search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tls: add Server Key Exchange message
[siplcs.git] / src / core / sip-sec-gssapi.c
blob9af8595e4b9650b4598cb40723376f8294857f61
1 /**
2 * @file sip-sec-gssapi.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2010-2015 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 *
24 *
25 * This module implements sip-sec authentication API using GSSAPI.
26 *
27 * It can be compiled in two different modes:
28 *
29 * - Kerberos-only: NTLM & SPNEGO are using SIPE internal implementation
30 * [HAVE_GSSAPI_ONLY is not defined]
31 *
32 * - pure GSSAPI: this modules handles Kerberos, NTLM & SPNEGO
33 * [HAVE_GSSAPI_ONLY is defined]
34 */
35
36 #ifdef HAVE_CONFIG_H
37 #include "config.h"
38 #endif
39
40 #include <glib.h>
41 #include <string.h>
42 #include <gssapi/gssapi.h>
43 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
44 #include <gssapi/gssapi_ext.h>
45 #endif
46 #include <gssapi/gssapi_krb5.h>
47 #ifdef HAVE_GSSAPI_ONLY
48 #include <gssapi/gssapi_ntlmssp.h>
49 #endif
50
51 #include "sipe-common.h"
52 #include "sip-sec.h"
53 #include "sip-sec-mech.h"
54 #include "sip-sec-gssapi.h"
55 #include "sipe-backend.h"
56 #include "sipe-core.h"
57 #include "sipe-utils.h"
58
59 /* Security context for Kerberos */
60 typedef struct _context_gssapi {
61 struct sip_sec_context common;
62 gss_cred_id_t cred_gssapi;
63 gss_ctx_id_t ctx_gssapi;
64 gss_name_t target_name;
65 } *context_gssapi;
66
67 #ifdef HAVE_GSSAPI_ONLY
68 static const gss_OID_desc gss_mech_ntlmssp = {
69 GSS_NTLMSSP_OID_LENGTH,
70 GSS_NTLMSSP_OID_STRING
71 };
72
73 static const gss_OID_desc gss_mech_spnego = {
74 6,
75 "\x2b\x06\x01\x05\x05\x02"
76 };
77
78 /*
79 * The SPNEGO implementation on older Microsoft IIS servers sends a
80 * non-conformant final empty token that is not accepted by the SPNEGO
81 * implementation in older MIT KRB5 releases:
82 *
83 * Base64-encoded DER: oRgwFqADCgEAoQsGCSqGSIb3EgECAqICBAA=
84 *
85 * Decoded ASN.1:
86 * 0:d=0 hl=2 l= 24 cons: cont [ 1 ]
87 * 2:d=1 hl=2 l= 22 cons: SEQUENCE
88 * 4:d=2 hl=2 l= 3 cons: cont [ 0 ]
89 * 6:d=3 hl=2 l= 1 prim: ENUMERATED :00
90 * 9:d=2 hl=2 l= 11 cons: cont [ 1 ]
91 * 11:d=3 hl=2 l= 9 prim: OBJECT :1.2.840.113554.1.2.2
92 * 22:d=2 hl=2 l= 2 cons: cont [ 2 ] | this empty element is not
93 * 24:d=3 hl=2 l= 0 prim: OCTET STRING | correct according to spec
94 *
95 * We can circumvent this problem by setting GSS_C_MUTUAL_FLAG which causes
96 * the server to send a non-empty final token. We set the following flag to
97 * TRUE after the first time gss_init_sec_context() returns with a
98 * "defective token" error.
99 */
100 static gboolean spnego_mutual_flag = FALSE;
101 #endif
102
103 #define SIP_SEC_FLAG_GSSAPI_SIP_NTLM 0x00010000
104 #define SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK 0x00020000
105
106 static void sip_sec_gssapi_print_gss_error0(char *func,
107 OM_uint32 status,
108 int type)
109 {
110 OM_uint32 minor;
111 OM_uint32 message_context = 0;
112 gss_buffer_desc status_string;
113
114 do {
115 gss_display_status(&minor,
116 status,
117 type,
118 GSS_C_NO_OID,
119 &message_context,
120 &status_string);
121
122 SIPE_DEBUG_ERROR("sip_sec_gssapi: GSSAPI error in %s (%s): %s",
123 func,
124 (type == GSS_C_GSS_CODE ? "GSS" : "Mech"),
125 (gchar *) status_string.value);
126 gss_release_buffer(&minor, &status_string);
127 } while (message_context != 0);
128 }
129
130 /* Prints out errors of GSSAPI function invocation */
131 static void sip_sec_gssapi_print_gss_error(char *func,
132 OM_uint32 ret,
133 OM_uint32 minor)
134 {
135 sip_sec_gssapi_print_gss_error0(func, ret, GSS_C_GSS_CODE);
136 sip_sec_gssapi_print_gss_error0(func, minor, GSS_C_MECH_CODE);
137 }
138
139 #if defined(HAVE_GSSAPI_PASSWORD_SUPPORT) || defined(HAVE_GSSAPI_ONLY)
140 /* NOTE: releases "set" on error */
141 static gboolean add_mech(gss_OID_set set,
142 gss_OID mech,
143 const gchar *name)
144 {
145 OM_uint32 ret;
146 OM_uint32 minor;
147
148 ret = gss_add_oid_set_member(&minor, mech, &set);
149 if (GSS_ERROR(ret)) {
150 sip_sec_gssapi_print_gss_error("gss_add_oid_set_member", ret, minor);
151 SIPE_DEBUG_ERROR("add_mech: can't add %s to mech set (ret=%u)", name, ret);
152 gss_release_oid_set(&minor, &set);
153 return(FALSE);
154 }
155 SIPE_DEBUG_INFO("add_mech: added %s to mech set", name);
156
157 return(TRUE);
158 }
159
160 static gss_OID_set create_mechs_set(guint type)
161 {
162 OM_uint32 ret;
163 OM_uint32 minor;
164 gss_OID_set set = GSS_C_NO_OID_SET;
165 gss_OID mech_oid;
166 const gchar *name;
167
168 ret = gss_create_empty_oid_set(&minor, &set);
169 if (GSS_ERROR(ret)) {
170 sip_sec_gssapi_print_gss_error("gss_create_empty_oid_set", ret, minor);
171 SIPE_DEBUG_ERROR("create_mechs_set: can't create mech set (ret=%u)", ret);
172 return(GSS_C_NO_OID_SET);
173 }
174
175 #ifdef HAVE_GSSAPI_ONLY
176 switch (type) {
177 case SIPE_AUTHENTICATION_TYPE_NTLM:
178 mech_oid = (gss_OID) &gss_mech_ntlmssp;
179 name = "NTLM";
180 break;
181
182 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
183 #else
184 (void) type; /* keep compiler happy */
185 #endif
186 mech_oid = (gss_OID) gss_mech_krb5;
187 name = "Kerberos";
188 #ifdef HAVE_GSSAPI_ONLY
189 break;
190
191 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
192 mech_oid = (gss_OID) &gss_mech_spnego;
193 name = "SPNEGO";
194 break;
195
196 default:
197 SIPE_DEBUG_ERROR("create_mechs_set: invoked with invalid type %u",
198 type);
199 gss_release_oid_set(&minor, &set);
200 return(GSS_C_NO_OID_SET);
201 break;
202 }
203 #endif
204
205 return(add_mech(set, mech_oid, name) ? set : GSS_C_NO_OID_SET);
206 }
207 #endif
208
209 #ifdef HAVE_GSSAPI_ONLY
210 static gss_OID_set create_neg_mechs_set(void)
211 {
212 OM_uint32 ret;
213 OM_uint32 minor;
214 gss_OID_set set = GSS_C_NO_OID_SET;
215
216 ret = gss_create_empty_oid_set(&minor, &set);
217 if (GSS_ERROR(ret)) {
218 sip_sec_gssapi_print_gss_error("gss_create_empty_oid_set", ret, minor);
219 SIPE_DEBUG_ERROR("create_neg_mechs_set: can't create mech set (ret=%u)", ret);
220 return(GSS_C_NO_OID_SET);
221 }
222
223 return((add_mech(set, (gss_OID) gss_mech_krb5, "Kerberos") &&
224 add_mech(set, (gss_OID) &gss_mech_ntlmssp, "NTLM")) ?
225 set : GSS_C_NO_OID_SET);
226 }
227
228 static gboolean gssntlm_reset_mic_sequence(context_gssapi context)
229 {
230 OM_uint32 ret;
231 OM_uint32 minor;
232 gss_buffer_desc value;
233 guint sequence = 100;
234
235 static const gss_OID_desc set_sequence_num_oid = {
236 GSS_NTLMSSP_SET_SEQ_NUM_OID_LENGTH,
237 GSS_NTLMSSP_SET_SEQ_NUM_OID_STRING
238 };
239
240 value.length = sizeof(sequence);
241 value.value = &sequence;
242
243 ret = gss_set_sec_context_option(&minor,
244 &context->ctx_gssapi,
245 (gss_OID_desc *) &set_sequence_num_oid,
246 &value);
247 if (GSS_ERROR(ret)) {
248 sip_sec_gssapi_print_gss_error("gss_set_sec_context_option", ret, minor);
249 SIPE_DEBUG_ERROR("gssntlm_reset_mic_sequence: failed to reset MIC sequence number (ret=%u)", ret);
250 return(FALSE);
251 }
252
253 return(TRUE);
254 }
255 #endif
256
257 static void drop_gssapi_context(SipSecContext context)
258 {
259 context_gssapi ctx = (context_gssapi) context;
260 OM_uint32 ret;
261 OM_uint32 minor;
262
263 ret = gss_delete_sec_context(&minor,
264 &(ctx->ctx_gssapi),
265 GSS_C_NO_BUFFER);
266 if (GSS_ERROR(ret)) {
267 sip_sec_gssapi_print_gss_error("gss_delete_sec_context", ret, minor);
268 SIPE_DEBUG_ERROR("drop_gssapi_context: failed to delete security context (ret=%u)", ret);
269 }
270 ctx->ctx_gssapi = GSS_C_NO_CONTEXT;
271 context->flags &= ~SIP_SEC_FLAG_COMMON_READY;
272 }
273
274 /* sip-sec-mech.h API implementation for Kerberos/GSSAPI */
275
276 static gboolean
277 sip_sec_acquire_cred__gssapi(SipSecContext context,
278 const gchar *username,
279 const gchar *password)
280 {
281 context_gssapi ctx = (context_gssapi) context;
282
283 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__gssapi: started");
284
285 /* this is the first time we are allowed to set private flags */
286 if (((context->flags & SIP_SEC_FLAG_COMMON_HTTP) == 0) &&
287 (context->type == SIPE_AUTHENTICATION_TYPE_NTLM))
288 context->flags |= SIP_SEC_FLAG_GSSAPI_SIP_NTLM;
289
290 /* With SSO we use the default credentials */
291 if ((context->flags & SIP_SEC_FLAG_COMMON_SSO) == 0) {
292 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
293 gchar *username_new = NULL;
294 OM_uint32 ret;
295 OM_uint32 minor, minor_ignore;
296 gss_OID_set mechs_set;
297 gss_cred_id_t credentials;
298 gss_buffer_desc input_name_buffer;
299 gss_name_t user_name;
300
301 /* Without SSO we need user name and password */
302 if (is_empty(username) || is_empty(password)) {
303 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__gssapi: no valid authentication information provided");
304 return(FALSE);
305 }
306
307 mechs_set = create_mechs_set(context->type);
308 if (mechs_set == GSS_C_NO_OID_SET)
309 return(FALSE);
310
311 if (!SIP_SEC_USERNAME_IS_ENTERPRISE) {
312 SIP_SEC_USERNAME_SPLIT_START;
313
314 /* Construct user name to acquire credentials for */
315 if (SIP_SEC_USERNAME_HAS_DOMAIN) {
316 /* User specified a domain */
317 gchar *realm = g_ascii_strup(SIP_SEC_USERNAME_DOMAIN,
318 -1);
319
320 username_new = g_strdup_printf("%s@%s",
321 SIP_SEC_USERNAME_ACCOUNT,
322 realm);
323 g_free(realm);
324
325 } else if (strchr(username, '@')) {
326 /* No domain, username matches XXX@YYY */
327 gchar **user_realm = g_strsplit(username, "@", 2);
328 gchar *realm = g_ascii_strup(user_realm[1], -1);
329
330 /*
331 * We should escape the "@" to generate a enterprise
332 * principal, i.e. XXX\@YYY
333 *
334 * But krb5 libraries currently don't support this:
335 *
336 * http://krbdev.mit.edu/rt/Ticket/Display.html?id=7729
337 *
338 * username_new = g_strdup_printf("%s\\@%s",
339 */
340 username_new = g_strdup_printf("%s@%s",
341 user_realm[0],
342 realm);
343 g_free(realm);
344 g_strfreev(user_realm);
345 }
346
347 SIP_SEC_USERNAME_SPLIT_END;
348 }
349
350 if (username_new)
351 username = username_new;
352
353 SIPE_DEBUG_INFO("sip_sec_acquire_cred__gssapi: username '%s'",
354 username);
355
356 /* Import user name into GSS format */
357 input_name_buffer.value = (void *) username;
358 input_name_buffer.length = strlen(username) + 1;
359
360 ret = gss_import_name(&minor,
361 &input_name_buffer,
362 (gss_OID) GSS_C_NT_USER_NAME,
363 &user_name);
364 g_free(username_new);
365
366 if (GSS_ERROR(ret)) {
367 sip_sec_gssapi_print_gss_error("gss_import_name", ret, minor);
368 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to construct user name (ret=%u)", ret);
369 gss_release_oid_set(&minor, &mechs_set);
370 return(FALSE);
371 }
372
373 /* Acquire user credentials with password */
374 input_name_buffer.value = (void *) password;
375 input_name_buffer.length = strlen(password) + 1;
376 ret = gss_acquire_cred_with_password(&minor,
377 user_name,
378 &input_name_buffer,
379 GSS_C_INDEFINITE,
380 mechs_set,
381 GSS_C_INITIATE,
382 &credentials,
383 NULL,
384 NULL);
385 gss_release_name(&minor_ignore, &user_name);
386 gss_release_oid_set(&minor_ignore, &mechs_set);
387
388 if (GSS_ERROR(ret)) {
389 sip_sec_gssapi_print_gss_error("gss_acquire_cred_with_password", ret, minor);
390 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to acquire credentials (ret=%u)", ret);
391 return(FALSE);
392 }
393
394 ctx->cred_gssapi = credentials;
395
396 #else
397 /*
398 * non-SSO support requires gss_acquire_cred_with_password()
399 * which is not available on older GSSAPI releases.
400 */
401 (void) username; /* keep compiler happy */
402 (void) password; /* keep compiler happy */
403 (void) ctx; /* keep compiler happy */
404 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__gssapi: non-SSO mode not supported");
405 return(FALSE);
406 #endif
407 }
408 #ifdef HAVE_GSSAPI_ONLY
409 else {
410 OM_uint32 ret;
411 OM_uint32 minor, minor_ignore;
412 gss_OID_set mechs_set;
413 gss_cred_id_t credentials;
414
415 mechs_set = create_mechs_set(context->type);
416 if (mechs_set == GSS_C_NO_OID_SET)
417 return(FALSE);
418
419 ret = gss_acquire_cred(&minor,
420 GSS_C_NO_NAME,
421 GSS_C_INDEFINITE,
422 mechs_set,
423 GSS_C_INITIATE,
424 &credentials,
425 NULL,
426 NULL);
427 gss_release_oid_set(&minor_ignore, &mechs_set);
428
429 if (GSS_ERROR(ret)) {
430 sip_sec_gssapi_print_gss_error("gss_acquire_cred", ret, minor);
431 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to acquire credentials (ret=%u)", ret);
432 return(FALSE);
433 }
434
435 ctx->cred_gssapi = credentials;
436 }
437
438 if (context->type == SIPE_AUTHENTICATION_TYPE_NEGOTIATE) {
439 OM_uint32 ret;
440 OM_uint32 minor, minor_ignore;
441 gss_OID_set mechs_set = create_neg_mechs_set();
442
443 if (mechs_set == GSS_C_NO_OID_SET)
444 return(FALSE);
445
446 ret = gss_set_neg_mechs(&minor,
447 ctx->cred_gssapi,
448 mechs_set);
449 gss_release_oid_set(&minor_ignore, &mechs_set);
450
451 if (GSS_ERROR(ret)) {
452 sip_sec_gssapi_print_gss_error("gss_set_neg_mechs", ret, minor);
453 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to set negotiate mechanisms (ret=%u)", ret);
454 return(FALSE);
455 }
456 }
457 #endif
458
459 return(TRUE);
460 }
461
462 static gboolean
463 sip_sec_init_sec_context__gssapi(SipSecContext context,
464 SipSecBuffer in_buff,
465 SipSecBuffer *out_buff,
466 const gchar *service_name)
467 {
468 context_gssapi ctx = (context_gssapi) context;
469 OM_uint32 ret;
470 OM_uint32 minor, minor_ignore;
471 OM_uint32 expiry;
472 gss_buffer_desc input_token;
473 gss_buffer_desc output_token;
474 #ifdef HAVE_GSSAPI_ONLY
475 gss_OID mech_oid;
476 OM_uint32 flags = GSS_C_INTEG_FLAG;
477 #endif
478
479 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: started");
480
481 /*
482 * If authentication was already completed, then this mean a new
483 * authentication handshake has started on the existing connection.
484 * We must throw away the old context, because we need a new one.
485 */
486 if ((context->flags & SIP_SEC_FLAG_COMMON_READY) &&
487 (ctx->ctx_gssapi != GSS_C_NO_CONTEXT)) {
488 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: dropping old context");
489 drop_gssapi_context(context);
490 }
491
492 /* Import service name to GSS */
493 if (ctx->target_name == GSS_C_NO_NAME) {
494 gchar *hostbased_service_name = sipe_utils_str_replace(service_name,
495 "/",
496 "@");
497
498 input_token.value = (void *) hostbased_service_name;
499 input_token.length = strlen(input_token.value) + 1;
500 ret = gss_import_name(&minor,
501 &input_token,
502 (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
503 &(ctx->target_name));
504 g_free(hostbased_service_name);
505
506 if (GSS_ERROR(ret)) {
507 sip_sec_gssapi_print_gss_error("gss_import_name", ret, minor);
508 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: failed to construct target name (ret=%u)", ret);
509 return(FALSE);
510 }
511 }
512
513 #ifdef HAVE_GSSAPI_ONLY
514 switch(context->type) {
515 case SIPE_AUTHENTICATION_TYPE_NTLM:
516 mech_oid = (gss_OID) &gss_mech_ntlmssp;
517 if (context->flags & SIP_SEC_FLAG_GSSAPI_SIP_NTLM)
518 flags |= GSS_C_DATAGRAM_FLAG;
519 break;
520
521 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
522 mech_oid = (gss_OID) gss_mech_krb5;
523 break;
524
525 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
526 /*
527 * Some servers do not accept SPNEGO for Negotiate.
528 * If come back here with an existing security context
529 * and NULL input token we will fall back to NTLM
530 */
531 if (ctx->ctx_gssapi && (in_buff.value == NULL)) {
532
533 /* Only try this once */
534 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK) {
535 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_init_sec_context__gssapi: SPNEGO-to-NTLM fallback failed");
536 return(FALSE);
537 }
538
539 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: SPNEGO failed. Falling back to NTLM");
540 drop_gssapi_context(context);
541
542 context->flags |= SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK;
543 }
544
545 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK) {
546 mech_oid = (gss_OID) &gss_mech_ntlmssp;
547 } else {
548 mech_oid = (gss_OID) &gss_mech_spnego;
549 if (spnego_mutual_flag)
550 flags |= GSS_C_MUTUAL_FLAG;
551 }
552 break;
553
554 default:
555 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: invoked for invalid type %u",
556 context->type);
557 return(FALSE);
558 }
559 #endif
560
561 /* Create context */
562 input_token.length = in_buff.length;
563 input_token.value = in_buff.value;
564
565 output_token.length = 0;
566 output_token.value = NULL;
567
568 ret = gss_init_sec_context(&minor,
569 ctx->cred_gssapi,
570 &(ctx->ctx_gssapi),
571 ctx->target_name,
572 #ifdef HAVE_GSSAPI_ONLY
573 mech_oid,
574 flags,
575 #else
576 (gss_OID) gss_mech_krb5,
577 GSS_C_INTEG_FLAG,
578 #endif
579 GSS_C_INDEFINITE,
580 GSS_C_NO_CHANNEL_BINDINGS,
581 &input_token,
582 NULL,
583 &output_token,
584 NULL,
585 &expiry);
586
587 if (GSS_ERROR(ret)) {
588 gss_release_buffer(&minor_ignore, &output_token);
589 sip_sec_gssapi_print_gss_error("gss_init_sec_context", ret, minor);
590 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: failed to initialize context (ret=%u)", ret);
591
592 #ifdef HAVE_GSSAPI_ONLY
593 /* Enable workaround for SPNEGO (see above) */
594 if (ret == GSS_S_DEFECTIVE_TOKEN) {
595 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_init_sec_context__gssapi: enabling workaround for SPNEGO");
596 spnego_mutual_flag = TRUE;
597 }
598 #endif
599
600 return(FALSE);
601 }
602
603 out_buff->length = output_token.length;
604 if (out_buff->length)
605 out_buff->value = g_memdup(output_token.value, output_token.length);
606 else
607 /* Special case: empty token */
608 out_buff->value = (guint8 *) g_strdup("");
609
610 gss_release_buffer(&minor_ignore, &output_token);
611
612 context->expires = (int)expiry;
613
614 if (ret == GSS_S_COMPLETE) {
615 /* Authentication is completed */
616 context->flags |= SIP_SEC_FLAG_COMMON_READY;
617
618 #ifdef HAVE_GSSAPI_ONLY
619 if ((context->flags & SIP_SEC_FLAG_GSSAPI_SIP_NTLM) &&
620 !gssntlm_reset_mic_sequence(ctx))
621 return(FALSE);
622 #endif
623 }
624
625 return(TRUE);
626 }
627
628 /**
629 * @param message a NULL terminated string to sign
630 */
631 static gboolean
632 sip_sec_make_signature__gssapi(SipSecContext context,
633 const gchar *message,
634 SipSecBuffer *signature)
635 {
636 OM_uint32 ret;
637 OM_uint32 minor;
638 gss_buffer_desc input_message;
639 gss_buffer_desc output_token;
640
641 input_message.value = (void *)message;
642 input_message.length = strlen(input_message.value);
643
644 ret = gss_get_mic(&minor,
645 ((context_gssapi)context)->ctx_gssapi,
646 GSS_C_QOP_DEFAULT,
647 &input_message,
648 &output_token);
649
650 if (GSS_ERROR(ret)) {
651 sip_sec_gssapi_print_gss_error("gss_get_mic", ret, minor);
652 SIPE_DEBUG_ERROR("sip_sec_make_signature__gssapi: failed to make signature (ret=%u)", ret);
653 return FALSE;
654 } else {
655 signature->length = output_token.length;
656 signature->value = g_memdup(output_token.value,
657 output_token.length);
658 gss_release_buffer(&minor, &output_token);
659 return TRUE;
660 }
661 }
662
663 /**
664 * @param message a NULL terminated string to check signature of
665 */
666 static gboolean
667 sip_sec_verify_signature__gssapi(SipSecContext context,
668 const gchar *message,
669 SipSecBuffer signature)
670 {
671 OM_uint32 ret;
672 OM_uint32 minor;
673 gss_buffer_desc input_message;
674 gss_buffer_desc input_token;
675
676 input_message.value = (void *)message;
677 input_message.length = strlen(input_message.value);
678
679 input_token.value = signature.value;
680 input_token.length = signature.length;
681
682 ret = gss_verify_mic(&minor,
683 ((context_gssapi)context)->ctx_gssapi,
684 &input_message,
685 &input_token,
686 NULL);
687
688 if (GSS_ERROR(ret)) {
689 sip_sec_gssapi_print_gss_error("gss_verify_mic", ret, minor);
690 SIPE_DEBUG_ERROR("sip_sec_verify_signature__gssapi: failed to verify signature (ret=%u)", ret);
691 return FALSE;
692 } else {
693 return TRUE;
694 }
695 }
696
697 static void
698 sip_sec_destroy_sec_context__gssapi(SipSecContext context)
699 {
700 context_gssapi ctx = (context_gssapi) context;
701 OM_uint32 ret;
702 OM_uint32 minor;
703
704 if (ctx->ctx_gssapi != GSS_C_NO_CONTEXT)
705 drop_gssapi_context(context);
706
707 if (ctx->cred_gssapi != GSS_C_NO_CREDENTIAL) {
708 ret = gss_release_cred(&minor, &(ctx->cred_gssapi));
709 if (GSS_ERROR(ret)) {
710 sip_sec_gssapi_print_gss_error("gss_release_cred", ret, minor);
711 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__gssapi: failed to release credentials (ret=%u)", ret);
712 }
713 ctx->cred_gssapi = GSS_C_NO_CREDENTIAL;
714 }
715
716 if (ctx->target_name != GSS_C_NO_NAME) {
717 ret = gss_release_name(&minor, &(ctx->target_name));
718 if (GSS_ERROR(ret)) {
719 sip_sec_gssapi_print_gss_error("gss_release_name", ret, minor);
720 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__gssapi: failed to release name (ret=%u)", ret);
721 }
722 ctx->target_name = GSS_C_NO_NAME;
723 }
724
725 g_free(context);
726 }
727
728 static const gchar *
729 sip_sec_context_name__gssapi(SipSecContext context)
730 {
731 #ifdef HAVE_GSSAPI_ONLY
732 const gchar *name;
733
734 switch(context->type) {
735 case SIPE_AUTHENTICATION_TYPE_NTLM:
736 name = "NTLM";
737 break;
738
739 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
740 name = "Kerberos";
741 break;
742
743 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
744 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK)
745 name = "NTLM";
746 else
747 name = "Negotiate";
748 break;
749
750 default:
751 SIPE_DEBUG_ERROR("sip_sec_context_name__gssapi: invoked for invalid type %u",
752 context->type);
753 name = "";
754 break;
755 }
756
757 return(name);
758
759 #else
760 (void) context; /* keep compiler happy */
761 return("Kerberos");
762 #endif
763 }
764
765 SipSecContext
766 sip_sec_create_context__gssapi(SIPE_UNUSED_PARAMETER guint type)
767 {
768 context_gssapi context = g_malloc0(sizeof(struct _context_gssapi));
769 if (!context) return(NULL);
770
771 context->common.acquire_cred_func = sip_sec_acquire_cred__gssapi;
772 context->common.init_context_func = sip_sec_init_sec_context__gssapi;
773 context->common.destroy_context_func = sip_sec_destroy_sec_context__gssapi;
774 context->common.make_signature_func = sip_sec_make_signature__gssapi;
775 context->common.verify_signature_func = sip_sec_verify_signature__gssapi;
776 context->common.context_name_func = sip_sec_context_name__gssapi;
777
778 context->cred_gssapi = GSS_C_NO_CREDENTIAL;
779 context->ctx_gssapi = GSS_C_NO_CONTEXT;
780 context->target_name = GSS_C_NO_NAME;
781
782 return((SipSecContext) context);
783 }
784
785 gboolean sip_sec_password__gssapi(void)
786 {
787 /* GSSAPI supports Single-Sign On */
788 return(FALSE);
789 }
790
791 /*
792 Local Variables:
793 mode: c
794 c-file-style: "bsd"
795 indent-tabs-mode: t
796 tab-width: 8
797 End:
798 */
A third-party Pidgin plugin for Microsoft LCS/OCS