gssapi.5 (2010 09)

gssapi(5) gssapi(5)
Names are represented in two forms:
     A printable form, for presentation to an application.
     An internal, canonical form that is used by the APIs and is opaque to applications.
The gss_import_name() and gss_display_name() routines convert names between their printable form and their gss_name_t data type. The gss_compare_name() routine compares internal form names.
Channel Bindings
You can define and use channel bindings to associate the security context with the communications channel that carries the context. Channel bindings are communicated to the GSSAPI by using the following structure:
     typedef struct gss_channel_binding_struct {
          OM_uint32       initiator_addrtype;
          gss_buffer_desc initiator_address;
          OM_uint32       acceptor_addrtype;
          gss_buffer_desc acceptor_address;
          gss_buffer_desc application_data;
     } *gss_channel_bindings_t;
Use the initiator_addrtype and acceptor_addrtype fields to indicate the type of addresses contained in the initiator_address and acceptor_address buffers. The following table lists the address types and their addrtype values:
     Address Type                         addrtype Value
     Unspecified                          GSS_C_AF_UNSPEC
     Host-local                           GSS_C_AF_LOCAL
     DARPA Internet                       GSS_C_AF_INET
     ARPAnet IMP                          GSS_C_AF_IMPLINK
     pup protocols (for example, BSP)     GSS_C_AF_PUP
     MIT CHAOS protocol                   GSS_C_AF_CHAOS
     XEROX NS                             GSS_C_AF_NS
     nbs                                  GSS_C_AF_NBS
     ECMA                                 GSS_C_AF_ECMA
     datakit protocols                    GSS_C_AF_DATAKIT
     CCITT protocols (for example, X.25)  GSS_C_AF_CCITT
     IBM SNA                              GSS_C_AF_SNA
     Digital DECnet                       GSS_C_AF_DECnet
     Direct data link interface           GSS_C_AF_DLI
     LAT                                  GSS_C_AF_LAT
     NSC Hyperchannel                     GSS_C_AF_HYLINK
     AppleTalk                            GSS_C_AF_APPLETALK
     BISYNC 2780/3780                     GSS_C_AF_BSC
     Distributed system services          GSS_C_AF_DSS
     OSI TP4                              GSS_C_AF_OSI
     X25                                  GSS_C_AF_X25
     No address specified                 GSS_C_AF_NULLADDR
The tags specify address families rather than addressing formats. For address families that contain several alternative address forms, the initiator_address and the acceptor_address fields should contain sufficient information to determine which address form is used. Format the bytes that contain the addresses in the order in which the bytes are transmitted across the network.
The GSSAPI creates an octet string by concatenating all the fields (initiator_addrtype, initiator_address, acceptor_addrtype, acceptor_address, and application_data). The security mechanism signs the octet string and binds the signature to the token generated by the gss_init_sec_context() routine. The context acceptor presents the same bindings to the gss_accept_sec_context() routine, which evaluates the signature and compares it to the signature in the token. If the signatures differ, the gss_accept_sec_context() routine returns a GSS_S_BAD_BINDINGS error, and the context is not established.
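As an added example (not part of this manual page or of the HP-UX GSSAPI implementation), the C code below fills in the channel bindings structure for two hosts, concatenates its five fields into one octet string in the order given above, and performs the acceptor-side comparison that ends in GSS_S_BAD_BINDINGS when the two sides' bindings differ. The GSSAPI types and the GSS_C_AF_INET value are local stand-ins, and the 4-byte type and length framing is an assumption of this example, not the encoding a real mechanism signs.

```c
#include <stdint.h>
#include <string.h>
/* Minimal stand-ins for the GSSAPI types named on this page (assumed here
 * rather than taken from gssapi.h) so the example builds offline. */
typedef uint32_t OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct {
    OM_uint32 initiator_addrtype; gss_buffer_desc initiator_address;
    OM_uint32 acceptor_addrtype;  gss_buffer_desc acceptor_address;
    gss_buffer_desc application_data;
} gss_channel_bindings_struct;
#define GSS_C_AF_INET 2   /* assumed value; the real one is defined in gssapi.h */
static size_t put_u32(unsigned char *out, OM_uint32 v) {   /* 4 bytes, big-endian */
    out[0] = v >> 24; out[1] = v >> 16; out[2] = v >> 8; out[3] = v; return 4;
}
/* Concatenate the five fields, in the order the page lists them, into one
 * octet string. The 4-byte type and length prefixes are this example's own
 * framing (assumed), not the encoding a real mechanism hashes and signs. */
size_t encode_bindings(const gss_channel_bindings_struct *cb, unsigned char *out, size_t cap) {
    const gss_buffer_desc *buf[3] = { &cb->initiator_address, &cb->acceptor_address, &cb->application_data };
    OM_uint32 type[2] = { cb->initiator_addrtype, cb->acceptor_addrtype };
    size_t n = 0;
    for (int i = 0; i < 3; i++) {
        if (n + 8 + buf[i]->length > cap) return 0;        /* refuse to overrun out[] */
        if (i < 2) n += put_u32(out + n, type[i]);         /* each addrtype precedes its address */
        n += put_u32(out + n, (OM_uint32)buf[i]->length);
        memcpy(out + n, buf[i]->value, buf[i]->length);
        n += buf[i]->length;
    }
    return n;
}
/* Acceptor-side comparison: 1 when the bindings presented to the acceptor
 * reproduce the initiator's octet string, 0 for the GSS_S_BAD_BINDINGS case. */
int bindings_match(const gss_channel_bindings_struct *init_side, const gss_channel_bindings_struct *acc_side) {
    unsigned char a[256], b[256];
    size_t na = encode_bindings(init_side, a, sizeof a), nb = encode_bindings(acc_side, b, sizeof b);
    return na != 0 && na == nb && memcmp(a, b, na) == 0;
}
/* Constructed sample: IPv4 addresses (bytes in transmission order) plus application_data;
 * tamper != 0 gives the acceptor a different acceptor_address than the initiator bound. */
int sample_check(int tamper) {
    static unsigned char init_ip[4] = {10, 0, 0, 1}, acc_ip[4] = {10, 0, 0, 2}, other_ip[4] = {10, 0, 0, 3};
    static const char app[] = "constructed-app-data";
    gss_channel_bindings_struct i = { GSS_C_AF_INET, {4, init_ip}, GSS_C_AF_INET, {4, acc_ip}, {sizeof app - 1, (void *)app} };
    gss_channel_bindings_struct a = i;
    if (tamper) a.acceptor_address.value = other_ip;
    return bindings_match(&i, &a);      /* 1 untampered, 0 tampered */
}
```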
Some security mechanisms check that the initiator_address field of the channel bindings presented to the gss_init_sec_context() routine contains the correct network address of the host
6 Hewlett-Packard Company 6 HP-UX 11i Version 3: September 2010