From: Armin Novak Date: Tue, 16 Jan 2018 09:58:30 +0000 (+0100) Subject: Refactored kerberos SSPI X-Git-Tag: 2.0.0-rc2~87^2~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1611ec16b16932a2d08e200105de55a599a2bcc7;p=platform%2Fupstream%2Ffreerdp.git Refactored kerberos SSPI * Functions static where approrpriate * Variables static const where appropriate --- diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.c b/winpr/libwinpr/sspi/Kerberos/kerberos.c index 5de991f..93f1937 100644 --- a/winpr/libwinpr/sspi/Kerberos/kerberos.c +++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c @@ -18,6 +18,10 @@ * limitations under the License. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include #include #include @@ -40,12 +44,56 @@ #include "../../log.h" #define TAG WINPR_TAG("sspi.Kerberos") -char* KRB_PACKAGE_NAME = "Kerberos"; +struct _KRB_CONTEXT +{ + CtxtHandle context; + SSPI_CREDENTIALS* credentials; + SEC_WINNT_AUTH_IDENTITY identity; + + /* GSSAPI */ + UINT32 major_status; + UINT32 minor_status; + UINT32 actual_time; + sspi_gss_cred_id_t cred; + sspi_gss_ctx_id_t gss_ctx; + sspi_gss_name_t target_name; +}; + +static const char* KRB_PACKAGE_NAME = "Kerberos"; + +const SecPkgInfoA KERBEROS_SecPkgInfoA = +{ + 0x000F3BBF, /* fCapabilities */ + 1, /* wVersion */ + 0x0010, /* wRPCID */ + 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ + "Kerberos", /* Name */ + "Kerberos Security Package" /* Comment */ +}; + +static const WCHAR KERBEROS_SecPkgInfoW_Name[] = { 'K', 'e', 'r', 'b', 'e', 'r', 'o', 's', '\0' }; + +static const WCHAR KERBEROS_SecPkgInfoW_Comment[] = +{ + 'K', 'e', 'r', 'b', 'e', 'r', 'o', 's', ' ', + 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', ' ', + 'P', 'a', 'c', 'k', 'a', 'g', 'e', '\0' +}; + +const SecPkgInfoW KERBEROS_SecPkgInfoW = +{ + 0x000F3BBF, /* fCapabilities */ + 1, /* wVersion */ + 0x0010, /* wRPCID */ + 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ + KERBEROS_SecPkgInfoW_Name, /* Name */ + KERBEROS_SecPkgInfoW_Comment /* Comment */ +}; static sspi_gss_OID_desc g_SSPI_GSS_C_SPNEGO_KRB5 = { 9, (void*) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; -sspi_gss_OID SSPI_GSS_C_SPNEGO_KRB5 = &g_SSPI_GSS_C_SPNEGO_KRB5; +static sspi_gss_OID SSPI_GSS_C_SPNEGO_KRB5 = &g_SSPI_GSS_C_SPNEGO_KRB5; -KRB_CONTEXT* kerberos_ContextNew() +static KRB_CONTEXT* kerberos_ContextNew(void) { KRB_CONTEXT* context; context = (KRB_CONTEXT*) calloc(1, sizeof(KRB_CONTEXT)); @@ -60,7 +108,7 @@ KRB_CONTEXT* kerberos_ContextNew() return context; } -void kerberos_ContextFree(KRB_CONTEXT* context) +static void kerberos_ContextFree(KRB_CONTEXT* context) { UINT32 minor_status; @@ -82,7 +130,7 @@ void kerberos_ContextFree(KRB_CONTEXT* context) free(context); } -SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, +static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, @@ -91,7 +139,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleW(SEC_WCHAR* pszPrinc return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, +static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, @@ -100,7 +148,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(SEC_CHAR* pszPrinci return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential) +static SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredential) { SSPI_CREDENTIALS* credentials; @@ -116,7 +164,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_FreeCredentialsHandle(PCredHandle phCredentia return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(PCredHandle phCredential, +static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) { if (ulAttribute == SECPKG_CRED_ATTR_NAMES) @@ -127,13 +175,13 @@ SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesW(PCredHandle phCre return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential, +static SECURITY_STATUS SEC_ENTRY kerberos_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer) { return kerberos_QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer); } -SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(PCredHandle phCredential, +static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext, SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, @@ -143,7 +191,8 @@ SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextW(PCredHandle phCred return SEC_E_UNSUPPORTED_FUNCTION; } -int kerberos_SetContextServicePrincipalNameA(KRB_CONTEXT* context, SEC_CHAR* ServicePrincipalName) +static int kerberos_SetContextServicePrincipalNameA(KRB_CONTEXT* context, + SEC_CHAR* ServicePrincipalName) { char* p; UINT32 major_status; @@ -184,7 +233,7 @@ int kerberos_SetContextServicePrincipalNameA(KRB_CONTEXT* context, SEC_CHAR* Ser } #ifdef WITH_GSSAPI -krb5_error_code KRB5_CALLCONV +static krb5_error_code KRB5_CALLCONV acquire_cred(krb5_context ctx, krb5_principal client, const char* password) { krb5_error_code ret; @@ -218,14 +267,15 @@ acquire_cred(krb5_context ctx, krb5_principal client, const char* password) /* Set default options */ krb5_get_init_creds_opt_set_forwardable(options, 0); krb5_get_init_creds_opt_set_proxiable(options, 0); - #ifdef WITH_GSSAPI_MIT + /* for MIT we specify ccache output using an option */ if ((ret = krb5_get_init_creds_opt_set_out_ccache(ctx, options, ccache))) { WLog_ERR(TAG, "error while setting ccache output"); goto cleanup; } + #endif if ((ret = krb5_init_creds_init(ctx, client, NULL, NULL, starttime, options, &init_ctx))) @@ -255,23 +305,25 @@ acquire_cred(krb5_context ctx, krb5_principal client, const char* password) } #ifdef WITH_GSSAPI_HEIMDAL + /* For Heimdal, we use this function to store credentials */ if ((ret = krb5_init_creds_store(ctx, init_ctx, ccache))) { WLog_ERR(TAG, "error while storing credentials"); goto cleanup; } -#endif +#endif cleanup: krb5_free_cred_contents(ctx, &creds); - #ifdef HAVE_AT_LEAST_KRB_V1_13 + /* MIT Kerberos version 1.13 at minimum. * For releases 1.12 and previous, krb5_get_init_creds_opt structure * is freed in krb5_init_creds_free() */ if (options) krb5_get_init_creds_opt_free(ctx, options); + #endif if (init_ctx) @@ -283,7 +335,7 @@ cleanup: return ret; } -int init_creds(LPCWSTR username, size_t username_len, LPCWSTR password, size_t password_len) +static int init_creds(LPCWSTR username, size_t username_len, LPCWSTR password, size_t password_len) { krb5_error_code ret = 0; krb5_context ctx = NULL; @@ -393,7 +445,7 @@ cleanup: } #endif -SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle phCredential, +static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, @@ -540,7 +592,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle phCred return SEC_E_INTERNAL_ERROR; } -SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext) +static SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext) { KRB_CONTEXT* context; context = (KRB_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext); @@ -552,13 +604,15 @@ SECURITY_STATUS SEC_ENTRY kerberos_DeleteSecurityContext(PCtxtHandle phContext) return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, +static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesW(PCtxtHandle phContext, + ULONG ulAttribute, void* pBuffer) { return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, +static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext, + ULONG ulAttribute, void* pBuffer) { if (!phContext) @@ -584,7 +638,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle phContext return SEC_E_UNSUPPORTED_FUNCTION; } -SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, +static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) { int index; @@ -629,7 +683,7 @@ SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext, ULONG f return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, +static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, ULONG* pfQOP) { int index; @@ -675,13 +729,13 @@ SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext, return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, +static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) { return SEC_E_OK; } -SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext, +static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, ULONG* pfQOP) { return SEC_E_OK; diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.h b/winpr/libwinpr/sspi/Kerberos/kerberos.h index a974aff..504c8df 100644 --- a/winpr/libwinpr/sspi/Kerberos/kerberos.h +++ b/winpr/libwinpr/sspi/Kerberos/kerberos.h @@ -32,52 +32,6 @@ #include #endif -struct _KRB_CONTEXT -{ - CtxtHandle context; - SSPI_CREDENTIALS* credentials; - SEC_WINNT_AUTH_IDENTITY identity; - - /* GSSAPI */ - UINT32 major_status; - UINT32 minor_status; - UINT32 actual_time; - sspi_gss_cred_id_t cred; - sspi_gss_ctx_id_t gss_ctx; - sspi_gss_name_t target_name; -}; typedef struct _KRB_CONTEXT KRB_CONTEXT; -const SecPkgInfoA KERBEROS_SecPkgInfoA = -{ - 0x000F3BBF, /* fCapabilities */ - 1, /* wVersion */ - 0x0010, /* wRPCID */ - 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ - "Kerberos", /* Name */ - "Kerberos Security Package" /* Comment */ -}; - -WCHAR KERBEROS_SecPkgInfoW_Name[] = { 'K', 'e', 'r', 'b', 'e', 'r', 'o', 's', '\0' }; - -WCHAR KERBEROS_SecPkgInfoW_Comment[] = -{ - 'K', 'e', 'r', 'b', 'e', 'r', 'o', 's', ' ', - 'S', 'e', 'c', 'u', 'r', 'i', 't', 'y', ' ', - 'P', 'a', 'c', 'k', 'a', 'g', 'e', '\0' -}; - -const SecPkgInfoW KERBEROS_SecPkgInfoW = -{ - 0x000F3BBF, /* fCapabilities */ - 1, /* wVersion */ - 0x0010, /* wRPCID */ - 0x0000BB80, /* cbMaxToken : 48k bytes maximum for Windows Server 2012 */ - KERBEROS_SecPkgInfoW_Name, /* Name */ - KERBEROS_SecPkgInfoW_Comment /* Comment */ -}; - - -void krb_ContextFree(KRB_CONTEXT* context); - #endif /* FREERDP_SSPI_KERBEROS_PRIVATE_H */