which indicates that the context supports a
specific service option. Symbolic names are
provided for each flag, and the symbolic names
corresponding to the required flags
should be logically-ANDed with the ret_flags
value to test whether a given option is
supported by the context. The flags are:
GSS_C_DELEG_FLAG
    True  - Delegated credentials are available via the
            delegated_cred_handle parameter
    False - No credentials were delegated
GSS_C_MUTUAL_FLAG
    True  - Remote peer asked for mutual authentication
    False - Remote peer did not ask for mutual authentication
GSS_C_REPLAY_FLAG
    True  - replay of signed or sealed messages will be detected
    False - replayed messages will not be detected
GSS_C_SEQUENCE_FLAG
    True  - out-of-sequence signed or sealed messages will be
            detected
    False - out-of-sequence messages will not be detected
GSS_C_CONF_FLAG
    True  - Confidentiality service may be invoked by calling
            seal routine
    False - No confidentiality service (via seal) available.
            seal will provide message encapsulation,
            data-origin authentication and integrity
            services only.
GSS_C_INTEG_FLAG
    True  - Integrity service may be invoked by calling either
            gss_sign or gss_seal routines.
    False - Per-message integrity service unavailable.
time_rec integer, modify, optional
number of seconds for which the context
will remain valid. Specify NULL if not required.
Wray [Page 23]
RFC 1509 GSSAPI - Overview and C bindings September 1993
delegated_cred_handle
gss_cred_id_t, modify
credential handle for credentials received from
context initiator. Only valid if deleg_flag in
ret_flags is true.
minor_status integer, modify
Mechanism specific status code.
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
application is required to complete the context,
and that gss_accept_sec_context must be called
again with that token.
GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
performed on the input_token failed.
GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
performed on the credential failed.
GSS_S_NO_CRED The supplied credentials were not valid for
context acceptance, or the credential handle
did not reference any credentials.
GSS_S_CREDENTIALS_EXPIRED The referenced credentials have
expired.
GSS_S_BAD_BINDINGS The input_token contains different channel
bindings to those specified via the
input_chan_bindings parameter.
GSS_S_NO_CONTEXT Indicates that the supplied context handle did
not refer to a valid context.
GSS_S_BAD_SIG The input_token contains an invalid signature.
GSS_S_OLD_TOKEN The input_token was too old. This is a fatal
error during context establishment.
GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a
duplicate of a token already processed. This
is a fatal error during context establishment.
GSS_S_FAILURE Failure. See minor_status for more information.
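The ret_flags test described above, as an added example that is not part of RFC 1509's own text. It contrasts a check that passes when any one required flag is set with one that requires all of them, and gates use of delegated_cred_handle on GSS_C_DELEG_FLAG. The flag values are those of the gssapi.h appendix of RFC 1509; the function names and the acceptor policy are assumptions made for illustration.

```c
#include <stdio.h>

/* Flag values from the gssapi.h appendix of RFC 1509; the guard lets a
 * real <gssapi.h> supply them instead. */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG    1
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_REPLAY_FLAG   4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32
#endif

/* Weak check: passes when ANY one of the required flags is set. */
static int flags_any(unsigned ret_flags, unsigned required) {
    return (ret_flags & required) != 0;
}

/* Returns the required flags the context does NOT provide (0 = all present). */
static unsigned missing_flags(unsigned ret_flags, unsigned required) {
    return required & ~ret_flags;
}

/* Hypothetical acceptor policy: sealed, integrity-protected, ordered traffic. */
static int context_acceptable(unsigned ret_flags) {
    const unsigned required = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG |
                              GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
    return missing_flags(ret_flags, required) == 0;
}

/* delegated_cred_handle is only valid when GSS_C_DELEG_FLAG is set in
 * ret_flags, so test the flag before touching the handle. */
static int may_use_delegated_cred(unsigned ret_flags) {
    return (ret_flags & GSS_C_DELEG_FLAG) != 0;
}

int main(void) {
    /* Constructed sample: a context that offers integrity but not seal. */
    unsigned ret_flags = GSS_C_INTEG_FLAG | GSS_C_MUTUAL_FLAG;
    unsigned need = GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG;
    printf("any-flag check passes: %d\n", flags_any(ret_flags, need));
    printf("missing flags: %#x\n", missing_flags(ret_flags, need));
    printf("policy accepts context: %d\n", context_acceptable(ret_flags));
    printf("delegated cred usable: %d\n", may_use_delegated_cred(ret_flags));
    return 0;
}
```
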
3.5. gss_process_context_token
OM_uint32 gss_process_context_token (
    OM_uint32 *    minor_status,
    gss_ctx_id_t   context_handle,
    gss_buffer_t   token_buffer)
Purpose:
Provides a way to pass a token to the security service. Usually,
tokens are associated either with context establishment (when they
would be passed to gss_init_sec_context or gss_accept_sec_context) or
with per-message security service (when they would be passed to
gss_verify or gss_unseal). Occasionally, tokens may be received at
other times, and gss_process_context_token allows such tokens to be
passed to the underlying security service for processing. At
present, such additional tokens may only be generated by
gss_delete_sec_context. A GSSAPI implementation may use this service
to implement deletion of the security context.
Parameters:
context_handle gss_ctx_id_t, read
context handle of context on which token is to
be processed
token_buffer buffer, opaque, read
pointer to first byte of token to process
minor_status integer, modify
Implementation specific status code.
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
performed on the token failed
GSS_S_FAILURE Failure. See minor_status for more information
GSS_S_NO_CONTEXT The context_handle did not refer to a valid
context
3.6. gss_delete_sec_context
OM_uint32 gss_delete_sec_context (
    OM_uint32 *    minor_status,
    gss_ctx_id_t * context_handle,
    gss_buffer_t   output_token)
Purpose:
Delete a security context. gss_delete_sec_context will delete the
local data structures associated with the specified security context,
and generate an output_token, which when passed to the peer
gss_process_context_token will instruct it to do likewise. No
further security services may be obtained using the context specified
by context_handle.
Parameters:
minor_status integer, modify
Mechanism specific status code.
context_handle gss_ctx_id_t, modify
context handle identifying context to delete.
output_token buffer, opaque, modify
token to be sent to remote application to
instruct it to also delete the context
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_FAILURE Failure, see minor_status for more information
GSS_S_NO_CONTEXT No valid context was supplied
3.7. gss_context_time
OM_uint32 gss_context_time (
    OM_uint32 *    minor_status,
    gss_ctx_id_t   context_handle,
    OM_uint32 *    time_rec)
Purpose:
Determines the number of seconds for which the specified context will
remain valid.
Parameters:
minor_status integer, modify
Implementation specific status code.
context_handle gss_ctx_id_t, read
Identifies the context to be interrogated.
time_rec integer, modify
Number of seconds that the context will remain
valid. If the context has already expired,
zero will be returned.
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_CONTEXT_EXPIRED The context has already expired
GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
associated credentials have expired
GSS_S_NO_CONTEXT The context_handle parameter did not identify a
valid context
3.8. gss_sign
OM_uint32 gss_sign (
    OM_uint32 *    minor_status,
    gss_ctx_id_t   context_handle,
    int            qop_req,
    gss_buffer_t   message_buffer,
    gss_buffer_t   msg_token)
Purpose:
Generates a cryptographic signature for the supplied message, and
places the signature in a token for transfer to the peer application.
The qop_req parameter allows a choice between several cryptographic
algorithms, if supported by the chosen mechanism.
Parameters:
minor_status integer, modify
Implementation specific status code.
context_handle gss_ctx_id_t, read
identifies the context on which the message
will be sent
qop_req integer, read, optional
Specifies requested quality of protection.
Callers are encouraged, on portability grounds,
to accept the default quality of protection
offered by the chosen mechanism, which may be
requested by specifying GSS_C_QOP_DEFAULT for
this parameter. If an unsupported protection
strength is requested, gss_sign will return a
major_status of GSS_S_FAILURE.
message_buffer buffer, opaque, read
message to be signed
msg_token buffer, opaque, modify
buffer to receive token
Function value:
GSS status code:
GSS_S_COMPLETE Successful completion
GSS_S_CONTEXT_EXPIRED The context has already expired
GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
associated credentials have expired
GSS_S_NO_CONTEXT The context_handle parameter did not identify a
valid cont