Chapter 5 GSSAPI (Generic Security Services Application Programming Interface)
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
Table of Contents
- gss_accept_sec_context — Establish a security context
- gss_acquire_cred — Acquire credential handle
- gss_add_cred — Construct credentials incrementally
- gss_add_oid_set_member — Add an object identifier to a set
- gss_compare_name — Allow application to compare two internal names
- gss_canonicalize_name — Convert internal name to internal mechanism name
- gss_context_time — Check how much longer context is valid
- gss_create_empty_oid_set — Create a set containing no object identifiers
- gss_delete_sec_context — Delete a security context
- gss_display_name — Provide textual representation of opaque internal name
- gss_display_status — Convert GSSAPI status code to text for user display
- gss_duplicate_name — Create a copy of an internal name
- gss_export_name — Convert an internal mechanism name to export form
- gss_export_sec_context — Transfer a security context to another process
- gss_get_mic — Generate a cryptographic MIC for a message
- gss_import_name — Convert a printable string to an internal form
- gss_import_sec_context — Import a transferred context
- gss_indicate_mechs — Allow an application to determine which security mechanisms are available
- gss_init_sec_context — Establish a security context
- gss_inquire_context — Extract security context information
- gss_inquire_cred — Provide calling application with information about a credential
- gss_inquire_cred_by_mech — Obtain per-mechanism information about a credential
- gss_inquire_names_for_mech — Return set of supported nametypes
- gss_process_context_token — Pass a security context to the security service
- gss_release_buffer — Free storage associated with a buffer
- gss_release_cred — Mark a credential for deletion
- gss_release_name — Free storage associated with an internal name that was allocated by a GSSAPI routine
- gss_release_oid_set — Free storage associated with a gss_OID_set object
- gss_test_oid_set_member — Determine whether an object identifier is a member of the set
- gss_unwrap — Verify a message with attached MIC and decrypt message content
- gss_verify_mic — Check that a cryptographic MIC fits the applied message
- gss_wrap — Attach a MIC to a message and encrypt the message
- gss_wrap_size_limit — Check expected size of wrapped output
This chapter describes the C language bindings for the routines that make up the Generic Security Services Application Programming Interface (GSSAPI).
The GSSAPI provides security services to its callers, and is intended for implementation atop alternative underlying cryptographic mechanisms. In this manual, the underlying cryptographic mechanism is assumed to be Kerberos.
The GSSAPI allows a communicating application to authenticate the user associated with another application, to delegate rights to another application, and to apply security services such as confidentiality and integrity on a per-message basis.
There are four stages to using the GSSAPI:
The application acquires a set of credentials with which it can prove its identity to other processes.
A pair of communicating applications establish a joint security context using their credentials. The security context is a pair of GSSAPI data structures that contain shared state information.
Per-message services are invoked to apply either integrity and data origin authentication, or confidentiality, integrity, and data authentication to application data.
At the completion of a communications session, the peer applications call GSSAPI routines to delete the security context.
Routines described in this chapter are implemented in the Generic Security Service library (GSS$RTL.EXE for 64-bit interfaces, or GSS$RTL32.EXE for 32-bit interfaces) in SYS$LIBRARY.