OM_uint32
gss_accept_sec_context(
OM_uint32 * minor_status
gss_ctx_id_t * context_handle
const gss_cred_id_t acceptor_cred_handle
const gss_buffer_t input_token_buffer
const gss_channel_bindings_t input_chan_bindings
gss_name_t * src_name
gss_OID * mech_type
gss_buffer_t output_token
OM_uint32 * ret_flags
OM_uint32 * time_rec
gss_cred_id_t * delegated_cred_handle
)
OM_uint32
gss_acquire_cred(
OM_uint32 * minor_status
const gss_name_t desired_name
OM_uint32 time_req
const gss_OID_set desired_mechs
gss_cred_usage_t cred_usage
gss_cred_id_t * output_cred_handle
gss_OID_set * actual_mechs
OM_uint32 * time_rec
)
OM_uint32
gss_add_cred(
OM_uint32 *minor_status
const gss_cred_id_t input_cred_handle
const gss_name_t desired_name
const gss_OID desired_mech
gss_cred_usage_t cred_usage
OM_uint32 initiator_time_req
OM_uint32 acceptor_time_req
gss_cred_id_t *output_cred_handle
gss_OID_set *actual_mechs
OM_uint32 *initiator_time_rec
OM_uint32 *acceptor_time_rec
)
OM_uint32
gss_add_oid_set_member(
OM_uint32 * minor_status
const gss_OID member_oid
gss_OID_set * oid_set
)
OM_uint32
gss_canonicalize_name(
OM_uint32 * minor_status
const gss_name_t input_name
const gss_OID mech_type
gss_name_t * output_name
)
OM_uint32
gss_compare_name(
OM_uint32 * minor_status
const gss_name_t name1
const gss_name_t name2
int * name_equal
)
OM_uint32
gss_context_time(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
OM_uint32 * time_rec
)
OM_uint32
gss_create_empty_oid_set(
OM_uint32 * minor_status
gss_OID_set * oid_set
)
OM_uint32
gss_delete_sec_context(
OM_uint32 * minor_status
gss_ctx_id_t * context_handle
gss_buffer_t output_token
)
OM_uint32
gss_display_name(
OM_uint32 * minor_status
const gss_name_t input_name
gss_buffer_t output_name_buffer
gss_OID * output_name_type
)
OM_uint32
gss_display_status(
OM_uint32 *minor_status
OM_uint32 status_value
int status_type
const gss_OID mech_type
OM_uint32 *message_context
gss_buffer_t status_string
)
OM_uint32
gss_duplicate_name(
OM_uint32 * minor_status
const gss_name_t src_name
gss_name_t * dest_name
)
OM_uint32
gss_export_name(
OM_uint32 * minor_status
const gss_name_t input_name
gss_buffer_t exported_name
)
OM_uint32
gss_export_sec_context(
OM_uint32 * minor_status
gss_ctx_id_t * context_handle
gss_buffer_t interprocess_token
)
OM_uint32
gss_get_mic(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
gss_qop_t qop_req
const gss_buffer_t message_buffer
gss_buffer_t message_token
)
OM_uint32
gss_import_name(
OM_uint32 * minor_status
const gss_buffer_t input_name_buffer
const gss_OID input_name_type
gss_name_t * output_name
)
OM_uint32
gss_import_sec_context(
OM_uint32 * minor_status
const gss_buffer_t interprocess_token
gss_ctx_id_t * context_handle
)
OM_uint32
gss_indicate_mechs(
OM_uint32 * minor_status
gss_OID_set * mech_set
)
OM_uint32
gss_init_sec_context(
OM_uint32 * minor_status
const gss_cred_id_t initiator_cred_handle
gss_ctx_id_t * context_handle
const gss_name_t target_name
const gss_OID mech_type
OM_uint32 req_flags
OM_uint32 time_req
const gss_channel_bindings_t input_chan_bindings
const gss_buffer_t input_token
gss_OID * actual_mech_type
gss_buffer_t output_token
OM_uint32 * ret_flags
OM_uint32 * time_rec
)
OM_uint32
gss_inquire_context(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
gss_name_t * src_name
gss_name_t * targ_name
OM_uint32 * lifetime_rec
gss_OID * mech_type
OM_uint32 * ctx_flags
int * locally_initiated
int * open_context
)
OM_uint32
gss_inquire_cred(
OM_uint32 * minor_status
const gss_cred_id_t cred_handle
gss_name_t * name
OM_uint32 * lifetime
gss_cred_usage_t * cred_usage
gss_OID_set * mechanisms
)
OM_uint32
gss_inquire_cred_by_mech(
OM_uint32 * minor_status
const gss_cred_id_t cred_handle
const gss_OID mech_type
gss_name_t * name
OM_uint32 * initiator_lifetime
OM_uint32 * acceptor_lifetime
gss_cred_usage_t * cred_usage
)
OM_uint32
gss_inquire_mechs_for_name(
OM_uint32 * minor_status
const gss_name_t input_name
gss_OID_set * mech_types
)
OM_uint32
gss_inquire_names_for_mech(
OM_uint32 * minor_status
const gss_OID mechanism
gss_OID_set * name_types
)
OM_uint32
gss_krb5_ccache_name(
OM_uint32 *minor
const char *name
const char **old_name
)
OM_uint32
gss_krb5_copy_ccache(
OM_uint32 *minor
gss_cred_id_t cred
krb5_ccache out
)
OM_uint32
gss_krb5_import_cred(
OM_uint32 *minor_status
krb5_ccache id
krb5_principal keytab_principal
krb5_keytab keytab
gss_cred_id_t *cred
)
OM_uint32
gss_krb5_compat_des3_mic(
OM_uint32 * minor_status
gss_ctx_id_t context_handle
int onoff
)
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(
OM_uint32 *minor_status
gss_ctx_id_t context_handle
int ad_type
gss_buffer_t ad_data
)
OM_uint32
gsskrb5_register_acceptor_identity(
const char *identity
)
OM_uint32
gss_krb5_import_cache(
OM_uint32 *minor
krb5_ccache id
krb5_keytab keytab
gss_cred_id_t *cred
)
OM_uint32
gss_krb5_get_tkt_flags(
OM_uint32 *minor_status
gss_ctx_id_t context_handle
OM_uint32 *tkt_flags
)
OM_uint32
gss_process_context_token(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
const gss_buffer_t token_buffer
)
OM_uint32
gss_release_buffer(
OM_uint32 * minor_status
gss_buffer_t buffer
)
OM_uint32
gss_release_cred(
OM_uint32 * minor_status
gss_cred_id_t * cred_handle
)
OM_uint32
gss_release_name(
OM_uint32 * minor_status
gss_name_t * input_name
)
OM_uint32
gss_release_oid_set(
OM_uint32 * minor_status
gss_OID_set * set
)
OM_uint32
gss_seal(
OM_uint32 * minor_status
gss_ctx_id_t context_handle
int conf_req_flag
int qop_req
gss_buffer_t input_message_buffer
int * conf_state
gss_buffer_t output_message_buffer
)
OM_uint32
gss_sign(
OM_uint32 * minor_status
gss_ctx_id_t context_handle
int qop_req
gss_buffer_t message_buffer
gss_buffer_t message_token
)
OM_uint32
gss_test_oid_set_member(
OM_uint32 * minor_status
const gss_OID member
const gss_OID_set set
int * present
)
OM_uint32
gss_unseal(
OM_uint32 * minor_status
gss_ctx_id_t context_handle
gss_buffer_t input_message_buffer
gss_buffer_t output_message_buffer
int * conf_state
int * qop_state
)
OM_uint32
gss_unwrap(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
const gss_buffer_t input_message_buffer
gss_buffer_t output_message_buffer
int * conf_state
gss_qop_t * qop_state
)
OM_uint32
gss_verify(
OM_uint32 * minor_status
gss_ctx_id_t context_handle
gss_buffer_t message_buffer
gss_buffer_t token_buffer
int * qop_state
)
OM_uint32
gss_verify_mic(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
const gss_buffer_t message_buffer
const gss_buffer_t token_buffer
gss_qop_t * qop_state
)
OM_uint32
gss_wrap(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
int conf_req_flag
gss_qop_t qop_req
const gss_buffer_t input_message_buffer
int * conf_state
gss_buffer_t output_message_buffer
)
OM_uint32
gss_wrap_size_limit(
OM_uint32 * minor_status
const gss_ctx_id_t context_handle
int conf_req_flag
gss_qop_t qop_req
OM_uint32 req_output_size
OM_uint32 * max_input_size
)
RFC2743
and
RFC2744
.
Version 1 (deprecated) of the C binding is described in
RFC1509
.
Heimdals GSS-API implementation supports the following mechanisms
GSS_KRB5_MECHANISM
GSS_SPNEGO_MECHANISM
GSS-API have generic name types that all mechanism are supposed to implement (if possible):
GSS_C_NT_USER_NAME
GSS_C_NT_MACHINE_UID_NAME
GSS_C_NT_STRING_UID_NAME
GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_ANONYMOUS
GSS_C_NT_EXPORT_NAME
GSS-API implementations that supports Kerberos 5 have some additional name types:
GSS_KRB5_NT_PRINCIPAL_NAME
GSS_KRB5_NT_USER_NAME
GSS_KRB5_NT_MACHINE_UID_NAME
GSS_KRB5_NT_STRING_UID_NAME
In GSS-API, names have two forms, internal names and contiguous string names.
Internal
name
and
mechanism
name
Internal names are implementation specific representation of
a GSS-API name.
Mechanism
names
special form of internal names corresponds to one and only one mechanism.
In GSS-API an internal name is stored in a
gss_name_t
.
Contiguous
string
name
and
exported
name
Contiguous string names are gssapi names stored in a
OCTET
STRING
that together with a name type identifier (OID) uniquely specifies a
gss-name.
A special form of the contiguous string name is the exported name that
have a OID embedded in the string to make it unique.
Exported name have the nametype
GSS_C_NT_EXPORT_NAME
.
In GSS-API an contiguous string name is stored in a
gss_buffer_t
.
Exported names also have the property that they are specified by the mechanism itself and compatible between diffrent GSS-API implementations.
To compare two internal names with each other, import (if needed) the
names with
gss_import_name()
into the GSS-API implementation and the compare the imported name with
gss_compare_name(
).
Importing names can be slow, so when its possible to store exported names in the access control list, comparing contiguous string name might be better.
when comparing contiguous string name, first export them into a
GSS_C_NT_EXPORT_NAME
name with
gss_export_name()
and then compare with
memcmp(3).
Note that there are might be a difference between the two methods of
comparing names.
The first (using
gss_compare_name())
will compare to (unauthenticated) names are the same.
The second will compare if a mechanism will authenticate them as the
same principal.
For example, if
gss_import_name()
name was used with
GSS_C_NO_OID
the default syntax is used for all mechanism the GSS-API
implementation supports.
When compare the imported name of
GSS_C_NO_OID
it may match serveral mechanism names (MN).
The resulting name from
gss_display_name()
must not be used for acccess control.
)
takes the gss name in
input_name
and puts a printable form in
output_name_buffer
.
output_name_buffer
should be freed when done using
gss_release_buffer(
).
output_name_type
can either be
NULL
or a pointer to a
gss_OID
and will in the latter case contain the OID type of the name.
The name must only be used for printing.
If access control is needed, see section
ACCESS CONTROL.
gss_inquire_context()
returns information about the context.
Information is available even after the context have expired.
lifetime_rec
argument is set to
GSS_C_INDEFINITE
(dont expire) or the number of seconds that the context is still valid.
A value of 0 means that the context is expired.
mech_type
argument should be considered readonly and must not be released.
src_name
and
dest_name()
are both mechanims names and must be released with
gss_release_name(
)
when no longer used.
gss_context_time
will return the amount of time (in seconds) of the context is still
valid.
If its expired
time_rec
will be set to 0 and
GSS_S_CONTEXT_EXPIRED
returned.
gss_sign(),
gss_verify(
),
gss_seal(
),
and
gss_unseal(
)
are part of the GSS-API V1 interface and are obsolete.
The functions should not be used for new applications.
They are provided so that version 1 applications can link against the
library.
)
sets the internal kerberos 5 credential cache name to
name
.
The old name is returned in
old_name
,
and must not be freed.
The data allocated for
old_name
is free upon next call to
gss_krb5_ccache_name(
).
This function is not threadsafe if
old_name
argument is used.
gss_krb5_copy_ccache()
will extract the krb5 credentials that are transferred from the
initiator to the acceptor when using token delegation in the Kerberos
mechanism.
The acceptor receives the delegated token in the last argument to
gss_accept_sec_context(
).
gss_krb5_import_cred()
will import the krb5 credentials (both keytab and/or credential cache)
into gss credential so it can be used withing GSS-API.
The
ccache
is copied by reference and thus shared, so if the credential is destroyed
with
krb5_cc_destroy
,
all users of thep
gss_cred_id_t
returned by
gss_krb5_import_ccache()
will fail.
gsskrb5_register_acceptor_identity()
sets the Kerberos 5 filebased keytab that the acceptor will use. The
identifier
is the file name.
gsskrb5_extract_authz_data_from_sec_context()
extracts the Kerberos authorizationdata that may be stored within the
context.
Tha caller must free the returned buffer
ad_data
with
gss_release_buffer()
upon success.
gss_krb5_get_tkt_flags()
return the ticket flags for the kerberos ticket receive when
authenticating the initiator.
Only valid on the acceptor context.
gss_krb5_compat_des3_mic()
turns on or off the compatibility with older version of Heimdal using
des3 get and verify mic, this is way to programmatically set the
[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see
COMPATIBILITY section in
gssapi(3)).
If the CPP symbol
GSS_C_KRB5_COMPAT_DES3_MIC
is present,
gss_krb5_compat_des3_mic()
exists.
gss_krb5_compat_des3_mic(
)
will be removed in a later version of the GSS-API library.