krb5_mk_req_extended()--Create Kerberos AP_REQ Message Using Supplied Credentials


  Syntax 
 #include <krb5.h>

 krb5_error_code krb5_mk_req_extended(
     krb5_context       context,
     krb5_auth_context *    auth_context,
     krb5_const krb5_flags    ap_req_options,  
     krb5_data *      in_data,
     krb5_creds *     in_creds,
     krb5_data *      out_data);
  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Conditional. See Usage notes.

The krb5_mk_req_extended() function creates a Kerberos AP_REQ message using supplied credentials. It is similar to the krb5_mk_req() routine, but the caller passes the actual credentials as a parameter rather than letting the Kerberos runtime construct the credentials. The checksum of the input data is included in the authenticator that is part of the AP_REQ message. This message is then sent to the partner application, which calls the krb5_rd_req() routine to extract the application data after validating the authenticity of the message. The checksum method set in the authentication context is used to generate the checksum.


Authorities

No authorities are required.


Parameters

context  (Input)
The Kerberos context.

auth_context  (Input/Output)
The authentication context. A new authentication context is created and returned in this parameter if the value is NULL.

ap_req_options  (Input)
The request options as follows:
AP_OPTS_USE_SESSION_KEY (x'40000000') Use session key instead of server key. The credentials must include a ticket that is encrypted in the session key.
AP_OPTS_MUTUAL_REQUIRED (x'20000000') Mutual authentication required.
AP_OPTS_USE_SUBKEY (x'00000001') Generate a subsession key from the current session key obtained from the credentials.

in_data  (Input)
The application data's checksum that is to be included in the authenticator.

in_creds  (Input)
The credentials for the specified service.

out_data  (Output)
The AP_REQ message. The krb5_free_data_contents() routine should be called to release the storage pointed to by the data field of the krb5_data structure when it is no longer needed.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.


Error Messages

Message ID Error Message Text
CPE3418 E Possible APAR condition or hardware failure.


Usage Notes

  1. The Kerberos protocol runtime provides no concurrency control for the authentication context. If the application wants to use the same authentication context in multiple threads, it is the responsibility of the application to serialize access to the authentication context so that only a single thread is accessing the authentication context at any time. Because message sequence numbers are contained in the authentication context, this serialization needs to be extended to encompass the message exchange between the two applications. Otherwise, message sequence errors are liable to occur if the messages are delivered out of sequence.

API introduced: V5R1

[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]