Introduce Channel Bindings Support

DirectXMan12 · DirectXMan12 · commit 90de1d7397bb · 2014-10-31T23:25:43.000-04:00
This commit introduces support for channel bindings.
The `ChannelBindings` class, found in `raw`, may be used
to create a set or channel bindings that may be passed to
both the high- and low-level APIs.  Additionally, a new
`IntEnum` named `AddressType` has been introduced; `AddressType`
contains potential values for the initiator and acceptor address-type
fields in the `ChannelBindings` class.
diff --git a/gssapi/raw/__init__.py b/gssapi/raw/__init__.py
@@ -6,6 +6,7 @@
 from gssapi.raw.sec_contexts import *  # noqa
 from gssapi.raw.oids import *  # noqa
 from gssapi.raw.types import *  # noqa
+from gssapi.raw.chan_bindings import *  # noqa
 
 # optional S4U support
 try:
diff --git a/gssapi/raw/chan_bindings.pxd b/gssapi/raw/chan_bindings.pxd
@@ -0,0 +1,14 @@
+from libc.stdlib cimport malloc, free
+
+from gssapi.raw.cython_types cimport *
+
+cdef class ChannelBindings:
+    cdef public object initiator_address_type
+    cdef public bytes initiator_address
+
+    cdef public object acceptor_address_type
+    cdef public bytes acceptor_address
+
+    cdef public bytes application_data
+
+    cdef gss_channel_bindings_t __cvalue__(ChannelBindings self)
diff --git a/gssapi/raw/chan_bindings.pyx b/gssapi/raw/chan_bindings.pyx
@@ -0,0 +1,58 @@
+from libc.stdlib cimport malloc, free
+
+from gssapi.raw.cython_types cimport *
+
+cdef class ChannelBindings:
+    # defined in pxd file
+    # cdef public object initiator_address_type
+    # cdef public bytes initiator_address
+
+    # cdef public object acceptor_address_type
+    # cdef public bytes acceptor_address
+
+    # cdef public bytes application_data
+
+    def __init__(ChannelBindings self, initiator_address_type=None,
+                 initiator_address=None, acceptor_address_type=None,
+                 acceptor_address=None, application_data=None):
+        self.initiator_address_type = initiator_address_type
+        self.initiator_address = initiator_address
+
+        self.acceptor_address_type = acceptor_address_type
+        self.acceptor_address = acceptor_address
+
+        self.application_data = application_data
+
+    cdef gss_channel_bindings_t __cvalue__(ChannelBindings self) except NULL:
+        cdef gss_channel_bindings_t res
+        res = <gss_channel_bindings_t>malloc(sizeof(res[0]))
+
+        if self.initiator_address_type is None:
+            res.initiator_addrtype = GSS_C_AF_NULLADDR
+        else:
+            res.initiator_addrtype = self.initiator_address_type
+
+        if self.initiator_address is not None:
+            res.initiator_address.value = self.initiator_address
+            res.initiator_address.length = len(self.initiator_address)
+        else:
+            res.initiator_address.length = 0
+
+        if self.acceptor_address_type is None:
+            res.acceptor_addrtype = GSS_C_AF_NULLADDR
+        else:
+            res.acceptor_addrtype = self.acceptor_address_type
+
+        if self.acceptor_address is not None:
+            res.acceptor_address.value = self.acceptor_address
+            res.acceptor_address.length = len(self.acceptor_address)
+        else:
+            res.acceptor_address.length = 0
+
+        if self.application_data is not None:
+            res.application_data.value = self.application_data
+            res.application_data.length = len(self.application_data)
+        else:
+            res.application_data.length = 0
+
+        return res
diff --git a/gssapi/raw/cython_types.pxd b/gssapi/raw/cython_types.pxd
@@ -106,6 +106,30 @@ cdef extern from "gssapi.h":
     OM_uint32 GSS_C_TRANS_FLAG
     OM_uint32 GSS_C_PROT_READY_FLAG
 
+    # address types
+    OM_uint32 GSS_C_AF_UNSPEC
+    OM_uint32 GSS_C_AF_LOCAL
+    OM_uint32 GSS_C_AF_INET
+    OM_uint32 GSS_C_AF_IMPLINK
+    OM_uint32 GSS_C_AF_PUP
+    OM_uint32 GSS_C_AF_CHAOS
+    OM_uint32 GSS_C_AF_NS
+    OM_uint32 GSS_C_AF_NBS
+    OM_uint32 GSS_C_AF_ECMA
+    OM_uint32 GSS_C_AF_DATAKIT
+    OM_uint32 GSS_C_AF_CCITT
+    OM_uint32 GSS_C_AF_SNA
+    OM_uint32 GSS_C_AF_DECnet
+    OM_uint32 GSS_C_AF_DLI
+    OM_uint32 GSS_C_AF_LAT
+    OM_uint32 GSS_C_AF_HYLINK
+    OM_uint32 GSS_C_AF_APPLETALK
+    OM_uint32 GSS_C_AF_BSC
+    OM_uint32 GSS_C_AF_DSS
+    OM_uint32 GSS_C_AF_OSI
+    OM_uint32 GSS_C_AF_X25
+    OM_uint32 GSS_C_AF_NULLADDR
+
     # error helpers
     OM_uint32 GSS_CALLING_ERROR(OM_uint32 full_error)
     OM_uint32 GSS_ROUTINE_ERROR(OM_uint32 full_error)
diff --git a/gssapi/raw/sec_contexts.pyx b/gssapi/raw/sec_contexts.pyx
@@ -1,10 +1,13 @@
 GSSAPI="BASE"  # This ensures that a full module is generated by Cython
 
+from libc.stdlib cimport free
+
 from gssapi.raw.cython_types cimport *
 from gssapi.raw.cython_converters cimport c_py_ttl_to_c, c_c_ttl_to_py
 from gssapi.raw.creds cimport Creds
 from gssapi.raw.names cimport Name
 from gssapi.raw.oids cimport OID
+from gssapi.raw.chan_bindings cimport ChannelBindings
 
 from gssapi.raw.types import MechType, RequirementFlag, IntEnumFlagSet
 from gssapi.raw.misc import GSSError
@@ -110,7 +113,8 @@ cdef class SecurityContext:
 def init_sec_context(Name target_name not None, Creds cred=None,
                      SecurityContext context=None,
                      OID mech_type=None,
-                     flags=None, ttl=None, channel_bindings=None,
+                     flags=None, ttl=None,
+                     ChannelBindings channel_bindings=None,
                      input_token=None):
     """
     Initiate a GSSAPI Security Context.
@@ -136,7 +140,8 @@ def init_sec_context(Name target_name not None, Creds cred=None,
             out_of_sequence_detection
         ttl (int): the request lifetime of the security context (a value of
             0 or None means indefinite)
-        channel_bindings (ChannelBindings): NCI
+        channel_bindings (ChannelBindings): The channel bindings (or None for
+            no channel bindings)
         input_token (bytes): the token to use to update the security context,
             or None if you are creating a new context
 
@@ -162,7 +167,12 @@ def init_sec_context(Name target_name not None, Creds cred=None,
         RequirementFlag.mutual_authentication,
         RequirementFlag.out_of_sequence_detection])
 
-    cdef gss_channel_bindings_t bdng = GSS_C_NO_CHANNEL_BINDINGS
+    cdef gss_channel_bindings_t bdng
+    if channel_bindings is not None:
+        bdng = channel_bindings.__cvalue__()
+    else:
+        bdng = GSS_C_NO_CHANNEL_BINDINGS
+
     # TODO(sross): just import GSS_C_EMPTY_BUFFER == gss_buffer_desc(0, NULL)
     cdef gss_buffer_desc input_token_buffer = gss_buffer_desc(0, NULL)
 
@@ -205,6 +215,9 @@ def init_sec_context(Name target_name not None, Creds cred=None,
         output_token = output_token_buffer.value[:output_token_buffer.length]
     gss_release_buffer(&min_stat, &output_token_buffer)
 
+    if channel_bindings is not None:
+        free(bdng)
+
     cdef OID output_mech_type = OID()
     if maj_stat == GSS_S_COMPLETE or maj_stat == GSS_S_CONTINUE_NEEDED:
         output_mech_type.raw_oid = actual_mech_type[0]
@@ -219,7 +232,8 @@ def init_sec_context(Name target_name not None, Creds cred=None,
 
 
 def accept_sec_context(input_token not None, Creds acceptor_cred=None,
-                       SecurityContext context=None, channel_bindings=None):
+                       SecurityContext context=None,
+                       ChannelBindings channel_bindings=None):
     """
     Accept a GSSAPI security context.
 
@@ -237,7 +251,8 @@ def accept_sec_context(input_token not None, Creds acceptor_cred=None,
             (or None to use the default credentials)
         context (SecurityContext): the security context to update
             (or None to create a new security context object)
-        channel_bindings: NCI
+        channel_bindings (ChannelBindings): The channel bindings (or None for
+            no channel bindings)
 
     Returns:
         AcceptSecContextResult: the resulting security context, the initiator
@@ -251,7 +266,12 @@ def accept_sec_context(input_token not None, Creds acceptor_cred=None,
         GSSError
     """
 
-    cdef gss_channel_bindings_t bdng = GSS_C_NO_CHANNEL_BINDINGS
+    cdef gss_channel_bindings_t bdng
+    if channel_bindings is not None:
+        bdng = channel_bindings.__cvalue__()
+    else:
+        bdng = GSS_C_NO_CHANNEL_BINDINGS
+
     cdef gss_buffer_desc input_token_buffer = gss_buffer_desc(len(input_token),
                                                               input_token)
 
@@ -289,6 +309,9 @@ def accept_sec_context(input_token not None, Creds acceptor_cred=None,
         output_token = output_token_buffer.value[:output_token_buffer.length]
     gss_release_buffer(&min_stat, &output_token_buffer)
 
+    if channel_bindings is not None:
+        free(bdng)
+
     cdef Name on = Name()
     cdef Creds oc = Creds()
     cdef OID py_mech_type
diff --git a/gssapi/raw/types.pyx b/gssapi/raw/types.pyx
@@ -58,6 +58,41 @@ class RequirementFlag(IntEnum):
     transferable = GSS_C_TRANS_FLAG
 
 
+class AddressType(IntEnum):
+    """
+    GSSAPI Channel Bindings Address Types
+
+    This IntEnum represents the various address
+    types used with the channel bindings structure.
+
+    The numbers behind the values correspond directly
+    to their C counterparts.
+    """
+
+    unspecified = GSS_C_AF_UNSPEC
+    local = GSS_C_AF_LOCAL
+    ip = GSS_C_AF_INET
+    arpanet = GSS_C_AF_IMPLINK  # ARPAnet support, heh, heh
+    pup = GSS_C_AF_PUP
+    chaos = GSS_C_AF_CHAOS
+    xerox_ns = GSS_C_AF_NS  # and XEROX too?
+    nbs = GSS_C_AF_NBS
+    ecma = GSS_C_AF_ECMA
+    datakit = GSS_C_AF_DATAKIT
+    ccitt = GSS_C_AF_CCITT
+    ibm_sna = GSS_C_AF_SNA
+    decnet = GSS_C_AF_DECnet
+    dli = GSS_C_AF_DLI
+    lat = GSS_C_AF_LAT
+    hyperchannel = GSS_C_AF_HYLINK
+    appletalk = GSS_C_AF_APPLETALK  # this list just keeps getting better
+    bisync = GSS_C_AF_BSC
+    dss = GSS_C_AF_DSS
+    osi_tp4 = GSS_C_AF_OSI
+    x25 = GSS_C_AF_X25
+    # None --> GSS_C_AF_NULLADDR
+
+
 class MechType(object):
     """
     GSSAPI Mechanism Types
diff --git a/gssapi/tests/test_base.py b/gssapi/tests/test_base.py
@@ -588,6 +588,55 @@ def test_basic_accept_context(self):
 
         cont_needed.should_be_a(bool)
 
+    def test_channel_bindings(self):
+        bdgs = gb.ChannelBindings(application_data=b'abcxyz',
+                                  initiator_address_type=gb.AddressType.ip,
+                                  initiator_address=b'127.0.0.1',
+                                  acceptor_address_type=gb.AddressType.ip,
+                                  acceptor_address=b'127.0.0.1')
+        self.target_name = gb.import_name(TARGET_SERVICE_NAME,
+                                          gb.NameType.hostbased_service)
+        ctx_resp = gb.init_sec_context(self.target_name,
+                                       channel_bindings=bdgs)
+
+        self.client_token = ctx_resp[3]
+        self.client_ctx = ctx_resp[0]
+        self.client_ctx.shouldnt_be_none()
+
+        self.server_name = gb.import_name(SERVICE_PRINCIPAL,
+                                          gb.NameType.kerberos_principal)
+        self.server_creds = gb.acquire_cred(self.server_name)[0]
+
+        server_resp = gb.accept_sec_context(self.client_token,
+                                            acceptor_cred=self.server_creds,
+                                            channel_bindings=bdgs)
+        server_resp.shouldnt_be_none
+        self.server_ctx = server_resp.context
+
+    def test_bad_channel_binding_raises_error(self):
+        bdgs = gb.ChannelBindings(application_data=b'abcxyz',
+                                  initiator_address_type=gb.AddressType.ip,
+                                  initiator_address=b'127.0.0.1',
+                                  acceptor_address_type=gb.AddressType.ip,
+                                  acceptor_address=b'127.0.0.1')
+        self.target_name = gb.import_name(TARGET_SERVICE_NAME,
+                                          gb.NameType.hostbased_service)
+        ctx_resp = gb.init_sec_context(self.target_name,
+                                       channel_bindings=bdgs)
+
+        self.client_token = ctx_resp[3]
+        self.client_ctx = ctx_resp[0]
+        self.client_ctx.shouldnt_be_none()
+
+        self.server_name = gb.import_name(SERVICE_PRINCIPAL,
+                                          gb.NameType.kerberos_principal)
+        self.server_creds = gb.acquire_cred(self.server_name)[0]
+
+        bdgs.acceptor_address = b'127.0.1.0'
+        gb.accept_sec_context.should_raise(gb.GSSError, self.client_token,
+                                           acceptor_cred=self.server_creds,
+                                           channel_bindings=bdgs)
+
 
 class TestWrapUnwrap(_GSSAPIKerberosTestCase):
     def setUp(self):
diff --git a/gssapi/tests/test_high_level.py b/gssapi/tests/test_high_level.py
@@ -458,6 +458,42 @@ def test_initiate_accept_steps(self):
         client_ctx.locally_initiated.should_be_true()
         client_ctx.complete.should_be_true()
 
+    def test_channel_bindings(self):
+        bdgs = gb.ChannelBindings(application_data=b'abcxyz',
+                                  initiator_address_type=gb.AddressType.ip,
+                                  initiator_address=b'127.0.0.1',
+                                  acceptor_address_type=gb.AddressType.ip,
+                                  acceptor_address=b'127.0.0.1')
+        client_ctx = self._create_client_ctx(desired_lifetime=400,
+                                             channel_bindings=bdgs)
+
+        client_token = client_ctx.step()
+        client_token.should_be_a(bytes)
+
+        server_ctx = gssctx.SecurityContext(creds=self.server_creds,
+                                            channel_bindings=bdgs)
+        server_token = server_ctx.step(client_token)
+        server_token.should_be_a(bytes)
+
+        client_ctx.step(server_token)
+
+    def test_bad_channel_bindings_raises_error(self):
+        bdgs = gb.ChannelBindings(application_data=b'abcxyz',
+                                  initiator_address_type=gb.AddressType.ip,
+                                  initiator_address=b'127.0.0.1',
+                                  acceptor_address_type=gb.AddressType.ip,
+                                  acceptor_address=b'127.0.0.1')
+        client_ctx = self._create_client_ctx(desired_lifetime=400,
+                                             channel_bindings=bdgs)
+
+        client_token = client_ctx.step()
+        client_token.should_be_a(bytes)
+
+        bdgs.acceptor_address = b'127.0.1.0'
+        server_ctx = gssctx.SecurityContext(creds=self.server_creds,
+                                            channel_bindings=bdgs)
+        server_ctx.step.should_raise(gb.BadChannelBindingsError, client_token)
+
     def test_export_create_from_token(self):
         client_ctx, server_ctx = self._create_completed_contexts()
         token = client_ctx.export()
diff --git a/setup.py b/setup.py
@@ -143,6 +143,7 @@ def gssapi_modules(lst):
         main_file('message'),
         main_file('oids'),
         main_file('cython_converters'),
+        main_file('chan_bindings'),
         extension_file('s4u', 'gss_acquire_cred_impersonate_name'),
         extension_file('cred_store', 'gss_store_cred_into'),
         extension_file('rfc5588', 'gss_store_cred'),
