			from Thomas Klausner <wiz@netbsd.org> git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12032 ec53bebd-3082-4978-b11e-865c3cabbd6b
| .\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
 | |
| .\" (Royal Institute of Technology, Stockholm, Sweden). 
 | |
| .\" All rights reserved. 
 | |
| .\"
 | |
| .\" Redistribution and use in source and binary forms, with or without 
 | |
| .\" modification, are permitted provided that the following conditions 
 | |
| .\" are met: 
 | |
| .\"
 | |
| .\" 1. Redistributions of source code must retain the above copyright 
 | |
| .\"    notice, this list of conditions and the following disclaimer. 
 | |
| .\"
 | |
| .\" 2. Redistributions in binary form must reproduce the above copyright 
 | |
| .\"    notice, this list of conditions and the following disclaimer in the 
 | |
| .\"    documentation and/or other materials provided with the distribution. 
 | |
| .\"
 | |
| .\" 3. Neither the name of the Institute nor the names of its contributors 
 | |
| .\"    may be used to endorse or promote products derived from this software 
 | |
| .\"    without specific prior written permission. 
 | |
| .\"
 | |
| .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 | |
| .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 | |
| .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 | |
| .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 | |
| .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 | |
| .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 | |
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 | |
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 | |
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 | |
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 | |
| .\" SUCH DAMAGE. 
 | |
| .\"
 | |
| .\" $Id$
 | |
| .\"
 | |
| .Dd January 21, 2001
 | |
| .Dt KRB5_AUTH_CONTEXT 3
 | |
| .Os HEIMDAL
 | |
| .Sh NAME
 | |
| .Nm krb5_auth_context ,
 | |
| .Nm krb5_auth_con_init ,
 | |
| .Nm krb5_auth_con_free ,
 | |
| .Nm krb5_auth_con_setflags ,
 | |
| .Nm krb5_auth_con_getflags ,
 | |
| .Nm krb5_auth_con_setaddrs ,
 | |
| .Nm krb5_auth_con_setaddrs_from_fd ,
 | |
| .Nm krb5_auth_con_getaddrs ,
 | |
| .Nm krb5_auth_con_genaddrs ,
 | |
| .Nm krb5_auth_con_getkey ,
 | |
| .Nm krb5_auth_con_setkey ,
 | |
| .Nm krb5_auth_con_getuserkey ,
 | |
| .Nm krb5_auth_con_setuserkey ,
 | |
| .Nm krb5_auth_con_getlocalsubkey ,
 | |
| .Nm krb5_auth_con_setlocalsubkey ,
 | |
| .Nm krb5_auth_con_getremotesubkey ,
 | |
| .Nm krb5_auth_con_setremotesubkey ,
 | |
| .Nm krb5_auth_setcksumtype ,
 | |
| .Nm krb5_auth_getcksumtype ,
 | |
| .Nm krb5_auth_setkeytype ,
 | |
| .Nm krb5_auth_getkeytype ,
 | |
| .Nm krb5_auth_getlocalseqnumber ,
 | |
| .Nm krb5_auth_setlocalseqnumber ,
 | |
| .Nm krb5_auth_getremoteseqnumber ,
 | |
| .Nm krb5_auth_setremoteseqnumber ,
 | |
| .Nm krb5_auth_getauthenticator ,
 | |
| .Nm krb5_auth_con_getrcache ,
 | |
| .Nm krb5_auth_con_setrcache ,
 | |
| .Nm krb5_auth_con_initivector ,
 | |
| .Nm krb5_auth_con_setivector
 | |
| .Nd manage authentication on connection level
 | |
| .Sh LIBRARY
 | |
| Kerberos 5 Library (libkrb5, -lkrb5)
 | |
| .Sh SYNOPSIS
 | |
| .In krb5.h
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_init
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context *auth_context"
 | |
| .Fc
 | |
| .Ft void
 | |
| .Fo krb5_auth_con_free
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_setflags
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "int32_t flags"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_getflags
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "int32_t *flags"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_setaddrs
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "krb5_address *local_addr"
 | |
| .Fa "krb5_address *remote_addr"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_getaddrs
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "krb5_address **local_addr"
 | |
| .Fa "krb5_address **remote_addr"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_genaddrs
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "int fd"
 | |
| .Fa "int flags"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_setaddrs_from_fd
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "void *p_fd"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_getkey
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "krb5_keyblock **keyblock"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_getlocalsubkey
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "krb5_keyblock **keyblock"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_getremotesubkey
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fa "krb5_keyblock **keyblock"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_initivector
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context auth_context"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_auth_con_setivector
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_auth_context *auth_context"
 | |
| .Fa "krb5_pointer ivector"
 | |
| .Fc
 | |
| .Sh DESCRIPTION
 | |
| The
 | |
| .Nm krb5_auth_context
 | |
| structure holds all context related to an authenticated connection, in
 | |
| a similar way to
 | |
| .Nm krb5_context
 | |
| that holds the context for the thread or process.
 | |
| .Nm krb5_auth_context
 | |
| is used by various functions that are directly related to
 | |
| authentication between the server and client. Examples of data that this
 | |
| structure contains are various flags, addresses of client and server,
 | |
| port numbers, keyblocks (and subkeys), sequence numbers, replay cache,
 | |
| and checksum-type.
 | |
| .Pp
 | |
| .Fn krb5_auth_con_init
 | |
| allocates and initializes the
 | |
| .Nm krb5_auth_context
 | |
| structure. Default values can be changed with
 | |
| .Fn krb5_auth_con_setcksumtype
 | |
| and
 | |
| .Fn krb5_auth_con_setflags .
 | |
| The
 | |
| .Nm auth_context
 | |
| structure must be freed by
 | |
| .Fn krb5_auth_con_free .
 | |
| .Pp
 | |
| .Fn krb5_auth_con_getflags
 | |
| and
 | |
| .Fn krb5_auth_con_setflags
 | |
| gets and modifies the flags for a
 | |
| .Nm krb5_auth_context
 | |
| structure. Possible flags to set are:
 | |
| .Bl -tag -width Ds
 | |
| .It Dv KRB5_AUTH_CONTEXT_DO_TIME
 | |
| Check the timestamp on incoming packets.
 | |
| .\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
 | |
| .It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
 | |
| Generate and check sequence-number on each packet.
 | |
| .\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
 | |
| .\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
 | |
| .El
 | |
| .Pp
 | |
| .Fn krb5_auth_con_setaddrs ,
 | |
| .Fn krb5_auth_con_setaddrs_from_fd
 | |
| and
 | |
| .Fn krb5_auth_con_getaddrs
 | |
| gets and sets the addresses that are checked when a packet is received.
 | |
| It is mandatory to set an address for the remote
 | |
| host. If the local address is not set, it is deduced from the underlying
 | |
| operating system.
 | |
| .Fn krb5_auth_con_getaddrs
 | |
| will call
 | |
| .Fn krb5_free_address
 | |
| on any address that is passed in
 | |
| .Fa local_addr
 | |
| or
 | |
| .Fa remote_addr .
 | |
| .Fn krb5_auth_con_setaddrs
 | |
| allows passing in a
 | |
| .Dv NULL
 | |
| pointer as
 | |
| .Fa local_addr
 | |
| and
 | |
| .Fa remote_addr ,
 | |
| in which case that address is simply left unset.
 | |
| .Pp
 | |
| .Fn krb5_auth_con_setaddrs_from_fd
 | |
| fetches the addresses from a file descriptor.
 | |
| .Pp
 | |
| .Fn krb5_auth_con_genaddrs
 | |
| fetches the address information from the given file descriptor
 | |
| .Fa fd
 | |
| depending on the bitmap argument
 | |
| .Fa flags .
 | |
| .Pp
 | |
| Possible values on
 | |
| .Fa flags
 | |
| are:
 | |
| .Bl -tag -width Ds
 | |
| .It Va KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
 | |
| fetches the local address from
 | |
| .Fa fd .
 | |
| .It Va KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
 | |
| fetches the remote address from
 | |
| .Fa fd .
 | |
| .El
 | |
| .Pp
 | |
| .Fn krb5_auth_con_setkey ,
 | |
| .Fn krb5_auth_con_setuserkey
 | |
| and
 | |
| .Fn krb5_auth_con_getkey
 | |
| gets and sets the key used for this auth context. The keyblock returned by
 | |
| .Fn krb5_auth_con_getkey
 | |
| should be freed with
 | |
| .Fn krb5_free_keyblock .
 | |
| The keyblock passed to
 | |
| .Fn krb5_auth_con_setkey
 | |
| is copied into the
 | |
| .Nm krb5_auth_context ,
 | |
| and thus no special handling is needed.
 | |
| .Dv NULL
 | |
| is not a valid keyblock to
 | |
| .Fn krb5_auth_con_setkey .
 | |
| .Pp
 | |
| .Fn krb5_auth_con_setuserkey
 | |
| is only useful when doing user to user authentication.
 | |
| .Fn krb5_auth_con_setkey
 | |
| is equivalent to
 | |
| .Fn krb5_auth_con_setuserkey .
 | |
| .Pp
 | |
| .Fn krb5_auth_con_getlocalsubkey ,
 | |
| .Fn krb5_auth_con_setlocalsubkey ,
 | |
| .Fn krb5_auth_con_getremotesubkey
 | |
| and
 | |
| .Fn krb5_auth_con_setremotesubkey
 | |
| gets and sets the keyblock for the local and remote subkey. The keyblock returned by
 | |
| .Fn krb5_auth_con_getlocalsubkey
 | |
| and
 | |
| .Fn krb5_auth_con_getremotesubkey
 | |
| must be freed with
 | |
| .Fn krb5_free_keyblock .
 | |
| .Pp
 | |
| .Fn krb5_auth_setcksumtype
 | |
| and
 | |
| .Fn krb5_auth_getcksumtype
 | |
| sets and gets the checksum type that should be used for this
 | |
| connection.
 | |
| .Pp
 | |
| .Fn krb5_auth_getremoteseqnumber ,
 | |
| .Fn krb5_auth_setremoteseqnumber ,
 | |
| .Fn krb5_auth_getlocalseqnumber
 | |
| and
 | |
| .Fn krb5_auth_setlocalseqnumber
 | |
| gets and sets the sequence-number for the local and remote
 | |
| sequence-number counter.
 | |
| .Pp
 | |
| .Fn krb5_auth_setkeytype
 | |
| and
 | |
| .Fn krb5_auth_getkeytype
 | |
| sets and gets the keytype of the keyblock in
 | |
| .Nm krb5_auth_context .
 | |
| .Pp
 | |
| .Fn krb5_auth_getauthenticator
 | |
| retrieves the authenticator that was used during mutual
 | |
| authentication. The
 | |
| .Dv authenticator
 | |
| returned should be freed by calling
 | |
| .Fn krb5_free_authenticator .
 | |
| .Pp
 | |
| .Fn krb5_auth_con_getrcache
 | |
| and
 | |
| .Fn krb5_auth_con_setrcache
 | |
| gets and sets the replay-cache.
 | |
| .Pp
 | |
| .Fn krb5_auth_con_initivector
 | |
| allocates memory for and zeros the initial vector in the
 | |
| .Fa auth_context
 | |
| keyblock.
 | |
| .Pp
 | |
| .Fn krb5_auth_con_setivector
 | |
| sets the i_vector portion of
 | |
| .Fa auth_context
 | |
| to
 | |
| .Fa ivector .
 | |
| .Sh SEE ALSO
 | |
| .Xr krb5_context 3 ,
 | |
| .Xr kerberos 8
 |