Developer's Guide to Oracle Solaris 11 Security (Oracle Solaris 11.1 Information Library)
Implementation-Specific Features in GSS-API

Some aspects of the GSS-API can differ between implementations of the API. In most cases, differences in implementations have only minimal effect on programs. In all cases, developers can maximize portability by not relying on any behavior that is specific to a given implementation, including the Oracle Solaris implementation.

Oracle Solaris-Specific Functions

The Oracle Solaris implementation does not have customized GSS-API functions.

Human-Readable Name Syntax

Implementations of GSS-API can differ in the printable syntax that corresponds to names. For portability, applications should not compare names in their human-readable (printable) form. Instead, such applications should use gss_compare_name() to determine whether an internal-format name matches any other name.

The Oracle Solaris implementation of gss_display_name() displays names as follows. If the input_name argument denotes a user principal, gss_display_name() returns user_principal@realm in the output_name_buffer and the gss_OID value as the output_name_type. If Kerberos v5 is the underlying mechanism, gss_OID is 1.2.840.11354.1.2.2.

If gss_display_name() receives a name that was created by gss_import_name() with the GSS_C_NO_OID name type, gss_display_name() returns GSS_C_NO_OID in the output_name_type parameter.

Format of Anonymous Names

The gss_display_name() function outputs the string '<anonymous>' to indicate an anonymous GSS-API principal. The name type OID associated with this name is GSS_C_NT_ANONYMOUS. No other valid printable names supported by the Oracle Solaris implementation should be surrounded by angle brackets (<>).
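The following added example is not code from the Oracle Solaris guide. It shows the two pieces of the preceding sections that an application actually has to handle from the outside: decoding the DER-encoded elements of the output_name_type OID into the dotted form quoted above, and recognising the printable-name conventions of gss_display_name() (the exact string '<anonymous>' versus user_principal@realm). The oid_desc struct is a local stand-in with the same layout as gss_OID_desc so the file builds without <gssapi/gssapi.h>; the OID byte strings and display names in main() are constructed sample values (the OIDs are GSS_C_NT_USER_NAME and GSS_C_NT_ANONYMOUS as defined in RFC 2743).

```c
/* Added example, not from the Oracle Solaris guide: decode a GSS-API OID and
 * classify gss_display_name() output. oid_desc mirrors gss_OID_desc
 * ({OM_uint32 length; void *elements;}) so no GSS-API header is needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t length;   /* number of bytes in elements */
    void    *elements; /* DER OID contents, without the 0x06 tag and length */
} oid_desc;

/* Decode an OID to "1.2.840..." form. Returns the string length, or -1 when
 * the encoding is malformed (empty, truncated arc, arc too large) or the
 * output buffer is too small. */
int oid_to_string(const oid_desc *oid, char *out, size_t outlen)
{
    const unsigned char *p = oid->elements;
    uint64_t arc = 0;
    size_t pos = 0;
    int first = 1;

    if (oid->length == 0 || p == NULL || outlen == 0)
        return -1;
    for (uint32_t i = 0; i < oid->length; i++) {
        if (arc > (UINT64_MAX >> 7))            /* next shift would overflow */
            return -1;
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)                        /* continuation bit: more to come */
            continue;
        int w;
        if (first) {
            /* The first subidentifier packs the two leading arcs as 40*X+Y;
             * X is at most 2, so values >= 80 all belong to arc 2. */
            uint64_t x = arc < 80 ? arc / 40 : 2;
            uint64_t y = arc < 80 ? arc % 40 : arc - 80;
            w = snprintf(out + pos, outlen - pos, "%llu.%llu",
                         (unsigned long long)x, (unsigned long long)y);
            first = 0;
        } else {
            w = snprintf(out + pos, outlen - pos, ".%llu", (unsigned long long)arc);
        }
        if (w < 0 || (size_t)w >= outlen - pos)
            return -1;
        pos += (size_t)w;
        arc = 0;
    }
    if (p[oid->length - 1] & 0x80)              /* input ended mid-arc */
        return -1;
    return (int)pos;
}

/* gss_buffer_desc values are not NUL-terminated, so the checks take a length.
 * Only the exact string "<anonymous>" denotes the anonymous principal; no
 * other valid Solaris printable name is wrapped in angle brackets. */
int is_anonymous_display_name(const char *value, size_t length)
{
    static const char marker[] = "<anonymous>";
    return length == sizeof marker - 1 && memcmp(value, marker, length) == 0;
}

/* Split "user_principal@realm" at its last unescaped '@' (a Kerberos principal
 * may contain "\@"). Returns 1 and fills the views on success, 0 otherwise. */
int split_principal(const char *value, size_t length,
                    size_t *user_length, const char **realm, size_t *realm_length)
{
    size_t at = length;
    for (size_t i = 0; i < length; i++)
        if (value[i] == '@' && (i == 0 || value[i - 1] != '\\'))
            at = i;
    if (at == length || at == 0 || at == length - 1)
        return 0;                                /* no '@', empty user or realm */
    *user_length = at;
    *realm = value + at + 1;
    *realm_length = length - at - 1;
    return 1;
}

int main(void)
{
    /* Constructed sample values: DER elements of GSS_C_NT_USER_NAME
     * (1.2.840.113554.1.2.1.1) and GSS_C_NT_ANONYMOUS (1.3.6.1.5.6.3). */
    static const unsigned char user_name_oid[] =
        { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x01, 0x01 };
    static const unsigned char anonymous_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x06, 0x03 };
    oid_desc oids[2] = { { sizeof user_name_oid, (void *)user_name_oid },
                         { sizeof anonymous_oid, (void *)anonymous_oid } };
    const char *names[2] = { "alice@EXAMPLE.COM", "<anonymous>" };
    char dotted[64];

    for (int i = 0; i < 2; i++) {
        size_t ulen, rlen;
        const char *realm;
        if (oid_to_string(&oids[i], dotted, sizeof dotted) < 0)
            strcpy(dotted, "(malformed OID)");
        if (is_anonymous_display_name(names[i], strlen(names[i])))
            printf("%s -> anonymous principal, name type %s\n", names[i], dotted);
        else if (split_principal(names[i], strlen(names[i]), &ulen, &realm, &rlen))
            printf("%.*s in realm %.*s, name type %s\n",
                   (int)ulen, names[i], (int)rlen, realm, dotted);
    }
    return 0;
}
```

The decoder is what you would run on output_name_type to log or compare it in dotted form; for deciding whether two names are the same principal, the guide's advice stands: call gss_compare_name() on the internal names rather than comparing the printable strings.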

Implementations of Selected Data Types

The following data types have been implemented as pointers, although some implementations might specify these types as arithmetic types: gss_cred_t, gss_ctx_id_t, and gss_name_t.

Deletion of Contexts and Stored Data

When context establishment fails, the Oracle Solaris implementation does not automatically delete partially built contexts. Applications should therefore handle this event by deleting the contexts with gss_delete_sec_context().

The Oracle Solaris implementation automatically releases stored data, such as internal names, through memory management. However, applications should still call appropriate functions, such as gss_release_name(), when data elements are no longer needed.

Protection of Channel-Binding Information

Support for channel bindings varies by mechanism. Both the Diffie-Hellman mechanism and the Kerberos v5 mechanism support channel bindings.

Developers should assume that channel-bindings data does not have confidentiality protection. Although the Kerberos v5 mechanism provides this protection, confidentiality for channel-bindings data is not available with the Diffie-Hellman mechanism.

Context Exportation and Interprocess Tokens

The Oracle Solaris implementation detects and rejects attempted multiple imports of the same context.

Types of Credentials Supported

The Oracle Solaris implementation of the GSS-API supports the acquisition of GSS_C_INITIATE, GSS_C_ACCEPT, and GSS_C_BOTH credentials through gss_acquire_cred().

Credential Expiration

The Oracle Solaris implementation of the GSS-API supports credential expiration. Therefore, programmers can use parameters that relate to credential lifetime in functions such as gss_acquire_cred() and gss_add_cred().

Context Expiration

The Oracle Solaris implementation of the GSS-API supports context expiration. Therefore, programmers can use parameters that relate to context lifetime in functions such as gss_init_sec_context() and gss_inquire_context().

Wrap Size Limits and QOP Values

The Oracle Solaris implementation of the GSS-API (as opposed to any underlying mechanism) does not impose a maximum size for messages to be processed by gss_wrap(). Applications can determine the maximum message size with gss_wrap_size_limit().

The Oracle Solaris implementation of the GSS-API detects invalid QOP values when gss_wrap_size_limit() is called.

Use of minor_status Parameter

In the Oracle Solaris implementation of the GSS-API, functions return only mechanism-specific information in the minor_status parameter. Other implementations might include implementation-specific return values as part of the returned minor-status code.