xref: /freebsd/lib/libgssapi/gss_acquire_cred.3 (revision 02e9120893770924227138ba49df1edb3896112a)
1.\" -*- nroff -*-
2.\"
3.\" Copyright (c) 2005 Doug Rabson
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" The following commands are required for all man pages.
28.Dd January 26, 2010
29.Dt GSS_ACQUIRE_CRED 3 PRM
30.Os
31.Sh NAME
32.Nm gss_acquire_cred
33.Nd Obtain a GSS-API credential handle for pre-existing credentials
34.\" This next command is for sections 2 and 3 only.
35.\" .Sh LIBRARY
36.Sh SYNOPSIS
37.In "gssapi/gssapi.h"
38.Ft OM_uint32
39.Fo gss_acquire_cred
40.Fa "OM_uint32 *minor_status"
41.Fa "const gss_name_t desired_name"
42.Fa "OM_uint32 time_req"
43.Fa "const gss_OID_set desired_mechs"
44.Fa "gss_cred_usage_t cred_usage"
45.Fa "gss_cred_id_t *output_cred_handle"
46.Fa "gss_OID_set *actual_mechs"
47.Fa "OM_uint32 *time_rec"
48.Fc
49.Sh DESCRIPTION
50Allows an application to acquire a handle for a pre-existing
51credential by name.
52GSS-API implementations must impose a local
53access-control policy on callers of this routine to prevent
54unauthorized callers from acquiring credentials to which they are not
55entitled.
56This routine is not intended to provide a "login to the
57network" function, as such a function would involve the creation of
58new credentials rather than merely acquiring a handle to existing
59credentials.
60Such functions, if required, should be defined in
61implementation-specific extensions to the API.
62.Pp
63If desired_name is
64.Dv GSS_C_NO_NAME ,
65the call is interpreted as a
66request for a credential handle that will invoke default behavior
67when passed to
68.Fn gss_init_sec_context
69(if cred_usage is
70.Dv GSS_C_INITIATE
71or
72.Dv GSS_C_BOTH )
73or
74.Fn gss_accept_sec_context
75(if cred_usage is
76.Dv GSS_C_ACCEPT
77or
78.Dv GSS_C_BOTH ).
79.Pp
80Mechanisms should honor the
81.Fa desired_mechs
82parameter,
83and return a credential that is suitable to use only with the
84requested mechanisms.
85An exception to this is the case where one underlying credential
86element can be shared by multiple mechanisms;
87in this case it is permissible for an implementation to indicate all
88mechanisms with which the credential element may be used.
89If
90.Fa desired_mechs
91is an empty set, behavior is undefined.
92.Pp
93This routine is expected to be used primarily by context acceptors,
94since implementations are likely to provide mechanism-specific ways
95of obtaining GSS-API initiator credentials from the system login
96process.
97Some implementations may therefore not support the acquisition of
98.Dv GSS_C_INITIATE
99or
100.Dv GSS_C_BOTH
101credentials via
102.Fn gss_acquire_cred
103for any name other than
104.Dv GSS_C_NO_NAME ,
105or a name produced by applying either
106.Fn gss_inquire_cred
107to a valid credential, or
108.Fn gss_inquire_context
109to an active context.
110.Pp
111If credential acquisition is time-consuming for a mechanism,
112the mechanism may choose to delay the actual acquisition until the
113credential is required
114(e.g. by
115.Fn gss_init_sec_context
116or
117.Fn gss_accept_sec_context ).
118Such mechanism-specific implementation
119decisions should be invisible to the calling application;
120thus a call of
121.Fn gss_inquire_cred
122immediately following the call of
123.Fn gss_acquire_cred
124must return valid credential data,
125and may therefore incur the overhead of a deferred credential acquisition.
126.Sh PARAMETERS
127.Bl -tag -width ".It output_cred_handle"
128.It desired_name
129Name of principal whose credential should be acquired.
130.It time_req
131Number of seconds that credentials should remain valid.
132Specify
133.Dv GSS_C_INDEFINITE
134to request that the credentials have the maximum
135permitted lifetime.
136.It desired_mechs
137Set of underlying security mechanisms that may be used.
138.Dv GSS_C_NO_OID_SET
139may be used to obtain an implementation-specific default.
140.It cred_usage
141.Bl -tag -width "GSS_C_INITIATE"
142.It GSS_C_BOTH
143Credentials may be used either to initiate or accept security
144contexts.
145.It GSS_C_INITIATE
146Credentials will only be used to initiate security contexts.
147.It GSS_C_ACCEPT
148Credentials will only be used to accept security contexts.
149.El
150.It output_cred_handle
151The returned credential handle.
152Resources
153associated with this credential handle must be released by
154the application after use with a call to
155.Fn gss_release_cred .
156.It actual_mechs
157The set of mechanisms for which the credential is valid.
158Storage associated with the returned OID-set must be released by the
159application after use with a call to
160.Fn gss_release_oid_set .
161Specify
162.Dv NULL if not required.
163.It time_rec
164Actual number of seconds for which the returned credentials will
165remain valid.
166If the implementation does not support expiration of credentials,
167the value
168.Dv GSS_C_INDEFINITE
169will be returned.
170Specify NULL if not required.
171.It minor_status
172Mechanism specific status code.
173.El
174.Sh RETURN VALUES
175.Bl -tag -width ".It GSS_S_CREDENTIALS_EXPIRED"
176.It GSS_S_COMPLETE
177Successful completion.
178.It GSS_S_BAD_MECH
179Unavailable mechanism requested.
180.It GSS_S_BAD_NAMETYPE
181Type contained within desired_name parameter is not supported.
182.It GSS_S_BAD_NAME
183Value supplied for desired_name parameter is ill formed.
184.It GSS_S_CREDENTIALS_EXPIRED
185The credentials could not be acquired because they have expired.
186.It GSS_S_NO_CRED
187No credentials were found for the specified name.
188.El
189.Sh SEE ALSO
190.Xr gss_accept_sec_context 3 ,
191.Xr gss_init_sec_context 3 ,
192.Xr gss_inquire_context 3 ,
193.Xr gss_inquire_cred 3 ,
194.Xr gss_release_cred 3 ,
195.Xr gss_release_oid_set 3
196.Sh STANDARDS
197.Bl -tag -width ".It RFC 2743"
198.It RFC 2743
199Generic Security Service Application Program Interface Version 2, Update 1
200.It RFC 2744
201Generic Security Service API Version 2 : C-bindings
202.El
203.Sh HISTORY
204The
205.Nm
206function first appeared in
207.Fx 7.0 .
208.Sh AUTHORS
209John Wray, Iris Associates
210.Sh COPYRIGHT
211Copyright (C) The Internet Society (2000).  All Rights Reserved.
212.Pp
213This document and translations of it may be copied and furnished to
214others, and derivative works that comment on or otherwise explain it
215or assist in its implementation may be prepared, copied, published
216and distributed, in whole or in part, without restriction of any
217kind, provided that the above copyright notice and this paragraph are
218included on all such copies and derivative works.  However, this
219document itself may not be modified in any way, such as by removing
220the copyright notice or references to the Internet Society or other
221Internet organizations, except as needed for the purpose of
222developing Internet standards in which case the procedures for
223copyrights defined in the Internet Standards process must be
224followed, or as required to translate it into languages other than
225English.
226.Pp
227The limited permissions granted above are perpetual and will not be
228revoked by the Internet Society or its successors or assigns.
229.Pp
230This document and the information contained herein is provided on an
231"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
232TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
233BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
234HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
235MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
236