//----------------------------------------------------------------------------
//
// Secure channel support.
// Code lifted from the SDK sample security\ssl.
//
// Copyright (C) Microsoft Corporation, 2000.
//
//----------------------------------------------------------------------------
#include "pch.hpp"
HMODULE g_hSecurity;
SecurityFunctionTable g_SecurityFunc;
HCERTSTORE g_hMyCertStore;
enum
{
SEQ_INTERNAL = 0xffffff00
};
//----------------------------------------------------------------------------
//
// Basic schannel support functions.
//
//----------------------------------------------------------------------------
void
DbgDumpBuffers(PCSTR Name, SecBufferDesc* Desc)
{
#if 0
ULONG i;
g_NtDllCalls.DbgPrint("%s desc %p has %d buffers\n",
Name, Desc, Desc->cBuffers);
for (i = 0; i < Desc->cBuffers; i++)
{
g_NtDllCalls.DbgPrint(" type %d, %X bytes at %p\n",
Desc->pBuffers[i].BufferType,
Desc->pBuffers[i].cbBuffer,
Desc->pBuffers[i].pvBuffer);
}
#endif
}
#if 0
#define DSCHAN(Args) g_NtDllCalls.DbgPrint Args
#define DumpBuffers(Name, Desc) DbgDumpBuffers(Name, Desc)
#else
#define DSCHAN(Args)
#define DumpBuffers(Name, Desc)
#endif
#if 0
#define DSCHAN_IO(Args) g_NtDllCalls.DbgPrint Args
#define DumpBuffersIo(Name, Desc) DbgDumpBuffers(Name, Desc)
#else
#define DSCHAN_IO(Args)
#define DumpBuffersIo(Name, Desc)
#endif
HRESULT
LoadSecurityLibrary(void)
{
HRESULT Status;
if ((Status = InitDynamicCalls(&g_Crypt32CallsDesc)) != S_OK)
{
return Status;
}
PSecurityFunctionTable pSecurityFunc;
INIT_SECURITY_INTERFACE pInitSecurityInterface;
if (g_hSecurity != NULL)
{
// Already loaded.
return S_OK;
}
if (g_Crypt32Calls.CertOpenStore == NULL)
{
// Unable to load crypt32.dll.
return HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND);
}
g_hSecurity = LoadLibrary("security.dll");
if (g_hSecurity == NULL)
{
goto EH_Fail;
}
pInitSecurityInterface = (INIT_SECURITY_INTERFACE)
GetProcAddress(g_hSecurity, "InitSecurityInterfaceA");
if (pInitSecurityInterface == NULL)
{
goto EH_Dll;
}
pSecurityFunc = pInitSecurityInterface();
if (pSecurityFunc == NULL)
{
goto EH_Dll;
}
memcpy(&g_SecurityFunc, pSecurityFunc, sizeof(g_SecurityFunc));
return S_OK;
EH_Dll:
FreeLibrary(g_hSecurity);
g_hSecurity = NULL;
EH_Fail:
return WIN32_LAST_STATUS();
}
HRESULT
CreateCredentials(LPSTR pszUserName,
BOOL fMachineStore,
BOOL Server,
ULONG dwProtocol,
SCHANNEL_CRED* ScCreds,
PCredHandle phCreds)
{
TimeStamp tsExpiry;
SECURITY_STATUS Status;
PCCERT_CONTEXT pCertContext = NULL;
// Open the "MY" certificate store.
if (g_hMyCertStore == NULL)
{
if (fMachineStore)
{
g_hMyCertStore = g_Crypt32Calls.
CertOpenStore(CERT_STORE_PROV_SYSTEM,
X509_ASN_ENCODING,
0,
CERT_SYSTEM_STORE_LOCAL_MACHINE,
L"MY");
}
else
{
g_hMyCertStore = g_Crypt32Calls.
CertOpenSystemStore(0, "MY");
}
if (!g_hMyCertStore)
{
Status = WIN32_LAST_STATUS();
goto Exit;
}
}
//
// If a user name is specified, then attempt to find a client
// certificate. Otherwise, just create a NULL credential.
//
if (pszUserName != NULL && *pszUserName)
{
// Find certificate. Note that this sample just searches for a
// certificate that contains the user name somewhere in the subject
// name. A real application should be a bit less casual.
pCertContext = g_Crypt32Calls.
CertFindCertificateInStore(g_hMyCertStore,
X509_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR_A,
pszUserName,
NULL);
if (pCertContext == NULL)
{
Status = WIN32_LAST_STATUS();
goto Exit;
}
}
//
// Build Schannel credential structure. Currently, this sample only
// specifies the protocol to be used (and optionally the certificate,
// of course). Real applications may wish to specify other parameters
// as well.
//
ZeroMemory(ScCreds, sizeof(*ScCreds));
ScCreds->dwVersion = SCHANNEL_CRED_VERSION;
if (pCertContext != NULL)
{
ScCreds->cCreds = 1;
ScCreds->paCred = &pCertContext;
}
ScCreds->grbitEnabledProtocols = dwProtocol;
if (!Server)
{
if (pCertContext != NULL)
{
ScCreds->dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
}
else
{
ScCreds->dwFlags |= SCH_CRED_USE_DEFAULT_CREDS;
}
ScCreds->dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
}
//
// Create an SSPI credential.
//
//
// NOTE: In theory, an application could enumerate the security packages
// until it finds one with attributes it likes. Some applications
// (such as IIS) enumerate the packages and call AcquireCredentialsHandle
// on each until it finds one that accepts the SCHANNEL_CRED structure.
// If an application has its heart set on using SSL, like this sample
// does, then just hardcoding the UNISP_NAME package name when calling
// AcquireCredentialsHandle is not a bad thing.
//
Status = g_SecurityFunc.AcquireCredentialsHandle(
NULL, // Name of principal
UNISP_NAME_A, // Name of package
Server ? // Flags indicating use
SECPKG_CRED_INBOUND :
SECPKG_CRED_OUTBOUND,
NULL, // Pointer to logon ID
ScCreds, // Package specific data
NULL, // Pointer to GetKey() func
NULL, // Value to pass to GetKey()
phCreds, // (out) Cred Handle
&tsExpiry); // (out) Lifetime (optional)
//
// Free the certificate context. Schannel has already made its own copy.
//
if (pCertContext)
{
g_Crypt32Calls.CertFreeCertificateContext(pCertContext);
}
Exit:
DSCHAN(("CreateCredentials returns %X\n", Status));
return Status;
}
HRESULT
VerifyRemoteCertificate(PCtxtHandle Context,
PSTR pszServerName,
DWORD dwCertFlags)
{
SSL_EXTRA_CERT_CHAIN_POLICY_PARA SslPara;
CERT_CHAIN_POLICY_PARA PolicyPara;
CERT_CHAIN_POLICY_STATUS PolicyStatus;
CERT_CHAIN_PARA ChainPara;
PCCERT_CHAIN_CONTEXT pChain = NULL;
PCCERT_CONTEXT pCert = NULL;
HRESULT Status;
PWSTR pwszServerName;
DWORD cchServerName;
// Read the remote certificate.
if ((Status = g_SecurityFunc.
QueryContextAttributes(Context,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
&pCert)) != S_OK)
{
goto Exit;
}
if (pCert == NULL)
{
Status = SEC_E_WRONG_PRINCIPAL;
goto EH_Cert;
}
if (pszServerName != NULL && *pszServerName)
{
//
// Convert server name to unicode.
//
cchServerName = MultiByteToWideChar(CP_ACP, 0, pszServerName,
-1, NULL, 0);
pwszServerName = (PWSTR)
LocalAlloc(LMEM_FIXED, cchServerName * sizeof(WCHAR));
if (pwszServerName == NULL)
{
Status = SEC_E_INSUFFICIENT_MEMORY;
goto EH_Cert;
}
cchServerName = MultiByteToWideChar(CP_ACP, 0, pszServerName,
-1, pwszServerName, cchServerName);
if (cchServerName == 0)
{
Status = SEC_E_WRONG_PRINCIPAL;
goto EH_Name;
}
}
else
{
pwszServerName = NULL;
}
//
// Build certificate chain.
//
ZeroMemory(&ChainPara, sizeof(ChainPara));
ChainPara.cbSize = sizeof(ChainPara);
if (!g_Crypt32Calls.CertGetCertificateChain(NULL,
pCert,
NULL,
pCert->hCertStore,
&ChainPara,
0,
NULL,
&pChain))
{
Status = WIN32_LAST_STATUS();
goto EH_Name;
}
//
// Validate certificate chain.
//
ZeroMemory(&SslPara, sizeof(SslPara));
SslPara.cbStruct = sizeof(SslPara);
SslPara.dwAuthType = pwszServerName == NULL ?
AUTHTYPE_CLIENT : AUTHTYPE_SERVER;
SslPara.fdwChecks = dwCertFlags;
SslPara.pwszServerName = pwszServerName;
ZeroMemory(&PolicyPara, sizeof(PolicyPara));
PolicyPara.cbSize = sizeof(PolicyPara);
PolicyPara.pvExtraPolicyPara = &SslPara;
ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
PolicyStatus.cbSize = sizeof(PolicyStatus);
if (!g_Crypt32Calls.CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL,
pChain,
&PolicyPara,
&PolicyStatus))
{
Status = WIN32_LAST_STATUS();
goto EH_Chain;
}
if (PolicyStatus.dwError)
{
Status = PolicyStatus.dwError;
}
else
{
Status = S_OK;
}
EH_Chain:
g_Crypt32Calls.CertFreeCertificateChain(pChain);
EH_Name:
if (pwszServerName != NULL)
{
LocalFree(pwszServerName);
}
EH_Cert:
g_Crypt32Calls.CertFreeCertificateContext(pCert);
Exit:
DSCHAN(("VerifyRemoteCertificate returns %X\n", Status));
return Status;
}
//----------------------------------------------------------------------------
//
// Schannel wrapper transport.
//
//----------------------------------------------------------------------------
#define SecHandleIsValid(Handle) \
((Handle)->dwLower != -1 || (Handle)->dwUpper != -1)
DbgRpcSecureChannelTransport::
DbgRpcSecureChannelTransport(ULONG ThisTransport,
ULONG BaseTransport)
{
m_Name = g_DbgRpcTransportNames[ThisTransport];
m_ThisTransport = ThisTransport;
m_BaseTransport = BaseTransport;
m_Stream = NULL;
SecInvalidateHandle(&m_Creds);
m_OwnCreds = FALSE;
SecInvalidateHandle(&m_Context);
m_OwnContext = FALSE;
m_BufferUsed = 0;
m_Server = FALSE;
}
DbgRpcSecureChannelTransport::~DbgRpcSecureChannelTransport(void)
{
if (SecHandleIsValid(&m_Context))
{
if (m_Server)
{
DisconnectFromClient();
}
else
{
DisconnectFromServer();
}
}
delete m_Stream;
if (m_OwnContext && SecHandleIsValid(&m_Context))
{
g_SecurityFunc.DeleteSecurityContext(&m_Context);
}
if (m_OwnCreds && SecHandleIsValid(&m_Creds))
{
g_SecurityFunc.FreeCredentialsHandle(&m_Creds);
}
}
ULONG
DbgRpcSecureChannelTransport::GetNumberParameters(void)
{
return 2 + (m_Stream != NULL ? m_Stream->GetNumberParameters() : 0);
}
void
DbgRpcSecureChannelTransport::GetParameter(ULONG Index, PSTR Name, PSTR Value)
{
switch(Index)
{
case 0:
if (m_Protocol)
{
strcpy(Name, "Proto");
switch(m_Protocol)
{
case SP_PROT_PCT1:
strcpy(Name, "PCT1");
break;
case SP_PROT_SSL2:
strcpy(Name, "SSL2");
break;
case SP_PROT_SSL3:
strcpy(Name, "SSL3");
break;
case SP_PROT_TLS1:
strcpy(Name, "TLS1");
break;
}
}
break;
case 1:
if (m_User[0])
{
strcpy(Name, m_MachineStore ? "MachUser" : "CertUser");
strcpy(Value, m_User);
}
break;
default:
if (m_Stream != NULL)
{
m_Stream->GetParameter(Index - 2, Name, Value);
}
break;
}
}
void
DbgRpcSecureChannelTransport::ResetParameters(void)
{
m_Protocol = 0;
m_User[0] = 0;
m_MachineStore = FALSE;
if (m_Stream == NULL)
{
m_Stream = DbgRpcNewTransport(m_BaseTransport);
}
if (m_Stream != NULL)
{
m_Stream->ResetParameters();
}
}
BOOL
DbgRpcSecureChannelTransport::SetParameter(PCSTR Name, PCSTR Value)
{
if (m_Stream == NULL)
{
// Force all initialization to fail.
return FALSE;
}
if (!_stricmp(Name, "proto"))
{
if (Value == NULL)
{
DbgRpcError("%s parameters: "
"the protocol name was not specified correctly\n",
m_Name);
return FALSE;
}
if (!_stricmp(Value, "pct1"))
{
m_Protocol = SP_PROT_PCT1;
}
else if (!_stricmp(Value, "ssl2"))
{
m_Protocol = SP_PROT_SSL2;
}
else if (!_stricmp(Value, "ssl3"))
{
m_Protocol = SP_PROT_SSL3;
}
else if (!_stricmp(Value, "tls1"))
{
m_Protocol = SP_PROT_TLS1;
}
else
{
DbgRpcError("%s parameters: unknown protocol '%s'\n", Value,
m_Name);
return FALSE;
}
}
else if (!_stricmp(Name, "machuser"))
{
if (Value == NULL)
{
DbgRpcError("%s parameters: "
"the user name was not specified correctly\n",
m_Name);
return FALSE;
}
m_User[0] = 0;
strncat(m_User, Value, sizeof(m_User) - 1);
m_MachineStore = TRUE;
}
else if (!_stricmp(Name, "certuser"))
{
if (Value == NULL)
{
DbgRpcError("%s parameters: "
"the user name was not specified correctly\n",
m_Name);
return FALSE;
}
m_User[0] = 0;
strncat(m_User, Value, sizeof(m_User) - 1);
m_MachineStore = FALSE;
}
else
{
if (!m_Stream->SetParameter(Name, Value))
{
return FALSE;
}
}
return TRUE;
}
DbgRpcTransport*
DbgRpcSecureChannelTransport::Clone(void)
{
DbgRpcTransport* Stream = m_Stream->Clone();
if (Stream == NULL)
{
return NULL;
}
DbgRpcSecureChannelTransport* Trans =
new DbgRpcSecureChannelTransport(m_ThisTransport, m_BaseTransport);
if (Trans != NULL)
{
Trans->m_Stream = Stream;
Trans->m_Creds = m_Creds;
Trans->m_OwnCreds = FALSE;
Trans->m_Context = m_Context;
Trans->m_OwnContext = FALSE;
Trans->m_Protocol = m_Protocol;
strcpy(Trans->m_User, m_User);
Trans->m_MachineStore = m_MachineStore;
Trans->m_Sizes = m_Sizes;
Trans->m_MaxChunk = m_MaxChunk;
Trans->m_Server = m_Server;
}
else
{
delete Stream;
}
return Trans;
}
HRESULT
DbgRpcSecureChannelTransport::CreateServer(void)
{
HRESULT Status;
if ((Status = LoadSecurityLibrary()) != S_OK)
{
return Status;
}
if ((Status = CreateCredentials(m_User, m_MachineStore, TRUE,
m_Protocol, &m_ScCreds, &m_Creds)) != S_OK)
{
return Status;
}
m_OwnCreds = TRUE;
if ((Status = m_Stream->CreateServer()) != S_OK)
{
return Status;
}
m_Server = TRUE;
return S_OK;
}
HRESULT
DbgRpcSecureChannelTransport::AcceptConnection(DbgRpcTransport** ClientTrans,
PSTR Identity)
{
HRESULT Status;
DbgRpcTransport* Stream;
if ((Status = m_Stream->AcceptConnection(&Stream, Identity)) != S_OK)
{
return Status;
}
DbgRpcSecureChannelTransport* Trans =
new DbgRpcSecureChannelTransport(m_ThisTransport, m_BaseTransport);
if (Trans == NULL)
{
delete Stream;
return E_OUTOFMEMORY;
}
Trans->m_Stream = Stream;
Trans->m_Creds = m_Creds;
Trans->m_OwnCreds = FALSE;
Trans->m_Server = TRUE;
if ((Status = Trans->AuthenticateClientConnection()) != S_OK)
{
goto EH_Trans;
}
if ((Status = Trans->GetSizes()) != S_OK)
{
goto EH_Trans;
}
// Attempt to validate client certificate.
if ((Status = VerifyRemoteCertificate(&Trans->m_Context, NULL, 0)) != S_OK)
{
goto EH_Trans;
}
*ClientTrans = Trans;
return S_OK;
EH_Trans:
delete Trans;
return Status;
}
HRESULT
DbgRpcSecureChannelTransport::ConnectServer(void)
{
HRESULT Status = m_Stream->ConnectServer();
if (Status != S_OK)
{
return Status;
}
if ((Status = LoadSecurityLibrary()) != S_OK)
{
return Status;
}
if ((Status = CreateCredentials(m_User, m_MachineStore, FALSE,
m_Protocol, &m_ScCreds, &m_Creds)) != S_OK)
{
return Status;
}
m_OwnCreds = TRUE;
if ((Status = InitiateServerConnection(m_Stream->m_ServerName)) != S_OK)
{
return Status;
}
if ((Status = AuthenticateServerConnection()) != S_OK)
{
return Status;
}
if ((Status = GetSizes()) != S_OK)
{
return Status;
}
// Attempt to validate server certificate.
if ((Status = VerifyRemoteCertificate(&m_Context,
m_Stream->m_ServerName, 0)) != S_OK)
{
// If this fails with CERT_E_CN_NO_MATCH it's most
// likely that the server name wasn't given as a fully
// qualified machine name. We may just want to ignore that error.
return Status;
}
return S_OK;
}
ULONG
DbgRpcSecureChannelTransport::Read(ULONG Seq, PVOID Buffer, ULONG Len)
{
SecBufferDesc Message;
SecBuffer Buffers[4];
DWORD Status;
ULONG Complete;
DSCHAN_IO(("Start read(%X) with %X bytes cached\n",
Len, m_BufferUsed));
//
// Initialize security buffer structs
//
Message.ulVersion = SECBUFFER_VERSION;
Message.cBuffers = 4;
Message.pBuffers = Buffers;
//
// Receive the data from the client.
//
Complete = 0;
while (Complete < Len)
{
do
{
// Pass in the data we have so far.
Buffers[0].pvBuffer = m_Buffer;
Buffers[0].cbBuffer = m_BufferUsed;
Buffers[0].BufferType = SECBUFFER_DATA;
// Provide extra buffers for header, trailer
// and possibly extra data.
Buffers[1].BufferType = SECBUFFER_EMPTY;
Buffers[2].BufferType = SECBUFFER_EMPTY;
Buffers[3].BufferType = SECBUFFER_EMPTY;
Status = g_SecurityFunc.DecryptMessage(&m_Context, &Message,
Seq, NULL);
DSCHAN_IO(("Read DecryptMessage on %X bytes returns %X\n",
m_BufferUsed, Status));
DumpBuffersIo("Read", &Message);
if (Status == SEC_E_INCOMPLETE_MESSAGE)
{
DSCHAN_IO((" Missing %X bytes\n", Buffers[1].cbBuffer));
ULONG Read = StreamRead(Seq, m_Buffer + m_BufferUsed,
sizeof(m_Buffer) - m_BufferUsed);
if (Read == 0)
{
return Complete;
}
m_BufferUsed += Read;
}
else if (Status == SEC_I_RENEGOTIATE)
{
// The server wants to perform another handshake
// sequence.
if ((Status = AuthenticateServerConnection()) != S_OK)
{
break;
}
}
}
while (Status == SEC_E_INCOMPLETE_MESSAGE);
if (Status != S_OK)
{
break;
}
// Buffers 0,1,2 should be header, data, trailer.
DBG_ASSERT(Buffers[1].BufferType == SECBUFFER_DATA);
DSCHAN_IO((" %X bytes of %X read\n",
Buffers[1].cbBuffer, Len));
memcpy((PUCHAR)Buffer + Complete,
Buffers[1].pvBuffer, Buffers[1].cbBuffer);
Complete += Buffers[1].cbBuffer;
// Check for extra data in buffer 3.
if (Buffers[3].BufferType == SECBUFFER_EXTRA)
{
DSCHAN_IO((" %X bytes extra\n"));
memmove(m_Buffer, Buffers[3].pvBuffer, Buffers[3].cbBuffer);
m_BufferUsed = Buffers[3].cbBuffer;
}
else
{
m_BufferUsed = 0;
}
}
DSCHAN_IO((" Read returns %X bytes\n", Complete));
return Complete;
}
ULONG
DbgRpcSecureChannelTransport::Write(ULONG Seq, PVOID Buffer, ULONG Len)
{
SecBufferDesc Message;
SecBuffer Buffers[3];
DWORD Status;
ULONG Complete;
DSCHAN_IO(("Start write(%X) with %X bytes cached\n",
Len, m_BufferUsed));
Message.ulVersion = SECBUFFER_VERSION;
Message.cBuffers = 3;
Message.pBuffers = Buffers;
Complete = 0;
while (Complete < Len)
{
ULONG Chunk;
//
// Set up header, data and trailer buffers so
// that EncryptMessage has room for everything
// in one contiguous buffer.
//
Buffers[0].pvBuffer = m_Buffer + m_BufferUsed;
Buffers[0].cbBuffer = m_Sizes.cbHeader;
Buffers[0].BufferType = SECBUFFER_STREAM_HEADER;
//
// Data is encrypted in-place so copy data
// from the user's buffer into the working buffer.
// Part of the working buffer may be taken up
// by queued data so work with what's left.
//
if (Len > m_MaxChunk - m_BufferUsed)
{
Chunk = m_MaxChunk - m_BufferUsed;
}
else
{
Chunk = Len;
}
DSCHAN_IO((" write %X bytes of %X\n", Chunk, Len));
Buffers[1].pvBuffer =
(PUCHAR)Buffers[0].pvBuffer + Buffers[0].cbBuffer;
Buffers[1].cbBuffer = Chunk;
Buffers[1].BufferType = SECBUFFER_DATA;
memcpy(Buffers[1].pvBuffer, (PUCHAR)Buffer + Complete, Chunk);
Buffers[2].pvBuffer =
(PUCHAR)Buffers[1].pvBuffer + Buffers[1].cbBuffer;
Buffers[2].cbBuffer = m_Sizes.cbTrailer;
Buffers[2].BufferType = SECBUFFER_STREAM_TRAILER;
Status = g_SecurityFunc.EncryptMessage(&m_Context, 0, &Message, Seq);
if (Status != S_OK)
{
break;
}
DumpBuffersIo("Write encrypt", &Message);
ULONG Total, Written;
Total = Buffers[0].cbBuffer + Buffers[1].cbBuffer +
Buffers[2].cbBuffer;
Written = StreamWrite(Seq, Buffers[0].pvBuffer, Total);
if (Written != Total)
{
break;
}
Complete += Chunk;
}
DSCHAN_IO((" Write returns %X bytes\n", Complete));
return Complete;
}
HRESULT
DbgRpcSecureChannelTransport::GetSizes(void)
{
HRESULT Status;
//
// Find out how big the header will be:
//
if ((Status = g_SecurityFunc.
QueryContextAttributes(&m_Context, SECPKG_ATTR_STREAM_SIZES,
&m_Sizes)) != S_OK)
{
return Status;
}
// Compute the largest chunk that can be encrypted at
// once in the transport's data buffer.
m_MaxChunk = sizeof(m_Buffer) - (m_Sizes.cbHeader + m_Sizes.cbTrailer);
if (m_MaxChunk > m_Sizes.cbMaximumMessage)
{
m_MaxChunk = m_Sizes.cbMaximumMessage;
}
return S_OK;
}
HRESULT
DbgRpcSecureChannelTransport::AuthenticateClientConnection(void)
{
TimeStamp tsExpiry;
SECURITY_STATUS Status;
SecBufferDesc InBuffer;
SecBufferDesc OutBuffer;
SecBuffer InBuffers[2];
SecBuffer OutBuffers[1];
BOOL fInitContext = TRUE;
DWORD dwSSPIFlags, dwSSPIOutFlags;
ULONG Seq;
Status = SEC_E_SECPKG_NOT_FOUND; //default error if we run out of packages
dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONFIDENTIALITY |
ASC_REQ_EXTENDED_ERROR |
ASC_REQ_ALLOCATE_MEMORY |
ASC_REQ_STREAM |
ASC_REQ_MUTUAL_AUTH;
//
// Set buffers for AcceptSecurityContext call
//
InBuffer.cBuffers = 2;
InBuffer.pBuffers = InBuffers;
InBuffer.ulVersion = SECBUFFER_VERSION;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = SEC_I_CONTINUE_NEEDED;
m_BufferUsed = 0;
while ( Status == SEC_I_CONTINUE_NEEDED ||
Status == SEC_E_INCOMPLETE_MESSAGE ||
Status == SEC_I_INCOMPLETE_CREDENTIALS)
{
if (0 == m_BufferUsed || Status == SEC_E_INCOMPLETE_MESSAGE)
{
ULONG Read = StreamRead(SEQ_INTERNAL, m_Buffer + m_BufferUsed,
sizeof(m_Buffer) - m_BufferUsed);
if (Read == 0)
{
Status = HRESULT_FROM_WIN32(ERROR_READ_FAULT);
goto Exit;
}
else
{
m_BufferUsed += Read;
}
}
//
// InBuffers[1] is for getting extra data that
// SSPI/SCHANNEL doesn't proccess on this
// run around the loop.
//
InBuffers[0].pvBuffer = m_Buffer;
InBuffers[0].cbBuffer = m_BufferUsed;
InBuffers[0].BufferType = SECBUFFER_TOKEN;
InBuffers[1].pvBuffer = NULL;
InBuffers[1].cbBuffer = 0;
InBuffers[1].BufferType = SECBUFFER_EMPTY;
//
// Initialize these so if we fail, pvBuffer contains NULL,
// so we don't try to free random garbage at the quit
//
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].cbBuffer = 0;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
Status = g_SecurityFunc.AcceptSecurityContext(
&m_Creds,
(fInitContext ? NULL : &m_Context),
&InBuffer,
dwSSPIFlags,
SECURITY_NATIVE_DREP,
(fInitContext ? &m_Context : NULL),
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);
DSCHAN(("ASC on %X bytes returns %X\n",
m_BufferUsed, Status));
DumpBuffers("ASC in", &InBuffer);
DumpBuffers("ASC out", &OutBuffer);
if (SUCCEEDED(Status))
{
fInitContext = FALSE;
m_OwnContext = TRUE;
}
if ( Status == SEC_E_OK ||
Status == SEC_I_CONTINUE_NEEDED ||
(FAILED(Status) &&
(0 != (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR))))
{
if (OutBuffers[0].cbBuffer != 0 &&
OutBuffers[0].pvBuffer != NULL )
{
ULONG Written;
DSCHAN((" write back %X bytes\n", OutBuffers[0].cbBuffer));
//
// Send response to server if there is one
//
Written = StreamWrite(SEQ_INTERNAL, OutBuffers[0].pvBuffer,
OutBuffers[0].cbBuffer);
g_SecurityFunc.FreeContextBuffer( OutBuffers[0].pvBuffer );
OutBuffers[0].pvBuffer = NULL;
if (Written != OutBuffers[0].cbBuffer)
{
Status = HRESULT_FROM_WIN32(ERROR_WRITE_FAULT);
goto Exit;
}
}
}
if ( Status == SEC_E_OK )
{
if ( InBuffers[1].BufferType == SECBUFFER_EXTRA )
{
DSCHAN_IO((" ASC returns with %X extra bytes\n",
InBuffers[1].cbBuffer));
memmove(m_Buffer,
m_Buffer + (m_BufferUsed - InBuffers[1].cbBuffer),
InBuffers[1].cbBuffer);
m_BufferUsed = InBuffers[1].cbBuffer;
}
else
{
m_BufferUsed = 0;
}
goto Exit;
}
else if (FAILED(Status) && (Status != SEC_E_INCOMPLETE_MESSAGE))
{
goto Exit;
}
if ( Status != SEC_E_INCOMPLETE_MESSAGE &&
Status != SEC_I_INCOMPLETE_CREDENTIALS)
{
if ( InBuffers[1].BufferType == SECBUFFER_EXTRA )
{
DSCHAN_IO((" ASC loops with %X extra bytes\n",
InBuffers[1].cbBuffer));
memmove(m_Buffer,
m_Buffer + (m_BufferUsed - InBuffers[1].cbBuffer),
InBuffers[1].cbBuffer);
m_BufferUsed = InBuffers[1].cbBuffer;
}
else
{
//
// prepare for next receive
//
m_BufferUsed = 0;
}
}
}
Exit:
DSCHAN(("AuthClient returns %X\n", Status));
return Status;
}
HRESULT
DbgRpcSecureChannelTransport::InitiateServerConnection(LPSTR pszServerName)
{
SecBufferDesc OutBuffer;
SecBuffer OutBuffers[1];
DWORD dwSSPIFlags;
DWORD dwSSPIOutFlags;
TimeStamp tsExpiry;
SECURITY_STATUS Status;
DWORD cbData;
dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_EXTENDED_ERROR |
ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_STREAM |
ISC_REQ_MUTUAL_AUTH;
//
// Initiate a ClientHello message and generate a token.
//
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = g_SecurityFunc.InitializeSecurityContextA(
&m_Creds,
NULL,
pszServerName,
dwSSPIFlags,
0,
SECURITY_NATIVE_DREP,
NULL,
0,
&m_Context,
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);
DSCHAN(("First ISC returns %X\n", Status));
DumpBuffers("First ISC out", &OutBuffer);
if (Status != SEC_I_CONTINUE_NEEDED)
{
goto Exit;
}
m_OwnContext = TRUE;
// Send response to server if there is one.
if (OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
{
DSCHAN((" write back %X bytes\n", OutBuffers[0].cbBuffer));
cbData = StreamWrite(SEQ_INTERNAL, OutBuffers[0].pvBuffer,
OutBuffers[0].cbBuffer);
if(cbData == 0)
{
g_SecurityFunc.FreeContextBuffer(OutBuffers[0].pvBuffer);
if (m_OwnContext)
{
g_SecurityFunc.DeleteSecurityContext(&m_Context);
SecInvalidateHandle(&m_Context);
}
Status = HRESULT_FROM_WIN32(ERROR_WRITE_FAULT);
goto Exit;
}
// Free output buffer.
g_SecurityFunc.FreeContextBuffer(OutBuffers[0].pvBuffer);
OutBuffers[0].pvBuffer = NULL;
}
Status = S_OK;
Exit:
DSCHAN(("InitServer returns %X\n", Status));
return Status;
}
HRESULT
DbgRpcSecureChannelTransport::AuthenticateServerConnection(void)
{
SecBufferDesc InBuffer;
SecBuffer InBuffers[2];
SecBufferDesc OutBuffer;
SecBuffer OutBuffers[1];
DWORD dwSSPIFlags;
DWORD dwSSPIOutFlags;
TimeStamp tsExpiry;
SECURITY_STATUS Status;
DWORD cbData;
ULONG ReadNeeded;
dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_EXTENDED_ERROR |
ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_STREAM;
m_BufferUsed = 0;
ReadNeeded = 1;
//
// Loop until the handshake is finished or an error occurs.
//
Status = SEC_I_CONTINUE_NEEDED;
while(Status == SEC_I_CONTINUE_NEEDED ||
Status == SEC_E_INCOMPLETE_MESSAGE ||
Status == SEC_I_INCOMPLETE_CREDENTIALS)
{
//
// Read data from server.
//
if (0 == m_BufferUsed || Status == SEC_E_INCOMPLETE_MESSAGE)
{
if (ReadNeeded > 0)
{
cbData = StreamRead(SEQ_INTERNAL, m_Buffer + m_BufferUsed,
sizeof(m_Buffer) - m_BufferUsed);
if(cbData == 0)
{
Status = HRESULT_FROM_WIN32(ERROR_READ_FAULT);
break;
}
m_BufferUsed += cbData;
}
else
{
ReadNeeded = 1;
}
}
//
// Set up the input buffers. Buffer 0 is used to pass in data
// received from the server. Schannel will consume some or all
// of this. Leftover data (if any) will be placed in buffer 1 and
// given a buffer type of SECBUFFER_EXTRA.
//
InBuffers[0].pvBuffer = m_Buffer;
InBuffers[0].cbBuffer = m_BufferUsed;
InBuffers[0].BufferType = SECBUFFER_TOKEN;
InBuffers[1].pvBuffer = NULL;
InBuffers[1].cbBuffer = 0;
InBuffers[1].BufferType = SECBUFFER_EMPTY;
InBuffer.cBuffers = 2;
InBuffer.pBuffers = InBuffers;
InBuffer.ulVersion = SECBUFFER_VERSION;
//
// Set up the output buffers. These are initialized to NULL
// so as to make it less likely we'll attempt to free random
// garbage later.
//
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType= SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
//
// Call InitializeSecurityContext.
//
Status = g_SecurityFunc.InitializeSecurityContextA(
&m_Creds,
&m_Context,
NULL,
dwSSPIFlags,
0,
SECURITY_NATIVE_DREP,
&InBuffer,
0,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);
DSCHAN(("ISC on %X bytes returns %X\n",
m_BufferUsed, Status));
DumpBuffers("ISC in", &InBuffer);
DumpBuffers("ISC out", &OutBuffer);
//
// If InitializeSecurityContext was successful (or if the error was
// one of the special extended ones), send the contends of the output
// buffer to the server.
//
if(Status == SEC_E_OK ||
Status == SEC_I_CONTINUE_NEEDED ||
FAILED(Status) && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR))
{
if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
{
DSCHAN((" write back %X bytes\n", OutBuffers[0].cbBuffer));
cbData = StreamWrite(SEQ_INTERNAL, OutBuffers[0].pvBuffer,
OutBuffers[0].cbBuffer);
if(cbData == 0)
{
g_SecurityFunc.FreeContextBuffer(OutBuffers[0].pvBuffer);
if (m_OwnContext)
{
g_SecurityFunc.DeleteSecurityContext(&m_Context);
SecInvalidateHandle(&m_Context);
}
Status = HRESULT_FROM_WIN32(ERROR_WRITE_FAULT);
goto Exit;
}
// Free output buffer.
g_SecurityFunc.FreeContextBuffer(OutBuffers[0].pvBuffer);
OutBuffers[0].pvBuffer = NULL;
}
}
//
// If InitializeSecurityContext returned SEC_E_INCOMPLETE_MESSAGE,
// then we need to read more data from the server and try again.
//
if(Status == SEC_E_INCOMPLETE_MESSAGE)
{
continue;
}
//
// If InitializeSecurityContext returned SEC_E_OK, then the
// handshake completed successfully.
//
if(Status == SEC_E_OK)
{
//
// If the "extra" buffer contains data, this is encrypted application
// protocol layer stuff. It needs to be saved. The application layer
// will later decrypt it with DecryptMessage.
//
if(InBuffers[1].BufferType == SECBUFFER_EXTRA)
{
DSCHAN_IO((" ISC returns with %X extra bytes\n",
InBuffers[1].cbBuffer));
memmove(m_Buffer,
m_Buffer + (m_BufferUsed - InBuffers[1].cbBuffer),
InBuffers[1].cbBuffer);
m_BufferUsed = InBuffers[1].cbBuffer;
}
else
{
m_BufferUsed = 0;
}
//
// Bail out to quit
//
break;
}
//
// Check for fatal error.
//
if(FAILED(Status))
{
break;
}
//
// If InitializeSecurityContext returned SEC_I_INCOMPLETE_CREDENTIALS,
// then the server just requested client authentication.
//
if(Status == SEC_I_INCOMPLETE_CREDENTIALS)
{
DSCHAN(("Get new client credentials\n"));
//
// Display trusted issuers info.
//
GetNewClientCredentials();
//
// Now would be a good time perhaps to prompt the user to select
// a client certificate and obtain a new credential handle,
// but I don't have the energy nor inclination.
//
// As this is currently written, Schannel will send a "no
// certificate" alert to the server in place of a certificate.
// The server might be cool with this, or it might drop the
// connection.
//
// Go around again.
ReadNeeded = 0;
Status = SEC_I_CONTINUE_NEEDED;
continue;
}
//
// Copy any leftover data from the "extra" buffer, and go around
// again.
//
if ( InBuffers[1].BufferType == SECBUFFER_EXTRA )
{
DSCHAN((" ISC loops with %X extra bytes\n",
InBuffers[1].cbBuffer));
memmove(m_Buffer,
m_Buffer + (m_BufferUsed - InBuffers[1].cbBuffer),
InBuffers[1].cbBuffer);
m_BufferUsed = InBuffers[1].cbBuffer;
}
else
{
m_BufferUsed = 0;
}
}
// Delete the security context in the case of a fatal error.
if(FAILED(Status))
{
if (m_OwnContext)
{
g_SecurityFunc.DeleteSecurityContext(&m_Context);
SecInvalidateHandle(&m_Context);
}
}
Exit:
DSCHAN(("AuthServer returns %X\n", Status));
return Status;
}
void
DbgRpcSecureChannelTransport::GetNewClientCredentials(void)
{
CredHandle hCreds;
SecPkgContext_IssuerListInfoEx IssuerListInfo;
PCCERT_CHAIN_CONTEXT pChainContext;
CERT_CHAIN_FIND_BY_ISSUER_PARA FindByIssuerPara;
PCCERT_CONTEXT pCertContext;
TimeStamp tsExpiry;
SECURITY_STATUS Status;
//
// Read list of trusted issuers from schannel.
//
Status = g_SecurityFunc.QueryContextAttributes(&m_Context,
SECPKG_ATTR_ISSUER_LIST_EX,
(PVOID)&IssuerListInfo);
if (Status != SEC_E_OK)
{
goto Exit;
}
//
// Enumerate the client certificates.
//
ZeroMemory(&FindByIssuerPara, sizeof(FindByIssuerPara));
FindByIssuerPara.cbSize = sizeof(FindByIssuerPara);
FindByIssuerPara.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
FindByIssuerPara.dwKeySpec = 0;
FindByIssuerPara.cIssuer = IssuerListInfo.cIssuers;
FindByIssuerPara.rgIssuer = IssuerListInfo.aIssuers;
pChainContext = NULL;
while(TRUE)
{
// Find a certificate chain.
pChainContext = g_Crypt32Calls.
CertFindChainInStore(g_hMyCertStore,
X509_ASN_ENCODING,
0,
CERT_CHAIN_FIND_BY_ISSUER,
&FindByIssuerPara,
pChainContext);
if(pChainContext == NULL)
{
break;
}
// Get pointer to leaf certificate context.
pCertContext = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
// Create schannel credential.
m_ScCreds.cCreds = 1;
m_ScCreds.paCred = &pCertContext;
Status = g_SecurityFunc.AcquireCredentialsHandleA(
NULL, // Name of principal
UNISP_NAME_A, // Name of package
SECPKG_CRED_OUTBOUND, // Flags indicating use
NULL, // Pointer to logon ID
&m_ScCreds, // Package specific data
NULL, // Pointer to GetKey() func
NULL, // Value to pass to GetKey()
&hCreds, // (out) Cred Handle
&tsExpiry); // (out) Lifetime (optional)
if(Status != SEC_E_OK)
{
continue;
}
// Destroy the old credentials.
if (m_OwnCreds)
{
g_SecurityFunc.FreeCredentialsHandle(&m_Creds);
}
// XXX drewb - This doesn't really work if this
// isn't the credential owner.
m_Creds = hCreds;
break;
}
Exit:
DSCHAN(("GetNewClientCredentials returns %X\n", Status));
}
void
DbgRpcSecureChannelTransport::DisconnectFromClient(void)
{
DWORD dwType;
PBYTE pbMessage;
DWORD cbMessage;
DWORD cbData;
SecBufferDesc OutBuffer;
SecBuffer OutBuffers[1];
DWORD dwSSPIFlags;
DWORD dwSSPIOutFlags;
TimeStamp tsExpiry;
DWORD Status;
//
// Notify schannel that we are about to close the connection.
//
dwType = SCHANNEL_SHUTDOWN;
OutBuffers[0].pvBuffer = &dwType;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = sizeof(dwType);
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = g_SecurityFunc.ApplyControlToken(&m_Context, &OutBuffer);
if(FAILED(Status))
{
goto cleanup;
}
//
// Build an SSL close notify message.
//
dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONFIDENTIALITY |
ASC_REQ_EXTENDED_ERROR |
ASC_REQ_ALLOCATE_MEMORY |
ASC_REQ_STREAM;
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = g_SecurityFunc.AcceptSecurityContext(
&m_Creds,
&m_Context,
NULL,
dwSSPIFlags,
SECURITY_NATIVE_DREP,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);
DSCHAN(("DisASC returns %X\n", Status));
DumpBuffers("DisASC out", &OutBuffer);
if(FAILED(Status))
{
goto cleanup;
}
pbMessage = (PBYTE)OutBuffers[0].pvBuffer;
cbMessage = OutBuffers[0].cbBuffer;
//
// Send the close notify message to the client.
//
if (pbMessage != NULL && cbMessage != 0)
{
DSCHAN((" write back %X bytes\n", cbMessage));
cbData = StreamWrite(SEQ_INTERNAL, pbMessage, cbMessage);
if (cbData == 0)
{
Status = HRESULT_FROM_WIN32(ERROR_WRITE_FAULT);
goto cleanup;
}
// Free output buffer.
g_SecurityFunc.FreeContextBuffer(pbMessage);
}
cleanup:
DSCHAN(("DisconnectFromClient returns %X\n", Status));
}
void
DbgRpcSecureChannelTransport::DisconnectFromServer(void)
{
DWORD dwType;
PBYTE pbMessage;
DWORD cbMessage;
DWORD cbData;
SecBufferDesc OutBuffer;
SecBuffer OutBuffers[1];
DWORD dwSSPIFlags;
DWORD dwSSPIOutFlags;
TimeStamp tsExpiry;
DWORD Status;
//
// Notify schannel that we are about to close the connection.
//
dwType = SCHANNEL_SHUTDOWN;
OutBuffers[0].pvBuffer = &dwType;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = sizeof(dwType);
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = g_SecurityFunc.ApplyControlToken(&m_Context, &OutBuffer);
if(FAILED(Status))
{
goto cleanup;
}
//
// Build an SSL close notify message.
//
dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_EXTENDED_ERROR |
ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_STREAM;
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;
Status = g_SecurityFunc.InitializeSecurityContextA(
&m_Creds,
&m_Context,
NULL,
dwSSPIFlags,
0,
SECURITY_NATIVE_DREP,
NULL,
0,
&m_Context,
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);
DSCHAN(("DisISC returns %X\n", Status));
DumpBuffers("DisISC out", &OutBuffer);
if(FAILED(Status))
{
goto cleanup;
}
pbMessage = (PBYTE)OutBuffers[0].pvBuffer;
cbMessage = OutBuffers[0].cbBuffer;
//
// Send the close notify message to the server.
//
if(pbMessage != NULL && cbMessage != 0)
{
DSCHAN((" write back %X bytes\n", cbMessage));
cbData = StreamWrite(SEQ_INTERNAL, pbMessage, cbMessage);
if (cbData == 0)
{
Status = HRESULT_FROM_WIN32(ERROR_WRITE_FAULT);
goto cleanup;
}
// Free output buffer.
g_SecurityFunc.FreeContextBuffer(pbMessage);
}
cleanup:
DSCHAN(("DisconnectFromServer returns %X\n", Status));
}