FreeRDP
Loading...
Searching...
No Matches
kerberos.c
1
22#include <winpr/config.h>
23
24#include <stdio.h>
25#include <stdlib.h>
26#include <string.h>
27#include <errno.h>
28#include <fcntl.h>
29#include <ctype.h>
30
31#include <winpr/assert.h>
32#include <winpr/cast.h>
33#include <winpr/asn1.h>
34#include <winpr/crt.h>
35#include <winpr/interlocked.h>
36#include <winpr/sspi.h>
37#include <winpr/print.h>
38#include <winpr/tchar.h>
39#include <winpr/sysinfo.h>
40#include <winpr/registry.h>
41#include <winpr/endian.h>
42#include <winpr/crypto.h>
43#include <winpr/path.h>
44#include <winpr/wtypes.h>
45#include <winpr/winsock.h>
46#include <winpr/schannel.h>
47#include <winpr/secapi.h>
48
49#include "kerberos.h"
50
51#ifdef WITH_KRB5_MIT
52#include "krb5glue.h"
53#include <profile.h>
54#endif
55
56#ifdef WITH_KRB5_HEIMDAL
57#include "krb5glue.h"
58#include <krb5-protos.h>
59#endif
60
61#include "../sspi.h"
62#include "../../log.h"
63
64const SecPkgInfoA KERBEROS_SecPkgInfoA = {
65 0x000F3BBF, /* fCapabilities */
66 1, /* wVersion */
67 0x0010, /* wRPCID */
68 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
69 "Kerberos", /* Name */
70 "Kerberos Security Package" /* Comment */
71};
72
73static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = WINPR_C_ARRAY_INIT;
74static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = WINPR_C_ARRAY_INIT;
75
76const SecPkgInfoW KERBEROS_SecPkgInfoW = {
77 0x000F3BBF, /* fCapabilities */
78 1, /* wVersion */
79 0x0010, /* wRPCID */
80 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
81 KERBEROS_SecPkgInfoW_NameBuffer, /* Name */
82 KERBEROS_SecPkgInfoW_CommentBuffer /* Comment */
83};
84
85#ifdef WITH_KRB5
86#define TAG WINPR_TAG("sspi.Kerberos")
87
88#define KRB_TGT_REQ 16
89#define KRB_TGT_REP 17
90
91enum KERBEROS_STATE
92{
93 KERBEROS_STATE_INITIAL,
94 KERBEROS_STATE_TGT_REQ,
95 KERBEROS_STATE_TGT_REP,
96 KERBEROS_STATE_AP_REQ,
97 KERBEROS_STATE_AP_REP,
98 KERBEROS_STATE_FINAL
99};
100
101typedef struct KRB_CREDENTIALS_st
102{
103 volatile LONG refCount;
104 krb5_context ctx;
105 char* kdc_url;
106 krb5_ccache ccache;
107 krb5_keytab keytab;
108 krb5_keytab client_keytab;
109 BOOL own_ccache;
110} KRB_CREDENTIALS;
111
112struct s_KRB_CONTEXT
113{
114 enum KERBEROS_STATE state;
115 KRB_CREDENTIALS* credentials;
116 krb5_auth_context auth_ctx;
117 BOOL acceptor;
118 uint32_t flags;
119 uint64_t local_seq;
120 uint64_t remote_seq;
121 struct krb5glue_keyset keyset;
122 BOOL u2u;
123 char* targetHost;
124};
125
126static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
127static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
128 (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
129
130#define krb_log_exec(fkt, ctx, ...) \
131 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
132#define krb_log_exec_ptr(fkt, ctx, ...) \
133 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
134static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
135 const char* file, const char* fkt, size_t line)
136{
137 switch (code)
138 {
139 case 0:
140 case KRB5_KT_END:
141 break;
142 default:
143 {
144 const DWORD level = WLOG_ERROR;
145
146 wLog* log = WLog_Get(TAG);
147 if (WLog_IsLevelActive(log, level))
148 {
149 const char* msg = krb5_get_error_message(ctx, code);
150 WLog_PrintTextMessage(log, level, line, file, fkt, "%s (%s [%d])", what, msg, code);
151 krb5_free_error_message(ctx, msg);
152 }
153 }
154 break;
155 }
156 return code;
157}
158
159static void credentials_unref(KRB_CREDENTIALS* credentials);
160
161static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
162{
163 if (!ctx)
164 return;
165
166 free(ctx->targetHost);
167 ctx->targetHost = nullptr;
168
169 if (ctx->credentials)
170 {
171 krb5_context krbctx = ctx->credentials->ctx;
172 if (krbctx)
173 {
174 if (ctx->auth_ctx)
175 krb5_auth_con_free(krbctx, ctx->auth_ctx);
176
177 krb5glue_keys_free(krbctx, &ctx->keyset);
178 }
179
180 credentials_unref(ctx->credentials);
181 }
182
183 if (allocated)
184 free(ctx);
185}
186
187static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
188{
189 KRB_CONTEXT* context = nullptr;
190
191 context = (KRB_CONTEXT*)calloc(1, sizeof(KRB_CONTEXT));
192 if (!context)
193 return nullptr;
194
195 context->credentials = credentials;
196 InterlockedIncrement(&credentials->refCount);
197 return context;
198}
199
200static krb5_error_code krb5_prompter(krb5_context context, void* data,
201 WINPR_ATTR_UNUSED const char* name,
202 WINPR_ATTR_UNUSED const char* banner, int num_prompts,
203 krb5_prompt prompts[])
204{
205 for (int i = 0; i < num_prompts; i++)
206 {
207 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
208 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
209 {
210 prompts[i].reply->data = _strdup((const char*)data);
211
212 const size_t len = strlen((const char*)data);
213 if (len > UINT32_MAX)
214 return KRB5KRB_ERR_GENERIC;
215 prompts[i].reply->length = (UINT32)len;
216 }
217 }
218 return 0;
219}
220
221static inline krb5glue_key get_key(struct krb5glue_keyset* keyset)
222{
223 return keyset->acceptor_key ? keyset->acceptor_key
224 : keyset->initiator_key ? keyset->initiator_key
225 : keyset->session_key;
226}
227
228static BOOL isValidIPv4(const char* ipAddress)
229{
230 struct sockaddr_in sa = WINPR_C_ARRAY_INIT;
231 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
232 return result != 0;
233}
234
235static BOOL isValidIPv6(const char* ipAddress)
236{
237 struct sockaddr_in6 sa = WINPR_C_ARRAY_INIT;
238 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
239 return result != 0;
240}
241
242static BOOL isValidIP(const char* ipAddress)
243{
244 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
245}
246
247#if defined(WITH_KRB5_MIT)
248WINPR_ATTR_MALLOC(free, 1)
249WINPR_ATTR_NODISCARD
250static char* get_realm_name(krb5_data realm, size_t* plen)
251{
252 WINPR_ASSERT(plen);
253 *plen = 0;
254 if ((realm.length <= 0) || (!realm.data))
255 return nullptr;
256
257 char* name = nullptr;
258 (void)winpr_asprintf(&name, plen, "krbtgt/%*s@%*s", realm.length, realm.data, realm.length,
259 realm.data);
260 return name;
261}
262#elif defined(WITH_KRB5_HEIMDAL)
263WINPR_ATTR_MALLOC(free, 1)
264WINPR_ATTR_NODISCARD
265static char* get_realm_name(Realm realm, size_t* plen)
266{
267 WINPR_ASSERT(plen);
268 *plen = 0;
269 if (!realm)
270 return nullptr;
271
272 char* name = nullptr;
273 (void)winpr_asprintf(&name, plen, "krbtgt/%s@%s", realm, realm);
274 return name;
275}
276#endif
277
278static int build_krbtgt(krb5_context ctx, krb5_principal principal, krb5_principal* ptarget)
279{
280 /* "krbtgt/" + realm + "@" + realm */
281 size_t len = 0;
282 krb5_error_code rv = KRB5_CC_NOMEM;
283
284 char* name = get_realm_name(principal->realm, &len);
285 if (!name || (len == 0))
286 goto fail;
287
288 {
289 krb5_principal target = WINPR_C_ARRAY_INIT;
290 rv = krb5_parse_name(ctx, name, &target);
291 *ptarget = target;
292 }
293fail:
294 free(name);
295 return rv;
296}
297
298#endif /* WITH_KRB5 */
299
300static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
301 WINPR_ATTR_UNUSED SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage,
302 WINPR_ATTR_UNUSED ULONG fCredentialUse, WINPR_ATTR_UNUSED void* pvLogonID,
303 WINPR_ATTR_UNUSED void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn,
304 WINPR_ATTR_UNUSED void* pvGetKeyArgument, WINPR_ATTR_UNUSED PCredHandle phCredential,
305 WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
306{
307#ifdef WITH_KRB5
308 SEC_WINPR_KERBEROS_SETTINGS* krb_settings = nullptr;
309 KRB_CREDENTIALS* credentials = nullptr;
310 krb5_context ctx = nullptr;
311 krb5_ccache ccache = nullptr;
312 krb5_keytab keytab = nullptr;
313 krb5_principal principal = nullptr;
314 char* domain = nullptr;
315 char* username = nullptr;
316 char* password = nullptr;
317 BOOL own_ccache = FALSE;
318 const char* const default_ccache_type = "MEMORY";
319
320 if (pAuthData)
321 {
322 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
323
324 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
325 krb_settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->kerberosSettings);
326
327 if (!sspi_CopyAuthIdentityFieldsA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &username,
328 &domain, &password))
329 {
330 WLog_ERR(TAG, "Failed to copy auth identity fields");
331 goto cleanup;
332 }
333
334 if (!pszPrincipal)
335 pszPrincipal = username;
336 }
337
338 if (krb_log_exec_ptr(krb5_init_context, &ctx))
339 goto cleanup;
340
341 if (domain)
342 {
343 char* udomain = _strdup(domain);
344 if (!udomain)
345 goto cleanup;
346
347 CharUpperA(udomain);
348 /* Will use domain if realm is not specified in username */
349 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
350 free(udomain);
351
352 if (rv)
353 goto cleanup;
354 }
355
356 if (pszPrincipal)
357 {
358 char* cpszPrincipal = _strdup(pszPrincipal);
359 if (!cpszPrincipal)
360 goto cleanup;
361
362 /* Find realm component if included and convert to uppercase */
363 char* p = strchr(cpszPrincipal, '@');
364 if (p)
365 CharUpperA(p);
366
367 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
368 free(cpszPrincipal);
369
370 if (rv)
371 goto cleanup;
372 WINPR_ASSERT(principal);
373 }
374
375 if (krb_settings && krb_settings->cache)
376 {
377 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
378 goto cleanup;
379 }
380 else
381 own_ccache = TRUE;
382
383 if (principal)
384 {
385 /* Use the default cache if it's initialized with the right principal */
386 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
387 {
388 if (own_ccache)
389 {
390 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, nullptr, &ccache))
391 goto cleanup;
392 }
393 else
394 {
395 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
396 goto cleanup;
397 }
398
399 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
400 goto cleanup;
401 }
402 else
403 {
404 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
405 goto cleanup;
406 own_ccache = FALSE;
407 }
408 WINPR_ASSERT(ccache);
409 }
410 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
411 {
412 /* Use the default cache with it's default principal */
413 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
414 goto cleanup;
415 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
416 goto cleanup;
417 WINPR_ASSERT(ccache);
418 own_ccache = FALSE;
419 }
420 else
421 {
422 if (own_ccache)
423 {
424 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, nullptr, &ccache))
425 goto cleanup;
426 }
427 else
428 {
429 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
430 goto cleanup;
431 }
432 WINPR_ASSERT(ccache);
433 }
434
435 if (krb_settings && krb_settings->keytab)
436 {
437 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
438 goto cleanup;
439 }
440 else
441 {
442 if (fCredentialUse & SECPKG_CRED_INBOUND)
443 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
444 goto cleanup;
445 }
446
447 /* Get initial credentials if required */
448 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
449 {
450 krb5_creds creds = WINPR_C_ARRAY_INIT;
451 krb5_creds matchCreds = WINPR_C_ARRAY_INIT;
452 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
453
454 krb5_timeofday(ctx, &matchCreds.times.endtime);
455 matchCreds.times.endtime += 60;
456 matchCreds.client = principal;
457
458 WINPR_ASSERT(principal);
459 WINPR_ASSERT(ctx);
460 WINPR_ASSERT(ccache);
461 if (krb_log_exec(build_krbtgt, ctx, principal, &matchCreds.server))
462 goto cleanup;
463
464 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
465 krb5_free_principal(ctx, matchCreds.server);
466 krb5_free_cred_contents(ctx, &creds);
467 if (rv)
468 {
469 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
470 password, krb_settings))
471 goto cleanup;
472 }
473 }
474
475 credentials = calloc(1, sizeof(KRB_CREDENTIALS));
476 if (!credentials)
477 goto cleanup;
478 credentials->refCount = 1;
479 credentials->ctx = ctx;
480 credentials->ccache = ccache;
481 credentials->keytab = keytab;
482 credentials->own_ccache = own_ccache;
483
484cleanup:
485
486 free(domain);
487 free(username);
488 free(password);
489
490 if (principal)
491 krb5_free_principal(ctx, principal);
492 if (ctx)
493 {
494 if (!credentials)
495 {
496 if (ccache)
497 {
498 if (own_ccache)
499 krb5_cc_destroy(ctx, ccache);
500 else
501 krb5_cc_close(ctx, ccache);
502 }
503 if (keytab)
504 krb5_kt_close(ctx, keytab);
505
506 krb5_free_context(ctx);
507 }
508 }
509
510 /* If we managed to get credentials set the output */
511 if (credentials)
512 {
513 sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials);
514 sspi_SecureHandleSetUpperPointer(phCredential, (void*)KERBEROS_SSP_NAME);
515 return SEC_E_OK;
516 }
517
518 return SEC_E_NO_CREDENTIALS;
519#else
520 return SEC_E_UNSUPPORTED_FUNCTION;
521#endif
522}
523
524static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
525 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
526 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
527 PTimeStamp ptsExpiry)
528{
529 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
530 char* principal = nullptr;
531 char* package = nullptr;
532
533 if (pszPrincipal)
534 {
535 principal = ConvertWCharToUtf8Alloc(pszPrincipal, nullptr);
536 if (!principal)
537 goto fail;
538 }
539 if (pszPackage)
540 {
541 package = ConvertWCharToUtf8Alloc(pszPackage, nullptr);
542 if (!package)
543 goto fail;
544 }
545
546 status =
547 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
548 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
549
550fail:
551 free(principal);
552 free(package);
553
554 return status;
555}
556
557#ifdef WITH_KRB5
558static void credentials_unref(KRB_CREDENTIALS* credentials)
559{
560 WINPR_ASSERT(credentials);
561
562 if (InterlockedDecrement(&credentials->refCount))
563 return;
564
565 free(credentials->kdc_url);
566
567 if (credentials->ccache)
568 {
569 if (credentials->own_ccache)
570 krb5_cc_destroy(credentials->ctx, credentials->ccache);
571 else
572 krb5_cc_close(credentials->ctx, credentials->ccache);
573 }
574 if (credentials->keytab)
575 krb5_kt_close(credentials->ctx, credentials->keytab);
576
577 krb5_free_context(credentials->ctx);
578 free(credentials);
579}
580#endif
581
582static SECURITY_STATUS
583 SEC_ENTRY kerberos_FreeCredentialsHandle(WINPR_ATTR_UNUSED PCredHandle phCredential)
584{
585#ifdef WITH_KRB5
586 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
587 if (!credentials)
588 return SEC_E_INVALID_HANDLE;
589
590 credentials_unref(credentials);
591
592 sspi_SecureHandleInvalidate(phCredential);
593 return SEC_E_OK;
594#else
595 return SEC_E_UNSUPPORTED_FUNCTION;
596#endif
597}
598
599static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
600 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
601 WINPR_ATTR_UNUSED void* pBuffer)
602{
603#ifdef WITH_KRB5
604 switch (ulAttribute)
605 {
606 case SECPKG_CRED_ATTR_NAMES:
607 return SEC_E_OK;
608 default:
609 WLog_ERR(TAG, "TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
610 ulAttribute);
611 return SEC_E_UNSUPPORTED_FUNCTION;
612 }
613
614#else
615 return SEC_E_UNSUPPORTED_FUNCTION;
616#endif
617}
618
619static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential,
620 ULONG ulAttribute,
621 void* pBuffer)
622{
623 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
624}
625
626#ifdef WITH_KRB5
627
628static BOOL kerberos_mk_tgt_token(SecBuffer* buf, int msg_type, char* sname, char* host,
629 const krb5_data* ticket)
630{
631 WinPrAsn1Encoder* enc = nullptr;
632 WinPrAsn1_MemoryChunk data;
633 wStream s;
634 size_t len = 0;
635 sspi_gss_data token;
636 BOOL ret = FALSE;
637
638 WINPR_ASSERT(buf);
639
640 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
641 return FALSE;
642 if (msg_type == KRB_TGT_REP && !ticket)
643 return FALSE;
644
645 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
646 if (!enc)
647 return FALSE;
648
649 /* KERB-TGT-REQUEST (SEQUENCE) */
650 if (!WinPrAsn1EncSeqContainer(enc))
651 goto cleanup;
652
653 /* pvno [0] INTEGER */
654 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
655 goto cleanup;
656
657 /* msg-type [1] INTEGER */
658 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
659 goto cleanup;
660
661 if (msg_type == KRB_TGT_REQ && sname)
662 {
663 /* server-name [2] PrincipalName (SEQUENCE) */
664 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
665 goto cleanup;
666
667 /* name-type [0] INTEGER */
668 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
669 goto cleanup;
670
671 /* name-string [1] SEQUENCE OF GeneralString */
672 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
673 goto cleanup;
674
675 if (!WinPrAsn1EncGeneralString(enc, sname))
676 goto cleanup;
677
678 if (host && !WinPrAsn1EncGeneralString(enc, host))
679 goto cleanup;
680
681 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
682 goto cleanup;
683 }
684 else if (msg_type == KRB_TGT_REP)
685 {
686 /* ticket [2] Ticket */
687 data.data = (BYTE*)ticket->data;
688 data.len = ticket->length;
689 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
690 goto cleanup;
691 }
692
693 if (!WinPrAsn1EncEndContainer(enc))
694 goto cleanup;
695
696 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
697 goto cleanup;
698
699 Stream_StaticInit(&s, buf->pvBuffer, len);
700 if (!WinPrAsn1EncToStream(enc, &s))
701 goto cleanup;
702
703 token.data = buf->pvBuffer;
704 token.length = (UINT)len;
705 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
706 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
707 ret = TRUE;
708
709cleanup:
710 WinPrAsn1Encoder_Free(&enc);
711 return ret;
712}
713
714static BOOL append(char* dst, size_t dstSize, const char* src)
715{
716 const size_t dlen = strnlen(dst, dstSize);
717 const size_t slen = strlen(src);
718 if (dlen + slen >= dstSize)
719 return FALSE;
720 if (!strncat(dst, src, dstSize - dlen))
721 return FALSE;
722 return TRUE;
723}
724
725static BOOL kerberos_rd_tgt_req_tag2(WinPrAsn1Decoder* dec, char* buf, size_t len)
726{
727 BOOL rc = FALSE;
728 WinPrAsn1Decoder seq = WinPrAsn1Decoder_init();
729
730 /* server-name [2] PrincipalName (SEQUENCE) */
731 if (!WinPrAsn1DecReadSequence(dec, &seq))
732 goto end;
733
734 /* name-type [0] INTEGER */
735 {
736 BOOL error = FALSE;
737 {
738 WinPrAsn1_INTEGER val = 0;
739 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
740 goto end;
741 }
742
743 /* name-string [1] SEQUENCE OF GeneralString */
744 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
745 goto end;
746 }
747
748 {
749 WinPrAsn1_tag tag = 0;
750 BOOL first = TRUE;
751 while (WinPrAsn1DecPeekTag(dec, &tag))
752 {
753 BOOL success = FALSE;
754 char* lstr = nullptr;
755 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
756 goto fail;
757
758 if (!first)
759 {
760 if (!append(buf, len, "/"))
761 goto fail;
762 }
763 first = FALSE;
764
765 if (!append(buf, len, lstr))
766 goto fail;
767
768 success = TRUE;
769 fail:
770 free(lstr);
771 if (!success)
772 goto end;
773 }
774 }
775
776 rc = TRUE;
777end:
778 return rc;
779}
780
781static BOOL kerberos_rd_tgt_req_tag3(WinPrAsn1Decoder* dec, char* buf, size_t len)
782{
783 /* realm [3] Realm */
784 BOOL rc = FALSE;
785 WinPrAsn1_STRING str = nullptr;
786 if (!WinPrAsn1DecReadGeneralString(dec, &str))
787 goto end;
788
789 if (!append(buf, len, "@"))
790 goto end;
791 if (!append(buf, len, str))
792 goto end;
793
794 rc = TRUE;
795end:
796 free(str);
797 return rc;
798}
799
800static BOOL kerberos_rd_tgt_req(WinPrAsn1Decoder* dec, char** target)
801{
802 BOOL rc = FALSE;
803
804 if (!target)
805 return FALSE;
806 *target = nullptr;
807
808 wStream s = WinPrAsn1DecGetStream(dec);
809 const size_t len = Stream_Length(&s);
810 if (len == 0)
811 return TRUE;
812
813 WinPrAsn1Decoder dec2 = WinPrAsn1Decoder_init();
814 WinPrAsn1_tagId tag = 0;
815 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
816 return FALSE;
817
818 char* buf = calloc(len + 1, sizeof(char));
819 if (!buf)
820 return FALSE;
821
822 /* We expect ASN1 context tag values 2 or 3.
823 *
824 * In case we got value 2 an (optional) context tag value 3 might follow.
825 */
826 BOOL checkForTag3 = TRUE;
827 if (tag == 2)
828 {
829 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
830 if (rc)
831 {
832 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
833 if (res == 0)
834 checkForTag3 = FALSE;
835 }
836 }
837
838 if (checkForTag3)
839 {
840 if (tag == 3)
841 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
842 else
843 rc = FALSE;
844 }
845
846 if (rc)
847 *target = buf;
848 else
849 free(buf);
850 return rc;
851}
852
853static BOOL kerberos_rd_tgt_rep(WinPrAsn1Decoder* dec, krb5_data* ticket)
854{
855 if (!ticket)
856 return FALSE;
857
858 /* ticket [2] Ticket */
859 WinPrAsn1Decoder asnTicket = WinPrAsn1Decoder_init();
860 WinPrAsn1_tagId tag = 0;
861 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
862 return FALSE;
863
864 if (tag != 2)
865 return FALSE;
866
867 wStream s = WinPrAsn1DecGetStream(&asnTicket);
868 ticket->data = Stream_BufferAs(&s, char);
869
870 const size_t len = Stream_Length(&s);
871 if (len > UINT32_MAX)
872 return FALSE;
873 ticket->length = (UINT32)len;
874 return TRUE;
875}
876
877static BOOL kerberos_rd_tgt_token(const sspi_gss_data* token, char** target, krb5_data* ticket)
878{
879 BOOL error = 0;
880 WinPrAsn1_INTEGER val = 0;
881
882 WINPR_ASSERT(token);
883
884 if (target)
885 *target = nullptr;
886
887 WinPrAsn1Decoder der = WinPrAsn1Decoder_init();
888 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
889
890 /* KERB-TGT-REQUEST (SEQUENCE) */
891 WinPrAsn1Decoder seq = WinPrAsn1Decoder_init();
892 if (!WinPrAsn1DecReadSequence(&der, &seq))
893 return FALSE;
894
895 /* pvno [0] INTEGER */
896 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
897 return FALSE;
898
899 /* msg-type [1] INTEGER */
900 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
901 return FALSE;
902
903 switch (val)
904 {
905 case KRB_TGT_REQ:
906 return kerberos_rd_tgt_req(&seq, target);
907 case KRB_TGT_REP:
908 return kerberos_rd_tgt_rep(&seq, ticket);
909 default:
910 break;
911 }
912 return FALSE;
913}
914
915static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5, SEC_CHANNEL_BINDINGS* bindings)
916{
917 BYTE buf[4];
918
919 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
920 if (!winpr_Digest_Update(md5, buf, 4))
921 return FALSE;
922
923 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
924 if (!winpr_Digest_Update(md5, buf, 4))
925 return FALSE;
926
927 if (bindings->cbInitiatorLength &&
928 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
929 bindings->cbInitiatorLength))
930 return FALSE;
931
932 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
933 if (!winpr_Digest_Update(md5, buf, 4))
934 return FALSE;
935
936 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
937 if (!winpr_Digest_Update(md5, buf, 4))
938 return FALSE;
939
940 if (bindings->cbAcceptorLength &&
941 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
942 bindings->cbAcceptorLength))
943 return FALSE;
944
945 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
946 if (!winpr_Digest_Update(md5, buf, 4))
947 return FALSE;
948
949 if (bindings->cbApplicationDataLength &&
950 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
951 bindings->cbApplicationDataLength))
952 return FALSE;
953
954 return TRUE;
955}
956
957#endif /* WITH_KRB5 */
958
959static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
960 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED PCtxtHandle phContext,
961 WINPR_ATTR_UNUSED SEC_CHAR* pszTargetName, WINPR_ATTR_UNUSED ULONG fContextReq,
962 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep,
963 WINPR_ATTR_UNUSED PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG Reserved2,
964 WINPR_ATTR_UNUSED PCtxtHandle phNewContext, WINPR_ATTR_UNUSED PSecBufferDesc pOutput,
965 WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
966{
967#ifdef WITH_KRB5
968 PSecBuffer input_buffer = nullptr;
969 PSecBuffer output_buffer = nullptr;
970 PSecBuffer bindings_buffer = nullptr;
971 WINPR_DIGEST_CTX* md5 = nullptr;
972 char* target = nullptr;
973 char* sname = nullptr;
974 char* host = nullptr;
975 krb5_data input_token = WINPR_C_ARRAY_INIT;
976 krb5_data output_token = WINPR_C_ARRAY_INIT;
977 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
978 WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT;
979 uint16_t tok_id = 0;
980 krb5_ap_rep_enc_part* reply = nullptr;
981 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
982 char cksum_contents[24] = WINPR_C_ARRAY_INIT;
983 krb5_data cksum = WINPR_C_ARRAY_INIT;
984 krb5_creds in_creds = WINPR_C_ARRAY_INIT;
985 krb5_creds* creds = nullptr;
986 BOOL isNewContext = FALSE;
987 KRB_CONTEXT* context = nullptr;
988 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
989
990 /* behave like windows SSPIs that don't want empty context */
991 if (phContext && !phContext->dwLower && !phContext->dwUpper)
992 return SEC_E_INVALID_HANDLE;
993
994 context = sspi_SecureHandleGetLowerPointer(phContext);
995
996 if (!credentials)
997 return SEC_E_NO_CREDENTIALS;
998
999 if (pInput)
1000 {
1001 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1002 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
1003 }
1004 if (pOutput)
1005 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1006
1007 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
1008 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
1009
1010 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1011 ap_flags |= AP_OPTS_USE_SESSION_KEY;
1012
1013 /* Split target name into service/hostname components */
1014 if (pszTargetName)
1015 {
1016 target = _strdup(pszTargetName);
1017 if (!target)
1018 {
1019 status = SEC_E_INSUFFICIENT_MEMORY;
1020 goto cleanup;
1021 }
1022 host = strchr(target, '/');
1023 if (host)
1024 {
1025 *host++ = 0;
1026 sname = target;
1027 }
1028 else
1029 host = target;
1030 if (isValidIP(host))
1031 {
1032 status = SEC_E_NO_CREDENTIALS;
1033 goto cleanup;
1034 }
1035 }
1036
1037 if (!context)
1038 {
1039 context = kerberos_ContextNew(credentials);
1040 if (!context)
1041 {
1042 status = SEC_E_INSUFFICIENT_MEMORY;
1043 goto cleanup;
1044 }
1045
1046 isNewContext = TRUE;
1047
1048 if (host)
1049 context->targetHost = _strdup(host);
1050 if (!context->targetHost)
1051 {
1052 status = SEC_E_INSUFFICIENT_MEMORY;
1053 goto cleanup;
1054 }
1055
1056 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1057 {
1058 context->state = KERBEROS_STATE_TGT_REQ;
1059 context->u2u = TRUE;
1060 }
1061 else
1062 context->state = KERBEROS_STATE_AP_REQ;
1063 }
1064 else
1065 {
1066 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1067 goto bad_token;
1068 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1069 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1070 goto bad_token;
1071 }
1072
1073 /* SSPI flags are compatible with GSS flags except INTEG_FLAG */
1074 context->flags |= (fContextReq & 0x1F);
1075 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1076 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1077
1078 switch (context->state)
1079 {
1080 case KERBEROS_STATE_TGT_REQ:
1081
1082 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, nullptr))
1083 goto cleanup;
1084
1085 context->state = KERBEROS_STATE_TGT_REP;
1086 status = SEC_I_CONTINUE_NEEDED;
1087 break;
1088
1089 case KERBEROS_STATE_TGT_REP:
1090
1091 if (tok_id != TOK_ID_TGT_REP)
1092 goto bad_token;
1093
1094 if (!kerberos_rd_tgt_token(&input_token, nullptr, &in_creds.second_ticket))
1095 goto bad_token;
1096
1097 /* Continue to AP-REQ */
1098 /* fallthrough */
1099 WINPR_FALLTHROUGH
1100
1101 case KERBEROS_STATE_AP_REQ:
1102
1103 /* Set auth_context options */
1104 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1105 goto cleanup;
1106 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1107 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1108 goto cleanup;
1109 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1110 GSS_CHECKSUM_TYPE))
1111 goto cleanup;
1112
1113 /* Get a service ticket */
1114 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1115 KRB5_NT_SRV_HST, &in_creds.server))
1116 goto cleanup;
1117
1118 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1119 &in_creds.client))
1120 {
1121 status = SEC_E_WRONG_PRINCIPAL;
1122 goto cleanup;
1123 }
1124
1125 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1126 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1127 &creds))
1128 {
1129 status = SEC_E_NO_CREDENTIALS;
1130 goto cleanup;
1131 }
1132
1133 /* Write the checksum (delegation not implemented) */
1134 cksum.data = cksum_contents;
1135 cksum.length = sizeof(cksum_contents);
1136 winpr_Data_Write_UINT32(cksum_contents, 16);
1137 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1138
1139 if (bindings_buffer)
1140 {
1141 SEC_CHANNEL_BINDINGS* bindings = bindings_buffer->pvBuffer;
1142
1143 /* Sanity checks */
1144 if (bindings_buffer->cbBuffer < sizeof(SEC_CHANNEL_BINDINGS) ||
1145 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1146 bindings_buffer->cbBuffer ||
1147 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1148 bindings_buffer->cbBuffer ||
1149 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1150 bindings_buffer->cbBuffer)
1151 {
1152 status = SEC_E_BAD_BINDINGS;
1153 goto cleanup;
1154 }
1155
1156 md5 = winpr_Digest_New();
1157 if (!md5)
1158 goto cleanup;
1159
1160 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1161 goto cleanup;
1162
1163 if (!kerberos_hash_channel_bindings(md5, bindings))
1164 goto cleanup;
1165
1166 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1167 goto cleanup;
1168 }
1169
1170 /* Make the AP_REQ message */
1171 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1172 &cksum, creds, &output_token))
1173 goto cleanup;
1174
1175 if (!sspi_gss_wrap_token(output_buffer,
1176 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1177 TOK_ID_AP_REQ, &output_token))
1178 goto cleanup;
1179
1180 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1181 {
1182 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1183 context->auth_ctx, (INT32*)&context->local_seq))
1184 goto cleanup;
1185 context->remote_seq ^= context->local_seq;
1186 }
1187
1188 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1189 &context->keyset))
1190 goto cleanup;
1191
1192 context->state = KERBEROS_STATE_AP_REP;
1193
1194 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1195 status = SEC_I_CONTINUE_NEEDED;
1196 else
1197 status = SEC_E_OK;
1198 break;
1199
1200 case KERBEROS_STATE_AP_REP:
1201
1202 if (tok_id == TOK_ID_AP_REP)
1203 {
1204 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1205 &reply))
1206 goto cleanup;
1207 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1208 }
1209 else if (tok_id == TOK_ID_ERROR)
1210 {
1211 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1212 goto cleanup;
1213 }
1214 else
1215 goto bad_token;
1216
1217 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1218 {
1219 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1220 context->auth_ctx, (INT32*)&context->remote_seq))
1221 goto cleanup;
1222 }
1223
1224 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1225 &context->keyset))
1226 goto cleanup;
1227
1228 context->state = KERBEROS_STATE_FINAL;
1229
1230 if (output_buffer)
1231 output_buffer->cbBuffer = 0;
1232 status = SEC_E_OK;
1233 break;
1234
1235 case KERBEROS_STATE_FINAL:
1236 default:
1237 WLog_ERR(TAG, "Kerberos in invalid state!");
1238 goto cleanup;
1239 }
1240
1241cleanup:
1242{
1243 /* second_ticket is not allocated */
1244 krb5_data edata = WINPR_C_ARRAY_INIT;
1245 in_creds.second_ticket = edata;
1246 krb5_free_cred_contents(credentials->ctx, &in_creds);
1247}
1248
1249 krb5_free_creds(credentials->ctx, creds);
1250 if (output_token.data)
1251 krb5glue_free_data_contents(credentials->ctx, &output_token);
1252
1253 winpr_Digest_Free(md5);
1254
1255 free(target);
1256
1257 if (isNewContext)
1258 {
1259 switch (status)
1260 {
1261 case SEC_E_OK:
1262 case SEC_I_CONTINUE_NEEDED:
1263 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1264 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1265 break;
1266 default:
1267 kerberos_ContextFree(context, TRUE);
1268 break;
1269 }
1270 }
1271
1272 return status;
1273
1274bad_token:
1275 status = SEC_E_INVALID_TOKEN;
1276 goto cleanup;
1277#else
1278 return SEC_E_UNSUPPORTED_FUNCTION;
1279#endif /* WITH_KRB5 */
1280}
1281
1282static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1283 PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
1284 ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
1285 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, PTimeStamp ptsExpiry)
1286{
1287 SECURITY_STATUS status = 0;
1288 char* target_name = nullptr;
1289
1290 if (pszTargetName)
1291 {
1292 target_name = ConvertWCharToUtf8Alloc(pszTargetName, nullptr);
1293 if (!target_name)
1294 return SEC_E_INSUFFICIENT_MEMORY;
1295 }
1296
1297 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1298 Reserved1, TargetDataRep, pInput, Reserved2,
1299 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1300
1301 if (target_name)
1302 free(target_name);
1303
1304 return status;
1305}
1306
1307#ifdef WITH_KRB5
1308static BOOL retrieveTgtForPrincipal(KRB_CREDENTIALS* credentials, krb5_principal principal,
1309 krb5_creds* creds)
1310{
1311 BOOL ret = FALSE;
1312 krb5_kt_cursor cur = WINPR_C_ARRAY_INIT;
1313 krb5_keytab_entry entry = WINPR_C_ARRAY_INIT;
1314 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1315 goto cleanup;
1316
1317 do
1318 {
1319 krb5_error_code rv =
1320 krb_log_exec(krb5_kt_next_entry, credentials->ctx, credentials->keytab, &entry, &cur);
1321 if (rv == KRB5_KT_END)
1322 break;
1323 if (rv != 0)
1324 goto cleanup;
1325
1326 if (krb5_principal_compare(credentials->ctx, principal, entry.principal))
1327 break;
1328 rv = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);
1329 memset(&entry, 0, sizeof(entry));
1330 if (rv)
1331 goto cleanup;
1332 } while (1);
1333
1334 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1335 goto cleanup;
1336
1337 if (!entry.principal)
1338 goto cleanup;
1339
1340 /* Get the TGT */
1341 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, creds, entry.principal,
1342 credentials->keytab, 0, nullptr, nullptr))
1343 goto cleanup;
1344
1345 ret = TRUE;
1346
1347cleanup:
1348 return ret;
1349}
1350
1351static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, krb5_creds* creds)
1352{
1353 BOOL ret = TRUE;
1354 krb5_principal target_princ = WINPR_C_ARRAY_INIT;
1355 char* default_realm = nullptr;
1356
1357 krb5_error_code rv =
1358 krb_log_exec(krb5_parse_name_flags, credentials->ctx, target, 0, &target_princ);
1359 if (rv)
1360 return FALSE;
1361
1362#if defined(WITH_KRB5_HEIMDAL)
1363 if (!target_princ->realm)
1364 {
1365 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1366 if (rv)
1367 goto out;
1368
1369 target_princ->realm = default_realm;
1370 }
1371#else
1372 if (!target_princ->realm.length)
1373 {
1374 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1375 if (rv)
1376 goto out;
1377
1378 target_princ->realm.data = default_realm;
1379 target_princ->realm.length = (unsigned int)strlen(default_realm);
1380 }
1381#endif
1382
1383 /*
1384 * First try with the account service. We were requested with something like
1385 * TERMSRV/<host>@<realm>, let's see if we have that in our keytab and if we're able
1386 * to retrieve a TGT with that entry
1387 *
1388 */
1389 if (retrieveTgtForPrincipal(credentials, target_princ, creds))
1390 goto out;
1391
1392 ret = FALSE;
1393
1394#if defined(WITH_KRB5_MIT)
1395 /*
1396 * if it's not working let's try with <host>$@<REALM> (note the dollar)
1397 */
1398 {
1399 char hostDollar[300] = WINPR_C_ARRAY_INIT;
1400 if (target_princ->length < 2)
1401 goto out;
1402
1403 (void)snprintf(hostDollar, sizeof(hostDollar) - 1, "%s$@%s", target_princ->data[1].data,
1404 target_princ->realm.data);
1405 krb5_free_principal(credentials->ctx, target_princ);
1406
1407 rv = krb_log_exec(krb5_parse_name_flags, credentials->ctx, hostDollar, 0, &target_princ);
1408 if (rv)
1409 return FALSE;
1410 }
1411 ret = retrieveTgtForPrincipal(credentials, target_princ, creds);
1412#endif
1413
1414out:
1415 if (default_realm)
1416 krb5_free_default_realm(credentials->ctx, default_realm);
1417
1418 krb5_free_principal(credentials->ctx, target_princ);
1419 return ret;
1420}
1421#endif
1422
1423static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1424 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED PCtxtHandle phContext,
1425 WINPR_ATTR_UNUSED PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG fContextReq,
1426 WINPR_ATTR_UNUSED ULONG TargetDataRep, WINPR_ATTR_UNUSED PCtxtHandle phNewContext,
1427 WINPR_ATTR_UNUSED PSecBufferDesc pOutput, WINPR_ATTR_UNUSED ULONG* pfContextAttr,
1428 WINPR_ATTR_UNUSED PTimeStamp ptsExpity)
1429{
1430#ifdef WITH_KRB5
1431 BOOL isNewContext = FALSE;
1432 PSecBuffer input_buffer = nullptr;
1433 PSecBuffer output_buffer = nullptr;
1434 WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT;
1435 uint16_t tok_id = 0;
1436 krb5_data input_token = WINPR_C_ARRAY_INIT;
1437 krb5_data output_token = WINPR_C_ARRAY_INIT;
1438 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1439 krb5_flags ap_flags = 0;
1440 krb5glue_authenticator authenticator = nullptr;
1441 char* target = nullptr;
1442 krb5_keytab_entry entry = WINPR_C_ARRAY_INIT;
1443 krb5_creds creds = WINPR_C_ARRAY_INIT;
1444
1445 /* behave like windows SSPIs that don't want empty context */
1446 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1447 return SEC_E_INVALID_HANDLE;
1448
1449 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1450 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1451
1452 if (pInput)
1453 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1454 if (pOutput)
1455 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1456
1457 if (!input_buffer)
1458 return SEC_E_INVALID_TOKEN;
1459
1460 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1461 return SEC_E_INVALID_TOKEN;
1462
1463 if (!context)
1464 {
1465 isNewContext = TRUE;
1466 context = kerberos_ContextNew(credentials);
1467 context->acceptor = TRUE;
1468
1469 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1470 {
1471 context->u2u = TRUE;
1472 context->state = KERBEROS_STATE_TGT_REQ;
1473 }
1474 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1475 context->state = KERBEROS_STATE_AP_REQ;
1476 else
1477 goto bad_token;
1478 }
1479 else
1480 {
1481 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1482 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1483 goto bad_token;
1484 }
1485
1486 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1487 {
1488 if (!kerberos_rd_tgt_token(&input_token, &target, nullptr))
1489 goto bad_token;
1490
1491 if (!retrieveSomeTgt(credentials, target, &creds))
1492 goto cleanup;
1493
1494 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, nullptr, nullptr, &creds.ticket))
1495 goto cleanup;
1496
1497 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1498 goto cleanup;
1499
1500 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1501 &krb5glue_creds_getkey(creds)))
1502 goto cleanup;
1503
1504 context->state = KERBEROS_STATE_AP_REQ;
1505 }
1506 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1507 {
1508 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, nullptr,
1509 credentials->keytab, &ap_flags, nullptr))
1510 goto cleanup;
1511
1512 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1513 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1514 goto cleanup;
1515
1516 /* Retrieve and validate the checksum */
1517 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1518 &authenticator))
1519 goto cleanup;
1520 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1521 &context->flags))
1522 goto bad_token;
1523
1524 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1525 {
1526 if (!output_buffer)
1527 goto bad_token;
1528 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1529 goto cleanup;
1530 if (!sspi_gss_wrap_token(output_buffer,
1531 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1532 TOK_ID_AP_REP, &output_token))
1533 goto cleanup;
1534 }
1535 else
1536 {
1537 if (output_buffer)
1538 output_buffer->cbBuffer = 0;
1539 }
1540
1541 *pfContextAttr = (context->flags & 0x1F);
1542 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1543 *pfContextAttr |= ASC_RET_INTEGRITY;
1544
1545 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1546 {
1547 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1548 (INT32*)&context->local_seq))
1549 goto cleanup;
1550 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1551 (INT32*)&context->remote_seq))
1552 goto cleanup;
1553 }
1554
1555 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1556 &context->keyset))
1557 goto cleanup;
1558
1559 context->state = KERBEROS_STATE_FINAL;
1560 }
1561 else
1562 goto bad_token;
1563
1564 /* On first call allocate new context */
1565 if (context->state == KERBEROS_STATE_FINAL)
1566 status = SEC_E_OK;
1567 else
1568 status = SEC_I_CONTINUE_NEEDED;
1569
1570cleanup:
1571 free(target);
1572 if (output_token.data)
1573 krb5glue_free_data_contents(credentials->ctx, &output_token);
1574 if (entry.principal)
1575 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1576
1577 if (isNewContext)
1578 {
1579 switch (status)
1580 {
1581 case SEC_E_OK:
1582 case SEC_I_CONTINUE_NEEDED:
1583 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1584 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1585 break;
1586 default:
1587 kerberos_ContextFree(context, TRUE);
1588 break;
1589 }
1590 }
1591
1592 return status;
1593
1594bad_token:
1595 status = SEC_E_INVALID_TOKEN;
1596 goto cleanup;
1597#else
1598 return SEC_E_UNSUPPORTED_FUNCTION;
1599#endif /* WITH_KRB5 */
1600}
1601
1602#ifdef WITH_KRB5
1603static KRB_CONTEXT* get_context(PCtxtHandle phContext)
1604{
1605 if (!phContext)
1606 return nullptr;
1607
1608 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1609 if (!name)
1610 return nullptr;
1611
1612 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1613 return nullptr;
1614 return sspi_SecureHandleGetLowerPointer(phContext);
1615}
1616
1617static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1618{
1619 WINPR_ASSERT(data);
1620 WINPR_ASSERT(ptr);
1621 WINPR_ASSERT(psize);
1622
1623 *ptr = (PUCHAR)malloc(data->length);
1624 if (!*ptr)
1625 return FALSE;
1626
1627 *psize = data->length;
1628 memcpy(*ptr, data->data, data->length);
1629 return TRUE;
1630}
1631#endif
1632
1633static SECURITY_STATUS
1634 SEC_ENTRY kerberos_DeleteSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
1635{
1636#ifdef WITH_KRB5
1637 KRB_CONTEXT* context = get_context(phContext);
1638 if (!context)
1639 return SEC_E_INVALID_HANDLE;
1640
1641 kerberos_ContextFree(context, TRUE);
1642
1643 return SEC_E_OK;
1644#else
1645 return SEC_E_UNSUPPORTED_FUNCTION;
1646#endif
1647}
1648
1649#ifdef WITH_KRB5
1650
1651static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1652{
1653 switch (code)
1654 {
1655 case 0:
1656 return SEC_E_OK;
1657 default:
1658 return SEC_E_INTERNAL_ERROR;
1659 }
1660}
1661
1662static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1663 SecPkgContext_Sizes* ContextSizes)
1664{
1665 UINT header = 0;
1666 UINT pad = 0;
1667 UINT trailer = 0;
1668 krb5glue_key key = nullptr;
1669
1670 WINPR_ASSERT(context);
1671 WINPR_ASSERT(context->auth_ctx);
1672
1673 /* The MaxTokenSize by default is 12,000 bytes. This has been the default value
1674 * since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2.
1675 * For Windows Server 2012, the default value of the MaxTokenSize registry
1676 * entry is 48,000 bytes.*/
1677 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1678 ContextSizes->cbMaxSignature = 0;
1679 ContextSizes->cbBlockSize = 1;
1680 ContextSizes->cbSecurityTrailer = 0;
1681
1682 key = get_key(&context->keyset);
1683
1684 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1685 {
1686 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1687 KRB5_CRYPTO_TYPE_HEADER, &header);
1688 if (rv)
1689 return krb5_error_to_SECURITY_STATUS(rv);
1690
1691 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1692 &pad);
1693 if (rv)
1694 return krb5_error_to_SECURITY_STATUS(rv);
1695
1696 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1697 &trailer);
1698 if (rv)
1699 return krb5_error_to_SECURITY_STATUS(rv);
1700
1701 /* GSS header (= 16 bytes) + encrypted header = 32 bytes */
1702 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1703 }
1704
1705 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1706 {
1707 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1708 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1709 if (rv)
1710 return krb5_error_to_SECURITY_STATUS(rv);
1711
1712 ContextSizes->cbMaxSignature += 16;
1713 }
1714
1715 return SEC_E_OK;
1716}
1717
1718static SECURITY_STATUS kerberos_ATTR_AUTH_IDENTITY(KRB_CONTEXT* context,
1719 KRB_CREDENTIALS* credentials,
1720 SecPkgContext_AuthIdentity* AuthIdentity)
1721{
1722 const SecPkgContext_AuthIdentity empty = WINPR_C_ARRAY_INIT;
1723
1724 WINPR_ASSERT(context);
1725 WINPR_ASSERT(context->auth_ctx);
1726 WINPR_ASSERT(credentials);
1727
1728 WINPR_ASSERT(AuthIdentity);
1729 *AuthIdentity = empty;
1730
1731 krb5glue_authenticator authenticator = nullptr;
1732 krb5_error_code rv = krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx,
1733 context->auth_ctx, &authenticator);
1734 if (rv)
1735 goto fail;
1736
1737 {
1738 rv = -1;
1739
1740#if defined(WITH_KRB5_HEIMDAL)
1741 const Realm data = authenticator->crealm;
1742 if (!data)
1743 goto fail;
1744 const size_t data_len = length_Realm(&data);
1745#else
1746 krb5_data* realm_data = krb5_princ_realm(credentials->ctx, authenticator->client);
1747 if (!realm_data)
1748 goto fail;
1749 const char* data = realm_data->data;
1750 if (!data)
1751 goto fail;
1752 const size_t data_len = realm_data->length;
1753#endif
1754
1755 if (data_len > (sizeof(AuthIdentity->Domain) - 1))
1756 goto fail;
1757 strncpy(AuthIdentity->Domain, data, data_len);
1758 }
1759
1760 {
1761#if defined(WITH_KRB5_HEIMDAL)
1762 const PrincipalName* principal = &authenticator->cname;
1763 const size_t name_length = length_PrincipalName(principal);
1764 if (!principal->name_string.val)
1765 goto fail;
1766 const char* name = *principal->name_string.val;
1767#else
1768 char* name = nullptr;
1769 rv = krb_log_exec(krb5_unparse_name_flags, credentials->ctx, authenticator->client,
1770 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
1771 if (rv)
1772 goto fail;
1773
1774 const size_t name_length = strlen(name);
1775#endif
1776
1777 const bool ok = (name_length <= (sizeof(AuthIdentity->User) - 1));
1778 if (ok)
1779 strncpy(AuthIdentity->User, name, name_length);
1780
1781 rv = ok ? 0 : -1;
1782
1783#if !defined(WITH_KRB5_HEIMDAL)
1784 krb5_free_unparsed_name(credentials->ctx, name);
1785#endif
1786 }
1787
1788fail:
1789 krb5glue_free_authenticator(credentials->ctx, authenticator);
1790 return krb5_error_to_SECURITY_STATUS(rv);
1791}
1792
1793static SECURITY_STATUS kerberos_ATTR_PACKAGE_INFO(WINPR_ATTR_UNUSED KRB_CONTEXT* context,
1794 WINPR_ATTR_UNUSED KRB_CREDENTIALS* credentials,
1795 SecPkgContext_PackageInfo* PackageInfo)
1796{
1797 size_t size = sizeof(SecPkgInfoA);
1798 SecPkgInfoA* pPackageInfo =
1799 (SecPkgInfoA*)sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
1800
1801 if (!pPackageInfo)
1802 return SEC_E_INSUFFICIENT_MEMORY;
1803
1804 pPackageInfo->fCapabilities = KERBEROS_SecPkgInfoA.fCapabilities;
1805 pPackageInfo->wVersion = KERBEROS_SecPkgInfoA.wVersion;
1806 pPackageInfo->wRPCID = KERBEROS_SecPkgInfoA.wRPCID;
1807 pPackageInfo->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1808 pPackageInfo->Name = _strdup(KERBEROS_SecPkgInfoA.Name);
1809 pPackageInfo->Comment = _strdup(KERBEROS_SecPkgInfoA.Comment);
1810
1811 if (!pPackageInfo->Name || !pPackageInfo->Comment)
1812 {
1813 sspi_ContextBufferFree(pPackageInfo);
1814 return SEC_E_INSUFFICIENT_MEMORY;
1815 }
1816 PackageInfo->PackageInfo = pPackageInfo;
1817 return SEC_E_OK;
1818}
1819
1820static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1821 KRB_CREDENTIALS* credentials,
1822 KERB_TICKET_LOGON* ticketLogon)
1823{
1824 krb5_creds matchCred = WINPR_C_ARRAY_INIT;
1825 krb5_auth_context authContext = nullptr;
1826 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1827 BOOL firstRun = TRUE;
1828 krb5_creds* hostCred = nullptr;
1829 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1830 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost, "HOST",
1831 KRB5_NT_SRV_HST, &matchCred.server);
1832 if (rv)
1833 goto out;
1834
1835 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1836 &matchCred.client);
1837 if (rv)
1838 goto out;
1839
1840 /* try from the cache first, and then do a new request */
1841again:
1842 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1843 &matchCred, &hostCred);
1844 switch (rv)
1845 {
1846 case 0:
1847 break;
1848 case KRB5_CC_NOTFOUND:
1849 getCredsFlags = 0;
1850 if (firstRun)
1851 {
1852 firstRun = FALSE;
1853 goto again;
1854 }
1855 WINPR_FALLTHROUGH
1856 default:
1857 WLog_ERR(TAG, "krb5_get_credentials(hostCreds), rv=%d", rv);
1858 goto out;
1859 }
1860
1861 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1862 goto out;
1863
1864 {
1865 krb5_data derOut = WINPR_C_ARRAY_INIT;
1866 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1867 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1868 {
1869 ret = SEC_E_LOGON_DENIED;
1870 goto out;
1871 }
1872
1873 ticketLogon->MessageType = KerbTicketLogon;
1874 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1875
1876 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1877 &ticketLogon->ServiceTicketLength))
1878 {
1879 krb5_free_data(credentials->ctx, &derOut);
1880 goto out;
1881 }
1882
1883 ticketLogon->TicketGrantingTicketLength = derOut.length;
1884 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1885 }
1886
1887 ret = SEC_E_OK;
1888out:
1889 krb5_auth_con_free(credentials->ctx, authContext);
1890 krb5_free_creds(credentials->ctx, hostCred);
1891 krb5_free_cred_contents(credentials->ctx, &matchCred);
1892 return ret;
1893}
1894
1895#endif /* WITH_KRB5 */
1896
1897static SECURITY_STATUS
1898 SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext,
1899 WINPR_ATTR_UNUSED ULONG ulAttribute, void* pBuffer)
1900{
1901 if (!phContext)
1902 return SEC_E_INVALID_HANDLE;
1903
1904 if (!pBuffer)
1905 return SEC_E_INVALID_PARAMETER;
1906
1907#ifdef WITH_KRB5
1908 KRB_CONTEXT* context = get_context(phContext);
1909 if (!context)
1910 return SEC_E_INVALID_PARAMETER;
1911
1912 KRB_CREDENTIALS* credentials = context->credentials;
1913
1914 switch (ulAttribute)
1915 {
1916 case SECPKG_ATTR_SIZES:
1917 return kerberos_ATTR_SIZES(context, credentials, (SecPkgContext_Sizes*)pBuffer);
1918
1919 case SECPKG_ATTR_AUTH_IDENTITY:
1920 return kerberos_ATTR_AUTH_IDENTITY(context, credentials,
1921 (SecPkgContext_AuthIdentity*)pBuffer);
1922
1923 case SECPKG_ATTR_PACKAGE_INFO:
1924 return kerberos_ATTR_PACKAGE_INFO(context, credentials,
1925 (SecPkgContext_PackageInfo*)pBuffer);
1926
1927 case SECPKG_CRED_ATTR_TICKET_LOGON:
1928 return kerberos_ATTR_TICKET_LOGON(context, credentials, (KERB_TICKET_LOGON*)pBuffer);
1929
1930 default:
1931 WLog_ERR(TAG, "TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1932 ulAttribute);
1933 return SEC_E_UNSUPPORTED_FUNCTION;
1934 }
1935#else
1936 return SEC_E_UNSUPPORTED_FUNCTION;
1937#endif
1938}
1939
1940static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext,
1941 ULONG ulAttribute, void* pBuffer)
1942{
1943 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1944}
1945
1946static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
1947 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1948 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1949{
1950 return SEC_E_UNSUPPORTED_FUNCTION;
1951}
1952
1953static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
1954 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1955 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1956{
1957 return SEC_E_UNSUPPORTED_FUNCTION;
1958}
1959
1960static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(
1961 WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
1962 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer,
1963 WINPR_ATTR_UNUSED BOOL unicode)
1964{
1965#ifdef WITH_KRB5
1966 KRB_CREDENTIALS* credentials = nullptr;
1967
1968 if (!phCredential)
1969 return SEC_E_INVALID_HANDLE;
1970
1971 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1972
1973 if (!credentials)
1974 return SEC_E_INVALID_HANDLE;
1975
1976 if (!pBuffer)
1977 return SEC_E_INSUFFICIENT_MEMORY;
1978
1979 switch (ulAttribute)
1980 {
1981 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1982 {
1983 SecPkgCredentials_KdcProxySettingsW* kdc_settings = pBuffer;
1984
1985 /* Sanity checks */
1986 if (cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1987 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1988 kdc_settings->ProxyServerOffset < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1989 cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) +
1990 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1991 return SEC_E_INVALID_TOKEN;
1992
1993 if (credentials->kdc_url)
1994 {
1995 free(credentials->kdc_url);
1996 credentials->kdc_url = nullptr;
1997 }
1998
1999 if (kdc_settings->ProxyServerLength > 0)
2000 {
2001 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
2002
2003 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
2004 proxy, kdc_settings->ProxyServerLength / sizeof(WCHAR), nullptr);
2005 if (!credentials->kdc_url)
2006 return SEC_E_INSUFFICIENT_MEMORY;
2007 }
2008
2009 return SEC_E_OK;
2010 }
2011 case SECPKG_CRED_ATTR_NAMES:
2012 case SECPKG_ATTR_SUPPORTED_ALGS:
2013 default:
2014 WLog_ERR(TAG, "TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
2015 ulAttribute);
2016 return SEC_E_UNSUPPORTED_FUNCTION;
2017 }
2018
2019#else
2020 return SEC_E_UNSUPPORTED_FUNCTION;
2021#endif
2022}
2023
2024static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(PCredHandle phCredential,
2025 ULONG ulAttribute,
2026 void* pBuffer, ULONG cbBuffer)
2027{
2028 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
2029}
2030
2031static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(PCredHandle phCredential,
2032 ULONG ulAttribute,
2033 void* pBuffer, ULONG cbBuffer)
2034{
2035 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
2036}
2037
2038static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2039 WINPR_ATTR_UNUSED ULONG fQOP,
2040 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2041 WINPR_ATTR_UNUSED ULONG MessageSeqNo)
2042{
2043#ifdef WITH_KRB5
2044 KRB_CONTEXT* context = get_context(phContext);
2045 PSecBuffer sig_buffer = nullptr;
2046 PSecBuffer data_buffer = nullptr;
2047 char* header = nullptr;
2048 BYTE flags = 0;
2049 krb5glue_key key = nullptr;
2050 krb5_keyusage usage = 0;
2051 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2052 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2053 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2054 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2055 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2056
2057 if (!context)
2058 return SEC_E_INVALID_HANDLE;
2059
2060 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2061 return SEC_E_UNSUPPORTED_FUNCTION;
2062
2063 KRB_CREDENTIALS* creds = context->credentials;
2064
2065 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2066 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2067
2068 if (!sig_buffer || !data_buffer)
2069 return SEC_E_INVALID_TOKEN;
2070
2071 if (fQOP)
2072 return SEC_E_QOP_NOT_SUPPORTED;
2073
2074 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2075 flags |= FLAG_WRAP_CONFIDENTIAL;
2076
2077 key = get_key(&context->keyset);
2078 if (!key)
2079 return SEC_E_INTERNAL_ERROR;
2080
2081 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2082
2083 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
2084
2085 /* Set the lengths of the data (plaintext + header) */
2086 encrypt_iov[1].data.length = data_buffer->cbBuffer;
2087 encrypt_iov[2].data.length = 16;
2088
2089 /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
2090 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
2091 ARRAYSIZE(encrypt_iov)))
2092 return SEC_E_INTERNAL_ERROR;
2093 if (sig_buffer->cbBuffer <
2094 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
2095 return SEC_E_INSUFFICIENT_MEMORY;
2096
2097 /* Set up the iov array in sig_buffer */
2098 header = sig_buffer->pvBuffer;
2099 encrypt_iov[2].data.data = header + 16;
2100 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
2101 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
2102 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
2103 encrypt_iov[1].data.data = data_buffer->pvBuffer;
2104
2105 /* Write the GSS header with 0 in RRC */
2106 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
2107 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2108 header[3] = (char)0xFF;
2109 winpr_Data_Write_UINT32(header + 4, 0);
2110 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2111
2112 /* Copy header to be encrypted */
2113 CopyMemory(encrypt_iov[2].data.data, header, 16);
2114
2115 /* Set the correct RRC */
2116 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
2117 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
2118
2119 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
2120 ARRAYSIZE(encrypt_iov)))
2121 return SEC_E_INTERNAL_ERROR;
2122
2123 return SEC_E_OK;
2124#else
2125 return SEC_E_UNSUPPORTED_FUNCTION;
2126#endif
2127}
2128
2129static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2130 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2131 WINPR_ATTR_UNUSED ULONG MessageSeqNo,
2132 WINPR_ATTR_UNUSED ULONG* pfQOP)
2133{
2134#ifdef WITH_KRB5
2135 KRB_CONTEXT* context = get_context(phContext);
2136 PSecBuffer sig_buffer = nullptr;
2137 PSecBuffer data_buffer = nullptr;
2138 krb5glue_key key = nullptr;
2139 krb5_keyusage usage = 0;
2140 uint16_t tok_id = 0;
2141 BYTE flags = 0;
2142 uint16_t ec = 0;
2143 uint16_t rrc = 0;
2144 uint64_t seq_no = 0;
2145 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2146 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2147 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2148 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2149 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2150
2151 if (!context)
2152 return SEC_E_INVALID_HANDLE;
2153
2154 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2155 return SEC_E_UNSUPPORTED_FUNCTION;
2156
2157 KRB_CREDENTIALS* creds = context->credentials;
2158
2159 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2160 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2161
2162 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2163 return SEC_E_INVALID_TOKEN;
2164
2165 /* Read in header information */
2166 BYTE* header = sig_buffer->pvBuffer;
2167 tok_id = winpr_Data_Get_UINT16_BE(header);
2168 flags = header[2];
2169 ec = winpr_Data_Get_UINT16_BE(&header[4]);
2170 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
2171 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
2172
2173 /* Check that the header is valid */
2174 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
2175 return SEC_E_INVALID_TOKEN;
2176
2177 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
2178 return SEC_E_INVALID_TOKEN;
2179
2180 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
2181 (seq_no != context->remote_seq + MessageSeqNo))
2182 return SEC_E_OUT_OF_SEQUENCE;
2183
2184 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
2185 return SEC_E_INVALID_TOKEN;
2186
2187 /* We don't expect a trailer buffer; the encrypted header must be rotated */
2188 if (rrc < 16)
2189 return SEC_E_INVALID_TOKEN;
2190
2191 /* Find the proper key and key usage */
2192 key = get_key(&context->keyset);
2193 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
2194 return SEC_E_INTERNAL_ERROR;
2195 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
2196
2197 /* Fill in the lengths of the iov array */
2198 iov[1].data.length = data_buffer->cbBuffer;
2199 iov[2].data.length = 16;
2200 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2201 return SEC_E_INTERNAL_ERROR;
2202
2203 /* We don't expect a trailer buffer; everything must be in sig_buffer */
2204 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
2205 return SEC_E_INVALID_TOKEN;
2206 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
2207 return SEC_E_INVALID_TOKEN;
2208
2209 /* Locate the parts of the message */
2210 iov[0].data.data = (char*)&header[16 + rrc + ec];
2211 iov[1].data.data = data_buffer->pvBuffer;
2212 iov[2].data.data = (char*)&header[16 + ec];
2213 char* data2 = iov[2].data.data;
2214 iov[3].data.data = &data2[iov[2].data.length];
2215
2216 char* data3 = iov[3].data.data;
2217 iov[4].data.data = &data3[iov[3].data.length];
2218
2219 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2220 return SEC_E_INTERNAL_ERROR;
2221
2222 /* Validate the encrypted header */
2223 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
2224 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
2225 if (memcmp(iov[2].data.data, header, 16) != 0)
2226 return SEC_E_MESSAGE_ALTERED;
2227
2228 *pfQOP = 0;
2229
2230 return SEC_E_OK;
2231#else
2232 return SEC_E_UNSUPPORTED_FUNCTION;
2233#endif
2234}
2235
2236static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2237 WINPR_ATTR_UNUSED ULONG fQOP,
2238 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2239 WINPR_ATTR_UNUSED ULONG MessageSeqNo)
2240{
2241#ifdef WITH_KRB5
2242 KRB_CONTEXT* context = get_context(phContext);
2243 PSecBuffer sig_buffer = nullptr;
2244 PSecBuffer data_buffer = nullptr;
2245 krb5glue_key key = nullptr;
2246 krb5_keyusage usage = 0;
2247 BYTE flags = 0;
2248 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2249 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2250 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2251
2252 if (!context)
2253 return SEC_E_INVALID_HANDLE;
2254
2255 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2256 return SEC_E_UNSUPPORTED_FUNCTION;
2257
2258 KRB_CREDENTIALS* creds = context->credentials;
2259
2260 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2261 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2262
2263 if (!sig_buffer || !data_buffer)
2264 return SEC_E_INVALID_TOKEN;
2265
2266 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2267
2268 key = get_key(&context->keyset);
2269 if (!key)
2270 return SEC_E_INTERNAL_ERROR;
2271 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2272
2273 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2274
2275 /* Fill in the lengths of the iov array */
2276 iov[0].data.length = data_buffer->cbBuffer;
2277 iov[1].data.length = 16;
2278 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2279 return SEC_E_INTERNAL_ERROR;
2280
2281 /* Ensure the buffer is big enough */
2282 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2283 return SEC_E_INSUFFICIENT_MEMORY;
2284
2285 /* Write the header */
2286 char* header = sig_buffer->pvBuffer;
2287 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2288 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2289 memset(header + 3, 0xFF, 5);
2290 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2291
2292 /* Set up the iov array */
2293 iov[0].data.data = data_buffer->pvBuffer;
2294 iov[1].data.data = header;
2295 iov[2].data.data = header + 16;
2296
2297 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2298 return SEC_E_INTERNAL_ERROR;
2299
2300 sig_buffer->cbBuffer = iov[2].data.length + 16;
2301
2302 return SEC_E_OK;
2303#else
2304 return SEC_E_UNSUPPORTED_FUNCTION;
2305#endif
2306}
2307
2308static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(WINPR_ATTR_UNUSED PCtxtHandle phContext,
2309 WINPR_ATTR_UNUSED PSecBufferDesc pMessage,
2310 WINPR_ATTR_UNUSED ULONG MessageSeqNo,
2311 WINPR_ATTR_UNUSED ULONG* pfQOP)
2312{
2313#ifdef WITH_KRB5
2314 PSecBuffer sig_buffer = nullptr;
2315 PSecBuffer data_buffer = nullptr;
2316 krb5glue_key key = nullptr;
2317 krb5_keyusage usage = 0;
2318 BYTE flags = 0;
2319 uint16_t tok_id = 0;
2320 uint64_t seq_no = 0;
2321 krb5_boolean is_valid = 0;
2322 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2323 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2324 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2325 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2326
2327 KRB_CONTEXT* context = get_context(phContext);
2328 if (!context)
2329 return SEC_E_INVALID_HANDLE;
2330
2331 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2332 return SEC_E_UNSUPPORTED_FUNCTION;
2333
2334 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2335 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2336
2337 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2338 return SEC_E_INVALID_TOKEN;
2339
2340 /* Read in header info */
2341 BYTE* header = sig_buffer->pvBuffer;
2342 tok_id = winpr_Data_Get_UINT16_BE(header);
2343 flags = header[2];
2344 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2345
2346 /* Validate header */
2347 if (tok_id != TOK_ID_MIC)
2348 return SEC_E_INVALID_TOKEN;
2349
2350 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2351 return SEC_E_INVALID_TOKEN;
2352
2353 if (memcmp(header + 3, cmp_filler, sizeof(cmp_filler)) != 0)
2354 return SEC_E_INVALID_TOKEN;
2355
2356 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2357 return SEC_E_OUT_OF_SEQUENCE;
2358
2359 /* Find the proper key and usage */
2360 key = get_key(&context->keyset);
2361 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2362 return SEC_E_INTERNAL_ERROR;
2363 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2364
2365 /* Fill in the iov array lengths */
2366 KRB_CREDENTIALS* creds = context->credentials;
2367 iov[0].data.length = data_buffer->cbBuffer;
2368 iov[1].data.length = 16;
2369 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2370 return SEC_E_INTERNAL_ERROR;
2371
2372 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2373 return SEC_E_INTERNAL_ERROR;
2374
2375 /* Set up the iov array */
2376 iov[0].data.data = data_buffer->pvBuffer;
2377 iov[1].data.data = (char*)header;
2378 iov[2].data.data = (char*)&header[16];
2379
2380 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2381 &is_valid))
2382 return SEC_E_INTERNAL_ERROR;
2383
2384 if (!is_valid)
2385 return SEC_E_MESSAGE_ALTERED;
2386
2387 return SEC_E_OK;
2388#else
2389 return SEC_E_UNSUPPORTED_FUNCTION;
2390#endif
2391}
2392
2393const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = {
2394 3, /* dwVersion */
2395 nullptr, /* EnumerateSecurityPackages */
2396 kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
2397 kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
2398 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2399 nullptr, /* Reserved2 */
2400 kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */
2401 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2402 nullptr, /* CompleteAuthToken */
2403 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2404 nullptr, /* ApplyControlToken */
2405 kerberos_QueryContextAttributesA, /* QueryContextAttributes */
2406 nullptr, /* ImpersonateSecurityContext */
2407 nullptr, /* RevertSecurityContext */
2408 kerberos_MakeSignature, /* MakeSignature */
2409 kerberos_VerifySignature, /* VerifySignature */
2410 nullptr, /* FreeContextBuffer */
2411 nullptr, /* QuerySecurityPackageInfo */
2412 nullptr, /* Reserved3 */
2413 nullptr, /* Reserved4 */
2414 nullptr, /* ExportSecurityContext */
2415 nullptr, /* ImportSecurityContext */
2416 nullptr, /* AddCredentials */
2417 nullptr, /* Reserved8 */
2418 nullptr, /* QuerySecurityContextToken */
2419 kerberos_EncryptMessage, /* EncryptMessage */
2420 kerberos_DecryptMessage, /* DecryptMessage */
2421 kerberos_SetContextAttributesA, /* SetContextAttributes */
2422 kerberos_SetCredentialsAttributesA, /* SetCredentialsAttributes */
2423};
2424
2425const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = {
2426 3, /* dwVersion */
2427 nullptr, /* EnumerateSecurityPackages */
2428 kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
2429 kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
2430 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2431 nullptr, /* Reserved2 */
2432 kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */
2433 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2434 nullptr, /* CompleteAuthToken */
2435 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2436 nullptr, /* ApplyControlToken */
2437 kerberos_QueryContextAttributesW, /* QueryContextAttributes */
2438 nullptr, /* ImpersonateSecurityContext */
2439 nullptr, /* RevertSecurityContext */
2440 kerberos_MakeSignature, /* MakeSignature */
2441 kerberos_VerifySignature, /* VerifySignature */
2442 nullptr, /* FreeContextBuffer */
2443 nullptr, /* QuerySecurityPackageInfo */
2444 nullptr, /* Reserved3 */
2445 nullptr, /* Reserved4 */
2446 nullptr, /* ExportSecurityContext */
2447 nullptr, /* ImportSecurityContext */
2448 nullptr, /* AddCredentials */
2449 nullptr, /* Reserved8 */
2450 nullptr, /* QuerySecurityContextToken */
2451 kerberos_EncryptMessage, /* EncryptMessage */
2452 kerberos_DecryptMessage, /* DecryptMessage */
2453 kerberos_SetContextAttributesW, /* SetContextAttributes */
2454 kerberos_SetCredentialsAttributesW, /* SetCredentialsAttributes */
2455};
2456
2457BOOL KERBEROS_init(void)
2458{
2459 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2460 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2461 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2462 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
2463 return TRUE;
2464}
KERB_TICKET_LOGON
Definition secapi.h:51
SECURITY_INTEGER
Definition include/winpr/sspi.h:51
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SEC_WINNT_AUTH_IDENTITY_WINPR
Definition include/winpr/sspi.h:885
SEC_WINPR_KERBEROS_SETTINGS
Definition include/winpr/sspi.h:870
SecPkgContext_AuthIdentity
Definition include/winpr/sspi.h:1342
SecPkgContext_PackageInfo
Definition include/winpr/sspi.h:404
SecPkgContext_Sizes
Definition include/winpr/sspi.h:427
SecPkgCredentials_KdcProxySettingsW
Definition include/winpr/sspi.h:525
WinPrAsn1_MemoryChunk
Definition asn1.h:91
krb5glue_keyset
Definition krb5glue.h:92
sspi_gss_data
Definition sspi_gss.h:36
SEC_WINNT_AUTH_IDENTITY_INFO
Definition include/winpr/sspi.h:783