Re: [PATCH 13/13] secur32: Add support for switching between Kerberos and NTLM in Negotiate provider.

On Thu, 2018-01-18 at 23:54 +0800, Dmitry Timoshkov wrote:

diff --git a/dlls/secur32/negotiate.c b/dlls/secur32/negotiate.c index bf16258fc2..c7ab97ef79 100644 --- a/dlls/secur32/negotiate.c +++ b/dlls/secur32/negotiate.c @@ -62,20 +62,41 @@ static SECURITY_STATUS SEC_ENTRY nego_AcquireCredentialsHandleW(   PVOID pGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry )  {   static SEC_WCHAR ntlmW[] = {'N','T','L','M',0}; + static SEC_WCHAR kerberosW[] = {'K','e','r','b','e','r','o','s',0};   SECURITY_STATUS ret; + SecurePackage *package; + CredHandle myCred;     TRACE("%s, %s, 0x%08x, %p, %p, %p, %p, %p, %p\n",   debugstr_w(pszPrincipal), debugstr_w(pszPackage), fCredentialUse,   pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument, phCredential, ptsExpiry);   - FIXME("forwarding to NTLM\n"); - ret = ntlm_AcquireCredentialsHandleW( pszPrincipal, ntlmW, fCredentialUse, - pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument, - phCredential, ptsExpiry ); + if (!pszPackage) + return SEC_E_SECPKG_NOT_FOUND; + + package = SECUR32_findPackageW(kerberosW); + if (!package || !package->provider) + { + package = SECUR32_findPackageW(ntlmW); + if (!package || !package->provider) + return SEC_E_SECPKG_NOT_FOUND; + }

For inbound credentials you can't decide at this point whether Kerberos or NTLM will be used, it has to be done when AcceptSecurityContext is called.

+ if (!package->provider->fnTableW.AcquireCredentialsHandleW) + { + FIXME("Package doesn't support this API\n"); + return SEC_E_UNSUPPORTED_FUNCTION; + } + + ret = package->provider->fnTableW.AcquireCredentialsHandleW( + pszPrincipal, package->infoW.Name, fCredentialUse, pLogonID, + pAuthData, pGetKeyFn, pGetKeyArgument, &myCred, + ptsExpiry);   if (ret == SEC_E_OK)   { - NtlmCredentials *cred = (NtlmCredentials *)phCredential->dwLower; - cred->no_cached_credentials = (pAuthData == NULL);

[..]

--- a/dlls/secur32/ntlm.c +++ b/dlls/secur32/ntlm.c @@ -151,7 +151,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(   ntlm_cred->domain_arg = NULL;   ntlm_cred->password = NULL;   ntlm_cred->pwlen = 0; - ntlm_cred->no_cached_credentials = 0; + ntlm_cred->no_cached_credentials = (pAuthData == NULL);

This will break NTLM. no_cached_credentials should only be set when NTLM is called from Negotiate.