Plasma GitLab Archive
Projects Blog Knowledge 

(* $Id: netmech_gs2_sasl.mli 2195 2015-01-01 12:23:39Z gerd $ *)

(** The GS2 bridge for using GSSAPI mechanisms as SASL mechanisms *)

module type PROFILE =
  sig
    val mechanism_name : string
      (** The GS2 version of the mechanism name (w/o "-PLUS" suffix) *)

    val announce_channel_binding : bool
      (** Whether to announce the availability of channel binding by
          adding "-PLUS" to the mechanism name, and by offering
          channel bindings in the initial token.
       *)

    val mechanism_oid : Netsys_gssapi.oid
      (** The OID of the mechanism to use *)

    val client_additional_params : string list
      (** Additional parameters understood by [create_client_session] *)

    val server_additional_params : string list
      (** Additional parameters understood by [create_server_session] *)

    val client_map_user_name : 
           params:(string * string) list ->
           string -> 
             string * Netsys_gssapi.oid
      (** For clients: maps user names to a pair [(name_string,name_type)]
          that can be used in the GSSAPI for acquiring a name. 
          If the [name_type] is the empty
          array, no target name is passed to the GSSAPI.

          The [params] are from the [create_client_session] call.
       *)

    val server_map_user_name : 
           params:(string * string) list ->
           (string * Netsys_gssapi.oid) ->
             string
      (** For servers: maps a pair [(name_string,name_type)] coming from the
          GSSAPI to a user name. The
          [params] are from the [create_server_session] call.

          The function may raise [Not_found] in which case the authentication
          will fail.
       *)

    val client_get_target_name :
           params:(string * string) list ->
             (string * Netsys_gssapi.oid)
      (** For clients: get the GSSAPI name of the target to contact as
          [(name_string,name_type)] pair. If the [name_type] is the empty
         array, no target name is passed to the GSSAPI.

          The [params] are from the [create_client_session] call.
       *)


    val server_bind_target_name :
           params:(string * string) list ->
           (string * Netsys_gssapi.oid) option
      (** For servers: optionally bind the GSSAPI name of the server.  The
          [params] are from the [create_server_session] call.
       *)

    val server_check_target_name :
           params:(string * string) list ->
           (string * Netsys_gssapi.oid) ->
             bool
      (** For servers: check whether the GSSAPI name the client sent is the
          right one. This is a more flexible alternative to 
          [server_bind_target_name]: instead of binding to a single name,
          the client may send any target name, and we check now whether
          this name is acceptable.
          [params] are from the [create_server_session] call.
       *)

    val client_flags :
           params:(string * string) list ->
           ( Netsys_gssapi.req_flag * bool ) list
      (** Flags for [init_sec_context]. The bool says whether the flag is
          required (otherwise the feature is only offered). [`Mutual_flag]
          is always required.
       *)

    val server_flags :
           params:(string * string) list ->
           Netsys_gssapi.req_flag list
      (** Required flags for [accept_sec_context]. [`Mutual_flag]
          is always required.
       *)

    val client_credential : exn option
      (** If set, the client will use a certain credential (and not acquire
          one). This is intended for passing in delegated credentials (well,
          not really elegant). This needs to be set to the [Credential]
          exception of the GSSAPI provider.
       *)

  end


module GS2(P:PROFILE)(GSS:Netsys_gssapi.GSSAPI) : 
         Netsys_sasl_types.SASL_MECHANISM
  (** This is an adapter turning any GSSAPI mechanism into
      a SASL mechanism. This is the "GS2" technique as specified in RFC 5801.
      (Note that in particular for Kerberos there is the other specification
      RFC 4752 which is implemented in {!Netmech_krb5_sasl}.)

      Create the final module like
      {[
module P = struct
  let mechanism_name = "FOO"
  let announce_channel_binding = false
  let mechanism_oid = [| 1; ... |]
  let mechanism_acceptable_oid_set = [ [| 1; ... |]; ... ]
  ...
end

module S = Netmech_gs2_sasl.GS2(P)(Netgss.System)
      ]}

      {b Remarks for clients:}

      The profile specifies how user name strings are mapped to GSSAPI
      names. [authz] names are passed to the server as-is.

     {b Remarks for servers:}

     The profile specifies how GSSAPI names are mapped to user name strings.
     The [lookup] callback is then invoked with this user name, and the
     unaltered [authz] name.

     If [lookup] returns [Some c] for any [c] the user is accepted.
     If it returns [None] the user is declined.

    {b Parameters:}

       - The parameter [mutual] is understood but ignored. Mutual authentication
         is always requested from the GSSAPI mechanism.
       - The parameter [secure] is understood but ignored
         (GSSAPI is considered as secure method)

   *)
This web site is published by Informatikbüro Gerd Stolpmann
Powered by Caml