1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
Origin: upstream, https://github.com/cyrusimap/cyrus-sasl/commit/975edbb69070eba6b035f08776de771a129cfb57
From: Simo Sorce <simo@redhat.com>
Date: Fri, 20 Mar 2020 14:51:04 -0400
Subject: Add Channel Binding support for GSSAPI/GSS-SPNEGO
Signed-off-by: Simo Sorce <simo@redhat.com>
---
plugins/gssapi.c | 30 +++++++++++---
tests/runtests.py | 93 ++++++++++++++++++++++++++++++++++++++++----
tests/t_common.c | 14 +++++++
tests/t_common.h | 2 +
tests/t_gssapi_cli.c | 21 +++++++++-
tests/t_gssapi_srv.c | 21 +++++++++-
6 files changed, 164 insertions(+), 17 deletions(-)
Bug: https://github.com/cyrusimap/cyrus-sasl/issues/600
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1912256
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index ff663da7..5d900c5e 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -830,7 +830,9 @@ gssapi_server_mech_authneg(context_t *text,
gss_buffer_desc name_without_realm;
gss_name_t client_name_MN = NULL, without = NULL;
gss_OID mech_type;
-
+ gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
+ struct gss_channel_bindings_struct cb = {0};
+
input_token = &real_input_token;
output_token = &real_output_token;
output_token->value = NULL; output_token->length = 0;
@@ -902,6 +904,12 @@ gssapi_server_mech_authneg(context_t *text,
real_input_token.length = clientinlen;
}
+ if (params->cbinding != NULL) {
+ cb.application_data.length = params->cbinding->len;
+ cb.application_data.value = params->cbinding->data;
+ bindings = &cb;
+ }
+
GSS_LOCK_MUTEX_CTX(params->utils, text);
maj_stat =
@@ -909,7 +917,7 @@ gssapi_server_mech_authneg(context_t *text,
&(text->gss_ctx),
server_creds,
input_token,
- GSS_C_NO_CHANNEL_BINDINGS,
+ bindings,
&text->client_name,
&mech_type,
output_token,
@@ -1505,7 +1513,8 @@ static sasl_server_plug_t gssapi_server_plugins[] =
| SASL_SEC_PASS_CREDENTIALS,
SASL_FEAT_WANT_CLIENT_FIRST
| SASL_FEAT_ALLOWS_PROXY
- | SASL_FEAT_DONTUSE_USERPASSWD, /* features */
+ | SASL_FEAT_DONTUSE_USERPASSWD
+ | SASL_FEAT_CHANNEL_BINDING, /* features */
NULL, /* glob_context */
&gssapi_server_mech_new, /* mech_new */
&gssapi_server_mech_step, /* mech_step */
@@ -1529,6 +1538,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
SASL_FEAT_WANT_CLIENT_FIRST
| SASL_FEAT_ALLOWS_PROXY
| SASL_FEAT_DONTUSE_USERPASSWD
+ | SASL_FEAT_CHANNEL_BINDING
| SASL_FEAT_SUPPORTS_HTTP, /* features */
&gss_spnego_oid, /* glob_context */
&gssapi_server_mech_new, /* mech_new */
@@ -1662,6 +1672,8 @@ static int gssapi_client_mech_step(void *conn_context,
input_token->value = NULL;
input_token->length = 0;
gss_cred_id_t client_creds = (gss_cred_id_t)params->gss_creds;
+ gss_channel_bindings_t bindings = GSS_C_NO_CHANNEL_BINDINGS;
+ struct gss_channel_bindings_struct cb = {0};
if (clientout)
*clientout = NULL;
@@ -1777,6 +1789,12 @@ static int gssapi_client_mech_step(void *conn_context,
req_flags = req_flags | GSS_C_DELEG_FLAG;
}
+ if (params->cbinding != NULL) {
+ cb.application_data.length = params->cbinding->len;
+ cb.application_data.value = params->cbinding->data;
+ bindings = &cb;
+ }
+
GSS_LOCK_MUTEX_CTX(params->utils, text);
maj_stat = gss_init_sec_context(&min_stat,
client_creds, /* GSS_C_NO_CREDENTIAL */
@@ -1785,7 +1803,7 @@ static int gssapi_client_mech_step(void *conn_context,
text->mech_type,
req_flags,
0,
- GSS_C_NO_CHANNEL_BINDINGS,
+ bindings,
input_token,
NULL,
output_token,
@@ -2190,7 +2208,8 @@ static sasl_client_plug_t gssapi_client_plugins[] =
| SASL_SEC_PASS_CREDENTIALS, /* security_flags */
SASL_FEAT_NEEDSERVERFQDN
| SASL_FEAT_WANT_CLIENT_FIRST
- | SASL_FEAT_ALLOWS_PROXY, /* features */
+ | SASL_FEAT_ALLOWS_PROXY
+ | SASL_FEAT_CHANNEL_BINDING, /* features */
gssapi_required_prompts, /* required_prompts */
GSS_C_NO_OID, /* glob_context */
&gssapi_client_mech_new, /* mech_new */
@@ -2213,6 +2232,7 @@ static sasl_client_plug_t gssapi_client_plugins[] =
SASL_FEAT_NEEDSERVERFQDN
| SASL_FEAT_WANT_CLIENT_FIRST
| SASL_FEAT_ALLOWS_PROXY
+ | SASL_FEAT_CHANNEL_BINDING
| SASL_FEAT_SUPPORTS_HTTP, /* features */
gssapi_required_prompts, /* required_prompts */
&gss_spnego_oid, /* glob_context */
|
