/*

 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

/*

 * ===========================================================================

 * (C) Copyright IBM Corp. 2000 All Rights Reserved.

 * ===========================================================================

 */

#define UNICODE

#define _UNICODE

#include <windows.h>

#include <stdio.h>

#include <string.h>

#define SECURITY_WIN32

#include <security.h>

#include <ntsecapi.h>

#include <dsgetdc.h>

#include <lmcons.h>

#include <lmapibuf.h>

#include <jni.h>

#include "jni_util.h"

#include <winsock.h>

#include "sun_security_krb5_Credentials.h"

#undef LSA_SUCCESS

#define LSA_SUCCESS(Status) ((Status) >= 0)

#define EXIT_FAILURE -1 // mdu

/*

 * Library-wide static references

 */

jclass ticketClass = NULL;

jclass principalNameClass = NULL;

jclass encryptionKeyClass = NULL;

jclass ticketFlagsClass = NULL;

jclass kerberosTimeClass = NULL;

jclass javaLangStringClass = NULL;

jmethodID ticketConstructor = 0;

jmethodID principalNameConstructor = 0;

jmethodID encryptionKeyConstructor = 0;

jmethodID ticketFlagsConstructor = 0;

jmethodID kerberosTimeConstructor = 0;

jmethodID krbcredsConstructor = 0;

/*

 * Function prototypes for internal routines

 *

 */

BOOL native_debug = 0;

BOOL PackageConnectLookup(PHANDLE,PULONG);

NTSTATUS ConstructTicketRequest(JNIEnv *env,

                                UNICODE_STRING DomainName,

                                PKERB_RETRIEVE_TKT_REQUEST *outRequest,

                                ULONG *outSize);

DWORD ConcatenateUnicodeStrings(UNICODE_STRING *pTarget,

                                UNICODE_STRING Source1,

                                UNICODE_STRING Source2);

VOID ShowNTError(LPSTR,NTSTATUS);

VOID

InitUnicodeString(

    PUNICODE_STRING DestinationString,

    PCWSTR SourceString OPTIONAL

);

jobject BuildTicket(JNIEnv *env, PUCHAR encodedTicket, ULONG encodedTicketSize);

//mdu

jobject BuildPrincipal(JNIEnv *env, PKERB_EXTERNAL_NAME principalName,

                                UNICODE_STRING domainName);

jobject BuildEncryptionKey(JNIEnv *env, PKERB_CRYPTO_KEY cryptoKey);

jobject BuildTicketFlags(JNIEnv *env, PULONG flags);

jobject BuildKerberosTime(JNIEnv *env, PLARGE_INTEGER kerbtime);

void ThrowOOME(JNIEnv *env, const char *szMessage);

/*

 * Class:     sun_security_krb5_KrbCreds

 * Method:    JNI_OnLoad

 */

JNIEXPORT jint JNICALL DEF_JNI_OnLoad(

        JavaVM  *jvm,

        void    *reserved) {

    jclass cls;

    JNIEnv *env;

    jfieldID fldDEBUG;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) {

        return JNI_EVERSION; /* JNI version not supported */

    }

    cls = (*env)->FindClass(env,"sun/security/krb5/internal/Krb5");

    if (cls == NULL) {

        printf("LSA: Couldn't find Krb5\n");

        return JNI_ERR;

    }

    fldDEBUG = (*env)->GetStaticFieldID(env, cls, "DEBUG", "Z");

    if (fldDEBUG == NULL) {

        printf("LSA: Krb5 has no DEBUG field\n");

        return JNI_ERR;

    }

    native_debug = (*env)->GetStaticBooleanField(env, cls, fldDEBUG);

    cls = (*env)->FindClass(env,"sun/security/krb5/internal/Ticket");

    if (cls == NULL) {

        printf("LSA: Couldn't find Ticket\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found Ticket\n");

    }

    ticketClass = (*env)->NewWeakGlobalRef(env,cls);

    if (ticketClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    cls = (*env)->FindClass(env, "sun/security/krb5/PrincipalName");

    if (cls == NULL) {

        printf("LSA: Couldn't find PrincipalName\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found PrincipalName\n");

    }

    principalNameClass = (*env)->NewWeakGlobalRef(env,cls);

    if (principalNameClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    cls = (*env)->FindClass(env,"sun/security/krb5/EncryptionKey");

    if (cls == NULL) {

        printf("LSA: Couldn't find EncryptionKey\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found EncryptionKey\n");

    }

    encryptionKeyClass = (*env)->NewWeakGlobalRef(env,cls);

    if (encryptionKeyClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    cls = (*env)->FindClass(env,"sun/security/krb5/internal/TicketFlags");

    if (cls == NULL) {

        printf("LSA: Couldn't find TicketFlags\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found TicketFlags\n");

    }

    ticketFlagsClass = (*env)->NewWeakGlobalRef(env,cls);

    if (ticketFlagsClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    cls = (*env)->FindClass(env,"sun/security/krb5/internal/KerberosTime");

    if (cls == NULL) {

        printf("LSA: Couldn't find KerberosTime\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found KerberosTime\n");

    }

    kerberosTimeClass = (*env)->NewWeakGlobalRef(env,cls);

    if (kerberosTimeClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    cls = (*env)->FindClass(env,"java/lang/String");

    if (cls == NULL) {

        printf("LSA: Couldn't find String\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found String\n");

    }

    javaLangStringClass = (*env)->NewWeakGlobalRef(env,cls);

    if (javaLangStringClass == NULL) {

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Made NewWeakGlobalRef\n");

    }

    ticketConstructor = (*env)->GetMethodID(env, ticketClass,

    if (ticketConstructor == 0) {

        printf("LSA: Couldn't find Ticket constructor\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found Ticket constructor\n");

    }

    principalNameConstructor = (*env)->GetMethodID(env, principalNameClass,

                        "<init>", "([Ljava/lang/String;Ljava/lang/String;)V");

    if (principalNameConstructor == 0) {

        printf("LSA: Couldn't find PrincipalName constructor\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found PrincipalName constructor\n");

    }

    encryptionKeyConstructor = (*env)->GetMethodID(env, encryptionKeyClass,

                                            "<init>", "(I[B)V");

    if (encryptionKeyConstructor == 0) {

        printf("LSA: Couldn't find EncryptionKey constructor\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found EncryptionKey constructor\n");

    }

    ticketFlagsConstructor = (*env)->GetMethodID(env, ticketFlagsClass,

                                            "<init>", "(I[B)V");

    if (ticketFlagsConstructor == 0) {

        printf("LSA: Couldn't find TicketFlags constructor\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found TicketFlags constructor\n");

    }

    kerberosTimeConstructor = (*env)->GetMethodID(env, kerberosTimeClass,

                                    "<init>", "(Ljava/lang/String;)V");

    if (kerberosTimeConstructor == 0) {

        printf("LSA: Couldn't find KerberosTime constructor\n");

        return JNI_ERR;

    }

    if (native_debug) {

        printf("LSA: Found KerberosTime constructor\n");

    }

    if (native_debug) {

        printf("LSA: Finished OnLoad processing\n");

    }

    return JNI_VERSION_1_2;

}

/*

 * Class:     sun_security_jgss_KrbCreds

 * Method:    JNI_OnUnload

 */

JNIEXPORT void JNICALL DEF_JNI_OnUnload(

        JavaVM  *jvm,

        void    *reserved) {

    JNIEnv *env;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) {

        return; /* Nothing else we can do */

    }

    if (ticketClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,ticketClass);

    }

    if (principalNameClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,principalNameClass);

    }

    if (encryptionKeyClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,encryptionKeyClass);

    }

    if (ticketFlagsClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,ticketFlagsClass);

    }

    if (kerberosTimeClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,kerberosTimeClass);

    }

    if (javaLangStringClass != NULL) {

        (*env)->DeleteWeakGlobalRef(env,javaLangStringClass);

    }

    return;

}

/*

 * Class:     sun_security_krb5_Credentials

 * Method:    acquireDefaultNativeCreds

 * Signature: ([I])Lsun/security/krb5/Credentials;

 */

JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds(

        JNIEnv *env,

        jclass krbcredsClass,

        jintArray jetypes) {

    KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;

    PKERB_RETRIEVE_TKT_RESPONSE TktCacheResponse = NULL;

    PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;

    PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;

    NTSTATUS Status, SubStatus;

    ULONG requestSize = 0;

    ULONG responseSize = 0;

    ULONG rspSize = 0;

    HANDLE LogonHandle = NULL;

    ULONG PackageId;

    jobject ticket, clientPrincipal, targetPrincipal, encryptionKey;

    jobject ticketFlags, startTime, endTime, krbCreds = NULL;

    jobject authTime, renewTillTime, hostAddresses = NULL;

    KERB_EXTERNAL_TICKET *msticket;

    int found = 0;

    FILETIME Now, EndTime;

    int i, netypes;

    jint *etypes = NULL;

    while (TRUE) {

        if (krbcredsConstructor == 0) {

            krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",

                    "(Lsun/security/krb5/internal/Ticket;"

                    "Lsun/security/krb5/PrincipalName;"

                    "Lsun/security/krb5/PrincipalName;"

                    "Lsun/security/krb5/PrincipalName;"

                    "Lsun/security/krb5/PrincipalName;"

                    "Lsun/security/krb5/EncryptionKey;"

                    "Lsun/security/krb5/internal/TicketFlags;"

                    "Lsun/security/krb5/internal/KerberosTime;"

                    "Lsun/security/krb5/internal/KerberosTime;"

                    "Lsun/security/krb5/internal/KerberosTime;"

                    "Lsun/security/krb5/internal/KerberosTime;"

                    "Lsun/security/krb5/internal/HostAddresses;)V");

            if (krbcredsConstructor == 0) {

                printf("LSA: Couldn't find sun.security.krb5.Credentials constructor\n");

                break;

            }

        }

        if (native_debug) {

            printf("LSA: Found KrbCreds constructor\n");

        }

        //

        // Get the logon handle and package ID from the

        // Kerberos package

        //

        if (!PackageConnectLookup(&LogonHandle, &PackageId))

            break;

        if (native_debug) {

            printf("LSA: Got handle to Kerberos package\n");

        }

        // Get the MS TGT from cache

        CacheRequest.MessageType = KerbRetrieveTicketMessage;

        CacheRequest.LogonId.LowPart = 0;

        CacheRequest.LogonId.HighPart = 0;

        Status = LsaCallAuthenticationPackage(

                        LogonHandle,

                        PackageId,

                        &CacheRequest,

                        sizeof(CacheRequest),

                        &TktCacheResponse,

                        &rspSize,

                        &SubStatus

                        );

        if (native_debug) {

            printf("LSA: Response size is %d\n", rspSize);

        }

        if (!LSA_SUCCESS(Status) || !LSA_SUCCESS(SubStatus)) {

            if (!LSA_SUCCESS(Status)) {

                ShowNTError("LsaCallAuthenticationPackage", Status);

            } else {

                ShowNTError("Protocol status", SubStatus);

            }

            break;

        }

        // got the native MS TGT

        msticket = &(TktCacheResponse->Ticket);

        netypes = (*env)->GetArrayLength(env, jetypes);

        etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL);

        if (etypes == NULL) {

            break;

        }

        // check TGT validity

        if (native_debug) {

            printf("LSA: TICKET SessionKey KeyType is %d\n", msticket->SessionKey.KeyType);

        }

        if ((msticket->TicketFlags & KERB_TICKET_FLAGS_invalid) == 0) {

            GetSystemTimeAsFileTime(&Now);

            EndTime.dwLowDateTime = msticket->EndTime.LowPart;

            EndTime.dwHighDateTime = msticket->EndTime.HighPart;

            if (CompareFileTime(&Now, &EndTime) < 0) {

                for (i=0; i<netypes; i++) {

                    if (etypes[i] == msticket->SessionKey.KeyType) {

                        found = 1;

                        if (native_debug) {

                            printf("LSA: Valid etype found: %d\n", etypes[i]);

                        }

                        break;

                    }

                }

            }

        }

        if (!found) {

            if (native_debug) {

                printf("LSA: MS TGT in cache is invalid/not supported; request new ticket\n");

            }

            // use domain to request Ticket

            Status = ConstructTicketRequest(env, msticket->TargetDomainName,

                                &pTicketRequest, &requestSize);

            if (!LSA_SUCCESS(Status)) {

                ShowNTError("ConstructTicketRequest status", Status);

                break;

            }

            pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;

            pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;

            for (i=0; i<netypes; i++) {

                pTicketRequest->EncryptionType = etypes[i];

                Status = LsaCallAuthenticationPackage(

                            LogonHandle,

                            PackageId,

                            pTicketRequest,

                            requestSize,

                            &pTicketResponse,

                            &responseSize,

                            &SubStatus

                            );

                if (native_debug) {