Gsi implementation details.
GSI Implementation Details.
The Globus GSI GSSAPI is an implementation of GSS API C Bindings using OpenSSL. This API documentation is intended to explain implementation-specific behavior of this GSSAPI implementation, as well as GSSAPI extensions.
The API documentation is divided into sections covering:
Globus GSSAPI
Activation
Constants
Request Flags
Return Flags
GSSAPI Extensions
Delegation
GSS Accept Security Context.
Parameters:
minor_status
context_handle_P
acceptor_cred_handle
input_token
input_chan_bindings
src_name_P
mech_type
output_token
ret_flags Also used as req_flags for other functions
time_rec
delegated_cred_handle_P
Returns:
Acquire Credential. GSSAPI routine to acquire the local credential. See the latest IETF draft/RFC on the GSSAPI C bindings.
Gets the local credentials. The proxy_init_cred does most of the work of setting up the SSL_ctx, getting the user's cert, key, etc.
The globusid will be obtained from the certificate. (Minus and /CN=proxy entries.)
Parameters:
minor_status Mechanism specific status code. In this implementation, the minor_status is a cast from a globus_result_t value, which is either GLOBUS_SUCCESS or a globus error object ID if an error occurred.
desired_name_P Name of principle whose credentials should be acquired This parameter maps to the desired subject of the cert to be acquired as the credential. Possible values are:
For a service cert: service name@fqdn
For a host cert: fqdn
For a proxy cert: subject name
For a user cert: subject name This parameter can be NULL, in which case the cert is chosen using a default search order of: host, proxy, user, service
time_req Number of seconds that credentials should remain valid. This value can be GSS_C_INDEFINITE for an unlimited lifetime. NOTE: in the current implementation, this parameter is ignored, since you can't change the expiration of a signed cert.
desired_mechs
cred_usage
output_cred_handle_P
actual_mechs
time_rec
Add OID Set Member. Adds an Object Identifier to an Object Identifier set. This routine is intended for use in conjunction with GSS_Create_empty_OID_set() when constructing a set of mechanism OIDs for input to GSS_Acquire_cred().
Parameters:
minor_status
member_oid
oid_set
Return values:
GSS_S_COMPLETE Success
GSS_S_FAILURE Operation failed
Compare Name. Compare two names. GSSAPI names in this implementation are pointers to X.509 names.
Parameters:
minor_status currently is always set to GLOBUS_SUCCESS
name1_P
name2_P
name_equal
Returns:
currently always returns GSS_S_COMPLETE
Context Time.
Parameters:
minor_status
context_handle
time_rec
Returns:
Create Empty OID Set
Creates an object identifier set containing no object identifiers, to which members may be subsequently added using the GSS_Add_OID_set_member() routine. These routines are intended to be used to construct sets of mechanism object identifiers, for input to GSS_Acquire_cred().
Parameters:
minor_status
oid_set
Return values:
GSS_S_COMPLETE Success
GSS_S_FAILURE Operation failed
Delete Security Context. Delete the GSS Security Context
Parameters:
minor_status The minor status result - this is a globus_result_t cast to a OM_uint32.
context_handle_P The context handle to be deleted
output_token A token created upon destroying the context. If non-empty, this should be sent to the peer of the context to indicate that the context is closed.
Returns:
This function always returns GSS_S_COMPLETE
Display Name. Produces a single line version of the internal X.509 name
Parameters:
minor_status
input_name_P
output_name
output_name_type
Returns:
Display Status
Calls the OpenSSL error print routines to produce a printable message. This may need some work, as the OpenSSL error messages are more of a trace, and my not be the best for the user. Also don't take advantage of being called in a loop.
Parameters:
minor_status
status_value
status_type
mech_type
message_context
status_string
Returns:
Duplicate Name. Copy a GSSAPI name.
Parameters:
minor_status
src_name
dest_name
Returns:
Export Name. Produces a mechanism-independent exported name object. See section 3.2 of RFC 2743.
Export Security Context. Saves the important info about the session, converts it to a token, then deletes the context.
Parameters:
minor_status
context_handle_P
interprocess_token
Returns:
For SSL handle We need to save: version of this routine. cred_usage, i.e. are we accept or initiate target/source or name Session: Protocol, cipher, and Master-Key Client-Random Server-Random tmp.key_block: client and server Mac_secrets write_sequence read_sequence write iv read iv
see SSL 3.0 draft http://wp.netscape.com/eng/ssl3/index.html
Get MIC
Calculates a cryptographic MIC (message integrity check) over an application message, and returns that MIC in the token. The token and message can then be passed to the peer application which calls gss_verify_mic to verify the MIC.
Parameters:
minor_status
context_handle
qop_req
message_buffer
message_token
Returns:
Import a name into a gss_name_t
Creates a new gss_name_t which contains a mechanism-specific representation of the input name. GSSAPI OpenSSL implements the following name types, based on the input_name_type OID:
GSS_C_NT_ANONYMOUS (input_name_buffer is ignored)
GSS_C_NT_HOSTBASED_SERVICE (input_name_buffer contains a string 'service@FQN' which will match /CN=service/FQDN)
GSS_C_NT_EXPORT_NAME (input_name_buffer contains a string with the X509_oneline representation of a name) like '/X=Y/Z=A...')
GSS_C_NO_OID or GSS_C_NT_USER_NAME (input_name_buffer contains an X.500 name formatted like '/X=Y/Z=A...')
GLOBUS_GSS_C_NT_HOST_IP (input_name_buffer contains a string 'FQDN/ip-address' which will match names with the FQDN or the IP address)
GLOBUS_SSS_C_NT_X509 (input buffer is an X509 struct from OpenSSL)
Parameters:
minor_status Minor status
input_name_buffer Input name buffer which is interpreted based on the input_name_type
input_name_type OID of the name
output_name_P New gss_name_t value containing the name
Return values:
GSS_S_COMPLETE indicates that a valid name representation is output in output_name and described by the type value in output_name_type.
GSS_S_BAD_NAMETYPE indicates that the input_name_type is unsupported by the applicable underlying GSS-API mechanism(s), so the import operation could not be completed.
GSS_S_BAD_NAME indicates that the provided input_name_string is ill-formed in terms of the input_name_type, so the import operation could not be completed.
GSS_S_BAD_MECH indicates that the input presented for import was an exported name object and that its enclosed mechanism type was not recognized or was unsupported by the GSS-API implementation.
GSS_S_FAILURE indicates that the requested operation could not be performed for reasons unspecified at the GSS-API level.
Indicate Mechs. Passes back the mech set of available mechs. We only have one for now.
Parameters:
minor_status
mech_set
Inquire Context.
Parameters:
minor_status
context_handle_P
src_name_P
targ_name_P
lifetime_rec
mech_type
ctx_flags
locally_initiated
open
Returns:
Inquire Cred. We will also allow the return of the proxy file name, if the minor_status is set to a value of 57056 0xdee0 This is done since there is no way to pass back the delegated credential file name.
When 57056 is seen, this will cause a new copy of this credential to be written, and it is the user's responsibility to free the file when done. The name will be a pointer to a char * of the file name which must be freeed. The minor_status will be set to 57057 0xdee1 to indicate this.
DEE - this is a kludge, till the GSSAPI get a better way to return the name.
If the minor status is not changed from 57056 to 57057 assume it is not this gssapi, and a gss name was returned.
Parameters:
minor_status
cred_handle_P
name
lifetime
cred_usage
mechanisms
Returns:
Release Buffer.
Parameters:
minor_status
buffer
Return values:
GSS_S_COMPLETE Success
Release Credential. Release the GSSAPI credential handle
Parameters:
minor_status The minor status result - this is a globus_result_t cast to a OM_uint32. To access the globus error object use: globus_error_get((globus_result_t) *minor_status)
cred_handle_P The gss cred handle to be released
Return values:
GSS_S_COMPLETE Success
GSS Release Name. Release the GSS Name
Parameters:
minor_status The minor status result - this is a globus_result_t cast to a (OM_uint32 *).
name_P The GSSAPI name to be released
Return values:
GSS_S_COMPLETE Success
GSS_S_FAILURE Failure
Release OID Set. Release the OID set.
Parameters:
minor_status
mech_set
Return values:
GSS_S_COMPLETE Success
Seal. Obsolete variant of gss_wrap for V1 compatibility
Parameters:
minor_status
context_handle
conf_req_flag
qop_req
input_message_buffer
conf_state
output_message_buffer
Returns:
Sign. Deprecated. Does the same thing as gss_get_mic for V1 compatibility.
Parameters:
minor_status
context_handle
qop_req
message_buffer
message_token
Returns:
Test OID Set Member. Interrogates an Object Identifier set to determine whether a specified Object Identifier is a member. This routine is intended to be used with OID sets returned by GSS_Indicate_mechs(), GSS_Acquire_cred(), and GSS_Inquire_cred().
Parameters:
minor_status
member
set
present
Return values:
GSS_S_COMPLETE Success
GSS_S_FAILURE Operation failed
Unseal. Obsolete variant of gss_wrap for V1 compatibility allow for non 32 bit integer in qop_state.
Return the data from the wrapped buffer. There may also be errors, such as integrity errors. Since we can not communicate directly with our peer, we can not do everything SSL could, i.e. return a token for example.
Parameters:
minor_status
context_handle
input_message_buffer
output_message_buffer
conf_state
qop_state
Unwrap. GSSAPI routine to unwrap a buffer which may have been received and wraped by wrap.c
Return the data from the wrapped buffer. There may also be errors, such as integrity errors. Since we can not communicate directly with our peer, we can not do everything SSL could, i.e. return a token for example.
Parameters:
minor_status
context_handle
input_message_buffer
output_message_buffer
conf_state
qop_state
Verify. Obsolete variant of gss_verify for V1 compatibility Check a MIC of the date
Parameters:
minor_status
context_handle
message_buffer
token_buffer
qop_state
Returns:
Verify MIC. Check a MIC of the data
Parameters:
minor_status
context_handle
message_buffer
token_buffer
qop_state
Returns:
Wrap. Wrap a message for integrity and protection. We do this using the SSLv3 routines, by writing to the SSL bio, and pulling off the buffer from the back of the write BIO. But we can't do everything SSL might want, such as control messages, or segment the messages here, since we are forced to using the GSSAPI tokens, and can not communicate directly with our peer. So there maybe some failures which would work with true SSL.
Parameters:
minor_status
context_handle
conf_req_flag
qop_req
input_message_buffer
conf_state
output_message_buffer
Returns:
Wrap Size Limit. GSSAPI routine to take a buffer, calculate a MIC which is returned as a token. We will use the SSL protocol here.
Parameters:
minor_status
context_handle
conf_req_flag
qop_req
req_output_size
max_input_size
Generated automatically by Doxygen for globus_gssapi_gsi from the source code.