Next: Ticket Functions, Previous: AP-REQ and AP-REP Functions, Up: Programming Manual [Contents][Index]
The “KRB-SAFE” is an ASN.1 structure used by application clients and servers to exchange integrity-protected data. The integrity protection is keyed, usually with a key agreed on via the AP exchange (see AP-REQ and AP-REP Functions). The following illustrates the KRB-SAFE ASN.1 structure.

    KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
        pvno       [0] INTEGER (5),
        msg-type   [1] INTEGER (20),
        safe-body  [2] KRB-SAFE-BODY,
        cksum      [3] Checksum
    }

    KRB-SAFE-BODY ::= SEQUENCE {
        user-data  [0] OCTET STRING,
        timestamp  [1] KerberosTime OPTIONAL,
        usec       [2] Microseconds OPTIONAL,
        seq-number [3] UInt32 OPTIONAL,
        s-address  [4] HostAddress,
        r-address  [5] HostAddress OPTIONAL
    }
handle: shishi handle as allocated by shishi_init().
safe: pointer to new structure that holds information about SAFE exchange
Description: Create a new SAFE exchange.
Return value: Returns SHISHI_OK iff successful.
safe: structure that holds information about SAFE exchange
Description: Deallocate resources associated with SAFE exchange. This should be called by the application when it no longer needs to utilize the SAFE exchange handle.
safe: structure that holds information about SAFE exchange
Description: Get key structure from SAFE exchange.
Return value: Returns the key used in the SAFE exchange, or NULL if not yet set or an error occurred.
safe: structure that holds information about SAFE exchange
key: key to store in SAFE.
Description: Set the Key in the SAFE exchange.
safe: structure that holds information about SAFE exchange
Description: Get ASN.1 SAFE structure from SAFE exchange.
Return value: Returns the ASN.1 safe in the SAFE exchange, or NULL if not yet set or an error occurred.
safe: structure that holds information about SAFE exchange
asn1safe: KRB-SAFE to store in SAFE exchange.
Description: Set the KRB-SAFE in the SAFE exchange.
safe: safe as allocated by shishi_safe().
out: output array with newly allocated DER encoding of SAFE.
outlen: length of output array with DER encoding of SAFE.
Description: DER encode SAFE structure. Typically shishi_safe_build() is used to build the SAFE structure first. out is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
safe: safe as allocated by shishi_safe().
der: input array with DER encoded KRB-SAFE.
derlen: length of input array with DER encoded KRB-SAFE.
Description: DER decode KRB-SAFE and set it in the SAFE exchange. If decoding fails, the KRB-SAFE already in the SAFE exchange remains unchanged.
Return value: Returns SHISHI_OK.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for writing.
safe: SAFE to print.
Description: Print ASCII armored DER encoding of SAFE to file.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for writing.
safe: SAFE to save.
Description: Save DER encoding of SAFE to file.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: SAFE to save.
filetype: input variable specifying type of file to be written, see Shishi_filetype.
filename: input variable with filename to write to.
Description: Write SAFE to file in specified TYPE. The file will be truncated if it exists.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for reading.
safe: output variable with newly allocated SAFE.
Description: Read ASCII armored DER encoded SAFE from file and populate given variable.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for reading.
safe: output variable with newly allocated SAFE.
Description: Read DER encoded SAFE from file and populate given variable.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: output variable with newly allocated SAFE.
filetype: input variable specifying type of file to be read, see Shishi_filetype.
filename: input variable with filename to read from.
Description: Read SAFE from file in specified TYPE.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: safe as allocated by shishi_safe().
cksumtype: output checksum type.
cksum: output array with newly allocated checksum data from SAFE.
cksumlen: output size of output checksum data buffer.
Description: Read checksum value from KRB-SAFE. cksum is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: safe as allocated by shishi_safe().
cksumtype: input checksum type to store in SAFE.
cksum: input checksum data to store in SAFE.
cksumlen: size of input checksum data to store in SAFE.
Description: Store checksum value in SAFE. A checksum is usually created by calling shishi_checksum() on some application specific data using the key from the ticket that is being used. To save time, you may want to use shishi_safe_build() instead, which calculates the checksum and calls this function in one step.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: safe as allocated by shishi_safe().
userdata: output array with newly allocated user data from KRB-SAFE.
userdatalen: output size of output user data buffer.
Description: Read user data value from KRB-SAFE. userdata is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
safe: safe as allocated by shishi_safe().
userdata: input user application data to store in SAFE.
userdatalen: size of input user application data to store in SAFE.
Description: Set the application data in SAFE.
Return value: Returns SHISHI_OK iff successful.
safe: safe as allocated by shishi_safe().
key: key for session, used to compute checksum.
Description: Build checksum and set it in KRB-SAFE. Note that this follows RFC 1510bis and is incompatible with RFC 1510, although presumably few implementations use the RFC1510 algorithm.
Return value: Returns SHISHI_OK iff successful.
safe: safe as allocated by shishi_safe().
key: key for session, used to verify checksum.
Description: Verify checksum in KRB-SAFE. Note that this follows RFC 1510bis and is incompatible with RFC 1510, although presumably few implementations use the RFC1510 algorithm.
Return value: Returns SHISHI_OK iff successful, SHISHI_SAFE_BAD_KEYTYPE if an incompatible key type is used, or SHISHI_SAFE_VERIFY_FAILED if the actual verification failed.
The “KRB-PRIV” is an ASN.1 structure used by application clients and servers to exchange confidential data. The confidentiality is keyed, usually with a key agreed on via the AP exchange (see AP-REQ and AP-REP Functions). The following illustrates the KRB-PRIV ASN.1 structure.

    KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
        pvno     [0] INTEGER (5),
        msg-type [1] INTEGER (21),
                 -- NOTE: there is no [2] tag
        enc-part [3] EncryptedData -- EncKrbPrivPart
    }

    EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
        user-data  [0] OCTET STRING,
        timestamp  [1] KerberosTime OPTIONAL,
        usec       [2] Microseconds OPTIONAL,
        seq-number [3] UInt32 OPTIONAL,
        s-address  [4] HostAddress -- sender's addr --,
        r-address  [5] HostAddress OPTIONAL -- recip's addr
    }
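The two outer structures (KRB-SAFE above in the previous section and KRB-PRIV here) are easy to get wrong when encoded or validated by hand, so here is an added example, written for this page and not taken from the Shishi manual or library, that DER-encodes a KRB-SAFE and a KRB-PRIV with exactly the tags shown and then parses the header of a received message to classify it. It uses only the C standard library. Assumptions the example makes: only the mandatory KRB-SAFE-BODY fields are emitted (user-data and an IPv4 s-address); the checksum bytes and the EncKrbPrivPart ciphertext are constructed placeholders passed in by the caller, standing in for what shishi_checksum() and shishi_encrypt() produce with the session key; the type numbers in the sample data (cksumtype 16, etype 18) are the RFC 3962 AES values; and the names krb_safe_encode, krb_priv_encode, krb_msg_type and the SAMPLE_* constants are this example's own, not Shishi API.

```c
#include <stdint.h>
#include <string.h>

/* Minimal DER writer (tag, 1- or 2-byte length, contents); callers bound len < 256. */
static size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    size_t n = 1;
    out[0] = tag;
    if (len >= 128) out[n++] = 0x81;          /* long form is needed for 128..255 */
    out[n++] = (uint8_t) len;
    memcpy(out + n, val, len);
    return n + len;
}

/* [n] EXPLICIT context tag (constructed, 0xa0 | n) around an already encoded element. */
static size_t der_ctx(uint8_t *out, int n, const uint8_t *inner, size_t len)
{
    return der_tlv(out, (uint8_t) (0xa0 | n), inner, len);
}

/* [n] { INTEGER v } for the small non-negative values used here (v < 128, no leading 0x00). */
static size_t der_ctx_int(uint8_t *out, int n, uint8_t v)
{
    uint8_t i[3] = { 0x02, 1, v };
    return der_ctx(out, n, i, 3);
}

/* SEQUENCE { [itag] INTEGER, [otag] OCTET STRING }: the shape of HostAddress, Checksum and EncryptedData (without kvno). */
static size_t int_octets_seq(uint8_t *out, int itag, uint8_t v, int otag, const uint8_t *data, size_t len)
{
    uint8_t tmp[256], seq[256];
    size_t n = der_ctx_int(seq, itag, v), m = der_tlv(tmp, 0x04, data, len);
    n += der_ctx(seq + n, otag, tmp, m);
    return der_tlv(out, 0x30, seq, n);
}

/* KRB-SAFE: [APPLICATION 20] SEQUENCE { pvno [0], msg-type [1], safe-body [2], cksum [3] }.
   Only the mandatory body fields (user-data, IPv4 s-address) are emitted. The cksum bytes
   come from the caller: Shishi derives them from the session key, the test data below is
   a constructed placeholder. */
size_t krb_safe_encode(uint8_t *out, const uint8_t *userdata, size_t ulen, const uint8_t ipv4[4],
                       uint8_t cksumtype, const uint8_t *cksum, size_t clen)
{
    uint8_t tmp[256], body[256], seq[256];
    size_t n, b, m;
    if (ulen > 128 || clen > 64) return 0;                  /* keeps every length below 256 */
    m = der_tlv(tmp, 0x04, userdata, ulen);    b = der_ctx(body, 0, tmp, m);
    m = int_octets_seq(tmp, 0, 2, 1, ipv4, 4); b += der_ctx(body + b, 4, tmp, m); /* addr-type 2 = IPv4 */
    n = der_ctx_int(seq, 0, 5);
    n += der_ctx_int(seq + n, 1, 20);
    m = der_tlv(tmp, 0x30, body, b);           n += der_ctx(seq + n, 2, tmp, m);
    m = int_octets_seq(tmp, 0, cksumtype, 1, cksum, clen); n += der_ctx(seq + n, 3, tmp, m);
    m = der_tlv(tmp, 0x30, seq, n);                         /* the SEQUENCE ... */
    return der_tlv(out, 0x74, tmp, m);                      /* ... inside 0x60 | 20 = [APPLICATION 20] */
}

/* KRB-PRIV: [APPLICATION 21] SEQUENCE { pvno [0], msg-type [1], enc-part [3] }. Tag 1 is
   followed directly by tag 3, there is no [2]. cipher is the encrypted EncKrbPrivPart, opaque here. */
size_t krb_priv_encode(uint8_t *out, uint8_t etype, const uint8_t *cipher, size_t clen)
{
    uint8_t tmp[256], seq[256];
    size_t n, m;
    if (clen > 200) return 0;
    n = der_ctx_int(seq, 0, 5);
    n += der_ctx_int(seq + n, 1, 21);
    m = int_octets_seq(tmp, 0, etype, 2, cipher, clen); n += der_ctx(seq + n, 3, tmp, m);
    m = der_tlv(tmp, 0x30, seq, n);
    return der_tlv(out, 0x75, tmp, m);                      /* 0x60 | 21 = [APPLICATION 21] */
}

/* Reads the length at p[1..]: stores the header size in *hdr, returns the content length or -1. */
static long der_len(const uint8_t *p, size_t avail, size_t *hdr)
{
    if (avail >= 2 && p[1] < 0x80) { *hdr = 2; return p[1]; }
    if (avail >= 3 && p[1] == 0x81 && p[2] >= 0x80) { *hdr = 3; return p[2]; }
    return -1;                                  /* truncated, non-minimal or too long for this example */
}

/* Classifies a received message as KRB-SAFE (20) or KRB-PRIV (21) from its header alone; -1 if
   the APPLICATION tag, pvno (must be 5) or msg-type is wrong or the buffer is truncated. */
int krb_msg_type(const uint8_t *der, size_t len)
{
    const uint8_t *p; size_t h, rem; long l;
    if (len < 1 || (der[0] & 0xe0) != 0x60) return -1;     /* APPLICATION class, constructed */
    if ((l = der_len(der, len, &h)) < 0 || (size_t) l + h > len) return -1;
    p = der + h; rem = (size_t) l;
    if (rem < 1 || p[0] != 0x30) return -1;                /* the SEQUENCE inside the tag */
    if ((l = der_len(p, rem, &h)) < 0 || (size_t) l + h > rem) return -1;
    p += h; rem = (size_t) l;
    /* [0] { INTEGER 5 } then [1] { INTEGER msg-type }: 10 bytes, the last one is the type */
    if (rem < 10 || memcmp(p, "\xa0\x03\x02\x01\x05\xa1\x03\x02\x01", 9) != 0) return -1;
    if (p[9] != (der[0] & 0x1f) || (p[9] != 20 && p[9] != 21)) return -1;  /* tag must match msg-type */
    return p[9];
}

/* Constructed sample inputs (not captured traffic); RFC 3962 numbers: cksumtype 16 = hmac-sha1-96-aes256, etype 18 = aes256-cts-hmac-sha1-96. */
const uint8_t SAMPLE_USERDATA[2] = { 'h', 'i' };
const uint8_t SAMPLE_IPV4[4] = { 10, 0, 0, 1 };
const uint8_t SAMPLE_CKSUM[12] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
const uint8_t SAMPLE_CIPHER[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
uint8_t g_safe[256], g_priv[256];
```

Calling krb_safe_encode(g_safe, SAMPLE_USERDATA, 2, SAMPLE_IPV4, 16, SAMPLE_CKSUM, 12) yields a 66-byte KRB-SAFE and krb_priv_encode(g_priv, 18, SAMPLE_CIPHER, 16) a 43-byte KRB-PRIV; in the latter the element after msg-type starts with 0xa3, the [3] context tag, with nothing at [2]. krb_msg_type() rejects a message whose APPLICATION tag disagrees with its msg-type, a pvno other than 5, and truncated or non-minimal length encodings. Doing these structural checks before the SAFE checksum verification or the PRIV decryption step means that step is only ever handed a well-formed message of the expected type, so an unexpected message cannot be mistaken for a checksum or decryption failure.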
handle: shishi handle as allocated by shishi_init().
priv: pointer to new structure that holds information about PRIV exchange
Description: Create a new PRIV exchange.
Return value: Returns SHISHI_OK iff successful.
priv: structure that holds information about PRIV exchange
Description: Deallocate resources associated with PRIV exchange. This should be called by the application when it no longer needs to utilize the PRIV exchange handle.
priv: structure that holds information about PRIV exchange
Description: Get key from PRIV exchange.
Return value: Returns the key used in the PRIV exchange, or NULL if not yet set or an error occurred.
priv: structure that holds information about PRIV exchange
key: key to store in PRIV.
Description: Set the Key in the PRIV exchange.
priv: structure that holds information about PRIV exchange
Description: Get ASN.1 PRIV structure from PRIV exchange.
Return value: Returns the ASN.1 priv in the PRIV exchange, or NULL if not yet set or an error occurred.
priv: structure that holds information about PRIV exchange
asn1priv: KRB-PRIV to store in PRIV exchange.
Description: Set the KRB-PRIV in the PRIV exchange.
priv: priv as allocated by shishi_priv().
out: output array with newly allocated DER encoding of PRIV.
outlen: length of output array with DER encoding of PRIV.
Description: DER encode PRIV structure. Typically shishi_priv_build() is used to build the PRIV structure first. out is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
priv: priv as allocated by shishi_priv().
der: input array with DER encoded KRB-PRIV.
derlen: length of input array with DER encoded KRB-PRIV.
Description: DER decode KRB-PRIV and set it in the PRIV exchange. If decoding fails, the KRB-PRIV already in the PRIV exchange remains unchanged.
Return value: Returns SHISHI_OK.
priv: structure that holds information about PRIV exchange
Description: Get ASN.1 EncPrivPart structure from PRIV exchange.
Return value: Returns the ASN.1 encprivpart in the PRIV exchange, or NULL if not yet set or an error occurred.
priv: structure that holds information about PRIV exchange
asn1encprivpart: ENCPRIVPART to store in PRIV exchange.
Description: Set the ENCPRIVPART in the PRIV exchange.
priv: priv as allocated by shishi_priv().
out: output array with newly allocated DER encoding of ENCPRIVPART.
outlen: length of output array with DER encoding of ENCPRIVPART.
Description: DER encode ENCPRIVPART structure. out is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
priv: priv as allocated by shishi_priv().
der: input array with DER encoded ENCPRIVPART.
derlen: length of input array with DER encoded ENCPRIVPART.
Description: DER decode ENCPRIVPART and set it in the PRIV exchange. If decoding fails, the ENCPRIVPART already in the PRIV exchange remains unchanged.
Return value: Returns SHISHI_OK.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for writing.
priv: PRIV to print.
Description: Print ASCII armored DER encoding of PRIV to file.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for writing.
priv: PRIV to save.
Description: Save DER encoding of PRIV to file.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
priv: PRIV to save.
filetype: input variable specifying type of file to be written, see Shishi_filetype.
filename: input variable with filename to write to.
Description: Write PRIV to file in specified TYPE. The file will be truncated if it exists.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for reading.
priv: output variable with newly allocated PRIV.
Description: Read ASCII armored DER encoded PRIV from file and populate given variable.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
fh: file handle open for reading.
priv: output variable with newly allocated PRIV.
Description: Read DER encoded PRIV from file and populate given variable.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
priv: output variable with newly allocated PRIV.
filetype: input variable specifying type of file to be read, see Shishi_filetype.
filename: input variable with filename to read from.
Description: Read PRIV from file in specified TYPE.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
priv: PRIV variable to get value from.
etype: output variable that holds the value.
Description: Extract PRIV.enc-part.etype.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
priv: priv as allocated by shishi_priv().
etype: input encryption type to store in PRIV.
encpart: input encrypted data to store in PRIV.
encpartlen: size of input encrypted data to store in PRIV.
Description: Store encrypted data in PRIV. The encrypted data is usually created by calling shishi_encrypt() on some application specific data using the key from the ticket that is being used. To save time, you may want to use shishi_priv_build() instead, which encrypts the data and calls this function in one step.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
encprivpart: encprivpart as allocated by shishi_priv().
userdata: output array with newly allocated user data from KRB-PRIV.
userdatalen: output size of output user data buffer.
Description: Read user data value from KRB-PRIV. userdata is allocated by this function, and it is the responsibility of the caller to deallocate it.
Return value: Returns SHISHI_OK iff successful.
handle: shishi handle as allocated by shishi_init().
encprivpart: encprivpart as allocated by shishi_priv().
userdata: input user application data to store in PRIV.
userdatalen: size of input user application data to store in PRIV.
Description: Set the application data in PRIV.
Return value: Returns SHISHI_OK iff successful.
priv: priv as allocated by shishi_priv().
key: key for session, used to encrypt data.
Description: Build checksum and set it in KRB-PRIV. Note that this follows RFC 1510bis and is incompatible with RFC 1510, although presumably few implementations use the RFC1510 algorithm.
Return value: Returns SHISHI_OK iff successful.
priv: priv as allocated by shishi_priv().
key: key to use to decrypt EncPrivPart.
Description: Decrypt encrypted data in KRB-PRIV and set the EncPrivPart in the PRIV exchange.
Return value: Returns SHISHI_OK iff successful, SHISHI_PRIV_BAD_KEYTYPE if an incompatible key type is used, or SHISHI_CRYPTO_ERROR if the actual decryption failed.