Skip to content

the code for accepting delegated credentials is incorrect #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
simo5 opened this issue Feb 24, 2016 · 6 comments
Closed

the code for accepting delegated credentials is incorrect #96

simo5 opened this issue Feb 24, 2016 · 6 comments
Assignees
@DirectXMan12
Labels
bug
Milestone
1.2.0

Comments

@simo5
Copy link
Contributor

simo5 commented Feb 24, 2016

Both the low level and the high level API unconditionally try at any step of the context extablishment (on the acceptor side) to return delegated credentials and create the appropriate classes.

Delegated credentials are returned only if the context establishment return GSS_S_COMPLETE and are undefined in any other step.

In the high level API care need to be taken so that if the lower level returns None the delegated_creds should be set straight to None as well, as calling Credentials(None) will istead try to fetch the default credentials for the process, and that is an error.
@DirectXMan12
Copy link
Member

Recording conversations for posterity:

RFC 2744 says:

Only valid if deleg_flag in ret_flags is true, in which case an explicit credential handle (i.e. not GSS_C_NO_CREDENTIAL) will be returned; if deleg_flag is false, gss_accept_context() will set this parameter to GSS_C_NO_CREDENTIAL.

RFC 2743 says (in Inquire_context):

GSS_S_COMPLETE indicates that the referenced context is valid and that deleg_state, mutual_state, replay_det_state, sequence_state, anon_state, trans_state, prot_ready_state, conf_avail, integ_avail, locally_initiated, and open return values describe the corresponding characteristics of the context.

And says for init_sec_context (also applying to accept_sec_context):

These state indicators' [deleg_state, etc] values are undefined unless either the routine's major_status indicates GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is possible that additional features, not confirmed or indicated along with TRUE prot_ready_state, will be confirmed and indicated when GSS_S_COMPLETE is subsequently returned.

So it looks like we should check for COMPLETE or (prot_ready and CONTINUE), and then check DELEG_FLAG (the equivalent of deleg_state in 2744).

@DirectXMan12 DirectXMan12 added this to the 1.1.5 milestone Feb 24, 2016
@DirectXMan12 DirectXMan12 self-assigned this Feb 24, 2016
@DirectXMan12
Copy link
Member

So the question is: does "undefined" mean "up to the implementation" or "in an invalid state" here?
If it means "up to the implementation", it seems to me according to 2744, we can count on:

  • if DELEG_FLAG is false, delegated_creds is NULL
  • if DELEG_FLAG is true, delegated_creds is valid
  • DELEG_FLAG will always be either true or false

meaning that it's fine to just check NULL. My concern is that if we add more complicated logic than "is it NULL or not" and miss a valid pointer, we'll have a memory leak, since

If a credential handle is returned, the associated resources must be released by the application after use with a call to gss_release_cred()

But if we wrap an invalid pointer, then we'll try to release() an invalid pointer.

(this phrasing seems to support the case that delegated_creds will always be either NULL or valid).

cc @simo5 @kaduk WDYT

@frozencemetery
Copy link
Member

(My opinion that I mentioned in our conversation is that it means "up to the implementation" since if it were "invalid" it would be stated as such, but I don't have anything to back that up.)

@simo5
Copy link
Contributor Author

simo5 commented Feb 25, 2016

If GSS_S_COMPLETE is returned then delegated_creds is either NULL (when deleg_state is False) or it is a valid credential (and deleg_state is True).

This is a requirement by 2744: "if deleg_flag is false, gss_accept_context() will set this parameter to GSS_C_NO_CREDENTIAL.

GSS_C_NO_CREDENTIAL == NULL

@DirectXMan12
Copy link
Member

GSS_C_NO_CREDENTIAL == NULL

Yes, I know that. NULL is shorter to type.

2743 potentially seems to imply (under one interpretation of "undefined") that there's cases where the value of deleg_flag might not be "valid"

DirectXMan12 added a commit that referenced this issue Feb 25, 2016
@DirectXMan12
Ensure that delegated_creds is non-null when set
55af4f3 
Previously, in the high-level API, we would unconditionally set
wrap the return value of delegated_creds, which could result in
delegated_creds being set to the default credentials when no
delegated creds were returned (since the call would be
`Credentials(None)`).  This changes the logic so that delegated_creds
stays set as `None` unless delegated_creds are actually returned.

Partial solution for #96
DirectXMan12 added a commit that referenced this issue Feb 25, 2016
@DirectXMan12
Ensure that delegated_creds is non-null when set
b8c76a0 
Previously, in the high-level API, we would unconditionally set
wrap the return value of delegated_creds, which could result in
delegated_creds being set to the default credentials when no
delegated creds were returned (since the call would be
`Credentials(None)`).  This changes the logic so that delegated_creds
stays set as `None` unless delegated_creds are actually returned.

Partial solution for #96
@DirectXMan12 DirectXMan12 mentioned this issue Feb 25, 2016
Merged
@DirectXMan12 DirectXMan12 modified the milestones: 1.2.0, 1.1.5 Mar 1, 2016
@frozencemetery
Copy link
Member

After discussion I believe this has been resolved. If there's more to say we should reopen (and retarget).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DirectXMan12 DirectXMan12

Labels
bug
Projects
None yet
Milestone
1.2.0
Development

No branches or pull requests
3 participants
@DirectXMan12 @frozencemetery @simo5