A packet or streams layer for GENSEC/SASL?

simo idra at samba.org
Sat Feb 4 05:27:30 GMT 2006


On Sat, 2006-02-04 at 16:21 +1100, Andrew Bartlett wrote:
> I've been looking at the complexities of the GENSEC 'wrap' code for
> GSSAPI, and trying to follow the spec in the process.  
> 
> One of the important details that is securely negotiated between client
> and server is the maximum buffer size.  Currently, there isn't a good
> way to communicate this up and down the stack, and I get the feeling
> that we are using gensec_wrap() in the 'wrong way'. 
> 
> It seems to me that just as gnutls is free to accept 'writes' and manage
> its own 'network socket' (by means of plugin 'read'/'write' functions),
> that is how SASL wants us to behave.  A SASL layer should break up the
> LDAP packets into 4-byte prefixed SASL packets, for output on a stream
> socket.
> 
> Indeed, with both the TLS libs and GENSEC wanting to be in this stack,
> could we simply define them both in terms of our current socket API, and
> have them recurse down to a real socket?  Or would that all end up in a
> mess with events?

I'd go with the layer approach and let them manage the socket, exposing a
stackable API; in my experience that's what works best.

Simo.

-- 
Simo Sorce
Samba Team
email: idra at samba.org
http://samba.org/~idra
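A sketch of the stackable layer discussed above, added here as an example and not code from Samba or from this thread. It frames each LDAP PDU as 4-byte length-prefixed SASL packets no larger than the peer's negotiated maximum buffer size, reassembles packets from an arbitrarily fragmented stream, and rejects a length above the size we advertised before buffering the body. `SaslLayer`, `demo` and the write/read callables are hypothetical names; `wrap`/`unwrap` are identity stand-ins for gensec_wrap() and its unwrap counterpart.

```python
import struct

HDR = struct.Struct("!I")  # SASL security layer: 4-byte network-order length, then the wrapped body

class SaslLayer:
    """Stackable SASL layer (hypothetical): takes whole LDAP PDUs and talks to
    the lower transport only through write/read callables."""
    def __init__(self, lower_write, lower_read, peer_maxbuf, our_maxbuf, wrap=bytes, unwrap=bytes):
        self.lower_write, self.lower_read = lower_write, lower_read
        self.peer_maxbuf = peer_maxbuf  # largest packet the peer negotiated it will accept
        self.our_maxbuf = our_maxbuf    # largest packet we advertised; enforced on receive
        self.wrap, self.unwrap = wrap, unwrap  # gensec_wrap()/unwrap() stand-ins; identity here
        self.inbuf = bytearray()

    def send(self, pdu: bytes) -> int:
        """Split one LDAP PDU into SASL packets that fit peer_maxbuf; return the packet count."""
        count = 0
        for off in range(0, len(pdu), self.peer_maxbuf):
            body = self.wrap(pdu[off:off + self.peer_maxbuf])
            if len(body) > self.peer_maxbuf:  # a real wrap adds overhead, so chunk below maxbuf
                raise ValueError("wrapped packet exceeds the peer's maxbuf")
            self.lower_write(HDR.pack(len(body)) + body)
            count += 1
        return count

    def recv(self) -> list:
        """Read from the transport and return every complete, unwrapped packet so far."""
        self.inbuf += self.lower_read()
        out = []
        while len(self.inbuf) >= HDR.size:
            (n,) = HDR.unpack_from(self.inbuf)
            if n > self.our_maxbuf:  # check the length before buffering the body
                raise ValueError(f"peer sent a {n}-byte packet, above our maxbuf {self.our_maxbuf}")
            if len(self.inbuf) < HDR.size + n:
                break  # partial packet: wait for the next read
            out.append(self.unwrap(bytes(self.inbuf[HDR.size:HDR.size + n])))
            del self.inbuf[:HDR.size + n]
        return out

def demo(chunk: int = 5) -> dict:
    # Constructed run: a 23-byte stand-in LDAP PDU over an in-memory pipe, maxbuf 8, read in `chunk`-byte pieces
    wire, pdu = bytearray(), b"\x30\x15" + b"A" * 21
    def lower_read():
        piece = bytes(wire[:chunk]); del wire[:chunk]; return piece
    tx = SaslLayer(wire.extend, lambda: b"", peer_maxbuf=8, our_maxbuf=8)
    rx = SaslLayer(lambda b: None, lower_read, peer_maxbuf=8, our_maxbuf=8)
    packets, got = tx.send(pdu), []
    while wire:
        got += rx.recv()
    return {"packets": packets, "reassembled": b"".join(got) == pdu}
```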
