diff --git a/winpr/sspi/CMakeLists.txt b/winpr/sspi/CMakeLists.txt index 442894b23..a26426c40 100644 --- a/winpr/sspi/CMakeLists.txt +++ b/winpr/sspi/CMakeLists.txt @@ -27,16 +27,6 @@ set(WINPR_SSPI_NTLM_SRCS NTLM/ntlm.c NTLM/ntlm.h) -set(WINPR_SSPI_KERBEROS_SRCS - Kerberos/kerberos_crypto.c - Kerberos/kerberos_crypto.h - Kerberos/kerberos_decode.c - Kerberos/kerberos_decode.h - Kerberos/kerberos_encode.c - Kerberos/kerberos_encode.h - Kerberos/kerberos.c - Kerberos/kerberos.h) - set(WINPR_SSPI_NEGOTIATE_SRCS Negotiate/negotiate.c Negotiate/negotiate.h) diff --git a/winpr/sspi/Kerberos/kerberos.c b/winpr/sspi/Kerberos/kerberos.c deleted file mode 100644 index fe5fe0515..000000000 --- a/winpr/sspi/Kerberos/kerberos.c +++ /dev/null @@ -1,1320 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include -#include -#include -#include -#include - -#ifndef _WIN32 -#include -#include -#include -#include -#include -#include -#endif - -#include "kerberos.h" -#include "kerberos_crypto.h" -#include "kerberos_encode.h" -#include "kerberos_decode.h" - -#include -#include - -#include -#include -#include -#include -#include -#include - -#include "../sspi.h" - -char* KRB_PACKAGE_NAME = "Kerberos"; - -boolean tcp_is_ipaddr(const char* hostname) -{ - char* s; - BYTE dotcnt, digcnt; - char val; - s = (char*)hostname; - dotcnt = digcnt = 0; - while((s - hostname) < 15 && (*s != '\0')) - { - val = *s; - if(!isdigit(val) && (val != '.')) - return false; - if(val == '.') - if((digcnt == 0) && (dotcnt == 0)) - return false; - else - { - if(dotcnt >= 3) - return false; - dotcnt++; - digcnt = 0; - } - else - if(digcnt >= 3) - return false; - else - digcnt++; - s++; - } - if((*s != '\0') || (dotcnt < 3) || (digcnt == 0)) - return false; - return true; -} - -char* get_utc_time(time_t t) -{ - char* str; - struct tm* utc; - - if (t == 0) - t = time(NULL); - - utc = gmtime(&t); - str = (char*) xzalloc(16); - strftime(str, 16, "%Y%m%d%H%M%SZ", utc); - - return str; -} - -time_t get_local_time(char* str) -{ - return freerdp_get_unix_time_from_generalized_time(str); -} - -time_t get_clock_skew(char* str) -{ - time_t ctime; - ctime = time(NULL); - return (get_local_time(str) - ctime); -} - -char* get_dns_queryname(char *host, char* protocol) -{ - char* qname; - UINT32 buflen; - buflen = 0; - - if(protocol) - buflen = strlen(protocol); - - buflen += strlen(host)+strlen(SERVICE)+1; - qname = (char*)xzalloc(buflen); - strcat(qname, SERVICE); - - if(protocol) - strcat(qname, protocol); - - strcat(qname, host); - - return qname; -} - -int get_krb_realm(rdpSettings* settings) -{ -#ifdef WITH_RESOLV - char* s; - char* queryname; - int reslen; - unsigned char response[2048]; - char ns_realm[2048]; - ns_msg handle; - ns_rr rr; - s = settings->hostname; - if (settings->kerberos_realm) - return 0; - do - { - queryname = get_dns_queryname(s, NULL); - - if ((reslen = res_query(queryname, ns_c_in, ns_t_txt, response, sizeof(response)))) - { - ns_initparse(response, reslen, &handle); - ns_parserr(&handle, ns_s_an, 0, &rr); - if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle), ns_rr_rdata(rr), (char*)ns_realm, sizeof(ns_realm)) < 0) - goto end; - else - settings->kerberos_realm = xstrdup(ns_realm); - free(queryname); - return 0; - } - - end: - free(queryname); - for (;*s != '.' && *s != '\0';s++); - if (*s != '\0') - s++; - } - while (*s != '\0'); - s = settings->hostname; - for (;*s != '.';s++); - s++; - settings->kerberos_realm = xstrdup(s); -#endif - - return 0; -} - -KDCENTRY* krb_locate_kdc(rdpSettings* settings) -{ -#ifdef WITH_RESOLV - char *qname; - int reslen, i; - unsigned char response[4096]; - char kdc_host[4096]; - unsigned char* temp; - KDCENTRY* head; - KDCENTRY* kdcentry; - KDCENTRY* srvans; - ns_msg handle; - ns_rr rr; - head = kdcentry = NULL; - if (get_krb_realm(settings)) - return NULL; - if (settings->kerberos_kdc) - { - srvans = xnew(KDCENTRY); - srvans->kdchost = xstrdup(settings->kerberos_kdc); - srvans->port = 88; - return srvans; - } - qname = get_dns_queryname(settings->kerberos_realm, "_tcp."); - - if ((reslen = res_query(qname, ns_c_in, ns_t_srv, response, sizeof(response))) < 0) - return NULL; - - ns_initparse(response, reslen, &handle); - - for (i = 0;i < ns_msg_count(handle, ns_s_an);i++) - { - ns_parserr(&handle, ns_s_an, i, &rr); - srvans = xnew(KDCENTRY); - temp = (unsigned char*)ns_rr_rdata(rr); - GETUINT16(temp, &(srvans->priority)); - GETUINT16(temp, &(srvans->weight)); - GETUINT16(temp, &(srvans->port)); - if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle), temp, (char*)kdc_host, sizeof(kdc_host)) < 0) - srvans->kdchost = xstrdup((const char*)temp); - else - srvans->kdchost = xstrdup(kdc_host); - if (head == NULL || head->priority > srvans->priority) - { - srvans->next = head; - head = srvans; - } - else - { - for (kdcentry = head;kdcentry->next != NULL && kdcentry->next->priority < srvans->priority;kdcentry = kdcentry->next); - srvans->next = kdcentry->next; - kdcentry->next = srvans; - } - } - - return head; -#else - return NULL; -#endif -} - -int krb_tcp_connect(KRB_CONTEXT* krb_ctx, KDCENTRY* entry) -{ - int sockfd; - - sockfd = freerdp_tcp_connect(entry->kdchost, entry->port); - - if (sockfd == -1) - return -1; - - krb_ctx->krbhost = xstrdup(entry->kdchost); - krb_ctx->krbport = entry->port; - krb_ctx->ksockfd = sockfd; - - return 0; -} - -int kerberos_tcp_recv(KRB_CONTEXT* krb_ctx, BYTE* data, UINT32 length) -{ - return freerdp_tcp_read(krb_ctx->ksockfd, data, length); -} - -int krb_tcp_send(KRB_CONTEXT* krb_ctx, BYTE* data, UINT32 length) -{ - return freerdp_tcp_write(krb_ctx->ksockfd, data, length); -} - -KRB_CONTEXT* kerberos_ContextNew() -{ - KRB_CONTEXT* context; - - context = (KRB_CONTEXT*) calloc(1, sizeof(KRB_CONTEXT)); - - if (context != NULL) - { - context->enctype = ETYPE_RC4_HMAC; - context->state = KRB_STATE_INITIAL; - } - - return context; -} - -void kerberos_ContextFree(KRB_CONTEXT* krb_ctx) -{ - if (krb_ctx != NULL) - { - free(krb_ctx->krbhost); - free(krb_ctx->cname); - free(krb_ctx->realm); - freerdp_blob_free(&(krb_ctx->passwd)); - - if (krb_ctx->askey != NULL) - { - freerdp_blob_free(&(krb_ctx->askey->skey)); - free(krb_ctx->askey); - } - - if (krb_ctx->tgskey != NULL) - { - freerdp_blob_free(&(krb_ctx->tgskey->skey)); - free(krb_ctx->tgskey); - } - - kerberos_free_ticket(&(krb_ctx->asticket)); - kerberos_free_ticket(&(krb_ctx->tgsticket)); - krb_ctx->state = KRB_STATE_FINAL; - } -} - -SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, - ULONG fCredentialUse, PLUID pvLogonID, void* pAuthData, void* pGetKeyFn, - void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, - ULONG fCredentialUse, PLUID pvLogonID, void* pAuthData, void* pGetKeyFn, - void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) -{ - CREDENTIALS* credentials; - SEC_WINNT_AUTH_IDENTITY* identity; - - if (fCredentialUse == SECPKG_CRED_OUTBOUND) - { - credentials = sspi_CredentialsNew(); - identity = (SEC_WINNT_AUTH_IDENTITY*) pAuthData; - - memcpy(&(credentials->identity), identity, sizeof(SEC_WINNT_AUTH_IDENTITY)); - - sspi_SecureHandleSetLowerPointer(phCredential, (void*) credentials); - sspi_SecureHandleSetUpperPointer(phCredential, (void*) KRB_PACKAGE_NAME); - - return SEC_E_OK; - } - - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential) -{ - CREDENTIALS* credentials; - - if (!phCredential) - return SEC_E_INVALID_HANDLE; - - credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential); - - if (!credentials) - return SEC_E_INVALID_HANDLE; - - sspi_CredentialsFree(credentials); - - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) -{ - if (ulAttribute == SECPKG_CRED_ATTR_NAMES) - { - CREDENTIALS* credentials; - //SecPkgCredentials_Names* credential_names = (SecPkgCredentials_Names*) pBuffer; - - credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential); - - //if (credentials->identity.Flags == SEC_WINNT_AUTH_IDENTITY_ANSI) - // credential_names->sUserName = xstrdup((char*) credentials->identity.User); - - return SEC_E_OK; - } - - return SEC_E_UNSUPPORTED_FUNCTION; -} - -void krb_SetContextIdentity(KRB_CONTEXT* context, SEC_WINNT_AUTH_IDENTITY* identity) -{ - context->identity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; - - if (identity->Flags == SEC_WINNT_AUTH_IDENTITY_ANSI) - { - context->identity.UserLength = strlen((char*) identity->User) * 2; - context->identity.User = (UINT16*) malloc(context->identity.UserLength); - MultiByteToWideChar(CP_ACP, 0, (char*) identity->User, strlen((char*) identity->User), - (LPWSTR) context->identity.User, context->identity.UserLength / 2); - - if (identity->DomainLength > 0) - { - context->identity.DomainLength = strlen((char*) identity->Domain) * 2; - context->identity.Domain = (UINT16*) malloc(context->identity.DomainLength); - MultiByteToWideChar(CP_ACP, 0, (char*) identity->Domain, strlen((char*) identity->Domain), - (LPWSTR) context->identity.Domain, context->identity.DomainLength / 2); - } - else - { - context->identity.Domain = (UINT16*) NULL; - context->identity.DomainLength = 0; - } - - context->identity.PasswordLength = strlen((char*) identity->Password) * 2; - context->identity.Password = (UINT16*) malloc(context->identity.PasswordLength); - MultiByteToWideChar(CP_ACP, 0, (char*) identity->Password, strlen((char*) identity->Password), - (LPWSTR) context->identity.Password, context->identity.PasswordLength / 2); - } - else - { - context->identity.User = (UINT16*) malloc(identity->UserLength); - memcpy(context->identity.User, identity->User, identity->UserLength); - context->identity.UserLength = identity->UserLength; - - if (identity->DomainLength > 0) - { - context->identity.Domain = (UINT16*) malloc(identity->DomainLength); - memcpy(context->identity.Domain, identity->Domain, identity->DomainLength); - context->identity.DomainLength = identity->DomainLength; - } - else - { - context->identity.Domain = (UINT16*) NULL; - context->identity.DomainLength = 0; - } - - context->identity.Password = (UINT16*) malloc(identity->PasswordLength); - memcpy(context->identity.Password, identity->Password, identity->PasswordLength); - context->identity.PasswordLength = identity->PasswordLength; - } -} - -SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext, - SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, - PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, - PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext, - SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, - PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, - PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry) -{ - KRB_CONTEXT* krb_ctx; - //SECURITY_STATUS status; - //CREDENTIALS* credentials; - //PSecBuffer input_SecBuffer; - //PSecBuffer output_SecBuffer; - int errcode; - errcode = 0; - - krb_ctx = (KRB_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext); - - if (!krb_ctx) - return SEC_E_INVALID_HANDLE; - else - { - while(true) - { - switch(krb_ctx->state) - { - case KRB_PACKET_ERROR: - kerberos_ContextFree(krb_ctx); - return SEC_E_INVALID_HANDLE; - break; - case KRB_STATE_INITIAL: - case KRB_ASREP_ERR: - kerberos_asreq_send(krb_ctx, errcode); - break; - case KRB_ASREQ_OK: - errcode = kerberos_asrep_recv(krb_ctx); - break; - case KRB_ASREP_OK: - kerberos_tgsreq_send(krb_ctx, 0); - break; - case KRB_TGSREQ_OK: - kerberos_tgsrep_recv(krb_ctx); - break; - case KRB_TGSREP_OK: - return SEC_I_COMPLETE_AND_CONTINUE; - break; - default: - printf("not implemented\n"); - return -1; - } - } - } -} - -PCtxtHandle krbctx_client_init(rdpSettings* settings, SEC_WINNT_AUTH_IDENTITY* identity) -{ - SECURITY_STATUS status; - KDCENTRY* kdclist; - KDCENTRY* entry; - KRB_CONTEXT* krb_ctx; - ULONG fContextReq; - ULONG pfContextAttr; - TimeStamp expiration; - - if (tcp_is_ipaddr(settings->hostname)) - return NULL; - - kdclist = krb_locate_kdc(settings); - - /* start the state machine with initialized to zero */ - krb_ctx = kerberos_ContextNew(); - - for (entry = kdclist;entry != NULL; entry = entry->next) - { - if(!krb_tcp_connect(krb_ctx, entry)) - break; - } - - if (entry == NULL) - { - free(krb_ctx); - return NULL; - } - - krb_SetContextIdentity(krb_ctx, identity); - krb_ctx->realm = xstrtoup(settings->kerberos_realm); - krb_ctx->cname = xstrdup((char*)krb_ctx->identity.User); - krb_ctx->settings = settings; - - krb_ctx->passwd.length = strlen((char*) krb_ctx->identity.Password) * 2; - krb_ctx->passwd.data = (uint16*) malloc(krb_ctx->passwd.length); - MultiByteToWideChar(CP_ACP, 0, (char*) krb_ctx->identity.Password, strlen((char*) krb_ctx->identity.Password), - (LPWSTR) krb_ctx->passwd.data, krb_ctx->passwd.length / 2); - - fContextReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | - ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE; - - sspi_SecureHandleSetLowerPointer(&krb_ctx->context, krb_ctx); - sspi_SecureHandleSetUpperPointer(&krb_ctx->context, (void*) KRB_PACKAGE_NAME); - - status = kerberos_InitializeSecurityContextA(NULL, &krb_ctx->context, NULL, - fContextReq, 0, SECURITY_NATIVE_DREP, NULL, 0, &krb_ctx->context, NULL, &pfContextAttr, &expiration); - - if (status == SEC_E_INVALID_HANDLE) - { - printf("failed to init kerberos\n"); - return NULL; - } - else if (status == SEC_I_COMPLETE_AND_CONTINUE) - { - printf("successfully obtained ticket for TERMSRV\n"); - return &krb_ctx->context; - } - else if (status == -1) - { - printf("deadend \n "); - return NULL; - } - else - { - printf("shit got wrong in state machine\n"); - return NULL; - } -} - -void kerberos_asreq_send(KRB_CONTEXT* context, BYTE errcode) -{ - KrbASREQ* krb_asreq; - PAData** pa_data; - KrbENCData enc_data; - KrbENCKey* enckey; - STREAM* s; - STREAM* paenc; - rdpBlob msg; - rdpBlob* encmsg; - UINT32 curlen, totlen, pai; - BYTE *bm; - bm = NULL; - totlen = pai = 0; - krb_asreq = kerberos_asreq_new(context, errcode); - pa_data = krb_asreq->padata; - enckey = NULL; - s = stream_new(2048); - paenc = stream_new(100); - - //Begin write asn1 data reversely into stream - stream_seek(s, 1024); - stream_seek(paenc, 99); - - /* KDC-REQ-BODY (TAG 4) */ - totlen += kerberos_encode_req_body(s, &(krb_asreq->req_body), krb_asreq->type); - totlen += kerberos_encode_contextual_tag(s, 4, totlen); - - /* padata = PA-ENC-TIMESTAMP */ - if (errcode != 0) - { - freerdp_blob_alloc(&msg, 21); - memcpy(msg.data, "\x30\x13\xa0\x11\x18\x0f", 6); // PA-ENC-TS-ENC without optional pausec - memcpy(((BYTE*) msg.data) + 6, krb_asreq->req_body.from, 15); - enckey = string2key(&(context->passwd), context->enctype); - encmsg = crypto_kdcmsg_encrypt(&msg, enckey, 1); //RFC4757 section 3 for msgtype (T=1) - enc_data.enctype = enckey->enctype; - enc_data.kvno = -1; - enc_data.encblob.data = encmsg->data; - enc_data.encblob.length = encmsg->length; - curlen = kerberos_encode_encrypted_data(paenc, &enc_data); - freerdp_blob_free(&msg); - msg.data = paenc->p; - msg.length = curlen; - - /* padata = PA-ENC-TIMESTAMP */ - (*(pa_data + pai))->type = 2; - (*(pa_data + pai))->value = msg; - pai++; - freerdp_blob_free(encmsg); - free(encmsg); - } - - freerdp_blob_alloc(&msg, 7); - memcpy(msg.data, "\x30\x05\xa0\03\x01\x01", 6); // asn1 data - *((BYTE*)msg.data + 6) = krb_asreq->pa_pac_request; - - /* padata = PA-PAC-REQUEST */ - (*(pa_data + pai))->type = 128; - (*(pa_data + pai))->value = msg; - - *(pa_data + ++pai) = NULL; - - /* padata (TAG 3) */ - curlen = kerberos_encode_padata(s, pa_data); - totlen += curlen + kerberos_encode_contextual_tag(s, 3, curlen); - - /* MSGTYPE = AS-REQ (TAG 2) */ - totlen += kerberos_encode_uint8(s, 2, krb_asreq->type); - - /* KERBEROS PROTOCOL VERSION NO (TAG 1)*/ - totlen += kerberos_encode_uint8(s, 1, krb_asreq->pvno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - totlen += kerberos_encode_application_tag(s, krb_asreq->type, totlen); - totlen += kerberos_encode_recordmark(s, totlen); - - /* READY SEND */ - krb_tcp_send(context, s->p, totlen); - - /* save stuff */ - context->askey = enckey; - context->nonce = krb_asreq->req_body.nonce; - free(context->sname); - context->sname = xstrdup(krb_asreq->req_body.sname); - context->ctime = get_local_time(krb_asreq->req_body.from); - context->state = KRB_ASREQ_OK; - - /* clean up */ - freerdp_blob_free(&msg); - stream_free(s); - stream_free(paenc); - kerberos_free_asreq(krb_asreq); - free(krb_asreq); -} - -int kerberos_asrep_recv(KRB_CONTEXT* context) -{ - int totlen, tmp, len; - int errcode; - STREAM* s; - KrbERROR* krb_err; - KrbASREP* krb_asrep; - KrbKDCREP* kdc_rep; - errcode = -1; - s = stream_new(2048); - kerberos_tcp_recv(context, s->data, s->size); - - stream_read_uint32_be(s, totlen); - - if (totlen >= 2044) // MALFORMED PACKET - goto finish; - - if (((len = krb_decode_application_tag(s, KRB_TAG_ASREP, &tmp)) == 0) || (tmp != (totlen - len))) //NOT AN AS-REP - { - if (((len = krb_decode_application_tag(s, KRB_TAG_ERROR, &tmp)) == 0) || (tmp != (totlen - len))) // NOT AN KRB-ERROR - { - context->state = KRB_PACKET_ERROR; - goto finish; - } - else - { - totlen -= len; - krb_err = xnew(KrbERROR); - - if ((totlen <= 0) || ((len = krb_decode_krb_error(s, krb_err, totlen)) == 0)) - { - context->state = KRB_PACKET_ERROR; - free(krb_err); - goto finish; - } - - /* ERROR CODE */ - errcode = krb_err->errcode; - if (errcode == KRB_AP_ERR_SKEW) - { - context->state = KRB_ASREP_ERR; - goto errclean; - } - else if (errcode == KDC_ERR_PREAUTH_REQ) - { - /* should parse PA-ENC-TYPE-INFO2 */ - context->state = KRB_ASREP_ERR; - goto errclean; - } - else if (errcode == KDC_ERR_C_PRINCIPAL_UNKNOWN) - { - printf("KDC_ERR_C_PRINCIPAL_UNKNOWN\n"); - context->state = KRB_ASREP_ERR; - goto errclean; - } - else - { - context->state = KRB_PACKET_ERROR; - goto errclean; - } - errclean: - krb_free_krb_error(krb_err); - free(krb_err); - goto finish; - } - } - else /* AS-REP process */ - { - totlen -= len; - - krb_asrep = xnew(KrbASREP); - if (krb_decode_kdc_rep(s, &(krb_asrep->kdc_rep), totlen) == 0) - { - context->state = KRB_PACKET_ERROR; - xfree(krb_asrep); - goto finish; - } - kdc_rep = &(krb_asrep->kdc_rep); - - if (kerberos_verify_kdcrep(context, kdc_rep, KRB_TAG_ASREP) == 0) - context->state = KRB_ASREP_OK; - else - context->state = KRB_PACKET_ERROR; - - /* clean up */ - kerberos_free_asrep(krb_asrep); - free(krb_asrep); - goto finish; - } - finish: - stream_free(s); - return errcode; -} - -void kerberos_tgsreq_send(KRB_CONTEXT* context, BYTE errcode) -{ - KrbTGSREQ* krb_tgsreq; - KrbAPREQ* krb_apreq; - PAData** pa_data; - Authenticator* krb_auth; - STREAM* s; - STREAM* sapreq; - rdpBlob msg; - UINT32 curlen, totlen, tmp; - BYTE *bm; - bm = NULL; - totlen = tmp = 0; - krb_tgsreq = kerberos_tgsreq_new(context, errcode); - krb_auth = xnew(Authenticator); - pa_data = krb_tgsreq->padata; - s = stream_new(4096); - sapreq = stream_new(2048); - - //Begin write asn1 data reversely into stream - stream_seek(s, 4095); - stream_seek(sapreq, 2047); - - /* KDC-REQ-BODY (TAG 4) */ - totlen += kerberos_encode_req_body(s, &(krb_tgsreq->req_body), krb_tgsreq->type); - stream_get_mark(s, bm); - tmp = totlen; - totlen += kerberos_encode_contextual_tag(s, 4, totlen); - - msg.data = bm; - msg.length = tmp; - - /* Authenticator */ - krb_auth->avno = KRB_VERSION; - krb_auth->cname = context->cname; - krb_auth->crealm = context->realm; - krb_auth->cksumtype = get_cksum_type(context->enctype); - krb_auth->cksum = crypto_kdcmsg_cksum(&msg, context->askey, 6); //RFC4757 section 3 for msgtype (T=6) - krb_auth->ctime = krb_tgsreq->req_body.from; - krb_auth->cusec = 0; - crypto_nonce((BYTE*)&(krb_auth->seqno), 4); - - /* PA-TGS-REQ */ - krb_apreq = kerberos_apreq_new(context, &(context->asticket), krb_auth); - curlen = kerberos_encode_apreq(sapreq, krb_apreq); - xfree(krb_apreq) ; - - msg.data = sapreq->p; - msg.length = curlen; - (*pa_data)->type = 1; - (*pa_data)->value = msg; - - /* PA-DATA (TAG 3) */ - curlen = kerberos_encode_padata(s, pa_data); - totlen += curlen + kerberos_encode_contextual_tag(s, 3, curlen); - - /* MSGTYPE (TAG 2) */ - totlen += kerberos_encode_uint8(s, 2, krb_tgsreq->type); - - /* VERSION NO (TAG 1) */ - totlen += kerberos_encode_uint8(s, 1, krb_tgsreq->pvno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - totlen += kerberos_encode_application_tag(s, krb_tgsreq->type, totlen); - totlen += kerberos_encode_recordmark(s, totlen); - - /* READY SEND */ - krb_tcp_send(context, s->p, totlen); - - /* save stuff */ - context->nonce = krb_tgsreq->req_body.nonce; - free(context->sname); - context->sname = xstrdup(krb_tgsreq->req_body.sname); - context->ctime = get_local_time(krb_tgsreq->req_body.from); - context->state = KRB_TGSREQ_OK; - - /* clean up */ - freerdp_blob_free(krb_auth->cksum); - free(krb_auth->cksum); - free(krb_auth); - kerberos_free_tgsreq(krb_tgsreq); - free(krb_tgsreq); - stream_free(sapreq); - stream_free(s); -} - -int kerberos_tgsrep_recv(KRB_CONTEXT* context) -{ - int totlen, tmp, len; - int errcode; - STREAM* s; - KrbTGSREP* krb_tgsrep; - KrbKDCREP* kdc_rep; - errcode = -1; - s = stream_new(2048); - kerberos_tcp_recv(context, s->data, s->size); - - stream_read_uint32_be(s, totlen); - - if (totlen >= 2044) // MALFORMED PACKET - goto finish; - - if (((len = krb_decode_application_tag(s, KRB_TAG_TGSREP, &tmp)) == 0) || (tmp != (totlen - len))) //NOT AN TGS-REP - { - context->state = KRB_PACKET_ERROR; - goto finish; - } - else /* TGS-REP process */ - { - totlen -= len; - - krb_tgsrep = xnew(KrbTGSREP); - context->tgskey = xnew(KrbENCKey); - if(krb_decode_kdc_rep(s, &(krb_tgsrep->kdc_rep), totlen) == 0) - { - context->state = KRB_PACKET_ERROR; - xfree(krb_tgsrep); - goto finish; - } - kdc_rep = &(krb_tgsrep->kdc_rep); - - if(kerberos_verify_kdcrep(context, kdc_rep, KRB_TAG_TGSREP) == 0) - context->state = KRB_TGSREP_OK; - else - context->state = KRB_PACKET_ERROR; - - /* clean up */ - kerberos_free_tgsrep(krb_tgsrep); - free(krb_tgsrep); - goto finish; - } - finish: - stream_free(s); - return errcode; -} - -int kerberos_verify_kdcrep(KRB_CONTEXT* context, KrbKDCREP* kdc_rep, int msgtype) -{ - ENCKDCREPPart* reppart; - KrbENCKey* key; - rdpBlob* decmsg; - BYTE tag; - tag = 0; - key = NULL; - - /* Verify everything */ - if ((kdc_rep->pvno != KRB_VERSION) || (kdc_rep->type != msgtype) || strcasecmp(kdc_rep->cname, context->cname) || strcasecmp(kdc_rep->realm, context->realm)) - { - context->state = KRB_PACKET_ERROR; - return -1; - } - - /* decrypt enc-part */ - if (context->askey->enctype != kdc_rep->enc_part.enctype && msgtype == KRB_TAG_ASREP) - { - freerdp_blob_free(&(context->askey->skey)); - free(context->askey); - context->askey = string2key(&(context->passwd), kdc_rep->enc_part.enctype); - } - context->askey->enctype = kdc_rep->enc_part.enctype; - decmsg = crypto_kdcmsg_decrypt(&(kdc_rep->enc_part.encblob), context->askey, 8); //RFC4757 section 3 for msgtype (T=8) - - if (msgtype == KRB_TAG_ASREP) - { - key = context->askey; - tag = 25; - } - else if (msgtype == KRB_TAG_TGSREP) - { - key = context->tgskey; - tag = 26; - } - - /* KDC-REP-PART decode */ - if (decmsg == NULL || ((reppart = krb_decode_enc_reppart(decmsg, tag)) == NULL)) - { - context->state = KRB_PACKET_ERROR; - return -1; - } - freerdp_blob_free(decmsg); - free(decmsg); - - /* Verify KDC-REP-PART */ - if (reppart->nonce != context->nonce || strcasecmp(reppart->realm, context->realm) || strcasecmp(reppart->sname, context->sname)) - { - kerberos_free_reppart(reppart); - free(reppart); - context->state = KRB_PACKET_ERROR; - return -1; - } - - /* save stuff */ - context->clockskew = reppart->authtime - context->ctime; //Used to synchronize clocks - kerberos_save_ticket(context, kdc_rep); - freerdp_blob_copy(&(key->skey), &(reppart->key.skey)); - key->enctype = reppart->key.enctype; - kerberos_free_reppart(reppart); - free(reppart); - return 0; -} - -void kerberos_save_ticket(KRB_CONTEXT* context, KrbKDCREP* kdc_rep) -{ - Ticket* src; - Ticket* dst; - - dst = NULL; - src = &(kdc_rep->etgt); - - if (kdc_rep->type == KRB_TAG_ASREP) - dst = &(context->asticket); - else if (kdc_rep->type == KRB_TAG_TGSREP) - dst = &(context->tgsticket); - - dst->tktvno = src->tktvno; - dst->realm = xstrdup(src->realm); - dst->sname = xstrdup(src->sname); - dst->enc_part.enctype = src->enc_part.enctype; - dst->enc_part.kvno = src->enc_part.kvno; - - freerdp_blob_copy(&(dst->enc_part.encblob), &(src->enc_part.encblob)); -} - -void kerberos_reqbody_init(KRB_CONTEXT* context, KDCReqBody* req_body, BYTE reqtype) -{ - time_t t; - - req_body->cname = xstrdup(context->cname); - req_body->realm = xstrdup(context->realm); - - if (reqtype == KRB_TAG_ASREQ) - { - req_body->kdc_options = 0x40000000 | 0x00800000 | 0x00010000 | 0x00000010; /* forwardable , renewable, canonicalize, renewable OK */ - req_body->sname = xzalloc((strlen(req_body->realm) + 8) * sizeof(char)); - strcpy(req_body->sname, KRB_SERVER); - strcat(req_body->sname, req_body->realm); - } - else if (reqtype == KRB_TAG_TGSREQ) - { - req_body->kdc_options = 0x40000000 | 0x00800000 | 0x00010000; /* forwardable , renewable, canonicalize */ - req_body->sname = xzalloc((strlen(context->settings->hostname) + 10) * sizeof(char)); - strcpy(req_body->sname, APP_SERVER); - strcat(req_body->sname, context->settings->hostname); - } - - t = time(NULL); - t += context->clockskew; /* fix clockskew */ - - req_body->from = get_utc_time((time_t)(t)); - req_body->till = get_utc_time((time_t)(t + 473040000)); - req_body->rtime = get_utc_time((time_t)(t + 473040000)); - - crypto_nonce((BYTE*) &(req_body->nonce), 4); -} - -KrbASREQ* kerberos_asreq_new(KRB_CONTEXT* context, BYTE errcode) -{ - KrbASREQ* krb_asreq; - PAData** lpa_data; - BYTE pacntmax, i; - pacntmax = 2; - - krb_asreq = xnew(KrbASREQ); - krb_asreq->pvno = KRB_VERSION; - krb_asreq->type = KRB_TAG_ASREQ; - krb_asreq->pa_pac_request = 0xff; //true - krb_asreq->padata = (PAData**)xzalloc((pacntmax + 1) * sizeof(PAData*)); - lpa_data = krb_asreq->padata; - - for (i = 0; i < pacntmax; i++) - *(lpa_data + i) = (PAData*)xzalloc(sizeof(PAData)); - - kerberos_reqbody_init(context, &(krb_asreq->req_body), krb_asreq->type); - - return krb_asreq; -} - -KrbAPREQ* kerberos_apreq_new(KRB_CONTEXT* context, Ticket* ticket, Authenticator* krb_auth) -{ - KrbAPREQ* krb_apreq; - STREAM* as; - rdpBlob msg; - rdpBlob* encmsg; - UINT32 len; - - as = stream_new(1024); - stream_seek(as, 1023); - - krb_apreq = xnew(KrbAPREQ); - krb_apreq->pvno = KRB_VERSION; - krb_apreq->type = KRB_TAG_APREQ; - krb_apreq->ap_options = 0x00000000 | 0x00000000 | 0x00000000; /* Reserved (bit 31), Use session Key (bit 30), Mututal Required (bit 29) */ - krb_apreq->ticket = ticket; - - if (krb_auth != NULL) - { - len = kerberos_encode_authenticator(as, krb_auth); - msg.data = as->p; - msg.length = len; - encmsg = crypto_kdcmsg_encrypt(&msg, context->askey, 7); /* RFC4757 section 3 for msgtype (T=7) */ - krb_apreq->enc_auth.enctype = context->askey->enctype; - krb_apreq->enc_auth.kvno = -1; - krb_apreq->enc_auth.encblob.data = encmsg->data; - krb_apreq->enc_auth.encblob.length = encmsg->length; - free(encmsg); - } - - stream_free(as); - - return krb_apreq; -} - -KrbTGSREQ* kerberos_tgsreq_new(KRB_CONTEXT* context, BYTE errcode) -{ - KrbTGSREQ* krb_tgsreq; - BYTE pacntmax; - pacntmax = 1; - - krb_tgsreq = xnew(KrbTGSREQ); - krb_tgsreq->pvno = KRB_VERSION; - krb_tgsreq->type = KRB_TAG_TGSREQ; - krb_tgsreq->pa_pac_request = 0xFF; /* true */ - - krb_tgsreq->padata = (PAData**) xzalloc((pacntmax + 1) * sizeof(PAData*)); - *(krb_tgsreq->padata) = xnew(PAData); - *(krb_tgsreq->padata + 1) = NULL; - - kerberos_reqbody_init(context, &(krb_tgsreq->req_body), krb_tgsreq->type); - - return krb_tgsreq; -} - -void kerberos_free_ticket(Ticket* ticket) -{ - if (ticket != NULL) - { - free(ticket->realm); - free(ticket->sname); - freerdp_blob_free(&(ticket->enc_part.encblob)); - ticket->enc_part.encblob.data = NULL; - } -} - -void kerberos_free_padata(PAData** padata) -{ - PAData** lpa_data; - lpa_data = padata; - - if (lpa_data == NULL) - return; - - while (*lpa_data != NULL) - { - free(*lpa_data); - lpa_data++; - } -} - -void kerberos_free_kdcrep(KrbKDCREP* kdc_rep) -{ - if (kdc_rep != NULL) - { - kerberos_free_padata(kdc_rep->padata); - free(kdc_rep->cname); - free(kdc_rep->realm); - kerberos_free_ticket(&(kdc_rep->etgt)); - freerdp_blob_free(&(kdc_rep->enc_part.encblob)); - kdc_rep->enc_part.encblob.data = NULL; - } -} - -void kerberos_free_reppart(ENCKDCREPPart* reppart) -{ - if (reppart != NULL) - { - freerdp_blob_free(&(reppart->key.skey)); - free(reppart->sname); - free(reppart->realm); - } -} - -void kerberos_free_req_body(KDCReqBody* req_body) -{ - if (req_body != NULL) - { - free(req_body->sname); - free(req_body->realm); - free(req_body->cname); - free(req_body->from); - free(req_body->till); - free(req_body->rtime); - } -} - -void kerberos_free_asreq(KrbASREQ* krb_asreq) -{ - if (krb_asreq != NULL) - { - kerberos_free_padata(krb_asreq->padata); - kerberos_free_req_body(&(krb_asreq->req_body)); - } -} - -void kerberos_free_asrep(KrbASREP* krb_asrep) -{ - if (krb_asrep != NULL) - { - kerberos_free_kdcrep(&(krb_asrep->kdc_rep)); - } -} - -void kerberos_free_tgsreq(KrbTGSREQ* krb_tgsreq) -{ - if(krb_tgsreq != NULL) - { - kerberos_free_padata(krb_tgsreq->padata); - kerberos_free_req_body(&(krb_tgsreq->req_body)); - } -} - -void kerberos_free_tgsrep(KrbTGSREP* krb_tgsrep) -{ - if (krb_tgsrep != NULL) - { - kerberos_free_kdcrep(&(krb_tgsrep->kdc_rep)); - } -} - -void krb_free_krb_error(KrbERROR* krb_err) -{ - if (krb_err != NULL) - { - free(krb_err->stime); - freerdp_blob_free(&(krb_err->edata)); - } -} - -SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) -{ - if (!phContext) - return SEC_E_INVALID_HANDLE; - - if (!pBuffer) - return SEC_E_INSUFFICIENT_MEMORY; - - if (ulAttribute == SECPKG_ATTR_SIZES) - { - SecPkgContext_Sizes* ContextSizes = (SecPkgContext_Sizes*) pBuffer; - - ContextSizes->cbMaxToken = 2010; - ContextSizes->cbMaxSignature = 16; - ContextSizes->cbBlockSize = 0; - ContextSizes->cbSecurityTrailer = 16; - - return SEC_E_OK; - } - - return SEC_E_UNSUPPORTED_FUNCTION; -} - -SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) -{ - return SEC_E_OK; -} - -SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) -{ - return SEC_E_OK; -} - -const SecPkgInfoA KERBEROS_SecPkgInfoA = -{ - 0x000F3BBF, /* fCapabilities */ - 1, /* wVersion */ - 0x0010, /* wRPCID */ - 0x00002EE0, /* cbMaxToken */ - "Kerberos", /* Name */ - "Microsoft Kerberos V1.0" /* Comment */ -}; - -const SecPkgInfoW KERBEROS_SecPkgInfoW = -{ - 0x000F3BBF, /* fCapabilities */ - 1, /* wVersion */ - 0x0010, /* wRPCID */ - 0x00002EE0, /* cbMaxToken */ - L"Kerberos", /* Name */ - L"Microsoft Kerberos V1.0" /* Comment */ -}; - -const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = -{ - 1, /* dwVersion */ - NULL, /* EnumerateSecurityPackages */ - kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */ - kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */ - kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */ - NULL, /* Reserved2 */ - kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */ - NULL, /* AcceptSecurityContext */ - NULL, /* CompleteAuthToken */ - NULL, /* DeleteSecurityContext */ - NULL, /* ApplyControlToken */ - kerberos_QueryContextAttributesA, /* QueryContextAttributes */ - NULL, /* ImpersonateSecurityContext */ - NULL, /* RevertSecurityContext */ - kerberos_MakeSignature, /* MakeSignature */ - kerberos_VerifySignature, /* VerifySignature */ - NULL, /* FreeContextBuffer */ - NULL, /* QuerySecurityPackageInfo */ - NULL, /* Reserved3 */ - NULL, /* Reserved4 */ - NULL, /* ExportSecurityContext */ - NULL, /* ImportSecurityContext */ - NULL, /* AddCredentials */ - NULL, /* Reserved8 */ - NULL, /* QuerySecurityContextToken */ - kerberos_EncryptMessage, /* EncryptMessage */ - kerberos_DecryptMessage, /* DecryptMessage */ - NULL, /* SetContextAttributes */ -}; - -const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = -{ - 1, /* dwVersion */ - NULL, /* EnumerateSecurityPackages */ - kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */ - kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */ - kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */ - NULL, /* Reserved2 */ - kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */ - NULL, /* AcceptSecurityContext */ - NULL, /* CompleteAuthToken */ - NULL, /* DeleteSecurityContext */ - NULL, /* ApplyControlToken */ - kerberos_QueryContextAttributesW, /* QueryContextAttributes */ - NULL, /* ImpersonateSecurityContext */ - NULL, /* RevertSecurityContext */ - kerberos_MakeSignature, /* MakeSignature */ - kerberos_VerifySignature, /* VerifySignature */ - NULL, /* FreeContextBuffer */ - NULL, /* QuerySecurityPackageInfo */ - NULL, /* Reserved3 */ - NULL, /* Reserved4 */ - NULL, /* ExportSecurityContext */ - NULL, /* ImportSecurityContext */ - NULL, /* AddCredentials */ - NULL, /* Reserved8 */ - NULL, /* QuerySecurityContextToken */ - kerberos_EncryptMessage, /* EncryptMessage */ - kerberos_DecryptMessage, /* DecryptMessage */ - NULL, /* SetContextAttributes */ -}; diff --git a/winpr/sspi/Kerberos/kerberos.h b/winpr/sspi/Kerberos/kerberos.h deleted file mode 100644 index aee47e9e7..000000000 --- a/winpr/sspi/Kerberos/kerberos.h +++ /dev/null @@ -1,350 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef WINPR_SSPI_KERBEROS_PRIVATE_H -#define WINPR_SSPI_KERBEROS_PRIVATE_H - -#ifndef _WIN32 -#include -#include -#include -#include -#include -#endif - -#ifndef MSG_NOSIGNAL -#define MSG_NOSIGNAL 0 -#endif - -#include - -#include -#include -#include -#include -#include -#include - -#define MSKRB_OID "1.2.840.48018.1.2.2" -#define STDKRB_OID "1.2.840.113554.1.2.2" - -#define SERVICE "_kerberos." -#define KRB_VERSION 5 -#define KRB_SERVER "krbtgt/" -#define APP_SERVER "TERMSRV/" - -#define KRB_NAME_PRINCIPAL 1 -#define KRB_NAME_SERVICE 2 - -/* KRB TAGS */ -#define KRB_TAG_ASREQ 10 -#define KRB_TAG_ASREP 11 -#define KRB_TAG_TGSREQ 12 -#define KRB_TAG_TGSREP 13 -#define KRB_TAG_APREQ 14 -#define KRB_TAG_APREP 15 -#define KRB_TAG_ERROR 30 -#define KRB_TAG_U2UTGTREQ 16 -#define KRB_TAG_U2UTGTREP 16 - -#define NAME_TYPE_PRINCIPAL 1 -#define NAME_TYPE_SERVICE 2 - -/* KRB ERROR */ -#define KDC_ERR_PREAUTH_FAILED 24 -#define KDC_ERR_PREAUTH_REQ 25 -#define KRB_AP_ERR_SKEW 37 -#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 - -#define PA_ENCTYPE_INFO 11 -#define PA_ENCTYPE_INFO2 19 - -/* ENCRYPTION TYPE */ -#define ETYPE_DES_CBC_CRC 1 -#define ETYPE_DES_CBC_MD5 3 -#define ETYPE_AES128_CTS_HMAC 17 -#define ETYPE_AES256_CTS_HMAC 18 -#define ETYPE_RC4_HMAC 23 - -/* CHECKSUM TYPE */ -#define KRB_CKSUM_HMAC_MD5 -138 - -/* AD TYPE */ -#define AD_IF_RELEVANT 1 - -#define GETUINT16( _s, _p) do{ \ - *(_p) = (BYTE)(_s)[0] << 8 | (BYTE)(_s)[1]; \ - (_s) += 2; } while (0) -#define _GET_BYTE_LENGTH(_n) (((_n) > 0xFF) ? 3 :(((_n) > 0x7F) ? 2 : 1)) - -enum _KRBCTX_STATE -{ - KRB_STATE_INITIAL, - KRB_FAILOVER_NTLM, - KRB_ASREQ_OK, - KRB_ASREP_OK, - KRB_ASREP_ERR, - KRB_TGSREQ_OK, - KRB_TGSREP_OK, - KRB_TGSREP_ERR, - KRB_U2UTGTREQ_OK, - KRB_U2UTGTREP_OK, - KRB_APREQ_OK, - KRB_APREP_OK, - KRB_PACKET_ERROR, - KRB_STATE_FINAL -}; -typedef enum _KRBCTX_STATE KRBCTX_STATE; - -struct _kdc_srv_entry -{ - struct _kdc_srv_entry* next; - UINT16 priority; - UINT16 weight; - UINT16 port; - char* kdchost; -}; -typedef struct _kdc_srv_entry KDCENTRY; - -struct _PA_DATA -{ - int type; - rdpBlob value; -}; -typedef struct _PA_DATA PAData; - -struct _AUTH_DATA -{ - int ad_type; - BYTE* ad_data; -}; -typedef struct _AUTH_DATA AuthData; - -struct _Krb_ENCData -{ - INT32 enctype; - int kvno; - rdpBlob encblob; -}; -typedef struct _Krb_ENCData KrbENCData; - -struct _Krb_ENCKey -{ - INT32 enctype; - rdpBlob skey; -}; -typedef struct _Krb_ENCKey KrbENCKey; - -struct _ENC_KDC_REPPART -{ - KrbENCKey key; - int nonce; - UINT32 flags; - time_t authtime; - time_t endtime; - char *realm; - char *sname; -}; -typedef struct _ENC_KDC_REPPART ENCKDCREPPart; - -struct _Krb_Ticket -{ - int tktvno; - char* realm; - char* sname; - KrbENCData enc_part; -}; -typedef struct _Krb_Ticket Ticket; - -struct _Krb_Authenticator -{ - int avno; - char* crealm; - char* cname; - int cksumtype; - rdpBlob* cksum; - UINT32 cusec; - char* ctime; - UINT32 seqno; - AuthData auth_data; -}; -typedef struct _Krb_Authenticator Authenticator; - -struct _KDC_REQ_BODY -{ - UINT32 kdc_options; - char* cname; - char* realm; - char* sname; - char* from; - char* till; - char* rtime; - UINT32 nonce; -}; -typedef struct _KDC_REQ_BODY KDCReqBody; - -struct _KRB_KDCREP -{ - int pvno; - int type; - PAData** padata; - char* realm; - char* cname; - Ticket etgt; - KrbENCData enc_part; -}; -typedef struct _KRB_KDCREP KrbKDCREP; - -struct _KRB_AS_REQ -{ - int pvno; - int type; - boolean pa_pac_request; - PAData** padata; - KDCReqBody req_body; -}; -typedef struct _KRB_AS_REQ KrbASREQ; - -struct _KRB_TGS_REQ -{ - int pvno; - int type; - boolean pa_pac_request; - PAData** padata; - KDCReqBody req_body; -}; -typedef struct _KRB_TGS_REQ KrbTGSREQ; - -struct _KRB_APREQ -{ - int pvno; - int type; - UINT32 ap_options; - Ticket* ticket; - KrbENCData enc_auth; -}; -typedef struct _KRB_APREQ KrbAPREQ; - -struct _KRB_ERROR -{ - int pvno; - int type; - int errcode; - char* stime; - UINT32 susec; - char* realm; - char* sname; - rdpBlob edata; -}; -typedef struct _KRB_ERROR KrbERROR; - -struct _KRB_ASREP -{ - KrbKDCREP kdc_rep; -}; -typedef struct _KRB_ASREP KrbASREP; - -struct _KRB_TGSREP -{ - KrbKDCREP kdc_rep; -}; -typedef struct _KRB_TGSREP KrbTGSREP; - -struct _KRB_TGTREQ -{ - int pvno; - int type; - char* sname; - char* realm; -}; -typedef struct _KRB_TGTREQ KrbTGTREQ; - -struct _KRB_TGTREP -{ - int pvno; - int type; - Ticket ticket; -}; -typedef struct _KRB_TGTREP KrbTGTREP; - -struct _KRB_CONTEXT -{ - rdpSettings* settings; - int ksockfd; - UINT16 krbport; - char* krbhost; - char* cname; - char* realm; - char* sname; - char* hostname; - rdpBlob passwd; - INT32 enctype; - time_t clockskew; - time_t ctime; - UINT32 nonce; - Ticket asticket; - KrbENCKey* askey; - Ticket tgsticket; - KrbENCKey* tgskey; - KRBCTX_STATE state; - CtxtHandle context; - SEC_WINNT_AUTH_IDENTITY identity; -}; -typedef struct _KRB_CONTEXT KRB_CONTEXT; - -CtxtHandle* krbctx_client_init(rdpSettings* settings, SEC_WINNT_AUTH_IDENTITY* identity); - -boolean tcp_is_ipaddr(const char* hostname); -char* get_utc_time(time_t t); -time_t get_local_time(char* str); -time_t get_clock_skew(char* str); -char* get_dns_queryname(char *host, char* protocol); -int krb_get_realm(rdpSettings* settings); -KDCENTRY* krb_locate_kdc(rdpSettings* settings); - -int kerberos_tcp_connect(KRB_CONTEXT* krb_ctx, KDCENTRY* entry); -int kerberos_tcp_send(KRB_CONTEXT* krb_ctx, BYTE* data, UINT32 length); -int kerberos_tcp_recv(KRB_CONTEXT* krb_ctx, BYTE* data, UINT32 length); - -void kerberos_asreq_send(KRB_CONTEXT* krb_ctx, BYTE errcode); -int kerberos_asrep_recv(KRB_CONTEXT* krb_ctx); - -void kerberos_tgsreq_send(KRB_CONTEXT* krb_ctx, BYTE errcode); -int kerberos_tgsrep_recv(KRB_CONTEXT* krb_ctx); - -int kerberos_verify_kdcrep(KRB_CONTEXT* krb_ctx, KrbKDCREP* kdc_rep, int msgtype); -void kerberos_save_ticket(KRB_CONTEXT* krb_ctx, KrbKDCREP* kdc_rep); - -KrbASREQ* kerberos_asreq_new(KRB_CONTEXT* krb_ctx, BYTE errcode); -KrbTGSREQ* kerberos_tgsreq_new(KRB_CONTEXT* krb_Rss, BYTE errcode); -KrbAPREQ* kerberos_apreq_new(KRB_CONTEXT* krb_ctx, Ticket* ticket, Authenticator* krb_auth); - -void kerberos_ContextFree(KRB_CONTEXT* krb_ctx); -void kerberos_free_ticket(Ticket* ticket); -void kerberos_free_padata(PAData** padata); -void kerberos_free_req_body(KDCReqBody* req_body); -void kerberos_free_kdcrep(KrbKDCREP* kdc_rep); -void kerberos_free_reppart(ENCKDCREPPart* reppart); -void kerberos_free_asreq(KrbASREQ* krb_asreq); -void kerberos_free_asrep(KrbASREP* krb_asrep); -void kerberos_free_tgsreq(KrbTGSREQ* krb_tgsreq); -void kerberos_free_tgsrep(KrbTGSREP* krb_tgsrep); -void krb_free_krb_error(KrbERROR* krb_err); - -#endif /* WINPR_SSPI_KERBEROS_PRIVATE_H */ diff --git a/winpr/sspi/Kerberos/kerberos_crypto.c b/winpr/sspi/Kerberos/kerberos_crypto.c deleted file mode 100644 index 449ef27e9..000000000 --- a/winpr/sspi/Kerberos/kerberos_crypto.c +++ /dev/null @@ -1,194 +0,0 @@ -/** -* WinPR: Windows Portable Runtime -* kerberos Crypto Support -* -* Copyright 2011 Samsung, Author Jiten Pathy -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -#include "kerberos.h" -#include "kerberos_crypto.h" - -BYTE* crypto_md4_hash(rdpBlob* blob) -{ - BYTE* hash; - MD4_CTX md4_ctx; - - hash = (BYTE*) malloc(16); - ZeroMemory(hash, 16); - - MD4_Init(&md4_ctx); - MD4_Update(&md4_ctx, blob->data, blob->length); - MD4_Final(hash, &md4_ctx); - - return hash; -} - -KrbENCKey* string2key(rdpBlob* string, sint8 enctype) -{ - KrbENCKey* key; - key = xnew(KrbENCKey); - key->enctype = enctype; - - switch(enctype) - { - case ETYPE_RC4_HMAC: - key->skey.data = crypto_md4_hash(string); - key->skey.length = 16; - break; - } - - return key; -} - -rdpBlob* crypto_kdcmsg_encrypt_rc4(rdpBlob* msg, BYTE* key, UINT32 msgtype) -{ - rdpBlob* encmsg; - BYTE* K1; - BYTE* K3; - UINT32 len; - krbEdata* edata; - CryptoRc4 rc4; - - K1 = xzalloc(16); - K3 = xzalloc(16); - len = ((msg->length > 16) ? msg->length : 16); - len += sizeof(krbEdata); - edata = xzalloc(len); - encmsg = xnew(rdpBlob); - freerdp_blob_alloc(encmsg, len); - HMAC(EVP_md5(), (void*) key, 16, (BYTE*)&msgtype, 4, (void*) K1, NULL); - crypto_nonce((BYTE*)(edata->Confounder), 8); - memcpy(&(edata->data[0]), msg->data, msg->length); - HMAC(EVP_md5(), (void*) K1, 16, (BYTE*) edata->Confounder, len - 16, (void*) &(edata->Checksum), NULL); - HMAC(EVP_md5(), (void*) K1, 16, (BYTE*) &(edata->Checksum), 16, (void*) K3, NULL); - memcpy(encmsg->data, &(edata->Checksum), 16); - rc4 = crypto_rc4_init(K3, 16); - crypto_rc4(rc4, len - 16, (BYTE*) edata->Confounder, (BYTE*)(((BYTE*) encmsg->data) + 16)); - crypto_rc4_free(rc4); - free(K1); - free(K3); - free(edata); - - return encmsg; -} - -rdpBlob* crypto_kdcmsg_encrypt(rdpBlob* msg, KrbENCKey* key, UINT32 msgtype) -{ - switch(key->enctype) - { - case ETYPE_RC4_HMAC: - if(key->skey.length != 16) - return NULL; - return crypto_kdcmsg_encrypt_rc4(msg, key->skey.data, msgtype); - } - - return NULL; -} - -rdpBlob* crypto_kdcmsg_decrypt_rc4(rdpBlob* msg, BYTE* key, UINT32 msgtype) -{ - rdpBlob* decmsg; - BYTE* K1; - BYTE* K3; - UINT32 len; - krbEdata* edata; - CryptoRc4 rc4; - - K1 = xzalloc(16); - K3 = xzalloc(16); - len = msg->length; - edata = xzalloc(len); - HMAC(EVP_md5(), (void*) key, 16, (BYTE*) &msgtype, 4, (void*) K1, NULL); - HMAC(EVP_md5(), (void*) K1, 16, (BYTE*) msg->data , 16, (void*) K3, NULL); - rc4 = crypto_rc4_init(K3, 16); - crypto_rc4(rc4, len - 16, (BYTE*)(((BYTE*) msg->data) + 16), (BYTE*) edata->Confounder); - crypto_rc4_free(rc4); - HMAC(EVP_md5(), (void*) K1, 16, (BYTE*)edata->Confounder, len - 16, (void*) &(edata->Checksum), NULL); - - if (memcmp(msg->data, &edata->Checksum, 16)) - { - free(edata) ; - free(K1) ; - free(K3) ; - return NULL; - } - - decmsg = xnew(rdpBlob); - freerdp_blob_alloc(decmsg, len); - memcpy(decmsg->data, edata, len); - - free(K1); - free(K3); - free(edata); - - return decmsg; -} - -rdpBlob* crypto_kdcmsg_decrypt(rdpBlob* msg, KrbENCKey* key, UINT32 msgtype) -{ - switch(key->enctype) - { - case ETYPE_RC4_HMAC: - if(key->skey.length != 16) - return NULL; - return crypto_kdcmsg_decrypt_rc4(msg, key->skey.data, msgtype); - } - return NULL; -} - -rdpBlob* crypto_kdcmsg_cksum_hmacmd5(rdpBlob* msg, BYTE* key, UINT32 msgtype) -{ - rdpBlob* cksum; - BYTE* Ksign; - BYTE* tmpdata; - BYTE* tmp; - CryptoMd5 md5; - Ksign = xzalloc(16); - tmp = xzalloc(16); - cksum = xnew(rdpBlob); - freerdp_blob_alloc(cksum, 16); - tmpdata = xzalloc(msg->length + 4); - HMAC(EVP_md5(), (void*) key, 16, (BYTE*)"signaturekey\0", 13, (void*) Ksign, NULL); - memcpy(tmpdata, (void*)&msgtype, 4); - memcpy(tmpdata + 4, msg->data, msg->length); - md5 = crypto_md5_init(); - crypto_md5_update(md5, tmpdata, msg->length + 4); - crypto_md5_final(md5, tmp); - HMAC(EVP_md5(), (void*) Ksign, 16, (BYTE*)tmp, 16, (void*) cksum->data, NULL); - return cksum; -} - -rdpBlob* crypto_kdcmsg_cksum(rdpBlob* msg, KrbENCKey* key, UINT32 msgtype) -{ - switch(key->enctype) - { - case ETYPE_RC4_HMAC: - if(key->skey.length != 16) - return NULL; - return crypto_kdcmsg_cksum_hmacmd5(msg, key->skey.data, msgtype); - } - return NULL; -} - -int get_cksum_type(UINT32 enctype) -{ - switch(enctype) - { - case ETYPE_RC4_HMAC: - return KRB_CKSUM_HMAC_MD5; - } - - return 0; -} diff --git a/winpr/sspi/Kerberos/kerberos_crypto.h b/winpr/sspi/Kerberos/kerberos_crypto.h deleted file mode 100644 index bcccb7f30..000000000 --- a/winpr/sspi/Kerberos/kerberos_crypto.h +++ /dev/null @@ -1,56 +0,0 @@ -/** -* WinPR: Windows Portable Runtime -* kerberos Crypto Support -* -* Copyright 2011 Samsung, Author Jiten Pathy -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -#ifndef WINPR_SSPI_KERBEROS_CRYPTO_H -#define WINPR_SSPI_KERBEROS_CRYPTO_H - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -struct _KRB_EDATA -{ - uint8 Checksum[16]; - uint8 Confounder[8]; - uint8* data[0]; -}; -typedef struct _KRB_EDATA krbEdata; - -int get_cksum_type(uint32 enctype); - -uint8* crypto_md4_hash(rdpBlob* blob); -KrbENCKey* string2key(rdpBlob* string, sint8 enctype); - -rdpBlob* crypto_kdcmsg_encrypt_rc4(rdpBlob* msg, uint8* key, uint32 msgtype); -rdpBlob* crypto_kdcmsg_encrypt(rdpBlob* msg, KrbENCKey* key, uint32 msgtype); - -rdpBlob* crypto_kdcmsg_decrypt_rc4(rdpBlob* msg, uint8* key, uint32 msgtype); -rdpBlob* crypto_kdcmsg_decrypt(rdpBlob* msg, KrbENCKey* key, uint32 msgtype); - -rdpBlob* crypto_kdcmsg_cksum_hmacmd5(rdpBlob* msg, uint8* key, uint32 msgtype); -rdpBlob* crypto_kdcmsg_cksum(rdpBlob* msg, KrbENCKey* key, uint32 msgtype); - -#endif /* FREERDP_SSPI_KERBEROS_CRYPTO_H */ diff --git a/winpr/sspi/Kerberos/kerberos_decode.c b/winpr/sspi/Kerberos/kerberos_decode.c deleted file mode 100644 index 7d1ba226b..000000000 --- a/winpr/sspi/Kerberos/kerberos_decode.c +++ /dev/null @@ -1,837 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol DER Decode - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "kerberos_decode.h" - -int krb_decode_application_tag(STREAM* s, uint8 tag, int *length) -{ - uint8* bm; - stream_get_mark(s, bm); - - if(!der_read_application_tag(s, tag, length)) - { - stream_set_mark(s, bm); - *length = 0; - return 0; - } - return (s->p - bm); -} - -int krb_decode_sequence_tag(STREAM* s, int *length) -{ - uint8* bm; - stream_get_mark(s, bm); - - if(!der_read_sequence_tag(s, length)) - { - stream_set_mark(s, bm); - *length = 0; - return 0; - } - return (s->p - bm); -} - -int krb_decode_contextual_tag(STREAM* s, uint8 tag, int *length) -{ - uint8* bm; - stream_get_mark(s, bm); - - if(!der_read_contextual_tag(s, tag, length, true)) - { - stream_set_mark(s, bm); - *length = 0; - return 0; - } - return (s->p - bm); -} - -int krb_skip_contextual_tag(STREAM* s, uint8 tag) -{ - uint8* bm; - int length; - stream_get_mark(s, bm); - - if(!der_read_contextual_tag(s, tag, &length, true)) - { - stream_set_mark(s, bm); - length = 0; - return 0; - } - stream_seek(s, length); - return (s->p - bm); -} - -int krb_decode_integer(STREAM* s, uint32* value) -{ - uint8* bm; - stream_get_mark(s, bm); - - if(!der_read_integer(s, value)) - { - stream_set_mark(s, bm); - *value = 0; - return 0; - } - else - return (s->p - bm); -} - -int krb_decode_time(STREAM* s, uint8 tag, char** str) -{ - uint8* bm; - int tmp; - stream_get_mark(s, bm); - - if((krb_decode_contextual_tag(s, tag, &tmp) == 0) || (tmp != 17) || !der_read_generalized_time(s, str)) - { - stream_set_mark(s, bm); - return 0; - } - else - return (s->p - bm); -} - -int krb_decode_int(STREAM* s, uint8 tag, uint32* result) -{ - uint8* bm; - int totlen, len, tmp; - totlen = 0; - stream_get_mark(s, bm); - - if((len = krb_decode_contextual_tag(s, tag, &tmp)) == 0) - goto err; - - totlen += len; - - if(((len = krb_decode_integer(s, result)) == 0) || (tmp != len)) - goto err; - - totlen += len; - return totlen; - - err: - stream_set_mark(s, bm); - *result = 0; - return 0; -} - -int krb_decode_flags(STREAM* s, uint8 tag, uint32* flags) -{ - uint8* bm; - int len, tmp, verlen; - verlen = 9; - stream_get_mark(s, bm); - - if(((len = krb_decode_contextual_tag(s, tag, &tmp)) == 0) || (len != (verlen - tmp))) - goto err; - - verlen -= len; - - if(!der_read_bit_string(s, &tmp, (uint8*)&len) || (tmp != 5)) - goto err; - - stream_read_uint32_be(s, *flags); - return 9; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_string(STREAM* s, uint8 tag, char** str) -{ - uint8* bm; - int totlen, len, tmp; - totlen = 0; - stream_get_mark(s, bm); - - if((len = krb_decode_contextual_tag(s, tag, &tmp)) == 0) - goto err; - - totlen += len; - - if(((*str = der_read_general_string(s, &len)) == NULL) || tmp != len) - goto err; - - totlen += len; - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_octet_string(STREAM* s, uint8 tag, uint8** data, int* length) -{ - uint8* bm; - int totlen, len, tmp, verlen; - totlen = 0; - stream_get_mark(s, bm); - - if((len = krb_decode_contextual_tag(s, tag, &verlen)) == 0) - goto err; - - totlen += len; - - if(!der_read_octet_string(s, &tmp)) - { - stream_set_mark(s, bm); - *length = 0; - return 0; - } - - totlen += tmp + _GET_BYTE_LENGTH(tmp) + 1; - verlen -= (tmp + _GET_BYTE_LENGTH(tmp) + 1); - - if(verlen != 0) - goto err; - - *data = xzalloc(tmp); - stream_read(s, *data, tmp); - *length = tmp; - - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - - -int krb_decode_cname(STREAM* s, uint8 tag, char** str) -{ - uint8* bm; - int totlen, len, tmp, type, verlen; - totlen = 0; - stream_get_mark(s, bm); - - /* Contextual tag */ - if((len = krb_decode_contextual_tag(s, tag, &verlen)) == 0) - goto err; - - totlen += len; - - /* cname sequence tag */ - if(((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - /* cname name type[0] */ - if((verlen <= 0) || ((len = krb_decode_int(s, 0, (uint32*)&type)) == 0) || (type != KRB_NAME_PRINCIPAL)) - goto err; - - totlen += len; - verlen -= len; - - /* cname name[1] */ - if((verlen <= 0) || ((len = krb_decode_contextual_tag(s, 1, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if((verlen <= 0) || ((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if(((*str = der_read_general_string(s, &len)) == NULL)) - goto err; - - totlen += len; - - if(verlen != len) - { - xfree(*str); - *str = NULL; - goto err; - } - - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_sname(STREAM* s, uint8 tag, char** str) -{ - uint8* bm; - int totlen, len, tmp, type, verlen; - char* name; - char* realm; - totlen = 0; - stream_get_mark(s, bm); - - /* Contextual tag */ - if((len = krb_decode_contextual_tag(s, tag, &verlen)) == 0) - goto err; - - totlen += len; - - /* sname sequence tag */ - if(((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - /* sname name type[0] */ - if((verlen <= 0) || ((len = krb_decode_int(s, 0, (uint32*)&type)) == 0) || (type != KRB_NAME_SERVICE)) - goto err; - - totlen += len; - verlen -= len; - - /* sname name & realm[1] */ - if((verlen <= 0) || ((len = krb_decode_contextual_tag(s, 1, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if((verlen <= 0) || ((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if(((name = der_read_general_string(s, &len)) == NULL)) - goto err; - - totlen += len; - verlen -= len; - - if(((realm = der_read_general_string(s, &len)) == NULL)) - { - xfree(name); - goto err; - } - - totlen += len; - - if(verlen != len) - { - xfree(name); - xfree(realm); - goto err; - } - - *str = xzalloc(strlen(name) + strlen(realm) + 2); - strcpy(*str, name); - strcat(*str, "/"); - strcat(*str, realm); - - xfree(name); - xfree(realm); - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_enckey(STREAM* s, KrbENCKey* key) -{ - uint8* bm; - int totlen, len, verlen; - totlen = 0; - stream_get_mark(s, bm); - - if((len = krb_decode_sequence_tag(s, &verlen)) == 0) - goto err; - - totlen += len; - - /* enctype[0] */ - if((len = krb_decode_int(s, 0, (uint32*)&(key->enctype))) == 0) - goto err; - - totlen += len; - verlen -= len; - - /* keyvalue[1] */ - if((verlen <= 0) || ((len = krb_decode_octet_string(s, 1, (uint8**)&(key->skey.data), &(key->skey.length))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_encrypted_data(STREAM* s, KrbENCData* enc_data) -{ - uint8* bm; - int totlen, len, verlen; - totlen = 0; - stream_get_mark(s, bm); - - if((len = krb_decode_sequence_tag(s, &verlen)) == 0) - goto err; - - totlen += len; - - /* enctype[0] */ - if(((len = krb_decode_int(s, 0, (uint32*)&(enc_data->enctype))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* kvno[1] OPTIONAL */ - if((verlen <= 0)) - goto err; - len = krb_decode_int(s, 1, (uint32*)&(enc_data->kvno)); - totlen += len; - verlen -= len; - - /* data[2] */ - if((verlen <= 0) || ((len = krb_decode_octet_string(s, 2, (uint8**)&(enc_data->encblob.data), &(enc_data->encblob.length))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - -int krb_decode_ticket(STREAM* s, uint8 tag, Ticket* ticket) -{ - uint8* bm; - int totlen, len, tmp, verlen; - totlen = 0; - stream_get_mark(s, bm); - - /* Contextual tag */ - if((len = krb_decode_contextual_tag(s, tag, &verlen)) == 0) - goto err; - - totlen += len; - - /* Application Tag 1 */ - if(((len = krb_decode_application_tag(s, 1, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -=len; - - if((verlen <= 0) || ((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - /* tkt vno[0] */ - if((verlen <= 0) || ((len = krb_decode_int(s, 0, (uint32*)&(ticket->tktvno))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* realm[1] */ - if((verlen <= 0) || ((len = krb_decode_string(s, 1, &(ticket->realm))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* sname[2] */ - if((verlen <= 0) || ((len = krb_decode_sname(s, 2, &(ticket->sname))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* Encrypted Data[3] */ - if((verlen <= 0) || ((len = krb_decode_contextual_tag(s, 3, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if((verlen <= 0) || ((len = krb_decode_encrypted_data(s, &(ticket->enc_part))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - stream_set_mark(s, bm); - kerberos_free_ticket(ticket); - return 0; -} - -int krb_decode_kdc_rep(STREAM* s, KrbKDCREP* kdc_rep, sint32 maxlen) -{ - uint8* bm; - int totlen, len, tmp, verlen; - totlen = 0; - stream_get_mark(s, bm); - - /* sequence tag */ - if(((len = krb_decode_sequence_tag(s, &verlen)) == 0) || (verlen != (maxlen - len))) - goto err; - - totlen += len; - - /* version no[0] */ - if(((len = krb_decode_int(s, 0, (uint32*)&(kdc_rep->pvno))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* msg type[1] */ - if((verlen <= 0) || ((len = krb_decode_int(s, 1, (uint32*)&(kdc_rep->type))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* PA-DATA[2] OPTIONAL */ - if(verlen <= 0) - goto err; - len = krb_decode_contextual_tag(s, 2, &tmp); - totlen += len + tmp; - verlen -= (len + tmp); - stream_seek(s, tmp); - - /* crealm[3] */ - if((verlen <= 0) || ((len = krb_decode_string(s, 3, &(kdc_rep->realm))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* cname[4] */ - if((verlen <= 0) || ((len = krb_decode_cname(s, 4, &(kdc_rep->cname))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* ticket[5] */ - if((verlen <= 0) || ((len = krb_decode_ticket(s, 5, &(kdc_rep->etgt))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* enc_part[6] */ - if((verlen <= 0) || ((len = krb_decode_contextual_tag(s, 6, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - totlen += len; - verlen -= len; - - if((verlen <= 0) || ((len = krb_decode_encrypted_data(s, &(kdc_rep->enc_part))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - kerberos_free_kdcrep(kdc_rep); - return 0; -} - -int krb_decode_krb_error(STREAM* s, KrbERROR* krb_err, sint32 maxlen) -{ - uint8* bm; - int totlen, len, verlen; - int i, tag; - totlen = tag = 0; - stream_get_mark(s, bm); - - /* sequence tag */ - if(((len = krb_decode_sequence_tag(s, &verlen)) == 0) || (verlen != (maxlen - len))) - goto err; - - totlen += len; - - /* version no[0] */ - if(((len = krb_decode_int(s, tag++, (uint32*)&(krb_err->pvno))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* msg type[1] */ - if((verlen <= 0) || ((len = krb_decode_int(s, tag++, (uint32*)&(krb_err->type))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* skip tag 2 3 */ - for(i = 2;i < 4;i++) - { - if(verlen <= 0) - goto err; - - len = krb_skip_contextual_tag(s, tag++); - verlen -= len; - totlen += len; - } - - /* stime[4] */ - if((verlen <= 0) || ((len = krb_decode_time(s, tag++, &(krb_err->stime))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* skip tag 5 */ - if(verlen <= 0) - goto err; - len = krb_skip_contextual_tag(s, tag++); - - totlen += len; - verlen -= len; - - /* error code[6] */ - if((verlen <= 0) || ((len = krb_decode_int(s, tag++, (uint32*)&(krb_err->errcode))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* skip tag 7, 8, 9, 10, 11 */ - for(i = 7;i < 12;i++) - { - if(verlen <= 0) - goto err; - else if(verlen == 0) - return totlen; - - len = krb_skip_contextual_tag(s, tag++); - verlen -= len; - totlen += len; - } - - /* edata (tag 12) */ - if((verlen < 0) || ((len = krb_decode_octet_string(s, tag++, (uint8**)&(krb_err->edata.data), &(krb_err->edata.length))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - krb_free_krb_error(krb_err); - return 0; -} - -ENCKDCREPPart* krb_decode_enc_reppart(rdpBlob* msg, uint8 apptag) -{ - int len, tmp, verlen; - STREAM* s; - char* timestr; - ENCKDCREPPart* reppart; - - reppart = xnew(ENCKDCREPPart); - s = stream_new(0); - stream_attach(s, ((uint8*) msg->data) + 24, msg->length); - verlen = msg->length - 24; - - /* application tag */ - if((verlen <= 0) || ((len = krb_decode_application_tag(s, apptag, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - verlen -= len; - - /* sequence tag */ - if((verlen <= 0) || ((len = krb_decode_sequence_tag(s, &tmp)) == 0) || (tmp != (verlen - len))) - goto err; - - verlen -= len; - - /* skey[0] */ - if((verlen <= 0) || ((len = krb_decode_contextual_tag(s, 0, &tmp)) == 0)) - goto err; - - verlen -= len; - - if((verlen <= 0) || ((len = krb_decode_enckey(s, &(reppart->key))) == 0)) - goto err; - - verlen -= len; - - /* skip tag 1 (last req) */ - if(verlen <= 0) - goto err; - len = krb_skip_contextual_tag(s, 1); - - verlen -= len; - - /* nonce[2] */ - - if((verlen <= 0) || ((len = krb_decode_int(s, 2, (uint32*)&(reppart->nonce))) == 0)) - goto err; - - verlen -= len; - - /* skip tag 3 (key expiration) */ - if(verlen <= 0) - goto err; - len = krb_skip_contextual_tag(s, 3); - - verlen -= len; - - /* TicketFlags[4] */ - if((verlen <= 0) || ((len = krb_decode_flags(s, 4, (uint32*)&(reppart->flags))) == 0)) - goto err; - - verlen -= len; - - /* authtime[5] */ - if((verlen <= 0) || ((len = krb_decode_time(s, 5, ×tr)) == 0)) - goto err; - - reppart->authtime = get_local_time(timestr); - verlen -= len; - xfree(timestr); - - /* skip tag 6 (start time) */ - if(verlen <= 0) - goto err; - len = krb_skip_contextual_tag(s, 6); - - verlen -= len; - - /* endtime[7] */ - if((verlen <= 0) || ((len = krb_decode_time(s, 7, ×tr)) == 0)) - goto err; - - reppart->endtime = get_local_time(timestr); - verlen -= len; - xfree(timestr); - - /* skip tag 8 (renew till) */ - if(verlen <= 0) - goto err; - len = krb_skip_contextual_tag(s, 8); - - verlen -= len; - - /* realm[9] */ - if((verlen <= 0) || ((len = krb_decode_string(s, 9, &(reppart->realm))) == 0)) - goto err; - - verlen -= len; - - /* sname[10] */ - if((verlen <= 0) || ((len = krb_decode_sname(s, 10, &(reppart->sname))) == 0)) - goto err; - - verlen -= len; - - /* skip tag 11, 12 (tag 12 is supported enctypes) */ - if(verlen <= 0) - goto err; - - len = krb_skip_contextual_tag(s, 11); - len += krb_skip_contextual_tag(s, 12); - - verlen -= len; - - if(verlen != 0) - goto err; - - stream_detach(s); - stream_free(s) ; - return reppart; - err: - kerberos_free_reppart(reppart); - xfree(reppart); - stream_detach(s) ; - stream_free(s) ; - return NULL; -} - -int krb_decode_tgtrep(STREAM* s, KrbTGTREP* krb_tgtrep) -{ - uint8* bm; - int totlen, len, verlen; - totlen = 0; - stream_get_mark(s, bm); - - /* sequence tag */ - if(((len = krb_decode_sequence_tag(s, &verlen)) == 0)) - goto err; - - totlen += len; - - /* version no[0] */ - if(((len = krb_decode_int(s, 0, (uint32*)&(krb_tgtrep->pvno))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* msg type[1] */ - if((verlen <= 0) || ((len = krb_decode_int(s, 1, (uint32*)&(krb_tgtrep->type))) == 0)) - goto err; - - totlen += len; - verlen -= len; - - /* ticket[2] */ - if((verlen <= 0) || ((len = krb_decode_ticket(s, 2, &(krb_tgtrep->ticket))) == 0)) - goto err; - - totlen += len; - - if(verlen != len) - goto err; - - return totlen; - - err: - stream_set_mark(s, bm); - return 0; -} - diff --git a/winpr/sspi/Kerberos/kerberos_decode.h b/winpr/sspi/Kerberos/kerberos_decode.h deleted file mode 100644 index 8674deeab..000000000 --- a/winpr/sspi/Kerberos/kerberos_decode.h +++ /dev/null @@ -1,47 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol DER Decode - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include - -#include "kerberos.h" - -#ifndef FREERDP_SSPI_KERBEROS_DECODE_H -#define FREERDP_SSPI_KERBEROS_DECODE_H - -int krb_decode_application_tag(STREAM* s, uint8 tag, int *length); -int krb_decode_sequence_tag(STREAM* s, int *length); -int krb_skip_contextual_tag(STREAM* s, uint8 tag); -int krb_decode_contextual_tag(STREAM* s, uint8 tag, int *length); -int krb_decode_integer(STREAM* s, uint32* value); -int krb_decode_time(STREAM* s, uint8 tag, char** str); -int krb_decode_int(STREAM* s, uint8 tag, uint32* result); -int krb_decode_flags(STREAM* s, uint8 tag, uint32* flags); -int krb_decode_string(STREAM* s, uint8 tag, char** str); -int krb_decode_octet_string(STREAM* s, uint8 tag, uint8** data, int* length); -int krb_decode_cname(STREAM* s, uint8 tag, char** str); -int krb_decode_sname(STREAM* s, uint8 tag, char** str); -int krb_decode_enckey(STREAM* s, KrbENCKey* key); -int krb_decode_encrypted_data(STREAM* s, KrbENCData* enc_data); -int krb_decode_ticket(STREAM* s, uint8 tag, Ticket* ticket); -int krb_decode_kdc_rep(STREAM* s, KrbKDCREP* kdc_rep, sint32 maxlen); -int krb_decode_krb_error(STREAM* s, KrbERROR* krb_err, sint32 maxlen); -ENCKDCREPPart* krb_decode_enc_reppart(rdpBlob* msg, uint8 apptag); -int krb_decode_tgtrep(STREAM* s, KrbTGTREP* krb_tgtrep); - -#endif /* FREERDP_SSPI_KERBEROS_DECODE_H */ diff --git a/winpr/sspi/Kerberos/kerberos_encode.c b/winpr/sspi/Kerberos/kerberos_encode.c deleted file mode 100644 index b5c3bc74a..000000000 --- a/winpr/sspi/Kerberos/kerberos_encode.c +++ /dev/null @@ -1,410 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol DER Encode - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "kerberos_encode.h" - -int kerberos_encode_sequence_tag(STREAM* s, uint32 len) -{ - uint8* bm; - uint32 totlen; - totlen = _GET_BYTE_LENGTH(len + 2) + 1; - stream_rewind(s, totlen); - stream_get_mark(s, bm); - der_write_sequence_tag(s, len); - stream_set_mark(s, bm); - return totlen; -} - -int kerberos_encode_contextual_tag(STREAM* s, uint8 tag, uint32 len) -{ - uint8* bm; - uint32 totlen; - totlen = _GET_BYTE_LENGTH(len) + 1; - stream_rewind(s, totlen); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, len, true); - stream_set_mark(s, bm); - return totlen; -} - -int kerberos_encode_application_tag(STREAM* s, uint8 tag, uint32 len) -{ - uint8* bm; - uint32 totlen; - totlen = _GET_BYTE_LENGTH(len) + 1; - stream_rewind(s, totlen); - stream_get_mark(s, bm); - der_write_application_tag(s, tag, len); - stream_set_mark(s, bm); - return totlen; -} - -int kerberos_encode_recordmark(STREAM* s, uint32 len) -{ - uint8* bm; - stream_rewind(s, 4); - stream_get_mark(s, bm); - stream_write_uint32_be(s, len); - stream_set_mark(s, bm); - return 4; -} - -int kerberos_encode_cname(STREAM* s, uint8 tag, char* cname) -{ - uint8* bm; - uint32 len; - char* names[2]; - - names[0] = cname; - names[1] = NULL; - - len = strlen(cname) + 15; - stream_rewind(s, len); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, len - 2, true); - der_write_principal_name(s, NAME_TYPE_PRINCIPAL, names); - stream_set_mark(s, bm); - - return len; -} - -int kerberos_encode_sname(STREAM* s, uint8 tag, char* sname) -{ - uint8* bm; - char* str; - char* names[3]; - uint32 len, tmp; - - len = strlen(sname) - 1 + 17; - - stream_rewind(s, len); - stream_get_mark(s, bm); - - der_write_contextual_tag(s, tag, len - 2, true); - - tmp = strchr(sname, '/') - sname; - - str = (char*) xzalloc(tmp + 1); - strncpy(str, sname, tmp); - - names[0] = str; - names[1] = sname + tmp + 1; - names[2] = NULL; - - der_write_principal_name(s, NAME_TYPE_SERVICE, names); - - xfree(str); - stream_set_mark(s, bm); - - return len; -} - -int kerberos_encode_uint8(STREAM* s, uint8 tag, uint8 val) -{ - uint8* bm; - stream_rewind(s, 5); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, 3, true); - der_write_integer(s, val); - stream_set_mark(s, bm); - return 5; -} - -int kerberos_encode_integer(STREAM* s, uint8 tag, int val) -{ - uint8* bm; - uint32 totlen; - totlen = der_skip_integer(val); - stream_rewind(s, totlen + 2); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, totlen, true); - der_write_integer(s, val); - stream_set_mark(s, bm); - return (totlen + 2); -} - -int kerberos_encode_options(STREAM* s, uint8 tag, uint32 options) -{ - uint8* bm; - stream_rewind(s, 9); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, 7, true); - der_write_bit_string_tag(s, 5, 0); - stream_write_uint32_be(s, options); - stream_set_mark(s, bm); - return 9; -} - -int kerberos_encode_string(STREAM* s, uint8 tag, char* str) -{ - uint8* bm; - uint32 len; - len = strlen(str); - stream_rewind(s, len + 4); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, len + 2, true); - der_write_general_string(s, str); - stream_set_mark(s, bm); - return (len + 4); -} - -int kerberos_encode_time(STREAM* s, uint8 tag, char* strtime) -{ - uint8* bm; - stream_rewind(s, 19); - stream_get_mark(s, bm); - der_write_contextual_tag(s, tag, 17, true); - der_write_generalized_time(s, strtime); - stream_set_mark(s, bm); - return 19; -} - -int kerberos_encode_octet_string(STREAM* s, uint8* string, uint32 len) -{ - uint8* bm; - uint32 totlen; - totlen = len + _GET_BYTE_LENGTH(len) + 1; - stream_rewind(s, totlen); - stream_get_mark(s, bm); - der_write_octet_string(s, string, len); - stream_set_mark(s, bm); - return totlen; -} - -int kerberos_encode_encrypted_data(STREAM* s, KrbENCData* enc_data) -{ - uint32 totlen; - - /* Encrypted Data[2] */ - totlen = kerberos_encode_octet_string(s, (enc_data->encblob).data, (enc_data->encblob).length); - totlen += kerberos_encode_contextual_tag(s, 2, totlen); - - /* Encrypted key version no[1] */ - if(enc_data->kvno != -1) - totlen += kerberos_encode_uint8(s, 1, enc_data->kvno); - - /* Encrypted Type[0] */ - totlen += kerberos_encode_integer(s, 0, enc_data->enctype); - - totlen += kerberos_encode_sequence_tag(s, totlen); - return totlen; -} - -int kerberos_encode_checksum(STREAM* s, rdpBlob* cksum, int cktype) -{ - uint32 totlen; - - /* Checksum Data[1] */ - totlen = kerberos_encode_octet_string(s, cksum->data, cksum->length); - totlen += kerberos_encode_contextual_tag(s, 1, totlen); - - /* Checksum Type[0] */ - totlen += kerberos_encode_integer(s, 0, cktype); - - totlen += kerberos_encode_sequence_tag(s, totlen); - return totlen; -} - -int kerberos_encode_padata(STREAM* s, PAData** pa_data) -{ - uint32 totlen; - uint32 curlen; - PAData** lpa_data; - - totlen = 0; - lpa_data = pa_data; - - while (*lpa_data != NULL) - { - /* padata value */ - curlen = kerberos_encode_octet_string(s, ((*lpa_data)->value).data, ((*lpa_data)->value).length); - curlen += kerberos_encode_contextual_tag(s, 2, curlen); - - /* padata type */ - curlen += kerberos_encode_integer(s, 1, ((*lpa_data)->type)); - curlen += kerberos_encode_sequence_tag(s, curlen); - totlen += curlen; - lpa_data++; - } - - totlen += kerberos_encode_sequence_tag(s, totlen); - - return totlen; -} - -int kerberos_encode_authenticator(STREAM* s, Authenticator* krb_auth) -{ - uint8* bm; - uint32 totlen, curlen; - - /* seq no[7] */ - stream_rewind(s, 8); - stream_get_mark(s, bm); - der_write_contextual_tag(s, 7, 6, true); - der_write_integer(s, krb_auth->seqno); - totlen = 8; - - stream_set_mark(s, bm); - - /* ctime[5] */ - totlen += kerberos_encode_time(s, 5, krb_auth->ctime); - - /* cusec[4] */ - totlen += kerberos_encode_integer(s, 4, krb_auth->cusec); - - /* cksum[3] */ - curlen = kerberos_encode_checksum(s, krb_auth->cksum, krb_auth->cksumtype); - totlen += kerberos_encode_contextual_tag(s, 3, curlen) + curlen; - - /* cname[2] */ - totlen += kerberos_encode_cname(s, 2, krb_auth->cname); - - /* crealm[1] */ - totlen += kerberos_encode_string(s, 1, krb_auth->crealm); - - /* avno[0] */ - totlen += kerberos_encode_uint8(s, 0, krb_auth->avno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - totlen += kerberos_encode_application_tag(s, 2, totlen); - - return totlen; -} - -int kerberos_encode_ticket(STREAM* s, uint8 tag, Ticket* ticket) -{ - uint32 totlen; - - /* Encrypted DATA[3] */ - totlen = kerberos_encode_encrypted_data(s, &(ticket->enc_part)); - totlen += kerberos_encode_contextual_tag(s, 3, totlen); - - /* sname[2] */ - totlen += kerberos_encode_sname(s, 2, ticket->sname); - - /* realm[1] */ - totlen += kerberos_encode_string(s, 1, ticket->realm); - - /* ticket vno[0] */ - totlen += kerberos_encode_uint8(s, 0, ticket->tktvno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - totlen += kerberos_encode_application_tag(s, 1, totlen); - totlen += kerberos_encode_contextual_tag(s, tag, totlen); - - return totlen; -} - -int kerberos_encode_req_body(STREAM* s, KDCReqBody* req_body, int msgtype) -{ - uint8* bm; - uint32 totlen; - totlen = 0; - - /* ETYPE[8] we support des-cbc-crc, rc4-hmac and aes-128-ctc-hmac-sha1-96 only */ - stream_rewind(s, 10); - stream_get_mark(s, bm); - der_write_contextual_tag(s, 8, 8, true); - der_write_sequence_tag(s, 6); - der_write_integer(s, ETYPE_RC4_HMAC); - der_write_integer(s, ETYPE_DES_CBC_CRC); - totlen += 10; - - stream_set_mark(s, bm); - - /* NONCE[7] */ - stream_rewind(s, 8); - stream_get_mark(s, bm); - der_write_contextual_tag(s, 7, 6, true); - der_write_integer(s, req_body->nonce); - totlen += 8; - - stream_set_mark(s, bm); - - /* till[5] and rtime (tag 6)*/ - totlen += kerberos_encode_time(s, 6, req_body->rtime); - totlen += kerberos_encode_time(s, 5, req_body->till); - - /* SNAME[3]*/ - totlen += kerberos_encode_sname(s, 3, req_body->sname); - - /* REALM[2] */ - totlen += kerberos_encode_string(s, 2, req_body->realm); - - /* CNAME[1] */ - totlen += kerberos_encode_cname(s, 1, req_body->cname); - - /* KDCOptions[0]*/ - totlen += kerberos_encode_options(s, 0, req_body->kdc_options); - - /* KDC_BODY */ - totlen += kerberos_encode_sequence_tag(s, totlen); - - return totlen; -} - -int kerberos_encode_apreq(STREAM* s, KrbAPREQ* krb_apreq) -{ - uint32 totlen; - - /* Encrypted Authenticator[4] */ - totlen = kerberos_encode_encrypted_data(s, &(krb_apreq->enc_auth)); - totlen += kerberos_encode_contextual_tag(s, 4, totlen); - - /* Ticket[3] */ - totlen += kerberos_encode_ticket(s, 3, krb_apreq->ticket); - - /* APOPTIONS[2] */ - totlen += kerberos_encode_options(s, 2, krb_apreq->ap_options); - - /* MSGTYPE[1] */ - totlen += kerberos_encode_uint8(s , 1, krb_apreq->type); - - /* VERSION NO[0] */ - totlen += kerberos_encode_uint8(s, 0, krb_apreq->pvno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - totlen += kerberos_encode_application_tag(s, krb_apreq->type, totlen); - - return totlen; -} - -int kerberos_encode_tgtreq(STREAM* s, KrbTGTREQ* krb_tgtreq) -{ - uint32 totlen; - totlen = 0; - - /* realm[3] optional */ - if (krb_tgtreq->realm != NULL) - totlen += kerberos_encode_string(s, 3, krb_tgtreq->realm); - - /* sname[2] optional */ - if (krb_tgtreq->sname != NULL) - totlen += kerberos_encode_sname(s, 3, krb_tgtreq->sname); - - /* msgtype[1] */ - totlen += kerberos_encode_uint8(s , 1, krb_tgtreq->type); - - /* pvno[0] */ - totlen += kerberos_encode_uint8(s, 0, krb_tgtreq->pvno); - - totlen += kerberos_encode_sequence_tag(s, totlen); - - return totlen; -} diff --git a/winpr/sspi/Kerberos/kerberos_encode.h b/winpr/sspi/Kerberos/kerberos_encode.h deleted file mode 100644 index 4910a5194..000000000 --- a/winpr/sspi/Kerberos/kerberos_encode.h +++ /dev/null @@ -1,48 +0,0 @@ -/** - * WinPR: Windows Portable Runtime - * Kerberos Auth Protocol DER Encode - * - * Copyright 2011 Samsung, Author Jiten Pathy - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include - -#include "kerberos.h" - -#ifndef WINPR_SSPI_KERBEROS_ENCODE_H -#define WINPR_SSPI_KERBEROS_ENCODE_H - -int kerberos_encode_sequence_tag(STREAM* s, uint32 len); -int kerberos_encode_contextual_tag(STREAM* s, uint8 tag, uint32 len); -int kerberos_encode_application_tag(STREAM* s, uint8 tag, uint32 len); -int kerberos_encode_recordmark(STREAM* s, uint32 len); -int kerberos_encode_cname(STREAM* s, uint8 tag, char* cname); -int kerberos_encode_sname(STREAM* s, uint8 tag, char* sname); -int kerberos_encode_uint8(STREAM* s, uint8 tag, uint8 val); -int kerberos_encode_integer(STREAM* s, uint8 tag, int val); -int kerberos_encode_options(STREAM* s, uint8 tag, uint32 options); -int kerberos_encode_string(STREAM* s, uint8 tag, char* str); -int kerberos_encode_time(STREAM* s, uint8 tag, char* strtime); -int kerberos_encode_octet_string(STREAM* s, uint8* string, uint32 len); -int kerberos_encode_padata(STREAM* s, PAData** pa_data); -int kerberos_encode_encrypted_data(STREAM* s, KrbENCData* enc_data); -int kerberos_encode_checksum(STREAM* s, rdpBlob* cksum, int cktype); -int kerberos_encode_authenticator(STREAM* s, Authenticator *krb_auth); -int kerberos_encode_ticket(STREAM* s, uint8 tag, Ticket* ticket); -int kerberos_encode_req_body(STREAM* s, KDCReqBody* req_body, int msgtype); -int kerberos_encode_apreq(STREAM* s, KrbAPREQ* krb_apreq); -int kerberos_encode_tgtreq(STREAM* s, KrbTGTREQ* krb_tgtreq); - -#endif /* WINPR_SSPI_KERBEROS_ENCODE_H */ diff --git a/winpr/sspi/Negotiate/negotiate.c b/winpr/sspi/Negotiate/negotiate.c index 0052f2a7e..3af655e5e 100644 --- a/winpr/sspi/Negotiate/negotiate.c +++ b/winpr/sspi/Negotiate/negotiate.c @@ -180,13 +180,9 @@ SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesA(PCredHandle phCr if (ulAttribute == SECPKG_CRED_ATTR_NAMES) { CREDENTIALS* credentials; - //SecPkgCredentials_Names* credential_names = (SecPkgCredentials_Names*) pBuffer; credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential); - //if (credentials->identity.Flags == SEC_WINNT_AUTH_IDENTITY_ANSI) - // credential_names->sUserName = xstrdup((char*) credentials->identity.User); - return SEC_E_OK; } diff --git a/winpr/sspi/Negotiate/negotiate.h b/winpr/sspi/Negotiate/negotiate.h index fc85b5198..2f19a66e3 100644 --- a/winpr/sspi/Negotiate/negotiate.h +++ b/winpr/sspi/Negotiate/negotiate.h @@ -21,9 +21,6 @@ #define WINPR_SSPI_NEGOTIATE_PRIVATE_H #include -#include - -#include "../Kerberos/kerberos.h" #include "../sspi.h" @@ -41,7 +38,7 @@ typedef enum _NEGOTIATE_STATE NEGOTIATE_STATE; struct _NEGOTIATE_CONTEXT { NEGOTIATE_STATE state; - uint32 NegotiateFlags; + UINT32 NegotiateFlags; PCtxtHandle auth_ctx; SEC_WINNT_AUTH_IDENTITY identity; SecBuffer NegoInitMessage;