1c0b9f4feSDoug Rabson.\" -*- nroff -*- 2c0b9f4feSDoug Rabson.\" 3c0b9f4feSDoug Rabson.\" Copyright (c) 2005 Doug Rabson 4c0b9f4feSDoug Rabson.\" All rights reserved. 5c0b9f4feSDoug Rabson.\" 6c0b9f4feSDoug Rabson.\" Redistribution and use in source and binary forms, with or without 7c0b9f4feSDoug Rabson.\" modification, are permitted provided that the following conditions 8c0b9f4feSDoug Rabson.\" are met: 9c0b9f4feSDoug Rabson.\" 1. Redistributions of source code must retain the above copyright 10c0b9f4feSDoug Rabson.\" notice, this list of conditions and the following disclaimer. 11c0b9f4feSDoug Rabson.\" 2. Redistributions in binary form must reproduce the above copyright 12c0b9f4feSDoug Rabson.\" notice, this list of conditions and the following disclaimer in the 13c0b9f4feSDoug Rabson.\" documentation and/or other materials provided with the distribution. 14c0b9f4feSDoug Rabson.\" 15c0b9f4feSDoug Rabson.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16c0b9f4feSDoug Rabson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17c0b9f4feSDoug Rabson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18c0b9f4feSDoug Rabson.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19c0b9f4feSDoug Rabson.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20c0b9f4feSDoug Rabson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21c0b9f4feSDoug Rabson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22c0b9f4feSDoug Rabson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23c0b9f4feSDoug Rabson.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24c0b9f4feSDoug Rabson.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25c0b9f4feSDoug Rabson.\" SUCH DAMAGE. 26c0b9f4feSDoug Rabson.\" 27c0b9f4feSDoug Rabson.\" The following commands are required for all man pages. 28d76ba3efSGavin Atkinson.Dd January 26, 2010 29c0b9f4feSDoug Rabson.Dt GSS_ACCEPT_SEC_CONTEXT 3 PRM 30aa12cea2SUlrich Spörlein.Os 31c0b9f4feSDoug Rabson.Sh NAME 32c0b9f4feSDoug Rabson.Nm gss_accept_sec_context 33c0b9f4feSDoug Rabson.Nd Accept a security context initiated by a peer application 34c0b9f4feSDoug Rabson.\" This next command is for sections 2 and 3 only. 35c0b9f4feSDoug Rabson.\" .Sh LIBRARY 36c0b9f4feSDoug Rabson.Sh SYNOPSIS 37c0b9f4feSDoug Rabson.In "gssapi/gssapi.h" 38c0b9f4feSDoug Rabson.Ft OM_uint32 39c0b9f4feSDoug Rabson.Fo gss_accept_sec_context 40c2965cd1SJoel Dahl.Fa "OM_uint32 *minor_status" 41c0b9f4feSDoug Rabson.Fa "gss_ctx_id_t *context_handle" 42c0b9f4feSDoug Rabson.Fa "const gss_cred_id_t acceptor_cred_handle" 43c0b9f4feSDoug Rabson.Fa "const gss_buffer_t input_token_buffer" 44c0b9f4feSDoug Rabson.Fa "const gss_channel_bindings_t input_chan_bindings" 45c0b9f4feSDoug Rabson.Fa "const gss_name_t *src_name" 46c0b9f4feSDoug Rabson.Fa "gss_OID *mech_type" 47c0b9f4feSDoug Rabson.Fa "gss_buffer_t output_token" 48c0b9f4feSDoug Rabson.Fa "OM_uint32 *ret_flags" 49c0b9f4feSDoug Rabson.Fa "OM_uint32 *time_rec" 50c0b9f4feSDoug Rabson.Fa "gss_cred_id_t *delegated_cred_handle" 51c0b9f4feSDoug Rabson.Fc 52c0b9f4feSDoug Rabson.Sh DESCRIPTION 53*3d265fceSGordon BerglingAllows a remotely initiated security context between the application and a remote 54*3d265fceSGordon Berglingpeer to be established. 55*3d265fceSGordon BerglingThe routine may return a 56c0b9f4feSDoug Rabson.Fa output_token 57c0b9f4feSDoug Rabsonwhich should be transferred to the peer application, 58c0b9f4feSDoug Rabsonwhere the peer application will present it to 59c0b9f4feSDoug Rabson.Xr gss_init_sec_context 3 . 60c0b9f4feSDoug RabsonIf no token need be sent, 61c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 62c0b9f4feSDoug Rabsonwill indicate this 63c0b9f4feSDoug Rabsonby setting the length field of the 64c0b9f4feSDoug Rabson.Fa output_token 65c0b9f4feSDoug Rabsonargument to zero. 66c0b9f4feSDoug RabsonTo complete the context establishment, one or more reply tokens may be 67c0b9f4feSDoug Rabsonrequired from the peer application; if so, 68c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 69c0b9f4feSDoug Rabsonwill return a status flag of 70c0b9f4feSDoug Rabson.Dv GSS_S_CONTINUE_NEEDED , in which case it 71c0b9f4feSDoug Rabsonshould be called again when the reply token is received from the peer 72c0b9f4feSDoug Rabsonapplication, passing the token to 73c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 74c0b9f4feSDoug Rabsonvia the 75c0b9f4feSDoug Rabson.Fa input_token 76c0b9f4feSDoug Rabsonparameters. 77c0b9f4feSDoug Rabson.Pp 78c0b9f4feSDoug RabsonPortable applications should be constructed to use the token length 79c0b9f4feSDoug Rabsonand return status to determine whether a token needs to be sent or 80*3d265fceSGordon Berglingwaited for. 81*3d265fceSGordon BerglingThus a typical portable caller should always invoke 82c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 83c0b9f4feSDoug Rabsonwithin a loop: 84c0b9f4feSDoug Rabson.Bd -literal 85c0b9f4feSDoug Rabsongss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; 86c0b9f4feSDoug Rabson 87c0b9f4feSDoug Rabsondo { 88c0b9f4feSDoug Rabson receive_token_from_peer(input_token); 89c0b9f4feSDoug Rabson maj_stat = gss_accept_sec_context(&min_stat, 90c0b9f4feSDoug Rabson &context_hdl, 91c0b9f4feSDoug Rabson cred_hdl, 92c0b9f4feSDoug Rabson input_token, 93c0b9f4feSDoug Rabson input_bindings, 94c0b9f4feSDoug Rabson &client_name, 95c0b9f4feSDoug Rabson &mech_type, 96c0b9f4feSDoug Rabson output_token, 97c0b9f4feSDoug Rabson &ret_flags, 98c0b9f4feSDoug Rabson &time_rec, 99c0b9f4feSDoug Rabson &deleg_cred); 100c0b9f4feSDoug Rabson if (GSS_ERROR(maj_stat)) { 101c0b9f4feSDoug Rabson report_error(maj_stat, min_stat); 102c0b9f4feSDoug Rabson }; 103c0b9f4feSDoug Rabson if (output_token->length != 0) { 104c0b9f4feSDoug Rabson send_token_to_peer(output_token); 105c0b9f4feSDoug Rabson 106c0b9f4feSDoug Rabson gss_release_buffer(&min_stat, output_token); 107c0b9f4feSDoug Rabson }; 108c0b9f4feSDoug Rabson if (GSS_ERROR(maj_stat)) { 109c0b9f4feSDoug Rabson if (context_hdl != GSS_C_NO_CONTEXT) 110c0b9f4feSDoug Rabson gss_delete_sec_context(&min_stat, 111c0b9f4feSDoug Rabson &context_hdl, 112c0b9f4feSDoug Rabson GSS_C_NO_BUFFER); 113c0b9f4feSDoug Rabson break; 114c0b9f4feSDoug Rabson }; 115c0b9f4feSDoug Rabson} while (maj_stat & GSS_S_CONTINUE_NEEDED); 116c0b9f4feSDoug Rabson.Ed 117c0b9f4feSDoug Rabson.Pp 118c0b9f4feSDoug RabsonWhenever the routine returns a major status that includes the value 119c0b9f4feSDoug Rabson.Dv GSS_S_CONTINUE_NEEDED , the context is not fully established and the 120c0b9f4feSDoug Rabsonfollowing restrictions apply to the output parameters: 121c0b9f4feSDoug Rabson.Pp 122c0b9f4feSDoug RabsonThe value returned via the 123c0b9f4feSDoug Rabson.Fa time_rec 124c2025a76SJoel Dahlparameter is undefined unless the 125c0b9f4feSDoug Rabsonaccompanying 126c0b9f4feSDoug Rabson.Fa ret_flags 127c0b9f4feSDoug Rabsonparameter contains the bit 128c0b9f4feSDoug Rabson.Dv GSS_C_PROT_READY_FLAG , indicating that per-message services may be 129c0b9f4feSDoug Rabsonapplied in advance of a successful completion status, the value 130c0b9f4feSDoug Rabsonreturned via the 131c0b9f4feSDoug Rabson.Fa mech_type 132c0b9f4feSDoug Rabsonparameter may be undefined until the 133c0b9f4feSDoug Rabsonroutine returns a major status value of 134c0b9f4feSDoug Rabson.Dv GSS_S_COMPLETE . 135c0b9f4feSDoug Rabson.Pp 136c0b9f4feSDoug RabsonThe values of the 137c0b9f4feSDoug Rabson.Dv GSS_C_DELEG_FLAG , 138c0b9f4feSDoug Rabson.Dv GSS_C_MUTUAL_FLAG , 139c0b9f4feSDoug Rabson.Dv GSS_C_REPLAY_FLAG , 140c0b9f4feSDoug Rabson.Dv GSS_C_SEQUENCE_FLAG , 141c0b9f4feSDoug Rabson.Dv GSS_C_CONF_FLAG , 142c0b9f4feSDoug Rabson.Dv GSS_C_INTEG_FLAG 143c0b9f4feSDoug Rabsonand 144c0b9f4feSDoug Rabson.Dv GSS_C_ANON_FLAG bits returned 145c0b9f4feSDoug Rabsonvia the 146c0b9f4feSDoug Rabson.Fa ret_flags 147c0b9f4feSDoug Rabsonparameter should contain the values that the 148c0b9f4feSDoug Rabsonimplementation expects would be valid if context establishment were 149c0b9f4feSDoug Rabsonto succeed. 150c0b9f4feSDoug Rabson.Pp 151c0b9f4feSDoug RabsonThe values of the 152c0b9f4feSDoug Rabson.Dv GSS_C_PROT_READY_FLAG 153c0b9f4feSDoug Rabsonand 154c0b9f4feSDoug Rabson.Dv GSS_C_TRANS_FLAG bits 155c0b9f4feSDoug Rabsonwithin 156c0b9f4feSDoug Rabson.Fa ret_flags 157c0b9f4feSDoug Rabsonshould indicate the actual state at the time 158c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 159c0b9f4feSDoug Rabsonreturns, whether or not the context is fully established. 160c0b9f4feSDoug Rabson.Pp 161c0b9f4feSDoug RabsonAlthough this requires that GSS-API implementations set the 162c0b9f4feSDoug Rabson.Dv GSS_C_PROT_READY_FLAG 163c0b9f4feSDoug Rabsonin the final 164c0b9f4feSDoug Rabson.Fa ret_flags 165c0b9f4feSDoug Rabsonreturned to a caller 166c0b9f4feSDoug Rabson(i.e. when accompanied by a 167c0b9f4feSDoug Rabson.Dv GSS_S_COMPLETE 168c0b9f4feSDoug Rabsonstatus code), applications 169*3d265fceSGordon Berglingshould not rely on this behavior as the flag was not defined in Version 1 of the GSS-API. 170*3d265fceSGordon BerglingInstead, applications should be prepared to use per-message services after a 171*3d265fceSGordon Berglingsuccessful context establishment, according to the 172c0b9f4feSDoug Rabson.Dv GSS_C_INTEG_FLAG 173c0b9f4feSDoug Rabsonand 174c0b9f4feSDoug Rabson.Dv GSS_C_CONF_FLAG values. 175c0b9f4feSDoug Rabson.Pp 176c0b9f4feSDoug RabsonAll other bits within the 177c0b9f4feSDoug Rabson.Fa ret_flags 178c0b9f4feSDoug Rabsonargument should be set to zero. 179c0b9f4feSDoug RabsonWhile the routine returns 180c0b9f4feSDoug Rabson.Dv GSS_S_CONTINUE_NEEDED , the values returned 181c0b9f4feSDoug Rabsonvia the 182c0b9f4feSDoug Rabson.Fa ret_flags 183c0b9f4feSDoug Rabsonargument indicate the services that the 184c0b9f4feSDoug Rabsonimplementation expects to be available from the established context. 185c0b9f4feSDoug Rabson.Pp 186c0b9f4feSDoug RabsonIf the initial call of 187c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 188c0b9f4feSDoug Rabsonfails, the 189c0b9f4feSDoug Rabsonimplementation should not create a context object, and should leave 190c0b9f4feSDoug Rabsonthe value of the context_handle parameter set to 191c0b9f4feSDoug Rabson.Dv GSS_C_NO_CONTEXT to 192*3d265fceSGordon Berglingindicate this. 193*3d265fceSGordon BerglingIn the event of a failure on a subsequent call, the implementation is 194*3d265fceSGordon Berglingpermitted to delete the "half-built" security context (in which case it 195*3d265fceSGordon Berglingshould set the 196c0b9f4feSDoug Rabson.Fa context_handle 197c0b9f4feSDoug Rabsonparameter to 198c0b9f4feSDoug Rabson.Dv GSS_C_NO_CONTEXT ), but the preferred behavior is to leave the 199c0b9f4feSDoug Rabsonsecurity context (and the context_handle parameter) untouched for the 200c0b9f4feSDoug Rabsonapplication to delete (using 201c0b9f4feSDoug Rabson.Xr gss_delete_sec_context 3 ). 202c0b9f4feSDoug Rabson.Pp 203c0b9f4feSDoug RabsonDuring context establishment, the informational status bits 204c0b9f4feSDoug Rabson.Dv GSS_S_OLD_TOKEN 205c0b9f4feSDoug Rabsonand 206c0b9f4feSDoug Rabson.Dv GSS_S_DUPLICATE_TOKEN 207c0b9f4feSDoug Rabsonindicate fatal errors, and 208c0b9f4feSDoug RabsonGSS-API mechanisms should always return them in association with a 209c0b9f4feSDoug Rabsonroutine error of 210c0b9f4feSDoug Rabson.Dv GSS_S_FAILURE . This requirement for pairing did not 211c0b9f4feSDoug Rabsonexist in version 1 of the GSS-API specification, so applications that 212c0b9f4feSDoug Rabsonwish to run over version 1 implementations must special-case these 213c0b9f4feSDoug Rabsoncodes. 214c0b9f4feSDoug Rabson.Sh PARAMETERS 2156a557179SJoel Dahl.Bl -tag -width ".It input_chan_bindings" 216c0b9f4feSDoug Rabson.It context_handle 217c0b9f4feSDoug RabsonContext handle for new context. 218c0b9f4feSDoug RabsonSupply 219c0b9f4feSDoug Rabson.Dv GSS_C_NO_CONTEXT for first 220c0b9f4feSDoug Rabsoncall; use value returned in subsequent calls. 221c0b9f4feSDoug RabsonOnce 222c0b9f4feSDoug Rabson.Fn gss_accept_sec_context 223c0b9f4feSDoug Rabsonhas returned a 224c0b9f4feSDoug Rabsonvalue via this parameter, resources have been 225c0b9f4feSDoug Rabsonassigned to the corresponding context, and must 226c0b9f4feSDoug Rabsonbe freed by the application after use with a 227c0b9f4feSDoug Rabsoncall to 228c0b9f4feSDoug Rabson.Xr gss_delete_sec_context 3 . 229c0b9f4feSDoug Rabson.It acceptor_cred_handle 230c0b9f4feSDoug RabsonCredential handle claimed by context acceptor. 231c0b9f4feSDoug RabsonSpecify 232c0b9f4feSDoug Rabson.Dv GSS_C_NO_CREDENTIAL to accept the context as a 233c0b9f4feSDoug Rabsondefault principal. 234c0b9f4feSDoug RabsonIf 235c0b9f4feSDoug Rabson.Dv GSS_C_NO_CREDENTIAL is 236c0b9f4feSDoug Rabsonspecified, but no default acceptor principal is 237c0b9f4feSDoug Rabsondefined, 238c0b9f4feSDoug Rabson.Dv GSS_S_NO_CRED will be returned. 239c0b9f4feSDoug Rabson.It input_token_buffer 240c0b9f4feSDoug RabsonToken obtained from remote application. 241c0b9f4feSDoug Rabson.It input_chan_bindings 242c0b9f4feSDoug RabsonApplication-specified bindings. 243c0b9f4feSDoug RabsonAllows application to securely bind channel identification information 244c0b9f4feSDoug Rabsonto the security context. 245c0b9f4feSDoug RabsonIf channel bindings are not used, specify 246c0b9f4feSDoug Rabson.Dv GSS_C_NO_CHANNEL_BINDINGS . 247c0b9f4feSDoug Rabson.It src_name 248c0b9f4feSDoug RabsonAuthenticated name of context initiator. 249c0b9f4feSDoug RabsonAfter use, this name should be deallocated by passing it to 250c0b9f4feSDoug Rabson.Xr gss_release_name 3 . 251c0b9f4feSDoug RabsonIf not required, specify 252c0b9f4feSDoug Rabson.Dv NULL . 253c0b9f4feSDoug Rabson.It mech_type 254c0b9f4feSDoug RabsonSecurity mechanism used. 255c0b9f4feSDoug RabsonThe returned OID value will be a pointer into static storage, 256c0b9f4feSDoug Rabsonand should be treated as read-only by the caller 257c0b9f4feSDoug Rabson(in particular, it does not need to be freed). 258c0b9f4feSDoug RabsonIf not required, specify 259c0b9f4feSDoug Rabson.Dv NULL . 260c0b9f4feSDoug Rabson.It output_token 261c0b9f4feSDoug RabsonToken to be passed to peer application. 262c0b9f4feSDoug RabsonIf the length field of the returned token buffer is 0, 263c0b9f4feSDoug Rabsonthen no token need be passed to the peer application. 264c0b9f4feSDoug RabsonIf a non-zero length field is returned, 265c0b9f4feSDoug Rabsonthe associated storage must be freed after use by the 266c0b9f4feSDoug Rabsonapplication with a call to 267c0b9f4feSDoug Rabson.Xr gss_release_buffer 3 . 268c0b9f4feSDoug Rabson.It ret_flags 269c0b9f4feSDoug RabsonContains various independent flags, 270c0b9f4feSDoug Rabsoneach of which indicates that the context supports a specific service option. 271c0b9f4feSDoug RabsonIf not needed, specify 272c0b9f4feSDoug Rabson.Dv NULL . 273c0b9f4feSDoug RabsonSymbolic names are provided for each flag, 274c0b9f4feSDoug Rabsonand the symbolic names corresponding to the required flags should be 275c0b9f4feSDoug Rabsonlogically-ANDed with the 276c0b9f4feSDoug Rabson.Fa ret_flags 277c0b9f4feSDoug Rabsonvalue to test whether a given option is supported by the context. 278c0b9f4feSDoug RabsonThe flags are: 279c0b9f4feSDoug Rabson.Bl -tag -width "WW" 280c0b9f4feSDoug Rabson.It GSS_C_DELEG_FLAG 281c0b9f4feSDoug Rabson.Bl -tag -width "False" 282c0b9f4feSDoug Rabson.It True 283c0b9f4feSDoug RabsonDelegated credentials are available via the delegated_cred_handle parameter 284c0b9f4feSDoug Rabson.It False 285c0b9f4feSDoug RabsonNo credentials were delegated 286c0b9f4feSDoug Rabson.El 287c0b9f4feSDoug Rabson.It GSS_C_MUTUAL_FLAG 288c0b9f4feSDoug Rabson.Bl -tag -width "False" 289c0b9f4feSDoug Rabson.It True 290c0b9f4feSDoug RabsonRemote peer asked for mutual authentication 291c0b9f4feSDoug Rabson.It False 292c0b9f4feSDoug RabsonRemote peer did not ask for mutual authentication 293c0b9f4feSDoug Rabson.El 294c0b9f4feSDoug Rabson.It GSS_C_REPLAY_FLAG 295c0b9f4feSDoug Rabson.Bl -tag -width "False" 296c0b9f4feSDoug Rabson.It True 297c0b9f4feSDoug RabsonReplay of protected messages will be detected 298c0b9f4feSDoug Rabson.It False 299c0b9f4feSDoug RabsonReplayed messages will not be detected 300c0b9f4feSDoug Rabson.El 301c0b9f4feSDoug Rabson.It GSS_C_SEQUENCE_FLAG 302c0b9f4feSDoug Rabson.Bl -tag -width "False" 303c0b9f4feSDoug Rabson.It True 304c0b9f4feSDoug RabsonOut-of-sequence protected messages will be detected 305c0b9f4feSDoug Rabson.It False 306c0b9f4feSDoug RabsonOut-of-sequence messages will not be detected 307c0b9f4feSDoug Rabson.El 308c0b9f4feSDoug Rabson.It GSS_C_CONF_FLAG 309c0b9f4feSDoug Rabson.Bl -tag -width "False" 310c0b9f4feSDoug Rabson.It True 311c0b9f4feSDoug RabsonConfidentiality service may be invoked by calling the 312c0b9f4feSDoug Rabson.Xr gss_wrap 3 313c0b9f4feSDoug Rabsonroutine 314c0b9f4feSDoug Rabson.It False 315c0b9f4feSDoug RabsonNo confidentiality service (via 316c0b9f4feSDoug Rabson.Xr gss_wrap 3 ) 317c0b9f4feSDoug Rabsonavailable. 318c0b9f4feSDoug Rabson.Xr gss_wrap 3 319c0b9f4feSDoug Rabsonwill provide message encapsulation, 320c0b9f4feSDoug Rabsondata-origin authentication and integrity services only. 321c0b9f4feSDoug Rabson.El 322c0b9f4feSDoug Rabson.It GSS_C_INTEG_FLAG 323c0b9f4feSDoug Rabson.Bl -tag -width "False" 324c0b9f4feSDoug Rabson.It True 325c0b9f4feSDoug RabsonIntegrity service may be invoked by calling either 326c0b9f4feSDoug Rabson.Xr gss_get_mic 3 327c0b9f4feSDoug Rabsonor 328c0b9f4feSDoug Rabson.Xr gss_wrap 3 329c0b9f4feSDoug Rabsonroutines. 330c0b9f4feSDoug Rabson.It False 331c0b9f4feSDoug RabsonPer-message integrity service unavailable. 332c0b9f4feSDoug Rabson.El 333c0b9f4feSDoug Rabson.It GSS_C_ANON_FLAG 334c0b9f4feSDoug Rabson.Bl -tag -width "False" 335c0b9f4feSDoug Rabson.It True 336c0b9f4feSDoug RabsonThe initiator does not wish to be authenticated; the 337c0b9f4feSDoug Rabson.Fa src_name 338c0b9f4feSDoug Rabsonparameter (if requested) contains an anonymous internal name. 339c0b9f4feSDoug Rabson.It False 340c0b9f4feSDoug RabsonThe initiator has been authenticated normally. 341c0b9f4feSDoug Rabson.El 342c0b9f4feSDoug Rabson.It GSS_C_PROT_READY_FLAG 343c0b9f4feSDoug Rabson.Bl -tag -width "False" 344c0b9f4feSDoug Rabson.It True 345c0b9f4feSDoug RabsonProtection services (as specified by the states of the 346c0b9f4feSDoug Rabson.Dv GSS_C_CONF_FLAG 347c0b9f4feSDoug Rabsonand 348c0b9f4feSDoug Rabson.Dv GSS_C_INTEG_FLAG ) 349c0b9f4feSDoug Rabsonare available if the accompanying major status return value is either 350c0b9f4feSDoug Rabson.Dv GSS_S_COMPLETE 351c0b9f4feSDoug Rabsonor 352c0b9f4feSDoug Rabson.Dv GSS_S_CONTINUE_NEEDED. 353c0b9f4feSDoug Rabson.It False 354c0b9f4feSDoug RabsonProtection services (as specified by the states of the 355c0b9f4feSDoug Rabson.Dv GSS_C_CONF_FLAG 356c0b9f4feSDoug Rabsonand 357c0b9f4feSDoug Rabson.Dv GSS_C_INTEG_FLAG ) 358c0b9f4feSDoug Rabsonare available only if the accompanying major status return value is 359c0b9f4feSDoug Rabson.Dv GSS_S_COMPLETE . 360c0b9f4feSDoug Rabson.El 361c0b9f4feSDoug Rabson.It GSS_C_TRANS_FLAG 362c0b9f4feSDoug Rabson.Bl -tag -width "False" 363c0b9f4feSDoug Rabson.It True 364c0b9f4feSDoug RabsonThe resultant security context may be transferred to other processes 365c0b9f4feSDoug Rabsonvia a call to 366c0b9f4feSDoug Rabson.Xr gss_export_sec_context 3 . 367c0b9f4feSDoug Rabson.It False 368c0b9f4feSDoug RabsonThe security context is not transferable. 369c0b9f4feSDoug Rabson.El 370c0b9f4feSDoug Rabson.El 371c0b9f4feSDoug Rabson.Pp 372c0b9f4feSDoug RabsonAll other bits should be set to zero. 373c0b9f4feSDoug Rabson.It time_rec 374c0b9f4feSDoug RabsonNumber of seconds for which the context will remain valid. 375c0b9f4feSDoug RabsonSpecify 376c0b9f4feSDoug Rabson.Dv NULL 377c0b9f4feSDoug Rabsonif not required. 378c0b9f4feSDoug Rabson.It delegated_cred_handle 379c0b9f4feSDoug RabsonCredential 380c0b9f4feSDoug Rabsonhandle for credentials received from context initiator. 381c0b9f4feSDoug RabsonOnly valid if 382c0b9f4feSDoug Rabson.Dv GSS_C_DELEG_FLAG 383c0b9f4feSDoug Rabsonin 384c0b9f4feSDoug Rabson.Fa ret_flags 385c0b9f4feSDoug Rabsonis true, 386c0b9f4feSDoug Rabsonin which case an explicit credential handle 387c0b9f4feSDoug Rabson(i.e. not 388c0b9f4feSDoug Rabson.Dv GSS_C_NO_CREDENTIAL ) 389c0b9f4feSDoug Rabsonwill be returned; if false, 390c0b9f4feSDoug Rabson.Fn gss_accept_context 391c0b9f4feSDoug Rabsonwill set this parameter to 392c0b9f4feSDoug Rabson.Dv GSS_C_NO_CREDENTIAL . 393c0b9f4feSDoug RabsonIf a credential handle is returned, 394c0b9f4feSDoug Rabsonthe associated resources must be released by the application after use 395c0b9f4feSDoug Rabsonwith a call to 396c0b9f4feSDoug Rabson.Xr gss_release_cred 3 . 397c0b9f4feSDoug RabsonSpecify 398c0b9f4feSDoug Rabson.Dv NULL if not required. 399c0b9f4feSDoug Rabson.It minor_status 400c0b9f4feSDoug RabsonMechanism specific status code. 401c0b9f4feSDoug Rabson.El 402c0b9f4feSDoug Rabson.Sh RETURN VALUES 4036a557179SJoel Dahl.Bl -tag -width ".It GSS_S_DEFECTIVE_CREDENTIAL" 404c0b9f4feSDoug Rabson.It GSS_S_CONTINUE_NEEDED 405c0b9f4feSDoug RabsonIndicates that a token from the peer application is required to 406c0b9f4feSDoug Rabsoncomplete the context, 407c0b9f4feSDoug Rabsonand that gss_accept_sec_context must be called again with that token. 408c0b9f4feSDoug Rabson.It GSS_S_DEFECTIVE_TOKEN 409c0b9f4feSDoug RabsonIndicates that consistency checks performed on the input_token failed. 410c0b9f4feSDoug Rabson.It GSS_S_DEFECTIVE_CREDENTIAL 411c0b9f4feSDoug RabsonIndicates that consistency checks performed on the credential failed. 412c0b9f4feSDoug Rabson.It GSS_S_NO_CRED 413c0b9f4feSDoug RabsonThe supplied credentials were not valid for context acceptance, 414c0b9f4feSDoug Rabsonor the credential handle did not reference any credentials. 415c0b9f4feSDoug Rabson.It GSS_S_CREDENTIALS_EXPIRED 416c0b9f4feSDoug RabsonThe referenced credentials have expired. 417c0b9f4feSDoug Rabson.It GSS_S_BAD_BINDINGS 418c0b9f4feSDoug RabsonThe input_token contains different channel bindings to those specified via the 419c0b9f4feSDoug Rabsoninput_chan_bindings parameter. 420c0b9f4feSDoug Rabson.It GSS_S_NO_CONTEXT 421c0b9f4feSDoug RabsonIndicates that the supplied context handle did not refer to a valid context. 422c0b9f4feSDoug Rabson.It GSS_S_BAD_SIG 423c0b9f4feSDoug RabsonThe input_token contains an invalid MIC. 424c0b9f4feSDoug Rabson.It GSS_S_OLD_TOKEN 425c0b9f4feSDoug RabsonThe input_token was too old. 426c0b9f4feSDoug RabsonThis is a fatal error during context establishment. 427c0b9f4feSDoug Rabson.It GSS_S_DUPLICATE_TOKEN 428c0b9f4feSDoug RabsonThe input_token is valid, 429c0b9f4feSDoug Rabsonbut is a duplicate of a token already processed. 430c0b9f4feSDoug RabsonThis is a fatal error during context establishment. 431c0b9f4feSDoug Rabson.It GSS_S_BAD_MECH 432c0b9f4feSDoug RabsonThe received token specified a mechanism that is not supported by 433c0b9f4feSDoug Rabsonthe implementation or the provided credential. 434c0b9f4feSDoug Rabson.El 435c0b9f4feSDoug Rabson.Sh SEE ALSO 436c0b9f4feSDoug Rabson.Xr gss_delete_sec_context 3 , 437c0b9f4feSDoug Rabson.Xr gss_export_sec_context 3 , 438c0b9f4feSDoug Rabson.Xr gss_get_mic 3 , 439c0b9f4feSDoug Rabson.Xr gss_init_sec_context 3 , 440c0b9f4feSDoug Rabson.Xr gss_release_buffer 3 , 441c0b9f4feSDoug Rabson.Xr gss_release_cred 3 , 442c0b9f4feSDoug Rabson.Xr gss_release_name 3 , 443c0b9f4feSDoug Rabson.Xr gss_wrap 3 444c0b9f4feSDoug Rabson.Sh STANDARDS 4456a557179SJoel Dahl.Bl -tag -width ".It RFC 2743" 446c0b9f4feSDoug Rabson.It RFC 2743 447c0b9f4feSDoug RabsonGeneric Security Service Application Program Interface Version 2, Update 1 448c0b9f4feSDoug Rabson.It RFC 2744 449c0b9f4feSDoug RabsonGeneric Security Service API Version 2 : C-bindings 450c0b9f4feSDoug Rabson.El 451c0b9f4feSDoug Rabson.Sh HISTORY 452c0b9f4feSDoug RabsonThe 453c0b9f4feSDoug Rabson.Nm 454d76ba3efSGavin Atkinsonfunction first appeared in 455c0b9f4feSDoug Rabson.Fx 7.0 . 456c0b9f4feSDoug Rabson.Sh AUTHORS 457c0b9f4feSDoug RabsonJohn Wray, Iris Associates 45860b9f20aSDoug Rabson.Sh COPYRIGHT 45960b9f20aSDoug RabsonCopyright (C) The Internet Society (2000). All Rights Reserved. 46060b9f20aSDoug Rabson.Pp 46160b9f20aSDoug RabsonThis document and translations of it may be copied and furnished to 46260b9f20aSDoug Rabsonothers, and derivative works that comment on or otherwise explain it 46360b9f20aSDoug Rabsonor assist in its implementation may be prepared, copied, published 46460b9f20aSDoug Rabsonand distributed, in whole or in part, without restriction of any 46560b9f20aSDoug Rabsonkind, provided that the above copyright notice and this paragraph are 46660b9f20aSDoug Rabsonincluded on all such copies and derivative works. However, this 46760b9f20aSDoug Rabsondocument itself may not be modified in any way, such as by removing 46860b9f20aSDoug Rabsonthe copyright notice or references to the Internet Society or other 46960b9f20aSDoug RabsonInternet organizations, except as needed for the purpose of 47060b9f20aSDoug Rabsondeveloping Internet standards in which case the procedures for 47160b9f20aSDoug Rabsoncopyrights defined in the Internet Standards process must be 47260b9f20aSDoug Rabsonfollowed, or as required to translate it into languages other than 47360b9f20aSDoug RabsonEnglish. 47460b9f20aSDoug Rabson.Pp 47560b9f20aSDoug RabsonThe limited permissions granted above are perpetual and will not be 47660b9f20aSDoug Rabsonrevoked by the Internet Society or its successors or assigns. 47760b9f20aSDoug Rabson.Pp 47860b9f20aSDoug RabsonThis document and the information contained herein is provided on an 47960b9f20aSDoug Rabson"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 48060b9f20aSDoug RabsonTASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 48160b9f20aSDoug RabsonBUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 48260b9f20aSDoug RabsonHEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 48360b9f20aSDoug RabsonMERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 484