ianclegg / aspnetcore-kerberos

GSS Kerberos Authentication for Microsoft ASP Net Core 2.x
MIT License

IOV support #25

Open macsux opened 5 years ago

macsux commented 5 years ago

I've added support for IOV-based message wrapping as well as created a common base class for the acceptor/initiator and wanted to do a PR, but I'm struggling to get GSSAPI to actually return successfully from the gss_wrap_iov command. I think the context isn't ready, as I'm not getting GSS_C_PROT_READY_FLAG after creating a context (testing against MIT krb5 targeting MS AD). Maybe you can take a look.

https://github.com/macsux/aspnetcore-kerberos/tree/iov

(Code is a bit messy at the moment - I'll clean it up before the PR to add proper pinning and recycling of handles - I just want to make sure the function works before I invest any more time in this.)

ianclegg commented 5 years ago

@macsux I'm out of the country with my family this weekend so I won't have a chance to try it until Wednesday. Assuming the pinvokes are ok, which side are you attempting to wrap from first? So is the encryption being done on the initiator's or the acceptor's context first? In which case, did the context exchange complete entirely/successfully first? Finally, what are the major and minor status codes set by the call to gss_wrap_iov? Usually the tricky bit is the unwrap.

ianclegg commented 5 years ago

@macsux What's the broader application for Kerberos message wrapping you need this for? I can't think of many scenarios where the context is used for encrypting/decrypting payloads over HTTP ... except maybe Microsoft's WSMan

macsux commented 5 years ago

I'm building shims to provide a drop-in replacement of SSPI in existing WCF applications. I'm trying to mimic SSPI interactions via the MIT Kerberos GSSAPI implementation. Most of these interactions will do message-level encryption/signing with wrap tokens via the WS-* spec. I tried the context with/without the GSS_C_DCE_STYLE flag on both the init and accept side. I'm following this as a reference: https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html

I'll post my test harness tomorrow.

macsux commented 5 years ago

End goal is to support IWA in WCF on non-domain-joined machines.

ianclegg commented 5 years ago

Great! Well it sounds like an interesting project. Is target platform Linux or Windows?

macsux commented 5 years ago

Windows. I've already built .NET Core


macsux commented 5 years ago

I've pushed the test harness I'm using. I'll email you the krb5.conf & tabfile I'm using; these are pointing to my sandbox AD.


macsux commented 5 years ago

I confirmed the method works in C, so I must have gotten the marshaling wrong. Investigating how to properly hook that up now...

ianclegg commented 5 years ago

@macsux That's great. I have not had a chance to try the test harness out. I'll look over the pinvokes too.

macsux commented 5 years ago

Seems to work when I switched to passing a raw IntPtr instead of relying on the marshalling attribute to pass in the IOV struct. Maybe I'm not getting how marshalling is supposed to work, as I'm not sure it actually pins the memory under the covers. Anyway, I'll clean up the code so it's consumable and make a PR. Here's how I attempted to call it originally, which makes it "cleaner", but doesn't work :)

```csharp
// Original (non-working) attempt: let the CLR marshaller pass the IOV array.
// C signature: OM_uint32 gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
//     int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count);
[DllImport(GssModulename, EntryPoint = "gss_wrap_iov")]
internal static extern uint gss_wrap_iov(
    out uint minorStatus,
    IntPtr contextHandle,
    int confReqFlag,
    uint qopReq,
    out int confState,
    // SizeParamIndex = 6 refers to the 0-based position of iovCount below
    [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 6)]
    GssIovBufferDescStruct[] iov,
    int iovCount);
```

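
The following is an added example, not code from the aspnetcore-kerberos project or the iov branch linked above. It shows the "raw IntPtr" form of the gss_wrap_iov call that the comment above reports as working: the IOV array is laid out by hand in unmanaged memory, the data buffer is pinned explicitly, and the header/padding/trailer buffers are allocated by the mechanism via GSS_IOV_BUFFER_FLAG_ALLOCATE and released with gss_release_iov_buffer. The struct and constant layouts follow MIT krb5's gssapi_ext.h. Assumptions not taken from the thread: the library name "gssapi64.dll", the type and method names used here, and that `ctx` is a context handle from an already completed gss_init_sec_context/gss_accept_sec_context exchange, which is why this cannot run without a live Kerberos environment.

```csharp
using System;
using System.Runtime.InteropServices;

public static class GssIovExample
{
    const string GssModulename = "gssapi64.dll"; // assumption: MIT krb5 GSSAPI DLL on Windows

    // gss_buffer_desc { size_t length; void *value; }
    [StructLayout(LayoutKind.Sequential)]
    public struct GssBuffer
    {
        public UIntPtr Length;
        public IntPtr Value;
    }

    // gss_iov_buffer_desc { OM_uint32 type; gss_buffer_desc buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct GssIovBuffer
    {
        public uint Type;
        public GssBuffer Buffer;
    }

    // Buffer types and flags as defined in MIT krb5 gssapi_ext.h
    public const uint GSS_IOV_BUFFER_TYPE_DATA = 1;
    public const uint GSS_IOV_BUFFER_TYPE_HEADER = 2;
    public const uint GSS_IOV_BUFFER_TYPE_TRAILER = 7;
    public const uint GSS_IOV_BUFFER_TYPE_PADDING = 9;
    public const uint GSS_IOV_BUFFER_FLAG_ALLOCATE = 0x00010000;
    public const uint GSS_S_COMPLETE = 0;

    [DllImport(GssModulename, EntryPoint = "gss_wrap_iov")]
    static extern uint gss_wrap_iov(out uint minorStatus, IntPtr contextHandle, int confReqFlag,
        uint qopReq, out int confState, IntPtr iov, int iovCount);

    [DllImport(GssModulename, EntryPoint = "gss_release_iov_buffer")]
    static extern uint gss_release_iov_buffer(out uint minorStatus, IntPtr iov, int iovCount);

    // Wraps `plaintext` using HEADER | DATA | PADDING | TRAILER and returns the four
    // buffers concatenated. The DATA buffer is encrypted in place by the mechanism.
    public static byte[] WrapWithIov(IntPtr ctx, byte[] plaintext, bool encrypt = true)
    {
        var iov = new GssIovBuffer[4];
        iov[0].Type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
        iov[1].Type = GSS_IOV_BUFFER_TYPE_DATA;
        iov[2].Type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
        iov[3].Type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;

        // Pin the managed data buffer for the duration of the call and copy the IOV
        // descriptors into unmanaged memory so the native side sees stable pointers.
        GCHandle dataHandle = GCHandle.Alloc(plaintext, GCHandleType.Pinned);
        int elemSize = Marshal.SizeOf<GssIovBuffer>();
        IntPtr iovPtr = Marshal.AllocHGlobal(elemSize * iov.Length);
        try
        {
            iov[1].Buffer.Length = (UIntPtr)plaintext.Length;
            iov[1].Buffer.Value = dataHandle.AddrOfPinnedObject();
            for (int i = 0; i < iov.Length; i++)
                Marshal.StructureToPtr(iov[i], iovPtr + i * elemSize, false);

            uint major = gss_wrap_iov(out uint minor, ctx, encrypt ? 1 : 0, 0,
                                      out int confState, iovPtr, iov.Length);
            if (major != GSS_S_COMPLETE)
                throw new InvalidOperationException(
                    $"gss_wrap_iov failed: major=0x{major:X8} minor={minor}");

            // Read the descriptors back (the mechanism filled in the allocated buffers)
            // and assemble header + ciphertext + padding + trailer into one token.
            int total = 0;
            for (int i = 0; i < iov.Length; i++)
            {
                iov[i] = Marshal.PtrToStructure<GssIovBuffer>(iovPtr + i * elemSize);
                total += (int)iov[i].Buffer.Length;
            }
            var token = new byte[total];
            int offset = 0;
            foreach (var b in iov)
            {
                int n = (int)b.Buffer.Length;
                if (n > 0) Marshal.Copy(b.Buffer.Value, token, offset, n);
                offset += n;
            }
            return token;
        }
        finally
        {
            // Frees only the buffers the mechanism allocated (FLAG_ALLOCATED is set on them).
            gss_release_iov_buffer(out _, iovPtr, iov.Length);
            Marshal.FreeHGlobal(iovPtr);
            dataHandle.Free();
        }
    }
}
```

The explicit pin is what makes the in-place encryption of the DATA buffer safe: the mechanism writes ciphertext back through the pointer it was given, so that pointer has to stay valid and unmoved for the whole call. The assembled token is only meaningful to a peer that unwraps it as a single stream or with matching IOV layout, so the framing convention between the two sides still has to be agreed on separately.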
ianclegg commented 5 years ago

@macsux Why don't you start the PR and we'll look over it together? Then we'll squash and rebase. CLR p/invoke will take care of the pinning, so the GCAlloc is not necessary.

I suggest running the test harness in windbg on Windows and setting a breakpoint on the exported gss_wrap_iov symbol, then looking at the stack; then we can be sure what's going on.

macsux commented 5 years ago

I'm going to be away for a couple of weeks. Will do this when I come back... cheers