1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH gss_add_cred 3GSS "30 Jun 2005" "SunOS 5.11" "Generic Security Services API Library Functions"
.SH NAME
gss_add_cred \- add a credential-element to a credential
.SH SYNOPSIS
.LP
.nf
\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ]
#include <gssapi/gssapi.h>
\fBOM_uint32\fR \fBgss_add_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
\fBconst gss_cred_id_t\fR \fIinput_cred_handle\fR,
\fBconst gss_name_t\fR \fIdesired_name\fR,
\fBconst gss_OID\fR \fIdesired_mech\fR,
\fBgss_cred_usage_t\fR \fIcred_usage\fR,
\fBOM_uint32\fR \fIinitiator_time_req\fR,
\fBOM_uint32\fR \fIacceptor_time_req\fR,
\fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR,
\fBgss_OID_set *\fR\fIactual_mechs\fR,
\fBOM_uint32 *\fR\fIinitiator_time_rec\fR,
\fBOM_uint32 *\fR\fIacceptor_time_rec\fR);
.fi
.SH PARAMETERS
.sp
.LP
The parameter descriptions for \fBgss_add_cred()\fR follow:
.sp
.ne 2
.mk
.na
\fB\fIminor_status\fR\fR
.ad
.RS 22n
.rt
Mechanism specific status code.
.RE
.sp
.ne 2
.mk
.na
\fB\fIinput_cred_handle\fR\fR
.ad
.RS 22n
.rt
Credential to which the credential-element is added. If
\fBGSS_C_NO_CREDENTIAL\fR is specified, the function composes the new
credential based on default behavior. While the credential-handle is not
modified by \fBgss_add_cred()\fR, the underlying credential is modified if
\fIoutput_credential_handle\fR is \fBNULL\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fIdesired_name\fR\fR
.ad
.RS 22n
.rt
Name of the principal for which a credential should be acquired.
.RE
.sp
.ne 2
.mk
.na
\fB\fIdesired_mech\fR\fR
.ad
.RS 22n
.rt
Underlying security mechanism with which the credential can be used.
GSS_C_NULL_OID can be used to obtain a default.
.RE
.sp
.ne 2
.mk
.na
\fB\fIcred_usage\fR\fR
.ad
.RS 22n
.rt
Flag that indicates how a credential is used to initiate or accept security
credentials. If the flag is \fBGSS_C_ACCEPT\fR, the credentials are used only
to accept security credentials. If the flag is \fBGSS_C_INITIATE\fR, the
credentials are used only to initiate security credentials. If the flag is
GSS_C_BOTH, the credentials can be used to either initiate or accept security
contexts.
.RE
.sp
.ne 2
.mk
.na
\fB\fIinitiator_time_req\fR\fR
.ad
.RS 22n
.rt
Number of seconds that the credential may remain valid for initiating security
contexts. This argument is ignored if the composed credentials are of the
\fBGSS_C_ACCEPT\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the
credentials have the maximum permitted initiator lifetime.
.RE
.sp
.ne 2
.mk
.na
\fB\fIacceptor_time_req\fR\fR
.ad
.RS 22n
.rt
Number of seconds that the credential may remain valid for accepting security
contexts. This argument is ignored if the composed credentials are of the
\fBGSS_C_INITIATE\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the
credentials have the maximum permitted initiator lifetime.
.RE
.sp
.ne 2
.mk
.na
\fB\fIoutput_cred_handle\fR\fR
.ad
.RS 22n
.rt
Returned credential handle that contains the new credential-element and all the
credential-elements from \fIinput_cred_handle\fR. If a valid pointer to a
\fBgss_cred_id_t\fR is supplied for this parameter, \fBgss_add_cred()\fR
creates a new credential handle that contains all credential-elements from
\fIinput_cred_handle\fR and the newly acquired credential-element. If
\fBNULL\fR is specified for this parameter, the newly acquired
credential-element is added to the credential identified by
\fIinput_cred_handle\fR.
.sp
The resources associated with any credential handle returned by means of this
parameter must be released by the application after use by a call to
\fBgss_release_cred\fR(3GSS).
.RE
.sp
.ne 2
.mk
.na
\fB\fIactual_mechs\fR\fR
.ad
.RS 22n
.rt
Complete set of mechanisms for which the new credential is valid. Storage for
the returned \fBOID\fR-set must be freed by the application after use by a call
to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not
required.
.RE
.sp
.ne 2
.mk
.na
\fB\fIinitiator_time_rec\fR\fR
.ad
.RS 22n
.rt
Actual number of seconds for which the returned credentials remain valid for
initiating contexts using the specified mechanism. If a mechanism does not
support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is
returned. Specify \fBNULL\fR if this parameter is not required.
.RE
.sp
.ne 2
.mk
.na
\fB\fIacceptor_time_rec\fR\fR
.ad
.RS 22n
.rt
Actual number of seconds for which the returned credentials remain valid for
accepting security contexts using the specified mechanism. If a mechanism does
not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is
returned. Specify \fBNULL\fR if this parameter is not required.
.RE
.SH DESCRIPTION
.sp
.LP
The \fBgss_add_cred()\fR function adds a credential-element to a credential.
The credential-element is identified by the name of the principal to which it
refers. This function is not intended as a function to login to the network. A
function for login to the network would involve creating new mechanism-specific
authentication data, rather than acquiring a handle to existing data.
.sp
.LP
If the value of \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is
interpreted as a request to add a credential-element to invoke default behavior
when passed to \fBgss_init_sec_context\fR(3GSS) if the value of
\fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR. The call is also
interpreted as a request to add a credential-element to the invoke default
behavior when passed to \fBgss_accept_sec_context\fR(3GSS) if the value of
\fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR.
.sp
.LP
The \fBgss_add_cred()\fR function is expected to be used primarily by context
acceptors. The \fBGSS-API\fR provides mechanism-specific ways to obtain
\fBGSS-API\fR initiator credentials through the system login process.
Consequently, the \fBGSS-API\fR does not support acquiring \fBGSS_C_INITIATE\fR
or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred\fR(3GSS) for
any name other than the following:
.RS +4
.TP
.ie t \(bu
.el o
\fBGSS_C_NO_NAME\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
Name produced by \fBgss_inquire_cred\fR(3GSS) applied to a valid credential
.RE
.RS +4
.TP
.ie t \(bu
.el o
Name produced by \fBgss_inquire_context\fR(3GSS) applied to an active context
.RE
.sp
.LP
If credential acquisition is time consuming for a mechanism, the mechanism can
choose to delay the actual acquisition until the credential is required by
\fBgss_init_sec_context\fR(3GSS), for example, or by
\fBgss_accept_sec_context\fR(3GSS). Such mechanism-specific implementation
decisions are invisible to the calling application. A call to
\fBgss_inquire_cred\fR(3GSS) immediately following the call
\fBgss_add_cred()\fR returns valid credential data as well as incurring the
overhead of deferred credential acquisition.
.sp
.LP
The \fBgss_add_cred()\fR function can be used either to compose a new
credential that contains all credential-elements of the original in addition to
the newly-acquired credential-element. The function can also be used to add the
new credential-element to an existing credential. If the value of the
\fIoutput_cred_handle\fR parameter is \fBNULL\fR, the new credential-element is
added to the credential identified by \fIinput_cred_handle\fR. If a valid
pointer is specified for the \fIoutput_cred_handle\fR parameter, a new
credential handle is created.
.sp
.LP
If the value of \fIinput_cred_handle\fR is \fBGSS_C_NO_CREDENTIAL\fR, the
\fBgss_add_cred()\fR function composes a credential and sets the
\fIoutput_cred_handle\fR parameter based on the default behavior. The call has
the same effect as a call first made by the application to
\fBgss_acquire_cred\fR(3GSS) to specify the same usage and to pass
\fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR parameter. Such an application
call obtains an explicit credential handle that incorporates the default
behaviors, then passes the credential handle to \fBgss_add_cred()\fR, and
finally calls \fBgss_release_cred\fR(3GSS) on the first credential handle.
.sp
.LP
If the value of the \fIinput_cred_handle\fR parameter is
\fBGSS_C_NO_CREDENTIAL\fR, a non-\fBNULL\fR value must be supplied for the
\fIoutput_cred_handle\fR parameter.
.SH RETURN VALUES
.sp
.LP
The \fBgss_add_cred()\fR function can return the following status codes:
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_COMPLETE\fR\fR
.ad
.RS 29n
.rt
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_BAD_MECH\fR\fR
.ad
.RS 29n
.rt
An unavailable mechanism has been requested.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
.ad
.RS 29n
.rt
The type contained within the \fIdesired_name\fR parameter is not supported.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_BAD_NAME\fR\fR
.ad
.RS 29n
.rt
The value supplied for \fIdesired_name\fR parameter is ill formed.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR
.ad
.RS 29n
.rt
The credential already contains an element for the requested mechanism that has
overlapping usage and validity period.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
.ad
.RS 29n
.rt
The credentials could not be added because they have expired.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_NO_CRED\fR\fR
.ad
.RS 29n
.rt
No credentials were found for the specified name.
.RE
.sp
.ne 2
.mk
.na
\fB\fBGSS_S_FAILURE\fR\fR
.ad
.RS 29n
.rt
The underlying mechanism detected an error for which no specific \fBGSS\fR
status code is defined. The mechanism-specific status code reported by means of
the \fIminor_status\fR parameter details the error condition.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(�) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE�ATTRIBUTE VALUE
_
MT-Level�Safe
.TE
.SH SEE ALSO
.sp
.LP
\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS),
\fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS),
\fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS),
\fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5)
.sp
.LP
\fISolaris Security for Developers Guide\fR
|
