Implement Global Grid Forum Extensions #51

Closed
DirectXMan12 opened this issue Feb 16, 2015 · 11 comments

@DirectXMan12
Member

DirectXMan12 commented Feb 16, 2015

  • gss_inquire_sec_context_by_oid
  • gss_inquire_cred_by_oid
  • gss_set_sec_context_option
  • gss_set_cred_option (probably not GGF)
  • gss_{import,export}_cred (GGF variants, nobody implements them, so we should just skip them)

@jborean93
Contributor

@DirectXMan12 the docs seem to be out of date, but I cannot find any reference to gss_set_cred_option in the GGF doc https://www.ogf.org/documents/GFD.24.pdf. Then again, the documentation on the GGF extensions seems to be very rare, so I could be missing something.

@frozencemetery
Member

frozencemetery commented Jan 11, 2018

@jborean93 Hmm, it's not mentioned in the IETF draft either. We pulled this list from krb5's gssapi_ext.h I think, which does have it there. Doing some excavation, it doesn't look like it is actually a GGF extension:

  • It says GGF extension in gssapi_ext.h, but it's not in any GGF docs I can find
  • at 19b34d5112cc13214f6a47962be89f199966a449 it had a note of /* XXX do these really belong in this header? */ right above it
  • looks like it was gssspi before that?
  • heimdal added it in 2006, with a 2004 copyright on PADL and no other notes
  • krb5 adds it in a huge (svn) merge commit in 2009 (0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d)

@frozencemetery
Member

Upstream believes it's a nonstandard extension mostly from Heimdal (possibly with MIT input). In light of that, it doesn't belong with the other GGF extensions, and the only documentation we're going to get is likely to be the implementations.

@frozencemetery
Member

frozencemetery commented Jan 11, 2018

Further, it appears that gss_import/export_cred are from the GGF extensions, so we probably want to pool that with these.

@jborean93
Contributor

@frozencemetery I saw references to that, but it seems like there is already an implementation for a different gss_import/export_cred here https://github.com/pythongssapi/python-gssapi/blob/master/gssapi/raw/ext_cred_imp_exp.pyx which is

OM_uint32 gss_export_cred(
        OM_uint32 *min_stat,
        gss_cred_id_t cred_handle,
        gss_buffer_t token)

This is different from the GGF definition

OM_uint32 gss_export_cred(
        OM_uint32 * minor_status,
        const gss_cred_id_t cred_handle,
        const gss_OID desired_mech,
        gss_OID * actual_mech,
        OM_uint32 option_req,
        gss_buffer_t export_buffer)

Not sure if this would lead to conflicts, as gssapi.raw seems to import all, plus the GGF definition doesn't appear in gaapi/gssapi_ext.h that you linked.

@DirectXMan12
Member Author

DirectXMan12 commented Jan 16, 2018

Ooof. Does anyone implement the GGF variants (doesn't look like MIT krb5 does)? If nobody implements them, I'm tempted to leave a note about it in the docs until someone complains about it.

At any rate, we'd probably want to put those two (the GGF variants of import/export) into their own file and then not import them into the root gssapi.raw namespace like we do for everything else.

@jborean93
Contributor

Looks like Heimdal uses the non-GGF variant https://github.com/heimdal/heimdal/blob/master/lib/gssapi/gssapi/gssapi.h#L946-L953. So not sure if we even want to define the GGF one, as I don't know if it is implemented anywhere?

@DirectXMan12
Member Author

yeah, let's just skip the GGF variants for now

@simo5
Contributor

simo5 commented Jan 16, 2018

We want only what is available in MIT/Heimdal unless someone can come up with a library that implements other variants.

@DirectXMan12
Member Author

I've updated #48 (The Eternal List of Extension Implementation) with the new information (new placement of set_cred_options, GGF import/export variants) from this issue

@jborean93
Contributor

@DirectXMan12 also OID GSS_C_INQ_SSPI_SESSION_KEY is set under AEAD when in fact it is retrieved by gss_inquire_sec_context_by_oid (added in #141)
