Signed-off-by: Hans Leidekker hans@codeweavers.com --- dlls/kerberos/krb5_ap.c | 135 ++++------------------------------------ dlls/kerberos/unixlib.c | 116 ++++++++++++++++++++++++++++++++++ dlls/kerberos/unixlib.h | 3 + 3 files changed, 130 insertions(+), 124 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c index 08265beeceb..b1fe036a071 100644 --- a/dlls/kerberos/krb5_ap.c +++ b/dlls/kerberos/krb5_ap.c @@ -765,54 +765,6 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp ) timestamp->HighPart = tmp.QuadPart >> 32; }
-static NTSTATUS name_sspi_to_gss( const UNICODE_STRING *name_str, gss_name_t *name ) -{ - OM_uint32 ret, minor_status; - gss_OID type = GSS_C_NO_OID; /* FIXME: detect the appropriate value for this ourselves? */ - gss_buffer_desc buf; - - buf.length = WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL ); - if (!(buf.value = heap_alloc( buf.length ))) return SEC_E_INSUFFICIENT_MEMORY; - WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), buf.value, buf.length, NULL, NULL ); - - ret = pgss_import_name( &minor_status, &buf, type, name ); - TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status ); - if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status ); - - heap_free( buf.value ); - return status_gss_to_sspi( ret ); -} - -static ULONG flags_isc_req_to_gss( ULONG flags ) -{ - ULONG ret = 0; - if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG; - if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG; - if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG; - if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG; - if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG; - if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG; - if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG; - if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE; - if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG; - return ret; -} - -static ULONG flags_gss_to_isc_ret( ULONG flags ) -{ - ULONG ret = 0; - if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE; - if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH; - if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT; - if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT; - if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY; - if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY; - if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION; - if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE; - if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY; - return ret; -} - static ULONG flags_gss_to_asc_ret( ULONG flags ) { ULONG ret = 0; @@ -927,80 +879,29 @@ static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credentia
static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input, - LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry, + LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry, BOOLEAN *mapped_context, SecBuffer *context_data ) { -#ifdef SONAME_LIBGSSAPI_KRB5 static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE | ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION; - OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req ); - gss_cred_id_t cred_handle; - gss_ctx_id_t ctxt_handle; - gss_buffer_desc input_token, output_token; - gss_name_t target = GSS_C_NO_NAME; + char *target = NULL; NTSTATUS status; - int idx;
TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name), - context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry, + context_req, target_data_rep, input, new_context, output, context_attr, expiry, mapped_context, context_data ); - if (context_req & ~supported) - FIXME( "flags 0x%08x not supported\n", context_req & ~supported ); + if (context_req & ~supported) FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
if (!context && !input && !credential) return SEC_E_INVALID_HANDLE; - cred_handle = credhandle_sspi_to_gss( credential ); - ctxt_handle = ctxthandle_sspi_to_gss( context ); - - if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0; - else - { - input_token.length = input->pBuffers[idx].cbBuffer; - input_token.value = input->pBuffers[idx].pvBuffer; - } - - if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN; - output_token.length = 0; - output_token.value = NULL; - - if (target_name && ((status = name_sspi_to_gss( target_name, &target )) != SEC_E_OK)) return status; + if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY;
- ret = pgss_init_sec_context( &minor_status, cred_handle, &ctxt_handle, target, GSS_C_NO_OID, req_flags, 0, - GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags, - &expiry_time ); - TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags ); - if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status ); - if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) - { - if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */ - { - TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer ); - pgss_release_buffer( &minor_status, &output_token ); - pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER ); - return SEC_E_INCOMPLETE_MESSAGE; - } - output->pBuffers[idx].cbBuffer = output_token.length; - memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length ); - pgss_release_buffer( &minor_status, &output_token ); - - ctxthandle_gss_to_sspi( ctxt_handle, new_context ); - if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags ); - expirytime_gss_to_sspi( expiry_time, ts_expiry ); - } - - if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target ); - - /* we do support user mode SSP/AP functions */ - *mapped_context = TRUE; + status = krb5_funcs->initialize_context( credential, context, target, context_req, input, new_context, output, + context_attr, expiry ); + if (!status) *mapped_context = TRUE; /* FIXME: initialize context_data */ - - return status_gss_to_sspi( ret ); -#else - FIXME( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name), - context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry, - mapped_context, context_data ); - return SEC_E_UNSUPPORTED_FUNCTION; -#endif + heap_free( target ); + return status; }
static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, @@ -1073,23 +974,9 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential
static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context ) { -#ifdef SONAME_LIBGSSAPI_KRB5 - OM_uint32 ret, minor_status; - gss_ctx_id_t ctxt_handle; - TRACE( "(%lx)\n", context ); if (!context) return SEC_E_INVALID_HANDLE; - if (!(ctxt_handle = ctxthandle_sspi_to_gss( context ))) return SEC_E_OK; - - ret = pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER ); - TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status ); - if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status ); - - return status_gss_to_sspi( ret ); -#else - FIXME( "(%lx)\n", context ); - return SEC_E_UNSUPPORTED_FUNCTION; -#endif + return krb5_funcs->delete_context( context ); }
static SecPkgInfoW *build_package_info( const SecPkgInfoW *info ) diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c index 7b15f00428a..f7579b3fae2 100644 --- a/dlls/kerberos/unixlib.c +++ b/dlls/kerberos/unixlib.c @@ -211,6 +211,17 @@ fail: return FALSE; }
+static int get_buffer_index( SecBufferDesc *desc, DWORD type ) +{ + UINT i; + if (!desc) return -1; + for (i = 0; i < desc->cBuffers; i++) + { + if (desc->pBuffers[i].BufferType == type) return i; + } + return -1; +} + static NTSTATUS status_gss_to_sspi( OM_uint32 status ) { switch (status) @@ -267,11 +278,21 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status ) } }
+static inline gss_ctx_id_t ctxhandle_sspi_to_gss( LSA_SEC_HANDLE handle ) +{ + return (gss_ctx_id_t)handle; +} + static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle ) { return (gss_cred_id_t)handle; }
+static inline void ctxhandle_gss_to_sspi( gss_ctx_id_t handle, LSA_SEC_HANDLE *ctx ) +{ + *ctx = (LSA_SEC_HANDLE)handle; +} + static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred ) { *cred = (LSA_SEC_HANDLE)handle; @@ -371,6 +392,17 @@ static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG c return status_gss_to_sspi( ret ); }
+static NTSTATUS CDECL delete_context( LSA_SEC_HANDLE context ) +{ + OM_uint32 ret, minor_status; + gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context ); + + ret = pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER ); + TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status ); + if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status ); + return status_gss_to_sspi( ret ); +} + static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle ) { OM_uint32 ret, minor_status; @@ -382,10 +414,94 @@ static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle ) return status_gss_to_sspi( ret ); }
+static ULONG flags_isc_req_to_gss( ULONG flags ) +{ + ULONG ret = 0; + if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG; + if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG; + if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG; + if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG; + if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG; + if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG; + if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG; + if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE; + if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG; + return ret; +} + +static ULONG flags_gss_to_isc_ret( ULONG flags ) +{ + ULONG ret = 0; + if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE; + if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH; + if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT; + if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT; + if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY; + if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY; + if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION; + if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE; + if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY; + return ret; +} + +static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, const char *target_name, + ULONG context_req, SecBufferDesc *input, LSA_SEC_HANDLE *new_context, + SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry ) +{ + OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req ); + gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential ); + gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context ); + gss_buffer_desc input_token, output_token; + gss_name_t target = GSS_C_NO_NAME; + NTSTATUS status; + int idx; + + if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0; + else + { + input_token.length = input->pBuffers[idx].cbBuffer; + input_token.value = input->pBuffers[idx].pvBuffer; + } + + if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN; + output_token.length = 0; + output_token.value = NULL; + + if (target_name && (status = import_name( target_name, &target ))) return status; + + ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0, + GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags, + &expiry_time ); + TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags ); + if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status ); + if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) + { + if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */ + { + TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer ); + pgss_release_buffer( &minor_status, &output_token ); + pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER ); + return SEC_E_INCOMPLETE_MESSAGE; + } + output->pBuffers[idx].cbBuffer = output_token.length; + memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length ); + pgss_release_buffer( &minor_status, &output_token ); + + ctxhandle_gss_to_sspi( ctx_handle, new_context ); + if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags ); + expirytime_gss_to_sspi( expiry_time, expiry ); + } + + if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target ); + return status_gss_to_sspi( ret ); +} + static const struct krb5_funcs funcs = { acquire_credentials_handle, + delete_context, free_credentials_handle, + initialize_context, };
NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out ) diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h index 864c321c59d..2f885e920d4 100644 --- a/dlls/kerberos/unixlib.h +++ b/dlls/kerberos/unixlib.h @@ -23,7 +23,10 @@ struct krb5_funcs { NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *, TimeStamp *); + NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE); NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE); + NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *, + LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *); };
extern const struct krb5_funcs *krb5_funcs;