Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-winehq
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-winehq
Commits
a110f87b
Commit
a110f87b
authored
Feb 21, 2018
by
Hans Leidekker
Committed by
Alexandre Julliard
Feb 21, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
kerberos: Add support for caller supplied credentials.
Signed-off-by:
Hans Leidekker
<
hans@codeweavers.com
>
Signed-off-by:
Alexandre Julliard
<
julliard@winehq.org
>
parent
917bf273
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
154 additions
and
44 deletions
+154
-44
krb5_ap.c
dlls/kerberos/krb5_ap.c
+154
-44
No files found.
dlls/kerberos/krb5_ap.c
View file @
a110f87b
...
@@ -91,21 +91,30 @@ static LSA_DISPATCH_TABLE lsa_dispatch;
...
@@ -91,21 +91,30 @@ static LSA_DISPATCH_TABLE lsa_dispatch;
static
void
*
libkrb5_handle
;
static
void
*
libkrb5_handle
;
#define MAKE_FUNCPTR(f) static typeof(f) * p_##f
#define MAKE_FUNCPTR(f) static typeof(f) * p_##f
MAKE_FUNCPTR
(
krb5_init_context
);
MAKE_FUNCPTR
(
krb5_free_context
);
MAKE_FUNCPTR
(
krb5_free_ticket
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_new
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_next
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_free
);
MAKE_FUNCPTR
(
krb5_cc_close
);
MAKE_FUNCPTR
(
krb5_cc_close
);
MAKE_FUNCPTR
(
krb5_cc_
start_seq_ge
t
);
MAKE_FUNCPTR
(
krb5_cc_
defaul
t
);
MAKE_FUNCPTR
(
krb5_cc_end_seq_get
);
MAKE_FUNCPTR
(
krb5_cc_end_seq_get
);
MAKE_FUNCPTR
(
krb5_cc_initialize
);
MAKE_FUNCPTR
(
krb5_cc_next_cred
);
MAKE_FUNCPTR
(
krb5_cc_next_cred
);
MAKE_FUNCPTR
(
krb5_is_config_principal
);
MAKE_FUNCPTR
(
krb5_cc_start_seq_get
);
MAKE_FUNCPTR
(
krb5_cc_store_cred
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_free
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_new
);
MAKE_FUNCPTR
(
krb5_cccol_cursor_next
);
MAKE_FUNCPTR
(
krb5_decode_ticket
);
MAKE_FUNCPTR
(
krb5_decode_ticket
);
MAKE_FUNCPTR
(
krb5_unparse_name_flags
);
MAKE_FUNCPTR
(
krb5_free_context
);
MAKE_FUNCPTR
(
krb5_free_unparsed_name
);
MAKE_FUNCPTR
(
krb5_free_cred_contents
);
MAKE_FUNCPTR
(
krb5_free_cred_contents
);
MAKE_FUNCPTR
(
krb5_free_principal
);
MAKE_FUNCPTR
(
krb5_free_ticket
);
MAKE_FUNCPTR
(
krb5_free_unparsed_name
);
MAKE_FUNCPTR
(
krb5_get_init_creds_opt_alloc
);
MAKE_FUNCPTR
(
krb5_get_init_creds_opt_free
);
MAKE_FUNCPTR
(
krb5_get_init_creds_opt_set_out_ccache
);
MAKE_FUNCPTR
(
krb5_get_init_creds_password
);
MAKE_FUNCPTR
(
krb5_init_context
);
MAKE_FUNCPTR
(
krb5_is_config_principal
);
MAKE_FUNCPTR
(
krb5_parse_name_flags
);
MAKE_FUNCPTR
(
krb5_unparse_name_flags
);
#undef MAKE_FUNCPTR
#undef MAKE_FUNCPTR
static
void
load_krb5
(
void
)
static
void
load_krb5
(
void
)
...
@@ -123,21 +132,30 @@ static void load_krb5(void)
...
@@ -123,21 +132,30 @@ static void load_krb5(void)
goto fail; \
goto fail; \
}
}
LOAD_FUNCPTR
(
krb5_init_context
)
LOAD_FUNCPTR
(
krb5_free_context
)
LOAD_FUNCPTR
(
krb5_free_ticket
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_new
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_next
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_free
)
LOAD_FUNCPTR
(
krb5_cc_close
)
LOAD_FUNCPTR
(
krb5_cc_close
)
LOAD_FUNCPTR
(
krb5_cc_
start_seq_ge
t
)
LOAD_FUNCPTR
(
krb5_cc_
defaul
t
)
LOAD_FUNCPTR
(
krb5_cc_end_seq_get
)
LOAD_FUNCPTR
(
krb5_cc_end_seq_get
)
LOAD_FUNCPTR
(
krb5_cc_initialize
)
LOAD_FUNCPTR
(
krb5_cc_next_cred
)
LOAD_FUNCPTR
(
krb5_cc_next_cred
)
LOAD_FUNCPTR
(
krb5_is_config_principal
)
LOAD_FUNCPTR
(
krb5_cc_start_seq_get
)
LOAD_FUNCPTR
(
krb5_cc_store_cred
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_free
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_new
)
LOAD_FUNCPTR
(
krb5_cccol_cursor_next
)
LOAD_FUNCPTR
(
krb5_decode_ticket
)
LOAD_FUNCPTR
(
krb5_decode_ticket
)
LOAD_FUNCPTR
(
krb5_unparse_name_flags
)
LOAD_FUNCPTR
(
krb5_free_context
)
LOAD_FUNCPTR
(
krb5_free_unparsed_name
)
LOAD_FUNCPTR
(
krb5_free_cred_contents
)
LOAD_FUNCPTR
(
krb5_free_cred_contents
)
LOAD_FUNCPTR
(
krb5_free_principal
)
LOAD_FUNCPTR
(
krb5_free_ticket
)
LOAD_FUNCPTR
(
krb5_free_unparsed_name
)
LOAD_FUNCPTR
(
krb5_get_init_creds_opt_alloc
)
LOAD_FUNCPTR
(
krb5_get_init_creds_opt_free
)
LOAD_FUNCPTR
(
krb5_get_init_creds_opt_set_out_ccache
)
LOAD_FUNCPTR
(
krb5_get_init_creds_password
)
LOAD_FUNCPTR
(
krb5_init_context
)
LOAD_FUNCPTR
(
krb5_is_config_principal
)
LOAD_FUNCPTR
(
krb5_parse_name_flags
)
LOAD_FUNCPTR
(
krb5_unparse_name_flags
)
#undef LOAD_FUNCPTR
#undef LOAD_FUNCPTR
return
;
return
;
...
@@ -818,38 +836,96 @@ static int get_buffer_index( SecBufferDesc *desc, DWORD type )
...
@@ -818,38 +836,96 @@ static int get_buffer_index( SecBufferDesc *desc, DWORD type )
}
}
return
-
1
;
return
-
1
;
}
}
#endif
/* SONAME_LIBGSSAPI_KRB5 */
static
NTSTATUS
NTAPI
kerberos_SpAcquireCredentialsHandle
(
static
char
*
get_user_at_domain
(
const
WCHAR
*
user
,
ULONG
user_len
,
const
WCHAR
*
domain
,
ULONG
domain_len
)
UNICODE_STRING
*
principal_us
,
ULONG
credential_use
,
LUID
*
logon_id
,
void
*
auth_data
,
void
*
get_key_fn
,
void
*
get_key_arg
,
LSA_SEC_HANDLE
*
credential
,
TimeStamp
*
ts_expiry
)
{
{
#ifdef SONAME_LIBGSSAPI_KRB5
int
len_user
,
len_domain
;
OM_uint32
ret
,
minor_status
,
expiry_time
;
char
*
ret
;
gss_name_t
principal
=
GSS_C_NO_NAME
;
gss_cred_usage_t
cred_usage
;
gss_cred_id_t
cred_handle
;
TRACE
(
"(%s 0x%08x %p %p %p %p %p %p)
\n
"
,
debugstr_us
(
principal_us
),
credential_use
,
len_user
=
WideCharToMultiByte
(
CP_UNIXCP
,
0
,
user
,
user_len
,
NULL
,
0
,
NULL
,
NULL
);
logon_id
,
auth_data
,
get_key_fn
,
get_key_arg
,
credential
,
ts_expiry
);
len_domain
=
WideCharToMultiByte
(
CP_UNIXCP
,
0
,
domain
,
domain_len
,
NULL
,
0
,
NULL
,
NULL
);
if
(
!
(
ret
=
heap_alloc
(
len_user
+
len_domain
+
2
)))
return
NULL
;
WideCharToMultiByte
(
CP_UNIXCP
,
0
,
user
,
user_len
,
ret
,
len_user
,
NULL
,
NULL
);
ret
[
len_user
]
=
'@'
;
WideCharToMultiByte
(
CP_UNIXCP
,
0
,
domain
,
domain_len
,
ret
+
len_user
+
1
,
len_domain
,
NULL
,
NULL
);
ret
[
len_user
+
len_domain
+
1
]
=
0
;
return
ret
;
}
if
(
auth_data
)
FIXME
(
"specific credentials not supported
\n
"
);
static
char
*
get_password
(
const
WCHAR
*
passwd
,
ULONG
passwd_len
)
{
int
len
;
char
*
ret
;
switch
(
credential_use
)
len
=
WideCharToMultiByte
(
CP_UNIXCP
,
WC_NO_BEST_FIT_CHARS
,
passwd
,
passwd_len
,
NULL
,
0
,
NULL
,
NULL
);
if
(
!
(
ret
=
heap_alloc
(
len
+
1
)))
return
NULL
;
WideCharToMultiByte
(
CP_UNIXCP
,
0
,
passwd
,
passwd_len
,
ret
,
len
,
NULL
,
NULL
);
ret
[
len
]
=
0
;
return
ret
;
}
static
NTSTATUS
init_creds
(
const
SEC_WINNT_AUTH_IDENTITY_W
*
id
)
{
char
*
user_at_domain
,
*
password
;
krb5_context
ctx
;
krb5_principal
principal
=
NULL
;
krb5_get_init_creds_opt
*
options
=
NULL
;
krb5_ccache
cache
=
NULL
;
krb5_creds
creds
;
krb5_error_code
err
;
if
(
!
id
)
return
STATUS_SUCCESS
;
if
(
id
->
Flags
&
SEC_WINNT_AUTH_IDENTITY_ANSI
)
{
{
case
SECPKG_CRED_INBOUND
:
FIXME
(
"ANSI identity not supported
\n
"
);
cred_usage
=
GSS_C_ACCEPT
;
return
SEC_E_UNSUPPORTED_FUNCTION
;
break
;
}
case
SECPKG_CRED_OUTBOUND
:
if
(
!
(
user_at_domain
=
get_user_at_domain
(
id
->
User
,
id
->
UserLength
,
id
->
Domain
,
id
->
DomainLength
)))
cred_usage
=
GSS_C_INITIATE
;
{
break
;
return
SEC_E_INSUFFICIENT_MEMORY
;
case
SECPKG_CRED_BOTH
:
}
cred_usage
=
GSS_C_BOTH
;
if
(
!
(
password
=
get_password
(
id
->
Password
,
id
->
PasswordLength
)))
break
;
{
default:
heap_free
(
user_at_domain
);
return
SEC_E_UNKNOWN_CREDENTIALS
;
return
SEC_E_INSUFFICIENT_MEMORY
;
}
}
if
((
err
=
p_krb5_init_context
(
&
ctx
)))
{
heap_free
(
password
);
heap_free
(
user_at_domain
);
return
krb5_error_to_status
(
err
);
}
if
((
err
=
p_krb5_parse_name_flags
(
ctx
,
user_at_domain
,
0
,
&
principal
)))
goto
done
;
if
((
err
=
p_krb5_cc_default
(
ctx
,
&
cache
)))
goto
done
;
if
((
err
=
p_krb5_get_init_creds_opt_alloc
(
ctx
,
&
options
)))
goto
done
;
if
((
err
=
p_krb5_get_init_creds_opt_set_out_ccache
(
ctx
,
options
,
cache
)))
goto
done
;
if
((
err
=
p_krb5_get_init_creds_password
(
ctx
,
&
creds
,
principal
,
password
,
0
,
NULL
,
0
,
NULL
,
0
)))
goto
done
;
if
((
err
=
p_krb5_cc_initialize
(
ctx
,
cache
,
principal
)))
goto
done
;
if
((
err
=
p_krb5_cc_store_cred
(
ctx
,
cache
,
&
creds
)))
goto
done
;
TRACE
(
"success
\n
"
);
p_krb5_free_cred_contents
(
ctx
,
&
creds
);
done:
if
(
cache
)
p_krb5_cc_close
(
ctx
,
cache
);
if
(
principal
)
p_krb5_free_principal
(
ctx
,
principal
);
if
(
options
)
p_krb5_get_init_creds_opt_free
(
ctx
,
options
);
p_krb5_free_context
(
ctx
);
heap_free
(
user_at_domain
);
heap_free
(
password
);
return
krb5_error_to_status
(
err
);
}
static
NTSTATUS
acquire_credentials_handle
(
UNICODE_STRING
*
principal_us
,
gss_cred_usage_t
cred_usage
,
LSA_SEC_HANDLE
*
credential
,
TimeStamp
*
ts_expiry
)
{
OM_uint32
ret
,
minor_status
,
expiry_time
;
gss_name_t
principal
=
GSS_C_NO_NAME
;
gss_cred_id_t
cred_handle
;
if
(
principal_us
&&
((
ret
=
name_sspi_to_gss
(
principal_us
,
&
principal
))
!=
SEC_E_OK
))
return
ret
;
if
(
principal_us
&&
((
ret
=
name_sspi_to_gss
(
principal_us
,
&
principal
))
!=
SEC_E_OK
))
return
ret
;
ret
=
pgss_acquire_cred
(
&
minor_status
,
principal
,
GSS_C_INDEFINITE
,
GSS_C_NULL_OID_SET
,
cred_usage
,
ret
=
pgss_acquire_cred
(
&
minor_status
,
principal
,
GSS_C_INDEFINITE
,
GSS_C_NULL_OID_SET
,
cred_usage
,
...
@@ -865,6 +941,40 @@ static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle(
...
@@ -865,6 +941,40 @@ static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle(
if
(
principal
!=
GSS_C_NO_NAME
)
pgss_release_name
(
&
minor_status
,
&
principal
);
if
(
principal
!=
GSS_C_NO_NAME
)
pgss_release_name
(
&
minor_status
,
&
principal
);
return
status_gss_to_sspi
(
ret
);
return
status_gss_to_sspi
(
ret
);
}
#endif
/* SONAME_LIBGSSAPI_KRB5 */
static
NTSTATUS
NTAPI
kerberos_SpAcquireCredentialsHandle
(
UNICODE_STRING
*
principal_us
,
ULONG
credential_use
,
LUID
*
logon_id
,
void
*
auth_data
,
void
*
get_key_fn
,
void
*
get_key_arg
,
LSA_SEC_HANDLE
*
credential
,
TimeStamp
*
ts_expiry
)
{
#ifdef SONAME_LIBGSSAPI_KRB5
gss_cred_usage_t
cred_usage
;
NTSTATUS
status
;
TRACE
(
"(%s 0x%08x %p %p %p %p %p %p)
\n
"
,
debugstr_us
(
principal_us
),
credential_use
,
logon_id
,
auth_data
,
get_key_fn
,
get_key_arg
,
credential
,
ts_expiry
);
switch
(
credential_use
)
{
case
SECPKG_CRED_INBOUND
:
cred_usage
=
GSS_C_ACCEPT
;
break
;
case
SECPKG_CRED_OUTBOUND
:
if
((
status
=
init_creds
(
auth_data
))
!=
STATUS_SUCCESS
)
return
status
;
cred_usage
=
GSS_C_INITIATE
;
break
;
case
SECPKG_CRED_BOTH
:
cred_usage
=
GSS_C_BOTH
;
break
;
default:
return
SEC_E_UNKNOWN_CREDENTIALS
;
}
return
acquire_credentials_handle
(
principal_us
,
cred_usage
,
credential
,
ts_expiry
);
#else
#else
FIXME
(
"(%s 0x%08x %p %p %p %p %p %p)
\n
"
,
debugstr_us
(
principal_us
),
credential_use
,
FIXME
(
"(%s 0x%08x %p %p %p %p %p %p)
\n
"
,
debugstr_us
(
principal_us
),
credential_use
,
logon_id
,
auth_data
,
get_key_fn
,
get_key_arg
,
credential
,
ts_expiry
);
logon_id
,
auth_data
,
get_key_fn
,
get_key_arg
,
credential
,
ts_expiry
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment