/** * FreeRDP: A Remote Desktop Protocol Client * Kerberos Auth Protocol * * Copyright 2015 ANSSI, Author Thomas Calderon * Copyright 2017 Dorian Ducournau * Copyright 2022 David Fort * Copyright 2022 Isaac Klein * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "kerberos.h" #ifdef WITH_KRB5_MIT #include "krb5glue.h" #include #endif #ifdef WITH_KRB5_HEIMDAL #include "krb5glue.h" #include #endif #include "../sspi.h" #include "../../log.h" #define TAG WINPR_TAG("sspi.Kerberos") #define KRB_TGT_REQ 16 #define KRB_TGT_REP 17 const SecPkgInfoA KERBEROS_SecPkgInfoA = { 0x000F3BBF, /* fCapabilities */ 1, /* wVersion */ 0x0010, /* wRPCID */ 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ "Kerberos", /* Name */ "Kerberos Security Package" /* Comment */ }; static WCHAR KERBEROS_SecPkgInfoW_NameBuffer[32] = { 0 }; static WCHAR KERBEROS_SecPkgInfoW_CommentBuffer[32] = { 0 }; const SecPkgInfoW KERBEROS_SecPkgInfoW = { 0x000F3BBF, /* fCapabilities */ 1, /* wVersion */ 0x0010, /* wRPCID */ 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ KERBEROS_SecPkgInfoW_NameBuffer, /* Name */ KERBEROS_SecPkgInfoW_CommentBuffer /* Comment */ }; #ifdef WITH_KRB5 enum KERBEROS_STATE { KERBEROS_STATE_INITIAL, KERBEROS_STATE_TGT_REQ, KERBEROS_STATE_TGT_REP, KERBEROS_STATE_AP_REQ, KERBEROS_STATE_AP_REP, KERBEROS_STATE_FINAL }; typedef struct KRB_CREDENTIALS_st { volatile LONG refCount; krb5_context ctx; char* kdc_url; krb5_ccache ccache; krb5_keytab keytab; krb5_keytab client_keytab; BOOL own_ccache; /**< Whether we created ccache, and must destroy it after use. */ } KRB_CREDENTIALS; struct s_KRB_CONTEXT { enum KERBEROS_STATE state; KRB_CREDENTIALS* credentials; krb5_auth_context auth_ctx; BOOL acceptor; uint32_t flags; uint64_t local_seq; uint64_t remote_seq; struct krb5glue_keyset keyset; BOOL u2u; char* targetHost; }; static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; static const WinPrAsn1_OID kerberos_u2u_OID = { 10, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" }; #define krb_log_exec_bool(fkt, ctx, ...) \ kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__) ? KRB5KRB_ERR_GENERIC : 0, #fkt, __FILE__, \ __func__, __LINE__) #define krb_log_exec(fkt, ctx, ...) \ kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__) #define krb_log_exec_ptr(fkt, ctx, ...) \ kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__) static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what, const char* file, const char* fkt, size_t line) { switch (code) { case 0: case KRB5_KT_END: break; default: { const DWORD level = WLOG_ERROR; wLog* log = WLog_Get(TAG); if (WLog_IsLevelActive(log, level)) { const char* msg = krb5_get_error_message(ctx, code); WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "%s (%s [%d])", what, msg, code); krb5_free_error_message(ctx, msg); } } break; } return code; } static void credentials_unref(KRB_CREDENTIALS* credentials); static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated) { if (!ctx) return; free(ctx->targetHost); ctx->targetHost = NULL; if (ctx->credentials) { krb5_context krbctx = ctx->credentials->ctx; if (krbctx) { if (ctx->auth_ctx) krb5_auth_con_free(krbctx, ctx->auth_ctx); krb5glue_keys_free(krbctx, &ctx->keyset); } credentials_unref(ctx->credentials); } if (allocated) free(ctx); } static KRB_CONTEXT* kerberos_ContextNew(KRB_CREDENTIALS* credentials) { KRB_CONTEXT* context = NULL; context = (KRB_CONTEXT*)calloc(1, sizeof(KRB_CONTEXT)); if (!context) return NULL; context->credentials = credentials; InterlockedIncrement(&credentials->refCount); return context; } static krb5_error_code krb5_prompter(krb5_context context, void* data, WINPR_ATTR_UNUSED const char* name, WINPR_ATTR_UNUSED const char* banner, int num_prompts, krb5_prompt prompts[]) { for (int i = 0; i < num_prompts; i++) { krb5_prompt_type type = krb5glue_get_prompt_type(context, prompts, i); if (type && (type == KRB5_PROMPT_TYPE_PREAUTH || type == KRB5_PROMPT_TYPE_PASSWORD) && data) { prompts[i].reply->data = _strdup((const char*)data); const size_t len = strlen((const char*)data); if (len > UINT32_MAX) return KRB5KRB_ERR_GENERIC; prompts[i].reply->length = (UINT32)len; } } return 0; } static INLINE krb5glue_key get_key(struct krb5glue_keyset* keyset) { return keyset->acceptor_key ? keyset->acceptor_key : keyset->initiator_key ? keyset->initiator_key : keyset->session_key; } static BOOL isValidIPv4(const char* ipAddress) { struct sockaddr_in sa = { 0 }; int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr)); return result != 0; } static BOOL isValidIPv6(const char* ipAddress) { struct sockaddr_in6 sa = { 0 }; int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr)); return result != 0; } static BOOL isValidIP(const char* ipAddress) { return isValidIPv4(ipAddress) || isValidIPv6(ipAddress); } static int build_krbtgt(krb5_context ctx, krb5_data* realm, krb5_principal* ptarget) { /* "krbtgt/" + realm + "@" + realm */ size_t len = 0; char* name = NULL; krb5_error_code rv = KRB5_CC_NOMEM; (void)winpr_asprintf(&name, &len, "krbtgt/%s@%s", realm->data, realm->data); if (!name || (len == 0)) goto fail; krb5_principal target = { 0 }; rv = krb5_parse_name(ctx, name, &target); *ptarget = target; fail: free(name); return rv; } #endif /* WITH_KRB5 */ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA( SEC_CHAR* pszPrincipal, WINPR_ATTR_UNUSED SEC_CHAR* pszPackage, ULONG fCredentialUse, WINPR_ATTR_UNUSED void* pvLogonID, void* pAuthData, WINPR_ATTR_UNUSED SEC_GET_KEY_FN pGetKeyFn, WINPR_ATTR_UNUSED void* pvGetKeyArgument, PCredHandle phCredential, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry) { #ifdef WITH_KRB5 SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL; KRB_CREDENTIALS* credentials = NULL; krb5_context ctx = NULL; krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; krb5_principal principal = NULL; char* domain = NULL; char* username = NULL; char* password = NULL; BOOL own_ccache = FALSE; const char* const default_ccache_type = "MEMORY"; if (pAuthData) { UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData); if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED) krb_settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->kerberosSettings); if (!sspi_CopyAuthIdentityFieldsA((const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData, &username, &domain, &password)) { WLog_ERR(TAG, "Failed to copy auth identity fields"); goto cleanup; } if (!pszPrincipal) pszPrincipal = username; } if (krb_log_exec_ptr(krb5_init_context, &ctx)) goto cleanup; if (domain) { char* udomain = _strdup(domain); if (!udomain) goto cleanup; CharUpperA(udomain); /* Will use domain if realm is not specified in username */ krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain); free(udomain); if (rv) goto cleanup; } if (pszPrincipal) { char* cpszPrincipal = _strdup(pszPrincipal); if (!cpszPrincipal) goto cleanup; /* Find realm component if included and convert to uppercase */ char* p = strchr(cpszPrincipal, '@'); if (p) CharUpperA(p); krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal); free(cpszPrincipal); if (rv) goto cleanup; } if (krb_settings && krb_settings->cache) { if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache))) goto cleanup; } else own_ccache = TRUE; if (principal) { /* Use the default cache if it's initialized with the right principal */ if (krb5_cc_cache_match(ctx, principal, &ccache) == KRB5_CC_NOTFOUND) { if (own_ccache) { if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache)) goto cleanup; } else { if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache)) goto cleanup; } if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal)) goto cleanup; } else own_ccache = FALSE; } else if (fCredentialUse & SECPKG_CRED_OUTBOUND) { /* Use the default cache with it's default principal */ if (krb_log_exec(krb5_cc_default, ctx, &ccache)) goto cleanup; if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal)) goto cleanup; own_ccache = FALSE; } else { if (own_ccache) { if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache)) goto cleanup; } else { if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache)) goto cleanup; } } if (krb_settings && krb_settings->keytab) { if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab)) goto cleanup; } else { if (fCredentialUse & SECPKG_CRED_INBOUND) if (krb_log_exec(krb5_kt_default, ctx, &keytab)) goto cleanup; } /* Get initial credentials if required */ if (fCredentialUse & SECPKG_CRED_OUTBOUND) { krb5_creds creds = { 0 }; krb5_creds matchCreds = { 0 }; krb5_flags matchFlags = KRB5_TC_MATCH_TIMES; krb5_timeofday(ctx, &matchCreds.times.endtime); matchCreds.times.endtime += 60; matchCreds.client = principal; if (krb_log_exec(build_krbtgt, ctx, &principal->realm, &matchCreds.server)) goto cleanup; int rv = krb5_cc_retrieve_cred(ctx, ccache, matchFlags, &matchCreds, &creds); krb5_free_principal(ctx, matchCreds.server); krb5_free_cred_contents(ctx, &creds); if (rv) { if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter, password, krb_settings)) goto cleanup; } } credentials = calloc(1, sizeof(KRB_CREDENTIALS)); if (!credentials) goto cleanup; credentials->refCount = 1; credentials->ctx = ctx; credentials->ccache = ccache; credentials->keytab = keytab; credentials->own_ccache = own_ccache; cleanup: free(domain); free(username); free(password); if (principal) krb5_free_principal(ctx, principal); if (ctx) { if (!credentials) { if (ccache) { if (own_ccache) krb5_cc_destroy(ctx, ccache); else krb5_cc_close(ctx, ccache); } if (keytab) krb5_kt_close(ctx, keytab); krb5_free_context(ctx); } } /* If we managed to get credentials set the output */ if (credentials) { sspi_SecureHandleSetLowerPointer(phCredential, (void*)credentials); sspi_SecureHandleSetUpperPointer(phCredential, (void*)KERBEROS_SSP_NAME); return SEC_E_OK; } return SEC_E_NO_CREDENTIALS; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW( SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry) { SECURITY_STATUS status = SEC_E_INSUFFICIENT_MEMORY; char* principal = NULL; char* package = NULL; if (pszPrincipal) { principal = ConvertWCharToUtf8Alloc(pszPrincipal, NULL); if (!principal) goto fail; } if (pszPackage) { package = ConvertWCharToUtf8Alloc(pszPackage, NULL); if (!package) goto fail; } status = kerberos_AcquireCredentialsHandleA(principal, package, fCredentialUse, pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry); fail: free(principal); free(package); return status; } #ifdef WITH_KRB5 static void credentials_unref(KRB_CREDENTIALS* credentials) { WINPR_ASSERT(credentials); if (InterlockedDecrement(&credentials->refCount)) return; free(credentials->kdc_url); if (credentials->ccache) { if (credentials->own_ccache) krb5_cc_destroy(credentials->ctx, credentials->ccache); else krb5_cc_close(credentials->ctx, credentials->ccache); } if (credentials->keytab) krb5_kt_close(credentials->ctx, credentials->keytab); krb5_free_context(credentials->ctx); free(credentials); } #endif static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential) { #ifdef WITH_KRB5 KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential); if (!credentials) return SEC_E_INVALID_HANDLE; credentials_unref(credentials); sspi_SecureHandleInvalidate(phCredential); return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW( WINPR_ATTR_UNUSED PCredHandle phCredential, ULONG ulAttribute, WINPR_ATTR_UNUSED void* pBuffer) { #ifdef WITH_KRB5 switch (ulAttribute) { case SECPKG_CRED_ATTR_NAMES: return SEC_E_OK; default: WLog_ERR(TAG, "TODO: QueryCredentialsAttributesW, implement ulAttribute=%08" PRIx32, ulAttribute); return SEC_E_UNSUPPORTED_FUNCTION; } #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) { return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer); } #ifdef WITH_KRB5 static BOOL kerberos_mk_tgt_token(SecBuffer* buf, int msg_type, char* sname, char* host, const krb5_data* ticket) { WinPrAsn1Encoder* enc = NULL; WinPrAsn1_MemoryChunk data; wStream s; size_t len = 0; sspi_gss_data token; BOOL ret = FALSE; WINPR_ASSERT(buf); if (msg_type != KRB_TGT_REQ && msg_type != KRB_TGT_REP) return FALSE; if (msg_type == KRB_TGT_REP && !ticket) return FALSE; enc = WinPrAsn1Encoder_New(WINPR_ASN1_DER); if (!enc) return FALSE; /* KERB-TGT-REQUEST (SEQUENCE) */ if (!WinPrAsn1EncSeqContainer(enc)) goto cleanup; /* pvno [0] INTEGER */ if (!WinPrAsn1EncContextualInteger(enc, 0, 5)) goto cleanup; /* msg-type [1] INTEGER */ if (!WinPrAsn1EncContextualInteger(enc, 1, msg_type)) goto cleanup; if (msg_type == KRB_TGT_REQ && sname) { /* server-name [2] PrincipalName (SEQUENCE) */ if (!WinPrAsn1EncContextualSeqContainer(enc, 2)) goto cleanup; /* name-type [0] INTEGER */ if (!WinPrAsn1EncContextualInteger(enc, 0, KRB5_NT_SRV_HST)) goto cleanup; /* name-string [1] SEQUENCE OF GeneralString */ if (!WinPrAsn1EncContextualSeqContainer(enc, 1)) goto cleanup; if (!WinPrAsn1EncGeneralString(enc, sname)) goto cleanup; if (host && !WinPrAsn1EncGeneralString(enc, host)) goto cleanup; if (!WinPrAsn1EncEndContainer(enc) || !WinPrAsn1EncEndContainer(enc)) goto cleanup; } else if (msg_type == KRB_TGT_REP) { /* ticket [2] Ticket */ data.data = (BYTE*)ticket->data; data.len = ticket->length; if (!WinPrAsn1EncContextualRawContent(enc, 2, &data)) goto cleanup; } if (!WinPrAsn1EncEndContainer(enc)) goto cleanup; if (!WinPrAsn1EncStreamSize(enc, &len) || len > buf->cbBuffer) goto cleanup; Stream_StaticInit(&s, buf->pvBuffer, len); if (!WinPrAsn1EncToStream(enc, &s)) goto cleanup; token.data = buf->pvBuffer; token.length = (UINT)len; if (sspi_gss_wrap_token(buf, &kerberos_u2u_OID, msg_type == KRB_TGT_REQ ? TOK_ID_TGT_REQ : TOK_ID_TGT_REP, &token)) ret = TRUE; cleanup: WinPrAsn1Encoder_Free(&enc); return ret; } static BOOL append(char* dst, size_t dstSize, const char* src) { const size_t dlen = strnlen(dst, dstSize); const size_t slen = strlen(src); if (dlen + slen >= dstSize) return FALSE; if (!strncat(dst, src, slen)) return FALSE; return TRUE; } static BOOL kerberos_rd_tgt_req_tag2(WinPrAsn1Decoder* dec, char* buf, size_t len) { BOOL rc = FALSE; WinPrAsn1Decoder seq = { 0 }; /* server-name [2] PrincipalName (SEQUENCE) */ if (!WinPrAsn1DecReadSequence(dec, &seq)) goto end; /* name-type [0] INTEGER */ BOOL error = FALSE; WinPrAsn1_INTEGER val = 0; if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val)) goto end; /* name-string [1] SEQUENCE OF GeneralString */ if (!WinPrAsn1DecReadContextualSequence(&seq, 1, &error, dec)) goto end; WinPrAsn1_tag tag = 0; BOOL first = TRUE; while (WinPrAsn1DecPeekTag(dec, &tag)) { BOOL success = FALSE; char* lstr = NULL; if (!WinPrAsn1DecReadGeneralString(dec, &lstr)) goto fail; if (!first) { if (!append(buf, len, "/")) goto fail; } first = FALSE; if (!append(buf, len, lstr)) goto fail; success = TRUE; fail: free(lstr); if (!success) goto end; } rc = TRUE; end: return rc; } static BOOL kerberos_rd_tgt_req_tag3(WinPrAsn1Decoder* dec, char* buf, size_t len) { /* realm [3] Realm */ BOOL rc = FALSE; WinPrAsn1_STRING str = NULL; if (!WinPrAsn1DecReadGeneralString(dec, &str)) goto end; if (!append(buf, len, "@")) goto end; if (!append(buf, len, str)) goto end; rc = TRUE; end: free(str); return rc; } static BOOL kerberos_rd_tgt_req(WinPrAsn1Decoder* dec, char** target) { BOOL rc = FALSE; if (!target) return FALSE; *target = NULL; wStream s = WinPrAsn1DecGetStream(dec); const size_t len = Stream_Length(&s); if (len == 0) return TRUE; WinPrAsn1Decoder dec2 = { 0 }; WinPrAsn1_tagId tag = 0; if (WinPrAsn1DecReadContextualTag(dec, &tag, &dec2) == 0) return FALSE; char* buf = calloc(len + 1, sizeof(char)); if (!buf) return FALSE; /* We expect ASN1 context tag values 2 or 3. * * In case we got value 2 an (optional) context tag value 3 might follow. */ BOOL checkForTag3 = TRUE; if (tag == 2) { rc = kerberos_rd_tgt_req_tag2(&dec2, buf, len); if (rc) { const size_t res = WinPrAsn1DecReadContextualTag(dec, &tag, dec); if (res == 0) checkForTag3 = FALSE; } } if (checkForTag3) { if (tag == 3) rc = kerberos_rd_tgt_req_tag3(&dec2, buf, len); else rc = FALSE; } if (rc) *target = buf; else free(buf); return rc; } static BOOL kerberos_rd_tgt_rep(WinPrAsn1Decoder* dec, krb5_data* ticket) { if (!ticket) return FALSE; /* ticket [2] Ticket */ WinPrAsn1Decoder asnTicket = { 0 }; WinPrAsn1_tagId tag = 0; if (WinPrAsn1DecReadContextualTag(dec, &tag, &asnTicket) == 0) return FALSE; if (tag != 2) return FALSE; wStream s = WinPrAsn1DecGetStream(&asnTicket); ticket->data = Stream_BufferAs(&s, char); const size_t len = Stream_Length(&s); if (len > UINT32_MAX) return FALSE; ticket->length = (UINT32)len; return TRUE; } static BOOL kerberos_rd_tgt_token(const sspi_gss_data* token, char** target, krb5_data* ticket) { BOOL error = 0; WinPrAsn1_INTEGER val = 0; WINPR_ASSERT(token); if (target) *target = NULL; WinPrAsn1Decoder der = { 0 }; WinPrAsn1Decoder_InitMem(&der, WINPR_ASN1_DER, (BYTE*)token->data, token->length); /* KERB-TGT-REQUEST (SEQUENCE) */ WinPrAsn1Decoder seq = { 0 }; if (!WinPrAsn1DecReadSequence(&der, &seq)) return FALSE; /* pvno [0] INTEGER */ if (!WinPrAsn1DecReadContextualInteger(&seq, 0, &error, &val) || val != 5) return FALSE; /* msg-type [1] INTEGER */ if (!WinPrAsn1DecReadContextualInteger(&seq, 1, &error, &val)) return FALSE; switch (val) { case KRB_TGT_REQ: return kerberos_rd_tgt_req(&seq, target); case KRB_TGT_REP: return kerberos_rd_tgt_rep(&seq, ticket); default: break; } return FALSE; } #endif /* WITH_KRB5 */ static BOOL kerberos_hash_channel_bindings(WINPR_DIGEST_CTX* md5, SEC_CHANNEL_BINDINGS* bindings) { BYTE buf[4]; winpr_Data_Write_UINT32(buf, bindings->dwInitiatorAddrType); if (!winpr_Digest_Update(md5, buf, 4)) return FALSE; winpr_Data_Write_UINT32(buf, bindings->cbInitiatorLength); if (!winpr_Digest_Update(md5, buf, 4)) return FALSE; if (bindings->cbInitiatorLength && !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwInitiatorOffset, bindings->cbInitiatorLength)) return FALSE; winpr_Data_Write_UINT32(buf, bindings->dwAcceptorAddrType); if (!winpr_Digest_Update(md5, buf, 4)) return FALSE; winpr_Data_Write_UINT32(buf, bindings->cbAcceptorLength); if (!winpr_Digest_Update(md5, buf, 4)) return FALSE; if (bindings->cbAcceptorLength && !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwAcceptorOffset, bindings->cbAcceptorLength)) return FALSE; winpr_Data_Write_UINT32(buf, bindings->cbApplicationDataLength); if (!winpr_Digest_Update(md5, buf, 4)) return FALSE; if (bindings->cbApplicationDataLength && !winpr_Digest_Update(md5, (BYTE*)bindings + bindings->dwApplicationDataOffset, bindings->cbApplicationDataLength)) return FALSE; return TRUE; } static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA( PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq, WINPR_ATTR_UNUSED ULONG Reserved1, WINPR_ATTR_UNUSED ULONG TargetDataRep, PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput, WINPR_ATTR_UNUSED ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpiry) { #ifdef WITH_KRB5 PSecBuffer input_buffer = NULL; PSecBuffer output_buffer = NULL; PSecBuffer bindings_buffer = NULL; WINPR_DIGEST_CTX* md5 = NULL; char* target = NULL; char* sname = NULL; char* host = NULL; krb5_data input_token = { 0 }; krb5_data output_token = { 0 }; SECURITY_STATUS status = SEC_E_INTERNAL_ERROR; WinPrAsn1_OID oid = { 0 }; uint16_t tok_id = 0; krb5_ap_rep_enc_part* reply = NULL; krb5_flags ap_flags = AP_OPTS_USE_SUBKEY; char cksum_contents[24] = { 0 }; krb5_data cksum = { 0 }; krb5_creds in_creds = { 0 }; krb5_creds* creds = NULL; BOOL isNewContext = FALSE; KRB_CONTEXT* context = NULL; KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential); /* behave like windows SSPIs that don't want empty context */ if (phContext && !phContext->dwLower && !phContext->dwUpper) return SEC_E_INVALID_HANDLE; context = sspi_SecureHandleGetLowerPointer(phContext); if (!credentials) return SEC_E_NO_CREDENTIALS; if (pInput) { input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN); bindings_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_CHANNEL_BINDINGS); } if (pOutput) output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN); if (fContextReq & ISC_REQ_MUTUAL_AUTH) ap_flags |= AP_OPTS_MUTUAL_REQUIRED; if (fContextReq & ISC_REQ_USE_SESSION_KEY) ap_flags |= AP_OPTS_USE_SESSION_KEY; /* Split target name into service/hostname components */ if (pszTargetName) { target = _strdup(pszTargetName); if (!target) { status = SEC_E_INSUFFICIENT_MEMORY; goto cleanup; } host = strchr(target, '/'); if (host) { *host++ = 0; sname = target; } else host = target; if (isValidIP(host)) { status = SEC_E_NO_CREDENTIALS; goto cleanup; } } if (!context) { context = kerberos_ContextNew(credentials); if (!context) { status = SEC_E_INSUFFICIENT_MEMORY; goto cleanup; } isNewContext = TRUE; if (host) context->targetHost = _strdup(host); if (!context->targetHost) { status = SEC_E_INSUFFICIENT_MEMORY; goto cleanup; } if (fContextReq & ISC_REQ_USE_SESSION_KEY) { context->state = KERBEROS_STATE_TGT_REQ; context->u2u = TRUE; } else context->state = KERBEROS_STATE_AP_REQ; } else { if (!input_buffer || !sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token)) goto bad_token; if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) || (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID))) goto bad_token; } /* SSPI flags are compatible with GSS flags except INTEG_FLAG */ context->flags |= (fContextReq & 0x1F); if ((fContextReq & ISC_REQ_INTEGRITY) && !(fContextReq & ISC_REQ_NO_INTEGRITY)) context->flags |= SSPI_GSS_C_INTEG_FLAG; switch (context->state) { case KERBEROS_STATE_TGT_REQ: if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REQ, sname, host, NULL)) goto cleanup; context->state = KERBEROS_STATE_TGT_REP; status = SEC_I_CONTINUE_NEEDED; break; case KERBEROS_STATE_TGT_REP: if (tok_id != TOK_ID_TGT_REP) goto bad_token; if (!kerberos_rd_tgt_token(&input_token, NULL, &in_creds.second_ticket)) goto bad_token; /* Continue to AP-REQ */ /* fallthrough */ WINPR_FALLTHROUGH case KERBEROS_STATE_AP_REQ: /* Set auth_context options */ if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx)) goto cleanup; if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx, KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY)) goto cleanup; if (krb_log_exec(krb5glue_auth_con_set_cksumtype, credentials->ctx, context->auth_ctx, GSS_CHECKSUM_TYPE)) goto cleanup; /* Get a service ticket */ if (krb_log_exec(krb5_sname_to_principal, credentials->ctx, host, sname, KRB5_NT_SRV_HST, &in_creds.server)) goto cleanup; if (krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache, &in_creds.client)) { status = SEC_E_WRONG_PRINCIPAL; goto cleanup; } if (krb_log_exec(krb5_get_credentials, credentials->ctx, context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds, &creds)) { status = SEC_E_NO_CREDENTIALS; goto cleanup; } /* Write the checksum (delegation not implemented) */ cksum.data = cksum_contents; cksum.length = sizeof(cksum_contents); winpr_Data_Write_UINT32(cksum_contents, 16); winpr_Data_Write_UINT32((cksum_contents + 20), context->flags); if (bindings_buffer) { SEC_CHANNEL_BINDINGS* bindings = bindings_buffer->pvBuffer; /* Sanity checks */ if (bindings_buffer->cbBuffer < sizeof(SEC_CHANNEL_BINDINGS) || (bindings->cbInitiatorLength + bindings->dwInitiatorOffset) > bindings_buffer->cbBuffer || (bindings->cbAcceptorLength + bindings->dwAcceptorOffset) > bindings_buffer->cbBuffer || (bindings->cbApplicationDataLength + bindings->dwApplicationDataOffset) > bindings_buffer->cbBuffer) { status = SEC_E_BAD_BINDINGS; goto cleanup; } md5 = winpr_Digest_New(); if (!md5) goto cleanup; if (!winpr_Digest_Init(md5, WINPR_MD_MD5)) goto cleanup; if (!kerberos_hash_channel_bindings(md5, bindings)) goto cleanup; if (!winpr_Digest_Final(md5, (BYTE*)cksum_contents + 4, 16)) goto cleanup; } /* Make the AP_REQ message */ if (krb_log_exec(krb5_mk_req_extended, credentials->ctx, &context->auth_ctx, ap_flags, &cksum, creds, &output_token)) goto cleanup; if (!sspi_gss_wrap_token(output_buffer, context->u2u ? &kerberos_u2u_OID : &kerberos_OID, TOK_ID_AP_REQ, &output_token)) goto cleanup; if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) { if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx, (INT32*)&context->local_seq)) goto cleanup; context->remote_seq ^= context->local_seq; } if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE, &context->keyset)) goto cleanup; context->state = KERBEROS_STATE_AP_REP; if (context->flags & SSPI_GSS_C_MUTUAL_FLAG) status = SEC_I_CONTINUE_NEEDED; else status = SEC_E_OK; break; case KERBEROS_STATE_AP_REP: if (tok_id == TOK_ID_AP_REP) { if (krb_log_exec(krb5_rd_rep, credentials->ctx, context->auth_ctx, &input_token, &reply)) goto cleanup; krb5_free_ap_rep_enc_part(credentials->ctx, reply); } else if (tok_id == TOK_ID_ERROR) { krb5glue_log_error(credentials->ctx, &input_token, TAG); goto cleanup; } else goto bad_token; if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) { if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx, (INT32*)&context->remote_seq)) goto cleanup; } if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, FALSE, &context->keyset)) goto cleanup; context->state = KERBEROS_STATE_FINAL; if (output_buffer) output_buffer->cbBuffer = 0; status = SEC_E_OK; break; case KERBEROS_STATE_FINAL: default: WLog_ERR(TAG, "Kerberos in invalid state!"); goto cleanup; } cleanup: { /* second_ticket is not allocated */ krb5_data edata = { 0 }; in_creds.second_ticket = edata; krb5_free_cred_contents(credentials->ctx, &in_creds); } krb5_free_creds(credentials->ctx, creds); if (output_token.data) krb5glue_free_data_contents(credentials->ctx, &output_token); winpr_Digest_Free(md5); free(target); if (isNewContext) { switch (status) { case SEC_E_OK: case SEC_I_CONTINUE_NEEDED: sspi_SecureHandleSetLowerPointer(phNewContext, context); sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME); break; default: kerberos_ContextFree(context, TRUE); break; } } return status; bad_token: status = SEC_E_INVALID_TOKEN; goto cleanup; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif /* WITH_KRB5 */ } static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW( PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, PTimeStamp ptsExpiry) { SECURITY_STATUS status = 0; char* target_name = NULL; if (pszTargetName) { target_name = ConvertWCharToUtf8Alloc(pszTargetName, NULL); if (!target_name) return SEC_E_INSUFFICIENT_MEMORY; } status = kerberos_InitializeSecurityContextA(phCredential, phContext, target_name, fContextReq, Reserved1, TargetDataRep, pInput, Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry); if (target_name) free(target_name); return status; } static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext( PCredHandle phCredential, PCtxtHandle phContext, PSecBufferDesc pInput, WINPR_ATTR_UNUSED ULONG fContextReq, WINPR_ATTR_UNUSED ULONG TargetDataRep, PCtxtHandle phNewContext, PSecBufferDesc pOutput, ULONG* pfContextAttr, WINPR_ATTR_UNUSED PTimeStamp ptsExpity) { #ifdef WITH_KRB5 BOOL isNewContext = FALSE; PSecBuffer input_buffer = NULL; PSecBuffer output_buffer = NULL; WinPrAsn1_OID oid = { 0 }; uint16_t tok_id = 0; krb5_data input_token = { 0 }; krb5_data output_token = { 0 }; SECURITY_STATUS status = SEC_E_INTERNAL_ERROR; krb5_flags ap_flags = 0; krb5glue_authenticator authenticator = NULL; char* target = NULL; char* sname = NULL; char* realm = NULL; krb5_kt_cursor cur = { 0 }; krb5_keytab_entry entry = { 0 }; krb5_principal principal = NULL; krb5_creds creds = { 0 }; /* behave like windows SSPIs that don't want empty context */ if (phContext && !phContext->dwLower && !phContext->dwUpper) return SEC_E_INVALID_HANDLE; KRB_CONTEXT* context = sspi_SecureHandleGetLowerPointer(phContext); KRB_CREDENTIALS* credentials = sspi_SecureHandleGetLowerPointer(phCredential); if (pInput) input_buffer = sspi_FindSecBuffer(pInput, SECBUFFER_TOKEN); if (pOutput) output_buffer = sspi_FindSecBuffer(pOutput, SECBUFFER_TOKEN); if (!input_buffer) return SEC_E_INVALID_TOKEN; if (!sspi_gss_unwrap_token(input_buffer, &oid, &tok_id, &input_token)) return SEC_E_INVALID_TOKEN; if (!context) { isNewContext = TRUE; context = kerberos_ContextNew(credentials); context->acceptor = TRUE; if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) { context->u2u = TRUE; context->state = KERBEROS_STATE_TGT_REQ; } else if (sspi_gss_oid_compare(&oid, &kerberos_OID)) context->state = KERBEROS_STATE_AP_REQ; else goto bad_token; } else { if ((context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) || (!context->u2u && !sspi_gss_oid_compare(&oid, &kerberos_OID))) goto bad_token; } if (context->state == KERBEROS_STATE_TGT_REQ && tok_id == TOK_ID_TGT_REQ) { if (!kerberos_rd_tgt_token(&input_token, &target, NULL)) goto bad_token; if (target) { if (*target != 0 && *target != '@') sname = target; realm = strchr(target, '@'); if (realm) realm++; } if (krb_log_exec(krb5_parse_name_flags, credentials->ctx, sname ? sname : "", KRB5_PRINCIPAL_PARSE_NO_REALM, &principal)) goto cleanup; if (realm) { if (krb_log_exec(krb5glue_set_principal_realm, credentials->ctx, principal, realm)) goto cleanup; } if (krb_log_exec(krb5_kt_start_seq_get, credentials->ctx, credentials->keytab, &cur)) goto cleanup; do { krb5_error_code rv = krb_log_exec(krb5_kt_next_entry, credentials->ctx, credentials->keytab, &entry, &cur); if (rv == KRB5_KT_END) break; if (rv != 0) goto cleanup; if ((!sname || krb_log_exec_bool(krb5_principal_compare_any_realm, credentials->ctx, principal, entry.principal)) && (!realm || krb_log_exec_bool(krb5_realm_compare, credentials->ctx, principal, entry.principal))) break; const krb5_error_code res = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry); memset(&entry, 0, sizeof(entry)); if (res != 0) goto cleanup; } while (1); if (krb_log_exec(krb5_kt_end_seq_get, credentials->ctx, credentials->keytab, &cur)) goto cleanup; if (!entry.principal) goto cleanup; /* Get the TGT */ if (krb_log_exec(krb5_get_init_creds_keytab, credentials->ctx, &creds, entry.principal, credentials->keytab, 0, NULL, NULL)) goto cleanup; if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket)) goto cleanup; if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &context->auth_ctx)) goto cleanup; if (krb_log_exec(krb5glue_auth_con_setuseruserkey, credentials->ctx, context->auth_ctx, &krb5glue_creds_getkey(creds))) goto cleanup; context->state = KERBEROS_STATE_AP_REQ; } else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ) { if (krb_log_exec(krb5_rd_req, credentials->ctx, &context->auth_ctx, &input_token, NULL, credentials->keytab, &ap_flags, NULL)) goto cleanup; if (krb_log_exec(krb5_auth_con_setflags, credentials->ctx, context->auth_ctx, KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY)) goto cleanup; /* Retrieve and validate the checksum */ if (krb_log_exec(krb5_auth_con_getauthenticator, credentials->ctx, context->auth_ctx, &authenticator)) goto cleanup; if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE, &context->flags)) goto bad_token; if ((ap_flags & AP_OPTS_MUTUAL_REQUIRED) && (context->flags & SSPI_GSS_C_MUTUAL_FLAG)) { if (!output_buffer) goto bad_token; if (krb_log_exec(krb5_mk_rep, credentials->ctx, context->auth_ctx, &output_token)) goto cleanup; if (!sspi_gss_wrap_token(output_buffer, context->u2u ? &kerberos_u2u_OID : &kerberos_OID, TOK_ID_AP_REP, &output_token)) goto cleanup; } else { if (output_buffer) output_buffer->cbBuffer = 0; } *pfContextAttr = (context->flags & 0x1F); if (context->flags & SSPI_GSS_C_INTEG_FLAG) *pfContextAttr |= ASC_RET_INTEGRITY; if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) { if (krb_log_exec(krb5_auth_con_getlocalseqnumber, credentials->ctx, context->auth_ctx, (INT32*)&context->local_seq)) goto cleanup; if (krb_log_exec(krb5_auth_con_getremoteseqnumber, credentials->ctx, context->auth_ctx, (INT32*)&context->remote_seq)) goto cleanup; } if (krb_log_exec(krb5glue_update_keyset, credentials->ctx, context->auth_ctx, TRUE, &context->keyset)) goto cleanup; context->state = KERBEROS_STATE_FINAL; } else goto bad_token; /* On first call allocate new context */ if (context->state == KERBEROS_STATE_FINAL) status = SEC_E_OK; else status = SEC_I_CONTINUE_NEEDED; cleanup: free(target); if (output_token.data) krb5glue_free_data_contents(credentials->ctx, &output_token); if (entry.principal) krb5glue_free_keytab_entry_contents(credentials->ctx, &entry); if (isNewContext) { switch (status) { case SEC_E_OK: case SEC_I_CONTINUE_NEEDED: sspi_SecureHandleSetLowerPointer(phNewContext, context); sspi_SecureHandleSetUpperPointer(phNewContext, KERBEROS_SSP_NAME); break; default: kerberos_ContextFree(context, TRUE); break; } } return status; bad_token: status = SEC_E_INVALID_TOKEN; goto cleanup; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif /* WITH_KRB5 */ } #ifdef WITH_KRB5 static KRB_CONTEXT* get_context(PCtxtHandle phContext) { if (!phContext) return NULL; TCHAR* name = sspi_SecureHandleGetUpperPointer(phContext); if (!name) return NULL; if (_tcsncmp(KERBEROS_SSP_NAME, name, ARRAYSIZE(KERBEROS_SSP_NAME)) != 0) return NULL; return sspi_SecureHandleGetLowerPointer(phContext); } static BOOL copy_krb5_data(krb5_data* data, PUCHAR* ptr, ULONG* psize) { WINPR_ASSERT(data); WINPR_ASSERT(ptr); WINPR_ASSERT(psize); *ptr = (PUCHAR)malloc(data->length); if (!*ptr) return FALSE; *psize = data->length; memcpy(*ptr, data->data, data->length); return TRUE; } #endif static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext) { #ifdef WITH_KRB5 KRB_CONTEXT* context = get_context(phContext); if (!context) return SEC_E_INVALID_HANDLE; kerberos_ContextFree(context, TRUE); return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } #ifdef WITH_KRB5 static SECURITY_STATUS krb5_error_to_SECURITY_STATUS(krb5_error_code code) { switch (code) { case 0: return SEC_E_OK; default: return SEC_E_INTERNAL_ERROR; } } static SECURITY_STATUS kerberos_ATTR_SIZES(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials, SecPkgContext_Sizes* ContextSizes) { UINT header = 0; UINT pad = 0; UINT trailer = 0; krb5glue_key key = NULL; WINPR_ASSERT(context); WINPR_ASSERT(context->auth_ctx); /* The MaxTokenSize by default is 12,000 bytes. This has been the default value * since Windows 2000 SP2 and still remains in Windows 7 and Windows 2008 R2. * For Windows Server 2012, the default value of the MaxTokenSize registry * entry is 48,000 bytes.*/ ContextSizes->cbMaxToken = KERBEROS_SecPkgInfoA.cbMaxToken; ContextSizes->cbMaxSignature = 0; ContextSizes->cbBlockSize = 1; ContextSizes->cbSecurityTrailer = 0; key = get_key(&context->keyset); if (context->flags & SSPI_GSS_C_CONF_FLAG) { krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_HEADER, &header); if (rv) return krb5_error_to_SECURITY_STATUS(rv); rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_PADDING, &pad); if (rv) return krb5_error_to_SECURITY_STATUS(rv); rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_TRAILER, &trailer); if (rv) return krb5_error_to_SECURITY_STATUS(rv); /* GSS header (= 16 bytes) + encrypted header = 32 bytes */ ContextSizes->cbSecurityTrailer = header + pad + trailer + 32; } if (context->flags & SSPI_GSS_C_INTEG_FLAG) { krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, credentials->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM, &ContextSizes->cbMaxSignature); if (rv) return krb5_error_to_SECURITY_STATUS(rv); ContextSizes->cbMaxSignature += 16; } return SEC_E_OK; } static SECURITY_STATUS kerberos_ATTR_TICKET_LOGON(KRB_CONTEXT* context, KRB_CREDENTIALS* credentials, KERB_TICKET_LOGON* ticketLogon) { krb5_creds matchCred = { 0 }; krb5_auth_context authContext = NULL; krb5_flags getCredsFlags = KRB5_GC_CACHED; BOOL firstRun = TRUE; krb5_creds* hostCred = NULL; SECURITY_STATUS ret = SEC_E_INSUFFICIENT_MEMORY; int rv = krb_log_exec(krb5_sname_to_principal, credentials->ctx, context->targetHost, "HOST", KRB5_NT_SRV_HST, &matchCred.server); if (rv) goto out; rv = krb_log_exec(krb5_cc_get_principal, credentials->ctx, credentials->ccache, &matchCred.client); if (rv) goto out; /* try from the cache first, and then do a new request */ again: rv = krb_log_exec(krb5_get_credentials, credentials->ctx, getCredsFlags, credentials->ccache, &matchCred, &hostCred); switch (rv) { case 0: break; case KRB5_CC_NOTFOUND: getCredsFlags = 0; if (firstRun) { firstRun = FALSE; goto again; } WINPR_FALLTHROUGH default: WLog_ERR(TAG, "krb5_get_credentials(hostCreds), rv=%d", rv); goto out; } if (krb_log_exec(krb5_auth_con_init, credentials->ctx, &authContext)) goto out; krb5_data derOut = { 0 }; if (krb_log_exec(krb5_fwd_tgt_creds, credentials->ctx, authContext, context->targetHost, matchCred.client, matchCred.server, credentials->ccache, 1, &derOut)) { ret = SEC_E_LOGON_DENIED; goto out; } ticketLogon->MessageType = KerbTicketLogon; ticketLogon->Flags = KERB_LOGON_FLAG_REDIRECTED; if (!copy_krb5_data(&hostCred->ticket, &ticketLogon->ServiceTicket, &ticketLogon->ServiceTicketLength)) { krb5_free_data(credentials->ctx, &derOut); goto out; } ticketLogon->TicketGrantingTicketLength = derOut.length; ticketLogon->TicketGrantingTicket = (PUCHAR)derOut.data; ret = SEC_E_OK; out: krb5_auth_con_free(credentials->ctx, authContext); krb5_free_creds(credentials->ctx, hostCred); krb5_free_cred_contents(credentials->ctx, &matchCred); return ret; } #endif /* WITH_KRB5 */ static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) { if (!phContext) return SEC_E_INVALID_HANDLE; if (!pBuffer) return SEC_E_INVALID_PARAMETER; #ifdef WITH_KRB5 KRB_CONTEXT* context = get_context(phContext); if (!context) return SEC_E_INVALID_PARAMETER; KRB_CREDENTIALS* credentials = context->credentials; switch (ulAttribute) { case SECPKG_ATTR_SIZES: return kerberos_ATTR_SIZES(context, credentials, (SecPkgContext_Sizes*)pBuffer); case SECPKG_CRED_ATTR_TICKET_LOGON: return kerberos_ATTR_TICKET_LOGON(context, credentials, (KERB_TICKET_LOGON*)pBuffer); default: WLog_ERR(TAG, "TODO: QueryContextAttributes implement ulAttribute=0x%08" PRIx32, ulAttribute); return SEC_E_UNSUPPORTED_FUNCTION; } #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer) { return kerberos_QueryContextAttributesA(phContext, ulAttribute, pBuffer); } static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesW( WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute, WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer) { return SEC_E_UNSUPPORTED_FUNCTION; } static SECURITY_STATUS SEC_ENTRY kerberos_SetContextAttributesA( WINPR_ATTR_UNUSED PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG ulAttribute, WINPR_ATTR_UNUSED void* pBuffer, WINPR_ATTR_UNUSED ULONG cbBuffer) { return SEC_E_UNSUPPORTED_FUNCTION; } static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesX(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer, ULONG cbBuffer, WINPR_ATTR_UNUSED BOOL unicode) { #ifdef WITH_KRB5 KRB_CREDENTIALS* credentials = NULL; if (!phCredential) return SEC_E_INVALID_HANDLE; credentials = sspi_SecureHandleGetLowerPointer(phCredential); if (!credentials) return SEC_E_INVALID_HANDLE; if (!pBuffer) return SEC_E_INSUFFICIENT_MEMORY; switch (ulAttribute) { case SECPKG_CRED_ATTR_KDC_PROXY_SETTINGS: { SecPkgCredentials_KdcProxySettingsW* kdc_settings = pBuffer; /* Sanity checks */ if (cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) || kdc_settings->Version != KDC_PROXY_SETTINGS_V1 || kdc_settings->ProxyServerOffset < sizeof(SecPkgCredentials_KdcProxySettingsW) || cbBuffer < sizeof(SecPkgCredentials_KdcProxySettingsW) + kdc_settings->ProxyServerOffset + kdc_settings->ProxyServerLength) return SEC_E_INVALID_TOKEN; if (credentials->kdc_url) { free(credentials->kdc_url); credentials->kdc_url = NULL; } if (kdc_settings->ProxyServerLength > 0) { WCHAR* proxy = (WCHAR*)((BYTE*)pBuffer + kdc_settings->ProxyServerOffset); credentials->kdc_url = ConvertWCharNToUtf8Alloc( proxy, kdc_settings->ProxyServerLength / sizeof(WCHAR), NULL); if (!credentials->kdc_url) return SEC_E_INSUFFICIENT_MEMORY; } return SEC_E_OK; } case SECPKG_CRED_ATTR_NAMES: case SECPKG_ATTR_SUPPORTED_ALGS: default: WLog_ERR(TAG, "TODO: SetCredentialsAttributesX implement ulAttribute=0x%08" PRIx32, ulAttribute); return SEC_E_UNSUPPORTED_FUNCTION; } #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer, ULONG cbBuffer) { return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, TRUE); } static SECURITY_STATUS SEC_ENTRY kerberos_SetCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer, ULONG cbBuffer) { return kerberos_SetCredentialsAttributesX(phCredential, ulAttribute, pBuffer, cbBuffer, FALSE); } static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) { #ifdef WITH_KRB5 KRB_CONTEXT* context = get_context(phContext); PSecBuffer sig_buffer = NULL; PSecBuffer data_buffer = NULL; char* header = NULL; BYTE flags = 0; krb5glue_key key = NULL; krb5_keyusage usage = 0; krb5_crypto_iov encrypt_iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_PADDING, { 0 } }, { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } }; if (!context) return SEC_E_INVALID_HANDLE; if (!(context->flags & SSPI_GSS_C_CONF_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION; KRB_CREDENTIALS* creds = context->credentials; sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN); data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA); if (!sig_buffer || !data_buffer) return SEC_E_INVALID_TOKEN; if (fQOP) return SEC_E_QOP_NOT_SUPPORTED; flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0; flags |= FLAG_WRAP_CONFIDENTIAL; key = get_key(&context->keyset); if (!key) return SEC_E_INTERNAL_ERROR; flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0; usage = context->acceptor ? KG_USAGE_ACCEPTOR_SEAL : KG_USAGE_INITIATOR_SEAL; /* Set the lengths of the data (plaintext + header) */ encrypt_iov[1].data.length = data_buffer->cbBuffer; encrypt_iov[2].data.length = 16; /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */ if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, encrypt_iov, ARRAYSIZE(encrypt_iov))) return SEC_E_INTERNAL_ERROR; if (sig_buffer->cbBuffer < encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32) return SEC_E_INSUFFICIENT_MEMORY; /* Set up the iov array in sig_buffer */ header = sig_buffer->pvBuffer; encrypt_iov[2].data.data = header + 16; encrypt_iov[3].data.data = encrypt_iov[2].data.data + encrypt_iov[2].data.length; encrypt_iov[4].data.data = encrypt_iov[3].data.data + encrypt_iov[3].data.length; encrypt_iov[0].data.data = encrypt_iov[4].data.data + encrypt_iov[4].data.length; encrypt_iov[1].data.data = data_buffer->pvBuffer; /* Write the GSS header with 0 in RRC */ winpr_Data_Write_UINT16_BE(header, TOK_ID_WRAP); header[2] = WINPR_ASSERTING_INT_CAST(char, flags); header[3] = (char)0xFF; winpr_Data_Write_UINT32(header + 4, 0); winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo)); /* Copy header to be encrypted */ CopyMemory(encrypt_iov[2].data.data, header, 16); /* Set the correct RRC */ const size_t len = 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length; winpr_Data_Write_UINT16_BE(header + 6, WINPR_ASSERTING_INT_CAST(UINT16, len)); if (krb_log_exec(krb5glue_encrypt_iov, creds->ctx, key, usage, encrypt_iov, ARRAYSIZE(encrypt_iov))) return SEC_E_INTERNAL_ERROR; return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, ULONG* pfQOP) { #ifdef WITH_KRB5 KRB_CONTEXT* context = get_context(phContext); PSecBuffer sig_buffer = NULL; PSecBuffer data_buffer = NULL; krb5glue_key key = NULL; krb5_keyusage usage = 0; uint16_t tok_id = 0; BYTE flags = 0; uint16_t ec = 0; uint16_t rrc = 0; uint64_t seq_no = 0; krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_HEADER, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_PADDING, { 0 } }, { KRB5_CRYPTO_TYPE_TRAILER, { 0 } } }; if (!context) return SEC_E_INVALID_HANDLE; if (!(context->flags & SSPI_GSS_C_CONF_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION; KRB_CREDENTIALS* creds = context->credentials; sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN); data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA); if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16) return SEC_E_INVALID_TOKEN; /* Read in header information */ BYTE* header = sig_buffer->pvBuffer; tok_id = winpr_Data_Get_UINT16_BE(header); flags = header[2]; ec = winpr_Data_Get_UINT16_BE(&header[4]); rrc = winpr_Data_Get_UINT16_BE(&header[6]); seq_no = winpr_Data_Get_UINT64_BE(&header[8]); /* Check that the header is valid */ if ((tok_id != TOK_ID_WRAP) || (header[3] != 0xFF)) return SEC_E_INVALID_TOKEN; if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor) return SEC_E_INVALID_TOKEN; if ((context->flags & ISC_REQ_SEQUENCE_DETECT) && (seq_no != context->remote_seq + MessageSeqNo)) return SEC_E_OUT_OF_SEQUENCE; if (!(flags & FLAG_WRAP_CONFIDENTIAL)) return SEC_E_INVALID_TOKEN; /* We don't expect a trailer buffer; the encrypted header must be rotated */ if (rrc < 16) return SEC_E_INVALID_TOKEN; /* Find the proper key and key usage */ key = get_key(&context->keyset); if (!key || ((flags & FLAG_ACCEPTOR_SUBKEY) && (context->keyset.acceptor_key != key))) return SEC_E_INTERNAL_ERROR; usage = context->acceptor ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL; /* Fill in the lengths of the iov array */ iov[1].data.length = data_buffer->cbBuffer; iov[2].data.length = 16; if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov))) return SEC_E_INTERNAL_ERROR; /* We don't expect a trailer buffer; everything must be in sig_buffer */ if (rrc != 16 + iov[3].data.length + iov[4].data.length) return SEC_E_INVALID_TOKEN; if (sig_buffer->cbBuffer != 16 + rrc + iov[0].data.length) return SEC_E_INVALID_TOKEN; /* Locate the parts of the message */ iov[0].data.data = (char*)&header[16 + rrc + ec]; iov[1].data.data = data_buffer->pvBuffer; iov[2].data.data = (char*)&header[16 + ec]; char* data2 = iov[2].data.data; iov[3].data.data = &data2[iov[2].data.length]; char* data3 = iov[3].data.data; iov[4].data.data = &data3[iov[3].data.length]; if (krb_log_exec(krb5glue_decrypt_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov))) return SEC_E_INTERNAL_ERROR; /* Validate the encrypted header */ winpr_Data_Write_UINT16_BE(iov[2].data.data + 4, ec); winpr_Data_Write_UINT16_BE(iov[2].data.data + 6, rrc); if (memcmp(iov[2].data.data, header, 16) != 0) return SEC_E_MESSAGE_ALTERED; *pfQOP = 0; return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, WINPR_ATTR_UNUSED ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) { #ifdef WITH_KRB5 KRB_CONTEXT* context = get_context(phContext); PSecBuffer sig_buffer = NULL; PSecBuffer data_buffer = NULL; krb5glue_key key = NULL; krb5_keyusage usage = 0; BYTE flags = 0; krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } }; if (!context) return SEC_E_INVALID_HANDLE; if (!(context->flags & SSPI_GSS_C_INTEG_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION; KRB_CREDENTIALS* creds = context->credentials; sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN); data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA); if (!sig_buffer || !data_buffer) return SEC_E_INVALID_TOKEN; flags |= context->acceptor ? FLAG_SENDER_IS_ACCEPTOR : 0; key = get_key(&context->keyset); if (!key) return SEC_E_INTERNAL_ERROR; usage = context->acceptor ? KG_USAGE_ACCEPTOR_SIGN : KG_USAGE_INITIATOR_SIGN; flags |= context->keyset.acceptor_key == key ? FLAG_ACCEPTOR_SUBKEY : 0; /* Fill in the lengths of the iov array */ iov[0].data.length = data_buffer->cbBuffer; iov[1].data.length = 16; if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov))) return SEC_E_INTERNAL_ERROR; /* Ensure the buffer is big enough */ if (sig_buffer->cbBuffer < iov[2].data.length + 16) return SEC_E_INSUFFICIENT_MEMORY; /* Write the header */ char* header = sig_buffer->pvBuffer; winpr_Data_Write_UINT16_BE(header, TOK_ID_MIC); header[2] = WINPR_ASSERTING_INT_CAST(char, flags); memset(header + 3, 0xFF, 5); winpr_Data_Write_UINT64_BE(header + 8, (context->local_seq + MessageSeqNo)); /* Set up the iov array */ iov[0].data.data = data_buffer->pvBuffer; iov[1].data.data = header; iov[2].data.data = header + 16; if (krb_log_exec(krb5glue_make_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov))) return SEC_E_INTERNAL_ERROR; sig_buffer->cbBuffer = iov[2].data.length + 16; return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, WINPR_ATTR_UNUSED ULONG* pfQOP) { #ifdef WITH_KRB5 PSecBuffer sig_buffer = NULL; PSecBuffer data_buffer = NULL; krb5glue_key key = NULL; krb5_keyusage usage = 0; BYTE flags = 0; uint16_t tok_id = 0; uint64_t seq_no = 0; krb5_boolean is_valid = 0; krb5_crypto_iov iov[] = { { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_DATA, { 0 } }, { KRB5_CRYPTO_TYPE_CHECKSUM, { 0 } } }; BYTE cmp_filler[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; KRB_CONTEXT* context = get_context(phContext); if (!context) return SEC_E_INVALID_HANDLE; if (!(context->flags & SSPI_GSS_C_INTEG_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION; sig_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_TOKEN); data_buffer = sspi_FindSecBuffer(pMessage, SECBUFFER_DATA); if (!sig_buffer || !data_buffer || sig_buffer->cbBuffer < 16) return SEC_E_INVALID_TOKEN; /* Read in header info */ BYTE* header = sig_buffer->pvBuffer; tok_id = winpr_Data_Get_UINT16_BE(header); flags = header[2]; seq_no = winpr_Data_Get_UINT64_BE((header + 8)); /* Validate header */ if (tok_id != TOK_ID_MIC) return SEC_E_INVALID_TOKEN; if ((flags & FLAG_SENDER_IS_ACCEPTOR) == context->acceptor || flags & FLAG_WRAP_CONFIDENTIAL) return SEC_E_INVALID_TOKEN; if (memcmp(header + 3, cmp_filler, sizeof(cmp_filler)) != 0) return SEC_E_INVALID_TOKEN; if (context->flags & ISC_REQ_SEQUENCE_DETECT && seq_no != context->remote_seq + MessageSeqNo) return SEC_E_OUT_OF_SEQUENCE; /* Find the proper key and usage */ key = get_key(&context->keyset); if (!key || (flags & FLAG_ACCEPTOR_SUBKEY && context->keyset.acceptor_key != key)) return SEC_E_INTERNAL_ERROR; usage = context->acceptor ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN; /* Fill in the iov array lengths */ KRB_CREDENTIALS* creds = context->credentials; iov[0].data.length = data_buffer->cbBuffer; iov[1].data.length = 16; if (krb_log_exec(krb5glue_crypto_length_iov, creds->ctx, key, iov, ARRAYSIZE(iov))) return SEC_E_INTERNAL_ERROR; if (sig_buffer->cbBuffer != iov[2].data.length + 16) return SEC_E_INTERNAL_ERROR; /* Set up the iov array */ iov[0].data.data = data_buffer->pvBuffer; iov[1].data.data = (char*)header; iov[2].data.data = (char*)&header[16]; if (krb_log_exec(krb5glue_verify_checksum_iov, creds->ctx, key, usage, iov, ARRAYSIZE(iov), &is_valid)) return SEC_E_INTERNAL_ERROR; if (!is_valid) return SEC_E_MESSAGE_ALTERED; return SEC_E_OK; #else return SEC_E_UNSUPPORTED_FUNCTION; #endif } const SecurityFunctionTableA KERBEROS_SecurityFunctionTableA = { 3, /* dwVersion */ NULL, /* EnumerateSecurityPackages */ kerberos_QueryCredentialsAttributesA, /* QueryCredentialsAttributes */ kerberos_AcquireCredentialsHandleA, /* AcquireCredentialsHandle */ kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */ NULL, /* Reserved2 */ kerberos_InitializeSecurityContextA, /* InitializeSecurityContext */ kerberos_AcceptSecurityContext, /* AcceptSecurityContext */ NULL, /* CompleteAuthToken */ kerberos_DeleteSecurityContext, /* DeleteSecurityContext */ NULL, /* ApplyControlToken */ kerberos_QueryContextAttributesA, /* QueryContextAttributes */ NULL, /* ImpersonateSecurityContext */ NULL, /* RevertSecurityContext */ kerberos_MakeSignature, /* MakeSignature */ kerberos_VerifySignature, /* VerifySignature */ NULL, /* FreeContextBuffer */ NULL, /* QuerySecurityPackageInfo */ NULL, /* Reserved3 */ NULL, /* Reserved4 */ NULL, /* ExportSecurityContext */ NULL, /* ImportSecurityContext */ NULL, /* AddCredentials */ NULL, /* Reserved8 */ NULL, /* QuerySecurityContextToken */ kerberos_EncryptMessage, /* EncryptMessage */ kerberos_DecryptMessage, /* DecryptMessage */ kerberos_SetContextAttributesA, /* SetContextAttributes */ kerberos_SetCredentialsAttributesA, /* SetCredentialsAttributes */ }; const SecurityFunctionTableW KERBEROS_SecurityFunctionTableW = { 3, /* dwVersion */ NULL, /* EnumerateSecurityPackages */ kerberos_QueryCredentialsAttributesW, /* QueryCredentialsAttributes */ kerberos_AcquireCredentialsHandleW, /* AcquireCredentialsHandle */ kerberos_FreeCredentialsHandle, /* FreeCredentialsHandle */ NULL, /* Reserved2 */ kerberos_InitializeSecurityContextW, /* InitializeSecurityContext */ kerberos_AcceptSecurityContext, /* AcceptSecurityContext */ NULL, /* CompleteAuthToken */ kerberos_DeleteSecurityContext, /* DeleteSecurityContext */ NULL, /* ApplyControlToken */ kerberos_QueryContextAttributesW, /* QueryContextAttributes */ NULL, /* ImpersonateSecurityContext */ NULL, /* RevertSecurityContext */ kerberos_MakeSignature, /* MakeSignature */ kerberos_VerifySignature, /* VerifySignature */ NULL, /* FreeContextBuffer */ NULL, /* QuerySecurityPackageInfo */ NULL, /* Reserved3 */ NULL, /* Reserved4 */ NULL, /* ExportSecurityContext */ NULL, /* ImportSecurityContext */ NULL, /* AddCredentials */ NULL, /* Reserved8 */ NULL, /* QuerySecurityContextToken */ kerberos_EncryptMessage, /* EncryptMessage */ kerberos_DecryptMessage, /* DecryptMessage */ kerberos_SetContextAttributesW, /* SetContextAttributes */ kerberos_SetCredentialsAttributesW, /* SetCredentialsAttributes */ }; BOOL KERBEROS_init(void) { InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Name, KERBEROS_SecPkgInfoW_NameBuffer, ARRAYSIZE(KERBEROS_SecPkgInfoW_NameBuffer)); InitializeConstWCharFromUtf8(KERBEROS_SecPkgInfoA.Comment, KERBEROS_SecPkgInfoW_CommentBuffer, ARRAYSIZE(KERBEROS_SecPkgInfoW_CommentBuffer)); return TRUE; }