+/**
+ * Free an error allocated by krb5_read_error() or krb5_sendauth().
+ *
+ * @param [in] context Library context
+ * @param [in] val Error data structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_error(krb5_context context, register krb5_error *val);
+
+/**
+ * Free a krb5_creds structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Credential structure to be freed.
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_creds(krb5_context context, krb5_creds *val);
+
+/**
+ * Free the contents of a krb5_creds structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Credential structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_cred_contents(krb5_context context, krb5_creds *val);
+
+/**
+ * Free a krb5_checksum structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Checksum structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_checksum(krb5_context context, register krb5_checksum *val);
+
+/**
+ * Free the contents of a krb5_checksum structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Checksum structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val);
+
+/**
+ * Free a krb5_keyblock structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Keyblock to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_keyblock(krb5_context context, register krb5_keyblock *val);
+
+/**
+ * Free the contents of a krb5_keyblock structure.
+ *
+ * @param [in] context Library context
+ * @param [in] key Keyblock to be freed
+ *
+ * This function frees the contents of @a key, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key);
+
+/**
+ * Free a krb5_ap_rep_enc_part structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val AP-REP enc part to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
+
+/**
+ * Free a krb5_data structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Data structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_data(krb5_context context, krb5_data *val);
+
+/* Free a krb5_octet_data structure (should be unused). */
+void KRB5_CALLCONV
+krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
+
+/**
+ * Free the contents of a krb5_data structure and zero the data field.
+ *
+ * @param [in] context Library context
+ * @param [in] val Data structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_data_contents(krb5_context context, krb5_data *val);
+
+/**
+ * Free a string representation of a principal.
+ *
+ * @param [in] context Library context
+ * @param [in] val Name string to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_unparsed_name(krb5_context context, char *val);
+
+/**
+ * Free a string allocated by a krb5 function.
+ *
+ * @param [in] context Library context
+ * @param [in] val String to be freed
+ *
+ * @version First introduced in 1.10
+ */
+void KRB5_CALLCONV
+krb5_free_string(krb5_context context, char *val);
+
+/**
+ * Free an array of checksum types.
+ *
+ * @param [in] context Library context
+ * @param [in] val Array of checksum types to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val);
+
+/* From krb5/os, but needed by the outside world */
+/**
+ * Retrieve the system time of day, in sec and ms, since the epoch.
+ *
+ * @param [in] context Library context
+ * @param [out] seconds System timeofday, seconds portion
+ * @param [out] microseconds System timeofday, microseconds portion
+ *
+ * This function retrieves the system time of day with the context
+ * specific time offset adjustment.
+ *
+ * @sa krb5_crypto_us_timeofday()
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_us_timeofday(krb5_context context,
+ krb5_timestamp *seconds, krb5_int32 *microseconds);
+
+/**
+ * Retrieve the current time with context specific time offset adjustment.
+ *
+ * @param [in] context Library context
+ * @param [in,out] timeret Timestamp to fill in
+ *
+ * This function retrieves the system time of day with the context specific
+ * time offset adjustment.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
+
+/**
+ * Check if a timestamp is within the allowed clock skew of the current time.
+ *
+ * @param [in] context Library context
+ * @param [in] date Timestamp to check
+ *
+ * This function checks if @a date is close enough to the current time
+ * according to the configured allowable clock skew.
+ *
+ * @version First introduced in 1.10
+ *
+ * @retval 0 Success
+ * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_check_clockskew(krb5_context context, krb5_timestamp date);
+
+/**
+ * Return all interface addresses for this host.
+ *
+ * @param [in] context Library context
+ * @param [out] addr Array of krb5_address pointers, ending with
+ * NULL
+ *
+ * Use krb5_free_addresses() to free @a addr when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_os_localaddr(krb5_context context, krb5_address ***addr);
+
+/**
+ * Retrieve the default realm.
+ *
+ * @param [in] context Library context
+ * @param [out] lrealm Default realm name
+ *
+ * Retrieves the default realm to be used if no user-specified realm is
+ * available.
+ *
+ * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_default_realm(krb5_context context, char **lrealm);
+
+/**
+ * Override the default realm for the specified context.
+ *
+ * @param [in] context Library context
+ * @param [in] lrealm Realm name for the default realm
+ *
+ * If @a lrealm is NULL, clear the default realm setting.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_default_realm(krb5_context context, const char *lrealm);
+
+/**
+ * Free a default realm string returned by krb5_get_default_realm().
+ *
+ * @param [in] context Library context
+ * @param [in] lrealm Realm to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_default_realm(krb5_context context, char *lrealm);
+
+/**
+ * Generate a full principal name from a service name.
+ *
+ * @param [in] context Library context
+ * @param [in] hostname Host name, or NULL to use local host
+ * @param [in] sname Service name, or NULL to use @c "host"
+ * @param [in] type Principal type
+ * @param [out] ret_princ Generated principal
+ *
+ * This function converts a @a hostname and @a sname into @a krb5_principal
+ * structure @a ret_princ. The returned principal will be of the form @a
+ * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm().
+ * In some cases this may be the referral (empty) realm.
+ *
+ * The @a type can be one of the following:
+ *
+ * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the
+ * realm and generating the principal.
+ *
+ * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not
+ * canonicalize it.
+ *
+ * Use krb5_free_principal to free @a ret_princ when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname,
+ krb5_int32 type, krb5_principal *ret_princ);
+
+/**
+ * Test whether a principal matches a matching principal.
+ *
+ * @param [in] context Library context
+ * @param [in] matching Matching principal
+ * @param [in] princ Principal to test
+ *
+ * @note A matching principal is a host-based principal with an empty realm
+ * and/or second data component (hostname). Profile configuration may cause
+ * the hostname to be ignored even if it is present. A principal matches a
+ * matching principal if the former has the same non-empty (and non-ignored)
+ * components of the latter.
+ *
+ * If @a matching is NULL, return TRUE. If @a matching is not a matching
+ * principal, return the value of krb5_principal_compare(context, matching,
+ * princ).
+ *
+ * @return
+ * TRUE if @a princ matches @a matching, FALSE otherwise.
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_sname_match(krb5_context context, krb5_const_principal matching,
+ krb5_const_principal princ);
+
+/**
+ * Change a password for an existing Kerberos account.
+ *
+ * @param [in] context Library context
+ * @param [in] creds Credentials for kadmin/changepw service
+ * @param [in] newpw New password
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Change password response from the KDC
+ *
+ * Change the password for the existing principal identified by @a creds.
+ *
+ * The possible values of the output @a result_code are:
+ *
+ * @li #KRB5_KPASSWD_SUCCESS (0) - success
+ * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
+ * @li #KRB5_KPASSWD_HARDERROR (2) - Server error
+ * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
+ * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw,
+ int *result_code, krb5_data *result_code_string,
+ krb5_data *result_string);
+
+/**
+ * Set a password for a principal using specified credentials.
+ *
+ * @param [in] context Library context
+ * @param [in] creds Credentials for kadmin/changepw service
+ * @param [in] newpw New password
+ * @param [in] change_password_for Change the password for this principal
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Data returned from the remote system
+ *
+ * This function uses the credentials @a creds to set the password @a newpw for
+ * the principal @a change_password_for. It implements the set password
+ * operation of RFC 3244, for interoperability with Microsoft Windows
+ * implementations.
+ *
+ * @note If @a change_password_for is NULL, the change is performed on the
+ * current principal. If @a change_password_for is non-null, the change is
+ * performed on the principal name passed in @a change_password_for.
+ *
+ * The error code and strings are returned in @a result_code,
+ * @a result_code_string and @a result_string.
+ *
+ * @sa krb5_set_password_using_ccache()
+ *
+ * @retval
+ * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
+ * @return
+ * Kerberos error codes.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
+ krb5_principal change_password_for, int *result_code,
+ krb5_data *result_code_string, krb5_data *result_string);
+
+/**
+ * Set a password for a principal using cached credentials.
+ *
+ * @param [in] context Library context
+ * @param [in] ccache Credential cache
+ * @param [in] newpw New password
+ * @param [in] change_password_for Change the password for this principal
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Data returned from the remote system
+ *
+ * This function uses the cached credentials from @a ccache to set the password
+ * @a newpw for the principal @a change_password_for. It implements RFC 3244
+ * set password operation (interoperable with MS Windows implementations) using
+ * the credential cache.
+ *
+ * The error code and strings are returned in @a result_code,
+ * @a result_code_string and @a result_string.
+ *
+ * @note If @a change_password_for is set to NULL, the change is performed on
+ * the default principal in @a ccache. If @a change_password_for is non null,
+ * the change is performed on the specified principal.
+ *
+ * @sa krb5_set_password()
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
+ char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string,
+ krb5_data *result_string);
+
+/**
+ * Get a result message for changing or setting a password.
+ *
+ * @param [in] context Library context
+ * @param [in] server_string Data returned from the remote system
+ * @param [out] message_out A message displayable to the user
+ *
+ * This function processes the @a server_string returned in the @a
+ * result_string parameter of krb5_change_password(), krb5_set_password(), and
+ * related functions, and returns a displayable string. If @a server_string
+ * contains Active Directory structured policy information, it will be
+ * converted into human-readable text.
+ *
+ * Use krb5_free_string() to free @a message_out when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ *
+ * @version First introduced in 1.11
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_chpw_message(krb5_context context, const krb5_data *server_string,
+ char **message_out);
+
+/**
+ * Retrieve configuration profile from the context.
+ *
+ * @param [in] context Library context
+ * @param [out] profile Pointer to data read from a configuration file
+ *
+ * This function creates a new @a profile object that reflects profile
+ * in the supplied @a context.
+ *
+ * The @a profile object may be freed with profile_release() function.
+ * See profile.h and profile API for more details.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_profile(krb5_context context, struct _profile_t ** profile);
+
+#if KRB5_DEPRECATED
+/** @deprecated Replaced by krb5_get_init_creds_password().*/