


   SPX Version 2.2                                  gss_accept_sec_context(3)



   Name
     gss_accept_sec_context - accepts a security context from a peer

   Syntax
     #include "gssapi_defs.h"

     int gss_accept_sec_context(minor_status,
                                context_handle,
                                verifier_cred_handle,
                                input_token,
                                input_chan_bindings,
                                src_name,
                                mech_type,
                                output_token,
                                ret_flags,
                                time_rec,
                                delegated_cred_handle)

     OM_uint32             *minor_status;
     gss_ctx_id_t          *context_handle;
     gss_cred_id_t         verifier_cred_handle;
     gss_buffer_t          input_token;
     gss_channel_bindings  input_chan_bindings;
     gss_name_t            *src_name;
     gss_OID               *mech_type;
     gss_buffer_t          output_token;
     int                   *ret_flags;
     OM_uint32             *time_rec;
     gss_cred_id_t         *delegated_cred_handle;

   Arguments

     _m_i_n_o_r__s_t_a_t_u_s
            (OM_uint32, modify) If the routine doesn't return GSS_S_COMPLETE
            or GSS_S_CONTINUE_NEEDED, then this status code can be used to
            display the mechanism specific error using the call
            _g_s_s__d_i_s_p_l_a_y__s_t_a_t_u_s

     _c_o_n_t_e_x_t__h_a_n_d_l_e
            (gss_ctx_id_t, read/modify) Context handle for new context.  Sup-
            ply GSS_C_NO_CONTEXT for first call.  If _g_s_s__a_c_c_e_p_t__s_e_c__c_o_n_t_e_x_t
            returns a value of GSS_S_CONTINUE_NEEDED, use the value returned
            in context_handle for continuation calls.

     _v_e_r_i_f_i_e_r__c_r_e_d__h_a_n_d_l_e
            (gss_cred_id_t, read) Credential handle of the context acceptor.
            Specify GSS_C_NO_CREDENTIAL to use default credentials.  Other-
            wise, _g_s_s__a_c_q_u_i_r_e__c_r_e_d should be called to acquire the proper
            credentials.  Normally, the acceptor will not have default
            credentials, so we must acquire them.

     _i_n_p_u_t__t_o_k_e_n
            (gss_buffer_t, read) Token obtained from the initiator of the


   Digital Equipment Corporation                                            1






   gss_accept_sec_context(3)                                  SPX Version 2.2


            security context.

     _i_n_p_u_t__c_h_a_n__b_i_n_d_i_n_g_s__b_u_f_f_e_r
            (gss_channel_bindings, read) The channel bindings information
            allows the application to securely bind channel identification
            information with the security context.  To ensure portability,
            the channel binding structure requires the initiator and acceptor
            addresses.  Optionally, each application can include its own
            application specific channel information.

     _s_r_c__n_a_m_e
            (gss_name_t, modify) Authenticated SPX name of context initiator.
            After use, this name should be deallocated by passing it to
            _g_s_s__r_e_l_e_a_s_e__n_a_m_e

     _m_e_c_h__t_y_p_e
            (gss_OID, modify) Security mechanism used. Will be
            SPX_MECHTYPE_OID when using SPX.  The returned OID value will be
            a pointer into static storage, and should be treated as read-only
            by the caller.

     _o_u_t_p_u_t__t_o_k_e_n
            (gss_buffer_t, modify) Token to be passed back to the initiator
            of the security context.  If the _l_e_n_g_t_h field of the returned
            token buffer is zero, no token need be passed to the initiator.

     _r_e_t__f_l_a_g_s
            (int, modify) Contains six independent flags, each of which indi-
            cates that the context supports a specific service option.  Sym-
            bolic names are provided for each flag.  To test the value of a
            given flag, logically AND _r_e_t__f_l_a_g_s with the symbolic name to
            determine whether the returned flag is _z_e_r_o or _n_o_n_z_e_r_o.  The
            flags are:

               _G_S_S__C__D_E_L_E_G__F_L_A_G,
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__D_E_L_E_G__F_L_A_G)

                  _N_o_n_z_e_r_o Delegated credentials are available via the
                          _d_e_l_e_g_a_t_e_d__c_r_e_d__h_a_n_d_l_e argument.

                  _Z_e_r_o    No credentials were delegated.

               _G_S_S__C__M_U_T_U_A_L__F_L_A_G
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__M_U_T_U_A_L__F_L_A_G)

                  _N_o_n_z_e_r_o Initiator of the security context asked for mutual
                          authentication.

                  _Z_e_r_o    Initiator of the security context did not ask for
                          mutual authentication.

               _G_S_S__C__R_E_P_L_A_Y__D_E_T__F_L_A_G
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__R_E_P_L_A_Y__F_L_A_G



   2                                            Digital Equipment Corporation






   SPX Version 2.2                                  gss_accept_sec_context(3)


                  _N_o_n_z_e_r_o Replay of signed or sealed application messages
                          will be detected.

                  _Z_e_r_o    Replayed messages will not be detected.  SPX does
                          not support signing or sealing application mes-
                          sages.

               _G_S_S__C__S_E_Q_U_E_N_C_E__R_E_Q__F_L_A_G
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__S_E_Q_U_E_N_C_E__F_L_A_G)

                  _N_o_n_z_e_r_o Out-of-sequence signed or sealed messages will be
                          detected.

                  _Z_e_r_o    Out-of-sequence messages will not be detected.  SPX
                          does not support detection of out-of-sequence
                          application messages.

               _G_S_S__C__C_O_N_F__R_E_Q__F_L_A_G
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__C_O_N_F__F_L_A_G)

                  _N_o_n_z_e_r_o Make confidentiality service available.

                  _Z_e_r_o    Do not make confidentiality service available.  The
                          seal provides message encapsulation and integrity
                          services only.  SPX does not support confidential-
                          ity of application messages.

               _G_S_S__C__I_N_T_E_G__F_L_A_G
                      (_r_e_t__f_l_a_g_s AND _G_S_S__C__I_N_T_E_G__F_L_A_G)

                  _N_o_n_z_e_r_o

                  _Z_e_r_o    This is always the case in SPX.

     _t_i_m_e__r_e_c
            (OM_uint32, modify) Number of seconds for which the context will
            remain valid.  Specify NULL if this information is not required.

     _d_e_l_e_g_a_t_e_d__c_r_e_d__h_a_n_d_l_e
            (gss_cred_id_t, modify) Credential handle for credentials
            received from context initiator.  Valid only if _D_E_L_E_G__F_L_A_G in
            _r_e_t__f_l_a_g_s is _n_o_n_z_e_r_o.

   Description
     This routine, which is part of the Generic Security Service Application
     Program Interface, allows a remotely initiated security context between
     the application and a remote peer to be established.  The caller passes
     a token received from the peer, a verifier credential handle, and any
     application specific channel binding into the gss_accept_sec_context
     routine.  This routine returns the underlying security mechanism type
     used during authentication, along with the peer's source name.

     If this routine returns an output token, then it should be transferred
     to the peer application, where the peer will present it to
     gss_init_sec_context.  If one or more reply tokens are required from the
     peer application, this routine will return a status value of
     GSS_S_CONTINUE_NEEDED, in which case it should be called again when the
     reply token is received from the peer application, passing the token to
     gss_accept_sec_context via the input token parameter.
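     The acceptor loop the Description and the ret_flags entry describe, as an
     added C example that is not SPX's own code: toy_accept is a constructed
     two-round stand-in for the mechanism behind gss_accept_sec_context, and
     the status and flag values are assumed from RFC 2744 rather than taken
     from gssapi_defs.h.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for the status codes and flag bits the page names;
 * the values follow RFC 2744 (an assumption, not SPX's gssapi_defs.h). */
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u
#define GSS_S_FAILURE         2u
#define GSS_C_DELEG_FLAG  1
#define GSS_C_MUTUAL_FLAG 2
typedef struct { size_t length; const char *value; } gss_buffer_desc;
typedef struct { int round; } toy_ctx;
/* Toy mechanism (constructed, not SPX): "hello" gets a challenge token and
 * CONTINUE_NEEDED; the reply "proof" completes with no token and mutual auth. */
static unsigned toy_accept(toy_ctx *ctx, const gss_buffer_desc *in,
                           gss_buffer_desc *out, int *ret_flags)
{
    out->length = 0; out->value = NULL;
    if (ctx->round == 0 && in->length == 5 && !memcmp(in->value, "hello", 5)) {
        ctx->round = 1;
        out->length = 9; out->value = "challenge";
        return GSS_S_CONTINUE_NEEDED;   /* caller must come back with a reply */
    }
    if (ctx->round == 1 && in->length == 5 && !memcmp(in->value, "proof", 5)) {
        ctx->round = 2;
        *ret_flags = GSS_C_MUTUAL_FLAG;  /* DELEG_FLAG clear: nothing delegated */
        return GSS_S_COMPLETE;
    }
    return GSS_S_FAILURE;
}
/* Acceptor driver with the discipline the page describes: keep calling while
 * GSS_S_CONTINUE_NEEDED, forward output_token only when its length is nonzero,
 * and read ret_flags only after GSS_S_COMPLETE.  *sent counts forwarded tokens. */
static unsigned run_acceptor(const gss_buffer_desc *tokens, int ntokens,
                             int *sent, int *deleg, int *mutual)
{
    toy_ctx ctx = {0};
    int flags = 0; unsigned maj = GSS_S_CONTINUE_NEEDED;
    *sent = 0; *deleg = 0; *mutual = 0;
    for (int i = 0; i < ntokens && maj == GSS_S_CONTINUE_NEEDED; i++) {
        gss_buffer_desc out;
        maj = toy_accept(&ctx, &tokens[i], &out, &flags);
        if (maj == GSS_S_FAILURE) return maj;   /* would release the context here */
        if (out.length != 0) (*sent)++;         /* transfer the token to the peer */
    }
    if (maj != GSS_S_COMPLETE) return GSS_S_FAILURE;  /* peer stopped early */
    *deleg  = (flags & GSS_C_DELEG_FLAG) != 0;
    *mutual = (flags & GSS_C_MUTUAL_FLAG) != 0;
    return GSS_S_COMPLETE;
}
```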

   Files
     gssapi_defs.h

   See Also
     spx(1), gss_init_sec_context(3), gss_import_name(3), gss_acquire_cred(3)
