krb5_recvauth()--Process an Authentication Message Stream


  Syntax
 #include <krb5.h>

 krb5_error_code krb5_recvauth(
     krb5_context        context,
     krb5_auth_context * auth_context,
     krb5_pointer        socket,
     char *              appl_version,
     krb5_principal      server,
     krb5_int32          flags,
     krb5_keytab         keytab,
     krb5_ticket **      ticket);
  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_recvauth() function processes an authentication message stream generated by the krb5_sendauth() routine. It receives the authentication message and sends the authentication response using the socket descriptor supplied by the application. The application is responsible for establishing the connection before calling the krb5_recvauth() routine.

The krb5_recvauth() routine processes an AP_REQ message generated by the partner application. The authenticator is extracted, validated, and stored in the authentication context. If the server parameter is not NULL and no replay cache is associated with the authentication context, the Kerberos runtime creates a replay cache and stores the cache handle in the authentication context.


Authorities

None.


Parameters

context  (Input)
The Kerberos context.

auth_context  (Input/Output)
The authentication context. A new authentication context will be created and returned in this parameter if the value is NULL.

socket  (Input)
The address of a socket descriptor. This descriptor must represent a TCP stream connection and not a UDP datagram connection.

appl_version  (Input)
The application version message. An error is returned if this application version message does not match the application version message supplied by the sender. Specify NULL for this parameter if the application version message does not need to be verified. The supplied application version message is converted to the network code page before it is compared with the sender's application version message.

server  (Input)
The server name. The server principal in the AP_REQ must be the same as the principal specified by this parameter. Specify NULL if any server principal is acceptable.

flags  (Input)
Specifies flags for the krb5_recvauth() routine. There are currently no defined flags.

keytab  (Input)
The key table which contains the server key. The default key table will be used if NULL is specified for this parameter.

ticket  (Output)
The ticket returned from the AP_REQ message. Specify NULL for this parameter if the ticket is not needed. The krb5_free_ticket() routine should be called to release the ticket when it is no longer needed.


Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.


Error Messages

Message ID    Error Message Text
CPE3418 E     Possible APAR condition or hardware failure.


Usage Notes

  1. If the authentication context contains a keyblock, it will be used to decrypt the ticket in the AP_REQ message. This is useful for user-to-user authentication. If the authentication context does not contain a keyblock, the key table specified on the function call will be used to obtain the decryption key.
  2. The client in the authenticator must match the client in the ticket. If the remote address is set in the authentication context, the address list in the ticket must either include that address or must be a null list. If a replay cache handle is stored in the authentication context, the new authenticator is stored in the cache after checking for replay.
  3. If no errors are detected, the authenticator, subsession key, and remote sequence number are stored in the authentication context. If AP_OPTS_MUTUAL_REQUIRED is specified in the AP_REQ message, the local sequence number is XORed with the remote sequence number.


API introduced: V5R2
