You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2017/07/13 13:25:00 UTC

[jira] [Commented] (PROTON-1486) Proton(-J) provides no mechanism to get or set the additional-data field on sasl-outcome

    [ https://issues.apache.org/jira/browse/PROTON-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16085691#comment-16085691 ] 

Alex Rudyy commented on PROTON-1486:
------------------------------------

We looked into proton-c implementation and identified that following changes that need to be made there:

h3. Proton public API

# The object returned by {{pn_sasl}} needs to be changed to allow additional-data to be sent/recv by an application using Proton.  At the moment the send/recv functions are used for the sending/receiving of challenge data, I think the same mechanism should be used to all the addition-data to be passed to.

h3. Proton/SASL integration
# {{pn_do_outcome}} needs to pass {{additional-data}} to {{pni_sasl_impl_process_outcome}} 
# {{pni_sasl_impl_process_outcome}} prototype needs to be change to take the additional-data (which may be null) {{pni_sasl_impl_process_outcome(pn_transport_t *transport, const pn_bytes_t *additional_data)}}
# Plugin API needs to be: {{void (*process_outcome)(pn_transport_t *transport, const pn_bytes_t *additional_data)}}

h3. CyrusSASL proton plugin
#  {{cyrus_sasl_process_outcome}} needs to call {{pni_wrap_client_step}} unconditionally (as per sasl documentation)  passing the additional data if present. Handle the result (if result is anything other than SASL_OK, the authentication must be made to fail)



> Proton(-J) provides no mechanism to get or set the additional-data field on sasl-outcome
> ----------------------------------------------------------------------------------------
>
>                 Key: PROTON-1486
>                 URL: https://issues.apache.org/jira/browse/PROTON-1486
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>            Reporter: Rob Godfrey
>            Assignee: Keith Wall
>         Attachments: PROTON_1486.patch
>
>
> The Proton Engine API provides no mechanism for getting or setting the additional-data field on sasl-outcome.
> Some SASL mechanisms (e.g. SCRAM-SHA-\*) send additional data along with the outcome (in the case of SCRAM-SHA-\* the additional data is a proof that the server is also aware of the credentials and is not simply just accepting any credential data as part of some sort of attack).
> One approach for the API would be to expose the additional-data field using the send/recv/pending methods used for exchanging the challenge/response in the earlier phases of the sasl exchange.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org