The Eternal List Of Extension Implementation

[DirectXMan12]

So, I went and compared the gssapi.h and gssapi_ext.h files with Python-GSSAPI to look for any extensions and/or additional RFCs that we missed.

Extensions (as indicated by being in gssapi_ext.h, for the most part)

Solaris

• buffer GSS_C_ATTR_LOCAL_LOGIN_USER
• gss_localname ( Implement gss_localname and friends #49 )
• gss_pname_to_uid ( Implement gss_localname and friends #49 )
• gss_userok ( Implement gss_localname and friends #49 )
• gss_authorize_localname ( Implement gss_localname and friends #49 )
• gss_acquire_cred_with_password ( Implement acquire_cred_with_password #5 )
• gss_add_cred_with_password ( Implement acquire_cred_with_password #5 )

GGF (Global Grid Forum) ( #51 )

• gss_inquire_sec_context_by_oid
• gss_inquire_cred_by_oid
• gss_set_sec_context_option
• gssapi_mech_invoke ??
• gss_import_cred (GGF variant, nobody implements this)
• gss_export_cred (GGF variant, nobody implements this)

AEAD / SSPI (DCE)

• gss_wrap_aead ( Implement IOV and AEAD Extensions #6 )
• gss_unwrap_aead ( Implement IOV and AEAD Extensions #6 )
• OID GSS_C_INQ_SSPI_SESSION_KEY
• gss_complete_auth_token
• gss_wrap_iov ( Implement IOV and AEAD Extensions #6 )
• gss_unwrap_iov ( Implement IOV and AEAD Extensions #6 )
• gss_wrap_iov_length ( Implement IOV and AEAD Extensions #6 )

IOV MIC

• gss_get_mic_iov ( Implement IOV and AEAD Extensions #6 )
• gss_get_mic_iov_length ( Implement IOV and AEAD Extensions #6 )
• gss_verify_mic_iov ( Implement IOV and AEAD Extensions #6 )

Services4User

• gss_acquire_cred_impersonate_name
• gss_add_cred_impersonate_name

Naming Extensions (actually RFC 6680)

• OID GSS_C_NT_COMPOSITE_EXPORT
• gss_display_name_ext
• gss_inquire_name
• gss_get_name_attribute
• gss_set_name_attribute
• gss_delete_name_attribute
• gss_export_name_composite

Capsulate (draft-josefsson-gss-capsulate)

• gss_encapsulate_token
• gss_decapsulate_token
• gss_oid_equal

Cred Store

• gss_acquire_cred_from
• gss_add_cred_from
• gss_store_cred_into

Cred Import/Export

• gss_export_cred ( Actually wrap the low-level credentials import-export extension #25 )
• gss_import_cred ( Actually wrap the low-level credentials import-export extension #25 )

Credentials Options (see #51 (comment))

• gss_set_cred_option

Additional RFCs (in gssapi.h)

RFC 4401 (Pseduo-Random Generators)

• gss_pseudo_random

RFC 5588 (Store Cred)

• gss_store_cred

RFC 4178 (SPNEGO)

• gss_set_neg_mechs ( Implement RFC 4178 (SPNEGO) related extensions #50 )
• gss_get_neg_mechs (NOT ACTUALLY PRESENT)

RFC 5587 (Mechanism Inquiry)

• gss_indicate_mechs_by_attrs
• gss_inquire_attrs_for_mech
• gss_display_mech_attr

RFC 5801 (GSSAPI-SASL Naming)

• gss_inquire_saslname_for_mech
• gss_inquire_mech_for_saslname

Mechanism Specific Extensions

Krb5 Specific Extensions (gssapi_krb5.h) (#75)

• GSS_KRB5_NT_PRINCIPAL_NAME
• gss_krb5_ccache_name
• gss_krb5_copy_ccache (use case unclear, deprecated on macOS)
• gss_krb5_get_tkt_flags
• gss_krb5_set_allowable_enctypes
• gss_krb5_export_lucid_sec_context
• gss_krb5_free_lucid_sec_context
• gsskrb5_extract_authz_data_from_sec_context
• gsskrb5_extract_authtime_from_sec_context

The following functionality is also available through the cred_store API
extensions so we may elect not to implement them at all:

• gss_krb5_set_cred_rcache (not implemented by Heimdal)
• gss_krb5_import_cred (implemented because Heimdal doesn't support cred store extensions)