MIT Kerberos Documentation

krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.

krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket)

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] inbuf - AP-REQ message to be parsed

[in] server - Matching principal for server, or NULL to allow any principal in keytab

[in] keytab - Key table, or NULL to use the default

[out] ap_req_options - If non-null, the AP-REQ flags on output

[out] ticket - If non-null, ticket from the AP-REQ message

  • 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies a AP-REQ message from inbuf and stores the authenticator in auth_context .

If a keyblock was specified in auth_context using krb5_auth_con_setuseruserkey() , that key is used to decrypt the ticket in AP-REQ message and keytab is ignored. In this case, server should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

Otherwise, the decryption key is obtained from keytab , or from the default keytab if it is NULL. In this case, server may be a complete principal name, a matching principal (see krb5_sname_match() ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

  • If server is a complete principal name, then its entry in keytab is tried.
  • Otherwise, if keytab is iterable, then all entries in keytab which match server are tried.
  • Otherwise, the server principal in the ticket must match server , and its entry in keytab is tried.

The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.

If the remote_addr field of auth_context is set, the request must come from that address.

If a replay cache handle is provided in the auth_context , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of auth_context .

Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.

On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context . If the AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.

Use krb5_free_ticket() to free ticket when it is no longer needed.