Wine-Devel
Threads by month
- ----- 2026 -----
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- 22 participants
- 84527 discussions
[PATCH v2 3/5] kerberos: Move support for SpAcceptLsaModeContext to the Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/krb5_ap.c | 91 ++++-------------------------------------
dlls/kerberos/unixlib.c | 63 ++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 2 +
3 files changed, 72 insertions(+), 84 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index b1fe036a071..176546d9e1d 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -753,33 +753,6 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
}
}
-static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
-{
- FILETIME filetime;
- ULARGE_INTEGER tmp;
-
- GetSystemTimeAsFileTime( &filetime );
- FileTimeToLocalFileTime( &filetime, &filetime );
- tmp.QuadPart = ((ULONGLONG)filetime.dwLowDateTime | (ULONGLONG)filetime.dwHighDateTime << 32) + expirytime;
- timestamp->LowPart = tmp.QuadPart;
- timestamp->HighPart = tmp.QuadPart >> 32;
-}
-
-static ULONG flags_gss_to_asc_ret( ULONG flags )
-{
- ULONG ret = 0;
- if (flags & GSS_C_DELEG_FLAG) ret |= ASC_RET_DELEGATE;
- if (flags & GSS_C_MUTUAL_FLAG) ret |= ASC_RET_MUTUAL_AUTH;
- if (flags & GSS_C_REPLAY_FLAG) ret |= ASC_RET_REPLAY_DETECT;
- if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
- if (flags & GSS_C_CONF_FLAG) ret |= ASC_RET_CONFIDENTIALITY;
- if (flags & GSS_C_INTEG_FLAG) ret |= ASC_RET_INTEGRITY;
- if (flags & GSS_C_ANON_FLAG) ret |= ASC_RET_NULL_SESSION;
- if (flags & GSS_C_DCE_STYLE) ret |= ASC_RET_USED_DCE_STYLE;
- if (flags & GSS_C_IDENTIFY_FLAG) ret |= ASC_RET_IDENTIFY;
- return ret;
-}
-
static BOOL is_dce_style_context( gss_ctx_id_t ctxt_handle )
{
OM_uint32 ret, minor_status, flags;
@@ -906,70 +879,20 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential,
static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
SecBufferDesc *input, ULONG context_req, ULONG target_data_rep, LSA_SEC_HANDLE *new_context,
- SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
+ SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status, ret_flags = 0, expiry_time;
- gss_cred_id_t cred_handle;
- gss_ctx_id_t ctxt_handle;
- gss_buffer_desc input_token, output_token;
- gss_name_t target = GSS_C_NO_NAME;
- int idx;
+ NTSTATUS status;
- TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
- target_data_rep, input, new_context, output, context_attr, ts_expiry,
- mapped_context, context_data );
+ TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req, target_data_rep, input,
+ new_context, output, context_attr, expiry, mapped_context, context_data );
if (context_req) FIXME( "ignoring flags 0x%08x\n", context_req );
if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
- cred_handle = credhandle_sspi_to_gss( credential );
- ctxt_handle = ctxthandle_sspi_to_gss( context );
-
- if (!input) input_token.length = 0;
- else
- {
- if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- input_token.length = input->pBuffers[idx].cbBuffer;
- input_token.value = input->pBuffers[idx].pvBuffer;
- }
-
- if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- output_token.length = 0;
- output_token.value = NULL;
- ret = pgss_accept_sec_context( &minor_status, &ctxt_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
- &target, NULL, &output_token, &ret_flags, &expiry_time, NULL );
- TRACE( "gss_accept_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
- {
- if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
- {
- TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
- pgss_release_buffer( &minor_status, &output_token );
- pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
- return SEC_E_BUFFER_TOO_SMALL;
- }
- output->pBuffers[idx].cbBuffer = output_token.length;
- memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
- pgss_release_buffer( &minor_status, &output_token );
-
- ctxthandle_gss_to_sspi( ctxt_handle, new_context );
- if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags );
- expirytime_gss_to_sspi( expiry_time, ts_expiry );
- }
-
- /* we do support user mode SSP/AP functions */
- *mapped_context = TRUE;
+ status = krb5_funcs->accept_context( credential, context, input, new_context, output, context_attr, expiry );
+ if (!status) *mapped_context = TRUE;
/* FIXME: initialize context_data */
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
- target_data_rep, input, new_context, output, context_attr, ts_expiry,
- mapped_context, context_data );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return status;
}
static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index f7579b3fae2..04bff0b032e 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -308,6 +308,68 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
timestamp->HighPart = time.QuadPart >> 32;
}
+static ULONG flags_gss_to_asc_ret( ULONG flags )
+{
+ ULONG ret = 0;
+ if (flags & GSS_C_DELEG_FLAG) ret |= ASC_RET_DELEGATE;
+ if (flags & GSS_C_MUTUAL_FLAG) ret |= ASC_RET_MUTUAL_AUTH;
+ if (flags & GSS_C_REPLAY_FLAG) ret |= ASC_RET_REPLAY_DETECT;
+ if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
+ if (flags & GSS_C_CONF_FLAG) ret |= ASC_RET_CONFIDENTIALITY;
+ if (flags & GSS_C_INTEG_FLAG) ret |= ASC_RET_INTEGRITY;
+ if (flags & GSS_C_ANON_FLAG) ret |= ASC_RET_NULL_SESSION;
+ if (flags & GSS_C_DCE_STYLE) ret |= ASC_RET_USED_DCE_STYLE;
+ if (flags & GSS_C_IDENTIFY_FLAG) ret |= ASC_RET_IDENTIFY;
+ return ret;
+}
+
+NTSTATUS CDECL accept_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, SecBufferDesc *input,
+ LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr,
+ TimeStamp *expiry )
+{
+ OM_uint32 ret, minor_status, ret_flags = 0, expiry_time;
+ gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential );
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+ gss_buffer_desc input_token, output_token;
+ int idx;
+
+ if (!input) input_token.length = 0;
+ else
+ {
+ if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ input_token.length = input->pBuffers[idx].cbBuffer;
+ input_token.value = input->pBuffers[idx].pvBuffer;
+ }
+
+ if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ output_token.length = 0;
+ output_token.value = NULL;
+
+ ret = pgss_accept_sec_context( &minor_status, &ctx_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
+ NULL, NULL, &output_token, &ret_flags, &expiry_time, NULL );
+ TRACE( "gss_accept_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+ {
+ if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+ {
+ TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
+ pgss_release_buffer( &minor_status, &output_token );
+ pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+ return SEC_E_BUFFER_TOO_SMALL;
+ }
+ output->pBuffers[idx].cbBuffer = output_token.length;
+ memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+ pgss_release_buffer( &minor_status, &output_token );
+
+ ctxhandle_gss_to_sspi( ctx_handle, new_context );
+ if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags );
+ expirytime_gss_to_sspi( expiry_time, expiry );
+ }
+
+ return status_gss_to_sspi( ret );
+}
+
static NTSTATUS init_creds( const char *user_at_domain, const char *password )
{
krb5_context ctx;
@@ -498,6 +560,7 @@ static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HAN
static const struct krb5_funcs funcs =
{
+ accept_context,
acquire_credentials_handle,
delete_context,
free_credentials_handle,
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index 2f885e920d4..88d13ce8aab 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -21,6 +21,8 @@
struct krb5_funcs
{
+ NTSTATUS (CDECL *accept_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, SecBufferDesc *, LSA_SEC_HANDLE *,
+ SecBufferDesc *, ULONG *, TimeStamp *);
NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
TimeStamp *);
NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE);
--
2.30.2
1
0
[PATCH v2 2/5] kerberos: Move support for SpInitLsaModeContext/SpDeleteContext to the Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/krb5_ap.c | 135 ++++------------------------------------
dlls/kerberos/unixlib.c | 116 ++++++++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 3 +
3 files changed, 130 insertions(+), 124 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 08265beeceb..b1fe036a071 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -765,54 +765,6 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
timestamp->HighPart = tmp.QuadPart >> 32;
}
-static NTSTATUS name_sspi_to_gss( const UNICODE_STRING *name_str, gss_name_t *name )
-{
- OM_uint32 ret, minor_status;
- gss_OID type = GSS_C_NO_OID; /* FIXME: detect the appropriate value for this ourselves? */
- gss_buffer_desc buf;
-
- buf.length = WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
- if (!(buf.value = heap_alloc( buf.length ))) return SEC_E_INSUFFICIENT_MEMORY;
- WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), buf.value, buf.length, NULL, NULL );
-
- ret = pgss_import_name( &minor_status, &buf, type, name );
- TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
- heap_free( buf.value );
- return status_gss_to_sspi( ret );
-}
-
-static ULONG flags_isc_req_to_gss( ULONG flags )
-{
- ULONG ret = 0;
- if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG;
- if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG;
- if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG;
- if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
- if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
- if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG;
- if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG;
- if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE;
- if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG;
- return ret;
-}
-
-static ULONG flags_gss_to_isc_ret( ULONG flags )
-{
- ULONG ret = 0;
- if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE;
- if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH;
- if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT;
- if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
- if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY;
- if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY;
- if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION;
- if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE;
- if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
- return ret;
-}
-
static ULONG flags_gss_to_asc_ret( ULONG flags )
{
ULONG ret = 0;
@@ -927,80 +879,29 @@ static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credentia
static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input,
- LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry,
+ LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry,
BOOLEAN *mapped_context, SecBuffer *context_data )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE |
ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION;
- OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req );
- gss_cred_id_t cred_handle;
- gss_ctx_id_t ctxt_handle;
- gss_buffer_desc input_token, output_token;
- gss_name_t target = GSS_C_NO_NAME;
+ char *target = NULL;
NTSTATUS status;
- int idx;
TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
- context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry,
+ context_req, target_data_rep, input, new_context, output, context_attr, expiry,
mapped_context, context_data );
- if (context_req & ~supported)
- FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
+ if (context_req & ~supported) FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
- cred_handle = credhandle_sspi_to_gss( credential );
- ctxt_handle = ctxthandle_sspi_to_gss( context );
-
- if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0;
- else
- {
- input_token.length = input->pBuffers[idx].cbBuffer;
- input_token.value = input->pBuffers[idx].pvBuffer;
- }
-
- if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- output_token.length = 0;
- output_token.value = NULL;
-
- if (target_name && ((status = name_sspi_to_gss( target_name, &target )) != SEC_E_OK)) return status;
+ if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY;
- ret = pgss_init_sec_context( &minor_status, cred_handle, &ctxt_handle, target, GSS_C_NO_OID, req_flags, 0,
- GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
- &expiry_time );
- TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
- {
- if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
- {
- TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
- pgss_release_buffer( &minor_status, &output_token );
- pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
- return SEC_E_INCOMPLETE_MESSAGE;
- }
- output->pBuffers[idx].cbBuffer = output_token.length;
- memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
- pgss_release_buffer( &minor_status, &output_token );
-
- ctxthandle_gss_to_sspi( ctxt_handle, new_context );
- if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
- expirytime_gss_to_sspi( expiry_time, ts_expiry );
- }
-
- if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
-
- /* we do support user mode SSP/AP functions */
- *mapped_context = TRUE;
+ status = krb5_funcs->initialize_context( credential, context, target, context_req, input, new_context, output,
+ context_attr, expiry );
+ if (!status) *mapped_context = TRUE;
/* FIXME: initialize context_data */
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
- context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry,
- mapped_context, context_data );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ heap_free( target );
+ return status;
}
static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
@@ -1073,23 +974,9 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential
static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status;
- gss_ctx_id_t ctxt_handle;
-
TRACE( "(%lx)\n", context );
if (!context) return SEC_E_INVALID_HANDLE;
- if (!(ctxt_handle = ctxthandle_sspi_to_gss( context ))) return SEC_E_OK;
-
- ret = pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
- TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx)\n", context );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return krb5_funcs->delete_context( context );
}
static SecPkgInfoW *build_package_info( const SecPkgInfoW *info )
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 7b15f00428a..f7579b3fae2 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -211,6 +211,17 @@ fail:
return FALSE;
}
+static int get_buffer_index( SecBufferDesc *desc, DWORD type )
+{
+ UINT i;
+ if (!desc) return -1;
+ for (i = 0; i < desc->cBuffers; i++)
+ {
+ if (desc->pBuffers[i].BufferType == type) return i;
+ }
+ return -1;
+}
+
static NTSTATUS status_gss_to_sspi( OM_uint32 status )
{
switch (status)
@@ -267,11 +278,21 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
}
}
+static inline gss_ctx_id_t ctxhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
+{
+ return (gss_ctx_id_t)handle;
+}
+
static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
{
return (gss_cred_id_t)handle;
}
+static inline void ctxhandle_gss_to_sspi( gss_ctx_id_t handle, LSA_SEC_HANDLE *ctx )
+{
+ *ctx = (LSA_SEC_HANDLE)handle;
+}
+
static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred )
{
*cred = (LSA_SEC_HANDLE)handle;
@@ -371,6 +392,17 @@ static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG c
return status_gss_to_sspi( ret );
}
+static NTSTATUS CDECL delete_context( LSA_SEC_HANDLE context )
+{
+ OM_uint32 ret, minor_status;
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+
+ ret = pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+ TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ return status_gss_to_sspi( ret );
+}
+
static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
{
OM_uint32 ret, minor_status;
@@ -382,10 +414,94 @@ static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
return status_gss_to_sspi( ret );
}
+static ULONG flags_isc_req_to_gss( ULONG flags )
+{
+ ULONG ret = 0;
+ if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG;
+ if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG;
+ if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG;
+ if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
+ if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
+ if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG;
+ if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG;
+ if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE;
+ if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG;
+ return ret;
+}
+
+static ULONG flags_gss_to_isc_ret( ULONG flags )
+{
+ ULONG ret = 0;
+ if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE;
+ if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH;
+ if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT;
+ if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
+ if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY;
+ if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY;
+ if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION;
+ if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE;
+ if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
+ return ret;
+}
+
+static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, const char *target_name,
+ ULONG context_req, SecBufferDesc *input, LSA_SEC_HANDLE *new_context,
+ SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry )
+{
+ OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req );
+ gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential );
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+ gss_buffer_desc input_token, output_token;
+ gss_name_t target = GSS_C_NO_NAME;
+ NTSTATUS status;
+ int idx;
+
+ if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0;
+ else
+ {
+ input_token.length = input->pBuffers[idx].cbBuffer;
+ input_token.value = input->pBuffers[idx].pvBuffer;
+ }
+
+ if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ output_token.length = 0;
+ output_token.value = NULL;
+
+ if (target_name && (status = import_name( target_name, &target ))) return status;
+
+ ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0,
+ GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
+ &expiry_time );
+ TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+ {
+ if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+ {
+ TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
+ pgss_release_buffer( &minor_status, &output_token );
+ pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+ return SEC_E_INCOMPLETE_MESSAGE;
+ }
+ output->pBuffers[idx].cbBuffer = output_token.length;
+ memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+ pgss_release_buffer( &minor_status, &output_token );
+
+ ctxhandle_gss_to_sspi( ctx_handle, new_context );
+ if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
+ expirytime_gss_to_sspi( expiry_time, expiry );
+ }
+
+ if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
+ return status_gss_to_sspi( ret );
+}
+
static const struct krb5_funcs funcs =
{
acquire_credentials_handle,
+ delete_context,
free_credentials_handle,
+ initialize_context,
};
NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index 864c321c59d..2f885e920d4 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -23,7 +23,10 @@ struct krb5_funcs
{
NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
TimeStamp *);
+ NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE);
NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
+ NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *,
+ LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *);
};
extern const struct krb5_funcs *krb5_funcs;
--
2.30.2
1
0
[PATCH v2 1/5] kerberos: Move support for SpAcquireCredentialsHandle/SpFreeCredentialsHandle to a new Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
v2: Copy copyright headers.
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/Makefile.in | 3 +-
dlls/kerberos/krb5_ap.c | 189 ++++++------------
dlls/kerberos/unixlib.c | 402 ++++++++++++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 29 +++
4 files changed, 494 insertions(+), 129 deletions(-)
create mode 100644 dlls/kerberos/unixlib.c
create mode 100644 dlls/kerberos/unixlib.h
diff --git a/dlls/kerberos/Makefile.in b/dlls/kerberos/Makefile.in
index f67ba567fb0..ab5e6b59976 100644
--- a/dlls/kerberos/Makefile.in
+++ b/dlls/kerberos/Makefile.in
@@ -2,4 +2,5 @@ MODULE = kerberos.dll
EXTRAINCL = $(KRB5_CFLAGS) $(GSSAPI_CFLAGS)
C_SRCS = \
- krb5_ap.c
+ krb5_ap.c \
+ unixlib.c
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 44d6b86e019..08265beeceb 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -46,9 +46,14 @@
#include "wine/heap.h"
#include "wine/debug.h"
#include "wine/unicode.h"
+#include "unixlib.h"
WINE_DEFAULT_DEBUG_CHANNEL(kerberos);
+static HINSTANCE instance;
+
+const struct krb5_funcs *krb5_funcs = NULL;
+
#define KERBEROS_MAX_BUF 12000
#define KERBEROS_CAPS \
@@ -840,8 +845,19 @@ static int get_buffer_index( SecBufferDesc *desc, DWORD type )
}
return -1;
}
+#endif /* SONAME_LIBGSSAPI_KRB5 */
-static char *get_user_at_domain( const WCHAR *user, ULONG user_len, const WCHAR *domain, ULONG domain_len )
+static char *get_str_unixcp( const UNICODE_STRING *str )
+{
+ char *ret;
+ int len = WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
+ if (!(ret = heap_alloc( len + 1 ))) return NULL;
+ WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), ret, len, NULL, NULL );
+ ret[len] = 0;
+ return ret;
+}
+
+static char *get_username_unixcp( const WCHAR *user, ULONG user_len, const WCHAR *domain, ULONG domain_len )
{
int len_user, len_domain;
char *ret;
@@ -857,7 +873,7 @@ static char *get_user_at_domain( const WCHAR *user, ULONG user_len, const WCHAR
return ret;
}
-static char *get_password( const WCHAR *passwd, ULONG passwd_len )
+static char *get_password_unixcp( const WCHAR *passwd, ULONG passwd_len )
{
int len;
char *ret;
@@ -869,145 +885,44 @@ static char *get_password( const WCHAR *passwd, ULONG passwd_len )
return ret;
}
-static NTSTATUS init_creds( const SEC_WINNT_AUTH_IDENTITY_W *id )
-{
- char *user_at_domain, *password;
- krb5_context ctx;
- krb5_principal principal = NULL;
- krb5_get_init_creds_opt *options = NULL;
- krb5_ccache cache = NULL;
- krb5_creds creds;
- krb5_error_code err;
-
- if (!id) return STATUS_SUCCESS;
- if (id->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI)
- {
- FIXME( "ANSI identity not supported\n" );
- return SEC_E_UNSUPPORTED_FUNCTION;
- }
- if (!(user_at_domain = get_user_at_domain( id->User, id->UserLength, id->Domain, id->DomainLength )))
- {
- return SEC_E_INSUFFICIENT_MEMORY;
- }
- if (!(password = get_password( id->Password, id->PasswordLength )))
- {
- heap_free( user_at_domain );
- return SEC_E_INSUFFICIENT_MEMORY;
- }
-
- if ((err = p_krb5_init_context( &ctx )))
- {
- heap_free( password );
- heap_free( user_at_domain );
- return krb5_error_to_status( err );
- }
- if ((err = p_krb5_parse_name_flags( ctx, user_at_domain, 0, &principal ))) goto done;
- if ((err = p_krb5_cc_default( ctx, &cache ))) goto done;
- if ((err = p_krb5_get_init_creds_opt_alloc( ctx, &options ))) goto done;
- if ((err = p_krb5_get_init_creds_opt_set_out_ccache( ctx, options, cache ))) goto done;
- if ((err = p_krb5_get_init_creds_password( ctx, &creds, principal, password, 0, NULL, 0, NULL, 0 ))) goto done;
- if ((err = p_krb5_cc_initialize( ctx, cache, principal ))) goto done;
- if ((err = p_krb5_cc_store_cred( ctx, cache, &creds ))) goto done;
-
- TRACE( "success\n" );
- p_krb5_free_cred_contents( ctx, &creds );
-
-done:
- if (cache) p_krb5_cc_close( ctx, cache );
- if (principal) p_krb5_free_principal( ctx, principal );
- if (options) p_krb5_get_init_creds_opt_free( ctx, options );
- p_krb5_free_context( ctx );
- heap_free( user_at_domain );
- heap_free( password );
-
- return krb5_error_to_status( err );
-}
-
-static NTSTATUS acquire_credentials_handle( UNICODE_STRING *principal_us, gss_cred_usage_t cred_usage,
- LSA_SEC_HANDLE *credential, TimeStamp *ts_expiry )
-{
- OM_uint32 ret, minor_status, expiry_time;
- gss_name_t principal = GSS_C_NO_NAME;
- gss_cred_id_t cred_handle;
- NTSTATUS status;
-
- if (principal_us && ((status = name_sspi_to_gss( principal_us, &principal )) != SEC_E_OK)) return status;
-
- ret = pgss_acquire_cred( &minor_status, principal, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, cred_usage,
- &cred_handle, NULL, &expiry_time );
- TRACE( "gss_acquire_cred returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE)
- {
- credhandle_gss_to_sspi( cred_handle, credential );
- expirytime_gss_to_sspi( expiry_time, ts_expiry );
- }
-
- if (principal != GSS_C_NO_NAME) pgss_release_name( &minor_status, &principal );
-
- return status_gss_to_sspi( ret );
-}
-#endif /* SONAME_LIBGSSAPI_KRB5 */
-
static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle(
UNICODE_STRING *principal_us, ULONG credential_use, LUID *logon_id, void *auth_data,
- void *get_key_fn, void *get_key_arg, LSA_SEC_HANDLE *credential, TimeStamp *ts_expiry )
+ void *get_key_fn, void *get_key_arg, LSA_SEC_HANDLE *credential, TimeStamp *expiry )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- gss_cred_usage_t cred_usage;
- NTSTATUS status;
+ char *principal = NULL, *username = NULL, *password = NULL;
+ SEC_WINNT_AUTH_IDENTITY_W *id = auth_data;
+ NTSTATUS status = SEC_E_INSUFFICIENT_MEMORY;
TRACE( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us), credential_use,
- logon_id, auth_data, get_key_fn, get_key_arg, credential, ts_expiry );
+ logon_id, auth_data, get_key_fn, get_key_arg, credential, expiry );
- switch (credential_use)
+ if (principal_us && !(principal = get_str_unixcp( principal_us ))) return SEC_E_INSUFFICIENT_MEMORY;
+ if (id)
{
- case SECPKG_CRED_INBOUND:
- cred_usage = GSS_C_ACCEPT;
- break;
-
- case SECPKG_CRED_OUTBOUND:
- if ((status = init_creds( auth_data )) != STATUS_SUCCESS) return status;
- cred_usage = GSS_C_INITIATE;
- break;
-
- case SECPKG_CRED_BOTH:
- cred_usage = GSS_C_BOTH;
- break;
-
- default:
- return SEC_E_UNKNOWN_CREDENTIALS;
+ if (id->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI)
+ {
+ FIXME( "ANSI identity not supported\n" );
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ goto done;
+ }
+ if (!(username = get_username_unixcp( id->User, id->UserLength, id->Domain, id->DomainLength ))) goto done;
+ if (!(password = get_password_unixcp( id->Password, id->PasswordLength ))) goto done;
}
- return acquire_credentials_handle( principal_us, cred_usage, credential, ts_expiry );
-#else
- FIXME( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us), credential_use,
- logon_id, auth_data, get_key_fn, get_key_arg, credential, ts_expiry );
- FIXME( "Wine was built without Kerberos support.\n" );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ status = krb5_funcs->acquire_credentials_handle( principal, credential_use, username, password, credential,
+ expiry );
+done:
+ heap_free( principal );
+ heap_free( username );
+ heap_free( password );
+ return status;
}
static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credential )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status;
- gss_cred_id_t cred_handle;
-
TRACE( "(%lx)\n", credential );
-
if (!credential) return SEC_E_INVALID_HANDLE;
- if (!(cred_handle = credhandle_sspi_to_gss( credential ))) return SEC_E_OK;
-
- ret = pgss_release_cred( &minor_status, &cred_handle );
- TRACE( "gss_release_cred returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx)\n", credential );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return krb5_funcs->free_credentials_handle( credential );
}
static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
@@ -1257,11 +1172,15 @@ static NTSTATUS NTAPI kerberos_SpInitialize(ULONG_PTR package_id, SECPKG_PARAMET
{
TRACE("%lu,%p,%p\n", package_id, params, lsa_function_table);
+ if (!krb5_funcs && __wine_init_unix_lib( instance, DLL_PROCESS_ATTACH, NULL, &krb5_funcs ))
+ {
+ WARN( "no Kerberos support\n" );
+ return STATUS_UNSUCCESSFUL;
+ }
#ifdef SONAME_LIBGSSAPI_KRB5
if (load_gssapi_krb5()) return STATUS_SUCCESS;
#endif
-
- return STATUS_UNSUCCESSFUL;
+ return STATUS_SUCCESS;
}
static NTSTATUS NTAPI kerberos_SpShutdown(void)
@@ -1644,3 +1563,17 @@ NTSTATUS NTAPI SpUserModeInitialize(ULONG lsa_version, PULONG package_version,
return STATUS_SUCCESS;
}
+
+BOOL WINAPI DllMain( HINSTANCE hinst, DWORD reason, void *reserved )
+{
+ switch (reason)
+ {
+ case DLL_PROCESS_ATTACH:
+ instance = hinst;
+ DisableThreadLibraryCalls( hinst );
+ break;
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
new file mode 100644
index 00000000000..7b15f00428a
--- /dev/null
+++ b/dlls/kerberos/unixlib.c
@@ -0,0 +1,402 @@
+/*
+ * Unix interface for libkrb5/libgssapi_krb5
+ *
+ * Copyright 2017 Dmitry Timoshkov
+ * Copyright 2017 George Popoff
+ * Copyright 2008 Robert Shearman for CodeWeavers
+ * Copyright 2017,2021 Hans Leidekker for CodeWeavers
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#if 0
+#pragma makedep unix
+#endif
+
+#include "config.h"
+#if defined(SONAME_LIBKRB5) && defined(SONAME_LIBGSSAPI_KRB5)
+#include "wine/port.h"
+
+#include <stdarg.h>
+#ifdef HAVE_KRB5_KRB5_H
+# include <krb5/krb5.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_H
+# include <gssapi/gssapi.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+# include <gssapi/gssapi_ext.h>
+#endif
+
+#include "ntstatus.h"
+#define WIN32_NO_STATUS
+#include "windef.h"
+#include "winternl.h"
+#include "winbase.h"
+#include "rpc.h"
+#include "sspi.h"
+#include "ntsecapi.h"
+#include "ntsecpkg.h"
+
+#include "wine/debug.h"
+#include "unixlib.h"
+
+WINE_DEFAULT_DEBUG_CHANNEL(kerberos);
+WINE_DECLARE_DEBUG_CHANNEL(winediag);
+
+static void *libkrb5_handle;
+
+#define MAKE_FUNCPTR(f) static typeof(f) * p_##f
+MAKE_FUNCPTR( krb5_cc_close );
+MAKE_FUNCPTR( krb5_cc_default );
+MAKE_FUNCPTR( krb5_cc_end_seq_get );
+MAKE_FUNCPTR( krb5_cc_initialize );
+MAKE_FUNCPTR( krb5_cc_next_cred );
+MAKE_FUNCPTR( krb5_cc_start_seq_get );
+MAKE_FUNCPTR( krb5_cc_store_cred );
+MAKE_FUNCPTR( krb5_cccol_cursor_free );
+MAKE_FUNCPTR( krb5_cccol_cursor_new );
+MAKE_FUNCPTR( krb5_cccol_cursor_next );
+MAKE_FUNCPTR( krb5_decode_ticket );
+MAKE_FUNCPTR( krb5_free_context );
+MAKE_FUNCPTR( krb5_free_cred_contents );
+MAKE_FUNCPTR( krb5_free_principal );
+MAKE_FUNCPTR( krb5_free_ticket );
+MAKE_FUNCPTR( krb5_free_unparsed_name );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_alloc );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_free );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_set_out_ccache );
+MAKE_FUNCPTR( krb5_get_init_creds_password );
+MAKE_FUNCPTR( krb5_init_context );
+MAKE_FUNCPTR( krb5_is_config_principal );
+MAKE_FUNCPTR( krb5_parse_name_flags );
+MAKE_FUNCPTR( krb5_unparse_name_flags );
+#undef MAKE_FUNCPTR
+
+static BOOL load_krb5(void)
+{
+ if (!(libkrb5_handle = dlopen( SONAME_LIBKRB5, RTLD_NOW )))
+ {
+ WARN_(winediag)( "failed to load %s, Kerberos support will be disabled\n", SONAME_LIBKRB5 );
+ return FALSE;
+ }
+
+#define LOAD_FUNCPTR(f) \
+ if (!(p_##f = dlsym( libkrb5_handle, #f ))) \
+ { \
+ ERR( "failed to load %s\n", #f ); \
+ goto fail; \
+ }
+
+ LOAD_FUNCPTR( krb5_cc_close )
+ LOAD_FUNCPTR( krb5_cc_default )
+ LOAD_FUNCPTR( krb5_cc_end_seq_get )
+ LOAD_FUNCPTR( krb5_cc_initialize )
+ LOAD_FUNCPTR( krb5_cc_next_cred )
+ LOAD_FUNCPTR( krb5_cc_start_seq_get )
+ LOAD_FUNCPTR( krb5_cc_store_cred )
+ LOAD_FUNCPTR( krb5_cccol_cursor_free )
+ LOAD_FUNCPTR( krb5_cccol_cursor_new )
+ LOAD_FUNCPTR( krb5_cccol_cursor_next )
+ LOAD_FUNCPTR( krb5_decode_ticket )
+ LOAD_FUNCPTR( krb5_free_context )
+ LOAD_FUNCPTR( krb5_free_cred_contents )
+ LOAD_FUNCPTR( krb5_free_principal )
+ LOAD_FUNCPTR( krb5_free_ticket )
+ LOAD_FUNCPTR( krb5_free_unparsed_name )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_alloc )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_free )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_set_out_ccache )
+ LOAD_FUNCPTR( krb5_get_init_creds_password )
+ LOAD_FUNCPTR( krb5_init_context )
+ LOAD_FUNCPTR( krb5_is_config_principal )
+ LOAD_FUNCPTR( krb5_parse_name_flags )
+ LOAD_FUNCPTR( krb5_unparse_name_flags )
+#undef LOAD_FUNCPTR
+ return TRUE;
+
+fail:
+ dlclose( libkrb5_handle );
+ libkrb5_handle = NULL;
+ return FALSE;
+}
+
+static void unload_krb5(void)
+{
+ dlclose( libkrb5_handle );
+ libkrb5_handle = NULL;
+}
+
+static NTSTATUS krb5_error_to_status( krb5_error_code err )
+{
+ switch (err)
+ {
+ case 0: return STATUS_SUCCESS;
+ default: return STATUS_UNSUCCESSFUL; /* FIXME */
+ }
+}
+
+static void *libgssapi_krb5_handle;
+
+#define MAKE_FUNCPTR(f) static typeof(f) * p##f
+MAKE_FUNCPTR( gss_accept_sec_context );
+MAKE_FUNCPTR( gss_acquire_cred );
+MAKE_FUNCPTR( gss_delete_sec_context );
+MAKE_FUNCPTR( gss_display_status );
+MAKE_FUNCPTR( gss_get_mic );
+MAKE_FUNCPTR( gss_import_name );
+MAKE_FUNCPTR( gss_init_sec_context );
+MAKE_FUNCPTR( gss_inquire_context );
+MAKE_FUNCPTR( gss_release_buffer );
+MAKE_FUNCPTR( gss_release_cred );
+MAKE_FUNCPTR( gss_release_iov_buffer );
+MAKE_FUNCPTR( gss_release_name );
+MAKE_FUNCPTR( gss_unwrap );
+MAKE_FUNCPTR( gss_unwrap_iov );
+MAKE_FUNCPTR( gss_verify_mic );
+MAKE_FUNCPTR( gss_wrap );
+MAKE_FUNCPTR( gss_wrap_iov );
+#undef MAKE_FUNCPTR
+
+static BOOL load_gssapi_krb5(void)
+{
+ if (!(libgssapi_krb5_handle = dlopen( SONAME_LIBGSSAPI_KRB5, RTLD_NOW )))
+ {
+ WARN_(winediag)( "failed to load %s, Kerberos support will be disabled\n", SONAME_LIBGSSAPI_KRB5 );
+ return FALSE;
+ }
+
+#define LOAD_FUNCPTR(f) \
+ if (!(p##f = dlsym( libgssapi_krb5_handle, #f ))) \
+ { \
+ ERR( "failed to load %s\n", #f ); \
+ goto fail; \
+ }
+
+ LOAD_FUNCPTR( gss_accept_sec_context)
+ LOAD_FUNCPTR( gss_acquire_cred)
+ LOAD_FUNCPTR( gss_delete_sec_context)
+ LOAD_FUNCPTR( gss_display_status)
+ LOAD_FUNCPTR( gss_get_mic)
+ LOAD_FUNCPTR( gss_import_name)
+ LOAD_FUNCPTR( gss_init_sec_context)
+ LOAD_FUNCPTR( gss_inquire_context)
+ LOAD_FUNCPTR( gss_release_buffer)
+ LOAD_FUNCPTR( gss_release_cred)
+ LOAD_FUNCPTR( gss_release_iov_buffer)
+ LOAD_FUNCPTR( gss_release_name)
+ LOAD_FUNCPTR( gss_unwrap)
+ LOAD_FUNCPTR( gss_unwrap_iov)
+ LOAD_FUNCPTR( gss_verify_mic)
+ LOAD_FUNCPTR( gss_wrap )
+ LOAD_FUNCPTR( gss_wrap_iov )
+#undef LOAD_FUNCPTR
+ return TRUE;
+
+fail:
+ dlclose( libgssapi_krb5_handle );
+ libgssapi_krb5_handle = NULL;
+ return FALSE;
+}
+
+static NTSTATUS status_gss_to_sspi( OM_uint32 status )
+{
+ switch (status)
+ {
+ case GSS_S_COMPLETE: return SEC_E_OK;
+ case GSS_S_BAD_MECH: return SEC_E_SECPKG_NOT_FOUND;
+ case GSS_S_BAD_SIG: return SEC_E_MESSAGE_ALTERED;
+ case GSS_S_NO_CRED: return SEC_E_NO_CREDENTIALS;
+ case GSS_S_NO_CONTEXT: return SEC_E_INVALID_HANDLE;
+ case GSS_S_DEFECTIVE_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_DEFECTIVE_CREDENTIAL: return SEC_E_NO_CREDENTIALS;
+ case GSS_S_CREDENTIALS_EXPIRED: return SEC_E_CONTEXT_EXPIRED;
+ case GSS_S_CONTEXT_EXPIRED: return SEC_E_CONTEXT_EXPIRED;
+ case GSS_S_BAD_QOP: return SEC_E_QOP_NOT_SUPPORTED;
+ case GSS_S_CONTINUE_NEEDED: return SEC_I_CONTINUE_NEEDED;
+ case GSS_S_DUPLICATE_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_OLD_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_UNSEQ_TOKEN: return SEC_E_OUT_OF_SEQUENCE;
+ case GSS_S_GAP_TOKEN: return SEC_E_OUT_OF_SEQUENCE;
+ case GSS_S_FAILURE: return SEC_E_INTERNAL_ERROR;
+
+ default:
+ FIXME( "couldn't convert status 0x%08x to NTSTATUS\n", status );
+ return SEC_E_INTERNAL_ERROR;
+ }
+}
+
+static void trace_gss_status_ex( OM_uint32 code, int type )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc buf;
+ OM_uint32 msg_ctx = 0;
+
+ for (;;)
+ {
+ ret = pgss_display_status( &minor_status, code, type, GSS_C_NULL_OID, &msg_ctx, &buf );
+ if (GSS_ERROR( ret ))
+ {
+ TRACE( "gss_display_status(0x%08x,%d) returned %08x minor status %08x\n", code, type, ret, minor_status );
+ return;
+ }
+ TRACE( "GSS-API error: 0x%08x: %s\n", code, debugstr_an(buf.value, buf.length) );
+ pgss_release_buffer( &minor_status, &buf );
+ if (!msg_ctx) return;
+ }
+}
+
+static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
+{
+ if (TRACE_ON(kerberos))
+ {
+ trace_gss_status_ex( major_status, GSS_C_GSS_CODE );
+ trace_gss_status_ex( minor_status, GSS_C_MECH_CODE );
+ }
+}
+
+static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
+{
+ return (gss_cred_id_t)handle;
+}
+
+static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred )
+{
+ *cred = (LSA_SEC_HANDLE)handle;
+}
+
+static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
+{
+ LARGE_INTEGER time;
+
+ NtQuerySystemTime( &time );
+ RtlSystemTimeToLocalTime( &time, &time );
+ timestamp->LowPart = time.QuadPart;
+ timestamp->HighPart = time.QuadPart >> 32;
+}
+
+static NTSTATUS init_creds( const char *user_at_domain, const char *password )
+{
+ krb5_context ctx;
+ krb5_principal principal = NULL;
+ krb5_get_init_creds_opt *options = NULL;
+ krb5_ccache cache = NULL;
+ krb5_creds creds;
+ krb5_error_code err;
+
+ if (!user_at_domain) return STATUS_SUCCESS;
+ if ((err = p_krb5_init_context( &ctx ))) return krb5_error_to_status( err );
+ if ((err = p_krb5_parse_name_flags( ctx, user_at_domain, 0, &principal ))) goto done;
+ if ((err = p_krb5_cc_default( ctx, &cache ))) goto done;
+ if ((err = p_krb5_get_init_creds_opt_alloc( ctx, &options ))) goto done;
+ if ((err = p_krb5_get_init_creds_opt_set_out_ccache( ctx, options, cache ))) goto done;
+ if ((err = p_krb5_get_init_creds_password( ctx, &creds, principal, password, 0, NULL, 0, NULL, 0 ))) goto done;
+ if ((err = p_krb5_cc_initialize( ctx, cache, principal ))) goto done;
+ if ((err = p_krb5_cc_store_cred( ctx, cache, &creds ))) goto done;
+
+ TRACE( "success\n" );
+ p_krb5_free_cred_contents( ctx, &creds );
+
+done:
+ if (cache) p_krb5_cc_close( ctx, cache );
+ if (principal) p_krb5_free_principal( ctx, principal );
+ if (options) p_krb5_get_init_creds_opt_free( ctx, options );
+ p_krb5_free_context( ctx );
+ return krb5_error_to_status( err );
+}
+
+static NTSTATUS import_name( const char *src, gss_name_t *dst )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc buf;
+
+ buf.length = strlen( src );
+ buf.value = (void *)src;
+ ret = pgss_import_name( &minor_status, &buf, GSS_C_NO_OID, dst );
+ TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ return status_gss_to_sspi( ret );
+}
+
+static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG credential_use, const char *username,
+ const char *password, LSA_SEC_HANDLE *credential, TimeStamp *expiry )
+{
+ OM_uint32 ret, minor_status, expiry_time;
+ gss_name_t name = GSS_C_NO_NAME;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t cred_handle;
+ NTSTATUS status;
+
+ switch (credential_use)
+ {
+ case SECPKG_CRED_INBOUND:
+ cred_usage = GSS_C_ACCEPT;
+ break;
+
+ case SECPKG_CRED_OUTBOUND:
+ if ((status = init_creds( username, password )) != STATUS_SUCCESS) return status;
+ cred_usage = GSS_C_INITIATE;
+ break;
+
+ default:
+ FIXME( "SECPKG_CRED_BOTH not supported\n" );
+ return SEC_E_UNKNOWN_CREDENTIALS;
+ }
+
+ if (principal && (status = import_name( principal, &name ))) return status;
+
+ ret = pgss_acquire_cred( &minor_status, name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, cred_usage, &cred_handle,
+ NULL, &expiry_time );
+ TRACE( "gss_acquire_cred returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE)
+ {
+ credhandle_gss_to_sspi( cred_handle, credential );
+ expirytime_gss_to_sspi( expiry_time, expiry );
+ }
+
+ if (name != GSS_C_NO_NAME) pgss_release_name( &minor_status, &name );
+ return status_gss_to_sspi( ret );
+}
+
+static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
+{
+ OM_uint32 ret, minor_status;
+ gss_cred_id_t cred = credhandle_sspi_to_gss( handle );
+
+ ret = pgss_release_cred( &minor_status, &cred );
+ TRACE( "gss_release_cred returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ return status_gss_to_sspi( ret );
+}
+
+static const struct krb5_funcs funcs =
+{
+ acquire_credentials_handle,
+ free_credentials_handle,
+};
+
+NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
+{
+ if (reason != DLL_PROCESS_ATTACH) return STATUS_SUCCESS;
+ if (load_krb5() && load_gssapi_krb5())
+ {
+ *(const struct krb5_funcs **)ptr_out = &funcs;
+ return STATUS_SUCCESS;
+ }
+ if (libkrb5_handle) unload_krb5();
+ return STATUS_DLL_NOT_FOUND;
+}
+#endif /* defined(SONAME_LIBKRB5) && defined(SONAME_LIBGSSAPI_KRB5) */
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
new file mode 100644
index 00000000000..864c321c59d
--- /dev/null
+++ b/dlls/kerberos/unixlib.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2017 Dmitry Timoshkov
+ * Copyright 2017 George Popoff
+ * Copyright 2008 Robert Shearman for CodeWeavers
+ * Copyright 2017,2021 Hans Leidekker for CodeWeavers
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+struct krb5_funcs
+{
+ NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
+ TimeStamp *);
+ NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
+};
+
+extern const struct krb5_funcs *krb5_funcs;
--
2.30.2
1
0
April 20, 2021
Signed-off-by: Hugh McMaster <hugh.mcmaster(a)outlook.com>
---
programs/reg/tests/query.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/programs/reg/tests/query.c b/programs/reg/tests/query.c
index c475d288fd8..3c87f76742e 100644
--- a/programs/reg/tests/query.c
+++ b/programs/reg/tests/query.c
@@ -167,6 +167,10 @@ static void test_query(void)
run_reg_exe("reg query -H", &r);
ok(r == REG_EXIT_SUCCESS, "got exit code %d, expected 0\n", r);
+ /* Key not present */
+ run_reg_exe("reg query HKCU\\" KEY_BASE, &r);
+ ok(r == REG_EXIT_FAILURE, "got exit code %d, expected 1\n", r);
+
/* Create a test key */
add_key(HKEY_CURRENT_USER, KEY_BASE, &key);
add_value(key, "Test1", REG_SZ, "Hello, World", 13);
@@ -245,6 +249,7 @@ static void test_query(void)
add_value(key, NULL, REG_SZ, "Empty", 6);
add_value(subkey, NULL, REG_SZ, "Empty", 6);
close_key(subkey);
+ close_key(key);
run_reg_exe("reg query HKCU\\" KEY_BASE "\\subkey /ve", &r);
ok(r == REG_EXIT_SUCCESS, "got exit code %d, expected 0\n", r);
@@ -253,17 +258,7 @@ static void test_query(void)
ok(r == REG_EXIT_SUCCESS || r == REG_EXIT_FAILURE /* WinXP */,
"got exit code %d, expected 0\n", r);
- /* Clean-up, then query */
- delete_key(key, "subkey");
- close_key(key);
-
- run_reg_exe("reg query HKCU\\" KEY_BASE "\\subkey", &r);
- ok(r == REG_EXIT_FAILURE, "got exit code %d, expected 1\n", r);
-
- delete_key(HKEY_CURRENT_USER, KEY_BASE);
-
- run_reg_exe("reg query HKCU\\" KEY_BASE, &r);
- ok(r == REG_EXIT_FAILURE, "got exit code %d, expected 1\n", r);
+ delete_tree(HKEY_CURRENT_USER, KEY_BASE);
}
START_TEST(query)
--
2.31.0
1
4
This fixes the game Evil Genius 2 complaining about unsupported OS.
Signed-off-by: Arkadiusz Hiler <ahiler(a)codeweavers.com>
---
dlls/kernel32/version.rc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/dlls/kernel32/version.rc b/dlls/kernel32/version.rc
index 82287e5da79..b6002f51f7a 100644
--- a/dlls/kernel32/version.rc
+++ b/dlls/kernel32/version.rc
@@ -25,10 +25,10 @@ LANGUAGE LANG_ENGLISH, SUBLANG_DEFAULT
#define WINE_FILEDESCRIPTION_STR "Wine kernel DLL"
#define WINE_FILENAME_STR "kernel32.dll"
-/* these values come from Windows 7 SP1 */
-#define WINE_FILEVERSION 6,1,7601,17514
-#define WINE_FILEVERSION_STR "6.1.7601.17514"
-#define WINE_PRODUCTVERSION 6,1,7601,17514
-#define WINE_PRODUCTVERSION_STR "6.1.7601.17514"
+/* these values come from Windows 10 Version 1909 */
+#define WINE_FILEVERSION 10,0,18362,1350
+#define WINE_FILEVERSION_STR "10.0.18362.1350"
+#define WINE_PRODUCTVERSION 10,0,18362,1350
+#define WINE_PRODUCTVERSION_STR "10.0.18362.1350"
#include "wine/wine_common_ver.rc"
--
2.31.1
2
1
Signed-off-by: Serge Gautherie <winehq-git_serge_180711(a)gautherie.fr>
---
ReactOS:
'...\sdk\lib\rtl\compress.c(62): warning C4334: '<<': result of 32-bit shift implicitly converted to 64 bits (was 64-bit shift intended?)'
---
dlls/ntdll/rtl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dlls/ntdll/rtl.c b/dlls/ntdll/rtl.c
index cf21c98..df9dd8d 100644
--- a/dlls/ntdll/rtl.c
+++ b/dlls/ntdll/rtl.c
@@ -1877,7 +1877,10 @@ static UCHAR *lznt1_decompress_chunk(UCHAR *dst, ULONG dst_size, UCHAR *src, ULO
/* find length / displacement bits */
for (displacement_bits = 12; displacement_bits > 4; displacement_bits--)
- if ((1 << (displacement_bits - 1)) < dst_cur - dst) break;
+ {
+ if (((SIZE_T)1 << (displacement_bits - 1)) < dst_cur - dst)
+ break;
+ }
length_bits = 16 - displacement_bits;
code_length = (code & ((1 << length_bits) - 1)) + 3;
--
2.10.0.windows.1
2
2
[PATCH 1/5] kerberos: Move support for SpAcquireCredentialsHandle/SpFreeCredentialsHandle to a new Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/Makefile.in | 3 +-
dlls/kerberos/krb5_ap.c | 189 ++++++------------
dlls/kerberos/unixlib.c | 399 ++++++++++++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 26 +++
4 files changed, 488 insertions(+), 129 deletions(-)
create mode 100644 dlls/kerberos/unixlib.c
create mode 100644 dlls/kerberos/unixlib.h
diff --git a/dlls/kerberos/Makefile.in b/dlls/kerberos/Makefile.in
index f67ba567fb0..ab5e6b59976 100644
--- a/dlls/kerberos/Makefile.in
+++ b/dlls/kerberos/Makefile.in
@@ -2,4 +2,5 @@ MODULE = kerberos.dll
EXTRAINCL = $(KRB5_CFLAGS) $(GSSAPI_CFLAGS)
C_SRCS = \
- krb5_ap.c
+ krb5_ap.c \
+ unixlib.c
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 44d6b86e019..08265beeceb 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -46,9 +46,14 @@
#include "wine/heap.h"
#include "wine/debug.h"
#include "wine/unicode.h"
+#include "unixlib.h"
WINE_DEFAULT_DEBUG_CHANNEL(kerberos);
+static HINSTANCE instance;
+
+const struct krb5_funcs *krb5_funcs = NULL;
+
#define KERBEROS_MAX_BUF 12000
#define KERBEROS_CAPS \
@@ -840,8 +845,19 @@ static int get_buffer_index( SecBufferDesc *desc, DWORD type )
}
return -1;
}
+#endif /* SONAME_LIBGSSAPI_KRB5 */
-static char *get_user_at_domain( const WCHAR *user, ULONG user_len, const WCHAR *domain, ULONG domain_len )
+static char *get_str_unixcp( const UNICODE_STRING *str )
+{
+ char *ret;
+ int len = WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
+ if (!(ret = heap_alloc( len + 1 ))) return NULL;
+ WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), ret, len, NULL, NULL );
+ ret[len] = 0;
+ return ret;
+}
+
+static char *get_username_unixcp( const WCHAR *user, ULONG user_len, const WCHAR *domain, ULONG domain_len )
{
int len_user, len_domain;
char *ret;
@@ -857,7 +873,7 @@ static char *get_user_at_domain( const WCHAR *user, ULONG user_len, const WCHAR
return ret;
}
-static char *get_password( const WCHAR *passwd, ULONG passwd_len )
+static char *get_password_unixcp( const WCHAR *passwd, ULONG passwd_len )
{
int len;
char *ret;
@@ -869,145 +885,44 @@ static char *get_password( const WCHAR *passwd, ULONG passwd_len )
return ret;
}
-static NTSTATUS init_creds( const SEC_WINNT_AUTH_IDENTITY_W *id )
-{
- char *user_at_domain, *password;
- krb5_context ctx;
- krb5_principal principal = NULL;
- krb5_get_init_creds_opt *options = NULL;
- krb5_ccache cache = NULL;
- krb5_creds creds;
- krb5_error_code err;
-
- if (!id) return STATUS_SUCCESS;
- if (id->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI)
- {
- FIXME( "ANSI identity not supported\n" );
- return SEC_E_UNSUPPORTED_FUNCTION;
- }
- if (!(user_at_domain = get_user_at_domain( id->User, id->UserLength, id->Domain, id->DomainLength )))
- {
- return SEC_E_INSUFFICIENT_MEMORY;
- }
- if (!(password = get_password( id->Password, id->PasswordLength )))
- {
- heap_free( user_at_domain );
- return SEC_E_INSUFFICIENT_MEMORY;
- }
-
- if ((err = p_krb5_init_context( &ctx )))
- {
- heap_free( password );
- heap_free( user_at_domain );
- return krb5_error_to_status( err );
- }
- if ((err = p_krb5_parse_name_flags( ctx, user_at_domain, 0, &principal ))) goto done;
- if ((err = p_krb5_cc_default( ctx, &cache ))) goto done;
- if ((err = p_krb5_get_init_creds_opt_alloc( ctx, &options ))) goto done;
- if ((err = p_krb5_get_init_creds_opt_set_out_ccache( ctx, options, cache ))) goto done;
- if ((err = p_krb5_get_init_creds_password( ctx, &creds, principal, password, 0, NULL, 0, NULL, 0 ))) goto done;
- if ((err = p_krb5_cc_initialize( ctx, cache, principal ))) goto done;
- if ((err = p_krb5_cc_store_cred( ctx, cache, &creds ))) goto done;
-
- TRACE( "success\n" );
- p_krb5_free_cred_contents( ctx, &creds );
-
-done:
- if (cache) p_krb5_cc_close( ctx, cache );
- if (principal) p_krb5_free_principal( ctx, principal );
- if (options) p_krb5_get_init_creds_opt_free( ctx, options );
- p_krb5_free_context( ctx );
- heap_free( user_at_domain );
- heap_free( password );
-
- return krb5_error_to_status( err );
-}
-
-static NTSTATUS acquire_credentials_handle( UNICODE_STRING *principal_us, gss_cred_usage_t cred_usage,
- LSA_SEC_HANDLE *credential, TimeStamp *ts_expiry )
-{
- OM_uint32 ret, minor_status, expiry_time;
- gss_name_t principal = GSS_C_NO_NAME;
- gss_cred_id_t cred_handle;
- NTSTATUS status;
-
- if (principal_us && ((status = name_sspi_to_gss( principal_us, &principal )) != SEC_E_OK)) return status;
-
- ret = pgss_acquire_cred( &minor_status, principal, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, cred_usage,
- &cred_handle, NULL, &expiry_time );
- TRACE( "gss_acquire_cred returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE)
- {
- credhandle_gss_to_sspi( cred_handle, credential );
- expirytime_gss_to_sspi( expiry_time, ts_expiry );
- }
-
- if (principal != GSS_C_NO_NAME) pgss_release_name( &minor_status, &principal );
-
- return status_gss_to_sspi( ret );
-}
-#endif /* SONAME_LIBGSSAPI_KRB5 */
-
static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle(
UNICODE_STRING *principal_us, ULONG credential_use, LUID *logon_id, void *auth_data,
- void *get_key_fn, void *get_key_arg, LSA_SEC_HANDLE *credential, TimeStamp *ts_expiry )
+ void *get_key_fn, void *get_key_arg, LSA_SEC_HANDLE *credential, TimeStamp *expiry )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- gss_cred_usage_t cred_usage;
- NTSTATUS status;
+ char *principal = NULL, *username = NULL, *password = NULL;
+ SEC_WINNT_AUTH_IDENTITY_W *id = auth_data;
+ NTSTATUS status = SEC_E_INSUFFICIENT_MEMORY;
TRACE( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us), credential_use,
- logon_id, auth_data, get_key_fn, get_key_arg, credential, ts_expiry );
+ logon_id, auth_data, get_key_fn, get_key_arg, credential, expiry );
- switch (credential_use)
+ if (principal_us && !(principal = get_str_unixcp( principal_us ))) return SEC_E_INSUFFICIENT_MEMORY;
+ if (id)
{
- case SECPKG_CRED_INBOUND:
- cred_usage = GSS_C_ACCEPT;
- break;
-
- case SECPKG_CRED_OUTBOUND:
- if ((status = init_creds( auth_data )) != STATUS_SUCCESS) return status;
- cred_usage = GSS_C_INITIATE;
- break;
-
- case SECPKG_CRED_BOTH:
- cred_usage = GSS_C_BOTH;
- break;
-
- default:
- return SEC_E_UNKNOWN_CREDENTIALS;
+ if (id->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI)
+ {
+ FIXME( "ANSI identity not supported\n" );
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ goto done;
+ }
+ if (!(username = get_username_unixcp( id->User, id->UserLength, id->Domain, id->DomainLength ))) goto done;
+ if (!(password = get_password_unixcp( id->Password, id->PasswordLength ))) goto done;
}
- return acquire_credentials_handle( principal_us, cred_usage, credential, ts_expiry );
-#else
- FIXME( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us), credential_use,
- logon_id, auth_data, get_key_fn, get_key_arg, credential, ts_expiry );
- FIXME( "Wine was built without Kerberos support.\n" );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ status = krb5_funcs->acquire_credentials_handle( principal, credential_use, username, password, credential,
+ expiry );
+done:
+ heap_free( principal );
+ heap_free( username );
+ heap_free( password );
+ return status;
}
static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credential )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status;
- gss_cred_id_t cred_handle;
-
TRACE( "(%lx)\n", credential );
-
if (!credential) return SEC_E_INVALID_HANDLE;
- if (!(cred_handle = credhandle_sspi_to_gss( credential ))) return SEC_E_OK;
-
- ret = pgss_release_cred( &minor_status, &cred_handle );
- TRACE( "gss_release_cred returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx)\n", credential );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return krb5_funcs->free_credentials_handle( credential );
}
static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
@@ -1257,11 +1172,15 @@ static NTSTATUS NTAPI kerberos_SpInitialize(ULONG_PTR package_id, SECPKG_PARAMET
{
TRACE("%lu,%p,%p\n", package_id, params, lsa_function_table);
+ if (!krb5_funcs && __wine_init_unix_lib( instance, DLL_PROCESS_ATTACH, NULL, &krb5_funcs ))
+ {
+ WARN( "no Kerberos support\n" );
+ return STATUS_UNSUCCESSFUL;
+ }
#ifdef SONAME_LIBGSSAPI_KRB5
if (load_gssapi_krb5()) return STATUS_SUCCESS;
#endif
-
- return STATUS_UNSUCCESSFUL;
+ return STATUS_SUCCESS;
}
static NTSTATUS NTAPI kerberos_SpShutdown(void)
@@ -1644,3 +1563,17 @@ NTSTATUS NTAPI SpUserModeInitialize(ULONG lsa_version, PULONG package_version,
return STATUS_SUCCESS;
}
+
+BOOL WINAPI DllMain( HINSTANCE hinst, DWORD reason, void *reserved )
+{
+ switch (reason)
+ {
+ case DLL_PROCESS_ATTACH:
+ instance = hinst;
+ DisableThreadLibraryCalls( hinst );
+ break;
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
new file mode 100644
index 00000000000..ab7191432fe
--- /dev/null
+++ b/dlls/kerberos/unixlib.c
@@ -0,0 +1,399 @@
+/*
+ * Unix interface for libkrb5/libgssapi_krb5
+ *
+ * Copyright 2021 Hans Leidekker for CodeWeavers
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#if 0
+#pragma makedep unix
+#endif
+
+#include "config.h"
+#if defined(SONAME_LIBKRB5) && defined(SONAME_LIBGSSAPI_KRB5)
+#include "wine/port.h"
+
+#include <stdarg.h>
+#ifdef HAVE_KRB5_KRB5_H
+# include <krb5/krb5.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_H
+# include <gssapi/gssapi.h>
+#endif
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+# include <gssapi/gssapi_ext.h>
+#endif
+
+#include "ntstatus.h"
+#define WIN32_NO_STATUS
+#include "windef.h"
+#include "winternl.h"
+#include "winbase.h"
+#include "rpc.h"
+#include "sspi.h"
+#include "ntsecapi.h"
+#include "ntsecpkg.h"
+
+#include "wine/debug.h"
+#include "unixlib.h"
+
+WINE_DEFAULT_DEBUG_CHANNEL(kerberos);
+WINE_DECLARE_DEBUG_CHANNEL(winediag);
+
+static void *libkrb5_handle;
+
+#define MAKE_FUNCPTR(f) static typeof(f) * p_##f
+MAKE_FUNCPTR( krb5_cc_close );
+MAKE_FUNCPTR( krb5_cc_default );
+MAKE_FUNCPTR( krb5_cc_end_seq_get );
+MAKE_FUNCPTR( krb5_cc_initialize );
+MAKE_FUNCPTR( krb5_cc_next_cred );
+MAKE_FUNCPTR( krb5_cc_start_seq_get );
+MAKE_FUNCPTR( krb5_cc_store_cred );
+MAKE_FUNCPTR( krb5_cccol_cursor_free );
+MAKE_FUNCPTR( krb5_cccol_cursor_new );
+MAKE_FUNCPTR( krb5_cccol_cursor_next );
+MAKE_FUNCPTR( krb5_decode_ticket );
+MAKE_FUNCPTR( krb5_free_context );
+MAKE_FUNCPTR( krb5_free_cred_contents );
+MAKE_FUNCPTR( krb5_free_principal );
+MAKE_FUNCPTR( krb5_free_ticket );
+MAKE_FUNCPTR( krb5_free_unparsed_name );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_alloc );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_free );
+MAKE_FUNCPTR( krb5_get_init_creds_opt_set_out_ccache );
+MAKE_FUNCPTR( krb5_get_init_creds_password );
+MAKE_FUNCPTR( krb5_init_context );
+MAKE_FUNCPTR( krb5_is_config_principal );
+MAKE_FUNCPTR( krb5_parse_name_flags );
+MAKE_FUNCPTR( krb5_unparse_name_flags );
+#undef MAKE_FUNCPTR
+
+static BOOL load_krb5(void)
+{
+ if (!(libkrb5_handle = dlopen( SONAME_LIBKRB5, RTLD_NOW )))
+ {
+ WARN_(winediag)( "failed to load %s, Kerberos support will be disabled\n", SONAME_LIBKRB5 );
+ return FALSE;
+ }
+
+#define LOAD_FUNCPTR(f) \
+ if (!(p_##f = dlsym( libkrb5_handle, #f ))) \
+ { \
+ ERR( "failed to load %s\n", #f ); \
+ goto fail; \
+ }
+
+ LOAD_FUNCPTR( krb5_cc_close )
+ LOAD_FUNCPTR( krb5_cc_default )
+ LOAD_FUNCPTR( krb5_cc_end_seq_get )
+ LOAD_FUNCPTR( krb5_cc_initialize )
+ LOAD_FUNCPTR( krb5_cc_next_cred )
+ LOAD_FUNCPTR( krb5_cc_start_seq_get )
+ LOAD_FUNCPTR( krb5_cc_store_cred )
+ LOAD_FUNCPTR( krb5_cccol_cursor_free )
+ LOAD_FUNCPTR( krb5_cccol_cursor_new )
+ LOAD_FUNCPTR( krb5_cccol_cursor_next )
+ LOAD_FUNCPTR( krb5_decode_ticket )
+ LOAD_FUNCPTR( krb5_free_context )
+ LOAD_FUNCPTR( krb5_free_cred_contents )
+ LOAD_FUNCPTR( krb5_free_principal )
+ LOAD_FUNCPTR( krb5_free_ticket )
+ LOAD_FUNCPTR( krb5_free_unparsed_name )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_alloc )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_free )
+ LOAD_FUNCPTR( krb5_get_init_creds_opt_set_out_ccache )
+ LOAD_FUNCPTR( krb5_get_init_creds_password )
+ LOAD_FUNCPTR( krb5_init_context )
+ LOAD_FUNCPTR( krb5_is_config_principal )
+ LOAD_FUNCPTR( krb5_parse_name_flags )
+ LOAD_FUNCPTR( krb5_unparse_name_flags )
+#undef LOAD_FUNCPTR
+ return TRUE;
+
+fail:
+ dlclose( libkrb5_handle );
+ libkrb5_handle = NULL;
+ return FALSE;
+}
+
+static void unload_krb5(void)
+{
+ dlclose( libkrb5_handle );
+ libkrb5_handle = NULL;
+}
+
+static NTSTATUS krb5_error_to_status( krb5_error_code err )
+{
+ switch (err)
+ {
+ case 0: return STATUS_SUCCESS;
+ default: return STATUS_UNSUCCESSFUL; /* FIXME */
+ }
+}
+
+static void *libgssapi_krb5_handle;
+
+#define MAKE_FUNCPTR(f) static typeof(f) * p##f
+MAKE_FUNCPTR( gss_accept_sec_context );
+MAKE_FUNCPTR( gss_acquire_cred );
+MAKE_FUNCPTR( gss_delete_sec_context );
+MAKE_FUNCPTR( gss_display_status );
+MAKE_FUNCPTR( gss_get_mic );
+MAKE_FUNCPTR( gss_import_name );
+MAKE_FUNCPTR( gss_init_sec_context );
+MAKE_FUNCPTR( gss_inquire_context );
+MAKE_FUNCPTR( gss_release_buffer );
+MAKE_FUNCPTR( gss_release_cred );
+MAKE_FUNCPTR( gss_release_iov_buffer );
+MAKE_FUNCPTR( gss_release_name );
+MAKE_FUNCPTR( gss_unwrap );
+MAKE_FUNCPTR( gss_unwrap_iov );
+MAKE_FUNCPTR( gss_verify_mic );
+MAKE_FUNCPTR( gss_wrap );
+MAKE_FUNCPTR( gss_wrap_iov );
+#undef MAKE_FUNCPTR
+
+static BOOL load_gssapi_krb5(void)
+{
+ if (!(libgssapi_krb5_handle = dlopen( SONAME_LIBGSSAPI_KRB5, RTLD_NOW )))
+ {
+ WARN_(winediag)( "failed to load %s, Kerberos support will be disabled\n", SONAME_LIBGSSAPI_KRB5 );
+ return FALSE;
+ }
+
+#define LOAD_FUNCPTR(f) \
+ if (!(p##f = dlsym( libgssapi_krb5_handle, #f ))) \
+ { \
+ ERR( "failed to load %s\n", #f ); \
+ goto fail; \
+ }
+
+ LOAD_FUNCPTR( gss_accept_sec_context)
+ LOAD_FUNCPTR( gss_acquire_cred)
+ LOAD_FUNCPTR( gss_delete_sec_context)
+ LOAD_FUNCPTR( gss_display_status)
+ LOAD_FUNCPTR( gss_get_mic)
+ LOAD_FUNCPTR( gss_import_name)
+ LOAD_FUNCPTR( gss_init_sec_context)
+ LOAD_FUNCPTR( gss_inquire_context)
+ LOAD_FUNCPTR( gss_release_buffer)
+ LOAD_FUNCPTR( gss_release_cred)
+ LOAD_FUNCPTR( gss_release_iov_buffer)
+ LOAD_FUNCPTR( gss_release_name)
+ LOAD_FUNCPTR( gss_unwrap)
+ LOAD_FUNCPTR( gss_unwrap_iov)
+ LOAD_FUNCPTR( gss_verify_mic)
+ LOAD_FUNCPTR( gss_wrap )
+ LOAD_FUNCPTR( gss_wrap_iov )
+#undef LOAD_FUNCPTR
+ return TRUE;
+
+fail:
+ dlclose( libgssapi_krb5_handle );
+ libgssapi_krb5_handle = NULL;
+ return FALSE;
+}
+
+static NTSTATUS status_gss_to_sspi( OM_uint32 status )
+{
+ switch (status)
+ {
+ case GSS_S_COMPLETE: return SEC_E_OK;
+ case GSS_S_BAD_MECH: return SEC_E_SECPKG_NOT_FOUND;
+ case GSS_S_BAD_SIG: return SEC_E_MESSAGE_ALTERED;
+ case GSS_S_NO_CRED: return SEC_E_NO_CREDENTIALS;
+ case GSS_S_NO_CONTEXT: return SEC_E_INVALID_HANDLE;
+ case GSS_S_DEFECTIVE_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_DEFECTIVE_CREDENTIAL: return SEC_E_NO_CREDENTIALS;
+ case GSS_S_CREDENTIALS_EXPIRED: return SEC_E_CONTEXT_EXPIRED;
+ case GSS_S_CONTEXT_EXPIRED: return SEC_E_CONTEXT_EXPIRED;
+ case GSS_S_BAD_QOP: return SEC_E_QOP_NOT_SUPPORTED;
+ case GSS_S_CONTINUE_NEEDED: return SEC_I_CONTINUE_NEEDED;
+ case GSS_S_DUPLICATE_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_OLD_TOKEN: return SEC_E_INVALID_TOKEN;
+ case GSS_S_UNSEQ_TOKEN: return SEC_E_OUT_OF_SEQUENCE;
+ case GSS_S_GAP_TOKEN: return SEC_E_OUT_OF_SEQUENCE;
+ case GSS_S_FAILURE: return SEC_E_INTERNAL_ERROR;
+
+ default:
+ FIXME( "couldn't convert status 0x%08x to NTSTATUS\n", status );
+ return SEC_E_INTERNAL_ERROR;
+ }
+}
+
+static void trace_gss_status_ex( OM_uint32 code, int type )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc buf;
+ OM_uint32 msg_ctx = 0;
+
+ for (;;)
+ {
+ ret = pgss_display_status( &minor_status, code, type, GSS_C_NULL_OID, &msg_ctx, &buf );
+ if (GSS_ERROR( ret ))
+ {
+ TRACE( "gss_display_status(0x%08x,%d) returned %08x minor status %08x\n", code, type, ret, minor_status );
+ return;
+ }
+ TRACE( "GSS-API error: 0x%08x: %s\n", code, debugstr_an(buf.value, buf.length) );
+ pgss_release_buffer( &minor_status, &buf );
+ if (!msg_ctx) return;
+ }
+}
+
+static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
+{
+ if (TRACE_ON(kerberos))
+ {
+ trace_gss_status_ex( major_status, GSS_C_GSS_CODE );
+ trace_gss_status_ex( minor_status, GSS_C_MECH_CODE );
+ }
+}
+
+static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
+{
+ return (gss_cred_id_t)handle;
+}
+
+static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred )
+{
+ *cred = (LSA_SEC_HANDLE)handle;
+}
+
+static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
+{
+ LARGE_INTEGER time;
+
+ NtQuerySystemTime( &time );
+ RtlSystemTimeToLocalTime( &time, &time );
+ timestamp->LowPart = time.QuadPart;
+ timestamp->HighPart = time.QuadPart >> 32;
+}
+
+static NTSTATUS init_creds( const char *user_at_domain, const char *password )
+{
+ krb5_context ctx;
+ krb5_principal principal = NULL;
+ krb5_get_init_creds_opt *options = NULL;
+ krb5_ccache cache = NULL;
+ krb5_creds creds;
+ krb5_error_code err;
+
+ if (!user_at_domain) return STATUS_SUCCESS;
+ if ((err = p_krb5_init_context( &ctx ))) return krb5_error_to_status( err );
+ if ((err = p_krb5_parse_name_flags( ctx, user_at_domain, 0, &principal ))) goto done;
+ if ((err = p_krb5_cc_default( ctx, &cache ))) goto done;
+ if ((err = p_krb5_get_init_creds_opt_alloc( ctx, &options ))) goto done;
+ if ((err = p_krb5_get_init_creds_opt_set_out_ccache( ctx, options, cache ))) goto done;
+ if ((err = p_krb5_get_init_creds_password( ctx, &creds, principal, password, 0, NULL, 0, NULL, 0 ))) goto done;
+ if ((err = p_krb5_cc_initialize( ctx, cache, principal ))) goto done;
+ if ((err = p_krb5_cc_store_cred( ctx, cache, &creds ))) goto done;
+
+ TRACE( "success\n" );
+ p_krb5_free_cred_contents( ctx, &creds );
+
+done:
+ if (cache) p_krb5_cc_close( ctx, cache );
+ if (principal) p_krb5_free_principal( ctx, principal );
+ if (options) p_krb5_get_init_creds_opt_free( ctx, options );
+ p_krb5_free_context( ctx );
+ return krb5_error_to_status( err );
+}
+
+static NTSTATUS import_name( const char *src, gss_name_t *dst )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc buf;
+
+ buf.length = strlen( src );
+ buf.value = (void *)src;
+ ret = pgss_import_name( &minor_status, &buf, GSS_C_NO_OID, dst );
+ TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ return status_gss_to_sspi( ret );
+}
+
+static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG credential_use, const char *username,
+ const char *password, LSA_SEC_HANDLE *credential, TimeStamp *expiry )
+{
+ OM_uint32 ret, minor_status, expiry_time;
+ gss_name_t name = GSS_C_NO_NAME;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t cred_handle;
+ NTSTATUS status;
+
+ switch (credential_use)
+ {
+ case SECPKG_CRED_INBOUND:
+ cred_usage = GSS_C_ACCEPT;
+ break;
+
+ case SECPKG_CRED_OUTBOUND:
+ if ((status = init_creds( username, password )) != STATUS_SUCCESS) return status;
+ cred_usage = GSS_C_INITIATE;
+ break;
+
+ default:
+ FIXME( "SECPKG_CRED_BOTH not supported\n" );
+ return SEC_E_UNKNOWN_CREDENTIALS;
+ }
+
+ if (principal && (status = import_name( principal, &name ))) return status;
+
+ ret = pgss_acquire_cred( &minor_status, name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, cred_usage, &cred_handle,
+ NULL, &expiry_time );
+ TRACE( "gss_acquire_cred returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE)
+ {
+ credhandle_gss_to_sspi( cred_handle, credential );
+ expirytime_gss_to_sspi( expiry_time, expiry );
+ }
+
+ if (name != GSS_C_NO_NAME) pgss_release_name( &minor_status, &name );
+ return status_gss_to_sspi( ret );
+}
+
+static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
+{
+ OM_uint32 ret, minor_status;
+ gss_cred_id_t cred = credhandle_sspi_to_gss( handle );
+
+ ret = pgss_release_cred( &minor_status, &cred );
+ TRACE( "gss_release_cred returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ return status_gss_to_sspi( ret );
+}
+
+static const struct krb5_funcs funcs =
+{
+ acquire_credentials_handle,
+ free_credentials_handle,
+};
+
+NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
+{
+ if (reason != DLL_PROCESS_ATTACH) return STATUS_SUCCESS;
+ if (load_krb5() && load_gssapi_krb5())
+ {
+ *(const struct krb5_funcs **)ptr_out = &funcs;
+ return STATUS_SUCCESS;
+ }
+ if (libkrb5_handle) unload_krb5();
+ return STATUS_DLL_NOT_FOUND;
+}
+#endif /* defined(SONAME_LIBKRB5) && defined(SONAME_LIBGSSAPI_KRB5) */
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
new file mode 100644
index 00000000000..ecf05b80aba
--- /dev/null
+++ b/dlls/kerberos/unixlib.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2021 Hans Leidekker for CodeWeavers
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+struct krb5_funcs
+{
+ NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
+ TimeStamp *);
+ NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
+};
+
+extern const struct krb5_funcs *krb5_funcs;
--
2.30.2
2
1
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/wldap32/option.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/dlls/wldap32/option.c b/dlls/wldap32/option.c
index 1037b73174b..0f3d10e1204 100644
--- a/dlls/wldap32/option.c
+++ b/dlls/wldap32/option.c
@@ -368,9 +368,10 @@ static BOOL query_supported_server_ctrls( LDAP *ld )
{
char *attrs[] = { (char *)"supportedControl", NULL };
void *res, *entry;
+ struct bervalU **ctrls = SERVER_CTRLS(ld);
ULONG ret;
- if (SERVER_CTRLS(ld)) return TRUE;
+ if (ctrls) return TRUE;
ret = map_error( ldap_funcs->fn_ldap_search_ext_s( CTX(ld), (char *)"", LDAP_SCOPE_BASE, (char *)"(objectClass=*)",
attrs, FALSE, NULL, NULL, NULL, 0, &res ) );
@@ -380,17 +381,14 @@ static BOOL query_supported_server_ctrls( LDAP *ld )
if (entry)
{
ULONG count, i;
- struct bervalU **ctrls = SERVER_CTRLS(ld);
-
- *(struct bervalU ***)&SERVER_CTRLS(ld) = ldap_funcs->fn_ldap_get_values_len( CTX(ld), entry, attrs[0] );
- count = ldap_funcs->fn_ldap_count_values_len( SERVER_CTRLS(ld) );
- for (i = 0; i < count; i++)
- TRACE("%u: %s\n", i, debugstr_an( ctrls[i]->bv_val, ctrls[i]->bv_len ));
+ ctrls = ldap_funcs->fn_ldap_get_values_len( CTX(ld), entry, attrs[0] );
+ count = ldap_funcs->fn_ldap_count_values_len( ctrls );
+ for (i = 0; i < count; i++) TRACE("%u: %s\n", i, debugstr_an( ctrls[i]->bv_val, ctrls[i]->bv_len ));
+ *(struct bervalU ***)&SERVER_CTRLS(ld) = ctrls;
}
ldap_funcs->fn_ldap_msgfree( res );
-
- return SERVER_CTRLS(ld) != NULL;
+ return ctrls != NULL;
}
static BOOL is_supported_server_ctrls( LDAP *ld, LDAPControlU **ctrls )
--
2.30.2
2
1
[PATCH 5/5] kerberos: Move support for SpVerifySignature to the Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/krb5_ap.c | 27 +--------------------------
dlls/kerberos/unixlib.c | 24 ++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 1 +
3 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 998a1cd7636..faeabfb07c9 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -1075,36 +1075,11 @@ static NTSTATUS SEC_ENTRY kerberos_SpMakeSignature( LSA_SEC_HANDLE context, ULON
static NTSTATUS NTAPI kerberos_SpVerifySignature( LSA_SEC_HANDLE context, SecBufferDesc *message,
ULONG message_seq_no, ULONG *quality_of_protection )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status;
- gss_buffer_desc data_buffer, token_buffer;
- gss_ctx_id_t ctxt_handle;
- int data_idx, token_idx;
-
TRACE( "(%lx %p %u %p)\n", context, message, message_seq_no, quality_of_protection );
if (message_seq_no) FIXME( "ignoring message_seq_no %u\n", message_seq_no );
if (!context) return SEC_E_INVALID_HANDLE;
- ctxt_handle = ctxthandle_sspi_to_gss( context );
-
- if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
- data_buffer.length = message->pBuffers[data_idx].cbBuffer;
- data_buffer.value = message->pBuffers[data_idx].pvBuffer;
-
- if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- token_buffer.length = message->pBuffers[token_idx].cbBuffer;
- token_buffer.value = message->pBuffers[token_idx].pvBuffer;
-
- ret = pgss_verify_mic( &minor_status, ctxt_handle, &data_buffer, &token_buffer, NULL );
- TRACE( "gss_verify_mic returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE && quality_of_protection) *quality_of_protection = 0;
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx %p %u %p)\n", context, message, message_seq_no, quality_of_protection );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return krb5_funcs->verify_signature( context, message, quality_of_protection );
}
#ifdef SONAME_LIBGSSAPI_KRB5
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index a598ed76fe4..13d24d26263 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -584,6 +584,29 @@ static NTSTATUS CDECL make_signature( LSA_SEC_HANDLE context, SecBufferDesc *msg
return status_gss_to_sspi( ret );
}
+static NTSTATUS CDECL verify_signature( LSA_SEC_HANDLE context, SecBufferDesc *msg, ULONG *qop )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc data_buffer, token_buffer;
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+ int data_idx, token_idx;
+
+ if ((data_idx = get_buffer_index( msg, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
+ data_buffer.length = msg->pBuffers[data_idx].cbBuffer;
+ data_buffer.value = msg->pBuffers[data_idx].pvBuffer;
+
+ if ((token_idx = get_buffer_index( msg, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ token_buffer.length = msg->pBuffers[token_idx].cbBuffer;
+ token_buffer.value = msg->pBuffers[token_idx].pvBuffer;
+
+ ret = pgss_verify_mic( &minor_status, ctx_handle, &data_buffer, &token_buffer, NULL );
+ TRACE( "gss_verify_mic returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE && qop) *qop = 0;
+
+ return status_gss_to_sspi( ret );
+}
+
static const struct krb5_funcs funcs =
{
accept_context,
@@ -592,6 +615,7 @@ static const struct krb5_funcs funcs =
free_credentials_handle,
initialize_context,
make_signature,
+ verify_signature,
};
NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index cf30c0afbf1..969cc497ed1 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -27,6 +27,7 @@ struct krb5_funcs
NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *,
LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *);
NTSTATUS (CDECL *make_signature)(LSA_SEC_HANDLE, SecBufferDesc *);
+ NTSTATUS (CDECL *verify_signature)(LSA_SEC_HANDLE, SecBufferDesc *, ULONG *);
};
extern const struct krb5_funcs *krb5_funcs;
--
2.30.2
1
0
[PATCH 4/5] kerberos: Move support for SpMakeSignature to the Unix library.
by Hans Leidekker April 20, 2021
by Hans Leidekker April 20, 2021
April 20, 2021
Signed-off-by: Hans Leidekker <hans(a)codeweavers.com>
---
dlls/kerberos/krb5_ap.c | 35 +----------------------------------
dlls/kerberos/unixlib.c | 30 ++++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 1 +
3 files changed, 32 insertions(+), 34 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 176546d9e1d..998a1cd7636 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -1052,57 +1052,24 @@ NTSTATUS NTAPI SpLsaModeInitialize(ULONG lsa_version, PULONG package_version,
*package_version = SECPKG_INTERFACE_VERSION;
*table = &kerberos_table;
*table_count = 1;
-
return STATUS_SUCCESS;
}
static NTSTATUS NTAPI kerberos_SpInstanceInit(ULONG version, SECPKG_DLL_FUNCTIONS *dll_function_table, void **user_functions)
{
TRACE("%#x,%p,%p\n", version, dll_function_table, user_functions);
-
return STATUS_SUCCESS;
}
static NTSTATUS SEC_ENTRY kerberos_SpMakeSignature( LSA_SEC_HANDLE context, ULONG quality_of_protection,
SecBufferDesc *message, ULONG message_seq_no )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status;
- gss_buffer_desc data_buffer, token_buffer;
- gss_ctx_id_t ctxt_handle;
- int data_idx, token_idx;
-
TRACE( "(%lx 0x%08x %p %u)\n", context, quality_of_protection, message, message_seq_no );
if (quality_of_protection) FIXME( "ignoring quality_of_protection 0x%08x\n", quality_of_protection );
if (message_seq_no) FIXME( "ignoring message_seq_no %u\n", message_seq_no );
if (!context) return SEC_E_INVALID_HANDLE;
- ctxt_handle = ctxthandle_sspi_to_gss( context );
-
- /* FIXME: multiple data buffers, read-only buffers */
- if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
- data_buffer.length = message->pBuffers[data_idx].cbBuffer;
- data_buffer.value = message->pBuffers[data_idx].pvBuffer;
-
- if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- token_buffer.length = 0;
- token_buffer.value = NULL;
-
- ret = pgss_get_mic( &minor_status, ctxt_handle, GSS_C_QOP_DEFAULT, &data_buffer, &token_buffer );
- TRACE( "gss_get_mic returned %08x minor status %08x\n", ret, minor_status );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE)
- {
- memcpy( message->pBuffers[token_idx].pvBuffer, token_buffer.value, token_buffer.length );
- message->pBuffers[token_idx].cbBuffer = token_buffer.length;
- pgss_release_buffer( &minor_status, &token_buffer );
- }
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx 0x%08x %p %u)\n", context, quality_of_protection, message, message_seq_no );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return krb5_funcs->make_signature( context, message );
}
static NTSTATUS NTAPI kerberos_SpVerifySignature( LSA_SEC_HANDLE context, SecBufferDesc *message,
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 03241476d41..a598ed76fe4 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -555,6 +555,35 @@ static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HAN
return status_gss_to_sspi( ret );
}
+static NTSTATUS CDECL make_signature( LSA_SEC_HANDLE context, SecBufferDesc *msg )
+{
+ OM_uint32 ret, minor_status;
+ gss_buffer_desc data_buffer, token_buffer;
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+ int data_idx, token_idx;
+
+ /* FIXME: multiple data buffers, read-only buffers */
+ if ((data_idx = get_buffer_index( msg, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
+ data_buffer.length = msg->pBuffers[data_idx].cbBuffer;
+ data_buffer.value = msg->pBuffers[data_idx].pvBuffer;
+
+ if ((token_idx = get_buffer_index( msg, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ token_buffer.length = 0;
+ token_buffer.value = NULL;
+
+ ret = pgss_get_mic( &minor_status, ctx_handle, GSS_C_QOP_DEFAULT, &data_buffer, &token_buffer );
+ TRACE( "gss_get_mic returned %08x minor status %08x\n", ret, minor_status );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE)
+ {
+ memcpy( msg->pBuffers[token_idx].pvBuffer, token_buffer.value, token_buffer.length );
+ msg->pBuffers[token_idx].cbBuffer = token_buffer.length;
+ pgss_release_buffer( &minor_status, &token_buffer );
+ }
+
+ return status_gss_to_sspi( ret );
+}
+
static const struct krb5_funcs funcs =
{
accept_context,
@@ -562,6 +591,7 @@ static const struct krb5_funcs funcs =
delete_context,
free_credentials_handle,
initialize_context,
+ make_signature,
};
NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index cf5cf6bd104..cf30c0afbf1 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -26,6 +26,7 @@ struct krb5_funcs
NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *,
LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *);
+ NTSTATUS (CDECL *make_signature)(LSA_SEC_HANDLE, SecBufferDesc *);
};
extern const struct krb5_funcs *krb5_funcs;
--
2.30.2
1
0