A packet or streams layer for GENSEC/SASL?

Andrew Bartlett abartlet at samba.org
Sat Feb 4 05:21:41 GMT 2006


I've been looking at the complexities of the GENSEC 'wrap' code for
GSSAPI, and trying to follow the spec in the process.  

One of the important details that is securely negotiated between client
and server is the maximum buffer size.  Currently, there isn't a good
way to communicate this up and down the stack, and I get the feeling
that we are using gensec_wrap() in the 'wrong way'.

It seems to me that just as gnutls is free to accept 'writes' and manage
its own 'network socket' (by means of plugin 'read'/'write' functions),
that is how SASL wants us to behave.  A SASL layer should break up the
LDAP packets into 4-byte prefixed SASL packets, for output on a stream
socket.

Indeed, with both the TLS libs and GENSEC wanting to be in this stack,
could we simply define them both in terms of our current socket API, and
have them recurse down to a real socket?  Or would that all end up in a
mess with events?

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
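The 4-byte-prefixed SASL packet framing the message describes, as an added example that is not part of the post and not Samba or GENSEC code. The function names `sasl_frame_message`, `sasl_read_packet` and `sasl_roundtrip_packets` are assumptions for illustration. The payload bytes are treated as already wrapped by the security mechanism; the example only shows the stream-side framing and the one check the negotiated maximum buffer size buys you on receive: an advertised length larger than the negotiated maximum is rejected before anything is buffered, instead of being trusted as an allocation size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SASL security layers prefix each packet with a 4-byte big-endian length. */
#define SASL_LEN_PREFIX 4

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Split one application message (e.g. an encoded LDAP PDU, assumed to be
 * already wrapped by the mechanism) into SASL packets whose payload is at
 * most max_buf bytes, writing "<len><payload>" pairs into out.
 * Returns bytes written, or 0 if out_cap is too small or max_buf is zero.
 * (Assumed API, not Samba's.)
 */
size_t sasl_frame_message(const uint8_t *in, size_t in_len, size_t max_buf,
                          uint8_t *out, size_t out_cap)
{
    size_t off = 0, written = 0;
    if (max_buf == 0) return 0;
    while (off < in_len) {
        size_t chunk = in_len - off;
        if (chunk > max_buf) chunk = max_buf;
        if (out_cap - written < SASL_LEN_PREFIX + chunk) return 0;
        put_be32(out + written, (uint32_t)chunk);
        memcpy(out + written + SASL_LEN_PREFIX, in + off, chunk);
        written += SASL_LEN_PREFIX + chunk;
        off += chunk;
    }
    return written;
}

/*
 * Pull one SASL packet out of a stream buffer starting at *pos.
 *   returns  1 and advances *pos when a complete packet was copied to payload
 *   returns  0 when the stream does not yet hold a whole packet (read more)
 *   returns -1 when the advertised length exceeds the negotiated max_buf or
 *              the caller's buffer: the peer is violating what was negotiated,
 *              so drop the connection rather than buffer on its say-so.
 */
int sasl_read_packet(const uint8_t *stream, size_t stream_len, size_t *pos,
                     size_t max_buf, uint8_t *payload, size_t payload_cap,
                     size_t *payload_len)
{
    if (*pos > stream_len) return -1;
    if (stream_len - *pos < SASL_LEN_PREFIX) return 0;
    uint32_t len = get_be32(stream + *pos);
    if (len > max_buf || len > payload_cap) return -1;   /* bounded before use */
    if (stream_len - *pos - SASL_LEN_PREFIX < len) return 0;
    memcpy(payload, stream + *pos + SASL_LEN_PREFIX, len);
    *payload_len = len;
    *pos += SASL_LEN_PREFIX + len;
    return 1;
}

/* Frame msg with max_buf, reassemble it from the wire bytes, and return the
 * number of packets it took, or -1 if the round trip did not reproduce msg. */
int sasl_roundtrip_packets(const uint8_t *msg, size_t msg_len, size_t max_buf)
{
    uint8_t wire[256], out[256], payload[64];
    size_t wire_len = sasl_frame_message(msg, msg_len, max_buf, wire, sizeof wire);
    size_t pos = 0, out_len = 0, plen = 0;
    int packets = 0, rc;
    if (wire_len == 0 || msg_len > sizeof out) return -1;
    while ((rc = sasl_read_packet(wire, wire_len, &pos, max_buf,
                                  payload, sizeof payload, &plen)) == 1) {
        memcpy(out + out_len, payload, plen);
        out_len += plen;
        packets++;
    }
    if (rc < 0 || pos != wire_len || out_len != msg_len ||
        memcmp(out, msg, msg_len) != 0) return -1;
    return packets;
}

int main(void)
{
    /* Constructed sample: a 10-byte "PDU" over a negotiated 4-byte maximum. */
    const uint8_t pdu[] = "0123456789";
    printf("packets needed: %d\n", sasl_roundtrip_packets(pdu, 10, 4));
    return 0;
}
```

The receive side never allocates from the length field: it compares it against the negotiated maximum first, which is exactly why that value has to be visible to whichever layer owns the stream socket.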