[PATCH v3 1/1] kerberos: Add support for SECBUFFER_STREAM to SpUnsealMessage().

26 May 2025

From: Dmitry Timoshkov dmitry@baikal.ru
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru
---
 dlls/kerberos/krb5_ap.c | 28 ++++++++++++++++++++++++----
 dlls/kerberos/unixlib.c | 34 +++++++++++++++++++++++-----------
 dlls/kerberos/unixlib.h |  2 ++
 3 files changed, 49 insertions(+), 15 deletions(-)

diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index 5a5878faf02..f191ef57363 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -867,16 +867,36 @@ static NTSTATUS NTAPI kerberos_SpUnsealMessage( LSA_SEC_HANDLE context, SecBuffe
     {
         struct context_handle *context_handle = (void *)context;
         struct unseal_message_params params;
-        int data_idx, token_idx;
+        int stream_idx, data_idx, token_idx;
+        if ((stream_idx = get_buffer_index( message, SECBUFFER_STREAM )) == -1 &&
+            (token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
         if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
-        if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
params.context = context_handle->handle;
+
+        if (stream_idx == -1)
+        {
+            params.stream_length = 0;
+            params.stream = NULL;
+            params.token_length = message->pBuffers[token_idx].cbBuffer;
+            params.token = message->pBuffers[token_idx].pvBuffer;
+        }
+        else
+        {
+            if (!message->pBuffers[data_idx].pvBuffer)
+            {
+                message->pBuffers[data_idx].pvBuffer = RtlAllocateHeap( GetProcessHeap(), 0, KERBEROS_MAX_BUF );
+                if (!message->pBuffers[data_idx].pvBuffer) return STATUS_NO_MEMORY;
+                message->pBuffers[data_idx].cbBuffer = KERBEROS_MAX_BUF;
+            }
+            params.stream_length = message->pBuffers[stream_idx].cbBuffer;
+            params.stream = message->pBuffers[stream_idx].pvBuffer;
+            params.token_length = 0;
+            params.token = NULL;
+        }
         params.data_length = message->pBuffers[data_idx].cbBuffer;
         params.data = message->pBuffers[data_idx].pvBuffer;
-        params.token_length = message->pBuffers[token_idx].cbBuffer;
-        params.token = message->pBuffers[token_idx].pvBuffer;
         params.qop = quality_of_protection;
return KRB5_CALL( unseal_message, &params );
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 93acecc1567..788fa110048 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -1012,25 +1012,33 @@ static NTSTATUS unseal_message_no_vector( gss_ctx_id_t ctx, const struct unseal_
 {
     gss_buffer_desc input, output;
     OM_uint32 ret, minor_status;
-    DWORD len_data, len_token;
     int conf_state;
-    len_data = params->data_length;
-    len_token = params->token_length;
-
-    input.length = len_data + len_token;
-    if (!(input.value = malloc( input.length ))) return SEC_E_INSUFFICIENT_MEMORY;
-    memcpy( input.value, params->data, len_data );
-    memcpy( (char *)input.value + len_data, params->token, len_token );
+    if (params->stream_length)
+    {
+        input.length = params->stream_length;
+        input.value = params->stream;
+    }
+    else
+    {
+        DWORD len_data, len_token;
+
+        len_data = params->data_length;
+        len_token = params->token_length;
+        input.length = len_data + len_token;
+        if (!(input.value = malloc( input.length ))) return SEC_E_INSUFFICIENT_MEMORY;
+        memcpy( input.value, params->data, len_data );
+        memcpy( (char *)input.value + len_data, params->token, len_token );
+    }
ret = pgss_unwrap( &minor_status, ctx, &input, &output, &conf_state, NULL );
-    free( input.value );
+    if (input.value != params->stream) free( input.value );
     TRACE( "gss_unwrap returned %#x minor status %#x\n", ret, minor_status );
     if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
     if (ret == GSS_S_COMPLETE)
     {
         if (params->qop) *params->qop = (conf_state ? 0 : SECQOP_WRAP_NO_ENCRYPT);
-        memcpy( params->data, output.value, len_data );
+        memcpy( params->data, output.value, output.length );
         pgss_release_buffer( &minor_status, &output );
     }
@@ -1042,7 +1050,11 @@ static NTSTATUS unseal_message( void *args )
     struct unseal_message_params *params = args;
     gss_ctx_id_t ctx = ctxhandle_sspi_to_gss( params->context );
-    if (is_dce_style_context( ctx )) return unseal_message_vector( ctx, params );
+    if (is_dce_style_context( ctx ))
+    {
+        if (params->stream_length) return SEC_E_INVALID_HANDLE;
+        return unseal_message_vector( ctx, params );
+    }
     return unseal_message_no_vector( ctx, params );
 }
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index 87516859991..1599d7de4f8 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -106,6 +106,8 @@ struct seal_message_params
 struct unseal_message_params
 {
     UINT64 context;
+    BYTE *stream;
+    ULONG stream_length;
     BYTE *data;
     ULONG data_length;
     BYTE *token;
-- 
GitLab

https://gitlab.winehq.org/wine/wine/-/merge_requests/8116

    

2025

2024

2023

2022

[PATCH v3 1/1] kerberos: Add support for SECBUFFER_STREAM to SpUnsealMessage().