[PATCH 3/5] kerberos: Move support for SpAcceptLsaModeContext to the Unix library.
Hans Leidekker
hans at codeweavers.com
Tue Apr 20 04:42:39 CDT 2021
Signed-off-by: Hans Leidekker <hans at codeweavers.com>
---
dlls/kerberos/krb5_ap.c | 91 ++++-------------------------------------
dlls/kerberos/unixlib.c | 63 ++++++++++++++++++++++++++++
dlls/kerberos/unixlib.h | 2 +
3 files changed, 72 insertions(+), 84 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c
index b1fe036a071..176546d9e1d 100644
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -753,33 +753,6 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
}
}
-static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
-{
- FILETIME filetime;
- ULARGE_INTEGER tmp;
-
- GetSystemTimeAsFileTime( &filetime );
- FileTimeToLocalFileTime( &filetime, &filetime );
- tmp.QuadPart = ((ULONGLONG)filetime.dwLowDateTime | (ULONGLONG)filetime.dwHighDateTime << 32) + expirytime;
- timestamp->LowPart = tmp.QuadPart;
- timestamp->HighPart = tmp.QuadPart >> 32;
-}
-
-static ULONG flags_gss_to_asc_ret( ULONG flags )
-{
- ULONG ret = 0;
- if (flags & GSS_C_DELEG_FLAG) ret |= ASC_RET_DELEGATE;
- if (flags & GSS_C_MUTUAL_FLAG) ret |= ASC_RET_MUTUAL_AUTH;
- if (flags & GSS_C_REPLAY_FLAG) ret |= ASC_RET_REPLAY_DETECT;
- if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
- if (flags & GSS_C_CONF_FLAG) ret |= ASC_RET_CONFIDENTIALITY;
- if (flags & GSS_C_INTEG_FLAG) ret |= ASC_RET_INTEGRITY;
- if (flags & GSS_C_ANON_FLAG) ret |= ASC_RET_NULL_SESSION;
- if (flags & GSS_C_DCE_STYLE) ret |= ASC_RET_USED_DCE_STYLE;
- if (flags & GSS_C_IDENTIFY_FLAG) ret |= ASC_RET_IDENTIFY;
- return ret;
-}
-
static BOOL is_dce_style_context( gss_ctx_id_t ctxt_handle )
{
OM_uint32 ret, minor_status, flags;
@@ -906,70 +879,20 @@ static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential,
static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
SecBufferDesc *input, ULONG context_req, ULONG target_data_rep, LSA_SEC_HANDLE *new_context,
- SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
+ SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
{
-#ifdef SONAME_LIBGSSAPI_KRB5
- OM_uint32 ret, minor_status, ret_flags = 0, expiry_time;
- gss_cred_id_t cred_handle;
- gss_ctx_id_t ctxt_handle;
- gss_buffer_desc input_token, output_token;
- gss_name_t target = GSS_C_NO_NAME;
- int idx;
+ NTSTATUS status;
- TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
- target_data_rep, input, new_context, output, context_attr, ts_expiry,
- mapped_context, context_data );
+ TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req, target_data_rep, input,
+ new_context, output, context_attr, expiry, mapped_context, context_data );
if (context_req) FIXME( "ignoring flags 0x%08x\n", context_req );
if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
- cred_handle = credhandle_sspi_to_gss( credential );
- ctxt_handle = ctxthandle_sspi_to_gss( context );
-
- if (!input) input_token.length = 0;
- else
- {
- if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- input_token.length = input->pBuffers[idx].cbBuffer;
- input_token.value = input->pBuffers[idx].pvBuffer;
- }
-
- if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
- output_token.length = 0;
- output_token.value = NULL;
- ret = pgss_accept_sec_context( &minor_status, &ctxt_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
- &target, NULL, &output_token, &ret_flags, &expiry_time, NULL );
- TRACE( "gss_accept_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
- if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
- if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
- {
- if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
- {
- TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
- pgss_release_buffer( &minor_status, &output_token );
- pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
- return SEC_E_BUFFER_TOO_SMALL;
- }
- output->pBuffers[idx].cbBuffer = output_token.length;
- memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
- pgss_release_buffer( &minor_status, &output_token );
-
- ctxthandle_gss_to_sspi( ctxt_handle, new_context );
- if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags );
- expirytime_gss_to_sspi( expiry_time, ts_expiry );
- }
-
- /* we do support user mode SSP/AP functions */
- *mapped_context = TRUE;
+ status = krb5_funcs->accept_context( credential, context, input, new_context, output, context_attr, expiry );
+ if (!status) *mapped_context = TRUE;
/* FIXME: initialize context_data */
-
- return status_gss_to_sspi( ret );
-#else
- FIXME( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, context_req,
- target_data_rep, input, new_context, output, context_attr, ts_expiry,
- mapped_context, context_data );
- return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+ return status;
}
static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 4356cdbae2b..03241476d41 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -305,6 +305,68 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
timestamp->HighPart = time.QuadPart >> 32;
}
+static ULONG flags_gss_to_asc_ret( ULONG flags )
+{
+ ULONG ret = 0;
+ if (flags & GSS_C_DELEG_FLAG) ret |= ASC_RET_DELEGATE;
+ if (flags & GSS_C_MUTUAL_FLAG) ret |= ASC_RET_MUTUAL_AUTH;
+ if (flags & GSS_C_REPLAY_FLAG) ret |= ASC_RET_REPLAY_DETECT;
+ if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
+ if (flags & GSS_C_CONF_FLAG) ret |= ASC_RET_CONFIDENTIALITY;
+ if (flags & GSS_C_INTEG_FLAG) ret |= ASC_RET_INTEGRITY;
+ if (flags & GSS_C_ANON_FLAG) ret |= ASC_RET_NULL_SESSION;
+ if (flags & GSS_C_DCE_STYLE) ret |= ASC_RET_USED_DCE_STYLE;
+ if (flags & GSS_C_IDENTIFY_FLAG) ret |= ASC_RET_IDENTIFY;
+ return ret;
+}
+
+NTSTATUS CDECL accept_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, SecBufferDesc *input,
+ LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr,
+ TimeStamp *expiry )
+{
+ OM_uint32 ret, minor_status, ret_flags = 0, expiry_time;
+ gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential );
+ gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+ gss_buffer_desc input_token, output_token;
+ int idx;
+
+ if (!input) input_token.length = 0;
+ else
+ {
+ if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ input_token.length = input->pBuffers[idx].cbBuffer;
+ input_token.value = input->pBuffers[idx].pvBuffer;
+ }
+
+ if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+ output_token.length = 0;
+ output_token.value = NULL;
+
+ ret = pgss_accept_sec_context( &minor_status, &ctx_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
+ NULL, NULL, &output_token, &ret_flags, &expiry_time, NULL );
+ TRACE( "gss_accept_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
+ if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+ if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+ {
+ if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+ {
+ TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
+ pgss_release_buffer( &minor_status, &output_token );
+ pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+ return SEC_E_BUFFER_TOO_SMALL;
+ }
+ output->pBuffers[idx].cbBuffer = output_token.length;
+ memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+ pgss_release_buffer( &minor_status, &output_token );
+
+ ctxhandle_gss_to_sspi( ctx_handle, new_context );
+ if (context_attr) *context_attr = flags_gss_to_asc_ret( ret_flags );
+ expirytime_gss_to_sspi( expiry_time, expiry );
+ }
+
+ return status_gss_to_sspi( ret );
+}
+
static NTSTATUS init_creds( const char *user_at_domain, const char *password )
{
krb5_context ctx;
@@ -495,6 +557,7 @@ static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HAN
static const struct krb5_funcs funcs =
{
+ accept_context,
acquire_credentials_handle,
delete_context,
free_credentials_handle,
diff --git a/dlls/kerberos/unixlib.h b/dlls/kerberos/unixlib.h
index dc7c3da6a35..cf5cf6bd104 100644
--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -18,6 +18,8 @@
struct krb5_funcs
{
+ NTSTATUS (CDECL *accept_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, SecBufferDesc *, LSA_SEC_HANDLE *,
+ SecBufferDesc *, ULONG *, TimeStamp *);
NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
TimeStamp *);
NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE);
--
2.30.2
More information about the wine-devel
mailing list