Diffstat (limited to 'doc/html/_sources/appdev')
-rw-r--r-- doc/html/_sources/appdev/gssapi.txt 19
-rw-r--r-- doc/html/_sources/appdev/index.txt 1
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt 15
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt 2
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt 2
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt 4
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt 4
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt 2
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt 4
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_mk_req.txt 2
-rw-r--r-- doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt 2
-rw-r--r-- doc/html/_sources/appdev/refs/types/krb5_timestamp.txt 3
-rw-r--r-- doc/html/_sources/appdev/y2038.txt 28
13 files changed, 75 insertions, 13 deletions
diff --git a/doc/html/_sources/appdev/gssapi.txt b/doc/html/_sources/appdev/gssapi.txt
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/html/_sources/appdev/gssapi.txt
+++ b/doc/html/_sources/appdev/gssapi.txt
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service. The GSSAPI
library will then use this ticket to authenticate to the target
service.
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+ OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ gss_OID desired_object,
+ gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service. If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set. If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
AEAD message wrapping
---------------------
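Review bot: The paragraph after the prototype says what *data_set* holds on success but not who owns it; please state whether the caller releases it with gss_release_buffer_set, and whether that also applies to the empty set returned for a non-proxy credential. It would also help to say explicitly that **GSS_S_UNAVAILABLE** means the question was not answered, so a caller making a delegation decision should not fold it into the empty-set "not a proxy" result. Minor: gss_inquire_cred_by_oid is plain text in both prose mentions while the OID and status code are bolded.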
diff --git a/doc/html/_sources/appdev/index.txt b/doc/html/_sources/appdev/index.txt
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/html/_sources/appdev/index.txt
+++ b/doc/html/_sources/appdev/index.txt
@@ -5,6 +5,7 @@ For application developers
:maxdepth: 1
gssapi.rst
+ y2038.rst
h5l_mit_apidiff.rst
init_creds.rst
princ_handle.rst
diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
index 7d5bf4cf03ee..4dc9e0afb9a0 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
@@ -1,5 +1,5 @@
-krb5_auth_con_initivector
-=========================
+krb5_auth_con_initivector - Cause an auth context to use cipher state.
+========================================================================
..
@@ -10,30 +10,31 @@ krb5_auth_con_initivector
:param:
- **context**
+ **[in]** **context** - Library context
- **auth_context**
+ **[in]** **auth_context** - Authentication context
..
+:retval:
+ - 0 Success; otherwise - Kerberos error codes
-..
+..
-DEPRECATED Not replaced.
+Prepare *auth_context* to use cipher state when :c:func:`krb5_mk_priv()` or :c:func:`krb5_rd_priv()` encrypt or decrypt data.
-RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API.
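Review bot: Dropping "DEPRECATED Not replaced." and the RFC 4120 remark at the end of this hunk leaves no guidance on when the function should be used; if the deprecation is being reversed, the new description should say which callers need cipher state with krb5_mk_priv() and krb5_rd_priv(), and if it is not, the notice should stay. The added retval line "0 Success; otherwise - Kerberos error codes" also reads as one run-on entry; splitting it into a "0" entry and an "otherwise" entry would be clearer.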
diff --git a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
index a6273bbb2c75..fab6d70594f3 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
@@ -3,7 +3,7 @@ krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.
..
-.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
..
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
index 85efec065a5e..011fe47837fd 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
@@ -27,7 +27,7 @@ krb5_init_creds_free - Free an initial credentials context.
-
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
index 05c26f3759b4..291fa509269d 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
@@ -34,6 +34,10 @@ This function synchronously obtains credentials using a context created by :c:fu
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
index 6bbbeed869e4..c703124106db 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
@@ -44,6 +44,10 @@ This function creates a new context for acquiring initial credentials. Use :c:fu
+Any subsequent calls to :c:func:`krb5_init_creds_step()` , :c:func:`krb5_init_creds_get()` , or :c:func:`krb5_init_creds_free()` for this initial credentials context must use the same *context* argument as the one passed to this function.
+
+
+
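Review bot: The added sentence lists krb5_init_creds_step(), krb5_init_creds_get() and krb5_init_creds_free() as the calls that must reuse the same *context*, but krb5_init_creds_set_service, whose page is touched in this same patch, also operates on an initial credentials context and is not in the list. If the requirement applies to every krb5_init_creds_* call, say so instead of enumerating three; if it does not, a short reason would prevent readers from guessing. The three added blank lines after the sentence look unintentional.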
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
index d08ffc7d629d..67b9b5d6de0b 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
@@ -32,7 +32,7 @@ krb5_init_creds_set_service - Specify a service principal for acquiring initial
-This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
+Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
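Review bot: The replacement line begins "Thisfunction", losing the space that the removed line had in "This function", and nothing else in the sentence changes. This looks like a regression in the generated text; the source comment should be fixed and the page regenerated so the hunk either disappears or carries a real change.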
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
index c4e8a202aa53..8008e6724f1a 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
@@ -50,6 +50,10 @@ If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should tr
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
index e3a5da424a8d..695eb79399cb 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
@@ -3,7 +3,7 @@ krb5_mk_req - Create a KRB_AP_REQ message.
..
-.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
..
diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
index d9af52f770ab..338b43a1453e 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
@@ -62,7 +62,7 @@ If successful, *pac* is marked as verified.
.. note::
- A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
+ A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
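Review bot: The note still advises "not failing the whole authentication" on a checksum mismatch without saying what a caller may do with the PAC afterwards; since the text is being touched, please state that the contents of a PAC that failed verification must not be used for authorization decisions, which is what "treating the ticket as if it did not contain a PAC" implies. On the rename itself, "macOS Server Open Directory (as of 10.6)" pairs the new product name with a version number from before that name existed, so either keep the old name for that release or drop the version.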
diff --git a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
index e9263e49d1b7..dc3e9eee79ab 100644
--- a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
+++ b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
@@ -9,8 +9,9 @@ krb5_timestamp
.. c:type:: krb5_timestamp
..
+Represents a timestamp in seconds since the POSIX epoch.
-
+This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.
Declaration
------------
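Review bot: The added description says to "cast values of it to uint32_t", while the new y2038.txt in this same patch gives the full form as a cast to uint32_t and then to time_t. The two should use the same wording, and a cross-reference from this type page to the y2038 document would let readers find the condition about 64-bit time_t and the 2106 limit in one place.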
diff --git a/doc/html/_sources/appdev/y2038.txt b/doc/html/_sources/appdev/y2038.txt
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/html/_sources/appdev/y2038.txt
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038. This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values. To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+ (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type. This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times. Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
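Review bot: The paragraph following the cast says the result is valid "provided that the platform uses a 64-bit or larger time_t type" but does not say what calling code should do on a platform with a 32-bit time_t, where (time_t)(uint32_t)timestamp cannot hold the post-2038 values either. Please add a sentence stating the expected behaviour or the recommended check there. The final paragraph ties correct GSSAPI behaviour to release 1.16 or later; it would help to say the same for the libkrb5 guidance above it, or to state that the cast is safe with any release.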