FreeRDP
Loading...
Searching...
No Matches
kerberos.c
1
22#include <winpr/config.h>
23
24#include <stdio.h>
25#include <stdlib.h>
26#include <string.h>
27#include <errno.h>
28#include <fcntl.h>
29#include <ctype.h>
30
31#include <winpr/assert.h>
32#include <winpr/cast.h>
33#include <winpr/asn1.h>
34#include <winpr/crt.h>
35#include <winpr/interlocked.h>
36#include <winpr/sspi.h>
37#include <winpr/print.h>
38#include <winpr/tchar.h>
39#include <winpr/sysinfo.h>
40#include <winpr/registry.h>
41#include <winpr/endian.h>
42#include <winpr/crypto.h>
43#include <winpr/path.h>
44#include <winpr/wtypes.h>
45#include <winpr/winsock.h>
46#include <winpr/schannel.h>
47#include <winpr/secapi.h>
48
49#include "kerberos.h"
50
51#ifdef WITH_KRB5_MIT
52#include "krb5glue.h"
53#include <profile.h>
54#endif
55
56#ifdef WITH_KRB5_HEIMDAL
57#include "krb5glue.h"
58#include <krb5-protos.h>
59#endif
60
61#include "../sspi.h"
62#include "../../log.h"
63#define TAG WINPR_TAG("sspi.Kerberos")
64
65#define KRB_TGT_REQ 16
66#define KRB_TGT_REP 17
67
68const SecPkgInfoA KERBEROS_SecPkgInfoA = {
69 0x000F3BBF, /* fCapabilities */
70 1, /* wVersion */
71 0x0010, /* wRPCID */
72 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
73 "Kerberos", /* Name */
74 "Kerberos Security Package" /* Comment */
75};
76
77static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 };
78static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 };
79
80const SecPkgInfoW KERBEROS_SecPkgInfoW = {
81 0x000F3BBF, /* fCapabilities */
82 1, /* wVersion */
83 0x0010, /* wRPCID */
84 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */
85 KERBEROS_SecPkgInfoW_NameBuffer, /* Name */
86 KERBEROS_SecPkgInfoW_CommentBuffer /* Comment */
87};
88
89#ifdef WITH_KRB5
90
91enum KERBEROS_STATE
92{
93 KERBEROS_STATE_INITIAL,
94 KERBEROS_STATE_TGT_REQ,
95 KERBEROS_STATE_TGT_REP,
96 KERBEROS_STATE_AP_REQ,
97 KERBEROS_STATE_AP_REP,
98 KERBEROS_STATE_FINAL
99};
100
101typedef struct KRB_CREDENTIALS_st
102{
103 volatile LONG refCount;
104 krb5_context ctx;
105 char* kdc_url;
106 krb5_ccache ccache;
107 krb5_keytab keytab;
108 krb5_keytab client_keytab;
109 BOOL own_ccache;
110} KRB_CREDENTIALS;
111
112struct s_KRB_CONTEXT
113{
114 enum KERBEROS_STATE state;
115 KRB_CREDENTIALS* credentials;
116 krb5_auth_context auth_ctx;
117 BOOL acceptor;
118 uint32_t flags;
119 uint64_t local_seq;
120 uint64_t remote_seq;
121 struct krb5glue_keyset keyset;
122 BOOL u2u;
123 char* targetHost;
124};
125
126static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
127static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
128 (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
129
130#define krb_log_exec(fkt, ctx, ...) \
131 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
132#define krb_log_exec_ptr(fkt, ctx, ...) \
133 kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
134static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
135 const char* file, const char* fkt, size_t line)
136{
137 switch (code)
138 {
139 case 0:
140 case KRB5_KT_END:
141 break;
142 default:
143 {
144 const DWORD level = WLOG_ERROR;
145
146 wLog* log = WLog_Get(TAG);
147 if (WLog_IsLevelActive(log, level))
148 {
149 const char* msg = krb5_get_error_message(ctx, code);
150 WLog_PrintTextMessage(log, level, line, file, fkt, "%s (%s [%d])", what, msg, code);
151 krb5_free_error_message(ctx, msg);
152 }
153 }
154 break;
155 }
156 return code;
157}
158
159static void credentials_unref(KRB_CREDENTIALS* credentials);
160
161static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
162{
163 if (!ctx)
164 return;
165
166 free(ctx->targetHost);
167 ctx->targetHost = NULL;
168
169 if (ctx->credentials)
170 {
171 krb5_context krbctx = ctx->credentials->ctx;
172 if (krbctx)
173 {
174 if (ctx->auth_ctx)
175 krb5_auth_con_free(krbctx, ctx->auth_ctx);
176
177 krb5glue_keys_free(krbctx, &ctx->keyset);
178 }
179
180 credentials_unref(ctx->credentials);
181 }
182
183 if (allocated)
184 free(ctx);
185}
186
187static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials)
188{
189 KRB_CONTEXT* context = NULL;
190
191 context = (KRB_CONTEXT*)calloc(1, sizeof(KRB_CONTEXT));
192 if (!context)
193 return NULL;
194
195 context->credentials = credentials;
196 InterlockedIncrement(&credentials->refCount);
197 return context;
198}
199
200static krb5_error_code krb5_prompter(krb5_context context, void* data,
201 WINPR_ATTR_UNUSED const char* name,
202 WINPR_ATTR_UNUSED const char* banner, int num_prompts,
203 krb5_prompt prompts[])
204{
205 for (int i = 0; i < num_prompts; i++)
206 {
207 krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i);
208 if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data)
209 {
210 prompts[i].reply->data = _strdup((const char*)data);
211
212 const size_t len = strlen((const char*)data);
213 if (len > UINT32_MAX)
214 return KRB5KRB_ERR_GENERIC;
215 prompts[i].reply->length = (UINT32)len;
216 }
217 }
218 return 0;
219}
220
221static inline krb5glue_key get_key(struct krb5glue_keyset* keyset)
222{
223 return keyset->acceptor_key ? keyset->acceptor_key
224 : keyset->initiator_key ? keyset->initiator_key
225 : keyset->session_key;
226}
227
228static BOOL isValidIPv4(const char* ipAddress)
229{
230 struct sockaddr_in sa = { 0 };
231 int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
232 return result != 0;
233}
234
235static BOOL isValidIPv6(const char* ipAddress)
236{
237 struct sockaddr_in6 sa = { 0 };
238 int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
239 return result != 0;
240}
241
242static BOOL isValidIP(const char* ipAddress)
243{
244 return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
245}
246
247#if defined(WITH_KRB5_MIT)
248WINPR_ATTR_MALLOC(free, 1)
249WINPR_ATTR_NODISCARD
250static char* get_realm_name(krb5_data realm, size_t* plen)
251{
252 WINPR_ASSERT(plen);
253 *plen = 0;
254 if ((realm.length <= 0) || (!realm.data))
255 return NULL;
256
257 char* name = NULL;
258 (void)winpr_asprintf(&name, plen, "krbtgt/%*s@%*s", realm.length, realm.data, realm.length,
259 realm.data);
260 return name;
261}
262#elif defined(WITH_KRB5_HEIMDAL)
263WINPR_ATTR_MALLOC(free, 1)
264WINPR_ATTR_NODISCARD
265static char* get_realm_name(Realm realm, size_t* plen)
266{
267 WINPR_ASSERT(plen);
268 *plen = 0;
269 if (!realm)
270 return NULL;
271
272 char* name = NULL;
273 (void)winpr_asprintf(&name, plen, "krbtgt/%s@%s", realm, realm);
274 return name;
275}
276#endif
277
278static int build_krbtgt(krb5_context ctx, krb5_principal principal, krb5_principal* ptarget)
279{
280 /* "krbtgt/" + realm + "@" + realm */
281 size_t len = 0;
282 krb5_error_code rv = KRB5_CC_NOMEM;
283
284 char* name = get_realm_name(principal->realm, &len);
285 if (!name || (len == 0))
286 goto fail;
287
288 {
289 krb5_principal target = { 0 };
290 rv = krb5_parse_name(ctx, name, &target);
291 *ptarget = target;
292 }
293fail:
294 free(name);
295 return rv;
296}
297
298#endif /* WITH_KRB5 */
299
300static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
301 SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage, ULONG fCredentialUse,
302 WINPR_ATTR_UNUSED void* pvLogonID, void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn,
303 WINPR_ATTR_UNUSED void* pvGetKeyArgument, PCredHandle phCredential,
304 WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
305{
306#ifdef WITH_KRB5
307 SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
308 KRB_CREDENTIALS* credentials = NULL;
309 krb5_context ctx = NULL;
310 krb5_ccache ccache = NULL;
311 krb5_keytab keytab = NULL;
312 krb5_principal principal = NULL;
313 char* domain = NULL;
314 char* username = NULL;
315 char* password = NULL;
316 BOOL own_ccache = FALSE;
317 const char* const default_ccache_type = "MEMORY";
318
319 if (pAuthData)
320 {
321 UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
322
323 if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
324 krb_settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->kerberosSettings);
325
326 if (!sspi_CopyAuthIdentityFieldsA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &username,
327 &domain, &password))
328 {
329 WLog_ERR(TAG, "Failed to copy auth identity fields");
330 goto cleanup;
331 }
332
333 if (!pszPrincipal)
334 pszPrincipal = username;
335 }
336
337 if (krb_log_exec_ptr(krb5_init_context, &ctx))
338 goto cleanup;
339
340 if (domain)
341 {
342 char* udomain = _strdup(domain);
343 if (!udomain)
344 goto cleanup;
345
346 CharUpperA(udomain);
347 /* Will use domain if realm is not specified in username */
348 krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
349 free(udomain);
350
351 if (rv)
352 goto cleanup;
353 }
354
355 if (pszPrincipal)
356 {
357 char* cpszPrincipal = _strdup(pszPrincipal);
358 if (!cpszPrincipal)
359 goto cleanup;
360
361 /* Find realm component if included and convert to uppercase */
362 char* p = strchr(cpszPrincipal, '@');
363 if (p)
364 CharUpperA(p);
365
366 krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
367 free(cpszPrincipal);
368
369 if (rv)
370 goto cleanup;
371 WINPR_ASSERT(principal);
372 }
373
374 if (krb_settings && krb_settings->cache)
375 {
376 if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
377 goto cleanup;
378 }
379 else
380 own_ccache = TRUE;
381
382 if (principal)
383 {
384 /* Use the default cache if it's initialized with the right principal */
385 if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND)
386 {
387 if (own_ccache)
388 {
389 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
390 goto cleanup;
391 }
392 else
393 {
394 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
395 goto cleanup;
396 }
397
398 if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
399 goto cleanup;
400 }
401 else
402 {
403 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
404 goto cleanup;
405 own_ccache = FALSE;
406 }
407 WINPR_ASSERT(ccache);
408 }
409 else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
410 {
411 /* Use the default cache with it's default principal */
412 if (krb_log_exec(krb5_cc_default, ctx, &ccache))
413 goto cleanup;
414 if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
415 goto cleanup;
416 WINPR_ASSERT(ccache);
417 own_ccache = FALSE;
418 }
419 else
420 {
421 if (own_ccache)
422 {
423 if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
424 goto cleanup;
425 }
426 else
427 {
428 if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
429 goto cleanup;
430 }
431 WINPR_ASSERT(ccache);
432 }
433
434 if (krb_settings && krb_settings->keytab)
435 {
436 if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
437 goto cleanup;
438 }
439 else
440 {
441 if (fCredentialUse & SECPKG_CRED_INBOUND)
442 if (krb_log_exec(krb5_kt_default, ctx, &keytab))
443 goto cleanup;
444 }
445
446 /* Get initial credentials if required */
447 if (fCredentialUse & SECPKG_CRED_OUTBOUND)
448 {
449 krb5_creds creds = { 0 };
450 krb5_creds matchCreds = { 0 };
451 krb5_flags matchFlags = KRB5_TC_MATCH_TIMES;
452
453 krb5_timeofday(ctx, &matchCreds.times.endtime);
454 matchCreds.times.endtime += 60;
455 matchCreds.client = principal;
456
457 WINPR_ASSERT(principal);
458 WINPR_ASSERT(ctx);
459 WINPR_ASSERT(ccache);
460 if (krb_log_exec(build_krbtgt, ctx, principal, &matchCreds.server))
461 goto cleanup;
462
463 int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds);
464 krb5_free_principal(ctx, matchCreds.server);
465 krb5_free_cred_contents(ctx, &creds);
466 if (rv)
467 {
468 if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter,
469 password, krb_settings))
470 goto cleanup;
471 }
472 }
473
474 credentials = calloc(1, sizeof(KRB_CREDENTIALS));
475 if (!credentials)
476 goto cleanup;
477 credentials->refCount = 1;
478 credentials->ctx = ctx;
479 credentials->ccache = ccache;
480 credentials->keytab = keytab;
481 credentials->own_ccache = own_ccache;
482
483cleanup:
484
485 free(domain);
486 free(username);
487 free(password);
488
489 if (principal)
490 krb5_free_principal(ctx, principal);
491 if (ctx)
492 {
493 if (!credentials)
494 {
495 if (ccache)
496 {
497 if (own_ccache)
498 krb5_cc_destroy(ctx, ccache);
499 else
500 krb5_cc_close(ctx, ccache);
501 }
502 if (keytab)
503 krb5_kt_close(ctx, keytab);
504
505 krb5_free_context(ctx);
506 }
507 }
508
509 /* If we managed to get credentials set the output */
510 if (credentials)
511 {
512 sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials);
513 sspi_SecureHandleSetUpperPointer(phCredential, (void*)KERBEROS_SSP_NAME);
514 return SEC_E_OK;
515 }
516
517 return SEC_E_NO_CREDENTIALS;
518#else
519 return SEC_E_UNSUPPORTED_FUNCTION;
520#endif
521}
522
523static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(
524 SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
525 void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
526 PTimeStamp ptsExpiry)
527{
528 SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY;
529 char* principal = NULL;
530 char* package = NULL;
531
532 if (pszPrincipal)
533 {
534 principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL);
535 if (!principal)
536 goto fail;
537 }
538 if (pszPackage)
539 {
540 package = ConvertWCharToUtf8Alloc(pszPackage, NULL);
541 if (!package)
542 goto fail;
543 }
544
545 status =
546 kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData,
547 pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);
548
549fail:
550 free(principal);
551 free(package);
552
553 return status;
554}
555
556#ifdef WITH_KRB5
557static void credentials_unref(KRB_CREDENTIALS* credentials)
558{
559 WINPR_ASSERT(credentials);
560
561 if (InterlockedDecrement(&credentials->refCount))
562 return;
563
564 free(credentials->kdc_url);
565
566 if (credentials->ccache)
567 {
568 if (credentials->own_ccache)
569 krb5_cc_destroy(credentials->ctx, credentials->ccache);
570 else
571 krb5_cc_close(credentials->ctx, credentials->ccache);
572 }
573 if (credentials->keytab)
574 krb5_kt_close(credentials->ctx, credentials->keytab);
575
576 krb5_free_context(credentials->ctx);
577 free(credentials);
578}
579#endif
580
581static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential)
582{
583#ifdef WITH_KRB5
584 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
585 if (!credentials)
586 return SEC_E_INVALID_HANDLE;
587
588 credentials_unref(credentials);
589
590 sspi_SecureHandleInvalidate(phCredential);
591 return SEC_E_OK;
592#else
593 return SEC_E_UNSUPPORTED_FUNCTION;
594#endif
595}
596
597static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(
598 WINPR_ATTR_UNUSED PCredHandle phCredential, ULONG ulAttribute, WINPR_ATTR_UNUSED void* pBuffer)
599{
600#ifdef WITH_KRB5
601 switch (ulAttribute)
602 {
603 case SECPKG_CRED_ATTR_NAMES:
604 return SEC_E_OK;
605 default:
606 WLog_ERR(TAG, "TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32,
607 ulAttribute);
608 return SEC_E_UNSUPPORTED_FUNCTION;
609 }
610
611#else
612 return SEC_E_UNSUPPORTED_FUNCTION;
613#endif
614}
615
616static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential,
617 ULONG ulAttribute,
618 void* pBuffer)
619{
620 return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);
621}
622
623#ifdef WITH_KRB5
624
625static BOOL kerberos_mk_tgt_token(SecBuffer* buf, int msg_type, char* sname, char* host,
626 const krb5_data* ticket)
627{
628 WinPrAsn1Encoder* enc = NULL;
629 WinPrAsn1_MemoryChunk data;
630 wStream s;
631 size_t len = 0;
632 sspi_gss_data token;
633 BOOL ret = FALSE;
634
635 WINPR_ASSERT(buf);
636
637 if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP)
638 return FALSE;
639 if (msg_type == KRB_TGT_REP && !ticket)
640 return FALSE;
641
642 enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
643 if (!enc)
644 return FALSE;
645
646 /* KERB-TGT-REQUEST (SEQUENCE) */
647 if (!WinPrAsn1EncSeqContainer(enc))
648 goto cleanup;
649
650 /* pvno [0] INTEGER */
651 if (!WinPrAsn1EncContextualInteger(enc, 0, 5))
652 goto cleanup;
653
654 /* msg-type [1] INTEGER */
655 if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type))
656 goto cleanup;
657
658 if (msg_type == KRB_TGT_REQ && sname)
659 {
660 /* server-name [2] PrincipalName (SEQUENCE) */
661 if (!WinPrAsn1EncContextualSeqContainer(enc, 2))
662 goto cleanup;
663
664 /* name-type [0] INTEGER */
665 if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST))
666 goto cleanup;
667
668 /* name-string [1] SEQUENCE OF GeneralString */
669 if (!WinPrAsn1EncContextualSeqContainer(enc, 1))
670 goto cleanup;
671
672 if (!WinPrAsn1EncGeneralString(enc, sname))
673 goto cleanup;
674
675 if (host && !WinPrAsn1EncGeneralString(enc, host))
676 goto cleanup;
677
678 if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc))
679 goto cleanup;
680 }
681 else if (msg_type == KRB_TGT_REP)
682 {
683 /* ticket [2] Ticket */
684 data.data = (BYTE*)ticket->data;
685 data.len = ticket->length;
686 if (!WinPrAsn1EncContextualRawContent(enc, 2, &data))
687 goto cleanup;
688 }
689
690 if (!WinPrAsn1EncEndContainer(enc))
691 goto cleanup;
692
693 if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer)
694 goto cleanup;
695
696 Stream_StaticInit(&s, buf->pvBuffer, len);
697 if (!WinPrAsn1EncToStream(enc, &s))
698 goto cleanup;
699
700 token.data = buf->pvBuffer;
701 token.length = (UINT)len;
702 if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID,
703 msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token))
704 ret = TRUE;
705
706cleanup:
707 WinPrAsn1Encoder_Free(&enc);
708 return ret;
709}
710
711static BOOL append(char* dst, size_t dstSize, const char* src)
712{
713 const size_t dlen = strnlen(dst, dstSize);
714 const size_t slen = strlen(src);
715 if (dlen + slen >= dstSize)
716 return FALSE;
717 if (!strncat(dst, src, dstSize - dlen))
718 return FALSE;
719 return TRUE;
720}
721
722static BOOL kerberos_rd_tgt_req_tag2(WinPrAsn1Decoder* dec, char* buf, size_t len)
723{
724 BOOL rc = FALSE;
725 WinPrAsn1Decoder seq = { .encoding = WINPR_ASN1_BER, { 0 } };
726
727 /* server-name [2] PrincipalName (SEQUENCE) */
728 if (!WinPrAsn1DecReadSequence(dec, &seq))
729 goto end;
730
731 /* name-type [0] INTEGER */
732 {
733 BOOL error = FALSE;
734 {
735 WinPrAsn1_INTEGER val = 0;
736 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val))
737 goto end;
738 }
739
740 /* name-string [1] SEQUENCE OF GeneralString */
741 if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec))
742 goto end;
743 }
744
745 {
746 WinPrAsn1_tag tag = 0;
747 BOOL first = TRUE;
748 while (WinPrAsn1DecPeekTag(dec, &tag))
749 {
750 BOOL success = FALSE;
751 char* lstr = NULL;
752 if (!WinPrAsn1DecReadGeneralString(dec, &lstr))
753 goto fail;
754
755 if (!first)
756 {
757 if (!append(buf, len, "/"))
758 goto fail;
759 }
760 first = FALSE;
761
762 if (!append(buf, len, lstr))
763 goto fail;
764
765 success = TRUE;
766 fail:
767 free(lstr);
768 if (!success)
769 goto end;
770 }
771 }
772
773 rc = TRUE;
774end:
775 return rc;
776}
777
778static BOOL kerberos_rd_tgt_req_tag3(WinPrAsn1Decoder* dec, char* buf, size_t len)
779{
780 /* realm [3] Realm */
781 BOOL rc = FALSE;
782 WinPrAsn1_STRING str = NULL;
783 if (!WinPrAsn1DecReadGeneralString(dec, &str))
784 goto end;
785
786 if (!append(buf, len, "@"))
787 goto end;
788 if (!append(buf, len, str))
789 goto end;
790
791 rc = TRUE;
792end:
793 free(str);
794 return rc;
795}
796
797static BOOL kerberos_rd_tgt_req(WinPrAsn1Decoder* dec, char** target)
798{
799 BOOL rc = FALSE;
800
801 if (!target)
802 return FALSE;
803 *target = NULL;
804
805 wStream s = WinPrAsn1DecGetStream(dec);
806 const size_t len = Stream_Length(&s);
807 if (len == 0)
808 return TRUE;
809
810 WinPrAsn1Decoder dec2 = { .encoding = WINPR_ASN1_BER, { 0 } };
811 WinPrAsn1_tagId tag = 0;
812 if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0)
813 return FALSE;
814
815 char* buf = calloc(len + 1, sizeof(char));
816 if (!buf)
817 return FALSE;
818
819 /* We expect ASN1 context tag values 2 or 3.
820 *
821 * In case we got value 2 an (optional) context tag value 3 might follow.
822 */
823 BOOL checkForTag3 = TRUE;
824 if (tag == 2)
825 {
826 rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len);
827 if (rc)
828 {
829 const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec);
830 if (res == 0)
831 checkForTag3 = FALSE;
832 }
833 }
834
835 if (checkForTag3)
836 {
837 if (tag == 3)
838 rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len);
839 else
840 rc = FALSE;
841 }
842
843 if (rc)
844 *target = buf;
845 else
846 free(buf);
847 return rc;
848}
849
850static BOOL kerberos_rd_tgt_rep(WinPrAsn1Decoder* dec, krb5_data* ticket)
851{
852 if (!ticket)
853 return FALSE;
854
855 /* ticket [2] Ticket */
856 WinPrAsn1Decoder asnTicket = { .encoding = WINPR_ASN1_BER, { 0 } };
857 WinPrAsn1_tagId tag = 0;
858 if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0)
859 return FALSE;
860
861 if (tag != 2)
862 return FALSE;
863
864 wStream s = WinPrAsn1DecGetStream(&asnTicket);
865 ticket->data = Stream_BufferAs(&s, char);
866
867 const size_t len = Stream_Length(&s);
868 if (len > UINT32_MAX)
869 return FALSE;
870 ticket->length = (UINT32)len;
871 return TRUE;
872}
873
874static BOOL kerberos_rd_tgt_token(const sspi_gss_data* token, char** target, krb5_data* ticket)
875{
876 BOOL error = 0;
877 WinPrAsn1_INTEGER val = 0;
878
879 WINPR_ASSERT(token);
880
881 if (target)
882 *target = NULL;
883
884 WinPrAsn1Decoder der = { .encoding = WINPR_ASN1_BER, { 0 } };
885 WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length);
886
887 /* KERB-TGT-REQUEST (SEQUENCE) */
888 WinPrAsn1Decoder seq = { .encoding = WINPR_ASN1_BER, { 0 } };
889 if (!WinPrAsn1DecReadSequence(&der, &seq))
890 return FALSE;
891
892 /* pvno [0] INTEGER */
893 if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5)
894 return FALSE;
895
896 /* msg-type [1] INTEGER */
897 if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val))
898 return FALSE;
899
900 switch (val)
901 {
902 case KRB_TGT_REQ:
903 return kerberos_rd_tgt_req(&seq, target);
904 case KRB_TGT_REP:
905 return kerberos_rd_tgt_rep(&seq, ticket);
906 default:
907 break;
908 }
909 return FALSE;
910}
911
912#endif /* WITH_KRB5 */
913
914static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5, SEC_CHANNEL_BINDINGS* bindings)
915{
916 BYTE buf[4];
917
918 winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType);
919 if (!winpr_Digest_Update(md5, buf, 4))
920 return FALSE;
921
922 winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength);
923 if (!winpr_Digest_Update(md5, buf, 4))
924 return FALSE;
925
926 if (bindings->cbInitiatorLength &&
927 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset,
928 bindings->cbInitiatorLength))
929 return FALSE;
930
931 winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType);
932 if (!winpr_Digest_Update(md5, buf, 4))
933 return FALSE;
934
935 winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength);
936 if (!winpr_Digest_Update(md5, buf, 4))
937 return FALSE;
938
939 if (bindings->cbAcceptorLength &&
940 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset,
941 bindings->cbAcceptorLength))
942 return FALSE;
943
944 winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength);
945 if (!winpr_Digest_Update(md5, buf, 4))
946 return FALSE;
947
948 if (bindings->cbApplicationDataLength &&
949 !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset,
950 bindings->cbApplicationDataLength))
951 return FALSE;
952
953 return TRUE;
954}
955
956static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
957 PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq,
958 WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep, PSecBufferDesc pInput,
959 WINPR_ATTR_UNUSED ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput,
960 WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry)
961{
962#ifdef WITH_KRB5
963 PSecBuffer input_buffer = NULL;
964 PSecBuffer output_buffer = NULL;
965 PSecBuffer bindings_buffer = NULL;
966 WINPR_DIGEST_CTX* md5 = NULL;
967 char* target = NULL;
968 char* sname = NULL;
969 char* host = NULL;
970 krb5_data input_token = { 0 };
971 krb5_data output_token = { 0 };
972 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
973 WinPrAsn1_OID oid = { 0 };
974 uint16_t tok_id = 0;
975 krb5_ap_rep_enc_part* reply = NULL;
976 krb5_flags ap_flags = AP_OPTS_USE_SUBKEY;
977 char cksum_contents[24] = { 0 };
978 krb5_data cksum = { 0 };
979 krb5_creds in_creds = { 0 };
980 krb5_creds* creds = NULL;
981 BOOL isNewContext = FALSE;
982 KRB_CONTEXT* context = NULL;
983 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
984
985 /* behave like windows SSPIs that don't want empty context */
986 if (phContext && !phContext->dwLower && !phContext->dwUpper)
987 return SEC_E_INVALID_HANDLE;
988
989 context = sspi_SecureHandleGetLowerPointer(phContext);
990
991 if (!credentials)
992 return SEC_E_NO_CREDENTIALS;
993
994 if (pInput)
995 {
996 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
997 bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
998 }
999 if (pOutput)
1000 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1001
1002 if (fContextReq & ISC_REQ_MUTUAL_AUTH)
1003 ap_flags |= AP_OPTS_MUTUAL_REQUIRED;
1004
1005 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1006 ap_flags |= AP_OPTS_USE_SESSION_KEY;
1007
1008 /* Split target name into service/hostname components */
1009 if (pszTargetName)
1010 {
1011 target = _strdup(pszTargetName);
1012 if (!target)
1013 {
1014 status = SEC_E_INSUFFICIENT_MEMORY;
1015 goto cleanup;
1016 }
1017 host = strchr(target, '/');
1018 if (host)
1019 {
1020 *host++ = 0;
1021 sname = target;
1022 }
1023 else
1024 host = target;
1025 if (isValidIP(host))
1026 {
1027 status = SEC_E_NO_CREDENTIALS;
1028 goto cleanup;
1029 }
1030 }
1031
1032 if (!context)
1033 {
1034 context = kerberos_ContextNew(credentials);
1035 if (!context)
1036 {
1037 status = SEC_E_INSUFFICIENT_MEMORY;
1038 goto cleanup;
1039 }
1040
1041 isNewContext = TRUE;
1042
1043 if (host)
1044 context->targetHost = _strdup(host);
1045 if (!context->targetHost)
1046 {
1047 status = SEC_E_INSUFFICIENT_MEMORY;
1048 goto cleanup;
1049 }
1050
1051 if (fContextReq & ISC_REQ_USE_SESSION_KEY)
1052 {
1053 context->state = KERBEROS_STATE_TGT_REQ;
1054 context->u2u = TRUE;
1055 }
1056 else
1057 context->state = KERBEROS_STATE_AP_REQ;
1058 }
1059 else
1060 {
1061 if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1062 goto bad_token;
1063 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1064 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1065 goto bad_token;
1066 }
1067
1068 /* SSPI flags are compatible with GSS flags except INTEG_FLAG */
1069 context->flags |= (fContextReq & 0x1F);
1070 if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY))
1071 context->flags |= SSPI_GSS_C_INTEG_FLAG;
1072
1073 switch (context->state)
1074 {
1075 case KERBEROS_STATE_TGT_REQ:
1076
1077 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL))
1078 goto cleanup;
1079
1080 context->state = KERBEROS_STATE_TGT_REP;
1081 status = SEC_I_CONTINUE_NEEDED;
1082 break;
1083
1084 case KERBEROS_STATE_TGT_REP:
1085
1086 if (tok_id != TOK_ID_TGT_REP)
1087 goto bad_token;
1088
1089 if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket))
1090 goto bad_token;
1091
1092 /* Continue to AP-REQ */
1093 /* fallthrough */
1094 WINPR_FALLTHROUGH
1095
1096 case KERBEROS_STATE_AP_REQ:
1097
1098 /* Set auth_context options */
1099 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1100 goto cleanup;
1101 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1102 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1103 goto cleanup;
1104 if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx,
1105 GSS_CHECKSUM_TYPE))
1106 goto cleanup;
1107
1108 /* Get a service ticket */
1109 if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname,
1110 KRB5_NT_SRV_HST, &in_creds.server))
1111 goto cleanup;
1112
1113 if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1114 &in_creds.client))
1115 {
1116 status = SEC_E_WRONG_PRINCIPAL;
1117 goto cleanup;
1118 }
1119
1120 if (krb_log_exec(krb5_get_credentials, credentials->ctx,
1121 context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
1122 &creds))
1123 {
1124 status = SEC_E_NO_CREDENTIALS;
1125 goto cleanup;
1126 }
1127
1128 /* Write the checksum (delegation not implemented) */
1129 cksum.data = cksum_contents;
1130 cksum.length = sizeof(cksum_contents);
1131 winpr_Data_Write_UINT32(cksum_contents, 16);
1132 winpr_Data_Write_UINT32((cksum_contents + 20), context->flags);
1133
1134 if (bindings_buffer)
1135 {
1136 SEC_CHANNEL_BINDINGS* bindings = bindings_buffer->pvBuffer;
1137
1138 /* Sanity checks */
1139 if (bindings_buffer->cbBuffer < sizeof(SEC_CHANNEL_BINDINGS) ||
1140 (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) >
1141 bindings_buffer->cbBuffer ||
1142 (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) >
1143 bindings_buffer->cbBuffer ||
1144 (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) >
1145 bindings_buffer->cbBuffer)
1146 {
1147 status = SEC_E_BAD_BINDINGS;
1148 goto cleanup;
1149 }
1150
1151 md5 = winpr_Digest_New();
1152 if (!md5)
1153 goto cleanup;
1154
1155 if (!winpr_Digest_Init(md5, WINPR_MD_MD5))
1156 goto cleanup;
1157
1158 if (!kerberos_hash_channel_bindings(md5, bindings))
1159 goto cleanup;
1160
1161 if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16))
1162 goto cleanup;
1163 }
1164
1165 /* Make the AP_REQ message */
1166 if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags,
1167 &cksum, creds, &output_token))
1168 goto cleanup;
1169
1170 if (!sspi_gss_wrap_token(output_buffer,
1171 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1172 TOK_ID_AP_REQ, &output_token))
1173 goto cleanup;
1174
1175 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1176 {
1177 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx,
1178 context->auth_ctx, (INT32*)&context->local_seq))
1179 goto cleanup;
1180 context->remote_seq ^= context->local_seq;
1181 }
1182
1183 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1184 &context->keyset))
1185 goto cleanup;
1186
1187 context->state = KERBEROS_STATE_AP_REP;
1188
1189 if (context->flags & SSPI_GSS_C_MUTUAL_FLAG)
1190 status = SEC_I_CONTINUE_NEEDED;
1191 else
1192 status = SEC_E_OK;
1193 break;
1194
1195 case KERBEROS_STATE_AP_REP:
1196
1197 if (tok_id == TOK_ID_AP_REP)
1198 {
1199 if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token,
1200 &reply))
1201 goto cleanup;
1202 krb5_free_ap_rep_enc_part(credentials->ctx, reply);
1203 }
1204 else if (tok_id == TOK_ID_ERROR)
1205 {
1206 krb5glue_log_error(credentials->ctx, &input_token, TAG);
1207 goto cleanup;
1208 }
1209 else
1210 goto bad_token;
1211
1212 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1213 {
1214 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx,
1215 context->auth_ctx, (INT32*)&context->remote_seq))
1216 goto cleanup;
1217 }
1218
1219 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE,
1220 &context->keyset))
1221 goto cleanup;
1222
1223 context->state = KERBEROS_STATE_FINAL;
1224
1225 if (output_buffer)
1226 output_buffer->cbBuffer = 0;
1227 status = SEC_E_OK;
1228 break;
1229
1230 case KERBEROS_STATE_FINAL:
1231 default:
1232 WLog_ERR(TAG, "Kerberos in invalid state!");
1233 goto cleanup;
1234 }
1235
1236cleanup:
1237{
1238 /* second_ticket is not allocated */
1239 krb5_data edata = { 0 };
1240 in_creds.second_ticket = edata;
1241 krb5_free_cred_contents(credentials->ctx, &in_creds);
1242}
1243
1244 krb5_free_creds(credentials->ctx, creds);
1245 if (output_token.data)
1246 krb5glue_free_data_contents(credentials->ctx, &output_token);
1247
1248 winpr_Digest_Free(md5);
1249
1250 free(target);
1251
1252 if (isNewContext)
1253 {
1254 switch (status)
1255 {
1256 case SEC_E_OK:
1257 case SEC_I_CONTINUE_NEEDED:
1258 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1259 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1260 break;
1261 default:
1262 kerberos_ContextFree(context, TRUE);
1263 break;
1264 }
1265 }
1266
1267 return status;
1268
1269bad_token:
1270 status = SEC_E_INVALID_TOKEN;
1271 goto cleanup;
1272#else
1273 return SEC_E_UNSUPPORTED_FUNCTION;
1274#endif /* WITH_KRB5 */
1275}
1276
1277static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(
1278 PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
1279 ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
1280 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, PTimeStamp ptsExpiry)
1281{
1282 SECURITY_STATUS status = 0;
1283 char* target_name = NULL;
1284
1285 if (pszTargetName)
1286 {
1287 target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL);
1288 if (!target_name)
1289 return SEC_E_INSUFFICIENT_MEMORY;
1290 }
1291
1292 status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq,
1293 Reserved1, TargetDataRep, pInput, Reserved2,
1294 phNewContext, pOutput, pfContextAttr, ptsExpiry);
1295
1296 if (target_name)
1297 free(target_name);
1298
1299 return status;
1300}
1301
1302#ifdef WITH_KRB5
1303static BOOL retrieveTgtForPrincipal(KRB_CREDENTIALS* credentials, krb5_principal principal,
1304 krb5_creds* creds)
1305{
1306 BOOL ret = FALSE;
1307 krb5_kt_cursor cur = { 0 };
1308 krb5_keytab_entry entry = { 0 };
1309 if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur))
1310 goto cleanup;
1311
1312 do
1313 {
1314 krb5_error_code rv =
1315 krb_log_exec(krb5_kt_next_entry, credentials->ctx, credentials->keytab, &entry, &cur);
1316 if (rv == KRB5_KT_END)
1317 break;
1318 if (rv != 0)
1319 goto cleanup;
1320
1321 if (krb5_principal_compare(credentials->ctx, principal, entry.principal))
1322 break;
1323 rv = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);
1324 memset(&entry, 0, sizeof(entry));
1325 if (rv)
1326 goto cleanup;
1327 } while (1);
1328
1329 if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur))
1330 goto cleanup;
1331
1332 if (!entry.principal)
1333 goto cleanup;
1334
1335 /* Get the TGT */
1336 if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, creds, entry.principal,
1337 credentials->keytab, 0, NULL, NULL))
1338 goto cleanup;
1339
1340 ret = TRUE;
1341
1342cleanup:
1343 return ret;
1344}
1345
1346static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, krb5_creds* creds)
1347{
1348 BOOL ret = TRUE;
1349 krb5_principal target_princ = { 0 };
1350 char* default_realm = NULL;
1351
1352 krb5_error_code rv =
1353 krb_log_exec(krb5_parse_name_flags, credentials->ctx, target, 0, &target_princ);
1354 if (rv)
1355 return FALSE;
1356
1357#if defined(WITH_KRB5_HEIMDAL)
1358 if (!target_princ->realm)
1359 {
1360 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1361 if (rv)
1362 goto out;
1363
1364 target_princ->realm = default_realm;
1365 }
1366#else
1367 if (!target_princ->realm.length)
1368 {
1369 rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
1370 if (rv)
1371 goto out;
1372
1373 target_princ->realm.data = default_realm;
1374 target_princ->realm.length = (unsigned int)strlen(default_realm);
1375 }
1376#endif
1377
1378 /*
1379 * First try with the account service. We were requested with something like
1380 * TERMSRV/<host>@<realm>, let's see if we have that in our keytab and if we're able
1381 * to retrieve a TGT with that entry
1382 *
1383 */
1384 if (retrieveTgtForPrincipal(credentials, target_princ, creds))
1385 goto out;
1386
1387 ret = FALSE;
1388
1389#if defined(WITH_KRB5_MIT)
1390 /*
1391 * if it's not working let's try with <host>$@<REALM> (note the dollar)
1392 */
1393 {
1394 char hostDollar[300] = { 0 };
1395 if (target_princ->length < 2)
1396 goto out;
1397
1398 (void)snprintf(hostDollar, sizeof(hostDollar) - 1, "%s$@%s", target_princ->data[1].data,
1399 target_princ->realm.data);
1400 krb5_free_principal(credentials->ctx, target_princ);
1401
1402 rv = krb_log_exec(krb5_parse_name_flags, credentials->ctx, hostDollar, 0, &target_princ);
1403 if (rv)
1404 return FALSE;
1405 }
1406 ret = retrieveTgtForPrincipal(credentials, target_princ, creds);
1407#endif
1408
1409out:
1410 if (default_realm)
1411 krb5_free_default_realm(credentials->ctx, default_realm);
1412
1413 krb5_free_principal(credentials->ctx, target_princ);
1414 return ret;
1415}
1416#endif
1417
1418static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
1419 PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput,
1420 WINPR_ATTR_UNUSED ULONG fContextReq, WINPR_ATTR_UNUSED ULONG TargetDataRep,
1421 PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr,
1422 WINPR_ATTR_UNUSED PTimeStamp ptsExpity)
1423{
1424#ifdef WITH_KRB5
1425 BOOL isNewContext = FALSE;
1426 PSecBuffer input_buffer = NULL;
1427 PSecBuffer output_buffer = NULL;
1428 WinPrAsn1_OID oid = { 0 };
1429 uint16_t tok_id = 0;
1430 krb5_data input_token = { 0 };
1431 krb5_data output_token = { 0 };
1432 SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
1433 krb5_flags ap_flags = 0;
1434 krb5glue_authenticator authenticator = NULL;
1435 char* target = NULL;
1436 krb5_keytab_entry entry = { 0 };
1437 krb5_creds creds = { 0 };
1438
1439 /* behave like windows SSPIs that don't want empty context */
1440 if (phContext && !phContext->dwLower && !phContext->dwUpper)
1441 return SEC_E_INVALID_HANDLE;
1442
1443 KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext);
1444 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1445
1446 if (pInput)
1447 input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1448 if (pOutput)
1449 output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1450
1451 if (!input_buffer)
1452 return SEC_E_INVALID_TOKEN;
1453
1454 if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token))
1455 return SEC_E_INVALID_TOKEN;
1456
1457 if (!context)
1458 {
1459 isNewContext = TRUE;
1460 context = kerberos_ContextNew(credentials);
1461 context->acceptor = TRUE;
1462
1463 if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
1464 {
1465 context->u2u = TRUE;
1466 context->state = KERBEROS_STATE_TGT_REQ;
1467 }
1468 else if (sspi_gss_oid_compare(&oid, &kerberos_OID))
1469 context->state = KERBEROS_STATE_AP_REQ;
1470 else
1471 goto bad_token;
1472 }
1473 else
1474 {
1475 if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) ||
1476 (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID)))
1477 goto bad_token;
1478 }
1479
1480 if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ)
1481 {
1482 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
1483 goto bad_token;
1484
1485 if (!retrieveSomeTgt(credentials, target, &creds))
1486 goto cleanup;
1487
1488 if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
1489 goto cleanup;
1490
1491 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx))
1492 goto cleanup;
1493
1494 if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx,
1495 &krb5glue_creds_getkey(creds)))
1496 goto cleanup;
1497
1498 context->state = KERBEROS_STATE_AP_REQ;
1499 }
1500 else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
1501 {
1502 if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL,
1503 credentials->keytab, &ap_flags, NULL))
1504 goto cleanup;
1505
1506 if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx,
1507 KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
1508 goto cleanup;
1509
1510 /* Retrieve and validate the checksum */
1511 if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx,
1512 &authenticator))
1513 goto cleanup;
1514 if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
1515 &context->flags))
1516 goto bad_token;
1517
1518 if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG))
1519 {
1520 if (!output_buffer)
1521 goto bad_token;
1522 if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token))
1523 goto cleanup;
1524 if (!sspi_gss_wrap_token(output_buffer,
1525 context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
1526 TOK_ID_AP_REP, &output_token))
1527 goto cleanup;
1528 }
1529 else
1530 {
1531 if (output_buffer)
1532 output_buffer->cbBuffer = 0;
1533 }
1534
1535 *pfContextAttr = (context->flags & 0x1F);
1536 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1537 *pfContextAttr |= ASC_RET_INTEGRITY;
1538
1539 if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
1540 {
1541 if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx,
1542 (INT32*)&context->local_seq))
1543 goto cleanup;
1544 if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx,
1545 (INT32*)&context->remote_seq))
1546 goto cleanup;
1547 }
1548
1549 if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE,
1550 &context->keyset))
1551 goto cleanup;
1552
1553 context->state = KERBEROS_STATE_FINAL;
1554 }
1555 else
1556 goto bad_token;
1557
1558 /* On first call allocate new context */
1559 if (context->state == KERBEROS_STATE_FINAL)
1560 status = SEC_E_OK;
1561 else
1562 status = SEC_I_CONTINUE_NEEDED;
1563
1564cleanup:
1565 free(target);
1566 if (output_token.data)
1567 krb5glue_free_data_contents(credentials->ctx, &output_token);
1568 if (entry.principal)
1569 krb5glue_free_keytab_entry_contents(credentials->ctx, &entry);
1570
1571 if (isNewContext)
1572 {
1573 switch (status)
1574 {
1575 case SEC_E_OK:
1576 case SEC_I_CONTINUE_NEEDED:
1577 sspi_SecureHandleSetLowerPointer(phNewContext, context);
1578 sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME);
1579 break;
1580 default:
1581 kerberos_ContextFree(context, TRUE);
1582 break;
1583 }
1584 }
1585
1586 return status;
1587
1588bad_token:
1589 status = SEC_E_INVALID_TOKEN;
1590 goto cleanup;
1591#else
1592 return SEC_E_UNSUPPORTED_FUNCTION;
1593#endif /* WITH_KRB5 */
1594}
1595
1596#ifdef WITH_KRB5
1597static KRB_CONTEXT* get_context(PCtxtHandle phContext)
1598{
1599 if (!phContext)
1600 return NULL;
1601
1602 TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext);
1603 if (!name)
1604 return NULL;
1605
1606 if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0)
1607 return NULL;
1608 return sspi_SecureHandleGetLowerPointer(phContext);
1609}
1610
1611static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize)
1612{
1613 WINPR_ASSERT(data);
1614 WINPR_ASSERT(ptr);
1615 WINPR_ASSERT(psize);
1616
1617 *ptr = (PUCHAR)malloc(data->length);
1618 if (!*ptr)
1619 return FALSE;
1620
1621 *psize = data->length;
1622 memcpy(*ptr, data->data, data->length);
1623 return TRUE;
1624}
1625#endif
1626
1627static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext)
1628{
1629#ifdef WITH_KRB5
1630 KRB_CONTEXT* context = get_context(phContext);
1631 if (!context)
1632 return SEC_E_INVALID_HANDLE;
1633
1634 kerberos_ContextFree(context, TRUE);
1635
1636 return SEC_E_OK;
1637#else
1638 return SEC_E_UNSUPPORTED_FUNCTION;
1639#endif
1640}
1641
1642#ifdef WITH_KRB5
1643
1644static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code)
1645{
1646 switch (code)
1647 {
1648 case 0:
1649 return SEC_E_OK;
1650 default:
1651 return SEC_E_INTERNAL_ERROR;
1652 }
1653}
1654
1655static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials,
1656 SecPkgContext_Sizes* ContextSizes)
1657{
1658 UINT header = 0;
1659 UINT pad = 0;
1660 UINT trailer = 0;
1661 krb5glue_key key = NULL;
1662
1663 WINPR_ASSERT(context);
1664 WINPR_ASSERT(context->auth_ctx);
1665
1666 /* The MaxTokenSize by default is 12,000 bytes. This has been the default value
1667 * since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2.
1668 * For Windows Server 2012, the default value of the MaxTokenSize registry
1669 * entry is 48,000 bytes.*/
1670 ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1671 ContextSizes->cbMaxSignature = 0;
1672 ContextSizes->cbBlockSize = 1;
1673 ContextSizes->cbSecurityTrailer = 0;
1674
1675 key = get_key(&context->keyset);
1676
1677 if (context->flags & SSPI_GSS_C_CONF_FLAG)
1678 {
1679 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1680 KRB5_CRYPTO_TYPE_HEADER, &header);
1681 if (rv)
1682 return krb5_error_to_SECURITY_STATUS(rv);
1683
1684 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
1685 &pad);
1686 if (rv)
1687 return krb5_error_to_SECURITY_STATUS(rv);
1688
1689 rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
1690 &trailer);
1691 if (rv)
1692 return krb5_error_to_SECURITY_STATUS(rv);
1693
1694 /* GSS header (= 16 bytes) + encrypted header = 32 bytes */
1695 ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
1696 }
1697
1698 if (context->flags & SSPI_GSS_C_INTEG_FLAG)
1699 {
1700 krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key,
1701 KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature);
1702 if (rv)
1703 return krb5_error_to_SECURITY_STATUS(rv);
1704
1705 ContextSizes->cbMaxSignature += 16;
1706 }
1707
1708 return SEC_E_OK;
1709}
1710
1711static SECURITY_STATUS kerberos_ATTR_AUTH_IDENTITY(KRB_CONTEXT* context,
1712 KRB_CREDENTIALS* credentials,
1713 SecPkgContext_AuthIdentity* AuthIdentity)
1714{
1715 const SecPkgContext_AuthIdentity empty = { 0 };
1716
1717 WINPR_ASSERT(context);
1718 WINPR_ASSERT(context->auth_ctx);
1719 WINPR_ASSERT(credentials);
1720
1721 WINPR_ASSERT(AuthIdentity);
1722 *AuthIdentity = empty;
1723
1724 krb5glue_authenticator authenticator = NULL;
1725 krb5_error_code rv = krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx,
1726 context->auth_ctx, &authenticator);
1727 if (rv)
1728 goto fail;
1729
1730 {
1731 rv = -1;
1732
1733#if defined(WITH_KRB5_HEIMDAL)
1734 const Realm data = authenticator->crealm;
1735 if (!data)
1736 goto fail;
1737 const size_t data_len = length_Realm(&data);
1738#else
1739 krb5_data* realm_data = krb5_princ_realm(credentials->ctx, authenticator->client);
1740 if (!realm_data)
1741 goto fail;
1742 const char* data = realm_data->data;
1743 if (!data)
1744 goto fail;
1745 const size_t data_len = realm_data->length;
1746#endif
1747
1748 if (data_len > (sizeof(AuthIdentity->Domain) - 1))
1749 goto fail;
1750 strncpy(AuthIdentity->Domain, data, data_len);
1751 }
1752
1753 {
1754#if defined(WITH_KRB5_HEIMDAL)
1755 const PrincipalName* principal = &authenticator->cname;
1756 const size_t name_length = length_PrincipalName(principal);
1757 if (!principal->name_string.val)
1758 goto fail;
1759 const char* name = *principal->name_string.val;
1760#else
1761 char* name = NULL;
1762 rv = krb_log_exec(krb5_unparse_name_flags, credentials->ctx, authenticator->client,
1763 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
1764 if (rv)
1765 goto fail;
1766
1767 const size_t name_length = strlen(name);
1768#endif
1769
1770 const bool ok = (name_length <= (sizeof(AuthIdentity->User) - 1));
1771 if (ok)
1772 strncpy(AuthIdentity->User, name, name_length);
1773
1774 rv = ok ? 0 : -1;
1775
1776#if !defined(WITH_KRB5_HEIMDAL)
1777 krb5_free_unparsed_name(credentials->ctx, name);
1778#endif
1779 }
1780
1781fail:
1782 krb5glue_free_authenticator(credentials->ctx, authenticator);
1783 return krb5_error_to_SECURITY_STATUS(rv);
1784}
1785
1786static SECURITY_STATUS kerberos_ATTR_PACKAGE_INFO(WINPR_ATTR_UNUSED KRB_CONTEXT* context,
1787 WINPR_ATTR_UNUSED KRB_CREDENTIALS* credentials,
1788 SecPkgContext_PackageInfo* PackageInfo)
1789{
1790 size_t size = sizeof(SecPkgInfoA);
1791 SecPkgInfoA* pPackageInfo =
1792 (SecPkgInfoA*)sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
1793
1794 if (!pPackageInfo)
1795 return SEC_E_INSUFFICIENT_MEMORY;
1796
1797 pPackageInfo->fCapabilities = KERBEROS_SecPkgInfoA.fCapabilities;
1798 pPackageInfo->wVersion = KERBEROS_SecPkgInfoA.wVersion;
1799 pPackageInfo->wRPCID = KERBEROS_SecPkgInfoA.wRPCID;
1800 pPackageInfo->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken;
1801 pPackageInfo->Name = _strdup(KERBEROS_SecPkgInfoA.Name);
1802 pPackageInfo->Comment = _strdup(KERBEROS_SecPkgInfoA.Comment);
1803
1804 if (!pPackageInfo->Name || !pPackageInfo->Comment)
1805 {
1806 sspi_ContextBufferFree(pPackageInfo);
1807 return SEC_E_INSUFFICIENT_MEMORY;
1808 }
1809 PackageInfo->PackageInfo = pPackageInfo;
1810 return SEC_E_OK;
1811}
1812
1813static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context,
1814 KRB_CREDENTIALS* credentials,
1815 KERB_TICKET_LOGON* ticketLogon)
1816{
1817 krb5_creds matchCred = { 0 };
1818 krb5_auth_context authContext = NULL;
1819 krb5_flags getCredsFlags = KRB5_GC_CACHED;
1820 BOOL firstRun = TRUE;
1821 krb5_creds* hostCred = NULL;
1822 SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY;
1823 int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost, "HOST",
1824 KRB5_NT_SRV_HST, &matchCred.server);
1825 if (rv)
1826 goto out;
1827
1828 rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache,
1829 &matchCred.client);
1830 if (rv)
1831 goto out;
1832
1833 /* try from the cache first, and then do a new request */
1834again:
1835 rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache,
1836 &matchCred, &hostCred);
1837 switch (rv)
1838 {
1839 case 0:
1840 break;
1841 case KRB5_CC_NOTFOUND:
1842 getCredsFlags = 0;
1843 if (firstRun)
1844 {
1845 firstRun = FALSE;
1846 goto again;
1847 }
1848 WINPR_FALLTHROUGH
1849 default:
1850 WLog_ERR(TAG, "krb5_get_credentials(hostCreds), rv=%d", rv);
1851 goto out;
1852 }
1853
1854 if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext))
1855 goto out;
1856
1857 {
1858 krb5_data derOut = { 0 };
1859 if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost,
1860 matchCred.client, matchCred.server, credentials->ccache, 1, &derOut))
1861 {
1862 ret = SEC_E_LOGON_DENIED;
1863 goto out;
1864 }
1865
1866 ticketLogon->MessageType = KerbTicketLogon;
1867 ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED;
1868
1869 if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket,
1870 &ticketLogon->ServiceTicketLength))
1871 {
1872 krb5_free_data(credentials->ctx, &derOut);
1873 goto out;
1874 }
1875
1876 ticketLogon->TicketGrantingTicketLength = derOut.length;
1877 ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data;
1878 }
1879
1880 ret = SEC_E_OK;
1881out:
1882 krb5_auth_con_free(credentials->ctx, authContext);
1883 krb5_free_creds(credentials->ctx, hostCred);
1884 krb5_free_cred_contents(credentials->ctx, &matchCred);
1885 return ret;
1886}
1887
1888#endif /* WITH_KRB5 */
1889
1890static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext,
1891 ULONG ulAttribute, void* pBuffer)
1892{
1893 if (!phContext)
1894 return SEC_E_INVALID_HANDLE;
1895
1896 if (!pBuffer)
1897 return SEC_E_INVALID_PARAMETER;
1898
1899#ifdef WITH_KRB5
1900 KRB_CONTEXT* context = get_context(phContext);
1901 if (!context)
1902 return SEC_E_INVALID_PARAMETER;
1903
1904 KRB_CREDENTIALS* credentials = context->credentials;
1905
1906 switch (ulAttribute)
1907 {
1908 case SECPKG_ATTR_SIZES:
1909 return kerberos_ATTR_SIZES(context, credentials, (SecPkgContext_Sizes*)pBuffer);
1910
1911 case SECPKG_ATTR_AUTH_IDENTITY:
1912 return kerberos_ATTR_AUTH_IDENTITY(context, credentials,
1913 (SecPkgContext_AuthIdentity*)pBuffer);
1914
1915 case SECPKG_ATTR_PACKAGE_INFO:
1916 return kerberos_ATTR_PACKAGE_INFO(context, credentials,
1917 (SecPkgContext_PackageInfo*)pBuffer);
1918
1919 case SECPKG_CRED_ATTR_TICKET_LOGON:
1920 return kerberos_ATTR_TICKET_LOGON(context, credentials, (KERB_TICKET_LOGON*)pBuffer);
1921
1922 default:
1923 WLog_ERR(TAG, "TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32,
1924 ulAttribute);
1925 return SEC_E_UNSUPPORTED_FUNCTION;
1926 }
1927#else
1928 return SEC_E_UNSUPPORTED_FUNCTION;
1929#endif
1930}
1931
1932static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext,
1933 ULONG ulAttribute, void* pBuffer)
1934{
1935 return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer);
1936}
1937
1938static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW(
1939 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1940 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1941{
1942 return SEC_E_UNSUPPORTED_FUNCTION;
1943}
1944
1945static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA(
1946 WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute,
1947 WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer)
1948{
1949 return SEC_E_UNSUPPORTED_FUNCTION;
1950}
1951
1952static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(PCredHandle phCredential,
1953 ULONG ulAttribute,
1954 void* pBuffer, ULONG cbBuffer,
1955 WINPR_ATTR_UNUSED BOOL unicode)
1956{
1957#ifdef WITH_KRB5
1958 KRB_CREDENTIALS* credentials = NULL;
1959
1960 if (!phCredential)
1961 return SEC_E_INVALID_HANDLE;
1962
1963 credentials = sspi_SecureHandleGetLowerPointer(phCredential);
1964
1965 if (!credentials)
1966 return SEC_E_INVALID_HANDLE;
1967
1968 if (!pBuffer)
1969 return SEC_E_INSUFFICIENT_MEMORY;
1970
1971 switch (ulAttribute)
1972 {
1973 case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS:
1974 {
1975 SecPkgCredentials_KdcProxySettingsW* kdc_settings = pBuffer;
1976
1977 /* Sanity checks */
1978 if (cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1979 kdc_settings->Version != KDC_PROXY_SETTINGS_V1 ||
1980 kdc_settings->ProxyServerOffset < sizeof(SecPkgCredentials_KdcProxySettingsW) ||
1981 cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) +
1982 kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength)
1983 return SEC_E_INVALID_TOKEN;
1984
1985 if (credentials->kdc_url)
1986 {
1987 free(credentials->kdc_url);
1988 credentials->kdc_url = NULL;
1989 }
1990
1991 if (kdc_settings->ProxyServerLength > 0)
1992 {
1993 WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset);
1994
1995 credentials->kdc_url = ConvertWCharNToUtf8Alloc(
1996 proxy, kdc_settings->ProxyServerLength / sizeof(WCHAR), NULL);
1997 if (!credentials->kdc_url)
1998 return SEC_E_INSUFFICIENT_MEMORY;
1999 }
2000
2001 return SEC_E_OK;
2002 }
2003 case SECPKG_CRED_ATTR_NAMES:
2004 case SECPKG_ATTR_SUPPORTED_ALGS:
2005 default:
2006 WLog_ERR(TAG, "TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32,
2007 ulAttribute);
2008 return SEC_E_UNSUPPORTED_FUNCTION;
2009 }
2010
2011#else
2012 return SEC_E_UNSUPPORTED_FUNCTION;
2013#endif
2014}
2015
2016static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(PCredHandle phCredential,
2017 ULONG ulAttribute,
2018 void* pBuffer, ULONG cbBuffer)
2019{
2020 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE);
2021}
2022
2023static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(PCredHandle phCredential,
2024 ULONG ulAttribute,
2025 void* pBuffer, ULONG cbBuffer)
2026{
2027 return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE);
2028}
2029
2030static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP,
2031 PSecBufferDesc pMessage,
2032 ULONG MessageSeqNo)
2033{
2034#ifdef WITH_KRB5
2035 KRB_CONTEXT* context = get_context(phContext);
2036 PSecBuffer sig_buffer = NULL;
2037 PSecBuffer data_buffer = NULL;
2038 char* header = NULL;
2039 BYTE flags = 0;
2040 krb5glue_key key = NULL;
2041 krb5_keyusage usage = 0;
2042 krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2043 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2044 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2045 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2046 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2047
2048 if (!context)
2049 return SEC_E_INVALID_HANDLE;
2050
2051 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2052 return SEC_E_UNSUPPORTED_FUNCTION;
2053
2054 KRB_CREDENTIALS* creds = context->credentials;
2055
2056 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2057 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2058
2059 if (!sig_buffer || !data_buffer)
2060 return SEC_E_INVALID_TOKEN;
2061
2062 if (fQOP)
2063 return SEC_E_QOP_NOT_SUPPORTED;
2064
2065 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2066 flags |= FLAG_WRAP_CONFIDENTIAL;
2067
2068 key = get_key(&context->keyset);
2069 if (!key)
2070 return SEC_E_INTERNAL_ERROR;
2071
2072 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2073
2074 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL;
2075
2076 /* Set the lengths of the data (plaintext + header) */
2077 encrypt_iov[1].data.length = data_buffer->cbBuffer;
2078 encrypt_iov[2].data.length = 16;
2079
2080 /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
2081 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov,
2082 ARRAYSIZE(encrypt_iov)))
2083 return SEC_E_INTERNAL_ERROR;
2084 if (sig_buffer->cbBuffer <
2085 encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
2086 return SEC_E_INSUFFICIENT_MEMORY;
2087
2088 /* Set up the iov array in sig_buffer */
2089 header = sig_buffer->pvBuffer;
2090 encrypt_iov[2].data.data = header + 16;
2091 encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length;
2092 encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length;
2093 encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length;
2094 encrypt_iov[1].data.data = data_buffer->pvBuffer;
2095
2096 /* Write the GSS header with 0 in RRC */
2097 winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP);
2098 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2099 header[3] = (char)0xFF;
2100 winpr_Data_Write_UINT32(header + 4, 0);
2101 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2102
2103 /* Copy header to be encrypted */
2104 CopyMemory(encrypt_iov[2].data.data, header, 16);
2105
2106 /* Set the correct RRC */
2107 const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length;
2108 winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len));
2109
2110 if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov,
2111 ARRAYSIZE(encrypt_iov)))
2112 return SEC_E_INTERNAL_ERROR;
2113
2114 return SEC_E_OK;
2115#else
2116 return SEC_E_UNSUPPORTED_FUNCTION;
2117#endif
2118}
2119
2120static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
2121 PSecBufferDesc pMessage,
2122 ULONG MessageSeqNo, ULONG* pfQOP)
2123{
2124#ifdef WITH_KRB5
2125 KRB_CONTEXT* context = get_context(phContext);
2126 PSecBuffer sig_buffer = NULL;
2127 PSecBuffer data_buffer = NULL;
2128 krb5glue_key key = NULL;
2129 krb5_keyusage usage = 0;
2130 uint16_t tok_id = 0;
2131 BYTE flags = 0;
2132 uint16_t ec = 0;
2133 uint16_t rrc = 0;
2134 uint64_t seq_no = 0;
2135 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } },
2136 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2137 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2138 { KRB5_CRYPTO_TYPE_PADDING, { 0 } },
2139 { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } };
2140
2141 if (!context)
2142 return SEC_E_INVALID_HANDLE;
2143
2144 if (!(context->flags & SSPI_GSS_C_CONF_FLAG))
2145 return SEC_E_UNSUPPORTED_FUNCTION;
2146
2147 KRB_CREDENTIALS* creds = context->credentials;
2148
2149 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2150 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2151
2152 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2153 return SEC_E_INVALID_TOKEN;
2154
2155 /* Read in header information */
2156 BYTE* header = sig_buffer->pvBuffer;
2157 tok_id = winpr_Data_Get_UINT16_BE(header);
2158 flags = header[2];
2159 ec = winpr_Data_Get_UINT16_BE(&header[4]);
2160 rrc = winpr_Data_Get_UINT16_BE(&header[6]);
2161 seq_no = winpr_Data_Get_UINT64_BE(&header[8]);
2162
2163 /* Check that the header is valid */
2164 if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF))
2165 return SEC_E_INVALID_TOKEN;
2166
2167 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor)
2168 return SEC_E_INVALID_TOKEN;
2169
2170 if ((context->flags & ISC_REQ_SEQUENCE_DETECT) &&
2171 (seq_no != context->remote_seq + MessageSeqNo))
2172 return SEC_E_OUT_OF_SEQUENCE;
2173
2174 if (!(flags & FLAG_WRAP_CONFIDENTIAL))
2175 return SEC_E_INVALID_TOKEN;
2176
2177 /* We don't expect a trailer buffer; the encrypted header must be rotated */
2178 if (rrc < 16)
2179 return SEC_E_INVALID_TOKEN;
2180
2181 /* Find the proper key and key usage */
2182 key = get_key(&context->keyset);
2183 if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key)))
2184 return SEC_E_INTERNAL_ERROR;
2185 usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
2186
2187 /* Fill in the lengths of the iov array */
2188 iov[1].data.length = data_buffer->cbBuffer;
2189 iov[2].data.length = 16;
2190 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2191 return SEC_E_INTERNAL_ERROR;
2192
2193 /* We don't expect a trailer buffer; everything must be in sig_buffer */
2194 if (rrc != 16 + iov[3].data.length + iov[4].data.length)
2195 return SEC_E_INVALID_TOKEN;
2196 if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length)
2197 return SEC_E_INVALID_TOKEN;
2198
2199 /* Locate the parts of the message */
2200 iov[0].data.data = (char*)&header[16 + rrc + ec];
2201 iov[1].data.data = data_buffer->pvBuffer;
2202 iov[2].data.data = (char*)&header[16 + ec];
2203 char* data2 = iov[2].data.data;
2204 iov[3].data.data = &data2[iov[2].data.length];
2205
2206 char* data3 = iov[3].data.data;
2207 iov[4].data.data = &data3[iov[3].data.length];
2208
2209 if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2210 return SEC_E_INTERNAL_ERROR;
2211
2212 /* Validate the encrypted header */
2213 winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec);
2214 winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc);
2215 if (memcmp(iov[2].data.data, header, 16) != 0)
2216 return SEC_E_MESSAGE_ALTERED;
2217
2218 *pfQOP = 0;
2219
2220 return SEC_E_OK;
2221#else
2222 return SEC_E_UNSUPPORTED_FUNCTION;
2223#endif
2224}
2225
2226static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext,
2227 WINPR_ATTR_UNUSED ULONG fQOP,
2228 PSecBufferDesc pMessage, ULONG MessageSeqNo)
2229{
2230#ifdef WITH_KRB5
2231 KRB_CONTEXT* context = get_context(phContext);
2232 PSecBuffer sig_buffer = NULL;
2233 PSecBuffer data_buffer = NULL;
2234 krb5glue_key key = NULL;
2235 krb5_keyusage usage = 0;
2236 BYTE flags = 0;
2237 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2238 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2239 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2240
2241 if (!context)
2242 return SEC_E_INVALID_HANDLE;
2243
2244 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2245 return SEC_E_UNSUPPORTED_FUNCTION;
2246
2247 KRB_CREDENTIALS* creds = context->credentials;
2248
2249 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2250 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2251
2252 if (!sig_buffer || !data_buffer)
2253 return SEC_E_INVALID_TOKEN;
2254
2255 flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0;
2256
2257 key = get_key(&context->keyset);
2258 if (!key)
2259 return SEC_E_INTERNAL_ERROR;
2260 usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN;
2261
2262 flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0;
2263
2264 /* Fill in the lengths of the iov array */
2265 iov[0].data.length = data_buffer->cbBuffer;
2266 iov[1].data.length = 16;
2267 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2268 return SEC_E_INTERNAL_ERROR;
2269
2270 /* Ensure the buffer is big enough */
2271 if (sig_buffer->cbBuffer < iov[2].data.length + 16)
2272 return SEC_E_INSUFFICIENT_MEMORY;
2273
2274 /* Write the header */
2275 char* header = sig_buffer->pvBuffer;
2276 winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC);
2277 header[2] = WINPR_ASSERTING_INT_CAST(char, flags);
2278 memset(header + 3, 0xFF, 5);
2279 winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo));
2280
2281 /* Set up the iov array */
2282 iov[0].data.data = data_buffer->pvBuffer;
2283 iov[1].data.data = header;
2284 iov[2].data.data = header + 16;
2285
2286 if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov)))
2287 return SEC_E_INTERNAL_ERROR;
2288
2289 sig_buffer->cbBuffer = iov[2].data.length + 16;
2290
2291 return SEC_E_OK;
2292#else
2293 return SEC_E_UNSUPPORTED_FUNCTION;
2294#endif
2295}
2296
2297static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
2298 PSecBufferDesc pMessage,
2299 ULONG MessageSeqNo,
2300 WINPR_ATTR_UNUSED ULONG* pfQOP)
2301{
2302#ifdef WITH_KRB5
2303 PSecBuffer sig_buffer = NULL;
2304 PSecBuffer data_buffer = NULL;
2305 krb5glue_key key = NULL;
2306 krb5_keyusage usage = 0;
2307 BYTE flags = 0;
2308 uint16_t tok_id = 0;
2309 uint64_t seq_no = 0;
2310 krb5_boolean is_valid = 0;
2311 krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2312 { KRB5_CRYPTO_TYPE_DATA, { 0 } },
2313 { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } };
2314 BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
2315
2316 KRB_CONTEXT* context = get_context(phContext);
2317 if (!context)
2318 return SEC_E_INVALID_HANDLE;
2319
2320 if (!(context->flags & SSPI_GSS_C_INTEG_FLAG))
2321 return SEC_E_UNSUPPORTED_FUNCTION;
2322
2323 sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN);
2324 data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA);
2325
2326 if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16)
2327 return SEC_E_INVALID_TOKEN;
2328
2329 /* Read in header info */
2330 BYTE* header = sig_buffer->pvBuffer;
2331 tok_id = winpr_Data_Get_UINT16_BE(header);
2332 flags = header[2];
2333 seq_no = winpr_Data_Get_UINT64_BE((header + 8));
2334
2335 /* Validate header */
2336 if (tok_id != TOK_ID_MIC)
2337 return SEC_E_INVALID_TOKEN;
2338
2339 if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL)
2340 return SEC_E_INVALID_TOKEN;
2341
2342 if (memcmp(header + 3, cmp_filler, sizeof(cmp_filler)) != 0)
2343 return SEC_E_INVALID_TOKEN;
2344
2345 if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo)
2346 return SEC_E_OUT_OF_SEQUENCE;
2347
2348 /* Find the proper key and usage */
2349 key = get_key(&context->keyset);
2350 if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key))
2351 return SEC_E_INTERNAL_ERROR;
2352 usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
2353
2354 /* Fill in the iov array lengths */
2355 KRB_CREDENTIALS* creds = context->credentials;
2356 iov[0].data.length = data_buffer->cbBuffer;
2357 iov[1].data.length = 16;
2358 if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov)))
2359 return SEC_E_INTERNAL_ERROR;
2360
2361 if (sig_buffer->cbBuffer != iov[2].data.length + 16)
2362 return SEC_E_INTERNAL_ERROR;
2363
2364 /* Set up the iov array */
2365 iov[0].data.data = data_buffer->pvBuffer;
2366 iov[1].data.data = (char*)header;
2367 iov[2].data.data = (char*)&header[16];
2368
2369 if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov),
2370 &is_valid))
2371 return SEC_E_INTERNAL_ERROR;
2372
2373 if (!is_valid)
2374 return SEC_E_MESSAGE_ALTERED;
2375
2376 return SEC_E_OK;
2377#else
2378 return SEC_E_UNSUPPORTED_FUNCTION;
2379#endif
2380}
2381
2382const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = {
2383 3, /* dwVersion */
2384 NULL, /* EnumerateSecurityPackages */
2385 kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
2386 kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
2387 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2388 NULL, /* Reserved2 */
2389 kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */
2390 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2391 NULL, /* CompleteAuthToken */
2392 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2393 NULL, /* ApplyControlToken */
2394 kerberos_QueryContextAttributesA, /* QueryContextAttributes */
2395 NULL, /* ImpersonateSecurityContext */
2396 NULL, /* RevertSecurityContext */
2397 kerberos_MakeSignature, /* MakeSignature */
2398 kerberos_VerifySignature, /* VerifySignature */
2399 NULL, /* FreeContextBuffer */
2400 NULL, /* QuerySecurityPackageInfo */
2401 NULL, /* Reserved3 */
2402 NULL, /* Reserved4 */
2403 NULL, /* ExportSecurityContext */
2404 NULL, /* ImportSecurityContext */
2405 NULL, /* AddCredentials */
2406 NULL, /* Reserved8 */
2407 NULL, /* QuerySecurityContextToken */
2408 kerberos_EncryptMessage, /* EncryptMessage */
2409 kerberos_DecryptMessage, /* DecryptMessage */
2410 kerberos_SetContextAttributesA, /* SetContextAttributes */
2411 kerberos_SetCredentialsAttributesA, /* SetCredentialsAttributes */
2412};
2413
2414const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = {
2415 3, /* dwVersion */
2416 NULL, /* EnumerateSecurityPackages */
2417 kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
2418 kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
2419 kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
2420 NULL, /* Reserved2 */
2421 kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */
2422 kerberos_AcceptSecurityContext, /* AcceptSecurityContext */
2423 NULL, /* CompleteAuthToken */
2424 kerberos_DeleteSecurityContext, /* DeleteSecurityContext */
2425 NULL, /* ApplyControlToken */
2426 kerberos_QueryContextAttributesW, /* QueryContextAttributes */
2427 NULL, /* ImpersonateSecurityContext */
2428 NULL, /* RevertSecurityContext */
2429 kerberos_MakeSignature, /* MakeSignature */
2430 kerberos_VerifySignature, /* VerifySignature */
2431 NULL, /* FreeContextBuffer */
2432 NULL, /* QuerySecurityPackageInfo */
2433 NULL, /* Reserved3 */
2434 NULL, /* Reserved4 */
2435 NULL, /* ExportSecurityContext */
2436 NULL, /* ImportSecurityContext */
2437 NULL, /* AddCredentials */
2438 NULL, /* Reserved8 */
2439 NULL, /* QuerySecurityContextToken */
2440 kerberos_EncryptMessage, /* EncryptMessage */
2441 kerberos_DecryptMessage, /* DecryptMessage */
2442 kerberos_SetContextAttributesW, /* SetContextAttributes */
2443 kerberos_SetCredentialsAttributesW, /* SetCredentialsAttributes */
2444};
2445
2446BOOL KERBEROS_init(void)
2447{
2448 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer,
2449 ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer));
2450 InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer,
2451 ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer));
2452 return TRUE;
2453}
KERB_TICKET_LOGON
Definition secapi.h:51
SECURITY_INTEGER
Definition include/winpr/sspi.h:51
SEC_CHANNEL_BINDINGS
Definition include/winpr/sspi.h:349
SEC_WINNT_AUTH_IDENTITY_WINPR
Definition include/winpr/sspi.h:885
SEC_WINPR_KERBEROS_SETTINGS
Definition include/winpr/sspi.h:870
SecPkgContext_AuthIdentity
Definition include/winpr/sspi.h:1342
SecPkgContext_PackageInfo
Definition include/winpr/sspi.h:404
SecPkgContext_Sizes
Definition include/winpr/sspi.h:427
SecPkgCredentials_KdcProxySettingsW
Definition include/winpr/sspi.h:525
WinPrAsn1_MemoryChunk
Definition asn1.h:79
krb5glue_keyset
Definition krb5glue.h:92
sspi_gss_data
Definition sspi_gss.h:36
SEC_WINNT_AUTH_IDENTITY_INFO
Definition include/winpr/sspi.h:783