gssapi 1.1.0 → 1.3.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3783cdc3cf7cac849ba482b3b03e5f73593f91beab95e31b8dfdd296a8cd0e4a
+  data.tar.gz: 11d7a7b367ad6f7e8f3420c094976dceee1bdedb7907bef5614e6a5846164cb4
+SHA512:
+  metadata.gz: 462afcc325ae6e9c0c3b63ba711569bda177c6443792031a857a01808ba63e9e5a90c0cc455518c431e39275dc68421b6b426a89bd6cb5bd61a5aebd53a04a3b
+  data.tar.gz: d76e23ca9d859dc7a11589c8490d92c455e6874336efc00a070442f695713aa5adcc008767fc3943176aaec8a4dfe0f86b5f70cfc003650ab33f0d4bfea9d916

data/.gitignore

@@ -0,0 +1,11 @@
+Gemfile.lock
+
+# RVM setup
+/.ruby-version
+/.ruby-gemset
+
+# Vim swap files
+*.sw[op]
+
+# VS Code Dir
+/.vscode

data/Changelog.md

@@ -0,0 +1,23 @@
+## Version 1.1.1
+  * Allow GssApiError to be initialized with string.
+  * Add display_name wrapper for gss_display_name to GSSAPI::Simple
+  * gss_iov examples
+  * Ruby 1.8.x support
+  * Change loader for MIT and Heimdal to be a bit cleaner. Fix syntax in simple.rb
+  * Do a gss_acquire_cred for every connection to the server.
+  * updating path to gssapi32.dll
+
+## Version 1.1.2
+  * add gss_get_mic
+
+## Version 1.2.0
+  * Move IOV and AEAD to gssapi/extensions.rb so it can be loaded separately when needed
+
+## Version 1.3.0
+
+Sorry everyone that this has taken so long to go out. I don't really work much
+with GSSAPI so it hasn't been a priority for me.
+
+  * Implemented delegation and added verify_mic. Thanks @mfazekas
+  * Add loading of MIT GSS libs for solaris/smartos. Thanks @fac
+  * Fix corruption in iov_decrypt example. Thanks @Iristyle

data/Gemfile

@@ -0,0 +1,2 @@
+source "https://rubygems.org"
+gemspec

data/README.md

@@ -0,0 +1,22 @@
+# Ruby GSSAPI Library
+
+This is a wrapper around the system GSSAPI library (MIT only at this time).  It exposes the low-level GSSAPI methods like gss_init_sec_context and gss_wrap and also provides an easier to use wrapper on top of this for common usage scenarios.
+
+
+I'm going to try and maintain most of the docs in the Github WIKI for this project so please check there for documentation and examples.
+
+https://github.com/zenchild/gssapi/wiki
+
+
+Also check out the examples directory for some stubbed out client/server examples.
+
+
+## Note on IOV and AEAD functions
+
+If you require the IOV and AEAD functions you will have to `require "gssapi/extensions"` to gain access to them.
+
+
+#### License
+
+Copyright © 2010 Dan Wanek <dan.wanek@gmail.com>
+Ruby gssapi is licensed under the MIT license (see COPYING)

data/Rakefile

@@ -1,29 +1,11 @@
-desc "Build the gem"
-task :gem do
-    system "gem build gssapi.gemspec"
-end
-
-desc "Clean the build environment"
-task :clean do
-    system "rm gssapi*.gem"
-end
-
-desc "Increment the version by 1 minor release"
-task :versionup do
-	ver = up_min_version
-	puts "New version: #{ver}"
-end
-
-
-def up_min_version
-	f = File.open('VERSION', 'r+')
-	ver = f.readline.chomp
-	v_arr = ver.split(/\./).map do |v|
-		v.to_i
-	end
-	v_arr[2] += 1
-	ver = v_arr.join('.')
-	f.rewind
-	f.write(ver)
-	ver
+require "bundler/gem_tasks"
+
+desc "Open a Pry Console"
+task :console do
+  require "pry"
+  require "pathname"
+  $: << (Pathname(__FILE__).dirname + "lib").to_s
+  require "gssapi"
+  ARGV.clear
+  Pry.start
 end

data/VERSION

@@ -1 +1 @@
-1.1.0
+1.3.1

data/examples/gss_iov_helpers.rb

@@ -47,7 +47,7 @@ module GssIOVHelpers
 
     len = str.unpack("L").first
     puts "LEN: #{len}"
-    iov_data = str.unpack("LA#{len}A*")
+    iov_data = str.unpack("La#{len}a*")
     iov0[:buffer].value = iov_data[1]
     iov1[:buffer].value = iov_data[2]
 

data/gssapi.gemspec

@@ -4,21 +4,22 @@ $:.unshift lib unless $:.include?(lib)
 require 'date'
 
 Gem::Specification.new do |gem|
-  gem.name = "gssapi"
-  gem.version = File.open('VERSION').readline.chomp
-  gem.date		= Date.today.to_s
+  gem.name     = "gssapi"
+  gem.version  = File.open('VERSION').readline.chomp
+  gem.date     = Date.today.to_s
   gem.platform = Gem::Platform::RUBY
   gem.rubyforge_project  = nil
 
   gem.author = "Dan Wanek"
   gem.email = "dan.wanek@gmail.com"
   gem.homepage = "http://github.com/zenchild/gssapi"
+  gem.license = "MIT"
 
   gem.summary = "A FFI wrapper around the system GSSAPI library."
   gem.description	= <<-EOF
     A FFI wrapper around the system GSSAPI library. Please make sure and read the
     Yard docs or standard GSSAPI documentation if you have any questions.
-    
+
     There is also a class called GSSAPI::Simple that wraps many of the common features
     used for GSSAPI.
   EOF
@@ -26,8 +27,10 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split(/\n/)
   gem.require_path = "lib"
   gem.rdoc_options	= %w(-x test/ -x examples/)
-  gem.extra_rdoc_files = %w(README.textile COPYING)
+  gem.extra_rdoc_files = %w(README.md COPYING Changelog.md)
 
   gem.required_ruby_version	= '>= 1.8.7'
   gem.add_runtime_dependency  'ffi', '>= 1.0.1'
+
+  gem.add_development_dependency "pry-byebug"
 end

data/lib/gssapi/exceptions.rb

@@ -11,6 +11,14 @@ module GSSAPI
     def message; to_s + ": " + @s; end
 
     def initialize(maj_stat = nil, min_stat = nil)
+
+      # If raised as class (raise GssApiError, "msg) the error message is given
+      # as the first parameter.
+      if maj_stat.class == String
+        @s = maj_stat
+        return super maj_stat
+      end
+
       if(maj_stat.nil? && min_stat.nil?)
         @s = '(no error info)'
       else

data/lib/gssapi/extensions.rb

@@ -0,0 +1,40 @@
+=begin
+Copyright © 2014 Dan Wanek <dan.wanek@gmail.com>
+
+Licensed under the MIT License: http://www.opensource.org/licenses/mit-license.php
+=end
+module GSSAPI
+  module LibGSSAPI
+
+    # Some versions of GSSAPI might not have support for IOV yet.
+    begin
+      # OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_iov( OM_uint32 * minor_status, gss_ctx_id_t  context_handle,
+      #   int conf_req_flag, gss_qop_t  qop_req, int *  conf_state, gss_iov_buffer_desc *  iov, int  iov_count );
+      attach_function :gss_wrap_iov, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :int], :OM_uint32
+
+      # OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap_iov ( OM_uint32 * minor_status, gss_ctx_id_t context_handle,
+      #   int * conf_state, gss_qop_t * qop_state, gss_iov_buffer_desc * iov, int iov_count )
+      attach_function :gss_unwrap_iov, [:pointer, :pointer, :pointer, :pointer, :pointer, :int], :OM_uint32
+
+      # OM_uint32 GSSAPI_LIB_CALL gss_wrap_iov_length ( OM_uint32 * minor_status, gss_ctx_id_t context_handle,
+      #   int conf_req_flag, gss_qop_t  qop_req, int *  conf_state, gss_iov_buffer_desc * iov, int iov_count)
+      attach_function :gss_wrap_iov_length, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :int], :OM_uint32
+    rescue FFI::NotFoundError => ex
+      warn "WARNING: Could not load IOV methods. Check your GSSAPI C library for an update"
+    end
+
+    begin
+      # OM_uint32 gss_wrap_aead(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag,
+      #   gss_qop_t qop_req, gss_buffer_t input_assoc_buffer,
+      #   gss_buffer_t input_payload_buffer, int * conf_state, gss_buffer_t output_message_buffer);
+      attach_function :gss_wrap_aead, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :pointer, :pointer], :OM_uint32
+
+      # OM_uint32 gss_unwrap_aead(OM_uint32 * minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer,
+      #   gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int * conf_state, gss_qop_t * qop_state);
+      attach_function :gss_unwrap_aead, [:pointer,:pointer,:pointer,:pointer,:pointer,:pointer,:pointer], :OM_uint32
+    rescue FFI::NotFoundError => ex
+      warn "WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update"
+    end
+
+  end
+end

data/lib/gssapi/lib_gssapi.rb

@@ -158,7 +158,7 @@ module GSSAPI
 
       def self.release(ptr)
         if( ptr.address == 0 )
-          puts "NULL POINTER: Not freeing" if $DEBUG
+          puts "Releasing #{self.name} NULL POINTER: Not freeing" if $DEBUG
           return
         else
           puts "Releasing #{self.name} at #{ptr.address.to_s(16)}" if $DEBUG
@@ -179,11 +179,13 @@ module GSSAPI
     class GssCtxIdT < GssPointer
       def self.release_ptr(context_ptr)
         min_stat = FFI::MemoryPointer.new :OM_uint32
-        maj_stat = LibGSSAPI.gss_delete_sec_context(min_stat, context_ptr, LibGSSAPI::GSS_C_NO_BUFFER)
+        ptr_p = FFI::MemoryPointer.new :pointer
+        ctx_ptr = ptr_p.write_pointer(context_ptr)
+        maj_stat = LibGSSAPI.gss_delete_sec_context(min_stat, ctx_ptr, LibGSSAPI::GSS_C_NO_BUFFER)
       end
 
       def self.gss_c_no_context
-        self.new(GSSAPI::LibGSSAPI::GSS_C_NO_CONTEXT)
+        GssPointer.new(GSSAPI::LibGSSAPI::GSS_C_NO_CONTEXT)
       end
     end
 
@@ -257,6 +259,9 @@ module GSSAPI
     #   gss_buffer_t output_token, OM_uint32 *ret_flags, OM_uint32 *time_rec, gss_cred_id_t *delegated_cred_handle);
     attach_function :gss_accept_sec_context, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :OM_uint32
 
+    # OM_uint32 gss_display_name(OM_uint32 * minor_status, gss_name_t input_name, gss_buffer_t output_name_buffer, gss_OID * output_name_type);
+    attach_function :gss_display_name, [:pointer, :pointer, :pointer, :pointer], :OM_uint32
+
     # OM_uint32 gss_acquire_cred(OM_uint32 *minor_status, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs,
     #   gss_cred_usage_t cred_usage, gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, OM_uint32 *time_rec);
     attach_function :gss_acquire_cred, [:pointer, :pointer, :OM_uint32, :pointer, :OM_uint32, :pointer, :pointer, :pointer], :OM_uint32
@@ -267,36 +272,6 @@ module GSSAPI
     #   min_stat = FFI::MemoryPointer.new :OM_uint32
     # Remember to free the allocated output_message_buffer with gss_release_buffer
     attach_function :gss_wrap, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :pointer], :OM_uint32
-    
-    # Some versions of GSSAPI might not have support for IOV yet.
-    begin
-      # OM_uint32 GSSAPI_LIB_FUNCTION gss_wrap_iov( OM_uint32 * minor_status, gss_ctx_id_t  context_handle,
-      #   int conf_req_flag, gss_qop_t  qop_req, int *  conf_state, gss_iov_buffer_desc *  iov, int  iov_count );
-      attach_function :gss_wrap_iov, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :int], :OM_uint32
-
-      # OM_uint32 GSSAPI_LIB_FUNCTION gss_unwrap_iov ( OM_uint32 * minor_status, gss_ctx_id_t context_handle,
-      #   int * conf_state, gss_qop_t * qop_state, gss_iov_buffer_desc * iov, int iov_count )
-      attach_function :gss_unwrap_iov, [:pointer, :pointer, :pointer, :pointer, :pointer, :int], :OM_uint32
-
-      # OM_uint32 GSSAPI_LIB_CALL gss_wrap_iov_length ( OM_uint32 * minor_status, gss_ctx_id_t context_handle,
-      #   int conf_req_flag, gss_qop_t  qop_req, int *  conf_state, gss_iov_buffer_desc * iov, int iov_count)
-      attach_function :gss_wrap_iov_length, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :int], :OM_uint32
-    rescue FFI::NotFoundError => ex
-      warn "WARNING: Could not load IOV methods. Check your GSSAPI C library for an update"
-    end
-    
-    begin
-      # OM_uint32 gss_wrap_aead(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int conf_req_flag,
-      #   gss_qop_t qop_req, gss_buffer_t input_assoc_buffer,
-      #   gss_buffer_t input_payload_buffer, int * conf_state, gss_buffer_t output_message_buffer);
-      attach_function :gss_wrap_aead, [:pointer, :pointer, :int, :OM_uint32, :pointer, :pointer, :pointer, :pointer], :OM_uint32
-
-      # OM_uint32 gss_unwrap_aead(OM_uint32 * minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer,
-      #   gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int * conf_state, gss_qop_t * qop_state);
-      attach_function :gss_unwrap_aead, [:pointer,:pointer,:pointer,:pointer,:pointer,:pointer,:pointer], :OM_uint32
-    rescue FFI::NotFoundError => ex
-      warn "WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update"
-    end
 
     # OM_uint32  gss_unwrap(OM_uint32  *  minor_status, const gss_ctx_id_t context_handle,
     #   const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer, int * conf_state, gss_qop_t * qop_state);
@@ -305,6 +280,12 @@ module GSSAPI
     # Remember to free the allocated output_message_buffer with gss_release_buffer
     attach_function :gss_unwrap, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :OM_uint32
 
+    # OM_uint32 gss_get_mic(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer)
+    attach_function :gss_get_mic, [:pointer, :pointer, :OM_uint32, :pointer, :pointer], :OM_uint32
+
+    # OM_uint32 gss_verify_mic (OM_uint32          *minor_status,const gss_ctx_id_t context_handle, const gss_buffer_t message_buffer,const gss_buffer_t token_buffer, gss_qop_t          qop_state)
+    attach_function :gss_verify_mic, [:pointer, :pointer, :pointer, :pointer, :OM_uint32], :OM_uint32
+
     # OM_uint32 gss_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t output_token);
     attach_function :gss_delete_sec_context, [:pointer, :pointer, :pointer], :OM_uint32
 
@@ -324,6 +305,9 @@ module GSSAPI
     # OM_uint32 gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, int status_type, gss_OID mech_type, OM_uint32 *message_context, gss_buffer_t status_string)
     attach_function :gss_display_status, [:pointer, :OM_uint32, :int, :pointer, :pointer, :pointer], :OM_uint32
 
+    # OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, gss_cred_id_t cred_handle, krb5_ccache out_ccache)
+    attach_function :gss_krb5_copy_ccache, [:pointer, :pointer, :pointer], :OM_uint32
+
     # Variable definitions
     # --------------------
 

data/lib/gssapi/lib_gssapi_loader.rb

@@ -17,22 +17,26 @@ module GSSAPI
 
 
     def self.load_mit
-      case RUBY_PLATFORM
+      host_os = RbConfig::CONFIG['host_os']
+      case host_os
       when /linux/
         gssapi_lib = 'libgssapi_krb5.so.2'
+        ffi_lib gssapi_lib, FFI::Library::LIBC
       when /darwin/
         gssapi_lib = '/usr/lib/libgssapi_krb5.dylib'
+        ffi_lib gssapi_lib, FFI::Library::LIBC
       when /mswin|mingw32|windows/
         # Pull the gssapi32 path from the environment if it exist, otherwise use the default in Program Files
         gssapi32_path = ENV['gssapi32'] ? ENV['gssapi32'] : 'C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll'
         ffi_lib gssapi32_path, FFI::Library::LIBC  # Required the MIT Kerberos libraries to be installed
         ffi_convention :stdcall
+      when /solaris/
+        ffi_lib 'libgss.so', 'mech_krb5.so', FFI::Library::LIBC
       else
-        raise LoadError, "This platform (#{RUBY_PLATFORM}) is not supported by ruby gssapi and the MIT libraries."
+        raise LoadError, "This host OS (#{host_os}) is not supported by ruby gssapi and the MIT libraries."
       end
-      ffi_lib gssapi_lib, FFI::Library::LIBC
 
-      # -------------------- MIT Specifics -------------------- 
+      # -------------------- MIT Specifics --------------------
       attach_variable :__GSS_C_NT_HOSTBASED_SERVICE, :GSS_C_NT_HOSTBASED_SERVICE, :pointer # type gss_OID
       attach_variable :__GSS_C_NT_EXPORT_NAME, :GSS_C_NT_EXPORT_NAME, :pointer # type gss_OID
       LibGSSAPI.const_set("GSS_C_NT_HOSTBASED_SERVICE", __GSS_C_NT_HOSTBASED_SERVICE)
@@ -40,25 +44,26 @@ module GSSAPI
     end
 
     def self.load_heimdal
-      case RUBY_PLATFORM
+      host_os = RbConfig::CONFIG['host_os']
+      case host_os
       when /linux/
         gssapi_lib = 'libgssapi.so.3'
       when /darwin/
         # use Heimdal Kerberos since Mac MIT Kerberos is OLD. Do a "require 'gssapi/heimdal'" first
         gssapi_lib = '/usr/heimdal/lib/libgssapi.dylib'
       else
-        raise LoadError, "This platform (#{RUBY_PLATFORM}) is not supported by ruby gssapi and the Heimdal libraries."
+        raise LoadError, "This host OS (#{host_os}) is not supported by ruby gssapi and the Heimdal libraries."
       end
       ffi_lib gssapi_lib, FFI::Library::LIBC
 
-      # ------------------ Heimdal Specifics ------------------ 
+      # ------------------ Heimdal Specifics ------------------
       attach_variable :__gss_c_nt_hostbased_service_oid_desc, GssOID
       attach_variable :__gss_c_nt_export_name_oid_desc, GssOID
       LibGSSAPI.const_set("GSS_C_NT_HOSTBASED_SERVICE", FFI::Pointer.new(__gss_c_nt_hostbased_service_oid_desc.to_ptr))
       LibGSSAPI.const_set("GSS_C_NT_EXPORT_NAME", FFI::Pointer.new(__gss_c_nt_export_name_oid_desc.to_ptr))
     end
 
-    # Heimdal supported the *_iov functions befor MIT did so in some OS distributions if
+    # Heimdal supported the *_iov functions before MIT did so in some OS distributions if
     # you need IOV support and MIT does not provide it try the Heimdal libs and then
     # before doing a "require 'gssapi'" do a "require 'gssapi/heimdal'" and that will attempt
     # to load the Heimdal libs

data/lib/gssapi/simple.rb

@@ -10,6 +10,7 @@ module GSSAPI
   class Simple
 
     attr_reader :context
+    attr_reader :delegated_credentials
 
     # Initialize a new GSSAPI::Simple object
     # @param [String] host_name the fully qualified host name
@@ -26,6 +27,7 @@ module GSSAPI
       @context = nil # the security context
       @scred = nil # the service credentials.  really only used for the server-side via acquire_credentials
       set_keytab(keytab) unless keytab.nil?
+      @delegated_credentials = nil
     end
 
 
@@ -57,11 +59,12 @@ module GSSAPI
     # @option opts [Fixnum] :flags override all other flags.  If you set the :delegate option this option will override it.
     #   @see http://tools.ietf.org/html/rfc4121#section-4.1.1.1
     # @option opts [Boolean] :delegate if true set the credential delegate flag
+    #              [Credentials] :credentials set to open the context in behalf of someone (delegated_credentials)
     # @return [String, true] if a continuation flag is set it will return the output token that is needed to send
     #   to the remote host.  Otherwise it returns true and the GSS security context has been established.
     def init_context(in_token = nil, opts = {})
       min_stat = FFI::MemoryPointer.new :OM_uint32
-      ctx = (@context.nil? ? LibGSSAPI::GssCtxIdT.gss_c_no_context.address_of : @context.address_of)
+      pctx = (@context.nil? ? LibGSSAPI::GssCtxIdT.gss_c_no_context.address_of : @context.address_of)
       mech = LibGSSAPI::GssOID.gss_c_no_oid
       if(opts[:flags])
         flags = opts[:flags]
@@ -77,8 +80,8 @@ module GSSAPI
 
 
       maj_stat = LibGSSAPI.gss_init_sec_context(min_stat,
-                                                nil,
-                                                ctx,
+                                                opts[:credentials],
+                                                pctx,
                                                 @int_svc_name,
                                                 mech,
                                                 flags,
@@ -91,8 +94,13 @@ module GSSAPI
                                                 nil)
 
       raise GssApiError.new(maj_stat, min_stat), "gss_init_sec_context did not return GSS_S_COMPLETE" if maj_stat > 1
-      
-      @context = LibGSSAPI::GssCtxIdT.new(ctx.get_pointer(0))
+
+      # The returned context may be equal to the passed in @context. If so, we
+      # must not create another AutoPointer to the same gss_buffer_t. If we do
+      # we will double delete it.
+      ctx = pctx.get_pointer(0)
+      @context = LibGSSAPI::GssCtxIdT.new(ctx) if ctx != @context
+
       maj_stat == 1 ? out_tok.value : true
     end
 
@@ -105,33 +113,88 @@ module GSSAPI
       raise GssApiError, "No credentials yet acquired. Call #{self.class.name}#acquire_credentials first" if @scred.nil?
 
       min_stat = FFI::MemoryPointer.new :OM_uint32
-      ctx = (@context.nil? ? LibGSSAPI::GssCtxIdT.gss_c_no_context.address_of : @context.address_of)
+      pctx = (@context.nil? ? LibGSSAPI::GssCtxIdT.gss_c_no_context.address_of : @context.address_of)
       no_chn_bind = LibGSSAPI::GSS_C_NO_CHANNEL_BINDINGS
-      client = FFI::MemoryPointer.new :pointer  # Will hold the initiating client name after the call
+      @client = FFI::MemoryPointer.new :pointer  # Will hold the initiating client name after the call
       mech = FFI::MemoryPointer.new :pointer  # Will hold the mech being used after the call
       in_tok = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
       in_tok.value = in_token
       out_tok = GSSAPI::LibGSSAPI::ManagedGssBufferDesc.new
       ret_flags = FFI::MemoryPointer.new :OM_uint32
+      delegated_cred_handle = FFI::MemoryPointer.new :pointer
 
       maj_stat = LibGSSAPI.gss_accept_sec_context(min_stat,
-                                                  ctx,
+                                                  pctx,
                                                   @scred,
                                                   in_tok.pointer,
                                                   no_chn_bind,
-                                                  client,
+                                                  @client,
                                                   mech,
                                                   out_tok.pointer,
                                                   ret_flags,
-                                                  nil, nil)
+                                                  nil,
+                                                  delegated_cred_handle)
 
       raise GssApiError.new(maj_stat, min_stat), "gss_accept_sec_context did not return GSS_S_COMPLETE" if maj_stat > 1
 
-      @context = LibGSSAPI::GssCtxIdT.new(ctx.get_pointer(0))
+      if (ret_flags.read_uint32 & LibGSSAPI::GSS_C_DELEG_FLAG) != 0
+        @delegated_credentials = LibGSSAPI::GssCredIdT.new(delegated_cred_handle.get_pointer(0))
+      end
+
+      # The returned context may be equal to the passed in @context. If so, we
+      # must not create another AutoPointer to the same gss_buffer_t. If we do
+      # we will double delete it.
+      ctx = pctx.get_pointer(0)
+      @context = LibGSSAPI::GssCtxIdT.new(ctx) if ctx != @context
+
       out_tok.length > 0 ? out_tok.value : true
     end
 
 
+    def get_mic(token)
+
+      min_stat = FFI::MemoryPointer.new :OM_uint32
+      qop_req = GSSAPI::LibGSSAPI::GSS_C_QOP_DEFAULT
+      in_buff = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
+      in_buff.value = token
+      out_buff = GSSAPI::LibGSSAPI::ManagedGssBufferDesc.new
+      maj_stat = GSSAPI::LibGSSAPI.gss_get_mic(min_stat, @context, qop_req, in_buff.pointer, out_buff.pointer)
+      raise GssApiError.new(maj_stat, min_stat), "Failed to gss_get_mic" if maj_stat != 0
+      out_buff.value
+    end
+
+    def verify_mic(token,mic)
+      min_stat = FFI::MemoryPointer.new :OM_uint32
+      in_buff = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
+      in_buff.value = token
+      mic_buff = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
+      mic_buff.value = mic
+      maj_stat = GSSAPI::LibGSSAPI.gss_verify_mic(min_stat, @context, in_buff.pointer, mic_buff.pointer, 0)
+      raise GssApiError.new(maj_stat, min_stat), "Failed to gss_verify_mic" if maj_stat != 0
+      return (maj_stat == 0)
+    end
+
+    # Get textual representation of internal GSS name
+    # @return [String] textual representation of internal GSS name
+    def display_name
+      raise GssApiError.new(), "No context accepted yet. Call #{self.class.name}#accept_context(in_token) first" if @client.nil?
+
+      output_name = GSSAPI::LibGSSAPI::ManagedGssBufferDesc.new
+
+      min_stat = FFI::MemoryPointer.new :OM_uint32
+      maj_stat = LibGSSAPI.gss_display_name(min_stat,
+                                            @client.get_pointer(0),
+                                            output_name.pointer,
+                                            nil)
+
+      if maj_stat != GSSAPI::LibGSSAPI::GSS_S_COMPLETE
+        raise GssApiError.new(maj_stat, min_stat),
+          "gss_display_name did not return GSS_S_COMPLETE but #{ maj_stat }"
+      end
+
+      output_name.value
+    end
+
     # Acquire security credentials. This does not log you in. It grabs the credentials from a cred cache or keytab.
     # @param [Hash] opts options to pass to the gss_acquire_cred function.
     # @option opts [String] :usage The credential usage type (:accept, :initiate, :both).  It defaults to 'accept' since

data/test/spec/gssapi_simple_spec.rb

@@ -6,19 +6,65 @@ require 'yaml'
 
 describe GSSAPI::Simple, 'Test the Simple GSSAPI interface' do
 
-  before :all do
-    @conf = YAML.load_file "#{File.dirname(__FILE__)}/conf_file.yaml"
-  end
+  let(:conf) { YAML.load_file "#{File.dirname(__FILE__)}/conf_file.yaml" }
+  let(:cli) { GSSAPI::Simple.new(conf['s_host'], conf['s_service']) }
+  let(:srv ) { GSSAPI::Simple.new(conf['s_host'], conf['s_service'], conf['keytab']) }
 
   it 'should get the initial context for a client' do
-    gsscli = GSSAPI::Simple.new(@conf[:c_host], @conf[:c_service])
-    token = gsscli.init_context
-    token.should_not be_empty
+    token = cli.init_context
+    expect(token).not_to be_empty
   end
 
   it 'should acquire credentials for a server service' do
-    gsscli = GSSAPI::Simple.new(@conf[:s_host], @conf[:s_service], @conf[:keytab])
-    gsscli.acquire_credentials.should be_true
+    expect(srv.acquire_credentials).to eq(true)
   end
 
+  def play_handshake(cli,srv,clioptions={})
+    clitoken = cli.init_context(nil, clioptions)
+    expect(clitoken).not_to be_empty
+
+    expect(srv.acquire_credentials).to eq(true)
+
+    srvoktok = srv.accept_context(clitoken)
+    expect(srvoktok).not_to be_empty
+
+    ret = cli.init_context(srvoktok)
+    expect(ret).to eq(true)
+  end
+
+  it 'client server should handshake' do
+    play_handshake(cli,srv)
+  end
+
+  it 'mic' do
+    play_handshake(cli,srv)
+
+    secret = "this is secreta"
+
+    mic = cli.get_mic(secret)
+
+    expect(srv.verify_mic(secret,mic)).to eq(true)
+  end
+
+  context "no delegation" do
+    it "sets delegated_credentials to nil" do
+      play_handshake(cli,srv,:delegate => false)
+      expect(srv.delegated_credentials).to be_nil
+    end
+  end
+
+  describe "delegation" do
+    it "sets delegated_credentials to valid" do
+      play_handshake(cli,srv,:delegate => true)
+      expect(srv.delegated_credentials).not_to be_nil
+      delegated_display_name = srv.display_name
+
+      host2 = conf['s_host2'] || conf['s_host']
+      service2 = conf['s_service2'] || conf['s_service']
+      cli_del = GSSAPI::Simple.new(host2, service2)
+      srv_del = GSSAPI::Simple.new(host2, service2, conf['keytab2'])
+      play_handshake(cli_del,srv_del,:credentials => srv.delegated_credentials)
+      expect(srv_del.display_name).to eq(delegated_display_name)
+    end
+  end
 end

data/test/spec/test_buffer_spec.rb

@@ -10,6 +10,6 @@ describe GSSAPI::LibGSSAPI::UnManagedGssBufferDesc, 'Unmanaged Buffer Test' do
     end
 
     # If we get here without any errors we should be golden
-    true.should be_true
+    expect(true).to eq(true)
   end
 end

metadata

@@ -1,40 +1,62 @@
 --- !ruby/object:Gem::Specification
 name: gssapi
 version: !ruby/object:Gem::Version
-  version: 1.1.0
-  prerelease: 
+  version: 1.3.1
 platform: ruby
 authors:
 - Dan Wanek
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-02-10 00:00:00.000000000 Z
+date: 2020-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
-  requirement: &17171140 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.1
   type: :runtime
   prerelease: false
-  version_requirements: *17171140
-description: ! "    A FFI wrapper around the system GSSAPI library. Please make sure
-  and read the\n    Yard docs or standard GSSAPI documentation if you have any questions.\n
-  \   \n    There is also a class called GSSAPI::Simple that wraps many of the common
-  features\n    used for GSSAPI.\n"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+      A FFI wrapper around the system GSSAPI library. Please make sure and read the
+      Yard docs or standard GSSAPI documentation if you have any questions.
+
+      There is also a class called GSSAPI::Simple that wraps many of the common features
+      used for GSSAPI.
 email: dan.wanek@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.textile
+- README.md
 - COPYING
+- Changelog.md
 files:
+- ".gitignore"
 - COPYING
-- README.textile
+- Changelog.md
+- Gemfile
+- README.md
 - Rakefile
 - VERSION
 - examples/gss_client.rb
@@ -45,6 +67,7 @@ files:
 - gssapi.gemspec
 - lib/gssapi.rb
 - lib/gssapi/exceptions.rb
+- lib/gssapi/extensions.rb
 - lib/gssapi/heimdal.rb
 - lib/gssapi/lib_gssapi.rb
 - lib/gssapi/lib_gssapi_loader.rb
@@ -53,31 +76,30 @@ files:
 - test/spec/gssapi_simple_spec.rb
 - test/spec/test_buffer_spec.rb
 homepage: http://github.com/zenchild/gssapi
-licenses: []
-post_install_message: 
+licenses:
+- MIT
+metadata: {}
+post_install_message:
 rdoc_options:
-- -x
+- "-x"
 - test/
-- -x
+- "-x"
 - examples/
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 1.8.10
-signing_key: 
-specification_version: 3
+rubygems_version: 3.0.8
+signing_key:
+specification_version: 4
 summary: A FFI wrapper around the system GSSAPI library.
 test_files: []

data/README.textile

@@ -1,16 +0,0 @@
-h1. Ruby GSSAPI Library
-
-p. This is a wrapper around the system GSSAPI library (MIT only at this time).  It exposes the low-level GSSAPI methods like gss_init_sec_context and gss_wrap and also provides an easier to use wrapper on top of this for common usage scenarios.
-
-
-p. I'm going to try and maintain most of the docs in the Github WIKI for this project so please check there for documentation and examples.
-
-https://github.com/zenchild/gssapi/wiki
-
-p. Also check out the examples directory for some stubbed out client/server examples.
-
-
-h4. License
-
-Copyright © 2010 Dan Wanek <dan.wanek@gmail.com>
-Ruby gssapi is licensed under the MIT license (see COPYING)