From 49e965f41257a0ed299c58a7cf1c120ddf944aaa Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Tue, 5 May 2020 14:51:36 -0400

Subject: [PATCH] Add support for setting max ssf 0 to GSS-SPNEGO

Bacport form this proposed PR (still open at bacport time):

https://github.com/cyrusimap/cyrus-sasl/pull/603

Signed-off-by: Simo Sorce <simo@redhat.com>

---

 m4/sasl2.m4          | 13 +++++++

 plugins/gssapi.c     | 44 ++++++++++++++++++++-

 tests/runtests.py    | 91 ++++++++++++++++++++++++++++++++++++++++----

 tests/t_common.c     | 13 ++++---

 tests/t_common.h     |  3 +-

 tests/t_gssapi_cli.c | 25 ++++++++++--

 tests/t_gssapi_srv.c | 28 +++++++++++---

 7 files changed, 194 insertions(+), 23 deletions(-)

diff --git a/m4/sasl2.m4 b/m4/sasl2.m4

index 56e0504..6effe99 100644

--- a/m4/sasl2.m4

+++ b/m4/sasl2.m4

@@ -287,6 +287,19 @@ if test "$gssapi" != no; then

   AC_CHECK_FUNCS(gss_oid_equal)

   LIBS="$cmu_save_LIBS"

+  cmu_save_LIBS="$LIBS"

+  LIBS="$LIBS $GSSAPIBASE_LIBS"

+  if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then

+    AC_CHECK_DECL(GSS_KRB5_CRED_NO_CI_FLAGS_X,

+                  [AC_DEFINE(HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X,1,

+                             [Define if your GSSAPI implementation supports GSS_KRB5_CRED_NO_CI_FLAGS_X])],,

+                  [

+                    AC_INCLUDES_DEFAULT

+                    #include <gssapi/gssapi_krb5.h>

+                    ])

+  fi

+  LIBS="$cmu_save_LIBS"

+

   cmu_save_LIBS="$LIBS"

   LIBS="$LIBS $GSSAPIBASE_LIBS"

   AC_CHECK_FUNCS(gss_get_name_attribute)

diff --git a/plugins/gssapi.c b/plugins/gssapi.c

index 5d900c5..7480316 100644

--- a/plugins/gssapi.c

+++ b/plugins/gssapi.c

@@ -1783,7 +1783,49 @@ static int gssapi_client_mech_step(void *conn_context,

 		/* We want to try for privacy */

 		req_flags |= GSS_C_CONF_FLAG;

 	    }

-	}

+#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X

+        /* The krb5 mechanism automatically adds INTEG and CONF flags even when

+         * not specified, this has the effect of rendering explicit requests

+         * of no confidentiality and integrity via setting maxssf 0 moot.

+         * However to interoperate with Windows machines it needs to be

+         * possible to unset these flags as Windows machines refuse to allow

+         * two layers (say TLS and GSSAPI) to both provide these services.

+         * So if we do not suppress these flags a SASL/GSS-SPNEGO negotiation

+         * over, say, LDAPS will fail against Windows Servers */

+	} else if (params->props.max_ssf == 0) {

+            gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;

+            if (client_creds == GSS_C_NO_CREDENTIAL) {

+                gss_OID_set_desc mechs = { 0 };

+                gss_OID_set desired_mechs = GSS_C_NO_OID_SET;

+                if (text->mech_type != GSS_C_NO_OID) {

+                    mechs.count = 1;

+                    mechs.elements = text->mech_type;

+                    desired_mechs = &mechs;

+                }

+

+                maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME,

+                                            GSS_C_INDEFINITE, desired_mechs,

+                                            GSS_C_INITIATE,

+                                            &text->client_creds, NULL, NULL);

+                if (GSS_ERROR(maj_stat)) {

+                    sasl_gss_seterror(text->utils, maj_stat, min_stat);

+                    sasl_gss_free_context_contents(text);

+                    return SASL_FAIL;

+                }

+                client_creds = text->client_creds;

+            }

+

+            maj_stat = gss_set_cred_option(&min_stat, &client_creds,

+                                           (gss_OID)GSS_KRB5_CRED_NO_CI_FLAGS_X,

+                                            &empty_buffer);

+            if (GSS_ERROR(maj_stat)) {

+                sasl_gss_seterror(text->utils, maj_stat, min_stat);

+                sasl_gss_free_context_contents(text);

+                return SASL_FAIL;

+            }

+#endif

+        }

+

 	if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS) {

 	    req_flags = req_flags |  GSS_C_DELEG_FLAG;

diff --git a/tests/runtests.py b/tests/runtests.py

index fc9cf24..4106401 100755

--- a/tests/runtests.py

+++ b/tests/runtests.py

@@ -6,6 +6,7 @@ import os

 import shutil

 import signal

 import subprocess

+import sys

 import time

 from string import Template

@@ -149,11 +150,12 @@ def gssapi_basic_test(kenv):

                 srv.returncode, srv.stderr.read().decode('utf-8')))

     except Exception as e:

         print("FAIL: {}".format(e))

-        return

+        return 1

     print("PASS: CLI({}) SRV({})".format(

         cli.stdout.read().decode('utf-8').strip(),

         srv.stdout.read().decode('utf-8').strip()))

+    return 0

 def gssapi_channel_binding_test(kenv):

     try:

@@ -178,11 +180,12 @@ def gssapi_channel_binding_test(kenv):

                 srv.returncode, srv.stderr.read().decode('utf-8')))

     except Exception as e:

         print("FAIL: {}".format(e))

-        return

+        return 1

     print("PASS: CLI({}) SRV({})".format(

         cli.stdout.read().decode('utf-8').strip(),

         srv.stdout.read().decode('utf-8').strip()))

+    return 0

 def gssapi_channel_binding_mismatch_test(kenv):

     result = "FAIL"

@@ -212,11 +215,70 @@ def gssapi_channel_binding_mismatch_test(kenv):

                 cli.returncode, cli_err, srv.returncode, srv_err))

     except Exception as e:

         print("{}: {}".format(result, e))

-        return

+        return 0

     print("FAIL: This test should fail [CLI({}) SRV({})]".format(

         cli.stdout.read().decode('utf-8').strip(),

         srv.stdout.read().decode('utf-8').strip()))

+    return 1

+

+def gss_spnego_basic_test(kenv):

+    try:

+        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-N"],

+                               stdout=subprocess.PIPE,

+                               stderr=subprocess.PIPE, env=kenv)

+        srv.stdout.readline() # Wait for srv to say it is ready

+        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-N"],

+                               stdout=subprocess.PIPE,

+                               stderr=subprocess.PIPE, env=kenv)

+        try:

+            cli.wait(timeout=5)

+            srv.wait(timeout=5)

+        except Exception as e:

+            print("Failed on {}".format(e));

+            cli.kill()

+            srv.kill()

+        if cli.returncode != 0 or srv.returncode != 0:

+            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(

+                cli.returncode, cli.stderr.read().decode('utf-8'),

+                srv.returncode, srv.stderr.read().decode('utf-8')))

+    except Exception as e:

+        print("FAIL: {}".format(e))

+        return 1

+

+    print("PASS: CLI({}) SRV({})".format(

+        cli.stdout.read().decode('utf-8').strip(),

+        srv.stdout.read().decode('utf-8').strip()))

+    return 0

+

+def gss_spnego_zeromaxssf_test(kenv):

+    try:

+        srv = subprocess.Popen(["../tests/t_gssapi_srv", "-N", "-z"],

+                               stdout=subprocess.PIPE,

+                               stderr=subprocess.PIPE, env=kenv)

+        srv.stdout.readline() # Wait for srv to say it is ready

+        cli = subprocess.Popen(["../tests/t_gssapi_cli", "-N", "-z"],

+                               stdout=subprocess.PIPE,

+                               stderr=subprocess.PIPE, env=kenv)

+        try:

+            cli.wait(timeout=5)

+            srv.wait(timeout=5)

+        except Exception as e:

+            print("Failed on {}".format(e));

+            cli.kill()

+            srv.kill()

+        if cli.returncode != 0 or srv.returncode != 0:

+            raise Exception("CLI ({}): {} --> SRV ({}): {}".format(

+                cli.returncode, cli.stderr.read().decode('utf-8'),

+                srv.returncode, srv.stderr.read().decode('utf-8')))

+    except Exception as e:

+        print("FAIL: {}".format(e))

+        return 1

+

+    print("PASS: CLI({}) SRV({})".format(

+        cli.stdout.read().decode('utf-8').strip(),

+        srv.stdout.read().decode('utf-8').strip()))

+    return 0

 def gssapi_tests(testdir):

     """ SASL/GSSAPI Tests """

@@ -225,20 +287,32 @@ def gssapi_tests(testdir):

     #print("KDC: {}, ENV: {}".format(kdc, kenv))

     kenv['KRB5_TRACE'] = os.path.join(testdir, 'trace.log')

+    err = 0

+

     print('GSSAPI BASIC:')

     print('    ', end='')

-    gssapi_basic_test(kenv)

+    err += gssapi_basic_test(kenv)

     print('GSSAPI CHANNEL BINDING:')

     print('    ', end='')

-    gssapi_channel_binding_test(kenv)

+    err += gssapi_channel_binding_test(kenv)

     print('GSSAPI CHANNEL BINDING MISMTACH:')

     print('    ', end='')

-    gssapi_channel_binding_mismatch_test(kenv)

+    err += gssapi_channel_binding_mismatch_test(kenv)

+

+    print('GSS-SPNEGO BASIC:')

+    print('    ', end='')

+    err += gss_spnego_basic_test(kenv)

+

+    print('GSS-SPNEGO 0 MAXSSF:')

+    print('    ', end='')

+    err += gss_spnego_zeromaxssf_test(kenv)

     os.killpg(kdc.pid, signal.SIGTERM)

+    return err

+

 if __name__ == "__main__":

@@ -253,4 +327,7 @@ if __name__ == "__main__":

         shutil.rmtree(T)

     os.makedirs(T)

-    gssapi_tests(T)

+    err = gssapi_tests(T)

+    if err != 0:

+        print('{} test(s) FAILED'.format(err))

+        sys.exit(-1)

diff --git a/tests/t_common.c b/tests/t_common.c

index 478e6a1..f56098e 100644

--- a/tests/t_common.c

+++ b/tests/t_common.c

@@ -23,20 +23,21 @@ void send_string(int sd, const char *s, unsigned int l)

     if (ret != l) s_error("send data", ret, l, errno);

 }

-void recv_string(int sd, char *buf, unsigned int *buflen)

+void recv_string(int sd, char *buf, unsigned int *buflen, bool allow_eof)

 {

+    unsigned int bufsize = *buflen;

     unsigned int l;

     ssize_t ret;

+    *buflen = 0;

+

     ret = recv(sd, &l, sizeof(l), MSG_WAITALL);

+    if (allow_eof && ret == 0) return;

     if (ret != sizeof(l)) s_error("recv size", ret, sizeof(l), errno);

-    if (l == 0) {

-        *buflen = 0;

-        return;

-    }

+    if (l == 0) return;

-    if (*buflen < l) s_error("recv len", l, *buflen, E2BIG);

+    if (bufsize < l) s_error("recv len", l, bufsize, E2BIG);

     ret = recv(sd, buf, l, 0);

     if (ret != l) s_error("recv data", ret, l, errno);

diff --git a/tests/t_common.h b/tests/t_common.h

index a10def1..be24a53 100644

--- a/tests/t_common.h

+++ b/tests/t_common.h

@@ -4,6 +4,7 @@

 #include "config.h"

 #include <errno.h>

+#include <stdbool.h>

 #include <stdio.h>

 #include <sys/socket.h>

@@ -12,7 +13,7 @@

 void s_error(const char *hdr, ssize_t ret, ssize_t len, int err);

 void send_string(int sd, const char *s, unsigned int l);

-void recv_string(int sd, char *buf, unsigned int *buflen);

+void recv_string(int sd, char *buf, unsigned int *buflen, bool allow_eof);

 void saslerr(int why, const char *what);

 int getpath(void *context __attribute__((unused)), const char **path);

 void parse_cb(sasl_channel_binding_t *cb, char *buf, unsigned max, char *in);

diff --git a/tests/t_gssapi_cli.c b/tests/t_gssapi_cli.c

index a44a3f5..d9eafe1 100644

--- a/tests/t_gssapi_cli.c

+++ b/tests/t_gssapi_cli.c

@@ -46,12 +46,21 @@ int main(int argc, char *argv[])

     char cb_buf[256];

     int sd;

     int c, r;

+    const char *sasl_mech = "GSSAPI";

+    bool spnego = false;

+    bool zeromaxssf = false;

-    while ((c = getopt(argc, argv, "c:")) != EOF) {

+    while ((c = getopt(argc, argv, "c:zN")) != EOF) {

         switch (c) {

         case 'c':

             parse_cb(&cb, cb_buf, 256, optarg);

             break;

+        case 'z':

+            zeromaxssf = true;

+            break;

+        case 'N':

+            spnego = true;

+            break;

         default:

             break;

         }

@@ -78,7 +87,17 @@ int main(int argc, char *argv[])

         sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb;;

     }

-    r = sasl_client_start(conn, "GSSAPI", NULL, &data, &len, &chosenmech);

+    if (spnego) {

+        sasl_mech = "GSS-SPNEGO";

+    }

+

+    if (zeromaxssf) {

+        /* set all security properties to 0 including maxssf */

+        sasl_security_properties_t secprops = { 0 };

+        sasl_setprop(conn, SASL_SEC_PROPS, &secprops);

+    }

+

+    r = sasl_client_start(conn, sasl_mech, NULL, &data, &len, &chosenmech);

     if (r != SASL_OK && r != SASL_CONTINUE) {

 	saslerr(r, "starting SASL negotiation");

 	printf("\n%s\n", sasl_errdetail(conn));

@@ -90,7 +109,7 @@ int main(int argc, char *argv[])

     while (r == SASL_CONTINUE) {

         send_string(sd, data, len);

         len = 8192;

-        recv_string(sd, buf, &len;;

+        recv_string(sd, buf, &len, false);

 	r = sasl_client_step(conn, buf, len, NULL, &data, &len;;

 	if (r != SASL_OK && r != SASL_CONTINUE) {

diff --git a/tests/t_gssapi_srv.c b/tests/t_gssapi_srv.c

index ef1217f..448a218 100644

--- a/tests/t_gssapi_srv.c

+++ b/tests/t_gssapi_srv.c

@@ -56,12 +56,21 @@ int main(int argc, char *argv[])

     unsigned char cb_buf[256];

     int sd;

     int c, r;

+    const char *sasl_mech = "GSSAPI";

+    bool spnego = false;

+    bool zeromaxssf = false;

-    while ((c = getopt(argc, argv, "c:")) != EOF) {

+    while ((c = getopt(argc, argv, "c:zN")) != EOF) {

         switch (c) {

         case 'c':

             parse_cb(&cb, cb_buf, 256, optarg);

             break;

+        case 'z':

+            zeromaxssf = true;

+            break;

+        case 'N':

+            spnego = true;

+            break;

         default:

             break;

         }

@@ -90,12 +99,22 @@ int main(int argc, char *argv[])

         sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb;;

     }

+    if (spnego) {

+        sasl_mech = "GSS-SPNEGO";

+    }

+

+    if (zeromaxssf) {

+        /* set all security properties to 0 including maxssf */

+        sasl_security_properties_t secprops = { 0 };

+        sasl_setprop(conn, SASL_SEC_PROPS, &secprops);

+    }

+

     sd = setup_socket();

     len = 8192;

-    recv_string(sd, buf, &len;;

+    recv_string(sd, buf, &len, false);

-    r = sasl_server_start(conn, "GSSAPI", buf, len, &data, &len;;

+    r = sasl_server_start(conn, sasl_mech, buf, len, &data, &len;;

     if (r != SASL_OK && r != SASL_CONTINUE) {

 	saslerr(r, "starting SASL negotiation");

 	printf("\n%s\n", sasl_errdetail(conn));

@@ -105,7 +124,7 @@ int main(int argc, char *argv[])

     while (r == SASL_CONTINUE) {

         send_string(sd, data, len);

         len = 8192;

-        recv_string(sd, buf, &len;;

+        recv_string(sd, buf, &len, true);

 	r = sasl_server_step(conn, buf, len, &data, &len;;

 	if (r != SASL_OK && r != SASL_CONTINUE) {

@@ -113,7 +132,6 @@ int main(int argc, char *argv[])

 	    printf("\n%s\n", sasl_errdetail(conn));

 	    exit(-1);

 	}

-

     }

     if (r != SASL_OK) exit(-1);

-- 

2.18.2