22 #include <winpr/config.h>
31 #include <winpr/assert.h>
32 #include <winpr/cast.h>
33 #include <winpr/asn1.h>
34 #include <winpr/crt.h>
35 #include <winpr/interlocked.h>
36 #include <winpr/sspi.h>
37 #include <winpr/print.h>
38 #include <winpr/tchar.h>
39 #include <winpr/sysinfo.h>
40 #include <winpr/registry.h>
41 #include <winpr/endian.h>
42 #include <winpr/crypto.h>
43 #include <winpr/path.h>
44 #include <winpr/wtypes.h>
45 #include <winpr/winsock.h>
46 #include <winpr/schannel.h>
47 #include <winpr/secapi.h>
56 #ifdef WITH_KRB5_HEIMDAL
58 #include <krb5-protos.h>
62 #include "../../log.h"
63 #define TAG WINPR_TAG("sspi.Kerberos")
65 #define KRB_TGT_REQ 16
66 #define KRB_TGT_REP 17
74 "Kerberos Security Package"
77 static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 };
78 static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 };
85 KERBEROS_SecPkgInfoW_NameBuffer,
86 KERBEROS_SecPkgInfoW_CommentBuffer
93 KERBEROS_STATE_INITIAL,
94 KERBEROS_STATE_TGT_REQ,
95 KERBEROS_STATE_TGT_REP,
96 KERBEROS_STATE_AP_REQ,
97 KERBEROS_STATE_AP_REP,
101 typedef struct KRB_CREDENTIALS_st
103 volatile LONG refCount;
108 krb5_keytab client_keytab;
114 enum KERBEROS_STATE state;
115 KRB_CREDENTIALS* credentials;
116 krb5_auth_context auth_ctx;
126 static const WinPrAsn1_OID kerberos_OID = { 9, (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
128 (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
130 #define krb_log_exec_bool(fkt, ctx, ...) \
131 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__) ? KRB5KRB_ERR_GENERIC : 0, #fkt, __FILE__, \
133 #define krb_log_exec(fkt, ctx, ...) \
134 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
135 #define krb_log_exec_ptr(fkt, ctx, ...) \
136 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
137 static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code,
const char* what,
138 const char* file,
const char* fkt,
size_t line)
147 const DWORD level = WLOG_ERROR;
149 wLog* log = WLog_Get(TAG);
150 if (WLog_IsLevelActive(log, level))
152 const char* msg = krb5_get_error_message(ctx, code);
153 WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt,
"%s (%s [%d])",
155 krb5_free_error_message(ctx, msg);
163 static void credentials_unref(KRB_CREDENTIALS* credentials);
165 static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
170 free(ctx->targetHost);
171 ctx->targetHost = NULL;
173 if (ctx->credentials)
175 krb5_context krbctx = ctx->credentials->ctx;
179 krb5_auth_con_free(krbctx, ctx->auth_ctx);
181 krb5glue_keys_free(krbctx, &ctx->keyset);
184 credentials_unref(ctx->credentials);
191 static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
193 KRB_CONTEXT* context = NULL;
195 context = (KRB_CONTEXT*)calloc(1,
sizeof(KRB_CONTEXT));
199 context->credentials = credentials;
200 InterlockedIncrement(&credentials->refCount);
204 static krb5_error_code krb5_prompter(krb5_context context,
void* data,
const char* name,
205 const char* banner,
int num_prompts, krb5_prompt prompts[])
207 for (
int i = 0; i < num_prompts; i++)
209 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
210 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
212 prompts[i].reply->data = _strdup((
const char*)data);
214 const size_t len = strlen((
const char*)data);
215 if (len > UINT32_MAX)
216 return KRB5KRB_ERR_GENERIC;
217 prompts[i].reply->length = (UINT32)len;
225 return keyset->acceptor_key ? keyset->acceptor_key
226 : keyset->initiator_key ? keyset->initiator_key
227 : keyset->session_key;
230 static BOOL isValidIPv4(
const char* ipAddress)
232 struct sockaddr_in sa = { 0 };
233 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
237 static BOOL isValidIPv6(
const char* ipAddress)
239 struct sockaddr_in6 sa = { 0 };
240 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
244 static BOOL isValidIP(
const char* ipAddress)
246 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
249 static int build_krbtgt(krb5_context ctx, krb5_data* realm, krb5_principal* ptarget)
254 krb5_error_code rv = KRB5_CC_NOMEM;
256 (void)winpr_asprintf(&name, &len,
"krbtgt/%s@%s", realm->data, realm->data);
257 if (!name || (len == 0))
260 krb5_principal target = { 0 };
261 rv = krb5_parse_name(ctx, name, &target);
270 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
271 SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse,
void* pvLogonID,
272 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
277 KRB_CREDENTIALS* credentials = NULL;
278 krb5_context ctx = NULL;
279 krb5_ccache ccache = NULL;
280 krb5_keytab keytab = NULL;
281 krb5_principal principal = NULL;
283 char* username = NULL;
284 char* password = NULL;
285 BOOL own_ccache = FALSE;
286 const char*
const default_ccache_type =
"MEMORY";
290 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
292 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
298 WLog_ERR(TAG,
"Failed to copy auth identity fields");
303 pszPrincipal = username;
306 if (krb_log_exec_ptr(krb5_init_context, &ctx))
311 char* udomain = _strdup(domain);
317 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
326 char* cpszPrincipal = _strdup(pszPrincipal);
331 char* p = strchr(cpszPrincipal,
'@');
335 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
342 if (krb_settings && krb_settings->cache)
344 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
353 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
357 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
362 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
366 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
372 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
375 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
377 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
385 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
390 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
395 if (krb_settings && krb_settings->keytab)
397 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
402 if (fCredentialUse & SECPKG_CRED_INBOUND)
403 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
408 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
410 krb5_creds creds = { 0 };
411 krb5_creds matchCreds = { 0 };
412 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
414 krb5_timeofday(ctx, &matchCreds.times.endtime);
415 matchCreds.times.endtime += 60;
416 matchCreds.client = principal;
418 if (krb_log_exec(build_krbtgt, ctx, &principal->realm, &matchCreds.server))
421 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
422 krb5_free_principal(ctx, matchCreds.server);
423 krb5_free_cred_contents(ctx, &creds);
426 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
427 password, krb_settings))
432 credentials = calloc(1,
sizeof(KRB_CREDENTIALS));
435 credentials->refCount = 1;
436 credentials->ctx = ctx;
437 credentials->ccache = ccache;
438 credentials->keytab = keytab;
439 credentials->own_ccache = own_ccache;
448 krb5_free_principal(ctx, principal);
456 krb5_cc_destroy(ctx, ccache);
458 krb5_cc_close(ctx, ccache);
461 krb5_kt_close(ctx, keytab);
463 krb5_free_context(ctx);
470 sspi_SecureHandleSetLowerPointer(phCredential, (
void*)credentials);
471 sspi_SecureHandleSetUpperPointer(phCredential, (
void*)KERBEROS_SSP_NAME);
475 return SEC_E_NO_CREDENTIALS;
477 return SEC_E_UNSUPPORTED_FUNCTION;
481 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
482 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse,
void* pvLogonID,
483 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
486 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
487 char* principal = NULL;
488 char*
package = NULL;
492 principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL);
498 package = ConvertWCharToUtf8Alloc(pszPackage, NULL);
504 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
505 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
515 static void credentials_unref(KRB_CREDENTIALS* credentials)
517 WINPR_ASSERT(credentials);
519 if (InterlockedDecrement(&credentials->refCount))
522 free(credentials->kdc_url);
524 if (credentials->ccache)
526 if (credentials->own_ccache)
527 krb5_cc_destroy(credentials->ctx, credentials->ccache);
529 krb5_cc_close(credentials->ctx, credentials->ccache);
531 if (credentials->keytab)
532 krb5_kt_close(credentials->ctx, credentials->keytab);
534 krb5_free_context(credentials->ctx);
539 static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(
PCredHandle phCredential)
542 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
544 return SEC_E_INVALID_HANDLE;
546 credentials_unref(credentials);
548 sspi_SecureHandleInvalidate(phCredential);
551 return SEC_E_UNSUPPORTED_FUNCTION;
555 static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
PCredHandle phCredential,
562 case SECPKG_CRED_ATTR_NAMES:
565 WLog_ERR(TAG,
"TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
567 return SEC_E_UNSUPPORTED_FUNCTION;
571 return SEC_E_UNSUPPORTED_FUNCTION;
575 static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(
PCredHandle phCredential,
579 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
584 static BOOL kerberos_mk_tgt_token(
SecBuffer* buf,
int msg_type,
char* sname,
char* host,
585 const krb5_data* ticket)
587 WinPrAsn1Encoder* enc = NULL;
596 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
598 if (msg_type == KRB_TGT_REP && !ticket)
601 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
606 if (!WinPrAsn1EncSeqContainer(enc))
610 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
614 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
617 if (msg_type == KRB_TGT_REQ && sname)
620 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
624 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
628 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
631 if (!WinPrAsn1EncGeneralString(enc, sname))
634 if (host && !WinPrAsn1EncGeneralString(enc, host))
637 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
640 else if (msg_type == KRB_TGT_REP)
643 data.data = (BYTE*)ticket->data;
644 data.len = ticket->length;
645 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
649 if (!WinPrAsn1EncEndContainer(enc))
652 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
655 Stream_StaticInit(&s, buf->pvBuffer, len);
656 if (!WinPrAsn1EncToStream(enc, &s))
659 token.data = buf->pvBuffer;
660 token.length = (UINT)len;
661 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
662 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
666 WinPrAsn1Encoder_Free(&enc);
670 static BOOL append(
char* dst,
size_t dstSize,
const char* src)
672 const size_t dlen = strnlen(dst, dstSize);
673 const size_t slen = strlen(src);
674 if (dlen + slen >= dstSize)
676 if (!strncat(dst, src, slen))
681 static BOOL kerberos_rd_tgt_req_tag2(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
687 if (!WinPrAsn1DecReadSequence(dec, &seq))
692 WinPrAsn1_INTEGER val = 0;
693 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
697 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
700 WinPrAsn1_tag tag = 0;
702 while (WinPrAsn1DecPeekTag(dec, &tag))
704 BOOL success = FALSE;
706 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
711 if (!append(buf, len,
"/"))
716 if (!append(buf, len, lstr))
731 static BOOL kerberos_rd_tgt_req_tag3(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
735 WinPrAsn1_STRING str = NULL;
736 if (!WinPrAsn1DecReadGeneralString(dec, &str))
739 if (!append(buf, len,
"@"))
741 if (!append(buf, len, str))
758 wStream s = WinPrAsn1DecGetStream(dec);
759 const size_t len = Stream_Length(&s);
764 WinPrAsn1_tagId tag = 0;
765 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
768 char* buf = calloc(len + 1,
sizeof(
char));
776 BOOL checkForTag3 = TRUE;
779 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
782 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
784 checkForTag3 = FALSE;
791 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
810 WinPrAsn1_tagId tag = 0;
811 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
817 wStream s = WinPrAsn1DecGetStream(&asnTicket);
818 ticket->data = Stream_BufferAs(&s,
char);
820 const size_t len = Stream_Length(&s);
821 if (len > UINT32_MAX)
823 ticket->length = (UINT32)len;
827 static BOOL kerberos_rd_tgt_token(
const sspi_gss_data* token,
char** target, krb5_data* ticket)
830 WinPrAsn1_INTEGER val = 0;
838 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
842 if (!WinPrAsn1DecReadSequence(&der, &seq))
846 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
850 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
856 return kerberos_rd_tgt_req(&seq, target);
858 return kerberos_rd_tgt_rep(&seq, ticket);
867 static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5,
SEC_CHANNEL_BINDINGS* bindings)
871 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
872 if (!winpr_Digest_Update(md5, buf, 4))
875 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
876 if (!winpr_Digest_Update(md5, buf, 4))
879 if (bindings->cbInitiatorLength &&
880 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
881 bindings->cbInitiatorLength))
884 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
885 if (!winpr_Digest_Update(md5, buf, 4))
888 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
889 if (!winpr_Digest_Update(md5, buf, 4))
892 if (bindings->cbAcceptorLength &&
893 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
894 bindings->cbAcceptorLength))
897 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
898 if (!winpr_Digest_Update(md5, buf, 4))
901 if (bindings->cbApplicationDataLength &&
902 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
903 bindings->cbApplicationDataLength))
909 static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
911 ULONG Reserved1, ULONG TargetDataRep,
PSecBufferDesc pInput, ULONG Reserved2,
918 WINPR_DIGEST_CTX* md5 = NULL;
922 krb5_data input_token = { 0 };
923 krb5_data output_token = { 0 };
924 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
927 krb5_ap_rep_enc_part* reply = NULL;
928 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
929 char cksum_contents[24] = { 0 };
930 krb5_data cksum = { 0 };
931 krb5_creds in_creds = { 0 };
932 krb5_creds* creds = NULL;
933 BOOL isNewContext = FALSE;
934 KRB_CONTEXT* context = NULL;
935 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
938 if (phContext && !phContext->dwLower && !phContext->dwUpper)
939 return SEC_E_INVALID_HANDLE;
941 context = sspi_SecureHandleGetLowerPointer(phContext);
944 return SEC_E_NO_CREDENTIALS;
948 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
949 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
952 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
954 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
955 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
957 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
958 ap_flags |= AP_OPTS_USE_SESSION_KEY;
963 target = _strdup(pszTargetName);
966 status = SEC_E_INSUFFICIENT_MEMORY;
969 host = strchr(target,
'/');
979 status = SEC_E_NO_CREDENTIALS;
986 context = kerberos_ContextNew(credentials);
989 status = SEC_E_INSUFFICIENT_MEMORY;
996 context->targetHost = _strdup(host);
997 if (!context->targetHost)
999 status = SEC_E_INSUFFICIENT_MEMORY;
1003 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1005 context->state = KERBEROS_STATE_TGT_REQ;
1006 context->u2u = TRUE;
1009 context->state = KERBEROS_STATE_AP_REQ;
1013 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1015 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1016 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1021 context->flags |= (fContextReq & 0x1F);
1022 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1023 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1025 switch (context->state)
1027 case KERBEROS_STATE_TGT_REQ:
1029 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL))
1032 context->state = KERBEROS_STATE_TGT_REP;
1033 status = SEC_I_CONTINUE_NEEDED;
1036 case KERBEROS_STATE_TGT_REP:
1038 if (tok_id != TOK_ID_TGT_REP)
1041 if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket))
1048 case KERBEROS_STATE_AP_REQ:
1051 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1053 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1054 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1056 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1061 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1062 KRB5_NT_SRV_HST, &in_creds.server))
1065 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1068 status = SEC_E_WRONG_PRINCIPAL;
1072 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1073 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1076 status = SEC_E_NO_CREDENTIALS;
1081 cksum.data = cksum_contents;
1082 cksum.length =
sizeof(cksum_contents);
1083 winpr_Data_Write_UINT32(cksum_contents, 16);
1084 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1086 if (bindings_buffer)
1092 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1093 bindings_buffer->cbBuffer ||
1094 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1095 bindings_buffer->cbBuffer ||
1096 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1097 bindings_buffer->cbBuffer)
1099 status = SEC_E_BAD_BINDINGS;
1103 md5 = winpr_Digest_New();
1107 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1110 if (!kerberos_hash_channel_bindings(md5, bindings))
1113 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1118 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1119 &cksum, creds, &output_token))
1122 if (!sspi_gss_wrap_token(output_buffer,
1123 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1124 TOK_ID_AP_REQ, &output_token))
1127 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1129 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1130 context->auth_ctx, (INT32*)&context->local_seq))
1132 context->remote_seq ^= context->local_seq;
1135 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1139 context->state = KERBEROS_STATE_AP_REP;
1141 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1142 status = SEC_I_CONTINUE_NEEDED;
1147 case KERBEROS_STATE_AP_REP:
1149 if (tok_id == TOK_ID_AP_REP)
1151 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1154 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1156 else if (tok_id == TOK_ID_ERROR)
1158 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1164 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1166 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1167 context->auth_ctx, (INT32*)&context->remote_seq))
1171 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1175 context->state = KERBEROS_STATE_FINAL;
1178 output_buffer->cbBuffer = 0;
1182 case KERBEROS_STATE_FINAL:
1184 WLog_ERR(TAG,
"Kerberos in invalid state!");
1191 krb5_data edata = { 0 };
1192 in_creds.second_ticket = edata;
1193 krb5_free_cred_contents(credentials->ctx, &in_creds);
1196 krb5_free_creds(credentials->ctx, creds);
1197 if (output_token.data)
1198 krb5glue_free_data_contents(credentials->ctx, &output_token);
1200 winpr_Digest_Free(md5);
1209 case SEC_I_CONTINUE_NEEDED:
1210 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1211 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1214 kerberos_ContextFree(context, TRUE);
1222 status = SEC_E_INVALID_TOKEN;
1225 return SEC_E_UNSUPPORTED_FUNCTION;
1229 static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1231 ULONG Reserved1, ULONG TargetDataRep,
PSecBufferDesc pInput, ULONG Reserved2,
1234 SECURITY_STATUS status = 0;
1235 char* target_name = NULL;
1239 target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL);
1241 return SEC_E_INSUFFICIENT_MEMORY;
1244 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1245 Reserved1, TargetDataRep, pInput, Reserved2,
1246 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1254 static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1260 BOOL isNewContext = FALSE;
1264 uint16_t tok_id = 0;
1265 krb5_data input_token = { 0 };
1266 krb5_data output_token = { 0 };
1267 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1268 krb5_flags ap_flags = 0;
1269 krb5glue_authenticator authenticator = NULL;
1270 char* target = NULL;
1273 krb5_kt_cursor cur = { 0 };
1274 krb5_keytab_entry entry = { 0 };
1275 krb5_principal principal = NULL;
1276 krb5_creds creds = { 0 };
1279 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1280 return SEC_E_INVALID_HANDLE;
1282 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1283 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1286 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1288 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1291 return SEC_E_INVALID_TOKEN;
1293 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1294 return SEC_E_INVALID_TOKEN;
1298 isNewContext = TRUE;
1299 context = kerberos_ContextNew(credentials);
1300 context->acceptor = TRUE;
1302 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1304 context->u2u = TRUE;
1305 context->state = KERBEROS_STATE_TGT_REQ;
1307 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1308 context->state = KERBEROS_STATE_AP_REQ;
1314 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1315 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1319 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1321 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
1326 if (*target != 0 && *target !=
'@')
1328 realm = strchr(target,
'@');
1333 if (krb_log_exec(krb5_parse_name_flags, credentials->ctx, sname ? sname :
"",
1334 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
1339 if (krb_log_exec(krb5glue_set_principal_realm, credentials->ctx, principal, realm))
1343 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1348 krb5_error_code rv = krb_log_exec(krb5_kt_next_entry, credentials->ctx,
1349 credentials->keytab, &entry, &cur);
1350 if (rv == KRB5_KT_END)
1355 if ((!sname || krb_log_exec_bool(krb5_principal_compare_any_realm, credentials->ctx,
1356 principal, entry.principal)) &&
1357 (!realm || krb_log_exec_bool(krb5_realm_compare, credentials->ctx, principal,
1360 if (krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry))
1364 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1367 if (!entry.principal)
1371 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, &creds, entry.principal,
1372 credentials->keytab, 0, NULL, NULL))
1375 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
1378 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1381 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1382 &krb5glue_creds_getkey(creds)))
1385 context->state = KERBEROS_STATE_AP_REQ;
1387 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1389 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL,
1390 credentials->keytab, &ap_flags, NULL))
1393 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1394 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1398 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1401 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1405 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1409 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1411 if (!sspi_gss_wrap_token(output_buffer,
1412 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1413 TOK_ID_AP_REP, &output_token))
1419 output_buffer->cbBuffer = 0;
1422 *pfContextAttr = (context->flags & 0x1F);
1423 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1424 *pfContextAttr |= ASC_RET_INTEGRITY;
1426 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1428 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1429 (INT32*)&context->local_seq))
1431 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1432 (INT32*)&context->remote_seq))
1436 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1440 context->state = KERBEROS_STATE_FINAL;
1446 if (context->state == KERBEROS_STATE_FINAL)
1449 status = SEC_I_CONTINUE_NEEDED;
1453 if (output_token.data)
1454 krb5glue_free_data_contents(credentials->ctx, &output_token);
1455 if (entry.principal)
1456 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1463 case SEC_I_CONTINUE_NEEDED:
1464 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1465 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1468 kerberos_ContextFree(context, TRUE);
1476 status = SEC_E_INVALID_TOKEN;
1479 return SEC_E_UNSUPPORTED_FUNCTION;
1484 static KRB_CONTEXT* get_context(
PCtxtHandle phContext)
1489 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1493 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1495 return sspi_SecureHandleGetLowerPointer(phContext);
1498 static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1502 WINPR_ASSERT(psize);
1504 *ptr = (PUCHAR)malloc(data->length);
1508 *psize = data->length;
1509 memcpy(*ptr, data->data, data->length);
1514 static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(
PCtxtHandle phContext)
1517 KRB_CONTEXT* context = get_context(phContext);
1519 return SEC_E_INVALID_HANDLE;
1521 kerberos_ContextFree(context, TRUE);
1525 return SEC_E_UNSUPPORTED_FUNCTION;
1531 static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1538 return SEC_E_INTERNAL_ERROR;
1542 static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1548 krb5glue_key key = NULL;
1550 WINPR_ASSERT(context);
1551 WINPR_ASSERT(context->auth_ctx);
1557 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1558 ContextSizes->cbMaxSignature = 0;
1559 ContextSizes->cbBlockSize = 1;
1560 ContextSizes->cbSecurityTrailer = 0;
1562 key = get_key(&context->keyset);
1564 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1566 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1567 KRB5_CRYPTO_TYPE_HEADER, &header);
1569 return krb5_error_to_SECURITY_STATUS(rv);
1571 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1574 return krb5_error_to_SECURITY_STATUS(rv);
1576 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1579 return krb5_error_to_SECURITY_STATUS(rv);
1582 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1585 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1587 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1588 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1590 return krb5_error_to_SECURITY_STATUS(rv);
1592 ContextSizes->cbMaxSignature += 16;
1598 static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1599 KRB_CREDENTIALS* credentials,
1602 krb5_creds matchCred = { 0 };
1603 krb5_auth_context authContext = NULL;
1604 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1605 BOOL firstRun = TRUE;
1606 krb5_creds* hostCred = NULL;
1607 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1608 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost,
"HOST",
1609 KRB5_NT_SRV_HST, &matchCred.server);
1613 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1620 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1621 &matchCred, &hostCred);
1626 case KRB5_CC_NOTFOUND:
1635 WLog_ERR(TAG,
"krb5_get_credentials(hostCreds), rv=%d", rv);
1639 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1642 krb5_data derOut = { 0 };
1643 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1644 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1646 ret = SEC_E_LOGON_DENIED;
1650 ticketLogon->MessageType = KerbTicketLogon;
1651 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1653 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1654 &ticketLogon->ServiceTicketLength))
1656 krb5_free_data(credentials->ctx, &derOut);
1660 ticketLogon->TicketGrantingTicketLength = derOut.length;
1661 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1665 krb5_auth_con_free(credentials->ctx, authContext);
1666 krb5_free_creds(credentials->ctx, hostCred);
1667 krb5_free_cred_contents(credentials->ctx, &matchCred);
1673 static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(
PCtxtHandle phContext,
1674 ULONG ulAttribute,
void* pBuffer)
1677 return SEC_E_INVALID_HANDLE;
1680 return SEC_E_INVALID_PARAMETER;
1683 KRB_CONTEXT* context = get_context(phContext);
1685 return SEC_E_INVALID_PARAMETER;
1687 KRB_CREDENTIALS* credentials = context->credentials;
1689 switch (ulAttribute)
1691 case SECPKG_ATTR_SIZES:
1694 case SECPKG_CRED_ATTR_TICKET_LOGON:
1695 return kerberos_ATTR_TICKET_LOGON(context, credentials, (
KERB_TICKET_LOGON*)pBuffer);
1698 WLog_ERR(TAG,
"TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1700 return SEC_E_UNSUPPORTED_FUNCTION;
1703 return SEC_E_UNSUPPORTED_FUNCTION;
1707 static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(
PCtxtHandle phContext,
1708 ULONG ulAttribute,
void* pBuffer)
1710 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1713 static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
PCtxtHandle phContext,
1714 ULONG ulAttribute,
void* pBuffer,
1717 return SEC_E_UNSUPPORTED_FUNCTION;
1720 static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
PCtxtHandle phContext,
1721 ULONG ulAttribute,
void* pBuffer,
1724 return SEC_E_UNSUPPORTED_FUNCTION;
1727 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(
PCredHandle phCredential,
1729 void* pBuffer, ULONG cbBuffer,
1733 KRB_CREDENTIALS* credentials = NULL;
1736 return SEC_E_INVALID_HANDLE;
1738 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1741 return SEC_E_INVALID_HANDLE;
1744 return SEC_E_INSUFFICIENT_MEMORY;
1746 switch (ulAttribute)
1748 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1754 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1757 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1758 return SEC_E_INVALID_TOKEN;
1760 if (credentials->kdc_url)
1762 free(credentials->kdc_url);
1763 credentials->kdc_url = NULL;
1766 if (kdc_settings->ProxyServerLength > 0)
1768 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
1770 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
1771 proxy, kdc_settings->ProxyServerLength /
sizeof(WCHAR), NULL);
1772 if (!credentials->kdc_url)
1773 return SEC_E_INSUFFICIENT_MEMORY;
1778 case SECPKG_CRED_ATTR_NAMES:
1779 case SECPKG_ATTR_SUPPORTED_ALGS:
1781 WLog_ERR(TAG,
"TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
1783 return SEC_E_UNSUPPORTED_FUNCTION;
1787 return SEC_E_UNSUPPORTED_FUNCTION;
1791 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(
PCredHandle phCredential,
1793 void* pBuffer, ULONG cbBuffer)
1795 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
1798 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(
PCredHandle phCredential,
1800 void* pBuffer, ULONG cbBuffer)
1802 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
1805 static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(
PCtxtHandle phContext, ULONG fQOP,
1810 KRB_CONTEXT* context = get_context(phContext);
1813 char* header = NULL;
1815 krb5glue_key key = NULL;
1816 krb5_keyusage usage = 0;
1817 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1818 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1819 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1820 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1821 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1824 return SEC_E_INVALID_HANDLE;
1826 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1827 return SEC_E_UNSUPPORTED_FUNCTION;
1829 KRB_CREDENTIALS* creds = context->credentials;
1831 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1832 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1834 if (!sig_buffer || !data_buffer)
1835 return SEC_E_INVALID_TOKEN;
1838 return SEC_E_QOP_NOT_SUPPORTED;
1840 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
1841 flags |= FLAG_WRAP_CONFIDENTIAL;
1843 key = get_key(&context->keyset);
1845 return SEC_E_INTERNAL_ERROR;
1847 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
1849 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
1852 encrypt_iov[1].data.length = data_buffer->cbBuffer;
1853 encrypt_iov[2].data.length = 16;
1856 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
1857 ARRAYSIZE(encrypt_iov)))
1858 return SEC_E_INTERNAL_ERROR;
1859 if (sig_buffer->cbBuffer <
1860 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
1861 return SEC_E_INSUFFICIENT_MEMORY;
1864 header = sig_buffer->pvBuffer;
1865 encrypt_iov[2].data.data = header + 16;
1866 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
1867 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
1868 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
1869 encrypt_iov[1].data.data = data_buffer->pvBuffer;
1872 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
1873 header[2] = WINPR_ASSERTING_INT_CAST(
char, flags);
1874 header[3] = (char)0xFF;
1875 winpr_Data_Write_UINT32(header + 4, 0);
1876 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
1879 CopyMemory(encrypt_iov[2].data.data, header, 16);
1882 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
1883 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
1885 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
1886 ARRAYSIZE(encrypt_iov)))
1887 return SEC_E_INTERNAL_ERROR;
1891 return SEC_E_UNSUPPORTED_FUNCTION;
1895 static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(
PCtxtHandle phContext,
1897 ULONG MessageSeqNo, ULONG* pfQOP)
1900 KRB_CONTEXT* context = get_context(phContext);
1903 krb5glue_key key = NULL;
1904 krb5_keyusage usage = 0;
1905 uint16_t tok_id = 0;
1909 uint64_t seq_no = 0;
1910 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1911 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1912 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1913 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1914 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1917 return SEC_E_INVALID_HANDLE;
1919 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1920 return SEC_E_UNSUPPORTED_FUNCTION;
1922 KRB_CREDENTIALS* creds = context->credentials;
1924 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1925 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1927 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
1928 return SEC_E_INVALID_TOKEN;
1931 BYTE* header = sig_buffer->pvBuffer;
1932 tok_id = winpr_Data_Get_UINT16_BE(header);
1934 ec = winpr_Data_Get_UINT16_BE(&header[4]);
1935 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
1936 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
1939 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
1940 return SEC_E_INVALID_TOKEN;
1942 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
1943 return SEC_E_INVALID_TOKEN;
1945 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
1946 (seq_no != context->remote_seq + MessageSeqNo))
1947 return SEC_E_OUT_OF_SEQUENCE;
1949 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
1950 return SEC_E_INVALID_TOKEN;
1954 return SEC_E_INVALID_TOKEN;
1957 key = get_key(&context->keyset);
1958 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
1959 return SEC_E_INTERNAL_ERROR;
1960 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
1963 iov[1].data.length = data_buffer->cbBuffer;
1964 iov[2].data.length = 16;
1965 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
1966 return SEC_E_INTERNAL_ERROR;
1969 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
1970 return SEC_E_INVALID_TOKEN;
1971 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
1972 return SEC_E_INVALID_TOKEN;
1975 iov[0].data.data = (
char*)&header[16 + rrc + ec];
1976 iov[1].data.data = data_buffer->pvBuffer;
1977 iov[2].data.data = (
char*)&header[16 + ec];
1978 char* data2 = iov[2].data.data;
1979 iov[3].data.data = &data2[iov[2].data.length];
1981 char* data3 = iov[3].data.data;
1982 iov[4].data.data = &data2[iov[3].data.length];
1983 iov[4].data.data = &data3[iov[3].data.length];
1985 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
1986 return SEC_E_INTERNAL_ERROR;
1989 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
1990 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
1991 if (memcmp(iov[2].data.data, header, 16) != 0)
1992 return SEC_E_MESSAGE_ALTERED;
1998 return SEC_E_UNSUPPORTED_FUNCTION;
2002 static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(
PCtxtHandle phContext, ULONG fQOP,
2006 KRB_CONTEXT* context = get_context(phContext);
2009 krb5glue_key key = NULL;
2010 krb5_keyusage usage = 0;
2012 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2013 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2014 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2017 return SEC_E_INVALID_HANDLE;
2019 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2020 return SEC_E_UNSUPPORTED_FUNCTION;
2022 KRB_CREDENTIALS* creds = context->credentials;
2024 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2025 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2027 if (!sig_buffer || !data_buffer)
2028 return SEC_E_INVALID_TOKEN;
2030 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2032 key = get_key(&context->keyset);
2034 return SEC_E_INTERNAL_ERROR;
2035 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2037 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2040 iov[0].data.length = data_buffer->cbBuffer;
2041 iov[1].data.length = 16;
2042 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2043 return SEC_E_INTERNAL_ERROR;
2046 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2047 return SEC_E_INSUFFICIENT_MEMORY;
2050 char* header = sig_buffer->pvBuffer;
2051 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2052 header[2] = WINPR_ASSERTING_INT_CAST(
char, flags);
2053 memset(header + 3, 0xFF, 5);
2054 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2057 iov[0].data.data = data_buffer->pvBuffer;
2058 iov[1].data.data = header;
2059 iov[2].data.data = header + 16;
2061 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2062 return SEC_E_INTERNAL_ERROR;
2064 sig_buffer->cbBuffer = iov[2].data.length + 16;
2068 return SEC_E_UNSUPPORTED_FUNCTION;
2072 static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(
PCtxtHandle phContext,
2074 ULONG MessageSeqNo, ULONG* pfQOP)
2079 krb5glue_key key = NULL;
2080 krb5_keyusage usage = 0;
2082 uint16_t tok_id = 0;
2083 uint64_t seq_no = 0;
2084 krb5_boolean is_valid = 0;
2085 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2086 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2087 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2088 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2090 KRB_CONTEXT* context = get_context(phContext);
2092 return SEC_E_INVALID_HANDLE;
2094 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2095 return SEC_E_UNSUPPORTED_FUNCTION;
2097 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2098 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2100 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2101 return SEC_E_INVALID_TOKEN;
2104 BYTE* header = sig_buffer->pvBuffer;
2105 tok_id = winpr_Data_Get_UINT16_BE(header);
2107 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2110 if (tok_id != TOK_ID_MIC)
2111 return SEC_E_INVALID_TOKEN;
2113 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2114 return SEC_E_INVALID_TOKEN;
2116 if (memcmp(header + 3, cmp_filler,
sizeof(cmp_filler)) != 0)
2117 return SEC_E_INVALID_TOKEN;
2119 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2120 return SEC_E_OUT_OF_SEQUENCE;
2123 key = get_key(&context->keyset);
2124 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2125 return SEC_E_INTERNAL_ERROR;
2126 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2129 KRB_CREDENTIALS* creds = context->credentials;
2130 iov[0].data.length = data_buffer->cbBuffer;
2131 iov[1].data.length = 16;
2132 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2133 return SEC_E_INTERNAL_ERROR;
2135 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2136 return SEC_E_INTERNAL_ERROR;
2139 iov[0].data.data = data_buffer->pvBuffer;
2140 iov[1].data.data = (
char*)header;
2141 iov[2].data.data = (
char*)&header[16];
2143 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2145 return SEC_E_INTERNAL_ERROR;
2148 return SEC_E_MESSAGE_ALTERED;
2152 return SEC_E_UNSUPPORTED_FUNCTION;
2159 kerberos_QueryCredentialsAttributesA,
2160 kerberos_AcquireCredentialsHandleA,
2161 kerberos_FreeCredentialsHandle,
2163 kerberos_InitializeSecurityContextA,
2164 kerberos_AcceptSecurityContext,
2166 kerberos_DeleteSecurityContext,
2168 kerberos_QueryContextAttributesA,
2171 kerberos_MakeSignature,
2172 kerberos_VerifySignature,
2182 kerberos_EncryptMessage,
2183 kerberos_DecryptMessage,
2184 kerberos_SetContextAttributesA,
2185 kerberos_SetCredentialsAttributesA,
2191 kerberos_QueryCredentialsAttributesW,
2192 kerberos_AcquireCredentialsHandleW,
2193 kerberos_FreeCredentialsHandle,
2195 kerberos_InitializeSecurityContextW,
2196 kerberos_AcceptSecurityContext,
2198 kerberos_DeleteSecurityContext,
2200 kerberos_QueryContextAttributesW,
2203 kerberos_MakeSignature,
2204 kerberos_VerifySignature,
2214 kerberos_EncryptMessage,
2215 kerberos_DecryptMessage,
2216 kerberos_SetContextAttributesW,
2217 kerberos_SetCredentialsAttributesW,
2220 BOOL KERBEROS_init(
void)
2222 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2223 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2224 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2225 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
1.9.1