search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix #245: "Unable to resolve DNS SRV record" error when joining conference
[siplcs.git] / src / core / sip-sec-gssapi.c
blob50c270122938cf2c791f6bbc2f7edd124354fabb
1 /**
2 * @file sip-sec-gssapi.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 *
24 *
25 * This module implements sip-sec authentication API using GSSAPI.
26 *
27 * It can be compiled in two different modes:
28 *
29 * - Kerberos-only: NTLM & SPNEGO are using SIPE internal implementation
30 * [HAVE_GSSAPI_ONLY is not defined]
31 *
32 * - pure GSSAPI: this modules handles Kerberos, NTLM & SPNEGO
33 * [HAVE_GSSAPI_ONLY is defined]
34 */
35
36 #ifdef HAVE_CONFIG_H
37 #include "config.h"
38 #endif
39
40 #include <glib.h>
41 #include <string.h>
42 #include <gssapi/gssapi.h>
43 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
44 #include <gssapi/gssapi_ext.h>
45 #endif
46 #include <gssapi/gssapi_krb5.h>
47 #ifdef HAVE_GSSAPI_ONLY
48 #include <gssapi/gssapi_ntlmssp.h>
49 #endif
50
51 #include "sipe-common.h"
52 #include "sip-sec.h"
53 #include "sip-sec-mech.h"
54 #include "sip-sec-gssapi.h"
55 #include "sipe-backend.h"
56 #include "sipe-core.h"
57 #include "sipe-utils.h"
58
59 /* Security context for Kerberos */
60 typedef struct _context_gssapi {
61 struct sip_sec_context common;
62 gss_cred_id_t cred_gssapi;
63 gss_ctx_id_t ctx_gssapi;
64 gss_name_t target_name;
65 } *context_gssapi;
66
67 #ifdef HAVE_GSSAPI_ONLY
68 static const gss_OID_desc gss_mech_ntlmssp = {
69 GSS_NTLMSSP_OID_LENGTH,
70 GSS_NTLMSSP_OID_STRING
71 };
72
73 static const gss_OID_desc gss_mech_spnego = {
74 6,
75 "\x2b\x06\x01\x05\x05\x02"
76 };
77
78 /*
79 * The SPNEGO implementation on older Microsoft IIS servers sends a
80 * non-conformant final empty token that is not accepted by the SPNEGO
81 * implementation in older MIT KRB5 releases:
82 *
83 * Base64-encoded DER: oRgwFqADCgEAoQsGCSqGSIb3EgECAqICBAA=
84 *
85 * Decoded ASN.1:
86 * 0:d=0 hl=2 l= 24 cons: cont [ 1 ]
87 * 2:d=1 hl=2 l= 22 cons: SEQUENCE
88 * 4:d=2 hl=2 l= 3 cons: cont [ 0 ]
89 * 6:d=3 hl=2 l= 1 prim: ENUMERATED :00
90 * 9:d=2 hl=2 l= 11 cons: cont [ 1 ]
91 * 11:d=3 hl=2 l= 9 prim: OBJECT :1.2.840.113554.1.2.2
92 * 22:d=2 hl=2 l= 2 cons: cont [ 2 ] | this empty element is not
93 * 24:d=3 hl=2 l= 0 prim: OCTET STRING | correct according to spec
94 *
95 * We can circumvent this problem by setting GSS_C_MUTUAL_FLAG which causes
96 * the server to send a non-empty final token. We set the following flag to
97 * TRUE after the first time gss_init_sec_context() returns with a
98 * "defective token" error.
99 */
100 static gboolean spnego_mutual_flag = FALSE;
101 #endif
102
103 #define SIP_SEC_FLAG_GSSAPI_SIP_NTLM 0x00010000
104 #define SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK 0x00020000
105
106 static void sip_sec_gssapi_print_gss_error0(char *func,
107 OM_uint32 status,
108 int type)
109 {
110 OM_uint32 minor;
111 OM_uint32 message_context = 0;
112 gss_buffer_desc status_string;
113
114 do {
115 gss_display_status(&minor,
116 status,
117 type,
118 GSS_C_NO_OID,
119 &message_context,
120 &status_string);
121
122 SIPE_DEBUG_ERROR("sip_sec_gssapi: GSSAPI error in %s (%s): %s",
123 func,
124 (type == GSS_C_GSS_CODE ? "GSS" : "Mech"),
125 (gchar *) status_string.value);
126 gss_release_buffer(&minor, &status_string);
127 } while (message_context != 0);
128 }
129
130 /* Prints out errors of GSSAPI function invocation */
131 static void sip_sec_gssapi_print_gss_error(char *func,
132 OM_uint32 ret,
133 OM_uint32 minor)
134 {
135 sip_sec_gssapi_print_gss_error0(func, ret, GSS_C_GSS_CODE);
136 sip_sec_gssapi_print_gss_error0(func, minor, GSS_C_MECH_CODE);
137 }
138
139 #if defined(HAVE_GSSAPI_PASSWORD_SUPPORT) || defined(HAVE_GSSAPI_ONLY)
140 /* NOTE: releases "set" on error */
141 static gboolean add_mech(gss_OID_set set,
142 gss_OID mech,
143 const gchar *name)
144 {
145 OM_uint32 ret;
146 OM_uint32 minor;
147
148 ret = gss_add_oid_set_member(&minor, mech, &set);
149 if (GSS_ERROR(ret)) {
150 sip_sec_gssapi_print_gss_error("gss_add_oid_set_member", ret, minor);
151 SIPE_DEBUG_ERROR("add_mech: can't add %s to mech set (ret=%u)", name, ret);
152 gss_release_oid_set(&minor, &set);
153 return(FALSE);
154 }
155 SIPE_DEBUG_INFO("add_mech: added %s to mech set", name);
156
157 return(TRUE);
158 }
159
160 static gss_OID_set create_mechs_set(guint type)
161 {
162 OM_uint32 ret;
163 OM_uint32 minor;
164 gss_OID_set set = GSS_C_NO_OID_SET;
165 gss_OID mech_oid;
166 const gchar *name;
167
168 ret = gss_create_empty_oid_set(&minor, &set);
169 if (GSS_ERROR(ret)) {
170 sip_sec_gssapi_print_gss_error("gss_create_empty_oid_set", ret, minor);
171 SIPE_DEBUG_ERROR("create_mechs_set: can't create mech set (ret=%u)", ret);
172 return(GSS_C_NO_OID_SET);
173 }
174
175 #ifdef HAVE_GSSAPI_ONLY
176 switch (type) {
177 case SIPE_AUTHENTICATION_TYPE_NTLM:
178 mech_oid = (gss_OID) &gss_mech_ntlmssp;
179 name = "NTLM";
180 break;
181
182 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
183 #else
184 (void) type; /* keep compiler happy */
185 #endif
186 mech_oid = (gss_OID) gss_mech_krb5;
187 name = "Kerberos";
188 #ifdef HAVE_GSSAPI_ONLY
189 break;
190
191 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
192 mech_oid = (gss_OID) &gss_mech_spnego;
193 name = "SPNEGO";
194 break;
195
196 default:
197 SIPE_DEBUG_ERROR("create_mechs_set: invoked with invalid type %u",
198 type);
199 gss_release_oid_set(&minor, &set);
200 return(GSS_C_NO_OID_SET);
201 break;
202 }
203 #endif
204
205 return(add_mech(set, mech_oid, name) ? set : GSS_C_NO_OID_SET);
206 }
207 #endif
208
209 #ifdef HAVE_GSSAPI_ONLY
210 static gss_OID_set create_neg_mechs_set(void)
211 {
212 OM_uint32 ret;
213 OM_uint32 minor;
214 gss_OID_set set = GSS_C_NO_OID_SET;
215
216 ret = gss_create_empty_oid_set(&minor, &set);
217 if (GSS_ERROR(ret)) {
218 sip_sec_gssapi_print_gss_error("gss_create_empty_oid_set", ret, minor);
219 SIPE_DEBUG_ERROR("create_neg_mechs_set: can't create mech set (ret=%u)", ret);
220 return(GSS_C_NO_OID_SET);
221 }
222
223 return((add_mech(set, (gss_OID) gss_mech_krb5, "Kerberos") &&
224 add_mech(set, (gss_OID) &gss_mech_ntlmssp, "NTLM")) ?
225 set : GSS_C_NO_OID_SET);
226 }
227
228 static gboolean gssntlm_reset_mic_sequence(context_gssapi context)
229 {
230 OM_uint32 ret;
231 OM_uint32 minor;
232 gss_buffer_desc value;
233 guint sequence = 100;
234
235 static const gss_OID_desc set_sequence_num_oid = {
236 GSS_NTLMSSP_SET_SEQ_NUM_OID_LENGTH,
237 GSS_NTLMSSP_SET_SEQ_NUM_OID_STRING
238 };
239
240 value.length = sizeof(sequence);
241 value.value = &sequence;
242
243 ret = gss_set_sec_context_option(&minor,
244 &context->ctx_gssapi,
245 (gss_OID_desc *) &set_sequence_num_oid,
246 &value);
247 if (GSS_ERROR(ret)) {
248 sip_sec_gssapi_print_gss_error("gss_set_sec_context_option", ret, minor);
249 SIPE_DEBUG_ERROR("gssntlm_reset_mic_sequence: failed to reset MIC sequence number (ret=%u)", ret);
250 return(FALSE);
251 }
252
253 return(TRUE);
254 }
255 #endif
256
257 static void drop_gssapi_context(SipSecContext context)
258 {
259 context_gssapi ctx = (context_gssapi) context;
260 OM_uint32 ret;
261 OM_uint32 minor;
262
263 ret = gss_delete_sec_context(&minor,
264 &(ctx->ctx_gssapi),
265 GSS_C_NO_BUFFER);
266 if (GSS_ERROR(ret)) {
267 sip_sec_gssapi_print_gss_error("gss_delete_sec_context", ret, minor);
268 SIPE_DEBUG_ERROR("drop_gssapi_context: failed to delete security context (ret=%u)", ret);
269 }
270 ctx->ctx_gssapi = GSS_C_NO_CONTEXT;
271 context->flags &= ~SIP_SEC_FLAG_COMMON_READY;
272 }
273
274 /* sip-sec-mech.h API implementation for Kerberos/GSSAPI */
275
276 static gboolean
277 sip_sec_acquire_cred__gssapi(SipSecContext context,
278 const gchar *domain,
279 const gchar *username,
280 const gchar *password)
281 {
282 context_gssapi ctx = (context_gssapi) context;
283
284 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__gssapi: started");
285
286 /* this is the first time we are allowed to set private flags */
287 if (((context->flags & SIP_SEC_FLAG_COMMON_HTTP) == 0) &&
288 (context->type == SIPE_AUTHENTICATION_TYPE_NTLM))
289 context->flags |= SIP_SEC_FLAG_GSSAPI_SIP_NTLM;
290
291 /* With SSO we use the default credentials */
292 if ((context->flags & SIP_SEC_FLAG_COMMON_SSO) == 0) {
293 #ifdef HAVE_GSSAPI_PASSWORD_SUPPORT
294 gchar *username_new;
295 OM_uint32 ret;
296 OM_uint32 minor, minor_ignore;
297 gss_OID_set mechs_set;
298 gss_cred_id_t credentials;
299 gss_buffer_desc input_name_buffer;
300 gss_name_t user_name;
301
302 /* Without SSO we need user name and password */
303 if (!username || !password) {
304 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__gssapi: no valid authentication information provided");
305 return(FALSE);
306 }
307
308 mechs_set = create_mechs_set(context->type);
309 if (mechs_set == GSS_C_NO_OID_SET)
310 return(FALSE);
311
312 /* Construct user name to acquire credentials for */
313 if (!is_empty(domain)) {
314 /* User specified a domain */
315 gchar *realm = g_ascii_strup(domain, -1);
316
317 username_new = g_strdup_printf("%s@%s",
318 username,
319 realm);
320 g_free(realm);
321
322 } else if (strchr(username, '@')) {
323 /* No domain, username matches XXX@YYY */
324 gchar **user_realm = g_strsplit(username, "@", 2);
325 gchar *realm = g_ascii_strup(user_realm[1], -1);
326
327 /*
328 * We should escape the "@" to generate a enterprise
329 * principal, i.e. XXX\@YYY
330 *
331 * But krb5 libraries currently don't support this:
332 *
333 * http://krbdev.mit.edu/rt/Ticket/Display.html?id=7729
334 *
335 * username_new = g_strdup_printf("%s\\@%s",
336 */
337 username_new = g_strdup_printf("%s@%s",
338 user_realm[0],
339 realm);
340 g_free(realm);
341 g_strfreev(user_realm);
342 } else {
343 /* Otherwise use username as is */
344 username_new = g_strdup(username);
345 }
346 SIPE_DEBUG_INFO("sip_sec_acquire_cred__gssapi: username '%s'",
347 username_new);
348
349 /* Import user name into GSS format */
350 input_name_buffer.value = (void *) username_new;
351 input_name_buffer.length = strlen(username_new) + 1;
352
353 ret = gss_import_name(&minor,
354 &input_name_buffer,
355 (gss_OID) GSS_C_NT_USER_NAME,
356 &user_name);
357 g_free(username_new);
358
359 if (GSS_ERROR(ret)) {
360 sip_sec_gssapi_print_gss_error("gss_import_name", ret, minor);
361 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to construct user name (ret=%u)", ret);
362 gss_release_oid_set(&minor, &mechs_set);
363 return(FALSE);
364 }
365
366 /* Acquire user credentials with password */
367 input_name_buffer.value = (void *) password;
368 input_name_buffer.length = strlen(password) + 1;
369 ret = gss_acquire_cred_with_password(&minor,
370 user_name,
371 &input_name_buffer,
372 GSS_C_INDEFINITE,
373 mechs_set,
374 GSS_C_INITIATE,
375 &credentials,
376 NULL,
377 NULL);
378 gss_release_name(&minor_ignore, &user_name);
379 gss_release_oid_set(&minor_ignore, &mechs_set);
380
381 if (GSS_ERROR(ret)) {
382 sip_sec_gssapi_print_gss_error("gss_acquire_cred_with_password", ret, minor);
383 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to acquire credentials (ret=%u)", ret);
384 return(FALSE);
385 }
386
387 ctx->cred_gssapi = credentials;
388
389 #else
390 /*
391 * non-SSO support requires gss_acquire_cred_with_password()
392 * which is not available on older GSSAPI releases.
393 */
394 (void) domain; /* keep compiler happy */
395 (void) username; /* keep compiler happy */
396 (void) password; /* keep compiler happy */
397 (void) ctx; /* keep compiler happy */
398 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_acquire_cred__gssapi: non-SSO mode not supported");
399 return(FALSE);
400 #endif
401 }
402 #ifdef HAVE_GSSAPI_ONLY
403 else {
404 OM_uint32 ret;
405 OM_uint32 minor, minor_ignore;
406 gss_OID_set mechs_set;
407 gss_cred_id_t credentials;
408
409 mechs_set = create_mechs_set(context->type);
410 if (mechs_set == GSS_C_NO_OID_SET)
411 return(FALSE);
412
413 ret = gss_acquire_cred(&minor,
414 GSS_C_NO_NAME,
415 GSS_C_INDEFINITE,
416 mechs_set,
417 GSS_C_INITIATE,
418 &credentials,
419 NULL,
420 NULL);
421 gss_release_oid_set(&minor_ignore, &mechs_set);
422
423 if (GSS_ERROR(ret)) {
424 sip_sec_gssapi_print_gss_error("gss_acquire_cred", ret, minor);
425 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to acquire credentials (ret=%u)", ret);
426 return(FALSE);
427 }
428
429 ctx->cred_gssapi = credentials;
430 }
431
432 if (context->type == SIPE_AUTHENTICATION_TYPE_NEGOTIATE) {
433 OM_uint32 ret;
434 OM_uint32 minor, minor_ignore;
435 gss_OID_set mechs_set = create_neg_mechs_set();
436
437 if (mechs_set == GSS_C_NO_OID_SET)
438 return(FALSE);
439
440 ret = gss_set_neg_mechs(&minor,
441 ctx->cred_gssapi,
442 mechs_set);
443 gss_release_oid_set(&minor_ignore, &mechs_set);
444
445 if (GSS_ERROR(ret)) {
446 sip_sec_gssapi_print_gss_error("gss_set_neg_mechs", ret, minor);
447 SIPE_DEBUG_ERROR("sip_sec_acquire_cred__gssapi: failed to set negotiate mechanisms (ret=%u)", ret);
448 return(FALSE);
449 }
450 }
451 #endif
452
453 return(TRUE);
454 }
455
456 static gboolean
457 sip_sec_init_sec_context__gssapi(SipSecContext context,
458 SipSecBuffer in_buff,
459 SipSecBuffer *out_buff,
460 const gchar *service_name)
461 {
462 context_gssapi ctx = (context_gssapi) context;
463 OM_uint32 ret;
464 OM_uint32 minor, minor_ignore;
465 OM_uint32 expiry;
466 gss_buffer_desc input_token;
467 gss_buffer_desc output_token;
468 #ifdef HAVE_GSSAPI_ONLY
469 gss_OID mech_oid;
470 OM_uint32 flags = GSS_C_INTEG_FLAG;
471 #endif
472
473 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: started");
474
475 /*
476 * If authentication was already completed, then this mean a new
477 * authentication handshake has started on the existing connection.
478 * We must throw away the old context, because we need a new one.
479 */
480 if ((context->flags & SIP_SEC_FLAG_COMMON_READY) &&
481 (ctx->ctx_gssapi != GSS_C_NO_CONTEXT)) {
482 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: dropping old context");
483 drop_gssapi_context(context);
484 }
485
486 /* Import service name to GSS */
487 if (ctx->target_name == GSS_C_NO_NAME) {
488 gchar *hostbased_service_name = sipe_utils_str_replace(service_name,
489 "/",
490 "@");
491
492 input_token.value = (void *) hostbased_service_name;
493 input_token.length = strlen(input_token.value) + 1;
494 ret = gss_import_name(&minor,
495 &input_token,
496 (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
497 &(ctx->target_name));
498 g_free(hostbased_service_name);
499
500 if (GSS_ERROR(ret)) {
501 sip_sec_gssapi_print_gss_error("gss_import_name", ret, minor);
502 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: failed to construct target name (ret=%u)", ret);
503 return(FALSE);
504 }
505 }
506
507 #ifdef HAVE_GSSAPI_ONLY
508 switch(context->type) {
509 case SIPE_AUTHENTICATION_TYPE_NTLM:
510 mech_oid = (gss_OID) &gss_mech_ntlmssp;
511 if (context->flags & SIP_SEC_FLAG_GSSAPI_SIP_NTLM)
512 flags |= GSS_C_DATAGRAM_FLAG;
513 break;
514
515 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
516 mech_oid = (gss_OID) gss_mech_krb5;
517 break;
518
519 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
520 /*
521 * Some servers do not accept SPNEGO for Negotiate.
522 * If come back here with an existing security context
523 * and NULL input token we will fall back to NTLM
524 */
525 if (ctx->ctx_gssapi && (in_buff.value == NULL)) {
526
527 /* Only try this once */
528 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK) {
529 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_init_sec_context__gssapi: SPNEGO-to-NTLM fallback failed");
530 return(FALSE);
531 }
532
533 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__gssapi: SPNEGO failed. Falling back to NTLM");
534 drop_gssapi_context(context);
535
536 context->flags |= SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK;
537 }
538
539 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK) {
540 mech_oid = (gss_OID) &gss_mech_ntlmssp;
541 } else {
542 mech_oid = (gss_OID) &gss_mech_spnego;
543 if (spnego_mutual_flag)
544 flags |= GSS_C_MUTUAL_FLAG;
545 }
546 break;
547
548 default:
549 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: invoked for invalid type %u",
550 context->type);
551 return(FALSE);
552 }
553 #endif
554
555 /* Create context */
556 input_token.length = in_buff.length;
557 input_token.value = in_buff.value;
558
559 output_token.length = 0;
560 output_token.value = NULL;
561
562 ret = gss_init_sec_context(&minor,
563 ctx->cred_gssapi,
564 &(ctx->ctx_gssapi),
565 ctx->target_name,
566 #ifdef HAVE_GSSAPI_ONLY
567 mech_oid,
568 flags,
569 #else
570 (gss_OID) gss_mech_krb5,
571 GSS_C_INTEG_FLAG,
572 #endif
573 GSS_C_INDEFINITE,
574 GSS_C_NO_CHANNEL_BINDINGS,
575 &input_token,
576 NULL,
577 &output_token,
578 NULL,
579 &expiry);
580
581 if (GSS_ERROR(ret)) {
582 gss_release_buffer(&minor_ignore, &output_token);
583 sip_sec_gssapi_print_gss_error("gss_init_sec_context", ret, minor);
584 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__gssapi: failed to initialize context (ret=%u)", ret);
585
586 #ifdef HAVE_GSSAPI_ONLY
587 /* Enable workaround for SPNEGO (see above) */
588 if (ret == GSS_S_DEFECTIVE_TOKEN) {
589 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_init_sec_context__gssapi: enabling workaround for SPNEGO");
590 spnego_mutual_flag = TRUE;
591 }
592 #endif
593
594 return(FALSE);
595 }
596
597 out_buff->length = output_token.length;
598 if (out_buff->length)
599 out_buff->value = g_memdup(output_token.value, output_token.length);
600 else
601 /* Special case: empty token */
602 out_buff->value = (guint8 *) g_strdup("");
603
604 gss_release_buffer(&minor_ignore, &output_token);
605
606 context->expires = (int)expiry;
607
608 if (ret == GSS_S_COMPLETE) {
609 /* Authentication is completed */
610 context->flags |= SIP_SEC_FLAG_COMMON_READY;
611
612 #ifdef HAVE_GSSAPI_ONLY
613 if ((context->flags & SIP_SEC_FLAG_GSSAPI_SIP_NTLM) &&
614 !gssntlm_reset_mic_sequence(ctx))
615 return(FALSE);
616 #endif
617 }
618
619 return(TRUE);
620 }
621
622 /**
623 * @param message a NULL terminated string to sign
624 */
625 static gboolean
626 sip_sec_make_signature__gssapi(SipSecContext context,
627 const gchar *message,
628 SipSecBuffer *signature)
629 {
630 OM_uint32 ret;
631 OM_uint32 minor;
632 gss_buffer_desc input_message;
633 gss_buffer_desc output_token;
634
635 input_message.value = (void *)message;
636 input_message.length = strlen(input_message.value);
637
638 ret = gss_get_mic(&minor,
639 ((context_gssapi)context)->ctx_gssapi,
640 GSS_C_QOP_DEFAULT,
641 &input_message,
642 &output_token);
643
644 if (GSS_ERROR(ret)) {
645 sip_sec_gssapi_print_gss_error("gss_get_mic", ret, minor);
646 SIPE_DEBUG_ERROR("sip_sec_make_signature__gssapi: failed to make signature (ret=%u)", ret);
647 return FALSE;
648 } else {
649 signature->length = output_token.length;
650 signature->value = g_memdup(output_token.value,
651 output_token.length);
652 gss_release_buffer(&minor, &output_token);
653 return TRUE;
654 }
655 }
656
657 /**
658 * @param message a NULL terminated string to check signature of
659 */
660 static gboolean
661 sip_sec_verify_signature__gssapi(SipSecContext context,
662 const gchar *message,
663 SipSecBuffer signature)
664 {
665 OM_uint32 ret;
666 OM_uint32 minor;
667 gss_buffer_desc input_message;
668 gss_buffer_desc input_token;
669
670 input_message.value = (void *)message;
671 input_message.length = strlen(input_message.value);
672
673 input_token.value = signature.value;
674 input_token.length = signature.length;
675
676 ret = gss_verify_mic(&minor,
677 ((context_gssapi)context)->ctx_gssapi,
678 &input_message,
679 &input_token,
680 NULL);
681
682 if (GSS_ERROR(ret)) {
683 sip_sec_gssapi_print_gss_error("gss_verify_mic", ret, minor);
684 SIPE_DEBUG_ERROR("sip_sec_verify_signature__gssapi: failed to verify signature (ret=%u)", ret);
685 return FALSE;
686 } else {
687 return TRUE;
688 }
689 }
690
691 static void
692 sip_sec_destroy_sec_context__gssapi(SipSecContext context)
693 {
694 context_gssapi ctx = (context_gssapi) context;
695 OM_uint32 ret;
696 OM_uint32 minor;
697
698 if (ctx->ctx_gssapi != GSS_C_NO_CONTEXT)
699 drop_gssapi_context(context);
700
701 if (ctx->cred_gssapi != GSS_C_NO_CREDENTIAL) {
702 ret = gss_release_cred(&minor, &(ctx->cred_gssapi));
703 if (GSS_ERROR(ret)) {
704 sip_sec_gssapi_print_gss_error("gss_release_cred", ret, minor);
705 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__gssapi: failed to release credentials (ret=%u)", ret);
706 }
707 ctx->cred_gssapi = GSS_C_NO_CREDENTIAL;
708 }
709
710 if (ctx->target_name != GSS_C_NO_NAME) {
711 ret = gss_release_name(&minor, &(ctx->target_name));
712 if (GSS_ERROR(ret)) {
713 sip_sec_gssapi_print_gss_error("gss_release_name", ret, minor);
714 SIPE_DEBUG_ERROR("sip_sec_destroy_sec_context__gssapi: failed to release name (ret=%u)", ret);
715 }
716 ctx->target_name = GSS_C_NO_NAME;
717 }
718
719 g_free(context);
720 }
721
722 static const gchar *
723 sip_sec_context_name__gssapi(SipSecContext context)
724 {
725 #ifdef HAVE_GSSAPI_ONLY
726 const gchar *name;
727
728 switch(context->type) {
729 case SIPE_AUTHENTICATION_TYPE_NTLM:
730 name = "NTLM";
731 break;
732
733 case SIPE_AUTHENTICATION_TYPE_KERBEROS:
734 name = "Kerberos";
735 break;
736
737 case SIPE_AUTHENTICATION_TYPE_NEGOTIATE:
738 if (context->flags & SIP_SEC_FLAG_GSSAPI_NEGOTIATE_FALLBACK)
739 name = "NTLM";
740 else
741 name = "Negotiate";
742 break;
743
744 default:
745 SIPE_DEBUG_ERROR("sip_sec_context_name__gssapi: invoked for invalid type %u",
746 context->type);
747 name = "";
748 break;
749 }
750
751 return(name);
752
753 #else
754 (void) context; /* keep compiler happy */
755 return("Kerberos");
756 #endif
757 }
758
759 SipSecContext
760 sip_sec_create_context__gssapi(SIPE_UNUSED_PARAMETER guint type)
761 {
762 context_gssapi context = g_malloc0(sizeof(struct _context_gssapi));
763 if (!context) return(NULL);
764
765 context->common.acquire_cred_func = sip_sec_acquire_cred__gssapi;
766 context->common.init_context_func = sip_sec_init_sec_context__gssapi;
767 context->common.destroy_context_func = sip_sec_destroy_sec_context__gssapi;
768 context->common.make_signature_func = sip_sec_make_signature__gssapi;
769 context->common.verify_signature_func = sip_sec_verify_signature__gssapi;
770 context->common.context_name_func = sip_sec_context_name__gssapi;
771
772 context->cred_gssapi = GSS_C_NO_CREDENTIAL;
773 context->ctx_gssapi = GSS_C_NO_CONTEXT;
774 context->target_name = GSS_C_NO_NAME;
775
776 return((SipSecContext) context);
777 }
778
779 gboolean sip_sec_password__gssapi(void)
780 {
781 /* Kerberos supports Single-Sign On */
782 return(FALSE);
783 }
784
785 /*
786 Local Variables:
787 mode: c
788 c-file-style: "bsd"
789 indent-tabs-mode: t
790 tab-width: 8
791 End:
792 */
A third-party Pidgin plugin for Microsoft LCS/OCS