#include #include #include #include "auth.h" #define SSP_SPM_NT_DLL "security.dll" #define MAX_SILENT_RETRIES 3 #define OUTPUT_BUFFER_LEN 10000 #define HEADER_IDX 0 #define REALM_IDX 1 #define HOST_IDX 2 #define URL_IDX 3 #define METHOD_IDX 4 #define USER_IDX 5 #define PASS_IDX 6 #define NONCE_IDX 7 #define NC_IDX 8 #define HWND_IDX 9 #define NUM_BUFF 10 #define ISC_MODE_AUTH 0 #define ISC_MODE_PREAUTH 1 #define ISC_MODE_UI 2 struct DIGEST_PKG_DATA { LPSTR szAppCtx; LPSTR szUserCtx; }; /*----------------------------------------------------------------------------- DIGEST_CTX -----------------------------------------------------------------------------*/ // Globals PSecurityFunctionTable DIGEST_CTX::g_pFuncTbl = NULL; CredHandle DIGEST_CTX::g_hCred; /*--------------------------------------------------------------------------- DIGEST_CTX::GetFuncTbl ---------------------------------------------------------------------------*/ VOID DIGEST_CTX::GetFuncTbl() { HINSTANCE hSecLib; INIT_SECURITY_INTERFACE addrProcISI = NULL; OSVERSIONINFO VerInfo; VerInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); GetVersionEx (&VerInfo); if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) { hSecLib = LoadLibrary (SSP_SPM_NT_DLL); } addrProcISI = (INIT_SECURITY_INTERFACE) GetProcAddress(hSecLib, SECURITY_ENTRYPOINT_ANSI); g_pFuncTbl = (*addrProcISI)(); } /*--------------------------------------------------------------------------- DIGEST_CTX::GetRequestUri ---------------------------------------------------------------------------*/ LPSTR DIGEST_CTX::GetRequestUri() { LPSTR szUrl; DWORD cbUrl; URL_COMPONENTS sUrl; memset(&sUrl, 0, sizeof(sUrl)); sUrl.dwStructSize = sizeof(sUrl); sUrl.dwHostNameLength = -1; sUrl.dwUrlPathLength = -1; sUrl.dwExtraInfoLength = -1; szUrl = _pRequest->GetURL(); // Generate request-uri if (WinHttpCrackUrlA(szUrl, strlen(szUrl), 0, &sUrl)) { cbUrl = sUrl.dwUrlPathLength; szUrl = New CHAR[cbUrl+1]; if (!szUrl) { // Alloc failure. Return NULL. We will // use _pRequest->GetURL instead. return NULL; } memcpy(szUrl, sUrl.lpszUrlPath, cbUrl); szUrl[cbUrl] = '\0'; } else { // ICU failed. Return NULL which // will cause _pRequest->GetURL // to be used. return NULL; } return szUrl; } /*--------------------------------------------------------------------------- DIGEST_CTX::InitSecurityBuffers ---------------------------------------------------------------------------*/ VOID DIGEST_CTX::InitSecurityBuffers(LPSTR szOutBuf, DWORD cbOutBuf, LPDWORD pdwSecFlags, DWORD dwISCMode) { // Input Buffer. _SecBuffInDesc.cBuffers = NUM_BUFF; _SecBuffInDesc.pBuffers = _SecBuffIn; // Set Header _SecBuffIn[HEADER_IDX].pvBuffer = _szData; _SecBuffIn[HEADER_IDX].cbBuffer = _cbData; _SecBuffIn[HEADER_IDX].BufferType = SECBUFFER_TOKEN; // If credentials are supplied will be set to // ISC_REQ_USE_SUPPLIED_CREDS. // If prompting for auth dialog will be set to // ISC_REQ_PROMPT_FOR_CREDS. *pdwSecFlags = 0; // Set realm if no header, otherwise NULL. if (_SecBuffIn[HEADER_IDX].pvBuffer) { _SecBuffIn[REALM_IDX].pvBuffer = NULL; _SecBuffIn[REALM_IDX].cbBuffer = 0; } else { // We are preauthenticating using the realm _SecBuffIn[REALM_IDX].pvBuffer = _pCreds->lpszRealm; _SecBuffIn[REALM_IDX].cbBuffer = strlen(_pCreds->lpszRealm); } // Host. _SecBuffIn[HOST_IDX].pvBuffer = _pCreds->lpszHost; _SecBuffIn[HOST_IDX].cbBuffer = strlen(_pCreds->lpszHost); _SecBuffIn[HOST_IDX].BufferType = SECBUFFER_TOKEN; // Request URI. if (!_szRequestUri) { _szRequestUri = GetRequestUri(); if (_szRequestUri) _SecBuffIn[URL_IDX].pvBuffer = _szRequestUri; else _SecBuffIn[URL_IDX].pvBuffer = _pRequest->GetURL(); } _SecBuffIn[URL_IDX].cbBuffer = strlen((LPSTR) _SecBuffIn[URL_IDX].pvBuffer); _SecBuffIn[URL_IDX].BufferType = SECBUFFER_TOKEN; // HTTP method. _SecBuffIn[METHOD_IDX].cbBuffer = MapHttpMethodType(_pRequest->GetMethodType(), (LPCSTR*) &_SecBuffIn[METHOD_IDX].pvBuffer); _SecBuffIn[METHOD_IDX].BufferType = SECBUFFER_TOKEN; // User and pass might be provided from Creds entry. Use only if // we have a challenge header (we don't pre-auth using supplied creds). if (dwISCMode == ISC_MODE_AUTH && _pCreds->lpszUser && *_pCreds->lpszUser && _pCreds->lpszPass && *_pCreds->lpszPass) { // User. _SecBuffIn[USER_IDX].pvBuffer = _pCreds->lpszUser; _SecBuffIn[USER_IDX].cbBuffer = strlen(_pCreds->lpszUser); _SecBuffIn[USER_IDX].BufferType = SECBUFFER_TOKEN; // Pass. _SecBuffIn[PASS_IDX].pvBuffer = _pCreds->lpszPass; _SecBuffIn[PASS_IDX].cbBuffer = strlen(_pCreds->lpszPass); _SecBuffIn[PASS_IDX].BufferType = SECBUFFER_TOKEN; *pdwSecFlags = ISC_REQ_USE_SUPPLIED_CREDS; } else { // User. _SecBuffIn[USER_IDX].pvBuffer = NULL; _SecBuffIn[USER_IDX].cbBuffer = 0; _SecBuffIn[USER_IDX].BufferType = SECBUFFER_TOKEN; // Pass. _SecBuffIn[PASS_IDX].pvBuffer = NULL; _SecBuffIn[PASS_IDX].cbBuffer = 0; _SecBuffIn[PASS_IDX].BufferType = SECBUFFER_TOKEN; } if (dwISCMode == ISC_MODE_UI) *pdwSecFlags = ISC_REQ_PROMPT_FOR_CREDS; // Out Buffer. _SecBuffOutDesc.cBuffers = 1; _SecBuffOutDesc.pBuffers = _SecBuffOut; _SecBuffOut[0].pvBuffer = szOutBuf; _SecBuffOut[0].cbBuffer = cbOutBuf; _SecBuffOut[0].BufferType = SECBUFFER_TOKEN; } /*--------------------------------------------------------------------------- Constructor ---------------------------------------------------------------------------*/ DIGEST_CTX::DIGEST_CTX(HTTP_REQUEST_HANDLE_OBJECT *pRequest, BOOL fIsProxy, SPMData *pSPM, AUTH_CREDS* pCreds) : AUTHCTX(pSPM, pCreds) { SECURITY_STATUS ssResult; _fIsProxy = fIsProxy; _pRequest = pRequest; _szAlloc = NULL; _szData = NULL; _pvContext = NULL; _szRequestUri = NULL; _cbData = 0; _cbContext = 0; _nRetries = 0; // Zero out the security buffers and request context. memset(&_SecBuffInDesc, 0, sizeof(_SecBuffInDesc)); memset(&_SecBuffOutDesc, 0, sizeof(_SecBuffInDesc)); memset(_SecBuffIn, 0, sizeof(_SecBuffIn)); memset(_SecBuffOut, 0, sizeof(_SecBuffOut)); memset(&_hCtxt, 0, sizeof(_hCtxt)); // Is this the first time that the digest SSPI package // is being called for this process. if (!g_pFuncTbl) { // Get the global SSPI dispatch table. GetFuncTbl(); DIGEST_PKG_DATA PkgData; SEC_WINNT_AUTH_IDENTITY_EXA SecIdExA; // Logon with szAppCtx = szUserCtx = NULL. PkgData.szAppCtx = PkgData.szUserCtx = NULL; memset(&SecIdExA, 0, sizeof(SEC_WINNT_AUTH_IDENTITY_EXA)); SecIdExA.Version = sizeof(SEC_WINNT_AUTH_IDENTITY_EXA); SecIdExA.User = (unsigned char*) &PkgData; SecIdExA.UserLength = sizeof(DIGEST_PKG_DATA); // Get the global credentials handle. ssResult = (*(g_pFuncTbl->AcquireCredentialsHandleA)) (NULL, "Digest", SECPKG_CRED_OUTBOUND, NULL, &SecIdExA, NULL, 0, &g_hCred, NULL); } } /*--------------------------------------------------------------------------- DIGEST_CTX::PromptForCreds ---------------------------------------------------------------------------*/ DWORD DIGEST_CTX::PromptForCreds(HWND hWnd) { SECURITY_STATUS ssResult; // Prompt for the credentials. INET_ASSERT(_pvContext); _cbContext = OUTPUT_BUFFER_LEN; DWORD sf; InitSecurityBuffers((LPSTR) _pvContext, _cbContext, &sf, ISC_MODE_UI); _SecBuffIn[HWND_IDX].pvBuffer = &hWnd; _SecBuffIn[HWND_IDX].cbBuffer = sizeof(HWND); ssResult = (*(g_pFuncTbl->InitializeSecurityContextA))(&g_hCred, &_hCtxt, NULL, sf, 0, 0, &_SecBuffInDesc, 0, &_hCtxt, &_SecBuffOutDesc, NULL, NULL); _cbContext = _SecBuffOutDesc.pBuffers[0].cbBuffer; if (ssResult == SEC_E_NO_CREDENTIALS) return ERROR_CANCELLED; return (DWORD) ssResult; } /*--------------------------------------------------------------------------- Destructor ---------------------------------------------------------------------------*/ DIGEST_CTX::~DIGEST_CTX() { if (_szAlloc) delete _szAlloc; if (_pvContext) delete _pvContext; if (_szRequestUri) delete _szRequestUri; } /*--------------------------------------------------------------------------- PreAuthUser ---------------------------------------------------------------------------*/ DWORD DIGEST_CTX::PreAuthUser(OUT LPSTR pBuff, IN OUT LPDWORD pcbBuff) { SECURITY_STATUS ssResult = SEC_E_OK; INET_ASSERT(_pSPMData == _pCreds->pSPM); if (AuthLock()) { // If a response has been generated copy into output buffer. if (_cbContext) { memcpy(pBuff, _pvContext, _cbContext); *pcbBuff = _cbContext; } // Otherwise attempt to preauthenticate. else { // Call into the SSPI package. DWORD sf; InitSecurityBuffers(pBuff, *pcbBuff, &sf, ISC_MODE_PREAUTH); ssResult = (*(g_pFuncTbl->InitializeSecurityContext))(&g_hCred, NULL, NULL, sf, 0, 0, &_SecBuffInDesc, 0, &_hCtxt, &_SecBuffOutDesc, NULL, NULL); *pcbBuff = _SecBuffOut[0].cbBuffer; } AuthUnlock(); } return (DWORD) ssResult; } /*--------------------------------------------------------------------------- UpdateFromHeaders ---------------------------------------------------------------------------*/ DWORD DIGEST_CTX::UpdateFromHeaders(HTTP_REQUEST_HANDLE_OBJECT *pRequest, BOOL fIsProxy) { if (!AuthLock()) { return ERROR_NOT_ENOUGH_MEMORY; } DWORD dwError, cbExtra, dwAuthIdx; LPSTR szAuthHeader, szExtra, szScheme; LPSTR szRealm; DWORD cbRealm; // Get the associated header. if ((dwError = FindHdrIdxFromScheme(&dwAuthIdx)) != ERROR_SUCCESS) goto exit; // If this auth ctx does not have Creds then it has been // just been constructed in response to a 401. if (!_pCreds) { // Get any realm. dwError = GetAuthHeaderData(pRequest, fIsProxy, "Realm", &szRealm, &cbRealm, ALLOCATE_BUFFER, dwAuthIdx); _pCreds = CreateCreds(pRequest, fIsProxy, _pSPMData, szRealm); if (pRequest->_pszRealm) { FREE_MEMORY(pRequest->_pszRealm); } pRequest->_pszRealm = szRealm; szRealm = NULL; if (_pCreds) { INET_ASSERT(_pCreds->pSPM == _pSPMData); } else { dwError = ERROR_WINHTTP_INTERNAL_ERROR; goto exit; } } // Updating the buffer - delete old one if necessary. if (_szAlloc) { delete _szAlloc; _szAlloc = _szData = NULL; _cbData = 0; } // Get the entire authentication header. dwError = GetAuthHeaderData(pRequest, fIsProxy, NULL, &_szAlloc, &_cbData, ALLOCATE_BUFFER, dwAuthIdx); if (dwError != ERROR_SUCCESS) { goto exit; } // Point just past scheme _szData = _szAlloc; while (*_szData != ' ') { _szData++; _cbData--; } // The request will be retried. dwError = ERROR_SUCCESS; exit: AuthUnlock(); return dwError; } /*--------------------------------------------------------------------------- PostAuthUser ---------------------------------------------------------------------------*/ DWORD DIGEST_CTX::PostAuthUser() { if (!AuthLock()) { return ERROR_NOT_ENOUGH_MEMORY; } INET_ASSERT(_pSPMData == _pCreds->pSPM); DWORD dwError; SECURITY_STATUS ssResult; // Allocate an output buffer if not done so already. if (!_pvContext) { _pvContext = New CHAR[OUTPUT_BUFFER_LEN]; if (!_pvContext) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto exit; } } _cbContext = OUTPUT_BUFFER_LEN; if (_nRetries++ < MAX_SILENT_RETRIES) { // If we pre-authenticated, treat as second // or subsequent attempt. We depend on the // server correctly sending stale=FALSE (or no stale) // if the credentials sent during pre-auth were bad. // In this case the digest pkg will return SEC_E_NO_CREDENTIALS // and we will prompt for credentials. // BUGBUG - Use ApplyControlToken if (_nRetries == 1 && _pRequest->GetCreds()) { // Increment num of retries to 2 _nRetries++; // The dwLower member has to have the correct value // so that secur32.dll can route to correct provider. _hCtxt.dwLower = g_hCred.dwLower; } // Call into the SSPI package. DWORD sf; InitSecurityBuffers((LPSTR) _pvContext, _cbContext, &sf, ISC_MODE_AUTH); ssResult = (*(g_pFuncTbl->InitializeSecurityContext)) (&g_hCred, (_nRetries == 1 ? NULL : &_hCtxt), NULL, sf, 0, 0, &_SecBuffInDesc, 0, &_hCtxt, &_SecBuffOutDesc, NULL, NULL); _cbContext = _SecBuffOutDesc.pBuffers[0].cbBuffer; switch(ssResult) { case SEC_E_OK: { dwError = ERROR_WINHTTP_FORCE_RETRY; break; } case SEC_E_NO_CREDENTIALS: { dwError = ERROR_WINHTTP_INCORRECT_PASSWORD; break; } default: dwError = ERROR_WINHTTP_LOGIN_FAILURE; } } else { _cbContext = 0; _nRetries = 0; dwError = ERROR_WINHTTP_INCORRECT_PASSWORD; } exit: _pRequest->SetCreds(NULL); AuthUnlock(); return dwError; } /*--------------------------------------------------------------------------- Flush creds ---------------------------------------------------------------------------*/ VOID DIGEST_CTX::FlushCreds() { DWORD ssResult; if (g_pFuncTbl) { DWORD sf = ISC_REQ_NULL_SESSION; ssResult = (*(g_pFuncTbl->InitializeSecurityContext))(&g_hCred, NULL, NULL, sf, 0, 0, NULL, 0, NULL, NULL, NULL, NULL); } } /*--------------------------------------------------------------------------- Logoff ---------------------------------------------------------------------------*/ VOID DIGEST_CTX::Logoff() { DWORD ssResult; if (g_pFuncTbl) { ssResult = (*(g_pFuncTbl->FreeCredentialsHandle))(&g_hCred); } }