/*++
Copyright (C) 1997-2001 Microsoft Corporation
Module Name:
CSSPI.H
Abstract:
SSPI wrapper implementation for NTLM/MSN network authentication.
History:
raymcc 15-Jul-97 Created
--*/
#include "precomp.h"
#include <tchar.h>
#include <stdio.h>
#include <csspi.h>
// #define trace(x) printf x
#define trace(x)
static BOOL IsNt(void);
//***************************************************************************
//
// String helper macros
//
//***************************************************************************
#define Macro_CloneLPWSTR(x) \
(x ? _wcsdup(x) : 0)
#define Macro_CloneLPSTR(x) \
(x ? _strdup(x) : 0)
#ifdef _UNICODE
#define Macro_CloneLPTSTR(x) (x ? _wcsdup(x) : 0)
#else
#define Macro_CloneLPTSTR(x) (x ? _strdup(x) : 0)
#endif
//***************************************************************************
//
// BOOL IsNt
//
// DESCRIPTION:
//
// Returns true if running windows NT.
//
// RETURN VALUE:
//
// see description.
//
//***************************************************************************
// ok
static BOOL IsNt(void)
{
OSVERSIONINFO os;
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&os))
return FALSE; // should never happen
return os.dwPlatformId == VER_PLATFORM_WIN32_NT;
}
//***************************************************************************
//
// CSSPI Static Data Members
//
//***************************************************************************
ULONG CSSPI::m_uNumPackages = 0;
PSecPkgInfo CSSPI::m_pEnumPkgInfo = 0;
PSecurityFunctionTable CSSPI::pVtbl = 0;
//***************************************************************************
//
// CSSPI::Initialize
//
// This must be called prior to any other operations, but may be
// called multiple times.
//
// Return value:
// TRUE on success, FALSE on failure.
//
//***************************************************************************
// ok
BOOL CSSPI::Initialize()
{
static HMODULE hLib = 0;
// If we have already called this function and everything
// is already ok, short-circuit.
// ======================================================
if (hLib != 0 && pVtbl != 0)
{
return TRUE;
}
if (IsNt())
{
hLib = LoadLibrary(__TEXT("SECURITY.DLL"));
}
else
{
hLib = LoadLibrary(__TEXT("SECUR32.DLL"));
}
if (hLib == 0)
{
trace(("CSSPI::Startup() Library failed to load\n"));
return FALSE;
}
#ifdef _UNICODE
INIT_SECURITY_INTERFACE_W pInitFn =
(INIT_SECURITY_INTERFACE_W)
GetProcAddress(hLib, "InitSecurityInterfaceW");
#else
INIT_SECURITY_INTERFACE_A pInitFn =
(INIT_SECURITY_INTERFACE_A)
GetProcAddress(hLib, "InitSecurityInterfaceA");
#endif
if (pInitFn == 0)
{
trace(("CSSPI::Startup() ERROR : Unable to locate function InitSecurityInterface()\n"
));
FreeLibrary(hLib);
hLib = 0;
return FALSE;
}
pVtbl = pInitFn();
if (pVtbl == 0)
{
trace(("CSSPI::Startup() ERROR : Function table not found\n"));
FreeLibrary(hLib);
hLib = 0;
return FALSE;
}
return TRUE;
}
//***************************************************************************
//
// CSSPI::TranslateError
//
// Translates an error code to a displayable message.
// Treat the return value as read-only (you must, since it is 'const').
//
//***************************************************************************
// ok
const LPTSTR CSSPI::TranslateError(
ULONG uCode
)
{
LPTSTR p = 0;
switch (uCode)
{
case SEC_E_INSUFFICIENT_MEMORY: p = _T("SEC_E_INSUFFICIENT_MEMORY"); break;
case SEC_E_INVALID_HANDLE : p = _T("SEC_E_INVALID_HANDLE"); break;
case SEC_E_UNSUPPORTED_FUNCTION : p = _T("SEC_E_UNSUPPORTED_FUNCTION"); break;
case SEC_E_TARGET_UNKNOWN : p = _T("SEC_E_TARGET_UNKNOWN"); break;
case SEC_E_INTERNAL_ERROR : p = _T("SEC_E_INTERNAL_ERROR"); break;
case SEC_E_SECPKG_NOT_FOUND : p = _T("SEC_E_SECPKG_NOT_FOUND"); break;
case SEC_E_NOT_OWNER : p = _T("SEC_E_NOT_OWNER"); break;
case SEC_E_CANNOT_INSTALL : p = _T("SEC_E_CANNOT_INSTALL"); break;
case SEC_E_INVALID_TOKEN : p = _T("SEC_E_INVALID_TOKEN"); break;
case SEC_E_CANNOT_PACK : p = _T("SEC_E_CANNOT_PACK"); break;
case SEC_E_QOP_NOT_SUPPORTED : p = _T("SEC_E_QOP_NOT_SUPPORTED"); break;
case SEC_E_NO_IMPERSONATION : p = _T("SEC_E_NO_IMPERSONATION"); break;
case SEC_E_LOGON_DENIED : p = _T("SEC_E_LOGON_DENIED"); break;
case SEC_E_UNKNOWN_CREDENTIALS : p = _T("SEC_E_UNKNOWN_CREDENTIALS"); break;
case SEC_E_NO_CREDENTIALS : p = _T("SEC_E_NO_CREDENTIALS"); break;
case SEC_E_MESSAGE_ALTERED : p = _T("SEC_E_MESSAGE_ALTERED"); break;
case SEC_E_OUT_OF_SEQUENCE : p = _T("SEC_E_OUT_OF_SEQUENCE"); break;
case SEC_E_NO_AUTHENTICATING_AUTHORITY : p = _T("SEC_E_NO_AUTHENTICATING_AUTHORITY"); break;
case SEC_I_CONTINUE_NEEDED : p = _T("SEC_I_CONTINUE_NEEDED"); break;
case SEC_I_COMPLETE_NEEDED : p = _T("SEC_I_COMPLETE_NEEDED"); break;
case SEC_I_COMPLETE_AND_CONTINUE : p = _T("SEC_I_COMPLETE_AND_CONTINUE"); break;
case SEC_I_LOCAL_LOGON : p = _T("SEC_I_LOCAL_LOGON"); break;
case SEC_E_BAD_PKGID : p = _T("SEC_E_BAD_PKGID"); break;
case SEC_E_CONTEXT_EXPIRED : p = _T("SEC_E_CONTEXT_EXPIRED"); break;
case SEC_E_INCOMPLETE_MESSAGE : p = _T("SEC_E_INCOMPLETE_MESSAGE"); break;
case SEC_E_INCOMPLETE_CREDENTIALS : p = _T("SEC_E_INCOMPLETE_CREDENTIALS"); break;
case SEC_E_BUFFER_TOO_SMALL : p = _T("SEC_E_BUFFER_TOO_SMALL"); break;
case SEC_I_INCOMPLETE_CREDENTIALS : p = _T("SEC_I_INCOMPLETE_CREDENTIALS"); break;
case SEC_I_RENEGOTIATE : p = _T("SEC_I_RENEGOTIATE"); break;
default:
p = _T("<UNDEFINED ERROR CODE>");
}
return (const LPTSTR) p;
}
//***************************************************************************
//
// CSSPI::DisplayContextAttributes
//
// Display authentication context attribute bits in readable form.
//
//***************************************************************************
// ok
void CSSPI::DisplayContextAttributes(
ULONG uAttrib
)
{
if (uAttrib & ISC_RET_DELEGATE)
printf("ISC_RET_DELEGATE\n");
if (uAttrib & ISC_RET_MUTUAL_AUTH)
printf("ISC_RET_MUTUAL_AUTH\n");
if (uAttrib & ISC_RET_REPLAY_DETECT)
printf("ISC_RET_REPLAY_DETECT\n");
if (uAttrib & ISC_RET_SEQUENCE_DETECT)
printf("ISC_RET_SEQUENCE_DETECT\n");
if (uAttrib & ISC_RET_CONFIDENTIALITY)
printf("ISC_RET_CONFIDENTIALITY\n");
if (uAttrib & ISC_RET_USE_SESSION_KEY)
printf("ISC_RET_USE_SESSION_KEY\n");
if (uAttrib & ISC_RET_USED_COLLECTED_CREDS)
printf("ISC_RET_USED_COLLECTED_CREDS\n");
if (uAttrib & ISC_RET_USED_SUPPLIED_CREDS)
printf("ISC_RET_USED_SUPPLIED_CREDS\n");
if (uAttrib & ISC_RET_ALLOCATED_MEMORY)
printf("ISC_RET_ALLOCATED_MEMORY\n");
if (uAttrib & ISC_RET_USED_DCE_STYLE)
printf("ISC_RET_USED_DCE_STYLE\n");
if (uAttrib & ISC_RET_DATAGRAM)
printf("ISC_RET_DATAGRAM\n");
if (uAttrib & ISC_RET_CONNECTION)
printf("ISC_RET_CONNECTION\n");
if (uAttrib & ISC_RET_INTERMEDIATE_RETURN)
printf("ISC_RET_INTERMEDIATE_RETURN\n");
if (uAttrib & ISC_RET_CALL_LEVEL)
printf("ISC_RET_CALL_LEVEL\n");
if (uAttrib & ISC_RET_EXTENDED_ERROR)
printf("ISC_RET_EXTENDED_ERROR\n");
if (uAttrib & ISC_RET_STREAM)
printf("ISC_RET_STREAM\n");
if (uAttrib & ISC_RET_INTEGRITY)
printf("ISC_RET_INTEGRITY\n");
}
//***************************************************************************
//
// CSSPI::DisplayPkgInfo
//
// Dumps package information to console.
//
//***************************************************************************
// ok
void CSSPI::DisplayPkgInfo(PSecPkgInfo pPkg)
{
printf("---------------------------------------------\n");
printf("Name = <%s>\n", pPkg->Name);
printf("Comment = <%s>\n", pPkg->Comment);
printf("Version = 0x%X\n", pPkg->wVersion);
printf("Max token = %d bytes\n", pPkg->cbMaxToken);
printf("DCE RPC Id = 0x%X\n", pPkg->wRPCID);
printf("Capabilities = \n");
if (pPkg->fCapabilities & SECPKG_FLAG_INTEGRITY)
printf(" SECPKG_FLAG_INTEGRITY\n");
if (pPkg->fCapabilities & SECPKG_FLAG_PRIVACY)
printf(" SECPKG_FLAG_PRIVACY\n");
if (pPkg->fCapabilities & SECPKG_FLAG_TOKEN_ONLY)
printf(" SECPKG_FLAG_TOKEN_ONLY\n");
if (pPkg->fCapabilities & SECPKG_FLAG_DATAGRAM)
printf(" SECPKG_FLAG_DATAGRAM\n");
if (pPkg->fCapabilities & SECPKG_FLAG_CONNECTION)
printf(" SECPKG_FLAG_CONNECTION\n");
if (pPkg->fCapabilities & SECPKG_FLAG_MULTI_REQUIRED)
printf(" SECPKG_FLAG_MULTI_REQUIRED\n");
if (pPkg->fCapabilities & SECPKG_FLAG_CLIENT_ONLY)
printf(" SECPKG_FLAG_CLIENT_ONLY\n");
if (pPkg->fCapabilities & SECPKG_FLAG_EXTENDED_ERROR)
printf(" SECPKG_FLAG_EXTENDED_ERROR\n");
if (pPkg->fCapabilities & SECPKG_FLAG_IMPERSONATION)
printf(" SECPKG_FLAG_IMPERSONATION\n");
if (pPkg->fCapabilities & SECPKG_FLAG_ACCEPT_WIN32_NAME)
printf(" SECPKG_FLAG_ACCEPT_WIN32_NAME\n");
if (pPkg->fCapabilities & SECPKG_FLAG_STREAM)
printf(" SECPKG_FLAG_STREAM\n");
printf("---------------------------------------------\n");
}
//***************************************************************************
//
// CSSPI::GetNumPkgs
//
// Gets the number of SSPI packages available on the current machine.
//
// Returns 0 if none available.
//
//***************************************************************************
// ok
ULONG CSSPI::GetNumPkgs()
{
// Short-circuit to see if this function has been called before.
// It is not possible for new SSPI packages to appear between
// reboots, so we cache all info.
// =============================================================
if (m_uNumPackages != 0 && m_pEnumPkgInfo)
return m_uNumPackages;
// Enumerate security packages.
// ============================
SECURITY_STATUS SecStatus =
pVtbl->EnumerateSecurityPackages(&m_uNumPackages, &m_pEnumPkgInfo);
if (SecStatus)
{
trace(("EnumerateSecurityPackages() failed. Error = %s\n", TranslateError(SecStatus)
));
return 0;
}
return m_uNumPackages;
}
//***************************************************************************
//
// CSSPI::GetPkgInfo
//
// Retrieves a single read-only PSecPkgInfo pointer, describing the
// requested package. This is to be used in conjunction with GetNumPkgs()
// in order to iterate through the SSPI package list.
//
// Returns NULL on error or a read-only PSecPkgInfo pointer.
//
//***************************************************************************
// ok
const PSecPkgInfo CSSPI::GetPkgInfo(ULONG ulPkgNum)
{
if (ulPkgNum >= m_uNumPackages)
return 0;
if (m_pEnumPkgInfo == 0)
return 0;
return &m_pEnumPkgInfo[ulPkgNum];
}
//***************************************************************************
//
// CSSPI::DumpSecurityPackages
//
// Dumps all available security packages to the console.
//
//***************************************************************************
// ok
BOOL CSSPI::DumpSecurityPackages()
{
// Enumerate security packages.
// ============================
unsigned long lNum = 0;
PSecPkgInfo pPkgInfo;
lNum = GetNumPkgs();
if (lNum == 0)
return FALSE;
trace(("SSPI Supports %d security packages\n", lNum));
for (unsigned long i = 0; i < lNum; i++)
{
pPkgInfo = GetPkgInfo(i);
if (pPkgInfo)
DisplayPkgInfo(pPkgInfo);
}
return TRUE;
}
//***************************************************************************
//
// CSSPI::ServerSupport
//
// Determines whether the a server-side package can be expected to work.
//
// Parameters:
// <pszPkgName> The authentication package. Usually "NTLM"
//
// Return value:
// TRUE if the package will support a server-side authentication, FALSE
// if not supported.
//
//***************************************************************************
BOOL CSSPI::ServerSupport(LPTSTR pszPkgName)
{
if (pszPkgName == 0 || lstrlen(pszPkgName) == 0)
return FALSE;
if (Initialize() == FALSE)
return FALSE;
CSSPIServer Server(pszPkgName);
if (Server.GetStatus() != CSSPIServer::Waiting)
return FALSE;
return TRUE;
}
//***************************************************************************
//
// CSSPI::ClientSupport
//
// Determines whether the a client-side package can be expected to work.
//
// Parameters:
// <pszPkgName> The authentication package. Usually "NTLM"
//
// Return value:
// TRUE if the package will support a client-side authentication, FALSE
// if not supported.
//
//***************************************************************************
BOOL CSSPI::ClientSupport(LPTSTR pszPkgName)
{
if (pszPkgName == 0 || lstrlen(pszPkgName) == 0)
return FALSE;
if (Initialize() == FALSE)
return FALSE;
CSSPIClient Client(pszPkgName);
if (Client.GetStatus() != CSSPIClient::Waiting)
return FALSE;
return TRUE;
}
//***************************************************************************
//
// CSSPIClient constructor
//
// Parameters:
// <pszPkgName> A valid SSPI package. Usually "NTLM".
//
// After construction has completed, GetStatus() should return
// CSSPIClient::Waiting. CSSPIClient::InvalidPackage indicates that
// the object will not function.
//
//***************************************************************************
CSSPIClient::CSSPIClient(LPTSTR pszPkgName)
{
// Initialize variables.
// =====================
m_dwStatus = InvalidPackage;
memset(&m_ClientCredential, 0, sizeof(CredHandle));
m_pPkgInfo = 0;
m_pszPkgName = 0;
m_cbMaxToken = 0;
m_bValidCredHandle = FALSE;
memset(&m_ClientContext, 0, sizeof(CtxtHandle));
m_bValidContextHandle = FALSE;
// Copy package name.
// ===================
m_pszPkgName = Macro_CloneLPTSTR(pszPkgName);
if (!m_pszPkgName)
{
trace(("CSSPIClient failed to construct (out of memory).\n"));
m_dwStatus = InvalidPackage;
return;
}
// Init the requested package.
// ===========================
SECURITY_STATUS SecStatus = 0;
SecStatus = CSSPI::pVtbl->QuerySecurityPackageInfo(pszPkgName, &m_pPkgInfo);
if (SecStatus != 0)
{
trace(("CSSPIClient fails to construct. Error = %s\n",
CSSPI::TranslateError(SecStatus)
));
m_dwStatus = InvalidPackage;
return;
}
// If here, things are ok. We are waiting
// for client to set login information.
// ========================================
m_cbMaxToken = m_pPkgInfo->cbMaxToken;
m_dwStatus = Waiting;
}
//***************************************************************************
//
// CSSPIClient
//
// Destructor
//
//***************************************************************************
CSSPIClient::~CSSPIClient()
{
if (m_pPkgInfo)
CSSPI::pVtbl->FreeContextBuffer(m_pPkgInfo);
if (m_pszPkgName)
delete [] m_pszPkgName;
if (m_bValidCredHandle)
CSSPI::pVtbl->FreeCredentialHandle(&m_ClientCredential);
if (m_bValidContextHandle)
CSSPI::pVtbl->DeleteSecurityContext(&m_ClientContext);
}
//***************************************************************************
//
// CSSPIClient::SetLoginInfo
//
// Sets login info prior to beginning a login session.
// pszUser, pszDomain, pszPassword must be either all NULL or all not
// NULL. If NULLs are used, the current user's security context
// is propagated.
//
// This must be the first call after constructing the CSSPIClient.
// If this returns NoError, then ContinueLogin must be called next
// before communicating with the server process.
//
// Parameters:
// <pszUser> The user name
// <pszDomain> The NTLM domain
// <pszPassword> The cleartext password
// <dwLoginFlags> Reserved
//
// Return value:
// <NoError> if the caller can immediately proceed to ContinueLogin().
// <InvalidParameter> if one or more parameters were not valid.
// <InvalidPackage> if the SSPI package is not operational
//
// <InvalidUser> if the user/domain/password parameters are
// of the wrong format.
//
// After successful completion, <NoError> is returned and
// GetStatus() will return CSSPIClient::LoginContinue.
//
//***************************************************************************
DWORD CSSPIClient::SetLoginInfo(
IN LPTSTR pszUser,
IN LPTSTR pszDomain,
IN LPTSTR pszPassword,
IN DWORD dwLoginFlags
)
{
if (m_dwStatus != Waiting)
return m_dwStatus = InvalidPackage;
// If the user specifies any of one {user,password,domain}, they
// all must be specified.
// =============================================================
if (pszUser || pszDomain || pszPassword)
{
if (!pszUser || !pszDomain || !pszPassword)
return InvalidParameter;
}
// Acquire a credentials handle for subsequent calls.
// ==================================================
SEC_WINNT_AUTH_IDENTITY AdditionalCredentials;
BOOL bSupplyCredentials = FALSE;
TimeStamp Expiration;
AdditionalCredentials.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
// Due to the parameter validation, we know that if
// a user was specified, the other parameters have been, too.
// ==========================================================
if (pszUser != 0)
{
bSupplyCredentials = TRUE;
AdditionalCredentials.User = pszUser;
AdditionalCredentials.UserLength = lstrlen(pszUser);
AdditionalCredentials.Password = pszPassword;
AdditionalCredentials.PasswordLength = lstrlen(pszPassword);
AdditionalCredentials.Domain = pszDomain;
AdditionalCredentials.DomainLength = lstrlen(pszDomain);
}
// Get client credentials handle.
// ==============================
SECURITY_STATUS SecStatus = CSSPI::pVtbl->AcquireCredentialsHandle(
NULL,
m_pszPkgName,
SECPKG_CRED_OUTBOUND,
NULL,
bSupplyCredentials ? &AdditionalCredentials : 0,
NULL,
NULL,
&m_ClientCredential,
&Expiration
);
if (SecStatus)
{
trace(("AcquireCredentialsHandle() failed. Error=%s\n",
CSSPI::TranslateError(SecStatus) ));
return m_dwStatus = InvalidUser;
}
m_bValidCredHandle = TRUE;
// Signal to caller that login must continue.
// ==========================================
m_dwStatus = LoginContinue;
return NoError;
}
//***************************************************************************
//
// CSSPIClient::SetDefaultLogin
//
// Convenience method to login using 'current' credentials.
//
// Return values same as for SetLoginInfo().
//
//***************************************************************************
DWORD CSSPIClient::SetDefaultLogin(DWORD dwFlags)
{
return SetLoginInfo(0, 0, 0, dwFlags);
}
//***************************************************************************
//
// CSSPIClient::ContinueLogin
//
// Called immediately after SetDefaultLogin() or SetLoginInfo() or
// after prior calls to ContinueLogin after receiving binary tokens
// from the server-side of the conversation.
//
// This is used for both to prepare the logon request and the
// response to the challenge from the server.
//
// Parameters:
// <pInToken> A token received from the server. If no
// token has been received yet, then use NULL.
// This is treated as read-only.
//
// <dwInTokenSize> The number of bytes in the token pointed
// to by <dwInTokenSize>, or 0 if the above
// token is NULL.
//
// <pToken> Receives a pointer to a memory buffer
// containing the token to transfer to the
// server. Deallocate with operator delete.
//
// <pdwTokenSize> Points to a DWORD to receive the size
// of the above token.
//
// Return value:
// <NoError> Returned when no more calls to ContinueLogin
// are completed. <pToken> and <pdwTokenSize>
// are still returned in this case.
// This completes the 'response' portion
// in the challenge-response sequence. The server
// will return an 'access denied' status through
// private means. Note that <NoError> does not
// imply successful logon or that 'access denied' will
// not occur. It merely completes the response
// to the 'challenge'.
//
// After the login request phase (the first call to
// this function) GetStatus() should return
// CSSPIClient::LoginContinue, to indicate that
// another call to this function will be required.
// If GetStatus() CSSPIClient::LoginComplete is
// returned, no more SSPI operations will occur.
// Final success or denial by the server will
// be privately indicated by the server.
//
// <Failed> Internal error. No out-parms are returned in this
// case.
//
//***************************************************************************
DWORD CSSPIClient::ContinueLogin(
IN LPBYTE pInToken,
IN DWORD dwInTokenSize,
OUT LPBYTE *pToken,
OUT DWORD *pdwTokenSize
)
{
// If here, we are ready to build up a token.
// ==========================================
SecBufferDesc OutputBufferDescriptor;
SecBuffer OutputSecurityToken;
ULONG uContextRequirements = 0;
ULONG uContextAttributes;
TimeStamp Expiration;
// Set up the output buffers and out params by
// default. On errors, we simply null the out params.
// ===================================================
OutputBufferDescriptor.cBuffers = 1;
OutputBufferDescriptor.pBuffers = &OutputSecurityToken;
OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
LPBYTE pTokenBuf = new BYTE[m_cbMaxToken];
OutputSecurityToken.BufferType = SECBUFFER_TOKEN;
OutputSecurityToken.cbBuffer = m_cbMaxToken;
OutputSecurityToken.pvBuffer = pTokenBuf;
// Build up the input buffer, if required.
// =======================================
SecBufferDesc InputBufferDescriptor;
SecBuffer InputSecurityToken;
if (pInToken)
{
InputBufferDescriptor.cBuffers = 1;
InputBufferDescriptor.pBuffers = &InputSecurityToken;
InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
InputSecurityToken.BufferType = SECBUFFER_TOKEN;
InputSecurityToken.cbBuffer = dwInTokenSize;
InputSecurityToken.pvBuffer = pInToken;
}
PSecBufferDesc pInBuf = pInToken ? &InputBufferDescriptor : 0;
// Determine if this is first-time or continued call.
// ==================================================
PCtxtHandle pTmp = m_bValidContextHandle ? &m_ClientContext : 0;
SECURITY_STATUS SecStatus =
CSSPI::pVtbl->InitializeSecurityContext(
&m_ClientCredential,
pTmp, // Context handle pointer(
NULL, // Target name (server)
uContextRequirements, // Requirements
0, // Reserved
SECURITY_NATIVE_DREP, // Target data representation
pInBuf, // Input buffer for continued calls
0, // Reserved
&m_ClientContext, // Receives client context handle
&OutputBufferDescriptor,
&uContextAttributes,
&Expiration
);
// Determine the next step.
// ========================
if (SecStatus == SEC_E_OK)
{
*pToken = pTokenBuf;
*pdwTokenSize = OutputSecurityToken.cbBuffer;
m_dwStatus = LoginCompleted;
return NoError;
}
if (SecStatus == SEC_I_CONTINUE_NEEDED)
{
// Set up the output parameters.
// =============================
*pToken = pTokenBuf;
*pdwTokenSize = OutputSecurityToken.cbBuffer;
m_bValidContextHandle = TRUE;
m_dwStatus = LoginContinue;
return NoError;
}
// If here, an error occurred.
// ===========================
trace(("CSSPIClient::ContinueLogin failed. Status code = %s",
CSSPI::TranslateError(SecStatus)
));
CSSPI::pVtbl->DeleteSecurityContext(pTmp);
// Deallocate useless return buffer and NULL the out-parameters.
// =============================================================
delete [] pTokenBuf;
*pToken = 0;
*pdwTokenSize = 0;
m_dwStatus = Failed;
return Failed;
}
//***************************************************************************
//
// CSSPIServer constructor
//
// Parameters:
// <pszPkgName> The SSPI package to use, usually "NTLM".
//
// After construction, CSSPIServer::GetStatus() should return
// CSSPIServer::Waiting. Any other value indicates that the object
// is invalid and cannot be used.
//
//***************************************************************************
CSSPIServer::CSSPIServer(LPTSTR pszPkgName)
{
m_dwStatus = 0;
m_cbMaxToken = 0;
m_pPkgInfo = 0;
m_bValidCredHandle = FALSE;
m_bValidContextHandle = FALSE;
memset(&m_ServerCredential, 0, sizeof(CredHandle));
memset(&m_ServerContext, 0, sizeof(CtxtHandle));
m_pszPkgName = Macro_CloneLPTSTR(pszPkgName);
if (!m_pszPkgName)
{
trace(("CSSPIServer failed to construct (out of memory).\n"));
m_dwStatus = InvalidPackage;
return;
}
// Init the requested package.
// ===========================
SECURITY_STATUS SecStatus = 0;
SecStatus = CSSPI::pVtbl->QuerySecurityPackageInfo(pszPkgName, &m_pPkgInfo);
if (SecStatus != 0)
{
trace(("CSSPIServer failed to construct. Error = %s\n",
CSSPI::TranslateError(SecStatus)
));
m_dwStatus = InvalidPackage;
return;
}
m_cbMaxToken = m_pPkgInfo->cbMaxToken;
// Now acquire a default credentials handle for this machine.
// ==========================================================
TimeStamp Expiration;
SecStatus = CSSPI::pVtbl->AcquireCredentialsHandle(
NULL, // No principal
m_pszPkgName, // Authentication package to use
SECPKG_CRED_INBOUND, // We are a 'server'
NULL, // No logon identifier
NULL, // No pkg specific data
NULL, // No GetKey function
NULL, // No GetKey function arg
&m_ServerCredential, // Server credential
&Expiration // Expiration timestamp
);
if (SecStatus != 0)
{
trace(("CSSPIServer failed in AcquireCredentialsHandle(). Error = %s\n",
CSSPI::TranslateError(SecStatus)
));
m_dwStatus = Failed;
return;
}
m_bValidCredHandle = TRUE;
m_dwStatus = Waiting;
}
//***************************************************************************
//
// CSSPIServer destructor
//
//***************************************************************************
CSSPIServer::~CSSPIServer()
{
if (m_pPkgInfo)
CSSPI::pVtbl->FreeContextBuffer(m_pPkgInfo);
delete [] m_pszPkgName;
if (m_bValidCredHandle)
CSSPI::pVtbl->FreeCredentialHandle(&m_ServerCredential);
if (m_bValidContextHandle)
CSSPI::pVtbl->DeleteSecurityContext(&m_ServerContext);
}
//***************************************************************************
//
// CSSPIServer::ContinueClientLogin
//
// Used to
//
// (1) Receive the client's logon request, and compute the challenge as
// the out-parameter <pToken>
//
// (2) Verify the response to the challenge.
//
// Parameters:
// <pInToken> A read-only pointer to the response (on the second call).
// NULL on the initial call.
//
// <dwInTokenSize> The number of bytes pointed to by the above pointers.
//
// <pToken> On the first call, receives a pointer to the
// challenge to send to the client.
//
// <pdwTokenSize> The size of the above challenge.
//
// Return values:
//
// <LoginContinue> Sent back on the first call to indicate that a
// challenge has been computed and returned to the
// client in <pToken>.
//
// <Failed> No out-params assigned. Indicates internal failure.
//
// <NoError> Only possible on the second call. Indicates the
// client was authenticated.
//
// <AccessDenied> Returned on the second call if the user was denied
// logon.
//
//***************************************************************************
DWORD CSSPIServer::ContinueClientLogin(
IN LPBYTE pInToken,
IN DWORD dwInTokenSize,
OUT LPBYTE *pToken,
OUT DWORD *pdwTokenSize
)
{
TimeStamp Expiration;
SecBufferDesc InputBufferDescriptor;
SecBuffer InputSecurityToken;
SecBufferDesc OutputBufferDescriptor;
SecBuffer OutputSecurityToken;
ULONG uContextRequirements = 0;
ULONG uContextAttributes;
// Build up the input buffer.
// ==========================
InputBufferDescriptor.cBuffers = 1;
InputBufferDescriptor.pBuffers = &InputSecurityToken;
InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
InputSecurityToken.BufferType = SECBUFFER_TOKEN;
InputSecurityToken.cbBuffer = dwInTokenSize;
InputSecurityToken.pvBuffer = pInToken;
// Build the output buffer descriptor.
// ===================================
OutputBufferDescriptor.cBuffers = 1;
OutputBufferDescriptor.pBuffers = &OutputSecurityToken;
OutputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
LPBYTE pOutBuf = new BYTE[m_cbMaxToken];
OutputSecurityToken.BufferType = SECBUFFER_TOKEN;
OutputSecurityToken.cbBuffer = m_cbMaxToken;
OutputSecurityToken.pvBuffer = pOutBuf;
// Set up partial or final context handle.
// =======================================
PCtxtHandle pTmp = m_bValidContextHandle ? &m_ServerContext : 0;
// Process the client's initial token and see what happens.
// ========================================================
SECURITY_STATUS SecStatus = 0;
SecStatus = CSSPI::pVtbl->AcceptSecurityContext(
&m_ServerCredential,
pTmp, // No context handle yet
&InputBufferDescriptor,
uContextRequirements, // No context requirements
SECURITY_NATIVE_DREP,
&m_ServerContext,
&OutputBufferDescriptor,
&uContextAttributes,
&Expiration
);
*pToken = pOutBuf;
*pdwTokenSize = OutputSecurityToken.cbBuffer;
if (SecStatus == SEC_I_CONTINUE_NEEDED)
{
m_dwStatus = LoginContinue;
m_bValidContextHandle = TRUE;
return LoginContinue;
}
if (SecStatus == SEC_E_OK)
{
m_bValidContextHandle = TRUE;
delete [] pOutBuf;
*pToken = 0;
*pdwTokenSize = 0;
m_dwStatus = LoginCompleted;
return NoError;
}
// If here, an error occurred.
// ===========================
trace(("CSSPIClient::ContinueLogin failed. Status code = %s",
CSSPI::TranslateError(SecStatus)
));
*pToken = 0;
*pdwTokenSize = 0;
delete [] pOutBuf;
if (SecStatus == SEC_E_LOGON_DENIED)
{
m_dwStatus = AccessDenied;
return AccessDenied;
}
return Failed;
}
//***************************************************************************
//
// CSSPIServer::QueryUserInfo
//
// Gets information about a client after authentication.
//
// Parameters:
// <pszUser> Receives a pointer to the user name if TRUE is
// returned. Use operator delete to deallocate.
//
// Return value:
// TRUE if the user name was returned, FALSE if not.
//
//***************************************************************************
BOOL CSSPIServer::QueryUserInfo(
OUT LPTSTR *pszUser // Use operator delete
)
{
SecPkgContext_Names Names;
memset(&Names, 0, sizeof(SecPkgContext_Names));
*pszUser = 0;
SECURITY_STATUS SecStatus = CSSPI::pVtbl->QueryContextAttributes(
&m_ServerContext,
SECPKG_ATTR_NAMES,
&Names
);
if (SecStatus != 0)
{
trace(("QueryContextAttributes() for Name fails with %s ",
CSSPI::TranslateError(SecStatus)
));
return FALSE;
}
if (pszUser)
*pszUser = Macro_CloneLPTSTR(Names.sUserName);
CSSPI::pVtbl->FreeContextBuffer(LPVOID(Names.sUserName));
return TRUE;
}
//***************************************************************************
//
// CSSPIServer::IssueLoginToken
//
// Issues a login token for the client to use in subsequent access.
// This will only succeed if the client successfully computed the
// reponse to the challenge and <NoError> was returned from
// ContinueClientLogin.
//
// Parameters:
// <ClsId> Receives the CLSID which becomes the WBEM access token.
//
// Return value:
// NoError, Failed
//
//***************************************************************************
DWORD CSSPIServer::IssueLoginToken(
OUT CLSID &ClsId
)
{
if (m_dwStatus == LoginCompleted)
{
if (SUCCEEDED(CoCreateGuid(&ClsId)))
return NoError;
else
return Failed;
}
memset(&ClsId, 0, sizeof(CLSID));
return Failed;
}