appl/simple/client/sim_client.c uses internal APIs
Nico Williams
nico at cryptonector.com
Fri Feb 24 15:50:35 EST 2023
On Fri, Feb 24, 2023 at 12:19:53PM -0800, Russ Allbery wrote:
> Nico Williams <nico at cryptonector.com> writes:
> > If you're just trying to set up a GSS context between a client and a
> > server, then GSS is really simple, and much simpler than the krb5 API.
>
> I'm very dubious about this statement. The requirement to handle
> negotiation and potential multiple round trips and all the complexity with
> major and minor status codes makes the equivalent GSS code complicated and
> annoying.
If you're using SPNEGO then you don't have to concern yourself with
negotiation. If you're implementing SSHv2 or SASL it's another story,
though not much more complicated because you're doing negotiation at a
layer that already does it and all you have to do is maybe pick a GSS
mechanism.
RFC 7546 exists.
I've written a fair amount of app code using krb5 and GSS APIs, and I
strongly prefer GSS code.
> GSS pays a significant price for being a generic mechanism with a
> negotiation method, and the API does not hide that price from the
> programmer.
It does pay a price, but if all you need is encrypted sessions, then
it's simple.
GSS does have some ugly things, mainly OIDs, but also not having
something like a krb5_context. Regarding not having a krb5_context,
I've played with a couple of ways to fix that in Heimdal: either a)
enhancing the `OM_uint32 *minor_status` to be a more complex, opaque
object, or b) adding configuration key/value parameters to the
`cred_store` used in `gss_acquire_cred_from()`.
Nico
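As an added example (not code from this thread, from Heimdal, or from MIT krb5): the one piece of GSS-API plumbing both posts touch on is the major status word and how the context-establishment loop has to read it. The layout, masks and code values below are transcribed from RFC 2744 section 3.9 so the file compiles without `<gssapi/gssapi.h>`; a real client includes that header and gets the same macros. The helper names `gss_classify_major`, `gss_routine_name` and `gss_describe_major` are invented for this example.

```c
/*
 * Added example: decoding a GSS-API major status and deciding what the
 * gss_init_sec_context()/gss_accept_sec_context() loop does next.
 * Constants are transcribed from RFC 2744 section 3.9 (assumption: the
 * reader's gssapi.h defines them identically, which the RFC requires).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t OM_uint32;

/* Field layout of the 32-bit major status (RFC 2744, 3.9.1). */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK   ((OM_uint32)0377ul)
#define GSS_C_ROUTINE_ERROR_MASK   ((OM_uint32)0377ul)
#define GSS_C_SUPPLEMENTARY_MASK   ((OM_uint32)0177777ul)

#define GSS_CALLING_ERROR(x)      ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x)      ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
/* Non-zero exactly when the call failed; supplementary bits are not errors. */
#define GSS_ERROR(x) (GSS_CALLING_ERROR(x) | GSS_ROUTINE_ERROR(x))

#define GSS_S_COMPLETE               ((OM_uint32)0)
#define GSS_S_CALL_INACCESSIBLE_READ ((OM_uint32)1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_BAD_STRUCTURE     ((OM_uint32)3ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_TOKEN        ((OM_uint32)9ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTEXT_EXPIRED        ((OM_uint32)12ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE                ((OM_uint32)13ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_CONTINUE_NEEDED        ((OM_uint32)1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_DUPLICATE_TOKEN        ((OM_uint32)1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
#define GSS_S_OLD_TOKEN              ((OM_uint32)1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))

/* Routine-error names indexed by the 8-bit routine field (RFC 2744, 3.9.1). */
static const char *const routine_names[] = {
    "GSS_S_COMPLETE", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_MIC", "GSS_S_NO_CRED",
    "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN",
};

/* Name of the routine-error field only; the calling and supplementary
 * fields of the same word are ignored here on purpose. */
const char *gss_routine_name(OM_uint32 major)
{
    OM_uint32 idx = GSS_ROUTINE_ERROR(major) >> GSS_C_ROUTINE_ERROR_OFFSET;
    if (idx >= sizeof routine_names / sizeof routine_names[0])
        return "(unassigned routine error)";
    return routine_names[idx];
}

enum gss_step { GSS_STEP_DONE, GSS_STEP_CONTINUE, GSS_STEP_ERROR };

/*
 * What the establishment loop does after one init/accept call. Testing
 * `major != GSS_S_COMPLETE` is the classic bug: GSS_S_CONTINUE_NEEDED is a
 * supplementary bit rather than an error, and a successful final call can
 * still carry supplementary bits such as GSS_S_DUPLICATE_TOKEN. An error
 * with GSS_S_CONTINUE_NEEDED also set is still an error.
 */
enum gss_step gss_classify_major(OM_uint32 major)
{
    if (GSS_ERROR(major))
        return GSS_STEP_ERROR;
    if (GSS_SUPPLEMENTARY_INFO(major) & GSS_S_CONTINUE_NEEDED)
        return GSS_STEP_CONTINUE;
    return GSS_STEP_DONE;
}

/* Breakdown of the three fields. The minor status is mechanism-specific
 * and only meaningful via gss_display_status() with GSS_C_MECH_CODE, so it
 * is deliberately not decoded here. */
int gss_describe_major(OM_uint32 major, char *buf, size_t len)
{
    return snprintf(buf, len, "calling=%u routine=%s supplementary=0x%04x",
                    (unsigned)(GSS_CALLING_ERROR(major) >> GSS_C_CALLING_ERROR_OFFSET),
                    gss_routine_name(major),
                    (unsigned)GSS_SUPPLEMENTARY_INFO(major));
}

int main(void)
{
    /* Constructed sample status words, as a mechanism might return them. */
    const OM_uint32 samples[] = {
        GSS_S_CONTINUE_NEEDED,                          /* another round trip */
        GSS_S_COMPLETE | GSS_S_DUPLICATE_TOKEN,         /* done, with a warning bit */
        GSS_S_DEFECTIVE_TOKEN | GSS_S_CONTINUE_NEEDED,  /* error outranks continue */
        GSS_S_CALL_BAD_STRUCTURE,                       /* caller-side error */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[96];
        gss_describe_major(samples[i], buf, sizeof buf);
        printf("0x%08x -> %s -> step %d\n", (unsigned)samples[i], buf,
               (int)gss_classify_major(samples[i]));
    }
    return 0;
}
```

In a real client the loop body calls `gss_init_sec_context()`, sends `output_token` to the peer whenever its length is non-zero (even alongside an error, since some mechanisms emit an error token), and then applies `gss_classify_major()` to decide whether to read the peer's next token, proceed, or fail; the minor status is only useful as input to `gss_display_status()`.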
--
More information about the Kerberos mailing list