+/**
+ * Convert krb5_principal structure to a string with flags.
+ *
+ * @param [in] context Library context
+ * @param [in] principal Principal
+ * @param [in] flags Flags
+ * @param [out] name String representation of principal name
+ *
+ * Similar to krb5_unparse_name(), this function converts a krb5_principal
+ * structure to a string representation.
+ *
+ * The following flags are valid:
+ * @li #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm
+ * @li #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm
+ * @li #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters
+ *
+ * Use krb5_free_unparsed_name() to free @a name when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes. On failure @a name is set to NULL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
+ int flags, char **name);
+
+/**
+ * Convert krb5_principal structure to string format with flags.
+ *
+ * @param [in] context Library context
+ * @param [in] principal Principal
+ * @param [in] flags Flags
+ * @param [out] name Single string format of principal name
+ * @param [out] size Size of unparsed name buffer
+ *
+ * @sa krb5_unparse_name() krb5_unparse_name_flags() krb5_unparse_name_ext()
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes. On failure @a name is set to NULL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
+ int flags, char **name, unsigned int *size);
+
+/**
+ * Set the realm field of a principal
+ *
+ * @param [in,out] context Library context
+ * @param [in] principal Principal name
+ * @param [in] realm Realm name
+ *
+ * Set the realm name part of @a principal to @a realm, overwriting the
+ * previous realm.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_principal_realm(krb5_context context, krb5_principal principal,
+ const char *realm);
+
+/**
+ * Search a list of addresses for a specified address.
+ *
+ * @param [in] context Library context
+ * @param [in] addr Address to search for
+ * @param [in] addrlist Address list to be searched (or NULL)
+ *
+ * @note If @a addrlist contains only a NetBIOS addresses, it will be treated
+ * as a null list.
+ *
+ * @return
+ * TRUE if @a addr is listed in @a addrlist, or @c addrlist is NULL; FALSE
+ * otherwise
+ */
+krb5_boolean KRB5_CALLCONV_WRONG
+krb5_address_search(krb5_context context, const krb5_address *addr,
+ krb5_address *const *addrlist);
+
+/**
+ * Compare two Kerberos addresses.
+ *
+ * @param [in] context Library context
+ * @param [in] addr1 First address to be compared
+ * @param [in] addr2 Second address to be compared
+ *
+ * @return
+ * TRUE if the addresses are the same, FALSE otherwise
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_address_compare(krb5_context context, const krb5_address *addr1,
+ const krb5_address *addr2);
+
+/**
+ * Return an ordering of the specified addresses.
+ *
+ * @param [in] context Library context
+ * @param [in] addr1 First address
+ * @param [in] addr2 Second address
+ *
+ * @retval
+ * 0 The two addresses are the same
+ * @retval
+ * \< 0 First address is less than second
+ * @retval
+ * \> 0 First address is greater than second
+ */
+int KRB5_CALLCONV
+krb5_address_order(krb5_context context, const krb5_address *addr1,
+ const krb5_address *addr2);
+
+/**
+ * Compare the realms of two principals.
+ *
+ * @param [in] context Library context
+ * @param [in] princ1 First principal
+ * @param [in] princ2 Second principal
+ *
+ * @retval
+ * TRUE if the realm names are the same; FALSE otherwise
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
+ krb5_const_principal princ2);
+
+/**
+ * Compare two principals.
+ *
+ * @param [in] context Library context
+ * @param [in] princ1 First principal
+ * @param [in] princ2 Second principal
+ *
+ * @retval
+ * TRUE if the principals are the same; FALSE otherwise
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_principal_compare(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2);
+
+/**
+ * Compare two principals ignoring realm components.
+ *
+ * @param [in] context Library context
+ * @param [in] princ1 First principal
+ * @param [in] princ2 Second principal
+ *
+ * Similar to krb5_principal_compare(), but do not compare the realm
+ * components of the principals.
+ *
+ * @retval
+ * TRUE if the principals are the same; FALSE otherwise
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_principal_compare_any_realm(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2);
+
+#define KRB5_PRINCIPAL_COMPARE_IGNORE_REALM 1 /**< ignore realm component */
+#define KRB5_PRINCIPAL_COMPARE_ENTERPRISE 2 /**< UPNs as real principals */
+#define KRB5_PRINCIPAL_COMPARE_CASEFOLD 4 /**< case-insensitive */
+#define KRB5_PRINCIPAL_COMPARE_UTF8 8 /**< treat principals as UTF-8 */
+
+/**
+ * Compare two principals with additional flags.
+ *
+ * @param [in] context Library context
+ * @param [in] princ1 First principal
+ * @param [in] princ2 Second principal
+ * @param [in] flags Flags
+ *
+ * Valid flags are:
+ * @li #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component
+ * @li #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals
+ * @li #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive
+ * @li #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8
+ *
+ * @sa krb5_principal_compare()
+ *
+ * @retval
+ * TRUE if the principal names are the same; FALSE otherwise
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_principal_compare_flags(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags);
+
+/**
+ * Initialize an empty @c krb5_keyblock.
+ *
+ * @param [in] context Library context
+ * @param [in] enctype Encryption type
+ * @param [in] length Length of keyblock (or 0)
+ * @param [out] out New keyblock structure
+ *
+ * Initialize a new keyblock and allocate storage for the contents of the key.
+ * It is legal to pass in a length of 0, in which case contents are left
+ * unallocated. Use krb5_free_keyblock() to free @a out when it is no longer
+ * needed.
+ *
+ * @note If @a length is set to 0, contents are left unallocated.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out);
+
+/**
+ * Copy a keyblock.
+ *
+ * @param [in] context Library context
+ * @param [in] from Keyblock to be copied
+ * @param [out] to Copy of keyblock @a from
+ *
+ * This function creates a new keyblock with the same contents as @a from. Use
+ * krb5_free_keyblock() to free @a to when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from,
+ krb5_keyblock **to);
+
+/**
+ * Copy the contents of a keyblock.
+ *
+ * @param [in] context Library context
+ * @param [in] from Key to be copied
+ * @param [out] to Output key
+ *
+ * This function copies the contents of @a from to @a to. Use
+ * krb5_free_keyblock_contents() to free @a to when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from,
+ krb5_keyblock *to);
+
+/**
+ * Copy a krb5_creds structure.
+ *
+ * @param [in] context Library context
+ * @param [in] incred Credentials structure to be copied
+ * @param [out] outcred Copy of @a incred
+ *
+ * This function creates a new credential with the contents of @a incred. Use
+ * krb5_free_creds() to free @a outcred when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred);
+
+/**
+ * Copy a krb5_data object.
+ *
+ * @param [in] context Library context
+ * @param [in] indata Data object to be copied
+ * @param [out] outdata Copy of @a indata
+ *
+ * This function creates a new krb5_data object with the contents of @a indata.
+ * Use krb5_free_data() to free @a outdata when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata);
+
+/**
+ * Copy a principal.
+ *
+ * @param [in] context Library context
+ * @param [in] inprinc Principal to be copied
+ * @param [out] outprinc Copy of @a inprinc
+ *
+ * This function creates a new principal structure with the contents of @a
+ * inprinc. Use krb5_free_principal() to free @a outprinc when it is no longer
+ * needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
+ krb5_principal *outprinc);
+
+/**
+ * Copy an array of addresses.
+ *
+ * @param [in] context Library context
+ * @param [in] inaddr Array of addresses to be copied
+ * @param [out] outaddr Copy of array of addresses
+ *
+ * This function creates a new address array containing a copy of @a inaddr.
+ * Use krb5_free_addresses() to free @a outaddr when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr,
+ krb5_address ***outaddr);
+
+/**
+ * Copy a krb5_ticket structure.
+ *
+ * @param [in] context Library context
+ * @param [in] from Ticket to be copied
+ * @param [out] pto Copy of ticket
+ *
+ * This function creates a new krb5_ticket structure containing the contents of
+ * @a from. Use krb5_free_ticket() to free @a pto when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto);
+
+/**
+ * Copy an authorization data list.
+ *
+ * @param [in] context Library context
+ * @param [in] in_authdat List of @a krb5_authdata structures
+ * @param [out] out New array of @a krb5_authdata structures
+ *
+ * This function creates a new authorization data list containing a copy of @a
+ * in_authdat, which must be null-terminated. Use krb5_free_authdata() to free
+ * @a out when it is no longer needed.
+ *
+ * @note The last array entry in @a in_authdat must be a NULL pointer.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_authdata(krb5_context context,
+ krb5_authdata *const *in_authdat, krb5_authdata ***out);
+
+/**
+ * Find authorization data elements.
+ *
+ * @param [in] context Library context
+ * @param [in] ticket_authdata Authorization data list from ticket
+ * @param [in] ap_req_authdata Authorization data list from AP request
+ * @param [in] ad_type Authorization data type to find
+ * @param [out] results List of matching entries
+ *
+ * This function searches @a ticket_authdata and @a ap_req_authdata for
+ * elements of type @a ad_type. Either input list may be NULL, in which case
+ * it will not be searched; otherwise, the input lists must be terminated by
+ * NULL entries. This function will search inside AD-IF-RELEVANT containers if
+ * found in either list. Use krb5_free_authdata() to free @a results when it
+ * is no longer needed.
+ *
+ * @version First introduced in 1.10
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata,
+ krb5_authdata *const *ap_req_authdata,
+ krb5_authdatatype ad_type, krb5_authdata ***results);
+
+/**
+ * Merge two authorization data lists into a new list.
+ *
+ * @param [in] context Library context
+ * @param [in] inauthdat1 First list of @a krb5_authdata structures
+ * @param [in] inauthdat2 Second list of @a krb5_authdata structures
+ * @param [out] outauthdat Merged list of @a krb5_authdata structures
+ *
+ * Merge two authdata arrays, such as the array from a ticket
+ * and authenticator.
+ * Use krb5_free_authdata() to free @a outauthdat when it is no longer needed.
+ *
+ * @note The last array entry in @a inauthdat1 and @a inauthdat2
+ * must be a NULL pointer.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_merge_authdata(krb5_context context,
+ krb5_authdata *const *inauthdat1,
+ krb5_authdata * const *inauthdat2,
+ krb5_authdata ***outauthdat);
+
+/**
+ * Copy a krb5_authenticator structure.
+ *
+ * @param [in] context Library context
+ * @param [in] authfrom krb5_authenticator structure to be copied
+ * @param [out] authto Copy of krb5_authenticator structure
+ *
+ * This function creates a new krb5_authenticator structure with the content of
+ * @a authfrom. Use krb5_free_authenticator() to free @a authto when it is no
+ * longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom,
+ krb5_authenticator **authto);
+
+/**
+ * Copy a krb5_checksum structure.
+ *
+ * @param [in] context Library context
+ * @param [in] ckfrom Checksum to be copied
+ * @param [out] ckto Copy of krb5_checksum structure
+ *
+ * This function creates a new krb5_checksum structure with the contents of @a
+ * ckfrom. Use krb5_free_checksum() to free @a ckto when it is no longer
+ * needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom,
+ krb5_checksum **ckto);
+
+/**
+ * Generate a replay cache object for server use and open it.
+ *
+ * @param [in] context Library context
+ * @param [in] piece Unique identifier for replay cache
+ * @param [out] rcptr Handle to an open rcache
+ *
+ * This function generates a replay cache name based on @a piece and opens a
+ * handle to it. Typically @a piece is the first component of the service
+ * principal name. Use krb5_rc_close() to close @a rcptr when it is no longer
+ * needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
+ krb5_rcache *rcptr);
+
+/**
+ * Build a principal name using length-counted strings.
+ *
+ * @param [in] context Library context
+ * @param [out] princ Principal name
+ * @param [in] rlen Realm name length
+ * @param [in] realm Realm name
+ * @param [in] ... List of unsigned int/char * components, followed by 0
+ *
+ * This function creates a principal from a length-counted string and a
+ * variable-length list of length-counted components. The list of components
+ * ends with the first 0 length argument (so it is not possible to specify an
+ * empty component with this function). Call krb5_free_principal() to free
+ * allocated memory for principal when it is no longer needed.
+ *
+ * @code
+ * Example of how to build principal WELLKNOWN/ANONYMOUS@R
+ * krb5_build_principal_ext(context, &principal, strlen("R"), "R",
+ * (unsigned int)strlen(KRB5_WELLKNOWN_NAMESTR),
+ * KRB5_WELLKNOWN_NAMESTR,
+ * (unsigned int)strlen(KRB5_ANONYMOUS_PRINCSTR),
+ * KRB5_ANONYMOUS_PRINCSTR, 0);
+ * @endcode
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV_C
+krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
+ unsigned int rlen, const char * realm, ...);
+
+/**
+ * Build a principal name using null-terminated strings.
+ *
+ * @param [in] context Library context
+ * @param [out] princ Principal name
+ * @param [in] rlen Realm name length
+ * @param [in] realm Realm name
+ * @param [in] ... List of char * components, ending with NULL
+ *
+ * Call krb5_free_principal() to free @a princ when it is no longer needed.
+ *
+ * @note krb5_build_principal() and krb5_build_principal_alloc_va() perform the
+ * same task. krb5_build_principal() takes variadic arguments.
+ * krb5_build_principal_alloc_va() takes a pre-computed @a varargs pointer.
+ *
+ * @code
+ * Example of how to build principal H/S@R
+ * krb5_build_principal(context, &principal,
+ * strlen("R"), "R", "H", "S", (char*)NULL);
+ * @endcode
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV_C
+krb5_build_principal(krb5_context context,
+ krb5_principal * princ,
+ unsigned int rlen,
+ const char * realm, ...)
+#if __GNUC__ >= 4
+ __attribute__ ((sentinel))
+#endif
+ ;
+#if KRB5_DEPRECATED
+/** @deprecated Replaced by krb5_build_principal_alloc_va(). */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
+ va_list ap);
+#endif
+
+/**
+ * Build a principal name, using a precomputed variable argument list
+ *
+ * @param [in] context Library context
+ * @param [out] princ Principal structure
+ * @param [in] rlen Realm name length
+ * @param [in] realm Realm name
+ * @param [in] ap List of char * components, ending with NULL
+ *
+ * Similar to krb5_build_principal(), this function builds a principal name,
+ * but its name components are specified as a va_list.
+ *
+ * Use krb5_free_principal() to deallocate @a princ when it is no longer
+ * needed.
+ *
+ * @code
+ * Function usage example:
+ * va_list ap;
+ * va_start(ap, realm);
+ * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
+ * va_end(ap);
+ * @endcode
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
+ va_list ap);
+
+/**
+ * Convert a Kerberos V4 principal to a Kerberos V5 principal.
+ *
+ * @param [in] context Library context
+ * @param [in] name V4 name
+ * @param [in] instance V4 instance
+ * @param [in] realm Realm
+ * @param [out] princ V5 principal
+ *
+ * This function builds a @a princ from V4 specification based on given input
+ * @a name.instance\@realm.
+ *
+ * Use krb5_free_principal() to free @a princ when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_425_conv_principal(krb5_context context, const char *name,
+ const char *instance, const char *realm,
+ krb5_principal *princ);
+
+/**
+ * Convert a Kerberos V5 principal to a Kerberos V4 principal.
+ *
+ * @param [in] context Library context
+ * @param [in] princ V5 Principal
+ * @param [out] name V4 principal's name to be filled in
+ * @param [out] inst V4 principal's instance name to be filled in
+ * @param [out] realm Principal's realm name to be filled in
+ *
+ * This function separates a V5 principal @a princ into @a name, @a instance,
+ * and @a realm.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * KRB5_INVALID_PRINCIPAL Invalid principal name
+ * @retval
+ * KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
+ char *name, char *inst, char *realm);
+/**
+ *@deprecated
+ */
+struct credentials;
+
+/**
+ * Convert a Kerberos V5 credentials to a Kerberos V4 credentials
+ *
+ * @note Not implemented
+ *
+ * @retval KRB524_KRB4_DISABLED (always)
+ */
+int KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds);
+
+#if KRB5_DEPRECATED
+#define krb524_convert_creds_kdc krb5_524_convert_creds
+#define krb524_init_ets(x) (0)
+#endif
+
+/* libkt.spec */
+
+/**
+ * Get a handle for a key table.
+ *
+ * @param [in] context Library context
+ * @param [in] name Name of the key table
+ * @param [out] ktid Key table handle
+ *
+ * Resolve the key table name @a name and fill in a handle identifying the key
+ * table. The key table is not opened.
+ *
+ * @note @a name must be of the form @c type:residual, where @a type must be a
+ * type known to the library and @a residual portion should be specific to the
+ * particular keytab type.
+ *
+ * @sa krb5_kt_close()
+ *
+ * @code
+ * Example: krb5_kt_resolve(context, "FILE:/tmp/filename",&ktid);
+ * @endcode
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid);
+
+/**
+ * Get default key table name.
+ *
+ * @param [in] context Library context
+ * @param [in,out] name Key table name to be resolved
+ * @param [in] name_size Size of @a name to return
+ *
+ * Fill @a name with the first @a name_size bytes of the name of the default
+ * key table for the current user.
+ *
+ * @sa MAX_KEYTAB_NAME_LEN
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * KRB5_CONFIG_NOTENUFSPACE Buffer is too short
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_default_name(krb5_context context, char *name, int name_size);
+
+/**
+ * Resolve default key table.
+ *
+ * @param [in] context Library context
+ * @param [in,out] id Key table handle
+ *
+ * Fill @a keytab with the default key table's @a handle.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_default(krb5_context context, krb5_keytab *id);
+
+/**
+ * Free the contents of a key table entry.
+ *
+ * @param [in] context Library context
+ * @param [in] entry Key table entry whose contents are to be freed
+ *
+ * @note The pointer is not freed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry);
+
+/** @deprecated Use krb5_free_keytab_entry_contents instead. */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry);
+
+
+/* remove and add are functions, so that they can return NOWRITE
+ if not a writable keytab */
+
+/**
+ * Remove an entry from a key table.
+ *
+ * @param [in] context Library context
+ * @param [in] id Key table handle
+ * @param [in] entry Entry to remove from key table
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * KRB5_KT_NOWRITE Key table is not writable
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
+
+/**
+ * Add a new entry to a key table.
+ *
+ * @param [in] context Library context
+ * @param [in] id Key table handle
+ * @param [in] entry Entry to be added
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * ENOMEM Insufficient memory
+ * @retval
+ * KRB5_KT_NOWRITE Key table is not writeable
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry);
+
+/**
+ * Convert a principal name into the default salt for that principal.
+ *
+ * @param [in] context Library context
+ * @param [in] pr Principal name
+ * @param [out] ret Default salt for @a pr to be filled in
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV_WRONG
+krb5_principal2salt(krb5_context context,
+ register krb5_const_principal pr, krb5_data *ret);
+/* librc.spec--see rcache.h */
+
+/* libcc.spec */
+
+/**
+ * Resolve a credential cache name.
+ *
+ * @param [in] context Library context
+ * @param [in] name Credential cache name to be resolved
+ * @param [out] cache Credential cache handle
+ *
+ * Fills in @a cache with a @a cache handle that corresponds to the name in @a
+ * name. @a name should be of the form @c type:residual, and @a type must be a
+ * type known to the library. If the @a name does not contain a colon,
+ * interpret it as a file name.
+ *
+ * @code
+ * Example: krb5_cc_resolve(context, "MEMORY:C_", &cache);
+ * @endcode
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache);
+
+/**
+ * Duplicate ccache handle.
+ *
+ * @param [in] context Library context
+ * @param [in] in Credential cache handle to be duplicated
+ * @param [out] out Credential cache handle
+ *
+ * Create a new handle referring to the same cache as @a in.
+ * The new handle and @a in can be closed independently.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out);
+
+/**
+ * Return the name of the default credential cache.
+ *
+ * @param [in] context Library context
+ *
+ * Try the environment variable @a KRB5CCNAME first then, if it is not set,
+ * fall back on the default ccache name for the OS.
+ *
+ * @return
+ * Name of default credential cache for the current user.
+ */
+const char *KRB5_CALLCONV
+krb5_cc_default_name(krb5_context context);
+
+/**
+ * Set the default credential cache name.
+ *
+ * @param [in,out] context Library context
+ * @param [in] name Default credential cache name
+ *
+ * This function frees the old default credential cache name and then sets it
+ * to @a name.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * KV5M_CONTEXT Bad magic number for @c _krb5_context structure
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_default_name(krb5_context context, const char *name);
+
+/**
+ * Resolve the default crendentials cache name.
+ *
+ * @param [in,out] context Library context
+ * @param [out] ccache Pointer to credential cache name
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * KV5M_CONTEXT Bad magic number for @c _krb5_context structure
+ * @retval
+ * KRB5_FCC_INTERNAL The name of the default credential cache cannot be
+ * obtained
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_default(krb5_context context, krb5_ccache *ccache);
+
+/**
+ * Copy a credential cache.
+ *
+ * @param [in] context Library context
+ * @param [in] incc Credential cache to be copied
+ * @param [out] outcc Copy of credential cache to be filled in
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc);
+
+/**
+ * Get a configuration value from a credential cache.
+ *
+ * @param [in] context Library context
+ * @param [in] id Credential cache handle
+ * @param [in] principal Configuration for this principal;
+ * if NULL, global for the whole cache
+ * @param [in] key Name of config variable
+ * @param [out] data Data to be fetched
+ *
+ * Use krb5_free_data_contents() to free @a data when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *key, krb5_data *data);
+
+/**
+ * Store a configuration value in a credential cache.
+ *
+ * @param [in] context Library context
+ * @param [in] id Credential cache handle
+ * @param [in] principal Configuration for a specific principal;
+ * if NULL, global for the whole cache
+ * @param [in] key Name of config variable
+ * @param [in] data Data to store, or NULL to remove
+ *
+ * @note Existing configuration under the same key is over-written.
+ *
+ * @warning Before version 1.10 @a data was assumed to be always non-null.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_config(krb5_context context, krb5_ccache id,
+ krb5_const_principal principal,
+ const char *key, krb5_data *data);
+
+/**
+ * Test whether a principal is a configuration principal.
+ *
+ * @param [in] context Library context
+ * @param [in] principal Principal to check
+ *
+ * @return
+ * @c TRUE if the principal is a configuration principal (generated part of
+ * krb5_cc_set_config()); @c FALSE otherwise.
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_is_config_principal(krb5_context context, krb5_const_principal principal);
+
+/**
+ * Make a credential cache the primary cache for its collection.
+ *
+ * @param [in] context Library context
+ * @param [in] cache Credential cache handle
+ *
+ * If the type of @a cache supports it, set @a cache to be the primary
+ * credential cache for the collection it belongs to.
+ *
+ * @retval
+ * 0 Success, or the type of @a cache doesn't support switching
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_switch(krb5_context context, krb5_ccache cache);
+
+/**
+ * Determine whether a credential cache type supports switching.
+ *
+ * @param [in] context Library context
+ * @param [in] type Credential cache type
+ *
+ * @version First introduced in 1.10
+ *
+ * @retval TRUE if @a type supports switching
+ * @retval FALSE if it does not or is not a valid credential cache type.
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_cc_support_switch(krb5_context context, const char *type);
+
+/**
+ * Find a credential cache with a specified client principal.
+ *
+ * @param [in] context Library context
+ * @param [in] client Client principal
+ * @param [out] cache_out Credential cache handle
+ *
+ * Find a cache within the collection whose default principal is @a client.
+ * Use @a krb5_cc_close to close @a ccache when it is no longer needed.
+ *
+ * @retval 0 Success
+ * @retval KRB5_CC_NOTFOUND
+ *
+ * @sa krb5_cccol_cursor_new
+ *
+ * @version First introduced in 1.10
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_cache_match(krb5_context context, krb5_principal client,
+ krb5_ccache *cache_out);
+
+/**
+ * Select a credential cache to use with a server principal.
+ *
+ * @param [in] context Library context
+ * @param [in] server Server principal
+ * @param [out] cache_out Credential cache handle
+ * @param [out] princ_out Client principal
+ *
+ * Select a cache within the collection containing credentials most appropriate
+ * for use with @a server, according to configured rules and heuristics.
+ *
+ * Use krb5_cc_close() to release @a cache_out when it is no longer needed.
+ * Use krb5_free_principal() to release @a princ_out when it is no longer
+ * needed. Note that @a princ_out is set in some error conditions.
+ *
+ * @return
+ * If an appropriate cache is found, 0 is returned, @a cache_out is set to the
+ * selected cache, and @a princ_out is set to the default principal of that
+ * cache.
+ *
+ * If the appropriate client principal can be authoritatively determined but
+ * the cache collection contains no credentials for that principal, then
+ * KRB5_CC_NOTFOUND is returned, @a cache_out is set to NULL, and @a princ_out
+ * is set to the appropriate client principal.
+ *
+ * If no configured mechanism can determine the appropriate cache or principal,
+ * KRB5_CC_NOTFOUND is returned and @a cache_out and @a princ_out are set to
+ * NULL.
+ *
+ * Any other error code indicates a fatal error in the processing of a cache
+ * selection mechanism.
+ *
+ * @version First introduced in 1.10
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cc_select(krb5_context context, krb5_principal server,
+ krb5_ccache *cache_out, krb5_principal *princ_out);
+
+/* krb5_free.c */
+/**
+ * Free the storage assigned to a principal.
+ *
+ * @param [in] context Library context
+ * @param [in] val Principal to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_principal(krb5_context context, krb5_principal val);
+
+/**
+ * Free a krb5_authenticator structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Authenticator structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_authenticator(krb5_context context, krb5_authenticator *val);
+
+/**
+ * Free the data stored in array of addresses.
+ *
+ * @param [in] context Library context
+ * @param [in] val Array of addresses to be freed
+ *
+ * This function frees the contents of @a val and the array itself.
+ *
+ * @note The last entry in the array must be a NULL pointer.
+ */
+void KRB5_CALLCONV
+krb5_free_addresses(krb5_context context, krb5_address **val);
+
+/**
+ * Free the storage assigned to array of authentication data.
+ *
+ * @param [in] context Library context
+ * @param [in] val Array of authentication data to be freed
+ *
+ * This function frees the contents of @a val and the array itself.
+ *
+ * @note The last entry in the array must be a NULL pointer.
+ */
+void KRB5_CALLCONV
+krb5_free_authdata(krb5_context context, krb5_authdata **val);
+
+/**
+ * Free a ticket.
+ *
+ * @param [in] context Library context
+ * @param [in] val Ticket to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_ticket(krb5_context context, krb5_ticket *val);
+
+/**
+ * Free an error allocated by krb5_read_error() or krb5_sendauth().
+ *
+ * @param [in] context Library context
+ * @param [in] val Error data structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_error(krb5_context context, register krb5_error *val);
+
+/**
+ * Free a krb5_creds structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Credential structure to be freed.
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_creds(krb5_context context, krb5_creds *val);
+
+/**
+ * Free the contents of a krb5_creds structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Credential structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_cred_contents(krb5_context context, krb5_creds *val);
+
+/**
+ * Free a krb5_checksum structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Checksum structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_checksum(krb5_context context, register krb5_checksum *val);
+
+/**
+ * Free the contents of a krb5_checksum structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Checksum structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val);
+
+/**
+ * Free a krb5_keyblock structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Keyblock to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_keyblock(krb5_context context, register krb5_keyblock *val);
+
+/**
+ * Free the contents of a krb5_keyblock structure.
+ *
+ * @param [in] context Library context
+ * @param [in] key Keyblock to be freed
+ *
+ * This function frees the contents of @a key, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key);
+
+/**
+ * Free a krb5_ap_rep_enc_part structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val AP-REP enc part to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
+
+/**
+ * Free a krb5_data structure.
+ *
+ * @param [in] context Library context
+ * @param [in] val Data structure to be freed
+ *
+ * This function frees the contents of @a val and the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_data(krb5_context context, krb5_data *val);
+
+/* Free a krb5_octet_data structure (should be unused). */
+void KRB5_CALLCONV
+krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
+
+/**
+ * Free the contents of a krb5_data structure and zero the data field.
+ *
+ * @param [in] context Library context
+ * @param [in] val Data structure to free contents of
+ *
+ * This function frees the contents of @a val, but not the structure itself.
+ */
+void KRB5_CALLCONV
+krb5_free_data_contents(krb5_context context, krb5_data *val);
+
+/**
+ * Free a string representation of a principal.
+ *
+ * @param [in] context Library context
+ * @param [in] val Name string to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_unparsed_name(krb5_context context, char *val);
+
+/**
+ * Free a string allocated by a krb5 function.
+ *
+ * @param [in] context Library context
+ * @param [in] val String to be freed
+ *
+ * @version First introduced in 1.10
+ */
+void KRB5_CALLCONV
+krb5_free_string(krb5_context context, char *val);
+
+/**
+ * Free an array of checksum types.
+ *
+ * @param [in] context Library context
+ * @param [in] val Array of checksum types to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val);
+
+/* From krb5/os, but needed by the outside world */
+/**
+ * Retrieve the system time of day, in sec and ms, since the epoch.
+ *
+ * @param [in] context Library context
+ * @param [out] seconds System timeofday, seconds portion
+ * @param [out] microseconds System timeofday, microseconds portion
+ *
+ * This function retrieves the system time of day with the context
+ * specific time offset adjustment.
+ *
+ * @sa krb5_crypto_us_timeofday()
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_us_timeofday(krb5_context context,
+ krb5_timestamp *seconds, krb5_int32 *microseconds);
+
+/**
+ * Retrieve the current time with context specific time offset adjustment.
+ *
+ * @param [in] context Library context
+ * @param [in,out] timeret Timestamp to fill in
+ *
+ * This function retrieves the system time of day with the context specific
+ * time offset adjustment.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
+
+/**
+ * Check if a timestamp is within the allowed clock skew of the current time.
+ *
+ * @param [in] context Library context
+ * @param [in] date Timestamp to check
+ *
+ * This function checks if @a date is close enough to the current time
+ * according to the configured allowable clock skew.
+ *
+ * @version First introduced in 1.10
+ *
+ * @retval 0 Success
+ * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_check_clockskew(krb5_context context, krb5_timestamp date);
+
+/**
+ * Return all interface addresses for this host.
+ *
+ * @param [in] context Library context
+ * @param [out] addr Array of krb5_address pointers, ending with
+ * NULL
+ *
+ * Use krb5_free_addresses() to free @a addr when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_os_localaddr(krb5_context context, krb5_address ***addr);
+
+/**
+ * Retrieve the default realm.
+ *
+ * @param [in] context Library context
+ * @param [out] lrealm Default realm name
+ *
+ * Retrieves the default realm to be used if no user-specified realm is
+ * available.
+ *
+ * Use krb5_free_default_realm() to free @a lrealm when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_default_realm(krb5_context context, char **lrealm);
+
+/**
+ * Override the default realm for the specified context.
+ *
+ * @param [in] context Library context
+ * @param [in] lrealm Realm name for the default realm
+ *
+ * If @a lrealm is NULL, clear the default realm setting.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_default_realm(krb5_context context, const char *lrealm);
+
+/**
+ * Free a default realm string returned by krb5_get_default_realm().
+ *
+ * @param [in] context Library context
+ * @param [in] lrealm Realm to be freed
+ */
+void KRB5_CALLCONV
+krb5_free_default_realm(krb5_context context, char *lrealm);
+
+/**
+ * Generate a full principal name from a service name.
+ *
+ * @param [in] context Library context
+ * @param [in] hostname Host name, or NULL to use local host
+ * @param [in] sname Service name, or NULL to use @c "host"
+ * @param [in] type Principal type
+ * @param [out] ret_princ Generated principal
+ *
+ * This function converts a @a hostname and @a sname into @a krb5_principal
+ * structure @a ret_princ. The returned principal will be of the form @a
+ * sname\/hostname\@REALM where REALM is determined by krb5_get_host_realm().
+ * In some cases this may be the referral (empty) realm.
+ *
+ * The @a type can be one of the following:
+ *
+ * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the
+ * realm and generating the principal.
+ *
+ * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not
+ * canonicalize it.
+ *
+ * Use krb5_free_principal to free @a ret_princ when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname,
+ krb5_int32 type, krb5_principal *ret_princ);
+
+/**
+ * Test whether a principal matches a matching principal.
+ *
+ * @param [in] context Library context
+ * @param [in] matching Matching principal
+ * @param [in] princ Principal to test
+ *
+ * @note A matching principal is a host-based principal with an empty realm
+ * and/or second data component (hostname). Profile configuration may cause
+ * the hostname to be ignored even if it is present. A principal matches a
+ * matching principal if the former has the same non-empty (and non-ignored)
+ * components of the latter.
+ *
+ * If @a matching is NULL, return TRUE. If @a matching is not a matching
+ * principal, return the value of krb5_principal_compare(context, matching,
+ * princ).
+ *
+ * @return
+ * TRUE if @a princ matches @a matching, FALSE otherwise.
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_sname_match(krb5_context context, krb5_const_principal matching,
+ krb5_const_principal princ);
+
+/**
+ * Change a password for an existing Kerberos account.
+ *
+ * @param [in] context Library context
+ * @param [in] creds Credentials for kadmin/changepw service
+ * @param [in] newpw New password
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Change password response from the KDC
+ *
+ * Change the password for the existing principal identified by @a creds.
+ *
+ * The possible values of the output @a result_code are:
+ *
+ * @li #KRB5_KPASSWD_SUCCESS (0) - success
+ * @li #KRB5_KPASSWD_MALFORMED (1) - Malformed request error
+ * @li #KRB5_KPASSWD_HARDERROR (2) - Server error
+ * @li #KRB5_KPASSWD_AUTHERROR (3) - Authentication error
+ * @li #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw,
+ int *result_code, krb5_data *result_code_string,
+ krb5_data *result_string);
+
+/**
+ * Set a password for a principal using specified credentials.
+ *
+ * @param [in] context Library context
+ * @param [in] creds Credentials for kadmin/changepw service
+ * @param [in] newpw New password
+ * @param [in] change_password_for Change the password for this principal
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Data returned from the remote system
+ *
+ * This function uses the credentials @a creds to set the password @a newpw for
+ * the principal @a change_password_for. It implements the set password
+ * operation of RFC 3244, for interoperability with Microsoft Windows
+ * implementations.
+ *
+ * @note If @a change_password_for is NULL, the change is performed on the
+ * current principal. If @a change_password_for is non-null, the change is
+ * performed on the principal name passed in @a change_password_for.
+ *
+ * The error code and strings are returned in @a result_code,
+ * @a result_code_string and @a result_string.
+ *
+ * @sa krb5_set_password_using_ccache()
+ *
+ * @retval
+ * 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.
+ * @return
+ * Kerberos error codes.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
+ krb5_principal change_password_for, int *result_code,
+ krb5_data *result_code_string, krb5_data *result_string);
+
+/**
+ * Set a password for a principal using cached credentials.
+ *
+ * @param [in] context Library context
+ * @param [in] ccache Credential cache
+ * @param [in] newpw New password
+ * @param [in] change_password_for Change the password for this principal
+ * @param [out] result_code Numeric error code from server
+ * @param [out] result_code_string String equivalent to @a result_code
+ * @param [out] result_string Data returned from the remote system
+ *
+ * This function uses the cached credentials from @a ccache to set the password
+ * @a newpw for the principal @a change_password_for. It implements RFC 3244
+ * set password operation (interoperable with MS Windows implementations) using
+ * the credential cache.
+ *
+ * The error code and strings are returned in @a result_code,
+ * @a result_code_string and @a result_string.
+ *
+ * @note If @a change_password_for is set to NULL, the change is performed on
+ * the default principal in @a ccache. If @a change_password_for is non null,
+ * the change is performed on the specified principal.
+ *
+ * @sa krb5_set_password()
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
+ char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string,
+ krb5_data *result_string);
+
+/**
+ * Retrieve configuration profile from the context.
+ *
+ * @param [in] context Library context
+ * @param [out] profile Pointer to data read from a configuration file
+ *
+ * This function creates a new @a profile object that reflects profile
+ * in the supplied @a context.
+ *
+ * The @a profile object may be freed with profile_release() function.
+ * See profile.h and profile API for more details.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_profile(krb5_context context, struct _profile_t ** profile);
+
+#if KRB5_DEPRECATED
+/** @deprecated Replaced by krb5_get_init_creds_password().*/
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
+
+/** @deprecated Replaced by krb5_get_init_creds(). */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const krb5_keyblock *key, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
+
+/** @deprecated Replaced by krb5_get_init_creds_keytab(). */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply);
+
+#endif /* KRB5_DEPRECATED */
+
+/**
+ * Parse and decrypt a @c KRB_AP_REQ message.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Pre-existing or newly created auth context
+ * @param [in] inbuf AP-REQ message to be parsed
+ * @param [in] server Matching principal for server, or NULL to
+ * allow any principal in keytab
+ * @param [in] keytab Key table, or NULL to use the default
+ * @param [out] ap_req_options If non-null, the AP-REQ flags on output
+ * @param [out] ticket If non-null, ticket from the AP-REQ message
+ *
+ * This function parses, decrypts and verifies a AP-REQ message from @a inbuf
+ * and stores the authenticator in @a auth_context.
+ *
+ * If a keyblock is present in the @a auth_context, it is used to decrypt the
+ * ticket in AP-REQ message. (This is useful for user-to-user authentication.)
+ * Otherwise, the decryption key is obtained from the @a keytab. If @a keytab
+ * is iterable, all of its key entries it will be tried against the ticket;
+ * otherwise, the server principal in the ticket will be looked up in the
+ * keytab and that key will be tried.
+ *
+ * The client specified in the decrypted authenticator must match the client
+ * specified in the decrypted ticket. If @a server is non-null, the key in
+ * which the ticket is encrypted must correspond to a principal in @a keytab
+ * matching @a server according to the rules of krb5_sname_match().
+ *
+ * If the @a remote_addr field of @a auth_context is set, the request must come
+ * from that address.
+ *
+ * If a replay cache handle is provided in the @a auth_context, the
+ * authenticator and ticket are verified against it. If no conflict is found,
+ * the new authenticator is then stored in the replay cash of @a auth_context.
+ *
+ * Various other checks are performed on the decoded data, including
+ * cross-realm policy, clockskew, and ticket validation times.
+ *
+ * On success the authenticator, subkey, and remote sequence number of the
+ * request are stored in @a auth_context. If the #AP_OPTS_MUTUAL_REQUIRED
+ * bit is set, the local sequence number is XORed with the remote sequence
+ * number in the request.
+ *
+ * Use krb5_free_ticket() to free @a ticket when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
+ const krb5_data *inbuf, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket);
+
+/**
+ * Retrieve a service key from a key table.
+ *
+ * @param [in] context Library context
+ * @param [in] keyprocarg Name of a key table (NULL to use default name)
+ * @param [in] principal Service principal
+ * @param [in] vno Key version number (0 for highest available)
+ * @param [in] enctype Encryption type (0 for any type)
+ * @param [out] key Service key from key table
+ *
+ * Open and search the specified key table for the entry identified by @a
+ * principal, @a enctype, and @a vno. If no key is found, return an error code.
+ *
+ * The default key table is used, unless @a keyprocarg is non-null.
+ * @a keyprocarg designates a specific key table.
+ *
+ * Use krb5_free_keyblock() to free @a key when it is no longer needed.
+ *
+ * @retval
+ * 0 Success
+ * @return Kerberos error code if not found or @a keyprocarg is invalid.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg,
+ krb5_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keyblock **key);
+
+/**
+ * Format a @c KRB-SAFE message.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] userdata User data in the message
+ * @param [out] outbuf Formatted @c KRB-SAFE buffer
+ * @param [out] outdata Replay data. Specify NULL if not needed
+ *
+ * This function creates an integrity protected @c KRB-SAFE message
+ * using data supplied by the application.
+ *
+ * Fields in @a auth_context specify the checksum type, the keyblock that
+ * can be used to seed the checksum, full addresses (host and port) for
+ * the sender and receiver, and @ref KRB5_AUTH_CONTEXT flags.
+ *
+ * The local address in @a auth_context must be set, and is used to form the
+ * sender address used in the KRB-SAFE message. The remote address is
+ * optional; if specified, it will be used to form the receiver address used in
+ * the message.
+ *
+ * If #KRB5_AUTH_CONTEXT_DO_TIME flag is set in the @a auth_context, an entry
+ * describing the message is entered in the replay cache @a
+ * auth_context->rcache which enables the caller to detect if this message is
+ * reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, the
+ * replay cache is not used.
+ *
+ * If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or
+ * #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the @a auth_context local sequence
+ * number will be placed in @a outdata as its sequence number.
+ *
+ * @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
+ * #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.
+ *
+ * Use krb5_free_data_contents() to free @a outbuf when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata);
+
+/**
+ * Format a @c KRB-PRIV message.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] userdata User data for @c KRB-PRIV message
+ * @param [out] outbuf Formatted @c KRB-PRIV message
+ * @param [out] outdata Replay cache handle (NULL if not needed)
+ *
+ * This function is similar to krb5_mk_safe(), but the message is encrypted and
+ * integrity-protected, not just integrity-protected.
+ *
+ * The local address in @a auth_context must be set, and is used to form the
+ * sender address used in the KRB-SAFE message. The remote address is
+ * optional; if specified, it will be used to form the receiver address used in
+ * the message.
+ *
+ * @note If the #KRB5_AUTH_CONTEXT_RET_TIME or
+ * #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in @a auth_context, the @a
+ * outdata is required.
+ *
+ * @note The flags from @a auth_context specify whether sequence numbers or
+ * timestamps will be used to identify the message. Valid values are:
+ *
+ * @li #KRB5_AUTH_CONTEXT_DO_TIME - Use timestamps in @a outdata
+ * @li #KRB5_AUTH_CONTEXT_RET_TIME - Copy timestamp to @a outdata.
+ * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE - Use local sequence numbers from
+ * @a auth_context in replay cache.
+ * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE - Use local sequence numbers from
+ * @a auth_context as a sequence number
+ * in the encrypted message @a outbuf.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata);
+
+/**
+ * Client function for @c sendauth protocol.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] fd File descriptor that describes network socket
+ * @param [in] appl_version Application protocol version to be matched
+ * with the receiver's application version
+ * @param [in] client Client principal
+ * @param [in] server Server principal
+ * @param [in] ap_req_options @ref AP_OPTS options
+ * @param [in] in_data Data to be sent to the server
+ * @param [in] in_creds Input credentials, or NULL to use @a ccache
+ * @param [in] ccache Credential cache
+ * @param [out] error If non-null, contains KRB_ERROR message
+ * returned from server
+ * @param [out] rep_result If non-null and @a ap_req_options is
+ * #AP_OPTS_MUTUAL_REQUIRED, contains the result
+ * of mutual authentication exchange
+ * @param [out] out_creds If non-null, the retrieved credentials
+ *
+ * This function performs the client side of a sendauth/recvauth exchange by
+ * sending and receiving messages over @a fd.
+ *
+ * Credentials may be specified in three ways:
+ *
+ * @li If @a in_creds is NULL, credentials are obtained with
+ * krb5_get_credentials() using the principals @a client and @a server. @a
+ * server must be non-null; @a client may NULL to use the default principal of
+ * @a ccache.
+ *
+ * @li If @a in_creds is non-null, but does not contain a ticket, credentials
+ * for the exchange are obtained with krb5_get_credentials() using @a in_creds.
+ * In this case, the values of @a client and @a server are unused.
+ *
+ * @li If @a in_creds is a complete credentials structure, it used directly.
+ * In this case, the values of @a client, @a server, and @a ccache are unused.
+ *
+ * If the server is using a different application protocol than that specified
+ * in @a appl_version, an error will be returned.
+ *
+ * Use krb5_free_creds() to free @a out_creds, krb5_free_ap_rep_enc_part() to
+ * free @a rep_result, and krb5_free_error() to free @a error when they are no
+ * longer needed.
+ *
+ * @sa krb5_recvauth()
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
+ krb5_pointer fd, char *appl_version, krb5_principal client,
+ krb5_principal server, krb5_flags ap_req_options,
+ krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache,
+ krb5_error **error, krb5_ap_rep_enc_part **rep_result,
+ krb5_creds **out_creds);
+
+/**
+ * Server function for @a sendauth protocol.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] fd File descriptor
+ * @param [in] appl_version Application protocol version to be matched
+ * against the client's application version
+ * @param [in] server Server principal (NULL for any in @a keytab)
+ * @param [in] flags Additional specifications
+ * @param [in] keytab Key table containing service keys
+ * @param [out] ticket Ticket (NULL if not needed)
+ *
+ * This function performs the srever side of a sendauth/recvauth exchange by
+ * sending and receiving messages over @a fd.
+ *
+ * Use krb5_free_ticket() to free @a ticket when it is no longer needed.
+ *
+ * @sa krb5_sendauth()
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_recvauth(krb5_context context, krb5_auth_context *auth_context,
+ krb5_pointer fd, char *appl_version, krb5_principal server,
+ krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket);
+
+/**
+ * Server function for @a sendauth protocol with version parameter.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] fd File descriptor
+ * @param [in] server Server principal (NULL for any in @a keytab)
+ * @param [in] flags Additional specifications
+ * @param [in] keytab Decryption key
+ * @param [out] ticket Ticket (NULL if not needed)
+ * @param [out] version sendauth protocol version (NULL if not needed)
+ *
+ * This function is similar to krb5_recvauth() with the additional output
+ * information place into @a version.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_recvauth_version(krb5_context context,
+ krb5_auth_context *auth_context,
+ krb5_pointer fd,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ krb5_ticket **ticket,
+ krb5_data *version);
+
+/**
+ * Format a @c KRB-CRED message for an array of credentials.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] ppcreds Null-terminated array of credentials
+ * @param [out] ppdata Encoded credentials
+ * @param [out] outdata Replay cache information (NULL if not needed)
+ *
+ * This function takes an array of credentials @a ppcreds and formats
+ * a @c KRB-CRED message @a ppdata to pass to krb5_rd_cred().
+ *
+ * @note If the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE
+ * flag is set in @a auth_context, @a outdata is required.
+ *
+ * The message will be encrypted using the send subkey of @a auth_context if it
+ * is present, or the session key otherwise.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * ENOMEM Insufficient memory
+ * @retval
+ * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds **ppcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata);
+
+/**
+ * Format a @c KRB-CRED message for a single set of credentials.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] pcreds Pointer to credentials
+ * @param [out] ppdata Encoded credentials
+ * @param [out] outdata Replay cache data (NULL if not needed)
+ *
+ * This is a convenience function that calls krb5_mk_ncred() with a single set
+ * of credentials.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * ENOMEM Insufficient memory
+ * @retval
+ * KRB5_RC_REQUIRED Message replay detection requires @a rcache parameter
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *pcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata);
+
+/**
+ * Read and validate a @c KRB-CRED message.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] pcreddata @c KRB-CRED message
+ * @param [out] pppcreds Null-terminated array of forwarded credentials
+ * @param [out] outdata Replay data (NULL if not needed)
+ *
+ * @note The @a outdata argument is required if #KRB5_AUTH_CONTEXT_RET_TIME or
+ * #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the @a auth_context.`
+ *
+ * @a pcreddata will be decrypted using the receiving subkey if it is present
+ * in @a auth_context, or the session key if the receiving subkey is not
+ * present or fails to decrypt the message.
+ *
+ * Use krb5_free_tgt_creds() to free @a pppcreds when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_data *pcreddata, krb5_creds ***pppcreds,
+ krb5_replay_data *outdata);
+
+/**
+ * Get a forwarded TGT and format a @c KRB-CRED message.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] rhost Remote host
+ * @param [in] client Client principal of TGT
+ * @param [in] server Principal of server to receive TGT
+ * @param [in] cc Credential cache handle (NULL to use default)
+ * @param [in] forwardable Whether TGT should be forwardable
+ * @param [out] outbuf KRB-CRED message
+ *
+ * Get a TGT for use at the remote host @a rhost and format it into a KRB-CRED
+ * message. If @a rhost is NULL and @a server is of type #KRB5_NT_SRV_HST,
+ * the second component of @a server will be used.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * ENOMEM Insufficient memory
+ * @retval
+ * KRB5_PRINC_NOMATCH Requested principal and ticket do not match
+ * @retval
+ * KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
+ * @retval
+ * KRB5_CC_BADNAME Credential cache name or principal name malformed
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
+ char *rhost, krb5_principal client, krb5_principal server,
+ krb5_ccache cc, int forwardable, krb5_data *outbuf);
+
+/**
+ * Create and initialize an authentication context.
+ *
+ * @param [in] context Library context
+ * @param [out] auth_context Authentication context
+ *
+ * This function creates an authentication context to hold configuration and
+ * state relevant to krb5 functions for authenticating principals and
+ * protecting messages once authentication has occurred.
+ *
+ * By default, flags for the context are set to enable the use of the replay
+ * cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use
+ * krb5_auth_con_setflags() to change the flags.
+ *
+ * The allocated @a auth_context must be freed with krb5_auth_con_free() when
+ * it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);
+
+/**
+ * Free a krb5_auth_context structure.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context to be freed
+ *
+ * This function frees an auth context allocated by krb5_auth_con_init().
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
+
+/**
+ * Set a flags field in a krb5_auth_context structure.
+ *
+ * @param [in] context Library context
+ * @param [in,out] auth_context Authentication context
+ * @param [in] flags Flags bit mask
+ *
+ * Valid values for @a flags are:
+ * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
+ * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
+ * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
+ * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags);
+
+/**
+ * Retrieve flags from a krb5_auth_context structure.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] flags Flags bit mask
+ *
+ * Valid values for @a flags are:
+ * @li #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps
+ * @li #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps
+ * @li #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers
+ * @li #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
+ krb5_int32 *flags);
+
+/**
+ * Set a checksum callback in an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] func Checksum callback
+ * @param [in] data Callback argument
+ *
+ * Set a callback to obtain checksum data in krb5_mk_req(). The callback will
+ * be invoked after the subkey and local sequence number are stored in @a
+ * auth_context.
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_checksum_func( krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func func,
+ void *data);
+
+/**
+ * Get the checksum callback from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] func Checksum callback
+ * @param [out] data Callback argument
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_get_checksum_func( krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func *func,
+ void **data);
+
+/**
+ * Set the local and remote addresses in an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] local_addr Local address
+ * @param [in] remote_addr Remote address
+ *
+ * This function releases the storage assigned to the contents of the local and
+ * remote addresses of @a auth_context and then sets them to @a local_addr and
+ * @a remote_addr respectively.
+ *
+ * @sa krb5_auth_con_genaddrs()
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV_WRONG
+krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
+ krb5_address *local_addr, krb5_address *remote_addr);
+
+/**
+ * Retrieve address fields from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] local_addr Local address (NULL if not needed)
+ * @param [out] remote_addr Remote address (NULL if not needed)
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
+ krb5_address **local_addr, krb5_address **remote_addr);
+
+/**
+ * Set local and remote port fields in an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] local_port Local port
+ * @param [in] remote_port Remote port
+ *
+ * This function releases the storage assigned to the contents of the local and
+ * remote ports of @a auth_context and then sets them to @a local_port and @a
+ * remote_port respectively.
+ *
+ * @sa krb5_auth_con_genaddrs()
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context,
+ krb5_address *local_port, krb5_address *remote_port);
+
+/**
+ * Set the session key in an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] keyblock User key
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock *keyblock);
+
+/**
+ * Retrieve the session key from an auth context as a keyblock.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] keyblock Session key
+ *
+ * This function creates a keyblock containing the session key from @a
+ * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
+ * longer needed
+ *
+ * @retval 0 Success. Otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock **keyblock);
+
+/**
+ * Retrieve the session key from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] key Session key
+ *
+ * This function sets @a key to the session key from @a auth_context. Use
+ * krb5_k_free_key() to release @a key when it is no longer needed.
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
+ krb5_key *key);
+
+/**
+ * Retrieve the send subkey from an auth context as a keyblock.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [out] keyblock Send subkey
+ *
+ * This function creates a keyblock containing the send subkey from @a
+ * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
+ * longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
+
+/**
+ * Retrieve the send subkey from an auth context.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [out] key Send subkey
+ *
+ * This function sets @a key to the send subkey from @a auth_context. Use
+ * krb5_k_free_key() to release @a key when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key *key);
+
+/**
+ * Retrieve the receiving subkey from an auth context as a keyblock.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [out] keyblock Receiving subkey
+ *
+ * This function creates a keyblock containing the receiving subkey from @a
+ * auth_context. Use krb5_free_keyblock() to free @a keyblock when it is no
+ * longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock);
+
+/**
+ * Retrieve the receiving subkey from an auth context as a keyblock.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [out] key Receiving subkey
+ *
+ * This function sets @a key to the receiving subkey from @a auth_context. Use
+ * krb5_k_free_key() to release @a key when it is no longer needed.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key);
+
+/**
+ * Set the send subkey in an auth context with a keyblock.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [in] keyblock Send subkey
+ *
+ * This function sets the send subkey in @a ac to a copy of @a keyblock.
+ *
+ * @retval 0 Success. Otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac,
+ krb5_keyblock *keyblock);
+
+/**
+ * Set the send subkey in an auth context.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [out] key Send subkey
+ *
+ * This function sets the send subkey in @a ac to @a key, incrementing its
+ * reference count.
+ *
+ * @version First introduced in 1.9
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key);
+
+/**
+ * Set the receiving subkey in an auth context with a keyblock.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [in] keyblock Receiving subkey
+ *
+ * This function sets the receiving subkey in @a ac to a copy of @a keyblock.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac,
+ krb5_keyblock *keyblock);
+
+/**
+ * Set the receiving subkey in an auth context.
+ *
+ * @param [in] ctx Library context
+ * @param [in] ac Authentication context
+ * @param [in] key Receiving subkey
+ *
+ * This function sets the receiving subkey in @a ac to @a key, incrementing its
+ * reference count.
+ *
+ * @version First introduced in 1.9
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key key);
+
+#if KRB5_DEPRECATED
+/** @deprecated Replaced by krb5_auth_con_getsendsubkey(). */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock **keyblock);
+
+/** @deprecated Replaced by krb5_auth_con_getrecvsubkey(). */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
+ krb5_keyblock **keyblock);
+#endif
+
+/**
+ * Retrieve the local sequence number from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] seqnumber Local sequence number
+ *
+ * Retrieve the local sequence number from @a auth_context and return it in @a
+ * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
+ * auth_context for this function to be useful.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context,
+ krb5_int32 *seqnumber);
+
+/**
+ * Retrieve the remote sequence number from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] seqnumber Remote sequence number
+ *
+ * Retrieve the remote sequence number from @a auth_context and return it in @a
+ * seqnumber. The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in @a
+ * auth_context for this function to be useful.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context,
+ krb5_int32 *seqnumber);
+
+#if KRB5_DEPRECATED
+/** @deprecated Not replaced.
+ *
+ * RFC 4120 doesn't have anything like the initvector concept;
+ * only really old protocols may need this API.
+ */
+KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
+krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
+#endif
+
+/**
+ * Set the replay cache in an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] rcache Replay cache haddle
+ *
+ * This function sets the replay cache in @a auth_context to @a rcache. @a
+ * rcache will be closed when @a auth_context is freed, so the caller should
+ * relinguish that responsibility.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context,
+ krb5_rcache rcache);
+
+/**
+ * Retrieve the replay cache from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] rcache Replay cache handle
+ *
+ * This function fetches the replay cache from @a auth_context. The caller
+ * should not close @a rcache.
+ *
+ * @retval 0 (always)
+ */
+krb5_error_code KRB5_CALLCONV_WRONG
+krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context,
+ krb5_rcache *rcache);
+
+/**
+ * Retrieve the authenticator from an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [out] authenticator Authenticator
+ *
+ * Use krb5_free_authenticator() to free @a authenticator when it is no longer
+ * needed.
+ *
+ * @retval 0 Success. Otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context,
+ krb5_authenticator **authenticator);
+
+/**
+ * Set checksum type in an an auth context.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] cksumtype Checksum type
+ *
+ * This function sets the checksum type in @a auth_context to be used by
+ * krb5_mk_req() for the authenticator checksum.
+ *
+ * @retval 0 Success. Otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context,
+ krb5_cksumtype cksumtype);
+
+#define KRB5_REALM_BRANCH_CHAR '.'
+
+/*
+ * end "func-proto.h"
+ */
+
+/*
+ * begin stuff from libos.h
+ */
+
+/**
+ * @brief Read a password from keyboard input.
+ *
+ * @param [in] context Library context
+ * @param [in] prompt First user prompt when reading password
+ * @param [in] prompt2 Second user prompt (NULL to prompt only once)
+ * @param [out] return_pwd Returned password
+ * @param [in,out] size_return On input, maximum size of password; on output,
+ * size of password read
+ *
+ * This function reads a password from keyboard input and stores it in @a
+ * return_pwd. @a size_return should be set by the caller to the amount of
+ * storage space available in @a return_pwd; on successful return, it will be
+ * set to the length of the password read.
+ *
+ * @a prompt is printed to the terminal, followed by ": ", and then a password
+ * is read from the keyboard.
+ *
+ * If @a prompt2 is NULL, the password is read only once. Otherwise, @a
+ * prompt2 is printed to the terminal and a second password is read. If the
+ * two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.
+ *
+ * Echoing is turned off when the password is read.
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Error in reading or verifying the password
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_read_password(krb5_context context,
+ const char *prompt, const char *prompt2,
+ char *return_pwd, unsigned int *size_return);
+
+/**
+ * Convert a principal name to a local name.
+ *
+ * @param [in] context Library context
+ * @param [in] aname Principal name
+ * @param [in] lnsize_in Space available in @a lname
+ * @param [out] lname Local name buffer to be filled in
+ *
+ * If @a aname does not correspond to any local account, KRB5_LNAME_NOTRANS is
+ * returned. If @a lnsize_in is too small for the local name,
+ * KRB5_CONFIG_NOTENUFSPACE is returned.
+ *
+ * Local names, rather than principal names, can be used by programs that
+ * translate to an environment-specific name (for example, a user account
+ * name).
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * System errors
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_aname_to_localname(krb5_context context, krb5_const_principal aname,
+ int lnsize_in, char *lname);
+
+/**
+ * Get the Kerberos realm names for a host.
+ *
+ * @param [in] context Library context
+ * @param [in] host Host name (or NULL)
+ * @param [out] realmsp Null-terminated list of realm names
+ *
+ * Fill in @a realmsp with a pointer to a null-terminated list of realm names.
+ * If there are no known realms for the host, a list containing the referral
+ * (empty) realm is returned.
+ *
+ * If @a host is NULL, the local host's realms are determined.
+ *
+ * Use krb5_free_host_realm() to release @a realmsp when it is no longer
+ * needed.
+ *
+ * @retval
+ * 0 Success
+ * @retval
+ * ENOMEM Insufficient memory
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp);
+
+/**
+ *
+ * @param [in] context Library context
+ * @param [in] hdata Host name (or NULL)
+ * @param [out] realmsp Null-terminated list of realm names
+ *
+ * Fill in @a realmsp with a pointer to a null-terminated list of realm names
+ * obtained through heuristics or insecure resolution methods which have lower
+ * priority than KDC referrals.
+ *
+ * If @a host is NULL, the local host's realms are determined.
+ *
+ * Use krb5_free_host_realm() to release @a realmsp when it is no longer
+ * needed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_fallback_host_realm(krb5_context context,
+ krb5_data *hdata, char ***realmsp);
+
+/**
+ * Free the memory allocated by krb5_get_host_realm().
+ *
+ * @param [in] context Library context
+ * @param [in] realmlist List of realm names to be released
+ *
+ * @retval
+ * 0 Success
+ * @return
+ * Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_free_host_realm(krb5_context context, char *const *realmlist);
+
+/**
+ * Determine if a principal is authorized to log in as a local user.
+ *
+ * @param [in] context Library context
+ * @param [in] principal Principal name
+ * @param [in] luser Local username
+ *
+ * Determine whether @a principal is authorized to log in as a local user @a
+ * luser.
+ *
+ * @retval
+ * TRUE Principal is authorized to log in as user; FALSE otherwise.
+ */
+krb5_boolean KRB5_CALLCONV
+krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser);
+
+/**
+ * Generate auth context addresses from a connected socket.
+ *
+ * @param [in] context Library context
+ * @param [in] auth_context Authentication context
+ * @param [in] infd Connected socket descriptor
+ * @param [in] flags Flags
+ *
+ * This function sets the local and/or remote addresses in @a auth_context
+ * based on the local and remote endpoints of the socket @a infd. The
+ * following flags determine the operations performed:
+ *
+ * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.
+ * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.
+ * @li #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.
+ * @li #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context,
+ int infd, int flags);
+
+/**
+ * Set time offset field in a krb5_context structure.
+ *
+ * @param [in] context Library context
+ * @param [in] seconds Real time, seconds portion
+ * @param [in] microseconds Real time, microseconds portion
+ *
+ * This function sets the time offset in @a context to the difference between
+ * the system time and the real time as determined by @a seconds and @a
+ * microseconds.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_set_real_time(krb5_context context, krb5_timestamp seconds,
+ krb5_int32 microseconds);
+
+/**
+ * Return the time offsets from the os context.
+ *
+ * @param [in] context Library context
+ * @param [out] seconds Time offset, seconds portion
+ * @param [out] microseconds Time offset, microseconds portion
+ *
+ * This function returns the time offsets in @a context.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds);
+
+/* str_conv.c */
+/**
+ * Convert a string to an encryption type.
+ *
+ * @param [in] string String to convert to an encryption type
+ * @param [out] enctypep Encryption type
+ *
+ * @retval 0 Success; otherwise - EINVAL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_enctype(char *string, krb5_enctype *enctypep);
+
+/**
+ * Convert a string to a salt type.
+ *
+ * @param [in] string String to convert to an encryption type
+ * @param [out] salttypep Salt type to be filled in
+ *
+ * @retval 0 Success; otherwise - EINVAL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_salttype(char *string, krb5_int32 *salttypep);
+
+/**
+ * Convert a string to a checksum type.
+ *
+ * @param [in] string String to be converted
+ * @param [out] cksumtypep Checksum type to be filled in
+ *
+ * @retval 0 Success; otherwise - EINVAL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep);
+
+/**
+ * Convert a string to a timestamp.
+ *
+ * @param [in] string String to be converted
+ * @param [out] timestampp Pointer to timestamp
+ *
+ * @retval 0 Success; otherwise - EINVAL
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp);
+
+/**
+ * Convert a string to a delta time value.
+ *
+ * @param [in] string String to be converted
+ * @param [out] deltatp Delta time to be filled in
+ *
+ * @retval 0 Success; otherwise - KRB5_DELTAT_BADFORMAT
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_deltat(char *string, krb5_deltat *deltatp);
+
+/**
+ * Convert an encryption type to a string.
+ *
+ * @param [in] enctype Encryption type
+ * @param [out] buffer Buffer to hold encryption type string
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen);
+
+/**
+ * Convert an encryption type to a name or alias.
+ *
+ * @param [in] enctype Encryption type
+ * @param [in] shortest Flag
+ * @param [out] buffer Buffer to hold encryption type string
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * If @a shortest is FALSE, this function returns the enctype's canonical name
+ * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the
+ * enctype's shortest alias (like "aes128-cts").
+ *
+ * @version First introduced in 1.9
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
+ char *buffer, size_t buflen);
+
+/**
+ * Convert a salt type to a string.
+ *
+ * @param [in] salttype Salttype to convert
+ * @param [out] buffer Buffer to receive the converted string
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen);
+
+/**
+ * Convert a checksum type to a string.
+ *
+ * @param [in] cksumtype Checksum type
+ * @param [out] buffer Buffer to hold converted checksum type
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen);
+
+/**
+ * Convert a timestamp to a string.
+ *
+ * @param [in] timestamp Timestamp to convert
+ * @param [out] buffer Buffer to hold converted timestamp
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * The string is returned in the locale's appropriate date and time
+ * representation.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen);
+
+/**
+ * Convert a timestamp to a string, with optional output padding
+ *
+ * @param [in] timestamp Timestamp to convert
+ * @param [out] buffer Buffer to hold the converted timestamp
+ * @param [in] buflen Length of buffer
+ * @param [in] pad Optional value to pad @a buffer if converted
+ * timestamp does not fill it
+ *
+ * If @a pad is not NULL, @a buffer is padded out to @a buflen - 1 characters
+ * with the value of *@a pad.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer,
+ size_t buflen, char *pad);
+
+/**
+ * Convert a relative time value to a string.
+ *
+ * @param [in] deltat Relative time value to convert
+ * @param [out] buffer Buffer to hold time string
+ * @param [in] buflen Storage available in @a buffer
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen);
+
+/* The name of the Kerberos ticket granting service... and its size */
+#define KRB5_TGS_NAME "krbtgt"
+#define KRB5_TGS_NAME_SIZE 6
+
+/* flags for recvauth */
+#define KRB5_RECVAUTH_SKIP_VERSION 0x0001
+#define KRB5_RECVAUTH_BADAUTHVERS 0x0002
+/* initial ticket api functions */
+
+/** Text for prompt used in prompter callback function. */
+typedef struct _krb5_prompt {
+ char *prompt; /**< The prompt to show to the user */
+ int hidden; /**< Boolean; informative prompt or hidden (e.g. PIN) */
+ krb5_data *reply; /**< Must be allocated before call to prompt routine */