/*
* Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
- *
- * This software is being provided to you, the LICENSEE, by the
- * Massachusetts Institute of Technology (M.I.T.) under the following
- * license. By obtaining, using and/or copying this software, you agree
- * that you have read, understood, and will comply with these terms and
- * conditions:
- *
+ *
+ * This software is being provided to you, the LICENSEE, by the
+ * Massachusetts Institute of Technology (M.I.T.) under the following
+ * license. By obtaining, using and/or copying this software, you agree
+ * that you have read, understood, and will comply with these terms and
+ * conditions:
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
- * this software and its documentation for any purpose and without fee or
- * royalty is hereby granted, provided that you agree to comply with the
- * following copyright notice and statements, including the disclaimer, and
- * that the same appear on ALL copies of the software and documentation,
- * including modifications that you make for internal use or for
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
+ * this software and its documentation for any purpose and without fee or
+ * royalty is hereby granted, provided that you agree to comply with the
+ * following copyright notice and statements, including the disclaimer, and
+ * that the same appear on ALL copies of the software and documentation,
+ * including modifications that you make for internal use or for
* distribution:
- *
- * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
- * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
- * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
- * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
- * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
- * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
- *
- * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
- * be used in advertising or publicity pertaining to distribution of the
- * software. Title to copyright in this software and any associated
- * documentation shall at all times remain with M.I.T., and USER agrees to
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
+ * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
+ * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
+ * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
+ * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+ *
+ * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
+ * be used in advertising or publicity pertaining to distribution of the
+ * software. Title to copyright in this software and any associated
+ * documentation shall at all times remain with M.I.T., and USER agrees to
* preserve same.
*
* Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
+ * fashion that it might be confused with the original M.I.T. software.
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#ifndef KRB5_CONFIG__
#define KRB5_CONFIG__
-/*
+/*
* Machine-type definitions: PC Clone 386 running Microloss Windows
*/
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
#define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
-/*
+/*
* Windows requires a different api interface to each function. Here
* just define it as NULL.
*/
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
+#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+#define KRB5_CONF_CANONICALIZE "canonicalize"
#define KRB5_CONF_CCACHE_TYPE "ccache_type"
#define KRB5_CONF_CLOCKSKEW "clockskew"
#define KRB5_CONF_DATABASE_NAME "database_name"
#define KRB5_CONF_DB_MODULES "db_modules"
#define KRB5_CONF_DOMAIN_REALM "domain_realm"
#define KRB5_CONF_DEFAULT_REALM "default_realm"
+#define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
#define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
#define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
#define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
#define KRB5_CONF_DNS_FALLBACK "dns_fallback"
-#edefine KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
+#define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
+#define KRB5_CONF_FORWARDABLE "forwardable"
#define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
#define KRB5_CONF_KDC "kdc"
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
#define KRB5_CONF_KDC_PORTS "kdc_ports"
-#define KRB5_CONF_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
#define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
+#define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
#define KRB5_CONF_LDAP_SERVERS "ldap_servers"
#define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
#define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
#define KRB5_CONF_MASTER_KDC "master_kdc"
#define KRB5_CONF_MAX_LIFE "max_life"
#define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
-#define KRB5_CONF_NOADDRESS "noaddresses"
+#define KRB5_CONF_NOADDRESSES "noaddresses"
#define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
-#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
-#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
-#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
-#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
-#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
-#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file"
-#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
-#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
-#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
-#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
+#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
+#define KRB5_CONF_PROXIABLE "proxiable"
#define KRB5_CONF_RDNS "rdns"
#define KRB5_CONF_REALMS "realms"
#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
+#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
+#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
+#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
krb5_data s2kparams;
} krb5_etype_info_entry;
-/*
+/*
* This is essentially -1 without sign extension which can screw up
* comparisons on 64 bit machines. If the length is this value, then
* the salt data is not present. This is to distinguish between not
- * being set and being of 0 length.
+ * being set and being of 0 length.
*/
#define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
} krb5_etype_list;
/*
- * a sam_challenge is returned for alternate preauth
+ * a sam_challenge is returned for alternate preauth
*/
/*
SAMFlags ::= BIT STRING {
void krb5_os_free_context (krb5_context);
-/* This function is needed by KfM's KerberosPreferences API
+/* This function is needed by KfM's KerberosPreferences API
* because it needs to be able to specify "secure" */
-krb5_error_code os_get_default_config_files
+krb5_error_code os_get_default_config_files
(profile_filespec_t **pfiles, krb5_boolean secure);
krb5_error_code krb5_os_hostaddr
void (*freefn)(void *);
void *data;
} *addrs;
- int naddrs;
- int space;
+ size_t naddrs;
+ size_t space;
};
#define ADDRLIST_INIT { 0, 0, 0 }
extern void krb5int_free_addrlist (struct addrlist *);
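Review bot: Widening `naddrs` and `space` from `int` to `size_t` is the right type for counts, but every existing user that compares them with an `int` loop index, or that stored a negative sentinel, now performs a mixed-signedness comparison; those call sites are outside this hunk, so a `-Wsign-compare`/`-Wconversion` pass over the addrlist users would be worth doing alongside this change. `ADDRLIST_INIT { 0, 0, 0 }` stays valid for the new member types. A one-line comment such as `size_t naddrs; /* elements in use */` and `size_t space; /* elements allocated */` would also make the invariant `naddrs <= space` explicit, assuming that is what the two fields mean.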
struct addrlist *, enum locate_service_type svc,
int sockettype, int family);
+struct derived_key {
+ krb5_data constant;
+ krb5_key dkey;
+ struct derived_key *next;
+};
+
+/* Internal structure of an opaque key identifier */
+struct krb5_key_st {
+ krb5_keyblock keyblock;
+ int refcount;
+ struct derived_key *derived;
+};
+
/* new encryption provider api */
struct krb5_enc_provider {
- /* keybytes is the input size to make_key;
+ /* keybytes is the input size to make_key;
keylength is the output size */
size_t block_size, keybytes, keylength;
/* cipher-state == 0 fresh state thrown away at end */
- krb5_error_code (*encrypt) (const krb5_keyblock *key,
+ krb5_error_code (*encrypt) (krb5_key key,
const krb5_data *cipher_state,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*decrypt) (const krb5_keyblock *key,
+ krb5_error_code (*decrypt) (krb5_key key,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
krb5_error_code (*free_state) (krb5_data *state);
/* In-place encryption/decryption of multiple buffers */
- krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
+ krb5_error_code (*encrypt_iov) (krb5_key key,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
size_t num_data);
- krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
+ krb5_error_code (*decrypt_iov) (krb5_key key,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
size_t num_data);
};
struct krb5_hash_provider {
+ char hash_name[8];
size_t hashsize, blocksize;
/* this takes multiple inputs to avoid lots of copying. */
struct krb5_keyhash_provider {
size_t hashsize;
- krb5_error_code (*hash) (const krb5_keyblock *key,
+ krb5_error_code (*hash) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*verify) (const krb5_keyblock *key,
+ krb5_error_code (*verify) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
const krb5_data *hash,
krb5_boolean *valid);
- krb5_error_code (*hash_iov) (const krb5_keyblock *key,
+ krb5_error_code (*hash_iov) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_crypto_iov *data,
size_t num_data,
krb5_data *output);
- krb5_error_code (*verify_iov) (const krb5_keyblock *key,
+ krb5_error_code (*verify_iov) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_crypto_iov *data,
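Review bot: The new `char hash_name[8];` field in `struct krb5_hash_provider` carries no termination or length contract, so a provider initializer of exactly eight characters would leave it without a NUL and any later `%s` or `strcmp` use would read past the array. Neither the providers that fill it nor the code that reads it are in this hunk, so I cannot confirm how it is used; pin the rule at the declaration, e.g. `char hash_name[8]; /* NUL-terminated, at most 7 chars */`, and widen the array rather than rely on unterminated storage if a longer name is ever needed. In the same hunk, `int refcount;` in `struct krb5_key_st` has no stated synchronization discipline; a comment saying whether a `krb5_key` may be shared across threads without external locking (and that the free routine must zap both `keyblock` and the cached `derived` keys) would help, presumably after confirming against the implementation.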
krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
* in here to deal with stuff from lib/crypto
*/
-void krb5_nfold
+void krb5int_nfold
(unsigned int inbits, const unsigned char *in,
unsigned int outbits, unsigned char *out);
-krb5_error_code krb5_hmac
+krb5_error_code krb5int_hmac
(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, unsigned int icount,
+ krb5_key key, unsigned int icount,
const krb5_data *input, krb5_data *output);
krb5_error_code krb5int_hmac_iov
+(const struct krb5_hash_provider *hash,
+ krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
+krb5_error_code krb5int_hmac_keyblock
+(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, unsigned int icount,
+ const krb5_data *input, krb5_data *output);
+
+krb5_error_code krb5int_hmac_iov_keyblock
(const struct krb5_hash_provider *hash,
const krb5_keyblock *key,
const krb5_crypto_iov *data, size_t num_data,
#endif /* WIN32 */
#define zap(p,l) krb5int_zap_data(p,l)
+/* Convenience function: zap and free ptr if it is non-NULL. */
+static inline void
+zapfree(void *ptr, size_t len)
+{
+ if (ptr != NULL) {
+ zap(ptr, len);
+ free(ptr);
+ }
+}
+
/* A definition of init_state for DES based encryption systems.
* sets up an 8-byte IV of all zeros
*/
krb5_error_code krb5int_des_init_state
(const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state);
-/*
+/*
* normally to free a cipher_state you can just memset the length to zero and
* free it.
*/
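Review bot: `zapfree()` should document that `len` must cover the whole allocation, since only the first `len` bytes are zeroized before `free()` and any key material beyond that is released intact — e.g. `/* Zap the first len bytes of ptr (pass the full allocation size for key material) and free it; ptr may be NULL. */`. The `ptr != NULL` test is needed for `zap`, not for `free`, which accepts NULL; a short comment saying so would stop a later reader from "simplifying" it away. The function also relies on `free` being declared earlier in this header, which is not visible in the hunk.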
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
krb5_keyblock *outkey);
+
void krb5int_c_free_keyblock
(krb5_context, krb5_keyblock *key);
void krb5int_c_free_keyblock_contents
(krb5_context, krb5_keyblock *);
-krb5_error_code krb5int_c_init_keyblock
+krb5_error_code krb5int_c_init_keyblock
(krb5_context, krb5_enctype enctype,
- size_t length, krb5_keyblock **out);
+ size_t length, krb5_keyblock **out);
+krb5_error_code krb5int_c_copy_keyblock
+(krb5_context context, const krb5_keyblock *from, krb5_keyblock **to);
+krb5_error_code krb5int_c_copy_keyblock_contents
+(krb5_context context, const krb5_keyblock *from, krb5_keyblock *to);
/*
* Internal - for cleanup.
extern void krb5int_prng_cleanup (void);
-/*
+/*
* These declarations are here, so both krb5 and k5crypto
* can get to them.
* krb5 needs to get to them so it can make them available to libgssapi.
krb5_keyusage keyusage, const krb5_data *plain,
krb5_enc_data *cipher);
+krb5_error_code krb5_encrypt_keyhelper
+(krb5_context context, krb5_key key,
+ krb5_keyusage keyusage, const krb5_data *plain,
+ krb5_enc_data *cipher);
+
/*
* End "los-proto.h"
*/
* Define our view of the size of a DES key.
*/
#define KRB5_MIT_DES_KEYSIZE 8
+#define KRB5_MIT_DES3_KEYSIZE 24
+#define KRB5_MIT_DES3_KEY_BYTES 21
+
/*
* Check if des_int.h has been included before us. If so, then check to see
* that our view of the DES key size is the same as des_int.h's.
* (Originally written by Glen Machin at Sandia Labs.)
*/
/*
- * Sandia National Laboratories also makes no representations about the
- * suitability of the modifications, or additions to this software for
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
* any purpose. It is provided "as is" without express or implied warranty.
- *
+ *
*/
#ifndef KRB5_PREAUTH__
#define KRB5_PREAUTH__
* requested information. It is opaque to the plugin code and can be
* expanded in the future as new types of requests are defined which
* may require other things to be passed through. */
+ struct krb5int_fast_request_state;
typedef struct _krb5_preauth_client_rock {
krb5_magic magic;
- krb5_kdc_rep *as_reply;
+ krb5_enctype *etype;
+ struct krb5int_fast_request_state *fast_state;
} krb5_preauth_client_rock;
/* This structure lets us keep track of all of the modules which are loaded,
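Review bot: The forward declaration `struct krb5int_fast_request_state;` on the new line is indented by one space at file scope, which makes it read like a stray member of the typedef that follows; put it at column 0 like the other file-scope declarations. The comment above the typedef still describes the rock in terms of the removed `as_reply` member, so a one-line note on the new `etype` and `fast_state` members (e.g. `krb5_enctype *etype; /* reply enctype selected so far */`) would keep it accurate, assuming that is what `etype` carries.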
krb5_data auth_package;
} krb5_pa_for_user;
+typedef struct _krb5_s4u_userid {
+ krb5_int32 nonce;
+ krb5_principal user;
+ krb5_data subject_cert;
+ krb5_flags options;
+} krb5_s4u_userid;
+
+#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
+#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
+
+typedef struct _krb5_pa_s4u_x509_user {
+ krb5_s4u_userid user_id;
+ krb5_checksum cksum;
+} krb5_pa_s4u_x509_user;
+
+enum {
+ KRB5_FAST_ARMOR_AP_REQUEST = 0x1
+};
+
+typedef struct _krb5_fast_armor {
+ krb5_int32 armor_type;
+ krb5_data armor_value;
+} krb5_fast_armor;
+typedef struct _krb5_fast_armored_req {
+ krb5_magic magic;
+ krb5_fast_armor *armor;
+ krb5_checksum req_checksum;
+ krb5_enc_data enc_part;
+} krb5_fast_armored_req;
+
+typedef struct _krb5_fast_req {
+ krb5_magic magic;
+ krb5_flags fast_options;
+ /* padata from req_body is used*/
+ krb5_kdc_req *req_body;
+} krb5_fast_req;
+
+/* Bits 0-15 are critical in fast options.*/
+#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
+#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
+
+typedef struct _krb5_fast_finished {
+ krb5_timestamp timestamp;
+ krb5_int32 usec;
+ krb5_principal client;
+ krb5_checksum ticket_checksum;
+} krb5_fast_finished;
+
+typedef struct _krb5_fast_response {
+ krb5_magic magic;
+ krb5_pa_data **padata;
+ krb5_keyblock *strengthen_key;
+ krb5_fast_finished *finished;
+ krb5_int32 nonce;
+} krb5_fast_response;
+
+typedef struct _krb5_ad_kdcissued {
+ krb5_checksum ad_checksum;
+ krb5_principal i_principal;
+ krb5_authdata **elements;
+} krb5_ad_kdcissued;
+
typedef krb5_error_code (*krb5_preauth_obtain_proc)
(krb5_context,
krb5_pa_data *,
krb5_etype_info,
- krb5_keyblock *,
+ krb5_keyblock *,
krb5_error_code ( * )(krb5_context,
const krb5_enctype,
krb5_data *,
krb5_const_pointer,
krb5_kdc_rep * ),
krb5_keyblock **,
- krb5_creds *,
+ krb5_creds *,
krb5_int32 *,
krb5_int32 *);
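Review bot: The comment `/* Bits 0-15 are critical in fast options.*/` and the mask `#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff` disagree: the mask covers eight bits, not sixteen, and `KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01` is written in plain integer bit order while the comment speaks in ASN.1 bit-string numbering. The code that rejects unsupported critical options is not in this hunk, but whatever it does, anything outside this mask is accepted silently, so the two should be reconciled and the convention stated, e.g. `/* Critical FAST options occupy bit-string bits 0-15; this mask is in krb5_flags bit order — keep in sync with the flags decoder. */`. I would also confirm that the implemented option `KRB5_FAST_OPTION_HIDE_CLIENT_NAMES` is excluded from the "unsupported" set once the convention is fixed.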
krb5_data *,
krb5_const_pointer,
krb5_keyblock **),
- krb5_const_pointer,
+ krb5_const_pointer,
krb5_creds *,
krb5_kdc_req *);
const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ),
- krb5_keyblock **,
- krb5_creds *,
- krb5_int32 *);
+ krb5_keyblock **,
+ krb5_creds *,
+ krb5_int32 *);
+
+krb5_pa_data * krb5int_find_pa_data
+(krb5_context, krb5_pa_data * const *, krb5_preauthtype);
+/* Does not return a copy; original padata sequence responsible for freeing*/
void krb5_free_etype_info
(krb5_context, krb5_etype_info);
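Review bot: The comment `/* Does not return a copy; original padata sequence responsible for freeing*/` sits after the `krb5int_find_pa_data` prototype, so it reads as if it documents `krb5_free_etype_info` on the following line. Move it above the declaration and state the full contract, including the miss case, e.g. `/* Return the first padata element of the given type, or NULL if none; the pointer aliases the sequence and must not be freed by the caller. */`. The NULL-on-miss behavior is inferred from the name and should be checked against the implementation, which is not in this hunk.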
* with the new krb5_get_init_creds_opt_alloc() function.
* KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
* structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
+ * structure.
* If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
* krb5int_gic_opt_to_opte(), the resulting extended structure should be
* freed (using krb5_get_init_creds_free). Otherwise, the original
typedef struct _krb5_gic_opt_private {
int num_preauth_data;
krb5_gic_opt_pa_data *preauth_data;
+ char * fast_ccache_name;
} krb5_gic_opt_private;
/*
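Review bot: The new `char * fast_ccache_name;` member of `krb5_gic_opt_private` has no ownership comment, so it is unclear whether the private structure owns the string (and the options free routine must release it) or merely aliases a caller-supplied buffer that may not outlive the options. Suggest `char *fast_ccache_name; /* owned by this struct; freed with the options */` or the equivalent alias wording, whichever the setter (outside this hunk) implements. The `char * name` spacing also differs from the `char *name` form used elsewhere in the header.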
krb5_error_code
krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
+krb5_error_code
+krb5int_copy_data_contents_add0 (krb5_context, const krb5_data *, krb5_data *);
+
krb5_error_code
krb5int_copy_creds_contents (krb5_context, const krb5_creds *, krb5_creds *);
(krb5_context, krb5_enc_sam_response_enc * );
void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
(krb5_context, krb5_enc_sam_response_enc_2 * );
-
+
void KRB5_CALLCONV krb5_free_pa_enc_ts
(krb5_context, krb5_pa_enc_ts *);
void KRB5_CALLCONV krb5_free_pa_for_user
(krb5_context, krb5_pa_for_user * );
+void KRB5_CALLCONV krb5_free_s4u_userid_contents
+ (krb5_context, krb5_s4u_userid * );
+void KRB5_CALLCONV krb5_free_pa_s4u_x509_user
+ (krb5_context, krb5_pa_s4u_x509_user * );
void KRB5_CALLCONV krb5_free_pa_svr_referral_data
(krb5_context, krb5_pa_svr_referral_data * );
void KRB5_CALLCONV krb5_free_pa_server_referral_data
void KRB5_CALLCONV krb5_free_etype_list
(krb5_context, krb5_etype_list * );
+void KRB5_CALLCONV krb5_free_fast_armor
+(krb5_context, krb5_fast_armor *);
+void KRB5_CALLCONV krb5_free_fast_armored_req
+(krb5_context, krb5_fast_armored_req *);
+void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
+void KRB5_CALLCONV krb5_free_fast_finished
+(krb5_context, krb5_fast_finished *);
+void KRB5_CALLCONV krb5_free_fast_response
+(krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
+
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
#include "com_err.h"
#include "k5-plugin.h"
+#include <krb5/authdata_plugin.h>
+
+struct _krb5_authdata_context {
+ krb5_magic magic;
+ int n_modules;
+ struct _krb5_authdata_context_module {
+ krb5_authdatatype ad_type;
+ void *plugin_context;
+ authdata_client_plugin_fini_proc client_fini;
+ krb5_flags flags;
+ krb5plugin_authdata_client_ftable_v0 *ftable;
+ authdata_client_request_init_proc client_req_init;
+ authdata_client_request_fini_proc client_req_fini;
+ const char *name;
+ void *request_context;
+ void **request_context_pp;
+ } *modules;
+ struct plugin_dir_handle plugins;
+};
+
+typedef struct _krb5_authdata_context *krb5_authdata_context;
+
+void KRB5_CALLCONV krb5int_free_data_list
+(krb5_context context, krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_init
+(krb5_context kcontext, krb5_authdata_context *pcontext);
+
+void KRB5_CALLCONV
+krb5_authdata_context_free
+(krb5_context kcontext, krb5_authdata_context context);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_authdata
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata ***pauthdata);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_get_attribute_types
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_data **attrs);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_get_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_set_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_delete_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ const krb5_data *attributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_data **pattributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean restrict_authenticated,
+ const char *module,
+ void **ptr);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_copy
+(krb5_context kcontext,
+ krb5_authdata_context src,
+ krb5_authdata_context *dst);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_free_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const char *module,
+ void *ptr);
+
+
struct _kdb5_dal_handle; /* private, in kdb5.h */
typedef struct _kdb5_dal_handle kdb5_dal_handle;
struct _kdb_log_context;
struct _krb5_context {
krb5_magic magic;
- krb5_enctype *in_tkt_ktypes;
- unsigned int in_tkt_ktype_count;
- krb5_enctype *tgs_ktypes;
- unsigned int tgs_ktype_count;
+ krb5_enctype *in_tkt_etypes;
+ krb5_enctype *tgs_etypes;
struct _krb5_os_context os_context;
char *default_realm;
profile_t profile;
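Review bot: Dropping `in_tkt_ktype_count` and `tgs_ktype_count` in favor of bare `krb5_enctype *in_tkt_etypes` and `tgs_etypes` leaves the list-length convention undocumented; presumably the lists are now zero-terminated (or NULL for the default), but nothing in this hunk says so, and a consumer that still expects a count would walk off the end of the array. Once the convention is confirmed against the setters, record it at the declaration: `krb5_enctype *in_tkt_etypes; /* zero-terminated, or NULL for the profile default */` and likewise for `tgs_etypes`. The enclosing `struct _krb5_context` continues past this hunk.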
/* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
/* here we use some knowledge of ASN.1 encodings */
-/*
+/*
Ticket is APPLICATION 1.
Authenticator is APPLICATION 2.
AS_REQ is APPLICATION 10.
krb5_error_code encode_krb5_enc_kdc_rep_part
(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
-/* yes, the translation is identical to that used for KDC__REP */
+/* yes, the translation is identical to that used for KDC__REP */
krb5_error_code encode_krb5_as_rep
(const krb5_kdc_rep *rep, krb5_data **code);
-/* yes, the translation is identical to that used for KDC__REP */
+/* yes, the translation is identical to that used for KDC__REP */
krb5_error_code encode_krb5_tgs_rep
(const krb5_kdc_rep *rep, krb5_data **code);
krb5_error_code encode_krb5_pa_for_user
(const krb5_pa_for_user * , krb5_data **);
+krb5_error_code encode_krb5_s4u_userid
+ (const krb5_s4u_userid * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_s4u_x509_user
+ (const krb5_pa_s4u_x509_user * , krb5_data **);
+
krb5_error_code encode_krb5_pa_svr_referral_data
(const krb5_pa_svr_referral_data * , krb5_data **);
krb5_error_code encode_krb5_etype_list
(const krb5_etype_list * , krb5_data **);
+krb5_error_code encode_krb5_pa_fx_fast_request
+(const krb5_fast_armored_req *, krb5_data **);
+krb5_error_code encode_krb5_fast_req
+(const krb5_fast_req *, krb5_data **);
+krb5_error_code encode_krb5_pa_fx_fast_reply
+(const krb5_enc_data *, krb5_data **);
+
+krb5_error_code encode_krb5_fast_response
+(const krb5_fast_response *, krb5_data **);
+
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
*************************************************************************/
krb5_error_code krb5_validate_times
- (krb5_context,
+ (krb5_context,
krb5_ticket_times *);
/*
krb5_error_code decode_krb5_structure(const krb5_data *code,
krb5_structure **rep);
-
+
requires Expects **rep to not have been allocated;
a new *rep is allocated regardless of the old value.
effects Decodes *code into **rep.
krb5_error_code decode_krb5_pa_for_user
(const krb5_data *, krb5_pa_for_user **);
+krb5_error_code decode_krb5_pa_s4u_x509_user
+ (const krb5_data *, krb5_pa_s4u_x509_user **);
+
krb5_error_code decode_krb5_pa_svr_referral_data
(const krb5_data *, krb5_pa_svr_referral_data **);
krb5_error_code decode_krb5_etype_list
(const krb5_data *, krb5_etype_list **);
+krb5_error_code decode_krb5_pa_fx_fast_request
+(const krb5_data *, krb5_fast_armored_req **);
+
+krb5_error_code decode_krb5_fast_req
+(const krb5_data *, krb5_fast_req **);
+
+
+krb5_error_code decode_krb5_pa_fx_fast_reply
+(const krb5_data *, krb5_enc_data **);
+
+krb5_error_code decode_krb5_fast_response
+(const krb5_data *, krb5_fast_response **);
+
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
struct _krb5_key_data; /* kdb.h */
struct ldap_seqof_key_data {
/* set and change password helpers */
krb5_error_code krb5int_mk_chpw_req
- (krb5_context context, krb5_auth_context auth_context,
+ (krb5_context context, krb5_auth_context auth_context,
krb5_data *ap_req, char *passwd, krb5_data *packet);
krb5_error_code krb5int_rd_chpw_rep
(krb5_context context, krb5_auth_context auth_context,
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 13
+#define KRB5INT_ACCESS_STRUCT_VERSION 15
#ifndef ANAME_SZ
struct ktext; /* from krb.h, for krb524 support */
/* crypto stuff */
const struct krb5_hash_provider *md5_hash_provider;
const struct krb5_enc_provider *arcfour_enc_provider;
- krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- unsigned int icount, const krb5_data *input,
- krb5_data *output);
- krb5_error_code (* krb5_auth_con_get_subkey_enctype)(krb5_context, krb5_auth_context, krb5_enctype *);
+ krb5_error_code (*hmac)(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ unsigned int icount, const krb5_data *input,
+ krb5_data *output);
+ krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
+ krb5_auth_context,
+ krb5_enctype *);
/* service location and communication */
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
int (*use_dns_kdc)(krb5_context);
krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
- /* krb4 compatibility stuff -- may be null if not enabled */
- krb5_int32 (*krb_life_to_time)(krb5_int32, int);
- int (*krb_time_to_life)(krb5_int32, krb5_int32);
- int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
- krb5_error_code (*krb5int_c_mandatory_cksumtype)
- (krb5_context, krb5_enctype, krb5_cksumtype *);
- krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
- (krb5_int64, krb5_octet **, size_t *);
- krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
- (krb5_int64 *, krb5_octet **, size_t *);
+ krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
+ krb5_cksumtype *);
+ krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(krb5_int64, krb5_octet **,
+ size_t *);
+ krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(krb5_int64 *,
+ krb5_octet **, size_t *);
/* Used for KDB LDAP back end. */
krb5_error_code
krb5_error_code
(*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
ldap_seqof_key_data **);
+ /* Used for encrypted challenge fast factor*/
+ krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
+ krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
+ void (*free_enc_data)(krb5_context, krb5_enc_data *);
+ krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
+ krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
+ void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
+ krb5_error_code (*encrypt_helper)
+ (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *,
+ krb5_enc_data *);
/*
* pkinit asn.1 encode/decode functions
(const krb5_data *output, krb5_kdc_req **rep);
krb5_error_code (*encode_krb5_kdc_req_body)
(const krb5_kdc_req *rep, krb5_data **code);
- void (KRB5_CALLCONV *krb5_free_kdc_req)
+ void (KRB5_CALLCONV *free_kdc_req)
(krb5_context, krb5_kdc_req * );
- void (*krb5int_set_prompt_types)
+ void (*set_prompt_types)
(krb5_context, krb5_prompt_type *);
krb5_error_code (*encode_krb5_authdata_elt)
(const krb5_authdata *rep, krb5_data **code);
/*
* Per-type ccache cursor.
*/
-struct krb5_cc_ptcursor {
+struct krb5_cc_ptcursor_s {
const struct _krb5_cc_ops *ops;
krb5_pointer data;
};
-typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
+typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
struct _krb5_cc_ops {
krb5_magic magic;
krb5_ccache *);
krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
krb5_cc_ptcursor *);
- krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
+ krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
krb5_ccache);
krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
krb5_ccache, krb5_timestamp *);
krb5_timestamp ctime;
} krb5_donot_replay;
-krb5_error_code krb5_rc_default
+krb5_error_code krb5_rc_default
(krb5_context,
krb5_rcache *);
-krb5_error_code krb5_rc_resolve_type
+krb5_error_code krb5_rc_resolve_type
(krb5_context,
krb5_rcache *,char *);
-krb5_error_code krb5_rc_resolve_full
+krb5_error_code krb5_rc_resolve_full
(krb5_context,
krb5_rcache *,char *);
-char * krb5_rc_get_type
+char * krb5_rc_get_type
(krb5_context,
krb5_rcache);
-char * krb5_rc_default_type
+char * krb5_rc_default_type
(krb5_context);
-char * krb5_rc_default_name
+char * krb5_rc_default_name
(krb5_context);
-krb5_error_code krb5_auth_to_rep
+krb5_error_code krb5_auth_to_rep
(krb5_context,
krb5_tkt_authent *,
krb5_donot_replay *);
krb5_magic magic;
char *prefix;
/* routines always present */
- krb5_error_code (KRB5_CALLCONV *resolve)
+ krb5_error_code (KRB5_CALLCONV *resolve)
(krb5_context,
const char *,
krb5_keytab *);
- krb5_error_code (KRB5_CALLCONV *get_name)
+ krb5_error_code (KRB5_CALLCONV *get_name)
(krb5_context,
krb5_keytab,
char *,
unsigned int);
- krb5_error_code (KRB5_CALLCONV *close)
+ krb5_error_code (KRB5_CALLCONV *close)
(krb5_context,
krb5_keytab);
- krb5_error_code (KRB5_CALLCONV *get)
+ krb5_error_code (KRB5_CALLCONV *get)
(krb5_context,
krb5_keytab,
krb5_const_principal,
krb5_kvno,
krb5_enctype,
krb5_keytab_entry *);
- krb5_error_code (KRB5_CALLCONV *start_seq_get)
+ krb5_error_code (KRB5_CALLCONV *start_seq_get)
(krb5_context,
krb5_keytab,
- krb5_kt_cursor *);
- krb5_error_code (KRB5_CALLCONV *get_next)
+ krb5_kt_cursor *);
+ krb5_error_code (KRB5_CALLCONV *get_next)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *,
krb5_kt_cursor *);
- krb5_error_code (KRB5_CALLCONV *end_get)
+ krb5_error_code (KRB5_CALLCONV *end_get)
(krb5_context,
krb5_keytab,
krb5_kt_cursor *);
/* routines to be included on extended version (write routines) */
- krb5_error_code (KRB5_CALLCONV *add)
+ krb5_error_code (KRB5_CALLCONV *add)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *);
- krb5_error_code (KRB5_CALLCONV *remove)
+ krb5_error_code (KRB5_CALLCONV *remove)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *);
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
-#define krb5_copy_error_state(CTX, OCTX) \
- krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg)
-
/*
* Referral definitions, debugging hooks, and subfunctions.
*/
char *,
size_t);
-/* Use the above four instead. */
-krb5_boolean KRB5_CALLCONV valid_enctype
- (krb5_enctype ktype);
-krb5_boolean KRB5_CALLCONV valid_cksumtype
- (krb5_cksumtype ctype);
-krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
- (krb5_cksumtype ctype);
-krb5_boolean KRB5_CALLCONV is_keyed_cksum
- (krb5_cksumtype ctype);
-
-krb5_error_code KRB5_CALLCONV krb5_random_confounder
- (size_t, krb5_pointer);
-
-krb5_error_code krb5_encrypt_data
- (krb5_context context, krb5_keyblock *key,
- krb5_pointer ivec, krb5_data *data,
- krb5_enc_data *enc_data);
-
-krb5_error_code krb5_decrypt_data
- (krb5_context context, krb5_keyblock *key,
- krb5_pointer ivec, krb5_enc_data *data,
- krb5_data *enc_data);
-
krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
struct _krb5_kt { /* should move into k5-int.h */
krb5_int32 etype_count;
} krb5_etypes_permitted;
-krb5_boolean krb5_is_permitted_enctype_ext
+krb5_boolean krb5_is_permitted_enctype_ext
( krb5_context, krb5_etypes_permitted *);
-krb5_boolean KRB5_CALLCONV krb5_c_weak_enctype(krb5_enctype);
+krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
krb5_error_code krb5_kdc_rep_decrypt_proc
(krb5_context,
(krb5_context, krb5_pwd_data *);
void KRB5_CALLCONV krb5_free_pwd_sequences
(krb5_context, passwd_phrase_element **);
+void KRB5_CALLCONV krb5_free_passwd_phrase_element
+ (krb5_context, passwd_phrase_element *);
+void KRB5_CALLCONV krb5_free_alt_method
+ (krb5_context, krb5_alt_method *);
+void KRB5_CALLCONV krb5_free_enc_data
+ (krb5_context, krb5_enc_data *);
krb5_error_code krb5_set_config_files
(krb5_context, const char **);
void KRB5_CALLCONV krb5_free_config_files
(char **filenames);
-krb5_error_code krb5_send_tgs
+krb5_error_code krb5int_send_tgs
(krb5_context,
krb5_flags,
const krb5_ticket_times *,
krb5_pa_data * const *,
const krb5_data *,
krb5_creds *,
- krb5_response * );
-krb5_error_code krb5_decode_kdc_rep
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
+ krb5_response * , krb5_keyblock **subkey);
+ /* The subkey field is an output parameter; if a
+ * tgs-rep is received then the subkey will be filled
+ * in with the subkey needed to decrypt the TGS
+ * response. Otherwise it will be set to null.
+ */
+krb5_error_code krb5int_decode_tgs_rep
(krb5_context,
krb5_data *,
- const krb5_keyblock *,
+ const krb5_keyblock *, krb5_keyusage,
krb5_kdc_rep ** );
+krb5_error_code krb5int_find_authdata
+(krb5_context context, krb5_authdata *const * ticket_authdata,
+ krb5_authdata * const *ap_req_authdata,
+ krb5_authdatatype ad_type,
+ krb5_authdata ***results);
krb5_error_code krb5_rd_req_decoded
(krb5_context,
krb5_keytab,
krb5_flags *,
krb5_ticket **);
+
krb5_error_code KRB5_CALLCONV krb5_cc_register
(krb5_context,
const krb5_cc_ops *,
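Review bot: The explanatory comment for the new `subkey` output parameter of `krb5int_send_tgs` is placed after the prototype's closing `);`, where it reads as though it annotates the `krb5int_decode_tgs_rep` declaration that follows; it should sit above `krb5_error_code krb5int_send_tgs` so the contract stays with its function. The comment also leaves ownership open: it says the subkey is "filled in" or "set to null" but not which side releases the keyblock (presumably the caller, but that cannot be confirmed from this hunk), and a declaration this far from the implementation is exactly where that should be stated. A one-line addition such as `* The caller owns the returned subkey and must free it.` (if that is indeed the contract) would close the gap. The same hunk adds `krb5int_find_authdata` with no comment at all, so a one-sentence description of what the `results` array holds and who frees it would be welcome there as well.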
krb5_auth_context,
krb5_enctype *);
+krb5_error_code
+krb5_auth_con_get_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context);
+
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock
(krb5_context context,
/* Internal principal function used by KIM to avoid code duplication */
krb5_error_code KRB5_CALLCONV
-krb5int_build_principal_alloc_va(krb5_context context,
- krb5_principal *princ,
- unsigned int rlen,
- const char *realm,
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
const char *first,
va_list ap);
/* Some data comparison and conversion functions. */
-#if 0
-static inline int data_cmp(krb5_data d1, krb5_data d2)
-{
- if (d1.length < d2.length) return -1;
- if (d1.length > d2.length) return 1;
- return memcmp(d1.data, d2.data, d1.length);
-}
-static inline int data_eq (krb5_data d1, krb5_data d2)
-{
- return data_cmp(d1, d2) == 0;
-}
-#else
-static inline int data_eq (krb5_data d1, krb5_data d2)
+static inline int
+data_eq(krb5_data d1, krb5_data d2)
{
return (d1.length == d2.length
&& !memcmp(d1.data, d2.data, d1.length));
}
-#endif
-static inline krb5_data string2data (char *str)
+
+static inline krb5_data
+make_data(void *data, unsigned int len)
{
krb5_data d;
+
d.magic = KV5M_DATA;
- d.length = strlen(str);
- d.data = str;
+ d.data = (char *) data;
+ d.length = len;
return d;
}
-static inline int data_eq_string (krb5_data d, char *s)
+
+static inline krb5_data
+empty_data()
+{
+ return make_data(NULL, 0);
+}
+
+static inline krb5_data
+string2data(char *str)
+{
+ return make_data(str, strlen(str));
+}
+
+static inline int
+data_eq_string (krb5_data d, char *s)
{
return data_eq(d, string2data(s));
}
-static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
+
+static inline int
+authdata_eq(krb5_authdata a1, krb5_authdata a2)
{
return (a1.ad_type == a2.ad_type
&& a1.length == a2.length
&& !memcmp(a1.contents, a2.contents, a1.length));
}
+/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
+static inline void *
+k5alloc(size_t size, krb5_error_code *code)
+{
+ void *ptr;
+
+ ptr = calloc(size, 1);
+ *code = (ptr == NULL) ? ENOMEM : 0;
+ return ptr;
+}
+
krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context,
krb5_pac pac,
const krb5_keyblock *privsvr_key,
krb5_data *data);
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_data *cert,
+ krb5_creds **out_creds);
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_proxy(krb5_context context,
+ krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_ticket *evidence_tkt,
+ krb5_creds **out_creds);
+
+krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
+ krb5_enctype *default_list,
+ krb5_enctype **result);
+
+#ifdef DEBUG_ERROR_LOCATIONS
+#define krb5_set_error_message(ctx, code, ...) \
+ krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
+#endif
+
#endif /* _KRB5_INT_H */
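Review bot: `k5alloc` calls `calloc(size, 1)` and maps a NULL result to ENOMEM, but for `size == 0` the C standard permits `calloc` to return NULL, so a zero-length request would be misreported as an allocation failure on such platforms; allocating at least one byte avoids the ambiguity, e.g. `/* Allocate at least one byte since zero-byte allocs may return NULL. */` followed by `ptr = calloc((size > 0) ? size : 1, 1);`. In the same hunk, `empty_data()` is defined with empty parentheses, which in C (as opposed to C++) declares a function with unspecified parameters rather than none; `static inline krb5_data empty_data(void)` is the correct prototype form and matches how `krb5int_crypto_init (void)` is declared elsewhere in this header. Finally, `string2data` passes the `size_t` result of `strlen` into `make_data`'s `unsigned int len`, a silent narrowing on LP64 targets; since `krb5_data.length` is itself `unsigned int` this may be unavoidable, but a short comment noting the implicit truncation would save the next reader a `-Wconversion` investigation.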