krb5_mk_priv - Format a KRB-PRIV message.¶
-
krb5_error_code
krb5_mk_priv
(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out)¶
param: | [in] context - Library context [in] auth_context - Authentication context [in] userdata - User data for KRB-PRIV message [out] der_out - Formatted KRB-PRIV message [out] rdata_out - Replay data (NULL if not needed) |
---|
retval: |
|
---|
This function is similar to krb5_mk_safe()
, but the message is encrypted and integrity-protected, not just integrity-protected.
The local address in auth_context must be set, and is used to form the sender address used in the KRB-PRIV message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.
If the KRB5_AUTH_CONTEXT_DO_TIME
flag is set in auth_context , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME
is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME
is set in auth_context , a timestamp is included in the KRB-PRIV message and is stored in rdata_out .
If either KRB5_AUTH_CONTEXT_DO_SEQUENCE
or KRB5_AUTH_CONTEXT_RET_SEQUENCE
is set, the auth_context local sequence number is included in the KRB-PRIV message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE
is set, the sequence number used is stored in rdata_out .
Use krb5_free_data_contents()
to free der_out when it is no longer needed.
Note
The rdata_out argument is required if the KRB5_AUTH_CONTEXT_RET_TIME
or KRB5_AUTH_CONTEXT_RET_SEQUENCE
flag is set in auth_context .