api: GNU Generic Security Service (GSS) API Reference Manual

api

Functions

#define	GSS_CALLING_ERROR()
#define	GSS_ROUTINE_ERROR()
#define	GSS_SUPPLEMENTARY_INFO()
#define	GSS_ERROR()
OM_uint32	gss_acquire_cred ()
OM_uint32	gss_release_cred ()
OM_uint32	gss_init_sec_context ()
OM_uint32	gss_accept_sec_context ()
OM_uint32	gss_process_context_token ()
OM_uint32	gss_delete_sec_context ()
OM_uint32	gss_context_time ()
OM_uint32	gss_get_mic ()
OM_uint32	gss_verify_mic ()
OM_uint32	gss_wrap ()
OM_uint32	gss_unwrap ()
OM_uint32	gss_display_status ()
OM_uint32	gss_indicate_mechs ()
OM_uint32	gss_compare_name ()
OM_uint32	gss_display_name ()
OM_uint32	gss_import_name ()
OM_uint32	gss_export_name ()
OM_uint32	gss_release_name ()
OM_uint32	gss_release_buffer ()
OM_uint32	gss_release_oid_set ()
OM_uint32	gss_inquire_cred ()
OM_uint32	gss_inquire_context ()
OM_uint32	gss_wrap_size_limit ()
OM_uint32	gss_add_cred ()
OM_uint32	gss_inquire_cred_by_mech ()
OM_uint32	gss_export_sec_context ()
OM_uint32	gss_import_sec_context ()
OM_uint32	gss_create_empty_oid_set ()
OM_uint32	gss_add_oid_set_member ()
OM_uint32	gss_test_oid_set_member ()
OM_uint32	gss_inquire_names_for_mech ()
OM_uint32	gss_inquire_mechs_for_name ()
OM_uint32	gss_canonicalize_name ()
OM_uint32	gss_duplicate_name ()
OM_uint32	gss_sign ()
OM_uint32	gss_verify ()
OM_uint32	gss_seal ()
OM_uint32	gss_unseal ()
OM_uint32	gss_inquire_saslname_for_mech ()
OM_uint32	gss_inquire_mech_for_saslname ()
int	gss_oid_equal ()
OM_uint32	gss_encapsulate_token ()
OM_uint32	gss_decapsulate_token ()

Types and Values

typedef	gss_ctx_id_t
typedef	gss_cred_id_t
typedef	gss_name_t
typedef	gss_uint32
typedef	OM_uint32
typedef	gss_qop_t
typedef	gss_cred_usage_t
#define	GSS_C_DELEG_FLAG
#define	GSS_C_MUTUAL_FLAG
#define	GSS_C_REPLAY_FLAG
#define	GSS_C_SEQUENCE_FLAG
#define	GSS_C_CONF_FLAG
#define	GSS_C_INTEG_FLAG
#define	GSS_C_ANON_FLAG
#define	GSS_C_PROT_READY_FLAG
#define	GSS_C_TRANS_FLAG
#define	GSS_C_BOTH
#define	GSS_C_INITIATE
#define	GSS_C_ACCEPT
#define	GSS_C_GSS_CODE
#define	GSS_C_MECH_CODE
#define	GSS_C_AF_UNSPEC
#define	GSS_C_AF_LOCAL
#define	GSS_C_AF_INET
#define	GSS_C_AF_IMPLINK
#define	GSS_C_AF_PUP
#define	GSS_C_AF_CHAOS
#define	GSS_C_AF_NS
#define	GSS_C_AF_NBS
#define	GSS_C_AF_ECMA
#define	GSS_C_AF_DATAKIT
#define	GSS_C_AF_CCITT
#define	GSS_C_AF_SNA
#define	GSS_C_AF_DECnet
#define	GSS_C_AF_DLI
#define	GSS_C_AF_LAT
#define	GSS_C_AF_HYLINK
#define	GSS_C_AF_APPLETALK
#define	GSS_C_AF_BSC
#define	GSS_C_AF_DSS
#define	GSS_C_AF_OSI
#define	GSS_C_AF_X25
#define	GSS_C_AF_NULLADDR
#define	GSS_C_NO_NAME
#define	GSS_C_NO_BUFFER
#define	GSS_C_NO_OID
#define	GSS_C_NO_OID_SET
#define	GSS_C_NO_CONTEXT
#define	GSS_C_NO_CREDENTIAL
#define	GSS_C_NO_CHANNEL_BINDINGS
#define	GSS_C_EMPTY_BUFFER
#define	GSS_C_NULL_OID
#define	GSS_C_NULL_OID_SET
#define	GSS_C_QOP_DEFAULT
#define	GSS_C_INDEFINITE
extern gss_OID	GSS_C_NT_USER_NAME
extern gss_OID	GSS_C_NT_MACHINE_UID_NAME
extern gss_OID	GSS_C_NT_STRING_UID_NAME
extern gss_OID	GSS_C_NT_HOSTBASED_SERVICE_X
extern gss_OID	GSS_C_NT_HOSTBASED_SERVICE
extern gss_OID	GSS_C_NT_ANONYMOUS
extern gss_OID	GSS_C_NT_EXPORT_NAME
#define	GSS_S_COMPLETE
#define	GSS_C_CALLING_ERROR_OFFSET
#define	GSS_C_ROUTINE_ERROR_OFFSET
#define	GSS_C_SUPPLEMENTARY_OFFSET
#define	GSS_C_CALLING_ERROR_MASK
#define	GSS_C_ROUTINE_ERROR_MASK
#define	GSS_C_SUPPLEMENTARY_MASK
#define	GSS_S_CALL_INACCESSIBLE_READ
#define	GSS_S_CALL_INACCESSIBLE_WRITE
#define	GSS_S_CALL_BAD_STRUCTURE
#define	GSS_S_BAD_MECH
#define	GSS_S_BAD_NAME
#define	GSS_S_BAD_NAMETYPE
#define	GSS_S_BAD_BINDINGS
#define	GSS_S_BAD_STATUS
#define	GSS_S_BAD_SIG
#define	GSS_S_BAD_MIC
#define	GSS_S_NO_CRED
#define	GSS_S_NO_CONTEXT
#define	GSS_S_DEFECTIVE_TOKEN
#define	GSS_S_DEFECTIVE_CREDENTIAL
#define	GSS_S_CREDENTIALS_EXPIRED
#define	GSS_S_CONTEXT_EXPIRED
#define	GSS_S_FAILURE
#define	GSS_S_BAD_QOP
#define	GSS_S_UNAUTHORIZED
#define	GSS_S_UNAVAILABLE
#define	GSS_S_DUPLICATE_ELEMENT
#define	GSS_S_NAME_NOT_MN
#define	GSS_S_CONTINUE_NEEDED
#define	GSS_S_DUPLICATE_TOKEN
#define	GSS_S_OLD_TOKEN
#define	GSS_S_UNSEQ_TOKEN
#define	GSS_S_GAP_TOKEN
typedef	gss_const_buffer_t
typedef	gss_const_ctx_id_t
typedef	gss_const_cred_id_t
typedef	gss_const_name_t
typedef	gss_const_OID
typedef	gss_const_OID_set

Description

Functions

GSS_CALLING_ERROR()

#define             GSS_CALLING_ERROR(x)

GSS_ROUTINE_ERROR()

#define             GSS_ROUTINE_ERROR(x)

GSS_SUPPLEMENTARY_INFO()

#define             GSS_SUPPLEMENTARY_INFO(x)

GSS_ERROR()

#define             GSS_ERROR(x)

gss_acquire_cred ()

OM_uint32
gss_acquire_cred (OM_uint32 *minor_status,
                  const gss_name_t desired_name,
                  OM_uint32 time_req,
                  const gss_OID_set desired_mechs,
                  gss_cred_usage_t cred_usage,
                  gss_cred_id_t *output_cred_handle,
                  gss_OID_set *actual_mechs,
                  OM_uint32 *time_rec);

Allows an application to acquire a handle for a pre-existing credential by name. GSS-API implementations must impose a local access-control policy on callers of this routine to prevent unauthorized callers from acquiring credentials to which they are not entitled. This routine is not intended to provide a "login to the network" function, as such a function would involve the creation of new credentials rather than merely acquiring a handle to existing credentials. Such functions, if required, should be defined in implementation-specific extensions to the API.

If desired_name is GSS_C_NO_NAME, the call is interpreted as a request for a credential handle that will invoke default behavior when passed to gss_init_sec_context() (if cred_usage is GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).

Mechanisms should honor the desired_mechs parameter, and return a credential that is suitable to use only with the requested mechanisms. An exception to this is the case where one underlying credential element can be shared by multiple mechanisms; in this case it is permissible for an implementation to indicate all mechanisms with which the credential element may be used. If desired_mechs is an empty set, behavior is undefined.

This routine is expected to be used primarily by context acceptors, since implementations are likely to provide mechanism-specific ways of obtaining GSS-API initiator credentials from the system login process. Some implementations may therefore not support the acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name produced by applying either gss_inquire_cred to a valid credential, or gss_inquire_context to an active context.

If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required (e.g. by gss_init_sec_context or gss_accept_sec_context). Such mechanism-specific implementation decisions should be invisible to the calling application; thus a call of gss_inquire_cred immediately following the call of gss_acquire_cred must return valid credential data, and may therefore incur the overhead of a deferred credential acquisition.

Parameters

minor_status	(integer, modify) Mechanism specific status code.
desired_name	(gss_name_t, read) Name of principal whose credential should be acquired.
time_req	(Integer, read, optional) Number of seconds that credentials should remain valid. Specify GSS_C_INDEFINITE to request that the credentials have the maximum permitted lifetime.
desired_mechs	(Set of Object IDs, read, optional) Set of underlying security mechanisms that may be used. GSS_C_NO_OID_SET may be used to obtain an implementation-specific default.
cred_usage	(gss_cred_usage_t, read) GSS_C_BOTH - Credentials may be used either to initiate or accept security contexts. GSS_C_INITIATE - Credentials will only be used to initiate security contexts. GSS_C_ACCEPT - Credentials will only be used to accept security contexts.
output_cred_handle	(gss_cred_id_t, modify) The returned credential handle. Resources associated with this credential handle must be released by the application after use with a call to `gss_release_cred()`.
actual_mechs	(Set of Object IDs, modify, optional) The set of mechanisms for which the credential is valid. Storage associated with the returned OID-set must be released by the application after use with a call to `gss_release_oid_set()`. Specify NULL if not required.
time_rec	(Integer, modify, optional) Actual number of seconds for which the returned credentials will remain valid. If the implementation does not support expiration of credentials, the value GSS_C_INDEFINITE will be returned. Specify NULL if not required.

Returns

GSS_S_COMPLETE: Successful completion.

GSS_S_BAD_MECH: Unavailable mechanism requested.

GSS_S_BAD_NAMETYPE: Type contained within desired_name parameter is not supported.

GSS_S_BAD_NAME: Value supplied for desired_name parameter is ill formed.

GSS_S_CREDENTIALS_EXPIRED: The credentials could not be acquired Because they have expired.

GSS_S_NO_CRED: No credentials were found for the specified name.

gss_release_cred ()

OM_uint32
gss_release_cred (OM_uint32 *minor_status,
                  gss_cred_id_t *cred_handle);

Informs GSS-API that the specified credential handle is no longer required by the application, and frees associated resources. The cred_handle is set to GSS_C_NO_CREDENTIAL on successful completion of this call.

Parameters

minor_status	(Integer, modify) Mechanism specific status code.
cred_handle	(gss_cred_id_t, modify, optional) Opaque handle identifying credential to be released. If GSS_C_NO_CREDENTIAL is supplied, the routine will complete successfully, but will do nothing.

Returns

GSS_S_COMPLETE: Successful completion.

GSS_S_NO_CRED: Credentials could not be accessed.

gss_init_sec_context ()

OM_uint32
gss_init_sec_context (OM_uint32 *minor_status,
                      const gss_cred_id_t initiator_cred_handle,
                      gss_ctx_id_t *context_handle,
                      const gss_name_t target_name,
                      const gss_OID mech_type,
                      OM_uint32 req_flags,
                      OM_uint32 time_req,
                      const gss_channel_bindings_t input_chan_bindings,
                      const gss_buffer_t input_token,
                      gss_OID *actual_mech_type,
                      gss_buffer_t output_token,
                      OM_uint32 *ret_flags,
                      OM_uint32 *time_rec);

Initiates the establishment of a security context between the application and a remote peer. Initially, the input_token parameter should be specified either as GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose length field contains the value zero. The routine may return a output_token which should be transferred to the peer application, where the peer application will present it to gss_accept_sec_context. If no token need be sent, gss_init_sec_context will indicate this by setting the length field of the output_token argument to zero. To complete the context establishment, one or more reply tokens may be required from the peer application; if so, gss_init_sec_context will return a status containing the supplementary information bit GSS_S_CONTINUE_NEEDED. In this case, gss_init_sec_context should be called again when the reply token is received from the peer application, passing the reply token to gss_init_sec_context via the input_token parameters.

Portable applications should be constructed to use the token length and return status to determine whether a token needs to be sent or waited for. Thus a typical portable caller should always invoke gss_init_sec_context within a loop:

Portable applications should be constructed to use the token length and return status to determine whether a token needs to be sent or waited for. Thus a typical portable caller should always invoke gss_init_sec_context within a loop:

int context_established = 0; gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; ... input_token->length = 0;

while (!context_established) { maj_stat = gss_init_sec_context(&min_stat, cred_hdl, &context_hdl, target_name, desired_mech, desired_services, desired_time, input_bindings, input_token, &actual_mech, output_token, &actual_services, &actual_time); if (GSS_ERROR(maj_stat)) { report_error(maj_stat, min_stat); };

if (output_token->length != 0) { send_token_to_peer(output_token); gss_release_buffer(&min_stat, output_token) }; if (GSS_ERROR(maj_stat)) {

if (context_hdl != GSS_C_NO_CONTEXT) gss_delete_sec_context(&min_stat, &context_hdl, GSS_C_NO_BUFFER); break; };

if (maj_stat & GSS_S_CONTINUE_NEEDED) { receive_token_from_peer(input_token); } else { context_established = 1; };

};

Whenever the routine returns a major status that includes the value GSS_S_CONTINUE_NEEDED, the context is not fully established and the following restrictions apply to the output parameters:

The value returned via the time_rec parameter is undefined unless the accompanying ret_flags parameter contains the bit GSS_C_PROT_READY_FLAG, indicating that per-message services may be applied in advance of a successful completion status, the value returned via the actual_mech_type parameter is undefined until the routine returns a major status value of GSS_S_COMPLETE.
The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG, GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG, GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the ret_flags parameter should contain the values that the implementation expects would be valid if context establishment were to succeed. In particular, if the application has requested a service such as delegation or anonymous authentication via the req_flags argument, and such a service is unavailable from the underlying mechanism, gss_init_sec_context should generate a token that will not provide the service, and indicate via the ret_flags argument that the service will not be supported. The application may choose to abort the context establishment by calling gss_delete_sec_context (if it cannot continue in the absence of the service), or it may choose to transmit the token and continue context establishment (if the service was merely desired but not mandatory).
The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits within ret_flags should indicate the actual state at the time gss_init_sec_context returns, whether or not the context is fully established.
GSS-API implementations that support per-message protection are encouraged to set the GSS_C_PROT