Howard Chu wrote:
Alexey Melnikov wrote:
Howard Chu wrote:
This patch implements the SASL_GSS_CREDS property, which was defined
in sasl.h back in 2005.
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=sasl_gss_creds&msg=7600
Applications need this functionality to make use of Kerberos
Services4User features.
http://k5wiki.kerberos.org/wiki/Projects/Services4User
Setting the credential in the SASL client will allow it to use an
S4U2Proxy credential, among other things.
Additional patches will still be needed to allow a SASL server to take
advantage of this feature, as mentioned in my previous email. But this
is a small first step just to get the ball rolling.
Hi Howard,
This looks fine, but let me ask some questions on your patch:
Index: lib/common.c
===================================================================
RCS file: /cvs/src/sasl/lib/common.c,v
retrieving revision 1.124
diff -u -r1.124 common.c
--- lib/common.c 20 Feb 2009 23:10:53 -0000 1.124
+++ lib/common.c 10 May 2010 08:04:24 -0000
@@ -1238,6 +1238,13 @@
}
break;
+ case SASL_GSS_CREDS:
+ if(conn->type == SASL_CONN_CLIENT)
+ ((sasl_client_conn_t *)conn)->cparams->gss_creds = value;
+ else
+ ((sasl_server_conn_t *)conn)->sparams->gss_creds = value;
+ break;
+
What about updating sasl_getprop() to match?
Sure. I didn't think it was too important since the calling app is the
only thing that can set it, it must already have it.
Let's make everything symmetrical, if it is easy. Pretty much all props
that can be set are also retrievable with sasl_getprop().
Index: plugins/gssapi.c
===================================================================
RCS file: /cvs/src/sasl/plugins/gssapi.c,v
retrieving revision 1.109
diff -u -r1.109 gssapi.c
--- plugins/gssapi.c 24 Feb 2010 22:41:18 -0000 1.109
+++ plugins/gssapi.c 10 May 2010 08:04:24 -0000
@@ -657,6 +657,7 @@
OM_uint32 max_input;
gss_buffer_desc name_token;
int ret, out_flags = 0 ;
+ gss_cred_id_t server_creds = params->gss_creds;
GSS_C_NO_CREDENTIAL is defined as "((gss_cred_id_t) 0)" in RFC 2744, so
no extra initialization is needed.
This is not simply initialization, it's retrieving the value that a
caller set, if any.
I was talking about the case when the application doesn't set anything.
I think the plugin should work as before your change. I think it does, I
was mostly talking aloud to convince myself that that was the case.
Have you compiled this change against both MIT and Heimdal?
Yes, using MIT Kerb 1.8.1 and Heimdal 1.2.1. (Not the latest Heimdal I
know, but I don't think this is particularly version dependent.)
Ok, great. That is good enough.
