This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU gsasl".
http://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=1f68730a92b888b3ac9d33a1aef66bd075cb0c7b The branch, master has been updated via 1f68730a92b888b3ac9d33a1aef66bd075cb0c7b (commit) via 5f69b02461be3398242f5ffba616ad520c262059 (commit) via 0a3aae9135e3f51342942db4614dea2bb582b6fa (commit) via 4c72b81f1e5957dab98aa606c55c3cba0d19b5af (commit) via b550032df8488a9ceaa3cfd4c634947d8f219717 (commit) via ac9f47f0ffffc2fad166d9adb75d99a8ecba264b (commit) via 72e47f465de904504749a2a18011649b010e2131 (commit) via a35fdcd3245c658f00a4b0db139a817ce33293ea (commit) via 73d94e3e9e427a5ce23a38133f72ce9009dd5112 (commit) via 7bcba752df2819809d998e637a7a60f16e38886a (commit) via ead93132e7b34d3a6f6dbea54f481a51c97d17dc (commit) from 654123b448fb96670f732774aa1411876a4d56d1 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1f68730a92b888b3ac9d33a1aef66bd075cb0c7b Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 17:32:34 2010 +0200 Also test non-authzid scenario. commit 5f69b02461be3398242f5ffba616ad520c262059 Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 17:23:43 2010 +0200 Ignore some functions/files. commit 0a3aae9135e3f51342942db4614dea2bb582b6fa Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 17:17:43 2010 +0200 Reduce complexity. commit 4c72b81f1e5957dab98aa606c55c3cba0d19b5af Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 16:46:59 2010 +0200 Check NULL handling in interfaces. commit b550032df8488a9ceaa3cfd4c634947d8f219717 Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 16:46:31 2010 +0200 gsasl_finish: Handle NULL sctx. commit ac9f47f0ffffc2fad166d9adb75d99a8ecba264b Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 16:37:14 2010 +0200 Fix memory leak and improve code coverage. 
commit 72e47f465de904504749a2a18011649b010e2131 Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 16:05:50 2010 +0200 Fix @url's. commit a35fdcd3245c658f00a4b0db139a817ce33293ea Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 15:59:13 2010 +0200 Update. commit 73d94e3e9e427a5ce23a38133f72ce9009dd5112 Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 15:56:18 2010 +0200 Add GS2 material. commit 7bcba752df2819809d998e637a7a60f16e38886a Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 15:42:49 2010 +0200 Add. commit ead93132e7b34d3a6f6dbea54f481a51c97d17dc Author: Simon Josefsson <[email protected]> Date: Tue Mar 30 15:13:32 2010 +0200 Fix GNU GSS checks. Be more verbose about configure options. ----------------------------------------------------------------------- Summary of changes: .gitignore | 8 + configure.ac | 15 ++- doc/cyclo/Makefile.am | 4 +- doc/gsasl.texi | 83 +++++++++---- doc/reference/gsasl-docs.sgml | 5 +- lib/gs2/client.c | 287 ++++++++++++++++++++++------------------ lib/src/xfinish.c | 5 +- tests/Makefile.am | 7 +- tests/gs2-krb5.c | 18 ++- tests/gssapi.c | 10 +- tests/simple.c | 6 +- 11 files changed, 276 insertions(+), 172 deletions(-) diff --git a/.gitignore b/.gitignore index 833960c..661d54d 100644 --- a/.gitignore +++ b/.gitignore @@ -93,6 +93,7 @@ gl/arg-nonnull.h gl/arpa/ gl/asnprintf.lo gl/asnprintf.o +gl/c++defs.h gl/c-ctype.lo gl/c-ctype.o gl/c-strcasecmp.lo @@ -105,6 +106,7 @@ gl/close-hook.o gl/configmake.h gl/exitfail.lo gl/exitfail.o +gl/iconv.h gl/iconv_open-aix.h gl/iconv_open-hpux.h gl/iconv_open-irix.h @@ -140,6 +142,7 @@ gl/version-etc.lo gl/version-etc.o gl/warn-on-use.h gl/wchar.h +gl/wctype.h gl/xalloc-die.lo gl/xalloc-die.o gl/xmalloc.lo @@ -148,6 +151,7 @@ gltests/.deps/ gltests/Makefile gltests/Makefile.in gltests/arg-nonnull.h +gltests/c++defs.h gltests/fcntl.h gltests/libtests.a gltests/malloca.o 
@@ -375,6 +379,7 @@ lib/gl/asnprintf.lo lib/gl/asnprintf.o lib/gl/base64.lo lib/gl/base64.o +lib/gl/c++defs.h lib/gl/gc-libgcrypt.lo lib/gl/gc-libgcrypt.o lib/gl/gc-pbkdf2-sha1.lo @@ -398,6 +403,7 @@ lib/gltests/.deps/ lib/gltests/Makefile lib/gltests/Makefile.in lib/gltests/arg-nonnull.h +lib/gltests/c++defs.h lib/gltests/dummy.o lib/gltests/libtests.a lib/gltests/test-alloca-opt @@ -749,6 +755,8 @@ tests/old-md5file tests/old-md5file.o tests/old-simple tests/old-simple.o +tests/readnz +tests/readnz.o tests/scram tests/scram.o tests/simple diff --git a/configure.ac b/configure.ac index 006feae..28a9972 100644 --- a/configure.ac +++ b/configure.ac @@ -127,8 +127,6 @@ export WARN_CFLAGS AC_CONFIG_SUBDIRS([lib]) -AM_CONDITIONAL(GNUGSS, grep 'HAVE_LIBGSS 1' lib/config.h > /dev/null) - AC_CONFIG_FILES([ Makefile doc/Makefile @@ -143,3 +141,16 @@ AC_CONFIG_FILES([ tests/Makefile ]) AC_OUTPUT + +AC_MSG_NOTICE([summary of build options: + + version: ${VERSION} + Host type: ${host} + Install prefix: ${prefix} + Compiler: ${CC} + Warning flags: errors: ${WERROR_CFLAGS} warnings: ${WARN_CFLAGS} + Library types: Shared=${enable_shared}, Static=${enable_static} + Valgrind: ${VALGRIND} + GnuTLS support: $gnutls + Obsolete functions: $obsolete +]) diff --git a/doc/cyclo/Makefile.am b/doc/cyclo/Makefile.am index b14e750..c356965 100644 --- a/doc/cyclo/Makefile.am +++ b/doc/cyclo/Makefile.am @@ -1,4 +1,4 @@ -# Copyright (C) 2008, 2009 Simon Josefsson +# Copyright (C) 2008, 2009, 2010 Simon Josefsson # # This file is part of GNU SASL. # @@ -18,7 +18,7 @@ EXTRA_DIST = cyclo-$(PACKAGE).html cyclo-$(PACKAGE).html: - $(PMCCABE) `find $(top_srcdir)/lib -name \*.[ch] | grep -v -e ../gl` \ + $(PMCCABE) `find $(top_srcdir)/lib -name \*.[ch] | grep -v -e ../gl -e test-parser.c -e test-errors.c -e obsolete.c -e kerberos_v5` \ | sort -nr \ | $(AWK) -f ${top_srcdir}/lib/build-aux/pmccabe2html \ -v lang=html -v name="$(PACKAGE_NAME)" \ 
diff --git a/doc/gsasl.texi b/doc/gsasl.texi index 5329473..aa90e2d 100644 --- a/doc/gsasl.texi +++ b/doc/gsasl.texi @@ -170,9 +170,9 @@ GNU SASL consists of a library (@code{libgsasl}), a command line utility (@code{gsasl}) to access the library from the shell, and a manual. The library includes support for the framework (with authentication functions and application data privacy and integrity -functions) and at least partial support for the CRAM-MD5, EXTERNAL, -GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1, LOGIN, and -NTLM mechanisms. +functions) and at least partial support for the ANONYMOUS, CRAM-MD5, +DIGEST-MD5, EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN, +SCRAM-SHA-1, and SECURID mechanisms. The library is easily ported because it does not do network communication by itself, but rather leaves it up to the calling @@ -249,11 +249,12 @@ library. @table @asis @item LibNTLM The NTLM mechanism requires the library LibNTLM, -...@url{http://josefsson.org/libntlm/}. +...@url{http://www.nongnu.org/libntlm/}. @item GSS-API -The GSS-API mechanism requires a GSS-API library, such as GNU GSS -(@url{http://www.gnu.org/software/gss/}), MIT Kerberos or Heimdal. +The GSSAPI and GS2-KRB5 mechanisms requires a GSS-API library, see GNU +GSS (@url{http://www.gnu.org/software/gss/}). MIT Kerberos or Heimdal +are also supported. @item LibIDN Processing of non-ASCII usernames and passwords requires the SASLprep @@ -414,7 +415,7 @@ A mailing list where users may help each other exists, and you can reach it by sending e-mail to @email{help-gsasl@@gnu.org}. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at -...@url{http://lists.gnu.org/mailman/listinfo/help-gsasl}. +...@url{http://lists.gnu.org/mailman/listinfo/help-gsasl/}. @node Commercial Support @section Commercial Support 
@@ -458,7 +459,7 @@ be mentioned here, contact the author (@pxref{Bug Reports}). The package can be downloaded from several places, including: -...@url{ftp://ftp.gnu.org/pub/gnu/gsasl/} +...@url{ftp://ftp.gnu.org/gnu/gsasl/} The latest version is stored in a file, e.g., @samp{gsa...@value{version}.tar.gz} where the @sa...@value{version}} @@ -474,7 +475,7 @@ and install the package. You will need a few basic tools, such as @samp{sh}, @samp{make} and @samp{cc}. @example -$ wget -q ftp://ftp.gnu.org/pub/gnu/gsasl/gsa...@value{version}.tar.gz +$ wget -q ftp://ftp.gnu.org/gnu/gsasl/gsa...@value{version}.tar.gz $ tar xfz gsa...@value{version}.tar.gz $ cd gsa...@value{version}/ $ ./configure @@ -513,6 +514,7 @@ want to limit the size of the library. @itemx --disable-cram-md5 @itemx --disable-digest-md5 @itemx --disable-gssapi +...@itemx --disable-gs2 @itemx --enable-kerberos_v5 @itemx --disable-scram-sha1 Disable or enable individual mechanisms (@pxref{Mechanisms}). @@ -1468,8 +1470,8 @@ The GSASL_ANONYMOUS_TOKEN will contain token that identity the client. @item @code{GSASL_VALIDATE_GSSAPI} -Used by the GSSAPI mechanism on the server side, to validate the -client. You may retrieve the authorization identity from +Used by the GSSAPI and GS2-KRB5 mechanisms on the server side, to +validate the client. You may retrieve the authorization identity from GSASL_AUTHZID and the GSS-API display name from GSASL_GSSAPI_DISPLAY_NAME. 
@@ -1506,13 +1508,13 @@ network but rather a hash of it. Existing policy deciding systems like PAM cannot handle this, so the server callback for these mechanisms are more complicated. -Further, mechanisms like GSSAPI (Kerberos 5) assume a specific -authentication system. In theory this means that the SASL library -would not need to interact with the application, but rather call this -specific authentication system directly. However, some callbacks are -supported anyway, to modify the behaviour of how the specific -authentication system is used (i.e., to handle ``super-user'' login as -some other user). +Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a +specific authentication system. In theory this means that the SASL +library would not need to interact with the application, but rather +call this specific authentication system directly. However, some +callbacks are supported anyway, to modify the behaviour of how the +specific authentication system is used (i.e., to handle ``super-user'' +login as some other user). Some mechanisms, like @samp{EXTERNAL} and @samp{ANONYMOUS} are entirely dependent on callbacks. @@ -1528,6 +1530,7 @@ entirely dependent on callbacks. * NTLM:: Microsoft NTLM authentication. * SECURID:: Authentication using tokens. * GSSAPI:: GSSAPI (Kerberos 5) authentication. +* GS2-KRB5:: Improved GSSAPI (Kerberos 5) authentication. * KERBEROS_V5:: Experimental KERBEROS_V5 authentication. @end menu 
@@ -1780,10 +1783,11 @@ find out the client selected PIN code. @section The GSSAPI mechanism @cindex GSSAPI -GSS-API is a framework, similar to SASL, for authentication. The -GSSAPI mechanism only supports the Kerberos 5 GSS-API mechanism, -though. (A new SASL mechanism to support non-Kerberos 5 GSS-API -mechanisms may be supported in the future.) +The GSSAPI mechanism allows you to authenticate using Kerberos V5. +The mechanism was originally designed to allow for any GSS-API +mechanism to be used, but problems with the protocol made it +unpractical and it is today restricted for use with Kerberos V5. See +the GS2 mechanism (@pxref{GS2-KRB5}) for a general solution. In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the 
@@ -1800,6 +1804,37 @@ GSS-API library. XXX: explain more about quality of service, maximum buffer size, etc. +...@node GS2-KRB5 +...@section The GS2-KRB5 mechanism +...@cindex GS2 +...@cindex GS2-KRB5 + +GS2 is a protocol bridge between GSS-API and SASL, and allows every +GSS-API mechanism that supports mutual authentication and channel +bindings to be used as a SASL mechanism. Currently we support the +GS2-KRB5 mechanism, for Kerberos V5 authentication, however our GS2 +implementation is flexible enough to easily support other GSS-API +mechanism if any gains popularity. + +In the client, the mechanism is enabled only if the user has acquired +credentials (i.e., a ticket granting ticket), and it requires the +...@code{gsasl_authid}, @code{GSASL_SERVICE}, and @code{GSASL_HOSTNAME} +properties. + +In the server, the mechanism requires the @code{GSASL_SERVICE} and +...@code{gsasl_hostname} properties, and it will invoke the +...@code{gsasl_validate_gssapi} callback property in order to validate +the user. The callback may inspect the @code{GSASL_AUTHZID} and +...@code{gsasl_gssapi_display_name} properties to decide whether to +authorize the user. Note that authentication is performed by the +GSS-API library. + +...@cindex GS2-KRB5-PLUS +The GS2 framework supports a variant of each mechanism, called the +PLUS variant, which can also bind the authentication to a secure +channel through channel bindings. Currently this is not supported by +GNU SASL. + @node KERBEROS_V5 @section The KERBEROS_V5 mechanism @cindex KERBEROS_V5 
@@ -2019,8 +2054,8 @@ Cryptographic functions for some SASL mechanisms uses Libgcrypt by Werner Koch et al. The NTLM mechanism uses Libntlm by Grant Edwards et al, using code from Samba written by Andrew Tridgell, and now maintained by Simon Josefsson. The KERBEROS_V5 mechanism uses Shishi -by Simon Josefsson. The GSSAPI mechanism uses a GSS-API -implementation, such as GSSLib by Simon Josefsson. +by Simon Josefsson. The GSSAPI and GS2-KRB5 mechanism uses a GSS-API +implementation, such as GNU GSS by Simon Josefsson. Gnulib is used to simplify portability. diff --git a/doc/reference/gsasl-docs.sgml b/doc/reference/gsasl-docs.sgml index 97510fd..c1c5b84 100644 --- a/doc/reference/gsasl-docs.sgml +++ b/doc/reference/gsasl-docs.sgml @@ -21,8 +21,9 @@ GNU SASL consists of a library (`libgsasl'), a command line utility (`gsasl') to access the library from the shell, and a manual. The library includes support for the framework (with authentication functions and application data privacy and integrity functions) and at -least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, -PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1, LOGIN, and NTLM mechanisms. +least partial support for the ANONYMOUS, CRAM-MD5, DIGEST-MD5, +EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN, SCRAM-SHA-1, and +SECURID mechanisms. </para> <para> diff --git a/lib/gs2/client.c b/lib/gs2/client.c index 0f88792..2664672 100644 --- a/lib/gs2/client.c +++ b/lib/gs2/client.c @@ -37,10 +37,11 @@ struct _gsasl_gs2_client_state { - int step; + int step; /* 0 = initial, 1 = first token, 2 = looping, 3 = done */ gss_name_t service; gss_ctx_id_t context; gss_OID mech_oid; + gss_buffer_desc token; struct gss_channel_bindings_struct cb; }; typedef struct _gsasl_gs2_client_state _gsasl_gs2_client_state; 
@@ -55,6 +56,10 @@ _gsasl_gs2_client_start (Gsasl_session * sctx, void **mech_data)
   if (state == NULL)
     return GSASL_MALLOC_ERROR;
+  state->step = 0;
+  state->service = GSS_C_NO_NAME;
+  state->context = GSS_C_NO_CONTEXT;
+
   res = gs2_get_oid (sctx, &state->mech_oid);
   if (res != GSASL_OK)
     {
@@ -62,9 +67,8 @@ _gsasl_gs2_client_start (Gsasl_session * sctx, void **mech_data)
       return res;
     }
-  state->context = GSS_C_NO_CONTEXT;
-  state->service = GSS_C_NO_NAME;
-  state->step = 0;
+  state->token.length = 0;
+  state->token.value = NULL;
   /* The initiator-address-type and acceptor-address-type fields of the GSS-CHANNEL-BINDINGS structure MUST be set to 0. The
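Review bot: `state->token` is initialised only after `gs2_get_oid` has been given a chance to fail, while `step`, `service` and `context` were deliberately moved ahead of that call; if the failure path (only `return res;` is visible here) ever hands the state to `_gsasl_gs2_client_finish`, `state->token.value` would be read uninitialised. Moving `state->token.length = 0; state->token.value = NULL;` up next to the other three assignments keeps every error path on a fully initialised state at no cost. The body of `_gsasl_gs2_client_start` continues outside the hunk.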
@@ -117,6 +121,107 @@ escape_authzid (const char *str)
   return out;
 }
+static int
+prepare (Gsasl_session * sctx, _gsasl_gs2_client_state *state)
+{
+  const char *service, *hostname;
+  const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
+  gss_buffer_desc bufdesc;
+  OM_uint32 maj_stat, min_stat;
+
+  service = gsasl_property_get (sctx, GSASL_SERVICE);
+  if (!service)
+    return GSASL_NO_SERVICE;
+
+  hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
+  if (!hostname)
+    return GSASL_NO_HOSTNAME;
+
+  bufdesc.length = asprintf ((char**) &bufdesc.value, "%...@%s",
+                             service, hostname);
+  if (bufdesc.length <= 0 || bufdesc.value == NULL)
+    return GSASL_MALLOC_ERROR;
+
+  maj_stat = gss_import_name (&min_stat, &bufdesc,
+                              GSS_C_NT_HOSTBASED_SERVICE,
+                              &state->service);
+  free (bufdesc.value);
+  if (GSS_ERROR (maj_stat))
+    return GSASL_GSSAPI_IMPORT_NAME_ERROR;
+
+  if (authzid)
+    {
+      char *escaped_authzid = escape_authzid (authzid);
+      if (!escaped_authzid)
+        return GSASL_MALLOC_ERROR;
+      state->cb.application_data.length
+        = asprintf ((char**) &state->cb.application_data.value,
+                    "n,a=%s,", escaped_authzid);
+      free (escaped_authzid);
+    }
+  else
+    {
+      state->cb.application_data.value = strdup ("n,,");
+      state->cb.application_data.length = 3;
+    }
+
+  if (state->cb.application_data.length <= 0
+      || state->cb.application_data.value == NULL)
+    return GSASL_MALLOC_ERROR;
+
+  return GSASL_OK;
+}
+
+/* Copy token to output buffer. On first round trip, strip context
+   token header and add channel binding data. For later round trips,
+   just copy the buffer. */
+static int
+token2output (Gsasl_session * sctx,
+              _gsasl_gs2_client_state *state,
+              const gss_buffer_t token,
+              char **output, size_t * output_len)
+{
+  OM_uint32 maj_stat, min_stat;
+  gss_buffer_desc bufdesc;
+
+  if (state->step == 1)
+    {
+      state->step++;
+
+      maj_stat = gss_decapsulate_token (token, state->mech_oid,
+                                        &bufdesc);
+      if (GSS_ERROR (maj_stat))
+        return GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR;
+
+      *output_len = state->cb.application_data.length + bufdesc.length;
+      *output = malloc (*output_len);
+      if (!*output)
+        {
+          gss_release_buffer (&min_stat, &bufdesc);
+          return GSASL_MALLOC_ERROR;
+        }
+
+      memcpy (*output, state->cb.application_data.value,
+              state->cb.application_data.length);
+      memcpy (*output + state->cb.application_data.length,
+              bufdesc.value, bufdesc.length);
+
+      maj_stat = gss_release_buffer (&min_stat, &bufdesc);
+      if (GSS_ERROR (maj_stat))
+        return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
+    }
+  else
+    {
+      *output_len = token->length;
+      *output = malloc (*output_len);
+      if (!*output)
+        return GSASL_MALLOC_ERROR;
+      memcpy (*output, token->value, token->length);
+    }
+
+  return GSASL_OK;
+}
+
 int
 _gsasl_gs2_client_step (Gsasl_session * sctx, void *mech_data,
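Review bot: In `prepare`, `bufdesc.length = asprintf (...)` stores asprintf's `int` result in the `size_t` length field, so a `-1` failure return becomes a huge positive value and the `bufdesc.length <= 0` test can never detect it; the man page leaves `bufdesc.value` undefined on failure, so the `== NULL` test is not a reliable substitute, and an indeterminate pointer could reach `gss_import_name`. Capture the result in an `int` first and test its sign, e.g. `int len = asprintf (...); if (len < 0) return GSASL_MALLOC_ERROR; bufdesc.length = len;`, and do the same for the `state->cb.application_data.length = asprintf (...)` assignment further down the hunk. Separately, the else branch of `token2output` calls `malloc (*output_len)` with `token->length`, which may be 0 on the round trip that completes the context; `malloc (0)` is permitted to return NULL, which would be misreported as GSASL_MALLOC_ERROR, so a zero-length token deserves an explicit case.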
@@ -124,150 +229,72 @@ _gsasl_gs2_client_step (Gsasl_session * sctx,
                         char **output, size_t * output_len)
 {
   _gsasl_gs2_client_state *state = mech_data;
-  gss_buffer_desc bufdesc, bufdesc2;
+  gss_buffer_desc bufdesc;
   gss_buffer_t buf = GSS_C_NO_BUFFER;
   OM_uint32 maj_stat, min_stat, ret_flags;
   gss_OID actual_mech_type;
   int res;
+  if (state->step > 2)
+    return GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
+
   if (state->step == 0)
     {
-      const char *service, *hostname;
-      const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
-
-      service = gsasl_property_get (sctx, GSASL_SERVICE);
-      if (!service)
-        return GSASL_NO_SERVICE;
-
-      hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
-      if (!hostname)
-        return GSASL_NO_HOSTNAME;
-
-      bufdesc.length = asprintf ((char**) &bufdesc.value, "%...@%s",
-                                 service, hostname);
-      if (bufdesc.length <= 0 || bufdesc.value == NULL)
-        return GSASL_MALLOC_ERROR;
-
-      maj_stat = gss_import_name (&min_stat, &bufdesc,
-                                  GSS_C_NT_HOSTBASED_SERVICE,
-                                  &state->service);
-      free (bufdesc.value);
-      if (GSS_ERROR (maj_stat))
-        return GSASL_GSSAPI_IMPORT_NAME_ERROR;
-
-      if (authzid)
-        {
-          char *escaped_authzid = escape_authzid (authzid);
-          if (!escaped_authzid)
-            return GSASL_MALLOC_ERROR;
-          state->cb.application_data.length
-            = asprintf ((char**) &state->cb.application_data.value,
-                        "n,a=%s,", escaped_authzid);
-          free (escaped_authzid);
-        }
-      else
-        {
-          state->cb.application_data.value = strdup ("n,,");
-          state->cb.application_data.length = 3;
-        }
-
-      if (state->cb.application_data.length <= 0
-          || state->cb.application_data.value == NULL)
-        return GSASL_MALLOC_ERROR;
+      res = prepare (sctx, state);
+      if (res != GSASL_OK)
+        return res;
+      state->step++;
     }
-  switch (state->step)
+  if (state->step == 2)
     {
-    case 1:
       bufdesc.length = input_len;
       bufdesc.value = (void *) input;
       buf = &bufdesc;
-      /* fall through */
-
-    case 0:
-      bufdesc2.length = 0;
-      bufdesc2.value = NULL;
-
-      maj_stat = gss_init_sec_context (&min_stat,
-                                       GSS_C_NO_CREDENTIAL,
-                                       &state->context,
-                                       state->service,
-                                       state->mech_oid,
-                                       GSS_C_MUTUAL_FLAG,
-                                       0,
-                                       &state->cb,
-                                       buf,
-                                       &actual_mech_type,
-                                       &bufdesc2,
-                                       &ret_flags,
-                                       NULL);
-      if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
-        return GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR;
-
-      /* The mutual_req_flag MUST be set. Clients MUST check that the
-         corresponding ret_flag is set when the context is fully
-         established, else authentication MUST fail. */
-      if (maj_stat == GSS_S_COMPLETE && !(ret_flags & GSS_C_MUTUAL_FLAG))
-        return GSASL_AUTHENTICATION_ERROR;
-
-      if (!gss_oid_equal (state->mech_oid, actual_mech_type))
-        return GSASL_AUTHENTICATION_ERROR;
-
-      if (state->step == 0)
-        {
-          OM_uint32 maj_stat2;
-
-          maj_stat2 = gss_decapsulate_token (&bufdesc2, state->mech_oid,
-                                             &bufdesc);
-          if (GSS_ERROR (maj_stat2))
-            return GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR;
-
-          *output_len = state->cb.application_data.length + bufdesc.length;
-          *output = malloc (*output_len);
-          if (!*output)
-            {
-              gss_release_buffer (&min_stat, &bufdesc);
-              return GSASL_MALLOC_ERROR;
-            }
-          memcpy (*output, state->cb.application_data.value,
-                  state->cb.application_data.length);
-          memcpy (*output + state->cb.application_data.length,
-                  bufdesc.value, bufdesc.length);
-
-          maj_stat2 = gss_release_buffer (&min_stat, &bufdesc2);
-          if (GSS_ERROR (maj_stat2))
-            return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
-        }
-      else
-        {
-          *output_len = bufdesc2.length;
-          *output = malloc (*output_len);
-          if (!*output)
-            return GSASL_MALLOC_ERROR;
-          memcpy (*output, bufdesc2.value, bufdesc2.length);
-        }
-
-      if (state->step == 0 && maj_stat == GSS_S_CONTINUE_NEEDED)
-        state->step++;
-      if (maj_stat == GSS_S_COMPLETE)
-        state->step++;
-
-      if (maj_stat == GSS_S_COMPLETE)
-        res = GSASL_OK;
-      else
-        res = GSASL_NEEDS_MORE;
+    }
-      maj_stat = gss_release_buffer (&min_stat, &bufdesc2);
+  /* Release memory for token from last round-trip, if any. */
+  if (state->token.value != NULL)
+    {
+      maj_stat = gss_release_buffer (&min_stat, &state->token);
       if (GSS_ERROR (maj_stat))
         return GSASL_GSSAPI_RELEASE_BUFFER_ERROR;
-      break;
-    default:
-      res = GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
-      break;
+      state->token.value = NULL;
+      state->token.length = 0;
     }
-  return res;
+  maj_stat = gss_init_sec_context (&min_stat,
+                                   GSS_C_NO_CREDENTIAL,
+                                   &state->context,
+                                   state->service,
+                                   state->mech_oid,
+                                   GSS_C_MUTUAL_FLAG,
+                                   0,
+                                   &state->cb,
+                                   buf,
+                                   &actual_mech_type,
+                                   &state->token,
+                                   &ret_flags,
+                                   NULL);
+  if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
+    return GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR;
+
+  res = token2output (sctx, state, &state->token, output, output_len);
+  if (res != GSASL_OK)
+    return res;
+
+  if (maj_stat == GSS_S_CONTINUE_NEEDED)
+    return GSASL_NEEDS_MORE;
+
+  if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+    return GSASL_AUTHENTICATION_ERROR;
+
+  if (!gss_oid_equal (state->mech_oid, actual_mech_type))
+    return GSASL_AUTHENTICATION_ERROR;
+
+  state->step++;
+  return GSASL_OK;
 }
 void
@@ -279,6 +306,8 @@ _gsasl_gs2_client_finish (Gsasl_session * sctx, void *mech_data)
   if (!state)
     return;
+  if (state->token.value != NULL)
+    maj_stat = gss_release_buffer (&min_stat, &state->token);
   if (state->service != GSS_C_NO_NAME)
     maj_stat = gss_release_name (&min_stat, &state->service);
   if (state->context != GSS_C_NO_CONTEXT)
diff --git a/lib/src/xfinish.c b/lib/src/xfinish.c
index 63d3937..4b963bf 100644
--- a/lib/src/xfinish.c
+++ b/lib/src/xfinish.c
@@ -1,5 +1,5 @@
 /* xfinish.c --- Finish libgsasl session.
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Simon Josefsson
 *
 * This file is part of GNU SASL Library.
 *
@@ -32,6 +32,9 @@ void
 gsasl_finish (Gsasl_session * sctx)
 {
+  if (sctx == NULL)
+    return;
+
   if (sctx->clientp)
     {
       if (sctx->mech && sctx->mech->client.finish)
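Review bot: `token2output` allocates and stores `*output` before the GSS_S_COMPLETE checks run, so when the mutual-authentication flag is missing or `actual_mech_type` does not match the selected OID, `_gsasl_gs2_client_step` returns GSASL_AUTHENTICATION_ERROR with a freshly malloc'd buffer already placed in `*output`; unless the caller frees `*output` on a non-OK return (gsasl_step is not visible here), that buffer leaks on exactly the failure paths a misbehaving peer can cause. Doing the two checks first and building the output only afterwards avoids the leak and also gives a natural home for the rationale comment the old code carried (`The mutual_req_flag MUST be set. Clients MUST check that the corresponding ret_flag is set ...`), which this rewrite drops. Everything above the `gss_init_sec_context` call is unchanged.

```c
  /* … unchanged: gss_init_sec_context call … */
  if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
    return GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR;

  if (maj_stat == GSS_S_COMPLETE)
    {
      /* The mutual_req_flag MUST be set.  Clients MUST check that the
         corresponding ret_flag is set when the context is fully
         established, else authentication MUST fail. */
      if (!(ret_flags & GSS_C_MUTUAL_FLAG))
        return GSASL_AUTHENTICATION_ERROR;

      if (!gss_oid_equal (state->mech_oid, actual_mech_type))
        return GSASL_AUTHENTICATION_ERROR;
    }

  res = token2output (sctx, state, &state->token, output, output_len);
  if (res != GSASL_OK)
    return res;

  if (maj_stat == GSS_S_CONTINUE_NEEDED)
    return GSASL_NEEDS_MORE;

  state->step++;
  return GSASL_OK;
```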
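Review bot: The new `if (sctx == NULL) return;` in gsasl_finish turns a NULL session into a no-op that tests/simple.c in this same push now relies on, but the function's API comment above the hunk does not say so; add a sentence such as `A NULL @sctx is accepted and ignored.` to the parameter description so callers can depend on the behaviour rather than on the test. The body of gsasl_finish continues outside the hunk.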
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a15558a..58d571c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -38,14 +38,11 @@ TESTS_ENVIRONMENT = \
 	THREADSAFETY_FILES=`ls $(top_srcdir)/lib/*/*.c | $(GREP) -v -e lib/gl/vasnprintf.c -e lib/gl/getdelim.c` \
 	MD5FILE=$(srcdir)/cram-md5.pwd \
 	EGREP="$(EGREP)" \
+	GNUGSS=`if grep 'HAVE_LIBGSS 1' ../lib/config.h > /dev/null; then echo yes; else echo no; fi`
 	$(VALGRIND)
 ctests = external cram-md5 digest-md5 md5file name errors suggest \
-	simple crypto scram symbols readnz
-
-if GNUGSS
-ctests += gssapi gs2-krb5
-endif
+	simple crypto scram symbols readnz gssapi gs2-krb5
 if OBSOLETE
 ctests += old-simple old-md5file old-cram-md5 old-digest-md5 \
 	old-base64
diff --git a/tests/gs2-krb5.c b/tests/gs2-krb5.c
index 7032f56..d804f15 100644
--- a/tests/gs2-krb5.c
+++ b/tests/gs2-krb5.c
@@ -35,7 +35,7 @@
 #define GSSAPI_USER "jas"
 static const char *AUTHZID[] = {
-  "foo", "BAB,ABA", ",=,=", "=", "@"
+  "foo", "BAB,ABA", ",=,=", "=", ""
 };
 size_t i;
@@ -48,8 +48,11 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property prop)
   switch (prop)
     {
     case GSASL_AUTHZID:
-      gsasl_property_set (sctx, GSASL_AUTHZID, AUTHZID[i]);
-      rc = GSASL_OK;
+      if (*AUTHZID[i])
+        {
+          gsasl_property_set (sctx, GSASL_AUTHZID, AUTHZID[i]);
+          rc = GSASL_OK;
+        }
       break;
     case GSASL_SERVICE:
@@ -76,7 +79,8 @@ callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property prop)
       printf ("Authorization ID: %s\n", authzid);
       if (client_name && strcmp (client_name, GSSAPI_USER) == 0 &&
-          (authzid == NULL || strcmp (authzid, AUTHZID[i]) == 0))
+          ((authzid == NULL && *AUTHZID[i] == '\0')
+           || strcmp (authzid, AUTHZID[i]) == 0))
         rc = GSASL_OK;
       else
         rc = GSASL_AUTHENTICATION_ERROR;
@@ -110,6 +114,12 @@ doit (void)
   char *s1 = NULL, *s2 = NULL;
   int rc, res1, res2;
+  if (getenv ("GNUGSS") && strcmp (getenv ("GNUGSS"), "no") == 0)
+    {
+      fail ("Not using GNU GSS, skipping self-test.\n");
+      exit (77);
+    }
+
   rc = gsasl_init (&ctx);
   if (rc != GSASL_OK)
     {
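Review bot: As rendered here, the added `GNUGSS=`...`` line in TESTS_ENVIRONMENT has no trailing `\`, while the `EGREP="$(EGREP)" \` line above it does; the `$(VALGRIND)` context line that follows is not removed, so it would no longer belong to the assignment and make would see `$(VALGRIND)` as a stray line of its own (silently harmless only while VALGRIND is empty, and in that case the tests would also stop running under valgrind). If the backslash really is missing, end the new line with ` \` like its neighbours.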
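Review bot: The rewritten authorization check in the GSASL_VALIDATE_GSSAPI branch of `callback` can call `strcmp` with a NULL first argument: when `authzid` is NULL but `AUTHZID[i]` is non-empty, the first disjunct is false and `strcmp (authzid, AUTHZID[i])` is evaluated, which is undefined behaviour and will typically crash the test instead of reporting GSASL_AUTHENTICATION_ERROR; the old `authzid == NULL || ...` short-circuited that case. Write the comparison so the NULL case is decided on its own: `(authzid == NULL ? *AUTHZID[i] == '\0' : strcmp (authzid, AUTHZID[i]) == 0)`. The enclosing `callback` continues outside the hunk.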
diff --git a/tests/gssapi.c b/tests/gssapi.c
index 0ea717f..ae98aae 100644
--- a/tests/gssapi.c
+++ b/tests/gssapi.c
@@ -95,6 +95,12 @@ doit (void)
   char *s1 = NULL, *s2 = NULL;
   int rc, res1, res2;
+  if (getenv ("GNUGSS") && strcmp (getenv ("GNUGSS"), "no") == 0)
+    {
+      fail ("Not using GNU GSS, skipping self-test.\n");
+      exit (77);
+    }
+
   rc = gsasl_init (&ctx);
   if (rc != GSASL_OK)
     {
@@ -106,8 +112,8 @@ doit (void)
       || !gsasl_server_support_p (ctx, "GSSAPI"))
     {
       gsasl_done (ctx);
-      fail("No support for GSSAPI.\n");
-      exit(77);
+      fail ("No support for GSSAPI.\n");
+      exit (77);
     }
   gsasl_callback_set (ctx, callback);
diff --git a/tests/simple.c b/tests/simple.c
index 84817f3..91fc2d8 100644
--- a/tests/simple.c
+++ b/tests/simple.c
@@ -1,5 +1,5 @@
 /* simple.c --- Test the simple SASL mechanisms.
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Simon Josefsson
 *
 * This file is part of GNU SASL.
 *
@@ -415,4 +415,8 @@ doit (void)
     }
   gsasl_done (ctx);
+
+  /* Sanity check interfaces. */
+  gsasl_finish (NULL);
+  gsasl_done (NULL);
 }
hooks/post-receive -- GNU gsasl _______________________________________________ Gsasl-commit mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gsasl-commit
