Re: gss_wrap/gss_unwrap sasl buffers?

[Howard Chu <hyc@symas.com>]

Michael B Allen wrote:
> Anyway, I have GSS-SPNEGO almost working (only wrapping outgoing
> messages at the moment, unwrapping is tomorrow) but it required
> modifying libldap and liblber. I added an ldap_set_inspect_hdlr
> function that sets read/write callbacks. They're invoked in
> sockbuf.c:{ber_int_sb_read,ber_int_sb_write} if Sockbuf has a handler
> installed. The user must supply handler that read/write and "inspect"
> the buffers possibly writing alternative data (ie the gss_wrap'd data).
>
> The modifications were pretty simple and clean. Is there a better way?

Assuming that OpenLDAP was the appropriate home for such code (which it is 
not) the correct approach would be to write a new Sockbuf handler and push it 
onto the existing stack of handlers. That's how both SASL and TLS are 
implemented. Mucking with sockbuf.c itself is definitely the wrong way. The 
whole point of the sockbuf infrastructure is that it allows arbitrary 
processing layers to be stacked without having to modify any core code.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/