
[SCM] GNU gsasl branch, master, updated. gsasl-1-4-1-105-g1f68730


From: Simon Josefsson
Subject: [SCM] GNU gsasl branch, master, updated. gsasl-1-4-1-105-g1f68730
Date: Tue, 30 Mar 2010 16:08:15 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gsasl".

http://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=1f68730a92b888b3ac9d33a1aef66bd075cb0c7b

The branch, master has been updated
       via  1f68730a92b888b3ac9d33a1aef66bd075cb0c7b (commit)
       via  5f69b02461be3398242f5ffba616ad520c262059 (commit)
       via  0a3aae9135e3f51342942db4614dea2bb582b6fa (commit)
       via  4c72b81f1e5957dab98aa606c55c3cba0d19b5af (commit)
       via  b550032df8488a9ceaa3cfd4c634947d8f219717 (commit)
       via  ac9f47f0ffffc2fad166d9adb75d99a8ecba264b (commit)
       via  72e47f465de904504749a2a18011649b010e2131 (commit)
       via  a35fdcd3245c658f00a4b0db139a817ce33293ea (commit)
       via  73d94e3e9e427a5ce23a38133f72ce9009dd5112 (commit)
       via  7bcba752df2819809d998e637a7a60f16e38886a (commit)
       via  ead93132e7b34d3a6f6dbea54f481a51c97d17dc (commit)
      from  654123b448fb96670f732774aa1411876a4d56d1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1f68730a92b888b3ac9d33a1aef66bd075cb0c7b
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 17:32:34 2010 +0200

    Also test non-authzid scenario.

commit 5f69b02461be3398242f5ffba616ad520c262059
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 17:23:43 2010 +0200

    Ignore some functions/files.

commit 0a3aae9135e3f51342942db4614dea2bb582b6fa
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 17:17:43 2010 +0200

    Reduce complexity.

commit 4c72b81f1e5957dab98aa606c55c3cba0d19b5af
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 16:46:59 2010 +0200

    Check NULL handling in interfaces.

commit b550032df8488a9ceaa3cfd4c634947d8f219717
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 16:46:31 2010 +0200

    gsasl_finish: Handle NULL sctx.

commit ac9f47f0ffffc2fad166d9adb75d99a8ecba264b
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 16:37:14 2010 +0200

    Fix memory leak and improve code coverage.

commit 72e47f465de904504749a2a18011649b010e2131
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 16:05:50 2010 +0200

    Fix @url's.

commit a35fdcd3245c658f00a4b0db139a817ce33293ea
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 15:59:13 2010 +0200

    Update.

commit 73d94e3e9e427a5ce23a38133f72ce9009dd5112
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 15:56:18 2010 +0200

    Add GS2 material.

commit 7bcba752df2819809d998e637a7a60f16e38886a
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 15:42:49 2010 +0200

    Add.

commit ead93132e7b34d3a6f6dbea54f481a51c97d17dc
Author: Simon Josefsson <address@hidden>
Date:   Tue Mar 30 15:13:32 2010 +0200

    Fix GNU GSS checks.  Be more verbose about configure options.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                    |    8 +
 configure.ac                  |   15 ++-
 doc/cyclo/Makefile.am         |    4 +-
 doc/gsasl.texi                |   83 +++++++++----
 doc/reference/gsasl-docs.sgml |    5 +-
 lib/gs2/client.c              |  287 ++++++++++++++++++++++------------------
 lib/src/xfinish.c             |    5 +-
 tests/Makefile.am             |    7 +-
 tests/gs2-krb5.c              |   18 ++-
 tests/gssapi.c                |   10 +-
 tests/simple.c                |    6 +-
 11 files changed, 276 insertions(+), 172 deletions(-)

diff --git a/.gitignore b/.gitignore
index 833960c..661d54d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -93,6 +93,7 @@ gl/arg-nonnull.h
 gl/arpa/
 gl/asnprintf.lo
 gl/asnprintf.o
+gl/c++defs.h
 gl/c-ctype.lo
 gl/c-ctype.o
 gl/c-strcasecmp.lo
@@ -105,6 +106,7 @@ gl/close-hook.o
 gl/configmake.h
 gl/exitfail.lo
 gl/exitfail.o
+gl/iconv.h
 gl/iconv_open-aix.h
 gl/iconv_open-hpux.h
 gl/iconv_open-irix.h
@@ -140,6 +142,7 @@ gl/version-etc.lo
 gl/version-etc.o
 gl/warn-on-use.h
 gl/wchar.h
+gl/wctype.h
 gl/xalloc-die.lo
 gl/xalloc-die.o
 gl/xmalloc.lo
@@ -148,6 +151,7 @@ gltests/.deps/
 gltests/Makefile
 gltests/Makefile.in
 gltests/arg-nonnull.h
+gltests/c++defs.h
 gltests/fcntl.h
 gltests/libtests.a
 gltests/malloca.o
@@ -375,6 +379,7 @@ lib/gl/asnprintf.lo
 lib/gl/asnprintf.o
 lib/gl/base64.lo
 lib/gl/base64.o
+lib/gl/c++defs.h
 lib/gl/gc-libgcrypt.lo
 lib/gl/gc-libgcrypt.o
 lib/gl/gc-pbkdf2-sha1.lo
@@ -398,6 +403,7 @@ lib/gltests/.deps/
 lib/gltests/Makefile
 lib/gltests/Makefile.in
 lib/gltests/arg-nonnull.h
+lib/gltests/c++defs.h
 lib/gltests/dummy.o
 lib/gltests/libtests.a
 lib/gltests/test-alloca-opt
@@ -749,6 +755,8 @@ tests/old-md5file
 tests/old-md5file.o
 tests/old-simple
 tests/old-simple.o
+tests/readnz
+tests/readnz.o
 tests/scram
 tests/scram.o
 tests/simple
diff --git a/configure.ac b/configure.ac
index 006feae..28a9972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -127,8 +127,6 @@ export WARN_CFLAGS
 
 AC_CONFIG_SUBDIRS([lib])
 
-AM_CONDITIONAL(GNUGSS, grep 'HAVE_LIBGSS 1' lib/config.h > /dev/null)
-
 AC_CONFIG_FILES([
   Makefile
   doc/Makefile
@@ -143,3 +141,16 @@ AC_CONFIG_FILES([
   tests/Makefile
 ])
 AC_OUTPUT
+
+AC_MSG_NOTICE([summary of build options:
+
+  version:            ${VERSION}
+  Host type:          ${host}
+  Install prefix:     ${prefix}
+  Compiler:           ${CC}
+  Warning flags:      errors: ${WERROR_CFLAGS} warnings: ${WARN_CFLAGS}
+  Library types:      Shared=${enable_shared}, Static=${enable_static}
+  Valgrind:           ${VALGRIND}
+  GnuTLS support:     $gnutls
+  Obsolete functions: $obsolete
+])
diff --git a/doc/cyclo/Makefile.am b/doc/cyclo/Makefile.am
index b14e750..c356965 100644
--- a/doc/cyclo/Makefile.am
+++ b/doc/cyclo/Makefile.am
@@ -1,4 +1,4 @@
-# Copyright (C) 2008, 2009  Simon Josefsson
+# Copyright (C) 2008, 2009, 2010  Simon Josefsson
 #
 # This file is part of GNU SASL.
 #
@@ -18,7 +18,7 @@
 EXTRA_DIST = cyclo-$(PACKAGE).html
 
 cyclo-$(PACKAGE).html:
-       $(PMCCABE) `find $(top_srcdir)/lib -name \*.[ch] | grep -v -e ../gl` \
+       $(PMCCABE) `find $(top_srcdir)/lib -name \*.[ch] | grep -v -e ../gl -e  
test-parser.c -e test-errors.c -e obsolete.c -e kerberos_v5` \
                | sort -nr \
                | $(AWK) -f ${top_srcdir}/lib/build-aux/pmccabe2html \
                        -v lang=html -v name="$(PACKAGE_NAME)" \
diff --git a/doc/gsasl.texi b/doc/gsasl.texi
index 5329473..aa90e2d 100644
--- a/doc/gsasl.texi
+++ b/doc/gsasl.texi
@@ -170,9 +170,9 @@ GNU SASL consists of a library (@code{libgsasl}), a command 
line
 utility (@code{gsasl}) to access the library from the shell, and a
 manual.  The library includes support for the framework (with
 authentication functions and application data privacy and integrity
-functions) and at least partial support for the CRAM-MD5, EXTERNAL,
-GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1, LOGIN, and
-NTLM mechanisms.
+functions) and at least partial support for the ANONYMOUS, CRAM-MD5,
+DIGEST-MD5, EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN,
+SCRAM-SHA-1, and SECURID mechanisms.
 
 The library is easily ported because it does not do network
 communication by itself, but rather leaves it up to the calling
@@ -249,11 +249,12 @@ library.
 @table @asis
 @item LibNTLM
 The NTLM mechanism requires the library LibNTLM,
address@hidden://josefsson.org/libntlm/}.
address@hidden://www.nongnu.org/libntlm/}.
 
 @item GSS-API
-The GSS-API mechanism requires a GSS-API library, such as GNU GSS
-(@url{http://www.gnu.org/software/gss/}), MIT Kerberos or Heimdal.
+The GSSAPI and GS2-KRB5 mechanisms requires a GSS-API library, see GNU
+GSS (@url{http://www.gnu.org/software/gss/}).  MIT Kerberos or Heimdal
+are also supported.
 
 @item LibIDN
 Processing of non-ASCII usernames and passwords requires the SASLprep
@@ -414,7 +415,7 @@ A mailing list where users may help each other exists, and 
you can
 reach it by sending e-mail to @email{help-gsasl@@gnu.org}.  Archives
 of the mailing list discussions, and an interface to manage
 subscriptions, is available through the World Wide Web at
address@hidden://lists.gnu.org/mailman/listinfo/help-gsasl}.
address@hidden://lists.gnu.org/mailman/listinfo/help-gsasl/}.
 
 @node Commercial Support
 @section Commercial Support
@@ -458,7 +459,7 @@ be mentioned here, contact the author (@pxref{Bug Reports}).
 
 The package can be downloaded from several places, including:
 
address@hidden://ftp.gnu.org/pub/gnu/gsasl/}
address@hidden://ftp.gnu.org/gnu/gsasl/}
 
 The latest version is stored in a file, e.g.,
 @address@hidden where the @address@hidden
@@ -474,7 +475,7 @@ and install the package.  You will need a few basic tools, 
such as
 @samp{sh}, @samp{make} and @samp{cc}.
 
 @example
-$ wget -q ftp://ftp.gnu.org/pub/gnu/gsasl/address@hidden
+$ wget -q ftp://ftp.gnu.org/gnu/gsasl/address@hidden
 $ tar xfz address@hidden
 $ cd address@hidden/
 $ ./configure
@@ -513,6 +514,7 @@ want to limit the size of the library.
 @itemx --disable-cram-md5
 @itemx --disable-digest-md5
 @itemx --disable-gssapi
address@hidden --disable-gs2
 @itemx --enable-kerberos_v5
 @itemx --disable-scram-sha1
 Disable or enable individual mechanisms (@pxref{Mechanisms}).
@@ -1468,8 +1470,8 @@ The GSASL_ANONYMOUS_TOKEN will contain token that 
identity the client.
 
 @item @code{GSASL_VALIDATE_GSSAPI}
 
-Used by the GSSAPI mechanism on the server side, to validate the
-client.  You may retrieve the authorization identity from
+Used by the GSSAPI and GS2-KRB5 mechanisms on the server side, to
+validate the client.  You may retrieve the authorization identity from
 GSASL_AUTHZID and the GSS-API display name from
 GSASL_GSSAPI_DISPLAY_NAME.
 
@@ -1506,13 +1508,13 @@ network but rather a hash of it.  Existing policy 
deciding systems
 like PAM cannot handle this, so the server callback for these
 mechanisms are more complicated.
 
-Further, mechanisms like GSSAPI (Kerberos 5) assume a specific
-authentication system.  In theory this means that the SASL library
-would not need to interact with the application, but rather call this
-specific authentication system directly.  However, some callbacks are
-supported anyway, to modify the behaviour of how the specific
-authentication system is used (i.e., to handle ``super-user'' login as
-some other user).
+Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a
+specific authentication system.  In theory this means that the SASL
+library would not need to interact with the application, but rather
+call this specific authentication system directly.  However, some
+callbacks are supported anyway, to modify the behaviour of how the
+specific authentication system is used (i.e., to handle ``super-user''
+login as some other user).
 
 Some mechanisms, like @samp{EXTERNAL} and @samp{ANONYMOUS} are
 entirely dependent on callbacks.
@@ -1528,6 +1530,7 @@ entirely dependent on callbacks.
 * NTLM::                    Microsoft NTLM authentication.
 * SECURID::                 Authentication using tokens.
 * GSSAPI::                  GSSAPI (Kerberos 5) authentication.
+* GS2-KRB5::                Improved GSSAPI (Kerberos 5) authentication.
 * KERBEROS_V5::             Experimental KERBEROS_V5 authentication.
 @end menu
 
@@ -1780,10 +1783,11 @@ find out the client selected PIN code.
 @section The GSSAPI mechanism
 @cindex GSSAPI
 
-GSS-API is a framework, similar to SASL, for authentication.  The
-GSSAPI mechanism only supports the Kerberos 5 GSS-API mechanism,
-though.  (A new SASL mechanism to support non-Kerberos 5 GSS-API
-mechanisms may be supported in the future.)
+The GSSAPI mechanism allows you to authenticate using Kerberos V5.
+The mechanism was originally designed to allow for any GSS-API
+mechanism to be used, but problems with the protocol made it
+unpractical and it is today restricted for use with Kerberos V5.  See
+the GS2 mechanism (@pxref{GS2-KRB5}) for a general solution.
 
 In the client, the mechanism is enabled only if the user has acquired
 credentials (i.e., a ticket granting ticket), and it requires the
@@ -1800,6 +1804,37 @@ GSS-API library.
 
 XXX: explain more about quality of service, maximum buffer size, etc.
 
address@hidden GS2-KRB5
address@hidden The GS2-KRB5 mechanism
address@hidden GS2
address@hidden GS2-KRB5
+
+GS2 is a protocol bridge between GSS-API and SASL, and allows every
+GSS-API mechanism that supports mutual authentication and channel
+bindings to be used as a SASL mechanism.  Currently we support the
+GS2-KRB5 mechanism, for Kerberos V5 authentication, however our GS2
+implementation is flexible enough to easily support other GSS-API
+mechanism if any gains popularity.
+
+In the client, the mechanism is enabled only if the user has acquired
+credentials (i.e., a ticket granting ticket), and it requires the
address@hidden, @code{GSASL_SERVICE}, and @code{GSASL_HOSTNAME}
+properties.
+
+In the server, the mechanism requires the @code{GSASL_SERVICE} and
address@hidden properties, and it will invoke the
address@hidden callback property in order to validate
+the user.  The callback may inspect the @code{GSASL_AUTHZID} and
address@hidden properties to decide whether to
+authorize the user.  Note that authentication is performed by the
+GSS-API library.
+
address@hidden GS2-KRB5-PLUS
+The GS2 framework supports a variant of each mechanism, called the
+PLUS variant, which can also bind the authentication to a secure
+channel through channel bindings.  Currently this is not supported by
+GNU SASL.
+
 @node KERBEROS_V5
 @section The KERBEROS_V5 mechanism
 @cindex KERBEROS_V5
@@ -2019,8 +2054,8 @@ Cryptographic functions for some SASL mechanisms uses 
Libgcrypt by
 Werner Koch et al.  The NTLM mechanism uses Libntlm by Grant Edwards
 et al, using code from Samba written by Andrew Tridgell, and now
 maintained by Simon Josefsson.  The KERBEROS_V5 mechanism uses Shishi
-by Simon Josefsson.  The GSSAPI mechanism uses a GSS-API
-implementation, such as GSSLib by Simon Josefsson.
+by Simon Josefsson.  The GSSAPI and GS2-KRB5 mechanism uses a GSS-API
+implementation, such as GNU GSS by Simon Josefsson.
 
 Gnulib is used to simplify portability.
 
diff --git a/doc/reference/gsasl-docs.sgml b/doc/reference/gsasl-docs.sgml
index 97510fd..c1c5b84 100644
--- a/doc/reference/gsasl-docs.sgml
+++ b/doc/reference/gsasl-docs.sgml
@@ -21,8 +21,9 @@ GNU SASL consists of a library (`libgsasl'), a command line 
utility
 (`gsasl') to access the library from the shell, and a manual.  The
 library includes support for the framework (with authentication
 functions and application data privacy and integrity functions) and at
-least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS,
-PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1, LOGIN, and NTLM mechanisms.
+least partial support for the ANONYMOUS, CRAM-MD5, DIGEST-MD5,
+EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN, SCRAM-SHA-1, and
+SECURID mechanisms.
     </para>
 
     <para>
diff --git a/lib/gs2/client.c b/lib/gs2/client.c
index 0f88792..2664672 100644
--- a/lib/gs2/client.c
+++ b/lib/gs2/client.c
@@ -37,10 +37,11 @@
 
 struct _gsasl_gs2_client_state
 {
-  int step;
+  int step; /* 0 = initial, 1 = first token, 2 = looping, 3 = done */
   gss_name_t service;
   gss_ctx_id_t context;
   gss_OID mech_oid;
+  gss_buffer_desc token;
   struct gss_channel_bindings_struct cb;
 };
 typedef struct _gsasl_gs2_client_state _gsasl_gs2_client_state;
@@ -55,6 +56,10 @@ _gsasl_gs2_client_start (Gsasl_session * sctx, void 
**mech_data)
   if (state == NULL)
     return GSASL_MALLOC_ERROR;
 
+  state->step = 0;
+  state->service = GSS_C_NO_NAME;
+  state->context = GSS_C_NO_CONTEXT;
+
   res = gs2_get_oid (sctx, &state->mech_oid);
   if (res != GSASL_OK)
     {
@@ -62,9 +67,8 @@ _gsasl_gs2_client_start (Gsasl_session * sctx, void 
**mech_data)
       return res;
     }
 
-  state->context = GSS_C_NO_CONTEXT;
-  state->service = GSS_C_NO_NAME;
-  state->step = 0;
+  state->token.length = 0;
+  state->token.value = NULL;
 
   /* The initiator-address-type and acceptor-address-type fields of
      the GSS-CHANNEL-BINDINGS structure MUST be set to 0.  The
@@ -117,6 +121,107 @@ escape_authzid (const char *str)
   return out;
 }
 
+static int
+prepare (Gsasl_session * sctx, _gsasl_gs2_client_state *state)
+{
+  const char *service, *hostname;
+  const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
+  gss_buffer_desc bufdesc;
+  OM_uint32 maj_stat, min_stat;
+
+  service = gsasl_property_get (sctx, GSASL_SERVICE);
+  if (!service)
+    return GSASL_NO_SERVICE;
+
+  hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
+  if (!hostname)
+    return GSASL_NO_HOSTNAME;
+
+  bufdesc.length = asprintf ((char**) &bufdesc.value, "address@hidden",
+                            service, hostname);
+  if (bufdesc.length <= 0 || bufdesc.value == NULL)
+    return GSASL_MALLOC_ERROR;
+
+  maj_stat = gss_import_name (&min_stat, &bufdesc,
+                             GSS_C_NT_HOSTBASED_SERVICE,
+                             &state->service);
+  free (bufdesc.value);
+  if (GSS_ERROR (maj_stat))
+    return GSASL_GSSAPI_IMPORT_NAME_ERROR;
+
+  if (authzid)
+    {
+      char *escaped_authzid = escape_authzid (authzid);
+      if (!escaped_authzid)
+       return GSASL_MALLOC_ERROR;
+      state->cb.application_data.length
+       = asprintf ((char**) &state->cb.application_data.value,
+                   "n,a=%s,", escaped_authzid);
+      free (escaped_authzid);
+    }
+  else
+    {
+      state->cb.application_data.value = strdup ("n,,");
+      state->cb.application_data.length = 3;
+    }
+
+  if (state->cb.application_data.length <= 0
+      || state->cb.application_data.value == NULL)
+    return GSASL_MALLOC_ERROR;
+
+  return GSASL_OK;
+}
+
+/* Copy token to output buffer.  On first round trip, strip context
+   token header and add channel binding data. For later round trips,
+   just copy the buffer. */
+static int
+token2output (Gsasl_session * sctx,
+             _gsasl_gs2_client_state *state,
+             const gss_buffer_t token,
+             char **output, size_t * output_len)
+{
+  OM_uint32 maj_stat, min_stat;
+  gss_buffer_desc bufdesc;
+
+  if (state->step == 1)
+    {
+      state->step++;
+
+      maj_stat = gss_decapsulate_token (token, state->mech_oid,
+                                       &bufdesc);
+      if (GSS_ERROR (maj_stat))
+       return GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR;
+
+      *output_len = state->cb.application_data.length + bufdesc.length;
+      *output = malloc (*output_len);
+      if (!*output)
+       {
+         gss_release_buffer (&min_stat, &bufdesc);
+         return GSASL_MALLOC_ERROR;
+       }
+
+      memcpy (*output, state->cb.application_data.value,
+             state->cb.application_data.length);
+      memcpy (*output + state->cb.application_data.length,
+             bufdesc.value, bufdesc.length);
+
+      maj_stat = gss_release_buffer (&min_stat, &bufdesc);
+      if (GSS_ERROR (maj_stat))
+       return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
+    }
+  else
+    {
+      *output_len = token->length;
+      *output = malloc (*output_len);
+      if (!*output)
+       return GSASL_MALLOC_ERROR;
+      memcpy (*output, token->value, token->length);
+    }
+
+  return GSASL_OK;
+}
+
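Review bot: In `prepare` the `asprintf` result is stored directly into the unsigned `bufdesc.length` (and further down `state->cb.application_data.length`), so the `<= 0` tests can only catch a zero-length result and never the `-1` that `asprintf` returns on failure, on which path glibc leaves `value` unspecified. Capture the result in a signed local first: `int len = asprintf ((char **) &bufdesc.value, ...); if (len < 0) return GSASL_MALLOC_ERROR; bufdesc.length = len;`, and treat the application-data buffer the same way. In `token2output`, the else branch calls `malloc (*output_len)` with `token->length`, which is 0 on a final GSS_S_COMPLETE round that produces no output token; unless the build relies on a gnulib malloc replacement, `malloc (0)` may legitimately return NULL and the step would then be reported as GSASL_MALLOC_ERROR. Both functions are complete within the hunk.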
 int
 _gsasl_gs2_client_step (Gsasl_session * sctx,
                        void *mech_data,
@@ -124,150 +229,72 @@ _gsasl_gs2_client_step (Gsasl_session * sctx,
                        char **output, size_t * output_len)
 {
   _gsasl_gs2_client_state *state = mech_data;
-  gss_buffer_desc bufdesc, bufdesc2;
+  gss_buffer_desc bufdesc;
   gss_buffer_t buf = GSS_C_NO_BUFFER;
   OM_uint32 maj_stat, min_stat, ret_flags;
   gss_OID actual_mech_type;
   int res;
 
+  if (state->step > 2)
+    return GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
+
   if (state->step == 0)
     {
-      const char *service, *hostname;
-      const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
-
-      service = gsasl_property_get (sctx, GSASL_SERVICE);
-      if (!service)
-       return GSASL_NO_SERVICE;
-
-      hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
-      if (!hostname)
-       return GSASL_NO_HOSTNAME;
-
-      bufdesc.length = asprintf ((char**) &bufdesc.value, "address@hidden",
-                                service, hostname);
-      if (bufdesc.length <= 0 || bufdesc.value == NULL)
-       return GSASL_MALLOC_ERROR;
-
-      maj_stat = gss_import_name (&min_stat, &bufdesc,
-                                 GSS_C_NT_HOSTBASED_SERVICE,
-                                 &state->service);
-      free (bufdesc.value);
-      if (GSS_ERROR (maj_stat))
-       return GSASL_GSSAPI_IMPORT_NAME_ERROR;
-
-      if (authzid)
-       {
-         char *escaped_authzid = escape_authzid (authzid);
-         if (!escaped_authzid)
-           return GSASL_MALLOC_ERROR;
-         state->cb.application_data.length
-           = asprintf ((char**) &state->cb.application_data.value,
-                       "n,a=%s,", escaped_authzid);
-         free (escaped_authzid);
-       }
-      else
-       {
-         state->cb.application_data.value = strdup ("n,,");
-         state->cb.application_data.length = 3;
-       }
-
-      if (state->cb.application_data.length <= 0
-         || state->cb.application_data.value == NULL)
-       return GSASL_MALLOC_ERROR;
+      res = prepare (sctx, state);
+      if (res != GSASL_OK)
+       return res;
+      state->step++;
     }
 
-  switch (state->step)
+  if (state->step == 2)
     {
-    case 1:
       bufdesc.length = input_len;
       bufdesc.value = (void *) input;
       buf = &bufdesc;
-      /* fall through */
-
-    case 0:
-      bufdesc2.length = 0;
-      bufdesc2.value = NULL;
-
-      maj_stat = gss_init_sec_context (&min_stat,
-                                      GSS_C_NO_CREDENTIAL,
-                                      &state->context,
-                                      state->service,
-                                      state->mech_oid,
-                                      GSS_C_MUTUAL_FLAG,
-                                      0,
-                                      &state->cb,
-                                      buf,
-                                      &actual_mech_type,
-                                      &bufdesc2,
-                                      &ret_flags,
-                                      NULL);
-      if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
-       return GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR;
-
-      /* The mutual_req_flag MUST be set.  Clients MUST check that the
-        corresponding ret_flag is set when the context is fully
-        established, else authentication MUST fail. */
-      if (maj_stat == GSS_S_COMPLETE && !(ret_flags & GSS_C_MUTUAL_FLAG))
-       return GSASL_AUTHENTICATION_ERROR;
-
-      if (!gss_oid_equal (state->mech_oid, actual_mech_type))
-       return GSASL_AUTHENTICATION_ERROR;
-
-      if (state->step == 0)
-       {
-         OM_uint32 maj_stat2;
-
-         maj_stat2 = gss_decapsulate_token (&bufdesc2, state->mech_oid,
-                                            &bufdesc);
-         if (GSS_ERROR (maj_stat2))
-           return GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR;
-
-         *output_len = state->cb.application_data.length + bufdesc.length;
-         *output = malloc (*output_len);
-         if (!*output)
-           {
-             gss_release_buffer (&min_stat, &bufdesc);
-             return GSASL_MALLOC_ERROR;
-           }
-         memcpy (*output, state->cb.application_data.value,
-                 state->cb.application_data.length);
-         memcpy (*output + state->cb.application_data.length,
-                 bufdesc.value, bufdesc.length);
-
-         maj_stat2 = gss_release_buffer (&min_stat, &bufdesc2);
-         if (GSS_ERROR (maj_stat2))
-           return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
-       }
-      else
-       {
-         *output_len = bufdesc2.length;
-         *output = malloc (*output_len);
-         if (!*output)
-           return GSASL_MALLOC_ERROR;
-         memcpy (*output, bufdesc2.value, bufdesc2.length);
-       }
-
-      if (state->step == 0 && maj_stat == GSS_S_CONTINUE_NEEDED)
-       state->step++;
-      if (maj_stat == GSS_S_COMPLETE)
-       state->step++;
-
-      if (maj_stat == GSS_S_COMPLETE)
-       res = GSASL_OK;
-      else
-       res = GSASL_NEEDS_MORE;
+    }
 
-      maj_stat = gss_release_buffer (&min_stat, &bufdesc2);
+  /* Release memory for token from last round-trip, if any. */
+  if (state->token.value != NULL)
+    {
+      maj_stat = gss_release_buffer (&min_stat, &state->token);
       if (GSS_ERROR (maj_stat))
        return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
-      break;
 
-    default:
-      res = GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
-      break;
+      state->token.value = NULL;
+      state->token.length = 0;
     }
 
-  return res;
+  maj_stat = gss_init_sec_context (&min_stat,
+                                  GSS_C_NO_CREDENTIAL,
+                                  &state->context,
+                                  state->service,
+                                  state->mech_oid,
+                                  GSS_C_MUTUAL_FLAG,
+                                  0,
+                                  &state->cb,
+                                  buf,
+                                  &actual_mech_type,
+                                  &state->token,
+                                  &ret_flags,
+                                  NULL);
+  if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
+    return GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR;
+
+  res = token2output (sctx, state, &state->token, output, output_len);
+  if (res != GSASL_OK)
+    return res;
+
+  if (maj_stat == GSS_S_CONTINUE_NEEDED)
+    return GSASL_NEEDS_MORE;
+
+  if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+    return GSASL_AUTHENTICATION_ERROR;
+
+  if (!gss_oid_equal (state->mech_oid, actual_mech_type))
+    return GSASL_AUTHENTICATION_ERROR;
+
+  state->step++;
+  return GSASL_OK;
 }
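Review bot: On the two GSASL_AUTHENTICATION_ERROR returns at the end of `_gsasl_gs2_client_step`, `*output` has already been allocated by the preceding `token2output` call and is never freed, so a failed mutual-authentication or mechanism-OID check leaks the output buffer (presumably callers own `*output` only on GSASL_OK or GSASL_NEEDS_MORE). Run both checks before any output is produced: `if (maj_stat == GSS_S_COMPLETE && (!(ret_flags & GSS_C_MUTUAL_FLAG) || !gss_oid_equal (state->mech_oid, actual_mech_type))) return GSASL_AUTHENTICATION_ERROR;` placed ahead of `res = token2output (...)`, or else `free (*output); *output = NULL;` on those paths. Note too that the mechanism-OID comparison now happens only once the context is complete, whereas the removed code performed it on every round trip; that is adequate because the context is not used before completion, but a one-line comment saying so would stop the next reader from re-adding the per-round check.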
 
 void
@@ -279,6 +306,8 @@ _gsasl_gs2_client_finish (Gsasl_session * sctx, void 
*mech_data)
   if (!state)
     return;
 
+  if (state->token.value != NULL)
+    maj_stat = gss_release_buffer (&min_stat, &state->token);
   if (state->service != GSS_C_NO_NAME)
     maj_stat = gss_release_name (&min_stat, &state->service);
   if (state->context != GSS_C_NO_CONTEXT)
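Review bot: `_gsasl_gs2_client_finish` now releases `state->token`, `state->service` and `state->context`, but `state->cb.application_data.value`, which `prepare` obtains from `asprintf`/`strdup`, is not released in the visible lines; if it is not freed further down in the function (the body continues outside the hunk), every GS2 session leaks that buffer, so please confirm or add `free (state->cb.application_data.value);` alongside the other releases. The `maj_stat` results assigned here are never inspected; `(void) gss_release_buffer (&min_stat, &state->token);` would make the deliberate discard explicit.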
diff --git a/lib/src/xfinish.c b/lib/src/xfinish.c
index 63d3937..4b963bf 100644
--- a/lib/src/xfinish.c
+++ b/lib/src/xfinish.c
@@ -1,5 +1,5 @@
 /* xfinish.c --- Finish libgsasl session.
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009  Simon 
Josefsson
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of GNU SASL Library.
  *
@@ -32,6 +32,9 @@
 void
 gsasl_finish (Gsasl_session * sctx)
 {
+  if (sctx == NULL)
+    return;
+
   if (sctx->clientp)
     {
       if (sctx->mech && sctx->mech->client.finish)
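Review bot: The new NULL guard changes the public contract of `gsasl_finish`, but nothing in the hunk documents it; the function's API comment sits above the hunk and should state this explicitly, e.g. by adding `Passing NULL as @sctx is permitted and is a no-op.` to the `@sctx:` parameter description. Without that, callers cannot tell whether NULL is a supported argument or merely tolerated by this implementation. The function body continues below the hunk.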
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a15558a..58d571c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -38,14 +38,11 @@ TESTS_ENVIRONMENT = \
        THREADSAFETY_FILES=`ls $(top_srcdir)/lib/*/*.c | $(GREP) -v -e 
lib/gl/vasnprintf.c -e lib/gl/getdelim.c` \
        MD5FILE=$(srcdir)/cram-md5.pwd \
        EGREP="$(EGREP)" \
+       GNUGSS=`if grep 'HAVE_LIBGSS 1' ../lib/config.h > /dev/null; then echo 
yes; else echo no; fi`
        $(VALGRIND)
 
 ctests = external cram-md5 digest-md5 md5file name errors suggest      \
-       simple crypto scram symbols readnz
-
-if GNUGSS
-ctests += gssapi gs2-krb5
-endif
+       simple crypto scram symbols readnz gssapi gs2-krb5
 if OBSOLETE
 ctests += old-simple old-md5file old-cram-md5 old-digest-md5   \
        old-base64
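Review bot: The added `GNUGSS=...` line in `TESTS_ENVIRONMENT` carries no trailing backslash, so `$(VALGRIND)` on the following line is no longer part of the variable; unless the mail wrapping dropped the backslash, every test now runs without valgrind and a non-empty `$(VALGRIND)` becomes a stray Makefile line. The grep also hard-codes `../lib/config.h`, which only resolves when the test directory sits directly under the build tree; `$(top_builddir)/lib/config.h` is the conventional spelling. Suggested line: `GNUGSS=`if grep 'HAVE_LIBGSS 1' $(top_builddir)/lib/config.h > /dev/null; then echo yes; else echo no; fi` \`.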
diff --git a/tests/gs2-krb5.c b/tests/gs2-krb5.c
index 7032f56..d804f15 100644
--- a/tests/gs2-krb5.c
+++ b/tests/gs2-krb5.c
@@ -35,7 +35,7 @@
 #define GSSAPI_USER "jas"
 
 static const char *AUTHZID[] = {
-  "foo", "BAB,ABA", ",=,=", "=", "@"
+  "foo", "BAB,ABA", ",=,=", "=", ""
 };
 
 size_t i;
@@ -48,8 +48,11 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property 
prop)
   switch (prop)
     {
     case GSASL_AUTHZID:
-      gsasl_property_set (sctx, GSASL_AUTHZID, AUTHZID[i]);
-      rc = GSASL_OK;
+      if (*AUTHZID[i])
+       {
+         gsasl_property_set (sctx, GSASL_AUTHZID, AUTHZID[i]);
+         rc = GSASL_OK;
+       }
       break;
 
     case GSASL_SERVICE:
@@ -76,7 +79,8 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property 
prop)
          printf ("Authorization ID: %s\n", authzid);
 
        if (client_name && strcmp (client_name, GSSAPI_USER) == 0 &&
-           (authzid == NULL || strcmp (authzid, AUTHZID[i]) == 0))
+           ((authzid == NULL && *AUTHZID[i] == '\0')
+            || strcmp (authzid, AUTHZID[i]) == 0))
          rc = GSASL_OK;
        else
          rc = GSASL_AUTHENTICATION_ERROR;
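Review bot: The new authorization check still reaches `strcmp (authzid, AUTHZID[i])` when `authzid` is NULL and the expected value is non-empty, because the first alternative only short-circuits for the empty case; a server-side run in which the client sent no authzid then dereferences NULL instead of returning GSASL_AUTHENTICATION_ERROR. Use a conditional that never hands NULL to `strcmp`: `(authzid == NULL ? *AUTHZID[i] == '\0' : strcmp (authzid, AUTHZID[i]) == 0)`. `callback` starts and ends outside the hunk.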
@@ -110,6 +114,12 @@ doit (void)
   char *s1 = NULL, *s2 = NULL;
   int rc, res1, res2;
 
+  if (getenv ("GNUGSS") && strcmp (getenv ("GNUGSS"), "no") == 0)
+    {
+      fail ("Not using GNU GSS, skipping self-test.\n");
+      exit (77);
+    }
+
   rc = gsasl_init (&ctx);
   if (rc != GSASL_OK)
     {
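Review bot: The GNU GSS skip block calls `getenv ("GNUGSS")` twice; read it once into a local, `const char *gnugss = getenv ("GNUGSS"); if (gnugss && strcmp (gnugss, "no") == 0)`, which is also easier to read. The identical block is added to `doit` in tests/gssapi.c; if the test utilities have a shared header, a small helper there would keep the two in sync. `doit` starts and ends outside the hunk.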
diff --git a/tests/gssapi.c b/tests/gssapi.c
index 0ea717f..ae98aae 100644
--- a/tests/gssapi.c
+++ b/tests/gssapi.c
@@ -95,6 +95,12 @@ doit (void)
   char *s1 = NULL, *s2 = NULL;
   int rc, res1, res2;
 
+  if (getenv ("GNUGSS") && strcmp (getenv ("GNUGSS"), "no") == 0)
+    {
+      fail ("Not using GNU GSS, skipping self-test.\n");
+      exit (77);
+    }
+
   rc = gsasl_init (&ctx);
   if (rc != GSASL_OK)
     {
@@ -106,8 +112,8 @@ doit (void)
       || !gsasl_server_support_p (ctx, "GSSAPI"))
     {
       gsasl_done (ctx);
-      fail("No support for GSSAPI.\n");
-      exit(77);
+      fail ("No support for GSSAPI.\n");
+      exit (77);
     }
 
   gsasl_callback_set (ctx, callback);
diff --git a/tests/simple.c b/tests/simple.c
index 84817f3..91fc2d8 100644
--- a/tests/simple.c
+++ b/tests/simple.c
@@ -1,5 +1,5 @@
 /* simple.c --- Test the simple SASL mechanisms.
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009  Simon 
Josefsson
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010  Simon 
Josefsson
  *
  * This file is part of GNU SASL.
  *
@@ -415,4 +415,8 @@ doit (void)
     }
 
   gsasl_done (ctx);
+
+  /* Sanity check interfaces. */
+  gsasl_finish (NULL);
+  gsasl_done (NULL);
 }
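Review bot: The new sanity check calls `gsasl_done (NULL)`, but this series only adds a NULL guard to `gsasl_finish` (lib/src/xfinish.c); unless `gsasl_done` already tolerates NULL, the test dereferences a null pointer at its very end and reports a crash rather than a pass. Confirm the guard exists in `gsasl_done`, or add it in the same series so that the test exercises documented behaviour. `doit` starts outside the hunk.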


hooks/post-receive
-- 
GNU gsasl



