Hans Leidekker : kerberos: Implement SpAcceptLsaModeContext. - wine-commits

24 Jan 2018

Module: wine
Branch: master
Commit: ce3f72ef32186b8e212c1ca14b6aed9d79f074b7
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=ce3f72ef32186b8e212c1ca14...
Author: Hans Leidekker hans@codeweavers.com
Date:   Thu Jan 18 23:51:31 2018 +0800
kerberos: Implement SpAcceptLsaModeContext.
Signed-off-by: Hans Leidekker hans@codeweavers.com
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/kerberos/krb5_ap.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 1 deletion(-)

diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 0821e7c..7f0006d 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -186,6 +186,7 @@ WINE_DECLARE_DEBUG_CHANNEL(winediag);
 static void *libgssapi_krb5_handle;
#define MAKE_FUNCPTR(f) static typeof(f) * p##f
+MAKE_FUNCPTR(gss_accept_sec_context);
 MAKE_FUNCPTR(gss_acquire_cred);
 MAKE_FUNCPTR(gss_delete_sec_context);
 MAKE_FUNCPTR(gss_import_name);
@@ -209,6 +210,7 @@ static BOOL load_gssapi_krb5(void)
         goto fail; \
     }
+    LOAD_FUNCPTR(gss_accept_sec_context)
     LOAD_FUNCPTR(gss_acquire_cred)
     LOAD_FUNCPTR(gss_delete_sec_context)
     LOAD_FUNCPTR(gss_import_name)
@@ -336,6 +338,19 @@ static ULONG flags_gss_to_isc_ret( ULONG flags )
     return ret;
 }
+static ULONG flags_gss_to_asc_ret( ULONG flags )
+{
+    ULONG ret = 0;
+    if (flags & GSS_C_DELEG_FLAG)    ret |= ASC_RET_DELEGATE;
+    if (flags & GSS_C_MUTUAL_FLAG)   ret |= ASC_RET_MUTUAL_AUTH;
+    if (flags & GSS_C_REPLAY_FLAG)   ret |= ASC_RET_REPLAY_DETECT;
+    if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
+    if (flags & GSS_C_CONF_FLAG)     ret |= ASC_RET_CONFIDENTIALITY;
+    if (flags & GSS_C_INTEG_FLAG)    ret |= ASC_RET_INTEGRITY;
+    if (flags & GSS_C_ANON_FLAG)     ret |= ASC_RET_NULL_SESSION;
+    return ret;
+}
+
 static int get_buffer_index( SecBufferDesc *desc, DWORD type )
 {
     UINT i;
@@ -483,6 +498,73 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential,
 #endif
 }
+static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
+    SecBufferDesc *input, ULONG context_req, ULONG target_data_rep, LSA_SEC_HANDLE *new_context,
+    SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
+{
+#ifdef SONAME_LIBGSSAPI_KRB5
+    OM_uint32 ret, minor_status, ret_flags, expiry_time;
+    gss_cred_id_t cred_handle;
+    gss_ctx_id_t ctxt_handle;
+    gss_buffer_desc input_token, output_token;
+    gss_name_t target = GSS_C_NO_NAME;
+    int idx;
+
+    TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
+           target_data_rep, input, new_context, output, context_attr, ts_expiry,
+           mapped_context, context_data );
+    if (context_req) FIXME( "ignoring flags 0x%08x\n", context_req );
+
+    if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
+    cred_handle = credhandle_sspi_to_gss( credential );
+    ctxt_handle = ctxthandle_sspi_to_gss( context );
+
+    if (!input) input_token.length = 0;
+    else
+    {
+        if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+        input_token.length = input->pBuffers[idx].cbBuffer;
+        input_token.value  = input->pBuffers[idx].pvBuffer;
+    }
+
+    if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+    output_token.length = 0;
+    output_token.value  = NULL;
+
+    ret = pgss_accept_sec_context( &minor_status, &ctxt_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
+                                   &target, NULL, &output_token, &ret_flags, &expiry_time, NULL );
+    TRACE( "gss_accept_sec_context returned %08x minor status %08x ctxt_handle %p\n", ret, minor_status, ctxt_handle );
+    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+    {
+        if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+        {
+            TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
+            pgss_release_buffer( &minor_status, &output_token );
+            pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
+            return SEC_E_BUFFER_TOO_SMALL;
+        }
+        output->pBuffers[idx].cbBuffer = output_token.length;
+        memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+        pgss_release_buffer( &minor_status, &output_token );
+
+        ctxthandle_gss_to_sspi( ctxt_handle, new_context );
+        if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags );
+        expirytime_gss_to_sspi( expiry_time, ts_expiry );
+    }
+
+    /* we do support user mode SSP/AP functions */
+    *mapped_context = TRUE;
+    /* FIXME: initialize context_data */
+
+    return status_gss_to_sspi( ret );
+#else
+    FIXME( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
+           target_data_rep, input, new_context, output, context_attr, ts_expiry,
+           mapped_context, context_data );
+    return SEC_E_UNSUPPORTED_FUNCTION;
+#endif
+}
+
 static NTSTATUS NTAPI kerberos_SpInitialize(ULONG_PTR package_id, SECPKG_PARAMETERS *params,
     LSA_SECPKG_FUNCTION_TABLE *lsa_function_table)
 {
@@ -527,7 +609,7 @@ static SECPKG_FUNCTION_TABLE kerberos_table =
     NULL, /* GetCredentials */
     NULL, /* DeleteCredentials */
     kerberos_SpInitLsaModeContext,
-    NULL, /* AcceptLsaModeContext */
+    kerberos_SpAcceptLsaModeContext,
     NULL, /* DeleteContext */
     NULL, /* ApplyControlToken */
     NULL, /* GetUserInfo */

    