archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/inetcore/wininet/dll/cliauth.cxx

467 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1995 Microsoft Corporation
  5. Module Name:
  7. cliauth.cxx
  9. Abstract:
  11. Contains Schannel/SSPI specific code for handling Client Authenication
  12. multiplexed between several asynchronous requests using fibers
  14. Contents:
  15. CliAuthRefreshCredential
  16. CliAuthSelectCredential
  18. Author:
  20. Arthur L Bierer (arthurbi) 13-Jun-1996
  22. Environment:
  24. Win32 user-mode DLL
  26. Revision History:
  28. 13-Jun-1996 arthurbi
  29. Created, based on orginal code from a-petesk.
  31. --*/
  33. #include <wininetp.h>
  36. extern "C" {
  38. #include <nt.h>
  39. #include <ntrtl.h>
  40. #include <nturtl.h>
  41. #include <ntsecapi.h>
  43. }
  46. CERT_CONTEXT_ARRAY::CERT_CONTEXT_ARRAY()
  47. {
  48. _error = ERROR_SUCCESS;
  49. _iSelected = -1;
  50. _ppCertContexts = (PCCERT_CONTEXT *)
  51. ALLOCATE_MEMORY(LMEM_FIXED,
  52. sizeof(PCERT_CONTEXT)* CERT_CONTEXT_ARRAY_ALLOC_UNIT);
  54. if ( _ppCertContexts == NULL ) {
  55. _error = GetLastError();
  56. }
  58. _cAlloced = CERT_CONTEXT_ARRAY_ALLOC_UNIT;
  59. _cCertContexts = 0;
  61. ClearCreds(_hCreds);
  62. InitializeCriticalSection(&_cs);
  63. }
  65. void CERT_CONTEXT_ARRAY::Reset(void)
  66. {
  67. if ( _ppCertContexts )
  68. {
  69. for ( DWORD i = 0; i < _cCertContexts; i++ )
  70. {
  71. INET_ASSERT(_ppCertContexts[i]);
  72. CertFreeCertificateContext(_ppCertContexts[i]);
  73. }
  74. }
  75. _cCertContexts = 0;
  77. // It is important that this Free is guarded by a try except.
  78. // These objects get freed up at dll unload time and there is a circular
  79. // dependency between winient and schannel which can cause schannel to
  80. // get unloaded. If that is the case we could fault here.
  81. if (!IsCredClear(_hCreds))
  82. {
  83. __try
  84. {
  85. g_FreeCredentialsHandle(&_hCreds);
  86. }
  87. __except ( EXCEPTION_EXECUTE_HANDLER )
  88. {
  89. // do nothing.
  90. }
  91. }
  92. }
  95. CERT_CONTEXT_ARRAY::~CERT_CONTEXT_ARRAY()
  96. {
  97. Reset();
  99. FREE_MEMORY(_ppCertContexts);
  100. DeleteCriticalSection(&_cs);
  101. }
  103. DWORD
  104. CliAuthSelectCredential(
  105. IN PCtxtHandle phContext,
  106. IN LPTSTR pszPackageName,
  107. IN CERT_CONTEXT_ARRAY* pCertContextArray,
  108. OUT PCredHandle phCredential)
  110. /*++
  112. Routine Description:
  114. Uses a selected Certificate Chain to produce a Credential handle.
  116. The credential handle will be used by SCHANNEL to produce a valid Client
  117. Auth session with a server.
  119. Arguments:
  121. phContext - SSPI Context Handle
  123. pszPackageName - Name of the SSPI package we're using.
  125. pSelectedCert - Cert that User wishes us to use for Client Auth with this server.
  126. (BUGBUG who should free this? )
  128. phCredential - Outgoing SSPI Credential handle that we may generate
  129. IMPORTANT: Do not free the credential handle returned by this function.
  130. These have to be cached for the lifetime of the process so the user
  131. doesn't get prompted forthe password over and over. Unfortunately there is
  132. no ref-counting mechanism on CredHandle's so callers of this function need to
  133. make sure they don't free the handle.
  135. Return Value:
  137. DWORD
  138. Success - ERROR_SUCCESS
  139. Caller should return ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED,
  140. to its caller. The appropriate Cert chain was generated,
  141. and the User needs to select it using UI.
  143. Failure -
  144. ERROR_NOT_ENOUGH_MEMORY -
  145. Out of Memory
  147. ERROR_INTERNET_SECURITY_CHANNEL_ERROR -
  148. Call Down to SSPI or WinTrust failed.
  150. ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP -
  151. Client Auth is not setup on this machine.
  153. --*/
  155. {
  157. SCHANNEL_CRED CredData = {SCHANNEL_CRED_VERSION,
  158. 0,
  159. NULL,
  160. 0,
  161. 0,
  162. NULL,
  163. 0,
  164. NULL,
  165. DEFAULT_SECURE_PROTOCOLS,
  166. 0,
  167. 0,
  168. 0,
  169. SCH_CRED_MANUAL_CRED_VALIDATION |
  170. SCH_CRED_NO_DEFAULT_CREDS
  171. };
  172. SECURITY_STATUS scRet;
  175. DWORD i;
  176. PCERT_BLOB pBlob;
  177. DWORD index;
  178. DWORD error;
  179. PCCERT_CONTEXT pCert;
  180. CredHandle hCreds;
  182. DEBUG_ENTER((DBG_SOCKETS,
  183. Dword,
  184. "CliAuthSelectCredential",
  185. "%#x, %s, %x, %x",
  186. phContext,
  187. pszPackageName,
  188. pCertContextArray,
  189. phCredential
  190. ));
  193. INET_ASSERT(phContext);
  194. INET_ASSERT(pCertContextArray);
  195. INET_ASSERT(pszPackageName);
  198. pCertContextArray->LockCredHandle( );
  200. if ( pCertContextArray->GetArraySize() == 0 )
  201. {
  202. error = ERROR_SUCCESS;
  203. goto quit;
  204. }
  206. // First check and see if the Cert context already has a CredHandle associated with it.
  207. hCreds = pCertContextArray->GetCredHandle( );
  209. if (!IsCredClear(hCreds))
  210. {
  211. *phCredential = hCreds;
  212. error = ERROR_SUCCESS;
  213. goto quit;
  214. }
  216. pCert = pCertContextArray->GetSelectedCertContext();
  219. //
  220. // Setup strucutres for AcquireCredentialsHandle call.
  221. //
  223. if ( pCert )
  224. {
  226. CredData.cCreds = 1;
  227. CredData.paCred = &pCert;
  228. }
  229. InternetReadRegistryDword("SecureProtocols",
  230. (LPDWORD)&CredData.grbitEnabledProtocols
  231. );
  233. scRet = g_AcquireCredentialsHandle(
  234. NULL,
  235. pszPackageName,
  236. SECPKG_CRED_OUTBOUND,
  237. NULL,
  238. &CredData,
  239. NULL,
  240. NULL,
  241. phCredential,
  242. NULL);
  244. error = MapInternetError((DWORD)scRet);
  245. if (error == ERROR_SUCCESS)
  246. {
  247. pCertContextArray->SetCredHandle(*phCredential);
  248. }
  250. quit:
  251. pCertContextArray->UnlockCredHandle();
  252. DEBUG_LEAVE(error);
  254. return error;
  255. }
  258. DWORD
  259. CliAuthAcquireCertContexts(
  260. IN PCtxtHandle phContext,
  261. IN LPTSTR pszPackageName,
  262. OUT CERT_CONTEXT_ARRAY** ppCertContextArray
  263. )
  265. /*++
  267. Routine Description:
  269. Acquires a List of valid Certificate Chains for use in Client Authentication.
  271. Gathers an issuer list from the current context, and uses CAPI stored Certificates
  272. to build a list which will be selected from by the user at a later point.
  274. Arguments:
  276. phContext - SSPI Context Handle
  278. pszPackageName - Name of the SSPI package we're using.
  280. phCredential - Outgoing SSPI Credential handle that we may generate
  282. ppCertContextArray - Outgoing List of Certifcate Contexts that can be selected
  283. among to generate a Context.
  285. Return Value:
  287. DWORD
  288. Success - ERROR_SUCCESS
  289. Caller should return ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED,
  290. to its caller. The appropriate Cert chain was generated,
  291. and the User needs to select it using UI.
  293. Failure -
  294. ERROR_NOT_ENOUGH_MEMORY -
  295. Out of Memory
  297. ERROR_INTERNET_SECURITY_CHANNEL_ERROR -
  298. Call Down to SSPI or WinTrust failed.
  300. ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP -
  301. Client Auth is not setup on this machine.
  303. --*/
  305. {
  306. DEBUG_ENTER((DBG_SOCKETS,
  307. Dword,
  308. "CliAuthAcquireCertContexts",
  309. "%#x, %s, %x",
  310. phContext,
  311. pszPackageName,
  312. ppCertContextArray
  313. ));
  315. LPINTERNET_THREAD_INFO lpThreadInfo = InternetGetThreadInfo();
  316. BOOL async;
  317. SECURITY_STATUS scRet;
  318. DWORD cCerts;
  319. CERT_CHAIN_FIND_BY_ISSUER_PARA FindByIssuerPara;
  320. SecPkgContext_IssuerListInfoEx IssuerListInfo;
  321. PCCERT_CHAIN_CONTEXT pChainContext;
  322. PCCERT_CONTEXT pCertContext;
  323. DWORD error;
  325. if (lpThreadInfo != NULL) {
  326. async = _InternetGetAsync(lpThreadInfo);
  327. _InternetSetAsync(lpThreadInfo, FALSE);
  328. }
  330. INET_ASSERT(ppCertContextArray);
  333. INET_ASSERT(*ppCertContextArray == NULL );
  334. *ppCertContextArray = NULL;
  336. IssuerListInfo.cIssuers = 0;
  337. IssuerListInfo.aIssuers = NULL;
  339. if ( phContext == NULL )
  340. {
  341. error = ERROR_INVALID_PARAMETER;
  342. goto quit;
  343. }
  345. //
  346. // Attempt to find out whether we have any issuers
  347. // from this connection that the Server might have
  348. // told us about.
  349. //
  351. scRet = g_QueryContextAttributes(phContext,
  352. SECPKG_ATTR_ISSUER_LIST_EX,
  353. &IssuerListInfo);
  355. if(FAILED(scRet))
  356. {
  357. error = MapInternetError((DWORD) scRet);
  358. goto quit;
  359. }
  361. cCerts = 0;
  363. //
  364. // Create our CertChain Array for keeping CertChains around
  365. //
  367. *ppCertContextArray = new CERT_CONTEXT_ARRAY();
  369. if ( *ppCertContextArray == NULL )
  370. {
  371. error = ERROR_NOT_ENOUGH_MEMORY;
  372. goto quit;
  373. }
  375. error = (*ppCertContextArray)->GetError();
  377. if ( error != ERROR_SUCCESS)
  378. {
  379. goto quit;
  380. }
  382. if (g_CertFindChainInStore == NULL || g_CertFreeCertificateChain == NULL)
  383. {
  384. // We don't support client-auth unless we have the new crypto dlls
  385. error = ERROR_CALL_NOT_IMPLEMENTED;
  386. goto quit;
  387. }
  389. ZeroMemory(&FindByIssuerPara, sizeof(FindByIssuerPara));
  391. FindByIssuerPara.cbSize = sizeof(FindByIssuerPara);
  392. FindByIssuerPara.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
  393. FindByIssuerPara.dwKeySpec = 0;
  394. FindByIssuerPara.cIssuer = IssuerListInfo.cIssuers;
  395. FindByIssuerPara.rgIssuer = IssuerListInfo.aIssuers;
  397. pChainContext = NULL;
  399. while (TRUE)
  400. {
  401. // Find a certificate chain.
  402. if(g_bOpenMyCertStore && g_hMyCertStore == NULL)
  403. ReopenMyCertStore();
  404. pChainContext = g_CertFindChainInStore(g_hMyCertStore,
  405. X509_ASN_ENCODING,
  406. 0,
  407. CERT_CHAIN_FIND_BY_ISSUER,
  408. &FindByIssuerPara,
  409. pChainContext);
  411. if (pChainContext == NULL)
  412. break;
  414. // Get pointer to leaf certificate context.
  415. pCertContext = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
  417. // This could only happen if there is a bug in the crypto code. But we will deal with
  418. // that and continue looking in any case.
  419. if (pCertContext == NULL)
  420. {
  421. INET_ASSERT(FALSE);
  422. continue;
  423. }
  425. BOOL AcceptCert=FALSE;
  427. // retrieve key usage field
  428. BYTE KeyUsage;
  429. BOOL BKeyUsage = CertGetIntendedKeyUsage(pCertContext->dwCertEncodingType, pCertContext->pCertInfo, &KeyUsage, sizeof(KeyUsage));
  431. // if there is no key usage field (BKeyUsage is FALSE) or key usage is set to CERT_DIGITAL_SIGNATURE_KEY_USAGE, then accept certificate
  432. // as client certificate for SSL auth
  433. if ( !BKeyUsage || (KeyUsage & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
  434. AcceptCert = TRUE;
  436. if (AcceptCert)
  437. error = (*ppCertContextArray)->AddCertContext(pCertContext);
  439. if (error != ERROR_SUCCESS)
  440. {
  441. g_CertFreeCertificateChain(pChainContext);
  442. goto quit;
  443. }
  444. }
  446. quit:
  448. if ( error != ERROR_SUCCESS &&
  449. *ppCertContextArray != NULL )
  450. {
  451. delete *ppCertContextArray;
  452. *ppCertContextArray = NULL;
  453. }
  455. if (IssuerListInfo.aIssuers != NULL)
  456. {
  457. g_FreeContextBuffer(IssuerListInfo.aIssuers);
  458. }
  460. if (lpThreadInfo != NULL) {
  461. _InternetSetAsync(lpThreadInfo, async);
  462. }
  464. DEBUG_LEAVE(error);
  466. return error;
  467. }