oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gsskrb5: Add simple name attributes support

Browse Source 
This adds Kerberos mechanism support for:

 - composite principal name export/import
 - getting rudimentary name attributes from GSS names using
   gss_get_name_attribute():
    - all (raw) authorization data from the Ticket
    - all (raw) authorization data from the Authenticator
    - transit path
    - realm
    - component count
    - each component
 - gss_inquire_name()
 - gss_display_name_ext() (just for the hostbased service name type
                           though)

The test exercises almost all of the functionality, except for:

 - getting the PAC
 - getting authz-data from the Authenticator
 - getting the transit path

TBD (much) later:

 - amend test_context to do minimal name attribute checks as well
 - gss_set_name_attribute() (to request authz-data)
 - gss_delete_name_attribute()
 - getting specific authorization data elements via URN fragments (as
   opposed to all of them)
 - parsing the PAC, extracting SIDs (each one as a separate value)
 - some configurable local policy (?)
 - plugin interface for additional local policy
This commit is contained in:
Nicolas Williams
2021-12-22 17:01:12 -06:00
committed by Nico Williams
parent 1cede09a0b
commit be708ca3cf
10 changed files with 1220 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
lib/gssapi/krb5/external.c
View File

@@ -152,6 +152,13 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_export_name_oid_desc =
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_oid_desc =
{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
/*
* GSS_C_NT_COMPOSITE_EXPORT [RFC6680], OID {iso(1) identified-organization(3)
* dod(6) internet(1) security(5) nametypes(6) gss-composite-export(6)}.
*/
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_composite_export_oid_desc =
{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x06")};
/*
* draft-ietf-cat-iakerb-09, IAKERB:
* The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance
@@ -383,12 +390,12 @@ static gssapi_mech_interface_desc krb5_mech = {
sizeof(krb5_mo) / sizeof(krb5_mo[0]),
_gsskrb5_localname,
_gsskrb5_authorize_localname,
NULL, /* gm_display_name_ext */
NULL, /* gm_inquire_name */
NULL, /* gm_get_name_attribute */
_gsskrb5_display_name_ext,
_gsskrb5_inquire_name,
_gsskrb5_get_name_attribute,
NULL, /* gm_set_name_attribute */
NULL, /* gm_delete_name_attribute */
NULL, /* gm_export_name_composite */
_gsskrb5_export_name_composite,
_gsskrb5_duplicate_cred,
_gsskrb5_add_cred_from,
_gsskrb5_store_cred_into,