Internet Draft D. Thakkar, Bell-Northern Research draft-ietf-cat-idup-cbind-02.txt D. Grebovich, Time-Step Corporation Expires: August 18, 1996 February 18, 1996 Independent Data Unit Protection Generic Security Service Application Program Interface: C-bindings STATUS OF THIS MEMO This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force(IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). Comments on this document should be sent to "cat-ietf@mit.edu", the IETF Common Authentication Technology WG discussion list. ABSTRACT The Independent Data Unit Protection Generic Security Service Application Program Interface (IDUP-GSS-API) extends the GSS-API [RFC-1508] for applications requiring protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated "receivers" of the data unit. Thus, it is suitable for applications such as secure electronic mail where data needs to be protected without any on-line connection with the intended recipient(s) of that data. The protection offered by the IDUP includes data origin authentication with data integrity, data confidentiality with data integrity, and support for non-repudiation services. Subsequent to being protected, the independent data unit can be transferred to the recipient(s) - or to an archive - perhaps to be processed ("unprotected") only days or years later. This document is a companion document to the IDUP-GSS-API and specifies its C language bindings. It extends the generic GSS-API: C-Bindings document [RFC-1509]. Thakkar, Grebovich 1 Expires: August 18, 1996 TABLE OF CONTENTS 1. INTRODUCTION ................................................ 3 2. IDUP-GSS-API ROUTINES ....................................... 4 2.1. Data Types and Calling Conventions ........................ 5 2.1.1. Structured data types ................................... 5 2.1.2. Integer types ........................................... 6 2.1.3. String and similar data ................................. 6 2.1.3.1. Opaque data types ..................................... 6 2.1.3.2. Character strings ..................................... 6 2.1.4. Data Unit Identifiers ................................... 7 2.1.5. Data Unit Identifier Sets ............................... 7 2.1.6. Parameter Bundles ....................................... 8 2.1.7. Credentials ............................................. 13 2.1.8. Environments ............................................ 13 2.1.9. Tokens .................................................. 14 2.1.10. Status values .......................................... 14 2.1.10.1. IDUP-GSS status codes ................................ 14 2.1.10.2. Mechanism-specific status codes ...................... 17 2.1.11. Names .................................................. 17 2.1.12. Optional parameters .................................... 18 2.1.12.1. gss_buffer_t types ................................... 18 2.1.12.2. Integer types (input) ................................ 18 2.1.12.3. Integer types (output) ............................... 18 2.1.12.4. Pointer types ........................................ 18 2.1.12.5. Object IDs ........................................... 19 2.1.12.6. Object ID Sets ....................................... 19 2.1.12.7. Parameter Bundles .................................... 19 2.1.12.8. Credentials .......................................... 19 2.1.12.9. Environments ......................................... 19 3. IDUP-GSS-API routine descriptions .......................... 19 3.1. Credential management calls .............................. 19 3.2. Environment-level calls .................................. 19 3.2.1. idup_establish_env ..................................... 20 3.2.2. idup_abolish_env ....................................... 22 3.2.3. idup_inquire_env ....................................... 24 3.3. Per-IDU calls ............................................ 25 3.3.1. idup_start_protect ...................................... 26 3.3.2. idup_protect ............................................ 29 3.3.3. idup_end_protect ........................................ 30 3.3.4. idup_start_unprotect .................................... 32 3.3.5. idup_unprotect .......................................... 36 3.3.6. idup_end_unprotect ...................................... 37 3.4. Special-Purpose Calls .................................... 38 3.4.1. idup_form_complete_evidence ............................. 39 3.5. Support calls ............................................ 40 3.5.1 idup_parse_token ........................................ 41 4. ACKNOWLEDGMENTS ............................................ 42 5. SECURITY CONSIDERATIONS .................................... 42 6. REFERENCES ................................................. 42 7. AUTHOR'S ADDRESS ........................................... 42 APPENDIX - IDUP-GSS-API Example ................................ 43 Thakkar, Grebovich 2 Expires: August 18, 1996 1. INTRODUCTION The Independent Data Unit Protection Generic Security Service Application Program Interface (IDUP-GSS-API) [IDUP] provides security services to calling applications in a local environment. It allows an application to protect an independent data unit for future use, to unprotect a protected independent data unit and to apply security services such as data origin authentication with integrity (DOA), confidentiality with integrity (CONF), and / or support for non- repudiation on a per-data-unit basis. There are four stages to using the IDUP-GSS-API: (a) The application acquires a set of credentials with which it may bind its identity to a data unit. The application's credentials vouch for its global identity, which may or may not be related to the local username under which it is running. (b) The application establishes a security environment using its credentials. The security environment is an IDUP-GSS-API data structure that contains information which is required in order that per-data-unit security services may be provided. (c) Per-data-unit services are invoked on an established IDUP environment to perform IDU protection and unprotection. Per-IDU calls for IDU protection can support (i) data origin authentication with data integrity, (ii) confidentiality with data integrity, (iii) evidence generation (perform non-repudiable "proof of origin" or "proof of delivery") The application wishing to protect an IDU will call the protect IDUP-GSS-API routines, specifying the appropriate security environment. IDUP-GSS-API calls for protection operations will return a token data structure. This token encapsulates all the information required to unprotect the IDU. Per-IDU calls for IDU unprotection can support (i) data origin authentication verification, (ii) decipherment, (iii) evidence verification The recipient will pass the protected IDU to the unprotecting routines to remove the protection and validate the data. Thakkar, Grebovich 3 Expires: August 18, 1996 (d) At the completion of a security environment (which may extend across several protection and unprotection operations), the application calls an IDUP-GSS-API routine to abolish the security environment. 2. IDUP-GSS-API ROUTINES This section lists the functions performed by each of the IDUP-GSS- API calls and discusses their major parameters, describing how they are to be passed to the routines. The calls are listed in Figure 1 (an asterisk marks the calls which are identical to the GSS-API specification). Figure 1 - IDUP-GSS-API Calls CREDENTIAL MANAGEMENT * gss_acquire_cred acquire credentials for use * gss_release_cred release credentials after use * gss_inquire_cred display information about credentials * gss_add_cred add credential info. (see [GSSv2]) ENVIRONMENT-LEVEL CALLS idup_establish_env establish IDUP environment (to protect or unprotect IDUs) idup_abolish_env abolish env. when no longer needed idup_inquire_env obtain environment parameters PER-IDU CALLS idup_start_protect begin the protection process idup_protect protect IDU (perhaps 1 buffer at a time) idup_end_protect end the protection process; create a token which contains info. necessary for the legitimate receiver(s) of the P-IDU to unprotect it idup_start_unprotect begin the unprotection process Thakkar, Grebovich 4 Expires: August 18, 1996 idup_unprotect use the token to unprotect the P-IDU (possibly 1 buffer at a time) idup_end_unprotect end the unprotection process SPECIAL-PURPOSE CALLS (might not be supported by all mechanisms) idup_form_complete_evidence insert in evidence token any data not provided by the protection calls SUPPORT CALLS * gss_display_status translate status codes to printable form * gss_indicate_mechs indicate mech_types supported on local system * gss_compare_name compare two names for equality * gss_display_name translate name to printable form * gss_import_name convert printable name to normalized form * gss_release_name free storage of normalized-form name * gss_release_buffer free storage of printable name * gss_release_oid_set free storage of OID set idup_parse_token examine an input token to determine mech_type and token_type and other info. Individual IDUP-GSS-API implementations may augment these routines by providing additional mechanism-specific routines if required functionality is not available from the generic forms. Applications are encouraged to use the generic routines wherever possible on portability grounds. 2.1. Data Types and Calling Conventions The following conventions are used by the IDUP-GSS-API: 2.1.1. Structured data types Wherever these IDUP-GSS-API C-bindings describe structured data, only fields that must be provided by all IDUP-GSS-API implementations are documented. Individual implementations may provide additional fields, either for internal use within IDUP-GSS-API routines, or for use by non-portable applications. Thakkar, Grebovich 5 Expires: August 18, 1996 2.1.2. Integer types IDUP-GSS-API defines the following integer data type: OM_uint32 32-bit unsigned integer Where guaranteed minimum bit-count is important, this portable data type is used by the IDUP-GSS-API routine definitions. Individual IDUP-GSS-API implementations will include appropriate typedef definitions to map this type onto a built-in data type. 2.1.3. String and similar data Many of the IDUP-GSS-API routines take arguments and return values that describe contiguous multiple-byte data. All such data is passed between the IDUP-GSS-API and the caller using the gss_buffer_t data type. This data type is a pointer to a buffer descriptor, which consists of a length field that contains the total number of bytes in the datum, and a value field which contains a pointer to the actual datum: typedef struct gss_buffer_desc_struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t; Storage for data passed to the application by a IDUP-GSS-API routine using the gss_buffer_t conventions is allocated by the IDUP-GSS-API routine. The application may free this storage by invoking the gss_release_buffer routine. Allocation of the gss_buffer_desc data unit is always the responsibility of the application; unused gss_buffer_desc data units may be initialized to the value GSS_C_EMPTY_BUFFER. 2.1.3.1. Opaque data types Certain multiple-word data items are considered opaque data types at the IDUP-GSS-API, because their internal structure has no significance either to the IDUP-GSS-API or to the caller. An example of such an opaque data type is the input_buffer parameter to idup_protect (which is opaque to the IDUP-GSS-API). Opaque data is passed between the IDUP-GSS-API and the application using the gss_buffer_t datatype. 2.1.3.2. Character strings Certain multiple-word data items may be regarded as simple ISO Latin- 1 character strings. An example of this is the input_name_buffer parameter to gss_import_name. Some IDUP-GSS-API routines also return character strings. Character strings are passed between the application and the IDUP-GSS-API using the gss_buffer_t datatype. Thakkar, Grebovich 6 Expires: August 18, 1996 2.1.4. Object Identifiers Certain IDUP-GSS-API procedures take parameters of the type gss_OID, or Object Identifier. This is a type containing ISO-defined tree- structured values, and is used by the IDUP-GSS-API caller to select an underlying security mechanism. A value of type gss_OID has the following structure: typedef struct gss_OID_desc_struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID; The elements field of this structure points to the first byte of an octet string containing the ASN.1 BER encoding of the value of the gss_OID. The length field contains the number of bytes in this value. For example, the gss_OID value corresponding to {iso(1) identified-organization(3) icd-ecma(12) member-company(2) dec(1011) cryptoAlgorithms(7) SPX(5)} meaning SPX (Digital's X.509 authentication mechanism) has a length field of 7 and an elements field pointing to seven octets containing the following octal values: 53,14,2,207,163,7,5. IDUP-GSS-API implementations should provide constant gss_OID values to allow callers to request any supported mechanism, although applications are encouraged on portability grounds to accept the default mechanism. gss_OID values should also be provided to allow applications to specify particular name types (see section 2.1.10). Applications should treat gss_OID_desc values returned by IDUP-GSS-API routines as read-only. In particular, the application should not attempt to deallocate them. The gss_OID_desc datatype is equivalent to the X/Open OM_object_identifier datatype [OSI]. 2.1.5. Object Identifier Sets Certain IDUP-GSS-API procedures take parameters of the type gss_OID_set. This type represents one or more object identifiers (section 2.1.4). A gss_OID_set object has the following structure: typedef struct gss_OID_set_desc_struct { int count; gss_OID elements; } gss_OID_set_desc, *gss_OID_set; The count field contains the number of OIDs within the set. The elements field is a pointer to an array of gss_OID_desc objects, each of which describes a single OID. gss_OID_set values are used to name the available mechanisms supported by the API-GSS-API, to request the use of specific mechanisms, and to indicate which mechanisms a given credential supports. Storage associated with gss_OID_set values returned to the application by the IDUP-GSS-API may be deallocated by the gss_release_oid_set routine. Thakkar, Grebovich 7 Expires: August 18, 1996 2.1.6. Parameter Bundles Parameter bundles are set of closely-related parameters of a call and are used by some IDUP-GSS-API procedures. A parameter bundle in turn may contain one or more parameter bundle. Parameters in a parameter bundle are either used by / available to the calling application or not used by / unavailable to the calling application. These parameters can be all input parameters, all output parameters, or any combination of the two. A parameter with comment "/* Input */" is an input parameter; one with "/* Output */" is an output parameter; one with no comment is an input if the bundle itself is an input and is an output if the bundle itself is an output. Wherever these IDUP-GSS-API C-bindings describe parameter bundles, only fields that must be provided by all IDUP-GSS-API implementations are documented. Individual implementations may provide additional fields, either for internal use within IDUP-GSS-API routines, or for use by non-portable applications. For some parameter bundles actual parameters included are defined by (and specific to) the underlying mechanism and are not described here. Following is the list of parameter bundles (Structures with individual parameters as structure members) that are are described: o Mech_Specific_Info o Idu_Sensitivity o Service_Creation_Info o Service_Verification_Info o Quality o Idu_Information o Prot_Information o Special_Conditions o General_Service_Data o Bad_Target_Name o Target_Info o Prot_Service o Unprot_Service o Services_to_Perform o Services_to_Receive o Mech_Specific_Info : Actual parameters included in this structure are defined by (and specific to) the underlying mechanism. o Idu_Sensitivity : Actual parameters included in this structure are defined by (and specific to) the underlying mechanism, but may include codified values for "Unclassifed", "Secret", "Top Secret", and so on. Thakkar, Grebovich 8 Expires: August 18, 1996 o Service_Creation_Info : o Service_Verification_Info : Actual parameters included in these structures are defined by (and specific to) the underlying mechanism, but it is mandatory that they include at least service_id and Quality. o Quality : This parameter bundle includes information which defines the level of quality associated with a security service. A Quality parameter bundle has the following structure: typedef struct { OM_uint32 qop_algs; OM_uint32 validity; gss_OID policy_id; Boolean allow_policy_mapping; } IDUP_Quality_desc, *IDUP_Quality; o Idu_Information : This parameter bundle contains encapsulated content type, content description and sensitivity IDU information. A Idu_Information parameter bundle has the following structure: typedef struct { gss_buffer_t idu_type; gss_buffer_t idu_title; IDUP_Idu_Sensitivity Idu_Sensitivity; } IDUP_Idu_Information_desc, *IDUP_Idu_Information; o Prot_Information : This parameter bundle contains the originator name, IDU information, and time when protection was performed. A Prot_Information parameter bundle has the following structure: typedef struct { gss_buffer_t originator_name; IDUP_Idu_Information Idu_Information; int protection_time; } IDUP_Prot_Information_desc, *IDUP_Prot_Information; Thakkar, Grebovich 9 Expires: August 18, 1996 o Special_Conditions : This parameter bundle contains parameters which control the (un)protection procedures. A Special_Conditions parameter bundle has the following structure: typedef struct { int prot_oper_id; Boolean use_trusted_time; Boolean use_untrusted_time; } IDUP_Special_Conditions_desc, *IDUP_Special_Conditions; o General_Service_Data : This parameter bundle is used by both protection and unprotection procedures and contains IDUP_Target_Info parameter bundle as input and returns unencapsulated token (if enacapsulation_request is FALSE) and minor status as output. A General_Service_Data parameter bundle has the following structure: typedef struct { IDUP_Target_Info Target_Info; gss_buffer_t unencapsulated_token; /* Output */ OM_uint32 minor_status; /* Output */ } IDUP_General_Service_Data_desc, *IDUP_General_Service_Data; o Bad_Target_Name This parameter bundle contains the target name which has been rejected and an integer specifying reason for rejection. A Bad_Target_Name parameter bundle has the following structure: typedef struct { gss_buffer_t bad_targ_name; /* Output */ int bad_targ_status; /* Output */ } IDUP_Bad_Target_Name_desc, *IDUP_Bad_Target_Name; o Target_Info : This parameter bundle contains parameters which allow the application to specify target names (to whom the service is to be delivered) and to receive rejected names and reason for rejection for each rejected name. A Target_Info parameter bundle has the following structure: Thakkar, Grebovich 10 Expires: August 18, 1996 typedef struct { idup_name_set targ_names; /* Input */ IDUP_Bad_Target_Name Bad_Target_Names; /* Output */ int bad_count; /* Output */ } IDUP_Target_Info_desc, *IDUP_Target_Info; The targ_names field is pointer to array of gss_buffer_desc objects, each of which describes a single buffer containing a name to whom the service is to be delivered. The rejected names are returned in IDUP_Bad_Target_Name which is pointer to array of Bad_Target_Name_desc objects each of which describes a rejected name with reason for rejection. The number of rejected names is returned in bad_count. o Prot_Service : Three types of protection services are defined in IDUP. These are 1. perform unsolicited service As an originator, applying data confidentiality with data integrity, or data origin authentication with data integrity, or proof of origin evidence is an example of this service type. 2. perform solicited service As a target, creating a proof of delivery (i.e., receipt) evidence token as the result of a request received from the originator is an example of this service type. 3. perform service solicitation. As an originator, submitting a request that one or more targets return a receipt for the data sent is an example of this service type. The first four parameters in the Prot_Service parameter bundle pertain to all service types; the fifth parameter is used if and only if service type 2 is desired; parameters 6-8 are used if and only if service type 3 is desired. A Prot_Service parameter bundle has the following structure: typedef struct { int prot_service_type; /* Input */ gss_OID service_id; /* Input */ IDUP_Quality Quality; /* Input */ IDUP_General_Service_Data General_Service_Data; /* Input */ IDUP_Service_Creation_Info Service_Creation_Info; /* Input */ idup_name_set services_to; /* Input */ IDUP_Service_Verification_Info Service_Verification_Info; /* Output */ int service_verification_info_id; /* Output */ } IDUP_Prot_Service_desc, *IDUP_Prot_Service; Thakkar, Grebovich 11 Expires: August 18, 1996 o Services_To_Perform : This parameter bundle is a set of Prot_Service parameter bundles. A Services_To_Perform parameter bundle has the following structure: typedef struct { OM_uint32 no_of_services; IDUP_Prot_Service Prot_Service; } IDUP_Services_To_Perform_desc, *IDUP_Services_To_Perform; o Unprot_Service : Three types of unprotection services are defined. These are 1. receive unsolicited service As a target, unprotecting an encrypted message, or verifying the originator's proof of origin is an example of this service type. 2. receive solicited service As an originator, verifying a proof of delivery which you requested from a target is an example of this service type. 3. receive service solicitation. As a target, receiving a request from an originator for a proof of delivery is an example of this service type. The first four parameters in the Unprot_Service parameter bundle pertain to all service types; parameters 5-6 are used if and only if service type 2 is required; parameters 7-8 are used only if service type 3 is required. A Unprot_Service parameter bundle has the following structure: typedef struct { int unprot_service_type; /* Output */ gss_OID service_id; /* Output */ IDUP_Quality Quality; /* Output */ IDUP_General_Service_Data General_Service_Data; /* Output */ int service_verification_info_id; /* Output */ IDUP_Service_Verification_Info Service_Verification_Info; /* Input */ idup_name_set services_to; /* Output */ IDUP_Service_Creation_Info Service_Creation_Info; /* Output */ } IDUP_Unprot_Service_desc, *IDUP_Unprot_Service; o Services_To_Receive : This parameter bundle is a set of Unprot_Service parameter bundle. A Services_To_Receive parameter bundle has the following structure: Thakkar, Grebovich 12 Expires: August 18, 1996 typedef struct { OM_uint32 no_of_services; IDUP_Unprot_Service Unprot_Service; } IDUP_Services_To_Receive_desc, *IDUP_Services_To_Receive; 2.1.7. Credentials A credential handle is a caller-opaque atomic datum that identifies a IDUP-GSS-API credential data structure. It is represented by the caller-opaque type gss_cred_id_t, which may be implemented as either an arithmetic or a pointer type. Credentials describe a principal, and they give their holder the ability to act as that principal. The IDUP-GSS-API does not make the actual credentials available to applications; instead the credential handle is used to identify a particular credential, held internally by IDUP-GSS-API or an underlying mechanism. Thus the credential handle contains no security-relevant information, and requires no special protection by the application. Depending on the implementation, a given credential handle may refer to different credentials when presented to the IDUP-GSS-API by different callers. Individual IDUP-GSS-API implementations should define both the scope of a credential handle and the scope of a credential itself (which must be at least as wide as that of its handle). Possibilities for credential handle scope include the process that acquired the handle, the acquiring process and its children, or all processes sharing some local identification information (e.g., UID). If no handles exist by which a given credential may be reached, the IDUP-GSS-API may abolish the credential. Certain routines allow credential handle parameters to be omitted to indicate the use of a default credential. The mechanism by which a default credential is established and its scope should be defined by the individual IDUP-GSS-API implementation. 2.1.8. Environments The idup_env_id_t data type contains a caller-opaque atomic value that identifies an IDUP-GSS-API security environment. It may be implemented as either an arithmetic or a pointer type. Depending on the implementation, a given idup_env_id_t value may refer to different IDUP-GSS-API security environments when presented to the IDUP-GSS-API by different callers. The security environment holds state information about the security operations, including cryptographic state information. Individual IDUP-GSS-API implementations should define the scope of an environment. Since no way is provided by which a new idup_env_id_t value may be obtained for an existing environment, the scope of an environment should be the same as the scope of the idup_env_id_t data type. Thakkar, Grebovich 13 Expires: August 18, 1996 2.1.9. Tokens A token is a caller-opaque type that IDUP-GSS-API uses to store information regarding an IDU. The token is a bit-string, generated by the underlying mechanism during protection calls for use by the same or another security mechanism during unprotection calls. A token is passed between the IDUP-GSS-API and the application using the gss_buffer_t convention. 2.1.10. Status values One or more status codes are returned by each IDUP-GSS-API routine. Two distinct sorts of status codes are returned. These are termed GSS status codes and Mechanism status codes. 2.1.10.1. IDUP-GSS status codes IDUP-GSS-API routines return IDUP-GSS status codes as their OM_uint32 function value. These codes indicate errors that are independent of the underlying mechanism used to provide the security service. The errors that can be indicated via a IDUP-GSS status code are either generic API routine errors (errors that are defined in the IDUP-GSS- API specification) or calling errors (errors that are specific to these bindings). An IDUP-GSS status code can indicate a single fatal generic API error from the routine and a single calling error. In addition, supplementary status information may be indicated via the setting of bits in the supplementary info field of a IDUP-GSS status code. These errors are encoded into the 32-bit GSS status code as follows: MSB LSB |------------------------------------------------------------| | Calling Error | Routine Error | Supplementary Info | |------------------------------------------------------------| Bit 31 24 23 16 15 0 Hence if a IDUP-GSS-API routine returns a IDUP-GSS status code whose upper 16 bits contain a non-zero value, the call failed. If the calling error field is non-zero, the invoking application's call of the routine was erroneous. Calling errors are defined in Table 1. If the routine error field is non-zero, the routine failed for one of the routine-specific reasons listed below in Table 2. Whether or not the upper 16 bits indicate a failure or a success, the routine may indicate additional information by setting bits in the supplementary info field of the status code. The meaning of individual bits is listed below in Table 3. Thakkar, Grebovich 14 Expires: August 18, 1996 Table 1 - Calling Errors Name Value in Meaning Field GSS_S_CALL_INACCESSIBLE_READ 1 a required input parameter could not be read GSS_S_CALL_INACCESSIBLE_WRITE 2 a required output parameter could not be written. GSS_S_CALL_BAD_STRUCTURE 3 a parameter was malformed. Table 2 - Routine Errors Name Value in Meaning Field GSS_S_BAD_MECH 1 unsupported mechanism requested GSS_S_BAD_NAME 2 invalid name provided GSS_S_BAD_NAMETYPE 3 name of unsupported type provided GSS_S_BAD_BINDINGS 4 NOT APPLICABLE TO IDUP GSS_S_BAD_STATUS 5 invalid input status selector GSS_S_BAD_SIG 6 token had invalid signature GSS_S_NO_CRED 7 no valid credentials provided GSS_S_NO_CONTEXT 8 NOT APPLICABLE TO IDUP GSS_S_DEFECTIVE_TOKEN 9 defective token detected GSS_S_DEFECTIVE_CREDENTIAL 10 defective credential detected GSS_S_CREDENTIALS_EXPIRED 11 expired credentials detected GSS_S_CONTEXT_EXPIRED 12 specified security context expired GSS_S_FAILURE 13 failure, unspecified at GSS-API level GSS_S_BAD_QOP 14 unsupported QOP value GSS_S_UNAUTHORIZED 15 the operation is forbidden by local security policy GSS_S_UNAVAILABLE 16 the operation or option is not available IDUP_S_BAD_TARG_INFO 17 all target information is invalid or unsuitable for IDU protection. IDUP_S_BAD_DOA_KEY 18 DOA key has expired or been revoked IDUP_S_BAD_KE_KEY 19 key used for key establishment between originator and target has expired or been revoked. IDUP_S_BAD_ENC_IDU 20 encrypted IDU is defective/invalid IDUP_S_EVIDENCE_TOKEN_INCOMPLETE 21 there is not enough info. in evidence_token for verification IDUP_S_SERV_VERIF_INFO_NEEDED 22 the Service_Verification_Info parameter bundle is required IDUP_S_SERVICE_UNAVAIL 23 mechanism does not support requested service Thakkar, Grebovich 15 Expires: August 18, 1996 IDUP_S_REQ_TIME_SERVICE_UNAVAIL 24 the time service in not available in this environment IDUP_S_NO_ENV 25 no environment recognized for env_handle IDUP_S_NO_MATCH 26 Service_Verification_Info and token do not match IDUP_S_UNKNOWN_OPER_ID 27 requested operation id. is unsupported Table 3 - Supplementary Status Bits Name Bit Number(LSB) Meaning GSS_S_CONTINUE_NEEDED 0 continuation call to routine required GSS_S_DUPLICATE_TOKEN 1 NOT APPLICABLE TO IDUP GSS_S_OLD_TOKEN 2 NOT APPLICABLE TO IDUP GSS_S_UNSEQ_TOKEN 3 NOT APPLICABLE TO IDUP GSS_S_GAP_TOKEN 4 NOT APPLICABLE TO IDUP IDUP_S_ENCAPSULATION_UNAVAIL 5 encapsulation of M-IDU into P-IDU is not supported IDUP_S_MORE_PIDU_NEEDED 6 more P-IDU data is needed for idup_start_unprotect() IDUP_S_MORE_DATA_NEEDED 7 more data is needed for protection or unprotection The routine documentation also uses the name GSS_S_COMPLETE, which is a zero value, to indicate an absence of any API errors or supplementary information bits. All GSS_S_xxx and IDUP_S_xxx symbols equate to complete OM_uint32 status codes, rather than to bitfield values. For example, the actual value of the symbol GSS_S_BAD_NAMETYPE (value 4 in the routine error field) is 4 << 16. The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a IDUP-GSS status code and removes all but the relevant field. For example, the value obtained by applying GSS_ROUTINE_ERROR to a status code removes the calling errors and supplementary info fields, leaving only the routine errors field. The values delivered by these macros may be directly compared with a GSS_S_xxx symbol of the appropriate type. The macro GSS_ERROR() is also provided, which when applied to a IDUP- GSS status code returns a non-zero value if the status code indicated a calling or routine error, and a zero value otherwise. An IDUP-GSS-API implementation may choose to signal calling errors in a platform-specific manner instead of, or in addition to, the routine value; routine errors and supplementary info should be returned via routine status values only. Thakkar, Grebovich 16 Expires: August 18, 1996 2.1.10.2. Mechanism-specific status codes IDUP-GSS-API routines return a minor_status parameter, which is used to indicate specialized errors from the underlying security mechanism. This parameter may contain a single mechanism-specific error, indicated by a OM_uint32 value. The minor_status parameter will always be set by an IDUP-GSS-API routine, even if it returns a calling error or one of the generic API errors indicated above as fatal, although other output parameters remain unset in such cases. However, output parameters that are expected to return pointers to storage allocated by a routine must always set by the routine, even in the event of an error, although in such cases the IDUP-GSS-API routine may elect to set the returned parameter value to NULL to indicate that no storage was actually allocated. Any length field associated with such pointers (as in a gss_buffer_desc structure) should also be set to zero in such cases. The GSS status code GSS_S_FAILURE is used to indicate that the underlying mechanism detected an error for which no specific IDUP- GSS-API status code is defined. The mechanism status code will provide more details about the error. 2.1.11. Names A name is used to identify a person or entity. IDUP-GSS-API authenticates the relationship between a name and the entity claiming the name. Two distinct representations are defined for names: (a) A printable form, for presentation to a user (b) An internal form, for presentation at the API The syntax of a printable name is defined by the IDUP-GSS-API implementation, and may be dependent on local system configuration, or on individual user preference. The internal form provides a canonical representation of the name that is independent of configuration. A given IDUP-GSS-API implementation may support names drawn from multiple namespaces. In such an implementation, the internal form of the name must include fields that identify the namespace from which the name is drawn. The namespace from which a printable name is drawn is specified by an accompanying object identifier. Thakkar, Grebovich 17 Expires: August 18, 1996 Routines (gss_import_name and gss_display_name) are provided to convert names between their printable representations and the gss_name_t type. GSS_Import_name may support multiple syntaxes for each supported namespace, allowing users the freedom to choose a preferred name representation. gss_display_name should use an implementation-chosen preferred syntax for each supported name-type. Comparison of internal-form names is accomplished via the gss_compare_names routine. This removes the need for the application program to understand the syntaxes of the various printable names that a given IDUP-GSS-API implementation may support. Storage is allocated by routines that return gss_name_t values. A procedure, gss_release_name, is provided to free storage associated with a name. Certain IDUP-GSS-API procedures take parameters of the type idup_name_set. This type represents one or more names. A idup_name_set object has the following structure: typedef struct idup_name_set_desc_struct { int count; gss_name_t elements; } idup_name_set_desc, *idup_name_set; 2.1.12. Optional parameters Various parameters are described as optional. This means that they follow a convention whereby a default value may be requested. The following conventions are used for omitted parameters. These conventions apply only to those parameters that are explicitly documented as optional. 2.1.12.1. gss_buffer_t types Specify GSS_C_NO_BUFFER as a value. For an input parameter this signifies that default behavior is requested, while for an output parameter it indicates that the information that would be returned via the parameter is not required by the application. 2.1.12.2. Integer types (input) Individual parameter documentation lists values to be used to indicate default actions. 2.1.12.3. Integer types (output) Specify NULL as the value for the pointer. 2.1.12.4. Pointer types Specify NULL as the value. Thakkar, Grebovich 18 Expires: August 18, 1996 2.1.12.5. Object IDs Specify GSS_C_NULL_OID as the value. 2.1.12.6. Object ID Sets Specify GSS_C_NULL_OID_SET as the value. 2.1.12.7. Parameter Bundles Specify NULL as the value. 2.1.12.8. Credentials Specify GSS_C_NO_CREDENTIAL to use the default credential handle. 2.1.12.9. Environments Specify IDUP_C_NO_ENV to use the default environment handle. 3. IDUP-GSS-API routine descriptions 3.1 Credential Management Calls Credential management in IDUP-GSS-API is to be understood and used as described in GSS-API [RFC-1508 and RFC-1509]. The calls gss_acquire_cred(), gss_release_cred(), gss_add_cred() (from [GSSv2]) and gss_inquire_cred() are unchanged. 3.2 Environment-level Calls The set of calls described in this section are used un place of the calls gss_init_sec_context(), gss_accept_sec_context(), gss_delete_sec_context(), gss_process_context_token() and gss_context_time() which are specified in [RFC-1508 and RFC-1509]. Thakkar, Grebovich 19 Expires: August 18, 1996 3.2.1. idup_establish_env OM_uint32 idup_establish_env ( gss_cred_id_t claimant_cred_handle, gss_OID req_mech_type, gss_OID req_policy, time_t policy_time, gss_OID_set req_services, OM_uint32 * minor_status, idup_env_id_t * env_handle, gss_OID * actual_mech_type, gss_OID * actual_policy, time_t * actual_policy_time, gss_OID_set ret_services) Purpose: Called by the application to establish a security environment. Parameters: claimant_cred_handle gss_cred_id_t, read, optional handle for credentials claimed. GSS_C_NO_CREDENTIAL parameter specifies "use default". req_mech_type OID, read, optional Object ID of desired mechanism. GSS_C_NULL_OID parameter specifies "use default". req_policy OID, read, optional Object ID of desired policy. policy_time time_t, read The security policy rules available at the specified time. NULL parameter specifies "use default". req_services set of OID, read set of Object ID which request that the environment support specific services. The OIDs available are: PER_CONF perform data confidentiality PER_DOA perform data origin authentication with data integrity PER_POO perform non-repudiable "proof of origin" PER_POD perform non-repudiable "proof of delivery" REC_CONF receive data confidentiality Thakkar, Grebovich 20 Expires: August 18, 1996 REC_DOA receive/verify DOA with data integrity REC_POO receive/verify "proof of origin" REC_POD receive/verify "proof of delivery" TTIME trusted time available UTIME untrusted time available minor_status integer, modify Mechanism specific status code. env_handle idup_env_id_t, modify environment handle for new environment. actual_mech_type OID, modify Actual mechanism used. Always indicated, never NULL. actual_policy OID, modify Always indicated, never NULL. actual_policy_time time_t, modify Actual time at which the above policy rules came into effect. ret_services set of OID, modify Not all services requested in req_services may be available in all underlying mech_types. The set of OID returned indicates services supported in the environment. The value of this parameter is undefined unless the routine returns GSS_S_COMPLETE. Function value: GSS status code: GSS_S_COMPLETE indicates that environment-level information was successfully initialized, and that IDU / P-IDU processing can begin on the newly-established environment. GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks performed on the credential structure referenced by claimant_cred_handle failed, preventing further processing from being performed using that credential structure. Thakkar, Grebovich 21 Expires: August 18, 1996 GSS_S_NO_CRED indicates that no environment was established, either because the input cred_handle was invalid or because the caller lacks authorization to access the referenced credentials. GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided through the input claimant_cred_handle argument are no longer valid, so environment establishment cannot be completed. GSS_S_BAD_MECH indicates that a mech_type unsupported by the IDUP_GSS-API implementation type was requested, causing the environment establishment operation to fail. GSS_S_FAILURE indicates that environment setup could not be accomplished for reasons unspecified at the IDUP-GSS-API level, and that no interface-defined recovery action is available. See minor_status code for more information. Thakkar, Grebovich 22 Expires: August 18, 1996 3.2.2 idup_abolish_env OM_uint32 idup_abolish_env ( idup_env_id_t * env_handle, OM_uint32 * minor_status) Purpose: This call is made to flush environment-specific information. (Once an environment is established, cashed credential and environment-related information is expected to be retained until an idup_abolish_env() call is made or until the credential lifetime expires.) Attempts to perform IDU processing on a deleted environment will result in error returns. Parameters: env_handle idup_env_id_t, read environment handle identifying environment to abolish minor_status integer, modify Mechanism-specific status code. Function value: GSS status code: GSS_S_COMPLETE indicates that the environment was recognized and that relevant environment- specific information was flushed. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided, so no deletion was performed. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. See minor_status code for more information. Thakkar, Grebovich 23 Expires: August 18, 1996 3.2.3 idup_inquire_env OM_uint32 idup_inquire_env ( idup_env_id_t env_handle, OM_uint32 * minor_status, gss_OID * mech_type, gss_OID * policy, time_t * policy_time, gss_OID_set * ret_services) Purpose: This call is used to extract information describing characteristics of the security environment. Parameters: env_handle idup_env_id_t, read, optional environment handle identifying environment used. minor_status integer, modify mechanism specific status code. mech_type OID, modify, optional the mechanism supporting security environment policy OID, modify The policy used in this environment. policy_time time_t, modify Time at which the above policy rules came into effect. ret_services set of OID, modify The set of OID returned indicates services supported in the environment. OIDs available are: PER_CONF perform data confidentiality PER_DOA perform data origin authentication with data integrity PER_POO perform non-repudiable " of origin" PER_POD perform non-repudiable "proof of delivery" REC_CONF receive data confidentiality REC_DOA receive/verify DOA with data integrity REC_POO receive/verify "proof of origin" Thakkar, Grebovich 24 Expires: August 18, 1996 REC_POD receive/verify "proof of delivery" TTIME trusted time available UTIME untrusted time available Function value: GSS status code: GSS_S_COMPLETE indicates that the referenced environment is valid and that mech_type, and ret_services return values describe the corresponding characteristics of the environment. GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided through the input claimant_cred_handle argument are no longer valid, so environment establishment cannot be completed. IDUP_S_NO_ENV indicates that no valid environment was recognized for the input env_handle provided. Return values other than major_status and minor_status are undefined. GSS_S_FAILURE indicates that the requested operation failed for reasons unspecified at the GSS- API level. Return values other than major_status and minor_status are undefined. 3.3 Per-IDU Calls This group of calls is used to perform IDU protection processing on an established IDUP environment. Some of these calls may block pending network interactions (depending on the underlying mechanism in use). These calls may be invoked by a data unit's protector or by the P-IDU's recipient. The two sets of members of this group form a pair; the output from the protection set is properly input to the unprotection set. Thakkar, Grebovich 25 Expires: August 18, 1996 3.3.1. idup_start_protect OM_uint32 idup_start_protect ( idup_env_id_t env_handle, IDUP_Mech_Specific_Info Mech_Specific_Info, IDUP_Idu_Information Idu_Information, int encapsulation_request, IDUP_Special_Conditions Special_Conditions, gss_buffer_t single_idu_buffer, IDUP_Target_Info Target_Info, IDUP_Services_To_Perform Services_to_Perform, OM_uint32* minor_status, gss_buffer_t midu_buffer, gss_buffer_t pidu_buffer) Purpose: Using the security environment referenced by env_handle, initiate the data structures required to begin the process of protecting the IDU buffers. Parameters: env_handle idup_env_id_t, read Identifies the environment in which the data unit will be protected. Mechanism_Specific_Info IDUP_Mech_Specific_Info, read A collection of information defined by (and specific to) the underlying mechanism. NULL selects the mechanism- defined default value for each parameter. Idu_Information IDUP_Idu_Information, read A collection of information (such as encapsulated content type, content description and sensitivity) about the IDU to be protected. encapsulation_request boolean, read TRUE - request to encapsulate IDU FALSE - do not encapsulate IDU. Special_Conditions IDUP_Special_Conditions, read These conditions control the protection procedure. For those mechanisms which allow or require multiple stages of processing, each producing a different aspect of protection for the data data unit, the parameter bundle contains the prot_oper_id parameter which is used to specify which stage is currently being Thakkar, Grebovich 26 Expires: August 18, 1996 requested by the application. The parameter bundle also includes flags to request use of trusted time or use of untrusted time. single_idu_buffer gss_buffer_t, read Non-zero length for this buffer means that idup_protect() and idup_end_protect() will not be called (i.e., the entire IDU is contained in this buffer) Target_Info IDUP_Target_Info, read/modify The P-IDU recipients are specified using idup_name_set parameter and any invalid recipients are returned in a set of Bad_Target_Name parameter bundle. Services_to_Perform IDUP_Services_To_Perform, read/modify Protection Services requested. Each service is able to return a minor status code to the calling application, if necessary. minor_status integer, modify mechanism specific status code. midu_buffer gss_buffer_t, modify zero length if encapsulation_request is TRUE or if single_idu_buffer has zero length. pidu_buffer gss_buffer_t, modify zero length if encapsulation_request is FALSE or if single_idu_buffer has zero length. Function value: GSS status code: GSS_S_COMPLETE indicates that the protection process can begin (or has completed, if single_idu_buffer has non-zero length). GSS_S_CONTINUE NEEDED indicates that at least one of the buffers supplied is too small to hold the generated data. The application should continue calling this routine (until GSS_S_COMPLETE is returned) in order to get all remaining data. Thakkar, Grebovich 27 Expires: August 18, 1996 GSS_S_CREDENTIALS_EXPIRED indicates that the environment is recognized, but that its associated credentials have expired, so that the requested operation cannot be performed. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. IDUP_S_ENCAPSULATION_UNAVAIL indicates that the underlying mechanism does not support encapsulation of the M- IDU into the token. IDUP_S_MORE_DATA_NEEDED indicates whether protection is completed by this call or by idup_end_protect() (e.g., whether more data buffers are required for evidence generation). IDUP_S_SERVICE_UNAVAIL indicates that the underlying mechanism does not support the service requested. IDUP_S_REQ_TIME_SERVICE_UNAVAIL indicates that the time service requested (TTIME or UTIME) is not available in the environment. IDUP_S_UNKNOWN_OPER_ID indicates that the input prot_oper_id value is not recognized or supported in the underlying mechanism. GSS_S_BAD_QOP indicates that the provided QOP value is not recognized or supported for the environment. IDUP_S_BAD_TARG_INFO indicates that all the information regarding the target(s) is invalid or is insufficient for the protection of an IDU, so the P-IDU cannot be created. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. Thakkar, Grebovich 28 Expires: August 18, 1996 3.3.2. idup_protect OM_uint32 idup_protect ( idup_env_id_t env_handle, gss_buffer_t input_buffer, OM_uint32 * minor_status, gss_buffer_t output_buffer) Purpose: Using the security environment referenced by env_handle, continue the protection processing on the data in input_buffer and, if the underlying mechanism defines this, put any resulting M-IDU data in output_buffer. The application calls this routine over and over again with new buffers of data until it has protected all the data buffers of the IDU. It then calls idup_end_protect() to complete the protection process. Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. input_buffer buffer, read IDU buffer minor_status integer, modify Implementation specific status code output_buffer buffer, opaque, modify Protected data unit buffer. Zero length if encapsulation_request was set to TRUE in idup_start_protect() Function value: GSS status codes: GSS_S_COMPLETE indicates that the input_buffer has successfully been included in the protection computation. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. GSS_S_FAILURE indicates that the environment is recognized, but that the required operation could not be performed for reasons unspecified at the IDUP-GSS-API level. Thakkar, Grebovich 29 Expires: August 18, 1996 3.3.3. idup_end_protect OM_uint32 idup_end_protect ( idup_env_id_t env_handle, OM_uint32 * minor_status, IDUP_Services_To_Perform Services_to_Perform, gss_buffer_t final_midu_buffer, gss_buffer_t final_pidu_buffer) Purpose: Using the security environment referenced by env_handle, complete the protection processing on the data and place the computed output in final_pidu_buffer (or final_midu_buffer and the uncapsulated_token parameter for each Prot_Service). If a service was requested from one or more targets in Start_Protect() - and if this is supported by underlying mechanism - Service_Verification_Info will hold whatever data is necessary for the mechanism to verify a service retuned by a target (unprotector) of the P-IDU. Successful application of idup_end_protect() does not guarantee that the corresponding unprotection set of functions can necessarily be performed successfully when the protected data unit arrives at the target (for example, it may be damaged in transit). Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. minor_status integer, modify Implementation specific status code. Services_to_Perform IDUP_Services_To_Perform Protection Services requested. Each service is able to return minor status code to the calling application, if necessary. final_midu_buffer buffer, opaque, modify Protected data unit buffer which holds any residual data from the previous idup_protect call. Zero length if encapsulation_request was set to TRUE in idup_start_protect(), in which case pidu is used. final_pidu_buffer buffer, opaque, modify Protected data unit buffer. Zero length if encapsulation_request was set to FALSE in idup_start_protect(), in which case token and midu are used. Thakkar, Grebovich 30 Expires: August 18, 1996 Function value: GSS status codes: GSS_S_COMPLETE indicates that the protection computation has been successfully completed and the resulting P-IDU is ready for transfer. If defined by the underlying mechanism, final_midu_buffer will contain any residual M-IDU data. GSS_CONTINUE NEEDED indicates that at least one of the buffers supplied is too small to hold the generated data. The application should continue calling this routine (until GSS_S_COMPLETE is returned) in order to get all remaining data. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. Thakkar, Grebovich 31 Expires: August 18, 1996 3.3.4. idup_start_unprotect OM_uint32 idup_start_unprotect( idup_env_id_t env_handle, IDUP_Mech_Specific_Info Mech_Specific_Info, gss_buffer_t single_pidu_buffer, gss_buffer_t partial_pidu_buffer, gss_buffer_t final_pidu_buffer, IDUP_Special_Conditions Special_Conditions, OM_uint32 * minor_status, IDUP_Services_To_Receive Services_to_Receive, IDUP_Prot_Information Prot_Information, gss_buffer_t single_idu_buffer, gss_buffer_t initial_idu_buffer, IDUP_Service_Verification_Info Service_Verification_Info, int * service_verification_info_id) Purpose: Using the security environment referenced by env_handle, initialize the data structures required to begin the process of unprotecting the P-IDU. Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. Mechanism_Specific_Info IDUP_Mech_Specific_Info, read A collection of information defined by (and specific to) the underlying mechanism. NULL selects the mechanism- defined default value for each parameter. single_pidu_buffer buffer, read Non-zero length for this buffer means that idup_unprotect() and idup_end_unprotect() will not be called. (i.e., the entire P- IDU is contained in this buffer) partial_pidu_buffer buffer, read may be arbitary-sized piece of the full pidu (if the application's buffer isn't large enough to hold entire pidu), or may be service token (if encapsulation was not used). final_pidu_buffer buffer, read final buffer must be passed in final_pidu_buffer rather then partial pidu Thakkar, Grebovich 32 Expires: August 18, 1996 buffer. Only one of single_pidu_buffer and partial(final)_pidu_buffer can have non zero length. Special_Conditions Special_Conditions, read These conditions control the unprotection procedure. For those mechanisms which allow or require multiple stages of processing, each producing a different aspect of unprotection for the P-IDU, the parameter bundle contains a prot_oper_id parameter which is used to specify which stage is currently being requested by the application. The parameter bundle also includes flags to request use of trusted time or use of untrusted time. minor_status integer, modify Implementation specific status code Services_to_Receive IDUP_Services_To_Receive, read/modify This parameter bundle returns which services were applied to the P-IDU. Prot_Information IDUP_Prot_Information, modify Holds originator name, IDU information, time when protection was performed. single_idu_buffer buffer, modify If this buffer has non-zero length, then service processing has been completed on the data in single_pidu_buffer. initial_idu_buffer buffer, modify Holds any data from partial(final)_pidu_buffer which has been unprotected; remaining data will be returned by Unprotect and End_Unprotect as they are called with successive buffers of pidu. Service_Verification_Info IDUP_Service_Verification_Info, modify Used only if target is on "service_to" list in Unprot_Service. service_verification_info_id integer, modify Used only if target is on "service_to" list in Unprot_Service. Function value: GSS status codes: Thakkar, Grebovich 33 Expires: August 18, 1996 GSS_S_COMPLETE indicates that unprotection processing can begin (or has been completed, if single_idu_buffer has non-zero length). GSS_S_CONTINUE NEEDED indicates that at least one of the buffers supplied is too small to hold the generated data. The application should continue calling this routine (until GSS_S_COMPLETE is returned) in order to get all remaining data. IDUP_S_MORE_PIDU_NEEDED indicates that not enough of P-IDU has been input yet for the completion of Start_Unprotect. The application should call this routine again with another buffer of P-IDU in partial_pidu_buffer. GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed on the received P-IDU failed, preventing further processing from being performed with that token. IDUP_S_MORE_DATA_NEEDED indicates whether unprotection is completed by this call or by idup_end_unprotect() (e.g., whether more data buffers are required for unprotection). GSS_DEFECTIVE_VERIF indicates that consistency checks performed on the Service_Verification_Info failed, preventing further processing from being performed with that parameter. IDUP_S_NO_MATCH indicates that Service_Verification_Info and the P-IDU to be verified do not match. IDUP_S_SERVICE_UNAVAIL indicates that the underlying mechanism does not support the service requested. IDUP_S_REQ_TIME_SERVICE_UNAVAIL indicates that the time service requested (TTIME or UTIME) is not available in the environment. IDUP_S_EVIDENCE_TOKEN_INCOMPLETE indicates that more information is needed in the P-IDU in order to verify it (this may, if specified by the underlying mechanism, be an indication that the token is incomplete and idup_form_complete_evidence() needs to be called to complete it). Thakkar, Grebovich 34 Expires: August 18, 1996 IDUP_S_SERV_VERIF_INFO_NEEDED indicates that the Service_Verification_Info parameter bundle must be input in order for service verification to proceed. The output parameter service_verification_info_id contains an identifier whch may be used by the calling application to locate the necessary information. GSS_S_CREDENTIALS_EXPIRED indicates that the environment is recognized, but that its associated credentials have expired, so that the requested operation cannot be performed. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. IDUP_S_UNKNOWN_OPER_ID indicates that the input prot_oper_id value is not recognized or supported in the underlying mechanism. GSS_S_BAD_QOP indicates that the qop_algs value specified in P-IDU for at least one of the services is unavailable in the local mechanism, so processing cannot continue. GSS_S_BAD_SIG indicates that the received P-IDU contains an incorrect integrity field (e.g., signature or MAC) for the data. IDUP_S_BAD_DOA_KEY indicates that the key used to provide IDU data origin auth. / integ. has either expired or been revoked. IDUP_S_BAD_KE_KEY indicates that the key used to establish a key for confidentiality purposes between originator and target has either expired or been revoked. IDUP_S_BAD_ENC_IDU indicates that decryption of the received IDU cannot be completed because the encrypted IDU was invalid/defective (e.g., the final block was short or had incorrect padding). GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. Thakkar, Grebovich 35 Expires: August 18, 1996 3.3.5. idup_unprotect OM_uint32 idup_unprotect ( idup_env_id_t env_handle, gss_buffer_t input_buffer, OM_uint32 * minor_status, gss_buffer_t output_buffer) Purpose: Using the security environment referenced by env_handle, continue the unprotect processing on the data and return the appropriate status code. The application calls this routine over and over again with new buffers of data until it has unprotected all the data buffers of the P-IDU. It then calls idup_end_unprotect() to complete the unprotection process. Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. input_buffer buffer, modify Protected data unit buffer. minor_status integer, modify Implementation specific status code output_buffer buffer, modify Unprotected data unit buffer. Function values: GSS status codes: GSS_S_COMPLETE indicates that the input_buffer has successfully been included in the unprotection computation. IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. Thakkar, Grebovich 36 Expires: August 18, 1996 3.3.6. idup_end_unprotect OM_uint32 idup_end_unprotect ( idup_env_id_t env_handle, OM_uint32 * minor_status, IDUP_Services_To_Receive Services_to_Receive, gss_buffer_t final_idu_buffer, IDUP_Service_Verification_Info Service_Verification_Info, int * service_verification_info_id) Purpose: Using the security environment referenced by env_handle, complete the unprotect processing on the data and return the appropriate status code. Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. minor_status integer, modify Implementation-specific status code. Services_to_Receive IDUP_Services_To_Receive This parameter bundle returns which services were applied to the P-IDU. final_idu_buffer buffer, modify Unprotected data unit buffer. Service_Verification_Info IDUP_Service_Verification_Info, modify Used only if target is on "service_to" list in Unprot_Service. service_verification_info_id integer, modify Used only if target is on "service_to" list in Unprot_Service. Function value: GSS status codes: GSS_S_COMPLETE indicates that the unprotect computation was successful. Any residual IDU data will be returned in final_idu_buffer. Thakkar, Grebovich 37 Expires: August 18, 1996 GSS_S_CONTINUE NEEDED indicates that at least one of the buffers supplied is too small to hold the generated data. The application should continue calling this routine (until GSS_S_COMPLETE is returned) in order to get all remaining data. GSS_S_BAD_SIG indicates that the received P-IDU contains an incorrect integrity field (e.g., signature or MAC) for the data. IDUP_S_BAD_DOA_KEY indicates that the key used to provide IDU data origin auth. / integ. has either expired or been revoked. IDUP_S_BAD_KE_KEY indicates that the key used to establish a key for confidentiality purposes between originator and target has either expired or been revoked. IDUP_S_BAD_ENC_IDU indicates that decryption of the received IDU cannot be completed because the encrypted IDU was invalid/defective (e.g., the final block was short or had incorrect padding). IDUP_S_NO_ENV indicates that no valid environment was recognized for the env_handle provided. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not performed for reasons unspecified at the IDUP-GSS-API level. 3.4 Special Purpose Calls The special purpose call described in this section has no analogue in GSS-API [RFC-1508, RFC-1509]. This call is used to complete the portfolio of evidence services in IDUP environment. This call may not be supported by all underlying IDUP mechanisms or implementations. Thakkar, Grebovich 38 Expires: August 18, 1996 3.4.1. idup_form_complete_evidence OM_uint32 idup_form_complete_evidence ( idup_env_id_t env_handle, gss_buffer_t single_evidence_buffer, gss_buffer_t partial_evidence_buffer, gss_buffer_t final_evidence_buffer, OM_uint32 * minor_status, gss_buffer_t evidence_token_out) Purpose: Using the security environment referenced by env_handle, complete the generation of an evidence token for non-repudiation purposes and return the appropriate status value along with the completed token. Parameters: env_handle idup_env_id_t, read Environment handle identifying environment used. single_evidence_buffer buffer, opaque, read partial_evidence_buffer buffer, opaque, read may be an arbitary-sized piece of the full evidence token. final_evidence_buffer buffer, opaque, read final buffer must be passed in final_evidence_buffer rather then partial evidence buffer. Only one of single_evidence_buffer and partial(final)_evidence_buffer can have non zero length. minor status integer, modify Implementation specific status code. evidence_token_out buffer, modify Function value: GSS status codes: GSS_S_COMPLETE indicates that the completion of evidence generation was successful. Thakkar, Grebovich 39 Expires: August 18, 1996 GSS_S_CONTINUE NEEDED indicates that the buffer supplied for evidence_token_out is too small to hold the generated data. The application should continue calling this routine (until GSS_S_COMPLETE is returned) in order to get all remaining data. IDUP_S_SERVICE_UNAVAIL indicates that the underlying mechanism does not support the service requested. GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed on the input evidence token failed, preventing further processing from being performed with that token. GSS_S_FAILURE indicates that the environment is recognized, but that the requested operation could not be performed for reasons unspecified at the IDUP-GSS-API level. 3.5 Support calls Support calls in IDUP-GSS-API are to be understood and used as described in GSS-API [RFC-1508 and RFC-1509]. The calls gss_display_status(), gss_indicate_mechs(), gss_compare_name(), gss_display_name(), gss_import_name(), gss_release_name(), gss_release_buffer(), gss_release_oid_set() are unchanged. Thakkar, Grebovich 40 Expires: August 18, 1996 3.5.1 idup_parse_token OM_uint32 idup_parse_token ( gss_buffer_t input_token, OM_uint32 * minor_status, gss_OID * mech_type) Purpose: idup_parse_token is used to return to an application the attributes which correspond to a given input token. Parameters: input_token gss_buffer_t, read Input token from the protect call. minor_status integer, modify Implementation specific status code. mech_type OID, modify The mechanism that was used to create input_token. Function value: GSS status code: GSS_S_COMPLETE indicates that the input_token could be parsed for all relevant fields. GSS_S_CREDENTIALS EXPIRED indicates that the environment is recognized, but that its associated credentials have expired, so that the requested operation cannot be performed. GSS_S_DEFECTIVE_TOKEN indicates that the mechanism type could be parsed, but that either the other fields could not be determined from the input_token, or their values did not correspond to valid values for that mechanism. GSS_S_FAILURE indicates that the mechanism type could not be parsed (e.g., the token may be corrupted). Thakkar, Grebovich 41 Expires: August 18, 1996 4. ACKNOWLEDGMENTS Many thanks to Carlisle Adams of Bell-Northern Research for many helpful comments. Section 1 and many parts of section 2 of this document are either strongly influenced by or identical to John Wray's GSS-API: C- Bindings [RFC-1509]. 5. SECURITY CONSIDERATIONS Security issues are discussed throughout this memo. 6. REFERENCES [GSSv2] J. Linn, "Generic Security Service Application Program Interface, Version 2", Internet Draft draft-ietf-cat- gssv2-0x.txt (work in progress). [IDUP] C. Adams, Independent Data Unit Protection Generic Security Service Application Program Interface, Internet Draft draft-ietf-cat-idup-gss-0x.txt (work in progress). [OSI] "OSI Object Management API Specification, Version 2.0 ", X.400 API Association & X/Open Company Limited, August 1990. Specification of datatypes and routines for manipulating information objects. [RFC-1508]: J. Linn, "Generic Security Service Application Program Interface", RFC 1508. [RFC-1509]: J. Wray, "Generic Security Service API: C-bindings", RFC1509. 7. AUTHOR'S ADDRESS Dhanya Thakkar Dragan Grebovich Bell-Northern Research Time-Step Corporation P.O.Box 3511, Station C 359 Terry Fox Drive Nepean, Ontario, CANADA K1Y 4H7 Kanata, Ontario, CANADA K2K 2E7 Phone: +1 (613) 763-9039 Phone: +1 (613) 599-3610 x4361 E-mail: dickie48@bnr.ca E-mail: dgrebovich@timestep.com Thakkar, Grebovich 42 Expires: August 18, 1996 IDUP-GSS-API Example #ifndef IDUP-GSS-API_H_ #define IDUP-GSS-API_H_ /* * First, define the platform-dependent types. */ typedef OM_uint32; typedef idup_env_id_t; typedef gss_cred_id_t; typedef gss_name_t; typedef idup_name_t; /* * Note that a platform supporting the xom.h X/Open header file * may make use of that header for the definitions of OM_uint32 * and the structure to which gss_OID_desc equates. */ typedef struct gss_OID_desc_struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID; typedef struct gss_OID_set_desc_struct { int count; gss_OID elements; } gss_OID_set_desc, *gss_OID_set; typedef struct gss_buffer_desc_struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t; typedef struct idup_name_set_desc_struct { int count; gss_name_t elements; } idup_name_set_desc, *idup_name_set; typedef struct { gss_buffer_t idu_type; gss_buffer_t idu_title; IDUP_Idu_Sensitivity Idu_Sensitivity; } IDUP_Idu_Information_desc, *IDUP_Idu_Information; Thakkar, Grebovich 43 Expires: August 18, 1996 typedef struct { OM_uint32 qop_algs; OM_uint32 validity; gss_OID policy_id; int allow_policy_mapping; } IDUP_Quality_desc, *IDUP_Quality; typedef struct { gss_buffer_t originator_name; IDUP_Idu_Information Idu_Information; int protection_time; } IDUP_Prot_Information_desc, *IDUP_Prot_Information; typedef struct { int prot_oper_id; int use_trusted_time; int use_untrusted_time; } IDUP_Special_Conditions_desc, *IDUP_Special_Conditions; typedef struct { IDUP_Target_Info Target_Info; gss_buffer_t unencapsulated_token; /* Output */ OM_uint32 minor_status; /* Output */ } IDUP_General_Service_Data_desc, *IDUP_General_Service_Data; typedef struct { gss_buffer_t bad_targ_name; /* Output */ int bad_targ_status; /* Output */ } IDUP_Bad_Target_Name_desc, *IDUP_Bad_Target_Name; typedef struct { idup_name_set targ_names; /* Input */ IDUP_Bad_Target_Name Bad_Target_Names; /* Output */ int bad_count; /* Output */ } IDUP_Target_Info_desc, *IDUP_Target_Info; Thakkar, Grebovich 44 Expires: August 18, 1996 typedef struct { int prot_service_type; /* Input */ gss_OID service_id; /* Input */ IDUP_Quality Quality; /* Input */ IDUP_General_Service_Data General_Service_Data; /* Input */ IDUP_Service_Creation_Info Service_Creation_Info; /* Input */ idup_name_set services_to; /* Input */ IDUP_Service_Verification_Info Service_Verification_Info; /* Output */ int service_verification_info_id; /* Output */ } IDUP_Prot_Service_desc, *IDUP_Prot_Service; typedef struct { OM_uint32 no_of_services; IDUP_Prot_Service Prot_Service; } IDUP_Services_To_Perform_desc, *IDUP_Services_To_Perform; typedef struct { int unprot_service_type; /* Output */ gss_OID service_id; /* Output */ IDUP_Quality Quality; /* Output */ IDUP_General_Service_Data General_Service_Data; /* Output */ int service_verification_info_id; /* Output */ IDUP_Service_Verification_Info Service_Verification_Info; /* Input */ idup_name_set services_to; /* Output */ IDUP_Service_Creation_Info Service_Creation_Info; /* Output */ } IDUP_Unprot_Service_desc, *IDUP_Unprot_Service; typedef struct { OM_uint32 no_of_services; IDUP_Unprot_Service Unprot_Service; } IDUP_Services_To_Receive_desc, *IDUP_Services_To_Receive; Thakkar, Grebovich 45 Expires: August 18, 1996 /* * Credential usage options */ #define GSS_C_BOTH 0 #define IDUP_C_PROTECT 1 #define IDUP_C_UNPROTECT 2 /* * Status code types for gss_display_status */ #define GSS_C_GSS_CODE 1 #define GSS_C_MECH_CODE 2 #define IDUP_C_CODE 3 #define GSS_C_AF_NULLADDR 255; #define GSS_C_NO_BUFFER ((gss_buffer_t) 0) #define GSS_C_NULL_OID ((gss_OID) 0) #define GSS_C_NULL_OID_SET ((gss_OID_set) 0) #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) #define GSS_C_EMPTY_BUFFER {0, NULL} #define IDUP_C_NO_ENV ((idup_env_id_t) 0) /* * Define the default Quality of Protection for per-data-unit * services. Note that an implementation that offers multiple * levels of QOP may either reserve a value (for example zero, * as assumed here) to mean "default protection", or alternatively * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP * value. */ #define GSS_C_QOP_DEFAULT 0 /* * Define the default policy time for per-data-unit services. * An implementation may equate IDUP_C_POLICY_TIME_DEFAULT to a * specific explicit IDUP_C_POLICY_TIME_DEFAULT value. */ #define IDUP_C_POLICY_TIME_DEFAULT 0 Thakkar, Grebovich 46 Expires: August 18, 1996 /* * Expiration time of 2^32-1 seconds means infinite lifetime for a * credential or security environment */ #define GSS_C_INDEFINITE 0xfffffffful /* Major status codes */ #define GSS_S_COMPLETE 0 /* * Some "helper" definitions to make the status code macros obvious. */ #define GSS_C_CALLING_ERROR_OFFSET 24 #define GSS_C_ROUTINE_ERROR_OFFSET 16 #define GSS_C_SUPPLEMENTARY_OFFSET 0 #define GSS_C_CALLING_ERROR_MASK 0377ul #define GSS_C_ROUTINE_ERROR_MASK 0377ul #define GSS_C_SUPPLEMENTARY_MASK 0177777ul /* * The macros that test status codes for error conditions */ #define GSS_CALLING_ERROR(x) \ (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) #define GSS_ROUTINE_ERROR(x) \ (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) #define GSS_SUPPLEMENTARY_INFO(x) \ (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) #define GSS_ERROR(x) \ ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0)) /* * Calling errors: */ #define GSS_S_CALL_INACCESSIBLE_READ \ (1ul << GSS_C_CALLING_ERROR_OFFSET) #define GSS_S_CALL_INACCESSIBLE_WRITE \ (2ul << GSS_C_CALLING_ERROR_OFFSET) #define GSS_S_CALL_BAD_STRUCTURE \ (3ul << GSS_C_CALLING_ERROR_OFFSET) Thakkar, Grebovich 47 Expires: August 18, 1996 /* * Routine errors: */ #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_CONTEXT_EXPIRED(12ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) #define GSS_S_UNAUTHORIZED (15ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define GSS_S_UNAVAILABLE (16ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_BAD_TARG_INFO (17ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_BAD_DOA_KEY (18ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_BAD_KE_KEY (19ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_BAD_ENC_IDU (20ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_EVIDENCE_TOKEN_INCOMPLETE \ (21ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_SERV_VERIF_INFO_NEEDED \ (22ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_SERVICE_UNAVAIL (23ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_REQ_TIME_SERVICE_UNAVAIL \ (24ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_NO_ENV (25ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_NO_MATCH (26ul << IDUP_C_ROUTINE_ERROR_OFFSET) #define IDUP_S_UNKNOWN_OPER_ID (27ul << IDUP_C_ROUTINE_ERROR_OFFSET) /* * Supplementary info bits: */ #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) #define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) #define IDUP_S_ENCAPSULATION_UNAVAIL \ (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 5)) #define IDUP_S_MORE_PIDU_NEEDED \ (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 6)) #define IDUP_S_MORE_DATA_NEEDED \ (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 7)) Thakkar, Grebovich 48 Expires: August 18, 1996 /* * Finally, function prototypes for the IDUP-GSS-API routines. */ OM_uint32 idup_establish_env ( gss_cred_id_t, /* claimant_cred_handle, gss_OID, /* req_mech_type */ gss_OID, /* req_policy */ time_t, /* policy_time */ gss_OID_set, /* req_services */ OM_uint32 *, /* minor_status */ idup_env_id_t *, /* env_handle */ gss_OID *, /* actual_mech_type */ gss_OID *, /* actual_policy */ time_t *, /* actual_policy_time */ gss_OID_set /* ret_services */ ); OM_uint32 idup_abolish_env ( idup_env_id_t *, /* env_handle */ OM_uint32 * /* minor_status */ ); OM_uint32 idup_inquire_env ( idup_env_id_t, /* env_handle */ OM_uint32 *, /* minor_status */ gss_OID *, /* mech_type */ gss_OID *, /* policy */ time_t *, /* policy_time */ gss_OID_set * /* ret_services */ ); OM_uint32 idup_start_protect ( idup_env_id_t, /* env_handle */ IDUP_Mech_Specific_Info, /* Mech_Specific_Info */ IDUP_Idu_Information, /* Idu_Information */ int, /* encapsulation_request */ IDUP_Special_Conditions, /* Special_Conditions */ gss_buffer_t, /* single_idu_buffer */ IDUP_Target_Info, /* Target_Info */ IDUP_Services_To_Perform, /* Services_to_Perform */ OM_uint32*, /* minor_status */ gss_buffer_t, /* midu_buffer */ gss_buffer_t /* pidu_buffer */ ); Thakkar, Grebovich 49 Expires: August 18, 1996 OM_uint32 idup_protect ( idup_env_id_t, /* env_handle */ gss_buffer_t, /* input_buffer */ OM_uint32 *, /* minor_status */ gss_buffer_t /* output_buffer */ ); OM_uint32 idup_end_protect ( idup_env_id_t, /* env_handle */ OM_uint32 *, /* minor_status */ IDUP_Services_To_Perform, /* Services_to_Perform */ gss_buffer_t, /* final_midu_buffer */ gss_buffer_t /* final_pidu_buffer */ ); OM_uint32 idup_start_unprotect ( idup_env_id_t, /* env_handle */ IDUP_Mech_Specific_Info, /* Mech_Specific_Info */ gss_buffer_t, /* single_pidu_buffer */ gss_buffer_t, /* partial_pidu_buffer */ gss_buffer_t, /* final_pidu_buffer */ IDUP_Special_Conditions, /* Special_Conditions */ OM_uint32 *, /* minor_status */ IDUP_Services_To_Receive, /* Services_to_Receive */ IDUP_Prot_Information, /* Prot_Information */ gss_buffer_t /* single_idu_buffer */ gss_buffer_t, /* initial_idu_buffer */ IDUP_Service_Verification_Info, /* Service_Verification_Info */ int * /* service_verification_info_id */ ); OM_uint32 idup_unprotect ( idup_env_id_t, /* env_handle */ gss_buffer_t, /* input_buffer */ OM_uint32 *, /* minor_status */ gss_buffer_t /* output_buffer */ ); OM_uint32 idup_end_unprotect ( idup_env_id_t, /* env_handle */ OM_uint32 *, /* minor_status */ IDUP_Services_To_Receive, /* Services_to_Receive */ gss_buffer_t, /* final_idu_buffer */ IDUP_Service_Verification_Info, /* Service_Verification_Info */ int * /* service_verification_info_id */ ); Thakkar, Grebovich 50 Expires: August 18, 1996 OM_uint32 idup_form_complete_evidence ( idup_env_id_t, /* env_handle */ gss_buffer_t, /* single_evidence_buffer */ gss_buffer_t, /* partial_evidence_buffer */ gss_buffer_t, /* final_evidence_buffer */ OM_uint32 *, /* minor_status */ gss_buffer_t /* evidence_token_out */ ); OM_uint32 idup_parse_token ( gss_buffer_t, /* input_token */ OM_uint32 *, /* minor_status */ gss_OID * /* mech_type */ ); OM_uint32 gss_display_status ( OM_uint32*, /* minor_status */ OM_uint32, /* status_value */ int, /* status_type */ gss_OID, /* mech_type */ int*, /* message_environment */ gss_buffer_t /* status_string */ ); OM_uint32 gss_indicate_mechs ( OM_uint32*, /* minor_status */ gss_OID_set* /* mech_set */ ); OM_uint32 gss_compare_name ( OM_uint32*, /* minor_status */ gss_name_t, /* name1 */ gss_name_t, /* name2 */ int* /* name_equal */ ); OM_uint32 gss_display_name ( OM_uint32*, /* minor_status */ gss_name_t, /* input_name */ gss_buffer_t, /* output_name_buffer */ gss_OID* /* output_name_type */ ); Thakkar, Grebovich 51 Expires: August 18, 1996 OM_uint32 gss_import_name ( OM_uint32*, /* minor_status */ gss_buffer_t, /* input_name_buffer */ gss_OID, /* input_name_type */ gss_name_t* /* output_name */ ); OM_uint32 gss_release_name ( OM_uint32*, /* minor_status */ gss_name_t* /* input_name */ ); OM_uint32 gss_release_buffer ( OM_uint32*, /* minor_status */ gss_buffer_t /* buffer */ ); OM_uint32 gss_release_oid_set ( OM_uint32*, /* minor_status */ gss_OID_set* /* set */ ); OM_uint32 idup_release_name_set ( OM_uint32*, /* minor_status */ idup_name_set* /* set */ ); #endif /* IDUP-GSS-API_H_ * Thakkar, Grebovich 52 Expires: August 18, 1996