Blame SOURCES/cyrus-sasl-2.1.27-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch

8b8af0
From aa8b6b2275fd14ba2cca3d2339ae61c7e7ddfa70 Mon Sep 17 00:00:00 2001
8b8af0
From: Simo Sorce <simo@redhat.com>
8b8af0
Date: Tue, 5 May 2020 14:08:48 -0400
8b8af0
Subject: [PATCH] Add Channel Binding support for GSSAPI/GSS-SPNEGO
8b8af0
8b8af0
Backport of commit ids:
8b8af0
829a6ed086432e26dafa9d1dcf892aef4c42cfbd
8b8af0
944bd8a6205f840b105206ef83e8f6b9dff0138e
8b8af0
8b8af0
Signed-off-by: Simo Sorce <simo@redhat.com>
8b8af0
---
8b8af0
 plugins/gssapi.c     | 30 +++++++++++---
8b8af0
 tests/runtests.py    | 93 ++++++++++++++++++++++++++++++++++++++++----
8b8af0
 tests/t_common.c     | 24 ++++++++----
8b8af0
 tests/t_common.h     |  5 ++-
8b8af0
 tests/t_gssapi_cli.c | 24 ++++++++++--
8b8af0
 tests/t_gssapi_srv.c | 24 ++++++++++--
8b8af0
 6 files changed, 172 insertions(+), 28 deletions(-)
8b8af0
8b8af0
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
8b8af0
index ff663da..5d900c5 100644
8b8af0
--- a/plugins/gssapi.c
8b8af0
+++ b/plugins/gssapi.c
8b8af0
@@ -830,7 +830,9 @@ gssapi_server_mech_authneg(context_t *text,
8b8af0
     gss_buffer_desc name_without_realm;
8b8af0
     gss_name_t client_name_MN = NULL, without = NULL;
8b8af0
     gss_OID mech_type;
8b8af0
-	
8b8af0
+    gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
8b8af0
+    struct gss_channel_bindings_struct cb = {0};
8b8af0
+
8b8af0
     input_token = &real_input_token;
8b8af0
     output_token = &real_output_token;
8b8af0
     output_token->value = NULL; output_token->length = 0;
8b8af0
@@ -902,6 +904,12 @@ gssapi_server_mech_authneg(context_t *text,
8b8af0
 	real_input_token.length = clientinlen;
8b8af0
     }
8b8af0
 
8b8af0
+    if (params->cbinding != NULL) {
8b8af0
+        cb.application_data.length = params->cbinding->len;
8b8af0
+        cb.application_data.value = params->cbinding->data;
8b8af0
+        bindings = &cb;
8b8af0
+    }
8b8af0
+
8b8af0
 
8b8af0
     GSS_LOCK_MUTEX_CTX(params->utils, text);
8b8af0
     maj_stat =
8b8af0
@@ -909,7 +917,7 @@ gssapi_server_mech_authneg(context_t *text,
8b8af0
 			       &(text->gss_ctx),
8b8af0
 			       server_creds,
8b8af0
 			       input_token,
8b8af0
-			       GSS_C_NO_CHANNEL_BINDINGS,
8b8af0
+			       bindings,
8b8af0
 			       &text->client_name,
8b8af0
 			       &mech_type,
8b8af0
 			       output_token,
8b8af0
@@ -1505,7 +1513,8 @@ static sasl_server_plug_t gssapi_server_plugins[] =
8b8af0
 	| SASL_SEC_PASS_CREDENTIALS,
8b8af0
 	SASL_FEAT_WANT_CLIENT_FIRST
8b8af0
 	| SASL_FEAT_ALLOWS_PROXY
8b8af0
-	| SASL_FEAT_DONTUSE_USERPASSWD,	/* features */
8b8af0
+	| SASL_FEAT_DONTUSE_USERPASSWD
8b8af0
+	| SASL_FEAT_CHANNEL_BINDING,	/* features */
8b8af0
 	NULL,				/* glob_context */
8b8af0
 	&gssapi_server_mech_new,	/* mech_new */
8b8af0
 	&gssapi_server_mech_step,	/* mech_step */
8b8af0
@@ -1529,6 +1538,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
8b8af0
 	SASL_FEAT_WANT_CLIENT_FIRST
8b8af0
 	| SASL_FEAT_ALLOWS_PROXY
8b8af0
 	| SASL_FEAT_DONTUSE_USERPASSWD
8b8af0
+	| SASL_FEAT_CHANNEL_BINDING
8b8af0
 	| SASL_FEAT_SUPPORTS_HTTP,	/* features */
8b8af0
 	&gss_spnego_oid,		/* glob_context */
8b8af0
 	&gssapi_server_mech_new,	/* mech_new */
8b8af0
@@ -1662,6 +1672,8 @@ static int gssapi_client_mech_step(void *conn_context,
8b8af0
     input_token->value = NULL; 
8b8af0
     input_token->length = 0;
8b8af0
     gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;
8b8af0
+    gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
8b8af0
+    struct gss_channel_bindings_struct cb = {0};
8b8af0
 
8b8af0
     if (clientout)
8b8af0
         *clientout = NULL;
8b8af0
@@ -1777,6 +1789,12 @@ static int gssapi_client_mech_step(void *conn_context,
8b8af0
 	    req_flags = req_flags |  GSS_C_DELEG_FLAG;
8b8af0
 	}
8b8af0
 
8b8af0
+        if (params->cbinding != NULL) {
8b8af0
+            cb.application_data.length = params->cbinding->len;
8b8af0
+            cb.application_data.value = params->cbinding->data;
8b8af0
+            bindings = &cb;
8b8af0
+        }
8b8af0
+
8b8af0
 	GSS_LOCK_MUTEX_CTX(params->utils, text);
8b8af0
 	maj_stat = gss_init_sec_context(&min_stat,
8b8af0
 					client_creds, /* GSS_C_NO_CREDENTIAL */
8b8af0
@@ -1785,7 +1803,7 @@ static int gssapi_client_mech_step(void *conn_context,
8b8af0
 					text->mech_type,
8b8af0
 					req_flags,
8b8af0
 					0,
8b8af0
-					GSS_C_NO_CHANNEL_BINDINGS,
8b8af0
+					bindings,
8b8af0
 					input_token,
8b8af0
 					NULL,
8b8af0
 					output_token,
8b8af0
@@ -2190,7 +2208,8 @@ static sasl_client_plug_t gssapi_client_plugins[] =
8b8af0
 	| SASL_SEC_PASS_CREDENTIALS,    /* security_flags */
8b8af0
 	SASL_FEAT_NEEDSERVERFQDN
8b8af0
 	| SASL_FEAT_WANT_CLIENT_FIRST
8b8af0
-	| SASL_FEAT_ALLOWS_PROXY,	/* features */
8b8af0
+	| SASL_FEAT_ALLOWS_PROXY
8b8af0
+	| SASL_FEAT_CHANNEL_BINDING,	/* features */
8b8af0
 	gssapi_required_prompts,	/* required_prompts */
8b8af0
 	GSS_C_NO_OID,			/* glob_context */
8b8af0
 	&gssapi_client_mech_new,	/* mech_new */
8b8af0
@@ -2213,6 +2232,7 @@ static sasl_client_plug_t gssapi_client_plugins[] =
8b8af0
 	SASL_FEAT_NEEDSERVERFQDN
8b8af0
 	| SASL_FEAT_WANT_CLIENT_FIRST
8b8af0
 	| SASL_FEAT_ALLOWS_PROXY
8b8af0
+	| SASL_FEAT_CHANNEL_BINDING
8b8af0
 	| SASL_FEAT_SUPPORTS_HTTP,	/* features */
8b8af0
 	gssapi_required_prompts,	/* required_prompts */
8b8af0
 	&gss_spnego_oid,		/* glob_context */
8b8af0
diff --git a/tests/runtests.py b/tests/runtests.py
8b8af0
index f645adf..fc9cf24 100755
8b8af0
--- a/tests/runtests.py
8b8af0
+++ b/tests/runtests.py
8b8af0
@@ -1,6 +1,7 @@
8b8af0
 #!/usr/bin/python3
8b8af0
 
8b8af0
 import argparse
8b8af0
+import base64
8b8af0
 import os
8b8af0
 import shutil
8b8af0
 import signal
8b8af0
@@ -126,14 +127,7 @@ def setup_kdc(testdir, env):
8b8af0
 
8b8af0
     return kdc, env
8b8af0
 
8b8af0
-
8b8af0
-def gssapi_tests(testdir):
8b8af0
-    """ SASL/GSSAPI Tests """
8b8af0
-    env = setup_socket_wrappers(testdir)
8b8af0
-    kdc, kenv = setup_kdc(testdir, env)
8b8af0
-    #print("KDC: {}, ENV: {}".format(kdc, kenv))
8b8af0
-    kenv['KRB5_TRACE'] = os.path.join(testdir, 'trace.log')
8b8af0
-
8b8af0
+def gssapi_basic_test(kenv):
8b8af0
     try:
8b8af0
         srv = subprocess.Popen(["../tests/t_gssapi_srv"],
8b8af0
                                stdout=subprocess.PIPE,
8b8af0
@@ -155,11 +149,94 @@ def gssapi_tests(testdir):
8b8af0
                 srv.returncode, srv.stderr.read().decode('utf-8')))
8b8af0
     except Exception as e:
8b8af0
         print("FAIL: {}".format(e))
8b8af0
+        return
8b8af0
+
8b8af0
+    print("PASS: CLI({}) SRV({})".format(
8b8af0
+        cli.stdout.read().decode('utf-8').strip(),
8b8af0
+        srv.stdout.read().decode('utf-8').strip()))
8b8af0
+
8b8af0
+def gssapi_channel_binding_test(kenv):
8b8af0
+    try:
8b8af0
+        bindings = base64.b64encode("MATCHING CBS".encode('utf-8'))
8b8af0
+        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-c", bindings],
8b8af0
+                               stdout=subprocess.PIPE,
8b8af0
+                               stderr=subprocess.PIPE, env=kenv)
8b8af0
+        srv.stdout.readline() # Wait for srv to say it is ready
8b8af0
+        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-c", bindings],
8b8af0
+                               stdout=subprocess.PIPE,
8b8af0
+                               stderr=subprocess.PIPE, env=kenv)
8b8af0
+        try:
8b8af0
+            cli.wait(timeout=5)
8b8af0
+            srv.wait(timeout=5)
8b8af0
+        except Exception as e:
8b8af0
+            print("Failed on {}".format(e));
8b8af0
+            cli.kill()
8b8af0
+            srv.kill()
8b8af0
+        if cli.returncode != 0 or srv.returncode != 0:
8b8af0
+            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
8b8af0
+                cli.returncode, cli.stderr.read().decode('utf-8'),
8b8af0
+                srv.returncode, srv.stderr.read().decode('utf-8')))
8b8af0
+    except Exception as e:
8b8af0
+        print("FAIL: {}".format(e))
8b8af0
+        return
8b8af0
 
8b8af0
     print("PASS: CLI({}) SRV({})".format(
8b8af0
         cli.stdout.read().decode('utf-8').strip(),
8b8af0
         srv.stdout.read().decode('utf-8').strip()))
8b8af0
 
8b8af0
+def gssapi_channel_binding_mismatch_test(kenv):
8b8af0
+    result = "FAIL"
8b8af0
+    try:
8b8af0
+        bindings = base64.b64encode("SRV CBS".encode('utf-8'))
8b8af0
+        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-c", bindings],
8b8af0
+                               stdout=subprocess.PIPE,
8b8af0
+                               stderr=subprocess.PIPE, env=kenv)
8b8af0
+        srv.stdout.readline() # Wait for srv to say it is ready
8b8af0
+        bindings = base64.b64encode("CLI CBS".encode('utf-8'))
8b8af0
+        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-c", bindings],
8b8af0
+                               stdout=subprocess.PIPE,
8b8af0
+                               stderr=subprocess.PIPE, env=kenv)
8b8af0
+        try:
8b8af0
+            cli.wait(timeout=5)
8b8af0
+            srv.wait(timeout=5)
8b8af0
+        except Exception as e:
8b8af0
+            print("Failed on {}".format(e));
8b8af0
+            cli.kill()
8b8af0
+            srv.kill()
8b8af0
+        if cli.returncode != 0 or srv.returncode != 0:
8b8af0
+            cli_err = cli.stderr.read().decode('utf-8').strip()
8b8af0
+            srv_err = srv.stderr.read().decode('utf-8').strip()
8b8af0
+            if "authentication failure" in srv_err:
8b8af0
+                result = "PASS"
8b8af0
+            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(
8b8af0
+                cli.returncode, cli_err, srv.returncode, srv_err))
8b8af0
+    except Exception as e:
8b8af0
+        print("{}: {}".format(result, e))
8b8af0
+        return
8b8af0
+
8b8af0
+    print("FAIL: This test should fail [CLI({}) SRV({})]".format(
8b8af0
+        cli.stdout.read().decode('utf-8').strip(),
8b8af0
+        srv.stdout.read().decode('utf-8').strip()))
8b8af0
+
8b8af0
+def gssapi_tests(testdir):
8b8af0
+    """ SASL/GSSAPI Tests """
8b8af0
+    env = setup_socket_wrappers(testdir)
8b8af0
+    kdc, kenv = setup_kdc(testdir, env)
8b8af0
+    #print("KDC: {}, ENV: {}".format(kdc, kenv))
8b8af0
+    kenv['KRB5_TRACE'] = os.path.join(testdir, 'trace.log')
8b8af0
+
8b8af0
+    print('GSSAPI BASIC:')
8b8af0
+    print('    ', end='')
8b8af0
+    gssapi_basic_test(kenv)
8b8af0
+
8b8af0
+    print('GSSAPI CHANNEL BINDING:')
8b8af0
+    print('    ', end='')
8b8af0
+    gssapi_channel_binding_test(kenv)
8b8af0
+
8b8af0
+    print('GSSAPI CHANNEL BINDING MISMTACH:')
8b8af0
+    print('    ', end='')
8b8af0
+    gssapi_channel_binding_mismatch_test(kenv)
8b8af0
+
8b8af0
     os.killpg(kdc.pid, signal.SIGTERM)
8b8af0
 
8b8af0
 
8b8af0
diff --git a/tests/t_common.c b/tests/t_common.c
8b8af0
index 7168b2f..478e6a1 100644
8b8af0
--- a/tests/t_common.c
8b8af0
+++ b/tests/t_common.c
8b8af0
@@ -1,4 +1,5 @@
8b8af0
-/* TBD, add (C) */
8b8af0
+/* Copyright (C) Simo Sorce <simo@redhat.com>
8b8af0
+ * See COPYING file for License */
8b8af0
 
8b8af0
 #include <t_common.h>
8b8af0
 
8b8af0
@@ -13,9 +14,6 @@ void send_string(int sd, const char *s, unsigned int l)
8b8af0
 {
8b8af0
     ssize_t ret;
8b8af0
 
8b8af0
-fprintf(stderr, "s:%u ", l);
8b8af0
-fflush(stderr);
8b8af0
-
8b8af0
     ret = send(sd, &l, sizeof(l), 0);
8b8af0
     if (ret != sizeof(l)) s_error("send size", ret, sizeof(l), errno);
8b8af0
 
8b8af0
@@ -34,8 +32,6 @@ void recv_string(int sd, char *buf, unsigned int *buflen)
8b8af0
     if (ret != sizeof(l)) s_error("recv size", ret, sizeof(l), errno);
8b8af0
 
8b8af0
     if (l == 0) {
8b8af0
-fprintf(stderr, "r:0 ");
8b8af0
-fflush(stderr);
8b8af0
         *buflen = 0;
8b8af0
         return;
8b8af0
     }
8b8af0
@@ -45,8 +41,6 @@ fflush(stderr);
8b8af0
     ret = recv(sd, buf, l, 0);
8b8af0
     if (ret != l) s_error("recv data", ret, l, errno);
8b8af0
 
8b8af0
-fprintf(stderr, "r:%ld ", ret);
8b8af0
-fflush(stderr);
8b8af0
     *buflen = ret;
8b8af0
 }
8b8af0
 
8b8af0
@@ -65,4 +59,18 @@ int getpath(void *context __attribute__((unused)), const char **path)
8b8af0
     return SASL_OK;
8b8af0
 }
8b8af0
 
8b8af0
+void parse_cb(sasl_channel_binding_t *cb, char *buf, unsigned max, char *in)
8b8af0
+{
8b8af0
+    unsigned len;
8b8af0
+    int r;
8b8af0
 
8b8af0
+    r = sasl_decode64(in, strlen(in), buf, max, &len;;
8b8af0
+    if (r != SASL_OK) {
8b8af0
+        saslerr(r, "failed to parse channel bindings");
8b8af0
+        exit(-1);
8b8af0
+    }
8b8af0
+    cb->name = "TEST BINDINGS";
8b8af0
+    cb->critical = 0;
8b8af0
+    cb->data = (unsigned char *)buf;
8b8af0
+    cb->len = len;
8b8af0
+}
8b8af0
diff --git a/tests/t_common.h b/tests/t_common.h
8b8af0
index 4ee1976..a10def1 100644
8b8af0
--- a/tests/t_common.h
8b8af0
+++ b/tests/t_common.h
8b8af0
@@ -1,4 +1,5 @@
8b8af0
-/* TBD, add (C) */
8b8af0
+/* Copyright (C) Simo Sorce <simo@redhat.com>
8b8af0
+ * See COPYING file for License */
8b8af0
 
8b8af0
 #include "config.h"
8b8af0
 
8b8af0
@@ -7,9 +8,11 @@
8b8af0
 #include <sys/socket.h>
8b8af0
 
8b8af0
 #include <sasl.h>
8b8af0
+#include <saslutil.h>
8b8af0
 
8b8af0
 void s_error(const char *hdr, ssize_t ret, ssize_t len, int err);
8b8af0
 void send_string(int sd, const char *s, unsigned int l);
8b8af0
 void recv_string(int sd, char *buf, unsigned int *buflen);
8b8af0
 void saslerr(int why, const char *what);
8b8af0
 int getpath(void *context __attribute__((unused)), const char **path);
8b8af0
+void parse_cb(sasl_channel_binding_t *cb, char *buf, unsigned max, char *in);
8b8af0
diff --git a/tests/t_gssapi_cli.c b/tests/t_gssapi_cli.c
8b8af0
index c833c05..a44a3f5 100644
8b8af0
--- a/tests/t_gssapi_cli.c
8b8af0
+++ b/tests/t_gssapi_cli.c
8b8af0
@@ -1,4 +1,5 @@
8b8af0
-/* TBD, add (C) */
8b8af0
+/* Copyright (C) Simo Sorce <simo@redhat.com>
8b8af0
+ * See COPYING file for License */
8b8af0
 
8b8af0
 #include "t_common.h"
8b8af0
 
8b8af0
@@ -13,6 +14,7 @@
8b8af0
 
8b8af0
 #include <arpa/inet.h>
8b8af0
 #include <saslplug.h>
8b8af0
+#include <saslutil.h>
8b8af0
 
8b8af0
 static int setup_socket(void)
8b8af0
 {
8b8af0
@@ -32,7 +34,7 @@ static int setup_socket(void)
8b8af0
     return sock;
8b8af0
 }
8b8af0
 
8b8af0
-int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
8b8af0
+int main(int argc, char *argv[])
8b8af0
 {
8b8af0
     sasl_callback_t callbacks[2] = {};
8b8af0
     char buf[8192];
8b8af0
@@ -40,8 +42,20 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
8b8af0
     sasl_conn_t *conn;
8b8af0
     const char *data;
8b8af0
     unsigned int len;
8b8af0
+    sasl_channel_binding_t cb = {0};
8b8af0
+    char cb_buf[256];
8b8af0
     int sd;
8b8af0
-    int r;
8b8af0
+    int c, r;
8b8af0
+
8b8af0
+    while ((c = getopt(argc, argv, "c:")) != EOF) {
8b8af0
+        switch (c) {
8b8af0
+        case 'c':
8b8af0
+            parse_cb(&cb, cb_buf, 256, optarg);
8b8af0
+            break;
8b8af0
+        default:
8b8af0
+            break;
8b8af0
+        }
8b8af0
+    }
8b8af0
 
8b8af0
     /* initialize the sasl library */
8b8af0
     callbacks[0].id = SASL_CB_GETPATH;
8b8af0
@@ -60,6 +74,10 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
8b8af0
         exit(-1);
8b8af0
     }
8b8af0
 
8b8af0
+    if (cb.name) {
8b8af0
+        sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb;;
8b8af0
+    }
8b8af0
+
8b8af0
     r = sasl_client_start(conn, "GSSAPI", NULL, &data, &len, &chosenmech);
8b8af0
     if (r != SASL_OK && r != SASL_CONTINUE) {
8b8af0
 	saslerr(r, "starting SASL negotiation");
8b8af0
diff --git a/tests/t_gssapi_srv.c b/tests/t_gssapi_srv.c
8b8af0
index 29f538d..ef1217f 100644
8b8af0
--- a/tests/t_gssapi_srv.c
8b8af0
+++ b/tests/t_gssapi_srv.c
8b8af0
@@ -1,4 +1,5 @@
8b8af0
-/* TBD, add (C) */
8b8af0
+/* Copyright (C) Simo Sorce <simo@redhat.com>
8b8af0
+ * See COPYING file for License */
8b8af0
 
8b8af0
 #include "t_common.h"
8b8af0
 
8b8af0
@@ -44,15 +45,28 @@ static int setup_socket(void)
8b8af0
     return sd;
8b8af0
 }
8b8af0
 
8b8af0
-int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
8b8af0
+int main(int argc, char *argv[])
8b8af0
 {
8b8af0
     sasl_callback_t callbacks[2] = {};
8b8af0
     char buf[8192];
8b8af0
     sasl_conn_t *conn;
8b8af0
     const char *data;
8b8af0
     unsigned int len;
8b8af0
+    sasl_channel_binding_t cb = {0};
8b8af0
+    unsigned char cb_buf[256];
8b8af0
     int sd;
8b8af0
-    int r;
8b8af0
+    int c, r;
8b8af0
+
8b8af0
+    while ((c = getopt(argc, argv, "c:")) != EOF) {
8b8af0
+        switch (c) {
8b8af0
+        case 'c':
8b8af0
+            parse_cb(&cb, cb_buf, 256, optarg);
8b8af0
+            break;
8b8af0
+        default:
8b8af0
+            break;
8b8af0
+        }
8b8af0
+    }
8b8af0
+
8b8af0
 
8b8af0
     /* initialize the sasl library */
8b8af0
     callbacks[0].id = SASL_CB_GETPATH;
8b8af0
@@ -72,6 +86,10 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
8b8af0
         exit(-1);
8b8af0
     }
8b8af0
 
8b8af0
+    if (cb.name) {
8b8af0
+        sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb;;
8b8af0
+    }
8b8af0
+
8b8af0
     sd = setup_socket();
8b8af0
 
8b8af0
     len = 8192;
8b8af0
-- 
8b8af0
2.18.2
8b8af0