module Netsys_gssapi : sig .. end
GSS-API Definition
This is mainly a translation of RFC 2743/2744 to OCaml.
The following other modules are also interesting in this context:
type oid = int array
OIDs like "1.3.6.1.5.6.2" as an array of ints. The empty array means GSS_C_NO_OID. See also Netoid.
type oid_set = oid list
A set of OIDs. These lists should not contain an OID twice. The empty list means GSS_C_NO_OID_SET.
type token = string
Authentication tokens. These are also opaque to the caller, but have a string representation so that they can be sent over the wire.
type interprocess_token = string
Interprocess tokens. These are also opaque to the caller, but have a string representation so that they can be sent over the wire.
type calling_error = [ `Bad_structure | `Inaccessible_read | `Inaccessible_write | `None ]
Possible errors caused by the caller
type routine_error =
  [ `Bad_QOP
  | `Bad_bindings
  | `Bad_mech
  | `Bad_mic
  | `Bad_name
  | `Bad_nametype
  | `Bad_status
  | `Context_expired
  | `Credentials_expired
  | `Defective_credential
  | `Defective_token
  | `Duplicate_element
  | `Failure
  | `Name_not_mn
  | `No_context
  | `No_cred
  | `None
  | `Unauthorized
  | `Unavailable ]
Possible errors caused by the provider
type suppl_status =
  [ `Continue_needed
  | `Duplicate_token
  | `Gap_token
  | `Old_token
  | `Unseq_token ]
Further flags
type major_status = calling_error * routine_error * suppl_status list
The major status consists of these three elements. The bits of the supplementary status field are represented as a list.
type minor_status = int32
The minor status is provider-specific. Note that GSS-API defines it as an unsigned 32-bit integer whereas int32 is signed.
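The three components of a major_status are best checked separately: the calling and routine errors decide success, while the supplementary list carries `Continue_needed for the token loop and the replay/sequence indicators a server should log rather than ignore. This is an added example written against the types above; it is not part of Netsys_gssapi, and the outcome type is an assumption of the example.

```ocaml
open Netsys_gssapi

(* Hypothetical result type for this example only. *)
type outcome =
  | Complete            (* context established, no further token needed *)
  | Continue            (* caller must exchange another token *)
  | Error of string     (* human-readable description from string_of_major_status *)

(* Supplementary bits that indicate out-of-order, replayed or missing
   tokens. Worth a log line even when the call itself succeeded. *)
let sequence_anomalies (suppl : suppl_status list) : string list =
  suppl
  |> List.filter (function
       | `Duplicate_token | `Gap_token | `Old_token | `Unseq_token -> true
       | `Continue_needed -> false)
  |> List.map string_of_suppl_status

(* Classify a major status and return any sequence anomalies alongside. *)
let classify (maj : major_status) : outcome * string list =
  let (calling, routine, suppl) = maj in
  let anomalies = sequence_anomalies suppl in
  match calling, routine with
  | `None, `None ->
      if List.mem `Continue_needed suppl then (Continue, anomalies)
      else (Complete, anomalies)
  | _ ->
      (* Any non-`None calling or routine error is a failure; the string
         form is what you want in the log message. *)
      (Error (string_of_major_status maj), anomalies)

(* Constructed sample values, not output of a real provider. *)
let ok_with_replay : major_status = (`None, `None, [ `Continue_needed; `Old_token ])
let failed : major_status = (`None, `Defective_token, [])

let () =
  List.iter
    (fun maj ->
       match classify maj with
       | Complete, a -> Printf.printf "complete, anomalies=[%s]\n" (String.concat ";" a)
       | Continue, a -> Printf.printf "continue, anomalies=[%s]\n" (String.concat ";" a)
       | Error msg, _ -> Printf.printf "error: %s\n" msg)
    [ ok_with_replay; failed ]
```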
type address =
  [ `Inet of Unix.inet_addr
  | `Local of string
  | `Nulladdr
  | `Other of int32 * string
  | `Unspecified of string ]
Addresses tagged by address types
type channel_bindings = address * address * string
Channel binding as tuple (initiator_address, acceptor_address, application_data)
type cred_usage = [ `Accept | `Both | `Initiate ]
type qop = int32
Quality-of-protection parameters are mechanism-specific. The value 0 can always be used for a default protection level.
type message = Netsys_types.mstring list
Messages are represented as lists of mstring
type ret_flag =
  [ `Anon_flag
  | `Conf_flag
  | `Deleg_flag
  | `Integ_flag
  | `Mutual_flag
  | `Prot_ready_flag
  | `Replay_flag
  | `Sequence_flag
  | `Trans_flag ]
Flags for the accept_sec_context method
type req_flag =
  [ `Anon_flag
  | `Conf_flag
  | `Deleg_flag
  | `Integ_flag
  | `Mutual_flag
  | `Replay_flag
  | `Sequence_flag ]
Flags for the init_sec_context method
type time = [ `Indefinite | `This of float ]
class type ['credential, 'name, 'context] poly_gss_api = object .. end
module type GSSAPI = sig .. end
These functions convert values to strings. Useful for generating log messages.
val string_of_calling_error : calling_error -> string
val string_of_routine_error : routine_error -> string
val string_of_suppl_status : suppl_status -> string
val string_of_major_status : major_status -> string
val string_of_flag : ret_flag -> string
Name types. See RFC 2078, section 4.
val nt_hostbased_service : oid
names like "service@hostname"
val nt_hostbased_service_alt : oid
another OID for the same (RFC 1964 mentions it)
val nt_user_name : oid
names like "username"
val nt_machine_uid_name : oid
user ID in host byte order
val nt_string_uid_name : oid
user ID as string of digits
val nt_anonymous : oid
anonymous name
val nt_export_name : oid
an export name
val nt_krb5_principal_name : oid
a Kerberos 5 principal name (see Netgssapi_support for parsers)
val parse_hostbased_service : string -> string * string
Returns (service, host) for "service@host". Fails if not parseable.
type support_level = [ `If_possible | `None | `Required ]
class type client_config = object .. end
val create_client_config : ?mech_type:oid ->
  ?initiator_name:string * oid ->
  ?initiator_cred:exn ->
  ?target_name:string * oid ->
  ?privacy:support_level ->
  ?integrity:support_level ->
  ?flags:(req_flag * support_level) list ->
  unit -> client_config
mech_type is the GSSAPI mechanism to use. If left unspecified, a default is used. target_name is the name of the service to connect to. initiator_name identifies and authenticates the client.
Note that you can normally omit all of mech_type, target_name, and initiator_name, as GSSAPI already substitutes reasonable defaults (at least if Kerberos is available as mechanism).
If you have a delegated credential you can also pass it as initiator_cred. This must be a Credential exception from the GSSAPI provider. initiator_cred has precedence over initiator_name.
privacy and integrity specify the desired level of protection. By default, both integrity and privacy are enabled if available, but it is no error if the mechanism doesn't support these features.
flags: additional GSSAPI flags. These should not contain `Conf_flag and `Integ_flag (instead use privacy and integrity, resp.).
class type client_props = object .. end
Return properties of the client context
val marshal_client_props : client_props -> string
val unmarshal_client_props : string -> client_props
class type server_config = object .. end
val create_server_config : ?mech_types:oid list ->
  ?acceptor_name:string * oid ->
  ?privacy:support_level ->
  ?integrity:support_level ->
  ?flags:(req_flag * support_level) list ->
  unit -> server_config
mech_types is the list of GSSAPI mechanisms that are acceptable. If left unspecified, a default is used. acceptor_name is the name of the service to offer.
Note that you can normally omit mech_types, as GSSAPI already substitutes reasonable defaults (at least if Kerberos is available as mechanism). acceptor_name should normally be specified.
privacy and integrity specify the desired level of protection. By default, both integrity and privacy are enabled if available, but it is no error if the mechanism doesn't support these features.
flags: additional GSSAPI flags. These should not contain `Conf_flag and `Integ_flag (instead use privacy and integrity, resp.).
class type server_props = object .. end
Return properties of the server context
val marshal_server_props : server_props -> string
val unmarshal_server_props : string -> server_props
This doesn't restore deleg_credential, which is unmarshallable!
Some conversions have been moved to Netoid:
oid_to_string is now Netoid.to_string_curly
string_to_oid is now Netoid.of_string_curly
The remaining functions can now be found in Netgssapi_support.
All functions have been moved to Netgssapi_support
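Both create_client_config and create_server_config default privacy and integrity to "enabled if available", which silently accepts a mechanism that offers neither. The following added example (not part of Netsys_gssapi or Ocamlnet) builds configurations that instead fail context setup unless confidentiality, integrity, mutual authentication and replay/sequence detection are all granted; the helper names and the service string are assumptions of the example.

```ocaml
open Netsys_gssapi

(* Flags a defender normally wants enforced rather than merely requested.
   `Conf_flag and `Integ_flag are deliberately absent: the doc says to use
   the privacy and integrity arguments for those. *)
let strict_flags : (req_flag * support_level) list =
  [ (`Mutual_flag, `Required);      (* both sides authenticate *)
    (`Replay_flag, `Required);      (* provider detects replayed messages *)
    (`Sequence_flag, `Required) ]   (* provider detects out-of-order messages *)

(* Client side. target must be of the form "service@host"; parse_hostbased_service
   fails on anything else, so an unparseable target never reaches the provider. *)
let strict_client_config (target : string) : client_config =
  let (_service, _host) = parse_hostbased_service target in
  create_client_config
    ~target_name:(target, nt_hostbased_service)
    ~privacy:`Required
    ~integrity:`Required
    ~flags:strict_flags
    ()

(* Server side: name the service we offer explicitly, as the doc recommends,
   and demand the same protection level from the accepted context. *)
let strict_server_config (acceptor : string) : server_config =
  let (_service, _host) = parse_hostbased_service acceptor in
  create_server_config
    ~acceptor_name:(acceptor, nt_hostbased_service)
    ~privacy:`Required
    ~integrity:`Required
    ~flags:strict_flags
    ()

let () =
  (* "imap@mail.example.com" is a constructed sample target. *)
  let _client = strict_client_config "imap@mail.example.com" in
  let _server = strict_server_config "imap@mail.example.com" in
  (* A malformed target is rejected before any GSS-API call is made. *)
  (match strict_client_config "no-at-sign-here" with
   | _ -> print_endline "unexpected: malformed target accepted"
   | exception _ -> print_endline "malformed target rejected");
  print_endline "strict configs built"
```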