22 #include <winpr/config.h>
31 #include <winpr/assert.h>
32 #include <winpr/asn1.h>
33 #include <winpr/crt.h>
34 #include <winpr/interlocked.h>
35 #include <winpr/sspi.h>
36 #include <winpr/print.h>
37 #include <winpr/tchar.h>
38 #include <winpr/sysinfo.h>
39 #include <winpr/registry.h>
40 #include <winpr/endian.h>
41 #include <winpr/crypto.h>
42 #include <winpr/path.h>
43 #include <winpr/wtypes.h>
44 #include <winpr/winsock.h>
45 #include <winpr/schannel.h>
46 #include <winpr/secapi.h>
55 #ifdef WITH_KRB5_HEIMDAL
57 #include <krb5-protos.h>
61 #include "../../log.h"
62 #define TAG WINPR_TAG("sspi.Kerberos")
64 #define KRB_TGT_REQ 16
65 #define KRB_TGT_REP 17
73 "Kerberos Security Package"
76 static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 };
77 static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 };
84 KERBEROS_SecPkgInfoW_NameBuffer,
85 KERBEROS_SecPkgInfoW_CommentBuffer
92 KERBEROS_STATE_INITIAL,
93 KERBEROS_STATE_TGT_REQ,
94 KERBEROS_STATE_TGT_REP,
95 KERBEROS_STATE_AP_REQ,
96 KERBEROS_STATE_AP_REP,
100 typedef struct KRB_CREDENTIALS_st
102 volatile LONG refCount;
107 krb5_keytab client_keytab;
113 enum KERBEROS_STATE state;
114 KRB_CREDENTIALS* credentials;
115 krb5_auth_context auth_ctx;
125 static const WinPrAsn1_OID kerberos_OID = { 9, (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
127 (
void*)
"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
129 #define krb_log_exec(fkt, ctx, ...) \
130 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
131 #define krb_log_exec_ptr(fkt, ctx, ...) \
132 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
133 static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code,
const char* what,
134 const char* file,
const char* fkt,
size_t line)
143 const DWORD level = WLOG_ERROR;
145 wLog* log = WLog_Get(TAG);
146 if (WLog_IsLevelActive(log, level))
148 const char* msg = krb5_get_error_message(ctx, code);
149 WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt,
"%s (%s [%d])",
151 krb5_free_error_message(ctx, msg);
159 static void credentials_unref(KRB_CREDENTIALS* credentials);
161 static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
166 free(ctx->targetHost);
167 ctx->targetHost = NULL;
169 if (ctx->credentials)
171 krb5_context krbctx = ctx->credentials->ctx;
175 krb5_auth_con_free(krbctx, ctx->auth_ctx);
177 krb5glue_keys_free(krbctx, &ctx->keyset);
180 credentials_unref(ctx->credentials);
187 static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
189 KRB_CONTEXT* context = NULL;
191 context = (KRB_CONTEXT*)calloc(1,
sizeof(KRB_CONTEXT));
195 context->credentials = credentials;
196 InterlockedIncrement(&credentials->refCount);
200 static krb5_error_code krb5_prompter(krb5_context context,
void* data,
const char* name,
201 const char* banner,
int num_prompts, krb5_prompt prompts[])
203 for (
int i = 0; i < num_prompts; i++)
205 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
206 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
208 prompts[i].reply->data = _strdup((
const char*)data);
210 const size_t len = strlen((
const char*)data);
211 if (len > UINT32_MAX)
213 prompts[i].reply->length = (UINT32)len;
221 return keyset->acceptor_key ? keyset->acceptor_key
222 : keyset->initiator_key ? keyset->initiator_key
223 : keyset->session_key;
226 static BOOL isValidIPv4(
const char* ipAddress)
228 struct sockaddr_in sa = { 0 };
229 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
233 static BOOL isValidIPv6(
const char* ipAddress)
235 struct sockaddr_in6 sa = { 0 };
236 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
240 static BOOL isValidIP(
const char* ipAddress)
242 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
245 static int build_krbtgt(krb5_context ctx, krb5_data* realm, krb5_principal* ptarget)
250 krb5_error_code rv = KRB5_CC_NOMEM;
252 (void)winpr_asprintf(&name, &len,
"krbtgt/%s@%s", realm->data, realm->data);
253 if (!name || (len == 0))
256 krb5_principal target = { 0 };
257 rv = krb5_parse_name(ctx, name, &target);
266 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
267 SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse,
void* pvLogonID,
268 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
273 KRB_CREDENTIALS* credentials = NULL;
274 krb5_context ctx = NULL;
275 krb5_ccache ccache = NULL;
276 krb5_keytab keytab = NULL;
277 krb5_principal principal = NULL;
279 char* username = NULL;
280 char* password = NULL;
281 BOOL own_ccache = FALSE;
282 const char*
const default_ccache_type =
"MEMORY";
286 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
288 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
294 WLog_ERR(TAG,
"Failed to copy auth identity fields");
299 pszPrincipal = username;
302 if (krb_log_exec_ptr(krb5_init_context, &ctx))
307 char* udomain = _strdup(domain);
313 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
322 char* cpszPrincipal = _strdup(pszPrincipal);
327 char* p = strchr(cpszPrincipal,
'@');
331 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
338 if (krb_settings && krb_settings->cache)
340 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
349 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
353 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
358 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
362 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
368 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
371 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
373 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
381 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
386 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
391 if (krb_settings && krb_settings->keytab)
393 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
398 if (fCredentialUse & SECPKG_CRED_INBOUND)
399 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
404 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
406 krb5_creds creds = { 0 };
407 krb5_creds matchCreds = { 0 };
408 int matchFlags = KRB5_TC_MATCH_TIMES;
410 krb5_timeofday(ctx, &matchCreds.times.endtime);
411 matchCreds.times.endtime += 60;
412 matchCreds.client = principal;
414 if (krb_log_exec(build_krbtgt, ctx, &principal->realm, &matchCreds.server))
417 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
418 krb5_free_principal(ctx, matchCreds.server);
419 krb5_free_cred_contents(ctx, &creds);
422 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
423 password, krb_settings))
428 credentials = calloc(1,
sizeof(KRB_CREDENTIALS));
431 credentials->refCount = 1;
432 credentials->ctx = ctx;
433 credentials->ccache = ccache;
434 credentials->keytab = keytab;
435 credentials->own_ccache = own_ccache;
444 krb5_free_principal(ctx, principal);
452 krb5_cc_destroy(ctx, ccache);
454 krb5_cc_close(ctx, ccache);
457 krb5_kt_close(ctx, keytab);
459 krb5_free_context(ctx);
466 sspi_SecureHandleSetLowerPointer(phCredential, (
void*)credentials);
467 sspi_SecureHandleSetUpperPointer(phCredential, (
void*)KERBEROS_SSP_NAME);
471 return SEC_E_NO_CREDENTIALS;
473 return SEC_E_UNSUPPORTED_FUNCTION;
477 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
478 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse,
void* pvLogonID,
479 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
482 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
483 char* principal = NULL;
484 char*
package = NULL;
488 principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL);
494 package = ConvertWCharToUtf8Alloc(pszPackage, NULL);
500 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
501 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
511 static void credentials_unref(KRB_CREDENTIALS* credentials)
513 WINPR_ASSERT(credentials);
515 if (InterlockedDecrement(&credentials->refCount))
518 free(credentials->kdc_url);
520 if (credentials->ccache)
522 if (credentials->own_ccache)
523 krb5_cc_destroy(credentials->ctx, credentials->ccache);
525 krb5_cc_close(credentials->ctx, credentials->ccache);
527 if (credentials->keytab)
528 krb5_kt_close(credentials->ctx, credentials->keytab);
530 krb5_free_context(credentials->ctx);
535 static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(
PCredHandle phCredential)
538 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
540 return SEC_E_INVALID_HANDLE;
542 credentials_unref(credentials);
544 sspi_SecureHandleInvalidate(phCredential);
547 return SEC_E_UNSUPPORTED_FUNCTION;
551 static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
PCredHandle phCredential,
558 case SECPKG_CRED_ATTR_NAMES:
561 WLog_ERR(TAG,
"TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
563 return SEC_E_UNSUPPORTED_FUNCTION;
567 return SEC_E_UNSUPPORTED_FUNCTION;
571 static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(
PCredHandle phCredential,
575 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
580 static BOOL kerberos_mk_tgt_token(
SecBuffer* buf,
int msg_type,
char* sname,
char* host,
581 const krb5_data* ticket)
583 WinPrAsn1Encoder* enc = NULL;
592 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
594 if (msg_type == KRB_TGT_REP && !ticket)
597 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
602 if (!WinPrAsn1EncSeqContainer(enc))
606 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
610 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
613 if (msg_type == KRB_TGT_REQ && sname)
616 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
620 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
624 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
627 if (!WinPrAsn1EncGeneralString(enc, sname))
630 if (host && !WinPrAsn1EncGeneralString(enc, host))
633 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
636 else if (msg_type == KRB_TGT_REP)
639 data.data = (BYTE*)ticket->data;
640 data.len = ticket->length;
641 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
645 if (!WinPrAsn1EncEndContainer(enc))
648 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
651 Stream_StaticInit(&s, buf->pvBuffer, len);
652 if (!WinPrAsn1EncToStream(enc, &s))
655 token.data = buf->pvBuffer;
656 token.length = (UINT)len;
657 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
658 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
662 WinPrAsn1Encoder_Free(&enc);
666 static BOOL append(
char* dst,
size_t dstSize,
const char* src)
668 const size_t dlen = strnlen(dst, dstSize);
669 const size_t slen = strlen(src);
670 if (dlen + slen >= dstSize)
672 if (!strncat(dst, src, slen))
677 static BOOL kerberos_rd_tgt_req_tag2(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
683 if (!WinPrAsn1DecReadSequence(dec, &seq))
688 WinPrAsn1_INTEGER val = 0;
689 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
693 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
696 WinPrAsn1_tag tag = 0;
698 while (WinPrAsn1DecPeekTag(dec, &tag))
700 BOOL success = FALSE;
702 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
707 if (!append(buf, len,
"/"))
712 if (!append(buf, len, lstr))
727 static BOOL kerberos_rd_tgt_req_tag3(
WinPrAsn1Decoder* dec,
char* buf,
size_t len)
731 WinPrAsn1_STRING str = NULL;
732 if (!WinPrAsn1DecReadGeneralString(dec, &str))
735 if (!append(buf, len,
"@"))
737 if (!append(buf, len, str))
754 wStream s = WinPrAsn1DecGetStream(dec);
755 const size_t len = Stream_Length(&s);
760 WinPrAsn1_tagId tag = 0;
761 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
764 char* buf = calloc(len + 1,
sizeof(
char));
772 BOOL checkForTag3 = TRUE;
775 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
778 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
780 checkForTag3 = FALSE;
787 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
806 WinPrAsn1_tagId tag = 0;
807 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
813 wStream s = WinPrAsn1DecGetStream(&asnTicket);
814 ticket->data = Stream_BufferAs(&s,
char);
816 const size_t len = Stream_Length(&s);
817 if (len > UINT32_MAX)
819 ticket->length = (UINT32)len;
823 static BOOL kerberos_rd_tgt_token(
const sspi_gss_data* token,
char** target, krb5_data* ticket)
826 WinPrAsn1_INTEGER val = 0;
834 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
838 if (!WinPrAsn1DecReadSequence(&der, &seq))
842 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
846 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
852 return kerberos_rd_tgt_req(&seq, target);
854 return kerberos_rd_tgt_rep(&seq, ticket);
863 static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5,
SEC_CHANNEL_BINDINGS* bindings)
867 Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
868 if (!winpr_Digest_Update(md5, buf, 4))
871 Data_Write_UINT32(buf, bindings->cbInitiatorLength);
872 if (!winpr_Digest_Update(md5, buf, 4))
875 if (bindings->cbInitiatorLength &&
876 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
877 bindings->cbInitiatorLength))
880 Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
881 if (!winpr_Digest_Update(md5, buf, 4))
884 Data_Write_UINT32(buf, bindings->cbAcceptorLength);
885 if (!winpr_Digest_Update(md5, buf, 4))
888 if (bindings->cbAcceptorLength &&
889 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
890 bindings->cbAcceptorLength))
893 Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
894 if (!winpr_Digest_Update(md5, buf, 4))
897 if (bindings->cbApplicationDataLength &&
898 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
899 bindings->cbApplicationDataLength))
905 static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
907 ULONG Reserved1, ULONG TargetDataRep,
PSecBufferDesc pInput, ULONG Reserved2,
914 WINPR_DIGEST_CTX* md5 = NULL;
918 krb5_data input_token = { 0 };
919 krb5_data output_token = { 0 };
920 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
923 krb5_ap_rep_enc_part* reply = NULL;
924 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
925 char cksum_contents[24] = { 0 };
926 krb5_data cksum = { 0 };
927 krb5_creds in_creds = { 0 };
928 krb5_creds* creds = NULL;
929 BOOL isNewContext = FALSE;
930 KRB_CONTEXT* context = NULL;
931 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
934 if (phContext && !phContext->dwLower && !phContext->dwUpper)
935 return SEC_E_INVALID_HANDLE;
937 context = sspi_SecureHandleGetLowerPointer(phContext);
940 return SEC_E_NO_CREDENTIALS;
944 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
945 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
948 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
950 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
951 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
953 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
954 ap_flags |= AP_OPTS_USE_SESSION_KEY;
959 target = _strdup(pszTargetName);
962 status = SEC_E_INSUFFICIENT_MEMORY;
965 host = strchr(target,
'/');
975 status = SEC_E_NO_CREDENTIALS;
982 context = kerberos_ContextNew(credentials);
985 status = SEC_E_INSUFFICIENT_MEMORY;
992 context->targetHost = _strdup(host);
993 if (!context->targetHost)
995 status = SEC_E_INSUFFICIENT_MEMORY;
999 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1001 context->state = KERBEROS_STATE_TGT_REQ;
1002 context->u2u = TRUE;
1005 context->state = KERBEROS_STATE_AP_REQ;
1009 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1011 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1012 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1017 context->flags |= (fContextReq & 0x1F);
1018 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1019 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1021 switch (context->state)
1023 case KERBEROS_STATE_TGT_REQ:
1025 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL))
1028 context->state = KERBEROS_STATE_TGT_REP;
1029 status = SEC_I_CONTINUE_NEEDED;
1032 case KERBEROS_STATE_TGT_REP:
1034 if (tok_id != TOK_ID_TGT_REP)
1037 if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket))
1044 case KERBEROS_STATE_AP_REQ:
1047 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1049 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1050 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1052 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1057 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1058 KRB5_NT_SRV_HST, &in_creds.server))
1061 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1064 status = SEC_E_WRONG_PRINCIPAL;
1068 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1069 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1072 status = SEC_E_NO_CREDENTIALS;
1077 cksum.data = cksum_contents;
1078 cksum.length =
sizeof(cksum_contents);
1079 Data_Write_UINT32(cksum_contents, 16);
1080 Data_Write_UINT32((cksum_contents + 20), context->flags);
1082 if (bindings_buffer)
1088 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1089 bindings_buffer->cbBuffer ||
1090 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1091 bindings_buffer->cbBuffer ||
1092 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1093 bindings_buffer->cbBuffer)
1095 status = SEC_E_BAD_BINDINGS;
1099 md5 = winpr_Digest_New();
1103 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1106 if (!kerberos_hash_channel_bindings(md5, bindings))
1109 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1114 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1115 &cksum, creds, &output_token))
1118 if (!sspi_gss_wrap_token(output_buffer,
1119 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1120 TOK_ID_AP_REQ, &output_token))
1123 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1125 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1126 context->auth_ctx, (INT32*)&context->local_seq))
1128 context->remote_seq ^= context->local_seq;
1131 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1135 context->state = KERBEROS_STATE_AP_REP;
1137 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1138 status = SEC_I_CONTINUE_NEEDED;
1143 case KERBEROS_STATE_AP_REP:
1145 if (tok_id == TOK_ID_AP_REP)
1147 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1150 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1152 else if (tok_id == TOK_ID_ERROR)
1154 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1160 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1162 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1163 context->auth_ctx, (INT32*)&context->remote_seq))
1167 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1171 context->state = KERBEROS_STATE_FINAL;
1174 output_buffer->cbBuffer = 0;
1178 case KERBEROS_STATE_FINAL:
1180 WLog_ERR(TAG,
"Kerberos in invalid state!");
1187 krb5_data edata = { 0 };
1188 in_creds.second_ticket = edata;
1189 krb5_free_cred_contents(credentials->ctx, &in_creds);
1192 krb5_free_creds(credentials->ctx, creds);
1193 if (output_token.data)
1194 krb5glue_free_data_contents(credentials->ctx, &output_token);
1196 winpr_Digest_Free(md5);
1205 case SEC_I_CONTINUE_NEEDED:
1206 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1207 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1210 kerberos_ContextFree(context, TRUE);
1218 status = SEC_E_INVALID_TOKEN;
1221 return SEC_E_UNSUPPORTED_FUNCTION;
1225 static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1227 ULONG Reserved1, ULONG TargetDataRep,
PSecBufferDesc pInput, ULONG Reserved2,
1230 SECURITY_STATUS status = 0;
1231 char* target_name = NULL;
1235 target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL);
1237 return SEC_E_INSUFFICIENT_MEMORY;
1240 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1241 Reserved1, TargetDataRep, pInput, Reserved2,
1242 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1250 static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1256 BOOL isNewContext = FALSE;
1260 uint16_t tok_id = 0;
1261 krb5_data input_token = { 0 };
1262 krb5_data output_token = { 0 };
1263 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1264 krb5_flags ap_flags = 0;
1265 krb5glue_authenticator authenticator = NULL;
1266 char* target = NULL;
1269 krb5_kt_cursor cur = { 0 };
1270 krb5_keytab_entry entry = { 0 };
1271 krb5_principal principal = NULL;
1272 krb5_creds creds = { 0 };
1275 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1276 return SEC_E_INVALID_HANDLE;
1278 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1279 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1282 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1284 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1287 return SEC_E_INVALID_TOKEN;
1289 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1290 return SEC_E_INVALID_TOKEN;
1294 isNewContext = TRUE;
1295 context = kerberos_ContextNew(credentials);
1296 context->acceptor = TRUE;
1298 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1300 context->u2u = TRUE;
1301 context->state = KERBEROS_STATE_TGT_REQ;
1303 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1304 context->state = KERBEROS_STATE_AP_REQ;
1310 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1311 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1315 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1317 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
1322 if (*target != 0 && *target !=
'@')
1324 realm = strchr(target,
'@');
1329 if (krb_log_exec(krb5_parse_name_flags, credentials->ctx, sname ? sname :
"",
1330 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
1335 if (krb_log_exec(krb5glue_set_principal_realm, credentials->ctx, principal, realm))
1339 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1344 krb5_error_code rv = krb_log_exec(krb5_kt_next_entry, credentials->ctx,
1345 credentials->keytab, &entry, &cur);
1346 if (rv == KRB5_KT_END)
1351 if ((!sname || krb_log_exec(krb5_principal_compare_any_realm, credentials->ctx,
1352 principal, entry.principal)) &&
1354 krb_log_exec(krb5_realm_compare, credentials->ctx, principal, entry.principal)))
1356 if (krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry))
1360 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1363 if (!entry.principal)
1367 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, &creds, entry.principal,
1368 credentials->keytab, 0, NULL, NULL))
1371 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
1374 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1377 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1378 &krb5glue_creds_getkey(creds)))
1381 context->state = KERBEROS_STATE_AP_REQ;
1383 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1385 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL,
1386 credentials->keytab, &ap_flags, NULL))
1389 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1390 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1394 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1397 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1401 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1405 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1407 if (!sspi_gss_wrap_token(output_buffer,
1408 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1409 TOK_ID_AP_REP, &output_token))
1415 output_buffer->cbBuffer = 0;
1418 *pfContextAttr = (context->flags & 0x1F);
1419 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1420 *pfContextAttr |= ASC_RET_INTEGRITY;
1422 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1424 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1425 (INT32*)&context->local_seq))
1427 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1428 (INT32*)&context->remote_seq))
1432 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1436 context->state = KERBEROS_STATE_FINAL;
1442 if (context->state == KERBEROS_STATE_FINAL)
1445 status = SEC_I_CONTINUE_NEEDED;
1449 if (output_token.data)
1450 krb5glue_free_data_contents(credentials->ctx, &output_token);
1451 if (entry.principal)
1452 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1459 case SEC_I_CONTINUE_NEEDED:
1460 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1461 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1464 kerberos_ContextFree(context, TRUE);
1472 status = SEC_E_INVALID_TOKEN;
1475 return SEC_E_UNSUPPORTED_FUNCTION;
1480 static KRB_CONTEXT* get_context(
PCtxtHandle phContext)
1485 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1489 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1491 return sspi_SecureHandleGetLowerPointer(phContext);
1494 static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1498 WINPR_ASSERT(psize);
1500 *ptr = (PUCHAR)malloc(data->length);
1504 *psize = data->length;
1505 memcpy(*ptr, data->data, data->length);
1510 static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(
PCtxtHandle phContext)
1513 KRB_CONTEXT* context = get_context(phContext);
1515 return SEC_E_INVALID_HANDLE;
1517 kerberos_ContextFree(context, TRUE);
1521 return SEC_E_UNSUPPORTED_FUNCTION;
1527 static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1534 return SEC_E_INTERNAL_ERROR;
1538 static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1544 krb5glue_key key = NULL;
1546 WINPR_ASSERT(context);
1547 WINPR_ASSERT(context->auth_ctx);
1553 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1554 ContextSizes->cbMaxSignature = 0;
1555 ContextSizes->cbBlockSize = 1;
1556 ContextSizes->cbSecurityTrailer = 0;
1558 key = get_key(&context->keyset);
1560 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1562 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1563 KRB5_CRYPTO_TYPE_HEADER, &header);
1565 return krb5_error_to_SECURITY_STATUS(rv);
1567 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1570 return krb5_error_to_SECURITY_STATUS(rv);
1572 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1575 return krb5_error_to_SECURITY_STATUS(rv);
1578 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1581 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1583 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1584 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1586 return krb5_error_to_SECURITY_STATUS(rv);
1588 ContextSizes->cbMaxSignature += 16;
1594 static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1595 KRB_CREDENTIALS* credentials,
1598 krb5_creds matchCred = { 0 };
1599 krb5_auth_context authContext = NULL;
1600 int getCredsFlags = KRB5_GC_CACHED;
1601 BOOL firstRun = TRUE;
1602 krb5_creds* hostCred = NULL;
1603 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1604 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost,
"HOST",
1605 KRB5_NT_SRV_HST, &matchCred.server);
1609 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1616 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1617 &matchCred, &hostCred);
1622 case KRB5_CC_NOTFOUND:
1631 WLog_ERR(TAG,
"krb5_get_credentials(hostCreds), rv=%d", rv);
1635 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1638 krb5_data derOut = { 0 };
1639 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1640 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1642 ret = SEC_E_LOGON_DENIED;
1646 ticketLogon->MessageType = KerbTicketLogon;
1647 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1649 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1650 &ticketLogon->ServiceTicketLength))
1652 krb5_free_data(credentials->ctx, &derOut);
1656 ticketLogon->TicketGrantingTicketLength = derOut.length;
1657 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1661 krb5_auth_con_free(credentials->ctx, authContext);
1662 krb5_free_creds(credentials->ctx, hostCred);
1663 krb5_free_cred_contents(credentials->ctx, &matchCred);
1669 static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(
PCtxtHandle phContext,
1670 ULONG ulAttribute,
void* pBuffer)
1673 return SEC_E_INVALID_HANDLE;
1676 return SEC_E_INVALID_PARAMETER;
1679 KRB_CONTEXT* context = get_context(phContext);
1681 return SEC_E_INVALID_PARAMETER;
1683 KRB_CREDENTIALS* credentials = context->credentials;
1685 switch (ulAttribute)
1687 case SECPKG_ATTR_SIZES:
1690 case SECPKG_CRED_ATTR_TICKET_LOGON:
1691 return kerberos_ATTR_TICKET_LOGON(context, credentials, (
KERB_TICKET_LOGON*)pBuffer);
1694 WLog_ERR(TAG,
"TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1696 return SEC_E_UNSUPPORTED_FUNCTION;
1699 return SEC_E_UNSUPPORTED_FUNCTION;
1703 static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(
PCtxtHandle phContext,
1704 ULONG ulAttribute,
void* pBuffer)
1706 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1709 static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
PCtxtHandle phContext,
1710 ULONG ulAttribute,
void* pBuffer,
1713 return SEC_E_UNSUPPORTED_FUNCTION;
1716 static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
PCtxtHandle phContext,
1717 ULONG ulAttribute,
void* pBuffer,
1720 return SEC_E_UNSUPPORTED_FUNCTION;
1723 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(
PCredHandle phCredential,
1725 void* pBuffer, ULONG cbBuffer,
1729 KRB_CREDENTIALS* credentials = NULL;
1732 return SEC_E_INVALID_HANDLE;
1734 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1737 return SEC_E_INVALID_HANDLE;
1740 return SEC_E_INSUFFICIENT_MEMORY;
1742 switch (ulAttribute)
1744 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1750 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1753 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1754 return SEC_E_INVALID_TOKEN;
1756 if (credentials->kdc_url)
1758 free(credentials->kdc_url);
1759 credentials->kdc_url = NULL;
1762 if (kdc_settings->ProxyServerLength > 0)
1764 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
1766 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
1767 proxy, kdc_settings->ProxyServerLength /
sizeof(WCHAR), NULL);
1768 if (!credentials->kdc_url)
1769 return SEC_E_INSUFFICIENT_MEMORY;
1774 case SECPKG_CRED_ATTR_NAMES:
1775 case SECPKG_ATTR_SUPPORTED_ALGS:
1777 WLog_ERR(TAG,
"TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
1779 return SEC_E_UNSUPPORTED_FUNCTION;
1783 return SEC_E_UNSUPPORTED_FUNCTION;
1787 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(
PCredHandle phCredential,
1789 void* pBuffer, ULONG cbBuffer)
1791 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
1794 static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(
PCredHandle phCredential,
1796 void* pBuffer, ULONG cbBuffer)
1798 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
1801 static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(
PCtxtHandle phContext, ULONG fQOP,
1806 KRB_CONTEXT* context = get_context(phContext);
1809 char* header = NULL;
1811 krb5glue_key key = NULL;
1812 krb5_keyusage usage = 0;
1813 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1814 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1815 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1816 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1817 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1820 return SEC_E_INVALID_HANDLE;
1822 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1823 return SEC_E_UNSUPPORTED_FUNCTION;
1825 KRB_CREDENTIALS* creds = context->credentials;
1827 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1828 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1830 if (!sig_buffer || !data_buffer)
1831 return SEC_E_INVALID_TOKEN;
1834 return SEC_E_QOP_NOT_SUPPORTED;
1836 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
1837 flags |= FLAG_WRAP_CONFIDENTIAL;
1839 key = get_key(&context->keyset);
1841 return SEC_E_INTERNAL_ERROR;
1843 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
1845 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
1848 encrypt_iov[1].data.length = data_buffer->cbBuffer;
1849 encrypt_iov[2].data.length = 16;
1852 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
1853 ARRAYSIZE(encrypt_iov)))
1854 return SEC_E_INTERNAL_ERROR;
1855 if (sig_buffer->cbBuffer <
1856 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
1857 return SEC_E_INSUFFICIENT_MEMORY;
1860 header = sig_buffer->pvBuffer;
1861 encrypt_iov[2].data.data = header + 16;
1862 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
1863 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
1864 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
1865 encrypt_iov[1].data.data = data_buffer->pvBuffer;
1868 Data_Write_UINT16_BE(header, TOK_ID_WRAP);
1870 header[3] = (char)0xFF;
1871 Data_Write_UINT32(header + 4, 0);
1872 Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
1875 CopyMemory(encrypt_iov[2].data.data, header, 16);
1878 Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
1880 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
1881 ARRAYSIZE(encrypt_iov)))
1882 return SEC_E_INTERNAL_ERROR;
1886 return SEC_E_UNSUPPORTED_FUNCTION;
1890 static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(
PCtxtHandle phContext,
1892 ULONG MessageSeqNo, ULONG* pfQOP)
1895 KRB_CONTEXT* context = get_context(phContext);
1898 krb5glue_key key = NULL;
1899 krb5_keyusage usage = 0;
1900 char* header = NULL;
1901 uint16_t tok_id = 0;
1905 uint64_t seq_no = 0;
1906 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
1907 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1908 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
1909 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
1910 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
1913 return SEC_E_INVALID_HANDLE;
1915 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
1916 return SEC_E_UNSUPPORTED_FUNCTION;
1918 KRB_CREDENTIALS* creds = context->credentials;
1920 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
1921 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
1923 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
1924 return SEC_E_INVALID_TOKEN;
1927 header = sig_buffer->pvBuffer;
1928 Data_Read_UINT16_BE(header, tok_id);
1930 Data_Read_UINT16_BE((header + 4), ec);
1931 Data_Read_UINT16_BE((header + 6), rrc);
1932 Data_Read_UINT64_BE((header + 8), seq_no);
1935 if (tok_id != TOK_ID_WRAP || (BYTE)header[3] != 0xFF)
1936 return SEC_E_INVALID_TOKEN;
1938 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
1939 return SEC_E_INVALID_TOKEN;
1941 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
1942 (seq_no != context->remote_seq + MessageSeqNo))
1943 return SEC_E_OUT_OF_SEQUENCE;
1945 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
1946 return SEC_E_INVALID_TOKEN;
1950 return SEC_E_INVALID_TOKEN;
1953 key = get_key(&context->keyset);
1954 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
1955 return SEC_E_INTERNAL_ERROR;
1956 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
1959 iov[1].data.length = data_buffer->cbBuffer;
1960 iov[2].data.length = 16;
1961 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
1962 return SEC_E_INTERNAL_ERROR;
1965 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
1966 return SEC_E_INVALID_TOKEN;
1967 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
1968 return SEC_E_INVALID_TOKEN;
1971 iov[0].data.data = header + 16 + rrc + ec;
1972 iov[1].data.data = data_buffer->pvBuffer;
1973 iov[2].data.data = header + 16 + ec;
1974 iov[3].data.data = iov[2].data.data + iov[2].data.length;
1975 iov[4].data.data = iov[3].data.data + iov[3].data.length;
1977 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
1978 return SEC_E_INTERNAL_ERROR;
1981 Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
1982 Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
1983 if (memcmp(iov[2].data.data, header, 16) != 0)
1984 return SEC_E_MESSAGE_ALTERED;
1990 return SEC_E_UNSUPPORTED_FUNCTION;
1994 static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(
PCtxtHandle phContext, ULONG fQOP,
1998 KRB_CONTEXT* context = get_context(phContext);
2001 krb5glue_key key = NULL;
2002 krb5_keyusage usage = 0;
2003 char* header = NULL;
2005 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2006 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2007 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2010 return SEC_E_INVALID_HANDLE;
2012 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2013 return SEC_E_UNSUPPORTED_FUNCTION;
2015 KRB_CREDENTIALS* creds = context->credentials;
2017 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2018 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2020 if (!sig_buffer || !data_buffer)
2021 return SEC_E_INVALID_TOKEN;
2023 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2025 key = get_key(&context->keyset);
2027 return SEC_E_INTERNAL_ERROR;
2028 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2030 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2033 iov[0].data.length = data_buffer->cbBuffer;
2034 iov[1].data.length = 16;
2035 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2036 return SEC_E_INTERNAL_ERROR;
2039 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2040 return SEC_E_INSUFFICIENT_MEMORY;
2043 header = sig_buffer->pvBuffer;
2044 Data_Write_UINT16_BE(header, TOK_ID_MIC);
2046 memset(header + 3, 0xFF, 5);
2047 Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2050 iov[0].data.data = data_buffer->pvBuffer;
2051 iov[1].data.data = header;
2052 iov[2].data.data = header + 16;
2054 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2055 return SEC_E_INTERNAL_ERROR;
2057 sig_buffer->cbBuffer = iov[2].data.length + 16;
2061 return SEC_E_UNSUPPORTED_FUNCTION;
2065 static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(
PCtxtHandle phContext,
2067 ULONG MessageSeqNo, ULONG* pfQOP)
2072 krb5glue_key key = NULL;
2073 krb5_keyusage usage = 0;
2074 char* header = NULL;
2076 uint16_t tok_id = 0;
2077 uint64_t seq_no = 0;
2078 krb5_boolean is_valid = 0;
2079 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2080 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2081 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2082 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2084 KRB_CONTEXT* context = get_context(phContext);
2086 return SEC_E_INVALID_HANDLE;
2088 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2089 return SEC_E_UNSUPPORTED_FUNCTION;
2091 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2092 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2094 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2095 return SEC_E_INVALID_TOKEN;
2098 header = sig_buffer->pvBuffer;
2099 Data_Read_UINT16_BE(header, tok_id);
2101 Data_Read_UINT64_BE((header + 8), seq_no);
2104 if (tok_id != TOK_ID_MIC)
2105 return SEC_E_INVALID_TOKEN;
2107 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2108 return SEC_E_INVALID_TOKEN;
2110 if (memcmp(header + 3, cmp_filler,
sizeof(cmp_filler)) != 0)
2111 return SEC_E_INVALID_TOKEN;
2113 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2114 return SEC_E_OUT_OF_SEQUENCE;
2117 key = get_key(&context->keyset);
2118 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2119 return SEC_E_INTERNAL_ERROR;
2120 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2123 KRB_CREDENTIALS* creds = context->credentials;
2124 iov[0].data.length = data_buffer->cbBuffer;
2125 iov[1].data.length = 16;
2126 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2127 return SEC_E_INTERNAL_ERROR;
2129 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2130 return SEC_E_INTERNAL_ERROR;
2133 iov[0].data.data = data_buffer->pvBuffer;
2134 iov[1].data.data = header;
2135 iov[2].data.data = header + 16;
2137 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2139 return SEC_E_INTERNAL_ERROR;
2142 return SEC_E_MESSAGE_ALTERED;
2146 return SEC_E_UNSUPPORTED_FUNCTION;
2153 kerberos_QueryCredentialsAttributesA,
2154 kerberos_AcquireCredentialsHandleA,
2155 kerberos_FreeCredentialsHandle,
2157 kerberos_InitializeSecurityContextA,
2158 kerberos_AcceptSecurityContext,
2160 kerberos_DeleteSecurityContext,
2162 kerberos_QueryContextAttributesA,
2165 kerberos_MakeSignature,
2166 kerberos_VerifySignature,
2176 kerberos_EncryptMessage,
2177 kerberos_DecryptMessage,
2178 kerberos_SetContextAttributesA,
2179 kerberos_SetCredentialsAttributesA,
2185 kerberos_QueryCredentialsAttributesW,
2186 kerberos_AcquireCredentialsHandleW,
2187 kerberos_FreeCredentialsHandle,
2189 kerberos_InitializeSecurityContextW,
2190 kerberos_AcceptSecurityContext,
2192 kerberos_DeleteSecurityContext,
2194 kerberos_QueryContextAttributesW,
2197 kerberos_MakeSignature,
2198 kerberos_VerifySignature,
2208 kerberos_EncryptMessage,
2209 kerberos_DecryptMessage,
2210 kerberos_SetContextAttributesW,
2211 kerberos_SetCredentialsAttributesW,
2214 BOOL KERBEROS_init(
void)
2216 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2217 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2218 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2219 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
1.9.1