negotiate auth

Joe Orton joe at manyfish.co.uk
Tue Aug 5 09:58:08 EDT 2008


On Tue, Aug 05, 2008 at 01:47:15PM +0000, Milosz Kmieciak wrote:
> 2008/8/5 Joe Orton <joe at manyfish.co.uk>:
> > On Tue, Aug 05, 2008 at 12:22:11PM +0000, Milosz Kmieciak wrote:
> >> Hello,
> >>
> >> I am trying to use the negotiate auth mechanism (spnego + gss), and as I
> >> can see all gss-connected routines are in the ne_auth.c source code. My
> >> problem is: how can I set the mechanism oid (gss_OID gssmech field in
> >> auth_session)? I cannot even find where it is being set at init time
> >> (e.g. GSS_C_NO_OID).
> >
> > It's not set, it's left as GSS_C_NO_OID for gss_init_sec_context to
> > determine appropriately.
> 
> In my opinion, leaving gssmech unset (== NULL) is quite risky. I am
> not sure, but it does not mean that the gss implementation will choose
> GSS_C_NO_OID, and this can produce strange behavior.

This is required by the GSSAPI specification, AFAICT.  At least it 
specifies all the GSS_C_NO_* values as zero in the appendix:

http://tools.ietf.org/html/rfc2744#appendix-A

I guess that having neon explicitly initialize these would not be 
harmful; do you have a patch?

> > There is no API to change this, though I've wondered about adding an API
> > for some other GSSAPI options, notably whether or not to delegate
> > credentials.  Can you explain why/how you'd want to set the OID
> > differently?
> 
> So it would be nice to set gssmech explicitly, to the
> implementation's default mech or whatever you like (especially for
> testing). In my case I would like to set it to a custom mech (saml2),
> or the default one (spnego) in the worst case.

OK, I'd accept patches for this; it's unlikely I'll have time to do it myself.

I'm not sure how to design the API - ne_auth.h should not expose the 
underlying GSSAPI interfaces, so we'd need to pass the OID as a (char *, 
length) pair, I suppose?  Any suggestions there?

Regards, Joe
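As an added example (not neon's code and not from this thread), the sketch below shows what the "(char *, length) pair" API Joe floats would have to carry: the raw DER element bytes of a mechanism OID, which is exactly what a gss_OID_desc points at (length plus elements, per RFC 2744 section 3.3). It encodes a dotted OID string such as "1.3.6.1.5.5.2" (SPNEGO) into those bytes with a self-contained X.690 base-128 encoder, so it compiles without <gssapi/gssapi.h>; the local `oid_desc` struct is an assumed stand-in for gss_OID_desc, and `set_gssmech` is a hypothetical name for the setter being discussed, not an existing neon function. A zero-initialized `oid_desc` is the local analogue of GSS_C_NO_OID, which, as the reply notes, RFC 2744 defines as zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed stand-in for GSSAPI's gss_OID_desc (RFC 2744 section 3.3): a
 * length and a pointer to the DER element bytes of the OID, without the
 * ASN.1 tag/length prefix. Defined locally so this compiles without
 * <gssapi/gssapi.h>. An all-zero value plays the role of GSS_C_NO_OID. */
typedef struct {
    uint32_t length;
    void *elements;
} oid_desc;

/* Encode a dotted-decimal OID string (e.g. "1.3.6.1.5.5.2", the SPNEGO
 * mechanism OID) into raw OID element bytes using X.690 base-128 arcs.
 * Returns the number of bytes written, or -1 on malformed input or a
 * buffer that is too small. */
int oid_from_dotted(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned long arcs[32];
    size_t narcs = 0;
    const char *p = dotted;

    /* Parse the arcs; reject empty arcs, trailing dots and non-digits. */
    while (*p) {
        if (*p < '0' || *p > '9') return -1;
        unsigned long v = 0;
        while (*p >= '0' && *p <= '9') {
            v = v * 10 + (unsigned long)(*p - '0');
            p++;
        }
        if (narcs >= 32) return -1;
        arcs[narcs++] = v;
        if (*p == '.') {
            p++;
            if (!*p) return -1;
        } else if (*p) {
            return -1;
        }
    }
    /* X.690: first arc is 0..2, and second arc is 0..39 when first is 0 or 1. */
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return -1;

    size_t n = 0;
    for (size_t i = 1; i < narcs; i++) {
        /* First two arcs are folded into one value: 40 * arc0 + arc1. */
        unsigned long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[10];
        int k = 0;
        do {                              /* least-significant 7-bit group first */
            tmp[k++] = (unsigned char)(v & 0x7f);
            v >>= 7;
        } while (v);
        while (k-- > 0) {                 /* emit most-significant group first */
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0));
        }
    }
    return (int)n;
}

/* Hypothetical shape for the setter discussed in the thread: the caller
 * hands over the OID as an opaque (bytes, length) pair and never sees a
 * gss_OID type. The bytes are copied so the caller keeps ownership of its
 * buffer. Returns 0 on success, -1 on a bad length or allocation failure. */
int set_gssmech(oid_desc *mech, const unsigned char *elements, size_t len)
{
    if (len == 0 || len > 64) return -1;  /* sanity bound on mechanism OIDs */
    unsigned char *copy = malloc(len);
    if (!copy) return -1;
    memcpy(copy, elements, len);
    free(mech->elements);                 /* replace any previously set mech */
    mech->elements = copy;
    mech->length = (uint32_t)len;
    return 0;
}

/* True when the descriptor is still the zero value, i.e. "no OID set". */
int is_no_oid(const oid_desc *mech)
{
    return mech->length == 0 && mech->elements == NULL;
}

int main(void)
{
    unsigned char buf[64];
    oid_desc mech = { 0, NULL };          /* starts out as "no OID" */
    int n = oid_from_dotted("1.3.6.1.5.5.2", buf, sizeof buf);
    if (n < 0 || set_gssmech(&mech, buf, (size_t)n) != 0) return 1;
    printf("SPNEGO mech OID, %u element bytes:", mech.length);
    for (uint32_t i = 0; i < mech.length; i++)
        printf(" %02x", ((unsigned char *)mech.elements)[i]);
    printf("\n");
    free(mech.elements);
    return 0;
}
```

The encoder is the piece a caller would otherwise have to get right by hand: handing the library a dotted string, or the DER bytes with their tag and length still attached, would not match what gss_init_sec_context expects in a gss_OID.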


