Posted to dev@subversion.apache.org by Joe Orton <jo...@manyfish.co.uk> on 2003/07/23 09:04:00 UTC

Re: [neon] [PATCH] GSSAPI support for neon

Hi, thanks for sending this in.  I've done the autoconf stuff, but with
an MIT Kerberos v5 (1.2.7) installation, I get this compiler error:

ne_auth.c: In function `get_gss_name':
ne_auth.c:318: `GSS_C_NT_HOSTBASED_SERVICE' undeclared (first use in this function)
ne_auth.c:318: (Each undeclared identifier is reported only once
ne_auth.c:318: for each function it appears in.)

is a newer version required?

I've attached a slightly cleaned up version of your patch; can you test
this? It looks like this is only useful for authentication to the origin
server, and not to a proxy, so the code should ignore a GSS-Negotiate
challenge in a 407 response.

Regards,

joe


Re: [neon] [PATCH] GSSAPI support for neon

Posted by RISKO Gergely <ri...@risko.hu>.
Hello!

And here comes the log for the new version:
 * macros/gssapi.m4: new file, gssapi/kerberos checker function
 * macros/neon.m4: adding gssapi/kerberos checking, work with heimdal
                   and mit also, can be disabled with --without-gss
 * src/Makefile.in
   Added -lgssapi to LIBS. One should make a --with(out)-gssapi for
   autoconf, but I can't...
 * src/ne_auth.c (every change ifdefed with HAVE_GSSAPI)
   including errno.h and gssapi.h
   (auth_scheme enum): auth_scheme_gssapi added. (not ifdefed)
   (auth_session struct): added char* gssapi_token.
   (request_gssapi): new function, sends the gssapi_token.
   (get_gss_name): new function, internal for gssapi.
   (gssapi_challenge): new function, produces the gssapi_token.
   (tokenize): fix the bug when the string to tokenize is: "GSS-Authenticate"
   (auth_challenge): added GSSAPI.
   (ah_pre_send): added GSSAPI to the switch.
   (log_gss_error): new function, for logging
   (clean_session): NE_FREE(sess->gssapi_token); added.    
 * src/ne_string.c
   (ne_base64): fixed the wrong algorithm, which only worked for 7bit strings

I hope this version of the patch will be good enough to go to the
main trunk.

Gergely

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [neon] [PATCH] GSSAPI support for neon

Posted by RISKO Gergely <ri...@risko.hu>.
>> Thanks for your patch, here is our product of the day.
>> 
>> The base64 modification is required to work, so please apply it too!
>
> I forgot to mention - this was fixed already in neon 0.24.0. (the fix
> was simply to make the input buffer "unsigned")

Hmmm, it's a bit simpler...

> The new log_gss_error function is a lot of effort just for debugging
> output.  If you really want this can you indent the code properly,
> surround it with #ifdef NE_DEBUGGING, and try and simplify it? Could it
> just progressively print the result of each call to gss_display_status
> rather than trying to buffer it all up?

You're right, but I haven't got time now to write a better one; I will
(hopefully) do it on a nice day. Drop it for now, but please change
    if (GSS_ERROR(major_status)) {
        return -1;
    }
with
    if (GSS_ERROR(major_status)) {
        NE_DEBUG(NE_DBG_HTTPAUTH, "GSSAPI Failed.\n");
        return -1;
    }
then.

> Attached a new combined attempt, with log_gss_error removed for the
> moment.  Can you test this as well? I'll commit this if you confirm it
> works.

It works.

The other bug in the feature request can be worked around on the
server side with an ugly apache2 config. If anybody wants it, mail me.

Gergely


Re: [neon] [PATCH] GSSAPI support for neon

Posted by Joe Orton <jo...@manyfish.co.uk>.
On Wed, Jul 23, 2003 at 07:34:37PM +0200, RISKO Gergely wrote:
> Thanks for your patch, here is our product of the day.
> 
> The base64 modification is required to work, so please apply it too!

I forgot to mention - this was fixed already in neon 0.24.0. (the fix
was simply to make the input buffer "unsigned")

> The configure script is now ready for new MIT (with the krb5-config
> binary at least) and Heimdal. You have to run ./autogen.sh.

That looks overengineered to just check for gssapi.h in two places; I
extended my code to do this, and added a workaround for the lack of
GSS_C_NT_HOSTBASED_SERVICE in MIT Kerberos. (which works for me insofar
as it compiles and links)

> We couldn't try out the MIT version, only compile it (with MIT
> libs 1.3), because we haven't got MIT Kerberos infrastructure. With
> Heimdal it also compiles & works, tested.

The new log_gss_error function is a lot of effort just for debugging
output.  If you really want this can you indent the code properly,
surround it with #ifdef NE_DEBUGGING, and try and simplify it? Could it
just progressively print the result of each call to gss_display_status
rather than trying to buffer it all up?

Attached a new combined attempt, with log_gss_error removed for the
moment.  Can you test this as well? I'll commit this if you confirm it
works.

Regards,

joe
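
The base64 defect discussed in this thread (an encoder that only worked for 7-bit input, fixed by making the input buffer unsigned), shown as an added illustration that is not neon's code and not part of any message. The function names, the as_signed switch and the sample bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Widen byte i to int the way a signed or an unsigned buffer would. */
static int load(const void *buf, size_t i, size_t len, int as_signed)
{
    if (i >= len)
        return 0;                       /* padding position */
    return as_signed ? ((const signed char *)buf)[i]
                     : ((const unsigned char *)buf)[i];
}

/* Base64-encode len bytes into out (needs 4 * ((len + 2) / 3) + 1 bytes).
 * The "& 0x3f" is added for this demo so that a negative widened byte gives
 * a wrong character instead of an out-of-bounds table read. */
static char *encode(const void *buf, size_t len, int as_signed, char *out)
{
    char *p = out;
    size_t i;

    for (i = 0; i < len; i += 3, p += 4) {
        int a = load(buf, i, len, as_signed);
        int b = load(buf, i + 1, len, as_signed);
        int c = load(buf, i + 2, len, as_signed);

        p[0] = b64[(a >> 2) & 0x3f];
        p[1] = b64[(((a & 0x03) << 4) | (b >> 4)) & 0x3f];
        p[2] = i + 1 < len ? b64[(((b & 0x0f) << 2) | (c >> 6)) & 0x3f] : '=';
        p[3] = i + 2 < len ? b64[c & 0x3f] : '=';
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: 0x60 is the tag that opens a GSSAPI initial token;
     * the other bytes are arbitrary and include values above 0x7f. */
    static const unsigned char token[] = { 0x60, 0x82, 0x01, 0xf4 };
    char bad[16], good[16];

    printf("signed buffer:   %s\n", encode(token, sizeof token, 1, bad));
    printf("unsigned buffer: %s\n", encode(token, sizeof token, 0, good));
    return strcmp(bad, good) == 0;      /* nonzero exit if they agree */
}
```

Pure ASCII input encodes identically either way, which is why such a bug stays hidden until binary data such as a GSSAPI token is encoded.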

Re: [neon] [PATCH] GSSAPI support for neon

Posted by RISKO Gergely <ri...@risko.hu>.
Hi!

> Hi, thanks for sending this in.  I've done the autoconf stuff, but with
> an MIT Kerberos v5 (1.2.7) installation, I get this compiler error:
>
> ne_auth.c: In function `get_gss_name':
> ne_auth.c:318: `GSS_C_NT_HOSTBASED_SERVICE' undeclared (first use in this function)
> ne_auth.c:318: (Each undeclared identifier is reported only once
> ne_auth.c:318: for each function it appears in.)
>
> is a newer version required?
>
> I've attached a slightly cleaned up version of your patch; can you test
> this? It looks like this is only useful for authentication to the origin
> server, and not to a proxy, so the code should ignore a GSS-Negotiate
> challenge in a 407 response.

Thanks for your patch, here is our product of the day.

The base64 modification is required to work, so please apply it too!
The configure script is now ready for new MIT (with the krb5-config
binary at least) and Heimdal. You have to run ./autogen.sh.

We couldn't try out the MIT version, only compile it (with MIT
libs 1.3), because we haven't got MIT Kerberos infrastructure. With
Heimdal it also compiles & works, tested.

Thanks,
Burjan Gabor, Risko Gergely