From 9fd97beb23ef606b55a72e9663e5a32379ea110c Mon Sep 17 00:00:00 2001
From: David Fort
Date: Fri, 28 Mar 2025 09:50:41 +0100
Subject: [PATCH 1/2] ncrypt_pkcs11: remove verbose unneeded log

---
 winpr/libwinpr/ncrypt/ncrypt_pkcs11.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
index 87d4f58c2..d4af7c48b 100644
--- a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
+++ b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
@@ -541,7 +541,8 @@ static BOOL convertKeyType(CK_KEY_TYPE k, LPWSTR dest, DWORD len, DWORD* outlen)
 dest[0] = 0;
 return FALSE;
 }
- else
+
+ if (dest)
 {
 if (retLen + 1 > len)
 {
@@ -549,11 +550,8 @@ static BOOL convertKeyType(CK_KEY_TYPE k, LPWSTR dest, DWORD len, DWORD* outlen)
 return FALSE;
 }
- if (dest)
- {
- memcpy(dest, r, sizeof(WCHAR) * retLen);
- dest[retLen] = 0;
- }
+ memcpy(dest, r, sizeof(WCHAR) * retLen);
+ dest[retLen] = 0;
 }
 return TRUE;

From 419f469583b05825c6b8fd170b6ea8c166631cc8 Mon Sep 17 00:00:00 2001
From: David Fort
Date: Mon, 31 Mar 2025 09:02:15 +0200
Subject: [PATCH 2/2] kerberos: fix server-side user2user

In user to user mode the requested name is something like TERMSRV/@, but we can request a TGT only for $@ as it's the only account that we have in our keytab that can do it. So this patch fix the research in the keytab, and retrieves the TGT using $@ instead of TERMSRV/@. That fixes NLA server-side with kerberos users2user.
---
 winpr/libwinpr/sspi/Kerberos/kerberos.c | 46 ++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.c b/winpr/libwinpr/sspi/Kerberos/kerberos.c
index 60a38e0da..1c5b31919 100644
--- a/winpr/libwinpr/sspi/Kerberos/kerberos.c
+++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c
@@ -127,9 +127,6 @@ static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\
 static const WinPrAsn1_OID kerberos_u2u_OID = { 10, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
-#define krb_log_exec_bool(fkt, ctx, ...) \
- kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__) ? KRB5KRB_ERR_GENERIC : 0, #fkt, __FILE__, \
- __func__, __LINE__)
 #define krb_log_exec(fkt, ctx, ...) \
 kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
 #define krb_log_exec_ptr(fkt, ctx, ...) \
@@ -1325,13 +1322,45 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
 if (!kerberos_rd_tgt_token(&input_token, &target, NULL))
 goto bad_token;
+ /*
+ * we're requested with target="TERMSRV/@" but we're gonna look
+ * at $@ in the keytab (notice the $), so we build a new "target"
+ * string containing
+ *
+ * sname realm
+ * | |
+ * v v
+ * $@
+ *
+ */
 if (target)
 {
- if (*target != 0 && *target != '@')
- sname = target;
+ sname = strchr(target, '/');
+ if (!sname)
+ goto cleanup;
+ sname++;
+
+ /* target goes from TERMSRV/[@] to [@] */
+ sname = memmove(target, sname, strlen(sname) + 1);
+
 realm = strchr(target, '@');
 if (realm)
+ {
+ *realm = '$';
 realm++;
+
+ size_t len = strlen(realm);
+ memmove(realm + 1, realm, len + 1);
+
+ *realm = '@';
+ realm++;
+ }
+ else
+ {
+ size_t len = strlen(sname);
+ target[len] = '$';
+ target[len + 1] = 0;
+ }
 }
 if (krb_log_exec(krb5_parse_name_flags, credentials->ctx, sname ? sname : "",
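Review bot: The in-place rewrite of `target` grows the string by one byte in both branches (`memmove(realm + 1, realm, len + 1)` and `target[len + 1] = 0`), and nothing in the hunk states why that cannot overrun the buffer handed back by kerberos_rd_tgt_token. It is safe only because the preceding `strchr(target, '/')` check guarantees the earlier `memmove(target, sname, strlen(sname) + 1)` freed at least one byte, so the slack is never smaller than the growth; that invariant deserves a comment such as `/* grows target by one byte: safe because stripping the prefix up to '/' above freed at least one byte of slack */` on the `memmove(realm + 1, ...)` line and a matching one on `target[len] = '$';`. The `goto cleanup` on a missing '/' jumps without setting any error status inside the hunk, so whether the caller actually sees a failure depends on the status variable's value at that point, which is outside the hunk and worth confirming. Targets without a "TERMSRV/" prefix, which the removed `*target != 0 && *target != '@'` check used to accept, are now rejected; if that is intended the commit message could say so. kerberos_AcceptSecurityContext begins before and continues after this hunk.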
@@ -1356,10 +1385,9 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
 if (rv != 0)
 goto cleanup;
- if ((!sname || krb_log_exec_bool(krb5_principal_compare_any_realm, credentials->ctx,
- principal, entry.principal)) &&
- (!realm || krb_log_exec_bool(krb5_realm_compare, credentials->ctx, principal,
- entry.principal)))
+ if ((!sname ||
+ krb5_principal_compare_any_realm(credentials->ctx, principal, entry.principal)) &&
+ (!realm || krb5_realm_compare(credentials->ctx, principal, entry.principal)))
 break;
 const krb5_error_code res = krb_log_exec(krb5glue_free_keytab_entry_contents, credentials->ctx, &entry);