gss_accept_sec_context, gss_acquire_cred, gss_add_cred, gss_add_oid_set_member, gss_canonicalize_name,

       There are two ways of comparing GSS-API names, either comparing two internal names with each other or two
       contiguous string names with either other.

       To compare two internal names with each other, import (if needed) the names with  gss_import_name()  into
       the GSS-API implementation and the compare the imported name with gss_compare_name().

       Importing  names  can  be  slow, so when its possible to store exported names in the access control list,
       comparing contiguous string name might be better.

       when comparing  contiguous  string  name,  first  export  them  into  a  GSS_C_NT_EXPORT_NAME  name  with
       gss_export_name() and then compare with memcmp(3).

       Note  that  there are might be a difference between the two methods of comparing names.  The first (using
       gss_compare_name()) will compare to (unauthenticated) names are the same.  The second will compare  if  a
       mechanism will authenticate them as the same principal.

       For  example,  if  gss_import_name()  name  was used with GSS_C_NO_OID the default syntax is used for all
       mechanism the GSS-API implementation supports.  When compare the imported name  of  GSS_C_NO_OID  it  may
       match several mechanism names (MN).

       The resulting name from gss_display_name() must not be used for acccess control.

       Generic Security Service API (GSS-API) version 2, and its C binding, is described in RFC2743 and RFC2744.
       Version 1 (deprecated) of the C binding is described in RFC1509.

       Heimdals GSS-API implementation supports the following mechanisms

       •GSS_KRB5_MECHANISM•GSS_SPNEGO_MECHANISM

       GSS-API have generic name types that all mechanism are supposed to implement (if possible):

       •GSS_C_NT_USER_NAME•GSS_C_NT_MACHINE_UID_NAME•GSS_C_NT_STRING_UID_NAME•GSS_C_NT_HOSTBASED_SERVICE•GSS_C_NT_ANONYMOUS•GSS_C_NT_EXPORT_NAME

       GSS-API implementations that supports Kerberos 5 have some additional name types:

       •GSS_KRB5_NT_PRINCIPAL_NAME•GSS_KRB5_NT_USER_NAME•GSS_KRB5_NT_MACHINE_UID_NAME•GSS_KRB5_NT_STRING_UID_NAME

       In GSS-API, names have two forms, internal names and contiguous string names.

       •Internalnameandmechanismname

           Internal names are implementation specific representation of a GSS-API name.  Mechanismnames special
           form of internal names corresponds to one and only one mechanism.

           In GSS-API an internal name is stored in a gss_name_t.

       •Contiguousstringnameandexportedname

           Contiguous string names are gssapi names stored in a OCTET STRING that  together  with  a  name  type
           identifier  (OID) uniquely specifies a gss-name.  A special form of the contiguous string name is the
           exported name that have a OID embedded in the string to make  it  unique.   Exported  name  have  the
           nametype GSS_C_NT_EXPORT_NAME.

           In GSS-API an contiguous string name is stored in a gss_buffer_t.

           Exported  names also have the property that they are specified by the mechanism itself and compatible
           between different GSS-API implementations.

gss_krb5_ccache_name()  sets  the  internal  kerberos  5  credential cache name to name.  The old name is
       returned in old_name, and must not be freed.  The data allocated for old_name is free upon next  call  to
       gss_krb5_ccache_name().  This function is not threadsafe if old_name argument is used.

       gss_krb5_copy_ccache()  will  extract the krb5 credentials that are transferred from the initiator to the
       acceptor when using token delegation in the Kerberos mechanism.   The  acceptor  receives  the  delegated
       token in the last argument to gss_accept_sec_context().

       gss_krb5_import_cred()  will  import  the krb5 credentials (both keytab and/or credential cache) into gss
       credential so it can be used withing GSS-API.  The ccache is copied by reference and thus shared,  so  if
       the  credential  is  destroyed  with  krb5_cc_destroy,  all  users  of  thep  gss_cred_id_t  returned  by
       gss_krb5_import_ccache() will fail.

       gsskrb5_register_acceptor_identity() sets the Kerberos 5 filebased keytab that  the  acceptor  will  use.
       The identifier is the file name.

       gsskrb5_extract_authz_data_from_sec_context()  extracts the Kerberos authorizationdata that may be stored
       within the context.  Tha caller must free the returned  buffer  ad_data  with  gss_release_buffer()  upon
       success.

       gss_krb5_get_tkt_flags()  return the ticket flags for the kerberos ticket receive when authenticating the
       initiator.  Only valid on the acceptor context.

       gss_krb5_compat_des3_mic() turns on or off the compatibility with older version of Heimdal using des3 get
       and   verify   mic,   this   is   way   to   programmatically   set   the   [gssapi]broken_des3_mic   and
       [gssapi]correct_des3_mic   flags   (see   COMPATIBILITY   section  in  gssapi(3)).   If  the  CPP  symbol
       GSS_C_KRB5_COMPAT_DES3_MIC is  present,  gss_krb5_compat_des3_mic()  exists.   gss_krb5_compat_des3_mic()
       will be removed in a later version of the GSS-API library.

gss_display_name()  takes  the  gss  name  in input_name and puts a printable form in output_name_buffer.
       output_name_buffer should be freed when done using gss_release_buffer().  output_name_type can either  be
       NULL  or  a  pointer to a gss_OID and will in the latter case contain the OID type of the name.  The name
       must only be used for printing.  If access control is needed, see section “ACCESS CONTROL”.

       gss_inquire_context() returns information about the context.  Information is  available  even  after  the
       context  have  expired.  lifetime_rec argument is set to GSS_C_INDEFINITE (don't expire) or the number of
       seconds that the context is still valid.  A value of 0 means that  the  context  is  expired.   mech_type
       argument  should  be  considered  readonly  and  must not be released.  src_name and dest_name() are both
       mechanims names and must be released with gss_release_name() when no longer used.

       gss_context_time will return the amount of time (in seconds) of the  context  is  still  valid.   If  its
       expired time_rec will be set to 0 and GSS_S_CONTEXT_EXPIRED returned.

       gss_sign(),  gss_verify(),  gss_seal(),  and  gss_unseal()  are  part of the GSS-API V1 interface and are
       obsolete.  The functions should not be used for new applications.  They are provided so  that  version  1
       applications can link against the library.

       GSS-API library (libgssapi, -lgssapi)

       gss_accept_sec_context,  gss_acquire_cred,  gss_add_cred,  gss_add_oid_set_member, gss_canonicalize_name,
       gss_compare_name, gss_context_time, gss_create_empty_oid_set,  gss_delete_sec_context,  gss_display_name,
       gss_display_status,    gss_duplicate_name,    gss_export_name,    gss_export_sec_context,    gss_get_mic,
       gss_import_name, gss_import_sec_context, gss_indicate_mechs,  gss_init_sec_context,  gss_inquire_context,
       gss_inquire_cred,   gss_inquire_cred_by_mech,   gss_inquire_mechs_for_name,   gss_inquire_names_for_mech,
       gss_krb5_ccache_name,      gss_krb5_compat_des3_mic,      gss_krb5_copy_ccache,      gss_krb5_import_cred
       gsskrb5_extract_authz_data_from_sec_context,  gsskrb5_register_acceptor_identity, gss_krb5_import_ccache,
       gss_krb5_get_tkt_flags,      gss_process_context_token,       gss_release_buffer,       gss_release_cred,
       gss_release_name,   gss_release_oid_set,   gss_seal,   gss_sign,   gss_test_oid_set_member,   gss_unseal,
       gss_unwrap,  gss_verify,  gss_verify_mic,  gss_wrap,  gss_wrap_size_limit  —  Generic  Security   Service
       Application Program Interface library

gssapi(3), krb5(3), krb5_ccache(3), kerberos(8)

HEIMDAL                                         October 26, 2005                             GSS_ACQUIRE_CRED(3)

#include<gssapi.h>OM_uint32gss_accept_sec_context(OM_uint32*minor_status,                           gss_ctx_id_t*context_handle,
           gss_const_cred_id_tacceptor_cred_handle,                      constgss_buffer_tinput_token_buffer,
           constgss_channel_bindings_tinput_chan_bindings,     gss_name_t*src_name,     gss_OID*mech_type,
           gss_buffer_toutput_token,                OM_uint32*ret_flags,                OM_uint32*time_rec,
           gss_cred_id_t*delegated_cred_handle);

       OM_uint32gss_acquire_cred(OM_uint32*minor_status,       gss_const_name_tdesired_name,       OM_uint32time_req,
           constgss_OID_setdesired_mechs,   gss_cred_usage_tcred_usage,   gss_cred_id_t*output_cred_handle,
           gss_OID_set*actual_mechs, OM_uint32*time_rec);

       OM_uint32gss_add_cred(OM_uint32*minor_status,                              gss_const_cred_id_tinput_cred_handle,
           gss_const_name_tdesired_name,        constgss_OIDdesired_mech,        gss_cred_usage_tcred_usage,
           OM_uint32initiator_time_req,     OM_uint32acceptor_time_req,     gss_cred_id_t*output_cred_handle,
           gss_OID_set*actual_mechs, OM_uint32*initiator_time_rec, OM_uint32*acceptor_time_rec);

       OM_uint32gss_add_oid_set_member(OM_uint32*minor_status, constgss_OIDmember_oid, gss_OID_set*oid_set);

       OM_uint32gss_canonicalize_name(OM_uint32*minor_status,   gss_const_name_tinput_name,   constgss_OIDmech_type,
           gss_name_t*output_name);

       OM_uint32gss_compare_name(OM_uint32*minor_status,         gss_const_name_tname1,        gss_const_name_tname2,
           int*name_equal);

       OM_uint32gss_context_time(OM_uint32*minor_status, gss_const_ctx_id_tcontext_handle, OM_uint32*time_rec);

       OM_uint32gss_create_empty_oid_set(OM_uint32*minor_status, gss_OID_set*oid_set);

       OM_uint32gss_delete_sec_context(OM_uint32*minor_status,                           gss_ctx_id_t*context_handle,
           gss_buffer_toutput_token);

       OM_uint32gss_display_name(OM_uint32*minor_status,  gss_const_name_tinput_name, gss_buffer_toutput_name_buffer,
           gss_OID*output_name_type);

       OM_uint32gss_display_status(OM_uint32*minor_status,           OM_uint32status_value,            intstatus_type,
           constgss_OIDmech_type, OM_uint32*message_context, gss_buffer_tstatus_string);

       OM_uint32gss_duplicate_name(OM_uint32*minor_status, gss_const_name_tsrc_name, gss_name_t*dest_name);

       OM_uint32gss_export_name(OM_uint32*minor_status, gss_const_name_tinput_name, gss_buffer_texported_name);

       OM_uint32gss_export_sec_context(OM_uint32*minor_status,                           gss_ctx_id_t*context_handle,
           gss_buffer_tinterprocess_token);

       OM_uint32gss_get_mic(OM_uint32*minor_status,        gss_const_ctx_id_tcontext_handle,        gss_qop_tqop_req,
           constgss_buffer_tmessage_buffer, gss_buffer_tmessage_token);

       OM_uint32gss_import_name(OM_uint32*minor_status,                           constgss_buffer_tinput_name_buffer,
           constgss_OIDinput_name_type, gss_name_t*output_name);

       OM_uint32gss_import_sec_context(OM_uint32*minor_status,                   constgss_buffer_tinterprocess_token,
           gss_ctx_id_t*context_handle);

       OM_uint32gss_indicate_mechs(OM_uint32*minor_status, gss_OID_set*mech_set);

       OM_uint32gss_init_sec_context(OM_uint32*minor_status,                 gss_const_cred_id_tinitiator_cred_handle,
           gss_ctx_id_t*context_handle,         gss_const_name_ttarget_name,         constgss_OIDmech_type,
           OM_uint32req_flags,       OM_uint32time_req,      constgss_channel_bindings_tinput_chan_bindings,
           constgss_buffer_tinput_token,        gss_OID*actual_mech_type,         gss_buffer_toutput_token,
           OM_uint32*ret_flags, OM_uint32*time_rec);

       OM_uint32gss_inquire_context(OM_uint32*minor_status,  gss_const_ctx_id_tcontext_handle,  gss_name_t*src_name,
           gss_name_t*targ_name,   OM_uint32*lifetime_rec,    gss_OID*mech_type,    OM_uint32*ctx_flags,
           int*locally_initiated, int*open_context);

       OM_uint32gss_inquire_cred(OM_uint32*minor_status,       gss_const_cred_id_tcred_handle,      gss_name_t*name,
           OM_uint32*lifetime, gss_cred_usage_t*cred_usage, gss_OID_set*mechanisms);

       OM_uint32gss_inquire_cred_by_mech(OM_uint32*minor_status,                       gss_const_cred_id_tcred_handle,
           constgss_OIDmech_type,              gss_name_t*name,              OM_uint32*initiator_lifetime,
           OM_uint32*acceptor_lifetime, gss_cred_usage_t*cred_usage);

       OM_uint32gss_inquire_mechs_for_name(OM_uint32*minor_status,                         gss_const_name_tinput_name,
           gss_OID_set*mech_types);

       OM_uint32gss_inquire_names_for_mech(OM_uint32*minor_status, constgss_OIDmechanism, gss_OID_set*name_types);

       OM_uint32gss_krb5_ccache_name(OM_uint32*minor, constchar*name, constchar**old_name);

       OM_uint32gss_krb5_copy_ccache(OM_uint32*minor, gss_cred_id_tcred, krb5_ccacheout);

       OM_uint32gss_krb5_import_cred(OM_uint32*minor_status,       krb5_ccacheid,      krb5_principalkeytab_principal,
           krb5_keytabkeytab, gss_cred_id_t*cred);

       OM_uint32gss_krb5_compat_des3_mic(OM_uint32*minor_status, gss_ctx_id_tcontext_handle, intonoff);

       OM_uint32gsskrb5_extract_authz_data_from_sec_context(OM_uint32*minor_status,         gss_ctx_id_tcontext_handle,
           intad_type, gss_buffer_tad_data);

       OM_uint32gsskrb5_register_acceptor_identity(constchar*identity);

       OM_uint32gss_krb5_import_cache(OM_uint32*minor, krb5_ccacheid, krb5_keytabkeytab, gss_cred_id_t*cred);

       OM_uint32gss_krb5_get_tkt_flags(OM_uint32*minor_status, gss_ctx_id_tcontext_handle, OM_uint32*tkt_flags);

       OM_uint32gss_process_context_token(OM_uint32*minor_status,                    gss_const_ctx_id_tcontext_handle,
           constgss_buffer_ttoken_buffer);

       OM_uint32gss_release_buffer(OM_uint32*minor_status, gss_buffer_tbuffer);

       OM_uint32gss_release_cred(OM_uint32*minor_status, gss_cred_id_t*cred_handle);

       OM_uint32gss_release_name(OM_uint32*minor_status, gss_name_t*input_name);

       OM_uint32gss_release_oid_set(OM_uint32*minor_status, gss_OID_set*set);

       OM_uint32gss_seal(OM_uint32*minor_status,    gss_ctx_id_tcontext_handle,    intconf_req_flag,     intqop_req,
           gss_buffer_tinput_message_buffer, int*conf_state, gss_buffer_toutput_message_buffer);

       OM_uint32gss_sign(OM_uint32*minor_status, gss_ctx_id_tcontext_handle, intqop_req, gss_buffer_tmessage_buffer,
           gss_buffer_tmessage_token);

       OM_uint32gss_test_oid_set_member(OM_uint32*minor_status,       constgss_OIDmember,      constgss_OID_setset,
           int*present);

       OM_uint32gss_unseal(OM_uint32*minor_status,   gss_ctx_id_tcontext_handle,    gss_buffer_tinput_message_buffer,
           gss_buffer_toutput_message_buffer, int*conf_state, int*qop_state);

       OM_uint32gss_unwrap(OM_uint32*minor_status,                                   gss_const_ctx_id_tcontext_handle,
           constgss_buffer_tinput_message_buffer,    gss_buffer_toutput_message_buffer,     int*conf_state,
           gss_qop_t*qop_state);

       OM_uint32gss_verify(OM_uint32*minor_status,       gss_ctx_id_tcontext_handle,      gss_buffer_tmessage_buffer,
           gss_buffer_ttoken_buffer, int*qop_state);

       OM_uint32gss_verify_mic(OM_uint32*minor_status,                               gss_const_ctx_id_tcontext_handle,
           constgss_buffer_tmessage_buffer, constgss_buffer_ttoken_buffer, gss_qop_t*qop_state);

       OM_uint32gss_wrap(OM_uint32*minor_status,          gss_const_ctx_id_tcontext_handle,         intconf_req_flag,
           gss_qop_tqop_req,             constgss_buffer_tinput_message_buffer,             int*conf_state,
           gss_buffer_toutput_message_buffer);

       OM_uint32gss_wrap_size_limit(OM_uint32*minor_status,    gss_const_ctx_id_tcontext_handle,    intconf_req_flag,
           gss_qop_tqop_req, OM_uint32req_output_size, OM_uint32*max_input_size);