MIT Kerberos Documentation

krb5_mk_safe - Format a KRB-SAFE message.

krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out)

[in] context - Library context

[in] auth_context - Authentication context

[in] userdata - User data in the message

[out] der_out - Formatted KRB-SAFE buffer

[out] rdata_out - Replay data. Specify NULL if not needed

  • 0 Success; otherwise - Kerberos error codes

This function creates an integrity protected KRB-SAFE message using data supplied by the application.

Fields in auth_context specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5_AUTH_CONTEXT flags.

The local address in auth_context must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in auth_context , a timestamp is included in the KRB-SAFE message and is stored in rdata_out .

If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number is included in the KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in rdata_out .

Use krb5_free_data_contents() to free der_out when it is no longer needed.


The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .