647
988
#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54
648
989
#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55
649
990
#define KRB5_KEYUSAGE_AS_REQ 56
651
krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype(krb5_enctype ktype);
652
krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype(krb5_cksumtype ctype);
653
krb5_boolean KRB5_CALLCONV krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
654
krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
991
/** @} */ /* end of KRB5_KEYUSAGE group */
994
* Verify that a specified encryption type is a valid Kerberos encryption type.
996
* @param [in] ktype Encryption type
998
* @return @c TRUE if @a ktype is valid, @c FALSE if not
1000
krb5_boolean KRB5_CALLCONV
1001
krb5_c_valid_enctype(krb5_enctype ktype);
1004
* Verify that specified checksum type is a valid Kerberos checksum type.
1006
* @param [in] ctype Checksum type
1008
* @return @c TRUE if @a ctype is valid, @c FALSE if not
1010
krb5_boolean KRB5_CALLCONV
1011
krb5_c_valid_cksumtype(krb5_cksumtype ctype);
1014
* Test whether a checksum type is collision-proof.
1016
* @param [in] ctype Checksum type
1018
* @return @c TRUE if @a ctype is collision-proof, @c FALSE if it is not
1019
* collision-proof or not a valid checksum type.
1021
krb5_boolean KRB5_CALLCONV
1022
krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
1025
* Test whether a checksum type is keyed.
1027
* @param [in] ctype Checksum type
1029
* @return @c TRUE if @a ctype is a keyed checksum type, @c FALSE otherwise.
1031
krb5_boolean KRB5_CALLCONV
1032
krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
657
#define KRB5_CRYPTO_TYPE_EMPTY 0 /* [in] ignored */
658
#define KRB5_CRYPTO_TYPE_HEADER 1 /* [out] header */
659
#define KRB5_CRYPTO_TYPE_DATA 2 /* [in, out] plaintext */
660
#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /* [in] associated data */
661
#define KRB5_CRYPTO_TYPE_PADDING 4 /* [out] padding */
662
#define KRB5_CRYPTO_TYPE_TRAILER 5 /* [out] checksum for encrypt */
663
#define KRB5_CRYPTO_TYPE_CHECKSUM 6 /* [out] checksum for MIC */
664
#define KRB5_CRYPTO_TYPE_STREAM 7 /* [in] entire message */
1035
/** @defgroup KRB5_CRYPTO_TYPE KRB5_CRYPTO_TYPE
1038
#define KRB5_CRYPTO_TYPE_EMPTY 0 /**< [in] ignored */
1039
#define KRB5_CRYPTO_TYPE_HEADER 1 /**< [out] header */
1040
#define KRB5_CRYPTO_TYPE_DATA 2 /**< [in, out] plaintext */
1041
#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /**< [in] associated data */
1042
#define KRB5_CRYPTO_TYPE_PADDING 4 /**< [out] padding */
1043
#define KRB5_CRYPTO_TYPE_TRAILER 5 /**< [out] checksum for encrypt */
1044
#define KRB5_CRYPTO_TYPE_CHECKSUM 6 /**< [out] checksum for MIC */
1045
#define KRB5_CRYPTO_TYPE_STREAM 7 /**< [in] entire message without
1046
decomposing the structure into
1047
header, data and trailer buffers */
1048
/** @} */ /* end of KRB5_CRYPTO_TYPE group */
1051
* Fill in a checksum element in IOV array (operates on keyblock)
1053
* @param [in] context Library context
1054
* @param [in] cksumtype Checksum type (0 for mandatory type)
1055
* @param [in] key Encryption key for a keyed checksum
1056
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1057
* @param [in,out] data IOV array
1058
* @param [in] num_data Size of @a data
1060
* Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
1061
* #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
1062
* Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
1064
* @note This function is similar to krb5_k_make_checksum_iov(), but operates
1065
* on keyblock @a key.
1067
* @sa krb5_c_verify_checksum_iov()
1069
* @retval 0 Success; otherwise - Kerberos error codes
666
1071
krb5_error_code KRB5_CALLCONV
667
1072
krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
668
1073
const krb5_keyblock *key, krb5_keyusage usage,
669
1074
krb5_crypto_iov *data, size_t num_data);
1077
* Validate a checksum element in IOV array (operates on keyblock).
1079
* @param [in] context Library context
1080
* @param [in] cksumtype Checksum type (0 for mandatory type)
1081
* @param [in] key Encryption key for a keyed checksum
1082
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1083
* @param [in] data IOV array
1084
* @param [in] num_data Size of @a data
1085
* @param [out] valid Non-zero for success, zero for failure
1087
* Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
1088
* valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
1089
* regions in the iov.
1091
* @note This function is similar to krb5_k_verify_checksum_iov(), but operates
1092
* on keyblock @a key.
1094
* @sa krb5_c_make_checksum_iov()
1096
* @retval 0 Success; otherwise - Kerberos error codes
671
1098
krb5_error_code KRB5_CALLCONV
672
1099
krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
673
1100
const krb5_keyblock *key, krb5_keyusage usage,
674
1101
const krb5_crypto_iov *data, size_t num_data,
675
1102
krb5_boolean *valid);
677
krb5_error_code KRB5_CALLCONV
678
krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *key,
679
krb5_keyusage usage, const krb5_data *cipher_state,
680
krb5_crypto_iov *data, size_t num_data);
682
krb5_error_code KRB5_CALLCONV
683
krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *key,
684
krb5_keyusage usage, const krb5_data *cipher_state,
685
krb5_crypto_iov *data, size_t num_data);
1105
* Encrypt data in place supporting AEAD (operates on keyblock).
1107
* @param [in] context Library context
1108
* @param [in] keyblock Encryption key
1109
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1110
* @param [in] cipher_state Cipher state; specify NULL if not needed
1111
* @param [in,out] data IOV array. Modified in-place.
1112
* @param [in] num_data Size of @a data
1114
* This function encrypts the data block @a data and stores the output in-place.
1115
* The actual encryption key will be derived from @a keyblock and @a usage
1116
* if key derivation is specified for the encryption type. If non-null, @a
1117
* cipher_state specifies the beginning state for the encryption operation, and
1118
* is updated with the state to be passed as input to the next operation.
1119
* The caller must allocate the right number of krb5_crypto_iov
1120
* structures before calling into this API.
1122
* @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
1123
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
1124
* For example, if the padding length is too large, the length will be reduced.
1125
* Lengths are never increased.
1127
* @note This function is similar to krb5_k_encrypt_iov(), but operates
1128
* on keyblock @a keyblock.
1130
* @sa krb5_c_decrypt_iov()
1132
* @retval 0 Success; otherwise - Kerberos error codes
1134
krb5_error_code KRB5_CALLCONV
1135
krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
1136
krb5_keyusage usage, const krb5_data *cipher_state,
1137
krb5_crypto_iov *data, size_t num_data);
1140
* Decrypt data in place supporting AEAD (operates on keyblock).
1142
* @param [in] context Library context
1143
* @param [in] keyblock Encryption key
1144
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1145
* @param [in] cipher_state Cipher state; specify NULL if not needed
1146
* @param [in,out] data IOV array. Modified in-place.
1147
* @param [in] num_data Size of @a data
1149
* This function decrypts the data block @a data and stores the output in-place.
1150
* The actual decryption key will be derived from @a keyblock and @a usage
1151
* if key derivation is specified for the encryption type. If non-null, @a
1152
* cipher_state specifies the beginning state for the decryption operation, and
1153
* is updated with the state to be passed as input to the next operation.
1154
* The caller must allocate the right number of krb5_crypto_iov
1155
* structures before calling into this API.
1157
* @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
1158
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
1159
* For example, if the padding length is too large, the length will be reduced.
1160
* Lengths are never increased.
1162
* @note This function is similar to krb5_k_decrypt_iov(), but operates
1163
* on keyblock @a keyblock.
1165
* @sa krb5_c_decrypt_iov()
1167
* @retval 0 Success; otherwise - Kerberos error codes
1169
krb5_error_code KRB5_CALLCONV
1170
krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
1171
krb5_keyusage usage, const krb5_data *cipher_state,
1172
krb5_crypto_iov *data, size_t num_data);
1175
* Return a length of a message field specific to the encryption type.
1177
* @param [in] context Library context
1178
* @param [in] enctype Encryption type
1179
* @param [in] type Type field (See @ref KRB5_CRYPTO_TYPE types)
1180
* @param [out] size Length of the @a type specific to @a enctype
1182
* @retval 0 Success; otherwise - Kerberos error codes
687
1184
krb5_error_code KRB5_CALLCONV
688
1185
krb5_c_crypto_length(krb5_context context, krb5_enctype enctype,
689
1186
krb5_cryptotype type, unsigned int *size);
1189
* Fill in lengths for header, trailer and padding in a IOV array.
1191
* @param [in] context Library context
1192
* @param [in] enctype Encryption type
1193
* @param [in,out] data IOV array
1194
* @param [in] num_data Size of @a data
1196
* Padding is set to the actual padding required based on the provided
1197
* @a data buffers. Typically this API is used after setting up the data
1198
* buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually
1199
* allocating header, trailer and padding.
1201
* @retval 0 Success; otherwise - Kerberos error codes
691
1203
krb5_error_code KRB5_CALLCONV
692
1204
krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype,
693
1205
krb5_crypto_iov *data, size_t num_data);
1208
* Return a number of padding octets.
1210
* @param [in] context Library context
1211
* @param [in] enctype Encryption type
1212
* @param [in] data_length Length of the plaintext to pad
1213
* @param [out] size Number of padding octets
1215
* This function returns the number of the padding octets required to pad
1216
* @a data_length octets of plaintext.
1218
* @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
695
1220
krb5_error_code KRB5_CALLCONV
696
1221
krb5_c_padding_length(krb5_context context, krb5_enctype enctype,
697
1222
size_t data_length, unsigned int *size);
1225
* Create a krb5_key from the enctype and key data in a keyblock.
1227
* @param [in] context Library context
1228
* @param [in] key_data Keyblock
1229
* @param [out] out Opaque key
1231
* The reference count on a key @a out is set to 1.
1232
* Use krb5_k_free_key() to free @a out when it is no longer needed.
1234
* @retval 0 Success; otherwise - KRB5_BAD_ENCTYPE
699
1236
krb5_error_code KRB5_CALLCONV
700
1237
krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
703
/* Keys are logically immutable and can be "copied" by reference count. */
704
void KRB5_CALLCONV krb5_k_reference_key(krb5_context context, krb5_key key);
706
/* Decrement the reference count on a key and free it if it hits zero. */
707
void KRB5_CALLCONV krb5_k_free_key(krb5_context context, krb5_key key);
1240
/** Increment the reference count on a key. */
1242
krb5_k_reference_key(krb5_context context, krb5_key key);
1244
/** Decrement the reference count on a key and free it if it hits zero. */
1246
krb5_k_free_key(krb5_context context, krb5_key key);
1248
/** Retrieve a copy of the keyblock from a krb5_key structure. */
709
1249
krb5_error_code KRB5_CALLCONV
710
1250
krb5_k_key_keyblock(krb5_context context, krb5_key key,
711
1251
krb5_keyblock **key_data);
1253
/** Retrieve the enctype of a krb5_key structure. */
713
1254
krb5_enctype KRB5_CALLCONV
714
1255
krb5_k_key_enctype(krb5_context context, krb5_key key);
1258
* Encrypt data using a key (operates on opaque key).
1260
* @param [in] context Library context
1261
* @param [in] key Encryption key
1262
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1263
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
1264
* @param [in] input Data to be encrypted
1265
* @param [out] output Encrypted data
1267
* This function encrypts the data block @a input and stores the output into @a
1268
* output. The actual encryption key will be derived from @a key and @a usage
1269
* if key derivation is specified for the encryption type. If non-null, @a
1270
* cipher_state specifies the beginning state for the encryption operation, and
1271
* is updated with the state to be passed as input to the next operation.
1273
* @note The caller must initialize @a output and allocate at least enough
1274
* space for the result (using krb5_c_encrypt_length() to determine the amount
1275
* of space needed). @a output->length will be set to the actual length of the
1278
* @retval 0 Success; otherwise - Kerberos error codes
716
1280
krb5_error_code KRB5_CALLCONV
717
1281
krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
718
1282
const krb5_data *cipher_state, const krb5_data *input,
719
1283
krb5_enc_data *output);
1286
* Encrypt data in place supporting AEAD (operates on opaque key).
1288
* @param [in] context Library context
1289
* @param [in] key Encryption key
1290
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1291
* @param [in] cipher_state Cipher state; specify NULL if not needed
1292
* @param [in,out] data IOV array. Modified in-place.
1293
* @param [in] num_data Size of @a data
1295
* This function encrypts the data block @a data and stores the output in-place.
1296
* The actual encryption key will be derived from @a key and @a usage
1297
* if key derivation is specified for the encryption type. If non-null, @a
1298
* cipher_state specifies the beginning state for the encryption operation, and
1299
* is updated with the state to be passed as input to the next operation.
1300
* The caller must allocate the right number of krb5_crypto_iov
1301
* structures before calling into this API.
1303
* @note On return from a krb5_c_encrypt_iov() call, the @a data->length in the
1304
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
1305
* For example, if the padding length is too large, the length will be reduced.
1306
* Lengths are never increased.
1308
* @note This function is similar to krb5_c_encrypt_iov(), but operates
1309
* on opaque key @a key.
1311
* @sa krb5_k_decrypt_iov()
1313
* @retval 0 Success; otherwise - Kerberos error codes
721
1315
krb5_error_code KRB5_CALLCONV
722
1316
krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
723
1317
const krb5_data *cipher_state, krb5_crypto_iov *data,
724
1318
size_t num_data);
1321
* Decrypt data using a key (operates on opaque key).
1323
* @param [in] context Library context
1324
* @param [in] key Encryption key
1325
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1326
* @param [in,out] cipher_state Cipher state; specify NULL if not needed
1327
* @param [in] input Encrypted data
1328
* @param [out] output Decrypted data
1330
* This function decrypts the data block @a input and stores the output into @a
1331
* output. The actual decryption key will be derived from @a key and @a usage
1332
* if key derivation is specified for the encryption type. If non-null, @a
1333
* cipher_state specifies the beginning state for the decryption operation, and
1334
* is updated with the state to be passed as input to the next operation.
1336
* @note The caller must initialize @a output and allocate at least enough
1337
* space for the result. The usual practice is to allocate an output buffer as
1338
* long as the ciphertext, and let krb5_c_decrypt() trim @a output->length.
1339
* For some enctypes, the resulting @a output->length may include padding
1342
* @retval 0 Success; otherwise - Kerberos error codes
726
1344
krb5_error_code KRB5_CALLCONV
727
1345
krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
728
1346
const krb5_data *cipher_state, const krb5_enc_data *input,
729
1347
krb5_data *output);
1350
* Decrypt data in place supporting AEAD (operates on opaque key).
1352
* @param [in] context Library context
1353
* @param [in] key Encryption key
1354
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1355
* @param [in] cipher_state Cipher state; specify NULL if not needed
1356
* @param [in,out] data IOV array. Modified in-place.
1357
* @param [in] num_data Size of @a data
1359
* This function decrypts the data block @a data and stores the output in-place.
1360
* The actual decryption key will be derived from @a key and @a usage
1361
* if key derivation is specified for the encryption type. If non-null, @a
1362
* cipher_state specifies the beginning state for the decryption operation, and
1363
* is updated with the state to be passed as input to the next operation.
1364
* The caller must allocate the right number of krb5_crypto_iov
1365
* structures before calling into this API.
1367
* @note On return from a krb5_c_decrypt_iov() call, the @a data->length in the
1368
* iov structure are adjusted to reflect actual lengths of the ciphertext used.
1369
* For example, if the padding length is too large, the length will be reduced.
1370
* Lengths are never increased.
1372
* @note This function is similar to krb5_c_decrypt_iov(), but operates
1373
* on opaque key @a key.
1375
* @sa krb5_k_encrypt_iov()
1377
* @retval 0 Success; otherwise - Kerberos error codes
731
1379
krb5_error_code KRB5_CALLCONV
732
1380
krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
733
1381
const krb5_data *cipher_state, krb5_crypto_iov *data,
734
1382
size_t num_data);
1384
* Compute a checksum (operates on opaque key).
1386
* @param [in] context Library context
1387
* @param [in] cksumtype Checksum type (0 for mandatory type)
1388
* @param [in] key Encryption key for a keyed checksum
1389
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1390
* @param [in] input Input data
1391
* @param [out] cksum Generated checksum
1393
* This function computes a checksum of type @a cksumtype over @a input, using
1394
* @a key if the checksum type is a keyed checksum. If @a cksumtype is 0 and
1395
* @a key is non-null, the checksum type will be the mandatory-to-implement
1396
* checksum type for the key's encryption type. The actual checksum key will
1397
* be derived from @a key and @a usage if key derivation is specified for the
1398
* checksum type. The newly created @a cksum must be released by calling
1399
* krb5_free_checksum_contents() when it is no longer needed.
1401
* @note This function is similar to krb5_c_make_checksum(), but operates
1404
* @sa krb5_c_verify_checksum()
1406
* @retval 0 Success; otherwise - Kerberos error codes
736
1408
krb5_error_code KRB5_CALLCONV
737
1409
krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
738
1410
krb5_key key, krb5_keyusage usage, const krb5_data *input,
739
1411
krb5_checksum *cksum);
1414
* Fill in a checksum element in IOV array (operates on opaque key)
1416
* @param [in] context Library context
1417
* @param [in] cksumtype Checksum type (0 for mandatory type)
1418
* @param [in] key Encryption key for a keyed checksum
1419
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1420
* @param [in,out] data IOV array
1421
* @param [in] num_data Size of @a data
1423
* Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over
1424
* #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in @a data.
1425
* Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.
1427
* @note This function is similar to krb5_c_make_checksum_iov(), but operates
1430
* @sa krb5_k_verify_checksum_iov()
1432
* @retval 0 Success; otherwise - Kerberos error codes
741
1434
krb5_error_code KRB5_CALLCONV
742
1435
krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
743
1436
krb5_key key, krb5_keyusage usage,
744
1437
krb5_crypto_iov *data, size_t num_data);
1440
* Verify a checksum (operates on opaque key).
1442
* @param [in] context Library context
1443
* @param [in] key Encryption key for a keyed checksum
1444
* @param [in] usage @a key usage
1445
* @param [in] data Data to be used to compute a new checksum
1446
* using @a key to compare @a cksum against
1447
* @param [in] cksum Checksum to be verified
1448
* @param [out] valid Non-zero for success, zero for failure
1450
* This function verifies that @a cksum is a valid checksum for @a data. If
1451
* the checksum type of @a cksum is a keyed checksum, @a key is used to verify
1452
* the checksum. The actual checksum key will be derived from @a key and @a
1453
* usage if key derivation is specified for the checksum type.
1455
* @note This function is similar to krb5_c_verify_checksum(), but operates
1458
* @retval 0 Success; otherwise - Kerberos error codes
746
1460
krb5_error_code KRB5_CALLCONV
747
1461
krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage,
748
1462
const krb5_data *data, const krb5_checksum *cksum,
749
1463
krb5_boolean *valid);
1466
* Validate a checksum element in IOV array (operates on opaque key).
1468
* @param [in] context Library context
1469
* @param [in] cksumtype Checksum type (0 for mandatory type)
1470
* @param [in] key Encryption key for a keyed checksum
1471
* @param [in] usage Key usage (see @ref KRB5_KEYUSAGE types)
1472
* @param [in] data IOV array
1473
* @param [in] num_data Size of @a data
1474
* @param [out] valid Non-zero for success, zero for failure
1476
* Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a
1477
* valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY
1478
* regions in the iov.
1480
* @note This function is similar to krb5_c_verify_checksum_iov(), but operates
1483
* @sa krb5_k_make_checksum_iov()
1485
* @retval 0 Success; otherwise - Kerberos error codes
751
1487
krb5_error_code KRB5_CALLCONV
752
1488
krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
753
1489
krb5_key key, krb5_keyusage usage,
754
1490
const krb5_crypto_iov *data, size_t num_data,
755
1491
krb5_boolean *valid);
1494
* Generate enctype-specific pseudo-random bytes (operates on opaque key).
1496
* @param [in] context Library context
1497
* @param [in] key Key
1498
* @param [in] input Input data
1499
* @param [out] output Output data
1501
* This function selects a pseudo-random function based on @a key and
1502
* computes its value over @a input, placing the result into @a output.
1503
* The caller must preinitialize @a output and allocate space for the
1506
* @note This function is similar to krb5_c_prf(), but operates
1509
* @retval 0 Success; otherwise - Kerberos error codes
757
1511
krb5_error_code KRB5_CALLCONV
758
krb5_k_prf(krb5_context context, krb5_key key, krb5_data *in, krb5_data *out);
1512
krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output);
760
1514
#ifdef KRB5_OLD_CRYPTO
762
1516
* old cryptosystem routine prototypes. These are now layered
763
1517
* on top of the functions above.
1519
/** @deprecated Replaced by krb5_c_ API family.*/
765
1520
krb5_error_code KRB5_CALLCONV
766
1521
krb5_encrypt(krb5_context context, krb5_const_pointer inptr,
767
1522
krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
768
1523
krb5_pointer ivec);
1525
/** @deprecated Replaced by krb5_c_ API family. */
770
1526
krb5_error_code KRB5_CALLCONV
771
1527
krb5_decrypt(krb5_context context, krb5_const_pointer inptr,
772
1528
krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock,
773
1529
krb5_pointer ivec);
1531
/** @deprecated Replaced by krb5_c_ API family. */
775
1532
krb5_error_code KRB5_CALLCONV
776
1533
krb5_process_key(krb5_context context, krb5_encrypt_block *eblock,
777
1534
const krb5_keyblock * key);
1536
/** @deprecated Replaced by krb5_c_ API family. */
779
1537
krb5_error_code KRB5_CALLCONV
780
1538
krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock);
1540
/** @deprecated See krb5_c_string_to_key() */
782
1541
krb5_error_code KRB5_CALLCONV
783
1542
krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock,
784
1543
krb5_keyblock * keyblock, const krb5_data *data,
785
1544
const krb5_data *salt);
1546
/** @deprecated Replaced by krb5_c_ API family. */
787
1547
krb5_error_code KRB5_CALLCONV
788
1548
krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock,
789
1549
const krb5_keyblock *keyblock, krb5_pointer *ptr);
1551
/** @deprecated Replaced by krb5_c_ API family. */
791
1552
krb5_error_code KRB5_CALLCONV
792
1553
krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock,
793
1554
krb5_pointer *ptr);
1556
/** @deprecated Replaced by krb5_c_ API family. */
795
1557
krb5_error_code KRB5_CALLCONV
796
1558
krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock,
797
1559
krb5_pointer ptr, krb5_keyblock **keyblock);
1561
/** @deprecated Replaced by krb5_c_ API family. */
799
1562
krb5_enctype KRB5_CALLCONV
800
1563
krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock);
1565
/** @deprecated Replaced by krb5_c_ API family. */
802
1566
krb5_error_code KRB5_CALLCONV
803
1567
krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock,
804
1568
krb5_enctype enctype);
1570
/** @deprecated Replaced by krb5_c_ API family. */
806
1571
size_t KRB5_CALLCONV
807
1572
krb5_encrypt_size(size_t length, krb5_enctype crypto);
1574
/** @deprecated See krb5_c_checksum_length() */
809
1575
size_t KRB5_CALLCONV
810
1576
krb5_checksum_size(krb5_context context, krb5_cksumtype ctype);
1578
/** @deprecated See krb5_c_make_checksum() */
812
1579
krb5_error_code KRB5_CALLCONV
813
1580
krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
814
1581
krb5_const_pointer in, size_t in_length,
815
1582
krb5_const_pointer seed, size_t seed_length,
816
1583
krb5_checksum * outcksum);
1585
/** @deprecated See krb5_c_verify_checksum() */
818
1586
krb5_error_code KRB5_CALLCONV
819
1587
krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
820
1588
const krb5_checksum * cksum, krb5_const_pointer in,
1605
2899
* begin "func-proto.h"
1608
krb5_error_code KRB5_CALLCONV krb5_init_context(krb5_context *);
1609
krb5_error_code KRB5_CALLCONV krb5_init_secure_context(krb5_context *);
1610
void KRB5_CALLCONV krb5_free_context(krb5_context);
1611
krb5_error_code KRB5_CALLCONV krb5_copy_context(krb5_context, krb5_context *);
1613
krb5_error_code KRB5_CALLCONV
1614
krb5_set_default_tgs_enctypes(krb5_context, const krb5_enctype *);
1616
krb5_error_code KRB5_CALLCONV
1617
krb5_get_permitted_enctypes(krb5_context, krb5_enctype **);
1619
krb5_boolean KRB5_CALLCONV krb5_is_thread_safe(void);
2902
#define KRB5_INIT_CONTEXT_SECURE 0x1 /**< Use secure context configuration */
2903
#define KRB5_INIT_CONTEXT_KDC 0x2 /**< Use KDC configuration if available */
2906
* Create a krb5 library context.
2908
* @param [out] context Library context
2910
* The @a context must be released by calling krb5_free_context() when
2911
* it is no longer needed.
2913
* @warning Any program or module that needs the Kerberos code to not trust the
2914
* environment must use krb5_init_secure_context(), or clean out the
2920
* Kerberos error codes
2922
krb5_error_code KRB5_CALLCONV
2923
krb5_init_context(krb5_context *context);
2926
* Create a krb5 library context using only configuration files.
2928
* @param [out] context Library context
2930
* Create a context structure, using only system configuration files. All
2931
* information passed through the environment variables is ignored.
2933
* The @a context must be released by calling krb5_free_context() when
2934
* it is no longer needed.
2939
* Kerberos error codes
2941
krb5_error_code KRB5_CALLCONV
2942
krb5_init_secure_context(krb5_context *context);
2945
* Create a krb5 library context using a specified profile.
2947
* @param [in] profile Profile object (NULL to create default profile)
2948
* @param [in] flags Context initialization flags
2949
* @param [out] context Library context
2951
* Create a context structure, optionally using a specified profile and
2952
* initialization flags. If @a profile is NULL, the default profile will be
2953
* created from config files. If @a profile is non-null, a copy of it will be
2954
* made for the new context; the caller should still clean up its copy. Valid
2957
* @li #KRB5_INIT_CONTEXT_SECURE Ignore environment variables
2958
* @li #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
2960
krb5_error_code KRB5_CALLCONV
2961
krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags,
2962
krb5_context *context);
2965
* Free a krb5 library context.
2967
* @param [in] context Library context
2969
* This function frees a @a context that was created by krb5_init_context()
2970
* or krb5_init_secure_context().
2973
krb5_free_context(krb5_context context);
2976
* Copy a krb5_context structure.
2978
* @param [in] ctx Library context
2979
* @param [out] nctx_out New context structure
2981
* The newly created context must be released by calling krb5_free_context()
2982
* when it is no longer needed.
2987
* Kerberos error codes
2989
krb5_error_code KRB5_CALLCONV
2990
krb5_copy_context(krb5_context ctx, krb5_context *nctx_out);
2993
* Set default TGS encryption types in a krb5_context structure.
2995
* @param [in,out] context Library context
2996
* @param [in] etypes Encryption type(s) to set
2998
* This function sets the default enctype list for TGS requests
2999
* made using @a context to @a etypes.
3001
* @note This overrides the default list (from config file or built-in).
3006
* KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type
3008
* Kerberos error codes
3010
krb5_error_code KRB5_CALLCONV
3011
krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes);
3014
* Return a list of encryption types permitted for session keys.
3016
* @param [in] context Library context
3017
* @param [out] ktypes Zero-terminated list of encryption types
3019
* This function returns the list of encryption types permitted for session
3020
* keys within @a context, as determined by configuration or by a previous call
3021
* to krb5_set_default_tgs_enctypes().
3023
* @retval 0 Success; otherwise - Kerberos error codes
3025
krb5_error_code KRB5_CALLCONV
3026
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes);
3029
* Test whether the Kerberos library was built with multithread support.
3032
* TRUE if the library is threadsafe; FALSE otherwise
3034
krb5_boolean KRB5_CALLCONV
3035
krb5_is_thread_safe(void);
1621
3037
/* libkrb.spec */
3040
* Decrypt a ticket using the specified key table.
3042
* @param [in] context Library context
3043
* @param [in] kt Key table
3044
* @param [in,out] ticket Ticket to be decrypted
3046
* This function takes a @a ticket as input and decrypts it using
3047
* key data from @a kt. The result is placed into @a ticket->enc_part2.
3049
* @retval 0 Success; otherwise - Kerberos error codes
1623
3051
krb5_error_code KRB5_CALLCONV
1624
3052
krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt,
1625
3053
krb5_ticket *ticket);
1627
void KRB5_CALLCONV krb5_free_tgt_creds(krb5_context, krb5_creds **);
1629
#define KRB5_GC_USER_USER 1 /* want user-user ticket */
1630
#define KRB5_GC_CACHED 2 /* want cached ticket only */
1631
#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
1632
#define KRB5_GC_NO_STORE 8 /* do not store in credentials cache */
1633
#define KRB5_GC_FORWARDABLE 16 /* acquire forwardable tickets */
1634
#define KRB5_GC_NO_TRANSIT_CHECK 32 /* disable transited check */
1635
#define KRB5_GC_CONSTRAINED_DELEGATION 64 /* constrained delegation */
1637
krb5_error_code KRB5_CALLCONV
1638
krb5_get_credentials(krb5_context, krb5_flags, krb5_ccache, krb5_creds *,
1641
krb5_error_code KRB5_CALLCONV
1642
krb5_get_credentials_validate(krb5_context, krb5_flags, krb5_ccache,
1643
krb5_creds *, krb5_creds **);
1645
krb5_error_code KRB5_CALLCONV
1646
krb5_get_credentials_renew(krb5_context, krb5_flags, krb5_ccache, krb5_creds *,
1649
krb5_error_code KRB5_CALLCONV
1650
krb5_mk_req(krb5_context, krb5_auth_context *, krb5_flags, char *, char *,
1651
krb5_data *, krb5_ccache, krb5_data *);
1653
krb5_error_code KRB5_CALLCONV
1654
krb5_mk_req_extended(krb5_context, krb5_auth_context *, krb5_flags,
1655
krb5_data *, krb5_creds *, krb5_data * );
1657
krb5_error_code KRB5_CALLCONV
1658
krb5_mk_rep(krb5_context, krb5_auth_context, krb5_data *);
1660
krb5_error_code KRB5_CALLCONV
1661
krb5_mk_rep_dce(krb5_context, krb5_auth_context, krb5_data *);
1663
krb5_error_code KRB5_CALLCONV
1664
krb5_rd_rep(krb5_context, krb5_auth_context, const krb5_data *,
1665
krb5_ap_rep_enc_part **);
1667
krb5_error_code KRB5_CALLCONV
1668
krb5_rd_rep_dce(krb5_context, krb5_auth_context, const krb5_data *,
1671
krb5_error_code KRB5_CALLCONV
1672
krb5_mk_error(krb5_context, const krb5_error *, krb5_data *);
1674
krb5_error_code KRB5_CALLCONV
1675
krb5_rd_error(krb5_context, const krb5_data *, krb5_error **);
1677
krb5_error_code KRB5_CALLCONV
1678
krb5_rd_safe(krb5_context, krb5_auth_context, const krb5_data *, krb5_data *,
1679
krb5_replay_data *);
1681
krb5_error_code KRB5_CALLCONV
1682
krb5_rd_priv(krb5_context, krb5_auth_context, const krb5_data *, krb5_data *,
1683
krb5_replay_data *);
1685
krb5_error_code KRB5_CALLCONV
1686
krb5_parse_name(krb5_context, const char *, krb5_principal *);
1688
#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1
1689
#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2
1690
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4
1691
krb5_error_code KRB5_CALLCONV
1692
krb5_parse_name_flags(krb5_context, const char *, int, krb5_principal *);
1694
krb5_error_code KRB5_CALLCONV
1695
krb5_unparse_name(krb5_context, krb5_const_principal, char **);
1697
krb5_error_code KRB5_CALLCONV
1698
krb5_unparse_name_ext(krb5_context, krb5_const_principal, char **,
1701
#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1
1702
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2
1703
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4
1704
krb5_error_code KRB5_CALLCONV
1705
krb5_unparse_name_flags(krb5_context, krb5_const_principal, int, char **);
1707
krb5_error_code KRB5_CALLCONV
1708
krb5_unparse_name_flags_ext(krb5_context, krb5_const_principal, int,
1709
char **, unsigned int *);
1711
krb5_error_code KRB5_CALLCONV
1712
krb5_set_principal_realm(krb5_context, krb5_principal, const char *);
3056
* Free an array of credential structures.
3058
* @param [in] context Library context
3059
* @param [in] tgts Null-terminated array of credentials to free
3061
* @note The last entry in the array @a tgts must be a NULL pointer.
3064
krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts);
3066
/** @defgroup KRB5_GC KRB5_GC
3069
#define KRB5_GC_USER_USER 1 /**< Want user-user ticket */
3070
#define KRB5_GC_CACHED 2 /**< Want cached ticket only */
3071
#define KRB5_GC_CANONICALIZE 4 /**< Set canonicalize KDC option */
3072
#define KRB5_GC_NO_STORE 8 /**< Do not store in credential cache */
3073
#define KRB5_GC_FORWARDABLE 16 /**< Acquire forwardable tickets */
3074
#define KRB5_GC_NO_TRANSIT_CHECK 32 /**< Disable transited check */
3075
#define KRB5_GC_CONSTRAINED_DELEGATION 64 /**< Constrained delegation */
3076
/** @} */ /* end of KRB5_GC group */
3079
* Get an additional ticket.
3081
* @param [in] context Library context
3082
* @param [in] options Options
3083
* @param [in,out] ccache Credential cache handle
3084
* @param [in] in_creds Input credentials
3085
* @param [out] out_creds Output updated credentials
3087
* Use @a ccache or a TGS exchange to get a service ticket matching @a
3090
* Valid values for @a options are:
3091
* @li #KRB5_GC_CACHED Search only credential cache for the ticket
3092
* @li #KRB5_GC_USER_USER Return a user to user authentication ticket
3094
* @a in_creds must be non-null. @a in_creds->client and @a in_creds->server
3095
* must be filled in to specify the client and the server respectively. If any
3096
* authorization data needs to be requested for the service ticket (such as
3097
* restrictions on how the ticket can be used), specify it in @a
3098
* in_creds->authdata; otherwise set @a in_creds->authdata to NULL. The
3099
* session key type is specified in @a in_creds->keyblock.enctype, if it is
3102
* The expiration date is specified in @a in_creds->times.endtime.
3103
* The KDC may return tickets with an earlier expiration date.
3104
* If @a in_creds->times.endtime is set to 0, the latest possible
3105
* expiration date will be requested.
3107
* Any returned ticket and intermediate ticket-granting tickets are stored
3110
* Use krb5_free_creds() to free @a out_creds when it is no longer needed.
3115
* Kerberos error codes
3117
krb5_error_code KRB5_CALLCONV
3118
krb5_get_credentials(krb5_context context, krb5_flags options,
3119
krb5_ccache ccache, krb5_creds *in_creds,
3120
krb5_creds **out_creds);
3122
/** @deprecated Replaced by krb5_get_validated_creds. */
3123
krb5_error_code KRB5_CALLCONV
3124
krb5_get_credentials_validate(krb5_context context, krb5_flags options,
3125
krb5_ccache ccache, krb5_creds *in_creds,
3126
krb5_creds **out_creds);
3128
/** @deprecated Replaced by krb5_get_renewed_creds. */
3129
krb5_error_code KRB5_CALLCONV
3130
krb5_get_credentials_renew(krb5_context context, krb5_flags options,
3131
krb5_ccache ccache, krb5_creds *in_creds,
3132
krb5_creds **out_creds);
3135
* Create a @c KRB_AP_REQ message.
3137
* @param [in] context Library context
3138
* @param [in,out] auth_context Pre-existing or newly created auth context
3139
* @param [in] ap_req_options @ref AP_OPTS options
3140
* @param [in] service Service name, or NULL to use @c "host"
3141
* @param [in] hostname Host name, or NULL to use local hostname
3142
* @param [in] in_data Application data to be checksummed in the
3143
* authenticator, or NULL
3144
* @param [in] ccache Credential cache used to obtain credentials
3145
* for the desired service.
3146
* @param [out] outbuf @c AP-REQ message
3148
* This function is similar to krb5_mk_req_extended() except that it uses a
3149
* given @a hostname, @a service, and @a ccache to construct a service
3150
* principal name and obtain credentials.
3152
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
3154
* @retval 0 Success; otherwise - Kerberos error codes
3156
krb5_error_code KRB5_CALLCONV
3157
krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
3158
krb5_flags ap_req_options, char *service, char *hostname,
3159
krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf);
3162
* Create a @c KRB_AP_REQ message using supplied credentials.
3164
* @param [in] context Library context
3165
* @param [in,out] auth_context Pre-existing or newly created auth context
3166
* @param [in] ap_req_options @ref AP_OPTS options
3167
* @param [in] in_data Application data to be checksummed in the
3168
* authenticator, or NULL
3169
* @param [in] in_creds Credentials for the service with valid ticket
3171
* @param [out] outbuf @c AP-REQ message
3173
* Valid @a ap_req_options are:
3174
* @li #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the
3175
* request used for user to user
3177
* @li #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from
3179
* @li #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current
3180
* session key obtained from the credentials.
3182
* This function creates a KRB_AP_REQ message using supplied credentials @a
3183
* in_creds. @a auth_context may point to an existing auth context or to NULL,
3184
* in which case a new one will be created. If @a in_data is non-null, a
3185
* checksum of it will be included in the authenticator contained in the
3186
* KRB_AP_REQ message. Use krb5_free_data_contents() to free @a outbuf when it
3187
* is no longer needed.
3189
* On successful return, the authenticator is stored in @a auth_context with
3190
* the @a client and @a checksum fields nulled out. (This is to prevent
3191
* pointer-sharing problems; the caller should not need these fields anyway,
3192
* since the caller supplied them.)
3196
* @retval 0 Success; otherwise - Kerberos error codes
3198
krb5_error_code KRB5_CALLCONV
3199
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
3200
krb5_flags ap_req_options, krb5_data *in_data,
3201
krb5_creds *in_creds, krb5_data *outbuf);
3204
* Format and encrypt a @c KRB_AP_REP message.
3206
* @param [in] context Library context
3207
* @param [in,out] auth_context Authentication context
3208
* @param [out] outbuf @c AP-REP message
3210
* This function fills in @a outbuf with an AP-REP message using information
3211
* from @a auth_context.
3213
* If the flags in @a auth_context indicate that a sequence number should be
3214
* used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
3215
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in @a
3216
* auth_context is 0, a new number will be generated with
3217
* krb5_generate_seq_number().
3219
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
3221
* @retval 0 Success; otherwise - Kerberos error codes
3223
krb5_error_code KRB5_CALLCONV
3224
krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
3227
* Format and encrypt a @c KRB_AP_REP message for DCE RPC.
3229
* @param [in] context Library context
3230
* @param [in,out] auth_context Authentication context
3231
* @param [out] outbuf @c AP-REP message
3233
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
3235
* @retval 0 Success; otherwise - Kerberos error codes
3237
krb5_error_code KRB5_CALLCONV
3238
krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf);
3241
* Parse and decrypt a @c KRB_AP_REP message.
3243
* @param [in] context Library context
3244
* @param [in,out] auth_context Authentication context
3245
* @param [in] inbuf AP-REP message
3246
* @param [out] repl Decrypted reply message
3248
* This function parses, decrypts and verifies a message from @a inbuf and
3249
* fills in @a repl with a pointer to allocated memory containing the fields
3250
* from the encrypted response.
3252
* Use krb5_free_ap_rep_enc_part() to free @a repl when it is no longer needed.
3254
* @retval 0 Success; otherwise - Kerberos error codes
3256
krb5_error_code KRB5_CALLCONV
3257
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
3258
const krb5_data *inbuf, krb5_ap_rep_enc_part **repl);
3261
* Parse and decrypt a @c KRB_AP_REP message for DCE RPC.
3263
* @param [in] context Library context
3264
* @param [in,out] auth_context Authentication context
3265
* @param [in] inbuf AP-REP message
3266
* @param [out] nonce Sequence number from the decrypted reply
3268
* This function parses, decrypts and verifies a message from @a inbuf and
3269
* fills in @a nonce with a decrypted reply sequence number.
3271
* @retval 0 Success; otherwise - Kerberos error codes
3273
krb5_error_code KRB5_CALLCONV
3274
krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
3275
const krb5_data *inbuf, krb5_ui_4 *nonce);
3278
* Format and encode a @c KRB_ERROR message.
3280
* @param [in] context Library context
3281
* @param [in] dec_err Error structure to be encoded
3282
* @param [out] enc_err Encoded error structure
3284
* This function creates a @c KRB_ERROR message in @a enc_err. Use
3285
* krb5_free_data_contents() to free @a enc_err when it is no longer needed.
3287
* @retval 0 Success; otherwise - Kerberos error codes
3289
krb5_error_code KRB5_CALLCONV
3290
krb5_mk_error(krb5_context context, const krb5_error *dec_err,
3291
krb5_data *enc_err);
3294
* Decode a @c KRB-ERROR message.
3296
* @param [in] context Library context
3297
* @param [in] enc_errbuf Encoded error message
3298
* @param [out] dec_error Decoded error message
3300
* This function processes @c KRB-ERROR message @a enc_errbuf and returns
3301
* an allocated structure @a dec_error containing the error message.
3302
* Use krb5_free_error() to free @a dec_error when it is no longer needed.
3304
* @retval 0 Success; otherwise - Kerberos error codes
3306
krb5_error_code KRB5_CALLCONV
3307
krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf,
3308
krb5_error **dec_error);
3311
* Process @c KRB-SAFE message.
3313
* @param [in] context Library context
3314
* @param [in,out] auth_context Authentication structure
3315
* @param [in] inbuf @c KRB-SAFE message to be parsed
3316
* @param [out] outbuf Data parsed from @c KRB-SAFE message
3317
* @param [out] outdata Replay data. Specify NULL if not needed
3319
* This function parses a @c KRB-SAFE message, verifies its integrity, and
3320
* stores its data into @a outbuf.
3322
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
3323
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.
3325
* @note @a auth_context must have a remote address set. This address will be
3326
* used to verify the sender address in the KRB-SAFE message. If @a
3327
* auth_context has a local address set, it will be used to verify the
3328
* receiver address in the KRB-SAFE message if the message contains one.
3329
* Both addresses must use type @c ADDRTYPE_ADDRPORT.
3331
* If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
3332
* sequence number of the KRB-SAFE message is checked against the remote
3333
* sequence number field of @a auth_context. Otherwise, the sequence number is
3336
* If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context,
3337
* then two additional checks are performed:
3338
* @li The timestamp in the message must be within the permitted clock skew
3339
* (which is usually five minutes).
3340
* @li The message must not be a replayed message field in @a auth_context.
3342
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
3344
* @retval 0 Success; otherwise - Kerberos error codes
3346
krb5_error_code KRB5_CALLCONV
3347
krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
3348
const krb5_data *inbuf, krb5_data *outbuf,
3349
krb5_replay_data *outdata);
3352
* Process a @c KRB-PRIV message.
3354
* @param [in] context Library context
3355
* @param [in,out] auth_context Authentication structure
3356
* @param [in] inbuf @c KRB-PRIV message to be parsed
3357
* @param [out] outbuf Data parsed from @c KRB-PRIV message
3358
* @param [out] outdata Replay data. Specify NULL if not needed
3360
* This function parses a @c KRB-PRIV message, verifies its integrity, and
3361
* stores its unencrypted data into @a outbuf.
3363
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or @c
3364
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in @a auth_context, @a
3365
* outdata is required.
3367
* @note @a auth_context must have a remote address set. This address will be
3368
* used to verify the sender address in the KRB-PRIV message. If @a
3369
* auth_context has a local address set, it will be used to verify the
3370
* receiver address in the KRB-PRIV message if the message contains one.
3371
* Both addresses must use type @c ADDRTYPE_ADDRPORT.
3373
* If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in @a auth_context, the
3374
* sequence number of the KRB-SAFE message is checked against the remote
3375
* sequence number field of @a auth_context. Otherwise, the sequence number is
3378
* If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in @a auth_context,
3379
* then two additional checks are performed:
3380
* @li The timestamp in the message must be within the permitted clock skew
3381
* (which is usually five minutes).
3382
* @li The message must not be a replayed message field in @a auth_context.
3384
* @retval 0 Success; otherwise - Kerberos error codes
3386
krb5_error_code KRB5_CALLCONV
3387
krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
3388
const krb5_data *inbuf, krb5_data *outbuf,
3389
krb5_replay_data *outdata);
3392
* Convert a string principal name to a krb5_principal structure.
3394
* @param [in] context Library context
3395
* @param [in] name String representation of a principal name
3396
* @param [out] nprincipal Principal
3398
* Convert a string representation of a principal name to a krb5_principal
3401
* A string representation of a Kerberos name consists of one or more principal
3402
* name components, separated by slashes, optionally followed by the \@
3403
* character and a realm name. If the realm name is not specified, the local
3406
* To use the slash and \@ symbols as part of a component (quoted) instead of
3407
* using them as a component separator or as a realm prefix), put a backslash
3408
* (\) character in front of the symbol. Similarly, newline, tab, backspace,
3409
* and NULL characters can be included in a component by using @c n, @c t, @c b
3410
* or @c 0, respectively.
3412
* @note The realm in a Kerberos @a name cannot contain slash, colon,
3413
* or NULL characters.
3415
* Use krb5_free_principal() to free @a nprincipal when it is no longer needed.
3420
* Kerberos error codes
3422
krb5_error_code KRB5_CALLCONV
3423
krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal);
3425
#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */
3426
#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */
3427
#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 /**< Create single-component
3428
enterprise principle */
3431
* Convert a string principal name to a krb5_principal with flags
3433
* @param [in] context Library context
3434
* @param [in] name String representation of a principal name
3435
* @param [in] flags Flag
3436
* @param [out] nprincipal Principal
3438
* Similar to krb5_parse_name(), this function converts a single-string
3439
* representation of a principal name to a krb5_principal structure.
3441
* The following flags are valid:
3442
* @li #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in @a name
3443
* @li #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in @a name
3444
* @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise
3447
* Use krb5_free_principal() to free @a nprincipal when it is no longer needed.
3452
* Kerberos error codes
3454
krb5_error_code KRB5_CALLCONV
3455
krb5_parse_name_flags(krb5_context context, const char *name,
3456
int flags, krb5_principal *nprincipal);
3459
* Convert a krb5_principal structure to a string representation.
3461
* @param [in] context Library context
3462
* @param [in] principal Principal
3463
* @param [out] name String representation of principal name
3465
* The resulting string representation uses the format and quoting conventions
3466
* described for krb5_parse_name().
3468
* Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
3473
* Kerberos error codes
3475
krb5_error_code KRB5_CALLCONV
3476
krb5_unparse_name(krb5_context context, krb5_const_principal principal,
3477
register char **name);
3480
* Convert krb5_principal structure to string and length.
3482
* @param [in] context Library context
3483
* @param [in] principal Principal
3484
* @param [out] name String representation of principal name
3485
* @param [out] size Size of unparsed name
3487
* This function is similar to krb5_unparse_name(), but also returns the length
3488
* of the string representation.
3493
* Kerberos error codes. On failure @a name is set to NULL
3495
krb5_error_code KRB5_CALLCONV
3496
krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
3497
char **name, unsigned int *size);
3499
#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 /**< Omit realm if it is the local realm */
3500
#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 /**< Omit realm always */
3501
#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 /**< Don't escape special characters */
3504
* Convert krb5_principal structure to a string with flags.
3506
* @param [in] context Library context
3507
* @param [in] principal Principal
3508
* @param [in] flags Flags
3509
* @param [out] name String representation of principal name
3511
* Similar to krb5_unparse_name(), this function converts a krb5_principal
3512
* structure to a string representation.
3514
* The following flags are valid:
3515
* @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
3516
* @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
3517
* @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
3519
* Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
3524
* Kerberos error codes. On failure @a name is set to NULL
3526
krb5_error_code KRB5_CALLCONV
3527
krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
3528
int flags, char **name);
3531
* Convert krb5_principal structure to string format with flags.
3533
* @param [in] context Library context
3534
* @param [in] principal Principal
3535
* @param [in] flags Flags
3536
* @param [out] name Single string format of principal name
3537
* @param [out] size Size of unparsed name buffer
3539
* @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext()
3544
* Kerberos error codes. On failure @a name is set to NULL
3546
krb5_error_code KRB5_CALLCONV
3547
krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
3548
int flags, char **name, unsigned int *size);
3551
* Set the realm field of a principal
3553
* @param [in,out] context Library context
3554
* @param [in] principal Principal name
3555
* @param [in] realm Realm name
3557
* Set the realm name part of @a principal to @a realm, overwriting the
3563
* Kerberos error codes
3565
krb5_error_code KRB5_CALLCONV
3566
krb5_set_principal_realm(krb5_context context, krb5_principal principal,
3570
* Search a list of addresses for a specified address.
3572
* @param [in] context Library context
3573
* @param [in] addr Address to search for
3574
* @param [in] addrlist Address list to be searched (or NULL)
3576
* @note If @a addrlist contains only a NetBIOS addresses, it will be treated
3580
* TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE
1714
3583
krb5_boolean KRB5_CALLCONV_WRONG
1715
krb5_address_search(krb5_context, const krb5_address *, krb5_address *const *);
3584
krb5_address_search(krb5_context context, const krb5_address *addr,
3585
krb5_address *const *addrlist);
3588
* Compare two Kerberos addresses.
3590
* @param [in] context Library context
3591
* @param [in] addr1 First address to be compared
3592
* @param [in] addr2 Second address to be compared
3595
* TRUE if the addresses are the same, FALSE otherwise
1717
3597
krb5_boolean KRB5_CALLCONV
1718
krb5_address_compare(krb5_context, const krb5_address *, const krb5_address *);
3598
krb5_address_compare(krb5_context context, const krb5_address *addr1,
3599
const krb5_address *addr2);
3602
* Return an ordering of the specified addresses.
3604
* @param [in] context Library context
3605
* @param [in] addr1 First address
3606
* @param [in] addr2 Second address
3609
* 0 The two addresses are the same
3611
* \< 0 First address is less than second
3613
* \> 0 First address is greater than second
1720
3615
int KRB5_CALLCONV
1721
krb5_address_order(krb5_context, const krb5_address *, const krb5_address *);
1723
krb5_boolean KRB5_CALLCONV
1724
krb5_realm_compare(krb5_context, krb5_const_principal, krb5_const_principal);
1726
krb5_boolean KRB5_CALLCONV
1727
krb5_principal_compare(krb5_context, krb5_const_principal,
1728
krb5_const_principal);
1730
krb5_boolean KRB5_CALLCONV
1731
krb5_principal_compare_any_realm(krb5_context, krb5_const_principal,
1732
krb5_const_principal);
1734
#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1
1735
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /* UPNs as real principals */
1736
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /* case-insensitive */
1737
#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /* treat principals as UTF-8 */
1739
krb5_boolean KRB5_CALLCONV
1740
krb5_principal_compare_flags(krb5_context, krb5_const_principal,
1741
krb5_const_principal, int);
1743
krb5_error_code KRB5_CALLCONV
1744
krb5_init_keyblock(krb5_context, krb5_enctype enctype, size_t length,
1745
krb5_keyblock **out);
1747
/* Initialize a new keyblock and allocate storage
1748
* for the contents of the key, which will be freed along
1749
* with the keyblock when krb5_free_keyblock is called.
1750
* It is legal to pass in a length of 0, in which
1751
* case contents are left unallocated.
1753
krb5_error_code KRB5_CALLCONV
1754
krb5_copy_keyblock(krb5_context, const krb5_keyblock *, krb5_keyblock **);
1756
krb5_error_code KRB5_CALLCONV
1757
krb5_copy_keyblock_contents(krb5_context, const krb5_keyblock *,
1760
krb5_error_code KRB5_CALLCONV
1761
krb5_copy_creds(krb5_context, const krb5_creds *, krb5_creds **);
1763
krb5_error_code KRB5_CALLCONV
1764
krb5_copy_data(krb5_context, const krb5_data *, krb5_data **);
1766
krb5_error_code KRB5_CALLCONV
1767
krb5_copy_principal(krb5_context, krb5_const_principal, krb5_principal *);
1769
krb5_error_code KRB5_CALLCONV
1770
krb5_copy_addresses(krb5_context, krb5_address * const *, krb5_address ***);
1772
krb5_error_code KRB5_CALLCONV
1773
krb5_copy_ticket(krb5_context, const krb5_ticket *, krb5_ticket **);
1775
krb5_error_code KRB5_CALLCONV
1776
krb5_copy_authdata(krb5_context, krb5_authdata * const *, krb5_authdata ***);
1778
/* Merge two authdata arrays, such as the array from a ticket
1779
* and authenticator. */
1780
krb5_error_code KRB5_CALLCONV
1781
krb5_merge_authdata(krb5_context, krb5_authdata * const *,
1782
krb5_authdata *const *, krb5_authdata ***);
1784
krb5_error_code KRB5_CALLCONV
1785
krb5_copy_authenticator(krb5_context, const krb5_authenticator *,
1786
krb5_authenticator **);
1788
krb5_error_code KRB5_CALLCONV
1789
krb5_copy_checksum(krb5_context, const krb5_checksum *, krb5_checksum **);
1791
krb5_error_code KRB5_CALLCONV
1792
krb5_get_server_rcache(krb5_context, const krb5_data *, krb5_rcache *);
1794
krb5_error_code KRB5_CALLCONV_C
1795
krb5_build_principal_ext(krb5_context, krb5_principal *, unsigned int,
1798
krb5_error_code KRB5_CALLCONV_C
1799
krb5_build_principal(krb5_context, krb5_principal *, unsigned int,
3616
krb5_address_order(krb5_context context, const krb5_address *addr1,
3617
const krb5_address *addr2);
3620
* Compare the realms of two principals.
3622
* @param [in] context Library context
3623
* @param [in] princ1 First principal
3624
* @param [in] princ2 Second principal
3627
* TRUE if the realm names are the same; FALSE otherwise
3629
krb5_boolean KRB5_CALLCONV
3630
krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
3631
krb5_const_principal princ2);
3634
* Compare two principals.
3636
* @param [in] context Library context
3637
* @param [in] princ1 First principal
3638
* @param [in] princ2 Second principal
3641
* TRUE if the principals are the same; FALSE otherwise
3643
krb5_boolean KRB5_CALLCONV
3644
krb5_principal_compare(krb5_context context,
3645
krb5_const_principal princ1,
3646
krb5_const_principal princ2);
3649
* Compare two principals ignoring realm components.
3651
* @param [in] context Library context
3652
* @param [in] princ1 First principal
3653
* @param [in] princ2 Second principal
3655
* Similar to krb5_principal_compare(), but do not compare the realm
3656
* components of the principals.
3659
* TRUE if the principals are the same; FALSE otherwise
3661
krb5_boolean KRB5_CALLCONV
3662
krb5_principal_compare_any_realm(krb5_context context,
3663
krb5_const_principal princ1,
3664
krb5_const_principal princ2);
3666
#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */
3667
#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */
3668
#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */
3669
#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */
3672
* Compare two principals with additional flags.
3674
* @param [in] context Library context
3675
* @param [in] princ1 First principal
3676
* @param [in] princ2 Second principal
3677
* @param [in] flags Flags
3680
* @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
3681
* @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
3682
* @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
3683
* @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
3685
* @sa krb5_principal_compare()
3688
* TRUE if the principal names are the same; FALSE otherwise
3690
krb5_boolean KRB5_CALLCONV
3691
krb5_principal_compare_flags(krb5_context context,
3692
krb5_const_principal princ1,
3693
krb5_const_principal princ2,
3697
* Initialize an empty @c krb5_keyblock.
3699
* @param [in] context Library context
3700
* @param [in] enctype Encryption type
3701
* @param [in] length Length of keyblock (or 0)
3702
* @param [out] out New keyblock structure
3704
* Initialize a new keyblock and allocate storage for the contents of the key.
3705
* It is legal to pass in a length of 0, in which case contents are left
3706
* unallocated. Use krb5_free_keyblock() to free @a out when it is no longer
3709
* @note If @a length is set to 0, contents are left unallocated.
3711
* @retval 0 Success; otherwise - Kerberos error codes
3713
krb5_error_code KRB5_CALLCONV
3714
krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
3715
size_t length, krb5_keyblock **out);
3720
* @param [in] context Library context
3721
* @param [in] from Keyblock to be copied
3722
* @param [out] to Copy of keyblock @a from
3724
* This function creates a new keyblock with the same contents as @a from. Use
3725
* krb5_free_keyblock() to free @a to when it is no longer needed.
3727
* @retval 0 Success; otherwise - Kerberos error codes
3729
krb5_error_code KRB5_CALLCONV
3730
krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from,
3731
krb5_keyblock **to);
3734
* Copy the contents of a keyblock.
3736
* @param [in] context Library context
3737
* @param [in] from Key to be copied
3738
* @param [out] to Output key
3740
* This function copies the contents of @a from to @a to. Use
3741
* krb5_free_keyblock_contents() to free @a to when it is no longer needed.
3743
* @retval 0 Success; otherwise - Kerberos error codes
3745
krb5_error_code KRB5_CALLCONV
3746
krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from,
3750
* Copy a krb5_creds structure.
3752
* @param [in] context Library context
3753
* @param [in] incred Credentials structure to be copied
3754
* @param [out] outcred Copy of @a incred
3756
* This function creates a new credential with the contents of @a incred. Use
3757
* krb5_free_creds() to free @a outcred when it is no longer needed.
3759
* @retval 0 Success; otherwise - Kerberos error codes
3761
krb5_error_code KRB5_CALLCONV
3762
krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred);
3765
* Copy a krb5_data object.
3767
* @param [in] context Library context
3768
* @param [in] indata Data object to be copied
3769
* @param [out] outdata Copy of @a indata
3771
* This function creates a new krb5_data object with the contents of @a indata.
3772
* Use krb5_free_data() to free @a outdata when it is no longer needed.
3774
* @retval 0 Success; otherwise - Kerberos error codes
3776
krb5_error_code KRB5_CALLCONV
3777
krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata);
3782
* @param [in] context Library context
3783
* @param [in] inprinc Principal to be copied
3784
* @param [out] outprinc Copy of @a inprinc
3786
* This function creates a new principal structure with the contents of @a
3787
* inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer
3790
* @retval 0 Success; otherwise - Kerberos error codes
3792
krb5_error_code KRB5_CALLCONV
3793
krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
3794
krb5_principal *outprinc);
3797
* Copy an array of addresses.
3799
* @param [in] context Library context
3800
* @param [in] inaddr Array of addresses to be copied
3801
* @param [out] outaddr Copy of array of addresses
3803
* This function creates a new address array containing a copy of @a inaddr.
3804
* Use krb5_free_addresses() to free @a outaddr when it is no longer needed.
3806
* @retval 0 Success; otherwise - Kerberos error codes
3808
krb5_error_code KRB5_CALLCONV
3809
krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr,
3810
krb5_address ***outaddr);
3813
* Copy a krb5_ticket structure.
3815
* @param [in] context Library context
3816
* @param [in] from Ticket to be copied
3817
* @param [out] pto Copy of ticket
3819
* This function creates a new krb5_ticket structure containing the contents of
3820
* @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed.
3822
* @retval 0 Success; otherwise - Kerberos error codes
3824
krb5_error_code KRB5_CALLCONV
3825
krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto);
3828
* Copy an authorization data list.
3830
* @param [in] context Library context
3831
* @param [in] in_authdat List of @a krb5_authdata structures
3832
* @param [out] out New array of @a krb5_authdata structures
3834
* This function creates a new authorization data list containing a copy of @a
3835
* in_authdat, which must be null-terminated. Use krb5_free_authdata() to free
3836
* @a out when it is no longer needed.
3838
* @note The last array entry in @a in_authdat must be a NULL pointer.
3840
* @retval 0 Success; otherwise - Kerberos error codes
3842
krb5_error_code KRB5_CALLCONV
3843
krb5_copy_authdata(krb5_context context,
3844
krb5_authdata *const *in_authdat, krb5_authdata ***out);
3847
* Find authorization data elements.
3849
* @param [in] context Library context
3850
* @param [in] ticket_authdata Authorization data list from ticket
3851
* @param [in] ap_req_authdata Authorization data list from AP request
3852
* @param [in] ad_type Authorization data type to find
3853
* @param [out] results List of matching entries
3855
* This function searches @a ticket_authdata and @a ap_req_authdata for
3856
* elements of type @a ad_type. Either input list may be NULL, in which case
3857
* it will not be searched; otherwise, the input lists must be terminated by
3858
* NULL entries. This function will search inside AD-IF-RELEVANT containers if
3859
* found in either list. Use krb5_free_authdata() to free @a results when it
3860
* is no longer needed.
3862
krb5_error_code KRB5_CALLCONV
3863
krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata,
3864
krb5_authdata *const *ap_req_authdata,
3865
krb5_authdatatype ad_type, krb5_authdata ***results);
3868
* Merge two authorization data lists into a new list.
3870
* @param [in] context Library context
3871
* @param [in] inauthdat1 First list of @a krb5_authdata structures
3872
* @param [in] inauthdat2 Second list of @a krb5_authdata structures
3873
* @param [out] outauthdat Merged list of @a krb5_authdata structures
3875
* Merge two authdata arrays, such as the array from a ticket
3876
* and authenticator.
3877
* Use krb5_free_authdata() to free @a outauthdat when it is no longer needed.
3879
* @note The last array entry in @a inauthdat1 and @a inauthdat2
3880
* must be a NULL pointer.
3882
* @retval 0 Success; otherwise - Kerberos error codes
3884
krb5_error_code KRB5_CALLCONV
3885
krb5_merge_authdata(krb5_context context,
3886
krb5_authdata *const *inauthdat1,
3887
krb5_authdata * const *inauthdat2,
3888
krb5_authdata ***outauthdat);
3891
* Copy a krb5_authenticator structure.
3893
* @param [in] context Library context
3894
* @param [in] authfrom krb5_authenticator structure to be copied
3895
* @param [out] authto Copy of krb5_authenticator structure
3897
* This function creates a new krb5_authenticator structure with the content of
3898
* @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no
3901
* @retval 0 Success; otherwise - Kerberos error codes
3903
krb5_error_code KRB5_CALLCONV
3904
krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom,
3905
krb5_authenticator **authto);
3908
* Copy a krb5_checksum structure.
3910
* @param [in] context Library context
3911
* @param [in] ckfrom Checksum to be copied
3912
* @param [out] ckto Copy of krb5_checksum structure
3914
* This function creates a new krb5_checksum structure with the contents of @a
3915
* ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer
3918
* @retval 0 Success; otherwise - Kerberos error codes
3920
krb5_error_code KRB5_CALLCONV
3921
krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom,
3922
krb5_checksum **ckto);
3925
* Generate a replay cache object for server use and open it.
3927
* @param [in] context Library context
3928
* @param [in] piece Unique identifier for replay cache
3929
* @param [out] rcptr Handle to an open rcache
3931
* This function generates a replay cache name based on @a piece and opens a
3932
* handle to it. Typically @a piece is the first component of the service
3933
* principal name. Use krb5_rc_close() to close @a rcptr when it is no longer
3936
* @retval 0 Success; otherwise - Kerberos error codes
3938
krb5_error_code KRB5_CALLCONV
3939
krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
3940
krb5_rcache *rcptr);
3943
* Build a principal name using length-counted strings.
3945
* @param [in] context Library context
3946
* @param [out] princ Principal name
3947
* @param [in] rlen Realm name length
3948
* @param [in] realm Realm name
3949
* @param [in] ... List of unsigned int/char * components, followed by 0
3951
* This function creates a principal from a length-counted string and a
3952
* variable-length list of length-counted components. The list of components
3953
* ends with the first 0 length argument (so it is not possible to specify an
3954
* empty component with this function). Call krb5_free_principal() to free
3955
* allocated memory for principal when it is no longer needed.
3958
* Example of how to build principal WELLKNOWN/ANONYMOUS@R
3959
* krb5_build_principal_ext(context, &principal, strlen("R"), "R",
3960
* (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR),
3961
* KRB5_WELLKNOWN_NAMESTR,
3962
* (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR),
3963
* KRB5_ANONYMOUS_PRINCSTR, 0);
3969
* Kerberos error codes
3971
krb5_error_code KRB5_CALLCONV_C
3972
krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
3973
unsigned int rlen, const char * realm, ...);
3976
* Build a principal name using null-terminated strings.
3978
* @param [in] context Library context
3979
* @param [out] princ Principal name
3980
* @param [in] rlen Realm name length
3981
* @param [in] realm Realm name
3982
* @param [in] ... List of char * components, ending with NULL
3984
* Call krb5_free_principal() to free @a princ when it is no longer needed.
3986
* @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the
3987
* same task. krb5_build_principal() takes variadic arguments.
3988
* krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer.
3991
* Example of how to build principal H/S@R
3992
* krb5_build_principal(context, &principal,
3993
* strlen("R"), "R", "H", "S", (char*)NULL);
3999
* Kerberos error codes
4001
krb5_error_code KRB5_CALLCONV_C
4002
krb5_build_principal(krb5_context context,
4003
krb5_principal * princ,
4005
const char * realm, ...)
1801
4006
#if __GNUC__ >= 4
1802
4007
__attribute__ ((sentinel))
1805
4010
#if KRB5_DEPRECATED
4011
/** @deprecated Replaced by krb5_build_principal_alloc_va(). */
1806
4012
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
1807
krb5_build_principal_va(krb5_context, krb5_principal, unsigned int,
1808
const char *, va_list);
4013
krb5_build_principal_va(krb5_context context,
4014
krb5_principal princ,
1811
/* Version of krb5_build_principal_va which allocates krb5_principal_data */
1812
krb5_error_code KRB5_CALLCONV
1813
krb5_build_principal_alloc_va(krb5_context, krb5_principal *, unsigned int,
1814
const char *, va_list);
1816
krb5_error_code KRB5_CALLCONV
1817
krb5_425_conv_principal(krb5_context, const char *name, const char *instance,
1818
const char *realm, krb5_principal *princ);
4021
* Build a principal name, using a precomputed variable argument list
4023
* @param [in] context Library context
4024
* @param [out] princ Principal structure
4025
* @param [in] rlen Realm name length
4026
* @param [in] realm Realm name
4027
* @param [in] ap List of char * components, ending with NULL
4029
* Similar to krb5_build_principal(), this function builds a principal name,
4030
* but its name components are specified as a va_list.
4032
* Use krb5_free_principal() to deallocate @a princ when it is no longer
4036
* Function usage example:
4038
* va_start(ap, realm);
4039
* krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
4046
* Kerberos error codes
4048
krb5_error_code KRB5_CALLCONV
4049
krb5_build_principal_alloc_va(krb5_context context,
4050
krb5_principal *princ,
4056
* Convert a Kerberos V4 principal to a Kerberos V5 principal.
4058
* @param [in] context Library context
4059
* @param [in] name V4 name
4060
* @param [in] instance V4 instance
4061
* @param [in] realm Realm
4062
* @param [out] princ V5 principal
4064
* This function builds a @a princ from V4 specification based on given input
4065
* @a name.instance\@realm.
4067
* Use krb5_free_principal() to free @a princ when it is no longer needed.
4069
* @retval 0 Success; otherwise - Kerberos error codes
4071
krb5_error_code KRB5_CALLCONV
4072
krb5_425_conv_principal(krb5_context context, const char *name,
4073
const char *instance, const char *realm,
4074
krb5_principal *princ);
4077
* Convert a Kerberos V5 principal to a Kerberos V4 principal.
4079
* @param [in] context Library context
4080
* @param [in] princ V5 Principal
4081
* @param [out] name V4 principal's name to be filled in
4082
* @param [out] inst V4 principal's instance name to be filled in
4083
* @param [out] realm Principal's realm name to be filled in
4085
* This function separates a V5 principal @a princ into @a name, @a instance,
4091
* KRB5_INVALID_PRINCIPAL Invalid principal name
4093
* KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file
4095
* Kerberos error codes
1820
4097
krb5_error_code KRB5_CALLCONV
1821
4098
krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
1822
4099
char *name, char *inst, char *realm);
1824
4103
struct credentials;
4106
* Convert a Kerberos V5 credentials to a Kerberos V4 credentials
4108
* @note Not implemented
4110
* @retval KRB524_KRB4_DISABLED (always)
1825
4112
int KRB5_CALLCONV
1826
4113
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
1827
4114
struct credentials *v4creds);
1828
4116
#if KRB5_DEPRECATED
1829
4117
#define krb524_convert_creds_kdc krb5_524_convert_creds
1830
4118
#define krb524_init_ets(x) (0)
1833
4121
/* libkt.spec */
1834
krb5_error_code KRB5_CALLCONV
1835
krb5_kt_resolve(krb5_context, const char *, krb5_keytab *);
1837
krb5_error_code KRB5_CALLCONV
1838
krb5_kt_default_name(krb5_context, char *, int);
1840
krb5_error_code KRB5_CALLCONV
1841
krb5_kt_default(krb5_context, krb5_keytab * );
1843
krb5_error_code KRB5_CALLCONV
1844
krb5_free_keytab_entry_contents(krb5_context, krb5_keytab_entry *);
1846
/* use krb5_free_keytab_entry_contents instead; this does the same thing but is
1847
* misnamed and retained for backward compatability.*/
1848
krb5_error_code KRB5_CALLCONV krb5_kt_free_entry(krb5_context,
1849
krb5_keytab_entry * );
4124
* Get a handle for a key table.
4126
* @param [in] context Library context
4127
* @param [in] name Name of the key table
4128
* @param [out] ktid Key table handle
4130
* Resolve the key table name @a name and fill in a handle identifying the key
4131
* table. The key table is not opened.
4133
* @note @a name must be of the form @c type:residual, where @a type must be a
4134
* type known to the library and @a residual portion should be specific to the
4135
* particular keytab type.
4137
* @sa krb5_kt_close()
4140
* Example: krb5_kt_resolve(context, "FILE:/tmp/filename",&ktid);
4146
* Kerberos error codes
4148
krb5_error_code KRB5_CALLCONV
4149
krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid);
4152
* Get default key table name.
4154
* @param [in] context Library context
4155
* @param [in,out] name Key table name to be resolved
4156
* @param [in] name_size Size of @a name to return
4158
* Fill @a name with the first @a name_size bytes of the name of the default
4159
* key table for the current user.
4161
* @sa MAX_KEYTAB_NAME_LEN
4166
* KRB5_CONFIG_NOTENUFSPACE Buffer is too short
4168
* Kerberos error codes
4170
krb5_error_code KRB5_CALLCONV
4171
krb5_kt_default_name(krb5_context context, char *name, int name_size);
4174
* Resolve default key table.
4176
* @param [in] context Library context
4177
* @param [in,out] id Key table handle
4179
* Fill @a keytab with the default key table's @a handle.
4184
* Kerberos error codes
4186
krb5_error_code KRB5_CALLCONV
4187
krb5_kt_default(krb5_context context, krb5_keytab *id);
4190
* Free the contents of a key table entry.
4192
* @param [in] context Library context
4193
* @param [in] entry Key table entry whose contents are to be freed
4195
* @note The pointer is not freed.
4197
* @retval 0 Success; otherwise - Kerberos error codes
4199
krb5_error_code KRB5_CALLCONV
4200
krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry);
4202
/** @deprecated Use krb5_free_keytab_entry_contents instead. */
4203
krb5_error_code KRB5_CALLCONV
4204
krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry);
1851
4207
/* remove and add are functions, so that they can return NOWRITE
1852
4208
if not a writable keytab */
1853
krb5_error_code KRB5_CALLCONV
1854
krb5_kt_remove_entry(krb5_context, krb5_keytab, krb5_keytab_entry *);
1856
krb5_error_code KRB5_CALLCONV
1857
krb5_kt_add_entry(krb5_context, krb5_keytab, krb5_keytab_entry *);
4211
* Remove an entry from a key table.
4213
* @param [in] context Library context
4214
* @param [in] id Key table handle
4215
* @param [in] entry Entry to remove from key table
4220
* KRB5_KT_NOWRITE Key table is not writable
4222
* Kerberos error codes
4224
krb5_error_code KRB5_CALLCONV
4225
krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
4228
* Add a new entry to a key table.
4230
* @param [in] context Library context
4231
* @param [in] id Key table handle
4232
* @param [in] entry Entry to be added
4237
* ENOMEM Insufficient memory
4239
* KRB5_KT_NOWRITE Key table is not writeable
4241
* Kerberos error codes
4243
krb5_error_code KRB5_CALLCONV
4244
krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
4247
* Convert a principal name into the default salt for that principal.
4249
* @param [in] context Library context
4250
* @param [in] pr Principal name
4251
* @param [out] ret Default salt for @a pr to be filled in
4253
* @retval 0 Success; otherwise - Kerberos error codes
1859
4255
krb5_error_code KRB5_CALLCONV_WRONG
1860
krb5_principal2salt(krb5_context, krb5_const_principal, krb5_data *);
4256
krb5_principal2salt(krb5_context context,
4257
register krb5_const_principal pr, krb5_data *ret);
1861
4258
/* librc.spec--see rcache.h */
1863
4260
/* libcc.spec */
4263
* Resolve a credential cache name.
4265
* @param [in] context Library context
4266
* @param [in] name Credential cache name to be resolved
4267
* @param [out] cache Credential cache handle
4269
* Fills in @a cache with a @a cache handle that corresponds to the name in @a
4270
* name. @a name should be of the form @c type:residual, and @a type must be a
4271
* type known to the library. If the @a name does not contain a colon,
4272
* interpret it as a file name.
4275
* Example: krb5_cc_resolve(context, "MEMORY:C_", &cache);
4281
* Kerberos error codes
1864
4283
krb5_error_code KRB5_CALLCONV
1865
krb5_cc_resolve(krb5_context, const char *, krb5_ccache *);
4284
krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache);
4287
* Duplicate ccache handle.
4289
* @param [in] context Library context
4290
* @param [in] in Credential cache handle to be duplicated
4291
* @param [out] out Credential cache handle
1868
4293
* Create a new handle referring to the same cache as @a in.
1869
4294
* The new handle and @a in can be closed independently.
1871
4296
krb5_error_code KRB5_CALLCONV
1872
4297
krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out);
4300
* Return the name of the default credential cache.
4302
* @param [in] context Library context
4304
* Try the environment variable KRB5CCNAME first then, if it is not set,
4305
* fall back on the default ccache name for the OS.
4308
* Name of default credential cache for the current user.
1874
4310
const char *KRB5_CALLCONV
1875
krb5_cc_default_name(krb5_context);
1877
krb5_error_code KRB5_CALLCONV
1878
krb5_cc_set_default_name(krb5_context, const char *);
1880
krb5_error_code KRB5_CALLCONV
1881
krb5_cc_default(krb5_context, krb5_ccache *);
4311
krb5_cc_default_name(krb5_context context);
4314
* Set the default credential cache name.
4316
* @param [in,out] context Library context
4317
* @param [in] name Default credential cache name
4319
* This function frees the old default credential cache name and then sets it
4325
* KV5M_CONTEXT Bad magic number for @c _krb5_context structure
4327
* Kerberos error codes
4329
krb5_error_code KRB5_CALLCONV
4330
krb5_cc_set_default_name(krb5_context context, const char *name);
4333
* Resolve the default crendentials cache name.
4335
* @param [in,out] context Library context
4336
* @param [out] ccache Pointer to credential cache name
4341
* KV5M_CONTEXT Bad magic number for @c _krb5_context structure
4343
* KRB5_FCC_INTERNAL The name of the default credential cache cannot be
4346
* Kerberos error codes
4348
krb5_error_code KRB5_CALLCONV
4349
krb5_cc_default(krb5_context context, krb5_ccache *ccache);
4352
* Copy a credential cache.
4354
* @param [in] context Library context
4355
* @param [in] incc Credential cache to be copied
4356
* @param [out] outcc Copy of credential cache to be filled in
4358
* @retval 0 Success; otherwise - Kerberos error codes
1883
4360
krb5_error_code KRB5_CALLCONV
1884
4361
krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc);
1886
krb5_error_code KRB5_CALLCONV
1887
krb5_cc_get_config(krb5_context, krb5_ccache,
1888
krb5_const_principal,
1889
const char *, krb5_data *);
1891
krb5_error_code KRB5_CALLCONV
1892
krb5_cc_set_config(krb5_context, krb5_ccache,
1893
krb5_const_principal,
1894
const char *, krb5_data *);
1896
krb5_boolean KRB5_CALLCONV
1897
krb5_is_config_principal(krb5_context,
1898
krb5_const_principal);
4364
* Get a configuration value from a credential cache.
4366
* @param [in] context Library context
4367
* @param [in] id Credential cache handle
4368
* @param [in] principal Configuration for this principal;
4369
* if NULL, global for the whole cache
4370
* @param [in] key Name of config variable
4371
* @param [out] data Data to be fetched
4373
* Use krb5_free_data_contents() to free @a data when it is no longer needed.
4378
* Kerberos error codes
4380
krb5_error_code KRB5_CALLCONV
4381
krb5_cc_get_config(krb5_context context, krb5_ccache id,
4382
krb5_const_principal principal,
4383
const char *key, krb5_data *data);
4386
* Store a configuration value in a credential cache.
4388
* @param [in] context Library context
4389
* @param [in] id Credential cache handle
4390
* @param [in] principal Configuration for a specific principal;
4391
* if NULL, global for the whole cache
4392
* @param [in] key Name of config variable
4393
* @param [in] data Data to store, or NULL to remove
4395
* @note Existing configuration under the same key is over-written.
4397
* @warning Before version 1.10 @a data was assumed to be always non-null.
4402
* Kerberos error codes
4404
krb5_error_code KRB5_CALLCONV
4405
krb5_cc_set_config(krb5_context context, krb5_ccache id,
4406
krb5_const_principal principal,
4407
const char *key, krb5_data *data);
4410
* Test whether a principal is a configuration principal.
4412
* @param [in] context Library context
4413
* @param [in] principal Principal to check
4416
* @c TRUE if the principal is a configuration principal (generated part of
4417
* krb5_cc_set_config()); @c FALSE otherwise.
4419
krb5_boolean KRB5_CALLCONV
4420
krb5_is_config_principal(krb5_context context, krb5_const_principal principal);
4423
* Make a credential cache the primary cache for its collection.
4425
* @param [in] context Library context
4426
* @param [in] cache Credential cache handle
4428
* If the type of @a cache supports it, set @a cache to be the primary
4429
* credential cache for the collection it belongs to.
4432
* 0 Success, or the type of @a cache doesn't support switching
4434
* Kerberos error codes
4436
krb5_error_code KRB5_CALLCONV
4437
krb5_cc_switch(krb5_context context, krb5_ccache cache);
4440
* Determine whether a credential cache type supports switching.
4442
* @param [in] context Library context
4443
* @param [in] type Credential cache type
4445
* @retval TRUE if @a type supports switching
4446
* @retval FALSE if it does not or is not a valid credential cache type.
4448
krb5_boolean KRB5_CALLCONV
4449
krb5_cc_support_switch(krb5_context context, const char *type);
4452
* Find a credential cache with a specified client principal.
4454
* @param [in] context Library context
4455
* @param [in] client Client principal
4456
* @param [out] cache_out Credential cache handle
4458
* Find a cache within the collection whose default principal is @a client.
4459
* Use @a krb5_cc_close to close @a ccache when it is no longer needed.
4462
* @retval KRB5_CC_NOTFOUND
4464
* @sa krb5_cccol_cursor_new
4466
krb5_error_code KRB5_CALLCONV
4467
krb5_cc_cache_match(krb5_context context, krb5_principal client,
4468
krb5_ccache *cache_out);
4471
* Select a credential cache to use with a server principal.
4473
* @param [in] context Library context
4474
* @param [in] server Server principal
4475
* @param [out] cache_out Credential cache handle
4476
* @param [out] princ_out Client principal
4478
* Select a cache within the collection containing credentials most appropriate
4479
* for use with @a server, according to configured rules and heuristics.
4481
* Use krb5_cc_close() to release @a cache_out when it is no longer needed.
4482
* Use krb5_free_principal() to release @a princ_out when it is no longer
4483
* needed. Note that @a princ_out is set in some error conditions.
4486
* If an appropriate cache is found, 0 is returned, @a cache_out is set to the
4487
* selected cache, and @a princ_out is set to the default principal of that
4490
* If the appropriate client principal can be authoritatively determined but
4491
* the cache collection contains no credentials for that principal, then
4492
* KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out
4493
* is set to the appropriate client principal.
4495
* If no configured mechanism can determine the appropriate cache or principal,
4496
* KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to
4499
* Any other error code indicates a fatal error in the processing of a cache
4500
* selection mechanism.
4502
krb5_error_code KRB5_CALLCONV
4503
krb5_cc_select(krb5_context context, krb5_principal server,
4504
krb5_ccache *cache_out, krb5_principal *princ_out);
1900
4506
/* krb5_free.c */
1901
void KRB5_CALLCONV krb5_free_principal(krb5_context, krb5_principal );
1902
void KRB5_CALLCONV krb5_free_authenticator(krb5_context,
1903
krb5_authenticator * );
1904
void KRB5_CALLCONV krb5_free_addresses(krb5_context, krb5_address ** );
1905
void KRB5_CALLCONV krb5_free_authdata(krb5_context, krb5_authdata ** );
1906
void KRB5_CALLCONV krb5_free_ticket(krb5_context, krb5_ticket * );
1907
void KRB5_CALLCONV krb5_free_error(krb5_context, krb5_error * );
1908
void KRB5_CALLCONV krb5_free_creds(krb5_context, krb5_creds *);
1909
void KRB5_CALLCONV krb5_free_cred_contents(krb5_context, krb5_creds *);
1910
void KRB5_CALLCONV krb5_free_checksum(krb5_context, krb5_checksum *);
1911
void KRB5_CALLCONV krb5_free_checksum_contents(krb5_context, krb5_checksum *);
1912
void KRB5_CALLCONV krb5_free_keyblock(krb5_context, krb5_keyblock *);
1913
void KRB5_CALLCONV krb5_free_keyblock_contents(krb5_context, krb5_keyblock *);
1914
void KRB5_CALLCONV krb5_free_ap_rep_enc_part(krb5_context,
1915
krb5_ap_rep_enc_part *);
1916
void KRB5_CALLCONV krb5_free_data(krb5_context, krb5_data *);
1917
void KRB5_CALLCONV krb5_free_data_contents(krb5_context, krb5_data *);
1918
void KRB5_CALLCONV krb5_free_unparsed_name(krb5_context, char *);
1919
void KRB5_CALLCONV krb5_free_cksumtypes(krb5_context, krb5_cksumtype *);
1921
/* From krb5/os but needed but by the outside world */
1922
krb5_error_code KRB5_CALLCONV
1923
krb5_us_timeofday(krb5_context, krb5_timestamp *, krb5_int32 *);
1925
krb5_error_code KRB5_CALLCONV
1926
krb5_timeofday(krb5_context, krb5_timestamp *);
1928
/* get all the addresses of this host */
1929
krb5_error_code KRB5_CALLCONV
1930
krb5_os_localaddr(krb5_context, krb5_address ***);
1932
krb5_error_code KRB5_CALLCONV
1933
krb5_get_default_realm(krb5_context, char **);
1935
krb5_error_code KRB5_CALLCONV
1936
krb5_set_default_realm(krb5_context, const char * );
1939
krb5_free_default_realm(krb5_context, char * );
1941
krb5_error_code KRB5_CALLCONV
1942
krb5_sname_to_principal(krb5_context, const char *, const char *, krb5_int32,
4508
* Free the storage assigned to a principal.
4510
* @param [in] context Library context
4511
* @param [in] val Principal to be freed
4514
krb5_free_principal(krb5_context context, krb5_principal val);
4517
* Free a krb5_authenticator structure.
4519
* @param [in] context Library context
4520
* @param [in] val Authenticator structure to be freed
4522
* This function frees the contents of @a val and the structure itself.
4525
krb5_free_authenticator(krb5_context context, krb5_authenticator *val);
4528
* Free the data stored in array of addresses.
4530
* @param [in] context Library context
4531
* @param [in] val Array of addresses to be freed
4533
* This function frees the contents of @a val and the array itself.
4535
* @note The last entry in the array must be a NULL pointer.
4538
krb5_free_addresses(krb5_context context, krb5_address **val);
4541
* Free the storage assigned to array of authentication data.
4543
* @param [in] context Library context
4544
* @param [in] val Array of authentication data to be freed
4546
* This function frees the contents of @a val and the array itself.
4548
* @note The last entry in the array must be a NULL pointer.
4551
krb5_free_authdata(krb5_context context, krb5_authdata **val);
4556
* @param [in] context Library context
4557
* @param [in] val Ticket to be freed
4559
* This function frees the contents of @a val and the structure itself.
4562
krb5_free_ticket(krb5_context context, krb5_ticket *val);
4565
* Free an error allocated by krb5_read_error() or krb5_sendauth().
4567
* @param [in] context Library context
4568
* @param [in] val Error data structure to be freed
4570
* This function frees the contents of @a val and the structure itself.
4573
krb5_free_error(krb5_context context, register krb5_error *val);
4576
* Free a krb5_creds structure.
4578
* @param [in] context Library context
4579
* @param [in] val Credential structure to be freed.
4581
* This function frees the contents of @a val and the structure itself.
4584
krb5_free_creds(krb5_context context, krb5_creds *val);
4587
* Free the contents of a krb5_creds structure.
4589
* @param [in] context Library context
4590
* @param [in] val Credential structure to free contents of
4592
* This function frees the contents of @a val, but not the structure itself.
4595
krb5_free_cred_contents(krb5_context context, krb5_creds *val);
4598
* Free a krb5_checksum structure.
4600
* @param [in] context Library context
4601
* @param [in] val Checksum structure to be freed
4603
* This function frees the contents of @a val and the structure itself.
4606
krb5_free_checksum(krb5_context context, register krb5_checksum *val);
4609
* Free the contents of a krb5_checksum structure.
4611
* @param [in] context Library context
4612
* @param [in] val Checksum structure to free contents of
4614
* This function frees the contents of @a val, but not the structure itself.
4617
krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val);
4620
* Free a krb5_keyblock structure.
4622
* @param [in] context Library context
4623
* @param [in] val Keyblock to be freed
4625
* This function frees the contents of @a val and the structure itself.
4628
krb5_free_keyblock(krb5_context context, register krb5_keyblock *val);
4631
* Free the contents of a krb5_keyblock structure.
4633
* @param [in] context Library context
4634
* @param [in] key Keyblock to be freed
4636
* This function frees the contents of @a key, but not the structure itself.
4639
krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key);
4642
* Free a krb5_ap_rep_enc_part structure.
4644
* @param [in] context Library context
4645
* @param [in] val AP-REP enc part to be freed
4647
* This function frees the contents of @a val and the structure itself.
4650
krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
4653
* Free a krb5_data structure.
4655
* @param [in] context Library context
4656
* @param [in] val Data structure to be freed
4658
* This function frees the contents of @a val and the structure itself.
4661
krb5_free_data(krb5_context context, krb5_data *val);
4664
* Free storage associated with a @c krb5_octet_data structure and its pointer.
4666
* @param [in] context Context structure
4667
* @param [in] val Data structure to be freed
4673
krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
4676
* Free the contents of a krb5_data structure and zero the data field.
4678
* @param [in] context Library context
4679
* @param [in] val Data structure to free contents of
4681
* This function frees the contents of @a val, but not the structure itself.
4684
krb5_free_data_contents(krb5_context context, krb5_data *val);
4687
* Free a string representation of a principal.
4689
* @param [in] context Library context
4690
* @param [in] val Name string to be freed
4693
krb5_free_unparsed_name(krb5_context context, char *val);
4696
* Free a string allocated by a krb5 function.
4698
* @param [in] context Library context
4699
* @param [in] val String to be freed
4702
krb5_free_string(krb5_context context, char *val);
4705
* Free an array of checksum types.
4707
* @param [in] context Library context
4708
* @param [in] val Array of checksum types to be freed
4711
krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val);
4713
/* From krb5/os, but needed by the outside world */
4715
* Retrieve the system time of day, in sec and ms, since the epoch.
4717
* @param [in] context Library context
4718
* @param [out] seconds System timeofday, seconds portion
4719
* @param [out] microseconds System timeofday, microseconds portion
4721
* This function retrieves the system time of day with the context
4722
* specific time offset adjustment.
4724
* @sa krb5_crypto_us_timeofday()
4729
* Kerberos error codes
4731
krb5_error_code KRB5_CALLCONV
4732
krb5_us_timeofday(krb5_context context,
4733
krb5_timestamp *seconds, krb5_int32 *microseconds);
4736
* Retrieve the current time with context specific time offset adjustment.
4738
* @param [in] context Library context
4739
* @param [in,out] timeret Timestamp to fill in
4741
* This function retrieves the system time of day with the context specific
4742
* time offset adjustment.
4747
* Kerberos error codes
4749
krb5_error_code KRB5_CALLCONV
4750
krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
4753
* Check if a timestamp is within the allowed clock skew of the current time.
4755
* @param [in] context Library context
4756
* @param [in] date Timestamp to check
4758
* This function checks if @a date is close enough to the current time
4759
* according to the configured allowable clock skew.
4762
* @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
4764
krb5_error_code KRB5_CALLCONV
4765
krb5_check_clockskew(krb5_context context, krb5_timestamp date);
4768
* Return all interface addresses for this host.
4770
* @param [in] context Library context
4771
* @param [out] addr Array of krb5_address pointers, ending with
4774
* Use krb5_free_addresses() to free @a addr when it is no longer needed.
4776
* @retval 0 Success; otherwise - Kerberos error codes
4778
krb5_error_code KRB5_CALLCONV
4779
krb5_os_localaddr(krb5_context context, krb5_address ***addr);
4782
* Retrieve the default realm.
4784
* @param [in] context Library context
4785
* @param [out] lrealm Default realm name
4787
* Retrieves the default realm to be used if no user-specified realm is
4790
* Use krb5_free_default_realm() to free @a lrealm when it is no longer needed.
4795
* Kerberos error codes
4797
krb5_error_code KRB5_CALLCONV
4798
krb5_get_default_realm(krb5_context context, char **lrealm);
4801
* Override the default realm for the specified context.
4803
* @param [in] context Library context
4804
* @param [in] lrealm Realm name for the default realm
4806
* If @a lrealm is NULL, clear the default realm setting.
4811
* Kerberos error codes
4813
krb5_error_code KRB5_CALLCONV
4814
krb5_set_default_realm(krb5_context context, const char *lrealm);
4817
* Free a default realm string returned by krb5_get_default_realm().
4819
* @param [in] context Library context
4820
* @param [in] lrealm Realm to be freed
4823
krb5_free_default_realm(krb5_context context, char *lrealm);
4826
* Generate a full principal name from a service name.
4828
* @param [in] context Library context
4829
* @param [in] hostname Host name, or NULL to use local host
4830
* @param [in] sname Service name, or NULL to use @c "host"
4831
* @param [in] type Principal type
4832
* @param [out] ret_princ Generated principal
4834
* This function converts a @a hostname and @a sname into @a krb5_principal
4835
* structure @a ret_princ. The returned principal will be of the form @a
4836
* sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm().
4837
* In some cases this may be the referral (empty) realm.
4839
* The @a type can be one of the following:
4841
* @li #KRB5_NT_SRV_HOST canonicalizes the host name before looking up the
4842
* realm and generating the principal.
4844
* @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not
4847
* Use krb5_free_principal to free @a ret_princ when it is no longer needed.
4852
* Kerberos error codes
4854
krb5_error_code KRB5_CALLCONV
4855
krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname,
4856
krb5_int32 type, krb5_principal *ret_princ);
4859
* Test whether a principal matches a matching principal.
4861
* @param [in] context Library context
4862
* @param [in] matching Matching principal
4863
* @param [in] princ Principal to test
4865
* @note A matching principal is a host-based principal with an empty realm
4866
* and/or second data component (hostname). Profile configuration may cause
4867
* the hostname to be ignored even if it is present. A principal matches a
4868
* matching principal if the former has the same non-empty (and non-ignored)
4869
* components of the latter.
4871
* If @a matching is NULL, return TRUE. If @a matching is not a matching
4872
* principal, return the value of krb5_principal_compare(context, matching,
4876
* TRUE if @a princ matches @a matching, FALSE otherwise.
4878
krb5_boolean KRB5_CALLCONV
4879
krb5_sname_match(krb5_context context, krb5_const_principal matching,
4880
krb5_const_principal princ);
4883
* Change a password for an existing Kerberos account.
4885
* @param [in] context Library context
4886
* @param [in] creds Credentials for kadmin/changepw service
4887
* @param [in] newpw New password
4888
* @param [out] result_code Numeric error code from server
4889
* @param [out] result_code_string String equivalent to @a result_code
4890
* @param [out] result_string Change password response from the KDC
4892
* Change the password for the existing principal identified by @a creds.
4894
* The possible values of the output @a result_code are:
4896
* @li #KRB5_KPASSWD_SUCCESS (0) - success
4897
* @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
4898
* @li #KRB5_KPASSWD_HARDERROR (2) - Server error
4899
* @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
4900
* @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
4902
* @retval 0 Success; otherwise - Kerberos error codes
1945
4904
krb5_error_code KRB5_CALLCONV
1946
4905
krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw,
1947
4906
int *result_code, krb5_data *result_code_string,
1948
4907
krb5_data *result_string);
4910
* Set a password for a principal using specified credentials.
4912
* @param [in] context Library context
4913
* @param [in] creds Credentials for kadmin/changepw service
4914
* @param [in] newpw New password
4915
* @param [in] change_password_for Change the password for this principal
4916
* @param [out] result_code Numeric error code from server
4917
* @param [out] result_code_string String equivalent to @a result_code
4918
* @param [out] result_string Data returned from the remote system
4920
* This function uses the credentials @a creds to set the password @a newpw for
4921
* the principal @a change_password_for. It implements the set password
4922
* operation of RFC 3244, for interoperability with Microsoft Windows
4925
* @note If @a change_password_for is NULL, the change is performed on the
4926
* current principal. If @a change_password_for is non-null, the change is
4927
* performed on the principal name passed in @a change_password_for.
4929
* The error code and strings are returned in @a result_code,
4930
* @a result_code_string and @a result_string.
4932
* @sa krb5_set_password_using_ccache()
4935
* 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
4937
* Kerberos error codes.
1950
4939
krb5_error_code KRB5_CALLCONV
1951
4940
krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
1952
4941
krb5_principal change_password_for, int *result_code,
1953
4942
krb5_data *result_code_string, krb5_data *result_string);
4945
* Set a password for a principal using cached credentials.
4947
* @param [in] context Library context
4948
* @param [in] ccache Credential cache
4949
* @param [in] newpw New password
4950
* @param [in] change_password_for Change the password for this principal
4951
* @param [out] result_code Numeric error code from server
4952
* @param [out] result_code_string String equivalent to @a result_code
4953
* @param [out] result_string Data returned from the remote system
4955
* This function uses the cached credentials from @a ccache to set the password
4956
* @a newpw for the principal @a change_password_for. It implements RFC 3244
4957
* set password operation (interoperable with MS Windows implementations) using
4958
* the credential cache.
4960
* The error code and strings are returned in @a result_code,
4961
* @a result_code_string and @a result_string.
4963
* @note If @a change_password_for is set to NULL, the change is performed on
4964
* the default principal in @a ccache. If @a change_password_for is non null,
4965
* the change is performed on the specified principal.
4967
* @sa krb5_set_password()
4972
* Kerberos error codes
1955
4974
krb5_error_code KRB5_CALLCONV
1956
4975
krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
1957
4976
char *newpw, krb5_principal change_password_for,
1958
4977
int *result_code, krb5_data *result_code_string,
1959
4978
krb5_data *result_string);
4981
* Retrieve configuration profile from the context.
4983
* @param [in] context Library context
4984
* @param [out] profile Pointer to data read from a configuration file
4986
* This function creates a new @a profile object that reflects profile
4987
* in the supplied @a context.
4989
* The @a profile object may be freed with profile_release() function.
4990
* See profile.h and profile API for more details.
4995
* Kerberos error codes
1961
4997
krb5_error_code KRB5_CALLCONV
1962
krb5_get_profile(krb5_context, struct _profile_t * /* profile_t */ *);
4998
krb5_get_profile(krb5_context context, struct _profile_t ** profile);
1964
5000
#if KRB5_DEPRECATED
1965
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
1966
krb5_get_in_tkt_with_password(krb5_context, krb5_flags, krb5_address *const *,
1967
krb5_enctype *, krb5_preauthtype *, const char *,
1968
krb5_ccache, krb5_creds *, krb5_kdc_rep **);
1970
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
1971
krb5_get_in_tkt_with_skey(krb5_context, krb5_flags, krb5_address *const *,
1972
krb5_enctype *, krb5_preauthtype *,
1973
const krb5_keyblock *, krb5_ccache, krb5_creds *,
1976
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
1977
krb5_get_in_tkt_with_keytab(krb5_context, krb5_flags, krb5_address *const *,
1978
krb5_enctype *, krb5_preauthtype *, krb5_keytab,
1979
krb5_ccache, krb5_creds *, krb5_kdc_rep ** );
5001
/** @deprecated Replaced by krb5_get_init_creds_password().*/
5002
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5003
krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
5004
krb5_address *const *addrs, krb5_enctype *ktypes,
5005
krb5_preauthtype *pre_auth_types,
5006
const char *password, krb5_ccache ccache,
5007
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
5009
/** @deprecated Replaced by krb5_get_init_creds(). */
5010
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5011
krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
5012
krb5_address *const *addrs, krb5_enctype *ktypes,
5013
krb5_preauthtype *pre_auth_types,
5014
const krb5_keyblock *key, krb5_ccache ccache,
5015
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
5017
/** @deprecated Replaced by krb5_get_init_creds_keytab(). */
5018
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5019
krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
5020
krb5_address *const *addrs, krb5_enctype *ktypes,
5021
krb5_preauthtype *pre_auth_types,
5022
krb5_keytab arg_keytab, krb5_ccache ccache,
5023
krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
1980
5025
#endif /* KRB5_DEPRECATED */
1982
krb5_error_code KRB5_CALLCONV
1983
krb5_rd_req(krb5_context, krb5_auth_context *, const krb5_data *,
1984
krb5_const_principal, krb5_keytab, krb5_flags *, krb5_ticket **);
1986
krb5_error_code KRB5_CALLCONV
1987
krb5_kt_read_service_key(krb5_context, krb5_pointer, krb5_principal, krb5_kvno,
1988
krb5_enctype, krb5_keyblock **);
1990
krb5_error_code KRB5_CALLCONV
1991
krb5_mk_safe(krb5_context, krb5_auth_context, const krb5_data *, krb5_data *,
1992
krb5_replay_data *);
1994
krb5_error_code KRB5_CALLCONV
1995
krb5_mk_priv(krb5_context, krb5_auth_context, const krb5_data *, krb5_data *,
1996
krb5_replay_data *);
1998
krb5_error_code KRB5_CALLCONV
1999
krb5_sendauth(krb5_context, krb5_auth_context *, krb5_pointer, char *,
2000
krb5_principal, krb5_principal, krb5_flags, krb5_data *,
2001
krb5_creds *, krb5_ccache, krb5_error **,
2002
krb5_ap_rep_enc_part **, krb5_creds **);
2004
krb5_error_code KRB5_CALLCONV
2005
krb5_recvauth(krb5_context, krb5_auth_context *, krb5_pointer, char *,
2006
krb5_principal, krb5_int32, krb5_keytab, krb5_ticket **);
2008
krb5_error_code KRB5_CALLCONV
2009
krb5_recvauth_version(krb5_context, krb5_auth_context *, krb5_pointer,
2010
krb5_principal, krb5_int32, krb5_keytab, krb5_ticket **,
2013
krb5_error_code KRB5_CALLCONV
2014
krb5_mk_ncred(krb5_context, krb5_auth_context, krb5_creds **, krb5_data **,
2015
krb5_replay_data *);
2017
krb5_error_code KRB5_CALLCONV
2018
krb5_mk_1cred(krb5_context, krb5_auth_context, krb5_creds *, krb5_data **,
2019
krb5_replay_data *);
2021
krb5_error_code KRB5_CALLCONV
2022
krb5_rd_cred(krb5_context, krb5_auth_context, krb5_data *, krb5_creds ***,
2023
krb5_replay_data *);
2025
krb5_error_code KRB5_CALLCONV
2026
krb5_fwd_tgt_creds(krb5_context, krb5_auth_context, char *, krb5_principal,
2027
krb5_principal, krb5_ccache, int forwardable, krb5_data *);
2029
krb5_error_code KRB5_CALLCONV
2030
krb5_auth_con_init(krb5_context, krb5_auth_context *);
2032
krb5_error_code KRB5_CALLCONV
2033
krb5_auth_con_free(krb5_context, krb5_auth_context);
2035
krb5_error_code KRB5_CALLCONV
2036
krb5_auth_con_setflags(krb5_context, krb5_auth_context, krb5_int32);
2038
krb5_error_code KRB5_CALLCONV
2039
krb5_auth_con_getflags(krb5_context, krb5_auth_context, krb5_int32 *);
2041
krb5_error_code KRB5_CALLCONV
2042
krb5_auth_con_set_checksum_func(krb5_context, krb5_auth_context,
2043
krb5_mk_req_checksum_func, void *);
2045
krb5_error_code KRB5_CALLCONV
2046
krb5_auth_con_get_checksum_func(krb5_context, krb5_auth_context,
2047
krb5_mk_req_checksum_func *, void **);
2049
krb5_error_code KRB5_CALLCONV_WRONG
2050
krb5_auth_con_setaddrs(krb5_context, krb5_auth_context, krb5_address *,
2053
krb5_error_code KRB5_CALLCONV
2054
krb5_auth_con_getaddrs(krb5_context, krb5_auth_context, krb5_address **,
2057
krb5_error_code KRB5_CALLCONV
2058
krb5_auth_con_setports(krb5_context, krb5_auth_context, krb5_address *,
2061
krb5_error_code KRB5_CALLCONV
2062
krb5_auth_con_setuseruserkey(krb5_context, krb5_auth_context, krb5_keyblock *);
2064
krb5_error_code KRB5_CALLCONV
2065
krb5_auth_con_getkey(krb5_context, krb5_auth_context, krb5_keyblock **);
2067
krb5_error_code KRB5_CALLCONV
2068
krb5_auth_con_getkey_k(krb5_context, krb5_auth_context, krb5_key *);
2070
krb5_error_code KRB5_CALLCONV
2071
krb5_auth_con_getsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
2073
krb5_error_code KRB5_CALLCONV
2074
krb5_auth_con_getsendsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
2076
krb5_error_code KRB5_CALLCONV
2077
krb5_auth_con_getrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
2079
krb5_error_code KRB5_CALLCONV
2080
krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
2082
krb5_error_code KRB5_CALLCONV
2083
krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
2085
krb5_error_code KRB5_CALLCONV
2086
krb5_auth_con_setsendsubkey_k(krb5_context, krb5_auth_context, krb5_key);
2088
krb5_error_code KRB5_CALLCONV
2089
krb5_auth_con_setrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
2091
krb5_error_code KRB5_CALLCONV
2092
krb5_auth_con_setrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key);
2095
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
2096
krb5_auth_con_getlocalsubkey(krb5_context, krb5_auth_context,
2099
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
2100
krb5_auth_con_getremotesubkey(krb5_context, krb5_auth_context,
2104
krb5_error_code KRB5_CALLCONV
2105
krb5_auth_con_getlocalseqnumber(krb5_context, krb5_auth_context, krb5_int32 *);
2107
krb5_error_code KRB5_CALLCONV
2108
krb5_auth_con_getremoteseqnumber(krb5_context, krb5_auth_context,
2112
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
2113
krb5_auth_con_initivector(krb5_context, krb5_auth_context);
2116
krb5_error_code KRB5_CALLCONV
2117
krb5_auth_con_setrcache(krb5_context, krb5_auth_context, krb5_rcache);
2119
krb5_error_code KRB5_CALLCONV_WRONG
2120
krb5_auth_con_getrcache(krb5_context, krb5_auth_context, krb5_rcache *);
2122
krb5_error_code KRB5_CALLCONV
2123
krb5_auth_con_getauthenticator(krb5_context, krb5_auth_context,
2124
krb5_authenticator **);
2126
krb5_error_code KRB5_CALLCONV
2127
krb5_auth_con_set_req_cksumtype(krb5_context, krb5_auth_context,
5028
* Parse and decrypt a @c KRB_AP_REQ message.
5030
* @param [in] context Library context
5031
* @param [in,out] auth_context Pre-existing or newly created auth context
5032
* @param [in] inbuf AP-REQ message to be parsed
5033
* @param [in] server Matching principal for server, or NULL to
5034
* allow any principal in keytab
5035
* @param [in] keytab Key table, or NULL to use the default
5036
* @param [out] ap_req_options If non-null, the AP-REQ flags on output
5037
* @param [out] ticket If non-null, ticket from the AP-REQ message
5039
* This function parses, decrypts and verifies a AP-REQ message from @a inbuf
5040
* and stores the authenticator in @a auth_context.
5042
* If a keyblock is present in the @a auth_context, it is used to decrypt the
5043
* ticket in AP-REQ message. (This is useful for user-to-user authentication.)
5044
* Otherwise, the decryption key is obtained from the @a keytab. If @a keytab
5045
* is iterable, all of its key entries it will be tried against the ticket;
5046
* otherwise, the server principal in the ticket will be looked up in the
5047
* keytab and that key will be tried.
5049
* The client specified in the decrypted authenticator must match the client
5050
* specified in the decrypted ticket. If @a server is non-null, the key in
5051
* which the ticket is encrypted must correspond to a principal in @a keytab
5052
* matching @a server according to the rules of krb5_sname_match().
5054
* If the @a remote_addr field of @a auth_context is set, the request must come
5055
* from that address.
5057
* If a replay cache handle is provided in the @a auth_context, the
5058
* authenticator and ticket are verified against it. If no conflict is found,
5059
* the new authenticator is then stored in the replay cash of @a auth_context.
5061
* Various other checks are performed on the decoded data, including
5062
* cross-realm policy, clockskew, and ticket validation times.
5064
* On success the authenticator, subkey, and remote sequence number of the
5065
* request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED
5066
* bit is set, the local sequence number is XORed with the remote sequence
5067
* number in the request.
5069
* Use krb5_free_ticket() to free @a ticket when it is no longer needed.
5071
* @retval 0 Success; otherwise - Kerberos error codes
5073
krb5_error_code KRB5_CALLCONV
5074
krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
5075
const krb5_data *inbuf, krb5_const_principal server,
5076
krb5_keytab keytab, krb5_flags *ap_req_options,
5077
krb5_ticket **ticket);
5080
* Retrieve a service key from a key table.
5082
* @param [in] context Library context
5083
* @param [in] keyprocarg Name of a key table (NULL to use default name)
5084
* @param [in] principal Service principal
5085
* @param [in] vno Key version number (0 for highest available)
5086
* @param [in] enctype Encryption type (0 for any type)
5087
* @param [out] key Service key from key table
5089
* Open and search the specified key table for the entry identified by @a
5090
* principal, @a enctype, and @a vno. If no key is found, return an error code.
5092
* The default key table is used, unless @a keyprocarg is non-null.
5093
* @a keyprocarg designates a specific key table.
5095
* Use krb5_free_keyblock() to free @a key when it is no longer needed.
5099
* @return Kerberos error code if not found or @a keyprocarg is invalid.
5101
krb5_error_code KRB5_CALLCONV
5102
krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg,
5103
krb5_principal principal, krb5_kvno vno,
5104
krb5_enctype enctype, krb5_keyblock **key);
5107
* Format a @c KRB-SAFE message.
5109
* @param [in] context Library context
5110
* @param [in,out] auth_context Authentication context
5111
* @param [in] userdata User data in the message
5112
* @param [out] outbuf Formatted @c KRB-SAFE buffer
5113
* @param [out] outdata Replay data. Specify NULL if not needed
5115
* This function creates an integrity protected @c KRB-SAFE message
5116
* using data supplied by the application.
5118
* Fields in @a auth_context specify the checksum type, the keyblock that
5119
* can be used to seed the checksum, full addresses (host and port) for
5120
* the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags.
5122
* The local address in @a auth_context must be set, and is used to form the
5123
* sender address used in the KRB-SAFE message. The remote address is
5124
* optional; if specified, it will be used to form the receiver address used in
5127
* If #KRB5_AUTH_CONTEXT_DO_TIME flag is set in the @a auth_context, an entry
5128
* describing the message is entered in the replay cache @a
5129
* auth_context->rcache which enables the caller to detect if this message is
5130
* reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, the
5131
* replay cache is not used.
5133
* If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
5134
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the @a auth_context local sequence
5135
* number will be placed in @a outdata as its sequence number.
5137
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
5138
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.
5140
* Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
5142
* @retval 0 Success; otherwise - Kerberos error codes
5144
krb5_error_code KRB5_CALLCONV
5145
krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
5146
const krb5_data *userdata, krb5_data *outbuf,
5147
krb5_replay_data *outdata);
5150
* Format a @c KRB-PRIV message.
5152
* @param [in] context Library context
5153
* @param [in,out] auth_context Authentication context
5154
* @param [in] userdata User data for @c KRB-PRIV message
5155
* @param [out] outbuf Formatted @c KRB-PRIV message
5156
* @param [out] outdata Replay cache handle (NULL if not needed)
5158
* This function is similar to krb5_mk_safe(), but the message is encrypted and
5159
* integrity-protected, not just integrity-protected.
5161
* The local address in @a auth_context must be set, and is used to form the
5162
* sender address used in the KRB-SAFE message. The remote address is
5163
* optional; if specified, it will be used to form the receiver address used in
5166
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or
5167
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in @a auth_context, the @a
5168
* outdata is required.
5170
* @note The flags from @a auth_context specify whether sequence numbers or
5171
* timestamps will be used to identify the message. Valid values are:
5173
* @li #KRB5_AUTH_CONTEXT_DO_TIME - Use timestamps in @a outdata
5174
* @li #KRB5_AUTH_CONTEXT_RET_TIME - Copy timestamp to @a outdata.
5175
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE - Use local sequence numbers from
5176
* @a auth_context in replay cache.
5177
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE - Use local sequence numbers from
5178
* @a auth_context as a sequence number
5179
* in the encrypted message @a outbuf.
5181
* @retval 0 Success; otherwise - Kerberos error codes
5183
krb5_error_code KRB5_CALLCONV
5184
krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
5185
const krb5_data *userdata, krb5_data *outbuf,
5186
krb5_replay_data *outdata);
5189
* Client function for @c sendauth protocol.
5191
* @param [in] context Library context
5192
* @param [in,out] auth_context Authentication context
5193
* @param [in] fd File descriptor that describes network socket
5194
* @param [in] appl_version Application protocol version to be matched
5195
* with the receiver's application version
5196
* @param [in] client Client principal
5197
* @param [in] server Server principal
5198
* @param [in] ap_req_options @ref AP_OPTS options
5199
* @param [in] in_data Data to be sent to the server
5200
* @param [in] in_creds Input credentials, or NULL to use @a ccache
5201
* @param [in] ccache Credential cache
5202
* @param [out] error If non-null, contains KRB_ERROR message
5203
* returned from server
5204
* @param [out] rep_result If non-null and @a ap_req_options is
5205
* #AP_OPTS_MUTUAL_REQUIRED, contains the result
5206
* of mutual authentication exchange
5207
* @param [out] out_creds If non-null, the retrieved credentials
5209
* This function performs the client side of a sendauth/recvauth exchange by
5210
* sending and receiving messages over @a fd.
5212
* Credentials may be specified in three ways:
5214
* @li If @a in_creds is NULL, credentials are obtained with
5215
* krb5_get_credentials() using the principals @a client and @a server. @a
5216
* server must be non-null; @a client may NULL to use the default principal of
5219
* @li If @a in_creds is non-null, but does not contain a ticket, credentials
5220
* for the exchange are obtained with krb5_get_credentials() using @a in_creds.
5221
* In this case, the values of @a client and @a server are unused.
5223
* @li If @a in_creds is a complete credentials structure, it used directly.
5224
* In this case, the values of @a client, @a server, and @a ccache are unused.
5226
* If the server is using a different application protocol than that specified
5227
* in @a appl_version, an error will be returned.
5229
* Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to
5230
* free @a rep_result, and krb5_free_error() to free @a error when they are no
5233
* @sa krb5_recvauth()
5235
* @retval 0 Success; otherwise - Kerberos error codes
5237
krb5_error_code KRB5_CALLCONV
5238
krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
5239
krb5_pointer fd, char *appl_version, krb5_principal client,
5240
krb5_principal server, krb5_flags ap_req_options,
5241
krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
5242
krb5_error **error, krb5_ap_rep_enc_part **rep_result,
5243
krb5_creds **out_creds);
5246
* Server function for @a sendauth protocol.
5248
* @param [in] context Library context
5249
* @param [in,out] auth_context Authentication context
5250
* @param [in] fd File descriptor
5251
* @param [in] appl_version Application protocol version to be matched
5252
* against the client's application version
5253
* @param [in] server Server principal (NULL for any in @a keytab)
5254
* @param [in] flags Additional specifications
5255
* @param [in] keytab Key table containing service keys
5256
* @param [out] ticket Ticket (NULL if not needed)
5258
* This function performs the srever side of a sendauth/recvauth exchange by
5259
* sending and receiving messages over @a fd.
5261
* Use krb5_free_ticket() to free @a ticket when it is no longer needed.
5263
* @sa krb5_sendauth()
5265
* @retval 0 Success; otherwise - Kerberos error codes
5267
krb5_error_code KRB5_CALLCONV
5268
krb5_recvauth(krb5_context context, krb5_auth_context *auth_context,
5269
krb5_pointer fd, char *appl_version, krb5_principal server,
5270
krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket);
5273
* Server function for @a sendauth protocol with version parameter.
5275
* @param [in] context Library context
5276
* @param [in,out] auth_context Authentication context
5277
* @param [in] fd File descriptor
5278
* @param [in] server Server principal (NULL for any in @a keytab)
5279
* @param [in] flags Additional specifications
5280
* @param [in] keytab Decryption key
5281
* @param [out] ticket Ticket (NULL if not needed)
5282
* @param [out] version sendauth protocol version (NULL if not needed)
5284
* This function is similar to krb5_recvauth() with the additional output
5285
* information place into @a version.
5287
* @retval 0 Success; otherwise - Kerberos error codes
5289
krb5_error_code KRB5_CALLCONV
5290
krb5_recvauth_version(krb5_context context,
5291
krb5_auth_context *auth_context,
5293
krb5_principal server,
5296
krb5_ticket **ticket,
5297
krb5_data *version);
5300
* Format a @c KRB-CRED message for an array of credentials.
5302
* @param [in] context Library context
5303
* @param [in,out] auth_context Authentication context
5304
* @param [in] ppcreds Null-terminated array of credentials
5305
* @param [out] ppdata Encoded credentials
5306
* @param [out] outdata Replay cache information (NULL if not needed)
5308
* This function takes an array of credentials @a ppcreds and formats
5309
* a @c KRB-CRED message @a ppdata to pass to krb5_rd_cred().
5311
* @note If the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
5312
* flag is set in @a auth_context, @a outdata is required.
5314
* The message will be encrypted using the send subkey of @a auth_context if it
5315
* is present, or the session key otherwise.
5320
* ENOMEM Insufficient memory
5322
* KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
5324
* Kerberos error codes
5326
krb5_error_code KRB5_CALLCONV
5327
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
5328
krb5_creds **ppcreds, krb5_data **ppdata,
5329
krb5_replay_data *outdata);
5332
* Format a @c KRB-CRED message for a single set of credentials.
5334
* @param [in] context Library context
5335
* @param [in,out] auth_context Authentication context
5336
* @param [in] pcreds Pointer to credentials
5337
* @param [out] ppdata Encoded credentials
5338
* @param [out] outdata Replay cache data (NULL if not needed)
5340
* This is a convenience function that calls krb5_mk_ncred() with a single set
5346
* ENOMEM Insufficient memory
5348
* KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
5350
* Kerberos error codes
5352
krb5_error_code KRB5_CALLCONV
5353
krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
5354
krb5_creds *pcreds, krb5_data **ppdata,
5355
krb5_replay_data *outdata);
5358
* Read and validate a @c KRB-CRED message.
5360
* @param [in] context Library context
5361
* @param [in,out] auth_context Authentication context
5362
* @param [in] pcreddata @c KRB-CRED message
5363
* @param [out] pppcreds Null-terminated array of forwarded credentials
5364
* @param [out] outdata Replay data (NULL if not needed)
5366
* @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
5367
* #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.`
5369
* @a pcreddata will be decrypted using the receiving subkey if it is present
5370
* in @a auth_context, or the session key if the receiving subkey is not
5371
* present or fails to decrypt the message.
5373
* Use krb5_free_tgt_creds() to free @a pppcreds when it is no longer needed.
5375
* @retval 0 Success; otherwise - Kerberos error codes
5377
krb5_error_code KRB5_CALLCONV
5378
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
5379
krb5_data *pcreddata, krb5_creds ***pppcreds,
5380
krb5_replay_data *outdata);
5383
* Get a forwarded TGT and format a @c KRB-CRED message.
5385
* @param [in] context Library context
5386
* @param [in] auth_context Authentication context
5387
* @param [in] rhost Remote host
5388
* @param [in] client Client principal of TGT
5389
* @param [in] server Principal of server to receive TGT
5390
* @param [in] cc Credential cache handle (NULL to use default)
5391
* @param [in] forwardable Whether TGT should be forwardable
5392
* @param [out] outbuf KRB-CRED message
5394
* Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED
5395
* message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST,
5396
* the second component of @a server will be used.
5401
* ENOMEM Insufficient memory
5403
* KRB5_PRINC_NOMATCH Requested principal and ticket do not match
5405
* KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
5407
* KRB5_CC_BADNAME Credential cache name or principal name malformed
5409
* Kerberos error codes
5411
krb5_error_code KRB5_CALLCONV
5412
krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
5413
char *rhost, krb5_principal client, krb5_principal server,
5414
krb5_ccache cc, int forwardable, krb5_data *outbuf);
5417
* Create and initialize an authentication context.
5419
* @param [in] context Library context
5420
* @param [out] auth_context Authentication context
5422
* This function creates an authentication context to hold configuration and
5423
* state relevant to krb5 functions for authenticating principals and
5424
* protecting messages once authentication has occurred.
5426
* By default, flags for the context are set to enable the use of the replay
5427
* cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use
5428
* krb5_auth_con_setflags() to change the flags.
5430
* The allocated @a auth_context must be freed with krb5_auth_con_free() when
5431
* it is no longer needed.
5433
* @retval 0 Success; otherwise - Kerberos error codes
5435
krb5_error_code KRB5_CALLCONV
5436
krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);
5439
* Free a krb5_auth_context structure.
5441
* @param [in] context Library context
5442
* @param [in] auth_context Authentication context to be freed
5444
* This function frees an auth context allocated by krb5_auth_con_init().
5446
* @retval 0 (always)
5448
krb5_error_code KRB5_CALLCONV
5449
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
5452
* Set a flags field in a krb5_auth_context structure.
5454
* @param [in] context Library context
5455
* @param [in,out] auth_context Authentication context
5456
* @param [in] flags Flags bit mask
5458
* Valid values for @a flags are:
5459
* @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
5460
* @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
5461
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
5462
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
5464
* @retval 0 (always)
5466
krb5_error_code KRB5_CALLCONV
5467
krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags);
5470
* Retrieve flags from a krb5_auth_context structure.
5472
* @param [in] context Library context
5473
* @param [in] auth_context Authentication context
5474
* @param [out] flags Flags bit mask
5476
* Valid values for @a flags are:
5477
* @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
5478
* @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
5479
* @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
5480
* @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
5482
* @retval 0 (always)
5484
krb5_error_code KRB5_CALLCONV
5485
krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
5489
* Set a checksum callback in an auth context.
5491
* @param [in] context Library context
5492
* @param [in] auth_context Authentication context
5493
* @param [in] func Checksum callback
5494
* @param [in] data Callback argument
5496
* Set a callback to obtain checksum data in krb5_mk_req(). The callback will
5497
* be invoked after the subkey and local sequence number are stored in @a
5500
* @retval 0 (always)
5502
krb5_error_code KRB5_CALLCONV
5503
krb5_auth_con_set_checksum_func( krb5_context context,
5504
krb5_auth_context auth_context,
5505
krb5_mk_req_checksum_func func,
5509
* Get the checksum callback from an auth context.
5511
* @param [in] context Library context
5512
* @param [in] auth_context Authentication context
5513
* @param [out] func Checksum callback
5514
* @param [out] data Callback argument
5516
* @retval 0 (always)
5518
krb5_error_code KRB5_CALLCONV
5519
krb5_auth_con_get_checksum_func( krb5_context context,
5520
krb5_auth_context auth_context,
5521
krb5_mk_req_checksum_func *func,
5525
* Set the local and remote addresses in an auth context.
5527
* @param [in] context Library context
5528
* @param [in] auth_context Authentication context
5529
* @param [in] local_addr Local address
5530
* @param [in] remote_addr Remote address
5532
* This function releases the storage assigned to the contents of the local and
5533
* remote addresses of @a auth_context and then sets them to @a local_addr and
5534
* @a remote_addr respectively.
5536
* @sa krb5_auth_con_genaddrs()
5538
* @retval 0 Success; otherwise - Kerberos error codes
5540
krb5_error_code KRB5_CALLCONV_WRONG
5541
krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
5542
krb5_address *local_addr, krb5_address *remote_addr);
5545
* Retrieve address fields from an auth context.
5547
* @param [in] context Library context
5548
* @param [in] auth_context Authentication context
5549
* @param [out] local_addr Local address (NULL if not needed)
5550
* @param [out] remote_addr Remote address (NULL if not needed)
5552
* @retval 0 Success; otherwise - Kerberos error codes
5554
krb5_error_code KRB5_CALLCONV
5555
krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
5556
krb5_address **local_addr, krb5_address **remote_addr);
5559
* Set local and remote port fields in an auth context.
5561
* @param [in] context Library context
5562
* @param [in] auth_context Authentication context
5563
* @param [in] local_port Local port
5564
* @param [in] remote_port Remote port
5566
* This function releases the storage assigned to the contents of the local and
5567
* remote ports of @a auth_context and then sets them to @a local_port and @a
5568
* remote_port respectively.
5570
* @sa krb5_auth_con_genaddrs()
5572
* @retval 0 Success; otherwise - Kerberos error codes
5574
krb5_error_code KRB5_CALLCONV
5575
krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context,
5576
krb5_address *local_port, krb5_address *remote_port);
5579
* Set the session key in an auth context.
5581
* @param [in] context Library context
5582
* @param [in] auth_context Authentication context
5583
* @param [in] keyblock User key
5585
* @retval 0 Success; otherwise - Kerberos error codes
5587
krb5_error_code KRB5_CALLCONV
5588
krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context,
5589
krb5_keyblock *keyblock);
5592
* Retrieve the session key from an auth context as a keyblock.
5594
* @param [in] context Library context
5595
* @param [in] auth_context Authentication context
5596
* @param [out] keyblock Session key
5598
* This function creates a keyblock containing the session key from @a
5599
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
5602
* @retval 0 Success. Otherwise - Kerberos error codes
5604
krb5_error_code KRB5_CALLCONV
5605
krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
5606
krb5_keyblock **keyblock);
5609
* Retrieve the session key from an auth context.
5611
* @param [in] context Library context
5612
* @param [in] auth_context Authentication context
5613
* @param [out] key Session key
5615
* This function sets @a key to the session key from @a auth_context. Use
5616
* krb5_k_free_key() to release @a key when it is no longer needed.
5618
* @retval 0 (always)
5620
krb5_error_code KRB5_CALLCONV
5621
krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
5625
* Retrieve the send subkey from an auth context as a keyblock.
5627
* @param [in] ctx Library context
5628
* @param [in] ac Authentication context
5629
* @param [out] keyblock Send subkey
5631
* This function creates a keyblock containing the send subkey from @a
5632
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
5635
* @retval 0 Success; otherwise - Kerberos error codes
5637
krb5_error_code KRB5_CALLCONV
5638
krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
5641
* Retrieve the send subkey from an auth context.
5643
* @param [in] ctx Library context
5644
* @param [in] ac Authentication context
5645
* @param [out] key Send subkey
5647
* This function sets @a key to the send subkey from @a auth_context. Use
5648
* krb5_k_free_key() to release @a key when it is no longer needed.
5650
* @retval 0 Success; otherwise - Kerberos error codes
5652
krb5_error_code KRB5_CALLCONV
5653
krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
5657
* Retrieve the receiving subkey from an auth context as a keyblock.
5659
* @param [in] ctx Library context
5660
* @param [in] ac Authentication context
5661
* @param [out] keyblock Receiving subkey
5663
* This function creates a keyblock containing the receiving subkey from @a
5664
* auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
5667
* @retval 0 Success; otherwise - Kerberos error codes
5669
krb5_error_code KRB5_CALLCONV
5670
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
5673
* Retrieve the receiving subkey from an auth context as a keyblock.
5675
* @param [in] ctx Library context
5676
* @param [in] ac Authentication context
5677
* @param [out] key Receiving subkey
5679
* This function sets @a key to the receiving subkey from @a auth_context. Use
5680
* krb5_k_free_key() to release @a key when it is no longer needed.
5682
* @retval 0 Success; otherwise - Kerberos error codes
5684
krb5_error_code KRB5_CALLCONV
5685
krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key);
5688
* Set the send subkey in an auth context with a keyblock.
5690
* @param [in] ctx Library context
5691
* @param [in] ac Authentication context
5692
* @param [in] keyblock Send subkey
5694
* This function sets the send subkey in @a ac to a copy of @a keyblock.
5696
* @retval 0 Success. Otherwise - Kerberos error codes
5698
krb5_error_code KRB5_CALLCONV
5699
krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac,
5700
krb5_keyblock *keyblock);
5703
* Set the send subkey in an auth context.
5705
* @param [in] ctx Library context
5706
* @param [in] ac Authentication context
5707
* @param [out] key Send subkey
5709
* This function sets the send subkey in @a ac to @a key, incrementing its
5712
* @retval 0 Success; otherwise - Kerberos error codes
5714
krb5_error_code KRB5_CALLCONV
5715
krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key);
5718
* Set the receiving subkey in an auth context with a keyblock.
5720
* @param [in] ctx Library context
5721
* @param [in] ac Authentication context
5722
* @param [in] keyblock Receiving subkey
5724
* This function sets the receiving subkey in @a ac to a copy of @a keyblock.
5726
* @retval 0 Success; otherwise - Kerberos error codes
5728
krb5_error_code KRB5_CALLCONV
5729
krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac,
5730
krb5_keyblock *keyblock);
5733
* Set the receiving subkey in an auth context.
5735
* @param [in] ctx Library context
5736
* @param [in] ac Authentication context
5737
* @param [in] key Receiving subkey
5739
* This function sets the receiving subkey in @a ac to @a key, incrementing its
5742
* @retval 0 Success; otherwise - Kerberos error codes
5744
krb5_error_code KRB5_CALLCONV
5745
krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
5749
/** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */
5750
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5751
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
5752
krb5_keyblock **keyblock);
5754
/** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */
5755
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5756
krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
5757
krb5_keyblock **keyblock);
5761
* Retrieve the local sequence number from an auth context.
5763
* @param [in] context Library context
5764
* @param [in] auth_context Authentication context
5765
* @param [out] seqnumber Local sequence number
5767
* Retrieve the local sequence number from @a auth_context and return it in @a
5768
* seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
5769
* auth_context for this function to be useful.
5771
* @retval 0 Success; otherwise - Kerberos error codes
5773
krb5_error_code KRB5_CALLCONV
5774
krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context,
5775
krb5_int32 *seqnumber);
5778
* Retrieve the remote sequence number from an auth context.
5780
* @param [in] context Library context
5781
* @param [in] auth_context Authentication context
5782
* @param [out] seqnumber Remote sequence number
5784
* Retrieve the remote sequence number from @a auth_context and return it in @a
5785
* seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
5786
* auth_context for this function to be useful.
5788
* @retval 0 Success; otherwise - Kerberos error codes
5790
krb5_error_code KRB5_CALLCONV
5791
krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context,
5792
krb5_int32 *seqnumber);
5795
/** @deprecated Not replaced.
5797
* RFC 4120 doesn't have anything like the initvector concept;
5798
* only really old protocols may need this API.
5800
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
5801
krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
5805
* Set the replay cache in an auth context.
5807
* @param [in] context Library context
5808
* @param [in] auth_context Authentication context
5809
* @param [in] rcache Replay cache haddle
5811
* This function sets the replay cache in @a auth_context to @a rcache. @a
5812
* rcache will be closed when @a auth_context is freed, so the caller should
5813
* relinguish that responsibility.
5815
* @retval 0 Success; otherwise - Kerberos error codes
5817
krb5_error_code KRB5_CALLCONV
5818
krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context,
5819
krb5_rcache rcache);
5822
* Retrieve the replay cache from an auth context.
5824
* @param [in] context Library context
5825
* @param [in] auth_context Authentication context
5826
* @param [out] rcache Replay cache handle
5828
* This function fetches the replay cache from @a auth_context. The caller
5829
* should not close @a rcache.
5831
* @retval 0 (always)
5833
krb5_error_code KRB5_CALLCONV_WRONG
5834
krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context,
5835
krb5_rcache *rcache);
5838
* Retrieve the authenticator from an auth context.
5840
* @param [in] context Library context
5841
* @param [in] auth_context Authentication context
5842
* @param [out] authenticator Authenticator
5844
* Use krb5_free_authenticator() to free @a authenticator when it is no longer
5847
* @retval 0 Success. Otherwise - Kerberos error codes
5849
krb5_error_code KRB5_CALLCONV
5850
krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context,
5851
krb5_authenticator **authenticator);
5854
* Set checksum type in an an auth context.
5856
* @param [in] context Library context
5857
* @param [in] auth_context Authentication context
5858
* @param [in] cksumtype Checksum type
5860
* This function sets the checksum type in @a auth_context to be used by
5861
* krb5_mk_req() for the authenticator checksum.
5863
* @retval 0 Success. Otherwise - Kerberos error codes
5865
krb5_error_code KRB5_CALLCONV
5866
krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context,
5867
krb5_cksumtype cksumtype);
2130
5869
#define KRB5_REALM_BRANCH_CHAR '.'