通过Cyrus SASL使用外部机制

Question

Cyrus SASL api不支持外部机制吗？我尝试将它用作客户端，但当被请求时，它返回SASL_NOMECH。

% cat cyrus_sal_ex.c
/* cyrus_sasl_ex.c: Example of using the Cyrus SASL api */
#include <stdio.h>      /* for printf() */
#include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */

static char const * SASL_return_code(int const code) 
{
  switch(code) 
  {
    /* ... */
    case SASL_OK:     return "SASL_OK[0]: successful result";
    /* ... */
    case SASL_NOMECH: return "SASL_NOMECH[-4]: mechanism not supported";
    /* ... */
  }
  return "unrecognized";
}

int main()
{
  char const *  output = NULL;
  unsigned      outlen = 0;
  char const *  mechanism = NULL;
  sasl_conn_t * conn;

# define PRINT_RESULT( x ) do\
  {\
    int const __result = (x);\
    printf("%s == %d\n\t%s\n", #x, __result, SASL_return_code(__result));\
    if (__result < 0) goto done;\
  }\
  while (0)

  PRINT_RESULT( sasl_client_init( NULL ) );
  PRINT_RESULT( sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) );
  PRINT_RESULT( sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) );

done:
# undef PRINT_RESULT
  printf("output: [%d bytes] : %s\n", outlen, (output ? output : "NULL") );
  printf("mechanism: %s\n", (mechanism ? mechanism : "NULL"));

  return 0;
}
% gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex # your header/library locations may vary
% ./cyrus_sasl_ex
sasl_client_init( NULL ) == 0
        SASL_OK[0]: successful result
sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) == 0
        SASL_OK[0]: successful result
sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) == -4
        SASL_NOMECH[-4]: mechanism not supported
output: [0 bytes] : NULL
mechanism: EXTERNAL
%

我浏览了一下source，看起来所有的客户端都应该支持外部机制：

cyrus-sasl-2.1.22/lib/client.c:
196 int sasl_client_init(const sasl_callback_t *callbacks)
197 {
...
227
228   sasl_client_add_plugin("EXTERNAL", &external_client_plug_init);
229

所以我猜我做错了什么。我尝试将我能想到的所有sasl_callback_t都添加到sasl_client_*()中，但它们都没有被调用。是否有一些我应该传递的参数来断言外部是一种可接受的机制？或者，对于似乎不正确的外部- b/c，总是返回SASL_NOMECH。

有人能帮我吗？

Answer 1

好了，我找到左边的那一步了。

根据sasl/sasl.h的说法，我需要首先为我的sasl_conn_t设置SASL_AUTH_EXTERNAL属性：

/* set property in SASL connection state
 * returns:
 *  SASL_OK       -- value set
 *  SASL_BADPARAM -- invalid property or value
 */
LIBSASL_API int sasl_setprop(sasl_conn_t *conn,
                 int propnum,
                 const void *value);
#define SASL_SSF_EXTERNAL  100  /* external SSF active (sasl_ssf_t *) */
#define SASL_SEC_PROPS     101  /* sasl_security_properties_t */
#define SASL_AUTH_EXTERNAL 102  /* external authentication ID (const char *) */

/* If the SASL_AUTH_EXTERNAL value is non-NULL, then a special version of the
 * EXTERNAL mechanism is enabled (one for server-embedded EXTERNAL mechanisms).
 * Otherwise, the EXTERNAL mechanism will be absent unless a plug-in
 * including EXTERNAL is present.
 */

一旦我这样做了，剩下的就解决了：

% cat cyrus_sasl_ex.c
/* Example of using the Cyrus SASL api */
#include <stdio.h>          /* for printf() */
#include <sasl/sasl.h>  /* for sasl_client_*(), SASL_*, sasl_*_t */

int main()
{
    char const *    output = NULL;
    unsigned            outlen = 0;
    char const *    mechanism = NULL;
    sasl_conn_t * conn;

#   define PRINT_RESULT( x ) do\
    {\
        int const __result = (x);\
        printf("%s == %d\n\t%s\n", #x, __result, sasl_errstring(__result,NULL,NULL));\
        if (__result < 0) goto done;\
    }\
    while (0)

    PRINT_RESULT( sasl_client_init( NULL ) );
    PRINT_RESULT( sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) );
    PRINT_RESULT( sasl_setprop( conn, SASL_AUTH_EXTERNAL, "fake authority" ) );
    PRINT_RESULT( sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) );

done:
#   undef PRINT_RESULT
    printf("output: [%d bytes] : %s\n", outlen, (output ? output : "NULL") );
    printf("mechanism: %s\n", (mechanism ? mechanism : "NULL"));

    return 0;
}
% gcc -I/sw/include -L/sw/lib -lsasl2 cyrus_sasl_ex.c -o cyrus_sasl_ex
% ./cyrus_sasl_ex
sasl_client_init( NULL ) == 0
        successful result
sasl_client_new( "fake", "fakey.mcfaker.ton", "127.0.0.1", "127.255.255.1", NULL, 0, &conn) == 0
        successful result
sasl_setprop( conn, SASL_AUTH_EXTERNAL, "fake authority" ) == 0
        successful result
sasl_client_start( conn, "EXTERNAL", NULL, &output, &outlen, &mechanism) == 0
        successful result
output: [0 bytes] :
mechanism: EXTERNAL

然而，由于预装在OSX10.5上的Cyrus SASL版本有一个bug，使得外部插件需要一个SASL_CB_USER回调，并传递一个空指针来存储它的返回值，这仍然意味着我将不得不在所有这些机器上更新Cyrus SASL。

或者，我可能只会在bug周围编写代码。

Answer 2

这是由于Cyrus SASL是在没有任何机制的情况下编译的(默认情况下，它们是动态链接的)。因此，如果没有动态链接的机制，它将报告没有匹配的机制。

因此，更好的答案是使用静态链接的机制(在Cyrus包中称为插件)重新编译Cyrus SASL。如果您查看config.h头文件并将相应的静态定义定义为1，然后重新编译(我手动将插件源代码从plugins dir添加到libsasl2.a存档)。然后，当你链接这个库时，你不会得到那个错误(没有你找到的变通方法)。