Struct libgssapi::context::ClientCtx

source ·

pub struct ClientCtx { /* private fields */ }

Expand description

The client side of a security context

Implementations§

source §

impl ClientCtx

source

pub fn new( cred: Cred, target: Name, flags: CtxFlags, mech: Option<&'static Oid> ) -> ClientCtx

Create a new uninitialized client security context using the specified credentials, targeting the service named by target, and optionally using a specific mechanism (otherwise gssapi will pick a default for you). To finish initializing the context you must call step.

Examples found in repository ?

examples/krb5.rs (lines 110-112)

fn setup_client_ctx(
    service_name: Name,
    desired_mechs: &OidSet
) -> Result<ClientCtx, Error> {
    let client_cred = Cred::acquire(
        None, None, CredUsage::Initiate, Some(&desired_mechs)
    )?;
    println!("acquired default client credentials: {:#?}", client_cred.info()?);
    Ok(ClientCtx::new(
        client_cred, service_name, CtxFlags::GSS_C_MUTUAL_FLAG, Some(&GSS_MECH_KRB5)
    ))
}

More examples

Hide additional examples

examples/krb5_iov.rs (lines 42-47)

fn setup_client_ctx(
    service_name: Name,
    desired_mechs: &OidSet,
) -> Result<ClientCtx, Error> {
    let client_cred =
        Cred::acquire(None, None, CredUsage::Initiate, Some(&desired_mechs))?;
    println!(
        "acquired default client credentials: {:#?}",
        client_cred.info()?
    );
    Ok(ClientCtx::new(
        client_cred,
        service_name,
        CtxFlags::GSS_C_MUTUAL_FLAG,
        Some(&GSS_MECH_KRB5),
    ))
}

source

pub fn step( &mut self, tok: Option<&[u8]>, channel_bindings: Option<&[u8]> ) -> Result<Option<Buf>, Error>

Perform 1 step in the initialization of the specfied security context. Since the client initiates context creation, the token will initially be None. If the connection uses channel bindings, they are passed as the second argument.

As a result this step, GSSAPI will give you a token to send to the server. The server may send back a token, which you must feed to this function, and possibly get another token to send to the server. This will go on a mechanism specifiec number of times until step returns Ok(None). At that point the context is fully initialized.

Examples found in repository ?

examples/krb5.rs (line 125)

fn run(service_name: &[u8]) -> Result<(), Error> {
    let desired_mechs = {
        let mut s = OidSet::new()?;
        s.add(&GSS_MECH_KRB5)?;
        s
    };
    let (mut server_ctx, cname) = setup_server_ctx(service_name, &desired_mechs)?;
    let mut client_ctx = setup_client_ctx(cname, &desired_mechs)?;
    let mut server_tok: Option<Buf> = None;
    loop {
        match client_ctx.step(server_tok.as_ref().map(|b| &**b), None)? {
            None => break,
            Some(client_tok) => match server_ctx.step(&*client_tok)? {
                None => break,
                Some(tok) => { server_tok = Some(tok); }
            }
        }
    }
    println!("security context initialized successfully");
    println!("client ctx info: {:#?}", client_ctx.info()?);
    println!("server ctx info: {:#?}", server_ctx.info()?);
    let secret_msg = client_ctx.wrap(true, b"super secret message")?;
    let decoded_msg = server_ctx.unwrap(&*secret_msg)?;
    println!("the decrypted message is: '{}'", String::from_utf8_lossy(&*decoded_msg));
    Ok(())
}

More examples

Hide additional examples

examples/krb5_iov.rs (line 186)

fn run(service_name: &[u8]) -> Result<(), Error> {
    let desired_mechs = {
        let mut s = OidSet::new()?;
        s.add(&GSS_MECH_KRB5)?;
        s
    };
    let (mut server_ctx, cname) = setup_server_ctx(service_name, &desired_mechs)?;
    let mut client_ctx = setup_client_ctx(cname, &desired_mechs)?;
    let mut server_tok: Option<Buf> = None;
    loop {
        match client_ctx.step(server_tok.as_ref().map(|b| &**b), None)? {
            None => break,
            Some(client_tok) => match server_ctx.step(&*client_tok)? {
                None => break,
                Some(tok) => {
                    server_tok = Some(tok);
                }
            },
        }
    }
    println!("security context initialized successfully");
    println!("client ctx info: {:#?}", client_ctx.info()?);
    println!("server ctx info: {:#?}", server_ctx.info()?);
    println!("wrapping secret message using no alloc method");
    let encrypted = wrap_secret_msg_noalloc(&mut client_ctx)?;
    let decrypted = unwrap_secret_msg(&mut server_ctx, encrypted)?;
    println!(
        "The secret message is \"{}\"",
        String::from_utf8_lossy(&*decrypted)
    );
    println!("wrapping secret message using alloc method");
    let encrypted = wrap_secret_msg_alloc(&mut client_ctx)?;
    let decrypted = unwrap_secret_msg(&mut server_ctx, encrypted)?;
    println!(
        "The secret message is \"{}\"",
        String::from_utf8_lossy(&*decrypted)
    );
    Ok(())
}

Trait Implementations§

source §

impl Debug for ClientCtx

source §

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

source §

impl Drop for ClientCtx

source §

fn drop(&mut self)

Executes the destructor for this type. Read more

source §

impl SecurityContext for ClientCtx

source §

fn wrap(&mut self, encrypt: bool, msg: &[u8]) -> Result<Buf, Error>

Wrap a message with optional encryption. If encrypt is true then only the other side of the context can read the message. In any case the other side can always verify message integrity.

source §

fn wrap_iov( &mut self, encrypt: bool, msg: &mut [GssIov<'_>] ) -> Result<(), Error>

From the MIT kerberos documentation, Read more

source §

fn wrap_iov_length( &mut self, encrypt: bool, msg: &mut [GssIovFake] ) -> Result<(), Error>

This will set the required length of all the buffers except the data buffer, which must be provided as it will be to wrap_iov. The value of the encrypt flag must match what you pass to wrap_iov.

source §