Difference between revisions of "Projects/GSSExtras"


Revision as of 14:00, 24 November 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Background

Implement:

  • gss_pseudo_random (RFC 4401 and RFC 4402)
  • gss_store_cred (RFC 5588)
  • gss_context_query_attributes for GSS_C_ATTR_STREAM_SIZES (from Heimdal)

Architecture

Each function touches:

  • the mechglue
  • the Kerberos 5 mechanism
  • SPNEGO

Implementation

gss_pseudo_random

Implemented in terms of krb5_c_prf (why no krb5_k_prf?)

This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_store_cred

Copies credentials into the default credential cache (as on Solaris, this requires the default_cred argument to be true). This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_context_query_attributes

typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

GSS_DLLIMP extern gss_OID GSS_C_ATTR_STREAM_SIZES;

OM_uint32 KRB5_CALLCONV gss_context_query_attributes
(
    OM_uint32 *,        /* minor_status */
    const gss_ctx_id_t, /* context_handle */
    const gss_OID,      /* attribute */
    void *,             /* data */
    size_t              /* len */
);

The API is similar to gss_inquire_sec_context_by_oid() except that it takes a void * pointer instead of a buffer set. A single OID, GSS_C_ATTR_STREAM_SIZES, is presently supported; it returns the sizes of the individual components (header, trailer, padding and so on) of a GSS wrap stream buffer.

This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which raises the question of why this API is needed at all (particularly given that it ostensibly serves the same purpose as gss_inquire_sec_context_by_oid()). It is slightly more convenient to use, though.

So, I would propose we don't merge this.
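To show what a caller gains from the stream sizes above, here is an added example (not code from the gssexts branch) that plans a single wrap-stream output buffer from a gss_context_stream_sizes value: it lays out header, data, padding and trailer, rejects messages over max_msg_size, and checks the size arithmetic for overflow. Only the struct comes from the page; the padding rule (data rounded up to a multiple of blocksize, none when blocksize is 0 or 1) and the sample sizes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Structure as declared on this page for GSS_C_ATTR_STREAM_SIZES. */
typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

/* Offsets of the components of one wrapped stream token:
 * [header][data][padding][trailer]. */
typedef struct {
    size_t data_off;
    size_t pad_off;
    size_t pad_len;
    size_t trailer_off;
    size_t total;
} stream_layout;

/* Plan one output buffer for a msg_len-byte plaintext from the sizes the
 * context reports. Returns 0 on success, -1 if the message is larger than
 * max_msg_size or the size arithmetic would overflow size_t. The padding
 * rule is an assumption for this example: round the data up to a multiple
 * of blocksize, with blocksize 0 or 1 meaning no padding at all. */
int compute_stream_layout(const gss_context_stream_sizes *s, size_t msg_len,
                          stream_layout *out)
{
    size_t pad = 0, total;

    if (s == NULL || out == NULL || msg_len > s->max_msg_size)
        return -1;
    if (s->blocksize > 1 && msg_len % s->blocksize != 0)
        pad = s->blocksize - msg_len % s->blocksize;

    /* total = header + msg_len + pad + trailer, checked term by term. */
    if (s->header > SIZE_MAX - msg_len) return -1;
    total = s->header + msg_len;
    if (pad > SIZE_MAX - total) return -1;
    total += pad;
    if (s->trailer > SIZE_MAX - total) return -1;
    total += s->trailer;

    out->data_off = s->header;
    out->pad_off = s->header + msg_len;
    out->pad_len = pad;
    out->trailer_off = out->pad_off + pad;
    out->total = total;
    return 0;
}
```

An application would allocate out->total bytes once and hand the four regions to the mechanism as a single stream buffer instead of computing them per message.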

Open issues

Status

Code is in the users/lhoward/gssexts branch.

Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u, and the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.