HANDLE NetlibInitSecurityProvider(const TCHAR* szProvider, const TCHAR* szPrincipal)
{
HANDLE hSecurity = NULL;
if (mir_tstrcmpi(szProvider, _T("Basic")) == 0) {
NtlmHandleType* hNtlm = (NtlmHandleType*)mir_calloc(sizeof(NtlmHandleType));
hNtlm->szProvider = mir_tstrdup(szProvider);
SecInvalidateHandle(&hNtlm->hClientContext);
SecInvalidateHandle(&hNtlm->hClientCredential);
ntlmCnt++;
return hNtlm;
}
mir_cslock lck(csSec);
PSecPkgInfo ntlmSecurityPackageInfo;
bool isGSSAPI = mir_tstrcmpi(szProvider, _T("GSSAPI")) == 0;
const TCHAR *szProviderC = isGSSAPI ? _T("Kerberos") : szProvider;
SECURITY_STATUS sc = QuerySecurityPackageInfo((LPTSTR)szProviderC, &ntlmSecurityPackageInfo);
if (sc == SEC_E_OK) {
NtlmHandleType* hNtlm;
hSecurity = hNtlm = (NtlmHandleType*)mir_calloc(sizeof(NtlmHandleType));
hNtlm->cbMaxToken = ntlmSecurityPackageInfo->cbMaxToken;
FreeContextBuffer(ntlmSecurityPackageInfo);
hNtlm->szProvider = mir_tstrdup(szProvider);
hNtlm->szPrincipal = mir_tstrdup(szPrincipal ? szPrincipal : _T(""));
SecInvalidateHandle(&hNtlm->hClientContext);
SecInvalidateHandle(&hNtlm->hClientCredential);
ntlmCnt++;
}
return hSecurity;
}
apr_status_t
serf__kerb_create_sec_context(serf__kerb_context_t **ctx_p,
apr_pool_t *scratch_pool,
apr_pool_t *result_pool)
{
SECURITY_STATUS sspi_status;
serf__kerb_context_t *ctx;
ctx = apr_pcalloc(result_pool, sizeof(*ctx));
SecInvalidateHandle(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_credentials);
ctx->initalized = FALSE;
apr_pool_cleanup_register(result_pool, ctx,
cleanup_ctx,
apr_pool_cleanup_null);
sspi_status = AcquireCredentialsHandle(
NULL, "Negotiate", SECPKG_CRED_OUTBOUND,
NULL, NULL, NULL, NULL,
&ctx->sspi_credentials, NULL);
if (FAILED(sspi_status)) {
return map_sspi_status(sspi_status);
}
*ctx_p = ctx;
return APR_SUCCESS;
}
NegotiateAuth::~NegotiateAuth()
{
if (SecIsValidHandle(&m_creds)) {
FreeCredentialHandle(&m_creds);
SecInvalidateHandle(&m_creds);
}
if (SecIsValidHandle(&m_secCtx)) {
FreeCredentialHandle(&m_secCtx);
SecInvalidateHandle(&m_secCtx);
}
}
NegotiateAuth::NegotiateAuth(const std::string &username,
const std::string &password)
: m_username(toUtf16(username)),
m_password(toUtf16(password))
{
SecInvalidateHandle(&m_creds);
SecInvalidateHandle(&m_secCtx);
size_t pos = m_username.find(L'\\');
if (pos != std::wstring::npos) {
m_domain = m_username.substr(0, pos);
m_username = m_username.substr(pos + 1);
}
}
HANDLE NetlibInitSecurityProvider(const TCHAR* szProvider, const TCHAR* szPrincipal)
{
HANDLE hSecurity = NULL;
if (_tcsicmp(szProvider, _T("Basic")) == 0)
{
NtlmHandleType* hNtlm = (NtlmHandleType*)mir_calloc(sizeof(NtlmHandleType));
hNtlm->szProvider = mir_tstrdup(szProvider);
SecInvalidateHandle(&hNtlm->hClientContext);
SecInvalidateHandle(&hNtlm->hClientCredential);
ntlmCnt++;
return hNtlm;
}
WaitForSingleObject(hSecMutex, INFINITE);
if (secCnt == 0 )
{
LoadSecurityLibrary();
secCnt += g_hSecurity != NULL;
}
else secCnt++;
if (g_pSSPI != NULL)
{
PSecPkgInfo ntlmSecurityPackageInfo;
bool isGSSAPI = _tcsicmp(szProvider, _T("GSSAPI")) == 0;
const TCHAR *szProviderC = isGSSAPI ? _T("Kerberos") : szProvider;
SECURITY_STATUS sc = g_pSSPI->QuerySecurityPackageInfo((LPTSTR)szProviderC, &ntlmSecurityPackageInfo);
if (sc == SEC_E_OK)
{
NtlmHandleType* hNtlm;
hSecurity = hNtlm = (NtlmHandleType*)mir_calloc(sizeof(NtlmHandleType));
hNtlm->cbMaxToken = ntlmSecurityPackageInfo->cbMaxToken;
g_pSSPI->FreeContextBuffer(ntlmSecurityPackageInfo);
hNtlm->szProvider = mir_tstrdup(szProvider);
hNtlm->szPrincipal = mir_tstrdup(szPrincipal ? szPrincipal : _T(""));
SecInvalidateHandle(&hNtlm->hClientContext);
SecInvalidateHandle(&hNtlm->hClientCredential);
ntlmCnt++;
}
}
ReleaseMutex(hSecMutex);
return hSecurity;
}
SslCredential::SslCredential() : certStore(0), cert(0)
{
SecInvalidateHandle(&credHandle);
memset(&cred, 0, sizeof(cred));
cred.dwVersion = SCHANNEL_CRED_VERSION;
cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS;
}
int LoadSslModule(void)
{
CreateServiceFunction(MS_SYSTEM_GET_SI, GetSslApi);
g_hSslMutex = CreateMutex(NULL, FALSE, NULL);
SecInvalidateHandle(&hCreds);
return 0;
}
DWORD create_netconn(BOOL useSSL, server_t *server, DWORD security_flags, BOOL mask_errors, DWORD timeout, netconn_t **ret)
{
netconn_t *netconn;
int result;
netconn = heap_alloc_zero(sizeof(*netconn));
if(!netconn)
return ERROR_OUTOFMEMORY;
netconn->socket = -1;
netconn->security_flags = security_flags | server->security_flags;
netconn->mask_errors = mask_errors;
list_init(&netconn->pool_entry);
SecInvalidateHandle(&netconn->ssl_ctx);
result = create_netconn_socket(server, netconn, timeout);
if (result != ERROR_SUCCESS) {
heap_free(netconn);
return result;
}
server_addref(server);
netconn->server = server;
*ret = netconn;
return result;
}
/* Cleans the SSPI context object, when the pool used to create it gets
cleared or destroyed. */
static apr_status_t
cleanup_ctx(void *data)
{
serf__kerb_context_t *ctx = data;
if (SecIsValidHandle(&ctx->sspi_context)) {
DeleteSecurityContext(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_context);
}
if (SecIsValidHandle(&ctx->sspi_credentials)) {
FreeCredentialsHandle(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_context);
}
return APR_SUCCESS;
}
SecHandle* sspi_SecureHandleAlloc(void)
{
SecHandle* handle = (SecHandle*) calloc(1, sizeof(SecHandle));
if (!handle)
return NULL;
SecInvalidateHandle(handle);
return handle;
}
int smpd_create_sspi_client_context(smpd_sspi_client_context_t **new_context)
{
smpd_sspi_client_context_t *context;
smpd_enter_fn(FCNAME);
context = (smpd_sspi_client_context_t *)MPIU_Malloc(sizeof(smpd_sspi_client_context_t));
if (context == NULL)
{
*new_context = NULL;
smpd_exit_fn(FCNAME);
return SMPD_FAIL;
}
context->buffer = NULL;
context->buffer_length = 0;
context->out_buffer = NULL;
context->out_buffer_length = 0;
context->max_buffer_size = 0;
#ifdef HAVE_WINDOWS_H
SecInvalidateHandle(&context->credential);
SecInvalidateHandle(&context->context);
memset(&context->expiration_time, 0, sizeof(TimeStamp));
context->user_handle = INVALID_HANDLE_VALUE;
context->job = INVALID_HANDLE_VALUE;
context->flags = 0;
context->close_handle = SMPD_TRUE;
#endif
/* FIXME: this insertion needs to be thread safe */
if (smpd_process.sspi_context_list == NULL)
{
context->id = 0;
}
else
{
context->id = smpd_process.sspi_context_list->id + 1;
}
context->next = smpd_process.sspi_context_list;
smpd_process.sspi_context_list = context;
*new_context = context;
smpd_exit_fn(FCNAME);
return SMPD_SUCCESS;
}
RPC_STATUS RPCRT4_CloseConnection(RpcConnection* Connection)
{
TRACE("(Connection == ^%p)\n", Connection);
if (SecIsValidHandle(&Connection->ctx))
{
DeleteSecurityContext(&Connection->ctx);
SecInvalidateHandle(&Connection->ctx);
}
rpcrt4_conn_close(Connection);
return RPC_S_OK;
}
apr_status_t
serf__spnego_create_sec_context(serf__spnego_context_t **ctx_p,
const serf__authn_scheme_t *scheme,
apr_pool_t *result_pool,
apr_pool_t *scratch_pool)
{
SECURITY_STATUS sspi_status;
serf__spnego_context_t *ctx;
const char *sspi_package;
ctx = apr_pcalloc(result_pool, sizeof(*ctx));
SecInvalidateHandle(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_credentials);
ctx->initalized = FALSE;
ctx->pool = result_pool;
ctx->target_name = NULL;
ctx->authn_type = scheme->type;
apr_pool_cleanup_register(result_pool, ctx,
cleanup_ctx,
apr_pool_cleanup_null);
if (ctx->authn_type == SERF_AUTHN_NEGOTIATE)
sspi_package = "Negotiate";
else
sspi_package = "NTLM";
sspi_status = AcquireCredentialsHandle(
NULL, sspi_package, SECPKG_CRED_OUTBOUND,
NULL, NULL, NULL, NULL,
&ctx->sspi_credentials, NULL);
if (FAILED(sspi_status)) {
return map_sspi_status(sspi_status);
}
*ctx_p = ctx;
return APR_SUCCESS;
}
ZStreamRWCon_SSL_Win::ZStreamRWCon_SSL_Win(const ZStreamR& iStreamR, const ZStreamW& iStreamW)
: fStreamR(iStreamR)
, fStreamW(iStreamW)
, fSendOpen(true)
, fReceiveOpen(true)
{
bool iVerify = false;
bool iCheckName = false;
SecInvalidateHandle(&fCredHandle);
SecInvalidateHandle(&fCtxtHandle);
if (not spAcquireCredentials(iVerify, iCheckName, fCredHandle))
throw runtime_error("ZStreamRWCon_SSL_Win, couldn't acquire credentials");
if (not this->pConnect())
{
spPSFT->FreeCredentialsHandle(&fCredHandle);
throw runtime_error("ZStreamRWCon_SSL_Win, couldn't handshake");
}
}
rdpCredssp* credssp_new(freerdp* instance, rdpTransport* transport, rdpSettings* settings)
{
rdpCredssp* credssp;
credssp = (rdpCredssp*) malloc(sizeof(rdpCredssp));
ZeroMemory(credssp, sizeof(rdpCredssp));
if (credssp != NULL)
{
HKEY hKey;
LONG status;
DWORD dwType;
DWORD dwSize;
credssp->instance = instance;
credssp->settings = settings;
credssp->server = settings->ServerMode;
credssp->transport = transport;
credssp->send_seq_num = 0;
credssp->recv_seq_num = 0;
ZeroMemory(&credssp->negoToken, sizeof(SecBuffer));
ZeroMemory(&credssp->pubKeyAuth, sizeof(SecBuffer));
ZeroMemory(&credssp->authInfo, sizeof(SecBuffer));
SecInvalidateHandle(&credssp->context);
if (credssp->server)
{
status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("Software\\FreeRDP\\Server"),
0, KEY_READ | KEY_WOW64_64KEY, &hKey);
if (status == ERROR_SUCCESS)
{
status = RegQueryValueEx(hKey, _T("SspiModule"), NULL, &dwType, NULL, &dwSize);
if (status == ERROR_SUCCESS)
{
credssp->SspiModule = (LPTSTR) malloc(dwSize + sizeof(TCHAR));
status = RegQueryValueEx(hKey, _T("SspiModule"), NULL, &dwType,
(BYTE*) credssp->SspiModule, &dwSize);
if (status == ERROR_SUCCESS)
{
_tprintf(_T("Using SSPI Module: %s\n"), credssp->SspiModule);
RegCloseKey(hKey);
}
}
}
}
}
return credssp;
}
apr_status_t
serf__kerb_reset_sec_context(serf__kerb_context_t *ctx)
{
if (SecIsValidHandle(&ctx->sspi_context)) {
DeleteSecurityContext(&ctx->sspi_context);
SecInvalidateHandle(&ctx->sspi_context);
}
ctx->initalized = FALSE;
return APR_SUCCESS;
}
static bool ClientConnect(SslHandle *ssl, const char *host)
{
if (SecIsValidHandle(&ssl->hContext)) {
g_pSSPI->DeleteSecurityContext(&ssl->hContext);
SecInvalidateHandle(&ssl->hContext);
}
if (MySslEmptyCache) MySslEmptyCache();
DWORD dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_EXTENDED_ERROR |
ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_STREAM;
// Initiate a ClientHello message and generate a token.
SecBuffer OutBuffers[1];
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;
SecBufferDesc OutBuffer;
OutBuffer.cBuffers = _countof(OutBuffers);
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
TimeStamp tsExpiry;
DWORD dwSSPIOutFlags;
SECURITY_STATUS scRet = g_pSSPI->InitializeSecurityContext(&hCreds, NULL, _A2T(host), dwSSPIFlags, 0, 0, NULL, 0,
&ssl->hContext, &OutBuffer, &dwSSPIOutFlags, &tsExpiry);
if (scRet != SEC_I_CONTINUE_NEEDED) {
ReportSslError(scRet, __LINE__);
return 0;
}
// Send response to server if there is one.
if (OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL) {
DWORD cbData = send(ssl->s, (char*)OutBuffers[0].pvBuffer, OutBuffers[0].cbBuffer, 0);
if (cbData == SOCKET_ERROR || cbData == 0) {
Netlib_Logf(NULL, "SSL failure sending connection data (%d %d)", ssl->s, WSAGetLastError());
g_pSSPI->FreeContextBuffer(OutBuffers[0].pvBuffer);
return 0;
}
// Free output buffer.
g_pSSPI->FreeContextBuffer(OutBuffers[0].pvBuffer);
OutBuffers[0].pvBuffer = NULL;
}
return ClientHandshakeLoop(ssl, TRUE) == SEC_E_OK;
}
NEGOTIATE_CONTEXT* negotiate_ContextNew()
{
NEGOTIATE_CONTEXT* context;
context = (NEGOTIATE_CONTEXT*) calloc(1, sizeof(NEGOTIATE_CONTEXT));
if (!context)
return NULL;
context->NegotiateFlags = 0;
context->state = NEGOTIATE_STATE_INITIAL;
SecInvalidateHandle(&(context->SubContext));
negotiate_SetSubPackage(context, (const char*) KERBEROS_SSP_NAME);
return context;
}
RPC_STATUS RPCRT4_CreateConnection(RpcConnection** Connection, BOOL server,
LPCSTR Protseq, LPCSTR NetworkAddr, LPCSTR Endpoint,
LPCWSTR NetworkOptions, RpcAuthInfo* AuthInfo, RpcQualityOfService *QOS)
{
const struct connection_ops *ops;
RpcConnection* NewConnection;
ops = rpcrt4_get_conn_protseq_ops(Protseq);
if (!ops)
{
FIXME("not supported for protseq %s\n", Protseq);
return RPC_S_PROTSEQ_NOT_SUPPORTED;
}
NewConnection = ops->alloc();
NewConnection->Next = NULL;
NewConnection->server_binding = NULL;
NewConnection->server = server;
NewConnection->ops = ops;
NewConnection->NetworkAddr = RPCRT4_strdupA(NetworkAddr);
NewConnection->Endpoint = RPCRT4_strdupA(Endpoint);
NewConnection->NetworkOptions = RPCRT4_strdupW(NetworkOptions);
NewConnection->MaxTransmissionSize = RPC_MAX_PACKET_SIZE;
memset(&NewConnection->ActiveInterface, 0, sizeof(NewConnection->ActiveInterface));
NewConnection->NextCallId = 1;
SecInvalidateHandle(&NewConnection->ctx);
memset(&NewConnection->exp, 0, sizeof(NewConnection->exp));
NewConnection->attr = 0;
if (AuthInfo) RpcAuthInfo_AddRef(AuthInfo);
NewConnection->AuthInfo = AuthInfo;
NewConnection->encryption_auth_len = 0;
NewConnection->signature_auth_len = 0;
if (QOS) RpcQualityOfService_AddRef(QOS);
NewConnection->QOS = QOS;
list_init(&NewConnection->conn_pool_entry);
NewConnection->async_state = NULL;
TRACE("connection: %p\n", NewConnection);
*Connection = NewConnection;
return RPC_S_OK;
}
NEGOTIATE_CONTEXT* negotiate_ContextNew()
{
NEGOTIATE_CONTEXT* context;
context = (NEGOTIATE_CONTEXT*) calloc(1, sizeof(NEGOTIATE_CONTEXT));
if (!context)
return NULL;
context->NegotiateFlags = 0;
context->state = NEGOTIATE_STATE_INITIAL;
SecInvalidateHandle(&(context->SubContext));
context->sspiA = (SecurityFunctionTableA*) &NTLM_SecurityFunctionTableA;
context->sspiW = (SecurityFunctionTableW*) &NTLM_SecurityFunctionTableW;
return context;
}
SslHandle* NetlibSslConnect(SOCKET s, const char* host, int verify)
{
SslHandle *ssl = (SslHandle*)mir_calloc(sizeof(SslHandle));
ssl->s = s;
SecInvalidateHandle(&ssl->hContext);
DWORD dwFlags = 0;
if (!host || inet_addr(host) != INADDR_NONE)
dwFlags |= 0x00001000;
bool res = SSL_library_init();
if (res) res = ClientConnect(ssl, host);
if (res && verify) res = VerifyCertificate(ssl, host, dwFlags);
if (!res) {
NetlibSslFree(ssl);
ssl = NULL;
}
return ssl;
}
rdpNla* nla_new(freerdp* instance, rdpTransport* transport, rdpSettings* settings)
{
rdpNla* nla = (rdpNla*) calloc(1, sizeof(rdpNla));
if (!nla)
return NULL;
nla->identity = calloc(1, sizeof(SEC_WINNT_AUTH_IDENTITY));
if (!nla->identity)
{
free (nla);
return NULL;
}
nla->instance = instance;
nla->settings = settings;
nla->server = settings->ServerMode;
nla->transport = transport;
nla->sendSeqNum = 0;
nla->recvSeqNum = 0;
nla->version = 3;
ZeroMemory(&nla->negoToken, sizeof(SecBuffer));
ZeroMemory(&nla->pubKeyAuth, sizeof(SecBuffer));
ZeroMemory(&nla->authInfo, sizeof(SecBuffer));
SecInvalidateHandle(&nla->context);
if (nla->server)
{
LONG status;
HKEY hKey;
DWORD dwType;
DWORD dwSize;
status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, SERVER_KEY,
0, KEY_READ | KEY_WOW64_64KEY, &hKey);
if (status != ERROR_SUCCESS)
return nla;
status = RegQueryValueEx(hKey, _T("SspiModule"), NULL, &dwType, NULL, &dwSize);
if (status != ERROR_SUCCESS)
{
RegCloseKey(hKey);
return nla;
}
nla->SspiModule = (LPTSTR) malloc(dwSize + sizeof(TCHAR));
if (!nla->SspiModule)
{
RegCloseKey(hKey);
free(nla);
return NULL;
}
status = RegQueryValueEx(hKey, _T("SspiModule"), NULL, &dwType,
(BYTE*) nla->SspiModule, &dwSize);
if (status == ERROR_SUCCESS)
WLog_INFO(TAG, "Using SSPI Module: %s", nla->SspiModule);
RegCloseKey(hKey);
}
return nla;
}
SecurityContext()
{
SecInvalidateHandle(&contextHandle_);
}