This API is used for both const and non-const strings, depending on
whether there is a deallocator passed or not, so the C type system
can't distinguish this for us.
XXX Perhaps this should be two separate APIs, one which takes
const-qualified pointers and one which takes non-const-qualified
pointers.

This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().
It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).

The point of this commit is to explore:

- GSS functionality for kinit-like actions
- credential store key/value pairs supported by the mechanisms
- document the credential store key/value pairs (in gsstool.1)

that might lead to further enhancements. But gsstool acquire-cred
is quite functional at this point!
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.

There were cases where we weren't negotiating SANON where we should
have. But we really don't want to overdo it. In particular we really
never ever want a user with expired or absent Kerberos credentials (say)
to accidentally negotiate SANON as that will then lead to authorization
errors down the line, and those would be hard to diagnose as they would
be masking the real issue (expired or absent credentials).

So basically either the user passes GSS_C_ANON_FLAG or (and/or) they
call gss_set_neg_mechs() to explicitly request SANON.

Partly authored by me, partly authored by Claude with heavy human
guidance, and reviewed by me.