search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
wined3d/glsl: Flush NaN to zero in ftoi.
[wine.git] / dlls / kerberos / krb5_ap.c
blobae68c4b90c2a6845afcde3abdd917f0f28e1bcd7
1 /*
2 * Copyright 2017 Dmitry Timoshkov
3 * Copyright 2017 George Popoff
4 * Copyright 2008 Robert Shearman for CodeWeavers
5 * Copyright 2017 Hans Leidekker for CodeWeavers
6 *
7 * Kerberos5 Authentication Package
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
22 */
23
24 #include <stdarg.h>
25 #include <stdlib.h>
26 #include "ntstatus.h"
27 #define WIN32_NO_STATUS
28 #include "windef.h"
29 #include "winbase.h"
30 #include "winnls.h"
31 #include "rpc.h"
32 #include "sspi.h"
33 #include "ntsecapi.h"
34 #include "ntsecpkg.h"
35 #include "winternl.h"
36
37 #include "wine/debug.h"
38 #include "unixlib.h"
39
40 WINE_DEFAULT_DEBUG_CHANNEL(kerberos);
41
42 #define KERBEROS_CAPS \
43 ( SECPKG_FLAG_INTEGRITY \
44 | SECPKG_FLAG_PRIVACY \
45 | SECPKG_FLAG_TOKEN_ONLY \
46 | SECPKG_FLAG_DATAGRAM \
47 | SECPKG_FLAG_CONNECTION \
48 | SECPKG_FLAG_MULTI_REQUIRED \
49 | SECPKG_FLAG_EXTENDED_ERROR \
50 | SECPKG_FLAG_IMPERSONATION \
51 | SECPKG_FLAG_ACCEPT_WIN32_NAME \
52 | SECPKG_FLAG_NEGOTIABLE \
53 | SECPKG_FLAG_GSS_COMPATIBLE \
54 | SECPKG_FLAG_LOGON \
55 | SECPKG_FLAG_MUTUAL_AUTH \
56 | SECPKG_FLAG_DELEGATION \
57 | SECPKG_FLAG_READONLY_WITH_CHECKSUM \
58 | SECPKG_FLAG_RESTRICTED_TOKENS \
59 | SECPKG_FLAG_APPCONTAINER_CHECKS)
60
61 static WCHAR kerberos_name_W[] = L"Kerberos";
62 static WCHAR kerberos_comment_W[] = L"Microsoft Kerberos V1.0";
63 static const SecPkgInfoW infoW =
64 {
65 KERBEROS_CAPS,
66 1,
67 RPC_C_AUTHN_GSS_KERBEROS,
68 KERBEROS_MAX_BUF,
69 kerberos_name_W,
70 kerberos_comment_W
71 };
72
73 static ULONG kerberos_package_id;
74 static LSA_DISPATCH_TABLE lsa_dispatch;
75
76 struct cred_handle
77 {
78 UINT64 handle;
79 };
80
81 struct context_handle
82 {
83 UINT64 handle;
84 };
85
86 static LSA_SEC_HANDLE create_context_handle( struct context_handle *ctx, UINT64 new_context )
87 {
88 UINT64 context = ctx ? ctx->handle : 0;
89 if (new_context && new_context != context)
90 {
91 struct context_handle *new_ctx = malloc(sizeof(*new_ctx));
92 new_ctx->handle = new_context;
93 return (LSA_SEC_HANDLE)new_ctx;
94 }
95 else
96 return (LSA_SEC_HANDLE)ctx;
97 }
98
99 static int get_buffer_index( const SecBufferDesc *desc, DWORD type )
100 {
101 UINT i;
102 if (!desc) return -1;
103 for (i = 0; i < desc->cBuffers; i++)
104 {
105 if (desc->pBuffers[i].BufferType == type) return i;
106 }
107 return -1;
108 }
109
110 static const char *debugstr_us( const UNICODE_STRING *us )
111 {
112 if (!us) return "<null>";
113 return debugstr_wn( us->Buffer, us->Length / sizeof(WCHAR) );
114 }
115
116 static void expiry_to_timestamp( ULONG expiry, TimeStamp *timestamp )
117 {
118 LARGE_INTEGER time;
119
120 if (!timestamp) return;
121 NtQuerySystemTime( &time );
122 RtlSystemTimeToLocalTime( &time, &time );
123 time.QuadPart += expiry * (ULONGLONG)10000000;
124 timestamp->LowPart = time.QuadPart;
125 timestamp->HighPart = time.QuadPart >> 32;
126 }
127
128 static NTSTATUS NTAPI kerberos_LsaApInitializePackage(ULONG package_id, PLSA_DISPATCH_TABLE dispatch,
129 PLSA_STRING database, PLSA_STRING confidentiality, PLSA_STRING *package_name)
130 {
131 char *kerberos_name;
132
133 if (!__wine_unixlib_handle)
134 {
135 if (__wine_init_unix_call() || KRB5_CALL( process_attach, NULL ))
136 ERR( "no Kerberos support, expect problems\n" );
137 }
138
139 kerberos_package_id = package_id;
140 lsa_dispatch = *dispatch;
141
142 kerberos_name = lsa_dispatch.AllocateLsaHeap(sizeof(MICROSOFT_KERBEROS_NAME_A));
143 if (!kerberos_name) return STATUS_NO_MEMORY;
144
145 memcpy(kerberos_name, MICROSOFT_KERBEROS_NAME_A, sizeof(MICROSOFT_KERBEROS_NAME_A));
146
147 *package_name = lsa_dispatch.AllocateLsaHeap(sizeof(**package_name));
148 if (!*package_name)
149 {
150 lsa_dispatch.FreeLsaHeap(kerberos_name);
151 return STATUS_NO_MEMORY;
152 }
153
154 RtlInitString(*package_name, kerberos_name);
155
156 return STATUS_SUCCESS;
157 }
158
159 static NTSTATUS copy_to_client( PLSA_CLIENT_REQUEST lsa_req, KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp,
160 void **out, ULONG size )
161 {
162 NTSTATUS status;
163 ULONG i;
164 char *client_str;
165 KERB_QUERY_TKT_CACHE_RESPONSE *client_resp;
166
167 status = lsa_dispatch.AllocateClientBuffer( lsa_req, size, out );
168 if (status != STATUS_SUCCESS) return status;
169
170 client_resp = *out;
171 status = lsa_dispatch.CopyToClientBuffer(lsa_req, offsetof(KERB_QUERY_TKT_CACHE_RESPONSE, Tickets),
172 client_resp, resp);
173 if (status != STATUS_SUCCESS) goto fail;
174
175 client_str = (char *)&client_resp->Tickets[resp->CountOfTickets];
176
177 for (i = 0; i < resp->CountOfTickets; i++)
178 {
179 KERB_TICKET_CACHE_INFO ticket = {
180 .ServerName = resp->Tickets[i].ServerName,
181 .RealmName = resp->Tickets[i].ServerRealm,
182 .StartTime = resp->Tickets[i].StartTime,
183 .EndTime = resp->Tickets[i].EndTime,
184 .RenewTime = resp->Tickets[i].RenewTime,
185 .EncryptionType = resp->Tickets[i].EncryptionType,
186 .TicketFlags = resp->Tickets[i].TicketFlags,
187 };
188
189 RtlSecondsSince1970ToTime( resp->Tickets[i].StartTime.QuadPart, &ticket.StartTime );
190 RtlSecondsSince1970ToTime( resp->Tickets[i].EndTime.QuadPart, &ticket.EndTime );
191 RtlSecondsSince1970ToTime( resp->Tickets[i].RenewTime.QuadPart, &ticket.RenewTime );
192
193 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.RealmName.MaximumLength,
194 client_str, ticket.RealmName.Buffer);
195 if (status != STATUS_SUCCESS) goto fail;
196 ticket.RealmName.Buffer = (WCHAR *)client_str;
197 client_str += ticket.RealmName.MaximumLength;
198
199 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.ServerName.MaximumLength,
200 client_str, ticket.ServerName.Buffer);
201 if (status != STATUS_SUCCESS) goto fail;
202 ticket.ServerName.Buffer = (WCHAR *)client_str;
203 client_str += ticket.ServerName.MaximumLength;
204
205 status = lsa_dispatch.CopyToClientBuffer(lsa_req, sizeof(ticket), &client_resp->Tickets[i], &ticket);
206 if (status != STATUS_SUCCESS) goto fail;
207 }
208 return STATUS_SUCCESS;
209
210 fail:
211 lsa_dispatch.FreeClientBuffer(lsa_req, client_resp);
212 return status;
213 }
214
215 static NTSTATUS copy_to_client_ex( PLSA_CLIENT_REQUEST lsa_req, KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp,
216 void **out, ULONG size )
217 {
218 NTSTATUS status;
219 ULONG i;
220 char *client_str;
221 KERB_QUERY_TKT_CACHE_EX_RESPONSE *client_resp;
222
223 status = lsa_dispatch.AllocateClientBuffer( lsa_req, size, out );
224 if (status != STATUS_SUCCESS) return status;
225
226 client_resp = *out;
227 status = lsa_dispatch.CopyToClientBuffer(lsa_req, offsetof(KERB_QUERY_TKT_CACHE_EX_RESPONSE, Tickets),
228 client_resp, resp);
229 if (status != STATUS_SUCCESS) goto fail;
230
231 client_str = (char *)&client_resp->Tickets[resp->CountOfTickets];
232
233 for (i = 0; i < resp->CountOfTickets; i++)
234 {
235 KERB_TICKET_CACHE_INFO_EX ticket = resp->Tickets[i];
236
237 RtlSecondsSince1970ToTime( resp->Tickets[i].StartTime.QuadPart, &ticket.StartTime );
238 RtlSecondsSince1970ToTime( resp->Tickets[i].EndTime.QuadPart, &ticket.EndTime );
239 RtlSecondsSince1970ToTime( resp->Tickets[i].RenewTime.QuadPart, &ticket.RenewTime );
240
241 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.ClientRealm.MaximumLength,
242 client_str, ticket.ClientRealm.Buffer);
243 if (status != STATUS_SUCCESS) goto fail;
244 ticket.ClientRealm.Buffer = (WCHAR *)client_str;
245 client_str += ticket.ClientRealm.MaximumLength;
246
247 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.ClientName.MaximumLength,
248 client_str, ticket.ClientName.Buffer);
249 if (status != STATUS_SUCCESS) goto fail;
250 ticket.ClientName.Buffer = (WCHAR *)client_str;
251 client_str += ticket.ClientName.MaximumLength;
252
253 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.ServerRealm.MaximumLength,
254 client_str, ticket.ServerRealm.Buffer);
255 if (status != STATUS_SUCCESS) goto fail;
256 ticket.ServerRealm.Buffer = (WCHAR *)client_str;
257 client_str += ticket.ServerRealm.MaximumLength;
258
259 status = lsa_dispatch.CopyToClientBuffer(lsa_req, ticket.ServerName.MaximumLength,
260 client_str, ticket.ServerName.Buffer);
261 if (status != STATUS_SUCCESS) goto fail;
262 ticket.ServerName.Buffer = (WCHAR *)client_str;
263 client_str += ticket.ServerName.MaximumLength;
264
265 status = lsa_dispatch.CopyToClientBuffer(lsa_req, sizeof(ticket), &client_resp->Tickets[i], &ticket);
266 if (status != STATUS_SUCCESS) goto fail;
267 }
268 return STATUS_SUCCESS;
269
270 fail:
271 lsa_dispatch.FreeClientBuffer(lsa_req, client_resp);
272 return status;
273 }
274
275 static NTSTATUS NTAPI kerberos_LsaApCallPackageUntrusted(PLSA_CLIENT_REQUEST req, void *in_buf,
276 void *client_buf_base, ULONG in_buf_len, void **out_buf, ULONG *out_buf_len, NTSTATUS *ret_status)
277 {
278 KERB_PROTOCOL_MESSAGE_TYPE msg;
279
280 TRACE("%p, %p, %p, %lu, %p, %p, %p\n", req, in_buf, client_buf_base, in_buf_len, out_buf, out_buf_len, ret_status);
281
282 if (!in_buf || in_buf_len < sizeof(msg)) return STATUS_INVALID_PARAMETER;
283
284 msg = *(KERB_PROTOCOL_MESSAGE_TYPE *)in_buf;
285 switch (msg)
286 {
287 case KerbQueryTicketCacheMessage:
288 {
289 KERB_QUERY_TKT_CACHE_REQUEST *query = (KERB_QUERY_TKT_CACHE_REQUEST *)in_buf;
290 NTSTATUS status;
291
292 if (!in_buf || in_buf_len != sizeof(*query) || !out_buf || !out_buf_len) return STATUS_INVALID_PARAMETER;
293 if (query->LogonId.HighPart || query->LogonId.LowPart) return STATUS_ACCESS_DENIED;
294
295 *out_buf_len = 1024;
296 for (;;)
297 {
298 KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp = malloc( *out_buf_len );
299 struct query_ticket_cache_params params = { resp, out_buf_len };
300 if (!resp)
301 {
302 status = STATUS_NO_MEMORY;
303 break;
304 }
305 status = KRB5_CALL( query_ticket_cache, &params );
306 if (status == STATUS_SUCCESS) status = copy_to_client( req, resp, out_buf, *out_buf_len );
307 free( resp );
308 if (status != STATUS_BUFFER_TOO_SMALL) break;
309 }
310 *ret_status = status;
311 break;
312 }
313 case KerbQueryTicketCacheExMessage:
314 {
315 KERB_QUERY_TKT_CACHE_REQUEST *query = (KERB_QUERY_TKT_CACHE_REQUEST *)in_buf;
316 NTSTATUS status;
317
318 if (!in_buf || in_buf_len != sizeof(*query) || !out_buf || !out_buf_len) return STATUS_INVALID_PARAMETER;
319 if (query->LogonId.HighPart || query->LogonId.LowPart) return STATUS_ACCESS_DENIED;
320
321 *out_buf_len = 1024;
322 for (;;)
323 {
324 KERB_QUERY_TKT_CACHE_EX_RESPONSE *resp = malloc( *out_buf_len );
325 struct query_ticket_cache_params params = { resp, out_buf_len };
326 if (!resp)
327 {
328 status = STATUS_NO_MEMORY;
329 break;
330 }
331 status = KRB5_CALL( query_ticket_cache, &params );
332 if (status == STATUS_SUCCESS) status = copy_to_client_ex( req, resp, out_buf, *out_buf_len );
333 free( resp );
334 if (status != STATUS_BUFFER_TOO_SMALL) break;
335 }
336 *ret_status = status;
337 break;
338 }
339 case KerbRetrieveTicketMessage:
340 FIXME("KerbRetrieveTicketMessage stub\n");
341 *ret_status = STATUS_NOT_IMPLEMENTED;
342 break;
343
344 case KerbPurgeTicketCacheMessage:
345 FIXME("KerbPurgeTicketCacheMessage stub\n");
346 *ret_status = STATUS_NOT_IMPLEMENTED;
347 break;
348
349 default: /* All other requests should call LsaApCallPackage */
350 WARN("%u => access denied\n", msg);
351 *ret_status = STATUS_ACCESS_DENIED;
352 break;
353 }
354
355 return *ret_status;
356 }
357
358 static NTSTATUS NTAPI kerberos_SpGetInfo(SecPkgInfoW *info)
359 {
360 TRACE("%p\n", info);
361
362 /* LSA will make a copy before forwarding the structure, so
363 * it's safe to put pointers to dynamic or constant data there.
364 */
365 *info = infoW;
366
367 return STATUS_SUCCESS;
368 }
369
370 static char *get_str_unixcp( const UNICODE_STRING *str )
371 {
372 char *ret;
373 int len = WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), NULL, 0, NULL, NULL );
374 if (!(ret = malloc( len + 1 ))) return NULL;
375 WideCharToMultiByte( CP_UNIXCP, 0, str->Buffer, str->Length / sizeof(WCHAR), ret, len, NULL, NULL );
376 ret[len] = 0;
377 return ret;
378 }
379
380 static char *get_username_unixcp( const WCHAR *user, ULONG user_len, const WCHAR *domain, ULONG domain_len )
381 {
382 int len_user, len_domain;
383 char *ret;
384
385 len_user = WideCharToMultiByte( CP_UNIXCP, 0, user, user_len, NULL, 0, NULL, NULL );
386 len_domain = WideCharToMultiByte( CP_UNIXCP, 0, domain, domain_len, NULL, 0, NULL, NULL );
387 if (!(ret = malloc( len_user + len_domain + 2 ))) return NULL;
388
389 WideCharToMultiByte( CP_UNIXCP, 0, user, user_len, ret, len_user, NULL, NULL );
390 ret[len_user] = '@';
391 WideCharToMultiByte( CP_UNIXCP, 0, domain, domain_len, ret + len_user + 1, len_domain, NULL, NULL );
392 ret[len_user + len_domain + 1] = 0;
393 return ret;
394 }
395
396 static char *get_password_unixcp( const WCHAR *passwd, ULONG passwd_len )
397 {
398 int len;
399 char *ret;
400
401 len = WideCharToMultiByte( CP_UNIXCP, WC_NO_BEST_FIT_CHARS, passwd, passwd_len, NULL, 0, NULL, NULL );
402 if (!(ret = malloc( len + 1 ))) return NULL;
403 WideCharToMultiByte( CP_UNIXCP, 0, passwd, passwd_len, ret, len, NULL, NULL );
404 ret[len] = 0;
405 return ret;
406 }
407
408 static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle(
409 UNICODE_STRING *principal_us, ULONG credential_use, LUID *logon_id, void *auth_data,
410 void *get_key_fn, void *get_key_arg, LSA_SEC_HANDLE *credential, TimeStamp *expiry )
411 {
412 char *principal = NULL, *username = NULL, *password = NULL;
413 SEC_WINNT_AUTH_IDENTITY_W *id = auth_data;
414 NTSTATUS status = SEC_E_INSUFFICIENT_MEMORY;
415 struct cred_handle *cred_handle;
416 ULONG exptime;
417
418 TRACE( "%s, %#lx, %p, %p, %p, %p, %p, %p\n", debugstr_us(principal_us), credential_use,
419 logon_id, auth_data, get_key_fn, get_key_arg, credential, expiry );
420
421 if (principal_us && !(principal = get_str_unixcp( principal_us ))) return SEC_E_INSUFFICIENT_MEMORY;
422 if (id)
423 {
424 if (id->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI)
425 {
426 FIXME( "ANSI identity not supported\n" );
427 status = SEC_E_UNSUPPORTED_FUNCTION;
428 goto done;
429 }
430 if (!(username = get_username_unixcp( id->User, id->UserLength, id->Domain, id->DomainLength ))) goto done;
431 if (!(password = get_password_unixcp( id->Password, id->PasswordLength ))) goto done;
432 }
433
434 if (!(cred_handle = calloc( 1, sizeof(*cred_handle) )))
435 {
436 status = SEC_E_INSUFFICIENT_MEMORY;
437 goto done;
438 }
439
440 {
441 struct acquire_credentials_handle_params params = { principal, credential_use, username, password,
442 &cred_handle->handle, &exptime };
443 if (!(status = KRB5_CALL( acquire_credentials_handle, &params )))
444 *credential = (LSA_SEC_HANDLE)cred_handle;
445 else
446 free( cred_handle );
447 expiry_to_timestamp( exptime, expiry );
448 }
449
450 done:
451 free( principal );
452 free( username );
453 free( password );
454 return status;
455 }
456
457 static NTSTATUS NTAPI kerberos_SpFreeCredentialsHandle( LSA_SEC_HANDLE credential )
458 {
459 struct cred_handle *cred_handle = (void *)credential;
460 struct free_credentials_handle_params params;
461 NTSTATUS status;
462
463 TRACE( "%Ix\n", credential );
464
465 if (!cred_handle) return SEC_E_INVALID_HANDLE;
466
467 params.credential = cred_handle->handle;
468 status = KRB5_CALL( free_credentials_handle, &params );
469 free(cred_handle);
470 return status;
471 }
472
473 static NTSTATUS NTAPI kerberos_SpInitLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
474 UNICODE_STRING *target_name, ULONG context_req, ULONG target_data_rep, SecBufferDesc *input,
475 LSA_SEC_HANDLE *new_context, SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry,
476 BOOLEAN *mapped_context, SecBuffer *context_data )
477 {
478 static const ULONG supported = ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT |
479 ISC_REQ_REPLAY_DETECT | ISC_REQ_MUTUAL_AUTH | ISC_REQ_USE_DCE_STYLE |
480 ISC_REQ_IDENTIFY | ISC_REQ_CONNECTION | ISC_REQ_DELEGATE;
481 char *target = NULL;
482 NTSTATUS status;
483 ULONG exptime;
484
485 TRACE( "%Ix, %Ix, %s, %#lx, %lu, %p, %p, %p, %p, %p, %p, %p\n", credential, context, debugstr_us(target_name),
486 context_req, target_data_rep, input, new_context, output, context_attr, expiry,
487 mapped_context, context_data );
488 if (context_req & ~supported) FIXME( "flags %#lx not supported\n", context_req & ~supported );
489
490 if (!context && !input && !credential) return SEC_E_INVALID_HANDLE;
491 if (target_name && !(target = get_str_unixcp( target_name ))) return SEC_E_INSUFFICIENT_MEMORY;
492 else
493 {
494 struct cred_handle *cred_handle = (struct cred_handle *)credential;
495 struct context_handle *context_handle = (struct context_handle *)context;
496 struct initialize_context_params params = { 0 };
497 UINT64 new_context_handle = 0;
498 int idx;
499
500 params.credential = cred_handle ? cred_handle->handle : 0;
501 params.context = context_handle ? context_handle->handle : 0;
502 params.target_name = target;
503 params.context_req = context_req;
504 params.new_context = &new_context_handle;
505 params.context_attr = context_attr;
506 params.expiry = &exptime;
507
508 idx = get_buffer_index( input, SECBUFFER_TOKEN );
509 if (idx != -1)
510 {
511 params.input_token = input->pBuffers[idx].pvBuffer;
512 params.input_token_length = input->pBuffers[idx].cbBuffer;
513 }
514
515 if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
516 params.output_token = output->pBuffers[idx].pvBuffer;
517 params.output_token_length = &output->pBuffers[idx].cbBuffer;
518
519 status = KRB5_CALL( initialize_context, &params );
520 if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED)
521 *new_context = create_context_handle( context_handle, new_context_handle );
522 if (!status)
523 {
524 *mapped_context = TRUE;
525 expiry_to_timestamp( exptime, expiry );
526 }
527 }
528 /* FIXME: initialize context_data */
529 free( target );
530 return status;
531 }
532
533 static NTSTATUS NTAPI kerberos_SpAcceptLsaModeContext( LSA_SEC_HANDLE credential, LSA_SEC_HANDLE context,
534 SecBufferDesc *input, ULONG context_req, ULONG target_data_rep, LSA_SEC_HANDLE *new_context,
535 SecBufferDesc *output, ULONG *context_attr, TimeStamp *expiry, BOOLEAN *mapped_context, SecBuffer *context_data )
536 {
537 NTSTATUS status = SEC_E_INVALID_HANDLE;
538 ULONG exptime;
539 int idx;
540
541 TRACE( "%Ix, %Ix, %#lx, %lu, %p, %p, %p, %p, %p, %p, %p\n", credential, context, context_req, target_data_rep,
542 input, new_context, output, context_attr, expiry, mapped_context, context_data );
543 if (context_req) FIXME( "ignoring flags %#lx\n", context_req );
544
545 if (context || input || credential)
546 {
547 struct cred_handle *cred_handle = (struct cred_handle *)credential;
548 struct context_handle *context_handle = (struct context_handle *)context;
549 struct accept_context_params params = { 0 };
550 UINT64 new_context_handle = 0;
551
552 params.credential = cred_handle ? cred_handle->handle : 0;
553 params.context = context_handle ? context_handle->handle : 0;
554 params.new_context = &new_context_handle;
555 params.context_attr = context_attr;
556 params.expiry = &exptime;
557
558 if (input)
559 {
560 if ((idx = get_buffer_index( input, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
561 params.input_token = input->pBuffers[idx].pvBuffer;
562 params.input_token_length = input->pBuffers[idx].cbBuffer;
563 }
564 if ((idx = get_buffer_index( output, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
565 params.output_token = output->pBuffers[idx].pvBuffer;
566 params.output_token_length = &output->pBuffers[idx].cbBuffer;
567
568 /* FIXME: check if larger output buffer exists */
569 status = KRB5_CALL( accept_context, &params );
570 if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED)
571 *new_context = create_context_handle( context_handle, new_context_handle );
572 if (!status)
573 {
574 *mapped_context = TRUE;
575 expiry_to_timestamp( exptime, expiry );
576 }
577 /* FIXME: initialize context_data */
578 }
579 return status;
580 }
581
582 static NTSTATUS NTAPI kerberos_SpDeleteContext( LSA_SEC_HANDLE context )
583 {
584 struct context_handle *context_handle = (void *)context;
585 struct delete_context_params params;
586 NTSTATUS status;
587
588 TRACE( "%Ix\n", context );
589
590 if (!context) return SEC_E_INVALID_HANDLE;
591
592 params.context = context_handle->handle;
593 status = KRB5_CALL( delete_context, &params );
594 free( context_handle );
595 return status;
596 }
597
598 static SecPkgInfoW *build_package_info( const SecPkgInfoW *info )
599 {
600 SecPkgInfoW *ret;
601 DWORD size_name = (wcslen(info->Name) + 1) * sizeof(WCHAR);
602 DWORD size_comment = (wcslen(info->Comment) + 1) * sizeof(WCHAR);
603
604 if (!(ret = malloc( sizeof(*ret) + size_name + size_comment ))) return NULL;
605 ret->fCapabilities = info->fCapabilities;
606 ret->wVersion = info->wVersion;
607 ret->wRPCID = info->wRPCID;
608 ret->cbMaxToken = info->cbMaxToken;
609 ret->Name = (SEC_WCHAR *)(ret + 1);
610 memcpy( ret->Name, info->Name, size_name );
611 ret->Comment = (SEC_WCHAR *)((char *)ret->Name + size_name);
612 memcpy( ret->Comment, info->Comment, size_comment );
613 return ret;
614 }
615
616 static NTSTATUS NTAPI kerberos_SpQueryContextAttributes( LSA_SEC_HANDLE context, ULONG attribute, void *buffer )
617 {
618 struct context_handle *context_handle = (void *)context;
619
620 TRACE( "%Ix, %lu, %p\n", context, attribute, buffer );
621
622 if (!context) return SEC_E_INVALID_HANDLE;
623
624 switch (attribute)
625 {
626 #define X(x) case (x) : FIXME(#x" stub\n"); break
627 X(SECPKG_ATTR_ACCESS_TOKEN);
628 X(SECPKG_ATTR_AUTHORITY);
629 X(SECPKG_ATTR_DCE_INFO);
630 X(SECPKG_ATTR_KEY_INFO);
631 X(SECPKG_ATTR_LIFESPAN);
632 X(SECPKG_ATTR_NAMES);
633 X(SECPKG_ATTR_NATIVE_NAMES);
634 X(SECPKG_ATTR_PACKAGE_INFO);
635 X(SECPKG_ATTR_PASSWORD_EXPIRY);
636 X(SECPKG_ATTR_STREAM_SIZES);
637 X(SECPKG_ATTR_TARGET_INFORMATION);
638 #undef X
639 case SECPKG_ATTR_SESSION_KEY:
640 {
641 SecPkgContext_SessionKey key = { 128 };
642 struct query_context_attributes_params params = { context_handle->handle, attribute, &key };
643 NTSTATUS status;
644
645 if (!(key.SessionKey = RtlAllocateHeap( GetProcessHeap(), 0, key.SessionKeyLength ))) return STATUS_NO_MEMORY;
646
647 if ((status = KRB5_CALL( query_context_attributes, &params )))
648 {
649 RtlFreeHeap( GetProcessHeap(), 0, key.SessionKey );
650 return status;
651 }
652
653 *(SecPkgContext_SessionKey *)buffer = key;
654 return SEC_E_OK;
655 }
656 case SECPKG_ATTR_SIZES:
657 {
658 struct query_context_attributes_params params = { context_handle->handle, attribute, buffer };
659 return KRB5_CALL( query_context_attributes, &params );
660 }
661 case SECPKG_ATTR_NEGOTIATION_INFO:
662 {
663 SecPkgContext_NegotiationInfoW *info = (SecPkgContext_NegotiationInfoW *)buffer;
664 if (!(info->PackageInfo = build_package_info( &infoW ))) return SEC_E_INSUFFICIENT_MEMORY;
665 info->NegotiationState = SECPKG_NEGOTIATION_COMPLETE;
666 return SEC_E_OK;
667 }
668 default:
669 FIXME( "unknown attribute %lu\n", attribute );
670 break;
671 }
672
673 return SEC_E_UNSUPPORTED_FUNCTION;
674 }
675
676 static NTSTATUS NTAPI kerberos_SpInitialize(ULONG_PTR package_id, SECPKG_PARAMETERS *params,
677 LSA_SECPKG_FUNCTION_TABLE *lsa_function_table)
678 {
679 TRACE("%Iu, %p, %p\n", package_id, params, lsa_function_table);
680
681 if (!__wine_unixlib_handle)
682 {
683 if (__wine_init_unix_call() || KRB5_CALL( process_attach, NULL ))
684 WARN( "no Kerberos support\n" );
685 return STATUS_UNSUCCESSFUL;
686 }
687 return STATUS_SUCCESS;
688 }
689
690 static NTSTATUS NTAPI kerberos_SpShutdown(void)
691 {
692 TRACE("\n");
693 return STATUS_SUCCESS;
694 }
695
696 static SECPKG_FUNCTION_TABLE kerberos_table =
697 {
698 kerberos_LsaApInitializePackage, /* InitializePackage */
699 NULL, /* LsaLogonUser */
700 NULL, /* CallPackage */
701 NULL, /* LogonTerminated */
702 kerberos_LsaApCallPackageUntrusted, /* CallPackageUntrusted */
703 NULL, /* CallPackagePassthrough */
704 NULL, /* LogonUserEx */
705 NULL, /* LogonUserEx2 */
706 kerberos_SpInitialize,
707 kerberos_SpShutdown,
708 kerberos_SpGetInfo,
709 NULL, /* AcceptCredentials */
710 kerberos_SpAcquireCredentialsHandle,
711 NULL, /* SpQueryCredentialsAttributes */
712 kerberos_SpFreeCredentialsHandle,
713 NULL, /* SaveCredentials */
714 NULL, /* GetCredentials */
715 NULL, /* DeleteCredentials */
716 kerberos_SpInitLsaModeContext,
717 kerberos_SpAcceptLsaModeContext,
718 kerberos_SpDeleteContext,
719 NULL, /* ApplyControlToken */
720 NULL, /* GetUserInfo */
721 NULL, /* GetExtendedInformation */
722 kerberos_SpQueryContextAttributes,
723 NULL, /* SpAddCredentials */
724 NULL, /* SetExtendedInformation */
725 NULL, /* SetContextAttributes */
726 NULL, /* SetCredentialsAttributes */
727 NULL, /* ChangeAccountPassword */
728 NULL, /* QueryMetaData */
729 NULL, /* ExchangeMetaData */
730 NULL, /* GetCredUIContext */
731 NULL, /* UpdateCredentials */
732 NULL, /* ValidateTargetInfo */
733 NULL, /* PostLogonUser */
734 };
735
736 NTSTATUS NTAPI SpLsaModeInitialize(ULONG lsa_version, PULONG package_version,
737 PSECPKG_FUNCTION_TABLE *table, PULONG table_count)
738 {
739 TRACE("%#lx, %p, %p, %p\n", lsa_version, package_version, table, table_count);
740
741 *package_version = SECPKG_INTERFACE_VERSION;
742 *table = &kerberos_table;
743 *table_count = 1;
744 return STATUS_SUCCESS;
745 }
746
747 static NTSTATUS NTAPI kerberos_SpInstanceInit(ULONG version, SECPKG_DLL_FUNCTIONS *dll_function_table, void **user_functions)
748 {
749 TRACE("%#lx, %p, %p\n", version, dll_function_table, user_functions);
750 return STATUS_SUCCESS;
751 }
752
753 static NTSTATUS SEC_ENTRY kerberos_SpMakeSignature( LSA_SEC_HANDLE context, ULONG quality_of_protection,
754 SecBufferDesc *message, ULONG message_seq_no )
755 {
756 TRACE( "%Ix, %#lx, %p, %lu\n", context, quality_of_protection, message, message_seq_no );
757 if (quality_of_protection) FIXME( "ignoring quality_of_protection %#lx\n", quality_of_protection );
758 if (message_seq_no) FIXME( "ignoring message_seq_no %lu\n", message_seq_no );
759
760 if (context)
761 {
762 struct context_handle *context_handle = (void *)context;
763 struct make_signature_params params;
764 int data_idx, token_idx;
765
766 /* FIXME: multiple data buffers, read-only buffers */
767 if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
768 if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
769
770 params.context = context_handle->handle;
771 params.data_length = message->pBuffers[data_idx].cbBuffer;
772 params.data = message->pBuffers[data_idx].pvBuffer;
773 params.token_length = &message->pBuffers[token_idx].cbBuffer;
774 params.token = message->pBuffers[token_idx].pvBuffer;
775
776 return KRB5_CALL( make_signature, &params );
777 }
778 else return SEC_E_INVALID_HANDLE;
779 }
780
781 static NTSTATUS NTAPI kerberos_SpVerifySignature( LSA_SEC_HANDLE context, SecBufferDesc *message,
782 ULONG message_seq_no, ULONG *quality_of_protection )
783 {
784 TRACE( "%Ix, %p, %lu, %p\n", context, message, message_seq_no, quality_of_protection );
785 if (message_seq_no) FIXME( "ignoring message_seq_no %lu\n", message_seq_no );
786
787 if (context)
788 {
789 struct context_handle *context_handle = (void *)context;
790 struct verify_signature_params params;
791 int data_idx, token_idx;
792
793 if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
794 if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
795
796 params.context = context_handle->handle;
797 params.data_length = message->pBuffers[data_idx].cbBuffer;
798 params.data = message->pBuffers[data_idx].pvBuffer;
799 params.token_length = message->pBuffers[token_idx].cbBuffer;
800 params.token = message->pBuffers[token_idx].pvBuffer;
801 params.qop = quality_of_protection;
802
803 return KRB5_CALL( verify_signature, &params );
804 }
805 else return SEC_E_INVALID_HANDLE;
806 }
807
808 static NTSTATUS NTAPI kerberos_SpSealMessage( LSA_SEC_HANDLE context, ULONG quality_of_protection,
809 SecBufferDesc *message, ULONG message_seq_no )
810 {
811 TRACE( "%Ix, %#lx, %p, %lu\n", context, quality_of_protection, message, message_seq_no );
812 if (message_seq_no) FIXME( "ignoring message_seq_no %lu\n", message_seq_no );
813
814 if (context)
815 {
816 struct context_handle *context_handle = (void *)context;
817 struct seal_message_params params;
818 int data_idx, token_idx;
819
820 /* FIXME: multiple data buffers, read-only buffers */
821 if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
822 if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
823
824 params.context = context_handle->handle;
825 params.data_length = message->pBuffers[data_idx].cbBuffer;
826 params.data = message->pBuffers[data_idx].pvBuffer;
827 params.token_length = &message->pBuffers[token_idx].cbBuffer;
828 params.token = message->pBuffers[token_idx].pvBuffer;
829 params.qop = quality_of_protection;
830
831 return KRB5_CALL( seal_message, &params );
832 }
833 else return SEC_E_INVALID_HANDLE;
834 }
835
836 static NTSTATUS NTAPI kerberos_SpUnsealMessage( LSA_SEC_HANDLE context, SecBufferDesc *message,
837 ULONG message_seq_no, ULONG *quality_of_protection )
838 {
839 TRACE( "%Ix, %p, %lu, %p\n", context, message, message_seq_no, quality_of_protection );
840 if (message_seq_no) FIXME( "ignoring message_seq_no %lu\n", message_seq_no );
841
842 if (context)
843 {
844 struct context_handle *context_handle = (void *)context;
845 struct unseal_message_params params;
846 int data_idx, token_idx;
847
848 if ((data_idx = get_buffer_index( message, SECBUFFER_DATA )) == -1) return SEC_E_INVALID_TOKEN;
849 if ((token_idx = get_buffer_index( message, SECBUFFER_TOKEN )) == -1) return SEC_E_INVALID_TOKEN;
850
851 params.context = context_handle->handle;
852 params.data_length = message->pBuffers[data_idx].cbBuffer;
853 params.data = message->pBuffers[data_idx].pvBuffer;
854 params.token_length = message->pBuffers[token_idx].cbBuffer;
855 params.token = message->pBuffers[token_idx].pvBuffer;
856 params.qop = quality_of_protection;
857
858 return KRB5_CALL( unseal_message, &params );
859 }
860 else return SEC_E_INVALID_HANDLE;
861 }
862
863 static SECPKG_USER_FUNCTION_TABLE kerberos_user_table =
864 {
865 kerberos_SpInstanceInit,
866 NULL, /* SpInitUserModeContext */
867 kerberos_SpMakeSignature,
868 kerberos_SpVerifySignature,
869 kerberos_SpSealMessage,
870 kerberos_SpUnsealMessage,
871 NULL, /* SpGetContextToken */
872 NULL, /* SpQueryContextAttributes */
873 NULL, /* SpCompleteAuthToken */
874 NULL, /* SpDeleteContext */
875 NULL, /* SpFormatCredentialsFn */
876 NULL, /* SpMarshallSupplementalCreds */
877 NULL, /* SpExportSecurityContext */
878 NULL /* SpImportSecurityContext */
879 };
880
881 NTSTATUS NTAPI SpUserModeInitialize(ULONG lsa_version, PULONG package_version,
882 PSECPKG_USER_FUNCTION_TABLE *table, PULONG table_count)
883 {
884 TRACE("%#lx, %p, %p, %p\n", lsa_version, package_version, table, table_count);
885
886 *package_version = SECPKG_INTERFACE_VERSION;
887 *table = &kerberos_user_table;
888 *table_count = 1;
889 return STATUS_SUCCESS;
890 }
Windows API implementation