search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sspi: use "Schannel" as TLS-DSK provider
[siplcs.git] / src / core / sip-sec-sspi.c
blob97dff01f368c95ee84cb20e47f5b2387e28b55d6
1 /**
2 * @file sip-sec-sspi.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2011-12 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include <stdio.h>
26 #include <windows.h>
27 #include <rpc.h>
28 #ifdef HAVE_CONFIG_H
29 /* This should not affect Makefile.mingw builds, as it doesn't use config.h */
30 #ifndef SECURITY_WIN32
31 #define SECURITY_WIN32 1
32 #endif
33 #endif
34 #include <security.h>
35
36 #include <glib.h>
37
38 #include "sip-sec.h"
39 #include "sip-sec-mech.h"
40 #include "sip-sec-sspi.h"
41 #include "sipe-backend.h"
42
43 /* Mechanism names */
44 #define SSPI_MECH_NTLM "NTLM"
45 #define SSPI_MECH_KERBEROS "Kerberos"
46 #define SSPI_MECH_NEGOTIATE "Negotiate"
47 #define SSPI_MECH_TLS_DSK "Schannel" /* SSL/TLS provider, is this correct? */
48
49 #ifndef ISC_REQ_IDENTIFY
50 #define ISC_REQ_IDENTIFY 0x00002000
51 #endif
52
53 typedef struct _context_sspi {
54 struct sip_sec_context common;
55 CredHandle* cred_sspi;
56 CtxtHandle* ctx_sspi;
57 /** Kerberos or NTLM */
58 const char *mech;
59 } *context_sspi;
60
61 static int
62 sip_sec_get_interval_from_now_sec(TimeStamp timestamp);
63
64 void
65 sip_sec_sspi_print_error(const char *func,
66 SECURITY_STATUS ret);
67
68 /** internal method */
69 static void
70 sip_sec_destroy_sspi_context(context_sspi context)
71 {
72 if (context->ctx_sspi)
73 DeleteSecurityContext(context->ctx_sspi);
74 if (context->cred_sspi)
75 FreeCredentialsHandle(context->cred_sspi);
76 }
77
78 /* sip-sec-mech.h API implementation for SSPI - Kerberos and NTLM */
79
80 static sip_uint32
81 sip_sec_acquire_cred__sspi(SipSecContext context,
82 const char *domain,
83 const char *username,
84 const char *password)
85 {
86 SECURITY_STATUS ret;
87 TimeStamp expiry;
88 SEC_WINNT_AUTH_IDENTITY auth_identity;
89 context_sspi ctx = (context_sspi)context;
90 CredHandle *cred_handle;
91
92 if (username) {
93 if (!password) {
94 return SIP_SEC_E_INTERNAL_ERROR;
95 }
96
97 memset(&auth_identity, 0, sizeof(auth_identity));
98 auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
99
100 if ( domain && (strlen(domain) > 0) ) {
101 auth_identity.Domain = (unsigned char*)domain;
102 auth_identity.DomainLength = strlen(domain);
103 }
104
105 auth_identity.User = (unsigned char*)username;
106 auth_identity.UserLength = strlen(username);
107
108 auth_identity.Password = (unsigned char*)password;
109 auth_identity.PasswordLength = strlen(password);
110 }
111
112 cred_handle = g_malloc0(sizeof(CredHandle));
113
114 ret = AcquireCredentialsHandleA(NULL,
115 (SEC_CHAR *)ctx->mech,
116 SECPKG_CRED_OUTBOUND,
117 NULL,
118 (context->sso || !username) ? NULL : &auth_identity,
119 NULL,
120 NULL,
121 cred_handle,
122 &expiry);
123
124 if (ret != SEC_E_OK) {
125 sip_sec_sspi_print_error("sip_sec_acquire_cred__sspi: AcquireCredentialsHandleA", ret);
126 ctx->cred_sspi = NULL;
127 return SIP_SEC_E_INTERNAL_ERROR;
128 } else {
129 ctx->cred_sspi = cred_handle;
130 return SIP_SEC_E_OK;
131 }
132 }
133
134 static sip_uint32
135 sip_sec_init_sec_context__sspi(SipSecContext context,
136 SipSecBuffer in_buff,
137 SipSecBuffer *out_buff,
138 const char *service_name)
139 {
140 TimeStamp expiry;
141 SecBufferDesc input_desc, output_desc;
142 SecBuffer in_token, out_token;
143 SECURITY_STATUS ret;
144 ULONG req_flags;
145 ULONG ret_flags;
146 context_sspi ctx = (context_sspi)context;
147 CtxtHandle* out_context = g_malloc0(sizeof(CtxtHandle));
148
149 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__sspi: in use");
150
151 input_desc.cBuffers = 1;
152 input_desc.pBuffers = &in_token;
153 input_desc.ulVersion = SECBUFFER_VERSION;
154
155 /* input token */
156 in_token.BufferType = SECBUFFER_TOKEN;
157 in_token.cbBuffer = in_buff.length;
158 in_token.pvBuffer = in_buff.value;
159
160 output_desc.cBuffers = 1;
161 output_desc.pBuffers = &out_token;
162 output_desc.ulVersion = SECBUFFER_VERSION;
163
164 /* to hold output token */
165 out_token.BufferType = SECBUFFER_TOKEN;
166 out_token.cbBuffer = 0;
167 out_token.pvBuffer = NULL;
168
169 req_flags = (ISC_REQ_ALLOCATE_MEMORY |
170 ISC_REQ_INTEGRITY |
171 ISC_REQ_IDENTIFY);
172
173 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_NTLM) &&
174 !context->is_connection_based)
175 {
176 req_flags |= (ISC_REQ_DATAGRAM);
177 }
178
179 ret = InitializeSecurityContextA(ctx->cred_sspi,
180 ctx->ctx_sspi,
181 (SEC_CHAR *)service_name,
182 req_flags,
183 0,
184 SECURITY_NATIVE_DREP,
185 &input_desc,
186 0,
187 out_context,
188 &output_desc,
189 &ret_flags,
190 &expiry);
191
192 if (ret != SEC_E_OK && ret != SEC_I_CONTINUE_NEEDED) {
193 sip_sec_destroy_sspi_context(ctx);
194 sip_sec_sspi_print_error("sip_sec_init_sec_context__sspi: InitializeSecurityContextA", ret);
195 return SIP_SEC_E_INTERNAL_ERROR;
196 }
197
198 out_buff->length = out_token.cbBuffer;
199 out_buff->value = NULL;
200 if (out_token.cbBuffer) {
201 out_buff->value = g_malloc0(out_token.cbBuffer);
202 memmove(out_buff->value, out_token.pvBuffer, out_token.cbBuffer);
203 FreeContextBuffer(out_token.pvBuffer);
204 }
205
206 ctx->ctx_sspi = out_context;
207 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_KERBEROS)) {
208 context->expires = sip_sec_get_interval_from_now_sec(expiry);
209 }
210
211 if (ret == SEC_I_CONTINUE_NEEDED) {
212 return SIP_SEC_I_CONTINUE_NEEDED;
213 } else {
214 return SIP_SEC_E_OK;
215 }
216 }
217
218 static void
219 sip_sec_destroy_sec_context__sspi(SipSecContext context)
220 {
221 sip_sec_destroy_sspi_context((context_sspi)context);
222 g_free(context);
223 }
224
225 /**
226 * @param message a NULL terminated string to sign
227 *
228 */
229 static sip_uint32
230 sip_sec_make_signature__sspi(SipSecContext context,
231 const char *message,
232 SipSecBuffer *signature)
233 {
234 SecBufferDesc buffs_desc;
235 SecBuffer buffs[2];
236 SECURITY_STATUS ret;
237 SecPkgContext_Sizes context_sizes;
238 unsigned char *signature_buff;
239 size_t signature_buff_length;
240 context_sspi ctx = (context_sspi) context;
241
242 ret = QueryContextAttributes(ctx->ctx_sspi,
243 SECPKG_ATTR_SIZES,
244 &context_sizes);
245
246 if (ret != SEC_E_OK) {
247 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: QueryContextAttributes", ret);
248 return SIP_SEC_E_INTERNAL_ERROR;
249 }
250
251 signature_buff_length = context_sizes.cbMaxSignature;
252 signature_buff = g_malloc0(signature_buff_length);
253
254 buffs_desc.cBuffers = 2;
255 buffs_desc.pBuffers = buffs;
256 buffs_desc.ulVersion = SECBUFFER_VERSION;
257
258 /* message to sign */
259 buffs[0].BufferType = SECBUFFER_DATA;
260 buffs[0].cbBuffer = strlen(message);
261 buffs[0].pvBuffer = (PVOID)message;
262
263 /* to hold signature */
264 buffs[1].BufferType = SECBUFFER_TOKEN;
265 buffs[1].cbBuffer = signature_buff_length;
266 buffs[1].pvBuffer = signature_buff;
267
268 ret = MakeSignature(ctx->ctx_sspi,
269 (ULONG)0,
270 &buffs_desc,
271 100);
272 if (ret != SEC_E_OK) {
273 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: MakeSignature", ret);
274 g_free(signature_buff);
275 return SIP_SEC_E_INTERNAL_ERROR;
276 }
277
278 signature->value = signature_buff;
279 signature->length = buffs[1].cbBuffer;
280
281 return SIP_SEC_E_OK;
282 }
283
284 /**
285 * @param message a NULL terminated string to check signature of
286 * @return SIP_SEC_E_OK on success
287 */
288 static sip_uint32
289 sip_sec_verify_signature__sspi(SipSecContext context,
290 const char *message,
291 SipSecBuffer signature)
292 {
293 SecBufferDesc buffs_desc;
294 SecBuffer buffs[2];
295 SECURITY_STATUS ret;
296
297 buffs_desc.cBuffers = 2;
298 buffs_desc.pBuffers = buffs;
299 buffs_desc.ulVersion = SECBUFFER_VERSION;
300
301 /* message to sign */
302 buffs[0].BufferType = SECBUFFER_DATA;
303 buffs[0].cbBuffer = strlen(message);
304 buffs[0].pvBuffer = (PVOID)message;
305
306 /* signature to check */
307 buffs[1].BufferType = SECBUFFER_TOKEN;
308 buffs[1].cbBuffer = signature.length;
309 buffs[1].pvBuffer = signature.value;
310
311 ret = VerifySignature(((context_sspi)context)->ctx_sspi,
312 &buffs_desc,
313 0,
314 0);
315
316 if (ret != SEC_E_OK) {
317 sip_sec_sspi_print_error("sip_sec_verify_signature__sspi: VerifySignature", ret);
318 return SIP_SEC_E_INTERNAL_ERROR;
319 }
320
321 return SIP_SEC_E_OK;
322 }
323
324 SipSecContext
325 sip_sec_create_context__sspi(guint type)
326 {
327 context_sspi context = g_malloc0(sizeof(struct _context_sspi));
328 if (!context) return(NULL);
329
330 context->common.acquire_cred_func = sip_sec_acquire_cred__sspi;
331 context->common.init_context_func = sip_sec_init_sec_context__sspi;
332 context->common.destroy_context_func = sip_sec_destroy_sec_context__sspi;
333 context->common.make_signature_func = sip_sec_make_signature__sspi;
334 context->common.verify_signature_func = sip_sec_verify_signature__sspi;
335 context->mech = (type == AUTH_TYPE_NTLM) ? SSPI_MECH_NTLM :
336 ((type == AUTH_TYPE_KERBEROS) ? SSPI_MECH_KERBEROS :
337 ((type == AUTH_TYPE_NEGOTIATE) ? SSPI_MECH_NEGOTIATE : SSPI_MECH_TLS_DSK));
338
339 return((SipSecContext) context);
340 }
341
342 /* Utility Functions */
343
344 /**
345 * Returns interval in seconds from now till provided value
346 */
347 static int
348 sip_sec_get_interval_from_now_sec(TimeStamp timestamp)
349 {
350 SYSTEMTIME stNow;
351 FILETIME ftNow;
352 ULARGE_INTEGER uliNow, uliTo;
353
354 GetLocalTime(&stNow);
355 SystemTimeToFileTime(&stNow, &ftNow);
356
357 uliNow.LowPart = ftNow.dwLowDateTime;
358 uliNow.HighPart = ftNow.dwHighDateTime;
359
360 uliTo.LowPart = timestamp.LowPart;
361 uliTo.HighPart = timestamp.HighPart;
362
363 return (int)((uliTo.QuadPart - uliNow.QuadPart)/10/1000/1000);
364 }
365
366 void
367 sip_sec_sspi_print_error(const char *func,
368 SECURITY_STATUS ret)
369 {
370 char *error_message;
371 static char *buff;
372 int buff_length;
373
374 buff_length = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
375 FORMAT_MESSAGE_ALLOCATE_BUFFER |
376 FORMAT_MESSAGE_IGNORE_INSERTS,
377 0,
378 ret,
379 0,
380 (LPTSTR)&buff,
381 16384,
382 0);
383 error_message = g_strndup(buff, buff_length);
384 LocalFree(buff);
385
386 printf("SSPI ERROR [%d] in %s: %s", (int)ret, func, error_message);
387 g_free(error_message);
388 }
389
390
391 /*
392 Local Variables:
393 mode: c
394 c-file-style: "bsd"
395 indent-tabs-mode: t
396 tab-width: 8
397 End:
398 */
A third-party Pidgin plugin for Microsoft LCS/OCS