able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/inetsrv/iis/iisrearc/iisplus/ulw3/digestprovider.cxx
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

991 lines
24 KiB
C++
Raw Blame History

/*++
Copyright (c) 1999 Microsoft Corporation
Module Name :
digestprovider.cxx
Abstract:
Digest authentication provider
Author:
Ming Lu (minglu) 24-Jun-2000
Environment:
Win32 - User Mode
Project:
ULW3.DLL
--*/
#include "precomp.hxx"
#include "sspiprovider.hxx"
#include "digestprovider.hxx"
#include "uuencode.hxx"
ALLOC_CACHE_HANDLER * DIGEST_SECURITY_CONTEXT::sm_pachDIGESTSecContext
= NULL;
//static
HRESULT
DIGEST_AUTH_PROVIDER::Initialize(
DWORD dwInternalId
)
/*++
Routine Description:
Initialize Digest SSPI provider
Arguments:
None
Return Value:
HRESULT
--*/
{
HRESULT hr;
SetInternalId( dwInternalId );
hr = DIGEST_SECURITY_CONTEXT::Initialize();
if ( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error initializing Digest Auth Prov. hr = %x\n",
hr ));
return hr;
}
return NO_ERROR;
}
//static
VOID
DIGEST_AUTH_PROVIDER::Terminate(
VOID
)
/*++
Routine Description:
Terminate SSPI Digest provider
Arguments:
None
Return Value:
None
--*/
{
DIGEST_SECURITY_CONTEXT::Terminate();
}
HRESULT
DIGEST_AUTH_PROVIDER::DoesApply(
W3_MAIN_CONTEXT * pMainContext,
BOOL * pfApplies
)
/*++
Routine Description:
Does the given request have credentials applicable to the Digest
provider
Arguments:
pMainContext - Main context representing request
pfApplies - Set to true if Digest is applicable
Return Value:
HRESULT
--*/
{
CHAR * pszAuthHeader = NULL;
HRESULT hr;
SSPI_CONTEXT_STATE * pContextState;
STACK_STRA( strPackage, 64 );
W3_METADATA * pMetaData = NULL;
if ( pMainContext == NULL ||
pfApplies == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
*pfApplies = FALSE;
//
// Is using of Digest SSP enabled?
//
if ( !g_pW3Server->QueryUseDigestSSP() )
{
return NO_ERROR;
}
//
// Get the auth type
//
hr = pMainContext->QueryRequest()->GetAuthType( &strPackage );
if ( FAILED( hr ) )
{
return hr;
}
//
// No package, no auth
//
if ( strPackage.IsEmpty() )
{
return NO_ERROR;
}
//
// Is it Digest?
//
if ( _stricmp( strPackage.QueryStr(), "Digest" ) == 0 )
{
//
// Save away the package so we don't have to calc again
//
DBG_ASSERT( !strPackage.IsEmpty() );
pszAuthHeader = pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization );
DBG_ASSERT( pszAuthHeader != NULL );
pContextState = new (pMainContext) SSPI_CONTEXT_STATE(
pszAuthHeader + strPackage.QueryCCH() + 1 );
if ( pContextState == NULL )
{
return HRESULT_FROM_WIN32( GetLastError() );
}
hr = pContextState->SetPackage( strPackage.QueryStr() );
if ( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error in SetPackage(). hr = %x\n",
hr ));
delete pContextState;
pContextState = NULL;
return hr;
}
pMainContext->SetContextState( pContextState );
*pfApplies = TRUE;
}
return NO_ERROR;
}
HRESULT
DIGEST_AUTH_PROVIDER::DoAuthenticate(
W3_MAIN_CONTEXT * pMainContext
)
/*++
Description:
Do authentication work (we will be called if we apply)
Arguments:
pMainContext - Main context
Return Value:
HRESULT
--*/
{
DWORD err;
HRESULT hr = E_FAIL;
W3_METADATA * pMetaData = NULL;
W3_CONNECTION * pW3Connection = NULL;
DIGEST_SECURITY_CONTEXT * pDigestSecurityContext = NULL;
SSPI_CONTEXT_STATE * pContextState = NULL;
SSPI_USER_CONTEXT * pUserContext = NULL;
SSPI_CREDENTIAL * pDigestCredentials = NULL;
SecBufferDesc SecBuffDescOutput;
SecBufferDesc SecBuffDescInput;
//
// We have 5 input buffer and 1 output buffer to fill data
// in for digest authentication
//
SecBuffer SecBuffTokenOut[ 1 ];
SecBuffer SecBuffTokenIn[ 5 ];
SECURITY_STATUS secStatus = SEC_E_OK;
CtxtHandle hServerCtxtHandle;
TimeStamp Lifetime;
ULONG ContextReqFlags = 0;
ULONG ContextAttributes = 0;
STACK_STRU( strOutputHeader, 256 );
STACK_BUFFER( bufOutputBuffer, 4096 );
STACK_STRA( strMethod, 10 );
STACK_STRU( strUrl, MAX_PATH );
STACK_STRA( strUrlA, MAX_PATH );
STACK_STRA( strRealm, 128 );
if ( pMainContext == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
pContextState = ( SSPI_CONTEXT_STATE* )
pMainContext->QueryContextState();
DBG_ASSERT( pContextState != NULL );
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
DBG_ASSERT( pMetaData != NULL );
//
// clean the memory and set it to zero
//
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) );
ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) );
ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
//
// define the buffer descriptor for the Outpt
//
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION;
SecBuffDescOutput.cBuffers = 1;
SecBuffDescOutput.pBuffers = SecBuffTokenOut;
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN;
SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize();
SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
//
// define the buffer descriptor for the Input
//
SecBuffDescInput.ulVersion = SECBUFFER_VERSION;
SecBuffDescInput.cBuffers = 5;
SecBuffDescInput.pBuffers = SecBuffTokenIn;
//
// set the digest auth header in the buffer
//
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN;
SecBuffTokenIn[0].cbBuffer = strlen(pContextState->QueryCredentials());
SecBuffTokenIn[0].pvBuffer = pContextState->QueryCredentials();
//
// Get and Set the information for the method
//
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod );
if ( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error getting the method. hr = %x\n",
hr ));
return hr;
}
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH();
SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
//
// Get and Set the infomation for the Url
//
hr = pMainContext->QueryRequest()->GetUrl( &strUrl );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error getting the URL. hr = %x\n",
hr ));
return hr;
}
hr = strUrlA.CopyW( strUrl.QueryStr() );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error copying the URL. hr = %x\n",
hr ));
return hr;
}
SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB();
SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
//
// Get and Set the information for the hentity
//
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
SecBuffTokenIn[3].pvBuffer = 0; // this is not yet implemeted
//
//Get and Set the Realm Information
//
if( pMetaData->QueryRealm() )
{
hr = strRealm.CopyW( pMetaData->QueryRealm() );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error copying the realm. hr = %x\n",
hr ));
return hr;
}
}
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB();
SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
//
// Get a Security Context
//
//
// get the credential for the server
//
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME,
&pDigestCredentials );
if ( FAILED( hr ) )
{
DBGPRINTF((DBG_CONTEXT,
"Error get credential handle. hr = 0x%x \n",
hr ));
return hr;
}
DBG_ASSERT( pDigestCredentials != NULL );
//
// Resize the output buffer to max token size
//
if( !bufOutputBuffer.Resize(
pDigestCredentials->QueryMaxTokenSize() ) )
{
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
}
pDigestSecurityContext =
( DIGEST_SECURITY_CONTEXT * ) QueryConnectionAuthContext( pMainContext );
//
// check to see if there is an old Context Handle
//
if ( pDigestSecurityContext != NULL )
{
//
// defined the buffer
//
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN;
SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize();
SecBuffTokenIn[4].pvBuffer =
( PVOID )bufOutputBuffer.QueryPtr();
secStatus = VerifySignature(
pDigestSecurityContext->QueryContextHandle(),
&SecBuffDescInput,
0,
0 );
}
else
{
//
// set the flags
//
ContextReqFlags = ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONNECTION;
//
// get the security context
//
secStatus = AcceptSecurityContext(
pDigestCredentials->QueryCredHandle(),
NULL,
&SecBuffDescInput,
ContextReqFlags,
SECURITY_NATIVE_DREP,
&hServerCtxtHandle,
&SecBuffDescOutput,
&ContextAttributes,
&Lifetime);
if( SEC_I_COMPLETE_NEEDED == secStatus )
{
//
//defined the buffer
//
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN;
SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize();
SecBuffTokenIn[4].pvBuffer =
( PVOID )bufOutputBuffer.QueryPtr();
secStatus = CompleteAuthToken(
&hServerCtxtHandle,
&SecBuffDescInput
);
}
if ( SUCCEEDED( secStatus ) )
{
pDigestSecurityContext = new DIGEST_SECURITY_CONTEXT(
pDigestCredentials );
if ( NULL == pDigestSecurityContext )
{
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
}
pDigestSecurityContext->SetContextHandle(
hServerCtxtHandle );
pDigestSecurityContext->SetContextAttributes(
ContextAttributes );
//
// Mark the security context is complete, so we can detect
// reauthentication on the same connection
//
// CODEWORK: Can probably get away will just
// un-associating/deleting the
// SSPI_SECURITY_CONTEXT now!
//
pDigestSecurityContext->SetIsComplete( TRUE );
SetConnectionAuthContext( pMainContext,
pDigestSecurityContext );
}
}
//
// Check to see if the nonce has expired
//
if (SEC_E_CONTEXT_EXPIRED == secStatus)
{
//
// stale = true indicates that user knows password but he need to use new nonce
// let's treat stale = true as part of the continuing authentication handshake
// IIS will send back only Digest header in this case ( even if more auth methods
// are enabled )
//
if ( NULL != pDigestSecurityContext )
{
pDigestSecurityContext->SetStale( TRUE );
}
//
// Add Digest headers to response
//
hr = SetDigestHeader( pMainContext,
TRUE //Stale
);
if ( FAILED( hr ) )
{
return hr;
}
//
// Don't let anyone else send back authentication headers when
// the 401 is sent
//
pMainContext->SetProviderHandled( TRUE );
//
// We need to send a 401 response to continue the handshake.
// We have already setup the WWW-Authenticate header
//
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
Http401BadLogon );
pMainContext->SetFinishedResponse();
pMainContext->SetErrorStatus( SEC_E_CONTEXT_EXPIRED );
}
else if( FAILED( secStatus ) )
{
err = GetLastError();
if( err == ERROR_PASSWORD_MUST_CHANGE ||
err == ERROR_PASSWORD_EXPIRED )
{
return HRESULT_FROM_WIN32( err );
}
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
Http401BadLogon );
pMainContext->SetErrorStatus( HRESULT_FROM_WIN32( secStatus ) );
}
else
{
//
// Create a user context and setup it up
//
pUserContext = new SSPI_USER_CONTEXT( this );
if ( pUserContext == NULL )
{
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
}
hr = pUserContext->Create( pDigestSecurityContext, pMainContext );
if ( FAILED( hr ) )
{
pUserContext->DereferenceUserContext();
pUserContext = NULL;
return hr;
}
pMainContext->SetUserContext( pUserContext );
}
return NO_ERROR;
}
HRESULT
DIGEST_AUTH_PROVIDER::OnAccessDenied(
W3_MAIN_CONTEXT * pMainContext
)
/*++
Description:
Add WWW-Authenticate Digest headers
Arguments:
pMainContext - main context
Return Value:
HRESULT
--*/
{
W3_METADATA * pMetaData;
if ( pMainContext == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
//
// Is using of Digest SSP enabled?
//
if ( !g_pW3Server->QueryUseDigestSSP() )
{
return NO_ERROR;
}
if( !W3_STATE_AUTHENTICATION::QueryIsDomainMember() )
{
//
// We are not a domain member, so do nothing
//
return NO_ERROR;
}
return SetDigestHeader( pMainContext,
FALSE //stale will not be sent
);
}
HRESULT
DIGEST_AUTH_PROVIDER::SetDigestHeader(
IN W3_MAIN_CONTEXT * pMainContext,
IN BOOL fStale )
/*++
Description:
Add WWW-Authenticate Digest headers
Arguments:
pMainContext - main context
pDigestSecurityContext - Digest context containing information such as
Stale. NULL means that no stale is to be sent
Return Value:
HRESULT
--*/
{
HRESULT hr = E_FAIL;
W3_METADATA * pMetaData;
W3_CONNECTION * pW3Connection;
//
// 4096 is the max output for digest authenticaiton
//
STACK_BUFFER( bufOutputBuffer, 4096 );
STACK_STRA( strOutputHeader, MAX_PATH );
STACK_STRA( strMethod, 10 );
STACK_STRU( strUrl, MAX_PATH );
STACK_STRA( strRealm, 128 );
STACK_STRA( strUrlA, MAX_PATH );
SecBufferDesc SecBuffDescOutput;
SecBufferDesc SecBuffDescInput;
SecBuffer SecBuffTokenOut[ 1 ];
SecBuffer SecBuffTokenIn[ 5 ];
SECURITY_STATUS secStatus = SEC_E_OK;
SSPI_CREDENTIAL * pDigestCredential = NULL;
CtxtHandle hServerCtxtHandle;
ULONG ContextReqFlags = 0;
ULONG ContextAttributes = 0;
TimeStamp Lifetime;
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
DBG_ASSERT( pMetaData != NULL );
//
// Get a Security Context
//
//
// get the credential for the server
//
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME,
&pDigestCredential );
if ( FAILED( hr ) )
{
DBGPRINTF((DBG_CONTEXT,
"Error get credential handle. hr = 0x%x \n",
hr ));
return hr;
}
DBG_ASSERT( pDigestCredential != NULL );
if( !bufOutputBuffer.Resize(
pDigestCredential->QueryMaxTokenSize() ) )
{
hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
DBGPRINTF((DBG_CONTEXT,
"Error resize the output buffer. hr = 0x%x \n",
hr ));
return hr;
}
//
// clean the memory and set it to zero
//
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) );
ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) );
ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
//
// define the OUTPUT
//
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION;
SecBuffDescOutput.cBuffers = 1;
SecBuffDescOutput.pBuffers = SecBuffTokenOut;
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN;
SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize();
SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
//
// define the Input
//
SecBuffDescInput.ulVersion = SECBUFFER_VERSION;
SecBuffDescInput.cBuffers = 5;
SecBuffDescInput.pBuffers = SecBuffTokenIn;
//
// Get and Set the information for the challenge
//
//
// set the inforamtion in the buffer, this case is Null to
// authenticate user
//
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN;
SecBuffTokenIn[0].cbBuffer = 0;
SecBuffTokenIn[0].pvBuffer = NULL;
//
// Get and Set the information for the method
//
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod );
if ( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error getting the method. hr = %x\n",
hr ));
return hr;
}
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH();
SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
//
// Get and Set the infomation for the Url
//
hr = pMainContext->QueryRequest()->GetUrl( &strUrl );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error getting the URL. hr = %x\n",
hr ));
return hr;
}
hr = strUrlA.CopyW( strUrl.QueryStr() );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error copying the URL. hr = %x\n",
hr ));
return hr;
}
SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB();
SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
//
// Get and Set the information for the hentity
//
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
SecBuffTokenIn[3].pvBuffer = NULL; // this is not yet implemeted
//
//Get and Set the Realm Information
//
if( pMetaData->QueryRealm() )
{
hr = strRealm.CopyW( pMetaData->QueryRealm() );
if( FAILED( hr ) )
{
DBGPRINTF(( DBG_CONTEXT,
"Error copying the realm. hr = %x\n",
hr ));
return hr;
}
}
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS;
SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB();
SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
//
// set the flags
//
ContextReqFlags = ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONNECTION;
//
// get the security context
//
secStatus = AcceptSecurityContext(
pDigestCredential->QueryCredHandle(),
NULL,
&SecBuffDescInput,
ContextReqFlags,
SECURITY_NATIVE_DREP,
&hServerCtxtHandle,
&SecBuffDescOutput,
&ContextAttributes,
&Lifetime);
//
// a challenge has to be send back to the client
//
if ( SEC_I_CONTINUE_NEEDED == secStatus )
{
//
// Do we already have a digest security context
//
if( fStale )
{
hr = strOutputHeader.Copy( "Digest stale=TRUE ," );
}
else
{
hr = strOutputHeader.Copy( "Digest " );
}
if( FAILED( hr ) )
{
return hr;
}
hr = strOutputHeader.Append(
( CHAR * )SecBuffDescOutput.pBuffers[0].pvBuffer,
SecBuffDescOutput.pBuffers[0].cbBuffer - 1 );
if( FAILED( hr ) )
{
return hr;
}
//
// Add the header WWW-Authenticate to the response after a
// 401 server error
//
hr = pMainContext->QueryResponse()->SetHeader(
"WWW-Authenticate",
16,
strOutputHeader.QueryStr(),
strOutputHeader.QueryCCH()
);
}
else
{
hr = S_OK;
}
return hr;
}
//static
HRESULT
DIGEST_SECURITY_CONTEXT::Initialize(
VOID
)
/*++
Description:
Global DIGEST_SECURITY_CONTEXT initialization
Arguments:
None
Return Value:
HRESULT
--*/
{
ALLOC_CACHE_CONFIGURATION acConfig;
//
// Initialize allocation lookaside
//
acConfig.nConcurrency = 1;
acConfig.nThreshold = 100;
acConfig.cbSize = sizeof( DIGEST_SECURITY_CONTEXT );
DBG_ASSERT( sm_pachDIGESTSecContext == NULL );
sm_pachDIGESTSecContext = new ALLOC_CACHE_HANDLER(
"DIGEST_SECURITY_CONTEXT",
&acConfig );
if ( sm_pachDIGESTSecContext == NULL )
{
HRESULT hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
DBGPRINTF(( DBG_CONTEXT,
"Error initializing sm_pachDIGESTSecContext. hr = 0x%x\n",
hr ));
return hr;
}
return S_OK;
} // DIGEST_SECURITY_CONTEXT::Initialize
//static
VOID
DIGEST_SECURITY_CONTEXT::Terminate(
VOID
)
/*++
Routine Description:
Destroy DIGEST_SECURITY_CONTEXT globals
Arguments:
None
Return Value:
None
--*/
{
DBG_ASSERT( sm_pachDIGESTSecContext != NULL );
delete sm_pachDIGESTSecContext;
sm_pachDIGESTSecContext = NULL;
} // DIGEST_SECURITY_CONTEXT::Terminate
Reference in a new issue View git blame Copy permalink