required from the peer application; if so, gss_init_sec_context will
return a status indicating GSS_S_CONTINUE_NEEDED in which case it
should be called again when the reply token is received from the peer
application, passing the token to gss_init_sec_context via the
input_token parameters.
The values returned via the ret_flags and time_rec parameters are not
defined unless the routine returns GSS_S_COMPLETE.
Parameters:
claimant_cred_handle gss_cred_id_t, read, optional
handle for credentials claimed. Supply
GSS_C_NO_CREDENTIAL to use default
credentials.
context_handle gss_ctx_id_t, read/modify
context handle for new context. Supply
GSS_C_NO_CONTEXT for first call; use value
returned by first call in continuation calls.
Wray [Page 17]
RFC 1509 GSSAPI - Overview and C bindings September 1993
target_name gss_name_t, read
Name of target
mech_type OID, read, optional
Object ID of desired mechanism. Supply
GSS_C_NULL_OID to obtain an implementation
specific default
req_flags bit-mask, read
Contains four independent flags, each of
which requests that the context support a
specific service option. Symbolic
names are provided for each flag, and the
symbolic names corresponding to the required
flags should be logically-ORed
together to form the bit-mask value. The
flags are:
GSS_C_DELEG_FLAG
True - Delegate credentials to remote peer
False - Don't delegate
GSS_C_MUTUAL_FLAG
True - Request that remote peer
authenticate itself
False - Authenticate self to remote peer
only
GSS_C_REPLAY_FLAG
True - Enable replay detection for signed
or sealed messages
False - Don't attempt to detect
replayed messages
GSS_C_SEQUENCE_FLAG
True - Enable detection of out-of-sequence
signed or sealed messages
False - Don't attempt to detect
out-of-sequence messages
time_req integer, read
Desired number of seconds for which context
should remain valid. Supply 0 to request a
default validity period.
input_chan_bindings channel bindings, read
Application-specified bindings. Allows
application to securely bind channel
identification information to the security
context.
input_token buffer, opaque, read, optional (see text)
Token received from peer application.
Supply GSS_C_NO_BUFFER on initial call.
actual_mech_type OID, modify
actual mechanism used.
output_token buffer, opaque, modify
token to be sent to peer application. If
the length field of the returned buffer is
zero, no token need be sent to the peer
application.
ret_flags bit-mask, modify
Contains six independent flags, each of which
indicates that the context supports a specific
service option. Symbolic names are provided
for each flag, and the symbolic names
corresponding to the required flags should be
logically-ANDed with the ret_flags value to test
whether a given option is supported by the
context. The flags are:
GSS_C_DELEG_FLAG
True - Credentials were delegated to
the remote peer
False - No credentials were delegated
GSS_C_MUTUAL_FLAG
True - Remote peer has been asked to
authenticate itself
False - Remote peer has not been asked to
authenticate itself
GSS_C_REPLAY_FLAG
True - replay of signed or sealed messages
will be detected
False - replayed messages will not be
detected
GSS_C_SEQUENCE_FLAG
True - out-of-sequence signed or sealed
messages will be detected
False - out-of-sequence messages will not
be detected
GSS_C_CONF_FLAG
True - Confidentiality service may be
invoked by calling seal routine
False - No confidentiality service (via
seal) available. seal will provide
message encapsulation, data-origin
authentication and integrity
services only.
GSS_C_INTEG_FLAG
True - Integrity service may be invoked by
calling either gss_sign or gss_seal
routines.
False - Per-message integrity service
unavailable.
time_rec integer, modify, optional
number of seconds for which the context
will remain valid. If the implementation does
not support credential expiration, the value
GSS_C_INDEFINITE will be returned. Specify
NULL if not required.
minor_status integer, modify
Mechanism specific status code.
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
application is required to complete the context, and
that gss_init_sec_context must be called again with
that token.
GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
the input_token failed
GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
performed on the credential failed.
GSS_S_NO_CRED The supplied credentials were not valid for context
initiation, or the credential handle did not
reference any credentials.
GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
GSS_S_BAD_BINDINGS The input_token contains channel bindings
that differ from those specified via the
input_chan_bindings parameter
GSS_S_BAD_SIG The input_token contains an invalid signature, or a
signature that could not be verified
GSS_S_OLD_TOKEN The input_token was too old. This is a fatal error
during context establishment
GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
a token already processed. This is a fatal error
during context establishment.
GSS_S_NO_CONTEXT Indicates that the supplied context handle did not
refer to a valid context
GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
invalid or unsupported type of name
GSS_S_BAD_NAME The provided target_name parameter was ill-formed.
GSS_S_FAILURE Failure. See minor_status for more information
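The two points above that callers most often get wrong are the GSS_S_CONTINUE_NEEDED loop (gss_init_sec_context must be called again with each reply token until GSS_S_COMPLETE, and ret_flags/time_rec are undefined before that) and the ret_flags check (a requested service option is only available if its bit is set in ret_flags after completion). The following C program is an added example, not code from RFC 1509: it models that initiator loop and the ret_flags check. The flag and status constants are assumed to be those of the RFC's gssapi.h, which is not shown on this page; sim_init_step and sim_accept_step are a constructed two-round stand-in for a real mechanism so that the control flow runs with no GSS-API library linked.

```c
/* Added example (not from RFC 1509): models the initiator's
 * GSS_S_CONTINUE_NEEDED loop and the ret_flags check. Constants are
 * assumed from the RFC's gssapi.h (not shown on this page). No GSS-API
 * library is linked: sim_init_step/sim_accept_step are a constructed
 * two-round mechanism so the control flow runs stand-alone. */
#include <stdint.h>
#include <string.h>

typedef uint32_t OM_uint32;

/* Service-option flag bits (assumed from the RFC's gssapi.h). */
#define GSS_C_DELEG_FLAG     1u
#define GSS_C_MUTUAL_FLAG    2u
#define GSS_C_REPLAY_FLAG    4u
#define GSS_C_SEQUENCE_FLAG  8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u

/* Major-status layout (assumed from the RFC's gssapi.h): calling errors
 * at bit offset 24, routine errors at offset 16, supplementary bits at
 * offset 0. GSS_S_CONTINUE_NEEDED is supplementary, so it is not an error. */
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_S_COMPLETE             0u
#define GSS_S_CONTINUE_NEEDED      1u
#define GSS_S_DEFECTIVE_TOKEN      (9u  << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE              (13u << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_ERROR(x)  ((x) & ((0xFFu << GSS_C_ROUTINE_ERROR_OFFSET) | (0xFFu << 24)))

struct token { size_t length; char data[16]; };

/* Constructed mechanism state: which round of the handshake we are in. */
struct sim_ctx { int round; };

/* Constructed stand-in for gss_init_sec_context: round 0 emits a request
 * token and asks to be called again; round 1 consumes the reply and
 * completes. ret_flags is written only on completion, as the RFC says. */
static OM_uint32 sim_init_step(struct sim_ctx *ctx, OM_uint32 req_flags,
                               OM_uint32 peer_supported,
                               const struct token *input_token,
                               struct token *output_token,
                               OM_uint32 *ret_flags)
{
    if (ctx->round == 0) {
        ctx->round = 1;
        output_token->length = strlen("AP-REQ");
        memcpy(output_token->data, "AP-REQ", output_token->length);
        return GSS_S_CONTINUE_NEEDED;          /* a reply token is required */
    }
    if (input_token->length != strlen("AP-REP") ||
        memcmp(input_token->data, "AP-REP", input_token->length) != 0)
        return GSS_S_DEFECTIVE_TOKEN;          /* consistency check on input_token failed */
    output_token->length = 0;                  /* zero length: nothing more to send */
    *ret_flags = req_flags & peer_supported;   /* only options both sides support */
    return GSS_S_COMPLETE;
}

/* Constructed stand-in for the acceptor: answers AP-REQ with AP-REP
 * (or a corrupted reply when tamper is set, to exercise the error path). */
static void sim_accept_step(const struct token *in, struct token *reply, int tamper)
{
    reply->length = 0;
    if (in->length == strlen("AP-REQ") && memcmp(in->data, "AP-REQ", in->length) == 0) {
        const char *msg = tamper ? "XX-XXX" : "AP-REP";
        reply->length = strlen(msg);
        memcpy(reply->data, msg, reply->length);
    }
}

struct establish_result {
    OM_uint32 major;      /* final major status */
    OM_uint32 ret_flags;  /* valid only when major == GSS_S_COMPLETE */
    OM_uint32 missing;    /* requested options the context does not provide */
    int calls;            /* number of init calls made */
};

/* Initiator driver: loops while GSS_S_CONTINUE_NEEDED is set, stops on any
 * error, and reads ret_flags only after GSS_S_COMPLETE. */
struct establish_result establish(OM_uint32 req_flags, OM_uint32 peer_supported, int tamper)
{
    struct sim_ctx ctx = {0};
    struct token in = {0}, out = {0};
    struct establish_result r = {0};
    OM_uint32 ret_flags = 0;

    do {
        r.major = sim_init_step(&ctx, req_flags, peer_supported, &in, &out, &ret_flags);
        r.calls++;
        if (GSS_ERROR(r.major))
            return r;                          /* ret_flags undefined: r.ret_flags stays 0 */
        in.length = 0;
        if (out.length > 0)                    /* zero length means no token need be sent */
            sim_accept_step(&out, &in, tamper);
    } while (r.major & GSS_S_CONTINUE_NEEDED);

    /* The symbolic names are ANDed with ret_flags to test each option. A
     * requested option missing here was not granted: e.g. without
     * GSS_C_CONF_FLAG, gss_seal gives integrity but no confidentiality. */
    r.ret_flags = ret_flags;
    r.missing = req_flags & ~ret_flags;
    return r;
}
```

Calling establish(GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | GSS_C_REPLAY_FLAG, 0) takes two init calls and completes with GSS_C_CONF_FLAG reported as missing, which is the case an application must check before treating sealed messages as private; with tamper set, the second call fails with GSS_S_DEFECTIVE_TOKEN and the loop exits without reading ret_flags.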
3.4. gss_accept_sec_context
OM_uint32 gss_accept_sec_context (
        OM_uint32 *             minor_status,
        gss_ctx_id_t *          context_handle,
        gss_cred_id_t           verifier_cred_handle,
        gss_buffer_t            input_token_buffer,
        gss_channel_bindings_t  input_chan_bindings,
        gss_name_t *            src_name,
        gss_OID *               mech_type,
        gss_buffer_t            output_token,
        int *                   ret_flags,
        OM_uint32 *             time_rec,
        gss_cred_id_t *         delegated_cred_handle)
Purpose:
Allows a remotely initiated security context between the application
and a remote peer to be established. The routine may return a
output_token which should be transferred to the peer application,
where the peer application will present it to gss_init_sec_context.
If no token need be sent, gss_accept_sec_context will indicate this
by setting the length field of the output_token argument to zero. To
complete the context establishment, one or more reply tokens may be
required from the peer application; if so, gss_accept_sec_context
will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
should be called again when the reply token is received from the peer
application, passing the token to gss_accept_sec_context via the
input_token parameters.
The values returned via the src_name, ret_flags, time_rec, and
delegated_cred_handle parameters are not defined unless the routine
returns GSS_S_COMPLETE.
Parameters:
context_handle gss_ctx_id_t, read/modify
context handle for new context. Supply
GSS_C_NO_CONTEXT for first call; use the value
returned by the first call in subsequent calls.
verifier_cred_handle gss_cred_id_t, read, optional
Credential handle claimed by context
acceptor.
Specify GSS_C_NO_CREDENTIAL to use default
credentials. If GSS_C_NO_CREDENTIAL is
specified, but the caller has no default
credentials established, an
implementation-defined default credential
may be used.
input_token_buffer buffer, opaque, read
token obtained from remote application
input_chan_bindings channel bindings, read
Application-specified bindings. Allows
application to securely bind channel
identification information to the security
context.
src_name gss_name_t, modify, optional
Authenticated name of context initiator.
After use, this name should be deallocated by
passing it to gss_release_name. If not required,
specify NULL.
mech_type Object ID, modify
Security mechanism used. The returned
OID value will be a pointer into static
storage, and should be treated as read-only
by the caller.
output_token buffer, opaque, modify
Token to be passed to peer application. If the
length field of the returned token buffer is 0,
then no token need be passed to the peer
application.
ret_flags bit-mask, modify
Contains six independent flags, each of