[PATCH] GSSAPI credentials
Howard Chu
hyc at highlandsun.com
Tue May 11 11:10:18 EDT 2010
Alexey Melnikov wrote:
> Howard Chu wrote:
>
>> This patch implements the SASL_GSS_CREDS property, which was defined
>> in sasl.h back in 2005.
>>
>> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600
>>
>>
>> Applications need this functionality to make use of Kerberos
>> Services4User features.
>>
>> http://k5wiki.kerberos.org/wiki/Projects/Services4User
>>
>> Setting the credential in the SASL client will allow it to use an
>> S4U2Proxy credential, among other things.
>>
>> Additional patches will still be needed to allow a SASL server to take
>> advantage of this feature, as mentioned in my previous email. But this
>> is a small first step just to get the ball rolling.
>
> Hi Howard,
> This looks fine, but let me ask some questions on your patch:
>
>> Index: lib/common.c
>> ===================================================================
>> RCS file: /cvs/src/sasl/lib/common.c,v
>> retrieving revision 1.124
>> diff -u -r1.124 common.c
>> --- lib/common.c 20 Feb 2009 23:10:53 -0000 1.124
>> +++ lib/common.c 10 May 2010 08:04:24 -0000
>> @@ -1238,6 +1238,13 @@
>> }
>> break;
>>
>> + case SASL_GSS_CREDS:
>> + if(conn->type == SASL_CONN_CLIENT)
>> + ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
>> + else
>> + ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
>> + break;
>> +
>>
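Review bot: the new case stores the caller-supplied handle without any documented ownership or lifetime rule; the conn only borrows `value`, so the `SASL_GSS_CREDS` comment in sasl.h (and the sasl_setprop documentation) should state that the caller must keep the credential valid until the connection is disposed, and that passing NULL (GSS_C_NO_CREDENTIAL) clears it. It would also help to note in the same comment that the property is honoured only by the GSSAPI plugin, since other mechanisms will silently ignore `cparams->gss_creds` / `sparams->gss_creds`.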
> What about updating sasl_getprop() to match?
Sure. I didn't think it was too important, since the calling app is the only
thing that can set it, so it must already have it.
>> Index: plugins/gssapi.c
>> ===================================================================
>> RCS file: /cvs/src/sasl/plugins/gssapi.c,v
>> retrieving revision 1.109
>> diff -u -r1.109 gssapi.c
>> --- plugins/gssapi.c 24 Feb 2010 22:41:18 -0000 1.109
>> +++ plugins/gssapi.c 10 May 2010 08:04:24 -0000
>> @@ -657,6 +657,7 @@
>> OM_uint32 max_input;
>> gss_buffer_desc name_token;
>> int ret, out_flags = 0 ;
>> + gss_cred_id_t server_creds = params->gss_creds;
>>
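Review bot: the hunk only shows the declaration `gss_cred_id_t server_creds = params->gss_creds;`, not where `server_creds` replaces the previously acquired credential. Please confirm that the path which accepts the context still falls back to the default acceptor credential when `params->gss_creds` is unset (i.e. equals GSS_C_NO_CREDENTIAL), and that the plugin does not call gss_release_cred() on a handle the application owns; otherwise a server that never sets the property would either stop authenticating or free the caller's credential.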
> GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
> no extra initialization is needed.
This is not simply initialization, it's retrieving the value that a caller
set, if any.
> Have you compiled this change against both MIT and Heimdal?
Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I know,
but I don't think this is particularly version dependent.)
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/