ibm-information-center/dist/eclipse/plugins/i5OS.ic.apis_5.4.0.1/krb5_mk_priv.htm
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<title>krb5_mk_priv()--Create Kerberos KRB_PRIV Message</title>
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Change History: -->
<!-- YYMMDD USERID Change description -->
<!-- Created by Kent Hofer for V5R1 -->
<!-- Edited by Kersten Jan 02 -->
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<!-- End Header Records -->
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<a name="Top_Of_Page"></a>
<h2>krb5_mk_priv()--Create Kerberos KRB_PRIV Message</h2>
<div class="box" style="width: 60%;">
<br>
&nbsp;&nbsp;Syntax
<pre>
#include &lt;krb5.h&gt;
krb5_error_code krb5_mk_priv(
    krb5_context <em>context</em>,
    krb5_auth_context <em>auth_context</em>,
    krb5_const krb5_data * <em>userdata</em>,
    krb5_data * <em>out_data</em>,
    krb5_replay_data * <em>replay_data</em>);
</pre>
&nbsp;&nbsp;Service Program Name: QSYS/QKRBGSS<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
&nbsp;&nbsp;Threadsafe: Conditional. See <a href="#usage_notes">Usage
notes</a>.<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The <strong>krb5_mk_priv()</strong> function creates a Kerberos KRB_PRIV
message from application-supplied data, protecting it with the key held in the
authentication context. The <strong>krb5_mk_priv()</strong> routine is similar
to the <strong>krb5_mk_safe()</strong> routine, but the message is encrypted
and integrity-protected rather than integrity-protected only: KRB_PRIV gives
the application data confidentiality as well as integrity, whereas KRB_SAFE
gives integrity only. The <strong>krb5_rd_priv()</strong> routine decrypts the
message and validates its integrity.</p>
<br>
<h3>Authorities</h3>
<p>No authorities are required.</p>
<br>
<h3>Parameters</h3>
<dl>
<dt><strong>context</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The Kerberos context.<br>
<br>
</dd>
<dt><strong>auth_context</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The authentication context.<br>
<br>
</dd>
<dt><strong>userdata</strong>&nbsp;&nbsp;(Input)</dt>
<dd>The application data for the KRB_PRIV message.<br>
<br>
</dd>
<dt><strong>out_data</strong>&nbsp;&nbsp;(Output)</dt>
<dd>The KRB_PRIV message. The <strong>krb5_free_data_contents()</strong>
routine should be called to release the storage pointed to by the <em>data</em>
field of the krb5_data structure when it is no longer needed.<br>
<br>
</dd>
<dt><strong>replay_data</strong>&nbsp;&nbsp;(Output)</dt>
<dd>Replay information returned to the caller. This parameter is required if
the <strong>KRB5_AUTH_CONTEXT_RET_TIME</strong> (x'00000002') or
<strong>KRB5_AUTH_CONTEXT_RET_SEQUENCE</strong> (x'00000008') flag is set in
the authentication context. Otherwise, <strong>NULL</strong> may be specified
for this parameter.</dd>
</dl>
<br>
<h3>Return Value</h3>
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.</p>
<br>
<h3>Error Messages</h3>
<table width="100%" cellpadding="5">
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPE3418 E</td>
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
</tr>
</table>
<br>
<br>
<h3><a name="usage_notes">Usage Notes</a></h3>
<ol>
<li>The authentication context specifies the checksum type, the data encryption
type, the keyblock with which the message is encrypted and integrity-protected,
the addresses of the sender and receiver, and the replay cache.<br>
<br>
</li>
<li>Use the <strong>krb5_auth_con_setrcache()</strong> routine to set the
replay cache in the authentication context.<br>
<br>
</li>
<li>The local address in the authentication context is used to create the
KRB_PRIV message and must be present. The remote address is optional. Use the
<strong>krb5_auth_con_genaddrs()</strong> routine or a combination of the
<strong>krb5_auth_con_setaddrs()</strong> and the
<strong>krb5_auth_con_setports()</strong> routines to set the addresses in the
authentication context. If the remote address is set, then the local address
also must be set in the authentication context that is used for the
<strong>krb5_rd_priv()</strong> routine. If port numbers are set, then they
also must be set in the authentication context used for the
<strong>krb5_rd_priv()</strong> routine.<br>
<br>
</li>
<li>The authentication context flags determine whether sequence numbers or
timestamps should be used to identify the message. Use the
<strong>krb5_auth_con_set_flags()</strong> routine to set the authentication
context flags.<br>
<br>
</li>
<li>The encryption type is taken from the keyblock in the authentication
context. If the initial vector has been set in the authentication context, it
is used as the initialization vector for the encryption (if the encryption type
supports initialization) and its contents are replaced with the last block of
encrypted data upon return. Use the <strong>krb5_auth_con_setivector()</strong>
routine or the <strong>krb5_auth_con_initvector()</strong> routine to modify
the initial vector in the authentication context.<br>
<br>
</li>
<li>If timestamps are used (<strong>KRB5_AUTH_CONTEXT_DO_TIME</strong>
(x'00000001') is set), an entry describing the message is added to the replay
cache so that a copy of this message later replayed to the caller by an
attacker can be recognized and rejected. An error is returned if the
authentication context does not specify a replay cache.<br>
<br>
</li>
<li>If sequence numbers are used
(<strong>KRB5_AUTH_CONTEXT_DO_SEQUENCE</strong> (x'00000004') or
<strong>KRB5_AUTH_CONTEXT_RET_SEQUENCE</strong> (x'00000008') is set), the
local sequence number in the authentication context is placed in the protected
message as its sequence number.<br>
<br>
</li>
<li>The Kerberos protocol runtime provides no concurrency control for the
authentication context. If the application wants to use the same authentication
context in multiple threads, it is the responsibility of the application to
serialize access to the authentication context so that only a single thread is
accessing the authentication context at any time. Because message sequence
numbers are contained in the authentication context, this serialization needs
to be extended to encompass the message exchange between the two applications.
Otherwise, message sequence errors are liable to occur if the messages are
delivered out of sequence.</li>
</ol>
<br>
<hr>
API introduced: V5R1
<hr>
</body>
</html>