xref: /freebsd/crypto/heimdal/lib/krb5/krb5.h (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*
2  * Copyright (c) 1997 - 2007 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /* $Id: krb5.h 22100 2007-12-03 17:15:00Z lha $ */
35 
36 #ifndef __KRB5_H__
37 #define __KRB5_H__
38 
39 #include <time.h>
40 #include <krb5-types.h>
41 
42 #include <asn1_err.h>
43 #include <krb5_err.h>
44 #include <heim_err.h>
45 #include <k524_err.h>
46 
47 #include <krb5_asn1.h>
48 
49 /* name confusion with MIT */
50 #ifndef KRB5KDC_ERR_KEY_EXP
51 #define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
52 #endif
53 
54 /* simple constants */
55 
56 #ifndef TRUE
57 #define TRUE  1
58 #define FALSE 0
59 #endif
60 
61 typedef int krb5_boolean;
62 
63 typedef int32_t krb5_error_code;
64 
65 typedef int krb5_kvno;
66 
67 typedef uint32_t krb5_flags;
68 
69 typedef void *krb5_pointer;
70 typedef const void *krb5_const_pointer;
71 
72 struct krb5_crypto_data;
73 typedef struct krb5_crypto_data *krb5_crypto;
74 
75 struct krb5_get_creds_opt_data;
76 typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt;
77 
78 struct krb5_digest_data;
79 typedef struct krb5_digest_data *krb5_digest;
80 struct krb5_ntlm_data;
81 typedef struct krb5_ntlm_data *krb5_ntlm;
82 
83 struct krb5_pac_data;
84 typedef struct krb5_pac_data *krb5_pac;
85 
86 typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx;
87 typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx;
88 
89 typedef CKSUMTYPE krb5_cksumtype;
90 
91 typedef Checksum krb5_checksum;
92 
93 typedef ENCTYPE krb5_enctype;
94 
95 typedef heim_octet_string krb5_data;
96 
97 /* PKINIT related forward declarations */
98 struct ContentInfo;
99 struct krb5_pk_identity;
100 struct krb5_pk_cert;
101 
102 /* krb5_enc_data is a mit compat structure */
103 typedef struct krb5_enc_data {
104     krb5_enctype enctype;
105     krb5_kvno kvno;
106     krb5_data ciphertext;
107 } krb5_enc_data;
108 
109 /* alternative names */
110 enum {
111     ENCTYPE_NULL		= ETYPE_NULL,
112     ENCTYPE_DES_CBC_CRC		= ETYPE_DES_CBC_CRC,
113     ENCTYPE_DES_CBC_MD4		= ETYPE_DES_CBC_MD4,
114     ENCTYPE_DES_CBC_MD5		= ETYPE_DES_CBC_MD5,
115     ENCTYPE_DES3_CBC_MD5	= ETYPE_DES3_CBC_MD5,
116     ENCTYPE_OLD_DES3_CBC_SHA1	= ETYPE_OLD_DES3_CBC_SHA1,
117     ENCTYPE_SIGN_DSA_GENERATE	= ETYPE_SIGN_DSA_GENERATE,
118     ENCTYPE_ENCRYPT_RSA_PRIV	= ETYPE_ENCRYPT_RSA_PRIV,
119     ENCTYPE_ENCRYPT_RSA_PUB	= ETYPE_ENCRYPT_RSA_PUB,
120     ENCTYPE_DES3_CBC_SHA1	= ETYPE_DES3_CBC_SHA1,
121     ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96,
122     ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96,
123     ENCTYPE_ARCFOUR_HMAC	= ETYPE_ARCFOUR_HMAC_MD5,
124     ENCTYPE_ARCFOUR_HMAC_MD5	= ETYPE_ARCFOUR_HMAC_MD5,
125     ENCTYPE_ARCFOUR_HMAC_MD5_56	= ETYPE_ARCFOUR_HMAC_MD5_56,
126     ENCTYPE_ENCTYPE_PK_CROSS	= ETYPE_ENCTYPE_PK_CROSS,
127     ENCTYPE_DES_CBC_NONE	= ETYPE_DES_CBC_NONE,
128     ENCTYPE_DES3_CBC_NONE	= ETYPE_DES3_CBC_NONE,
129     ENCTYPE_DES_CFB64_NONE	= ETYPE_DES_CFB64_NONE,
130     ENCTYPE_DES_PCBC_NONE	= ETYPE_DES_PCBC_NONE
131 };
132 
133 typedef PADATA_TYPE krb5_preauthtype;
134 
135 typedef enum krb5_key_usage {
136     KRB5_KU_PA_ENC_TIMESTAMP = 1,
137     /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
138        client key (section 5.4.1) */
139     KRB5_KU_TICKET = 2,
140     /* AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
141        application session key), encrypted with the service key
142        (section 5.4.2) */
143     KRB5_KU_AS_REP_ENC_PART = 3,
144     /* AS-REP encrypted part (includes tgs session key or application
145        session key), encrypted with the client key (section 5.4.2) */
146     KRB5_KU_TGS_REQ_AUTH_DAT_SESSION = 4,
147     /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
148        session key (section 5.4.1) */
149     KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY = 5,
150     /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
151           authenticator subkey (section 5.4.1) */
152     KRB5_KU_TGS_REQ_AUTH_CKSUM = 6,
153     /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
154        with the tgs session key (sections 5.3.2, 5.4.1) */
155     KRB5_KU_TGS_REQ_AUTH = 7,
156     /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
157        authenticator subkey), encrypted with the tgs session key
158        (section 5.3.2) */
159     KRB5_KU_TGS_REP_ENC_PART_SESSION = 8,
160     /* TGS-REP encrypted part (includes application session key),
161        encrypted with the tgs session key (section 5.4.2) */
162     KRB5_KU_TGS_REP_ENC_PART_SUB_KEY = 9,
163     /* TGS-REP encrypted part (includes application session key),
164        encrypted with the tgs authenticator subkey (section 5.4.2) */
165     KRB5_KU_AP_REQ_AUTH_CKSUM = 10,
166     /* AP-REQ Authenticator cksum, keyed with the application session
167        key (section 5.3.2) */
168     KRB5_KU_AP_REQ_AUTH = 11,
169     /* AP-REQ Authenticator (includes application authenticator
170        subkey), encrypted with the application session key (section
171        5.3.2) */
172     KRB5_KU_AP_REQ_ENC_PART = 12,
173     /* AP-REP encrypted part (includes application session subkey),
174        encrypted with the application session key (section 5.5.2) */
175     KRB5_KU_KRB_PRIV = 13,
176     /* KRB-PRIV encrypted part, encrypted with a key chosen by the
177        application (section 5.7.1) */
178     KRB5_KU_KRB_CRED = 14,
179     /* KRB-CRED encrypted part, encrypted with a key chosen by the
180        application (section 5.8.1) */
181     KRB5_KU_KRB_SAFE_CKSUM = 15,
182     /* KRB-SAFE cksum, keyed with a key chosen by the application
183        (section 5.6.1) */
184     KRB5_KU_OTHER_ENCRYPTED = 16,
185     /* Data which is defined in some specification outside of
186        Kerberos to be encrypted using an RFC1510 encryption type. */
187     KRB5_KU_OTHER_CKSUM = 17,
188     /* Data which is defined in some specification outside of
189        Kerberos to be checksummed using an RFC1510 checksum type. */
190     KRB5_KU_KRB_ERROR = 18,
191     /* Krb-error checksum */
192     KRB5_KU_AD_KDC_ISSUED = 19,
193     /* AD-KDCIssued checksum */
194     KRB5_KU_MANDATORY_TICKET_EXTENSION = 20,
195     /* Checksum for Mandatory Ticket Extensions */
196     KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21,
197     /* Checksum in Authorization Data in Ticket Extensions */
198     KRB5_KU_USAGE_SEAL = 22,
199     /* seal in GSSAPI krb5 mechanism */
200     KRB5_KU_USAGE_SIGN = 23,
201     /* sign in GSSAPI krb5 mechanism */
202     KRB5_KU_USAGE_SEQ = 24,
203     /* SEQ in GSSAPI krb5 mechanism */
204     KRB5_KU_USAGE_ACCEPTOR_SEAL = 22,
205     /* acceptor sign in GSSAPI CFX krb5 mechanism */
206     KRB5_KU_USAGE_ACCEPTOR_SIGN = 23,
207     /* acceptor seal in GSSAPI CFX krb5 mechanism */
208     KRB5_KU_USAGE_INITIATOR_SEAL = 24,
209     /* initiator sign in GSSAPI CFX krb5 mechanism */
210     KRB5_KU_USAGE_INITIATOR_SIGN = 25,
211     /* initiator seal in GSSAPI CFX krb5 mechanism */
212     KRB5_KU_PA_SERVER_REFERRAL_DATA = 22,
213     /* encrypted server referral data */
214     KRB5_KU_SAM_CHECKSUM = 25,
215     /* Checksum for the SAM-CHECKSUM field */
216     KRB5_KU_SAM_ENC_TRACK_ID = 26,
217     /* Encryption of the SAM-TRACK-ID field */
218     KRB5_KU_PA_SERVER_REFERRAL = 26,
219     /* Keyusage for the server referral in a TGS req */
220     KRB5_KU_SAM_ENC_NONCE_SAD = 27,
221     /* Encryption of the SAM-NONCE-OR-SAD field */
222     KRB5_KU_DIGEST_ENCRYPT = -18,
223     /* Encryption key usage used in the digest encryption field */
224     KRB5_KU_DIGEST_OPAQUE = -19,
225     /* Checksum key usage used in the digest opaque field */
226     KRB5_KU_KRB5SIGNEDPATH = -21,
227     /* Checksum key usage on KRB5SignedPath */
228     KRB5_KU_CANONICALIZED_NAMES = -23
229     /* Checksum key usage on PA-CANONICALIZED */
230 } krb5_key_usage;
231 
232 typedef krb5_key_usage krb5_keyusage;
233 
234 typedef enum krb5_salttype {
235     KRB5_PW_SALT = KRB5_PADATA_PW_SALT,
236     KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT
237 }krb5_salttype;
238 
239 typedef struct krb5_salt {
240     krb5_salttype salttype;
241     krb5_data saltvalue;
242 } krb5_salt;
243 
244 typedef ETYPE_INFO krb5_preauthinfo;
245 
246 typedef struct {
247     krb5_preauthtype type;
248     krb5_preauthinfo info; /* list of preauthinfo for this type */
249 } krb5_preauthdata_entry;
250 
251 typedef struct krb5_preauthdata {
252     unsigned len;
253     krb5_preauthdata_entry *val;
254 }krb5_preauthdata;
255 
256 typedef enum krb5_address_type {
257     KRB5_ADDRESS_INET     =   2,
258     KRB5_ADDRESS_NETBIOS  =  20,
259     KRB5_ADDRESS_INET6    =  24,
260     KRB5_ADDRESS_ADDRPORT = 256,
261     KRB5_ADDRESS_IPPORT   = 257
262 } krb5_address_type;
263 
264 enum {
265   AP_OPTS_USE_SESSION_KEY = 1,
266   AP_OPTS_MUTUAL_REQUIRED = 2,
267   AP_OPTS_USE_SUBKEY = 4		/* library internal */
268 };
269 
270 typedef HostAddress krb5_address;
271 
272 typedef HostAddresses krb5_addresses;
273 
274 typedef enum krb5_keytype {
275     KEYTYPE_NULL	= 0,
276     KEYTYPE_DES		= 1,
277     KEYTYPE_DES3	= 7,
278     KEYTYPE_AES128	= 17,
279     KEYTYPE_AES256	= 18,
280     KEYTYPE_ARCFOUR	= 23,
281     KEYTYPE_ARCFOUR_56	= 24
282 } krb5_keytype;
283 
284 typedef EncryptionKey krb5_keyblock;
285 
286 typedef AP_REQ krb5_ap_req;
287 
288 struct krb5_cc_ops;
289 
290 #define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
291 
292 #define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
293 
294 #define KRB5_ACCEPT_NULL_ADDRESSES(C) 					 \
295     krb5_config_get_bool_default((C), NULL, TRUE, 			 \
296 				 "libdefaults", "accept_null_addresses", \
297 				 NULL)
298 
299 typedef void *krb5_cc_cursor;
300 
301 typedef struct krb5_ccache_data {
302     const struct krb5_cc_ops *ops;
303     krb5_data data;
304 }krb5_ccache_data;
305 
306 typedef struct krb5_ccache_data *krb5_ccache;
307 
308 typedef struct krb5_context_data *krb5_context;
309 
310 typedef Realm krb5_realm;
311 typedef const char *krb5_const_realm; /* stupid language */
312 
313 #define krb5_realm_length(r) strlen(r)
314 #define krb5_realm_data(r) (r)
315 
316 typedef Principal krb5_principal_data;
317 typedef struct Principal *krb5_principal;
318 typedef const struct Principal *krb5_const_principal;
319 
320 typedef time_t krb5_deltat;
321 typedef time_t krb5_timestamp;
322 
323 typedef struct krb5_times {
324   krb5_timestamp authtime;
325   krb5_timestamp starttime;
326   krb5_timestamp endtime;
327   krb5_timestamp renew_till;
328 } krb5_times;
329 
330 typedef union {
331     TicketFlags b;
332     krb5_flags i;
333 } krb5_ticket_flags;
334 
335 /* options for krb5_get_in_tkt() */
336 #define KDC_OPT_FORWARDABLE		(1 << 1)
337 #define KDC_OPT_FORWARDED		(1 << 2)
338 #define KDC_OPT_PROXIABLE		(1 << 3)
339 #define KDC_OPT_PROXY			(1 << 4)
340 #define KDC_OPT_ALLOW_POSTDATE		(1 << 5)
341 #define KDC_OPT_POSTDATED		(1 << 6)
342 #define KDC_OPT_RENEWABLE		(1 << 8)
343 #define KDC_OPT_REQUEST_ANONYMOUS	(1 << 14)
344 #define KDC_OPT_DISABLE_TRANSITED_CHECK	(1 << 26)
345 #define KDC_OPT_RENEWABLE_OK		(1 << 27)
346 #define KDC_OPT_ENC_TKT_IN_SKEY		(1 << 28)
347 #define KDC_OPT_RENEW			(1 << 30)
348 #define KDC_OPT_VALIDATE		(1 << 31)
349 
350 typedef union {
351     KDCOptions b;
352     krb5_flags i;
353 } krb5_kdc_flags;
354 
355 /* flags for krb5_verify_ap_req */
356 
357 #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID	(1 << 0)
358 
359 #define KRB5_GC_CACHED			(1U << 0)
360 #define KRB5_GC_USER_USER		(1U << 1)
361 #define KRB5_GC_EXPIRED_OK		(1U << 2)
362 #define KRB5_GC_NO_STORE		(1U << 3)
363 #define KRB5_GC_FORWARDABLE		(1U << 4)
364 #define KRB5_GC_NO_TRANSIT_CHECK	(1U << 5)
365 #define KRB5_GC_CONSTRAINED_DELEGATION	(1U << 6)
366 
367 /* constants for compare_creds (and cc_retrieve_cred) */
368 #define KRB5_TC_DONT_MATCH_REALM	(1U << 31)
369 #define KRB5_TC_MATCH_KEYTYPE		(1U << 30)
370 #define KRB5_TC_MATCH_KTYPE		KRB5_TC_MATCH_KEYTYPE    /* MIT name */
371 #define KRB5_TC_MATCH_SRV_NAMEONLY	(1 << 29)
372 #define KRB5_TC_MATCH_FLAGS_EXACT	(1 << 28)
373 #define KRB5_TC_MATCH_FLAGS		(1 << 27)
374 #define KRB5_TC_MATCH_TIMES_EXACT	(1 << 26)
375 #define KRB5_TC_MATCH_TIMES		(1 << 25)
376 #define KRB5_TC_MATCH_AUTHDATA		(1 << 24)
377 #define KRB5_TC_MATCH_2ND_TKT		(1 << 23)
378 #define KRB5_TC_MATCH_IS_SKEY		(1 << 22)
379 
380 typedef AuthorizationData krb5_authdata;
381 
382 typedef KRB_ERROR krb5_error;
383 
384 typedef struct krb5_creds {
385     krb5_principal client;
386     krb5_principal server;
387     krb5_keyblock session;
388     krb5_times times;
389     krb5_data ticket;
390     krb5_data second_ticket;
391     krb5_authdata authdata;
392     krb5_addresses addresses;
393     krb5_ticket_flags flags;
394 } krb5_creds;
395 
396 typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
397 
398 typedef struct krb5_cc_ops {
399     const char *prefix;
400     const char* (*get_name)(krb5_context, krb5_ccache);
401     krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *);
402     krb5_error_code (*gen_new)(krb5_context, krb5_ccache *);
403     krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal);
404     krb5_error_code (*destroy)(krb5_context, krb5_ccache);
405     krb5_error_code (*close)(krb5_context, krb5_ccache);
406     krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
407     krb5_error_code (*retrieve)(krb5_context, krb5_ccache,
408 				krb5_flags, const krb5_creds*, krb5_creds *);
409     krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
410     krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
411     krb5_error_code (*get_next)(krb5_context, krb5_ccache,
412 				krb5_cc_cursor*, krb5_creds*);
413     krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
414     krb5_error_code (*remove_cred)(krb5_context, krb5_ccache,
415 				   krb5_flags, krb5_creds*);
416     krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
417     int (*get_version)(krb5_context, krb5_ccache);
418     krb5_error_code (*get_cache_first)(krb5_context, krb5_cc_cursor *);
419     krb5_error_code (*get_cache_next)(krb5_context, krb5_cc_cursor, krb5_ccache *);
420     krb5_error_code (*end_cache_get)(krb5_context, krb5_cc_cursor);
421     krb5_error_code (*move)(krb5_context, krb5_ccache, krb5_ccache);
422     krb5_error_code (*default_name)(krb5_context, char **);
423 } krb5_cc_ops;
424 
425 struct krb5_log_facility;
426 
427 struct krb5_config_binding {
428     enum { krb5_config_string, krb5_config_list } type;
429     char *name;
430     struct krb5_config_binding *next;
431     union {
432 	char *string;
433 	struct krb5_config_binding *list;
434 	void *generic;
435     } u;
436 };
437 
438 typedef struct krb5_config_binding krb5_config_binding;
439 
440 typedef krb5_config_binding krb5_config_section;
441 
442 typedef struct krb5_ticket {
443     EncTicketPart ticket;
444     krb5_principal client;
445     krb5_principal server;
446 } krb5_ticket;
447 
448 typedef Authenticator krb5_authenticator_data;
449 
450 typedef krb5_authenticator_data *krb5_authenticator;
451 
452 struct krb5_rcache_data;
453 typedef struct krb5_rcache_data *krb5_rcache;
454 typedef Authenticator krb5_donot_replay;
455 
456 #define KRB5_STORAGE_HOST_BYTEORDER			0x01 /* old */
457 #define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS	0x02
458 #define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE		0x04
459 #define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE		0x08
460 #define KRB5_STORAGE_BYTEORDER_MASK			0x60
461 #define KRB5_STORAGE_BYTEORDER_BE			0x00 /* default */
462 #define KRB5_STORAGE_BYTEORDER_LE			0x20
463 #define KRB5_STORAGE_BYTEORDER_HOST			0x40
464 #define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER		0x80
465 
466 struct krb5_storage_data;
467 typedef struct krb5_storage_data krb5_storage;
468 
469 typedef struct krb5_keytab_entry {
470     krb5_principal principal;
471     krb5_kvno vno;
472     krb5_keyblock keyblock;
473     uint32_t timestamp;
474 } krb5_keytab_entry;
475 
476 typedef struct krb5_kt_cursor {
477     int fd;
478     krb5_storage *sp;
479     void *data;
480 } krb5_kt_cursor;
481 
482 struct krb5_keytab_data;
483 
484 typedef struct krb5_keytab_data *krb5_keytab;
485 
486 #define KRB5_KT_PREFIX_MAX_LEN	30
487 
488 struct krb5_keytab_data {
489     const char *prefix;
490     krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab);
491     krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t);
492     krb5_error_code (*close)(krb5_context, krb5_keytab);
493     krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal,
494 			   krb5_kvno, krb5_enctype, krb5_keytab_entry*);
495     krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
496     krb5_error_code (*next_entry)(krb5_context, krb5_keytab,
497 				  krb5_keytab_entry*, krb5_kt_cursor*);
498     krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
499     krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
500     krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
501     void *data;
502     int32_t version;
503 };
504 
505 typedef struct krb5_keytab_data krb5_kt_ops;
506 
507 struct krb5_keytab_key_proc_args {
508     krb5_keytab keytab;
509     krb5_principal principal;
510 };
511 
512 typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
513 
514 typedef struct krb5_replay_data {
515     krb5_timestamp timestamp;
516     int32_t usec;
517     uint32_t seq;
518 } krb5_replay_data;
519 
520 /* flags for krb5_auth_con_setflags */
521 enum {
522     KRB5_AUTH_CONTEXT_DO_TIME      		= 1,
523     KRB5_AUTH_CONTEXT_RET_TIME     		= 2,
524     KRB5_AUTH_CONTEXT_DO_SEQUENCE  		= 4,
525     KRB5_AUTH_CONTEXT_RET_SEQUENCE 		= 8,
526     KRB5_AUTH_CONTEXT_PERMIT_ALL   		= 16,
527     KRB5_AUTH_CONTEXT_USE_SUBKEY   		= 32,
528     KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED	= 64
529 };
530 
531 /* flags for krb5_auth_con_genaddrs */
532 enum {
533     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR       = 1,
534     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR  = 3,
535     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR      = 4,
536     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12
537 };
538 
539 typedef struct krb5_auth_context_data {
540     unsigned int flags;
541 
542     krb5_address *local_address;
543     krb5_address *remote_address;
544     int16_t local_port;
545     int16_t remote_port;
546     krb5_keyblock *keyblock;
547     krb5_keyblock *local_subkey;
548     krb5_keyblock *remote_subkey;
549 
550     uint32_t local_seqnumber;
551     uint32_t remote_seqnumber;
552 
553     krb5_authenticator authenticator;
554 
555     krb5_pointer i_vector;
556 
557     krb5_rcache rcache;
558 
559     krb5_keytype keytype;	/* �requested key type ? */
560     krb5_cksumtype cksumtype;	/* �requested checksum type! */
561 
562 }krb5_auth_context_data, *krb5_auth_context;
563 
564 typedef struct {
565     KDC_REP kdc_rep;
566     EncKDCRepPart enc_part;
567     KRB_ERROR error;
568 } krb5_kdc_rep;
569 
570 extern const char *heimdal_version, *heimdal_long_version;
571 
572 typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
573 typedef void (*krb5_log_close_func_t)(void*);
574 
575 typedef struct krb5_log_facility {
576     char *program;
577     int len;
578     struct facility *val;
579 } krb5_log_facility;
580 
581 typedef EncAPRepPart krb5_ap_rep_enc_part;
582 
583 #define KRB5_RECVAUTH_IGNORE_VERSION 1
584 
585 #define KRB5_SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"
586 
587 #define KRB5_TGS_NAME_SIZE (6)
588 #define KRB5_TGS_NAME ("krbtgt")
589 
590 #define KRB5_DIGEST_NAME ("digest")
591 
592 /* variables */
593 
594 extern const char *krb5_config_file;
595 extern const char *krb5_defkeyname;
596 
597 typedef enum {
598     KRB5_PROMPT_TYPE_PASSWORD		= 0x1,
599     KRB5_PROMPT_TYPE_NEW_PASSWORD	= 0x2,
600     KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3,
601     KRB5_PROMPT_TYPE_PREAUTH		= 0x4,
602     KRB5_PROMPT_TYPE_INFO		= 0x5
603 } krb5_prompt_type;
604 
605 typedef struct _krb5_prompt {
606     const char *prompt;
607     int hidden;
608     krb5_data *reply;
609     krb5_prompt_type type;
610 } krb5_prompt;
611 
612 typedef int (*krb5_prompter_fct)(krb5_context /*context*/,
613 				 void * /*data*/,
614 				 const char * /*name*/,
615 				 const char * /*banner*/,
616 				 int /*num_prompts*/,
617 				 krb5_prompt /*prompts*/[]);
618 typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/,
619 					 krb5_enctype /*type*/,
620 					 krb5_salt /*salt*/,
621 					 krb5_const_pointer /*keyseed*/,
622 					 krb5_keyblock ** /*key*/);
623 typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/,
624 					     krb5_keyblock * /*key*/,
625 					     krb5_key_usage /*usage*/,
626 					     krb5_const_pointer /*decrypt_arg*/,
627 					     krb5_kdc_rep * /*dec_rep*/);
628 typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/,
629 					 krb5_enctype /*type*/,
630 					 krb5_const_pointer /*keyseed*/,
631 					 krb5_salt /*salt*/,
632 					 krb5_data * /*s2kparms*/,
633 					 krb5_keyblock ** /*key*/);
634 
635 struct _krb5_get_init_creds_opt_private;
636 
637 typedef struct _krb5_get_init_creds_opt {
638     krb5_flags flags;
639     krb5_deltat tkt_life;
640     krb5_deltat renew_life;
641     int forwardable;
642     int proxiable;
643     int anonymous;
644     krb5_enctype *etype_list;
645     int etype_list_length;
646     krb5_addresses *address_list;
647     /* XXX the next three should not be used, as they may be
648        removed later */
649     krb5_preauthtype *preauth_list;
650     int preauth_list_length;
651     krb5_data *salt;
652     struct _krb5_get_init_creds_opt_private *opt_private;
653 } krb5_get_init_creds_opt;
654 
655 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
656 #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE	0x0002
657 #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE	0x0004
658 #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE	0x0008
659 #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST	0x0010
660 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
661 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
662 #define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
663 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS	0x0100
664 #define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK	0x0200
665 
666 typedef struct _krb5_verify_init_creds_opt {
667     krb5_flags flags;
668     int ap_req_nofail;
669 } krb5_verify_init_creds_opt;
670 
671 #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL	0x0001
672 
673 typedef struct krb5_verify_opt {
674     unsigned int flags;
675     krb5_ccache ccache;
676     krb5_keytab keytab;
677     krb5_boolean secure;
678     const char *service;
679 } krb5_verify_opt;
680 
681 #define KRB5_VERIFY_LREALMS		1
682 #define KRB5_VERIFY_NO_ADDRESSES	2
683 
684 extern const krb5_cc_ops krb5_acc_ops;
685 extern const krb5_cc_ops krb5_fcc_ops;
686 extern const krb5_cc_ops krb5_mcc_ops;
687 extern const krb5_cc_ops krb5_kcm_ops;
688 
689 extern const krb5_kt_ops krb5_fkt_ops;
690 extern const krb5_kt_ops krb5_wrfkt_ops;
691 extern const krb5_kt_ops krb5_javakt_ops;
692 extern const krb5_kt_ops krb5_mkt_ops;
693 extern const krb5_kt_ops krb5_akf_ops;
694 extern const krb5_kt_ops krb4_fkt_ops;
695 extern const krb5_kt_ops krb5_srvtab_fkt_ops;
696 extern const krb5_kt_ops krb5_any_ops;
697 
698 #define KRB5_KPASSWD_VERS_CHANGEPW      1
699 #define KRB5_KPASSWD_VERS_SETPW         0xff80
700 
701 #define KRB5_KPASSWD_SUCCESS	0
702 #define KRB5_KPASSWD_MALFORMED	1
703 #define KRB5_KPASSWD_HARDERROR	2
704 #define KRB5_KPASSWD_AUTHERROR	3
705 #define KRB5_KPASSWD_SOFTERROR	4
706 #define KRB5_KPASSWD_ACCESSDENIED 5
707 #define KRB5_KPASSWD_BAD_VERSION 6
708 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
709 
710 #define KPASSWD_PORT 464
711 
712 /* types for the new krbhst interface */
713 struct krb5_krbhst_data;
714 typedef struct krb5_krbhst_data *krb5_krbhst_handle;
715 
716 #define KRB5_KRBHST_KDC		1
717 #define KRB5_KRBHST_ADMIN	2
718 #define KRB5_KRBHST_CHANGEPW	3
719 #define KRB5_KRBHST_KRB524	4
720 #define KRB5_KRBHST_KCA		5
721 
722 typedef struct krb5_krbhst_info {
723     enum { KRB5_KRBHST_UDP,
724 	   KRB5_KRBHST_TCP,
725 	   KRB5_KRBHST_HTTP } proto;
726     unsigned short port;
727     unsigned short def_port;
728     struct addrinfo *ai;
729     struct krb5_krbhst_info *next;
730     char hostname[1]; /* has to come last */
731 } krb5_krbhst_info;
732 
733 /* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */
734 enum {
735     KRB5_KRBHST_FLAGS_MASTER      = 1,
736     KRB5_KRBHST_FLAGS_LARGE_MSG	  = 2
737 };
738 
739 typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context,
740 						 void *,
741 						 krb5_krbhst_info *,
742 						 const krb5_data *,
743 						 krb5_data *);
744 
745 /* flags for krb5_parse_name_flags */
746 enum {
747     KRB5_PRINCIPAL_PARSE_NO_REALM = 1,
748     KRB5_PRINCIPAL_PARSE_MUST_REALM = 2,
749     KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4
750 };
751 
752 /* flags for krb5_unparse_name_flags */
753 enum {
754     KRB5_PRINCIPAL_UNPARSE_SHORT = 1,
755     KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2,
756     KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4
757 };
758 
759 typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx;
760 
761 #define KRB5_SENDTO_DONE	0
762 #define KRB5_SENDTO_RESTART	1
763 #define KRB5_SENDTO_CONTINUE	2
764 
765 typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
766 
767 struct krb5_plugin;
768 enum krb5_plugin_type {
769     PLUGIN_TYPE_DATA = 1,
770     PLUGIN_TYPE_FUNC
771 };
772 
773 struct credentials; /* this is to keep the compiler happy */
774 struct getargs;
775 struct sockaddr;
776 
777 #include <krb5-protos.h>
778 
779 #endif /* __KRB5_H__ */
780 
781