search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ntlm: drop all references to it when SSPI is selected
[siplcs.git] / src / core / sip-sec-sspi.c
blob706ebc8848f55fb9516c5faaa70f60401d7ad372
1 /**
2 * @file sip-sec-sspi.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2011 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include <stdio.h>
26 #include <windows.h>
27 #include <rpc.h>
28 #ifdef HAVE_CONFIG_H
29 /* This should not affect Makefile.mingw builds, as it doesn't use config.h */
30 #ifndef SECURITY_WIN32
31 #define SECURITY_WIN32 1
32 #endif
33 #endif
34 #include <security.h>
35
36 #include <glib.h>
37
38 #include "sip-sec.h"
39 #include "sip-sec-mech.h"
40 #include "sip-sec-sspi.h"
41 #include "sipe-backend.h"
42
43 /* Mechanism names */
44 #define SSPI_MECH_NTLM "NTLM"
45 #define SSPI_MECH_KERBEROS "Kerberos"
46 #define SSPI_MECH_NEGOTIATE "Negotiate"
47
48 #ifndef ISC_REQ_IDENTIFY
49 #define ISC_REQ_IDENTIFY 0x00002000
50 #endif
51
52 typedef struct _context_sspi {
53 struct sip_sec_context common;
54 CredHandle* cred_sspi;
55 CtxtHandle* ctx_sspi;
56 /** Kerberos or NTLM */
57 const char *mech;
58 } *context_sspi;
59
60 static int
61 sip_sec_get_interval_from_now_sec(TimeStamp timestamp);
62
63 void
64 sip_sec_sspi_print_error(const char *func,
65 SECURITY_STATUS ret);
66
67 /** internal method */
68 static void
69 sip_sec_destroy_sspi_context(context_sspi context)
70 {
71 if (context->ctx_sspi)
72 DeleteSecurityContext(context->ctx_sspi);
73 if (context->cred_sspi)
74 FreeCredentialsHandle(context->cred_sspi);
75 }
76
77 /* sip-sec-mech.h API implementation for SSPI - Kerberos and NTLM */
78
79 static sip_uint32
80 sip_sec_acquire_cred__sspi(SipSecContext context,
81 const char *domain,
82 const char *username,
83 const char *password)
84 {
85 SECURITY_STATUS ret;
86 TimeStamp expiry;
87 SEC_WINNT_AUTH_IDENTITY auth_identity;
88 context_sspi ctx = (context_sspi)context;
89 CredHandle *cred_handle;
90
91 if (username) {
92 if (!password) {
93 return SIP_SEC_E_INTERNAL_ERROR;
94 }
95
96 memset(&auth_identity, 0, sizeof(auth_identity));
97 auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
98
99 if ( domain && (strlen(domain) > 0) ) {
100 auth_identity.Domain = (unsigned char*)domain;
101 auth_identity.DomainLength = strlen(domain);
102 }
103
104 auth_identity.User = (unsigned char*)username;
105 auth_identity.UserLength = strlen(username);
106
107 auth_identity.Password = (unsigned char*)password;
108 auth_identity.PasswordLength = strlen(password);
109 }
110
111 cred_handle = g_malloc0(sizeof(CredHandle));
112
113 ret = AcquireCredentialsHandle( NULL,
114 (SEC_CHAR *)ctx->mech,
115 SECPKG_CRED_OUTBOUND,
116 NULL,
117 (context->sso || !username) ? NULL : &auth_identity,
118 NULL,
119 NULL,
120 cred_handle,
121 &expiry
122 );
123
124 if (ret != SEC_E_OK) {
125 sip_sec_sspi_print_error("sip_sec_acquire_cred__sspi: AcquireCredentialsHandle", ret);
126 ctx->cred_sspi = NULL;
127 return SIP_SEC_E_INTERNAL_ERROR;
128 } else {
129 ctx->cred_sspi = cred_handle;
130 return SIP_SEC_E_OK;
131 }
132 }
133
134 static sip_uint32
135 sip_sec_init_sec_context__sspi(SipSecContext context,
136 SipSecBuffer in_buff,
137 SipSecBuffer *out_buff,
138 const char *service_name)
139 {
140 TimeStamp expiry;
141 SecBufferDesc input_desc, output_desc;
142 SecBuffer in_token, out_token;
143 SECURITY_STATUS ret;
144 ULONG req_flags;
145 ULONG ret_flags;
146 context_sspi ctx = (context_sspi)context;
147 CtxtHandle* out_context = g_malloc0(sizeof(CtxtHandle));
148
149 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__sspi: in use");
150
151 input_desc.cBuffers = 1;
152 input_desc.pBuffers = &in_token;
153 input_desc.ulVersion = SECBUFFER_VERSION;
154
155 /* input token */
156 in_token.BufferType = SECBUFFER_TOKEN;
157 in_token.cbBuffer = in_buff.length;
158 in_token.pvBuffer = in_buff.value;
159
160 output_desc.cBuffers = 1;
161 output_desc.pBuffers = &out_token;
162 output_desc.ulVersion = SECBUFFER_VERSION;
163
164 /* to hold output token */
165 out_token.BufferType = SECBUFFER_TOKEN;
166 out_token.cbBuffer = 0;
167 out_token.pvBuffer = NULL;
168
169 req_flags = (ISC_REQ_ALLOCATE_MEMORY |
170 ISC_REQ_INTEGRITY |
171 ISC_REQ_IDENTIFY);
172
173 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_NTLM) &&
174 !context->is_connection_based)
175 {
176 req_flags |= (ISC_REQ_DATAGRAM);
177 }
178
179 ret = InitializeSecurityContext(ctx->cred_sspi,
180 ctx->ctx_sspi,
181 (SEC_CHAR *)service_name,
182 req_flags,
183 0,
184 SECURITY_NATIVE_DREP,
185 &input_desc,
186 0,
187 out_context,
188 &output_desc,
189 &ret_flags,
190 &expiry
191 );
192
193 if (ret != SEC_E_OK && ret != SEC_I_CONTINUE_NEEDED) {
194 sip_sec_destroy_sspi_context(ctx);
195 sip_sec_sspi_print_error("sip_sec_init_sec_context__sspi: InitializeSecurityContext", ret);
196 return SIP_SEC_E_INTERNAL_ERROR;
197 }
198
199 out_buff->length = out_token.cbBuffer;
200 out_buff->value = NULL;
201 if (out_token.cbBuffer) {
202 out_buff->value = g_malloc0(out_token.cbBuffer);
203 memmove(out_buff->value, out_token.pvBuffer, out_token.cbBuffer);
204 FreeContextBuffer(out_token.pvBuffer);
205 }
206
207 ctx->ctx_sspi = out_context;
208 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_KERBEROS)) {
209 context->expires = sip_sec_get_interval_from_now_sec(expiry);
210 }
211
212 if (ret == SEC_I_CONTINUE_NEEDED) {
213 return SIP_SEC_I_CONTINUE_NEEDED;
214 } else {
215 return SIP_SEC_E_OK;
216 }
217 }
218
219 static void
220 sip_sec_destroy_sec_context__sspi(SipSecContext context)
221 {
222 sip_sec_destroy_sspi_context((context_sspi)context);
223 g_free(context);
224 }
225
226 /**
227 * @param message a NULL terminated string to sign
228 *
229 */
230 static sip_uint32
231 sip_sec_make_signature__sspi(SipSecContext context,
232 const char *message,
233 SipSecBuffer *signature)
234 {
235 SecBufferDesc buffs_desc;
236 SecBuffer buffs[2];
237 SECURITY_STATUS ret;
238 SecPkgContext_Sizes context_sizes;
239 unsigned char *signature_buff;
240 size_t signature_buff_length;
241 context_sspi ctx = (context_sspi) context;
242
243 ret = QueryContextAttributes(ctx->ctx_sspi,
244 SECPKG_ATTR_SIZES,
245 &context_sizes);
246
247 if (ret != SEC_E_OK) {
248 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: QueryContextAttributes", ret);
249 return SIP_SEC_E_INTERNAL_ERROR;
250 }
251
252 signature_buff_length = context_sizes.cbMaxSignature;
253 signature_buff = g_malloc0(signature_buff_length);
254
255 buffs_desc.cBuffers = 2;
256 buffs_desc.pBuffers = buffs;
257 buffs_desc.ulVersion = SECBUFFER_VERSION;
258
259 /* message to sign */
260 buffs[0].BufferType = SECBUFFER_DATA;
261 buffs[0].cbBuffer = strlen(message);
262 buffs[0].pvBuffer = (PVOID)message;
263
264 /* to hold signature */
265 buffs[1].BufferType = SECBUFFER_TOKEN;
266 buffs[1].cbBuffer = signature_buff_length;
267 buffs[1].pvBuffer = signature_buff;
268
269 ret = MakeSignature(ctx->ctx_sspi,
270 (ULONG)0,
271 &buffs_desc,
272 100);
273 if (ret != SEC_E_OK) {
274 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: MakeSignature", ret);
275 g_free(signature_buff);
276 return SIP_SEC_E_INTERNAL_ERROR;
277 }
278
279 signature->value = signature_buff;
280 signature->length = buffs[1].cbBuffer;
281
282 return SIP_SEC_E_OK;
283 }
284
285 /**
286 * @param message a NULL terminated string to check signature of
287 * @return SIP_SEC_E_OK on success
288 */
289 static sip_uint32
290 sip_sec_verify_signature__sspi(SipSecContext context,
291 const char *message,
292 SipSecBuffer signature)
293 {
294 SecBufferDesc buffs_desc;
295 SecBuffer buffs[2];
296 SECURITY_STATUS ret;
297
298 buffs_desc.cBuffers = 2;
299 buffs_desc.pBuffers = buffs;
300 buffs_desc.ulVersion = SECBUFFER_VERSION;
301
302 /* message to sign */
303 buffs[0].BufferType = SECBUFFER_DATA;
304 buffs[0].cbBuffer = strlen(message);
305 buffs[0].pvBuffer = (PVOID)message;
306
307 /* signature to check */
308 buffs[1].BufferType = SECBUFFER_TOKEN;
309 buffs[1].cbBuffer = signature.length;
310 buffs[1].pvBuffer = signature.value;
311
312 ret = VerifySignature(((context_sspi)context)->ctx_sspi,
313 &buffs_desc,
314 0,
315 0);
316
317 if (ret != SEC_E_OK) {
318 sip_sec_sspi_print_error("sip_sec_verify_signature__sspi: VerifySignature", ret);
319 return SIP_SEC_E_INTERNAL_ERROR;
320 }
321
322 return SIP_SEC_E_OK;
323 }
324
325 SipSecContext
326 sip_sec_create_context__sspi(guint type)
327 {
328 context_sspi context = g_malloc0(sizeof(struct _context_sspi));
329 if (!context) return(NULL);
330
331 context->common.acquire_cred_func = sip_sec_acquire_cred__sspi;
332 context->common.init_context_func = sip_sec_init_sec_context__sspi;
333 context->common.destroy_context_func = sip_sec_destroy_sec_context__sspi;
334 context->common.make_signature_func = sip_sec_make_signature__sspi;
335 context->common.verify_signature_func = sip_sec_verify_signature__sspi;
336 context->mech = (type == AUTH_TYPE_NTLM) ? SSPI_MECH_NTLM :
337 ((type == AUTH_TYPE_KERBEROS) ? SSPI_MECH_KERBEROS : SSPI_MECH_NEGOTIATE);
338
339 return((SipSecContext) context);
340 }
341
342 /* Utility Functions */
343
344 /**
345 * Returns interval in seconds from now till provided value
346 */
347 static int
348 sip_sec_get_interval_from_now_sec(TimeStamp timestamp)
349 {
350 SYSTEMTIME stNow;
351 FILETIME ftNow;
352 ULARGE_INTEGER uliNow, uliTo;
353
354 GetLocalTime(&stNow);
355 SystemTimeToFileTime(&stNow, &ftNow);
356
357 uliNow.LowPart = ftNow.dwLowDateTime;
358 uliNow.HighPart = ftNow.dwHighDateTime;
359
360 uliTo.LowPart = timestamp.LowPart;
361 uliTo.HighPart = timestamp.HighPart;
362
363 return (int)((uliTo.QuadPart - uliNow.QuadPart)/10/1000/1000);
364 }
365
366 void
367 sip_sec_sspi_print_error(const char *func,
368 SECURITY_STATUS ret)
369 {
370 char *error_message;
371 static char *buff;
372 int buff_length;
373
374 buff_length = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
375 FORMAT_MESSAGE_ALLOCATE_BUFFER |
376 FORMAT_MESSAGE_IGNORE_INSERTS,
377 0,
378 ret,
379 0,
380 (LPTSTR)&buff,
381 16384,
382 0);
383 error_message = g_strndup(buff, buff_length);
384 LocalFree(buff);
385
386 printf("SSPI ERROR [%d] in %s: %s", (int)ret, func, error_message);
387 g_free(error_message);
388 }
389
390
391 /*
392 Local Variables:
393 mode: c
394 c-file-style: "bsd"
395 indent-tabs-mode: t
396 tab-width: 8
397 End:
398 */
A third-party Pidgin plugin for Microsoft LCS/OCS