ReceiveTempSMS
/
Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

kerberos: Move support for SpInitLsaModeContext/SpDeleteContext to the Unix library. 

Signed-off-by: Hans Leidekker <hans@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Hans Leidekker 2021-04-20 15:56:49 +02:00 committed by Alexandre Julliard
parent 6e9a9d6701
commit f9292ec8b6
3 changed files with 130 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

135
dlls/kerberos/krb5_ap.c
View File

@ -760,54 +760,6 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
timestamp->HighPart = tmp.QuadPart >> 32; timestamp->HighPart = tmp.QuadPart >> 32;
} }
static NTSTATUS name_sspi_to_gss( const UNICODE_STRING *name_str, gss_name_t *name )
{
OM_uint32 ret, minor_status;
gss_OID type = GSS_C_NO_OID; /* FIXME: detect the appropriate value for this ourselves? */
gss_buffer_desc buf;
buf.length = WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
if (!(buf.value = heap_alloc( buf.length ))) return SEC_E_INSUFFICIENT_MEMORY;
WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), buf.value, buf.length, NULL, NULL );
ret = pgss_import_name( &minor_status, &buf, type, name );
TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status );
if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
heap_free( buf.value );
return status_gss_to_sspi( ret );
}
static ULONG flags_isc_req_to_gss( ULONG flags )
{
ULONG ret = 0;
if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG;
if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG;
if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG;
if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG;
if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG;
if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE;
if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG;
return ret;
}
static ULONG flags_gss_to_isc_ret( ULONG flags )
{
ULONG ret = 0;
if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE;
if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH;
if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT;
if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY;
if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY;
if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION;
if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE;
if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
return ret;
}
static ULONG flags_gss_to_asc_ret( ULONG flags ) static ULONG flags_gss_to_asc_ret( ULONG flags )
{ {
ULONG ret = 0; ULONG ret = 0;
@ -922,80 +874,29 @@ static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credentia
static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input, UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input,
LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry, LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry,
BOOLEAN *mapped_context, SecBuffer *context_data ) BOOLEAN *mapped_context, SecBuffer *context_data )
{ {
#ifdef SONAME_LIBGSSAPI_KRB5
static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT | static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE | ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE |
ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION; ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION;
OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req ); char *target = NULL;
gss_cred_id_t cred_handle;
gss_ctx_id_t ctxt_handle;
gss_buffer_desc input_token, output_token;
gss_name_t target = GSS_C_NO_NAME;
NTSTATUS status; NTSTATUS status;
int idx;
TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name), TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry, context_req, target_data_rep, input, new_context, output, context_attr, expiry,
mapped_context, context_data ); mapped_context, context_data );
if (context_req & ~supported) if (context_req & ~supported) FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
if (!context && !input && !credential) return SEC_E_INVALID_HANDLE; if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
cred_handle = credhandle_sspi_to_gss( credential ); if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY;
ctxt_handle = ctxthandle_sspi_to_gss( context );
if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0; status = krb5_funcs->initialize_context( credential, context, target, context_req, input, new_context, output,
else context_attr, expiry );
{ if (!status) *mapped_context = TRUE;
input_token.length = input->pBuffers[idx].cbBuffer;
input_token.value = input->pBuffers[idx].pvBuffer;
}
if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
output_token.length = 0;
output_token.value = NULL;
if (target_name && ((status = name_sspi_to_gss( target_name, &target )) != SEC_E_OK)) return status;
ret = pgss_init_sec_context( &minor_status, cred_handle, &ctxt_handle, target, GSS_C_NO_OID, req_flags, 0,
GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
&expiry_time );
TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
{
if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
{
TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
pgss_release_buffer( &minor_status, &output_token );
pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
return SEC_E_INCOMPLETE_MESSAGE;
}
output->pBuffers[idx].cbBuffer = output_token.length;
memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
pgss_release_buffer( &minor_status, &output_token );
ctxthandle_gss_to_sspi( ctxt_handle, new_context );
if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
expirytime_gss_to_sspi( expiry_time, ts_expiry );
}
if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
/* we do support user mode SSP/AP functions */
*mapped_context = TRUE;
/* FIXME: initialize context_data */ /* FIXME: initialize context_data */
heap_free( target );
return status_gss_to_sspi( ret ); return status;
#else
FIXME( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry,
mapped_context, context_data );
return SEC_E_UNSUPPORTED_FUNCTION;
#endif
} }
static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
@ -1068,23 +969,9 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential
static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context ) static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
{ {
#ifdef SONAME_LIBGSSAPI_KRB5
OM_uint32 ret, minor_status;
gss_ctx_id_t ctxt_handle;
TRACE( "(%lx)\n", context ); TRACE( "(%lx)\n", context );
if (!context) return SEC_E_INVALID_HANDLE; if (!context) return SEC_E_INVALID_HANDLE;
if (!(ctxt_handle = ctxthandle_sspi_to_gss( context ))) return SEC_E_OK; return krb5_funcs->delete_context( context );
ret = pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
return status_gss_to_sspi( ret );
#else
FIXME( "(%lx)\n", context );
return SEC_E_UNSUPPORTED_FUNCTION;
#endif
} }
static SecPkgInfoW *build_package_info( const SecPkgInfoW *info ) static SecPkgInfoW *build_package_info( const SecPkgInfoW *info )

116
dlls/kerberos/unixlib.c
View File

@ -211,6 +211,17 @@ fail:
return FALSE; return FALSE;
} }
static int get_buffer_index( SecBufferDesc *desc, DWORD type )
{
UINT i;
if (!desc) return -1;
for (i = 0; i < desc->cBuffers; i++)
{
if (desc->pBuffers[i].BufferType == type) return i;
}
return -1;
}
static NTSTATUS status_gss_to_sspi( OM_uint32 status ) static NTSTATUS status_gss_to_sspi( OM_uint32 status )
{ {
switch (status) switch (status)
@ -267,11 +278,21 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
} }
} }
static inline gss_ctx_id_t ctxhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
{
return (gss_ctx_id_t)handle;
}
static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle ) static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
{ {
return (gss_cred_id_t)handle; return (gss_cred_id_t)handle;
} }
static inline void ctxhandle_gss_to_sspi( gss_ctx_id_t handle, LSA_SEC_HANDLE *ctx )
{
*ctx = (LSA_SEC_HANDLE)handle;
}
static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred ) static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred )
{ {
*cred = (LSA_SEC_HANDLE)handle; *cred = (LSA_SEC_HANDLE)handle;
@ -371,6 +392,17 @@ static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG c
return status_gss_to_sspi( ret ); return status_gss_to_sspi( ret );
} }
static NTSTATUS CDECL delete_context( LSA_SEC_HANDLE context )
{
OM_uint32 ret, minor_status;
gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
ret = pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
return status_gss_to_sspi( ret );
}
static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle ) static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
{ {
OM_uint32 ret, minor_status; OM_uint32 ret, minor_status;
@ -382,10 +414,94 @@ static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
return status_gss_to_sspi( ret ); return status_gss_to_sspi( ret );
} }
static ULONG flags_isc_req_to_gss( ULONG flags )
{
ULONG ret = 0;
if (flags & ISC_REQ_DELEGATE) ret |= GSS_C_DELEG_FLAG;
if (flags & ISC_REQ_MUTUAL_AUTH) ret |= GSS_C_MUTUAL_FLAG;
if (flags & ISC_REQ_REPLAY_DETECT) ret |= GSS_C_REPLAY_FLAG;
if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
if (flags & ISC_REQ_INTEGRITY) ret |= GSS_C_INTEG_FLAG;
if (flags & ISC_REQ_NULL_SESSION) ret |= GSS_C_ANON_FLAG;
if (flags & ISC_REQ_USE_DCE_STYLE) ret |= GSS_C_DCE_STYLE;
if (flags & ISC_REQ_IDENTIFY) ret |= GSS_C_IDENTIFY_FLAG;
return ret;
}
static ULONG flags_gss_to_isc_ret( ULONG flags )
{
ULONG ret = 0;
if (flags & GSS_C_DELEG_FLAG) ret |= ISC_RET_DELEGATE;
if (flags & GSS_C_MUTUAL_FLAG) ret |= ISC_RET_MUTUAL_AUTH;
if (flags & GSS_C_REPLAY_FLAG) ret |= ISC_RET_REPLAY_DETECT;
if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
if (flags & GSS_C_CONF_FLAG) ret |= ISC_RET_CONFIDENTIALITY;
if (flags & GSS_C_INTEG_FLAG) ret |= ISC_RET_INTEGRITY;
if (flags & GSS_C_ANON_FLAG) ret |= ISC_RET_NULL_SESSION;
if (flags & GSS_C_DCE_STYLE) ret |= ISC_RET_USED_DCE_STYLE;
if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
return ret;
}
static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, const char *target_name,
ULONG context_req, SecBufferDesc *input, LSA_SEC_HANDLE *new_context,
SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry )
{
OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req );
gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential );
gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
gss_buffer_desc input_token, output_token;
gss_name_t target = GSS_C_NO_NAME;
NTSTATUS status;
int idx;
if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0;
else
{
input_token.length = input->pBuffers[idx].cbBuffer;
input_token.value = input->pBuffers[idx].pvBuffer;
}
if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
output_token.length = 0;
output_token.value = NULL;
if (target_name && (status = import_name( target_name, &target ))) return status;
ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0,
GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
&expiry_time );
TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
{
if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
{
TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
pgss_release_buffer( &minor_status, &output_token );
pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
return SEC_E_INCOMPLETE_MESSAGE;
}
output->pBuffers[idx].cbBuffer = output_token.length;
memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
pgss_release_buffer( &minor_status, &output_token );
ctxhandle_gss_to_sspi( ctx_handle, new_context );
if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
expirytime_gss_to_sspi( expiry_time, expiry );
}
if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
return status_gss_to_sspi( ret );
}
static const struct krb5_funcs funcs = static const struct krb5_funcs funcs =
{ {
acquire_credentials_handle, acquire_credentials_handle,
delete_context,
free_credentials_handle, free_credentials_handle,
initialize_context,
}; };
NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out ) NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )

3
dlls/kerberos/unixlib.h
View File

@ -23,7 +23,10 @@ struct krb5_funcs
{ {
NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *, NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
TimeStamp *); TimeStamp *);
NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE);
NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE); NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *,
LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *);
}; };
extern const struct krb5_funcs *krb5_funcs; extern const struct krb5_funcs *krb5_funcs;