69: } krb5_checksum; jpayne@69: jpayne@69: typedef struct _krb5_enc_data { jpayne@69: krb5_magic magic; jpayne@69: krb5_enctype enctype; jpayne@69: krb5_kvno kvno; jpayne@69: krb5_data ciphertext; jpayne@69: } krb5_enc_data; jpayne@69: jpayne@69: /** jpayne@69: * Structure to describe a region of text to be encrypted or decrypted. jpayne@69: * jpayne@69: * The @a flags member describes the type of the iov. jpayne@69: * The @a data member points to the memory that will be manipulated. jpayne@69: * All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's jpayne@69: * along with the size of that array. Buffer contents are manipulated in-place; jpayne@69: * data is overwritten. Callers must allocate the right number of krb5_crypto_iov jpayne@69: * structures before calling into an iov API. jpayne@69: */ jpayne@69: typedef struct _krb5_crypto_iov { jpayne@69: krb5_cryptotype flags; /**< @ref KRB5_CRYPTO_TYPE type of the iov */ jpayne@69: krb5_data data; jpayne@69: } krb5_crypto_iov; jpayne@69: jpayne@69: /* per Kerberos v5 protocol spec */ jpayne@69: #define ENCTYPE_NULL 0x0000 jpayne@69: #define ENCTYPE_DES_CBC_CRC 0x0001 /**< @deprecated no longer supported */ jpayne@69: #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ jpayne@69: #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ jpayne@69: #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ jpayne@69: #define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */ jpayne@69: #define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */ jpayne@69: #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ jpayne@69: /* PKINIT */ jpayne@69: #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ jpayne@69: #define ENCTYPE_MD5_RSA_CMS 0x000a /**< MD5 with RSA, CMS signature */ jpayne@69: #define ENCTYPE_SHA1_RSA_CMS 0x000b /**< SHA1 with RSA, CMS signature */ jpayne@69: #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */ jpayne@69: #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */ jpayne@69: #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */ jpayne@69: #define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */ jpayne@69: jpayne@69: #define ENCTYPE_DES3_CBC_SHA1 0x0010 jpayne@69: #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ jpayne@69: #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ jpayne@69: #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ jpayne@69: #define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014 /**< RFC 8009 */ jpayne@69: #define ENCTYPE_ARCFOUR_HMAC 0x0017 /**< RFC 4757 */ jpayne@69: #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 /**< RFC 4757 */ jpayne@69: #define ENCTYPE_CAMELLIA128_CTS_CMAC 0x0019 /**< RFC 6803 */ jpayne@69: #define ENCTYPE_CAMELLIA256_CTS_CMAC 0x001a /**< RFC 6803 */ jpayne@69: #define ENCTYPE_UNKNOWN 0x01ff jpayne@69: jpayne@69: /* jpayne@69: * Historically we used the value 9 for unkeyed SHA-1. RFC 3961 assigns this jpayne@69: * value to rsa-md5-des3, which fortunately is unused. For ABI compatibility jpayne@69: * we allow either 9 or 14 for SHA-1. jpayne@69: */ jpayne@69: #define CKSUMTYPE_CRC32 0x0001 jpayne@69: #define CKSUMTYPE_RSA_MD4 0x0002 jpayne@69: #define CKSUMTYPE_RSA_MD4_DES 0x0003 jpayne@69: #define CKSUMTYPE_DESCBC 0x0004 jpayne@69: /* des-mac-k */ jpayne@69: /* rsa-md4-des-k */ jpayne@69: #define CKSUMTYPE_RSA_MD5 0x0007 jpayne@69: #define CKSUMTYPE_RSA_MD5_DES 0x0008 jpayne@69: #define CKSUMTYPE_NIST_SHA 0x0009 jpayne@69: #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c jpayne@69: #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */ jpayne@69: #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with jpayne@69: ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ jpayne@69: #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with jpayne@69: ENCTYPE_AES256_CTS_HMAC_SHA1_96 */ jpayne@69: #define CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013 /**< RFC 8009 */ jpayne@69: #define CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014 /**< RFC 8009 */ jpayne@69: #define CKSUMTYPE_CMAC_CAMELLIA128 0x0011 /**< RFC 6803 */ jpayne@69: #define CKSUMTYPE_CMAC_CAMELLIA256 0x0012 /**< RFC 6803 */ jpayne@69: #define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon */ jpayne@69: #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /**< RFC 4757 */ jpayne@69: jpayne@69: /* Constants for the deprecated krb5_c_random_add_entropy() */ jpayne@69: enum { jpayne@69: KRB5_C_RANDSOURCE_OLDAPI = 0, jpayne@69: KRB5_C_RANDSOURCE_OSRAND = 1, jpayne@69: KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, jpayne@69: KRB5_C_RANDSOURCE_TIMING = 3, jpayne@69: KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, jpayne@69: KRB5_C_RANDSOURCE_MAX = 5 jpayne@69: }; jpayne@69: jpayne@69: #ifndef krb5_roundup jpayne@69: /* round x up to nearest multiple of y */ jpayne@69: #define krb5_roundup(x, y) ((((x) + (y) - 1)/(y))*(y)) jpayne@69: #endif /* roundup */ jpayne@69: jpayne@69: /* macro function definitions to help clean up code */ jpayne@69: jpayne@69: #if 1 jpayne@69: #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) jpayne@69: #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) jpayne@69: #else jpayne@69: #define krb5_x(ptr,args) ((*(ptr)) args) jpayne@69: #define krb5_xc(ptr,args) ((*(ptr)) args) jpayne@69: #endif jpayne@69: jpayne@69: /** jpayne@69: * Encrypt data using a key (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in] input Data to be encrypted jpayne@69: * @param [out] output Encrypted data jpayne@69: * jpayne@69: * This function encrypts the data block @a input and stores the output into @a jpayne@69: * output. The actual encryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the encryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * jpayne@69: * @note The caller must initialize @a output and allocate at least enough jpayne@69: * space for the result (using krb5_c_encrypt_length() to determine the amount jpayne@69: * of space needed). @a output->length will be set to the actual length of the jpayne@69: * ciphertext. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, jpayne@69: krb5_keyusage usage, const krb5_data *cipher_state, jpayne@69: const krb5_data *input, krb5_enc_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Decrypt data using a key (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in] input Encrypted data jpayne@69: * @param [out] output Decrypted data jpayne@69: * jpayne@69: * This function decrypts the data block @a input and stores the output into @a jpayne@69: * output. The actual decryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the decryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * jpayne@69: * @note The caller must initialize @a output and allocate at least enough jpayne@69: * space for the result. The usual practice is to allocate an output buffer as jpayne@69: * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. jpayne@69: * For some enctypes, the resulting @a output->length may include padding jpayne@69: * bytes. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_decrypt(krb5_context context, const krb5_keyblock *key, jpayne@69: krb5_keyusage usage, const krb5_data *cipher_state, jpayne@69: const krb5_enc_data *input, krb5_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Compute encrypted data length. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] inputlen Length of the data to be encrypted jpayne@69: * @param [out] length Length of the encrypted data jpayne@69: * jpayne@69: * This function computes the length of the ciphertext produced by encrypting jpayne@69: * @a inputlen bytes including padding, confounder, and checksum. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, jpayne@69: size_t inputlen, size_t *length); jpayne@69: jpayne@69: /** jpayne@69: * Return cipher block size. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [out] blocksize Block size for @a enctype jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_block_size(krb5_context context, krb5_enctype enctype, jpayne@69: size_t *blocksize); jpayne@69: jpayne@69: /** jpayne@69: * Return length of the specified key in bytes. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [out] keybytes Number of bytes required to make a key jpayne@69: * @param [out] keylength Length of final key jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_keylengths(krb5_context context, krb5_enctype enctype, jpayne@69: size_t *keybytes, size_t *keylength); jpayne@69: jpayne@69: /** jpayne@69: * Initialize a new cipher state. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [out] new_state New cipher state jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_init_state(krb5_context context, const krb5_keyblock *key, jpayne@69: krb5_keyusage usage, krb5_data *new_state); jpayne@69: jpayne@69: /** jpayne@69: * Free a cipher state previously allocated by krb5_c_init_state(). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Key jpayne@69: * @param [in] state Cipher state to be freed jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_free_state(krb5_context context, const krb5_keyblock *key, jpayne@69: krb5_data *state); jpayne@69: jpayne@69: /** jpayne@69: * Generate enctype-specific pseudo-random bytes. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keyblock Key jpayne@69: * @param [in] input Input data jpayne@69: * @param [out] output Output data jpayne@69: * jpayne@69: * This function selects a pseudo-random function based on @a keyblock and jpayne@69: * computes its value over @a input, placing the result into @a output. jpayne@69: * The caller must preinitialize @a output and allocate space for the jpayne@69: * result, using krb5_c_prf_length() to determine the required length. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock, jpayne@69: krb5_data *input, krb5_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Get the output length of pseudo-random functions for an encryption type. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [out] len Length of PRF output jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len); jpayne@69: jpayne@69: /** jpayne@69: * Generate pseudo-random bytes using RFC 6113 PRF+. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] k KDC contribution key jpayne@69: * @param [in] input Input data jpayne@69: * @param [out] output Pseudo-random output buffer jpayne@69: * jpayne@69: * This function fills @a output with PRF+(k, input) as defined in RFC 6113 jpayne@69: * section 5.1. The caller must preinitialize @a output and allocate the jpayne@69: * desired amount of space. The length of the pseudo-random output will match jpayne@69: * the length of @a output. jpayne@69: * jpayne@69: * @note RFC 4402 defines a different PRF+ operation. This function does not jpayne@69: * implement that operation. jpayne@69: * jpayne@69: * @return 0 on success, @c E2BIG if output->length is too large for PRF+ to jpayne@69: * generate, @c ENOMEM on allocation failure, or an error code from jpayne@69: * krb5_c_prf() jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_prfplus(krb5_context context, const krb5_keyblock *k, jpayne@69: const krb5_data *input, krb5_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Derive a key using some input data (via RFC 6113 PRF+). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] k KDC contribution key jpayne@69: * @param [in] input Input string jpayne@69: * @param [in] enctype Output key enctype (or @c ENCTYPE_NULL) jpayne@69: * @param [out] out Derived keyblock jpayne@69: * jpayne@69: * This function uses PRF+ as defined in RFC 6113 to derive a key from another jpayne@69: * key and an input string. If @a enctype is @c ENCTYPE_NULL, the output key jpayne@69: * will have the same enctype as the input key. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k, jpayne@69: const krb5_data *input, krb5_enctype enctype, jpayne@69: krb5_keyblock **out); jpayne@69: jpayne@69: /** jpayne@69: * Compute the KRB-FX-CF2 combination of two keys and pepper strings. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] k1 KDC contribution key jpayne@69: * @param [in] pepper1 String "PKINIT" jpayne@69: * @param [in] k2 Reply key jpayne@69: * @param [in] pepper2 String "KeyExchange" jpayne@69: * @param [out] out Output key jpayne@69: * jpayne@69: * This function computes the KRB-FX-CF2 function over its inputs and places jpayne@69: * the results in a newly allocated keyblock. This function is simple in that jpayne@69: * it assumes that @a pepper1 and @a pepper2 are C strings with no internal jpayne@69: * nulls and that the enctype of the result will be the same as that of @a k1. jpayne@69: * @a k1 and @a k2 may be of different enctypes. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_fx_cf2_simple(krb5_context context, jpayne@69: const krb5_keyblock *k1, const char *pepper1, jpayne@69: const krb5_keyblock *k2, const char *pepper2, jpayne@69: krb5_keyblock **out); jpayne@69: jpayne@69: /** jpayne@69: * Generate an enctype-specific random encryption key. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type of the generated key jpayne@69: * @param [out] k5_random_key An allocated and initialized keyblock jpayne@69: * jpayne@69: * Use krb5_free_keyblock_contents() to free @a k5_random_key when jpayne@69: * no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, jpayne@69: krb5_keyblock *k5_random_key); jpayne@69: jpayne@69: /** jpayne@69: * Generate an enctype-specific key from random data. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] random_data Random input data jpayne@69: * @param [out] k5_random_key Resulting key jpayne@69: * jpayne@69: * This function takes random input data @a random_data and produces a valid jpayne@69: * key @a k5_random_key for a given @a enctype. jpayne@69: * jpayne@69: * @note It is assumed that @a k5_random_key has already been initialized and jpayne@69: * @a k5_random_key->contents has been allocated with the correct length. jpayne@69: * jpayne@69: * @sa krb5_c_keylengths() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, jpayne@69: krb5_data *random_data, krb5_keyblock *k5_random_key); jpayne@69: jpayne@69: /** @deprecated This call is no longer necessary. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, jpayne@69: const krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Generate pseudo-random bytes. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] data Random data jpayne@69: * jpayne@69: * Fills in @a data with bytes from the PRNG used by krb5 crypto operations. jpayne@69: * The caller must preinitialize @a data and allocate the desired amount of jpayne@69: * space. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_random_make_octets(krb5_context context, krb5_data *data); jpayne@69: jpayne@69: /** @deprecated This call is no longer necessary. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_random_os_entropy(krb5_context context, int strong, int *success); jpayne@69: jpayne@69: /** @deprecated This call is no longer necessary. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_random_seed(krb5_context context, krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string (such a password) to a key. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] string String to be converted jpayne@69: * @param [in] salt Salt value jpayne@69: * @param [out] key Generated key jpayne@69: * jpayne@69: * This function converts @a string to a @a key of encryption type @a enctype, jpayne@69: * using the specified @a salt. The newly created @a key must be released by jpayne@69: * calling krb5_free_keyblock_contents() when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, jpayne@69: const krb5_data *string, const krb5_data *salt, jpayne@69: krb5_keyblock *key); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string (such as a password) to a key with additional parameters. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] string String to be converted jpayne@69: * @param [in] salt Salt value jpayne@69: * @param [in] params Parameters jpayne@69: * @param [out] key Generated key jpayne@69: * jpayne@69: * This function is similar to krb5_c_string_to_key(), but also takes jpayne@69: * parameters which may affect the algorithm in an enctype-dependent way. The jpayne@69: * newly created @a key must be released by calling jpayne@69: * krb5_free_keyblock_contents() when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_string_to_key_with_params(krb5_context context, jpayne@69: krb5_enctype enctype, jpayne@69: const krb5_data *string, jpayne@69: const krb5_data *salt, jpayne@69: const krb5_data *params, jpayne@69: krb5_keyblock *key); jpayne@69: jpayne@69: /** jpayne@69: * Compare two encryption types. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] e1 First encryption type jpayne@69: * @param [in] e2 Second encryption type jpayne@69: * @param [out] similar @c TRUE if types are similar, @c FALSE if not jpayne@69: * jpayne@69: * This function determines whether two encryption types use the same kind of jpayne@69: * keys. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, jpayne@69: krb5_boolean *similar); jpayne@69: jpayne@69: /** jpayne@69: * Compute a checksum (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] input Input data jpayne@69: * @param [out] cksum Generated checksum jpayne@69: * jpayne@69: * This function computes a checksum of type @a cksumtype over @a input, using jpayne@69: * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and jpayne@69: * @a key is non-null, the checksum type will be the mandatory-to-implement jpayne@69: * checksum type for the key's encryption type. The actual checksum key will jpayne@69: * be derived from @a key and @a usage if key derivation is specified for the jpayne@69: * checksum type. The newly created @a cksum must be released by calling jpayne@69: * krb5_free_checksum_contents() when it is no longer needed. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_make_checksum(), but operates jpayne@69: * on keyblock @a key. jpayne@69: * jpayne@69: * @sa krb5_c_verify_checksum() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: const krb5_keyblock *key, krb5_keyusage usage, jpayne@69: const krb5_data *input, krb5_checksum *cksum); jpayne@69: jpayne@69: /** jpayne@69: * Verify a checksum (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage @a key usage jpayne@69: * @param [in] data Data to be used to compute a new checksum jpayne@69: * using @a key to compare @a cksum against jpayne@69: * @param [in] cksum Checksum to be verified jpayne@69: * @param [out] valid Non-zero for success, zero for failure jpayne@69: * jpayne@69: * This function verifies that @a cksum is a valid checksum for @a data. If jpayne@69: * the checksum type of @a cksum is a keyed checksum, @a key is used to verify jpayne@69: * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, jpayne@69: * the mandatory checksum type for @a key will be used. The actual checksum jpayne@69: * key will be derived from @a key and @a usage if key derivation is specified jpayne@69: * for the checksum type. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_verify_checksum(), but operates jpayne@69: * on keyblock @a key. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, jpayne@69: krb5_keyusage usage, const krb5_data *data, jpayne@69: const krb5_checksum *cksum, krb5_boolean *valid); jpayne@69: jpayne@69: /** jpayne@69: * Return the length of checksums for a checksum type. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type jpayne@69: * @param [out] length Checksum length jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: size_t *length); jpayne@69: jpayne@69: /** jpayne@69: * Return a list of keyed checksum types usable with an encryption type. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [out] count Count of allowable checksum types jpayne@69: * @param [out] cksumtypes Array of allowable checksum types jpayne@69: * jpayne@69: * Use krb5_free_cksumtypes() to free @a cksumtypes when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, jpayne@69: unsigned int *count, krb5_cksumtype **cksumtypes); jpayne@69: jpayne@69: /** @defgroup KRB5_KEYUSAGE KRB5_KEYUSAGE jpayne@69: * @{ jpayne@69: */ jpayne@69: #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 jpayne@69: #define KRB5_KEYUSAGE_KDC_REP_TICKET 2 jpayne@69: #define KRB5_KEYUSAGE_AS_REP_ENCPART 3 jpayne@69: #define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4 jpayne@69: #define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5 jpayne@69: #define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6 jpayne@69: #define KRB5_KEYUSAGE_TGS_REQ_AUTH 7 jpayne@69: #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8 jpayne@69: #define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9 jpayne@69: #define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10 jpayne@69: #define KRB5_KEYUSAGE_AP_REQ_AUTH 11 jpayne@69: #define KRB5_KEYUSAGE_AP_REP_ENCPART 12 jpayne@69: #define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13 jpayne@69: #define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14 jpayne@69: #define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15 jpayne@69: #define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16 jpayne@69: #define KRB5_KEYUSAGE_APP_DATA_CKSUM 17 jpayne@69: #define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18 jpayne@69: #define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19 jpayne@69: #define KRB5_KEYUSAGE_AD_MTE 20 jpayne@69: #define KRB5_KEYUSAGE_AD_ITE 21 jpayne@69: jpayne@69: /* XXX need to register these */ jpayne@69: jpayne@69: #define KRB5_KEYUSAGE_GSS_TOK_MIC 22 jpayne@69: #define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23 jpayne@69: #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24 jpayne@69: jpayne@69: /* Defined in Integrating SAM Mechanisms with Kerberos draft */ jpayne@69: #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25 jpayne@69: /** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST */ jpayne@69: #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 jpayne@69: /** Note conflict with @ref KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY */ jpayne@69: #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 jpayne@69: jpayne@69: /* Defined in [MS-SFU] */ jpayne@69: /** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID */ jpayne@69: #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 jpayne@69: /** Note conflict with @ref KRB5_KEYUSAGE_PA_SAM_RESPONSE */ jpayne@69: #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 jpayne@69: jpayne@69: /* unused */ jpayne@69: #define KRB5_KEYUSAGE_PA_REFERRAL 26 jpayne@69: jpayne@69: #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21 jpayne@69: #define KRB5_KEYUSAGE_IAKERB_FINISHED 42 jpayne@69: #define KRB5_KEYUSAGE_PA_PKINIT_KX 44 jpayne@69: #define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */ jpayne@69: /* define in draft-ietf-krb-wg-preauth-framework*/ jpayne@69: #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 jpayne@69: #define KRB5_KEYUSAGE_FAST_ENC 51 jpayne@69: #define KRB5_KEYUSAGE_FAST_REP 52 jpayne@69: #define KRB5_KEYUSAGE_FAST_FINISHED 53 jpayne@69: #define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 jpayne@69: #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 jpayne@69: #define KRB5_KEYUSAGE_AS_REQ 56 jpayne@69: #define KRB5_KEYUSAGE_CAMMAC 64 jpayne@69: #define KRB5_KEYUSAGE_SPAKE 65 jpayne@69: jpayne@69: /* Key usage values 512-1023 are reserved for uses internal to a Kerberos jpayne@69: * implementation. */ jpayne@69: #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */ jpayne@69: #define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */ jpayne@69: /** @} */ /* end of KRB5_KEYUSAGE group */ jpayne@69: jpayne@69: /** jpayne@69: * Verify that a specified encryption type is a valid Kerberos encryption type. jpayne@69: * jpayne@69: * @param [in] ktype Encryption type jpayne@69: * jpayne@69: * @return @c TRUE if @a ktype is valid, @c FALSE if not jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_c_valid_enctype(krb5_enctype ktype); jpayne@69: jpayne@69: /** jpayne@69: * Verify that specified checksum type is a valid Kerberos checksum type. jpayne@69: * jpayne@69: * @param [in] ctype Checksum type jpayne@69: * jpayne@69: * @return @c TRUE if @a ctype is valid, @c FALSE if not jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_c_valid_cksumtype(krb5_cksumtype ctype); jpayne@69: jpayne@69: /** jpayne@69: * Test whether a checksum type is collision-proof. jpayne@69: * jpayne@69: * @param [in] ctype Checksum type jpayne@69: * jpayne@69: * @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not jpayne@69: * collision-proof or not a valid checksum type. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype); jpayne@69: jpayne@69: /** jpayne@69: * Test whether a checksum type is keyed. jpayne@69: * jpayne@69: * @param [in] ctype Checksum type jpayne@69: * jpayne@69: * @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_c_is_keyed_cksum(krb5_cksumtype ctype); jpayne@69: jpayne@69: /* AEAD APIs */ jpayne@69: /** @defgroup KRB5_CRYPTO_TYPE KRB5_CRYPTO_TYPE jpayne@69: * @{ jpayne@69: */ jpayne@69: #define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */ jpayne@69: #define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */ jpayne@69: #define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */ jpayne@69: #define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */ jpayne@69: #define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */ jpayne@69: #define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */ jpayne@69: #define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */ jpayne@69: #define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without jpayne@69: decomposing the structure into jpayne@69: header, data and trailer buffers */ jpayne@69: /** @} */ /* end of KRB5_CRYPTO_TYPE group */ jpayne@69: jpayne@69: /** jpayne@69: * Fill in a checksum element in IOV array (operates on keyblock) jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] data IOV array jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over jpayne@69: * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. jpayne@69: * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_make_checksum_iov(), but operates jpayne@69: * on keyblock @a key. jpayne@69: * jpayne@69: * @sa krb5_c_verify_checksum_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: const krb5_keyblock *key, krb5_keyusage usage, jpayne@69: krb5_crypto_iov *data, size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Validate a checksum element in IOV array (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] data IOV array jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * @param [out] valid Non-zero for success, zero for failure jpayne@69: * jpayne@69: * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a jpayne@69: * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY jpayne@69: * regions in the iov. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_verify_checksum_iov(), but operates jpayne@69: * on keyblock @a key. jpayne@69: * jpayne@69: * @sa krb5_c_make_checksum_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: const krb5_keyblock *key, krb5_keyusage usage, jpayne@69: const krb5_crypto_iov *data, size_t num_data, jpayne@69: krb5_boolean *valid); jpayne@69: jpayne@69: /** jpayne@69: * Encrypt data in place supporting AEAD (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keyblock Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in,out] data IOV array. Modified in-place. jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * This function encrypts the data block @a data and stores the output in-place. jpayne@69: * The actual encryption key will be derived from @a keyblock and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the encryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * The caller must allocate the right number of krb5_crypto_iov jpayne@69: * structures before calling into this API. jpayne@69: * jpayne@69: * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the jpayne@69: * iov structure are adjusted to reflect actual lengths of the ciphertext used. jpayne@69: * For example, if the padding length is too large, the length will be reduced. jpayne@69: * Lengths are never increased. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_encrypt_iov(), but operates jpayne@69: * on keyblock @a keyblock. jpayne@69: * jpayne@69: * @sa krb5_c_decrypt_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, jpayne@69: krb5_keyusage usage, const krb5_data *cipher_state, jpayne@69: krb5_crypto_iov *data, size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Decrypt data in place supporting AEAD (operates on keyblock). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keyblock Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in,out] data IOV array. Modified in-place. jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * This function decrypts the data block @a data and stores the output in-place. jpayne@69: * The actual decryption key will be derived from @a keyblock and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the decryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * The caller must allocate the right number of krb5_crypto_iov jpayne@69: * structures before calling into this API. jpayne@69: * jpayne@69: * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the jpayne@69: * iov structure are adjusted to reflect actual lengths of the ciphertext used. jpayne@69: * For example, if the padding length is too large, the length will be reduced. jpayne@69: * Lengths are never increased. jpayne@69: * jpayne@69: * @note This function is similar to krb5_k_decrypt_iov(), but operates jpayne@69: * on keyblock @a keyblock. jpayne@69: * jpayne@69: * @sa krb5_c_decrypt_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, jpayne@69: krb5_keyusage usage, const krb5_data *cipher_state, jpayne@69: krb5_crypto_iov *data, size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Return a length of a message field specific to the encryption type. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] type Type field (See @ref KRB5_CRYPTO_TYPE types) jpayne@69: * @param [out] size Length of the @a type specific to @a enctype jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, jpayne@69: krb5_cryptotype type, unsigned int *size); jpayne@69: jpayne@69: /** jpayne@69: * Fill in lengths for header, trailer and padding in a IOV array. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in,out] data IOV array jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * Padding is set to the actual padding required based on the provided jpayne@69: * @a data buffers. Typically this API is used after setting up the data jpayne@69: * buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually jpayne@69: * allocating header, trailer and padding. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, jpayne@69: krb5_crypto_iov *data, size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Return a number of padding octets. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] data_length Length of the plaintext to pad jpayne@69: * @param [out] size Number of padding octets jpayne@69: * jpayne@69: * This function returns the number of the padding octets required to pad jpayne@69: * @a data_length octets of plaintext. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_c_padding_length(krb5_context context, krb5_enctype enctype, jpayne@69: size_t data_length, unsigned int *size); jpayne@69: jpayne@69: /** jpayne@69: * Create a krb5_key from the enctype and key data in a keyblock. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key_data Keyblock jpayne@69: * @param [out] out Opaque key jpayne@69: * jpayne@69: * The reference count on a key @a out is set to 1. jpayne@69: * Use krb5_k_free_key() to free @a out when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data, jpayne@69: krb5_key *out); jpayne@69: jpayne@69: /** Increment the reference count on a key. */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_k_reference_key(krb5_context context, krb5_key key); jpayne@69: jpayne@69: /** Decrement the reference count on a key and free it if it hits zero. */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_k_free_key(krb5_context context, krb5_key key); jpayne@69: jpayne@69: /** Retrieve a copy of the keyblock from a krb5_key structure. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_key_keyblock(krb5_context context, krb5_key key, jpayne@69: krb5_keyblock **key_data); jpayne@69: jpayne@69: /** Retrieve the enctype of a krb5_key structure. */ jpayne@69: krb5_enctype KRB5_CALLCONV jpayne@69: krb5_k_key_enctype(krb5_context context, krb5_key key); jpayne@69: jpayne@69: /** jpayne@69: * Encrypt data using a key (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in] input Data to be encrypted jpayne@69: * @param [out] output Encrypted data jpayne@69: * jpayne@69: * This function encrypts the data block @a input and stores the output into @a jpayne@69: * output. The actual encryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the encryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * jpayne@69: * @note The caller must initialize @a output and allocate at least enough jpayne@69: * space for the result (using krb5_c_encrypt_length() to determine the amount jpayne@69: * of space needed). @a output->length will be set to the actual length of the jpayne@69: * ciphertext. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_data *cipher_state, const krb5_data *input, jpayne@69: krb5_enc_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Encrypt data in place supporting AEAD (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in,out] data IOV array. Modified in-place. jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * This function encrypts the data block @a data and stores the output in-place. jpayne@69: * The actual encryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the encryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * The caller must allocate the right number of krb5_crypto_iov jpayne@69: * structures before calling into this API. jpayne@69: * jpayne@69: * @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the jpayne@69: * iov structure are adjusted to reflect actual lengths of the ciphertext used. jpayne@69: * For example, if the padding length is too large, the length will be reduced. jpayne@69: * Lengths are never increased. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_encrypt_iov(), but operates jpayne@69: * on opaque key @a key. jpayne@69: * jpayne@69: * @sa krb5_k_decrypt_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_data *cipher_state, krb5_crypto_iov *data, jpayne@69: size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Decrypt data using a key (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in] input Encrypted data jpayne@69: * @param [out] output Decrypted data jpayne@69: * jpayne@69: * This function decrypts the data block @a input and stores the output into @a jpayne@69: * output. The actual decryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the decryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * jpayne@69: * @note The caller must initialize @a output and allocate at least enough jpayne@69: * space for the result. The usual practice is to allocate an output buffer as jpayne@69: * long as the ciphertext, and let krb5_c_decrypt() trim @a output->length. jpayne@69: * For some enctypes, the resulting @a output->length may include padding jpayne@69: * bytes. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_data *cipher_state, const krb5_enc_data *input, jpayne@69: krb5_data *output); jpayne@69: jpayne@69: /** jpayne@69: * Decrypt data in place supporting AEAD (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] cipher_state Cipher state; specify NULL if not needed jpayne@69: * @param [in,out] data IOV array. Modified in-place. jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * This function decrypts the data block @a data and stores the output in-place. jpayne@69: * The actual decryption key will be derived from @a key and @a usage jpayne@69: * if key derivation is specified for the encryption type. If non-null, @a jpayne@69: * cipher_state specifies the beginning state for the decryption operation, and jpayne@69: * is updated with the state to be passed as input to the next operation. jpayne@69: * The caller must allocate the right number of krb5_crypto_iov jpayne@69: * structures before calling into this API. jpayne@69: * jpayne@69: * @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the jpayne@69: * iov structure are adjusted to reflect actual lengths of the ciphertext used. jpayne@69: * For example, if the padding length is too large, the length will be reduced. jpayne@69: * Lengths are never increased. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_decrypt_iov(), but operates jpayne@69: * on opaque key @a key. jpayne@69: * jpayne@69: * @sa krb5_k_encrypt_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_data *cipher_state, krb5_crypto_iov *data, jpayne@69: size_t num_data); jpayne@69: /** jpayne@69: * Compute a checksum (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] input Input data jpayne@69: * @param [out] cksum Generated checksum jpayne@69: * jpayne@69: * This function computes a checksum of type @a cksumtype over @a input, using jpayne@69: * @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and jpayne@69: * @a key is non-null, the checksum type will be the mandatory-to-implement jpayne@69: * checksum type for the key's encryption type. The actual checksum key will jpayne@69: * be derived from @a key and @a usage if key derivation is specified for the jpayne@69: * checksum type. The newly created @a cksum must be released by calling jpayne@69: * krb5_free_checksum_contents() when it is no longer needed. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_make_checksum(), but operates jpayne@69: * on opaque @a key. jpayne@69: * jpayne@69: * @sa krb5_c_verify_checksum() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: krb5_key key, krb5_keyusage usage, const krb5_data *input, jpayne@69: krb5_checksum *cksum); jpayne@69: jpayne@69: /** jpayne@69: * Fill in a checksum element in IOV array (operates on opaque key) jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in,out] data IOV array jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * jpayne@69: * Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over jpayne@69: * #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data. jpayne@69: * Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_make_checksum_iov(), but operates jpayne@69: * on opaque @a key. jpayne@69: * jpayne@69: * @sa krb5_k_verify_checksum_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: krb5_key key, krb5_keyusage usage, jpayne@69: krb5_crypto_iov *data, size_t num_data); jpayne@69: jpayne@69: /** jpayne@69: * Verify a checksum (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage @a key usage jpayne@69: * @param [in] data Data to be used to compute a new checksum jpayne@69: * using @a key to compare @a cksum against jpayne@69: * @param [in] cksum Checksum to be verified jpayne@69: * @param [out] valid Non-zero for success, zero for failure jpayne@69: * jpayne@69: * This function verifies that @a cksum is a valid checksum for @a data. If jpayne@69: * the checksum type of @a cksum is a keyed checksum, @a key is used to verify jpayne@69: * the checksum. If the checksum type in @a cksum is 0 and @a key is not NULL, jpayne@69: * the mandatory checksum type for @a key will be used. The actual checksum jpayne@69: * key will be derived from @a key and @a usage if key derivation is specified jpayne@69: * for the checksum type. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_verify_checksum(), but operates jpayne@69: * on opaque @a key. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_data *data, const krb5_checksum *cksum, jpayne@69: krb5_boolean *valid); jpayne@69: jpayne@69: /** jpayne@69: * Validate a checksum element in IOV array (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cksumtype Checksum type (0 for mandatory type) jpayne@69: * @param [in] key Encryption key for a keyed checksum jpayne@69: * @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types) jpayne@69: * @param [in] data IOV array jpayne@69: * @param [in] num_data Size of @a data jpayne@69: * @param [out] valid Non-zero for success, zero for failure jpayne@69: * jpayne@69: * Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a jpayne@69: * valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY jpayne@69: * regions in the iov. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_verify_checksum_iov(), but operates jpayne@69: * on opaque @a key. jpayne@69: * jpayne@69: * @sa krb5_k_make_checksum_iov() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, jpayne@69: krb5_key key, krb5_keyusage usage, jpayne@69: const krb5_crypto_iov *data, size_t num_data, jpayne@69: krb5_boolean *valid); jpayne@69: jpayne@69: /** jpayne@69: * Generate enctype-specific pseudo-random bytes (operates on opaque key). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Key jpayne@69: * @param [in] input Input data jpayne@69: * @param [out] output Output data jpayne@69: * jpayne@69: * This function selects a pseudo-random function based on @a key and jpayne@69: * computes its value over @a input, placing the result into @a output. jpayne@69: * The caller must preinitialize @a output and allocate space for the jpayne@69: * result. jpayne@69: * jpayne@69: * @note This function is similar to krb5_c_prf(), but operates jpayne@69: * on opaque @a key. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output); jpayne@69: jpayne@69: #ifdef KRB5_OLD_CRYPTO jpayne@69: /* jpayne@69: * old cryptosystem routine prototypes. These are now layered jpayne@69: * on top of the functions above. jpayne@69: */ jpayne@69: /** @deprecated Replaced by krb5_c_* API family.*/ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_encrypt(krb5_context context, krb5_const_pointer inptr, jpayne@69: krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, jpayne@69: krb5_pointer ivec); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_decrypt(krb5_context context, krb5_const_pointer inptr, jpayne@69: krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, jpayne@69: krb5_pointer ivec); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_process_key(krb5_context context, krb5_encrypt_block *eblock, jpayne@69: const krb5_keyblock * key); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock); jpayne@69: jpayne@69: /** @deprecated See krb5_c_string_to_key() */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock, jpayne@69: krb5_keyblock * keyblock, const krb5_data *data, jpayne@69: const krb5_data *salt); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock, jpayne@69: const krb5_keyblock *keyblock, krb5_pointer *ptr); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock, jpayne@69: krb5_pointer *ptr); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock, jpayne@69: krb5_pointer ptr, krb5_keyblock **keyblock); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_enctype KRB5_CALLCONV jpayne@69: krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock, jpayne@69: krb5_enctype enctype); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_c_* API family. */ jpayne@69: size_t KRB5_CALLCONV jpayne@69: krb5_encrypt_size(size_t length, krb5_enctype crypto); jpayne@69: jpayne@69: /** @deprecated See krb5_c_checksum_length() */ jpayne@69: size_t KRB5_CALLCONV jpayne@69: krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); jpayne@69: jpayne@69: /** @deprecated See krb5_c_make_checksum() */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, jpayne@69: krb5_const_pointer in, size_t in_length, jpayne@69: krb5_const_pointer seed, size_t seed_length, jpayne@69: krb5_checksum * outcksum); jpayne@69: jpayne@69: /** @deprecated See krb5_c_verify_checksum() */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, jpayne@69: const krb5_checksum * cksum, krb5_const_pointer in, jpayne@69: size_t in_length, krb5_const_pointer seed, jpayne@69: size_t seed_length); jpayne@69: jpayne@69: #endif /* KRB5_OLD_CRYPTO */ jpayne@69: jpayne@69: /* jpayne@69: * end "encryption.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "fieldbits.h" jpayne@69: */ jpayne@69: jpayne@69: /* kdc_options for kdc_request */ jpayne@69: /* options is 32 bits; each host is responsible to put the 4 bytes jpayne@69: representing these bits into net order before transmission */ jpayne@69: /* #define KDC_OPT_RESERVED 0x80000000 */ jpayne@69: #define KDC_OPT_FORWARDABLE 0x40000000 jpayne@69: #define KDC_OPT_FORWARDED 0x20000000 jpayne@69: #define KDC_OPT_PROXIABLE 0x10000000 jpayne@69: #define KDC_OPT_PROXY 0x08000000 jpayne@69: #define KDC_OPT_ALLOW_POSTDATE 0x04000000 jpayne@69: #define KDC_OPT_POSTDATED 0x02000000 jpayne@69: /* #define KDC_OPT_UNUSED 0x01000000 */ jpayne@69: #define KDC_OPT_RENEWABLE 0x00800000 jpayne@69: /* #define KDC_OPT_UNUSED 0x00400000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00200000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00100000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00080000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00040000 */ jpayne@69: #define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000 jpayne@69: #define KDC_OPT_CANONICALIZE 0x00010000 jpayne@69: #define KDC_OPT_REQUEST_ANONYMOUS 0x00008000 jpayne@69: /* #define KDC_OPT_RESERVED 0x00004000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00002000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00001000 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000800 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000400 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000200 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000100 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000080 */ jpayne@69: /* #define KDC_OPT_RESERVED 0x00000040 */ jpayne@69: #define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020 jpayne@69: #define KDC_OPT_RENEWABLE_OK 0x00000010 jpayne@69: #define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008 jpayne@69: /* #define KDC_OPT_UNUSED 0x00000004 */ jpayne@69: #define KDC_OPT_RENEW 0x00000002 jpayne@69: #define KDC_OPT_VALIDATE 0x00000001 jpayne@69: jpayne@69: /* jpayne@69: * Mask of ticket flags in the TGT which should be converted into KDC jpayne@69: * options when using the TGT to get derivative tickets. jpayne@69: * jpayne@69: * New mask = KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | jpayne@69: * KDC_OPT_ALLOW_POSTDATE | KDC_OPT_RENEWABLE jpayne@69: */ jpayne@69: #define KDC_TKT_COMMON_MASK 0x54800000 jpayne@69: jpayne@69: /* definitions for ap_options fields */ jpayne@69: jpayne@69: /** @defgroup AP_OPTS AP_OPTS jpayne@69: * jpayne@69: * ap_options are 32 bits; each host is responsible to put the 4 bytes jpayne@69: * representing these bits into net order before transmission jpayne@69: * @{ jpayne@69: */ jpayne@69: #define AP_OPTS_RESERVED 0x80000000 jpayne@69: #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */ jpayne@69: #define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual jpayne@69: authentication exchange */ jpayne@69: #define AP_OPTS_ETYPE_NEGOTIATION 0x00000002 jpayne@69: #define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key jpayne@69: from the current session key jpayne@69: obtained from the jpayne@69: credentials */ jpayne@69: /* #define AP_OPTS_RESERVED 0x10000000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x08000000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x04000000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x02000000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x01000000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00800000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00400000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00200000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00100000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00080000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00040000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00020000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00010000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00008000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00004000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00002000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00001000 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000800 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000400 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000200 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000100 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000080 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000040 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000020 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000010 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000008 */ jpayne@69: /* #define AP_OPTS_RESERVED 0x00000004 */ jpayne@69: jpayne@69: jpayne@69: #define AP_OPTS_WIRE_MASK 0xfffffff0 jpayne@69: /** @} */ /* end of AP_OPTS group */ jpayne@69: jpayne@69: /* definitions for ad_type fields. */ jpayne@69: #define AD_TYPE_RESERVED 0x8000 jpayne@69: #define AD_TYPE_EXTERNAL 0x4000 jpayne@69: #define AD_TYPE_REGISTERED 0x2000 jpayne@69: jpayne@69: #define AD_TYPE_FIELD_TYPE_MASK 0x1fff jpayne@69: jpayne@69: /* Ticket flags */ jpayne@69: /* flags are 32 bits; each host is responsible to put the 4 bytes jpayne@69: representing these bits into net order before transmission */ jpayne@69: /* #define TKT_FLG_RESERVED 0x80000000 */ jpayne@69: #define TKT_FLG_FORWARDABLE 0x40000000 jpayne@69: #define TKT_FLG_FORWARDED 0x20000000 jpayne@69: #define TKT_FLG_PROXIABLE 0x10000000 jpayne@69: #define TKT_FLG_PROXY 0x08000000 jpayne@69: #define TKT_FLG_MAY_POSTDATE 0x04000000 jpayne@69: #define TKT_FLG_POSTDATED 0x02000000 jpayne@69: #define TKT_FLG_INVALID 0x01000000 jpayne@69: #define TKT_FLG_RENEWABLE 0x00800000 jpayne@69: #define TKT_FLG_INITIAL 0x00400000 jpayne@69: #define TKT_FLG_PRE_AUTH 0x00200000 jpayne@69: #define TKT_FLG_HW_AUTH 0x00100000 jpayne@69: #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000 jpayne@69: #define TKT_FLG_OK_AS_DELEGATE 0x00040000 jpayne@69: #define TKT_FLG_ENC_PA_REP 0x00010000 jpayne@69: #define TKT_FLG_ANONYMOUS 0x00008000 jpayne@69: /* #define TKT_FLG_RESERVED 0x00004000 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00002000 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00001000 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000800 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000400 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000200 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000100 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000080 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000040 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000020 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000010 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000008 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000004 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000002 */ jpayne@69: /* #define TKT_FLG_RESERVED 0x00000001 */ jpayne@69: jpayne@69: /* definitions for lr_type fields. */ jpayne@69: #define LR_TYPE_THIS_SERVER_ONLY 0x8000 jpayne@69: jpayne@69: #define LR_TYPE_INTERPRETATION_MASK 0x7fff jpayne@69: jpayne@69: /* definitions for msec direction bit for KRB_SAFE, KRB_PRIV */ jpayne@69: #define MSEC_DIRBIT 0x8000 jpayne@69: #define MSEC_VAL_MASK 0x7fff jpayne@69: jpayne@69: /* jpayne@69: * end "fieldbits.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "proto.h" jpayne@69: */ jpayne@69: jpayne@69: /** Protocol version number */ jpayne@69: #define KRB5_PVNO 5 jpayne@69: jpayne@69: /* Message types */ jpayne@69: jpayne@69: #define KRB5_AS_REQ ((krb5_msgtype)10) /**< Initial authentication request */ jpayne@69: #define KRB5_AS_REP ((krb5_msgtype)11) /**< Response to AS request */ jpayne@69: #define KRB5_TGS_REQ ((krb5_msgtype)12) /**< Ticket granting server request */ jpayne@69: #define KRB5_TGS_REP ((krb5_msgtype)13) /**< Response to TGS request */ jpayne@69: #define KRB5_AP_REQ ((krb5_msgtype)14) /**< Auth req to application server */ jpayne@69: #define KRB5_AP_REP ((krb5_msgtype)15) /**< Response to mutual AP request */ jpayne@69: #define KRB5_SAFE ((krb5_msgtype)20) /**< Safe application message */ jpayne@69: #define KRB5_PRIV ((krb5_msgtype)21) /**< Private application message */ jpayne@69: #define KRB5_CRED ((krb5_msgtype)22) /**< Cred forwarding message */ jpayne@69: #define KRB5_ERROR ((krb5_msgtype)30) /**< Error response */ jpayne@69: jpayne@69: /* LastReq types */ jpayne@69: #define KRB5_LRQ_NONE 0 jpayne@69: #define KRB5_LRQ_ALL_LAST_TGT 1 jpayne@69: #define KRB5_LRQ_ONE_LAST_TGT (-1) jpayne@69: #define KRB5_LRQ_ALL_LAST_INITIAL 2 jpayne@69: #define KRB5_LRQ_ONE_LAST_INITIAL (-2) jpayne@69: #define KRB5_LRQ_ALL_LAST_TGT_ISSUED 3 jpayne@69: #define KRB5_LRQ_ONE_LAST_TGT_ISSUED (-3) jpayne@69: #define KRB5_LRQ_ALL_LAST_RENEWAL 4 jpayne@69: #define KRB5_LRQ_ONE_LAST_RENEWAL (-4) jpayne@69: #define KRB5_LRQ_ALL_LAST_REQ 5 jpayne@69: #define KRB5_LRQ_ONE_LAST_REQ (-5) jpayne@69: #define KRB5_LRQ_ALL_PW_EXPTIME 6 jpayne@69: #define KRB5_LRQ_ONE_PW_EXPTIME (-6) jpayne@69: #define KRB5_LRQ_ALL_ACCT_EXPTIME 7 jpayne@69: #define KRB5_LRQ_ONE_ACCT_EXPTIME (-7) jpayne@69: jpayne@69: /* PADATA types */ jpayne@69: #define KRB5_PADATA_NONE 0 jpayne@69: #define KRB5_PADATA_AP_REQ 1 jpayne@69: #define KRB5_PADATA_TGS_REQ KRB5_PADATA_AP_REQ jpayne@69: #define KRB5_PADATA_ENC_TIMESTAMP 2 /**< RFC 4120 */ jpayne@69: #define KRB5_PADATA_PW_SALT 3 /**< RFC 4120 */ jpayne@69: #if 0 /* Not used */ jpayne@69: #define KRB5_PADATA_ENC_ENCKEY 4 /* Key encrypted within itself */ jpayne@69: #endif jpayne@69: #define KRB5_PADATA_ENC_UNIX_TIME 5 /**< timestamp encrypted in key. RFC 4120 */ jpayne@69: #define KRB5_PADATA_ENC_SANDIA_SECURID 6 /**< SecurId passcode. RFC 4120 */ jpayne@69: #define KRB5_PADATA_SESAME 7 /**< Sesame project. RFC 4120 */ jpayne@69: #define KRB5_PADATA_OSF_DCE 8 /**< OSF DCE. RFC 4120 */ jpayne@69: #define KRB5_CYBERSAFE_SECUREID 9 /**< Cybersafe. RFC 4120 */ jpayne@69: #define KRB5_PADATA_AFS3_SALT 10 /**< Cygnus. RFC 4120, 3961 */ jpayne@69: #define KRB5_PADATA_ETYPE_INFO 11 /**< Etype info for preauth. RFC 4120 */ jpayne@69: #define KRB5_PADATA_SAM_CHALLENGE 12 /**< SAM/OTP */ jpayne@69: #define KRB5_PADATA_SAM_RESPONSE 13 /**< SAM/OTP */ jpayne@69: #define KRB5_PADATA_PK_AS_REQ_OLD 14 /**< PKINIT */ jpayne@69: #define KRB5_PADATA_PK_AS_REP_OLD 15 /**< PKINIT */ jpayne@69: #define KRB5_PADATA_PK_AS_REQ 16 /**< PKINIT. RFC 4556 */ jpayne@69: #define KRB5_PADATA_PK_AS_REP 17 /**< PKINIT. RFC 4556 */ jpayne@69: #define KRB5_PADATA_ETYPE_INFO2 19 /**< RFC 4120 */ jpayne@69: #define KRB5_PADATA_USE_SPECIFIED_KVNO 20 /**< RFC 4120 */ jpayne@69: #define KRB5_PADATA_SVR_REFERRAL_INFO 20 /**< Windows 2000 referrals. RFC 6820 */ jpayne@69: #define KRB5_PADATA_SAM_REDIRECT 21 /**< SAM/OTP. RFC 4120 */ jpayne@69: #define KRB5_PADATA_GET_FROM_TYPED_DATA 22 /**< Embedded in typed data. RFC 4120 */ jpayne@69: #define KRB5_PADATA_REFERRAL 25 /**< draft referral system */ jpayne@69: #define KRB5_PADATA_SAM_CHALLENGE_2 30 /**< draft challenge system, updated */ jpayne@69: #define KRB5_PADATA_SAM_RESPONSE_2 31 /**< draft challenge system, updated */ jpayne@69: /* MS-KILE */ jpayne@69: #define KRB5_PADATA_PAC_REQUEST 128 /**< include Windows PAC */ jpayne@69: #define KRB5_PADATA_FOR_USER 129 /**< username protocol transition request */ jpayne@69: #define KRB5_PADATA_S4U_X509_USER 130 /**< certificate protocol transition request */ jpayne@69: #define KRB5_PADATA_AS_CHECKSUM 132 /**< AS checksum */ jpayne@69: #define KRB5_PADATA_FX_COOKIE 133 /**< RFC 6113 */ jpayne@69: #define KRB5_PADATA_FX_FAST 136 /**< RFC 6113 */ jpayne@69: #define KRB5_PADATA_FX_ERROR 137 /**< RFC 6113 */ jpayne@69: #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 /**< RFC 6113 */ jpayne@69: #define KRB5_PADATA_OTP_CHALLENGE 141 /**< RFC 6560 section 4.1 */ jpayne@69: #define KRB5_PADATA_OTP_REQUEST 142 /**< RFC 6560 section 4.2 */ jpayne@69: #define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */ jpayne@69: #define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */ jpayne@69: #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */ jpayne@69: #define KRB5_PADATA_AS_FRESHNESS 150 /**< RFC 8070 */ jpayne@69: #define KRB5_PADATA_SPAKE 151 jpayne@69: #define KRB5_PADATA_REDHAT_IDP_OAUTH2 152 /**< Red Hat IdP mechanism */ jpayne@69: #define KRB5_PADATA_PAC_OPTIONS 167 /**< MS-KILE and MS-SFU */ jpayne@69: jpayne@69: #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 jpayne@69: #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 jpayne@69: #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /**< currently must be zero */ jpayne@69: jpayne@69: /** Transited encoding types */ jpayne@69: #define KRB5_DOMAIN_X500_COMPRESS 1 jpayne@69: jpayne@69: /** alternate authentication types */ jpayne@69: #define KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE 64 jpayne@69: jpayne@69: /* authorization data types. See RFC 4120 section 5.2.6 */ jpayne@69: jpayne@69: /** @defgroup KRB5_AUTHDATA KRB5_AUTHDATA jpayne@69: * @{ jpayne@69: */ jpayne@69: #define KRB5_AUTHDATA_IF_RELEVANT 1 jpayne@69: #define KRB5_AUTHDATA_KDC_ISSUED 4 jpayne@69: #define KRB5_AUTHDATA_AND_OR 5 jpayne@69: #define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8 jpayne@69: #define KRB5_AUTHDATA_INITIAL_VERIFIED_CAS 9 jpayne@69: #define KRB5_AUTHDATA_OSF_DCE 64 jpayne@69: #define KRB5_AUTHDATA_SESAME 65 jpayne@69: #define KRB5_AUTHDATA_CAMMAC 96 jpayne@69: #define KRB5_AUTHDATA_WIN2K_PAC 128 jpayne@69: #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /**< RFC 4537 */ jpayne@69: #define KRB5_AUTHDATA_SIGNTICKET 512 /**< @deprecated use PAC */ jpayne@69: #define KRB5_AUTHDATA_FX_ARMOR 71 jpayne@69: #define KRB5_AUTHDATA_AUTH_INDICATOR 97 jpayne@69: #define KRB5_AUTHDATA_AP_OPTIONS 143 jpayne@69: /** @} */ /* end of KRB5_AUTHDATA group */ jpayne@69: jpayne@69: /* password change constants */ jpayne@69: #define KRB5_KPASSWD_SUCCESS 0 /**< Success */ jpayne@69: #define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */ jpayne@69: #define KRB5_KPASSWD_HARDERROR 2 /**< Server error */ jpayne@69: #define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */ jpayne@69: #define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */ jpayne@69: /* These are Microsoft's extensions in RFC 3244, and it looks like jpayne@69: they'll become standardized, possibly with other additions. */ jpayne@69: #define KRB5_KPASSWD_ACCESSDENIED 5 /**< Not authorized */ jpayne@69: #define KRB5_KPASSWD_BAD_VERSION 6 /**< Unknown RPC version */ jpayne@69: /** The presented credentials were not obtained using a password directly */ jpayne@69: #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 jpayne@69: jpayne@69: /* jpayne@69: * end "proto.h" jpayne@69: */ jpayne@69: jpayne@69: /* Time set */ jpayne@69: /** Ticket start time, end time, and renewal duration. */ jpayne@69: typedef struct _krb5_ticket_times { jpayne@69: krb5_timestamp authtime; /**< Time at which KDC issued the initial ticket that corresponds to this ticket */ jpayne@69: /* XXX ? should ktime in KDC_REP == authtime jpayne@69: in ticket? otherwise client can't get this */ jpayne@69: krb5_timestamp starttime; /**< optional in ticket, if not present, use @a authtime */ jpayne@69: krb5_timestamp endtime; /**< Ticket expiration time */ jpayne@69: krb5_timestamp renew_till; /**< Latest time at which renewal of ticket can be valid */ jpayne@69: } krb5_ticket_times; jpayne@69: jpayne@69: /** Structure for auth data */ jpayne@69: typedef struct _krb5_authdata { jpayne@69: krb5_magic magic; jpayne@69: krb5_authdatatype ad_type; /**< ADTYPE */ jpayne@69: unsigned int length; /**< Length of data */ jpayne@69: krb5_octet *contents; /**< Data */ jpayne@69: } krb5_authdata; jpayne@69: jpayne@69: /** Structure for transited encoding */ jpayne@69: typedef struct _krb5_transited { jpayne@69: krb5_magic magic; jpayne@69: krb5_octet tr_type; /**< Transited encoding type */ jpayne@69: krb5_data tr_contents; /**< Contents */ jpayne@69: } krb5_transited; jpayne@69: jpayne@69: /** Encrypted part of ticket. */ jpayne@69: typedef struct _krb5_enc_tkt_part { jpayne@69: krb5_magic magic; jpayne@69: /* to-be-encrypted portion */ jpayne@69: krb5_flags flags; /**< flags */ jpayne@69: krb5_keyblock *session; /**< session key: includes enctype */ jpayne@69: krb5_principal client; /**< client name/realm */ jpayne@69: krb5_transited transited; /**< list of transited realms */ jpayne@69: krb5_ticket_times times; /**< auth, start, end, renew_till */ jpayne@69: krb5_address **caddrs; /**< array of ptrs to addresses */ jpayne@69: krb5_authdata **authorization_data; /**< auth data */ jpayne@69: } krb5_enc_tkt_part; jpayne@69: jpayne@69: /** jpayne@69: * Ticket structure. jpayne@69: * jpayne@69: * The C representation of the ticket message, with a pointer to the jpayne@69: * C representation of the encrypted part. jpayne@69: */ jpayne@69: typedef struct _krb5_ticket { jpayne@69: krb5_magic magic; jpayne@69: /* cleartext portion */ jpayne@69: krb5_principal server; /**< server name/realm */ jpayne@69: krb5_enc_data enc_part; /**< encryption type, kvno, encrypted encoding */ jpayne@69: krb5_enc_tkt_part *enc_part2; /**< ptr to decrypted version, if available */ jpayne@69: } krb5_ticket; jpayne@69: jpayne@69: /* the unencrypted version */ jpayne@69: /** jpayne@69: * Ticket authenticator. jpayne@69: * jpayne@69: * The C representation of an unencrypted authenticator. jpayne@69: */ jpayne@69: typedef struct _krb5_authenticator { jpayne@69: krb5_magic magic; jpayne@69: krb5_principal client; /**< client name/realm */ jpayne@69: krb5_checksum *checksum; /**< checksum, includes type, optional */ jpayne@69: krb5_int32 cusec; /**< client usec portion */ jpayne@69: krb5_timestamp ctime; /**< client sec portion */ jpayne@69: krb5_keyblock *subkey; /**< true session key, optional */ jpayne@69: krb5_ui_4 seq_number; /**< sequence #, optional */ jpayne@69: krb5_authdata **authorization_data; /**< authoriazation data */ jpayne@69: } krb5_authenticator; jpayne@69: jpayne@69: /** Ticket authentication data. */ jpayne@69: typedef struct _krb5_tkt_authent { jpayne@69: krb5_magic magic; jpayne@69: krb5_ticket *ticket; jpayne@69: krb5_authenticator *authenticator; jpayne@69: krb5_flags ap_options; jpayne@69: } krb5_tkt_authent; jpayne@69: jpayne@69: /** Credentials structure including ticket, session key, and lifetime info. */ jpayne@69: typedef struct _krb5_creds { jpayne@69: krb5_magic magic; jpayne@69: krb5_principal client; /**< client's principal identifier */ jpayne@69: krb5_principal server; /**< server's principal identifier */ jpayne@69: krb5_keyblock keyblock; /**< session encryption key info */ jpayne@69: krb5_ticket_times times; /**< lifetime info */ jpayne@69: krb5_boolean is_skey; /**< true if ticket is encrypted in jpayne@69: another ticket's skey */ jpayne@69: krb5_flags ticket_flags; /**< flags in ticket */ jpayne@69: krb5_address **addresses; /**< addrs in ticket */ jpayne@69: krb5_data ticket; /**< ticket string itself */ jpayne@69: krb5_data second_ticket; /**< second ticket, if related to jpayne@69: ticket (via DUPLICATE-SKEY or jpayne@69: ENC-TKT-IN-SKEY) */ jpayne@69: krb5_authdata **authdata; /**< authorization data */ jpayne@69: } krb5_creds; jpayne@69: jpayne@69: /** Last request entry */ jpayne@69: typedef struct _krb5_last_req_entry { jpayne@69: krb5_magic magic; jpayne@69: krb5_int32 lr_type; /**< LR type */ jpayne@69: krb5_timestamp value; /**< Timestamp */ jpayne@69: } krb5_last_req_entry; jpayne@69: jpayne@69: /** Pre-authentication data */ jpayne@69: typedef struct _krb5_pa_data { jpayne@69: krb5_magic magic; jpayne@69: krb5_preauthtype pa_type; /**< Preauthentication data type */ jpayne@69: unsigned int length; /**< Length of data */ jpayne@69: krb5_octet *contents; /**< Data */ jpayne@69: } krb5_pa_data; jpayne@69: jpayne@69: /* Don't use this; use krb5_pa_data instead. */ jpayne@69: typedef struct _krb5_typed_data { jpayne@69: krb5_magic magic; jpayne@69: krb5_int32 type; jpayne@69: unsigned int length; jpayne@69: krb5_octet *data; jpayne@69: } krb5_typed_data; jpayne@69: jpayne@69: /** C representation of KDC-REQ protocol message, including KDC-REQ-BODY */ jpayne@69: typedef struct _krb5_kdc_req { jpayne@69: krb5_magic magic; jpayne@69: krb5_msgtype msg_type; /**< KRB5_AS_REQ or KRB5_TGS_REQ */ jpayne@69: krb5_pa_data **padata; /**< Preauthentication data */ jpayne@69: /* real body */ jpayne@69: krb5_flags kdc_options; /**< Requested options */ jpayne@69: krb5_principal client; /**< Client principal and realm */ jpayne@69: krb5_principal server; /**< Server principal and realm */ jpayne@69: krb5_timestamp from; /**< Requested start time */ jpayne@69: krb5_timestamp till; /**< Requested end time */ jpayne@69: krb5_timestamp rtime; /**< Requested renewable end time */ jpayne@69: krb5_int32 nonce; /**< Nonce to match request and response */ jpayne@69: int nktypes; /**< Number of enctypes */ jpayne@69: krb5_enctype *ktype; /**< Requested enctypes */ jpayne@69: krb5_address **addresses; /**< Requested addresses (optional) */ jpayne@69: krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */ jpayne@69: krb5_authdata **unenc_authdata; /**< Unencrypted authz data */ jpayne@69: krb5_ticket **second_ticket; /**< Second ticket array (optional) */ jpayne@69: } krb5_kdc_req; jpayne@69: jpayne@69: /** jpayne@69: * C representation of @c EncKDCRepPart protocol message. jpayne@69: * jpayne@69: * This is the cleartext message that is encrypted and inserted in @c KDC-REP. jpayne@69: */ jpayne@69: typedef struct _krb5_enc_kdc_rep_part { jpayne@69: krb5_magic magic; jpayne@69: /* encrypted part: */ jpayne@69: krb5_msgtype msg_type; /**< krb5 message type */ jpayne@69: krb5_keyblock *session; /**< Session key */ jpayne@69: krb5_last_req_entry **last_req; /**< Array of pointers to entries */ jpayne@69: krb5_int32 nonce; /**< Nonce from request */ jpayne@69: krb5_timestamp key_exp; /**< Expiration date */ jpayne@69: krb5_flags flags; /**< Ticket flags */ jpayne@69: krb5_ticket_times times; /**< Lifetime info */ jpayne@69: krb5_principal server; /**< Server's principal identifier */ jpayne@69: krb5_address **caddrs; /**< Array of ptrs to addrs, optional */ jpayne@69: krb5_pa_data **enc_padata; /**< Encrypted preauthentication data */ jpayne@69: } krb5_enc_kdc_rep_part; jpayne@69: jpayne@69: /** Representation of the @c KDC-REP protocol message. */ jpayne@69: typedef struct _krb5_kdc_rep { jpayne@69: krb5_magic magic; jpayne@69: /* cleartext part: */ jpayne@69: krb5_msgtype msg_type; /**< KRB5_AS_REP or KRB5_KDC_REP */ jpayne@69: krb5_pa_data **padata; /**< Preauthentication data from KDC */ jpayne@69: krb5_principal client; /**< Client principal and realm */ jpayne@69: krb5_ticket *ticket; /**< Ticket */ jpayne@69: krb5_enc_data enc_part; /**< Encrypted part of reply */ jpayne@69: krb5_enc_kdc_rep_part *enc_part2; /**< Unencrypted version, if available */ jpayne@69: } krb5_kdc_rep; jpayne@69: jpayne@69: /** Error message structure */ jpayne@69: typedef struct _krb5_error { jpayne@69: krb5_magic magic; jpayne@69: /* some of these may be meaningless in certain contexts */ jpayne@69: krb5_timestamp ctime; /**< Client sec portion; optional */ jpayne@69: krb5_int32 cusec; /**< Client usec portion; optional */ jpayne@69: krb5_int32 susec; /**< Server usec portion */ jpayne@69: krb5_timestamp stime; /**< Server sec portion */ jpayne@69: krb5_ui_4 error; /**< Error code (protocol error #'s) */ jpayne@69: krb5_principal client; /**< Client principal and realm */ jpayne@69: krb5_principal server; /**< Server principal and realm */ jpayne@69: krb5_data text; /**< Descriptive text */ jpayne@69: krb5_data e_data; /**< Additional error-describing data */ jpayne@69: } krb5_error; jpayne@69: jpayne@69: /** Authentication header. */ jpayne@69: typedef struct _krb5_ap_req { jpayne@69: krb5_magic magic; jpayne@69: krb5_flags ap_options; /**< Requested options */ jpayne@69: krb5_ticket *ticket; /**< Ticket */ jpayne@69: krb5_enc_data authenticator; /**< Encrypted authenticator */ jpayne@69: } krb5_ap_req; jpayne@69: jpayne@69: /** jpayne@69: * C representaton of AP-REP message. jpayne@69: * jpayne@69: * The server's response to a client's request for mutual authentication. jpayne@69: */ jpayne@69: typedef struct _krb5_ap_rep { jpayne@69: krb5_magic magic; jpayne@69: krb5_enc_data enc_part; /**< Ciphertext of ApRepEncPart */ jpayne@69: } krb5_ap_rep; jpayne@69: jpayne@69: /** Cleartext that is encrypted and put into @c _krb5_ap_rep. */ jpayne@69: typedef struct _krb5_ap_rep_enc_part { jpayne@69: krb5_magic magic; jpayne@69: krb5_timestamp ctime; /**< Client time, seconds portion */ jpayne@69: krb5_int32 cusec; /**< Client time, microseconds portion */ jpayne@69: krb5_keyblock *subkey; /**< Subkey (optional) */ jpayne@69: krb5_ui_4 seq_number; /**< Sequence number */ jpayne@69: } krb5_ap_rep_enc_part; jpayne@69: jpayne@69: /* Unused */ jpayne@69: typedef struct _krb5_response { jpayne@69: krb5_magic magic; jpayne@69: krb5_octet message_type; jpayne@69: krb5_data response; jpayne@69: krb5_int32 expected_nonce; jpayne@69: krb5_timestamp request_time; jpayne@69: } krb5_response; jpayne@69: jpayne@69: /** Credentials information inserted into @c EncKrbCredPart. */ jpayne@69: typedef struct _krb5_cred_info { jpayne@69: krb5_magic magic; jpayne@69: krb5_keyblock *session; /**< Session key used to encrypt ticket */ jpayne@69: krb5_principal client; /**< Client principal and realm */ jpayne@69: krb5_principal server; /**< Server principal and realm */ jpayne@69: krb5_flags flags; /**< Ticket flags */ jpayne@69: krb5_ticket_times times; /**< Auth, start, end, renew_till */ jpayne@69: krb5_address **caddrs; /**< Array of pointers to addrs (optional) */ jpayne@69: } krb5_cred_info; jpayne@69: jpayne@69: /** Cleartext credentials information. */ jpayne@69: typedef struct _krb5_cred_enc_part { jpayne@69: krb5_magic magic; jpayne@69: krb5_int32 nonce; /**< Nonce (optional) */ jpayne@69: krb5_timestamp timestamp; /**< Generation time, seconds portion */ jpayne@69: krb5_int32 usec; /**< Generation time, microseconds portion */ jpayne@69: krb5_address *s_address; /**< Sender address (optional) */ jpayne@69: krb5_address *r_address; /**< Recipient address (optional) */ jpayne@69: krb5_cred_info **ticket_info; jpayne@69: } krb5_cred_enc_part; jpayne@69: jpayne@69: /** Credentials data structure.*/ jpayne@69: typedef struct _krb5_cred { jpayne@69: krb5_magic magic; jpayne@69: krb5_ticket **tickets; /**< Tickets */ jpayne@69: krb5_enc_data enc_part; /**< Encrypted part */ jpayne@69: krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */ jpayne@69: } krb5_cred; jpayne@69: jpayne@69: /* Unused, but here for API compatibility. */ jpayne@69: typedef struct _passwd_phrase_element { jpayne@69: krb5_magic magic; jpayne@69: krb5_data *passwd; jpayne@69: krb5_data *phrase; jpayne@69: } passwd_phrase_element; jpayne@69: jpayne@69: /* Unused, but here for API compatibility. */ jpayne@69: typedef struct _krb5_pwd_data { jpayne@69: krb5_magic magic; jpayne@69: int sequence_count; jpayne@69: passwd_phrase_element **element; jpayne@69: } krb5_pwd_data; jpayne@69: jpayne@69: /* Unused, but here for API compatibility. */ jpayne@69: typedef struct _krb5_pa_svr_referral_data { jpayne@69: /** Referred name, only realm is required */ jpayne@69: krb5_principal principal; jpayne@69: } krb5_pa_svr_referral_data; jpayne@69: jpayne@69: /* Unused, but here for API compatibility. */ jpayne@69: typedef struct _krb5_pa_server_referral_data { jpayne@69: krb5_data *referred_realm; jpayne@69: krb5_principal true_principal_name; jpayne@69: krb5_principal requested_principal_name; jpayne@69: krb5_timestamp referral_valid_until; jpayne@69: krb5_checksum rep_cksum; jpayne@69: } krb5_pa_server_referral_data; jpayne@69: jpayne@69: typedef struct _krb5_pa_pac_req { jpayne@69: /** TRUE if a PAC should be included in TGS-REP */ jpayne@69: krb5_boolean include_pac; jpayne@69: } krb5_pa_pac_req; jpayne@69: jpayne@69: /* jpayne@69: * begin "safepriv.h" jpayne@69: */ jpayne@69: jpayne@69: /** @defgroup KRB5_AUTH_CONTEXT KRB5_AUTH_CONTEXT jpayne@69: * @{ jpayne@69: */ jpayne@69: /** Prevent replays with timestamps and replay cache. */ jpayne@69: #define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 jpayne@69: /** Save timestamps for application. */ jpayne@69: #define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002 jpayne@69: /** Prevent replays with sequence numbers. */ jpayne@69: #define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 jpayne@69: /** Save sequence numbers for application. */ jpayne@69: #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 jpayne@69: #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 jpayne@69: #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 jpayne@69: /** @} */ /* end of KRB5_AUTH_CONTEXT group */ jpayne@69: jpayne@69: /** jpayne@69: * Replay data. jpayne@69: * jpayne@69: * Sequence number and timestamp information output by krb5_rd_priv() and jpayne@69: * krb5_rd_safe(). jpayne@69: */ jpayne@69: typedef struct krb5_replay_data { jpayne@69: krb5_timestamp timestamp; /**< Timestamp, seconds portion */ jpayne@69: krb5_int32 usec; /**< Timestamp, microseconds portion */ jpayne@69: krb5_ui_4 seq; /**< Sequence number */ jpayne@69: } krb5_replay_data; jpayne@69: jpayne@69: /* Flags for krb5_auth_con_genaddrs(). */ jpayne@69: jpayne@69: /** Generate the local network address. */ jpayne@69: #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR 0x00000001 jpayne@69: /** Generate the remote network address. */ jpayne@69: #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR 0x00000002 jpayne@69: /** Generate the local network address and the local port. */ jpayne@69: #define KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR 0x00000004 jpayne@69: /** Generate the remote network address and the remote port. */ jpayne@69: #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008 jpayne@69: jpayne@69: /** Type of function used as a callback to generate checksum data for mk_req */ jpayne@69: typedef krb5_error_code jpayne@69: (KRB5_CALLCONV * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context, jpayne@69: void *, krb5_data **); jpayne@69: jpayne@69: /* jpayne@69: * end "safepriv.h" jpayne@69: */ jpayne@69: jpayne@69: jpayne@69: /* jpayne@69: * begin "ccache.h" jpayne@69: */ jpayne@69: jpayne@69: /** Cursor for sequential lookup */ jpayne@69: typedef krb5_pointer krb5_cc_cursor; jpayne@69: jpayne@69: struct _krb5_ccache; jpayne@69: typedef struct _krb5_ccache *krb5_ccache; jpayne@69: struct _krb5_cc_ops; jpayne@69: typedef struct _krb5_cc_ops krb5_cc_ops; jpayne@69: jpayne@69: struct _krb5_cccol_cursor; jpayne@69: /** Cursor for iterating over all ccaches */ jpayne@69: typedef struct _krb5_cccol_cursor *krb5_cccol_cursor; jpayne@69: jpayne@69: /* Flags for krb5_cc_retrieve_cred. */ jpayne@69: /** The requested lifetime must be at least as great as the time specified. */ jpayne@69: #define KRB5_TC_MATCH_TIMES 0x00000001 jpayne@69: /** The is_skey field must match exactly. */ jpayne@69: #define KRB5_TC_MATCH_IS_SKEY 0x00000002 jpayne@69: /** All the flags set in the match credentials must be set. */ jpayne@69: #define KRB5_TC_MATCH_FLAGS 0x00000004 jpayne@69: /** All the time fields must match exactly. */ jpayne@69: #define KRB5_TC_MATCH_TIMES_EXACT 0x00000008 jpayne@69: /** All the flags must match exactly. */ jpayne@69: #define KRB5_TC_MATCH_FLAGS_EXACT 0x00000010 jpayne@69: /** The authorization data must match. */ jpayne@69: #define KRB5_TC_MATCH_AUTHDATA 0x00000020 jpayne@69: /** Only the name portion of the principal name must match. */ jpayne@69: #define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040 jpayne@69: /** The second ticket must match. */ jpayne@69: #define KRB5_TC_MATCH_2ND_TKT 0x00000080 jpayne@69: /** The encryption key type must match. */ jpayne@69: #define KRB5_TC_MATCH_KTYPE 0x00000100 jpayne@69: /** The supported key types must match. */ jpayne@69: #define KRB5_TC_SUPPORTED_KTYPES 0x00000200 jpayne@69: jpayne@69: /* Flags for krb5_cc_set_flags and similar. */ jpayne@69: /** Open and close the file for each cache operation. */ jpayne@69: #define KRB5_TC_OPENCLOSE 0x00000001 /**< @deprecated has no effect */ jpayne@69: #define KRB5_TC_NOTICKET 0x00000002 jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the name, but not type of a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * jpayne@69: * @warning Returns the name of the credential cache. The result is an alias jpayne@69: * into @a cache and should not be freed or modified by the caller. This name jpayne@69: * does not include the cache type, so should not be used as input to jpayne@69: * krb5_cc_resolve(). jpayne@69: * jpayne@69: * @return jpayne@69: * On success - the name of the credential cache. jpayne@69: */ jpayne@69: const char * KRB5_CALLCONV jpayne@69: krb5_cc_get_name(krb5_context context, krb5_ccache cache); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the full name of a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [out] fullname_out Full name of cache jpayne@69: * jpayne@69: * Use krb5_free_string() to free @a fullname_out when it is no longer needed. jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, jpayne@69: char **fullname_out); jpayne@69: jpayne@69: #if KRB5_DEPRECATED jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_gen_new(krb5_context context, krb5_ccache *cache); jpayne@69: #endif /* KRB5_DEPRECATED */ jpayne@69: jpayne@69: /** jpayne@69: * Initialize a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] principal Default principal name jpayne@69: * jpayne@69: * Destroy any existing contents of @a cache and initialize it for the default jpayne@69: * principal @a principal. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * System errors; Permission errors; Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_initialize(krb5_context context, krb5_ccache cache, jpayne@69: krb5_principal principal); jpayne@69: jpayne@69: /** jpayne@69: * Destroy a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * jpayne@69: * This function destroys any existing contents of @a cache and closes the jpayne@69: * handle to it. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Permission errors jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_destroy(krb5_context context, krb5_ccache cache); jpayne@69: jpayne@69: /** jpayne@69: * Close a credential cache handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * jpayne@69: * This function closes a credential cache handle @a cache without affecting jpayne@69: * the contents of the cache. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_close(krb5_context context, krb5_ccache cache); jpayne@69: jpayne@69: /** jpayne@69: * Store credentials in a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] creds Credentials to be stored in cache jpayne@69: * jpayne@69: * This function stores @a creds into @a cache. If @a creds->server and the jpayne@69: * server in the decoded ticket @a creds->ticket differ, the credentials will jpayne@69: * be stored under both server principal names. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return Permission errors; storage failure errors; Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve a specified credentials from a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] flags Flags bit mask jpayne@69: * @param [in] mcreds Credentials to match jpayne@69: * @param [out] creds Credentials matching the requested value jpayne@69: * jpayne@69: * This function searches a credential cache for credentials matching @a mcreds jpayne@69: * and returns it if found. jpayne@69: * jpayne@69: * Valid values for @a flags are: jpayne@69: * jpayne@69: * @li #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as jpayne@69: * great as in @a mcreds . jpayne@69: * @li #KRB5_TC_MATCH_IS_SKEY The @a is_skey field much match exactly. jpayne@69: * @li #KRB5_TC_MATCH_FLAGS Flags set in @a mcreds must be set. jpayne@69: * @li #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly. jpayne@69: * @li #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly. jpayne@69: * @li #KRB5_TC_MATCH_AUTHDATA The authorization data must match. jpayne@69: * @li #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal jpayne@69: * name must match, not the realm. jpayne@69: * @li #KRB5_TC_MATCH_2ND_TKT The second tickets must match. jpayne@69: * @li #KRB5_TC_MATCH_KTYPE The encryption key types must match. jpayne@69: * @li #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any jpayne@69: * supported encryption type and return the jpayne@69: * one with the encryption type listed earliest. jpayne@69: * jpayne@69: * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, jpayne@69: krb5_flags flags, krb5_creds *mcreds, jpayne@69: krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Get the default principal of a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [out] principal Primary principal jpayne@69: * jpayne@69: * Returns the default client principal of a credential cache as set by jpayne@69: * krb5_cc_initialize(). jpayne@69: * jpayne@69: * Use krb5_free_principal() to free @a principal when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_get_principal(krb5_context context, krb5_ccache cache, jpayne@69: krb5_principal *principal); jpayne@69: jpayne@69: /** jpayne@69: * Prepare to sequentially read every credential in a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [out] cursor Cursor jpayne@69: * jpayne@69: * krb5_cc_end_seq_get() must be called to complete the retrieve operation. jpayne@69: * jpayne@69: * @note If the cache represented by @a cache is modified between the time of jpayne@69: * the call to this function and the time of the final krb5_cc_end_seq_get(), jpayne@69: * these changes may not be reflected in the results of krb5_cc_next_cred() jpayne@69: * calls. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, jpayne@69: krb5_cc_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the next entry from the credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] cursor Cursor jpayne@69: * @param [out] creds Next credential cache entry jpayne@69: * jpayne@69: * This function fills in @a creds with the next entry in @a cache and advances jpayne@69: * @a cursor. jpayne@69: * jpayne@69: * Use krb5_free_cred_contents() to free @a creds when it is no longer needed. jpayne@69: * jpayne@69: * @sa krb5_cc_start_seq_get(), krb5_end_seq_get() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_next_cred(krb5_context context, krb5_ccache cache, jpayne@69: krb5_cc_cursor *cursor, krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Finish a series of sequential processing credential cache entries. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] cursor Cursor jpayne@69: * jpayne@69: * This function finishes processing credential cache entries and invalidates jpayne@69: * @a cursor. jpayne@69: * jpayne@69: * @sa krb5_cc_start_seq_get(), krb5_cc_next_cred() jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, jpayne@69: krb5_cc_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Remove credentials from a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] flags Bitwise-ORed search flags jpayne@69: * @param [in] creds Credentials to be matched jpayne@69: * jpayne@69: * @warning This function is not implemented for some cache types. jpayne@69: * jpayne@69: * This function accepts the same flag values as krb5_cc_retrieve_cred(). jpayne@69: * jpayne@69: * @retval KRB5_CC_NOSUPP Not implemented for this cache type jpayne@69: * @return No matches found; Data cannot be deleted; Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, jpayne@69: krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Set options flags on a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [in] flags Flag bit mask jpayne@69: * jpayne@69: * This function resets @a cache flags to @a flags. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve flags from a credential cache structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * @param [out] flags Flag bit mask jpayne@69: * jpayne@69: * @warning For memory credential cache always returns a flag mask of 0. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the type of a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * jpayne@69: * @return The type of a credential cache as an alias that must not be modified jpayne@69: * or freed by the caller. jpayne@69: */ jpayne@69: const char * KRB5_CALLCONV jpayne@69: krb5_cc_get_type(krb5_context context, krb5_ccache cache); jpayne@69: jpayne@69: /** jpayne@69: * Move a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] src The credential cache to move the content from jpayne@69: * @param [in] dst The credential cache to move the content to jpayne@69: * jpayne@69: * This function reinitializes @a dst and populates it with the credentials and jpayne@69: * default principal of @a src; then, if successful, destroys @a src. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success; @a src is closed. jpayne@69: * @return jpayne@69: * Kerberos error codes; @a src is still allocated. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst); jpayne@69: jpayne@69: /** jpayne@69: * Prepare to iterate over the collection of known credential caches. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] cursor Cursor jpayne@69: * jpayne@69: * Get a new cache iteration @a cursor that will iterate over all known jpayne@69: * credential caches independent of type. jpayne@69: * jpayne@69: * Use krb5_cccol_cursor_free() to release @a cursor when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @sa krb5_cccol_cursor_next() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Get the next credential cache in the collection. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cursor Cursor jpayne@69: * @param [out] ccache Credential cache handle jpayne@69: * jpayne@69: * @note When all caches are iterated over and the end of the list is reached, jpayne@69: * @a ccache is set to NULL. jpayne@69: * jpayne@69: * Use krb5_cc_close() to close @a ccache when it is no longer needed. jpayne@69: * jpayne@69: * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_free() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, jpayne@69: krb5_ccache *ccache); jpayne@69: jpayne@69: /** jpayne@69: * Free a credential cache collection cursor. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cursor Cursor jpayne@69: * jpayne@69: * @sa krb5_cccol_cursor_new(), krb5_cccol_cursor_next() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Check if the credential cache collection contains any initialized caches. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: * jpayne@69: * @retval 0 At least one initialized cache is present in the collection jpayne@69: * @retval KRB5_CC_NOTFOUND The collection contains no caches jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cccol_have_content(krb5_context context); jpayne@69: jpayne@69: /** jpayne@69: * Create a new credential cache of the specified type with a unique name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] type Credential cache type name jpayne@69: * @param [in] hint Unused jpayne@69: * @param [out] id Credential cache handle jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_new_unique(krb5_context context, const char *type, const char *hint, jpayne@69: krb5_ccache *id); jpayne@69: jpayne@69: /* jpayne@69: * end "ccache.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "rcache.h" jpayne@69: */ jpayne@69: jpayne@69: struct krb5_rc_st; jpayne@69: typedef struct krb5_rc_st *krb5_rcache; jpayne@69: jpayne@69: /* jpayne@69: * end "rcache.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "keytab.h" jpayne@69: */ jpayne@69: jpayne@69: jpayne@69: /* XXX */ jpayne@69: #define MAX_KEYTAB_NAME_LEN 1100 /**< Long enough for MAXPATHLEN + some extra */ jpayne@69: jpayne@69: typedef krb5_pointer krb5_kt_cursor; jpayne@69: jpayne@69: /** A key table entry. */ jpayne@69: typedef struct krb5_keytab_entry_st { jpayne@69: krb5_magic magic; jpayne@69: krb5_principal principal; /**< Principal of this key */ jpayne@69: krb5_timestamp timestamp; /**< Time entry written to keytable */ jpayne@69: krb5_kvno vno; /**< Key version number */ jpayne@69: krb5_keyblock key; /**< The secret key */ jpayne@69: } krb5_keytab_entry; jpayne@69: jpayne@69: struct _krb5_kt; jpayne@69: typedef struct _krb5_kt *krb5_keytab; jpayne@69: jpayne@69: /** jpayne@69: * Return the type of a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * jpayne@69: * @return The type of a key table as an alias that must not be modified or jpayne@69: * freed by the caller. jpayne@69: */ jpayne@69: const char * KRB5_CALLCONV jpayne@69: krb5_kt_get_type(krb5_context context, krb5_keytab keytab); jpayne@69: jpayne@69: /** jpayne@69: * Get a key table name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * @param [out] name Key table name jpayne@69: * @param [in] namelen Maximum length to fill in name jpayne@69: * jpayne@69: * Fill @a name with the name of @a keytab including the type and delimiter. jpayne@69: * jpayne@69: * @sa MAX_KEYTAB_NAME_LEN jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_KT_NAME_TOOLONG Key table name does not fit in @a namelen bytes jpayne@69: * jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, jpayne@69: unsigned int namelen); jpayne@69: jpayne@69: /** jpayne@69: * Close a key table handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * jpayne@69: * @retval 0 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_close(krb5_context context, krb5_keytab keytab); jpayne@69: jpayne@69: /** jpayne@69: * Get an entry from a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * @param [in] principal Principal name jpayne@69: * @param [in] vno Key version number (0 for highest available) jpayne@69: * @param [in] enctype Encryption type (0 zero for any enctype) jpayne@69: * @param [out] entry Returned entry from key table jpayne@69: * jpayne@69: * Retrieve an entry from a key table which matches the @a keytab, @a jpayne@69: * principal, @a vno, and @a enctype. If @a vno is zero, retrieve the jpayne@69: * highest-numbered kvno matching the other fields. If @a enctype is 0, match jpayne@69: * any enctype. jpayne@69: * jpayne@69: * Use krb5_free_keytab_entry_contents() to free @a entry when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @note If @a vno is zero, the function retrieves the highest-numbered-kvno jpayne@69: * entry that matches the specified principal. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * Kerberos error codes on failure jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, jpayne@69: krb5_const_principal principal, krb5_kvno vno, jpayne@69: krb5_enctype enctype, krb5_keytab_entry *entry); jpayne@69: jpayne@69: /** jpayne@69: * Start a sequential retrieval of key table entries. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * @param [out] cursor Cursor jpayne@69: * jpayne@69: * Prepare to read sequentially every key in the specified key table. Use jpayne@69: * krb5_kt_end_seq_get() to release the cursor when it is no longer needed. jpayne@69: * jpayne@69: * @sa krb5_kt_next_entry(), krb5_kt_end_seq_get() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, jpayne@69: krb5_kt_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the next entry from the key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * @param [out] entry Returned key table entry jpayne@69: * @param [in] cursor Key table cursor jpayne@69: * jpayne@69: * Return the next sequential entry in @a keytab and advance @a cursor. jpayne@69: * Callers must release the returned entry with krb5_kt_free_entry(). jpayne@69: * jpayne@69: * @sa krb5_kt_start_seq_get(), krb5_kt_end_seq_get() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_KT_END - if the last entry was reached jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, jpayne@69: krb5_keytab_entry *entry, krb5_kt_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Release a keytab cursor. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * @param [out] cursor Cursor jpayne@69: * jpayne@69: * This function should be called to release the cursor created by jpayne@69: * krb5_kt_start_seq_get(). jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, jpayne@69: krb5_kt_cursor *cursor); jpayne@69: jpayne@69: /** jpayne@69: * Check if a keytab exists and contains entries. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: * jpayne@69: * @retval 0 Keytab exists and contains entries jpayne@69: * @retval KRB5_KT_NOTFOUND Keytab does not contain entries jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_have_content(krb5_context context, krb5_keytab keytab); jpayne@69: jpayne@69: /* jpayne@69: * end "keytab.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin "func-proto.h" jpayne@69: */ jpayne@69: jpayne@69: #define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */ jpayne@69: #define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */ jpayne@69: jpayne@69: /** jpayne@69: * Create a krb5 library context. jpayne@69: * jpayne@69: * @param [out] context Library context jpayne@69: * jpayne@69: * The @a context must be released by calling krb5_free_context() when jpayne@69: * it is no longer needed. jpayne@69: * jpayne@69: * @warning Any program or module that needs the Kerberos code to not trust the jpayne@69: * environment must use krb5_init_secure_context(), or clean out the jpayne@69: * environment. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_context(krb5_context *context); jpayne@69: jpayne@69: /** jpayne@69: * Create a krb5 library context using only configuration files. jpayne@69: * jpayne@69: * @param [out] context Library context jpayne@69: * jpayne@69: * Create a context structure, using only system configuration files. All jpayne@69: * information passed through the environment variables is ignored. jpayne@69: * jpayne@69: * The @a context must be released by calling krb5_free_context() when jpayne@69: * it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_secure_context(krb5_context *context); jpayne@69: jpayne@69: /** jpayne@69: * Create a krb5 library context using a specified profile. jpayne@69: * jpayne@69: * @param [in] profile Profile object (NULL to create default profile) jpayne@69: * @param [in] flags Context initialization flags jpayne@69: * @param [out] context Library context jpayne@69: * jpayne@69: * Create a context structure, optionally using a specified profile and jpayne@69: * initialization flags. If @a profile is NULL, the default profile will be jpayne@69: * created from config files. If @a profile is non-null, a copy of it will be jpayne@69: * made for the new context; the caller should still clean up its copy. Valid jpayne@69: * flag values are: jpayne@69: * jpayne@69: * @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables jpayne@69: * @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags, jpayne@69: krb5_context *context); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5 library context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * jpayne@69: * This function frees a @a context that was created by krb5_init_context() jpayne@69: * or krb5_init_secure_context(). jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_context(krb5_context context); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_context structure. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [out] nctx_out New context structure jpayne@69: * jpayne@69: * The newly created context must be released by calling krb5_free_context() jpayne@69: * when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_context(krb5_context ctx, krb5_context *nctx_out); jpayne@69: jpayne@69: /** jpayne@69: * Set default TGS encryption types in a krb5_context structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] etypes Encryption type(s) to set jpayne@69: * jpayne@69: * This function sets the default enctype list for TGS requests jpayne@69: * made using @a context to @a etypes. jpayne@69: * jpayne@69: * @note This overrides the default list (from config file or built-in). jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes); jpayne@69: jpayne@69: /** jpayne@69: * Return a list of encryption types permitted for session keys. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] ktypes Zero-terminated list of encryption types jpayne@69: * jpayne@69: * This function returns the list of encryption types permitted for session jpayne@69: * keys within @a context, as determined by configuration or by a previous call jpayne@69: * to krb5_set_default_tgs_enctypes(). jpayne@69: * jpayne@69: * Use krb5_free_enctypes() to free @a ktypes when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes); jpayne@69: jpayne@69: /** jpayne@69: * Test whether the Kerberos library was built with multithread support. jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE if the library is threadsafe; FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_is_thread_safe(void); jpayne@69: jpayne@69: /* libkrb.spec */ jpayne@69: jpayne@69: /** jpayne@69: * Decrypt a ticket using the specified key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] kt Key table jpayne@69: * @param [in] ticket Ticket to be decrypted jpayne@69: * jpayne@69: * This function takes a @a ticket as input and decrypts it using jpayne@69: * key data from @a kt. The result is placed into @a ticket->enc_part2. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, jpayne@69: krb5_ticket *ticket); jpayne@69: jpayne@69: /** jpayne@69: * Free an array of credential structures. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] tgts Null-terminated array of credentials to free jpayne@69: * jpayne@69: * @note The last entry in the array @a tgts must be a NULL pointer. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts); jpayne@69: jpayne@69: /** @defgroup KRB5_GC KRB5_GC jpayne@69: * @{ jpayne@69: */ jpayne@69: #define KRB5_GC_USER_USER 1 /**< Want user-user ticket */ jpayne@69: #define KRB5_GC_CACHED 2 /**< Want cached ticket only */ jpayne@69: #define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */ jpayne@69: #define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */ jpayne@69: #define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */ jpayne@69: #define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */ jpayne@69: #define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */ jpayne@69: /** @} */ /* end of KRB5_GC group */ jpayne@69: jpayne@69: /** jpayne@69: * Get an additional ticket. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] options Options jpayne@69: * @param [in] ccache Credential cache handle jpayne@69: * @param [in] in_creds Input credentials jpayne@69: * @param [out] out_creds Output updated credentials jpayne@69: * jpayne@69: * Use @a ccache or a TGS exchange to get a service ticket matching @a jpayne@69: * in_creds. jpayne@69: * jpayne@69: * Valid values for @a options are: jpayne@69: * @li #KRB5_GC_CACHED Search only credential cache for the ticket jpayne@69: * @li #KRB5_GC_USER_USER Return a user to user authentication ticket jpayne@69: * jpayne@69: * @a in_creds must be non-null. @a in_creds->client and @a in_creds->server jpayne@69: * must be filled in to specify the client and the server respectively. If any jpayne@69: * authorization data needs to be requested for the service ticket (such as jpayne@69: * restrictions on how the ticket can be used), specify it in @a jpayne@69: * in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The jpayne@69: * session key type is specified in @a in_creds->keyblock.enctype, if it is jpayne@69: * nonzero. jpayne@69: * jpayne@69: * The expiration date is specified in @a in_creds->times.endtime. jpayne@69: * The KDC may return tickets with an earlier expiration date. jpayne@69: * If @a in_creds->times.endtime is set to 0, the latest possible jpayne@69: * expiration date will be requested. jpayne@69: * jpayne@69: * Any returned ticket and intermediate ticket-granting tickets are stored jpayne@69: * in @a ccache. jpayne@69: * jpayne@69: * Use krb5_free_creds() to free @a out_creds when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_credentials(krb5_context context, krb5_flags options, jpayne@69: krb5_ccache ccache, krb5_creds *in_creds, jpayne@69: krb5_creds **out_creds); jpayne@69: jpayne@69: /** jpayne@69: * Serialize a @c krb5_creds object. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] in_creds The credentials object to serialize jpayne@69: * @param [out] data_out The serialized credentials jpayne@69: * jpayne@69: * Serialize @a creds in the format used by the FILE ccache format (vesion 4) jpayne@69: * and KCM ccache protocol. jpayne@69: * jpayne@69: * Use krb5_free_data() to free @a data_out when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_marshal_credentials(krb5_context context, krb5_creds *in_creds, jpayne@69: krb5_data **data_out); jpayne@69: jpayne@69: /** jpayne@69: * Deserialize a @c krb5_creds object. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] data The serialized credentials jpayne@69: * @param [out] creds_out The resulting creds object jpayne@69: * jpayne@69: * Deserialize @a data to credentials in the format used by the FILE ccache jpayne@69: * format (vesion 4) and KCM ccache protocol. jpayne@69: * jpayne@69: * Use krb5_free_creds() to free @a creds_out when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_unmarshal_credentials(krb5_context context, const krb5_data *data, jpayne@69: krb5_creds **creds_out); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_get_validated_creds. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_credentials_validate(krb5_context context, krb5_flags options, jpayne@69: krb5_ccache ccache, krb5_creds *in_creds, jpayne@69: krb5_creds **out_creds); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_get_renewed_creds. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_credentials_renew(krb5_context context, krb5_flags options, jpayne@69: krb5_ccache ccache, krb5_creds *in_creds, jpayne@69: krb5_creds **out_creds); jpayne@69: jpayne@69: /** jpayne@69: * Create a @c KRB_AP_REQ message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] ap_req_options @ref AP_OPTS options jpayne@69: * @param [in] service Service name, or NULL to use @c "host" jpayne@69: * @param [in] hostname Host name, or NULL to use local hostname jpayne@69: * @param [in] in_data Application data to be checksummed in the jpayne@69: * authenticator, or NULL jpayne@69: * @param [in] ccache Credential cache used to obtain credentials jpayne@69: * for the desired service. jpayne@69: * @param [out] outbuf @c AP-REQ message jpayne@69: * jpayne@69: * This function is similar to krb5_mk_req_extended() except that it uses a jpayne@69: * given @a hostname, @a service, and @a ccache to construct a service jpayne@69: * principal name and obtain credentials. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, jpayne@69: krb5_flags ap_req_options, const char *service, jpayne@69: const char *hostname, krb5_data *in_data, krb5_ccache ccache, jpayne@69: krb5_data *outbuf); jpayne@69: jpayne@69: /** jpayne@69: * Create a @c KRB_AP_REQ message using supplied credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] ap_req_options @ref AP_OPTS options jpayne@69: * @param [in] in_data Application data to be checksummed in the jpayne@69: * authenticator, or NULL jpayne@69: * @param [in] in_creds Credentials for the service with valid ticket jpayne@69: * and key jpayne@69: * @param [out] outbuf @c AP-REQ message jpayne@69: * jpayne@69: * Valid @a ap_req_options are: jpayne@69: * @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the jpayne@69: * request used for user to user jpayne@69: * authentication. jpayne@69: * @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from jpayne@69: * the receiver. jpayne@69: * @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current jpayne@69: * session key obtained from the credentials. jpayne@69: * jpayne@69: * This function creates a KRB_AP_REQ message using supplied credentials @a jpayne@69: * in_creds. @a auth_context may point to an existing auth context or to NULL, jpayne@69: * in which case a new one will be created. If @a in_data is non-null, a jpayne@69: * checksum of it will be included in the authenticator contained in the jpayne@69: * KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it jpayne@69: * is no longer needed. jpayne@69: * jpayne@69: * On successful return, the authenticator is stored in @a auth_context with jpayne@69: * the @a client and @a checksum fields nulled out. (This is to prevent jpayne@69: * pointer-sharing problems; the caller should not need these fields anyway, jpayne@69: * since the caller supplied them.) jpayne@69: * jpayne@69: * @sa krb5_mk_req() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, jpayne@69: krb5_flags ap_req_options, krb5_data *in_data, jpayne@69: krb5_creds *in_creds, krb5_data *outbuf); jpayne@69: jpayne@69: /** jpayne@69: * Format and encrypt a @c KRB_AP_REP message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] outbuf @c AP-REP message jpayne@69: * jpayne@69: * This function fills in @a outbuf with an AP-REP message using information jpayne@69: * from @a auth_context. jpayne@69: * jpayne@69: * If the flags in @a auth_context indicate that a sequence number should be jpayne@69: * used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or jpayne@69: * #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a jpayne@69: * auth_context is 0, a new number will be generated with jpayne@69: * krb5_generate_seq_number(). jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); jpayne@69: jpayne@69: /** jpayne@69: * Format and encrypt a @c KRB_AP_REP message for DCE RPC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] outbuf @c AP-REP message jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf); jpayne@69: jpayne@69: /** jpayne@69: * Parse and decrypt a @c KRB_AP_REP message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] inbuf AP-REP message jpayne@69: * @param [out] repl Decrypted reply message jpayne@69: * jpayne@69: * This function parses, decrypts and verifies a message from @a inbuf and jpayne@69: * fills in @a repl with a pointer to allocated memory containing the fields jpayne@69: * from the encrypted response. jpayne@69: * jpayne@69: * Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *inbuf, krb5_ap_rep_enc_part **repl); jpayne@69: jpayne@69: /** jpayne@69: * Parse and decrypt a @c KRB_AP_REP message for DCE RPC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] inbuf AP-REP message jpayne@69: * @param [out] nonce Sequence number from the decrypted reply jpayne@69: * jpayne@69: * This function parses, decrypts and verifies a message from @a inbuf and jpayne@69: * fills in @a nonce with a decrypted reply sequence number. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *inbuf, krb5_ui_4 *nonce); jpayne@69: jpayne@69: /** jpayne@69: * Format and encode a @c KRB_ERROR message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] dec_err Error structure to be encoded jpayne@69: * @param [out] enc_err Encoded error structure jpayne@69: * jpayne@69: * This function creates a @c KRB_ERROR message in @a enc_err. Use jpayne@69: * krb5_free_data_contents() to free @a enc_err when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_error(krb5_context context, const krb5_error *dec_err, jpayne@69: krb5_data *enc_err); jpayne@69: jpayne@69: /** jpayne@69: * Decode a @c KRB-ERROR message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enc_errbuf Encoded error message jpayne@69: * @param [out] dec_error Decoded error message jpayne@69: * jpayne@69: * This function processes @c KRB-ERROR message @a enc_errbuf and returns jpayne@69: * an allocated structure @a dec_error containing the error message. jpayne@69: * Use krb5_free_error() to free @a dec_error when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, jpayne@69: krb5_error **dec_error); jpayne@69: jpayne@69: /** jpayne@69: * Process @c KRB-SAFE message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] inbuf @c KRB-SAFE message to be parsed jpayne@69: * @param [out] userdata_out Data parsed from @c KRB-SAFE message jpayne@69: * @param [out] rdata_out Replay data. Specify NULL if not needed jpayne@69: * jpayne@69: * This function parses a @c KRB-SAFE message, verifies its integrity, and jpayne@69: * stores its data into @a userdata_out. jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context. jpayne@69: * jpayne@69: * If @a auth_context has a remote address set, the address will be used to jpayne@69: * verify the sender address in the KRB-SAFE message. If @a auth_context has a jpayne@69: * local address set, it will be used to verify the receiver address in the jpayne@69: * KRB-SAFE message if the message contains one. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the jpayne@69: * sequence number of the KRB-SAFE message is checked against the remote jpayne@69: * sequence number field of @a auth_context. Otherwise, the sequence number is jpayne@69: * not used. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the jpayne@69: * timestamp in the message is verified to be within the permitted clock skew jpayne@69: * of the current time, and the message is checked against an in-memory replay jpayne@69: * cache to detect reflections or replays. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a userdata_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *inbuf, krb5_data *userdata_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Process a @c KRB-PRIV message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication structure jpayne@69: * @param [in] inbuf @c KRB-PRIV message to be parsed jpayne@69: * @param [out] userdata_out Data parsed from @c KRB-PRIV message jpayne@69: * @param [out] rdata_out Replay data. Specify NULL if not needed jpayne@69: * jpayne@69: * This function parses a @c KRB-PRIV message, verifies its integrity, and jpayne@69: * stores its unencrypted data into @a userdata_out. jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context. jpayne@69: * jpayne@69: * If @a auth_context has a remote address set, the address will be used to jpayne@69: * verify the sender address in the KRB-PRIV message. If @a auth_context has a jpayne@69: * local address set, it will be used to verify the receiver address in the jpayne@69: * KRB-PRIV message if the message contains one. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the jpayne@69: * sequence number of the KRB-PRIV message is checked against the remote jpayne@69: * sequence number field of @a auth_context. Otherwise, the sequence number is jpayne@69: * not used. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, then the jpayne@69: * timestamp in the message is verified to be within the permitted clock skew jpayne@69: * of the current time, and the message is checked against an in-memory replay jpayne@69: * cache to detect reflections or replays. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a userdata_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *inbuf, krb5_data *userdata_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string principal name to a krb5_principal structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name String representation of a principal name jpayne@69: * @param [out] principal_out New principal jpayne@69: * jpayne@69: * Convert a string representation of a principal name to a krb5_principal jpayne@69: * structure. jpayne@69: * jpayne@69: * A string representation of a Kerberos name consists of one or more principal jpayne@69: * name components, separated by slashes, optionally followed by the \@ jpayne@69: * character and a realm name. If the realm name is not specified, the local jpayne@69: * realm is used. jpayne@69: * jpayne@69: * To use the slash and \@ symbols as part of a component (quoted) instead of jpayne@69: * using them as a component separator or as a realm prefix), put a backslash jpayne@69: * (\) character in front of the symbol. Similarly, newline, tab, backspace, jpayne@69: * and NULL characters can be included in a component by using @c n, @c t, @c b jpayne@69: * or @c 0, respectively. jpayne@69: * jpayne@69: * @note The realm in a Kerberos @a name cannot contain slash, colon, jpayne@69: * or NULL characters. jpayne@69: * jpayne@69: * Beginning with release 1.20, the name type of the principal will be inferred jpayne@69: * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. jpayne@69: * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. jpayne@69: * jpayne@69: * Use krb5_free_principal() to free @a principal_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_parse_name(krb5_context context, const char *name, jpayne@69: krb5_principal *principal_out); jpayne@69: jpayne@69: #define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */ jpayne@69: #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */ jpayne@69: #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component jpayne@69: enterprise principle */ jpayne@69: #define KRB5_PRINCIPAL_PARSE_IGNORE_REALM 0x8 /**< Ignore realm if present */ jpayne@69: #define KRB5_PRINCIPAL_PARSE_NO_DEF_REALM 0x10 /**< Don't add default realm */ jpayne@69: jpayne@69: /** jpayne@69: * Convert a string principal name to a krb5_principal with flags. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name String representation of a principal name jpayne@69: * @param [in] flags Flag jpayne@69: * @param [out] principal_out New principal jpayne@69: * jpayne@69: * Similar to krb5_parse_name(), this function converts a single-string jpayne@69: * representation of a principal name to a krb5_principal structure. jpayne@69: * jpayne@69: * The following flags are valid: jpayne@69: * @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name jpayne@69: * @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name jpayne@69: * @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise jpayne@69: * principal jpayne@69: * @li #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in @a name jpayne@69: * jpayne@69: * If @c KRB5_PRINCIPAL_PARSE_NO_REALM or @c KRB5_PRINCIPAL_PARSE_IGNORE_REALM jpayne@69: * is specified in @a flags, the realm of the new principal will be empty. jpayne@69: * Otherwise, the default realm for @a context will be used if @a name does not jpayne@69: * specify a realm. jpayne@69: * jpayne@69: * Use krb5_free_principal() to free @a principal_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_parse_name_flags(krb5_context context, const char *name, jpayne@69: int flags, krb5_principal *principal_out); jpayne@69: jpayne@69: /** jpayne@69: * Convert a krb5_principal structure to a string representation. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal jpayne@69: * @param [out] name String representation of principal name jpayne@69: * jpayne@69: * The resulting string representation uses the format and quoting conventions jpayne@69: * described for krb5_parse_name(). jpayne@69: * jpayne@69: * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_unparse_name(krb5_context context, krb5_const_principal principal, jpayne@69: char **name); jpayne@69: jpayne@69: /** jpayne@69: * Convert krb5_principal structure to string and length. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal jpayne@69: * @param [in,out] name String representation of principal name jpayne@69: * @param [in,out] size Size of unparsed name jpayne@69: * jpayne@69: * This function is similar to krb5_unparse_name(), but allows the use of an jpayne@69: * existing buffer for the result. If size is not NULL, then @a name must jpayne@69: * point to either NULL or an existing buffer of at least the size pointed to jpayne@69: * by @a size. The buffer will be allocated or resized if necessary, with the jpayne@69: * new pointer stored into @a name. Whether or not the buffer is resized, the jpayne@69: * necessary space for the result, including null terminator, will be stored jpayne@69: * into @a size. jpayne@69: * jpayne@69: * If size is NULL, this function behaves exactly as krb5_unparse_name(). jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes. On failure @a name is set to NULL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, jpayne@69: char **name, unsigned int *size); jpayne@69: jpayne@69: #define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */ jpayne@69: #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */ jpayne@69: #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */ jpayne@69: jpayne@69: /** jpayne@69: * Convert krb5_principal structure to a string with flags. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal jpayne@69: * @param [in] flags Flags jpayne@69: * @param [out] name String representation of principal name jpayne@69: * jpayne@69: * Similar to krb5_unparse_name(), this function converts a krb5_principal jpayne@69: * structure to a string representation. jpayne@69: * jpayne@69: * The following flags are valid: jpayne@69: * @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm jpayne@69: * @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm jpayne@69: * @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters jpayne@69: * jpayne@69: * Use krb5_free_unparsed_name() to free @a name when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes. On failure @a name is set to NULL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, jpayne@69: int flags, char **name); jpayne@69: jpayne@69: /** jpayne@69: * Convert krb5_principal structure to string format with flags. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal jpayne@69: * @param [in] flags Flags jpayne@69: * @param [out] name Single string format of principal name jpayne@69: * @param [out] size Size of unparsed name buffer jpayne@69: * jpayne@69: * @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes. On failure @a name is set to NULL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, jpayne@69: int flags, char **name, unsigned int *size); jpayne@69: jpayne@69: /** jpayne@69: * Set the realm field of a principal jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal name jpayne@69: * @param [in] realm Realm name jpayne@69: * jpayne@69: * Set the realm name part of @a principal to @a realm, overwriting the jpayne@69: * previous realm. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_principal_realm(krb5_context context, krb5_principal principal, jpayne@69: const char *realm); jpayne@69: jpayne@69: /** jpayne@69: * Search a list of addresses for a specified address. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] addr Address to search for jpayne@69: * @param [in] addrlist Address list to be searched (or NULL) jpayne@69: * jpayne@69: * @note If @a addrlist contains only a NetBIOS addresses, it will be treated jpayne@69: * as a null list. jpayne@69: * jpayne@69: * @return jpayne@69: * TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE jpayne@69: * otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV_WRONG jpayne@69: krb5_address_search(krb5_context context, const krb5_address *addr, jpayne@69: krb5_address *const *addrlist); jpayne@69: jpayne@69: /** jpayne@69: * Compare two Kerberos addresses. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] addr1 First address to be compared jpayne@69: * @param [in] addr2 Second address to be compared jpayne@69: * jpayne@69: * @return jpayne@69: * TRUE if the addresses are the same, FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_address_compare(krb5_context context, const krb5_address *addr1, jpayne@69: const krb5_address *addr2); jpayne@69: jpayne@69: /** jpayne@69: * Return an ordering of the specified addresses. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] addr1 First address jpayne@69: * @param [in] addr2 Second address jpayne@69: * jpayne@69: * @retval 0 if The two addresses are the same jpayne@69: * @retval < 0 First address is less than second jpayne@69: * @retval > 0 First address is greater than second jpayne@69: */ jpayne@69: int KRB5_CALLCONV jpayne@69: krb5_address_order(krb5_context context, const krb5_address *addr1, jpayne@69: const krb5_address *addr2); jpayne@69: jpayne@69: /** jpayne@69: * Compare the realms of two principals. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] princ1 First principal jpayne@69: * @param [in] princ2 Second principal jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE if the realm names are the same; FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_realm_compare(krb5_context context, krb5_const_principal princ1, jpayne@69: krb5_const_principal princ2); jpayne@69: jpayne@69: /** jpayne@69: * Compare two principals. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] princ1 First principal jpayne@69: * @param [in] princ2 Second principal jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE if the principals are the same; FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_principal_compare(krb5_context context, jpayne@69: krb5_const_principal princ1, jpayne@69: krb5_const_principal princ2); jpayne@69: jpayne@69: /** jpayne@69: * Compare two principals ignoring realm components. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] princ1 First principal jpayne@69: * @param [in] princ2 Second principal jpayne@69: * jpayne@69: * Similar to krb5_principal_compare(), but do not compare the realm jpayne@69: * components of the principals. jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE if the principals are the same; FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_principal_compare_any_realm(krb5_context context, jpayne@69: krb5_const_principal princ1, jpayne@69: krb5_const_principal princ2); jpayne@69: jpayne@69: #define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */ jpayne@69: #define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */ jpayne@69: #define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */ jpayne@69: #define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */ jpayne@69: jpayne@69: /** jpayne@69: * Compare two principals with additional flags. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] princ1 First principal jpayne@69: * @param [in] princ2 Second principal jpayne@69: * @param [in] flags Flags jpayne@69: * jpayne@69: * Valid flags are: jpayne@69: * @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component jpayne@69: * @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals jpayne@69: * @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive jpayne@69: * @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8 jpayne@69: * jpayne@69: * @sa krb5_principal_compare() jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE if the principal names are the same; FALSE otherwise jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_principal_compare_flags(krb5_context context, jpayne@69: krb5_const_principal princ1, jpayne@69: krb5_const_principal princ2, jpayne@69: int flags); jpayne@69: jpayne@69: /** jpayne@69: * Initialize an empty @c krb5_keyblock. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] length Length of keyblock (or 0) jpayne@69: * @param [out] out New keyblock structure jpayne@69: * jpayne@69: * Initialize a new keyblock and allocate storage for the contents of the key. jpayne@69: * It is legal to pass in a length of 0, in which case contents are left jpayne@69: * unallocated. Use krb5_free_keyblock() to free @a out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @note If @a length is set to 0, contents are left unallocated. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_keyblock(krb5_context context, krb5_enctype enctype, jpayne@69: size_t length, krb5_keyblock **out); jpayne@69: jpayne@69: /** jpayne@69: * Copy a keyblock. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] from Keyblock to be copied jpayne@69: * @param [out] to Copy of keyblock @a from jpayne@69: * jpayne@69: * This function creates a new keyblock with the same contents as @a from. Use jpayne@69: * krb5_free_keyblock() to free @a to when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, jpayne@69: krb5_keyblock **to); jpayne@69: jpayne@69: /** jpayne@69: * Copy the contents of a keyblock. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] from Key to be copied jpayne@69: * @param [out] to Output key jpayne@69: * jpayne@69: * This function copies the contents of @a from to @a to. Use jpayne@69: * krb5_free_keyblock_contents() to free @a to when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from, jpayne@69: krb5_keyblock *to); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_creds structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] incred Credentials structure to be copied jpayne@69: * @param [out] outcred Copy of @a incred jpayne@69: * jpayne@69: * This function creates a new credential with the contents of @a incred. Use jpayne@69: * krb5_free_creds() to free @a outcred when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_data object. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] indata Data object to be copied jpayne@69: * @param [out] outdata Copy of @a indata jpayne@69: * jpayne@69: * This function creates a new krb5_data object with the contents of @a indata. jpayne@69: * Use krb5_free_data() to free @a outdata when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata); jpayne@69: jpayne@69: /** jpayne@69: * Copy a principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] inprinc Principal to be copied jpayne@69: * @param [out] outprinc Copy of @a inprinc jpayne@69: * jpayne@69: * This function creates a new principal structure with the contents of @a jpayne@69: * inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, jpayne@69: krb5_principal *outprinc); jpayne@69: jpayne@69: /** jpayne@69: * Copy an array of addresses. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] inaddr Array of addresses to be copied jpayne@69: * @param [out] outaddr Copy of array of addresses jpayne@69: * jpayne@69: * This function creates a new address array containing a copy of @a inaddr. jpayne@69: * Use krb5_free_addresses() to free @a outaddr when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, jpayne@69: krb5_address ***outaddr); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_ticket structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] from Ticket to be copied jpayne@69: * @param [out] pto Copy of ticket jpayne@69: * jpayne@69: * This function creates a new krb5_ticket structure containing the contents of jpayne@69: * @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto); jpayne@69: jpayne@69: /** jpayne@69: * Copy an authorization data list. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] in_authdat List of @a krb5_authdata structures jpayne@69: * @param [out] out New array of @a krb5_authdata structures jpayne@69: * jpayne@69: * This function creates a new authorization data list containing a copy of @a jpayne@69: * in_authdat, which must be null-terminated. Use krb5_free_authdata() to free jpayne@69: * @a out when it is no longer needed. jpayne@69: * jpayne@69: * @note The last array entry in @a in_authdat must be a NULL pointer. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_authdata(krb5_context context, jpayne@69: krb5_authdata *const *in_authdat, krb5_authdata ***out); jpayne@69: jpayne@69: /** jpayne@69: * Find authorization data elements. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ticket_authdata Authorization data list from ticket jpayne@69: * @param [in] ap_req_authdata Authorization data list from AP request jpayne@69: * @param [in] ad_type Authorization data type to find jpayne@69: * @param [out] results List of matching entries jpayne@69: * jpayne@69: * This function searches @a ticket_authdata and @a ap_req_authdata for jpayne@69: * elements of type @a ad_type. Either input list may be NULL, in which case jpayne@69: * it will not be searched; otherwise, the input lists must be terminated by jpayne@69: * NULL entries. This function will search inside AD-IF-RELEVANT containers if jpayne@69: * found in either list. Use krb5_free_authdata() to free @a results when it jpayne@69: * is no longer needed. jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, jpayne@69: krb5_authdata *const *ap_req_authdata, jpayne@69: krb5_authdatatype ad_type, krb5_authdata ***results); jpayne@69: jpayne@69: /** jpayne@69: * Merge two authorization data lists into a new list. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] inauthdat1 First list of @a krb5_authdata structures jpayne@69: * @param [in] inauthdat2 Second list of @a krb5_authdata structures jpayne@69: * @param [out] outauthdat Merged list of @a krb5_authdata structures jpayne@69: * jpayne@69: * Merge two authdata arrays, such as the array from a ticket jpayne@69: * and authenticator. jpayne@69: * Use krb5_free_authdata() to free @a outauthdat when it is no longer needed. jpayne@69: * jpayne@69: * @note The last array entry in @a inauthdat1 and @a inauthdat2 jpayne@69: * must be a NULL pointer. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_merge_authdata(krb5_context context, jpayne@69: krb5_authdata *const *inauthdat1, jpayne@69: krb5_authdata * const *inauthdat2, jpayne@69: krb5_authdata ***outauthdat); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_authenticator structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] authfrom krb5_authenticator structure to be copied jpayne@69: * @param [out] authto Copy of krb5_authenticator structure jpayne@69: * jpayne@69: * This function creates a new krb5_authenticator structure with the content of jpayne@69: * @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no jpayne@69: * longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, jpayne@69: krb5_authenticator **authto); jpayne@69: jpayne@69: /** jpayne@69: * Copy a krb5_checksum structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ckfrom Checksum to be copied jpayne@69: * @param [out] ckto Copy of krb5_checksum structure jpayne@69: * jpayne@69: * This function creates a new krb5_checksum structure with the contents of @a jpayne@69: * ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, jpayne@69: krb5_checksum **ckto); jpayne@69: jpayne@69: /** jpayne@69: * Generate a replay cache object for server use and open it. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] piece Unused (replay cache identifier) jpayne@69: * @param [out] rcptr Handle to an open rcache jpayne@69: * jpayne@69: * This function creates a handle to the default replay cache. Use jpayne@69: * krb5_rc_close() to close @a rcptr when it is no longer needed. jpayne@69: * jpayne@69: * @version Prior to release 1.18, this function creates a handle to a jpayne@69: * different replay cache for each unique value of @a piece. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_server_rcache(krb5_context context, const krb5_data *piece, jpayne@69: krb5_rcache *rcptr); jpayne@69: jpayne@69: /** jpayne@69: * Build a principal name using length-counted strings. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] princ Principal name jpayne@69: * @param [in] rlen Realm name length jpayne@69: * @param [in] realm Realm name jpayne@69: * @param [in] ... List of unsigned int/char * components, followed by 0 jpayne@69: * jpayne@69: * This function creates a principal from a length-counted string and a jpayne@69: * variable-length list of length-counted components. The list of components jpayne@69: * ends with the first 0 length argument (so it is not possible to specify an jpayne@69: * empty component with this function). Call krb5_free_principal() to free jpayne@69: * allocated memory for principal when it is no longer needed. jpayne@69: * jpayne@69: * Beginning with release 1.20, the name type of the principal will be inferred jpayne@69: * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. jpayne@69: * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. jpayne@69: * jpayne@69: * @code jpayne@69: * Example of how to build principal WELLKNOWN/ANONYMOUS@R jpayne@69: * krb5_build_principal_ext(context, &principal, strlen("R"), "R", jpayne@69: * (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR), jpayne@69: * KRB5_WELLKNOWN_NAMESTR, jpayne@69: * (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR), jpayne@69: * KRB5_ANONYMOUS_PRINCSTR, 0); jpayne@69: * @endcode jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV_C jpayne@69: krb5_build_principal_ext(krb5_context context, krb5_principal * princ, jpayne@69: unsigned int rlen, const char * realm, ...); jpayne@69: jpayne@69: /** jpayne@69: * Build a principal name using null-terminated strings. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] princ Principal name jpayne@69: * @param [in] rlen Realm name length jpayne@69: * @param [in] realm Realm name jpayne@69: * @param [in] ... List of char * components, ending with NULL jpayne@69: * jpayne@69: * Call krb5_free_principal() to free @a princ when it is no longer needed. jpayne@69: * jpayne@69: * Beginning with release 1.20, the name type of the principal will be inferred jpayne@69: * as @c KRB5_NT_SRV_INST or @c KRB5_NT_WELLKNOWN based on the principal name. jpayne@69: * The type will be @c KRB5_NT_PRINCIPAL if a type cannot be inferred. jpayne@69: * jpayne@69: * @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the jpayne@69: * same task. krb5_build_principal() takes variadic arguments. jpayne@69: * krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer. jpayne@69: * jpayne@69: * @code jpayne@69: * Example of how to build principal H/S@R jpayne@69: * krb5_build_principal(context, &principal, jpayne@69: * strlen("R"), "R", "H", "S", (char*)NULL); jpayne@69: * @endcode jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV_C jpayne@69: krb5_build_principal(krb5_context context, jpayne@69: krb5_principal * princ, jpayne@69: unsigned int rlen, jpayne@69: const char * realm, ...) jpayne@69: #if __GNUC__ >= 4 jpayne@69: __attribute__ ((sentinel)) jpayne@69: #endif jpayne@69: ; jpayne@69: #if KRB5_DEPRECATED jpayne@69: /** @deprecated Replaced by krb5_build_principal_alloc_va(). */ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_build_principal_va(krb5_context context, jpayne@69: krb5_principal princ, jpayne@69: unsigned int rlen, jpayne@69: const char *realm, jpayne@69: va_list ap); jpayne@69: #endif jpayne@69: jpayne@69: /** jpayne@69: * Build a principal name, using a precomputed variable argument list jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] princ Principal structure jpayne@69: * @param [in] rlen Realm name length jpayne@69: * @param [in] realm Realm name jpayne@69: * @param [in] ap List of char * components, ending with NULL jpayne@69: * jpayne@69: * Similar to krb5_build_principal(), this function builds a principal name, jpayne@69: * but its name components are specified as a va_list. jpayne@69: * jpayne@69: * Use krb5_free_principal() to deallocate @a princ when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @code jpayne@69: * Function usage example: jpayne@69: * va_list ap; jpayne@69: * va_start(ap, realm); jpayne@69: * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap); jpayne@69: * va_end(ap); jpayne@69: * @endcode jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_build_principal_alloc_va(krb5_context context, jpayne@69: krb5_principal *princ, jpayne@69: unsigned int rlen, jpayne@69: const char *realm, jpayne@69: va_list ap); jpayne@69: jpayne@69: /** jpayne@69: * Convert a Kerberos V4 principal to a Kerberos V5 principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name V4 name jpayne@69: * @param [in] instance V4 instance jpayne@69: * @param [in] realm Realm jpayne@69: * @param [out] princ V5 principal jpayne@69: * jpayne@69: * This function builds a @a princ from V4 specification based on given input jpayne@69: * @a name.instance\@realm. jpayne@69: * jpayne@69: * Use krb5_free_principal() to free @a princ when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_425_conv_principal(krb5_context context, const char *name, jpayne@69: const char *instance, const char *realm, jpayne@69: krb5_principal *princ); jpayne@69: jpayne@69: /** jpayne@69: * Convert a Kerberos V5 principal to a Kerberos V4 principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] princ V5 Principal jpayne@69: * @param [out] name V4 principal's name to be filled in jpayne@69: * @param [out] inst V4 principal's instance name to be filled in jpayne@69: * @param [out] realm Principal's realm name to be filled in jpayne@69: * jpayne@69: * This function separates a V5 principal @a princ into @a name, @a instance, jpayne@69: * and @a realm. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_INVALID_PRINCIPAL Invalid principal name jpayne@69: * @retval jpayne@69: * KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, jpayne@69: char *name, char *inst, char *realm); jpayne@69: /** jpayne@69: *@deprecated jpayne@69: */ jpayne@69: struct credentials; jpayne@69: jpayne@69: /** jpayne@69: * Convert a Kerberos V5 credentials to a Kerberos V4 credentials jpayne@69: * jpayne@69: * @note Not implemented jpayne@69: * jpayne@69: * @retval KRB524_KRB4_DISABLED (always) jpayne@69: */ jpayne@69: int KRB5_CALLCONV jpayne@69: krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, jpayne@69: struct credentials *v4creds); jpayne@69: jpayne@69: #if KRB5_DEPRECATED jpayne@69: #define krb524_convert_creds_kdc krb5_524_convert_creds jpayne@69: #define krb524_init_ets(x) (0) jpayne@69: #endif jpayne@69: jpayne@69: /* libkt.spec */ jpayne@69: jpayne@69: /** jpayne@69: * Get a handle for a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name Name of the key table jpayne@69: * @param [out] ktid Key table handle jpayne@69: * jpayne@69: * Resolve the key table name @a name and set @a ktid to a handle identifying jpayne@69: * the key table. Use krb5_kt_close() to free @a ktid when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @a name must be of the form @c type:residual, where @a type must be a type jpayne@69: * known to the library and @a residual portion should be specific to the jpayne@69: * particular keytab type. If no @a type is given, the default is @c FILE. jpayne@69: * jpayne@69: * If @a name is of type @c FILE, the keytab file is not opened by this call. jpayne@69: * jpayne@69: * @code jpayne@69: * Example: krb5_kt_resolve(context, "FILE:/tmp/filename", &ktid); jpayne@69: * @endcode jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid); jpayne@69: jpayne@69: /** jpayne@69: * Duplicate keytab handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] in Key table handle to be duplicated jpayne@69: * @param [out] out Key table handle jpayne@69: * jpayne@69: * Create a new handle referring to the same key table as @a in. The new jpayne@69: * handle and @a in can be closed independently. jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out); jpayne@69: jpayne@69: /** jpayne@69: * Get the default key table name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] name Default key table name jpayne@69: * @param [in] name_size Space available in @a name jpayne@69: * jpayne@69: * Fill @a name with the name of the default key table for @a context. jpayne@69: * jpayne@69: * @sa MAX_KEYTAB_NAME_LEN jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_CONFIG_NOTENUFSPACE Buffer is too short jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_default_name(krb5_context context, char *name, int name_size); jpayne@69: jpayne@69: /** jpayne@69: * Resolve the default key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] id Key table handle jpayne@69: * jpayne@69: * Set @a id to a handle to the default key table. The key table is not jpayne@69: * opened. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_default(krb5_context context, krb5_keytab *id); jpayne@69: jpayne@69: /** jpayne@69: * Resolve the default client key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] keytab_out Key table handle jpayne@69: * jpayne@69: * Fill @a keytab_out with a handle to the default client key table. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out); jpayne@69: jpayne@69: /** jpayne@69: * Free the contents of a key table entry. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] entry Key table entry whose contents are to be freed jpayne@69: * jpayne@69: * @note The pointer is not freed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry); jpayne@69: jpayne@69: /** @deprecated Use krb5_free_keytab_entry_contents instead. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry); jpayne@69: jpayne@69: jpayne@69: /* remove and add are functions, so that they can return NOWRITE jpayne@69: if not a writable keytab */ jpayne@69: jpayne@69: /** jpayne@69: * Remove an entry from a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] id Key table handle jpayne@69: * @param [in] entry Entry to remove from key table jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_KT_NOWRITE Key table is not writable jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); jpayne@69: jpayne@69: /** jpayne@69: * Add a new entry to a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] id Key table handle jpayne@69: * @param [in] entry Entry to be added jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * ENOMEM Insufficient memory jpayne@69: * @retval jpayne@69: * KRB5_KT_NOWRITE Key table is not writeable jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry); jpayne@69: jpayne@69: /** jpayne@69: * Convert a principal name into the default salt for that principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pr Principal name jpayne@69: * @param [out] ret Default salt for @a pr to be filled in jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV_WRONG jpayne@69: krb5_principal2salt(krb5_context context, jpayne@69: krb5_const_principal pr, krb5_data *ret); jpayne@69: /* librc.spec--see rcache.h */ jpayne@69: jpayne@69: /* libcc.spec */ jpayne@69: jpayne@69: /** jpayne@69: * Resolve a credential cache name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name Credential cache name to be resolved jpayne@69: * @param [out] cache Credential cache handle jpayne@69: * jpayne@69: * Fills in @a cache with a @a cache handle that corresponds to the name in @a jpayne@69: * name. @a name should be of the form @c type:residual, and @a type must be a jpayne@69: * type known to the library. If the @a name does not contain a colon, jpayne@69: * interpret it as a file name. jpayne@69: * jpayne@69: * @code jpayne@69: * Example: krb5_cc_resolve(context, "MEMORY:C_", &cache); jpayne@69: * @endcode jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache); jpayne@69: jpayne@69: /** jpayne@69: * Duplicate ccache handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] in Credential cache handle to be duplicated jpayne@69: * @param [out] out Credential cache handle jpayne@69: * jpayne@69: * Create a new handle referring to the same cache as @a in. jpayne@69: * The new handle and @a in can be closed independently. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out); jpayne@69: jpayne@69: /** jpayne@69: * Return the name of the default credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * jpayne@69: * Return a pointer to the default credential cache name for @a context, as jpayne@69: * determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME jpayne@69: * environment variable, by the default_ccache_name profile variable, or by the jpayne@69: * operating system or build-time default value. The returned value must not jpayne@69: * be modified or freed by the caller. The returned value becomes invalid when jpayne@69: * @a context is destroyed krb5_free_context() or if a subsequent call to jpayne@69: * krb5_cc_set_default_name() is made on @a context. jpayne@69: * jpayne@69: * The default credential cache name is cached in @a context between calls to jpayne@69: * this function, so if the value of KRB5CCNAME changes in the process jpayne@69: * environment after the first call to this function on, that change will not jpayne@69: * be reflected in later calls with the same context. The caller can invoke jpayne@69: * krb5_cc_set_default_name() with a NULL value of @a name to clear the cached jpayne@69: * value and force the default name to be recomputed. jpayne@69: * jpayne@69: * @return jpayne@69: * Name of default credential cache for the current user. jpayne@69: */ jpayne@69: const char *KRB5_CALLCONV jpayne@69: krb5_cc_default_name(krb5_context context); jpayne@69: jpayne@69: /** jpayne@69: * Set the default credential cache name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] name Default credential cache name or NULL jpayne@69: * jpayne@69: * Set the default credential cache name to @a name for future operations using jpayne@69: * @a context. If @a name is NULL, clear any previous application-set default jpayne@69: * name and forget any cached value of the default name for @a context. jpayne@69: * jpayne@69: * Calls to this function invalidate the result of any previous calls to jpayne@69: * krb5_cc_default_name() using @a context. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KV5M_CONTEXT Bad magic number for @c _krb5_context structure jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_set_default_name(krb5_context context, const char *name); jpayne@69: jpayne@69: /** jpayne@69: * Resolve the default credential cache name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] ccache Pointer to credential cache name jpayne@69: * jpayne@69: * Create a handle to the default credential cache as given by jpayne@69: * krb5_cc_default_name(). jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KV5M_CONTEXT Bad magic number for @c _krb5_context structure jpayne@69: * @retval jpayne@69: * KRB5_FCC_INTERNAL The name of the default credential cache cannot be jpayne@69: * obtained jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_default(krb5_context context, krb5_ccache *ccache); jpayne@69: jpayne@69: /** jpayne@69: * Copy a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] incc Credential cache to be copied jpayne@69: * @param [out] outcc Copy of credential cache to be filled in jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); jpayne@69: jpayne@69: /** jpayne@69: * Get a configuration value from a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] id Credential cache handle jpayne@69: * @param [in] principal Configuration for this principal; jpayne@69: * if NULL, global for the whole cache jpayne@69: * @param [in] key Name of config variable jpayne@69: * @param [out] data Data to be fetched jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a data when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_get_config(krb5_context context, krb5_ccache id, jpayne@69: krb5_const_principal principal, jpayne@69: const char *key, krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Store a configuration value in a credential cache. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] id Credential cache handle jpayne@69: * @param [in] principal Configuration for a specific principal; jpayne@69: * if NULL, global for the whole cache jpayne@69: * @param [in] key Name of config variable jpayne@69: * @param [in] data Data to store, or NULL to remove jpayne@69: * jpayne@69: * @note Existing configuration under the same key is over-written. jpayne@69: * jpayne@69: * @warning Before version 1.10 @a data was assumed to be always non-null. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_set_config(krb5_context context, krb5_ccache id, jpayne@69: krb5_const_principal principal, jpayne@69: const char *key, krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Test whether a principal is a configuration principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal to check jpayne@69: * jpayne@69: * @return jpayne@69: * @c TRUE if the principal is a configuration principal (generated part of jpayne@69: * krb5_cc_set_config()); @c FALSE otherwise. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_is_config_principal(krb5_context context, krb5_const_principal principal); jpayne@69: jpayne@69: /** jpayne@69: * Make a credential cache the primary cache for its collection. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] cache Credential cache handle jpayne@69: * jpayne@69: * If the type of @a cache supports it, set @a cache to be the primary jpayne@69: * credential cache for the collection it belongs to. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success, or the type of @a cache doesn't support switching jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_switch(krb5_context context, krb5_ccache cache); jpayne@69: jpayne@69: /** jpayne@69: * Determine whether a credential cache type supports switching. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] type Credential cache type jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: * jpayne@69: * @retval TRUE if @a type supports switching jpayne@69: * @retval FALSE if it does not or is not a valid credential cache type. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_cc_support_switch(krb5_context context, const char *type); jpayne@69: jpayne@69: /** jpayne@69: * Find a credential cache with a specified client principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] client Client principal jpayne@69: * @param [out] cache_out Credential cache handle jpayne@69: * jpayne@69: * Find a cache within the collection whose default principal is @a client. jpayne@69: * Use @a krb5_cc_close to close @a ccache when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success jpayne@69: * @retval KRB5_CC_NOTFOUND jpayne@69: * jpayne@69: * @sa krb5_cccol_cursor_new jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_cache_match(krb5_context context, krb5_principal client, jpayne@69: krb5_ccache *cache_out); jpayne@69: jpayne@69: /** jpayne@69: * Select a credential cache to use with a server principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] server Server principal jpayne@69: * @param [out] cache_out Credential cache handle jpayne@69: * @param [out] princ_out Client principal jpayne@69: * jpayne@69: * Select a cache within the collection containing credentials most appropriate jpayne@69: * for use with @a server, according to configured rules and heuristics. jpayne@69: * jpayne@69: * Use krb5_cc_close() to release @a cache_out when it is no longer needed. jpayne@69: * Use krb5_free_principal() to release @a princ_out when it is no longer jpayne@69: * needed. Note that @a princ_out is set in some error conditions. jpayne@69: * jpayne@69: * @return jpayne@69: * If an appropriate cache is found, 0 is returned, @a cache_out is set to the jpayne@69: * selected cache, and @a princ_out is set to the default principal of that jpayne@69: * cache. jpayne@69: * jpayne@69: * If the appropriate client principal can be authoritatively determined but jpayne@69: * the cache collection contains no credentials for that principal, then jpayne@69: * KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out jpayne@69: * is set to the appropriate client principal. jpayne@69: * jpayne@69: * If no configured mechanism can determine the appropriate cache or principal, jpayne@69: * KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to jpayne@69: * NULL. jpayne@69: * jpayne@69: * Any other error code indicates a fatal error in the processing of a cache jpayne@69: * selection mechanism. jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cc_select(krb5_context context, krb5_principal server, jpayne@69: krb5_ccache *cache_out, krb5_principal *princ_out); jpayne@69: jpayne@69: /* krb5_free.c */ jpayne@69: /** jpayne@69: * Free the storage assigned to a principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Principal to be freed jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_principal(krb5_context context, krb5_principal val); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_authenticator structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Authenticator structure to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_authenticator(krb5_context context, krb5_authenticator *val); jpayne@69: jpayne@69: /** jpayne@69: * Free the data stored in array of addresses. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Array of addresses to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the array itself. jpayne@69: * jpayne@69: * @note The last entry in the array must be a NULL pointer. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_addresses(krb5_context context, krb5_address **val); jpayne@69: jpayne@69: /** jpayne@69: * Free the storage assigned to array of authentication data. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Array of authentication data to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the array itself. jpayne@69: * jpayne@69: * @note The last entry in the array must be a NULL pointer. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_authdata(krb5_context context, krb5_authdata **val); jpayne@69: jpayne@69: /** jpayne@69: * Free a ticket. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Ticket to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_ticket(krb5_context context, krb5_ticket *val); jpayne@69: jpayne@69: /** jpayne@69: * Free an error allocated by krb5_read_error() or krb5_sendauth(). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Error data structure to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_error(krb5_context context, krb5_error *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_creds structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Credential structure to be freed. jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_creds(krb5_context context, krb5_creds *val); jpayne@69: jpayne@69: /** jpayne@69: * Free the contents of a krb5_creds structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Credential structure to free contents of jpayne@69: * jpayne@69: * This function frees the contents of @a val, but not the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_cred_contents(krb5_context context, krb5_creds *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_checksum structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Checksum structure to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_checksum(krb5_context context, krb5_checksum *val); jpayne@69: jpayne@69: /** jpayne@69: * Free the contents of a krb5_checksum structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Checksum structure to free contents of jpayne@69: * jpayne@69: * This function frees the contents of @a val, but not the structure itself. jpayne@69: * It sets the checksum's data pointer to null and (beginning in release 1.19) jpayne@69: * sets its length to zero. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_checksum_contents(krb5_context context, krb5_checksum *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_keyblock structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Keyblock to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_keyblock(krb5_context context, krb5_keyblock *val); jpayne@69: jpayne@69: /** jpayne@69: * Free the contents of a krb5_keyblock structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Keyblock to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a key, but not the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_ap_rep_enc_part structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val AP-REP enc part to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_data structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Data structure to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a val and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_data(krb5_context context, krb5_data *val); jpayne@69: jpayne@69: /* Free a krb5_octet_data structure (should be unused). */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_octet_data(krb5_context context, krb5_octet_data *val); jpayne@69: jpayne@69: /** jpayne@69: * Free the contents of a krb5_data structure and zero the data field. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Data structure to free contents of jpayne@69: * jpayne@69: * This function frees the contents of @a val, but not the structure itself. jpayne@69: * It sets the structure's data pointer to null and (beginning in release 1.19) jpayne@69: * sets its length to zero. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_data_contents(krb5_context context, krb5_data *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a string representation of a principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Name string to be freed jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_unparsed_name(krb5_context context, char *val); jpayne@69: jpayne@69: /** jpayne@69: * Free a string allocated by a krb5 function. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val String to be freed jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_string(krb5_context context, char *val); jpayne@69: jpayne@69: /** jpayne@69: * Free an array of encryption types. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Array of enctypes to be freed jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_enctypes(krb5_context context, krb5_enctype *val); jpayne@69: jpayne@69: /** jpayne@69: * Free an array of checksum types. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] val Array of checksum types to be freed jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val); jpayne@69: jpayne@69: /* From krb5/os, but needed by the outside world */ jpayne@69: /** jpayne@69: * Retrieve the system time of day, in sec and ms, since the epoch. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] seconds System timeofday, seconds portion jpayne@69: * @param [out] microseconds System timeofday, microseconds portion jpayne@69: * jpayne@69: * This function retrieves the system time of day with the context jpayne@69: * specific time offset adjustment. jpayne@69: * jpayne@69: * @sa krb5_crypto_us_timeofday() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_us_timeofday(krb5_context context, jpayne@69: krb5_timestamp *seconds, krb5_int32 *microseconds); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the current time with context specific time offset adjustment. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] timeret Timestamp to fill in jpayne@69: * jpayne@69: * This function retrieves the system time of day with the context specific jpayne@69: * time offset adjustment. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_timeofday(krb5_context context, krb5_timestamp *timeret); jpayne@69: jpayne@69: /** jpayne@69: * Check if a timestamp is within the allowed clock skew of the current time. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] date Timestamp to check jpayne@69: * jpayne@69: * This function checks if @a date is close enough to the current time jpayne@69: * according to the configured allowable clock skew. jpayne@69: * jpayne@69: * @version New in 1.10 jpayne@69: * jpayne@69: * @retval 0 Success jpayne@69: * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_check_clockskew(krb5_context context, krb5_timestamp date); jpayne@69: jpayne@69: /** jpayne@69: * Return all interface addresses for this host. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] addr Array of krb5_address pointers, ending with jpayne@69: * NULL jpayne@69: * jpayne@69: * Use krb5_free_addresses() to free @a addr when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_os_localaddr(krb5_context context, krb5_address ***addr); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the default realm. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] lrealm Default realm name jpayne@69: * jpayne@69: * Retrieves the default realm to be used if no user-specified realm is jpayne@69: * available. jpayne@69: * jpayne@69: * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_default_realm(krb5_context context, char **lrealm); jpayne@69: jpayne@69: /** jpayne@69: * Override the default realm for the specified context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] lrealm Realm name for the default realm jpayne@69: * jpayne@69: * If @a lrealm is NULL, clear the default realm setting. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_default_realm(krb5_context context, const char *lrealm); jpayne@69: jpayne@69: /** jpayne@69: * Free a default realm string returned by krb5_get_default_realm(). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] lrealm Realm to be freed jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_default_realm(krb5_context context, char *lrealm); jpayne@69: jpayne@69: /** jpayne@69: * Canonicalize a hostname, possibly using name service. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] host Input hostname jpayne@69: * @param [out] canonhost_out Canonicalized hostname jpayne@69: * jpayne@69: * This function canonicalizes orig_hostname, possibly using name service jpayne@69: * lookups if configuration permits. Use krb5_free_string() to free @a jpayne@69: * canonhost_out when it is no longer needed. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_expand_hostname(krb5_context context, const char *host, jpayne@69: char **canonhost_out); jpayne@69: jpayne@69: /** jpayne@69: * Generate a full principal name from a service name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] hostname Host name, or NULL to use local host jpayne@69: * @param [in] sname Service name, or NULL to use @c "host" jpayne@69: * @param [in] type Principal type jpayne@69: * @param [out] ret_princ Generated principal jpayne@69: * jpayne@69: * This function converts a @a hostname and @a sname into @a krb5_principal jpayne@69: * structure @a ret_princ. The returned principal will be of the form @a jpayne@69: * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm(). jpayne@69: * In some cases this may be the referral (empty) realm. jpayne@69: * jpayne@69: * The @a type can be one of the following: jpayne@69: * jpayne@69: * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the jpayne@69: * realm and generating the principal. jpayne@69: * jpayne@69: * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not jpayne@69: * canonicalize it. jpayne@69: * jpayne@69: * Use krb5_free_principal to free @a ret_princ when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, jpayne@69: krb5_int32 type, krb5_principal *ret_princ); jpayne@69: jpayne@69: /** jpayne@69: * Test whether a principal matches a matching principal. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] matching Matching principal jpayne@69: * @param [in] princ Principal to test jpayne@69: * jpayne@69: * @note A matching principal is a host-based principal with an empty realm jpayne@69: * and/or second data component (hostname). Profile configuration may cause jpayne@69: * the hostname to be ignored even if it is present. A principal matches a jpayne@69: * matching principal if the former has the same non-empty (and non-ignored) jpayne@69: * components of the latter. jpayne@69: * jpayne@69: * If @a matching is NULL, return TRUE. If @a matching is not a matching jpayne@69: * principal, return the value of krb5_principal_compare(context, matching, jpayne@69: * princ). jpayne@69: * jpayne@69: * @return jpayne@69: * TRUE if @a princ matches @a matching, FALSE otherwise. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_sname_match(krb5_context context, krb5_const_principal matching, jpayne@69: krb5_const_principal princ); jpayne@69: jpayne@69: /** jpayne@69: * Change a password for an existing Kerberos account. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] creds Credentials for kadmin/changepw service jpayne@69: * @param [in] newpw New password jpayne@69: * @param [out] result_code Numeric error code from server jpayne@69: * @param [out] result_code_string String equivalent to @a result_code jpayne@69: * @param [out] result_string Change password response from the KDC jpayne@69: * jpayne@69: * Change the password for the existing principal identified by @a creds. jpayne@69: * jpayne@69: * The possible values of the output @a result_code are: jpayne@69: * jpayne@69: * @li #KRB5_KPASSWD_SUCCESS (0) - success jpayne@69: * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error jpayne@69: * @li #KRB5_KPASSWD_HARDERROR (2) - Server error jpayne@69: * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error jpayne@69: * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_change_password(krb5_context context, krb5_creds *creds, jpayne@69: const char *newpw, int *result_code, jpayne@69: krb5_data *result_code_string, krb5_data *result_string); jpayne@69: jpayne@69: /** jpayne@69: * Set a password for a principal using specified credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] creds Credentials for kadmin/changepw service jpayne@69: * @param [in] newpw New password jpayne@69: * @param [in] change_password_for Change the password for this principal jpayne@69: * @param [out] result_code Numeric error code from server jpayne@69: * @param [out] result_code_string String equivalent to @a result_code jpayne@69: * @param [out] result_string Data returned from the remote system jpayne@69: * jpayne@69: * This function uses the credentials @a creds to set the password @a newpw for jpayne@69: * the principal @a change_password_for. It implements the set password jpayne@69: * operation of RFC 3244, for interoperability with Microsoft Windows jpayne@69: * implementations. jpayne@69: * jpayne@69: * @note If @a change_password_for is NULL, the change is performed on the jpayne@69: * current principal. If @a change_password_for is non-null, the change is jpayne@69: * performed on the principal name passed in @a change_password_for. jpayne@69: * jpayne@69: * The error code and strings are returned in @a result_code, jpayne@69: * @a result_code_string and @a result_string. jpayne@69: * jpayne@69: * @sa krb5_set_password_using_ccache() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS. jpayne@69: * @return jpayne@69: * Kerberos error codes. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_password(krb5_context context, krb5_creds *creds, const char *newpw, jpayne@69: krb5_principal change_password_for, int *result_code, jpayne@69: krb5_data *result_code_string, krb5_data *result_string); jpayne@69: jpayne@69: /** jpayne@69: * Set a password for a principal using cached credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ccache Credential cache jpayne@69: * @param [in] newpw New password jpayne@69: * @param [in] change_password_for Change the password for this principal jpayne@69: * @param [out] result_code Numeric error code from server jpayne@69: * @param [out] result_code_string String equivalent to @a result_code jpayne@69: * @param [out] result_string Data returned from the remote system jpayne@69: * jpayne@69: * This function uses the cached credentials from @a ccache to set the password jpayne@69: * @a newpw for the principal @a change_password_for. It implements RFC 3244 jpayne@69: * set password operation (interoperable with MS Windows implementations) using jpayne@69: * the credential cache. jpayne@69: * jpayne@69: * The error code and strings are returned in @a result_code, jpayne@69: * @a result_code_string and @a result_string. jpayne@69: * jpayne@69: * @note If @a change_password_for is set to NULL, the change is performed on jpayne@69: * the default principal in @a ccache. If @a change_password_for is non null, jpayne@69: * the change is performed on the specified principal. jpayne@69: * jpayne@69: * @sa krb5_set_password() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, jpayne@69: const char *newpw, jpayne@69: krb5_principal change_password_for, jpayne@69: int *result_code, krb5_data *result_code_string, jpayne@69: krb5_data *result_string); jpayne@69: jpayne@69: /** jpayne@69: * Get a result message for changing or setting a password. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] server_string Data returned from the remote system jpayne@69: * @param [out] message_out A message displayable to the user jpayne@69: * jpayne@69: * This function processes the @a server_string returned in the @a jpayne@69: * result_string parameter of krb5_change_password(), krb5_set_password(), and jpayne@69: * related functions, and returns a displayable string. If @a server_string jpayne@69: * contains Active Directory structured policy information, it will be jpayne@69: * converted into human-readable text. jpayne@69: * jpayne@69: * Use krb5_free_string() to free @a message_out when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_chpw_message(krb5_context context, const krb5_data *server_string, jpayne@69: char **message_out); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve configuration profile from the context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] profile Pointer to data read from a configuration file jpayne@69: * jpayne@69: * This function creates a new @a profile object that reflects profile jpayne@69: * in the supplied @a context. jpayne@69: * jpayne@69: * The @a profile object may be freed with profile_release() function. jpayne@69: * See profile.h and profile API for more details. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_profile(krb5_context context, struct _profile_t ** profile); jpayne@69: jpayne@69: #if KRB5_DEPRECATED jpayne@69: /** @deprecated Replaced by krb5_get_init_creds_password().*/ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, jpayne@69: krb5_address *const *addrs, krb5_enctype *ktypes, jpayne@69: krb5_preauthtype *pre_auth_types, jpayne@69: const char *password, krb5_ccache ccache, jpayne@69: krb5_creds *creds, krb5_kdc_rep **ret_as_reply); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_get_init_creds(). */ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, jpayne@69: krb5_address *const *addrs, krb5_enctype *ktypes, jpayne@69: krb5_preauthtype *pre_auth_types, jpayne@69: const krb5_keyblock *key, krb5_ccache ccache, jpayne@69: krb5_creds *creds, krb5_kdc_rep **ret_as_reply); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_get_init_creds_keytab(). */ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, jpayne@69: krb5_address *const *addrs, krb5_enctype *ktypes, jpayne@69: krb5_preauthtype *pre_auth_types, jpayne@69: krb5_keytab arg_keytab, krb5_ccache ccache, jpayne@69: krb5_creds *creds, krb5_kdc_rep **ret_as_reply); jpayne@69: jpayne@69: #endif /* KRB5_DEPRECATED */ jpayne@69: jpayne@69: /** jpayne@69: * Parse and decrypt a @c KRB_AP_REQ message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] inbuf AP-REQ message to be parsed jpayne@69: * @param [in] server Matching principal for server, or NULL to jpayne@69: * allow any principal in keytab jpayne@69: * @param [in] keytab Key table, or NULL to use the default jpayne@69: * @param [out] ap_req_options If non-null, the AP-REQ flags on output jpayne@69: * @param [out] ticket If non-null, ticket from the AP-REQ message jpayne@69: * jpayne@69: * This function parses, decrypts and verifies a AP-REQ message from @a inbuf jpayne@69: * and stores the authenticator in @a auth_context. jpayne@69: * jpayne@69: * If a keyblock was specified in @a auth_context using jpayne@69: * krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in jpayne@69: * AP-REQ message and @a keytab is ignored. In this case, @a server should be jpayne@69: * specified as a complete principal name to allow for proper transited-path jpayne@69: * checking and replay cache selection. jpayne@69: * jpayne@69: * Otherwise, the decryption key is obtained from @a keytab, or from the jpayne@69: * default keytab if it is NULL. In this case, @a server may be a complete jpayne@69: * principal name, a matching principal (see krb5_sname_match()), or NULL to jpayne@69: * match any principal name. The keys tried against the encrypted part of the jpayne@69: * ticket are determined as follows: jpayne@69: * jpayne@69: * - If @a server is a complete principal name, then its entry in @a keytab is jpayne@69: * tried. jpayne@69: * - Otherwise, if @a keytab is iterable, then all entries in @a keytab which jpayne@69: * match @a server are tried. jpayne@69: * - Otherwise, the server principal in the ticket must match @a server, and jpayne@69: * its entry in @a keytab is tried. jpayne@69: * jpayne@69: * The client specified in the decrypted authenticator must match the client jpayne@69: * specified in the decrypted ticket. jpayne@69: * jpayne@69: * If the @a remote_addr field of @a auth_context is set, the request must come jpayne@69: * from that address. jpayne@69: * jpayne@69: * If a replay cache handle is provided in the @a auth_context, the jpayne@69: * authenticator and ticket are verified against it. If no conflict is found, jpayne@69: * the new authenticator is then stored in the replay cache of @a auth_context. jpayne@69: * jpayne@69: * Various other checks are performed on the decoded data, including jpayne@69: * cross-realm policy, clockskew, and ticket validation times. jpayne@69: * jpayne@69: * On success the authenticator, subkey, and remote sequence number of the jpayne@69: * request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED jpayne@69: * bit is set, the local sequence number is XORed with the remote sequence jpayne@69: * number in the request. jpayne@69: * jpayne@69: * Use krb5_free_ticket() to free @a ticket when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, jpayne@69: const krb5_data *inbuf, krb5_const_principal server, jpayne@69: krb5_keytab keytab, krb5_flags *ap_req_options, jpayne@69: krb5_ticket **ticket); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve a service key from a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] keyprocarg Name of a key table (NULL to use default name) jpayne@69: * @param [in] principal Service principal jpayne@69: * @param [in] vno Key version number (0 for highest available) jpayne@69: * @param [in] enctype Encryption type (0 for any type) jpayne@69: * @param [out] key Service key from key table jpayne@69: * jpayne@69: * Open and search the specified key table for the entry identified by @a jpayne@69: * principal, @a enctype, and @a vno. If no key is found, return an error code. jpayne@69: * jpayne@69: * The default key table is used, unless @a keyprocarg is non-null. jpayne@69: * @a keyprocarg designates a specific key table. jpayne@69: * jpayne@69: * Use krb5_free_keyblock() to free @a key when it is no longer needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return Kerberos error code if not found or @a keyprocarg is invalid. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, jpayne@69: krb5_principal principal, krb5_kvno vno, jpayne@69: krb5_enctype enctype, krb5_keyblock **key); jpayne@69: jpayne@69: /** jpayne@69: * Format a @c KRB-SAFE message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] userdata User data in the message jpayne@69: * @param [out] der_out Formatted @c KRB-SAFE buffer jpayne@69: * @param [out] rdata_out Replay data. Specify NULL if not needed jpayne@69: * jpayne@69: * This function creates an integrity protected @c KRB-SAFE message jpayne@69: * using data supplied by the application. jpayne@69: * jpayne@69: * Fields in @a auth_context specify the checksum type, the keyblock that jpayne@69: * can be used to seed the checksum, full addresses (host and port) for jpayne@69: * the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags. jpayne@69: * jpayne@69: * The local address in @a auth_context must be set, and is used to form the jpayne@69: * sender address used in the KRB-SAFE message. The remote address is jpayne@69: * optional; if specified, it will be used to form the receiver address used in jpayne@69: * the message. jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a jpayne@69: * timestamp is included in the KRB-SAFE message, and an entry for the message jpayne@69: * is entered in an in-memory replay cache to detect if the message is jpayne@69: * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no jpayne@69: * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a jpayne@69: * auth_context, a timestamp is included in the KRB-SAFE message and is stored jpayne@69: * in @a rdata_out. jpayne@69: * jpayne@69: * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the @a auth_context local sequence number is included in the jpayne@69: * KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the sequence number used is stored in @a rdata_out. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a der_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *userdata, krb5_data *der_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Format a @c KRB-PRIV message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] userdata User data for @c KRB-PRIV message jpayne@69: * @param [out] der_out Formatted @c KRB-PRIV message jpayne@69: * @param [out] rdata_out Replay data (NULL if not needed) jpayne@69: * jpayne@69: * This function is similar to krb5_mk_safe(), but the message is encrypted and jpayne@69: * integrity-protected, not just integrity-protected. jpayne@69: * jpayne@69: * The local address in @a auth_context must be set, and is used to form the jpayne@69: * sender address used in the KRB-PRIV message. The remote address is jpayne@69: * optional; if specified, it will be used to form the receiver address used in jpayne@69: * the message. jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, a jpayne@69: * timestamp is included in the KRB-PRIV message, and an entry for the message jpayne@69: * is entered in an in-memory replay cache to detect if the message is jpayne@69: * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no jpayne@69: * replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a jpayne@69: * auth_context, a timestamp is included in the KRB-PRIV message and is stored jpayne@69: * in @a rdata_out. jpayne@69: * jpayne@69: * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the @a auth_context local sequence number is included in the jpayne@69: * KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the sequence number used is stored in @a rdata_out. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a der_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, jpayne@69: const krb5_data *userdata, krb5_data *der_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Client function for @c sendauth protocol. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] fd File descriptor that describes network socket jpayne@69: * @param [in] appl_version Application protocol version to be matched jpayne@69: * with the receiver's application version jpayne@69: * @param [in] client Client principal jpayne@69: * @param [in] server Server principal jpayne@69: * @param [in] ap_req_options @ref AP_OPTS options jpayne@69: * @param [in] in_data Data to be sent to the server jpayne@69: * @param [in] in_creds Input credentials, or NULL to use @a ccache jpayne@69: * @param [in] ccache Credential cache jpayne@69: * @param [out] error If non-null, contains KRB_ERROR message jpayne@69: * returned from server jpayne@69: * @param [out] rep_result If non-null and @a ap_req_options is jpayne@69: * #AP_OPTS_MUTUAL_REQUIRED, contains the result jpayne@69: * of mutual authentication exchange jpayne@69: * @param [out] out_creds If non-null, the retrieved credentials jpayne@69: * jpayne@69: * This function performs the client side of a sendauth/recvauth exchange by jpayne@69: * sending and receiving messages over @a fd. jpayne@69: * jpayne@69: * Credentials may be specified in three ways: jpayne@69: * jpayne@69: * @li If @a in_creds is NULL, credentials are obtained with jpayne@69: * krb5_get_credentials() using the principals @a client and @a server. @a jpayne@69: * server must be non-null; @a client may NULL to use the default principal of jpayne@69: * @a ccache. jpayne@69: * jpayne@69: * @li If @a in_creds is non-null, but does not contain a ticket, credentials jpayne@69: * for the exchange are obtained with krb5_get_credentials() using @a in_creds. jpayne@69: * In this case, the values of @a client and @a server are unused. jpayne@69: * jpayne@69: * @li If @a in_creds is a complete credentials structure, it used directly. jpayne@69: * In this case, the values of @a client, @a server, and @a ccache are unused. jpayne@69: * jpayne@69: * If the server is using a different application protocol than that specified jpayne@69: * in @a appl_version, an error will be returned. jpayne@69: * jpayne@69: * Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to jpayne@69: * free @a rep_result, and krb5_free_error() to free @a error when they are no jpayne@69: * longer needed. jpayne@69: * jpayne@69: * @sa krb5_recvauth() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, jpayne@69: krb5_pointer fd, char *appl_version, krb5_principal client, jpayne@69: krb5_principal server, krb5_flags ap_req_options, jpayne@69: krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, jpayne@69: krb5_error **error, krb5_ap_rep_enc_part **rep_result, jpayne@69: krb5_creds **out_creds); jpayne@69: jpayne@69: /** jpayne@69: * Server function for @a sendauth protocol. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] fd File descriptor jpayne@69: * @param [in] appl_version Application protocol version to be matched jpayne@69: * against the client's application version jpayne@69: * @param [in] server Server principal (NULL for any in @a keytab) jpayne@69: * @param [in] flags Additional specifications jpayne@69: * @param [in] keytab Key table containing service keys jpayne@69: * @param [out] ticket Ticket (NULL if not needed) jpayne@69: * jpayne@69: * This function performs the server side of a sendauth/recvauth exchange by jpayne@69: * sending and receiving messages over @a fd. jpayne@69: * jpayne@69: * Use krb5_free_ticket() to free @a ticket when it is no longer needed. jpayne@69: * jpayne@69: * @sa krb5_sendauth() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, jpayne@69: krb5_pointer fd, char *appl_version, krb5_principal server, jpayne@69: krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket); jpayne@69: jpayne@69: /** jpayne@69: * Server function for @a sendauth protocol with version parameter. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in,out] auth_context Pre-existing or newly created auth context jpayne@69: * @param [in] fd File descriptor jpayne@69: * @param [in] server Server principal (NULL for any in @a keytab) jpayne@69: * @param [in] flags Additional specifications jpayne@69: * @param [in] keytab Decryption key jpayne@69: * @param [out] ticket Ticket (NULL if not needed) jpayne@69: * @param [out] version sendauth protocol version (NULL if not needed) jpayne@69: * jpayne@69: * This function is similar to krb5_recvauth() with the additional output jpayne@69: * information place into @a version. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_recvauth_version(krb5_context context, jpayne@69: krb5_auth_context *auth_context, jpayne@69: krb5_pointer fd, jpayne@69: krb5_principal server, jpayne@69: krb5_int32 flags, jpayne@69: krb5_keytab keytab, jpayne@69: krb5_ticket **ticket, jpayne@69: krb5_data *version); jpayne@69: jpayne@69: /** jpayne@69: * Format a @c KRB-CRED message for an array of credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] creds Null-terminated array of credentials jpayne@69: * @param [out] der_out Encoded credentials jpayne@69: * @param [out] rdata_out Replay cache information (NULL if not needed) jpayne@69: * jpayne@69: * This function takes an array of credentials @a creds and formats jpayne@69: * a @c KRB-CRED message @a der_out to pass to krb5_rd_cred(). jpayne@69: * jpayne@69: * The local and remote addresses in @a auth_context are optional; if either is jpayne@69: * specified, they are used to form the sender and receiver addresses in the jpayne@69: * KRB-CRED message. jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context. jpayne@69: * jpayne@69: * If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context, an entry jpayne@69: * for the message is entered in an in-memory replay cache to detect if the jpayne@69: * message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not jpayne@69: * set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in @a jpayne@69: * auth_context, the timestamp used for the KRB-CRED message is stored in @a jpayne@69: * rdata_out. jpayne@69: * jpayne@69: * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the @a auth_context local sequence number is included in the jpayne@69: * KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE jpayne@69: * is set, the sequence number used is stored in @a rdata_out. jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a der_out when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * The message will be encrypted using the send subkey of @a auth_context if it jpayne@69: * is present, or the session key otherwise. If neither key is present, the jpayne@69: * credentials will not be encrypted, and the message should only be sent over jpayne@69: * a secure channel. No replay cache entry is used in this case. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * ENOMEM Insufficient memory jpayne@69: * @retval jpayne@69: * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_creds **creds, krb5_data **der_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Format a @c KRB-CRED message for a single set of credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] creds Pointer to credentials jpayne@69: * @param [out] der_out Encoded credentials jpayne@69: * @param [out] rdata_out Replay cache data (NULL if not needed) jpayne@69: * jpayne@69: * This is a convenience function that calls krb5_mk_ncred() with a single set jpayne@69: * of credentials. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * ENOMEM Insufficient memory jpayne@69: * @retval jpayne@69: * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_creds *creds, krb5_data **der_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Read and validate a @c KRB-CRED message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] creddata @c KRB-CRED message jpayne@69: * @param [out] creds_out Null-terminated array of forwarded credentials jpayne@69: * @param [out] rdata_out Replay data (NULL if not needed) jpayne@69: * jpayne@69: * @note The @a rdata_out argument is required if the jpayne@69: * #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set jpayne@69: * in @a auth_context.` jpayne@69: * jpayne@69: * @a creddata will be decrypted using the receiving subkey if it is present in jpayne@69: * @a auth_context, or the session key if the receiving subkey is not present jpayne@69: * or fails to decrypt the message. jpayne@69: * jpayne@69: * Use krb5_free_tgt_creds() to free @a creds_out when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_data *creddata, krb5_creds ***creds_out, jpayne@69: krb5_replay_data *rdata_out); jpayne@69: jpayne@69: /** jpayne@69: * Get a forwarded TGT and format a @c KRB-CRED message. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] rhost Remote host jpayne@69: * @param [in] client Client principal of TGT jpayne@69: * @param [in] server Principal of server to receive TGT jpayne@69: * @param [in] cc Credential cache handle (NULL to use default) jpayne@69: * @param [in] forwardable Whether TGT should be forwardable jpayne@69: * @param [out] outbuf KRB-CRED message jpayne@69: * jpayne@69: * Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED jpayne@69: * message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST, jpayne@69: * the second component of @a server will be used. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * ENOMEM Insufficient memory jpayne@69: * @retval jpayne@69: * KRB5_PRINC_NOMATCH Requested principal and ticket do not match jpayne@69: * @retval jpayne@69: * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket jpayne@69: * @retval jpayne@69: * KRB5_CC_BADNAME Credential cache name or principal name malformed jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, jpayne@69: const char *rhost, krb5_principal client, jpayne@69: krb5_principal server, krb5_ccache cc, int forwardable, jpayne@69: krb5_data *outbuf); jpayne@69: jpayne@69: /** jpayne@69: * Create and initialize an authentication context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] auth_context Authentication context jpayne@69: * jpayne@69: * This function creates an authentication context to hold configuration and jpayne@69: * state relevant to krb5 functions for authenticating principals and jpayne@69: * protecting messages once authentication has occurred. jpayne@69: * jpayne@69: * By default, flags for the context are set to enable the use of the replay jpayne@69: * cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use jpayne@69: * krb5_auth_con_setflags() to change the flags. jpayne@69: * jpayne@69: * The allocated @a auth_context must be freed with krb5_auth_con_free() when jpayne@69: * it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context); jpayne@69: jpayne@69: /** jpayne@69: * Free a krb5_auth_context structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context to be freed jpayne@69: * jpayne@69: * This function frees an auth context allocated by krb5_auth_con_init(). jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context); jpayne@69: jpayne@69: /** jpayne@69: * Set a flags field in a krb5_auth_context structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] flags Flags bit mask jpayne@69: * jpayne@69: * Valid values for @a flags are: jpayne@69: * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps jpayne@69: * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps jpayne@69: * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers jpayne@69: * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve flags from a krb5_auth_context structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] flags Flags bit mask jpayne@69: * jpayne@69: * Valid values for @a flags are: jpayne@69: * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps jpayne@69: * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps jpayne@69: * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers jpayne@69: * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_int32 *flags); jpayne@69: jpayne@69: /** jpayne@69: * Set a checksum callback in an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] func Checksum callback jpayne@69: * @param [in] data Callback argument jpayne@69: * jpayne@69: * Set a callback to obtain checksum data in krb5_mk_req(). The callback will jpayne@69: * be invoked after the subkey and local sequence number are stored in @a jpayne@69: * auth_context. jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_set_checksum_func( krb5_context context, jpayne@69: krb5_auth_context auth_context, jpayne@69: krb5_mk_req_checksum_func func, jpayne@69: void *data); jpayne@69: jpayne@69: /** jpayne@69: * Get the checksum callback from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] func Checksum callback jpayne@69: * @param [out] data Callback argument jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_get_checksum_func( krb5_context context, jpayne@69: krb5_auth_context auth_context, jpayne@69: krb5_mk_req_checksum_func *func, jpayne@69: void **data); jpayne@69: jpayne@69: /** jpayne@69: * Set the local and remote addresses in an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] local_addr Local address jpayne@69: * @param [in] remote_addr Remote address jpayne@69: * jpayne@69: * This function releases the storage assigned to the contents of the local and jpayne@69: * remote addresses of @a auth_context and then sets them to @a local_addr and jpayne@69: * @a remote_addr respectively. jpayne@69: * jpayne@69: * @sa krb5_auth_con_genaddrs() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV_WRONG jpayne@69: krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_address *local_addr, krb5_address *remote_addr); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve address fields from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] local_addr Local address (NULL if not needed) jpayne@69: * @param [out] remote_addr Remote address (NULL if not needed) jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_address **local_addr, krb5_address **remote_addr); jpayne@69: jpayne@69: /** jpayne@69: * Set local and remote port fields in an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] local_port Local port jpayne@69: * @param [in] remote_port Remote port jpayne@69: * jpayne@69: * This function releases the storage assigned to the contents of the local and jpayne@69: * remote ports of @a auth_context and then sets them to @a local_port and @a jpayne@69: * remote_port respectively. jpayne@69: * jpayne@69: * @sa krb5_auth_con_genaddrs() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_address *local_port, krb5_address *remote_port); jpayne@69: jpayne@69: /** jpayne@69: * Set the session key in an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] keyblock User key jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_keyblock *keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the session key from an auth context as a keyblock. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] keyblock Session key jpayne@69: * jpayne@69: * This function creates a keyblock containing the session key from @a jpayne@69: * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no jpayne@69: * longer needed jpayne@69: * jpayne@69: * @retval 0 Success. Otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_keyblock **keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the session key from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] key Session key jpayne@69: * jpayne@69: * This function sets @a key to the session key from @a auth_context. Use jpayne@69: * krb5_k_free_key() to release @a key when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_key *key); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the send subkey from an auth context as a keyblock. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [out] keyblock Send subkey jpayne@69: * jpayne@69: * This function creates a keyblock containing the send subkey from @a jpayne@69: * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no jpayne@69: * longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the send subkey from an auth context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [out] key Send subkey jpayne@69: * jpayne@69: * This function sets @a key to the send subkey from @a auth_context. Use jpayne@69: * krb5_k_free_key() to release @a key when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, jpayne@69: krb5_key *key); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the receiving subkey from an auth context as a keyblock. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [out] keyblock Receiving subkey jpayne@69: * jpayne@69: * This function creates a keyblock containing the receiving subkey from @a jpayne@69: * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no jpayne@69: * longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the receiving subkey from an auth context as a keyblock. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [out] key Receiving subkey jpayne@69: * jpayne@69: * This function sets @a key to the receiving subkey from @a auth_context. Use jpayne@69: * krb5_k_free_key() to release @a key when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key); jpayne@69: jpayne@69: /** jpayne@69: * Set the send subkey in an auth context with a keyblock. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [in] keyblock Send subkey jpayne@69: * jpayne@69: * This function sets the send subkey in @a ac to a copy of @a keyblock. jpayne@69: * jpayne@69: * @retval 0 Success. Otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, jpayne@69: krb5_keyblock *keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Set the send subkey in an auth context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [out] key Send subkey jpayne@69: * jpayne@69: * This function sets the send subkey in @a ac to @a key, incrementing its jpayne@69: * reference count. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key); jpayne@69: jpayne@69: /** jpayne@69: * Set the receiving subkey in an auth context with a keyblock. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [in] keyblock Receiving subkey jpayne@69: * jpayne@69: * This function sets the receiving subkey in @a ac to a copy of @a keyblock. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, jpayne@69: krb5_keyblock *keyblock); jpayne@69: jpayne@69: /** jpayne@69: * Set the receiving subkey in an auth context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] ac Authentication context jpayne@69: * @param [in] key Receiving subkey jpayne@69: * jpayne@69: * This function sets the receiving subkey in @a ac to @a key, incrementing its jpayne@69: * reference count. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, jpayne@69: krb5_key key); jpayne@69: jpayne@69: #if KRB5_DEPRECATED jpayne@69: /** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_keyblock **keyblock); jpayne@69: jpayne@69: /** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */ jpayne@69: KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_keyblock **keyblock); jpayne@69: #endif jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the local sequence number from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] seqnumber Local sequence number jpayne@69: * jpayne@69: * Retrieve the local sequence number from @a auth_context and return it in @a jpayne@69: * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a jpayne@69: * auth_context for this function to be useful. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_int32 *seqnumber); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the remote sequence number from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] seqnumber Remote sequence number jpayne@69: * jpayne@69: * Retrieve the remote sequence number from @a auth_context and return it in @a jpayne@69: * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a jpayne@69: * auth_context for this function to be useful. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_int32 *seqnumber); jpayne@69: jpayne@69: /** jpayne@69: * Cause an auth context to use cipher state. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * jpayne@69: * Prepare @a auth_context to use cipher state when krb5_mk_priv() or jpayne@69: * krb5_rd_priv() encrypt or decrypt data. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context); jpayne@69: jpayne@69: /** jpayne@69: * Set the replay cache in an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] rcache Replay cache haddle jpayne@69: * jpayne@69: * This function sets the replay cache in @a auth_context to @a rcache. @a jpayne@69: * rcache will be closed when @a auth_context is freed, so the caller should jpayne@69: * relinquish that responsibility. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_rcache rcache); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the replay cache from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] rcache Replay cache handle jpayne@69: * jpayne@69: * This function fetches the replay cache from @a auth_context. The caller jpayne@69: * should not close @a rcache. jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV_WRONG jpayne@69: krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_rcache *rcache); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the authenticator from an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [out] authenticator Authenticator jpayne@69: * jpayne@69: * Use krb5_free_authenticator() to free @a authenticator when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 Success. Otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_authenticator **authenticator); jpayne@69: jpayne@69: /** jpayne@69: * Set checksum type in an an auth context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] cksumtype Checksum type jpayne@69: * jpayne@69: * This function sets the checksum type in @a auth_context to be used by jpayne@69: * krb5_mk_req() for the authenticator checksum. jpayne@69: * jpayne@69: * @retval 0 Success. Otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, jpayne@69: krb5_cksumtype cksumtype); jpayne@69: jpayne@69: #define KRB5_REALM_BRANCH_CHAR '.' jpayne@69: jpayne@69: /* jpayne@69: * end "func-proto.h" jpayne@69: */ jpayne@69: jpayne@69: /* jpayne@69: * begin stuff from libos.h jpayne@69: */ jpayne@69: jpayne@69: /** jpayne@69: * @brief Read a password from keyboard input. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] prompt First user prompt when reading password jpayne@69: * @param [in] prompt2 Second user prompt (NULL to prompt only once) jpayne@69: * @param [out] return_pwd Returned password jpayne@69: * @param [in,out] size_return On input, maximum size of password; on output, jpayne@69: * size of password read jpayne@69: * jpayne@69: * This function reads a password from keyboard input and stores it in @a jpayne@69: * return_pwd. @a size_return should be set by the caller to the amount of jpayne@69: * storage space available in @a return_pwd; on successful return, it will be jpayne@69: * set to the length of the password read. jpayne@69: * jpayne@69: * @a prompt is printed to the terminal, followed by ": ", and then a password jpayne@69: * is read from the keyboard. jpayne@69: * jpayne@69: * If @a prompt2 is NULL, the password is read only once. Otherwise, @a jpayne@69: * prompt2 is printed to the terminal and a second password is read. If the jpayne@69: * two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned. jpayne@69: * jpayne@69: * Echoing is turned off when the password is read. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Error in reading or verifying the password jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_read_password(krb5_context context, jpayne@69: const char *prompt, const char *prompt2, jpayne@69: char *return_pwd, unsigned int *size_return); jpayne@69: jpayne@69: /** jpayne@69: * Convert a principal name to a local name. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] aname Principal name jpayne@69: * @param [in] lnsize_in Space available in @a lname jpayne@69: * @param [out] lname Local name buffer to be filled in jpayne@69: * jpayne@69: * If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is jpayne@69: * returned. If @a lnsize_in is too small for the local name, jpayne@69: * KRB5_CONFIG_NOTENUFSPACE is returned. jpayne@69: * jpayne@69: * Local names, rather than principal names, can be used by programs that jpayne@69: * translate to an environment-specific name (for example, a user account jpayne@69: * name). jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * System errors jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, jpayne@69: int lnsize_in, char *lname); jpayne@69: jpayne@69: /** jpayne@69: * Get the Kerberos realm names for a host. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] host Host name (or NULL) jpayne@69: * @param [out] realmsp Null-terminated list of realm names jpayne@69: * jpayne@69: * Fill in @a realmsp with a pointer to a null-terminated list of realm names. jpayne@69: * If there are no known realms for the host, a list containing the referral jpayne@69: * (empty) realm is returned. jpayne@69: * jpayne@69: * If @a host is NULL, the local host's realms are determined. jpayne@69: * jpayne@69: * Use krb5_free_host_realm() to release @a realmsp when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * ENOMEM Insufficient memory jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp); jpayne@69: jpayne@69: /** jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] hdata Host name (or NULL) jpayne@69: * @param [out] realmsp Null-terminated list of realm names jpayne@69: * jpayne@69: * Fill in @a realmsp with a pointer to a null-terminated list of realm names jpayne@69: * obtained through heuristics or insecure resolution methods which have lower jpayne@69: * priority than KDC referrals. jpayne@69: * jpayne@69: * If @a host is NULL, the local host's realms are determined. jpayne@69: * jpayne@69: * Use krb5_free_host_realm() to release @a realmsp when it is no longer jpayne@69: * needed. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_fallback_host_realm(krb5_context context, jpayne@69: krb5_data *hdata, char ***realmsp); jpayne@69: jpayne@69: /** jpayne@69: * Free the memory allocated by krb5_get_host_realm(). jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] realmlist List of realm names to be released jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_free_host_realm(krb5_context context, char *const *realmlist); jpayne@69: jpayne@69: /** jpayne@69: * Determine if a principal is authorized to log in as a local user. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal name jpayne@69: * @param [in] luser Local username jpayne@69: * jpayne@69: * Determine whether @a principal is authorized to log in as a local user @a jpayne@69: * luser. jpayne@69: * jpayne@69: * @retval jpayne@69: * TRUE Principal is authorized to log in as user; FALSE otherwise. jpayne@69: */ jpayne@69: krb5_boolean KRB5_CALLCONV jpayne@69: krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser); jpayne@69: jpayne@69: /** jpayne@69: * Generate auth context addresses from a connected socket. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] auth_context Authentication context jpayne@69: * @param [in] infd Connected socket descriptor jpayne@69: * @param [in] flags Flags jpayne@69: * jpayne@69: * This function sets the local and/or remote addresses in @a auth_context jpayne@69: * based on the local and remote endpoints of the socket @a infd. The jpayne@69: * following flags determine the operations performed: jpayne@69: * jpayne@69: * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address. jpayne@69: * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address. jpayne@69: * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port. jpayne@69: * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, jpayne@69: int infd, int flags); jpayne@69: jpayne@69: /** jpayne@69: * Set time offset field in a krb5_context structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] seconds Real time, seconds portion jpayne@69: * @param [in] microseconds Real time, microseconds portion jpayne@69: * jpayne@69: * This function sets the time offset in @a context to the difference between jpayne@69: * the system time and the real time as determined by @a seconds and @a jpayne@69: * microseconds. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_real_time(krb5_context context, krb5_timestamp seconds, jpayne@69: krb5_int32 microseconds); jpayne@69: jpayne@69: /** jpayne@69: * Return the time offsets from the os context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] seconds Time offset, seconds portion jpayne@69: * @param [out] microseconds Time offset, microseconds portion jpayne@69: * jpayne@69: * This function returns the time offsets in @a context. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds); jpayne@69: jpayne@69: /* str_conv.c */ jpayne@69: /** jpayne@69: * Convert a string to an encryption type. jpayne@69: * jpayne@69: * @param [in] string String to convert to an encryption type jpayne@69: * @param [out] enctypep Encryption type jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - EINVAL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_enctype(char *string, krb5_enctype *enctypep); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string to a salt type. jpayne@69: * jpayne@69: * @param [in] string String to convert to an encryption type jpayne@69: * @param [out] salttypep Salt type to be filled in jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - EINVAL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_salttype(char *string, krb5_int32 *salttypep); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string to a checksum type. jpayne@69: * jpayne@69: * @param [in] string String to be converted jpayne@69: * @param [out] cksumtypep Checksum type to be filled in jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - EINVAL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string to a timestamp. jpayne@69: * jpayne@69: * @param [in] string String to be converted jpayne@69: * @param [out] timestampp Pointer to timestamp jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - EINVAL jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp); jpayne@69: jpayne@69: /** jpayne@69: * Convert a string to a delta time value. jpayne@69: * jpayne@69: * @param [in] string String to be converted jpayne@69: * @param [out] deltatp Delta time to be filled in jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_string_to_deltat(char *string, krb5_deltat *deltatp); jpayne@69: jpayne@69: /** jpayne@69: * Convert an encryption type to a string. jpayne@69: * jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [out] buffer Buffer to hold encryption type string jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen); jpayne@69: jpayne@69: /** jpayne@69: * Convert an encryption type to a name or alias. jpayne@69: * jpayne@69: * @param [in] enctype Encryption type jpayne@69: * @param [in] shortest Flag jpayne@69: * @param [out] buffer Buffer to hold encryption type string jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * If @a shortest is FALSE, this function returns the enctype's canonical name jpayne@69: * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the jpayne@69: * enctype's shortest alias (like "aes128-cts"). jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, jpayne@69: char *buffer, size_t buflen); jpayne@69: jpayne@69: /** jpayne@69: * Convert a salt type to a string. jpayne@69: * jpayne@69: * @param [in] salttype Salttype to convert jpayne@69: * @param [out] buffer Buffer to receive the converted string jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen); jpayne@69: jpayne@69: /** jpayne@69: * Convert a checksum type to a string. jpayne@69: * jpayne@69: * @param [in] cksumtype Checksum type jpayne@69: * @param [out] buffer Buffer to hold converted checksum type jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen); jpayne@69: jpayne@69: /** jpayne@69: * Convert a timestamp to a string. jpayne@69: * jpayne@69: * @param [in] timestamp Timestamp to convert jpayne@69: * @param [out] buffer Buffer to hold converted timestamp jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * The string is returned in the locale's appropriate date and time jpayne@69: * representation. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen); jpayne@69: jpayne@69: /** jpayne@69: * Convert a timestamp to a string, with optional output padding jpayne@69: * jpayne@69: * @param [in] timestamp Timestamp to convert jpayne@69: * @param [out] buffer Buffer to hold the converted timestamp jpayne@69: * @param [in] buflen Length of buffer jpayne@69: * @param [in] pad Optional value to pad @a buffer if converted jpayne@69: * timestamp does not fill it jpayne@69: * jpayne@69: * If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters jpayne@69: * with the value of *@a pad. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, jpayne@69: size_t buflen, char *pad); jpayne@69: jpayne@69: /** jpayne@69: * Convert a relative time value to a string. jpayne@69: * jpayne@69: * @param [in] deltat Relative time value to convert jpayne@69: * @param [out] buffer Buffer to hold time string jpayne@69: * @param [in] buflen Storage available in @a buffer jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen); jpayne@69: jpayne@69: /* The name of the Kerberos ticket granting service... and its size */ jpayne@69: #define KRB5_TGS_NAME "krbtgt" jpayne@69: #define KRB5_TGS_NAME_SIZE 6 jpayne@69: jpayne@69: /* flags for recvauth */ jpayne@69: #define KRB5_RECVAUTH_SKIP_VERSION 0x0001 jpayne@69: #define KRB5_RECVAUTH_BADAUTHVERS 0x0002 jpayne@69: /* initial ticket api functions */ jpayne@69: jpayne@69: /** Text for prompt used in prompter callback function. */ jpayne@69: typedef struct _krb5_prompt { jpayne@69: char *prompt; /**< The prompt to show to the user */ jpayne@69: int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */ jpayne@69: krb5_data *reply; /**< Must be allocated before call to prompt routine */ jpayne@69: } krb5_prompt; jpayne@69: jpayne@69: /** Pointer to a prompter callback function. */ jpayne@69: typedef krb5_error_code jpayne@69: (KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, void *data, jpayne@69: const char *name, const char *banner, jpayne@69: int num_prompts, krb5_prompt prompts[]); jpayne@69: jpayne@69: /** jpayne@69: * Prompt user for password. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param data Unused (callback argument) jpayne@69: * @param [in] name Name to output during prompt jpayne@69: * @param [in] banner Banner to output during prompt jpayne@69: * @param [in] num_prompts Number of prompts in @a prompts jpayne@69: * @param [in] prompts Array of prompts and replies jpayne@69: * jpayne@69: * This function is intended to be used as a prompter callback for jpayne@69: * krb5_get_init_creds_password() or krb5_init_creds_init(). jpayne@69: * jpayne@69: * Writes @a name and @a banner to stdout, each followed by a newline, then jpayne@69: * writes each prompt field in the @a prompts array, followed by ": ", and sets jpayne@69: * the reply field of the entry to a line of input read from stdin. If the jpayne@69: * hidden flag is set for a prompt, then terminal echoing is turned off when jpayne@69: * input is read. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: * jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_prompter_posix(krb5_context context, void *data, const char *name, jpayne@69: const char *banner, int num_prompts, jpayne@69: krb5_prompt prompts[]); jpayne@69: jpayne@69: /** jpayne@69: * Long-term password responder question jpayne@69: * jpayne@69: * This question is asked when the long-term password is needed. It has no jpayne@69: * challenge and the response is simply the password string. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_QUESTION_PASSWORD "password" jpayne@69: jpayne@69: /** jpayne@69: * OTP responder question jpayne@69: * jpayne@69: * The OTP responder question is asked when the KDC indicates that an OTP jpayne@69: * value is required in order to complete the authentication. The JSON format jpayne@69: * of the challenge is: jpayne@69: * jpayne@69: * { jpayne@69: * "service": , jpayne@69: * "tokenInfo": [ jpayne@69: * { jpayne@69: * "flags": , jpayne@69: * "vendor": , jpayne@69: * "challenge": , jpayne@69: * "length": , jpayne@69: * "format": , jpayne@69: * "tokenID": , jpayne@69: * "algID": , jpayne@69: * }, jpayne@69: * ... jpayne@69: * ] jpayne@69: * } jpayne@69: * jpayne@69: * The answer to the question MUST be JSON formatted: jpayne@69: * jpayne@69: * { jpayne@69: * "tokeninfo": , jpayne@69: * "value": , jpayne@69: * "pin": , jpayne@69: * } jpayne@69: * jpayne@69: * For more detail, please see RFC 6560. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_QUESTION_OTP "otp" jpayne@69: jpayne@69: /** jpayne@69: * These format constants identify the format of the token value. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_OTP_FORMAT_DECIMAL 0 jpayne@69: #define KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL 1 jpayne@69: #define KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC 2 jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that the token value MUST be collected. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN 0x0001 jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that the PIN value MUST be collected. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN 0x0002 jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that the token is now in re-synchronization mode with jpayne@69: * the server. The user is expected to reply with the next code displayed on jpayne@69: * the token. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP 0x0004 jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that the PIN MUST be returned as a separate item. This jpayne@69: * flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If jpayne@69: * this flag is not set, the responder may either concatenate PIN + token value jpayne@69: * and store it as "value" in the answer or it may return them separately. If jpayne@69: * they are returned separately, they will be concatenated internally. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008 jpayne@69: jpayne@69: /** jpayne@69: * PKINIT responder question jpayne@69: * jpayne@69: * The PKINIT responder question is asked when the client needs a password jpayne@69: * that's being used to protect key information, and is formatted as a JSON jpayne@69: * object. A specific identity's flags value, if not zero, is the bitwise-OR jpayne@69: * of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined jpayne@69: * below, and possibly other flags to be added later. Any resemblance to jpayne@69: * similarly-named CKF_* values in the PKCS#11 API should not be depended on. jpayne@69: * jpayne@69: * { jpayne@69: * identity : flags , jpayne@69: * ... jpayne@69: * } jpayne@69: * jpayne@69: * The answer to the question MUST be JSON formatted: jpayne@69: * jpayne@69: * { jpayne@69: * identity : password , jpayne@69: * ... jpayne@69: * } jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_QUESTION_PKINIT "pkinit" jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that an incorrect PIN was supplied at least once since jpayne@69: * the last time the correct PIN was supplied. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0) jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that supplying an incorrect PIN will cause the token to jpayne@69: * lock itself. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1) jpayne@69: jpayne@69: /** jpayne@69: * This flag indicates that the user PIN is locked, and you can't log in to the jpayne@69: * token with it. jpayne@69: */ jpayne@69: #define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2) jpayne@69: jpayne@69: /** jpayne@69: * A container for a set of preauthentication questions and answers jpayne@69: * jpayne@69: * A responder context is supplied by the krb5 authentication system to a @ref jpayne@69: * krb5_responder_fn callback. It contains a list of questions and can receive jpayne@69: * answers. Questions contained in a responder context can be listed using jpayne@69: * krb5_responder_list_questions(), retrieved using jpayne@69: * krb5_responder_get_challenge(), or answered using jpayne@69: * krb5_responder_set_answer(). The form of a question's challenge and jpayne@69: * answer depend on the question name. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: typedef struct krb5_responder_context_st *krb5_responder_context; jpayne@69: jpayne@69: /** jpayne@69: * List the question names contained in the responder context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * jpayne@69: * Return a pointer to a null-terminated list of question names which are jpayne@69: * present in @a rctx. The pointer is an alias, valid only as long as the jpayne@69: * lifetime of @a rctx, and should not be modified or freed by the caller. A jpayne@69: * question's challenge can be retrieved using krb5_responder_get_challenge() jpayne@69: * and answered using krb5_responder_set_answer(). jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: const char * const * KRB5_CALLCONV jpayne@69: krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve the challenge data for a given question in the responder context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] question Question name jpayne@69: * jpayne@69: * Return a pointer to a C string containing the challenge for @a question jpayne@69: * within @a rctx, or NULL if the question is not present in @a rctx. The jpayne@69: * structure of the question depends on the question name, but will always be jpayne@69: * printable UTF-8 text. The returned pointer is an alias, valid only as long jpayne@69: * as the lifetime of @a rctx, and should not be modified or freed by the jpayne@69: * caller. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: const char * KRB5_CALLCONV jpayne@69: krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, jpayne@69: const char *question); jpayne@69: jpayne@69: /** jpayne@69: * Answer a named question in the responder context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] question Question name jpayne@69: * @param [in] answer The string to set (MUST be printable UTF-8) jpayne@69: * jpayne@69: * This function supplies an answer to @a question within @a rctx. The jpayne@69: * appropriate form of the answer depends on the question name. jpayne@69: * jpayne@69: * @retval EINVAL @a question is not present within @a rctx jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, jpayne@69: const char *question, const char *answer); jpayne@69: jpayne@69: /** jpayne@69: * Responder function for an initial credential exchange. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] data Callback data jpayne@69: * @param [in] rctx Responder context jpayne@69: * jpayne@69: * A responder function is like a prompter function, but is used for handling jpayne@69: * questions and answers as potentially complex data types. Client jpayne@69: * preauthentication modules will insert a set of named "questions" into jpayne@69: * the responder context. Each question may optionally contain a challenge. jpayne@69: * This challenge is printable UTF-8, but may be an encoded value. The jpayne@69: * precise encoding and contents of the challenge are specific to the question jpayne@69: * asked. When the responder is called, it should answer all the questions it jpayne@69: * understands. Like the challenge, the answer MUST be printable UTF-8, but jpayne@69: * may contain structured/encoded data formatted to the expected answer format jpayne@69: * of the question. jpayne@69: * jpayne@69: * If a required question is unanswered, the prompter may be called. jpayne@69: */ jpayne@69: typedef krb5_error_code jpayne@69: (KRB5_CALLCONV *krb5_responder_fn)(krb5_context ctx, void *data, jpayne@69: krb5_responder_context rctx); jpayne@69: jpayne@69: typedef struct _krb5_responder_otp_tokeninfo { jpayne@69: krb5_flags flags; jpayne@69: krb5_int32 format; /* -1 when not specified. */ jpayne@69: krb5_int32 length; /* -1 when not specified. */ jpayne@69: char *vendor; jpayne@69: char *challenge; jpayne@69: char *token_id; jpayne@69: char *alg_id; jpayne@69: } krb5_responder_otp_tokeninfo; jpayne@69: jpayne@69: typedef struct _krb5_responder_otp_challenge { jpayne@69: char *service; jpayne@69: krb5_responder_otp_tokeninfo **tokeninfo; jpayne@69: } krb5_responder_otp_challenge; jpayne@69: jpayne@69: /** jpayne@69: * Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. jpayne@69: * jpayne@69: * A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP jpayne@69: * question challenge data, making it available in native C. The main feature jpayne@69: * of this function is the ability to interact with OTP tokens without parsing jpayne@69: * the JSON. jpayne@69: * jpayne@69: * The returned value must be passed to krb5_responder_otp_challenge_free() to jpayne@69: * be freed. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [out] chl Challenge structure jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_responder_otp_get_challenge(krb5_context ctx, jpayne@69: krb5_responder_context rctx, jpayne@69: krb5_responder_otp_challenge **chl); jpayne@69: jpayne@69: /** jpayne@69: * Answer the KRB5_RESPONDER_QUESTION_OTP question. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] ti The index of the tokeninfo selected jpayne@69: * @param [in] value The value to set, or NULL for none jpayne@69: * @param [in] pin The pin to set, or NULL for none jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, jpayne@69: size_t ti, const char *value, const char *pin); jpayne@69: jpayne@69: /** jpayne@69: * Free the value returned by krb5_responder_otp_get_challenge(). jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] chl The challenge to free jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_responder_otp_challenge_free(krb5_context ctx, jpayne@69: krb5_responder_context rctx, jpayne@69: krb5_responder_otp_challenge *chl); jpayne@69: jpayne@69: typedef struct _krb5_responder_pkinit_identity { jpayne@69: char *identity; jpayne@69: krb5_int32 token_flags; /* 0 when not specified or not applicable. */ jpayne@69: } krb5_responder_pkinit_identity; jpayne@69: jpayne@69: typedef struct _krb5_responder_pkinit_challenge { jpayne@69: krb5_responder_pkinit_identity **identities; jpayne@69: } krb5_responder_pkinit_challenge; jpayne@69: jpayne@69: /** jpayne@69: * Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. jpayne@69: * jpayne@69: * A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT jpayne@69: * question challenge data, making it available in native C. The main feature jpayne@69: * of this function is the ability to read the challenge without parsing jpayne@69: * the JSON. jpayne@69: * jpayne@69: * The returned value must be passed to krb5_responder_pkinit_challenge_free() jpayne@69: * to be freed. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [out] chl_out Challenge structure jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_responder_pkinit_get_challenge(krb5_context ctx, jpayne@69: krb5_responder_context rctx, jpayne@69: krb5_responder_pkinit_challenge **chl_out); jpayne@69: jpayne@69: /** jpayne@69: * Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] identity The identity for which a PIN is being supplied jpayne@69: * @param [in] pin The provided PIN, or NULL for none jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, jpayne@69: const char *identity, const char *pin); jpayne@69: jpayne@69: /** jpayne@69: * Free the value returned by krb5_responder_pkinit_get_challenge(). jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] rctx Responder context jpayne@69: * @param [in] chl The challenge to free jpayne@69: * jpayne@69: * @version New in 1.12 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_responder_pkinit_challenge_free(krb5_context ctx, jpayne@69: krb5_responder_context rctx, jpayne@69: krb5_responder_pkinit_challenge *chl); jpayne@69: jpayne@69: /** Store options for @c _krb5_get_init_creds */ jpayne@69: typedef struct _krb5_get_init_creds_opt { jpayne@69: krb5_flags flags; jpayne@69: krb5_deltat tkt_life; jpayne@69: krb5_deltat renew_life; jpayne@69: int forwardable; jpayne@69: int proxiable; jpayne@69: krb5_enctype *etype_list; jpayne@69: int etype_list_length; jpayne@69: krb5_address **address_list; jpayne@69: krb5_preauthtype *preauth_list; jpayne@69: int preauth_list_length; jpayne@69: krb5_data *salt; jpayne@69: } krb5_get_init_creds_opt; jpayne@69: jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200 jpayne@69: #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400 jpayne@69: jpayne@69: jpayne@69: /** jpayne@69: * Allocate a new initial credential options structure. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] opt New options structure jpayne@69: * jpayne@69: * This function is the preferred way to create an options structure for jpayne@69: * getting initial credentials, and is required to make use of certain options. jpayne@69: * Use krb5_get_init_creds_opt_free() to free @a opt when it is no longer jpayne@69: * needed. jpayne@69: * jpayne@69: * @retval 0 - Success; Kerberos errors otherwise. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_alloc(krb5_context context, jpayne@69: krb5_get_init_creds_opt **opt); jpayne@69: jpayne@69: /** jpayne@69: * Free initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options structure to free jpayne@69: * jpayne@69: * @sa krb5_get_init_creds_opt_alloc() jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_free(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt); jpayne@69: jpayne@69: /** @deprecated Use krb5_get_init_creds_opt_alloc() instead. */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt); jpayne@69: jpayne@69: /** jpayne@69: * Set the ticket lifetime in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] tkt_life Ticket lifetime jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, jpayne@69: krb5_deltat tkt_life); jpayne@69: jpayne@69: /** jpayne@69: * Set the ticket renewal lifetime in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Pointer to @a options field jpayne@69: * @param [in] renew_life Ticket renewal lifetime jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, jpayne@69: krb5_deltat renew_life); jpayne@69: jpayne@69: /** jpayne@69: * Set or unset the forwardable flag in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] forwardable Whether credentials should be forwardable jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, jpayne@69: int forwardable); jpayne@69: jpayne@69: /** jpayne@69: * Set or unset the proxiable flag in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] proxiable Whether credentials should be proxiable jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, jpayne@69: int proxiable); jpayne@69: jpayne@69: /** jpayne@69: * Set or unset the canonicalize flag in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] canonicalize Whether to canonicalize client principal jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, jpayne@69: int canonicalize); jpayne@69: jpayne@69: /** jpayne@69: * Set or unset the anonymous flag in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] anonymous Whether to make an anonymous request jpayne@69: * jpayne@69: * This function may be used to request anonymous credentials from the KDC by jpayne@69: * setting @a anonymous to non-zero. Note that anonymous credentials are only jpayne@69: * a request; clients must verify that credentials are anonymous if that is a jpayne@69: * requirement. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, jpayne@69: int anonymous); jpayne@69: jpayne@69: /** jpayne@69: * Set allowable encryption types in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] etype_list Array of encryption types jpayne@69: * @param [in] etype_list_length Length of @a etype_list jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, jpayne@69: krb5_enctype *etype_list, jpayne@69: int etype_list_length); jpayne@69: jpayne@69: /** jpayne@69: * Set address restrictions in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] addresses Null-terminated array of addresses jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, jpayne@69: krb5_address **addresses); jpayne@69: jpayne@69: /** jpayne@69: * Set preauthentication types in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] preauth_list Array of preauthentication types jpayne@69: * @param [in] preauth_list_length Length of @a preauth_list jpayne@69: * jpayne@69: * This function can be used to perform optimistic preauthentication when jpayne@69: * getting initial credentials, in combination with jpayne@69: * krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa(). jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, jpayne@69: krb5_preauthtype *preauth_list, jpayne@69: int preauth_list_length); jpayne@69: jpayne@69: /** jpayne@69: * Set salt for optimistic preauthentication in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] salt Salt data jpayne@69: * jpayne@69: * When getting initial credentials with a password, a salt string it used to jpayne@69: * convert the password to a key. Normally this salt is obtained from the jpayne@69: * first KDC reply, but when performing optimistic preauthentication, the jpayne@69: * client may need to supply the salt string with this function. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, jpayne@69: krb5_data *salt); jpayne@69: jpayne@69: /** jpayne@69: * Set or unset change-password-prompt flag in initial credential options. jpayne@69: * jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] prompt Whether to prompt to change password jpayne@69: * jpayne@69: * This flag is on by default. It controls whether jpayne@69: * krb5_get_init_creds_password() will react to an expired-password error by jpayne@69: * prompting for a new password and attempting to change the old one. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, jpayne@69: int prompt); jpayne@69: jpayne@69: /** Generic preauth option attribute/value pairs */ jpayne@69: typedef struct _krb5_gic_opt_pa_data { jpayne@69: char *attr; jpayne@69: char *value; jpayne@69: } krb5_gic_opt_pa_data; jpayne@69: jpayne@69: /** jpayne@69: * Supply options for preauthentication in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] attr Preauthentication option name jpayne@69: * @param [in] value Preauthentication option value jpayne@69: * jpayne@69: * This function allows the caller to supply options for preauthentication. jpayne@69: * The values of @a attr and @a value are supplied to each preauthentication jpayne@69: * module available within @a context. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_pa(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, const char *attr, jpayne@69: const char *value); jpayne@69: jpayne@69: /** jpayne@69: * Set location of FAST armor ccache in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [in] fast_ccache_name Credential cache name jpayne@69: * jpayne@69: * Sets the location of a credential cache containing an armor ticket to jpayne@69: * protect an initial credential exchange using the FAST protocol extension. jpayne@69: * jpayne@69: * In version 1.7, setting an armor ccache requires that FAST be used for the jpayne@69: * exchange. In version 1.8 or later, setting the armor ccache causes FAST to jpayne@69: * be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() jpayne@69: * must be used to require that FAST be used. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: const char *fast_ccache_name); jpayne@69: jpayne@69: /** jpayne@69: * Set FAST armor cache in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [in] ccache Credential cache handle jpayne@69: * jpayne@69: * This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), jpayne@69: * but uses a credential cache handle instead of a name. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_ccache ccache); jpayne@69: jpayne@69: /** jpayne@69: * Set an input credential cache in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [in] ccache Credential cache handle jpayne@69: * jpayne@69: * If an input credential cache is set, then the krb5_get_init_creds family of jpayne@69: * APIs will read settings from it. Setting an input ccache is desirable when jpayne@69: * the application wishes to perform authentication in the same way (using the jpayne@69: * same preauthentication mechanisms, and making the same non-security- jpayne@69: * sensitive choices) as the previous authentication attempt, which stored jpayne@69: * information in the passed-in ccache. jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_in_ccache(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_ccache ccache); jpayne@69: jpayne@69: /** jpayne@69: * Set an output credential cache in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [in] ccache Credential cache handle jpayne@69: * jpayne@69: * If an output credential cache is set, then the krb5_get_init_creds family of jpayne@69: * APIs will write credentials to it. Setting an output ccache is desirable jpayne@69: * both because it simplifies calling code and because it permits the jpayne@69: * krb5_get_init_creds APIs to write out configuration information about the jpayne@69: * realm to the ccache. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_out_ccache(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_ccache ccache); jpayne@69: jpayne@69: /** jpayne@69: * @brief Ask the KDC to include or not include a PAC in the ticket jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] req_pac Whether to request a PAC or not jpayne@69: * jpayne@69: * If this option is set, the AS request will include a PAC-REQUEST pa-data jpayne@69: * item explicitly asking the KDC to either include or not include a privilege jpayne@69: * attribute certificate in the ticket authorization data. By default, no jpayne@69: * request is made; typically the KDC will default to including a PAC if it jpayne@69: * supports them. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_pac_request(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_boolean req_pac); jpayne@69: jpayne@69: /** jpayne@69: * Set FAST flags in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [in] flags FAST flags jpayne@69: * jpayne@69: * The following flag values are valid: jpayne@69: * @li #KRB5_FAST_REQUIRED - Require FAST to be used jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 - Success; Kerberos errors otherwise. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_fast_flags(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_flags flags); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve FAST flags from initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options jpayne@69: * @param [out] out_flags FAST flags jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 - Success; Kerberos errors otherwise. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_get_fast_flags(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_flags *out_flags); jpayne@69: jpayne@69: /* Fast flags*/ jpayne@69: #define KRB5_FAST_REQUIRED 0x0001 /**< Require KDC to support FAST*/ jpayne@69: jpayne@69: typedef void jpayne@69: (KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data, jpayne@69: krb5_timestamp password_expiration, jpayne@69: krb5_timestamp account_expiration, jpayne@69: krb5_boolean is_last_req); jpayne@69: jpayne@69: /** jpayne@69: * Set an expiration callback in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] cb Callback function jpayne@69: * @param [in] data Callback argument jpayne@69: * jpayne@69: * Set a callback to receive password and account expiration times. jpayne@69: * jpayne@69: * @a cb will be invoked if and only if credentials are successfully acquired. jpayne@69: * The callback will receive the @a context from the calling function and the jpayne@69: * @a data argument supplied with this API. The remaining arguments should be jpayne@69: * interpreted as follows: jpayne@69: * jpayne@69: * If @a is_last_req is true, then the KDC reply contained last-req entries jpayne@69: * which unambiguously indicated the password expiration, account expiration, jpayne@69: * or both. (If either value was not present, the corresponding argument will jpayne@69: * be 0.) Furthermore, a non-zero @a password_expiration should be taken as a jpayne@69: * suggestion from the KDC that a warning be displayed. jpayne@69: * jpayne@69: * If @a is_last_req is false, then @a account_expiration will be 0 and @a jpayne@69: * password_expiration will contain the expiration time of either the password jpayne@69: * or account, or 0 if no expiration time was indicated in the KDC reply. The jpayne@69: * callback should independently decide whether to display a password jpayne@69: * expiration warning. jpayne@69: * jpayne@69: * Note that @a cb may be invoked even if credentials are being acquired for jpayne@69: * the kadmin/changepw service in order to change the password. It is the jpayne@69: * caller's responsibility to avoid displaying a password expiry warning in jpayne@69: * this case. jpayne@69: * jpayne@69: * @warning Setting an expire callback with this API will cause jpayne@69: * krb5_get_init_creds_password() not to send password expiry warnings to the jpayne@69: * prompter, as it ordinarily may. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_expire_callback(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_expire_callback_func cb, jpayne@69: void *data); jpayne@69: jpayne@69: /** jpayne@69: * Set the responder function in initial credential options. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] opt Options structure jpayne@69: * @param [in] responder Responder function jpayne@69: * @param [in] data Responder data argument jpayne@69: * jpayne@69: * @version New in 1.11 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_opt_set_responder(krb5_context context, jpayne@69: krb5_get_init_creds_opt *opt, jpayne@69: krb5_responder_fn responder, void *data); jpayne@69: jpayne@69: /** jpayne@69: * Get initial credentials using a password. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] creds New credentials jpayne@69: * @param [in] client Client principal jpayne@69: * @param [in] password Password (or NULL) jpayne@69: * @param [in] prompter Prompter function jpayne@69: * @param [in] data Prompter callback data jpayne@69: * @param [in] start_time Time when ticket becomes valid (0 for now) jpayne@69: * @param [in] in_tkt_service Service name of initial credentials (or NULL) jpayne@69: * @param [in] k5_gic_options Initial credential options jpayne@69: * jpayne@69: * This function requests KDC for an initial credentials for @a client using @a jpayne@69: * password. If @a password is NULL, a password will be prompted for using @a jpayne@69: * prompter if necessary. If @a in_tkt_service is specified, it is parsed as a jpayne@69: * principal name (with the realm ignored) and used as the service principal jpayne@69: * for the request; otherwise the ticket-granting service is used. jpayne@69: * jpayne@69: * @sa krb5_verify_init_creds() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * EINVAL Invalid argument jpayne@69: * @retval jpayne@69: * KRB5_KDC_UNREACH Cannot contact any KDC for requested realm jpayne@69: * @retval jpayne@69: * KRB5_PREAUTH_FAILED Generic Pre-athentication failure jpayne@69: * @retval jpayne@69: * KRB5_LIBOS_PWDINTR Password read interrupted jpayne@69: * @retval jpayne@69: * KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm jpayne@69: * @retval jpayne@69: * KRB5KDC_ERR_KEY_EXP Password has expired jpayne@69: * @retval jpayne@69: * KRB5_LIBOS_BADPWDMATCH Password mismatch jpayne@69: * @retval jpayne@69: * KRB5_CHPW_PWDNULL New password cannot be zero length jpayne@69: * @retval jpayne@69: * KRB5_CHPW_FAIL Password change failed jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, jpayne@69: krb5_principal client, const char *password, jpayne@69: krb5_prompter_fct prompter, void *data, jpayne@69: krb5_deltat start_time, jpayne@69: const char *in_tkt_service, jpayne@69: krb5_get_init_creds_opt *k5_gic_options); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve enctype, salt and s2kparams from KDC jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] principal Principal whose information is requested jpayne@69: * @param [in] opt Initial credential options jpayne@69: * @param [out] enctype_out The enctype chosen by KDC jpayne@69: * @param [out] salt_out Salt returned from KDC jpayne@69: * @param [out] s2kparams_out String-to-key parameters returned from KDC jpayne@69: * jpayne@69: * Send an initial ticket request for @a principal and extract the encryption jpayne@69: * type, salt type, and string-to-key parameters from the KDC response. If the jpayne@69: * KDC provides no etype-info, set @a enctype_out to @c ENCTYPE_NULL and set @a jpayne@69: * salt_out and @a s2kparams_out to empty. If the KDC etype-info provides no jpayne@69: * salt, compute the default salt and place it in @a salt_out. If the KDC jpayne@69: * etype-info provides no string-to-key parameters, set @a s2kparams_out to jpayne@69: * empty. jpayne@69: * jpayne@69: * @a opt may be used to specify options which affect the initial request, such jpayne@69: * as request encryption types or a FAST armor cache (see jpayne@69: * krb5_get_init_creds_opt_set_etype_list() and jpayne@69: * krb5_get_init_creds_opt_set_fast_ccache_name()). jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a salt_out and @a s2kparams_out when jpayne@69: * they are no longer needed. jpayne@69: * jpayne@69: * @version New in 1.17 jpayne@69: * jpayne@69: * @retval 0 Success jpayne@69: * @return A Kerberos error code jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_etype_info(krb5_context context, krb5_principal principal, jpayne@69: krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, jpayne@69: krb5_data *salt_out, krb5_data *s2kparams_out); jpayne@69: jpayne@69: struct _krb5_init_creds_context; jpayne@69: typedef struct _krb5_init_creds_context *krb5_init_creds_context; jpayne@69: jpayne@69: #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ jpayne@69: jpayne@69: /** jpayne@69: * Free an initial credentials context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * jpayne@69: * @a context must be the same as the one passed to krb5_init_creds_init() for jpayne@69: * this initial credentials context. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); jpayne@69: jpayne@69: /** jpayne@69: * Acquire credentials using an initial credentials context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * jpayne@69: * This function synchronously obtains credentials using a context created by jpayne@69: * krb5_init_creds_init(). On successful return, the credentials can be jpayne@69: * retrieved with krb5_init_creds_get_creds(). jpayne@69: * jpayne@69: * @a context must be the same as the one passed to krb5_init_creds_init() for jpayne@69: * this initial credentials context. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve acquired credentials from an initial credentials context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [out] creds Acquired credentials jpayne@69: * jpayne@69: * This function copies the acquired initial credentials from @a ctx into @a jpayne@69: * creds, after the successful completion of krb5_init_creds_get() or jpayne@69: * krb5_init_creds_step(). Use krb5_free_cred_contents() to free @a creds when jpayne@69: * it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, jpayne@69: krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Get the last error from KDC from an initial credentials context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [out] error Error from KDC, or NULL if none was received jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, jpayne@69: krb5_error **error); jpayne@69: jpayne@69: /** jpayne@69: * Create a context for acquiring initial credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] client Client principal to get initial creds for jpayne@69: * @param [in] prompter Prompter callback jpayne@69: * @param [in] data Prompter callback argument jpayne@69: * @param [in] start_time Time when credentials become valid (0 for now) jpayne@69: * @param [in] options Options structure (NULL for default) jpayne@69: * @param [out] ctx New initial credentials context jpayne@69: * jpayne@69: * This function creates a new context for acquiring initial credentials. Use jpayne@69: * krb5_init_creds_free() to free @a ctx when it is no longer needed. jpayne@69: * jpayne@69: * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or jpayne@69: * krb5_init_creds_free() for this initial credentials context must use the jpayne@69: * same @a context argument as the one passed to this function. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_init(krb5_context context, krb5_principal client, jpayne@69: krb5_prompter_fct prompter, void *data, jpayne@69: krb5_deltat start_time, krb5_get_init_creds_opt *options, jpayne@69: krb5_init_creds_context *ctx); jpayne@69: jpayne@69: /** jpayne@69: * Specify a keytab to use for acquiring initial credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [in] keytab Key table handle jpayne@69: * jpayne@69: * This function supplies a keytab containing the client key for an initial jpayne@69: * credentials request. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, jpayne@69: krb5_keytab keytab); jpayne@69: jpayne@69: /** jpayne@69: * Get the next KDC request for acquiring initial credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [in] in KDC response (empty on the first call) jpayne@69: * @param [out] out Next KDC request jpayne@69: * @param [out] realm Realm for next KDC request jpayne@69: * @param [out] flags Output flags jpayne@69: * jpayne@69: * This function constructs the next KDC request in an initial credential jpayne@69: * exchange, allowing the caller to control the transport of KDC requests and jpayne@69: * replies. On the first call, @a in should be set to an empty buffer; on jpayne@69: * subsequent calls, it should be set to the KDC's reply to the previous jpayne@69: * request. jpayne@69: * jpayne@69: * If more requests are needed, @a flags will be set to jpayne@69: * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in jpayne@69: * @a out. If no more requests are needed, @a flags will not contain jpayne@69: * #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. jpayne@69: * jpayne@69: * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should jpayne@69: * transmit the next request using TCP rather than UDP. If this function jpayne@69: * returns any other error, the initial credential exchange has failed. jpayne@69: * jpayne@69: * @a context must be the same as the one passed to krb5_init_creds_init() for jpayne@69: * this initial credentials context. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, jpayne@69: krb5_data *in, krb5_data *out, krb5_data *realm, jpayne@69: unsigned int *flags); jpayne@69: jpayne@69: /** jpayne@69: * Set a password for acquiring initial credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [in] password Password jpayne@69: * jpayne@69: * This function supplies a password to be used to construct the client key for jpayne@69: * an initial credentials request. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, jpayne@69: const char *password); jpayne@69: jpayne@69: /** jpayne@69: * Specify a service principal for acquiring initial credentials. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [in] service Service principal string jpayne@69: * jpayne@69: * This function supplies a service principal string to acquire initial jpayne@69: * credentials for instead of the default krbtgt service. @a service is parsed jpayne@69: * as a principal name; any realm part is ignored. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, jpayne@69: const char *service); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve ticket times from an initial credentials context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ctx Initial credentials context jpayne@69: * @param [out] times Ticket times for acquired credentials jpayne@69: * jpayne@69: * The initial credentials context must have completed obtaining credentials jpayne@69: * via either krb5_init_creds_get() or krb5_init_creds_step(). jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, jpayne@69: krb5_ticket_times *times); jpayne@69: jpayne@69: struct _krb5_tkt_creds_context; jpayne@69: typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context; jpayne@69: jpayne@69: /** jpayne@69: * Create a context to get credentials from a KDC's Ticket Granting Service. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ccache Credential cache handle jpayne@69: * @param[in] creds Input credentials jpayne@69: * @param[in] options @ref KRB5_GC options for this request. jpayne@69: * @param[out] ctx New TGS request context jpayne@69: * jpayne@69: * This function prepares to obtain credentials matching @a creds, either by jpayne@69: * retrieving them from @a ccache or by making requests to ticket-granting jpayne@69: * services beginning with a ticket-granting ticket for the client principal's jpayne@69: * realm. jpayne@69: * jpayne@69: * The resulting TGS acquisition context can be used asynchronously with jpayne@69: * krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also jpayne@69: * krb5_get_credentials() for synchronous use. jpayne@69: * jpayne@69: * Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, jpayne@69: krb5_creds *creds, krb5_flags options, jpayne@69: krb5_tkt_creds_context *ctx); jpayne@69: jpayne@69: /** jpayne@69: * Synchronously obtain credentials using a TGS request context. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ctx TGS request context jpayne@69: * jpayne@69: * This function synchronously obtains credentials using a context created by jpayne@69: * krb5_tkt_creds_init(). On successful return, the credentials can be jpayne@69: * retrieved with krb5_tkt_creds_get_creds(). jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve acquired credentials from a TGS request context. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ctx TGS request context jpayne@69: * @param[out] creds Acquired credentials jpayne@69: * jpayne@69: * This function copies the acquired initial credentials from @a ctx into @a jpayne@69: * creds, after the successful completion of krb5_tkt_creds_get() or jpayne@69: * krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when jpayne@69: * it is no longer needed. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, jpayne@69: krb5_creds *creds); jpayne@69: jpayne@69: /** jpayne@69: * Free a TGS request context. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ctx TGS request context jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx); jpayne@69: jpayne@69: #define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ jpayne@69: jpayne@69: /** jpayne@69: * Get the next KDC request in a TGS exchange. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ctx TGS request context jpayne@69: * @param[in] in KDC response (empty on the first call) jpayne@69: * @param[out] out Next KDC request jpayne@69: * @param[out] realm Realm for next KDC request jpayne@69: * @param[out] flags Output flags jpayne@69: * jpayne@69: * This function constructs the next KDC request for a TGS exchange, allowing jpayne@69: * the caller to control the transport of KDC requests and replies. On the jpayne@69: * first call, @a in should be set to an empty buffer; on subsequent calls, it jpayne@69: * should be set to the KDC's reply to the previous request. jpayne@69: * jpayne@69: * If more requests are needed, @a flags will be set to jpayne@69: * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in @a jpayne@69: * out. If no more requests are needed, @a flags will not contain jpayne@69: * #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and @a out will be empty. jpayne@69: * jpayne@69: * If this function returns @c KRB5KRB_ERR_RESPONSE_TOO_BIG, the caller should jpayne@69: * transmit the next request using TCP rather than UDP. If this function jpayne@69: * returns any other error, the TGS exchange has failed. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, jpayne@69: krb5_data *in, krb5_data *out, krb5_data *realm, jpayne@69: unsigned int *flags); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve ticket times from a TGS request context. jpayne@69: * jpayne@69: * @param[in] context Library context jpayne@69: * @param[in] ctx TGS request context jpayne@69: * @param[out] times Ticket times for acquired credentials jpayne@69: * jpayne@69: * The TGS request context must have completed obtaining credentials via either jpayne@69: * krb5_tkt_creds_get() or krb5_tkt_creds_step(). jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, jpayne@69: krb5_ticket_times *times); jpayne@69: jpayne@69: /** jpayne@69: * Get initial credentials using a key table. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] creds New credentials jpayne@69: * @param [in] client Client principal jpayne@69: * @param [in] arg_keytab Key table handle jpayne@69: * @param [in] start_time Time when ticket becomes valid (0 for now) jpayne@69: * @param [in] in_tkt_service Service name of initial credentials (or NULL) jpayne@69: * @param [in] k5_gic_options Initial credential options jpayne@69: * jpayne@69: * This function requests KDC for an initial credentials for @a client using a jpayne@69: * client key stored in @a arg_keytab. If @a in_tkt_service is specified, it jpayne@69: * is parsed as a principal name (with the realm ignored) and used as the jpayne@69: * service principal for the request; otherwise the ticket-granting service is jpayne@69: * used. jpayne@69: * jpayne@69: * @sa krb5_verify_init_creds() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds, jpayne@69: krb5_principal client, krb5_keytab arg_keytab, jpayne@69: krb5_deltat start_time, const char *in_tkt_service, jpayne@69: krb5_get_init_creds_opt *k5_gic_options); jpayne@69: jpayne@69: typedef struct _krb5_verify_init_creds_opt { jpayne@69: krb5_flags flags; jpayne@69: int ap_req_nofail; /**< boolean */ jpayne@69: } krb5_verify_init_creds_opt; jpayne@69: jpayne@69: #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 jpayne@69: jpayne@69: /** jpayne@69: * Initialize a credential verification options structure. jpayne@69: * jpayne@69: * @param [in] k5_vic_options Verification options structure jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options); jpayne@69: jpayne@69: /** jpayne@69: * Set whether credential verification is required. jpayne@69: * jpayne@69: * @param [in] k5_vic_options Verification options structure jpayne@69: * @param [in] ap_req_nofail Whether to require successful verification jpayne@69: * jpayne@69: * This function determines how krb5_verify_init_creds() behaves if no keytab jpayne@69: * information is available. If @a ap_req_nofail is @c FALSE, verification jpayne@69: * will be skipped in this case and krb5_verify_init_creds() will return jpayne@69: * successfully. If @a ap_req_nofail is @c TRUE, krb5_verify_init_creds() will jpayne@69: * not return successfully unless verification can be performed. jpayne@69: * jpayne@69: * If this function is not used, the behavior of krb5_verify_init_creds() is jpayne@69: * determined through configuration. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, jpayne@69: int ap_req_nofail); jpayne@69: jpayne@69: /** jpayne@69: * Verify initial credentials against a keytab. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] creds Initial credentials to be verified jpayne@69: * @param [in] server Server principal (or NULL) jpayne@69: * @param [in] keytab Key table (NULL to use default keytab) jpayne@69: * @param [in] ccache Credential cache for fetched creds (or NULL) jpayne@69: * @param [in] options Verification options (NULL for default options) jpayne@69: * jpayne@69: * This function attempts to verify that @a creds were obtained from a KDC with jpayne@69: * knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL. jpayne@69: * If @a server is provided, the highest-kvno key entry for that principal name jpayne@69: * is used to verify the credentials; otherwise, all unique "host" service jpayne@69: * principals in the keytab are tried. jpayne@69: * jpayne@69: * If the specified keytab does not exist, or is empty, or cannot be read, or jpayne@69: * does not contain an entry for @a server, then credential verification may be jpayne@69: * skipped unless configuration demands that it succeed. The caller can jpayne@69: * control this behavior by providing a verification options structure; see jpayne@69: * krb5_verify_init_creds_opt_init() and jpayne@69: * krb5_verify_init_creds_opt_set_ap_req_nofail(). jpayne@69: * jpayne@69: * If @a ccache is NULL, any additional credentials fetched during the jpayne@69: * verification process will be destroyed. If @a ccache points to NULL, a jpayne@69: * memory ccache will be created for the additional credentials and returned in jpayne@69: * @a ccache. If @a ccache points to a valid credential cache handle, the jpayne@69: * additional credentials will be stored in that cache. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_verify_init_creds(krb5_context context, krb5_creds *creds, jpayne@69: krb5_principal server, krb5_keytab keytab, jpayne@69: krb5_ccache *ccache, jpayne@69: krb5_verify_init_creds_opt *options); jpayne@69: jpayne@69: /** jpayne@69: * Get validated credentials from the KDC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] creds Validated credentials jpayne@69: * @param [in] client Client principal name jpayne@69: * @param [in] ccache Credential cache jpayne@69: * @param [in] in_tkt_service Server principal string (or NULL) jpayne@69: * jpayne@69: * This function gets a validated credential using a postdated credential from jpayne@69: * @a ccache. If @a in_tkt_service is specified, it is parsed (with the realm jpayne@69: * part ignored) and used as the server principal of the credential; jpayne@69: * otherwise, the ticket-granting service is used. jpayne@69: * jpayne@69: * If successful, the validated credential is placed in @a creds. jpayne@69: * jpayne@69: * @sa krb5_get_renewed_creds() jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @retval jpayne@69: * KRB5_NO_2ND_TKT Request missing second ticket jpayne@69: * @retval jpayne@69: * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket jpayne@69: * @retval jpayne@69: * KRB5_PRINC_NOMATCH Requested principal and ticket do not match jpayne@69: * @retval jpayne@69: * KRB5_KDCREP_MODIFIED KDC reply did not match expectations jpayne@69: * @retval jpayne@69: * KRB5_KDCREP_SKEW Clock skew too great in KDC reply jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_validated_creds(krb5_context context, krb5_creds *creds, jpayne@69: krb5_principal client, krb5_ccache ccache, jpayne@69: const char *in_tkt_service); jpayne@69: jpayne@69: /** jpayne@69: * Get renewed credential from KDC using an existing credential. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] creds Renewed credentials jpayne@69: * @param [in] client Client principal name jpayne@69: * @param [in] ccache Credential cache jpayne@69: * @param [in] in_tkt_service Server principal string (or NULL) jpayne@69: * jpayne@69: * This function gets a renewed credential using an existing one from @a jpayne@69: * ccache. If @a in_tkt_service is specified, it is parsed (with the realm jpayne@69: * part ignored) and used as the server principal of the credential; otherwise, jpayne@69: * the ticket-granting service is used. jpayne@69: * jpayne@69: * If successful, the renewed credential is placed in @a creds. jpayne@69: * jpayne@69: * @retval jpayne@69: * 0 Success jpayne@69: * @return jpayne@69: * Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, jpayne@69: krb5_principal client, krb5_ccache ccache, jpayne@69: const char *in_tkt_service); jpayne@69: jpayne@69: /** jpayne@69: * Decode an ASN.1-formatted ticket. jpayne@69: * jpayne@69: * @param [in] code ASN.1-formatted ticket jpayne@69: * @param [out] rep Decoded ticket information jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve a string value from the appdefaults section of krb5.conf. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] appname Application name jpayne@69: * @param [in] realm Realm name jpayne@69: * @param [in] option Option to be checked jpayne@69: * @param [in] default_value Default value to return if no match is found jpayne@69: * @param [out] ret_value String value of @a option jpayne@69: * jpayne@69: * This function gets the application defaults for @a option based on the given jpayne@69: * @a appname and/or @a realm. jpayne@69: * jpayne@69: * @sa krb5_appdefault_boolean() jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_appdefault_string(krb5_context context, const char *appname, jpayne@69: const krb5_data *realm, const char *option, jpayne@69: const char *default_value, char ** ret_value); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve a boolean value from the appdefaults section of krb5.conf. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] appname Application name jpayne@69: * @param [in] realm Realm name jpayne@69: * @param [in] option Option to be checked jpayne@69: * @param [in] default_value Default value to return if no match is found jpayne@69: * @param [out] ret_value Boolean value of @a option jpayne@69: * jpayne@69: * This function gets the application defaults for @a option based on the given jpayne@69: * @a appname and/or @a realm. jpayne@69: * jpayne@69: * @sa krb5_appdefault_string() jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_appdefault_boolean(krb5_context context, const char *appname, jpayne@69: const krb5_data *realm, const char *option, jpayne@69: int default_value, int *ret_value); jpayne@69: jpayne@69: /* jpayne@69: * Prompter enhancements jpayne@69: */ jpayne@69: /** Prompt for password */ jpayne@69: #define KRB5_PROMPT_TYPE_PASSWORD 0x1 jpayne@69: /** Prompt for new password (during password change) */ jpayne@69: #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2 jpayne@69: /** Prompt for new password again */ jpayne@69: #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3 jpayne@69: /** Prompt for preauthentication data (such as an OTP value) */ jpayne@69: #define KRB5_PROMPT_TYPE_PREAUTH 0x4 jpayne@69: jpayne@69: typedef krb5_int32 krb5_prompt_type; jpayne@69: jpayne@69: /** jpayne@69: * Get prompt types array from a context. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * jpayne@69: * @return jpayne@69: * Pointer to an array of prompt types corresponding to the prompter's @a jpayne@69: * prompts arguments. Each type has one of the following values: jpayne@69: * @li #KRB5_PROMPT_TYPE_PASSWORD jpayne@69: * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD jpayne@69: * @li #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN jpayne@69: * @li #KRB5_PROMPT_TYPE_PREAUTH jpayne@69: */ jpayne@69: krb5_prompt_type* KRB5_CALLCONV jpayne@69: krb5_get_prompt_types(krb5_context context); jpayne@69: jpayne@69: /* Error reporting */ jpayne@69: /** jpayne@69: * Set an extended error message for an error code. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Error string for the error code jpayne@69: * @param [in] ... printf(3) style parameters jpayne@69: */ jpayne@69: void KRB5_CALLCONV_C jpayne@69: krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 3, 4))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Set an extended error message for an error code using a va_list. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Error string for the error code jpayne@69: * @param [in] args List of vprintf(3) style arguments jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_vset_error_message(krb5_context ctx, krb5_error_code code, jpayne@69: const char *fmt, va_list args) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 3, 0))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Add a prefix to the message for an error code. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Format string for error message prefix jpayne@69: * @param [in] ... printf(3) style parameters jpayne@69: * jpayne@69: * Format a message and prepend it to the current message for @a code. The jpayne@69: * prefix will be separated from the old message with a colon and space. jpayne@69: */ jpayne@69: void KRB5_CALLCONV_C jpayne@69: krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, jpayne@69: const char *fmt, ...) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 3, 4))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Add a prefix to the message for an error code using a va_list. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Format string for error message prefix jpayne@69: * @param [in] args List of vprintf(3) style arguments jpayne@69: * jpayne@69: * This function is similar to krb5_prepend_error_message(), but uses a jpayne@69: * va_list instead of variadic arguments. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, jpayne@69: const char *fmt, va_list args) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 3, 0))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Add a prefix to a different error code's message. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] old_code Previous error code jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Format string for error message prefix jpayne@69: * @param [in] ... printf(3) style parameters jpayne@69: * jpayne@69: * Format a message and prepend it to the message for @a old_code. The prefix jpayne@69: * will be separated from the old message with a colon and space. Set the jpayne@69: * resulting message as the extended error message for @a code. jpayne@69: */ jpayne@69: void KRB5_CALLCONV_C jpayne@69: krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, jpayne@69: krb5_error_code code, const char *fmt, ...) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 4, 5))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Add a prefix to a different error code's message using a va_list. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] old_code Previous error code jpayne@69: * @param [in] code Error code jpayne@69: * @param [in] fmt Format string for error message prefix jpayne@69: * @param [in] args List of vprintf(3) style arguments jpayne@69: * jpayne@69: * This function is similar to krb5_wrap_error_message(), but uses a jpayne@69: * va_list instead of variadic arguments. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, jpayne@69: krb5_error_code code, const char *fmt, va_list args) jpayne@69: #if !defined(__cplusplus) && (__GNUC__ > 2) jpayne@69: __attribute__((__format__(__printf__, 4, 0))) jpayne@69: #endif jpayne@69: ; jpayne@69: jpayne@69: /** jpayne@69: * Copy the most recent extended error message from one context to another. jpayne@69: * jpayne@69: * @param [in] dest_ctx Library context to copy message to jpayne@69: * @param [in] src_ctx Library context with current message jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx); jpayne@69: jpayne@69: /** jpayne@69: * Get the (possibly extended) error message for a code. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] code Error code jpayne@69: * jpayne@69: * The behavior of krb5_get_error_message() is only defined the first time it jpayne@69: * is called after a failed call to a krb5 function using the same context, and jpayne@69: * only when the error code passed in is the same as that returned by the krb5 jpayne@69: * function. jpayne@69: * jpayne@69: * This function never returns NULL, so its result may be used unconditionally jpayne@69: * as a C string. jpayne@69: * jpayne@69: * The string returned by this function must be freed using jpayne@69: * krb5_free_error_message() jpayne@69: * jpayne@69: * @note Future versions may return the same string for the second jpayne@69: * and following calls. jpayne@69: */ jpayne@69: const char * KRB5_CALLCONV jpayne@69: krb5_get_error_message(krb5_context ctx, krb5_error_code code); jpayne@69: jpayne@69: /** jpayne@69: * Free an error message generated by krb5_get_error_message(). jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * @param [in] msg Pointer to error message jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_free_error_message(krb5_context ctx, const char *msg); jpayne@69: jpayne@69: /** jpayne@69: * Clear the extended error message in a context. jpayne@69: * jpayne@69: * @param [in] ctx Library context jpayne@69: * jpayne@69: * This function unsets the extended error message in a context, to ensure that jpayne@69: * it is not mistakenly applied to another occurrence of the same error code. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_clear_error_message(krb5_context ctx); jpayne@69: jpayne@69: /** jpayne@69: * Unwrap authorization data. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] type @ref KRB5_AUTHDATA type of @a container jpayne@69: * @param [in] container Authorization data to be decoded jpayne@69: * @param [out] authdata List of decoded authorization data jpayne@69: * jpayne@69: * @sa krb5_encode_authdata_container() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_decode_authdata_container(krb5_context context, jpayne@69: krb5_authdatatype type, jpayne@69: const krb5_authdata *container, jpayne@69: krb5_authdata ***authdata); jpayne@69: /** jpayne@69: * Wrap authorization data in a container. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] type @ref KRB5_AUTHDATA type of @a container jpayne@69: * @param [in] authdata List of authorization data to be encoded jpayne@69: * @param [out] container List of encoded authorization data jpayne@69: * jpayne@69: * The result is returned in @a container as a single-element list. jpayne@69: * jpayne@69: * @sa krb5_decode_authdata_container() jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_encode_authdata_container(krb5_context context, jpayne@69: krb5_authdatatype type, jpayne@69: krb5_authdata * const*authdata, jpayne@69: krb5_authdata ***container); jpayne@69: jpayne@69: /* jpayne@69: * AD-KDCIssued jpayne@69: */ jpayne@69: /** jpayne@69: * Encode and sign AD-KDCIssued authorization data. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Session key jpayne@69: * @param [in] issuer The name of the issuing principal jpayne@69: * @param [in] authdata List of authorization data to be signed jpayne@69: * @param [out] ad_kdcissued List containing AD-KDCIssued authdata jpayne@69: * jpayne@69: * This function wraps a list of authorization data entries @a authdata in an jpayne@69: * AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with @a key. jpayne@69: * The result is returned in @a ad_kdcissued as a single-element list. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_make_authdata_kdc_issued(krb5_context context, jpayne@69: const krb5_keyblock *key, jpayne@69: krb5_const_principal issuer, jpayne@69: krb5_authdata *const *authdata, jpayne@69: krb5_authdata ***ad_kdcissued); jpayne@69: jpayne@69: /** jpayne@69: * Unwrap and verify AD-KDCIssued authorization data. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] key Session key jpayne@69: * @param [in] ad_kdcissued AD-KDCIssued authorization data to be unwrapped jpayne@69: * @param [out] issuer Name of issuing principal (or NULL) jpayne@69: * @param [out] authdata Unwrapped list of authorization data jpayne@69: * jpayne@69: * This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section jpayne@69: * 5.2.6.2) and verifies its signature against @a key. The issuer field of the jpayne@69: * authdatum element is returned in @a issuer, and the unwrapped list of jpayne@69: * authdata is returned in @a authdata. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_verify_authdata_kdc_issued(krb5_context context, jpayne@69: const krb5_keyblock *key, jpayne@69: const krb5_authdata *ad_kdcissued, jpayne@69: krb5_principal *issuer, jpayne@69: krb5_authdata ***authdata); jpayne@69: jpayne@69: /* jpayne@69: * Windows PAC jpayne@69: */ jpayne@69: jpayne@69: /* Microsoft defined types of data */ jpayne@69: #define KRB5_PAC_LOGON_INFO 1 /**< Logon information */ jpayne@69: #define KRB5_PAC_CREDENTIALS_INFO 2 /**< Credentials information */ jpayne@69: #define KRB5_PAC_SERVER_CHECKSUM 6 /**< Server checksum */ jpayne@69: #define KRB5_PAC_PRIVSVR_CHECKSUM 7 /**< KDC checksum */ jpayne@69: #define KRB5_PAC_CLIENT_INFO 10 /**< Client name and ticket info */ jpayne@69: #define KRB5_PAC_DELEGATION_INFO 11 /**< Constrained delegation info */ jpayne@69: #define KRB5_PAC_UPN_DNS_INFO 12 /**< User principal name and DNS info */ jpayne@69: #define KRB5_PAC_CLIENT_CLAIMS 13 /**< Client claims information */ jpayne@69: #define KRB5_PAC_DEVICE_INFO 14 /**< Device information */ jpayne@69: #define KRB5_PAC_DEVICE_CLAIMS 15 /**< Device claims information */ jpayne@69: #define KRB5_PAC_TICKET_CHECKSUM 16 /**< Ticket checksum */ jpayne@69: #define KRB5_PAC_ATTRIBUTES_INFO 17 /**< PAC attributes */ jpayne@69: #define KRB5_PAC_REQUESTOR 18 /**< PAC requestor SID */ jpayne@69: jpayne@69: struct krb5_pac_data; jpayne@69: /** PAC data structure to convey authorization information */ jpayne@69: typedef struct krb5_pac_data *krb5_pac; jpayne@69: jpayne@69: /** jpayne@69: * Add a buffer to a PAC handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [in] type Buffer type jpayne@69: * @param [in] data contents jpayne@69: * jpayne@69: * This function adds a buffer of type @a type and contents @a data to @a pac jpayne@69: * if there isn't already a buffer of this type present. jpayne@69: * jpayne@69: * The valid values of @a type is one of the following: jpayne@69: * @li #KRB5_PAC_LOGON_INFO - Logon information jpayne@69: * @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information jpayne@69: * @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum jpayne@69: * @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum jpayne@69: * @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information jpayne@69: * @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information jpayne@69: * @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, jpayne@69: const krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Free a PAC handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC to be freed jpayne@69: * jpayne@69: * This function frees the contents of @a pac and the structure itself. jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_pac_free(krb5_context context, krb5_pac pac); jpayne@69: jpayne@69: /** jpayne@69: * Retrieve a buffer value from a PAC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [in] type Type of buffer to retrieve jpayne@69: * @param [out] data Buffer value jpayne@69: * jpayne@69: * Use krb5_free_data_contents() to free @a data when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, jpayne@69: krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Return an array of buffer types in a PAC handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [out] len Number of entries in @a types jpayne@69: * @param [out] types Array of buffer types jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len, jpayne@69: krb5_ui_4 **types); jpayne@69: jpayne@69: /** jpayne@69: * Create an empty Privilege Attribute Certificate (PAC) handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [out] pac New PAC handle jpayne@69: * jpayne@69: * Use krb5_pac_free() to free @a pac when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_init(krb5_context context, krb5_pac *pac); jpayne@69: jpayne@69: /** jpayne@69: * Unparse an encoded PAC into a new handle. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] ptr PAC buffer jpayne@69: * @param [in] len Length of @a ptr jpayne@69: * @param [out] pac PAC handle jpayne@69: * jpayne@69: * Use krb5_pac_free() to free @a pac when it is no longer needed. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_parse(krb5_context context, const void *ptr, size_t len, jpayne@69: krb5_pac *pac); jpayne@69: jpayne@69: /** jpayne@69: * Verify a PAC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [in] authtime Expected timestamp jpayne@69: * @param [in] principal Expected principal name (or NULL) jpayne@69: * @param [in] server Key to validate server checksum (or NULL) jpayne@69: * @param [in] privsvr Key to validate KDC checksum (or NULL) jpayne@69: * jpayne@69: * This function validates @a pac against the supplied @a server, @a privsvr, jpayne@69: * @a principal and @a authtime. If @a principal is NULL, the principal and jpayne@69: * authtime are not verified. If @a server or @a privsvr is NULL, the jpayne@69: * corresponding checksum is not verified. jpayne@69: * jpayne@69: * If successful, @a pac is marked as verified. jpayne@69: * jpayne@69: * @note A checksum mismatch can occur if the PAC was copied from a cross-realm jpayne@69: * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) jpayne@69: * generates PACs with no server checksum at all. One should consider not jpayne@69: * failing the whole authentication because of this reason, but, instead, jpayne@69: * treating the ticket as if it did not contain a PAC or marking the PAC jpayne@69: * information as non-verified. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_verify(krb5_context context, const krb5_pac pac, jpayne@69: krb5_timestamp authtime, krb5_const_principal principal, jpayne@69: const krb5_keyblock *server, const krb5_keyblock *privsvr); jpayne@69: jpayne@69: /** jpayne@69: * Verify a PAC, possibly from a specified realm. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [in] authtime Expected timestamp jpayne@69: * @param [in] principal Expected principal name (or NULL) jpayne@69: * @param [in] server Key to validate server checksum (or NULL) jpayne@69: * @param [in] privsvr Key to validate KDC checksum (or NULL) jpayne@69: * @param [in] with_realm If true, expect the realm of @a principal jpayne@69: * jpayne@69: * This function is similar to krb5_pac_verify(), but adds a parameter jpayne@69: * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field is jpayne@69: * expected to include the realm of @a principal as well as the name. This jpayne@69: * flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs. jpayne@69: * jpayne@69: * @version New in 1.17 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, jpayne@69: krb5_timestamp authtime, krb5_const_principal principal, jpayne@69: const krb5_keyblock *server, const krb5_keyblock *privsvr, jpayne@69: krb5_boolean with_realm); jpayne@69: jpayne@69: /** jpayne@69: * Verify a PAC, possibly including ticket signature jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC jpayne@69: * @param [in] server_princ Canonicalized name of ticket server jpayne@69: * @param [in] server Key to validate server checksum (or NULL) jpayne@69: * @param [in] privsvr Key to validate KDC checksum (or NULL) jpayne@69: * @param [out] pac_out Verified PAC (NULL if no PAC included) jpayne@69: * jpayne@69: * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is jpayne@69: * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service, jpayne@69: * require a ticket signature over @a enc_tkt in addition to the KDC signature. jpayne@69: * Place the verified PAC in @a pac_out. If an invalid PAC signature is found, jpayne@69: * return an error matching the Windows KDC protocol code for that condition as jpayne@69: * closely as possible. jpayne@69: * jpayne@69: * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return jpayne@69: * successfully. jpayne@69: * jpayne@69: * @note This function does not validate the PAC_CLIENT_INFO buffer. If a jpayne@69: * specific value is expected, the caller can make a separate call to jpayne@69: * krb5_pac_verify_ext() with a principal but no keys. jpayne@69: * jpayne@69: * @retval 0 Success; otherwise - Kerberos error codes jpayne@69: * jpayne@69: * @version New in 1.20 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, jpayne@69: krb5_const_principal server_princ, jpayne@69: const krb5_keyblock *server, jpayne@69: const krb5_keyblock *privsvr, krb5_pac *pac_out); jpayne@69: jpayne@69: /** @deprecated Use krb5_kdc_sign_ticket() instead. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, jpayne@69: krb5_const_principal principal, const krb5_keyblock *server_key, jpayne@69: const krb5_keyblock *privsvr_key, krb5_data *data); jpayne@69: jpayne@69: /** @deprecated Use krb5_kdc_sign_ticket() instead. */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, jpayne@69: krb5_const_principal principal, jpayne@69: const krb5_keyblock *server_key, jpayne@69: const krb5_keyblock *privsvr_key, krb5_boolean with_realm, jpayne@69: krb5_data *data); jpayne@69: jpayne@69: /** jpayne@69: * Sign a PAC, possibly including a ticket signature jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enc_tkt The ticket for the signature jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [in] server_princ Canonical ticket server name jpayne@69: * @param [in] client_princ PAC_CLIENT_INFO principal (or NULL) jpayne@69: * @param [in] server Key for server checksum jpayne@69: * @param [in] privsvr Key for KDC and ticket checksum jpayne@69: * @param [in] with_realm If true, include the realm of @a principal jpayne@69: * jpayne@69: * Sign @a pac using the keys @a server and @a privsvr. Include a ticket jpayne@69: * signature over @a enc_tkt if @a server_princ is not a TGS or kadmin/changepw jpayne@69: * principal name. Add the signed PAC's encoding to the authorization data of jpayne@69: * @a enc_tkt in the first slot, wrapped in an AD-IF-RELEVANT container. If @a jpayne@69: * client_princ is non-null, add a PAC_CLIENT_INFO buffer, including the realm jpayne@69: * if @a with_realm is true. jpayne@69: * jpayne@69: * @retval 0 on success, otherwise - Kerberos error codes jpayne@69: * jpayne@69: * @version New in 1.20 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, jpayne@69: const krb5_pac pac, krb5_const_principal server_princ, jpayne@69: krb5_const_principal client_princ, jpayne@69: const krb5_keyblock *server, const krb5_keyblock *privsvr, jpayne@69: krb5_boolean with_realm); jpayne@69: jpayne@69: /** jpayne@69: * Read client information from a PAC. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] pac PAC handle jpayne@69: * @param [out] authtime_out Authentication timestamp (NULL if not needed) jpayne@69: * @param [out] princname_out Client account name jpayne@69: * jpayne@69: * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as jpayne@69: * a string in @a princname_out. If @a authtime_out is not NULL, place the jpayne@69: * initial authentication timestamp in @a authtime_out. jpayne@69: * jpayne@69: * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a jpayne@69: * pac, ERANGE if the buffer contains invalid lengths. jpayne@69: * jpayne@69: * @version New in 1.18 jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, jpayne@69: krb5_timestamp *authtime_out, char **princname_out); jpayne@69: jpayne@69: /** jpayne@69: * Allow the application to override the profile's allow_weak_crypto setting. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] enable Boolean flag jpayne@69: * jpayne@69: * This function allows an application to override the allow_weak_crypto jpayne@69: * setting. It is primarily for use by aklog. jpayne@69: * jpayne@69: * @retval 0 (always) jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable); jpayne@69: jpayne@69: /** jpayne@69: * A wrapper for passing information to a @c krb5_trace_callback. jpayne@69: * jpayne@69: * Currently, it only contains the formatted message as determined jpayne@69: * the the format string and arguments of the tracing macro, but it jpayne@69: * may be extended to contain more fields in the future. jpayne@69: */ jpayne@69: typedef struct _krb5_trace_info { jpayne@69: const char *message; jpayne@69: } krb5_trace_info; jpayne@69: jpayne@69: typedef void jpayne@69: (KRB5_CALLCONV *krb5_trace_callback)(krb5_context context, jpayne@69: const krb5_trace_info *info, jpayne@69: void *cb_data); jpayne@69: jpayne@69: /** jpayne@69: * Specify a callback function for trace events. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] fn Callback function jpayne@69: * @param [in] cb_data Callback data jpayne@69: * jpayne@69: * Specify a callback for trace events occurring in krb5 operations performed jpayne@69: * within @a context. @a fn will be invoked with @a context as the first jpayne@69: * argument, @a cb_data as the last argument, and a pointer to a jpayne@69: * krb5_trace_info as the second argument. If the trace callback is reset via jpayne@69: * this function or @a context is destroyed, @a fn will be invoked with a NULL jpayne@69: * second argument so it can clean up @a cb_data. Supply a NULL value for @a jpayne@69: * fn to disable trace callbacks within @a context. jpayne@69: * jpayne@69: * @note This function overrides the information passed through the jpayne@69: * @a KRB5_TRACE environment variable. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library jpayne@69: * (unless @a fn is NULL). jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, jpayne@69: void *cb_data); jpayne@69: jpayne@69: /** jpayne@69: * Specify a file name for directing trace events. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] filename File name jpayne@69: * jpayne@69: * Open @a filename for appending (creating it, if necessary) and set up a jpayne@69: * callback to write trace events to it. jpayne@69: * jpayne@69: * @note This function overrides the information passed through the jpayne@69: * @a KRB5_TRACE environment variable. jpayne@69: * jpayne@69: * @version New in 1.9 jpayne@69: * jpayne@69: * @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library. jpayne@69: */ jpayne@69: krb5_error_code KRB5_CALLCONV jpayne@69: krb5_set_trace_filename(krb5_context context, const char *filename); jpayne@69: jpayne@69: jpayne@69: /** jpayne@69: * Hook function for inspecting or modifying messages sent to KDCs. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] data Callback data jpayne@69: * @param [in] realm The realm the message will be sent to jpayne@69: * @param [in] message The original message to be sent to the KDC jpayne@69: * @param [out] new_message_out Optional replacement message to be sent jpayne@69: * @param [out] new_reply_out Optional synthetic reply jpayne@69: * jpayne@69: * If the hook function returns an error code, the KDC communication will be jpayne@69: * aborted and the error code will be returned to the library operation which jpayne@69: * initiated the communication. jpayne@69: * jpayne@69: * If the hook function sets @a new_reply_out, @a message will not be sent to jpayne@69: * the KDC, and the given reply will used instead. jpayne@69: * jpayne@69: * If the hook function sets @a new_message_out, the given message will be sent jpayne@69: * to the KDC in place of @a message. jpayne@69: * jpayne@69: * If the hook function returns successfully without setting either output, jpayne@69: * @a message will be sent to the KDC normally. jpayne@69: * jpayne@69: * The hook function should use krb5_copy_data() to construct the value for jpayne@69: * @a new_message_out or @a reply_out, to ensure that it can be freed correctly jpayne@69: * by the library. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: * jpayne@69: * @retval 0 Success jpayne@69: * @return A Kerberos error code jpayne@69: */ jpayne@69: typedef krb5_error_code jpayne@69: (KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, jpayne@69: const krb5_data *realm, jpayne@69: const krb5_data *message, jpayne@69: krb5_data **new_message_out, jpayne@69: krb5_data **new_reply_out); jpayne@69: jpayne@69: /** jpayne@69: * Hook function for inspecting or overriding KDC replies. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] data Callback data jpayne@69: * @param [in] code Status of KDC communication jpayne@69: * @param [in] realm The realm the reply was received from jpayne@69: * @param [in] message The message sent to the realm's KDC jpayne@69: * @param [in] reply The reply received from the KDC jpayne@69: * @param [out] new_reply_out Optional replacement reply jpayne@69: * jpayne@69: * If @a code is zero, @a reply contains the reply received from the KDC. The jpayne@69: * hook function may return an error code to simulate an error, may synthesize jpayne@69: * a different reply by setting @a new_reply_out, or may simply return jpayne@69: * successfully to do nothing. jpayne@69: * jpayne@69: * If @a code is non-zero, KDC communication failed and @a reply should be jpayne@69: * ignored. The hook function may return @a code or a different error code, or jpayne@69: * may synthesize a reply by setting @a new_reply_out and return successfully. jpayne@69: * jpayne@69: * The hook function should use krb5_copy_data() to construct the value for jpayne@69: * @a new_reply_out, to ensure that it can be freed correctly by the library. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: * jpayne@69: * @retval 0 Success jpayne@69: * @return A Kerberos error code jpayne@69: */ jpayne@69: typedef krb5_error_code jpayne@69: (KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, jpayne@69: krb5_error_code code, jpayne@69: const krb5_data *realm, jpayne@69: const krb5_data *message, jpayne@69: const krb5_data *reply, jpayne@69: krb5_data **new_reply_out); jpayne@69: jpayne@69: /** jpayne@69: * Set a KDC pre-send hook function. jpayne@69: * jpayne@69: * @param [in] context Library context jpayne@69: * @param [in] send_hook Hook function (or NULL to disable the hook) jpayne@69: * @param [in] data Callback data to be passed to @a send_hook jpayne@69: * jpayne@69: * @a send_hook will be called before messages are sent to KDCs by library jpayne@69: * functions such as krb5_get_credentials(). The hook function may inspect, jpayne@69: * override, or synthesize its own reply to the message. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, jpayne@69: void *data); jpayne@69: jpayne@69: /** jpayne@69: * Set a KDC post-receive hook function. jpayne@69: * jpayne@69: * @param [in] context The library context. jpayne@69: * @param [in] recv_hook Hook function (or NULL to disable the hook) jpayne@69: * @param [in] data Callback data to be passed to @a recv_hook jpayne@69: * jpayne@69: * @a recv_hook will be called after a reply is received from a KDC during a jpayne@69: * call to a library function such as krb5_get_credentials(). The hook jpayne@69: * function may inspect or override the reply. This hook will not be executed jpayne@69: * if the pre-send hook returns a synthetic reply. jpayne@69: * jpayne@69: * @version New in 1.15 jpayne@69: */ jpayne@69: void KRB5_CALLCONV jpayne@69: krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, jpayne@69: void *data); jpayne@69: jpayne@69: #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) jpayne@69: #pragma pack(pop) jpayne@69: #endif jpayne@69: jpayne@69: KRB5INT_END_DECLS jpayne@69: jpayne@69: /* Don't use this! We're going to phase it out. It's just here to keep jpayne@69: applications from breaking right away. */ jpayne@69: #define krb5_const const jpayne@69: jpayne@69: #undef KRB5_ATTR_DEPRECATED jpayne@69: jpayne@69: /** @} */ /* end of KRB5_H group */ jpayne@69: jpayne@69: #endif /* KRB5_GENERAL__ */ jpayne@69: /* jpayne@69: * et-h-krb5_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define KRB5KDC_ERR_NONE (-1765328384L) jpayne@69: #define KRB5KDC_ERR_NAME_EXP (-1765328383L) jpayne@69: #define KRB5KDC_ERR_SERVICE_EXP (-1765328382L) jpayne@69: #define KRB5KDC_ERR_BAD_PVNO (-1765328381L) jpayne@69: #define KRB5KDC_ERR_C_OLD_MAST_KVNO (-1765328380L) jpayne@69: #define KRB5KDC_ERR_S_OLD_MAST_KVNO (-1765328379L) jpayne@69: #define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L) jpayne@69: #define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L) jpayne@69: #define KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE (-1765328376L) jpayne@69: #define KRB5KDC_ERR_NULL_KEY (-1765328375L) jpayne@69: #define KRB5KDC_ERR_CANNOT_POSTDATE (-1765328374L) jpayne@69: #define KRB5KDC_ERR_NEVER_VALID (-1765328373L) jpayne@69: #define KRB5KDC_ERR_POLICY (-1765328372L) jpayne@69: #define KRB5KDC_ERR_BADOPTION (-1765328371L) jpayne@69: #define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L) jpayne@69: #define KRB5KDC_ERR_SUMTYPE_NOSUPP (-1765328369L) jpayne@69: #define KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368L) jpayne@69: #define KRB5KDC_ERR_TRTYPE_NOSUPP (-1765328367L) jpayne@69: #define KRB5KDC_ERR_CLIENT_REVOKED (-1765328366L) jpayne@69: #define KRB5KDC_ERR_SERVICE_REVOKED (-1765328365L) jpayne@69: #define KRB5KDC_ERR_TGT_REVOKED (-1765328364L) jpayne@69: #define KRB5KDC_ERR_CLIENT_NOTYET (-1765328363L) jpayne@69: #define KRB5KDC_ERR_SERVICE_NOTYET (-1765328362L) jpayne@69: #define KRB5KDC_ERR_KEY_EXP (-1765328361L) jpayne@69: #define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L) jpayne@69: #define KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359L) jpayne@69: #define KRB5KDC_ERR_SERVER_NOMATCH (-1765328358L) jpayne@69: #define KRB5KDC_ERR_MUST_USE_USER2USER (-1765328357L) jpayne@69: #define KRB5KDC_ERR_PATH_NOT_ACCEPTED (-1765328356L) jpayne@69: #define KRB5KDC_ERR_SVC_UNAVAILABLE (-1765328355L) jpayne@69: #define KRB5PLACEHOLD_30 (-1765328354L) jpayne@69: #define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L) jpayne@69: #define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L) jpayne@69: #define KRB5KRB_AP_ERR_TKT_NYV (-1765328351L) jpayne@69: #define KRB5KRB_AP_ERR_REPEAT (-1765328350L) jpayne@69: #define KRB5KRB_AP_ERR_NOT_US (-1765328349L) jpayne@69: #define KRB5KRB_AP_ERR_BADMATCH (-1765328348L) jpayne@69: #define KRB5KRB_AP_ERR_SKEW (-1765328347L) jpayne@69: #define KRB5KRB_AP_ERR_BADADDR (-1765328346L) jpayne@69: #define KRB5KRB_AP_ERR_BADVERSION (-1765328345L) jpayne@69: #define KRB5KRB_AP_ERR_MSG_TYPE (-1765328344L) jpayne@69: #define KRB5KRB_AP_ERR_MODIFIED (-1765328343L) jpayne@69: #define KRB5KRB_AP_ERR_BADORDER (-1765328342L) jpayne@69: #define KRB5KRB_AP_ERR_ILL_CR_TKT (-1765328341L) jpayne@69: #define KRB5KRB_AP_ERR_BADKEYVER (-1765328340L) jpayne@69: #define KRB5KRB_AP_ERR_NOKEY (-1765328339L) jpayne@69: #define KRB5KRB_AP_ERR_MUT_FAIL (-1765328338L) jpayne@69: #define KRB5KRB_AP_ERR_BADDIRECTION (-1765328337L) jpayne@69: #define KRB5KRB_AP_ERR_METHOD (-1765328336L) jpayne@69: #define KRB5KRB_AP_ERR_BADSEQ (-1765328335L) jpayne@69: #define KRB5KRB_AP_ERR_INAPP_CKSUM (-1765328334L) jpayne@69: #define KRB5KRB_AP_PATH_NOT_ACCEPTED (-1765328333L) jpayne@69: #define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) jpayne@69: #define KRB5PLACEHOLD_53 (-1765328331L) jpayne@69: #define KRB5PLACEHOLD_54 (-1765328330L) jpayne@69: #define KRB5PLACEHOLD_55 (-1765328329L) jpayne@69: #define KRB5PLACEHOLD_56 (-1765328328L) jpayne@69: #define KRB5PLACEHOLD_57 (-1765328327L) jpayne@69: #define KRB5PLACEHOLD_58 (-1765328326L) jpayne@69: #define KRB5PLACEHOLD_59 (-1765328325L) jpayne@69: #define KRB5KRB_ERR_GENERIC (-1765328324L) jpayne@69: #define KRB5KRB_ERR_FIELD_TOOLONG (-1765328323L) jpayne@69: #define KRB5KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322L) jpayne@69: #define KRB5KDC_ERR_KDC_NOT_TRUSTED (-1765328321L) jpayne@69: #define KRB5KDC_ERR_INVALID_SIG (-1765328320L) jpayne@69: #define KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (-1765328319L) jpayne@69: #define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-1765328318L) jpayne@69: #define KRB5KRB_AP_ERR_NO_TGT (-1765328317L) jpayne@69: #define KRB5KDC_ERR_WRONG_REALM (-1765328316L) jpayne@69: #define KRB5KRB_AP_ERR_USER_TO_USER_REQUIRED (-1765328315L) jpayne@69: #define KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE (-1765328314L) jpayne@69: #define KRB5KDC_ERR_INVALID_CERTIFICATE (-1765328313L) jpayne@69: #define KRB5KDC_ERR_REVOKED_CERTIFICATE (-1765328312L) jpayne@69: #define KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN (-1765328311L) jpayne@69: #define KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (-1765328310L) jpayne@69: #define KRB5KDC_ERR_CLIENT_NAME_MISMATCH (-1765328309L) jpayne@69: #define KRB5KDC_ERR_KDC_NAME_MISMATCH (-1765328308L) jpayne@69: #define KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE (-1765328307L) jpayne@69: #define KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (-1765328306L) jpayne@69: #define KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (-1765328305L) jpayne@69: #define KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (-1765328304L) jpayne@69: #define KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (-1765328303L) jpayne@69: #define KRB5PLACEHOLD_82 (-1765328302L) jpayne@69: #define KRB5PLACEHOLD_83 (-1765328301L) jpayne@69: #define KRB5PLACEHOLD_84 (-1765328300L) jpayne@69: #define KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND (-1765328299L) jpayne@69: #define KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE (-1765328298L) jpayne@69: #define KRB5PLACEHOLD_87 (-1765328297L) jpayne@69: #define KRB5PLACEHOLD_88 (-1765328296L) jpayne@69: #define KRB5PLACEHOLD_89 (-1765328295L) jpayne@69: #define KRB5KDC_ERR_PREAUTH_EXPIRED (-1765328294L) jpayne@69: #define KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (-1765328293L) jpayne@69: #define KRB5PLACEHOLD_92 (-1765328292L) jpayne@69: #define KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION (-1765328291L) jpayne@69: #define KRB5PLACEHOLD_94 (-1765328290L) jpayne@69: #define KRB5PLACEHOLD_95 (-1765328289L) jpayne@69: #define KRB5PLACEHOLD_96 (-1765328288L) jpayne@69: #define KRB5PLACEHOLD_97 (-1765328287L) jpayne@69: #define KRB5PLACEHOLD_98 (-1765328286L) jpayne@69: #define KRB5PLACEHOLD_99 (-1765328285L) jpayne@69: #define KRB5KDC_ERR_NO_ACCEPTABLE_KDF (-1765328284L) jpayne@69: #define KRB5PLACEHOLD_101 (-1765328283L) jpayne@69: #define KRB5PLACEHOLD_102 (-1765328282L) jpayne@69: #define KRB5PLACEHOLD_103 (-1765328281L) jpayne@69: #define KRB5PLACEHOLD_104 (-1765328280L) jpayne@69: #define KRB5PLACEHOLD_105 (-1765328279L) jpayne@69: #define KRB5PLACEHOLD_106 (-1765328278L) jpayne@69: #define KRB5PLACEHOLD_107 (-1765328277L) jpayne@69: #define KRB5PLACEHOLD_108 (-1765328276L) jpayne@69: #define KRB5PLACEHOLD_109 (-1765328275L) jpayne@69: #define KRB5PLACEHOLD_110 (-1765328274L) jpayne@69: #define KRB5PLACEHOLD_111 (-1765328273L) jpayne@69: #define KRB5PLACEHOLD_112 (-1765328272L) jpayne@69: #define KRB5PLACEHOLD_113 (-1765328271L) jpayne@69: #define KRB5PLACEHOLD_114 (-1765328270L) jpayne@69: #define KRB5PLACEHOLD_115 (-1765328269L) jpayne@69: #define KRB5PLACEHOLD_116 (-1765328268L) jpayne@69: #define KRB5PLACEHOLD_117 (-1765328267L) jpayne@69: #define KRB5PLACEHOLD_118 (-1765328266L) jpayne@69: #define KRB5PLACEHOLD_119 (-1765328265L) jpayne@69: #define KRB5PLACEHOLD_120 (-1765328264L) jpayne@69: #define KRB5PLACEHOLD_121 (-1765328263L) jpayne@69: #define KRB5PLACEHOLD_122 (-1765328262L) jpayne@69: #define KRB5PLACEHOLD_123 (-1765328261L) jpayne@69: #define KRB5PLACEHOLD_124 (-1765328260L) jpayne@69: #define KRB5PLACEHOLD_125 (-1765328259L) jpayne@69: #define KRB5PLACEHOLD_126 (-1765328258L) jpayne@69: #define KRB5PLACEHOLD_127 (-1765328257L) jpayne@69: #define KRB5_ERR_RCSID (-1765328256L) jpayne@69: #define KRB5_LIBOS_BADLOCKFLAG (-1765328255L) jpayne@69: #define KRB5_LIBOS_CANTREADPWD (-1765328254L) jpayne@69: #define KRB5_LIBOS_BADPWDMATCH (-1765328253L) jpayne@69: #define KRB5_LIBOS_PWDINTR (-1765328252L) jpayne@69: #define KRB5_PARSE_ILLCHAR (-1765328251L) jpayne@69: #define KRB5_PARSE_MALFORMED (-1765328250L) jpayne@69: #define KRB5_CONFIG_CANTOPEN (-1765328249L) jpayne@69: #define KRB5_CONFIG_BADFORMAT (-1765328248L) jpayne@69: #define KRB5_CONFIG_NOTENUFSPACE (-1765328247L) jpayne@69: #define KRB5_BADMSGTYPE (-1765328246L) jpayne@69: #define KRB5_CC_BADNAME (-1765328245L) jpayne@69: #define KRB5_CC_UNKNOWN_TYPE (-1765328244L) jpayne@69: #define KRB5_CC_NOTFOUND (-1765328243L) jpayne@69: #define KRB5_CC_END (-1765328242L) jpayne@69: #define KRB5_NO_TKT_SUPPLIED (-1765328241L) jpayne@69: #define KRB5KRB_AP_WRONG_PRINC (-1765328240L) jpayne@69: #define KRB5KRB_AP_ERR_TKT_INVALID (-1765328239L) jpayne@69: #define KRB5_PRINC_NOMATCH (-1765328238L) jpayne@69: #define KRB5_KDCREP_MODIFIED (-1765328237L) jpayne@69: #define KRB5_KDCREP_SKEW (-1765328236L) jpayne@69: #define KRB5_IN_TKT_REALM_MISMATCH (-1765328235L) jpayne@69: #define KRB5_PROG_ETYPE_NOSUPP (-1765328234L) jpayne@69: #define KRB5_PROG_KEYTYPE_NOSUPP (-1765328233L) jpayne@69: #define KRB5_WRONG_ETYPE (-1765328232L) jpayne@69: #define KRB5_PROG_SUMTYPE_NOSUPP (-1765328231L) jpayne@69: #define KRB5_REALM_UNKNOWN (-1765328230L) jpayne@69: #define KRB5_SERVICE_UNKNOWN (-1765328229L) jpayne@69: #define KRB5_KDC_UNREACH (-1765328228L) jpayne@69: #define KRB5_NO_LOCALNAME (-1765328227L) jpayne@69: #define KRB5_MUTUAL_FAILED (-1765328226L) jpayne@69: #define KRB5_RC_TYPE_EXISTS (-1765328225L) jpayne@69: #define KRB5_RC_MALLOC (-1765328224L) jpayne@69: #define KRB5_RC_TYPE_NOTFOUND (-1765328223L) jpayne@69: #define KRB5_RC_UNKNOWN (-1765328222L) jpayne@69: #define KRB5_RC_REPLAY (-1765328221L) jpayne@69: #define KRB5_RC_IO (-1765328220L) jpayne@69: #define KRB5_RC_NOIO (-1765328219L) jpayne@69: #define KRB5_RC_PARSE (-1765328218L) jpayne@69: #define KRB5_RC_IO_EOF (-1765328217L) jpayne@69: #define KRB5_RC_IO_MALLOC (-1765328216L) jpayne@69: #define KRB5_RC_IO_PERM (-1765328215L) jpayne@69: #define KRB5_RC_IO_IO (-1765328214L) jpayne@69: #define KRB5_RC_IO_UNKNOWN (-1765328213L) jpayne@69: #define KRB5_RC_IO_SPACE (-1765328212L) jpayne@69: #define KRB5_TRANS_CANTOPEN (-1765328211L) jpayne@69: #define KRB5_TRANS_BADFORMAT (-1765328210L) jpayne@69: #define KRB5_LNAME_CANTOPEN (-1765328209L) jpayne@69: #define KRB5_LNAME_NOTRANS (-1765328208L) jpayne@69: #define KRB5_LNAME_BADFORMAT (-1765328207L) jpayne@69: #define KRB5_CRYPTO_INTERNAL (-1765328206L) jpayne@69: #define KRB5_KT_BADNAME (-1765328205L) jpayne@69: #define KRB5_KT_UNKNOWN_TYPE (-1765328204L) jpayne@69: #define KRB5_KT_NOTFOUND (-1765328203L) jpayne@69: #define KRB5_KT_END (-1765328202L) jpayne@69: #define KRB5_KT_NOWRITE (-1765328201L) jpayne@69: #define KRB5_KT_IOERR (-1765328200L) jpayne@69: #define KRB5_NO_TKT_IN_RLM (-1765328199L) jpayne@69: #define KRB5DES_BAD_KEYPAR (-1765328198L) jpayne@69: #define KRB5DES_WEAK_KEY (-1765328197L) jpayne@69: #define KRB5_BAD_ENCTYPE (-1765328196L) jpayne@69: #define KRB5_BAD_KEYSIZE (-1765328195L) jpayne@69: #define KRB5_BAD_MSIZE (-1765328194L) jpayne@69: #define KRB5_CC_TYPE_EXISTS (-1765328193L) jpayne@69: #define KRB5_KT_TYPE_EXISTS (-1765328192L) jpayne@69: #define KRB5_CC_IO (-1765328191L) jpayne@69: #define KRB5_FCC_PERM (-1765328190L) jpayne@69: #define KRB5_FCC_NOFILE (-1765328189L) jpayne@69: #define KRB5_FCC_INTERNAL (-1765328188L) jpayne@69: #define KRB5_CC_WRITE (-1765328187L) jpayne@69: #define KRB5_CC_NOMEM (-1765328186L) jpayne@69: #define KRB5_CC_FORMAT (-1765328185L) jpayne@69: #define KRB5_CC_NOT_KTYPE (-1765328184L) jpayne@69: #define KRB5_INVALID_FLAGS (-1765328183L) jpayne@69: #define KRB5_NO_2ND_TKT (-1765328182L) jpayne@69: #define KRB5_NOCREDS_SUPPLIED (-1765328181L) jpayne@69: #define KRB5_SENDAUTH_BADAUTHVERS (-1765328180L) jpayne@69: #define KRB5_SENDAUTH_BADAPPLVERS (-1765328179L) jpayne@69: #define KRB5_SENDAUTH_BADRESPONSE (-1765328178L) jpayne@69: #define KRB5_SENDAUTH_REJECTED (-1765328177L) jpayne@69: #define KRB5_PREAUTH_BAD_TYPE (-1765328176L) jpayne@69: #define KRB5_PREAUTH_NO_KEY (-1765328175L) jpayne@69: #define KRB5_PREAUTH_FAILED (-1765328174L) jpayne@69: #define KRB5_RCACHE_BADVNO (-1765328173L) jpayne@69: #define KRB5_CCACHE_BADVNO (-1765328172L) jpayne@69: #define KRB5_KEYTAB_BADVNO (-1765328171L) jpayne@69: #define KRB5_PROG_ATYPE_NOSUPP (-1765328170L) jpayne@69: #define KRB5_RC_REQUIRED (-1765328169L) jpayne@69: #define KRB5_ERR_BAD_HOSTNAME (-1765328168L) jpayne@69: #define KRB5_ERR_HOST_REALM_UNKNOWN (-1765328167L) jpayne@69: #define KRB5_SNAME_UNSUPP_NAMETYPE (-1765328166L) jpayne@69: #define KRB5KRB_AP_ERR_V4_REPLY (-1765328165L) jpayne@69: #define KRB5_REALM_CANT_RESOLVE (-1765328164L) jpayne@69: #define KRB5_TKT_NOT_FORWARDABLE (-1765328163L) jpayne@69: #define KRB5_FWD_BAD_PRINCIPAL (-1765328162L) jpayne@69: #define KRB5_GET_IN_TKT_LOOP (-1765328161L) jpayne@69: #define KRB5_CONFIG_NODEFREALM (-1765328160L) jpayne@69: #define KRB5_SAM_UNSUPPORTED (-1765328159L) jpayne@69: #define KRB5_SAM_INVALID_ETYPE (-1765328158L) jpayne@69: #define KRB5_SAM_NO_CHECKSUM (-1765328157L) jpayne@69: #define KRB5_SAM_BAD_CHECKSUM (-1765328156L) jpayne@69: #define KRB5_KT_NAME_TOOLONG (-1765328155L) jpayne@69: #define KRB5_KT_KVNONOTFOUND (-1765328154L) jpayne@69: #define KRB5_APPL_EXPIRED (-1765328153L) jpayne@69: #define KRB5_LIB_EXPIRED (-1765328152L) jpayne@69: #define KRB5_CHPW_PWDNULL (-1765328151L) jpayne@69: #define KRB5_CHPW_FAIL (-1765328150L) jpayne@69: #define KRB5_KT_FORMAT (-1765328149L) jpayne@69: #define KRB5_NOPERM_ETYPE (-1765328148L) jpayne@69: #define KRB5_CONFIG_ETYPE_NOSUPP (-1765328147L) jpayne@69: #define KRB5_OBSOLETE_FN (-1765328146L) jpayne@69: #define KRB5_EAI_FAIL (-1765328145L) jpayne@69: #define KRB5_EAI_NODATA (-1765328144L) jpayne@69: #define KRB5_EAI_NONAME (-1765328143L) jpayne@69: #define KRB5_EAI_SERVICE (-1765328142L) jpayne@69: #define KRB5_ERR_NUMERIC_REALM (-1765328141L) jpayne@69: #define KRB5_ERR_BAD_S2K_PARAMS (-1765328140L) jpayne@69: #define KRB5_ERR_NO_SERVICE (-1765328139L) jpayne@69: #define KRB5_CC_READONLY (-1765328138L) jpayne@69: #define KRB5_CC_NOSUPP (-1765328137L) jpayne@69: #define KRB5_DELTAT_BADFORMAT (-1765328136L) jpayne@69: #define KRB5_PLUGIN_NO_HANDLE (-1765328135L) jpayne@69: #define KRB5_PLUGIN_OP_NOTSUPP (-1765328134L) jpayne@69: #define KRB5_ERR_INVALID_UTF8 (-1765328133L) jpayne@69: #define KRB5_ERR_FAST_REQUIRED (-1765328132L) jpayne@69: #define KRB5_LOCAL_ADDR_REQUIRED (-1765328131L) jpayne@69: #define KRB5_REMOTE_ADDR_REQUIRED (-1765328130L) jpayne@69: #define KRB5_TRACE_NOSUPP (-1765328129L) jpayne@69: #define ERROR_TABLE_BASE_krb5 (-1765328384L) jpayne@69: jpayne@69: extern const struct error_table et_krb5_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_krb5_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_krb5_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_krb5_err_tbl initialize_krb5_error_table jpayne@69: #define krb5_err_base ERROR_TABLE_BASE_krb5 jpayne@69: #endif jpayne@69: /* jpayne@69: * et-h-k5e1_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define KRB5_PLUGIN_VER_NOTSUPP (-1750600192L) jpayne@69: #define KRB5_PLUGIN_BAD_MODULE_SPEC (-1750600191L) jpayne@69: #define KRB5_PLUGIN_NAME_NOTFOUND (-1750600190L) jpayne@69: #define KRB5KDC_ERR_DISCARD (-1750600189L) jpayne@69: #define KRB5_DCC_CANNOT_CREATE (-1750600188L) jpayne@69: #define KRB5_KCC_INVALID_ANCHOR (-1750600187L) jpayne@69: #define KRB5_KCC_UNKNOWN_VERSION (-1750600186L) jpayne@69: #define KRB5_KCC_INVALID_UID (-1750600185L) jpayne@69: #define KRB5_KCM_MALFORMED_REPLY (-1750600184L) jpayne@69: #define KRB5_KCM_RPC_ERROR (-1750600183L) jpayne@69: #define KRB5_KCM_REPLY_TOO_BIG (-1750600182L) jpayne@69: #define KRB5_KCM_NO_SERVER (-1750600181L) jpayne@69: #define KRB5_CERTAUTH_HWAUTH (-1750600180L) jpayne@69: #define KRB5_CERTAUTH_HWAUTH_PASS (-1750600179L) jpayne@69: #define ERROR_TABLE_BASE_k5e1 (-1750600192L) jpayne@69: jpayne@69: extern const struct error_table et_k5e1_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_k5e1_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_k5e1_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_k5e1_err_tbl initialize_k5e1_error_table jpayne@69: #define k5e1_err_base ERROR_TABLE_BASE_k5e1 jpayne@69: #endif jpayne@69: /* jpayne@69: * et-h-kdb5_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define KRB5_KDB_RCSID (-1780008448L) jpayne@69: #define KRB5_KDB_INUSE (-1780008447L) jpayne@69: #define KRB5_KDB_UK_SERROR (-1780008446L) jpayne@69: #define KRB5_KDB_UK_RERROR (-1780008445L) jpayne@69: #define KRB5_KDB_UNAUTH (-1780008444L) jpayne@69: #define KRB5_KDB_NOENTRY (-1780008443L) jpayne@69: #define KRB5_KDB_ILL_WILDCARD (-1780008442L) jpayne@69: #define KRB5_KDB_DB_INUSE (-1780008441L) jpayne@69: #define KRB5_KDB_DB_CHANGED (-1780008440L) jpayne@69: #define KRB5_KDB_TRUNCATED_RECORD (-1780008439L) jpayne@69: #define KRB5_KDB_RECURSIVELOCK (-1780008438L) jpayne@69: #define KRB5_KDB_NOTLOCKED (-1780008437L) jpayne@69: #define KRB5_KDB_BADLOCKMODE (-1780008436L) jpayne@69: #define KRB5_KDB_DBNOTINITED (-1780008435L) jpayne@69: #define KRB5_KDB_DBINITED (-1780008434L) jpayne@69: #define KRB5_KDB_ILLDIRECTION (-1780008433L) jpayne@69: #define KRB5_KDB_NOMASTERKEY (-1780008432L) jpayne@69: #define KRB5_KDB_BADMASTERKEY (-1780008431L) jpayne@69: #define KRB5_KDB_INVALIDKEYSIZE (-1780008430L) jpayne@69: #define KRB5_KDB_CANTREAD_STORED (-1780008429L) jpayne@69: #define KRB5_KDB_BADSTORED_MKEY (-1780008428L) jpayne@69: #define KRB5_KDB_NOACTMASTERKEY (-1780008427L) jpayne@69: #define KRB5_KDB_KVNONOMATCH (-1780008426L) jpayne@69: #define KRB5_KDB_STORED_MKEY_NOTCURRENT (-1780008425L) jpayne@69: #define KRB5_KDB_CANTLOCK_DB (-1780008424L) jpayne@69: #define KRB5_KDB_DB_CORRUPT (-1780008423L) jpayne@69: #define KRB5_KDB_BAD_VERSION (-1780008422L) jpayne@69: #define KRB5_KDB_BAD_SALTTYPE (-1780008421L) jpayne@69: #define KRB5_KDB_BAD_ENCTYPE (-1780008420L) jpayne@69: #define KRB5_KDB_BAD_CREATEFLAGS (-1780008419L) jpayne@69: #define KRB5_KDB_NO_PERMITTED_KEY (-1780008418L) jpayne@69: #define KRB5_KDB_NO_MATCHING_KEY (-1780008417L) jpayne@69: #define KRB5_KDB_DBTYPE_NOTFOUND (-1780008416L) jpayne@69: #define KRB5_KDB_DBTYPE_NOSUP (-1780008415L) jpayne@69: #define KRB5_KDB_DBTYPE_INIT (-1780008414L) jpayne@69: #define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008413L) jpayne@69: #define KRB5_KDB_ACCESS_ERROR (-1780008412L) jpayne@69: #define KRB5_KDB_INTERNAL_ERROR (-1780008411L) jpayne@69: #define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008410L) jpayne@69: #define KRB5_LOG_CONV (-1780008409L) jpayne@69: #define KRB5_LOG_UNSTABLE (-1780008408L) jpayne@69: #define KRB5_LOG_CORRUPT (-1780008407L) jpayne@69: #define KRB5_LOG_ERROR (-1780008406L) jpayne@69: #define KRB5_KDB_DBTYPE_MISMATCH (-1780008405L) jpayne@69: #define KRB5_KDB_POLICY_REF (-1780008404L) jpayne@69: #define KRB5_KDB_STRINGS_TOOLONG (-1780008403L) jpayne@69: #define ERROR_TABLE_BASE_kdb5 (-1780008448L) jpayne@69: jpayne@69: extern const struct error_table et_kdb5_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_kdb5_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_kdb5_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_kdb5_err_tbl initialize_kdb5_error_table jpayne@69: #define kdb5_err_base ERROR_TABLE_BASE_kdb5 jpayne@69: #endif jpayne@69: /* jpayne@69: * et-h-kv5m_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define KV5M_NONE (-1760647424L) jpayne@69: #define KV5M_PRINCIPAL (-1760647423L) jpayne@69: #define KV5M_DATA (-1760647422L) jpayne@69: #define KV5M_KEYBLOCK (-1760647421L) jpayne@69: #define KV5M_CHECKSUM (-1760647420L) jpayne@69: #define KV5M_ENCRYPT_BLOCK (-1760647419L) jpayne@69: #define KV5M_ENC_DATA (-1760647418L) jpayne@69: #define KV5M_CRYPTOSYSTEM_ENTRY (-1760647417L) jpayne@69: #define KV5M_CS_TABLE_ENTRY (-1760647416L) jpayne@69: #define KV5M_CHECKSUM_ENTRY (-1760647415L) jpayne@69: #define KV5M_AUTHDATA (-1760647414L) jpayne@69: #define KV5M_TRANSITED (-1760647413L) jpayne@69: #define KV5M_ENC_TKT_PART (-1760647412L) jpayne@69: #define KV5M_TICKET (-1760647411L) jpayne@69: #define KV5M_AUTHENTICATOR (-1760647410L) jpayne@69: #define KV5M_TKT_AUTHENT (-1760647409L) jpayne@69: #define KV5M_CREDS (-1760647408L) jpayne@69: #define KV5M_LAST_REQ_ENTRY (-1760647407L) jpayne@69: #define KV5M_PA_DATA (-1760647406L) jpayne@69: #define KV5M_KDC_REQ (-1760647405L) jpayne@69: #define KV5M_ENC_KDC_REP_PART (-1760647404L) jpayne@69: #define KV5M_KDC_REP (-1760647403L) jpayne@69: #define KV5M_ERROR (-1760647402L) jpayne@69: #define KV5M_AP_REQ (-1760647401L) jpayne@69: #define KV5M_AP_REP (-1760647400L) jpayne@69: #define KV5M_AP_REP_ENC_PART (-1760647399L) jpayne@69: #define KV5M_RESPONSE (-1760647398L) jpayne@69: #define KV5M_SAFE (-1760647397L) jpayne@69: #define KV5M_PRIV (-1760647396L) jpayne@69: #define KV5M_PRIV_ENC_PART (-1760647395L) jpayne@69: #define KV5M_CRED (-1760647394L) jpayne@69: #define KV5M_CRED_INFO (-1760647393L) jpayne@69: #define KV5M_CRED_ENC_PART (-1760647392L) jpayne@69: #define KV5M_PWD_DATA (-1760647391L) jpayne@69: #define KV5M_ADDRESS (-1760647390L) jpayne@69: #define KV5M_KEYTAB_ENTRY (-1760647389L) jpayne@69: #define KV5M_CONTEXT (-1760647388L) jpayne@69: #define KV5M_OS_CONTEXT (-1760647387L) jpayne@69: #define KV5M_ALT_METHOD (-1760647386L) jpayne@69: #define KV5M_ETYPE_INFO_ENTRY (-1760647385L) jpayne@69: #define KV5M_DB_CONTEXT (-1760647384L) jpayne@69: #define KV5M_AUTH_CONTEXT (-1760647383L) jpayne@69: #define KV5M_KEYTAB (-1760647382L) jpayne@69: #define KV5M_RCACHE (-1760647381L) jpayne@69: #define KV5M_CCACHE (-1760647380L) jpayne@69: #define KV5M_PREAUTH_OPS (-1760647379L) jpayne@69: #define KV5M_SAM_CHALLENGE (-1760647378L) jpayne@69: #define KV5M_SAM_CHALLENGE_2 (-1760647377L) jpayne@69: #define KV5M_SAM_KEY (-1760647376L) jpayne@69: #define KV5M_ENC_SAM_RESPONSE_ENC (-1760647375L) jpayne@69: #define KV5M_ENC_SAM_RESPONSE_ENC_2 (-1760647374L) jpayne@69: #define KV5M_SAM_RESPONSE (-1760647373L) jpayne@69: #define KV5M_SAM_RESPONSE_2 (-1760647372L) jpayne@69: #define KV5M_PREDICTED_SAM_RESPONSE (-1760647371L) jpayne@69: #define KV5M_PASSWD_PHRASE_ELEMENT (-1760647370L) jpayne@69: #define KV5M_GSS_OID (-1760647369L) jpayne@69: #define KV5M_GSS_QUEUE (-1760647368L) jpayne@69: #define KV5M_FAST_ARMORED_REQ (-1760647367L) jpayne@69: #define KV5M_FAST_REQ (-1760647366L) jpayne@69: #define KV5M_FAST_RESPONSE (-1760647365L) jpayne@69: #define KV5M_AUTHDATA_CONTEXT (-1760647364L) jpayne@69: #define ERROR_TABLE_BASE_kv5m (-1760647424L) jpayne@69: jpayne@69: extern const struct error_table et_kv5m_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_kv5m_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_kv5m_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_kv5m_err_tbl initialize_kv5m_error_table jpayne@69: #define kv5m_err_base ERROR_TABLE_BASE_kv5m jpayne@69: #endif jpayne@69: /* jpayne@69: * et-h-krb524_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define KRB524_BADKEY (-1750206208L) jpayne@69: #define KRB524_BADADDR (-1750206207L) jpayne@69: #define KRB524_BADPRINC (-1750206206L) jpayne@69: #define KRB524_BADREALM (-1750206205L) jpayne@69: #define KRB524_V4ERR (-1750206204L) jpayne@69: #define KRB524_ENCFULL (-1750206203L) jpayne@69: #define KRB524_DECEMPTY (-1750206202L) jpayne@69: #define KRB524_NOTRESP (-1750206201L) jpayne@69: #define KRB524_KRB4_DISABLED (-1750206200L) jpayne@69: #define ERROR_TABLE_BASE_k524 (-1750206208L) jpayne@69: jpayne@69: extern const struct error_table et_k524_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_k524_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_k524_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_k524_err_tbl initialize_k524_error_table jpayne@69: #define k524_err_base ERROR_TABLE_BASE_k524 jpayne@69: #endif jpayne@69: /* jpayne@69: * et-h-asn1_err.h: jpayne@69: * This file is automatically generated; please do not edit it. jpayne@69: */ jpayne@69: jpayne@69: #include jpayne@69: jpayne@69: #define ASN1_BAD_TIMEFORMAT (1859794432L) jpayne@69: #define ASN1_MISSING_FIELD (1859794433L) jpayne@69: #define ASN1_MISPLACED_FIELD (1859794434L) jpayne@69: #define ASN1_TYPE_MISMATCH (1859794435L) jpayne@69: #define ASN1_OVERFLOW (1859794436L) jpayne@69: #define ASN1_OVERRUN (1859794437L) jpayne@69: #define ASN1_BAD_ID (1859794438L) jpayne@69: #define ASN1_BAD_LENGTH (1859794439L) jpayne@69: #define ASN1_BAD_FORMAT (1859794440L) jpayne@69: #define ASN1_PARSE_ERROR (1859794441L) jpayne@69: #define ASN1_BAD_GMTIME (1859794442L) jpayne@69: #define ASN1_INDEF (1859794443L) jpayne@69: #define ASN1_MISSING_EOC (1859794444L) jpayne@69: #define ASN1_OMITTED (1859794445L) jpayne@69: #define ERROR_TABLE_BASE_asn1 (1859794432L) jpayne@69: jpayne@69: extern const struct error_table et_asn1_error_table; jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: /* for compatibility with older versions... */ jpayne@69: extern void initialize_asn1_error_table (void) /*@modifies internalState@*/; jpayne@69: #else jpayne@69: #define initialize_asn1_error_table() jpayne@69: #endif jpayne@69: jpayne@69: #if !defined(_WIN32) jpayne@69: #define init_asn1_err_tbl initialize_asn1_error_table jpayne@69: #define asn1_err_base ERROR_TABLE_BASE_asn1 jpayne@69: #endif jpayne@69: #endif /* KRB5_KRB5_H_INCLUDED */