HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 6 KRB5 (Kerberos V5) Application Programming Interface

krb5_rd_safe — Parse a KRB_SAFE message

  Table of Contents



C Prototype

krb5_error_code krb5_rd_safe(
krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
krb5_data *outbuf,
krb5_replay_data *outdata );


context (input/output) 

The context structure.

auth_context (input/output) 

Authentication context.

inbuf (input) 

The KRB_SAFE message to be parsed.

outbuf (output) 

The data parsed from the KRB_SAFE message.

outdata (input/output) 

Contains the sequence numbers if KRB5_AUTH_CONTEXT_RET_SEQUENCE was specified in auth_context.


This routine parses a KRB_SAFE message from inbuf, placing the data in outbuf after verifying its integrity.

The keyblock used for verifying the integrity of the message is taken from the auth_context local_subkey, remote_subkey, or keyblock. The keyblock is chosen in the preceding order by the first one that is not NULL.

The remote_addr and localaddr portions of the *auth_context specify the full addresses (host and port) of the sender and receiver, and must be of type ADDRTYPE_ADDRPORT.

The remote_addr argument is mandatory; it specifies the address of the sender. If the address of the sender in the message does not match remote_addr, the error KRB5KRB_AP_ERR_BADADDR will be returned.

If local_addr is nonNULL, then the address of the receiver in the message much match it. If it is NULL, the receiver address in the message will be checked against the list of local addresses as returned by krb5_os_localaddr. If the check fails, KRB5KRB_AP_ERR_BADARRD is returned.

The outbuf buffer storage (outbuf->data) is allocated storage which the caller should free when it is no longer needed.

If auth_context_flags portion of auth_context indicates that sequence numbers are to be used (if KRB5_AUTH_CONTEXT_DOSEQUENCE is set in it), the remote_seq_number portion of auth_context is compared to the sequence number for the message, and KRB5_KRB_AP_ERR_BADORDER is returned if it does not match. Otherwise, the sequence number is not used.

If timestamps are to be used (if KRB5_AUTH_CONTEXT_DO_TIME is set in auth_context), then two additional checks are performed:

  • The timestamp in the message must be within the permitted clock skew (which is usually five minutes), or KRB5KRB_AP_ERR_SKEW is returned.

  • The message must not be a replayed message, according to rcache.

Return Values

This routine returns one of the following KRB5 status codes:

0Successful completion.