Developer's Guide to Oracle Solaris Security

Reading and Verifying a Signature Block From a GSS-API Client

The gss-client program can now test the validity of the message that was sent. The server returns the MIC for the message that was sent. The message can be retrieved with the recv_token().

The gss_verify_mic() function is then used to verify the message's signature, that is, the MIC. gss_verify_mic() compares the MIC that was received with the original, unwrapped message. The received MIC comes from the server's token, which is stored in out_buf. The MIC from the unwrapped version of the message is held in in_buf. If the two MICs match, the message is verified. The client then releases the buffer for the received token, out_buf.

The process of reading and verifying a signature block is demonstrated in the following source code.

Note –

The source code for this example is also available through the Sun download center. See

Example 5–7 gss-client Example – Read and Verify Signature Block

/* Read signature block into out_buf */
     if (recv_token(s, &out_buf) < 0) {
          (void) close(s);
          (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
          return -1;

/* Verify signature block */
     maj_stat = gss_(&min_stat, context, &in_buf,
                               &out_buf, &qop_state);
     if (maj_stat != GSS_S_COMPLETE) {
          display_status("verifying signature", maj_stat, min_stat);
          (void) close(s);
          (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
          return -1;
     (void) gss_release_buffer(&min_stat, &out_buf);

     if (use_file)

     printf("Signature verified.\n");