krb5: Import MIT 1.21.3 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
commit	8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch)
tree	9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/appdev/refs/api/krb5_rd_req.html
parent	1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff)

Diffstat (limited to 'doc/html/appdev/refs/api/krb5_rd_req.html')

-rw-r--r--

doc/html/appdev/refs/api/krb5_rd_req.html

1 files changed, 42 insertions, 56 deletions

diff --git a/doc/html/appdev/refs/api/krb5_rd_req.html b/doc/html/appdev/refs/api/krb5_rd_req.html
index 8e7e2912af89..9f25dad04564 100644
--- a/doc/html/appdev/refs/api/krb5_rd_req.html
+++ b/doc/html/appdev/refs/api/krb5_rd_req.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../../_static/kerb.css" />

+ <script data-url_root="../../../" id="documentation_options" src="../../../_static/documentation_options.js"></script>

+ <script src="../../../_static/jquery.js"></script>

+ <script src="../../../_static/underscore.js"></script>

+ <script src="../../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,63 +52,57 @@

- <div class="section" id="krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message">

+ <section id="krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message">

<h1>krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.<a class="headerlink" href="#krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message" title="Permalink to this headline">¶</a></h1>

-<dl class="function">

-<dt id="c.krb5_rd_req">

-<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> <code class="descname">krb5_rd_req</code>(<a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a> context, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a> * auth_context, const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> * inbuf, <a class="reference internal" href="../types/krb5_const_principal.html#c.krb5_const_principal" title="krb5_const_principal">krb5_const_principal</a> server, <a class="reference internal" href="../types/krb5_keytab.html#c.krb5_keytab" title="krb5_keytab">krb5_keytab</a> keytab, <a class="reference internal" href="../types/krb5_flags.html#c.krb5_flags" title="krb5_flags">krb5_flags</a> * ap_req_options, <a class="reference internal" href="../types/krb5_ticket.html#c.krb5_ticket" title="krb5_ticket">krb5_ticket</a> ** ticket)<a class="headerlink" href="#c.krb5_rd_req" title="Permalink to this definition">¶</a></dt>

+<dl class="c function">

+<dt class="sig sig-object c" id="c.krb5_rd_req">

+<a class="reference internal" href="../types/krb5_error_code.html#c.krb5_error_code" title="krb5_error_code">krb5_error_code</a> krb5_rd_req(<a class="reference internal" href="../types/krb5_context.html#c.krb5_context" title="krb5_context">krb5_context</a> context, <a class="reference internal" href="../types/krb5_auth_context.html#c.krb5_auth_context" title="krb5_auth_context">krb5_auth_context</a> *auth_context, const <a class="reference internal" href="../types/krb5_data.html#c.krb5_data" title="krb5_data">krb5_data</a> *inbuf, <a class="reference internal" href="../types/krb5_const_principal.html#c.krb5_const_principal" title="krb5_const_principal">krb5_const_principal</a> server, <a class="reference internal" href="../types/krb5_keytab.html#c.krb5_keytab" title="krb5_keytab">krb5_keytab</a> keytab, <a class="reference internal" href="../types/krb5_flags.html#c.krb5_flags" title="krb5_flags">krb5_flags</a> *ap_req_options, <a class="reference internal" href="../types/krb5_ticket.html#c.krb5_ticket" title="krb5_ticket">krb5_ticket</a> **ticket)<a class="headerlink" href="#c.krb5_rd_req" title="Permalink to this definition">¶</a> </dt>

-<table class="docutils field-list" frame="void" rules="none">

-<col class="field-name" />

-<col class="field-body" />

-<tbody valign="top">

-<tr class="field-odd field"><th class="field-name">param:</th><td class="field-body">[in] context - Library context

+<dl class="field-list">

+<dt class="field-odd">param</dt>

+<dd class="field-odd">[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] inbuf - AP-REQ message to be parsed

[in] server - Matching principal for server, or NULL to allow any principal in keytab

[in] keytab - Key table, or NULL to use the default

[out] ap_req_options - If non-null, the AP-REQ flags on output

-[out] ticket - If non-null, ticket from the AP-REQ message

-</td>

-</tr>

-</tbody>

-</table>

-<table class="docutils field-list" frame="void" rules="none">

-<col class="field-name" />

-<col class="field-body" />

-<tbody valign="top">

-<tr class="field-odd field"><th class="field-name">retval:</th><td class="field-body"><ul class="first last simple">

-<li>0 Success; otherwise - Kerberos error codes</li>

+[out] ticket - If non-null, ticket from the AP-REQ message

+</dd>

+</dl>

+<dl class="field-list simple">

+<dt class="field-odd">retval</dt>

+<dd class="field-odd"><ul class="simple">

+<li>0 Success; otherwise - Kerberos error codes</li>

</ul>

-</td>

-</tr>

-</tbody>

-</table>

+</dd>

+</dl>

This function parses, decrypts and verifies a AP-REQ message from inbuf and stores the authenticator in auth_context .

-If a keyblock was specified in auth_context using <a class="reference internal" href="krb5_auth_con_setuseruserkey.html#c.krb5_auth_con_setuseruserkey" title="krb5_auth_con_setuseruserkey"><code class="xref c c-func docutils literal">krb5_auth_con_setuseruserkey()</code></a> , that key is used to decrypt the ticket in AP-REQ message and keytab is ignored. In this case, server should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

-Otherwise, the decryption key is obtained from keytab , or from the default keytab if it is NULL. In this case, server may be a complete principal name, a matching principal (see <a class="reference internal" href="krb5_sname_match.html#c.krb5_sname_match" title="krb5_sname_match"><code class="xref c c-func docutils literal">krb5_sname_match()</code></a> ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

+If a keyblock was specified in auth_context using krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in AP-REQ message and keytab is ignored. In this case, server should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

+Otherwise, the decryption key is obtained from keytab , or from the default keytab if it is NULL. In this case, server may be a complete principal name, a matching principal (see krb5_sname_match()), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

-<li>If server is a complete principal name, then its entry in keytab is tried.</li>

-<li>Otherwise, if keytab is iterable, then all entries in keytab which match server are tried.</li>

-<li>Otherwise, the server principal in the ticket must match server , and its entry in keytab is tried.</li>

+<li>If server is a complete principal name, then its entry in keytab is tried.</li>

+<li>Otherwise, if keytab is iterable, then all entries in keytab which match server are tried.</li>

+<li>Otherwise, the server principal in the ticket must match server , and its entry in keytab is tried.</li>

</ul>

</div></blockquote>

The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.

If the remote_addr field of auth_context is set, the request must come from that address.

If a replay cache handle is provided in the auth_context , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of auth_context .

Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.

-On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context . If the <a class="reference internal" href="../macros/AP_OPTS_MUTUAL_REQUIRED.html#AP_OPTS_MUTUAL_REQUIRED" title="AP_OPTS_MUTUAL_REQUIRED"><code class="xref py py-data docutils literal">AP_OPTS_MUTUAL_REQUIRED</code></a> bit is set, the local sequence number is XORed with the remote sequence number in the request.

-Use <a class="reference internal" href="krb5_free_ticket.html#c.krb5_free_ticket" title="krb5_free_ticket"><code class="xref c c-func docutils literal">krb5_free_ticket()</code></a> to free ticket when it is no longer needed.

-</div>

+On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context . If the #AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.

+Use krb5_free_ticket() to free ticket when it is no longer needed.

+</section>

+ <div class="clearer"></div>

</div>

<ul>

<li><a class="reference internal" href="#">krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.</a></li>

@@ -161,6 +146,7 @@

</form>

</div>

</div>

@@ -168,8 +154,8 @@

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

</div>