heimdal
Implement `gss_get_mic_iov` and `gss_verify_mic_iov`
With some limitations:
- I couldn't for the life of me get the test fixture working at all. It's failing lots of stuff on master for me even without my changes. It's tested out in our test environment and it's working fine, but that's probably not very helpful for you. I'll include an example test that I want to include at the bottom.
- Only works for krb5 mechanism; errors for others.
- Only works for non-DCE style messages, if that's a thing for get/verify MIC. I assume it errors with DCE but didn't try b/c we don't use that in our environment.
- Probably only is actually zero copy for SHA1 -- this is also true of wrap/unwrap IOV variants today (SHA1 appears zero-copy, others do not). But should work for all checksum flavors.
- Defined the IOV interface myself to match our use case: get takes a `header`, `padding`, and `trailer` and returns a checksum in the `data` body. Verify takes a `data` body and errors if the verification fails. This might not match what other GSS libraries do for these methods with IOV parameters.
- Could probably share more code but I kept it isolated to make it easy to apply to various versions of the library.
Here's the start of a test I would write in your framework if I could get it working:
```c
#include <err.h>
#include <string.h>
#include <gssapi/gssapi.h>

static void
getverifymic_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
{
    OM_uint32 min_stat, maj_stat;
    gss_iov_buffer_desc iov[4];
    int iov_len;
    char message_data[16] = "0123456789abcdef";

    memset(iov, 0, sizeof(iov));
    iov_len = sizeof(iov)/sizeof(iov[0]);

    /* Library allocates header, padding and trailer; data points at the caller's buffer. */
    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
    iov[1].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
    iov[2].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
    iov[3].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[3].buffer.value = message_data;
    iov[3].buffer.length = 16;

    maj_stat = gss_get_mic_iov(&min_stat, cctx, iov, iov_len);
    if (maj_stat != GSS_S_COMPLETE) {
        errx(1, "gss_get_mic_iov failed: %s", gssapi_err(maj_stat, min_stat, mechoid));
    }

    // XXX Steven: verify and assert, using both IOV and non-iov.
}
```
From discussion on this issue with @lhoward, sounded like my IOV work might be useful. If not, feel free to close. Thanks.
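To make the buffer semantics concrete (what the HEADER/PADDING/TRAILER ALLOCATE flags hand back, why a streaming checksum is what makes the DATA path zero-copy, and the "verify using both IOV and non-IOV" check the posted test leaves as an XXX), here is an added, stand-alone C model. It is not code from this PR or from Heimdal: `iov_buf`, `get_mic_iov`, `verify_mic_iov` and `release_iov` are assumed shapes rather than Heimdal's `gss_iov_buffer_desc` API, SipHash-2-4 stands in for the krb5 checksum, and placing the token in the HEADER buffer is this example's own choice (the PR text describes a different layout, and MIT krb5's variant of these calls takes a `qop_req` argument and returns the token in a separate `GSS_IOV_BUFFER_TYPE_MIC_TOKEN` buffer). The key and message are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* SipHash-2-4 with a streaming update, so DATA buffers are absorbed where they sit (no concatenation). */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(c) do { \
    (c)->v0 += (c)->v1; (c)->v1 = ROTL((c)->v1, 13); (c)->v1 ^= (c)->v0; (c)->v0 = ROTL((c)->v0, 32); \
    (c)->v2 += (c)->v3; (c)->v3 = ROTL((c)->v3, 16); (c)->v3 ^= (c)->v2; \
    (c)->v0 += (c)->v3; (c)->v3 = ROTL((c)->v3, 21); (c)->v3 ^= (c)->v0; \
    (c)->v2 += (c)->v1; (c)->v1 = ROTL((c)->v1, 17); (c)->v1 ^= (c)->v2; (c)->v2 = ROTL((c)->v2, 32); \
} while (0)
typedef struct { uint64_t v0, v1, v2, v3, total; uint8_t tail[8]; size_t tail_len; } sip_ctx;

static uint64_t le64(const uint8_t *p) { uint64_t r = 0; int i; for (i = 7; i >= 0; i--) r = (r << 8) | p[i]; return r; }
static void sip_init(sip_ctx *c, const uint8_t key[16]) {
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    c->v0 = 0x736f6d6570736575ULL ^ k0; c->v1 = 0x646f72616e646f6dULL ^ k1;
    c->v2 = 0x6c7967656e657261ULL ^ k0; c->v3 = 0x7465646279746573ULL ^ k1;
    c->total = 0; c->tail_len = 0;
}
static void sip_update(sip_ctx *c, const uint8_t *p, size_t n) {
    c->total += n;
    while (n--) {                 /* byte-wise, so an 8-byte word may straddle two IOV buffers */
        c->tail[c->tail_len++] = *p++;
        if (c->tail_len == 8) {
            uint64_t m = le64(c->tail);
            c->v3 ^= m; SIPROUND(c); SIPROUND(c); c->v0 ^= m; c->tail_len = 0;
        }
    }
}
static uint64_t sip_final(sip_ctx *c) {
    uint64_t b = c->total << 56; size_t i;
    for (i = 0; i < c->tail_len; i++) b |= (uint64_t)c->tail[i] << (8 * i);
    c->v3 ^= b; SIPROUND(c); SIPROUND(c); c->v0 ^= b; c->v2 ^= 0xff;
    SIPROUND(c); SIPROUND(c); SIPROUND(c); SIPROUND(c);
    return c->v0 ^ c->v1 ^ c->v2 ^ c->v3;
}
/* Known answer from the SipHash paper: key 00..0f over message 00..0e gives 0xa129ca6149be45e5. */
static uint64_t sip_kat(void) {
    uint8_t key[16], msg[15]; int i; sip_ctx c;
    for (i = 0; i < 16; i++) { key[i] = (uint8_t)i; if (i < 15) msg[i] = (uint8_t)i; }
    sip_init(&c, key); sip_update(&c, msg, 15); return sip_final(&c);
}

/* IOV model (assumed shapes, not Heimdal's gss_iov_buffer_desc): type carries kind | flags. */
enum { IOV_DATA = 1, IOV_HEADER = 2, IOV_PADDING = 3, IOV_TRAILER = 4,
       IOV_TYPE_MASK = 0xffff, IOV_FLAG_ALLOCATE = 0x10000, IOV_FLAG_ALLOCATED = 0x20000 };
typedef struct { int type; size_t length; void *value; } iov_buf;
#define MIC_LEN 8

/* Absorb every DATA buffer in order, straight from the caller's memory; emit the little-endian token. */
static void mic_over_data(const uint8_t key[16], const iov_buf *iov, int n, uint8_t out[MIC_LEN]) {
    sip_ctx c; uint64_t t; int i;
    sip_init(&c, key);
    for (i = 0; i < n; i++)
        if ((iov[i].type & IOV_TYPE_MASK) == IOV_DATA) sip_update(&c, iov[i].value, iov[i].length);
    for (t = sip_final(&c), i = 0; i < MIC_LEN; i++) out[i] = (uint8_t)(t >> (8 * i));
}
/* Token goes in HEADER; PADDING/TRAILER flagged ALLOCATE come back empty (a MIC needs neither).
   Returns 0, or -1 when HEADER is missing, a caller-supplied HEADER is too short, or malloc fails. */
static int get_mic_iov(const uint8_t key[16], iov_buf *iov, int n) {
    iov_buf *hdr = NULL; int i;
    for (i = 0; i < n; i++) {
        int kind = iov[i].type & IOV_TYPE_MASK;
        if (kind == IOV_DATA) continue;
        if (iov[i].type & IOV_FLAG_ALLOCATE) {
            iov[i].length = (kind == IOV_HEADER) ? MIC_LEN : 0;
            iov[i].value = iov[i].length ? malloc(iov[i].length) : NULL;
            if (iov[i].length && iov[i].value == NULL) return -1;
            iov[i].type |= IOV_FLAG_ALLOCATED;      /* release_iov() frees only what we allocated */
        } else if (kind == IOV_HEADER && iov[i].length < MIC_LEN) return -1;
        if (kind == IOV_HEADER) hdr = &iov[i];
    }
    if (hdr == NULL) return -1;
    mic_over_data(key, iov, n, hdr->value);
    hdr->length = MIC_LEN;
    return 0;
}
/* Recompute over DATA and compare with HEADER in constant time: 0 = good, 1 = bad MIC, -1 = malformed. */
static int verify_mic_iov(const uint8_t key[16], const iov_buf *iov, int n) {
    const iov_buf *hdr = NULL; uint8_t want[MIC_LEN]; unsigned diff = 0; int i;
    for (i = 0; i < n; i++)
        if ((iov[i].type & IOV_TYPE_MASK) == IOV_HEADER) hdr = &iov[i];
    if (hdr == NULL || hdr->length != MIC_LEN) return -1;   /* a truncated token is an error, never a match */
    mic_over_data(key, iov, n, want);
    for (i = 0; i < MIC_LEN; i++) diff |= want[i] ^ ((const uint8_t *)hdr->value)[i];
    return diff ? 1 : 0;
}
static void release_iov(iov_buf *iov, int n) {
    int i;
    for (i = 0; i < n; i++)
        if (iov[i].type & IOV_FLAG_ALLOCATED) { free(iov[i].value); iov[i].value = NULL; iov[i].length = 0; }
}

/* Same buffer layout as the posted test, with the data split so a SipHash word straddles buffers.
   Returns 0 when every check passes, otherwise the number of the first failing check. */
static int iov_mic_selftest(void) {
    uint8_t key[16], msg[16], ref[MIC_LEN]; iov_buf iov[6], one; int rc = 0;
    memcpy(key, "sixteen-byte-key", 16);     /* constructed demo key */
    memcpy(msg, "0123456789abcdef", 16);     /* constructed message, same as the posted test */
    one.type = IOV_DATA; one.value = msg; one.length = 16;
    mic_over_data(key, &one, 1, ref);        /* non-IOV reference: one contiguous buffer */
    memset(iov, 0, sizeof iov);
    iov[0].type = IOV_HEADER | IOV_FLAG_ALLOCATE;
    iov[1].type = IOV_PADDING | IOV_FLAG_ALLOCATE;
    iov[2].type = IOV_TRAILER | IOV_FLAG_ALLOCATE;
    iov[3].type = IOV_DATA; iov[3].value = msg;      iov[3].length = 5;
    iov[4].type = IOV_DATA; iov[4].value = msg + 5;  iov[4].length = 7;
    iov[5].type = IOV_DATA; iov[5].value = msg + 12; iov[5].length = 4;
    if (get_mic_iov(key, iov, 6) != 0) return 1;
    if (iov[0].length != MIC_LEN || memcmp(iov[0].value, ref, MIC_LEN) != 0) rc = 2;  /* IOV == non-IOV */
    else if (iov[1].length != 0 || iov[2].length != 0) rc = 3;                        /* nothing padded */
    else if (verify_mic_iov(key, iov, 6) != 0) rc = 4;                                /* intact data verifies */
    else { msg[9] ^= 1; if (verify_mic_iov(key, iov, 6) != 1) rc = 5; msg[9] ^= 1; }  /* tampered data fails */
    if (rc == 0) { ((uint8_t *)iov[0].value)[0] ^= 0x80; if (verify_mic_iov(key, iov, 6) != 1) rc = 6; }
    if (rc == 0) { iov[0].length = MIC_LEN - 1; if (verify_mic_iov(key, iov, 6) != -1) rc = 7; iov[0].length = MIC_LEN; }
    release_iov(iov, 6);
    return rc;
}
```

The 5/7/4 split is deliberate: the second SipHash word straddles the first two DATA buffers, which is exactly the spot where an implementation without a streaming checksum has to copy the payload into a contiguous scratch buffer. Equality with the contiguous reference is what a "verify using both IOV and non-IOV" assertion in the real test should establish, and a HEADER shorter than the token is rejected outright rather than compared as a prefix.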
Thank you! I'll take a look when I have a moment!
@jaltman / @nicowilliams please don't merge until I've had a chance to review
Thanks. Yeah this is definitely a WIP so I for sure wouldn't merge it without some knowledgeable eyes on and unit tests in the library itself.