krb5_rd_safe - Process KRB-SAFE message.¶
- krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * outbuf, krb5_replay_data * outdata)¶
param: | [in] context - Library context [in] auth_context - Authentication context [in] inbuf - KRB-SAFE message to be parsed [out] outbuf - Data parsed from KRB-SAFE message [out] outdata - Replay data. Specify NULL if not needed |
---|
retval: |
|
---|
This function parses a KRB-SAFE message, verifies its integrity, and stores its data into outbuf .
If the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in auth_context , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of auth_context . Otherwise, the sequence number is not used.
If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , then two additional checks are performed:
- The timestamp in the message must be within the permitted clock skew (which is usually five minutes).
- The message must not be a replayed message field in auth_context .
Use krb5_free_data_contents() to free outbuf when it is no longer needed.
Note
The outdata argument is required if KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the auth_context .
auth_context must have a remote address set. This address will be used to verify the sender address in the KRB-SAFE message. If auth_context has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. Both addresses must use type ADDRTYPE_ADDRPORT .