Difference between revisions of "Projects/GSSExtras"
Edit summary of the previous revision: (New page: {{project-early}} <includeonly>Category: early stage projects</includeonly> ==Background== Implement: * gss_pseudo_random (RFC 4401 and RFC 4402) * gss_store_cred (RFC 5588) * gss_...)
Edit summary of this revision: (→gss_context_query_attributes)

Line 54:
</pre>
− The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set.
+ The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set. A single OID is presently supported, which returns the sizes of different components in a GSS wrap stream buffer.
+ This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which begs the question: why do we need this API? (Particularly given that it ostensibly serves the same function as gss_inquire_sec_context_by_oid()). It is slightly more convenient to use though.
So, I would propose we don't merge this.
Revision as of 04:42, 24 November 2009
Background
Implement:
- gss_pseudo_random (RFC 4401 and RFC 4402)
- gss_store_cred (RFC 5588)
- gss_context_query_attributes for GSS_C_ATTR_STREAM_SIZES (from Heimdal)
Architecture
Each function touches:
- the mechglue
- the Kerberos 5 mechanism
- SPNEGO
Implementation
gss_pseudo_random
Implemented in terms of krb5_c_prf (why no krb5_k_prf?)
This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.
gss_store_cred
Copies credentials into the default credential cache (as on Solaris, this requires the default_cred argument to be true). This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.
gss_context_query_attributes
<pre>
typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

GSS_DLLIMP extern gss_OID GSS_C_ATTR_STREAM_SIZES;

OM_uint32 KRB5_CALLCONV
gss_context_query_attributes(
    OM_uint32 *,          /* minor_status */
    const gss_ctx_id_t,   /* context_handle */
    const gss_OID,        /* attribute */
    void *,               /* data */
    size_t                /* len */
);
</pre>
The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set. A single OID is presently supported, which returns the sizes of different components in a GSS wrap stream buffer.
This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which raises the question of why this API is needed at all, particularly given that it ostensibly serves the same function as gss_inquire_sec_context_by_oid(). It is slightly more convenient to use, though.
So, I would propose we don't merge this.
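The following is an added example, not code from the GSSExtras page or from the MIT krb5 tree, showing what a caller of a stream-oriented protocol would do with the sizes that gss_context_query_attributes(GSS_C_ATTR_STREAM_SIZES) returns: lay out one contiguous buffer as header, payload padded to the block size, and trailer, and refuse a message larger than the context's maximum rather than wrapping it. The struct is the one declared above; the interpretation of its fields (header bytes before the payload, trailer bytes after it, payload rounded up to a multiple of blocksize, max_msg_size as the largest plaintext the context accepts), the helper names stream_layout_compute and stream_fragment_count, and the sample sizes in main are assumptions of this example, not values from a real context.

```c
/* Added example: consuming the sizes that a GSS_C_ATTR_STREAM_SIZES query
 * would return. Nothing here calls the GSS-API, so it builds without
 * libgssapi; the struct is copied from the proposed gssapi_ext.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

/* Hypothetical layout of one wrap-stream buffer: [header][data+pad][trailer].
 * The field meanings are an assumption of this example. */
typedef struct {
    size_t header_off;
    size_t data_off;
    size_t padded_len;   /* msg_len rounded up to a multiple of blocksize */
    size_t trailer_off;
    size_t total;        /* bytes the caller must allocate */
} stream_layout;

/* Round n up to a multiple of block; block == 0 means "no alignment". */
static size_t round_up(size_t n, size_t block)
{
    if (block == 0 || n % block == 0)
        return n;
    return n + (block - n % block);
}

/* Fill *out for a plaintext of msg_len bytes. Returns 0 on success and -1
 * if the message exceeds the context's maximum (the caller must fragment)
 * or if the size arithmetic would overflow size_t. */
int stream_layout_compute(const gss_context_stream_sizes *sz,
                          size_t msg_len, stream_layout *out)
{
    size_t padded, total;

    if (msg_len > sz->max_msg_size)
        return -1;

    padded = round_up(msg_len, sz->blocksize);
    if (padded < msg_len)                 /* round_up wrapped around */
        return -1;
    if (sz->header > SIZE_MAX - padded)
        return -1;
    total = sz->header + padded;
    if (sz->trailer > SIZE_MAX - total)
        return -1;
    total += sz->trailer;

    out->header_off = 0;
    out->data_off = sz->header;
    out->padded_len = padded;
    out->trailer_off = sz->header + padded;
    out->total = total;
    return 0;
}

/* How many wrap-stream messages a payload of len bytes needs when each
 * message carries at most max_msg_size bytes; 0 if the maximum is 0. */
size_t stream_fragment_count(const gss_context_stream_sizes *sz, size_t len)
{
    if (sz->max_msg_size == 0)
        return 0;
    return len / sz->max_msg_size + (len % sz->max_msg_size != 0);
}

int main(void)
{
    /* Constructed sizes for illustration only, not observed from a real
     * GSS context: 16-byte header, 28-byte trailer, 64 KiB maximum message,
     * 3 IOV buffers, 16-byte block size. */
    gss_context_stream_sizes sz = { 16, 28, 65536, 3, 16 };
    stream_layout lay;

    if (stream_layout_compute(&sz, 100, &lay) == 0)
        printf("allocate %zu bytes: data at %zu, trailer at %zu\n",
               lay.total, lay.data_off, lay.trailer_off);
    printf("%zu messages for a 131073-byte payload\n",
           stream_fragment_count(&sz, 131073));
    return 0;
}
```

The overflow checks matter because the sizes come from the peer-negotiated context rather than from the caller: a layout routine that trusts header + padded + trailer to fit in size_t without checking is the classic way an allocation ends up smaller than the copy that follows it.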
Open issues
Status
Code is in the users/lhoward/gssexts branch.
Tests for PRF and query_context_attributes are in src/tests/gssapi/t_prf.c. No test for gss_store_cred() yet.