gsasl  2.2.1
gs2/server.c
Go to the documentation of this file.
1 /* server.c --- SASL mechanism GS2, server side.
2  * Copyright (C) 2002-2024 Simon Josefsson
3  *
4  * This file is part of GNU SASL Library.
5  *
6  * GNU SASL Library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public License
8  * as published by the Free Software Foundation; either version 2.1 of
9  * the License, or (at your option) any later version.
10  *
11  * GNU SASL Library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with GNU SASL Library; if not, write to the Free
18  * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
19  * Boston, MA 02110-1301, USA.
20  *
21  */
22 
23 #include <config.h>
24 
25 /* Get specification. */
26 #include "gs2.h"
27 
28 /* Get malloc, free. */
29 #include <stdlib.h>
30 
31 /* Get memcpy, strlen. */
32 #include <string.h>
33 
34 /* Get FALLTHROUGH. */
35 #include <attribute.h>
36 
37 #include "gss-extra.h"
38 #include "gs2helper.h"
39 #include "mechtools.h"
40 
42 {
43  /* steps: 0 = first state, 1 = initial, 2 = processing, 3 = done */
44  int step;
45  gss_name_t client;
46  gss_cred_id_t cred;
47  gss_ctx_id_t context;
48  gss_OID mech_oid;
49  struct gss_channel_bindings_struct cb;
50 };
52 
53 /* Populate state->cred with credential to use for connection. Return
54  GSASL_OK on success or an error code. */
55 static int
56 gs2_get_cred (Gsasl_session *sctx, _Gsasl_gs2_server_state *state)
57 {
58  OM_uint32 maj_stat, min_stat;
59  gss_buffer_desc bufdesc;
60  const char *service = gsasl_property_get (sctx, GSASL_SERVICE);
61  const char *hostname = gsasl_property_get (sctx, GSASL_HOSTNAME);
62  gss_name_t server;
63  gss_OID_set_desc oid_set;
64  gss_OID_set actual_mechs;
65  int present;
66 
67  if (!service)
68  return GSASL_NO_SERVICE;
69  if (!hostname)
70  return GSASL_NO_HOSTNAME;
71 
72  bufdesc.length = asprintf ((char **) &bufdesc.value, "%s@%s",
73  service, hostname);
74  if (bufdesc.length <= 0 || bufdesc.value == NULL)
75  return GSASL_MALLOC_ERROR;
76 
77  maj_stat = gss_import_name (&min_stat, &bufdesc,
78  GSS_C_NT_HOSTBASED_SERVICE, &server);
79  free (bufdesc.value);
80  if (GSS_ERROR (maj_stat))
82 
83  /* Attempt to get a credential for our mechanism. */
84 
85  oid_set.count = 1;
86  oid_set.elements = state->mech_oid;
87 
88  maj_stat = gss_acquire_cred (&min_stat, server, 0,
89  &oid_set, GSS_C_ACCEPT,
90  &state->cred, &actual_mechs, NULL);
91  gss_release_name (&min_stat, &server);
92  if (GSS_ERROR (maj_stat))
94 
95  /* Now double check that the credential actually was for our
96  mechanism... */
97 
98  maj_stat = gss_test_oid_set_member (&min_stat, state->mech_oid,
99  actual_mechs, &present);
100  if (GSS_ERROR (maj_stat))
101  {
102  gss_release_oid_set (&min_stat, &actual_mechs);
104  }
105 
106  maj_stat = gss_release_oid_set (&min_stat, &actual_mechs);
107  if (GSS_ERROR (maj_stat))
109 
110  if (!present)
112 
113  return GSASL_OK;
114 }
115 
116 /* Initialize GS2 state into MECH_DATA. Return GSASL_OK if GS2 is
117  ready and initialization succeeded, or an error code. */
118 int
119 _gsasl_gs2_server_start (Gsasl_session *sctx, void **mech_data)
120 {
122  int res;
123 
124  state = (_Gsasl_gs2_server_state *) malloc (sizeof (*state));
125  if (state == NULL)
126  return GSASL_MALLOC_ERROR;
127 
128  res = gs2_get_oid (sctx, &state->mech_oid);
129  if (res != GSASL_OK)
130  {
131  free (state);
132  return res;
133  }
134 
135  state->step = 0;
136  state->context = GSS_C_NO_CONTEXT;
137  state->cred = GSS_C_NO_CREDENTIAL;
138  state->client = NULL;
139  /* The initiator-address-type and acceptor-address-type fields of
140  the GSS-CHANNEL-BINDINGS structure MUST be set to 0. The
141  initiator-address and acceptor-address fields MUST be the empty
142  string. */
143  state->cb.initiator_addrtype = 0;
144  state->cb.initiator_address.length = 0;
145  state->cb.initiator_address.value = NULL;
146  state->cb.acceptor_addrtype = 0;
147  state->cb.acceptor_address.length = 0;
148  state->cb.acceptor_address.value = NULL;
149  state->cb.application_data.length = 0;
150  state->cb.application_data.value = NULL;
151 
152  *mech_data = state;
153 
154  return GSASL_OK;
155 }
156 
157 /* Perform one GS2 step. GS2 state is in MECH_DATA. Any data from
158  client is provided in INPUT/INPUT_LEN and output from server is
159  expected to be put in newly allocated OUTPUT/OUTPUT_LEN. Return
160  GSASL_NEEDS_MORE or GSASL_OK on success, or an error code. */
161 int
163  void *mech_data,
164  const char *input, size_t input_len,
165  char **output, size_t *output_len)
166 {
167  _Gsasl_gs2_server_state *state = mech_data;
168  gss_buffer_desc bufdesc1, bufdesc2;
169  OM_uint32 maj_stat, min_stat;
170  gss_buffer_desc client_name;
171  gss_OID mech_type;
172  int res;
173  OM_uint32 ret_flags;
174  int free_bufdesc1 = 0;
175 
176  *output = NULL;
177  *output_len = 0;
178  bufdesc1.value = (char *) input;
179  bufdesc1.length = input_len;
180 
181  switch (state->step)
182  {
183  case 0:
184  res = gs2_get_cred (sctx, state);
185  if (res != GSASL_OK)
186  return res;
187  if (input_len == 0)
188  {
189  res = GSASL_NEEDS_MORE;
190  break;
191  }
192  state->step++;
193  FALLTHROUGH; /* fall through */
194 
195  case 1:
196  {
197  char *authzid;
198  size_t headerlen;
199 
200  res = _gsasl_parse_gs2_header (input, input_len,
201  &authzid, &headerlen);
202  if (res != GSASL_OK)
203  return res;
204 
205  if (authzid)
206  {
207  res = gsasl_property_set (sctx, GSASL_AUTHZID, authzid);
208  free (authzid);
209  if (res != GSASL_OK)
210  return res;
211  }
212 
213  state->cb.application_data.value = (char *) input;
214  state->cb.application_data.length = headerlen;
215 
216  bufdesc2.value = (char *) input + headerlen;
217  bufdesc2.length = input_len - headerlen;
218 
219  maj_stat = gss_encapsulate_token (&bufdesc2, state->mech_oid,
220  &bufdesc1);
221  if (GSS_ERROR (maj_stat))
223 
224  free_bufdesc1 = 1;
225  }
226  state->step++;
227  FALLTHROUGH; /* fall through */
228 
229  case 2:
230  if (state->client)
231  {
232  gss_release_name (&min_stat, &state->client);
233  state->client = GSS_C_NO_NAME;
234  }
235 
236  maj_stat = gss_accept_sec_context (&min_stat,
237  &state->context,
238  state->cred,
239  &bufdesc1,
240  &state->cb,
241  &state->client,
242  &mech_type,
243  &bufdesc2, &ret_flags, NULL, NULL);
244  if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
246 
247  if (maj_stat == GSS_S_COMPLETE)
248  {
249  state->step++;
250 
251  if (!(ret_flags & GSS_C_MUTUAL_FLAG))
253 
254  maj_stat = gss_display_name (&min_stat, state->client,
255  &client_name, &mech_type);
256  if (GSS_ERROR (maj_stat))
258 
260  client_name.value,
261  client_name.length);
262  if (res != GSASL_OK)
263  return res;
264 
265  res = gsasl_callback (NULL, sctx, GSASL_VALIDATE_GSSAPI);
266  }
267  else
268  res = GSASL_NEEDS_MORE;
269 
270  if (free_bufdesc1)
271  {
272  maj_stat = gss_release_buffer (&min_stat, &bufdesc1);
273  if (GSS_ERROR (maj_stat))
275  }
276 
277  *output = malloc (bufdesc2.length);
278  if (!*output)
279  return GSASL_MALLOC_ERROR;
280  memcpy (*output, bufdesc2.value, bufdesc2.length);
281  *output_len = bufdesc2.length;
282 
283  maj_stat = gss_release_buffer (&min_stat, &bufdesc2);
284  if (GSS_ERROR (maj_stat))
286  break;
287 
288  default:
290  break;
291  }
292 
293  return res;
294 }
295 
296 /* Cleanup GS2 state context, i.e., release memory associated with
297  buffers in MECH_DATA state. */
298 void
299 _gsasl_gs2_server_finish (Gsasl_session *sctx, void *mech_data)
300 {
301  _Gsasl_gs2_server_state *state = mech_data;
302  OM_uint32 min_stat;
303  (void) sctx;
304 
305  if (!state)
306  return;
307 
308  if (state->context != GSS_C_NO_CONTEXT)
309  gss_delete_sec_context (&min_stat, &state->context, GSS_C_NO_BUFFER);
310 
311  if (state->cred != GSS_C_NO_CREDENTIAL)
312  gss_release_cred (&min_stat, &state->cred);
313 
314  if (state->client != GSS_C_NO_NAME)
315  gss_release_name (&min_stat, &state->client);
316 
317  free (state);
318 }
int gsasl_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
Definition: callback.c:71
int _gsasl_gs2_server_start(Gsasl_session *sctx, void **mech_data)
Definition: gs2/server.c:119
int _gsasl_gs2_server_step(Gsasl_session *sctx, void *mech_data, const char *input, size_t input_len, char **output, size_t *output_len)
Definition: gs2/server.c:162
void _gsasl_gs2_server_finish(Gsasl_session *sctx, void *mech_data)
Definition: gs2/server.c:299
int gs2_get_oid(Gsasl_session *sctx, gss_OID *mech_oid)
Definition: gs2helper.c:38
@ GSASL_GSSAPI_IMPORT_NAME_ERROR
Definition: gsasl.h:158
@ GSASL_GSSAPI_RELEASE_OID_SET_ERROR
Definition: gsasl.h:172
@ GSASL_OK
Definition: gsasl.h:129
@ GSASL_GSSAPI_RELEASE_BUFFER_ERROR
Definition: gsasl.h:157
@ GSASL_GSSAPI_ACCEPT_SEC_CONTEXT_ERROR
Definition: gsasl.h:160
@ GSASL_NEEDS_MORE
Definition: gsasl.h:130
@ GSASL_GSSAPI_TEST_OID_SET_MEMBER_ERROR
Definition: gsasl.h:171
@ GSASL_MALLOC_ERROR
Definition: gsasl.h:133
@ GSASL_GSSAPI_DISPLAY_NAME_ERROR
Definition: gsasl.h:164
@ GSASL_NO_SERVICE
Definition: gsasl.h:149
@ GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR
Definition: gsasl.h:168
@ GSASL_GSSAPI_ACQUIRE_CRED_ERROR
Definition: gsasl.h:163
@ GSASL_MECHANISM_CALLED_TOO_MANY_TIMES
Definition: gsasl.h:132
@ GSASL_NO_HOSTNAME
Definition: gsasl.h:150
@ GSASL_MECHANISM_PARSE_ERROR
Definition: gsasl.h:137
_GSASL_API int gsasl_property_set_raw(Gsasl_session *sctx, Gsasl_property prop, const char *data, size_t len)
Definition: property.c:218
_GSASL_API int gsasl_property_set(Gsasl_session *sctx, Gsasl_property prop, const char *data)
Definition: property.c:189
_GSASL_API const char * gsasl_property_get(Gsasl_session *sctx, Gsasl_property prop)
Definition: property.c:292
@ GSASL_HOSTNAME
Definition: gsasl.h:229
@ GSASL_AUTHZID
Definition: gsasl.h:225
@ GSASL_VALIDATE_GSSAPI
Definition: gsasl.h:256
@ GSASL_SERVICE
Definition: gsasl.h:228
@ GSASL_GSSAPI_DISPLAY_NAME
Definition: gsasl.h:230
int _gsasl_parse_gs2_header(const char *data, size_t len, char **authzid, size_t *headerlen)
Definition: mechtools.c:97
struct gss_channel_bindings_struct cb
Definition: gs2/server.c:49
gss_cred_id_t cred
Definition: gs2/server.c:46
gss_ctx_id_t context
Definition: gs2/server.c:47