xref: /freebsd/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1krb5_mk_safe -  Format a KRB-SAFE message.
2===========================================
3
4..
5
6.. c:function:: krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out)
7
8..
9
10
11:param:
12
13	          **[in]** **context** - Library context
14
15	          **[in]** **auth_context** - Authentication context
16
17	          **[in]** **userdata** - User data in the message
18
19	          **[out]** **der_out** - Formatted **KRB-SAFE** buffer
20
21	          **[out]** **rdata_out** - Replay data. Specify NULL if not needed
22
23
24..
25
26
27:retval:
28         -   0   Success; otherwise - Kerberos error codes
29
30
31..
32
33
34
35
36
37
38
39This function creates an integrity protected **KRB-SAFE** message using data supplied by the application.
40
41
42
43Fields in *auth_context* specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5_AUTH_CONTEXT flags.
44
45
46
47The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.
48
49
50
51If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-SAFE message and is stored in *rdata_out* .
52
53
54
55If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* .
56
57
58
59Use krb5_free_data_contents() to free *der_out* when it is no longer needed.
60
61
62
63
64
65
66
67
68
69
70..
71
72
73
74
75
76
77.. note::
78
79	 The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .
80
81
82
83
84