archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/inc/tssec.hxx

612 lines
17 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  4. Copyright (c) 1995 Microsoft Corporation
  6. Module Name:
  7. tssec.hxx
  9. Abstract:
  10. This file declares security related classes and functions
  12. Author:
  14. Murali R. Krishnan ( MuraliK ) 11-Oct-1995
  16. Environment:
  18. Win32 User Mode
  20. Project:
  22. Internet Services Common DLL
  24. Revision History:
  26. --*/
  28. # ifndef _TSSEC_HXX_
  29. # define _TSSEC_HXX_
  31. /************************************************************
  32. * Include Headers
  33. ************************************************************/
  35. # define SECURITY_WIN32
  36. #include <sspi.h> // Security Support Provider APIs
  38. #include <schnlsp.h>
  40. #include <pudebug.h>
  42. // forward declaration
  43. class IIS_SERVER_INSTANCE;
  44. class IIS_SSL_INFO;
  46. /************************************************************
  47. * Type Definitions
  48. ************************************************************/
  50. typedef BOOL (WINAPI *SECURITY_CONTEXT_DELETE_FUNCTION)( CtxtHandle*, PVOID );
  52. //
  53. // Globals
  54. //
  56. extern HANDLE g_hProcessImpersonationToken;
  57. extern HANDLE g_hProcessPrimaryToken;
  58. extern BOOL g_fUseSingleToken;
  60. //
  61. // The TCP_AUTHENT_INFO structure is used as a shorthand to convey
  62. // a bunch of authentication related information to a few routines that
  63. // need it.
  64. //
  65. class TCP_AUTHENT_INFO
  66. {
  67. public:
  68. TCP_AUTHENT_INFO( VOID )
  69. : fDontUseAnonSubAuth( FALSE ),
  70. dwLogonMethod ( LOGON32_LOGON_INTERACTIVE ),
  71. cbAnonAcctDesc ( 0 )
  72. {
  73. }
  75. STR strAnonUserName;
  76. STR strAnonUserPassword;
  77. STR strDefaultLogonDomain;
  78. DWORD dwLogonMethod;
  79. BOOL fDontUseAnonSubAuth;
  81. //
  82. // Stores the anonymous account descriptor
  83. //
  85. BUFFER bAnonAcctDesc;
  86. DWORD cbAnonAcctDesc;
  87. };
  89. typedef TCP_AUTHENT_INFO * PTCP_AUTHENT_INFO;
  92. //
  93. // Security functions.
  94. //
  96. #define IIS_DNLEN 256
  97. #define MAX_ACCT_DESC_LEN (UNLEN+1+IIS_DNLEN+1+PWLEN+1)
  99. class CACHED_CREDENTIAL
  100. {
  101. public:
  102. CACHED_CREDENTIAL()
  103. {
  104. _ListEntry.Flink = NULL;
  105. _fHaveCredHandle = FALSE;
  106. }
  107. ~CACHED_CREDENTIAL();
  108. BOOL
  109. static CACHED_CREDENTIAL::GetCredential(
  110. LPSTR pszPackage,
  111. PIIS_SERVER_INSTANCE psi,
  112. PTCP_AUTHENT_INFO pTAI,
  113. CredHandle* prcred,
  114. ULONG* pcbMaxToken
  115. );
  116. LIST_ENTRY _ListEntry;
  118. private:
  119. STR _PackageName;
  120. STR _DefaultDomain;
  121. CredHandle _hcred;
  122. BOOL _fHaveCredHandle;
  123. ULONG _cbMaxToken; // Used for SSP, max message token size
  124. } ;
  126. class CACHED_TOKEN
  127. {
  128. public:
  129. CACHED_TOKEN( VOID )
  130. : _hToken( NULL ),
  131. _cRef ( 1 ),
  132. _TTL ( 2 ),
  133. m_hImpersonationToken( NULL ),
  134. m_fGuest ( FALSE ),
  135. m_dwLogonMethod ( 0 )
  136. {
  137. _ListEntry.Flink = NULL;
  138. _liExpiry.HighPart = 0x7fffffff;
  139. _liExpiry.LowPart = 0xffffffff;
  140. }
  142. ~CACHED_TOKEN( VOID )
  143. {
  144. if ( !g_fUseSingleToken )
  145. {
  146. DBG_ASSERT( _ListEntry.Flink == NULL );
  148. if ( m_hImpersonationToken) {
  150. DBG_REQUIRE( CloseHandle( m_hImpersonationToken ));
  151. m_hImpersonationToken = NULL;
  152. }
  154. if ( _hToken )
  155. {
  156. DBG_REQUIRE( CloseHandle( _hToken ) );
  157. _hToken = NULL;
  158. }
  159. }
  160. }
  162. static VOID Reference( CACHED_TOKEN * pct )
  163. {
  164. DBG_ASSERT( pct->_cRef > 0 );
  165. InterlockedIncrement( &pct->_cRef );
  166. }
  168. static VOID Dereference( CACHED_TOKEN * pct )
  169. {
  170. DBG_ASSERT( pct->_cRef > 0 );
  172. if ( !InterlockedDecrement( &pct->_cRef ) )
  173. {
  174. delete pct;
  175. }
  176. }
  178. HANDLE QueryImpersonationToken(VOID) const
  179. { return g_fUseSingleToken ? g_hProcessImpersonationToken : m_hImpersonationToken; }
  181. HANDLE QueryPrimaryToken(VOID) const
  182. { return g_fUseSingleToken ? g_hProcessImpersonationToken : m_hImpersonationToken; }
  184. VOID SetImpersonationToken(IN HANDLE hImpersonation)
  185. {
  186. DBG_ASSERT( m_hImpersonationToken == NULL);
  187. if ( g_fUseSingleToken )
  188. {
  189. DBG_ASSERT( FALSE );
  190. }
  191. else
  192. {
  193. m_hImpersonationToken = hImpersonation;
  194. }
  195. }
  197. VOID SetExpiry( LARGE_INTEGER* pE )
  198. {
  199. if ( g_fUseSingleToken )
  200. {
  201. DBG_ASSERT( FALSE );
  202. }
  204. if ( NULL != pE )
  205. {
  206. memcpy( &_liExpiry, pE, sizeof(LARGE_INTEGER) );
  207. }
  208. else
  209. {
  210. _liExpiry.HighPart = 0x7fffffff;
  211. _liExpiry.LowPart = 0xffffffff;
  212. }
  213. }
  215. LARGE_INTEGER* QueryExpiry() { return &_liExpiry; }
  217. BOOL IsGuest(VOID) const { return (m_fGuest); }
  218. VOID SetGuest(IN BOOL fGuest) { m_fGuest = fGuest; }
  220. HANDLE _hToken; // Must be first data member
  221. LIST_ENTRY _ListEntry;
  222. LONG _cRef;
  223. DWORD _TTL; // Gets decremented on each timeout, when zero,
  224. // remove this item from the cache
  225. BOOL m_fGuest; // Is this token a guest user?
  226. HANDLE m_hImpersonationToken;
  228. CHAR _achAcctDesc[MAX_ACCT_DESC_LEN];
  229. DWORD m_dwAcctDescLen;
  230. LARGE_INTEGER _liExpiry;
  232. DWORD m_dwLogonMethod;
  233. CHAR m_achUserName[ UNLEN ];
  234. CHAR m_achDomainName[ IIS_DNLEN ];
  235. };
  237. typedef CACHED_TOKEN* TS_TOKEN; // Choose an incompatible type so warnings
  238. // are produced
  240. ///////////////////////////////////////////////////////////////////////
  241. //
  242. // NT Authentication support
  243. //
  244. //////////////////////////////////////////////////////////////////////
  246. //
  247. // TCP Authenticator flags passed to init
  248. //
  250. #define TCPAUTH_SERVER 0x00000001 // This is the server side
  251. #define TCPAUTH_CLIENT 0x00000002 // This is the client side
  252. #define TCPAUTH_UUENCODE 0x00000004 // Input buffers are uudecoded,
  253. // output buffers are uuencoded
  254. #define TCPAUTH_BASE64 0x00000008 // uses base64 for uuenc/dec
  256. #define CRED_STATUS_INVALID_TIME 0x00001000
  257. #define CRED_STATUS_REVOKED 0x00002000
  259. class TCP_AUTHENT
  260. {
  261. public:
  263. dllexp TCP_AUTHENT( DWORD AuthFlags );
  264. dllexp ~TCP_AUTHENT();
  266. //
  267. // Server side only: For clients that pass clear text, the server should
  268. // authenticate with this method
  269. //
  271. dllexp BOOL ClearTextLogon( CHAR * pszUser,
  272. CHAR * pszPassword,
  273. BOOL * pfAsGuest,
  274. BOOL * pfAsAnonymous,
  275. IIS_SERVER_INSTANCE * pInstance,
  276. PTCP_AUTHENT_INFO pTAI,
  277. CHAR * pszWorkstation = NULL
  278. );
  280. #if 0
  281. //
  282. // Server side only : Digest logon
  283. //
  285. dllexp BOOL LogonDigestUser(
  286. PSTR pszUserName,
  287. PSTR pszRealm,
  288. PSTR pszUri,
  289. PSTR pszMethod,
  290. PSTR pszNonce,
  291. PSTR pszServerNonce,
  292. PSTR pszDigest,
  293. DWORD dwAlgo,
  294. LPTSVC_INFO psi
  295. );
  296. #endif
  298. //
  299. // Server side only: For filters that set access tokens
  300. //
  302. dllexp BOOL SetAccessToken( HANDLE hPrimaryToken,
  303. HANDLE hImpersonationToken
  304. );
  306. //
  307. // Client calls this first to get the negotiation message which
  308. // it then sends to the server. The server calls this with the
  309. // client result and sends back the result. The conversation
  310. // continues until *pcbBuffOut is zero and *pfNeedMoreData is FALSE.
  311. //
  312. // On the first call, pszPackage must point to the zero terminated
  313. // authentication package name to be used and pszUser and pszPassword
  314. // should point to the user name and password to authenticated with
  315. // on the client side (server side will always be NULL).
  316. //
  318. dllexp BOOL Converse( VOID * pBuffIn,
  319. DWORD cbBuffIn,
  320. BUFFER * pbuffOut,
  321. DWORD * pcbBuffOut,
  322. BOOL * pfNeedMoreData,
  323. PTCP_AUTHENT_INFO pTAI,
  324. CHAR * pszPackage = NULL,
  325. CHAR * pszUser = NULL,
  326. CHAR * pszPassword = NULL,
  327. PIIS_SERVER_INSTANCE psi = NULL );
  329. dllexp BOOL TCP_AUTHENT::ConverseEx(
  330. SecBufferDesc* pInSecBufDesc, // passed in by caller
  331. BUFFER * pDecodedBuffer, // passed in by caller
  332. BUFFER * pbuffOut,
  333. DWORD * pcbBuffOut,
  334. BOOL * pfNeedMoreData,
  335. PTCP_AUTHENT_INFO pTAI,
  336. CHAR * pszPackage,
  337. CHAR * pszUser,
  338. CHAR * pszPassword,
  339. PIIS_SERVER_INSTANCE psi
  340. );
  342. //
  343. // Server side only. Impersonates client after successful authentication
  344. //
  346. dllexp BOOL Impersonate( VOID );
  347. dllexp BOOL RevertToSelf( VOID );
  348. dllexp BOOL IsForwardable( VOID ) const;
  350. dllexp BOOL StartProcessAsUser( LPCSTR lpApplicationName,
  351. LPSTR lpCommandLine,
  352. BOOL bInheritHandles,
  353. DWORD dwCreationFlags,
  354. LPVOID lpEnvironment,
  355. LPCSTR lpCurrentDirectory,
  356. LPSTARTUPINFOA lpStartupInfo,
  357. LPPROCESS_INFORMATION lpProcessInformation
  358. );
  360. //
  361. // Gives the name of all authentication packages in a double null
  362. // terminated list. i.e.:
  363. //
  364. // NTLM\0
  365. // MSKerberos\0
  366. // \0
  367. //
  369. dllexp BOOL EnumAuthPackages( BUFFER * pBuff );
  371. //
  372. // Returns the user name associated with this context, not supported for
  373. // clear text
  374. //
  376. dllexp BOOL QueryUserName( STR * pBuff, BOOL fImpersonated = FALSE );
  377. dllexp BOOL QueryExpiry( PTimeStamp pExpiry );
  379. dllexp TS_TOKEN GetToken( VOID ) const
  380. { return _hToken; }
  382. //
  383. // Gets actual impersonation token handle
  384. //
  386. dllexp HANDLE QueryPrimaryToken( VOID );
  387. dllexp HANDLE QueryImpersonationToken( VOID );
  389. dllexp HANDLE GetUserHandle( VOID )
  390. { return QueryPrimaryToken(); }
  392. dllexp BOOL QueryFullyQualifiedUserName(
  393. LPSTR pszUser,
  394. STR * strU,
  395. IIS_SERVER_INSTANCE * psi,
  396. PTCP_AUTHENT_INFO pTAI
  397. );
  399. dllexp BOOL IsGuest( BOOL );
  401. dllexp BOOL Reset( BOOL fSessionReset = TRUE );
  403. dllexp CredHandle * QueryCredHandle( VOID )
  404. { return (_fHaveCredHandle ? &_hcred : NULL); }
  406. dllexp CtxtHandle * QueryCtxtHandle( VOID )
  407. { return (_fHaveCtxtHandle ? &_hctxt : NULL); }
  409. dllexp CtxtHandle * QuerySslCtxtHandle( VOID )
  410. { return _phSslCtxt; }
  412. dllexp BOOL SetSecurityContextToken( CtxtHandle* pCtxt,
  413. HANDLE hImpersonationToken,
  414. SECURITY_CONTEXT_DELETE_FUNCTION pFn,
  415. PVOID pArg,
  416. IIS_SSL_INFO *pSslInfo );
  418. dllexp BOOL IsSslCertPresent();
  420. dllexp BOOL DeleteCachedTokenOnReset( VOID );
  422. dllexp BOOL QueryCertificateIssuer( LPSTR ppIssuer, DWORD, LPBOOL );
  423. dllexp BOOL QueryCertificateSubject( LPSTR ppSubject, DWORD, LPBOOL );
  424. dllexp BOOL QueryCertificateFlags( LPDWORD pdwFlags, LPBOOL );
  425. dllexp BOOL QueryCertificateSerialNumber( LPBYTE* pSerialNumber, LPDWORD pdwLen, LPBOOL );
  427. dllexp BOOL QueryServerCertificateIssuer( LPSTR* ppIssuer, LPBOOL );
  428. dllexp BOOL QueryServerCertificateSubject( LPSTR* ppSubject, LPBOOL );
  429. dllexp BOOL QueryEncryptionKeySize( LPDWORD, LPBOOL );
  430. dllexp BOOL QueryEncryptionServerPrivateKeySize( LPDWORD, LPBOOL );
  432. dllexp BOOL
  433. GetClientCertBlob(
  434. IN DWORD cbAllocated,
  435. OUT DWORD * pdwCertEncodingType,
  436. OUT unsigned char * pbCertEncoded,
  437. OUT DWORD * pcbCertEncoded,
  438. OUT DWORD * pfCertificateVerified);
  440. dllexp BOOL UpdateClientCertFlags( DWORD dwFlags, LPBOOL pfCert, LPBYTE pbCa, DWORD dwCa );
  442. dllexp BOOL PackageSupportsEncoding( LPSTR pszPackage );
  444. dllexp BOOL SetTargetName( LPSTR pszTarget );
  446. private:
  447. BOOL QueryCertificateInfo( LPBOOL );
  448. BOOL QueryServerCertificateInfo( LPBOOL );
  450. protected:
  451. DWORD _fClient:1; // TRUE if client side, FALSE if SERVER side
  452. DWORD _fNewConversation:1; // Forces initialization params for client side
  453. DWORD _fUUEncodeData:1; // uuencode/decode input and output buffers
  454. DWORD _fClearText:1; // Use the Gina APIs rather then the SSP APIs
  455. DWORD _fHaveCredHandle:1; // _hcred contains a credential handle
  456. DWORD _fHaveCtxtHandle:1; // _hctxt contains a context handle
  457. DWORD _fBase64:1; // uses base64 for uuenc/dec
  458. DWORD _fKnownToBeGuest:1; // TRUE if SSPI flag access token as "Guest"
  459. DWORD _fHaveAccessTokens:1;// TRUE if access token set by caller
  460. DWORD _fHaveExpiry:1; // TRUE if clear text logon has pwd expiry time
  461. DWORD _fDelegate:1; // TRUE if security context forwardable
  462. DWORD _fCertCheckForRevocation:1; // TRUE if we should revocation check
  463. DWORD _fCertCheckCacheOnly:1; // TRUE if we should not go on wire
  464. TS_TOKEN _hToken; // Used for clear text
  465. CredHandle _hcred; // Used for SSP
  466. ULONG _cbMaxToken; // Used for SSP, max message token size
  467. HANDLE _hSSPToken; // Used for SSP, caches real token
  468. HANDLE _hSSPPrimaryToken;// Used for SSP, caches duplicated token
  469. CtxtHandle _hctxt; // Used for SSP
  471. SECURITY_CONTEXT_DELETE_FUNCTION _pDeleteFunction;
  472. PVOID _pDeleteArg;
  473. LARGE_INTEGER _liPwdExpiry;
  475. PCERT_CONTEXT _pClientCertContext;
  476. DWORD _dwX509Flags;
  477. IIS_SSL_INFO * _pSslInfo;
  478. PX509Certificate _pServerX509Certificate;
  479. DWORD _dwServerX509Flags;
  480. DWORD _dwServerBitsInKey;
  481. CtxtHandle * _phSslCtxt; // ptr to SSL sec context
  482. STR _strTarget;
  483. };
  487. DWORD
  488. InitializeSecurity(
  489. HINSTANCE hDll
  490. );
  492. VOID
  493. TerminateSecurity(
  494. VOID
  495. );
  498. dllexp
  499. BOOL
  500. TsImpersonateUser(
  501. TS_TOKEN hToken
  502. );
  504. dllexp
  505. HANDLE
  506. TsTokenToHandle(
  507. TS_TOKEN hToken
  508. );
  510. dllexp
  511. HANDLE
  512. TsTokenToImpHandle(
  513. TS_TOKEN hToken
  514. );
  516. dllexp
  517. DWORD
  518. TsApiAccessCheck(
  519. ACCESS_MASK maskDesiredAccess
  520. );
  523. dllexp
  524. BOOL
  525. TsDeleteUserToken(
  526. TS_TOKEN hToken
  527. );
  529. dllexp
  530. TS_TOKEN
  531. TsLogonUser(
  532. CHAR * pszUser,
  533. CHAR * pszPassword,
  534. BOOL * pfAsGuest,
  535. BOOL * pfAsAnonymous,
  536. IIS_SERVER_INSTANCE * pInstance,
  537. PTCP_AUTHENT_INFO pTAI,
  538. CHAR * pszWorkstation = NULL,
  539. LARGE_INTEGER * pExpiry = NULL,
  540. BOOL * pfExpiry = NULL
  541. );
  543. dllexp
  544. BOOL
  545. TsGetSecretW(
  546. WCHAR * pszSecretName,
  547. BUFFER * pbufSecret
  548. );
  550. dllexp
  551. DWORD
  552. TsSetSecretW(
  553. IN LPWSTR SecretName,
  554. IN LPWSTR pSecret,
  555. IN DWORD cbSecret
  556. );
  558. #ifdef CHICAGO
  559. dllexp
  560. BOOL
  561. TsIsUserLevelPresent(VOID);
  562. #endif
  565. dllexp
  566. BOOL
  567. uudecode(
  568. char * bufcoded,
  569. BUFFER * pbuffdecoded,
  570. DWORD * pcbDecoded = NULL,
  571. BOOL fBase64 = FALSE
  572. );
  574. dllexp
  575. BOOL
  576. uuencode(
  577. BYTE * pchData,
  578. DWORD cbData,
  579. BUFFER * pbuffEncoded,
  580. BOOL fBase64 = FALSE
  581. );
  583. dllexp
  584. BOOL
  585. BuildAnonymousAcctDesc(
  586. PTCP_AUTHENT_INFO pTAI
  587. );
  589. dllexp
  590. QuerySingleAccessToken(
  591. VOID
  592. );
  594. extern TS_TOKEN g_pctProcessToken;
  596. #include <tslogon.hxx>
  598. #include <wintrust.h>
  599. typedef
  600. LONG (WINAPI *PFN_WinVerifyTrust)(IN OPTIONAL HWND hwnd,
  601. IN GUID *pgActionID,
  602. IN LPVOID pWintrustData);
  604. extern HINSTANCE g_hWinTrust;
  605. extern PFN_WinVerifyTrust g_pfnWinVerifyTrust;
  608. #endif
  610. /************************ End of File ***********************/
  612.