
Re: gss_wrap/gss_unwrap sasl buffers?



On Sun, 28 Jan 2007 14:42:54 -0800
Howard Chu <hyc@symas.com> wrote:

> Michael B Allen wrote:
> > Anyway, I have GSS-SPNEGO almost working (only wrapping outgoing
> > messages at the moment, unwrapping is tomorrow) but it required
> > modifying libldap and liblber. I added an ldap_set_inspect_hdlr
> > function that sets read/write callbacks. They're invoked in
> > sockbuf.c:{ber_int_sb_read,ber_int_sb_write} if Sockbuf has a handler
> > installed. The user must supply a handler that reads/writes and "inspects"
> > the buffers, possibly writing alternative data (i.e. the gss_wrap'd data).
> > 
> > The modifications were pretty simple and clean. Is there a better way?
> 
> Assuming that OpenLDAP was the appropriate home for such code (which it is 
> not) the correct approach would be to write a new Sockbuf handler and push it 
> onto the existing stack of handlers. That's how both SASL and TLS are 
> implemented. Mucking with sockbuf.c itself is definitely the wrong way. The 
> whole point of the sockbuf infrastructure is that it allows arbitrary 
> processing layers to be stacked without having to modify any core code.

Yup. That's exactly what I'm doing now. I just didn't see it before
but cyrus.c seems to be the model for what I want to do. And I see
ber_sockbuf_add_io et al is public so I'm hoping I can do it without
touching libldap or liblber at all.

For reasons not worth discussing I'm not very interested in using libsasl
(at least not cyrus).

Thanks,
Mike

PS: OpenLDAP is nice code. Well organised and understandable. Thanks to
those involved.
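An added example, not code from this thread or from OpenLDAP, of the stacking approach Howard describes: a security layer pushed on top of a transport, talking only to the layer below it through its own read/write functions, the way cyrus.c layers SASL over the socket. The `layer_t` struct is a stand-alone model of the Sockbuf_IO shape (not liblber's real API), the in-memory "socket" and the XOR are constructed stand-ins for a real socket and for gss_wrap/gss_unwrap, and the 4-byte length prefix is the framing SASL security layers put in front of each wrapped token.

```c
#include <string.h>
/* Stand-alone model of a stacked I/O layer; not liblber's Sockbuf_IO, only
 * the same shape: a layer only talks to the layer below it via "next". */
typedef struct layer {
    long (*read)(struct layer *, void *, size_t);
    long (*write)(struct layer *, const void *, size_t);
    struct layer *next;   /* layer below; NULL at the transport */
    void *pvt;            /* per-layer private state */
} layer_t;
/* Transport layer: an in-memory socket so the example runs offline. */
typedef struct { unsigned char buf[512]; size_t wlen, rpos; } memsock_t;
static long mem_write(layer_t *l, const void *p, size_t n) {
    memsock_t *s = l->pvt;
    if (s->wlen + n > sizeof s->buf) return -1;
    memcpy(s->buf + s->wlen, p, n); s->wlen += n; return (long)n;
}
static long mem_read(layer_t *l, void *p, size_t n) {
    memsock_t *s = l->pvt;
    if (s->rpos + n > s->wlen) return -1;
    memcpy(p, s->buf + s->rpos, n); s->rpos += n; return (long)n;
}
/* Security layer: a 4-byte big-endian length precedes each wrapped token (the
 * SASL security-layer framing). XOR 0x5A is a stand-in for gss_wrap/unwrap. */
static long wrap_write(layer_t *l, const void *p, size_t n) {
    unsigned char hdr[4] = { n >> 24, n >> 16, n >> 8, n }, tok[256];
    if (n > sizeof tok) return -1;
    for (size_t i = 0; i < n; i++) tok[i] = ((const unsigned char *)p)[i] ^ 0x5A;
    if (l->next->write(l->next, hdr, 4) != 4) return -1;
    return l->next->write(l->next, tok, n);     /* layer below does the I/O */
}
static long wrap_read(layer_t *l, void *p, size_t n) {
    unsigned char hdr[4];
    if (l->next->read(l->next, hdr, 4) != 4) return -1;
    size_t len = ((size_t)hdr[0] << 24) | (hdr[1] << 16) | (hdr[2] << 8) | hdr[3];
    if (len > n) return -1;                     /* caller's buffer too small */
    if (l->next->read(l->next, p, len) != (long)len) return -1;
    for (size_t i = 0; i < len; i++) ((unsigned char *)p)[i] ^= 0x5A;
    return (long)len;
}
/* Push the security layer onto the transport, send msg down the stack and
 * read it back. Returns bytes recovered, -1 on error or wrong framing. */
long roundtrip(const char *msg, char *out, size_t outlen) {
    memsock_t sock = {0};
    layer_t transport = { mem_read, mem_write, NULL, &sock };
    layer_t secure = { wrap_read, wrap_write, &transport, NULL };
    size_t n = strlen(msg);
    if (secure.write(&secure, msg, n) != (long)n) return -1;
    if (sock.wlen != n + 4 || sock.buf[3] != (unsigned char)n) return -1;
    return secure.read(&secure, out, outlen);
}
static char out_buf[64];   /* constructed receive buffer for the demo */
```

Nothing in the transport layer changed to add the security layer, which is the point of the design: the wrapping lives entirely in the layer pushed on top.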