[PATCH 13/13] secur32: Add support for switching between Kerberos and NTLM in Negotiate provider.
Dmitry Timoshkov
dmitry at baikal.ru
Thu Jan 18 09:54:37 CST 2018
Based on generic wrapper.c implementation.
Signed-off-by: Dmitry Timoshkov <dmitry at baikal.ru>
---
dlls/secur32/negotiate.c | 330 ++++++++++++++++++++++++++++++++++++--------
dlls/secur32/ntlm.c | 4 +-
dlls/secur32/secur32_priv.h | 19 +--
dlls/secur32/wrapper.c | 2 +-
4 files changed, 277 insertions(+), 78 deletions(-)
diff --git a/dlls/secur32/negotiate.c b/dlls/secur32/negotiate.c
index bf16258fc2..c7ab97ef79 100644
--- a/dlls/secur32/negotiate.c
+++ b/dlls/secur32/negotiate.c
@@ -62,20 +62,41 @@ static SECURITY_STATUS SEC_ENTRY nego_AcquireCredentialsHandleW(
PVOID pGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry )
{
static SEC_WCHAR ntlmW[] = {'N','T','L','M',0};
+ static SEC_WCHAR kerberosW[] = {'K','e','r','b','e','r','o','s',0};
SECURITY_STATUS ret;
+ SecurePackage *package;
+ CredHandle myCred;
TRACE("%s, %s, 0x%08x, %p, %p, %p, %p, %p, %p\n",
debugstr_w(pszPrincipal), debugstr_w(pszPackage), fCredentialUse,
pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument, phCredential, ptsExpiry);
- FIXME("forwarding to NTLM\n");
- ret = ntlm_AcquireCredentialsHandleW( pszPrincipal, ntlmW, fCredentialUse,
- pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument,
- phCredential, ptsExpiry );
+ if (!pszPackage)
+ return SEC_E_SECPKG_NOT_FOUND;
+
+ package = SECUR32_findPackageW(kerberosW);
+ if (!package || !package->provider)
+ {
+ package = SECUR32_findPackageW(ntlmW);
+ if (!package || !package->provider)
+ return SEC_E_SECPKG_NOT_FOUND;
+ }
+
+ if (!package->provider->fnTableW.AcquireCredentialsHandleW)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ret = package->provider->fnTableW.AcquireCredentialsHandleW(
+ pszPrincipal, package->infoW.Name, fCredentialUse, pLogonID,
+ pAuthData, pGetKeyFn, pGetKeyArgument, &myCred,
+ ptsExpiry);
if (ret == SEC_E_OK)
{
- NtlmCredentials *cred = (NtlmCredentials *)phCredential->dwLower;
- cred->no_cached_credentials = (pAuthData == NULL);
+ ret = SECUR32_makeSecHandle(phCredential, package, &myCred);
+ if (ret != SEC_E_OK)
+ package->provider->fnTableW.FreeCredentialsHandle(&myCred);
}
return ret;
}
@@ -173,15 +194,56 @@ static SECURITY_STATUS SEC_ENTRY nego_InitializeSecurityContextW(
PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext,
PSecBufferDesc pOutput, ULONG *pfContextAttr, PTimeStamp ptsExpiry )
{
+ SECURITY_STATUS ret;
+ SecurePackage *package = NULL;
+ PCredHandle cred = NULL;
+ PCredHandle ctxt = NULL;
+ CtxtHandle myCtxt;
+
TRACE("%p, %p, %s, 0x%08x, %u, %u, %p, %u, %p, %p, %p, %p\n",
phCredential, phContext, debugstr_w(pszTargetName), fContextReq,
Reserved1, TargetDataRep, pInput, Reserved1, phNewContext, pOutput,
pfContextAttr, ptsExpiry);
- return ntlm_InitializeSecurityContextW( phCredential, phContext, pszTargetName,
- fContextReq, Reserved1, TargetDataRep,
- pInput, Reserved2, phNewContext,
- pOutput, pfContextAttr, ptsExpiry );
+ if (phContext)
+ {
+ package = (SecurePackage *)phContext->dwUpper;
+ ctxt = (PCtxtHandle)phContext->dwLower;
+ }
+ if (phCredential)
+ {
+ package = (SecurePackage *)phCredential->dwUpper;
+ cred = (PCredHandle)phCredential->dwLower;
+ }
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.InitializeSecurityContextW)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ if (phContext)
+ {
+ PCtxtHandle realCtxt = (PCtxtHandle)phContext->dwLower;
+ myCtxt.dwUpper = realCtxt->dwUpper;
+ myCtxt.dwLower = realCtxt->dwLower;
+ }
+
+ ret = package->provider->fnTableW.InitializeSecurityContextW(
+ cred, ctxt, pszTargetName, fContextReq,
+ Reserved1, TargetDataRep, pInput, Reserved2, phNewContext ? &myCtxt : NULL,
+ pOutput, pfContextAttr, ptsExpiry);
+ if ((ret == SEC_E_OK || ret == SEC_I_CONTINUE_NEEDED) &&
+ phNewContext && phNewContext != phContext)
+ {
+ if (SECUR32_makeSecHandle(phNewContext, package, &myCtxt) != SEC_E_OK)
+ package->provider->fnTableW.DeleteSecurityContext(&myCtxt);
+ }
+
+ return ret;
}
/***********************************************************************
@@ -223,13 +285,49 @@ static SECURITY_STATUS SEC_ENTRY nego_AcceptSecurityContext(
ULONG fContextReq, ULONG TargetDataRep, PCtxtHandle phNewContext,
PSecBufferDesc pOutput, ULONG *pfContextAttr, PTimeStamp ptsExpiry)
{
+ SecurePackage *package;
+ PCredHandle cred;
+ CtxtHandle myCtxt;
+ SECURITY_STATUS ret;
+
TRACE("%p, %p, %p, 0x%08x, %u, %p, %p, %p, %p\n", phCredential, phContext,
pInput, fContextReq, TargetDataRep, phNewContext, pOutput, pfContextAttr,
ptsExpiry);
- return ntlm_AcceptSecurityContext( phCredential, phContext, pInput,
- fContextReq, TargetDataRep, phNewContext,
- pOutput, pfContextAttr, ptsExpiry );
+ if (!phCredential)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phCredential->dwUpper;
+ cred = (PCredHandle)phCredential->dwLower;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.AcceptSecurityContext)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ if(phContext)
+ {
+ PCtxtHandle realCtxt = (PCtxtHandle)phContext->dwLower;
+ TRACE("realCtx: %p\n", realCtxt);
+ myCtxt.dwUpper = realCtxt->dwUpper;
+ myCtxt.dwLower = realCtxt->dwLower;
+ }
+
+ ret = package->provider->fnTableW.AcceptSecurityContext(
+ cred, phContext ? &myCtxt : NULL, pInput, fContextReq,
+ TargetDataRep, &myCtxt, pOutput, pfContextAttr, ptsExpiry);
+ if ((ret == SEC_E_OK || ret == SEC_I_CONTINUE_NEEDED) &&
+ phNewContext && phNewContext != phContext)
+ {
+ if (SECUR32_makeSecHandle(phNewContext, package, &myCtxt) != SEC_E_OK)
+ package->provider->fnTableW.DeleteSecurityContext(&myCtxt);
+ }
+
+ return ret;
}
/***********************************************************************
@@ -257,9 +355,31 @@ static SECURITY_STATUS SEC_ENTRY nego_CompleteAuthToken(PCtxtHandle phContext,
*/
static SECURITY_STATUS SEC_ENTRY nego_DeleteSecurityContext(PCtxtHandle phContext)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+ SECURITY_STATUS ret;
+
TRACE("%p\n", phContext);
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.DeleteSecurityContext)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
- return ntlm_DeleteSecurityContext( phContext );
+ ret = package->provider->fnTableW.DeleteSecurityContext(ctxt);
+ HeapFree(GetProcessHeap(), 0, ctxt);
+
+ return ret;
}
/***********************************************************************
@@ -288,29 +408,28 @@ static SECURITY_STATUS SEC_ENTRY nego_ApplyControlToken(PCtxtHandle phContext,
static SECURITY_STATUS SEC_ENTRY nego_QueryContextAttributesW(
PCtxtHandle phContext, ULONG ulAttribute, void *pBuffer)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, %u, %p\n", phContext, ulAttribute, pBuffer);
- switch (ulAttribute)
- {
- case SECPKG_ATTR_SIZES:
- {
- SecPkgContext_Sizes *sizes = (SecPkgContext_Sizes *)pBuffer;
- sizes->cbMaxToken = 2888;
- sizes->cbMaxSignature = 16;
- sizes->cbSecurityTrailer = 16;
- sizes->cbBlockSize = 0;
- return SEC_E_OK;
- }
- case SECPKG_ATTR_NEGOTIATION_INFO:
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.QueryContextAttributesW)
{
- SecPkgContext_NegotiationInfoW *info = (SecPkgContext_NegotiationInfoW *)pBuffer;
- info->PackageInfo = ntlm_package_infoW;
- info->NegotiationState = SECPKG_NEGOTIATION_COMPLETE;
- return SEC_E_OK;
- }
- default:
- return ntlm_QueryContextAttributesW( phContext, ulAttribute, pBuffer );
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
}
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableW.QueryContextAttributesW(ctxt, ulAttribute, pBuffer);
}
/***********************************************************************
@@ -319,29 +438,28 @@ static SECURITY_STATUS SEC_ENTRY nego_QueryContextAttributesW(
static SECURITY_STATUS SEC_ENTRY nego_QueryContextAttributesA(PCtxtHandle phContext,
ULONG ulAttribute, void *pBuffer)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, %u, %p\n", phContext, ulAttribute, pBuffer);
- switch (ulAttribute)
- {
- case SECPKG_ATTR_SIZES:
- {
- SecPkgContext_Sizes *sizes = (SecPkgContext_Sizes *)pBuffer;
- sizes->cbMaxToken = 2888;
- sizes->cbMaxSignature = 16;
- sizes->cbSecurityTrailer = 16;
- sizes->cbBlockSize = 0;
- return SEC_E_OK;
- }
- case SECPKG_ATTR_NEGOTIATION_INFO:
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableA.QueryContextAttributesA)
{
- SecPkgContext_NegotiationInfoA *info = (SecPkgContext_NegotiationInfoA *)pBuffer;
- info->PackageInfo = ntlm_package_infoA;
- info->NegotiationState = SECPKG_NEGOTIATION_COMPLETE;
- return SEC_E_OK;
- }
- default:
- return ntlm_QueryContextAttributesA( phContext, ulAttribute, pBuffer );
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
}
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableA.QueryContextAttributesA(ctxt, ulAttribute, pBuffer);
}
/***********************************************************************
@@ -388,9 +506,28 @@ static SECURITY_STATUS SEC_ENTRY nego_RevertSecurityContext(PCtxtHandle phContex
static SECURITY_STATUS SEC_ENTRY nego_MakeSignature(PCtxtHandle phContext,
ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, 0x%08x, %p, %u\n", phContext, fQOP, pMessage, MessageSeqNo);
- return ntlm_MakeSignature( phContext, fQOP, pMessage, MessageSeqNo );
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.MakeSignature)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableW.MakeSignature(ctxt, fQOP, pMessage, MessageSeqNo);
}
/***********************************************************************
@@ -399,9 +536,28 @@ static SECURITY_STATUS SEC_ENTRY nego_MakeSignature(PCtxtHandle phContext,
static SECURITY_STATUS SEC_ENTRY nego_VerifySignature(PCtxtHandle phContext,
PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, %p, %u, %p\n", phContext, pMessage, MessageSeqNo, pfQOP);
- return ntlm_VerifySignature( phContext, pMessage, MessageSeqNo, pfQOP );
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.VerifySignature)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableW.VerifySignature(ctxt, pMessage, MessageSeqNo, pfQOP);
}
/***********************************************************************
@@ -409,9 +565,31 @@ static SECURITY_STATUS SEC_ENTRY nego_VerifySignature(PCtxtHandle phContext,
*/
static SECURITY_STATUS SEC_ENTRY nego_FreeCredentialsHandle(PCredHandle phCredential)
{
+ SecurePackage *package;
+ PCredHandle cred;
+ SECURITY_STATUS ret;
+
TRACE("%p\n", phCredential);
- return ntlm_FreeCredentialsHandle( phCredential );
+ if (!phCredential)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phCredential->dwUpper;
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.FreeCredentialsHandle)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ cred = (PCredHandle)phCredential->dwLower;
+
+ ret = package->provider->fnTableW.FreeCredentialsHandle(cred);
+ HeapFree(GetProcessHeap(), 0, cred);
+
+ return ret;
}
/***********************************************************************
@@ -420,9 +598,28 @@ static SECURITY_STATUS SEC_ENTRY nego_FreeCredentialsHandle(PCredHandle phCreden
static SECURITY_STATUS SEC_ENTRY nego_EncryptMessage(PCtxtHandle phContext,
ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, 0x%08x, %p, %u\n", phContext, fQOP, pMessage, MessageSeqNo);
- return ntlm_EncryptMessage( phContext, fQOP, pMessage, MessageSeqNo );
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.EncryptMessage)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableW.EncryptMessage(ctxt, fQOP, pMessage, MessageSeqNo);
}
/***********************************************************************
@@ -431,9 +628,28 @@ static SECURITY_STATUS SEC_ENTRY nego_EncryptMessage(PCtxtHandle phContext,
static SECURITY_STATUS SEC_ENTRY nego_DecryptMessage(PCtxtHandle phContext,
PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP)
{
+ SecurePackage *package;
+ PCtxtHandle ctxt;
+
TRACE("%p, %p, %u, %p\n", phContext, pMessage, MessageSeqNo, pfQOP);
- return ntlm_DecryptMessage( phContext, pMessage, MessageSeqNo, pfQOP );
+ if (!phContext)
+ return SEC_E_INVALID_HANDLE;
+
+ package = (SecurePackage *)phContext->dwUpper;
+
+ if (!package || !package->provider)
+ return SEC_E_INVALID_HANDLE;
+
+ if (!package->provider->fnTableW.DecryptMessage)
+ {
+ FIXME("Package doesn't support this API\n");
+ return SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
+ ctxt = (PCtxtHandle)phContext->dwLower;
+
+ return package->provider->fnTableW.DecryptMessage(ctxt, pMessage, MessageSeqNo, pfQOP);
}
static const SecurityFunctionTableA negoTableA = {
diff --git a/dlls/secur32/ntlm.c b/dlls/secur32/ntlm.c
index 94b94f48ce..2d0557b200 100644
--- a/dlls/secur32/ntlm.c
+++ b/dlls/secur32/ntlm.c
@@ -151,7 +151,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
ntlm_cred->domain_arg = NULL;
ntlm_cred->password = NULL;
ntlm_cred->pwlen = 0;
- ntlm_cred->no_cached_credentials = 0;
+ ntlm_cred->no_cached_credentials = (pAuthData == NULL);
phCredential->dwUpper = fCredentialUse;
phCredential->dwLower = (ULONG_PTR)ntlm_cred;
@@ -172,7 +172,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
ntlm_cred->domain_arg = NULL;
ntlm_cred->password = NULL;
ntlm_cred->pwlen = 0;
- ntlm_cred->no_cached_credentials = 0;
+ ntlm_cred->no_cached_credentials = (pAuthData == NULL);
if(pAuthData != NULL)
{
diff --git a/dlls/secur32/secur32_priv.h b/dlls/secur32/secur32_priv.h
index 973b75c699..e029ea12c4 100644
--- a/dlls/secur32/secur32_priv.h
+++ b/dlls/secur32/secur32_priv.h
@@ -189,24 +189,7 @@ void SECUR32_arc4Cleanup(arc4_info *a4i) DECLSPEC_HIDDEN;
#define NTLMSSP_NEGOTIATE_KEY_EXCHANGE 0x40000000
#define NTLMSSP_NEGOTIATE_56 0x80000000
-SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(SEC_WCHAR *, SEC_WCHAR *,
- ULONG, PLUID, PVOID, SEC_GET_KEY_FN, PVOID, PCredHandle, PTimeStamp) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(PCredHandle, PCtxtHandle,
- SEC_WCHAR *, ULONG fContextReq, ULONG, ULONG, PSecBufferDesc, ULONG, PCtxtHandle,
- PSecBufferDesc, ULONG *, PTimeStamp) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(PCredHandle, PCtxtHandle, PSecBufferDesc,
- ULONG, ULONG, PCtxtHandle, PSecBufferDesc, ULONG *, PTimeStamp) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesA(PCtxtHandle, ULONG, void *) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_QueryContextAttributesW(PCtxtHandle, ULONG, void *) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle, ULONG, PSecBufferDesc, ULONG) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle, PSecBufferDesc, ULONG, PULONG) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_FreeCredentialsHandle(PCredHandle) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_MakeSignature(PCtxtHandle, ULONG, PSecBufferDesc, ULONG) DECLSPEC_HIDDEN;
-SECURITY_STATUS SEC_ENTRY ntlm_VerifySignature(PCtxtHandle, PSecBufferDesc, ULONG, PULONG) DECLSPEC_HIDDEN;
-
-SecPkgInfoW *ntlm_package_infoW DECLSPEC_HIDDEN;
-SecPkgInfoA *ntlm_package_infoA DECLSPEC_HIDDEN;
+SECURITY_STATUS SECUR32_makeSecHandle(PSecHandle phSec, SecurePackage *package, PSecHandle realHandle) DECLSPEC_HIDDEN;
/* schannel internal interface */
typedef struct schan_imp_session_opaque *schan_imp_session;
diff --git a/dlls/secur32/wrapper.c b/dlls/secur32/wrapper.c
index dba675422d..85941d0361 100644
--- a/dlls/secur32/wrapper.c
+++ b/dlls/secur32/wrapper.c
@@ -32,7 +32,7 @@ WINE_DEFAULT_DEBUG_CHANNEL(secur32);
* and stored in phSec->dwLower). SecHandle is equivalent to both a
* CredHandle and a CtxtHandle.
*/
-static SECURITY_STATUS SECUR32_makeSecHandle(PSecHandle phSec,
+SECURITY_STATUS SECUR32_makeSecHandle(PSecHandle phSec,
SecurePackage *package, PSecHandle realHandle)
{
SECURITY_STATUS ret;
--
2.15.1
More information about the wine-devel
mailing list