module Netgssapi : sig .. end
type oid =
int array
GSS_C_NO_OID
type oid_set =
oid list
GSS_C_NO_OID_SET
type credential =
< otype : [ `Credential ] >
Invalid_argument
type context =
< otype : [ `Context ]; valid : bool >
credential
.
The method valid is true as long as the context has not been deleted.
type token =
string
type interprocess_token =
string
type calling_error =
[ `Bad_structure | `Inaccessible_read | `Inaccessible_write | `None ]
type routine_error =
[ `Bad_QOP
| `Bad_bindings
| `Bad_mech
| `Bad_mic
| `Bad_name
| `Bad_nametype
| `Bad_status
| `Context_expired
| `Credentials_expired
| `Defective_credential
| `Defective_token
| `Duplicate_element
| `Failure
| `Name_not_mn
| `No_context
| `No_cred
| `None
| `Unauthorized
| `Unavailable ]
type suppl_status =
[ `Continue_needed
| `Duplicate_token
| `Gap_token
| `Old_token
| `Unseq_token ]
type major_status =
calling_error * routine_error *
suppl_status list
type minor_status =
int32
int32 is signed.
type name =
< otype : [ `Name ] >
credential
type address =
[ `Inet of Unix.inet_addr
| `Local of string
| `Nulladdr
| `Other of int32 * string
| `Unspecified of string ]
type channel_bindings =
address * address * string
(initiator_address, acceptor_address, application_data)
type cred_usage =
[ `Accept | `Both | `Initiate ]
type qop =
< otype : [ `QOP ] >
type message =
Xdr_mstring.mstring list
mstring
type ret_flag =
[ `Anon_flag
| `Conf_flag
| `Deleg_flag
| `Integ_flag
| `Mutual_flag
| `Prot_ready_flag
| `Replay_flag
| `Sequence_flag
| `Trans_flag ]
accept_sec_context method
type req_flag =
[ `Anon_flag
| `Conf_flag
| `Deleg_flag
| `Integ_flag
| `Mutual_flag
| `Replay_flag
| `Sequence_flag ]
init_sec_context
method
Errors should be reported using the major_status
and minor_status
codes as much as possible.
Invalid_argument
may be raised for clear violations of calling
requirements, e.g. when an opaque object is passed to this interface
that was not returned by it before.
m : 't . arg1 -> ... -> argN -> out:( ret1 -> ... -> retM -> 't ) -> 't
where the args are input arguments (with the exception of context
which is in/out), and where outputs are passed back by calling the out
functions with the outputs. The return value of out
is the return
value of the method call.
For example, if only output_token
of the accept_sec_context
method
is needed, one could call this method as in
let output_token =
gss_api # accept_sec_context
...
~out:(fun ~src_name ~mech_type ~output_token ~ret_flags
~time_rec ~delegated_cred_handle ~minor_status
~major_status ->
output_token
)
Output values may not be defined when major_status
indicates
an error. (But see the RFC for details; especially init_sec_context
and accept_sec_context
may emit tokens even when major_status
indicates an error.)
The names of the parameters are taken from RFC 2744, only
suffixes like _handle
have been removed. When the prefixes
input_
and output_
are meaningless, they are also removed.
All prefixes like "GSS" are removed anyway.
class type gss_api = object .. end
val string_of_calling_error : calling_error -> string
val string_of_routine_error : routine_error -> string
val string_of_suppl_status : suppl_status -> string
val string_of_major_status : major_status -> string
val nt_hostbased_service : oid
val nt_user_name : oid
val nt_machine_uid_name : oid
val nt_string_uid_name : oid
val nt_anonymous : oid
val nt_export_name : oid
val parse_hostbased_service : string -> string * string
Returns (service, host) for "service@host".
val oid_to_string : oid -> string
val string_to_oid : string -> oid
val oid_to_der : oid -> string
val der_to_oid : string -> int Pervasives.ref -> oid
der_to_oid takes a cursor as second arg.
val wire_encode_token : oid -> token -> string
val wire_decode_token : string -> int Pervasives.ref -> oid * token
val encode_exported_name : oid -> string -> string
val decode_exported_name : string -> int Pervasives.ref -> oid * string
val create_mic_token : sent_by_acceptor:bool ->
acceptor_subkey:bool ->
sequence_number:int64 ->
get_mic:(message -> string) -> message:message -> string
sent_by_acceptor: whether this token comes from the acceptor
acceptor_subkey: see RFC
sequence_number: a sequence number
get_mic: the checksum function (e.g. Netmech_scram.Cryptosystem.get_mic)
message: the message to be signed
val parse_mic_token_header : string -> bool * bool * int64
Returns (sent_by_acceptor, acceptor_subkey, sequence_number) from
the header of a MIC token that is passed to this function as
string. Fails if not parsable.
val verify_mic_token : get_mic:(message -> string) ->
message:message -> token:string -> bool
Verifies token with get_mic, and returns true if the
verification is successful.
val create_wrap_token_conf : sent_by_acceptor:bool ->
acceptor_subkey:bool ->
sequence_number:int64 ->
get_ec:(int -> int) ->
encrypt_and_sign:(message -> message) ->
message:message -> message
Creates a wrap token for message so that it is encrypted and signed (confidential).
sent_by_acceptor: whether this token comes from the acceptor
acceptor_subkey: see RFC
sequence_number: a sequence number
get_ec: this function returns the "extra count" number for
the size of the plaintext w/o filler (e.g. use
Netmech_scram.Cryptosystem.get_ec).
encrypt_and_sign: the encryption function from the cryptosystem.
The plaintext is passed to this function, and the ciphertext with
the appended signature must be returned in the string.
message: the payload message
val parse_wrap_token_header : message -> bool * bool * bool * int64
let (sent_by_acceptor, sealed, acceptor_subkey, sequence_number) =
parse_wrap_token_header token
Fails if the token
cannot be parsed.
val unwrap_wrap_token_conf : decrypt_and_verify:(message -> message) ->
token:message -> message
Unwraps token using the decryption function decrypt_and_verify
from the cryptosystem.
The function fails if there is a format error or if the integrity check fails.
Non-confidential messages cannot be unwrapped with this function.