path: root/crypto/krb5/doc/html/appdev/refs/api/krb5_rd_req.html
<!DOCTYPE html>

<html lang="en" data-content_root="../../../">
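  <head>
    <meta charset="utf-8" />
    <!-- One viewport declaration only; a second, duplicate <meta name="viewport"> is redundant. -->
    <meta name="viewport" content="width=device-width, initial-scale=1" />

    <title>krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. &#8212; MIT Kerberos Documentation</title>
    <!-- Stylesheets and scripts are loaded from the documentation's own _static directory via relative URLs. -->
    <link rel="stylesheet" type="text/css" href="../../../_static/pygments.css?v=fa44fd50" />
    <link rel="stylesheet" type="text/css" href="../../../_static/agogo.css?v=879f3c71" />
    <link rel="stylesheet" type="text/css" href="../../../_static/kerb.css?v=6a0b3979" />
    <script src="../../../_static/documentation_options.js?v=236fef3b"></script>
    <script src="../../../_static/doctools.js?v=888ff710"></script>
    <script src="../../../_static/sphinx_highlight.js?v=dc90522c"></script>
    <!-- Document relations: about, index, search, copyright, and the next/previous API pages. -->
    <link rel="author" title="About these documents" href="../../../about.html" />
    <link rel="index" title="Index" href="../../../genindex.html" />
    <link rel="search" title="Search" href="../../../search.html" />
    <link rel="copyright" title="Copyright" href="../../../copyright.html" />
    <link rel="next" title="krb5_rd_safe - Process KRB-SAFE message." href="krb5_rd_safe.html" />
    <link rel="prev" title="krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC." href="krb5_rd_rep_dce.html" /> 
  </head><body>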
    <div class="header-wrapper">
        <div class="header">
            
            
            <h1><a href="../../../index.html">MIT Kerberos Documentation</a></h1>
            
            <div class="rel">
                
        <a href="../../../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="krb5_rd_rep_dce.html" title="krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC."
            accesskey="P">previous</a> |
        <a href="krb5_rd_safe.html" title="krb5_rd_safe - Process KRB-SAFE message."
            accesskey="N">next</a> |
        <a href="../../../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../../../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">
            
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <section id="krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message">
<h1>krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.<a class="headerlink" href="#krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message" title="Link to this heading"></a></h1>
<dl class="c function">
<dt class="sig sig-object c" id="c.krb5_rd_req">
<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code"><span class="n"><span class="pre">krb5_error_code</span></span></a><span class="w"> </span><span class="sig-name descname"><span class="n"><span class="pre">krb5_rd_req</span></span></span><span class="sig-paren">(</span><a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context"><span class="n"><span class="pre">krb5_context</span></span></a><span class="w"> </span><span class="n"><span class="pre">context</span></span>, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context"><span class="n"><span class="pre">krb5_auth_context</span></span></a><span class="w"> </span><span class="p"><span class="pre">*</span></span><span class="n"><span class="pre">auth_context</span></span>, <span class="k"><span class="pre">const</span></span><span class="w"> </span><a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data"><span class="n"><span class="pre">krb5_data</span></span></a><span class="w"> </span><span class="p"><span class="pre">*</span></span><span class="n"><span class="pre">inbuf</span></span>, <a class="reference internal" href="../types/krb5_const_principal.html#c.krb5_const_principal" title="krb5_const_principal"><span class="n"><span class="pre">krb5_const_principal</span></span></a><span class="w"> </span><span class="n"><span class="pre">server</span></span>, <a class="reference internal" href="../types/krb5_keytab.html#c.krb5_keytab" title="krb5_keytab"><span class="n"><span class="pre">krb5_keytab</span></span></a><span class="w"> </span><span class="n"><span class="pre">keytab</span></span>, <a class="reference internal" href="../types/krb5_flags.html#c.krb5_flags" title="krb5_flags"><span class="n"><span class="pre">krb5_flags</span></span></a><span class="w"> </span><span class="p"><span 
class="pre">*</span></span><span class="n"><span class="pre">ap_req_options</span></span>, <a class="reference internal" href="../types/krb5_ticket.html#c.krb5_ticket" title="krb5_ticket"><span class="n"><span class="pre">krb5_ticket</span></span></a><span class="w"> </span><span class="p"><span class="pre">*</span></span><span class="p"><span class="pre">*</span></span><span class="n"><span class="pre">ticket</span></span><span class="sig-paren">)</span><a class="headerlink" href="#c.krb5_rd_req" title="Link to this definition"></a><br /></dt>
<dd></dd></dl>

<dl class="field-list">
<dt class="field-odd">param<span class="colon">:</span></dt>
<dd class="field-odd"><p><strong>[in]</strong> <strong>context</strong> - Library context</p>
<p><strong>[inout]</strong> <strong>auth_context</strong> - Pre-existing or newly created auth context</p>
<p><strong>[in]</strong> <strong>inbuf</strong> - AP-REQ message to be parsed</p>
<p><strong>[in]</strong> <strong>server</strong> - Matching principal for server, or NULL to allow any principal in keytab</p>
<p><strong>[in]</strong> <strong>keytab</strong> - Key table, or NULL to use the default</p>
<p><strong>[out]</strong> <strong>ap_req_options</strong> - If non-null, the AP-REQ flags on output</p>
<p><strong>[out]</strong> <strong>ticket</strong> - If non-null, ticket from the AP-REQ message</p>
</dd>
</dl>
<dl class="field-list simple">
<dt class="field-odd">retval<span class="colon">:</span></dt>
<dd class="field-odd"><ul class="simple">
<li><p>0   Success; otherwise - Kerberos error codes</p></li>
</ul>
</dd>
</dl>
<p>This function parses, decrypts and verifies an AP-REQ message from <em>inbuf</em> and stores the authenticator in <em>auth_context</em>.</p>
<p>If a keyblock was specified in <em>auth_context</em> using krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in the AP-REQ message and <em>keytab</em> is ignored. In this case, <em>server</em> should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.</p>
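<p>Otherwise, the decryption key is obtained from <em>keytab</em>, or from the default keytab if <em>keytab</em> is NULL. In this case, <em>server</em> may be a complete principal name, a matching principal (see krb5_sname_match()), or NULL to match any principal name. With a matching principal or NULL, the request is accepted under whichever matching <em>keytab</em> entry decrypts the ticket, so the keytab should hold only keys for services the application intends to accept. The keys tried against the encrypted part of the ticket are determined as follows:</p>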
<blockquote>
<div><ul class="simple">
<li><p>If <em>server</em> is a complete principal name, then its entry in <em>keytab</em> is tried.</p></li>
<li><p>Otherwise, if <em>keytab</em> is iterable, then all entries in <em>keytab</em> which match <em>server</em> are tried.</p></li>
<li><p>Otherwise, the server principal in the ticket must match <em>server</em>, and its entry in <em>keytab</em> is tried.</p></li>
</ul>
</div></blockquote>
<p>The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.</p>
<p>If the <em>remote_addr</em> field of <em>auth_context</em> is set, the request must come from that address.</p>
<p>If a replay cache handle is provided in the <em>auth_context</em>, the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of <em>auth_context</em>.</p>
<p>Various other checks are performed on the decoded data, including cross-realm policy, clock skew, and ticket validation times.</p>
<p>On success the authenticator, subkey, and remote sequence number of the request are stored in <em>auth_context</em>. If the AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.</p>
<p>Use krb5_free_ticket() to free <em>ticket</em> when it is no longer needed.</p>
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">
          
    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.</a></li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../admin/index.html">For administrators</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../index.html">For application developers</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../../gssapi.html">Developing with GSSAPI</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../y2038.html">Year 2038 considerations for uses of krb5_timestamp</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../h5l_mit_apidiff.html">Differences between Heimdal and MIT Kerberos API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../init_creds.html">Initial credentials</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../princ_handle.html">Principal manipulation and parsing</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="../index.html">Complete reference - API and datatypes</a><ul class="current">
<li class="toctree-l3 current"><a class="reference internal" href="index.html">krb5 API</a></li>
<li class="toctree-l3"><a class="reference internal" href="../types/index.html">krb5 types and structures</a></li>
<li class="toctree-l3"><a class="reference internal" href="../macros/index.html">krb5 simple macros</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../../../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
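    <!-- Site search: submits the query as "q" via GET to search.html. The text
         box has no visible <label>, so aria-label supplies its accessible name. -->
    <form class="search" action="../../../search.html" method="get">
      <input type="text" name="q" size="18" aria-label="Search" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>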

        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.22-final</i><br />
                &copy; <a href="../../../copyright.html">Copyright</a> 1985-2025, MIT.
            </div>
            <div class="left">
                
        <a href="../../../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="krb5_rd_rep_dce.html" title="krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC."
            >previous</a> |
        <a href="krb5_rd_safe.html" title="krb5_rd_safe - Process KRB-SAFE message."
            >next</a> |
        <a href="../../../genindex.html" title="General Index"
            >index</a> |
        <a href="../../../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>