1305 lines
32 KiB
C
1305 lines
32 KiB
C
/**
|
|
* FreeRDP: A Remote Desktop Protocol Client
|
|
* Kerberos Auth Protocol
|
|
*
|
|
* Copyright 2011 Samsung, Author Jiten Pathy
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
|
|
#ifndef _WIN32
|
|
#include <unistd.h>
|
|
#include <netdb.h>
|
|
#include <net/if.h>
|
|
#include <unistd.h>
|
|
#include <sys/ioctl.h>
|
|
#include <sys/socket.h>
|
|
#endif
|
|
|
|
#include "kerberos.h"
|
|
#include "kerberos_crypto.h"
|
|
#include "kerberos_encode.h"
|
|
#include "kerberos_decode.h"
|
|
|
|
#include <freerdp/sspi/sspi.h>
|
|
|
|
#include <freerdp/utils/tcp.h>
|
|
#include <freerdp/utils/time.h>
|
|
#include <freerdp/utils/blob.h>
|
|
#include <freerdp/utils/print.h>
|
|
#include <freerdp/utils/memory.h>
|
|
#include <freerdp/utils/unicode.h>
|
|
|
|
#include "../sspi.h"
|
|
|
|
char* KRB_PACKAGE_NAME = "Kerberos";
|
|
|
|
boolean tcp_is_ipaddr(const char* hostname)
|
|
{
|
|
char* s;
|
|
uint8 dotcnt, digcnt;
|
|
char val;
|
|
s = (char*)hostname;
|
|
dotcnt = digcnt = 0;
|
|
while((s - hostname) < 15 && (*s != '\0'))
|
|
{
|
|
val = *s;
|
|
if(!isdigit(val) && (val != '.'))
|
|
return false;
|
|
if(val == '.')
|
|
if((digcnt == 0) && (dotcnt == 0))
|
|
return false;
|
|
else
|
|
{
|
|
if(dotcnt >= 3)
|
|
return false;
|
|
dotcnt++;
|
|
digcnt = 0;
|
|
}
|
|
else
|
|
if(digcnt >= 3)
|
|
return false;
|
|
else
|
|
digcnt++;
|
|
s++;
|
|
}
|
|
if((*s != '\0') || (dotcnt < 3) || (digcnt == 0))
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
char* get_utc_time(time_t t)
|
|
{
|
|
char* str;
|
|
struct tm* utc;
|
|
|
|
if (t == 0)
|
|
t = time(NULL);
|
|
|
|
utc = gmtime(&t);
|
|
str = (char*) xzalloc(16);
|
|
strftime(str, 16, "%Y%m%d%H%M%SZ", utc);
|
|
|
|
return str;
|
|
}
|
|
|
|
time_t get_local_time(char* str)
|
|
{
|
|
return freerdp_get_unix_time_from_generalized_time(str);
|
|
}
|
|
|
|
time_t get_clock_skew(char* str)
|
|
{
|
|
time_t ctime;
|
|
ctime = time(NULL);
|
|
return (get_local_time(str) - ctime);
|
|
}
|
|
|
|
char* get_dns_queryname(char *host, char* protocol)
|
|
{
|
|
char* qname;
|
|
uint32 buflen;
|
|
buflen = 0;
|
|
|
|
if(protocol)
|
|
buflen = strlen(protocol);
|
|
|
|
buflen += strlen(host)+strlen(SERVICE)+1;
|
|
qname = (char*)xzalloc(buflen);
|
|
strcat(qname, SERVICE);
|
|
|
|
if(protocol)
|
|
strcat(qname, protocol);
|
|
|
|
strcat(qname, host);
|
|
|
|
return qname;
|
|
}
|
|
|
|
int get_krb_realm(rdpSettings* settings)
|
|
{
|
|
#ifdef WITH_RESOLV
|
|
char* s;
|
|
char* queryname;
|
|
int reslen;
|
|
unsigned char response[2048];
|
|
char ns_realm[2048];
|
|
ns_msg handle;
|
|
ns_rr rr;
|
|
s = settings->hostname;
|
|
if (settings->kerberos_realm)
|
|
return 0;
|
|
do
|
|
{
|
|
queryname = get_dns_queryname(s, NULL);
|
|
|
|
if ((reslen = res_query(queryname, ns_c_in, ns_t_txt, response, sizeof(response))))
|
|
{
|
|
ns_initparse(response, reslen, &handle);
|
|
ns_parserr(&handle, ns_s_an, 0, &rr);
|
|
if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle), ns_rr_rdata(rr), (char*)ns_realm, sizeof(ns_realm)) < 0)
|
|
goto end;
|
|
else
|
|
settings->kerberos_realm = xstrdup(ns_realm);
|
|
xfree(queryname);
|
|
return 0;
|
|
}
|
|
|
|
end:
|
|
xfree(queryname);
|
|
for (;*s != '.' && *s != '\0';s++);
|
|
if (*s != '\0')
|
|
s++;
|
|
}
|
|
while (*s != '\0');
|
|
s = settings->hostname;
|
|
for (;*s != '.';s++);
|
|
s++;
|
|
settings->kerberos_realm = xstrdup(s);
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
KDCENTRY* krb_locate_kdc(rdpSettings* settings)
|
|
{
|
|
#ifdef WITH_RESOLV
|
|
char *qname;
|
|
int reslen, i;
|
|
unsigned char response[4096];
|
|
char kdc_host[4096];
|
|
unsigned char* temp;
|
|
KDCENTRY* head;
|
|
KDCENTRY* kdcentry;
|
|
KDCENTRY* srvans;
|
|
ns_msg handle;
|
|
ns_rr rr;
|
|
head = kdcentry = NULL;
|
|
if (get_krb_realm(settings))
|
|
return NULL;
|
|
if (settings->kerberos_kdc)
|
|
{
|
|
srvans = xnew(KDCENTRY);
|
|
srvans->kdchost = xstrdup(settings->kerberos_kdc);
|
|
srvans->port = 88;
|
|
return srvans;
|
|
}
|
|
qname = get_dns_queryname(settings->kerberos_realm, "_tcp.");
|
|
|
|
if ((reslen = res_query(qname, ns_c_in, ns_t_srv, response, sizeof(response))) < 0)
|
|
return NULL;
|
|
|
|
ns_initparse(response, reslen, &handle);
|
|
|
|
for (i = 0;i < ns_msg_count(handle, ns_s_an);i++)
|
|
{
|
|
ns_parserr(&handle, ns_s_an, i, &rr);
|
|
srvans = xnew(KDCENTRY);
|
|
temp = (unsigned char*)ns_rr_rdata(rr);
|
|
GETUINT16(temp, &(srvans->priority));
|
|
GETUINT16(temp, &(srvans->weight));
|
|
GETUINT16(temp, &(srvans->port));
|
|
if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle), temp, (char*)kdc_host, sizeof(kdc_host)) < 0)
|
|
srvans->kdchost = xstrdup((const char*)temp);
|
|
else
|
|
srvans->kdchost = xstrdup(kdc_host);
|
|
if (head == NULL || head->priority > srvans->priority)
|
|
{
|
|
srvans->next = head;
|
|
head = srvans;
|
|
}
|
|
else
|
|
{
|
|
for (kdcentry = head;kdcentry->next != NULL && kdcentry->next->priority < srvans->priority;kdcentry = kdcentry->next);
|
|
srvans->next = kdcentry->next;
|
|
kdcentry->next = srvans;
|
|
}
|
|
}
|
|
|
|
return head;
|
|
#else
|
|
return NULL;
|
|
#endif
|
|
}
|
|
|
|
int krb_tcp_connect(KRB_CONTEXT* krb_ctx, KDCENTRY* entry)
|
|
{
|
|
int sockfd;
|
|
|
|
sockfd = freerdp_tcp_connect(entry->kdchost, entry->port);
|
|
|
|
if (sockfd == -1)
|
|
return -1;
|
|
|
|
krb_ctx->krbhost = xstrdup(entry->kdchost);
|
|
krb_ctx->krbport = entry->port;
|
|
krb_ctx->ksockfd = sockfd;
|
|
|
|
return 0;
|
|
}
|
|
|
|
int krb_tcp_recv(KRB_CONTEXT* krb_ctx, uint8* data, uint32 length)
|
|
{
|
|
return freerdp_tcp_read(krb_ctx->ksockfd, data, length);
|
|
}
|
|
|
|
int krb_tcp_send(KRB_CONTEXT* krb_ctx, uint8* data, uint32 length)
|
|
{
|
|
return freerdp_tcp_write(krb_ctx->ksockfd, data, length);
|
|
}
|
|
|
|
KRB_CONTEXT* kerberos_ContextNew()
|
|
{
|
|
KRB_CONTEXT* context;
|
|
|
|
context = xnew(KRB_CONTEXT);
|
|
|
|
if (context != NULL)
|
|
{
|
|
context->enctype = ETYPE_RC4_HMAC; //choose enc type
|
|
context->state = KRB_STATE_INITIAL;
|
|
context->uniconv = freerdp_uniconv_new();
|
|
}
|
|
|
|
return context;
|
|
}
|
|
|
|
void kerberos_ContextFree(KRB_CONTEXT* krb_ctx)
|
|
{
|
|
if (krb_ctx != NULL)
|
|
{
|
|
xfree(krb_ctx->krbhost);
|
|
xfree(krb_ctx->cname);
|
|
xfree(krb_ctx->realm);
|
|
freerdp_blob_free(&(krb_ctx->passwd));
|
|
|
|
if(krb_ctx->askey != NULL)
|
|
{
|
|
freerdp_blob_free(&(krb_ctx->askey->skey));
|
|
xfree(krb_ctx->askey);
|
|
}
|
|
|
|
if(krb_ctx->tgskey != NULL)
|
|
{
|
|
freerdp_blob_free(&(krb_ctx->tgskey->skey));
|
|
xfree(krb_ctx->tgskey);
|
|
}
|
|
|
|
krb_free_ticket(&(krb_ctx->asticket));
|
|
krb_free_ticket(&(krb_ctx->tgsticket));
|
|
krb_ctx->state = KRB_STATE_FINAL;
|
|
}
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage,
|
|
uint32 fCredentialUse, void* pvLogonID, void* pAuthData, void* pGetKeyFn,
|
|
void* pvGetKeyArgument, PCredHandle phCredential, TimeStamp* ptsExpiry)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage,
|
|
uint32 fCredentialUse, void* pvLogonID, void* pAuthData, void* pGetKeyFn,
|
|
void* pvGetKeyArgument, PCredHandle phCredential, TimeStamp* ptsExpiry)
|
|
{
|
|
CREDENTIALS* credentials;
|
|
SEC_WINNT_AUTH_IDENTITY* identity;
|
|
|
|
if (fCredentialUse == SECPKG_CRED_OUTBOUND)
|
|
{
|
|
credentials = sspi_CredentialsNew();
|
|
identity = (SEC_WINNT_AUTH_IDENTITY*) pAuthData;
|
|
|
|
memcpy(&(credentials->identity), identity, sizeof(SEC_WINNT_AUTH_IDENTITY));
|
|
|
|
sspi_SecureHandleSetLowerPointer(phCredential, (void*) credentials);
|
|
sspi_SecureHandleSetUpperPointer(phCredential, (void*) KRB_PACKAGE_NAME);
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential)
|
|
{
|
|
CREDENTIALS* credentials;
|
|
|
|
if (!phCredential)
|
|
return SEC_E_INVALID_HANDLE;
|
|
|
|
credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
|
|
|
|
if (!credentials)
|
|
return SEC_E_INVALID_HANDLE;
|
|
|
|
sspi_CredentialsFree(credentials);
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(PCredHandle phCredential, uint32 ulAttribute, void* pBuffer)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential, uint32 ulAttribute, void* pBuffer)
|
|
{
|
|
if (ulAttribute == SECPKG_CRED_ATTR_NAMES)
|
|
{
|
|
CREDENTIALS* credentials;
|
|
//SecPkgCredentials_Names* credential_names = (SecPkgCredentials_Names*) pBuffer;
|
|
|
|
credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
|
|
|
|
//if (credentials->identity.Flags == SEC_WINNT_AUTH_IDENTITY_ANSI)
|
|
// credential_names->sUserName = xstrdup((char*) credentials->identity.User);
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
return SEC_E_UNSUPPORTED_FUNCTION;
|
|
}
|
|
|
|
void krb_SetContextIdentity(KRB_CONTEXT* context, SEC_WINNT_AUTH_IDENTITY* identity)
|
|
{
|
|
size_t size;
|
|
/* TEMPORARY workaround for utf8 TODO: UTF16 to utf8 */
|
|
identity->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
|
|
context->identity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
|
|
|
|
if (identity->Flags == SEC_WINNT_AUTH_IDENTITY_ANSI)
|
|
{
|
|
context->identity.User = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->User, &size);
|
|
context->identity.UserLength = (uint32) size;
|
|
|
|
if (identity->DomainLength > 0)
|
|
{
|
|
context->identity.Domain = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->Domain, &size);
|
|
context->identity.DomainLength = (uint32) size;
|
|
}
|
|
else
|
|
{
|
|
context->identity.Domain = (uint16*) NULL;
|
|
context->identity.DomainLength = 0;
|
|
}
|
|
|
|
context->identity.Password = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->Password, &size);
|
|
context->identity.PasswordLength = (uint32) size;
|
|
}
|
|
else
|
|
{
|
|
context->identity.User = (uint16*) xzalloc(identity->UserLength + 1);
|
|
memcpy(context->identity.User, identity->User, identity->UserLength);
|
|
|
|
if (identity->DomainLength > 0)
|
|
{
|
|
context->identity.Domain = (uint16*) xmalloc(identity->DomainLength);
|
|
memcpy(context->identity.Domain, identity->Domain, identity->DomainLength);
|
|
}
|
|
else
|
|
{
|
|
context->identity.Domain = (uint16*) NULL;
|
|
context->identity.DomainLength = 0;
|
|
}
|
|
|
|
context->identity.Password = (uint16*) xzalloc(identity->PasswordLength + 1);
|
|
memcpy(context->identity.Password, identity->Password, identity->PasswordLength);
|
|
identity->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
|
|
}
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext,
|
|
SEC_WCHAR* pszTargetName, uint32 fContextReq, uint32 Reserved1, uint32 TargetDataRep,
|
|
PSecBufferDesc pInput, uint32 Reserved2, PCtxtHandle phNewContext,
|
|
PSecBufferDesc pOutput, uint32* pfContextAttr, PTimeStamp ptsExpiry)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext,
|
|
SEC_CHAR* pszTargetName, uint32 fContextReq, uint32 Reserved1, uint32 TargetDataRep,
|
|
PSecBufferDesc pInput, uint32 Reserved2, PCtxtHandle phNewContext,
|
|
PSecBufferDesc pOutput, uint32* pfContextAttr, PTimeStamp ptsExpiry)
|
|
{
|
|
KRB_CONTEXT* krb_ctx;
|
|
//SECURITY_STATUS status;
|
|
//CREDENTIALS* credentials;
|
|
//PSecBuffer input_SecBuffer;
|
|
//PSecBuffer output_SecBuffer;
|
|
int errcode;
|
|
errcode = 0;
|
|
|
|
krb_ctx = (KRB_CONTEXT*)sspi_SecureHandleGetLowerPointer(phContext);
|
|
|
|
if (!krb_ctx)
|
|
return SEC_E_INVALID_HANDLE;
|
|
else
|
|
{
|
|
while(true)
|
|
{
|
|
switch(krb_ctx->state)
|
|
{
|
|
case KRB_PACKET_ERROR:
|
|
kerberos_ContextFree(krb_ctx);
|
|
return SEC_E_INVALID_HANDLE;
|
|
break;
|
|
case KRB_STATE_INITIAL:
|
|
case KRB_ASREP_ERR:
|
|
krb_asreq_send(krb_ctx, errcode);
|
|
break;
|
|
case KRB_ASREQ_OK:
|
|
errcode = krb_asrep_recv(krb_ctx);
|
|
break;
|
|
case KRB_ASREP_OK:
|
|
krb_tgsreq_send(krb_ctx, 0);
|
|
break;
|
|
case KRB_TGSREQ_OK:
|
|
krb_tgsrep_recv(krb_ctx);
|
|
break;
|
|
case KRB_TGSREP_OK:
|
|
return SEC_I_COMPLETE_AND_CONTINUE;
|
|
break;
|
|
default:
|
|
printf("not implemented\n");
|
|
return -1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
PCtxtHandle krbctx_client_init(rdpSettings* settings, SEC_WINNT_AUTH_IDENTITY* identity)
|
|
{
|
|
SECURITY_STATUS status;
|
|
KDCENTRY* kdclist;
|
|
KDCENTRY* entry;
|
|
KRB_CONTEXT* krb_ctx;
|
|
uint32 fContextReq;
|
|
uint32 pfContextAttr;
|
|
TimeStamp expiration;
|
|
|
|
if (tcp_is_ipaddr(settings->hostname))
|
|
return NULL;
|
|
|
|
kdclist = krb_locate_kdc(settings);
|
|
|
|
/* start the state machine with initialized to zero */
|
|
krb_ctx = kerberos_ContextNew();
|
|
|
|
for (entry = kdclist;entry != NULL; entry = entry->next)
|
|
{
|
|
if(!krb_tcp_connect(krb_ctx, entry))
|
|
break;
|
|
}
|
|
|
|
if (entry == NULL)
|
|
{
|
|
xfree(krb_ctx);
|
|
return NULL;
|
|
}
|
|
|
|
krb_SetContextIdentity(krb_ctx, identity);
|
|
krb_ctx->realm = xstrtoup(settings->kerberos_realm);
|
|
krb_ctx->cname = xstrdup((char*)krb_ctx->identity.User);
|
|
krb_ctx->settings = settings;
|
|
krb_ctx->passwd.data = freerdp_uniconv_out(krb_ctx->uniconv, (char*) krb_ctx->identity.Password, (size_t*) &(krb_ctx->passwd.length));
|
|
|
|
fContextReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
|
|
ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;
|
|
|
|
sspi_SecureHandleSetLowerPointer(&krb_ctx->context, krb_ctx);
|
|
sspi_SecureHandleSetUpperPointer(&krb_ctx->context, (void*) KRB_PACKAGE_NAME);
|
|
|
|
status = kerberos_InitializeSecurityContextA(NULL, &krb_ctx->context, NULL,
|
|
fContextReq, 0, SECURITY_NATIVE_DREP, NULL, 0, &krb_ctx->context, NULL, &pfContextAttr, &expiration);
|
|
|
|
if(status == SEC_E_INVALID_HANDLE)
|
|
{
|
|
printf("failed to init kerberos\n");
|
|
return NULL;
|
|
}
|
|
else if(status == SEC_I_COMPLETE_AND_CONTINUE)
|
|
{
|
|
printf("successfully obtained ticket for TERMSRV\n");
|
|
return &krb_ctx->context;
|
|
}
|
|
else if(status == -1)
|
|
{
|
|
printf("deadend \n ");
|
|
return NULL;
|
|
}
|
|
else
|
|
{
|
|
printf("shit got wrong in state machine\n");
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
void krb_asreq_send(KRB_CONTEXT* krb_ctx, uint8 errcode)
|
|
{
|
|
KrbASREQ* krb_asreq;
|
|
PAData** pa_data;
|
|
KrbENCData enc_data;
|
|
KrbENCKey* enckey;
|
|
STREAM* s;
|
|
STREAM* paenc;
|
|
rdpBlob msg;
|
|
rdpBlob* encmsg;
|
|
uint32 curlen, totlen, pai;
|
|
uint8 *bm;
|
|
bm = NULL;
|
|
totlen = pai = 0;
|
|
krb_asreq = krb_asreq_new(krb_ctx, errcode);
|
|
pa_data = krb_asreq->padata;
|
|
enckey = NULL;
|
|
s = stream_new(2048);
|
|
paenc = stream_new(100);
|
|
|
|
//Begin write asn1 data reversely into stream
|
|
stream_seek(s, 1024);
|
|
stream_seek(paenc, 99);
|
|
|
|
/* KDC-REQ-BODY (TAG 4) */
|
|
totlen += krb_encode_req_body(s, &(krb_asreq->req_body), krb_asreq->type);
|
|
totlen += krb_encode_contextual_tag(s, 4, totlen);
|
|
|
|
/* padata = PA-ENC-TIMESTAMP */
|
|
if(errcode != 0)
|
|
{
|
|
freerdp_blob_alloc(&msg, 21);
|
|
memcpy(msg.data, "\x30\x13\xa0\x11\x18\x0f", 6); // PA-ENC-TS-ENC without optional pausec
|
|
memcpy(((uint8*) msg.data) + 6, krb_asreq->req_body.from, 15);
|
|
enckey = string2key(&(krb_ctx->passwd), krb_ctx->enctype);
|
|
encmsg = crypto_kdcmsg_encrypt(&msg, enckey, 1); //RFC4757 section 3 for msgtype (T=1)
|
|
enc_data.enctype = enckey->enctype;
|
|
enc_data.kvno = -1;
|
|
enc_data.encblob.data = encmsg->data;
|
|
enc_data.encblob.length = encmsg->length;
|
|
curlen = krb_encode_encrypted_data(paenc, &enc_data);
|
|
freerdp_blob_free(&msg);
|
|
msg.data = paenc->p;
|
|
msg.length = curlen;
|
|
|
|
/* padata = PA-ENC-TIMESTAMP */
|
|
(*(pa_data + pai))->type = 2;
|
|
(*(pa_data + pai))->value = msg;
|
|
pai++;
|
|
freerdp_blob_free(encmsg);
|
|
xfree(encmsg);
|
|
}
|
|
|
|
freerdp_blob_alloc(&msg, 7);
|
|
memcpy(msg.data, "\x30\x05\xa0\03\x01\x01", 6); // asn1 data
|
|
*((uint8*)msg.data + 6) = krb_asreq->pa_pac_request;
|
|
|
|
/* padata = PA-PAC-REQUEST */
|
|
(*(pa_data + pai))->type = 128;
|
|
(*(pa_data + pai))->value = msg;
|
|
|
|
*(pa_data + ++pai) = NULL;
|
|
|
|
/* padata (TAG 3) */
|
|
curlen = krb_encode_padata(s, pa_data);
|
|
totlen += curlen + krb_encode_contextual_tag(s, 3, curlen);
|
|
|
|
/* MSGTYPE = AS-REQ (TAG 2) */
|
|
totlen += krb_encode_uint8(s, 2, krb_asreq->type);
|
|
|
|
/* KERBEROS PROTOCOL VERSION NO (TAG 1)*/
|
|
totlen += krb_encode_uint8(s, 1, krb_asreq->pvno);
|
|
|
|
totlen += krb_encode_sequence_tag(s, totlen);
|
|
totlen += krb_encode_application_tag(s, krb_asreq->type, totlen);
|
|
totlen += krb_encode_recordmark(s, totlen);
|
|
|
|
/* READY SEND */
|
|
krb_tcp_send(krb_ctx, s->p, totlen);
|
|
|
|
/* save stuff */
|
|
krb_ctx->askey = enckey;
|
|
krb_ctx->nonce = krb_asreq->req_body.nonce;
|
|
xfree(krb_ctx->sname);
|
|
krb_ctx->sname = xstrdup(krb_asreq->req_body.sname);
|
|
krb_ctx->ctime = get_local_time(krb_asreq->req_body.from);
|
|
krb_ctx->state = KRB_ASREQ_OK;
|
|
|
|
/* clean up */
|
|
freerdp_blob_free(&msg);
|
|
stream_free(s);
|
|
stream_free(paenc);
|
|
krb_free_asreq(krb_asreq);
|
|
xfree(krb_asreq);
|
|
}
|
|
|
|
int krb_asrep_recv(KRB_CONTEXT* krb_ctx)
|
|
{
|
|
int totlen, tmp, len;
|
|
int errcode;
|
|
STREAM* s;
|
|
KrbERROR* krb_err;
|
|
KrbASREP* krb_asrep;
|
|
KrbKDCREP* kdc_rep;
|
|
errcode = -1;
|
|
s = stream_new(2048);
|
|
krb_tcp_recv(krb_ctx, s->data, s->size);
|
|
|
|
stream_read_uint32_be(s, totlen);
|
|
if(totlen >= 2044) // MALFORMED PACKET
|
|
goto finish;
|
|
|
|
if(((len = krb_decode_application_tag(s, KRB_TAG_ASREP, &tmp)) == 0) || (tmp != (totlen - len))) //NOT AN AS-REP
|
|
{
|
|
if(((len = krb_decode_application_tag(s, KRB_TAG_ERROR, &tmp)) == 0) || (tmp != (totlen - len))) // NOT AN KRB-ERROR
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
goto finish;
|
|
}
|
|
else
|
|
{
|
|
totlen -= len;
|
|
krb_err = xnew(KrbERROR);
|
|
|
|
if((totlen <= 0) || ((len = krb_decode_krb_error(s, krb_err, totlen)) == 0))
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
xfree(krb_err);
|
|
goto finish;
|
|
}
|
|
|
|
/* ERROR CODE */
|
|
errcode = krb_err->errcode;
|
|
if(errcode == KRB_AP_ERR_SKEW)
|
|
{
|
|
krb_ctx->state = KRB_ASREP_ERR;
|
|
goto errclean;
|
|
}
|
|
else if(errcode == KDC_ERR_PREAUTH_REQ)
|
|
{
|
|
/* should parse PA-ENC-TYPE-INFO2 */
|
|
krb_ctx->state = KRB_ASREP_ERR;
|
|
goto errclean;
|
|
}
|
|
else if(errcode == KDC_ERR_C_PRINCIPAL_UNKNOWN)
|
|
{
|
|
printf("KDC_ERR_C_PRINCIPAL_UNKNOWN\n");
|
|
krb_ctx->state = KRB_ASREP_ERR;
|
|
goto errclean;
|
|
}
|
|
else
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
goto errclean;
|
|
}
|
|
errclean:
|
|
krb_free_krb_error(krb_err);
|
|
xfree(krb_err);
|
|
goto finish;
|
|
}
|
|
}
|
|
else /* AS-REP process */
|
|
{
|
|
totlen -= len;
|
|
|
|
krb_asrep = xnew(KrbASREP);
|
|
if(krb_decode_kdc_rep(s, &(krb_asrep->kdc_rep), totlen) == 0)
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
goto finish;
|
|
}
|
|
kdc_rep = &(krb_asrep->kdc_rep);
|
|
|
|
if(krb_verify_kdcrep(krb_ctx, kdc_rep, KRB_TAG_ASREP) == 0)
|
|
krb_ctx->state = KRB_ASREP_OK;
|
|
else
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
|
|
/* clean up */
|
|
krb_free_asrep(krb_asrep);
|
|
xfree(krb_asrep);
|
|
goto finish;
|
|
}
|
|
finish:
|
|
stream_free(s);
|
|
return errcode;
|
|
}
|
|
|
|
void krb_tgsreq_send(KRB_CONTEXT* krb_ctx, uint8 errcode)
|
|
{
|
|
KrbTGSREQ* krb_tgsreq;
|
|
KrbAPREQ* krb_apreq;
|
|
PAData** pa_data;
|
|
Authenticator* krb_auth;
|
|
STREAM* s;
|
|
STREAM* sapreq;
|
|
rdpBlob msg;
|
|
uint32 curlen, totlen, tmp;
|
|
uint8 *bm;
|
|
bm = NULL;
|
|
totlen = tmp = 0;
|
|
krb_tgsreq = krb_tgsreq_new(krb_ctx, errcode);
|
|
krb_auth = xnew(Authenticator);
|
|
pa_data = krb_tgsreq->padata;
|
|
s = stream_new(4096);
|
|
sapreq = stream_new(2048);
|
|
|
|
//Begin write asn1 data reversely into stream
|
|
stream_seek(s, 4095);
|
|
stream_seek(sapreq, 2047);
|
|
|
|
/* KDC-REQ-BODY (TAG 4) */
|
|
totlen += krb_encode_req_body(s, &(krb_tgsreq->req_body), krb_tgsreq->type);
|
|
stream_get_mark(s, bm);
|
|
tmp = totlen;
|
|
totlen += krb_encode_contextual_tag(s, 4, totlen);
|
|
|
|
msg.data = bm;
|
|
msg.length = tmp;
|
|
|
|
/* Authenticator */
|
|
krb_auth->avno = KRB_VERSION;
|
|
krb_auth->cname = krb_ctx->cname;
|
|
krb_auth->crealm = krb_ctx->realm;
|
|
krb_auth->cksumtype = get_cksum_type(krb_ctx->enctype);
|
|
krb_auth->cksum = crypto_kdcmsg_cksum(&msg, krb_ctx->askey, 6); //RFC4757 section 3 for msgtype (T=6)
|
|
krb_auth->ctime = krb_tgsreq->req_body.from;
|
|
krb_auth->cusec = 0;
|
|
crypto_nonce((uint8*)&(krb_auth->seqno), 4);
|
|
|
|
/* PA-TGS-REQ */
|
|
krb_apreq = krb_apreq_new(krb_ctx, &(krb_ctx->asticket), krb_auth);
|
|
curlen = krb_encode_apreq(sapreq, krb_apreq);
|
|
msg.data = sapreq->p;
|
|
msg.length = curlen;
|
|
(*pa_data)->type = 1;
|
|
(*pa_data)->value = msg;
|
|
|
|
/* PA-DATA (TAG 3) */
|
|
curlen = krb_encode_padata(s, pa_data);
|
|
totlen += curlen + krb_encode_contextual_tag(s, 3, curlen);
|
|
|
|
/* MSGTYPE (TAG 2) */
|
|
totlen += krb_encode_uint8(s, 2, krb_tgsreq->type);
|
|
|
|
/* VERSION NO (TAG 1) */
|
|
totlen += krb_encode_uint8(s, 1, krb_tgsreq->pvno);
|
|
|
|
totlen += krb_encode_sequence_tag(s, totlen);
|
|
totlen += krb_encode_application_tag(s, krb_tgsreq->type, totlen);
|
|
totlen += krb_encode_recordmark(s, totlen);
|
|
|
|
/* READY SEND */
|
|
krb_tcp_send(krb_ctx, s->p, totlen);
|
|
|
|
/* save stuff */
|
|
krb_ctx->nonce = krb_tgsreq->req_body.nonce;
|
|
xfree(krb_ctx->sname);
|
|
krb_ctx->sname = xstrdup(krb_tgsreq->req_body.sname);
|
|
krb_ctx->ctime = get_local_time(krb_tgsreq->req_body.from);
|
|
krb_ctx->state = KRB_TGSREQ_OK;
|
|
|
|
/* clean up */
|
|
freerdp_blob_free(krb_auth->cksum);
|
|
xfree(krb_auth->cksum);
|
|
xfree(krb_auth);
|
|
krb_free_tgsreq(krb_tgsreq);
|
|
xfree(krb_tgsreq);
|
|
stream_free(sapreq);
|
|
stream_free(s);
|
|
}
|
|
|
|
int krb_tgsrep_recv(KRB_CONTEXT* krb_ctx)
|
|
{
|
|
int totlen, tmp, len;
|
|
int errcode;
|
|
STREAM* s;
|
|
KrbTGSREP* krb_tgsrep;
|
|
KrbKDCREP* kdc_rep;
|
|
errcode = -1;
|
|
s = stream_new(2048);
|
|
krb_tcp_recv(krb_ctx, s->data, s->size);
|
|
|
|
stream_read_uint32_be(s, totlen);
|
|
if(totlen >= 2044) // MALFORMED PACKET
|
|
goto finish;
|
|
|
|
if(((len = krb_decode_application_tag(s, KRB_TAG_TGSREP, &tmp)) == 0) || (tmp != (totlen - len))) //NOT AN TGS-REP
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
goto finish;
|
|
}
|
|
else /* TGS-REP process */
|
|
{
|
|
totlen -= len;
|
|
|
|
krb_tgsrep = xnew(KrbTGSREP);
|
|
krb_ctx->tgskey = xnew(KrbENCKey);
|
|
if(krb_decode_kdc_rep(s, &(krb_tgsrep->kdc_rep), totlen) == 0)
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
goto finish;
|
|
}
|
|
kdc_rep = &(krb_tgsrep->kdc_rep);
|
|
|
|
if(krb_verify_kdcrep(krb_ctx, kdc_rep, KRB_TAG_TGSREP) == 0)
|
|
krb_ctx->state = KRB_TGSREP_OK;
|
|
else
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
|
|
/* clean up */
|
|
krb_free_tgsrep(krb_tgsrep);
|
|
xfree(krb_tgsrep);
|
|
goto finish;
|
|
}
|
|
finish:
|
|
stream_free(s);
|
|
return errcode;
|
|
}
|
|
|
|
int krb_verify_kdcrep(KRB_CONTEXT* krb_ctx, KrbKDCREP* kdc_rep, int msgtype)
|
|
{
|
|
ENCKDCREPPart* reppart;
|
|
KrbENCKey* key;
|
|
rdpBlob* decmsg;
|
|
uint8 tag;
|
|
tag = 0;
|
|
key = NULL;
|
|
|
|
/* Verify everything */
|
|
if((kdc_rep->pvno != KRB_VERSION) || (kdc_rep->type != msgtype) || strcasecmp(kdc_rep->cname, krb_ctx->cname) || strcasecmp(kdc_rep->realm, krb_ctx->realm))
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
return -1;
|
|
}
|
|
/* decrypt enc-part */
|
|
decmsg = xnew(rdpBlob);
|
|
if(krb_ctx->askey->enctype != kdc_rep->enc_part.enctype && msgtype == KRB_TAG_ASREP)
|
|
{
|
|
freerdp_blob_free(&(krb_ctx->askey->skey));
|
|
xfree(krb_ctx->askey);
|
|
krb_ctx->askey = string2key(&(krb_ctx->passwd), kdc_rep->enc_part.enctype);
|
|
}
|
|
krb_ctx->askey->enctype = kdc_rep->enc_part.enctype;
|
|
decmsg = crypto_kdcmsg_decrypt(&(kdc_rep->enc_part.encblob), krb_ctx->askey, 8); //RFC4757 section 3 for msgtype (T=8)
|
|
|
|
if(msgtype == KRB_TAG_ASREP)
|
|
{
|
|
key = krb_ctx->askey;
|
|
tag = 25;
|
|
}
|
|
else if (msgtype == KRB_TAG_TGSREP)
|
|
{
|
|
key = krb_ctx->tgskey;
|
|
tag = 26;
|
|
}
|
|
|
|
/* KDC-REP-PART decode */
|
|
if(decmsg == NULL || ((reppart = krb_decode_enc_reppart(decmsg, tag)) == NULL))
|
|
{
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
return -1;
|
|
}
|
|
freerdp_blob_free(decmsg);
|
|
xfree(decmsg);
|
|
|
|
/* Verify KDC-REP-PART */
|
|
if(reppart->nonce != krb_ctx->nonce || strcasecmp(reppart->realm, krb_ctx->realm) || strcasecmp(reppart->sname, krb_ctx->sname))
|
|
{
|
|
krb_free_reppart(reppart);
|
|
xfree(reppart);
|
|
krb_ctx->state = KRB_PACKET_ERROR;
|
|
return -1;
|
|
}
|
|
|
|
/* save stuff */
|
|
krb_ctx->clockskew = reppart->authtime - krb_ctx->ctime; //Used to synchronize clocks
|
|
krb_save_ticket(krb_ctx, kdc_rep);
|
|
freerdp_blob_copy(&(key->skey), &(reppart->key.skey));
|
|
key->enctype = reppart->key.enctype;
|
|
krb_free_reppart(reppart);
|
|
xfree(reppart);
|
|
return 0;
|
|
}
|
|
|
|
void krb_save_ticket(KRB_CONTEXT* krb_ctx, KrbKDCREP* kdc_rep)
|
|
{
|
|
Ticket* src;
|
|
Ticket* dst;
|
|
|
|
dst = NULL;
|
|
src = &(kdc_rep->etgt);
|
|
|
|
if (kdc_rep->type == KRB_TAG_ASREP)
|
|
dst = &(krb_ctx->asticket);
|
|
else if (kdc_rep->type == KRB_TAG_TGSREP)
|
|
dst = &(krb_ctx->tgsticket);
|
|
|
|
dst->tktvno = src->tktvno;
|
|
dst->realm = xstrdup(src->realm);
|
|
dst->sname = xstrdup(src->sname);
|
|
dst->enc_part.enctype = src->enc_part.enctype;
|
|
dst->enc_part.kvno = src->enc_part.kvno;
|
|
|
|
freerdp_blob_copy(&(dst->enc_part.encblob), &(src->enc_part.encblob));
|
|
}
|
|
|
|
void krb_reqbody_init(KRB_CONTEXT* krb_ctx, KDCReqBody* req_body, uint8 reqtype)
|
|
{
|
|
time_t t;
|
|
|
|
req_body->cname = xstrdup(krb_ctx->cname);
|
|
req_body->realm = xstrdup(krb_ctx->realm);
|
|
|
|
if (reqtype == KRB_TAG_ASREQ)
|
|
{
|
|
req_body->kdc_options = 0x40000000 | 0x00800000 | 0x00010000 | 0x00000010; /* forwardable , renewable, canonicalize, renewable OK */
|
|
req_body->sname = xzalloc((strlen(req_body->realm) + 8) * sizeof(char));
|
|
strcpy(req_body->sname, KRB_SERVER);
|
|
strcat(req_body->sname, req_body->realm);
|
|
}
|
|
else if (reqtype == KRB_TAG_TGSREQ)
|
|
{
|
|
req_body->kdc_options = 0x40000000 | 0x00800000 | 0x00010000; /* forwardable , renewable, canonicalize */
|
|
req_body->sname = xzalloc((strlen(krb_ctx->settings->hostname) + 10) * sizeof(char));
|
|
strcpy(req_body->sname, APP_SERVER);
|
|
strcat(req_body->sname, krb_ctx->settings->hostname);
|
|
}
|
|
|
|
t = time(NULL);
|
|
t += krb_ctx->clockskew; /* fix clockskew */
|
|
|
|
req_body->from = get_utc_time((time_t)(t));
|
|
req_body->till = get_utc_time((time_t)(t + 473040000));
|
|
req_body->rtime = get_utc_time((time_t)(t + 473040000));
|
|
|
|
crypto_nonce((uint8*) &(req_body->nonce), 4);
|
|
}
|
|
|
|
KrbASREQ* krb_asreq_new(KRB_CONTEXT* krb_ctx, uint8 errcode)
|
|
{
|
|
KrbASREQ* krb_asreq;
|
|
PAData** lpa_data;
|
|
uint8 pacntmax, i;
|
|
pacntmax = 2;
|
|
|
|
krb_asreq = xnew(KrbASREQ);
|
|
krb_asreq->pvno = KRB_VERSION;
|
|
krb_asreq->type = KRB_TAG_ASREQ;
|
|
krb_asreq->pa_pac_request = 0xff; //true
|
|
krb_asreq->padata = (PAData**)xzalloc((pacntmax + 1) * sizeof(PAData*));
|
|
lpa_data = krb_asreq->padata;
|
|
|
|
for (i = 0; i < pacntmax; i++)
|
|
*(lpa_data + i) = (PAData*)xzalloc(sizeof(PAData));
|
|
|
|
krb_reqbody_init(krb_ctx, &(krb_asreq->req_body), krb_asreq->type);
|
|
|
|
return krb_asreq;
|
|
}
|
|
|
|
KrbAPREQ* krb_apreq_new(KRB_CONTEXT* krb_ctx, Ticket* ticket, Authenticator* krb_auth)
|
|
{
|
|
KrbAPREQ* krb_apreq;
|
|
STREAM* as;
|
|
rdpBlob msg;
|
|
rdpBlob* encmsg;
|
|
uint32 len;
|
|
|
|
as = stream_new(1024);
|
|
stream_seek(as, 1023);
|
|
|
|
krb_apreq = xnew(KrbAPREQ);
|
|
krb_apreq->pvno = KRB_VERSION;
|
|
krb_apreq->type = KRB_TAG_APREQ;
|
|
krb_apreq->ap_options = 0x00000000 | 0x00000000 | 0x00000000; /* Reserved (bit 31), Use session Key (bit 30), Mututal Required (bit 29) */
|
|
krb_apreq->ticket = ticket;
|
|
|
|
if (krb_auth != NULL)
|
|
{
|
|
len = krb_encode_authenticator(as, krb_auth);
|
|
msg.data = as->p;
|
|
msg.length = len;
|
|
encmsg = crypto_kdcmsg_encrypt(&msg, krb_ctx->askey, 7); /* RFC4757 section 3 for msgtype (T=7) */
|
|
krb_apreq->enc_auth.enctype = krb_ctx->askey->enctype;
|
|
krb_apreq->enc_auth.kvno = -1;
|
|
krb_apreq->enc_auth.encblob.data = encmsg->data;
|
|
krb_apreq->enc_auth.encblob.length = encmsg->length;
|
|
xfree(encmsg);
|
|
}
|
|
|
|
stream_free(as);
|
|
|
|
return krb_apreq;
|
|
}
|
|
|
|
KrbTGSREQ* krb_tgsreq_new(KRB_CONTEXT* krb_ctx, uint8 errcode)
|
|
{
|
|
KrbTGSREQ* krb_tgsreq;
|
|
uint8 pacntmax;
|
|
pacntmax = 1;
|
|
|
|
krb_tgsreq = xnew(KrbTGSREQ);
|
|
krb_tgsreq->pvno = KRB_VERSION;
|
|
krb_tgsreq->type = KRB_TAG_TGSREQ;
|
|
krb_tgsreq->pa_pac_request = 0xFF; /* true */
|
|
|
|
krb_tgsreq->padata = (PAData**) xzalloc((pacntmax + 1) * sizeof(PAData*));
|
|
*(krb_tgsreq->padata) = xnew(PAData);
|
|
*(krb_tgsreq->padata + 1) = NULL;
|
|
|
|
krb_reqbody_init(krb_ctx, &(krb_tgsreq->req_body), krb_tgsreq->type);
|
|
|
|
return krb_tgsreq;
|
|
}
|
|
|
|
void krb_free_ticket(Ticket* ticket)
|
|
{
|
|
if (ticket != NULL)
|
|
{
|
|
xfree(ticket->realm);
|
|
xfree(ticket->sname);
|
|
freerdp_blob_free(&(ticket->enc_part.encblob));
|
|
ticket->enc_part.encblob.data = NULL;
|
|
}
|
|
}
|
|
|
|
void krb_free_padata(PAData** padata)
|
|
{
|
|
PAData** lpa_data;
|
|
lpa_data = padata;
|
|
|
|
if(lpa_data == NULL)
|
|
return;
|
|
while(*lpa_data != NULL)
|
|
{
|
|
xfree(*lpa_data);
|
|
lpa_data++;
|
|
}
|
|
}
|
|
|
|
void krb_free_kdcrep(KrbKDCREP* kdc_rep)
|
|
{
|
|
if(kdc_rep != NULL)
|
|
{
|
|
krb_free_padata(kdc_rep->padata);
|
|
xfree(kdc_rep->cname);
|
|
xfree(kdc_rep->realm);
|
|
krb_free_ticket(&(kdc_rep->etgt));
|
|
freerdp_blob_free(&(kdc_rep->enc_part.encblob));
|
|
kdc_rep->enc_part.encblob.data = NULL;
|
|
}
|
|
}
|
|
|
|
void krb_free_reppart(ENCKDCREPPart* reppart)
|
|
{
|
|
if(reppart != NULL)
|
|
{
|
|
freerdp_blob_free(&(reppart->key.skey));
|
|
xfree(reppart->sname);
|
|
xfree(reppart->realm);
|
|
}
|
|
}
|
|
|
|
void krb_free_req_body(KDCReqBody* req_body)
|
|
{
|
|
if(req_body != NULL)
|
|
{
|
|
xfree(req_body->sname);
|
|
xfree(req_body->realm);
|
|
xfree(req_body->cname);
|
|
xfree(req_body->from);
|
|
xfree(req_body->till);
|
|
xfree(req_body->rtime);
|
|
}
|
|
}
|
|
|
|
void krb_free_asreq(KrbASREQ* krb_asreq)
|
|
{
|
|
if(krb_asreq != NULL)
|
|
{
|
|
krb_free_padata(krb_asreq->padata);
|
|
krb_free_req_body(&(krb_asreq->req_body));
|
|
}
|
|
}
|
|
|
|
void krb_free_asrep(KrbASREP* krb_asrep)
|
|
{
|
|
if(krb_asrep != NULL)
|
|
{
|
|
krb_free_kdcrep(&(krb_asrep->kdc_rep));
|
|
}
|
|
}
|
|
|
|
void krb_free_tgsreq(KrbTGSREQ* krb_tgsreq)
|
|
{
|
|
if(krb_tgsreq != NULL)
|
|
{
|
|
krb_free_padata(krb_tgsreq->padata);
|
|
krb_free_req_body(&(krb_tgsreq->req_body));
|
|
}
|
|
}
|
|
|
|
void krb_free_tgsrep(KrbTGSREP* krb_tgsrep)
|
|
{
|
|
if(krb_tgsrep != NULL)
|
|
{
|
|
krb_free_kdcrep(&(krb_tgsrep->kdc_rep));
|
|
}
|
|
}
|
|
|
|
void krb_free_krb_error(KrbERROR* krb_err)
|
|
{
|
|
if(krb_err != NULL)
|
|
{
|
|
xfree(krb_err->stime);
|
|
freerdp_blob_free(&(krb_err->edata));
|
|
}
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext, uint32 ulAttribute, void* pBuffer)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext, uint32 ulAttribute, void* pBuffer)
|
|
{
|
|
if (!phContext)
|
|
return SEC_E_INVALID_HANDLE;
|
|
|
|
if (!pBuffer)
|
|
return SEC_E_INSUFFICIENT_MEMORY;
|
|
|
|
if (ulAttribute == SECPKG_ATTR_SIZES)
|
|
{
|
|
SecPkgContext_Sizes* ContextSizes = (SecPkgContext_Sizes*) pBuffer;
|
|
|
|
ContextSizes->cbMaxToken = 2010;
|
|
ContextSizes->cbMaxSignature = 16;
|
|
ContextSizes->cbBlockSize = 0;
|
|
ContextSizes->cbSecurityTrailer = 16;
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
return SEC_E_UNSUPPORTED_FUNCTION;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, uint32 fQOP, PSecBufferDesc pMessage, uint32 MessageSeqNo)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, uint32 MessageSeqNo, uint32* pfQOP)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, uint32 fQOP, PSecBufferDesc pMessage, uint32 MessageSeqNo)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, uint32 MessageSeqNo, uint32* pfQOP)
|
|
{
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
const SecPkgInfoA KERBEROS_SecPkgInfoA =
|
|
{
|
|
0x000F3BBF, /* fCapabilities */
|
|
1, /* wVersion */
|
|
0x0010, /* wRPCID */
|
|
0x00002EE0, /* cbMaxToken */
|
|
"Kerberos", /* Name */
|
|
"Microsoft Kerberos V1.0" /* Comment */
|
|
};
|
|
|
|
const SecPkgInfoW KERBEROS_SecPkgInfoW =
|
|
{
|
|
0x000F3BBF, /* fCapabilities */
|
|
1, /* wVersion */
|
|
0x0010, /* wRPCID */
|
|
0x00002EE0, /* cbMaxToken */
|
|
L"Kerberos", /* Name */
|
|
L"Microsoft Kerberos V1.0" /* Comment */
|
|
};
|
|
|
|
const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA =
|
|
{
|
|
1, /* dwVersion */
|
|
NULL, /* EnumerateSecurityPackages */
|
|
kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */
|
|
kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */
|
|
kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
|
|
NULL, /* Reserved2 */
|
|
kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */
|
|
NULL, /* AcceptSecurityContext */
|
|
NULL, /* CompleteAuthToken */
|
|
NULL, /* DeleteSecurityContext */
|
|
NULL, /* ApplyControlToken */
|
|
kerberos_QueryContextAttributesA, /* QueryContextAttributes */
|
|
NULL, /* ImpersonateSecurityContext */
|
|
NULL, /* RevertSecurityContext */
|
|
kerberos_MakeSignature, /* MakeSignature */
|
|
kerberos_VerifySignature, /* VerifySignature */
|
|
NULL, /* FreeContextBuffer */
|
|
NULL, /* QuerySecurityPackageInfo */
|
|
NULL, /* Reserved3 */
|
|
NULL, /* Reserved4 */
|
|
NULL, /* ExportSecurityContext */
|
|
NULL, /* ImportSecurityContext */
|
|
NULL, /* AddCredentials */
|
|
NULL, /* Reserved8 */
|
|
NULL, /* QuerySecurityContextToken */
|
|
kerberos_EncryptMessage, /* EncryptMessage */
|
|
kerberos_DecryptMessage, /* DecryptMessage */
|
|
NULL, /* SetContextAttributes */
|
|
};
|
|
|
|
const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW =
|
|
{
|
|
1, /* dwVersion */
|
|
NULL, /* EnumerateSecurityPackages */
|
|
kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */
|
|
kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */
|
|
kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */
|
|
NULL, /* Reserved2 */
|
|
kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */
|
|
NULL, /* AcceptSecurityContext */
|
|
NULL, /* CompleteAuthToken */
|
|
NULL, /* DeleteSecurityContext */
|
|
NULL, /* ApplyControlToken */
|
|
kerberos_QueryContextAttributesW, /* QueryContextAttributes */
|
|
NULL, /* ImpersonateSecurityContext */
|
|
NULL, /* RevertSecurityContext */
|
|
kerberos_MakeSignature, /* MakeSignature */
|
|
kerberos_VerifySignature, /* VerifySignature */
|
|
NULL, /* FreeContextBuffer */
|
|
NULL, /* QuerySecurityPackageInfo */
|
|
NULL, /* Reserved3 */
|
|
NULL, /* Reserved4 */
|
|
NULL, /* ExportSecurityContext */
|
|
NULL, /* ImportSecurityContext */
|
|
NULL, /* AddCredentials */
|
|
NULL, /* Reserved8 */
|
|
NULL, /* QuerySecurityContextToken */
|
|
kerberos_EncryptMessage, /* EncryptMessage */
|
|
kerberos_DecryptMessage, /* DecryptMessage */
|
|
NULL, /* SetContextAttributes */
|
|
};
|