[PATCH 13/13] secur32: Add support for switching between Kerberos and NTLM in Negotiate provider.

Hans Leidekker hans at codeweavers.com
Wed Jan 31 03:27:40 CST 2018


On Thu, 2018-01-18 at 23:54 +0800, Dmitry Timoshkov wrote:
> diff --git a/dlls/secur32/negotiate.c b/dlls/secur32/negotiate.c
> index bf16258fc2..c7ab97ef79 100644
> --- a/dlls/secur32/negotiate.c
> +++ b/dlls/secur32/negotiate.c
> @@ -62,20 +62,41 @@ static SECURITY_STATUS SEC_ENTRY nego_AcquireCredentialsHandleW(
>      PVOID pGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry )
>  {
>      static SEC_WCHAR ntlmW[] = {'N','T','L','M',0};
> +    static SEC_WCHAR kerberosW[] = {'K','e','r','b','e','r','o','s',0};
>      SECURITY_STATUS ret;
> +    SecurePackage *package;
> +    CredHandle myCred;
>  
>      TRACE("%s, %s, 0x%08x, %p, %p, %p, %p, %p, %p\n",
>            debugstr_w(pszPrincipal), debugstr_w(pszPackage), fCredentialUse,
>            pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument, phCredential, ptsExpiry);
>  
> -    FIXME("forwarding to NTLM\n");
> -    ret = ntlm_AcquireCredentialsHandleW( pszPrincipal, ntlmW, fCredentialUse,
> -                                          pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument,
> -                                          phCredential, ptsExpiry );
> +    if (!pszPackage)
> +        return SEC_E_SECPKG_NOT_FOUND;
> +
> +    package = SECUR32_findPackageW(kerberosW);
> +    if (!package || !package->provider)
> +    {
> +        package = SECUR32_findPackageW(ntlmW);
> +        if (!package || !package->provider)
> +            return SEC_E_SECPKG_NOT_FOUND;
> +    }

For inbound credentials you can't decide at this point whether Kerberos or NTLM will be
used; that decision has to be made when AcceptSecurityContext is called.

> +    if (!package->provider->fnTableW.AcquireCredentialsHandleW)
> +    {
> +        FIXME("Package doesn't support this API\n");
> +        return SEC_E_UNSUPPORTED_FUNCTION;
> +    }
> +
> +    ret = package->provider->fnTableW.AcquireCredentialsHandleW(
> +                 pszPrincipal, package->infoW.Name, fCredentialUse, pLogonID,
> +                 pAuthData, pGetKeyFn, pGetKeyArgument, &myCred,
> +                 ptsExpiry);
>      if (ret == SEC_E_OK)
>      {
> -        NtlmCredentials *cred = (NtlmCredentials *)phCredential->dwLower;
> -        cred->no_cached_credentials = (pAuthData == NULL);

[..]

> --- a/dlls/secur32/ntlm.c
> +++ b/dlls/secur32/ntlm.c
> @@ -151,7 +151,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
>                  ntlm_cred->domain_arg = NULL;
>                  ntlm_cred->password = NULL;
>                  ntlm_cred->pwlen = 0;
> -                ntlm_cred->no_cached_credentials = 0;
> +                ntlm_cred->no_cached_credentials = (pAuthData == NULL);
> 

This will break NTLM. no_cached_credentials should only be set when NTLM is called
from Negotiate.



