Thread: [Perlgssapi-developer] Feedback on LWP-Authen-Negotiate-0.02
From: Dax K. <da...@gu...> - 2006-02-16 23:40:26
A 'make test' generates the error:

Use of uninitialized value in subroutine entry
at /tmp/too/LWP-Authen-Negotiate-0.02/blib/lib/LWP/Authen/Negotiate.pm
line 76.

57 my $status = GSSAPI::Name->import($target,"HTTP@".$uri->host,GSSAPI::OID::gss_nt_hostbased_service);
58 my $tname;
59 $target->display($tname);
60 #warn "Using HTTP@".$uri->host." -> ".$tname."\n";
61 my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";
62
63 my $itoken;
64 foreach ($response->header('WWW-Authenticate')) {
65     last if /^Negotiate (.+)/ && ($itoken=decode_base64($1));
66 }
67
68 my $ctx = GSSAPI::Context->new();
69 my $mech = $ENV{LWP_AUTHEN_NEGOTIATE_MECH} || 'KRB5';
70 my $imech = mech2oid($mech);
71 $imech = GSSAPI::OID::gss_mech_krb5 unless $imech;
72 my $iflags = GSS_C_MUTUAL_FLAG;
73 my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
74 my $creds = GSS_C_NO_CREDENTIAL;
75 my $itime = 0;
76 $status = $ctx->init($creds,$target,$imech,$iflags,$itime,$bindings,$itoken,$omech,$otoken,$oflags,$otime);

Line 57 and line 76 together look strange. Should one of them use a different name?

Dax Kelson
Guru Labs
From: Leif J. <le...@it...> - 2006-02-17 06:50:50
Dax Kelson wrote:
> A 'make test' generates the error:
>
> Use of uninitialized value in subroutine entry
> at /tmp/too/LWP-Authen-Negotiate-0.02/blib/lib/LWP/Authen/Negotiate.pm
> line 76.
>
> 57 my $status = GSSAPI::Name->import($target,"HTTP@".$uri->host,GSSAPI::OID::gss_nt_hostbased_service);
> 58 my $tname;
> 59 $target->display($tname);
> 60 #warn "Using HTTP@".$uri->host." -> ".$tname."\n";
> 61 my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";
> 62
> 63 my $itoken;
> 64 foreach ($response->header('WWW-Authenticate')) {
> 65     last if /^Negotiate (.+)/ && ($itoken=decode_base64($1));
> 66 }
> 67
> 68 my $ctx = GSSAPI::Context->new();
> 69 my $mech = $ENV{LWP_AUTHEN_NEGOTIATE_MECH} || 'KRB5';
> 70 my $imech = mech2oid($mech);
> 71 $imech = GSSAPI::OID::gss_mech_krb5 unless $imech;
> 72 my $iflags = GSS_C_MUTUAL_FLAG;
> 73 my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
> 74 my $creds = GSS_C_NO_CREDENTIAL;
> 75 my $itime = 0;
> 76 $status = $ctx->init($creds,$target,$imech,$iflags,$itime,$bindings,$itoken,$omech,$otoken,$oflags,$otime);
>
> Line 57 and line 76 together look strange. Should one of them use a different name?
>
> Dax Kelson
> Guru Labs
>

Are you talking about the variable reuse for $status? Imho it is
acceptable in this case since they both represent return-status
from different functions from the same library.

MVH leifj
From: Achim G. <per...@gr...> - 2006-02-17 10:26:47
On Friday 17 February 2006 07:50, Leif Johansson wrote:
> Dax Kelson wrote:
>
> Are you talking about the variable reuse for $status? Imho it is
> acceptable in this case since they both represent return-status
> from different functions from the same library.

GSSAPI::Name->import()

can fail. throwing away the return value is not a good idea.

a reason for fail can just be a typo in DNS or /etc/hosts
(GSSAPI is using DNS for resolution to canonical hostname).

the implementation does not print debugging information,
that is a problem (just think of expired credentials).

This is my implementation:

package LWP::Authen::Negotiate;

use strict;
use warnings;

require Exporter;
use AutoLoader qw(AUTOLOAD);

our @ISA = qw(Exporter);

# Items to export into callers namespace by default. Note: do not export
# names by default without a very good reason. Use EXPORT_OK instead.
# Do not simply export all your public functions/methods/constants.

# This allows declaration use LWP::Authen::Negotiate ':all';
# If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
# will save memory.
our %EXPORT_TAGS = ( 'all' => [ qw(

) ] );

our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );

our @EXPORT = qw(

);

our $VERSION = '0.04';

use MIME::Base64 "2.12";
use GSSAPI 0.18;

sub authenticate
{
    LWP::Debug::debug("authenticate() called");
    my ($class,$ua,$proxy,$auth_param,$response,$request,$arg,$size) = @_;

    my $uri = URI->new($request->uri);
    my $targethost = $request->uri()->host();

    my ($otime,$omech,$otoken,$oflags);
    my $target;
    my $status;
    TRY: {
        $status = GSSAPI::Name->import(
            $target,
            join( '@', 'HTTP', $targethost ),
            GSSAPI::OID::gss_nt_hostbased_service
        );
        last TRY if ( $status->major != GSS_S_COMPLETE );
        my $tname;
        $target->display( $tname );
        LWP::Debug::debug("target hostname $targethost");
        LWP::Debug::debug("GSSAPI servicename $tname");
        my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";

        my $itoken = q{};
        foreach ($response->header('WWW-Authenticate')) {
            last if /^Negotiate (.+)/ && ($itoken=decode_base64($1));
        }

        my $ctx = GSSAPI::Context->new();
        my $imech = GSSAPI::OID::gss_mech_krb5;
        #my $iflags = GSS_C_MUTUAL_FLAG;
        my $iflags = GSS_C_REPLAY_FLAG;
        my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
        my $creds = GSS_C_NO_CREDENTIAL;
        my $itime = 0;
        $status = $ctx->init($creds,$target,$imech,$iflags,$itime,$bindings,$itoken,
                             $omech,$otoken,$oflags,$otime);
        if ( $status->major == GSS_S_COMPLETE
             or $status->major == GSS_S_CONTINUE_NEEDED ) {
            LWP::Debug::debug( 'successfull $ctx->init()');
            my $referral = $request->clone;
            $referral->header( $auth_header => "Negotiate ".encode_base64 ($otoken,""));
            return $ua->request( $referral, $arg, $size, $response );
        }
    }
    if ( $status->major != GSS_S_COMPLETE ) {
        LWP::Debug::debug( $status->generic_message());
        LWP::Debug::debug( $status->specific_message() );
        return $response;
    }
}

1;
__END__
From: Leif J. <le...@it...> - 2006-02-17 10:47:12
Achim Grolms wrote:
> On Friday 17 February 2006 07:50, Leif Johansson wrote:
>> Dax Kelson wrote:
>>
>> Are you talking about the variable reuse for $status? Imho it is
>> acceptable in this case since they both represent return-status
>> from different functions from the same library.
>
> GSSAPI::Name->import()
>
> can fail. throwing away the return value is not a good idea.
>
> a reason for fail can just be a typo in DNS or /etc/hosts
> (GSSAPI is using DNS for resolution to canonical hostname).
>
> the implementation does not print debugging information,
> that is a problem (just think of expired credentials).
>
> This is my implementation:
>
> package LWP::Authen::Negotiate;
>
> use strict;
> use warnings;
>
> require Exporter;
> use AutoLoader qw(AUTOLOAD);
>
> our @ISA = qw(Exporter);
>
> # Items to export into callers namespace by default. Note: do not export
> # names by default without a very good reason. Use EXPORT_OK instead.
> # Do not simply export all your public functions/methods/constants.
>
> # This allows declaration use LWP::Authen::Negotiate ':all';
> # If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
> # will save memory.
> our %EXPORT_TAGS = ( 'all' => [ qw(
>
> ) ] );
>
> our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
>
> our @EXPORT = qw(
>
> );
>
> our $VERSION = '0.04';
>
> use MIME::Base64 "2.12";
> use GSSAPI 0.18;
>
> sub authenticate
> {
>     LWP::Debug::debug("authenticate() called");
>     my ($class,$ua,$proxy,$auth_param,$response,$request,$arg,$size) = @_;
>
>     my $uri = URI->new($request->uri);
>     my $targethost = $request->uri()->host();
>
>     my ($otime,$omech,$otoken,$oflags);
>     my $target;
>     my $status;
>     TRY: {
>         $status = GSSAPI::Name->import(
>             $target,
>             join( '@', 'HTTP', $targethost ),
>             GSSAPI::OID::gss_nt_hostbased_service
>         );
>         last TRY if ( $status->major != GSS_S_COMPLETE );
>         my $tname;
>         $target->display( $tname );
>         LWP::Debug::debug("target hostname $targethost");
>         LWP::Debug::debug("GSSAPI servicename $tname");
>         my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";
>
>         my $itoken = q{};
>         foreach ($response->header('WWW-Authenticate')) {
>             last if /^Negotiate (.+)/ && ($itoken=decode_base64($1));
>         }
>
>         my $ctx = GSSAPI::Context->new();
>         my $imech = GSSAPI::OID::gss_mech_krb5;
>         #my $iflags = GSS_C_MUTUAL_FLAG;
>         my $iflags = GSS_C_REPLAY_FLAG;
>         my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
>         my $creds = GSS_C_NO_CREDENTIAL;
>         my $itime = 0;
>         $status = $ctx->init($creds,$target,$imech,$iflags,$itime,$bindings,$itoken,
>                              $omech,$otoken,$oflags,$otime);
>         if ( $status->major == GSS_S_COMPLETE
>              or $status->major == GSS_S_CONTINUE_NEEDED ) {
>             LWP::Debug::debug( 'successfull $ctx->init()');
>             my $referral = $request->clone;
>             $referral->header( $auth_header => "Negotiate ".encode_base64 ($otoken,""));
>             return $ua->request( $referral, $arg, $size, $response );
>         }
>     }
>     if ( $status->major != GSS_S_COMPLETE ) {
>         LWP::Debug::debug( $status->generic_message());
>         LWP::Debug::debug( $status->specific_message() );
>         return $response;
>     }
> }
>
> 1;
> __END__

Can you send me a patch for that against my 0.03 I just uploaded?
From: Achim G. <per...@gr...> - 2006-02-17 13:20:13
Attachments:
errorhandling.diff
On Friday 17 February 2006 11:47, Leif Johansson wrote:

> Can you send me a patch for that against my 0.03 I just uploaded?

find patch attached. (fixes the "uninitialized value" warning also)

Please check if that works for you.

Achim
From: Leif J. <le...@it...> - 2006-02-17 13:27:52
Achim Grolms wrote:
> On Friday 17 February 2006 11:47, Leif Johansson wrote:
>
>> Can you send me a patch for that against my 0.03 I just uploaded?
>
> find patch attached. (fixes the "uninitialized value" warning also)
>
> Please check if that works for you.
>
> Achim
>

Doesn't that just replace your code with mine? Let's just follow your
original suggestion and go with your code. There is really no point in
spending this much time discussing 128 lines of code and docs :-)

MVH leifj
From: Achim G. <per...@gr...> - 2006-02-17 13:43:48
On Friday 17 February 2006 14:27, Leif Johansson wrote:
> Achim Grolms wrote:
> > On Friday 17 February 2006 11:47, Leif Johansson wrote:
> >> Can you send me a patch for that against my 0.03 I just uploaded?
> >
> > find patch attached. (fixes the "uninitialized value" warning also)
> >
> > Please check if that works for you.
> >
> > Achim
>
> Doesn't that just replace your code with mine?

No, all your configuration options are in the resulting
Negotiate.pm.

I am thinking of configuration:

It can be useful to the user to configure the flags passed
to init_security_context (MUTUAL and so on).

My ideas:

1. use Environment variable containing the names the user wants to set.
   (export LWPBLAFLAGS = "GSS_C_MUTUAL_FLAG GSS_C_MUTUAL_FLAG"
   for example)
   Problem: this is a global configuration.
   (maybe the user does not want to forward credential to *all*
   Servers he uses)

2. a per-host configuration like most browsers do.
   I fear that means a Configfile with hostname => config value pairs.
   But where to put the file?
   And when pull in into LWP::Authen::Negotiate?
   on first run of package itself?
   on first run of authenticate() (using counter?)

3. another idea? how is LWP configuration done in general?
   I have asked on the libwww-mailinglist, but got no answer

Achim
From: Leif J. <le...@it...> - 2006-02-17 13:52:18
> My ideas:
>
> 1. use Environment variable containing the names the user wants to set.
>    (export LWPBLAFLAGS = "GSS_C_MUTUAL_FLAG GSS_C_MUTUAL_FLAG"
>    for example)
>    Problem: this is a global configuration.
>    (maybe the user does not want to forward credential to *all*
>    Servers he uses)

I don't think this is a problem - setting ENV from wrapper scripts is
a no-brainer.
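
Added example (not part of the thread and not code from LWP::Authen::Negotiate): one way to combine ideas 1 and 2 discussed above, a global list of flag names plus a per-host allow-list that decides where credential forwarding (GSS_C_DELEG_FLAG) is permitted. The function flags_for_host, the two settings strings and the host names are hypothetical; the flag bit values are those of RFC 2744, so the script runs without the GSSAPI module.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flag bit values as defined in RFC 2744; a real module would take them
# from "use GSSAPI" instead of this local table.
my %FLAG = (
    GSS_C_DELEG_FLAG    => 1,
    GSS_C_MUTUAL_FLAG   => 2,
    GSS_C_REPLAY_FLAG   => 4,
    GSS_C_SEQUENCE_FLAG => 8,
    GSS_C_CONF_FLAG     => 16,
    GSS_C_INTEG_FLAG    => 32,
);

# Returns the flag word to pass to init() for one target host.
# $flagspec:   whitespace-separated flag names (global, as in idea 1)
# $deleg_spec: whitespace-separated hostnames allowed to receive
#              forwarded credentials (hypothetical per-host part, idea 2)
sub flags_for_host {
    my ( $host, $flagspec, $deleg_spec ) = @_;
    my $flags = 0;
    for my $name ( split ' ', $flagspec // '' ) {
        # Unknown names are fatal so a typo cannot silently drop a flag.
        die "unknown GSSAPI flag '$name'\n" unless exists $FLAG{$name};
        $flags |= $FLAG{$name};
    }
    # Delegation is stripped unless the exact hostname is listed.
    my %deleg_ok = map { ( lc($_) => 1 ) } split ' ', $deleg_spec // '';
    $flags &= ~$FLAG{GSS_C_DELEG_FLAG} unless $deleg_ok{ lc $host };
    return $flags;
}

# Constructed sample settings (stand-ins for two environment variables).
my $flagspec = 'GSS_C_MUTUAL_FLAG GSS_C_REPLAY_FLAG GSS_C_DELEG_FLAG';
my $deleg    = 'intranet.example.org';

for my $host (qw(intranet.example.org www.example.com)) {
    printf "%-22s iflags=%d\n", $host,
        flags_for_host( $host, $flagspec, $deleg );
}
```

With the global setting alone every server would be offered a forwarded ticket; the allow-list keeps the wrapper-script approach while limiting delegation to the hosts named in it.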