HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
gssapi(5) gssapi(5)
Channel Bindings
You can define and use channel bindings to associate the security context with the communications channel that carries the context. Channel bindings are communicated to the GSSAPI by using the following structure:
     typedef struct gss_channel_binding_struct {
         OM_uint32       initiator_addrtype;
         gss_buffer_desc initiator_address;
         OM_uint32       acceptor_addrtype;
         gss_buffer_desc acceptor_address;
         gss_buffer_desc application_data;
     } *gss_channel_bindings_t;
Use the initiator_addrtype and acceptor_addrtype fields to indicate the type of the addresses contained in the initiator_address and acceptor_address buffers. The following table lists the address types and their addrtype values:
     Address Type                          addrtype Value
     Unspecified                           GSS_C_AF_UNSPEC
     Host-local                            GSS_C_AF_LOCAL
     DARPA Internet                        GSS_C_AF_INET
     ARPAnet IMP                           GSS_C_AF_IMPLINK
     pup protocols (for example, BSP)      GSS_C_AF_PUP
     MIT CHAOS protocol                    GSS_C_AF_CHAOS
     XEROX NS                              GSS_C_AF_NS
     nbs                                   GSS_C_AF_NBS
     ECMA                                  GSS_C_AF_ECMA
     datakit protocols                     GSS_C_AF_DATAKIT
     CCITT protocols (for example, X.25)   GSS_C_AF_CCITT
     IBM SNA                               GSS_C_AF_SNA
     Digital DECnet                        GSS_C_AF_DECnet
     Direct data link interface            GSS_C_AF_DLI
     LAT                                   GSS_C_AF_LAT
     NSC Hyperchannel                      GSS_C_AF_HYLINK
     AppleTalk                             GSS_C_AF_APPLETALK
     BISYNC 2780/3780                      GSS_C_AF_BSC
     Distributed system services           GSS_C_AF_DSS
     OSI TP4                               GSS_C_AF_OSI
     X25                                   GSS_C_AF_X25
     No address specified                  GSS_C_AF_NULLADDR
The tags specify address families rather than addressing formats. For address families that contain several alternative address forms, the initiator_address and the acceptor_address fields should contain sufficient information to determine which address form is used. Format the bytes that contain the addresses in the order in which the bytes are transmitted across the network.
The GSSAPI creates an octet string by concatenating all the fields (initiator_addrtype, initiator_address, acceptor_addrtype, acceptor_address, and application_data). The security mechanism signs the octet string and binds the signature to the token generated by the gss_init_sec_context() routine. The context acceptor presents the same bindings to the gss_accept_sec_context() routine, which evaluates the signature and compares it to the signature in the token. If the signatures differ, the gss_accept_sec_context() routine returns a GSS_S_BAD_BINDINGS error, and the context is not established.
Some security mechanisms check that the initiator_address field of the channel bindings presented to the gss_init_sec_context() routine contains the correct network address of the host system. Therefore, portable applications should use either the correct address type and value, or GSS_C_AF_NULLADDR, for the initiator_addrtype field. Some security mechanisms include the channel binding data in the token instead of a signature, so portable applications should not use confidential data as channel-binding components. The GSSAPI itself does not verify the address and does not include the plain text bindings information in the token.
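The following is an added example, not part of the HP-UX manual, showing how an application fills the structure above for a TCP/IPv4 connection (addresses stored in network byte order, application_data carrying a caller-chosen channel identifier) and what the acceptor's field-by-field comparison amounts to. The OM_uint32, gss_buffer_desc and channel-bindings types are local stand-ins assumed here so the code compiles without gssapi.h; make_inet_bindings, set_inet_address, buf_equal and bindings_match are illustrative helpers, not GSSAPI routines.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Local stand-ins for the <gssapi.h> types (assumed, so this compiles
 * without the GSS-API library); the layout follows the manual's structure. */
typedef uint32_t OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct {
    OM_uint32       initiator_addrtype;
    gss_buffer_desc initiator_address;
    OM_uint32       acceptor_addrtype;
    gss_buffer_desc acceptor_address;
    gss_buffer_desc application_data;
} gss_channel_bindings_desc, *gss_channel_bindings_t;
#define GSS_C_AF_INET 2 /* DARPA Internet family, as in the GSS-API headers */
/* IPv4 address as 4 bytes in network (wire) byte order, as the manual requires. */
static int set_inet_address(gss_buffer_desc *buf, const char *dotted) {
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    buf->length = sizeof a.s_addr;
    buf->value = malloc(buf->length);
    memcpy(buf->value, &a.s_addr, buf->length);
    return 0;
}
/* Bindings for a connection from initiator 'src' to acceptor 'dst', plus
 * application data (e.g. a transport channel id); -1 on a malformed address. */
int make_inet_bindings(gss_channel_bindings_t cb, const char *src,
                       const char *dst, const void *app, size_t app_len) {
    memset(cb, 0, sizeof *cb);
    cb->initiator_addrtype = cb->acceptor_addrtype = GSS_C_AF_INET;
    if (set_inet_address(&cb->initiator_address, src) < 0) return -1;
    if (set_inet_address(&cb->acceptor_address, dst) < 0) return -1;
    cb->application_data.length = app_len;
    cb->application_data.value = malloc(app_len ? app_len : 1);
    memcpy(cb->application_data.value, app, app_len);
    return 0;
}
static int buf_equal(const gss_buffer_desc *a, const gss_buffer_desc *b) {
    return a->length == b->length && memcmp(a->value, b->value, a->length) == 0;
}
/* The acceptor's check in effect: each field it presents must equal what the
 * initiator bound into the token, else the result is GSS_S_BAD_BINDINGS. */
int bindings_match(const gss_channel_bindings_t a, const gss_channel_bindings_t b) {
    return a->initiator_addrtype == b->initiator_addrtype &&
           a->acceptor_addrtype == b->acceptor_addrtype &&
           buf_equal(&a->initiator_address, &b->initiator_address) &&
           buf_equal(&a->acceptor_address, &b->acceptor_address) &&
           buf_equal(&a->application_data, &b->application_data);
}
```

Any difference in an address or in application_data between the two sides, such as a connection relayed through a different host, is exactly what makes the acceptor's signature comparison fail.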
Optional Parameters
In routine descriptions, optional parameters allow the application to request default behaviors by passing a
default value for the parameter. The following conventions are used for optional parameters:
HP-UX 11i Version 3: February 2007 − 6 − Hewlett-Packard Company 187