GSS-API provides the means for exporting and importing contexts. This ability enables a multiprocess application, usually the context acceptor, to transfer a context from one process to another. For example, an acceptor might have one process that listens for context initiators and another that uses the data that is sent in the context. The Using the test_import_export_context() Function section shows how a context can be saved and restored with these functions.
The function gss_export_sec_context() creates an interprocess token that contains information about the exported context. See Interprocess Tokens in GSS-API for more information. The buffer to receive the token should be set to GSS_C_NO_BUFFER before gss_export_sec_context() is called.
The application then passes the token on to the other process. The new process accepts the token and passes that token to gss_import_sec_context(). The same functions that are used to pass tokens between applications can often be used to pass tokens between processes as well.
Only one instantiation of a security process can exist at a time. gss_export_sec_context() deactivates the exported context and sets the context handle to GSS_C_NO_CONTEXT. gss_export_sec_context() also deallocates any process-wide resources that are associated with that context. If the context exportation cannot be completed, gss_export_sec_context() leaves the existing security context unchanged and does not return an interprocess token.
Not all mechanisms permit contexts to be exported. An application can determine whether a context can be exported by checking the ret_flags argument to gss_accept_sec_context() or gss_init_sec_context(). If the GSS_C_TRANS_FLAG bit is set in ret_flags, then the context can be exported. (See Accepting a Context in GSS-API and Initiating a Context in GSS-API.)
Figure 4–6 shows how a multiprocess acceptor might use context exporting to multitask. In this case, Process 1 receives and processes tokens. This step separates the context-level tokens from the data tokens and passes the tokens on to Process 2. Process 2 deals with data in an application-specific way. In this illustration, the clients have already obtained export tokens from gss_init_sec_context(). The clients pass the tokens to a user-defined function, send_a_token(), which indicates whether the token to be transmitted is a context-level token or a message token. send_a_token() transmits the tokens to the server. Although not shown here, send_a_token() would presumably be used to pass tokens between threads as well.