Coverage Report

Created: 2025-07-11 06:41

/src/FreeRDP/winpr/libwinpr/sspi/Negotiate/negotiate.c
Line
Count
Source (jump to first uncovered line)
1
/**
2
 * WinPR: Windows Portable Runtime
3
 * Negotiate Security Package
4
 *
5
 * Copyright 2011-2014 Marc-Andre Moreau <marcandre.moreau@gmail.com>
6
 * Copyright 2017 Dorian Ducournau <dorian.ducournau@gmail.com>
7
 *
8
 * Licensed under the Apache License, Version 2.0 (the "License");
9
 * you may not use this file except in compliance with the License.
10
 * You may obtain a copy of the License at
11
 *
12
 *     http://www.apache.org/licenses/LICENSE-2.0
13
 *
14
 * Unless required by applicable law or agreed to in writing, software
15
 * distributed under the License is distributed on an "AS IS" BASIS,
16
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17
 * See the License for the specific language governing permissions and
18
 * limitations under the License.
19
 */
20
21
#include <winpr/config.h>
22
23
#include <winpr/crt.h>
24
#include <winpr/wtypes.h>
25
#include <winpr/assert.h>
26
#include <winpr/sspi.h>
27
#include <winpr/tchar.h>
28
#include <winpr/registry.h>
29
#include <winpr/build-config.h>
30
#include <winpr/asn1.h>
31
32
#include "negotiate.h"
33
34
#include "../NTLM/ntlm.h"
35
#include "../NTLM/ntlm_export.h"
36
#include "../Kerberos/kerberos.h"
37
#include "../sspi.h"
38
#include "../../log.h"
39
#define TAG WINPR_TAG("negotiate")
40
41
static const char NEGO_REG_KEY[] =
42
    "Software\\" WINPR_VENDOR_STRING "\\" WINPR_PRODUCT_STRING "\\SSPI\\Negotiate";
43
44
typedef struct
45
{
46
  const TCHAR* name;
47
  const SecurityFunctionTableA* table;
48
  const SecurityFunctionTableW* table_w;
49
} SecPkg;
50
51
struct Mech_st
52
{
53
  const WinPrAsn1_OID* oid;
54
  const SecPkg* pkg;
55
  const UINT flags;
56
  const BOOL preferred;
57
};
58
59
typedef struct
60
{
61
  const Mech* mech;
62
  CredHandle cred;
63
  BOOL valid;
64
} MechCred;
65
66
const SecPkgInfoA NEGOTIATE_SecPkgInfoA = {
67
  0x00083BB3,                    /* fCapabilities */
68
  1,                             /* wVersion */
69
  0x0009,                        /* wRPCID */
70
  0x00002FE0,                    /* cbMaxToken */
71
  "Negotiate",                   /* Name */
72
  "Microsoft Package Negotiator" /* Comment */
73
};
74
75
static WCHAR NEGOTIATE_SecPkgInfoW_NameBuffer[32] = { 0 };
76
static WCHAR NEGOTIATE_SecPkgInfoW_CommentBuffer[32] = { 0 };
77
78
const SecPkgInfoW NEGOTIATE_SecPkgInfoW = {
79
  0x00083BB3,                         /* fCapabilities */
80
  1,                                  /* wVersion */
81
  0x0009,                             /* wRPCID */
82
  0x00002FE0,                         /* cbMaxToken */
83
  NEGOTIATE_SecPkgInfoW_NameBuffer,   /* Name */
84
  NEGOTIATE_SecPkgInfoW_CommentBuffer /* Comment */
85
};
86
87
static const WinPrAsn1_OID spnego_OID = { 6, (BYTE*)"\x2b\x06\x01\x05\x05\x02" };
88
static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
89
                                              (BYTE*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
90
static const WinPrAsn1_OID kerberos_OID = { 9, (BYTE*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
91
static const WinPrAsn1_OID kerberos_wrong_OID = { 9,
92
                                                (BYTE*)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02" };
93
static const WinPrAsn1_OID ntlm_OID = { 10, (BYTE*)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
94
95
static const WinPrAsn1_OID negoex_OID = { 10, (BYTE*)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e" };
96
97
#ifdef WITH_KRB5
98
static const SecPkg SecPkgTable[] = {
99
  { KERBEROS_SSP_NAME, &KERBEROS_SecurityFunctionTableA, &KERBEROS_SecurityFunctionTableW },
100
  { KERBEROS_SSP_NAME, &KERBEROS_SecurityFunctionTableA, &KERBEROS_SecurityFunctionTableW },
101
  { NTLM_SSP_NAME, &NTLM_SecurityFunctionTableA, &NTLM_SecurityFunctionTableW }
102
};
103
104
static const Mech MechTable[] = {
105
  { &kerberos_u2u_OID, &SecPkgTable[0], ISC_REQ_INTEGRITY | ISC_REQ_USE_SESSION_KEY, TRUE },
106
  { &kerberos_OID, &SecPkgTable[1], ISC_REQ_INTEGRITY, TRUE },
107
  { &ntlm_OID, &SecPkgTable[2], 0, FALSE },
108
};
109
#else
110
static const SecPkg SecPkgTable[] = { { NTLM_SSP_NAME, &NTLM_SecurityFunctionTableA,
111
                                      &NTLM_SecurityFunctionTableW } };
112
113
static const Mech MechTable[] = {
114
  { &ntlm_OID, &SecPkgTable[0], 0, FALSE },
115
};
116
#endif
117
118
static const size_t MECH_COUNT = sizeof(MechTable) / sizeof(Mech);
119
120
enum NegState
121
{
122
  NOSTATE = -1,
123
  ACCEPT_COMPLETED,
124
  ACCEPT_INCOMPLETE,
125
  REJECT,
126
  REQUEST_MIC
127
};
128
129
typedef struct
130
{
131
  enum NegState negState;
132
  BOOL init;
133
  WinPrAsn1_OID supportedMech;
134
  SecBuffer mechTypes;
135
  SecBuffer mechToken;
136
  SecBuffer mic;
137
} NegToken;
138
139
static const NegToken empty_neg_token = { NOSTATE,        FALSE,          { 0, NULL },
140
                                        { 0, 0, NULL }, { 0, 0, NULL }, { 0, 0, NULL } };
141
142
static NEGOTIATE_CONTEXT* negotiate_ContextNew(NEGOTIATE_CONTEXT* init_context)
143
0
{
144
0
  NEGOTIATE_CONTEXT* context = NULL;
145
146
0
  WINPR_ASSERT(init_context);
147
148
0
  context = calloc(1, sizeof(NEGOTIATE_CONTEXT));
149
0
  if (!context)
150
0
    return NULL;
151
152
0
  if (init_context->spnego)
153
0
  {
154
0
    init_context->mechTypes.pvBuffer = malloc(init_context->mechTypes.cbBuffer);
155
0
    if (!init_context->mechTypes.pvBuffer)
156
0
    {
157
0
      free(context);
158
0
      return NULL;
159
0
    }
160
0
  }
161
162
0
  *context = *init_context;
163
164
0
  return context;
165
0
}
166
167
static void negotiate_ContextFree(NEGOTIATE_CONTEXT* context)
168
0
{
169
0
  WINPR_ASSERT(context);
170
171
0
  if (context->mechTypes.pvBuffer)
172
0
    free(context->mechTypes.pvBuffer);
173
0
  free(context);
174
0
}
175
176
static const char* negotiate_mech_name(const WinPrAsn1_OID* oid)
177
0
{
178
0
  if (sspi_gss_oid_compare(oid, &spnego_OID))
179
0
    return "SPNEGO (1.3.6.1.5.5.2)";
180
0
  else if (sspi_gss_oid_compare(oid, &kerberos_u2u_OID))
181
0
    return "Kerberos user to user (1.2.840.113554.1.2.2.3)";
182
0
  else if (sspi_gss_oid_compare(oid, &kerberos_OID))
183
0
    return "Kerberos (1.2.840.113554.1.2.2)";
184
0
  else if (sspi_gss_oid_compare(oid, &kerberos_wrong_OID))
185
0
    return "Kerberos [wrong OID] (1.2.840.48018.1.2.2)";
186
0
  else if (sspi_gss_oid_compare(oid, &ntlm_OID))
187
0
    return "NTLM (1.3.6.1.4.1.311.2.2.10)";
188
0
  else if (sspi_gss_oid_compare(oid, &negoex_OID))
189
0
    return "NegoEx (1.3.6.1.4.1.311.2.2.30)";
190
0
  else
191
0
    return "Unknown mechanism";
192
0
}
193
194
static const Mech* negotiate_GetMechByOID(const WinPrAsn1_OID* oid)
195
0
{
196
0
  WINPR_ASSERT(oid);
197
198
0
  WinPrAsn1_OID testOid = *oid;
199
200
0
  if (sspi_gss_oid_compare(&testOid, &kerberos_wrong_OID))
201
0
  {
202
0
    testOid.len = kerberos_OID.len;
203
0
    testOid.data = kerberos_OID.data;
204
0
  }
205
206
0
  for (size_t i = 0; i < MECH_COUNT; i++)
207
0
  {
208
0
    if (sspi_gss_oid_compare(&testOid, MechTable[i].oid))
209
0
      return &MechTable[i];
210
0
  }
211
0
  return NULL;
212
0
}
213
214
static PSecHandle negotiate_FindCredential(MechCred* creds, const Mech* mech)
215
0
{
216
0
  WINPR_ASSERT(creds);
217
218
0
  if (!mech)
219
0
    return NULL;
220
221
0
  for (size_t i = 0; i < MECH_COUNT; i++)
222
0
  {
223
0
    MechCred* cred = &creds[i];
224
225
0
    if (cred->mech == mech)
226
0
    {
227
0
      if (cred->valid)
228
0
        return &cred->cred;
229
0
      return NULL;
230
0
    }
231
0
  }
232
233
0
  return NULL;
234
0
}
235
236
static BOOL negotiate_get_dword(HKEY hKey, const char* subkey, DWORD* pdwValue)
237
0
{
238
0
  DWORD dwValue = 0;
239
0
  DWORD dwType = 0;
240
0
  DWORD dwSize = sizeof(dwValue);
241
0
  LONG rc = RegQueryValueExA(hKey, subkey, NULL, &dwType, (BYTE*)&dwValue, &dwSize);
242
243
0
  if (rc != ERROR_SUCCESS)
244
0
    return FALSE;
245
0
  if (dwType != REG_DWORD)
246
0
    return FALSE;
247
248
0
  *pdwValue = dwValue;
249
0
  return TRUE;
250
0
}
251
252
static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* kerberos, BOOL* ntlm,
253
                                                        BOOL* u2u)
254
0
{
255
0
  char* tok_ctx = NULL;
256
0
  char* tok_ptr = NULL;
257
0
  char* PackageList = NULL;
258
259
0
  if (!sspi_CopyAuthPackageListA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &PackageList))
260
0
    return FALSE;
261
262
0
  tok_ptr = strtok_s(PackageList, ",", &tok_ctx);
263
264
0
  while (tok_ptr)
265
0
  {
266
0
    char* PackageName = tok_ptr;
267
0
    BOOL PackageInclude = TRUE;
268
269
0
    if (PackageName[0] == '!')
270
0
    {
271
0
      PackageName = &PackageName[1];
272
0
      PackageInclude = FALSE;
273
0
    }
274
275
0
    if (_stricmp(PackageName, "ntlm") == 0)
276
0
    {
277
0
      *ntlm = PackageInclude;
278
0
    }
279
0
    else if (_stricmp(PackageName, "kerberos") == 0)
280
0
    {
281
0
      *kerberos = PackageInclude;
282
0
    }
283
0
    else if (_stricmp(PackageName, "u2u") == 0)
284
0
    {
285
0
      *u2u = PackageInclude;
286
0
    }
287
0
    else
288
0
    {
289
0
      WLog_WARN(TAG, "Unknown authentication package name: %s", PackageName);
290
0
    }
291
292
0
    tok_ptr = strtok_s(NULL, ",", &tok_ctx);
293
0
  }
294
295
0
  free(PackageList);
296
0
  return TRUE;
297
0
}
298
299
static BOOL negotiate_get_config(void* pAuthData, BOOL* kerberos, BOOL* ntlm, BOOL* u2u)
300
0
{
301
0
  HKEY hKey = NULL;
302
0
  LONG rc = 0;
303
304
0
  WINPR_ASSERT(kerberos);
305
0
  WINPR_ASSERT(ntlm);
306
0
  WINPR_ASSERT(u2u);
307
308
0
#if !defined(WITH_KRB5_NO_NTLM_FALLBACK)
309
0
  *ntlm = TRUE;
310
#else
311
  *ntlm = FALSE;
312
#endif
313
0
#if defined(WITH_KRB5)
314
0
  *kerberos = TRUE;
315
0
  *u2u = TRUE;
316
#else
317
  *kerberos = FALSE;
318
  *u2u = FALSE;
319
#endif
320
321
0
  if (negotiate_get_config_from_auth_package_list(pAuthData, kerberos, ntlm, u2u))
322
0
  {
323
0
    return TRUE; // use explicit authentication package list
324
0
  }
325
326
0
  rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE, NEGO_REG_KEY, 0, KEY_READ | KEY_WOW64_64KEY, &hKey);
327
0
  if (rc == ERROR_SUCCESS)
328
0
  {
329
0
    DWORD dwValue = 0;
330
331
0
    if (negotiate_get_dword(hKey, "kerberos", &dwValue))
332
0
      *kerberos = (dwValue != 0) ? TRUE : FALSE;
333
334
0
#if !defined(WITH_KRB5_NO_NTLM_FALLBACK)
335
0
    if (negotiate_get_dword(hKey, "ntlm", &dwValue))
336
0
      *ntlm = (dwValue != 0) ? TRUE : FALSE;
337
0
#endif
338
339
0
    RegCloseKey(hKey);
340
0
  }
341
342
0
  return TRUE;
343
0
}
344
345
static BOOL negotiate_write_neg_token(PSecBuffer output_buffer, NegToken* token)
346
0
{
347
0
  WINPR_ASSERT(output_buffer);
348
0
  WINPR_ASSERT(token);
349
350
0
  BOOL ret = FALSE;
351
0
  WinPrAsn1Encoder* enc = NULL;
352
0
  WinPrAsn1_MemoryChunk mechTypes = { token->mechTypes.cbBuffer, token->mechTypes.pvBuffer };
353
0
  WinPrAsn1_OctetString mechToken = { token->mechToken.cbBuffer, token->mechToken.pvBuffer };
354
0
  WinPrAsn1_OctetString mechListMic = { token->mic.cbBuffer, token->mic.pvBuffer };
355
0
  wStream s;
356
0
  size_t len = 0;
357
358
0
  enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
359
0
  if (!enc)
360
0
    return FALSE;
361
362
  /* For NegTokenInit wrap in an initialContextToken */
363
0
  if (token->init)
364
0
  {
365
    /* InitialContextToken [APPLICATION 0] IMPLICIT SEQUENCE */
366
0
    if (!WinPrAsn1EncAppContainer(enc, 0))
367
0
      goto cleanup;
368
369
    /* thisMech MechType OID */
370
0
    if (!WinPrAsn1EncOID(enc, &spnego_OID))
371
0
      goto cleanup;
372
0
  }
373
374
  /* innerContextToken [0] NegTokenInit or [1] NegTokenResp */
375
0
  if (!WinPrAsn1EncContextualSeqContainer(enc, token->init ? 0 : 1))
376
0
    goto cleanup;
377
378
0
  WLog_DBG(TAG, token->init ? "Writing negTokenInit..." : "Writing negTokenResp...");
379
380
  /* mechTypes [0] MechTypeList (mechTypes already contains the SEQUENCE tag) */
381
0
  if (token->init)
382
0
  {
383
0
    if (!WinPrAsn1EncContextualRawContent(enc, 0, &mechTypes))
384
0
      goto cleanup;
385
0
    WLog_DBG(TAG, "\tmechTypes [0] (%li bytes)", token->mechTypes.cbBuffer);
386
0
  }
387
  /* negState [0] ENUMERATED */
388
0
  else if (token->negState != NOSTATE)
389
0
  {
390
0
    if (!WinPrAsn1EncContextualEnumerated(enc, 0, token->negState))
391
0
      goto cleanup;
392
0
    WLog_DBG(TAG, "\tnegState [0] (%d)", token->negState);
393
0
  }
394
395
  /* supportedMech [1] OID */
396
0
  if (token->supportedMech.len)
397
0
  {
398
0
    if (!WinPrAsn1EncContextualOID(enc, 1, &token->supportedMech))
399
0
      goto cleanup;
400
0
    WLog_DBG(TAG, "\tsupportedMech [1] (%s)", negotiate_mech_name(&token->supportedMech));
401
0
  }
402
403
  /* mechToken [2] OCTET STRING */
404
0
  if (token->mechToken.cbBuffer)
405
0
  {
406
0
    if (WinPrAsn1EncContextualOctetString(enc, 2, &mechToken) == 0)
407
0
      goto cleanup;
408
0
    WLog_DBG(TAG, "\tmechToken [2] (%li bytes)", token->mechToken.cbBuffer);
409
0
  }
410
411
  /* mechListMIC [3] OCTET STRING */
412
0
  if (token->mic.cbBuffer)
413
0
  {
414
0
    if (WinPrAsn1EncContextualOctetString(enc, 3, &mechListMic) == 0)
415
0
      goto cleanup;
416
0
    WLog_DBG(TAG, "\tmechListMIC [3] (%li bytes)", token->mic.cbBuffer);
417
0
  }
418
419
  /* NegTokenInit or NegTokenResp */
420
0
  if (!WinPrAsn1EncEndContainer(enc))
421
0
    goto cleanup;
422
423
0
  if (token->init)
424
0
  {
425
    /* initialContextToken */
426
0
    if (!WinPrAsn1EncEndContainer(enc))
427
0
      goto cleanup;
428
0
  }
429
430
0
  if (!WinPrAsn1EncStreamSize(enc, &len) || len > output_buffer->cbBuffer)
431
0
    goto cleanup;
432
433
0
  if (len > UINT32_MAX)
434
0
    goto cleanup;
435
436
0
  Stream_StaticInit(&s, output_buffer->pvBuffer, len);
437
438
0
  if (WinPrAsn1EncToStream(enc, &s))
439
0
  {
440
0
    output_buffer->cbBuffer = (UINT32)len;
441
0
    ret = TRUE;
442
0
  }
443
444
0
cleanup:
445
0
  WinPrAsn1Encoder_Free(&enc);
446
0
  return ret;
447
0
}
448
449
static BOOL negotiate_read_neg_token(PSecBuffer input, NegToken* token)
450
0
{
451
0
  WinPrAsn1Decoder dec;
452
0
  WinPrAsn1Decoder dec2;
453
0
  WinPrAsn1_OID oid;
454
0
  WinPrAsn1_tagId contextual = 0;
455
0
  WinPrAsn1_tag tag = 0;
456
0
  size_t len = 0;
457
0
  WinPrAsn1_OctetString octet_string;
458
0
  BOOL err = 0;
459
460
0
  WINPR_ASSERT(input);
461
0
  WINPR_ASSERT(token);
462
463
0
  WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, input->pvBuffer, input->cbBuffer);
464
465
0
  if (!WinPrAsn1DecPeekTag(&dec, &tag))
466
0
    return FALSE;
467
468
0
  if (tag == 0x60)
469
0
  {
470
    /* initialContextToken [APPLICATION 0] */
471
0
    if (!WinPrAsn1DecReadApp(&dec, &tag, &dec2) || tag != 0)
472
0
      return FALSE;
473
0
    dec = dec2;
474
475
    /* thisMech OID */
476
0
    if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE))
477
0
      return FALSE;
478
479
0
    if (!sspi_gss_oid_compare(&spnego_OID, &oid))
480
0
      return FALSE;
481
482
    /* [0] NegTokenInit */
483
0
    if (!WinPrAsn1DecReadContextualSequence(&dec, 0, &err, &dec2))
484
0
      return FALSE;
485
486
0
    token->init = TRUE;
487
0
  }
488
  /* [1] NegTokenResp */
489
0
  else if (!WinPrAsn1DecReadContextualSequence(&dec, 1, &err, &dec2))
490
0
    return FALSE;
491
0
  dec = dec2;
492
493
0
  WLog_DBG(TAG, token->init ? "Reading negTokenInit..." : "Reading negTokenResp...");
494
495
  /* Read NegTokenResp sequence members */
496
0
  do
497
0
  {
498
0
    if (!WinPrAsn1DecReadContextualTag(&dec, &contextual, &dec2))
499
0
      return FALSE;
500
501
0
    switch (contextual)
502
0
    {
503
0
      case 0:
504
0
        if (token->init)
505
0
        {
506
          /* mechTypes [0] MechTypeList */
507
0
          wStream s = WinPrAsn1DecGetStream(&dec2);
508
0
          token->mechTypes.BufferType = SECBUFFER_TOKEN;
509
0
          const size_t mlen = Stream_Length(&s);
510
0
          if (mlen > UINT32_MAX)
511
0
            return FALSE;
512
0
          token->mechTypes.cbBuffer = (UINT32)mlen;
513
0
          token->mechTypes.pvBuffer = Stream_Buffer(&s);
514
0
          WLog_DBG(TAG, "\tmechTypes [0] (%li bytes)", token->mechTypes.cbBuffer);
515
0
        }
516
0
        else
517
0
        {
518
          /* negState [0] ENUMERATED */
519
0
          WinPrAsn1_ENUMERATED rd = 0;
520
0
          if (!WinPrAsn1DecReadEnumerated(&dec2, &rd))
521
0
            return FALSE;
522
0
          token->negState = rd;
523
0
          WLog_DBG(TAG, "\tnegState [0] (%d)", token->negState);
524
0
        }
525
0
        break;
526
0
      case 1:
527
0
        if (token->init)
528
0
        {
529
          /* reqFlags [1] ContextFlags BIT STRING (ignored) */
530
0
          if (!WinPrAsn1DecPeekTagAndLen(&dec2, &tag, &len) || (tag != ER_TAG_BIT_STRING))
531
0
            return FALSE;
532
0
          WLog_DBG(TAG, "\treqFlags [1] (%li bytes)", len);
533
0
        }
534
0
        else
535
0
        {
536
          /* supportedMech [1] MechType */
537
0
          if (!WinPrAsn1DecReadOID(&dec2, &token->supportedMech, FALSE))
538
0
            return FALSE;
539
0
          WLog_DBG(TAG, "\tsupportedMech [1] (%s)",
540
0
                   negotiate_mech_name(&token->supportedMech));
541
0
        }
542
0
        break;
543
0
      case 2:
544
        /* mechToken [2] OCTET STRING */
545
0
        if (!WinPrAsn1DecReadOctetString(&dec2, &octet_string, FALSE))
546
0
          return FALSE;
547
0
        if (octet_string.len > UINT32_MAX)
548
0
          return FALSE;
549
0
        token->mechToken.cbBuffer = (UINT32)octet_string.len;
550
0
        token->mechToken.pvBuffer = octet_string.data;
551
0
        token->mechToken.BufferType = SECBUFFER_TOKEN;
552
0
        WLog_DBG(TAG, "\tmechToken [2] (%li bytes)", octet_string.len);
553
0
        break;
554
0
      case 3:
555
        /* mechListMic [3] OCTET STRING */
556
0
        if (!WinPrAsn1DecReadOctetString(&dec2, &octet_string, FALSE))
557
0
          return FALSE;
558
0
        if (octet_string.len > UINT32_MAX)
559
0
          return FALSE;
560
0
        token->mic.cbBuffer = (UINT32)octet_string.len;
561
0
        token->mic.pvBuffer = octet_string.data;
562
0
        token->mic.BufferType = SECBUFFER_TOKEN;
563
0
        WLog_DBG(TAG, "\tmechListMIC [3] (%li bytes)", octet_string.len);
564
0
        break;
565
0
      default:
566
0
        WLog_ERR(TAG, "unknown contextual item %d", contextual);
567
0
        return FALSE;
568
0
    }
569
0
  } while (WinPrAsn1DecPeekTag(&dec, &tag));
570
571
0
  return TRUE;
572
0
}
573
574
static SECURITY_STATUS negotiate_mic_exchange(NEGOTIATE_CONTEXT* context, NegToken* input_token,
575
                                              NegToken* output_token, PSecBuffer output_buffer)
576
0
{
577
0
  SecBuffer mic_buffers[2] = { 0 };
578
0
  SecBufferDesc mic_buffer_desc = { SECBUFFER_VERSION, 2, mic_buffers };
579
0
  SECURITY_STATUS status = 0;
580
581
0
  WINPR_ASSERT(context);
582
0
  WINPR_ASSERT(input_token);
583
0
  WINPR_ASSERT(output_token);
584
0
  WINPR_ASSERT(context->mech);
585
0
  WINPR_ASSERT(context->mech->pkg);
586
587
0
  const SecurityFunctionTableA* table = context->mech->pkg->table;
588
0
  WINPR_ASSERT(table);
589
590
0
  mic_buffers[0] = context->mechTypes;
591
592
  /* Verify MIC if we received one */
593
0
  if (input_token->mic.cbBuffer > 0)
594
0
  {
595
0
    mic_buffers[1] = input_token->mic;
596
597
0
    status = table->VerifySignature(&context->sub_context, &mic_buffer_desc, 0, 0);
598
0
    if (status != SEC_E_OK)
599
0
      return status;
600
601
0
    output_token->negState = ACCEPT_COMPLETED;
602
0
  }
603
604
  /* If peer expects a MIC then generate it */
605
0
  if (input_token->negState != ACCEPT_COMPLETED)
606
0
  {
607
    /* Store the mic token after the mech token in the output buffer */
608
0
    output_token->mic.BufferType = SECBUFFER_TOKEN;
609
0
    if (output_buffer)
610
0
    {
611
0
      output_token->mic.cbBuffer = output_buffer->cbBuffer - output_token->mechToken.cbBuffer;
612
0
      output_token->mic.pvBuffer =
613
0
          (BYTE*)output_buffer->pvBuffer + output_token->mechToken.cbBuffer;
614
0
    }
615
0
    mic_buffers[1] = output_token->mic;
616
617
0
    status = table->MakeSignature(&context->sub_context, 0, &mic_buffer_desc, 0);
618
0
    if (status != SEC_E_OK)
619
0
      return status;
620
621
0
    output_token->mic = mic_buffers[1];
622
0
  }
623
624
  /* When using NTLM cipher states need to be reset after mic exchange */
625
0
  const TCHAR* name = sspi_SecureHandleGetUpperPointer(&context->sub_context);
626
0
  if (!name)
627
0
    return SEC_E_INTERNAL_ERROR;
628
629
0
  if (_tcsncmp(name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0)
630
0
  {
631
0
    if (!ntlm_reset_cipher_state(&context->sub_context))
632
0
      return SEC_E_INTERNAL_ERROR;
633
0
  }
634
635
0
  return SEC_E_OK;
636
0
}
637
638
static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(
639
    PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq,
640
    ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
641
    PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
642
0
{
643
0
  NEGOTIATE_CONTEXT* context = NULL;
644
0
  NEGOTIATE_CONTEXT init_context = { 0 };
645
0
  MechCred* creds = NULL;
646
0
  PCtxtHandle sub_context = NULL;
647
0
  PCredHandle sub_cred = NULL;
648
0
  NegToken input_token = empty_neg_token;
649
0
  NegToken output_token = empty_neg_token;
650
0
  PSecBuffer input_buffer = NULL;
651
0
  PSecBuffer output_buffer = NULL;
652
0
  PSecBuffer bindings_buffer = NULL;
653
0
  SecBuffer mech_input_buffers[2] = { 0 };
654
0
  SecBufferDesc mech_input = { SECBUFFER_VERSION, 2, mech_input_buffers };
655
0
  SecBufferDesc mech_output = { SECBUFFER_VERSION, 1, &output_token.mechToken };
656
0
  SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
657
0
  SECURITY_STATUS sub_status = SEC_E_INTERNAL_ERROR;
658
0
  WinPrAsn1Encoder* enc = NULL;
659
0
  wStream s;
660
0
  const Mech* mech = NULL;
661
662
0
  if (!phCredential || !SecIsValidHandle(phCredential))
663
0
    return SEC_E_NO_CREDENTIALS;
664
665
0
  creds = sspi_SecureHandleGetLowerPointer(phCredential);
666
667
  /* behave like windows SSPIs that don't want empty context */
668
0
  if (phContext && !phContext->dwLower && !phContext->dwUpper)
669
0
    return SEC_E_INVALID_HANDLE;
670
671
0
  context = sspi_SecureHandleGetLowerPointer(phContext);
672
673
0
  if (pInput)
674
0
  {
675
0
    input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
676
0
    bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS);
677
0
  }
678
0
  if (pOutput)
679
0
    output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
680
681
0
  if (!context)
682
0
  {
683
0
    enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER);
684
0
    if (!enc)
685
0
      return SEC_E_INSUFFICIENT_MEMORY;
686
687
0
    if (!WinPrAsn1EncSeqContainer(enc))
688
0
      goto cleanup;
689
690
0
    for (size_t i = 0; i < MECH_COUNT; i++)
691
0
    {
692
0
      MechCred* cred = &creds[i];
693
0
      const SecPkg* pkg = MechTable[i].pkg;
694
0
      WINPR_ASSERT(pkg);
695
0
      WINPR_ASSERT(pkg->table_w);
696
697
0
      if (!cred->valid)
698
0
        continue;
699
700
      /* Send an optimistic token for the first valid mechanism */
701
0
      if (!init_context.mech)
702
0
      {
703
        /* Use the output buffer to store the optimistic token */
704
0
        if (!output_buffer)
705
0
          goto cleanup;
706
707
0
        CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer));
708
709
0
        if (bindings_buffer)
710
0
          mech_input_buffers[0] = *bindings_buffer;
711
712
0
        WINPR_ASSERT(pkg->table_w->InitializeSecurityContextW);
713
0
        sub_status = pkg->table_w->InitializeSecurityContextW(
714
0
            &cred->cred, NULL, pszTargetName, fContextReq | cred->mech->flags, Reserved1,
715
0
            TargetDataRep, &mech_input, Reserved2, &init_context.sub_context, &mech_output,
716
0
            pfContextAttr, ptsExpiry);
717
718
        /* If the mechanism failed we can't use it; skip */
719
0
        if (IsSecurityStatusError(sub_status))
720
0
        {
721
0
          if (SecIsValidHandle(&init_context.sub_context))
722
0
          {
723
0
            WINPR_ASSERT(pkg->table_w->DeleteSecurityContext);
724
0
            pkg->table_w->DeleteSecurityContext(&init_context.sub_context);
725
0
          }
726
0
          cred->valid = FALSE;
727
0
          continue;
728
0
        }
729
730
0
        init_context.mech = cred->mech;
731
0
      }
732
733
0
      if (!WinPrAsn1EncOID(enc, cred->mech->oid))
734
0
        goto cleanup;
735
0
      WLog_DBG(TAG, "Available mechanism: %s", negotiate_mech_name(cred->mech->oid));
736
0
    }
737
738
    /* No usable mechanisms were found */
739
0
    if (!init_context.mech)
740
0
      goto cleanup;
741
742
    /* If the only available mech is NTLM use it directly otherwise use spnego */
743
0
    if (init_context.mech->oid == &ntlm_OID)
744
0
    {
745
0
      init_context.spnego = FALSE;
746
0
      output_buffer->cbBuffer = output_token.mechToken.cbBuffer;
747
0
      WLog_DBG(TAG, "Using direct NTLM");
748
0
    }
749
0
    else
750
0
    {
751
0
      init_context.spnego = TRUE;
752
0
      init_context.mechTypes.BufferType = SECBUFFER_DATA;
753
0
      const size_t cb = WinPrAsn1EncEndContainer(enc);
754
0
      WINPR_ASSERT(cb <= UINT32_MAX);
755
0
      init_context.mechTypes.cbBuffer = (UINT32)cb;
756
0
    }
757
758
    /* Allocate memory for the new context */
759
0
    context = negotiate_ContextNew(&init_context);
760
0
    if (!context)
761
0
    {
762
0
      init_context.mech->pkg->table->DeleteSecurityContext(&init_context.sub_context);
763
0
      WinPrAsn1Encoder_Free(&enc);
764
0
      return SEC_E_INSUFFICIENT_MEMORY;
765
0
    }
766
767
0
    sspi_SecureHandleSetUpperPointer(phNewContext, NEGO_SSP_NAME);
768
0
    sspi_SecureHandleSetLowerPointer(phNewContext, context);
769
770
0
    if (!context->spnego)
771
0
    {
772
0
      status = sub_status;
773
0
      goto cleanup;
774
0
    }
775
776
    /* Write mechTypesList */
777
0
    Stream_StaticInit(&s, context->mechTypes.pvBuffer, context->mechTypes.cbBuffer);
778
0
    if (!WinPrAsn1EncToStream(enc, &s))
779
0
      goto cleanup;
780
781
0
    output_token.mechTypes.cbBuffer = context->mechTypes.cbBuffer;
782
0
    output_token.mechTypes.pvBuffer = context->mechTypes.pvBuffer;
783
0
    output_token.init = TRUE;
784
785
0
    if (sub_status == SEC_E_OK)
786
0
      context->state = NEGOTIATE_STATE_FINAL_OPTIMISTIC;
787
0
  }
788
0
  else
789
0
  {
790
0
    if (!input_buffer)
791
0
      return SEC_E_INVALID_TOKEN;
792
793
0
    sub_context = &context->sub_context;
794
0
    sub_cred = negotiate_FindCredential(creds, context->mech);
795
796
0
    if (!context->spnego)
797
0
    {
798
0
      return context->mech->pkg->table_w->InitializeSecurityContextW(
799
0
          sub_cred, sub_context, pszTargetName, fContextReq | context->mech->flags, Reserved1,
800
0
          TargetDataRep, pInput, Reserved2, sub_context, pOutput, pfContextAttr, ptsExpiry);
801
0
    }
802
803
0
    if (!negotiate_read_neg_token(input_buffer, &input_token))
804
0
      return SEC_E_INVALID_TOKEN;
805
806
    /* On first response check if the server doesn't like out preferred mech */
807
0
    if (context->state < NEGOTIATE_STATE_NEGORESP && input_token.supportedMech.len &&
808
0
        !sspi_gss_oid_compare(&input_token.supportedMech, context->mech->oid))
809
0
    {
810
0
      mech = negotiate_GetMechByOID(&input_token.supportedMech);
811
0
      if (!mech)
812
0
        return SEC_E_INVALID_TOKEN;
813
814
      /* Make sure the specified mech is supported and get the appropriate credential */
815
0
      sub_cred = negotiate_FindCredential(creds, mech);
816
0
      if (!sub_cred)
817
0
        return SEC_E_INVALID_TOKEN;
818
819
      /* Clean up the optimistic mech */
820
0
      context->mech->pkg->table_w->DeleteSecurityContext(&context->sub_context);
821
0
      sub_context = NULL;
822
823
0
      context->mech = mech;
824
0
      context->mic = TRUE;
825
0
    }
826
827
    /* Check neg_state (required on first response) */
828
0
    if (context->state < NEGOTIATE_STATE_NEGORESP)
829
0
    {
830
0
      switch (input_token.negState)
831
0
      {
832
0
        case NOSTATE:
833
0
          return SEC_E_INVALID_TOKEN;
834
0
        case REJECT:
835
0
          return SEC_E_LOGON_DENIED;
836
0
        case REQUEST_MIC:
837
0
          context->mic = TRUE;
838
          /* fallthrough */
839
0
          WINPR_FALLTHROUGH
840
0
        case ACCEPT_INCOMPLETE:
841
0
          context->state = NEGOTIATE_STATE_NEGORESP;
842
0
          break;
843
0
        case ACCEPT_COMPLETED:
844
0
          if (context->state == NEGOTIATE_STATE_INITIAL)
845
0
            context->state = NEGOTIATE_STATE_NEGORESP;
846
0
          else
847
0
            context->state = NEGOTIATE_STATE_FINAL;
848
0
          break;
849
0
        default:
850
0
          break;
851
0
      }
852
853
0
      WLog_DBG(TAG, "Negotiated mechanism: %s", negotiate_mech_name(context->mech->oid));
854
0
    }
855
856
0
    if (context->state == NEGOTIATE_STATE_NEGORESP)
857
0
    {
858
      /* Store the mech token in the output buffer */
859
0
      if (!output_buffer)
860
0
        goto cleanup;
861
0
      CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer));
862
863
0
      mech_input_buffers[0] = input_token.mechToken;
864
0
      if (bindings_buffer)
865
0
        mech_input_buffers[1] = *bindings_buffer;
866
867
0
      status = context->mech->pkg->table_w->InitializeSecurityContextW(
868
0
          sub_cred, sub_context, pszTargetName, fContextReq | context->mech->flags, Reserved1,
869
0
          TargetDataRep, input_token.mechToken.cbBuffer ? &mech_input : NULL, Reserved2,
870
0
          &context->sub_context, &mech_output, pfContextAttr, ptsExpiry);
871
872
0
      if (IsSecurityStatusError(status))
873
0
        return status;
874
0
    }
875
876
0
    if (status == SEC_E_OK)
877
0
    {
878
0
      if (output_token.mechToken.cbBuffer > 0)
879
0
        context->state = NEGOTIATE_STATE_MIC;
880
0
      else
881
0
        context->state = NEGOTIATE_STATE_FINAL;
882
0
    }
883
884
    /* Check if the acceptor sent its final token without a mic */
885
0
    if (context->state == NEGOTIATE_STATE_FINAL && input_token.mic.cbBuffer == 0)
886
0
    {
887
0
      if (context->mic || input_token.negState != ACCEPT_COMPLETED)
888
0
        return SEC_E_INVALID_TOKEN;
889
890
0
      if (output_buffer)
891
0
        output_buffer->cbBuffer = 0;
892
0
      return SEC_E_OK;
893
0
    }
894
895
0
    if ((context->state == NEGOTIATE_STATE_MIC && context->mic) ||
896
0
        context->state == NEGOTIATE_STATE_FINAL)
897
0
    {
898
0
      status = negotiate_mic_exchange(context, &input_token, &output_token, output_buffer);
899
0
      if (status != SEC_E_OK)
900
0
        return status;
901
0
    }
902
0
  }
903
904
0
  if (input_token.negState == ACCEPT_COMPLETED)
905
0
  {
906
0
    if (output_buffer)
907
0
      output_buffer->cbBuffer = 0;
908
0
    return SEC_E_OK;
909
0
  }
910
911
0
  if (output_token.negState == ACCEPT_COMPLETED)
912
0
    status = SEC_E_OK;
913
0
  else
914
0
    status = SEC_I_CONTINUE_NEEDED;
915
916
0
  if (!negotiate_write_neg_token(output_buffer, &output_token))
917
0
    status = SEC_E_INTERNAL_ERROR;
918
919
0
cleanup:
920
0
  WinPrAsn1Encoder_Free(&enc);
921
0
  return status;
922
0
}
923
924
static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(
925
    PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq,
926
    ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2,
927
    PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
928
0
{
929
0
  SECURITY_STATUS status = 0;
930
0
  SEC_WCHAR* pszTargetNameW = NULL;
931
932
0
  if (pszTargetName)
933
0
  {
934
0
    pszTargetNameW = ConvertUtf8ToWCharAlloc(pszTargetName, NULL);
935
0
    if (!pszTargetNameW)
936
0
      return SEC_E_INTERNAL_ERROR;
937
0
  }
938
939
0
  status = negotiate_InitializeSecurityContextW(
940
0
      phCredential, phContext, pszTargetNameW, fContextReq, Reserved1, TargetDataRep, pInput,
941
0
      Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry);
942
0
  free(pszTargetNameW);
943
0
  return status;
944
0
}
945
946
static const Mech* guessMech(PSecBuffer input_buffer, BOOL* spNego, WinPrAsn1_OID* oid)
947
0
{
948
0
  WinPrAsn1Decoder decoder;
949
0
  WinPrAsn1Decoder appDecoder;
950
0
  WinPrAsn1_tagId tag = 0;
951
0
  const char ssp[] = "NTLMSSP";
952
953
0
  *spNego = FALSE;
954
955
  /* Check for NTLM token */
956
0
  if (input_buffer->cbBuffer >= 8 && strncmp(input_buffer->pvBuffer, ssp, sizeof(ssp)) == 0)
957
0
  {
958
0
    *oid = ntlm_OID;
959
0
    return negotiate_GetMechByOID(&ntlm_OID);
960
0
  }
961
962
  /* Read initialContextToken or raw Kerberos token */
963
0
  WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, input_buffer->pvBuffer,
964
0
                           input_buffer->cbBuffer);
965
966
0
  if (!WinPrAsn1DecReadApp(&decoder, &tag, &appDecoder) || tag != 0)
967
0
    return NULL;
968
969
0
  if (!WinPrAsn1DecReadOID(&appDecoder, oid, FALSE))
970
0
    return NULL;
971
972
0
  if (sspi_gss_oid_compare(oid, &spnego_OID))
973
0
  {
974
0
    *spNego = TRUE;
975
0
    return NULL;
976
0
  }
977
978
0
  return negotiate_GetMechByOID(oid);
979
0
}
980
981
static SECURITY_STATUS SEC_ENTRY negotiate_AcceptSecurityContext(
982
    PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput, ULONG fContextReq,
983
    ULONG TargetDataRep, PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr,
984
    PTimeStamp ptsTimeStamp)
985
0
{
986
0
  NEGOTIATE_CONTEXT* context = NULL;
987
0
  NEGOTIATE_CONTEXT init_context = { 0 };
988
0
  MechCred* creds = NULL;
989
0
  PCredHandle sub_cred = NULL;
990
0
  NegToken input_token = empty_neg_token;
991
0
  NegToken output_token = empty_neg_token;
992
0
  PSecBuffer input_buffer = NULL;
993
0
  PSecBuffer output_buffer = NULL;
994
0
  SecBufferDesc mech_input = { SECBUFFER_VERSION, 1, &input_token.mechToken };
995
0
  SecBufferDesc mech_output = { SECBUFFER_VERSION, 1, &output_token.mechToken };
996
0
  SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
997
0
  WinPrAsn1Decoder dec;
998
0
  WinPrAsn1Decoder dec2;
999
0
  WinPrAsn1_tagId tag = 0;
1000
0
  WinPrAsn1_OID oid = { 0 };
1001
0
  const Mech* first_mech = NULL;
1002
1003
0
  if (!phCredential || !SecIsValidHandle(phCredential))
1004
0
    return SEC_E_NO_CREDENTIALS;
1005
1006
0
  creds = sspi_SecureHandleGetLowerPointer(phCredential);
1007
1008
0
  if (!pInput)
1009
0
    return SEC_E_INVALID_TOKEN;
1010
1011
  /* behave like windows SSPIs that don't want empty context */
1012
0
  if (phContext && !phContext->dwLower && !phContext->dwUpper)
1013
0
    return SEC_E_INVALID_HANDLE;
1014
1015
0
  context = sspi_SecureHandleGetLowerPointer(phContext);
1016
1017
0
  input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN);
1018
0
  if (pOutput)
1019
0
    output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN);
1020
1021
0
  if (!context)
1022
0
  {
1023
0
    init_context.mech = guessMech(input_buffer, &init_context.spnego, &oid);
1024
0
    if (!init_context.mech && !init_context.spnego)
1025
0
      return SEC_E_INVALID_TOKEN;
1026
1027
0
    WLog_DBG(TAG, "Mechanism: %s", negotiate_mech_name(&oid));
1028
1029
0
    if (init_context.spnego)
1030
0
    {
1031
      /* Process spnego token */
1032
0
      if (!negotiate_read_neg_token(input_buffer, &input_token))
1033
0
        return SEC_E_INVALID_TOKEN;
1034
1035
      /* First token must be negoTokenInit and must contain a mechList */
1036
0
      if (!input_token.init || input_token.mechTypes.cbBuffer == 0)
1037
0
        return SEC_E_INVALID_TOKEN;
1038
1039
0
      init_context.mechTypes.BufferType = SECBUFFER_DATA;
1040
0
      init_context.mechTypes.cbBuffer = input_token.mechTypes.cbBuffer;
1041
1042
      /* Prepare to read mechList */
1043
0
      WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, input_token.mechTypes.pvBuffer,
1044
0
                               input_token.mechTypes.cbBuffer);
1045
1046
0
      if (!WinPrAsn1DecReadSequence(&dec, &dec2))
1047
0
        return SEC_E_INVALID_TOKEN;
1048
0
      dec = dec2;
1049
1050
      /* If an optimistic token was provided pass it into the first mech */
1051
0
      if (input_token.mechToken.cbBuffer)
1052
0
      {
1053
0
        if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE))
1054
0
          return SEC_E_INVALID_TOKEN;
1055
1056
0
        init_context.mech = negotiate_GetMechByOID(&oid);
1057
1058
0
        if (init_context.mech)
1059
0
        {
1060
0
          if (output_buffer)
1061
0
            output_token.mechToken = *output_buffer;
1062
0
          WLog_DBG(TAG, "Requested mechanism: %s",
1063
0
                   negotiate_mech_name(init_context.mech->oid));
1064
0
        }
1065
0
      }
1066
0
    }
1067
1068
0
    if (init_context.mech)
1069
0
    {
1070
0
      sub_cred = negotiate_FindCredential(creds, init_context.mech);
1071
1072
0
      status = init_context.mech->pkg->table->AcceptSecurityContext(
1073
0
          sub_cred, NULL, init_context.spnego ? &mech_input : pInput, fContextReq,
1074
0
          TargetDataRep, &init_context.sub_context,
1075
0
          init_context.spnego ? &mech_output : pOutput, pfContextAttr, ptsTimeStamp);
1076
0
    }
1077
1078
0
    if (IsSecurityStatusError(status))
1079
0
    {
1080
0
      if (!init_context.spnego)
1081
0
        return status;
1082
1083
0
      init_context.mic = TRUE;
1084
0
      first_mech = init_context.mech;
1085
0
      init_context.mech = NULL;
1086
0
      output_token.mechToken.cbBuffer = 0;
1087
0
    }
1088
1089
0
    while (!init_context.mech && WinPrAsn1DecPeekTag(&dec, &tag))
1090
0
    {
1091
      /* Read each mechanism */
1092
0
      if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE))
1093
0
        return SEC_E_INVALID_TOKEN;
1094
1095
0
      init_context.mech = negotiate_GetMechByOID(&oid);
1096
0
      WLog_DBG(TAG, "Requested mechanism: %s", negotiate_mech_name(&oid));
1097
1098
      /* Microsoft may send two versions of the kerberos OID */
1099
0
      if (init_context.mech == first_mech)
1100
0
        init_context.mech = NULL;
1101
1102
0
      if (init_context.mech && !negotiate_FindCredential(creds, init_context.mech))
1103
0
        init_context.mech = NULL;
1104
0
    }
1105
1106
0
    if (!init_context.mech)
1107
0
      return SEC_E_INTERNAL_ERROR;
1108
1109
0
    context = negotiate_ContextNew(&init_context);
1110
0
    if (!context)
1111
0
    {
1112
0
      if (!IsSecurityStatusError(status))
1113
0
        init_context.mech->pkg->table->DeleteSecurityContext(&init_context.sub_context);
1114
0
      return SEC_E_INSUFFICIENT_MEMORY;
1115
0
    }
1116
1117
0
    sspi_SecureHandleSetUpperPointer(phNewContext, NEGO_SSP_NAME);
1118
0
    sspi_SecureHandleSetLowerPointer(phNewContext, context);
1119
1120
0
    if (!init_context.spnego)
1121
0
      return status;
1122
1123
0
    CopyMemory(init_context.mechTypes.pvBuffer, input_token.mechTypes.pvBuffer,
1124
0
               input_token.mechTypes.cbBuffer);
1125
1126
0
    if (!context->mech->preferred)
1127
0
    {
1128
0
      output_token.negState = REQUEST_MIC;
1129
0
      context->mic = TRUE;
1130
0
    }
1131
0
    else
1132
0
    {
1133
0
      output_token.negState = ACCEPT_INCOMPLETE;
1134
0
    }
1135
1136
0
    if (status == SEC_E_OK)
1137
0
      context->state = NEGOTIATE_STATE_FINAL;
1138
0
    else
1139
0
      context->state = NEGOTIATE_STATE_NEGORESP;
1140
1141
0
    output_token.supportedMech = oid;
1142
0
    WLog_DBG(TAG, "Accepted mechanism: %s", negotiate_mech_name(&output_token.supportedMech));
1143
0
  }
1144
0
  else
1145
0
  {
1146
0
    sub_cred = negotiate_FindCredential(creds, context->mech);
1147
0
    if (!sub_cred)
1148
0
      return SEC_E_NO_CREDENTIALS;
1149
1150
0
    if (!context->spnego)
1151
0
    {
1152
0
      return context->mech->pkg->table->AcceptSecurityContext(
1153
0
          sub_cred, &context->sub_context, pInput, fContextReq, TargetDataRep,
1154
0
          &context->sub_context, pOutput, pfContextAttr, ptsTimeStamp);
1155
0
    }
1156
1157
0
    if (!negotiate_read_neg_token(input_buffer, &input_token))
1158
0
      return SEC_E_INVALID_TOKEN;
1159
1160
    /* Process the mechanism token */
1161
0
    if (input_token.mechToken.cbBuffer > 0)
1162
0
    {
1163
0
      if (context->state != NEGOTIATE_STATE_NEGORESP)
1164
0
        return SEC_E_INVALID_TOKEN;
1165
1166
      /* Use the output buffer to store the optimistic token */
1167
0
      if (output_buffer)
1168
0
        CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer));
1169
1170
0
      status = context->mech->pkg->table->AcceptSecurityContext(
1171
0
          sub_cred, &context->sub_context, &mech_input, fContextReq | context->mech->flags,
1172
0
          TargetDataRep, &context->sub_context, &mech_output, pfContextAttr, ptsTimeStamp);
1173
1174
0
      if (IsSecurityStatusError(status))
1175
0
        return status;
1176
1177
0
      if (status == SEC_E_OK)
1178
0
        context->state = NEGOTIATE_STATE_FINAL;
1179
0
    }
1180
0
    else if (context->state == NEGOTIATE_STATE_NEGORESP)
1181
0
      return SEC_E_INVALID_TOKEN;
1182
0
  }
1183
1184
0
  if (context->state == NEGOTIATE_STATE_FINAL)
1185
0
  {
1186
    /* Check if initiator sent the last mech token without a mic and a mic was required */
1187
0
    if (context->mic && output_token.mechToken.cbBuffer == 0 && input_token.mic.cbBuffer == 0)
1188
0
      return SEC_E_INVALID_TOKEN;
1189
1190
0
    if (context->mic || input_token.mic.cbBuffer > 0)
1191
0
    {
1192
0
      status = negotiate_mic_exchange(context, &input_token, &output_token, output_buffer);
1193
0
      if (status != SEC_E_OK)
1194
0
        return status;
1195
0
    }
1196
0
    else
1197
0
      output_token.negState = ACCEPT_COMPLETED;
1198
0
  }
1199
1200
0
  if (input_token.negState == ACCEPT_COMPLETED)
1201
0
  {
1202
0
    if (output_buffer)
1203
0
      output_buffer->cbBuffer = 0;
1204
0
    return SEC_E_OK;
1205
0
  }
1206
1207
0
  if (output_token.negState == ACCEPT_COMPLETED)
1208
0
    status = SEC_E_OK;
1209
0
  else
1210
0
    status = SEC_I_CONTINUE_NEEDED;
1211
1212
0
  if (!negotiate_write_neg_token(output_buffer, &output_token))
1213
0
    return SEC_E_INTERNAL_ERROR;
1214
1215
0
  return status;
1216
0
}
1217
1218
static SECURITY_STATUS SEC_ENTRY negotiate_CompleteAuthToken(PCtxtHandle phContext,
1219
                                                             PSecBufferDesc pToken)
1220
0
{
1221
0
  NEGOTIATE_CONTEXT* context = NULL;
1222
0
  SECURITY_STATUS status = SEC_E_OK;
1223
0
  context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1224
1225
0
  if (!context)
1226
0
    return SEC_E_INVALID_HANDLE;
1227
1228
0
  WINPR_ASSERT(context->mech);
1229
0
  WINPR_ASSERT(context->mech->pkg);
1230
0
  WINPR_ASSERT(context->mech->pkg->table);
1231
0
  if (context->mech->pkg->table->CompleteAuthToken)
1232
0
    status = context->mech->pkg->table->CompleteAuthToken(&context->sub_context, pToken);
1233
1234
0
  return status;
1235
0
}
1236
1237
static SECURITY_STATUS SEC_ENTRY negotiate_DeleteSecurityContext(PCtxtHandle phContext)
1238
0
{
1239
0
  NEGOTIATE_CONTEXT* context = NULL;
1240
0
  SECURITY_STATUS status = SEC_E_OK;
1241
0
  context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1242
0
  const SecPkg* pkg = NULL;
1243
1244
0
  if (!context)
1245
0
    return SEC_E_INVALID_HANDLE;
1246
1247
0
  WINPR_ASSERT(context->mech);
1248
0
  WINPR_ASSERT(context->mech->pkg);
1249
0
  WINPR_ASSERT(context->mech->pkg->table);
1250
0
  pkg = context->mech->pkg;
1251
1252
0
  if (pkg->table->DeleteSecurityContext)
1253
0
    status = pkg->table->DeleteSecurityContext(&context->sub_context);
1254
1255
0
  negotiate_ContextFree(context);
1256
0
  return status;
1257
0
}
1258
1259
static SECURITY_STATUS SEC_ENTRY
1260
negotiate_ImpersonateSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
1261
0
{
1262
0
  return SEC_E_OK;
1263
0
}
1264
1265
static SECURITY_STATUS SEC_ENTRY
1266
negotiate_RevertSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext)
1267
0
{
1268
0
  return SEC_E_OK;
1269
0
}
1270
1271
static SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesW(PCtxtHandle phContext,
1272
                                                                   ULONG ulAttribute, void* pBuffer)
1273
0
{
1274
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1275
1276
0
  if (!context)
1277
0
    return SEC_E_INVALID_HANDLE;
1278
1279
0
  WINPR_ASSERT(context->mech);
1280
0
  WINPR_ASSERT(context->mech->pkg);
1281
0
  WINPR_ASSERT(context->mech->pkg->table_w);
1282
0
  if (context->mech->pkg->table_w->QueryContextAttributesW)
1283
0
    return context->mech->pkg->table_w->QueryContextAttributesW(&context->sub_context,
1284
0
                                                                ulAttribute, pBuffer);
1285
1286
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1287
0
}
1288
1289
static SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesA(PCtxtHandle phContext,
1290
                                                                   ULONG ulAttribute, void* pBuffer)
1291
0
{
1292
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1293
1294
0
  if (!context)
1295
0
    return SEC_E_INVALID_HANDLE;
1296
1297
0
  WINPR_ASSERT(context->mech);
1298
0
  WINPR_ASSERT(context->mech->pkg);
1299
0
  WINPR_ASSERT(context->mech->pkg->table);
1300
0
  if (context->mech->pkg->table->QueryContextAttributesA)
1301
0
    return context->mech->pkg->table->QueryContextAttributesA(&context->sub_context,
1302
0
                                                              ulAttribute, pBuffer);
1303
1304
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1305
0
}
1306
1307
static SECURITY_STATUS SEC_ENTRY negotiate_SetContextAttributesW(PCtxtHandle phContext,
1308
                                                                 ULONG ulAttribute, void* pBuffer,
1309
                                                                 ULONG cbBuffer)
1310
0
{
1311
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1312
1313
0
  if (!context)
1314
0
    return SEC_E_INVALID_HANDLE;
1315
1316
0
  WINPR_ASSERT(context->mech);
1317
0
  WINPR_ASSERT(context->mech->pkg);
1318
0
  WINPR_ASSERT(context->mech->pkg->table_w);
1319
0
  if (context->mech->pkg->table_w->SetContextAttributesW)
1320
0
    return context->mech->pkg->table_w->SetContextAttributesW(&context->sub_context,
1321
0
                                                              ulAttribute, pBuffer, cbBuffer);
1322
1323
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1324
0
}
1325
1326
static SECURITY_STATUS SEC_ENTRY negotiate_SetContextAttributesA(PCtxtHandle phContext,
1327
                                                                 ULONG ulAttribute, void* pBuffer,
1328
                                                                 ULONG cbBuffer)
1329
0
{
1330
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1331
1332
0
  if (!context)
1333
0
    return SEC_E_INVALID_HANDLE;
1334
1335
0
  WINPR_ASSERT(context->mech);
1336
0
  WINPR_ASSERT(context->mech->pkg);
1337
0
  WINPR_ASSERT(context->mech->pkg->table);
1338
0
  if (context->mech->pkg->table->SetContextAttributesA)
1339
0
    return context->mech->pkg->table->SetContextAttributesA(&context->sub_context, ulAttribute,
1340
0
                                                            pBuffer, cbBuffer);
1341
1342
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1343
0
}
1344
1345
static SECURITY_STATUS SEC_ENTRY negotiate_SetCredentialsAttributesW(PCredHandle phCredential,
1346
                                                                     ULONG ulAttribute,
1347
                                                                     void* pBuffer, ULONG cbBuffer)
1348
0
{
1349
0
  MechCred* creds = NULL;
1350
0
  BOOL success = FALSE;
1351
0
  SECURITY_STATUS secStatus = 0;
1352
1353
0
  creds = sspi_SecureHandleGetLowerPointer(phCredential);
1354
1355
0
  if (!creds)
1356
0
    return SEC_E_INVALID_HANDLE;
1357
1358
0
  for (size_t i = 0; i < MECH_COUNT; i++)
1359
0
  {
1360
0
    MechCred* cred = &creds[i];
1361
1362
0
    WINPR_ASSERT(cred->mech);
1363
0
    WINPR_ASSERT(cred->mech->pkg);
1364
0
    WINPR_ASSERT(cred->mech->pkg->table);
1365
0
    WINPR_ASSERT(cred->mech->pkg->table_w->SetCredentialsAttributesW);
1366
0
    secStatus = cred->mech->pkg->table_w->SetCredentialsAttributesW(&cred->cred, ulAttribute,
1367
0
                                                                    pBuffer, cbBuffer);
1368
1369
0
    if (secStatus == SEC_E_OK)
1370
0
    {
1371
0
      success = TRUE;
1372
0
    }
1373
0
  }
1374
1375
  // return success if at least one submodule accepts the credential attribute
1376
0
  return (success ? SEC_E_OK : SEC_E_UNSUPPORTED_FUNCTION);
1377
0
}
1378
1379
static SECURITY_STATUS SEC_ENTRY negotiate_SetCredentialsAttributesA(PCredHandle phCredential,
1380
                                                                     ULONG ulAttribute,
1381
                                                                     void* pBuffer, ULONG cbBuffer)
1382
0
{
1383
0
  MechCred* creds = NULL;
1384
0
  BOOL success = FALSE;
1385
0
  SECURITY_STATUS secStatus = 0;
1386
1387
0
  creds = sspi_SecureHandleGetLowerPointer(phCredential);
1388
1389
0
  if (!creds)
1390
0
    return SEC_E_INVALID_HANDLE;
1391
1392
0
  for (size_t i = 0; i < MECH_COUNT; i++)
1393
0
  {
1394
0
    MechCred* cred = &creds[i];
1395
1396
0
    if (!cred->valid)
1397
0
      continue;
1398
1399
0
    WINPR_ASSERT(cred->mech);
1400
0
    WINPR_ASSERT(cred->mech->pkg);
1401
0
    WINPR_ASSERT(cred->mech->pkg->table);
1402
0
    WINPR_ASSERT(cred->mech->pkg->table->SetCredentialsAttributesA);
1403
0
    secStatus = cred->mech->pkg->table->SetCredentialsAttributesA(&cred->cred, ulAttribute,
1404
0
                                                                  pBuffer, cbBuffer);
1405
1406
0
    if (secStatus == SEC_E_OK)
1407
0
    {
1408
0
      success = TRUE;
1409
0
    }
1410
0
  }
1411
1412
  // return success if at least one submodule accepts the credential attribute
1413
0
  return (success ? SEC_E_OK : SEC_E_UNSUPPORTED_FUNCTION);
1414
0
}
1415
1416
static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleW(
1417
    SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
1418
    void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
1419
    PTimeStamp ptsExpiry)
1420
0
{
1421
0
  BOOL kerberos = FALSE;
1422
0
  BOOL ntlm = FALSE;
1423
0
  BOOL u2u = FALSE;
1424
1425
0
  if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u))
1426
0
    return SEC_E_INTERNAL_ERROR;
1427
1428
0
  MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred));
1429
1430
0
  if (!creds)
1431
0
    return SEC_E_INTERNAL_ERROR;
1432
1433
0
  for (size_t i = 0; i < MECH_COUNT; i++)
1434
0
  {
1435
0
    MechCred* cred = &creds[i];
1436
0
    const SecPkg* pkg = MechTable[i].pkg;
1437
0
    cred->mech = &MechTable[i];
1438
1439
0
    if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID))
1440
0
      continue;
1441
0
    if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID))
1442
0
      continue;
1443
0
    if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0)
1444
0
      continue;
1445
1446
0
    WINPR_ASSERT(pkg->table_w);
1447
0
    WINPR_ASSERT(pkg->table_w->AcquireCredentialsHandleW);
1448
0
    if (pkg->table_w->AcquireCredentialsHandleW(
1449
0
            pszPrincipal, pszPackage, fCredentialUse, pvLogonID, pAuthData, pGetKeyFn,
1450
0
            pvGetKeyArgument, &cred->cred, ptsExpiry) != SEC_E_OK)
1451
0
      continue;
1452
1453
0
    cred->valid = TRUE;
1454
0
  }
1455
1456
0
  sspi_SecureHandleSetLowerPointer(phCredential, (void*)creds);
1457
0
  sspi_SecureHandleSetUpperPointer(phCredential, (void*)NEGO_SSP_NAME);
1458
0
  return SEC_E_OK;
1459
0
}
1460
1461
static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleA(
1462
    SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
1463
    void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
1464
    PTimeStamp ptsExpiry)
1465
0
{
1466
0
  BOOL kerberos = FALSE;
1467
0
  BOOL ntlm = FALSE;
1468
0
  BOOL u2u = FALSE;
1469
1470
0
  if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u))
1471
0
    return SEC_E_INTERNAL_ERROR;
1472
1473
0
  MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred));
1474
1475
0
  if (!creds)
1476
0
    return SEC_E_INTERNAL_ERROR;
1477
1478
0
  for (size_t i = 0; i < MECH_COUNT; i++)
1479
0
  {
1480
0
    const SecPkg* pkg = MechTable[i].pkg;
1481
0
    MechCred* cred = &creds[i];
1482
1483
0
    cred->mech = &MechTable[i];
1484
1485
0
    if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID))
1486
0
      continue;
1487
0
    if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID))
1488
0
      continue;
1489
0
    if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0)
1490
0
      continue;
1491
1492
0
    WINPR_ASSERT(pkg->table);
1493
0
    WINPR_ASSERT(pkg->table->AcquireCredentialsHandleA);
1494
0
    if (pkg->table->AcquireCredentialsHandleA(pszPrincipal, pszPackage, fCredentialUse,
1495
0
                                              pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument,
1496
0
                                              &cred->cred, ptsExpiry) != SEC_E_OK)
1497
0
      continue;
1498
1499
0
    cred->valid = TRUE;
1500
0
  }
1501
1502
0
  sspi_SecureHandleSetLowerPointer(phCredential, (void*)creds);
1503
0
  sspi_SecureHandleSetUpperPointer(phCredential, (void*)NEGO_SSP_NAME);
1504
0
  return SEC_E_OK;
1505
0
}
1506
1507
static SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesW(
1508
    WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
1509
    WINPR_ATTR_UNUSED void* pBuffer)
1510
0
{
1511
0
  WLog_ERR(TAG, "TODO: Implement");
1512
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1513
0
}
1514
1515
static SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesA(
1516
    WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute,
1517
    WINPR_ATTR_UNUSED void* pBuffer)
1518
0
{
1519
0
  WLog_ERR(TAG, "TODO: Implement");
1520
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1521
0
}
1522
1523
static SECURITY_STATUS SEC_ENTRY negotiate_FreeCredentialsHandle(PCredHandle phCredential)
1524
0
{
1525
0
  MechCred* creds = NULL;
1526
1527
0
  creds = sspi_SecureHandleGetLowerPointer(phCredential);
1528
0
  if (!creds)
1529
0
    return SEC_E_INVALID_HANDLE;
1530
1531
0
  for (size_t i = 0; i < MECH_COUNT; i++)
1532
0
  {
1533
0
    MechCred* cred = &creds[i];
1534
1535
0
    WINPR_ASSERT(cred->mech);
1536
0
    WINPR_ASSERT(cred->mech->pkg);
1537
0
    WINPR_ASSERT(cred->mech->pkg->table);
1538
0
    WINPR_ASSERT(cred->mech->pkg->table->FreeCredentialsHandle);
1539
0
    cred->mech->pkg->table->FreeCredentialsHandle(&cred->cred);
1540
0
  }
1541
0
  free(creds);
1542
1543
0
  return SEC_E_OK;
1544
0
}
1545
1546
static SECURITY_STATUS SEC_ENTRY negotiate_EncryptMessage(PCtxtHandle phContext, ULONG fQOP,
1547
                                                          PSecBufferDesc pMessage,
1548
                                                          ULONG MessageSeqNo)
1549
0
{
1550
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1551
1552
0
  if (!context)
1553
0
    return SEC_E_INVALID_HANDLE;
1554
1555
0
  if (context->mic)
1556
0
    MessageSeqNo++;
1557
1558
0
  WINPR_ASSERT(context->mech);
1559
0
  WINPR_ASSERT(context->mech->pkg);
1560
0
  WINPR_ASSERT(context->mech->pkg->table);
1561
0
  if (context->mech->pkg->table->EncryptMessage)
1562
0
    return context->mech->pkg->table->EncryptMessage(&context->sub_context, fQOP, pMessage,
1563
0
                                                     MessageSeqNo);
1564
1565
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1566
0
}
1567
1568
static SECURITY_STATUS SEC_ENTRY negotiate_DecryptMessage(PCtxtHandle phContext,
1569
                                                          PSecBufferDesc pMessage,
1570
                                                          ULONG MessageSeqNo, ULONG* pfQOP)
1571
0
{
1572
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1573
1574
0
  if (!context)
1575
0
    return SEC_E_INVALID_HANDLE;
1576
1577
0
  if (context->mic)
1578
0
    MessageSeqNo++;
1579
1580
0
  WINPR_ASSERT(context->mech);
1581
0
  WINPR_ASSERT(context->mech->pkg);
1582
0
  WINPR_ASSERT(context->mech->pkg->table);
1583
0
  if (context->mech->pkg->table->DecryptMessage)
1584
0
    return context->mech->pkg->table->DecryptMessage(&context->sub_context, pMessage,
1585
0
                                                     MessageSeqNo, pfQOP);
1586
1587
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1588
0
}
1589
1590
static SECURITY_STATUS SEC_ENTRY negotiate_MakeSignature(PCtxtHandle phContext, ULONG fQOP,
1591
                                                         PSecBufferDesc pMessage,
1592
                                                         ULONG MessageSeqNo)
1593
0
{
1594
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1595
1596
0
  if (!context)
1597
0
    return SEC_E_INVALID_HANDLE;
1598
1599
0
  if (context->mic)
1600
0
    MessageSeqNo++;
1601
1602
0
  WINPR_ASSERT(context->mech);
1603
0
  WINPR_ASSERT(context->mech->pkg);
1604
0
  WINPR_ASSERT(context->mech->pkg->table);
1605
0
  if (context->mech->pkg->table->MakeSignature)
1606
0
    return context->mech->pkg->table->MakeSignature(&context->sub_context, fQOP, pMessage,
1607
0
                                                    MessageSeqNo);
1608
1609
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1610
0
}
1611
1612
static SECURITY_STATUS SEC_ENTRY negotiate_VerifySignature(PCtxtHandle phContext,
1613
                                                           PSecBufferDesc pMessage,
1614
                                                           ULONG MessageSeqNo, ULONG* pfQOP)
1615
0
{
1616
0
  NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
1617
1618
0
  if (!context)
1619
0
    return SEC_E_INVALID_HANDLE;
1620
1621
0
  if (context->mic)
1622
0
    MessageSeqNo++;
1623
1624
0
  WINPR_ASSERT(context->mech);
1625
0
  WINPR_ASSERT(context->mech->pkg);
1626
0
  WINPR_ASSERT(context->mech->pkg->table);
1627
0
  if (context->mech->pkg->table->VerifySignature)
1628
0
    return context->mech->pkg->table->VerifySignature(&context->sub_context, pMessage,
1629
0
                                                      MessageSeqNo, pfQOP);
1630
1631
0
  return SEC_E_UNSUPPORTED_FUNCTION;
1632
0
}
1633
1634
const SecurityFunctionTableA NEGOTIATE_SecurityFunctionTableA = {
1635
  3,                                     /* dwVersion */
1636
  NULL,                                  /* EnumerateSecurityPackages */
1637
  negotiate_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
1638
  negotiate_AcquireCredentialsHandleA,   /* AcquireCredentialsHandle */
1639
  negotiate_FreeCredentialsHandle,       /* FreeCredentialsHandle */
1640
  NULL,                                  /* Reserved2 */
1641
  negotiate_InitializeSecurityContextA,  /* InitializeSecurityContext */
1642
  negotiate_AcceptSecurityContext,       /* AcceptSecurityContext */
1643
  negotiate_CompleteAuthToken,           /* CompleteAuthToken */
1644
  negotiate_DeleteSecurityContext,       /* DeleteSecurityContext */
1645
  NULL,                                  /* ApplyControlToken */
1646
  negotiate_QueryContextAttributesA,     /* QueryContextAttributes */
1647
  negotiate_ImpersonateSecurityContext,  /* ImpersonateSecurityContext */
1648
  negotiate_RevertSecurityContext,       /* RevertSecurityContext */
1649
  negotiate_MakeSignature,               /* MakeSignature */
1650
  negotiate_VerifySignature,             /* VerifySignature */
1651
  NULL,                                  /* FreeContextBuffer */
1652
  NULL,                                  /* QuerySecurityPackageInfo */
1653
  NULL,                                  /* Reserved3 */
1654
  NULL,                                  /* Reserved4 */
1655
  NULL,                                  /* ExportSecurityContext */
1656
  NULL,                                  /* ImportSecurityContext */
1657
  NULL,                                  /* AddCredentials */
1658
  NULL,                                  /* Reserved8 */
1659
  NULL,                                  /* QuerySecurityContextToken */
1660
  negotiate_EncryptMessage,              /* EncryptMessage */
1661
  negotiate_DecryptMessage,              /* DecryptMessage */
1662
  negotiate_SetContextAttributesA,       /* SetContextAttributes */
1663
  negotiate_SetCredentialsAttributesA,   /* SetCredentialsAttributes */
1664
};
1665
1666
const SecurityFunctionTableW NEGOTIATE_SecurityFunctionTableW = {
1667
  3,                                     /* dwVersion */
1668
  NULL,                                  /* EnumerateSecurityPackages */
1669
  negotiate_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
1670
  negotiate_AcquireCredentialsHandleW,   /* AcquireCredentialsHandle */
1671
  negotiate_FreeCredentialsHandle,       /* FreeCredentialsHandle */
1672
  NULL,                                  /* Reserved2 */
1673
  negotiate_InitializeSecurityContextW,  /* InitializeSecurityContext */
1674
  negotiate_AcceptSecurityContext,       /* AcceptSecurityContext */
1675
  negotiate_CompleteAuthToken,           /* CompleteAuthToken */
1676
  negotiate_DeleteSecurityContext,       /* DeleteSecurityContext */
1677
  NULL,                                  /* ApplyControlToken */
1678
  negotiate_QueryContextAttributesW,     /* QueryContextAttributes */
1679
  negotiate_ImpersonateSecurityContext,  /* ImpersonateSecurityContext */
1680
  negotiate_RevertSecurityContext,       /* RevertSecurityContext */
1681
  negotiate_MakeSignature,               /* MakeSignature */
1682
  negotiate_VerifySignature,             /* VerifySignature */
1683
  NULL,                                  /* FreeContextBuffer */
1684
  NULL,                                  /* QuerySecurityPackageInfo */
1685
  NULL,                                  /* Reserved3 */
1686
  NULL,                                  /* Reserved4 */
1687
  NULL,                                  /* ExportSecurityContext */
1688
  NULL,                                  /* ImportSecurityContext */
1689
  NULL,                                  /* AddCredentials */
1690
  NULL,                                  /* Reserved8 */
1691
  NULL,                                  /* QuerySecurityContextToken */
1692
  negotiate_EncryptMessage,              /* EncryptMessage */
1693
  negotiate_DecryptMessage,              /* DecryptMessage */
1694
  negotiate_SetContextAttributesW,       /* SetContextAttributes */
1695
  negotiate_SetCredentialsAttributesW,   /* SetCredentialsAttributes */
1696
};
1697
1698
BOOL NEGOTIATE_init(void)
1699
0
{
1700
0
  InitializeConstWCharFromUtf8(NEGOTIATE_SecPkgInfoA.Name, NEGOTIATE_SecPkgInfoW_NameBuffer,
1701
0
                               ARRAYSIZE(NEGOTIATE_SecPkgInfoW_NameBuffer));
1702
0
  InitializeConstWCharFromUtf8(NEGOTIATE_SecPkgInfoA.Comment, NEGOTIATE_SecPkgInfoW_CommentBuffer,
1703
0
                               ARRAYSIZE(NEGOTIATE_SecPkgInfoW_CommentBuffer));
1704
1705
0
  return TRUE;
1706
0
}