Merge remote-tracking branch 'remotes/origin/jake/new-seccontext-interface' into dev

Move to a cleaner seccontext/acceptcontext interface.  This change makes
the context estalishment loop simpler and is more akin to the Java
interface.

Author: jake-scott

examples/go/go.mod

@@ -0,0 +1,9 @@
+module examples
+
+go 1.22.4
+
+replace github.com/golang-auth/go-gssapi/v3 => ../../v3
+
+require github.com/golang-auth/go-gssapi/v3 v3.0.0-alpha
+
+require github.com/golang-auth/go-gssapi-c v0.0.0-20240828194135-955ba90d4511

examples/go/go.sum

@@ -0,0 +1,12 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-auth/go-gssapi-c v0.0.0-20240827133603-e7af9f04586a h1:qdMspd9EVKyHD4PqzYpCDpWaBwdm4oBY1u631biS/3U=
+github.com/golang-auth/go-gssapi-c v0.0.0-20240827133603-e7af9f04586a/go.mod h1:7+YbBfLmM3gMF6DoCfjZFQBx1SXj1Uru6Y2tl77nhJ8=
+github.com/golang-auth/go-gssapi-c v0.0.0-20240828194135-955ba90d4511 h1:k9cgAxS+AYKwAN7/moi03LK3EjTFUKeMRh9Cu2j4/D0=
+github.com/golang-auth/go-gssapi-c v0.0.0-20240828194135-955ba90d4511/go.mod h1:rb9NLAgRMfr732Kvm1mOH5J6eIx/WULl8rAFNXSzGqY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

examples/go/gss-client/gss-client.go

@@ -0,0 +1,277 @@
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+	"bytes"
+	"encoding/asn1"
+	"encoding/binary"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	_ "github.com/golang-auth/go-gssapi-c"
+	"github.com/golang-auth/go-gssapi/v3"
+)
+
+var _debug bool
+
+var provider string = "GSSAPI-C"
+var gss = gssapi.NewProvider(provider)
+
+func main() {
+	port := flag.Int("port", 1234, "remote port to connect to")
+	mech := flag.String("mech", "", "use specific mech OID")
+	deleg := flag.Bool("d", false, "request delegation")
+	file := flag.Bool("f", false, "use file")
+	confReq := flag.Bool("seal", false, "seal (encrypt) the message")
+	mutual := flag.Bool("mutual", false, "request mutual authentication")
+	flag.BoolVar(&_debug, "debug", false, "enable debugging")
+	flag.Parse()
+
+	if flag.NArg() != 3 {
+		log.Fatalf("Usage: %s [-port <int>] [-mech <OID>] [-d] [-f] [-seal] [-mutual] [-debug] host service msg\n", os.Args[0])
+	}
+
+	host := flag.Arg(0)
+	service := flag.Arg(1)
+	msg := flag.Arg(2)
+
+	// Connect to the host
+	addr := fmt.Sprintf("%s:%d", host, *port)
+	conn, err := net.Dial("tcp", addr)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	debug("Connected to %s", addr)
+
+	var flags gssapi.ContextFlag
+	if *mutual {
+		flags |= gssapi.ContextFlagMutual
+	}
+	if *deleg {
+		flags |= gssapi.ContextFlagDeleg
+	}
+
+	opts := []gssapi.InitSecContextOption{
+		gssapi.WithInitiatorFlags(flags),
+	}
+	if *mech != "" {
+		oid, err := parseOid(*mech)
+		if err != nil {
+			log.Fatal(err)
+		}
+		gssMech, err := gssapi.MechFromOid(oid)
+		if err != nil {
+			log.Fatal(err)
+		}
+		opts = append(opts, gssapi.WithInitatorMech(gssMech))
+	}
+
+	serviceName, err := gss.ImportName(service, gssapi.GSS_NT_HOSTBASED_SERVICE)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer serviceName.Release()
+
+	debug("Requested flags: %s", flags)
+
+	secctx, outToken, err := gss.InitSecContext(serviceName, opts...)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer secctx.Delete()
+
+	if sendErr := sendToken(conn, outToken); sendErr != nil {
+		log.Fatal(err)
+	}
+	debug("Sent context token (%d bytes):", len(outToken))
+	debug("%s", formatToken(outToken))
+
+	for secctx.ContinueNeeded() {
+
+		inToken, err := recvToken(conn)
+		if err != nil {
+			log.Fatal(err)
+		}
+		debug("Read context token (%d bytes:", len(inToken))
+		debug("%s", formatToken(inToken))
+
+		outToken, err = secctx.Continue(inToken)
+
+		if len(outToken) > 0 {
+			if err := sendToken(conn, outToken); err != nil {
+				log.Fatal(err)
+			}
+			debug("Sent context token (%d bytes):", len(outToken))
+			debug("%s", formatToken(outToken))
+
+		}
+
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
+	info, err := secctx.Inquire()
+	if err != nil {
+		log.Fatal(err)
+	}
+	printContextInfo(info)
+
+	ntypes, err := gss.InquireNamesForMech(info.Mech)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	debug("Name types supported by mech:")
+	for _, nt := range ntypes {
+		debug("  %-30s (%s)", nt, nt.OidString())
+	}
+
+	var msgBuf []byte
+	if *file {
+		msgBuf, err = os.ReadFile(msg)
+		if err != nil {
+			log.Fatal(err)
+		}
+	} else {
+		msgBuf = []byte(msg)
+	}
+
+	// Wrap the message
+	outMsg, hasConf, err := secctx.Wrap(msgBuf, *confReq, 0)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if !hasConf {
+		debug("Warning!  Message not encrypted.")
+	}
+
+	if err = sendToken(conn, outMsg); err != nil {
+		log.Fatal(err)
+	}
+	debug("Sent wrap message (%d bytes):\n%s", len(outMsg), formatToken(outMsg))
+
+	// Receive a wrapped token from the server
+	msgMIC, err := recvToken(conn)
+	if err != nil {
+		log.Fatal(err)
+	}
+	debug("Received MIC message (%d bytes):\n%s", len(msgMIC), formatToken(msgMIC))
+
+	if _, err = secctx.VerifyMIC(msgBuf, msgMIC); err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println("Successfully verified message signature (MIC) from server")
+
+}
+
+func printContextInfo(info *gssapi.SecContextInfo) {
+	local := "remotely initiated"
+	open := "closed"
+
+	if info.LocallyInitiated {
+		local = "locally initiated"
+	}
+	if info.FullyEstablished {
+		open = "open"
+	}
+
+	debug("Context flags: %s", info.Flags)
+	debug("\"%s\" to \"%s\", expires: %s, %s, %s",
+		info.InitiatorName, info.AcceptorName,
+		info.ExpiresAt.Round(time.Second),
+		local,
+		open)
+
+	debug("Name type of source is %s (%s)", info.AcceptorNameType, info.AcceptorNameType.OidString())
+	debug("Name type of destination is %s (%s)", info.InitiatorNameType, info.InitiatorNameType.OidString())
+	debug("Mechanism: %s (%s)", info.Mech, info.Mech.OidString())
+}
+
+func parseOid(s string) (gssapi.Oid, error) {
+	// split string into components
+	elms := strings.Split(s, ".")
+
+	oid := make(asn1.ObjectIdentifier, len(elms))
+
+	for i, elm := range elms {
+		j, err := strconv.ParseUint(elm, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("non-number in OID: %w", err)
+		}
+
+		oid[i] = int(j)
+	}
+
+	enc, err := asn1.Marshal(oid)
+	if err != nil {
+		return nil, fmt.Errorf("parsing OID: %w", err)
+	}
+
+	return enc[2:], nil
+}
+
+func sendToken(conn net.Conn, token []byte) error {
+	szBuff := make([]byte, 4)
+	binary.BigEndian.PutUint32(szBuff, uint32(len(token)))
+	_, err := conn.Write(szBuff)
+	if err != nil {
+		return err
+	}
+
+	_, err = conn.Write(token)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func formatToken(tok []byte) string {
+	b := &strings.Builder{}
+
+	bd := hex.Dumper(b)
+	defer bd.Close()
+
+	bd.Write(tok)
+	return b.String()
+}
+
+func recvToken(conn net.Conn) (token []byte, err error) {
+	szBuff := make([]byte, 4)
+	_, err = conn.Read(szBuff)
+	if err != nil {
+		return
+	}
+
+	buf := bytes.NewBuffer(szBuff)
+	var tokenSize uint32
+	binary.Read(buf, binary.BigEndian, &tokenSize)
+
+	token = make([]byte, tokenSize)
+	_, err = conn.Read(token)
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+func debug(format string, args ...interface{}) {
+	if !_debug {
+		return
+	}
+
+	fmt.Printf(format+"\n", args...)
+}