
Source code changes of the file "lib/scram/server.c" between
gsasl-2.0.1.tar.gz and gsasl-2.2.0.tar.gz

About: GNU SASL is an implementation of the Simple Authentication and Security Layer (SASL).

server.c  (gsasl-2.0.1):server.c  (gsasl-2.2.0)
skipping to change at line 67 skipping to change at line 67
int step; int step;
char *cbind; char *cbind;
char *gs2header; /* copy of client first gs2-header */ char *gs2header; /* copy of client first gs2-header */
char *cfmb_str; /* copy of client first message bare */ char *cfmb_str; /* copy of client first message bare */
char *sf_str; /* copy of server first message */ char *sf_str; /* copy of server first message */
char *snonce; char *snonce;
char *clientproof; char *clientproof;
char storedkey[GSASL_HASH_MAX_SIZE]; char storedkey[GSASL_HASH_MAX_SIZE];
char serverkey[GSASL_HASH_MAX_SIZE]; char serverkey[GSASL_HASH_MAX_SIZE];
char *authmessage; char *authmessage;
char *cbtlsunique; char *cb;
size_t cbtlsuniquelen; size_t cblen;
struct scram_client_first cf; struct scram_client_first cf;
struct scram_server_first sf; struct scram_server_first sf;
struct scram_client_final cl; struct scram_client_final cl;
struct scram_server_final sl; struct scram_server_final sl;
}; };
static int static int
scram_start (Gsasl_session * sctx _GL_UNUSED, void **mech_data, scram_start (Gsasl_session * sctx _GL_UNUSED, void **mech_data,
bool plus, Gsasl_hash hash) bool plus, Gsasl_hash hash)
{ {
skipping to change at line 190 skipping to change at line 190
*output = NULL; *output = NULL;
*output_len = 0; *output_len = 0;
switch (state->step) switch (state->step)
{ {
case 0: case 0:
{ {
if (input_len == 0) if (input_len == 0)
return GSASL_NEEDS_MORE; return GSASL_NEEDS_MORE;
{
const char *p;
p = gsasl_property_get (sctx, GSASL_CB_TLS_UNIQUE);
if (state->plus && !p)
return GSASL_NO_CB_TLS_UNIQUE;
if (p)
{
rc = gsasl_base64_from (p, strlen (p), &state->cbtlsunique,
&state->cbtlsuniquelen);
if (rc != GSASL_OK)
return rc;
}
}
if (scram_parse_client_first (input, input_len, &state->cf) < 0) if (scram_parse_client_first (input, input_len, &state->cf) < 0)
return GSASL_MECHANISM_PARSE_ERROR; return GSASL_MECHANISM_PARSE_ERROR;
/* In PLUS server mode, we require use of channel bindings. */ if (state->plus)
if (state->plus && state->cf.cbflag != 'p') {
return GSASL_AUTHENTICATION_ERROR; const char *p;
/* In non-PLUS mode, but where have channel bindings data (and /* In PLUS server mode, we require use of channel bindings. */
thus advertised PLUS) we reject a client 'y' cbflag. */ if (state->cf.cbflag != 'p' || state->cf.cbname == NULL)
if (!state->plus return GSASL_AUTHENTICATION_ERROR;
&& state->cbtlsuniquelen > 0 && state->cf.cbflag == 'y')
return GSASL_AUTHENTICATION_ERROR; if (strcmp (state->cf.cbname, "tls-exporter") == 0)
{
p = gsasl_property_get (sctx, GSASL_CB_TLS_EXPORTER);
if (!p)
return GSASL_NO_CB_TLS_EXPORTER;
}
else if (strcmp (state->cf.cbname, "tls-unique") == 0)
{
p = gsasl_property_get (sctx, GSASL_CB_TLS_UNIQUE);
if (!p)
return GSASL_NO_CB_TLS_UNIQUE;
}
else
return GSASL_AUTHENTICATION_ERROR;
rc = gsasl_base64_from (p, strlen (p), &state->cb, &state->cblen);
if (rc != GSASL_OK)
return rc;
}
else if (state->cf.cbflag == 'y')
{
const char *p = gsasl_property_get (sctx, GSASL_CB_TLS_EXPORTER);
/* In non-PLUS mode we reject a client 'y' cbflag since we
support channel bindings UNLESS we actually don't have
any channel bindings (application told to libgsasl that
it doesn't want PLUS). */
if (!p)
p = gsasl_property_get (sctx, GSASL_CB_TLS_UNIQUE);
if (p != NULL)
return GSASL_AUTHENTICATION_ERROR;
}
/* Check that username doesn't fail SASLprep. */ /* Check that username doesn't fail SASLprep. */
{ {
char *tmp; char *tmp;
rc = gsasl_saslprep (state->cf.username, GSASL_ALLOW_UNASSIGNED, rc = gsasl_saslprep (state->cf.username, GSASL_ALLOW_UNASSIGNED,
&tmp, NULL); &tmp, NULL);
if (rc != GSASL_OK || *tmp == '\0') if (rc != GSASL_OK || *tmp == '\0')
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
gsasl_free (tmp); gsasl_free (tmp);
} }
skipping to change at line 341 skipping to change at line 356
return GSASL_MECHANISM_PARSE_ERROR; return GSASL_MECHANISM_PARSE_ERROR;
if (strcmp (state->cl.nonce, state->sf.nonce) != 0) if (strcmp (state->cl.nonce, state->sf.nonce) != 0)
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
/* Base64 decode the c= field and check that it matches /* Base64 decode the c= field and check that it matches
client-first. Also check channel binding data. */ client-first. Also check channel binding data. */
{ {
size_t len; size_t len;
free (state->cbind);
rc = gsasl_base64_from (state->cl.cbind, strlen (state->cl.cbind), rc = gsasl_base64_from (state->cl.cbind, strlen (state->cl.cbind),
&state->cbind, &len); &state->cbind, &len);
if (rc != 0) if (rc != 0)
return rc; return rc;
if (state->cf.cbflag == 'p') if (state->cf.cbflag == 'p')
{ {
if (len < strlen (state->gs2header)) if (len < strlen (state->gs2header))
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
if (memcmp (state->cbind, state->gs2header, if (memcmp (state->cbind, state->gs2header,
strlen (state->gs2header)) != 0) strlen (state->gs2header)) != 0)
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
if (len - strlen (state->gs2header) != state->cbtlsuniquelen) if (len - strlen (state->gs2header) != state->cblen)
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
if (memcmp (state->cbind + strlen (state->gs2header), if (memcmp (state->cbind + strlen (state->gs2header),
state->cbtlsunique, state->cbtlsuniquelen) != 0) state->cb, state->cblen) != 0)
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
} }
else else
{ {
if (len != strlen (state->gs2header)) if (len != strlen (state->gs2header))
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
if (memcmp (state->cbind, state->gs2header, len) != 0) if (memcmp (state->cbind, state->gs2header, len) != 0)
return GSASL_AUTHENTICATION_ERROR; return GSASL_AUTHENTICATION_ERROR;
} }
} }
/* Base64 decode client proof and check that length matches /* Base64 decode client proof and check that length matches
hash size. */ hash size. */
{ {
size_t len; size_t len;
free (state->clientproof);
rc = gsasl_base64_from (state->cl.proof, strlen (state->cl.proof), rc = gsasl_base64_from (state->cl.proof, strlen (state->cl.proof),
&state->clientproof, &len); &state->clientproof, &len);
if (rc != 0) if (rc != 0)
return rc; return rc;
if (gsasl_hash_length (state->hash) != len) if (gsasl_hash_length (state->hash) != len)
return GSASL_MECHANISM_PARSE_ERROR; return GSASL_MECHANISM_PARSE_ERROR;
} }
{ {
const char *p, *q; const char *p, *q;
skipping to change at line 552 skipping to change at line 569
if (!state) if (!state)
return; return;
free (state->cbind); free (state->cbind);
free (state->gs2header); free (state->gs2header);
free (state->cfmb_str); free (state->cfmb_str);
free (state->sf_str); free (state->sf_str);
free (state->snonce); free (state->snonce);
free (state->clientproof); free (state->clientproof);
free (state->authmessage); free (state->authmessage);
free (state->cbtlsunique); free (state->cb);
scram_free_client_first (&state->cf); scram_free_client_first (&state->cf);
scram_free_server_first (&state->sf); scram_free_server_first (&state->sf);
scram_free_client_final (&state->cl); scram_free_client_final (&state->cl);
scram_free_server_final (&state->sl); scram_free_server_final (&state->sl);
free (state); free (state);
} }
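Review bot: In the step-0 hunk, a client that sends cbflag 'p' to the non-PLUS server instance is not rejected: the new `if (state->plus) … else if (state->cf.cbflag == 'y')` chain has no branch for `!state->plus && state->cf.cbflag == 'p'`, so `state->cb` is never decoded and the later c= check (the `if (state->cf.cbflag == 'p')` block in the client-final hunk) compares against `state->cb`/`state->cblen`, which are presumably still NULL/0 from initialization. That makes `memcmp (…, state->cb, 0)` a NULL-pointer argument (undefined per the C standard even for length 0) and lets a client that appends no binding bytes complete authentication while claiming channel binding, whereas RFC 5802 §6 requires the server to fail authentication when it cannot honor the requested binding type. A third branch such as `else if (state->cf.cbflag == 'p') return GSASL_AUTHENTICATION_ERROR;` closes it. Separately, for symmetry with the `free (state->cbind)` and `free (state->clientproof)` added in the client-final hunk, a `free (state->cb);` before the `gsasl_base64_from` into `&state->cb` would avoid a leak if step 0 is re-entered after a mid-case failure. The enclosing `switch (state->step)` and its `case 0` continue outside the section.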
 End of changes. 9 change blocks. 
28 lines changed or deleted 45 lines changed or added
