From: Elias Mårtenson
Newsgroups: gmane.emacs.devel
Subject: Re: Request for advice on GNUS internals. GSSAPI progress report
Date: Tue, 28 Feb 2017 15:25:21 +0800
To: Lars Ingebrigtsen
Cc: emacs-devel

On 28 February 2017 at 00:29, Lars Ingebrigtsen wrote:

> Elias Mårtenson writes:
>
> > I don't know about POP3, does anyone still use that? It's definitely
> > supported for SMTP, and now that you mention it, I have to implement
> > that support too. It would be a pretty useless feature if you can read
> > your mail without requiring a stored password, but still needing it to
> > send them. :-)
>
> If this is relevant to a lot of the different protocols, perhaps it
> would make more sense to put this into the Emacs core like the TLS
> support? Then each protocol wouldn't have to be modified this much to
> support it across Emacs...

Unfortunately, that's not possible. Every protocol has a different idea of how to perform a GSSAPI handshake. GSSAPI itself only returns a binary blob that is to be sent to the remote side; that side can then send another blob back. After ping-ponging a few times, you get a validated name object representing the remote principal, and a context that can be used to encrypt and decrypt other binary blobs. The docs literally say something along the lines of: “Send the binary output to the remote server and pass it to gss_accept_sec_context()”.

This results in plenty of different specs for how to apply GSSAPI authentication to various protocols. A few examples:

  - IMAP: https://tools.ietf.org/html/rfc1731
  - SMTP: https://tools.ietf.org/html/rfc4954
  - POP3: https://tools.ietf.org/html/rfc5034
  - LDAP: https://tools.ietf.org/html/rfc4752

Etc, etc.
Currently, when using GNUS, LDAP authentication works with GSSAPI thanks to the fact that Emacs leverages the ‘ldapsearch’ external program. IMAP4 works now because I've implemented it. I don't use POP3, and I don't think there is much demand for it.

That leaves SMTP, which really should have support in Gnus proper, but as it turns out, we're not using authenticated SMTP at my workplace, so I'll have a hard time testing it. The same goes for encrypted IMAP (using GSS encryption, rather than tunnelling over TLS). To support it, one would have to implement a very simple function, but I left that empty since I have no way of testing it.

So, that's the situation as it stands. I've restarted the process with my employer's legal team to make sure I can get the copyright assignments done. It seems to actually be happening this time (which means that we'll be able to get gnu-apl-mode into ELPA soon).

Regards,
Elias
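The point Elias makes above, that the GSSAPI token ping-pong is the same everywhere but every protocol frames it differently, is easiest to see with the framing written down side by side. The following is an added example, not code from Gnus, Emacs or the patch discussed in this thread, and it is in Python rather than Emacs Lisp so that it can be run as is. The mechanism object is a constructed stand-in: where a real client would call gss_init_sec_context(), gss_wrap() and gss_unwrap(), the fake just hands back fixed tokens after two round trips, while the framing and the security-layer negotiation (RFC 4752 section 3.1, the same 4-byte exchange RFC 1731 uses for IMAP) are the real thing. The command strings, continuation prefixes and scripted server replies follow RFC 1731, RFC 4954 and RFC 5034; the authorization identity "elias", the token contents and the offered maximum size are invented for the demo.

```python
import base64

# Security-layer bits from RFC 4752 section 3.1 (RFC 1731 uses the same layout).
NO_SECURITY_LAYER, INTEGRITY_LAYER, CONFIDENTIALITY_LAYER = 0x01, 0x02, 0x04

# Per-protocol framing of the same token ping-pong: (command, continuation
# prefix, success prefix, whether the first token may ride on the command).
FRAMING = {
    "imap": ("A1 AUTHENTICATE GSSAPI", "+ ", "A1 OK", False),   # RFC 1731
    "smtp": ("AUTH GSSAPI", "334 ", "235", True),                # RFC 4954
    "pop3": ("AUTH GSSAPI", "+ ", "+OK", True),                  # RFC 5034
}

def b64(data):
    return base64.b64encode(data).decode("ascii")

class FakeMechanism:
    """Constructed stand-in for a GSS-API context, NOT a real mechanism.  A real
    client backs step() with gss_init_sec_context() and wrap()/unwrap() with
    gss_wrap()/gss_unwrap(); the code below treats tokens as opaque bytes."""

    def __init__(self):
        self.calls = 0

    def step(self, server_token):
        """Return (client_token, complete): two round trips, then done."""
        self.calls += 1
        return b"TOKEN%d" % self.calls, self.calls >= 2

    def wrap(self, data):
        return b"WRAP:" + data

    def unwrap(self, data):
        if not data.startswith(b"WRAP:"):
            raise ValueError("bad wrap token")
        return data[5:]

def negotiate_security_layer(mech, server_wrapped, authzid, want=NO_SECURITY_LAYER):
    """Final step shared by all protocols above: unwrap the server's 4-byte offer
    (layer bitmask + 24-bit max message size), refuse a layer the server did
    not offer, and return the wrapped reply (layer, client max size, authzid)."""
    offer = mech.unwrap(server_wrapped)
    if len(offer) != 4:
        raise ValueError("security-layer offer must be exactly 4 bytes")
    offered, server_max = offer[0], int.from_bytes(offer[1:], "big")
    if not offered & want:
        raise ValueError("server does not offer layer 0x%02x" % want)
    client_max = 0 if want == NO_SECURITY_LAYER else server_max
    reply = bytes([want]) + client_max.to_bytes(3, "big") + authzid.encode("ascii")
    return mech.wrap(reply), server_max

class GssapiClient:
    """Protocol-neutral half: one base64 challenge in, one base64 response out,
    until the context is complete; then the layer negotiation."""

    def __init__(self, mech, authzid, want=NO_SECURITY_LAYER):
        self.mech, self.authzid, self.want = mech, authzid, want
        self.complete = self.done = False
        self.server_max = None

    def respond(self, challenge_b64):
        token = base64.b64decode(challenge_b64) if challenge_b64 else b""
        if not self.complete:
            out, self.complete = self.mech.step(token)
        else:
            out, self.server_max = negotiate_security_layer(
                self.mech, token, self.authzid, self.want)
            self.done = True
        return b64(out)

def exchange(protocol, client, server_lines):
    """Drive the client through one protocol's framing; returns a transcript."""
    command, cont, ok, initial_response = FRAMING[protocol]
    first = command + (" " + client.respond("") if initial_response else "")
    transcript = ["C: " + first]
    for line in server_lines:
        transcript.append("S: " + line)
        if line.startswith(ok):            # checked first: POP3 "+OK" vs "+ "
            return transcript
        elif line.startswith(cont.rstrip()):
            transcript.append("C: " + client.respond(line[len(cont):]))
        else:
            raise RuntimeError("%s authentication failed: %s" % (protocol, line))
    raise RuntimeError("server hung up mid-exchange")

def demo(protocol, want=NO_SECURITY_LAYER):
    """One scripted exchange; the server lines are constructed here."""
    mech = FakeMechanism()                 # shared so wrap()/unwrap() line up
    client = GssapiClient(mech, "elias", want)
    _, cont, ok, initial_response = FRAMING[protocol]
    offer = b64(mech.wrap(bytes([0x07]) + (65536).to_bytes(3, "big")))
    lines = ([] if initial_response else [cont]) + [
        cont + b64(b"SRV1"), cont + offer, ok + " Authenticated"]
    return exchange(protocol, client, lines), client
```

Running demo("imap"), demo("smtp") and demo("pop3") shows the same two client tokens and the same wrapped layer reply travelling under three different framings: IMAP needs an empty "+ " continuation before the first token because AUTHENTICATE has no initial response, while SMTP and POP3 carry it on the AUTH line. Passing want=CONFIDENTIALITY_LAYER is the hook for the "encrypted IMAP" case mentioned above; the client refuses to proceed if the server's bitmask does not include the layer it asked for, which is the check a client must make before trusting the session to be protected.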