About 2, what you suggest might also work, but my suggestion was different, probably simpler. Let me try to explain.
So, the gss client needs to do this exchange "dance" with the server. Similar to the hello-based "handshaking" between the mom and the server, we could implement this at the application layer, instead of changing the transport layer.
We could add a batch identifier, say PBS_BATCH_GSS_HANDSHAKE
The message could look like this:
Header: PBS_BATCH_AUTH_HANDSHAKE
Protocol: GSS/TLS
state: Some_identifier to know the state of the handshake (BEGIN, STAGE1, STAGE2, ESTABLISHED, etc.)
Encrypted? flag: 0/1
Gss_data (in future TLS data)
So, now the client side in the pbsgss_client_establish_context(), in the loop, when you call pbsgss_send_token(), basically this function can be modified to send a batch request to the server with the above structure. The server can then receive the batch request in its usual event mechanism in "wait_request()", dispatch to a "req_auth_handshake()" handler, which checks what state the handshake is in, and respond accordingly. Till the entire exchange is over, we can keep the client connection marked as "not authenticated" and so any other data is not acceptable from the client.
Since the above exchanges will be over batch protocols, the code will be the same between TCP or TPP. And we can even have encryption on the TPP messages also!
We can probably use such a thing for TLS in the future as well.
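The exchange sketched in the message above, as an added example that is not part of the post or of the PBS code base: a client loop that sends the proposed batch message through the server's dispatch, a per-connection state machine in a `req_auth_handshake()` handler, and a `wait_request()` that refuses every non-handshake request until the state reaches ESTABLISHED. The GSS token processing is simulated with a fixed challenge that the client must echo back (real code would call gss_init_sec_context()/gss_accept_sec_context() there); the batch identifier values, the FAILED state, the `tamper` parameter and all function and type names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Handshake states. BEGIN, STAGE1, STAGE2 and ESTABLISHED are the names used in
 * the post; FAILED is added here so a refused exchange has an end state. */
typedef enum { HS_BEGIN, HS_STAGE1, HS_STAGE2, HS_ESTABLISHED, HS_FAILED } hs_state_t;

/* Batch identifiers. PBS_BATCH_AUTH_HANDSHAKE is the name proposed in the post,
 * PBS_BATCH_OTHER stands for any ordinary request. The numeric values are made up. */
enum { PBS_BATCH_AUTH_HANDSHAKE = 200, PBS_BATCH_OTHER = 201 };

#define TOKEN_LEN 8

/* The batch message layout sketched in the post. */
typedef struct {
    int header;                    /* batch identifier */
    char protocol[4];              /* "GSS" (TLS later) */
    hs_state_t state;              /* stage of the exchange this message belongs to */
    int encrypted;                 /* 0/1 flag, unused in this simulation */
    unsigned char data[TOKEN_LEN]; /* GSS token, simulated below */
} auth_msg_t;

/* Per-connection state the server keeps between handshake requests. */
typedef struct {
    hs_state_t state;                   /* stage the server expects next from the client */
    int authenticated;                  /* 0 until the exchange completes */
    unsigned char challenge[TOKEN_LEN]; /* token the client must echo back */
} conn_t;

/* Constructed stand-in for the token a real GSS acceptor would emit. */
static const unsigned char SERVER_CHALLENGE[TOKEN_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

static void conn_init(conn_t *c)
{
    memset(c, 0, sizeof *c);
    c->state = HS_BEGIN;
}

/* The req_auth_handshake() handler proposed in the post: advance the connection's
 * state machine one step and fill in the reply. Any out-of-order or unknown stage
 * moves the connection to FAILED. */
static void req_auth_handshake(conn_t *c, const auth_msg_t *in, auth_msg_t *out)
{
    memset(out, 0, sizeof *out);
    out->header = PBS_BATCH_AUTH_HANDSHAKE;
    memcpy(out->protocol, "GSS", 4);

    if (strncmp(in->protocol, "GSS", 4) != 0 || in->state != c->state) {
        c->state = HS_FAILED;
    } else if (c->state == HS_BEGIN) {
        /* Real code: gss_accept_sec_context() on in->data, reply with its output token. */
        memcpy(c->challenge, SERVER_CHALLENGE, TOKEN_LEN);
        memcpy(out->data, c->challenge, TOKEN_LEN);
        c->state = HS_STAGE2;          /* next message from the client must be STAGE2 */
        out->state = HS_STAGE1;
        return;
    } else if (c->state == HS_STAGE2) {
        /* Real code: a second gss_accept_sec_context() call; here, check the echo. */
        if (memcmp(in->data, c->challenge, TOKEN_LEN) == 0) {
            c->state = HS_ESTABLISHED;
            c->authenticated = 1;
        } else {
            c->state = HS_FAILED;
        }
    } else {
        c->state = HS_FAILED;          /* e.g. a handshake message after ESTABLISHED */
    }
    out->state = c->state;
}

/* The server's wait_request() dispatch. Handshake requests always reach the handler;
 * anything else is refused (-1) until the connection is authenticated. */
static int server_wait_request(conn_t *c, const auth_msg_t *in, auth_msg_t *out)
{
    if (in->header == PBS_BATCH_AUTH_HANDSHAKE) {
        req_auth_handshake(c, in, out);
        return 0;
    }
    if (!c->authenticated)
        return -1;                     /* not authenticated: no other data accepted */
    return 0;                          /* ordinary request processing would go here */
}

/* The loop of pbsgss_client_establish_context(), with pbsgss_send_token() replaced by a
 * batch request/reply round trip. 'tamper' corrupts the echoed token so the refusal
 * path can be exercised. Returns the final handshake state. */
static hs_state_t client_establish_context(conn_t *server, int tamper)
{
    auth_msg_t req, rep;
    memset(&req, 0, sizeof req);
    req.header = PBS_BATCH_AUTH_HANDSHAKE;
    memcpy(req.protocol, "GSS", 4);
    req.state = HS_BEGIN;              /* real code: first gss_init_sec_context() token */

    for (;;) {
        if (server_wait_request(server, &req, &rep) != 0)
            return HS_FAILED;
        if (rep.state == HS_ESTABLISHED || rep.state == HS_FAILED)
            return rep.state;
        /* rep.state == HS_STAGE1: send the server's token back as STAGE2 */
        req.state = HS_STAGE2;
        memcpy(req.data, rep.data, TOKEN_LEN);
        if (tamper)
            req.data[0] ^= 0xff;
    }
}

int main(void)
{
    conn_t c;
    auth_msg_t other, rep;
    conn_init(&c);
    memset(&other, 0, sizeof other);
    other.header = PBS_BATCH_OTHER;
    printf("other request before handshake accepted: %d\n", server_wait_request(&c, &other, &rep) == 0);
    printf("handshake final state: %d (3 = ESTABLISHED)\n", client_establish_context(&c, 0));
    printf("other request after handshake accepted: %d\n", server_wait_request(&c, &other, &rep) == 0);
    return 0;
}
```

Because the exchange travels as ordinary batch requests, the same handler serves a TCP or TPP connection; only the transport underneath `server_wait_request()` differs.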