/src/FreeRDP/winpr/libwinpr/sspi/Negotiate/negotiate.c
Line | Count | Source |
1 | | /** |
2 | | * WinPR: Windows Portable Runtime |
3 | | * Negotiate Security Package |
4 | | * |
5 | | * Copyright 2011-2014 Marc-Andre Moreau <marcandre.moreau@gmail.com> |
6 | | * Copyright 2017 Dorian Ducournau <dorian.ducournau@gmail.com> |
7 | | * |
8 | | * Licensed under the Apache License, Version 2.0 (the "License"); |
9 | | * you may not use this file except in compliance with the License. |
10 | | * You may obtain a copy of the License at |
11 | | * |
12 | | * http://www.apache.org/licenses/LICENSE-2.0 |
13 | | * |
14 | | * Unless required by applicable law or agreed to in writing, software |
15 | | * distributed under the License is distributed on an "AS IS" BASIS, |
16 | | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
17 | | * See the License for the specific language governing permissions and |
18 | | * limitations under the License. |
19 | | */ |
20 | | |
21 | | #include <winpr/config.h> |
22 | | |
23 | | #include <winpr/crt.h> |
24 | | #include <winpr/wtypes.h> |
25 | | #include <winpr/assert.h> |
26 | | #include <winpr/sspi.h> |
27 | | #include <winpr/tchar.h> |
28 | | #include <winpr/registry.h> |
29 | | #include <winpr/build-config.h> |
30 | | #include <winpr/asn1.h> |
31 | | |
32 | | #include "negotiate.h" |
33 | | |
34 | | #include "../NTLM/ntlm.h" |
35 | | #include "../NTLM/ntlm_export.h" |
36 | | #include "../Kerberos/kerberos.h" |
37 | | #include "../sspi.h" |
38 | | #include "../../utils.h" |
39 | | #include "../../log.h" |
40 | | #define TAG WINPR_TAG("negotiate") |
41 | | |
42 | 0 | #define NEGO_REG_KEY "Software\\%s\\SSPI\\Negotiate" |
43 | | |
44 | | static const char PACKAGE_NAME_DISABLE_ALL[] = "none"; |
45 | | static const char PACKAGE_NAME_NTLM[] = "ntlm"; |
46 | | static const char PACKAGE_NAME_KERBEROS[] = "kerberos"; |
47 | | static const char PACKAGE_NAME_KERBEROS_U2U[] = "u2u"; |
48 | | |
49 | | typedef struct |
50 | | { |
51 | | const TCHAR* name; |
52 | | const SecurityFunctionTableA* table; |
53 | | const SecurityFunctionTableW* table_w; |
54 | | } SecPkg; |
55 | | |
56 | | struct Mech_st |
57 | | { |
58 | | const WinPrAsn1_OID* oid; |
59 | | const SecPkg* pkg; |
60 | | const UINT flags; |
61 | | const BOOL preferred; |
62 | | }; |
63 | | |
64 | | typedef struct |
65 | | { |
66 | | const Mech* mech; |
67 | | CredHandle cred; |
68 | | BOOL valid; |
69 | | } MechCred; |
70 | | |
71 | | const SecPkgInfoA NEGOTIATE_SecPkgInfoA = { |
72 | | 0x00083BB3, /* fCapabilities */ |
73 | | 1, /* wVersion */ |
74 | | 0x0009, /* wRPCID */ |
75 | | 0x00002FE0, /* cbMaxToken */ |
76 | | "Negotiate", /* Name */ |
77 | | "Microsoft Package Negotiator" /* Comment */ |
78 | | }; |
79 | | |
80 | | static WCHAR NEGOTIATE_SecPkgInfoW_NameBuffer[32] = WINPR_C_ARRAY_INIT; |
81 | | static WCHAR NEGOTIATE_SecPkgInfoW_CommentBuffer[32] = WINPR_C_ARRAY_INIT; |
82 | | |
83 | | const SecPkgInfoW NEGOTIATE_SecPkgInfoW = { |
84 | | 0x00083BB3, /* fCapabilities */ |
85 | | 1, /* wVersion */ |
86 | | 0x0009, /* wRPCID */ |
87 | | 0x00002FE0, /* cbMaxToken */ |
88 | | NEGOTIATE_SecPkgInfoW_NameBuffer, /* Name */ |
89 | | NEGOTIATE_SecPkgInfoW_CommentBuffer /* Comment */ |
90 | | }; |
91 | | |
92 | | static const WinPrAsn1_OID spnego_OID = { 6, (BYTE*)"\x2b\x06\x01\x05\x05\x02" }; |
93 | | static const WinPrAsn1_OID kerberos_u2u_OID = { 10, |
94 | | (BYTE*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" }; |
95 | | static const WinPrAsn1_OID kerberos_OID = { 9, (BYTE*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; |
96 | | static const WinPrAsn1_OID kerberos_wrong_OID = { 9, |
97 | | (BYTE*)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02" }; |
98 | | static const WinPrAsn1_OID ntlm_OID = { 10, (BYTE*)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" }; |
99 | | |
100 | | static const WinPrAsn1_OID negoex_OID = { 10, (BYTE*)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e" }; |
101 | | |
102 | | #ifdef WITH_KRB5 |
103 | | static const SecPkg SecPkgTable[] = { |
104 | | { KERBEROS_SSP_NAME, &KERBEROS_SecurityFunctionTableA, &KERBEROS_SecurityFunctionTableW }, |
105 | | { KERBEROS_SSP_NAME, &KERBEROS_SecurityFunctionTableA, &KERBEROS_SecurityFunctionTableW }, |
106 | | { NTLM_SSP_NAME, &NTLM_SecurityFunctionTableA, &NTLM_SecurityFunctionTableW } |
107 | | }; |
108 | | |
109 | | static const Mech MechTable[] = { |
110 | | { &kerberos_u2u_OID, &SecPkgTable[0], ISC_REQ_INTEGRITY | ISC_REQ_USE_SESSION_KEY, TRUE }, |
111 | | { &kerberos_OID, &SecPkgTable[1], ISC_REQ_INTEGRITY, TRUE }, |
112 | | { &ntlm_OID, &SecPkgTable[2], 0, FALSE }, |
113 | | }; |
114 | | #else |
115 | | static const SecPkg SecPkgTable[] = { { NTLM_SSP_NAME, &NTLM_SecurityFunctionTableA, |
116 | | &NTLM_SecurityFunctionTableW } }; |
117 | | |
118 | | static const Mech MechTable[] = { |
119 | | { &ntlm_OID, &SecPkgTable[0], 0, FALSE }, |
120 | | }; |
121 | | #endif |
122 | | |
123 | | static const size_t MECH_COUNT = sizeof(MechTable) / sizeof(Mech); |
124 | | |
125 | | enum NegState |
126 | | { |
127 | | NOSTATE = -1, |
128 | | ACCEPT_COMPLETED, |
129 | | ACCEPT_INCOMPLETE, |
130 | | REJECT, |
131 | | REQUEST_MIC |
132 | | }; |
133 | | |
134 | | typedef struct |
135 | | { |
136 | | enum NegState negState; |
137 | | BOOL init; |
138 | | WinPrAsn1_OID supportedMech; |
139 | | SecBuffer mechTypes; |
140 | | SecBuffer mechToken; |
141 | | SecBuffer mic; |
142 | | } NegToken; |
143 | | |
144 | | static const NegToken empty_neg_token = { NOSTATE, FALSE, { 0, NULL }, |
145 | | { 0, 0, NULL }, { 0, 0, NULL }, { 0, 0, NULL } }; |
146 | | |
147 | | static NEGOTIATE_CONTEXT* negotiate_ContextNew(NEGOTIATE_CONTEXT* init_context) |
148 | 0 | { |
149 | 0 | NEGOTIATE_CONTEXT* context = NULL; |
150 | |
|
151 | 0 | WINPR_ASSERT(init_context); |
152 | |
|
153 | 0 | context = calloc(1, sizeof(NEGOTIATE_CONTEXT)); |
154 | 0 | if (!context) |
155 | 0 | return NULL; |
156 | | |
157 | 0 | if (init_context->spnego) |
158 | 0 | { |
159 | 0 | init_context->mechTypes.pvBuffer = malloc(init_context->mechTypes.cbBuffer); |
160 | 0 | if (!init_context->mechTypes.pvBuffer) |
161 | 0 | { |
162 | 0 | free(context); |
163 | 0 | return NULL; |
164 | 0 | } |
165 | 0 | } |
166 | | |
167 | 0 | *context = *init_context; |
168 | |
|
169 | 0 | return context; |
170 | 0 | } |
171 | | |
172 | | static void negotiate_ContextFree(NEGOTIATE_CONTEXT* context) |
173 | 0 | { |
174 | 0 | WINPR_ASSERT(context); |
175 | |
|
176 | 0 | if (context->mechTypes.pvBuffer) |
177 | 0 | free(context->mechTypes.pvBuffer); |
178 | 0 | free(context); |
179 | 0 | } |
180 | | |
181 | | static const char* negotiate_mech_name(const WinPrAsn1_OID* oid) |
182 | 0 | { |
183 | 0 | if (sspi_gss_oid_compare(oid, &spnego_OID)) |
184 | 0 | return "SPNEGO (1.3.6.1.5.5.2)"; |
185 | 0 | else if (sspi_gss_oid_compare(oid, &kerberos_u2u_OID)) |
186 | 0 | return "Kerberos user to user (1.2.840.113554.1.2.2.3)"; |
187 | 0 | else if (sspi_gss_oid_compare(oid, &kerberos_OID)) |
188 | 0 | return "Kerberos (1.2.840.113554.1.2.2)"; |
189 | 0 | else if (sspi_gss_oid_compare(oid, &kerberos_wrong_OID)) |
190 | 0 | return "Kerberos [wrong OID] (1.2.840.48018.1.2.2)"; |
191 | 0 | else if (sspi_gss_oid_compare(oid, &ntlm_OID)) |
192 | 0 | return "NTLM (1.3.6.1.4.1.311.2.2.10)"; |
193 | 0 | else if (sspi_gss_oid_compare(oid, &negoex_OID)) |
194 | 0 | return "NegoEx (1.3.6.1.4.1.311.2.2.30)"; |
195 | 0 | else |
196 | 0 | return "Unknown mechanism"; |
197 | 0 | } |
198 | | |
199 | | static const Mech* negotiate_GetMechByOID(const WinPrAsn1_OID* oid) |
200 | 0 | { |
201 | 0 | WINPR_ASSERT(oid); |
202 | |
|
203 | 0 | WinPrAsn1_OID testOid = *oid; |
204 | |
|
205 | 0 | if (sspi_gss_oid_compare(&testOid, &kerberos_wrong_OID)) |
206 | 0 | { |
207 | 0 | testOid.len = kerberos_OID.len; |
208 | 0 | testOid.data = kerberos_OID.data; |
209 | 0 | } |
210 | |
|
211 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
212 | 0 | { |
213 | 0 | if (sspi_gss_oid_compare(&testOid, MechTable[i].oid)) |
214 | 0 | return &MechTable[i]; |
215 | 0 | } |
216 | 0 | return NULL; |
217 | 0 | } |
218 | | |
219 | | static PSecHandle negotiate_FindCredential(MechCred* creds, const Mech* mech) |
220 | 0 | { |
221 | 0 | WINPR_ASSERT(creds); |
222 | |
|
223 | 0 | if (!mech) |
224 | 0 | return NULL; |
225 | | |
226 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
227 | 0 | { |
228 | 0 | MechCred* cred = &creds[i]; |
229 | |
|
230 | 0 | if (cred->mech == mech) |
231 | 0 | { |
232 | 0 | if (cred->valid) |
233 | 0 | return &cred->cred; |
234 | 0 | return NULL; |
235 | 0 | } |
236 | 0 | } |
237 | | |
238 | 0 | return NULL; |
239 | 0 | } |
240 | | |
241 | | static BOOL negotiate_get_dword(HKEY hKey, const char* subkey, DWORD* pdwValue) |
242 | 0 | { |
243 | 0 | DWORD dwValue = 0; |
244 | 0 | DWORD dwType = 0; |
245 | 0 | DWORD dwSize = sizeof(dwValue); |
246 | 0 | LONG rc = RegQueryValueExA(hKey, subkey, NULL, &dwType, (BYTE*)&dwValue, &dwSize); |
247 | |
|
248 | 0 | if (rc != ERROR_SUCCESS) |
249 | 0 | return FALSE; |
250 | 0 | if (dwType != REG_DWORD) |
251 | 0 | return FALSE; |
252 | | |
253 | 0 | *pdwValue = dwValue; |
254 | 0 | return TRUE; |
255 | 0 | } |
256 | | |
257 | | static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* kerberos, BOOL* ntlm, |
258 | | BOOL* u2u) |
259 | 0 | { |
260 | 0 | BOOL rc = FALSE; |
261 | 0 | char* tok_ctx = NULL; |
262 | 0 | char* PackageList = NULL; |
263 | |
|
264 | 0 | if (!sspi_CopyAuthPackageListA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &PackageList)) |
265 | 0 | return FALSE; |
266 | | |
267 | 0 | char* tok_ptr = strtok_s(PackageList, ",", &tok_ctx); |
268 | |
|
269 | 0 | while (tok_ptr) |
270 | 0 | { |
271 | 0 | const char* PackageName = tok_ptr; |
272 | 0 | BOOL PackageInclude = TRUE; |
273 | |
|
274 | 0 | if (PackageName[0] == '!') |
275 | 0 | { |
276 | 0 | PackageName = &PackageName[1]; |
277 | 0 | PackageInclude = FALSE; |
278 | 0 | } |
279 | |
|
280 | 0 | if (_stricmp(PackageName, PACKAGE_NAME_NTLM) == 0) |
281 | 0 | { |
282 | 0 | *ntlm = PackageInclude; |
283 | 0 | } |
284 | 0 | else if (_stricmp(PackageName, PACKAGE_NAME_KERBEROS) == 0) |
285 | 0 | { |
286 | 0 | *kerberos = PackageInclude; |
287 | 0 | } |
288 | 0 | else if (_stricmp(PackageName, PACKAGE_NAME_KERBEROS_U2U) == 0) |
289 | 0 | { |
290 | 0 | *u2u = PackageInclude; |
291 | 0 | } |
292 | 0 | else if (_stricmp(PackageName, PACKAGE_NAME_DISABLE_ALL) == 0) |
293 | 0 | { |
294 | 0 | *kerberos = FALSE; |
295 | 0 | *ntlm = FALSE; |
296 | 0 | *u2u = FALSE; |
297 | |
|
298 | 0 | if (PackageName != PackageList) |
299 | 0 | { |
300 | 0 | WLog_WARN(TAG, "Special keyword '%s' not first in list, aborting", PackageName); |
301 | 0 | goto fail; |
302 | 0 | } |
303 | 0 | } |
304 | 0 | else |
305 | 0 | { |
306 | 0 | WLog_WARN(TAG, "Unknown authentication package name: %s, ignoring", PackageName); |
307 | 0 | } |
308 | | |
309 | 0 | tok_ptr = strtok_s(NULL, ",", &tok_ctx); |
310 | 0 | } |
311 | | |
312 | 0 | rc = TRUE; |
313 | 0 | fail: |
314 | 0 | free(PackageList); |
315 | 0 | return rc; |
316 | 0 | } |
317 | | |
318 | | static BOOL negotiate_get_config(void* pAuthData, BOOL* kerberos, BOOL* ntlm, BOOL* u2u) |
319 | 0 | { |
320 | 0 | HKEY hKey = NULL; |
321 | |
|
322 | 0 | WINPR_ASSERT(kerberos); |
323 | 0 | WINPR_ASSERT(ntlm); |
324 | 0 | WINPR_ASSERT(u2u); |
325 | |
|
326 | 0 | #if !defined(WITH_KRB5_NO_NTLM_FALLBACK) |
327 | 0 | *ntlm = TRUE; |
328 | | #else |
329 | | *ntlm = FALSE; |
330 | | #endif |
331 | 0 | #if defined(WITH_KRB5) |
332 | 0 | *kerberos = TRUE; |
333 | 0 | *u2u = TRUE; |
334 | | #else |
335 | | *kerberos = FALSE; |
336 | | *u2u = FALSE; |
337 | | #endif |
338 | |
|
339 | 0 | if (negotiate_get_config_from_auth_package_list(pAuthData, kerberos, ntlm, u2u)) |
340 | 0 | { |
341 | 0 | return TRUE; // use explicit authentication package list |
342 | 0 | } |
343 | | |
344 | 0 | { |
345 | 0 | char* key = winpr_getApplicatonDetailsRegKey(NEGO_REG_KEY); |
346 | 0 | if (key) |
347 | 0 | { |
348 | 0 | const LONG rc = |
349 | 0 | RegOpenKeyExA(HKEY_LOCAL_MACHINE, key, 0, KEY_READ | KEY_WOW64_64KEY, &hKey); |
350 | 0 | free(key); |
351 | 0 | if (rc == ERROR_SUCCESS) |
352 | 0 | { |
353 | 0 | DWORD dwValue = 0; |
354 | |
|
355 | 0 | if (negotiate_get_dword(hKey, PACKAGE_NAME_KERBEROS, &dwValue)) |
356 | 0 | *kerberos = (dwValue != 0) ? TRUE : FALSE; |
357 | |
|
358 | 0 | if (negotiate_get_dword(hKey, PACKAGE_NAME_KERBEROS_U2U, &dwValue)) |
359 | 0 | *u2u = (dwValue != 0) ? TRUE : FALSE; |
360 | |
|
361 | 0 | #if !defined(WITH_KRB5_NO_NTLM_FALLBACK) |
362 | 0 | if (negotiate_get_dword(hKey, PACKAGE_NAME_NTLM, &dwValue)) |
363 | 0 | *ntlm = (dwValue != 0) ? TRUE : FALSE; |
364 | 0 | #endif |
365 | |
|
366 | 0 | RegCloseKey(hKey); |
367 | 0 | } |
368 | 0 | } |
369 | 0 | } |
370 | |
|
371 | 0 | return TRUE; |
372 | 0 | } |
373 | | |
374 | | static BOOL negotiate_write_neg_token(PSecBuffer output_buffer, NegToken* token) |
375 | 0 | { |
376 | 0 | WINPR_ASSERT(output_buffer); |
377 | 0 | WINPR_ASSERT(token); |
378 | |
|
379 | 0 | BOOL ret = FALSE; |
380 | 0 | WinPrAsn1Encoder* enc = NULL; |
381 | 0 | WinPrAsn1_MemoryChunk mechTypes = { token->mechTypes.cbBuffer, token->mechTypes.pvBuffer }; |
382 | 0 | WinPrAsn1_OctetString mechToken = { token->mechToken.cbBuffer, token->mechToken.pvBuffer }; |
383 | 0 | WinPrAsn1_OctetString mechListMic = { token->mic.cbBuffer, token->mic.pvBuffer }; |
384 | 0 | wStream s; |
385 | 0 | size_t len = 0; |
386 | |
|
387 | 0 | enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER); |
388 | 0 | if (!enc) |
389 | 0 | return FALSE; |
390 | | |
391 | | /* For NegTokenInit wrap in an initialContextToken */ |
392 | 0 | if (token->init) |
393 | 0 | { |
394 | | /* InitialContextToken [APPLICATION 0] IMPLICIT SEQUENCE */ |
395 | 0 | if (!WinPrAsn1EncAppContainer(enc, 0)) |
396 | 0 | goto cleanup; |
397 | | |
398 | | /* thisMech MechType OID */ |
399 | 0 | if (!WinPrAsn1EncOID(enc, &spnego_OID)) |
400 | 0 | goto cleanup; |
401 | 0 | } |
402 | | |
403 | | /* innerContextToken [0] NegTokenInit or [1] NegTokenResp */ |
404 | 0 | if (!WinPrAsn1EncContextualSeqContainer(enc, token->init ? 0 : 1)) |
405 | 0 | goto cleanup; |
406 | | |
407 | 0 | WLog_DBG(TAG, token->init ? "Writing negTokenInit..." : "Writing negTokenResp..."); |
408 | | |
409 | | /* mechTypes [0] MechTypeList (mechTypes already contains the SEQUENCE tag) */ |
410 | 0 | if (token->init) |
411 | 0 | { |
412 | 0 | if (!WinPrAsn1EncContextualRawContent(enc, 0, &mechTypes)) |
413 | 0 | goto cleanup; |
414 | 0 | WLog_DBG(TAG, "\tmechTypes [0] (%" PRIu32 " bytes)", token->mechTypes.cbBuffer); |
415 | 0 | } |
416 | | /* negState [0] ENUMERATED */ |
417 | 0 | else if (token->negState != NOSTATE) |
418 | 0 | { |
419 | 0 | if (!WinPrAsn1EncContextualEnumerated(enc, 0, token->negState)) |
420 | 0 | goto cleanup; |
421 | 0 | WLog_DBG(TAG, "\tnegState [0] (%d)", token->negState); |
422 | 0 | } |
423 | | |
424 | | /* supportedMech [1] OID */ |
425 | 0 | if (token->supportedMech.len) |
426 | 0 | { |
427 | 0 | if (!WinPrAsn1EncContextualOID(enc, 1, &token->supportedMech)) |
428 | 0 | goto cleanup; |
429 | 0 | WLog_DBG(TAG, "\tsupportedMech [1] (%s)", negotiate_mech_name(&token->supportedMech)); |
430 | 0 | } |
431 | | |
432 | | /* mechToken [2] OCTET STRING */ |
433 | 0 | if (token->mechToken.cbBuffer) |
434 | 0 | { |
435 | 0 | if (WinPrAsn1EncContextualOctetString(enc, 2, &mechToken) == 0) |
436 | 0 | goto cleanup; |
437 | 0 | WLog_DBG(TAG, "\tmechToken [2] (%" PRIu32 " bytes)", token->mechToken.cbBuffer); |
438 | 0 | } |
439 | | |
440 | | /* mechListMIC [3] OCTET STRING */ |
441 | 0 | if (token->mic.cbBuffer) |
442 | 0 | { |
443 | 0 | if (WinPrAsn1EncContextualOctetString(enc, 3, &mechListMic) == 0) |
444 | 0 | goto cleanup; |
445 | 0 | WLog_DBG(TAG, "\tmechListMIC [3] (%" PRIu32 " bytes)", token->mic.cbBuffer); |
446 | 0 | } |
447 | | |
448 | | /* NegTokenInit or NegTokenResp */ |
449 | 0 | if (!WinPrAsn1EncEndContainer(enc)) |
450 | 0 | goto cleanup; |
451 | | |
452 | 0 | if (token->init) |
453 | 0 | { |
454 | | /* initialContextToken */ |
455 | 0 | if (!WinPrAsn1EncEndContainer(enc)) |
456 | 0 | goto cleanup; |
457 | 0 | } |
458 | | |
459 | 0 | if (!WinPrAsn1EncStreamSize(enc, &len) || len > output_buffer->cbBuffer) |
460 | 0 | goto cleanup; |
461 | | |
462 | 0 | if (len > UINT32_MAX) |
463 | 0 | goto cleanup; |
464 | | |
465 | 0 | Stream_StaticInit(&s, output_buffer->pvBuffer, len); |
466 | |
|
467 | 0 | if (WinPrAsn1EncToStream(enc, &s)) |
468 | 0 | { |
469 | 0 | output_buffer->cbBuffer = (UINT32)len; |
470 | 0 | ret = TRUE; |
471 | 0 | } |
472 | |
|
473 | 0 | cleanup: |
474 | 0 | WinPrAsn1Encoder_Free(&enc); |
475 | 0 | return ret; |
476 | 0 | } |
477 | | |
478 | | static BOOL negotiate_read_neg_token(PSecBuffer input, NegToken* token) |
479 | 0 | { |
480 | 0 | WinPrAsn1Decoder dec = WinPrAsn1Decoder_init(); |
481 | 0 | WinPrAsn1Decoder dec2 = WinPrAsn1Decoder_init(); |
482 | 0 | WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT; |
483 | 0 | WinPrAsn1_tagId contextual = 0; |
484 | 0 | WinPrAsn1_tag tag = 0; |
485 | 0 | size_t len = 0; |
486 | 0 | WinPrAsn1_OctetString octet_string = WINPR_C_ARRAY_INIT; |
487 | 0 | BOOL err = 0; |
488 | |
|
489 | 0 | WINPR_ASSERT(input); |
490 | 0 | WINPR_ASSERT(token); |
491 | |
|
492 | 0 | WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, input->pvBuffer, input->cbBuffer); |
493 | |
|
494 | 0 | if (!WinPrAsn1DecPeekTag(&dec, &tag)) |
495 | 0 | return FALSE; |
496 | | |
497 | 0 | if (tag == 0x60) |
498 | 0 | { |
499 | | /* initialContextToken [APPLICATION 0] */ |
500 | 0 | if (!WinPrAsn1DecReadApp(&dec, &tag, &dec2) || tag != 0) |
501 | 0 | return FALSE; |
502 | 0 | dec = dec2; |
503 | | |
504 | | /* thisMech OID */ |
505 | 0 | if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE)) |
506 | 0 | return FALSE; |
507 | | |
508 | 0 | if (!sspi_gss_oid_compare(&spnego_OID, &oid)) |
509 | 0 | return FALSE; |
510 | | |
511 | | /* [0] NegTokenInit */ |
512 | 0 | if (!WinPrAsn1DecReadContextualSequence(&dec, 0, &err, &dec2)) |
513 | 0 | return FALSE; |
514 | | |
515 | 0 | token->init = TRUE; |
516 | 0 | } |
517 | | /* [1] NegTokenResp */ |
518 | 0 | else if (!WinPrAsn1DecReadContextualSequence(&dec, 1, &err, &dec2)) |
519 | 0 | return FALSE; |
520 | 0 | dec = dec2; |
521 | |
|
522 | 0 | WLog_DBG(TAG, token->init ? "Reading negTokenInit..." : "Reading negTokenResp..."); |
523 | | |
524 | | /* Read NegTokenResp sequence members */ |
525 | 0 | do |
526 | 0 | { |
527 | 0 | if (!WinPrAsn1DecReadContextualTag(&dec, &contextual, &dec2)) |
528 | 0 | return FALSE; |
529 | | |
530 | 0 | switch (contextual) |
531 | 0 | { |
532 | 0 | case 0: |
533 | 0 | if (token->init) |
534 | 0 | { |
535 | | /* mechTypes [0] MechTypeList */ |
536 | 0 | wStream s = WinPrAsn1DecGetStream(&dec2); |
537 | 0 | token->mechTypes.BufferType = SECBUFFER_TOKEN; |
538 | 0 | const size_t mlen = Stream_Length(&s); |
539 | 0 | if (mlen > UINT32_MAX) |
540 | 0 | return FALSE; |
541 | 0 | token->mechTypes.cbBuffer = (UINT32)mlen; |
542 | 0 | token->mechTypes.pvBuffer = Stream_Buffer(&s); |
543 | 0 | WLog_DBG(TAG, "\tmechTypes [0] (%" PRIu32 " bytes)", token->mechTypes.cbBuffer); |
544 | 0 | } |
545 | 0 | else |
546 | 0 | { |
547 | | /* negState [0] ENUMERATED */ |
548 | 0 | WinPrAsn1_ENUMERATED rd = 0; |
549 | 0 | if (!WinPrAsn1DecReadEnumerated(&dec2, &rd)) |
550 | 0 | return FALSE; |
551 | 0 | switch (rd) |
552 | 0 | { |
553 | 0 | case NOSTATE: |
554 | 0 | case ACCEPT_COMPLETED: |
555 | 0 | case ACCEPT_INCOMPLETE: |
556 | 0 | case REJECT: |
557 | 0 | case REQUEST_MIC: |
558 | 0 | break; |
559 | 0 | default: |
560 | 0 | WLog_ERR(TAG, "Invalid negState enumeration value %d", rd); |
561 | 0 | return FALSE; |
562 | 0 | } |
563 | | |
564 | 0 | token->negState = WINPR_ASSERTING_INT_CAST(enum NegState, rd); |
565 | 0 | WLog_DBG(TAG, "\tnegState [0] (%d)", rd); |
566 | 0 | } |
567 | 0 | break; |
568 | 0 | case 1: |
569 | 0 | if (token->init) |
570 | 0 | { |
571 | | /* reqFlags [1] ContextFlags BIT STRING (ignored) */ |
572 | 0 | if (!WinPrAsn1DecPeekTagAndLen(&dec2, &tag, &len) || (tag != ER_TAG_BIT_STRING)) |
573 | 0 | return FALSE; |
574 | 0 | WLog_DBG(TAG, "\treqFlags [1] (%" PRIuz " bytes)", len); |
575 | 0 | } |
576 | 0 | else |
577 | 0 | { |
578 | | /* supportedMech [1] MechType */ |
579 | 0 | if (!WinPrAsn1DecReadOID(&dec2, &token->supportedMech, FALSE)) |
580 | 0 | return FALSE; |
581 | 0 | WLog_DBG(TAG, "\tsupportedMech [1] (%s)", |
582 | 0 | negotiate_mech_name(&token->supportedMech)); |
583 | 0 | } |
584 | 0 | break; |
585 | 0 | case 2: |
586 | | /* mechToken [2] OCTET STRING */ |
587 | 0 | if (!WinPrAsn1DecReadOctetString(&dec2, &octet_string, FALSE)) |
588 | 0 | return FALSE; |
589 | 0 | if (octet_string.len > UINT32_MAX) |
590 | 0 | return FALSE; |
591 | 0 | token->mechToken.cbBuffer = (UINT32)octet_string.len; |
592 | 0 | token->mechToken.pvBuffer = octet_string.data; |
593 | 0 | token->mechToken.BufferType = SECBUFFER_TOKEN; |
594 | 0 | WLog_DBG(TAG, "\tmechToken [2] (%" PRIuz " bytes)", octet_string.len); |
595 | 0 | break; |
596 | 0 | case 3: |
597 | | /* mechListMic [3] OCTET STRING */ |
598 | 0 | if (!WinPrAsn1DecReadOctetString(&dec2, &octet_string, FALSE)) |
599 | 0 | return FALSE; |
600 | 0 | if (octet_string.len > UINT32_MAX) |
601 | 0 | return FALSE; |
602 | 0 | token->mic.cbBuffer = (UINT32)octet_string.len; |
603 | 0 | token->mic.pvBuffer = octet_string.data; |
604 | 0 | token->mic.BufferType = SECBUFFER_TOKEN; |
605 | 0 | WLog_DBG(TAG, "\tmechListMIC [3] (%" PRIuz " bytes)", octet_string.len); |
606 | 0 | break; |
607 | 0 | default: |
608 | 0 | WLog_ERR(TAG, "unknown contextual item %d", contextual); |
609 | 0 | return FALSE; |
610 | 0 | } |
611 | 0 | } while (WinPrAsn1DecPeekTag(&dec, &tag)); |
612 | | |
613 | 0 | return TRUE; |
614 | 0 | } |
615 | | |
616 | | static SECURITY_STATUS negotiate_mic_exchange(NEGOTIATE_CONTEXT* context, NegToken* input_token, |
617 | | NegToken* output_token, PSecBuffer output_buffer) |
618 | 0 | { |
619 | 0 | SecBuffer mic_buffers[2] = WINPR_C_ARRAY_INIT; |
620 | 0 | SecBufferDesc mic_buffer_desc = { SECBUFFER_VERSION, 2, mic_buffers }; |
621 | 0 | SECURITY_STATUS status = 0; |
622 | |
|
623 | 0 | WINPR_ASSERT(context); |
624 | 0 | WINPR_ASSERT(input_token); |
625 | 0 | WINPR_ASSERT(output_token); |
626 | 0 | WINPR_ASSERT(context->mech); |
627 | 0 | WINPR_ASSERT(context->mech->pkg); |
628 | |
|
629 | 0 | const SecurityFunctionTableA* table = context->mech->pkg->table; |
630 | 0 | WINPR_ASSERT(table); |
631 | |
|
632 | 0 | mic_buffers[0] = context->mechTypes; |
633 | | |
634 | | /* Verify MIC if we received one */ |
635 | 0 | if (input_token->mic.cbBuffer > 0) |
636 | 0 | { |
637 | 0 | mic_buffers[1] = input_token->mic; |
638 | |
|
639 | 0 | status = table->VerifySignature(&context->sub_context, &mic_buffer_desc, 0, 0); |
640 | 0 | if (status != SEC_E_OK) |
641 | 0 | return status; |
642 | | |
643 | 0 | output_token->negState = ACCEPT_COMPLETED; |
644 | 0 | } |
645 | | |
646 | | /* If peer expects a MIC then generate it */ |
647 | 0 | if (input_token->negState != ACCEPT_COMPLETED) |
648 | 0 | { |
649 | | /* Store the mic token after the mech token in the output buffer */ |
650 | 0 | output_token->mic.BufferType = SECBUFFER_TOKEN; |
651 | 0 | if (output_buffer) |
652 | 0 | { |
653 | 0 | output_token->mic.cbBuffer = output_buffer->cbBuffer - output_token->mechToken.cbBuffer; |
654 | 0 | output_token->mic.pvBuffer = |
655 | 0 | (BYTE*)output_buffer->pvBuffer + output_token->mechToken.cbBuffer; |
656 | 0 | } |
657 | 0 | mic_buffers[1] = output_token->mic; |
658 | |
|
659 | 0 | status = table->MakeSignature(&context->sub_context, 0, &mic_buffer_desc, 0); |
660 | 0 | if (status != SEC_E_OK) |
661 | 0 | return status; |
662 | | |
663 | 0 | output_token->mic = mic_buffers[1]; |
664 | 0 | } |
665 | | |
666 | | /* When using NTLM cipher states need to be reset after mic exchange */ |
667 | 0 | const TCHAR* name = sspi_SecureHandleGetUpperPointer(&context->sub_context); |
668 | 0 | if (!name) |
669 | 0 | return SEC_E_INTERNAL_ERROR; |
670 | | |
671 | 0 | if (_tcsncmp(name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0) |
672 | 0 | { |
673 | 0 | if (!ntlm_reset_cipher_state(&context->sub_context)) |
674 | 0 | return SEC_E_INTERNAL_ERROR; |
675 | 0 | } |
676 | | |
677 | 0 | return SEC_E_OK; |
678 | 0 | } |
679 | | |
680 | | static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW( |
681 | | PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq, |
682 | | ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, |
683 | | PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) |
684 | 0 | { |
685 | 0 | NEGOTIATE_CONTEXT* context = NULL; |
686 | 0 | NEGOTIATE_CONTEXT init_context = NEGOTIATE_CONTEXT_init(); |
687 | 0 | MechCred* creds = NULL; |
688 | 0 | PCtxtHandle sub_context = NULL; |
689 | 0 | PCredHandle sub_cred = NULL; |
690 | 0 | NegToken input_token = empty_neg_token; |
691 | 0 | NegToken output_token = empty_neg_token; |
692 | 0 | PSecBuffer input_buffer = NULL; |
693 | 0 | PSecBuffer output_buffer = NULL; |
694 | 0 | PSecBuffer bindings_buffer = NULL; |
695 | 0 | SecBuffer mech_input_buffers[2] = WINPR_C_ARRAY_INIT; |
696 | 0 | SecBufferDesc mech_input = { SECBUFFER_VERSION, 2, mech_input_buffers }; |
697 | 0 | SecBufferDesc mech_output = { SECBUFFER_VERSION, 1, &output_token.mechToken }; |
698 | 0 | SECURITY_STATUS status = SEC_E_INTERNAL_ERROR; |
699 | 0 | SECURITY_STATUS sub_status = SEC_E_INTERNAL_ERROR; |
700 | 0 | WinPrAsn1Encoder* enc = NULL; |
701 | 0 | wStream s; |
702 | 0 | const Mech* mech = NULL; |
703 | |
|
704 | 0 | if (!phCredential || !SecIsValidHandle(phCredential)) |
705 | 0 | return SEC_E_NO_CREDENTIALS; |
706 | | |
707 | 0 | creds = sspi_SecureHandleGetLowerPointer(phCredential); |
708 | | |
709 | | /* behave like windows SSPIs that don't want empty context */ |
710 | 0 | if (phContext && !phContext->dwLower && !phContext->dwUpper) |
711 | 0 | return SEC_E_INVALID_HANDLE; |
712 | | |
713 | 0 | context = sspi_SecureHandleGetLowerPointer(phContext); |
714 | |
|
715 | 0 | if (pInput) |
716 | 0 | { |
717 | 0 | input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN); |
718 | 0 | bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS); |
719 | 0 | } |
720 | 0 | if (pOutput) |
721 | 0 | output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN); |
722 | |
|
723 | 0 | if (!context) |
724 | 0 | { |
725 | 0 | enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER); |
726 | 0 | if (!enc) |
727 | 0 | return SEC_E_INSUFFICIENT_MEMORY; |
728 | | |
729 | 0 | if (!WinPrAsn1EncSeqContainer(enc)) |
730 | 0 | goto cleanup; |
731 | | |
732 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
733 | 0 | { |
734 | 0 | MechCred* cred = &creds[i]; |
735 | 0 | const SecPkg* pkg = MechTable[i].pkg; |
736 | 0 | WINPR_ASSERT(pkg); |
737 | 0 | WINPR_ASSERT(pkg->table_w); |
738 | |
|
739 | 0 | if (!cred->valid) |
740 | 0 | { |
741 | 0 | WLog_DBG(TAG, "Unavailable mechanism: %s", negotiate_mech_name(cred->mech->oid)); |
742 | 0 | continue; |
743 | 0 | } |
744 | | |
745 | | /* Send an optimistic token for the first valid mechanism */ |
746 | 0 | if (!init_context.mech) |
747 | 0 | { |
748 | | /* Use the output buffer to store the optimistic token */ |
749 | 0 | if (!output_buffer) |
750 | 0 | goto cleanup; |
751 | | |
752 | 0 | CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer)); |
753 | |
|
754 | 0 | if (bindings_buffer) |
755 | 0 | mech_input_buffers[0] = *bindings_buffer; |
756 | |
|
757 | 0 | WINPR_ASSERT(pkg->table_w->InitializeSecurityContextW); |
758 | 0 | sub_status = pkg->table_w->InitializeSecurityContextW( |
759 | 0 | &cred->cred, NULL, pszTargetName, fContextReq | cred->mech->flags, Reserved1, |
760 | 0 | TargetDataRep, &mech_input, Reserved2, &init_context.sub_context, &mech_output, |
761 | 0 | pfContextAttr, ptsExpiry); |
762 | | |
763 | | /* If the mechanism failed we can't use it; skip */ |
764 | 0 | if (IsSecurityStatusError(sub_status)) |
765 | 0 | { |
766 | 0 | if (SecIsValidHandle(&init_context.sub_context)) |
767 | 0 | { |
768 | 0 | WINPR_ASSERT(pkg->table_w->DeleteSecurityContext); |
769 | 0 | pkg->table_w->DeleteSecurityContext(&init_context.sub_context); |
770 | 0 | } |
771 | 0 | cred->valid = FALSE; |
772 | 0 | continue; |
773 | 0 | } |
774 | | |
775 | 0 | init_context.mech = cred->mech; |
776 | 0 | } |
777 | | |
778 | 0 | if (!WinPrAsn1EncOID(enc, cred->mech->oid)) |
779 | 0 | goto cleanup; |
780 | 0 | WLog_DBG(TAG, "Available mechanism: %s", negotiate_mech_name(cred->mech->oid)); |
781 | 0 | } |
782 | | |
783 | | /* No usable mechanisms were found */ |
784 | 0 | if (!init_context.mech) |
785 | 0 | goto cleanup; |
786 | | |
787 | | /* If the only available mech is NTLM use it directly otherwise use spnego */ |
788 | 0 | if (init_context.mech->oid == &ntlm_OID) |
789 | 0 | { |
790 | 0 | init_context.spnego = FALSE; |
791 | 0 | output_buffer->cbBuffer = output_token.mechToken.cbBuffer; |
792 | 0 | WLog_DBG(TAG, "Using direct NTLM"); |
793 | 0 | } |
794 | 0 | else |
795 | 0 | { |
796 | 0 | init_context.spnego = TRUE; |
797 | 0 | init_context.mechTypes.BufferType = SECBUFFER_DATA; |
798 | 0 | const size_t cb = WinPrAsn1EncEndContainer(enc); |
799 | 0 | WINPR_ASSERT(cb <= UINT32_MAX); |
800 | 0 | init_context.mechTypes.cbBuffer = (UINT32)cb; |
801 | 0 | } |
802 | | |
803 | | /* Allocate memory for the new context */ |
804 | 0 | context = negotiate_ContextNew(&init_context); |
805 | 0 | if (!context) |
806 | 0 | { |
807 | 0 | init_context.mech->pkg->table->DeleteSecurityContext(&init_context.sub_context); |
808 | 0 | WinPrAsn1Encoder_Free(&enc); |
809 | 0 | return SEC_E_INSUFFICIENT_MEMORY; |
810 | 0 | } |
811 | | |
812 | 0 | sspi_SecureHandleSetUpperPointer(phNewContext, NEGO_SSP_NAME); |
813 | 0 | sspi_SecureHandleSetLowerPointer(phNewContext, context); |
814 | |
|
815 | 0 | if (!context->spnego) |
816 | 0 | { |
817 | 0 | status = sub_status; |
818 | 0 | goto cleanup; |
819 | 0 | } |
820 | | |
821 | | /* Write mechTypesList */ |
822 | 0 | Stream_StaticInit(&s, context->mechTypes.pvBuffer, context->mechTypes.cbBuffer); |
823 | 0 | if (!WinPrAsn1EncToStream(enc, &s)) |
824 | 0 | goto cleanup; |
825 | | |
826 | 0 | output_token.mechTypes.cbBuffer = context->mechTypes.cbBuffer; |
827 | 0 | output_token.mechTypes.pvBuffer = context->mechTypes.pvBuffer; |
828 | 0 | output_token.init = TRUE; |
829 | |
|
830 | 0 | if (sub_status == SEC_E_OK) |
831 | 0 | context->state = NEGOTIATE_STATE_FINAL_OPTIMISTIC; |
832 | 0 | } |
833 | 0 | else |
834 | 0 | { |
835 | 0 | if (!input_buffer) |
836 | 0 | return SEC_E_INVALID_TOKEN; |
837 | | |
838 | 0 | sub_context = &context->sub_context; |
839 | 0 | sub_cred = negotiate_FindCredential(creds, context->mech); |
840 | |
|
841 | 0 | if (!context->spnego) |
842 | 0 | { |
843 | 0 | return context->mech->pkg->table_w->InitializeSecurityContextW( |
844 | 0 | sub_cred, sub_context, pszTargetName, fContextReq | context->mech->flags, Reserved1, |
845 | 0 | TargetDataRep, pInput, Reserved2, sub_context, pOutput, pfContextAttr, ptsExpiry); |
846 | 0 | } |
847 | | |
848 | 0 | if (!negotiate_read_neg_token(input_buffer, &input_token)) |
849 | 0 | return SEC_E_INVALID_TOKEN; |
850 | | |
851 | | /* On first response check if the server doesn't like out preferred mech */ |
852 | 0 | if (context->state < NEGOTIATE_STATE_NEGORESP && input_token.supportedMech.len && |
853 | 0 | !sspi_gss_oid_compare(&input_token.supportedMech, context->mech->oid)) |
854 | 0 | { |
855 | 0 | mech = negotiate_GetMechByOID(&input_token.supportedMech); |
856 | 0 | if (!mech) |
857 | 0 | return SEC_E_INVALID_TOKEN; |
858 | | |
859 | | /* Make sure the specified mech is supported and get the appropriate credential */ |
860 | 0 | sub_cred = negotiate_FindCredential(creds, mech); |
861 | 0 | if (!sub_cred) |
862 | 0 | return SEC_E_INVALID_TOKEN; |
863 | | |
864 | | /* Clean up the optimistic mech */ |
865 | 0 | context->mech->pkg->table_w->DeleteSecurityContext(&context->sub_context); |
866 | 0 | sub_context = NULL; |
867 | |
|
868 | 0 | context->mech = mech; |
869 | 0 | context->mic = TRUE; |
870 | 0 | } |
871 | | |
872 | | /* Check neg_state (required on first response) */ |
873 | 0 | if (context->state < NEGOTIATE_STATE_NEGORESP) |
874 | 0 | { |
875 | 0 | switch (input_token.negState) |
876 | 0 | { |
877 | 0 | case NOSTATE: |
878 | 0 | return SEC_E_INVALID_TOKEN; |
879 | 0 | case REJECT: |
880 | 0 | return SEC_E_LOGON_DENIED; |
881 | 0 | case REQUEST_MIC: |
882 | 0 | context->mic = TRUE; |
883 | | /* fallthrough */ |
884 | 0 | WINPR_FALLTHROUGH |
885 | 0 | case ACCEPT_INCOMPLETE: |
886 | 0 | context->state = NEGOTIATE_STATE_NEGORESP; |
887 | 0 | break; |
888 | 0 | case ACCEPT_COMPLETED: |
889 | 0 | if (context->state == NEGOTIATE_STATE_INITIAL) |
890 | 0 | context->state = NEGOTIATE_STATE_NEGORESP; |
891 | 0 | else |
892 | 0 | context->state = NEGOTIATE_STATE_FINAL; |
893 | 0 | break; |
894 | 0 | default: |
895 | 0 | break; |
896 | 0 | } |
897 | | |
898 | 0 | WLog_DBG(TAG, "Negotiated mechanism: %s", negotiate_mech_name(context->mech->oid)); |
899 | 0 | } |
900 | | |
901 | 0 | if (context->state == NEGOTIATE_STATE_NEGORESP) |
902 | 0 | { |
903 | | /* Store the mech token in the output buffer */ |
904 | 0 | if (!output_buffer) |
905 | 0 | goto cleanup; |
906 | 0 | CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer)); |
907 | |
|
908 | 0 | mech_input_buffers[0] = input_token.mechToken; |
909 | 0 | if (bindings_buffer) |
910 | 0 | mech_input_buffers[1] = *bindings_buffer; |
911 | |
|
912 | 0 | status = context->mech->pkg->table_w->InitializeSecurityContextW( |
913 | 0 | sub_cred, sub_context, pszTargetName, fContextReq | context->mech->flags, Reserved1, |
914 | 0 | TargetDataRep, input_token.mechToken.cbBuffer ? &mech_input : NULL, Reserved2, |
915 | 0 | &context->sub_context, &mech_output, pfContextAttr, ptsExpiry); |
916 | |
|
917 | 0 | if (IsSecurityStatusError(status)) |
918 | 0 | return status; |
919 | 0 | } |
920 | | |
921 | 0 | if (status == SEC_E_OK) |
922 | 0 | { |
923 | 0 | if (output_token.mechToken.cbBuffer > 0) |
924 | 0 | context->state = NEGOTIATE_STATE_MIC; |
925 | 0 | else |
926 | 0 | context->state = NEGOTIATE_STATE_FINAL; |
927 | 0 | } |
928 | | |
929 | | /* Check if the acceptor sent its final token without a mic */ |
930 | 0 | if (context->state == NEGOTIATE_STATE_FINAL && input_token.mic.cbBuffer == 0) |
931 | 0 | { |
932 | 0 | if (context->mic || input_token.negState != ACCEPT_COMPLETED) |
933 | 0 | return SEC_E_INVALID_TOKEN; |
934 | | |
935 | 0 | if (output_buffer) |
936 | 0 | output_buffer->cbBuffer = 0; |
937 | 0 | return SEC_E_OK; |
938 | 0 | } |
939 | | |
940 | 0 | if ((context->state == NEGOTIATE_STATE_MIC && context->mic) || |
941 | 0 | context->state == NEGOTIATE_STATE_FINAL) |
942 | 0 | { |
943 | 0 | status = negotiate_mic_exchange(context, &input_token, &output_token, output_buffer); |
944 | 0 | if (status != SEC_E_OK) |
945 | 0 | return status; |
946 | 0 | } |
947 | 0 | } |
948 | | |
949 | 0 | if (input_token.negState == ACCEPT_COMPLETED) |
950 | 0 | { |
951 | 0 | if (output_buffer) |
952 | 0 | output_buffer->cbBuffer = 0; |
953 | 0 | return SEC_E_OK; |
954 | 0 | } |
955 | | |
956 | 0 | if (output_token.negState == ACCEPT_COMPLETED) |
957 | 0 | status = SEC_E_OK; |
958 | 0 | else |
959 | 0 | status = SEC_I_CONTINUE_NEEDED; |
960 | |
|
961 | 0 | if (!negotiate_write_neg_token(output_buffer, &output_token)) |
962 | 0 | status = SEC_E_INTERNAL_ERROR; |
963 | |
|
964 | 0 | cleanup: |
965 | 0 | WinPrAsn1Encoder_Free(&enc); |
966 | 0 | return status; |
967 | 0 | } |
968 | | |
969 | | static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA( |
970 | | PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq, |
971 | | ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, |
972 | | PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) |
973 | 0 | { |
974 | 0 | SECURITY_STATUS status = 0; |
975 | 0 | SEC_WCHAR* pszTargetNameW = NULL; |
976 | |
|
977 | 0 | if (pszTargetName) |
978 | 0 | { |
979 | 0 | pszTargetNameW = ConvertUtf8ToWCharAlloc(pszTargetName, NULL); |
980 | 0 | if (!pszTargetNameW) |
981 | 0 | return SEC_E_INTERNAL_ERROR; |
982 | 0 | } |
983 | | |
984 | 0 | status = negotiate_InitializeSecurityContextW( |
985 | 0 | phCredential, phContext, pszTargetNameW, fContextReq, Reserved1, TargetDataRep, pInput, |
986 | 0 | Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry); |
987 | 0 | free(pszTargetNameW); |
988 | 0 | return status; |
989 | 0 | } |
990 | | |
991 | | static const Mech* guessMech(PSecBuffer input_buffer, BOOL* spNego, WinPrAsn1_OID* oid) |
992 | 0 | { |
993 | 0 | WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init(); |
994 | 0 | WinPrAsn1Decoder appDecoder = WinPrAsn1Decoder_init(); |
995 | 0 | WinPrAsn1_tagId tag = 0; |
996 | 0 | const char ssp[] = "NTLMSSP"; |
997 | |
|
998 | 0 | *spNego = FALSE; |
999 | | |
1000 | | /* Check for NTLM token */ |
1001 | 0 | if (input_buffer->cbBuffer >= 8 && strncmp(input_buffer->pvBuffer, ssp, sizeof(ssp)) == 0) |
1002 | 0 | { |
1003 | 0 | *oid = ntlm_OID; |
1004 | 0 | return negotiate_GetMechByOID(&ntlm_OID); |
1005 | 0 | } |
1006 | | |
1007 | | /* Read initialContextToken or raw Kerberos token */ |
1008 | 0 | WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, input_buffer->pvBuffer, |
1009 | 0 | input_buffer->cbBuffer); |
1010 | |
|
1011 | 0 | if (!WinPrAsn1DecReadApp(&decoder, &tag, &appDecoder) || tag != 0) |
1012 | 0 | return NULL; |
1013 | | |
1014 | 0 | if (!WinPrAsn1DecReadOID(&appDecoder, oid, FALSE)) |
1015 | 0 | return NULL; |
1016 | | |
1017 | 0 | if (sspi_gss_oid_compare(oid, &spnego_OID)) |
1018 | 0 | { |
1019 | 0 | *spNego = TRUE; |
1020 | 0 | return NULL; |
1021 | 0 | } |
1022 | | |
1023 | 0 | return negotiate_GetMechByOID(oid); |
1024 | 0 | } |
1025 | | |
1026 | | static SECURITY_STATUS SEC_ENTRY negotiate_AcceptSecurityContext( |
1027 | | PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput, ULONG fContextReq, |
1028 | | ULONG TargetDataRep, PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, |
1029 | | PTimeStamp ptsTimeStamp) |
1030 | 0 | { |
1031 | 0 | NEGOTIATE_CONTEXT* context = NULL; |
1032 | 0 | NEGOTIATE_CONTEXT init_context = NEGOTIATE_CONTEXT_init(); |
1033 | 0 | MechCred* creds = NULL; |
1034 | 0 | PCredHandle sub_cred = NULL; |
1035 | 0 | NegToken input_token = empty_neg_token; |
1036 | 0 | NegToken output_token = empty_neg_token; |
1037 | 0 | PSecBuffer input_buffer = NULL; |
1038 | 0 | PSecBuffer output_buffer = NULL; |
1039 | 0 | SecBufferDesc mech_input = { SECBUFFER_VERSION, 1, &input_token.mechToken }; |
1040 | 0 | SecBufferDesc mech_output = { SECBUFFER_VERSION, 1, &output_token.mechToken }; |
1041 | 0 | SECURITY_STATUS status = SEC_E_INTERNAL_ERROR; |
1042 | 0 | WinPrAsn1Decoder dec = WinPrAsn1Decoder_init(); |
1043 | 0 | WinPrAsn1Decoder dec2 = WinPrAsn1Decoder_init(); |
1044 | 0 | WinPrAsn1_tagId tag = 0; |
1045 | 0 | WinPrAsn1_OID oid = WINPR_C_ARRAY_INIT; |
1046 | 0 | const Mech* first_mech = NULL; |
1047 | |
|
1048 | 0 | if (!phCredential || !SecIsValidHandle(phCredential)) |
1049 | 0 | return SEC_E_NO_CREDENTIALS; |
1050 | | |
1051 | 0 | creds = sspi_SecureHandleGetLowerPointer(phCredential); |
1052 | |
|
1053 | 0 | if (!pInput) |
1054 | 0 | return SEC_E_INVALID_TOKEN; |
1055 | | |
1056 | | /* behave like windows SSPIs that don't want empty context */ |
1057 | 0 | if (phContext && !phContext->dwLower && !phContext->dwUpper) |
1058 | 0 | return SEC_E_INVALID_HANDLE; |
1059 | | |
1060 | 0 | context = sspi_SecureHandleGetLowerPointer(phContext); |
1061 | |
|
1062 | 0 | input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN); |
1063 | 0 | if (pOutput) |
1064 | 0 | output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN); |
1065 | |
|
1066 | 0 | if (!context) |
1067 | 0 | { |
1068 | 0 | init_context.mech = guessMech(input_buffer, &init_context.spnego, &oid); |
1069 | 0 | if (!init_context.mech && !init_context.spnego) |
1070 | 0 | return SEC_E_INVALID_TOKEN; |
1071 | | |
1072 | 0 | WLog_DBG(TAG, "Mechanism: %s", negotiate_mech_name(&oid)); |
1073 | |
|
1074 | 0 | if (init_context.spnego) |
1075 | 0 | { |
1076 | | /* Process spnego token */ |
1077 | 0 | if (!negotiate_read_neg_token(input_buffer, &input_token)) |
1078 | 0 | return SEC_E_INVALID_TOKEN; |
1079 | | |
1080 | | /* First token must be negoTokenInit and must contain a mechList */ |
1081 | 0 | if (!input_token.init || input_token.mechTypes.cbBuffer == 0) |
1082 | 0 | return SEC_E_INVALID_TOKEN; |
1083 | | |
1084 | 0 | init_context.mechTypes.BufferType = SECBUFFER_DATA; |
1085 | 0 | init_context.mechTypes.cbBuffer = input_token.mechTypes.cbBuffer; |
1086 | | |
1087 | | /* Prepare to read mechList */ |
1088 | 0 | WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_DER, input_token.mechTypes.pvBuffer, |
1089 | 0 | input_token.mechTypes.cbBuffer); |
1090 | |
|
1091 | 0 | if (!WinPrAsn1DecReadSequence(&dec, &dec2)) |
1092 | 0 | return SEC_E_INVALID_TOKEN; |
1093 | 0 | dec = dec2; |
1094 | | |
1095 | | /* If an optimistic token was provided pass it into the first mech */ |
1096 | 0 | if (input_token.mechToken.cbBuffer) |
1097 | 0 | { |
1098 | 0 | if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE)) |
1099 | 0 | return SEC_E_INVALID_TOKEN; |
1100 | | |
1101 | 0 | init_context.mech = negotiate_GetMechByOID(&oid); |
1102 | |
|
1103 | 0 | if (init_context.mech) |
1104 | 0 | { |
1105 | 0 | if (output_buffer) |
1106 | 0 | output_token.mechToken = *output_buffer; |
1107 | 0 | WLog_DBG(TAG, "Requested mechanism: %s", |
1108 | 0 | negotiate_mech_name(init_context.mech->oid)); |
1109 | 0 | } |
1110 | 0 | } |
1111 | 0 | } |
1112 | | |
1113 | 0 | if (init_context.mech) |
1114 | 0 | { |
1115 | 0 | sub_cred = negotiate_FindCredential(creds, init_context.mech); |
1116 | |
|
1117 | 0 | status = init_context.mech->pkg->table->AcceptSecurityContext( |
1118 | 0 | sub_cred, NULL, init_context.spnego ? &mech_input : pInput, fContextReq, |
1119 | 0 | TargetDataRep, &init_context.sub_context, |
1120 | 0 | init_context.spnego ? &mech_output : pOutput, pfContextAttr, ptsTimeStamp); |
1121 | 0 | } |
1122 | |
|
1123 | 0 | if (IsSecurityStatusError(status)) |
1124 | 0 | { |
1125 | 0 | if (!init_context.spnego) |
1126 | 0 | return status; |
1127 | | |
1128 | 0 | init_context.mic = TRUE; |
1129 | 0 | first_mech = init_context.mech; |
1130 | 0 | init_context.mech = NULL; |
1131 | 0 | output_token.mechToken.cbBuffer = 0; |
1132 | 0 | } |
1133 | | |
1134 | 0 | while (!init_context.mech && WinPrAsn1DecPeekTag(&dec, &tag)) |
1135 | 0 | { |
1136 | | /* Read each mechanism */ |
1137 | 0 | if (!WinPrAsn1DecReadOID(&dec, &oid, FALSE)) |
1138 | 0 | return SEC_E_INVALID_TOKEN; |
1139 | | |
1140 | 0 | init_context.mech = negotiate_GetMechByOID(&oid); |
1141 | 0 | WLog_DBG(TAG, "Requested mechanism: %s", negotiate_mech_name(&oid)); |
1142 | | |
1143 | | /* Microsoft may send two versions of the kerberos OID */ |
1144 | 0 | if (init_context.mech == first_mech) |
1145 | 0 | init_context.mech = NULL; |
1146 | |
|
1147 | 0 | if (init_context.mech && !negotiate_FindCredential(creds, init_context.mech)) |
1148 | 0 | init_context.mech = NULL; |
1149 | 0 | } |
1150 | | |
1151 | 0 | if (!init_context.mech) |
1152 | 0 | return SEC_E_INTERNAL_ERROR; |
1153 | | |
1154 | 0 | context = negotiate_ContextNew(&init_context); |
1155 | 0 | if (!context) |
1156 | 0 | { |
1157 | 0 | if (!IsSecurityStatusError(status)) |
1158 | 0 | init_context.mech->pkg->table->DeleteSecurityContext(&init_context.sub_context); |
1159 | 0 | return SEC_E_INSUFFICIENT_MEMORY; |
1160 | 0 | } |
1161 | | |
1162 | 0 | sspi_SecureHandleSetUpperPointer(phNewContext, NEGO_SSP_NAME); |
1163 | 0 | sspi_SecureHandleSetLowerPointer(phNewContext, context); |
1164 | |
|
1165 | 0 | if (!init_context.spnego) |
1166 | 0 | return status; |
1167 | | |
1168 | 0 | CopyMemory(init_context.mechTypes.pvBuffer, input_token.mechTypes.pvBuffer, |
1169 | 0 | input_token.mechTypes.cbBuffer); |
1170 | |
|
1171 | 0 | if (!context->mech->preferred) |
1172 | 0 | { |
1173 | 0 | output_token.negState = REQUEST_MIC; |
1174 | 0 | context->mic = TRUE; |
1175 | 0 | } |
1176 | 0 | else |
1177 | 0 | { |
1178 | 0 | output_token.negState = ACCEPT_INCOMPLETE; |
1179 | 0 | } |
1180 | |
|
1181 | 0 | if (status == SEC_E_OK) |
1182 | 0 | context->state = NEGOTIATE_STATE_FINAL; |
1183 | 0 | else |
1184 | 0 | context->state = NEGOTIATE_STATE_NEGORESP; |
1185 | |
|
1186 | 0 | output_token.supportedMech = oid; |
1187 | 0 | WLog_DBG(TAG, "Accepted mechanism: %s", negotiate_mech_name(&output_token.supportedMech)); |
1188 | 0 | } |
1189 | 0 | else |
1190 | 0 | { |
1191 | 0 | sub_cred = negotiate_FindCredential(creds, context->mech); |
1192 | 0 | if (!sub_cred) |
1193 | 0 | return SEC_E_NO_CREDENTIALS; |
1194 | | |
1195 | 0 | if (!context->spnego) |
1196 | 0 | { |
1197 | 0 | return context->mech->pkg->table->AcceptSecurityContext( |
1198 | 0 | sub_cred, &context->sub_context, pInput, fContextReq, TargetDataRep, |
1199 | 0 | &context->sub_context, pOutput, pfContextAttr, ptsTimeStamp); |
1200 | 0 | } |
1201 | | |
1202 | 0 | if (!negotiate_read_neg_token(input_buffer, &input_token)) |
1203 | 0 | return SEC_E_INVALID_TOKEN; |
1204 | | |
1205 | | /* Process the mechanism token */ |
1206 | 0 | if (input_token.mechToken.cbBuffer > 0) |
1207 | 0 | { |
1208 | 0 | if (context->state != NEGOTIATE_STATE_NEGORESP) |
1209 | 0 | return SEC_E_INVALID_TOKEN; |
1210 | | |
1211 | | /* Use the output buffer to store the optimistic token */ |
1212 | 0 | if (output_buffer) |
1213 | 0 | CopyMemory(&output_token.mechToken, output_buffer, sizeof(SecBuffer)); |
1214 | |
|
1215 | 0 | status = context->mech->pkg->table->AcceptSecurityContext( |
1216 | 0 | sub_cred, &context->sub_context, &mech_input, fContextReq | context->mech->flags, |
1217 | 0 | TargetDataRep, &context->sub_context, &mech_output, pfContextAttr, ptsTimeStamp); |
1218 | |
|
1219 | 0 | if (IsSecurityStatusError(status)) |
1220 | 0 | return status; |
1221 | | |
1222 | 0 | if (status == SEC_E_OK) |
1223 | 0 | context->state = NEGOTIATE_STATE_FINAL; |
1224 | 0 | } |
1225 | 0 | else if (context->state == NEGOTIATE_STATE_NEGORESP) |
1226 | 0 | return SEC_E_INVALID_TOKEN; |
1227 | 0 | } |
1228 | | |
1229 | 0 | if (context->state == NEGOTIATE_STATE_FINAL) |
1230 | 0 | { |
1231 | | /* Check if initiator sent the last mech token without a mic and a mic was required */ |
1232 | 0 | if (context->mic && output_token.mechToken.cbBuffer == 0 && input_token.mic.cbBuffer == 0) |
1233 | 0 | return SEC_E_INVALID_TOKEN; |
1234 | | |
1235 | 0 | if (context->mic || input_token.mic.cbBuffer > 0) |
1236 | 0 | { |
1237 | 0 | status = negotiate_mic_exchange(context, &input_token, &output_token, output_buffer); |
1238 | 0 | if (status != SEC_E_OK) |
1239 | 0 | return status; |
1240 | 0 | } |
1241 | 0 | else |
1242 | 0 | output_token.negState = ACCEPT_COMPLETED; |
1243 | 0 | } |
1244 | | |
1245 | 0 | if (input_token.negState == ACCEPT_COMPLETED) |
1246 | 0 | { |
1247 | 0 | if (output_buffer) |
1248 | 0 | output_buffer->cbBuffer = 0; |
1249 | 0 | return SEC_E_OK; |
1250 | 0 | } |
1251 | | |
1252 | 0 | if (output_token.negState == ACCEPT_COMPLETED) |
1253 | 0 | status = SEC_E_OK; |
1254 | 0 | else |
1255 | 0 | status = SEC_I_CONTINUE_NEEDED; |
1256 | |
|
1257 | 0 | if (!negotiate_write_neg_token(output_buffer, &output_token)) |
1258 | 0 | return SEC_E_INTERNAL_ERROR; |
1259 | | |
1260 | 0 | return status; |
1261 | 0 | } |
1262 | | |
1263 | | static SECURITY_STATUS SEC_ENTRY negotiate_CompleteAuthToken(PCtxtHandle phContext, |
1264 | | PSecBufferDesc pToken) |
1265 | 0 | { |
1266 | 0 | NEGOTIATE_CONTEXT* context = NULL; |
1267 | 0 | SECURITY_STATUS status = SEC_E_OK; |
1268 | 0 | context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1269 | |
|
1270 | 0 | if (!context) |
1271 | 0 | return SEC_E_INVALID_HANDLE; |
1272 | | |
1273 | 0 | WINPR_ASSERT(context->mech); |
1274 | 0 | WINPR_ASSERT(context->mech->pkg); |
1275 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1276 | 0 | if (context->mech->pkg->table->CompleteAuthToken) |
1277 | 0 | status = context->mech->pkg->table->CompleteAuthToken(&context->sub_context, pToken); |
1278 | |
|
1279 | 0 | return status; |
1280 | 0 | } |
1281 | | |
1282 | | static SECURITY_STATUS SEC_ENTRY negotiate_DeleteSecurityContext(PCtxtHandle phContext) |
1283 | 0 | { |
1284 | 0 | NEGOTIATE_CONTEXT* context = NULL; |
1285 | 0 | SECURITY_STATUS status = SEC_E_OK; |
1286 | 0 | context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1287 | 0 | const SecPkg* pkg = NULL; |
1288 | |
|
1289 | 0 | if (!context) |
1290 | 0 | return SEC_E_INVALID_HANDLE; |
1291 | | |
1292 | 0 | WINPR_ASSERT(context->mech); |
1293 | 0 | WINPR_ASSERT(context->mech->pkg); |
1294 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1295 | 0 | pkg = context->mech->pkg; |
1296 | |
|
1297 | 0 | if (pkg->table->DeleteSecurityContext) |
1298 | 0 | status = pkg->table->DeleteSecurityContext(&context->sub_context); |
1299 | |
|
1300 | 0 | negotiate_ContextFree(context); |
1301 | 0 | return status; |
1302 | 0 | } |
1303 | | |
1304 | | static SECURITY_STATUS SEC_ENTRY |
1305 | | negotiate_ImpersonateSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext) |
1306 | 0 | { |
1307 | 0 | return SEC_E_OK; |
1308 | 0 | } |
1309 | | |
1310 | | static SECURITY_STATUS SEC_ENTRY |
1311 | | negotiate_RevertSecurityContext(WINPR_ATTR_UNUSED PCtxtHandle phContext) |
1312 | 0 | { |
1313 | 0 | return SEC_E_OK; |
1314 | 0 | } |
1315 | | |
1316 | | static SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesW(PCtxtHandle phContext, |
1317 | | ULONG ulAttribute, void* pBuffer) |
1318 | 0 | { |
1319 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1320 | |
|
1321 | 0 | if (!context) |
1322 | 0 | return SEC_E_INVALID_HANDLE; |
1323 | | |
1324 | 0 | WINPR_ASSERT(context->mech); |
1325 | 0 | WINPR_ASSERT(context->mech->pkg); |
1326 | 0 | WINPR_ASSERT(context->mech->pkg->table_w); |
1327 | 0 | if (context->mech->pkg->table_w->QueryContextAttributesW) |
1328 | 0 | return context->mech->pkg->table_w->QueryContextAttributesW(&context->sub_context, |
1329 | 0 | ulAttribute, pBuffer); |
1330 | | |
1331 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1332 | 0 | } |
1333 | | |
1334 | | static SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesA(PCtxtHandle phContext, |
1335 | | ULONG ulAttribute, void* pBuffer) |
1336 | 0 | { |
1337 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1338 | |
|
1339 | 0 | if (!context) |
1340 | 0 | return SEC_E_INVALID_HANDLE; |
1341 | | |
1342 | 0 | WINPR_ASSERT(context->mech); |
1343 | 0 | WINPR_ASSERT(context->mech->pkg); |
1344 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1345 | 0 | if (context->mech->pkg->table->QueryContextAttributesA) |
1346 | 0 | return context->mech->pkg->table->QueryContextAttributesA(&context->sub_context, |
1347 | 0 | ulAttribute, pBuffer); |
1348 | | |
1349 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1350 | 0 | } |
1351 | | |
1352 | | static SECURITY_STATUS SEC_ENTRY negotiate_SetContextAttributesW(PCtxtHandle phContext, |
1353 | | ULONG ulAttribute, void* pBuffer, |
1354 | | ULONG cbBuffer) |
1355 | 0 | { |
1356 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1357 | |
|
1358 | 0 | if (!context) |
1359 | 0 | return SEC_E_INVALID_HANDLE; |
1360 | | |
1361 | 0 | WINPR_ASSERT(context->mech); |
1362 | 0 | WINPR_ASSERT(context->mech->pkg); |
1363 | 0 | WINPR_ASSERT(context->mech->pkg->table_w); |
1364 | 0 | if (context->mech->pkg->table_w->SetContextAttributesW) |
1365 | 0 | return context->mech->pkg->table_w->SetContextAttributesW(&context->sub_context, |
1366 | 0 | ulAttribute, pBuffer, cbBuffer); |
1367 | | |
1368 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1369 | 0 | } |
1370 | | |
1371 | | static SECURITY_STATUS SEC_ENTRY negotiate_SetContextAttributesA(PCtxtHandle phContext, |
1372 | | ULONG ulAttribute, void* pBuffer, |
1373 | | ULONG cbBuffer) |
1374 | 0 | { |
1375 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1376 | |
|
1377 | 0 | if (!context) |
1378 | 0 | return SEC_E_INVALID_HANDLE; |
1379 | | |
1380 | 0 | WINPR_ASSERT(context->mech); |
1381 | 0 | WINPR_ASSERT(context->mech->pkg); |
1382 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1383 | 0 | if (context->mech->pkg->table->SetContextAttributesA) |
1384 | 0 | return context->mech->pkg->table->SetContextAttributesA(&context->sub_context, ulAttribute, |
1385 | 0 | pBuffer, cbBuffer); |
1386 | | |
1387 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1388 | 0 | } |
1389 | | |
1390 | | static SECURITY_STATUS SEC_ENTRY negotiate_SetCredentialsAttributesW(PCredHandle phCredential, |
1391 | | ULONG ulAttribute, |
1392 | | void* pBuffer, ULONG cbBuffer) |
1393 | 0 | { |
1394 | 0 | MechCred* creds = NULL; |
1395 | 0 | BOOL success = FALSE; |
1396 | 0 | SECURITY_STATUS secStatus = 0; |
1397 | |
|
1398 | 0 | creds = sspi_SecureHandleGetLowerPointer(phCredential); |
1399 | |
|
1400 | 0 | if (!creds) |
1401 | 0 | return SEC_E_INVALID_HANDLE; |
1402 | | |
1403 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
1404 | 0 | { |
1405 | 0 | MechCred* cred = &creds[i]; |
1406 | |
|
1407 | 0 | WINPR_ASSERT(cred->mech); |
1408 | 0 | WINPR_ASSERT(cred->mech->pkg); |
1409 | 0 | WINPR_ASSERT(cred->mech->pkg->table); |
1410 | 0 | WINPR_ASSERT(cred->mech->pkg->table_w->SetCredentialsAttributesW); |
1411 | 0 | secStatus = cred->mech->pkg->table_w->SetCredentialsAttributesW(&cred->cred, ulAttribute, |
1412 | 0 | pBuffer, cbBuffer); |
1413 | |
|
1414 | 0 | if (secStatus == SEC_E_OK) |
1415 | 0 | { |
1416 | 0 | success = TRUE; |
1417 | 0 | } |
1418 | 0 | } |
1419 | | |
1420 | | // return success if at least one submodule accepts the credential attribute |
1421 | 0 | return (success ? SEC_E_OK : SEC_E_UNSUPPORTED_FUNCTION); |
1422 | 0 | } |
1423 | | |
1424 | | static SECURITY_STATUS SEC_ENTRY negotiate_SetCredentialsAttributesA(PCredHandle phCredential, |
1425 | | ULONG ulAttribute, |
1426 | | void* pBuffer, ULONG cbBuffer) |
1427 | 0 | { |
1428 | 0 | MechCred* creds = NULL; |
1429 | 0 | BOOL success = FALSE; |
1430 | 0 | SECURITY_STATUS secStatus = 0; |
1431 | |
|
1432 | 0 | creds = sspi_SecureHandleGetLowerPointer(phCredential); |
1433 | |
|
1434 | 0 | if (!creds) |
1435 | 0 | return SEC_E_INVALID_HANDLE; |
1436 | | |
1437 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
1438 | 0 | { |
1439 | 0 | MechCred* cred = &creds[i]; |
1440 | |
|
1441 | 0 | if (!cred->valid) |
1442 | 0 | continue; |
1443 | | |
1444 | 0 | WINPR_ASSERT(cred->mech); |
1445 | 0 | WINPR_ASSERT(cred->mech->pkg); |
1446 | 0 | WINPR_ASSERT(cred->mech->pkg->table); |
1447 | 0 | WINPR_ASSERT(cred->mech->pkg->table->SetCredentialsAttributesA); |
1448 | 0 | secStatus = cred->mech->pkg->table->SetCredentialsAttributesA(&cred->cred, ulAttribute, |
1449 | 0 | pBuffer, cbBuffer); |
1450 | |
|
1451 | 0 | if (secStatus == SEC_E_OK) |
1452 | 0 | { |
1453 | 0 | success = TRUE; |
1454 | 0 | } |
1455 | 0 | } |
1456 | | |
1457 | | // return success if at least one submodule accepts the credential attribute |
1458 | 0 | return (success ? SEC_E_OK : SEC_E_UNSUPPORTED_FUNCTION); |
1459 | 0 | } |
1460 | | |
1461 | | static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleW( |
1462 | | SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, |
1463 | | void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential, |
1464 | | PTimeStamp ptsExpiry) |
1465 | 0 | { |
1466 | 0 | BOOL kerberos = FALSE; |
1467 | 0 | BOOL ntlm = FALSE; |
1468 | 0 | BOOL u2u = FALSE; |
1469 | |
|
1470 | 0 | if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u)) |
1471 | 0 | return SEC_E_INTERNAL_ERROR; |
1472 | | |
1473 | 0 | MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred)); |
1474 | |
|
1475 | 0 | if (!creds) |
1476 | 0 | return SEC_E_INTERNAL_ERROR; |
1477 | | |
1478 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
1479 | 0 | { |
1480 | 0 | MechCred* cred = &creds[i]; |
1481 | 0 | const SecPkg* pkg = MechTable[i].pkg; |
1482 | 0 | cred->mech = &MechTable[i]; |
1483 | |
|
1484 | 0 | if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID)) |
1485 | 0 | continue; |
1486 | 0 | if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID)) |
1487 | 0 | continue; |
1488 | 0 | if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0) |
1489 | 0 | continue; |
1490 | | |
1491 | 0 | WINPR_ASSERT(pkg->table_w); |
1492 | 0 | WINPR_ASSERT(pkg->table_w->AcquireCredentialsHandleW); |
1493 | 0 | if (pkg->table_w->AcquireCredentialsHandleW( |
1494 | 0 | pszPrincipal, pszPackage, fCredentialUse, pvLogonID, pAuthData, pGetKeyFn, |
1495 | 0 | pvGetKeyArgument, &cred->cred, ptsExpiry) != SEC_E_OK) |
1496 | 0 | continue; |
1497 | | |
1498 | 0 | cred->valid = TRUE; |
1499 | 0 | } |
1500 | |
|
1501 | 0 | sspi_SecureHandleSetLowerPointer(phCredential, (void*)creds); |
1502 | 0 | sspi_SecureHandleSetUpperPointer(phCredential, (void*)NEGO_SSP_NAME); |
1503 | 0 | return SEC_E_OK; |
1504 | 0 | } |
1505 | | |
1506 | | static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleA( |
1507 | | SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, |
1508 | | void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential, |
1509 | | PTimeStamp ptsExpiry) |
1510 | 0 | { |
1511 | 0 | BOOL kerberos = FALSE; |
1512 | 0 | BOOL ntlm = FALSE; |
1513 | 0 | BOOL u2u = FALSE; |
1514 | |
|
1515 | 0 | if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u)) |
1516 | 0 | return SEC_E_INTERNAL_ERROR; |
1517 | | |
1518 | 0 | MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred)); |
1519 | |
|
1520 | 0 | if (!creds) |
1521 | 0 | return SEC_E_INTERNAL_ERROR; |
1522 | | |
1523 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
1524 | 0 | { |
1525 | 0 | const SecPkg* pkg = MechTable[i].pkg; |
1526 | 0 | MechCred* cred = &creds[i]; |
1527 | |
|
1528 | 0 | cred->mech = &MechTable[i]; |
1529 | |
|
1530 | 0 | if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID)) |
1531 | 0 | continue; |
1532 | 0 | if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID)) |
1533 | 0 | continue; |
1534 | 0 | if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0) |
1535 | 0 | continue; |
1536 | | |
1537 | 0 | WINPR_ASSERT(pkg->table); |
1538 | 0 | WINPR_ASSERT(pkg->table->AcquireCredentialsHandleA); |
1539 | 0 | if (pkg->table->AcquireCredentialsHandleA(pszPrincipal, pszPackage, fCredentialUse, |
1540 | 0 | pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument, |
1541 | 0 | &cred->cred, ptsExpiry) != SEC_E_OK) |
1542 | 0 | continue; |
1543 | | |
1544 | 0 | cred->valid = TRUE; |
1545 | 0 | } |
1546 | |
|
1547 | 0 | sspi_SecureHandleSetLowerPointer(phCredential, (void*)creds); |
1548 | 0 | sspi_SecureHandleSetUpperPointer(phCredential, (void*)NEGO_SSP_NAME); |
1549 | 0 | return SEC_E_OK; |
1550 | 0 | } |
1551 | | |
1552 | | static SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesW( |
1553 | | WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute, |
1554 | | WINPR_ATTR_UNUSED void* pBuffer) |
1555 | 0 | { |
1556 | 0 | WLog_ERR(TAG, "TODO: Implement"); |
1557 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1558 | 0 | } |
1559 | | |
1560 | | static SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesA( |
1561 | | WINPR_ATTR_UNUSED PCredHandle phCredential, WINPR_ATTR_UNUSED ULONG ulAttribute, |
1562 | | WINPR_ATTR_UNUSED void* pBuffer) |
1563 | 0 | { |
1564 | 0 | WLog_ERR(TAG, "TODO: Implement"); |
1565 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1566 | 0 | } |
1567 | | |
1568 | | static SECURITY_STATUS SEC_ENTRY negotiate_FreeCredentialsHandle(PCredHandle phCredential) |
1569 | 0 | { |
1570 | 0 | MechCred* creds = sspi_SecureHandleGetLowerPointer(phCredential); |
1571 | 0 | if (!creds) |
1572 | 0 | return SEC_E_INVALID_HANDLE; |
1573 | | |
1574 | 0 | for (size_t i = 0; i < MECH_COUNT; i++) |
1575 | 0 | { |
1576 | 0 | MechCred* cred = &creds[i]; |
1577 | |
|
1578 | 0 | WINPR_ASSERT(cred->mech); |
1579 | 0 | WINPR_ASSERT(cred->mech->pkg); |
1580 | 0 | WINPR_ASSERT(cred->mech->pkg->table); |
1581 | 0 | WINPR_ASSERT(cred->mech->pkg->table->FreeCredentialsHandle); |
1582 | 0 | cred->mech->pkg->table->FreeCredentialsHandle(&cred->cred); |
1583 | 0 | } |
1584 | 0 | free(creds); |
1585 | |
|
1586 | 0 | return SEC_E_OK; |
1587 | 0 | } |
1588 | | |
1589 | | static SECURITY_STATUS SEC_ENTRY negotiate_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, |
1590 | | PSecBufferDesc pMessage, |
1591 | | ULONG MessageSeqNo) |
1592 | 0 | { |
1593 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1594 | |
|
1595 | 0 | if (!context) |
1596 | 0 | return SEC_E_INVALID_HANDLE; |
1597 | | |
1598 | 0 | if (context->mic) |
1599 | 0 | MessageSeqNo++; |
1600 | |
|
1601 | 0 | WINPR_ASSERT(context->mech); |
1602 | 0 | WINPR_ASSERT(context->mech->pkg); |
1603 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1604 | 0 | if (context->mech->pkg->table->EncryptMessage) |
1605 | 0 | return context->mech->pkg->table->EncryptMessage(&context->sub_context, fQOP, pMessage, |
1606 | 0 | MessageSeqNo); |
1607 | | |
1608 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1609 | 0 | } |
1610 | | |
1611 | | static SECURITY_STATUS SEC_ENTRY negotiate_DecryptMessage(PCtxtHandle phContext, |
1612 | | PSecBufferDesc pMessage, |
1613 | | ULONG MessageSeqNo, ULONG* pfQOP) |
1614 | 0 | { |
1615 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1616 | |
|
1617 | 0 | if (!context) |
1618 | 0 | return SEC_E_INVALID_HANDLE; |
1619 | | |
1620 | 0 | if (context->mic) |
1621 | 0 | MessageSeqNo++; |
1622 | |
|
1623 | 0 | WINPR_ASSERT(context->mech); |
1624 | 0 | WINPR_ASSERT(context->mech->pkg); |
1625 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1626 | 0 | if (context->mech->pkg->table->DecryptMessage) |
1627 | 0 | return context->mech->pkg->table->DecryptMessage(&context->sub_context, pMessage, |
1628 | 0 | MessageSeqNo, pfQOP); |
1629 | | |
1630 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1631 | 0 | } |
1632 | | |
1633 | | static SECURITY_STATUS SEC_ENTRY negotiate_MakeSignature(PCtxtHandle phContext, ULONG fQOP, |
1634 | | PSecBufferDesc pMessage, |
1635 | | ULONG MessageSeqNo) |
1636 | 0 | { |
1637 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1638 | |
|
1639 | 0 | if (!context) |
1640 | 0 | return SEC_E_INVALID_HANDLE; |
1641 | | |
1642 | 0 | if (context->mic) |
1643 | 0 | MessageSeqNo++; |
1644 | |
|
1645 | 0 | WINPR_ASSERT(context->mech); |
1646 | 0 | WINPR_ASSERT(context->mech->pkg); |
1647 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1648 | 0 | if (context->mech->pkg->table->MakeSignature) |
1649 | 0 | return context->mech->pkg->table->MakeSignature(&context->sub_context, fQOP, pMessage, |
1650 | 0 | MessageSeqNo); |
1651 | | |
1652 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1653 | 0 | } |
1654 | | |
1655 | | static SECURITY_STATUS SEC_ENTRY negotiate_VerifySignature(PCtxtHandle phContext, |
1656 | | PSecBufferDesc pMessage, |
1657 | | ULONG MessageSeqNo, ULONG* pfQOP) |
1658 | 0 | { |
1659 | 0 | NEGOTIATE_CONTEXT* context = (NEGOTIATE_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); |
1660 | |
|
1661 | 0 | if (!context) |
1662 | 0 | return SEC_E_INVALID_HANDLE; |
1663 | | |
1664 | 0 | if (context->mic) |
1665 | 0 | MessageSeqNo++; |
1666 | |
|
1667 | 0 | WINPR_ASSERT(context->mech); |
1668 | 0 | WINPR_ASSERT(context->mech->pkg); |
1669 | 0 | WINPR_ASSERT(context->mech->pkg->table); |
1670 | 0 | if (context->mech->pkg->table->VerifySignature) |
1671 | 0 | return context->mech->pkg->table->VerifySignature(&context->sub_context, pMessage, |
1672 | 0 | MessageSeqNo, pfQOP); |
1673 | | |
1674 | 0 | return SEC_E_UNSUPPORTED_FUNCTION; |
1675 | 0 | } |
1676 | | |
1677 | | const SecurityFunctionTableA NEGOTIATE_SecurityFunctionTableA = { |
1678 | | 3, /* dwVersion */ |
1679 | | NULL, /* EnumerateSecurityPackages */ |
1680 | | negotiate_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */ |
1681 | | negotiate_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */ |
1682 | | negotiate_FreeCredentialsHandle, /* FreeCredentialsHandle */ |
1683 | | NULL, /* Reserved2 */ |
1684 | | negotiate_InitializeSecurityContextA, /* InitializeSecurityContext */ |
1685 | | negotiate_AcceptSecurityContext, /* AcceptSecurityContext */ |
1686 | | negotiate_CompleteAuthToken, /* CompleteAuthToken */ |
1687 | | negotiate_DeleteSecurityContext, /* DeleteSecurityContext */ |
1688 | | NULL, /* ApplyControlToken */ |
1689 | | negotiate_QueryContextAttributesA, /* QueryContextAttributes */ |
1690 | | negotiate_ImpersonateSecurityContext, /* ImpersonateSecurityContext */ |
1691 | | negotiate_RevertSecurityContext, /* RevertSecurityContext */ |
1692 | | negotiate_MakeSignature, /* MakeSignature */ |
1693 | | negotiate_VerifySignature, /* VerifySignature */ |
1694 | | NULL, /* FreeContextBuffer */ |
1695 | | NULL, /* QuerySecurityPackageInfo */ |
1696 | | NULL, /* Reserved3 */ |
1697 | | NULL, /* Reserved4 */ |
1698 | | NULL, /* ExportSecurityContext */ |
1699 | | NULL, /* ImportSecurityContext */ |
1700 | | NULL, /* AddCredentials */ |
1701 | | NULL, /* Reserved8 */ |
1702 | | NULL, /* QuerySecurityContextToken */ |
1703 | | negotiate_EncryptMessage, /* EncryptMessage */ |
1704 | | negotiate_DecryptMessage, /* DecryptMessage */ |
1705 | | negotiate_SetContextAttributesA, /* SetContextAttributes */ |
1706 | | negotiate_SetCredentialsAttributesA, /* SetCredentialsAttributes */ |
1707 | | }; |
1708 | | |
1709 | | const SecurityFunctionTableW NEGOTIATE_SecurityFunctionTableW = { |
1710 | | 3, /* dwVersion */ |
1711 | | NULL, /* EnumerateSecurityPackages */ |
1712 | | negotiate_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */ |
1713 | | negotiate_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */ |
1714 | | negotiate_FreeCredentialsHandle, /* FreeCredentialsHandle */ |
1715 | | NULL, /* Reserved2 */ |
1716 | | negotiate_InitializeSecurityContextW, /* InitializeSecurityContext */ |
1717 | | negotiate_AcceptSecurityContext, /* AcceptSecurityContext */ |
1718 | | negotiate_CompleteAuthToken, /* CompleteAuthToken */ |
1719 | | negotiate_DeleteSecurityContext, /* DeleteSecurityContext */ |
1720 | | NULL, /* ApplyControlToken */ |
1721 | | negotiate_QueryContextAttributesW, /* QueryContextAttributes */ |
1722 | | negotiate_ImpersonateSecurityContext, /* ImpersonateSecurityContext */ |
1723 | | negotiate_RevertSecurityContext, /* RevertSecurityContext */ |
1724 | | negotiate_MakeSignature, /* MakeSignature */ |
1725 | | negotiate_VerifySignature, /* VerifySignature */ |
1726 | | NULL, /* FreeContextBuffer */ |
1727 | | NULL, /* QuerySecurityPackageInfo */ |
1728 | | NULL, /* Reserved3 */ |
1729 | | NULL, /* Reserved4 */ |
1730 | | NULL, /* ExportSecurityContext */ |
1731 | | NULL, /* ImportSecurityContext */ |
1732 | | NULL, /* AddCredentials */ |
1733 | | NULL, /* Reserved8 */ |
1734 | | NULL, /* QuerySecurityContextToken */ |
1735 | | negotiate_EncryptMessage, /* EncryptMessage */ |
1736 | | negotiate_DecryptMessage, /* DecryptMessage */ |
1737 | | negotiate_SetContextAttributesW, /* SetContextAttributes */ |
1738 | | negotiate_SetCredentialsAttributesW, /* SetCredentialsAttributes */ |
1739 | | }; |
1740 | | |
1741 | | BOOL NEGOTIATE_init(void) |
1742 | 0 | { |
1743 | 0 | InitializeConstWCharFromUtf8(NEGOTIATE_SecPkgInfoA.Name, NEGOTIATE_SecPkgInfoW_NameBuffer, |
1744 | 0 | ARRAYSIZE(NEGOTIATE_SecPkgInfoW_NameBuffer)); |
1745 | 0 | InitializeConstWCharFromUtf8(NEGOTIATE_SecPkgInfoA.Comment, NEGOTIATE_SecPkgInfoW_CommentBuffer, |
1746 | 0 | ARRAYSIZE(NEGOTIATE_SecPkgInfoW_CommentBuffer)); |
1747 | |
|
1748 | 0 | return TRUE; |
1749 | 0 | } |