kerberos: Move support for SpInitLsaModeContext/SpDeleteContext to the Unix library.

Signed-off-by: Hans Leidekker <hans@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

kerberos: Move support for SpInitLsaModeContext/SpDeleteContext to the Unix library.
f9292ec8 · Hans Leidekker · Alexandre Julliard · 6e9a9d67 · f9292ec8 · f9292ec8
Commit f9292ec8 authored Apr 20, 2021 by Hans Leidekker Committed by Alexandre Julliard Apr 20, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 130 additions and 124 deletions

krb5_ap.c dlls/kerberos/krb5_ap.c +11 -124

unixlib.c dlls/kerberos/unixlib.c +116 -0

unixlib.h dlls/kerberos/unixlib.h +3 -0

No files found.
--- a/dlls/kerberos/krb5_ap.c
+++ b/dlls/kerberos/krb5_ap.c
@@ -760,54 +760,6 @@ static void expirytime_gss_to_sspi( OM_uint32 expirytime, TimeStamp *timestamp )
    timestamp->HighPart = tmp.QuadPart >> 32;
 }

-static NTSTATUS name_sspi_to_gss( const UNICODE_STRING *name_str, gss_name_t *name )
-{
-    OM_uint32 ret, minor_status;
-    gss_OID type = GSS_C_NO_OID; /* FIXME: detect the appropriate value for this ourselves? */
-    gss_buffer_desc buf;
-
-    buf.length = WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
-    if (!(buf.value = heap_alloc( buf.length ))) return SEC_E_INSUFFICIENT_MEMORY;
-    WideCharToMultiByte( CP_UNIXCP, 0, name_str->Buffer, name_str->Length / sizeof(WCHAR), buf.value, buf.length, NULL, NULL );
-
-    ret = pgss_import_name( &minor_status, &buf, type, name );
-    TRACE( "gss_import_name returned %08x minor status %08x\n", ret, minor_status );
-    if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
-    heap_free( buf.value );
-    return status_gss_to_sspi( ret );
-}
-
-static ULONG flags_isc_req_to_gss( ULONG flags )
-{
-    ULONG ret = 0;
-    if (flags & ISC_REQ_DELEGATE)        ret |= GSS_C_DELEG_FLAG;
-    if (flags & ISC_REQ_MUTUAL_AUTH)     ret |= GSS_C_MUTUAL_FLAG;
-    if (flags & ISC_REQ_REPLAY_DETECT)   ret |= GSS_C_REPLAY_FLAG;
-    if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
-    if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
-    if (flags & ISC_REQ_INTEGRITY)       ret |= GSS_C_INTEG_FLAG;
-    if (flags & ISC_REQ_NULL_SESSION)    ret |= GSS_C_ANON_FLAG;
-    if (flags & ISC_REQ_USE_DCE_STYLE)   ret |= GSS_C_DCE_STYLE;
-    if (flags & ISC_REQ_IDENTIFY)        ret |= GSS_C_IDENTIFY_FLAG;
-    return ret;
-}
-
-static ULONG flags_gss_to_isc_ret( ULONG flags )
-{
-    ULONG ret = 0;
-    if (flags & GSS_C_DELEG_FLAG)    ret |= ISC_RET_DELEGATE;
-    if (flags & GSS_C_MUTUAL_FLAG)   ret |= ISC_RET_MUTUAL_AUTH;
-    if (flags & GSS_C_REPLAY_FLAG)   ret |= ISC_RET_REPLAY_DETECT;
-    if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
-    if (flags & GSS_C_CONF_FLAG)     ret |= ISC_RET_CONFIDENTIALITY;
-    if (flags & GSS_C_INTEG_FLAG)    ret |= ISC_RET_INTEGRITY;
-    if (flags & GSS_C_ANON_FLAG)     ret |= ISC_RET_NULL_SESSION;
-    if (flags & GSS_C_DCE_STYLE)     ret |= ISC_RET_USED_DCE_STYLE;
-    if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
-    return ret;
-}
-
 static ULONG flags_gss_to_asc_ret( ULONG flags )
 {
    ULONG ret = 0;
@@ -922,80 +874,29 @@ static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credentia

 static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
    UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input,
-    LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *ts_expiry,
+    LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry,
    BOOLEAN *mapped_context, SecBuffer *context_data )
 {
-#ifdef SONAME_LIBGSSAPI_KRB5
    static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT |
                                   ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE |
                                   ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION;
-    OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req );
-    gss_cred_id_t cred_handle;
-    gss_ctx_id_t ctxt_handle;
-    gss_buffer_desc input_token, output_token;
-    gss_name_t target = GSS_C_NO_NAME;
+    char *target = NULL;
    NTSTATUS status;
-    int idx;

    TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
-           context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry,
+           context_req, target_data_rep, input, new_context, output, context_attr, expiry,
           mapped_context, context_data );
-    if (context_req & ~supported)
-        FIXME( "flags 0x%08x not supported\n", context_req & ~supported );
+    if (context_req & ~supported) FIXME( "flags 0x%08x not supported\n", context_req & ~supported );

    if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
-    cred_handle = credhandle_sspi_to_gss( credential );
-    ctxt_handle = ctxthandle_sspi_to_gss( context );
-
-    if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0;
-    else
-    {
-        input_token.length = input->pBuffers[idx].cbBuffer;
-        input_token.value  = input->pBuffers[idx].pvBuffer;
-    }
-
-    if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
-    output_token.length = 0;
-    output_token.value  = NULL;
-
-    if (target_name && ((status = name_sspi_to_gss( target_name, &target )) != SEC_E_OK)) return status;
+    if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY;

-    ret = pgss_init_sec_context( &minor_status, cred_handle, &ctxt_handle, target, GSS_C_NO_OID, req_flags, 0,
-                                 GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
-                                 &expiry_time );
-    TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
-    if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
-    {
-        if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
-        {
-            TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
-            pgss_release_buffer( &minor_status, &output_token );
-            pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
-            return SEC_E_INCOMPLETE_MESSAGE;
-        }
-        output->pBuffers[idx].cbBuffer = output_token.length;
-        memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
-        pgss_release_buffer( &minor_status, &output_token );
-
-        ctxthandle_gss_to_sspi( ctxt_handle, new_context );
-        if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
-        expirytime_gss_to_sspi( expiry_time, ts_expiry );
-    }
-
-    if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
-
-    /* we do support user mode SSP/AP functions */
-    *mapped_context = TRUE;
+    status = krb5_funcs->initialize_context( credential, context, target, context_req, input, new_context, output,
+                                             context_attr, expiry );
+    if (!status) *mapped_context = TRUE;
    /* FIXME: initialize context_data */
-
-    return status_gss_to_sspi( ret );
-#else
-    FIXME( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential, context, debugstr_us(target_name),
-           context_req, target_data_rep, input, new_context, output, context_attr, ts_expiry,
-           mapped_context, context_data );
-    return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+    heap_free( target );
+    return status;
 }

 static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
@@ -1068,23 +969,9 @@ static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential

 static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
 {
-#ifdef SONAME_LIBGSSAPI_KRB5
-    OM_uint32 ret, minor_status;
-    gss_ctx_id_t ctxt_handle;
-
    TRACE( "(%lx)\n", context );
    if (!context) return SEC_E_INVALID_HANDLE;
-    if (!(ctxt_handle = ctxthandle_sspi_to_gss( context ))) return SEC_E_OK;
-
-    ret = pgss_delete_sec_context( &minor_status, &ctxt_handle, GSS_C_NO_BUFFER );
-    TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
-    if (GSS_ERROR(ret)) trace_gss_status( ret, minor_status );
-
-    return status_gss_to_sspi( ret );
-#else
-    FIXME( "(%lx)\n", context );
-    return SEC_E_UNSUPPORTED_FUNCTION;
-#endif
+    return krb5_funcs->delete_context( context );
 }

 static SecPkgInfoW *build_package_info( const SecPkgInfoW *info )

--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -211,6 +211,17 @@ fail:
    return FALSE;
 }

+static int get_buffer_index( SecBufferDesc *desc, DWORD type )
+{
+    UINT i;
+    if (!desc) return -1;
+    for (i = 0; i < desc->cBuffers; i++)
+    {
+        if (desc->pBuffers[i].BufferType == type) return i;
+    }
+    return -1;
+}
+
 static NTSTATUS status_gss_to_sspi( OM_uint32 status )
 {
    switch (status)
@@ -267,11 +278,21 @@ static void trace_gss_status( OM_uint32 major_status, OM_uint32 minor_status )
    }
 }

+static inline gss_ctx_id_t ctxhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
+{
+    return (gss_ctx_id_t)handle;
+}
+
 static inline gss_cred_id_t credhandle_sspi_to_gss( LSA_SEC_HANDLE handle )
 {
    return (gss_cred_id_t)handle;
 }

+static inline void ctxhandle_gss_to_sspi( gss_ctx_id_t handle, LSA_SEC_HANDLE *ctx )
+{
+    *ctx = (LSA_SEC_HANDLE)handle;
+}
+
 static inline void credhandle_gss_to_sspi( gss_cred_id_t handle, LSA_SEC_HANDLE *cred )
 {
    *cred = (LSA_SEC_HANDLE)handle;
@@ -371,6 +392,17 @@ static NTSTATUS CDECL acquire_credentials_handle( const char *principal, ULONG c
    return status_gss_to_sspi( ret );
 }

+static NTSTATUS CDECL delete_context( LSA_SEC_HANDLE context )
+{
+    OM_uint32 ret, minor_status;
+    gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+
+    ret = pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+    TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret, minor_status );
+    if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+    return status_gss_to_sspi( ret );
+}
+
 static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
 {
    OM_uint32 ret, minor_status;
@@ -382,10 +414,94 @@ static NTSTATUS CDECL free_credentials_handle( LSA_SEC_HANDLE handle )
    return status_gss_to_sspi( ret );
 }

+static ULONG flags_isc_req_to_gss( ULONG flags )
+{
+    ULONG ret = 0;
+    if (flags & ISC_REQ_DELEGATE)        ret |= GSS_C_DELEG_FLAG;
+    if (flags & ISC_REQ_MUTUAL_AUTH)     ret |= GSS_C_MUTUAL_FLAG;
+    if (flags & ISC_REQ_REPLAY_DETECT)   ret |= GSS_C_REPLAY_FLAG;
+    if (flags & ISC_REQ_SEQUENCE_DETECT) ret |= GSS_C_SEQUENCE_FLAG;
+    if (flags & ISC_REQ_CONFIDENTIALITY) ret |= GSS_C_CONF_FLAG;
+    if (flags & ISC_REQ_INTEGRITY)       ret |= GSS_C_INTEG_FLAG;
+    if (flags & ISC_REQ_NULL_SESSION)    ret |= GSS_C_ANON_FLAG;
+    if (flags & ISC_REQ_USE_DCE_STYLE)   ret |= GSS_C_DCE_STYLE;
+    if (flags & ISC_REQ_IDENTIFY)        ret |= GSS_C_IDENTIFY_FLAG;
+    return ret;
+}
+
+static ULONG flags_gss_to_isc_ret( ULONG flags )
+{
+    ULONG ret = 0;
+    if (flags & GSS_C_DELEG_FLAG)    ret |= ISC_RET_DELEGATE;
+    if (flags & GSS_C_MUTUAL_FLAG)   ret |= ISC_RET_MUTUAL_AUTH;
+    if (flags & GSS_C_REPLAY_FLAG)   ret |= ISC_RET_REPLAY_DETECT;
+    if (flags & GSS_C_SEQUENCE_FLAG) ret |= ISC_RET_SEQUENCE_DETECT;
+    if (flags & GSS_C_CONF_FLAG)     ret |= ISC_RET_CONFIDENTIALITY;
+    if (flags & GSS_C_INTEG_FLAG)    ret |= ISC_RET_INTEGRITY;
+    if (flags & GSS_C_ANON_FLAG)     ret |= ISC_RET_NULL_SESSION;
+    if (flags & GSS_C_DCE_STYLE)     ret |= ISC_RET_USED_DCE_STYLE;
+    if (flags & GSS_C_IDENTIFY_FLAG) ret |= ISC_RET_IDENTIFY;
+    return ret;
+}
+
+static NTSTATUS CDECL initialize_context( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context, const char *target_name,
+                                          ULONG context_req, SecBufferDesc *input, LSA_SEC_HANDLE *new_context,
+                                          SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry )
+{
+    OM_uint32 ret, minor_status, ret_flags = 0, expiry_time, req_flags = flags_isc_req_to_gss( context_req );
+    gss_cred_id_t cred_handle = credhandle_sspi_to_gss( credential );
+    gss_ctx_id_t ctx_handle = ctxhandle_sspi_to_gss( context );
+    gss_buffer_desc input_token, output_token;
+    gss_name_t target = GSS_C_NO_NAME;
+    NTSTATUS status;
+    int idx;
+
+    if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) input_token.length = 0;
+    else
+    {
+        input_token.length = input->pBuffers[idx].cbBuffer;
+        input_token.value  = input->pBuffers[idx].pvBuffer;
+    }
+
+    if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
+    output_token.length = 0;
+    output_token.value  = NULL;
+
+    if (target_name && (status = import_name( target_name, &target ))) return status;
+
+    ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0,
+                                 GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags,
+                                 &expiry_time );
+    TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret, minor_status, ret_flags );
+    if (GSS_ERROR( ret )) trace_gss_status( ret, minor_status );
+    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED)
+    {
+        if (output_token.length > output->pBuffers[idx].cbBuffer) /* FIXME: check if larger buffer exists */
+        {
+            TRACE( "buffer too small %lu > %u\n", (SIZE_T)output_token.length, output->pBuffers[idx].cbBuffer );
+            pgss_release_buffer( &minor_status, &output_token );
+            pgss_delete_sec_context( &minor_status, &ctx_handle, GSS_C_NO_BUFFER );
+            return SEC_E_INCOMPLETE_MESSAGE;
+        }
+        output->pBuffers[idx].cbBuffer = output_token.length;
+        memcpy( output->pBuffers[idx].pvBuffer, output_token.value, output_token.length );
+        pgss_release_buffer( &minor_status, &output_token );
+
+        ctxhandle_gss_to_sspi( ctx_handle, new_context );
+        if (context_attr) *context_attr = flags_gss_to_isc_ret( ret_flags );
+        expirytime_gss_to_sspi( expiry_time, expiry );
+    }
+
+    if (target != GSS_C_NO_NAME) pgss_release_name( &minor_status, &target );
+    return status_gss_to_sspi( ret );
+}
+
 static const struct krb5_funcs funcs =
 {
    acquire_credentials_handle,
+    delete_context,
    free_credentials_handle,
+    initialize_context,
 };

 NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )

--- a/dlls/kerberos/unixlib.h
+++ b/dlls/kerberos/unixlib.h
@@ -23,7 +23,10 @@ struct krb5_funcs
 {
    NTSTATUS (CDECL *acquire_credentials_handle)(const char *, ULONG, const char *, const char *, LSA_SEC_HANDLE *,
                                                 TimeStamp *);
+    NTSTATUS (CDECL *delete_context)(LSA_SEC_HANDLE);
    NTSTATUS (CDECL *free_credentials_handle)(LSA_SEC_HANDLE);
+    NTSTATUS (CDECL *initialize_context)(LSA_SEC_HANDLE, LSA_SEC_HANDLE, const char *, ULONG, SecBufferDesc *,
+                                         LSA_SEC_HANDLE *, SecBufferDesc *, ULONG *, TimeStamp *);
 };

 extern const struct krb5_funcs *krb5_funcs;