1 /* 2 * Copyright (c) 2007-2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "krb5_locl.h" 35 36 /** 37 * 38 */ 39 40 /*! @mainpage Heimdal Kerberos 5 library 41 * 42 * @section intro Introduction 43 * 44 * Heimdal libkrb5 library is a implementation of the Kerberos 45 * protocol. 46 * 47 * Kerberos is a system for authenticating users and services on a 48 * network. It is built upon the assumption that the network is 49 * ``unsafe''. For example, data sent over the network can be 50 * eavesdropped and altered, and addresses can also be faked. 51 * Therefore they cannot be used for authentication purposes. 52 * 53 * 54 * - @ref krb5_introduction 55 * - @ref krb5_principal_intro 56 * - @ref krb5_ccache_intro 57 * - @ref krb5_keytab_intro 58 * 59 * If you want to know more about the file formats that is used by 60 * Heimdal, please see: @ref krb5_fileformats 61 * 62 * The project web page: http://www.h5l.org/ 63 * 64 */ 65 66 /** @defgroup krb5 Heimdal Kerberos 5 library */ 67 /** @defgroup krb5_address Heimdal Kerberos 5 address functions */ 68 /** @defgroup krb5_principal Heimdal Kerberos 5 principal functions */ 69 /** @defgroup krb5_ccache Heimdal Kerberos 5 credential cache functions */ 70 /** @defgroup krb5_crypto Heimdal Kerberos 5 cryptography functions */ 71 /** @defgroup krb5_credential Heimdal Kerberos 5 credential handing functions */ 72 /** @defgroup krb5_deprecated Heimdal Kerberos 5 deprecated functions */ 73 /** @defgroup krb5_digest Heimdal Kerberos 5 digest service */ 74 /** @defgroup krb5_error Heimdal Kerberos 5 error reporting functions */ 75 /** @defgroup krb5_keytab Heimdal Kerberos 5 keytab handling functions */ 76 /** @defgroup krb5_ticket Heimdal Kerberos 5 ticket functions */ 77 /** @defgroup krb5_pac Heimdal Kerberos 5 PAC handling functions */ 78 /** @defgroup krb5_v4compat Heimdal Kerberos 4 compatiblity functions */ 79 /** @defgroup krb5_storage Heimdal Kerberos 5 storage functions */ 80 /** @defgroup krb5_support Heimdal Kerberos 5 support functions */ 81 /** @defgroup krb5_auth Heimdal Kerberos 5 authentication functions */ 82 83 84 /** 85 * @page krb5_introduction Introduction to the Kerberos 5 API 86 * @section api_overview Kerberos 5 API Overview 87 * 88 * All functions are documented in manual pages. This section tries 89 * to give an overview of the major components used in Kerberos 90 * library, and point to where to look for a specific function. 91 * 92 * @subsection intro_krb5_context Kerberos context 93 * 94 * A kerberos context (krb5_context) holds all per thread state. All 95 * global variables that are context specific are stored in this 96 * structure, including default encryption types, credential cache 97 * (for example, a ticket file), and default realms. 98 * 99 * The internals of the structure should never be accessed directly, 100 * functions exist for extracting information. 101 * 102 * See the manual page for krb5_init_context() how to create a context 103 * and module @ref krb5 for more information about the functions. 104 * 105 * @subsection intro_krb5_auth_context Kerberos authentication context 106 * 107 * Kerberos authentication context (krb5_auth_context) holds all 108 * context related to an authenticated connection, in a similar way to 109 * the kerberos context that holds the context for the thread or 110 * process. 111 * 112 * The krb5_auth_context is used by various functions that are 113 * directly related to authentication between the 114 * server/client. Example of data that this structure contains are 115 * various flags, addresses of client and server, port numbers, 116 * keyblocks (and subkeys), sequence numbers, replay cache, and 117 * checksum types. 118 * 119 * @subsection intro_krb5_principal Kerberos principal 120 * 121 * The Kerberos principal is the structure that identifies a user or 122 * service in Kerberos. The structure that holds the principal is the 123 * krb5_principal. There are function to extract the realm and 124 * elements of the principal, but most applications have no reason to 125 * inspect the content of the structure. 126 * 127 * The are several ways to create a principal (with different degree of 128 * portability), and one way to free it. 129 * 130 * See also the page @ref krb5_principal_intro for more information and also 131 * module @ref krb5_principal. 132 * 133 * @subsection intro_krb5_ccache Credential cache 134 * 135 * A credential cache holds the tickets for a user. A given user can 136 * have several credential caches, one for each realm where the user 137 * have the initial tickets (the first krbtgt). 138 * 139 * The credential cache data can be stored internally in different 140 * way, each of them for different proposes. File credential (FILE) 141 * caches and processes based (KCM) caches are for permanent 142 * storage. While memory caches (MEMORY) are local caches to the local 143 * process. 144 * 145 * Caches are opened with krb5_cc_resolve() or created with 146 * krb5_cc_new_unique(). 147 * 148 * If the cache needs to be opened again (using krb5_cc_resolve()) 149 * krb5_cc_close() will close the handle, but not the remove the 150 * cache. krb5_cc_destroy() will zero out the cache, remove the cache 151 * so it can no longer be referenced. 152 * 153 * See also @ref krb5_ccache_intro and @ref krb5_ccache . 154 * 155 * @subsection intro_krb5_error_code Kerberos errors 156 * 157 * Kerberos errors are based on the com_err library. All error codes are 158 * 32-bit signed numbers, the first 24 bits define what subsystem the 159 * error originates from, and last 8 bits are 255 error codes within the 160 * library. Each error code have fixed string associated with it. For 161 * example, the error-code -1765328383 have the symbolic name 162 * KRB5KDC_ERR_NAME_EXP, and associated error string ``Client's entry in 163 * database has expired''. 164 * 165 * This is a great improvement compared to just getting one of the unix 166 * error-codes back. However, Heimdal have an extention to pass back 167 * customised errors messages. Instead of getting ``Key table entry not 168 * found'', the user might back ``failed to find 169 * host/host.example.com\@EXAMLE.COM(kvno 3) in keytab /etc/krb5.keytab 170 * (des-cbc-crc)''. This improves the chance that the user find the 171 * cause of the error so you should use the customised error message 172 * whenever it's available. 173 * 174 * See also module @ref krb5_error . 175 * 176 * 177 * @subsection intro_krb5_keytab Keytab management 178 * 179 * A keytab is a storage for locally stored keys. Heimdal includes keytab 180 * support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's, 181 * and for storing keys in memory. 182 * 183 * Keytabs are used for servers and long-running services. 184 * 185 * See also @ref krb5_keytab_intro and @ref krb5_keytab . 186 * 187 * @subsection intro_krb5_crypto Kerberos crypto 188 * 189 * Heimdal includes a implementation of the Kerberos crypto framework, 190 * all crypto operations. To create a crypto context call krb5_crypto_init(). 191 * 192 * See also module @ref krb5_crypto . 193 * 194 * @section kerberos5_client Walkthrough of a sample Kerberos 5 client 195 * 196 * This example contains parts of a sample TCP Kerberos 5 clients, if you 197 * want a real working client, please look in appl/test directory in 198 * the Heimdal distribution. 199 * 200 * All Kerberos error-codes that are returned from kerberos functions in 201 * this program are passed to krb5_err, that will print a 202 * descriptive text of the error code and exit. Graphical programs can 203 * convert error-code to a human readable error-string with the 204 * krb5_get_error_message() function. 205 * 206 * Note that you should not use any Kerberos function before 207 * krb5_init_context() have completed successfully. That is the 208 * reason err() is used when krb5_init_context() fails. 209 * 210 * First the client needs to call krb5_init_context to initialise 211 * the Kerberos 5 library. This is only needed once per thread 212 * in the program. If the function returns a non-zero value it indicates 213 * that either the Kerberos implementation is failing or it's disabled on 214 * this host. 215 * 216 * @code 217 * #include <krb5.h> 218 * 219 * int 220 * main(int argc, char **argv) 221 * { 222 * krb5_context context; 223 * 224 * if (krb5_init_context(&context)) 225 * errx (1, "krb5_context"); 226 * @endcode 227 * 228 * Now the client wants to connect to the host at the other end. The 229 * preferred way of doing this is using getaddrinfo (for 230 * operating system that have this function implemented), since getaddrinfo 231 * is neutral to the address type and can use any protocol that is available. 232 * 233 * @code 234 * struct addrinfo *ai, *a; 235 * struct addrinfo hints; 236 * int error; 237 * 238 * memset (&hints, 0, sizeof(hints)); 239 * hints.ai_socktype = SOCK_STREAM; 240 * hints.ai_protocol = IPPROTO_TCP; 241 * 242 * error = getaddrinfo (hostname, "pop3", &hints, &ai); 243 * if (error) 244 * errx (1, "%s: %s", hostname, gai_strerror(error)); 245 * 246 * for (a = ai; a != NULL; a = a->ai_next) { 247 * int s; 248 * 249 * s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); 250 * if (s < 0) 251 * continue; 252 * if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { 253 * warn ("connect(%s)", hostname); 254 * close (s); 255 * continue; 256 * } 257 * freeaddrinfo (ai); 258 * ai = NULL; 259 * } 260 * if (ai) { 261 * freeaddrinfo (ai); 262 * errx ("failed to contact %s", hostname); 263 * } 264 * @endcode 265 * 266 * Before authenticating, an authentication context needs to be 267 * created. This context keeps all information for one (to be) authenticated 268 * connection (see krb5_auth_context). 269 * 270 * @code 271 * status = krb5_auth_con_init (context, &auth_context); 272 * if (status) 273 * krb5_err (context, 1, status, "krb5_auth_con_init"); 274 * @endcode 275 * 276 * For setting the address in the authentication there is a help function 277 * krb5_auth_con_setaddrs_from_fd() that does everything that is needed 278 * when given a connected file descriptor to the socket. 279 * 280 * @code 281 * status = krb5_auth_con_setaddrs_from_fd (context, 282 * auth_context, 283 * &sock); 284 * if (status) 285 * krb5_err (context, 1, status, 286 * "krb5_auth_con_setaddrs_from_fd"); 287 * @endcode 288 * 289 * The next step is to build a server principal for the service we want 290 * to connect to. (See also krb5_sname_to_principal().) 291 * 292 * @code 293 * status = krb5_sname_to_principal (context, 294 * hostname, 295 * service, 296 * KRB5_NT_SRV_HST, 297 * &server); 298 * if (status) 299 * krb5_err (context, 1, status, "krb5_sname_to_principal"); 300 * @endcode 301 * 302 * The client principal is not passed to krb5_sendauth() 303 * function, this causes the krb5_sendauth() function to try to figure it 304 * out itself. 305 * 306 * The server program is using the function krb5_recvauth() to 307 * receive the Kerberos 5 authenticator. 308 * 309 * In this case, mutual authentication will be tried. That means that the server 310 * will authenticate to the client. Using mutual authentication 311 * is good since it enables the user to verify that they are talking to the 312 * right server (a server that knows the key). 313 * 314 * If you are using a non-blocking socket you will need to do all work of 315 * krb5_sendauth() yourself. Basically you need to send over the 316 * authenticator from krb5_mk_req() and, in case of mutual 317 * authentication, verifying the result from the server with 318 * krb5_rd_rep(). 319 * 320 * @code 321 * status = krb5_sendauth (context, 322 * &auth_context, 323 * &sock, 324 * VERSION, 325 * NULL, 326 * server, 327 * AP_OPTS_MUTUAL_REQUIRED, 328 * NULL, 329 * NULL, 330 * NULL, 331 * NULL, 332 * NULL, 333 * NULL); 334 * if (status) 335 * krb5_err (context, 1, status, "krb5_sendauth"); 336 * @endcode 337 * 338 * Once authentication has been performed, it is time to send some 339 * data. First we create a krb5_data structure, then we sign it with 340 * krb5_mk_safe() using the auth_context that contains the 341 * session-key that was exchanged in the 342 * krb5_sendauth()/krb5_recvauth() authentication 343 * sequence. 344 * 345 * @code 346 * data.data = "hej"; 347 * data.length = 3; 348 * 349 * krb5_data_zero (&packet); 350 * 351 * status = krb5_mk_safe (context, 352 * auth_context, 353 * &data, 354 * &packet, 355 * NULL); 356 * if (status) 357 * krb5_err (context, 1, status, "krb5_mk_safe"); 358 * @endcode 359 * 360 * And send it over the network. 361 * 362 * @code 363 * len = packet.length; 364 * net_len = htonl(len); 365 * 366 * if (krb5_net_write (context, &sock, &net_len, 4) != 4) 367 * err (1, "krb5_net_write"); 368 * if (krb5_net_write (context, &sock, packet.data, len) != len) 369 * err (1, "krb5_net_write"); 370 * @endcode 371 * 372 * To send encrypted (and signed) data krb5_mk_priv() should be 373 * used instead. krb5_mk_priv() works the same way as 374 * krb5_mk_safe(), with the exception that it encrypts the data 375 * in addition to signing it. 376 * 377 * @code 378 * data.data = "hemligt"; 379 * data.length = 7; 380 * 381 * krb5_data_free (&packet); 382 * 383 * status = krb5_mk_priv (context, 384 * auth_context, 385 * &data, 386 * &packet, 387 * NULL); 388 * if (status) 389 * krb5_err (context, 1, status, "krb5_mk_priv"); 390 * @endcode 391 * 392 * And send it over the network. 393 * 394 * @code 395 * len = packet.length; 396 * net_len = htonl(len); 397 * 398 * if (krb5_net_write (context, &sock, &net_len, 4) != 4) 399 * err (1, "krb5_net_write"); 400 * if (krb5_net_write (context, &sock, packet.data, len) != len) 401 * err (1, "krb5_net_write"); 402 * 403 * @endcode 404 * 405 * The server is using krb5_rd_safe() and 406 * krb5_rd_priv() to verify the signature and decrypt the packet. 407 * 408 * @section intro_krb5_verify_user Validating a password in an application 409 * 410 * See the manual page for krb5_verify_user(). 411 * 412 * @section mit_differences API differences to MIT Kerberos 413 * 414 * This section is somewhat disorganised, but so far there is no overall 415 * structure to the differences, though some of the have their root in 416 * that Heimdal uses an ASN.1 compiler and MIT doesn't. 417 * 418 * @subsection mit_krb5_principal Principal and realms 419 * 420 * Heimdal stores the realm as a krb5_realm, that is a char *. 421 * MIT Kerberos uses a krb5_data to store a realm. 422 * 423 * In Heimdal krb5_principal doesn't contain the component 424 * name_type; it's instead stored in component 425 * name.name_type. To get and set the nametype in Heimdal, use 426 * krb5_principal_get_type() and 427 * krb5_principal_set_type(). 428 * 429 * For more information about principal and realms, see 430 * krb5_principal. 431 * 432 * @subsection mit_krb5_error_code Error messages 433 * 434 * To get the error string, Heimdal uses 435 * krb5_get_error_message(). This is to return custom error messages 436 * (like ``Can't find host/datan.example.com\@CODE.COM in 437 * /etc/krb5.conf.'' instead of a ``Key table entry not found'' that 438 * error_message returns. 439 * 440 * Heimdal uses a threadsafe(r) version of the com_err interface; the 441 * global com_err table isn't initialised. Then 442 * error_message returns quite a boring error string (just 443 * the error code itself). 444 * 445 * 446 */ 447 448 /** 449 * 450 * 451 * @page krb5_fileformats File formats 452 * 453 * @section fileformats File formats 454 * 455 * This section documents the diffrent file formats that are used in 456 * Heimdal and other Kerberos implementations. 457 * 458 * @subsection file_keytab keytab 459 * 460 * The keytab binary format is not a standard format. The format has 461 * evolved and may continue to. It is however understood by several 462 * Kerberos implementations including Heimdal, MIT, Sun's Java ktab and 463 * are created by the ktpass.exe utility from Windows. So it has 464 * established itself as the defacto format for storing Kerberos keys. 465 * 466 * The following C-like structure definitions illustrate the MIT keytab 467 * file format. All values are in network byte order. All text is ASCII. 468 * 469 * @code 470 * keytab { 471 * uint16_t file_format_version; # 0x502 472 * keytab_entry entries[*]; 473 * }; 474 * 475 * keytab_entry { 476 * int32_t size; 477 * uint16_t num_components; # subtract 1 if version 0x501 478 * counted_octet_string realm; 479 * counted_octet_string components[num_components]; 480 * uint32_t name_type; # not present if version 0x501 481 * uint32_t timestamp; 482 * uint8_t vno8; 483 * keyblock key; 484 * uint32_t vno; #only present if >= 4 bytes left in entry 485 * uint32_t flags; #only present if >= 4 bytes left in entry 486 * }; 487 * 488 * counted_octet_string { 489 * uint16_t length; 490 * uint8_t data[length]; 491 * }; 492 * 493 * keyblock { 494 * uint16_t type; 495 * counted_octet_string; 496 * }; 497 * @endcode 498 * 499 * All numbers are stored in network byteorder (big endian) format. 500 * 501 * The keytab file format begins with the 16 bit file_format_version which 502 * at the time this document was authored is 0x502. The format of older 503 * keytabs is described at the end of this document. 504 * 505 * The file_format_version is immediately followed by an array of 506 * keytab_entry structures which are prefixed with a 32 bit size indicating 507 * the number of bytes that follow in the entry. Note that the size should be 508 * evaluated as signed. This is because a negative value indicates that the 509 * entry is in fact empty (e.g. it has been deleted) and that the negative 510 * value of that negative value (which is of course a positive value) is 511 * the offset to the next keytab_entry. Based on these size values alone 512 * the entire keytab file can be traversed. 513 * 514 * The size is followed by a 16 bit num_components field indicating the 515 * number of counted_octet_string components in the components array. 516 * 517 * The num_components field is followed by a counted_octet_string 518 * representing the realm of the principal. 519 * 520 * A counted_octet_string is simply an array of bytes prefixed with a 16 521 * bit length. For the realm and name components, the counted_octet_string 522 * bytes are ASCII encoded text with no zero terminator. 523 * 524 * Following the realm is the components array that represents the name of 525 * the principal. The text of these components may be joined with slashs 526 * to construct the typical SPN representation. For example, the service 527 * principal HTTP/www.foo.net\@FOO.NET would consist of name components 528 * "HTTP" followed by "www.foo.net". 529 * 530 * Following the components array is the 32 bit name_type (e.g. 1 is 531 * KRB5_NT_PRINCIPAL, 2 is KRB5_NT_SRV_INST, 5 is KRB5_NT_UID, etc). In 532 * practice the name_type is almost certainly 1 meaning KRB5_NT_PRINCIPAL. 533 * 534 * The 32 bit timestamp indicates the time the key was established for that 535 * principal. The value represents the number of seconds since Jan 1, 1970. 536 * 537 * The 8 bit vno8 field is the version number of the key. This value is 538 * overridden by the 32 bit vno field if it is present. The vno8 field is 539 * filled with the lower 8 bits of the 32 bit protocol kvno field. 540 * 541 * The keyblock structure consists of a 16 bit value indicating the 542 * encryption type and is a counted_octet_string containing the key. The 543 * encryption type is the same as the Kerberos standard (e.g. 3 is 544 * des-cbc-md5, 23 is arcfour-hmac-md5, etc). 545 * 546 * The last field of the keytab_entry structure is optional. If the size of 547 * the keytab_entry indicates that there are at least 4 bytes remaining, 548 * a 32 bit value representing the key version number is present. This 549 * value supersedes the 8 bit vno8 value preceeding the keyblock. 550 * 551 * Older keytabs with a file_format_version of 0x501 are different in 552 * three ways: 553 * 554 * - All integers are in host byte order [1]. 555 * - The num_components field is 1 too large (i.e. after decoding, decrement by 1). 556 * - The 32 bit name_type field is not present. 557 * 558 * [1] The file_format_version field should really be treated as two 559 * separate 8 bit quantities representing the major and minor version 560 * number respectively. 561 * 562 * @subsection file_hdb_dump Heimdal database dump file 563 * 564 * Format of the Heimdal text dump file as of Heimdal 0.6.3: 565 * 566 * Each line in the dump file is one entry in the database. 567 * 568 * Each field of a line is separated by one or more spaces, with the 569 * exception of fields consisting of principals containing spaces, where 570 * space can be quoted with \ and \ is quoted by \. 571 * 572 * Fields and their types are: 573 * 574 * @code 575 * Quoted princial (quote character is \) [string] 576 * Keys [keys] 577 * Created by [event] 578 * Modified by [event optional] 579 * Valid start time [time optional] 580 * Valid end time [time optional] 581 * Password end valid time [time optional] 582 * Max lifetime of ticket [time optional] 583 * Max renew time of ticket [integer optional] 584 * Flags [hdb flags] 585 * Generation number [generation optional] 586 * Extensions [extentions optional] 587 * @endcode 588 * 589 * Fields following these silently are ignored. 590 * 591 * All optional fields will be skipped if they fail to parse (or comprise 592 * the optional field marker of "-", w/o quotes). 593 * 594 * Example: 595 * 596 * @code 597 * fred\@CODE.COM 27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:- 20020415130120:admin\@CODE.COM 20041221112428:fred\@CODE.COM - - - 86400 604800 126 20020415130120:793707:28 - 598 * @endcode 599 * 600 * Encoding of types are as follows: 601 * 602 * - keys 603 * 604 * @code 605 * kvno:[masterkvno:keytype:keydata:salt]{zero or more separated by :} 606 * @endcode 607 * 608 * kvno is the key version number. 609 * 610 * keydata is hex-encoded 611 * 612 * masterkvno is the kvno of the database master key. If this field is 613 * empty, the kadmin load and merge operations will encrypt the key data 614 * with the master key if there is one. Otherwise the key data will be 615 * imported asis. 616 * 617 * salt is encoded as "-" (no/default salt) or 618 * 619 * @code 620 * salt-type / 621 * salt-type / "string" 622 * salt-type / hex-encoded-data 623 * @endcode 624 * 625 * keytype is the protocol enctype number; see enum ENCTYPE in 626 * include/krb5_asn1.h for values. 627 * 628 * Example: 629 * @code 630 * 27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:- 631 * @endcode 632 * 633 * 634 * @code 635 * kvno=27,{key: masterkvno=1,keytype=des3-cbc-sha1,keydata=..., default salt}... 636 * @endcode 637 * 638 * - time 639 * 640 * Format of the time is: YYYYmmddHHMMSS, corresponding to strftime 641 * format "%Y%m%d%k%M%S". 642 * 643 * Time is expressed in UTC. 644 * 645 * Time can be optional (using -), when the time 0 is used. 646 * 647 * Example: 648 * 649 * @code 650 * 20041221112428 651 * @endcode 652 * 653 * - event 654 * 655 * @code 656 * time:principal 657 * @endcode 658 * 659 * time is as given in format time 660 * 661 * principal is a string. Not quoting it may not work in earlier 662 * versions of Heimdal. 663 * 664 * Example: 665 * @code 666 * 20041221112428:bloggs\@CODE.COM 667 * @endcode 668 * 669 * - hdb flags 670 * 671 * Integer encoding of HDB flags, see HDBFlags in lib/hdb/hdb.asn1. Each 672 * bit in the integer is the same as the bit in the specification. 673 * 674 * - generation: 675 * 676 * @code 677 * time:usec:gen 678 * @endcode 679 * 680 * 681 * usec is a the microsecond, integer. 682 * gen is generation number, integer. 683 * 684 * The generation can be defaulted (using '-') or the empty string 685 * 686 * - extensions: 687 * 688 * @code 689 * first-hex-encoded-HDB-Extension[:second-...] 690 * @endcode 691 * 692 * HDB-extension is encoded the DER encoded HDB-Extension from 693 * lib/hdb/hdb.asn1. Consumers HDB extensions should be aware that 694 * unknown entires needs to be preserved even thought the ASN.1 data 695 * content might be unknown. There is a critical flag in the data to show 696 * to the KDC that the entry MUST be understod if the entry is to be 697 * used. 698 * 699 * 700 */ 701