Difference between revisions of "Projects/GS2"
(New page: {{project-early}} {{project-target|1.9}} ==Background== Implement GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname as defined in [url http://tools.ietf.org/html/draft-ietf...) |
| Line 1: | Line 1: | ||
| − | {{project- |
+ | {{project-rel|1.9}} |
| − | {{project-target|1.9}} |
||
==Background== |
==Background== |
||
| − | Implement GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname as defined in [url http://tools.ietf.org/html/draft-ietf-sasl-gs2-20]draft-ietf-sasl-gs2-20[/url]. |
||
| + | Some additional features in the GSS mechanism glue are useful for implementors of SASL GS2. |
||
| + | |||
| + | * RFC 5801: GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname |
||
| + | * RFC 5587: gss_inquire_attrs_for_mech &c |
||
| + | |||
| + | These allow a SASL library to dynamically bridge GSS mechanisms without mechanism-specific knowledge. |
||
==Architecture== |
==Architecture== |
||
| ⚫ | |||
| + | The functionality of the aforementioned APIs is as follows: |
||
| + | |||
| ⚫ | |||
| + | * a means to determine which features, denoted by OIDs, are supported by mechanisms |
||
| + | |||
| + | For example, a GS2 implementation that wished to ignore negotiate mechanisms whilst selecting mechanisms that supported mutual authentication, might do: |
||
| + | |||
| + | <pre> |
||
| + | static int gs2_indicate_mechs(void) |
||
| + | { |
||
| + | OM_uint32 major, minor; |
||
| + | gss_OID_desc desired_oids[2]; |
||
| + | gss_OID_set_desc desired_attrs; |
||
| + | gss_OID_desc except_oids[3]; |
||
| + | gss_OID_set_desc except_attrs; |
||
| + | |||
| + | desired_oids[0] = *GSS_C_MA_AUTH_INIT; |
||
| + | desired_oids[1] = *GSS_C_MA_AUTH_TARG; |
||
| + | desired_attrs.count = sizeof(desired_oids)/sizeof(desired_oids[0]); |
||
| + | desired_attrs.elements = desired_oids; |
||
| + | |||
| + | except_oids[0] = *GSS_C_MA_MECH_NEGO; |
||
| + | except_oids[1] = *GSS_C_MA_NOT_MECH; |
||
| + | except_oids[2] = *GSS_C_MA_DEPRECATED; |
||
| + | |||
| + | except_attrs.count = sizeof(except_oids)/sizeof(except_oids[0]); |
||
| + | except_attrs.elements = except_oids; |
||
| + | |||
| + | major = gss_indicate_mechs_by_attrs(&minor, |
||
| + | &desired_attrs, |
||
| + | &except_attrs, |
||
| + | GSS_C_NO_OID_SET, |
||
| + | &gs2_mechs); |
||
| + | if (GSS_ERROR(major)) { |
||
| + | return SASL_FAIL; |
||
| + | } |
||
| + | |||
| + | return SASL_OK; |
||
| + | </pre> |
||
==Implementation== |
==Implementation== |
||
| − | The implementations live in src/lib/gssapi/mechglue/g_saslname.c. |
+ | The implementations live in src/lib/gssapi/mechglue/g_saslname.c and src/lib/gssapi/mechglue/g_mechattr.c, respectively. |
<pre> |
<pre> |
||
| Line 25: | Line 68: | ||
const gss_buffer_t sasl_mech_name, |
const gss_buffer_t sasl_mech_name, |
||
gss_OID *mech_type); |
gss_OID *mech_type); |
||
| + | |||
| + | OM_uint32 KRB5_CALLCONV |
||
| + | gss_indicate_mechs_by_attrs( |
||
| + | OM_uint32 *, /* minor_status */ |
||
| + | gss_const_OID_set, /* desired_mech_attrs */ |
||
| + | gss_const_OID_set, /* except_mech_attrs */ |
||
| + | gss_const_OID_set, /* critical_mech_attrs */ |
||
| + | gss_OID_set *); /* mechs */ |
||
| + | |||
| + | OM_uint32 KRB5_CALLCONV |
||
| + | gss_inquire_attrs_for_mech( |
||
| + | OM_uint32 *, /* minor_status */ |
||
| + | gss_const_OID, /* mech */ |
||
| + | gss_OID_set *, /* mech_attrs */ |
||
| + | gss_OID_set *); /* known_mech_attrs */ |
||
| + | |||
| + | OM_uint32 KRB5_CALLCONV |
||
| + | gss_display_mech_attr( |
||
| + | OM_uint32 *, /* minor_status */ |
||
| + | gss_const_OID, /* mech_attr */ |
||
| + | gss_buffer_t, /* name */ |
||
| + | gss_buffer_t, /* short_desc */ |
||
| + | gss_buffer_t); /* long_desc */ |
||
</pre> |
</pre> |
||
| Line 33: | Line 99: | ||
==Status== |
==Status== |
||
| − | Implemented and tested with a prototype GS2 implementation, as well as a mechanism plugin. |
+ | Implemented and tested with a prototype GS2 implementation, as well as a mechanism plugin. Code is in the users/lhoward/sasl-gs2 branch (note that this is branched off import-cred; pick up only the changes you need). |
| + | |||
| + | A test program is in src/tests/gssapi/t_saslname.c. |
||
| + | |||
| + | GS2 implementation at http://www.project-moonshot.org/git/cyrus-sasl in plugins/gs2.c. |
||
==Examples== |
==Examples== |
||
| − | A list of GS2 mechanisms. |
+ | A list of GS2 mechanisms and their attributes. |
| + | |||
| + | <pre> |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 2 840 113554 1 2 2 } |
||
| + | SASL mech : GS2-KRB5 |
||
| + | Mech name : krb5 |
||
| + | Mech desc : Kerberos 5 GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 5 1 5 2 } |
||
| + | SASL mech : GS2-KRB5 |
||
| + | Mech name : krb5 |
||
| + | Mech desc : Kerberos 5 GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5 |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 2 840 48018 1 2 2 } |
||
| + | SASL mech : GS2-KRB5 |
||
| + | Mech name : krb5 |
||
| + | Mech desc : Kerberos 5 GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 5 2 5 } |
||
| + | SASL mech : GS2-KRB5 |
||
| + | Mech name : krb5 |
||
| + | Mech desc : Kerberos 5 GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5 |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 5 5 2 } |
||
| + | SASL mech : SPNEGO |
||
| + | Mech name : spnego |
||
| + | Mech desc : Simple and Protected GSS-API Negotiation Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_NEGO GSS_C_MA_ITOK_FRAMED GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 4 1 5322 21 1 16 } |
||
| + | SASL mech : GS2-ZGMBGB5SLBQ |
||
| + | Mech name : eap-des3-cbc-sha1 |
||
| + | Mech desc : Extensible Authentication Protocol GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 4 1 5322 21 1 17 } |
||
| + | SASL mech : GS2-EAP-AES128 |
||
| + | Mech name : eap-aes128-cts-hmac-sha1-96 |
||
| + | Mech desc : Extensible Authentication Protocol GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 4 1 5322 21 1 18 } |
||
| + | SASL mech : GS2-EAP-AES256 |
||
| + | Mech name : eap-aes256-cts-hmac-sha1-96 |
||
| + | Mech desc : Extensible Authentication Protocol GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | ------------------------------------------------------------------------------ |
||
| + | ------------------------------------------------------------------------------ |
||
| + | OID : { 1 3 6 1 4 1 5322 21 1 23 } |
||
| + | SASL mech : GS2-6PUERUGDUSC |
||
| + | Mech name : eap-arcfour-hmac |
||
| + | Mech desc : Extensible Authentication Protocol GSS-API Mechanism |
||
| + | Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH |
||
| + | Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS |
||
| + | </pre> |
||
Background
Some additional features in the GSS mechanism glue are useful for implementors of SASL GS2.
- RFC 5801: GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname
- RFC 5587: gss_inquire_attrs_for_mech and the related mechanism-attribute functions
These allow a SASL library to dynamically bridge GSS mechanisms without mechanism-specific knowledge.
Architecture
The functionality of the aforementioned APIs is as follows:
- a bidirectional mapping between GSS OIDs and SASL mechanism names. (If there is no mapping, the mechanism glue synthesises a SASL name from a base-32 encoding of the SHA-1 hash of the OID, as RFC 5801 specifies.)
- a means to determine which features, denoted by OIDs, are supported by mechanisms
For example, a GS2 implementation that wished to ignore negotiation mechanisms whilst selecting only mechanisms that support mutual authentication might do:
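/*
 * Build the GS2 mechanism list by asking the mechanism glue (RFC 5587
 * gss_indicate_mechs_by_attrs) for every mechanism that authenticates
 * both parties and is not a negotiation pseudo-mechanism.
 *
 * Desired attributes (a mechanism must have all of them):
 *   GSS_C_MA_AUTH_INIT, GSS_C_MA_AUTH_TARG -- initiator and acceptor are
 *   both authenticated, i.e. mutual authentication.
 * Excluded attributes (a mechanism must have none of them):
 *   GSS_C_MA_MECH_NEGO  -- negotiation mechanisms such as SPNEGO, which
 *                          this example deliberately ignores
 *   GSS_C_MA_NOT_MECH   -- OIDs that are not themselves mechanisms
 *   GSS_C_MA_DEPRECATED -- deprecated OIDs (the examples below show the
 *                          alternate krb5 OID { 1 3 5 1 5 2 } flagged so)
 *
 * The resulting set is stored in gs2_mechs, which is not declared here
 * (presumably a file-scope gss_OID_set -- confirm in the full source).
 * It is allocated by the mechanism glue, so whoever owns gs2_mechs must
 * eventually release it with gss_release_oid_set().
 *
 * Returns SASL_OK on success, SASL_FAIL if the glue reports an error.
 * The minor status is not reported further by this example.
 */
static int gs2_indicate_mechs(void)
{
    OM_uint32 major, minor;
    gss_OID_desc desired_oids[2];
    gss_OID_set_desc desired_attrs;
    gss_OID_desc except_oids[3];
    gss_OID_set_desc except_attrs;

    /* Mechanisms must authenticate both the initiator and the acceptor. */
    desired_oids[0] = *GSS_C_MA_AUTH_INIT;
    desired_oids[1] = *GSS_C_MA_AUTH_TARG;
    desired_attrs.count = sizeof(desired_oids) / sizeof(desired_oids[0]);
    desired_attrs.elements = desired_oids;

    /* ...but negotiation, non-mechanism and deprecated OIDs are left out. */
    except_oids[0] = *GSS_C_MA_MECH_NEGO;
    except_oids[1] = *GSS_C_MA_NOT_MECH;
    except_oids[2] = *GSS_C_MA_DEPRECATED;
    except_attrs.count = sizeof(except_oids) / sizeof(except_oids[0]);
    except_attrs.elements = except_oids;

    /*
     * critical_mech_attrs is left empty (GSS_C_NO_OID_SET): per RFC 5587
     * no attribute has to be known to a mechanism for it to be listed.
     */
    major = gss_indicate_mechs_by_attrs(&minor,
                                        &desired_attrs,
                                        &except_attrs,
                                        GSS_C_NO_OID_SET,
                                        &gs2_mechs);
    if (GSS_ERROR(major)) {
        return SASL_FAIL;
    }

    return SASL_OK;
}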
Implementation
The implementations live in src/lib/gssapi/mechglue/g_saslname.c and src/lib/gssapi/mechglue/g_mechattr.c, respectively.
/*
 * RFC 5801 (GS2) support in the mechanism glue: map a GSS mechanism OID
 * to its SASL mechanism name. Implemented in
 * src/lib/gssapi/mechglue/g_saslname.c.
 *
 * minor_status     -- mechanism-specific status code
 * desired_mech     -- the mechanism OID to look up
 * sasl_mech_name   -- receives the SASL name (e.g. GS2-KRB5, SPNEGO)
 * mech_name        -- receives the mechanism's own name (e.g. krb5)
 * mech_description -- receives a human-readable description
 *
 * If the mechanism provides no gss_inquire_saslname_for_mech entry point,
 * or returns GSS_S_BAD_MECH from it, the glue synthesises the SASL name
 * from a base-32 encoded SHA-1 of the OID (GS2-ZGMBGB5SLBQ in the
 * examples below is such a synthesised name).
 */
OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
OM_uint32 *minor_status,
const gss_OID desired_mech,
gss_buffer_t sasl_mech_name,
gss_buffer_t mech_name,
gss_buffer_t mech_description);
/*
 * Reverse mapping: SASL mechanism name -> mechanism OID (RFC 5801).
 * Several OIDs can share one SASL name (the examples below list four
 * krb5 OIDs all named GS2-KRB5); the "Got different OID" lines in the
 * example output suggest a single canonical OID is returned in that
 * case -- confirm against g_saslname.c.
 */
OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname(
OM_uint32 *minor_status,
const gss_buffer_t sasl_mech_name,
gss_OID *mech_type);
/*
 * RFC 5587 mechanism attributes, implemented in
 * src/lib/gssapi/mechglue/g_mechattr.c.
 *
 * Enumerate the mechanisms that carry every attribute in
 * desired_mech_attrs and none of those in except_mech_attrs (see the
 * gs2_indicate_mechs example above). Per RFC 5587, critical_mech_attrs
 * lists attributes a mechanism must know about to be included;
 * GSS_C_NO_OID_SET imposes no such requirement. The set returned in
 * mechs is allocated by the glue and is released by the caller with
 * gss_release_oid_set().
 */
OM_uint32 KRB5_CALLCONV
gss_indicate_mechs_by_attrs(
OM_uint32 *, /* minor_status */
gss_const_OID_set, /* desired_mech_attrs */
gss_const_OID_set, /* except_mech_attrs */
gss_const_OID_set, /* critical_mech_attrs */
gss_OID_set *); /* mechs */
/*
 * Query one mechanism: mech_attrs receives the attributes the mechanism
 * has ("Mech attrs" in the example output), known_mech_attrs the
 * attributes it knows about ("Known attrs"). Both sets are caller-released.
 */
OM_uint32 KRB5_CALLCONV
gss_inquire_attrs_for_mech(
OM_uint32 *, /* minor_status */
gss_const_OID, /* mech */
gss_OID_set *, /* mech_attrs */
gss_OID_set *); /* known_mech_attrs */
/*
 * Describe one attribute OID: its symbolic name (e.g. GSS_C_MA_AUTH_INIT,
 * as printed in the example output), a short and a long description.
 * Any of the buffer arguments may presumably be skipped by the caller --
 * confirm against g_mechattr.c.
 */
OM_uint32 KRB5_CALLCONV
gss_display_mech_attr(
OM_uint32 *, /* minor_status */
gss_const_OID, /* mech_attr */
gss_buffer_t, /* name */
gss_buffer_t, /* short_desc */
gss_buffer_t); /* long_desc */
If a mechanism does not provide the gss_inquire_saslname_for_mech entry point, or returns GSS_S_BAD_MECH from it, the SASL name is synthesised from the OID as described above.
The Kerberos and SPNEGO mechanisms have been updated to return GS2-KRB5 and SPNEGO, respectively, as their SASL names.
Status
Implemented and tested with a prototype GS2 implementation, as well as a mechanism plugin. Code is in the users/lhoward/sasl-gs2 branch (note that this is branched off import-cred; pick up only the changes you need).
A test program is in src/tests/gssapi/t_saslname.c.
GS2 implementation at http://www.project-moonshot.org/git/cyrus-sasl in plugins/gs2.c.
Examples
A list of GS2 mechanisms and their attributes.
------------------------------------------------------------------------------
OID : { 1 2 840 113554 1 2 2 }
SASL mech : GS2-KRB5
Mech name : krb5
Mech desc : Kerberos 5 GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 5 1 5 2 }
SASL mech : GS2-KRB5
Mech name : krb5
Mech desc : Kerberos 5 GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5
------------------------------------------------------------------------------
OID : { 1 2 840 48018 1 2 2 }
SASL mech : GS2-KRB5
Mech name : krb5
Mech desc : Kerberos 5 GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 5 2 5 }
SASL mech : GS2-KRB5
Mech name : krb5
Mech desc : Kerberos 5 GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
Got different OID { 1 2 840 113554 1 2 2 } for mechanism GS2-KRB5
------------------------------------------------------------------------------
OID : { 1 3 6 1 5 5 2 }
SASL mech : SPNEGO
Mech name : spnego
Mech desc : Simple and Protected GSS-API Negotiation Mechanism
Mech attrs: GSS_C_MA_MECH_NEGO GSS_C_MA_ITOK_FRAMED GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 16 }
SASL mech : GS2-ZGMBGB5SLBQ
Mech name : eap-des3-cbc-sha1
Mech desc : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 17 }
SASL mech : GS2-EAP-AES128
Mech name : eap-aes128-cts-hmac-sha1-96
Mech desc : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 18 }
SASL mech : GS2-EAP-AES256
Mech name : eap-aes256-cts-hmac-sha1-96
Mech desc : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 23 }
SASL mech : GS2-6PUERUGDUSC
Mech name : eap-arcfour-hmac
Mech desc : Extensible Authentication Protocol GSS-API Mechanism
Mech attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_CTX_TRANS GSS_C_MA_NOT_DFLT_MECH
Known attrs: GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE GSS_C_MA_MECH_NEGO GSS_C_MA_MECH_GLUE GSS_C_MA_NOT_MECH GSS_C_MA_DEPRECATED GSS_C_MA_NOT_DFLT_MECH GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT GSS_C_MA_AUTH_TARG GSS_C_MA_AUTH_INIT_INIT GSS_C_MA_AUTH_TARG_INIT GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_DELEG_CRED GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_PROT_READY GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS
