6 * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <gssapi/gssapi.h>
32 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
33 #include <gssapi/gssapi_ext.h>
35 #include <gssapi/gssapi_krb5.h>
37 #include "sipe-common.h"
39 #include "sip-sec-mech.h"
40 #include "sip-sec-krb5.h"
41 #include "sipe-backend.h"
42 #include "sipe-utils.h"
44 /* Security context for Kerberos */
45 typedef struct _context_krb5
{
46 struct sip_sec_context common
;
47 gss_cred_id_t cred_krb5
;
48 gss_ctx_id_t ctx_krb5
;
51 static void sip_sec_krb5_print_gss_error0(char *func
,
56 OM_uint32 message_context
= 0;
57 gss_buffer_desc status_string
;
60 gss_display_status(&minor
,
67 SIPE_DEBUG_ERROR("sip_sec_krb5: GSSAPI error in %s (%s): %s",
69 (type
== GSS_C_GSS_CODE
? "GSS" : "Mech"),
70 (gchar
*) status_string
.value
);
71 gss_release_buffer(&minor
, &status_string
);
72 } while (message_context
!= 0);
76 * Prints out errors of GSSAPI function invocation
78 static void sip_sec_krb5_print_gss_error(char *func
,
82 sip_sec_krb5_print_gss_error0(func
, ret
, GSS_C_GSS_CODE
);
83 sip_sec_krb5_print_gss_error0(func
, minor
, GSS_C_MECH_CODE
);
86 /* sip-sec-mech.h API implementation for Kerberos/GSSAPI */
89 sip_sec_acquire_cred__krb5(SipSecContext context
,
91 const gchar
*username
,
92 const gchar
*password
)
94 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__krb5: started");
96 /* With SSO we use the default credentials */
97 if ((context
->flags
& SIP_SEC_FLAG_COMMON_SSO
) == 0) {
98 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
101 OM_uint32 minor
, minor_ignore
;
102 gss_cred_id_t credentials
;
103 gss_buffer_desc input_name_buffer
;
104 gss_name_t user_name
;
106 /* Without SSO we need user name and password */
107 if (!username
|| !password
) {
108 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__krb5: no valid authentication information provided");
112 /* Construct user name to acquire credentials for */
113 if (!is_empty(domain
)) {
114 /* User specified a domain */
115 gchar
*realm
= g_ascii_strup(domain
, -1);
117 username_new
= g_strdup_printf("%s@%s",
122 } else if (strchr(username
, '@')) {
123 /* No domain, username matches XXX@YYY */
124 gchar
**user_realm
= g_strsplit(username
, "@", 2);
125 gchar
*realm
= g_ascii_strup(user_realm
[1], -1);
128 * We should escape the "@" to generate a enterprise
129 * principal, i.e. XXX\@YYY
131 * But krb5 libraries currently don't support this:
133 * http://krbdev.mit.edu/rt/Ticket/Display.html?id=7729
135 * username_new = g_strdup_printf("%s\\@%s",
137 username_new
= g_strdup_printf("%s@%s",
141 g_strfreev(user_realm
);
143 /* Otherwise use username as is */
144 username_new
= g_strdup(username
);
146 SIPE_DEBUG_INFO("sip_sec_acquire_cred__krb5: username '%s'",
149 /* Import user name into GSS format */
150 input_name_buffer
.value
= (void *) username_new
;
151 input_name_buffer
.length
= strlen(username_new
) + 1;
153 ret
= gss_import_name(&minor
,
155 (gss_OID
) GSS_C_NT_USER_NAME
,
157 g_free(username_new
);
159 if (GSS_ERROR(ret
)) {
160 sip_sec_krb5_print_gss_error("gss_import_name", ret
, minor
);
161 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__krb5: failed to construct user name (ret=%d)", (int)ret
);
165 /* Acquire user credentials with password */
166 input_name_buffer
.value
= (void *) password
;
167 input_name_buffer
.length
= strlen(password
) + 1;
168 ret
= gss_acquire_cred_with_password(&minor
,
177 gss_release_name(&minor_ignore
, &user_name
);
179 if (GSS_ERROR(ret
)) {
180 sip_sec_krb5_print_gss_error("gss_acquire_cred_with_password", ret
, minor
);
181 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__krb5: failed to acquire credentials (ret=%d)", (int)ret
);
184 ((context_krb5
) context
)->cred_krb5
= credentials
;
188 (void) domain
; /* keep compiler happy */
189 (void) username
; /* keep compiler happy */
190 (void) password
; /* keep compiler happy */
191 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__krb5: non-SSO mode not supported");
200 sip_sec_init_sec_context__krb5(SipSecContext context
,
201 SipSecBuffer in_buff
,
202 SipSecBuffer
*out_buff
,
203 const gchar
*service_name
)
205 context_krb5 ctx
= (context_krb5
) context
;
207 OM_uint32 minor
, minor_ignore
;
209 gss_buffer_desc input_token
;
210 gss_buffer_desc output_token
;
211 gss_name_t target_name
;
213 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__krb5: started");
216 * If authentication was already completed, then this mean a new
217 * authentication handshake has started on the existing connection.
218 * We must throw away the old context, because we need a new one.
220 if ((context
->flags
& SIP_SEC_FLAG_COMMON_READY
) &&
221 (ctx
->ctx_krb5
!= GSS_C_NO_CONTEXT
)) {
222 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__krb5: dropping old context");
223 ret
= gss_delete_sec_context(&minor
,
226 if (GSS_ERROR(ret
)) {
227 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret
, minor
);
228 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to delete security context (ret=%d)", (int)ret
);
230 ctx
->ctx_krb5
= GSS_C_NO_CONTEXT
;
233 /* Import service name to GSS */
234 input_token
.value
= (void *) service_name
;
235 input_token
.length
= strlen(service_name
) + 1;
237 ret
= gss_import_name(&minor
,
239 (gss_OID
) GSS_KRB5_NT_PRINCIPAL_NAME
,
241 if (GSS_ERROR(ret
)) {
242 sip_sec_krb5_print_gss_error("gss_import_name", ret
, minor
);
243 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to construct target name (ret=%d)", (int)ret
);
248 input_token
.length
= in_buff
.length
;
249 input_token
.value
= in_buff
.value
;
251 output_token
.length
= 0;
252 output_token
.value
= NULL
;
254 ret
= gss_init_sec_context(&minor
,
258 (gss_OID
) gss_mech_krb5
,
261 GSS_C_NO_CHANNEL_BINDINGS
,
267 gss_release_name(&minor_ignore
, &target_name
);
269 if (GSS_ERROR(ret
)) {
270 gss_release_buffer(&minor_ignore
, &output_token
);
271 sip_sec_krb5_print_gss_error("gss_init_sec_context", ret
, minor
);
272 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to initialize context (ret=%d)", (int)ret
);
276 out_buff
->length
= output_token
.length
;
277 out_buff
->value
= g_memdup(output_token
.value
, output_token
.length
);
278 gss_release_buffer(&minor_ignore
, &output_token
);
280 context
->expires
= (int)expiry
;
282 /* Authentication is completed */
283 context
->flags
|= SIP_SEC_FLAG_COMMON_READY
;
289 * @param message a NULL terminated string to sign
292 sip_sec_make_signature__krb5(SipSecContext context
,
293 const gchar
*message
,
294 SipSecBuffer
*signature
)
298 gss_buffer_desc input_message
;
299 gss_buffer_desc output_token
;
301 input_message
.value
= (void *)message
;
302 input_message
.length
= strlen(input_message
.value
);
304 ret
= gss_get_mic(&minor
,
305 ((context_krb5
)context
)->ctx_krb5
,
310 if (GSS_ERROR(ret
)) {
311 sip_sec_krb5_print_gss_error("gss_get_mic", ret
, minor
);
312 SIPE_DEBUG_ERROR("sip_sec_make_signature__krb5: failed to make signature (ret=%d)", (int)ret
);
315 signature
->length
= output_token
.length
;
316 signature
->value
= g_memdup(output_token
.value
,
317 output_token
.length
);
318 gss_release_buffer(&minor
, &output_token
);
324 * @param message a NULL terminated string to check signature of
327 sip_sec_verify_signature__krb5(SipSecContext context
,
328 const gchar
*message
,
329 SipSecBuffer signature
)
333 gss_buffer_desc input_message
;
334 gss_buffer_desc input_token
;
336 input_message
.value
= (void *)message
;
337 input_message
.length
= strlen(input_message
.value
);
339 input_token
.value
= signature
.value
;
340 input_token
.length
= signature
.length
;
342 ret
= gss_verify_mic(&minor
,
343 ((context_krb5
)context
)->ctx_krb5
,
348 if (GSS_ERROR(ret
)) {
349 sip_sec_krb5_print_gss_error("gss_verify_mic", ret
, minor
);
350 SIPE_DEBUG_ERROR("sip_sec_verify_signature__krb5: failed to make signature (ret=%d)", (int)ret
);
358 sip_sec_destroy_sec_context__krb5(SipSecContext context
)
360 context_krb5 ctx
= (context_krb5
) context
;
364 if (ctx
->ctx_krb5
!= GSS_C_NO_CONTEXT
) {
365 ret
= gss_delete_sec_context(&minor
, &(ctx
->ctx_krb5
), GSS_C_NO_BUFFER
);
366 if (GSS_ERROR(ret
)) {
367 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret
, minor
);
368 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__krb5: failed to delete security context (ret=%d)", (int)ret
);
370 ctx
->ctx_krb5
= GSS_C_NO_CONTEXT
;
373 if (ctx
->cred_krb5
!= GSS_C_NO_CREDENTIAL
) {
374 ret
= gss_release_cred(&minor
, &(ctx
->cred_krb5
));
375 if (GSS_ERROR(ret
)) {
376 sip_sec_krb5_print_gss_error("gss_release_cred", ret
, minor
);
377 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__krb5: failed to release credentials (ret=%d)", (int)ret
);
379 ctx
->cred_krb5
= GSS_C_NO_CREDENTIAL
;
386 sip_sec_create_context__krb5(SIPE_UNUSED_PARAMETER guint type
)
388 context_krb5 context
= g_malloc0(sizeof(struct _context_krb5
));
389 if (!context
) return(NULL
);
391 context
->common
.acquire_cred_func
= sip_sec_acquire_cred__krb5
;
392 context
->common
.init_context_func
= sip_sec_init_sec_context__krb5
;
393 context
->common
.destroy_context_func
= sip_sec_destroy_sec_context__krb5
;
394 context
->common
.make_signature_func
= sip_sec_make_signature__krb5
;
395 context
->common
.verify_signature_func
= sip_sec_verify_signature__krb5
;
397 context
->cred_krb5
= GSS_C_NO_CREDENTIAL
;
398 context
->ctx_krb5
= GSS_C_NO_CONTEXT
;
400 return((SipSecContext
) context
);
403 gboolean
sip_sec_password__krb5(void)
405 /* Kerberos supports Single-Sign On */