Allow to gss_wrap even if NEGOTIATE_SEAL is not negotiated #78

Merged 1 commit, Aug 2, 2022

Conversation

simo5 (Collaborator) commented Aug 1, 2022

Fixes #77

So according to Issue gssapi#77 we have an interop issue if we prevent the use
of gss_wrap when sealing has not been negotiated. On the technical side,
whether we negotiate sealing or not we always create a seal handle with
RC4.

Change behavior to allow applications to still wrap/unwrap data if they
want, even though the negotiation marked sealing as not selected.
The worst thing that can happen is that the peer application does not
like sealed content and bails.

Applications that need to avoid sealing should already just use
gss_get_mic() anyway and they can check the returned GSS flags to see if
sealing was negotiated (returned as GSS_CONF_FLAG), so applications
still have all they need to make their choice and be compatible with
whatever peer they need to speak to.

Thanks to Filip Navara for finding this.

Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 (Collaborator, Author) commented Aug 1, 2022

@filipnavara do you think you can check if this removes the need for a workaround in DOTNET?

filipnavara commented

LGTM. I'll run my tests tomorrow morning when I get back to office.

filipnavara commented

Passed the .NET SMTP tests with the removed workaround.

Before (main):

  ===========================================================================================================
  /workspaces/runtime/artifacts/bin/System.Net.Mail.Functional.Tests/Debug/net7.0-unix /workspaces/runtime/src/libraries/System.Net.Mail/tests/Functional
    Discovering: System.Net.Mail.Functional.Tests (method display = ClassAndMethod, method display options = None)
    Discovered:  System.Net.Mail.Functional.Tests (found 154 of 156 test cases)
    Starting:    System.Net.Mail.Functional.Tests (parallel test collections = on, max threads = 8)
      System.Net.Mail.Tests.SmtpClientTest.TestGssapiAuthentication [FAIL]
        Assert.Equal() Failure
        Expected: GSSAPI
        Actual:   login
        Stack Trace:
          /workspaces/runtime/src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs(577,0): at System.Net.Mail.Tests.SmtpClientTest.TestGssapiAuthentication()
             at System.RuntimeMethodHandle.InvokeMethod(Object target, Void** arguments, Signature sig, Boolean isConstructor)
          /workspaces/runtime/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodInvoker.cs(64,0): at System.Reflection.MethodInvoker.Invoke(Object obj, IntPtr* args, BindingFlags invokeAttr)
    Finished:    System.Net.Mail.Functional.Tests
  === TEST EXECUTION SUMMARY ===
     System.Net.Mail.Functional.Tests  Total: 249, Errors: 0, Failed: 1, Skipped: 0, Time: 8.038s

After (PR):

  ===========================================================================================================
  /workspaces/runtime/artifacts/bin/System.Net.Mail.Functional.Tests/Debug/net7.0-unix /workspaces/runtime/src/libraries/System.Net.Mail/tests/Functional
    Discovering: System.Net.Mail.Functional.Tests (method display = ClassAndMethod, method display options = None)
    Discovered:  System.Net.Mail.Functional.Tests (found 154 of 156 test cases)
    Starting:    System.Net.Mail.Functional.Tests (parallel test collections = on, max threads = 8)
    Finished:    System.Net.Mail.Functional.Tests
  === TEST EXECUTION SUMMARY ===
     System.Net.Mail.Functional.Tests  Total: 249, Errors: 0, Failed: 0, Skipped: 0, Time: 7.040s

simo5 (Collaborator, Author) commented Aug 2, 2022

Great!
Thanks.

@simo5 simo5 merged commit ea20b62 into gssapi:main Aug 2, 2022
Development

Successfully merging this pull request may close these issues.

gss_wrap/gss_unwrap should work on connection without NEGOTIATE_SEAL