negotiate auth
Milosz Kmieciak
milosz at kmieciak.eu
Tue Aug 5 10:41:01 EDT 2008
2008/8/5 Joe Orton <joe at manyfish.co.uk>:
>> In my opinion leaving gssmech not set (==NULL) is quite risky. I am
>> not sure, but it does not mean that the GSS implementation will choose
>> GSS_C_NO_OID, and this can produce strange behavior.
>
> This is required by the GSSAPI specification, AFAICT. At least it
> specifies all the GSS_C_NO_* values as zero in the appendix:
>
OK, you are right. As it appears, for Heimdal the default mech is not
SPNEGO but krb; that's why the if-condition checks mech_oid ==
NULL. Adding GSS_C_NO_OID is not necessary then.
>> > There is no API to change this, though I've wondered about adding an API
>> > for some other GSSAPI options, notably whether or not to delegate
>> > credentials. Can you explain why/how you'd want to set the OID
>> > differently?
>>
>> So it would be nice to set gssmech explicitly, to the
>> implementation's default mech or whatever you like (especially for
>> testing). In my case I would like to set it to a custom mech (saml2),
>> or to the default one (spnego) in the worst case.
>
> OK, I'd accept patches for this, unlikely I have time to do it myself.
>
> I'm not sure how to design the API - ne_auth.h should not expose the
> underlying GSSAPI interfaces, so we'd need to pass the OID as a (char *,
> length) pair, I suppose? Any suggestions there?
Hmm, this could be problematic here: the developer has to be sure which
OIDs are accessible. In my case I had to list all OIDs; Heimdal
changes the OID from /etc/gss/mech to its own representation (I couldn't
find out why). Once I've done that, I check whether the OIDs I demand can
be used on the current system. This is how I do it right now:
#include <stdlib.h>
#include <gssapi/gssapi.h>

/*
 * Does not copy arr, so be careful: arr must outlive the returned OID,
 * and free the returned struct (not arr through it) when no longer needed.
 */
gss_OID
build_oid_from_array(OM_uint32 l, const unsigned char *arr) {
    gss_OID p_oid;
    p_oid = malloc(sizeof(*p_oid));
    if (p_oid == NULL)
        return NULL;
    p_oid->elements = (void *)arr;
    p_oid->length = l;
    return p_oid;
}
and then:
// build SPNEGO oid (spnego_arr holds the DER-encoded OID bytes, SPNEGO_OID_L their count)
p_oid_spnego = build_oid_from_array(SPNEGO_OID_L, spnego_arr);
// check if we have SPNEGO oid; p_oid_set is the mech set to test against
// (e.g. the one returned by gss_indicate_mechs()); ret receives the minor status
maj = gss_test_oid_set_member(&ret, p_oid_spnego, p_oid_set, &has_spnego);
if (GSS_ERROR(maj))
    has_spnego = 0;  // fail closed: a failed membership test means "not available"
This could be combined into one function.
Cheers
--
Milosz Kmieciak
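The following is an added example, not neon's code and not the poster's. It shows the two steps the message above glues together: turning a dotted OID string (the form a mech config file or a (char *, length) API would carry) into the DER contents octets that a gss_OID actually holds, and testing that OID for membership in a mechanism set the way gss_test_oid_set_member() does. It uses a local oid_desc stand-in and a constructed two-entry set (krb5 and SPNEGO) instead of gssapi.h and gss_indicate_mechs(), so it compiles and runs without a GSSAPI library; those are assumptions, as are the helper names. Unlike a builder that aliases the caller's array, oid_from_dotted() copies the bytes, so the source buffer need not outlive the OID.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for gss_OID_desc (assumption: no GSSAPI headers here).
 * elements holds the DER contents octets of the OID, as gss_OID does. */
typedef struct {
    uint32_t length;
    unsigned char *elements;
} oid_desc;

/* DER contents of two well-known mechanism OIDs (constructed reference data). */
static const unsigned char SPNEGO_DER[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };                   /* 1.3.6.1.5.5.2 */
static const unsigned char KRB5_DER[]   = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }; /* 1.2.840.113554.1.2.2 */

/* Encode a dotted OID ("1.3.6.1.5.5.2") into DER contents octets in buf.
 * The first two arcs pack as 40*a+b; each arc is written base-128 with the
 * high bit set on all but its last byte. Returns the byte count, or -1 on
 * malformed input or a too-small buffer. */
int oid_encode(const char *dotted, unsigned char *buf, size_t buflen) {
    unsigned long arcs[32];
    size_t n = 0, out = 0;
    const char *p = dotted;

    while (*p) {
        char *end;
        unsigned long v;
        if (n >= sizeof arcs / sizeof arcs[0]) return -1;
        if (*p < '0' || *p > '9') return -1;          /* reject signs, spaces, junk */
        v = strtoul(p, &end, 10);
        arcs[n++] = v;
        if (*end == '.') { if (end[1] == '\0') return -1; p = end + 1; }
        else if (*end == '\0') p = end;
        else return -1;
    }
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return -1;

    for (size_t i = 1; i < n; i++) {
        unsigned long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[10];                         /* enough for a 64-bit arc */
        int k = 0;
        do { tmp[k++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
        if (out + (size_t)k > buflen) return -1;
        while (k--) buf[out++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0));
    }
    return (int)out;
}

/* Allocate an OID that owns a copy of its bytes. Pair with oid_free(). */
oid_desc *oid_from_dotted(const char *dotted) {
    unsigned char tmp[64];
    int n = oid_encode(dotted, tmp, sizeof tmp);
    oid_desc *o;
    if (n < 0) return NULL;
    o = malloc(sizeof *o);
    if (o == NULL) return NULL;
    o->elements = malloc((size_t)n);
    if (o->elements == NULL) { free(o); return NULL; }
    memcpy(o->elements, tmp, (size_t)n);
    o->length = (uint32_t)n;
    return o;
}

void oid_free(oid_desc *o) {
    if (o) { free(o->elements); free(o); }
}

int oid_equal(const oid_desc *a, const oid_desc *b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Plain-array analogue of gss_test_oid_set_member(): 1 if present, else 0. */
int oid_set_contains(const oid_desc *member, const oid_desc *set, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (oid_equal(member, &set[i])) return 1;
    return 0;
}

/* Does dotted encode to exactly the n bytes in expect? */
int oid_encodes_to(const char *dotted, const unsigned char *expect, size_t n) {
    unsigned char buf[64];
    int got = oid_encode(dotted, buf, sizeof buf);
    return got == (int)n && memcmp(buf, expect, n) == 0;
}

/* Is the mech given in dotted form in a constructed "available mechs" set
 * holding only krb5 and SPNEGO (standing in for gss_indicate_mechs() output)?
 * Returns 1 = present, 0 = absent, -1 = malformed OID. */
int mech_available(const char *dotted) {
    const oid_desc set[2] = {
        { sizeof KRB5_DER,   (unsigned char *)KRB5_DER },
        { sizeof SPNEGO_DER, (unsigned char *)SPNEGO_DER },
    };
    oid_desc *want = oid_from_dotted(dotted);
    int present;
    if (want == NULL) return -1;
    present = oid_set_contains(want, set, 2);
    oid_free(want);
    return present;
}

int main(void) {
    const char *mechs[] = {
        "1.3.6.1.5.5.2",           /* SPNEGO */
        "1.2.840.113554.1.2.2",    /* krb5 */
        "1.3.6.1.4.1.311.2.2.10",  /* NTLMSSP: valid OID, not in the constructed set */
        "1.3.x"                    /* malformed */
    };
    for (size_t i = 0; i < sizeof mechs / sizeof mechs[0]; i++)
        printf("%-24s -> %d\n", mechs[i], mech_available(mechs[i]));
    return 0;
}
```

Against a real GSSAPI, the set passed to the membership test would come from gss_indicate_mechs(), and both major and minor status of gss_test_oid_set_member() should be checked rather than assuming the out-parameter was written; the -1 path above is the equivalent of rejecting an OID string before it ever reaches the library.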