Projects/GSSExtras
Background
Implement:
- gss_pseudo_random (RFC 4401 and RFC 4402)
- gss_store_cred (RFC 5588)
- gss_context_query_attributes for GSS_C_ATTR_STREAM_SIZES (from Heimdal)
Architecture
Each function touches:
- the mechglue
- the Kerberos 5 mechanism
- SPNEGO
Implementation
gss_pseudo_random
Implemented in terms of krb5_c_prf (why no krb5_k_prf?)
This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.
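The layering that gss_pseudo_random() puts on top of the per-enctype PRF is the PRF+ construction of RFC 4402: a 32-bit big-endian counter is prepended to the caller's input, the base PRF is called once per block, and the concatenation is truncated to the requested length. The following is an added example, not code from the krb5 tree: it uses an HMAC-SHA256 stand-in for krb5_c_prf() (whose real output depends on the context key's enctype), assumes a 16-byte PRF block as for the AES enctypes, and models the key choice for GSS_C_PRF_KEY_FULL versus GSS_C_PRF_KEY_PARTIAL after the mechanism's acceptor-subkey fallback; the function and constant names are the example's own.

```python
"""RFC 4402 PRF+ layering as used by the Kerberos mechanism's
gss_pseudo_random().  Added example, not krb5 code: base_prf() is an
HMAC-SHA256 stand-in for krb5_c_prf()."""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4401 values for the prf_key argument.
GSS_C_PRF_KEY_FULL = 0
GSS_C_PRF_KEY_PARTIAL = 1

# Assumption: one 16-byte PRF block per base call, as krb5_c_prf() returns
# for the AES enctypes; the stand-in mimics that width.
PRF_BLOCK_LEN = 16


def base_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for krb5_c_prf(): one fixed-width PRF output per call."""
    return hmac.new(key, data, hashlib.sha256).digest()[:PRF_BLOCK_LEN]


def select_prf_key(prf_key: int, subkey: bytes,
                   acceptor_subkey: Optional[bytes]) -> bytes:
    """Pick the context key the PRF runs under.

    Modelled on the mechanism's choice (assumption, not a quote of krb5):
    GSS_C_PRF_KEY_FULL prefers the acceptor-asserted subkey when the
    acceptor has replied, falling back to the initiator's subkey/session
    key; GSS_C_PRF_KEY_PARTIAL always uses the latter, which is why it can
    be called before the context is fully established.
    """
    if prf_key == GSS_C_PRF_KEY_FULL and acceptor_subkey is not None:
        return acceptor_subkey
    if prf_key in (GSS_C_PRF_KEY_FULL, GSS_C_PRF_KEY_PARTIAL):
        return subkey
    raise ValueError("unknown prf_key %r" % (prf_key,))


def prf_plus(key: bytes, desired_output_len: int, prf_in: bytes) -> bytes:
    """PRF+(K, L, S) = truncate(L, T0 || T1 || ...), Tn = prf(K, n || S).

    n is a 32-bit network-byte-order counter starting at 0, one base PRF
    call per block, stopping once L octets have been produced.
    """
    if desired_output_len < 0:
        raise ValueError("desired_output_len must be non-negative")
    out = bytearray()
    n = 0
    while len(out) < desired_output_len:
        out += base_prf(key, struct.pack(">I", n) + prf_in)
        n += 1
    return bytes(out[:desired_output_len])


def gss_pseudo_random_model(prf_key: int, subkey: bytes,
                            acceptor_subkey: Optional[bytes],
                            prf_in: bytes, desired_output_len: int) -> bytes:
    """Model of the mechanism entry point: choose the key, then run PRF+."""
    key = select_prf_key(prf_key, subkey, acceptor_subkey)
    return prf_plus(key, desired_output_len, prf_in)


if __name__ == "__main__":
    # Constructed sample keys and input; not real Kerberos material.
    init_subkey = bytes(range(16))
    acc_subkey = bytes(range(16, 32))
    label = b"constructed application label"
    print(gss_pseudo_random_model(GSS_C_PRF_KEY_FULL, init_subkey,
                                  acc_subkey, label, 40).hex())
```

A consequence worth noting for callers: PRF+ output is prefix-consistent, so asking for 20 bytes and then 40 bytes from the same context and input yields the shorter string as a prefix of the longer one, and GSS_C_PRF_KEY_FULL and GSS_C_PRF_KEY_PARTIAL only agree before the acceptor subkey exists.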
gss_store_cred
Copies credentials into the default credential cache (as on Solaris, the default_cred argument must be true). This function is declared in gssapi.h instead of gssapi_ext.h because it is defined in an RFC.
gss_context_query_attributes
 typedef struct gss_context_stream_sizes_struct {
     size_t header;
     size_t trailer;
     size_t max_msg_size;
     size_t buffers;
     size_t blocksize;
 } gss_context_stream_sizes;

 GSS_DLLIMP extern gss_OID GSS_C_ATTR_STREAM_SIZES;

 OM_uint32 KRB5_CALLCONV
 gss_context_query_attributes(
     OM_uint32 *,          /* minor_status */
     const gss_ctx_id_t,   /* context_handle */
     const gss_OID,        /* attribute */
     void *,               /* data */
     size_t                /* len */
 );
The API is similar to gss_inquire_sec_context_by_oid() except it takes a void * pointer instead of a buffer set. A single OID is presently supported, which returns the sizes of different components in a GSS wrap stream buffer.
This is implemented in terms of gss_wrap_size_limit() and gss_wrap_iov_length(), which raises the question of why this API is needed at all, particularly given that it ostensibly serves the same function as gss_inquire_sec_context_by_oid(). It is slightly more convenient to use, though.
So, I would propose we don't merge this.
Open issues
Status
Code is in the users/lhoward/gssexts branch.
Tests are in src/tests/gssapi/t_gssexts.c. This is a variant of t_s4u; the usage is the same. Sorry, no individual tests yet: this file exercises all APIs.