search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
l10n: Updates to Portuguese (Brazilian) (pt_BR) translation
[siplcs.git] / src / core / sip-sec-sspi.c
blobee24eba3af0648db0b9d8a4a942ae569a3149d8c
1 /**
2 * @file sip-sec-sspi.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2009 pier11 <pier11@operamail.com>
7 *
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23
24 #include <stdio.h>
25 #include <windows.h>
26 #include <rpc.h>
27 #include <security.h>
28
29 #include <glib.h>
30
31 #include "sip-sec.h"
32 #include "sip-sec-mech.h"
33 #include "sip-sec-sspi.h"
34 #include "sipe-backend.h"
35
36 /* Mechanism names */
37 #define SSPI_MECH_NTLM "NTLM"
38 #define SSPI_MECH_KERBEROS "Kerberos"
39 #define SSPI_MECH_NEGOTIATE "Negotiate"
40
41 #define ISC_REQ_IDENTIFY 0x00002000
42
43 typedef struct _context_sspi {
44 struct sip_sec_context common;
45 CredHandle* cred_sspi;
46 CtxtHandle* ctx_sspi;
47 /** Kerberos or NTLM */
48 const char *mech;
49 } *context_sspi;
50
51 static int
52 sip_sec_get_interval_from_now_sec(TimeStamp timestamp);
53
54 void
55 sip_sec_sspi_print_error(const char *func,
56 SECURITY_STATUS ret);
57
58 /** internal method */
59 static void
60 sip_sec_destroy_sspi_context(context_sspi context)
61 {
62 if (context->ctx_sspi)
63 DeleteSecurityContext(context->ctx_sspi);
64 if (context->cred_sspi)
65 FreeCredentialsHandle(context->cred_sspi);
66 }
67
68 /* sip-sec-mech.h API implementation for SSPI - Kerberos and NTLM */
69
70 static sip_uint32
71 sip_sec_acquire_cred__sspi(SipSecContext context,
72 const char *domain,
73 const char *username,
74 const char *password)
75 {
76 SECURITY_STATUS ret;
77 TimeStamp expiry;
78 SEC_WINNT_AUTH_IDENTITY auth_identity;
79 context_sspi ctx = (context_sspi)context;
80 CredHandle *cred_handle;
81
82 if (username) {
83 if (!password) {
84 return SIP_SEC_E_INTERNAL_ERROR;
85 }
86
87 memset(&auth_identity, 0, sizeof(auth_identity));
88 auth_identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
89
90 if ( domain && (strlen(domain) > 0) ) {
91 auth_identity.Domain = (unsigned char*)domain;
92 auth_identity.DomainLength = strlen(domain);
93 }
94
95 auth_identity.User = (unsigned char*)username;
96 auth_identity.UserLength = strlen(username);
97
98 auth_identity.Password = (unsigned char*)password;
99 auth_identity.PasswordLength = strlen(password);
100 }
101
102 cred_handle = g_malloc0(sizeof(CredHandle));
103
104 ret = AcquireCredentialsHandle( NULL,
105 (SEC_CHAR *)ctx->mech,
106 SECPKG_CRED_OUTBOUND,
107 NULL,
108 (context->sso || !username) ? NULL : &auth_identity,
109 NULL,
110 NULL,
111 cred_handle,
112 &expiry
113 );
114
115 if (ret != SEC_E_OK) {
116 sip_sec_sspi_print_error("sip_sec_acquire_cred__sspi: AcquireCredentialsHandle", ret);
117 ctx->cred_sspi = NULL;
118 return SIP_SEC_E_INTERNAL_ERROR;
119 } else {
120 ctx->cred_sspi = cred_handle;
121 return SIP_SEC_E_OK;
122 }
123 }
124
125 static sip_uint32
126 sip_sec_init_sec_context__sspi(SipSecContext context,
127 SipSecBuffer in_buff,
128 SipSecBuffer *out_buff,
129 const char *service_name)
130 {
131 TimeStamp expiry;
132 SecBufferDesc input_desc, output_desc;
133 SecBuffer in_token, out_token;
134 SECURITY_STATUS ret;
135 ULONG req_flags;
136 ULONG ret_flags;
137 context_sspi ctx = (context_sspi)context;
138 CtxtHandle* out_context = g_malloc0(sizeof(CtxtHandle));
139
140 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__sspi: in use");
141
142 input_desc.cBuffers = 1;
143 input_desc.pBuffers = &in_token;
144 input_desc.ulVersion = SECBUFFER_VERSION;
145
146 /* input token */
147 in_token.BufferType = SECBUFFER_TOKEN;
148 in_token.cbBuffer = in_buff.length;
149 in_token.pvBuffer = in_buff.value;
150
151 output_desc.cBuffers = 1;
152 output_desc.pBuffers = &out_token;
153 output_desc.ulVersion = SECBUFFER_VERSION;
154
155 /* to hold output token */
156 out_token.BufferType = SECBUFFER_TOKEN;
157 out_token.cbBuffer = 0;
158 out_token.pvBuffer = NULL;
159
160 req_flags = (ISC_REQ_ALLOCATE_MEMORY |
161 ISC_REQ_INTEGRITY |
162 ISC_REQ_IDENTIFY);
163
164 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_NTLM) &&
165 !context->is_connection_based)
166 {
167 req_flags |= (ISC_REQ_DATAGRAM);
168 }
169
170 ret = InitializeSecurityContext(ctx->cred_sspi,
171 ctx->ctx_sspi,
172 (SEC_CHAR *)service_name,
173 req_flags,
174 0,
175 SECURITY_NATIVE_DREP,
176 &input_desc,
177 0,
178 out_context,
179 &output_desc,
180 &ret_flags,
181 &expiry
182 );
183
184 if (ret != SEC_E_OK && ret != SEC_I_CONTINUE_NEEDED) {
185 sip_sec_destroy_sspi_context(ctx);
186 sip_sec_sspi_print_error("sip_sec_init_sec_context__sspi: InitializeSecurityContext", ret);
187 return SIP_SEC_E_INTERNAL_ERROR;
188 }
189
190 out_buff->length = out_token.cbBuffer;
191 out_buff->value = NULL;
192 if (out_token.cbBuffer) {
193 out_buff->value = g_malloc0(out_token.cbBuffer);
194 memmove(out_buff->value, out_token.pvBuffer, out_token.cbBuffer);
195 FreeContextBuffer(out_token.pvBuffer);
196 }
197
198 ctx->ctx_sspi = out_context;
199 if (ctx->mech && !strcmp(ctx->mech, SSPI_MECH_KERBEROS)) {
200 context->expires = sip_sec_get_interval_from_now_sec(expiry);
201 }
202
203 if (ret == SEC_I_CONTINUE_NEEDED) {
204 return SIP_SEC_I_CONTINUE_NEEDED;
205 } else {
206 return SIP_SEC_E_OK;
207 }
208 }
209
210 static void
211 sip_sec_destroy_sec_context__sspi(SipSecContext context)
212 {
213 sip_sec_destroy_sspi_context((context_sspi)context);
214 g_free(context);
215 }
216
217 /**
218 * @param message a NULL terminated string to sign
219 *
220 */
221 static sip_uint32
222 sip_sec_make_signature__sspi(SipSecContext context,
223 const char *message,
224 SipSecBuffer *signature)
225 {
226 SecBufferDesc buffs_desc;
227 SecBuffer buffs[2];
228 SECURITY_STATUS ret;
229 SecPkgContext_Sizes context_sizes;
230 unsigned char *signature_buff;
231 size_t signature_buff_length;
232 context_sspi ctx = (context_sspi) context;
233
234 ret = QueryContextAttributes(ctx->ctx_sspi,
235 SECPKG_ATTR_SIZES,
236 &context_sizes);
237
238 if (ret != SEC_E_OK) {
239 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: QueryContextAttributes", ret);
240 return SIP_SEC_E_INTERNAL_ERROR;
241 }
242
243 signature_buff_length = context_sizes.cbMaxSignature;
244 signature_buff = g_malloc0(signature_buff_length);
245
246 buffs_desc.cBuffers = 2;
247 buffs_desc.pBuffers = buffs;
248 buffs_desc.ulVersion = SECBUFFER_VERSION;
249
250 /* message to sign */
251 buffs[0].BufferType = SECBUFFER_DATA;
252 buffs[0].cbBuffer = strlen(message);
253 buffs[0].pvBuffer = (PVOID)message;
254
255 /* to hold signature */
256 buffs[1].BufferType = SECBUFFER_TOKEN;
257 buffs[1].cbBuffer = signature_buff_length;
258 buffs[1].pvBuffer = signature_buff;
259
260 ret = MakeSignature(ctx->ctx_sspi,
261 (ULONG)0,
262 &buffs_desc,
263 100);
264 if (ret != SEC_E_OK) {
265 sip_sec_sspi_print_error("sip_sec_make_signature__sspi: MakeSignature", ret);
266 g_free(signature_buff);
267 return SIP_SEC_E_INTERNAL_ERROR;
268 }
269
270 signature->value = signature_buff;
271 signature->length = buffs[1].cbBuffer;
272
273 return SIP_SEC_E_OK;
274 }
275
276 /**
277 * @param message a NULL terminated string to check signature of
278 * @return SIP_SEC_E_OK on success
279 */
280 static sip_uint32
281 sip_sec_verify_signature__sspi(SipSecContext context,
282 const char *message,
283 SipSecBuffer signature)
284 {
285 SecBufferDesc buffs_desc;
286 SecBuffer buffs[2];
287 SECURITY_STATUS ret;
288
289 buffs_desc.cBuffers = 2;
290 buffs_desc.pBuffers = buffs;
291 buffs_desc.ulVersion = SECBUFFER_VERSION;
292
293 /* message to sign */
294 buffs[0].BufferType = SECBUFFER_DATA;
295 buffs[0].cbBuffer = strlen(message);
296 buffs[0].pvBuffer = (PVOID)message;
297
298 /* signature to check */
299 buffs[1].BufferType = SECBUFFER_TOKEN;
300 buffs[1].cbBuffer = signature.length;
301 buffs[1].pvBuffer = signature.value;
302
303 ret = VerifySignature(((context_sspi)context)->ctx_sspi,
304 &buffs_desc,
305 0,
306 0);
307
308 if (ret != SEC_E_OK) {
309 sip_sec_sspi_print_error("sip_sec_verify_signature__sspi: VerifySignature", ret);
310 return SIP_SEC_E_INTERNAL_ERROR;
311 }
312
313 return SIP_SEC_E_OK;
314 }
315
316 SipSecContext
317 sip_sec_create_context__sspi(SipSecAuthType type)
318 {
319 context_sspi context = g_malloc0(sizeof(struct _context_sspi));
320 if (!context) return(NULL);
321
322 context->common.acquire_cred_func = sip_sec_acquire_cred__sspi;
323 context->common.init_context_func = sip_sec_init_sec_context__sspi;
324 context->common.destroy_context_func = sip_sec_destroy_sec_context__sspi;
325 context->common.make_signature_func = sip_sec_make_signature__sspi;
326 context->common.verify_signature_func = sip_sec_verify_signature__sspi;
327 context->mech = (type == AUTH_TYPE_NTLM) ? SSPI_MECH_NTLM :
328 ((type == AUTH_TYPE_KERBEROS) ? SSPI_MECH_KERBEROS : SSPI_MECH_NEGOTIATE);
329
330 return((SipSecContext) context);
331 }
332
333 /* Utility Functions */
334
335 /**
336 * Returns interval in seconds from now till provided value
337 */
338 static int
339 sip_sec_get_interval_from_now_sec(TimeStamp timestamp)
340 {
341 SYSTEMTIME stNow;
342 FILETIME ftNow;
343 ULARGE_INTEGER uliNow, uliTo;
344
345 GetLocalTime(&stNow);
346 SystemTimeToFileTime(&stNow, &ftNow);
347
348 uliNow.LowPart = ftNow.dwLowDateTime;
349 uliNow.HighPart = ftNow.dwHighDateTime;
350
351 uliTo.LowPart = timestamp.LowPart;
352 uliTo.HighPart = timestamp.HighPart;
353
354 return (int)((uliTo.QuadPart - uliNow.QuadPart)/10/1000/1000);
355 }
356
357 void
358 sip_sec_sspi_print_error(const char *func,
359 SECURITY_STATUS ret)
360 {
361 char *error_message;
362 static char *buff;
363 int buff_length;
364
365 buff_length = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
366 FORMAT_MESSAGE_ALLOCATE_BUFFER |
367 FORMAT_MESSAGE_IGNORE_INSERTS,
368 0,
369 ret,
370 0,
371 (LPTSTR)&buff,
372 16384,
373 0);
374 error_message = g_strndup(buff, buff_length);
375 LocalFree(buff);
376
377 printf("SSPI ERROR [%d] in %s: %s", (int)ret, func, error_message);
378 g_free(error_message);
379 }
380
381
382 /*
383 Local Variables:
384 mode: c
385 c-file-style: "bsd"
386 indent-tabs-mode: t
387 tab-width: 8
388 End:
389 */
A third-party Pidgin plugin for Microsoft LCS/OCS