xref: /freebsd/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.
========================================================================

..

.. c:function:: krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** creds, krb5_data ** der_out, krb5_replay_data * rdata_out)

..

:param:

	          **[in]** **context** - Library context

	          **[in]** **auth_context** - Authentication context

	          **[in]** **creds** - Null-terminated array of credentials

	          **[out]** **der_out** - Encoded credentials

	          **[out]** **rdata_out** - Replay cache information (NULL if not needed)

..

:retval:
         -   0   Success
         -   ENOMEM   Insufficient memory
         -   KRB5_RC_REQUIRED   Message replay detection requires rcache parameter

:return:
         -  Kerberos error codes

..

This function takes an array of credentials *creds* and formats a **KRB-CRED** message *der_out* to pass to krb5_rd_cred().

The local and remote addresses in *auth_context* are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context*, an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context*, the timestamp used for the KRB-CRED message is stored in *rdata_out*.

If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out*.

Use krb5_free_data_contents() to free *der_out* when it is no longer needed.

The message will be encrypted using the send subkey of *auth_context* if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case.

..

.. note::

	 The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context*.
