Kerberos SSO: The buffers supplied to a function was too small InitializeSecurityContext

[Ulyana Tsyukh]

Hi, 

We have a Kerberos SSO implemented in Java using Waffle, basically I use waffle-jna.jar and platform.jar. My solution was previously described here https://groups.google.com/forum/#!topic/waffle-users/pefWKjcV-CI which also solves the problem of 'Kerberos TGT Session Key restriction for Domain user in local Administrators group with UAC enabled on Windows 7'.

Recently we have experienced an issue with one specific domain user who fails to automatically login with SSO, everyone else can login without any problems. The error we are getting occurs in InitializeSecurityContext: 'The buffers supplied to a function was too small'. I have investigated the problem a little and found this post:

https://github.com/twall/jna/issues/94 

In our solution we were using waffle-jna.jar and platform.jar version 3.3.0 and looks like there were a few changes since then, specifically related to the 'Problem calling SSPI API for Kerberos Authentication' mentioned above. I have downloaded latest version 3.5.0 of waffle-jna.jar and platform.jar but we still get the same problem: 'The buffers supplied to a function was too small'.

We have the SSO Kerberos implementation using native Windows API (which is very similar to JNA but we use to free some buffers after calling InitializeSecurityContext, unfortunately I am not a big expert in that) and we are sure that this error does not occur for that specific user when using native Windows API. Any thoughts on how that problem can be fixed, should that be done in JNA or is there is anything we can change in the way we obtain Service ticket? If anyone is interested I can share the Windows API code.  

Note: We observe that problem on both Windows 64 and Windows 32 platform. 

Thanks in advance.

Ulyana

[Daniel Doubrovkine]

This is not going to be easy.

Since you have a place where you can reproduce this I think you want to narrow it down to the absolute minimum unit test with JNA and debug the parameters passed into InitializeSecurityContext. I am going to guess that the output buffer is too small (http://msdn.microsoft.com/en-us/library/windows/desktop/aa375509(v=vs.85).aspx), start by seeing whether doing some hacking on the size of it helps. Generally the internals of these APIs are ridiculously complicated and I had to often write C implementations for the same to make sure I am passing the right thing in, at all, then occasionally resort to calling some old friends in Windows so that they can walk my call with a kernel debugger to figure out why something like this is returned. Fun.

Ulyana

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--

dB. | Moscow - Geneva - Seattle - New York
dblock.org - @dblockdotorg

[Ulyana Tsyukh]

Here is the solution that worked for us. I am not sure if you should consider that for waffle-jna implementation, but in case anyone is interested here is how we handle InitializeSecurityContext:

  public void initialize(final CtxtHandle continueCtx, final SecBufferDesc continueToken, final String targetName) {

    _attr = new IntByReference();

    _token = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, Sspi.MAX_TOKEN_SIZE);

    _ctx = new CtxtHandle();

    final int rc = Secur32.INSTANCE.InitializeSecurityContext(_credentials, continueCtx,

         targetName, deleg_flag, 0, Sspi.SECURITY_NATIVE_DREP, continueToken, 0, _ctx, _token, _attr,  null);

    

    if (continueToken != null && continueToken.pBuffers != null) {

        for (SecBuffer buffer : continueToken.pBuffers) {

          if (buffer.pvBuffer != null) {

            Secur32.INSTANCE.FreeContextBuffer(buffer.pvBuffer);

            buffer.cbBuffer = 0;

          }

        }

      }

    }

    switch (rc) {

      case W32Errors.SEC_I_CONTINUE_NEEDED:

        _continue = true;

        break;

      case W32Errors.SEC_E_OK:

        _continue = false;

        break;

      default:

        throw new Win32Exception(rc);

    }

  }

[Daniel Doubrovkine]

What is the difference with what's in https://github.com/dblock/waffle/blob/master/Source/JNA/waffle-jna/src/waffle/windows/auth/impl/WindowsSecurityContextImpl.java ?

I'd take any pull request that fixes someone's problem.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Ulyana Tsyukh]

This part is different, I have added the code which free the buffers on each iteration, because the error we were getting "The buffers supplied to a function was too small."

  if (continueToken != null && continueToken.pBuffers != null) {

        for (SecBuffer buffer : continueToken.pBuffers) {

          if (buffer.pvBuffer != null) {

            Secur32.INSTANCE.FreeContextBuffer(buffer.pvBuffer);

            buffer.cbBuffer = 0;

          }

        }

    }

I didn't understand what you mean by pull request.

[Daniel Doubrovkine]

So it looks like a bug in Waffle code. Waffle is open-source and I am asking you to contribute the fix without me having to copy-paste the code changes. There's a contributing section in the README, and pull requests are specifically explained in https://help.github.com/articles/using-pull-requests.

I am happy to help you through any of these steps.

Contributing

• Fork the project.
• Set Up a Development Environment.
• Make your code changes. Don't forget tests.
• Update CHANGELOG.
• Make pull requests. Bonus points for topic branches.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Ulyana Tsyukh]

Hi,

I think I will be needing some help. Thanks.

[Daniel Doubrovkine]

Always here. Try doing it, see how far you get.

On Tue, Apr 2, 2013 at 7:01 AM, Ulyana Tsyukh <ulja...@gmail.com> wrote:

Hi,

I think I will be needing some help. Thanks.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Ulyana Tsyukh]

Hi Daniel,

I can not build waffle 1.5 branch is there any info about that. I managed to build main successfully. Maybe there is other ways of communication with you, something faster perhaps. 

Thanks in advance. 

Ulyana

[Daniel Doubrovkine]

You shouldn't need the 1.5 branch, make changes on main. 

I'm @dblockdotorg on Skype if you would like, but I think it's better to use the list because it keeps a record of problems/solutions.

[Ulyana Tsyukh]

But my change is related to the 1.5 waffle version. 

[Ulyana Tsyukh]

- Can I do pull request with Github for Mac ?

- Do I need to write additional tests for my change or only run available tests ? I have only changed one method and it is already covered by currents test suit. 

[Daniel Doubrovkine]

You should make your changes on master, because the problem is likely the same and because we don't re-release old versions unless we really have to. So whatever you fix will be in the next release of Waffle. 

Makes sense?

[Daniel Doubrovkine]

1) Maybe. I always use the command line/website, so I don't know. 

2) We have a bug, but no test that catches it. So ideally you should first write a test that reproduces the problem and fails. Then fix the code and the test should pass. I realize it may be difficult because it seems related to some environment, so dont' spend your life on it.

Thanks,

-dB.

On Tue, Apr 9, 2013 at 7:45 AM, Ulyana Tsyukh <ulja...@gmail.com> wrote:

- Can I do pull request with Github for Mac ?

- Do I need to write additional tests for my change or only run available tests ? I have only changed one method and it is already covered by currents test suit. 

--

You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Ulyana Tsyukh]

I have made my changes and seems like all the tests pass for me. (I use master branch.)

I don't have specific scenario for the Failure test. 

About submit it is strange for me, because this GitHub for Mac doesn't have a pull request, so I guess if I submit my change it is going to be a pull request. At least I hope so :)

[Daniel Doubrovkine]

Once you pushed your changes to github (to your fork), you can make a pull request on the website.

--

You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Daniel Doubrovkine]

This has been fixed in https://github.com/dblock/waffle/commit/ebedaf7e92535e2cdcbd46bf9032ebce360383ed, with a proper explanation via https://github.com/twall/jna/issues/261 and http://support.microsoft.com/default.aspx?scid=kb;EN-US;327825.

code.dblock.org - @dblockdotorg - artsy.net - github/dblock