krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.¶
-
krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds **creds, krb5_data **der_out, krb5_replay_data *rdata_out)¶
- param:
[in] context - Library context
[in] auth_context - Authentication context
[in] creds - Null-terminated array of credentials
[out] der_out - Encoded credentials
[out] rdata_out - Replay cache information (NULL if not needed)
- retval:
0 Success
ENOMEM Insufficient memory
KRB5_RC_REQUIRED Message replay detection requires rcache parameter
- return:
Kerberos error codes
This function takes an array of credentials creds and formats a KRB-CRED message der_out to pass to krb5_rd_cred()
.
The local and remote addresses in auth_context are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message.
If the KRB5_AUTH_CONTEXT_DO_TIME
flag is set in auth_context , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME
is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME
is set in auth_context , the timestamp used for the KRB-CRED message is stored in rdata_out .
If either KRB5_AUTH_CONTEXT_DO_SEQUENCE
or KRB5_AUTH_CONTEXT_RET_SEQUENCE
is set, the auth_context local sequence number is included in the KRB-CRED message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE
is set, the sequence number used is stored in rdata_out .
Use krb5_free_data_contents()
to free der_out when it is no longer needed.
The message will be encrypted using the send subkey of auth_context if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case.
Note
The rdata_out argument is required if the KRB5_AUTH_CONTEXT_RET_TIME
or KRB5_AUTH_CONTEXT_RET_SEQUENCE
flag is set in auth_context .