2 * Copyright 2017 Dmitry Timoshkov
3 * Copyright 2017 George Popoff
4 * Copyright 2008 Robert Shearman for CodeWeavers
5 * Copyright 2017 Hans Leidekker for CodeWeavers
7 * Kerberos5 Authentication Package
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
25 #include "wine/port.h"
28 #ifdef HAVE_KRB5_KRB5_H
29 #include <krb5/krb5.h>
31 #ifdef SONAME_LIBGSSAPI_KRB5
32 # include <gssapi/gssapi.h>
33 # include <gssapi/gssapi_ext.h>
37 #define WIN32_NO_STATUS
46 #include "wine/heap.h"
47 #include "wine/library.h"
48 #include "wine/debug.h"
49 #include "wine/unicode.h"
51 WINE_DEFAULT_DEBUG_CHANNEL(kerberos
);
53 #define KERBEROS_MAX_BUF 12000
55 #define KERBEROS_CAPS \
56 ( SECPKG_FLAG_INTEGRITY \
57 | SECPKG_FLAG_PRIVACY \
58 | SECPKG_FLAG_TOKEN_ONLY \
59 | SECPKG_FLAG_DATAGRAM \
60 | SECPKG_FLAG_CONNECTION \
61 | SECPKG_FLAG_MULTI_REQUIRED \
62 | SECPKG_FLAG_EXTENDED_ERROR \
63 | SECPKG_FLAG_IMPERSONATION \
64 | SECPKG_FLAG_ACCEPT_WIN32_NAME \
65 | SECPKG_FLAG_NEGOTIABLE \
66 | SECPKG_FLAG_GSS_COMPATIBLE \
68 | SECPKG_FLAG_MUTUAL_AUTH \
69 | SECPKG_FLAG_DELEGATION \
70 | SECPKG_FLAG_READONLY_WITH_CHECKSUM \
71 | SECPKG_FLAG_RESTRICTED_TOKENS \
72 | SECPKG_FLAG_APPCONTAINER_CHECKS)
74 static WCHAR kerberos_name_W
[] = {'K','e','r','b','e','r','o','s',0};
75 static WCHAR kerberos_comment_W
[] = {'M','i','c','r','o','s','o','f','t',' ','K','e','r','b','e','r','o','s',' ','V','1','.','0',0};
76 static const SecPkgInfoW infoW
=
80 RPC_C_AUTHN_GSS_KERBEROS
,
86 static ULONG kerberos_package_id
;
87 static LSA_DISPATCH_TABLE lsa_dispatch
;
91 static void *libkrb5_handle
;
93 #define MAKE_FUNCPTR(f) static typeof(f) * p_##f
94 MAKE_FUNCPTR(krb5_cc_close
);
95 MAKE_FUNCPTR(krb5_cc_default
);
96 MAKE_FUNCPTR(krb5_cc_end_seq_get
);
97 MAKE_FUNCPTR(krb5_cc_initialize
);
98 MAKE_FUNCPTR(krb5_cc_next_cred
);
99 MAKE_FUNCPTR(krb5_cc_start_seq_get
);
100 MAKE_FUNCPTR(krb5_cc_store_cred
);
101 MAKE_FUNCPTR(krb5_cccol_cursor_free
);
102 MAKE_FUNCPTR(krb5_cccol_cursor_new
);
103 MAKE_FUNCPTR(krb5_cccol_cursor_next
);
104 MAKE_FUNCPTR(krb5_decode_ticket
);
105 MAKE_FUNCPTR(krb5_free_context
);
106 MAKE_FUNCPTR(krb5_free_cred_contents
);
107 MAKE_FUNCPTR(krb5_free_principal
);
108 MAKE_FUNCPTR(krb5_free_ticket
);
109 MAKE_FUNCPTR(krb5_free_unparsed_name
);
110 MAKE_FUNCPTR(krb5_get_init_creds_opt_alloc
);
111 MAKE_FUNCPTR(krb5_get_init_creds_opt_free
);
112 MAKE_FUNCPTR(krb5_get_init_creds_opt_set_out_ccache
);
113 MAKE_FUNCPTR(krb5_get_init_creds_password
);
114 MAKE_FUNCPTR(krb5_init_context
);
115 MAKE_FUNCPTR(krb5_is_config_principal
);
116 MAKE_FUNCPTR(krb5_parse_name_flags
);
117 MAKE_FUNCPTR(krb5_unparse_name_flags
);
120 static void load_krb5(void)
122 if (!(libkrb5_handle
= wine_dlopen(SONAME_LIBKRB5
, RTLD_NOW
, NULL
, 0)))
124 WARN("Failed to load %s, Kerberos support will be disabled\n", SONAME_LIBKRB5
);
128 #define LOAD_FUNCPTR(f) \
129 if (!(p_##f = wine_dlsym(libkrb5_handle, #f, NULL, 0))) \
131 ERR("Failed to load %s\n", #f); \
135 LOAD_FUNCPTR(krb5_cc_close
)
136 LOAD_FUNCPTR(krb5_cc_default
)
137 LOAD_FUNCPTR(krb5_cc_end_seq_get
)
138 LOAD_FUNCPTR(krb5_cc_initialize
)
139 LOAD_FUNCPTR(krb5_cc_next_cred
)
140 LOAD_FUNCPTR(krb5_cc_start_seq_get
)
141 LOAD_FUNCPTR(krb5_cc_store_cred
)
142 LOAD_FUNCPTR(krb5_cccol_cursor_free
)
143 LOAD_FUNCPTR(krb5_cccol_cursor_new
)
144 LOAD_FUNCPTR(krb5_cccol_cursor_next
)
145 LOAD_FUNCPTR(krb5_decode_ticket
)
146 LOAD_FUNCPTR(krb5_free_context
)
147 LOAD_FUNCPTR(krb5_free_cred_contents
)
148 LOAD_FUNCPTR(krb5_free_principal
)
149 LOAD_FUNCPTR(krb5_free_ticket
)
150 LOAD_FUNCPTR(krb5_free_unparsed_name
)
151 LOAD_FUNCPTR(krb5_get_init_creds_opt_alloc
)
152 LOAD_FUNCPTR(krb5_get_init_creds_opt_free
)
153 LOAD_FUNCPTR(krb5_get_init_creds_opt_set_out_ccache
)
154 LOAD_FUNCPTR(krb5_get_init_creds_password
)
155 LOAD_FUNCPTR(krb5_init_context
)
156 LOAD_FUNCPTR(krb5_is_config_principal
)
157 LOAD_FUNCPTR(krb5_parse_name_flags
)
158 LOAD_FUNCPTR(krb5_unparse_name_flags
)
164 wine_dlclose(libkrb5_handle
, NULL
, 0);
165 libkrb5_handle
= NULL
;
168 #else /* SONAME_LIBKRB5 */
170 static void load_krb5(void)
172 WARN("Kerberos support was not provided at compile time\n");
175 #endif /* SONAME_LIBKRB5 */
177 static const char *debugstr_us( const UNICODE_STRING
*us
)
179 if (!us
) return "<null>";
180 return debugstr_wn( us
->Buffer
, us
->Length
/ sizeof(WCHAR
) );
183 static NTSTATUS NTAPI
kerberos_LsaApInitializePackage(ULONG package_id
, PLSA_DISPATCH_TABLE dispatch
,
184 PLSA_STRING database
, PLSA_STRING confidentiality
, PLSA_STRING
*package_name
)
190 kerberos_package_id
= package_id
;
191 lsa_dispatch
= *dispatch
;
193 kerberos_name
= lsa_dispatch
.AllocateLsaHeap(sizeof(MICROSOFT_KERBEROS_NAME_A
));
194 if (!kerberos_name
) return STATUS_NO_MEMORY
;
196 memcpy(kerberos_name
, MICROSOFT_KERBEROS_NAME_A
, sizeof(MICROSOFT_KERBEROS_NAME_A
));
198 *package_name
= lsa_dispatch
.AllocateLsaHeap(sizeof(**package_name
));
201 lsa_dispatch
.FreeLsaHeap(kerberos_name
);
202 return STATUS_NO_MEMORY
;
205 RtlInitString(*package_name
, kerberos_name
);
207 return STATUS_SUCCESS
;
210 #ifdef SONAME_LIBKRB5
214 ULONG count
, allocated
;
215 KERB_TICKET_CACHE_INFO
*info
;
218 static NTSTATUS
krb5_error_to_status(krb5_error_code error
)
222 case 0: return STATUS_SUCCESS
;
225 return STATUS_UNSUCCESSFUL
;
229 static void free_ticket_info(struct ticket_info
*info
)
233 for (i
= 0; i
< info
->count
; i
++)
235 heap_free(info
->info
[i
].RealmName
.Buffer
);
236 heap_free(info
->info
[i
].ServerName
.Buffer
);
239 heap_free(info
->info
);
242 static WCHAR
*utf8_to_wstr(const char *utf8
)
247 len
= MultiByteToWideChar(CP_UTF8
, 0, utf8
, -1, NULL
, 0);
248 wstr
= heap_alloc(len
* sizeof(WCHAR
));
250 MultiByteToWideChar(CP_UTF8
, 0, utf8
, -1, wstr
, len
);
255 static NTSTATUS
copy_tickets_from_cache(krb5_context context
, krb5_ccache cache
, struct ticket_info
*info
)
258 krb5_cc_cursor cursor
;
259 krb5_error_code error
;
260 krb5_creds credentials
;
262 char *name_with_realm
, *name_without_realm
, *realm_name
;
263 WCHAR
*realm_nameW
, *name_without_realmW
;
265 error
= p_krb5_cc_start_seq_get(context
, cache
, &cursor
);
266 if (error
) return krb5_error_to_status(error
);
270 error
= p_krb5_cc_next_cred(context
, cache
, &cursor
, &credentials
);
273 if (error
== KRB5_CC_END
)
274 status
= STATUS_SUCCESS
;
276 status
= krb5_error_to_status(error
);
280 if (p_krb5_is_config_principal(context
, credentials
.server
))
282 p_krb5_free_cred_contents(context
, &credentials
);
286 if (info
->count
== info
->allocated
)
288 KERB_TICKET_CACHE_INFO
*new_info
;
293 new_allocated
= info
->allocated
* 2;
294 new_info
= heap_realloc(info
->info
, sizeof(*new_info
) * new_allocated
);
299 new_info
= heap_alloc(sizeof(*new_info
) * new_allocated
);
303 p_krb5_free_cred_contents(context
, &credentials
);
304 status
= STATUS_NO_MEMORY
;
308 info
->info
= new_info
;
309 info
->allocated
= new_allocated
;
312 error
= p_krb5_unparse_name_flags(context
, credentials
.server
, 0, &name_with_realm
);
315 p_krb5_free_cred_contents(context
, &credentials
);
316 status
= krb5_error_to_status(error
);
320 TRACE("name_with_realm: %s\n", debugstr_a(name_with_realm
));
322 error
= p_krb5_unparse_name_flags(context
, credentials
.server
,
323 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &name_without_realm
);
326 p_krb5_free_unparsed_name(context
, name_with_realm
);
327 p_krb5_free_cred_contents(context
, &credentials
);
328 status
= krb5_error_to_status(error
);
332 TRACE("name_without_realm: %s\n", debugstr_a(name_without_realm
));
334 name_without_realmW
= utf8_to_wstr(name_without_realm
);
335 RtlInitUnicodeString(&info
->info
[info
->count
].ServerName
, name_without_realmW
);
337 realm_name
= strchr(name_with_realm
, '@');
340 ERR("wrong name with realm %s\n", debugstr_a(name_with_realm
));
341 realm_name
= name_with_realm
;
346 /* realm_name - now contains only realm! */
348 realm_nameW
= utf8_to_wstr(realm_name
);
349 RtlInitUnicodeString(&info
->info
[info
->count
].RealmName
, realm_nameW
);
351 if (!credentials
.times
.starttime
)
352 credentials
.times
.starttime
= credentials
.times
.authtime
;
354 /* TODO: if krb5_is_config_principal = true */
355 RtlSecondsSince1970ToTime(credentials
.times
.starttime
, &info
->info
[info
->count
].StartTime
);
356 RtlSecondsSince1970ToTime(credentials
.times
.endtime
, &info
->info
[info
->count
].EndTime
);
357 RtlSecondsSince1970ToTime(credentials
.times
.renew_till
, &info
->info
[info
->count
].RenewTime
);
359 info
->info
[info
->count
].TicketFlags
= credentials
.ticket_flags
;
361 error
= p_krb5_decode_ticket(&credentials
.ticket
, &ticket
);
363 p_krb5_free_unparsed_name(context
, name_with_realm
);
364 p_krb5_free_unparsed_name(context
, name_without_realm
);
365 p_krb5_free_cred_contents(context
, &credentials
);
369 status
= krb5_error_to_status(error
);
373 info
->info
[info
->count
].EncryptionType
= ticket
->enc_part
.enctype
;
375 p_krb5_free_ticket(context
, ticket
);
380 p_krb5_cc_end_seq_get(context
, cache
, &cursor
);
385 static inline void init_client_us(UNICODE_STRING
*dst
, void *client_ws
, const UNICODE_STRING
*src
)
387 dst
->Buffer
= client_ws
;
388 dst
->Length
= src
->Length
;
389 dst
->MaximumLength
= src
->MaximumLength
;
392 static NTSTATUS
copy_to_client(PLSA_CLIENT_REQUEST lsa_req
, struct ticket_info
*info
, void **out
, ULONG
*out_size
)
396 SIZE_T size
, client_str_off
;
397 char *client_resp
, *client_ticket
, *client_str
;
398 KERB_QUERY_TKT_CACHE_RESPONSE resp
;
400 size
= sizeof(KERB_QUERY_TKT_CACHE_RESPONSE
);
401 if (info
->count
!= 0)
402 size
+= (info
->count
- 1) * sizeof(KERB_TICKET_CACHE_INFO
);
404 client_str_off
= size
;
406 for (i
= 0; i
< info
->count
; i
++)
408 size
+= info
->info
[i
].RealmName
.MaximumLength
;
409 size
+= info
->info
[i
].ServerName
.MaximumLength
;
412 status
= lsa_dispatch
.AllocateClientBuffer(lsa_req
, size
, (void **)&client_resp
);
413 if (status
!= STATUS_SUCCESS
) return status
;
415 resp
.MessageType
= KerbQueryTicketCacheMessage
;
416 resp
.CountOfTickets
= info
->count
;
417 size
= FIELD_OFFSET(KERB_QUERY_TKT_CACHE_RESPONSE
, Tickets
);
418 status
= lsa_dispatch
.CopyToClientBuffer(lsa_req
, size
, client_resp
, &resp
);
419 if (status
!= STATUS_SUCCESS
) goto fail
;
424 *out_size
= sizeof(resp
);
425 return STATUS_SUCCESS
;
430 client_ticket
= client_resp
+ size
;
431 client_str
= client_resp
+ client_str_off
;
433 for (i
= 0; i
< info
->count
; i
++)
435 KERB_TICKET_CACHE_INFO ticket
;
437 ticket
= info
->info
[i
];
439 init_client_us(&ticket
.RealmName
, client_str
, &info
->info
[i
].RealmName
);
441 size
= info
->info
[i
].RealmName
.MaximumLength
;
442 status
= lsa_dispatch
.CopyToClientBuffer(lsa_req
, size
, client_str
, info
->info
[i
].RealmName
.Buffer
);
443 if (status
!= STATUS_SUCCESS
) goto fail
;
447 init_client_us(&ticket
.ServerName
, client_str
, &info
->info
[i
].ServerName
);
449 size
= info
->info
[i
].ServerName
.MaximumLength
;
450 status
= lsa_dispatch
.CopyToClientBuffer(lsa_req
, size
, client_str
, info
->info
[i
].ServerName
.Buffer
);
451 if (status
!= STATUS_SUCCESS
) goto fail
;
455 status
= lsa_dispatch
.CopyToClientBuffer(lsa_req
, sizeof(ticket
), client_ticket
, &ticket
);
456 if (status
!= STATUS_SUCCESS
) goto fail
;
458 client_ticket
+= sizeof(ticket
);
459 *out_size
+= sizeof(ticket
);
463 return STATUS_SUCCESS
;
466 lsa_dispatch
.FreeClientBuffer(lsa_req
, client_resp
);
470 static NTSTATUS
query_ticket_cache(PLSA_CLIENT_REQUEST lsa_req
, void *in
, ULONG in_len
, void **out
, ULONG
*out_len
)
473 KERB_QUERY_TKT_CACHE_REQUEST
*query
;
474 struct ticket_info info
;
475 krb5_error_code error
;
476 krb5_context context
= NULL
;
477 krb5_cccol_cursor cursor
= NULL
;
480 if (!in
|| in_len
!= sizeof(KERB_QUERY_TKT_CACHE_REQUEST
) || !out
|| !out_len
)
481 return STATUS_INVALID_PARAMETER
;
483 query
= (KERB_QUERY_TKT_CACHE_REQUEST
*)in
;
485 if (query
->LogonId
.HighPart
!= 0 || query
->LogonId
.LowPart
!= 0)
486 return STATUS_ACCESS_DENIED
;
492 error
= p_krb5_init_context(&context
);
495 status
= krb5_error_to_status(error
);
499 error
= p_krb5_cccol_cursor_new(context
, &cursor
);
502 status
= krb5_error_to_status(error
);
508 error
= p_krb5_cccol_cursor_next(context
, cursor
, &cache
);
511 status
= krb5_error_to_status(error
);
516 status
= copy_tickets_from_cache(context
, cache
, &info
);
518 p_krb5_cc_close(context
, cache
);
520 if (status
!= STATUS_SUCCESS
)
524 status
= copy_to_client(lsa_req
, &info
, out
, out_len
);
528 p_krb5_cccol_cursor_free(context
, &cursor
);
531 p_krb5_free_context(context
);
533 free_ticket_info(&info
);
538 #else /* SONAME_LIBKRB5 */
540 static NTSTATUS
query_ticket_cache(PLSA_CLIENT_REQUEST lsa_req
, void *in
, ULONG in_len
, void **out
, ULONG
*out_len
)
542 FIXME("%p,%p,%u,%p,%p: stub\n", lsa_req
, in
, in_len
, out
, out_len
);
543 return STATUS_NOT_IMPLEMENTED
;
546 #endif /* SONAME_LIBKRB5 */
548 static NTSTATUS NTAPI
kerberos_LsaApCallPackageUntrusted(PLSA_CLIENT_REQUEST request
,
549 PVOID in_buffer
, PVOID client_buffer_base
, ULONG in_buffer_length
,
550 PVOID
*out_buffer
, PULONG out_buffer_length
, PNTSTATUS status
)
552 KERB_PROTOCOL_MESSAGE_TYPE msg
;
554 TRACE("%p,%p,%p,%u,%p,%p,%p\n", request
, in_buffer
, client_buffer_base
,
555 in_buffer_length
, out_buffer
, out_buffer_length
, status
);
557 if (!in_buffer
|| in_buffer_length
< sizeof(msg
))
558 return STATUS_INVALID_PARAMETER
;
560 msg
= *(KERB_PROTOCOL_MESSAGE_TYPE
*)in_buffer
;
564 case KerbQueryTicketCacheMessage
:
565 *status
= query_ticket_cache(request
, in_buffer
, in_buffer_length
, out_buffer
, out_buffer_length
);
568 case KerbRetrieveTicketMessage
:
569 FIXME("KerbRetrieveTicketMessage stub\n");
570 *status
= STATUS_NOT_IMPLEMENTED
;
573 case KerbPurgeTicketCacheMessage
:
574 FIXME("KerbPurgeTicketCacheMessage stub\n");
575 *status
= STATUS_NOT_IMPLEMENTED
;
578 default: /* All other requests should call LsaApCallPackage */
579 WARN("%u => access denied\n", msg
);
580 *status
= STATUS_ACCESS_DENIED
;
587 static NTSTATUS NTAPI
kerberos_SpGetInfo(SecPkgInfoW
*info
)
591 /* LSA will make a copy before forwarding the structure, so
592 * it's safe to put pointers to dynamic or constant data there.
596 return STATUS_SUCCESS
;
599 #ifdef SONAME_LIBGSSAPI_KRB5
601 WINE_DECLARE_DEBUG_CHANNEL(winediag
);
602 static void *libgssapi_krb5_handle
;
604 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
605 MAKE_FUNCPTR(gss_accept_sec_context
);
606 MAKE_FUNCPTR(gss_acquire_cred
);
607 MAKE_FUNCPTR(gss_delete_sec_context
);
608 MAKE_FUNCPTR(gss_display_status
);
609 MAKE_FUNCPTR(gss_get_mic
);
610 MAKE_FUNCPTR(gss_import_name
);
611 MAKE_FUNCPTR(gss_init_sec_context
);
612 MAKE_FUNCPTR(gss_inquire_context
);
613 MAKE_FUNCPTR(gss_release_buffer
);
614 MAKE_FUNCPTR(gss_release_cred
);
615 MAKE_FUNCPTR(gss_release_iov_buffer
);
616 MAKE_FUNCPTR(gss_release_name
);
617 MAKE_FUNCPTR(gss_unwrap
);
618 MAKE_FUNCPTR(gss_unwrap_iov
);
619 MAKE_FUNCPTR(gss_verify_mic
);
620 MAKE_FUNCPTR(gss_wrap
);
621 MAKE_FUNCPTR(gss_wrap_iov
);
624 static BOOL
load_gssapi_krb5(void)
626 if (!(libgssapi_krb5_handle
= wine_dlopen( SONAME_LIBGSSAPI_KRB5
, RTLD_NOW
, NULL
, 0 )))
628 ERR_(winediag
)( "Failed to load libgssapi_krb5, Kerberos SSP support will not be available.\n" );
632 #define LOAD_FUNCPTR(f) \
633 if (!(p##f = wine_dlsym( libgssapi_krb5_handle, #f, NULL, 0 ))) \
635 ERR( "Failed to load %s\n", #f ); \
639 LOAD_FUNCPTR(gss_accept_sec_context
)
640 LOAD_FUNCPTR(gss_acquire_cred
)
641 LOAD_FUNCPTR(gss_delete_sec_context
)
642 LOAD_FUNCPTR(gss_display_status
)
643 LOAD_FUNCPTR(gss_get_mic
)
644 LOAD_FUNCPTR(gss_import_name
)
645 LOAD_FUNCPTR(gss_init_sec_context
)
646 LOAD_FUNCPTR(gss_inquire_context
)
647 LOAD_FUNCPTR(gss_release_buffer
)
648 LOAD_FUNCPTR(gss_release_cred
)
649 LOAD_FUNCPTR(gss_release_iov_buffer
)
650 LOAD_FUNCPTR(gss_release_name
)
651 LOAD_FUNCPTR(gss_unwrap
)
652 LOAD_FUNCPTR(gss_unwrap_iov
)
653 LOAD_FUNCPTR(gss_verify_mic
)
654 LOAD_FUNCPTR(gss_wrap
)
655 LOAD_FUNCPTR(gss_wrap_iov
)
661 wine_dlclose( libgssapi_krb5_handle
, NULL
, 0 );
662 libgssapi_krb5_handle
= NULL
;
666 static void unload_gssapi_krb5(void)
668 wine_dlclose( libgssapi_krb5_handle
, NULL
, 0 );
669 libgssapi_krb5_handle
= NULL
;
672 static inline gss_cred_id_t
credhandle_sspi_to_gss( LSA_SEC_HANDLE cred
)
674 if (!cred
) return GSS_C_NO_CREDENTIAL
;
675 return (gss_cred_id_t
)cred
;
678 static inline void credhandle_gss_to_sspi( gss_cred_id_t handle
, LSA_SEC_HANDLE
*cred
)
680 *cred
= (LSA_SEC_HANDLE
)handle
;
683 static inline gss_ctx_id_t
ctxthandle_sspi_to_gss( LSA_SEC_HANDLE ctxt
)
685 if (!ctxt
) return GSS_C_NO_CONTEXT
;
686 return (gss_ctx_id_t
)ctxt
;
689 static inline void ctxthandle_gss_to_sspi( gss_ctx_id_t handle
, LSA_SEC_HANDLE
*ctxt
)
691 *ctxt
= (LSA_SEC_HANDLE
)handle
;
694 static NTSTATUS
status_gss_to_sspi( OM_uint32 status
)
698 case GSS_S_COMPLETE
: return SEC_E_OK
;
699 case GSS_S_BAD_MECH
: return SEC_E_SECPKG_NOT_FOUND
;
700 case GSS_S_BAD_SIG
: return SEC_E_MESSAGE_ALTERED
;
701 case GSS_S_NO_CRED
: return SEC_E_NO_CREDENTIALS
;
702 case GSS_S_NO_CONTEXT
: return SEC_E_INVALID_HANDLE
;
703 case GSS_S_DEFECTIVE_TOKEN
: return SEC_E_INVALID_TOKEN
;
704 case GSS_S_DEFECTIVE_CREDENTIAL
: return SEC_E_NO_CREDENTIALS
;
705 case GSS_S_CREDENTIALS_EXPIRED
: return SEC_E_CONTEXT_EXPIRED
;
706 case GSS_S_CONTEXT_EXPIRED
: return SEC_E_CONTEXT_EXPIRED
;
707 case GSS_S_BAD_QOP
: return SEC_E_QOP_NOT_SUPPORTED
;
708 case GSS_S_CONTINUE_NEEDED
: return SEC_I_CONTINUE_NEEDED
;
709 case GSS_S_DUPLICATE_TOKEN
: return SEC_E_INVALID_TOKEN
;
710 case GSS_S_OLD_TOKEN
: return SEC_E_INVALID_TOKEN
;
711 case GSS_S_UNSEQ_TOKEN
: return SEC_E_OUT_OF_SEQUENCE
;
712 case GSS_S_GAP_TOKEN
: return SEC_E_OUT_OF_SEQUENCE
;
713 case GSS_S_FAILURE
: return SEC_E_INTERNAL_ERROR
;
716 FIXME( "couldn't convert status 0x%08x to NTSTATUS\n", status
);
717 return SEC_E_INTERNAL_ERROR
;
721 static void trace_gss_status_ex( OM_uint32 code
, int type
)
723 OM_uint32 ret
, minor_status
;
725 OM_uint32 message_context
= 0;
729 ret
= pgss_display_status( &minor_status
, code
, type
, GSS_C_NULL_OID
, &message_context
, &buf
);
732 TRACE( "gss_display_status(0x%08x,%d) returned %08x minor status %08x\n",
733 code
, type
, ret
, minor_status
);
736 TRACE( "GSS-API error: 0x%08x: %s\n", code
, debugstr_an(buf
.value
, buf
.length
) );
737 pgss_release_buffer( &minor_status
, &buf
);
739 if (!message_context
) return;
743 static void trace_gss_status( OM_uint32 major_status
, OM_uint32 minor_status
)
745 if (TRACE_ON(kerberos
))
747 trace_gss_status_ex( major_status
, GSS_C_GSS_CODE
);
748 trace_gss_status_ex( minor_status
, GSS_C_MECH_CODE
);
752 static void expirytime_gss_to_sspi( OM_uint32 expirytime
, TimeStamp
*timestamp
)
758 GetLocalTime( &time
);
759 SystemTimeToFileTime( &time
, &filetime
);
760 tmp
.QuadPart
= ((ULONGLONG
)filetime
.dwLowDateTime
| (ULONGLONG
)filetime
.dwHighDateTime
<< 32) + expirytime
;
761 timestamp
->LowPart
= tmp
.QuadPart
;
762 timestamp
->HighPart
= tmp
.QuadPart
>> 32;
765 static NTSTATUS
name_sspi_to_gss( const UNICODE_STRING
*name_str
, gss_name_t
*name
)
767 OM_uint32 ret
, minor_status
;
768 gss_OID type
= GSS_C_NO_OID
; /* FIXME: detect the appropriate value for this ourselves? */
771 buf
.length
= WideCharToMultiByte( CP_UNIXCP
, 0, name_str
->Buffer
, name_str
->Length
/ sizeof(WCHAR
), NULL
, 0, NULL
, NULL
);
772 if (!(buf
.value
= heap_alloc( buf
.length
))) return SEC_E_INSUFFICIENT_MEMORY
;
773 WideCharToMultiByte( CP_UNIXCP
, 0, name_str
->Buffer
, name_str
->Length
/ sizeof(WCHAR
), buf
.value
, buf
.length
, NULL
, NULL
);
775 ret
= pgss_import_name( &minor_status
, &buf
, type
, name
);
776 TRACE( "gss_import_name returned %08x minor status %08x\n", ret
, minor_status
);
777 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
779 heap_free( buf
.value
);
780 return status_gss_to_sspi( ret
);
783 static ULONG
flags_isc_req_to_gss( ULONG flags
)
786 if (flags
& ISC_REQ_DELEGATE
) ret
|= GSS_C_DELEG_FLAG
;
787 if (flags
& ISC_REQ_MUTUAL_AUTH
) ret
|= GSS_C_MUTUAL_FLAG
;
788 if (flags
& ISC_REQ_REPLAY_DETECT
) ret
|= GSS_C_REPLAY_FLAG
;
789 if (flags
& ISC_REQ_SEQUENCE_DETECT
) ret
|= GSS_C_SEQUENCE_FLAG
;
790 if (flags
& ISC_REQ_CONFIDENTIALITY
) ret
|= GSS_C_CONF_FLAG
;
791 if (flags
& ISC_REQ_INTEGRITY
) ret
|= GSS_C_INTEG_FLAG
;
792 if (flags
& ISC_REQ_NULL_SESSION
) ret
|= GSS_C_ANON_FLAG
;
793 if (flags
& ISC_REQ_USE_DCE_STYLE
) ret
|= GSS_C_DCE_STYLE
;
797 static ULONG
flags_gss_to_isc_ret( ULONG flags
)
800 if (flags
& GSS_C_DELEG_FLAG
) ret
|= ISC_RET_DELEGATE
;
801 if (flags
& GSS_C_MUTUAL_FLAG
) ret
|= ISC_RET_MUTUAL_AUTH
;
802 if (flags
& GSS_C_REPLAY_FLAG
) ret
|= ISC_RET_REPLAY_DETECT
;
803 if (flags
& GSS_C_SEQUENCE_FLAG
) ret
|= ISC_RET_SEQUENCE_DETECT
;
804 if (flags
& GSS_C_CONF_FLAG
) ret
|= ISC_RET_CONFIDENTIALITY
;
805 if (flags
& GSS_C_INTEG_FLAG
) ret
|= ISC_RET_INTEGRITY
;
806 if (flags
& GSS_C_ANON_FLAG
) ret
|= ISC_RET_NULL_SESSION
;
810 static ULONG
flags_gss_to_asc_ret( ULONG flags
)
813 if (flags
& GSS_C_DELEG_FLAG
) ret
|= ASC_RET_DELEGATE
;
814 if (flags
& GSS_C_MUTUAL_FLAG
) ret
|= ASC_RET_MUTUAL_AUTH
;
815 if (flags
& GSS_C_REPLAY_FLAG
) ret
|= ASC_RET_REPLAY_DETECT
;
816 if (flags
& GSS_C_SEQUENCE_FLAG
) ret
|= ASC_RET_SEQUENCE_DETECT
;
817 if (flags
& GSS_C_CONF_FLAG
) ret
|= ASC_RET_CONFIDENTIALITY
;
818 if (flags
& GSS_C_INTEG_FLAG
) ret
|= ASC_RET_INTEGRITY
;
819 if (flags
& GSS_C_ANON_FLAG
) ret
|= ASC_RET_NULL_SESSION
;
823 static BOOL
is_dce_style_context( gss_ctx_id_t ctxt_handle
)
825 OM_uint32 ret
, minor_status
, flags
;
826 ret
= pgss_inquire_context( &minor_status
, ctxt_handle
, NULL
, NULL
, NULL
, NULL
, &flags
, NULL
, NULL
);
827 return (ret
== GSS_S_COMPLETE
&& (flags
& GSS_C_DCE_STYLE
));
830 static int get_buffer_index( SecBufferDesc
*desc
, DWORD type
)
833 if (!desc
) return -1;
834 for (i
= 0; i
< desc
->cBuffers
; i
++)
836 if (desc
->pBuffers
[i
].BufferType
== type
) return i
;
841 static char *get_user_at_domain( const WCHAR
*user
, ULONG user_len
, const WCHAR
*domain
, ULONG domain_len
)
843 int len_user
, len_domain
;
846 len_user
= WideCharToMultiByte( CP_UNIXCP
, 0, user
, user_len
, NULL
, 0, NULL
, NULL
);
847 len_domain
= WideCharToMultiByte( CP_UNIXCP
, 0, domain
, domain_len
, NULL
, 0, NULL
, NULL
);
848 if (!(ret
= heap_alloc( len_user
+ len_domain
+ 2 ))) return NULL
;
850 WideCharToMultiByte( CP_UNIXCP
, 0, user
, user_len
, ret
, len_user
, NULL
, NULL
);
852 WideCharToMultiByte( CP_UNIXCP
, 0, domain
, domain_len
, ret
+ len_user
+ 1, len_domain
, NULL
, NULL
);
853 ret
[len_user
+ len_domain
+ 1] = 0;
857 static char *get_password( const WCHAR
*passwd
, ULONG passwd_len
)
862 len
= WideCharToMultiByte( CP_UNIXCP
, WC_NO_BEST_FIT_CHARS
, passwd
, passwd_len
, NULL
, 0, NULL
, NULL
);
863 if (!(ret
= heap_alloc( len
+ 1 ))) return NULL
;
864 WideCharToMultiByte( CP_UNIXCP
, 0, passwd
, passwd_len
, ret
, len
, NULL
, NULL
);
869 static NTSTATUS
init_creds( const SEC_WINNT_AUTH_IDENTITY_W
*id
)
871 char *user_at_domain
, *password
;
873 krb5_principal principal
= NULL
;
874 krb5_get_init_creds_opt
*options
= NULL
;
875 krb5_ccache cache
= NULL
;
879 if (!id
) return STATUS_SUCCESS
;
880 if (id
->Flags
& SEC_WINNT_AUTH_IDENTITY_ANSI
)
882 FIXME( "ANSI identity not supported\n" );
883 return SEC_E_UNSUPPORTED_FUNCTION
;
885 if (!(user_at_domain
= get_user_at_domain( id
->User
, id
->UserLength
, id
->Domain
, id
->DomainLength
)))
887 return SEC_E_INSUFFICIENT_MEMORY
;
889 if (!(password
= get_password( id
->Password
, id
->PasswordLength
)))
891 heap_free( user_at_domain
);
892 return SEC_E_INSUFFICIENT_MEMORY
;
895 if ((err
= p_krb5_init_context( &ctx
)))
897 heap_free( password
);
898 heap_free( user_at_domain
);
899 return krb5_error_to_status( err
);
901 if ((err
= p_krb5_parse_name_flags( ctx
, user_at_domain
, 0, &principal
))) goto done
;
902 if ((err
= p_krb5_cc_default( ctx
, &cache
))) goto done
;
903 if ((err
= p_krb5_get_init_creds_opt_alloc( ctx
, &options
))) goto done
;
904 if ((err
= p_krb5_get_init_creds_opt_set_out_ccache( ctx
, options
, cache
))) goto done
;
905 if ((err
= p_krb5_get_init_creds_password( ctx
, &creds
, principal
, password
, 0, NULL
, 0, NULL
, 0 ))) goto done
;
906 if ((err
= p_krb5_cc_initialize( ctx
, cache
, principal
))) goto done
;
907 if ((err
= p_krb5_cc_store_cred( ctx
, cache
, &creds
))) goto done
;
909 TRACE( "success\n" );
910 p_krb5_free_cred_contents( ctx
, &creds
);
913 if (cache
) p_krb5_cc_close( ctx
, cache
);
914 if (principal
) p_krb5_free_principal( ctx
, principal
);
915 if (options
) p_krb5_get_init_creds_opt_free( ctx
, options
);
916 p_krb5_free_context( ctx
);
917 heap_free( user_at_domain
);
918 heap_free( password
);
920 return krb5_error_to_status( err
);
923 static NTSTATUS
acquire_credentials_handle( UNICODE_STRING
*principal_us
, gss_cred_usage_t cred_usage
,
924 LSA_SEC_HANDLE
*credential
, TimeStamp
*ts_expiry
)
926 OM_uint32 ret
, minor_status
, expiry_time
;
927 gss_name_t principal
= GSS_C_NO_NAME
;
928 gss_cred_id_t cred_handle
;
931 if (principal_us
&& ((status
= name_sspi_to_gss( principal_us
, &principal
)) != SEC_E_OK
)) return status
;
933 ret
= pgss_acquire_cred( &minor_status
, principal
, GSS_C_INDEFINITE
, GSS_C_NULL_OID_SET
, cred_usage
,
934 &cred_handle
, NULL
, &expiry_time
);
935 TRACE( "gss_acquire_cred returned %08x minor status %08x\n", ret
, minor_status
);
936 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
937 if (ret
== GSS_S_COMPLETE
)
939 credhandle_gss_to_sspi( cred_handle
, credential
);
940 expirytime_gss_to_sspi( expiry_time
, ts_expiry
);
943 if (principal
!= GSS_C_NO_NAME
) pgss_release_name( &minor_status
, &principal
);
945 return status_gss_to_sspi( ret
);
947 #endif /* SONAME_LIBGSSAPI_KRB5 */
949 static NTSTATUS NTAPI
kerberos_SpAcquireCredentialsHandle(
950 UNICODE_STRING
*principal_us
, ULONG credential_use
, LUID
*logon_id
, void *auth_data
,
951 void *get_key_fn
, void *get_key_arg
, LSA_SEC_HANDLE
*credential
, TimeStamp
*ts_expiry
)
953 #ifdef SONAME_LIBGSSAPI_KRB5
954 gss_cred_usage_t cred_usage
;
957 TRACE( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us
), credential_use
,
958 logon_id
, auth_data
, get_key_fn
, get_key_arg
, credential
, ts_expiry
);
960 switch (credential_use
)
962 case SECPKG_CRED_INBOUND
:
963 cred_usage
= GSS_C_ACCEPT
;
966 case SECPKG_CRED_OUTBOUND
:
967 if ((status
= init_creds( auth_data
)) != STATUS_SUCCESS
) return status
;
968 cred_usage
= GSS_C_INITIATE
;
971 case SECPKG_CRED_BOTH
:
972 cred_usage
= GSS_C_BOTH
;
976 return SEC_E_UNKNOWN_CREDENTIALS
;
979 return acquire_credentials_handle( principal_us
, cred_usage
, credential
, ts_expiry
);
981 FIXME( "(%s 0x%08x %p %p %p %p %p %p)\n", debugstr_us(principal_us
), credential_use
,
982 logon_id
, auth_data
, get_key_fn
, get_key_arg
, credential
, ts_expiry
);
983 FIXME( "Wine was built without Kerberos support.\n" );
984 return SEC_E_UNSUPPORTED_FUNCTION
;
988 static NTSTATUS NTAPI
kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credential
)
990 #ifdef SONAME_LIBGSSAPI_KRB5
991 OM_uint32 ret
, minor_status
;
992 gss_cred_id_t cred_handle
;
994 TRACE( "(%lx)\n", credential
);
996 if (!credential
) return SEC_E_INVALID_HANDLE
;
997 if (!(cred_handle
= credhandle_sspi_to_gss( credential
))) return SEC_E_OK
;
999 ret
= pgss_release_cred( &minor_status
, &cred_handle
);
1000 TRACE( "gss_release_cred returned %08x minor status %08x\n", ret
, minor_status
);
1001 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1003 return status_gss_to_sspi( ret
);
1005 FIXME( "(%lx)\n", credential
);
1006 return SEC_E_UNSUPPORTED_FUNCTION
;
1010 static NTSTATUS NTAPI
kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential
, LSA_SEC_HANDLE context
,
1011 UNICODE_STRING
*target_name
, ULONG context_req
, ULONG target_data_rep
, SecBufferDesc
*input
,
1012 LSA_SEC_HANDLE
*new_context
, SecBufferDesc
*output
, ULONG
*context_attr
, TimeStamp
*ts_expiry
,
1013 BOOLEAN
*mapped_context
, SecBuffer
*context_data
)
1015 #ifdef SONAME_LIBGSSAPI_KRB5
1016 static const ULONG supported
= ISC_REQ_CONFIDENTIALITY
| ISC_REQ_INTEGRITY
| ISC_REQ_SEQUENCE_DETECT
|
1017 ISC_REQ_REPLAY_DETECT
| ISC_REQ_MUTUAL_AUTH
| ISC_REQ_USE_DCE_STYLE
;
1018 OM_uint32 ret
, minor_status
, ret_flags
= 0, expiry_time
, req_flags
= flags_isc_req_to_gss( context_req
);
1019 gss_cred_id_t cred_handle
;
1020 gss_ctx_id_t ctxt_handle
;
1021 gss_buffer_desc input_token
, output_token
;
1022 gss_name_t target
= GSS_C_NO_NAME
;
1026 TRACE( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential
, context
, debugstr_us(target_name
),
1027 context_req
, target_data_rep
, input
, new_context
, output
, context_attr
, ts_expiry
,
1028 mapped_context
, context_data
);
1029 if (context_req
& ~supported
)
1030 FIXME( "flags 0x%08x not supported\n", context_req
& ~supported
);
1032 if (!context
&& !input
&& !credential
) return SEC_E_INVALID_HANDLE
;
1033 cred_handle
= credhandle_sspi_to_gss( credential
);
1034 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1036 if ((idx
= get_buffer_index( input
, SECBUFFER_TOKEN
)) == -1) input_token
.length
= 0;
1039 input_token
.length
= input
->pBuffers
[idx
].cbBuffer
;
1040 input_token
.value
= input
->pBuffers
[idx
].pvBuffer
;
1043 if ((idx
= get_buffer_index( output
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1044 output_token
.length
= 0;
1045 output_token
.value
= NULL
;
1047 if (target_name
&& ((status
= name_sspi_to_gss( target_name
, &target
)) != SEC_E_OK
)) return status
;
1049 ret
= pgss_init_sec_context( &minor_status
, cred_handle
, &ctxt_handle
, target
, GSS_C_NO_OID
, req_flags
, 0,
1050 GSS_C_NO_CHANNEL_BINDINGS
, &input_token
, NULL
, &output_token
, &ret_flags
,
1052 TRACE( "gss_init_sec_context returned %08x minor status %08x ret_flags %08x\n", ret
, minor_status
, ret_flags
);
1053 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1054 if (ret
== GSS_S_COMPLETE
|| ret
== GSS_S_CONTINUE_NEEDED
)
1056 if (output_token
.length
> output
->pBuffers
[idx
].cbBuffer
) /* FIXME: check if larger buffer exists */
1058 TRACE( "buffer too small %lu > %u\n", (SIZE_T
)output_token
.length
, output
->pBuffers
[idx
].cbBuffer
);
1059 pgss_release_buffer( &minor_status
, &output_token
);
1060 pgss_delete_sec_context( &minor_status
, &ctxt_handle
, GSS_C_NO_BUFFER
);
1061 return SEC_E_INCOMPLETE_MESSAGE
;
1063 output
->pBuffers
[idx
].cbBuffer
= output_token
.length
;
1064 memcpy( output
->pBuffers
[idx
].pvBuffer
, output_token
.value
, output_token
.length
);
1065 pgss_release_buffer( &minor_status
, &output_token
);
1067 ctxthandle_gss_to_sspi( ctxt_handle
, new_context
);
1068 if (context_attr
) *context_attr
= flags_gss_to_isc_ret( ret_flags
);
1069 expirytime_gss_to_sspi( expiry_time
, ts_expiry
);
1072 if (target
!= GSS_C_NO_NAME
) pgss_release_name( &minor_status
, &target
);
1074 /* we do support user mode SSP/AP functions */
1075 *mapped_context
= TRUE
;
1076 /* FIXME: initialize context_data */
1078 return status_gss_to_sspi( ret
);
1080 FIXME( "(%lx %lx %s 0x%08x %u %p %p %p %p %p %p %p)\n", credential
, context
, debugstr_us(target_name
),
1081 context_req
, target_data_rep
, input
, new_context
, output
, context_attr
, ts_expiry
,
1082 mapped_context
, context_data
);
1083 return SEC_E_UNSUPPORTED_FUNCTION
;
1087 static NTSTATUS NTAPI
kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential
, LSA_SEC_HANDLE context
,
1088 SecBufferDesc
*input
, ULONG context_req
, ULONG target_data_rep
, LSA_SEC_HANDLE
*new_context
,
1089 SecBufferDesc
*output
, ULONG
*context_attr
, TimeStamp
*ts_expiry
, BOOLEAN
*mapped_context
, SecBuffer
*context_data
)
1091 #ifdef SONAME_LIBGSSAPI_KRB5
1092 OM_uint32 ret
, minor_status
, ret_flags
= 0, expiry_time
;
1093 gss_cred_id_t cred_handle
;
1094 gss_ctx_id_t ctxt_handle
;
1095 gss_buffer_desc input_token
, output_token
;
1096 gss_name_t target
= GSS_C_NO_NAME
;
1099 TRACE( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential
, context
, context_req
,
1100 target_data_rep
, input
, new_context
, output
, context_attr
, ts_expiry
,
1101 mapped_context
, context_data
);
1102 if (context_req
) FIXME( "ignoring flags 0x%08x\n", context_req
);
1104 if (!context
&& !input
&& !credential
) return SEC_E_INVALID_HANDLE
;
1105 cred_handle
= credhandle_sspi_to_gss( credential
);
1106 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1108 if (!input
) input_token
.length
= 0;
1111 if ((idx
= get_buffer_index( input
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1112 input_token
.length
= input
->pBuffers
[idx
].cbBuffer
;
1113 input_token
.value
= input
->pBuffers
[idx
].pvBuffer
;
1116 if ((idx
= get_buffer_index( output
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1117 output_token
.length
= 0;
1118 output_token
.value
= NULL
;
1120 ret
= pgss_accept_sec_context( &minor_status
, &ctxt_handle
, cred_handle
, &input_token
, GSS_C_NO_CHANNEL_BINDINGS
,
1121 &target
, NULL
, &output_token
, &ret_flags
, &expiry_time
, NULL
);
1122 TRACE( "gss_accept_sec_context returned %08x minor status %08x ret_flags %08x\n", ret
, minor_status
, ret_flags
);
1123 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1124 if (ret
== GSS_S_COMPLETE
|| ret
== GSS_S_CONTINUE_NEEDED
)
1126 if (output_token
.length
> output
->pBuffers
[idx
].cbBuffer
) /* FIXME: check if larger buffer exists */
1128 TRACE( "buffer too small %lu > %u\n", (SIZE_T
)output_token
.length
, output
->pBuffers
[idx
].cbBuffer
);
1129 pgss_release_buffer( &minor_status
, &output_token
);
1130 pgss_delete_sec_context( &minor_status
, &ctxt_handle
, GSS_C_NO_BUFFER
);
1131 return SEC_E_BUFFER_TOO_SMALL
;
1133 output
->pBuffers
[idx
].cbBuffer
= output_token
.length
;
1134 memcpy( output
->pBuffers
[idx
].pvBuffer
, output_token
.value
, output_token
.length
);
1135 pgss_release_buffer( &minor_status
, &output_token
);
1137 ctxthandle_gss_to_sspi( ctxt_handle
, new_context
);
1138 if (context_attr
) *context_attr
= flags_gss_to_asc_ret( ret_flags
);
1139 expirytime_gss_to_sspi( expiry_time
, ts_expiry
);
1142 /* we do support user mode SSP/AP functions */
1143 *mapped_context
= TRUE
;
1144 /* FIXME: initialize context_data */
1146 return status_gss_to_sspi( ret
);
1148 FIXME( "(%lx %lx 0x%08x %u %p %p %p %p %p %p %p)\n", credential
, context
, context_req
,
1149 target_data_rep
, input
, new_context
, output
, context_attr
, ts_expiry
,
1150 mapped_context
, context_data
);
1151 return SEC_E_UNSUPPORTED_FUNCTION
;
1155 static NTSTATUS NTAPI
kerberos_SpDeleteContext( LSA_SEC_HANDLE context
)
1157 #ifdef SONAME_LIBGSSAPI_KRB5
1158 OM_uint32 ret
, minor_status
;
1159 gss_ctx_id_t ctxt_handle
;
1161 TRACE( "(%lx)\n", context
);
1162 if (!context
) return SEC_E_INVALID_HANDLE
;
1163 if (!(ctxt_handle
= ctxthandle_sspi_to_gss( context
))) return SEC_E_OK
;
1165 ret
= pgss_delete_sec_context( &minor_status
, &ctxt_handle
, GSS_C_NO_BUFFER
);
1166 TRACE( "gss_delete_sec_context returned %08x minor status %08x\n", ret
, minor_status
);
1167 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1169 return status_gss_to_sspi( ret
);
1171 FIXME( "(%lx)\n", context
);
1172 return SEC_E_UNSUPPORTED_FUNCTION
;
1176 static SecPkgInfoW
*build_package_info( const SecPkgInfoW
*info
)
1179 DWORD size_name
= (strlenW(info
->Name
) + 1) * sizeof(WCHAR
);
1180 DWORD size_comment
= (strlenW(info
->Comment
) + 1) * sizeof(WCHAR
);
1182 if (!(ret
= heap_alloc( sizeof(*ret
) + size_name
+ size_comment
))) return NULL
;
1183 ret
->fCapabilities
= info
->fCapabilities
;
1184 ret
->wVersion
= info
->wVersion
;
1185 ret
->wRPCID
= info
->wRPCID
;
1186 ret
->cbMaxToken
= info
->cbMaxToken
;
1187 ret
->Name
= (SEC_WCHAR
*)(ret
+ 1);
1188 memcpy( ret
->Name
, info
->Name
, size_name
);
1189 ret
->Comment
= (SEC_WCHAR
*)((char *)ret
->Name
+ size_name
);
1190 memcpy( ret
->Comment
, info
->Comment
, size_comment
);
1194 static NTSTATUS NTAPI
kerberos_SpQueryContextAttributes( LSA_SEC_HANDLE context
, ULONG attribute
, void *buffer
)
1196 TRACE( "(%lx %u %p)\n", context
, attribute
, buffer
);
1198 if (!context
) return SEC_E_INVALID_HANDLE
;
1202 #define X(x) case (x) : FIXME(#x" stub\n"); break
1203 X(SECPKG_ATTR_ACCESS_TOKEN
);
1204 X(SECPKG_ATTR_AUTHORITY
);
1205 X(SECPKG_ATTR_DCE_INFO
);
1206 X(SECPKG_ATTR_KEY_INFO
);
1207 X(SECPKG_ATTR_LIFESPAN
);
1208 X(SECPKG_ATTR_NAMES
);
1209 X(SECPKG_ATTR_NATIVE_NAMES
);
1210 X(SECPKG_ATTR_PACKAGE_INFO
);
1211 X(SECPKG_ATTR_PASSWORD_EXPIRY
);
1212 X(SECPKG_ATTR_SESSION_KEY
);
1213 X(SECPKG_ATTR_STREAM_SIZES
);
1214 X(SECPKG_ATTR_TARGET_INFORMATION
);
1215 case SECPKG_ATTR_SIZES
:
1217 SecPkgContext_Sizes
*sizes
= (SecPkgContext_Sizes
*)buffer
;
1218 ULONG size_max_signature
= 37, size_security_trailer
= 49;
1219 #ifdef SONAME_LIBGSSAPI_KRB5
1220 gss_ctx_id_t ctxt_handle
;
1222 if (!(ctxt_handle
= ctxthandle_sspi_to_gss( context
))) return SEC_E_INVALID_HANDLE
;
1223 if (is_dce_style_context( ctxt_handle
))
1225 size_max_signature
= 28;
1226 size_security_trailer
= 76;
1229 sizes
->cbMaxToken
= KERBEROS_MAX_BUF
;
1230 sizes
->cbMaxSignature
= size_max_signature
;
1231 sizes
->cbBlockSize
= 1;
1232 sizes
->cbSecurityTrailer
= size_security_trailer
;
1235 case SECPKG_ATTR_NEGOTIATION_INFO
:
1237 SecPkgContext_NegotiationInfoW
*info
= (SecPkgContext_NegotiationInfoW
*)buffer
;
1238 if (!(info
->PackageInfo
= build_package_info( &infoW
))) return SEC_E_INSUFFICIENT_MEMORY
;
1239 info
->NegotiationState
= SECPKG_NEGOTIATION_COMPLETE
;
1244 FIXME( "unknown attribute %u\n", attribute
);
1248 return SEC_E_UNSUPPORTED_FUNCTION
;
1251 static NTSTATUS NTAPI
kerberos_SpInitialize(ULONG_PTR package_id
, SECPKG_PARAMETERS
*params
,
1252 LSA_SECPKG_FUNCTION_TABLE
*lsa_function_table
)
1254 TRACE("%lu,%p,%p\n", package_id
, params
, lsa_function_table
);
1256 #ifdef SONAME_LIBGSSAPI_KRB5
1257 if (load_gssapi_krb5()) return STATUS_SUCCESS
;
1260 return STATUS_UNSUCCESSFUL
;
1263 static NTSTATUS NTAPI
kerberos_SpShutdown(void)
1267 #ifdef SONAME_LIBGSSAPI_KRB5
1268 unload_gssapi_krb5();
1271 return STATUS_SUCCESS
;
1274 static SECPKG_FUNCTION_TABLE kerberos_table
=
1276 kerberos_LsaApInitializePackage
, /* InitializePackage */
1277 NULL
, /* LsaLogonUser */
1278 NULL
, /* CallPackage */
1279 NULL
, /* LogonTerminated */
1280 kerberos_LsaApCallPackageUntrusted
, /* CallPackageUntrusted */
1281 NULL
, /* CallPackagePassthrough */
1282 NULL
, /* LogonUserEx */
1283 NULL
, /* LogonUserEx2 */
1284 kerberos_SpInitialize
,
1285 kerberos_SpShutdown
,
1287 NULL
, /* AcceptCredentials */
1288 kerberos_SpAcquireCredentialsHandle
,
1289 NULL
, /* SpQueryCredentialsAttributes */
1290 kerberos_SpFreeCredentialsHandle
,
1291 NULL
, /* SaveCredentials */
1292 NULL
, /* GetCredentials */
1293 NULL
, /* DeleteCredentials */
1294 kerberos_SpInitLsaModeContext
,
1295 kerberos_SpAcceptLsaModeContext
,
1296 kerberos_SpDeleteContext
,
1297 NULL
, /* ApplyControlToken */
1298 NULL
, /* GetUserInfo */
1299 NULL
, /* GetExtendedInformation */
1300 kerberos_SpQueryContextAttributes
,
1301 NULL
, /* SpAddCredentials */
1302 NULL
, /* SetExtendedInformation */
1303 NULL
, /* SetContextAttributes */
1304 NULL
, /* SetCredentialsAttributes */
1305 NULL
, /* ChangeAccountPassword */
1306 NULL
, /* QueryMetaData */
1307 NULL
, /* ExchangeMetaData */
1308 NULL
, /* GetCredUIContext */
1309 NULL
, /* UpdateCredentials */
1310 NULL
, /* ValidateTargetInfo */
1311 NULL
, /* PostLogonUser */
1314 NTSTATUS NTAPI
SpLsaModeInitialize(ULONG lsa_version
, PULONG package_version
,
1315 PSECPKG_FUNCTION_TABLE
*table
, PULONG table_count
)
1317 TRACE("%#x,%p,%p,%p\n", lsa_version
, package_version
, table
, table_count
);
1319 *package_version
= SECPKG_INTERFACE_VERSION
;
1320 *table
= &kerberos_table
;
1323 return STATUS_SUCCESS
;
1326 static NTSTATUS NTAPI
kerberos_SpInstanceInit(ULONG version
, SECPKG_DLL_FUNCTIONS
*dll_function_table
, void **user_functions
)
1328 FIXME("%u,%p,%p: stub\n", version
, dll_function_table
, user_functions
);
1330 return STATUS_SUCCESS
;
1333 static NTSTATUS SEC_ENTRY
kerberos_SpMakeSignature( LSA_SEC_HANDLE context
, ULONG quality_of_protection
,
1334 SecBufferDesc
*message
, ULONG message_seq_no
)
1336 #ifdef SONAME_LIBGSSAPI_KRB5
1337 OM_uint32 ret
, minor_status
;
1338 gss_buffer_desc data_buffer
, token_buffer
;
1339 gss_ctx_id_t ctxt_handle
;
1340 int data_idx
, token_idx
;
1342 TRACE( "(%lx 0x%08x %p %u)\n", context
, quality_of_protection
, message
, message_seq_no
);
1343 if (quality_of_protection
) FIXME( "ignoring quality_of_protection 0x%08x\n", quality_of_protection
);
1344 if (message_seq_no
) FIXME( "ignoring message_seq_no %u\n", message_seq_no
);
1346 if (!context
) return SEC_E_INVALID_HANDLE
;
1347 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1349 /* FIXME: multiple data buffers, read-only buffers */
1350 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1351 data_buffer
.length
= message
->pBuffers
[data_idx
].cbBuffer
;
1352 data_buffer
.value
= message
->pBuffers
[data_idx
].pvBuffer
;
1354 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1355 token_buffer
.length
= 0;
1356 token_buffer
.value
= NULL
;
1358 ret
= pgss_get_mic( &minor_status
, ctxt_handle
, GSS_C_QOP_DEFAULT
, &data_buffer
, &token_buffer
);
1359 TRACE( "gss_get_mic returned %08x minor status %08x\n", ret
, minor_status
);
1360 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1361 if (ret
== GSS_S_COMPLETE
)
1363 memcpy( message
->pBuffers
[token_idx
].pvBuffer
, token_buffer
.value
, token_buffer
.length
);
1364 message
->pBuffers
[token_idx
].cbBuffer
= token_buffer
.length
;
1365 pgss_release_buffer( &minor_status
, &token_buffer
);
1368 return status_gss_to_sspi( ret
);
1370 FIXME( "(%lx 0x%08x %p %u)\n", context
, quality_of_protection
, message
, message_seq_no
);
1371 return SEC_E_UNSUPPORTED_FUNCTION
;
1375 static NTSTATUS NTAPI
kerberos_SpVerifySignature( LSA_SEC_HANDLE context
, SecBufferDesc
*message
,
1376 ULONG message_seq_no
, ULONG
*quality_of_protection
)
1378 #ifdef SONAME_LIBGSSAPI_KRB5
1379 OM_uint32 ret
, minor_status
;
1380 gss_buffer_desc data_buffer
, token_buffer
;
1381 gss_ctx_id_t ctxt_handle
;
1382 int data_idx
, token_idx
;
1384 TRACE( "(%lx %p %u %p)\n", context
, message
, message_seq_no
, quality_of_protection
);
1385 if (message_seq_no
) FIXME( "ignoring message_seq_no %u\n", message_seq_no
);
1387 if (!context
) return SEC_E_INVALID_HANDLE
;
1388 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1390 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1391 data_buffer
.length
= message
->pBuffers
[data_idx
].cbBuffer
;
1392 data_buffer
.value
= message
->pBuffers
[data_idx
].pvBuffer
;
1394 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1395 token_buffer
.length
= message
->pBuffers
[token_idx
].cbBuffer
;
1396 token_buffer
.value
= message
->pBuffers
[token_idx
].pvBuffer
;
1398 ret
= pgss_verify_mic( &minor_status
, ctxt_handle
, &data_buffer
, &token_buffer
, NULL
);
1399 TRACE( "gss_verify_mic returned %08x minor status %08x\n", ret
, minor_status
);
1400 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1401 if (ret
== GSS_S_COMPLETE
&& quality_of_protection
) *quality_of_protection
= 0;
1403 return status_gss_to_sspi( ret
);
1405 FIXME( "(%lx %p %u %p)\n", context
, message
, message_seq_no
, quality_of_protection
);
1406 return SEC_E_UNSUPPORTED_FUNCTION
;
1410 #ifdef SONAME_LIBGSSAPI_KRB5
1411 static NTSTATUS
seal_message_iov( gss_ctx_id_t ctxt_handle
, SecBufferDesc
*message
)
1413 gss_iov_buffer_desc iov
[4];
1414 OM_uint32 ret
, minor_status
;
1415 int token_idx
, data_idx
, conf_state
;
1417 /* FIXME: multiple data buffers, read-only buffers */
1418 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1419 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1421 iov
[0].type
= GSS_IOV_BUFFER_TYPE_SIGN_ONLY
| GSS_IOV_BUFFER_FLAG_ALLOCATE
;
1422 iov
[0].buffer
.length
= 0;
1423 iov
[0].buffer
.value
= NULL
;
1425 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
1426 iov
[1].buffer
.length
= message
->pBuffers
[data_idx
].cbBuffer
;
1427 iov
[1].buffer
.value
= message
->pBuffers
[data_idx
].pvBuffer
;
1429 iov
[2].type
= GSS_IOV_BUFFER_TYPE_SIGN_ONLY
| GSS_IOV_BUFFER_FLAG_ALLOCATE
;
1430 iov
[2].buffer
.length
= 0;
1431 iov
[2].buffer
.value
= NULL
;
1433 iov
[3].type
= GSS_IOV_BUFFER_TYPE_HEADER
| GSS_IOV_BUFFER_FLAG_ALLOCATE
;
1434 iov
[3].buffer
.length
= 0;
1435 iov
[3].buffer
.value
= NULL
;
1437 ret
= pgss_wrap_iov( &minor_status
, ctxt_handle
, 1, GSS_C_QOP_DEFAULT
, &conf_state
, iov
, 4 );
1438 TRACE( "gss_wrap_iov returned %08x minor status %08x\n", ret
, minor_status
);
1439 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1440 if (ret
== GSS_S_COMPLETE
)
1442 memcpy( message
->pBuffers
[token_idx
].pvBuffer
, iov
[3].buffer
.value
, iov
[3].buffer
.length
);
1443 message
->pBuffers
[token_idx
].cbBuffer
= iov
[3].buffer
.length
;
1444 pgss_release_iov_buffer( &minor_status
, iov
, 4 );
1447 return status_gss_to_sspi( ret
);
1450 static NTSTATUS
seal_message( gss_ctx_id_t ctxt_handle
, SecBufferDesc
*message
)
1452 gss_buffer_desc input
, output
;
1453 OM_uint32 ret
, minor_status
;
1454 int token_idx
, data_idx
, conf_state
;
1456 /* FIXME: multiple data buffers, read-only buffers */
1457 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1458 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1460 input
.length
= message
->pBuffers
[data_idx
].cbBuffer
;
1461 input
.value
= message
->pBuffers
[data_idx
].pvBuffer
;
1463 ret
= pgss_wrap( &minor_status
, ctxt_handle
, 1, GSS_C_QOP_DEFAULT
, &input
, &conf_state
, &output
);
1464 TRACE( "gss_wrap returned %08x minor status %08x\n", ret
, minor_status
);
1465 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1466 if (ret
== GSS_S_COMPLETE
)
1468 DWORD len_data
= message
->pBuffers
[data_idx
].cbBuffer
, len_token
= message
->pBuffers
[token_idx
].cbBuffer
;
1469 if (len_token
< output
.length
- len_data
)
1471 TRACE( "buffer too small %lu > %u\n", (SIZE_T
)output
.length
- len_data
, len_token
);
1472 pgss_release_buffer( &minor_status
, &output
);
1473 return SEC_E_BUFFER_TOO_SMALL
;
1475 memcpy( message
->pBuffers
[data_idx
].pvBuffer
, output
.value
, len_data
);
1476 memcpy( message
->pBuffers
[token_idx
].pvBuffer
, (char *)output
.value
+ len_data
, output
.length
- len_data
);
1477 message
->pBuffers
[token_idx
].cbBuffer
= output
.length
- len_data
;
1478 pgss_release_buffer( &minor_status
, &output
);
1481 return status_gss_to_sspi( ret
);
1485 static NTSTATUS NTAPI
kerberos_SpSealMessage( LSA_SEC_HANDLE context
, ULONG quality_of_protection
,
1486 SecBufferDesc
*message
, ULONG message_seq_no
)
1488 #ifdef SONAME_LIBGSSAPI_KRB5
1489 gss_ctx_id_t ctxt_handle
;
1491 TRACE( "(%lx 0x%08x %p %u)\n", context
, quality_of_protection
, message
, message_seq_no
);
1492 if (quality_of_protection
)
1494 FIXME( "flags %08x not supported\n", quality_of_protection
);
1495 return SEC_E_UNSUPPORTED_FUNCTION
;
1497 if (message_seq_no
) FIXME( "ignoring message_seq_no %u\n", message_seq_no
);
1499 if (!context
) return SEC_E_INVALID_HANDLE
;
1500 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1502 if (is_dce_style_context( ctxt_handle
)) return seal_message_iov( ctxt_handle
, message
);
1503 return seal_message( ctxt_handle
, message
);
1505 FIXME( "(%lx 0x%08x %p %u)\n", context
, quality_of_protection
, message
, message_seq_no
);
1506 return SEC_E_UNSUPPORTED_FUNCTION
;
1510 #ifdef SONAME_LIBGSSAPI_KRB5
1511 static NTSTATUS
unseal_message_iov( gss_ctx_id_t ctxt_handle
, SecBufferDesc
*message
, ULONG
*quality_of_protection
)
1513 gss_iov_buffer_desc iov
[4];
1514 OM_uint32 ret
, minor_status
;
1515 int token_idx
, data_idx
, conf_state
;
1517 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1518 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1520 iov
[0].type
= GSS_IOV_BUFFER_TYPE_SIGN_ONLY
;
1521 iov
[0].buffer
.length
= 0;
1522 iov
[0].buffer
.value
= NULL
;
1524 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
1525 iov
[1].buffer
.length
= message
->pBuffers
[data_idx
].cbBuffer
;
1526 iov
[1].buffer
.value
= message
->pBuffers
[data_idx
].pvBuffer
;
1528 iov
[2].type
= GSS_IOV_BUFFER_TYPE_SIGN_ONLY
;
1529 iov
[2].buffer
.length
= 0;
1530 iov
[2].buffer
.value
= NULL
;
1532 iov
[3].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
1533 iov
[3].buffer
.length
= message
->pBuffers
[token_idx
].cbBuffer
;
1534 iov
[3].buffer
.value
= message
->pBuffers
[token_idx
].pvBuffer
;
1536 ret
= pgss_unwrap_iov( &minor_status
, ctxt_handle
, &conf_state
, NULL
, iov
, 4 );
1537 TRACE( "gss_unwrap_iov returned %08x minor status %08x\n", ret
, minor_status
);
1538 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1539 if (ret
== GSS_S_COMPLETE
&& quality_of_protection
)
1541 *quality_of_protection
= (conf_state
? 0 : SECQOP_WRAP_NO_ENCRYPT
);
1543 return status_gss_to_sspi( ret
);
1546 static NTSTATUS
unseal_message( gss_ctx_id_t ctxt_handle
, SecBufferDesc
*message
, ULONG
*quality_of_protection
)
1548 gss_buffer_desc input
, output
;
1549 OM_uint32 ret
, minor_status
;
1550 int token_idx
, data_idx
, conf_state
;
1551 DWORD len_data
, len_token
;
1553 if ((data_idx
= get_buffer_index( message
, SECBUFFER_DATA
)) == -1) return SEC_E_INVALID_TOKEN
;
1554 if ((token_idx
= get_buffer_index( message
, SECBUFFER_TOKEN
)) == -1) return SEC_E_INVALID_TOKEN
;
1556 len_data
= message
->pBuffers
[data_idx
].cbBuffer
;
1557 len_token
= message
->pBuffers
[token_idx
].cbBuffer
;
1559 input
.length
= len_data
+ len_token
;
1560 if (!(input
.value
= heap_alloc( input
.length
))) return SEC_E_INSUFFICIENT_MEMORY
;
1561 memcpy( input
.value
, message
->pBuffers
[data_idx
].pvBuffer
, len_data
);
1562 memcpy( (char *)input
.value
+ len_data
, message
->pBuffers
[token_idx
].pvBuffer
, len_token
);
1564 ret
= pgss_unwrap( &minor_status
, ctxt_handle
, &input
, &output
, &conf_state
, NULL
);
1565 heap_free( input
.value
);
1566 TRACE( "gss_unwrap returned %08x minor status %08x\n", ret
, minor_status
);
1567 if (GSS_ERROR(ret
)) trace_gss_status( ret
, minor_status
);
1568 if (ret
== GSS_S_COMPLETE
)
1570 if (quality_of_protection
) *quality_of_protection
= (conf_state
? 0 : SECQOP_WRAP_NO_ENCRYPT
);
1571 memcpy( message
->pBuffers
[data_idx
].pvBuffer
, output
.value
, len_data
);
1572 pgss_release_buffer( &minor_status
, &output
);
1575 return status_gss_to_sspi( ret
);
1579 static NTSTATUS NTAPI
kerberos_SpUnsealMessage( LSA_SEC_HANDLE context
, SecBufferDesc
*message
,
1580 ULONG message_seq_no
, ULONG
*quality_of_protection
)
1582 #ifdef SONAME_LIBGSSAPI_KRB5
1583 gss_ctx_id_t ctxt_handle
;
1585 TRACE( "(%lx %p %u %p)\n", context
, message
, message_seq_no
, quality_of_protection
);
1586 if (message_seq_no
) FIXME( "ignoring message_seq_no %u\n", message_seq_no
);
1588 if (!context
) return SEC_E_INVALID_HANDLE
;
1589 ctxt_handle
= ctxthandle_sspi_to_gss( context
);
1591 if (is_dce_style_context( ctxt_handle
)) return unseal_message_iov( ctxt_handle
, message
, quality_of_protection
);
1592 return unseal_message( ctxt_handle
, message
, quality_of_protection
);
1594 FIXME( "(%lx %p %u %p)\n", context
, message
, message_seq_no
, quality_of_protection
);
1595 return SEC_E_UNSUPPORTED_FUNCTION
;
1599 static SECPKG_USER_FUNCTION_TABLE kerberos_user_table
=
1601 kerberos_SpInstanceInit
,
1602 NULL
, /* SpInitUserModeContext */
1603 kerberos_SpMakeSignature
,
1604 kerberos_SpVerifySignature
,
1605 kerberos_SpSealMessage
,
1606 kerberos_SpUnsealMessage
,
1607 NULL
, /* SpGetContextToken */
1608 NULL
, /* SpQueryContextAttributes */
1609 NULL
, /* SpCompleteAuthToken */
1610 NULL
, /* SpDeleteContext */
1611 NULL
, /* SpFormatCredentialsFn */
1612 NULL
, /* SpMarshallSupplementalCreds */
1613 NULL
, /* SpExportSecurityContext */
1614 NULL
/* SpImportSecurityContext */
1617 NTSTATUS NTAPI
SpUserModeInitialize(ULONG lsa_version
, PULONG package_version
,
1618 PSECPKG_USER_FUNCTION_TABLE
*table
, PULONG table_count
)
1620 TRACE("%#x,%p,%p,%p\n", lsa_version
, package_version
, table
, table_count
);
1622 *package_version
= SECPKG_INTERFACE_VERSION
;
1623 *table
= &kerberos_user_table
;
1626 return STATUS_SUCCESS
;