Fixed SSPI fallback to NTLM (#7642)

* Fixed SSPI fallback to NTLM

* Fixed wide/ansi mixup

* WITH_GSS fixes

* Move to WinPR as this is not related to FreeRDP
* Add option WITH_GSS_NO_NTLM_FALLBACK to disable NTLM fallback

* Abort NLA if status is SEC_E_NO_CREDENTIALS

* Properly invalidate sspi::SubContext
akallabeth 2022-02-15 08:04:17 +00:00 committed by GitHub
parent 8cc6582044
commit 2d2627deab
6 changed files with 51 additions and 36 deletions


@ -811,23 +811,6 @@ if (WITH_OPENH264 AND NOT OPENH264_FOUND)
endif()
set(WITH_OPENH264 ${OPENH264_FOUND})
if ( (WITH_GSSAPI) AND (NOT GSS_FOUND))
message(WARNING "-DWITH_GSSAPI=ON is set, but not GSSAPI implementation was found, disabling")
elseif(WITH_GSSAPI)
if(GSS_FLAVOUR STREQUAL "MIT")
add_definitions("-DWITH_GSSAPI -DWITH_GSSAPI_MIT")
if(GSS_VERSION_1_13)
add_definitions("-DHAVE_AT_LEAST_KRB_V1_13")
endif()
include_directories(${_GSS_INCLUDE_DIR})
elseif(GSS_FLAVOUR STREQUAL "Heimdal")
add_definitions("-DWITH_GSSAPI -DWITH_GSSAPI_HEIMDAL")
include_directories(${_GSS_INCLUDE_DIR})
else()
message(WARNING "Kerberos version not detected")
endif()
endif()
if(TARGET_ARCH MATCHES "x86|x64")
if (NOT APPLE)
# Intel Performance Primitives


@ -149,7 +149,6 @@ option(WITH_DEBUG_RINGBUFFER "Enable Ringbuffer debug messages" ${DEFAULT_DEBUG_
option(WITH_DEBUG_SYMBOLS "Pack debug symbols to installer" OFF)
option(WITH_CCACHE "Use ccache support if available" ON)
option(WITH_CLANG_FORMAT "Detect clang-format. run 'cmake --build . --target clangformat' to format." ON)
option(WITH_GSSAPI "Compile support for kerberos authentication. (EXPERIMENTAL)" OFF)
option(WITH_DSP_EXPERIMENTAL "Enable experimental sound encoder/decoder formats" OFF)
if (WITH_FFMPEG)


@ -147,10 +147,6 @@ endif()
freerdp_library_add(${OPENSSL_LIBRARIES})
if(WITH_GSSAPI)
freerdp_library_add(${GSS_LIBRARIES})
endif()
if(BUILD_TESTING)
add_subdirectory(test)
endif()


@ -786,10 +786,11 @@ int nla_client_begin(rdpNla* nla)
goto fail;
nla_set_state(nla, NLA_STATE_NEGO_TOKEN);
break;
case SEC_E_NO_CREDENTIALS:
case SEC_I_INCOMPLETE_CREDENTIALS:
case SEC_E_INCOMPLETE_MESSAGE:
default:
break;
goto fail;
}
rc = 1;
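Review bot: The new `case SEC_E_NO_CREDENTIALS:` shares its fall-through with SEC_I_INCOMPLETE_CREDENTIALS, SEC_E_INCOMPLETE_MESSAGE and `default:`, so if `goto fail;` is the replacement for the old `break;` (this rendered page has lost the +/- markers) every one of those statuses now aborts the NLA handshake, not only the no-credentials case the commit message names; SEC_E_INCOMPLETE_MESSAGE in particular is the SSPI status for "more input needed", not a failure. Give the new case its own arm with a log line that names the status, e.g. `case SEC_E_NO_CREDENTIALS:` / `WLog_ERR(TAG, "InitializeSecurityContext returned SEC_E_NO_CREDENTIALS, no credentials for the negotiated package");` / `goto fail;`, and keep `break;` for the remaining labels if that was the previous behaviour. Without such a message a build with WITH_GSS_NO_NTLM_FALLBACK (presumably the only configuration in which this status reaches NLA, since the fallback otherwise retries with NTLM inside the negotiate package) fails with no indication of why. nla_client_begin and its `fail` label both lie outside the hunk.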


@ -48,6 +48,29 @@ option(WITH_NATIVE_SSPI "Use native SSPI modules" ${NATIVE_SSPI})
option(WITH_SMARTCARD_INSPECT "Enable SmartCard API Inspector" OFF)
option(WITH_DEBUG_MUTEX "Print mutex debug messages" ${DEFAULT_DEBUG_OPTION})
option(WITH_ICU "Use ICU for unicode conversion" OFF)
option(WITH_GSSAPI "Compile support for kerberos authentication. (EXPERIMENTAL)" OFF)
if ( (WITH_GSSAPI) AND (NOT GSS_FOUND))
message(WARNING "-DWITH_GSSAPI=ON is set, but not GSSAPI implementation was found, disabling")
elseif(WITH_GSSAPI)
if(GSS_FLAVOUR STREQUAL "MIT")
add_definitions("-DWITH_GSSAPI -DWITH_GSSAPI_MIT")
if(GSS_VERSION_1_13)
add_definitions("-DHAVE_AT_LEAST_KRB_V1_13")
endif()
include_directories(${_GSS_INCLUDE_DIR})
elseif(GSS_FLAVOUR STREQUAL "Heimdal")
add_definitions("-DWITH_GSSAPI -DWITH_GSSAPI_HEIMDAL")
include_directories(${_GSS_INCLUDE_DIR})
else()
message(WARNING "Kerberos version not detected")
endif()
endif()
include(CMakeDependentOption)
CMAKE_DEPENDENT_OPTION(WITH_GSS_NO_NTLM_FALLBACK "Do not fall back to NTLM if no kerberos ticket available" OFF "WITH_GSSAPI" OFF)
if (WITH_GSS_NO_NTLM_FALLBACK)
add_definitions("-DWITH_GSS_NO_NTLM_FALLBACK")
endif()
option(WITH_DEBUG_NTLM "Print NTLM debug messages" ${DEFAULT_DEBUG_OPTION})
if(WITH_DEBUG_NTLM)
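Review bot: CMAKE_DEPENDENT_OPTION leaves WITH_GSS_NO_NTLM_FALLBACK OFF by default, so a default WITH_GSSAPI build silently downgrades from Kerberos to NTLM whenever no ticket is available, and the option description does not tell whoever configures the build that this is a protocol downgrade; make it say so, e.g. `"Fail authentication instead of silently downgrading from Kerberos to NTLM when no ticket is available"`, and consider whether ON is the safer default. The block moved in above it warns "-DWITH_GSSAPI=ON is set, but not GSSAPI implementation was found, disabling" without disabling anything: WITH_GSSAPI stays ON, so the dependent option is still offered and `-DWITH_GSS_NO_NTLM_FALLBACK` is still defined although no GSS code is compiled in. Add `set(WITH_GSSAPI OFF)` after that warning, as the top-level CMakeLists.txt does with `set(WITH_OPENH264 ${OPENH264_FOUND})`, and fix the wording to "no GSSAPI implementation was found".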


@ -25,6 +25,7 @@
#include <winpr/crt.h>
#include <winpr/sspi.h>
#include <winpr/tchar.h>
#include <winpr/assert.h>
#include "negotiate.h"
@ -70,16 +71,19 @@ const SecPkgInfoW NEGOTIATE_SecPkgInfoW = {
static void negotiate_SetSubPackage(NEGOTIATE_CONTEXT* context, const TCHAR* name)
{
WINPR_ASSERT(context);
WINPR_ASSERT(name);
if (_tcsnccmp(name, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0)
{
context->sspiA = (const SecurityFunctionTableA*)&KERBEROS_SecurityFunctionTableA;
context->sspiW = (const SecurityFunctionTableW*)&KERBEROS_SecurityFunctionTableW;
context->sspiA = &KERBEROS_SecurityFunctionTableA;
context->sspiW = &KERBEROS_SecurityFunctionTableW;
context->kerberos = TRUE;
}
else
{
context->sspiA = (const SecurityFunctionTableA*)&NTLM_SecurityFunctionTableA;
context->sspiW = (const SecurityFunctionTableW*)&NTLM_SecurityFunctionTableW;
context->sspiA = &NTLM_SecurityFunctionTableA;
context->sspiW = &NTLM_SecurityFunctionTableW;
context->kerberos = FALSE;
}
}
@ -129,6 +133,8 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(
{
if (!pInput)
{
context->sspiW->DeleteSecurityContext(&(context->SubContext));
SecInvalidateHandle(&context->SubContext);
negotiate_SetSubPackage(context, KERBEROS_SSP_NAME);
}
@ -137,20 +143,23 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(
TargetDataRep, pInput, Reserved2, &(context->SubContext), pOutput, pfContextAttr,
ptsExpiry);
#if !defined(WITH_GSS_NO_NTLM_FALLBACK)
if (status == SEC_E_NO_CREDENTIALS)
{
WLog_WARN(TAG, "No Kerberos credentials. Retry with NTLM");
ErrorInitContextKerberos = TRUE;
context->sspiA->DeleteSecurityContext(&(context->SubContext));
negotiate_ContextFree(context);
return status;
context->sspiW->DeleteSecurityContext(&(context->SubContext));
SecInvalidateHandle(&context->SubContext);
}
#endif
}
else
if (ErrorInitContextKerberos)
{
if (!pInput)
{
context->sspiA->DeleteSecurityContext(&(context->SubContext));
context->sspiW->DeleteSecurityContext(&(context->SubContext));
SecInvalidateHandle(&context->SubContext);
negotiate_SetSubPackage(context, NTLM_SSP_NAME);
}
@ -188,6 +197,8 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(
{
if (!pInput)
{
context->sspiA->DeleteSecurityContext(&(context->SubContext));
SecInvalidateHandle(&context->SubContext);
negotiate_SetSubPackage(context, KERBEROS_SSP_NAME);
}
@ -196,21 +207,23 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(
TargetDataRep, pInput, Reserved2, &(context->SubContext), pOutput, pfContextAttr,
ptsExpiry);
#if !defined(WITH_GSS_NO_NTLM_FALLBACK)
if (status == SEC_E_NO_CREDENTIALS)
{
WLog_WARN(TAG, "No Kerberos credentials. Retry with NTLM");
ErrorInitContextKerberos = TRUE;
context->sspiA->DeleteSecurityContext(&(context->SubContext));
negotiate_ContextFree(context);
sspi_SecureHandleSetLowerPointer(phNewContext, NULL);
return status;
SecInvalidateHandle(&context->SubContext);
}
#endif
}
else
if (ErrorInitContextKerberos)
{
if (!pInput)
{
context->sspiA->DeleteSecurityContext(&(context->SubContext));
SecInvalidateHandle(&context->SubContext);
negotiate_SetSubPackage(context, NTLM_SSP_NAME);
}