python-gssapi

The Eternal List Of Extension Implementation

Open DirectXMan12 opened this issue 10 years ago • 0 comments

So, I went and compared the gssapi.h and gssapi_ext.h files with Python-GSSAPI to look for any extensions and/or additional RFCs that we missed.

Extensions (as indicated by being in gssapi_ext.h, for the most part)

Solaris

  • [ ] buffer GSS_C_ATTR_LOCAL_LOGIN_USER
  • [ ] gss_localname ( #49 )
  • [ ] gss_pname_to_uid ( #49 )
  • [ ] gss_userok ( #49 )
  • [ ] gss_authorize_localname ( #49 )
  • [x] gss_acquire_cred_with_password ( #5 )
  • [x] gss_add_cred_with_password ( #5 )

GGF (Global Grid Forum) ( #51 )

  • [x] gss_inquire_sec_context_by_oid
  • [x] gss_inquire_cred_by_oid
  • [x] gss_set_sec_context_option
  • [ ] gssapi_mech_invoke ??
  • [ ] gss_import_cred (GGF variant, nobody implements this)
  • [ ] gss_export_cred (GGF variant, nobody implements this)

AEAD / SSPI (DCE)

  • [x] gss_wrap_aead ( #6 )
  • [x] gss_unwrap_aead ( #6 )
  • [ ] OID GSS_C_INQ_SSPI_SESSION_KEY
  • [ ] gss_complete_auth_token
  • [x] gss_wrap_iov ( #6 )
  • [x] gss_unwrap_iov ( #6 )
  • [x] gss_wrap_iov_length ( #6 )

IOV MIC

  • [x] gss_get_mic_iov ( #6 )
  • [x] gss_get_mic_iov_length ( #6 )
  • [x] gss_verify_mic_iov ( #6 )

Services4User

  • [x] gss_acquire_cred_impersonate_name
  • [x] gss_add_cred_impersonate_name

Naming Extensions (actually RFC 6680)

  • [x] OID GSS_C_NT_COMPOSITE_EXPORT
  • [x] gss_display_name_ext
  • [x] gss_inquire_name
  • [x] gss_get_name_attribute
  • [x] gss_set_name_attribute
  • [x] gss_delete_name_attribute
  • [x] gss_export_name_composite

Capsulate (draft-josefsson-gss-capsulate)

  • [ ] gss_encapsulate_token
  • [ ] gss_decapsulate_token
  • [ ] gss_oid_equal

Cred Store

  • [x] gss_acquire_cred_from
  • [x] gss_add_cred_from
  • [x] gss_store_cred_into

Cred Import/Export

  • [x] gss_export_cred ( #25 )
  • [x] gss_import_cred ( #25 )

Credentials Options (see https://github.com/pythongssapi/python-gssapi/issues/51#issuecomment-357022036)

  • [x] gss_set_cred_option

Additional RFCs (in gssapi.h)

RFC 4401 (Pseudo-Random Generators)

  • [ ] gss_pseudo_random

RFC 5588 (Store Cred)

  • [x] gss_store_cred

RFC 4178 (SPNEGO)

  • [x] gss_set_neg_mechs ( #50 )
  • [ ] gss_get_neg_mechs (NOT ACTUALLY PRESENT)

RFC 5587 (Mechanism Inquiry)

  • [x] gss_indicate_mechs_by_attrs
  • [x] gss_inquire_attrs_for_mech
  • [x] gss_display_mech_attr

RFC 5801 (GSSAPI-SASL Naming)

  • [x] gss_inquire_saslname_for_mech
  • [x] gss_inquire_mech_for_saslname

Mechanism Specific Extensions

Krb5 Specific Extensions (gssapi_krb5.h) (#75)

  • [x] GSS_KRB5_NT_PRINCIPAL_NAME
  • [x] gss_krb5_ccache_name
  • [ ] gss_krb5_copy_ccache (use case unclear, deprecated on macOS)
  • [x] gss_krb5_get_tkt_flags
  • [x] gss_krb5_set_allowable_enctypes
  • [x] gss_krb5_export_lucid_sec_context
  • [x] gss_krb5_free_lucid_sec_context
  • [x] gsskrb5_extract_authz_data_from_sec_context
  • [x] gsskrb5_extract_authtime_from_sec_context

The following functionality is also available through the cred_store API extensions so we may elect not to implement them at all:

  • [ ] gss_krb5_set_cred_rcache (not implemented by Heimdal)
  • [x] gss_krb5_import_cred (implemented because Heimdal doesn't support cred store extensions)

DirectXMan12, Feb 13 '15 22:02