This appendix includes the following sections:
"GSS-API Functions" provides a table of GSS-API functions.
"GSS-API Status Codes" discusses status codes returned by GSS-API functions, and provides a list of those status codes.
"GSS-API Data Types and Values" discusses the various data types used by the GSS-API.
The following table lists the functions of the GSS-API. For more information on each function, see its man page. See also "Functions From Previous Versions of the GSS-API".
Table B-1 GSS-API Functions
Assume a global identity; obtain a GSS-API credential handle for pre-existing credentials
Construct credentials incrementally
Obtain information about a credential
Obtain per-mechanism information about a credential
Discard a credential handle
Initiate a security context with a peer application
Accept a security context initiated by a peer application
Discard a security context
Process a token on a security context from a peer application
Determine for how long a context will remain valid
Obtain information about a security context
Determine token-size limit for gss_wrap() on a context
Transfer a security context to another process
Import a transferred context
Calculate a cryptographic message integrity code (MIC) for a message; integrity service
Check a MIC against a message; verify integrity of a received message
Attach a MIC to a message, and optionally encrypt the message content
Verify a message with attached MIC, and decrypt message content if necessary
Convert a contiguous string name to internal-form
Convert internal-form name to text
Compare two internal-form names
Discard an internal-form name
List the name types supported by the specified mechanism
List mechanisms that support the specified name type
Convert an internal name to an MN
Convert an MN to export form
Create a copy of an internal name
Add an object identifier to a set
Convert a GSS-API status code to text
Determine available underlying authentication mechanisms
Discard a buffer
Discard a set of object identifiers
Create a set containing no object identifiers
Determine whether an object identifier is a member of a set
Functions From Previous Versions of the GSS-API
This section explains functions that were included in previous versions of the GSS-API.
Functions for Manipulating OIDs
The following functions are supported by the Sun implementation of the GSS-API for convenience and for backward compatibility with programs written for older versions of the GSS-API. However, they should not be relied upon, as they might not be supported by other implementations of the GSS-API.
Although these functions make it possible to convert a mechanism's name from a string to an OID, programmers should use the default GSS-API mechanism, instead of specifying one, if at all possible.
The following functions have been supplanted by newer functions. In each case, the new function is the functional equivalent of the old one. Although the old functions are supported, developers should replace them with the newer functions whenever possible.
GSS-API Status Codes
Major status codes are encoded in the OM_uint32 as shown in Figure B-1.
Figure B-1 Major-Status Encoding
If a GSS-API routine returns a GSS status code whose upper 16 bits contain a non-zero value, the call has failed. If the calling error field is non-zero, the invoking application's call of the routine was erroneous. Calling errors are listed in Table B-2. If the routine error field is non-zero, the routine failed because of a routine-specific error, as listed below in Table B-3. Whether or not the upper 16 bits indicate a failure or a success, the routine might indicate additional information by setting bits in the supplementary information field of the status code. The meaning of individual bits is listed in Table B-4.
GSS-API Major Status Code Values
The following tables lists calling errors returned by the GSS-API; that is, errors that are specific to a particular language-binding (C, in this case).
Table B-2 Calling Errors
Value in Field
A required input parameter could not be read
A required output parameter could not be written
A parameter was malformed
Table B-3 Routine Errors
Value in Field
An unsupported mechanism was requested
An invalid name was supplied
A supplied name was of an unsupported type
Incorrect channel bindings were supplied
An invalid status code was supplied
A token had an invalid MIC
No credentials were supplied, or the credentials were unavailable or inaccessible
No context has been established
A token was invalid
A credential was invalid
The referenced credentials have expired
The context has expired
Miscellaneous failure. The underlying mechanism detected an error for which no specific GSS-API status code is defined. The mechanism-specific status code (minor-status code) provides more details about the error.
The quality-of-protection requested could not be provided
The operation is forbidden by local security policy
The operation or option is unavailable
The requested credential element already exists
The provided name was not a Mechanism Name (MN)