                        GSS_C_NULL_OID to obtain an implementation
                        specific default

      req_flags         bit-mask, read
                        Contains four independent flags, each of
                        which requests that the context support a
                        specific service option.  Symbolic
                        names are provided for each flag, and the
                        symbolic names corresponding to the required
                        flags should be logically-ORed
                        together to form the bit-mask value.  The
                        flags are:

                        GSS_C_DELEG_FLAG
                              True - Delegate credentials to remote peer
                              False - Don't delegate
                        GSS_C_MUTUAL_FLAG
                              True - Request that remote peer
                                     authenticate itself
                              False - Authenticate self to remote peer
                                      only
                        GSS_C_REPLAY_FLAG
                              True - Enable replay detection for signed
                                     or sealed messages
                              False - Don't attempt to detect
                                      replayed messages
                        GSS_C_SEQUENCE_FLAG
                              True - Enable detection of out-of-sequence
                                     signed or sealed messages
                              False - Don't attempt to detect
                                      out-of-sequence messages

      time_req          integer, read
                        Desired number of seconds for which context
                        should remain valid.  Supply 0 to request a
                        default validity period.

      input_chan_bindings     channel bindings, read
                              Application-specified bindings.  Allows
                              application to securely bind channel
                              identification information to the security
                              context.

Wray                                                           [Page 18]

RFC 1509            GSSAPI - Overview and C bindings      September 1993

      input_token       buffer, opaque, read, optional (see text)
                        Token received from peer application.
                        Supply GSS_C_NO_BUFFER on initial call.

      actual_mech_type  OID, modify
                        actual mechanism used.

      output_token      buffer, opaque, modify
                        token to be sent to peer application.  If
                        the length field of the returned buffer is
                        zero, no token need be sent to the peer
                        application.

      ret_flags         bit-mask, modify
                        Contains six independent flags, each of which
                        indicates that the context supports a specific
                        service option.  Symbolic names are provided
                        for each flag, and the symbolic names
                        corresponding to the required flags should be
                        logically-ANDed with the ret_flags value to test
                        whether a given option is supported by the
                        context.  The flags are:

                        GSS_C_DELEG_FLAG
                              True - Credentials were delegated to
                                     the remote peer
                              False - No credentials were delegated
                        GSS_C_MUTUAL_FLAG
                              True - Remote peer has been asked to
                                     authenticate itself
                              False - Remote peer has not been asked to
                                      authenticate itself
                        GSS_C_REPLAY_FLAG
                              True - replay of signed or sealed messages
                                     will be detected
                              False - replayed messages will not be
                                      detected
                        GSS_C_SEQUENCE_FLAG
                              True - out-of-sequence signed or sealed
                                     messages will be detected
                              False - out-of-sequence messages will not
                                      be detected
                        GSS_C_CONF_FLAG
                              True - Confidentiality service may be
                                     invoked by calling seal routine
                              False - No confidentiality service (via
                                      seal) available. seal will provide
                                      message encapsulation, data-origin
                                      authentication and integrity
                                      services only.
                        GSS_C_INTEG_FLAG
                              True - Integrity service may be invoked by
                                     calling either gss_sign or gss_seal
                                     routines.
                              False - Per-message integrity service
                                      unavailable.

      time_rec          integer, modify, optional
                        number of seconds for which the context
                        will remain valid. If the implementation does
                        not support credential expiration, the value
                        GSS_C_INDEFINITE will be returned.  Specify
                        NULL if not required.

      minor_status      integer, modify
                        Mechanism specific status code.

   Function value:

   GSS status code:

   GSS_S_COMPLETE    Successful completion

   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
                     application is required to complete the context,
                     and that gss_init_sec_context must be called again
                     with that token.

   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
                     the input_token failed

   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
                     performed on the credential failed.

   GSS_S_NO_CRED     The supplied credentials were not valid for context
                     initiation, or the credential handle did not
                     reference any credentials.

   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired

   GSS_S_BAD_BINDINGS The input_token contains different channel
                     bindings to those specified via the
                     input_chan_bindings parameter

   GSS_S_BAD_SIG     The input_token contains an invalid signature, or a
                     signature that could not be verified

   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
                     during context establishment

   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
                     a token already processed.  This is a fatal error
                     during context establishment.

   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
                     refer to a valid context

   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
                     invalid or unsupported type of name

   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.

   GSS_S_FAILURE     Failure.  See minor_status for more information

3.4. gss_accept_sec_context

      OM_uint32  gss_accept_sec_context (
                     OM_uint32 *     minor_status,
                     gss_ctx_id_t *  context_handle,
                     gss_cred_id_t   verifier_cred_handle,
                     gss_buffer_t    input_token_buffer,
                     gss_channel_bindings_t
                                     input_chan_bindings,
                     gss_name_t *    src_name,
                     gss_OID *       mech_type,
                     gss_buffer_t    output_token,
                     int *           ret_flags,
                     OM_uint32 *     time_rec,
                     gss_cred_id_t * delegated_cred_handle)

   Purpose:

   Allows a remotely initiated security context between the application
   and a remote peer to be established.  The routine may return an
   output_token which should be transferred to the peer application,
   where the peer application will present it to gss_init_sec_context.
   If no token need be sent, gss_accept_sec_context will indicate this
   by setting the length field of the output_token argument to zero.  To
   complete the context establishment, one or more reply tokens may be
   required from the peer application; if so, gss_accept_sec_context
   will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
   should be called again when the reply token is received from the peer
   application, passing the token to gss_accept_sec_context via the
   input_token parameters.

   The values returned via the src_name, ret_flags, time_rec, and
   delegated_cred_handle parameters are not defined unless the routine
   returns GSS_S_COMPLETE.

   Parameters:

      context_handle    gss_ctx_id_t, read/modify
                        context handle for new context.  Supply
                        GSS_C_NO_CONTEXT for first call; use value
                        returned in subsequent calls.

      verifier_cred_handle    gss_cred_id_t, read, optional
                              Credential handle claimed by context
                              acceptor.
                              Specify GSS_C_NO_CREDENTIAL to use default
                              credentials.  If GSS_C_NO_CREDENTIAL is
                              specified, but the caller has no default
                              credentials established, an
                              implementation-defined default credential
                              may be used.

      input_token_buffer      buffer, opaque, read
                              token obtained from remote application

      input_chan_bindings     channel bindings, read
                              Application-specified bindings.  Allows
                              application to securely bind channel
                              identification information to the security
                              context.

      src_name          gss_name_t, modify, optional
                        Authenticated name of context initiator.
                        After use, this name should be deallocated by
                        passing it to gss_release_name.  If not required,
                        specify NULL.

      mech_type         Object ID, modify
                        Security mechanism used.  The returned
                        OID value will be a pointer into static
                        storage, and should be treated as read-only
                        by the caller.

      output_token      buffer, opaque, modify
                        Token to be passed to peer application. If the
                        length field of the returned token buffer is 0,
                        then no token need be passed to the peer
                        application.

      ret_flags         bit-mask, modify
                        Contains six independent flags, each of
                        which indicates that the context supports a
                        specific service option.  Symbolic names are
                        provided for each flag, and the symbolic names
                        corresponding to the required flags
                        should be logically-ANDed with the ret_flags
                        value to test whether a given option is
                        supported by the context.  The flags are:

                        GSS_C_DELEG_FLAG
                              True - Delegated credentials are available
                                     via the delegated_cred_handle
                                     parameter
                              False - No credentials were delegated
                        GSS_C_MUTUAL_FLAG
                              True - Remote peer asked for mutual
                                     authentication
                              False - Remote peer did not ask for mutual
                                      authentication
                        GSS_C_REPLAY_FLAG
                              True - replay of signed or sealed messages
                                     will be detected
                              False - replayed messages will not be
                                      detected
                        GSS_C_SEQUENCE_FLAG
                              True - out-of-sequence signed or sealed
                                     messages will be detected
                              False - out-of-sequence messages will not
                                      be detected
                        GSS_C_CONF_FLAG
                              True - Confidentiality service may be
                                     invoked by calling seal routine
                              False - No confidentiality service (via
                                      seal) available. seal will
                                      provide message encapsulation,
                                      data-origin authentication and
                                      integrity services only.
                        GSS_C_INTEG_FLAG
                              True - Integrity service may be invoked
                                     by calling either gss_sign or
                                     gss_seal routines.
                              False - Per-message integrity service
                                      unavailable.

      time_rec          integer, modify, optional
                        number of seconds for which the context
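
Added example, not part of RFC 1509: the ret_flags descriptions above say the mask is ANDed with the flags a caller needs, and 3.4 says ret_flags is not defined unless the routine returns GSS_S_COMPLETE; this sketch applies both rules before a context is used. The helpers check_context and flag_names, the ctx_state enum and ERROR_BITS are hypothetical names, and the status and flag values are local stand-ins for the implementation's gssapi.h.

```c
#include <stdio.h>
#include <string.h>

/* Constants defined locally so the block builds without a GSS-API
 * library; real code takes them from the implementation's gssapi.h. */
typedef unsigned int OM_uint32;
#define GSS_S_CONTINUE_NEEDED 1u
#define ERROR_BITS 0xFFFF0000u  /* calling + routine error fields */
enum { GSS_C_DELEG_FLAG = 1, GSS_C_MUTUAL_FLAG = 2, GSS_C_REPLAY_FLAG = 4,
       GSS_C_SEQUENCE_FLAG = 8, GSS_C_CONF_FLAG = 16, GSS_C_INTEG_FLAG = 32 };
enum ctx_state { CTX_FAILED, CTX_PENDING, CTX_WEAK, CTX_READY };

/* Hypothetical helper: classify the result of one accept call.
 * ret_flags is read only once the major status shows completion. */
enum ctx_state check_context(OM_uint32 major, int ret_flags,
                             int required, int *missing)
{
    *missing = 0;
    if (major & ERROR_BITS)            return CTX_FAILED;
    if (major & GSS_S_CONTINUE_NEEDED) return CTX_PENDING;
    *missing = required & ~ret_flags;  /* required but not granted */
    return *missing ? CTX_WEAK : CTX_READY;
}

/* Render the flags set in mask as "A|B" for a log line. */
const char *flag_names(int mask, char *out, size_t len)
{
    static const struct { int bit; const char *name; } tab[] = {
        {GSS_C_DELEG_FLAG, "DELEG"},   {GSS_C_MUTUAL_FLAG, "MUTUAL"},
        {GSS_C_REPLAY_FLAG, "REPLAY"}, {GSS_C_SEQUENCE_FLAG, "SEQUENCE"},
        {GSS_C_CONF_FLAG, "CONF"},     {GSS_C_INTEG_FLAG, "INTEG"} };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(mask & tab[i].bit)) continue;
        if (out[0]) strncat(out, "|", len - strlen(out) - 1);
        strncat(out, tab[i].name, len - strlen(out) - 1);
    }
    return out;
}

int main(void)
{
    int missing; char buf[64];
    /* Constructed result: complete, but confidentiality not granted. */
    enum ctx_state s = check_context(0, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG,
                         GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG, &missing);
    printf("state=%d missing=%s\n", s, flag_names(missing, buf, sizeof buf));
    return s != CTX_READY;
}
```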
