csf_gss_get_context_options(3)

NAME
csf_gss_get_context_options - Obtain information about a security context
SYNOPSIS
#include <gssapi/gssapi.h>
OM_uint32 csf_gss_get_context_options(
    OM_uint32 *minor_status,
    const gss_ctx_id_t context_handle,
    OM_uint32 *ctx_flags );
PARAMETERS
minor_status
    Kerberos 5 error code.
context_handle
    Security context to be queried.
ctx_flags
    Flags that indicate the service options the context supports.
    Specify NULL if this information is not required.

    Symbolic names are provided for each flag. These names should be
    bitwise ANDed with the ctx_flags value to test whether a given
    option is supported by the context.
The flags are:

True -- DES encryption is available.
False -- DES encryption is not available.

True -- DES3 encryption is available.
False -- DES3 encryption is not available.

Note
DES3 and DES encryption are mutually exclusive and unique to the
HP implementation of the GSS-API.

Since the HP Application Security SDK does not support anonymous
authentication, this value is always set to false.

True -- Confidentiality service may be invoked by calling the
gss_wrap() function.
False -- No confidentiality service via gss_wrap() is available.
The gss_wrap() function provides message encapsulation, data
origin authentication, and integrity services only.

True -- Credentials were delegated to the initiating application.
False -- No credentials were delegated.

True -- Integrity service may be invoked by calling either
gss_get_mic() or gss_wrap().
False -- Per-message integrity service is unavailable.

True -- The remote peer that, in this case, is the initiating
application, requested mutual authentication.
False -- The remote peer did not request mutual authentication.

The value of this bit indicates the actual state at the time
gss_accept_sec_context() returns, whether or not the context is
fully established.

True -- Protection services (as specified by the states of
GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG) are available for use if
the accompanying major status return value is either
GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED.
False -- Protection services (as specified by the states of
GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG) are available only if the
accompanying major status return value is GSS_S_COMPLETE.

True -- Replay of protected messages will be detected.
False -- Replay of messages will not be detected.

True -- Out-of-sequence protected messages will be detected.
False -- Out-of-sequence messages will not be detected.

The value of this bit indicates the actual state at the time
gss_accept_sec_context() returns, whether or not the context is
fully established.

True -- The resulting security context may be transferred to
other processes via a call to gss_export_sec_context().
False -- The security context is not transferable.
DESCRIPTION
The csf_gss_get_context_options() function is an extension that obtains
information about a security context. The application must already have
initiated the context, although the context need not be fully
established.

Use this function to determine what type of encryption (DES3 or DES) is
supported by the context. A context can be downgraded from DES3 to DES
if the following conditions are not met:

    ActiveTRUST Security Server must be configured for DES3.
    The principals for the initiating and accepting applications must
    be DES3 enabled in the principal database.
    The security context initiator must obtain a TGT enabled for DES3.
    The security context initiator must use the DES3 flag when
    initiating the security context.
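
The following is an added example, not code from the HP SDK or from this manual page: a policy check an application could run on the ctx_flags value before trusting a context, covering the protection-ready rule and the DES3-to-DES downgrade described above. The EX_ names and check_context() are hypothetical; the EX_ flag values mirror RFC 2744, and EX_DES3_PLACEHOLDER is a stand-in because this page does not name the SDK's DES3 constant.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 2744 flag and status values under local EX_ names, so the example
 * builds without <gssapi/gssapi.h>. */
enum { EX_MUTUAL = 2, EX_REPLAY = 4, EX_SEQUENCE = 8,
       EX_CONF = 16, EX_INTEG = 32, EX_PROT_READY = 128 };
#define EX_S_CONTINUE_NEEDED 0x1u         /* supplementary status bit */
#define EX_S_ERROR_MASK      0xFFFF0000u  /* calling + routine error fields */

/* Placeholder bit, NOT the SDK's DES3 constant (the page does not name it). */
#define EX_DES3_PLACEHOLDER  0x10000u

enum verdict { CTX_OK, CTX_ERROR, CTX_NOT_READY, CTX_MISSING_SERVICE,
               CTX_DOWNGRADED };

/* estab_major: major status from gss_init/accept_sec_context().
 * ctx_flags:   value filled in by csf_gss_get_context_options().
 * required:    OR of the service flags the application insists on.
 * des3_mask:   the SDK's DES3 flag; 0 skips the cipher check. */
enum verdict check_context(uint32_t estab_major, uint32_t ctx_flags,
                           uint32_t required, uint32_t des3_mask)
{
    if (estab_major & EX_S_ERROR_MASK)
        return CTX_ERROR;
    /* Mid-handshake, protection services are usable only with PROT_READY. */
    if ((estab_major & EX_S_CONTINUE_NEEDED) && !(ctx_flags & EX_PROT_READY))
        return CTX_NOT_READY;
    if ((ctx_flags & required) != required)
        return CTX_MISSING_SERVICE;
    /* Without the DES3 bit the context is not protected by DES3. */
    if (des3_mask && !(ctx_flags & des3_mask))
        return CTX_DOWNGRADED;
    return CTX_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "error", "not ready",
                                   "missing service", "downgraded from DES3" };
    uint32_t need = EX_CONF | EX_INTEG | EX_REPLAY | EX_SEQUENCE;
    /* Constructed ctx_flags values, not captured from a real context. */
    uint32_t samples[] = { need | EX_DES3_PLACEHOLDER, need,
                           EX_INTEG | EX_DES3_PLACEHOLDER };
    for (int i = 0; i < 3; i++)
        printf("flags 0x%05x -> %s\n", (unsigned)samples[i],
               names[check_context(0, samples[i], need, EX_DES3_PLACEHOLDER)]);
    return 0;
}
```
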
RETURN VALUES
GSS_S_CALL_INACCESSIBLE_READ 01xxxxxx
GSS_S_CALL_INACCESSIBLE_WRITE 02xxxxxx
GSS_S_COMPLETE 00000000
GSS_S_FAILURE xx0Dxxxx
GSS_S_NO_CONTEXT xx08xxxx
PORTABILITY CONSIDERATIONS
This function is an HP extension of the GSS-API standard that is not
supported by other GSS-API implementations.
SEE ALSO
Functions: gss_accept_sec_context(3), gss_get_mic(3),
gss_import_sec_context(3), gss_init_sec_context(3), gss_wrap(3)