negotiate: add user2user filtering

This patch adds the possibility to disable kerberos user2user in the SPnego SSPI module, so you can set "!u2u" in the authPackageList to disable user2user kerberos. It also does a few cleanups (FALSE instead of 0, and defaulting to no kerberos when kerberos support is not compiled in).
2026-04-15 00:44:19 +09:00 · 2025-07-02 10:01:57 +02:00
parent a7b051b590
commit 6e7f5c6355
1 changed files with 31 additions and 13 deletions
--- a/winpr/libwinpr/sspi/Negotiate/negotiate.c
+++ b/winpr/libwinpr/sspi/Negotiate/negotiate.c
@@ -249,7 +249,8 @@ static BOOL negotiate_get_dword(HKEY hKey, const char* subkey, DWORD* pdwValue)
 	return TRUE;
 }

-static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* kerberos, BOOL* ntlm)
+static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* kerberos, BOOL* ntlm,
+                                                        BOOL* u2u)
 {
 	char* tok_ctx = NULL;
 	char* tok_ptr = NULL;
@@ -271,14 +272,18 @@ static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* k
 			PackageInclude = FALSE;
 		}

-		if (!_stricmp(PackageName, "ntlm"))
+		if (_stricmp(PackageName, "ntlm") == 0)
 		{
 			*ntlm = PackageInclude;
 		}
-		else if (!_stricmp(PackageName, "kerberos"))
+		else if (_stricmp(PackageName, "kerberos") == 0)
 		{
 			*kerberos = PackageInclude;
 		}
+		else if (_stricmp(PackageName, "u2u") == 0)
+		{
+			*u2u = PackageInclude;
+		}
 		else
 		{
 			WLog_WARN(TAG, "Unknown authentication package name: %s", PackageName);
@@ -291,22 +296,29 @@ static BOOL negotiate_get_config_from_auth_package_list(void* pAuthData, BOOL* k
 	return TRUE;
 }

-static BOOL negotiate_get_config(void* pAuthData, BOOL* kerberos, BOOL* ntlm)
+static BOOL negotiate_get_config(void* pAuthData, BOOL* kerberos, BOOL* ntlm, BOOL* u2u)
 {
 	HKEY hKey = NULL;
 	LONG rc = 0;

 	WINPR_ASSERT(kerberos);
 	WINPR_ASSERT(ntlm);
+	WINPR_ASSERT(u2u);

 #if !defined(WITH_KRB5_NO_NTLM_FALLBACK)
 	*ntlm = TRUE;
 #else
 	*ntlm = FALSE;
 #endif
+#if defined(WITH_KRB5)
 	*kerberos = TRUE;
+	*u2u = TRUE;
+#else
+	*kerberos = FALSE;
+	*u2u = FALSE;
+#endif

-	if (negotiate_get_config_from_auth_package_list(pAuthData, kerberos, ntlm))
+	if (negotiate_get_config_from_auth_package_list(pAuthData, kerberos, ntlm, u2u))
 	{
 		return TRUE; // use explicit authentication package list
 	}
@@ -1406,10 +1418,11 @@ static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleW(
    void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
    PTimeStamp ptsExpiry)
 {
-	BOOL kerberos = 0;
-	BOOL ntlm = 0;
+	BOOL kerberos = FALSE;
+	BOOL ntlm = FALSE;
+	BOOL u2u = FALSE;

-	if (!negotiate_get_config(pAuthData, &kerberos, &ntlm))
+	if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u))
 		return SEC_E_INTERNAL_ERROR;

 	MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred));
@@ -1423,7 +1436,9 @@ static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleW(
 		const SecPkg* pkg = MechTable[i].pkg;
 		cred->mech = &MechTable[i];

-		if (!kerberos && _tcsncmp(pkg->name, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0)
+		if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID))
+			continue;
+		if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID))
 			continue;
 		if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0)
 			continue;
@@ -1448,10 +1463,11 @@ static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleA(
    void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
    PTimeStamp ptsExpiry)
 {
-	BOOL kerberos = 0;
-	BOOL ntlm = 0;
+	BOOL kerberos = FALSE;
+	BOOL ntlm = FALSE;
+	BOOL u2u = FALSE;

-	if (!negotiate_get_config(pAuthData, &kerberos, &ntlm))
+	if (!negotiate_get_config(pAuthData, &kerberos, &ntlm, &u2u))
 		return SEC_E_INTERNAL_ERROR;

 	MechCred* creds = calloc(MECH_COUNT, sizeof(MechCred));
@@ -1466,7 +1482,9 @@ static SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleA(

 		cred->mech = &MechTable[i];

-		if (!kerberos && _tcsncmp(pkg->name, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0)
+		if (!kerberos && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_OID))
+			continue;
+		if (!u2u && sspi_gss_oid_compare(MechTable[i].oid, &kerberos_u2u_OID))
 			continue;
 		if (!ntlm && _tcsncmp(SecPkgTable[i].name, NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0)
 			continue;