Difference between revisions of "Projects/GS2"

From K5Wiki
Latest revision as of 13:24, 12 October 2010

This project was completed in release 1.9.


Background

Some additional features in the GSS mechanism glue are useful for implementors of SASL GS2.

  • RFC 5801: GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname
  • RFC 5587: gss_inquire_attrs_for_mech &c

These allow a SASL library to dynamically bridge GSS mechanisms without mechanism-specific knowledge.

Architecture

The functionality of the aforementioned APIs is as follows:

  • a bidirectional mapping between GSS OIDs and SASL mechanism names. (In the case of no mapping, the mechanism glue synthesises a SASL name using a base-32 encoded SHA-1 of the OID.)
  • a means to determine which features, denoted by OIDs, are supported by mechanisms

For example, a GS2 implementation that wished to ignore negotiation mechanisms whilst selecting mechanisms that support mutual authentication might do:

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>   /* MIT header declaring the RFC 5587 calls */
#include <sasl/sasl.h>           /* SASL_OK / SASL_FAIL */

/* The plugin's set of usable mechanisms, filled in by the call below. */
static gss_OID_set gs2_mechs = GSS_C_NO_OID_SET;

static int gs2_indicate_mechs(void)
{
    OM_uint32 major, minor;
    gss_OID_desc desired_oids[2];
    gss_OID_set_desc desired_attrs;
    gss_OID_desc except_oids[3];
    gss_OID_set_desc except_attrs;

    /* Require both initiator and target authentication, i.e. mutual auth. */
    desired_oids[0] = *GSS_C_MA_AUTH_INIT;
    desired_oids[1] = *GSS_C_MA_AUTH_TARG;
    desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]);
    desired_attrs.elements = desired_oids;

    /* Exclude negotiation pseudo-mechanisms, OIDs that are not mechanisms,
       and deprecated mechanisms. */
    except_oids[0] = *GSS_C_MA_MECH_NEGO;
    except_oids[1] = *GSS_C_MA_NOT_MECH;
    except_oids[2] = *GSS_C_MA_DEPRECATED;

    except_attrs.count = sizeof(except_oids)/sizeof(except_oids[0]);
    except_attrs.elements = except_oids;

    /* No critical attributes, hence GSS_C_NO_OID_SET for the third set. */
    major = gss_indicate_mechs_by_attrs(&minor,
                                        &desired_attrs,
                                        &except_attrs,
                                        GSS_C_NO_OID_SET,
                                        &gs2_mechs);
    if (GSS_ERROR(major)) {
        return SASL_FAIL;
    }

    return SASL_OK;
}

Implementation

The implementations of the RFC 5801 and RFC 5587 functions live in src/lib/gssapi/mechglue/g_saslname.c and src/lib/gssapi/mechglue/g_mechattr.c, respectively.

OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
    OM_uint32     *minor_status,
    const gss_OID  desired_mech,
    gss_buffer_t   sasl_mech_name,
    gss_buffer_t   mech_name,
    gss_buffer_t   mech_description);

OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname(
    OM_uint32           *minor_status,
    const gss_buffer_t   sasl_mech_name,
    gss_OID             *mech_type);

OM_uint32 KRB5_CALLCONV
gss_indicate_mechs_by_attrs(
    OM_uint32 *,        /* minor_status */
    gss_const_OID_set,  /* desired_mech_attrs */
    gss_const_OID_set,  /* except_mech_attrs */
    gss_const_OID_set,  /* critical_mech_attrs */
    gss_OID_set *);     /* mechs */

OM_uint32 KRB5_CALLCONV
gss_inquire_attrs_for_mech(
    OM_uint32 *,        /* minor_status */
    gss_const_OID,      /* mech */
    gss_OID_set *,      /* mech_attrs */
    gss_OID_set *);     /* known_mech_attrs */

OM_uint32 KRB5_CALLCONV
gss_display_mech_attr(
    OM_uint32 *,        /* minor_status */
    gss_const_OID,      /* mech_attr */
    gss_buffer_t,       /* name */
    gss_buffer_t,       /* short_desc */
    gss_buffer_t);      /* long_desc */

If a mechanism does not provide the gss_inquire_saslname_for_mech entry point, or returns GSS_S_BAD_MECH from it, the mechanism glue synthesises the SASL name from the OID as described under Architecture (a base-32 encoded SHA-1 of the OID).

The Kerberos and SPNEGO mechanisms have been updated to return GS2-KRB5 and SPNEGO, respectively, as their SASL names.

Status

Implemented and tested with a prototype GS2 implementation, as well as a mechanism plugin. Code is in the users/lhoward/sasl-gs2 branch (note that this is branched off import-cred; pick up only the changes you need).

A test program is in src/tests/gssapi/t_saslname.c.

GS2 implementation at http://www.project-moonshot.org/git/cyrus-sasl in plugins/gs2.c.

Examples

A list of GS2 mechanisms and their attributes.

------------------------------------------------------------------------------
OID        : { 1 2 840 113554 1 2 2 }
SASL mech  : GS2-KRB5
Mech name  : krb5
Mech desc  : Kerberos 5 GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 5 1 5 2 }
SASL mech  : GS2-KRB5
Mech name  : krb5
Mech desc  : Kerberos 5 GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5
------------------------------------------------------------------------------
OID        : { 1 2 840 48018 1 2 2 }
SASL mech  : GS2-KRB5
Mech name  : krb5
Mech desc  : Kerberos 5 GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 6 1 5 2 5 }
SASL mech  : GS2-KRB5
Mech name  : krb5
Mech desc  : Kerberos 5 GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5
------------------------------------------------------------------------------
OID        : { 1 3 6 1 5 5 2 }
SASL mech  : SPNEGO
Mech name  : spnego
Mech desc  : Simple and Protected GSS-API Negotiation Mechanism
Mech attrs:  GSS_C_MA_MECH_NEGO GSS_C_MA_ITOK_FRAMED GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 6 1 4 1 5322 21 1 16 }
SASL mech  : GS2-ZGMBGB5SLBQ
Mech name  : eap-des3-cbc-sha1
Mech desc  : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 6 1 4 1 5322 21 1 17 }
SASL mech  : GS2-EAP-AES128
Mech name  : eap-aes128-cts-hmac-sha1-96
Mech desc  : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 6 1 4 1 5322 21 1 18 }
SASL mech  : GS2-EAP-AES256
Mech name  : eap-aes256-cts-hmac-sha1-96
Mech desc  : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS 
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID        : { 1 3 6 1 4 1 5322 21 1 23 }
SASL mech  : GS2-6PUERUGDUSC
Mech name  : eap-arcfour-hmac
Mech desc  : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs:  GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH 
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS