| GSS_ACQUIRE_CRED(3) | Library Functions Manual | GSS_ACQUIRE_CRED(3) | 
gss_accept_sec_context,
  gss_acquire_cred,
  gss_add_cred,
  gss_add_oid_set_member,
  gss_canonicalize_name,
  gss_compare_name,
  gss_context_time,
  gss_create_empty_oid_set,
  gss_delete_sec_context,
  gss_display_name,
  gss_display_status,
  gss_duplicate_name,
  gss_export_name,
  gss_export_sec_context,
  gss_get_mic, gss_import_name,
  gss_import_sec_context,
  gss_indicate_mechs,
  gss_init_sec_context,
  gss_inquire_context,
  gss_inquire_cred,
  gss_inquire_cred_by_mech,
  gss_inquire_mechs_for_name,
  gss_inquire_names_for_mech,
  gss_krb5_ccache_name,
  gss_krb5_compat_des3_mic,
  gss_krb5_copy_ccache,
  gss_krb5_import_cred
  gsskrb5_extract_authz_data_from_sec_context,
  gsskrb5_register_acceptor_identity,
  gss_krb5_import_ccache,
  gss_krb5_get_tkt_flags,
  gss_process_context_token,
  gss_release_buffer,
  gss_release_cred,
  gss_release_name,
  gss_release_oid_set, gss_seal,
  gss_sign,
  gss_test_oid_set_member,
  gss_unseal, gss_unwrap,
  gss_verify, gss_verify_mic,
  gss_wrap, gss_wrap_size_limit
  —
#include <gssapi/gssapi.h>
  
  OM_uint32
  
  gss_accept_sec_context(OM_uint32 *
    minor_status, gss_ctx_id_t * context_handle,
    gss_const_cred_id_t acceptor_cred_handle,
    const gss_buffer_t input_token_buffer,
    const gss_channel_bindings_t input_chan_bindings,
    gss_name_t * src_name, gss_OID *
    mech_type, gss_buffer_t output_token,
    OM_uint32 * ret_flags, OM_uint32 *
    time_rec, gss_cred_id_t *
    delegated_cred_handle);
  
  OM_uint32
  
  gss_acquire_cred(OM_uint32 *
    minor_status, gss_const_name_t desired_name,
    OM_uint32 time_req, const gss_OID_set
    desired_mechs, gss_cred_usage_t cred_usage,
    gss_cred_id_t * output_cred_handle,
    gss_OID_set * actual_mechs, OM_uint32
    * time_rec);
OM_uint32
  
  gss_add_cred(OM_uint32
    *minor_status, gss_const_cred_id_t
    input_cred_handle, gss_const_name_t
    desired_name, const gss_OID desired_mech,
    gss_cred_usage_t cred_usage, OM_uint32
    initiator_time_req, OM_uint32 acceptor_time_req,
    gss_cred_id_t *output_cred_handle,
    gss_OID_set *actual_mechs, OM_uint32
    *initiator_time_rec, OM_uint32
    *acceptor_time_rec);
OM_uint32
  
  gss_add_oid_set_member(OM_uint32 *
    minor_status, const gss_OID member_oid,
    gss_OID_set * oid_set);
OM_uint32
  
  gss_canonicalize_name(OM_uint32 *
    minor_status, gss_const_name_t input_name,
    const gss_OID mech_type, gss_name_t *
    output_name);
OM_uint32
  
  gss_compare_name(OM_uint32 *
    minor_status, gss_const_name_t name1,
    gss_const_name_t name2, int *
    name_equal);
OM_uint32
  
  gss_context_time(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    OM_uint32 * time_rec);
OM_uint32
  
  gss_create_empty_oid_set(OM_uint32 *
    minor_status, gss_OID_set * oid_set);
OM_uint32
  
  gss_delete_sec_context(OM_uint32 *
    minor_status, gss_ctx_id_t * context_handle,
    gss_buffer_t output_token);
OM_uint32
  
  gss_display_name(OM_uint32 *
    minor_status, gss_const_name_t input_name,
    gss_buffer_t output_name_buffer,
    gss_OID * output_name_type);
OM_uint32
  
  gss_display_status(OM_uint32
    *minor_status, OM_uint32 status_value,
    int status_type, const gss_OID
    mech_type, OM_uint32 *message_context,
    gss_buffer_t status_string);
OM_uint32
  
  gss_duplicate_name(OM_uint32 *
    minor_status, gss_const_name_t src_name,
    gss_name_t * dest_name);
OM_uint32
  
  gss_export_name(OM_uint32 *
    minor_status, gss_const_name_t input_name,
    gss_buffer_t exported_name);
OM_uint32
  
  gss_export_sec_context(OM_uint32 *
    minor_status, gss_ctx_id_t * context_handle,
    gss_buffer_t interprocess_token);
OM_uint32
  
  gss_get_mic(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    gss_qop_t qop_req, const gss_buffer_t
    message_buffer, gss_buffer_t message_token);
OM_uint32
  
  gss_import_name(OM_uint32 *
    minor_status, const gss_buffer_t
    input_name_buffer, const gss_OID
    input_name_type, gss_name_t * output_name);
OM_uint32
  
  gss_import_sec_context(OM_uint32 *
    minor_status, const gss_buffer_t
    interprocess_token, gss_ctx_id_t *
    context_handle);
OM_uint32
  
  gss_indicate_mechs(OM_uint32 *
    minor_status, gss_OID_set * mech_set);
OM_uint32
  
  gss_init_sec_context(OM_uint32 *
    minor_status, gss_const_cred_id_t
    initiator_cred_handle, gss_ctx_id_t *
    context_handle, gss_const_name_t target_name,
    const gss_OID mech_type, OM_uint32
    req_flags, OM_uint32 time_req,
    const gss_channel_bindings_t input_chan_bindings,
    const gss_buffer_t input_token,
    gss_OID * actual_mech_type,
    gss_buffer_t output_token, OM_uint32 *
    ret_flags, OM_uint32 * time_rec);
OM_uint32
  
  gss_inquire_context(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    gss_name_t * src_name, gss_name_t *
    targ_name, OM_uint32 * lifetime_rec,
    gss_OID * mech_type, OM_uint32 *
    ctx_flags, int * locally_initiated,
    int * open_context);
OM_uint32
  
  gss_inquire_cred(OM_uint32 *
    minor_status, gss_const_cred_id_t cred_handle,
    gss_name_t * name, OM_uint32 *
    lifetime, gss_cred_usage_t * cred_usage,
    gss_OID_set * mechanisms);
OM_uint32
  
  gss_inquire_cred_by_mech(OM_uint32 *
    minor_status, gss_const_cred_id_t cred_handle,
    const gss_OID mech_type, gss_name_t *
    name, OM_uint32 * initiator_lifetime,
    OM_uint32 * acceptor_lifetime,
    gss_cred_usage_t * cred_usage);
OM_uint32
  
  gss_inquire_mechs_for_name(OM_uint32 *
    minor_status, gss_const_name_t input_name,
    gss_OID_set * mech_types);
OM_uint32
  
  gss_inquire_names_for_mech(OM_uint32 *
    minor_status, const gss_OID mechanism,
    gss_OID_set * name_types);
OM_uint32
  
  gss_krb5_ccache_name(OM_uint32
    *minor, const char *name, const
    char **old_name);
OM_uint32
  
  gss_krb5_copy_ccache(OM_uint32
    *minor, gss_cred_id_t cred,
    krb5_ccache out);
OM_uint32
  
  gss_krb5_import_cred(OM_uint32
    *minor_status, krb5_ccache id,
    krb5_principal keytab_principal,
    krb5_keytab keytab, gss_cred_id_t
    *cred);
OM_uint32
  
  gss_krb5_compat_des3_mic(OM_uint32 *
    minor_status, gss_ctx_id_t context_handle,
    int onoff);
OM_uint32
  
  gsskrb5_extract_authz_data_from_sec_context(OM_uint32
    *minor_status, gss_ctx_id_t context_handle,
    int ad_type, gss_buffer_t
    ad_data);
OM_uint32
  
  gsskrb5_register_acceptor_identity(const
    char *identity);
OM_uint32
  
  gss_krb5_import_cache(OM_uint32
    *minor, krb5_ccache id,
    krb5_keytab keytab, gss_cred_id_t
    *cred);
OM_uint32
  
  gss_krb5_get_tkt_flags(OM_uint32
    *minor_status, gss_ctx_id_t context_handle,
    OM_uint32 *tkt_flags);
OM_uint32
  
  gss_process_context_token(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    const gss_buffer_t token_buffer);
OM_uint32
  
  gss_release_buffer(OM_uint32 *
    minor_status, gss_buffer_t buffer);
OM_uint32
  
  gss_release_cred(OM_uint32 *
    minor_status, gss_cred_id_t * cred_handle);
OM_uint32
  
  gss_release_name(OM_uint32 *
    minor_status, gss_name_t * input_name);
OM_uint32
  
  gss_release_oid_set(OM_uint32 *
    minor_status, gss_OID_set * set);
OM_uint32
  
  gss_seal(OM_uint32 *
    minor_status, gss_ctx_id_t context_handle,
    int conf_req_flag, int qop_req,
    gss_buffer_t input_message_buffer, int
    * conf_state, gss_buffer_t
    output_message_buffer);
OM_uint32
  
  gss_sign(OM_uint32 *
    minor_status, gss_ctx_id_t context_handle,
    int qop_req, gss_buffer_t
    message_buffer, gss_buffer_t message_token);
OM_uint32
  
  gss_test_oid_set_member(OM_uint32 *
    minor_status, const gss_OID member,
    const gss_OID_set set, int *
    present);
OM_uint32
  
  gss_unseal(OM_uint32 *
    minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer,
    gss_buffer_t output_message_buffer,
    int * conf_state, int *
    qop_state);
OM_uint32
  
  gss_unwrap(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    const gss_buffer_t input_message_buffer,
    gss_buffer_t output_message_buffer,
    int * conf_state, gss_qop_t *
    qop_state);
OM_uint32
  
  gss_verify(OM_uint32 *
    minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t message_buffer,
    gss_buffer_t token_buffer, int *
    qop_state);
OM_uint32
  
  gss_verify_mic(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    const gss_buffer_t message_buffer,
    const gss_buffer_t token_buffer,
    gss_qop_t * qop_state);
OM_uint32
  
  gss_wrap(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    int conf_req_flag, gss_qop_t
    qop_req, const gss_buffer_t
    input_message_buffer, int * conf_state,
    gss_buffer_t output_message_buffer);
OM_uint32
  
  gss_wrap_size_limit(OM_uint32 *
    minor_status, gss_const_ctx_id_t context_handle,
    int conf_req_flag, gss_qop_t
    qop_req, OM_uint32 req_output_size,
    OM_uint32 * max_input_size);
RFC2743 and
  RFC2744. Version 1 (deprecated) of the C binding is
  described in RFC1509.
Heimdals GSS-API implementation supports the following mechanisms
GSS-API have generic name types that all mechanism are supposed to implement (if possible):
GSS_C_NT_USER_NAMEGSS_C_NT_MACHINE_UID_NAMEGSS_C_NT_STRING_UID_NAMEGSS_C_NT_HOSTBASED_SERVICEGSS_C_NT_ANONYMOUSGSS_C_NT_EXPORT_NAMEGSS-API implementations that supports Kerberos 5 have some additional name types:
GSS_KRB5_NT_PRINCIPAL_NAMEGSS_KRB5_NT_USER_NAMEGSS_KRB5_NT_MACHINE_UID_NAMEGSS_KRB5_NT_STRING_UID_NAMEIn GSS-API, names have two forms, internal names and contiguous string names.
Internal
      name and mechanism name
    Internal names are implementation specific representation of a
        GSS-API name. Mechanism names special form of
        internal names corresponds to one and only one mechanism.
In GSS-API an internal name is stored in a
        gss_name_t.
Contiguous
      string name and exported name
    Contiguous string names are gssapi names stored in a
        OCTET STRING that together with a name type
        identifier (OID) uniquely specifies a gss-name. A special form of the
        contiguous string name is the exported name that have a OID embedded in
        the string to make it unique. Exported name have the nametype
        GSS_C_NT_EXPORT_NAME.
In GSS-API an contiguous string name is stored in a
        gss_buffer_t.
Exported names also have the property that they are specified by the mechanism itself and compatible between different GSS-API implementations.
To compare two internal names with each other, import (if needed)
    the names with gss_import_name() into the GSS-API
    implementation and the compare the imported name with
    gss_compare_name().
Importing names can be slow, so when its possible to store exported names in the access control list, comparing contiguous string name might be better.
when comparing contiguous string name, first export them into a
    GSS_C_NT_EXPORT_NAME name with
    gss_export_name() and then compare with
    memcmp(3).
Note that there are might be a difference between the two methods
    of comparing names. The first (using
    gss_compare_name()) will compare to
    (unauthenticated) names are the same. The second will compare if a mechanism
    will authenticate them as the same principal.
For example, if gss_import_name() name was
    used with GSS_C_NO_OID the default syntax is used
    for all mechanism the GSS-API implementation supports. When compare the
    imported name of GSS_C_NO_OID it may match several
    mechanism names (MN).
The resulting name from gss_display_name()
    must not be used for acccess control.
gss_display_name() takes the gss name in
  input_name and puts a printable form in
  output_name_buffer.
  output_name_buffer should be freed when done using
  gss_release_buffer().
  output_name_type can either be
  NULL or a pointer to a gss_OID
  and will in the latter case contain the OID type of the name. The name must
  only be used for printing. If access control is needed, see section
  ACCESS CONTROL.
gss_inquire_context() returns information
    about the context. Information is available even after the context have
    expired. lifetime_rec argument is set to
    GSS_C_INDEFINITE (don't expire) or the number of
    seconds that the context is still valid. A value of 0 means that the context
    is expired. mech_type argument should be considered
    readonly and must not be released. src_name and
    dest_name() are both mechanims names and must be
    released with gss_release_name() when no longer
    used.
gss_context_time will return the amount of
    time (in seconds) of the context is still valid. If its expired
    time_rec will be set to 0 and
    GSS_S_CONTEXT_EXPIRED returned.
gss_sign(),
    gss_verify(), gss_seal(),
    and gss_unseal() are part of the GSS-API V1
    interface and are obsolete. The functions should not be used for new
    applications. They are provided so that version 1 applications can link
    against the library.
gss_krb5_ccache_name() sets the internal kerberos 5
  credential cache name to name. The old name is returned
  in old_name, and must not be freed. The data allocated
  for old_name is free upon next call to
  gss_krb5_ccache_name(). This function is not
  threadsafe if old_name argument is used.
gss_krb5_copy_ccache() will extract the
    krb5 credentials that are transferred from the initiator to the acceptor
    when using token delegation in the Kerberos mechanism. The acceptor receives
    the delegated token in the last argument to
    gss_accept_sec_context().
gss_krb5_import_cred() will import the
    krb5 credentials (both keytab and/or credential cache) into gss credential
    so it can be used withing GSS-API. The ccache is
    copied by reference and thus shared, so if the credential is destroyed with
    krb5_cc_destroy, all users of thep
    gss_cred_id_t returned by
    gss_krb5_import_ccache() will fail.
gsskrb5_register_acceptor_identity() sets
    the Kerberos 5 filebased keytab that the acceptor will use. The
    identifier is the file name.
gsskrb5_extract_authz_data_from_sec_context()
    extracts the Kerberos authorizationdata that may be stored within the
    context. Tha caller must free the returned buffer
    ad_data with
    gss_release_buffer() upon success.
gss_krb5_get_tkt_flags() return the ticket
    flags for the kerberos ticket receive when authenticating the initiator.
    Only valid on the acceptor context.
gss_krb5_compat_des3_mic() turns on or off
    the compatibility with older version of Heimdal using des3 get and verify
    mic, this is way to programmatically set the [gssapi]broken_des3_mic and
    [gssapi]correct_des3_mic flags (see COMPATIBILITY section in
    gssapi(3)). If the CPP symbol
    GSS_C_KRB5_COMPAT_DES3_MIC is present,
    gss_krb5_compat_des3_mic() exists.
    gss_krb5_compat_des3_mic() will be removed in a
    later version of the GSS-API library.
| October 26, 2005 | NetBSD 9.4 |