gss_accept_sec_context(3)
NAME
gss_accept_sec_context() - establish a security context between the
application and a context acceptor
SYNOPSIS
DESCRIPTION
The routine is the second step in establishing a security context
between the context initiator and a context acceptor. In the first
step, the context initiator calls the routine. The routine generates a
token for the security context and passes it to the context initiator.
The context initiator sends the token to the context acceptor.
In the second step, the context acceptor accepts the call from the
context initiator and calls the routine. The routine expects a value for
the input_token parameter. The value for the input_token parameter is
generated by the routine and passed by the initiator to the acceptor.
The routine can also return a value for the output_token parameter.
The context acceptor presents the token to the routine. If the
acceptor does not need to send a token to the initiator, sets the length
field of the output_token parameter to 0 (zero).
To complete establishing the context, the context initiator can require
one or more reply tokens from the context acceptor. If the application
requires reply tokens, the routine returns a status value containing
The application calls the routine again when the reply token is
received from the context acceptor. The application passes the token
to the routine via the output_token parameters.
The values returned using the src_name, ret_flags, time_rec, and
delegated_cred_handle parameters are not defined unless the routine returns
the status,
Input Parameters
acceptor_cred_handle Specifies the credential handle (the identity)
claimed by the context acceptor. This is
optional information. The credential must be
either an ACCEPT type credential or a BOTH type
credential. Specify to accept the context as
default principal
input_token_buffer Specifies the token received from the context
acceptor.
input_chan_bindings Specifies bindings supplied by the context
initiator. Allows the context initiator to bind the
channel identification information securely to
the security context. If no channel bindings are
used, specify
Input/Output Parameters
context_handle Specifies a context handle for a new context.
The first time the context initiator uses the
routine, specify to set up a specific context.
In subsequent calls, use the value returned by
this parameter.
Output Parameters
src_name Returns the authenticated name of the context
initiator. This information is optional. If the
authenticated name is not required, specify NULL.
To deallocate the authenticated name, pass it to
the routine.
actual_mech_type Actual mechanism used. Specify NULL if not
required.
output_token Returns a token to pass to the context acceptor.
If no token is to be passed to the context
acceptor, the routine sets the length field of the
returned token buffer to 0 (zero).
ret_flags Returns a bitmask containing six independent
flags, each of which requests that the context
support a service option. The following symbolic
names are provided to correspond to each flag.
The symbolic names should be logically ANDed with
the value of ret_flags to test whether the
context supports the service option.
The True/False values are:
True Delegated credentials are available
from the delegated_cred_handle
parameter.
False No credentials were delegated.
The True/False values are:
True The context acceptor requested
mutual authentication.
False The context acceptor did not request
mutual authentication.
The True/False values are:
True Replayed signed or sealed messages
will be detected.
False Replayed messages will not be
detected.
The True/False values are:
True Out-of-sequence signed or sealed
messages will be detected.
False Out-of-sequence signed or sealed
messages will not be detected.
The True/False values are:
True Confidentiality services are
available by calling the routine.
False Confidentiality services are not
available. However, the application
can call the routine to provide
message encapsulation, data-origin
authentication, and integrity
services.
The True/False values are:
True Integrity services can be invoked by
calling either the or routine.
False Integrity services for individual
messages are not available.
The True/False values are:
True The initiator's identity has not
been revealed, and will not be
revealed if any emitted token is
passed to the acceptor.
False The initiator's identity has been or
will be authenticated normally.
The True/False values are:
True Protection services (as specified by
the states of the and are available
for use if the accompanying major
status return value is either or
False Protection services (as specified by
the states of the and are available
only if the accompanying major
status return value is
The True/False values are:
True The resultant security context may
be transferred to other processes
via a call to
False The security context is not
transferable.
time_rec Returns the number of seconds for which the
context remains valid. This is optional
information. If the time is not required, specify NULL.
delegated_cred_handle Returns the credential handle for credentials
received from the context initiator. The
credential handle is valid only if delegated
credentials are available. If the ret_flags parameter
is true, the flag is set, indicating that
delegated credentials are available.
minor_status Returns a status code from the security
mechanism.
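The ret_flags test described above, written as an acceptor-side policy check. This is an added example, not code from the man page or from any GSS-API implementation. The flag and status names and values are those assigned in RFC 2744 and are defined locally so the block builds without a GSS-API header; REQUIRED_FLAGS, check_accepted_context() and has_delegated_cred() are hypothetical names, and the policy itself is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as assigned in RFC 2744, defined here only so the example
 * compiles without a GSS-API header. */
#define GSS_C_DELEG_FLAG      1u
#define GSS_C_REPLAY_FLAG     4u
#define GSS_C_SEQUENCE_FLAG   8u
#define GSS_C_CONF_FLAG       16u
#define GSS_C_INTEG_FLAG      32u
#define GSS_C_ANON_FLAG       64u
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u

/* Hypothetical policy: services every accepted context must provide. */
#define REQUIRED_FLAGS (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | \
                        GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

enum verdict { CTX_ACCEPT, CTX_WAIT, CTX_REJECT };

/* Judge the (major status, ret_flags) pair from one
 * gss_accept_sec_context() call. *missing receives the required
 * flags that the context does not provide. */
enum verdict check_accepted_context(uint32_t major, uint32_t ret_flags,
                                    uint32_t *missing)
{
    *missing = 0;
    if (major == GSS_S_CONTINUE_NEEDED)
        return CTX_WAIT;    /* ret_flags not defined yet: do not read it */
    if (major != GSS_S_COMPLETE)
        return CTX_REJECT;  /* any other status: abandon the context */
    if (ret_flags & GSS_C_ANON_FLAG)
        return CTX_REJECT;  /* anonymous initiator: no name to authorize */
    *missing = REQUIRED_FLAGS & ~ret_flags;
    return *missing ? CTX_REJECT : CTX_ACCEPT;
}

/* delegated_cred_handle is valid only on a completed context that has
 * GSS_C_DELEG_FLAG set in ret_flags. */
int has_delegated_cred(uint32_t major, uint32_t ret_flags)
{
    return major == GSS_S_COMPLETE && (ret_flags & GSS_C_DELEG_FLAG) != 0;
}

int main(void)
{
    uint32_t missing;
    uint32_t flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG; /* constructed sample */
    enum verdict v = check_accepted_context(GSS_S_COMPLETE, flags, &missing);
    printf("verdict=%d missing=0x%x\n", (int)v, (unsigned)missing);
    return 0;
}
```

The exact comparison against GSS_S_COMPLETE is a simplification: it treats every other major status value, including ones with supplementary bits set, as a rejection.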
STATUS CODES
The following status codes can be returned:
The routine was completed successfully.
The input_token parameter contains different channel bindings from those specified with the input_chan_bindings parameter.
The input_token parameter contains an invalid signature.
To complete the context, the routine must be called again with a token required from the context acceptor.
The referenced credentials have expired.
Consistency checks performed on the credential failed.
Consistency checks performed on the input_token parameter failed.
The input_token parameter was already processed. This is a fatal error that occurs during context establishment.
The routine failed. See the minor_status parameter return value for more information.
The supplied context handle did not refer to a valid context.
Indicates either the supplied credentials were not valid for context acceptance or the credential handle did not reference any credentials.
The input_token parameter was too old. This is a fatal error that occurs during context establishment.
The received token specified a mechanism that is not supported.
AUTHOR
was developed by Sun Microsystems, Inc.
SEE ALSO
gss_acquire_cred(3), gss_delete_sec_context(3), gss_init_sec_context(3).
The manpages for DCE-GSSAPI are included with the DCE-CoreTools
product. To see those manpages add to