HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 6 KRB5 (Kerberos V5) Application Programming Interface

krb5_mk_safe — Format a KRB_SAFE message

  Table of Contents

  Glossary

  Index

C Prototype

krb5_error_code krb5_mk_safe(
krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *userdata,
krb5_data *outbuf,
krb5_replay_data *outdata );

Arguments

context (input/output) 

The context structure.

auth_context (input/output) 

Authentication context. The auth_context->auth_context_flags select whether sequence numbers or timestamps should be used to identify the message. Valid flags are:

KRB5_AUTH_CONTEXT_DO_TIME — Use timestamps and replay cache.

KRB5_AUTH_CONTEXT_RET_TIME — Copy timestamp to *outdata.

KRB5_AUTH_CONTEXT_DO_SEQUENCE — Use sequence numbers.

KRB5_AUTH_CONTEXT_RET_SEQUENCE — Copy sequence numbers to *outdata.

userdata (input) 

The user data in the message.

outbuf (output) 

The formatted KRB_SAFE buffer.

outdata (input/output) 

Contains the sequence numbers if KRB5_AUTH_CONTEXT_RET_SEQUENCE was specified in auth_context.

Description

This routine formats a KRB_SAFE message into outbuf.

The userdata argument is formatted as the user data in the message. Portions of auth_context specify the checksum type, the keyblock that might be used to seed the checksum, and full addresses (host and port) for the sender and receiver. The local_addr portion of *auth_context is used to form the addresses used in the KRB_SAFE message. The remote_addr is optional; if the receiver's address is not known, it may be replaced by NULL. The local_addr argument, however, is mandatory.

If timestamps are to be used (that is, if KRB5_AUTH_CONTEXT_DO_TIME is set), an entry describing the message will be entered in the replay cache so that the caller may detect if this message is sent back by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, the auth_context replay cache is not used.

If sequence numbers are to be used (if either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set), then auth_context local sequence number will be placed in the protected message as its sequence number.

The outbuf buffer storage (outbuf->data) is allocated, and should be freed by the caller when finished.

Return Values

This routine returns one of the following KRB5 status codes:

0Successful completion.