Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

714 lines
23 KiB

/*--
Copyright (c) 1995-1998 Microsoft Corporation
Module Name: AUTH.CPP
Author: Arul Menezes
Abstract: Authentication
--*/
#include "pch.h"
#pragma hdrstop
#include "httpd.h"
#define IsAccessAllowed(a,b,c,d) TRUE
#define NTLM_DOMAIN TEXT("Domain") // dummy data.
#define SEC_SUCCESS(Status) ((Status) >= 0)
#ifndef OLD_CE_BUILD
BOOL NTLMServerContext(
PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
PAUTH_NTLM pAS,BYTE *pIn, DWORD cbIn, BYTE *pOut,
DWORD *pcbOut, BOOL *pfDone
);
BOOL NTLMClientContext(
PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
PAUTH_NTLM pAS, BYTE *pIn, DWORD cbIn,
BYTE *pOut, DWORD *pcbOut
);
#endif
AUTHLEVEL GetAuthFromACL(PAUTH_NTLM pAuth, PWSTR wszUser, PWSTR wszVRootUserList);
void AuthInitialize(CReg *pReg, BOOL * pfBasicAuth, BOOL * pfNTLMAuth)
{
*pfBasicAuth = pReg->ValueDW(RV_BASIC);
#ifdef OLD_CE_BUILD
// No passthrough Auth on CE 2.11 devices, set it to 0 to avoid misconfigurations
*pfNTLMAuth = 0;
#else
*pfNTLMAuth = pReg->ValueDW(RV_NTLM);
#endif
}
// For calls to Basic Authentication, only called during the parsing stage.
BOOL HandleBasicAuth(PSTR pszData, PSTR* ppszUser, PSTR *ppszPassword,
AUTHLEVEL* pAuth, PAUTH_NTLM pNTLMState, WCHAR *wszVRootUserList)
{
char szUserName[MAXUSERPASS];
DWORD dwLen = sizeof(szUserName);
*pAuth = AUTH_PUBLIC;
*ppszUser = NULL;
// decode the base64
Base64Decode(pszData, szUserName, &dwLen);
// find the password
PSTR pszPassword = strchr(szUserName, ':');
if (!pszPassword)
{
TraceTag(ttidWebServer, "Bad Format for Basic userpass(%s)-->(%s)", pszData, szUserName);
return FALSE;
}
*pszPassword++ = 0; // seperate user & pass
WCHAR wszPassword[MAXUSERPASS];
MyA2W(pszPassword, wszPassword, CCHSIZEOF(wszPassword));
WCHAR wszUserName[MAXUSERPASS];
MyA2W(szUserName,wszUserName, CCHSIZEOF(wszUserName));
// We save the data no matter what, for logging purposes and for possible
// GetServerVariable call.
*ppszUser = MySzDupA(szUserName);
*ppszPassword = MySzDupA(pszPassword);
// If AUTH_USER has been granted, check to see if they're an administrator.
// In BASIC we can only check against the name (no NTLM group info)
#ifdef UNDER_CE
if (CheckPassword(wszPassword))
{
*pAuth = GetAuthFromACL(NULL,wszUserName,wszVRootUserList);
return TRUE;
}
#endif
#ifndef OLD_CE_BUILD
if (g_pVars->m_fNTLMAuth && BasicToNTLM(pNTLMState, wszPassword,wszUserName,pAuth,wszVRootUserList))
{
return TRUE;
}
#endif
TraceTag(ttidWebServer, "Failed logon with Basic userpass(%s)-->(%s)(%s)", pszData, szUserName, pszPassword);
return FALSE;
}
#ifdef OLD_CE_BUILD
// The web server beta doesn't have NTLM, but it uses this file so we
// don't use AuthStub.cpp here
BOOL CHttpRequest::HandleNTLMAuth(PSTR pszNTLMData)
{
return FALSE;
}
BOOL NTLMInitLib(PAUTH_NTLM pNTLMState)
{
return FALSE;
}
void FreeNTLMHandles(PAUTH_NTLM pNTLMState)
{
;
}
#else
// This function is called 2 times during an NTLM auth session. The first
// time it has the Client user name, domain,... which it forwards to DC or
// looks in registry for (this NTLM detail is transparent to httpd)
// On 2nd time it has the client's response, which either is or is not
// enough to grant access to page. On 2nd pass, free up all NTLM context data.
// FILTER NOTES: On IIS no user name or password info is given to the filter
// on NTLM calls, so neither do we. (WinCE does give BASIC data, though).
// The main reason this is is that
BOOL CHttpRequest::HandleNTLMAuth(PSTR pszNTLMData)
{
DEBUG_CODE_INIT;
BOOL ret = FALSE;
DWORD dwIn;
DWORD dwOut;
BOOL fDone = FALSE;
PBYTE pOutBuf = NULL;
PBYTE pInBuf = NULL; // Base64 decoded data from pszNTLMData
// Are the NTLM libs loaded already?
if (NTLM_NO_INIT_LIB == m_NTLMState.m_Conversation)
{
if ( ! NTLMInitLib(&m_NTLMState))
myretleave(FALSE,94);
}
dwOut = g_pVars->m_cbNTLMMax;
if (NULL == (pOutBuf = MyRgAllocNZ(BYTE,dwOut)))
myleave(360);
if (NULL == m_pszNTLMOutBuf)
{
// We will later Base64Encode pOutBuf later, encoding writes 4 outbut bytes
// for every 3 input bytes
if (NULL == (m_pszNTLMOutBuf = MyRgAllocNZ(CHAR,dwOut*(4/3) + 1)))
myleave(361);
}
dwIn = strlen(pszNTLMData) + 1;
if (NULL == (pInBuf = MyRgAllocNZ(BYTE,dwIn)))
myleave(363);
Base64Decode(pszNTLMData,(PSTR) pInBuf,&dwIn);
// On the 1st pass this gets a data blob to be sent back to the client
// broweser in pOutBuf, which is encoded to m_pszNTLMOutBuf. On the 2nd
// pass it either authenticates or fails.
if (! NTLMServerContext(NULL, &m_NTLMState, pInBuf,
dwIn,pOutBuf,&dwOut,&fDone))
{
// Note: We MUST free the m_pszNTMLOutBuf on 2nd pass failure. If the
// client recieves the blob on a failure
// it will consider the web server to be malfunctioning and will not send
// another set of data, and will not prompt the user for a password.
MyFree(m_pszNTLMOutBuf);
// Setting to DONE will cause the local structs to be freed; they must
// be fresh in case browser attempts to do NTLM again with new user name/
// password on same session. Don't bother unloading the lib.
m_NTLMState.m_Conversation = NTLM_DONE;
myleave(362);
}
if (fDone)
{
TraceTag(ttidWebServer, "NTLM Successfully authenticated user");
m_AuthLevelGranted = GetAuthFromACL(&m_NTLMState,NULL,m_wszVRootUserList);
m_dwAuthFlags |= m_AuthLevelGranted;
m_NTLMState.m_Conversation = NTLM_DONE;
MyFree(m_pszNTLMOutBuf);
myretleave(TRUE,0);
}
Base64Encode(pOutBuf,dwOut,m_pszNTLMOutBuf);
ret = TRUE;
done:
TraceTag(ttidWebServer, "HandleNTLMAuthent died, err = %d, gle = %d",err,GetLastError());
MyFree(pOutBuf);
MyFree(pInBuf);
return ret;
}
// Sets up NTLM info in the passed data structure. This fcn loads the library,
// gets the function table, and determines the maximum buffer size.
// stolen from osinternal\comm\test\security\sockauth\security.c
BOOL NTLMInitLib(PAUTH_NTLM pNTLMState)
{
DEBUG_CODE_INIT;
FARPROC pInit;
SECURITY_STATUS ss;
PSecPkgInfo pkgInfo;
BOOL ret = FALSE;
PSecurityFunctionTable pLocal = NULL;
// load and initialize the ntlm ssp
//
if (g_pVars->m_pNTLMFuncs)
{
pNTLMState->m_Conversation = NTLM_NO_INIT_CONTEXT;
return TRUE;
}
g_pVars->m_hNTLMLib = LoadLibrary (NTLM_DLL_NAME);
if (NULL == g_pVars->m_hNTLMLib)
myleave(700);
pInit = (FARPROC) GetProcAddress (g_pVars->m_hNTLMLib, SECURITY_ENTRYPOINT_CE);
if (NULL == pInit)
myleave(701);
pLocal = (PSecurityFunctionTable) pInit ();
if (NULL == pLocal)
myleave(702);
// Query for the package we're interested in
//
ss = pLocal->QuerySecurityPackageInfo (NTLM_PACKAGE_NAME, &pkgInfo);
if (!SEC_SUCCESS(ss))
myleave(703);
g_pVars->m_cbNTLMMax = pkgInfo->cbMaxToken;
pLocal->FreeContextBuffer (pkgInfo);
// The libraries have been set, but pNTLMState's structures are still empty
pNTLMState->m_Conversation = NTLM_NO_INIT_CONTEXT;
TraceTag(ttidWebServer, "NTLM Libs successfully initialized");
ret = TRUE;
done:
if (FALSE == ret)
{
// Don't worry about freeing pkgInfo, it was freed right after creation
// anyway - no chance to go wrong
MyFreeLib (g_pVars->m_hNTLMLib);
// Set everything to false so httpd doesn't think we have legit data later.
memset(pNTLMState, 0 , sizeof(AUTH_NTLM));
}
else
{
g_pVars->m_pNTLMFuncs = pLocal; // Flag that shows we've initialized
}
TraceTag(ttidWebServer, "NTLMInitLib failed, err = %d, GLE = 0x%08x",err,
GetLastError());
return ret;
}
// Unload the contexts. The library is NOT freed in this call, only freed
// in CHttpRequest destructor.
void FreeNTLMHandles(PAUTH_NTLM pNTLMState)
{
if (NULL == pNTLMState || NULL == g_pVars->m_pNTLMFuncs)
return;
if (pNTLMState->m_fHaveCtxtHandle)
g_pVars->m_pNTLMFuncs->DeleteSecurityContext (&pNTLMState->m_hctxt);
if (pNTLMState->m_fHaveCredHandle)
g_pVars->m_pNTLMFuncs->FreeCredentialHandle (&pNTLMState->m_hcred);
pNTLMState->m_fHaveCredHandle = FALSE;
pNTLMState->m_fHaveCtxtHandle = FALSE;
}
// Given Basic authentication data, we try to "forge" and NTLM request
// This fcn simulates a client+server talking to each other, though it's in the
// same proc. The client is "virtual," doesn't refer to the http client
// pNTLMState is CHttpRequest::m_NTLMState
BOOL BasicToNTLM(PAUTH_NTLM pNTLMState, WCHAR * wszPassword, WCHAR * wszRemoteUser,
AUTHLEVEL *pAuth, WCHAR *wszVRootUserList)
{
DEBUG_CODE_INIT;
AUTH_NTLM ClientState; // forges the client role
AUTH_NTLM ServerState; // forges the server role
BOOL fDone = FALSE;
PBYTE pClientOutBuf = NULL;
PBYTE pServerOutBuf = NULL;
DWORD cbServerBuf;
DWORD cbClientBuf;
DEBUGCHK(wszPassword != NULL && wszRemoteUser != NULL && pNTLMState != NULL);
SEC_WINNT_AUTH_IDENTITY AuthIdentityClient = {
(unsigned short *)wszRemoteUser, wcslen(wszRemoteUser),
(unsigned short *)NTLM_DOMAIN,sizeof(NTLM_DOMAIN)/sizeof(TCHAR) - 1,
(unsigned short *)wszPassword, wcslen(wszPassword),
0}; // dummy domain needed
memset(&ServerState,0,sizeof(AUTH_NTLM));
memset(&ClientState,0,sizeof(AUTH_NTLM));
// 1st pass through, load up library.
if (NTLM_NO_INIT_LIB == pNTLMState->m_Conversation)
{
if ( ! NTLMInitLib(pNTLMState))
myleave(369);
pNTLMState->m_Conversation = NTLM_NO_INIT_CONTEXT;
}
// NTLM auth functions seem to expect that these buffer will be zeroed.
pClientOutBuf = MyRgAllocZ(BYTE,g_pVars->m_cbNTLMMax);
if (NULL == pClientOutBuf)
myleave(370);
pServerOutBuf = MyRgAllocZ(BYTE,g_pVars->m_cbNTLMMax);
if (NULL == pServerOutBuf)
myleave(371);
ServerState.m_Conversation = NTLM_NO_INIT_CONTEXT;
ClientState.m_Conversation = NTLM_NO_INIT_CONTEXT;
cbClientBuf = cbServerBuf = g_pVars->m_cbNTLMMax;
// Main loop that forges client and server talking.
while (!fDone)
{
cbClientBuf = g_pVars->m_cbNTLMMax;
if (! NTLMClientContext(&AuthIdentityClient,&ClientState,pServerOutBuf,
cbServerBuf, pClientOutBuf, &cbClientBuf))
{
myleave(372);
}
cbServerBuf = g_pVars->m_cbNTLMMax;
if (! NTLMServerContext(&AuthIdentityClient,&ServerState, pClientOutBuf,
cbClientBuf, pServerOutBuf, &cbServerBuf, &fDone))
{
myleave(373);
}
}
done:
TraceTag(ttidWebServer, "Unable to convert Basic Auth to NTLM Auth, err = %d",err);
if (fDone)
{
*pAuth = GetAuthFromACL(&ServerState,wszRemoteUser,wszVRootUserList);
}
MyFree(pClientOutBuf);
MyFree(pServerOutBuf);
FreeNTLMHandles(&ServerState);
FreeNTLMHandles(&ClientState);
return fDone;
}
// This calls the DC (or goes to registry in local case), either getting a
// data blob to return to client or granting auth or denying.
// stolen from osinternal\comm\test\security\sockauth\security.c
BOOL NTLMServerContext(
PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
PAUTH_NTLM pAS, // NTLM state info
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone)
{
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff;
ULONG ContextAttributes;
if (NTLM_NO_INIT_CONTEXT == pAS->m_Conversation)
{
ss = g_pVars->m_pNTLMFuncs->AcquireCredentialsHandle (
NULL, // principal
NTLM_PACKAGE_NAME,
SECPKG_CRED_INBOUND,
NULL, // LOGON id
pAuthIdentity,
NULL, // get key fn
NULL, // get key arg
&pAS->m_hcred,
&Lifetime
);
if (SEC_SUCCESS (ss))
pAS->m_fHaveCredHandle = TRUE;
else
{
TraceTag(ttidWebServer, "NTLM AcquireCreds failed: %X", ss);
return(FALSE);
}
}
// prepare output buffer
//
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
// prepare input buffer
//
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = &InSecBuff;
InSecBuff.cbBuffer = cbIn;
InSecBuff.BufferType = SECBUFFER_TOKEN;
InSecBuff.pvBuffer = pIn;
ss = g_pVars->m_pNTLMFuncs->AcceptSecurityContext (
&pAS->m_hcred,
(pAS->m_Conversation == NTLM_PROCESSING) ? &pAS->m_hctxt : NULL,
&InBuffDesc,
0, // context requirements
SECURITY_NATIVE_DREP,
&pAS->m_hctxt,
&OutBuffDesc,
&ContextAttributes,
&Lifetime
);
if (!SEC_SUCCESS (ss))
{
TraceTag(ttidWebServer, "NTLM init context failed: %X", ss);
return FALSE;
}
pAS->m_fHaveCtxtHandle = TRUE;
// Complete token -- if applicable
//
if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss))
{
if (g_pVars->m_pNTLMFuncs->CompleteAuthToken)
{
ss = g_pVars->m_pNTLMFuncs->CompleteAuthToken (&pAS->m_hctxt, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
{
TraceTag(ttidWebServer, " NTLM complete failed: %X", ss);
return FALSE;
}
}
else
{
TraceTag(ttidWebServer, "Complete not supported.");
return FALSE;
}
}
*pcbOut = OutSecBuff.cbBuffer;
pAS->m_Conversation = NTLM_PROCESSING;
*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
(SEC_I_COMPLETE_AND_CONTINUE == ss));
return TRUE;
}
// Forges the client browser's part in NTLM communication if the browser
// sent a Basic request. This is used primarily for Netscape clients, which only
// supports Basic.
// stolen from osinternal\comm\test\security\sockauth\security.c
BOOL NTLMClientContext(
PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
PAUTH_NTLM pAS, // NTLM state info
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut)
{
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff;
ULONG ContextAttributes;
if (NTLM_NO_INIT_CONTEXT == pAS->m_Conversation)
{
ss = g_pVars->m_pNTLMFuncs->AcquireCredentialsHandle (
NULL, // principal
NTLM_PACKAGE_NAME,
SECPKG_CRED_OUTBOUND,
NULL, // LOGON id
pAuthIdentity, // auth data
NULL, // get key fn
NULL, // get key arg
&pAS->m_hcred,
&Lifetime
);
if (SEC_SUCCESS (ss))
pAS->m_fHaveCredHandle = TRUE;
else
{
TraceTag(ttidWebServer, "AcquireCreds failed: %X", ss);
return(FALSE);
}
}
// prepare output buffer
//
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
// prepare input buffer
if (NTLM_NO_INIT_CONTEXT != pAS->m_Conversation)
{
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = &InSecBuff;
InSecBuff.cbBuffer = cbIn;
InSecBuff.BufferType = SECBUFFER_TOKEN;
InSecBuff.pvBuffer = pIn;
}
ss = g_pVars->m_pNTLMFuncs->InitializeSecurityContext (
&pAS->m_hcred,
(pAS->m_Conversation == NTLM_PROCESSING) ? &pAS->m_hctxt : NULL,
NULL,
0, // context requirements
0, // reserved1
SECURITY_NATIVE_DREP,
(pAS->m_Conversation == NTLM_PROCESSING) ? &InBuffDesc : NULL,
0, // reserved2
&pAS->m_hctxt,
&OutBuffDesc,
&ContextAttributes,
&Lifetime
);
if (!SEC_SUCCESS (ss))
{
TraceTag(ttidWebServer, "init context failed: %X", ss);
return FALSE;
}
pAS->m_fHaveCtxtHandle = TRUE;
// Complete token -- if applicable
//
if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss))
{
if (g_pVars->m_pNTLMFuncs->CompleteAuthToken)
{
ss = g_pVars->m_pNTLMFuncs->CompleteAuthToken (&pAS->m_hctxt, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
{
TraceTag(ttidWebServer, "complete failed: %X", ss);
return FALSE;
}
}
else
{
TraceTag(ttidWebServer, "Complete not supported.");
return FALSE;
}
}
*pcbOut = OutSecBuff.cbBuffer;
pAS->m_Conversation = NTLM_PROCESSING;
return TRUE;
}
#endif // OLD_CE_BUILD
// Called after a user has been successfully authenticated with either BASIC or NTLM.
// See \winceos\comm\security\authhlp to see ACL algorithm function/description.
// Our algorithm: AdminUsers reg value is set and user is a member, always grant
// Admin auth. If no AdminUser key is set always grant Admin auth level,
// UNLESS this vroot has a UserList set. If user is a member, then grant
// ADMIN_USER, otherwise set to AUTH_PUBLIC (no auth).
// If user is not in admin list but in UserList for vroot, grant AUTH_USER.
AUTHLEVEL GetAuthFromACL(PAUTH_NTLM pAuth, PWSTR wszUser, PWSTR wszVRootUserList)
{
AUTHLEVEL AuthGranted = AUTH_USER;
PWSTR wsz = NULL; // User (in function)
PWSTR wszGroup = NULL;
SecPkgContext_Names pkgName;
#if defined(UNDER_CE) && !defined (OLD_CE_BUILD)
SecPkgContext_GroupNames ContextGroups;
ContextGroups.msGroupNames = NULL;
#endif
pkgName.sUserName = NULL;
// If we're called from NTLM request (pAuth != NULL) then we need
// to get the user name if we don't have it. On BASIC request, we
// have wszUser name already.
if (pAuth && !wszUser)
{
if ( SEC_SUCCESS(g_pVars->m_pNTLMFuncs->QueryContextAttributes(&(pAuth->m_hctxt),
SECPKG_ATTR_NAMES, &pkgName)))
{
wsz = pkgName.sUserName;
}
else
goto done; // If we can't get user name, don't bother continuing
}
else
{
wsz = wszUser;
}
#if defined(UNDER_CE) && !defined (OLD_CE_BUILD)
if (pAuth)
g_pVars->m_pNTLMFuncs->QueryContextAttributes(&(pAuth->m_hctxt),SECPKG_ATTR_GROUP_NAMES,&ContextGroups);
wszGroup = ContextGroups.msGroupNames;
#endif
TraceTag(ttidWebServer, "ADmin Users = %s, wsz = %s, pkgName.sUserName = %s, group name = %s\r\n",
g_pVars->m_wszAdminUsers,wsz,pkgName.sUserName,wszGroup);
// Administrators always get admin access and access to the page, even if
// they're barred in the VRoot list. If there is a vroot list and we fail
// the IsAccessAllowed test, we set the auth granted to 0 - this
// will deny access. If no VRoot user list is set, keep us at AUTH_USER.
if ( !g_pVars->m_wszAdminUsers && !wszVRootUserList)
AuthGranted = AUTH_ADMIN;
else if (g_pVars->m_wszAdminUsers && IsAccessAllowed(wsz,wszGroup,g_pVars->m_wszAdminUsers,FALSE))
AuthGranted = AUTH_ADMIN;
else if (wszVRootUserList && IsAccessAllowed(wsz,wszGroup,wszVRootUserList,FALSE))
{
// If there is no Admin list set, grant admin
if (!g_pVars->m_wszAdminUsers)
AuthGranted = AUTH_ADMIN;
else
AuthGranted = AUTH_USER;
}
else if (wszVRootUserList)
AuthGranted = AUTH_PUBLIC;
done:
if (pkgName.sUserName)
g_pVars->m_pNTLMFuncs->FreeContextBuffer(pkgName.sUserName);
#if defined(UNDER_CE) && !defined (OLD_CE_BUILD)
if (ContextGroups.msGroupNames)
g_pVars->m_pNTLMFuncs->FreeContextBuffer(ContextGroups.msGroupNames);
#endif
TraceTag(ttidWebServer, "HTTPD: GetAuthFromACL Admin Priveleges granted = %d",AuthGranted);
return AuthGranted;
}