From 47aaaf46930a98a3f3560d8a46723ae75a051336 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Thu, 13 Oct 2022 09:16:27 -0400
Subject: [PATCH] Fix CredSSP extended credential attributes on Windows (SECPKG_CRED_ATTR_KDC_URL)

---
 libfreerdp/core/credssp_auth.c | 57 +++++++++++++++++++++++++++-------
 1 file changed, 45 insertions(+), 12 deletions(-)

diff --git a/libfreerdp/core/credssp_auth.c b/libfreerdp/core/credssp_auth.c
index b05a11fba..27c2c7e1a 100644
--- a/libfreerdp/core/credssp_auth.c
+++ b/libfreerdp/core/credssp_auth.c
@@ -151,6 +151,48 @@ BOOL credssp_auth_setup_auth_data(rdpCredsspAuth* auth, const SEC_WINNT_AUTH_IDE
 return TRUE;
 }
 
+static BOOL credssp_auth_client_init_cred_attributes(rdpCredsspAuth* auth)
+{
+ SECURITY_STATUS status;
+
+ WINPR_ASSERT(auth);
+
+ if (auth->kerberosSettings.kdcUrl)
+ {
+#ifdef UNICODE
+ SecPkgCredentials_KdcUrlW secAttr = { NULL };
+ ConvertToUnicode(CP_UTF8, 0, auth->kerberosSettings.kdcUrl, -1, &secAttr.KdcUrl, 0);
+
+ if (!secAttr.KdcUrl)
+ return FALSE;
+
+ if (auth->table->SetCredentialsAttributesW)
+ status = auth->table->SetCredentialsAttributesW(
+ &auth->credentials, SECPKG_CRED_ATTR_KDC_URL, (void*)&secAttr, sizeof(secAttr));
+ else
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+
+ free(secAttr.KdcUrl);
+#else
+ SecPkgCredentials_KdcUrlA secAttr = { NULL };
+ secAttr.KdcUrl = auth->kerberosSettings.kdcUrl;
+
+ if (auth->table->SetCredentialsAttributesA)
+ status = auth->table->SetCredentialsAttributesA(
+ &auth->credentials, SECPKG_CRED_ATTR_KDC_URL, (void*)&secAttr, sizeof(secAttr));
+ else
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+#endif
+ if (status != SEC_E_OK)
+ {
+ WLog_WARN(TAG, "Explicit Kerberos KDC URL (%s) injection is not supported",
+ auth->kerberosSettings.kdcUrl);
+ }
+ }
+
+ return TRUE;
+}
+
 BOOL credssp_auth_setup_client(rdpCredsspAuth* auth, const char* target_service,
 const char* target_hostname, const SEC_WINNT_AUTH_IDENTITY* identity,
 const char* pkinit)
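Review bot: When `SetCredentialsAttributesW`/`A` is absent or returns anything other than `SEC_E_OK`, credssp_auth_client_init_cred_attributes only warns and returns TRUE, so authentication continues without the KDC URL the user explicitly configured. The warning also labels every failure as "not supported" and drops `status`, so a log reader cannot tell `SEC_E_UNSUPPORTED_FUNCTION` from a provider that rejected the value; adding the status value to the message would fix that. If continuing is intended, say so above the `if (status != SEC_E_OK)` block, e.g. `/* Best effort: a rejected KDC URL is logged and authentication continues without it. */`. The only FALSE path is the UNICODE conversion failure, which returns without logging its cause.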
@@ -195,19 +237,10 @@ BOOL credssp_auth_setup_client(rdpCredsspAuth* auth, const char* target_service,
 return FALSE;
 }
 
- if (auth->kerberosSettings.kdcUrl)
+ if (!credssp_auth_client_init_cred_attributes(auth))
 {
- SecPkgCredentials_KdcUrlA attr = { auth->kerberosSettings.kdcUrl };
-
- if (auth->table->SetCredentialsAttributes)
- status = auth->table->SetCredentialsAttributes(
- &auth->credentials, SECPKG_CRED_ATTR_KDC_URL, &attr, sizeof(attr));
- else
- status = SEC_E_UNSUPPORTED_FUNCTION;
-
- if (status != SEC_E_OK)
- WLog_WARN(TAG, "Explicit Kerberos KDC URL (%s) injection is not supported",
- attr.KdcUrl);
+ WLog_ERR(TAG, "Fatal error setting credential attributes");
+ return FALSE;
 }
 
 auth->state = AUTH_STATE_CREDS;
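Review bot: The new `return FALSE;` is an exit that the removed code did not have, and it fires at a point where `auth->credentials` has presumably already been acquired, since the helper passes it to `SetCredentialsAttributes`. credssp_auth_setup_client starts and ends outside this hunk, so confirm that the caller's teardown path releases that handle when setup fails here. The message "Fatal error setting credential attributes" is also misleading: per the helper, a rejected attribute is non-fatal and only the KDC URL string conversion can get here. A comment such as `/* fails only when the KDC URL cannot be converted; a rejected attribute is logged and ignored */` above the call would make that clear.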