
[SCM] GNU gsasl branch, master, updated. gsasl-1-4-1-26-g8af1e3a


From: Simon Josefsson
Subject: [SCM] GNU gsasl branch, master, updated. gsasl-1-4-1-26-g8af1e3a
Date: Wed, 10 Mar 2010 20:30:12 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gsasl".

http://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=8af1e3a6639eb51d97dbecc1777b0bafcbe260c9

The branch, master has been updated
       via  8af1e3a6639eb51d97dbecc1777b0bafcbe260c9 (commit)
       via  90de2a18fa809655ec66985b0b9491a2a03f2f19 (commit)
       via  20e33fa99662672dcdb69439ace285d1e7f7726f (commit)
       via  7ed43d9d2342666d438d97de4a35520ba5ede33e (commit)
       via  54e836b28f2397a23a0a1a6ac4a41fba66baed94 (commit)
       via  4e561d2a12f72acf06acd9d332573594bfa5976b (commit)
       via  8bb78f09f994467bd73ba1e70b7380945dd5d97c (commit)
      from  7678bbbc9e53cecb845beb2e2bfdc21e57501355 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8af1e3a6639eb51d97dbecc1777b0bafcbe260c9
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 21:30:05 2010 +0100

    Use self tests.

commit 90de2a18fa809655ec66985b0b9491a2a03f2f19
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 21:29:54 2010 +0100

    Fix comment.

commit 20e33fa99662672dcdb69439ace285d1e7f7726f
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 19:41:35 2010 +0100

    Parse GS2 header.  Fix authzid handling.  Unescape authzid.

commit 7ed43d9d2342666d438d97de4a35520ba5ede33e
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 19:40:39 2010 +0100

    Escape authzid.

commit 54e836b28f2397a23a0a1a6ac4a41fba66baed94
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 16:38:20 2010 +0100

    Print return values too.

commit 4e561d2a12f72acf06acd9d332573594bfa5976b
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 16:37:02 2010 +0100

    Print return values too.

commit 8bb78f09f994467bd73ba1e70b7380945dd5d97c
Author: Simon Josefsson <address@hidden>
Date:   Wed Mar 10 14:54:45 2010 +0100

    Use a Shishi config file.

-----------------------------------------------------------------------

Summary of changes:
 lib/gs2/client.c               |   60 ++++++++++++++---
 lib/gs2/server.c               |  141 +++++++++++++++++++++++++++++++--------
 lib/gssapi/client.c            |    2 +-
 lib/gssapi/server.c            |    2 +-
 tests/Makefile.am              |    4 +-
 tests/{gssapi.c => gs2-krb5.c} |   45 +++++++------
 tests/gssapi.c                 |    4 +-
 tests/gssapi.cfg               |    1 +
 tests/scram.c                  |   10 ++--
 9 files changed, 197 insertions(+), 72 deletions(-)
 copy tests/{gssapi.c => gs2-krb5.c} (73%)
 create mode 100644 tests/gssapi.cfg

diff --git a/lib/gs2/client.c b/lib/gs2/client.c
index 19705fb..2d93e15 100644
--- a/lib/gs2/client.c
+++ b/lib/gs2/client.c
@@ -97,6 +97,39 @@ _gsasl_gs2_client_start (Gsasl_session * sctx, void 
**mech_data)
   return GSASL_OK;
 }
 
+static char *
+escape_authzid (const char *str)
+{
+  char *out = malloc (strlen (str) * 3 + 1);
+  char *p = out;
+
+  if (!out)
+    return NULL;
+
+  while (*str)
+    {
+      if (*str == ',')
+       {
+         memcpy (p, "=2C", 3);
+         p += 3;
+       }
+      else if (*str == '=')
+       {
+         memcpy (p, "=3D", 3);
+         p += 3;
+       }
+      else
+       {
+         *p = *str;
+         p++;
+       }
+      str++;
+    }
+  *p = '\0';
+
+  return out;
+}
+
 int
 _gsasl_gs2_client_step (Gsasl_session * sctx,
                        void *mech_data,
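Review bot: The allocation size `strlen (str) * 3 + 1` in escape_authzid has no overflow guard, so a sufficiently long authzid wraps the size and the loop writes past the buffer; the authzid comes from the application's own property rather than the peer, so the risk is low, but `size_t n = strlen (str); if (n > (SIZE_MAX - 1) / 3) return NULL;` before the malloc closes it. A one-line comment naming the encoding would also help readers: `/* Escape ',' and '=' in a GS2 authzid as "=2C" and "=3D" (RFC 5801 saslname). */`. The hunk ends inside the signature of _gsasl_gs2_client_step, which continues outside it.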
@@ -135,13 +168,16 @@ _gsasl_gs2_client_step (Gsasl_session * sctx,
       if (GSS_ERROR (maj_stat))
        return GSASL_GSSAPI_IMPORT_NAME_ERROR;
 
-      /* FIXME escape '=' and ',' in authzid to '=3D' and '=2C'
-        respectively. */
-
       if (authzid)
-       state->cb.application_data.length
-         = asprintf ((char**) &state->cb.application_data.value,
-                     "n,a=%s,", authzid);
+       {
+         char *escaped_authzid = escape_authzid (authzid);
+         if (!escaped_authzid)
+           return GSASL_MALLOC_ERROR;
+         state->cb.application_data.length
+           = asprintf ((char**) &state->cb.application_data.value,
+                       "n,a=%s,", escaped_authzid);
+         free (escaped_authzid);
+       }
       else
        {
          state->cb.application_data.value = strdup ("n,,");
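Review bot: asprintf's return value is stored straight into `state->cb.application_data.length`; on failure that is -1, which an unsigned length field turns into a huge value, and `value` is left indeterminate. The server-side code this commit deletes had a `length <= 0 || value == NULL` check right after building the header, and the client may still have one below this hunk (not visible here); if it does not, capture asprintf's result in an `int` and `return GSASL_MALLOC_ERROR;` when it is negative before assigning the length. The enclosing function continues outside the hunk.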
@@ -188,7 +224,7 @@ _gsasl_gs2_client_step (Gsasl_session * sctx,
                  state->mech_oid->length) != 0)
        return GSASL_AUTHENTICATION_ERROR;
 
-      if (buf == GSS_C_NO_BUFFER)
+      if (state->step == 0)
        {
          const char *der = bufdesc2.value;
          size_t derlen = bufdesc2.length;
@@ -240,11 +276,13 @@ _gsasl_gs2_client_step (Gsasl_session * sctx,
          memcpy (*output, bufdesc2.value, bufdesc2.length);
        }
 
+      if (state->step == 0 && maj_stat == GSS_S_CONTINUE_NEEDED)
+       state->step++;
       if (maj_stat == GSS_S_COMPLETE)
-       {
-         state->step++;
-         res = GSASL_OK;
-       }
+       state->step++;
+
+      if (maj_stat == GSS_S_COMPLETE)
+       res = GSASL_OK;
       else
        res = GSASL_NEEDS_MORE;
 
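Review bot: The two `if (maj_stat == GSS_S_COMPLETE)` tests are separated by an unrelated statement and read as a leftover of the rewrite; folding them back into one block, `if (maj_stat == GSS_S_COMPLETE) { state->step++; res = GSASL_OK; } else res = GSASL_NEEDS_MORE;`, keeps the old shape. More importantly, the final value of `state->step` now depends on how many round trips the context took: GSS_S_COMPLETE on the first call leaves step at 1, whereas GSS_S_CONTINUE_NEEDED followed by GSS_S_COMPLETE leaves it at 2, so a later `case` keyed on a fixed step value would see different states for the same outcome. The switch this sits in starts and ends outside the hunk, so I cannot confirm whether anything depends on that.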
diff --git a/lib/gs2/server.c b/lib/gs2/server.c
index 0b0bd74..96bb79a 100644
--- a/lib/gs2/server.c
+++ b/lib/gs2/server.c
@@ -41,12 +41,15 @@
 # include <gssapi/gssapi.h>
 #endif
 
+#include "gs2helper.h"
+
 struct _Gsasl_gs2_server_state
 {
   int step;
   gss_name_t client;
   gss_cred_id_t cred;
   gss_ctx_id_t context;
+  gss_OID mech_oid;
   struct gss_channel_bindings_struct cb;
 };
 typedef struct _Gsasl_gs2_server_state _Gsasl_gs2_server_state;
@@ -101,6 +104,20 @@ _gsasl_gs2_server_start (Gsasl_session * sctx, void 
**mech_data)
       return GSASL_GSSAPI_ACQUIRE_CRED_ERROR;
     }
 
+  {
+    gss_buffer_desc sasl_mech_name;
+
+    sasl_mech_name.value = (void *) gsasl_mechanism_name (sctx);
+    if (!sasl_mech_name.value)
+      return GSASL_AUTHENTICATION_ERROR;
+    sasl_mech_name.length = strlen (sasl_mech_name.value);
+
+    maj_stat = gss_inquiry_mech_for_saslname (&min_stat, &sasl_mech_name,
+                                             &state->mech_oid);
+    if (GSS_ERROR (maj_stat))
+      return GSASL_AUTHENTICATION_ERROR;
+  }
+
   state->step = 0;
   state->context = GSS_C_NO_CONTEXT;
   state->client = NULL;
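Review bot: Both early returns in the new block return with `state` and the credential acquired just above still held, unless the caller releases them on a non-OK start (the ACQUIRE_CRED failure path immediately before this block is cut off, so I cannot see its cleanup). GSASL_AUTHENTICATION_ERROR is also a misleading code for "no GSS-API mechanism OID known for this SASL name" during start; a setup-specific code, as the IMPORT_NAME and ACQUIRE_CRED paths use, would make the failure easier to diagnose. A short comment would help readers: `/* Map the SASL mechanism name (e.g. GS2-KRB5) to the GSS-API mechanism OID used for token encapsulation. */`. The function continues outside the hunk.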
@@ -123,6 +140,69 @@ _gsasl_gs2_server_start (Gsasl_session * sctx, void 
**mech_data)
   return GSASL_OK;
 }
 
+static char *
+unescape_authzid (const char *str, size_t len)
+{
+  char *out = malloc (len + 1);
+  char *p = out;
+
+  if (!out)
+    return NULL;
+
+  while (len > 0 && *str)
+    {
+      if (len >= 3 && str[0] == '=' && str[1] == '2' && str[2] == 'C')
+       {
+         *p++ = ',';
+         str += 3;
+         len -= 3;
+       }
+      else if (len >= 3 && str[0] == '=' && str[1] == '3' && str[2] == 'D')
+       {
+         *p++ = '=';
+         str += 3;
+         len -= 3;
+       }
+      else
+       {
+         *p++ = *str;
+         str++;
+         len--;
+       }
+    }
+  *p = '\0';
+
+  return out;
+}
+
+static int
+parse_gs2_header (const char *data, size_t len,
+                 char **authzid, size_t *headerlen)
+{
+  char *authzid_endptr;
+
+  if (len < 3)
+    return GSASL_MECHANISM_PARSE_ERROR;
+
+  if (strncmp (data, "n,,", 3) == 0)
+    {
+      *headerlen = 3;
+      *authzid = NULL;
+    }
+  else if (strncmp (data, "n,a=", 4) == 0 &&
+          (authzid_endptr = memchr (data + 4, ',', len - 4)))
+    {
+      *authzid = unescape_authzid (data + 4, authzid_endptr - (data + 4));
+      if (!*authzid)
+       return GSASL_MALLOC_ERROR;
+      *headerlen = authzid_endptr - data + 1;
+    }
+  else
+    return GSASL_MECHANISM_PARSE_ERROR;
+
+  return GSASL_OK;
+}
+
 int
 _gsasl_gs2_server_step (Gsasl_session * sctx,
                        void *mech_data,
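Review bot: parse_gs2_header reads past `data` when the client sends a three-byte header that is not `n,,`: the `len < 3` guard admits len == 3, `strncmp (data, "n,a=", 4)` then compares data[3], and if that byte happens to be `=`, `len - 4` underflows so memchr scans up to SIZE_MAX bytes. This is untrusted input from the network, so guard the second branch with the exact length: `else if (len >= 4 && memcmp (data, "n,a=", 4) == 0 &&`; memcmp is also the right comparison for length-delimited data, since strncmp stops at an embedded NUL and the two `strncmp` calls otherwise rely on it. In unescape_authzid, an `=` not followed by `2C` or `3D` is copied through verbatim, whereas RFC 5801 permits only those two escapes; returning GSASL_MECHANISM_PARSE_ERROR for any other `=` sequence, and for a NUL inside the counted length (which currently silently truncates the name), would reject malformed headers instead of accepting an altered authzid. The hunk ends inside the signature of _gsasl_gs2_server_step, which continues outside it.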
@@ -134,31 +214,13 @@ _gsasl_gs2_server_step (Gsasl_session * sctx,
   OM_uint32 maj_stat, min_stat;
   gss_buffer_desc client_name;
   gss_OID mech_type;
-  char tmp[4];
   int res;
   OM_uint32 ret_flags;
 
   *output = NULL;
   *output_len = 0;
-
-  if (state->step == 0)
-    {
-      const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
-
-      if (authzid)
-       state->cb.application_data.length
-         = asprintf ((char**) &state->cb.application_data.value,
-                     "n,a=%s,", authzid);
-      else
-       {
-         state->cb.application_data.value = strdup ("n,,");
-         state->cb.application_data.length = 3;
-       }
-
-      if (state->cb.application_data.length <= 0
-         || state->cb.application_data.value == NULL)
-       return GSASL_MALLOC_ERROR;
-    }
+  bufdesc1.value = input;
+  bufdesc1.length = input_len;
 
   switch (state->step)
     {
@@ -172,8 +234,31 @@ _gsasl_gs2_server_step (Gsasl_session * sctx,
       /* fall through */
 
     case 1:
-      bufdesc1.value = input;
-      bufdesc1.length = input_len;
+      {
+       char *authzid;
+       size_t headerlen;
+
+       res = parse_gs2_header (input, input_len, &authzid, &headerlen);
+       if (res != GSASL_OK)
+         return res;
+
+       if (authzid)
+         gsasl_property_set (sctx, GSASL_AUTHZID, authzid);
+
+       state->cb.application_data.value = input;
+       state->cb.application_data.length = headerlen;
+
+       bufdesc2.value = input + headerlen;
+       bufdesc2.length = input_len - headerlen;
+
+       res = gss_encapsulate_token (&bufdesc2, state->mech_oid, &bufdesc1);
+       if (res != 1)
+         return res;
+      }
+      state->step++;
+      /* fall through */
+
+    case 2:
       if (state->client)
        {
          gss_release_name (&min_stat, &state->client);
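Review bot: `if (res != 1) return res;` after gss_encapsulate_token hands the caller 0 on failure, and 0 is GSASL_OK, so an encapsulation failure is reported as success; return an explicit gsasl code instead (GSASL_AUTHENTICATION_ERROR at minimum) and keep the GSS-style result in its own variable rather than in `res`, which otherwise carries gsasl codes. The `authzid` returned by parse_gs2_header is heap-allocated and never freed; gsasl_property_set takes a `const char *` and presumably copies, in which case `free (authzid);` belongs right after the set. `state->cb.application_data.value = input` aliases the caller's input buffer, which is fine for the immediate fall-through into case 2, but if case 2 is re-entered on a later round trip (the switch continues outside the hunk) the channel-binding data would point into a buffer from a previous call. The token gss_encapsulate_token places in bufdesc1 is also not released anywhere in this hunk.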
@@ -204,10 +289,13 @@ _gsasl_gs2_server_step (Gsasl_session * sctx,
       if (maj_stat == GSS_S_COMPLETE)
        state->step++;
 
-      res = GSASL_NEEDS_MORE;
+      if (maj_stat == GSS_S_COMPLETE)
+       res = GSASL_OK;
+      else
+       res = GSASL_NEEDS_MORE;
       break;
 
-    case 2:
+    case 3:
       maj_stat = gss_display_name (&min_stat, state->client,
                                   &client_name, &mech_type);
       if (GSS_ERROR (maj_stat))
@@ -216,10 +304,6 @@ _gsasl_gs2_server_step (Gsasl_session * sctx,
       gsasl_property_set_raw (sctx, GSASL_GSSAPI_DISPLAY_NAME,
                              client_name.value, client_name.length);
 
-      maj_stat = gss_release_buffer (&min_stat, &bufdesc2);
-      if (GSS_ERROR (maj_stat))
-       return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
-
       res = gsasl_callback (NULL, sctx, GSASL_VALIDATE_GSSAPI);
 
       state->step++;
@@ -251,6 +335,5 @@ _gsasl_gs2_server_finish (Gsasl_session * sctx, void 
*mech_data)
   if (state->client != GSS_C_NO_NAME)
     gss_release_name (&min_stat, &state->client);
 
-  free (state->cb.application_data.value);
   free (state);
 }
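Review bot: Dropping the free is consistent with case 1 now pointing `cb.application_data.value` at the caller's input rather than at an asprintf/strdup buffer, but nothing records that the field is no longer owned; a comment on the struct member, `/* Points into the caller's input buffer; not owned, do not free. */`, would keep the free from being reintroduced. The function starts outside the hunk.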
diff --git a/lib/gssapi/client.c b/lib/gssapi/client.c
index a060baa..5899ab2 100644
--- a/lib/gssapi/client.c
+++ b/lib/gssapi/client.c
@@ -1,4 +1,4 @@
-/* client.c --- SASL mechanism GSSAPI as defined in RFC 2222, client side.
+/* client.c --- SASL mechanism GSSAPI as defined in RFC 4752, client side.
  * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of GNU SASL Library.
diff --git a/lib/gssapi/server.c b/lib/gssapi/server.c
index ae5f737..26099bc 100644
--- a/lib/gssapi/server.c
+++ b/lib/gssapi/server.c
@@ -1,4 +1,4 @@
-/* server.c --- SASL mechanism GSSAPI as defined in RFC 2222, server side.
+/* server.c --- SASL mechanism GSSAPI as defined in RFC 4752, server side.
  * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of GNU SASL Library.
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 01de69c..d7c2eae 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -32,7 +32,7 @@ libutils_la_SOURCES = utils.h utils.c
 TESTS_ENVIRONMENT = \
        SHISHI_KEYS=$(srcdir)/gssapi.key \
        SHISHI_TICKETS=$(srcdir)/gssapi.tkt \
-       SHISHI_CONFIG=ignore-this-warning \
+       SHISHI_CONFIG=$(srcdir)/gssapi.cfg \
        SHISHI_HOME=ignore-this-warning \
        SHISHI_USER=ignore-this-warning \
        THREADSAFETY_FILES=`ls $(top_srcdir)/lib/*/*.c | $(GREP) -v -e 
lib/gl/vasnprintf.c -e lib/gl/getdelim.c` \
@@ -41,7 +41,7 @@ TESTS_ENVIRONMENT = \
        $(VALGRIND)
 
 ctests = external cram-md5 digest-md5 md5file name errors suggest      \
-       simple crypto scram symbols
+       simple crypto scram symbols gssapi gs2-krb5
 
 if OBSOLETE
 ctests += old-simple old-md5file old-cram-md5 old-digest-md5   \
diff --git a/tests/gssapi.c b/tests/gs2-krb5.c
similarity index 73%
copy from tests/gssapi.c
copy to tests/gs2-krb5.c
index fdf6a19..a335cf3 100644
--- a/tests/gssapi.c
+++ b/tests/gs2-krb5.c
@@ -1,5 +1,5 @@
-/* gssapi.c --- Test the GSSAPI mechanism.
- * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008, 2009  Simon Josefsson
+/* gs2-krb5.c --- Test the GS2-KRB5 mechanism.
+ * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of GNU SASL.
  *
@@ -33,8 +33,8 @@
 #define HOST "latte.josefsson.org"
 #define GSSAPI_USER "jas"
 
-static const char *USERNAME[] = {
-  "foo", "BABABA", "jas", "hepp", "@"
+static const char *AUTHZID[] = {
+  "foo", "BAB,ABA", ",=,=", "=", "@"
 };
 
 size_t i;
@@ -44,12 +44,10 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property 
prop)
 {
   int rc = GSASL_NO_CALLBACK;
 
-  printf ("Callback for property %d\n", prop);
-
   switch (prop)
     {
-    case GSASL_AUTHID:
-      gsasl_property_set (sctx, GSASL_AUTHID, USERNAME[i]);
+    case GSASL_AUTHZID:
+      gsasl_property_set (sctx, GSASL_AUTHZID, AUTHZID[i]);
       rc = GSASL_OK;
       break;
 
@@ -69,11 +67,15 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property 
prop)
          gsasl_property_fast (sctx, GSASL_GSSAPI_DISPLAY_NAME);
        const char *authzid = gsasl_property_fast (sctx, GSASL_AUTHZID);
 
-       printf ("GSSAPI user: %s\n", client_name);
-       printf ("Authorization ID: %s\n", authzid);
+       if (client_name)
+         printf ("GSSAPI user: %s\n", client_name);
+       else
+         fail ("no client name\n");
+       if (authzid)
+         printf ("Authorization ID: %s\n", authzid);
 
-       if (strcmp (client_name, GSSAPI_USER) == 0 &&
-           strcmp (authzid, USERNAME[i]) == 0)
+       if (client_name && strcmp (client_name, GSSAPI_USER) == 0 &&
+           (authzid == NULL || strcmp (authzid, AUTHZID[i]) == 0))
          rc = GSASL_OK;
        else
          rc = GSASL_AUTHENTICATION_ERROR;
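Review bot: The validation accepts `authzid == NULL`, yet the client callback above sets GSASL_AUTHZID to AUTHZID[i] on every iteration, so a server that dropped or failed to unescape the authzid would still pass; since this test exists to exercise escaping of `,` and `=`, require it: `if (client_name && strcmp (client_name, GSSAPI_USER) == 0 && authzid && strcmp (authzid, AUTHZID[i]) == 0)`. The `if (authzid)` print a few lines up could then get a `fail ("no authzid\n");` else branch, matching the client-name check. The callback's switch starts and ends outside the hunk.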
@@ -107,13 +109,13 @@ doit (void)
 
   for (i = 0; i < 5; i++)
     {
-      rc = gsasl_server_start (ctx, "GSSAPI", &server);
+      rc = gsasl_server_start (ctx, "GS2-KRB5", &server);
       if (rc != GSASL_OK)
        {
          fail ("gsasl_init() failed (%d):\n%s\n", rc, gsasl_strerror (rc));
          return;
        }
-      rc = gsasl_client_start (ctx, "GSSAPI", &client);
+      rc = gsasl_client_start (ctx, "GS2-KRB5", &client);
       if (rc != GSASL_OK)
        {
          fail ("gsasl_init() failed (%d):\n%s\n", rc, gsasl_strerror (rc));
@@ -122,7 +124,11 @@ doit (void)
 
       do
        {
-         res1 = gsasl_step64 (server, s1, &s2);
+         res1 = gsasl_step64 (client, s1, &s2);
+         if (s1 == NULL && res1 == GSASL_OK)
+           fail("gsasl_step64 direct success?\n");
+         if (s1 == NULL && strcmp (s2, "") == 0)
+           fail("gsasl_step64 empty initial output?\n");
          if (s1)
            {
              gsasl_free (s1);
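Review bot: The new `strcmp (s2, "")` runs before res1 is checked (the error check for res1 appears to follow the hunk, judging by the res2 pattern below), so a failing first client step that leaves s2 NULL crashes the test instead of reporting a failure; guard it with `if (s1 == NULL && s2 && strcmp (s2, "") == 0)` or move both checks after the res1 test. The loop continues outside the hunk.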
@@ -136,12 +142,9 @@ doit (void)
            }
 
          if (debug)
-           printf ("S: %s\n", s2);
-
-         if (res1 == GSASL_OK && strcmp (s2, "") == 0)
-           break;
+           printf ("C: %s [%c]\n", s2, res1 == GSASL_OK ? 'O' : 'N');
 
-         res2 = gsasl_step64 (client, s2, &s1);
+         res2 = gsasl_step64 (server, s2, &s1);
          gsasl_free (s2);
          if (res2 != GSASL_OK && res2 != GSASL_NEEDS_MORE)
            {
@@ -151,7 +154,7 @@ doit (void)
            }
 
          if (debug)
-           printf ("C: %s\n", s1);
+           printf ("S: %s [%c]\n", s1, res2 == GSASL_OK ? 'O' : 'N');
        }
       while (res1 != GSASL_OK || res2 != GSASL_OK);
 
diff --git a/tests/gssapi.c b/tests/gssapi.c
index fdf6a19..170b1f8 100644
--- a/tests/gssapi.c
+++ b/tests/gssapi.c
@@ -136,7 +136,7 @@ doit (void)
            }
 
          if (debug)
-           printf ("S: %s\n", s2);
+           printf ("S: %s [%c]\n", s2, res1 == GSASL_OK ? 'O' : 'N');
 
          if (res1 == GSASL_OK && strcmp (s2, "") == 0)
            break;
@@ -151,7 +151,7 @@ doit (void)
            }
 
          if (debug)
-           printf ("C: %s\n", s1);
+           printf ("C: %s [%c]\n", s1, res2 == GSASL_OK ? 'O' : 'N');
        }
       while (res1 != GSASL_OK || res2 != GSASL_OK);
 
diff --git a/tests/gssapi.cfg b/tests/gssapi.cfg
new file mode 100644
index 0000000..3c48605
--- /dev/null
+++ b/tests/gssapi.cfg
@@ -0,0 +1 @@
+quick-random
diff --git a/tests/scram.c b/tests/scram.c
index d4bb94f..5a074cf 100644
--- a/tests/scram.c
+++ b/tests/scram.c
@@ -1,5 +1,5 @@
 /* scram.c --- Test the SCRAM mechanism.
- * Copyright (C) 2009  Simon Josefsson
+ * Copyright (C) 2009, 2010  Simon Josefsson
  *
  * This file is part of GNU SASL.
  *
@@ -163,7 +163,7 @@ doit (void)
        }
 
       if (debug)
-       printf ("C: %.*s\n", s1len, s1);
+       printf ("C: %.*s [%c]\n", s1len, s1, res == GSASL_OK ? 'O' : 'N');
 
       /* Server first... */
 
@@ -177,7 +177,7 @@ doit (void)
        }
 
       if (debug)
-       printf ("S: %.*s\n", s2len, s2);
+       printf ("S: %.*s [%c]\n", s2len, s2, res == GSASL_OK ? 'O' : 'N');
 
       /* Client final... */
 
@@ -191,7 +191,7 @@ doit (void)
        }
 
       if (debug)
-       printf ("C: %.*s\n", s1len, s1);
+       printf ("C: %.*s [%c]\n", s1len, s1, res == GSASL_OK ? 'O' : 'N');
 
       /* Server final... */
 
@@ -205,7 +205,7 @@ doit (void)
        }
 
       if (debug)
-       printf ("S: %.*s\n", s2len, s2);
+       printf ("S: %.*s [%c]\n", s2len, s2, res == GSASL_OK ? 'O' : 'N');
 
       /* Let client parse server final... */
 


hooks/post-receive
-- 
GNU gsasl



