gssapi 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4900e3de24fcb1b4bd1e1f6e4beece74187ac663
-  data.tar.gz: 25cd31e5aacea658b701c8870a9d14ce6bb735bf
+SHA256:
+  metadata.gz: e6ab2e07f67767b64527b373d0c6ea265c54d4f4540f2f3821c1b3e013180cc8
+  data.tar.gz: 136299a62f83e238d6f711df62bcc61788112e26a4ae6089c973262226d8a0f9
 SHA512:
-  metadata.gz: d0bf8e7383f210b60f3b9e8207d8a6fd15caea5712dc247e2e3fc014de1f527349e8e97e1110a47f7512ff62622052db2cce1ff1320274a498b4aea3e4604c4d
-  data.tar.gz: 8ae992ceaab77f81815aa836181cc8b929c93b0b58b129d1a27a7f186739384127ee0fdc47105564ffa13c767a4ee20a8926f143bd5b98710c5a2a24a9666669
+  metadata.gz: c771726133a21b478516798b3e5ae969fe2620a0d808531ba0e081cd0437a3a61cb50d7616ffb7f446c63111312c3a5f97016cbccfd3bc7c1f1c530fef7ddc45
+  data.tar.gz: b1a9e90de99f477dd3af1f2a8db990b6a4093389754da6e5df1212e368d99d7fbc7a3c47591506cab3083c4fd123ce73dc70e22b9b2c29e642749d19e7e47321

data/.gitignore

@@ -0,0 +1,11 @@
+Gemfile.lock
+
+# RVM setup
+/.ruby-version
+/.ruby-gemset
+
+# Vim swap files
+*.sw[op]
+
+# VS Code Dir
+/.vscode

data/Changelog.md

@@ -12,3 +12,12 @@
 
 ## Version 1.2.0
   * Move IOV and AEAD to gssapi/extensions.rb so it can be loaded separately when needed
+
+## Version 1.3.0
+
+Sorry everyone that this has taken so long to go out. I don't really work much
+with GSSAPI so it hasn't been a priority for me.
+
+  * Implemented delegation and added verify_mic. Thanks @mfazekas
+  * Add loading of MIT GSS libs for solaris/smartos. Thanks @fac
+  * Fix corruption in iov_decrypt example. Thanks @Iristyle

data/VERSION

@@ -1 +1 @@
-1.2.0
+1.3.0

data/examples/gss_iov_helpers.rb

@@ -47,7 +47,7 @@ module GssIOVHelpers
 
     len = str.unpack("L").first
     puts "LEN: #{len}"
-    iov_data = str.unpack("LA#{len}A*")
+    iov_data = str.unpack("La#{len}a*")
     iov0[:buffer].value = iov_data[1]
     iov1[:buffer].value = iov_data[2]
 

data/lib/gssapi/lib_gssapi.rb

@@ -281,6 +281,9 @@ module GSSAPI
     # OM_uint32 gss_get_mic(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, gss_qop_t qop_req, const gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer)
     attach_function :gss_get_mic, [:pointer, :pointer, :OM_uint32, :pointer, :pointer], :OM_uint32
 
+    # OM_uint32 gss_verify_mic (OM_uint32          *minor_status,const gss_ctx_id_t context_handle, const gss_buffer_t message_buffer,const gss_buffer_t token_buffer, gss_qop_t          qop_state)
+    attach_function :gss_verify_mic, [:pointer, :pointer, :pointer, :pointer, :OM_uint32], :OM_uint32
+
     # OM_uint32 gss_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t output_token);
     attach_function :gss_delete_sec_context, [:pointer, :pointer, :pointer], :OM_uint32
 

data/lib/gssapi/lib_gssapi_loader.rb

@@ -30,6 +30,8 @@ module GSSAPI
         gssapi32_path = ENV['gssapi32'] ? ENV['gssapi32'] : 'C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll'
         ffi_lib gssapi32_path, FFI::Library::LIBC  # Required the MIT Kerberos libraries to be installed
         ffi_convention :stdcall
+      when /solaris/
+        ffi_lib 'libgss.so', 'mech_krb5.so', FFI::Library::LIBC
       else
         raise LoadError, "This host OS (#{host_os}) is not supported by ruby gssapi and the MIT libraries."
       end

data/lib/gssapi/simple.rb

@@ -59,6 +59,7 @@ module GSSAPI
     # @option opts [Fixnum] :flags override all other flags.  If you set the :delegate option this option will override it.
     #   @see http://tools.ietf.org/html/rfc4121#section-4.1.1.1
     # @option opts [Boolean] :delegate if true set the credential delegate flag
+    #              [Credentials] :credentials set to open the context in behalf of someone (delegated_credentials)
     # @return [String, true] if a continuation flag is set it will return the output token that is needed to send
     #   to the remote host.  Otherwise it returns true and the GSS security context has been established.
     def init_context(in_token = nil, opts = {})
@@ -79,7 +80,7 @@ module GSSAPI
 
 
       maj_stat = LibGSSAPI.gss_init_sec_context(min_stat,
-                                                nil,
+                                                opts[:credentials],
                                                 pctx,
                                                 @int_svc_name,
                                                 mech,
@@ -162,6 +163,16 @@ module GSSAPI
       out_buff.value
     end
 
+    def verify_mic(token,mic)
+      min_stat = FFI::MemoryPointer.new :OM_uint32
+      in_buff = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
+      in_buff.value = token
+      mic_buff = GSSAPI::LibGSSAPI::UnManagedGssBufferDesc.new
+      mic_buff.value = mic
+      maj_stat = GSSAPI::LibGSSAPI.gss_verify_mic(min_stat, @context, in_buff.pointer, mic_buff.pointer, 0)
+      raise GssApiError.new(maj_stat, min_stat), "Failed to gss_verify_mic" if maj_stat != 0
+      return (maj_stat == 0)
+    end
 
     # Get textual representation of internal GSS name
     # @return [String] textual representation of internal GSS name

data/test/spec/gssapi_simple_spec.rb

@@ -6,19 +6,65 @@ require 'yaml'
 
 describe GSSAPI::Simple, 'Test the Simple GSSAPI interface' do
 
-  before :all do
-    @conf = YAML.load_file "#{File.dirname(__FILE__)}/conf_file.yaml"
-  end
+  let(:conf) { YAML.load_file "#{File.dirname(__FILE__)}/conf_file.yaml" }
+  let(:cli) { GSSAPI::Simple.new(conf['s_host'], conf['s_service']) }
+  let(:srv ) { GSSAPI::Simple.new(conf['s_host'], conf['s_service'], conf['keytab']) }
 
   it 'should get the initial context for a client' do
-    gsscli = GSSAPI::Simple.new(@conf[:c_host], @conf[:c_service])
-    token = gsscli.init_context
-    token.should_not be_empty
+    token = cli.init_context
+    expect(token).not_to be_empty
   end
 
   it 'should acquire credentials for a server service' do
-    gsscli = GSSAPI::Simple.new(@conf[:s_host], @conf[:s_service], @conf[:keytab])
-    gsscli.acquire_credentials.should be_true
+    expect(srv.acquire_credentials).to eq(true)
   end
 
+  def play_handshake(cli,srv,clioptions={})
+    clitoken = cli.init_context(nil, clioptions)
+    expect(clitoken).not_to be_empty
+
+    expect(srv.acquire_credentials).to eq(true)
+
+    srvoktok = srv.accept_context(clitoken)
+    expect(srvoktok).not_to be_empty
+
+    ret = cli.init_context(srvoktok)
+    expect(ret).to eq(true)
+  end
+
+  it 'client server should handshake' do
+    play_handshake(cli,srv)
+  end
+
+  it 'mic' do
+    play_handshake(cli,srv)
+
+    secret = "this is secreta"
+
+    mic = cli.get_mic(secret)
+
+    expect(srv.verify_mic(secret,mic)).to eq(true)
+  end
+
+  context "no delegation" do
+    it "sets delegated_credentials to nil" do
+      play_handshake(cli,srv,:delegate => false)
+      expect(srv.delegated_credentials).to be_nil
+    end
+  end
+
+  describe "delegation" do
+    it "sets delegated_credentials to valid" do
+      play_handshake(cli,srv,:delegate => true)
+      expect(srv.delegated_credentials).not_to be_nil
+      delegated_display_name = srv.display_name
+
+      host2 = conf['s_host2'] || conf['s_host']
+      service2 = conf['s_service2'] || conf['s_service']
+      cli_del = GSSAPI::Simple.new(host2, service2)
+      srv_del = GSSAPI::Simple.new(host2, service2, conf['keytab2'])
+      play_handshake(cli_del,srv_del,:credentials => srv.delegated_credentials)
+      expect(srv_del.display_name).to eq(delegated_display_name)
+    end
+  end
 end

data/test/spec/test_buffer_spec.rb

@@ -10,6 +10,6 @@ describe GSSAPI::LibGSSAPI::UnManagedGssBufferDesc, 'Unmanaged Buffer Test' do
     end
 
     # If we get here without any errors we should be golden
-    true.should be_true
+    expect(true).to eq(true)
   end
 end

metadata

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: gssapi
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Dan Wanek
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-09-20 00:00:00.000000000 Z
+date: 2019-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.1
 description: |2
@@ -38,6 +38,7 @@ extra_rdoc_files:
 - COPYING
 - Changelog.md
 files:
+- ".gitignore"
 - COPYING
 - Changelog.md
 - Gemfile
@@ -66,25 +67,25 @@ licenses:
 metadata: {}
 post_install_message: 
 rdoc_options:
-- -x
+- "-x"
 - test/
-- -x
+- "-x"
 - examples/
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.7.9
 signing_key: 
 specification_version: 4
 summary: A FFI wrapper around the system GSSAPI library.