gsskrb5: Add simple name attributes support
This adds Kerberos mechanism support for:
- composite principal name export/import
- getting rudimentary name attributes from GSS names using
gss_get_name_attribute():
- all (raw) authorization data from the Ticket
- all (raw) authorization data from the Authenticator
- transit path
- realm
- component count
- each component
- gss_inquire_name()
- gss_display_name_ext() (just for the hostbased service name type
though)
The test exercises almost all of the functionality, except for:
- getting the PAC
- getting authz-data from the Authenticator
- getting the transit path
TBD (much) later:
- amend test_context to do minimal name attribute checks as well
- gss_set_name_attribute() (to request authz-data)
- gss_delete_name_attribute()
- getting specific authorization data elements via URN fragments (as
opposed to all of them)
- parsing the PAC, extracting SIDs (each one as a separate value)
- some configurable local policy (?)
- plugin interface for additional local policy
committed by
Nico Williams
parent
1cede09a0b
commit
be708ca3cf
@@ -233,6 +233,7 @@ typedef OM_uint32 gss_qop_t;
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
#define GSS_C_EMPTY_BUFFER_SET {0, NULL}
#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)
#define GSS_C_NO_CRED_STORE ((gss_key_value_set_t)0)
|
@@ -393,6 +394,18 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc;
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
|
/*
* The implementation must reserve static storage for a
* gss_OID_desc object containing the value
* {6, (void *)"\x2b\x06\x01\x05\x06\x06"}, corresponding to an
* object-identifier value of {iso(1) identified-organization(3) dod(6)
* internet(1) security(5) nametypes(6) gss-composite-export(6)}.
* The constant GSS_C_NT_COMPOSITE_EXPORT [RFC6680] should be initialized to
* point to that gss_OID_desc.
*/
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_composite_export_oid_desc;
#define GSS_C_NT_COMPOSITE_EXPORT (&__gss_c_nt_composite_export_oid_desc)
|
/* Major status codes */
|
#define GSS_S_COMPLETE 0
|
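Review bot: The new comment block above GSS_C_NT_COMPOSITE_EXPORT documents the OID bytes but not what an importer of such a token is trusting: per the commit message a composite export token carries the name's attributes (raw ticket and authenticator authorization data among them), and an import of that token has nothing to re-verify them against, so the attributes are only as trustworthy as the source of the token. I would add a line to the comment such as `* Attributes carried in a composite export token are not re-authenticated on import; accept such tokens only from a trusted source.` and point at RFC 6680's security considerations, which cover this if memory serves. The encoding itself checks out against the arc given in the comment (1.3 -> 0x2b, then 6, 1, 5, 6, 6 = six bytes), and the `__`-prefixed object name follows the existing __gss_c_nt_export_name_oid_desc convention in this header.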
@@ -218,6 +218,8 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
OM_uint32 num_enctypes,
int32_t *enctypes);
|
#define GSS_KRB5_NAME_ATTRIBUTE_BASE_URN "urn:ietf:kerberos:nameattr-"
|
GSSAPI_CPP_END
|
#endif /* GSSAPI_SPNEGO_H_ */
|
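Review bot: GSS_KRB5_NAME_ATTRIBUTE_BASE_URN is added without a comment, so a reader has to go to the implementation to learn that it is a prefix and that the attribute name is appended after the trailing '-'. I would document it as `/* Prefix of the URNs naming Kerberos-specific name attributes (realm, components, authz-data, ...); the attribute name follows the trailing '-'. */`, with the attribute list taken from the commit message. Since gss_get_name_attribute() receives the attribute name as a gss_buffer_t, the implementation matching against these URNs should compare using the buffer's length rather than assuming NUL termination; that lives outside this hunk and is worth confirming there. The `urn:ietf:kerberos:` form does not appear to be a registered URN namespace, which deserves a note if applications are expected to treat these identifiers as stable. The closing `#endif /* GSSAPI_SPNEGO_H_ */` is pre-existing context, but if this is the krb5 header the guard comment looks copied from the SPNEGO one.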