logo_kerberos.gif

Difference between revisions of "Projects/GSSExtras"

From K5Wiki
Jump to: navigation, search
Line 62: Line 62:
   
 
Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u, the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.
 
Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u, the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.
  +
  +
==Review==
  +
  +
This section documents the review of the project according to [[Project policy]].
  +
It is divided into multiple sections. First, approvals should be listed. To list an approval type
  +
:<nowiki>#~~~~</nowiki>
  +
(hash mark followed by four tilde characters) on its own line.
  +
The next section is for summarizing discussion, which should take place on krbdev@mit.edu. Provide links to the archive at http://mailman.mit.edu/pipermail/krbdev/ if appropriate. Blocking objections can be noted with <nowiki>{{project-block}}</nowiki>.
  +
  +
===Approvals===
  +
  +
===Discussion===

Revision as of 12:09, 7 December 2009

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2009-12-08.

Comments can be sent to krbdev@mit.edu.


Background

Implement:

  • gss_pseudo_random (RFC 4401 and RFC 4402)
  • gss_store_cred (RFC 5588)
  • gss_context_query_attributes for GSS_C_ATTR_STREAM_SIZES (from Heimdal)

Architecture

Each function touches:

  • the mechglue
  • the Kerberos 5 mechanism
  • SPNEGO

Implementation

gss_pseudo_random

Implemented in terms of krb5_c_prf (why no krb5_k_prf?)

This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_store_cred

Copies credentials into default credentials cache (like Solaris, requires default_cred argument be true.) This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.

gss_context_query_attributes

typedef struct gss_context_stream_sizes_struct {
    size_t header;
    size_t trailer;
    size_t max_msg_size;
    size_t buffers;
    size_t blocksize;
} gss_context_stream_sizes;

GSS_DLLIMP extern gss_OID GSS_C_ATTR_STREAM_SIZES;

OM_uint32 KRB5_CALLCONV gss_context_query_attributes
(
    OM_uint32 *,        /* minor_status */
    const gss_ctx_id_t, /* context_handle */
    const gss_OID,      /* attribute */
    void *,             /* data */
    size_t              /* len */
);

The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set. A single OID is presently supported, which returns the sizes of different components in a GSS wrap stream buffer.

This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which begs the question: why do we need this API? (Particularly given that it ostensibly serves the same function as gss_inquire_sec_context_by_oid()). It is slightly more convenient to use though. If we do merge this, then we should possibly consider whether some of the other gss_inquire_sec_context_by_oid()-based APIs (internal or otherwise) should be re-factored in terms of this function.

Open issues

Status

Code is in the users/lhoward/gssexts branch.

Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u, the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.

Review

This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval type

#~~~~

(hash mark followed by four tilde characters) on its own line. The next section is for summarizing discussion, which should take place on krbdev@mit.edu. Provide links to the archive at http://mailman.mit.edu/pipermail/krbdev/ if appropriate. Blocking objections can be noted with {{project-block}}.

Approvals

Discussion