HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 5 GSSAPI (Generic Security Services Application Programming Interface)

gss_wrap — Attach a MIC to a message and encrypt the message

  Table of Contents



C Prototype

OM_uint32 gss_wrap(
OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer );


minor_status (output) 

An implementation-specific status code.

context_handle (input) 

Identifies the context on which the message will be sent.

conf_req_flag (input) 

A Boolean value indicating which services are to be used.

TRUE — Both confidentiality and integrity services are requested.FALSE — Only integrity service is requested.

qop_req (input) 

Specifies the required quality of protection. A mechanism-specific default may be requested by setting qop_req to GSS_C_QOP_DEFAULT. If an unsupported protection strength is requested, gss_wrap will return a status of GSS_S_BAD_QOP.

input_message_buffer (input) 

The message to be protected.

conf_state (output) 

A Boolean value indicating which services have been applied. Specify NULL if not required.

TRUE — Confidentiality, data origin authentication and integrity services have been applied.FALSE — Only integrity and data origin services have been applied.

output_message_buffer (output)

The buffer to receive the protected message. Storage associated with this message must be freed by the application after use with a call to gss_release_buffer.


This routine attaches a cryptographic MIC and optionally encrypts the specified input_message_buffer. The output_message_buffer contains both the MIC and the message. The qop_req argument allows a choice between several cryptographic algorithms.

This routine is functionally equivalent to the gss_seal routine. New code should use gss_wrap instead of gss_seal. Although both routines are supported, gss_seal has been deprecated in the GSSAPI Version 2 specification.

Return Values

This routine returns one of the following GSS status codes:


Indicates that the input_message_buffer was successfully processed and that the output_message_buffer is ready for transmission.
GSS_S_CONTEXT_EXPIREDIndicates that context-related data items have expired, so that the requested operation cannot be performed.


Indicates that the context_handle argument did not identify a valid context.

Indicates that the provided QOP value is not recognized or supported for the context.