Provided by: heimdal-dev_1.6~git20120311.dfsg.1-2_amd64 bug


     gss_accept_sec_context, gss_acquire_cred, gss_add_cred, gss_add_oid_set_member,
     gss_canonicalize_name, gss_compare_name, gss_context_time, gss_create_empty_oid_set,
     gss_delete_sec_context, gss_display_name, gss_display_status, gss_duplicate_name,
     gss_export_name, gss_export_sec_context, gss_get_mic, gss_import_name,
     gss_import_sec_context, gss_indicate_mechs, gss_init_sec_context, gss_inquire_context,
     gss_inquire_cred, gss_inquire_cred_by_mech, gss_inquire_mechs_for_name,
     gss_inquire_names_for_mech, gss_krb5_ccache_name, gss_krb5_compat_des3_mic,
     gss_krb5_copy_ccache, gss_krb5_import_cred gsskrb5_extract_authz_data_from_sec_context,
     gsskrb5_register_acceptor_identity, gss_krb5_import_ccache, gss_krb5_get_tkt_flags,
     gss_process_context_token, gss_release_buffer, gss_release_cred, gss_release_name,
     gss_release_oid_set, gss_seal, gss_sign, gss_test_oid_set_member, gss_unseal, gss_unwrap,
     gss_verify, gss_verify_mic, gss_wrap, gss_wrap_size_limit — Generic Security Service
     Application Program Interface library


     GSS-API library (libgssapi, -lgssapi)


     #include <gssapi.h>

     gss_accept_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle,
         const gss_cred_id_t acceptor_cred_handle, const gss_buffer_t input_token_buffer,
         const gss_channel_bindings_t input_chan_bindings, gss_name_t * src_name,
         gss_OID * mech_type, gss_buffer_t output_token, OM_uint32 * ret_flags,
         OM_uint32 * time_rec, gss_cred_id_t * delegated_cred_handle);

     gss_acquire_cred(OM_uint32 * minor_status, const gss_name_t desired_name,
         OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage,
         gss_cred_id_t * output_cred_handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec);

     gss_add_cred(OM_uint32 *minor_status, const gss_cred_id_t input_cred_handle,
         const gss_name_t desired_name, const gss_OID desired_mech, gss_cred_usage_t cred_usage,
         OM_uint32 initiator_time_req, OM_uint32 acceptor_time_req,
         gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs,
         OM_uint32 *initiator_time_rec, OM_uint32 *acceptor_time_rec);

     gss_add_oid_set_member(OM_uint32 * minor_status, const gss_OID member_oid,
         gss_OID_set * oid_set);

     gss_canonicalize_name(OM_uint32 * minor_status, const gss_name_t input_name,
         const gss_OID mech_type, gss_name_t * output_name);

     gss_compare_name(OM_uint32 * minor_status, const gss_name_t name1, const gss_name_t name2,
         int * name_equal);

     gss_context_time(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         OM_uint32 * time_rec);

     gss_create_empty_oid_set(OM_uint32 * minor_status, gss_OID_set * oid_set);

     gss_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle,
         gss_buffer_t output_token);

     gss_display_name(OM_uint32 * minor_status, const gss_name_t input_name,
         gss_buffer_t output_name_buffer, gss_OID * output_name_type);

     gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, int status_type,
         const gss_OID mech_type, OM_uint32 *message_context, gss_buffer_t status_string);

     gss_duplicate_name(OM_uint32 * minor_status, const gss_name_t src_name,
         gss_name_t * dest_name);

     gss_export_name(OM_uint32 * minor_status, const gss_name_t input_name,
         gss_buffer_t exported_name);

     gss_export_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle,
         gss_buffer_t interprocess_token);

     gss_get_mic(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req,
         const gss_buffer_t message_buffer, gss_buffer_t message_token);

     gss_import_name(OM_uint32 * minor_status, const gss_buffer_t input_name_buffer,
         const gss_OID input_name_type, gss_name_t * output_name);

     gss_import_sec_context(OM_uint32 * minor_status, const gss_buffer_t interprocess_token,
         gss_ctx_id_t * context_handle);

     gss_indicate_mechs(OM_uint32 * minor_status, gss_OID_set * mech_set);

     gss_init_sec_context(OM_uint32 * minor_status, const gss_cred_id_t initiator_cred_handle,
         gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type,
         OM_uint32 req_flags, OM_uint32 time_req,
         const gss_channel_bindings_t input_chan_bindings, const gss_buffer_t input_token,
         gss_OID * actual_mech_type, gss_buffer_t output_token, OM_uint32 * ret_flags,
         OM_uint32 * time_rec);

     gss_inquire_context(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         gss_name_t * src_name, gss_name_t * targ_name, OM_uint32 * lifetime_rec,
         gss_OID * mech_type, OM_uint32 * ctx_flags, int * locally_initiated,
         int * open_context);

     gss_inquire_cred(OM_uint32 * minor_status, const gss_cred_id_t cred_handle,
         gss_name_t * name, OM_uint32 * lifetime, gss_cred_usage_t * cred_usage,
         gss_OID_set * mechanisms);

     gss_inquire_cred_by_mech(OM_uint32 * minor_status, const gss_cred_id_t cred_handle,
         const gss_OID mech_type, gss_name_t * name, OM_uint32 * initiator_lifetime,
         OM_uint32 * acceptor_lifetime, gss_cred_usage_t * cred_usage);

     gss_inquire_mechs_for_name(OM_uint32 * minor_status, const gss_name_t input_name,
         gss_OID_set * mech_types);

     gss_inquire_names_for_mech(OM_uint32 * minor_status, const gss_OID mechanism,
         gss_OID_set * name_types);

     gss_krb5_ccache_name(OM_uint32 *minor, const char *name, const char **old_name);

     gss_krb5_copy_ccache(OM_uint32 *minor, gss_cred_id_t cred, krb5_ccache out);

     gss_krb5_import_cred(OM_uint32 *minor_status, krb5_ccache id,
         krb5_principal keytab_principal, krb5_keytab keytab, gss_cred_id_t *cred);

     gss_krb5_compat_des3_mic(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int onoff);

     gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
         gss_ctx_id_t context_handle, int ad_type, gss_buffer_t ad_data);

     gsskrb5_register_acceptor_identity(const char *identity);

     gss_krb5_import_cache(OM_uint32 *minor, krb5_ccache id, krb5_keytab keytab,
         gss_cred_id_t *cred);

     gss_krb5_get_tkt_flags(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
         OM_uint32 *tkt_flags);

     gss_process_context_token(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         const gss_buffer_t token_buffer);

     gss_release_buffer(OM_uint32 * minor_status, gss_buffer_t buffer);

     gss_release_cred(OM_uint32 * minor_status, gss_cred_id_t * cred_handle);

     gss_release_name(OM_uint32 * minor_status, gss_name_t * input_name);

     gss_release_oid_set(OM_uint32 * minor_status, gss_OID_set * set);

     gss_seal(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag,
         int qop_req, gss_buffer_t input_message_buffer, int * conf_state,
         gss_buffer_t output_message_buffer);

     gss_sign(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int qop_req,
         gss_buffer_t message_buffer, gss_buffer_t message_token);

     gss_test_oid_set_member(OM_uint32 * minor_status, const gss_OID member,
         const gss_OID_set set, int * present);

     gss_unseal(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
         gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state,
         int * qop_state);

     gss_unwrap(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
         int * conf_state, gss_qop_t * qop_state);

     gss_verify(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
         gss_buffer_t message_buffer, gss_buffer_t token_buffer, int * qop_state);

     gss_verify_mic(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         const gss_buffer_t message_buffer, const gss_buffer_t token_buffer,
         gss_qop_t * qop_state);

     gss_wrap(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int conf_req_flag,
         gss_qop_t qop_req, const gss_buffer_t input_message_buffer, int * conf_state,
         gss_buffer_t output_message_buffer);

     gss_wrap_size_limit(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
         int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
         OM_uint32 * max_input_size);


     Generic Security Service API (GSS-API) version 2, and its C binding, is described in RFC2743
     and RFC2744.  Version 1 (deprecated) of the C binding is described in RFC1509.

     Heimdals GSS-API implementation supports the following mechanisms



     GSS-API have generic name types that all mechanism are supposed to implement (if possible):







     GSS-API implementations that supports Kerberos 5 have some additional name types:





     In GSS-API, names have two forms, internal names and contiguous string names.

     ·   Internal name and mechanism name

         Internal names are implementation specific representation of a GSS-API name.  Mechanism
         names special form of internal names corresponds to one and only one mechanism.

         In GSS-API an internal name is stored in a gss_name_t.

     ·   Contiguous string name and exported name

         Contiguous string names are gssapi names stored in a OCTET STRING that together with a
         name type identifier (OID) uniquely specifies a gss-name.  A special form of the
         contiguous string name is the exported name that have a OID embedded in the string to
         make it unique.  Exported name have the nametype GSS_C_NT_EXPORT_NAME.

         In GSS-API an contiguous string name is stored in a gss_buffer_t.

         Exported names also have the property that they are specified by the mechanism itself
         and compatible between different GSS-API implementations.


     There are two ways of comparing GSS-API names, either comparing two internal names with each
     other or two contiguous string names with either other.

     To compare two internal names with each other, import (if needed) the names with
     gss_import_name() into the GSS-API implementation and the compare the imported name with

     Importing names can be slow, so when its possible to store exported names in the access
     control list, comparing contiguous string name might be better.

     when comparing contiguous string name, first export them into a GSS_C_NT_EXPORT_NAME name
     with gss_export_name() and then compare with memcmp(3).

     Note that there are might be a difference between the two methods of comparing names.  The
     first (using gss_compare_name()) will compare to (unauthenticated) names are the same.  The
     second will compare if a mechanism will authenticate them as the same principal.

     For example, if gss_import_name() name was used with GSS_C_NO_OID the default syntax is used
     for all mechanism the GSS-API implementation supports.  When compare the imported name of
     GSS_C_NO_OID it may match serveral mechanism names (MN).

     The resulting name from gss_display_name() must not be used for acccess control.


     gss_display_name() takes the gss name in input_name and puts a printable form in
     output_name_buffer.  output_name_buffer should be freed when done using
     gss_release_buffer().  output_name_type can either be NULL or a pointer to a gss_OID and
     will in the latter case contain the OID type of the name.  The name must only be used for
     printing.  If access control is needed, see section ACCESS CONTROL.

     gss_inquire_context() returns information about the context.  Information is available even
     after the context have expired.  lifetime_rec argument is set to GSS_C_INDEFINITE (dont
     expire) or the number of seconds that the context is still valid.  A value of 0 means that
     the context is expired.  mech_type argument should be considered readonly and must not be
     released.  src_name and dest_name() are both mechanims names and must be released with
     gss_release_name() when no longer used.

     gss_context_time will return the amount of time (in seconds) of the context is still valid.
     If its expired time_rec will be set to 0 and GSS_S_CONTEXT_EXPIRED returned.

     gss_sign(), gss_verify(), gss_seal(), and gss_unseal() are part of the GSS-API V1 interface
     and are obsolete.  The functions should not be used for new applications.  They are provided
     so that version 1 applications can link against the library.


     gss_krb5_ccache_name() sets the internal kerberos 5 credential cache name to name.  The old
     name is returned in old_name, and must not be freed.  The data allocated for old_name is
     free upon next call to gss_krb5_ccache_name().  This function is not threadsafe if old_name
     argument is used.

     gss_krb5_copy_ccache() will extract the krb5 credentials that are transferred from the
     initiator to the acceptor when using token delegation in the Kerberos mechanism.  The
     acceptor receives the delegated token in the last argument to gss_accept_sec_context().

     gss_krb5_import_cred() will import the krb5 credentials (both keytab and/or credential
     cache) into gss credential so it can be used withing GSS-API.  The ccache is copied by
     reference and thus shared, so if the credential is destroyed with krb5_cc_destroy, all users
     of thep gss_cred_id_t returned by gss_krb5_import_ccache() will fail.

     gsskrb5_register_acceptor_identity() sets the Kerberos 5 filebased keytab that the acceptor
     will use.  The identifier is the file name.

     gsskrb5_extract_authz_data_from_sec_context() extracts the Kerberos authorizationdata that
     may be stored within the context.  Tha caller must free the returned buffer ad_data with
     gss_release_buffer() upon success.

     gss_krb5_get_tkt_flags() return the ticket flags for the kerberos ticket receive when
     authenticating the initiator.  Only valid on the acceptor context.

     gss_krb5_compat_des3_mic() turns on or off the compatibility with older version of Heimdal
     using des3 get and verify mic, this is way to programmatically set the
     [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see COMPATIBILITY section in
     gssapi(3)).  If the CPP symbol GSS_C_KRB5_COMPAT_DES3_MIC is present,
     gss_krb5_compat_des3_mic() exists.  gss_krb5_compat_des3_mic() will be removed in a later
     version of the GSS-API library.


     gssapi(3), krb5(3), krb5_ccache(3), kerberos(8)