search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
http: implement 401 response handling
[siplcs.git] / src / core / sip-sec-krb5.c
blob396552928326610a2e976a970f5903830be2265a
1 /**
2 * @file sip-sec-krb5.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include <glib.h>
26 #include <string.h>
27 #include <gssapi/gssapi.h>
28 #include <gssapi/gssapi_krb5.h>
29 #include <krb5.h>
30
31 #include "sipe-common.h"
32 #include "sip-sec.h"
33 #include "sip-sec-mech.h"
34 #include "sip-sec-krb5.h"
35 #include "sipe-backend.h"
36
37 /* Security context for Kerberos */
38 typedef struct _context_krb5 {
39 struct sip_sec_context common;
40 gss_cred_id_t cred_krb5;
41 gss_ctx_id_t ctx_krb5;
42 const gchar *domain;
43 const gchar *username;
44 const gchar *password;
45 } *context_krb5;
46
47 #define SIP_SEC_FLAG_KRB5_RETRY_AUTH 0x00010000
48
49 static void sip_sec_krb5_print_gss_error(char *func, OM_uint32 ret, OM_uint32 minor);
50
51 static gboolean sip_sec_krb5_obtain_tgt(context_krb5 context);
52
53 static void sip_sec_krb5_destroy_context(context_krb5 context)
54 {
55 OM_uint32 ret;
56 OM_uint32 minor;
57
58 if (context->ctx_krb5 != GSS_C_NO_CONTEXT) {
59 ret = gss_delete_sec_context(&minor, &(context->ctx_krb5), GSS_C_NO_BUFFER);
60 if (GSS_ERROR(ret)) {
61 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret, minor);
62 SIPE_DEBUG_ERROR("sip_sec_krb5_destroy_context: failed to delete security context (ret=%d)", (int)ret);
63 }
64 context->ctx_krb5 = GSS_C_NO_CONTEXT;
65 }
66
67 if (context->cred_krb5) {
68 ret = gss_release_cred(&minor, &(context->cred_krb5));
69 if (GSS_ERROR(ret)) {
70 sip_sec_krb5_print_gss_error("gss_release_cred", ret, minor);
71 SIPE_DEBUG_ERROR("sip_sec_krb5_destroy_context: failed to release credentials (ret=%d)", (int)ret);
72 }
73 context->cred_krb5 = NULL;
74 }
75 }
76
77 static gboolean sip_sec_krb5_acquire_credentials(context_krb5 context)
78 {
79 OM_uint32 ret;
80 OM_uint32 minor;
81 gss_cred_id_t credentials;
82
83 /* Acquire default user credentials */
84 ret = gss_acquire_cred(&minor,
85 GSS_C_NO_NAME,
86 GSS_C_INDEFINITE,
87 GSS_C_NO_OID_SET,
88 GSS_C_INITIATE,
89 &credentials,
90 NULL,
91 NULL);
92
93 if (GSS_ERROR(ret)) {
94 sip_sec_krb5_print_gss_error("gss_acquire_cred", ret, minor);
95 SIPE_DEBUG_ERROR("sip_sec_krb5_acquire_credentials: failed to acquire credentials (ret=%d)", (int)ret);
96 return(FALSE);
97 } else {
98 context->cred_krb5 = credentials;
99 return(TRUE);
100 }
101 }
102
103 static gboolean sip_sec_krb5_initialize_context(context_krb5 context,
104 SipSecBuffer in_buff,
105 SipSecBuffer *out_buff,
106 const gchar *service_name)
107 {
108 OM_uint32 ret;
109 OM_uint32 minor, minor_ignore;
110 OM_uint32 expiry;
111 gss_buffer_desc input_token;
112 gss_buffer_desc output_token;
113 gss_buffer_desc input_name_buffer;
114 gss_name_t target_name;
115
116 input_name_buffer.value = (void *) service_name;
117 input_name_buffer.length = strlen(service_name) + 1;
118
119 ret = gss_import_name(&minor,
120 &input_name_buffer,
121 (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME,
122 &target_name);
123 if (GSS_ERROR(ret)) {
124 sip_sec_krb5_print_gss_error("gss_import_name", ret, minor);
125 SIPE_DEBUG_ERROR("sip_sec_krb5_initialize_context: failed to construct target name (ret=%d)", (int)ret);
126 return(FALSE);
127 }
128
129 input_token.length = in_buff.length;
130 input_token.value = in_buff.value;
131
132 output_token.length = 0;
133 output_token.value = NULL;
134
135 ret = gss_init_sec_context(&minor,
136 context->cred_krb5,
137 &(context->ctx_krb5),
138 target_name,
139 GSS_C_NO_OID,
140 GSS_C_INTEG_FLAG,
141 GSS_C_INDEFINITE,
142 GSS_C_NO_CHANNEL_BINDINGS,
143 &input_token,
144 NULL,
145 &output_token,
146 NULL,
147 &expiry);
148 gss_release_name(&minor_ignore, &target_name);
149
150 if (GSS_ERROR(ret)) {
151 gss_release_buffer(&minor_ignore, &output_token);
152 sip_sec_krb5_print_gss_error("gss_init_sec_context", ret, minor);
153 SIPE_DEBUG_ERROR("sip_sec_krb5_initialize_context: failed to initialize context (ret=%d)", (int)ret);
154 return(FALSE);
155 }
156
157 out_buff->length = output_token.length;
158 out_buff->value = g_memdup(output_token.value, output_token.length);
159 gss_release_buffer(&minor_ignore, &output_token);
160
161 context->common.expires = (int)expiry;
162
163 /* Authentication is completed */
164 context->common.flags |= SIP_SEC_FLAG_COMMON_READY;
165
166 return(TRUE);
167 }
168
169 /* sip-sec-mech.h API implementation for Kerberos/GSS-API */
170
171 static gboolean
172 sip_sec_acquire_cred__krb5(SipSecContext context,
173 const gchar *domain,
174 const gchar *username,
175 const gchar *password)
176 {
177 context_krb5 ctx = (context_krb5) context;
178
179 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__krb5: started");
180
181 /* remember authentication information */
182 ctx->domain = domain ? domain : "";
183 ctx->username = username;
184 ctx->password = password;
185
186 /*
187 * This will be TRUE for SIP, which is the first time when we'll try
188 * to authenticate with Kerberos. We'll allow one retry with the
189 * authentication information provided by the user (see above).
190 *
191 * This will be FALSE for HTTP connections. If Kerberos authentication
192 * succeeded for SIP already, then there is no need to retry.
193 */
194 if ((context->flags & SIP_SEC_FLAG_COMMON_HTTP) == 0)
195 context->flags |= SIP_SEC_FLAG_KRB5_RETRY_AUTH;
196
197 return(sip_sec_krb5_acquire_credentials(ctx));
198 }
199
200 static gboolean
201 sip_sec_init_sec_context__krb5(SipSecContext context,
202 SipSecBuffer in_buff,
203 SipSecBuffer *out_buff,
204 const gchar *service_name)
205 {
206 OM_uint32 ret;
207 OM_uint32 minor;
208 context_krb5 ctx = (context_krb5) context;
209 gboolean result;
210
211 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_init_sec_context__krb5: started");
212
213 /* Delete old context first */
214 if (ctx->ctx_krb5 != GSS_C_NO_CONTEXT) {
215 ret = gss_delete_sec_context(&minor,
216 &(ctx->ctx_krb5),
217 GSS_C_NO_BUFFER);
218 if (GSS_ERROR(ret)) {
219 sip_sec_krb5_print_gss_error("gss_delete_sec_context", ret, minor);
220 SIPE_DEBUG_ERROR("sip_sec_init_sec_context__krb5: failed to delete security context (ret=%d)", (int)ret);
221 }
222 ctx->ctx_krb5 = GSS_C_NO_CONTEXT;
223 }
224
225 result = sip_sec_krb5_initialize_context(ctx,
226 in_buff,
227 out_buff,
228 service_name);
229
230 /*
231 * If context initialization fails retry after trying to obtaining
232 * a TGT. This will will only succeed if we have been provided with
233 * valid authentication information by the user.
234 */
235 if (!result && (context->flags & SIP_SEC_FLAG_KRB5_RETRY_AUTH)) {
236 sip_sec_krb5_destroy_context(ctx);
237 result = sip_sec_krb5_obtain_tgt(ctx) &&
238 sip_sec_krb5_acquire_credentials(ctx) &&
239 sip_sec_krb5_initialize_context(ctx,
240 in_buff,
241 out_buff,
242 service_name);
243 }
244
245 /* Only retry once */
246 context->flags &= ~SIP_SEC_FLAG_KRB5_RETRY_AUTH;
247
248 return(result);
249 }
250
251 /**
252 * @param message a NULL terminated string to sign
253 */
254 static gboolean
255 sip_sec_make_signature__krb5(SipSecContext context,
256 const gchar *message,
257 SipSecBuffer *signature)
258 {
259 OM_uint32 ret;
260 OM_uint32 minor;
261 gss_buffer_desc input_message;
262 gss_buffer_desc output_token;
263
264 input_message.value = (void *)message;
265 input_message.length = strlen(input_message.value);
266
267 ret = gss_get_mic(&minor,
268 ((context_krb5)context)->ctx_krb5,
269 GSS_C_QOP_DEFAULT,
270 &input_message,
271 &output_token);
272
273 if (GSS_ERROR(ret)) {
274 sip_sec_krb5_print_gss_error("gss_get_mic", ret, minor);
275 SIPE_DEBUG_ERROR("sip_sec_make_signature__krb5: failed to make signature (ret=%d)", (int)ret);
276 return FALSE;
277 } else {
278 signature->length = output_token.length;
279 signature->value = g_memdup(output_token.value,
280 output_token.length);
281 gss_release_buffer(&minor, &output_token);
282 return TRUE;
283 }
284 }
285
286 /**
287 * @param message a NULL terminated string to check signature of
288 */
289 static gboolean
290 sip_sec_verify_signature__krb5(SipSecContext context,
291 const gchar *message,
292 SipSecBuffer signature)
293 {
294 OM_uint32 ret;
295 OM_uint32 minor;
296 gss_buffer_desc input_message;
297 gss_buffer_desc input_token;
298
299 input_message.value = (void *)message;
300 input_message.length = strlen(input_message.value);
301
302 input_token.value = signature.value;
303 input_token.length = signature.length;
304
305 ret = gss_verify_mic(&minor,
306 ((context_krb5)context)->ctx_krb5,
307 &input_message,
308 &input_token,
309 NULL);
310
311 if (GSS_ERROR(ret)) {
312 sip_sec_krb5_print_gss_error("gss_verify_mic", ret, minor);
313 SIPE_DEBUG_ERROR("sip_sec_verify_signature__krb5: failed to make signature (ret=%d)", (int)ret);
314 return FALSE;
315 } else {
316 return TRUE;
317 }
318 }
319
320 static void
321 sip_sec_destroy_sec_context__krb5(SipSecContext context)
322 {
323 sip_sec_krb5_destroy_context((context_krb5) context);
324 g_free(context);
325 }
326
327 SipSecContext
328 sip_sec_create_context__krb5(SIPE_UNUSED_PARAMETER guint type)
329 {
330 context_krb5 context = g_malloc0(sizeof(struct _context_krb5));
331 if (!context) return(NULL);
332
333 context->common.acquire_cred_func = sip_sec_acquire_cred__krb5;
334 context->common.init_context_func = sip_sec_init_sec_context__krb5;
335 context->common.destroy_context_func = sip_sec_destroy_sec_context__krb5;
336 context->common.make_signature_func = sip_sec_make_signature__krb5;
337 context->common.verify_signature_func = sip_sec_verify_signature__krb5;
338
339 context->ctx_krb5 = GSS_C_NO_CONTEXT;
340
341 return((SipSecContext) context);
342 }
343
344 gboolean sip_sec_password__krb5(void)
345 {
346 /* Kerberos supports Single-Sign On */
347 return(FALSE);
348 }
349
350 static void
351 sip_sec_krb5_print_gss_error0(char *func,
352 OM_uint32 status,
353 int type)
354 {
355 OM_uint32 minor;
356 OM_uint32 message_context = 0;
357 gss_buffer_desc status_string;
358
359 do {
360 gss_display_status(&minor,
361 status,
362 type,
363 GSS_C_NO_OID,
364 &message_context,
365 &status_string);
366
367 SIPE_DEBUG_ERROR("sip_sec_krb5: GSS-API error in %s (%s): %s", func, (type == GSS_C_GSS_CODE ? "GSS" : "Mech"), (char *)status_string.value);
368 gss_release_buffer(&minor, &status_string);
369 } while (message_context != 0);
370 }
371
372 /**
373 * Prints out errors of GSS-API function invocation
374 */
375 static void sip_sec_krb5_print_gss_error(char *func, OM_uint32 ret, OM_uint32 minor)
376 {
377 sip_sec_krb5_print_gss_error0(func, ret, GSS_C_GSS_CODE);
378 sip_sec_krb5_print_gss_error0(func, minor, GSS_C_MECH_CODE);
379 }
380
381 /**
382 * Prints out errors of Kerberos 5 function invocation
383 */
384 static void
385 sip_sec_krb5_print_error(const gchar *func,
386 krb5_context context,
387 krb5_error_code ret);
388
389 /**
390 * Obtains Kerberos TGT and stores it in default credentials cache.
391 * Similar what kinit util would do.
392 * Can be checked with klist util.
393 *
394 * kinit would require the following name:
395 * alice@ATLANTA.LOCAL
396 * where 'alice' is a username and
397 * 'ATLANTA.LOCAL' is a realm (domain) .
398 */
399 static gboolean sip_sec_krb5_obtain_tgt(context_krb5 ctx)
400 {
401 krb5_context context = NULL;
402 krb5_error_code ret;
403 char *realm;
404 char *username;
405 gchar **user_realm;
406
407 if (!ctx->username && !ctx->password) {
408 SIPE_DEBUG_ERROR_NOFORMAT("sip_sec_krb5_obtain_tgt: no valid authentication information provided");
409 return(FALSE);
410 }
411
412 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_krb5_obtain_tgt: started");
413
414 user_realm = g_strsplit(ctx->username, "@", 2);
415 if (user_realm[1]) {
416 /* "user@domain" -> use domain as realm */
417 realm = g_ascii_strup(user_realm[1], -1);
418 username = g_strdup(user_realm[0]);
419 } else {
420 /* use provided domain as realm */
421 realm = g_ascii_strup(ctx->domain, -1);
422 username = g_strdup(ctx->username);
423 }
424 g_strfreev(user_realm);
425
426 /* Obtait TGT */
427 ret = krb5_init_context(&context);
428 if (ret) {
429 sip_sec_krb5_print_error("krb5_init_context", context, ret);
430 } else {
431 krb5_principal principal = NULL;
432
433 ret = krb5_build_principal(context, &principal, strlen(realm), realm, username, NULL);
434 if (ret) {
435 sip_sec_krb5_print_error("krb5_build_principal", context, ret);
436 } else {
437 krb5_creds credentials;
438
439 memset(&credentials, 0, sizeof(krb5_creds));
440
441 ret = krb5_get_init_creds_password(context, &credentials, principal, (char *)ctx->password, NULL, NULL, 0, NULL, NULL);
442 if (ret) {
443 sip_sec_krb5_print_error("krb5_get_init_creds_password", context, ret);
444 } else {
445 krb5_ccache ccdef = NULL;
446
447 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_krb5_obtain_tgt: new TGT obtained");
448
449 /* Store TGT in default credential cache */
450 ret = krb5_cc_default(context, &ccdef);
451 if (ret) {
452 sip_sec_krb5_print_error("krb5_cc_default", context, ret);
453 } else {
454 /* First try without initializing */
455 ret = krb5_cc_store_cred(context, ccdef, &credentials);
456 if (ret) {
457 ret = krb5_cc_initialize(context, ccdef, credentials.client);
458 if (ret) {
459 sip_sec_krb5_print_error("krb5_cc_initialize", context, ret);
460 } else {
461 /* Second try after initializing the default credential cache */
462 ret = krb5_cc_store_cred(context, ccdef, &credentials);
463 if (ret) {
464 sip_sec_krb5_print_error("krb5_cc_store_cred", context, ret);
465 } else {
466 SIPE_DEBUG_INFO_NOFORMAT("sip_sec_krb5_obtain_tgt: new TGT stored in default credentials cache");
467 }
468 }
469 }
470 krb5_cc_close(context, ccdef);
471 }
472 krb5_free_cred_contents(context, &credentials);
473 }
474 krb5_free_principal(context, principal);
475 }
476 krb5_free_context(context);
477 }
478 g_free(username);
479 g_free(realm);
480
481 return(!ret);
482 }
483
484 static void
485 sip_sec_krb5_print_error(const gchar *func,
486 krb5_context context,
487 krb5_error_code ret)
488 {
489 const gchar *error_message = krb5_get_error_message(context, ret);
490 SIPE_DEBUG_ERROR("Kerberos 5 ERROR in %s: %s", func, error_message);
491 krb5_free_error_message(context, error_message);
492 }
493
494 /*
495 Local Variables:
496 mode: c
497 c-file-style: "bsd"
498 indent-tabs-mode: t
499 tab-width: 8
500 End:
501 */
A third-party Pidgin plugin for Microsoft LCS/OCS