pub struct ServerCtx { /* private fields */ }
The server side of a security context
Implementations§
impl ServerCtx
pub fn new(cred: Option<Cred>) -> ServerCtx
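Create a new uninitialized server context with the specified
credentials. You must then call `step` until the context is
fully initialized (`is_complete` returns true). The mechanism is
not specified because it is dictated by the client; the mechanisms
the server will accept are therefore limited only by the credentials
passed here, which the example below acquires for an explicit
mechanism set.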
Examples found in repository?
examples/krb5.rs (line 99)
/// Builds the acceptor half of the example.
///
/// Imports `service_name` as a host-based service name, canonicalizes it for
/// Kerberos 5, acquires credentials for the canonical name and returns a fresh
/// [`ServerCtx`] holding those credentials together with the canonical name.
///
/// # Errors
/// Propagates any `Error` from importing or canonicalizing the name, from
/// acquiring the credentials, or from querying the credential info.
fn setup_server_ctx(
    service_name: &[u8],
    desired_mechs: &OidSet,
) -> Result<(ServerCtx, Name), Error> {
    println!("import name");
    let imported = Name::new(service_name, Some(&GSS_NT_HOSTBASED_SERVICE))?;
    let canonical = imported.canonicalize(Some(&GSS_MECH_KRB5))?;
    println!("canonicalize name for kerberos 5");
    println!("server name: {}, server cname: {}", imported, canonical);

    // The credentials are requested with `CredUsage::Accept` and an explicit
    // mechanism set, so the context built from them is scoped to accepting
    // for the mechanisms the caller listed rather than whatever is available.
    let mechs = Some(desired_mechs);
    let acceptor_cred = Cred::acquire(Some(&canonical), None, CredUsage::Accept, mechs)?;
    let cred_info = acceptor_cred.info()?;
    println!("acquired server credentials: {:#?}", cred_info);

    let ctx = ServerCtx::new(Some(acceptor_cred));
    Ok((ctx, canonical))
}
pub fn step(&mut self, tok: &[u8]) -> Result<Option<Buf>, Error>
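Perform one step in the initialization of the server context,
feeding it a token you received from the client. If
initialization is complete from the point of view of the
server then this will return `Ok(None)`. Otherwise it will
return a token that needs to be sent to the client and fed to
`ClientCtx::step`. The token comes from the peer and is untrusted
input: on `Err`, treat the exchange as failed, and do not wrap or
unwrap messages on the context until `is_complete` returns true.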
Examples found in repository?
examples/krb5.rs (line 127)
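/// Runs the whole example in one process: establishes a Kerberos 5 security
/// context between a client and a server context by passing tokens back and
/// forth, then sends one encrypted message from the client to the server.
///
/// # Errors
/// Propagates any `Error` from building the mechanism set, setting up either
/// context, stepping the exchange, querying context info, or wrapping and
/// unwrapping the message.
///
/// # Panics
/// Panics if either context reports that it is not complete once the token
/// exchange loop has ended.
fn run(service_name: &[u8]) -> Result<(), Error> {
    let desired_mechs = {
        let mut s = OidSet::new()?;
        s.add(&GSS_MECH_KRB5)?;
        s
    };
    let (mut server_ctx, cname) = setup_server_ctx(service_name, &desired_mechs)?;
    let mut client_ctx = setup_client_ctx(cname, &desired_mechs)?;
    let mut server_tok: Option<Buf> = None;
    loop {
        match client_ctx.step(server_tok.as_deref(), None)? {
            None => break,
            Some(client_tok) => match server_ctx.step(&client_tok)? {
                None => break,
                Some(tok) => server_tok = Some(tok),
            },
        }
    }
    // Leaving the loop only means that one side produced no further token.
    // Confirm that both sides consider the context established before any
    // message protection is attempted on it.
    assert!(
        client_ctx.is_complete() && server_ctx.is_complete(),
        "token exchange ended before both security contexts were complete"
    );
    println!("security context initialized successfully");
    println!("client ctx info: {:#?}", client_ctx.info()?);
    // NOTE(review): the example only prints the server-side context info. A
    // real acceptor would presumably base its authorization decision on what
    // `info()` reports about the peer; confirm against `CtxInfo`.
    println!("server ctx info: {:#?}", server_ctx.info()?);
    // `encrypt` is true, so the payload is requested to be confidential as
    // well as integrity protected.
    let secret_msg = client_ctx.wrap(true, b"super secret message")?;
    let decoded_msg = server_ctx.unwrap(&secret_msg)?;
    println!("the decrypted message is: '{}'", String::from_utf8_lossy(&decoded_msg));
    Ok(())
}
pub fn delegated_cred(&self) -> Option<&Cred>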
pub fn take_delegated_cred(&mut self) -> Option<Cred>
Trait Implementations§
impl SecurityContext for ServerCtx
fn wrap(&mut self, encrypt: bool, msg: &[u8]) -> Result<Buf, Error>
Wrap a message with optional encryption. If `encrypt` is true
then only the other side of the context can read the
message; if it is false the message is not confidential.
In any case the other side can always verify message
integrity.
fn wrap_iov( &mut self, encrypt: bool, msg: &mut [GssIov<'_>], ) -> Result<(), Error>
From the MIT kerberos documentation, Read more
fn wrap_iov_length( &mut self, encrypt: bool, msg: &mut [GssIovFake], ) -> Result<(), Error>
This will set the required length of all the buffers except
the data buffer, which must be provided as it will be to
`wrap_iov`. The value of the `encrypt` flag must match what you
pass to `wrap_iov`.
fn unwrap(&mut self, msg: &[u8]) -> Result<Buf, Error>
Unwrap a wrapped message, checking its integrity and
decrypting it if necessary.
fn unwrap_iov(&mut self, msg: &mut [GssIov<'_>]) -> Result<(), Error>
From the MIT Kerberos documentation, Read more
fn info(&mut self) -> Result<CtxInfo, Error>
Get all information about a security context in one call
fn mechanism(&mut self) -> Result<&'static Oid, Error>
Get the mechanism of the security context
fn local(&mut self) -> Result<bool, Error>
Return true if the security context was locally initiated
fn is_complete(&self) -> bool
Return true if the security context is fully initialized
impl Send for ServerCtx
impl Sync for ServerCtx
Auto Trait Implementations§
impl Freeze for ServerCtx
impl RefUnwindSafe for ServerCtx
impl Unpin for ServerCtx
impl UnwindSafe for ServerCtx
Blanket Implementations§
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more