gssapi.5 (2010 09)
gssapi(5) gssapi(5)
in the normal way to the context acceptor. The acceptor passes this token to the gss_accept_sec_context()
routine, which generates a delegated credential. The context acceptor can use the credential to initiate
additional security contexts. The applications can exchange protected messages and data using this context.
The applications can call GSSAPI routines to protect data exchanged in messages. The application sends
a protected message by calling the appropriate GSSAPI routine to do the following:
     -  Apply protection.
     -  Bind the message to the appropriate security context.
The application can then send the resulting information to the peer application.
The application that receives the message passes the received data to a GSSAPI routine, which removes
the protection and validates the data.
GSSAPI treats application data as arbitrary octet strings. The GSSAPI per-message security services can
provide either of the following:
     -  Integrity and authentication of data origin.
     -  Confidentiality, integrity, and authentication of data origin.
When the applications have finished communicating, either one may instruct GSSAPI to delete the security
context.
The standard GSSAPI routines are defined in "Internet RFC 2743, Generic Security Service Application
Programming Interface" and "RFC 2744, Generic Security Service API: C-bindings." These routines have
the prefix gss_.
The following sections provide an overview of the GSSAPI error handling and data types.
Error Handling
Each GSSAPI routine returns two status values, major and minor:
     major status values
          Major status values are generic API routine errors or calling errors defined in RFC 2744.
     minor status values
          Minor status values indicate mechanism-specific errors.
If a routine has output parameters that contain pointers for storage allocated by the routine, the output
parameters will always contain a valid pointer even if the routine returns an error. If no storage was
allocated, the routine sets the pointer to NULL and sets any length fields associated with the pointers
(such as in the gss_buffer_desc structure) to 0 (zero).
Minor status values usually contain more detailed information about the error. They are not, however,
portable between GSSAPI implementations. When designing portable applications, use major status
values for handling errors. Use minor status values to debug applications and to display error and
error-recovery information to users.
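The caller pattern the two paragraphs above describe, as an added example that is not part of the gssapi(5) page or of any GSSAPI implementation: branch only on the major status, treat supplementary bits such as GSS_S_CONTINUE_NEEDED as "not an error", keep the minor status for diagnostics, and rely on the rule that output buffers are left as NULL/length 0 when a call fails. The status-word layout, the GSS_ERROR family of macros and the few GSS_S_* codes used are reproduced from RFC 2744 so that the block compiles without <gssapi/gssapi.h>; a real program includes that header instead. mock_acquire_token() is a constructed stand-in for a GSSAPI routine, and its minor status value 0x1234 is likewise constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int OM_uint32;              /* 32-bit unsigned integer, as in gssapi(5) */

typedef struct gss_buffer_desc_struct {
    size_t length;
    void  *value;
} gss_buffer_desc, *gss_buffer_t;

/* Status-word layout from RFC 2744 section 3.9.1: calling errors occupy
 * bits 31..24, routine errors bits 23..16, supplementary info bits 15..0. */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK   0377ul
#define GSS_C_ROUTINE_ERROR_MASK   0377ul
#define GSS_C_SUPPLEMENTARY_MASK   0177777ul

#define GSS_CALLING_ERROR(x) \
    ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) \
    ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) \
    ((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
/* GSS_ERROR() is non-zero only for calling or routine errors. */
#define GSS_ERROR(x) \
    ((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
            (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))

/* A few RFC 2744 major status codes used below. */
#define GSS_S_COMPLETE                0
#define GSS_S_CONTINUE_NEEDED         (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_NO_CRED                 (7ul  << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE                 (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CALL_INACCESSIBLE_WRITE (2ul  << GSS_C_CALLING_ERROR_OFFSET)

enum gss_outcome { GSS_OK = 0, GSS_MORE = 1, GSS_FAIL = 2 };

/* Portable decision: only the major status drives control flow. */
enum gss_outcome classify_major(OM_uint32 major)
{
    if (GSS_ERROR(major))
        return GSS_FAIL;
    if (major & GSS_S_CONTINUE_NEEDED)
        return GSS_MORE;                     /* more tokens to exchange, not an error */
    return GSS_OK;
}

/* Constructed stand-in for a GSSAPI routine that returns an output token.
 * scenario: 0 = success, 1 = continue needed, anything else = routine error. */
static char mock_token_bytes[] = "constructed-token";

OM_uint32 mock_acquire_token(OM_uint32 *minor_status, int scenario,
                             gss_buffer_t output_token)
{
    /* gssapi(5) rule: output pointers are valid even on error; with nothing
     * allocated, value is NULL and length is 0. Set that state first. */
    output_token->length = 0;
    output_token->value  = NULL;
    *minor_status = 0;

    switch (scenario) {
    case 0:
    case 1:
        output_token->value  = mock_token_bytes;
        output_token->length = strlen(mock_token_bytes);
        return scenario == 0 ? GSS_S_COMPLETE : GSS_S_CONTINUE_NEEDED;
    default:
        *minor_status = 0x1234;              /* constructed mechanism-specific code */
        return GSS_S_NO_CRED;
    }
}

/* Caller: branch on the major status, report the minor status only as a
 * diagnostic, and never touch the buffer contents on failure.
 * Returns 0 on success, 1 when another round trip is needed, -1 on error. */
int fetch_token(int scenario, gss_buffer_desc *token)
{
    OM_uint32 minor;
    OM_uint32 major = mock_acquire_token(&minor, scenario, token);

    switch (classify_major(major)) {
    case GSS_FAIL:
        /* A real program passes 'minor' to gss_display_status() with
         * GSS_C_MECH_CODE to render an implementation-specific message. */
        fprintf(stderr, "GSSAPI call failed: major=0x%08x minor=0x%08x\n",
                (unsigned)major, (unsigned)minor);
        return -1;
    case GSS_MORE:
        return 1;                            /* send token, call again with the reply */
    default:
        return 0;
    }
}

int main(void)
{
    gss_buffer_desc token;
    int rc = fetch_token(2, &token);
    printf("rc=%d length=%zu value=%p\n", rc, token.length, token.value);
    return 0;
}
```

The point to carry into real code is the split of responsibilities: `classify_major()` is the only place that decides what to do next, and it uses nothing but RFC 2744's portable bit layout, while the minor status is never compared against a constant because its meaning changes from one mechanism or vendor to the next.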
GSSAPI Data Types
This section provides an overview of the GSSAPI data types and their definitions.
     Integer Types
          The GSSAPI defines the following integer data type:
               OM_uint32      32-bit unsigned integer
          This integer data type is a portable data type that the GSSAPI routine definitions
          use for guaranteed minimum bit-counts.
     String and Similar Data Types
          Many of the GSSAPI routines take arguments and return values that describe
          contiguous multiple-byte data, such as opaque data and character strings. Use the
          gss_buffer_t data type, which is a pointer to the buffer descriptor
          gss_buffer_desc, to pass the data between the GSSAPI routines and applications.
          The gss_buffer_t data type has the following structure:
typedef struct gss_buffer_desc_struct {
size_t length;
void *value;
Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010