FreeRDP
Loading...
Searching...
No Matches
kerberos.c
1
22#include <winpr/config.h>
23#include <winpr/library.h>
24
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
28#include <errno.h>
29#include <fcntl.h>
30#include <ctype.h>
31
32#include <winpr/assert.h>
33#include <winpr/cast.h>
34#include <winpr/asn1.h>
35#include <winpr/crt.h>
36#include <winpr/interlocked.h>
37#include <winpr/sspi.h>
38#include <winpr/print.h>
39#include <winpr/tchar.h>
40#include <winpr/sysinfo.h>
41#include <winpr/registry.h>
42#include <winpr/endian.h>
43#include <winpr/crypto.h>
44#include <winpr/path.h>
45#include <winpr/wtypes.h>
46#include <winpr/winsock.h>
47#include <winpr/schannel.h>
48#include <winpr/secapi.h>
49
50#include "kerberos.h"
51
52#ifdef WITH_KRB5_MIT
53#include "krb5glue.h"
54#include <profile.h>
55#endif
56
57#ifdef WITH_KRB5_HEIMDAL
58#include "krb5glue.h"
59#include <krb5-protos.h>
60#endif
61
62#include "../sspi.h"
63#include "../../log.h"
64
65const SecPkgInfoA KERBEROS_SecPkgInfoA = {
66 0x000F3BBF, /* fCapabilities */
67 1, /* wVersion */
68 0x0010, /* wRPCID */
69 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
70 "Kerberos", /* Name */
71 "Kerberos Security Package" /* Comment */
72};
73
74static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = WINPR_C_ARRAY_INIT;
75static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = WINPR_C_ARRAY_INIT;
76
77const SecPkgInfoW KERBEROS_SecPkgInfoW = {
78 0x000F3BBF, /* fCapabilities */
79 1, /* wVersion */
80 0x0010, /* wRPCID */
81 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
82 KERBEROS_SecPkgInfoW_NameBuffer, /* Name */
83 KERBEROS_SecPkgInfoW_CommentBuffer /* Comment */
84};
85
86#ifdef WITH_KRB5
87#define TAG WINPR_TAG("sspi.Kerberos")
88
89#define KRB_TGT_REQ 16
90#define KRB_TGT_REP 17
91
92enum KERBEROS_STATE
93{
94 KERBEROS_STATE_INITIAL,
95 KERBEROS_STATE_TGT_REQ,
96 KERBEROS_STATE_TGT_REP,
97 KERBEROS_STATE_AP_REQ,
98 KERBEROS_STATE_AP_REP,
99 KERBEROS_STATE_FINAL
100};
101
102typedef struct KRB_CREDENTIALS_st
103{
104 volatile LONG refCount;
105 krb5_context ctx;
106 char* kdc_url;
107 krb5_ccache ccache;
108 krb5_keytab keytab;
109 krb5_keytab client_keytab;
110 BOOL own_ccache;
111} KRB_CREDENTIALS;
112
113struct s_KRB_CONTEXT
114{
115 enum KERBEROS_STATE state;
116 KRB_CREDENTIALS* credentials;
117 krb5_auth_context auth_ctx;
118 BOOL acceptor;
119 uint32_t flags;
120 uint64_t local_seq;
121 uint64_t remote_seq;
122 struct krb5glue_keyset keyset;
123 BOOL u2u;
124 char* targetHost;
125};
126
127static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
128static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
129 (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
130krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
131 const char* file, const char* fkt, size_t line)
132{
133 switch (code)
134 {
135 case 0:
136 case KRB5_KT_END:
137 break;
138 default:
139 {
140 const DWORD level = WLOG_ERROR;
141
142 wLog* log = WLog_Get(TAG);
143 if (WLog_IsLevelActive(log, level))
144 {
145 const char* msg = krb5_get_error_message(ctx, code);
146 WLog_PrintTextMessage(log, level, line, file, fkt, "%s (%s [%d])", what, msg, code);
147 krb5_free_error_message(ctx, msg);
148 }
149 }
150 break;
151 }
152 return code;
153}
154
155void krb_log_context_encryption(krb5_context ctx, krb5_principal princ)
156{
157#if !defined(WITH_KRB5_HEIMDAL)
158 typedef krb5_error_code KRB5_CALLCONV (*krb5_get_etype_info_fn)(
159 krb5_context context, krb5_principal principal, krb5_get_init_creds_opt* opt,
160 krb5_enctype* enctype_out, krb5_data* salt_out, krb5_data* s2kparams_out);
161
162 krb5_get_etype_info_fn fn =
163 GetProcAddressAs(nullptr, "krb5_get_etype_info", krb5_get_etype_info_fn);
164
165 if (fn)
166 {
167 krb5_get_init_creds_opt opt = WINPR_C_ARRAY_INIT;
168 krb5_enctype enctype = 0;
169 krb5_data salt = WINPR_C_ARRAY_INIT;
170 krb5_data s2kparam = WINPR_C_ARRAY_INIT;
171 char buffer[128] = WINPR_C_ARRAY_INIT;
172 krb5_error_code rv = krb_log_exec(fn, ctx, princ, &opt, &enctype, &salt, &s2kparam);
173 krb5_enctype_to_string(enctype, buffer, sizeof(buffer));
174 const char* msg = krb5_get_error_message(ctx, rv);
175
176 WLog_DBG(TAG, "[%s] enctype=%s, salt[%u]=%s, s2kparam[%u]=%s", msg, buffer, salt.length,
177 salt.data, s2kparam.length, s2kparam.data);
178
179 krb5_free_data_contents(ctx, &salt);
180 krb5_free_data_contents(ctx, &s2kparam);
181 krb5_free_error_message(ctx, msg);
182 }
183 else
184#endif
185 {
186 WLog_WARN(TAG,
187 "kerberos implementation does not support 'krb5_get_etype_info', not displaying "
188 "encryption information");
189 }
190}
191
192static void credentials_unref(KRB_CREDENTIALS* credentials);
193
194static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
195{
196 if (!ctx)
197 return;
198
199 free(ctx->targetHost);
200 ctx->targetHost = nullptr;
201
202 if (ctx->credentials)
203 {
204 krb5_context krbctx = ctx->credentials->ctx;
205 if (krbctx)
206 {
207 if (ctx->auth_ctx)
208 krb5_auth_con_free(krbctx, ctx->auth_ctx);
209
210 krb5glue_keys_free(krbctx, &ctx->keyset);
211 }
212
213 credentials_unref(ctx->credentials);
214 }
215
216 if (allocated)
217 free(ctx);
218}
219
220static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
221{
222 KRB_CONTEXT* context = nullptr;
223
224 context = (KRB_CONTEXT*)calloc(1, sizeof(KRB_CONTEXT));
225 if (!context)
226 return nullptr;
227
228 context->credentials = credentials;
229 InterlockedIncrement(&credentials->refCount);
230 return context;
231}
232
233static krb5_error_code krb5_prompter(krb5_context context, void* data,
234 WINPR_ATTR_UNUSED const char* name,
235 WINPR_ATTR_UNUSED const char* banner, int num_prompts,
236 krb5_prompt prompts[])
237{
238 for (int i = 0; i < num_prompts; i++)
239 {
240 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
241 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
242 {
243 prompts[i].reply->data = _strdup((const char*)data);
244
245 const size_t len = strlen((const char*)data);
246 if (len > UINT32_MAX)
247 return KRB5KRB_ERR_GENERIC;
248 prompts[i].reply->length = (UINT32)len;
249 }
250 }
251 return 0;
252}
253
254WINPR_ATTR_NODISCARD static inline krb5glue_key get_key(struct krb5glue_keyset* keyset)
255{
256 return keyset->acceptor_key ? keyset->acceptor_key
257 : keyset->initiator_key ? keyset->initiator_key
258 : keyset->session_key;
259}
260
261static BOOL isValidIPv4(const char* ipAddress)
262{
263 struct sockaddr_in sa = WINPR_C_ARRAY_INIT;
264 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
265 return result != 0;
266}
267
268static BOOL isValidIPv6(const char* ipAddress)
269{
270 struct sockaddr_in6 sa = WINPR_C_ARRAY_INIT;
271 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
272 return result != 0;
273}
274
275static BOOL isValidIP(const char* ipAddress)
276{
277 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
278}
279
280#if defined(WITH_KRB5_MIT)
281WINPR_ATTR_MALLOC(free, 1)
282WINPR_ATTR_NODISCARD
283static char* get_realm_name(krb5_data realm, size_t* plen)
284{
285 WINPR_ASSERT(plen);
286 *plen = 0;
287 if ((realm.length <= 0) || (!realm.data))
288 return nullptr;
289
290 char* name = nullptr;
291 (void)winpr_asprintf(&name, plen, "krbtgt/%*s@%*s", realm.length, realm.data, realm.length,
292 realm.data);
293 return name;
294}
295#elif defined(WITH_KRB5_HEIMDAL)
296WINPR_ATTR_MALLOC(free, 1)
297WINPR_ATTR_NODISCARD
298static char* get_realm_name(Realm realm, size_t* plen)
299{
300 WINPR_ASSERT(plen);
301 *plen = 0;
302 if (!realm)
303 return nullptr;
304
305 char* name = nullptr;
306 (void)winpr_asprintf(&name, plen, "krbtgt/%s@%s", realm, realm);
307 return name;
308}
309#endif
310
311static int build_krbtgt(krb5_context ctx, krb5_principal principal, krb5_principal* ptarget)
312{
313 /* "krbtgt/" + realm + "@" + realm */
314 size_t len = 0;
315 krb5_error_code rv = KRB5_CC_NOMEM;
316
317 char* name = get_realm_name(principal->realm, &len);
318 if (!name || (len == 0))
319 goto fail;
320
321 {
322 krb5_principal target = WINPR_C_ARRAY_INIT;
323 rv = krb5_parse_name(ctx, name, &target);
324 *ptarget = target;
325 }
326fail:
327 free(name);
328 return rv;
329}
330
331#endif /* WITH_KRB5 */
332
333static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
334 WINPR_ATTR_UNUSED SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage,
335 WINPR_ATTR_UNUSED ULONG fCredentialUse, WINPR_ATTR_UNUSED void* pvLogonID,
336 WINPR_ATTR_UNUSED void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn,
337 WINPR_ATTR_UNUSED void* pvGetKeyArgument, WINPR_ATTR_UNUSED PCredHandle phCredential,
338 WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
339{
340#ifdef WITH_KRB5
341 SEC_WINPR_KERBEROS_SETTINGS* krb_settings = nullptr;
342 KRB_CREDENTIALS* credentials = nullptr;
343 krb5_context ctx = nullptr;
344 krb5_ccache ccache = nullptr;
345 krb5_keytab keytab = nullptr;
346 krb5_principal principal = nullptr;
347 char* domain = nullptr;
348 char* username = nullptr;
349 char* password = nullptr;
350 BOOL own_ccache = FALSE;
351 const char* const default_ccache_type = "MEMORY";
352
353 if (pAuthData)
354 {
355 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
356
357 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
358 krb_settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->kerberosSettings);
359
360 if (!sspi_CopyAuthIdentityFieldsA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &username,
361 &domain, &password))
362 {
363 WLog_ERR(TAG, "Failed to copy auth identity fields");
364 goto cleanup;
365 }
366
367 if (!pszPrincipal)
368 pszPrincipal = username;
369 }
370
371 if (krb_log_exec_ptr(krb5_init_context, &ctx))
372 goto cleanup;
373
374 if (domain)
375 {
376 char* udomain = _strdup(domain);
377 if (!udomain)
378 goto cleanup;
379
380 CharUpperA(udomain);
381 /* Will use domain if realm is not specified in username */
382 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
383 free(udomain);
384
385 if (rv)
386 goto cleanup;
387 }
388
389 if (pszPrincipal)
390 {
391 char* cpszPrincipal = _strdup(pszPrincipal);
392 if (!cpszPrincipal)
393 goto cleanup;
394
395 /* Find realm component if included and convert to uppercase */
396 char* p = strchr(cpszPrincipal, '@');
397 if (p)
398 CharUpperA(p);
399
400 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
401 free(cpszPrincipal);
402
403 if (rv)
404 goto cleanup;
405 WINPR_ASSERT(principal);
406 }
407
408 if (krb_settings && krb_settings->cache)
409 {
410 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
411 goto cleanup;
412 }
413 else
414 own_ccache = TRUE;
415
416 if (principal)
417 {
418 /* Use the default cache if it's initialized with the right principal */
419 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
420 {
421 if (own_ccache)
422 {
423 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, nullptr, &ccache))
424 goto cleanup;
425 }
426 else
427 {
428 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
429 goto cleanup;
430 }
431
432 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
433 goto cleanup;
434 }
435 else
436 {
437 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
438 goto cleanup;
439 own_ccache = FALSE;
440 }
441 WINPR_ASSERT(ccache);
442 }
443 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
444 {
445 /* Use the default cache with it's default principal */
446 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
447 goto cleanup;
448 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
449 goto cleanup;
450 WINPR_ASSERT(ccache);
451 own_ccache = FALSE;
452 }
453 else
454 {
455 if (own_ccache)
456 {
457 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, nullptr, &ccache))
458 goto cleanup;
459 }
460 else
461 {
462 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
463 goto cleanup;
464 }
465 WINPR_ASSERT(ccache);
466 }
467
468 if (krb_settings && krb_settings->keytab)
469 {
470 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
471 goto cleanup;
472 }
473 else
474 {
475 if (fCredentialUse & SECPKG_CRED_INBOUND)
476 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
477 goto cleanup;
478 }
479
480 /* Get initial credentials if required */
481 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
482 {
483 krb5_creds creds = WINPR_C_ARRAY_INIT;
484 krb5_creds matchCreds = WINPR_C_ARRAY_INIT;
485 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
486
487 krb5_timeofday(ctx, &matchCreds.times.endtime);
488 matchCreds.times.endtime += 60;
489 matchCreds.client = principal;
490
491 WINPR_ASSERT(principal);
492 WINPR_ASSERT(ctx);
493 WINPR_ASSERT(ccache);
494 if (krb_log_exec(build_krbtgt, ctx, principal, &matchCreds.server))
495 goto cleanup;
496
497 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
498 krb5_free_principal(ctx, matchCreds.server);
499 krb5_free_cred_contents(ctx, &creds);
500 if (rv)
501 {
502 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
503 password, krb_settings))
504 goto cleanup;
505 }
506 }
507
508 credentials = calloc(1, sizeof(KRB_CREDENTIALS));
509 if (!credentials)
510 goto cleanup;
511 credentials->refCount = 1;
512 credentials->ctx = ctx;
513 credentials->ccache = ccache;
514 credentials->keytab = keytab;
515 credentials->own_ccache = own_ccache;
516
517cleanup:
518
519 free(domain);
520 free(username);
521 free(password);
522
523 if (principal)
524 krb5_free_principal(ctx, principal);
525 if (ctx)
526 {
527 if (!credentials)
528 {
529 if (ccache)
530 {
531 if (own_ccache)
532 krb5_cc_destroy(ctx, ccache);
533 else
534 krb5_cc_close(ctx, ccache);
535 }
536 if (keytab)
537 krb5_kt_close(ctx, keytab);
538
539 krb5_free_context(ctx);
540 }
541 }
542
543 /* If we managed to get credentials set the output */
544 if (credentials)
545 {
546 sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials);
547 sspi_SecureHandleSetUpperPointer(phCredential, (void*)KERBEROS_SSP_NAME);
548 return SEC_E_OK;
549 }
550
551 return SEC_E_NO_CREDENTIALS;
552#else
553 return SEC_E_UNSUPPORTED_FUNCTION;
554#endif
555}
556
557static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
558 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
559 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
560 PTimeStamp ptsExpiry)
561{
562 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
563 char* principal = nullptr;
564 char* package = nullptr;
565
566 if (pszPrincipal)
567 {
568 principal = ConvertWCharToUtf8Alloc(pszPrincipal, nullptr);
569 if (!principal)
570 goto fail;
571 }
572 if (pszPackage)
573 {
574 package = ConvertWCharToUtf8Alloc(pszPackage, nullptr);
575 if (!package)
576 goto fail;
577 }
578
579 status =
580 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
581 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
582
583fail:
584 free(principal);
585 free(package);
586
587 return status;
588}
589
590#ifdef WITH_KRB5
591static void credentials_unref(KRB_CREDENTIALS* credentials)
592{
593 WINPR_ASSERT(credentials);
594
595 if (InterlockedDecrement(&credentials->refCount))
596 return;
597
598 free(credentials->kdc_url);
599
600 if (credentials->ccache)
601 {
602 if (credentials->own_ccache)
603 krb5_cc_destroy(credentials->ctx, credentials->ccache);
604 else
605 krb5_cc_close(credentials->ctx, credentials->ccache);
606 }
607 if (credentials->keytab)
608 krb5_kt_close(credentials->ctx, credentials->keytab);
609
610 krb5_free_context(credentials->ctx);
611 free(credentials);
612}
613#endif
614
615static SECURITY_STATUS
616 SEC_ENTRY kerberos_FreeCredentialsHandle(WINPR_ATTR_UNUSED PCredHandle phCredential)
617{
618#ifdef WITH_KRB5
619 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
620 sspi_SecureHandleInvalidate(phCredential);
621 if (!credentials)
622 return SEC_E_INVALID_HANDLE;
623
624 credentials_unref(credentials);
625
626 return SEC_E_OK;
627#else
628 return SEC_E_UNSUPPORTED_FUNCTION;
629#endif
630}
631
632static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
633 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
634 WINPR_ATTR_UNUSED void* pBuffer)
635{
636#ifdef WITH_KRB5
637 switch (ulAttribute)
638 {
639 case SECPKG_CRED_ATTR_NAMES:
640 return SEC_E_OK;
641 default:
642 WLog_ERR(TAG, "TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
643 ulAttribute);
644 return SEC_E_UNSUPPORTED_FUNCTION;
645 }
646
647#else
648 return SEC_E_UNSUPPORTED_FUNCTION;
649#endif
650}
651
652static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential,
653 ULONG ulAttribute,
654 void* pBuffer)
655{
656 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
657}
658
659#ifdef WITH_KRB5
660
661static BOOL kerberos_mk_tgt_token(SecBuffer* buf, int msg_type, char* sname, char* host,
662 const krb5_data* ticket)
663{
664 WinPrAsn1Encoder* enc = nullptr;
665 WinPrAsn1_MemoryChunk data;
666 wStream s;
667 size_t len = 0;
668 sspi_gss_data token;
669 BOOL ret = FALSE;
670
671 WINPR_ASSERT(buf);
672
673 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
674 return FALSE;
675 if (msg_type == KRB_TGT_REP && !ticket)
676 return FALSE;
677
678 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
679 if (!enc)
680 return FALSE;
681
682 /* KERB-TGT-REQUEST (SEQUENCE) */
683 if (!WinPrAsn1EncSeqContainer(enc))
684 goto cleanup;
685
686 /* pvno [0] INTEGER */
687 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
688 goto cleanup;
689
690 /* msg-type [1] INTEGER */
691 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
692 goto cleanup;
693
694 if (msg_type == KRB_TGT_REQ && sname)
695 {
696 /* server-name [2] PrincipalName (SEQUENCE) */
697 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
698 goto cleanup;
699
700 /* name-type [0] INTEGER */
701 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
702 goto cleanup;
703
704 /* name-string [1] SEQUENCE OF GeneralString */
705 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
706 goto cleanup;
707
708 if (!WinPrAsn1EncGeneralString(enc, sname))
709 goto cleanup;
710
711 if (host && !WinPrAsn1EncGeneralString(enc, host))
712 goto cleanup;
713
714 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
715 goto cleanup;
716 }
717 else if (msg_type == KRB_TGT_REP)
718 {
719 /* ticket [2] Ticket */
720 data.data = (BYTE*)ticket->data;
721 data.len = ticket->length;
722 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
723 goto cleanup;
724 }
725
726 if (!WinPrAsn1EncEndContainer(enc))
727 goto cleanup;
728
729 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
730 goto cleanup;
731
732 Stream_StaticInit(&s, buf->pvBuffer, len);
733 if (!WinPrAsn1EncToStream(enc, &s))
734 goto cleanup;
735
736 token.data = buf->pvBuffer;
737 token.length = (UINT)len;
738 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
739 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
740 ret = TRUE;
741
742cleanup:
743 WinPrAsn1Encoder_Free(&enc);
744 return ret;
745}
746
747static BOOL append(char* dst, size_t dstSize, const char* src)
748{
749 const size_t dlen = strnlen(dst, dstSize);
750 const size_t slen = strlen(src);
751 if (dlen + slen >= dstSize)
752 return FALSE;
753 if (!strncat(dst, src, dstSize - dlen))
754 return FALSE;
755 return TRUE;
756}
757
758static BOOL kerberos_rd_tgt_req_tag2(WinPrAsn1Decoder* dec, char* buf, size_t len)
759{
760 BOOL rc = FALSE;
761 WinPrAsn1Decoder seq = WinPrAsn1Decoder_init();
762
763 /* server-name [2] PrincipalName (SEQUENCE) */
764 if (!WinPrAsn1DecReadSequence(dec, &seq))
765 goto end;
766
767 /* name-type [0] INTEGER */
768 {
769 BOOL error = FALSE;
770 {
771 WinPrAsn1_INTEGER val = 0;
772 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
773 goto end;
774 }
775
776 /* name-string [1] SEQUENCE OF GeneralString */
777 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
778 goto end;
779 }
780
781 {
782 WinPrAsn1_tag tag = 0;
783 BOOL first = TRUE;
784 while (WinPrAsn1DecPeekTag(dec, &tag))
785 {
786 BOOL success = FALSE;
787 char* lstr = nullptr;
788 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
789 goto fail;
790
791 if (!first)
792 {
793 if (!append(buf, len, "/"))
794 goto fail;
795 }
796 first = FALSE;
797
798 if (!append(buf, len, lstr))
799 goto fail;
800
801 success = TRUE;
802 fail:
803 free(lstr);
804 if (!success)
805 goto end;
806 }
807 }
808
809 rc = TRUE;
810end:
811 return rc;
812}
813
814static BOOL kerberos_rd_tgt_req_tag3(WinPrAsn1Decoder* dec, char* buf, size_t len)
815{
816 /* realm [3] Realm */
817 BOOL rc = FALSE;
818 WinPrAsn1_STRING str = nullptr;
819 if (!WinPrAsn1DecReadGeneralString(dec, &str))
820 goto end;
821
822 if (!append(buf, len, "@"))
823 goto end;
824 if (!append(buf, len, str))
825 goto end;
826
827 rc = TRUE;
828end:
829 free(str);
830 return rc;
831}
832
833static BOOL kerberos_rd_tgt_req(WinPrAsn1Decoder* dec, char** target)
834{
835 BOOL rc = FALSE;
836
837 if (!target)
838 return FALSE;
839 *target = nullptr;
840
841 wStream s = WinPrAsn1DecGetStream(dec);
842 const size_t len = Stream_Length(&s);
843 if (len == 0)
844 return TRUE;
845
846 WinPrAsn1Decoder dec2 = WinPrAsn1Decoder_init();
847 WinPrAsn1_tagId tag = 0;
848 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
849 return FALSE;
850
851 char* buf = calloc(len + 1, sizeof(char));
852 if (!buf)
853 return FALSE;
854
855 /* We expect ASN1 context tag values 2 or 3.
856 *
857 * In case we got value 2 an (optional) context tag value 3 might follow.
858 */
859 BOOL checkForTag3 = TRUE;
860 if (tag == 2)
861 {
862 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
863 if (rc)
864 {
865 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
866 if (res == 0)
867 checkForTag3 = FALSE;
868 }
869 }
870
871 if (checkForTag3)
872 {
873 if (tag == 3)
874 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
875 else
876 rc = FALSE;
877 }
878
879 if (rc)
880 *target = buf;
881 else
882 free(buf);
883 return rc;
884}
885
886static BOOL kerberos_rd_tgt_rep(WinPrAsn1Decoder* dec, krb5_data* ticket)
887{
888 if (!ticket)
889 return FALSE;
890
891 /* ticket [2] Ticket */
892 WinPrAsn1Decoder asnTicket = WinPrAsn1Decoder_init();
893 WinPrAsn1_tagId tag = 0;
894 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
895 return FALSE;
896
897 if (tag != 2)
898 return FALSE;
899
900 wStream s = WinPrAsn1DecGetStream(&asnTicket);
901 ticket->data = Stream_BufferAs(&s, char);
902
903 const size_t len = Stream_Length(&s);
904 if (len > UINT32_MAX)
905 return FALSE;
906 ticket->length = (UINT32)len;
907 return TRUE;
908}
909
910static BOOL kerberos_rd_tgt_token(const sspi_gss_data* token, char** target, krb5_data* ticket)
911{
912 BOOL error = 0;
913 WinPrAsn1_INTEGER val = 0;
914
915 WINPR_ASSERT(token);
916
917 if (target)
918 *target = nullptr;
919
920 WinPrAsn1Decoder der = WinPrAsn1Decoder_init();
921 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
922
923 /* KERB-TGT-REQUEST (SEQUENCE) */
924 WinPrAsn1Decoder seq = WinPrAsn1Decoder_init();
925 if (!WinPrAsn1DecReadSequence(&der, &seq))
926 return FALSE;
927
928 /* pvno [0] INTEGER */
929 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
930 return FALSE;
931
932 /* msg-type [1] INTEGER */
933 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
934 return FALSE;
935
936 switch (val)
937 {
938 case KRB_TGT_REQ:
939 return kerberos_rd_tgt_req(&seq, target);
940 case KRB_TGT_REP:
941 return kerberos_rd_tgt_rep(&seq, ticket);
942 default:
943 break;
944 }
945 return FALSE;
946}
947
948static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5, SEC_CHANNEL_BINDINGS* bindings)
949{
950 BYTE buf[4];
951
952 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
953 if (!winpr_Digest_Update(md5, buf, 4))
954 return FALSE;
955
956 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
957 if (!winpr_Digest_Update(md5, buf, 4))
958 return FALSE;
959
960 if (bindings->cbInitiatorLength &&
961 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
962 bindings->cbInitiatorLength))
963 return FALSE;
964
965 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
966 if (!winpr_Digest_Update(md5, buf, 4))
967 return FALSE;
968
969 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
970 if (!winpr_Digest_Update(md5, buf, 4))
971 return FALSE;
972
973 if (bindings->cbAcceptorLength &&
974 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
975 bindings->cbAcceptorLength))
976 return FALSE;
977
978 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
979 if (!winpr_Digest_Update(md5, buf, 4))
980 return FALSE;
981
982 if (bindings->cbApplicationDataLength &&
983 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
984 bindings->cbApplicationDataLength))
985 return FALSE;
986
987 return TRUE;
988}
989
990#endif /* WITH_KRB5 */
991
992static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
993 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED PCtxtHandle phContext,
994 WINPR_ATTR_UNUSED SEC_CHAR* pszTargetName, WINPR_ATTR_UNUSED ULONG fContextReq,
995 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep,
996 WINPR_ATTR_UNUSED PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG Reserved2,
997 WINPR_ATTR_UNUSED PCtxtHandle phNewContext, WINPR_ATTR_UNUSED PSecBufferDesc pOutput,
998 WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
999{
1000#ifdef WITH_KRB5
1001 PSecBuffer input_buffer = nullptr;
1002 PSecBuffer output_buffer = nullptr;
1003 PSecBuffer bindings_buffer = nullptr;
1004 WINPR_DIGEST_CTX* md5 = nullptr;
1005 char* target = nullptr;
1006 char* sname = nullptr;
1007 char* host = nullptr;
1008 krb5_data input_token = WINPR_C_ARRAY_INIT;
1009 krb5_data output_token = WINPR_C_ARRAY_INIT;
1010 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1011 WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT;
1012 uint16_t tok_id = 0;
1013 krb5_ap_rep_enc_part* reply = nullptr;
1014 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
1015 char cksum_contents[24] = WINPR_C_ARRAY_INIT;
1016 krb5_data cksum = WINPR_C_ARRAY_INIT;
1017 krb5_creds in_creds = WINPR_C_ARRAY_INIT;
1018 krb5_creds* creds = nullptr;
1019 BOOL isNewContext = FALSE;
1020 KRB_CONTEXT* context = nullptr;
1021 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1022
1023 /* behave like windows SSPIs that don't want empty context */
1024 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1025 return SEC_E_INVALID_HANDLE;
1026
1027 context = sspi_SecureHandleGetLowerPointer(phContext);
1028
1029 if (!credentials)
1030 return SEC_E_NO_CREDENTIALS;
1031
1032 if (pInput)
1033 {
1034 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1035 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
1036 }
1037 if (pOutput)
1038 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1039
1040 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
1041 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
1042
1043 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1044 ap_flags |= AP_OPTS_USE_SESSION_KEY;
1045
1046 /* Split target name into service/hostname components */
1047 if (pszTargetName)
1048 {
1049 target = _strdup(pszTargetName);
1050 if (!target)
1051 {
1052 status = SEC_E_INSUFFICIENT_MEMORY;
1053 goto cleanup;
1054 }
1055 host = strchr(target, '/');
1056 if (host)
1057 {
1058 *host++ = 0;
1059 sname = target;
1060 }
1061 else
1062 host = target;
1063 if (isValidIP(host))
1064 {
1065 status = SEC_E_NO_CREDENTIALS;
1066 goto cleanup;
1067 }
1068 }
1069
1070 if (!context)
1071 {
1072 context = kerberos_ContextNew(credentials);
1073 if (!context)
1074 {
1075 status = SEC_E_INSUFFICIENT_MEMORY;
1076 goto cleanup;
1077 }
1078
1079 isNewContext = TRUE;
1080
1081 if (host)
1082 context->targetHost = _strdup(host);
1083 if (!context->targetHost)
1084 {
1085 status = SEC_E_INSUFFICIENT_MEMORY;
1086 goto cleanup;
1087 }
1088
1089 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1090 {
1091 context->state = KERBEROS_STATE_TGT_REQ;
1092 context->u2u = TRUE;
1093 }
1094 else
1095 context->state = KERBEROS_STATE_AP_REQ;
1096 }
1097 else
1098 {
1099 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1100 goto bad_token;
1101 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1102 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1103 goto bad_token;
1104 }
1105
1106 /* SSPI flags are compatible with GSS flags except INTEG_FLAG */
1107 context->flags |= (fContextReq & 0x1F);
1108 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1109 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1110
1111 switch (context->state)
1112 {
1113 case KERBEROS_STATE_TGT_REQ:
1114
1115 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, nullptr))
1116 goto cleanup;
1117
1118 context->state = KERBEROS_STATE_TGT_REP;
1119 status = SEC_I_CONTINUE_NEEDED;
1120 break;
1121
1122 case KERBEROS_STATE_TGT_REP:
1123
1124 if (tok_id != TOK_ID_TGT_REP)
1125 goto bad_token;
1126
1127 if (!kerberos_rd_tgt_token(&input_token, nullptr, &in_creds.second_ticket))
1128 goto bad_token;
1129
1130 /* Continue to AP-REQ */
1131 /* fallthrough */
1132 WINPR_FALLTHROUGH
1133
1134 case KERBEROS_STATE_AP_REQ:
1135
1136 /* Set auth_context options */
1137 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1138 goto cleanup;
1139 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1140 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1141 goto cleanup;
1142 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1143 GSS_CHECKSUM_TYPE))
1144 goto cleanup;
1145
1146 /* Get a service ticket */
1147 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1148 KRB5_NT_SRV_HST, &in_creds.server))
1149 goto cleanup;
1150
1151 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1152 &in_creds.client))
1153 {
1154 status = SEC_E_WRONG_PRINCIPAL;
1155 goto cleanup;
1156 }
1157
1158 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1159 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1160 &creds))
1161 {
1162 status = SEC_E_NO_CREDENTIALS;
1163 goto cleanup;
1164 }
1165
1166 /* Write the checksum (delegation not implemented) */
1167 cksum.data = cksum_contents;
1168 cksum.length = sizeof(cksum_contents);
1169 winpr_Data_Write_UINT32(cksum_contents, 16);
1170 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1171
1172 if (bindings_buffer)
1173 {
1174 SEC_CHANNEL_BINDINGS* bindings = bindings_buffer->pvBuffer;
1175
1176 /* Sanity checks */
1177 if (bindings_buffer->cbBuffer < sizeof(SEC_CHANNEL_BINDINGS) ||
1178 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1179 bindings_buffer->cbBuffer ||
1180 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1181 bindings_buffer->cbBuffer ||
1182 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1183 bindings_buffer->cbBuffer)
1184 {
1185 status = SEC_E_BAD_BINDINGS;
1186 goto cleanup;
1187 }
1188
1189 md5 = winpr_Digest_New();
1190 if (!md5)
1191 goto cleanup;
1192
1193 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1194 goto cleanup;
1195
1196 if (!kerberos_hash_channel_bindings(md5, bindings))
1197 goto cleanup;
1198
1199 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1200 goto cleanup;
1201 }
1202
1203 /* Make the AP_REQ message */
1204 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1205 &cksum, creds, &output_token))
1206 goto cleanup;
1207
1208 if (!sspi_gss_wrap_token(output_buffer,
1209 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1210 TOK_ID_AP_REQ, &output_token))
1211 goto cleanup;
1212
1213 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1214 {
1215 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1216 context->auth_ctx, (INT32*)&context->local_seq))
1217 goto cleanup;
1218 context->remote_seq ^= context->local_seq;
1219 }
1220
1221 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1222 &context->keyset))
1223 goto cleanup;
1224
1225 context->state = KERBEROS_STATE_AP_REP;
1226
1227 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1228 status = SEC_I_CONTINUE_NEEDED;
1229 else
1230 status = SEC_E_OK;
1231 break;
1232
1233 case KERBEROS_STATE_AP_REP:
1234
1235 if (tok_id == TOK_ID_AP_REP)
1236 {
1237 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1238 &reply))
1239 goto cleanup;
1240 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1241 }
1242 else if (tok_id == TOK_ID_ERROR)
1243 {
1244 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1245 goto cleanup;
1246 }
1247 else
1248 goto bad_token;
1249
1250 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1251 {
1252 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1253 context->auth_ctx, (INT32*)&context->remote_seq))
1254 goto cleanup;
1255 }
1256
1257 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1258 &context->keyset))
1259 goto cleanup;
1260
1261 context->state = KERBEROS_STATE_FINAL;
1262
1263 if (output_buffer)
1264 output_buffer->cbBuffer = 0;
1265 status = SEC_E_OK;
1266 break;
1267
1268 case KERBEROS_STATE_FINAL:
1269 default:
1270 WLog_ERR(TAG, "Kerberos in invalid state!");
1271 goto cleanup;
1272 }
1273
1274cleanup:
1275{
1276 /* second_ticket is not allocated */
1277 krb5_data edata = WINPR_C_ARRAY_INIT;
1278 in_creds.second_ticket = edata;
1279 krb5_free_cred_contents(credentials->ctx, &in_creds);
1280}
1281
1282 krb5_free_creds(credentials->ctx, creds);
1283 if (output_token.data)
1284 krb5glue_free_data_contents(credentials->ctx, &output_token);
1285
1286 winpr_Digest_Free(md5);
1287
1288 free(target);
1289
1290 if (isNewContext)
1291 {
1292 switch (status)
1293 {
1294 case SEC_E_OK:
1295 case SEC_I_CONTINUE_NEEDED:
1296 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1297 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1298 break;
1299 default:
1300 kerberos_ContextFree(context, TRUE);
1301 sspi_SecureHandleInvalidate(phNewContext);
1302 break;
1303 }
1304 }
1305
1306 return status;
1307
1308bad_token:
1309 status = SEC_E_INVALID_TOKEN;
1310 goto cleanup;
1311#else
1312 return SEC_E_UNSUPPORTED_FUNCTION;
1313#endif /* WITH_KRB5 */
1314}
1315
1316static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1317 PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
1318 ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
1319 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, PTimeStamp ptsExpiry)
1320{
1321 SECURITY_STATUS status = 0;
1322 char* target_name = nullptr;
1323
1324 if (pszTargetName)
1325 {
1326 target_name = ConvertWCharToUtf8Alloc(pszTargetName, nullptr);
1327 if (!target_name)
1328 return SEC_E_INSUFFICIENT_MEMORY;
1329 }
1330
1331 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1332 Reserved1, TargetDataRep, pInput, Reserved2,
1333 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1334
1335 if (target_name)
1336 free(target_name);
1337
1338 return status;
1339}
1340
1341#ifdef WITH_KRB5
1342static BOOL retrieveTgtForPrincipal(KRB_CREDENTIALS* credentials, krb5_principal principal,
1343 krb5_creds* creds)
1344{
1345 BOOL ret = FALSE;
1346 krb5_kt_cursor cur = WINPR_C_ARRAY_INIT;
1347 krb5_keytab_entry entry = WINPR_C_ARRAY_INIT;
1348 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1349 goto cleanup;
1350
1351 do
1352 {
1353 krb5_error_code rv =
1354 krb_log_exec(krb5_kt_next_entry, credentials->ctx, credentials->keytab, &entry, &cur);
1355 if (rv == KRB5_KT_END)
1356 break;
1357 if (rv != 0)
1358 goto cleanup;
1359
1360 if (krb5_principal_compare(credentials->ctx, principal, entry.principal))
1361 break;
1362 rv = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);
1363 memset(&entry, 0, sizeof(entry));
1364 if (rv)
1365 goto cleanup;
1366 } while (1);
1367
1368 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1369 goto cleanup;
1370
1371 if (!entry.principal)
1372 goto cleanup;
1373
1374 /* Get the TGT */
1375 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, creds, entry.principal,
1376 credentials->keytab, 0, nullptr, nullptr))
1377 goto cleanup;
1378
1379 ret = TRUE;
1380
1381cleanup:
1382 return ret;
1383}
1384
1385static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, krb5_creds* creds)
1386{
1387 BOOL ret = TRUE;
1388 krb5_principal target_princ = WINPR_C_ARRAY_INIT;
1389 char* default_realm = nullptr;
1390
1391 krb5_error_code rv =
1392 krb_log_exec(krb5_parse_name_flags, credentials->ctx, target, 0, &target_princ);
1393 if (rv)
1394 return FALSE;
1395
1396#if defined(WITH_KRB5_HEIMDAL)
1397 if (!target_princ->realm)
1398 {
1399 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1400 if (rv)
1401 goto out;
1402
1403 target_princ->realm = default_realm;
1404 }
1405#else
1406 if (!target_princ->realm.length)
1407 {
1408 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1409 if (rv)
1410 goto out;
1411
1412 target_princ->realm.data = default_realm;
1413 target_princ->realm.length = (unsigned int)strlen(default_realm);
1414 }
1415#endif
1416
1417 /*
1418 * First try with the account service. We were requested with something like
1419 * TERMSRV/<host>@<realm>, let's see if we have that in our keytab and if we're able
1420 * to retrieve a TGT with that entry
1421 *
1422 */
1423 if (retrieveTgtForPrincipal(credentials, target_princ, creds))
1424 goto out;
1425
1426 ret = FALSE;
1427
1428#if defined(WITH_KRB5_MIT)
1429 /*
1430 * if it's not working let's try with <host>$@<REALM> (note the dollar)
1431 */
1432 {
1433 char hostDollar[300] = WINPR_C_ARRAY_INIT;
1434 if (target_princ->length < 2)
1435 goto out;
1436
1437 (void)snprintf(hostDollar, sizeof(hostDollar) - 1, "%s$@%s", target_princ->data[1].data,
1438 target_princ->realm.data);
1439 krb5_free_principal(credentials->ctx, target_princ);
1440
1441 rv = krb_log_exec(krb5_parse_name_flags, credentials->ctx, hostDollar, 0, &target_princ);
1442 if (rv)
1443 return FALSE;
1444 }
1445 ret = retrieveTgtForPrincipal(credentials, target_princ, creds);
1446#endif
1447
1448out:
1449 if (default_realm)
1450 krb5_free_default_realm(credentials->ctx, default_realm);
1451
1452 krb5_free_principal(credentials->ctx, target_princ);
1453 return ret;
1454}
1455#endif
1456
1457static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1458 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED PCtxtHandle phContext,
1459 WINPR_ATTR_UNUSED PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG fContextReq,
1460 WINPR_ATTR_UNUSED ULONG TargetDataRep, WINPR_ATTR_UNUSED PCtxtHandle phNewContext,
1461 WINPR_ATTR_UNUSED PSecBufferDesc pOutput, WINPR_ATTR_UNUSED ULONG* pfContextAttr,
1462 WINPR_ATTR_UNUSED PTimeStamp ptsExpity)
1463{
1464#ifdef WITH_KRB5
1465 BOOL isNewContext = FALSE;
1466 PSecBuffer input_buffer = nullptr;
1467 PSecBuffer output_buffer = nullptr;
1468 WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT;
1469 uint16_t tok_id = 0;
1470 krb5_data input_token = WINPR_C_ARRAY_INIT;
1471 krb5_data output_token = WINPR_C_ARRAY_INIT;
1472 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1473 krb5_flags ap_flags = 0;
1474 krb5glue_authenticator authenticator = nullptr;
1475 char* target = nullptr;
1476 krb5_keytab_entry entry = WINPR_C_ARRAY_INIT;
1477 krb5_creds creds = WINPR_C_ARRAY_INIT;
1478
1479 /* behave like windows SSPIs that don't want empty context */
1480 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1481 return SEC_E_INVALID_HANDLE;
1482
1483 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1484 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1485
1486 if (pInput)
1487 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1488 if (pOutput)
1489 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1490
1491 if (!input_buffer)
1492 return SEC_E_INVALID_TOKEN;
1493
1494 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1495 return SEC_E_INVALID_TOKEN;
1496
1497 if (!context)
1498 {
1499 isNewContext = TRUE;
1500 context = kerberos_ContextNew(credentials);
1501 context->acceptor = TRUE;
1502
1503 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1504 {
1505 context->u2u = TRUE;
1506 context->state = KERBEROS_STATE_TGT_REQ;
1507 }
1508 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1509 context->state = KERBEROS_STATE_AP_REQ;
1510 else
1511 goto bad_token;
1512 }
1513 else
1514 {
1515 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1516 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1517 goto bad_token;
1518 }
1519
1520 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1521 {
1522 if (!kerberos_rd_tgt_token(&input_token, &target, nullptr))
1523 goto bad_token;
1524
1525 if (!retrieveSomeTgt(credentials, target, &creds))
1526 goto cleanup;
1527
1528 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, nullptr, nullptr, &creds.ticket))
1529 goto cleanup;
1530
1531 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1532 goto cleanup;
1533
1534 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1535 &krb5glue_creds_getkey(creds)))
1536 goto cleanup;
1537
1538 context->state = KERBEROS_STATE_AP_REQ;
1539 }
1540 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1541 {
1542 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, nullptr,
1543 credentials->keytab, &ap_flags, nullptr))
1544 goto cleanup;
1545
1546 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1547 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1548 goto cleanup;
1549
1550 /* Retrieve and validate the checksum */
1551 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1552 &authenticator))
1553 goto cleanup;
1554 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1555 &context->flags))
1556 goto bad_token;
1557
1558 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1559 {
1560 if (!output_buffer)
1561 goto bad_token;
1562 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1563 goto cleanup;
1564 if (!sspi_gss_wrap_token(output_buffer,
1565 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1566 TOK_ID_AP_REP, &output_token))
1567 goto cleanup;
1568 }
1569 else
1570 {
1571 if (output_buffer)
1572 output_buffer->cbBuffer = 0;
1573 }
1574
1575 *pfContextAttr = (context->flags & 0x1F);
1576 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1577 *pfContextAttr |= ASC_RET_INTEGRITY;
1578
1579 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1580 {
1581 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1582 (INT32*)&context->local_seq))
1583 goto cleanup;
1584 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1585 (INT32*)&context->remote_seq))
1586 goto cleanup;
1587 }
1588
1589 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1590 &context->keyset))
1591 goto cleanup;
1592
1593 context->state = KERBEROS_STATE_FINAL;
1594 }
1595 else
1596 goto bad_token;
1597
1598 /* On first call allocate new context */
1599 if (context->state == KERBEROS_STATE_FINAL)
1600 status = SEC_E_OK;
1601 else
1602 status = SEC_I_CONTINUE_NEEDED;
1603
1604cleanup:
1605 free(target);
1606 if (output_token.data)
1607 krb5glue_free_data_contents(credentials->ctx, &output_token);
1608 if (entry.principal)
1609 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1610
1611 if (isNewContext)
1612 {
1613 switch (status)
1614 {
1615 case SEC_E_OK:
1616 case SEC_I_CONTINUE_NEEDED:
1617 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1618 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1619 break;
1620 default:
1621 kerberos_ContextFree(context, TRUE);
1622 sspi_SecureHandleInvalidate(phNewContext);
1623 break;
1624 }
1625 }
1626
1627 return status;
1628
1629bad_token:
1630 status = SEC_E_INVALID_TOKEN;
1631 goto cleanup;
1632#else
1633 return SEC_E_UNSUPPORTED_FUNCTION;
1634#endif /* WITH_KRB5 */
1635}
1636
1637#ifdef WITH_KRB5
1638static KRB_CONTEXT* get_context(PCtxtHandle phContext)
1639{
1640 if (!phContext)
1641 return nullptr;
1642
1643 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1644 if (!name)
1645 return nullptr;
1646
1647 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1648 return nullptr;
1649 return sspi_SecureHandleGetLowerPointer(phContext);
1650}
1651
1652static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1653{
1654 WINPR_ASSERT(data);
1655 WINPR_ASSERT(ptr);
1656 WINPR_ASSERT(psize);
1657
1658 *ptr = (PUCHAR)malloc(data->length);
1659 if (!*ptr)
1660 return FALSE;
1661
1662 *psize = data->length;
1663 memcpy(*ptr, data->data, data->length);
1664 return TRUE;
1665}
1666#endif
1667
1668static SECURITY_STATUS
1669 SEC_ENTRY kerberos_DeleteSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
1670{
1671#ifdef WITH_KRB5
1672 KRB_CONTEXT* context = get_context(phContext);
1673 sspi_SecureHandleInvalidate(phContext);
1674 if (!context)
1675 return SEC_E_INVALID_HANDLE;
1676
1677 kerberos_ContextFree(context, TRUE);
1678
1679 return SEC_E_OK;
1680#else
1681 return SEC_E_UNSUPPORTED_FUNCTION;
1682#endif
1683}
1684
1685#ifdef WITH_KRB5
1686
1687static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1688{
1689 switch (code)
1690 {
1691 case 0:
1692 return SEC_E_OK;
1693 default:
1694 return SEC_E_INTERNAL_ERROR;
1695 }
1696}
1697
1698static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1699 SecPkgContext_Sizes* ContextSizes)
1700{
1701 UINT header = 0;
1702 UINT pad = 0;
1703 UINT trailer = 0;
1704 krb5glue_key key = nullptr;
1705
1706 WINPR_ASSERT(context);
1707 WINPR_ASSERT(context->auth_ctx);
1708
1709 /* The MaxTokenSize by default is 12,000 bytes. This has been the default value
1710 * since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2.
1711 * For Windows Server 2012, the default value of the MaxTokenSize registry
1712 * entry is 48,000 bytes.*/
1713 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1714 ContextSizes->cbMaxSignature = 0;
1715 ContextSizes->cbBlockSize = 1;
1716 ContextSizes->cbSecurityTrailer = 0;
1717
1718 key = get_key(&context->keyset);
1719
1720 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1721 {
1722 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1723 KRB5_CRYPTO_TYPE_HEADER, &header);
1724 if (rv)
1725 return krb5_error_to_SECURITY_STATUS(rv);
1726
1727 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1728 &pad);
1729 if (rv)
1730 return krb5_error_to_SECURITY_STATUS(rv);
1731
1732 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1733 &trailer);
1734 if (rv)
1735 return krb5_error_to_SECURITY_STATUS(rv);
1736
1737 /* GSS header (= 16 bytes) + encrypted header = 32 bytes */
1738 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1739 }
1740
1741 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1742 {
1743 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1744 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1745 if (rv)
1746 return krb5_error_to_SECURITY_STATUS(rv);
1747
1748 ContextSizes->cbMaxSignature += 16;
1749 }
1750
1751 return SEC_E_OK;
1752}
1753
1754static SECURITY_STATUS kerberos_ATTR_AUTH_IDENTITY(KRB_CONTEXT* context,
1755 KRB_CREDENTIALS* credentials,
1756 SecPkgContext_AuthIdentity* AuthIdentity)
1757{
1758 const SecPkgContext_AuthIdentity empty = WINPR_C_ARRAY_INIT;
1759
1760 WINPR_ASSERT(context);
1761 WINPR_ASSERT(context->auth_ctx);
1762 WINPR_ASSERT(credentials);
1763
1764 WINPR_ASSERT(AuthIdentity);
1765 *AuthIdentity = empty;
1766
1767 krb5glue_authenticator authenticator = nullptr;
1768 krb5_error_code rv = krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx,
1769 context->auth_ctx, &authenticator);
1770 if (rv)
1771 goto fail;
1772
1773 {
1774 rv = -1;
1775
1776#if defined(WITH_KRB5_HEIMDAL)
1777 const Realm data = authenticator->crealm;
1778 if (!data)
1779 goto fail;
1780 const size_t data_len = length_Realm(&data);
1781#else
1782 krb5_data* realm_data = krb5_princ_realm(credentials->ctx, authenticator->client);
1783 if (!realm_data)
1784 goto fail;
1785 const char* data = realm_data->data;
1786 if (!data)
1787 goto fail;
1788 const size_t data_len = realm_data->length;
1789#endif
1790
1791 if (data_len > (sizeof(AuthIdentity->Domain) - 1))
1792 goto fail;
1793 strncpy(AuthIdentity->Domain, data, data_len);
1794 }
1795
1796 {
1797#if defined(WITH_KRB5_HEIMDAL)
1798 const PrincipalName* principal = &authenticator->cname;
1799 const size_t name_length = length_PrincipalName(principal);
1800 if (!principal->name_string.val)
1801 goto fail;
1802 const char* name = *principal->name_string.val;
1803#else
1804 char* name = nullptr;
1805 rv = krb_log_exec(krb5_unparse_name_flags, credentials->ctx, authenticator->client,
1806 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
1807 if (rv)
1808 goto fail;
1809
1810 const size_t name_length = strlen(name);
1811#endif
1812
1813 const bool ok = (name_length <= (sizeof(AuthIdentity->User) - 1));
1814 if (ok)
1815 strncpy(AuthIdentity->User, name, name_length);
1816
1817 rv = ok ? 0 : -1;
1818
1819#if !defined(WITH_KRB5_HEIMDAL)
1820 krb5_free_unparsed_name(credentials->ctx, name);
1821#endif
1822 }
1823
1824fail:
1825 krb5glue_free_authenticator(credentials->ctx, authenticator);
1826 return krb5_error_to_SECURITY_STATUS(rv);
1827}
1828
1829static SECURITY_STATUS kerberos_ATTR_PACKAGE_INFO_A(WINPR_ATTR_UNUSED KRB_CONTEXT* context,
1830 WINPR_ATTR_UNUSED KRB_CREDENTIALS* credentials,
1831 SecPkgContext_PackageInfoA* PackageInfo)
1832{
1833 size_t size = sizeof(SecPkgInfoA);
1834 SecPkgInfoA* pPackageInfo =
1835 (SecPkgInfoA*)sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
1836
1837 if (!pPackageInfo)
1838 return SEC_E_INSUFFICIENT_MEMORY;
1839
1840 pPackageInfo->fCapabilities = KERBEROS_SecPkgInfoA.fCapabilities;
1841 pPackageInfo->wVersion = KERBEROS_SecPkgInfoA.wVersion;
1842 pPackageInfo->wRPCID = KERBEROS_SecPkgInfoA.wRPCID;
1843 pPackageInfo->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1844 pPackageInfo->Name = _strdup(KERBEROS_SecPkgInfoA.Name);
1845 pPackageInfo->Comment = _strdup(KERBEROS_SecPkgInfoA.Comment);
1846
1847 if (!pPackageInfo->Name || !pPackageInfo->Comment)
1848 {
1849 sspi_ContextBufferFree(pPackageInfo);
1850 return SEC_E_INSUFFICIENT_MEMORY;
1851 }
1852 PackageInfo->PackageInfo = pPackageInfo;
1853 return SEC_E_OK;
1854}
1855
1856static SECURITY_STATUS kerberos_ATTR_PACKAGE_INFO_W(WINPR_ATTR_UNUSED KRB_CONTEXT* context,
1857 WINPR_ATTR_UNUSED KRB_CREDENTIALS* credentials,
1858 SecPkgContext_PackageInfoW* PackageInfo)
1859{
1860 size_t size = sizeof(SecPkgInfoW);
1861 SecPkgInfoW* pPackageInfo =
1862 (SecPkgInfoW*)sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
1863
1864 if (!pPackageInfo)
1865 return SEC_E_INSUFFICIENT_MEMORY;
1866
1867 pPackageInfo->fCapabilities = KERBEROS_SecPkgInfoW.fCapabilities;
1868 pPackageInfo->wVersion = KERBEROS_SecPkgInfoW.wVersion;
1869 pPackageInfo->wRPCID = KERBEROS_SecPkgInfoW.wRPCID;
1870 pPackageInfo->cbMaxToken = KERBEROS_SecPkgInfoW.cbMaxToken;
1871 pPackageInfo->Name = _wcsdup(KERBEROS_SecPkgInfoW.Name);
1872 pPackageInfo->Comment = _wcsdup(KERBEROS_SecPkgInfoW.Comment);
1873
1874 if (!pPackageInfo->Name || !pPackageInfo->Comment)
1875 {
1876 sspi_ContextBufferFree(pPackageInfo);
1877 return SEC_E_INSUFFICIENT_MEMORY;
1878 }
1879 PackageInfo->PackageInfo = pPackageInfo;
1880 return SEC_E_OK;
1881}
1882
1883static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1884 KRB_CREDENTIALS* credentials,
1885 KERB_TICKET_LOGON* ticketLogon)
1886{
1887 krb5_creds matchCred = WINPR_C_ARRAY_INIT;
1888 krb5_auth_context authContext = nullptr;
1889 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1890 BOOL firstRun = TRUE;
1891 krb5_creds* hostCred = nullptr;
1892 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1893 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost, "HOST",
1894 KRB5_NT_SRV_HST, &matchCred.server);
1895 if (rv)
1896 goto out;
1897
1898 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1899 &matchCred.client);
1900 if (rv)
1901 goto out;
1902
1903 /* try from the cache first, and then do a new request */
1904again:
1905 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1906 &matchCred, &hostCred);
1907 switch (rv)
1908 {
1909 case 0:
1910 break;
1911 case KRB5_CC_NOTFOUND:
1912 getCredsFlags = 0;
1913 if (firstRun)
1914 {
1915 firstRun = FALSE;
1916 goto again;
1917 }
1918 WINPR_FALLTHROUGH
1919 default:
1920 WLog_ERR(TAG, "krb5_get_credentials(hostCreds), rv=%d", rv);
1921 goto out;
1922 }
1923
1924 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1925 goto out;
1926
1927 {
1928 krb5_data derOut = WINPR_C_ARRAY_INIT;
1929 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1930 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1931 {
1932 ret = SEC_E_LOGON_DENIED;
1933 goto out;
1934 }
1935
1936 ticketLogon->MessageType = KerbTicketLogon;
1937 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1938
1939 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1940 &ticketLogon->ServiceTicketLength))
1941 {
1942 krb5_free_data(credentials->ctx, &derOut);
1943 goto out;
1944 }
1945
1946 ticketLogon->TicketGrantingTicketLength = derOut.length;
1947 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1948 }
1949
1950 ret = SEC_E_OK;
1951out:
1952 krb5_auth_con_free(credentials->ctx, authContext);
1953 krb5_free_creds(credentials->ctx, hostCred);
1954 krb5_free_cred_contents(credentials->ctx, &matchCred);
1955 return ret;
1956}
1957
1958#endif /* WITH_KRB5 */
1959
1960WINPR_ATTR_NODISCARD
1961static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesCommon(
1962 PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute, void* pBuffer)
1963{
1964 if (!phContext)
1965 return SEC_E_INVALID_HANDLE;
1966
1967 if (!pBuffer)
1968 return SEC_E_INVALID_PARAMETER;
1969
1970#ifdef WITH_KRB5
1971 KRB_CONTEXT* context = get_context(phContext);
1972 if (!context)
1973 return SEC_E_INVALID_PARAMETER;
1974
1975 KRB_CREDENTIALS* credentials = context->credentials;
1976
1977 switch (ulAttribute)
1978 {
1979 case SECPKG_ATTR_SIZES:
1980 return kerberos_ATTR_SIZES(context, credentials, (SecPkgContext_Sizes*)pBuffer);
1981
1982 case SECPKG_ATTR_AUTH_IDENTITY:
1983 return kerberos_ATTR_AUTH_IDENTITY(context, credentials,
1984 (SecPkgContext_AuthIdentity*)pBuffer);
1985
1986 case SECPKG_CRED_ATTR_TICKET_LOGON:
1987 return kerberos_ATTR_TICKET_LOGON(context, credentials, (KERB_TICKET_LOGON*)pBuffer);
1988
1989 default:
1990 WLog_ERR(TAG, "TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1991 ulAttribute);
1992 return SEC_E_UNSUPPORTED_FUNCTION;
1993 }
1994#else
1995 return SEC_E_UNSUPPORTED_FUNCTION;
1996#endif
1997}
1998
1999static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(
2000 PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute, void* pBuffer)
2001{
2002 if (!phContext)
2003 return SEC_E_INVALID_HANDLE;
2004
2005 if (!pBuffer)
2006 return SEC_E_INVALID_PARAMETER;
2007
2008#ifdef WITH_KRB5
2009 KRB_CONTEXT* context = get_context(phContext);
2010 if (!context)
2011 return SEC_E_INVALID_PARAMETER;
2012
2013 KRB_CREDENTIALS* credentials = context->credentials;
2014
2015 switch (ulAttribute)
2016 {
2017 case SECPKG_ATTR_PACKAGE_INFO:
2018 return kerberos_ATTR_PACKAGE_INFO_A(context, credentials,
2019 (SecPkgContext_PackageInfoA*)pBuffer);
2020 default:
2021 break;
2022 }
2023#endif
2024 return kerberos_QueryContextAttributesCommon(phContext, ulAttribute, pBuffer);
2025}
2026
2027static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext,
2028 ULONG ulAttribute, void* pBuffer)
2029{
2030 if (!phContext)
2031 return SEC_E_INVALID_HANDLE;
2032
2033 if (!pBuffer)
2034 return SEC_E_INVALID_PARAMETER;
2035
2036#ifdef WITH_KRB5
2037 KRB_CONTEXT* context = get_context(phContext);
2038 if (!context)
2039 return SEC_E_INVALID_PARAMETER;
2040
2041 KRB_CREDENTIALS* credentials = context->credentials;
2042
2043 switch (ulAttribute)
2044 {
2045 case SECPKG_ATTR_PACKAGE_INFO:
2046 return kerberos_ATTR_PACKAGE_INFO_W(context, credentials,
2047 (SecPkgContext_PackageInfoW*)pBuffer);
2048 default:
2049 break;
2050 }
2051#endif
2052 return kerberos_QueryContextAttributesCommon(phContext, ulAttribute, pBuffer);
2053}
2054
2055static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
2056 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
2057 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
2058{
2059 return SEC_E_UNSUPPORTED_FUNCTION;
2060}
2061
2062static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
2063 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
2064 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
2065{
2066 return SEC_E_UNSUPPORTED_FUNCTION;
2067}
2068
2069static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(
2070 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
2071 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer,
2072 WINPR_ATTR_UNUSED BOOL unicode)
2073{
2074#ifdef WITH_KRB5
2075 KRB_CREDENTIALS* credentials = nullptr;
2076
2077 if (!phCredential)
2078 return SEC_E_INVALID_HANDLE;
2079
2080 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
2081
2082 if (!credentials)
2083 return SEC_E_INVALID_HANDLE;
2084
2085 if (!pBuffer)
2086 return SEC_E_INSUFFICIENT_MEMORY;
2087
2088 switch (ulAttribute)
2089 {
2090 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
2091 {
2092 SecPkgCredentials_KdcProxySettingsW* kdc_settings = pBuffer;
2093
2094 /* Sanity checks */
2095 if (cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
2096 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
2097 kdc_settings->ProxyServerOffset < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
2098 cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) +
2099 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
2100 return SEC_E_INVALID_TOKEN;
2101
2102 if (credentials->kdc_url)
2103 {
2104 free(credentials->kdc_url);
2105 credentials->kdc_url = nullptr;
2106 }
2107
2108 if (kdc_settings->ProxyServerLength > 0)
2109 {
2110 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
2111
2112 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
2113 proxy, kdc_settings->ProxyServerLength / sizeof(WCHAR), nullptr);
2114 if (!credentials->kdc_url)
2115 return SEC_E_INSUFFICIENT_MEMORY;
2116 }
2117
2118 return SEC_E_OK;
2119 }
2120 case SECPKG_CRED_ATTR_NAMES:
2121 case SECPKG_ATTR_SUPPORTED_ALGS:
2122 default:
2123 WLog_ERR(TAG, "TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
2124 ulAttribute);
2125 return SEC_E_UNSUPPORTED_FUNCTION;
2126 }
2127
2128#else
2129 return SEC_E_UNSUPPORTED_FUNCTION;
2130#endif
2131}
2132
2133static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(PCredHandle phCredential,
2134 ULONG ulAttribute,
2135 void* pBuffer, ULONG cbBuffer)
2136{
2137 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
2138}
2139
2140static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(PCredHandle phCredential,
2141 ULONG ulAttribute,
2142 void* pBuffer, ULONG cbBuffer)
2143{
2144 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
2145}
2146
2147static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2148 WINPR_ATTR_UNUSED ULONG fQOP,
2149 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2150 WINPR_ATTR_UNUSED ULONG MessageSeqNo)
2151{
2152#ifdef WITH_KRB5
2153 KRB_CONTEXT* context = get_context(phContext);
2154 PSecBuffer sig_buffer = nullptr;
2155 PSecBuffer data_buffer = nullptr;
2156 char* header = nullptr;
2157 BYTE flags = 0;
2158 krb5glue_key key = nullptr;
2159 krb5_keyusage usage = 0;
2160 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, WINPR_C_ARRAY_INIT },
2161 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2162 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2163 { KRB5_CRYPTO_TYPE_PADDING, WINPR_C_ARRAY_INIT },
2164 { KRB5_CRYPTO_TYPE_TRAILER, WINPR_C_ARRAY_INIT } };
2165
2166 if (!context)
2167 return SEC_E_INVALID_HANDLE;
2168
2169 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2170 return SEC_E_UNSUPPORTED_FUNCTION;
2171
2172 KRB_CREDENTIALS* creds = context->credentials;
2173
2174 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2175 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2176
2177 if (!sig_buffer || !data_buffer)
2178 return SEC_E_INVALID_TOKEN;
2179
2180 if (fQOP)
2181 return SEC_E_QOP_NOT_SUPPORTED;
2182
2183 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2184 flags |= FLAG_WRAP_CONFIDENTIAL;
2185
2186 key = get_key(&context->keyset);
2187 if (!key)
2188 return SEC_E_INTERNAL_ERROR;
2189
2190 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2191
2192 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
2193
2194 /* Set the lengths of the data (plaintext + header) */
2195 encrypt_iov[1].data.length = data_buffer->cbBuffer;
2196 encrypt_iov[2].data.length = 16;
2197
2198 /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
2199 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
2200 ARRAYSIZE(encrypt_iov)))
2201 return SEC_E_INTERNAL_ERROR;
2202 if (sig_buffer->cbBuffer <
2203 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
2204 return SEC_E_INSUFFICIENT_MEMORY;
2205
2206 /* Set up the iov array in sig_buffer */
2207 header = sig_buffer->pvBuffer;
2208 encrypt_iov[2].data.data = header + 16;
2209 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
2210 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
2211 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
2212 encrypt_iov[1].data.data = data_buffer->pvBuffer;
2213
2214 /* Write the GSS header with 0 in RRC */
2215 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
2216 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2217 header[3] = (char)0xFF;
2218 winpr_Data_Write_UINT32(header + 4, 0);
2219 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2220
2221 /* Copy header to be encrypted */
2222 CopyMemory(encrypt_iov[2].data.data, header, 16);
2223
2224 /* Set the correct RRC */
2225 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
2226 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
2227
2228 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
2229 ARRAYSIZE(encrypt_iov)))
2230 return SEC_E_INTERNAL_ERROR;
2231
2232 return SEC_E_OK;
2233#else
2234 return SEC_E_UNSUPPORTED_FUNCTION;
2235#endif
2236}
2237
2238static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2239 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2240 WINPR_ATTR_UNUSED ULONG MessageSeqNo,
2241 WINPR_ATTR_UNUSED ULONG* pfQOP)
2242{
2243#ifdef WITH_KRB5
2244 KRB_CONTEXT* context = get_context(phContext);
2245 PSecBuffer sig_buffer = nullptr;
2246 PSecBuffer data_buffer = nullptr;
2247 krb5glue_key key = nullptr;
2248 krb5_keyusage usage = 0;
2249 uint16_t tok_id = 0;
2250 BYTE flags = 0;
2251 uint16_t ec = 0;
2252 uint16_t rrc = 0;
2253 uint64_t seq_no = 0;
2254 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, WINPR_C_ARRAY_INIT },
2255 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2256 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2257 { KRB5_CRYPTO_TYPE_PADDING, WINPR_C_ARRAY_INIT },
2258 { KRB5_CRYPTO_TYPE_TRAILER, WINPR_C_ARRAY_INIT } };
2259
2260 if (!context)
2261 return SEC_E_INVALID_HANDLE;
2262
2263 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2264 return SEC_E_UNSUPPORTED_FUNCTION;
2265
2266 KRB_CREDENTIALS* creds = context->credentials;
2267
2268 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2269 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2270
2271 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2272 return SEC_E_INVALID_TOKEN;
2273
2274 /* Read in header information */
2275 BYTE* header = sig_buffer->pvBuffer;
2276 tok_id = winpr_Data_Get_UINT16_BE(header);
2277 flags = header[2];
2278 ec = winpr_Data_Get_UINT16_BE(&header[4]);
2279 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
2280 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
2281
2282 /* Check that the header is valid */
2283 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
2284 return SEC_E_INVALID_TOKEN;
2285
2286 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
2287 return SEC_E_INVALID_TOKEN;
2288
2289 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
2290 (seq_no != context->remote_seq + MessageSeqNo))
2291 return SEC_E_OUT_OF_SEQUENCE;
2292
2293 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
2294 return SEC_E_INVALID_TOKEN;
2295
2296 /* We don't expect a trailer buffer; the encrypted header must be rotated */
2297 if (rrc < 16)
2298 return SEC_E_INVALID_TOKEN;
2299
2300 /* Find the proper key and key usage */
2301 key = get_key(&context->keyset);
2302 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
2303 return SEC_E_INTERNAL_ERROR;
2304 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
2305
2306 /* Fill in the lengths of the iov array */
2307 iov[1].data.length = data_buffer->cbBuffer;
2308 iov[2].data.length = 16;
2309 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2310 return SEC_E_INTERNAL_ERROR;
2311
2312 /* We don't expect a trailer buffer; everything must be in sig_buffer */
2313 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
2314 return SEC_E_INVALID_TOKEN;
2315 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
2316 return SEC_E_INVALID_TOKEN;
2317
2318 /* Locate the parts of the message */
2319 iov[0].data.data = (char*)&header[16 + rrc + ec];
2320 iov[1].data.data = data_buffer->pvBuffer;
2321 iov[2].data.data = (char*)&header[16 + ec];
2322 char* data2 = iov[2].data.data;
2323 iov[3].data.data = &data2[iov[2].data.length];
2324
2325 char* data3 = iov[3].data.data;
2326 iov[4].data.data = &data3[iov[3].data.length];
2327
2328 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2329 return SEC_E_INTERNAL_ERROR;
2330
2331 /* Validate the encrypted header */
2332 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
2333 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
2334 if (memcmp(iov[2].data.data, header, 16) != 0)
2335 return SEC_E_MESSAGE_ALTERED;
2336
2337 *pfQOP = 0;
2338
2339 return SEC_E_OK;
2340#else
2341 return SEC_E_UNSUPPORTED_FUNCTION;
2342#endif
2343}
2344
2345static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2346 WINPR_ATTR_UNUSED ULONG fQOP,
2347 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2348 WINPR_ATTR_UNUSED ULONG MessageSeqNo)
2349{
2350#ifdef WITH_KRB5
2351 KRB_CONTEXT* context = get_context(phContext);
2352 PSecBuffer sig_buffer = nullptr;
2353 PSecBuffer data_buffer = nullptr;
2354 krb5glue_key key = nullptr;
2355 krb5_keyusage usage = 0;
2356 BYTE flags = 0;
2357 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2358 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2359 { KRB5_CRYPTO_TYPE_CHECKSUM, WINPR_C_ARRAY_INIT } };
2360
2361 if (!context)
2362 return SEC_E_INVALID_HANDLE;
2363
2364 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2365 return SEC_E_UNSUPPORTED_FUNCTION;
2366
2367 KRB_CREDENTIALS* creds = context->credentials;
2368
2369 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2370 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2371
2372 if (!sig_buffer || !data_buffer)
2373 return SEC_E_INVALID_TOKEN;
2374
2375 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2376
2377 key = get_key(&context->keyset);
2378 if (!key)
2379 return SEC_E_INTERNAL_ERROR;
2380 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2381
2382 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2383
2384 /* Fill in the lengths of the iov array */
2385 iov[0].data.length = data_buffer->cbBuffer;
2386 iov[1].data.length = 16;
2387 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2388 return SEC_E_INTERNAL_ERROR;
2389
2390 /* Ensure the buffer is big enough */
2391 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2392 return SEC_E_INSUFFICIENT_MEMORY;
2393
2394 /* Write the header */
2395 char* header = sig_buffer->pvBuffer;
2396 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2397 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2398 memset(header + 3, 0xFF, 5);
2399 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2400
2401 /* Set up the iov array */
2402 iov[0].data.data = data_buffer->pvBuffer;
2403 iov[1].data.data = header;
2404 iov[2].data.data = header + 16;
2405
2406 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2407 return SEC_E_INTERNAL_ERROR;
2408
2409 sig_buffer->cbBuffer = iov[2].data.length + 16;
2410
2411 return SEC_E_OK;
2412#else
2413 return SEC_E_UNSUPPORTED_FUNCTION;
2414#endif
2415}
2416
2417static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2418 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2419 WINPR_ATTR_UNUSED ULONG MessageSeqNo,
2420 WINPR_ATTR_UNUSED ULONG* pfQOP)
2421{
2422#ifdef WITH_KRB5
2423 PSecBuffer sig_buffer = nullptr;
2424 PSecBuffer data_buffer = nullptr;
2425 krb5glue_key key = nullptr;
2426 krb5_keyusage usage = 0;
2427 BYTE flags = 0;
2428 uint16_t tok_id = 0;
2429 uint64_t seq_no = 0;
2430 krb5_boolean is_valid = 0;
2431 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2432 { KRB5_CRYPTO_TYPE_DATA, WINPR_C_ARRAY_INIT },
2433 { KRB5_CRYPTO_TYPE_CHECKSUM, WINPR_C_ARRAY_INIT } };
2434 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2435
2436 KRB_CONTEXT* context = get_context(phContext);
2437 if (!context)
2438 return SEC_E_INVALID_HANDLE;
2439
2440 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2441 return SEC_E_UNSUPPORTED_FUNCTION;
2442
2443 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2444 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2445
2446 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2447 return SEC_E_INVALID_TOKEN;
2448
2449 /* Read in header info */
2450 BYTE* header = sig_buffer->pvBuffer;
2451 tok_id = winpr_Data_Get_UINT16_BE(header);
2452 flags = header[2];
2453 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2454
2455 /* Validate header */
2456 if (tok_id != TOK_ID_MIC)
2457 return SEC_E_INVALID_TOKEN;
2458
2459 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2460 return SEC_E_INVALID_TOKEN;
2461
2462 if (memcmp(header + 3, cmp_filler, sizeof(cmp_filler)) != 0)
2463 return SEC_E_INVALID_TOKEN;
2464
2465 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2466 return SEC_E_OUT_OF_SEQUENCE;
2467
2468 /* Find the proper key and usage */
2469 key = get_key(&context->keyset);
2470 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2471 return SEC_E_INTERNAL_ERROR;
2472 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2473
2474 /* Fill in the iov array lengths */
2475 KRB_CREDENTIALS* creds = context->credentials;
2476 iov[0].data.length = data_buffer->cbBuffer;
2477 iov[1].data.length = 16;
2478 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2479 return SEC_E_INTERNAL_ERROR;
2480
2481 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2482 return SEC_E_INTERNAL_ERROR;
2483
2484 /* Set up the iov array */
2485 iov[0].data.data = data_buffer->pvBuffer;
2486 iov[1].data.data = (char*)header;
2487 iov[2].data.data = (char*)&header[16];
2488
2489 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2490 &is_valid))
2491 return SEC_E_INTERNAL_ERROR;
2492
2493 if (!is_valid)
2494 return SEC_E_MESSAGE_ALTERED;
2495
2496 return SEC_E_OK;
2497#else
2498 return SEC_E_UNSUPPORTED_FUNCTION;
2499#endif
2500}
2501
2502const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = {
2503 3, /* dwVersion */
2504 nullptr, /* EnumerateSecurityPackages */
2505 kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
2506 kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
2507 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2508 nullptr, /* Reserved2 */
2509 kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */
2510 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2511 nullptr, /* CompleteAuthToken */
2512 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2513 nullptr, /* ApplyControlToken */
2514 kerberos_QueryContextAttributesA, /* QueryContextAttributes */
2515 nullptr, /* ImpersonateSecurityContext */
2516 nullptr, /* RevertSecurityContext */
2517 kerberos_MakeSignature, /* MakeSignature */
2518 kerberos_VerifySignature, /* VerifySignature */
2519 nullptr, /* FreeContextBuffer */
2520 nullptr, /* QuerySecurityPackageInfo */
2521 nullptr, /* Reserved3 */
2522 nullptr, /* Reserved4 */
2523 nullptr, /* ExportSecurityContext */
2524 nullptr, /* ImportSecurityContext */
2525 nullptr, /* AddCredentials */
2526 nullptr, /* Reserved8 */
2527 nullptr, /* QuerySecurityContextToken */
2528 kerberos_EncryptMessage, /* EncryptMessage */
2529 kerberos_DecryptMessage, /* DecryptMessage */
2530 kerberos_SetContextAttributesA, /* SetContextAttributes */
2531 kerberos_SetCredentialsAttributesA, /* SetCredentialsAttributes */
2532};
2533
2534const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = {
2535 3, /* dwVersion */
2536 nullptr, /* EnumerateSecurityPackages */
2537 kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
2538 kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
2539 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2540 nullptr, /* Reserved2 */
2541 kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */
2542 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2543 nullptr, /* CompleteAuthToken */
2544 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2545 nullptr, /* ApplyControlToken */
2546 kerberos_QueryContextAttributesW, /* QueryContextAttributes */
2547 nullptr, /* ImpersonateSecurityContext */
2548 nullptr, /* RevertSecurityContext */
2549 kerberos_MakeSignature, /* MakeSignature */
2550 kerberos_VerifySignature, /* VerifySignature */
2551 nullptr, /* FreeContextBuffer */
2552 nullptr, /* QuerySecurityPackageInfo */
2553 nullptr, /* Reserved3 */
2554 nullptr, /* Reserved4 */
2555 nullptr, /* ExportSecurityContext */
2556 nullptr, /* ImportSecurityContext */
2557 nullptr, /* AddCredentials */
2558 nullptr, /* Reserved8 */
2559 nullptr, /* QuerySecurityContextToken */
2560 kerberos_EncryptMessage, /* EncryptMessage */
2561 kerberos_DecryptMessage, /* DecryptMessage */
2562 kerberos_SetContextAttributesW, /* SetContextAttributes */
2563 kerberos_SetCredentialsAttributesW, /* SetCredentialsAttributes */
2564};
2565
2566BOOL KERBEROS_init(void)
2567{
2568 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2569 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2570 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2571 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
2572 return TRUE;
2573}
KERB_TICKET_LOGON
Definition secapi.h:51
SECURITY_INTEGER
Definition include/winpr/sspi.h:51
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SEC_WINNT_AUTH_IDENTITY_WINPR
Definition include/winpr/sspi.h:930
SEC_WINPR_KERBEROS_SETTINGS
Definition include/winpr/sspi.h:915
SecPkgContext_AuthIdentity
Definition include/winpr/sspi.h:1435
SecPkgContext_PackageInfoA
Definition include/winpr/sspi.h:416
SecPkgContext_PackageInfoW
Definition include/winpr/sspi.h:421
SecPkgContext_Sizes
Definition include/winpr/sspi.h:450
SecPkgCredentials_KdcProxySettingsW
Definition include/winpr/sspi.h:548
WinPrAsn1_MemoryChunk
Definition asn1.h:92
krb5glue_keyset
Definition krb5glue.h:92
sspi_gss_data
Definition sspi_gss.h:36
SEC_WINNT_AUTH_IDENTITY_INFO
Definition include/winpr/sspi.h:808