17c478bd9Sstevel@tonic-gate 27c478bd9Sstevel@tonic-gate CDDL HEADER START 37c478bd9Sstevel@tonic-gate 47c478bd9Sstevel@tonic-gate The contents of this file are subject to the terms of the 5*ddcb6370SDan OpenSolaris Anderson Common Development and Distribution License (the "License"). 6*ddcb6370SDan OpenSolaris Anderson You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate 87c478bd9Sstevel@tonic-gate You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate and limitations under the License. 127c478bd9Sstevel@tonic-gate 137c478bd9Sstevel@tonic-gate When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate 197c478bd9Sstevel@tonic-gate CDDL HEADER END 207c478bd9Sstevel@tonic-gate 21*ddcb6370SDan OpenSolaris Anderson Copyright 2010 Sun Microsystems, Inc. All rights reserved. 227c478bd9Sstevel@tonic-gate Use is subject to license terms. 237c478bd9Sstevel@tonic-gate 247c478bd9Sstevel@tonic-gate 257c478bd9Sstevel@tonic-gate The Service Provider Interface for libgss and its Mechanisms 267c478bd9Sstevel@tonic-gate ------------------------------------------------------------ 277c478bd9Sstevel@tonic-gate 287c478bd9Sstevel@tonic-gate1. The libgss SPI upto 11/2004 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate Prior to PSARC 2004/810 the libgss SPI consisted of a function 317c478bd9Sstevel@tonic-gate provided by each mechanism whose return value is a pointer to a 327c478bd9Sstevel@tonic-gate structure full of references to the mechanism's entry points 337c478bd9Sstevel@tonic-gate (hereinafter: methods). 347c478bd9Sstevel@tonic-gate 357c478bd9Sstevel@tonic-gate This structure does not include any hooks for versioning, which 367c478bd9Sstevel@tonic-gate means that additions of any mechanism methods at micro/patch 377c478bd9Sstevel@tonic-gate releases require patching libgss.so.1 and all the GSS mechanisms 387c478bd9Sstevel@tonic-gate shipped with Solaris (Kerberos V, DH, SPNEGO). 397c478bd9Sstevel@tonic-gate 407c478bd9Sstevel@tonic-gate2. The libgss SPI after PSARC 2004/810 417c478bd9Sstevel@tonic-gate 427c478bd9Sstevel@tonic-gate In order to avoid changing the gss_config struct and patching all 437c478bd9Sstevel@tonic-gate three mechanisms (four, if the dummy mech counts) and libgss 447c478bd9Sstevel@tonic-gate together and in anticipation of a cleaner SPI in the future (see 457c478bd9Sstevel@tonic-gate next section) the SPI after PSARC 2004/810 will be as before but 467c478bd9Sstevel@tonic-gate supplemented as follows: 477c478bd9Sstevel@tonic-gate 487c478bd9Sstevel@tonic-gate - any new SPI mechanism methods will NOT be placed in gss_config, 497c478bd9Sstevel@tonic-gate instead there is a new gss_config_ext structure, which is to be 507c478bd9Sstevel@tonic-gate used _only_ by libgss (to avoid struct versioning and/or patch 517c478bd9Sstevel@tonic-gate issues), which should be extended to have a pointer to the new 527c478bd9Sstevel@tonic-gate method; 537c478bd9Sstevel@tonic-gate 547c478bd9Sstevel@tonic-gate - there is a new libgss function, __gss_get_mechanism_ext(), which 557c478bd9Sstevel@tonic-gate is used to get at the gss_config_ext for a mechanism; 567c478bd9Sstevel@tonic-gate 577c478bd9Sstevel@tonic-gate - __gss_get_mechanism_ext() uses dlsym() to build the 587c478bd9Sstevel@tonic-gate gss_config_ext struct for the mech by individually loading each 597c478bd9Sstevel@tonic-gate and every mechanism method that isn't part of the old gss_config 607c478bd9Sstevel@tonic-gate struct -- this happens only once per-method, of course; the 617c478bd9Sstevel@tonic-gate result is cached. 627c478bd9Sstevel@tonic-gate 637c478bd9Sstevel@tonic-gate The symbol names that are dlsym()ed are of the form gssspi_* and 647c478bd9Sstevel@tonic-gate correspond to gss_*; e.g., gssspi_acquire_cred_with_password(). 657c478bd9Sstevel@tonic-gate 667c478bd9Sstevel@tonic-gate New methods also have a corresponding typedef named 677c478bd9Sstevel@tonic-gate <gss_func>_sfct -- the 's' in 'sfct' is for "SPI" and the 'fct' 687c478bd9Sstevel@tonic-gate is for "function." This is used to keep cast expressions short. 697c478bd9Sstevel@tonic-gate 707c478bd9Sstevel@tonic-gate3. The Future libgss SPI 717c478bd9Sstevel@tonic-gate 727c478bd9Sstevel@tonic-gate Once the Solaris krb5 source is resync'ed with MIT krb5 1.4 there 737c478bd9Sstevel@tonic-gate will be no further need for the 'void *context' argument to all the 747c478bd9Sstevel@tonic-gate libgss mechanisms' methods. 757c478bd9Sstevel@tonic-gate 767c478bd9Sstevel@tonic-gate At that point it will be possible to remove this 'void *context' 777c478bd9Sstevel@tonic-gate argument from all the libgss SPI function prototypes, the main 787c478bd9Sstevel@tonic-gate result of which will be that the mechanisms' methods will then have 797c478bd9Sstevel@tonic-gate the same function signature as the corresponding GSS-API functions. 807c478bd9Sstevel@tonic-gate 817c478bd9Sstevel@tonic-gate We can then rename all mechanisms' methods from <mech>_<gss-func> to 827c478bd9Sstevel@tonic-gate <gss-func>. The corresponding typedefs will be renamed to 837c478bd9Sstevel@tonic-gate <gss-func>_fct. 847c478bd9Sstevel@tonic-gate 857c478bd9Sstevel@tonic-gate The SPI, then, will be almost exactly the same as the API. 867c478bd9Sstevel@tonic-gate 877c478bd9Sstevel@tonic-gate There will be some minor differences, primarily that some API 887c478bd9Sstevel@tonic-gate functions won't have a corresponding SPI method, such as 897c478bd9Sstevel@tonic-gate gss_release_buffer(3GSS), for example. 907c478bd9Sstevel@tonic-gate 917c478bd9Sstevel@tonic-gate Some time later we may open the SPI to third party implementors; 927c478bd9Sstevel@tonic-gate this could be particularly useful as a way to get access to 3rd 937c478bd9Sstevel@tonic-gate party implementations of SPKM and LIPKEY (assuming any ever exist -- 947c478bd9Sstevel@tonic-gate SPKM's is a very problematic specification). 957c478bd9Sstevel@tonic-gate 967c478bd9Sstevel@tonic-gate Third party mechanisms should just export all the symbols for the 977c478bd9Sstevel@tonic-gate GSS-API functions, like MIT krb5 does, but functions which libgss 987c478bd9Sstevel@tonic-gate won't call (e.g., gss_release_buffer(3GSS)) should either not be 997c478bd9Sstevel@tonic-gate implemented or should be weak symbols. 1007c478bd9Sstevel@tonic-gate 1017c478bd9Sstevel@tonic-gate Solaris native mechanisms may still provide the mechanism method 1027c478bd9Sstevel@tonic-gate registration function as usual for optimization purposes -- to 1037c478bd9Sstevel@tonic-gate reduce the number of calls to dlsym(). 1047c478bd9Sstevel@tonic-gate 1057c478bd9Sstevel@tonic-gate Mechanisms that do not provide the old method registration function 1067c478bd9Sstevel@tonic-gate will be loaded as follows: 1077c478bd9Sstevel@tonic-gate 1087c478bd9Sstevel@tonic-gate - libgss will look for and find the mechanism's 1097c478bd9Sstevel@tonic-gate GSS_Indicate_mechs() method and will call it to discover the 1107c478bd9Sstevel@tonic-gate mechanism provider's mechanism OIDs. 1117c478bd9Sstevel@tonic-gate 1127c478bd9Sstevel@tonic-gate - libgss will dlsym() each mechanism provider SPI method. 113