1212 lines
34 KiB
C++
1212 lines
34 KiB
C++
/*++
|
|
|
|
Copyright (C) 1997-2001 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
CSSPI.H
|
|
|
|
Abstract:
|
|
|
|
SSPI wrapper implementation for NTLM/MSN network authentication.
|
|
|
|
History:
|
|
|
|
raymcc 15-Jul-97 Created
|
|
|
|
--*/
|
|
|
|
|
|
#include "precomp.h"
|
|
#include <tchar.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
|
|
#include <csspi.h>
|
|
|
|
// #define trace(x) printf x
|
|
#define trace(x)
|
|
|
|
|
|
static BOOL IsNt(void);
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// String helper macros
|
|
//
|
|
//***************************************************************************
|
|
|
|
#define Macro_CloneLPWSTR(x) \
|
|
(x ? _wcsdup(x) : 0)
|
|
|
|
#define Macro_CloneLPSTR(x) \
|
|
(x ? _strdup(x) : 0)
|
|
|
|
#ifdef _UNICODE
|
|
#define Macro_CloneLPTSTR(x) (x ? _wcsdup(x) : 0)
|
|
#else
|
|
#define Macro_CloneLPTSTR(x) (x ? _strdup(x) : 0)
|
|
#endif
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// BOOL IsNt
|
|
//
|
|
// DESCRIPTION:
|
|
//
|
|
// Returns true if running windows NT.
|
|
//
|
|
// RETURN VALUE:
|
|
//
|
|
// see description.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
static BOOL IsNt(void)
|
|
{
|
|
OSVERSIONINFO os;
|
|
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
|
if(!GetVersionEx(&os))
|
|
return FALSE; // should never happen
|
|
return os.dwPlatformId == VER_PLATFORM_WIN32_NT;
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI Static Data Members
|
|
//
|
|
//***************************************************************************
|
|
|
|
ULONG CSSPI::m_uNumPackages = 0;
|
|
PSecPkgInfo CSSPI::m_pEnumPkgInfo = 0;
|
|
PSecurityFunctionTable CSSPI::pVtbl = 0;
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::Initialize
|
|
//
|
|
// This must be called prior to any other operations, but may be
|
|
// called multiple times.
|
|
//
|
|
// Return value:
|
|
// TRUE on success, FALSE on failure.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
BOOL CSSPI::Initialize()
|
|
{
|
|
static HMODULE hLib = 0;
|
|
|
|
// If we have already called this function and everything
|
|
// is already ok, short-circuit.
|
|
// ======================================================
|
|
|
|
if (hLib != 0 && pVtbl != 0)
|
|
{
|
|
return TRUE;
|
|
}
|
|
|
|
if (IsNt())
|
|
{
|
|
hLib = LoadLibrary(__TEXT("SECURITY.DLL"));
|
|
}
|
|
else
|
|
{
|
|
hLib = LoadLibrary(__TEXT("SECUR32.DLL"));
|
|
}
|
|
|
|
if (hLib == 0)
|
|
{
|
|
trace(("CSSPI::Startup() Library failed to load\n"));
|
|
return FALSE;
|
|
}
|
|
|
|
#ifdef _UNICODE
|
|
INIT_SECURITY_INTERFACE_W pInitFn =
|
|
(INIT_SECURITY_INTERFACE_W)
|
|
GetProcAddress(hLib, "InitSecurityInterfaceW");
|
|
#else
|
|
INIT_SECURITY_INTERFACE_A pInitFn =
|
|
(INIT_SECURITY_INTERFACE_A)
|
|
GetProcAddress(hLib, "InitSecurityInterfaceA");
|
|
#endif
|
|
|
|
if (pInitFn == 0)
|
|
{
|
|
trace(("CSSPI::Startup() ERROR : Unable to locate function InitSecurityInterface()\n"
|
|
));
|
|
FreeLibrary(hLib);
|
|
hLib = 0;
|
|
return FALSE;
|
|
}
|
|
|
|
pVtbl = pInitFn();
|
|
|
|
if (pVtbl == 0)
|
|
{
|
|
trace(("CSSPI::Startup() ERROR : Function table not found\n"));
|
|
FreeLibrary(hLib);
|
|
hLib = 0;
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::TranslateError
|
|
//
|
|
// Translates an error code to a displayable message.
|
|
// Treat the return value as read-only (you must, since it is 'const').
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
const LPTSTR CSSPI::TranslateError(
|
|
ULONG uCode
|
|
)
|
|
{
|
|
LPTSTR p = 0;
|
|
|
|
switch (uCode)
|
|
{
|
|
case SEC_E_INSUFFICIENT_MEMORY: p = _T("SEC_E_INSUFFICIENT_MEMORY"); break;
|
|
case SEC_E_INVALID_HANDLE : p = _T("SEC_E_INVALID_HANDLE"); break;
|
|
|
|
case SEC_E_UNSUPPORTED_FUNCTION : p = _T("SEC_E_UNSUPPORTED_FUNCTION"); break;
|
|
|
|
case SEC_E_TARGET_UNKNOWN : p = _T("SEC_E_TARGET_UNKNOWN"); break;
|
|
case SEC_E_INTERNAL_ERROR : p = _T("SEC_E_INTERNAL_ERROR"); break;
|
|
case SEC_E_SECPKG_NOT_FOUND : p = _T("SEC_E_SECPKG_NOT_FOUND"); break;
|
|
case SEC_E_NOT_OWNER : p = _T("SEC_E_NOT_OWNER"); break;
|
|
case SEC_E_CANNOT_INSTALL : p = _T("SEC_E_CANNOT_INSTALL"); break;
|
|
case SEC_E_INVALID_TOKEN : p = _T("SEC_E_INVALID_TOKEN"); break;
|
|
case SEC_E_CANNOT_PACK : p = _T("SEC_E_CANNOT_PACK"); break;
|
|
case SEC_E_QOP_NOT_SUPPORTED : p = _T("SEC_E_QOP_NOT_SUPPORTED"); break;
|
|
case SEC_E_NO_IMPERSONATION : p = _T("SEC_E_NO_IMPERSONATION"); break;
|
|
case SEC_E_LOGON_DENIED : p = _T("SEC_E_LOGON_DENIED"); break;
|
|
case SEC_E_UNKNOWN_CREDENTIALS : p = _T("SEC_E_UNKNOWN_CREDENTIALS"); break;
|
|
case SEC_E_NO_CREDENTIALS : p = _T("SEC_E_NO_CREDENTIALS"); break;
|
|
case SEC_E_MESSAGE_ALTERED : p = _T("SEC_E_MESSAGE_ALTERED"); break;
|
|
case SEC_E_OUT_OF_SEQUENCE : p = _T("SEC_E_OUT_OF_SEQUENCE"); break;
|
|
case SEC_E_NO_AUTHENTICATING_AUTHORITY : p = _T("SEC_E_NO_AUTHENTICATING_AUTHORITY"); break;
|
|
case SEC_I_CONTINUE_NEEDED : p = _T("SEC_I_CONTINUE_NEEDED"); break;
|
|
case SEC_I_COMPLETE_NEEDED : p = _T("SEC_I_COMPLETE_NEEDED"); break;
|
|
case SEC_I_COMPLETE_AND_CONTINUE : p = _T("SEC_I_COMPLETE_AND_CONTINUE"); break;
|
|
case SEC_I_LOCAL_LOGON : p = _T("SEC_I_LOCAL_LOGON"); break;
|
|
case SEC_E_BAD_PKGID : p = _T("SEC_E_BAD_PKGID"); break;
|
|
case SEC_E_CONTEXT_EXPIRED : p = _T("SEC_E_CONTEXT_EXPIRED"); break;
|
|
case SEC_E_INCOMPLETE_MESSAGE : p = _T("SEC_E_INCOMPLETE_MESSAGE"); break;
|
|
case SEC_E_INCOMPLETE_CREDENTIALS : p = _T("SEC_E_INCOMPLETE_CREDENTIALS"); break;
|
|
case SEC_E_BUFFER_TOO_SMALL : p = _T("SEC_E_BUFFER_TOO_SMALL"); break;
|
|
case SEC_I_INCOMPLETE_CREDENTIALS : p = _T("SEC_I_INCOMPLETE_CREDENTIALS"); break;
|
|
case SEC_I_RENEGOTIATE : p = _T("SEC_I_RENEGOTIATE"); break;
|
|
|
|
default:
|
|
p = _T("<UNDEFINED ERROR CODE>");
|
|
}
|
|
|
|
return (const LPTSTR) p;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::DisplayContextAttributes
|
|
//
|
|
// Display authentication context attribute bits in readable form.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
void CSSPI::DisplayContextAttributes(
|
|
ULONG uAttrib
|
|
)
|
|
{
|
|
if (uAttrib & ISC_RET_DELEGATE)
|
|
printf("ISC_RET_DELEGATE\n");
|
|
|
|
if (uAttrib & ISC_RET_MUTUAL_AUTH)
|
|
printf("ISC_RET_MUTUAL_AUTH\n");
|
|
|
|
if (uAttrib & ISC_RET_REPLAY_DETECT)
|
|
printf("ISC_RET_REPLAY_DETECT\n");
|
|
|
|
if (uAttrib & ISC_RET_SEQUENCE_DETECT)
|
|
printf("ISC_RET_SEQUENCE_DETECT\n");
|
|
|
|
if (uAttrib & ISC_RET_CONFIDENTIALITY)
|
|
printf("ISC_RET_CONFIDENTIALITY\n");
|
|
|
|
if (uAttrib & ISC_RET_USE_SESSION_KEY)
|
|
printf("ISC_RET_USE_SESSION_KEY\n");
|
|
|
|
if (uAttrib & ISC_RET_USED_COLLECTED_CREDS)
|
|
printf("ISC_RET_USED_COLLECTED_CREDS\n");
|
|
|
|
if (uAttrib & ISC_RET_USED_SUPPLIED_CREDS)
|
|
printf("ISC_RET_USED_SUPPLIED_CREDS\n");
|
|
|
|
if (uAttrib & ISC_RET_ALLOCATED_MEMORY)
|
|
printf("ISC_RET_ALLOCATED_MEMORY\n");
|
|
|
|
if (uAttrib & ISC_RET_USED_DCE_STYLE)
|
|
printf("ISC_RET_USED_DCE_STYLE\n");
|
|
|
|
if (uAttrib & ISC_RET_DATAGRAM)
|
|
printf("ISC_RET_DATAGRAM\n");
|
|
|
|
if (uAttrib & ISC_RET_CONNECTION)
|
|
printf("ISC_RET_CONNECTION\n");
|
|
|
|
if (uAttrib & ISC_RET_INTERMEDIATE_RETURN)
|
|
printf("ISC_RET_INTERMEDIATE_RETURN\n");
|
|
|
|
if (uAttrib & ISC_RET_CALL_LEVEL)
|
|
printf("ISC_RET_CALL_LEVEL\n");
|
|
|
|
if (uAttrib & ISC_RET_EXTENDED_ERROR)
|
|
printf("ISC_RET_EXTENDED_ERROR\n");
|
|
|
|
if (uAttrib & ISC_RET_STREAM)
|
|
printf("ISC_RET_STREAM\n");
|
|
|
|
if (uAttrib & ISC_RET_INTEGRITY)
|
|
printf("ISC_RET_INTEGRITY\n");
|
|
}
|
|
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::DisplayPkgInfo
|
|
//
|
|
// Dumps package information to console.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
void CSSPI::DisplayPkgInfo(PSecPkgInfo pPkg)
|
|
{
|
|
printf("---------------------------------------------\n");
|
|
printf("Name = <%s>\n", pPkg->Name);
|
|
printf("Comment = <%s>\n", pPkg->Comment);
|
|
printf("Version = 0x%X\n", pPkg->wVersion);
|
|
printf("Max token = %d bytes\n", pPkg->cbMaxToken);
|
|
printf("DCE RPC Id = 0x%X\n", pPkg->wRPCID);
|
|
|
|
printf("Capabilities = \n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_INTEGRITY)
|
|
printf(" SECPKG_FLAG_INTEGRITY\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_PRIVACY)
|
|
printf(" SECPKG_FLAG_PRIVACY\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_TOKEN_ONLY)
|
|
printf(" SECPKG_FLAG_TOKEN_ONLY\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_DATAGRAM)
|
|
printf(" SECPKG_FLAG_DATAGRAM\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_CONNECTION)
|
|
printf(" SECPKG_FLAG_CONNECTION\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_MULTI_REQUIRED)
|
|
printf(" SECPKG_FLAG_MULTI_REQUIRED\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_CLIENT_ONLY)
|
|
printf(" SECPKG_FLAG_CLIENT_ONLY\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_EXTENDED_ERROR)
|
|
printf(" SECPKG_FLAG_EXTENDED_ERROR\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_IMPERSONATION)
|
|
printf(" SECPKG_FLAG_IMPERSONATION\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_ACCEPT_WIN32_NAME)
|
|
printf(" SECPKG_FLAG_ACCEPT_WIN32_NAME\n");
|
|
|
|
if (pPkg->fCapabilities & SECPKG_FLAG_STREAM)
|
|
printf(" SECPKG_FLAG_STREAM\n");
|
|
|
|
printf("---------------------------------------------\n");
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::GetNumPkgs
|
|
//
|
|
// Gets the number of SSPI packages available on the current machine.
|
|
//
|
|
// Returns 0 if none available.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
ULONG CSSPI::GetNumPkgs()
|
|
{
|
|
// Short-circuit to see if this function has been called before.
|
|
// It is not possible for new SSPI packages to appear between
|
|
// reboots, so we cache all info.
|
|
// =============================================================
|
|
|
|
if (m_uNumPackages != 0 && m_pEnumPkgInfo)
|
|
return m_uNumPackages;
|
|
|
|
// Enumerate security packages.
|
|
// ============================
|
|
|
|
SECURITY_STATUS SecStatus =
|
|
pVtbl->EnumerateSecurityPackages(&m_uNumPackages, &m_pEnumPkgInfo);
|
|
|
|
if (SecStatus)
|
|
{
|
|
trace(("EnumerateSecurityPackages() failed. Error = %s\n", TranslateError(SecStatus)
|
|
));
|
|
return 0;
|
|
}
|
|
|
|
return m_uNumPackages;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::GetPkgInfo
|
|
//
|
|
// Retrieves a single read-only PSecPkgInfo pointer, describing the
|
|
// requested package. This is to be used in conjunction with GetNumPkgs()
|
|
// in order to iterate through the SSPI package list.
|
|
//
|
|
// Returns NULL on error or a read-only PSecPkgInfo pointer.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
const PSecPkgInfo CSSPI::GetPkgInfo(ULONG ulPkgNum)
|
|
{
|
|
if (ulPkgNum >= m_uNumPackages)
|
|
return 0;
|
|
|
|
if (m_pEnumPkgInfo == 0)
|
|
return 0;
|
|
|
|
return &m_pEnumPkgInfo[ulPkgNum];
|
|
}
|
|
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::DumpSecurityPackages
|
|
//
|
|
// Dumps all available security packages to the console.
|
|
//
|
|
//***************************************************************************
|
|
// ok
|
|
|
|
BOOL CSSPI::DumpSecurityPackages()
|
|
{
|
|
// Enumerate security packages.
|
|
// ============================
|
|
|
|
unsigned long lNum = 0;
|
|
PSecPkgInfo pPkgInfo;
|
|
|
|
lNum = GetNumPkgs();
|
|
if (lNum == 0)
|
|
return FALSE;
|
|
|
|
trace(("SSPI Supports %d security packages\n", lNum));
|
|
|
|
for (unsigned long i = 0; i < lNum; i++)
|
|
{
|
|
pPkgInfo = GetPkgInfo(i);
|
|
|
|
if (pPkgInfo)
|
|
DisplayPkgInfo(pPkgInfo);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::ServerSupport
|
|
//
|
|
// Determines whether the a server-side package can be expected to work.
|
|
//
|
|
// Parameters:
|
|
// <pszPkgName> The authentication package. Usually "NTLM"
|
|
//
|
|
// Return value:
|
|
// TRUE if the package will support a server-side authentication, FALSE
|
|
// if not supported.
|
|
//
|
|
//***************************************************************************
|
|
BOOL CSSPI::ServerSupport(LPTSTR pszPkgName)
|
|
{
|
|
if (pszPkgName == 0 || lstrlen(pszPkgName) == 0)
|
|
return FALSE;
|
|
|
|
if (Initialize() == FALSE)
|
|
return FALSE;
|
|
|
|
CSSPIServer Server(pszPkgName);
|
|
|
|
if (Server.GetStatus() != CSSPIServer::Waiting)
|
|
return FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPI::ClientSupport
|
|
//
|
|
// Determines whether the a client-side package can be expected to work.
|
|
//
|
|
// Parameters:
|
|
// <pszPkgName> The authentication package. Usually "NTLM"
|
|
//
|
|
// Return value:
|
|
// TRUE if the package will support a client-side authentication, FALSE
|
|
// if not supported.
|
|
//
|
|
//***************************************************************************
|
|
|
|
BOOL CSSPI::ClientSupport(LPTSTR pszPkgName)
|
|
{
|
|
if (pszPkgName == 0 || lstrlen(pszPkgName) == 0)
|
|
return FALSE;
|
|
|
|
if (Initialize() == FALSE)
|
|
return FALSE;
|
|
|
|
CSSPIClient Client(pszPkgName);
|
|
|
|
if (Client.GetStatus() != CSSPIClient::Waiting)
|
|
return FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIClient constructor
|
|
//
|
|
// Parameters:
|
|
// <pszPkgName> A valid SSPI package. Usually "NTLM".
|
|
//
|
|
// After construction has completed, GetStatus() should return
|
|
// CSSPIClient::Waiting. CSSPIClient::InvalidPackage indicates that
|
|
// the object will not function.
|
|
//
|
|
//***************************************************************************
|
|
|
|
CSSPIClient::CSSPIClient(LPTSTR pszPkgName)
|
|
{
|
|
// Initialize variables.
|
|
// =====================
|
|
|
|
m_dwStatus = InvalidPackage;
|
|
memset(&m_ClientCredential, 0, sizeof(CredHandle));
|
|
|
|
m_pPkgInfo = 0;
|
|
m_pszPkgName = 0;
|
|
m_cbMaxToken = 0;
|
|
m_bValidCredHandle = FALSE;
|
|
|
|
memset(&m_ClientContext, 0, sizeof(CtxtHandle));
|
|
m_bValidContextHandle = FALSE;
|
|
|
|
// Copy package name.
|
|
// ===================
|
|
|
|
m_pszPkgName = Macro_CloneLPTSTR(pszPkgName);
|
|
|
|
if (!m_pszPkgName)
|
|
{
|
|
trace(("CSSPIClient failed to construct (out of memory).\n"));
|
|
m_dwStatus = InvalidPackage;
|
|
return;
|
|
}
|
|
|
|
// Init the requested package.
|
|
// ===========================
|
|
|
|
SECURITY_STATUS SecStatus = 0;
|
|
|
|
SecStatus = CSSPI::pVtbl->QuerySecurityPackageInfo(pszPkgName, &m_pPkgInfo);
|
|
|
|
if (SecStatus != 0)
|
|
{
|
|
trace(("CSSPIClient fails to construct. Error = %s\n",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
m_dwStatus = InvalidPackage;
|
|
return;
|
|
}
|
|
|
|
// If here, things are ok. We are waiting
|
|
// for client to set login information.
|
|
// ========================================
|
|
|
|
m_cbMaxToken = m_pPkgInfo->cbMaxToken;
|
|
m_dwStatus = Waiting;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIClient
|
|
//
|
|
// Destructor
|
|
//
|
|
//***************************************************************************
|
|
|
|
CSSPIClient::~CSSPIClient()
|
|
{
|
|
if (m_pPkgInfo)
|
|
CSSPI::pVtbl->FreeContextBuffer(m_pPkgInfo);
|
|
|
|
if (m_pszPkgName)
|
|
delete [] m_pszPkgName;
|
|
|
|
if (m_bValidCredHandle)
|
|
CSSPI::pVtbl->FreeCredentialHandle(&m_ClientCredential);
|
|
|
|
if (m_bValidContextHandle)
|
|
CSSPI::pVtbl->DeleteSecurityContext(&m_ClientContext);
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIClient::SetLoginInfo
|
|
//
|
|
// Sets login info prior to beginning a login session.
|
|
// pszUser, pszDomain, pszPassword must be either all NULL or all not
|
|
// NULL. If NULLs are used, the current user's security context
|
|
// is propagated.
|
|
//
|
|
// This must be the first call after constructing the CSSPIClient.
|
|
// If this returns NoError, then ContinueLogin must be called next
|
|
// before communicating with the server process.
|
|
//
|
|
// Parameters:
|
|
// <pszUser> The user name
|
|
// <pszDomain> The NTLM domain
|
|
// <pszPassword> The cleartext password
|
|
// <dwLoginFlags> Reserved
|
|
//
|
|
// Return value:
|
|
// <NoError> if the caller can immediately proceed to ContinueLogin().
|
|
// <InvalidParameter> if one or more parameters were not valid.
|
|
// <InvalidPackage> if the SSPI package is not operational
|
|
//
|
|
// <InvalidUser> if the user/domain/password parameters are
|
|
// of the wrong format.
|
|
//
|
|
// After successful completion, <NoError> is returned and
|
|
// GetStatus() will return CSSPIClient::LoginContinue.
|
|
//
|
|
//***************************************************************************
|
|
|
|
DWORD CSSPIClient::SetLoginInfo(
|
|
IN LPTSTR pszUser,
|
|
IN LPTSTR pszDomain,
|
|
IN LPTSTR pszPassword,
|
|
IN DWORD dwLoginFlags
|
|
)
|
|
{
|
|
if (m_dwStatus != Waiting)
|
|
return m_dwStatus = InvalidPackage;
|
|
|
|
// If the user specifies any of one {user,password,domain}, they
|
|
// all must be specified.
|
|
// =============================================================
|
|
|
|
if (pszUser || pszDomain || pszPassword)
|
|
{
|
|
if (!pszUser || !pszDomain || !pszPassword)
|
|
return InvalidParameter;
|
|
}
|
|
|
|
// Acquire a credentials handle for subsequent calls.
|
|
// ==================================================
|
|
|
|
SEC_WINNT_AUTH_IDENTITY AdditionalCredentials;
|
|
BOOL bSupplyCredentials = FALSE;
|
|
TimeStamp Expiration;
|
|
|
|
AdditionalCredentials.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
|
|
|
|
// Due to the parameter validation, we know that if
|
|
// a user was specified, the other parameters have been, too.
|
|
// ==========================================================
|
|
|
|
if (pszUser != 0)
|
|
{
|
|
bSupplyCredentials = TRUE;
|
|
AdditionalCredentials.User = pszUser;
|
|
AdditionalCredentials.UserLength = lstrlen(pszUser);
|
|
AdditionalCredentials.Password = pszPassword;
|
|
AdditionalCredentials.PasswordLength = lstrlen(pszPassword);
|
|
AdditionalCredentials.Domain = pszDomain;
|
|
AdditionalCredentials.DomainLength = lstrlen(pszDomain);
|
|
}
|
|
|
|
// Get client credentials handle.
|
|
// ==============================
|
|
|
|
SECURITY_STATUS SecStatus = CSSPI::pVtbl->AcquireCredentialsHandle(
|
|
NULL,
|
|
m_pszPkgName,
|
|
SECPKG_CRED_OUTBOUND,
|
|
NULL,
|
|
bSupplyCredentials ? &AdditionalCredentials : 0,
|
|
NULL,
|
|
NULL,
|
|
&m_ClientCredential,
|
|
&Expiration
|
|
);
|
|
|
|
|
|
if (SecStatus)
|
|
{
|
|
trace(("AcquireCredentialsHandle() failed. Error=%s\n",
|
|
CSSPI::TranslateError(SecStatus) ));
|
|
return m_dwStatus = InvalidUser;
|
|
}
|
|
|
|
m_bValidCredHandle = TRUE;
|
|
|
|
// Signal to caller that login must continue.
|
|
// ==========================================
|
|
|
|
m_dwStatus = LoginContinue;
|
|
return NoError;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIClient::SetDefaultLogin
|
|
//
|
|
// Convenience method to login using 'current' credentials.
|
|
//
|
|
// Return values same as for SetLoginInfo().
|
|
//
|
|
//***************************************************************************
|
|
|
|
DWORD CSSPIClient::SetDefaultLogin(DWORD dwFlags)
|
|
{
|
|
return SetLoginInfo(0, 0, 0, dwFlags);
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIClient::ContinueLogin
|
|
//
|
|
// Called immediately after SetDefaultLogin() or SetLoginInfo() or
|
|
// after prior calls to ContinueLogin after receiving binary tokens
|
|
// from the server-side of the conversation.
|
|
//
|
|
// This is used for both to prepare the logon request and the
|
|
// response to the challenge from the server.
|
|
//
|
|
// Parameters:
|
|
// <pInToken> A token received from the server. If no
|
|
// token has been received yet, then use NULL.
|
|
// This is treated as read-only.
|
|
//
|
|
// <dwInTokenSize> The number of bytes in the token pointed
|
|
// to by <dwInTokenSize>, or 0 if the above
|
|
// token is NULL.
|
|
//
|
|
// <pToken> Receives a pointer to a memory buffer
|
|
// containing the token to transfer to the
|
|
// server. Deallocate with operator delete.
|
|
//
|
|
// <pdwTokenSize> Points to a DWORD to receive the size
|
|
// of the above token.
|
|
//
|
|
// Return value:
|
|
// <NoError> Returned when no more calls to ContinueLogin
|
|
// are completed. <pToken> and <pdwTokenSize>
|
|
// are still returned in this case.
|
|
// This completes the 'response' portion
|
|
// in the challenge-response sequence. The server
|
|
// will return an 'access denied' status through
|
|
// private means. Note that <NoError> does not
|
|
// imply successful logon or that 'access denied' will
|
|
// not occur. It merely completes the response
|
|
// to the 'challenge'.
|
|
//
|
|
// After the login request phase (the first call to
|
|
// this function) GetStatus() should return
|
|
// CSSPIClient::LoginContinue, to indicate that
|
|
// another call to this function will be required.
|
|
// If GetStatus() CSSPIClient::LoginComplete is
|
|
// returned, no more SSPI operations will occur.
|
|
// Final success or denial by the server will
|
|
// be privately indicated by the server.
|
|
//
|
|
// <Failed> Internal error. No out-parms are returned in this
|
|
// case.
|
|
//
|
|
//***************************************************************************
|
|
|
|
|
|
DWORD CSSPIClient::ContinueLogin(
|
|
IN LPBYTE pInToken,
|
|
IN DWORD dwInTokenSize,
|
|
OUT LPBYTE *pToken,
|
|
OUT DWORD *pdwTokenSize
|
|
)
|
|
{
|
|
// If here, we are ready to build up a token.
|
|
// ==========================================
|
|
|
|
SecBufferDesc OutputBufferDescriptor;
|
|
SecBuffer OutputSecurityToken;
|
|
ULONG uContextRequirements = 0;
|
|
ULONG uContextAttributes;
|
|
TimeStamp Expiration;
|
|
|
|
// Set up the output buffers and out params by
|
|
// default. On errors, we simply null the out params.
|
|
// ===================================================
|
|
|
|
OutputBufferDescriptor.cBuffers = 1;
|
|
OutputBufferDescriptor.pBuffers = &OutputSecurityToken;
|
|
OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
|
|
|
|
LPBYTE pTokenBuf = new BYTE[m_cbMaxToken];
|
|
|
|
OutputSecurityToken.BufferType = SECBUFFER_TOKEN;
|
|
OutputSecurityToken.cbBuffer = m_cbMaxToken;
|
|
OutputSecurityToken.pvBuffer = pTokenBuf;
|
|
|
|
// Build up the input buffer, if required.
|
|
// =======================================
|
|
|
|
SecBufferDesc InputBufferDescriptor;
|
|
SecBuffer InputSecurityToken;
|
|
|
|
if (pInToken)
|
|
{
|
|
InputBufferDescriptor.cBuffers = 1;
|
|
InputBufferDescriptor.pBuffers = &InputSecurityToken;
|
|
InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
|
|
|
|
InputSecurityToken.BufferType = SECBUFFER_TOKEN;
|
|
InputSecurityToken.cbBuffer = dwInTokenSize;
|
|
InputSecurityToken.pvBuffer = pInToken;
|
|
}
|
|
|
|
PSecBufferDesc pInBuf = pInToken ? &InputBufferDescriptor : 0;
|
|
|
|
// Determine if this is first-time or continued call.
|
|
// ==================================================
|
|
|
|
PCtxtHandle pTmp = m_bValidContextHandle ? &m_ClientContext : 0;
|
|
|
|
SECURITY_STATUS SecStatus =
|
|
CSSPI::pVtbl->InitializeSecurityContext(
|
|
&m_ClientCredential,
|
|
pTmp, // Context handle pointer(
|
|
NULL, // Target name (server)
|
|
|
|
uContextRequirements, // Requirements
|
|
0, // Reserved
|
|
SECURITY_NATIVE_DREP, // Target data representation
|
|
|
|
pInBuf, // Input buffer for continued calls
|
|
0, // Reserved
|
|
&m_ClientContext, // Receives client context handle
|
|
&OutputBufferDescriptor,
|
|
&uContextAttributes,
|
|
&Expiration
|
|
);
|
|
|
|
|
|
// Determine the next step.
|
|
// ========================
|
|
|
|
if (SecStatus == SEC_E_OK)
|
|
{
|
|
*pToken = pTokenBuf;
|
|
*pdwTokenSize = OutputSecurityToken.cbBuffer;
|
|
m_dwStatus = LoginCompleted;
|
|
return NoError;
|
|
}
|
|
|
|
if (SecStatus == SEC_I_CONTINUE_NEEDED)
|
|
{
|
|
// Set up the output parameters.
|
|
// =============================
|
|
*pToken = pTokenBuf;
|
|
*pdwTokenSize = OutputSecurityToken.cbBuffer;
|
|
m_bValidContextHandle = TRUE;
|
|
m_dwStatus = LoginContinue;
|
|
return NoError;
|
|
}
|
|
|
|
// If here, an error occurred.
|
|
// ===========================
|
|
|
|
trace(("CSSPIClient::ContinueLogin failed. Status code = %s",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
|
|
CSSPI::pVtbl->DeleteSecurityContext(pTmp);
|
|
|
|
// Deallocate useless return buffer and NULL the out-parameters.
|
|
// =============================================================
|
|
|
|
delete [] pTokenBuf;
|
|
*pToken = 0;
|
|
*pdwTokenSize = 0;
|
|
|
|
m_dwStatus = Failed;
|
|
return Failed;
|
|
}
|
|
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIServer constructor
|
|
//
|
|
// Parameters:
|
|
// <pszPkgName> The SSPI package to use, usually "NTLM".
|
|
//
|
|
// After construction, CSSPIServer::GetStatus() should return
|
|
// CSSPIServer::Waiting. Any other value indicates that the object
|
|
// is invalid and cannot be used.
|
|
//
|
|
//***************************************************************************
|
|
|
|
CSSPIServer::CSSPIServer(LPTSTR pszPkgName)
|
|
{
|
|
m_dwStatus = 0;
|
|
m_cbMaxToken = 0;
|
|
m_pPkgInfo = 0;
|
|
|
|
m_bValidCredHandle = FALSE;
|
|
m_bValidContextHandle = FALSE;
|
|
|
|
memset(&m_ServerCredential, 0, sizeof(CredHandle));
|
|
memset(&m_ServerContext, 0, sizeof(CtxtHandle));
|
|
|
|
m_pszPkgName = Macro_CloneLPTSTR(pszPkgName);
|
|
|
|
if (!m_pszPkgName)
|
|
{
|
|
trace(("CSSPIServer failed to construct (out of memory).\n"));
|
|
m_dwStatus = InvalidPackage;
|
|
return;
|
|
}
|
|
|
|
// Init the requested package.
|
|
// ===========================
|
|
|
|
SECURITY_STATUS SecStatus = 0;
|
|
|
|
SecStatus = CSSPI::pVtbl->QuerySecurityPackageInfo(pszPkgName, &m_pPkgInfo);
|
|
|
|
if (SecStatus != 0)
|
|
{
|
|
trace(("CSSPIServer failed to construct. Error = %s\n",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
m_dwStatus = InvalidPackage;
|
|
return;
|
|
}
|
|
|
|
m_cbMaxToken = m_pPkgInfo->cbMaxToken;
|
|
|
|
// Now acquire a default credentials handle for this machine.
|
|
// ==========================================================
|
|
|
|
TimeStamp Expiration;
|
|
|
|
SecStatus = CSSPI::pVtbl->AcquireCredentialsHandle(
|
|
NULL, // No principal
|
|
m_pszPkgName, // Authentication package to use
|
|
SECPKG_CRED_INBOUND, // We are a 'server'
|
|
NULL, // No logon identifier
|
|
NULL, // No pkg specific data
|
|
NULL, // No GetKey function
|
|
NULL, // No GetKey function arg
|
|
&m_ServerCredential, // Server credential
|
|
&Expiration // Expiration timestamp
|
|
);
|
|
|
|
if (SecStatus != 0)
|
|
{
|
|
trace(("CSSPIServer failed in AcquireCredentialsHandle(). Error = %s\n",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
|
|
m_dwStatus = Failed;
|
|
return;
|
|
}
|
|
|
|
m_bValidCredHandle = TRUE;
|
|
m_dwStatus = Waiting;
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIServer destructor
|
|
//
|
|
//***************************************************************************
|
|
|
|
CSSPIServer::~CSSPIServer()
|
|
{
|
|
if (m_pPkgInfo)
|
|
CSSPI::pVtbl->FreeContextBuffer(m_pPkgInfo);
|
|
|
|
delete [] m_pszPkgName;
|
|
|
|
if (m_bValidCredHandle)
|
|
CSSPI::pVtbl->FreeCredentialHandle(&m_ServerCredential);
|
|
|
|
if (m_bValidContextHandle)
|
|
CSSPI::pVtbl->DeleteSecurityContext(&m_ServerContext);
|
|
}
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIServer::ContinueClientLogin
|
|
//
|
|
// Used to
|
|
//
|
|
// (1) Receive the client's logon request, and compute the challenge as
|
|
// the out-parameter <pToken>
|
|
//
|
|
// (2) Verify the response to the challenge.
|
|
//
|
|
// Parameters:
|
|
// <pInToken> A read-only pointer to the response (on the second call).
|
|
// NULL on the initial call.
|
|
//
|
|
// <dwInTokenSize> The number of bytes pointed to by the above pointers.
|
|
//
|
|
// <pToken> On the first call, receives a pointer to the
|
|
// challenge to send to the client.
|
|
//
|
|
// <pdwTokenSize> The size of the above challenge.
|
|
//
|
|
// Return values:
|
|
//
|
|
// <LoginContinue> Sent back on the first call to indicate that a
|
|
// challenge has been computed and returned to the
|
|
// client in <pToken>.
|
|
//
|
|
// <Failed> No out-params assigned. Indicates internal failure.
|
|
//
|
|
// <NoError> Only possible on the second call. Indicates the
|
|
// client was authenticated.
|
|
//
|
|
// <AccessDenied> Returned on the second call if the user was denied
|
|
// logon.
|
|
//
|
|
//***************************************************************************
|
|
|
|
|
|
DWORD CSSPIServer::ContinueClientLogin(
|
|
IN LPBYTE pInToken,
|
|
IN DWORD dwInTokenSize,
|
|
OUT LPBYTE *pToken,
|
|
OUT DWORD *pdwTokenSize
|
|
)
|
|
{
|
|
TimeStamp Expiration;
|
|
SecBufferDesc InputBufferDescriptor;
|
|
SecBuffer InputSecurityToken;
|
|
SecBufferDesc OutputBufferDescriptor;
|
|
SecBuffer OutputSecurityToken;
|
|
ULONG uContextRequirements = 0;
|
|
ULONG uContextAttributes;
|
|
|
|
// Build up the input buffer.
|
|
// ==========================
|
|
|
|
InputBufferDescriptor.cBuffers = 1;
|
|
InputBufferDescriptor.pBuffers = &InputSecurityToken;
|
|
InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
|
|
|
|
InputSecurityToken.BufferType = SECBUFFER_TOKEN;
|
|
InputSecurityToken.cbBuffer = dwInTokenSize;
|
|
InputSecurityToken.pvBuffer = pInToken;
|
|
|
|
// Build the output buffer descriptor.
|
|
// ===================================
|
|
|
|
OutputBufferDescriptor.cBuffers = 1;
|
|
OutputBufferDescriptor.pBuffers = &OutputSecurityToken;
|
|
OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
|
|
|
|
LPBYTE pOutBuf = new BYTE[m_cbMaxToken];
|
|
|
|
OutputSecurityToken.BufferType = SECBUFFER_TOKEN;
|
|
OutputSecurityToken.cbBuffer = m_cbMaxToken;
|
|
OutputSecurityToken.pvBuffer = pOutBuf;
|
|
|
|
|
|
// Set up partial or final context handle.
|
|
// =======================================
|
|
|
|
PCtxtHandle pTmp = m_bValidContextHandle ? &m_ServerContext : 0;
|
|
|
|
// Process the client's initial token and see what happens.
|
|
// ========================================================
|
|
|
|
SECURITY_STATUS SecStatus = 0;
|
|
|
|
SecStatus = CSSPI::pVtbl->AcceptSecurityContext(
|
|
&m_ServerCredential,
|
|
pTmp, // No context handle yet
|
|
&InputBufferDescriptor,
|
|
uContextRequirements, // No context requirements
|
|
SECURITY_NATIVE_DREP,
|
|
&m_ServerContext,
|
|
&OutputBufferDescriptor,
|
|
&uContextAttributes,
|
|
&Expiration
|
|
);
|
|
|
|
*pToken = pOutBuf;
|
|
*pdwTokenSize = OutputSecurityToken.cbBuffer;
|
|
|
|
if (SecStatus == SEC_I_CONTINUE_NEEDED)
|
|
{
|
|
m_dwStatus = LoginContinue;
|
|
m_bValidContextHandle = TRUE;
|
|
return LoginContinue;
|
|
}
|
|
|
|
if (SecStatus == SEC_E_OK)
|
|
{
|
|
m_bValidContextHandle = TRUE;
|
|
delete [] pOutBuf;
|
|
*pToken = 0;
|
|
*pdwTokenSize = 0;
|
|
m_dwStatus = LoginCompleted;
|
|
return NoError;
|
|
}
|
|
|
|
// If here, an error occurred.
|
|
// ===========================
|
|
|
|
trace(("CSSPIClient::ContinueLogin failed. Status code = %s",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
|
|
*pToken = 0;
|
|
*pdwTokenSize = 0;
|
|
delete [] pOutBuf;
|
|
|
|
if (SecStatus == SEC_E_LOGON_DENIED)
|
|
{
|
|
m_dwStatus = AccessDenied;
|
|
return AccessDenied;
|
|
}
|
|
|
|
return Failed;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIServer::QueryUserInfo
|
|
//
|
|
// Gets information about a client after authentication.
|
|
//
|
|
// Parameters:
|
|
// <pszUser> Receives a pointer to the user name if TRUE is
|
|
// returned. Use operator delete to deallocate.
|
|
//
|
|
// Return value:
|
|
// TRUE if the user name was returned, FALSE if not.
|
|
//
|
|
//***************************************************************************
|
|
|
|
BOOL CSSPIServer::QueryUserInfo(
|
|
OUT LPTSTR *pszUser // Use operator delete
|
|
)
|
|
{
|
|
SecPkgContext_Names Names;
|
|
memset(&Names, 0, sizeof(SecPkgContext_Names));
|
|
*pszUser = 0;
|
|
|
|
SECURITY_STATUS SecStatus = CSSPI::pVtbl->QueryContextAttributes(
|
|
&m_ServerContext,
|
|
SECPKG_ATTR_NAMES,
|
|
&Names
|
|
);
|
|
|
|
if (SecStatus != 0)
|
|
{
|
|
trace(("QueryContextAttributes() for Name fails with %s ",
|
|
CSSPI::TranslateError(SecStatus)
|
|
));
|
|
return FALSE;
|
|
}
|
|
|
|
if (pszUser)
|
|
*pszUser = Macro_CloneLPTSTR(Names.sUserName);
|
|
|
|
CSSPI::pVtbl->FreeContextBuffer(LPVOID(Names.sUserName));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//***************************************************************************
|
|
//
|
|
// CSSPIServer::IssueLoginToken
|
|
//
|
|
// Issues a login token for the client to use in subsequent access.
|
|
// This will only succeed if the client successfully computed the
|
|
// reponse to the challenge and <NoError> was returned from
|
|
// ContinueClientLogin.
|
|
//
|
|
// Parameters:
|
|
// <ClsId> Receives the CLSID which becomes the WBEM access token.
|
|
//
|
|
// Return value:
|
|
// NoError, Failed
|
|
//
|
|
//***************************************************************************
|
|
|
|
DWORD CSSPIServer::IssueLoginToken(
|
|
OUT CLSID &ClsId
|
|
)
|
|
{
|
|
if (m_dwStatus == LoginCompleted)
|
|
{
|
|
if (SUCCEEDED(CoCreateGuid(&ClsId)))
|
|
return NoError;
|
|
else
|
|
return Failed;
|
|
}
|
|
|
|
memset(&ClsId, 0, sizeof(CLSID));
|
|
return Failed;
|
|
}
|
|
|