[03/10] secur32: Implement AcceptSecurityContext for Kerberos.

Hans Leidekker hans at codeweavers.com
Mon Oct 16 03:04:56 CDT 2017 

Signed-off-by: Hans Leidekker <hans at codeweavers.com>
---
 dlls/secur32/kerberos.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 71 insertions(+), 4 deletions(-)

diff --git a/dlls/secur32/kerberos.c b/dlls/secur32/kerberos.c
index 83d1c44d98..f5f596659b 100644
--- a/dlls/secur32/kerberos.c
+++ b/dlls/secur32/kerberos.c
@@ -152,6 +152,19 @@ static ULONG flags_gss_to_isc_ret( ULONG flags )
     return ret;
 }
 
+static ULONG flags_gss_to_asc_ret(ULONG flags)
+{
+    ULONG ret = 0;
+    if (flags & GSS_C_DELEG_FLAG)    ret |= ASC_RET_DELEGATE;
+    if (flags & GSS_C_MUTUAL_FLAG)   ret |= ASC_RET_MUTUAL_AUTH;
+    if (flags & GSS_C_REPLAY_FLAG)   ret |= ASC_RET_REPLAY_DETECT;
+    if (flags & GSS_C_SEQUENCE_FLAG) ret |= ASC_RET_SEQUENCE_DETECT;
+    if (flags & GSS_C_CONF_FLAG)     ret |= ASC_RET_CONFIDENTIALITY;
+    if (flags & GSS_C_INTEG_FLAG)    ret |= ASC_RET_INTEGRITY;
+    if (flags & GSS_C_ANON_FLAG)     ret |= ASC_RET_NULL_SESSION;
+    return ret;
+}
+
 static int get_buffer_index( SecBufferDesc *desc, DWORD type )
 {
     UINT i;
@@ -420,12 +433,66 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(CredHandle
 /***********************************************************************
  *              AcceptSecurityContext
  */
-static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(CredHandle *phCredential, CtxtHandle *phContext, SecBufferDesc *pInput,
-        ULONG fContextReq, ULONG TargetDataRep, CtxtHandle *phNewContext, SecBufferDesc *pOutput, ULONG *pfContextAttr, TimeStamp *ptsExpiry)
+static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext( CredHandle *phCredential, CtxtHandle *phContext,
+    SecBufferDesc *pInput, ULONG fContextReq, ULONG TargetDataRep, CtxtHandle *phNewContext, SecBufferDesc *pOutput,
+    ULONG *pfContextAttr, TimeStamp *ptsExpiry )
 {
-    FIXME("(%p %p %p %d %d %p %p %p %p)\n", phCredential, phContext, pInput, fContextReq, TargetDataRep, phNewContext, pOutput,
-          pfContextAttr, ptsExpiry);
+#ifdef HAVE_GSSAPI
+    OM_uint32 ret, minor_status, ret_flags, expiry_time;
+    gss_cred_id_t cred_handle;
+    gss_ctx_id_t ctxt_handle;
+    gss_buffer_desc input_token, output_token;
+    gss_name_t target = GSS_C_NO_NAME;
+    int idx;
+
+    TRACE( "(%p %p %p %u %u %p %p %p %p)\n", phCredential, phContext, pInput, fContextReq, TargetDataRep, phNewContext,
+           pOutput, pfContextAttr, ptsExpiry );
+    if (fContextReq) FIXME( "ignoring flags 0x%08x\n", fContextReq );
+
+    if (!phContext && !pInput && !phCredential) return SEC_E_INVALID_HANDLE;
+    cred_handle = credhandle_sspi_to_gss( phCredential, &target );
+    ctxt_handle = ctxthandle_sspi_to_gss( phContext );
+
+    if (!pInput) input_token.length = 0;
+    else
+    {
+        if ((idx = get_buffer_index( pInput, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+        input_token.length = pInput->pBuffers[idx].cbBuffer;
+        input_token.value  = pInput->pBuffers[idx].pvBuffer;
+    }
+
+    if ((idx = get_buffer_index( pOutput, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+    output_token.length = 0;
+    output_token.value  = NULL;
+
+    ret = gss_accept_sec_context( &minor_status, &ctxt_handle, cred_handle, &input_token, GSS_C_NO_CHANNEL_BINDINGS,
+                                  &target, NULL, &output_token, &ret_flags, &expiry_time, NULL );
+    TRACE( "gss_accept_sec_context returned %08x minor status %08x ctxt_handle %p\n", ret, minor_status, ctxt_handle );
+    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+    {
+        if (output_token.length > pOutput->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+        {
+            TRACE( "buffer too small %u > %u\n", output_token.length, pOutput->pBuffers[idx].cbBuffer );
+            gss_release_buffer( &minor_status, &output_token );
+            gss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
+            if (phContext) phContext->dwLower = 0;
+            return SEC_E_BUFFER_TOO_SMALL;
+        }
+        pOutput->pBuffers[idx].cbBuffer = output_token.length;
+        memcpy( pOutput->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+        gss_release_buffer( &minor_status, &output_token );
+
+        ctxthandle_gss_to_sspi( ctxt_handle, phNewContext );
+        if (pfContextAttr) *pfContextAttr = flags_gss_to_asc_ret( ret_flags );
+        expirytime_gss_to_sspi( expiry_time, ptsExpiry );
+    }
+
+    return status_gss_to_sspi( ret );
+#else
+    FIXME( "(%p %p %p %u %u %p %p %p %p)\n", phCredential, phContext, pInput, fContextReq, TargetDataRep, phNewContext,
+           pOutput, pfContextAttr, ptsExpiry );
     return SEC_E_UNSUPPORTED_FUNCTION;
+#endif
 }
 
 /***********************************************************************
-- 
2.11.0

More information about the wine-patches mailing list