xref: /freebsd/lib/libgssapi/gss_add_cred.3 (revision ebacd8013fe5f7fdf9f6a5b286f6680dd2891036)
1.\" -*- nroff -*-
2.\"
3.\" Copyright (c) 2005 Doug Rabson
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\"	$FreeBSD$
28.\"
29.\" The following commands are required for all man pages.
30.Dd January 26, 2010
31.Dt GSS_ADD_CRED 3 PRM
32.Os
33.Sh NAME
34.Nm gss_add_cred
35.Nd Construct credentials incrementally
36.\" This next command is for sections 2 and 3 only.
37.\" .Sh LIBRARY
38.Sh SYNOPSIS
39.In "gssapi/gssapi.h"
40.Ft OM_uint32
41.Fo gss_add_cred
42.Fa "OM_uint32 *minor_status"
43.Fa "const gss_cred_id_t input_cred_handle"
44.Fa "const gss_name_t desired_name"
45.Fa "const gss_OID desired_mech"
46.Fa "gss_cred_usage_t cred_usage"
47.Fa "OM_uint32 initiator_time_req"
48.Fa "OM_uint32 acceptor_time_req"
49.Fa "gss_cred_id_t *output_cred_handle"
50.Fa "gss_OID_set *actual_mechs"
51.Fa "OM_uint32 *initiator_time_rec"
52.Fa "OM_uint32 *acceptor_time_rec"
53.Fc
54.Sh DESCRIPTION
55Adds a credential-element to a credential.
56The credential-element is identified by the name of the principal to
57which it refers.
58GSS-API implementations must impose a local access-control policy on
59callers of this routine to prevent unauthorized callers from acquiring
60credential-elements to which they are not entitled.
61This routine is not intended to provide a "login to the network"
62function,
63as such a function would involve the creation of new
64mechanism-specific authentication data,
65rather than merely acquiring a GSS-API handle to existing data.
66Such functions,
67if required,
68should be defined in implementation-specific extensions to the API.
69.Pp
70If
71.Fa desired_name
72is
73.Dv GSS_C_NO_NAME ,
74the call is interpreted as a request to add a credential element that
75will invoke default behavior when passed to
76.Fn gss_init_sec_context
77(if cred_usage is
78.Dv GSS_C_INITIATE
79or
80.Dv GSS_C_BOTH )
81or
82.Fn gss_accept_sec_context
83(if
84.Fa cred_usage
85is
86.Dv GSS_C_ACCEPT
87or
88.Dv GSS_C_BOTH ).
89.Pp
90This routine is expected to be used primarily by context acceptors,
91since implementations are likely to provide mechanism-specific ways of
92obtaining GSS-API initiator credentials from the system login process.
93Some implementations may therefore not support the acquisition of
94.Dv GSS_C_INITIATE
95or
96.Dv GSS_C_BOTH
97credentials via
98.Fn gss_acquire_cred
99for any name other than
100.Dv GSS_C_NO_NAME ,
101or a name produced by applying either
102.Fn gss_inquire_cred
103to a valid credential,
104or
105.Fn gss_inquire_context
106to an active context.
107.Pp
108If credential acquisition is time-consuming for a mechanism,
109the mechanism may choose to delay the actual acquisition until the
110credential is required (e.g. by
111.Fn gss_init_sec_context
112or
113.Fn gss_accept_sec_context ).
114Such mechanism-specific implementation decisions should be invisible
115to the calling application;
116thus a call of
117.Fn gss_inquire_cred
118immediately following the call of
119.Fn gss_add_cred
120must return valid credential data,
121and may therefore incur the overhead of a deferred credential acquisition.
122.Pp
123This routine can be used to either compose a new credential containing
124all credential-elements of the original in addition to the
125newly-acquire credential-element,
126or to add the new credential-element to an existing credential.
127If
128.Dv NULL
129is specified for the
130.Fa output_cred_handle
131parameter argument,
132the new credential-element will be added to the credential identified
133by
134.Fa input_cred_handle ;
135if a valid pointer is specified for the
136.Fa output_cred_handle
137parameter,
138a new credential handle will be created.
139.Pp
140If
141.Dv GSS_C_NO_CREDENTIAL
142is specified as the
143.Fa input_cred_handle ,
144.Fn gss_add_cred
145will compose a credential (and set the
146.Fa output_cred_handle
147parameter accordingly) based on default behavior.
148That is, the call will have the same effect as if the application had
149first made a call to
150.Fn gss_acquire_cred ,
151specifying the same usage and passing
152.Dv GSS_C_NO_NAME
153as the
154.Fa desired_name
155parameter to obtain an explicit credential handle embodying default
156behavior,
157passed this credential handle to
158.Fn gss_add_cred ,
159and finally called
160.Fn gss_release_cred
161on the first credential handle.
162.Pp
163If
164.Dv GSS_C_NO_CREDENTIAL
165is specified as the
166.Fa input_cred_handle
167parameter,
168a non-
169.Dv NULL
170.Fa output_cred_handle
171must be supplied.
172.Sh PARAMETERS
173.Bl -tag -width ".It output_cred_handle"
174.It minor_status
175Mechanism specific status code.
176.It input_cred_handle
177The credential to which a credential-element will be added.
178If
179.Dv GSS_C_NO_CREDENTIAL
180is specified, the routine will compose the new credential based on
181default behavior (see description above).
182Note that, while the credential-handle is not modified by
183.Fn gss_add_cred ,
184the underlying credential will be modified if
185.Fa output_credential_handle
186is
187.Dv NULL .
188.It desired_name
189Name of principal whose credential should be acquired.
190.It desired_mech
191Underlying security mechanism with which the credential may be used.
192.It cred_usage
193.Bl -tag -width "GSS_C_INITIATE"
194.It GSS_C_BOTH
195Credential may be used either to initiate or accept security
196contexts.
197.It GSS_C_INITIATE
198Credential will only be used to initiate security contexts.
199.It GSS_C_ACCEPT
200Credential will only be used to accept security contexts.
201.El
202.It initiator_time_req
203Number of seconds that the credential should remain valid for
204initiating security contexts.
205This argument is ignored if the composed credentials are of type
206.Dv GSS_C_ACCEPT .
207Specify
208.Dv GSS_C_INDEFINITE
209to request that the credentials have the maximum permitted initiator lifetime.
210.It acceptor_time_req
211Number of seconds that the credential should remain valid for
212accepting security contexts.
213This argument is ignored if the composed credentials are of type
214.Dv GSS_C_INITIATE .
215Specify
216.Dv GSS_C_INDEFINITE
217to request that the credentials have the maximum permitted initiator lifetime.
218.It output_cred_handle
219The returned credential handle,
220containing
221the new credential-element and all the credential-elements from
222.Fa input_cred_handle .
223If a valid pointer to a
224.Fa gss_cred_id_t
225is supplied for this parameter,
226.Fn gss_add_cred
227creates a new credential handle containing all credential-elements
228from the
229.Fa input_cred_handle
230and the newly acquired credential-element;
231if
232.Dv NULL
233is specified for this parameter,
234the newly acquired credential-element will be added to the credential
235identified by
236.Fa input_cred_handle .
237.Pp
238The resources associated with any credential handle returned via this
239parameter must be released by the application after use with a call to
240.Fn gss_release_cred .
241.It actual_mechs
242The complete set of mechanisms for which the new credential is valid.
243Storage for the returned OID-set must be freed by the application
244after use with a call to
245.Fn gss_release_oid_set .
246Specify
247.Dv NULL if not required.
248.It initiator_time_rec
249Actual number of seconds for which the returned credentials will
250remain valid for initiating contexts using the specified mechanism.
251If the implementation or mechanism does not support expiration of
252credentials,
253the value
254.Dv GSS_C_INDEFINITE
255will be returned.
256Specify
257.Dv NULL
258if not required.
259.It acceptor_time_rec
260Actual number of seconds for which the returned credentials will
261remain valid for accepting security contexts using the specified
262mechanism.
263If the implementation or mechanism does not support expiration of
264credentials,
265the value
266.Dv GSS_C_INDEFINITE
267will be returned.
268Specify
269.Dv NULL
270if not required.
271.El
272.Sh RETURN VALUES
273.Bl -tag -width ".It GSS_S_CREDENTIALS_EXPIRED"
274.It GSS_S_COMPLETE
275Successful completion.
276.It GSS_S_BAD_MECH
277Unavailable mechanism requested.
278.It GSS_S_BAD_NAMETYPE
279Type contained within desired_name parameter is not supported
280.It GSS_S_BAD_NAME
281Value supplied for desired_name parameter is ill-formed.
282.It GSS_S_DUPLICATE_ELEMENT
283The credential already contains an element for the requested mechanism
284with overlapping usage and validity period.
285.It GSS_S_CREDENTIALS_EXPIRED
286The required credentials could not be added because they have expired.
287.It GSS_S_NO_CRED
288No credentials were found for the specified name.
289.El
290.Sh SEE ALSO
291.Xr gss_accept_sec_context 3 ,
292.Xr gss_acquire_cred 3 ,
293.Xr gss_init_sec_context 3 ,
294.Xr gss_inquire_context 3 ,
295.Xr gss_inquire_cred 3 ,
296.Xr gss_release_cred 3 ,
297.Xr gss_release_oid_set 3
298.Sh STANDARDS
299.Bl -tag -width ".It RFC 2743"
300.It RFC 2743
301Generic Security Service Application Program Interface Version 2, Update 1
302.It RFC 2744
303Generic Security Service API Version 2 : C-bindings
304.El
305.Sh HISTORY
306The
307.Nm
308function first appeared in
309.Fx 7.0 .
310.Sh AUTHORS
311John Wray, Iris Associates
312.Sh COPYRIGHT
313Copyright (C) The Internet Society (2000).  All Rights Reserved.
314.Pp
315This document and translations of it may be copied and furnished to
316others, and derivative works that comment on or otherwise explain it
317or assist in its implementation may be prepared, copied, published
318and distributed, in whole or in part, without restriction of any
319kind, provided that the above copyright notice and this paragraph are
320included on all such copies and derivative works.  However, this
321document itself may not be modified in any way, such as by removing
322the copyright notice or references to the Internet Society or other
323Internet organizations, except as needed for the purpose of
324developing Internet standards in which case the procedures for
325copyrights defined in the Internet Standards process must be
326followed, or as required to translate it into languages other than
327English.
328.Pp
329The limited permissions granted above are perpetual and will not be
330revoked by the Internet Society or its successors or assigns.
331.Pp
332This document and the information contained herein is provided on an
333"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
334TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
335BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
336HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
337MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
338