|
|
/*++
Copyright (c) 1999 Microsoft Corporation
Module Name : digestprovider.cxx
Abstract: Digest authentication provider Author: Ming Lu (minglu) 24-Jun-2000
Environment: Win32 - User Mode
Project: ULW3.DLL--*/
#include "precomp.hxx"
#include "sspiprovider.hxx"
#include "digestprovider.hxx"
#include "uuencode.hxx"
ALLOC_CACHE_HANDLER * DIGEST_SECURITY_CONTEXT::sm_pachDIGESTSecContext = NULL;
//static
HRESULTDIGEST_AUTH_PROVIDER::Initialize( DWORD dwInternalId)/*++
Routine Description:
Initialize Digest SSPI provider
Arguments:
None Return Value:
HRESULT
--*/{ HRESULT hr;
SetInternalId( dwInternalId ); hr = DIGEST_SECURITY_CONTEXT::Initialize(); if ( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error initializing Digest Auth Prov. hr = %x\n", hr )); return hr; } return NO_ERROR;}
//static
VOIDDIGEST_AUTH_PROVIDER::Terminate( VOID)/*++
Routine Description:
Terminate SSPI Digest provider
Arguments:
None Return Value:
None
--*/{ DIGEST_SECURITY_CONTEXT::Terminate();}
HRESULTDIGEST_AUTH_PROVIDER::DoesApply( W3_MAIN_CONTEXT * pMainContext, BOOL * pfApplies)/*++
Routine Description:
Does the given request have credentials applicable to the Digest provider
Arguments:
pMainContext - Main context representing request pfApplies - Set to true if Digest is applicable Return Value:
HRESULT
--*/{ CHAR * pszAuthHeader = NULL; HRESULT hr; SSPI_CONTEXT_STATE * pContextState; STACK_STRA( strPackage, 64 ); W3_METADATA * pMetaData = NULL; if ( pMainContext == NULL || pfApplies == NULL ) { DBG_ASSERT( FALSE ); return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER ); } *pfApplies = FALSE;
//
// Is using of Digest SSP enabled?
//
if ( !g_pW3Server->QueryUseDigestSSP() ) { return NO_ERROR; }
//
// Get the auth type
//
hr = pMainContext->QueryRequest()->GetAuthType( &strPackage ); if ( FAILED( hr ) ) { return hr; } //
// No package, no auth
//
if ( strPackage.IsEmpty() ) { return NO_ERROR; } //
// Is it Digest?
//
if ( _stricmp( strPackage.QueryStr(), "Digest" ) == 0 ) { //
// Save away the package so we don't have to calc again
//
DBG_ASSERT( !strPackage.IsEmpty() );
pszAuthHeader = pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization ); DBG_ASSERT( pszAuthHeader != NULL ); pContextState = new (pMainContext) SSPI_CONTEXT_STATE( pszAuthHeader + strPackage.QueryCCH() + 1 ); if ( pContextState == NULL ) { return HRESULT_FROM_WIN32( GetLastError() ); }
hr = pContextState->SetPackage( strPackage.QueryStr() ); if ( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error in SetPackage(). hr = %x\n", hr )); delete pContextState; pContextState = NULL; return hr; }
pMainContext->SetContextState( pContextState );
*pfApplies = TRUE; } return NO_ERROR;}
HRESULTDIGEST_AUTH_PROVIDER::DoAuthenticate( W3_MAIN_CONTEXT * pMainContext)/*++
Description:
Do authentication work (we will be called if we apply)
Arguments:
pMainContext - Main context Return Value:
HRESULT
--*/{ DWORD err; HRESULT hr = E_FAIL; W3_METADATA * pMetaData = NULL; W3_CONNECTION * pW3Connection = NULL; DIGEST_SECURITY_CONTEXT * pDigestSecurityContext = NULL; SSPI_CONTEXT_STATE * pContextState = NULL; SSPI_USER_CONTEXT * pUserContext = NULL; SSPI_CREDENTIAL * pDigestCredentials = NULL;
SecBufferDesc SecBuffDescOutput; SecBufferDesc SecBuffDescInput;
//
// We have 5 input buffer and 1 output buffer to fill data
// in for digest authentication
//
SecBuffer SecBuffTokenOut[ 1 ]; SecBuffer SecBuffTokenIn[ 5 ];
SECURITY_STATUS secStatus = SEC_E_OK;
CtxtHandle hServerCtxtHandle;
TimeStamp Lifetime;
ULONG ContextReqFlags = 0; ULONG ContextAttributes = 0;
STACK_STRU( strOutputHeader, 256 );
STACK_BUFFER( bufOutputBuffer, 4096 ); STACK_STRA( strMethod, 10 ); STACK_STRU( strUrl, MAX_PATH ); STACK_STRA( strUrlA, MAX_PATH ); STACK_STRA( strRealm, 128 );
if ( pMainContext == NULL ) { DBG_ASSERT( FALSE ); return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER ); } pContextState = ( SSPI_CONTEXT_STATE* ) pMainContext->QueryContextState(); DBG_ASSERT( pContextState != NULL ); pMetaData = pMainContext->QueryUrlContext()->QueryMetaData(); DBG_ASSERT( pMetaData != NULL ); //
// clean the memory and set it to zero
//
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) ); ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) ); ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
//
// define the buffer descriptor for the Outpt
//
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION; SecBuffDescOutput.cBuffers = 1; SecBuffDescOutput.pBuffers = SecBuffTokenOut;
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN; SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize(); SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
//
// define the buffer descriptor for the Input
//
SecBuffDescInput.ulVersion = SECBUFFER_VERSION; SecBuffDescInput.cBuffers = 5; SecBuffDescInput.pBuffers = SecBuffTokenIn;
//
// set the digest auth header in the buffer
//
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN; SecBuffTokenIn[0].cbBuffer = strlen(pContextState->QueryCredentials()); SecBuffTokenIn[0].pvBuffer = pContextState->QueryCredentials();
//
// Get and Set the information for the method
//
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod ); if ( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error getting the method. hr = %x\n", hr )); return hr; }
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH(); SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
//
// Get and Set the infomation for the Url
//
hr = pMainContext->QueryRequest()->GetUrl( &strUrl ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error getting the URL. hr = %x\n", hr )); return hr; } hr = strUrlA.CopyW( strUrl.QueryStr() ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error copying the URL. hr = %x\n", hr )); return hr; } SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB(); SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
//
// Get and Set the information for the hentity
//
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
SecBuffTokenIn[3].pvBuffer = 0; // this is not yet implemeted
//
//Get and Set the Realm Information
//
if( pMetaData->QueryRealm() ) { hr = strRealm.CopyW( pMetaData->QueryRealm() ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error copying the realm. hr = %x\n", hr )); return hr; } }
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB(); SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
//
// Get a Security Context
//
//
// get the credential for the server
//
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME, &pDigestCredentials ); if ( FAILED( hr ) ) { DBGPRINTF((DBG_CONTEXT, "Error get credential handle. hr = 0x%x \n", hr )); return hr; }
DBG_ASSERT( pDigestCredentials != NULL );
//
// Resize the output buffer to max token size
//
if( !bufOutputBuffer.Resize( pDigestCredentials->QueryMaxTokenSize() ) ) { return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY ); }
pDigestSecurityContext = ( DIGEST_SECURITY_CONTEXT * ) QueryConnectionAuthContext( pMainContext );
//
// check to see if there is an old Context Handle
//
if ( pDigestSecurityContext != NULL ) { //
// defined the buffer
//
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN; SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize(); SecBuffTokenIn[4].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
secStatus = VerifySignature( pDigestSecurityContext->QueryContextHandle(), &SecBuffDescInput, 0, 0 );
} else { //
// set the flags
//
ContextReqFlags = ASC_REQ_REPLAY_DETECT | ASC_REQ_CONNECTION;
//
// get the security context
//
secStatus = AcceptSecurityContext( pDigestCredentials->QueryCredHandle(), NULL, &SecBuffDescInput, ContextReqFlags, SECURITY_NATIVE_DREP, &hServerCtxtHandle, &SecBuffDescOutput, &ContextAttributes, &Lifetime);
if( SEC_I_COMPLETE_NEEDED == secStatus ) { //
//defined the buffer
//
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN; SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize(); SecBuffTokenIn[4].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
secStatus = CompleteAuthToken( &hServerCtxtHandle, &SecBuffDescInput ); }
if ( SUCCEEDED( secStatus ) ) { pDigestSecurityContext = new DIGEST_SECURITY_CONTEXT( pDigestCredentials ); if ( NULL == pDigestSecurityContext ) { return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY ); }
pDigestSecurityContext->SetContextHandle( hServerCtxtHandle );
pDigestSecurityContext->SetContextAttributes( ContextAttributes );
//
// Mark the security context is complete, so we can detect
// reauthentication on the same connection
//
// CODEWORK: Can probably get away will just
// un-associating/deleting the
// SSPI_SECURITY_CONTEXT now!
//
pDigestSecurityContext->SetIsComplete( TRUE );
SetConnectionAuthContext( pMainContext, pDigestSecurityContext ); } }
//
// Check to see if the nonce has expired
//
if (SEC_E_CONTEXT_EXPIRED == secStatus) { //
// stale = true indicates that user knows password but he need to use new nonce
// let's treat stale = true as part of the continuing authentication handshake
// IIS will send back only Digest header in this case ( even if more auth methods
// are enabled )
//
if ( NULL != pDigestSecurityContext ) { pDigestSecurityContext->SetStale( TRUE ); } //
// Add Digest headers to response
//
hr = SetDigestHeader( pMainContext, TRUE //Stale
); if ( FAILED( hr ) ) { return hr; } //
// Don't let anyone else send back authentication headers when
// the 401 is sent
//
pMainContext->SetProviderHandled( TRUE );
//
// We need to send a 401 response to continue the handshake.
// We have already setup the WWW-Authenticate header
//
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401BadLogon ); pMainContext->SetFinishedResponse(); pMainContext->SetErrorStatus( SEC_E_CONTEXT_EXPIRED ); } else if( FAILED( secStatus ) ) { err = GetLastError(); if( err == ERROR_PASSWORD_MUST_CHANGE || err == ERROR_PASSWORD_EXPIRED ) { return HRESULT_FROM_WIN32( err ); }
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401BadLogon ); pMainContext->SetErrorStatus( HRESULT_FROM_WIN32( secStatus ) ); } else { //
// Create a user context and setup it up
//
pUserContext = new SSPI_USER_CONTEXT( this ); if ( pUserContext == NULL ) { return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY ); } hr = pUserContext->Create( pDigestSecurityContext, pMainContext ); if ( FAILED( hr ) ) { pUserContext->DereferenceUserContext(); pUserContext = NULL; return hr; } pMainContext->SetUserContext( pUserContext ); }
return NO_ERROR;}
HRESULTDIGEST_AUTH_PROVIDER::OnAccessDenied( W3_MAIN_CONTEXT * pMainContext)/*++
Description: Add WWW-Authenticate Digest headers
Arguments:
pMainContext - main context Return Value:
HRESULT
--*/{ W3_METADATA * pMetaData;
if ( pMainContext == NULL ) { DBG_ASSERT( FALSE ); return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER ); }
//
// Is using of Digest SSP enabled?
//
if ( !g_pW3Server->QueryUseDigestSSP() ) { return NO_ERROR; }
if( !W3_STATE_AUTHENTICATION::QueryIsDomainMember() ) { //
// We are not a domain member, so do nothing
//
return NO_ERROR; }
return SetDigestHeader( pMainContext, FALSE //stale will not be sent
);}
HRESULTDIGEST_AUTH_PROVIDER::SetDigestHeader( IN W3_MAIN_CONTEXT * pMainContext, IN BOOL fStale )/*++
Description: Add WWW-Authenticate Digest headers
Arguments:
pMainContext - main context pDigestSecurityContext - Digest context containing information such as Stale. NULL means that no stale is to be sent Return Value:
HRESULT
--*/{ HRESULT hr = E_FAIL; W3_METADATA * pMetaData; W3_CONNECTION * pW3Connection;
//
// 4096 is the max output for digest authenticaiton
//
STACK_BUFFER( bufOutputBuffer, 4096 ); STACK_STRA( strOutputHeader, MAX_PATH ); STACK_STRA( strMethod, 10 ); STACK_STRU( strUrl, MAX_PATH ); STACK_STRA( strRealm, 128 );
STACK_STRA( strUrlA, MAX_PATH );
SecBufferDesc SecBuffDescOutput; SecBufferDesc SecBuffDescInput;
SecBuffer SecBuffTokenOut[ 1 ]; SecBuffer SecBuffTokenIn[ 5 ];
SECURITY_STATUS secStatus = SEC_E_OK;
SSPI_CREDENTIAL * pDigestCredential = NULL; CtxtHandle hServerCtxtHandle;
ULONG ContextReqFlags = 0; ULONG ContextAttributes = 0; TimeStamp Lifetime;
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData(); DBG_ASSERT( pMetaData != NULL );
//
// Get a Security Context
//
//
// get the credential for the server
//
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME, &pDigestCredential ); if ( FAILED( hr ) ) { DBGPRINTF((DBG_CONTEXT, "Error get credential handle. hr = 0x%x \n", hr )); return hr; }
DBG_ASSERT( pDigestCredential != NULL );
if( !bufOutputBuffer.Resize( pDigestCredential->QueryMaxTokenSize() ) ) { hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
DBGPRINTF((DBG_CONTEXT, "Error resize the output buffer. hr = 0x%x \n", hr )); return hr; }
//
// clean the memory and set it to zero
//
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) ); ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) ); ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
//
// define the OUTPUT
//
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION; SecBuffDescOutput.cBuffers = 1; SecBuffDescOutput.pBuffers = SecBuffTokenOut;
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN; SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize(); SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
//
// define the Input
//
SecBuffDescInput.ulVersion = SECBUFFER_VERSION; SecBuffDescInput.cBuffers = 5; SecBuffDescInput.pBuffers = SecBuffTokenIn;
//
// Get and Set the information for the challenge
//
//
// set the inforamtion in the buffer, this case is Null to
// authenticate user
//
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN; SecBuffTokenIn[0].cbBuffer = 0; SecBuffTokenIn[0].pvBuffer = NULL;
//
// Get and Set the information for the method
//
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod ); if ( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error getting the method. hr = %x\n", hr )); return hr; }
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH(); SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
//
// Get and Set the infomation for the Url
//
hr = pMainContext->QueryRequest()->GetUrl( &strUrl ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error getting the URL. hr = %x\n", hr )); return hr; } hr = strUrlA.CopyW( strUrl.QueryStr() ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error copying the URL. hr = %x\n", hr )); return hr; } SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB(); SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
//
// Get and Set the information for the hentity
//
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
SecBuffTokenIn[3].pvBuffer = NULL; // this is not yet implemeted
//
//Get and Set the Realm Information
//
if( pMetaData->QueryRealm() ) { hr = strRealm.CopyW( pMetaData->QueryRealm() ); if( FAILED( hr ) ) { DBGPRINTF(( DBG_CONTEXT, "Error copying the realm. hr = %x\n", hr )); return hr; } }
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS; SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB(); SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
//
// set the flags
//
ContextReqFlags = ASC_REQ_REPLAY_DETECT | ASC_REQ_CONNECTION;
//
// get the security context
//
secStatus = AcceptSecurityContext( pDigestCredential->QueryCredHandle(), NULL, &SecBuffDescInput, ContextReqFlags, SECURITY_NATIVE_DREP, &hServerCtxtHandle, &SecBuffDescOutput, &ContextAttributes, &Lifetime);
//
// a challenge has to be send back to the client
//
if ( SEC_I_CONTINUE_NEEDED == secStatus ) { //
// Do we already have a digest security context
//
if( fStale ) { hr = strOutputHeader.Copy( "Digest stale=TRUE ," ); } else { hr = strOutputHeader.Copy( "Digest " ); }
if( FAILED( hr ) ) { return hr; }
hr = strOutputHeader.Append( ( CHAR * )SecBuffDescOutput.pBuffers[0].pvBuffer, SecBuffDescOutput.pBuffers[0].cbBuffer - 1 ); if( FAILED( hr ) ) { return hr; }
//
// Add the header WWW-Authenticate to the response after a
// 401 server error
//
hr = pMainContext->QueryResponse()->SetHeader( "WWW-Authenticate", 16, strOutputHeader.QueryStr(), strOutputHeader.QueryCCH() ); } else { hr = S_OK; }
return hr;}
//static
HRESULTDIGEST_SECURITY_CONTEXT::Initialize( VOID)/*++
Description: Global DIGEST_SECURITY_CONTEXT initialization
Arguments:
None Return Value:
HRESULT
--*/{ ALLOC_CACHE_CONFIGURATION acConfig;
//
// Initialize allocation lookaside
//
acConfig.nConcurrency = 1; acConfig.nThreshold = 100; acConfig.cbSize = sizeof( DIGEST_SECURITY_CONTEXT );
DBG_ASSERT( sm_pachDIGESTSecContext == NULL ); sm_pachDIGESTSecContext = new ALLOC_CACHE_HANDLER( "DIGEST_SECURITY_CONTEXT", &acConfig );
if ( sm_pachDIGESTSecContext == NULL ) { HRESULT hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
DBGPRINTF(( DBG_CONTEXT, "Error initializing sm_pachDIGESTSecContext. hr = 0x%x\n", hr ));
return hr; } return S_OK;
} // DIGEST_SECURITY_CONTEXT::Initialize
//static
VOIDDIGEST_SECURITY_CONTEXT::Terminate( VOID)/*++
Routine Description:
Destroy DIGEST_SECURITY_CONTEXT globals
Arguments:
None Return Value:
None
--*/{ DBG_ASSERT( sm_pachDIGESTSecContext != NULL );
delete sm_pachDIGESTSecContext; sm_pachDIGESTSecContext = NULL;
} // DIGEST_SECURITY_CONTEXT::Terminate
|
