Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bugfix] Added APOptions []int in client.GSSAPIBindRequest(...) and client.InitSecContext(...), fixes #536 #537

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
+120 −12
Open

[bugfix] Added APOptions []int in client.GSSAPIBindRequest(...) and client.InitSecContext(...), fixes #536 #537

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fe5ed31
Added APOptions []int in client.GSSAPIBindRequest(...) and client.Ini…
p0dalirius Nov 14, 2024
3bbd598
Moving APOptions to GSSAPIBindRequest struct for coherence and to avo…
p0dalirius Nov 18, 2024
78ef5d4
Unified UnmarshalWrapToken() with v3 and base
p0dalirius Nov 18, 2024
1cad944
Update client.go
p0dalirius Dec 13, 2024
1cc1eb3
Removed breaking API changes to InitSecContext, added APOptions in C…
p0dalirius Dec 13, 2024
f752bf8
Removed breaking API changes to InitSecContext, added APOptions in C…
p0dalirius Dec 13, 2024
a55dbd6
Changing unmarshalWrapToken function to private
p0dalirius Dec 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions bind.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -606,10 +606,13 @@ type GSSAPIBindRequest struct {

// GSSAPIBind performs the GSSAPI SASL bind using the provided GSSAPI client.
func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string) error {
return l.GSSAPIBindRequest(client, &GSSAPIBindRequest{
ServicePrincipalName: servicePrincipal,
AuthZID: authzid,
})
return l.GSSAPIBindRequest(
client,
&GSSAPIBindRequest{
ServicePrincipalName: servicePrincipal,
AuthZID: authzid,
},
)
}

// GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
Expand Down
55 changes: 53 additions & 2 deletions gssapi/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
package gssapi

import (
"bytes"
"encoding/binary"
"encoding/hex"
"errors"
"fmt"

"github.com/jcmturner/gokrb5/v8/client"
Expand All @@ -24,6 +28,8 @@ type Client struct {

ekey types.EncryptionKey
Subkey types.EncryptionKey

APOptions []int
}

// NewClientWithKeytab creates a new client from a keytab credential.
Expand Down Expand Up @@ -110,7 +116,7 @@ func (client *Client) InitSecContext(target string, input []byte) ([]byte, bool,
}
client.ekey = ekey

token, err := spnego.NewKRB5TokenAPREQ(client.Client, tkt, ekey, gssapiFlags, []int{})
token, err := spnego.NewKRB5TokenAPREQ(client.Client, tkt, ekey, gssapiFlags, client.APOptions)
if err != nil {
return nil, false, err
}
Expand Down Expand Up @@ -160,7 +166,7 @@ func (client *Client) InitSecContext(target string, input []byte) ([]byte, bool,
// See RFC 4752 section 3.1.
func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, error) {
token := &gssapi.WrapToken{}
err := token.Unmarshal(input, true)
err := unmarshalWrapToken(token, input, true)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -212,3 +218,48 @@ func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, e

return output, nil
}

func unmarshalWrapToken(wt *gssapi.WrapToken, data []byte, expectFromAcceptor bool) error {
// Check if we can read a whole header
if len(data) < 16 {
return errors.New("bytes shorter than header length")
}

// Is the Token ID correct?
expectedWrapTokenId := [2]byte{0x05, 0x04}
if !bytes.Equal(expectedWrapTokenId[:], data[0:2]) {
return fmt.Errorf("wrong Token ID. Expected %s, was %s", hex.EncodeToString(expectedWrapTokenId[:]), hex.EncodeToString(data[0:2]))
}

// Check the acceptor flag
flags := data[2]
isFromAcceptor := flags&0x01 == 1
if isFromAcceptor && !expectFromAcceptor {
return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
}
if !isFromAcceptor && expectFromAcceptor {
return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
}

// Check the filler byte
if data[3] != gssapi.FillerByte {
return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(data[3:4]))
}
checksumL := binary.BigEndian.Uint16(data[4:6])

// Sanity check on the checksum length
if int(checksumL) > len(data)-gssapi.HdrLen {
return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(data), checksumL)
}

payloadStart := 16 + checksumL

wt.Flags = flags
wt.EC = checksumL
wt.RRC = binary.BigEndian.Uint16(data[6:8])
wt.SndSeqNum = binary.BigEndian.Uint64(data[8:16])
wt.CheckSum = data[16:payloadStart]
wt.Payload = data[payloadStart:]

return nil
}
11 changes: 7 additions & 4 deletions v3/bind.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -606,10 +606,13 @@ type GSSAPIBindRequest struct {

// GSSAPIBind performs the GSSAPI SASL bind using the provided GSSAPI client.
func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string) error {
return l.GSSAPIBindRequest(client, &GSSAPIBindRequest{
ServicePrincipalName: servicePrincipal,
AuthZID: authzid,
})
return l.GSSAPIBindRequest(
client,
&GSSAPIBindRequest{
ServicePrincipalName: servicePrincipal,
AuthZID: authzid,
},
)
}

// GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
Expand Down
55 changes: 53 additions & 2 deletions v3/gssapi/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
package gssapi

import (
"bytes"
"encoding/binary"
"encoding/hex"
"errors"
"fmt"

"github.com/jcmturner/gokrb5/v8/client"
Expand All @@ -24,6 +28,8 @@ type Client struct {

ekey types.EncryptionKey
Subkey types.EncryptionKey

APOptions []int
}

// NewClientWithKeytab creates a new client from a keytab credential.
Expand Down Expand Up @@ -110,7 +116,7 @@ func (client *Client) InitSecContext(target string, input []byte) ([]byte, bool,
}
client.ekey = ekey

token, err := spnego.NewKRB5TokenAPREQ(client.Client, tkt, ekey, gssapiFlags, []int{})
token, err := spnego.NewKRB5TokenAPREQ(client.Client, tkt, ekey, gssapiFlags, client.APOptions)
if err != nil {
return nil, false, err
}
Expand Down Expand Up @@ -160,7 +166,7 @@ func (client *Client) InitSecContext(target string, input []byte) ([]byte, bool,
// See RFC 4752 section 3.1.
func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, error) {
token := &gssapi.WrapToken{}
err := token.Unmarshal(input, true)
err := unmarshalWrapToken(token, input, true)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -212,3 +218,48 @@ func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, e

return output, nil
}

func unmarshalWrapToken(wt *gssapi.WrapToken, data []byte, expectFromAcceptor bool) error {
// Check if we can read a whole header
if len(data) < 16 {
return errors.New("bytes shorter than header length")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we anticipate any kind of code handling of these errors it may be kinder to actually create named errors (var ErrInvalidGSSAPIFooBarHeaderLength = "bytes shorter ..."), that can be used with the errors.Is and related helper functions.

}

// Is the Token ID correct?
expectedWrapTokenId := [2]byte{0x05, 0x04}
if !bytes.Equal(expectedWrapTokenId[:], data[0:2]) {
return fmt.Errorf("wrong Token ID. Expected %s, was %s", hex.EncodeToString(expectedWrapTokenId[:]), hex.EncodeToString(data[0:2]))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In cases where returning additional context with the error it may be nice for it to wrap a simpler 'known' error as the related comment says.

eg return fmt.Errorf("wrong blah blah. expected %s, was %s: %w", x, y, ErrUnmarshalFault) or something like that

}

// Check the acceptor flag
flags := data[2]
isFromAcceptor := flags&0x01 == 1
if isFromAcceptor && !expectFromAcceptor {
return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
}
if !isFromAcceptor && expectFromAcceptor {
return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
}

// Check the filler byte
if data[3] != gssapi.FillerByte {
return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(data[3:4]))
}
checksumL := binary.BigEndian.Uint16(data[4:6])

// Sanity check on the checksum length
if int(checksumL) > len(data)-gssapi.HdrLen {
return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(data), checksumL)
}

payloadStart := 16 + checksumL

wt.Flags = flags
wt.EC = checksumL
wt.RRC = binary.BigEndian.Uint16(data[6:8])
wt.SndSeqNum = binary.BigEndian.Uint64(data[8:16])
wt.CheckSum = data[16:payloadStart]
wt.Payload = data[payloadStart:]

return nil
}
Loading