[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: gss_wrap/gss_unwrap sasl buffers?

Michael B Allen wrote:
Anyway, I have GSS-SPNEGO almost working (only wrapping outgoing
messages at the moment, unwrapping is tomorrow) but it required
modifying libldap and liblber. I added an ldap_set_inspect_hdlr
function that sets read/write callbacks. They're invoked in
sockbuf.c:{ber_int_sb_read,ber_int_sb_write} if Sockbuf has a handler
installed. The user must supply handler that read/write and "inspect"
the buffers possibly writing alternative data (ie the gss_wrap'd data).

The modifications were pretty simple and clean. Is there a better way?

Assuming that OpenLDAP was the appropriate home for such code (which it is not) the correct approach would be to write a new Sockbuf handler and push it onto the existing stack of handlers. That's how both SASL and TLS are implemented. Mucking with sockbuf.c itself is definitely the wrong way. The whole point of the sockbuf infrastructure is that it allows arbitrary processing layers to be stacked without having to modify any core code.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/