gsasl  1.10.0
About: GNU SASL is an implementation of the Simple Authentication and Security Layer (SASL). Development version.

server.c
1 /* server.c --- SASL mechanism GS2, server side.
2  * Copyright (C) 2002-2021 Simon Josefsson
3  *
4  * This file is part of GNU SASL Library.
5  *
6  * GNU SASL Library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public License
8  * as published by the Free Software Foundation; either version 2.1 of
9  * the License, or (at your option) any later version.
10  *
11  * GNU SASL Library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with GNU SASL Library; if not, write to the Free
18  * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
19  * Boston, MA 02110-1301, USA.
20  *
21  */
22 
23 #ifdef HAVE_CONFIG_H
24 #include "config.h"
25 #endif
26 
27 /* Get specification. */
28 #include "gs2.h"
29 
30 /* Get malloc, free. */
31 #include <stdlib.h>
32 
33 /* Get memcpy, strlen. */
34 #include <string.h>
35 
36 /* Get FALLTHROUGH. */
37 #include <attribute.h>
38 
39 #include "gss-extra.h"
40 #include "gs2helper.h"
41 #include "mechtools.h"
42 
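struct _Gsasl_gs2_server_state
{
  /* Handshake position: 0 = no client data seen yet, 1 = GS2 header
     expected, 2 = tokens being fed to gss_accept_sec_context,
     3 = context complete (further calls are an error). */
  int step;
  /* Authenticated initiator name, filled in by gss_accept_sec_context. */
  gss_name_t client;
  /* Acceptor credential, restricted to MECH_OID (see gs2_get_cred). */
  gss_cred_id_t cred;
  /* GSS-API security context under construction. */
  gss_ctx_id_t context;
  /* OID of the GSS-API mechanism this GS2 session wraps. */
  gss_OID mech_oid;
  /* Channel bindings passed to gss_accept_sec_context.  Address types
     and addresses stay zero/empty; only application_data is ever set
     (to the GS2 header of the first client token). */
  struct gss_channel_bindings_struct cb;
};
typedef struct _Gsasl_gs2_server_state _Gsasl_gs2_server_state;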
54 
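/* Populate STATE->cred with the acceptor credential for this
   connection: the credential for "service@hostname", restricted to
   STATE->mech_oid.  SERVICE and HOSTNAME come from the session's
   GSASL_SERVICE / GSASL_HOSTNAME properties, i.e. from the
   application, not from the peer.  Returns GSASL_OK, GSASL_NO_SERVICE
   or GSASL_NO_HOSTNAME when a property is missing, GSASL_MALLOC_ERROR
   when the name string cannot be built, or a GSASL_GSSAPI_* code
   naming the GSS-API call that failed.  On some failure paths
   STATE->cred already holds a credential; _gsasl_gs2_server_finish
   releases it. */
static int
gs2_get_cred (Gsasl_session * sctx, _Gsasl_gs2_server_state * state)
{
  OM_uint32 maj_stat, min_stat;
  gss_buffer_desc bufdesc;
  const char *service = gsasl_property_get (sctx, GSASL_SERVICE);
  const char *hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
  gss_name_t server;
  gss_OID_set_desc oid_set;
  gss_OID_set actual_mechs;
  int present;
  int namelen;

  if (!service)
    return GSASL_NO_SERVICE;
  if (!hostname)
    return GSASL_NO_HOSTNAME;

  /* asprintf returns a signed length (-1 on failure) and may leave the
     pointer untouched or undefined on failure.  Storing -1 straight
     into the unsigned bufdesc.length would turn it into SIZE_MAX and
     slip past a "<= 0" test, so check the int before converting. */
  bufdesc.value = NULL;
  namelen = asprintf ((char **) &bufdesc.value, "%s@%s",
		      service, hostname);
  if (namelen < 0 || bufdesc.value == NULL)
    return GSASL_MALLOC_ERROR;
  bufdesc.length = (size_t) namelen;

  maj_stat = gss_import_name (&min_stat, &bufdesc,
			      GSS_C_NT_HOSTBASED_SERVICE, &server);
  free (bufdesc.value);
  if (GSS_ERROR (maj_stat))
    return GSASL_GSSAPI_IMPORT_NAME_ERROR;

  /* Ask for our mechanism only, so the credential cannot be used to
     accept a context under some other mechanism the library offers. */
  oid_set.count = 1;
  oid_set.elements = state->mech_oid;

  maj_stat = gss_acquire_cred (&min_stat, server, 0,
			       &oid_set, GSS_C_ACCEPT,
			       &state->cred, &actual_mechs, NULL);
  gss_release_name (&min_stat, &server);
  if (GSS_ERROR (maj_stat))
    return GSASL_GSSAPI_ACQUIRE_CRED_ERROR;

  /* Double check that the credential actually covers our mechanism;
     an implementation may return a credential for a subset of the
     requested set. */
  maj_stat = gss_test_oid_set_member (&min_stat, state->mech_oid,
				      actual_mechs, &present);
  if (GSS_ERROR (maj_stat))
    {
      gss_release_oid_set (&min_stat, &actual_mechs);
      return GSASL_GSSAPI_TEST_OID_SET_MEMBER_ERROR;
    }

  maj_stat = gss_release_oid_set (&min_stat, &actual_mechs);
  if (GSS_ERROR (maj_stat))
    return GSASL_GSSAPI_RELEASE_OID_SET_ERROR;

  if (!present)
    return GSASL_GSSAPI_ACQUIRE_CRED_ERROR;

  return GSASL_OK;
}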
117 
/* Allocate and initialise the GS2 server state and store it in
   *MECH_DATA.  Returns GSASL_OK, GSASL_MALLOC_ERROR, or the code
   gs2_get_oid reports when the mechanism OID cannot be determined; on
   any failure nothing remains allocated. */
int
_gsasl_gs2_server_start (Gsasl_session * sctx, void **mech_data)
{
  _Gsasl_gs2_server_state *st;
  int rc;

  st = malloc (sizeof *st);
  if (st == NULL)
    return GSASL_MALLOC_ERROR;

  rc = gs2_get_oid (sctx, &st->mech_oid);
  if (rc != GSASL_OK)
    {
      free (st);
      return rc;
    }

  st->step = 0;			/* no client data seen yet */
  st->context = GSS_C_NO_CONTEXT;
  st->cred = GSS_C_NO_CREDENTIAL;	/* acquired in the first step */
  st->client = GSS_C_NO_NAME;

  /* GS2 mandates that the initiator/acceptor address types are 0 and
     the addresses are empty.  application_data starts empty too; the
     step function fills it with the GS2 header once it has one. */
  st->cb.initiator_addrtype = 0;
  st->cb.initiator_address.length = 0;
  st->cb.initiator_address.value = NULL;
  st->cb.acceptor_addrtype = 0;
  st->cb.acceptor_address.length = 0;
  st->cb.acceptor_address.value = NULL;
  st->cb.application_data.length = 0;
  st->cb.application_data.value = NULL;

  *mech_data = st;
  return GSASL_OK;
}
158 
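/* Feed TOKEN to gss_accept_sec_context for STATE and, if the mechanism
   produced a reply token, copy it into newly allocated OUTPUT/OUTPUT_LEN
   (left NULL/0 when the reply is empty).  Once the context is complete
   the peer's display name is published as GSASL_GSSAPI_DISPLAY_NAME and
   the application's GSASL_VALIDATE_GSSAPI callback decides the outcome.
   Returns GSASL_NEEDS_MORE while the mechanism needs another round trip,
   the callback's result on completion, or an error code.  TOKEN itself
   is not released here.  The GS2 header copy kept in STATE->cb is freed
   as soon as the handshake ends, successfully or not. */
static int
gs2_accept_token (Gsasl_session * sctx, _Gsasl_gs2_server_state * state,
		  gss_buffer_t token, char **output, size_t *output_len)
{
  OM_uint32 maj_stat, min_stat;
  OM_uint32 ret_flags;
  gss_OID mech_type;
  gss_buffer_desc outtok = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
  int res;

  /* A continuation call replaces the client name; drop the old one. */
  if (state->client)
    {
      gss_release_name (&min_stat, &state->client);
      state->client = GSS_C_NO_NAME;
    }

  maj_stat = gss_accept_sec_context (&min_stat,
				     &state->context,
				     state->cred,
				     token,
				     &state->cb,
				     &state->client,
				     &mech_type,
				     &outtok, &ret_flags, NULL, NULL);
  if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
    {
      res = GSASL_GSSAPI_ACCEPT_SEC_CONTEXT_ERROR;
      goto done;
    }

  if (maj_stat == GSS_S_CONTINUE_NEEDED)
    res = GSASL_NEEDS_MORE;
  else
    {
      state->step++;

      /* GS2 requires mutual authentication; a context the mechanism
	 established without it is rejected even though it "succeeded". */
      if (!(ret_flags & GSS_C_MUTUAL_FLAG))
	{
	  res = GSASL_MECHANISM_PARSE_ERROR;
	  goto done;
	}

      maj_stat = gss_display_name (&min_stat, state->client,
				   &client_name, &mech_type);
      if (GSS_ERROR (maj_stat))
	{
	  res = GSASL_GSSAPI_DISPLAY_NAME_ERROR;
	  goto done;
	}

      /* Publish the authenticated name, then let the application decide
	 whether this principal may act as the requested GSASL_AUTHZID.
	 Presumably gsasl_callback reports an error when no callback is
	 registered, so a missing callback fails closed -- verify. */
      gsasl_property_set_raw (sctx, GSASL_GSSAPI_DISPLAY_NAME,
			      client_name.value, client_name.length);

      res = gsasl_callback (NULL, sctx, GSASL_VALIDATE_GSSAPI);
    }

  /* Hand the mechanism's reply token to the client.  An empty reply is
     reported as NULL/0 rather than via malloc (0). */
  if (outtok.length > 0)
    {
      *output = malloc (outtok.length);
      if (!*output)
	{
	  res = GSASL_MALLOC_ERROR;
	  goto done;
	}
      memcpy (*output, outtok.value, outtok.length);
      *output_len = outtok.length;
    }

done:
  /* gss_display_name output must be released with gss_release_buffer;
     the original code leaked it on every completed handshake. */
  if (client_name.value != NULL)
    gss_release_buffer (&min_stat, &client_name);

  if (outtok.value != NULL)
    {
      maj_stat = gss_release_buffer (&min_stat, &outtok);
      if (GSS_ERROR (maj_stat)
	  && (res == GSASL_OK || res == GSASL_NEEDS_MORE))
	{
	  /* Report the release failure, but do not mask an earlier error
	     and do not hand the caller an output it would not expect. */
	  free (*output);
	  *output = NULL;
	  *output_len = 0;
	  res = GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
	}
    }

  /* The GS2 header copy is needed only while the mechanism may still
     consult the channel bindings, i.e. until the handshake ends. */
  if (res != GSASL_NEEDS_MORE)
    {
      free (state->cb.application_data.value);
      state->cb.application_data.value = NULL;
      state->cb.application_data.length = 0;
    }

  return res;
}

/* Perform one GS2 step.  GS2 state is in MECH_DATA.  Any data from the
   client is provided in INPUT/INPUT_LEN; INPUT is owned by the caller
   and is only valid for the duration of this call.  Output for the
   client is put in newly allocated OUTPUT/OUTPUT_LEN (NULL/0 when there
   is nothing to send).  Return GSASL_NEEDS_MORE while the handshake
   continues, GSASL_OK once the context is complete and the application
   accepted the peer, or an error code.  A session abandoned between the
   first token and completion keeps its GS2 header copy until the state
   is freed; _gsasl_gs2_server_finish does not release that copy. */
int
_gsasl_gs2_server_step (Gsasl_session * sctx,
			void *mech_data,
			const char *input, size_t input_len,
			char **output, size_t *output_len)
{
  _Gsasl_gs2_server_state *state = mech_data;
  gss_buffer_desc token;
  OM_uint32 maj_stat, min_stat;
  int res;
  int free_token = 0;

  *output = NULL;
  *output_len = 0;
  token.value = (char *) input;
  token.length = input_len;

  switch (state->step)
    {
    case 0:
      /* Acquire the acceptor credential once.  An empty initial client
	 response leaves us in step 0; acquiring again on the next call
	 would overwrite, and leak, the credential already held. */
      if (state->cred == GSS_C_NO_CREDENTIAL)
	{
	  res = gs2_get_cred (sctx, state);
	  if (res != GSASL_OK)
	    return res;
	}
      if (input_len == 0)
	{
	  res = GSASL_NEEDS_MORE;
	  break;
	}
      state->step++;
      FALLTHROUGH;		/* fall through */

    case 1:
      {
	char *authzid;
	size_t headerlen;
	gss_buffer_desc mechtok;

	/* The first client token is "gs2-header || mechanism token".
	   The header is untrusted peer input; _gsasl_parse_gs2_header
	   is relied on to validate it and to bound HEADERLEN by
	   INPUT_LEN. */
	res = _gsasl_parse_gs2_header (input, input_len,
				       &authzid, &headerlen);
	if (res != GSASL_OK)
	  return res;

	/* The authzid is a client claim, not an authenticated fact; the
	   application must check it against the authenticated name in
	   its GSASL_VALIDATE_GSSAPI callback. */
	if (authzid)
	  {
	    gsasl_property_set (sctx, GSASL_AUTHZID, authzid);
	    free (authzid);
	  }

	/* The header is bound into the context via the application_data
	   channel binding.  gss_accept_sec_context may be called again on
	   a later round trip, after INPUT has been released by the
	   caller, so keep our own copy instead of a pointer into INPUT.
	   NOTE(review): only the header itself is bound here; if the
	   parser ever accepts a "p=" cb flag the actual channel-binding
	   data would also have to be appended -- verify what it accepts. */
	free (state->cb.application_data.value);
	state->cb.application_data.value =
	  malloc (headerlen > 0 ? headerlen : 1);
	if (state->cb.application_data.value == NULL)
	  return GSASL_MALLOC_ERROR;
	memcpy (state->cb.application_data.value, input, headerlen);
	state->cb.application_data.length = headerlen;

	mechtok.value = (char *) input + headerlen;
	mechtok.length = input_len - headerlen;

	/* Re-add the token framing the GS2 client stripped off. */
	maj_stat = gss_encapsulate_token (&mechtok, state->mech_oid,
					  &token);
	if (GSS_ERROR (maj_stat))
	  return GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR;

	free_token = 1;
      }
      state->step++;
      FALLTHROUGH;		/* fall through */

    case 2:
      res = gs2_accept_token (sctx, state, &token, output, output_len);

      /* The encapsulated copy of the first token is released whatever
	 the outcome; the original code leaked it on every error path. */
      if (free_token)
	{
	  maj_stat = gss_release_buffer (&min_stat, &token);
	  if (GSS_ERROR (maj_stat)
	      && (res == GSASL_OK || res == GSASL_NEEDS_MORE))
	    {
	      free (*output);
	      *output = NULL;
	      *output_len = 0;
	      res = GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
	    }
	}
      break;

    default:
      res = GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
      break;
    }

  return res;
}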
292 
/* Release the GSS-API objects held in the GS2 server state MECH_DATA
   (security context, acceptor credential, client name) and free the
   state itself.  A NULL MECH_DATA is accepted and ignored.  SCTX is
   unused.  Return values of the GSS-API release calls are not checked;
   there is nothing useful to do with them during teardown. */
void
_gsasl_gs2_server_finish (Gsasl_session * sctx, void *mech_data)
{
  _Gsasl_gs2_server_state *st = mech_data;
  OM_uint32 ignored;

  (void) sctx;

  if (st == NULL)
    return;

  if (st->context != GSS_C_NO_CONTEXT)
    gss_delete_sec_context (&ignored, &st->context, GSS_C_NO_BUFFER);

  if (st->cred != GSS_C_NO_CREDENTIAL)
    gss_release_cred (&ignored, &st->cred);

  if (st->client != GSS_C_NO_NAME)
    gss_release_name (&ignored, &st->client);

  free (st);
}