[01/10] secur32: Implement AcquireCredentialsHandle for Kerberos.

Hans Leidekker hans at codeweavers.com
Mon Oct 16 05:45:30 CDT 2017


On Mon, 2017-10-16 at 17:55 +0800, Dmitry Timoshkov wrote:
> I'm attaching the version of our patches that I have around for the reference.
> Feel free to use them as a base for your patches, or I could just send them
> to wine-patches (with proper sign-offs).

Thanks. From patch 7:

+    LOAD_FUNCPTR(gss_import_name);
+    LOAD_FUNCPTR(gss_acquire_cred);
+    LOAD_FUNCPTR(gss_release_name);
+    LOAD_FUNCPTR(gss_init_sec_context);
+    LOAD_FUNCPTR(gss_accept_sec_context);
+    LOAD_FUNCPTR(gss_delete_sec_context);
+    LOAD_FUNCPTR(gss_get_mic);
+    LOAD_FUNCPTR(gss_verify_mic);
+    LOAD_FUNCPTR(gss_release_cred);
+    LOAD_FUNCPTR(gss_wrap);
+    LOAD_FUNCPTR(gss_unwrap);
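
Review bot: The quoted list loads gss_release_name and gss_release_cred but no gss_release_buffer. The output tokens returned by gss_init_sec_context, gss_accept_sec_context, gss_get_mic and gss_wrap are allocated by the GSS-API library, so unless gss_release_buffer is loaded outside the quoted lines, each of those calls leaks its output buffer; add LOAD_FUNCPTR(gss_release_buffer) next to the other release functions. gss_display_status is also absent, which leaves failures reportable only as raw major/minor status codes.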

This is what Rob did originally and it would probably work with a Unix Kerberos
server, but I found that we need the newer iov functions to make it work with
an Active Directory server. From patch 8:

@@ -61,22 +69,50 @@ static SECURITY_STATUS SEC_ENTRY nego_AcquireCredentialsHandleW(
     PLUID pLogonID, PVOID pAuthData, SEC_GET_KEY_FN pGetKeyFn,
     PVOID pGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry )
 {
-    static SEC_WCHAR ntlmW[] = {'N','T','L','M',0};
     SECURITY_STATUS ret;
 
     TRACE("%s, %s, 0x%08x, %p, %p, %p, %p, %p, %p\n",
           debugstr_w(pszPrincipal), debugstr_w(pszPackage), fCredentialUse,
           pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument, phCredential, ptsExpiry);
 
-    FIXME("forwarding to NTLM\n");
-    ret = ntlm_AcquireCredentialsHandleW( pszPrincipal, ntlmW, fCredentialUse,
+    /* Assume this */
+    ret = SEC_E_INTERNAL_ERROR;
+
+    /* First we need to try kerberos */
+
+    if (kerberos_provider)
+    {
+        ret = kerberos_provider->fnTableW.
+                AcquireCredentialsHandleW(pszPrincipal, kerberos_name_W, fCredentialUse,
                                           pLogonID, pAuthData, pGetKeyFn, pGetKeyArgument,
-                                          phCredential, ptsExpiry );
+                                          phCredential, ptsExpiry);
+    }
+
     if (ret == SEC_E_OK)
     {
+    /* FIXME: create KerberosCredentials */
         NtlmCredentials *cred = (NtlmCredentials *)phCredential->dwLower;
         cred->no_cached_credentials = (pAuthData == NULL);
+        return ret;
+    }
+
+    FIXME("Failed to AcquireCredentialHandle via Kerberos.\n");
+
+    /* Maybe ntlm? */
+    if (ntlm_provider)
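
Review bot: In the `if (ret == SEC_E_OK)` block that follows the Kerberos call, `NtlmCredentials *cred = (NtlmCredentials *)phCredential->dwLower;` still treats the handle as NTLM's and then writes `cred->no_cached_credentials`, but on this path phCredential was filled in by kerberos_provider, so the store lands in whatever object the Kerberos provider placed in dwLower. The FIXME comment acknowledges the gap, but the write should be dropped or guarded until a Negotiate-owned credential structure records which provider produced the handle. Separately, `FIXME("Failed to AcquireCredentialHandle via Kerberos.\n")` is also reached when kerberos_provider is NULL and nothing was attempted; move it inside the `if (kerberos_provider)` branch, and indent the `/* FIXME: create KerberosCredentials */` comment to match its block.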

It's not part of this patch series but I have worked on the Negotiate part.
I found that native is able to pick the right provider at the last possible moment,
when the first authentication token arrives. So it can't work like this. We probably
need to acquire credential handles for both providers and store them in the
Negotiate handle until we can decide.
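
The deferred choice described above, as an added sketch that is not part of the original message and is not Wine's code: a Negotiate credential keeps one handle per provider and selects one only after looking at the outer framing of the first token. The type and function names are hypothetical; the sketch assumes a raw NTLM message starts with the "NTLMSSP" signature and a GSS-API initial token starts with tag 0x60 followed by a DER mechanism OID (Kerberos 1.2.840.113554.1.2.2, SPNEGO 1.3.6.1.5.5.2).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for illustration; not Wine's structures. */
enum nego_mech { MECH_UNKNOWN, MECH_NTLM, MECH_KERBEROS, MECH_SPNEGO };
struct nego_cred { void *kerberos_cred, *ntlm_cred; }; /* one handle per provider, NULL if unavailable */

static const unsigned char ntlm_sig[]   = { 'N','T','L','M','S','S','P',0 };
static const unsigned char krb5_oid[]   = { 0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02 };
static const unsigned char spnego_oid[] = { 0x2b,0x06,0x01,0x05,0x05,0x02 };

/* Classify the first token by its outer framing only; every read is bounds-checked. */
enum nego_mech classify_first_token(const unsigned char *tok, size_t len)
{
    size_t pos = 1, oid_len;

    if (len >= sizeof(ntlm_sig) && !memcmp(tok, ntlm_sig, sizeof(ntlm_sig)))
        return MECH_NTLM;
    /* GSS-API initial token: 0x60, DER length, 0x06, OID length, OID bytes */
    if (len < 4 || tok[0] != 0x60) return MECH_UNKNOWN;
    if (tok[pos] & 0x80)                 /* long-form length: skip its octets */
    {
        size_t n = tok[pos] & 0x7f;
        if (n == 0 || pos + n >= len) return MECH_UNKNOWN;
        pos += n;
    }
    pos++;
    if (pos + 2 > len || tok[pos] != 0x06) return MECH_UNKNOWN;
    oid_len = tok[pos + 1];
    pos += 2;
    if (oid_len > len - pos) return MECH_UNKNOWN;
    if (oid_len == sizeof(krb5_oid) && !memcmp(tok + pos, krb5_oid, oid_len))
        return MECH_KERBEROS;
    if (oid_len == sizeof(spnego_oid) && !memcmp(tok + pos, spnego_oid, oid_len))
        return MECH_SPNEGO;
    return MECH_UNKNOWN;
}

/* Pick the stored handle once the mechanism is known; NULL means no usable handle. */
void *select_cred(const struct nego_cred *cred, enum nego_mech mech)
{
    if (mech == MECH_NTLM) return cred->ntlm_cred;
    if (mech == MECH_KERBEROS) return cred->kerberos_cred;
    return NULL; /* SPNEGO: the mechTypes list inside the token must be parsed first */
}
```

A token classified as SPNEGO still needs its mechTypes list parsed before a provider can be chosen, which this sketch does not do.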



