diff options
Diffstat (limited to 'doc/doxyout/krb5/html/krb5_introduction.html')
| -rw-r--r-- | doc/doxyout/krb5/html/krb5_introduction.html | 145 |
1 files changed, 130 insertions, 15 deletions
diff --git a/doc/doxyout/krb5/html/krb5_introduction.html b/doc/doxyout/krb5/html/krb5_introduction.html index aec79a42d39f..ead091a77cbf 100644 --- a/doc/doxyout/krb5/html/krb5_introduction.html +++ b/doc/doxyout/krb5/html/krb5_introduction.html @@ -8,17 +8,18 @@ <a href="http://www.h5l.org/"><img src="http://www.h5l.org/keyhole-heimdal.png" alt="keyhole logo"/></a> </p> <!-- end of header marker --> -<!-- Generated by Doxygen 1.8.13 --> +<!-- Generated by Doxygen 1.9.1 --> <script type="text/javascript" src="menudata.js"></script> <script type="text/javascript" src="menu.js"></script> <script type="text/javascript"> +/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ $(function() { initMenu('',false,false,'search.php','Search'); }); -</script> +/* @license-end */</script> <div id="main-nav"></div> </div><!-- top --> -<div class="header"> +<div class="PageDoc"><div class="header"> <div class="headertitle"> <div class="title">Introduction to the Kerberos 5 API </div> </div> </div><!--header--> @@ -49,7 +50,7 @@ Credential cache</h2> <p>See also <a class="el" href="krb5_ccache_intro.html">The credential cache functions</a> and <a class="el" href="group__krb5__ccache.html">Heimdal Kerberos 5 credential cache functions</a> .</p> <h2><a class="anchor" id="intro_krb5_error_code"></a> Kerberos errors</h2> -<p>Kerberos errors are based on the com_err library. All error codes are 32-bit signed numbers, the first 24 bits define what subsystem the error originates from, and last 8 bits are 255 error codes within the library. Each error code have fixed string associated with it. For example, the error-code -1765328383 have the symbolic name KRB5KDC_ERR_NAME_EXP, and associated error string ``Client's entry in database has expired''.</p> +<p>Kerberos errors are based on the com_err library. All error codes are 32-bit signed numbers, the first 24 bits define what subsystem the error originates from, and last 8 bits are 255 error codes within the library. Each error code have fixed string associated with it. For example, the error-code -1765328383 have the symbolic name KRB5KDC_ERR_NAME_EXP, and associated error string `‘Client's entry in database has expired’'.</p> <p>This is a great improvement compared to just getting one of the unix error-codes back. However, Heimdal have an extention to pass back customised errors messages. Instead of getting <code>Key table entry not found'', the user might back</code>failed to find host/host.example.com@EXAMLE.COM(kvno 3) in keytab /etc/krb5.keytab (des-cbc-crc)''. This improves the chance that the user find the cause of the error so you should use the customised error message whenever it's available.</p> <p>See also module <a class="el" href="group__krb5__error.html">Heimdal Kerberos 5 error reporting functions</a> .</p> <h2><a class="anchor" id="intro_krb5_keytab"></a> @@ -67,19 +68,132 @@ Walkthrough of a sample Kerberos 5 client</h1> <p>All Kerberos error-codes that are returned from kerberos functions in this program are passed to krb5_err, that will print a descriptive text of the error code and exit. Graphical programs can convert error-code to a human readable error-string with the <a class="el" href="group__krb5__error.html#ga35cbf80e68f43a6d9503952886b85ed2">krb5_get_error_message()</a> function.</p> <p>Note that you should not use any Kerberos function before <a class="el" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context()</a> have completed successfully. That is the reason err() is used when <a class="el" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context()</a> fails.</p> <p>First the client needs to call krb5_init_context to initialise the Kerberos 5 library. This is only needed once per thread in the program. If the function returns a non-zero value it indicates that either the Kerberos implementation is failing or it's disabled on this host.</p> -<div class="fragment"><div class="line"><span class="preprocessor">#include <krb5.h></span></div><div class="line"></div><div class="line"><span class="keywordtype">int</span></div><div class="line">main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div><div class="line">{</div><div class="line"> krb5_context context;</div><div class="line"></div><div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context</a>(&context))</div><div class="line"> errx (1, <span class="stringliteral">"krb5_context"</span>);</div></div><!-- fragment --><p>Now the client wants to connect to the host at the other end. The preferred way of doing this is using getaddrinfo (for operating system that have this function implemented), since getaddrinfo is neutral to the address type and can use any protocol that is available.</p> -<div class="fragment"><div class="line"><span class="keyword">struct </span>addrinfo *ai, *a;</div><div class="line"><span class="keyword">struct </span>addrinfo hints;</div><div class="line"><span class="keywordtype">int</span> error;</div><div class="line"></div><div class="line">memset (&hints, 0, <span class="keyword">sizeof</span>(hints));</div><div class="line">hints.ai_socktype = SOCK_STREAM;</div><div class="line">hints.ai_protocol = IPPROTO_TCP;</div><div class="line"></div><div class="line">error = getaddrinfo (hostname, <span class="stringliteral">"pop3"</span>, &hints, &ai);</div><div class="line"><span class="keywordflow">if</span> (error)</div><div class="line"> errx (1, <span class="stringliteral">"%s: %s"</span>, hostname, gai_strerror(error));</div><div class="line"></div><div class="line"><span class="keywordflow">for</span> (a = ai; a != NULL; a = a->ai_next) {</div><div class="line"> <span class="keywordtype">int</span> s;</div><div class="line"></div><div class="line"> s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);</div><div class="line"> <span class="keywordflow">if</span> (s < 0)</div><div class="line"> <span class="keywordflow">continue</span>;</div><div class="line"> <span class="keywordflow">if</span> (connect (s, a->ai_addr, a->ai_addrlen) < 0) {</div><div class="line"> warn (<span class="stringliteral">"connect(%s)"</span>, hostname);</div><div class="line"> close (s);</div><div class="line"> <span class="keywordflow">continue</span>;</div><div class="line"> }</div><div class="line"> freeaddrinfo (ai);</div><div class="line"> ai = NULL;</div><div class="line">}</div><div class="line"><span class="keywordflow">if</span> (ai) {</div><div class="line"> freeaddrinfo (ai);</div><div class="line"> errx (<span class="stringliteral">"failed to contact %s"</span>, hostname);</div><div class="line">}</div></div><!-- fragment --><p>Before authenticating, an authentication context needs to be created. This context keeps all information for one (to be) authenticated connection (see krb5_auth_context).</p> -<div class="fragment"><div class="line">status = krb5_auth_con_init (context, &auth_context);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_auth_con_init"</span>);</div></div><!-- fragment --><p>For setting the address in the authentication there is a help function krb5_auth_con_setaddrs_from_fd() that does everything that is needed when given a connected file descriptor to the socket.</p> -<div class="fragment"><div class="line">status = krb5_auth_con_setaddrs_from_fd (context,</div><div class="line"> auth_context,</div><div class="line"> &sock);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status,</div><div class="line"> <span class="stringliteral">"krb5_auth_con_setaddrs_from_fd"</span>);</div></div><!-- fragment --><p>The next step is to build a server principal for the service we want to connect to. (See also <a class="el" href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal()</a>.)</p> -<div class="fragment"><div class="line">status = <a class="code" href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal</a> (context,</div><div class="line"> hostname,</div><div class="line"> service,</div><div class="line"> KRB5_NT_SRV_HST,</div><div class="line"> &server);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_sname_to_principal"</span>);</div></div><!-- fragment --><p>The client principal is not passed to krb5_sendauth() function, this causes the krb5_sendauth() function to try to figure it out itself.</p> +<div class="fragment"><div class="line"><span class="preprocessor">#include <krb5.h></span></div> +<div class="line"> </div> +<div class="line"><span class="keywordtype">int</span></div> +<div class="line">main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)</div> +<div class="line">{</div> +<div class="line"> krb5_context context;</div> +<div class="line"> </div> +<div class="line"> <span class="keywordflow">if</span> (<a class="code" href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context</a>(&context))</div> +<div class="line"> errx (1, <span class="stringliteral">"krb5_context"</span>);</div> +<div class="ttc" id="agroup__krb5_html_gabd94206e186c58a093975424a4a567a8"><div class="ttname"><a href="group__krb5.html#gabd94206e186c58a093975424a4a567a8">krb5_init_context</a></div><div class="ttdeci">KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_context(krb5_context *context)</div><div class="ttdef"><b>Definition:</b> context.c:417</div></div> +</div><!-- fragment --><p>Now the client wants to connect to the host at the other end. The preferred way of doing this is using getaddrinfo (for operating system that have this function implemented), since getaddrinfo is neutral to the address type and can use any protocol that is available.</p> +<div class="fragment"><div class="line"><span class="keyword">struct </span>addrinfo *ai, *a;</div> +<div class="line"><span class="keyword">struct </span>addrinfo hints;</div> +<div class="line"><span class="keywordtype">int</span> error;</div> +<div class="line"> </div> +<div class="line">memset (&hints, 0, <span class="keyword">sizeof</span>(hints));</div> +<div class="line">hints.ai_socktype = SOCK_STREAM;</div> +<div class="line">hints.ai_protocol = IPPROTO_TCP;</div> +<div class="line"> </div> +<div class="line">error = getaddrinfo (hostname, <span class="stringliteral">"pop3"</span>, &hints, &ai);</div> +<div class="line"><span class="keywordflow">if</span> (error)</div> +<div class="line"> errx (1, <span class="stringliteral">"%s: %s"</span>, hostname, gai_strerror(error));</div> +<div class="line"> </div> +<div class="line"><span class="keywordflow">for</span> (a = ai; a != NULL; a = a->ai_next) {</div> +<div class="line"> <span class="keywordtype">int</span> s;</div> +<div class="line"> </div> +<div class="line"> s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);</div> +<div class="line"> <span class="keywordflow">if</span> (s < 0)</div> +<div class="line"> <span class="keywordflow">continue</span>;</div> +<div class="line"> <span class="keywordflow">if</span> (connect (s, a->ai_addr, a->ai_addrlen) < 0) {</div> +<div class="line"> warn (<span class="stringliteral">"connect(%s)"</span>, hostname);</div> +<div class="line"> close (s);</div> +<div class="line"> <span class="keywordflow">continue</span>;</div> +<div class="line"> }</div> +<div class="line"> freeaddrinfo (ai);</div> +<div class="line"> ai = NULL;</div> +<div class="line">}</div> +<div class="line"><span class="keywordflow">if</span> (ai) {</div> +<div class="line"> freeaddrinfo (ai);</div> +<div class="line"> errx (<span class="stringliteral">"failed to contact %s"</span>, hostname);</div> +<div class="line">}</div> +</div><!-- fragment --><p>Before authenticating, an authentication context needs to be created. This context keeps all information for one (to be) authenticated connection (see krb5_auth_context).</p> +<div class="fragment"><div class="line">status = krb5_auth_con_init (context, &auth_context);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_auth_con_init"</span>);</div> +<div class="ttc" id="agroup__krb5__error_html_gad75c268bcf26225ee8d4a39c178131a1"><div class="ttname"><a href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a></div><div class="ttdeci">KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_err(krb5_context context, int eval, krb5_error_code code, const char *fmt,...) __attribute__((__noreturn__</div></div> +</div><!-- fragment --><p>For setting the address in the authentication there is a help function krb5_auth_con_setaddrs_from_fd() that does everything that is needed when given a connected file descriptor to the socket.</p> +<div class="fragment"><div class="line">status = krb5_auth_con_setaddrs_from_fd (context,</div> +<div class="line"> auth_context,</div> +<div class="line"> &sock);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status,</div> +<div class="line"> <span class="stringliteral">"krb5_auth_con_setaddrs_from_fd"</span>);</div> +</div><!-- fragment --><p>The next step is to build a server principal for the service we want to connect to. (See also <a class="el" href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal()</a>.)</p> +<div class="fragment"><div class="line">status = <a class="code" href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal</a> (context,</div> +<div class="line"> hostname,</div> +<div class="line"> service,</div> +<div class="line"> KRB5_NT_SRV_HST,</div> +<div class="line"> &server);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_sname_to_principal"</span>);</div> +<div class="ttc" id="agroup__krb5__principal_html_ga8be0f5000da6ee0d4bd5dcaf3cb01d08"><div class="ttname"><a href="group__krb5__principal.html#ga8be0f5000da6ee0d4bd5dcaf3cb01d08">krb5_sname_to_principal</a></div><div class="ttdeci">KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, int32_t type, krb5_principal *ret_princ)</div><div class="ttdef"><b>Definition:</b> principal.c:1364</div></div> +</div><!-- fragment --><p>The client principal is not passed to krb5_sendauth() function, this causes the krb5_sendauth() function to try to figure it out itself.</p> <p>The server program is using the function krb5_recvauth() to receive the Kerberos 5 authenticator.</p> <p>In this case, mutual authentication will be tried. That means that the server will authenticate to the client. Using mutual authentication is required to avoid man-in-the-middle attacks, since it enables the user to verify that they are talking to the right server (a server that knows the key).</p> <p>If you are using a non-blocking socket you will need to do all work of krb5_sendauth() yourself. Basically you need to send over the authenticator from krb5_mk_req() and, in case of mutual authentication, verifying the result from the server with krb5_rd_rep().</p> -<div class="fragment"><div class="line">status = krb5_sendauth (context,</div><div class="line"> &auth_context,</div><div class="line"> &sock,</div><div class="line"> VERSION,</div><div class="line"> NULL,</div><div class="line"> server,</div><div class="line"> AP_OPTS_MUTUAL_REQUIRED,</div><div class="line"> NULL,</div><div class="line"> NULL,</div><div class="line"> NULL,</div><div class="line"> NULL,</div><div class="line"> NULL,</div><div class="line"> NULL);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_sendauth"</span>);</div></div><!-- fragment --><p>Once authentication has been performed, it is time to send some data. First we create a krb5_data structure, then we sign it with krb5_mk_safe() using the auth_context that contains the session-key that was exchanged in the krb5_sendauth()/krb5_recvauth() authentication sequence.</p> -<div class="fragment"><div class="line">data.data = <span class="stringliteral">"hej"</span>;</div><div class="line">data.length = 3;</div><div class="line"></div><div class="line"><a class="code" href="group__krb5.html#gaa059e96dde4e0b8c082eb6f3d570b7bc">krb5_data_zero</a> (&packet);</div><div class="line"></div><div class="line">status = krb5_mk_safe (context,</div><div class="line"> auth_context,</div><div class="line"> &data,</div><div class="line"> &packet,</div><div class="line"> NULL);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_mk_safe"</span>);</div></div><!-- fragment --><p>And send it over the network.</p> -<div class="fragment"><div class="line">len = packet.length;</div><div class="line">net_len = htonl(len);</div><div class="line"></div><div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, &net_len, 4) != 4)</div><div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div><div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, packet.data, len) != len)</div><div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div></div><!-- fragment --><p>To send encrypted (and signed) data krb5_mk_priv() should be used instead. krb5_mk_priv() works the same way as krb5_mk_safe(), with the exception that it encrypts the data in addition to signing it.</p> -<div class="fragment"><div class="line">data.data = <span class="stringliteral">"hemligt"</span>;</div><div class="line">data.length = 7;</div><div class="line"></div><div class="line"><a class="code" href="group__krb5.html#gab4b80ac7a8bbab89fe947ae1c7828ea8">krb5_data_free</a> (&packet);</div><div class="line"></div><div class="line">status = krb5_mk_priv (context,</div><div class="line"> auth_context,</div><div class="line"> &data,</div><div class="line"> &packet,</div><div class="line"> NULL);</div><div class="line"><span class="keywordflow">if</span> (status)</div><div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_mk_priv"</span>);</div></div><!-- fragment --><p>And send it over the network.</p> -<div class="fragment"><div class="line">len = packet.length;</div><div class="line">net_len = htonl(len);</div><div class="line"></div><div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, &net_len, 4) != 4)</div><div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div><div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, packet.data, len) != len)</div><div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div></div><!-- fragment --><p>The server is using krb5_rd_safe() and krb5_rd_priv() to verify the signature and decrypt the packet.</p> +<div class="fragment"><div class="line">status = krb5_sendauth (context,</div> +<div class="line"> &auth_context,</div> +<div class="line"> &sock,</div> +<div class="line"> VERSION,</div> +<div class="line"> NULL,</div> +<div class="line"> server,</div> +<div class="line"> AP_OPTS_MUTUAL_REQUIRED,</div> +<div class="line"> NULL,</div> +<div class="line"> NULL,</div> +<div class="line"> NULL,</div> +<div class="line"> NULL,</div> +<div class="line"> NULL,</div> +<div class="line"> NULL);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_sendauth"</span>);</div> +</div><!-- fragment --><p>Once authentication has been performed, it is time to send some data. First we create a krb5_data structure, then we sign it with krb5_mk_safe() using the auth_context that contains the session-key that was exchanged in the krb5_sendauth()/krb5_recvauth() authentication sequence.</p> +<div class="fragment"><div class="line">data.data = <span class="stringliteral">"hej"</span>;</div> +<div class="line">data.length = 3;</div> +<div class="line"> </div> +<div class="line"><a class="code" href="group__krb5.html#gaa059e96dde4e0b8c082eb6f3d570b7bc">krb5_data_zero</a> (&packet);</div> +<div class="line"> </div> +<div class="line">status = krb5_mk_safe (context,</div> +<div class="line"> auth_context,</div> +<div class="line"> &data,</div> +<div class="line"> &packet,</div> +<div class="line"> NULL);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_mk_safe"</span>);</div> +<div class="ttc" id="agroup__krb5_html_gaa059e96dde4e0b8c082eb6f3d570b7bc"><div class="ttname"><a href="group__krb5.html#gaa059e96dde4e0b8c082eb6f3d570b7bc">krb5_data_zero</a></div><div class="ttdeci">KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_data_zero(krb5_data *p)</div><div class="ttdef"><b>Definition:</b> data.c:45</div></div> +</div><!-- fragment --><p>And send it over the network.</p> +<div class="fragment"><div class="line">len = packet.length;</div> +<div class="line">net_len = htonl(len);</div> +<div class="line"> </div> +<div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, &net_len, 4) != 4)</div> +<div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div> +<div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, packet.data, len) != len)</div> +<div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div> +</div><!-- fragment --><p>To send encrypted (and signed) data krb5_mk_priv() should be used instead. krb5_mk_priv() works the same way as krb5_mk_safe(), with the exception that it encrypts the data in addition to signing it.</p> +<div class="fragment"><div class="line">data.data = <span class="stringliteral">"hemligt"</span>;</div> +<div class="line">data.length = 7;</div> +<div class="line"> </div> +<div class="line"><a class="code" href="group__krb5.html#gab4b80ac7a8bbab89fe947ae1c7828ea8">krb5_data_free</a> (&packet);</div> +<div class="line"> </div> +<div class="line">status = krb5_mk_priv (context,</div> +<div class="line"> auth_context,</div> +<div class="line"> &data,</div> +<div class="line"> &packet,</div> +<div class="line"> NULL);</div> +<div class="line"><span class="keywordflow">if</span> (status)</div> +<div class="line"> <a class="code" href="group__krb5__error.html#gad75c268bcf26225ee8d4a39c178131a1">krb5_err</a> (context, 1, status, <span class="stringliteral">"krb5_mk_priv"</span>);</div> +<div class="ttc" id="agroup__krb5_html_gab4b80ac7a8bbab89fe947ae1c7828ea8"><div class="ttname"><a href="group__krb5.html#gab4b80ac7a8bbab89fe947ae1c7828ea8">krb5_data_free</a></div><div class="ttdeci">KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_data_free(krb5_data *p)</div><div class="ttdef"><b>Definition:</b> data.c:63</div></div> +</div><!-- fragment --><p>And send it over the network.</p> +<div class="fragment"><div class="line">len = packet.length;</div> +<div class="line">net_len = htonl(len);</div> +<div class="line"> </div> +<div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, &net_len, 4) != 4)</div> +<div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div> +<div class="line"><span class="keywordflow">if</span> (krb5_net_write (context, &sock, packet.data, len) != len)</div> +<div class="line"> err (1, <span class="stringliteral">"krb5_net_write"</span>);</div> +</div><!-- fragment --><p>The server is using krb5_rd_safe() and krb5_rd_priv() to verify the signature and decrypt the packet.</p> <h1><a class="anchor" id="intro_krb5_verify_user"></a> Validating a password in an application</h1> <p>See the manual page for krb5_verify_user().</p> @@ -96,7 +210,8 @@ Error messages</h2> <p>To get the error string, Heimdal uses <a class="el" href="group__krb5__error.html#ga35cbf80e68f43a6d9503952886b85ed2">krb5_get_error_message()</a>. This is to return custom error messages (like <code>Can't find host/datan.example.com\@CODE.COM in /etc/krb5.conf.'' instead of a</code>Key table entry not found'' that error_message returns.</p> <p>Heimdal uses a threadsafe(r) version of the com_err interface; the global com_err table isn't initialised. Then error_message returns quite a boring error string (just the error code itself). </p> </div></div><!-- contents --> +</div><!-- PageDoc --> <hr size="1"><address style="text-align: right;"><small> -Generated on Fri Jun 7 2019 02:49:56 for HeimdalKerberos5library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.8.13</small></address> +Generated on Tue Nov 15 2022 14:04:26 for Heimdal Kerberos 5 library by <a href="http://www.doxygen.org/index.html"><img src="doxygen.png" alt="doxygen" align="middle" border="0"></a> 1.9.1</small></address> </body> </html> |