jabber + sasl/gssapi (was: [Gaim-commits] CVS: gaim/src/protocols/jabber auth.c,1.42,1.43)

Stu Tomlinson stu at nosnilmot.com
Wed Oct 24 17:01:34 EDT 2007


On Wed, 2007-10-24 at 21:55 +0100, Simon Wilkinson wrote:
> The change is in relation to whether you send an authorization  
> identity, or not. In general, where the authorization identity can be  
> derived from the authentication identity, the authz identity should  
> not be sent. Unfortunately, SASL's interaction with Jabber is poorly  
> enough specified that it's not clear when this is the case (is the  
> authorization identity the username, or the JID, for example). We're  
> still sending an authentication identity (in response to the AUTHNAME  
> callback), which is why this should work for the trivial case.

Greg & Simon, thanks for the quick and informative responses.

> However, other bits of this patch appear to be interesting
> 
<snip>
> 
> This enables security layers for both SSL and normal connections.  
> Does the security layer chaining now work correctly with SSL  
> connections?

That patch I quoted was nearly 2 years old; there have been other
changes (several from you IIRC) since then, and that code now looks like:

    /* Set up security properties and options */
    secprops.min_ssf = 0;
    secprops.security_flags = SASL_SEC_NOANONYMOUS;

    if (!js->gsc) {
        secprops.max_ssf = -1;
        secprops.maxbufsize = 4096;
        plaintext = purple_account_get_bool(js->gc->account,
                                            "auth_plain_in_clear", FALSE);
        if (!plaintext)
            secprops.security_flags |= SASL_SEC_NOPLAINTEXT;
    } else {
        secprops.max_ssf = 0;
        secprops.maxbufsize = 0;
        plaintext = TRUE;
    }
    secprops.property_names = 0;
    secprops.property_values = 0;

I'm not at all familiar with this but hopefully that clears things up
for you ... :)

Regards,


Stu.
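
An added illustration, not part of the message above or of the project's code: a simplified model of how the security properties quoted in the message filter mechanisms and cap the SASL security layer with and without TLS. The flag values, the mechanism table and the names `make_props` and `layer_ssf` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Model flag values standing in for Cyrus SASL's SASL_SEC_* constants. */
#define SEC_NOPLAINTEXT 0x1u
#define SEC_NOANONYMOUS 0x2u
struct props { unsigned min_ssf, max_ssf, flags; };
struct mech  { const char *name; unsigned max_ssf, guarantees; };

/* Constructed table: SSF ceilings and guarantees are illustrative. */
static const struct mech MECHS[] = {
    { "PLAIN",      0,   SEC_NOANONYMOUS },
    { "ANONYMOUS",  0,   SEC_NOPLAINTEXT },
    { "DIGEST-MD5", 128, SEC_NOPLAINTEXT | SEC_NOANONYMOUS },
    { "GSSAPI",     56,  SEC_NOPLAINTEXT | SEC_NOANONYMOUS },
};

/* Same branches as the quoted code; tls_active plays the role of js->gsc. */
struct props make_props(int tls_active, int plain_in_clear)
{
    struct props p = { 0, 0, SEC_NOANONYMOUS };
    if (!tls_active) {
        p.max_ssf = (unsigned)-1;  /* -1 in an unsigned field: no ceiling */
        if (!plain_in_clear)
            p.flags |= SEC_NOPLAINTEXT;
    }
    return p;  /* under TLS max_ssf stays 0: no SASL layer inside TLS */
}

/* SSF of the SASL layer the mechanism could negotiate, or -1 if filtered out. */
int layer_ssf(int tls_active, int plain_in_clear, const char *name)
{
    struct props p = make_props(tls_active, plain_in_clear);
    for (size_t i = 0; i < sizeof MECHS / sizeof MECHS[0]; i++) {
        const struct mech *m = &MECHS[i];
        if (strcmp(m->name, name) != 0) continue;
        /* Must give every required guarantee and be able to reach min_ssf. */
        if ((p.flags & ~m->guarantees) != 0 || m->max_ssf < p.min_ssf) return -1;
        return (int)(m->max_ssf < p.max_ssf ? m->max_ssf : p.max_ssf);
    }
    return -1;
}

int main(void)
{
    for (size_t i = 0; i < sizeof MECHS / sizeof MECHS[0]; i++)
        printf("%-10s no-TLS:%4d  TLS:%4d\n", MECHS[i].name,
               layer_ssf(0, 0, MECHS[i].name), layer_ssf(1, 0, MECHS[i].name));
    return 0;
}
```

In this model PLAIN is refused on a cleartext connection unless `auth_plain_in_clear` is set, and under TLS every surviving mechanism is capped at a layer strength of 0, so no SASL layer is stacked inside the TLS session.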



