Channel Bindings

You can define and use channel bindings to associate the security context with the communications channel that carries the context. Channel bindings are communicated to the GSSAPI by using the following structure:

    typedef struct gss_channel_binding_struct {
        OM_uint32       initiator_addrtype;   /* address family of the initiator */
        gss_buffer_desc initiator_address;    /* initiator address, network byte order */
        OM_uint32       acceptor_addrtype;    /* address family of the acceptor */
        gss_buffer_desc acceptor_address;     /* acceptor address, network byte order */
        gss_buffer_desc application_data;     /* application-supplied, non-confidential data */
    } *gss_channel_bindings_t;

Use the initiator_addrtype and acceptor_addrtype fields to indicate the type of the addresses contained in the initiator_address and acceptor_address buffers. The following table lists the address types and their addrtype values:

    Address Type                          addrtype Value
    ------------------------------------  ------------------
    Unspecified                           GSS_C_AF_UNSPEC
    Host-local                            GSS_C_AF_LOCAL
    DARPA Internet                        GSS_C_AF_INET
    ARPAnet IMP                           GSS_C_AF_IMPLINK
    pup protocols (for example, BSP)      GSS_C_AF_PUP
    MIT CHAOS protocol                    GSS_C_AF_CHAOS
    XEROX NS                              GSS_C_AF_NS
    nbs                                   GSS_C_AF_NBS
    ECMA                                  GSS_C_AF_ECMA
    datakit protocols                     GSS_C_AF_DATAKIT
    CCITT protocols (for example, X.25)   GSS_C_AF_CCITT
    IBM SNA                               GSS_C_AF_SNA
    Digital DECnet                        GSS_C_AF_DECnet
    Direct data link interface            GSS_C_AF_DLI
    LAT                                   GSS_C_AF_LAT
    NSC Hyperchannel                      GSS_C_AF_HYLINK
    AppleTalk                             GSS_C_AF_APPLETALK
    BISYNC 2780/3780                      GSS_C_AF_BSC
    Distributed system services           GSS_C_AF_DSS
    OSI TP4                               GSS_C_AF_OSI
    X25                                   GSS_C_AF_X25
    No address specified                  GSS_C_AF_NULLADDR

The tags specify address families rather than addressing formats. For address families that contain several alternative address forms, the initiator_address and the acceptor_address fields should contain sufficient information to determine which address form is used. Format the bytes that contain the addresses in the order in which the bytes are transmitted across the network.

The GSSAPI creates an octet string by concatenating all the fields (initiator_addrtype, initiator_address, acceptor_addrtype, acceptor_address, and application_data). The security mechanism signs the octet string and binds the signature to the token generated by the gss_init_sec_context( ) routine. The context acceptor presents the same bindings to the gss_accept_sec_context( ) routine, which evaluates the signature and compares it to the signature in the token. If the signatures differ, the gss_accept_sec_context( ) routine returns a GSS_S_BAD_BINDINGS error, and the context is not established.

Some security mechanisms check that the initiator_address field of the channel bindings presented to the gss_init_sec_context( ) routine contains the correct network address of the host system. Therefore, portable applications should set the initiator_addrtype field either to the correct address type (with the matching address value) or to GSS_C_AF_NULLADDR. Some security mechanisms include the channel binding data itself in the token instead of a signature, so portable applications should not use confidential data as channel-binding components. The DCE GSSAPI does not verify the address or include the plain text bindings information in the token.
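The following is an added example, not code from the DCE GSSAPI, that builds the octet string described above from a channel-bindings structure and checks whether the initiator's and acceptor's bindings would compare equal (the mismatch case is what gss_accept_sec_context( ) reports as GSS_S_BAD_BINDINGS). The types are local stand-ins for the ones gssapi.h declares, the GSS_C_AF_INET and GSS_C_AF_NULLADDR values are the ones RFC 2744 assigns, and the 4-octet network-order type and length prefixes follow the framing RFC 2744 specifies; the page itself only says the fields are concatenated.

```c
#include <stdint.h>
#include <string.h>

/* Local stand-ins for the types <gssapi/gssapi.h> declares (assumption). */
typedef uint32_t OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct gss_channel_binding_struct {
    OM_uint32       initiator_addrtype;
    gss_buffer_desc initiator_address;
    OM_uint32       acceptor_addrtype;
    gss_buffer_desc acceptor_address;
    gss_buffer_desc application_data;
} *gss_channel_bindings_t;
#define GSS_C_AF_INET     2    /* values as assigned in RFC 2744 */
#define GSS_C_AF_NULLADDR 255

static size_t put_u32(unsigned char *out, OM_uint32 v) {   /* network byte order */
    out[0] = (unsigned char)(v >> 24); out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);  out[3] = (unsigned char)v;
    return 4;
}
static size_t put_buf(unsigned char *out, const gss_buffer_desc *b) {
    size_t n = put_u32(out, (OM_uint32)b->length);           /* 4-octet length prefix */
    if (b->length) memcpy(out + n, b->value, b->length);     /* bytes as sent on the wire */
    return n + b->length;
}
/* Octet string the mechanism signs: initiator_addrtype || initiator_address ||
 * acceptor_addrtype || acceptor_address || application_data (RFC 2744 framing;
 * the page only says the fields are concatenated). Returns 0 if out is too small. */
size_t encode_bindings(const gss_channel_bindings_t cb, unsigned char *out, size_t cap) {
    size_t n = 0, need = 20 + cb->initiator_address.length
                          + cb->acceptor_address.length + cb->application_data.length;
    if (need > cap) return 0;
    n += put_u32(out + n, cb->initiator_addrtype);
    n += put_buf(out + n, &cb->initiator_address);
    n += put_u32(out + n, cb->acceptor_addrtype);
    n += put_buf(out + n, &cb->acceptor_address);
    n += put_buf(out + n, &cb->application_data);
    return n;
}
/* 1 when the bindings the acceptor presents encode identically to the initiator's;
 * 0 is the case gss_accept_sec_context() reports as GSS_S_BAD_BINDINGS. */
int bindings_match(const gss_channel_bindings_t init, const gss_channel_bindings_t acc) {
    unsigned char a[512], b[512];
    size_t na = encode_bindings(init, a, sizeof a), nb = encode_bindings(acc, b, sizeof b);
    return na != 0 && na == nb && memcmp(a, b, na) == 0;
}
```

A real mechanism signs the encoded string rather than comparing it in the clear, but the equality check is exactly what the signature comparison in gss_accept_sec_context( ) decides.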