Questions on authentication, what to do in librist vs application
Hi,
I have a couple of questions concerning authentication and how the work is shared between librist and the application.
I have read the wiki article on authentication. Then I looked at the files librist_srp.h (public header) and eap.c/.h (internal libsrt files). The protocol is mostly handled inside libsrt and this is fine.
However, looking at the applications ristreceiver.c and ristsender.c, I see that they have to provide their own cb_auth_connect. This callback simply builds an OOB message and sends it back to the peer, where it will be processed internally by the EAP part of libsrt. Am I right?
If I understand correctly, isn't there a mismatch in the respective roles of librist and the application? The structure of the OOB message which is used to transport the authentication messages is part of EAP and should remain internal to librist. Even more, the simple fact that the authentication callback shall return an OOB message is internal to the EAP part of librist. In other words, rist_enable_eap_srp should set up its own authentication callback which does the job. Maybe rist_enable_eap_srp is invoked too early to set up an authentication callback. In that case, a specific "enable auth callbacks for eap srp" function should be added.
As an additional request, would it be possible to move the management of password files as used by ristsrppasswd into librist? I understand that this feature is not really a RIST feature; any application can implement its own authentication validation mechanism. However, having such a feature in librist would allow any application to be compatible with ristsrppasswd without duplicating tools/srp_shared.c in each application.
To summarize, I suggest that applications have two possible simple levels of authentication:
1. Provide a user_verifier_lookup_t function, call rist_enable_eap_srp (and possibly an additional rist function later) and that's all. The application should not have to mess with the internal OOB message as used in EAP SRP.
2. Same as 1. with a librist-provided user_verifier_lookup_t function which handles ristsrppasswd files.
Does it make sense?