[ https://issues.apache.org/jira/browse/PROTON-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16085691#comment-16085691 ]

Alex Rudyy commented on PROTON-1486:
------------------------------------

We looked into the proton-c implementation and identified the following changes 
that need to be made there:

h3. Proton public API

# The object returned by {{pn_sasl}} needs to be changed to allow 
additional-data to be sent/received by an application using Proton. At the moment 
the send/recv functions are used for sending/receiving challenge data; I 
think the same mechanism should be used to allow the additional-data to be passed 
too.

h3. Proton/SASL integration
# {{pn_do_outcome}} needs to pass {{additional-data}} to 
{{pni_sasl_impl_process_outcome}} 
# The {{pni_sasl_impl_process_outcome}} prototype needs to be changed to take the 
additional-data (which may be null): 
{{pni_sasl_impl_process_outcome(pn_transport_t *transport, const pn_bytes_t 
*additional_data)}}
# Plugin API needs to be: {{void (*process_outcome)(pn_transport_t *transport, 
const pn_bytes_t *additional_data)}}

h3. CyrusSASL proton plugin
# {{cyrus_sasl_process_outcome}} needs to call {{pni_wrap_client_step}} 
unconditionally (as per the SASL documentation), passing the additional data if 
present, and handle the result (if the result is anything other than SASL_OK, the 
authentication must be made to fail).



> Proton(-J) provides no mechanism to get or set the additional-data field on 
> sasl-outcome
> ----------------------------------------------------------------------------------------
>
>                 Key: PROTON-1486
>                 URL: https://issues.apache.org/jira/browse/PROTON-1486
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>            Reporter: Rob Godfrey
>            Assignee: Keith Wall
>         Attachments: PROTON_1486.patch
>
>
> The Proton Engine API provides no mechanism for getting or setting the 
> additional-data field on sasl-outcome.
> Some SASL mechanisms (e.g. SCRAM-SHA-*) send additional data along with the 
> outcome (in the case of SCRAM-SHA-* the additional data is a proof that the 
> server is also aware of the credentials and is not simply accepting any 
> credential data as part of some sort of attack).
> One approach for the API would be to expose the additional-data field using 
> the send/recv/pending methods used for exchanging the challenge/response in 
> the earlier phases of the sasl exchange.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
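The issue description and the comment above both turn on one point: with SCRAM-SHA-* the server's final message ("v=<base64 ServerSignature>") is carried in the additional-data field of sasl-outcome, and a client that cannot see that field has nothing to verify the server against. The following is an added example, not Qpid Proton code: a self-contained SCRAM-SHA-256 (RFC 5802 / RFC 7677) client and server in Python, plus a constructed impostor server that accepts any proof without knowing the password. The user name, password and server classes are made up for illustration; `authenticate` runs the four-message exchange and returns whether the client accepts the session, with a flag that models a client which never gets to look at additional-data.

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677) exchange, modelled end to end.

Added example, not Qpid Proton code.  The honest server's "v=..." message is
what an AMQP peer would carry in the additional-data field of sasl-outcome."""
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 4096


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(message: str) -> dict:
    """Parses 'k=v,k=v' SCRAM attributes (values may themselves contain '=')."""
    return dict(kv.split("=", 1) for kv in message.split(","))


def derive_keys(password: str, salt: bytes, iterations: int):
    """Returns (ClientKey, StoredKey, ServerKey) per RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")


class ScramServer:
    """Honest server: holds StoredKey/ServerKey, so it can sign the AuthMessage."""

    def __init__(self, user: str, password: str):
        self.user, self.salt = user, os.urandom(16)
        _, self.stored_key, self.server_key = derive_keys(password, self.salt, ITERATIONS)

    def server_first(self, client_first_bare: str) -> str:
        self.client_first_bare = client_first_bare
        self.nonce = _attrs(client_first_bare)["r"] + secrets.token_urlsafe(18)
        self.first = f"r={self.nonce},s={base64.b64encode(self.salt).decode()},i={ITERATIONS}"
        return self.first

    def outcome(self, client_final: str):
        """Returns (accepted, additional_data): the two fields of sasl-outcome."""
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if not without_proof.endswith(f",r={self.nonce}"):
            return False, None
        auth_message = f"{self.client_first_bare},{self.first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            return False, None
        return True, b"v=" + base64.b64encode(_hmac(self.server_key, auth_message))


class RogueServer:
    """Constructed impostor: knows no password, accepts every proof, and can only
    put noise where the ServerSignature belongs."""

    def server_first(self, client_first_bare: str) -> str:
        nonce = _attrs(client_first_bare)["r"] + secrets.token_urlsafe(18)
        salt = base64.b64encode(os.urandom(16)).decode()
        return f"r={nonce},s={salt},i={ITERATIONS}"

    def outcome(self, client_final: str):
        return True, b"v=" + base64.b64encode(os.urandom(32))


class ScramClient:
    def __init__(self, user: str, password: str):
        self.password, self.cnonce = password, secrets.token_urlsafe(18)
        self.first_bare = f"n={user},r={self.cnonce}"

    def client_first(self) -> str:
        return "n,," + self.first_bare  # gs2-header "n,,": no channel binding

    def client_final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend the client nonce")
        client_key, stored_key, server_key = derive_keys(
            self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        without_proof = f"c=biws,r={attrs['r']}"  # biws = base64("n,,")
        auth_message = f"{self.first_bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(stored_key, auth_message))
        # The value an honest server must return in sasl-outcome additional-data.
        self.expected_v = b"v=" + base64.b64encode(_hmac(server_key, auth_message))
        return f"{without_proof},p={base64.b64encode(proof).decode()}"

    def check_outcome(self, accepted: bool, additional_data, verify: bool = True) -> bool:
        if not accepted:
            return False
        if not verify:  # a client that never sees additional-data can only trust 'accepted'
            return True
        return additional_data is not None and hmac.compare_digest(additional_data, self.expected_v)


def authenticate(client: ScramClient, server, verify_additional_data: bool = True) -> bool:
    """Runs the four-message exchange; True if the client accepts the session."""
    server_first = server.server_first(client.client_first()[3:])  # strip gs2-header
    accepted, additional_data = server.outcome(client.client_final(server_first))
    return client.check_outcome(accepted, additional_data, verify_additional_data)
```

Against the honest server the exchange succeeds, and a wrong password is rejected by the server as expected. Against the impostor the outcome arrives as "accepted" either way; only the client that compares additional-data with its own computed ServerSignature notices that the peer never knew the credentials, which is exactly the check a Proton client cannot perform while the field is unreachable.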
