22#include <winpr/config.h>
31#include <winpr/assert.h>
32#include <winpr/cast.h>
33#include <winpr/asn1.h>
35#include <winpr/interlocked.h>
36#include <winpr/sspi.h>
37#include <winpr/print.h>
38#include <winpr/tchar.h>
39#include <winpr/sysinfo.h>
40#include <winpr/registry.h>
41#include <winpr/endian.h>
42#include <winpr/crypto.h>
43#include <winpr/path.h>
44#include <winpr/wtypes.h>
45#include <winpr/winsock.h>
46#include <winpr/schannel.h>
47#include <winpr/secapi.h>
56#ifdef WITH_KRB5_HEIMDAL
58#include <krb5-protos.h>
63#define TAG WINPR_TAG("sspi.Kerberos")
74 "Kerberos Security Package"
77static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 };
78static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 };
85 KERBEROS_SecPkgInfoW_NameBuffer,
86 KERBEROS_SecPkgInfoW_CommentBuffer
93 KERBEROS_STATE_INITIAL,
94 KERBEROS_STATE_TGT_REQ,
95 KERBEROS_STATE_TGT_REP,
96 KERBEROS_STATE_AP_REQ,
97 KERBEROS_STATE_AP_REP,
101typedef struct KRB_CREDENTIALS_st
103 volatile LONG refCount;
108 krb5_keytab client_keytab;
114 enum KERBEROS_STATE state;
115 KRB_CREDENTIALS* credentials;
116 krb5_auth_context auth_ctx;
126static const WinPrAsn1_OID kerberos_OID = { 9, (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
128 (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
130#define krb_log_exec(fkt, ctx, ...) \
131 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
132#define krb_log_exec_ptr(fkt, ctx, ...) \
133 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
134static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code,
const char* what,
135 const char* file,
const char* fkt,
size_t line)
144 const DWORD level = WLOG_ERROR;
146 wLog* log = WLog_Get(TAG);
147 if (WLog_IsLevelActive(log, level))
149 const char* msg = krb5_get_error_message(ctx, code);
150 WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt,
"%s (%s [%d])",
152 krb5_free_error_message(ctx, msg);
160static void credentials_unref(KRB_CREDENTIALS* credentials);
162static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
167 free(ctx->targetHost);
168 ctx->targetHost = NULL;
170 if (ctx->credentials)
172 krb5_context krbctx = ctx->credentials->ctx;
176 krb5_auth_con_free(krbctx, ctx->auth_ctx);
178 krb5glue_keys_free(krbctx, &ctx->keyset);
181 credentials_unref(ctx->credentials);
188static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
190 KRB_CONTEXT* context = NULL;
192 context = (KRB_CONTEXT*)calloc(1,
sizeof(KRB_CONTEXT));
196 context->credentials = credentials;
197 InterlockedIncrement(&credentials->refCount);
201static krb5_error_code krb5_prompter(krb5_context context,
void* data,
202 WINPR_ATTR_UNUSED
const char* name,
203 WINPR_ATTR_UNUSED
const char* banner,
int num_prompts,
204 krb5_prompt prompts[])
206 for (
int i = 0; i < num_prompts; i++)
208 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
209 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
211 prompts[i].reply->data = _strdup((
const char*)data);
213 const size_t len = strlen((
const char*)data);
214 if (len > UINT32_MAX)
215 return KRB5KRB_ERR_GENERIC;
216 prompts[i].reply->length = (UINT32)len;
224 return keyset->acceptor_key ? keyset->acceptor_key
225 : keyset->initiator_key ? keyset->initiator_key
226 : keyset->session_key;
229static BOOL isValidIPv4(
const char* ipAddress)
231 struct sockaddr_in sa = { 0 };
232 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
236static BOOL isValidIPv6(
const char* ipAddress)
238 struct sockaddr_in6 sa = { 0 };
239 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
243static BOOL isValidIP(
const char* ipAddress)
245 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
248#if defined(WITH_KRB5_MIT)
249WINPR_ATTR_MALLOC(free, 1)
250static
char* get_realm_name(krb5_data realm,
size_t* plen)
254 if ((realm.length <= 0) || (!realm.data))
258 (void)winpr_asprintf(&name, plen,
"krbtgt/%*s@%*s", realm.length, realm.data, realm.length,
262#elif defined(WITH_KRB5_HEIMDAL)
263WINPR_ATTR_MALLOC(free, 1)
264static
char* get_realm_name(Realm realm,
size_t* plen)
272 (void)winpr_asprintf(&name, plen,
"krbtgt/%s@%s", realm, realm);
277static int build_krbtgt(krb5_context ctx, krb5_principal principal, krb5_principal* ptarget)
281 krb5_error_code rv = KRB5_CC_NOMEM;
283 char* name = get_realm_name(principal->realm, &len);
284 if (!name || (len == 0))
287 krb5_principal target = { 0 };
288 rv = krb5_parse_name(ctx, name, &target);
297static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
298 SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage, ULONG fCredentialUse,
299 WINPR_ATTR_UNUSED
void* pvLogonID,
void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn,
300 WINPR_ATTR_UNUSED
void* pvGetKeyArgument,
PCredHandle phCredential,
305 KRB_CREDENTIALS* credentials = NULL;
306 krb5_context ctx = NULL;
307 krb5_ccache ccache = NULL;
308 krb5_keytab keytab = NULL;
309 krb5_principal principal = NULL;
311 char* username = NULL;
312 char* password = NULL;
313 BOOL own_ccache = FALSE;
314 const char*
const default_ccache_type =
"MEMORY";
318 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
320 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
326 WLog_ERR(TAG,
"Failed to copy auth identity fields");
331 pszPrincipal = username;
334 if (krb_log_exec_ptr(krb5_init_context, &ctx))
339 char* udomain = _strdup(domain);
345 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
354 char* cpszPrincipal = _strdup(pszPrincipal);
359 char* p = strchr(cpszPrincipal,
'@');
363 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
368 WINPR_ASSERT(principal);
371 if (krb_settings && krb_settings->cache)
373 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
382 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
386 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
391 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
395 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
401 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
404 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
406 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
414 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
419 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
424 if (krb_settings && krb_settings->keytab)
426 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
431 if (fCredentialUse & SECPKG_CRED_INBOUND)
432 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
437 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
439 krb5_creds creds = { 0 };
440 krb5_creds matchCreds = { 0 };
441 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
443 krb5_timeofday(ctx, &matchCreds.times.endtime);
444 matchCreds.times.endtime += 60;
445 matchCreds.client = principal;
447 WINPR_ASSERT(principal);
448 if (krb_log_exec(build_krbtgt, ctx, principal, &matchCreds.server))
451 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
452 krb5_free_principal(ctx, matchCreds.server);
453 krb5_free_cred_contents(ctx, &creds);
456 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
457 password, krb_settings))
462 credentials = calloc(1,
sizeof(KRB_CREDENTIALS));
465 credentials->refCount = 1;
466 credentials->ctx = ctx;
467 credentials->ccache = ccache;
468 credentials->keytab = keytab;
469 credentials->own_ccache = own_ccache;
478 krb5_free_principal(ctx, principal);
486 krb5_cc_destroy(ctx, ccache);
488 krb5_cc_close(ctx, ccache);
491 krb5_kt_close(ctx, keytab);
493 krb5_free_context(ctx);
500 sspi_SecureHandleSetLowerPointer(phCredential, (
void*)credentials);
501 sspi_SecureHandleSetUpperPointer(phCredential, (
void*)KERBEROS_SSP_NAME);
505 return SEC_E_NO_CREDENTIALS;
507 return SEC_E_UNSUPPORTED_FUNCTION;
511static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
512 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse,
void* pvLogonID,
513 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
516 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
517 char* principal = NULL;
518 char*
package = NULL;
522 principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL);
528 package = ConvertWCharToUtf8Alloc(pszPackage, NULL);
534 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
535 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
545static void credentials_unref(KRB_CREDENTIALS* credentials)
547 WINPR_ASSERT(credentials);
549 if (InterlockedDecrement(&credentials->refCount))
552 free(credentials->kdc_url);
554 if (credentials->ccache)
556 if (credentials->own_ccache)
557 krb5_cc_destroy(credentials->ctx, credentials->ccache);
559 krb5_cc_close(credentials->ctx, credentials->ccache);
561 if (credentials->keytab)
562 krb5_kt_close(credentials->ctx, credentials->keytab);
564 krb5_free_context(credentials->ctx);
569static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(
PCredHandle phCredential)
572 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
574 return SEC_E_INVALID_HANDLE;
576 credentials_unref(credentials);
578 sspi_SecureHandleInvalidate(phCredential);
581 return SEC_E_UNSUPPORTED_FUNCTION;
585static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
586 WINPR_ATTR_UNUSED
PCredHandle phCredential, ULONG ulAttribute, WINPR_ATTR_UNUSED
void* pBuffer)
591 case SECPKG_CRED_ATTR_NAMES:
594 WLog_ERR(TAG,
"TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
596 return SEC_E_UNSUPPORTED_FUNCTION;
600 return SEC_E_UNSUPPORTED_FUNCTION;
604static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(
PCredHandle phCredential,
608 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
613static BOOL kerberos_mk_tgt_token(
SecBuffer* buf,
int msg_type,
char* sname,
char* host,
614 const krb5_data* ticket)
616 WinPrAsn1Encoder* enc = NULL;
625 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
627 if (msg_type == KRB_TGT_REP && !ticket)
630 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
635 if (!WinPrAsn1EncSeqContainer(enc))
639 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
643 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
646 if (msg_type == KRB_TGT_REQ && sname)
649 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
653 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
657 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
660 if (!WinPrAsn1EncGeneralString(enc, sname))
663 if (host && !WinPrAsn1EncGeneralString(enc, host))
666 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
669 else if (msg_type == KRB_TGT_REP)
672 data.data = (BYTE*)ticket->data;
673 data.len = ticket->length;
674 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
678 if (!WinPrAsn1EncEndContainer(enc))
681 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
684 Stream_StaticInit(&s, buf->pvBuffer, len);
685 if (!WinPrAsn1EncToStream(enc, &s))
688 token.data = buf->pvBuffer;
689 token.length = (UINT)len;
690 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
691 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
695 WinPrAsn1Encoder_Free(&enc);
699static BOOL append(
char* dst,
size_t dstSize,
const char* src)
701 const size_t dlen = strnlen(dst, dstSize);
702 const size_t slen = strlen(src);
703 if (dlen + slen >= dstSize)
705 if (!strncat(dst, src, dstSize - dlen))
710static BOOL kerberos_rd_tgt_req_tag2(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
716 if (!WinPrAsn1DecReadSequence(dec, &seq))
721 WinPrAsn1_INTEGER val = 0;
722 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
726 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
729 WinPrAsn1_tag tag = 0;
731 while (WinPrAsn1DecPeekTag(dec, &tag))
733 BOOL success = FALSE;
735 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
740 if (!append(buf, len,
"/"))
745 if (!append(buf, len, lstr))
760static BOOL kerberos_rd_tgt_req_tag3(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
764 WinPrAsn1_STRING str = NULL;
765 if (!WinPrAsn1DecReadGeneralString(dec, &str))
768 if (!append(buf, len,
"@"))
770 if (!append(buf, len, str))
787 wStream s = WinPrAsn1DecGetStream(dec);
788 const size_t len = Stream_Length(&s);
793 WinPrAsn1_tagId tag = 0;
794 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
797 char* buf = calloc(len + 1,
sizeof(
char));
805 BOOL checkForTag3 = TRUE;
808 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
811 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
813 checkForTag3 = FALSE;
820 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
839 WinPrAsn1_tagId tag = 0;
840 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
846 wStream s = WinPrAsn1DecGetStream(&asnTicket);
847 ticket->data = Stream_BufferAs(&s,
char);
849 const size_t len = Stream_Length(&s);
850 if (len > UINT32_MAX)
852 ticket->length = (UINT32)len;
856static BOOL kerberos_rd_tgt_token(
const sspi_gss_data* token,
char** target, krb5_data* ticket)
859 WinPrAsn1_INTEGER val = 0;
867 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
871 if (!WinPrAsn1DecReadSequence(&der, &seq))
875 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
879 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
885 return kerberos_rd_tgt_req(&seq, target);
887 return kerberos_rd_tgt_rep(&seq, ticket);
896static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5,
SEC_CHANNEL_BINDINGS* bindings)
900 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
901 if (!winpr_Digest_Update(md5, buf, 4))
904 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
905 if (!winpr_Digest_Update(md5, buf, 4))
908 if (bindings->cbInitiatorLength &&
909 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
910 bindings->cbInitiatorLength))
913 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
914 if (!winpr_Digest_Update(md5, buf, 4))
917 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
918 if (!winpr_Digest_Update(md5, buf, 4))
921 if (bindings->cbAcceptorLength &&
922 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
923 bindings->cbAcceptorLength))
926 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
927 if (!winpr_Digest_Update(md5, buf, 4))
930 if (bindings->cbApplicationDataLength &&
931 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
932 bindings->cbApplicationDataLength))
938static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
940 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep,
PSecBufferDesc pInput,
942 WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED
PTimeStamp ptsExpiry)
948 WINPR_DIGEST_CTX* md5 = NULL;
952 krb5_data input_token = { 0 };
953 krb5_data output_token = { 0 };
954 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
957 krb5_ap_rep_enc_part* reply = NULL;
958 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
959 char cksum_contents[24] = { 0 };
960 krb5_data cksum = { 0 };
961 krb5_creds in_creds = { 0 };
962 krb5_creds* creds = NULL;
963 BOOL isNewContext = FALSE;
964 KRB_CONTEXT* context = NULL;
965 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
968 if (phContext && !phContext->dwLower && !phContext->dwUpper)
969 return SEC_E_INVALID_HANDLE;
971 context = sspi_SecureHandleGetLowerPointer(phContext);
974 return SEC_E_NO_CREDENTIALS;
978 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
979 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
982 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
984 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
985 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
987 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
988 ap_flags |= AP_OPTS_USE_SESSION_KEY;
993 target = _strdup(pszTargetName);
996 status = SEC_E_INSUFFICIENT_MEMORY;
999 host = strchr(target,
'/');
1007 if (isValidIP(host))
1009 status = SEC_E_NO_CREDENTIALS;
1016 context = kerberos_ContextNew(credentials);
1019 status = SEC_E_INSUFFICIENT_MEMORY;
1023 isNewContext = TRUE;
1026 context->targetHost = _strdup(host);
1027 if (!context->targetHost)
1029 status = SEC_E_INSUFFICIENT_MEMORY;
1033 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1035 context->state = KERBEROS_STATE_TGT_REQ;
1036 context->u2u = TRUE;
1039 context->state = KERBEROS_STATE_AP_REQ;
1043 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1045 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1046 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1051 context->flags |= (fContextReq & 0x1F);
1052 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1053 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1055 switch (context->state)
1057 case KERBEROS_STATE_TGT_REQ:
1059 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL))
1062 context->state = KERBEROS_STATE_TGT_REP;
1063 status = SEC_I_CONTINUE_NEEDED;
1066 case KERBEROS_STATE_TGT_REP:
1068 if (tok_id != TOK_ID_TGT_REP)
1071 if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket))
1078 case KERBEROS_STATE_AP_REQ:
1081 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1083 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1084 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1086 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1091 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1092 KRB5_NT_SRV_HST, &in_creds.server))
1095 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1098 status = SEC_E_WRONG_PRINCIPAL;
1102 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1103 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1106 status = SEC_E_NO_CREDENTIALS;
1111 cksum.data = cksum_contents;
1112 cksum.length =
sizeof(cksum_contents);
1113 winpr_Data_Write_UINT32(cksum_contents, 16);
1114 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1116 if (bindings_buffer)
1122 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1123 bindings_buffer->cbBuffer ||
1124 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1125 bindings_buffer->cbBuffer ||
1126 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1127 bindings_buffer->cbBuffer)
1129 status = SEC_E_BAD_BINDINGS;
1133 md5 = winpr_Digest_New();
1137 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1140 if (!kerberos_hash_channel_bindings(md5, bindings))
1143 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1148 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1149 &cksum, creds, &output_token))
1152 if (!sspi_gss_wrap_token(output_buffer,
1153 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1154 TOK_ID_AP_REQ, &output_token))
1157 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1159 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1160 context->auth_ctx, (INT32*)&context->local_seq))
1162 context->remote_seq ^= context->local_seq;
1165 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1169 context->state = KERBEROS_STATE_AP_REP;
1171 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1172 status = SEC_I_CONTINUE_NEEDED;
1177 case KERBEROS_STATE_AP_REP:
1179 if (tok_id == TOK_ID_AP_REP)
1181 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1184 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1186 else if (tok_id == TOK_ID_ERROR)
1188 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1194 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1196 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1197 context->auth_ctx, (INT32*)&context->remote_seq))
1201 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1205 context->state = KERBEROS_STATE_FINAL;
1208 output_buffer->cbBuffer = 0;
1212 case KERBEROS_STATE_FINAL:
1214 WLog_ERR(TAG,
"Kerberos in invalid state!");
1221 krb5_data edata = { 0 };
1222 in_creds.second_ticket = edata;
1223 krb5_free_cred_contents(credentials->ctx, &in_creds);
1226 krb5_free_creds(credentials->ctx, creds);
1227 if (output_token.data)
1228 krb5glue_free_data_contents(credentials->ctx, &output_token);
1230 winpr_Digest_Free(md5);
1239 case SEC_I_CONTINUE_NEEDED:
1240 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1241 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1244 kerberos_ContextFree(context, TRUE);
1252 status = SEC_E_INVALID_TOKEN;
1255 return SEC_E_UNSUPPORTED_FUNCTION;
1259static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1261 ULONG Reserved1, ULONG TargetDataRep,
PSecBufferDesc pInput, ULONG Reserved2,
1264 SECURITY_STATUS status = 0;
1265 char* target_name = NULL;
1269 target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL);
1271 return SEC_E_INSUFFICIENT_MEMORY;
1274 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1275 Reserved1, TargetDataRep, pInput, Reserved2,
1276 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1284static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1286 WINPR_ATTR_UNUSED ULONG fContextReq, WINPR_ATTR_UNUSED ULONG TargetDataRep,
1291 BOOL isNewContext = FALSE;
1295 uint16_t tok_id = 0;
1296 krb5_data input_token = { 0 };
1297 krb5_data output_token = { 0 };
1298 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1299 krb5_flags ap_flags = 0;
1300 krb5glue_authenticator authenticator = NULL;
1301 char* target = NULL;
1304 krb5_kt_cursor cur = { 0 };
1305 krb5_keytab_entry entry = { 0 };
1306 krb5_principal principal = NULL;
1307 krb5_creds creds = { 0 };
1310 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1311 return SEC_E_INVALID_HANDLE;
1313 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1314 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1317 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1319 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1322 return SEC_E_INVALID_TOKEN;
1324 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1325 return SEC_E_INVALID_TOKEN;
1329 isNewContext = TRUE;
1330 context = kerberos_ContextNew(credentials);
1331 context->acceptor = TRUE;
1333 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1335 context->u2u = TRUE;
1336 context->state = KERBEROS_STATE_TGT_REQ;
1338 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1339 context->state = KERBEROS_STATE_AP_REQ;
1345 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1346 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1350 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1352 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
1368 sname = strchr(target,
'/');
1374 sname = memmove(target, sname, strlen(sname) + 1);
1376 realm = strchr(target,
'@');
1382 size_t len = strlen(realm);
1383 memmove(realm + 1, realm, len + 1);
1390 size_t len = strlen(sname);
1392 target[len + 1] = 0;
1396 if (krb_log_exec(krb5_parse_name_flags, credentials->ctx, sname ? sname :
"",
1397 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
1400 WINPR_ASSERT(principal);
1404 if (krb_log_exec(krb5glue_set_principal_realm, credentials->ctx, principal, realm))
1408 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1413 krb5_error_code rv = krb_log_exec(krb5_kt_next_entry, credentials->ctx,
1414 credentials->keytab, &entry, &cur);
1415 if (rv == KRB5_KT_END)
1421 krb5_principal_compare_any_realm(credentials->ctx, principal, entry.principal)) &&
1422 (!realm || krb5_realm_compare(credentials->ctx, principal, entry.principal)))
1424 const krb5_error_code res =
1425 krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);
1426 memset(&entry, 0,
sizeof(entry));
1431 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1434 if (!entry.principal)
1438 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, &creds, entry.principal,
1439 credentials->keytab, 0, NULL, NULL))
1442 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
1445 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1448 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1449 &krb5glue_creds_getkey(creds)))
1452 context->state = KERBEROS_STATE_AP_REQ;
1454 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1456 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL,
1457 credentials->keytab, &ap_flags, NULL))
1460 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1461 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1465 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1468 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1472 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1476 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1478 if (!sspi_gss_wrap_token(output_buffer,
1479 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1480 TOK_ID_AP_REP, &output_token))
1486 output_buffer->cbBuffer = 0;
1489 *pfContextAttr = (context->flags & 0x1F);
1490 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1491 *pfContextAttr |= ASC_RET_INTEGRITY;
1493 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1495 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1496 (INT32*)&context->local_seq))
1498 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1499 (INT32*)&context->remote_seq))
1503 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1507 context->state = KERBEROS_STATE_FINAL;
1513 if (context->state == KERBEROS_STATE_FINAL)
1516 status = SEC_I_CONTINUE_NEEDED;
1520 if (output_token.data)
1521 krb5glue_free_data_contents(credentials->ctx, &output_token);
1522 if (entry.principal)
1523 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1530 case SEC_I_CONTINUE_NEEDED:
1531 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1532 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1535 kerberos_ContextFree(context, TRUE);
1543 status = SEC_E_INVALID_TOKEN;
1546 return SEC_E_UNSUPPORTED_FUNCTION;
1551static KRB_CONTEXT* get_context(
PCtxtHandle phContext)
1556 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1560 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1562 return sspi_SecureHandleGetLowerPointer(phContext);
1565static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1569 WINPR_ASSERT(psize);
1571 *ptr = (PUCHAR)malloc(data->length);
1575 *psize = data->length;
1576 memcpy(*ptr, data->data, data->length);
1581static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(
PCtxtHandle phContext)
1584 KRB_CONTEXT* context = get_context(phContext);
1586 return SEC_E_INVALID_HANDLE;
1588 kerberos_ContextFree(context, TRUE);
1592 return SEC_E_UNSUPPORTED_FUNCTION;
1598static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1605 return SEC_E_INTERNAL_ERROR;
1609static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1615 krb5glue_key key = NULL;
1617 WINPR_ASSERT(context);
1618 WINPR_ASSERT(context->auth_ctx);
1624 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1625 ContextSizes->cbMaxSignature = 0;
1626 ContextSizes->cbBlockSize = 1;
1627 ContextSizes->cbSecurityTrailer = 0;
1629 key = get_key(&context->keyset);
1631 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1633 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1634 KRB5_CRYPTO_TYPE_HEADER, &header);
1636 return krb5_error_to_SECURITY_STATUS(rv);
1638 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1641 return krb5_error_to_SECURITY_STATUS(rv);
1643 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1646 return krb5_error_to_SECURITY_STATUS(rv);
1649 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1652 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1654 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1655 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1657 return krb5_error_to_SECURITY_STATUS(rv);
1659 ContextSizes->cbMaxSignature += 16;
1665static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1666 KRB_CREDENTIALS* credentials,
1669 krb5_creds matchCred = { 0 };
1670 krb5_auth_context authContext = NULL;
1671 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1672 BOOL firstRun = TRUE;
1673 krb5_creds* hostCred = NULL;
1674 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1675 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost,
"HOST",
1676 KRB5_NT_SRV_HST, &matchCred.server);
1680 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1687 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1688 &matchCred, &hostCred);
1693 case KRB5_CC_NOTFOUND:
1702 WLog_ERR(TAG,
"krb5_get_credentials(hostCreds), rv=%d", rv);
1706 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1709 krb5_data derOut = { 0 };
1710 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1711 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1713 ret = SEC_E_LOGON_DENIED;
1717 ticketLogon->MessageType = KerbTicketLogon;
1718 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1720 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1721 &ticketLogon->ServiceTicketLength))
1723 krb5_free_data(credentials->ctx, &derOut);
1727 ticketLogon->TicketGrantingTicketLength = derOut.length;
1728 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1732 krb5_auth_con_free(credentials->ctx, authContext);
1733 krb5_free_creds(credentials->ctx, hostCred);
1734 krb5_free_cred_contents(credentials->ctx, &matchCred);
1740static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(
PCtxtHandle phContext,
1741 ULONG ulAttribute,
void* pBuffer)
1744 return SEC_E_INVALID_HANDLE;
1747 return SEC_E_INVALID_PARAMETER;
1750 KRB_CONTEXT* context = get_context(phContext);
1752 return SEC_E_INVALID_PARAMETER;
1754 KRB_CREDENTIALS* credentials = context->credentials;
1756 switch (ulAttribute)
1758 case SECPKG_ATTR_SIZES:
1761 case SECPKG_CRED_ATTR_TICKET_LOGON:
1762 return kerberos_ATTR_TICKET_LOGON(context, credentials, (
KERB_TICKET_LOGON*)pBuffer);
1765 WLog_ERR(TAG,
"TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1767 return SEC_E_UNSUPPORTED_FUNCTION;
1770 return SEC_E_UNSUPPORTED_FUNCTION;
1774static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(
PCtxtHandle phContext,
1775 ULONG ulAttribute,
void* pBuffer)
1777 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1780static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
1781 WINPR_ATTR_UNUSED
PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1782 WINPR_ATTR_UNUSED
void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1784 return SEC_E_UNSUPPORTED_FUNCTION;
1787static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
1788 WINPR_ATTR_UNUSED
PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1789 WINPR_ATTR_UNUSED
void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1791 return SEC_E_UNSUPPORTED_FUNCTION;
1794static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(
PCredHandle phCredential,
1796 void* pBuffer, ULONG cbBuffer,
1797 WINPR_ATTR_UNUSED BOOL unicode)
1800 KRB_CREDENTIALS* credentials = NULL;
1803 return SEC_E_INVALID_HANDLE;
1805 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1808 return SEC_E_INVALID_HANDLE;
1811 return SEC_E_INSUFFICIENT_MEMORY;
1813 switch (ulAttribute)
1815 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1821 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1824 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1825 return SEC_E_INVALID_TOKEN;
1827 if (credentials->kdc_url)
1829 free(credentials->kdc_url);
1830 credentials->kdc_url = NULL;
1833 if (kdc_settings->ProxyServerLength > 0)
1835 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
1837 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
1838 proxy, kdc_settings->ProxyServerLength /
sizeof(WCHAR), NULL);
1839 if (!credentials->kdc_url)
1840 return SEC_E_INSUFFICIENT_MEMORY;
1845 case SECPKG_CRED_ATTR_NAMES:
1846 case SECPKG_ATTR_SUPPORTED_ALGS:
1848 WLog_ERR(TAG,
"TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
1850 return SEC_E_UNSUPPORTED_FUNCTION;
1854 return SEC_E_UNSUPPORTED_FUNCTION;
1858static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(
PCredHandle phCredential,
1860 void* pBuffer, ULONG cbBuffer)
1862 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
1865static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(
PCredHandle phCredential,
1867 void* pBuffer, ULONG cbBuffer)
1869 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
1872static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(
PCtxtHandle phContext, ULONG fQOP,
1877 KRB_CONTEXT* context = get_context(phContext);
1880 char* header = NULL;
1882 krb5glue_key key = NULL;
1883 krb5_keyusage usage = 0;
1884 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1885 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1886 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1887 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1888 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1891 return SEC_E_INVALID_HANDLE;
1893 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1894 return SEC_E_UNSUPPORTED_FUNCTION;
1896 KRB_CREDENTIALS* creds = context->credentials;
1898 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1899 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1901 if (!sig_buffer || !data_buffer)
1902 return SEC_E_INVALID_TOKEN;
1905 return SEC_E_QOP_NOT_SUPPORTED;
1907 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
1908 flags |= FLAG_WRAP_CONFIDENTIAL;
1910 key = get_key(&context->keyset);
1912 return SEC_E_INTERNAL_ERROR;
1914 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
1916 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
1919 encrypt_iov[1].data.length = data_buffer->cbBuffer;
1920 encrypt_iov[2].data.length = 16;
1923 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
1924 ARRAYSIZE(encrypt_iov)))
1925 return SEC_E_INTERNAL_ERROR;
1926 if (sig_buffer->cbBuffer <
1927 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
1928 return SEC_E_INSUFFICIENT_MEMORY;
1931 header = sig_buffer->pvBuffer;
1932 encrypt_iov[2].data.data = header + 16;
1933 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
1934 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
1935 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
1936 encrypt_iov[1].data.data = data_buffer->pvBuffer;
1939 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
1940 header[2] = WINPR_ASSERTING_INT_CAST(
char, flags);
1941 header[3] = (char)0xFF;
1942 winpr_Data_Write_UINT32(header + 4, 0);
1943 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
1946 CopyMemory(encrypt_iov[2].data.data, header, 16);
1949 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
1950 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
1952 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
1953 ARRAYSIZE(encrypt_iov)))
1954 return SEC_E_INTERNAL_ERROR;
1958 return SEC_E_UNSUPPORTED_FUNCTION;
1962static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(
PCtxtHandle phContext,
1964 ULONG MessageSeqNo, ULONG* pfQOP)
1967 KRB_CONTEXT* context = get_context(phContext);
1970 krb5glue_key key = NULL;
1971 krb5_keyusage usage = 0;
1972 uint16_t tok_id = 0;
1976 uint64_t seq_no = 0;
1977 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1978 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1979 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1980 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1981 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1984 return SEC_E_INVALID_HANDLE;
1986 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1987 return SEC_E_UNSUPPORTED_FUNCTION;
1989 KRB_CREDENTIALS* creds = context->credentials;
1991 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1992 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1994 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
1995 return SEC_E_INVALID_TOKEN;
1998 BYTE* header = sig_buffer->pvBuffer;
1999 tok_id = winpr_Data_Get_UINT16_BE(header);
2001 ec = winpr_Data_Get_UINT16_BE(&header[4]);
2002 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
2003 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
2006 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
2007 return SEC_E_INVALID_TOKEN;
2009 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
2010 return SEC_E_INVALID_TOKEN;
2012 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
2013 (seq_no != context->remote_seq + MessageSeqNo))
2014 return SEC_E_OUT_OF_SEQUENCE;
2016 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
2017 return SEC_E_INVALID_TOKEN;
2021 return SEC_E_INVALID_TOKEN;
2024 key = get_key(&context->keyset);
2025 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
2026 return SEC_E_INTERNAL_ERROR;
2027 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
2030 iov[1].data.length = data_buffer->cbBuffer;
2031 iov[2].data.length = 16;
2032 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2033 return SEC_E_INTERNAL_ERROR;
2036 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
2037 return SEC_E_INVALID_TOKEN;
2038 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
2039 return SEC_E_INVALID_TOKEN;
2042 iov[0].data.data = (
char*)&header[16 + rrc + ec];
2043 iov[1].data.data = data_buffer->pvBuffer;
2044 iov[2].data.data = (
char*)&header[16 + ec];
2045 char* data2 = iov[2].data.data;
2046 iov[3].data.data = &data2[iov[2].data.length];
2048 char* data3 = iov[3].data.data;
2049 iov[4].data.data = &data3[iov[3].data.length];
2051 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2052 return SEC_E_INTERNAL_ERROR;
2055 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
2056 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
2057 if (memcmp(iov[2].data.data, header, 16) != 0)
2058 return SEC_E_MESSAGE_ALTERED;
2064 return SEC_E_UNSUPPORTED_FUNCTION;
2068static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(
PCtxtHandle phContext,
2069 WINPR_ATTR_UNUSED ULONG fQOP,
2073 KRB_CONTEXT* context = get_context(phContext);
2076 krb5glue_key key = NULL;
2077 krb5_keyusage usage = 0;
2079 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2080 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2081 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2084 return SEC_E_INVALID_HANDLE;
2086 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2087 return SEC_E_UNSUPPORTED_FUNCTION;
2089 KRB_CREDENTIALS* creds = context->credentials;
2091 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2092 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2094 if (!sig_buffer || !data_buffer)
2095 return SEC_E_INVALID_TOKEN;
2097 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2099 key = get_key(&context->keyset);
2101 return SEC_E_INTERNAL_ERROR;
2102 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2104 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2107 iov[0].data.length = data_buffer->cbBuffer;
2108 iov[1].data.length = 16;
2109 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2110 return SEC_E_INTERNAL_ERROR;
2113 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2114 return SEC_E_INSUFFICIENT_MEMORY;
2117 char* header = sig_buffer->pvBuffer;
2118 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2119 header[2] = WINPR_ASSERTING_INT_CAST(
char, flags);
2120 memset(header + 3, 0xFF, 5);
2121 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2124 iov[0].data.data = data_buffer->pvBuffer;
2125 iov[1].data.data = header;
2126 iov[2].data.data = header + 16;
2128 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2129 return SEC_E_INTERNAL_ERROR;
2131 sig_buffer->cbBuffer = iov[2].data.length + 16;
2135 return SEC_E_UNSUPPORTED_FUNCTION;
2139static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(
PCtxtHandle phContext,
2142 WINPR_ATTR_UNUSED ULONG* pfQOP)
2147 krb5glue_key key = NULL;
2148 krb5_keyusage usage = 0;
2150 uint16_t tok_id = 0;
2151 uint64_t seq_no = 0;
2152 krb5_boolean is_valid = 0;
2153 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2154 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2155 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2156 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2158 KRB_CONTEXT* context = get_context(phContext);
2160 return SEC_E_INVALID_HANDLE;
2162 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2163 return SEC_E_UNSUPPORTED_FUNCTION;
2165 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2166 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2168 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2169 return SEC_E_INVALID_TOKEN;
2172 BYTE* header = sig_buffer->pvBuffer;
2173 tok_id = winpr_Data_Get_UINT16_BE(header);
2175 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2178 if (tok_id != TOK_ID_MIC)
2179 return SEC_E_INVALID_TOKEN;
2181 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2182 return SEC_E_INVALID_TOKEN;
2184 if (memcmp(header + 3, cmp_filler,
sizeof(cmp_filler)) != 0)
2185 return SEC_E_INVALID_TOKEN;
2187 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2188 return SEC_E_OUT_OF_SEQUENCE;
2191 key = get_key(&context->keyset);
2192 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2193 return SEC_E_INTERNAL_ERROR;
2194 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2197 KRB_CREDENTIALS* creds = context->credentials;
2198 iov[0].data.length = data_buffer->cbBuffer;
2199 iov[1].data.length = 16;
2200 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2201 return SEC_E_INTERNAL_ERROR;
2203 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2204 return SEC_E_INTERNAL_ERROR;
2207 iov[0].data.data = data_buffer->pvBuffer;
2208 iov[1].data.data = (
char*)header;
2209 iov[2].data.data = (
char*)&header[16];
2211 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2213 return SEC_E_INTERNAL_ERROR;
2216 return SEC_E_MESSAGE_ALTERED;
2220 return SEC_E_UNSUPPORTED_FUNCTION;
2227 kerberos_QueryCredentialsAttributesA,
2228 kerberos_AcquireCredentialsHandleA,
2229 kerberos_FreeCredentialsHandle,
2231 kerberos_InitializeSecurityContextA,
2232 kerberos_AcceptSecurityContext,
2234 kerberos_DeleteSecurityContext,
2236 kerberos_QueryContextAttributesA,
2239 kerberos_MakeSignature,
2240 kerberos_VerifySignature,
2250 kerberos_EncryptMessage,
2251 kerberos_DecryptMessage,
2252 kerberos_SetContextAttributesA,
2253 kerberos_SetCredentialsAttributesA,
2259 kerberos_QueryCredentialsAttributesW,
2260 kerberos_AcquireCredentialsHandleW,
2261 kerberos_FreeCredentialsHandle,
2263 kerberos_InitializeSecurityContextW,
2264 kerberos_AcceptSecurityContext,
2266 kerberos_DeleteSecurityContext,
2268 kerberos_QueryContextAttributesW,
2271 kerberos_MakeSignature,
2272 kerberos_VerifySignature,
2282 kerberos_EncryptMessage,
2283 kerberos_DecryptMessage,
2284 kerberos_SetContextAttributesW,
2285 kerberos_SetCredentialsAttributesW,
2288BOOL KERBEROS_init(
void)
2290 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2291 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2292 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2293 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
1.9.8 