fixed a bug related to using only a username and refactored a little.

craiggwilson · craiggwilson · commit 484733cf1875 · 2017-05-05T12:23:08.000-05:00
diff --git a/examples/count/main.go b/examples/count/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"log"
+	"time"
 
 	"flag"
 
@@ -37,8 +38,10 @@ func main() {
 	}
 
 	ctx := context.Background()
+	timeoutCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
 
-	s, err := c.SelectServer(ctx, cluster.WriteSelector())
+	s, err := c.SelectServer(timeoutCtx, cluster.WriteSelector())
 	if err != nil {
 		log.Fatalf("%v: %v", err, c.Model().Servers[0].LastError)
 	}
diff --git a/internal/auth/gssapi/sspi.go b/internal/auth/gssapi/sspi.go
@@ -98,7 +98,7 @@ func (sc *SaslClient) Start() (string, []byte, error) {
 	status := C.sspi_client_init(&sc.state, cusername, cpassword)
 
 	if status != C.SSPI_OK {
-		return mechName, nil, fmt.Errorf("unable to intitialize sspi client state: %s", statusMessage(sc.state.status))
+		return mechName, nil, sc.getError("unable to intitialize client")
 	}
 
 	return mechName, nil, nil
@@ -112,9 +112,9 @@ func (sc *SaslClient) Next(challenge []byte) ([]byte, error) {
 	if sc.contextComplete {
 		if sc.username == "" {
 			var cusername *C.char
-			status := C.sspi_client_get_username(&sc.state, &cusername)
+			status := C.sspi_client_username(&sc.state, &cusername)
 			if status != C.SSPI_OK {
-				return nil, fmt.Errorf("unable to acquire username: %v", statusMessage(sc.state.status))
+				return nil, sc.getError("unable to acquire username")
 			}
 			defer C.free(unsafe.Pointer(cusername))
 			sc.username = C.GoString((*C.char)(unsafe.Pointer(cusername)))
@@ -125,7 +125,7 @@ func (sc *SaslClient) Next(challenge []byte) ([]byte, error) {
 		bufLen := C.ULONG(len(bytes))
 		status := C.sspi_client_wrap_msg(&sc.state, buf, bufLen, &outBuf, &outBufLen)
 		if status != C.SSPI_OK {
-			return nil, fmt.Errorf("unable to wrap authz: %v", statusMessage(sc.state.status))
+			return nil, sc.getError("unable to wrap authz")
 		}
 
 		sc.done = true
@@ -139,13 +139,13 @@ func (sc *SaslClient) Next(challenge []byte) ([]byte, error) {
 		cservicePrincipalName := C.CString(sc.servicePrincipalName)
 		defer C.free(unsafe.Pointer(cservicePrincipalName))
 
-		status := C.sspi_init_sec_context(&sc.state, cservicePrincipalName, buf, bufLen, &outBuf, &outBufLen)
+		status := C.sspi_client_negotiate(&sc.state, cservicePrincipalName, buf, bufLen, &outBuf, &outBufLen)
 		switch status {
 		case C.SSPI_OK:
 			sc.contextComplete = true
 		case C.SSPI_CONTINUE:
 		default:
-			return nil, fmt.Errorf("unable to initialize sec context: %v", statusMessage(sc.state.status))
+			return nil, sc.getError("unable to negotiate with server")
 		}
 	}
 
@@ -160,6 +160,10 @@ func (sc *SaslClient) Completed() bool {
 	return sc.done
 }
 
+func (sc *SaslClient) getError(prefix string) error {
+	return getError(prefix, sc.state.status)
+}
+
 var initOnce sync.Once
 var initError error
 
@@ -170,7 +174,7 @@ func initSSPI() {
 	}
 }
 
-func statusMessage(status C.SECURITY_STATUS) string {
+func getError(prefix string, status C.SECURITY_STATUS) error {
 	var s string
 	switch status {
 	case C.SEC_E_ALGORITHM_MISMATCH:
@@ -326,8 +330,8 @@ func statusMessage(status C.SECURITY_STATUS) string {
 	case C.SEC_I_RENEGOTIATE:
 		s = "The context data must be renegotiated with the peer."
 	default:
-		return fmt.Sprintf("status code 0x%x", uint32(status))
+		return fmt.Errorf("%s: 0x%x", prefix, uint32(status))
 	}
 
-	return fmt.Sprintf("status code 0x%x: %s", uint32(status), s)
+	return fmt.Errorf("%s: %s(0x%x)", prefix, s, uint32(status))
 }
diff --git a/internal/auth/gssapi/sspi_wrapper.c b/internal/auth/gssapi/sspi_wrapper.c
@@ -36,24 +36,24 @@ int sspi_client_init(
 	TimeStamp timestamp;
 
     if (username) {
-        SEC_WINNT_AUTH_IDENTITY auth_identity;
-        
-    #ifdef _UNICODE
-        auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
-    #else
-        auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
-    #endif
-        auth_identity.User = (LPSTR) username;
-        auth_identity.UserLength = strlen(username);
-        auth_identity.Password = NULL;
-        auth_identity.PasswordLength = 0;
         if (password) {
+            SEC_WINNT_AUTH_IDENTITY auth_identity;
+            
+        #ifdef _UNICODE
+            auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
+        #else
+            auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
+        #endif
+            auth_identity.User = (LPSTR) username;
+            auth_identity.UserLength = strlen(username);
             auth_identity.Password = (LPSTR) password;
             auth_identity.PasswordLength = strlen(password);
+            auth_identity.Domain = NULL;
+            auth_identity.DomainLength = 0;
+            client->status = sspi_functions->AcquireCredentialsHandle(NULL, SSPI_PACKAGE_NAME, SECPKG_CRED_OUTBOUND, NULL, &auth_identity, NULL, NULL, &client->cred, &timestamp);
+        } else {
+            client->status = sspi_functions->AcquireCredentialsHandle(username, SSPI_PACKAGE_NAME, SECPKG_CRED_OUTBOUND, NULL, NULL, NULL, NULL, &client->cred, &timestamp);
         }
-        auth_identity.Domain = NULL;
-        auth_identity.DomainLength = 0;
-        client->status = sspi_functions->AcquireCredentialsHandle(NULL, SSPI_PACKAGE_NAME, SECPKG_CRED_OUTBOUND, NULL, &auth_identity, NULL, NULL, &client->cred, &timestamp);
     } else {
         client->status = sspi_functions->AcquireCredentialsHandle(NULL, SSPI_PACKAGE_NAME, SECPKG_CRED_OUTBOUND, NULL, NULL, NULL, NULL, &client->cred, &timestamp);
     }
@@ -65,20 +65,7 @@ int sspi_client_init(
     return SSPI_OK;
 }
 
-int sspi_client_destroy(
-    sspi_client_state *client
-)
-{
-    if (client->has_ctx > 0) {
-        sspi_functions->DeleteSecurityContext(&client->ctx);
-    }
-
-    sspi_functions->FreeCredentialsHandle(&client->cred);
-
-    return SSPI_OK;
-}
-
-int sspi_client_get_username(
+int sspi_client_username(
     sspi_client_state *client,
     char** username
 )
@@ -94,17 +81,78 @@ int sspi_client_get_username(
 	*username = malloc(len);
 	memcpy(*username, names.sUserName, len);
 
-	client->status = sspi_functions->FreeContextBuffer(names.sUserName);
-    if (client->status != SEC_E_OK) {
+	sspi_functions->FreeContextBuffer(names.sUserName);
+
+    return SSPI_OK;
+}
+
+int sspi_client_negotiate(
+    sspi_client_state *client,
+    char* spn,
+    PVOID input,
+    ULONG input_length,
+    PVOID* output,
+    ULONG* output_length
+)
+{
+    SecBufferDesc inbuf;
+	SecBuffer in_bufs[1];
+	SecBufferDesc outbuf;
+	SecBuffer out_bufs[1];
+
+	if (client->has_ctx > 0) {
+		inbuf.ulVersion = SECBUFFER_VERSION;
+		inbuf.cBuffers = 1;
+		inbuf.pBuffers = in_bufs;
+		in_bufs[0].pvBuffer = input;
+		in_bufs[0].cbBuffer = input_length;
+		in_bufs[0].BufferType = SECBUFFER_TOKEN;
+	}
+
+	outbuf.ulVersion = SECBUFFER_VERSION;
+	outbuf.cBuffers = 1;
+	outbuf.pBuffers = out_bufs;
+	out_bufs[0].pvBuffer = NULL;
+	out_bufs[0].cbBuffer = 0;
+	out_bufs[0].BufferType = SECBUFFER_TOKEN;
+
+	ULONG context_attr = 0;
+
+	client->status = sspi_functions->InitializeSecurityContext(
+        &client->cred,
+        client->has_ctx > 0 ? &client->ctx : NULL,
+        (LPSTR) spn,
+        ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_MUTUAL_AUTH,
+        0,
+        SECURITY_NETWORK_DREP,
+        client->has_ctx > 0 ? &inbuf : NULL,
+        0,
+        &client->ctx,
+        &outbuf,
+        &context_attr,
+        NULL);
+
+    if (client->status != SEC_E_OK && client->status != SEC_I_CONTINUE_NEEDED) {
         return SSPI_ERROR;
     }
 
+    client->has_ctx = 1;
+
+	*output = malloc(out_bufs[0].cbBuffer);
+	*output_length = out_bufs[0].cbBuffer;
+	memcpy(*output, out_bufs[0].pvBuffer, *output_length);
+    sspi_functions->FreeContextBuffer(out_bufs[0].pvBuffer);
+
+    if (client->status == SEC_I_CONTINUE_NEEDED) {
+        return SSPI_CONTINUE;
+    }
+
     return SSPI_OK;
 }
 
 int sspi_client_wrap_msg(
     sspi_client_state *client,
-    PVOID* input,
+    PVOID input,
     ULONG input_length,
     PVOID* output,
     ULONG* output_length 
@@ -156,62 +204,15 @@ int sspi_client_wrap_msg(
 	return SSPI_OK;
 }
 
-int sspi_init_sec_context(
-    sspi_client_state *client,
-    char* spn,
-    PVOID input,
-    ULONG input_length,
-    PVOID* output,
-    ULONG* output_length
+int sspi_client_destroy(
+    sspi_client_state *client
 )
 {
-    SecBufferDesc inbuf;
-	SecBuffer in_bufs[1];
-	SecBufferDesc outbuf;
-	SecBuffer out_bufs[1];
-
-	if (client->has_ctx > 0) {
-		inbuf.ulVersion = SECBUFFER_VERSION;
-		inbuf.cBuffers = 1;
-		inbuf.pBuffers = in_bufs;
-		in_bufs[0].pvBuffer = input;
-		in_bufs[0].cbBuffer = input_length;
-		in_bufs[0].BufferType = SECBUFFER_TOKEN;
-	}
-
-	outbuf.ulVersion = SECBUFFER_VERSION;
-	outbuf.cBuffers = 1;
-	outbuf.pBuffers = out_bufs;
-	out_bufs[0].pvBuffer = NULL;
-	out_bufs[0].cbBuffer = 0;
-	out_bufs[0].BufferType = SECBUFFER_TOKEN;
-
-	ULONG context_attr = 0;
-
-	client->status = sspi_functions->InitializeSecurityContext(
-        &client->cred,
-        client->has_ctx > 0 ? &client->ctx : NULL,
-        (LPSTR) spn,
-        ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_MUTUAL_AUTH,
-        0,
-        SECURITY_NETWORK_DREP,
-        client->has_ctx > 0 ? &inbuf : NULL,
-        0,
-        &client->ctx,
-        &outbuf,
-        &context_attr,
-        NULL);
-
-	*output = malloc(out_bufs[0].cbBuffer);
-	*output_length = out_bufs[0].cbBuffer;
-	memcpy(*output, out_bufs[0].pvBuffer, *output_length);
-    client->has_ctx = 1;
-
-    if (client->status == SEC_I_CONTINUE_NEEDED || client->status == SEC_I_COMPLETE_AND_CONTINUE) {
-        return SSPI_CONTINUE;
-    } else if (client->status == SEC_E_OK) {
-        return SSPI_OK;
+    if (client->has_ctx > 0) {
+        sspi_functions->DeleteSecurityContext(&client->ctx);
     }
 
-    return SSPI_ERROR;
-}
+    sspi_functions->FreeCredentialsHandle(&client->cred);
+
+    return SSPI_OK;
+}
diff --git a/internal/auth/gssapi/sspi_wrapper.h b/internal/auth/gssapi/sspi_wrapper.h
@@ -29,30 +29,30 @@ int sspi_client_init(
     char* password
 );
 
-int sspi_client_destroy(
-    sspi_client_state *client
-);
-
-int sspi_client_get_username(
+int sspi_client_username(
     sspi_client_state *client,
     char** username
 );
 
-int sspi_client_wrap_msg(
+int sspi_client_negotiate(
     sspi_client_state *client,
-    PVOID* input,
+    char* spn,
+    PVOID input,
     ULONG input_length,
     PVOID* output,
-    ULONG* output_length 
+    ULONG* output_length
 );
 
-int sspi_init_sec_context(
+int sspi_client_wrap_msg(
     sspi_client_state *client,
-    char* spn,
     PVOID input,
     ULONG input_length,
     PVOID* output,
-    ULONG* output_length
+    ULONG* output_length 
+);
+
+int sspi_client_destroy(
+    sspi_client_state *client
 );
 
 #endif
