<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>krb5_rd_req()--Process Kerberos AP_REQ Message</title>
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<!-- Created by Kent Hofer for V5R1 -->
<!-- Edited by Kersten Jan 02 -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>

<a name="Top_Of_Page"></a>

<h2>krb5_rd_req()--Process Kerberos AP_REQ Message</h2>

<div class="box" style="width: 70%;">
<br>
Syntax

<pre>
#include &lt;krb5.h&gt;

krb5_error_code krb5_rd_req(
    krb5_context <em>context</em>,
    krb5_auth_context * <em>auth_context</em>,
    krb5_const krb5_data * <em>in_data</em>,
    krb5_const_principal <em>server</em>,
    krb5_keytab <em>keytab</em>,
    krb5_flags * <em>ap_req_options</em>,
    krb5_ticket ** <em>ticket</em>);
</pre>

Service Program Name: QSYS/QKRBGSS<br>
<!-- iddvc RMBR -->
<br>
Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
Threadsafe: Conditional. See <a href="#usage_notes">Usage notes</a>.<br>
<!-- iddvc RMBR -->
<br>
</div>

<p>The <strong>krb5_rd_req()</strong> function processes a Kerberos AP_REQ
message generated by the partner application. The authenticator is extracted,
validated, and stored in the authentication context. If the <em>server</em>
parameter is not <strong>NULL</strong> and no replay cache is associated with
the authentication context, the Kerberos protocol runtime creates a replay
cache and stores the cache handle in the authentication context.</p>

<br>

<h3>Parameters</h3>

<dl>
<dt><strong>context</strong> (Input)</dt>
<dd>The Kerberos context.<br>
<br>
</dd>

<dt><strong>auth_context</strong> (Input/Output)</dt>
<dd>The authentication context. A new authentication context is created and
returned in this parameter if the value is <strong>NULL</strong>.<br>
<br>
</dd>

<dt><strong>in_data</strong> (Input)</dt>
<dd>The buffer containing the AP_REQ message.<br>
<br>
</dd>

<dt><strong>server</strong> (Input)</dt>
<dd>The server name. The server principal in the AP_REQ must be the same as the
principal specified by this parameter. Specify <strong>NULL</strong> if any
server principal is acceptable.<br>
<br>
</dd>

<dt><strong>keytab</strong> (Input)</dt>
<dd>The key table that contains the server key. The default key table is used
if <strong>NULL</strong> is specified for this parameter.<br>
<br>
</dd>

<dt><strong>ap_req_options</strong> (Output)</dt>
<dd>The options from the AP_REQ message. Specify <strong>NULL</strong> for this
parameter if the options are not needed.<br>
<br>
</dd>

<dt><strong>ticket</strong> (Output)</dt>
<dd>The ticket from the AP_REQ message. Specify <strong>NULL</strong> for this
parameter if the ticket is not needed. The <strong>krb5_free_ticket()</strong>
routine should be called to release the ticket when it is no longer
needed.</dd>
</dl>

<br>

<h3>Return Value</h3>

<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.</p>

<br>

<h3>Authorities</h3>

<p>No authorities are required.</p>

<br>

<h3>Error Messages</h3>

<table width="100%" cellpadding="5">
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>

<br>
<br>

<h3><a name="usage_notes">Usage Notes</a></h3>

<ol>
<li>If the authentication context contains a keyblock, it is used to decrypt
the ticket in the AP_REQ message. This is useful for user-to-user
authentication. If the authentication context does not contain a keyblock, the
key table specified on the function call is used to obtain the decryption
key.<br>
<br>
</li>

<li>The client in the authenticator must match the client in the ticket. If the
remote address has been set in the authentication context, the request must
have come from that address. If a replay cache handle is stored in the
authentication context, the new authenticator is stored in the cache after
checking for replay.<br>
<br>
</li>

<li>If no errors are detected, the authenticator, subsession key, and remote
sequence number are stored in the authentication context. If
<strong>AP_OPTS_MUTUAL_REQUIRED</strong> (x'20000000') is specified in the
AP_REQ message, the local sequence number is XORed with the remote sequence
number.<br>
<br>
</li>

<li>The Kerberos protocol runtime provides no concurrency control for the
authentication context. If the application wants to use the same authentication
context in multiple threads, it is the responsibility of the application to
serialize access to the authentication context so that only a single thread is
accessing the authentication context at any time. Because message sequence
numbers are contained in the authentication context, this serialization needs
to be extended to encompass the message exchange between the two applications.
Otherwise, message sequence errors are liable to occur if the messages are
delivered out of sequence.</li>
</ol>
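<p>As an added illustration (not IBM's code and not the runtime's implementation), the following plain-C model walks through the validations that usage notes 2 and 3 describe: the client in the authenticator must match the ticket, the request must come from the remote address when one is set, the authenticator enters the replay cache only after the replay check, and with <strong>AP_OPTS_MUTUAL_REQUIRED</strong> the local sequence number is XORed with the remote one. Every struct, function and status name below is invented for the model; only the flag value comes from this page, and the principal names and addresses are constructed sample input.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the checks krb5_rd_req() applies (usage notes 2 and 3).
 * Not IBM's code; every name except AP_OPTS_MUTUAL_REQUIRED is invented here. */
#define AP_OPTS_MUTUAL_REQUIRED 0x20000000u
#define RCACHE_SLOTS 64
enum rd_req_status { RD_REQ_OK, RD_REQ_CLIENT_MISMATCH, RD_REQ_BAD_ADDRESS, RD_REQ_REPLAY };
struct ticket        { const char *client; };           /* client named in the ticket */
struct authenticator { const char *client; uint32_t ctime, cusec, subkey, seq; };
struct rc_entry      { const char *client; uint32_t ctime, cusec; };
struct auth_ctx {                                        /* model of the authentication context */
    uint32_t remote_addr;                                /* 0 = no remote address set */
    struct rc_entry rcache[RCACHE_SLOTS]; int rc_count, rc_next; /* ring-buffer replay cache */
    uint32_t subkey, remote_seq, local_seq;
};

/* A (client, ctime, cusec) triple already in the cache means the authenticator is replayed. */
static int replay_seen(const struct auth_ctx *ac, const struct authenticator *a) {
    for (int i = 0; i < ac->rc_count; i++)
        if (ac->rcache[i].ctime == a->ctime && ac->rcache[i].cusec == a->cusec &&
            strcmp(ac->rcache[i].client, a->client) == 0) return 1;
    return 0;
}
enum rd_req_status model_rd_req(struct auth_ctx *ac, const struct ticket *t,
        const struct authenticator *a, uint32_t from_addr, uint32_t ap_req_options) {
    if (strcmp(a->client, t->client) != 0) return RD_REQ_CLIENT_MISMATCH;     /* note 2 */
    if (ac->remote_addr && ac->remote_addr != from_addr) return RD_REQ_BAD_ADDRESS;
    if (replay_seen(ac, a)) return RD_REQ_REPLAY;
    /* the authenticator enters the cache only after the replay check has passed */
    ac->rcache[ac->rc_next] = (struct rc_entry){ a->client, a->ctime, a->cusec };
    ac->rc_next = (ac->rc_next + 1) % RCACHE_SLOTS;
    if (ac->rc_count < RCACHE_SLOTS) ac->rc_count++;
    ac->subkey = a->subkey; ac->remote_seq = a->seq;                             /* note 3 */
    if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) ac->local_seq ^= a->seq;
    return RD_REQ_OK;
}

int demo(void) {   /* four constructed scenarios; returns how many behave as documented */
    struct auth_ctx ac = { .remote_addr = 0x0A000001u, .local_seq = 0x1234u };
    struct ticket t = { "alice@EXAMPLE.TEST" };
    struct authenticator a = { "alice@EXAMPLE.TEST", 1700000000u, 42u, 0xCAFEu, 0x00FFu };
    struct authenticator bad = a; bad.client = "mallory@EXAMPLE.TEST";
    int ok = model_rd_req(&ac, &t, &a, 0x0A000001u, AP_OPTS_MUTUAL_REQUIRED) == RD_REQ_OK
             && ac.local_seq == (0x1234u ^ 0x00FFu) && ac.subkey == 0xCAFEu;
    ok += model_rd_req(&ac, &t, &a, 0x0A000001u, 0) == RD_REQ_REPLAY;           /* replayed */
    ok += model_rd_req(&ac, &t, &bad, 0x0A000001u, 0) == RD_REQ_CLIENT_MISMATCH;
    ok += model_rd_req(&ac, &t, &a, 0x0A000002u, 0) == RD_REQ_BAD_ADDRESS;       /* wrong peer */
    return ok;
}

int main(void) { printf("%d of 4 checks behaved as documented\n", demo()); return 0; }
```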

<br>
<hr>
API introduced: V5R1
<hr>
</body>
</html>