Thegss-client program can now test the validity of the message that was sent. The server returns the MIC for the message that was sent. The message can be retrieved with therecv_token().
Thegss_verify_mic() function is then used to verifythe message'ssignature, that is, the MIC.gss_verify_mic() compares the MIC that was received with the original, unwrappedmessage. The received MIC comes from the server's token, which is stored inout_buf. The MIC from the unwrapped version of the message isheld inin_buf. If the two MICs match, the messageis verified. The client then releases the buffer for the received token,out_buf.
The process of reading and verifying a signature block is demonstratedin the following source code.
Example 18 GSSAPI Client Reading and Verifying Signature Block/* Read signature block into out_buf */ if (recv_token(s, &out_buf) < 0) { (void) close(s); (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); return -1; }/* Verify signature block */ maj_stat = gss_(&min_stat, context, &in_buf, &out_buf, &qop_state); if (maj_stat != GSS_S_COMPLETE) { display_status("verifying signature", maj_stat, min_stat); (void) close(s); (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); return -1; } (void) gss_release_buffer(&min_stat, &out_buf); if (use_file) free(in_buf.value); printf("Signature verified.\n");