X-Git-Url: http://git.tremily.us/?a=blobdiff_plain;f=src%2Finclude%2Fkrb5%2Fkrb5.hin;h=284e6b327c0b53c6752fef471f73bd85ba960ac1;hb=f609e5caff410cc8f71db7d95b4da219541437db;hp=83c2dc72140502ab53f13ada215df68983840d8a;hpb=1e34efd28bd6c7eae84b19f71c87b2ea58939c1a;p=krb5.git diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 83c2dc721..284e6b327 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -52,7 +52,11 @@ #ifndef KRB5_GENERAL__ #define KRB5_GENERAL__ -/* By default, do not expose deprecated interfaces. */ +/** @defgroup KRB5_H krb5 library API + * @{ + */ + + /* By default, do not expose deprecated interfaces. */ #ifndef KRB5_DEPRECATED #define KRB5_DEPRECATED 0 #endif @@ -207,18 +211,14 @@ typedef struct _krb5_data { char *data; } krb5_data; +/* Originally introduced for PKINIT; now unused. Do not use this. */ typedef struct _krb5_octet_data { krb5_magic magic; unsigned int length; krb5_octet *data; } krb5_octet_data; -/* - * Hack length for crypto library to use the afs_string_to_key It is - * equivalent to -1 without possible sign extension - * We also overload for an unset salt type length - which is also -1, but - * hey, why not.... - */ +/* Originally used to recognize AFS and default salts. No longer used. */ #define SALT_TYPE_AFS_LENGTH UINT_MAX #define SALT_TYPE_NO_LENGTH UINT_MAX @@ -239,33 +239,23 @@ typedef krb5_principal_data * krb5_principal; * Per V5 spec on definition of principal types */ -/* Name type not known */ -#define KRB5_NT_UNKNOWN 0 -/* Just the name of the principal as in DCE, or for users */ -#define KRB5_NT_PRINCIPAL 1 -/* Service and other unique instance (krbtgt) */ -#define KRB5_NT_SRV_INST 2 -/* Service with host name as instance (telnet, rcommands) */ -#define KRB5_NT_SRV_HST 3 -/* Service with host as remaining components */ -#define KRB5_NT_SRV_XHST 4 -/* Unique ID */ -#define KRB5_NT_UID 5 -/* PKINIT */ -#define KRB5_NT_X500_PRINCIPAL 6 -/* Name in form of SMTP email name */ -#define KRB5_NT_SMTP_NAME 7 -/* Windows 2000 UPN */ -#define KRB5_NT_ENTERPRISE_PRINCIPAL 10 -#define KRB5_NT_WELLKNOWN 11 -/* First component of NT_WELLKNOWN principals */ -#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" -/* Windows 2000 UPN and SID */ -#define KRB5_NT_MS_PRINCIPAL -128 -/* NT 4 style name */ -#define KRB5_NT_MS_PRINCIPAL_AND_ID -129 -/* NT 4 style name and SID */ -#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 +#define KRB5_NT_UNKNOWN 0 /**< Name type not known */ +#define KRB5_NT_PRINCIPAL 1 /**< Just the name of the principal + as in DCE, or for users */ +#define KRB5_NT_SRV_INST 2 /**< Service and other unique instance (krbtgt) */ +#define KRB5_NT_SRV_HST 3 /**< Service with host name as instance + (telnet, rcommands) */ +#define KRB5_NT_SRV_XHST 4 /**< Service with host as remaining components */ +#define KRB5_NT_UID 5 /**< Unique ID */ +#define KRB5_NT_X500_PRINCIPAL 6 /**< PKINIT */ +#define KRB5_NT_SMTP_NAME 7 /**< Name in form of SMTP email name */ +#define KRB5_NT_ENTERPRISE_PRINCIPAL 10 /**< Windows 2000 UPN */ +#define KRB5_NT_WELLKNOWN 11 /**< Well-known (special) principal */ +#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /**< First component of + NT_WELLKNOWN principals */ +#define KRB5_NT_MS_PRINCIPAL -128 /**< Windows 2000 UPN and SID */ +#define KRB5_NT_MS_PRINCIPAL_AND_ID -129 /**< NT 4 style name */ +#define KRB5_NT_ENT_PRINCIPAL_AND_ID -130 /**< NT 4 style name and SID */ /** Constant version of krb5_principal_data */ typedef const krb5_principal_data *krb5_const_principal; @@ -314,13 +304,13 @@ krb5_anonymous_realm(void); * * This function returns constant storage that must not be freed. * - * @sa KRB5_ANONYMOUS_PRINCSTR + * @sa #KRB5_ANONYMOUS_PRINCSTR */ krb5_const_principal KRB5_CALLCONV krb5_anonymous_principal(void); -#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" -#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /* wellknown name type */ +#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS" /**< Anonymous realm */ +#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /**< Anonymous principal name */ /* * end "base-defs.h" */ @@ -1854,11 +1844,11 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, /** @} */ /* end of KRB5_AUTHDATA group */ /* password change constants */ -#define KRB5_KPASSWD_SUCCESS 0 -#define KRB5_KPASSWD_MALFORMED 1 -#define KRB5_KPASSWD_HARDERROR 2 -#define KRB5_KPASSWD_AUTHERROR 3 -#define KRB5_KPASSWD_SOFTERROR 4 +#define KRB5_KPASSWD_SUCCESS 0 /**< Success */ +#define KRB5_KPASSWD_MALFORMED 1 /**< Malformed request */ +#define KRB5_KPASSWD_HARDERROR 2 /**< Server error */ +#define KRB5_KPASSWD_AUTHERROR 3 /**< Authentication error */ +#define KRB5_KPASSWD_SOFTERROR 4 /**< Password change rejected */ /* These are Microsoft's extensions in RFC 3244, and it looks like they'll become standardized, possibly with other additions. */ #define KRB5_KPASSWD_ACCESSDENIED 5 /* unused */ @@ -1980,12 +1970,7 @@ typedef struct _krb5_pa_data { krb5_octet *contents; /**< Data */ } krb5_pa_data; -/* - * The FAST error handling logic currently assumes that pointers to this - * structure and krb5_pa_data can be safely cast to each other. If this - * structure changes, that code needs to be updated to copy. - */ -/** Typed data */ +/* Don't use this; use krb5_pa_data instead. */ typedef struct _krb5_typed_data { krb5_magic magic; krb5_int32 type; @@ -2127,36 +2112,27 @@ typedef struct _krb5_cred { krb5_cred_enc_part *enc_part2; /**< Unencrypted version, if available */ } krb5_cred; -/* - * Sandia password generation structure - * Used by internal functions only - */ +/* Unused, but here for API compatibility. */ typedef struct _passwd_phrase_element { krb5_magic magic; krb5_data *passwd; krb5_data *phrase; } passwd_phrase_element; -/* - * Password data. - * Used by internal functions only - */ +/* Unused, but here for API compatibility. */ typedef struct _krb5_pwd_data { krb5_magic magic; int sequence_count; passwd_phrase_element **element; } krb5_pwd_data; -/* these need to be here so the typedefs are available for the prototypes */ -/* - * Note for Windows 2000 compatibility this is encoded - * in the enc_padata field of the krb5_enc_kdc_rep_part. - */ +/* Unused, but here for API compatibility. */ typedef struct _krb5_pa_svr_referral_data { /** Referred name, only realm is required */ krb5_principal principal; } krb5_pa_svr_referral_data; +/* Unused, but here for API compatibility. */ typedef struct _krb5_pa_server_referral_data { krb5_data *referred_realm; krb5_principal true_principal_name; @@ -2177,9 +2153,13 @@ typedef struct _krb5_pa_pac_req { /** @defgroup KRB5_AUTH_CONTEXT KRB5_AUTH_CONTEXT * @{ */ -#define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 /**< set timestamp in the message */ +/** Prevent replays with timestamps and replay cache. */ +#define KRB5_AUTH_CONTEXT_DO_TIME 0x00000001 +/** Save timestamps for application. */ #define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002 -#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 /**< set sequence number in the message */ +/** Prevent replays with sequence numbers. */ +#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 +/** Save sequence numbers for application. */ #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 #define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 @@ -2285,6 +2265,7 @@ krb5_cc_get_name(krb5_context context, krb5_ccache cache); * @param [in] cache Credential cache handle * @param [out] fullname_out Full name of cache * + * @version First introduced in 1.10 */ krb5_error_code KRB5_CALLCONV krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, @@ -3393,7 +3374,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, * * @param [in] context Library context * @param [in] name String representation of a principal name - * @param [out] nprincipal Principal + * @param [out] principal_out New principal * * Convert a string representation of a principal name to a krb5_principal * structure. @@ -3412,7 +3393,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, * @note The realm in a Kerberos @a name cannot contain slash, colon, * or NULL characters. * - * Use krb5_free_principal() to free @a nprincipal when it is no longer needed. + * Use krb5_free_principal() to free @a principal_out when it is no longer + * needed. * * @retval * 0 Success @@ -3420,7 +3402,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, * Kerberos error codes */ krb5_error_code KRB5_CALLCONV -krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal); +krb5_parse_name(krb5_context context, const char *name, + krb5_principal *principal_out); #define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 /**< Error if realm is present */ #define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 /**< Error if realm is not present */ @@ -3428,12 +3411,12 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip enterprise principle */ /** - * Convert a string principal name to a krb5_principal with flags + * Convert a string principal name to a krb5_principal with flags. * * @param [in] context Library context * @param [in] name String representation of a principal name * @param [in] flags Flag - * @param [out] nprincipal Principal + * @param [out] principal_out New principal * * Similar to krb5_parse_name(), this function converts a single-string * representation of a principal name to a krb5_principal structure. @@ -3444,7 +3427,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip * @li #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise * principal * - * Use krb5_free_principal() to free @a nprincipal when it is no longer needed. + * Use krb5_free_principal() to free @a principal_out when it is no longer + * needed. * * @retval * 0 Success @@ -3453,7 +3437,7 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip */ krb5_error_code KRB5_CALLCONV krb5_parse_name_flags(krb5_context context, const char *name, - int flags, krb5_principal *nprincipal); + int flags, krb5_principal *principal_out); /** * Convert a krb5_principal structure to a string representation. @@ -3858,6 +3842,8 @@ krb5_copy_authdata(krb5_context context, * NULL entries. This function will search inside AD-IF-RELEVANT containers if * found in either list. Use krb5_free_authdata() to free @a results when it * is no longer needed. + * + * @version First introduced in 1.10 */ krb5_error_code KRB5_CALLCONV krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, @@ -4442,6 +4428,8 @@ krb5_cc_switch(krb5_context context, krb5_ccache cache); * @param [in] context Library context * @param [in] type Credential cache type * + * @version First introduced in 1.10 + * * @retval TRUE if @a type supports switching * @retval FALSE if it does not or is not a valid credential cache type. */ @@ -4462,6 +4450,8 @@ krb5_cc_support_switch(krb5_context context, const char *type); * @retval KRB5_CC_NOTFOUND * * @sa krb5_cccol_cursor_new + * + * @version First introduced in 1.10 */ krb5_error_code KRB5_CALLCONV krb5_cc_cache_match(krb5_context context, krb5_principal client, @@ -4498,6 +4488,8 @@ krb5_cc_cache_match(krb5_context context, krb5_principal client, * * Any other error code indicates a fatal error in the processing of a cache * selection mechanism. + * + * @version First introduced in 1.10 */ krb5_error_code KRB5_CALLCONV krb5_cc_select(krb5_context context, krb5_principal server, @@ -4660,15 +4652,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); void KRB5_CALLCONV krb5_free_data(krb5_context context, krb5_data *val); -/** - * Free storage associated with a @c krb5_octet_data structure and its pointer. - * - * @param [in] context Context structure - * @param [in] val Data structure to be freed - * - * @return - * None - */ +/* Free a krb5_octet_data structure (should be unused). */ void KRB5_CALLCONV krb5_free_octet_data(krb5_context context, krb5_octet_data *val); @@ -4697,6 +4681,8 @@ krb5_free_unparsed_name(krb5_context context, char *val); * * @param [in] context Library context * @param [in] val String to be freed + * + * @version First introduced in 1.10 */ void KRB5_CALLCONV krb5_free_string(krb5_context context, char *val); @@ -4758,6 +4744,8 @@ krb5_timeofday(krb5_context context, register krb5_timestamp *timeret); * This function checks if @a date is close enough to the current time * according to the configured allowable clock skew. * + * @version First introduced in 1.10 + * * @retval 0 Success * @retval KRB5KRB_AP_ERR_SKEW @a date is not within allowable clock skew */ @@ -4838,7 +4826,7 @@ krb5_free_default_realm(krb5_context context, char *lrealm); * * The @a type can be one of the following: * - * @li #KRB5_NT_SRV_HOST canonicalizes the host name before looking up the + * @li #KRB5_NT_SRV_HST canonicalizes the host name before looking up the * realm and generating the principal. * * @li #KRB5_NT_UNKNOWN accepts the hostname as given, and does not @@ -4977,6 +4965,32 @@ krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, int *result_code, krb5_data *result_code_string, krb5_data *result_string); +/** + * Get a result message for changing or setting a password. + * + * @param [in] context Library context + * @param [in] server_string Data returned from the remote system + * @param [out] message_out A message displayable to the user + * + * This function processes the @a server_string returned in the @a + * result_string parameter of krb5_change_password(), krb5_set_password(), and + * related functions, and returns a displayable string. If @a server_string + * contains Active Directory structured policy information, it will be + * converted into human-readable text. + * + * Use krb5_free_string() to free @a message_out when it is no longer needed. + * + * @retval + * 0 Success + * @return + * Kerberos error codes + * + * @version First introduced in 1.11 + */ +krb5_error_code KRB5_CALLCONV +krb5_chpw_message(krb5_context context, const krb5_data *server_string, + char **message_out); + /** * Retrieve configuration profile from the context. * @@ -5709,6 +5723,8 @@ krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, * This function sets the send subkey in @a ac to @a key, incrementing its * reference count. * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -5739,6 +5755,8 @@ krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, * This function sets the receiving subkey in @a ac to @a key, incrementing its * reference count. * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6148,6 +6166,8 @@ krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen); * (like "aes128-cts-hmac-sha1-96"). If @a shortest is TRUE, it return the * enctype's shortest alias (like "aes128-cts"). * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6520,6 +6540,8 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, * * This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), * but uses a credential cache handle instead of a name. + * + * @version First introduced in 1.9 */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, @@ -6622,6 +6644,8 @@ typedef void * @warning Setting an expire callback with this API will cause * krb5_get_init_creds_password() not to send password expiry warnings to the * prompter, as it ordinarily may. + * + * @version First introduced in 1.9 */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_expire_callback(krb5_context context, @@ -6675,15 +6699,16 @@ krb5_get_init_creds_opt_set_expire_callback(krb5_context context, */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, - krb5_principal client, char *password, + krb5_principal client, const char *password, krb5_prompter_fct prompter, void *data, - krb5_deltat start_time, char *in_tkt_service, + krb5_deltat start_time, + const char *in_tkt_service, krb5_get_init_creds_opt *k5_gic_options); struct _krb5_init_creds_context; typedef struct _krb5_init_creds_context *krb5_init_creds_context; -#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /* More responses needed */ +#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ /** * Free an initial credentials context. @@ -6882,6 +6907,8 @@ typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context; * * Use krb5_tkt_creds_free() to free @a ctx when it is no longer needed. * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6899,6 +6926,8 @@ krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, * krb5_tkt_creds_init(). On successful return, the credentials can be * retrieved with krb5_tkt_creds_get_creds(). * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6916,6 +6945,8 @@ krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx); * krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free @a creds when * it is no longer needed. * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6927,11 +6958,13 @@ krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, * * @param[in] context Library context * @param[in] ctx TGS request context + * + * @version First introduced in 1.9 */ void KRB5_CALLCONV krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx); -#define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /* More responses needed. */ +#define KRB5_TKT_CREDS_STEP_FLAG_CONTINUE 0x1 /**< More responses needed */ /** * Get the next KDC request in a TGS exchange. @@ -6957,6 +6990,8 @@ krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx); * transmit the next request using TCP rather than UDP. If this function * returns any other error, the TGS exchange has failed. * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -6974,6 +7009,8 @@ krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, * The TGS request context must have completed obtaining credentials via either * krb5_tkt_creds_get() or krb5_tkt_creds_step(). * + * @version First introduced in 1.9 + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -7007,7 +7044,7 @@ krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_error_code KRB5_CALLCONV krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_keytab arg_keytab, - krb5_deltat start_time, char *in_tkt_service, + krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *k5_gic_options); typedef struct _krb5_verify_init_creds_opt { @@ -7049,36 +7086,37 @@ krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic * * @param [in] context Library context * @param [in] creds Initial credentials to be verified - * @param [in] server_arg Server principal (or NULL) - * @param [in] keytab_arg Key table (NULL to use default keytab) - * @param [in,out] ccache_arg Credential cache for fetched creds (or NULL) + * @param [in] server Server principal (or NULL) + * @param [in] keytab Key table (NULL to use default keytab) + * @param [in,out] ccache Credential cache for fetched creds (or NULL) * @param [in] options Verification options (NULL for default options) * * This function attempts to verify that @a creds were obtained from a KDC with - * knowledge of a key in @a keytab_arg. If @a server_arg is provided, the - * highest-kvno key entry for that principal name is used to verify the - * credentials; otherwise, the highest-kvno key entry for the first principal - * listed in @a keytab_arg is used. + * knowledge of a key in @a keytab, or the default keytab if @a keytab is NULL. + * If @a server is provided, the highest-kvno key entry for that principal name + * is used to verify the credentials; otherwise, all unique "host" service + * principals in the keytab are tried. * * If the specified keytab does not exist, or is empty, or cannot be read, or - * does not contain an entry for @a server_arg, then credential verification - * may be skipped unless configuration demands that it succeed. The caller can + * does not contain an entry for @a server, then credential verification may be + * skipped unless configuration demands that it succeed. The caller can * control this behavior by providing a verification options structure; see * krb5_verify_init_creds_opt_init() and * krb5_verify_init_creds_opt_set_ap_req_nofail(). * - * If @a ccache_arg is NULL, any additional credentials fetched during the - * verification process will be destroyed. If @a ccache_arg points to NULL, a + * If @a ccache is NULL, any additional credentials fetched during the + * verification process will be destroyed. If @a ccache points to NULL, a * memory ccache will be created for the additional credentials and returned in - * @a ccache_arg. If @a ccache_arg points to a valid credential cache handle, - * the additional credentials will be stored in that cache. + * @a ccache. If @a ccache points to a valid credential cache handle, the + * additional credentials will be stored in that cache. * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV krb5_verify_init_creds(krb5_context context, krb5_creds *creds, - krb5_principal server_arg, krb5_keytab keytab_arg, - krb5_ccache *ccache_arg, krb5_verify_init_creds_opt *options); + krb5_principal server, krb5_keytab keytab, + krb5_ccache *ccache, + krb5_verify_init_creds_opt *options); /** * Get validated credentials from the KDC. @@ -7116,7 +7154,7 @@ krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_error_code KRB5_CALLCONV krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, - char *in_tkt_service); + const char *in_tkt_service); /** * Get renewed credential from KDC using an existing credential. @@ -7142,7 +7180,7 @@ krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_error_code KRB5_CALLCONV krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, - char *in_tkt_service); + const char *in_tkt_service); /** * Decode an ASN.1-formatted ticket. @@ -7198,9 +7236,13 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, /* * Prompter enhancements */ +/** Prompt for password */ #define KRB5_PROMPT_TYPE_PASSWORD 0x1 +/** Prompt for new password (during password change) */ #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2 +/** Prompt for new password again */ #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3 +/** Prompt for preauthentication data (such as an OTP value) */ #define KRB5_PROMPT_TYPE_PREAUTH 0x4 typedef krb5_int32 krb5_prompt_type; @@ -7415,13 +7457,13 @@ typedef struct krb5_pac_data *krb5_pac; * if there isn't already a buffer of this type present. * * The valid values of @a type is one of the following: - * @li #PAC_LOGON_INFO - Logon information - * @li #PAC_CREDENTIALS_INFO - Credentials information - * @li #PAC_SERVER_CHECKSUM - Server checksum - * @li #PAC_PRIVSVR_CHECKSUM - KDC checksum - * @li #PAC_CLIENT_INFO - Client name and ticket information - * @li #PAC_DELEGATION_INFO - Constrained delegation information - * @li #PAC_UPN_DNS_INFO - User principal name and DNS information + * @li #KRB5_PAC_LOGON_INFO - Logon information + * @li #KRB5_PAC_CREDENTIALS_INFO - Credentials information + * @li #KRB5_PAC_SERVER_CHECKSUM - Server checksum + * @li #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum + * @li #KRB5_PAC_CLIENT_INFO - Client name and ticket information + * @li #KRB5_PAC_DELEGATION_INFO - Constrained delegation information + * @li #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information * * @retval 0 Success; otherwise - Kerberos error codes */ @@ -7545,6 +7587,8 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac, * and returns the signed encoding in @a data. @a pac is modified to include * the server and KDC checksum buffers. Use krb5_free_data_contents() to free * @a data when it is no longer needed. + * + * @version First introduced in 1.10 */ krb5_error_code KRB5_CALLCONV krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, @@ -7593,6 +7637,8 @@ typedef void * @note This function overrides the information passed through the * @a KRB5_TRACE environment variable. * + * @version First introduced in 1.9 + * * @return Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library * (unless @a fn is NULL). */ @@ -7612,6 +7658,8 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, * @note This function overrides the information passed through the * @a KRB5_TRACE environment variable. * + * @version First introduced in 1.9 + * * @retval KRB5_TRACE_NOSUPP Tracing is not supported in the library. */ krb5_error_code KRB5_CALLCONV @@ -7629,4 +7677,6 @@ KRB5INT_END_DECLS #undef KRB5_ATTR_DEPRECATED +/** @} */ /* end of KRB5_H group */ + #endif /* KRB5_GENERAL__ */