Solaris Security for Developers Guide

SASL Example

This section describes a typical SASL session between a client application and a server application. The example consists of the following steps:

  1. The client application can initialize libsasl and set the following global callbacks:

    • SASL_CB_GETREALM

    • SASL_CB_USER

    • SASL_CB_AUTHNAME

    • SASL_CB_PASS

    • SASL_CB_GETPATH

    • SASL_CB_LIST_END

  2. The server application can initialize libsasl and set the following global callbacks:

    • SASL_CB_LOG

    • SASL_CB_LIST_END

  3. The client creates a SASL connection context, sets the security properties, and requests the list of available mechanisms from the server.

  4. The server creates a SASL connection context, sets the security properties, obtains the list of appropriate SASL mechanisms, and sends that list to the client.

  5. The client receives the list of available mechanisms, chooses one, and sends the chosen mechanism to the server together with any authentication data.

  6. The client and server then exchange SASL data until authentication and security-layer negotiation are complete.

  7. After authentication completes, the client and server determine whether a security layer has been negotiated. The client encodes a test message and sends it to the server. The server also determines the user name of the authenticated user and that user's realm.

  8. The server receives, decodes, and prints the encoded message.

  9. The client calls sasl_dispose() to release the client's SASL connection context. The client then calls sasl_done() to release libsasl resources.

  10. The server calls sasl_dispose() to release the client connection context.

The following is the conversation between the client and the server. Each call to libsasl is displayed as the call is made. Each data transfer is indicated by both the sender and the receiver. The data is shown in encoded form, prefixed with a character that indicates its origin: C: for data from the client, S: for data from the server. The source code for both applications is provided in Appendix D, Source Code for the SASL Example.

Client

% doc-sample-client

*** Calling sasl_client_init() to initialize libsasl for client use ***

*** Calling sasl_client_new() to create client SASL connection context ***

*** Calling sasl_setprop() to set sasl context security properties ***

Waiting for mechanism list from server...
Server

% doc-sample-server digest-md5

*** Calling sasl_server_init() to initialize libsasl for server use ***

*** Calling sasl_server_new() to create server SASL connection context ***

*** Calling sasl_setprop() to set sasl context security properties ***

Forcing use of mechanism digest-md5

Sending list of 1 mechanism(s)

S: ZGlnZXN0LW1kNQ==
Client

S: ZGlnZXN0LW1kNQ==

received 10 byte message

got 'digest-md5'

Choosing best mechanism from: digest-md5

*** Calling sasl_client_start() ***

Using mechanism DIGEST-MD5

Sending initial response...

C: RElHRVNULU1ENQ==

Waiting for server reply...
Server

C: RElHRVNULU1ENQ==

got 'DIGEST-MD5'

*** Calling sasl_server_start() ***

Sending response...

S: bm9uY2U9IklicGxhRHJZNE4Z1gyVm5lQzl5MTZOYWxUOVcvanUrcmp5YmRqaHM\

sbT0iam0xMTQxNDIiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoLWNvbmYiLGNpcGhlcj0ic\

QwLHJjNC01NixyYzQiLG1heGJ1Zj0yMDQ4LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1k\

XNz

Waiting for client reply...
Client

S: bm9uY2U9IklicGxhRHJZNE4Z1gyVm5lQzl5MTZOYWxUOVcvanUrcmp5YmRqaHM\

sbT0iam0xMTQxNDIiLHFvcD0iYXV0aCxhdXRoLWludCxhdXRoLWNvbmYiLGNpcGhlcj0ic\

QwLHJjNC01NixyYzQiLG1heGJ1Zj0yMDQ4LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1k\

XNz

received 171 byte message

got 'nonce="IbplaDrY4N4szhgX2VneC9y16NalT9W/ju+rjybdjhs=",\

realm="jm114142",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,\

rc4",maxbuf=2048,charset=utf-8,algorithm=md5-sess'

*** Calling sasl_client_step() ***

Please enter your authorization name : zzzz

Please enter your authentication name : zzzz

Please enter your password : zz

*** Calling sasl_client_step() ***

Sending response...

C: dXNlcm5hbWU9Inp6enoiLHJlYWxtPSJqbTExNDE0MiIsbm9uY2U9IklicGxhRHJZNE4\

yVm5lQzl5MTZOYWxUOVcvanUrcmp5YmRqaHM9Iixjbm9uY2U9InlqZ2hMVmhjRFJMa0Fob\

tDS0p2WVUxMUM4V1NycjJVWm5IR2Vkclk9IixuYz0wMDAwMDAwMSxxb3A9YXV0aC1jb25m\

Ghlcj0icmM0IixtYXhidWY9MjA0OCxkaWdlc3QtdXJpPSJyY21kLyIscmVzcG9uc2U9OTY\

ODI1MmRmNzY4YTJjYzkxYjJjZDMyYTk0ZWM=

Waiting for server reply...
Server

C: dXNlcm5hbWU9Inp6enoiLHJlYWxtPSJqbTExNDE0MiIsbm9uY2U9IklicGxhRHJZNE4\

yVm5lQzl5MTZOYWxUOVcvanUrcmp5YmRqaHM9Iixjbm9uY2U9InlqZ2hMVmhjRFJMa0Fob\

tDS0p2WVUxMUM4V1NycjJVWm5IR2Vkclk9IixuYz0wMDAwMDAwMSxxb3A9YXV0aC1jb25m\

Ghlcj0icmM0IixtYXhidWY9MjA0OCxkaWdlc3QtdXJpPSJyY21kLyIscmVzcG9uc2U9OTY\

ODI1MmRmNzY4YTJjYzkxYjJjZDMyYTk0ZWM=

got 'username="zzzz",realm="jm114142",\

nonce="IbplaDrY4N4szhgX2VneC9y16NalT9W/ju+rjybdjhs=",\

cnonce="yjghLVhcDRLkAhoirwKCKJvYU11C8WSrr2UZnHGedrY=", \

nc=00000001,qop=auth-conf,cipher="rc4",maxbuf=2048,digest-uri="rcmd/",\

response=966e978252df768a2cc91b2cd32a94ec'

*** Calling sasl_server_step() ***

Sending response...

S: cnNwYXV0aD0yYjEzMzRjYzU4NTE4MTEwOWM3OTdhMjUwYjkwMzk3OQ==

Waiting for client reply...
Client

S: cnNwYXV0aD0yYjEzMzRjYzU4NTE4MTEwOWM3OTdhMjUwYjkwMzk3OQ==

received 40 byte message

got 'rspauth=2b1334cc585181109c797a250b903979'

*** Calling sasl_client_step() ***

C:

Negotiation complete

*** Calling sasl_getprop() ***

Username: zzzz

SSF: 128

Waiting for encoded message...
Server

Waiting for client reply...

C:

got ''

*** Calling sasl_server_step() ***

Negotiation complete

*** Calling sasl_getprop() to get username, realm, ssf ***

Username: zzzz

Realm: 22c38

SSF: 128

*** Calling sasl_encode() ***

sending encrypted message 'srv message 1'

S: AAAAHvArjnAvDFuMBqAAxkqdumzJB6VD1oajiwABAAAAAA==
Client

S: AAAAHvArjnAvDFuMBqAAxkqdumzJB6VD1oajiwABAAAAAA==

received 34 byte message

got ''

*** Calling sasl_decode() ***

received decoded message 'srv message 1'

*** Calling sasl_encode() ***

sending encrypted message 'client message 1'

C: AAAAIRdkTEMYOn9X4NXkxPc3OTFvAZUnLbZANqzn6gABAAAAAA==

*** Calling sasl_dispose() to release client SASL connection context ***

*** Calling sasl_done() to release libsasl resources ***
Server

Waiting for encrypted message...

C: AAAAIRdkTEMYOn9X4NXkxPc3OTFvAZUnLbZANqzn6gABAAAAAA==

got ''

*** Calling sasl_decode() ***

received decoded message 'client message 1'

*** Calling sasl_dispose() to release client SASL connection context ***
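The following added example (not code from the guide or from libsasl) replays steps 5 to 7 of the session above in Python: it decodes and parses a DIGEST-MD5 challenge of the same shape as the server's first message in the transcript, picks the strongest qop offered, and computes the client response and server rspauth per RFC 2831, which is what sasl_client_step() and sasl_server_step() do internally for this mechanism. The challenge text, nonce and cnonce values are constructed here; the realm, user name, digest-uri and field names come from the transcript, and DIGEST-MD5 itself has since been deprecated (RFC 6331), so this serves to explain the exchange rather than as a mechanism to deploy.

```python
import base64
import hashlib
import re

# Constructed sample challenge in the same shape as the server's first DIGEST-MD5
# message in the transcript above (same field names; the nonce here is made up).
SAMPLE_CHALLENGE_B64 = base64.b64encode(
    b'nonce="c2FtcGxlLXNlcnZlci1ub25jZQ==",realm="jm114142",'
    b'qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4",'
    b'maxbuf=2048,charset=utf-8,algorithm=md5-sess').decode()
# One key=value token; the value is either a quoted string or a bare word.
_TOKEN = re.compile(r'\s*([^=,\s]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)')

def parse_challenge(b64):
    """Decode the base64 wire form; quoted values (qop, cipher) contain commas."""
    text, fields, pos = base64.b64decode(b64).decode(), {}, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d" % pos)
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
        pos = m.end()
    return fields

def choose_qop(offered):
    """Prefer auth-conf (the SSF 128 confidentiality layer in the transcript) over auth-int over auth."""
    for qop in ("auth-conf", "auth-int", "auth"):
        if qop in offered.split(","):
            return qop
    raise ValueError("no acceptable qop offered")

def digest_md5_value(prefix, user, realm, pw, nonce, cnonce, nc, qop, uri):
    """RFC 2831 response-value; prefix is 'AUTHENTICATE:' for the client response, ':' for rspauth."""
    h = lambda data: hashlib.md5(data).hexdigest()
    a1 = hashlib.md5(f"{user}:{realm}:{pw}".encode()).digest() + f":{nonce}:{cnonce}".encode()
    a2 = f"{prefix}{uri}" + (":" + "0" * 32 if qop in ("auth-int", "auth-conf") else "")
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2.encode())}".encode())

def run_exchange(client_pw, server_pw, user="zzzz", cnonce="Y2xpZW50LW5vbmNl", uri="rcmd/"):
    """Replay steps 5-7: returns (server accepted the client, client accepted the server).
    Both checks fail when the passwords differ, since rspauth is derived from the same secret."""
    ch = parse_challenge(SAMPLE_CHALLENGE_B64)
    kw = dict(user=user, realm=ch["realm"], nonce=ch["nonce"], cnonce=cnonce,
              nc="00000001", qop=choose_qop(ch["qop"]), uri=uri)
    response = digest_md5_value("AUTHENTICATE:", pw=client_pw, **kw)
    server_ok = response == digest_md5_value("AUTHENTICATE:", pw=server_pw, **kw)
    rspauth = digest_md5_value(":", pw=server_pw, **kw)
    client_ok = rspauth == digest_md5_value(":", pw=client_pw, **kw)
    return server_ok, client_ok
```

The second return value is the check the client performs on the 'rspauth=...' message in the transcript: a server that did not know the password cannot produce it, which is why the client must verify it before trusting the negotiated security layer.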