[PATCH] GSSAPI credentials

Howard Chu hyc at highlandsun.com
Tue May 11 12:53:35 EDT 2010


Alexey Melnikov wrote:
> Howard Chu wrote:
>
>> Alexey Melnikov wrote:
>>
>>> Howard Chu wrote:
>>>
>>>> This patch implements the SASL_GSS_CREDS property, which was defined
>>>> in sasl.h back in 2005.
>>>>
>>>> Applications need this functionality to make use of Kerberos
>>>> Services4User features.
>>>>
>>>> http://k5wiki.kerberos.org/wiki/Projects/Services4User
>>>>
>>>> Setting the credential in the SASL client will allow it to use an
>>>> S4U2Proxy credential, among other things.
>>>>
>>>> Additional patches will still be needed to allow a SASL server to take
>>>> advantage of this feature, as mentioned in my previous email. But this
>>>> is a small first step just to get the ball rolling.
>>>
>>> Hi Howard,
>>> This looks fine, but let me ask some questions on your patch:
>>>
>>> What about updating sasl_getprop() to match?
>>
>> Sure. I didn't think it was too important since the calling app is the
>> only thing that can set it, it must already have it.
>
> Let's make everything symmetrical, if it is easy. Pretty much all props
> that can be set are also retrievable with sasl_getprop().

OK. Assuming you only meant to retrieve the previously-set cred, this patch 
will do. If you mean to retrieve whatever cred got used, including e.g. what 
the server obtained through gss_acquire_cred() that gets a bit trickier; need 
to worry about who disposes of it and such.

>>>> Index: plugins/gssapi.c
>>>> ===================================================================
>>>> RCS file: /cvs/src/sasl/plugins/gssapi.c,v
>>>> retrieving revision 1.109
>>>> diff -u -r1.109 gssapi.c
>>>> --- plugins/gssapi.c    24 Feb 2010 22:41:18 -0000    1.109
>>>> +++ plugins/gssapi.c    10 May 2010 08:04:24 -0000
>>>> @@ -657,6 +657,7 @@
>>>>       OM_uint32 max_input;
>>>>       gss_buffer_desc name_token;
>>>>       int ret, out_flags = 0 ;
>>>> +    gss_cred_id_t server_creds = params->gss_creds;
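Review bot: the new local takes its value straight from params->gss_creds, so when the application never sets SASL_GSS_CREDS it holds GSS_C_NO_CREDENTIAL (a zero handle per RFC 2744) and the existing code path is unchanged; what the hunk leaves undocumented is ownership. A handle the caller supplied through the property must not be released by the plugin the way a credential it obtained itself via gss_acquire_cred() would be, so a short comment on the declaration stating that a non-null server_creds is caller-owned and must not be passed to gss_release_cred() would prevent a later cleanup change from freeing it on the wrong path.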
>>>
>>> GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
>>> no extra initialization is needed.
>>
>> This is not simply initialization, it's retrieving the value that a
>> caller set, if any.
>
> I was talking about the case when the application doesn't set anything.
> I think the plugin should work as before your change. I think it does, I
> was mostly talking aloud to convince myself that that was the case.

OK. Yes, no extra init is needed.

>>> Have you compiled this change against both MIT and Heimdal?
>>
>> Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I
>> know, but I don't think this is particularly version dependent.)
>
> Ok, great. That is good enough.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dif.txt
Url: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20100511/827396ac/attachment.txt