HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 5 GSSAPI (Generic Security Services Application Programming Interface)

gss_unwrap — Verify a message with attached MIC and decrypt message content


C Prototype

OM_uint32 gss_unwrap(
    OM_uint32 * minor_status,
    gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer,
    gss_buffer_t output_message_buffer,
    int * conf_state,
    gss_qop_t * qop_state );

Arguments

minor_status (output) 

An implementation-specific status code.

context_handle (input) 

Identifies the context in which the message arrived.

input_message_buffer (input) 

The protected message.

output_message_buffer (output)

A buffer to receive the unwrapped message. Storage associated with this buffer must be freed by the application after use with a call to gss_release_buffer.

conf_state (output) 

A Boolean value indicating which services have been applied. Specify NULL if not required.

TRUE — Confidentiality and integrity protection services have been applied.

FALSE — Only integrity service has been applied.

qop_state (output) 

The quality of protection provided. Specify NULL if not required.

Description

This routine converts a message previously protected by gss_wrap back to a usable form, verifying the embedded Message Integrity Code (MIC). The conf_state argument indicates whether the message was encrypted; the qop_state argument indicates the strength of the protection that was used to provide the confidentiality and integrity services.

This routine is functionally equivalent to the gss_unseal routine. New code should use gss_unwrap instead of gss_unseal. Although both routines are supported, gss_unseal has been deprecated in the GSSAPI Version 2 specification.

Return Values

This routine returns one of the following GSS status codes:

GSS_S_COMPLETE

Indicates that the input_message_buffer was successfully processed and that the output_message_buffer is ready for transmission.

GSS_S_DEFECTIVE_TOKEN

Indicates that consistency checks performed on the token extracted from the input_message_buffer failed, preventing further processing from being performed with that token.

GSS_S_BAD_SIG

Indicates that the MIC extracted from the input_message_buffer contains an incorrect integrity check for the message.

GSS_S_DUPLICATE_TOKEN

Indicates that the token extracted from the input_message_buffer is valid, and contained a correct MIC for the message, but is a duplicate of a token already processed. This is a fatal error during context establishment.

GSS_S_OLD_TOKEN

Indicates that the token was valid, and contained a correct MIC for the message, but is too old to be checked for duplication.

GSS_S_UNSEQ_TOKEN

Indicates that the token was valid, and contained a correct MIC for the message, but has been verified out of sequence; a later token has already been received.

GSS_S_GAP_TOKEN

Indicates that the token was valid, and contained a correct MIC for the message, but has been verified out of sequence; an earlier expected token has not yet been received.

GSS_S_CONTEXT_EXPIRED

Indicates that context-related data items have expired, so that the requested operation cannot be performed.

GSS_S_NO_CONTEXT

Indicates that no valid context was recognized for the input context_handle provided.
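The following is an added example, not code from the HP manual or the Kerberos kit. It shows a receiver-side check on the result of gss_unwrap: the supplementary codes (duplicate, old, out of sequence, gap) and an integrity-only message (conf_state FALSE) all arrive without an error status, so testing for failure alone accepts them. The status values and the GSS_ERROR mask follow the RFC 2744 C bindings and are defined locally so the block compiles without a GSSAPI header; unwrap_verdict, msg_verdict, require_conf and strict_order are hypothetical names.

```c
#include <stdint.h>

/* Status layout and values from the RFC 2744 C bindings, repeated here so the
   example compiles stand-alone; remove them when including the GSSAPI header. */
typedef uint32_t OM_uint32;
#define GSS_S_COMPLETE         0u
#define GSS_S_BAD_SIG          (6u << 16)   /* routine errors: bits 16-23 */
#define GSS_S_NO_CONTEXT       (8u << 16)
#define GSS_S_DEFECTIVE_TOKEN  (9u << 16)
#define GSS_S_CONTEXT_EXPIRED  (12u << 16)
#define GSS_S_DUPLICATE_TOKEN  (1u << 1)    /* supplementary info: bits 0-15 */
#define GSS_S_OLD_TOKEN        (1u << 2)
#define GSS_S_UNSEQ_TOKEN      (1u << 3)
#define GSS_S_GAP_TOKEN        (1u << 4)
#define GSS_ERROR(x)           ((x) & 0xFFFF0000u)

/* Verdict names are this example's own (hypothetical). */
typedef enum { MSG_ACCEPT, MSG_REJECT_ERROR, MSG_REJECT_REPLAY,
               MSG_REJECT_ORDER, MSG_REJECT_CLEARTEXT } msg_verdict;

/* Decide what to do with the output of gss_unwrap.
   major        - value returned by gss_unwrap
   conf_state   - value gss_unwrap stored through its conf_state argument
   require_conf - nonzero if local policy requires encrypted messages
   strict_order - nonzero if out-of-sequence or missing messages are fatal */
msg_verdict unwrap_verdict(OM_uint32 major, int conf_state,
                           int require_conf, int strict_order)
{
    /* Calling or routine error: the output buffer holds nothing usable. */
    if (GSS_ERROR(major))
        return MSG_REJECT_ERROR;
    /* Supplementary bits come with no error set, so test them explicitly.
       A duplicate or too-old token carries a correct MIC but may be a replay. */
    if (major & (GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN))
        return MSG_REJECT_REPLAY;
    if (strict_order && (major & (GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN)))
        return MSG_REJECT_ORDER;
    /* The call also succeeds for integrity-only messages; enforce encryption. */
    if (require_conf && !conf_state)
        return MSG_REJECT_CLEARTEXT;
    return MSG_ACCEPT;
}

/* Typical use, given an established context and the GSSAPI header:
     major = gss_unwrap(&minor, ctx, &in_buf, &out_buf, &conf, NULL);
     use out_buf only if unwrap_verdict(major, conf, 1, 1) == MSG_ACCEPT;
     gss_release_buffer(&minor, &out_buf);    on every path */
```

Because the verdict depends on conf_state, a receiver that enforces confidentiality must pass a real pointer for that argument rather than NULL.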