A packet or streams layer for GENSEC/SASL?
simo
idra at samba.org
Sat Feb 4 05:27:30 GMT 2006
On Sat, 2006-02-04 at 16:21 +1100, Andrew Bartlett wrote:
> I've been looking at the complexities of the GENSEC 'wrap' code for
> GSSAPI, and trying to follow the spec in the process.
>
> One of the important details that is securely negotiated between client
> and server is the maximum buffer size. Currently, there isn't a good
> way to communicate this up and down the stack, and I get the feeling
> that we are using gensec_wrap() in the 'wrong way'.
>
> It seems to me that just as gnutls is free to accept 'writes' and manage
> its own 'network socket' (by means of plugin 'read'/'write' functions),
> that is how SASL wants us to behave. A SASL layer should break up the
> LDAP packets into 4-byte prefixed SASL packets, for output on a stream
> socket.
>
> Indeed, with both the TLS libs and GENSEC wanting to be in this stack,
> could we simply define them both in terms of our current socket API, and
> have them recurse down to a real socket? Or would that all end up in a
> mess with events?
I'd go with the layer approach and let them manage the socket, exposing a
stackable API; in my experience that's what works best.
Simo.
--
Simo Sorce
Samba Team
email: idra at samba.org
http://samba.org/~idra
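The framing the thread describes (a SASL security layer splitting LDAP PDUs into 4-byte length-prefixed packets for a stream socket, with a negotiated maximum buffer size) is sketched below as an added example. This is illustrative code written for this page, not Samba's GENSEC or SASL code; the names `sasl_frame_ctx`, `sasl_frame_wrap` and `sasl_frame_unwrap`, the `max_buf` field and the sample byte strings are all constructed for the example. The point it makes is the one Andrew raises: the negotiated maximum has to be visible to the framing layer, because the read side must reject a claimed packet length above that maximum before it buffers or allocates anything for it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SASL_PREFIX_LEN 4   /* SASL security layers prefix each packet with a 4-byte big-endian length */

/* Hypothetical per-connection state: the maximum payload size negotiated
 * between client and server during the SASL exchange. */
struct sasl_frame_ctx {
    uint32_t max_buf;
};

/* Write side: split `in` into packets no larger than ctx->max_buf, each
 * prefixed with its length.  Returns the number of bytes placed in `out`,
 * or 0 if `out` cannot hold the framed stream. */
size_t sasl_frame_wrap(const struct sasl_frame_ctx *ctx,
                       const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    size_t off = 0, written = 0;
    if (ctx->max_buf == 0) return 0;
    while (off < in_len) {
        size_t chunk = in_len - off;
        if (chunk > ctx->max_buf) chunk = ctx->max_buf;
        if (out_cap - written < SASL_PREFIX_LEN + chunk) return 0;
        out[written + 0] = (uint8_t)(chunk >> 24);
        out[written + 1] = (uint8_t)(chunk >> 16);
        out[written + 2] = (uint8_t)(chunk >> 8);
        out[written + 3] = (uint8_t)(chunk);
        memcpy(out + written + SASL_PREFIX_LEN, in + off, chunk);
        written += SASL_PREFIX_LEN + chunk;
        off += chunk;
    }
    return written;
}

enum sasl_frame_status { SASL_FRAME_OK, SASL_FRAME_NEED_MORE, SASL_FRAME_TOO_LARGE };

/* Read side: parse one packet from the front of a stream buffer.  On OK,
 * *payload/*payload_len point into `buf` and *consumed is the number of
 * bytes the caller should discard.  A length above the negotiated maximum
 * is rejected before anything is buffered for it. */
enum sasl_frame_status sasl_frame_unwrap(const struct sasl_frame_ctx *ctx,
                                         const uint8_t *buf, size_t buf_len,
                                         const uint8_t **payload,
                                         size_t *payload_len, size_t *consumed)
{
    uint32_t len;
    if (buf_len < SASL_PREFIX_LEN) return SASL_FRAME_NEED_MORE;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len > ctx->max_buf) return SASL_FRAME_TOO_LARGE;
    if (buf_len - SASL_PREFIX_LEN < len) return SASL_FRAME_NEED_MORE;
    *payload = buf + SASL_PREFIX_LEN;
    *payload_len = len;
    *consumed = SASL_PREFIX_LEN + len;
    return SASL_FRAME_OK;
}

/* Constructed round trip: a 10-byte stand-in for an LDAP PDU with a
 * negotiated maximum of 4 bytes is split into 4 + 4 + 2 bytes and
 * reassembled.  Returns the packet count (3) or -1 on any mismatch. */
int sasl_frame_demo_roundtrip(void)
{
    const struct sasl_frame_ctx ctx = { .max_buf = 4 };
    static const uint8_t msg[10] = { '0','1','2','3','4','5','6','7','8','9' };
    uint8_t wire[64], rebuilt[16];
    size_t wire_len = sasl_frame_wrap(&ctx, msg, sizeof msg, wire, sizeof wire);
    size_t pos = 0, rebuilt_len = 0;
    int packets = 0;
    if (wire_len == 0) return -1;
    while (pos < wire_len) {
        const uint8_t *p; size_t plen, used;
        if (sasl_frame_unwrap(&ctx, wire + pos, wire_len - pos,
                              &p, &plen, &used) != SASL_FRAME_OK) return -1;
        memcpy(rebuilt + rebuilt_len, p, plen);
        rebuilt_len += plen; pos += used; packets++;
    }
    if (rebuilt_len != sizeof msg || memcmp(rebuilt, msg, sizeof msg) != 0) return -1;
    return packets;
}

/* Constructed hostile prefix claiming a 1 GiB packet: must be refused on
 * sight rather than waited for or allocated. Returns 1 if rejected. */
int sasl_frame_demo_rejects_oversize(void)
{
    const struct sasl_frame_ctx ctx = { .max_buf = 65536 };
    const uint8_t hostile[4] = { 0x40, 0x00, 0x00, 0x00 };
    const uint8_t *p; size_t plen, used;
    return sasl_frame_unwrap(&ctx, hostile, sizeof hostile,
                             &p, &plen, &used) == SASL_FRAME_TOO_LARGE;
}

/* Constructed partial read: header announces 4 bytes, only 1 has arrived,
 * so the layer asks for more instead of returning a short packet. */
int sasl_frame_demo_needs_more(void)
{
    const struct sasl_frame_ctx ctx = { .max_buf = 4 };
    const uint8_t partial[5] = { 0x00, 0x00, 0x00, 0x04, 'a' };
    const uint8_t *p; size_t plen, used;
    return sasl_frame_unwrap(&ctx, partial, sizeof partial,
                             &p, &plen, &used) == SASL_FRAME_NEED_MORE;
}
```

The write side only ever needs the maximum to size its chunks; the read side needs it to bound what it is willing to buffer, which is why a stackable layer that owns the socket and holds the negotiated value itself is a cleaner fit than passing whole messages through `gensec_wrap()` and hoping the caller knows the limit.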