|
|
#include "precomp.h"
DEBUG_FILEZONE(ZONE_T120_MSMCSTCP);
// #define FORCE_SSL3_NEGOTIATION
#include "tprtsec.h"
#include "nmmkcert.h"
#define STRSAFE_NO_DEPRECATE 1
#include <strsafe.h>
/* Tprtsec.cpp
* * Copyright (c) 1997 by Microsoft Corporation * * Abstract: * This module maintains security for the TCP transport. * */
/* External definitions */ extern HINSTANCE g_hDllInst;
/*
* The following array contains a template for the X.224 data header. * The 5 of the 7 bytes that it initializes are actually sent to the * wire. Bytes 3 and 4 will be set to contain the size of the PDU. * The array is only used when we encode a data PDU. */ extern UChar g_X224Header[];
#ifdef DEBUG
//#define TESTHACKS // DANGER! don't turn on in public build!
//#define DUMP
//#define DUMPCERTS
//#undef TRACE_OUT
//#define TRACE_OUT WARNING_OUT
#endif //DEBUG
#define SZSECPKG UNISP_NAME_A
#define ISC_REQ_FLAGS ( ISC_REQ_SEQUENCE_DETECT |\
ISC_REQ_REPLAY_DETECT |\ ISC_REQ_CONFIDENTIALITY |\ ISC_REQ_EXTENDED_ERROR |\ ISC_REQ_ALLOCATE_MEMORY |\ ISC_REQ_STREAM)
#define ASC_REQ_FLAGS ( ASC_REQ_SEQUENCE_DETECT |\
ASC_REQ_REPLAY_DETECT |\ ASC_REQ_CONFIDENTIALITY |\ ASC_REQ_EXTENDED_ERROR |\ ASC_REQ_ALLOCATE_MEMORY |\ ASC_REQ_MUTUAL_AUTH |\ ASC_REQ_STREAM)
#if defined(DUMP) || defined(DUMPCERTS)
#define MAX_DUMP_BYTES 512
void dumpbytes(PSTR szComment, PBYTE p, int cb) { int i,j; char buf[80]; char buf2[80]; DWORD dwCheckSum = 0; int cbShow = min(MAX_DUMP_BYTES,cb);
for (i=0; i<cb; i++) dwCheckSum += p[i];
wsprintf(buf,"%s (%d bytes, checksum %x):", szComment? szComment : "unknown", cb, dwCheckSum); OutputDebugString(buf); WARNING_OUT(("%s",buf)); OutputDebugString("\n\r");
for (i=0; i<cbShow/16; i++) { wsprintf(buf, "%08x: ", (DWORD) &p[(i*16)] ); for (j=0; j<16; j++) { wsprintf(buf2," %02x", (int) (unsigned char) p[(i*16)+j] ); lstrcat ( buf, buf2 ); } WARNING_OUT(("%s",buf)); lstrcat ( buf, "\n\r"); OutputDebugString(buf); } if ( cbShow%16 ) { wsprintf(buf, "%08x: ", (DWORD) &p[(i*16)] ); for (j=0; j<cbShow%16; j++) { wsprintf(buf2," %02x", (int) (unsigned char) p[(i*16)+j] ); lstrcat ( buf, buf2 ); } WARNING_OUT(("%s",buf)); lstrcat(buf,"\n\r"); OutputDebugString(buf); } if ( cbShow < cb ) { OutputDebugString("...\n\r"); WARNING_OUT(("...")); } } #endif //DUMP or DUMPCERTS
///////////////////////////////////////////////////////////////////////////
// Security Interface
///////////////////////////////////////////////////////////////////////////
SecurityInterface::SecurityInterface(BOOL bService) : LastError(TPRTSEC_NOERROR), bInboundCredentialValid(FALSE), bOutboundCredentialValid(FALSE), m_pbEncodedCert(NULL), m_cbEncodedCert(0), hSecurityDll(NULL), pfnTable(NULL), bInServiceContext(bService) { }
SecurityInterface::~SecurityInterface(VOID) { if ( pfnTable && bInboundCredentialValid ) { pfnTable->FreeCredentialHandle ( &hInboundCredential ); }
if ( pfnTable && bOutboundCredentialValid ) { pfnTable->FreeCredentialHandle ( &hOutboundCredential ); }
if ( NULL != m_pbEncodedCert ) { delete m_pbEncodedCert; }
if ( NULL != hSecurityDll ) { FreeLibrary( hSecurityDll ); } }
#ifdef DUMPCERTS
VOID DumpCertStore ( SecurityInterface * pSI, char * sz, HCERTSTORE hStore) { WARNING_OUT(("************ %s *************", sz)); PCCERT_CONTEXT pC = NULL; int i = 0; char buf[256];
while ( pC = CertEnumCertificatesInStore( hStore, (PCERT_CONTEXT)pC )) { WARNING_OUT(("----------- Entry %d: ----------------", i));
// Dump stuff in pC->pCertInfo
//DWORD dwVersion;
//CRYPT_INTEGER_BLOB SerialNumber;
//CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
//CERT_NAME_BLOB Issuer;
//FILETIME NotBefore;
//FILETIME NotAfter;
//CERT_NAME_BLOB Subject;
//CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
//CRYPT_BIT_BLOB IssuerUniqueId;
//CRYPT_BIT_BLOB SubjectUniqueId;
//DWORD cExtension;
//PCERT_EXTENSION rgExtension;
WARNING_OUT(("dwVersion: %x", pC->pCertInfo->dwVersion));
dumpbytes("SerialNumber", pC->pCertInfo->SerialNumber.pbData, pC->pCertInfo->SerialNumber.cbData );
WARNING_OUT(("SignatureAlgorithm (name): %s", pC->pCertInfo->SignatureAlgorithm.pszObjId ));
CertNameToStr( pC->dwCertEncodingType, &pC->pCertInfo->Issuer, CERT_X500_NAME_STR, buf, sizeof(buf) ); WARNING_OUT(("Issuer: %s", buf ));
WARNING_OUT(("NotBefore: %x,%x", pC->pCertInfo->NotBefore.dwLowDateTime, pC->pCertInfo->NotBefore.dwHighDateTime )); WARNING_OUT(("NotAfter: %x,%x", pC->pCertInfo->NotAfter.dwLowDateTime, pC->pCertInfo->NotAfter.dwHighDateTime ));
CertNameToStr( pC->dwCertEncodingType, &pC->pCertInfo->Subject, CERT_X500_NAME_STR, buf, sizeof(buf) ); WARNING_OUT(("Subject: %s", buf ));
WARNING_OUT(("<stuff omitted for now>"));
dumpbytes("IssuerUniqueId", pC->pCertInfo->IssuerUniqueId.pbData, pC->pCertInfo->IssuerUniqueId.cbData );
dumpbytes("SubjectUniqueId", pC->pCertInfo->SubjectUniqueId.pbData, pC->pCertInfo->SubjectUniqueId.cbData );
WARNING_OUT(("cExtension: %x", pC->pCertInfo->cExtension )); WARNING_OUT(("<stuff omitted for now>"));
i++; } } #endif // DUMPCERTS
TransportSecurityError SecurityInterface::InitializeCreds( PCCERT_CONTEXT pCertContext ) { SECURITY_STATUS ss; SCHANNEL_CRED CredData;
CredHandle hNewInboundCred; CredHandle hNewOutboundCred;
//
// Are we going to create new creds or just clean up?
//
if ( NULL != pCertContext ) { ZeroMemory(&CredData, sizeof(CredData)); CredData.dwVersion = SCHANNEL_CRED_VERSION;
#ifdef FORCE_SSL3_NEGOTIATION
CredData.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT | SP_PROT_SSL3_SERVER; #endif // FORCE_SSL3_NEGOTIATION
CredData.dwFlags = SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;
CredData.cCreds = 1; CredData.paCred = &pCertContext;
// Acquire client and server credential handles
ss = pfnTable->AcquireCredentialsHandle ( NULL, SZSECPKG, SECPKG_CRED_INBOUND, NULL, &CredData, NULL, NULL, &hNewInboundCred, &tsExpiry );
if ( SEC_E_OK != ss ) { WARNING_OUT(("AcquireCredentialsHandle (inbound) failed %lx", ss)); LastError = TPRTSEC_SSPIFAIL; goto error; }
ss = pfnTable->AcquireCredentialsHandle ( NULL, SZSECPKG, SECPKG_CRED_OUTBOUND, NULL, &CredData, NULL, NULL, &hNewOutboundCred, &tsExpiry );
if ( SEC_E_OK != ss ) { WARNING_OUT(("AcquireCredentialsHandle (outbound) failed %lx", ss)); pfnTable->FreeCredentialHandle( &hNewInboundCred ); LastError = TPRTSEC_SSPIFAIL; goto error; }
// Empty the SSL cache
if (pfn_SslEmptyCache) { pfn_SslEmptyCache(); }
// This member can be called even when we're already initialized, as
// when the user chooses a different cert and we need to build new
// credentials based on it. Clear out the old information as necessary:
if ( NULL != m_pbEncodedCert ) { delete m_pbEncodedCert; m_pbEncodedCert = NULL; } }
if ( bInboundCredentialValid ) pfnTable->FreeCredentialHandle ( &hInboundCredential );
if ( bOutboundCredentialValid ) pfnTable->FreeCredentialHandle ( &hOutboundCredential );
if ( NULL != pCertContext ) { hInboundCredential = hNewInboundCred; hOutboundCredential = hNewOutboundCred; bInboundCredentialValid = TRUE; bOutboundCredentialValid = TRUE;
//
// Save the cert name for later use
//
ASSERT( NULL == m_pbEncodedCert ); m_pbEncodedCert = new BYTE[pCertContext->cbCertEncoded];
if ( NULL == m_pbEncodedCert ) { ERROR_OUT(("Error allocating data for encoded Cert")); goto error; }
memcpy( m_pbEncodedCert, pCertContext->pbCertEncoded, pCertContext->cbCertEncoded );
ASSERT(pCertContext->cbCertEncoded); m_cbEncodedCert = pCertContext->cbCertEncoded; } else { bInboundCredentialValid = FALSE; bOutboundCredentialValid = FALSE; }
LastError = TPRTSEC_NOERROR;
error:
return LastError; }
TransportSecurityError SecurityInterface::Initialize(VOID) { TRACE_OUT(("Initializing security interface"));
// Load the security provider DLL
hSecurityDll = LoadLibrary("SCHANNEL");
if ( !hSecurityDll ) { ERROR_OUT(("Loadlib schannel.dll failed")); LastError = TPRTSEC_NODLL; goto error; }
// Get the initialization entrypoint
pfnInitSecurityInterface = (INIT_SECURITY_INTERFACE)GetProcAddress( hSecurityDll, SECURITY_ENTRYPOINT );
if ( NULL == pfnInitSecurityInterface ) { ERROR_OUT(("GetProcAddr %s failed", SECURITY_ENTRYPOINT)); LastError = TPRTSEC_NOENTRYPT; goto error; }
// Get the SSPI function table
pfnTable = (*pfnInitSecurityInterface)();
if ( NULL == pfnTable ) { ERROR_OUT(("InitializeSecurityProvider failed")); LastError = TPRTSEC_SSPIFAIL; goto error; }
pfn_SslEmptyCache = (PFN_SSL_EMPTY_CACHE)GetProcAddress(hSecurityDll, SZ_SSLEMPTYCACHE); if ( NULL == pfnInitSecurityInterface ) { ERROR_OUT(("GetProcAddr %s failed", SZ_SSLEMPTYCACHE)); LastError = TPRTSEC_NOENTRYPT; goto error; }
error:
return LastError; }
BOOL SecurityInterface::GetUserCert(PBYTE pInfo, PDWORD pcbInfo) { if ( NULL == m_pbEncodedCert) { WARNING_OUT(("GetUserCert: no encoded certname")); return FALSE; }
ASSERT(m_cbEncodedCert > 0);
if ( NULL == pInfo ) { // Caller wants to know how much to allocate
ASSERT(pcbInfo); *pcbInfo = m_cbEncodedCert; return TRUE; }
if ( *pcbInfo < m_cbEncodedCert ) { ERROR_OUT(("GetUserCert: insufficient buffer (%ld) %ld required", *pcbInfo, m_cbEncodedCert )); return FALSE; }
memcpy ( (PCHAR)pInfo, m_pbEncodedCert, m_cbEncodedCert ); *pcbInfo = m_cbEncodedCert;
return TRUE; }
///////////////////////////////////////////////////////////////////////////
// Security Context
///////////////////////////////////////////////////////////////////////////
SecurityContext::SecurityContext(PSecurityInterface pSI, LPCSTR szHostName) : scstate(SECCTX_STATE_NEW), fContinueNeeded(FALSE), LastError(TPRTSEC_NOERROR), bContextHandleValid(FALSE) { ASSERT(pSI); ASSERT(szHostName);
pSecurityInterface = pSI;
OutBuffers[0].pvBuffer = NULL; OutBuffers[0].cbBuffer = 0;
if ( NULL != szHostName ) { StringCchPrintf( szTargetName, CCHMAX(szTargetName), "%s:%x%x", szHostName, pSI->hOutboundCredential.dwUpper, pSI->hOutboundCredential.dwLower); TRACE_OUT(("SecurityContext::SecurityContext: targ %s",szTargetName)); } ASSERT(pSecurityInterface); }
SecurityContext::~SecurityContext(VOID) { ASSERT(pSecurityInterface); if ( NULL != OutBuffers[0].pvBuffer ) { ASSERT(pSecurityInterface->pfnTable);
pSecurityInterface->pfnTable->FreeContextBuffer(OutBuffers[0].pvBuffer); OutBuffers[0].pvBuffer = NULL; } if ( bContextHandleValid ) { pSecurityInterface->pfnTable->DeleteSecurityContext(&hContext); } }
TransportSecurityError SecurityContext::InitContextAttributes(VOID) { SECURITY_STATUS ss;
ss = pSecurityInterface->pfnTable->QueryContextAttributes(&hContext, SECPKG_ATTR_STREAM_SIZES, &Sizes ); if (ss != ERROR_SUCCESS) { ERROR_OUT(("QueryContextAttributes returned [%x]", ss)); return LastError = TPRTSEC_SSPIFAIL; } else { ASSERT (Sizes.cbHeader + Sizes.cbTrailer <= PROTOCOL_OVERHEAD_SECURITY); TRACE_OUT(("QueryContextAttributes returned header=%d trailer=%d", Sizes.cbHeader, Sizes.cbTrailer)); }
#ifdef DEBUG //////////////////////////////////////////////////////////
SecPkgContext_KeyInfo KeyInfo;
ss = pSecurityInterface->pfnTable->QueryContextAttributes(&hContext, SECPKG_ATTR_KEY_INFO, &KeyInfo ); if (ss != ERROR_SUCCESS) { ERROR_OUT(("QueryContextAttributes (KEY_INFO) failed %x", ss)); } else { WARNING_OUT(("KEY INFO: Sign:%s Encrypt:%s Keysize:%d", KeyInfo.sSignatureAlgorithmName, KeyInfo.sEncryptAlgorithmName, KeyInfo.KeySize )); pSecurityInterface->pfnTable->FreeContextBuffer( KeyInfo.sSignatureAlgorithmName ); pSecurityInterface->pfnTable->FreeContextBuffer( KeyInfo.sEncryptAlgorithmName ); }
#endif //DEBUG ///////////////////////////////////////////////////////
return TPRTSEC_NOERROR; }
TransportSecurityError SecurityContext::Initialize(PBYTE pData, DWORD cbData) { SECURITY_STATUS ss; DWORD dwReqFlags;
TRACE_OUT(("SecurityContext Initialize (%x,%d)", pData, cbData));
fContinueNeeded = FALSE;
ASSERT(pSecurityInterface); ASSERT(SECCTX_STATE_INIT == scstate || SECCTX_STATE_NEW == scstate);
if ( !pSecurityInterface->bOutboundCredentialValid ) { WARNING_OUT(("SecurityContext::Initialize: no outbound cred")); return TPRTSEC_SSPIFAIL; }
if ( SECCTX_STATE_INIT == scstate) { ASSERT(NULL != pData); ASSERT(0 != cbData);
if ( NULL == pData || 0 == cbData ) { ERROR_OUT(("Second initialize call with no data")); return LastError = TPRTSEC_INVALID_PARAMETER; }
// Build the input buffer descriptor
InputBufferDescriptor.cBuffers = 2; InputBufferDescriptor.pBuffers = InBuffers; InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
InBuffers[0].BufferType = SECBUFFER_TOKEN; InBuffers[0].cbBuffer = cbData; InBuffers[0].pvBuffer = pData;
InBuffers[1].BufferType = SECBUFFER_EMPTY; InBuffers[1].cbBuffer = 0; InBuffers[1].pvBuffer = NULL; } else { ASSERT(NULL == pData); ASSERT(0 == cbData); }
OutputBufferDescriptor.cBuffers = 1; OutputBufferDescriptor.pBuffers = OutBuffers; OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
// If there's a output buffer from a previous call, free it here
if ( NULL != OutBuffers[0].pvBuffer ) { pSecurityInterface->pfnTable->FreeContextBuffer(OutBuffers[0].pvBuffer); }
dwReqFlags = ISC_REQ_FLAGS;
while ( 1 ) { OutBuffers[0].BufferType = SECBUFFER_TOKEN; OutBuffers[0].cbBuffer = 0; OutBuffers[0].pvBuffer = NULL;
#ifdef DUMP
if (SECCTX_STATE_INIT == scstate) { dumpbytes("input token", (unsigned char *)InBuffers[0].pvBuffer, InBuffers[0].cbBuffer); } #endif //DUMP
ss = pSecurityInterface->pfnTable->InitializeSecurityContext( &(pSecurityInterface->hOutboundCredential), SECCTX_STATE_INIT == scstate ? &hContext : NULL, szTargetName, // TargetName
dwReqFlags, 0, // Reserved
SECURITY_NATIVE_DREP, SECCTX_STATE_INIT == scstate ? &InputBufferDescriptor : NULL, 0, // reserved
&hContext, &OutputBufferDescriptor, &ContextAttributes, &Expiration );
// Some security providers don't process all the packet data
// in one call to SCA - readjust the input buffers with the offset
// returned in the extra buffer and iterate as necessary
if (( SEC_I_CONTINUE_NEEDED == ss && NULL == OutBuffers[0].pvBuffer ) && SECBUFFER_EXTRA == InBuffers[1].BufferType && 0 != InBuffers[1].cbBuffer ) { InBuffers[0].pvBuffer = (PBYTE)(InBuffers[0].pvBuffer) + ( InBuffers[0].cbBuffer - InBuffers[1].cbBuffer ); InBuffers[0].BufferType = SECBUFFER_TOKEN; InBuffers[0].cbBuffer = InBuffers[1].cbBuffer;
InBuffers[1].BufferType = SECBUFFER_EMPTY; InBuffers[1].cbBuffer = 0; InBuffers[1].pvBuffer = NULL;
continue; } break; }
#ifdef DUMP
if ( SEC_E_OK == ss || SEC_I_CONTINUE_NEEDED == ss ) { dumpbytes("output token", (unsigned char *)OutBuffers[0].pvBuffer, OutBuffers[0].cbBuffer); } #endif //DUMP
#ifdef ALLOW_NON_AUTHENTICATED_CLIENTS
if ( SEC_I_INCOMPLETE_CREDENTIALS == ss ) { WARNING_OUT(("InitializeSecurityContext:SEC_I_INCOMPLETE_CREDENTIALS"));
dwReqFlags |= ISC_REQ_USE_SUPPLIED_CREDS;
ss = pSecurityInterface->pfnTable->InitializeSecurityContext( &(pSecurityInterface->hOutboundCredential), SECCTX_STATE_INIT == scstate ? &hContext : NULL, szTargetName, // TargetName
dwReqFlags, 0, // Reserved
SECURITY_NATIVE_DREP, SECCTX_STATE_INIT == scstate ? &InputBufferDescriptor : NULL, 0, // reserved
&hContext, &OutputBufferDescriptor, &ContextAttributes, &Expiration ); } #endif // ALLOW_NON_AUTHENTICATED_CLIENTS
if ( SEC_E_OK != ss ) { if ( SEC_I_CONTINUE_NEEDED == ss && NULL != OutBuffers[0].pvBuffer ) { ASSERT(SECCTX_STATE_NEW == scstate || SECCTX_STATE_INIT == scstate);
TRACE_OUT(("Initialize: SEC_I_CONTINUE_NEEDED")); scstate = SECCTX_STATE_INIT; } else { ERROR_OUT(("Initialize failed: %x in state %d",(DWORD)ss,scstate)); return LastError = TPRTSEC_SSPIFAIL; } } else { // We're almost done,
// find the header and trailer sizes
//
if ( TPRTSEC_NOERROR != InitContextAttributes() ) return LastError;
if ( !Verify() ) return LastError = TPRTSEC_SSPIFAIL;
TRACE_OUT(("INITIALIZE OK"));
scstate = SECCTX_STATE_INIT_COMPLETE; }
// If there is an output buffer, set the flag to get it sent accross
if ( ( SEC_E_OK == ss || SEC_I_CONTINUE_NEEDED == ss ) && NULL != OutBuffers[0].pvBuffer ) { fContinueNeeded = TRUE; }
bContextHandleValid = TRUE; return LastError = TPRTSEC_NOERROR; }
TransportSecurityError SecurityContext::Accept(PBYTE pData, DWORD cbData) { SECURITY_STATUS ss;
fContinueNeeded = FALSE;
ASSERT(SECCTX_STATE_NEW == scstate || SECCTX_STATE_ACCEPT == scstate);
if ( !pSecurityInterface->bInboundCredentialValid ) { WARNING_OUT(("SecurityContext::Initialize: no inbound cred")); return TPRTSEC_SSPIFAIL; }
// Check to see if the required data is present
if ( NULL == pData || 0 == cbData ) { ERROR_OUT(("Accept: no data")); return LastError = TPRTSEC_INVALID_PARAMETER; }
// Build the input buffer descriptor
InputBufferDescriptor.cBuffers = 2; InputBufferDescriptor.pBuffers = InBuffers; InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
InBuffers[0].BufferType = SECBUFFER_TOKEN; InBuffers[0].cbBuffer = cbData; InBuffers[0].pvBuffer = pData;
InBuffers[1].BufferType = SECBUFFER_EMPTY; InBuffers[1].cbBuffer = 0; InBuffers[1].pvBuffer = NULL;
// Build the output buffer descriptor
OutputBufferDescriptor.cBuffers = 1; OutputBufferDescriptor.pBuffers = OutBuffers; OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
// If there's a output buffer from a previous call, free it here
if ( NULL != OutBuffers[0].pvBuffer ) { pSecurityInterface->pfnTable->FreeContextBuffer(OutBuffers[0].pvBuffer); }
while ( 1 ) { OutBuffers[0].BufferType = SECBUFFER_TOKEN; OutBuffers[0].cbBuffer = 0; OutBuffers[0].pvBuffer = NULL;
#ifdef DUMP
dumpbytes("input token", (unsigned char *)InBuffers[0].pvBuffer, InBuffers[0].cbBuffer); #endif //DUMP
ss = pSecurityInterface->pfnTable->AcceptSecurityContext( &(pSecurityInterface->hInboundCredential), SECCTX_STATE_NEW == scstate ? NULL : &hContext, &InputBufferDescriptor, ASC_REQ_FLAGS, SECURITY_NATIVE_DREP, &hContext, // receives new context handle
&OutputBufferDescriptor, // receives output security token
&ContextAttributes, // receives context attributes
&Expiration ); // receives expiration time
// Some security providers don't process all the packet data
// in one call to SCA - readjust the input buffers with the offset
// returned in the extra buffer and iterate as necessary
if (( SEC_I_CONTINUE_NEEDED == ss && NULL == OutBuffers[0].pvBuffer ) && SECBUFFER_EXTRA == InBuffers[1].BufferType && 0 != InBuffers[1].cbBuffer ) { InBuffers[0].pvBuffer = (PBYTE)(InBuffers[0].pvBuffer) + ( InBuffers[0].cbBuffer - InBuffers[1].cbBuffer ); InBuffers[0].BufferType = SECBUFFER_TOKEN; InBuffers[0].cbBuffer = InBuffers[1].cbBuffer;
InBuffers[1].BufferType = SECBUFFER_EMPTY; InBuffers[1].cbBuffer = 0; InBuffers[1].pvBuffer = NULL;
continue; } break; }
#ifdef DUMP
if ( SEC_E_OK == ss || SEC_I_CONTINUE_NEEDED == ss ) { dumpbytes("output token", (unsigned char *)OutBuffers[0].pvBuffer, OutBuffers[0].cbBuffer); } #endif //DUMP
if ( SEC_E_OK != ss ) { if ( SEC_I_CONTINUE_NEEDED == ss ) { TRACE_OUT(("Accept: SEC_I_CONTINUE_NEEDED"));
scstate = SECCTX_STATE_ACCEPT; } else { ERROR_OUT(("AcceptSecurityContext failed: %x", (DWORD)ss)); return LastError = TPRTSEC_SSPIFAIL; } } else {
// We're almost done,
// find the header and trailer sizes
//
if ( TPRTSEC_NOERROR != InitContextAttributes() ) return LastError;
if ( !Verify() ) return LastError = TPRTSEC_SSPIFAIL;
TRACE_OUT(("ACCEPT OK"));
scstate = SECCTX_STATE_ACCEPT_COMPLETE; }
// If there is an output buffer, set the flag to get it sent accross
if ( ( SEC_E_OK == ss || SEC_I_CONTINUE_NEEDED == ss ) && NULL != OutBuffers[0].pvBuffer ) { fContinueNeeded = TRUE; }
bContextHandleValid = TRUE; return LastError = TPRTSEC_NOERROR; }
/////////////////////////////////////////////////////////////////////////////
//
// Encrypt()
//
// Description:
// Encrypts a packet to be sent using SSL/PCT by calling SealMessage().
//
// Parameters:
// phContext - security context handle returned from InitiateSecConnection
// pBufIn1, pBufIn2 - buffers to be encrypted
// cbBufIn1,cbBufIn2 - lengths of buffers to be encrypted
// ppBufOut - allocated encrypted buffer, to be freed by caller
// pcbBufOut - length of encrypted buffer
//
// Return:
// TransprotSecurityError
//
TransportSecurityError SecurityContext::Encrypt( LPBYTE pBufIn1, UINT cbBufIn1, LPBYTE pBufIn2, UINT cbBufIn2, LPBYTE *ppBufOut, UINT *pcbBufOut) { SECURITY_STATUS scRet = ERROR_SUCCESS; SecBufferDesc Buffer; SecBuffer Buffers[4]; UINT cbBufInTotal; LPBYTE pbTemp;
// pBufIn2 and cbBufIn2 maybe NULL and 0, respectively.
ASSERT(pBufIn1); ASSERT(cbBufIn1); ASSERT(ppBufOut); ASSERT(pcbBufOut);
ASSERT(SECCTX_STATE_INIT_COMPLETE == scstate || SECCTX_STATE_ACCEPT_COMPLETE == scstate); if (SECCTX_STATE_INIT_COMPLETE != scstate && SECCTX_STATE_ACCEPT_COMPLETE != scstate) return LastError = TPRTSEC_INCOMPLETE_CONTEXT;
*pcbBufOut = 0; cbBufInTotal = cbBufIn1 + cbBufIn2;
// We allocate a buffer to hold the (larger) encrypted data.
// This must be freed by the caller!
// christts: The buffer will now also hold the X.224 header.
if (NULL == (*ppBufOut = (LPBYTE)LocalAlloc(0, cbBufInTotal + Sizes.cbHeader + Sizes.cbTrailer + sizeof(X224_DATA_PACKET)))) return LastError = TPRTSEC_NOMEM;
pbTemp = *ppBufOut + sizeof(X224_DATA_PACKET);
//
// prepare data for SecBuffer
//
Buffers[0].pvBuffer = pbTemp; Buffers[0].cbBuffer = Sizes.cbHeader; Buffers[0].BufferType = SECBUFFER_STREAM_HEADER;
Buffers[1].pvBuffer = pbTemp + Sizes.cbHeader; // Copy the user's data
CopyMemory(Buffers[1].pvBuffer, pBufIn1, cbBufIn1); if (NULL != pBufIn2) { CopyMemory((PVoid) ((PUChar) (Buffers[1].pvBuffer) + cbBufIn1), pBufIn2, cbBufIn2); } Buffers[1].cbBuffer = cbBufInTotal; Buffers[1].BufferType = SECBUFFER_DATA;
Buffers[2].pvBuffer = pbTemp + Sizes.cbHeader + cbBufInTotal; Buffers[2].cbBuffer = Sizes.cbTrailer; Buffers[2].BufferType = SECBUFFER_STREAM_TRAILER;
Buffers[3].pvBuffer = NULL; Buffers[3].cbBuffer = 0; Buffers[3].BufferType = SECBUFFER_EMPTY;
Buffer.cBuffers = 4; Buffer.pBuffers = Buffers; Buffer.ulVersion = SECBUFFER_VERSION;
#ifdef DUMP
dumpbytes("data BEFORE encryption", (PBYTE)Buffers[1].pvBuffer, Buffers[1].cbBuffer); #endif // DUMP
// Call the semi-documented SealMessage function (Reserved3)
scRet = ((SEAL_MESSAGE_FN)pSecurityInterface->pfnTable->Reserved3)( &hContext, 0, &Buffer, 0);
if (scRet != ERROR_SUCCESS) { //
// Map the SSPI error.
//
ERROR_OUT(("SealMessage failed: %x", scRet)); LocalFree(*ppBufOut); return LastError = TPRTSEC_SSPIFAIL; }
// We also have to add the X.224 header.
*pcbBufOut = cbBufInTotal + Sizes.cbHeader + Sizes.cbTrailer + sizeof(X224_DATA_PACKET); memcpy (*ppBufOut, g_X224Header, sizeof(X224_DATA_PACKET)); AddRFCSize(*ppBufOut, *pcbBufOut);
#ifdef TESTHACKS
// Inject an error...
if (GetAsyncKeyState(VK_CONTROL)&0x8000) { OutputDebugString("*** INJECTING ERROR IN OUTGOING PACKET ***\n\r"); pbTemp[(*pcbBufOut - sizeof(X224_DATA_PACKET))/2] ^= 0x55; } #endif //TESTHACKS
#ifdef DUMP
dumpbytes("data AFTER encryption", pbTemp, *pcbBufOut - sizeof(X224_DATA_PACKET)); #endif // DUMP
TRACE_OUT(("SealMessage returned Buffer = %p, EncryptBytes = %d, UnencryptBytes = %d", pbTemp, *pcbBufOut - sizeof(X224_DATA_PACKET), cbBufInTotal));
return LastError = TPRTSEC_NOERROR; }
/////////////////////////////////////////////////////////////////////////////
//
// Decrypt
//
// Description:
// Decrypts a buffer received using SCHANNEL by calling UnsealMessage().
//
// Parameters:
// pBuf - buffer to be decrypted
// cbBufIn - length of buffer to be decrypted
//
TransportSecurityError SecurityContext::Decrypt( PBYTE pBuf, DWORD cbBuf) { SecBufferDesc Buffer; SecBuffer Buffers[4]; DWORD scRet = ERROR_SUCCESS; SecBuffer * pDataBuffer; int i;
LastError = TPRTSEC_SSPIFAIL;
ASSERT(SECCTX_STATE_INIT_COMPLETE == scstate || SECCTX_STATE_ACCEPT_COMPLETE == scstate); if (SECCTX_STATE_INIT_COMPLETE != scstate && SECCTX_STATE_ACCEPT_COMPLETE != scstate) return LastError = TPRTSEC_INCOMPLETE_CONTEXT;
ASSERT(!IsBadWritePtr(pBuf,cbBuf));
#ifdef TESTHACKS
// Inject an error...
if ( GetAsyncKeyState(VK_SHIFT) & 0x8000 ) { OutputDebugString("*** INJECTING ERROR IN INCOMING PACKET ***\n\r"); pBuf[cbBuf/2] ^= 0x55; } #endif //TESTHACKS
//
// prepare data the SecBuffer for a call to SSL/PCT decryption code.
//
Buffers[0].pvBuffer = pBuf; Buffers[0].cbBuffer = cbBuf;
Buffers[0].BufferType = SECBUFFER_DATA;
Buffers[1].pvBuffer = NULL; Buffers[1].cbBuffer = 0; Buffers[1].BufferType = SECBUFFER_EMPTY; Buffers[2].pvBuffer = NULL; Buffers[2].cbBuffer = 0; Buffers[2].BufferType = SECBUFFER_EMPTY; Buffers[3].pvBuffer = NULL; Buffers[3].cbBuffer = 0; Buffers[3].BufferType = SECBUFFER_EMPTY;
Buffer.cBuffers = 4; Buffer.pBuffers = Buffers; Buffer.ulVersion = SECBUFFER_VERSION;
// Call the semi-documented UnsealMessage function (Reserved4)
#ifdef DUMP
dumpbytes("data BEFORE decryption:", (PBYTE)Buffers[0].pvBuffer, Buffers[0].cbBuffer); #endif // DUMP
scRet = ((UNSEAL_MESSAGE_FN)pSecurityInterface->pfnTable->Reserved4)( &hContext, &Buffer, 0, NULL);
pDataBuffer = NULL;
for( i=0; i<4; i++ ) { if ( NULL == pDataBuffer && SECBUFFER_DATA == Buffers[i].BufferType ) { pDataBuffer = &Buffers[i]; } }
if ( NULL == pDataBuffer ) { ERROR_OUT(("Unseal: no data buffer found")); return LastError = TPRTSEC_SSPIFAIL; }
#ifdef DUMP
dumpbytes("data AFTER decryption:", (PBYTE)pDataBuffer->pvBuffer, pDataBuffer->cbBuffer); #endif // DUMP
if (scRet != ERROR_SUCCESS) { ERROR_OUT(("UnsealMessage failed with [%x]", scRet)); return LastError = TPRTSEC_SSPIFAIL; } return LastError = TPRTSEC_NOERROR; }
TransportSecurityError SecurityContext::AdvanceState(PBYTE pIncomingData, DWORD cbBuf) { TRACE_OUT(("AdvanceState: state %d using data %x (%d)", scstate, pIncomingData, cbBuf ));
switch ( scstate ) { case SECCTX_STATE_INIT: if ( TPRTSEC_NOERROR != Initialize( pIncomingData, cbBuf ) ) { WARNING_OUT(("AdvanceState: Initialize failed in INIT")); goto error; } break;
case SECCTX_STATE_ACCEPT: case SECCTX_STATE_NEW: if ( TPRTSEC_NOERROR != Accept( pIncomingData, cbBuf ) ) { WARNING_OUT(("AdvanceState: Accept failed in ACCEPT or NEW")); goto error; } break;
case SECCTX_STATE_INIT_COMPLETE: case SECCTX_STATE_ACCEPT_COMPLETE: case SECCTX_STATE_ERROR: default: ERROR_OUT(("AdvanceState: called in unexpected state %d")); goto error;
} return LastError = TPRTSEC_NOERROR;
error:
scstate = SECCTX_STATE_ERROR; return LastError; }
#define CHECKFLAGS (CERT_STORE_REVOCATION_FLAG |\
CERT_STORE_SIGNATURE_FLAG |\ CERT_STORE_TIME_VALIDITY_FLAG)
BOOL SecurityContext::Verify(VOID) { BOOL fRet = TRUE; DWORD sc; PCCERT_CONTEXT pCert = NULL, pIssuerCert = NULL, pCACert = NULL; DWORD dwFlags; HCERTSTORE hStore = NULL; HCERTSTORE hCAStore = NULL; RegEntry rePol(POLICIES_KEY, HKEY_LOCAL_MACHINE); CHAR * pIssuer = NULL;
ASSERT( NULL != pSecurityInterface );
// Get the subject cert context
sc = pSecurityInterface->pfnTable->QueryContextAttributes(&hContext, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pCert );
if ( SEC_E_OK != sc ) { ERROR_OUT(("QueryContextAttributes (REMOTE_CERT_CONTEXT) failed")); goto error; }
if ( NULL == pCert ) { // The caller is not authenticated
WARNING_OUT(("No remote cred data")); goto error; }
// Open the root store for certificate verification
hStore = CertOpenSystemStore(0, "Root");
if( NULL == hStore ) { ERROR_OUT(("Couldn't open root certificate store")); goto error; }
dwFlags = CHECKFLAGS;
// Get the issuer of this cert
pIssuerCert = CertGetIssuerCertificateFromStore( hStore, pCert, NULL, &dwFlags );
// If the issuer of the certificate cannot be found in the root store,
// check the CA store iteratively until we work our way back to a root
// certificate
pCACert = pCert;
while ( NULL == pIssuerCert ) { PCCERT_CONTEXT pTmpCert;
if ( NULL == hCAStore ) { hCAStore = CertOpenSystemStore(0, "CA");
if ( NULL == hCAStore ) { ERROR_OUT(("Couldn't open CA certificate store")); goto error; } }
dwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
pTmpCert = CertGetIssuerCertificateFromStore( hCAStore, pCACert, NULL, &dwFlags );
if ( NULL == pTmpCert ) { TRACE_OUT(("Issuer not found in CA store either")); break; }
if ( pCACert != pCert ) CertFreeCertificateContext(pCACert); pCACert = pTmpCert;
if ((( CERT_STORE_REVOCATION_FLAG & dwFlags ) && !( CERT_STORE_NO_CRL_FLAG & dwFlags )) || ( CERT_STORE_SIGNATURE_FLAG & dwFlags ) || ( CERT_STORE_TIME_VALIDITY_FLAG & dwFlags )) { TRACE_OUT(("Problem with issuer in CA store: %x", dwFlags)); break; }
dwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
pIssuerCert = CertGetIssuerCertificateFromStore( hStore, pCACert, NULL, &dwFlags );
}
if ( pCACert != pCert ) CertFreeCertificateContext ( pCACert );
if ( NULL == pIssuerCert ) { WARNING_OUT(("Verify: Can't find issuer in store")); }
// Check certificate
if ( NULL != pIssuerCert && 0 != dwFlags ) { if ( dwFlags & CERT_STORE_SIGNATURE_FLAG ) { WARNING_OUT(("Verify: Signature invalid")); } if ( dwFlags & CERT_STORE_TIME_VALIDITY_FLAG ) { WARNING_OUT(("Verify: Cert expired")); } if ( dwFlags & CERT_STORE_REVOCATION_FLAG ) { if (!(dwFlags & CERT_STORE_NO_CRL_FLAG)) { WARNING_OUT(("Verify: Cert revoked")); } else { // We have no CRL for this issuer, do not
// treat as revoked by default:
dwFlags &= ~CERT_STORE_REVOCATION_FLAG; } } }
//
// Check for no-incomplete-certs policy
//
if (( NULL == pIssuerCert || ( 0 != ( CHECKFLAGS & dwFlags ))) && rePol.GetNumber( REGVAL_POL_NO_INCOMPLETE_CERTS, DEFAULT_POL_NO_INCOMPLETE_CERTS )) { WARNING_OUT(("Verify: policy prevents cert use")); fRet = FALSE; goto error; }
//
// Is there a mandatory issuer?
//
if ( lstrlen(rePol.GetString( REGVAL_POL_ISSUER ))) { DWORD cbIssuer;
//
// Get the issuer information
//
cbIssuer = CertNameToStr ( pCert->dwCertEncodingType, &pCert->pCertInfo->Issuer, CERT_FORMAT_FLAGS, NULL, 0);
if ( 0 == cbIssuer ) { ERROR_OUT(("GetUserInfo: no issuer string")); fRet = FALSE; goto error; }
pIssuer = new CHAR[cbIssuer + 1];
if ( NULL == pIssuer ) { ERROR_OUT(("GetUserInfo: error allocating issuer name")); }
if ( 0 >= CertNameToStr ( pCert->dwCertEncodingType, &pCert->pCertInfo->Issuer, CERT_FORMAT_FLAGS, pIssuer, cbIssuer+1)) { ERROR_OUT(("GetUserInfo: error getting issuer string")); fRet = FALSE; goto error; }
if ( lstrcmp ( rePol.GetString(REGVAL_POL_ISSUER), pIssuer )) { WARNING_OUT(("Issuer (%s) didn't match policy (%s)", pIssuer, rePol.GetString(REGVAL_POL_ISSUER))); fRet = FALSE; } }
error:
if ( NULL != hStore ) { CertCloseStore(hStore, 0); }
if ( NULL != hCAStore ) { CertCloseStore(hCAStore, 0); }
if ( NULL != pCert ) { CertFreeCertificateContext ( pCert ); }
if ( NULL != pIssuerCert ) { CertFreeCertificateContext ( pIssuerCert ); }
if ( NULL != pIssuer ) { delete pIssuer; }
return fRet; }
BOOL SecurityContext::GetUserCert(PBYTE pInfo, PDWORD pcbInfo) { BOOL fRet = FALSE; DWORD sc; PCCERT_CONTEXT pCert = NULL;
ASSERT( NULL != pSecurityInterface );
//
// Get the certificate from the context
//
sc = pSecurityInterface->pfnTable->QueryContextAttributes(&hContext, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pCert );
if ( SEC_E_OK != sc ) { ERROR_OUT(("QueryContextAttributes failed")); goto cleanup; }
if ( NULL == pCert ) { // The caller is not authenticated
WARNING_OUT(("No remote cred data")); goto cleanup; }
if ( NULL != pInfo && *pcbInfo >= pCert->cbCertEncoded ) { memcpy ( pInfo, pCert->pbCertEncoded, pCert->cbCertEncoded ); } *pcbInfo = pCert->cbCertEncoded;
fRet = TRUE;
cleanup:
if ( NULL != pCert ) { CertFreeCertificateContext ( pCert ); }
return fRet; }
|