net-ssh-kerberos 0.1.3 → 0.2.0

data/lib/net/ssh/kerberos/drivers/sspi.rb

@@ -0,0 +1,216 @@
+module Net; module SSH; module Kerberos; module Drivers
+
+  module SSPI
+
+    SEC_E_OK = 0x00000000
+
+    SEC_I_CONTINUE_NEEDED = 0x00090312
+    SEC_I_COMPLETE_NEEDED = 0x00090313
+    SEC_I_COMPLETE_AND_CONTINUE = 0x00090314
+    SEC_I_INCOMPLETE_CREDENTIALS = 0x00090320
+    SEC_I_RENEGOTIATE = 0x00090321
+  
+    SEC_E_INSUFFICIENT_MEMORY = 0x80090300
+    SEC_E_INVALID_HANDLE = 0x80090301
+    SEC_E_UNSUPPORTED_FUNCTION = 0x80090302
+    SEC_E_TARGET_UNKNOWN = 0x80090303
+    SEC_E_INTERNAL_ERROR = 0x80090304
+    SEC_E_SECPKG_NOT_FOUND = 0x80090305
+    SEC_E_NOT_OWNER = 0x80090306
+    SEC_E_INVALID_TOKEN = 0x80090308
+    SEC_E_LOGON_DENIED = 0x8009030C
+    SEC_E_UNKNOWN_CREDENTIALS = 0x8009030D
+    SEC_E_NO_CREDENTIALS = 0x8009030E
+    SEC_E_NO_AUTHENTICATING_AUTHORITY = 0x80090311
+    SEC_E_WRONG_PRINCIPAL = 0x80090322
+
+    SECPKG_CRED_INBOUND = 0x00000001
+    SECPKG_CRED_OUTBOUND = 0x00000002
+    SECPKG_CRED_BOTH = 0x00000003
+
+    SECBUFFER_EMPTY = 0
+    SECBUFFER_DATA = 1
+    SECBUFFER_TOKEN = 2
+
+	  SECURITY_NATIVE_DREP = 0x00000010
+	  SECURITY_NETWORK_DREP = 0x00000000
+
+    SECPKG_ATTR_SIZES = 0
+    SECPKG_ATTR_NAMES = 1
+
+    ISC_REQ_DELEGATE                = 0x00000001
+    ISC_REQ_MUTUAL_AUTH             = 0x00000002
+    ISC_REQ_INTEGRITY               = 0x00010000
+    
+    module API
+      extend DL::Importable
+      include DLExtensions
+      
+      dlload 'secur32'
+    
+      typealias "void **", "p", PTR_REF_ENC, proc{|v| v.ptr}
+      typealias "SECURITY_STATUS", "L", proc{|v| v.to_i }, proc{|v| SSPIResult.new(v) }
+      typealias "USHORT", "unsigned short"
+      typealias "ULONG_REF", "unsigned long ref"
+      typealias "SEC_CHAR *", "char *"
+      typealias "PCtxtBuffer", "void **"
+      typealias "PCharBuffer", "P", nil, nil, "P", PTR_ENC
+      SecPkgInfo = struct [ "ULONG capabilities", "USHORT version", "USHORT rpcid",
+                            "ULONG max_token", "SEC_CHAR *name", "SEC_CHAR *comment" ]
+      typealias "PSecPkgInfo", "p", PTR_REF_ENC, PTR_REF_DEC(SecPkgInfo)
+      SecHandle = struct2([ "ULONG lower", "ULONG upper" ]) do def nil?; lower.zero? && upper.zero? end end
+      typealias "PSecHandle", "P"
+      typealias "PCredHandle", "PSecHandle"
+      typealias "PCtxtHandle", "PSecHandle"
+      SecBuffer = struct2 [ "ULONG length", "ULONG type", "PCharBuffer data" ] do
+        def to_s; data.to_s(length) end
+      end
+      typealias "PSecBuffer", "P"
+      SecBufferDesc = struct2 [ "ULONG version", "ULONG count", "PSecBuffer buffers" ] do
+        def buffer(n) SecBuffer.new(@ptr[:buffers] + SecBuffer.size * n) end
+      end
+      typealias "PSecBufferDesc", "P"
+      TimeStamp = SecHandle
+      typealias "PTimeStamp", "P"
+      SecPkgSizes = struct [ "ULONG max_token", "ULONG max_signature",
+                             "ULONG block_size", "ULONG security_trailer" ]
+    
+      class SSPIResult
+        @@map = {}
+        SSPI.constants.each { |v| @@map[SSPI.const_get(v.to_s)] = v if v.to_s =~ /^SEC_[EI]_/ }
+    
+        attr_reader :value
+        alias :to_i :value
+    
+        def initialize(value)
+          value = [value].pack("L").unpack("L").first
+          raise "#{value.to_s(16)} is not a recognized result" unless @@map.has_key? value
+          @value = value
+        end
+    
+        def ok?; value & 0x80000000 == 0 end
+        def complete?; value == 0 end
+        def incomplete?; SEC_I_COMPLETE_NEEDED==value || SEC_I_COMPLETE_AND_CONTINUE==value end
+        def failure?; value & 0x80000000 != 0 end
+        def temporary_failure?
+          value==SEC_E_LOGON_DENIED || value==SEC_E_NO_AUTHENTICATING_AUTHORITY || value==SEC_E_NO_CREDENTIALS
+        end
+        def to_s; @@map[@value].to_s end
+        def ==(result)
+          case result
+          when SSPIResult;  @value == result.value
+          when Fixnum;      @value == @@map[other]
+          else false
+          end
+        end
+      end
+
+      extern 'SECURITY_STATUS FreeContextBuffer(void *)'
+      extern 'SECURITY_STATUS QuerySecurityPackageInfo(SEC_CHAR *, PSecPkgInfo)'
+			extern 'SECURITY_STATUS AcquireCredentialsHandle(void *, SEC_CHAR *, ULONG, void *, '+
+				                        'void *, void *, void *, PCredHandle, PTimeStamp)'
+      extern 'SECURITY_STATUS QueryCredentialsAttributes(PCredHandle, ULONG, PCtxtBuffer)'
+      extern 'SECURITY_STATUS FreeCredentialsHandle(PCredHandle)'
+      extern 'SECURITY_STATUS QueryContextAttributes(PCtxtHandle, ULONG, void *)'
+      extern 'SECURITY_STATUS CompleteAuthToken(PCtxtHandle, PSecBufferDesc)'
+      extern 'SECURITY_STATUS MakeSignature(PCtxtHandle, ULONG, PSecBufferDesc, ULONG)'
+			extern 'SECURITY_STATUS InitializeSecurityContext(PCredHandle, PCtxtHandle, char *, '+
+				                        'ULONG, ULONG, ULONG, PSecBufferDesc, ULONG, PCtxtHandle, '+
+				                        'PSecBufferDesc, ULONG_REF, PTimeStamp)'
+      extern 'SECURITY_STATUS DeleteSecurityContext(PCtxtHandle)'
+      
+      def SecBuffer.createArray(types,data)
+        buffs = []
+        mem = DL::malloc(size * types.size)
+        0.upto(types.size - 1) do |n|
+          buff = new DL::PtrData.new(mem.to_i + (n * size), size)
+          buff.type = types[n]
+          n = data[n]
+          buff.data = Fixnum===n ? "\0" * n : n
+          buff.length = Fixnum===n ? n : n.length
+          buffs << buff
+        end
+        buffs
+      end
+      
+      def SecBufferDesc.create(token)
+        desc = API::SecBufferDesc.malloc
+        desc.version = 0
+        desc.count = 1
+        desc.buffers = SecBuffer.createArray([SECBUFFER_TOKEN], [token]).first.to_ptr
+        desc
+      end
+    end
+
+    def self.max_token; @@max_token end
+
+    # SSPI - Kerberos 5 mechanism support.
+    result = API.querySecurityPackageInfo "Kerberos", nil
+    if result.ok? and ! (pkg_info = API._args_[1]).nil?
+      @@max_token = pkg_info.max_token
+      API.freeContextBuffer pkg_info
+    else
+      raise "SSPI reports no support for Kerberos authentication"
+    end
+
+    class Context < Net::SSH::Kerberos::Context
+			def init(token=nil)
+			  prev = @state.handle if @state && ! @state.handle.nil?
+			  ctx = prev || API::SecHandle.malloc
+			  input = API::SecBufferDesc.create(token) if token
+			  output = API::SecBufferDesc.create(12288)
+			  result = API.initializeSecurityContext @credentials, prev, @target,
+				                 ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY, 0,
+				                 SECURITY_NATIVE_DREP, input, 0, ctx, output, 0, ts=API::TimeStamp.malloc
+			  result.failure? and raise GeneralError, "Error initializing security context: #{result}"
+			  result = API.completeAuthToken ctx, output if result.incomplete?
+			  result.failure? and raise GeneralError, "Error initializing security context: #{result}"
+			  @state = State.new(ctx, result, output.buffers ? output.buffer(0).to_s : nil, ts)
+			  if result.complete?
+			    result = API.queryContextAttributes @state.handle, SECPKG_ATTR_SIZES, @sizes=API::SecPkgSizes.malloc
+				  result.failure? and raise GeneralError, "Error initializing security context: #{result}"
+			    @handle = @state.handle
+			  end
+			  @state.token
+			end
+			
+			def get_mic(token)
+        desc = API::SecBufferDesc.malloc
+        desc.version = 0
+        desc.count = 2
+        desc.buffers = API::SecBuffer.createArray([SECBUFFER_DATA, SECBUFFER_TOKEN],
+					                                        [token, @sizes.max_signature]).first.to_ptr
+			  @state.result = API.makeSignature @handle, 0, desc, 0
+			  @state.result.complete? or raise GeneralError, "Error creating the signature: #{result}"
+		    desc.buffer(1).to_s
+			end
+			
+		private
+			
+			def acquire_current_credentials
+			  result = API.acquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
+			                                         creds=API::SecHandle.malloc, ts=API::TimeStamp.malloc
+			  result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
+			  result = API.queryCredentialsAttributes creds, SECPKG_ATTR_NAMES, nil
+			  if result.ok?
+			    name = API._args_[2]
+			    begin return [creds, name.to_s]
+			    ensure API.freeContextBuffer name
+			    end
+			  end
+			end
+			
+			def release_credentials(creds) API.freeCredentialsHandle creds unless creds.nil? end
+			  
+			def import_server_name(host) ['host/'+host, 'host/'+host] end
+			  
+			def release_server_name(target) end
+			  
+			def delete_context(handle)
+			  API.deleteSecurityContext handle unless handle.nil?
+			  API.freeContextBuffer @sizes unless @sizes.nil?
+			end
+		end
+  end
+
+end; end; end; end

data/test/gss_context_test.rb

@@ -2,10 +2,10 @@ require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 class GssContextTest < Test::Unit::TestCase
 
-if defined? Net::SSH::Kerberos::GSS::Context
+if Net::SSH::Kerberos::Drivers.available.include? 'GSS'
 
   def setup
-    @gss = Net::SSH::Kerberos::GSS::Context.new 
+    @gss = Net::SSH::Kerberos::Drivers::GSS::Context.new 
   end
 
   def teardown
@@ -22,13 +22,12 @@ if defined? Net::SSH::Kerberos::GSS::Context
     @gss.init nil
     state = @gss.send(:state)
     assert ! state.handle.nil?, "Should have provided an initial context"
-    assert ! state.handle.handle.nil?, "Should have provided an initial context"
     assert ! state.token.nil?, "Should have built an initial token"
     assert state.token.length.nonzero?, "Should have built an initial token"
   end
 
 else
-  $stderr.puts "Skipping GSS tests on this platform: no supported GSSAPI library was loaded."
+  def test_nothing; assert true end
 end
 
 end

data/test/gss_test.rb

@@ -2,42 +2,38 @@ require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 class GssTest < Test::Unit::TestCase
 
-  include Net::SSH::Kerberos::GSS
+if Net::SSH::Kerberos::Drivers.available.include? 'GSS'
+
+  include Net::SSH::Kerberos::Drivers::GSS
 
   def test_acquire_cred
-    creds = API::GssCredRef.malloc
-    result = call_and_assert :gss_acquire_cred, nil, 60, nil, GSS_C_INITIATE, creds, nil, nil
-    assert_not_equal 0, creds.handle.to_i, "Should acquire default credentials"
+    result = API.gss_acquire_cred nil, 60, nil, GSS_C_INITIATE, nil, nil, 0
+    assert result.ok?, "gss_acquire_cred failed: #{result}"
+    creds = API._args_[4]
+    assert_not_equal creds, GSS_C_NO_CREDENTIAL, "Should acquire default credentials"
     begin
-      name = API::GssNameRef.malloc
-      lifetime = API::OM_uint32Ref.malloc
-      usage = API::GssCredUsageRef.malloc
-      oids = API::GssOIDSetRef.malloc
-      result = call_and_assert :gss_inquire_cred, creds.handle, name, nil, usage, oids
-      assert_not_equal 0, name.handle.to_i, "Should provide the internal name"
-      assert_not_equal 0, oids.oidset.count, "Should provide the supported oids"
+      result = API.gss_inquire_cred creds, nil, 0, 0, nil
+      assert result.ok?, "gss_inquire_cred failed: #{result}"
+      name, oids = API._args_[1], API._args_[4]
+      assert_not_equal name, GSS_C_NO_NAME, "Should provide the internal name"
+      assert_not_equal oids, GSS_C_NO_OID_SET, "Should provide the supported oids"
+      assert oids.count > 0, "Should provide the supported oids"
       begin
-        buffer = API::GssBuffer.malloc
-        oid = API::GssOIDRef.malloc
-        assert_equal GSS_C_INITIATE, usage.value, "Usage should specify GSS_C_INITIATE"
-        result = call_and_assert :gss_display_name, name.handle, buffer, oid
-        assert_not_equal 0, buffer.value.to_i, "Should provide the display name"
+        result = API.gss_display_name name, buffer=API::GssBuffer.malloc, nil
+        assert result.ok?, "gss_display_name failed: #{result}"
+        assert buffer.length > 0, "Should provide the display name"
         begin
-          assert_not_equal 0, oid.ptr.to_i, "Should provide the supported oid"
+          assert_not_equal API._args_[2], GSS_C_NO_OID, "Should provide the supported oid"
           #$stderr.puts "credentials: #{creds.handle.to_i} #{buffer.value} (OID: #{oid.oid.length}, #{oid.oid.to_hex})"
         ensure
-          result = API.gss_release_buffer API::OM_uint32Ref.malloc, buffer
+          API.gss_release_buffer buffer
         end
       ensure
-        minor_status = API::OM_uint32Ref.malloc
-        API.gss_release_name minor_status, name
-        API.gss_release_oid_set minor_status, oids
-        assert_equal 0, name.handle.to_i, "Should release the internal name"
-        assert_equal 0, oids.ptr.to_i, "Should release the supported oids"
+        API.gss_release_name name
+        API.gss_release_oid_set oids
       end
     ensure
-      minor_status = API::OM_uint32Ref.malloc
-      API.gss_release_cred minor_status, creds
+      API.gss_release_cred creds
     end
   end
   
@@ -46,52 +42,38 @@ class GssTest < Test::Unit::TestCase
     buffer = API::GssBuffer.malloc
     buffer.value = target_name
     buffer.length = target_name.length
-    mech = API::GssOID.malloc
-    mech.elements = GSS_C_NT_HOSTBASED_SERVICE
-    mech.length = GSS_C_NT_HOSTBASED_SERVICE.length
-    target_name = API::GssNameRef.malloc
-    result = call_and_assert :gss_import_name, buffer, mech, target_name
-    assert_not_equal target_name.handle, GSS_C_NO_NAME, "Should import the name"
-
-    buffer = API::GssBuffer.malloc
-    result = call_and_assert :gss_display_name, target_name.handle, buffer, nil
-    assert_not_equal 0, buffer.value.to_i, "Should provide the display name"
+    result = API.gss_import_name buffer, GSS_C_NT_HOSTBASED_SERVICE, nil
+    assert result.ok?, "gss_import_name failed: #{result}"
+    target = API._args_[2]
+    assert_not_equal target, GSS_C_NO_NAME, "Should import the name"
+    result = API.gss_display_name target, buffer=API::GssBuffer.malloc, nil
+    assert result.ok?, "gss_display_name failed: #{result}"
+    assert buffer.length > 0, "Should provide the display name"
     #$stderr.puts "target: #{buffer.value} (OID: #{mech.length}, #{mech.to_hex})"
-    call_and_assert :gss_release_buffer, buffer
+    API.gss_release_buffer buffer
 
-    mech.elements = GSS_KRB5_MECH
-    mech.length = GSS_KRB5_MECH.length
-    actual_mech = API::GssOIDRef.malloc
-    context = API::GssContextRef.malloc
-    context.handle = GSS_C_NO_CONTEXT
     buffer.value = nil
     buffer.length = 0
-    result = call_and_assert :gss_init_sec_context, GSS_C_NO_CREDENTIAL, context, target_name.handle, mech,
-                              GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
-                              GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, actual_mech, buffer, nil, nil
-    assert_not_equal 0, context.handle.to_i, "Should initialize the security context"
+    result = API.gss_init_sec_context GSS_C_NO_CREDENTIAL, GSS_C_NO_CONTEXT, target, GSS_C_KRB5,
+                                      GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
+                                      GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, nil, buffer, 0, 0
+    assert result.ok?, "gss_init_sec_context failed: #{result}"
+    context, actual_mech = API._args_[1], API._args_[8]
+    assert_not_equal context, GSS_C_NO_CONTEXT, "Should initialize the security context"
     begin
-      assert_equal GSS_S_CONTINUE_NEEDED, result, "Should need continued initialization of the security context"
+      assert_equal result.status, GSS_S_CONTINUE_NEEDED, "Should need continued initialization of the security context"
       assert buffer.length > 0, "Should output a token to send to the server"
+      assert_not_equal actual_mech, GSS_C_NO_OID, "Should initialize the security context"
       #$stderr.puts "context: (#{buffer.length}) (OID: #{actual_mech.oid.length}, #{actual_mech.oid.to_hex})"
-      call_and_assert :gss_release_buffer, buffer
+      API.gss_release_buffer buffer
     ensure
-      minor_status = API::OM_uint32Ref.malloc
-      API.gss_delete_sec_context minor_status, context, nil
-      if buffer.value.nil?
-        assert_equal 0, context.handle.to_i, "Should delete the security context"
-      end
+      API.gss_delete_sec_context context, nil if context and buffer.value.nil?
     end
   end
 
-private
-  
-  def call_and_assert(sym, *args)
-    minor_status = API::OM_uint32Ref.malloc
-    result = API.send sym, minor_status, *args
-    assert_equal 0, (result & 0xffff0000), "#{sym} failed: 0x#{result.to_s(16)}"
-    assert_equal 0, minor_status.value, "#{sym} failed: minor status 0x#{minor_status.value.to_s(16)}"
-    result
-  end
+else
+  def test_nothing; assert true end
+end
+
 end
 

data/test/sspi_context_test.rb

@@ -2,10 +2,10 @@ require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 class SspiContextTest < Test::Unit::TestCase
 
-if defined? Net::SSH::Kerberos::SSPI::Context
+if Net::SSH::Kerberos::Drivers.available.include? 'SSPI'
 
   def setup
-    @gss = Net::SSH::Kerberos::SSPI::Context.new 
+    @gss = Net::SSH::Kerberos::Drivers::SSPI::Context.new 
   end
 
   def teardown
@@ -18,8 +18,6 @@ if defined? Net::SSH::Kerberos::SSPI::Context
   end
 
 else
-  $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
-
   def test_nothing; assert true end
 end
 

data/test/sspi_test.rb

@@ -2,69 +2,61 @@ require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 class SspiTest < Test::Unit::TestCase
 
-if defined? Net::SSH::Kerberos::SSPI::Context
+if Net::SSH::Kerberos::Drivers.available.include? 'SSPI'
 
-include Win32::SSPI
+  include Net::SSH::Kerberos::Drivers::SSPI
 
   def test_query_security_package_info
-    pkg_info = SecPkgInfo.new
-    result = API::QuerySecurityPackageInfo "Kerberos", pkg_info
-    assert result.ok?, "QuerySecurityPackageInfo failed: #{result}"
-    assert_equal pkg_info.name, "Kerberos"
-    assert pkg_info.max_token >= 128, "The maximum token size is assumed to be greater than 128 bytes"
-    assert pkg_info.max_token <= 12288, "The maximum token size is assumed to be less than 12288 bytes"
-    result = API::FreeContextBuffer pkg_info
-    assert result.ok?, "FreeContextBuffer failed: #{result}"
+    result = API.querySecurityPackageInfo "Kerberos", nil
+    assert result.ok?, "querySecurityPackageInfo failed: #{result}"
+    #$stderr.puts "querySecurityPackageInfo => #{pkg_info.comment} (max_token=#{pkg_info.max_token})"
+    pkg_info = API._args_[1]
+    assert_equal pkg_info.name.to_s, "Kerberos"
+    assert pkg_info.max_token >= 128, "The maximum token size is assumed to be greater than 127 bytes"
+    assert pkg_info.max_token <= 12288, "The maximum token size is assumed to be less than 12289 bytes"
+    result = API.freeContextBuffer pkg_info
+    assert result.ok?, "freeContextBuffer failed: #{result}"
   end
 
   def test_security_context_initialization
-    creds = SecurityHandle.new
-    ts = TimeStamp.new
-    result = API::AcquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil, creds, ts
+    result = API.acquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
+                                          creds=API::SecHandle.malloc, ts=API::TimeStamp.malloc
     unless result.temporary_failure?
-      assert result.ok?, "AcquireCredentialsHandle failed: #{result}"
+      assert result.ok?, "acquireCredentialsHandle failed: #{result}"
       assert ! creds.nil?, "Should acquire a credentials handle"
       begin
-        buff = "\0\0\0\0"
-        result = API::QueryCredentialsAttributes creds, SECPKG_CRED_ATTR_NAMES, buff
-        assert result.ok?, "QueryCredentialsAttributes failed: #{result}"
-        names = buff.to_ptr.ptr
+        result = API.queryCredentialsAttributes creds, SECPKG_ATTR_NAMES, nil
+        assert result.ok?, "queryCredentialsAttributes failed: #{result}"
+        names = API._args_[2]
         assert ! names.nil?, "Should return the user name."
+        #$stderr.puts "queryCredentialsAttributes: (#{result}) #{names.to_s}"
         begin
-          ts = TimeStamp.new
-          output = SecurityBuffer.new
-          ctx = CtxtHandle.new
-          ctxAttr = "\0" * 4
-          req = ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH
-          result = API::InitializeSecurityContext creds, nil, 'host/'+Socket.gethostbyname('localhost')[0], 
-                                                  req, 0, SECURITY_NATIVE_DREP, nil, 0, ctx, output, ctxAttr, ts
+          output = API::SecBufferDesc.create(12288)
+          result = API.initializeSecurityContext creds, nil, 'host/'+Socket.gethostbyname('localhost')[0], 
+                                                 ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY, 0, SECURITY_NATIVE_DREP,
+                                                 nil, 0, ctx=API::SecHandle.malloc, output, 0, ts=API::TimeStamp.malloc
           unless result.temporary_failure?
-            assert result.ok?, "InitializeSecurityContext failed: #{result}"
+            assert result.ok?, "initializeSecurityContext failed: #{result}"
             begin
               assert ! ctx.nil?, "Should initialize a context handle"
-              assert ! output.token.nil?, "Should output a token into the buffer"
-              assert output.bufferSize.nonzero?, "Should output a token into the buffer"
+              assert ! output.buffer(0).data.nil?, "Should output a token into the buffer"
+              assert output.buffer(0).length < 12288, "Should output a token into the buffer"
             ensure
-              result = API::DeleteSecurityContext ctx
-              ctx = nil if result.ok?
+              ctx = nil if (result = API.deleteSecurityContext(ctx)).ok?
             end
-            assert ctx.nil?, "DeleteSecurityContext failed: #{result}"
+            assert ctx.nil?, "deleteSecurityContext failed: #{result}"
           end
         ensure
-          result = API::FreeContextBuffer names
-          names = nil if result.ok?
+          names = nil if (result = API.freeContextBuffer(names)).ok?
         end
-        assert names.nil?, "FreeContextBuffer failed: #{result}"
+        assert names.nil?, "freeContextBuffer failed: #{result}"
       ensure
-        result = API::FreeCredentialsHandle creds
-        creds = nil if result.ok?
+        creds = nil if (result = API.freeCredentialsHandle(creds)).ok?
       end
-      assert creds.nil?, "FreeCredentialsHandle failed: #{result}"
+      assert creds.nil?, "freeCredentialsHandle failed: #{result}"
     end
   end
 else
-  $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
-
   def test_nothing; assert true end
 end