logo_kerberos.gif

Difference between revisions of "Projects/GSSExtras"

From K5Wiki
Jump to: navigation, search
(gss_context_query_attributes)
Line 1: Line 1:
{{project-early}}
+
{{project-review|2009-12-08}}
 
<includeonly>[[Category: early stage projects]]</includeonly>
 
   
 
==Background==
 
==Background==

Revision as of 14:39, 1 December 2009

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2009-12-08.

Comments can be sent to krbdev@mit.edu.


Background

Implement:

  • gss_pseudo_random (RFC 4401 and RFC 4402)
  • gss_store_cred (RFC 5588)
  • gss_context_query_attributes for GSS_C_ATTR_STREAM_SIZES (from Heimdal)

Architecture

Each function touches:

  • the mechglue
  • the Kerberos 5 mechanism
  • SPNEGO

Implementation

gss_pseudo_random

Implemented in terms of krb5_c_prf (why no krb5_k_prf?)

This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_store_cred

Copies credentials into default credentials cache (like Solaris, requires default_cred argument be true.) This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_context_query_attributes

typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

GSS_DLLIMP extern gss_OID GSS_C_ATTR_STREAM_SIZES;

OM_uint32 KRB5_CALLCONV gss_context_query_attributes
(
    OM_uint32 *,        /* minor_status */
    const gss_ctx_id_t, /* context_handle */
    const gss_OID,      /* attribute */
    void *,             /* data */
    size_t              /* len */
);

The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set. A single OID is presently supported, which returns the sizes of different components in a GSS wrap stream buffer.

This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which begs the question: why do we need this API? (Particularly given that it ostensibly serves the same function as gss_inquire_sec_context_by_oid()). It is slightly more convenient to use though. If we do merge this, then we should possibly consider whether some of the other gss_inquire_sec_context_by_oid()-based APIs (internal or otherwise) should be re-factored in terms of this function.

Open issues

Status

Code is in the users/lhoward/gssexts branch.

Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u, the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.