[PATCH v2 0/2] MR8272: kerberos: EncryptMessage() should fail if context doesn't support confidentiality.

List overview All Threads

newer

older

[PATCH 0/2] MR8285: kernelbase:...

[PATCH 0/1] MR8252: nsiproxy.sys:...

Dmitry Timoshkov (＠dmitry)

11 Jun 2025 11 Jun '25

9:17 a.m.

-- v2: kerberos: When requested confidentiality InitializeSecurityContext() should also add integrity. kerberos: EncryptMessage() should fail if context doesn't support confidentiality.

https://gitlab.winehq.org/wine/wine/-/merge_requests/8272

Show replies by date

Dmitry Timoshkov

11 Jun 11 Jun

9:17 a.m.

New subject: [PATCH v2 1/2] kerberos: EncryptMessage() should fail if context doesn't support confidentiality.

From: Dmitry Timoshkov dmitry@baikal.ru

Manual testing shows that EncryptMessage() returns SEC_E_UNSUPPORTED_FUNCTION in that case.

Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru --- dlls/kerberos/unixlib.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c index 51580458811..8a5ddde228c 100644 --- a/dlls/kerberos/unixlib.c +++ b/dlls/kerberos/unixlib.c @@ -459,11 +459,17 @@ fail: return FALSE; }

-static BOOL is_dce_style_context( gss_ctx_id_t ctx ) +static OM_uint32 get_context_flags( gss_ctx_id_t ctx ) { OM_uint32 ret, minor_status, flags; ret = pgss_inquire_context( &minor_status, ctx, NULL, NULL, NULL, NULL, &flags, NULL, NULL ); - return (ret == GSS_S_COMPLETE && (flags & GSS_C_DCE_STYLE)); + return ret == GSS_S_COMPLETE ? flags : 0; +} + +static BOOL is_dce_style_context( gss_ctx_id_t ctx ) +{ + OM_uint32 flags = get_context_flags( ctx ); + return flags & GSS_C_DCE_STYLE; }

static NTSTATUS status_gss_to_sspi( OM_uint32 status ) @@ -971,8 +977,12 @@ static NTSTATUS seal_message( void *args ) { struct seal_message_params *params = args; gss_ctx_id_t ctx = ctxhandle_sspi_to_gss( params->context ); + OM_uint32 flags = get_context_flags( ctx ); + + if (params->qop != SECQOP_WRAP_NO_ENCRYPT && !(flags & GSS_C_CONF_FLAG)) + return SEC_E_UNSUPPORTED_FUNCTION;

- if (is_dce_style_context( ctx )) return seal_message_vector( ctx, params ); + if (flags & GSS_C_DCE_STYLE) return seal_message_vector( ctx, params ); return seal_message_no_vector( ctx, params ); }

-- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/8272

Dmitry Timoshkov

9:17 a.m.

New subject: [PATCH v2 2/2] kerberos: When requested confidentiality InitializeSecurityContext() should also add integrity.

From: Dmitry Timoshkov dmitry@baikal.ru

Manual testing shows that InitializeSecurityContext(ISC_REQ_CONFIDENTIALITY) returns ISC_RET_INTEGRITY in attributes, but not the other way around.

Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru --- dlls/kerberos/unixlib.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c index 8a5ddde228c..159eb6a824e 100644 --- a/dlls/kerberos/unixlib.c +++ b/dlls/kerberos/unixlib.c @@ -757,6 +757,8 @@ static NTSTATUS initialize_context( void *args )

if (params->target_name && (status = import_name( params->target_name, &target ))) return status;

+ if (req_flags & GSS_C_CONF_FLAG) req_flags |= GSS_C_INTEG_FLAG; + ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags, &expiry_time );

-- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/8272

Hans Leidekker (＠hans)

9:52 a.m.

New subject: [PATCH v2 0/2] MR8272: kerberos: EncryptMessage() should fail if context doesn't support confidentiality. - approved

This merge request was approved by Hans Leidekker.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/8272

Age (days ago)

Last active (days ago)

wine-gitlab@winehq.org

3 comments

3 participants

tags (0)

participants (3)

Dmitry Timoshkov
Dmitry Timoshkov (＠dmitry)
Hans Leidekker (＠hans)