To build & install:
1. aclocal
2. autoheader
3. automake --add-missing
4. autoconf
5. setenv PKG_CONFIG_PATH ${prefix-of-gssapi-install}/lib/pkgconfig
   default is /usr/local/lib/pkgconfig
6. ./configure 
	--with-openssl=<path to your openssl install if not in system location> 
	
	we assume librpcsecgss.so and libgssapi.so are in /usr/local/lib

7. make
8. make install 
   by default, it will install libgssapi_spkm3.so into /usr/local/lib

To test the installation:
1. modify the /etc/gssapi_mech.conf to include spkm3 
"/usr/local/lib/libgssapi_spkm3.so    spkm3_gss_initialize"
2. cd tests
	This directory contains an RPC based client server program designed to
	test the RPCSEC user level API.

	The server program consists of:
        	list_svc.c      (the main program)
        	list_procs.c    (the service procedures)
        	list_xdr.c      (XDR routines)

	The client program consists of:
        	client_main.c   (the main program)
        	list_clnt.c     (the client calls)
        	list_xdr.c      (XDR routines)

	The include file list.h defines structures exchanged between
	client and server.

	The file list.x, provided for reference only, defines the
	client server data structures in the RPC language.

3. run ./list_svc
4. to run with user creds:
     run ./client <server hostname> <service name> -m <mech_num> [-a]

	<server hostname> is the name of the host on which the server is running
	<service name> (eg, nfs) is the name of the service

	The -m option indicates the mechanism used.
		'-m 1' is for the Kerberos mechanism.
			If you choose to try Kerberos authentication, then
			prior to executing the server a server principal must
			be established in the KDC database, and a keytab file
			extracted for the principal. The server principal
			should be of the form <service name>/<host name>.
			The client needs to kinit.
		'-m 2' is for the spkm3 mechanism.
			This implementation supports anonymous spkm3; to
			enable it, add "-a" on the command line.

			By default, we expect to find the server's public 
			(PEM-encoded) key in /etc/spkm/spkm.cert and the 
			corresponding private key in /etc/spkm/spkm.key.
			If you wish to change the location, then change 
			the value of the variable "CertFile" in the file 
			spkm/spkm3/gssapi_spkm3.h and recompile.

			By default, we expect to find a list of CA certs in 
			/etc/grid-security/certificates.
			If you wish to change the location, then change the 
			value of the variable "CertDir" in the file 
			spkm/spkm3/gssapi_spkm3.h and recompile.

			By default, we don't define a location for CRL files. 
			You can specify a location of a CRL file by changing 
			the value of the variable "CRLFile" in the file 
			spkm/spkm3/gssapi_spkm3.h, or you can specify a 
			directory that contains CRL files by changing the 
			value of the variable "CRLDir" in the file 
			spkm/spkm3/gssapi_spkm3.h and recompile.

			By default, we assume that the user's X509 certificate 
			(public and private key) can be found in a file 
			"/tmp/x509up_u<UID>", where UID is a UID of the client.
			You can obtain certs by running "kx509" and 
			"kxlist -p" which stores the public and private keys 
			in the file "/tmp/x509up_u<UID>".

			For the "mount" to work, you need to place the machine
			cert+key into /tmp/x509up_u0. The reason is that
			"mount" is run as "root" (uid 0) and acts as an spkm3
			client, so the code assumes that it can find user
			creds in "/tmp/x509up_u<UID>". Make sure that the file
			has 0600 permissions and is owned by root (or whatever
			UID will use the machine creds).
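
A pre-flight check for the /tmp/x509up_u<UID> requirement described above, as an added example (not part of this package). It assumes the credential file is PEM-encoded, as stated for the server key; the function name check_spkm3_cred is hypothetical.

```shell
#!/bin/sh
# Added example: verify an SPKM3 credential file before running the
# client or "mount". Usage: check_spkm3_cred <file> <expected-uid>
# Prints one line per problem; returns 0 only if every check passes.
check_spkm3_cred() {
    f=$1 want_uid=$2 rc=0

    # /tmp is world-writable: refuse symlinks and non-regular files,
    # which another local user could have planted under this name.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: missing, a symlink, or not a regular file"
        return 1
    fi

    # Owner uid and octal mode: GNU stat first, BSD stat as a fallback.
    meta=$(stat -c '%u %a' "$f" 2>/dev/null || stat -f '%u %Lp' "$f")
    owner=${meta% *}
    mode=${meta#* }

    if [ "$owner" != "$want_uid" ]; then
        echo "$f: owned by uid $owner, expected $want_uid"; rc=1
    fi
    if [ "$mode" != "600" ]; then
        echo "$f: mode $mode, expected 600"; rc=1
    fi

    # The file must carry both halves of the credential (cert + key).
    # Assumption: PEM encoding, so both block headers are visible to grep.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no PEM certificate block"; rc=1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no PEM private key block"; rc=1; }

    return $rc
}

# When invoked with arguments, check that file, e.g.:
#   sh check_cred.sh /tmp/x509up_u0 0
if [ "$#" -eq 2 ]; then
    check_spkm3_cred "$1" "$2"
fi
```
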

	After starting the client (assuming -m 2 options), you will see 
	the description of which protocol you chose and a list of available
	commands:

		SPKM3 mechanism requested
		Mutual auth SPKM3 requested

		commands are:
        		set <name> <value>
        		get <name>
        		del <name>
        		service (integrity | privacy | none)
        		create-context(cc)
        		destroy-context(dc)
        		loop
        		quit

	First, you need to create a security context. Once a secure context has
	been established, the server stores the names and corresponding values.
	The client program can be used to add a value to the server's list,
	delete a value from the server's list, or retrieve a value from the
	server.

	To create a secure context, type:

        	create-context or cc (shorthand)
 
	To destroy a secure context, type:

        	destroy-context or dc (shorthand)
 
	To add a value to the server's list:

		set <name> <value>

	To delete a value from the server's list:

		del <name>

	To fetch a value from the server's list:

		get <name>

	To test multiple "cc, set, get, dc" you can type 

        	loop #loops

	To change the service level [not implemented?]:

        	service (integrity | privacy | none)
        	(Only works without -l option on server)


Implementation details and such:

Integrity algorithms
	+ implemented md5RSAEncryption, hmac_md5, null_mac.
	- no way of choosing the order
	by default,
		authenticated spkm3 uses md5RSAEncryption.
			client adds md5RSAEncryption, hmac_md5, null_mac to
			its list of supported I-ALG and sends it to the
			server. only QOP of 0 is implemented, so the first
			algorithm on the list is chosen.
		anonymous spkm3 uses hmac_md5.
			client sends hmac_md5, null_mac to the server.

	note, as a result, null_mac would never be chosen as an I-ALG after
	the context is established. null_mac is used as an integrity algorithm
	for the REQ_TOKEN in anonymous spkm3.

Confidentiality algorithms
	- not implemented yet


No error handling is done.
No name (src_name, target_name) matching/testing is done.
 
Debugging: by default, only error messages are logged and they go to syslog.
You can turn on debugging spew by
	adding -DDEBUG to CFLAGS in the Makefile in spkm/spkm3 and
	modifying the spkm3_debug_level value in spkm/spkm3/gssapi_spkm3.h.

	You also need to modify client_main.c and list_svc.c to
	include a call: authgss_set_debug_level(5); (and of course don't
	forget to: make clean; make; make install).

	If you'd like to see ASN compiler spew, you can add -DASNDEBUG and 
	-DEMIT_ASN_DEBUG to CFLAGS in the Makefile in spkm/spkm3 (warning: 
	be prepared to redirect the output (a lot of it) to a file!).
