search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
configure: add check for older GSSAPI releases
[siplcs.git] / src / core / sip-sec-krb5.c
blob387586e0ab980eee7eb4918e7a073417ddcbf71e
1 /**
2 * @file sip-sec-krb5.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #ifdef HAVE_CONFIG_H
26 #include "config.h"
27 #endif
28
29 #include <glib.h>
30 #include <string.h>
31 #include <gssapi/gssapi.h>
32 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
33 #include <gssapi/gssapi_ext.h>
34 #endif
35 #include <gssapi/gssapi_krb5.h>
36
37 #include "sipe-common.h"
38 #include "sip-sec.h"
39 #include "sip-sec-mech.h"
40 #include "sip-sec-krb5.h"
41 #include "sipe-backend.h"
42 #include "sipe-utils.h"
43
44 /* Security context for Kerberos */
45 typedef struct _context_krb5 {
46 struct sip_sec_context common;
47 gss_cred_id_t cred_krb5;
48 gss_ctx_id_t ctx_krb5;
49 } *context_krb5;
50
51 static void sip_sec_krb5_print_gss_error0(char *func,
52 OM_uint32 status,
53 int type)
54 {
55 OM_uint32 minor;
56 OM_uint32 message_context = 0;
57 gss_buffer_desc status_string;
58
59 do {
60 gss_display_status(&minor,
61 status,
62 type,
63 GSS_C_NO_OID,
64 &message_context,
65 &status_string);
66
67 SIPE_DEBUG_ERROR("sip_sec_krb5: GSSAPI error in %s (%s): %s",
68 func,
69 (type == GSS_C_GSS_CODE ? "GSS" : "Mech"),
70 (gchar *) status_string.value);
71 gss_release_buffer(&minor, &status_string);
72 } while (message_context != 0);
73 }
74
75 /**
76 * Prints out errors of GSSAPI function invocation
77 */
78 static void sip_sec_krb5_print_gss_error(char *func,
79 OM_uint32 ret,
80 OM_uint32 minor)
81 {
82 sip_sec_krb5_print_gss_error0(func, ret, GSS_C_GSS_CODE);
83 sip_sec_krb5_print_gss_error0(func, minor, GSS_C_MECH_CODE);
84 }
85
86 /* sip-sec-mech.h API implementation for Kerberos/GSSAPI */
87
88 static gboolean
89 sip_sec_acquire_cred__krb5(SipSecContext context,
90 const gchar *domain,
91 const gchar *username,
92 const gchar *password)
93 {
94 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__krb5: started");
95
96 /* With SSO we use the default credentials */
97 if ((context->flags & SIP_SEC_FLAG_COMMON_SSO) == 0) {
98 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
99 gchar *username_new;
100 OM_uint32 ret;
101 OM_uint32 minor, minor_ignore;
102 gss_cred_id_t credentials;
103 gss_buffer_desc input_name_buffer;
104 gss_name_t user_name;
105
106 /* Without SSO we need user name and password */
107 if (!username || !password) {
108 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__krb5: no valid authentication information provided");
109 return(FALSE);
110 }
111
112 /* Construct user name to acquire credentials for */
113 if (!is_empty(domain)) {
114 /* User specified a domain */
115 gchar *realm = g_ascii_strup(domain, -1);
116
117 username_new = g_strdup_printf("%s@%s",
118 username,
119 realm);
120 g_free(realm);
121
122 } else if (strchr(username, '@')) {
123 /* No domain, username matches XXX@YYY */
124 gchar **user_realm = g_strsplit(username, "@", 2);
125 gchar *realm = g_ascii_strup(user_realm[1], -1);
126
127 /*
128 * We should escape the "@" to generate a enterprise
129 * principal, i.e. XXX\@YYY
130 *
131 * But krb5 libraries currently don't support this:
132 *
133 * http://krbdev.mit.edu/rt/Ticket/Display.html?id=7729
134 *
135 * username_new = g_strdup_printf("%s\\@%s",
136 */
137 username_new = g_strdup_printf("%s@%s",
138 user_realm[0],
139 realm);
140 g_free(realm);
141 g_strfreev(user_realm);
142 } else {
143 /* Otherwise use username as is */
144 username_new = g_strdup(username);
145 }
146 SIPE_DEBUG_INFO("sip_sec_acquire_cred__krb5: username '%s'",
147 username_new);
148
149 /* Import user name into GSS format */
150 input_name_buffer.value = (void *) username_new;
151 input_name_buffer.length = strlen(username_new) + 1;
152
153 ret = gss_import_name(&minor,
154 &input_name_buffer,
155 (gss_OID) GSS_C_NT_USER_NAME,
156 &user_name);
157 g_free(username_new);
158
159 if (GSS_ERROR(ret)) {
160 sip_sec_krb5_print_gss_error("gss_import_name", ret, minor);
161 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__krb5: failed to construct user name (ret=%d)", (int)ret);
162 return(FALSE);
163 }
164
165 /* Acquire user credentials with password */
166 input_name_buffer.value = (void *) password;
167 input_name_buffer.length = strlen(password) + 1;
168 ret = gss_acquire_cred_with_password(&minor,
169 user_name,
170 &input_name_buffer,
171 GSS_C_INDEFINITE,
172 GSS_C_NO_OID_SET,
173 GSS_C_INITIATE,
174 &credentials,
175 NULL,
176 NULL);
177 gss_release_name(&minor_ignore, &user_name);
178
179 if (GSS_ERROR(ret)) {
180 sip_sec_krb5_print_gss_error("gss_acquire_cred_with_password", ret, minor);
181 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__krb5: failed to acquire credentials (ret=%d)", (int)ret);
182 return(FALSE);
183 } else {
184 ((context_krb5) context)->cred_krb5 = credentials;
185 return(TRUE);
186 }
187 #else
188 (void) domain; /* keep compiler happy */
189 (void) username; /* keep compiler happy */
190 (void) password; /* keep compiler happy */
191 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__krb5: non-SSO mode not supported");
192 return(FALSE);
193 #endif
194 }
195
196 return(TRUE);
197 }
198
199 static gboolean
200 sip_sec_init_sec_context__krb5(SipSecContext context,
201 SipSecBuffer in_buff,
202 SipSecBuffer *out_buff,
203 const gchar *service_name)
204 {
205 context_krb5 ctx = (context_krb5) context;
206 OM_uint32 ret;
207 OM_uint32 minor, minor_ignore;
208 OM_uint32 expiry;
209 gss_buffer_desc input_token;
210 gss_buffer_desc output_token;
211 gss_name_t target_name;
212
213 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__krb5: started");
214
215 /*
216 * If authentication was already completed, then this mean a new
217 * authentication handshake has started on the existing connection.
218 * We must throw away the old context, because we need a new one.
219 */
220 if ((context->flags & SIP_SEC_FLAG_COMMON_READY) &&
221 (ctx->ctx_krb5 != GSS_C_NO_CONTEXT)) {
222 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__krb5: dropping old context");
223 ret = gss_delete_sec_context(&minor,
224 &(ctx->ctx_krb5),
225 GSS_C_NO_BUFFER);
226 if (GSS_ERROR(ret)) {
227 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret, minor);
228 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to delete security context (ret=%d)", (int)ret);
229 }
230 ctx->ctx_krb5 = GSS_C_NO_CONTEXT;
231 }
232
233 /* Import service name to GSS */
234 input_token.value = (void *) service_name;
235 input_token.length = strlen(service_name) + 1;
236
237 ret = gss_import_name(&minor,
238 &input_token,
239 (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME,
240 &target_name);
241 if (GSS_ERROR(ret)) {
242 sip_sec_krb5_print_gss_error("gss_import_name", ret, minor);
243 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to construct target name (ret=%d)", (int)ret);
244 return(FALSE);
245 }
246
247 /* Create context */
248 input_token.length = in_buff.length;
249 input_token.value = in_buff.value;
250
251 output_token.length = 0;
252 output_token.value = NULL;
253
254 ret = gss_init_sec_context(&minor,
255 ctx->cred_krb5,
256 &(ctx->ctx_krb5),
257 target_name,
258 (gss_OID) gss_mech_krb5,
259 GSS_C_INTEG_FLAG,
260 GSS_C_INDEFINITE,
261 GSS_C_NO_CHANNEL_BINDINGS,
262 &input_token,
263 NULL,
264 &output_token,
265 NULL,
266 &expiry);
267 gss_release_name(&minor_ignore, &target_name);
268
269 if (GSS_ERROR(ret)) {
270 gss_release_buffer(&minor_ignore, &output_token);
271 sip_sec_krb5_print_gss_error("gss_init_sec_context", ret, minor);
272 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to initialize context (ret=%d)", (int)ret);
273 return(FALSE);
274 }
275
276 out_buff->length = output_token.length;
277 out_buff->value = g_memdup(output_token.value, output_token.length);
278 gss_release_buffer(&minor_ignore, &output_token);
279
280 context->expires = (int)expiry;
281
282 /* Authentication is completed */
283 context->flags |= SIP_SEC_FLAG_COMMON_READY;
284
285 return(TRUE);
286 }
287
288 /**
289 * @param message a NULL terminated string to sign
290 */
291 static gboolean
292 sip_sec_make_signature__krb5(SipSecContext context,
293 const gchar *message,
294 SipSecBuffer *signature)
295 {
296 OM_uint32 ret;
297 OM_uint32 minor;
298 gss_buffer_desc input_message;
299 gss_buffer_desc output_token;
300
301 input_message.value = (void *)message;
302 input_message.length = strlen(input_message.value);
303
304 ret = gss_get_mic(&minor,
305 ((context_krb5)context)->ctx_krb5,
306 GSS_C_QOP_DEFAULT,
307 &input_message,
308 &output_token);
309
310 if (GSS_ERROR(ret)) {
311 sip_sec_krb5_print_gss_error("gss_get_mic", ret, minor);
312 SIPE_DEBUG_ERROR("sip_sec_make_signature__krb5: failed to make signature (ret=%d)", (int)ret);
313 return FALSE;
314 } else {
315 signature->length = output_token.length;
316 signature->value = g_memdup(output_token.value,
317 output_token.length);
318 gss_release_buffer(&minor, &output_token);
319 return TRUE;
320 }
321 }
322
323 /**
324 * @param message a NULL terminated string to check signature of
325 */
326 static gboolean
327 sip_sec_verify_signature__krb5(SipSecContext context,
328 const gchar *message,
329 SipSecBuffer signature)
330 {
331 OM_uint32 ret;
332 OM_uint32 minor;
333 gss_buffer_desc input_message;
334 gss_buffer_desc input_token;
335
336 input_message.value = (void *)message;
337 input_message.length = strlen(input_message.value);
338
339 input_token.value = signature.value;
340 input_token.length = signature.length;
341
342 ret = gss_verify_mic(&minor,
343 ((context_krb5)context)->ctx_krb5,
344 &input_message,
345 &input_token,
346 NULL);
347
348 if (GSS_ERROR(ret)) {
349 sip_sec_krb5_print_gss_error("gss_verify_mic", ret, minor);
350 SIPE_DEBUG_ERROR("sip_sec_verify_signature__krb5: failed to make signature (ret=%d)", (int)ret);
351 return FALSE;
352 } else {
353 return TRUE;
354 }
355 }
356
357 static void
358 sip_sec_destroy_sec_context__krb5(SipSecContext context)
359 {
360 context_krb5 ctx = (context_krb5) context;
361 OM_uint32 ret;
362 OM_uint32 minor;
363
364 if (ctx->ctx_krb5 != GSS_C_NO_CONTEXT) {
365 ret = gss_delete_sec_context(&minor, &(ctx->ctx_krb5), GSS_C_NO_BUFFER);
366 if (GSS_ERROR(ret)) {
367 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret, minor);
368 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__krb5: failed to delete security context (ret=%d)", (int)ret);
369 }
370 ctx->ctx_krb5 = GSS_C_NO_CONTEXT;
371 }
372
373 if (ctx->cred_krb5 != GSS_C_NO_CREDENTIAL) {
374 ret = gss_release_cred(&minor, &(ctx->cred_krb5));
375 if (GSS_ERROR(ret)) {
376 sip_sec_krb5_print_gss_error("gss_release_cred", ret, minor);
377 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__krb5: failed to release credentials (ret=%d)", (int)ret);
378 }
379 ctx->cred_krb5 = GSS_C_NO_CREDENTIAL;
380 }
381
382 g_free(context);
383 }
384
385 SipSecContext
386 sip_sec_create_context__krb5(SIPE_UNUSED_PARAMETER guint type)
387 {
388 context_krb5 context = g_malloc0(sizeof(struct _context_krb5));
389 if (!context) return(NULL);
390
391 context->common.acquire_cred_func = sip_sec_acquire_cred__krb5;
392 context->common.init_context_func = sip_sec_init_sec_context__krb5;
393 context->common.destroy_context_func = sip_sec_destroy_sec_context__krb5;
394 context->common.make_signature_func = sip_sec_make_signature__krb5;
395 context->common.verify_signature_func = sip_sec_verify_signature__krb5;
396
397 context->cred_krb5 = GSS_C_NO_CREDENTIAL;
398 context->ctx_krb5 = GSS_C_NO_CONTEXT;
399
400 return((SipSecContext) context);
401 }
402
403 gboolean sip_sec_password__krb5(void)
404 {
405 /* Kerberos supports Single-Sign On */
406 return(FALSE);
407 }
408
409 /*
410 Local Variables:
411 mode: c
412 c-file-style: "bsd"
413 indent-tabs-mode: t
414 tab-width: 8
415 End:
416 */
A third-party Pidgin plugin for Microsoft LCS/OCS