'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH GSS_ADD_CRED 3GSS "Jun 30, 2005"
.SH NAME
gss_add_cred \- add a credential-element to a credential
.SH SYNOPSIS
.LP
.nf
\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ]
#include <gssapi/gssapi.h>

\fBOM_uint32\fR \fBgss_add_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
     \fBconst gss_cred_id_t\fR \fIinput_cred_handle\fR,
     \fBconst gss_name_t\fR \fIdesired_name\fR,
     \fBconst gss_OID\fR \fIdesired_mech\fR,
     \fBgss_cred_usage_t\fR \fIcred_usage\fR,
     \fBOM_uint32\fR \fIinitiator_time_req\fR,
     \fBOM_uint32\fR \fIacceptor_time_req\fR,
     \fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR,
     \fBgss_OID_set *\fR\fIactual_mechs\fR,
     \fBOM_uint32 *\fR\fIinitiator_time_rec\fR,
     \fBOM_uint32 *\fR\fIacceptor_time_rec\fR);
.fi

.SH PARAMETERS
.sp
.LP
The parameter descriptions for \fBgss_add_cred()\fR follow:
.sp
.ne 2
.na
\fB\fIminor_status\fR\fR
.ad
.RS 22n
Mechanism specific status code.
.RE

.sp
.ne 2
.na
\fB\fIinput_cred_handle\fR\fR
.ad
.RS 22n
Credential to which the credential-element is added. If
\fBGSS_C_NO_CREDENTIAL\fR is specified, the function composes the new
credential based on default behavior. While the credential-handle is not
modified by \fBgss_add_cred()\fR, the underlying credential is modified if
\fIoutput_credential_handle\fR is \fBNULL\fR.
.RE

.sp
.ne 2
.na
\fB\fIdesired_name\fR\fR
.ad
.RS 22n
Name of the principal for which a credential should be acquired.
.RE

.sp
.ne 2
.na
\fB\fIdesired_mech\fR\fR
.ad
.RS 22n
Underlying security mechanism with which the credential can be used.
GSS_C_NULL_OID can be used to obtain a default.
.RE

.sp
.ne 2
.na
\fB\fIcred_usage\fR\fR
.ad
.RS 22n
Flag that indicates how a credential is used to initiate or accept security
credentials. If the flag is \fBGSS_C_ACCEPT\fR, the credentials are used only
to accept security credentials. If the flag is \fBGSS_C_INITIATE\fR, the
credentials are used only to initiate security credentials. If the flag is
GSS_C_BOTH, the credentials can be used to either initiate or accept security
contexts.
.RE

.sp
.ne 2
.na
\fB\fIinitiator_time_req\fR\fR
.ad
.RS 22n
Number of seconds that the credential may remain valid for initiating security
contexts. This argument is ignored if the composed credentials are of the
\fBGSS_C_ACCEPT\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the
credentials have the maximum permitted initiator lifetime.
.RE

.sp
.ne 2
.na
\fB\fIacceptor_time_req\fR\fR
.ad
.RS 22n
Number of seconds that the credential may remain valid for accepting security
contexts. This argument is ignored if the composed credentials are of the
\fBGSS_C_INITIATE\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the
credentials have the maximum permitted initiator lifetime.
.RE

.sp
.ne 2
.na
\fB\fIoutput_cred_handle\fR\fR
.ad
.RS 22n
Returned credential handle that contains the new credential-element and all the
credential-elements from \fIinput_cred_handle\fR. If a valid pointer to a
\fBgss_cred_id_t\fR is supplied for this parameter, \fBgss_add_cred()\fR
creates a new credential handle that contains all credential-elements from
\fIinput_cred_handle\fR and the newly acquired credential-element. If
\fBNULL\fR is specified for this parameter, the newly acquired
credential-element is added to the credential identified by
\fIinput_cred_handle\fR.
.sp
The resources associated with any credential handle returned by means of this
parameter must be released by the application after use by a call to
\fBgss_release_cred\fR(3GSS).
.RE

.sp
.ne 2
.na
\fB\fIactual_mechs\fR\fR
.ad
.RS 22n
Complete set of mechanisms for which the new credential is valid. Storage for
the returned \fBOID\fR-set must be freed by the application after use by a call
to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not
required.
.RE

.sp
.ne 2
.na
\fB\fIinitiator_time_rec\fR\fR
.ad
.RS 22n
Actual number of seconds for which the returned credentials remain valid for
initiating contexts using the specified mechanism. If a mechanism does not
support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is
returned. Specify \fBNULL\fR if this parameter is not required.
.RE

.sp
.ne 2
.na
\fB\fIacceptor_time_rec\fR\fR
.ad
.RS 22n
Actual number of seconds for which the returned credentials remain valid for
accepting security contexts using the specified mechanism. If a mechanism does
not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is
returned. Specify \fBNULL\fR if this parameter is not required.
.RE

.SH DESCRIPTION
.sp
.LP
The \fBgss_add_cred()\fR function adds a credential-element to a credential.
The credential-element is identified by the name of the principal to which it
refers. This function is not intended as a function to login to the network. A
function for login to the network would involve creating new mechanism-specific
authentication data, rather than acquiring a handle to existing data.
.sp
.LP
If the value of \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is
interpreted as a request to add a credential-element to invoke default behavior
when passed to \fBgss_init_sec_context\fR(3GSS) if the value of
\fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR. The call is also
interpreted as a request to add a credential-element to the invoke default
behavior when passed to \fBgss_accept_sec_context\fR(3GSS) if the value of
\fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR.
.sp
.LP
The \fBgss_add_cred()\fR function is expected to be used primarily by context
acceptors. The \fBGSS-API\fR provides mechanism-specific ways to obtain
\fBGSS-API\fR initiator credentials through the system login process.
Consequently, the \fBGSS-API\fR does not support acquiring \fBGSS_C_INITIATE\fR
or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred\fR(3GSS) for
any name other than the following:
.RS +4
.TP
.ie t \(bu
.el o
\fBGSS_C_NO_NAME\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
Name produced by \fBgss_inquire_cred\fR(3GSS) applied to a valid credential
.RE
.RS +4
.TP
.ie t \(bu
.el o
Name produced by \fBgss_inquire_context\fR(3GSS) applied to an active context
.RE
.sp
.LP
If credential acquisition is time consuming for a mechanism, the mechanism can
choose to delay the actual acquisition until the credential is required by
\fBgss_init_sec_context\fR(3GSS), for example, or by
\fBgss_accept_sec_context\fR(3GSS). Such mechanism-specific implementation
decisions are invisible to the calling application. A call to
\fBgss_inquire_cred\fR(3GSS) immediately following the call
\fBgss_add_cred()\fR returns valid credential data as well as incurring the
overhead of deferred credential acquisition.
.sp
.LP
The \fBgss_add_cred()\fR function can be used either to compose a new
credential that contains all credential-elements of the original in addition to
the newly-acquired credential-element. The function can also be used to add the
new credential-element to an existing credential. If the value of the
\fIoutput_cred_handle\fR parameter is \fBNULL\fR, the new credential-element is
added to the credential identified by \fIinput_cred_handle\fR. If a valid
pointer is specified for the \fIoutput_cred_handle\fR parameter, a new
credential handle is created.
.sp
.LP
If the value of \fIinput_cred_handle\fR is \fBGSS_C_NO_CREDENTIAL\fR, the
\fBgss_add_cred()\fR function composes a credential and sets the
\fIoutput_cred_handle\fR parameter based on the default behavior. The call has
the same effect as a call first made by the application to
\fBgss_acquire_cred\fR(3GSS) to specify the same usage and to pass
\fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR parameter. Such an application
call obtains an explicit credential handle that incorporates the default
behaviors, then passes the credential handle to \fBgss_add_cred()\fR, and
finally calls \fBgss_release_cred\fR(3GSS) on the first credential handle.
.sp
.LP
If the value of the \fIinput_cred_handle\fR parameter is
\fBGSS_C_NO_CREDENTIAL\fR, a non-\fBNULL\fR value must be supplied for the
\fIoutput_cred_handle\fR parameter.
.SH RETURN VALUES
.sp
.LP
The \fBgss_add_cred()\fR function can return the following status codes:
.sp
.ne 2
.na
\fB\fBGSS_S_COMPLETE\fR\fR
.ad
.RS 29n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_BAD_MECH\fR\fR
.ad
.RS 29n
An unavailable mechanism has been requested.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
.ad
.RS 29n
The type contained within the \fIdesired_name\fR parameter is not supported.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_BAD_NAME\fR\fR
.ad
.RS 29n
The value supplied for \fIdesired_name\fR parameter is ill formed.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR
.ad
.RS 29n
The credential already contains an element for the requested mechanism that has
overlapping usage and validity period.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
.ad
.RS 29n
The credentials could not be added because they have expired.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_NO_CRED\fR\fR
.ad
.RS 29n
No credentials were found for the specified name.
.RE

.sp
.ne 2
.na
\fB\fBGSS_S_FAILURE\fR\fR
.ad
.RS 29n
The underlying mechanism detected an error for which no specific \fBGSS\fR
status code is defined. The mechanism-specific status code reported by means of
the \fIminor_status\fR parameter details the error condition.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
MT-Level	Safe
.TE

.SH SEE ALSO
.sp
.LP
\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS),
\fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS),
\fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS),
\fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5)
.sp
.LP
\fISolaris Security for Developers Guide\fR