Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

316 lines
7.2 KiB

  1. /*++
  2. Copyright (c) 1995 Microsoft Corporation
  3. Module Name:
  4. simssl.h
  5. Abstract:
  6. This module contains class declarations/definitions for
  7. CEncryptCtx (some code stolen from internet server)
  8. Revision History:
  9. --*/
  10. #ifndef _SIMSSL_H_
  11. #define _SIMSSL_H_
  12. class CEncryptCtx
  13. {
  14. private:
  15. //
  16. // is this the client side
  17. //
  18. BOOL m_IsClient;
  19. //
  20. // indicates whether we are starting a new session
  21. //
  22. BOOL m_IsNewSSLSession;
  23. //
  24. // should this session be encypted
  25. //
  26. BOOL m_IsEncrypted;
  27. //
  28. // Handle to user's security context for encryption
  29. //
  30. CtxtHandle m_hSealCtxt;
  31. //
  32. // Pointers to cached credential blocks
  33. //
  34. //
  35. // Array of credential handles - Note this comes form the credential cache
  36. // and should not be deleted. m_phCredInUse is the pointer to the
  37. // credential handle that is in use
  38. //
  39. PVOID m_phCreds;
  40. CredHandle* m_phCredInUse;
  41. DWORD m_iCredInUse;
  42. //
  43. // ecryption header and trailer lengths
  44. //
  45. DWORD m_cbSealHeaderSize;
  46. DWORD m_cbSealTrailerSize;
  47. //
  48. // indicates whether we have context handles opened
  49. //
  50. BOOL m_haveSSLCtxtHandle;
  51. //
  52. // Have we been authenticated ? we will consider an
  53. // SSL session to be authenticated, if we have a non-null
  54. // NT token.
  55. //
  56. BOOL m_IsAuthenticated;
  57. //
  58. // SSL access perms - should we map client certs to NT accounts
  59. //
  60. DWORD m_dwSslAccessPerms;
  61. //
  62. // NT token - non-NULL if client cert was mapped successfully
  63. //
  64. HANDLE m_hSSPToken;
  65. //
  66. // Key size used - 40 bit vs 128 bit etc
  67. //
  68. DWORD m_dwKeySize;
  69. //
  70. // Have we been authenticated, if so did we use the
  71. // anonymous token
  72. //
  73. static BOOL m_IsSecureCapable;
  74. //
  75. // static variables used by all class instances
  76. //
  77. static WCHAR wszServiceName[16];
  78. #if 0
  79. static char szLsaPrefix[16];
  80. #endif
  81. //
  82. // hSecurity - NULL when security.dll/secur32.dll is not loaded
  83. //
  84. static HINSTANCE m_hSecurity;
  85. //
  86. // hLsa - NULL for Win95, set for NT
  87. //
  88. static HINSTANCE m_hLsa;
  89. //
  90. // shared context callback for instance mapper
  91. //
  92. static PVOID m_psmcMapContext;
  93. //
  94. // internal routine to implement public Converse
  95. //
  96. DWORD EncryptConverse(
  97. IN PVOID InBuffer,
  98. IN DWORD InBufferSize,
  99. OUT LPBYTE OutBuffer,
  100. OUT PDWORD OutBufferSize,
  101. OUT PBOOL MoreBlobsExpected,
  102. IN CredHandle* pCredHandle,
  103. OUT PULONG pcbExtra
  104. );
  105. public:
  106. CEncryptCtx( BOOL IsClient = FALSE, DWORD dwSslAccessPerms = 0 );
  107. ~CEncryptCtx();
  108. //
  109. // routines used to initialize and terminate use of this class
  110. //
  111. static BOOL WINAPI Initialize( LPSTR pszServiceName,
  112. IMDCOM* pImdcom,
  113. PVOID psmcMapContext = NULL,
  114. PVOID pvAdminBase = NULL /*,
  115. LPSTR pszLsaPrefix */ );
  116. static VOID WINAPI Terminate( VOID );
  117. //
  118. // routine to set the magic bits required by the IIS Admin tool
  119. //
  120. static void WINAPI GetAdminInfoEncryptCaps( PDWORD pdwEncCaps );
  121. //
  122. // returns whether sspi packages and credentials have been installed
  123. //
  124. static BOOL IsSecureCapable( void ) { return m_IsSecureCapable; }
  125. //
  126. // returns whether session is encrypted or not
  127. //
  128. BOOL IsEncrypted( void ) { return m_IsEncrypted; }
  129. //
  130. // returns whether session has successfully authenticated
  131. //
  132. BOOL IsAuthenticated( void ) { return m_IsAuthenticated; }
  133. //
  134. // returns key size used in SSL session
  135. //
  136. DWORD QueryKeySize() { return m_dwKeySize; }
  137. //
  138. // Encryption routines
  139. //
  140. BOOL WINAPI SealMessage(
  141. IN LPBYTE Message,
  142. IN DWORD cbMessage,
  143. OUT LPBYTE pbuffOut,
  144. OUT DWORD *pcbBuffOut
  145. );
  146. BOOL WINAPI UnsealMessage(
  147. IN LPBYTE Message,
  148. IN DWORD cbMessage,
  149. OUT LPBYTE *DecryptedMessage,
  150. OUT PDWORD DecryptedMessageSize,
  151. OUT PDWORD ExpectedMessageSize,
  152. OUT LPBYTE *NextSealMessage = NULL
  153. );
  154. //
  155. // SSL specific routines. This is used for processing SSL negotiation
  156. // packets.
  157. //
  158. DWORD WINAPI Converse(
  159. IN PVOID InBuffer,
  160. IN DWORD InBufferSize,
  161. OUT LPBYTE OutBuffer,
  162. OUT PDWORD OutBufferSize,
  163. OUT PBOOL MoreBlobsExpected,
  164. IN LPSTR LocalIpAddr,
  165. IN LPSTR LocalPort,
  166. IN LPVOID lpvInstance,
  167. IN DWORD dwInstance,
  168. OUT PULONG pcbExtra
  169. );
  170. //
  171. // resets the user name
  172. //
  173. void WINAPI Reset( void );
  174. //
  175. // returns the size of the encryption header for this session
  176. //
  177. DWORD GetSealHeaderSize( void )
  178. { return m_haveSSLCtxtHandle ? m_cbSealHeaderSize : 0 ; }
  179. //
  180. // returns the size of the encryption trailer for this session
  181. //
  182. DWORD GetSealTrailerSize( void )
  183. { return m_haveSSLCtxtHandle ? m_cbSealTrailerSize : 0 ; }
  184. //
  185. // return the NT token mapped from the client cert
  186. //
  187. HANDLE QueryCertificateToken() { return m_hSSPToken; }
  188. //
  189. // decrypts read buffer, concatenating all decrypted data at the
  190. // head of the buffer.
  191. //
  192. DWORD WINAPI DecryptInputBuffer(
  193. IN LPBYTE pBuffer,
  194. IN DWORD cbInBuffer,
  195. OUT DWORD* pcbOutBuffer,
  196. OUT DWORD* pcbParsable,
  197. OUT DWORD* pcbExpected
  198. );
  199. //
  200. // verifies the intended host name matches the name contained in the cert
  201. // This function, checks a given hostname against the current certificate
  202. // stored in an active SSPI Context Handle. If the certificate containts
  203. // a common name, and it matches the passed in hostname, this function
  204. // will return TRUE.
  205. //
  206. BOOL CheckCertificateCommonName(
  207. IN LPSTR pszHostName
  208. );
  209. BOOL CheckCertificateSubjectName(
  210. IN LPSTR pszHostName
  211. );
  212. //
  213. // Check if the certificate is issued by a trusted authority
  214. //
  215. BOOL CheckCertificateTrust();
  216. //
  217. // verifies the ccertificate has not expired
  218. // returns TRUE if the cert is valid
  219. //
  220. BOOL CheckCertificateExpired(
  221. void
  222. );
  223. //
  224. // check that a server cert is installed
  225. //
  226. BOOL CheckServerCert(
  227. IN LPSTR LocalIpAddr,
  228. IN LPSTR LocalPort,
  229. IN LPVOID lpvInstance,
  230. IN DWORD dwInstance);
  231. }; // CSslCtx
  232. //
  233. // blkcred.cpp
  234. //
  235. #endif // _SECURITY_H_