1.\" -*- nroff -*- 2.\" 3.\" Copyright (c) 2005 Doug Rabson 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" The following commands are required for all man pages. 28.Dd January 26, 2010 29.Dt GSS_ADD_CRED 3 PRM 30.Os 31.Sh NAME 32.Nm gss_add_cred 33.Nd Construct credentials incrementally 34.\" This next command is for sections 2 and 3 only. 35.\" .Sh LIBRARY 36.Sh SYNOPSIS 37.In "gssapi/gssapi.h" 38.Ft OM_uint32 39.Fo gss_add_cred 40.Fa "OM_uint32 *minor_status" 41.Fa "const gss_cred_id_t input_cred_handle" 42.Fa "const gss_name_t desired_name" 43.Fa "const gss_OID desired_mech" 44.Fa "gss_cred_usage_t cred_usage" 45.Fa "OM_uint32 initiator_time_req" 46.Fa "OM_uint32 acceptor_time_req" 47.Fa "gss_cred_id_t *output_cred_handle" 48.Fa "gss_OID_set *actual_mechs" 49.Fa "OM_uint32 *initiator_time_rec" 50.Fa "OM_uint32 *acceptor_time_rec" 51.Fc 52.Sh DESCRIPTION 53Adds a credential-element to a credential. 54The credential-element is identified by the name of the principal to 55which it refers. 56GSS-API implementations must impose a local access-control policy on 57callers of this routine to prevent unauthorized callers from acquiring 58credential-elements to which they are not entitled. 59This routine is not intended to provide a "login to the network" 60function, 61as such a function would involve the creation of new 62mechanism-specific authentication data, 63rather than merely acquiring a GSS-API handle to existing data. 64Such functions, 65if required, 66should be defined in implementation-specific extensions to the API. 67.Pp 68If 69.Fa desired_name 70is 71.Dv GSS_C_NO_NAME , 72the call is interpreted as a request to add a credential element that 73will invoke default behavior when passed to 74.Fn gss_init_sec_context 75(if cred_usage is 76.Dv GSS_C_INITIATE 77or 78.Dv GSS_C_BOTH ) 79or 80.Fn gss_accept_sec_context 81(if 82.Fa cred_usage 83is 84.Dv GSS_C_ACCEPT 85or 86.Dv GSS_C_BOTH ). 87.Pp 88This routine is expected to be used primarily by context acceptors, 89since implementations are likely to provide mechanism-specific ways of 90obtaining GSS-API initiator credentials from the system login process. 91Some implementations may therefore not support the acquisition of 92.Dv GSS_C_INITIATE 93or 94.Dv GSS_C_BOTH 95credentials via 96.Fn gss_acquire_cred 97for any name other than 98.Dv GSS_C_NO_NAME , 99or a name produced by applying either 100.Fn gss_inquire_cred 101to a valid credential, 102or 103.Fn gss_inquire_context 104to an active context. 105.Pp 106If credential acquisition is time-consuming for a mechanism, 107the mechanism may choose to delay the actual acquisition until the 108credential is required (e.g. by 109.Fn gss_init_sec_context 110or 111.Fn gss_accept_sec_context ). 112Such mechanism-specific implementation decisions should be invisible 113to the calling application; 114thus a call of 115.Fn gss_inquire_cred 116immediately following the call of 117.Fn gss_add_cred 118must return valid credential data, 119and may therefore incur the overhead of a deferred credential acquisition. 120.Pp 121This routine can be used to either compose a new credential containing 122all credential-elements of the original in addition to the 123newly-acquire credential-element, 124or to add the new credential-element to an existing credential. 125If 126.Dv NULL 127is specified for the 128.Fa output_cred_handle 129parameter argument, 130the new credential-element will be added to the credential identified 131by 132.Fa input_cred_handle ; 133if a valid pointer is specified for the 134.Fa output_cred_handle 135parameter, 136a new credential handle will be created. 137.Pp 138If 139.Dv GSS_C_NO_CREDENTIAL 140is specified as the 141.Fa input_cred_handle , 142.Fn gss_add_cred 143will compose a credential (and set the 144.Fa output_cred_handle 145parameter accordingly) based on default behavior. 146That is, the call will have the same effect as if the application had 147first made a call to 148.Fn gss_acquire_cred , 149specifying the same usage and passing 150.Dv GSS_C_NO_NAME 151as the 152.Fa desired_name 153parameter to obtain an explicit credential handle embodying default 154behavior, 155passed this credential handle to 156.Fn gss_add_cred , 157and finally called 158.Fn gss_release_cred 159on the first credential handle. 160.Pp 161If 162.Dv GSS_C_NO_CREDENTIAL 163is specified as the 164.Fa input_cred_handle 165parameter, 166a non- 167.Dv NULL 168.Fa output_cred_handle 169must be supplied. 170.Sh PARAMETERS 171.Bl -tag -width ".It output_cred_handle" 172.It minor_status 173Mechanism specific status code. 174.It input_cred_handle 175The credential to which a credential-element will be added. 176If 177.Dv GSS_C_NO_CREDENTIAL 178is specified, the routine will compose the new credential based on 179default behavior (see description above). 180Note that, while the credential-handle is not modified by 181.Fn gss_add_cred , 182the underlying credential will be modified if 183.Fa output_credential_handle 184is 185.Dv NULL . 186.It desired_name 187Name of principal whose credential should be acquired. 188.It desired_mech 189Underlying security mechanism with which the credential may be used. 190.It cred_usage 191.Bl -tag -width "GSS_C_INITIATE" 192.It GSS_C_BOTH 193Credential may be used either to initiate or accept security 194contexts. 195.It GSS_C_INITIATE 196Credential will only be used to initiate security contexts. 197.It GSS_C_ACCEPT 198Credential will only be used to accept security contexts. 199.El 200.It initiator_time_req 201Number of seconds that the credential should remain valid for 202initiating security contexts. 203This argument is ignored if the composed credentials are of type 204.Dv GSS_C_ACCEPT . 205Specify 206.Dv GSS_C_INDEFINITE 207to request that the credentials have the maximum permitted initiator lifetime. 208.It acceptor_time_req 209Number of seconds that the credential should remain valid for 210accepting security contexts. 211This argument is ignored if the composed credentials are of type 212.Dv GSS_C_INITIATE . 213Specify 214.Dv GSS_C_INDEFINITE 215to request that the credentials have the maximum permitted initiator lifetime. 216.It output_cred_handle 217The returned credential handle, 218containing 219the new credential-element and all the credential-elements from 220.Fa input_cred_handle . 221If a valid pointer to a 222.Fa gss_cred_id_t 223is supplied for this parameter, 224.Fn gss_add_cred 225creates a new credential handle containing all credential-elements 226from the 227.Fa input_cred_handle 228and the newly acquired credential-element; 229if 230.Dv NULL 231is specified for this parameter, 232the newly acquired credential-element will be added to the credential 233identified by 234.Fa input_cred_handle . 235.Pp 236The resources associated with any credential handle returned via this 237parameter must be released by the application after use with a call to 238.Fn gss_release_cred . 239.It actual_mechs 240The complete set of mechanisms for which the new credential is valid. 241Storage for the returned OID-set must be freed by the application 242after use with a call to 243.Fn gss_release_oid_set . 244Specify 245.Dv NULL if not required. 246.It initiator_time_rec 247Actual number of seconds for which the returned credentials will 248remain valid for initiating contexts using the specified mechanism. 249If the implementation or mechanism does not support expiration of 250credentials, 251the value 252.Dv GSS_C_INDEFINITE 253will be returned. 254Specify 255.Dv NULL 256if not required. 257.It acceptor_time_rec 258Actual number of seconds for which the returned credentials will 259remain valid for accepting security contexts using the specified 260mechanism. 261If the implementation or mechanism does not support expiration of 262credentials, 263the value 264.Dv GSS_C_INDEFINITE 265will be returned. 266Specify 267.Dv NULL 268if not required. 269.El 270.Sh RETURN VALUES 271.Bl -tag -width ".It GSS_S_CREDENTIALS_EXPIRED" 272.It GSS_S_COMPLETE 273Successful completion. 274.It GSS_S_BAD_MECH 275Unavailable mechanism requested. 276.It GSS_S_BAD_NAMETYPE 277Type contained within desired_name parameter is not supported 278.It GSS_S_BAD_NAME 279Value supplied for desired_name parameter is ill-formed. 280.It GSS_S_DUPLICATE_ELEMENT 281The credential already contains an element for the requested mechanism 282with overlapping usage and validity period. 283.It GSS_S_CREDENTIALS_EXPIRED 284The required credentials could not be added because they have expired. 285.It GSS_S_NO_CRED 286No credentials were found for the specified name. 287.El 288.Sh SEE ALSO 289.Xr gss_accept_sec_context 3 , 290.Xr gss_acquire_cred 3 , 291.Xr gss_init_sec_context 3 , 292.Xr gss_inquire_context 3 , 293.Xr gss_inquire_cred 3 , 294.Xr gss_release_cred 3 , 295.Xr gss_release_oid_set 3 296.Sh STANDARDS 297.Bl -tag -width ".It RFC 2743" 298.It RFC 2743 299Generic Security Service Application Program Interface Version 2, Update 1 300.It RFC 2744 301Generic Security Service API Version 2 : C-bindings 302.El 303.Sh HISTORY 304The 305.Nm 306function first appeared in 307.Fx 7.0 . 308.Sh AUTHORS 309John Wray, Iris Associates 310.Sh COPYRIGHT 311Copyright (C) The Internet Society (2000). All Rights Reserved. 312.Pp 313This document and translations of it may be copied and furnished to 314others, and derivative works that comment on or otherwise explain it 315or assist in its implementation may be prepared, copied, published 316and distributed, in whole or in part, without restriction of any 317kind, provided that the above copyright notice and this paragraph are 318included on all such copies and derivative works. However, this 319document itself may not be modified in any way, such as by removing 320the copyright notice or references to the Internet Society or other 321Internet organizations, except as needed for the purpose of 322developing Internet standards in which case the procedures for 323copyrights defined in the Internet Standards process must be 324followed, or as required to translate it into languages other than 325English. 326.Pp 327The limited permissions granted above are perpetual and will not be 328revoked by the Internet Society or its successors or assigns. 329.Pp 330This document and the information contained herein is provided on an 331"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 332TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 333BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 334HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 335MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 336