On Sat, 27 Jan 2007 22:48:24 -0800 Howard Chu hyc@symas.com wrote:
Michael B Allen wrote:
Hi,
I need to gss_wrap/gss_unwrap all requests and responses into SASL buffers. Is there an existing method for doing that?
Otherwise, I suppose the best techniqure would be to allow the user to register an "inspect" callback that will be called with the data buffer just read from or wrtten to the network. I'm starting to look at the code now but if someone could give me a hint I would appreciate it.
libldap interfaces with libsasl. The SASL GSSAPI module already handles gss_wrap/gss_unwrap.
Your question doesn't provide enough context; give a broader explanation of what you're trying to do.
Mmm, I *think* you're talking about mechanism "GSSAPI". I'm doing "GSS-SPNEGO" which is little different. In particular, after the GSS-SPNEGO bind, requests and responses (e.g. searches) are wrapped with gss_wrap/gss_unwrap. That presents a problem because the current API doesn't seem to provide a method for accessing network buffers.
Anyway, I have GSS-SPNEGO almost working (only wrapping outgoing messages at the moment, unwrapping is tomorrow) but it required modifying libldap and liblber. I added an ldap_set_inspect_hdlr function that sets read/write callbacks. They're invoked in sockbuf.c:{ber_int_sb_read,ber_int_sb_write} if Sockbuf has a handler installed. The user must supply handler that read/write and "inspect" the buffers possibly writing alternative data (ie the gss_wrap'd data).
The modifications were pretty simple and clean. Is there a better way?
Do you guys want to support GSS-SPNEGO?
Mike