archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/iisrearc/iisplus/ulw3/iiscertmap.cxx

739 lines
21 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1998 Microsoft Corporation
  5. Module Name :
  6. iiscertmap.cxx
  8. Abstract:
  9. IIS Certificate mapping
  12. Author:
  13. Bilal Alam (BAlam) 19-Apr-2000
  15. Environment:
  16. Win32 - User Mode
  18. Project:
  19. Stream Filter Worker Process
  20. --*/
  22. #include "precomp.hxx"
  23. #include <mbstring.h>
  27. IIS_CERTIFICATE_MAPPING::IIS_CERTIFICATE_MAPPING( VOID )
  28. : _pCert11Mapper( NULL ),
  29. _pCertWildcardMapper( NULL ),
  30. _cRefs( 1 )
  31. {
  32. }
  34. IIS_CERTIFICATE_MAPPING::~IIS_CERTIFICATE_MAPPING( VOID )
  35. {
  36. if ( _pCert11Mapper != NULL )
  37. {
  38. delete _pCert11Mapper;
  39. _pCert11Mapper = NULL;
  40. }
  42. if ( _pCertWildcardMapper != NULL )
  43. {
  44. delete _pCertWildcardMapper;
  45. _pCertWildcardMapper = NULL;
  46. }
  47. }
  49. HRESULT
  50. IIS_CERTIFICATE_MAPPING::Read11Mappings(
  51. DWORD dwSiteId
  52. )
  53. /*++
  55. Routine Description:
  57. Read 1-1 mappings from metabase
  59. Arguments:
  61. dwSiteId - Site ID (duh)
  63. Return Value:
  65. HRESULT
  67. --*/
  68. {
  69. MB mb( g_pW3Server->QueryMDObject() );
  70. WCHAR achMBPath[ 256 ];
  71. HRESULT hr = NO_ERROR;
  72. WCHAR achMappingName[ MAX_PATH + 1 ];
  73. BOOL fRet;
  74. DWORD dwIndex;
  75. BYTE abBuffer[ 1024 ];
  76. BUFFER buff( abBuffer, sizeof( abBuffer ) );
  77. DWORD cbRequired;
  78. STACK_STRU( strTemp, 64 );
  79. STACK_STRU( strUserName, 64 );
  80. STACK_STRU( strPassword, 64 );
  81. DWORD dwEnabled;
  82. CIisMapping * pCertMapping;
  84. //
  85. // Setup the NSEPM path to get at 1-1 mappings
  86. //
  88. _snwprintf( achMBPath,
  89. sizeof( achMBPath ) / sizeof( WCHAR ) - 1,
  90. L"/LM/W3SVC/%d/<nsepm>/Cert11/Mappings",
  91. dwSiteId );
  93. //
  94. // Open the metabase and read 1-1 mapping properties
  95. //
  97. fRet = mb.Open( achMBPath,
  98. METADATA_PERMISSION_READ );
  99. if ( fRet )
  100. {
  101. dwIndex = 0;
  102. achMappingName[ 0 ] = L'/';
  104. for ( ; ; )
  105. {
  106. //
  107. // We will need to prepend the object name with '/'. Hence
  108. // goofyness of sending an offseted pointed to name
  109. //
  111. fRet = mb.EnumObjects( L"",
  112. achMappingName + 1,
  113. dwIndex );
  114. if ( !fRet )
  115. {
  116. hr = HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  117. break;
  118. }
  120. //
  121. // Get certificate blob
  122. //
  124. cbRequired = buff.QuerySize();
  126. fRet = mb.GetData( achMappingName,
  127. MD_MAPCERT,
  128. IIS_MD_UT_SERVER,
  129. BINARY_METADATA,
  130. buff.QueryPtr(),
  131. &cbRequired,
  132. METADATA_NO_ATTRIBUTES );
  133. if ( !fRet )
  134. {
  135. if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  136. {
  137. DBG_ASSERT( cbRequired > buff.QuerySize() );
  139. if ( !buff.Resize( cbRequired ) )
  140. {
  141. hr = HRESULT_FROM_WIN32( GetLastError() );
  142. break;
  143. }
  145. fRet = mb.GetData( achMappingName,
  146. MD_MAPCERT,
  147. IIS_MD_UT_SERVER,
  148. BINARY_METADATA,
  149. buff.QueryPtr(),
  150. &cbRequired,
  151. METADATA_NO_ATTRIBUTES );
  152. if ( !fRet )
  153. {
  154. DBG_ASSERT( GetLastError() != ERROR_INSUFFICIENT_BUFFER );
  155. hr = HRESULT_FROM_WIN32( GetLastError() );
  156. break;
  157. }
  158. }
  159. else
  160. {
  161. hr = HRESULT_FROM_WIN32( GetLastError() );
  162. break;
  163. }
  164. }
  166. //
  167. // Get NT account name
  168. //
  170. if ( !mb.GetStr( achMappingName,
  171. MD_MAPNTACCT,
  172. IIS_MD_UT_SERVER,
  173. &strUserName ) )
  174. {
  175. hr = HRESULT_FROM_WIN32( GetLastError() );
  176. break;
  177. }
  179. //
  180. // Get NT password
  181. //
  183. if ( !mb.GetStr( achMappingName,
  184. MD_MAPNTPWD,
  185. IIS_MD_UT_SERVER,
  186. &strPassword ) )
  187. {
  188. hr = HRESULT_FROM_WIN32( GetLastError() );
  189. break;
  190. }
  192. //
  193. // Is this mapping enabled?
  194. //
  196. if ( !mb.GetDword( achMappingName,
  197. MD_MAPENABLED,
  198. IIS_MD_UT_SERVER,
  199. &dwEnabled ) )
  200. {
  201. hr = HRESULT_FROM_WIN32( GetLastError() );
  202. break;
  203. }
  205. //
  206. // If this mapping is enabled, add it to 1-1 mapper
  207. //
  209. if ( dwEnabled )
  210. {
  211. if ( _pCert11Mapper == NULL )
  212. {
  213. _pCert11Mapper = new CIisCert11Mapper();
  214. if ( _pCert11Mapper == NULL )
  215. {
  216. hr = HRESULT_FROM_WIN32( GetLastError() );
  217. break;
  218. }
  220. //
  221. // Reset() will configure default hierarchies
  222. // If hierarchies are not configured then comparison (CIisMapping::Cmp() function
  223. // implemented in iismap.cxx) will fail
  224. // (and mapper will always incorrectly map to first available 1to1 mapping)
  225. //
  227. if(!_pCert11Mapper->Reset())
  228. {
  229. delete _pCert11Mapper;
  230. _pCert11Mapper = NULL;
  232. hr = HRESULT_FROM_WIN32( GetLastError() );
  233. break;
  234. }
  235. }
  237. DBG_ASSERT( _pCert11Mapper != NULL );
  239. pCertMapping = _pCert11Mapper->CreateNewMapping();
  240. if ( pCertMapping == NULL )
  241. {
  242. hr = HRESULT_FROM_WIN32( GetLastError() );
  243. break;
  244. }
  246. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_CERT,
  247. (CHAR*)buff.QueryPtr(),
  248. cbRequired,
  249. FALSE ) )
  250. {
  251. hr = HRESULT_FROM_WIN32( GetLastError() );
  252. break;
  253. }
  255. //
  256. // Encrypted metabase stuff returned as ANSI (LAME!!!!!)
  257. //
  259. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_NT_ACCT,
  260. (CHAR*) strUserName.QueryStr() ) )
  261. {
  262. hr = HRESULT_FROM_WIN32( GetLastError() );
  263. break;
  264. }
  266. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_NT_PWD,
  267. (CHAR*) strPassword.QueryStr() ) )
  268. {
  269. hr = HRESULT_FROM_WIN32( GetLastError() );
  270. break;
  271. }
  273. if ( !((CIisAcctMapper*)_pCert11Mapper)->Add( pCertMapping, FALSE ) )
  274. {
  275. hr = HRESULT_FROM_WIN32( GetLastError() );
  276. break;
  277. }
  278. }
  280. dwIndex++;
  281. }
  282. }
  283. else
  284. {
  285. hr = HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  286. }
  288. return hr;
  289. }
  291. HRESULT
  292. IIS_CERTIFICATE_MAPPING::ReadWildcardMappings(
  293. DWORD dwSiteId
  294. )
  295. /*++
  297. Routine Description:
  299. Read wildcard mappings from metabase
  301. Arguments:
  303. dwSiteId - Site ID (duh)
  305. Return Value:
  307. HRESULT
  309. --*/
  310. {
  311. MB mb( g_pW3Server->QueryMDObject() );
  312. WCHAR achMBPath[ 256 ];
  313. BOOL fRet;
  314. BYTE abBuffer[ 1024 ];
  315. BUFFER buff( abBuffer, sizeof( abBuffer ) );
  316. DWORD cbRequired;
  317. PUCHAR pLamePointer;
  319. //
  320. // Setup the NSEPM path to get at wildcard mappings
  321. //
  323. _snwprintf( achMBPath,
  324. sizeof( achMBPath ) / sizeof( WCHAR ) - 1,
  325. L"/LM/W3SVC/%d/<nsepm>/CertW",
  326. dwSiteId );
  328. //
  329. // Open the metabase and read wildcard mappings
  330. //
  332. fRet = mb.Open( achMBPath,
  333. METADATA_PERMISSION_READ );
  334. if ( fRet )
  335. {
  336. cbRequired = buff.QuerySize();
  338. fRet = mb.GetData( L"",
  339. MD_SERIAL_CERTW,
  340. IIS_MD_UT_SERVER,
  341. BINARY_METADATA,
  342. buff.QueryPtr(),
  343. &cbRequired,
  344. METADATA_NO_ATTRIBUTES );
  345. if ( !fRet )
  346. {
  347. if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  348. {
  349. DBG_ASSERT( cbRequired > buff.QuerySize() );
  351. if ( !buff.Resize( cbRequired ) )
  352. {
  353. return HRESULT_FROM_WIN32( GetLastError() );
  354. }
  356. fRet = mb.GetData( L"",
  357. MD_SERIAL_CERTW,
  358. IIS_MD_UT_SERVER,
  359. BINARY_METADATA,
  360. buff.QueryPtr(),
  361. &cbRequired,
  362. METADATA_NO_ATTRIBUTES );
  363. if ( !fRet )
  364. {
  365. DBG_ASSERT( GetLastError() != ERROR_INSUFFICIENT_BUFFER );
  367. return HRESULT_FROM_WIN32( GetLastError() );
  368. }
  369. }
  371. return HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  372. }
  374. //
  375. // Thanx to the man, I can just unserialize. XBF rocks ;-)
  376. //
  378. DBG_ASSERT( _pCertWildcardMapper == NULL );
  380. _pCertWildcardMapper = new CIisRuleMapper();
  381. if ( _pCertWildcardMapper == NULL )
  382. {
  383. return HRESULT_FROM_WIN32( GetLastError() );
  384. }
  386. pLamePointer = (PUCHAR) buff.QueryPtr();
  388. fRet = _pCertWildcardMapper->Unserialize( &pLamePointer,
  389. &cbRequired );
  390. if ( !fRet )
  391. {
  392. return HRESULT_FROM_WIN32( GetLastError() );
  393. }
  394. }
  395. else
  396. {
  397. return HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  398. }
  400. return NO_ERROR;
  401. }
  404. //static
  405. HRESULT
  406. IIS_CERTIFICATE_MAPPING::GetCertificateMapping(
  407. DWORD dwSiteId,
  408. IIS_CERTIFICATE_MAPPING ** ppCertificateMapping
  409. )
  410. /*++
  412. Routine Description:
  414. Read appropriate metabase configuration to get configured IIS
  415. certificate mapping
  417. Arguments:
  419. dwSiteId - Site ID (duh)
  420. ppCertificateMapping - Filled with certificate mapping descriptor on
  421. success
  423. Return Value:
  425. HRESULT
  427. --*/
  428. {
  429. IIS_CERTIFICATE_MAPPING * pCertMapping = NULL;
  430. HRESULT hr = NO_ERROR;
  432. if ( ppCertificateMapping == NULL )
  433. {
  434. DBG_ASSERT( FALSE );
  435. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  436. }
  437. *ppCertificateMapping = NULL;
  439. //
  440. // Create a certificate mapping descriptor
  441. //
  443. pCertMapping = new IIS_CERTIFICATE_MAPPING();
  444. if ( pCertMapping == NULL )
  445. {
  446. hr = HRESULT_FROM_WIN32( GetLastError() );
  447. goto Finished;
  448. }
  450. //
  451. // Read 1-1 mappings
  452. //
  454. hr = pCertMapping->Read11Mappings( dwSiteId );
  455. if ( FAILED( hr ) &&
  456. hr != HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND ) )
  457. {
  458. goto Finished;
  459. }
  460. hr = NO_ERROR;
  462. //
  463. // Read wildcards
  464. //
  466. hr = pCertMapping->ReadWildcardMappings( dwSiteId );
  467. if ( FAILED( hr ) &&
  468. hr != HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND ) )
  469. {
  470. goto Finished;
  471. }
  472. hr = NO_ERROR;
  474. Finished:
  475. if ( FAILED( hr ) )
  476. {
  477. if ( pCertMapping != NULL )
  478. {
  479. delete pCertMapping;
  480. }
  481. }
  482. else
  483. {
  484. DBG_ASSERT( pCertMapping != NULL );
  485. *ppCertificateMapping = pCertMapping;
  486. }
  488. return hr;
  489. }
  492. HRESULT
  493. IIS_CERTIFICATE_MAPPING::DoMapCredential(
  494. PBYTE pClientCertBlob,
  495. DWORD cbClientCertBlob,
  496. TOKEN_CACHE_ENTRY ** ppCachedToken,
  497. BOOL * pfClientCertDeniedByMapper
  498. )
  499. {
  500. CIisMapping * pQuery;
  501. CIisMapping * pResult;
  502. CHAR achUserName[ UNLEN + 1 ];
  503. LPSTR pszUserName;
  504. DWORD cbUserName;
  505. CHAR achPassword[ PWLEN + 1 ];
  506. LPSTR pszPassword;
  507. DWORD cbPassword;
  508. CHAR * pszDomain;
  509. DWORD dwEnabled = 0;
  510. DWORD cbEnabled;
  511. BOOL fMatch = FALSE;
  512. DWORD dwLogonError = NO_ERROR;
  513. HRESULT hr = S_OK;
  514. //
  515. // add 1 to strUserDomainW for separator "\"
  516. //
  517. STACK_STRU( strUserDomainW, UNLEN + IIS_DNLEN + 1 + 1 );
  518. STACK_STRU( strUserNameW, UNLEN + 1 );
  519. STACK_STRU( strPasswordW, PWLEN + 1 );
  521. DBG_ASSERT( pClientCertBlob != NULL );
  522. DBG_ASSERT( cbClientCertBlob != 0 );
  523. DBG_ASSERT( ppCachedToken != NULL );
  524. DBG_ASSERT( pfClientCertDeniedByMapper != NULL );
  527. //
  528. // First try the 1-1 mapper
  529. //
  532. if ( _pCert11Mapper != NULL )
  533. {
  534. //
  535. // Build a query mapping to check
  536. //
  538. pQuery = _pCert11Mapper->CreateNewMapping( pClientCertBlob,
  539. cbClientCertBlob );
  540. if ( pQuery == NULL )
  541. {
  542. return SEC_E_INTERNAL_ERROR;
  543. }
  545. _pCert11Mapper->Lock();
  547. if ( _pCert11Mapper->FindMatch( pQuery,
  548. &pResult ) )
  549. {
  550. //
  551. // Awesome. We found a match. Do the deed if the rule is
  552. // enabled
  553. //
  555. if ( pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_ACCT,
  556. &pszUserName,
  557. &cbUserName,
  558. FALSE ) &&
  559. pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_PWD,
  560. &pszPassword,
  561. &cbPassword,
  562. FALSE ) )
  563. {
  564. //
  565. // No need to check for Enabled (IISMDB_INDEX_CERT11_ENABLED)
  566. // since Read11Mappings() will build mapping table consisting only
  567. // of enabled mappings
  568. //
  570. strncpy( achUserName,
  571. pszUserName,
  572. UNLEN );
  573. achUserName[ UNLEN ] = '\0';
  575. strncpy( achPassword,
  576. pszPassword,
  577. PWLEN );
  578. achPassword[ PWLEN ] = '\0';
  580. fMatch = TRUE;
  581. }
  582. }
  584. _pCert11Mapper->Unlock();
  586. delete pQuery;
  587. pQuery = NULL;
  588. }
  590. //
  591. // Try the wildcard mapper if we still haven't found a match
  592. //
  594. if ( !fMatch &&
  595. _pCertWildcardMapper != NULL )
  596. {
  598. PCCERT_CONTEXT pClientCert = CertCreateCertificateContext(
  599. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  600. pClientCertBlob,
  601. cbClientCertBlob );
  602. if ( pClientCert == NULL )
  603. {
  604. DBG_ASSERT( pClientCert != NULL );
  605. }
  606. else if ( !_pCertWildcardMapper->Match( (PCERT_CONTEXT) (pClientCert),
  607. NULL, // legacy value
  608. achUserName,
  609. achPassword ) )
  610. {
  611. //
  612. // If the mapping rule is denied then return
  613. // a NULL pointer through ppCachedToken with SEC_E_OK.
  614. // That indicated to caller that mapping was denied
  615. //
  617. if ( GetLastError() == ERROR_ACCESS_DENIED )
  618. {
  619. *ppCachedToken = NULL;
  620. *pfClientCertDeniedByMapper = TRUE;
  622. if ( pClientCert != NULL )
  623. {
  624. CertFreeCertificateContext( pClientCert );
  625. pClientCert = NULL;
  626. }
  628. return SEC_E_OK;
  629. }
  630. }
  631. else
  632. {
  633. fMatch = TRUE;
  634. }
  636. if ( pClientCert != NULL )
  637. {
  638. CertFreeCertificateContext( pClientCert );
  639. pClientCert = NULL;
  640. }
  641. }
  643. //
  644. // If we still haven't found a match, then return error
  645. //
  647. if ( fMatch )
  648. {
  649. //
  650. // Split up the user name into domain/user if needed
  651. //
  653. pszUserName = (LPSTR) _mbspbrk( (UCHAR*) achUserName, (UCHAR*) "/\\" );
  654. if ( pszUserName == NULL )
  655. {
  656. //
  657. // No domain in the user name. First try the metabase domain
  658. // name
  659. //
  661. //
  662. // BUGBUG: DefaultLogonDomain is not used for cert mapping at all
  663. //
  665. pszDomain = "";
  666. pszUserName = achUserName;
  667. }
  668. else
  669. {
  670. *pszUserName = '\0';
  671. pszDomain = achUserName;
  672. pszUserName = pszUserName + 1;
  673. }
  675. //
  676. // Convert domain, user and password to unicode
  677. //
  679. hr = strUserNameW.CopyA( pszUserName );
  680. if ( FAILED( hr ) )
  681. {
  682. return hr;
  683. }
  685. hr = strUserDomainW.CopyA( pszDomain );
  686. if ( FAILED( hr ) )
  687. {
  688. return hr;
  689. }
  691. hr = strPasswordW.CopyA( achPassword );
  692. if ( FAILED( hr ) )
  693. {
  694. return hr;
  695. }
  697. //
  698. // We should have valid credentials to call LogonUser()
  699. //
  700. DBG_ASSERT( g_pW3Server->QueryTokenCache() != NULL );
  702. hr = g_pW3Server->QueryTokenCache()->GetCachedToken(
  703. strUserNameW.QueryStr(),
  704. strUserDomainW.QueryStr(),
  705. strPasswordW.QueryStr(),
  706. LOGON32_LOGON_INTERACTIVE,
  707. FALSE, // BUGBUG not UPN logon
  708. ppCachedToken,
  709. &dwLogonError );
  710. if ( FAILED( hr ) )
  711. {
  712. return SEC_E_UNKNOWN_CREDENTIALS;
  713. }
  714. //
  715. // If *ppCachedToken is NULL, then logon failed
  716. //
  718. if ( *ppCachedToken == NULL )
  719. {
  720. //
  721. // Note: With IIS5 we used to log logon failure to event log
  722. // however it doesn't seem to be necessary because if logon/logoff auditing is enabled
  723. // then security log would have relevant information about the logon failure
  724. //
  725. DBG_ASSERT( dwLogonError != ERROR_SUCCESS );
  726. return SEC_E_UNKNOWN_CREDENTIALS;
  727. }
  729. DBG_ASSERT( (*ppCachedToken)->CheckSignature() );
  730. *pfClientCertDeniedByMapper = FALSE;
  731. return SEC_E_OK;
  732. }
  734. return SEC_E_UNKNOWN_CREDENTIALS;
  735. }