Struct ClientCtx

Source

pub struct ClientCtx { /* private fields */ }

Expand description

The client side of a security context

Implementations§

Source §

impl ClientCtx

Source

pub fn new( cred: Option<Cred>, target: Name, flags: CtxFlags, mech: Option<&'static Oid>, ) -> ClientCtx

Create a new uninitialized client security context using the specified credentials, targeting the service named by target, and optionally using a specific mechanism (otherwise gssapi will pick a default for you). To finish initializing the context you must call step.

Examples found in repository ?

examples/krb5.rs (lines 110-112)

102fn setup_client_ctx(
103    service_name: Name,
104    desired_mechs: &OidSet
105) -> Result<ClientCtx, Error> {
106    let client_cred = Cred::acquire(
107        None, None, CredUsage::Initiate, Some(&desired_mechs)
108    )?;
109    println!("acquired default client credentials: {:#?}", client_cred.info()?);
110    Ok(ClientCtx::new(
111        Some(client_cred), service_name, CtxFlags::GSS_C_MUTUAL_FLAG, Some(&GSS_MECH_KRB5)
112    ))
113}

Source

pub fn step( &mut self, tok: Option<&[u8]>, channel_bindings: Option<&[u8]>, ) -> Result<Option<Buf>, Error>

Perform 1 step in the initialization of the specfied security context. Since the client initiates context creation, the token will initially be None. If the connection uses channel bindings, they are passed as the second argument.

As a result this step, GSSAPI will give you a token to send to the server. The server may send back a token, which you must feed to this function, and possibly get another token to send to the server. This will go on a mechanism specifiec number of times until step returns Ok(None). At that point the context is fully initialized.

Examples found in repository ?

examples/krb5.rs (line 125)

115fn run(service_name: &[u8]) -> Result<(), Error> {
116    let desired_mechs = {
117        let mut s = OidSet::new()?;
118        s.add(&GSS_MECH_KRB5)?;
119        s
120    };
121    let (mut server_ctx, cname) = setup_server_ctx(service_name, &desired_mechs)?;
122    let mut client_ctx = setup_client_ctx(cname, &desired_mechs)?;
123    let mut server_tok: Option<Buf> = None;
124    loop {
125        match client_ctx.step(server_tok.as_ref().map(|b| &**b), None)? {
126            None => break,
127            Some(client_tok) => match server_ctx.step(&*client_tok)? {
128                None => break,
129                Some(tok) => { server_tok = Some(tok); }
130            }
131        }
132    }
133    println!("security context initialized successfully");
134    println!("client ctx info: {:#?}", client_ctx.info()?);
135    println!("server ctx info: {:#?}", server_ctx.info()?);
136    let secret_msg = client_ctx.wrap(true, b"super secret message")?;
137    let decoded_msg = server_ctx.unwrap(&*secret_msg)?;
138    println!("the decrypted message is: '{}'", String::from_utf8_lossy(&*decoded_msg));
139    Ok(())
140}

Trait Implementations§

Source §

impl Debug for ClientCtx

Source §

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Source §

impl Drop for ClientCtx

Source §

fn drop(&mut self)

Executes the destructor for this type. Read more

Source §

impl SecurityContext for ClientCtx

Source §

fn wrap(&mut self, encrypt: bool, msg: &[u8]) -> Result<Buf, Error>

Wrap a message with optional encryption. If encrypt is true then only the other side of the context can read the message. In any case the other side can always verify message integrity.

Source §

fn wrap_iov( &mut self, encrypt: bool, msg: &mut [GssIov<'_>], ) -> Result<(), Error>

From the MIT kerberos documentation, Read more

Source §

fn wrap_iov_length( &mut self, encrypt: bool, msg: &mut [GssIovFake], ) -> Result<(), Error>

This will set the required length of all the buffers except the data buffer, which must be provided as it will be to wrap_iov. The value of the encrypt flag must match what you pass to wrap_iov.

Source §