3.2.4.2 Application Request to Send Data

When the Stream State is set to Authenticated, the application can at any time request that the protocol transfer an application-specific data message to the client. If the application requests that data be transferred while not in the Authenticated state, an error MUST be returned. If the Negotiated Protection Level is None, the application data MUST be transferred directly over the Underlying TCP Connection. Otherwise, the application data MUST be passed as the input_message parameter to the GSS_Wrap function ([RFC2743] section 2.3.3) along with the Security Provider Context as the context_handle parameter. The conf_req_flag MUST be set if and only if the Negotiated Protection Level is EncryptAndSign, and the qop_req parameter MUST be set to 0. If the function returns a major_status of GSS_S_COMPLETE, the output_message MUST be wrapped in a Data message (as specified in section 2.2) and transmitted to the client via the Underlying TCP Connection. If any other major_status is returned, the server application MUST be notified of the failure without writing anything to the Underlying TCP Connection.
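The send rules above, modelled as an added example (not code from the specification or from any NegotiateStream implementation). The `ServerStream` class, the `gss_wrap` and `frame_data_message` callables and the `SendError` type are hypothetical names; the Data message layout from section 2.2 is not reproduced here and is supplied by the caller.

```python
from enum import Enum

GSS_S_COMPLETE = 0  # RFC 2743 major_status for success


class Protection(Enum):
    NONE = "None"
    SIGN = "Sign"  # integrity only: wrapped, but conf_req_flag stays clear
    ENCRYPT_AND_SIGN = "EncryptAndSign"


class SendError(Exception):
    """Failure reported to the server application (hypothetical type)."""


class ServerStream:
    """Hypothetical model of the server-side send path in this section."""

    def __init__(self, transport, gss_wrap, frame_data_message, context,
                 protection, state="Authenticated"):
        self.transport = transport        # Underlying TCP Connection: has write(bytes)
        self.gss_wrap = gss_wrap          # (context_handle, conf_req_flag, qop_req,
                                          #  input_message) -> (major_status, output_message)
        self.frame = frame_data_message   # builds the section 2.2 Data message
        self.context = context            # Security Provider Context
        self.protection = protection      # Negotiated Protection Level
        self.state = state                # Stream State

    def send(self, data: bytes) -> None:
        # Sending outside the Authenticated state is an error.
        if self.state != "Authenticated":
            raise SendError("stream is not in the Authenticated state")
        # Protection level None: bytes go straight to the connection, unframed.
        if self.protection is Protection.NONE:
            self.transport.write(data)
            return
        # conf_req_flag is set if and only if the level is EncryptAndSign; qop_req is 0.
        conf_req_flag = self.protection is Protection.ENCRYPT_AND_SIGN
        major_status, output_message = self.gss_wrap(
            self.context, conf_req_flag, 0, data)
        # Any status other than GSS_S_COMPLETE: notify the application and
        # write nothing, so no partial or unprotected bytes reach the client.
        if major_status != GSS_S_COMPLETE:
            raise SendError(f"GSS_Wrap failed, major_status={major_status:#x}")
        self.transport.write(self.frame(output_message))
```
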