krb5_sendauth()--Send an Authentication Message Stream


  Syntax
 #include <krb5.h>

 krb5_error_code krb5_sendauth(
     krb5_context             context,
     krb5_auth_context *      auth_context,
     krb5_pointer             socket,
     char *                   appl_version,
     krb5_principal           client,
     krb5_principal           server,
     krb5_int32               ap_req_options,
     krb5_data *              appl_data,
     krb5_creds *             in_creds,
     krb5_ccache              ccache,
     krb5_error **            error,
     krb5_ap_rep_enc_part **  rep_result,
     krb5_creds **            out_creds);

  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_sendauth() function generates an authentication message stream for processing by the krb5_recvauth() routine. It sends the authentication message and receives the authentication response using the socket descriptor supplied by the application. The application is responsible for establishing the connection before calling the krb5_sendauth() routine. The krb5_sendauth() routine generates an AP_REQ message. The checksum of the application data is included in the authenticator, which is part of the AP_REQ message. This message is then sent to the partner application, which calls the krb5_recvauth() routine to validate the authenticity of the message. The checksum method set in the authentication context is used to generate the checksum.


Authorities

None.


Parameters

context  (Input)
The Kerberos context.

auth_context  (Input/Output)
The authentication context. A new authentication context will be created and returned in this parameter if the value is NULL.

socket  (Input)
The address of a socket descriptor. This descriptor must represent a TCP stream connection and not a UDP datagram connection.

appl_version  (Input)
The application version message. An error will be returned if this application version message does not match the application version message supplied by the receiver. The supplied application version message will be converted to the network code page before being sent to the partner application.

client  (Input)
The client name. This parameter is ignored if a non-NULL value is supplied for the 'in_creds' parameter. The client name is obtained from the credentials cache if this parameter is NULL.

server  (Input)
The server name. This parameter is ignored if a non-NULL value is provided for the 'in_creds' parameter.

ap_req_options  (Input)
Request options as follows:

  AP_OPTS_USE_SESSION_KEY   Use session key instead of server key for the service ticket. The credentials must include a ticket which is encrypted in the session key.
  AP_OPTS_MUTUAL_REQUIRED   Mutual authentication required.
  AP_OPTS_USE_SUBKEY        Generate a subsession key from the current session key obtained from the credentials.

appl_data  (Input)
The application data whose checksum is to be included in the authenticator. Specify NULL for this parameter if no checksum is to be included in the authenticator.

in_creds  (Input)
The credentials for the specified service. The 'client' and 'server' parameters are ignored if a non-NULL value is provided for the 'in_creds' parameter. In this case, the client and server names must be set in the input credentials. The service ticket may be supplied as part of the input credentials by setting a non-zero ticket length value. If the service ticket is not supplied as part of the input credentials, the Kerberos runtime will obtain a service ticket using the ticket-granting ticket retrieved from the credentials cache.

When the Kerberos runtime obtains the service ticket, additional fields are checked in the input credentials. The second_ticket field must be set if the service ticket is to be encrypted in a session key. The ticket expiration time can be set to override the default expiration time. The key encryption type can be set to override the default ticket encryption type.

ccache  (Input)
The credentials cache which is to be used to obtain credentials to the desired service. The credentials cache is not used when the service ticket is supplied as part of the input credentials. The default credentials cache will be used if this parameter is NULL.

error  (Output)
The KRB_ERROR message returned if an authentication error is reported by the partner application. The krb5_free_error() routine should be called to release the error message when it is no longer needed. Specify NULL for this parameter if the error message is not needed.

rep_result  (Output)
The decrypted reply data returned from the AP_REP message. The krb5_free_ap_rep_enc_part() routine should be called to release the reply data when it is no longer needed. Specify NULL for this parameter if the reply data is not needed. A reply is available only if AP_OPTS_MUTUAL_REQUIRED is specified in the request options.

out_creds  (Output)
The service ticket returned. The krb5_free_creds() routine should be called to release the credentials when they are no longer needed. Specify NULL for this parameter if the service ticket is not needed.
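
The 'socket' parameter must refer to an already connected TCP stream, and the application is responsible for establishing that connection. The following pre-flight check is an added example, not IBM's code: sendauth_socket_check() and its result codes are hypothetical names, and it assumes the POSIX sockets API. An application could run it on its descriptor before passing the descriptor's address to krb5_sendauth().

```c
/* Added example: validate a descriptor before handing it to krb5_sendauth(). */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical result codes; not part of the Kerberos API. */
enum sock_check {
    SOCK_CHECK_OK = 0,        /* connected TCP stream */
    SOCK_CHECK_BAD_FD,        /* not a usable socket descriptor */
    SOCK_CHECK_NOT_STREAM,    /* e.g. a UDP datagram socket */
    SOCK_CHECK_NOT_CONNECTED, /* connection not established yet */
    SOCK_CHECK_NOT_INET       /* stream socket, but not IPv4/IPv6 */
};

enum sock_check sendauth_socket_check(int fd)
{
    int type = 0;
    socklen_t len = sizeof type;
    struct sockaddr_storage peer;

    /* SO_TYPE distinguishes stream sockets from datagram sockets. */
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return SOCK_CHECK_BAD_FD;
    if (type != SOCK_STREAM)
        return SOCK_CHECK_NOT_STREAM;

    /* getpeername() fails until the connection has been established. */
    memset(&peer, 0, sizeof peer);
    len = sizeof peer;
    if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0)
        return SOCK_CHECK_NOT_CONNECTED;
    if (peer.ss_family != AF_INET && peer.ss_family != AF_INET6)
        return SOCK_CHECK_NOT_INET;
    return SOCK_CHECK_OK;
}

int main(void)
{
    /* Constructed input: a UDP socket, which krb5_sendauth() must not be given. */
    int udp = socket(AF_INET, SOCK_DGRAM, 0);
    printf("UDP socket check result: %d\n", sendauth_socket_check(udp));
    if (udp >= 0)
        close(udp);
    return 0;
}
```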


Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.


Error Messages

Message ID    Error Message Text
CPE3418 E     Possible APAR condition or hardware failure.




API introduced: V5R2
