FreeRDP
Loading...
Searching...
No Matches
kerberos.c
1
22#include <winpr/config.h>
23
24#include <stdio.h>
25#include <stdlib.h>
26#include <string.h>
27#include <errno.h>
28#include <fcntl.h>
29#include <ctype.h>
30
31#include <winpr/assert.h>
32#include <winpr/cast.h>
33#include <winpr/asn1.h>
34#include <winpr/crt.h>
35#include <winpr/interlocked.h>
36#include <winpr/sspi.h>
37#include <winpr/print.h>
38#include <winpr/tchar.h>
39#include <winpr/sysinfo.h>
40#include <winpr/registry.h>
41#include <winpr/endian.h>
42#include <winpr/crypto.h>
43#include <winpr/path.h>
44#include <winpr/wtypes.h>
45#include <winpr/winsock.h>
46#include <winpr/schannel.h>
47#include <winpr/secapi.h>
48
49#include "kerberos.h"
50
51#ifdef WITH_KRB5_MIT
52#include "krb5glue.h"
53#include <profile.h>
54#endif
55
56#ifdef WITH_KRB5_HEIMDAL
57#include "krb5glue.h"
58#include <krb5-protos.h>
59#endif
60
61#include "../sspi.h"
62#include "../../log.h"
63#define TAG WINPR_TAG("sspi.Kerberos")
64
65#define KRB_TGT_REQ 16
66#define KRB_TGT_REP 17
67
68const SecPkgInfoA KERBEROS_SecPkgInfoA = {
69 0x000F3BBF, /* fCapabilities */
70 1, /* wVersion */
71 0x0010, /* wRPCID */
72 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
73 "Kerberos", /* Name */
74 "Kerberos Security Package" /* Comment */
75};
76
77static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 };
78static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 };
79
80const SecPkgInfoW KERBEROS_SecPkgInfoW = {
81 0x000F3BBF, /* fCapabilities */
82 1, /* wVersion */
83 0x0010, /* wRPCID */
84 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
85 KERBEROS_SecPkgInfoW_NameBuffer, /* Name */
86 KERBEROS_SecPkgInfoW_CommentBuffer /* Comment */
87};
88
89#ifdef WITH_KRB5
90
91enum KERBEROS_STATE
92{
93 KERBEROS_STATE_INITIAL,
94 KERBEROS_STATE_TGT_REQ,
95 KERBEROS_STATE_TGT_REP,
96 KERBEROS_STATE_AP_REQ,
97 KERBEROS_STATE_AP_REP,
98 KERBEROS_STATE_FINAL
99};
100
101typedef struct KRB_CREDENTIALS_st
102{
103 volatile LONG refCount;
104 krb5_context ctx;
105 char* kdc_url;
106 krb5_ccache ccache;
107 krb5_keytab keytab;
108 krb5_keytab client_keytab;
109 BOOL own_ccache;
110} KRB_CREDENTIALS;
111
112struct s_KRB_CONTEXT
113{
114 enum KERBEROS_STATE state;
115 KRB_CREDENTIALS* credentials;
116 krb5_auth_context auth_ctx;
117 BOOL acceptor;
118 uint32_t flags;
119 uint64_t local_seq;
120 uint64_t remote_seq;
121 struct krb5glue_keyset keyset;
122 BOOL u2u;
123 char* targetHost;
124};
125
126static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
127static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
128 (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
129
130#define krb_log_exec(fkt, ctx, ...) \
131 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
132#define krb_log_exec_ptr(fkt, ctx, ...) \
133 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
134static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
135 const char* file, const char* fkt, size_t line)
136{
137 switch (code)
138 {
139 case 0:
140 case KRB5_KT_END:
141 break;
142 default:
143 {
144 const DWORD level = WLOG_ERROR;
145
146 wLog* log = WLog_Get(TAG);
147 if (WLog_IsLevelActive(log, level))
148 {
149 const char* msg = krb5_get_error_message(ctx, code);
150 WLog_PrintTextMessage(log, level, line, file, fkt, "%s (%s [%d])", what, msg, code);
151 krb5_free_error_message(ctx, msg);
152 }
153 }
154 break;
155 }
156 return code;
157}
158
159static void credentials_unref(KRB_CREDENTIALS* credentials);
160
161static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
162{
163 if (!ctx)
164 return;
165
166 free(ctx->targetHost);
167 ctx->targetHost = NULL;
168
169 if (ctx->credentials)
170 {
171 krb5_context krbctx = ctx->credentials->ctx;
172 if (krbctx)
173 {
174 if (ctx->auth_ctx)
175 krb5_auth_con_free(krbctx, ctx->auth_ctx);
176
177 krb5glue_keys_free(krbctx, &ctx->keyset);
178 }
179
180 credentials_unref(ctx->credentials);
181 }
182
183 if (allocated)
184 free(ctx);
185}
186
187static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
188{
189 KRB_CONTEXT* context = NULL;
190
191 context = (KRB_CONTEXT*)calloc(1, sizeof(KRB_CONTEXT));
192 if (!context)
193 return NULL;
194
195 context->credentials = credentials;
196 InterlockedIncrement(&credentials->refCount);
197 return context;
198}
199
200static krb5_error_code krb5_prompter(krb5_context context, void* data,
201 WINPR_ATTR_UNUSED const char* name,
202 WINPR_ATTR_UNUSED const char* banner, int num_prompts,
203 krb5_prompt prompts[])
204{
205 for (int i = 0; i < num_prompts; i++)
206 {
207 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
208 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
209 {
210 prompts[i].reply->data = _strdup((const char*)data);
211
212 const size_t len = strlen((const char*)data);
213 if (len > UINT32_MAX)
214 return KRB5KRB_ERR_GENERIC;
215 prompts[i].reply->length = (UINT32)len;
216 }
217 }
218 return 0;
219}
220
221static inline krb5glue_key get_key(struct krb5glue_keyset* keyset)
222{
223 return keyset->acceptor_key ? keyset->acceptor_key
224 : keyset->initiator_key ? keyset->initiator_key
225 : keyset->session_key;
226}
227
228static BOOL isValidIPv4(const char* ipAddress)
229{
230 struct sockaddr_in sa = { 0 };
231 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
232 return result != 0;
233}
234
235static BOOL isValidIPv6(const char* ipAddress)
236{
237 struct sockaddr_in6 sa = { 0 };
238 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
239 return result != 0;
240}
241
242static BOOL isValidIP(const char* ipAddress)
243{
244 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
245}
246
247#if defined(WITH_KRB5_MIT)
248WINPR_ATTR_MALLOC(free, 1)
249static char* get_realm_name(krb5_data realm, size_t* plen)
250{
251 WINPR_ASSERT(plen);
252 *plen = 0;
253 if ((realm.length <= 0) || (!realm.data))
254 return NULL;
255
256 char* name = NULL;
257 (void)winpr_asprintf(&name, plen, "krbtgt/%*s@%*s", realm.length, realm.data, realm.length,
258 realm.data);
259 return name;
260}
261#elif defined(WITH_KRB5_HEIMDAL)
262WINPR_ATTR_MALLOC(free, 1)
263static char* get_realm_name(Realm realm, size_t* plen)
264{
265 WINPR_ASSERT(plen);
266 *plen = 0;
267 if (!realm)
268 return NULL;
269
270 char* name = NULL;
271 (void)winpr_asprintf(&name, plen, "krbtgt/%s@%s", realm, realm);
272 return name;
273}
274#endif
275
276static int build_krbtgt(krb5_context ctx, krb5_principal principal, krb5_principal* ptarget)
277{
278 /* "krbtgt/" + realm + "@" + realm */
279 size_t len = 0;
280 krb5_error_code rv = KRB5_CC_NOMEM;
281
282 char* name = get_realm_name(principal->realm, &len);
283 if (!name || (len == 0))
284 goto fail;
285
286 {
287 krb5_principal target = { 0 };
288 rv = krb5_parse_name(ctx, name, &target);
289 *ptarget = target;
290 }
291fail:
292 free(name);
293 return rv;
294}
295
296#endif /* WITH_KRB5 */
297
298static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
299 SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage, ULONG fCredentialUse,
300 WINPR_ATTR_UNUSED void* pvLogonID, void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn,
301 WINPR_ATTR_UNUSED void* pvGetKeyArgument, PCredHandle phCredential,
302 WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
303{
304#ifdef WITH_KRB5
305 SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
306 KRB_CREDENTIALS* credentials = NULL;
307 krb5_context ctx = NULL;
308 krb5_ccache ccache = NULL;
309 krb5_keytab keytab = NULL;
310 krb5_principal principal = NULL;
311 char* domain = NULL;
312 char* username = NULL;
313 char* password = NULL;
314 BOOL own_ccache = FALSE;
315 const char* const default_ccache_type = "MEMORY";
316
317 if (pAuthData)
318 {
319 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
320
321 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
322 krb_settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->kerberosSettings);
323
324 if (!sspi_CopyAuthIdentityFieldsA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &username,
325 &domain, &password))
326 {
327 WLog_ERR(TAG, "Failed to copy auth identity fields");
328 goto cleanup;
329 }
330
331 if (!pszPrincipal)
332 pszPrincipal = username;
333 }
334
335 if (krb_log_exec_ptr(krb5_init_context, &ctx))
336 goto cleanup;
337
338 if (domain)
339 {
340 char* udomain = _strdup(domain);
341 if (!udomain)
342 goto cleanup;
343
344 CharUpperA(udomain);
345 /* Will use domain if realm is not specified in username */
346 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
347 free(udomain);
348
349 if (rv)
350 goto cleanup;
351 }
352
353 if (pszPrincipal)
354 {
355 char* cpszPrincipal = _strdup(pszPrincipal);
356 if (!cpszPrincipal)
357 goto cleanup;
358
359 /* Find realm component if included and convert to uppercase */
360 char* p = strchr(cpszPrincipal, '@');
361 if (p)
362 CharUpperA(p);
363
364 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
365 free(cpszPrincipal);
366
367 if (rv)
368 goto cleanup;
369 WINPR_ASSERT(principal);
370 }
371
372 if (krb_settings && krb_settings->cache)
373 {
374 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
375 goto cleanup;
376 }
377 else
378 own_ccache = TRUE;
379
380 if (principal)
381 {
382 /* Use the default cache if it's initialized with the right principal */
383 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
384 {
385 if (own_ccache)
386 {
387 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
388 goto cleanup;
389 }
390 else
391 {
392 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
393 goto cleanup;
394 }
395
396 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
397 goto cleanup;
398 }
399 else
400 {
401 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
402 goto cleanup;
403 own_ccache = FALSE;
404 }
405 WINPR_ASSERT(ccache);
406 }
407 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
408 {
409 /* Use the default cache with it's default principal */
410 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
411 goto cleanup;
412 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
413 goto cleanup;
414 WINPR_ASSERT(ccache);
415 own_ccache = FALSE;
416 }
417 else
418 {
419 if (own_ccache)
420 {
421 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
422 goto cleanup;
423 }
424 else
425 {
426 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
427 goto cleanup;
428 }
429 WINPR_ASSERT(ccache);
430 }
431
432 if (krb_settings && krb_settings->keytab)
433 {
434 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
435 goto cleanup;
436 }
437 else
438 {
439 if (fCredentialUse & SECPKG_CRED_INBOUND)
440 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
441 goto cleanup;
442 }
443
444 /* Get initial credentials if required */
445 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
446 {
447 krb5_creds creds = { 0 };
448 krb5_creds matchCreds = { 0 };
449 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
450
451 krb5_timeofday(ctx, &matchCreds.times.endtime);
452 matchCreds.times.endtime += 60;
453 matchCreds.client = principal;
454
455 WINPR_ASSERT(principal);
456 WINPR_ASSERT(ctx);
457 WINPR_ASSERT(ccache);
458 if (krb_log_exec(build_krbtgt, ctx, principal, &matchCreds.server))
459 goto cleanup;
460
461 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
462 krb5_free_principal(ctx, matchCreds.server);
463 krb5_free_cred_contents(ctx, &creds);
464 if (rv)
465 {
466 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
467 password, krb_settings))
468 goto cleanup;
469 }
470 }
471
472 credentials = calloc(1, sizeof(KRB_CREDENTIALS));
473 if (!credentials)
474 goto cleanup;
475 credentials->refCount = 1;
476 credentials->ctx = ctx;
477 credentials->ccache = ccache;
478 credentials->keytab = keytab;
479 credentials->own_ccache = own_ccache;
480
481cleanup:
482
483 free(domain);
484 free(username);
485 free(password);
486
487 if (principal)
488 krb5_free_principal(ctx, principal);
489 if (ctx)
490 {
491 if (!credentials)
492 {
493 if (ccache)
494 {
495 if (own_ccache)
496 krb5_cc_destroy(ctx, ccache);
497 else
498 krb5_cc_close(ctx, ccache);
499 }
500 if (keytab)
501 krb5_kt_close(ctx, keytab);
502
503 krb5_free_context(ctx);
504 }
505 }
506
507 /* If we managed to get credentials set the output */
508 if (credentials)
509 {
510 sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials);
511 sspi_SecureHandleSetUpperPointer(phCredential, (void*)KERBEROS_SSP_NAME);
512 return SEC_E_OK;
513 }
514
515 return SEC_E_NO_CREDENTIALS;
516#else
517 return SEC_E_UNSUPPORTED_FUNCTION;
518#endif
519}
520
521static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
522 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
523 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
524 PTimeStamp ptsExpiry)
525{
526 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
527 char* principal = NULL;
528 char* package = NULL;
529
530 if (pszPrincipal)
531 {
532 principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL);
533 if (!principal)
534 goto fail;
535 }
536 if (pszPackage)
537 {
538 package = ConvertWCharToUtf8Alloc(pszPackage, NULL);
539 if (!package)
540 goto fail;
541 }
542
543 status =
544 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
545 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
546
547fail:
548 free(principal);
549 free(package);
550
551 return status;
552}
553
554#ifdef WITH_KRB5
555static void credentials_unref(KRB_CREDENTIALS* credentials)
556{
557 WINPR_ASSERT(credentials);
558
559 if (InterlockedDecrement(&credentials->refCount))
560 return;
561
562 free(credentials->kdc_url);
563
564 if (credentials->ccache)
565 {
566 if (credentials->own_ccache)
567 krb5_cc_destroy(credentials->ctx, credentials->ccache);
568 else
569 krb5_cc_close(credentials->ctx, credentials->ccache);
570 }
571 if (credentials->keytab)
572 krb5_kt_close(credentials->ctx, credentials->keytab);
573
574 krb5_free_context(credentials->ctx);
575 free(credentials);
576}
577#endif
578
579static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential)
580{
581#ifdef WITH_KRB5
582 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
583 if (!credentials)
584 return SEC_E_INVALID_HANDLE;
585
586 credentials_unref(credentials);
587
588 sspi_SecureHandleInvalidate(phCredential);
589 return SEC_E_OK;
590#else
591 return SEC_E_UNSUPPORTED_FUNCTION;
592#endif
593}
594
595static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
596 WINPR_ATTR_UNUSED PCredHandle phCredential, ULONG ulAttribute, WINPR_ATTR_UNUSED void* pBuffer)
597{
598#ifdef WITH_KRB5
599 switch (ulAttribute)
600 {
601 case SECPKG_CRED_ATTR_NAMES:
602 return SEC_E_OK;
603 default:
604 WLog_ERR(TAG, "TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
605 ulAttribute);
606 return SEC_E_UNSUPPORTED_FUNCTION;
607 }
608
609#else
610 return SEC_E_UNSUPPORTED_FUNCTION;
611#endif
612}
613
614static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential,
615 ULONG ulAttribute,
616 void* pBuffer)
617{
618 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
619}
620
621#ifdef WITH_KRB5
622
623static BOOL kerberos_mk_tgt_token(SecBuffer* buf, int msg_type, char* sname, char* host,
624 const krb5_data* ticket)
625{
626 WinPrAsn1Encoder* enc = NULL;
627 WinPrAsn1_MemoryChunk data;
628 wStream s;
629 size_t len = 0;
630 sspi_gss_data token;
631 BOOL ret = FALSE;
632
633 WINPR_ASSERT(buf);
634
635 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
636 return FALSE;
637 if (msg_type == KRB_TGT_REP && !ticket)
638 return FALSE;
639
640 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
641 if (!enc)
642 return FALSE;
643
644 /* KERB-TGT-REQUEST (SEQUENCE) */
645 if (!WinPrAsn1EncSeqContainer(enc))
646 goto cleanup;
647
648 /* pvno [0] INTEGER */
649 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
650 goto cleanup;
651
652 /* msg-type [1] INTEGER */
653 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
654 goto cleanup;
655
656 if (msg_type == KRB_TGT_REQ && sname)
657 {
658 /* server-name [2] PrincipalName (SEQUENCE) */
659 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
660 goto cleanup;
661
662 /* name-type [0] INTEGER */
663 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
664 goto cleanup;
665
666 /* name-string [1] SEQUENCE OF GeneralString */
667 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
668 goto cleanup;
669
670 if (!WinPrAsn1EncGeneralString(enc, sname))
671 goto cleanup;
672
673 if (host && !WinPrAsn1EncGeneralString(enc, host))
674 goto cleanup;
675
676 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
677 goto cleanup;
678 }
679 else if (msg_type == KRB_TGT_REP)
680 {
681 /* ticket [2] Ticket */
682 data.data = (BYTE*)ticket->data;
683 data.len = ticket->length;
684 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
685 goto cleanup;
686 }
687
688 if (!WinPrAsn1EncEndContainer(enc))
689 goto cleanup;
690
691 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
692 goto cleanup;
693
694 Stream_StaticInit(&s, buf->pvBuffer, len);
695 if (!WinPrAsn1EncToStream(enc, &s))
696 goto cleanup;
697
698 token.data = buf->pvBuffer;
699 token.length = (UINT)len;
700 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
701 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
702 ret = TRUE;
703
704cleanup:
705 WinPrAsn1Encoder_Free(&enc);
706 return ret;
707}
708
709static BOOL append(char* dst, size_t dstSize, const char* src)
710{
711 const size_t dlen = strnlen(dst, dstSize);
712 const size_t slen = strlen(src);
713 if (dlen + slen >= dstSize)
714 return FALSE;
715 if (!strncat(dst, src, dstSize - dlen))
716 return FALSE;
717 return TRUE;
718}
719
720static BOOL kerberos_rd_tgt_req_tag2(WinPrAsn1Decoder* dec, char* buf, size_t len)
721{
722 BOOL rc = FALSE;
723 WinPrAsn1Decoder seq = { .encoding = WINPR_ASN1_BER, { 0 } };
724
725 /* server-name [2] PrincipalName (SEQUENCE) */
726 if (!WinPrAsn1DecReadSequence(dec, &seq))
727 goto end;
728
729 /* name-type [0] INTEGER */
730 {
731 BOOL error = FALSE;
732 {
733 WinPrAsn1_INTEGER val = 0;
734 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
735 goto end;
736 }
737
738 /* name-string [1] SEQUENCE OF GeneralString */
739 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
740 goto end;
741 }
742
743 {
744 WinPrAsn1_tag tag = 0;
745 BOOL first = TRUE;
746 while (WinPrAsn1DecPeekTag(dec, &tag))
747 {
748 BOOL success = FALSE;
749 char* lstr = NULL;
750 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
751 goto fail;
752
753 if (!first)
754 {
755 if (!append(buf, len, "/"))
756 goto fail;
757 }
758 first = FALSE;
759
760 if (!append(buf, len, lstr))
761 goto fail;
762
763 success = TRUE;
764 fail:
765 free(lstr);
766 if (!success)
767 goto end;
768 }
769 }
770
771 rc = TRUE;
772end:
773 return rc;
774}
775
776static BOOL kerberos_rd_tgt_req_tag3(WinPrAsn1Decoder* dec, char* buf, size_t len)
777{
778 /* realm [3] Realm */
779 BOOL rc = FALSE;
780 WinPrAsn1_STRING str = NULL;
781 if (!WinPrAsn1DecReadGeneralString(dec, &str))
782 goto end;
783
784 if (!append(buf, len, "@"))
785 goto end;
786 if (!append(buf, len, str))
787 goto end;
788
789 rc = TRUE;
790end:
791 free(str);
792 return rc;
793}
794
795static BOOL kerberos_rd_tgt_req(WinPrAsn1Decoder* dec, char** target)
796{
797 BOOL rc = FALSE;
798
799 if (!target)
800 return FALSE;
801 *target = NULL;
802
803 wStream s = WinPrAsn1DecGetStream(dec);
804 const size_t len = Stream_Length(&s);
805 if (len == 0)
806 return TRUE;
807
808 WinPrAsn1Decoder dec2 = { .encoding = WINPR_ASN1_BER, { 0 } };
809 WinPrAsn1_tagId tag = 0;
810 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
811 return FALSE;
812
813 char* buf = calloc(len + 1, sizeof(char));
814 if (!buf)
815 return FALSE;
816
817 /* We expect ASN1 context tag values 2 or 3.
818 *
819 * In case we got value 2 an (optional) context tag value 3 might follow.
820 */
821 BOOL checkForTag3 = TRUE;
822 if (tag == 2)
823 {
824 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
825 if (rc)
826 {
827 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
828 if (res == 0)
829 checkForTag3 = FALSE;
830 }
831 }
832
833 if (checkForTag3)
834 {
835 if (tag == 3)
836 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
837 else
838 rc = FALSE;
839 }
840
841 if (rc)
842 *target = buf;
843 else
844 free(buf);
845 return rc;
846}
847
848static BOOL kerberos_rd_tgt_rep(WinPrAsn1Decoder* dec, krb5_data* ticket)
849{
850 if (!ticket)
851 return FALSE;
852
853 /* ticket [2] Ticket */
854 WinPrAsn1Decoder asnTicket = { .encoding = WINPR_ASN1_BER, { 0 } };
855 WinPrAsn1_tagId tag = 0;
856 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
857 return FALSE;
858
859 if (tag != 2)
860 return FALSE;
861
862 wStream s = WinPrAsn1DecGetStream(&asnTicket);
863 ticket->data = Stream_BufferAs(&s, char);
864
865 const size_t len = Stream_Length(&s);
866 if (len > UINT32_MAX)
867 return FALSE;
868 ticket->length = (UINT32)len;
869 return TRUE;
870}
871
872static BOOL kerberos_rd_tgt_token(const sspi_gss_data* token, char** target, krb5_data* ticket)
873{
874 BOOL error = 0;
875 WinPrAsn1_INTEGER val = 0;
876
877 WINPR_ASSERT(token);
878
879 if (target)
880 *target = NULL;
881
882 WinPrAsn1Decoder der = { .encoding = WINPR_ASN1_BER, { 0 } };
883 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
884
885 /* KERB-TGT-REQUEST (SEQUENCE) */
886 WinPrAsn1Decoder seq = { .encoding = WINPR_ASN1_BER, { 0 } };
887 if (!WinPrAsn1DecReadSequence(&der, &seq))
888 return FALSE;
889
890 /* pvno [0] INTEGER */
891 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
892 return FALSE;
893
894 /* msg-type [1] INTEGER */
895 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
896 return FALSE;
897
898 switch (val)
899 {
900 case KRB_TGT_REQ:
901 return kerberos_rd_tgt_req(&seq, target);
902 case KRB_TGT_REP:
903 return kerberos_rd_tgt_rep(&seq, ticket);
904 default:
905 break;
906 }
907 return FALSE;
908}
909
910#endif /* WITH_KRB5 */
911
912static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5, SEC_CHANNEL_BINDINGS* bindings)
913{
914 BYTE buf[4];
915
916 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
917 if (!winpr_Digest_Update(md5, buf, 4))
918 return FALSE;
919
920 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
921 if (!winpr_Digest_Update(md5, buf, 4))
922 return FALSE;
923
924 if (bindings->cbInitiatorLength &&
925 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
926 bindings->cbInitiatorLength))
927 return FALSE;
928
929 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
930 if (!winpr_Digest_Update(md5, buf, 4))
931 return FALSE;
932
933 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
934 if (!winpr_Digest_Update(md5, buf, 4))
935 return FALSE;
936
937 if (bindings->cbAcceptorLength &&
938 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
939 bindings->cbAcceptorLength))
940 return FALSE;
941
942 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
943 if (!winpr_Digest_Update(md5, buf, 4))
944 return FALSE;
945
946 if (bindings->cbApplicationDataLength &&
947 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
948 bindings->cbApplicationDataLength))
949 return FALSE;
950
951 return TRUE;
952}
953
954static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
955 PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq,
956 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep, PSecBufferDesc pInput,
957 WINPR_ATTR_UNUSED ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput,
958 WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
959{
960#ifdef WITH_KRB5
961 PSecBuffer input_buffer = NULL;
962 PSecBuffer output_buffer = NULL;
963 PSecBuffer bindings_buffer = NULL;
964 WINPR_DIGEST_CTX* md5 = NULL;
965 char* target = NULL;
966 char* sname = NULL;
967 char* host = NULL;
968 krb5_data input_token = { 0 };
969 krb5_data output_token = { 0 };
970 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
971 WinPrAsn1_OID oid = { 0 };
972 uint16_t tok_id = 0;
973 krb5_ap_rep_enc_part* reply = NULL;
974 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
975 char cksum_contents[24] = { 0 };
976 krb5_data cksum = { 0 };
977 krb5_creds in_creds = { 0 };
978 krb5_creds* creds = NULL;
979 BOOL isNewContext = FALSE;
980 KRB_CONTEXT* context = NULL;
981 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
982
983 /* behave like windows SSPIs that don't want empty context */
984 if (phContext && !phContext->dwLower && !phContext->dwUpper)
985 return SEC_E_INVALID_HANDLE;
986
987 context = sspi_SecureHandleGetLowerPointer(phContext);
988
989 if (!credentials)
990 return SEC_E_NO_CREDENTIALS;
991
992 if (pInput)
993 {
994 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
995 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
996 }
997 if (pOutput)
998 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
999
1000 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
1001 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
1002
1003 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1004 ap_flags |= AP_OPTS_USE_SESSION_KEY;
1005
1006 /* Split target name into service/hostname components */
1007 if (pszTargetName)
1008 {
1009 target = _strdup(pszTargetName);
1010 if (!target)
1011 {
1012 status = SEC_E_INSUFFICIENT_MEMORY;
1013 goto cleanup;
1014 }
1015 host = strchr(target, '/');
1016 if (host)
1017 {
1018 *host++ = 0;
1019 sname = target;
1020 }
1021 else
1022 host = target;
1023 if (isValidIP(host))
1024 {
1025 status = SEC_E_NO_CREDENTIALS;
1026 goto cleanup;
1027 }
1028 }
1029
1030 if (!context)
1031 {
1032 context = kerberos_ContextNew(credentials);
1033 if (!context)
1034 {
1035 status = SEC_E_INSUFFICIENT_MEMORY;
1036 goto cleanup;
1037 }
1038
1039 isNewContext = TRUE;
1040
1041 if (host)
1042 context->targetHost = _strdup(host);
1043 if (!context->targetHost)
1044 {
1045 status = SEC_E_INSUFFICIENT_MEMORY;
1046 goto cleanup;
1047 }
1048
1049 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1050 {
1051 context->state = KERBEROS_STATE_TGT_REQ;
1052 context->u2u = TRUE;
1053 }
1054 else
1055 context->state = KERBEROS_STATE_AP_REQ;
1056 }
1057 else
1058 {
1059 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1060 goto bad_token;
1061 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1062 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1063 goto bad_token;
1064 }
1065
1066 /* SSPI flags are compatible with GSS flags except INTEG_FLAG */
1067 context->flags |= (fContextReq & 0x1F);
1068 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1069 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1070
1071 switch (context->state)
1072 {
1073 case KERBEROS_STATE_TGT_REQ:
1074
1075 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL))
1076 goto cleanup;
1077
1078 context->state = KERBEROS_STATE_TGT_REP;
1079 status = SEC_I_CONTINUE_NEEDED;
1080 break;
1081
1082 case KERBEROS_STATE_TGT_REP:
1083
1084 if (tok_id != TOK_ID_TGT_REP)
1085 goto bad_token;
1086
1087 if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket))
1088 goto bad_token;
1089
1090 /* Continue to AP-REQ */
1091 /* fallthrough */
1092 WINPR_FALLTHROUGH
1093
1094 case KERBEROS_STATE_AP_REQ:
1095
1096 /* Set auth_context options */
1097 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1098 goto cleanup;
1099 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1100 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1101 goto cleanup;
1102 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1103 GSS_CHECKSUM_TYPE))
1104 goto cleanup;
1105
1106 /* Get a service ticket */
1107 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1108 KRB5_NT_SRV_HST, &in_creds.server))
1109 goto cleanup;
1110
1111 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1112 &in_creds.client))
1113 {
1114 status = SEC_E_WRONG_PRINCIPAL;
1115 goto cleanup;
1116 }
1117
1118 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1119 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1120 &creds))
1121 {
1122 status = SEC_E_NO_CREDENTIALS;
1123 goto cleanup;
1124 }
1125
1126 /* Write the checksum (delegation not implemented) */
1127 cksum.data = cksum_contents;
1128 cksum.length = sizeof(cksum_contents);
1129 winpr_Data_Write_UINT32(cksum_contents, 16);
1130 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1131
1132 if (bindings_buffer)
1133 {
1134 SEC_CHANNEL_BINDINGS* bindings = bindings_buffer->pvBuffer;
1135
1136 /* Sanity checks */
1137 if (bindings_buffer->cbBuffer < sizeof(SEC_CHANNEL_BINDINGS) ||
1138 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1139 bindings_buffer->cbBuffer ||
1140 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1141 bindings_buffer->cbBuffer ||
1142 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1143 bindings_buffer->cbBuffer)
1144 {
1145 status = SEC_E_BAD_BINDINGS;
1146 goto cleanup;
1147 }
1148
1149 md5 = winpr_Digest_New();
1150 if (!md5)
1151 goto cleanup;
1152
1153 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1154 goto cleanup;
1155
1156 if (!kerberos_hash_channel_bindings(md5, bindings))
1157 goto cleanup;
1158
1159 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1160 goto cleanup;
1161 }
1162
1163 /* Make the AP_REQ message */
1164 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1165 &cksum, creds, &output_token))
1166 goto cleanup;
1167
1168 if (!sspi_gss_wrap_token(output_buffer,
1169 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1170 TOK_ID_AP_REQ, &output_token))
1171 goto cleanup;
1172
1173 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1174 {
1175 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1176 context->auth_ctx, (INT32*)&context->local_seq))
1177 goto cleanup;
1178 context->remote_seq ^= context->local_seq;
1179 }
1180
1181 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1182 &context->keyset))
1183 goto cleanup;
1184
1185 context->state = KERBEROS_STATE_AP_REP;
1186
1187 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1188 status = SEC_I_CONTINUE_NEEDED;
1189 else
1190 status = SEC_E_OK;
1191 break;
1192
1193 case KERBEROS_STATE_AP_REP:
1194
1195 if (tok_id == TOK_ID_AP_REP)
1196 {
1197 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1198 &reply))
1199 goto cleanup;
1200 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1201 }
1202 else if (tok_id == TOK_ID_ERROR)
1203 {
1204 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1205 goto cleanup;
1206 }
1207 else
1208 goto bad_token;
1209
1210 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1211 {
1212 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1213 context->auth_ctx, (INT32*)&context->remote_seq))
1214 goto cleanup;
1215 }
1216
1217 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1218 &context->keyset))
1219 goto cleanup;
1220
1221 context->state = KERBEROS_STATE_FINAL;
1222
1223 if (output_buffer)
1224 output_buffer->cbBuffer = 0;
1225 status = SEC_E_OK;
1226 break;
1227
1228 case KERBEROS_STATE_FINAL:
1229 default:
1230 WLog_ERR(TAG, "Kerberos in invalid state!");
1231 goto cleanup;
1232 }
1233
1234cleanup:
1235{
1236 /* second_ticket is not allocated */
1237 krb5_data edata = { 0 };
1238 in_creds.second_ticket = edata;
1239 krb5_free_cred_contents(credentials->ctx, &in_creds);
1240}
1241
1242 krb5_free_creds(credentials->ctx, creds);
1243 if (output_token.data)
1244 krb5glue_free_data_contents(credentials->ctx, &output_token);
1245
1246 winpr_Digest_Free(md5);
1247
1248 free(target);
1249
1250 if (isNewContext)
1251 {
1252 switch (status)
1253 {
1254 case SEC_E_OK:
1255 case SEC_I_CONTINUE_NEEDED:
1256 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1257 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1258 break;
1259 default:
1260 kerberos_ContextFree(context, TRUE);
1261 break;
1262 }
1263 }
1264
1265 return status;
1266
1267bad_token:
1268 status = SEC_E_INVALID_TOKEN;
1269 goto cleanup;
1270#else
1271 return SEC_E_UNSUPPORTED_FUNCTION;
1272#endif /* WITH_KRB5 */
1273}
1274
1275static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1276 PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
1277 ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
1278 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, PTimeStamp ptsExpiry)
1279{
1280 SECURITY_STATUS status = 0;
1281 char* target_name = NULL;
1282
1283 if (pszTargetName)
1284 {
1285 target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL);
1286 if (!target_name)
1287 return SEC_E_INSUFFICIENT_MEMORY;
1288 }
1289
1290 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1291 Reserved1, TargetDataRep, pInput, Reserved2,
1292 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1293
1294 if (target_name)
1295 free(target_name);
1296
1297 return status;
1298}
1299
1300#ifdef WITH_KRB5
1301static BOOL retrieveTgtForPrincipal(KRB_CREDENTIALS* credentials, krb5_principal principal,
1302 krb5_creds* creds)
1303{
1304 BOOL ret = FALSE;
1305 krb5_kt_cursor cur = { 0 };
1306 krb5_keytab_entry entry = { 0 };
1307 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1308 goto cleanup;
1309
1310 do
1311 {
1312 krb5_error_code rv =
1313 krb_log_exec(krb5_kt_next_entry, credentials->ctx, credentials->keytab, &entry, &cur);
1314 if (rv == KRB5_KT_END)
1315 break;
1316 if (rv != 0)
1317 goto cleanup;
1318
1319 if (krb5_principal_compare(credentials->ctx, principal, entry.principal))
1320 break;
1321 rv = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);
1322 memset(&entry, 0, sizeof(entry));
1323 if (rv)
1324 goto cleanup;
1325 } while (1);
1326
1327 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1328 goto cleanup;
1329
1330 if (!entry.principal)
1331 goto cleanup;
1332
1333 /* Get the TGT */
1334 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, creds, entry.principal,
1335 credentials->keytab, 0, NULL, NULL))
1336 goto cleanup;
1337
1338 ret = TRUE;
1339
1340cleanup:
1341 return ret;
1342}
1343
1344static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, krb5_creds* creds)
1345{
1346 BOOL ret = TRUE;
1347 krb5_principal target_princ = { 0 };
1348 char* default_realm = NULL;
1349
1350 krb5_error_code rv =
1351 krb_log_exec(krb5_parse_name_flags, credentials->ctx, target, 0, &target_princ);
1352 if (rv)
1353 return FALSE;
1354
1355#if defined(WITH_KRB5_HEIMDAL)
1356 if (!target_princ->realm)
1357 {
1358 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1359 if (rv)
1360 goto out;
1361
1362 target_princ->realm = default_realm;
1363 }
1364#else
1365 if (!target_princ->realm.length)
1366 {
1367 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1368 if (rv)
1369 goto out;
1370
1371 target_princ->realm.data = default_realm;
1372 target_princ->realm.length = (unsigned int)strlen(default_realm);
1373 }
1374#endif
1375
1376 /*
1377 * First try with the account service. We were requested with something like
1378 * TERMSRV/<host>@<realm>, let's see if we have that in our keytab and if we're able
1379 * to retrieve a TGT with that entry
1380 *
1381 */
1382 if (retrieveTgtForPrincipal(credentials, target_princ, creds))
1383 goto out;
1384
1385 ret = FALSE;
1386
1387#if defined(WITH_KRB5_MIT)
1388 /*
1389 * if it's not working let's try with <host>$@<REALM> (note the dollar)
1390 */
1391 {
1392 char hostDollar[300] = { 0 };
1393 if (target_princ->length < 2)
1394 goto out;
1395
1396 (void)snprintf(hostDollar, sizeof(hostDollar) - 1, "%s$@%s", target_princ->data[1].data,
1397 target_princ->realm.data);
1398 krb5_free_principal(credentials->ctx, target_princ);
1399
1400 rv = krb_log_exec(krb5_parse_name_flags, credentials->ctx, hostDollar, 0, &target_princ);
1401 if (rv)
1402 return FALSE;
1403 }
1404 ret = retrieveTgtForPrincipal(credentials, target_princ, creds);
1405#endif
1406
1407out:
1408 if (default_realm)
1409 krb5_free_default_realm(credentials->ctx, default_realm);
1410
1411 krb5_free_principal(credentials->ctx, target_princ);
1412 return ret;
1413}
1414#endif
1415
1416static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1417 PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput,
1418 WINPR_ATTR_UNUSED ULONG fContextReq, WINPR_ATTR_UNUSED ULONG TargetDataRep,
1419 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr,
1420 WINPR_ATTR_UNUSED PTimeStamp ptsExpity)
1421{
1422#ifdef WITH_KRB5
1423 BOOL isNewContext = FALSE;
1424 PSecBuffer input_buffer = NULL;
1425 PSecBuffer output_buffer = NULL;
1426 WinPrAsn1_OID oid = { 0 };
1427 uint16_t tok_id = 0;
1428 krb5_data input_token = { 0 };
1429 krb5_data output_token = { 0 };
1430 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1431 krb5_flags ap_flags = 0;
1432 krb5glue_authenticator authenticator = NULL;
1433 char* target = NULL;
1434 krb5_keytab_entry entry = { 0 };
1435 krb5_creds creds = { 0 };
1436
1437 /* behave like windows SSPIs that don't want empty context */
1438 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1439 return SEC_E_INVALID_HANDLE;
1440
1441 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1442 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1443
1444 if (pInput)
1445 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1446 if (pOutput)
1447 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1448
1449 if (!input_buffer)
1450 return SEC_E_INVALID_TOKEN;
1451
1452 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1453 return SEC_E_INVALID_TOKEN;
1454
1455 if (!context)
1456 {
1457 isNewContext = TRUE;
1458 context = kerberos_ContextNew(credentials);
1459 context->acceptor = TRUE;
1460
1461 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1462 {
1463 context->u2u = TRUE;
1464 context->state = KERBEROS_STATE_TGT_REQ;
1465 }
1466 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1467 context->state = KERBEROS_STATE_AP_REQ;
1468 else
1469 goto bad_token;
1470 }
1471 else
1472 {
1473 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1474 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1475 goto bad_token;
1476 }
1477
1478 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1479 {
1480 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
1481 goto bad_token;
1482
1483 if (!retrieveSomeTgt(credentials, target, &creds))
1484 goto cleanup;
1485
1486 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
1487 goto cleanup;
1488
1489 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1490 goto cleanup;
1491
1492 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1493 &krb5glue_creds_getkey(creds)))
1494 goto cleanup;
1495
1496 context->state = KERBEROS_STATE_AP_REQ;
1497 }
1498 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1499 {
1500 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL,
1501 credentials->keytab, &ap_flags, NULL))
1502 goto cleanup;
1503
1504 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1505 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1506 goto cleanup;
1507
1508 /* Retrieve and validate the checksum */
1509 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1510 &authenticator))
1511 goto cleanup;
1512 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1513 &context->flags))
1514 goto bad_token;
1515
1516 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1517 {
1518 if (!output_buffer)
1519 goto bad_token;
1520 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1521 goto cleanup;
1522 if (!sspi_gss_wrap_token(output_buffer,
1523 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1524 TOK_ID_AP_REP, &output_token))
1525 goto cleanup;
1526 }
1527 else
1528 {
1529 if (output_buffer)
1530 output_buffer->cbBuffer = 0;
1531 }
1532
1533 *pfContextAttr = (context->flags & 0x1F);
1534 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1535 *pfContextAttr |= ASC_RET_INTEGRITY;
1536
1537 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1538 {
1539 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1540 (INT32*)&context->local_seq))
1541 goto cleanup;
1542 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1543 (INT32*)&context->remote_seq))
1544 goto cleanup;
1545 }
1546
1547 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1548 &context->keyset))
1549 goto cleanup;
1550
1551 context->state = KERBEROS_STATE_FINAL;
1552 }
1553 else
1554 goto bad_token;
1555
1556 /* On first call allocate new context */
1557 if (context->state == KERBEROS_STATE_FINAL)
1558 status = SEC_E_OK;
1559 else
1560 status = SEC_I_CONTINUE_NEEDED;
1561
1562cleanup:
1563 free(target);
1564 if (output_token.data)
1565 krb5glue_free_data_contents(credentials->ctx, &output_token);
1566 if (entry.principal)
1567 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1568
1569 if (isNewContext)
1570 {
1571 switch (status)
1572 {
1573 case SEC_E_OK:
1574 case SEC_I_CONTINUE_NEEDED:
1575 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1576 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1577 break;
1578 default:
1579 kerberos_ContextFree(context, TRUE);
1580 break;
1581 }
1582 }
1583
1584 return status;
1585
1586bad_token:
1587 status = SEC_E_INVALID_TOKEN;
1588 goto cleanup;
1589#else
1590 return SEC_E_UNSUPPORTED_FUNCTION;
1591#endif /* WITH_KRB5 */
1592}
1593
1594#ifdef WITH_KRB5
1595static KRB_CONTEXT* get_context(PCtxtHandle phContext)
1596{
1597 if (!phContext)
1598 return NULL;
1599
1600 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1601 if (!name)
1602 return NULL;
1603
1604 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1605 return NULL;
1606 return sspi_SecureHandleGetLowerPointer(phContext);
1607}
1608
1609static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1610{
1611 WINPR_ASSERT(data);
1612 WINPR_ASSERT(ptr);
1613 WINPR_ASSERT(psize);
1614
1615 *ptr = (PUCHAR)malloc(data->length);
1616 if (!*ptr)
1617 return FALSE;
1618
1619 *psize = data->length;
1620 memcpy(*ptr, data->data, data->length);
1621 return TRUE;
1622}
1623#endif
1624
1625static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext)
1626{
1627#ifdef WITH_KRB5
1628 KRB_CONTEXT* context = get_context(phContext);
1629 if (!context)
1630 return SEC_E_INVALID_HANDLE;
1631
1632 kerberos_ContextFree(context, TRUE);
1633
1634 return SEC_E_OK;
1635#else
1636 return SEC_E_UNSUPPORTED_FUNCTION;
1637#endif
1638}
1639
1640#ifdef WITH_KRB5
1641
1642static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1643{
1644 switch (code)
1645 {
1646 case 0:
1647 return SEC_E_OK;
1648 default:
1649 return SEC_E_INTERNAL_ERROR;
1650 }
1651}
1652
1653static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1654 SecPkgContext_Sizes* ContextSizes)
1655{
1656 UINT header = 0;
1657 UINT pad = 0;
1658 UINT trailer = 0;
1659 krb5glue_key key = NULL;
1660
1661 WINPR_ASSERT(context);
1662 WINPR_ASSERT(context->auth_ctx);
1663
1664 /* The MaxTokenSize by default is 12,000 bytes. This has been the default value
1665 * since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2.
1666 * For Windows Server 2012, the default value of the MaxTokenSize registry
1667 * entry is 48,000 bytes.*/
1668 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1669 ContextSizes->cbMaxSignature = 0;
1670 ContextSizes->cbBlockSize = 1;
1671 ContextSizes->cbSecurityTrailer = 0;
1672
1673 key = get_key(&context->keyset);
1674
1675 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1676 {
1677 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1678 KRB5_CRYPTO_TYPE_HEADER, &header);
1679 if (rv)
1680 return krb5_error_to_SECURITY_STATUS(rv);
1681
1682 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1683 &pad);
1684 if (rv)
1685 return krb5_error_to_SECURITY_STATUS(rv);
1686
1687 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1688 &trailer);
1689 if (rv)
1690 return krb5_error_to_SECURITY_STATUS(rv);
1691
1692 /* GSS header (= 16 bytes) + encrypted header = 32 bytes */
1693 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1694 }
1695
1696 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1697 {
1698 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1699 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1700 if (rv)
1701 return krb5_error_to_SECURITY_STATUS(rv);
1702
1703 ContextSizes->cbMaxSignature += 16;
1704 }
1705
1706 return SEC_E_OK;
1707}
1708
1709static SECURITY_STATUS kerberos_ATTR_AUTH_IDENTITY(KRB_CONTEXT* context,
1710 KRB_CREDENTIALS* credentials,
1711 SecPkgContext_AuthIdentity* AuthIdentity)
1712{
1713 const SecPkgContext_AuthIdentity empty = { 0 };
1714
1715 WINPR_ASSERT(context);
1716 WINPR_ASSERT(context->auth_ctx);
1717 WINPR_ASSERT(credentials);
1718
1719 WINPR_ASSERT(AuthIdentity);
1720 *AuthIdentity = empty;
1721
1722 krb5glue_authenticator authenticator = NULL;
1723 krb5_error_code rv = krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx,
1724 context->auth_ctx, &authenticator);
1725 if (rv)
1726 goto fail;
1727
1728 {
1729 rv = -1;
1730
1731#if defined(WITH_KRB5_HEIMDAL)
1732 const Realm data = authenticator->crealm;
1733 if (!data)
1734 goto fail;
1735 const size_t data_len = length_Realm(&data);
1736#else
1737 krb5_data* realm_data = krb5_princ_realm(credentials->ctx, authenticator->client);
1738 if (!realm_data)
1739 goto fail;
1740 const char* data = realm_data->data;
1741 if (!data)
1742 goto fail;
1743 const size_t data_len = realm_data->length;
1744#endif
1745
1746 if (data_len > (sizeof(AuthIdentity->Domain) - 1))
1747 goto fail;
1748 strncpy(AuthIdentity->Domain, data, data_len);
1749 }
1750
1751 {
1752#if defined(WITH_KRB5_HEIMDAL)
1753 const PrincipalName* principal = &authenticator->cname;
1754 const size_t name_length = length_PrincipalName(principal);
1755 if (!principal->name_string.val)
1756 goto fail;
1757 const char* name = *principal->name_string.val;
1758#else
1759 char* name = NULL;
1760 rv = krb_log_exec(krb5_unparse_name_flags, credentials->ctx, authenticator->client,
1761 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
1762 if (rv)
1763 goto fail;
1764
1765 const size_t name_length = strlen(name);
1766#endif
1767
1768 const bool ok = (name_length <= (sizeof(AuthIdentity->User) - 1));
1769 if (ok)
1770 strncpy(AuthIdentity->User, name, name_length);
1771
1772 rv = ok ? 0 : -1;
1773
1774#if !defined(WITH_KRB5_HEIMDAL)
1775 krb5_free_unparsed_name(credentials->ctx, name);
1776#endif
1777 }
1778
1779fail:
1780 krb5glue_free_authenticator(credentials->ctx, authenticator);
1781 return krb5_error_to_SECURITY_STATUS(rv);
1782}
1783
1784static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1785 KRB_CREDENTIALS* credentials,
1786 KERB_TICKET_LOGON* ticketLogon)
1787{
1788 krb5_creds matchCred = { 0 };
1789 krb5_auth_context authContext = NULL;
1790 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1791 BOOL firstRun = TRUE;
1792 krb5_creds* hostCred = NULL;
1793 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1794 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost, "HOST",
1795 KRB5_NT_SRV_HST, &matchCred.server);
1796 if (rv)
1797 goto out;
1798
1799 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1800 &matchCred.client);
1801 if (rv)
1802 goto out;
1803
1804 /* try from the cache first, and then do a new request */
1805again:
1806 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1807 &matchCred, &hostCred);
1808 switch (rv)
1809 {
1810 case 0:
1811 break;
1812 case KRB5_CC_NOTFOUND:
1813 getCredsFlags = 0;
1814 if (firstRun)
1815 {
1816 firstRun = FALSE;
1817 goto again;
1818 }
1819 WINPR_FALLTHROUGH
1820 default:
1821 WLog_ERR(TAG, "krb5_get_credentials(hostCreds), rv=%d", rv);
1822 goto out;
1823 }
1824
1825 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1826 goto out;
1827
1828 {
1829 krb5_data derOut = { 0 };
1830 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1831 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1832 {
1833 ret = SEC_E_LOGON_DENIED;
1834 goto out;
1835 }
1836
1837 ticketLogon->MessageType = KerbTicketLogon;
1838 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1839
1840 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1841 &ticketLogon->ServiceTicketLength))
1842 {
1843 krb5_free_data(credentials->ctx, &derOut);
1844 goto out;
1845 }
1846
1847 ticketLogon->TicketGrantingTicketLength = derOut.length;
1848 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1849 }
1850
1851 ret = SEC_E_OK;
1852out:
1853 krb5_auth_con_free(credentials->ctx, authContext);
1854 krb5_free_creds(credentials->ctx, hostCred);
1855 krb5_free_cred_contents(credentials->ctx, &matchCred);
1856 return ret;
1857}
1858
1859#endif /* WITH_KRB5 */
1860
1861static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext,
1862 ULONG ulAttribute, void* pBuffer)
1863{
1864 if (!phContext)
1865 return SEC_E_INVALID_HANDLE;
1866
1867 if (!pBuffer)
1868 return SEC_E_INVALID_PARAMETER;
1869
1870#ifdef WITH_KRB5
1871 KRB_CONTEXT* context = get_context(phContext);
1872 if (!context)
1873 return SEC_E_INVALID_PARAMETER;
1874
1875 KRB_CREDENTIALS* credentials = context->credentials;
1876
1877 switch (ulAttribute)
1878 {
1879 case SECPKG_ATTR_SIZES:
1880 return kerberos_ATTR_SIZES(context, credentials, (SecPkgContext_Sizes*)pBuffer);
1881
1882 case SECPKG_ATTR_AUTH_IDENTITY:
1883 return kerberos_ATTR_AUTH_IDENTITY(context, credentials,
1884 (SecPkgContext_AuthIdentity*)pBuffer);
1885
1886 case SECPKG_CRED_ATTR_TICKET_LOGON:
1887 return kerberos_ATTR_TICKET_LOGON(context, credentials, (KERB_TICKET_LOGON*)pBuffer);
1888
1889 default:
1890 WLog_ERR(TAG, "TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1891 ulAttribute);
1892 return SEC_E_UNSUPPORTED_FUNCTION;
1893 }
1894#else
1895 return SEC_E_UNSUPPORTED_FUNCTION;
1896#endif
1897}
1898
1899static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext,
1900 ULONG ulAttribute, void* pBuffer)
1901{
1902 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1903}
1904
1905static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
1906 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1907 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1908{
1909 return SEC_E_UNSUPPORTED_FUNCTION;
1910}
1911
1912static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
1913 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1914 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1915{
1916 return SEC_E_UNSUPPORTED_FUNCTION;
1917}
1918
1919static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(PCredHandle phCredential,
1920 ULONG ulAttribute,
1921 void* pBuffer, ULONG cbBuffer,
1922 WINPR_ATTR_UNUSED BOOL unicode)
1923{
1924#ifdef WITH_KRB5
1925 KRB_CREDENTIALS* credentials = NULL;
1926
1927 if (!phCredential)
1928 return SEC_E_INVALID_HANDLE;
1929
1930 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1931
1932 if (!credentials)
1933 return SEC_E_INVALID_HANDLE;
1934
1935 if (!pBuffer)
1936 return SEC_E_INSUFFICIENT_MEMORY;
1937
1938 switch (ulAttribute)
1939 {
1940 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1941 {
1942 SecPkgCredentials_KdcProxySettingsW* kdc_settings = pBuffer;
1943
1944 /* Sanity checks */
1945 if (cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1946 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1947 kdc_settings->ProxyServerOffset < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1948 cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) +
1949 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1950 return SEC_E_INVALID_TOKEN;
1951
1952 if (credentials->kdc_url)
1953 {
1954 free(credentials->kdc_url);
1955 credentials->kdc_url = NULL;
1956 }
1957
1958 if (kdc_settings->ProxyServerLength > 0)
1959 {
1960 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
1961
1962 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
1963 proxy, kdc_settings->ProxyServerLength / sizeof(WCHAR), NULL);
1964 if (!credentials->kdc_url)
1965 return SEC_E_INSUFFICIENT_MEMORY;
1966 }
1967
1968 return SEC_E_OK;
1969 }
1970 case SECPKG_CRED_ATTR_NAMES:
1971 case SECPKG_ATTR_SUPPORTED_ALGS:
1972 default:
1973 WLog_ERR(TAG, "TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
1974 ulAttribute);
1975 return SEC_E_UNSUPPORTED_FUNCTION;
1976 }
1977
1978#else
1979 return SEC_E_UNSUPPORTED_FUNCTION;
1980#endif
1981}
1982
1983static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(PCredHandle phCredential,
1984 ULONG ulAttribute,
1985 void* pBuffer, ULONG cbBuffer)
1986{
1987 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
1988}
1989
1990static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(PCredHandle phCredential,
1991 ULONG ulAttribute,
1992 void* pBuffer, ULONG cbBuffer)
1993{
1994 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
1995}
1996
1997static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP,
1998 PSecBufferDesc pMessage,
1999 ULONG MessageSeqNo)
2000{
2001#ifdef WITH_KRB5
2002 KRB_CONTEXT* context = get_context(phContext);
2003 PSecBuffer sig_buffer = NULL;
2004 PSecBuffer data_buffer = NULL;
2005 char* header = NULL;
2006 BYTE flags = 0;
2007 krb5glue_key key = NULL;
2008 krb5_keyusage usage = 0;
2009 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2010 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2011 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2012 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2013 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2014
2015 if (!context)
2016 return SEC_E_INVALID_HANDLE;
2017
2018 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2019 return SEC_E_UNSUPPORTED_FUNCTION;
2020
2021 KRB_CREDENTIALS* creds = context->credentials;
2022
2023 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2024 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2025
2026 if (!sig_buffer || !data_buffer)
2027 return SEC_E_INVALID_TOKEN;
2028
2029 if (fQOP)
2030 return SEC_E_QOP_NOT_SUPPORTED;
2031
2032 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2033 flags |= FLAG_WRAP_CONFIDENTIAL;
2034
2035 key = get_key(&context->keyset);
2036 if (!key)
2037 return SEC_E_INTERNAL_ERROR;
2038
2039 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2040
2041 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
2042
2043 /* Set the lengths of the data (plaintext + header) */
2044 encrypt_iov[1].data.length = data_buffer->cbBuffer;
2045 encrypt_iov[2].data.length = 16;
2046
2047 /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
2048 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
2049 ARRAYSIZE(encrypt_iov)))
2050 return SEC_E_INTERNAL_ERROR;
2051 if (sig_buffer->cbBuffer <
2052 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
2053 return SEC_E_INSUFFICIENT_MEMORY;
2054
2055 /* Set up the iov array in sig_buffer */
2056 header = sig_buffer->pvBuffer;
2057 encrypt_iov[2].data.data = header + 16;
2058 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
2059 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
2060 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
2061 encrypt_iov[1].data.data = data_buffer->pvBuffer;
2062
2063 /* Write the GSS header with 0 in RRC */
2064 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
2065 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2066 header[3] = (char)0xFF;
2067 winpr_Data_Write_UINT32(header + 4, 0);
2068 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2069
2070 /* Copy header to be encrypted */
2071 CopyMemory(encrypt_iov[2].data.data, header, 16);
2072
2073 /* Set the correct RRC */
2074 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
2075 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
2076
2077 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
2078 ARRAYSIZE(encrypt_iov)))
2079 return SEC_E_INTERNAL_ERROR;
2080
2081 return SEC_E_OK;
2082#else
2083 return SEC_E_UNSUPPORTED_FUNCTION;
2084#endif
2085}
2086
2087static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
2088 PSecBufferDesc pMessage,
2089 ULONG MessageSeqNo, ULONG* pfQOP)
2090{
2091#ifdef WITH_KRB5
2092 KRB_CONTEXT* context = get_context(phContext);
2093 PSecBuffer sig_buffer = NULL;
2094 PSecBuffer data_buffer = NULL;
2095 krb5glue_key key = NULL;
2096 krb5_keyusage usage = 0;
2097 uint16_t tok_id = 0;
2098 BYTE flags = 0;
2099 uint16_t ec = 0;
2100 uint16_t rrc = 0;
2101 uint64_t seq_no = 0;
2102 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2103 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2104 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2105 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2106 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2107
2108 if (!context)
2109 return SEC_E_INVALID_HANDLE;
2110
2111 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2112 return SEC_E_UNSUPPORTED_FUNCTION;
2113
2114 KRB_CREDENTIALS* creds = context->credentials;
2115
2116 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2117 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2118
2119 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2120 return SEC_E_INVALID_TOKEN;
2121
2122 /* Read in header information */
2123 BYTE* header = sig_buffer->pvBuffer;
2124 tok_id = winpr_Data_Get_UINT16_BE(header);
2125 flags = header[2];
2126 ec = winpr_Data_Get_UINT16_BE(&header[4]);
2127 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
2128 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
2129
2130 /* Check that the header is valid */
2131 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
2132 return SEC_E_INVALID_TOKEN;
2133
2134 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
2135 return SEC_E_INVALID_TOKEN;
2136
2137 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
2138 (seq_no != context->remote_seq + MessageSeqNo))
2139 return SEC_E_OUT_OF_SEQUENCE;
2140
2141 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
2142 return SEC_E_INVALID_TOKEN;
2143
2144 /* We don't expect a trailer buffer; the encrypted header must be rotated */
2145 if (rrc < 16)
2146 return SEC_E_INVALID_TOKEN;
2147
2148 /* Find the proper key and key usage */
2149 key = get_key(&context->keyset);
2150 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
2151 return SEC_E_INTERNAL_ERROR;
2152 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
2153
2154 /* Fill in the lengths of the iov array */
2155 iov[1].data.length = data_buffer->cbBuffer;
2156 iov[2].data.length = 16;
2157 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2158 return SEC_E_INTERNAL_ERROR;
2159
2160 /* We don't expect a trailer buffer; everything must be in sig_buffer */
2161 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
2162 return SEC_E_INVALID_TOKEN;
2163 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
2164 return SEC_E_INVALID_TOKEN;
2165
2166 /* Locate the parts of the message */
2167 iov[0].data.data = (char*)&header[16 + rrc + ec];
2168 iov[1].data.data = data_buffer->pvBuffer;
2169 iov[2].data.data = (char*)&header[16 + ec];
2170 char* data2 = iov[2].data.data;
2171 iov[3].data.data = &data2[iov[2].data.length];
2172
2173 char* data3 = iov[3].data.data;
2174 iov[4].data.data = &data3[iov[3].data.length];
2175
2176 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2177 return SEC_E_INTERNAL_ERROR;
2178
2179 /* Validate the encrypted header */
2180 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
2181 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
2182 if (memcmp(iov[2].data.data, header, 16) != 0)
2183 return SEC_E_MESSAGE_ALTERED;
2184
2185 *pfQOP = 0;
2186
2187 return SEC_E_OK;
2188#else
2189 return SEC_E_UNSUPPORTED_FUNCTION;
2190#endif
2191}
2192
2193static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext,
2194 WINPR_ATTR_UNUSED ULONG fQOP,
2195 PSecBufferDesc pMessage, ULONG MessageSeqNo)
2196{
2197#ifdef WITH_KRB5
2198 KRB_CONTEXT* context = get_context(phContext);
2199 PSecBuffer sig_buffer = NULL;
2200 PSecBuffer data_buffer = NULL;
2201 krb5glue_key key = NULL;
2202 krb5_keyusage usage = 0;
2203 BYTE flags = 0;
2204 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2205 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2206 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2207
2208 if (!context)
2209 return SEC_E_INVALID_HANDLE;
2210
2211 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2212 return SEC_E_UNSUPPORTED_FUNCTION;
2213
2214 KRB_CREDENTIALS* creds = context->credentials;
2215
2216 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2217 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2218
2219 if (!sig_buffer || !data_buffer)
2220 return SEC_E_INVALID_TOKEN;
2221
2222 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2223
2224 key = get_key(&context->keyset);
2225 if (!key)
2226 return SEC_E_INTERNAL_ERROR;
2227 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2228
2229 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2230
2231 /* Fill in the lengths of the iov array */
2232 iov[0].data.length = data_buffer->cbBuffer;
2233 iov[1].data.length = 16;
2234 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2235 return SEC_E_INTERNAL_ERROR;
2236
2237 /* Ensure the buffer is big enough */
2238 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2239 return SEC_E_INSUFFICIENT_MEMORY;
2240
2241 /* Write the header */
2242 char* header = sig_buffer->pvBuffer;
2243 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2244 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2245 memset(header + 3, 0xFF, 5);
2246 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2247
2248 /* Set up the iov array */
2249 iov[0].data.data = data_buffer->pvBuffer;
2250 iov[1].data.data = header;
2251 iov[2].data.data = header + 16;
2252
2253 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2254 return SEC_E_INTERNAL_ERROR;
2255
2256 sig_buffer->cbBuffer = iov[2].data.length + 16;
2257
2258 return SEC_E_OK;
2259#else
2260 return SEC_E_UNSUPPORTED_FUNCTION;
2261#endif
2262}
2263
2264static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
2265 PSecBufferDesc pMessage,
2266 ULONG MessageSeqNo,
2267 WINPR_ATTR_UNUSED ULONG* pfQOP)
2268{
2269#ifdef WITH_KRB5
2270 PSecBuffer sig_buffer = NULL;
2271 PSecBuffer data_buffer = NULL;
2272 krb5glue_key key = NULL;
2273 krb5_keyusage usage = 0;
2274 BYTE flags = 0;
2275 uint16_t tok_id = 0;
2276 uint64_t seq_no = 0;
2277 krb5_boolean is_valid = 0;
2278 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2279 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2280 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2281 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2282
2283 KRB_CONTEXT* context = get_context(phContext);
2284 if (!context)
2285 return SEC_E_INVALID_HANDLE;
2286
2287 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2288 return SEC_E_UNSUPPORTED_FUNCTION;
2289
2290 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2291 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2292
2293 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2294 return SEC_E_INVALID_TOKEN;
2295
2296 /* Read in header info */
2297 BYTE* header = sig_buffer->pvBuffer;
2298 tok_id = winpr_Data_Get_UINT16_BE(header);
2299 flags = header[2];
2300 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2301
2302 /* Validate header */
2303 if (tok_id != TOK_ID_MIC)
2304 return SEC_E_INVALID_TOKEN;
2305
2306 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2307 return SEC_E_INVALID_TOKEN;
2308
2309 if (memcmp(header + 3, cmp_filler, sizeof(cmp_filler)) != 0)
2310 return SEC_E_INVALID_TOKEN;
2311
2312 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2313 return SEC_E_OUT_OF_SEQUENCE;
2314
2315 /* Find the proper key and usage */
2316 key = get_key(&context->keyset);
2317 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2318 return SEC_E_INTERNAL_ERROR;
2319 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2320
2321 /* Fill in the iov array lengths */
2322 KRB_CREDENTIALS* creds = context->credentials;
2323 iov[0].data.length = data_buffer->cbBuffer;
2324 iov[1].data.length = 16;
2325 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2326 return SEC_E_INTERNAL_ERROR;
2327
2328 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2329 return SEC_E_INTERNAL_ERROR;
2330
2331 /* Set up the iov array */
2332 iov[0].data.data = data_buffer->pvBuffer;
2333 iov[1].data.data = (char*)header;
2334 iov[2].data.data = (char*)&header[16];
2335
2336 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2337 &is_valid))
2338 return SEC_E_INTERNAL_ERROR;
2339
2340 if (!is_valid)
2341 return SEC_E_MESSAGE_ALTERED;
2342
2343 return SEC_E_OK;
2344#else
2345 return SEC_E_UNSUPPORTED_FUNCTION;
2346#endif
2347}
2348
2349const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = {
2350 3, /* dwVersion */
2351 NULL, /* EnumerateSecurityPackages */
2352 kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
2353 kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
2354 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2355 NULL, /* Reserved2 */
2356 kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */
2357 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2358 NULL, /* CompleteAuthToken */
2359 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2360 NULL, /* ApplyControlToken */
2361 kerberos_QueryContextAttributesA, /* QueryContextAttributes */
2362 NULL, /* ImpersonateSecurityContext */
2363 NULL, /* RevertSecurityContext */
2364 kerberos_MakeSignature, /* MakeSignature */
2365 kerberos_VerifySignature, /* VerifySignature */
2366 NULL, /* FreeContextBuffer */
2367 NULL, /* QuerySecurityPackageInfo */
2368 NULL, /* Reserved3 */
2369 NULL, /* Reserved4 */
2370 NULL, /* ExportSecurityContext */
2371 NULL, /* ImportSecurityContext */
2372 NULL, /* AddCredentials */
2373 NULL, /* Reserved8 */
2374 NULL, /* QuerySecurityContextToken */
2375 kerberos_EncryptMessage, /* EncryptMessage */
2376 kerberos_DecryptMessage, /* DecryptMessage */
2377 kerberos_SetContextAttributesA, /* SetContextAttributes */
2378 kerberos_SetCredentialsAttributesA, /* SetCredentialsAttributes */
2379};
2380
2381const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = {
2382 3, /* dwVersion */
2383 NULL, /* EnumerateSecurityPackages */
2384 kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
2385 kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
2386 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2387 NULL, /* Reserved2 */
2388 kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */
2389 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2390 NULL, /* CompleteAuthToken */
2391 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2392 NULL, /* ApplyControlToken */
2393 kerberos_QueryContextAttributesW, /* QueryContextAttributes */
2394 NULL, /* ImpersonateSecurityContext */
2395 NULL, /* RevertSecurityContext */
2396 kerberos_MakeSignature, /* MakeSignature */
2397 kerberos_VerifySignature, /* VerifySignature */
2398 NULL, /* FreeContextBuffer */
2399 NULL, /* QuerySecurityPackageInfo */
2400 NULL, /* Reserved3 */
2401 NULL, /* Reserved4 */
2402 NULL, /* ExportSecurityContext */
2403 NULL, /* ImportSecurityContext */
2404 NULL, /* AddCredentials */
2405 NULL, /* Reserved8 */
2406 NULL, /* QuerySecurityContextToken */
2407 kerberos_EncryptMessage, /* EncryptMessage */
2408 kerberos_DecryptMessage, /* DecryptMessage */
2409 kerberos_SetContextAttributesW, /* SetContextAttributes */
2410 kerberos_SetCredentialsAttributesW, /* SetCredentialsAttributes */
2411};
2412
2413BOOL KERBEROS_init(void)
2414{
2415 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2416 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2417 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2418 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
2419 return TRUE;
2420}
KERB_TICKET_LOGON
Definition secapi.h:51
SECURITY_INTEGER
Definition include/winpr/sspi.h:51
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SEC_WINNT_AUTH_IDENTITY_WINPR
Definition include/winpr/sspi.h:885
SEC_WINPR_KERBEROS_SETTINGS
Definition include/winpr/sspi.h:870
SecPkgContext_AuthIdentity
Definition include/winpr/sspi.h:1342
SecPkgContext_Sizes
Definition include/winpr/sspi.h:427
SecPkgCredentials_KdcProxySettingsW
Definition include/winpr/sspi.h:525
WinPrAsn1_MemoryChunk
Definition asn1.h:79
krb5glue_keyset
Definition krb5glue.h:92
sspi_gss_data
Definition sspi_gss.h:36
SEC_WINNT_AUTH_IDENTITY_INFO
Definition include/winpr/sspi.h:783