[PATCH] GSSAPI credentials

Alexey Melnikov alexey.melnikov at isode.com
Tue May 11 12:32:10 EDT 2010


Howard Chu wrote:

> Alexey Melnikov wrote:
>
>> Howard Chu wrote:
>>
>>> This patch implements the SASL_GSS_CREDS property, which was defined
>>> in sasl.h back in 2005.
>>>
>>> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600 
>>>
>>>
>>>
>>> Applications need this functionality to make use of Kerberos
>>> Services4User features.
>>>
>>> http://k5wiki.kerberos.org/wiki/Projects/Services4User
>>>
>>> Setting the credential in the SASL client will allow it to use an
>>> S4U2Proxy credential, among other things.
>>>
>>> Additional patches will still be needed to allow a SASL server to take
>>> advantage of this feature, as mentioned in my previous email. But this
>>> is a small first step just to get the ball rolling.
>>
>> Hi Howard,
>> This looks fine, but let me ask some questions on your patch:
>>
>>> Index: lib/common.c
>>> ===================================================================
>>> RCS file: /cvs/src/sasl/lib/common.c,v
>>> retrieving revision 1.124
>>> diff -u -r1.124 common.c
>>> --- lib/common.c    20 Feb 2009 23:10:53 -0000    1.124
>>> +++ lib/common.c    10 May 2010 08:04:24 -0000
>>> @@ -1238,6 +1238,13 @@
>>>        }
>>>        break;
>>>
>>> +  case SASL_GSS_CREDS:
>>> +      if(conn->type == SASL_CONN_CLIENT)
>>> +          ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
>>> +      else
>>> +          ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
>>> +      break;
>>> +
>>
>> What about updating sasl_getprop() to match?
>
> Sure. I didn't think it was too important since the calling app is the 
> only thing that can set it, it must already have it.

Let's make everything symmetrical, if it is easy. Pretty much all props 
that can be set are also retrievable with sasl_getprop().

>>> Index: plugins/gssapi.c
>>> ===================================================================
>>> RCS file: /cvs/src/sasl/plugins/gssapi.c,v
>>> retrieving revision 1.109
>>> diff -u -r1.109 gssapi.c
>>> --- plugins/gssapi.c    24 Feb 2010 22:41:18 -0000    1.109
>>> +++ plugins/gssapi.c    10 May 2010 08:04:24 -0000
>>> @@ -657,6 +657,7 @@
>>>      OM_uint32 max_input;
>>>      gss_buffer_desc name_token;
>>>      int ret, out_flags = 0 ;
>>> +    gss_cred_id_t server_creds = params->gss_creds;
>>
>> GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
>> no extra initialization is needed.
>
> This is not simply initialization, it's retrieving the value that a 
> caller set, if any.

I was talking about the case when the application doesn't set anything. 
I think the plugin should work as before your change. I think it does, I 
was mostly talking aloud to convince myself that that was the case.

>> Have you compiled this change against both MIT and Heimdal?
>
> Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I 
> know, but I don't think this is particularly version dependent.)

Ok, great. That is good enough.



More information about the Cyrus-sasl mailing list