libwinpr-sspi: start implementing and using negotiate sspi module

2014-06-07 16:26:57 -04:00 · 2014-06-07 16:26:57 -04:00 · 03cf7933d9
parent 576e0c4d1a
commit 03cf7933d9
6 changed files with 367 additions and 111 deletions
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@ -85,7 +85,7 @@
 #define WITH_DEBUG_CREDSSP
 #endif

-#define NLA_PKG_NAME	NTLMSP_NAME
+#define NLA_PKG_NAME	NEGOSSP_NAME

 #define TERMSRV_SPN_PREFIX	"TERMSRV/"

@ -316,7 +316,7 @@ int credssp_client_authenticate(rdpCredssp* credssp)
 				SECURITY_NATIVE_DREP, (have_input_buffer) ? &input_buffer_desc : NULL,
 				0, &credssp->context, &output_buffer_desc, &pfContextAttr, &expiration);

-		if (have_input_buffer && (input_buffer.pvBuffer != NULL))
+		if (have_input_buffer && (input_buffer.pvBuffer))
 		{
 			free(input_buffer.pvBuffer);
 			input_buffer.pvBuffer = NULL;
@ -324,7 +324,7 @@ int credssp_client_authenticate(rdpCredssp* credssp)

 		if ((status == SEC_I_COMPLETE_AND_CONTINUE) || (status == SEC_I_COMPLETE_NEEDED) || (status == SEC_E_OK))
 		{
-			if (credssp->table->CompleteAuthToken != NULL)
+			if (credssp->table->CompleteAuthToken)
 				credssp->table->CompleteAuthToken(&credssp->context, &output_buffer_desc);

 			have_pub_key_auth = TRUE;
@ -569,7 +569,7 @@ int credssp_server_authenticate(rdpCredssp* credssp)

 		if ((status == SEC_I_COMPLETE_AND_CONTINUE) || (status == SEC_I_COMPLETE_NEEDED))
 		{
-			if (credssp->table->CompleteAuthToken != NULL)
+			if (credssp->table->CompleteAuthToken)
 				credssp->table->CompleteAuthToken(&credssp->context, &output_buffer_desc);

 			if (status == SEC_I_COMPLETE_NEEDED)
--- a/winpr/libwinpr/sspi/NTLM/ntlm.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm.c
@ -636,6 +636,11 @@ SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(PCredHandle phCredenti
 	return status;
 }

+SECURITY_STATUS SEC_ENTRY ntlm_CompleteAuthToken(PCtxtHandle phContext, PSecBufferDesc pToken)
+{
+	return SEC_E_OK;
+}
+
 /* http://msdn.microsoft.com/en-us/library/windows/desktop/aa375354 */

 SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle phContext)
@ -888,7 +893,7 @@ const SecurityFunctionTableA NTLM_SecurityFunctionTableA =
 	NULL, /* Reserved2 */
 	ntlm_InitializeSecurityContextA, /* InitializeSecurityContext */
 	ntlm_AcceptSecurityContext, /* AcceptSecurityContext */
-	NULL, /* CompleteAuthToken */
+	ntlm_CompleteAuthToken, /* CompleteAuthToken */
 	ntlm_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
 	ntlm_QueryContextAttributesA, /* QueryContextAttributes */
@ -920,7 +925,7 @@ const SecurityFunctionTableW NTLM_SecurityFunctionTableW =
 	NULL, /* Reserved2 */
 	ntlm_InitializeSecurityContextW, /* InitializeSecurityContext */
 	ntlm_AcceptSecurityContext, /* AcceptSecurityContext */
-	NULL, /* CompleteAuthToken */
+	ntlm_CompleteAuthToken, /* CompleteAuthToken */
 	ntlm_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
 	ntlm_QueryContextAttributesW, /* QueryContextAttributes */
--- a/winpr/libwinpr/sspi/Negotiate/negotiate.c
+++ b/winpr/libwinpr/sspi/Negotiate/negotiate.c
@ -28,55 +28,11 @@

 #include "../sspi.h"

+extern const SecurityFunctionTableA NTLM_SecurityFunctionTableA;
+extern const SecurityFunctionTableW NTLM_SecurityFunctionTableW;
+
 char* NEGOTIATE_PACKAGE_NAME = "Negotiate";

-SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext,
-		SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep,
-		PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext,
-		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
-{
-	return SEC_E_UNSUPPORTED_FUNCTION;
-}
-
-SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext,
-		SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep,
-		PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext,
-		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
-{
-	NEGOTIATE_CONTEXT* context;
-	CREDENTIALS* credentials;
-	PSecBuffer output_SecBuffer;
-
-	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
-
-	if (!context)
-	{
-		context = negotiate_ContextNew();
-
-		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
-		sspi_CopyAuthIdentity(&context->identity, &credentials->identity);
-
-		sspi_SecureHandleSetLowerPointer(phNewContext, context);
-		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NEGOTIATE_PACKAGE_NAME);
-	}
-
-	if ((!pInput) && (context->state == NEGOTIATE_STATE_INITIAL))
-	{
-		if (!pOutput)
-			return SEC_E_INVALID_TOKEN;
-
-		if (pOutput->cBuffers < 1)
-			return SEC_E_INVALID_TOKEN;
-
-		output_SecBuffer = &pOutput->pBuffers[0];
-
-		if (output_SecBuffer->cbBuffer < 1)
-			return SEC_E_INSUFFICIENT_MEMORY;
-	}	
-
-	return SEC_E_OK;
-}
-
 NEGOTIATE_CONTEXT* negotiate_ContextNew()
 {
 	NEGOTIATE_CONTEXT* context;
@ -89,6 +45,11 @@ NEGOTIATE_CONTEXT* negotiate_ContextNew()
 	context->NegotiateFlags = 0;
 	context->state = NEGOTIATE_STATE_INITIAL;

+	sspi_SecureHandleInit(&(context->Context));
+
+	context->sspiA = (SecurityFunctionTableA*) &NTLM_SecurityFunctionTableA;
+	context->sspiW = (SecurityFunctionTableW*) &NTLM_SecurityFunctionTableW;
+
 	return context;
 }

@ -100,21 +61,197 @@ void negotiate_ContextFree(NEGOTIATE_CONTEXT* context)
 	free(context);
 }

-SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributes(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer)
+SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext,
+		SEC_WCHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep,
+		PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext,
+		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
 {
+	SECURITY_STATUS status;
+	NEGOTIATE_CONTEXT* context;
+	CREDENTIALS* credentials;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+	{
+		context = negotiate_ContextNew();
+
+		if (!context)
+			return SEC_E_INTERNAL_ERROR;
+
+		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+		sspi_CopyAuthIdentity(&context->identity, &credentials->identity);
+
+		sspi_SecureHandleSetLowerPointer(phNewContext, context);
+		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NEGOTIATE_PACKAGE_NAME);
+	}
+
+	status = context->sspiW->InitializeSecurityContextW(phCredential, &(context->Context),
+		pszTargetName, fContextReq, Reserved1, TargetDataRep, pInput, Reserved2, &(context->Context),
+		pOutput, pfContextAttr, ptsExpiry);
+
+	return status;
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext,
+		SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep,
+		PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext,
+		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
+{
+	SECURITY_STATUS status;
+	NEGOTIATE_CONTEXT* context;
+	CREDENTIALS* credentials;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+	{
+		context = negotiate_ContextNew();
+
+		if (!context)
+			return SEC_E_INTERNAL_ERROR;
+
+		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+		sspi_CopyAuthIdentity(&context->identity, &credentials->identity);
+
+		sspi_SecureHandleSetLowerPointer(phNewContext, context);
+		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NEGOTIATE_PACKAGE_NAME);
+	}
+
+	status = context->sspiA->InitializeSecurityContextA(phCredential, &(context->Context),
+		pszTargetName, fContextReq, Reserved1, TargetDataRep, pInput, Reserved2, &(context->Context),
+		pOutput, pfContextAttr, ptsExpiry);
+
+	return status;
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_AcceptSecurityContext(PCredHandle phCredential, PCtxtHandle phContext,
+		PSecBufferDesc pInput, ULONG fContextReq, ULONG TargetDataRep, PCtxtHandle phNewContext,
+		PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsTimeStamp)
+{
+	SECURITY_STATUS status;
+	NEGOTIATE_CONTEXT* context;
+	CREDENTIALS* credentials;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+	{
+		context = negotiate_ContextNew();
+
+		if (!context)
+			return SEC_E_INTERNAL_ERROR;
+
+		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+		sspi_CopyAuthIdentity(&context->identity, &credentials->identity);
+
+		sspi_SecureHandleSetLowerPointer(phNewContext, context);
+		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NEGOTIATE_PACKAGE_NAME);
+	}
+
+	status = context->sspiA->AcceptSecurityContext(phCredential, &(context->Context),
+		pInput, fContextReq, TargetDataRep, &(context->Context),
+		pOutput, pfContextAttr, ptsTimeStamp);
+
+	return status;	
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_CompleteAuthToken(PCtxtHandle phContext, PSecBufferDesc pToken)
+{
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_OK;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+		return SEC_E_INVALID_HANDLE;
+
+	if (context->sspiW->CompleteAuthToken)
+		status = context->sspiW->CompleteAuthToken(phContext, pToken);
+
+	return status;
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_DeleteSecurityContext(PCtxtHandle phContext)
+{
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_OK;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
+		return SEC_E_INVALID_HANDLE;
+
+	if (context->sspiW->DeleteSecurityContext)
+		status = context->sspiW->DeleteSecurityContext(&(context->Context));
+
+	negotiate_ContextFree(context);
+
+	return status;
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesW(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer)
+{
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_OK;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
 	if (!phContext)
 		return SEC_E_INVALID_HANDLE;

 	if (!pBuffer)
 		return SEC_E_INSUFFICIENT_MEMORY;

-	return SEC_E_UNSUPPORTED_FUNCTION;
+	if (context->sspiW->QueryContextAttributesW)
+		status = context->sspiW->QueryContextAttributesW(&(context->Context), ulAttribute, pBuffer);
+
+	return status;
+}
+
+SECURITY_STATUS SEC_ENTRY negotiate_QueryContextAttributesA(PCtxtHandle phContext, ULONG ulAttribute, void* pBuffer)
+{
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_OK;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!phContext)
+		return SEC_E_INVALID_HANDLE;
+
+	if (!pBuffer)
+		return SEC_E_INSUFFICIENT_MEMORY;
+
+	if (context->sspiA->QueryContextAttributesA)
+		status = context->sspiA->QueryContextAttributesA(&(context->Context), ulAttribute, pBuffer);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal, SEC_WCHAR* pszPackage,
 		ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn,
 		void* pvGetKeyArgument, PCredHandle phCredential, PTimeStamp ptsExpiry)
 {
+	CREDENTIALS* credentials;
+	SEC_WINNT_AUTH_IDENTITY* identity;
+
+	if (fCredentialUse == SECPKG_CRED_OUTBOUND)
+	{
+		credentials = sspi_CredentialsNew();
+
+		if (!credentials)
+			return SEC_E_INSUFFICIENT_MEMORY;
+
+		identity = (SEC_WINNT_AUTH_IDENTITY*) pAuthData;
+
+		CopyMemory(&(credentials->identity), identity, sizeof(SEC_WINNT_AUTH_IDENTITY));
+
+		sspi_SecureHandleSetLowerPointer(phCredential, (void*) credentials);
+		sspi_SecureHandleSetUpperPointer(phCredential, (void*) NEGOTIATE_PACKAGE_NAME);
+
+		return SEC_E_OK;
+	}
+
 	return SEC_E_UNSUPPORTED_FUNCTION;
 }

@ -147,20 +284,11 @@ SECURITY_STATUS SEC_ENTRY negotiate_AcquireCredentialsHandleA(SEC_CHAR* pszPrinc

 SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer)
 {
-	return SEC_E_OK;
+	return SEC_E_UNSUPPORTED_FUNCTION;
 }

 SECURITY_STATUS SEC_ENTRY negotiate_QueryCredentialsAttributesA(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer)
 {
-	if (ulAttribute == SECPKG_CRED_ATTR_NAMES)
-	{
-		CREDENTIALS* credentials;
-
-		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
-
-		return SEC_E_OK;
-	}
-
 	return SEC_E_UNSUPPORTED_FUNCTION;
 }

@ -183,22 +311,54 @@ SECURITY_STATUS SEC_ENTRY negotiate_FreeCredentialsHandle(PCredHandle phCredenti

 SECURITY_STATUS SEC_ENTRY negotiate_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
 {
-	return SEC_E_UNSUPPORTED_FUNCTION;
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_UNSUPPORTED_FUNCTION;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (context->sspiW->EncryptMessage)
+		status = context->sspiW->EncryptMessage(&(context->Context), fQOP, pMessage, MessageSeqNo);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY negotiate_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, ULONG* pfQOP)
 {
-	return SEC_E_UNSUPPORTED_FUNCTION;
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_UNSUPPORTED_FUNCTION;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (context->sspiW->DecryptMessage)
+		status = context->sspiW->DecryptMessage(&(context->Context), pMessage, MessageSeqNo, pfQOP);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY negotiate_MakeSignature(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
 {
-	return SEC_E_UNSUPPORTED_FUNCTION;
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_UNSUPPORTED_FUNCTION;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (context->sspiW->MakeSignature)
+		status = context->sspiW->MakeSignature(&(context->Context), fQOP, pMessage, MessageSeqNo);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY negotiate_VerifySignature(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, ULONG* pfQOP)
 {
-	return SEC_E_UNSUPPORTED_FUNCTION;
+	NEGOTIATE_CONTEXT* context;
+	SECURITY_STATUS status = SEC_E_UNSUPPORTED_FUNCTION;
+
+	context = (NEGOTIATE_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (context->sspiW->VerifySignature)
+		status = context->sspiW->VerifySignature(&(context->Context), pMessage, MessageSeqNo, pfQOP);
+
+	return status;
 }

 const SecurityFunctionTableA NEGOTIATE_SecurityFunctionTableA =
@ -210,11 +370,11 @@ const SecurityFunctionTableA NEGOTIATE_SecurityFunctionTableA =
 	negotiate_FreeCredentialsHandle, /* FreeCredentialsHandle */
 	NULL, /* Reserved2 */
 	negotiate_InitializeSecurityContextA, /* InitializeSecurityContext */
-	NULL, /* AcceptSecurityContext */
-	NULL, /* CompleteAuthToken */
-	NULL, /* DeleteSecurityContext */
+	negotiate_AcceptSecurityContext, /* AcceptSecurityContext */
+	negotiate_CompleteAuthToken, /* CompleteAuthToken */
+	negotiate_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
-	negotiate_QueryContextAttributes, /* QueryContextAttributes */
+	negotiate_QueryContextAttributesA, /* QueryContextAttributes */
 	NULL, /* ImpersonateSecurityContext */
 	NULL, /* RevertSecurityContext */
 	negotiate_MakeSignature, /* MakeSignature */
@ -242,11 +402,11 @@ const SecurityFunctionTableW NEGOTIATE_SecurityFunctionTableW =
 	negotiate_FreeCredentialsHandle, /* FreeCredentialsHandle */
 	NULL, /* Reserved2 */
 	negotiate_InitializeSecurityContextW, /* InitializeSecurityContext */
-	NULL, /* AcceptSecurityContext */
-	NULL, /* CompleteAuthToken */
-	NULL, /* DeleteSecurityContext */
+	negotiate_AcceptSecurityContext, /* AcceptSecurityContext */
+	negotiate_CompleteAuthToken, /* CompleteAuthToken */
+	negotiate_DeleteSecurityContext, /* DeleteSecurityContext */
 	NULL, /* ApplyControlToken */
-	negotiate_QueryContextAttributes, /* QueryContextAttributes */
+	negotiate_QueryContextAttributesW, /* QueryContextAttributes */
 	NULL, /* ImpersonateSecurityContext */
 	NULL, /* RevertSecurityContext */
 	negotiate_MakeSignature, /* MakeSignature */
--- a/winpr/libwinpr/sspi/Negotiate/negotiate.h
+++ b/winpr/libwinpr/sspi/Negotiate/negotiate.h
@ -42,6 +42,11 @@ struct _NEGOTIATE_CONTEXT
 	PCtxtHandle auth_ctx;
 	SEC_WINNT_AUTH_IDENTITY identity;
 	SecBuffer NegoInitMessage;
+
+	CtxtHandle Context;
+
+	SecurityFunctionTableA* sspiA;
+	SecurityFunctionTableW* sspiW;
 };
 typedef struct _NEGOTIATE_CONTEXT NEGOTIATE_CONTEXT;

--- a/winpr/libwinpr/sspi/sspi.c
+++ b/winpr/libwinpr/sspi/sspi.c
@ -344,7 +344,7 @@ SECURITY_STATUS SEC_ENTRY sspi_EnumerateSecurityPackagesW(ULONG* pcPackages, PSe

 	status = g_SspiW->EnumerateSecurityPackagesW(pcPackages, ppPackageInfo);

-	WLog_Print(g_Log, WLOG_DEBUG, "EnumerateSecurityPackagesW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "EnumerateSecurityPackagesW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -361,7 +361,7 @@ SECURITY_STATUS SEC_ENTRY sspi_EnumerateSecurityPackagesA(ULONG* pcPackages, PSe

 	status = g_SspiA->EnumerateSecurityPackagesA(pcPackages, ppPackageInfo);

-	WLog_Print(g_Log, WLOG_DEBUG, "EnumerateSecurityPackagesA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "EnumerateSecurityPackagesA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -398,7 +398,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QuerySecurityPackageInfoW(SEC_WCHAR* pszPackageNa

 	status = g_SspiW->QuerySecurityPackageInfoW(pszPackageName, ppPackageInfo);

-	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityPackageInfoW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityPackageInfoW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -415,7 +415,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QuerySecurityPackageInfoA(SEC_CHAR* pszPackageNam

 	status = g_SspiA->QuerySecurityPackageInfoA(pszPackageName, ppPackageInfo);

-	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityPackageInfoA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityPackageInfoA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -437,7 +437,7 @@ SECURITY_STATUS SEC_ENTRY sspi_AcquireCredentialsHandleW(SEC_WCHAR* pszPrincipal
 	status = g_SspiW->AcquireCredentialsHandleW(pszPrincipal, pszPackage, fCredentialUse,
 		pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);

-	WLog_Print(g_Log, WLOG_DEBUG, "AcquireCredentialsHandleW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "AcquireCredentialsHandleW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -457,7 +457,7 @@ SECURITY_STATUS SEC_ENTRY sspi_AcquireCredentialsHandleA(SEC_CHAR* pszPrincipal,
 	status = g_SspiA->AcquireCredentialsHandleA(pszPrincipal, pszPackage, fCredentialUse,
 		pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument, phCredential, ptsExpiry);

-	WLog_Print(g_Log, WLOG_DEBUG, "AcquireCredentialsHandleA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "AcquireCredentialsHandleA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -474,7 +474,7 @@ SECURITY_STATUS SEC_ENTRY sspi_ExportSecurityContext(PCtxtHandle phContext, ULON

 	status = g_SspiW->ExportSecurityContext(phContext, fFlags, pPackedContext, pToken);

-	WLog_Print(g_Log, WLOG_DEBUG, "ExportSecurityContext: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "ExportSecurityContext: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -491,7 +491,7 @@ SECURITY_STATUS SEC_ENTRY sspi_FreeCredentialsHandle(PCredHandle phCredential)

 	status = g_SspiW->FreeCredentialsHandle(phCredential);

-	WLog_Print(g_Log, WLOG_DEBUG, "FreeCredentialsHandle: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "FreeCredentialsHandle: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -508,7 +508,7 @@ SECURITY_STATUS SEC_ENTRY sspi_ImportSecurityContextW(SEC_WCHAR* pszPackage, PSe

 	status = g_SspiW->ImportSecurityContextW(pszPackage, pPackedContext, pToken, phContext);

-	WLog_Print(g_Log, WLOG_DEBUG, "ImportSecurityContextW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "ImportSecurityContextW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -525,7 +525,7 @@ SECURITY_STATUS SEC_ENTRY sspi_ImportSecurityContextA(SEC_CHAR* pszPackage, PSec

 	status = g_SspiA->ImportSecurityContextA(pszPackage, pPackedContext, pToken, phContext);

-	WLog_Print(g_Log, WLOG_DEBUG, "ImportSecurityContextA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "ImportSecurityContextA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -542,7 +542,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QueryCredentialsAttributesW(PCredHandle phCredent

 	status = g_SspiW->QueryCredentialsAttributesW(phCredential, ulAttribute, pBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "QueryCredentialsAttributesW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QueryCredentialsAttributesW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -559,7 +559,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QueryCredentialsAttributesA(PCredHandle phCredent

 	status = g_SspiA->QueryCredentialsAttributesA(phCredential, ulAttribute, pBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "QueryCredentialsAttributesA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QueryCredentialsAttributesA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -581,7 +581,7 @@ SECURITY_STATUS SEC_ENTRY sspi_AcceptSecurityContext(PCredHandle phCredential, P
 	status = g_SspiW->AcceptSecurityContext(phCredential, phContext, pInput, fContextReq,
 		TargetDataRep, phNewContext, pOutput, pfContextAttr, ptsTimeStamp);

-	WLog_Print(g_Log, WLOG_DEBUG, "AcceptSecurityContext: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "AcceptSecurityContext: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -598,7 +598,7 @@ SECURITY_STATUS SEC_ENTRY sspi_ApplyControlToken(PCtxtHandle phContext, PSecBuff

 	status = g_SspiW->ApplyControlToken(phContext, pInput);

-	WLog_Print(g_Log, WLOG_DEBUG, "ApplyControlToken: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "ApplyControlToken: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -615,7 +615,7 @@ SECURITY_STATUS SEC_ENTRY sspi_CompleteAuthToken(PCtxtHandle phContext, PSecBuff

 	status = g_SspiW->CompleteAuthToken(phContext, pToken);

-	WLog_Print(g_Log, WLOG_DEBUG, "CompleteAuthToken: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "CompleteAuthToken: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -632,7 +632,7 @@ SECURITY_STATUS SEC_ENTRY sspi_DeleteSecurityContext(PCtxtHandle phContext)

 	status = g_SspiW->DeleteSecurityContext(phContext);

-	WLog_Print(g_Log, WLOG_DEBUG, "DeleteSecurityContext: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "DeleteSecurityContext: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -649,7 +649,7 @@ SECURITY_STATUS SEC_ENTRY sspi_FreeContextBuffer(void* pvContextBuffer)

 	status = g_SspiW->FreeContextBuffer(pvContextBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "FreeContextBuffer: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "FreeContextBuffer: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -666,7 +666,7 @@ SECURITY_STATUS SEC_ENTRY sspi_ImpersonateSecurityContext(PCtxtHandle phContext)

 	status = g_SspiW->ImpersonateSecurityContext(phContext);

-	WLog_Print(g_Log, WLOG_DEBUG, "ImpersonateSecurityContext: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "ImpersonateSecurityContext: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -688,7 +688,7 @@ SECURITY_STATUS SEC_ENTRY sspi_InitializeSecurityContextW(PCredHandle phCredenti
 		pszTargetName, fContextReq, Reserved1, TargetDataRep, pInput,
 		Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry);

-	WLog_Print(g_Log, WLOG_DEBUG, "InitializeSecurityContextW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "InitializeSecurityContextW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -710,7 +710,7 @@ SECURITY_STATUS SEC_ENTRY sspi_InitializeSecurityContextA(PCredHandle phCredenti
 		pszTargetName, fContextReq, Reserved1, TargetDataRep, pInput,
 		Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry);

-	WLog_Print(g_Log, WLOG_DEBUG, "InitializeSecurityContextA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "InitializeSecurityContextA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -727,7 +727,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QueryContextAttributesW(PCtxtHandle phContext, UL

 	status = g_SspiW->QueryContextAttributesW(phContext, ulAttribute, pBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "QueryContextAttributesW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QueryContextAttributesW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -744,7 +744,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QueryContextAttributesA(PCtxtHandle phContext, UL

 	status = g_SspiA->QueryContextAttributesA(phContext, ulAttribute, pBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "QueryContextAttributesA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QueryContextAttributesA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -761,7 +761,7 @@ SECURITY_STATUS SEC_ENTRY sspi_QuerySecurityContextToken(PCtxtHandle phContext,

 	status = g_SspiW->QuerySecurityContextToken(phContext, phToken);

-	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityContextToken: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "QuerySecurityContextToken: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -778,7 +778,7 @@ SECURITY_STATUS SEC_ENTRY sspi_SetContextAttributesW(PCtxtHandle phContext, ULON

 	status = g_SspiW->SetContextAttributesW(phContext, ulAttribute, pBuffer, cbBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "SetContextAttributesW: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "SetContextAttributesW: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -795,7 +795,7 @@ SECURITY_STATUS SEC_ENTRY sspi_SetContextAttributesA(PCtxtHandle phContext, ULON

 	status = g_SspiA->SetContextAttributesA(phContext, ulAttribute, pBuffer, cbBuffer);

-	WLog_Print(g_Log, WLOG_DEBUG, "SetContextAttributesA: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "SetContextAttributesA: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -812,7 +812,7 @@ SECURITY_STATUS SEC_ENTRY sspi_RevertSecurityContext(PCtxtHandle phContext)

 	status = g_SspiW->RevertSecurityContext(phContext);

-	WLog_Print(g_Log, WLOG_DEBUG, "RevertSecurityContext: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "RevertSecurityContext: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -831,7 +831,7 @@ SECURITY_STATUS SEC_ENTRY sspi_DecryptMessage(PCtxtHandle phContext, PSecBufferD

 	status = g_SspiW->DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP);

-	WLog_Print(g_Log, WLOG_DEBUG, "DecryptMessage: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "DecryptMessage: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -848,7 +848,7 @@ SECURITY_STATUS SEC_ENTRY sspi_EncryptMessage(PCtxtHandle phContext, ULONG fQOP,

 	status = g_SspiW->EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);

-	WLog_Print(g_Log, WLOG_DEBUG, "EncryptMessage: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "EncryptMessage: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -865,7 +865,7 @@ SECURITY_STATUS SEC_ENTRY sspi_MakeSignature(PCtxtHandle phContext, ULONG fQOP,

 	status = g_SspiW->MakeSignature(phContext, fQOP, pMessage, MessageSeqNo);

-	WLog_Print(g_Log, WLOG_DEBUG, "MakeSignature: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "MakeSignature: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
@ -882,7 +882,7 @@ SECURITY_STATUS SEC_ENTRY sspi_VerifySignature(PCtxtHandle phContext, PSecBuffer

 	status = g_SspiW->VerifySignature(phContext, pMessage, MessageSeqNo, pfQOP);

-	WLog_Print(g_Log, WLOG_DEBUG, "VerifySignature: 0x%04X", status);
+	WLog_Print(g_Log, WLOG_DEBUG, "VerifySignature: %s (0x%04X)", GetSecurityStatusString(status), status);

 	return status;
 }
--- a/winpr/libwinpr/sspi/sspi_winpr.c
+++ b/winpr/libwinpr/sspi/sspi_winpr.c
@ -43,6 +43,11 @@ extern const SecPkgInfoW NTLM_SecPkgInfoW;
 extern const SecurityFunctionTableA NTLM_SecurityFunctionTableA;
 extern const SecurityFunctionTableW NTLM_SecurityFunctionTableW;

+extern const SecPkgInfoA NEGOTIATE_SecPkgInfoA;
+extern const SecPkgInfoW NEGOTIATE_SecPkgInfoW;
+extern const SecurityFunctionTableA NEGOTIATE_SecurityFunctionTableA;
+extern const SecurityFunctionTableW NEGOTIATE_SecurityFunctionTableW;
+
 extern const SecPkgInfoA CREDSSP_SecPkgInfoA;
 extern const SecPkgInfoW CREDSSP_SecPkgInfoW;
 extern const SecurityFunctionTableA CREDSSP_SecurityFunctionTableA;
@ -56,6 +61,7 @@ extern const SecurityFunctionTableW SCHANNEL_SecurityFunctionTableW;
 const SecPkgInfoA* SecPkgInfoA_LIST[] =
 {
 	&NTLM_SecPkgInfoA,
+	&NEGOTIATE_SecPkgInfoA,
 	&CREDSSP_SecPkgInfoA,
 	&SCHANNEL_SecPkgInfoA
 };
@ -63,6 +69,7 @@ const SecPkgInfoA* SecPkgInfoA_LIST[] =
 const SecPkgInfoW* SecPkgInfoW_LIST[] =
 {
 	&NTLM_SecPkgInfoW,
+	&NEGOTIATE_SecPkgInfoW,
 	&CREDSSP_SecPkgInfoW,
 	&SCHANNEL_SecPkgInfoW
 };
@ -87,17 +94,20 @@ typedef struct _SecurityFunctionTableW_NAME SecurityFunctionTableW_NAME;
 const SecurityFunctionTableA_NAME SecurityFunctionTableA_NAME_LIST[] =
 {
 	{ "NTLM", &NTLM_SecurityFunctionTableA },
+	{ "Negotiate", &NEGOTIATE_SecurityFunctionTableA },
 	{ "CREDSSP", &CREDSSP_SecurityFunctionTableA },
 	{ "Schannel", &SCHANNEL_SecurityFunctionTableA }
 };

 WCHAR NTLM_NAME_W[] = { 'N','T','L','M','\0' };
+WCHAR NEGOTIATE_NAME_W[] = { 'N','e','g','o','t','i','a','t','e','\0' };
 WCHAR CREDSSP_NAME_W[] = { 'C','r','e','d','S','S','P','\0' };
 WCHAR SCHANNEL_NAME_W[] = { 'S','c','h','a','n','n','e','l','\0' };

 const SecurityFunctionTableW_NAME SecurityFunctionTableW_NAME_LIST[] =
 {
 	{ NTLM_NAME_W, &NTLM_SecurityFunctionTableW },
+	{ NEGOTIATE_NAME_W, &NEGOTIATE_SecurityFunctionTableW },
 	{ CREDSSP_NAME_W, &CREDSSP_SecurityFunctionTableW },
 	{ SCHANNEL_NAME_W, &SCHANNEL_SecurityFunctionTableW }
 };
@ -836,7 +846,26 @@ SECURITY_STATUS SEC_ENTRY winpr_ImportSecurityContextW(SEC_WCHAR* pszPackage, PS

 SECURITY_STATUS SEC_ENTRY winpr_ImportSecurityContextA(SEC_CHAR* pszPackage, PSecBuffer pPackedContext, HANDLE pToken, PCtxtHandle phContext)
 {
-	return SEC_E_NOT_SUPPORTED;
+	char* Name = NULL;
+	SECURITY_STATUS status;
+	SecurityFunctionTableA* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableAByNameA(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (!table->ImportSecurityContextA)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->ImportSecurityContextA(pszPackage, pPackedContext, pToken, phContext);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY winpr_QueryCredentialsAttributesW(PCredHandle phCredential, ULONG ulAttribute, void* pBuffer)
@ -918,12 +947,50 @@ SECURITY_STATUS SEC_ENTRY winpr_AcceptSecurityContext(PCredHandle phCredential,

 SECURITY_STATUS SEC_ENTRY winpr_ApplyControlToken(PCtxtHandle phContext, PSecBufferDesc pInput)
 {
-	return SEC_E_NOT_SUPPORTED;
+	char* Name = NULL;
+	SECURITY_STATUS status;
+	SecurityFunctionTableA* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableAByNameA(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (!table->ApplyControlToken)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->ApplyControlToken(phContext, pInput);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY winpr_CompleteAuthToken(PCtxtHandle phContext, PSecBufferDesc pToken)
 {
-	return SEC_E_NOT_SUPPORTED;
+	char* Name = NULL;
+	SECURITY_STATUS status;
+	SecurityFunctionTableA* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableAByNameA(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (!table->CompleteAuthToken)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->CompleteAuthToken(phContext, pToken);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY winpr_DeleteSecurityContext(PCtxtHandle phContext)
@ -962,7 +1029,26 @@ SECURITY_STATUS SEC_ENTRY winpr_FreeContextBuffer(void* pvContextBuffer)

 SECURITY_STATUS SEC_ENTRY winpr_ImpersonateSecurityContext(PCtxtHandle phContext)
 {
-	return SEC_E_NOT_SUPPORTED;
+	SEC_CHAR* Name;
+	SECURITY_STATUS status;
+	SecurityFunctionTableW* table;
+
+	Name = (SEC_CHAR*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableWByNameA(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (!table->ImportSecurityContextW)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->ImpersonateSecurityContext(phContext);
+
+	return status;
 }

 SECURITY_STATUS SEC_ENTRY winpr_InitializeSecurityContextW(PCredHandle phCredential, PCtxtHandle phContext,