From b1c58098ebfc3133789680aba2afa3b069f2565b Mon Sep 17 00:00:00 2001 From: Alexandre Julliard Date: Thu, 4 Nov 2021 17:54:56 +0100 Subject: [PATCH] kerberos: Move timestamp conversion to the PE side. Restore expiry time dropped in 6e9a9d670185f5a18d860602eb23e5a4c0fc1c2e, spotted by Dmitry Timoshkov. Signed-off-by: Alexandre Julliard --- dlls/kerberos/krb5_ap.c | 34 +++++++++++++++++++++++++++++----- dlls/kerberos/unixlib.c | 22 ++++++---------------- dlls/kerberos/unixlib.h | 6 +++--- 3 files changed, 38 insertions(+), 24 deletions(-) diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c index 92436ca2bf4..9105e3d2c5d 100644 --- a/dlls/kerberos/krb5_ap.c +++ b/dlls/kerberos/krb5_ap.c @@ -83,6 +83,17 @@ static const char *debugstr_us( const UNICODE_STRING *us ) return debugstr_wn( us->Buffer, us->Length / sizeof(WCHAR) ); } +static void expiry_to_timestamp( ULONG expiry, TimeStamp *timestamp ) +{ + LARGE_INTEGER time; + + NtQuerySystemTime( &time ); + RtlSystemTimeToLocalTime( &time, &time ); + time.QuadPart += expiry * (ULONGLONG)10000000; + timestamp->LowPart = time.QuadPart; + timestamp->HighPart = time.QuadPart >> 32; +} + static NTSTATUS NTAPI kerberos_LsaApInitializePackage(ULONG package_id, PLSA_DISPATCH_TABLE dispatch, PLSA_STRING database, PLSA_STRING confidentiality, PLSA_STRING *package_name) { @@ -267,6 +278,7 @@ static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle( char *principal = NULL, *username = NULL, *password = NULL; SEC_WINNT_AUTH_IDENTITY_W *id = auth_data; NTSTATUS status = SEC_E_INSUFFICIENT_MEMORY; + ULONG exptime; TRACE( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us), credential_use, logon_id, auth_data, get_key_fn, get_key_arg, credential, expiry ); @@ -285,7 +297,9 @@ static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle( } status = krb5_funcs->acquire_credentials_handle( principal, credential_use, username, password, credential, - expiry ); + &exptime ); + expiry_to_timestamp( exptime, expiry ); + done: free( principal ); free( username ); @@ -310,6 +324,7 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION; char *target = NULL; NTSTATUS status; + ULONG exptime; TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name), context_req, target_data_rep, input, new_context, output, context_attr, expiry, @@ -320,8 +335,12 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY; status = krb5_funcs->initialize_context( credential, context, target, context_req, input, new_context, output, - context_attr, expiry ); - if (!status) *mapped_context = TRUE; + context_attr, &exptime ); + if (!status) + { + *mapped_context = TRUE; + expiry_to_timestamp( exptime, expiry ); + } /* FIXME: initialize context_data */ free( target ); return status; @@ -332,6 +351,7 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry, BOOLEAN *mapped_context, SecBuffer *context_data ) { NTSTATUS status; + ULONG exptime; TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req, target_data_rep, input, new_context, output, context_attr, expiry, mapped_context, context_data ); @@ -339,8 +359,12 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential if (!context && !input && !credential) return SEC_E_INVALID_HANDLE; - status = krb5_funcs->accept_context( credential, context, input, new_context, output, context_attr, expiry ); - if (!status) *mapped_context = TRUE; + status = krb5_funcs->accept_context( credential, context, input, new_context, output, context_attr, &exptime ); + if (!status) + { + *mapped_context = TRUE; + expiry_to_timestamp( exptime, expiry ); + } /* FIXME: initialize context_data */ return status; } diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c index 1a47b0a39ff..4024cc4bec1 100644 --- a/dlls/kerberos/unixlib.c +++ b/dlls/kerberos/unixlib.c @@ -505,16 +505,6 @@ static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred = (LSA_SEC_HANDLE)handle; } -static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp ) -{ - LARGE_INTEGER time; - - NtQuerySystemTime( &time ); - RtlSystemTimeToLocalTime( &time, &time ); - timestamp->LowPart = time.QuadPart; - timestamp->HighPart = time.QuadPart >> 32; -} - static ULONG flags_gss_to_asc_ret( ULONG flags ) { ULONG ret = 0; @@ -532,7 +522,7 @@ static ULONG flags_gss_to_asc_ret( ULONG flags ) static NTSTATUS CDECL accept_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, SecBufferDesc *input, LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, - TimeStamp *expiry ) + ULONG *expiry ) { OM_uint32 ret, minor_status, ret_flags = 0, expiry_time; gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential ); @@ -571,7 +561,7 @@ static NTSTATUS CDECL accept_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE ctxhandle_gss_to_sspi( ctx_handle, new_context ); if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags ); - expirytime_gss_to_sspi( expiry_time, expiry ); + *expiry = expiry_time; } return status_gss_to_sspi( ret ); @@ -621,7 +611,7 @@ static NTSTATUS import_name( const char *src, gss_name_t *dst ) } static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG credential_use, const char *username, - const char *password, LSA_SEC_HANDLE *credential, TimeStamp *expiry ) + const char *password, LSA_SEC_HANDLE *credential, ULONG *expiry ) { OM_uint32 ret, minor_status, expiry_time; gss_name_t name = GSS_C_NO_NAME; @@ -654,7 +644,7 @@ static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG c if (ret == GSS_S_COMPLETE) { credhandle_gss_to_sspi( cred_handle, credential ); - expirytime_gss_to_sspi( expiry_time, expiry ); + *expiry = expiry_time; } if (name != GSS_C_NO_NAME) pgss_release_name( &minor_status, &name ); @@ -715,7 +705,7 @@ static ULONG flags_gss_to_isc_ret( ULONG flags ) static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, const char *target_name, ULONG context_req, SecBufferDesc *input, LSA_SEC_HANDLE *new_context, - SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry ) + SecBufferDesc *output, ULONG *context_attr, ULONG *expiry ) { OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req ); gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential ); @@ -758,7 +748,7 @@ static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HAN ctxhandle_gss_to_sspi( ctx_handle, new_context ); if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags ); - expirytime_gss_to_sspi( expiry_time, expiry ); + *expiry = expiry_time; } if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target ); diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h index 5648f344431..2d0cb45f979 100644 --- a/dlls/kerberos/unixlib.h +++ b/dlls/kerberos/unixlib.h @@ -24,13 +24,13 @@ struct krb5_funcs { NTSTATUS (CDECL *accept_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, SecBufferDesc *, LSA_SEC_HANDLE *, - SecBufferDesc *, ULONG *, TimeStamp *); + SecBufferDesc *, ULONG *, ULONG *); NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *, - TimeStamp *); + ULONG *); NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE); NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE); NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *, - LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *); + LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, ULONG *); NTSTATUS (CDECL *make_signature)(LSA_SEC_HANDLE, SecBufferDesc *); NTSTATUS (CDECL *query_context_attributes)(LSA_SEC_HANDLE, ULONG, void *); NTSTATUS (CDECL *query_ticket_cache)( KERB_QUERY_TKT_CACHE_RESPONSE *resp, ULONG *out_size );