xref: /freebsd/crypto/krb5/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1krb5_rd_req -  Parse and decrypt a KRB_AP_REQ message.
2=======================================================
3
4..
5
6.. c:function:: krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket)
7
8..
9
10
11:param:
12
13	          **[in]** **context** - Library context
14
15	          **[inout]** **auth_context** - Pre-existing or newly created auth context
16
17	          **[in]** **inbuf** - AP-REQ message to be parsed
18
19	          **[in]** **server** - Matching principal for server, or NULL to allow any principal in keytab
20
21	          **[in]** **keytab** - Key table, or NULL to use the default
22
23	          **[out]** **ap_req_options** - If non-null, the AP-REQ flags on output
24
25	          **[out]** **ticket** - If non-null, ticket from the AP-REQ message
26
27
28..
29
30
31:retval:
32         -   0   Success; otherwise - Kerberos error codes
33
34
35..
36
37
38
39
40
41
42
43This function parses, decrypts and verifies a AP-REQ message from *inbuf* and stores the authenticator in *auth_context* .
44
45
46
47If a keyblock was specified in *auth_context* using krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in AP-REQ message and *keytab* is ignored. In this case, *server* should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.
48
49
50
51Otherwise, the decryption key is obtained from *keytab* , or from the default keytab if it is NULL. In this case, *server* may be a complete principal name, a matching principal (see krb5_sname_match()), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:
52
53
54
55
56
57	 - If *server* is a complete principal name, then its entry in *keytab* is tried.
58
59
60	 - Otherwise, if *keytab* is iterable, then all entries in *keytab* which match *server* are tried.
61
62
63	 - Otherwise, the server principal in the ticket must match *server* , and its entry in *keytab* is tried.
64
65
66
67
68
69The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.
70
71
72
73If the *remote_addr* field of *auth_context* is set, the request must come from that address.
74
75
76
77If a replay cache handle is provided in the *auth_context* , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of *auth_context* .
78
79
80
81Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.
82
83
84
85On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context* . If the #AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.
86
87
88
89Use krb5_free_ticket() to free *ticket* when it is no longer needed.
90
91
92
93
94
95
96
97
98
99
100..
101
102
103
104
105
106