3 .\" Copyright (c) 2005 Doug Rabson
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 .Nd "Generic Security Services API"
36 GSS-API Library (libgssapi, -lgssapi)
40 The Generic Security Service Application Programming Interface
41 provides security services to its callers,
42 and is intended for implementation atop a variety of underlying
43 cryptographic mechanisms.
44 Typically, GSS-API callers will be application protocols into which
45 security enhancements are integrated through invocation of services
46 provided by the GSS-API.
47 The GSS-API allows a caller application to authenticate a principal
48 identity associated with a peer application, to delegate rights to a
50 and to apply security services such as confidentiality and integrity
51 on a per-message basis.
53 There are four stages to using the GSS-API:
56 The application acquires a set of credentials with which it may prove
57 its identity to other processes.
58 The application's credentials vouch for its global identity,
59 which may or may not be related to any local username under which it
62 A pair of communicating applications establish a joint security
63 context using their credentials.
64 The security context is a pair of GSS-API data structures that contain
65 shared state information, which is required in order that per-message
66 security services may be provided.
67 Examples of state that might be shared between applications as part of
68 a security context are cryptographic keys,
69 and message sequence numbers.
70 As part of the establishment of a security context,
71 the context initiator is authenticated to the responder,
72 and may require that the responder is authenticated in turn.
73 The initiator may optionally give the responder the right to initiate
74 further security contexts,
75 acting as an agent or delegate of the initiator.
76 This transfer of rights is termed delegation,
77 and is achieved by creating a set of credentials,
78 similar to those used by the initiating application,
79 but which may be used by the responder.
81 To establish and maintain the shared information that makes up the
83 certain GSS-API calls will return a token data structure,
84 which is an opaque data type that may contain cryptographically
86 The caller of such a GSS-API routine is responsible for transferring
87 the token to the peer application,
88 encapsulated if necessary in an application protocol.
89 On receipt of such a token, the peer application should pass it to a
90 corresponding GSS-API routine which will decode the token and extract
92 updating the security context state information accordingly.
94 Per-message services are invoked to apply either:
96 integrity and data origin authentication, or confidentiality,
97 integrity and data origin authentication to application data,
98 which are treated by GSS-API as arbitrary octet-strings.
99 An application transmitting a message that it wishes to protect will
100 call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to
102 specifying the appropriate security context,
103 and send the resulting token to the receiving application.
104 The receiver will pass the received token (and, in the case of data
105 protected by gss_get_mic, the accompanying message-data) to the
106 corresponding decoding routine (gss_verify_mic or gss_unwrap) to
107 remove the protection and validate the data.
109 At the completion of a communications session (which may extend across
110 several transport connections),
111 each application calls a GSS-API routine to delete the security
113 Multiple contexts may also be used (either successively or
114 simultaneously) within a single communications association, at the
115 option of the applications.
118 This section lists the routines that make up the GSS-API,
119 and offers a brief description of the purpose of each routine.
121 GSS-API Credential-management Routines:
122 .Bl -tag -width "gss_inquire_cred_by_mech"
124 Assume a global identity; Obtain a GSS-API credential handle for
125 pre-existing credentials.
127 Construct credentials incrementally
129 Obtain information about a credential
130 .It gss_inquire_cred_by_mech
131 Obtain per-mechanism information about a credential.
133 Discard a credential handle.
136 GSS-API Context-Level Routines:
137 .Bl -tag -width "gss_inquire_cred_by_mech"
138 .It gss_init_sec_context
139 Initiate a security context with a peer application
140 .It gss_accept_sec_context
141 Accept a security context initiated by a peer application
142 .It gss_delete_sec_context
143 Discard a security context
144 .It gss_process_context_token
145 Process a token on a security context from a peer application
147 Determine for how long a context will remain valid
148 .It gss_inquire_context
149 Obtain information about a security context
150 .It gss_wrap_size_limit
151 Determine token-size limit for
154 .It gss_export_sec_context
155 Transfer a security context to another process
156 .It gss_import_sec_context
157 Import a transferred context
160 GSS-API Per-message Routines:
161 .Bl -tag -width "gss_inquire_cred_by_mech"
163 Calculate a cryptographic message integrity code (MIC) for a message;
166 Check a MIC against a message;
167 verify integrity of a received message
169 Attach a MIC to a message, and optionally encrypt the message content;
170 confidentiality service
172 Verify a message with attached MIC, and decrypt message content if
176 GSS-API Name manipulation Routines:
177 .Bl -tag -width "gss_inquire_cred_by_mech"
179 Convert a contiguous string name to internal-form
181 Convert internal-form name to text
183 Compare two internal-form names
185 Discard an internal-form name
186 .It gss_inquire_names_for_mech
187 List the name-types supported by the specified mechanism
188 .It gss_inquire_mechs_for_name
189 List mechanisms that support the specified name-type
190 .It gss_canonicalize_name
191 Convert an internal name to an MN
193 Convert an MN to export form
194 .It gss_duplicate_name
195 Create a copy of an internal name
198 GSS-API Miscellaneous Routines
199 .Bl -tag -width "gss_inquire_cred_by_mech"
200 .It gss_add_oid_set_member
201 Add an object identifier to a set
202 .It gss_display_status
203 Convert a GSS-API status code to text
204 .It gss_indicate_mechs
205 Determine available underlying authentication mechanisms
206 .It gss_release_buffer
208 .It gss_release_oid_set
209 Discard a set of object identifiers
210 .It gss_create_empty_oid_set
211 Create a set containing no object identifiers
212 .It gss_test_oid_set_member
213 Determines whether an object identifier is a member of a set.
216 Individual GSS-API implementations may augment these routines by
217 providing additional mechanism-specific routines if required
218 functionality is not available from the generic forms.
219 Applications are encouraged to use the generic routines wherever
220 possible on portability grounds.
224 Generic Security Service Application Program Interface Version 2, Update 1
226 Generic Security Service API Version 2 : C-bindings
231 library first appeared in
234 John Wray, Iris Associates
236 Copyright (C) The Internet Society (2000). All Rights Reserved.
238 This document and translations of it may be copied and furnished to
239 others, and derivative works that comment on or otherwise explain it
240 or assist in its implementation may be prepared, copied, published
241 and distributed, in whole or in part, without restriction of any
242 kind, provided that the above copyright notice and this paragraph are
243 included on all such copies and derivative works. However, this
244 document itself may not be modified in any way, such as by removing
245 the copyright notice or references to the Internet Society or other
246 Internet organizations, except as needed for the purpose of
247 developing Internet standards in which case the procedures for
248 copyrights defined in the Internet Standards process must be
249 followed, or as required to translate it into languages other than
252 The limited permissions granted above are perpetual and will not be
253 revoked by the Internet Society or its successors or assigns.
255 This document and the information contained herein is provided on an
256 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
257 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
258 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
259 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
260 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.