Network Working Group                                        N. Williams
Request for Comments: 5587                                           Sun
Category: Standards Track                                      July 2009
Extended Generic Security Service Mechanism Inquiry APIs
Abstract
This document introduces new application programming interfaces (APIs) to the Generic Security Services API (GSS-API) for extended mechanism attribute inquiry. These interfaces are primarily intended to reduce instances of hardcoding of mechanism identifiers in GSS applications.
These interfaces include mechanism attributes and attribute sets, a function for inquiring the attributes of a mechanism, a function for indicating mechanisms that possess given attributes, and a function for displaying mechanism attributes.
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Table of Contents
   1.  Introduction
   2.  Conventions Used in This Document
   3.  New GSS-API Interfaces
       3.1.  Mechanism Attributes and Attribute Sets
       3.2.  List of Known Mechanism Attributes
       3.3.  Mechanism Attribute Sets of Existing Mechs
       3.4.  New GSS-API Function Interfaces
             3.4.1.  Mechanism Attribute Criticality
             3.4.2.  GSS_Indicate_mechs_by_attrs()
             3.4.3.  GSS_Inquire_attrs_for_mech()
             3.4.4.  GSS_Display_mech_attr()
             3.4.5.  New Major Status Values
             3.4.6.  C-Bindings
   4.  Requirements for Mechanism Designers
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
       7.1.  Normative References
       7.2.  Informative References
   Appendix A.  Typedefs and C Bindings
1.  Introduction
GSS-API [RFC2743] mechanisms have a number of properties that may be of interest to applications. The lack of APIs for inquiring about available mechanisms' properties has meant that many GSS-API applications must hardcode mechanism Object Identifiers (OIDs). Ongoing work may result in a variety of new GSS-API mechanisms. Applications should not have to hardcode their OIDs.
For example, the Secure Shell version 2 (SSHv2) protocol [RFC4251] supports the use of GSS-API mechanisms for authentication [RFC4462] but explicitly prohibits the use of Simple and Protected GSS-API Negotiation (SPNEGO) [RFC4178]. Future mechanisms that negotiate mechanisms would have to be forbidden as well, but there has been no way to implement applications that inquire what mechanisms are available and then programmatically exclude mechanisms "like SPNEGO".
2.  Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
3.  New GSS-API Interfaces
We introduce a new concept -- that of mechanism attributes. By allowing applications to query the set of attributes associated with individual mechanisms and to find out which mechanisms support a given set of attributes, we allow applications to select mechanisms based on their attributes without having to hardcode mechanism OIDs.
Section 3.1 describes the mechanism attributes concept. Sections 3.4.2, 3.4.3, and 3.4.4 describe three new interfaces that deal in mechanisms and attribute sets:
o GSS_Indicate_mechs_by_attrs()
o GSS_Inquire_attrs_for_mech()
o GSS_Display_mech_attr()
3.1.  Mechanism Attributes and Attribute Sets
An abstraction for the features provided by mechanisms and pseudo-mechanisms is needed in order to facilitate the programmatic selection of mechanisms. Pseudo-mechanisms are mechanisms that make reference to other mechanisms in order to provide their services. For example, SPNEGO is a pseudo-mechanism, for without other mechanisms SPNEGO is useless.
Two data types are needed: one for individual mechanism attributes and one for mechanism attribute sets. To simplify the mechanism attribute interfaces, we reuse the 'OID' and 'OID set' data types and model individual mechanism attribute types as OIDs.
To this end, we define an open namespace of mechanism attributes and assign them arcs off of this OID:
<1.3.6.1.5.5.13>
Each mechanism has a set of mechanism attributes that it supports as described in its specification.
3.2.  List of Known Mechanism Attributes

   +-------------------------+---------+-------------------------+
   | Mech Attr Name          | OID Arc | Arc Name                |
   +-------------------------+---------+-------------------------+
   | GSS_C_MA_MECH_CONCRETE  | (1)     | concrete-mech           |
   | GSS_C_MA_MECH_PSEUDO    | (2)     | pseudo-mech             |
   | GSS_C_MA_MECH_COMPOSITE | (3)     | composite-mech          |
   | GSS_C_MA_MECH_NEGO      | (4)     | mech-negotiation-mech   |
   | GSS_C_MA_MECH_GLUE      | (5)     | mech-glue               |
   | GSS_C_MA_NOT_MECH       | (6)     | not-mech                |
   | GSS_C_MA_DEPRECATED     | (7)     | mech-deprecated         |
   | GSS_C_MA_NOT_DFLT_MECH  | (8)     | mech-not-default        |
   | GSS_C_MA_ITOK_FRAMED    | (9)     | initial-is-framed       |
   | GSS_C_MA_AUTH_INIT      | (10)    | auth-init-princ         |
   | GSS_C_MA_AUTH_TARG      | (11)    | auth-targ-princ         |
   | GSS_C_MA_AUTH_INIT_INIT | (12)    | auth-init-princ-initial |
   | GSS_C_MA_AUTH_TARG_INIT | (13)    | auth-targ-princ-initial |
   | GSS_C_MA_AUTH_INIT_ANON | (14)    | auth-init-princ-anon    |
   | GSS_C_MA_AUTH_TARG_ANON | (15)    | auth-targ-princ-anon    |
   | GSS_C_MA_DELEG_CRED     | (16)    | deleg-cred              |
   | GSS_C_MA_INTEG_PROT     | (17)    | integ-prot              |
   | GSS_C_MA_CONF_PROT      | (18)    | conf-prot               |
   | GSS_C_MA_MIC            | (19)    | mic                     |
   | GSS_C_MA_WRAP           | (20)    | wrap                    |
   | GSS_C_MA_PROT_READY     | (21)    | prot-ready              |
   | GSS_C_MA_REPLAY_DET     | (22)    | replay-detection        |
   | GSS_C_MA_OOS_DET        | (23)    | oos-detection           |
   | GSS_C_MA_CBINDINGS      | (24)    | channel-bindings        |
   | GSS_C_MA_PFS            | (25)    | pfs                     |
   | GSS_C_MA_COMPRESS       | (26)    | compress                |
   | GSS_C_MA_CTX_TRANS      | (27)    | context-transfer        |
   | <reserved>              | (28...) |                         |
   +-------------------------+---------+-------------------------+

Table 1
   +-------------------------+-----------------------------------------+
   | Mech Attr Name          | Purpose                                 |
   +-------------------------+-----------------------------------------+
   | GSS_C_MA_MECH_CONCRETE  | Indicates that a mech is neither a      |
   |                         | pseudo-mechanism nor a composite        |
   |                         | mechanism.                              |
   | GSS_C_MA_MECH_PSEUDO    | Indicates that a mech is a              |
   |                         | pseudo-mechanism.                       |
   | GSS_C_MA_MECH_COMPOSITE | Indicates that a mech is a composite of |
   |                         | other mechanisms. This is reserved for  |
   |                         | a specification of "stackable"          |
   |                         | pseudo-mechanisms.                      |
   | GSS_C_MA_MECH_NEGO      | Indicates that a mech negotiates other  |
   |                         | mechs (e.g., SPNEGO has this            |
   |                         | attribute).                             |
   | GSS_C_MA_MECH_GLUE      | Indicates that the OID is not for a     |
   |                         | mechanism but for the GSS-API itself.   |
   | GSS_C_MA_NOT_MECH       | Indicates that the OID is known, yet it |
   |                         | is also known not to be the OID of any  |
   |                         | GSS-API mechanism (or of the GSS-API    |
   |                         | itself).                                |
   | GSS_C_MA_DEPRECATED     | Indicates that a mech (or its OID) is   |
   |                         | deprecated and MUST NOT be used as a    |
   |                         | default mechanism.                      |
   | GSS_C_MA_NOT_DFLT_MECH  | Indicates that a mech (or its OID) MUST |
   |                         | NOT be used as a default mechanism.     |
   | GSS_C_MA_ITOK_FRAMED    | Indicates that the given mechanism's    |
   |                         | initial context tokens are properly     |
   |                         | framed as per Section 3.1 of [RFC2743]. |
   | GSS_C_MA_AUTH_INIT      | Indicates support for authentication of |
   |                         | initiator to acceptor.                  |
   | GSS_C_MA_AUTH_TARG      | Indicates support for authentication of |
   |                         | acceptor to initiator.                  |
   | GSS_C_MA_AUTH_INIT_INIT | Indicates support for "initial"         |
   |                         | authentication of initiator to          |
   |                         | acceptor. "Initial authentication"      |
   |                         | refers to the use of passwords, or keys |
   |                         | stored on tokens, for authentication.   |
   |                         | Whether a mechanism supports initial    |
   |                         | authentication may depend on IETF       |
   |                         | consensus (see Security                 |
   |                         | Considerations).                        |
   | GSS_C_MA_AUTH_TARG_INIT | Indicates support for initial           |
   |                         | authentication of acceptor to           |
   |                         | initiator.                              |
   | GSS_C_MA_AUTH_INIT_ANON | Indicates support for                   |
   |                         | GSS_C_NT_ANONYMOUS as an initiator      |
   |                         | principal name.                         |
   | GSS_C_MA_AUTH_TARG_ANON | Indicates support for                   |
   |                         | GSS_C_NT_ANONYMOUS as a target          |
   |                         | principal name.                         |
   | GSS_C_MA_DELEG_CRED     | Indicates support for credential        |
   |                         | delegation.                             |
   | GSS_C_MA_INTEG_PROT     | Indicates support for per-message       |
   |                         | integrity protection.                   |
   | GSS_C_MA_CONF_PROT      | Indicates support for per-message       |
   |                         | confidentiality protection.             |
   | GSS_C_MA_MIC            | Indicates support for Message Integrity |
   |                         | Code (MIC) tokens.                      |
   | GSS_C_MA_WRAP           | Indicates support for WRAP tokens.      |
   | GSS_C_MA_PROT_READY     | Indicates support for per-message       |
   |                         | protection prior to full context        |
   |                         | establishment.                          |
   | GSS_C_MA_REPLAY_DET     | Indicates support for replay detection. |
   | GSS_C_MA_OOS_DET        | Indicates support for out-of-sequence   |
   |                         | detection.                              |
   | GSS_C_MA_CBINDINGS      | Indicates support for channel bindings. |
   | GSS_C_MA_PFS            | Indicates support for Perfect Forward   |
   |                         | Secrecy (PFS).                          |
   | GSS_C_MA_COMPRESS       | Indicates support for compression of    |
   |                         | data inputs to GSS_Wrap().              |
   | GSS_C_MA_CTX_TRANS      | Indicates support for security context  |
   |                         | export/import.                          |
   +-------------------------+-----------------------------------------+

Table 2
3.3.  Mechanism Attribute Sets of Existing Mechs
The Kerberos V mechanism [RFC1964] provides the following mechanism attributes:
o GSS_C_MA_MECH_CONCRETE
o GSS_C_MA_ITOK_FRAMED
o GSS_C_MA_AUTH_INIT
o GSS_C_MA_AUTH_TARG
o GSS_C_MA_DELEG_CRED
o GSS_C_MA_INTEG_PROT
o GSS_C_MA_CONF_PROT
o GSS_C_MA_MIC
o GSS_C_MA_WRAP
o GSS_C_MA_PROT_READY
o GSS_C_MA_REPLAY_DET
o GSS_C_MA_OOS_DET
o GSS_C_MA_CBINDINGS
o GSS_C_MA_CTX_TRANS (some implementations, using implementation-specific exported context token formats)
The Kerberos V mechanism also has a deprecated OID that has the same mechanism attributes as above as well as GSS_C_MA_DEPRECATED.
The mechanism attributes of the Simple Public-Key GSS-API Mechanism (SPKM) [RFC2025] family of mechanisms will be provided in a separate document, as SPKM is currently being reviewed for possibly significant changes due to problems in its specifications.
The Low Infrastructure Public Key (LIPKEY) mechanism [RFC2847] offers the following attributes:
o GSS_C_MA_MECH_CONCRETE
o GSS_C_MA_ITOK_FRAMED
o GSS_C_MA_AUTH_INIT_INIT
o GSS_C_MA_AUTH_TARG (from SPKM-3)
o GSS_C_MA_AUTH_TARG_ANON (from SPKM-3)
o GSS_C_MA_INTEG_PROT
o GSS_C_MA_CONF_PROT
o GSS_C_MA_REPLAY_DET
o GSS_C_MA_OOS_DET
o GSS_C_MA_CTX_TRANS (some implementations, using implementation-specific exported context token formats)
(LIPKEY should also provide GSS_C_MA_CBINDINGS, but SPKM-3 requires clarifications on this point.)
The SPNEGO mechanism [RFC4178] provides the following attributes:
o GSS_C_MA_MECH_NEGO
o GSS_C_MA_ITOK_FRAMED
All other mechanisms' attributes will be described elsewhere.
3.4.  New GSS-API Function Interfaces
Several new interfaces are given by which, for example, GSS-API applications may determine what features are provided by a given mechanism and what mechanisms provide what features.
These new interfaces are all OPTIONAL.
Applications should use GSS_Indicate_mechs_by_attrs() instead of GSS_Indicate_mechs() wherever possible.
Applications can use GSS_Indicate_mechs_by_attrs() to determine what, if any, mechanisms provide a given set of features.
GSS_Indicate_mechs_by_attrs() can also be used to indicate (as in GSS_Indicate_mechs()) the set of available mechanisms of each type (concrete, mechanism negotiation pseudo-mechanism, etc.).
3.4.1.  Mechanism Attribute Criticality
Mechanism attributes may be added at any time. Not only may attributes be added to the list of known mechanism attributes at any time, but the set of mechanism attributes supported by a mechanism can be changed at any time.
For example, new attributes might be added to reflect whether a mechanism's initiator must contact an online infrastructure and/or whether the acceptor must do so. In this example, the Kerberos V mechanism would gain a new attribute even though the mechanism itself is not modified.
Applications making use of attributes not defined herein would then have no way of knowing whether a GSS-API implementation and its mechanisms know about new mechanism attributes. To address this problem, GSS_Indicate_mechs_by_attrs() and GSS_Inquire_attrs_for_mech() support a notion of critical mechanism attributes. Applications can search for mechanisms that understand mechanism attributes that are critical to the application, and the application may ask what mechanism attributes are understood by a given mechanism.
3.4.2.  GSS_Indicate_mechs_by_attrs()
Inputs:
o desired_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* OIDs that the mechanisms indicated in the mechs output parameter MUST offer.
o except_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* OIDs that the mechanisms indicated in the mechs output parameter MUST NOT offer.
o critical_mech_attrs SET OF OBJECT IDENTIFIER -- set of GSS_C_MA_* OIDs that the mechanisms indicated in the mechs output parameter MUST understand (i.e., mechs must know whether critical attributes are or are not supported).
Outputs:
o major_status INTEGER
o minor_status INTEGER
o mechs SET OF OBJECT IDENTIFIER -- set of mechanisms that support the given desired_mech_attrs but not the except_mech_attrs, and all of which understand the given critical_mech_attrs (the caller must release this output with GSS_Release_oid_set()).
Return major_status codes:
o GSS_S_COMPLETE indicates success; the output mechs parameter MAY be the empty set (GSS_C_NO_OID_SET).
o GSS_S_FAILURE indicates that the request failed for some other reason.
GSS_Indicate_mechs_by_attrs() returns the set of OIDs corresponding to mechanisms that offer at least the desired_mech_attrs but none of the except_mech_attrs, and that understand all of the attributes listed in critical_mech_attrs.
When all three sets of OID input parameters are the empty set, this function acts as a version of GSS_Indicate_mechs() that outputs the set of all supported mechanisms.
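The selection rule just described, together with the criticality handling of Section 3.4.1 and the SSHv2 exclusion case from the Introduction, as an added example that is not part of RFC 5587 and does not call a real GSS-API library. The types oid_t and oid_set_t are stand-ins for the RFC 2744 OID structures (length plus DER content octets); the mechanism table is built from the attribute lists in Section 3.3; max_known_arc is this example's stand-in for the known_mech_attrs output of GSS_Inquire_attrs_for_mech(); and arc 28 (MA_HYPOTHETICAL_ONLINE) is a hypothetical attribute in the reserved range, used only to show what happens when a critical attribute is not understood. The names indicate_mechs_by_attrs, first_mech, EMPTY, NEGO, DELEG and FUTURE are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the RFC 2744 gss_OID_desc / gss_OID_set_desc shapes. */
typedef struct { size_t length; const uint8_t *elements; } oid_t;
typedef struct { size_t count; const oid_t *elements; } oid_set_t;

/* DER content octets of the mech-attr base arc 1.3.6.1.5.5.13; a GSS_C_MA_* OID is
 * that prefix plus its Table 1 arc (all below 128, so a single trailing octet). */
#define MA_BASE 0x2b, 0x06, 0x01, 0x05, 0x05, 0x0d
#define MA(arc) { 7, (const uint8_t[]){ MA_BASE, (arc) } }
#define SET(arr) { sizeof(arr) / sizeof((arr)[0]), (arr) }

enum {  /* arcs from Table 1; 28 is hypothetical (reserved on the page) and stands in
         * for the "must contact online infrastructure" idea of Section 3.4.1 */
    MA_MECH_CONCRETE = 1, MA_MECH_NEGO = 4, MA_ITOK_FRAMED = 9, MA_AUTH_INIT = 10,
    MA_AUTH_TARG = 11, MA_AUTH_INIT_INIT = 12, MA_AUTH_TARG_ANON = 15, MA_DELEG_CRED = 16,
    MA_INTEG_PROT = 17, MA_CONF_PROT = 18, MA_MIC = 19, MA_WRAP = 20, MA_PROT_READY = 21,
    MA_REPLAY_DET = 22, MA_OOS_DET = 23, MA_CBINDINGS = 24, MA_LAST_KNOWN = 27,
    MA_HYPOTHETICAL_ONLINE = 28
};

/* Attribute sets as listed in Section 3.3 (GSS_C_MA_CTX_TRANS left out because the
 * page marks it implementation-dependent). */
static const oid_t krb5_attrs[] = {
    MA(MA_MECH_CONCRETE), MA(MA_ITOK_FRAMED), MA(MA_AUTH_INIT), MA(MA_AUTH_TARG),
    MA(MA_DELEG_CRED), MA(MA_INTEG_PROT), MA(MA_CONF_PROT), MA(MA_MIC), MA(MA_WRAP),
    MA(MA_PROT_READY), MA(MA_REPLAY_DET), MA(MA_OOS_DET), MA(MA_CBINDINGS) };
static const oid_t lipkey_attrs[] = {
    MA(MA_MECH_CONCRETE), MA(MA_ITOK_FRAMED), MA(MA_AUTH_INIT_INIT), MA(MA_AUTH_TARG),
    MA(MA_AUTH_TARG_ANON), MA(MA_INTEG_PROT), MA(MA_CONF_PROT), MA(MA_REPLAY_DET),
    MA(MA_OOS_DET) };
static const oid_t spnego_attrs[] = { MA(MA_MECH_NEGO), MA(MA_ITOK_FRAMED) };

typedef struct {
    const char *name;
    oid_set_t attrs;        /* mech_attrs as GSS_Inquire_attrs_for_mech() would return */
    unsigned max_known_arc; /* stand-in for known_mech_attrs: arcs 1..N are understood */
} mech_t;
static const mech_t mechs[] = {
    { "Kerberos V", SET(krb5_attrs), MA_LAST_KNOWN },
    { "LIPKEY", SET(lipkey_attrs), MA_LAST_KNOWN },
    { "SPNEGO", SET(spnego_attrs), MA_LAST_KNOWN },
};

static int oid_equal(const oid_t *a, const oid_t *b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}
static int set_contains(const oid_set_t *s, const oid_t *o) {
    for (size_t i = 0; i < s->count; i++) if (oid_equal(&s->elements[i], o)) return 1;
    return 0;
}
/* Every element of sub is in sup; vacuously true when sub is empty. */
static int set_subset(const oid_set_t *sub, const oid_set_t *sup) {
    for (size_t i = 0; i < sub->count; i++) if (!set_contains(sup, &sub->elements[i])) return 0;
    return 1;
}
static int set_disjoint(const oid_set_t *a, const oid_set_t *b) {
    for (size_t i = 0; i < a->count; i++) if (set_contains(b, &a->elements[i])) return 0;
    return 1;
}
/* A mech "understands" an attribute when it can say whether it supports it: here,
 * any OID under the base arc whose final arc is no greater than max_known_arc. */
static int mech_knows_all(const mech_t *m, const oid_set_t *s) {
    static const uint8_t base[] = { MA_BASE };
    for (size_t i = 0; i < s->count; i++) {
        const oid_t *o = &s->elements[i];
        if (o->length != 7 || memcmp(o->elements, base, sizeof base) != 0 ||
            o->elements[6] < 1 || o->elements[6] > m->max_known_arc) return 0;
    }
    return 1;
}

/* The GSS_Indicate_mechs_by_attrs() rule: list a mech only if it offers all of
 * desired, none of except, and understands all of critical.  Three empty sets list
 * every mech, as GSS_Indicate_mechs() would.  Returns the match count and writes up
 * to max names into out[]. */
size_t indicate_mechs_by_attrs(const oid_set_t *desired, const oid_set_t *except,
                               const oid_set_t *critical, const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof mechs / sizeof mechs[0]; i++) {
        const mech_t *m = &mechs[i];
        if (!set_subset(desired, &m->attrs) || !set_disjoint(except, &m->attrs) ||
            !mech_knows_all(m, critical)) continue;
        if (n < max) out[n] = m->name;
        n++;
    }
    return n;
}

/* Query sets.  NEGO in except_mech_attrs is the SSHv2 case from the Introduction:
 * drop every mechanism-negotiation mechanism without naming SPNEGO's OID. */
static const oid_t nego_a[] = { MA(MA_MECH_NEGO) };
static const oid_t deleg_a[] = { MA(MA_DELEG_CRED) };
static const oid_t future_a[] = { MA(MA_HYPOTHETICAL_ONLINE) };
const oid_set_t EMPTY = { 0, NULL };
const oid_set_t NEGO = SET(nego_a), DELEG = SET(deleg_a), FUTURE = SET(future_a);

/* Name of the first match, or NULL when the result is the empty set. */
const char *first_mech(const oid_set_t *d, const oid_set_t *e, const oid_set_t *c) {
    const char *out[1] = { NULL };
    indicate_mechs_by_attrs(d, e, c, out, 1);
    return out[0];
}
```

Because the empty set is a subset of every set, three empty inputs return all three mechanisms; {GSS_C_MA_MECH_NEGO} in except_mech_attrs returns Kerberos V and LIPKEY and leaves SPNEGO out; {GSS_C_MA_DELEG_CRED} in desired_mech_attrs narrows that to Kerberos V; and a critical attribute that no mechanism understands yields the empty set under GSS_S_COMPLETE, which an application has to treat as "nothing usable" rather than as an error status.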
3.4.3.  GSS_Inquire_attrs_for_mech()
Inputs:
o mech OBJECT IDENTIFIER -- mechanism OID
Outputs:
o major_status INTEGER
o minor_status INTEGER
o mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs OIDs (GSS_C_MA_*) supported by the mechanism (the caller must release this output with GSS_Release_oid_set()).
o known_mech_attrs SET OF OBJECT IDENTIFIER -- set of mech_attrs OIDs known to the mechanism implementation (the caller must release this output with GSS_Release_oid_set()).
Return major_status codes:
o GSS_S_COMPLETE indicates success; the output mech_attrs parameter MAY be the empty set (GSS_C_NO_OID_SET).
o GSS_S_BAD_MECH indicates that the mechanism named by the mech parameter does not exist or that the mech is GSS_C_NO_OID and no default mechanism could be determined.
o GSS_S_FAILURE indicates that the request failed for some other reason.
GSS_Inquire_attrs_for_mech() indicates the set of mechanism attributes supported by a given mechanism.
3.4.4.  GSS_Display_mech_attr()
Inputs:
o mech_attr OBJECT IDENTIFIER -- mechanism attribute OID
Outputs:
o major_status INTEGER
o minor_status INTEGER
o name OCTET STRING -- name of the mechanism attribute (e.g., GSS_C_MA_*) (the caller must release this output with GSS_Release_buffer()).
o short_desc OCTET STRING -- a short description of the mechanism attribute (the caller must release this output with GSS_Release_buffer()).
o long_desc OCTET STRING -- a longer description of the mechanism attribute (the caller must release this output with GSS_Release_buffer()).
Return major_status codes:
o GSS_S_COMPLETE indicates success.
o GSS_S_BAD_MECH_ATTR indicates that the mechanism attribute referenced by the mech_attr parameter is unknown to the implementation.
o GSS_S_FAILURE indicates that the request failed for some other reason.
This function can be used to obtain human-readable descriptions of GSS-API mechanism attributes.
3.4.5.  New Major Status Values
A single, new, major status code is added for GSS_Display_mech_attr():
o GSS_S_BAD_MECH_ATTR,
roughly corresponding to GSS_S_BAD_MECH but applicable to mechanism attribute OIDs rather than to mechanism OIDs.
For the C-bindings of the GSS-API [RFC2744], GSS_S_BAD_MECH_ATTR shall have a routine error number of 19 (this is shifted to the left by GSS_C_ROUTINE_ERROR_OFFSET).
3.4.6.  C-Bindings
Note that there is a bug in the C bindings of the GSS-APIv2u1 [RFC2744] in that the C 'const' qualifier is applied to types that are pointer typedefs. This is a bug because it declares that the pointer argument is 'const' rather than that the object pointed to by it is const. To avoid this error, we hereby define new typedefs, which include const properly:

   typedef const gss_buffer_desc * gss_const_buffer_t;
   typedef const struct gss_channel_bindings_struct *
       gss_const_channel_bindings_t;
   typedef const <platform-specific> gss_const_ctx_id_t;
   typedef const <platform-specific> gss_const_cred_id_t;
   typedef const <platform-specific> gss_const_name_t;
   typedef const gss_OID_desc * gss_const_OID;
   typedef const gss_OID_set_desc * gss_const_OID_set;

Figure 1: const typedefs
Note that only gss_const_OID and gss_const_OID_set are used below. The other const typedefs are included for convenience, since the C bindings of the GSS-API apply const to pointer typedefs in places where typedefs like those above should have been used instead.
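As an added example of the point just made (not code from RFC 5587 or RFC 2744), the fragment below repeats the RFC 2744 shape of gss_OID_desc/gss_OID and the RFC 5587 gss_const_OID typedef, then shows a function taking `const gss_OID` silently modifying the caller's OID while the `gss_const_OID` version cannot. OM_uint32 is assumed to be a 32-bit unsigned integer; clobber_via_const_gss_OID, length_via_gss_const_OID, demo_rfc2744_const and demo_rfc5587_const are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint32_t OM_uint32;          /* assumed width; RFC 2744 leaves it platform-defined */
typedef struct gss_OID_desc_struct {
    OM_uint32 length;
    void     *elements;
} gss_OID_desc, *gss_OID;            /* gss_OID is itself a pointer type (RFC 2744 shape) */

typedef const gss_OID_desc *gss_const_OID;   /* the RFC 5587 typedef: const on the pointee */

/* RFC 2744 style: 'const gss_OID' is 'gss_OID_desc *const'.  Only the pointer is
 * read-only; the object it points to is not, so this compiles and changes the
 * caller's OID even though the parameter was declared const. */
OM_uint32 clobber_via_const_gss_OID(const gss_OID oid) {
    oid->length = 0;
    return oid->length;
}

/* RFC 5587 style: the pointee is const, so 'oid->length = 0;' here would be
 * rejected by the compiler (uncomment it to see the diagnostic). */
OM_uint32 length_via_gss_const_OID(gss_const_OID oid) {
    /* oid->length = 0; */
    return oid->length;
}

/* Both demos start from a 9-octet OID and report its length afterwards. */
OM_uint32 demo_rfc2744_const(void) {
    gss_OID_desc d = { 9, NULL };
    (void)clobber_via_const_gss_OID(&d);
    return d.length;                       /* 0: the "const" argument was modified */
}
OM_uint32 demo_rfc5587_const(void) {
    gss_OID_desc d = { 9, NULL };
    return length_via_gss_const_OID(&d);   /* 9: untouched */
}
```

The practical consequence for the three new functions is that gss_const_OID_set / gss_const_OID parameters let the compiler enforce that desired_mech_attrs, except_mech_attrs, critical_mech_attrs and mech are inputs only; a prototype written with `const gss_OID_set` would give the caller no such guarantee.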
   #define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)

   OM_uint32 gss_indicate_mechs_by_attrs(
       OM_uint32 *minor_status,
       gss_const_OID_set desired_mech_attrs,
       gss_const_OID_set except_mech_attrs,
       gss_const_OID_set critical_mech_attrs,
       gss_OID_set *mechs);

   OM_uint32 gss_inquire_attrs_for_mech(
       OM_uint32 *minor_status,
       gss_const_OID mech,
       gss_OID_set *mech_attrs,
       gss_OID_set *known_mech_attrs);

   OM_uint32 gss_display_mech_attr(
       OM_uint32 *minor_status,
       gss_const_OID mech_attr,
       gss_buffer_t name,
       gss_buffer_t short_desc,
       gss_buffer_t long_desc);

Figure 2: C bindings
Note that output buffers must be released via gss_release_buffer(). Output OID sets must be released via gss_release_oid_set().
Please see Appendix A for a full set of typedef fragments defined in this document and the necessary code license.
4.  Requirements for Mechanism Designers
All future GSS-API mechanism specifications MUST:
o list the set of GSS-API mechanism attributes associated with them.
5.  IANA Considerations
The namespace of programming-language symbols with names beginning with GSS_C_MA_* is reserved for allocation by IETF Consensus. IANA allocated a base OID, as an arc of 1.3.6.1.5.5, for the set of GSS_C_MA_* described herein, and registered all of the GSS_C_MA_* values described in Section 3.2.
6.  Security Considerations
This document specifies extensions to a security-related API. It imposes new requirements on future GSS-API mechanisms, and the specifications of future protocols that use the GSS-API should make reference to this document where applicable. The ability to inquire about specific properties of mechanisms should improve security.
The semantics of each mechanism attribute may include a security component.
Application developers must understand that mechanism attributes may be added at any time -- both to the set of known mechanism attributes as well as to existing mechanisms' sets of supported mechanism attributes. Therefore, application developers using the APIs described herein must understand what mechanism attributes their applications depend critically on, and must use the mechanism attribute criticality features of these APIs.
7.  References
7.1.  Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2744] Wray, J., "Generic Security Service API Version 2 : C-bindings", RFC 2744, January 2000.
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June 1996.
[RFC1964]Linn,J.,“Kerberos版本5 GSS-API机制”,RFC19641996年6月。
[RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism (SPKM)", RFC 2025, October 1996.
[RFC2025]Adams,C.,“简单公钥GSS-API机制(SPKM)”,RFC 20252996年10月。
[RFC2847] Eisler, M., "LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM", RFC 2847, June 2000.
[RFC2847]Eisler,M.,“LIPKEY-一种使用SPKM的低基础设施公钥机制”,RFC 2847,2000年6月。
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178, October 2005.
[RFC4178]Zhu,L.,Leach,P.,Jaganathan,K.,和W.Ingersoll,“简单和受保护的通用安全服务应用程序接口(GSS-API)协商机制”,RFC 4178,2005年10月。
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture", RFC 4251, January 2006.
[RFC4251]Ylonen,T.和C.Lonvick,“安全外壳(SSH)协议架构”,RFC 4251,2006年1月。
[RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch, "Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol", RFC 4462, May 2006.
[RFC4462]Hutzelman,J.,Salowey,J.,Galbraith,J.,和V.Welch,“安全壳(SSH)协议的通用安全服务应用程序接口(GSS-API)认证和密钥交换”,RFC 4462,2006年5月。
This appendix contains the full set of code fragments defined in this document.
Copyright (c) 2009 IETF Trust and the persons identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors, may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   typedef const gss_buffer_desc * gss_const_buffer_t;
   typedef const struct gss_channel_bindings_struct *
       gss_const_channel_bindings_t;
   typedef const <platform-specific> gss_const_ctx_id_t;
   typedef const <platform-specific> gss_const_cred_id_t;
   typedef const <platform-specific> gss_const_name_t;
   typedef const gss_OID_desc * gss_const_OID;
   typedef const gss_OID_set_desc * gss_const_OID_set;
#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
   OM_uint32 gss_indicate_mechs_by_attrs(
       OM_uint32 *minor_status,
       gss_const_OID_set desired_mech_attrs,
       gss_const_OID_set except_mech_attrs,
       gss_const_OID_set critical_mech_attrs,
       gss_OID_set *mechs);

   OM_uint32 gss_inquire_attrs_for_mech(
       OM_uint32 *minor_status,
       gss_const_OID mech,
       gss_OID_set *mech_attrs,
       gss_OID_set *known_mech_attrs);

   OM_uint32 gss_display_mech_attr(
       OM_uint32 *minor_status,
       gss_const_OID mech_attr,
       gss_buffer_t name,
       gss_buffer_t short_desc,
       gss_buffer_t long_desc);
Author's Address
Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
US
EMail: Nicolas.Williams@sun.com