Details
-
New Feature
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
-
None
Description
As a follow-on to MDEV-4691 we would like GSSAPI encryption (in addition to authentication) support in MariaDB. I am told that the current plan is to create a plugin interface and then we can build GSSAPI encryption on top of that, so here is a ticket for that.
From having written GSSAPI for the internal interface, there were a couple things I would like to see in the plugin encryption interface.
First, GSSAPI is weird in that it does authentication before encryption (TLS/SSL are the other way around, establishing an encrypted channel and then doing authentication over it). Of course support for this is needed, but more importantly, packets must be processed in a fully serialized fashion. This is because encrypted packets may be queued while one end of the connection is still finishing up processing the authentication handshake. One way to do this is registering "handle" callbacks with connection-specific state, but there are definitely others.
Additionally, for whatever conception there ends up being of authentication and encryption, it needs to be possible to share more data than just a socket between them. The same context will be used for authentication and encryption, much as an SSL context is (except of course we go from authentication to encryption and not the other way around).
This ties into an issue of dependency. If authentication plugins are separate entities from encryption plugins in the final architecture, it might make sense to do mix-and-match authentication with encryption. However, there are cases - and GSSAPI is one - where doing encryption requires a certain kind of authentication (or vice versa). You can't do GSSAPI encryption without first doing GSSAPI authentication. (Whether or not it's permitted to do GSSAPI auth->encryption all over a TLS channel, for instance, is not something I'm concerned about.)
Finally, encrypted messages are larger than their non-encrypted counterparts. The transport layer should cope with this so that plugins don't have to think about reassembly, keeping in mind that there may not be a way to get the size of a message when encrypted without first encrypting it.
It's unfortunately been a little while since I wrote that code, but I think those were the main things that we'll need for GSSAPI. Thanks!
Attachments
Issue Links
- duplicates
-
MDEV-9060 connection encryption plugins
-
- Closed
-
Activity
Great! Don't worry, nobody can be assigned to a project before the deadline of May the 4, 2017.
The time for writing proposals is open - https://summerofcode.withgoogle.com
Currently no-one has written a proposal for this task.
To summarize: this task is about creating Connection Encryption Plugin API (or extending Authentication Plugin API to do connection encryption) and writing two plugins for it — GSSAPI and SSL.
Hi, I am Steve Smart a Computer Science student at UD. I wish to participate in GSoC 2017 with MariaDB. I am familiar with the development of UDF's which is not too different from plugin development and would love to extend my knowledge in working on this GSSAPI based plugin for MariaDB. I am currently studying the Plugin API in depth to understand how the plugin type MYSQL_AUTHENTICATION_PLUGIN works and how they are implemented. Just want to declare my interest in this project in case another student is already assigned to it.