krb5_rd_priv()--Process Kerberos KRB_PRIV Message


  Syntax
   #include <krb5.h>

   krb5_error_code krb5_rd_priv(
       krb5_context           context,
       krb5_auth_context      auth_context,
       krb5_const krb5_data * in_data,
       krb5_data *            out_data,
       krb5_replay_data *     replay_data);
  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Conditional. See Usage Notes.

The krb5_rd_priv() function processes a Kerberos KRB_PRIV message and extracts the application data after verifying its integrity. If timestamps are being used, the message is stored in the replay cache associated with the authentication context.


Authorities

No authorities are required.


Parameters

context  (Input)
The Kerberos context.

auth_context  (Input/Output)
The authentication context.

in_data  (Input)
The buffer containing the KRB_PRIV message.

out_data  (Output)
The application data. The krb5_free_data_contents() routine should be called to release the storage pointed to by the data field of the krb5_data structure when it is no longer needed.

replay_data  (Output)
Replay information returned to the caller. This parameter is required if the KRB5_AUTH_CONTEXT_RET_TIME (x'00000002') or KRB5_AUTH_CONTEXT_RET_SEQUENCE (x'00000008') flag is set in the authentication context. Otherwise, NULL may be specified for this parameter.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.


Error Messages

  Message ID   Error Message Text
  CPE3418 E    Possible APAR condition or hardware failure.


Usage Notes

  1. The keyblock used for decrypting data and verifying message integrity is obtained from the authentication context. The local_subkey, remote_subkey, and keyblock are checked in that order, and the first non-NULL one is used. If the initialization vector in the authentication context has been set, it is used to initialize the decryption (if the encryption type supports initialization), and on return its contents are replaced with the last block of encrypted data in the message. Use the krb5_auth_con_setivector() routine or the krb5_auth_con_initvector() routine to modify the initial vector in the authentication context.

  2. The remote address in the authentication context must be present. It specifies the address of the sender. Use the krb5_auth_con_genaddrs() routine or the krb5_auth_con_setaddrs() routine to set the remote address. If the port number was set in the authentication context used for the krb5_mk_priv() routine, then the port number also must be set in the authentication context used for the krb5_rd_priv() routine. An error is returned if the address or port in the message does not match the remote address or port in the authentication context.

  3. The local address in the authentication context is optional. If it is present, then it must match the receiver address in the message. Otherwise, the receiver address in the message must match one of the local addresses returned by the krb5_os_localaddr() routine. If the port number was set in the authentication context used for the krb5_mk_priv() routine, then both the local address and the local port must be set in the authentication context used for the krb5_rd_priv() routine. Use the krb5_auth_con_genaddrs() routine or a combination of the krb5_auth_con_setaddrs() and krb5_auth_con_setports() routines to set the local address and local port in the authentication context.

  4. Use the krb5_auth_con_setrcache() routine to set the replay cache in the authentication context.

  5. If timestamps are being used (KRB5_AUTH_CONTEXT_DO_TIME (x'00000001') is set in the authentication context), the timestamp in the message must be within the Kerberos clock skew for the current time. In addition, the message must not be found in the replay cache obtained from the authentication context. Use the krb5_auth_con_setflags() routine to set the KRB5_AUTH_CONTEXT_DO_TIME flag.

  6. If message sequence numbers are being used (KRB5_AUTH_CONTEXT_DO_SEQUENCE is set in the authentication context), the remote sequence number in the authentication context must match the sequence number in the message. Use the krb5_auth_con_setflags() routine to set the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag.

  7. The Kerberos protocol runtime provides no concurrency control for the authentication context. If the application wants to use the same authentication context in multiple threads, it is the responsibility of the application to serialize access to the authentication context so that only a single thread is accessing the authentication context at any time. Because message sequence numbers are contained in the authentication context, this serialization needs to be extended to encompass the message exchange between the two applications. Otherwise, message sequence errors are liable to occur if the messages are delivered out of sequence.


API introduced: V5R1
