mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
990 lines
24 KiB
990 lines
24 KiB
/*++
|
|
Copyright (c) 1999 Microsoft Corporation
|
|
|
|
Module Name :
|
|
digestprovider.cxx
|
|
|
|
Abstract:
|
|
Digest authentication provider
|
|
|
|
Author:
|
|
Ming Lu (minglu) 24-Jun-2000
|
|
|
|
Environment:
|
|
Win32 - User Mode
|
|
|
|
Project:
|
|
ULW3.DLL
|
|
--*/
|
|
|
|
#include "precomp.hxx"
|
|
#include "sspiprovider.hxx"
|
|
#include "digestprovider.hxx"
|
|
#include "uuencode.hxx"
|
|
|
|
ALLOC_CACHE_HANDLER * DIGEST_SECURITY_CONTEXT::sm_pachDIGESTSecContext
|
|
= NULL;
|
|
|
|
//static
|
|
HRESULT
|
|
DIGEST_AUTH_PROVIDER::Initialize(
|
|
DWORD dwInternalId
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Initialize Digest SSPI provider
|
|
|
|
Arguments:
|
|
|
|
None
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
HRESULT hr;
|
|
|
|
SetInternalId( dwInternalId );
|
|
hr = DIGEST_SECURITY_CONTEXT::Initialize();
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error initializing Digest Auth Prov. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
return NO_ERROR;
|
|
}
|
|
|
|
//static
|
|
VOID
|
|
DIGEST_AUTH_PROVIDER::Terminate(
|
|
VOID
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Terminate SSPI Digest provider
|
|
|
|
Arguments:
|
|
|
|
None
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
{
|
|
DIGEST_SECURITY_CONTEXT::Terminate();
|
|
}
|
|
|
|
HRESULT
|
|
DIGEST_AUTH_PROVIDER::DoesApply(
|
|
W3_MAIN_CONTEXT * pMainContext,
|
|
BOOL * pfApplies
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Does the given request have credentials applicable to the Digest
|
|
provider
|
|
|
|
Arguments:
|
|
|
|
pMainContext - Main context representing request
|
|
pfApplies - Set to true if Digest is applicable
|
|
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
CHAR * pszAuthHeader = NULL;
|
|
HRESULT hr;
|
|
SSPI_CONTEXT_STATE * pContextState;
|
|
STACK_STRA( strPackage, 64 );
|
|
W3_METADATA * pMetaData = NULL;
|
|
|
|
|
|
if ( pMainContext == NULL ||
|
|
pfApplies == NULL )
|
|
{
|
|
DBG_ASSERT( FALSE );
|
|
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
|
|
}
|
|
|
|
*pfApplies = FALSE;
|
|
|
|
//
|
|
// Is using of Digest SSP enabled?
|
|
//
|
|
if ( !g_pW3Server->QueryUseDigestSSP() )
|
|
{
|
|
return NO_ERROR;
|
|
}
|
|
|
|
//
|
|
// Get the auth type
|
|
//
|
|
|
|
hr = pMainContext->QueryRequest()->GetAuthType( &strPackage );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
//
|
|
// No package, no auth
|
|
//
|
|
|
|
if ( strPackage.IsEmpty() )
|
|
{
|
|
return NO_ERROR;
|
|
}
|
|
|
|
//
|
|
// Is it Digest?
|
|
//
|
|
|
|
if ( _stricmp( strPackage.QueryStr(), "Digest" ) == 0 )
|
|
{
|
|
//
|
|
// Save away the package so we don't have to calc again
|
|
//
|
|
|
|
DBG_ASSERT( !strPackage.IsEmpty() );
|
|
|
|
pszAuthHeader = pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization );
|
|
DBG_ASSERT( pszAuthHeader != NULL );
|
|
|
|
pContextState = new (pMainContext) SSPI_CONTEXT_STATE(
|
|
pszAuthHeader + strPackage.QueryCCH() + 1 );
|
|
if ( pContextState == NULL )
|
|
{
|
|
return HRESULT_FROM_WIN32( GetLastError() );
|
|
}
|
|
|
|
hr = pContextState->SetPackage( strPackage.QueryStr() );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error in SetPackage(). hr = %x\n",
|
|
hr ));
|
|
delete pContextState;
|
|
pContextState = NULL;
|
|
return hr;
|
|
}
|
|
|
|
pMainContext->SetContextState( pContextState );
|
|
|
|
*pfApplies = TRUE;
|
|
}
|
|
|
|
return NO_ERROR;
|
|
}
|
|
|
|
HRESULT
|
|
DIGEST_AUTH_PROVIDER::DoAuthenticate(
|
|
W3_MAIN_CONTEXT * pMainContext
|
|
)
|
|
/*++
|
|
|
|
Description:
|
|
|
|
Do authentication work (we will be called if we apply)
|
|
|
|
Arguments:
|
|
|
|
pMainContext - Main context
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
DWORD err;
|
|
HRESULT hr = E_FAIL;
|
|
W3_METADATA * pMetaData = NULL;
|
|
W3_CONNECTION * pW3Connection = NULL;
|
|
DIGEST_SECURITY_CONTEXT * pDigestSecurityContext = NULL;
|
|
SSPI_CONTEXT_STATE * pContextState = NULL;
|
|
SSPI_USER_CONTEXT * pUserContext = NULL;
|
|
SSPI_CREDENTIAL * pDigestCredentials = NULL;
|
|
|
|
SecBufferDesc SecBuffDescOutput;
|
|
SecBufferDesc SecBuffDescInput;
|
|
|
|
//
|
|
// We have 5 input buffer and 1 output buffer to fill data
|
|
// in for digest authentication
|
|
//
|
|
|
|
SecBuffer SecBuffTokenOut[ 1 ];
|
|
SecBuffer SecBuffTokenIn[ 5 ];
|
|
|
|
SECURITY_STATUS secStatus = SEC_E_OK;
|
|
|
|
CtxtHandle hServerCtxtHandle;
|
|
|
|
TimeStamp Lifetime;
|
|
|
|
ULONG ContextReqFlags = 0;
|
|
ULONG ContextAttributes = 0;
|
|
|
|
STACK_STRU( strOutputHeader, 256 );
|
|
|
|
STACK_BUFFER( bufOutputBuffer, 4096 );
|
|
STACK_STRA( strMethod, 10 );
|
|
STACK_STRU( strUrl, MAX_PATH );
|
|
STACK_STRA( strUrlA, MAX_PATH );
|
|
STACK_STRA( strRealm, 128 );
|
|
|
|
if ( pMainContext == NULL )
|
|
{
|
|
DBG_ASSERT( FALSE );
|
|
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
|
|
}
|
|
|
|
pContextState = ( SSPI_CONTEXT_STATE* )
|
|
pMainContext->QueryContextState();
|
|
DBG_ASSERT( pContextState != NULL );
|
|
|
|
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
|
|
DBG_ASSERT( pMetaData != NULL );
|
|
|
|
//
|
|
// clean the memory and set it to zero
|
|
//
|
|
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) );
|
|
ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
|
|
|
|
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) );
|
|
ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
|
|
|
|
//
|
|
// define the buffer descriptor for the Outpt
|
|
//
|
|
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION;
|
|
SecBuffDescOutput.cBuffers = 1;
|
|
SecBuffDescOutput.pBuffers = SecBuffTokenOut;
|
|
|
|
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize();
|
|
SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
|
|
|
|
//
|
|
// define the buffer descriptor for the Input
|
|
//
|
|
|
|
SecBuffDescInput.ulVersion = SECBUFFER_VERSION;
|
|
SecBuffDescInput.cBuffers = 5;
|
|
SecBuffDescInput.pBuffers = SecBuffTokenIn;
|
|
|
|
//
|
|
// set the digest auth header in the buffer
|
|
//
|
|
|
|
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenIn[0].cbBuffer = strlen(pContextState->QueryCredentials());
|
|
SecBuffTokenIn[0].pvBuffer = pContextState->QueryCredentials();
|
|
|
|
//
|
|
// Get and Set the information for the method
|
|
//
|
|
|
|
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error getting the method. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH();
|
|
SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
|
|
|
|
//
|
|
// Get and Set the infomation for the Url
|
|
//
|
|
|
|
hr = pMainContext->QueryRequest()->GetUrl( &strUrl );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error getting the URL. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
hr = strUrlA.CopyW( strUrl.QueryStr() );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error copying the URL. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB();
|
|
SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
|
|
|
|
|
|
//
|
|
// Get and Set the information for the hentity
|
|
//
|
|
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
|
|
SecBuffTokenIn[3].pvBuffer = 0; // this is not yet implemeted
|
|
|
|
//
|
|
//Get and Set the Realm Information
|
|
//
|
|
|
|
if( pMetaData->QueryRealm() )
|
|
{
|
|
hr = strRealm.CopyW( pMetaData->QueryRealm() );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error copying the realm. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
}
|
|
|
|
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB();
|
|
SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
|
|
|
|
//
|
|
// Get a Security Context
|
|
//
|
|
|
|
//
|
|
// get the credential for the server
|
|
//
|
|
|
|
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME,
|
|
&pDigestCredentials );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF((DBG_CONTEXT,
|
|
"Error get credential handle. hr = 0x%x \n",
|
|
hr ));
|
|
|
|
return hr;
|
|
}
|
|
|
|
DBG_ASSERT( pDigestCredentials != NULL );
|
|
|
|
//
|
|
// Resize the output buffer to max token size
|
|
//
|
|
if( !bufOutputBuffer.Resize(
|
|
pDigestCredentials->QueryMaxTokenSize() ) )
|
|
{
|
|
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
|
|
}
|
|
|
|
pDigestSecurityContext =
|
|
( DIGEST_SECURITY_CONTEXT * ) QueryConnectionAuthContext( pMainContext );
|
|
|
|
|
|
//
|
|
// check to see if there is an old Context Handle
|
|
//
|
|
if ( pDigestSecurityContext != NULL )
|
|
{
|
|
//
|
|
// defined the buffer
|
|
//
|
|
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize();
|
|
SecBuffTokenIn[4].pvBuffer =
|
|
( PVOID )bufOutputBuffer.QueryPtr();
|
|
|
|
secStatus = VerifySignature(
|
|
pDigestSecurityContext->QueryContextHandle(),
|
|
&SecBuffDescInput,
|
|
0,
|
|
0 );
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// set the flags
|
|
//
|
|
ContextReqFlags = ASC_REQ_REPLAY_DETECT |
|
|
ASC_REQ_CONNECTION;
|
|
|
|
//
|
|
// get the security context
|
|
//
|
|
secStatus = AcceptSecurityContext(
|
|
pDigestCredentials->QueryCredHandle(),
|
|
NULL,
|
|
&SecBuffDescInput,
|
|
ContextReqFlags,
|
|
SECURITY_NATIVE_DREP,
|
|
&hServerCtxtHandle,
|
|
&SecBuffDescOutput,
|
|
&ContextAttributes,
|
|
&Lifetime);
|
|
|
|
if( SEC_I_COMPLETE_NEEDED == secStatus )
|
|
{
|
|
//
|
|
//defined the buffer
|
|
//
|
|
|
|
SecBuffTokenIn[4].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenIn[4].cbBuffer = bufOutputBuffer.QuerySize();
|
|
SecBuffTokenIn[4].pvBuffer =
|
|
( PVOID )bufOutputBuffer.QueryPtr();
|
|
|
|
secStatus = CompleteAuthToken(
|
|
&hServerCtxtHandle,
|
|
&SecBuffDescInput
|
|
);
|
|
}
|
|
|
|
if ( SUCCEEDED( secStatus ) )
|
|
{
|
|
pDigestSecurityContext = new DIGEST_SECURITY_CONTEXT(
|
|
pDigestCredentials );
|
|
if ( NULL == pDigestSecurityContext )
|
|
{
|
|
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
|
|
}
|
|
|
|
pDigestSecurityContext->SetContextHandle(
|
|
hServerCtxtHandle );
|
|
|
|
pDigestSecurityContext->SetContextAttributes(
|
|
ContextAttributes );
|
|
|
|
//
|
|
// Mark the security context is complete, so we can detect
|
|
// reauthentication on the same connection
|
|
//
|
|
// CODEWORK: Can probably get away will just
|
|
// un-associating/deleting the
|
|
// SSPI_SECURITY_CONTEXT now!
|
|
//
|
|
|
|
pDigestSecurityContext->SetIsComplete( TRUE );
|
|
|
|
SetConnectionAuthContext( pMainContext,
|
|
pDigestSecurityContext );
|
|
}
|
|
}
|
|
|
|
//
|
|
// Check to see if the nonce has expired
|
|
//
|
|
if (SEC_E_CONTEXT_EXPIRED == secStatus)
|
|
{
|
|
//
|
|
// stale = true indicates that user knows password but he need to use new nonce
|
|
// let's treat stale = true as part of the continuing authentication handshake
|
|
// IIS will send back only Digest header in this case ( even if more auth methods
|
|
// are enabled )
|
|
//
|
|
|
|
if ( NULL != pDigestSecurityContext )
|
|
{
|
|
pDigestSecurityContext->SetStale( TRUE );
|
|
}
|
|
|
|
//
|
|
// Add Digest headers to response
|
|
//
|
|
|
|
hr = SetDigestHeader( pMainContext,
|
|
TRUE //Stale
|
|
);
|
|
|
|
if ( FAILED( hr ) )
|
|
{
|
|
return hr;
|
|
}
|
|
//
|
|
// Don't let anyone else send back authentication headers when
|
|
// the 401 is sent
|
|
//
|
|
|
|
pMainContext->SetProviderHandled( TRUE );
|
|
|
|
//
|
|
// We need to send a 401 response to continue the handshake.
|
|
// We have already setup the WWW-Authenticate header
|
|
//
|
|
|
|
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
|
|
Http401BadLogon );
|
|
|
|
pMainContext->SetFinishedResponse();
|
|
|
|
pMainContext->SetErrorStatus( SEC_E_CONTEXT_EXPIRED );
|
|
}
|
|
|
|
else if( FAILED( secStatus ) )
|
|
{
|
|
err = GetLastError();
|
|
if( err == ERROR_PASSWORD_MUST_CHANGE ||
|
|
err == ERROR_PASSWORD_EXPIRED )
|
|
{
|
|
return HRESULT_FROM_WIN32( err );
|
|
}
|
|
|
|
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
|
|
Http401BadLogon );
|
|
|
|
pMainContext->SetErrorStatus( HRESULT_FROM_WIN32( secStatus ) );
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Create a user context and setup it up
|
|
//
|
|
|
|
pUserContext = new SSPI_USER_CONTEXT( this );
|
|
if ( pUserContext == NULL )
|
|
{
|
|
return HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
|
|
}
|
|
|
|
hr = pUserContext->Create( pDigestSecurityContext, pMainContext );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
pUserContext->DereferenceUserContext();
|
|
pUserContext = NULL;
|
|
return hr;
|
|
}
|
|
|
|
pMainContext->SetUserContext( pUserContext );
|
|
}
|
|
|
|
return NO_ERROR;
|
|
}
|
|
|
|
HRESULT
|
|
DIGEST_AUTH_PROVIDER::OnAccessDenied(
|
|
W3_MAIN_CONTEXT * pMainContext
|
|
)
|
|
/*++
|
|
|
|
Description:
|
|
|
|
Add WWW-Authenticate Digest headers
|
|
|
|
Arguments:
|
|
|
|
pMainContext - main context
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
W3_METADATA * pMetaData;
|
|
|
|
if ( pMainContext == NULL )
|
|
{
|
|
DBG_ASSERT( FALSE );
|
|
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
|
|
}
|
|
|
|
//
|
|
// Is using of Digest SSP enabled?
|
|
//
|
|
if ( !g_pW3Server->QueryUseDigestSSP() )
|
|
{
|
|
return NO_ERROR;
|
|
}
|
|
|
|
if( !W3_STATE_AUTHENTICATION::QueryIsDomainMember() )
|
|
{
|
|
//
|
|
// We are not a domain member, so do nothing
|
|
//
|
|
return NO_ERROR;
|
|
}
|
|
|
|
return SetDigestHeader( pMainContext,
|
|
FALSE //stale will not be sent
|
|
);
|
|
}
|
|
|
|
HRESULT
|
|
DIGEST_AUTH_PROVIDER::SetDigestHeader(
|
|
IN W3_MAIN_CONTEXT * pMainContext,
|
|
IN BOOL fStale )
|
|
/*++
|
|
|
|
Description:
|
|
|
|
Add WWW-Authenticate Digest headers
|
|
|
|
Arguments:
|
|
|
|
pMainContext - main context
|
|
pDigestSecurityContext - Digest context containing information such as
|
|
Stale. NULL means that no stale is to be sent
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
HRESULT hr = E_FAIL;
|
|
W3_METADATA * pMetaData;
|
|
W3_CONNECTION * pW3Connection;
|
|
|
|
//
|
|
// 4096 is the max output for digest authenticaiton
|
|
//
|
|
|
|
STACK_BUFFER( bufOutputBuffer, 4096 );
|
|
STACK_STRA( strOutputHeader, MAX_PATH );
|
|
STACK_STRA( strMethod, 10 );
|
|
STACK_STRU( strUrl, MAX_PATH );
|
|
STACK_STRA( strRealm, 128 );
|
|
|
|
STACK_STRA( strUrlA, MAX_PATH );
|
|
|
|
SecBufferDesc SecBuffDescOutput;
|
|
SecBufferDesc SecBuffDescInput;
|
|
|
|
SecBuffer SecBuffTokenOut[ 1 ];
|
|
SecBuffer SecBuffTokenIn[ 5 ];
|
|
|
|
SECURITY_STATUS secStatus = SEC_E_OK;
|
|
|
|
SSPI_CREDENTIAL * pDigestCredential = NULL;
|
|
CtxtHandle hServerCtxtHandle;
|
|
|
|
ULONG ContextReqFlags = 0;
|
|
ULONG ContextAttributes = 0;
|
|
TimeStamp Lifetime;
|
|
|
|
|
|
|
|
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
|
|
DBG_ASSERT( pMetaData != NULL );
|
|
|
|
//
|
|
// Get a Security Context
|
|
//
|
|
|
|
//
|
|
// get the credential for the server
|
|
//
|
|
|
|
hr = SSPI_CREDENTIAL::GetCredential( NTDIGEST_SP_NAME,
|
|
&pDigestCredential );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF((DBG_CONTEXT,
|
|
"Error get credential handle. hr = 0x%x \n",
|
|
hr ));
|
|
|
|
return hr;
|
|
}
|
|
|
|
DBG_ASSERT( pDigestCredential != NULL );
|
|
|
|
if( !bufOutputBuffer.Resize(
|
|
pDigestCredential->QueryMaxTokenSize() ) )
|
|
{
|
|
hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
|
|
|
|
DBGPRINTF((DBG_CONTEXT,
|
|
"Error resize the output buffer. hr = 0x%x \n",
|
|
hr ));
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
//
|
|
// clean the memory and set it to zero
|
|
//
|
|
ZeroMemory( &SecBuffDescOutput, sizeof( SecBufferDesc ) );
|
|
ZeroMemory( SecBuffTokenOut , sizeof( SecBuffTokenOut ) );
|
|
|
|
ZeroMemory( &SecBuffDescInput , sizeof( SecBufferDesc ) );
|
|
ZeroMemory( SecBuffTokenIn , sizeof( SecBuffTokenIn ) );
|
|
|
|
//
|
|
// define the OUTPUT
|
|
//
|
|
|
|
SecBuffDescOutput.ulVersion = SECBUFFER_VERSION;
|
|
SecBuffDescOutput.cBuffers = 1;
|
|
SecBuffDescOutput.pBuffers = SecBuffTokenOut;
|
|
|
|
SecBuffTokenOut[0].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenOut[0].cbBuffer = bufOutputBuffer.QuerySize();
|
|
SecBuffTokenOut[0].pvBuffer = ( PVOID )bufOutputBuffer.QueryPtr();
|
|
|
|
//
|
|
// define the Input
|
|
//
|
|
|
|
SecBuffDescInput.ulVersion = SECBUFFER_VERSION;
|
|
SecBuffDescInput.cBuffers = 5;
|
|
SecBuffDescInput.pBuffers = SecBuffTokenIn;
|
|
|
|
//
|
|
// Get and Set the information for the challenge
|
|
//
|
|
|
|
//
|
|
// set the inforamtion in the buffer, this case is Null to
|
|
// authenticate user
|
|
//
|
|
SecBuffTokenIn[0].BufferType = SECBUFFER_TOKEN;
|
|
SecBuffTokenIn[0].cbBuffer = 0;
|
|
SecBuffTokenIn[0].pvBuffer = NULL;
|
|
|
|
//
|
|
// Get and Set the information for the method
|
|
//
|
|
|
|
hr = pMainContext->QueryRequest()->GetVerbString( &strMethod );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error getting the method. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
SecBuffTokenIn[1].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[1].cbBuffer = strMethod.QueryCCH();
|
|
SecBuffTokenIn[1].pvBuffer = strMethod.QueryStr();
|
|
|
|
//
|
|
// Get and Set the infomation for the Url
|
|
//
|
|
|
|
hr = pMainContext->QueryRequest()->GetUrl( &strUrl );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error getting the URL. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
hr = strUrlA.CopyW( strUrl.QueryStr() );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error copying the URL. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
|
|
SecBuffTokenIn[2].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[2].cbBuffer = strUrlA.QueryCB();
|
|
SecBuffTokenIn[2].pvBuffer = ( PVOID )strUrlA.QueryStr();
|
|
|
|
//
|
|
// Get and Set the information for the hentity
|
|
//
|
|
SecBuffTokenIn[3].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[3].cbBuffer = 0; // this is not yet implemeted
|
|
SecBuffTokenIn[3].pvBuffer = NULL; // this is not yet implemeted
|
|
|
|
//
|
|
//Get and Set the Realm Information
|
|
//
|
|
|
|
if( pMetaData->QueryRealm() )
|
|
{
|
|
hr = strRealm.CopyW( pMetaData->QueryRealm() );
|
|
if( FAILED( hr ) )
|
|
{
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error copying the realm. hr = %x\n",
|
|
hr ));
|
|
return hr;
|
|
}
|
|
}
|
|
|
|
SecBuffTokenIn[4].BufferType = SECBUFFER_PKG_PARAMS;
|
|
SecBuffTokenIn[4].cbBuffer = strRealm.QueryCB();
|
|
SecBuffTokenIn[4].pvBuffer = ( PVOID )strRealm.QueryStr();
|
|
|
|
//
|
|
// set the flags
|
|
//
|
|
|
|
ContextReqFlags = ASC_REQ_REPLAY_DETECT |
|
|
ASC_REQ_CONNECTION;
|
|
|
|
//
|
|
// get the security context
|
|
//
|
|
secStatus = AcceptSecurityContext(
|
|
pDigestCredential->QueryCredHandle(),
|
|
NULL,
|
|
&SecBuffDescInput,
|
|
ContextReqFlags,
|
|
SECURITY_NATIVE_DREP,
|
|
&hServerCtxtHandle,
|
|
&SecBuffDescOutput,
|
|
&ContextAttributes,
|
|
&Lifetime);
|
|
|
|
//
|
|
// a challenge has to be send back to the client
|
|
//
|
|
if ( SEC_I_CONTINUE_NEEDED == secStatus )
|
|
{
|
|
//
|
|
// Do we already have a digest security context
|
|
//
|
|
|
|
|
|
if( fStale )
|
|
{
|
|
hr = strOutputHeader.Copy( "Digest stale=TRUE ," );
|
|
}
|
|
else
|
|
{
|
|
hr = strOutputHeader.Copy( "Digest " );
|
|
}
|
|
|
|
if( FAILED( hr ) )
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
hr = strOutputHeader.Append(
|
|
( CHAR * )SecBuffDescOutput.pBuffers[0].pvBuffer,
|
|
SecBuffDescOutput.pBuffers[0].cbBuffer - 1 );
|
|
if( FAILED( hr ) )
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
//
|
|
// Add the header WWW-Authenticate to the response after a
|
|
// 401 server error
|
|
//
|
|
|
|
hr = pMainContext->QueryResponse()->SetHeader(
|
|
"WWW-Authenticate",
|
|
16,
|
|
strOutputHeader.QueryStr(),
|
|
strOutputHeader.QueryCCH()
|
|
);
|
|
}
|
|
else
|
|
{
|
|
hr = S_OK;
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//static
|
|
HRESULT
|
|
DIGEST_SECURITY_CONTEXT::Initialize(
|
|
VOID
|
|
)
|
|
/*++
|
|
|
|
Description:
|
|
|
|
Global DIGEST_SECURITY_CONTEXT initialization
|
|
|
|
Arguments:
|
|
|
|
None
|
|
|
|
Return Value:
|
|
|
|
HRESULT
|
|
|
|
--*/
|
|
{
|
|
ALLOC_CACHE_CONFIGURATION acConfig;
|
|
|
|
//
|
|
// Initialize allocation lookaside
|
|
//
|
|
|
|
acConfig.nConcurrency = 1;
|
|
acConfig.nThreshold = 100;
|
|
acConfig.cbSize = sizeof( DIGEST_SECURITY_CONTEXT );
|
|
|
|
DBG_ASSERT( sm_pachDIGESTSecContext == NULL );
|
|
|
|
sm_pachDIGESTSecContext = new ALLOC_CACHE_HANDLER(
|
|
"DIGEST_SECURITY_CONTEXT",
|
|
&acConfig );
|
|
|
|
if ( sm_pachDIGESTSecContext == NULL )
|
|
{
|
|
HRESULT hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY );
|
|
|
|
DBGPRINTF(( DBG_CONTEXT,
|
|
"Error initializing sm_pachDIGESTSecContext. hr = 0x%x\n",
|
|
hr ));
|
|
|
|
return hr;
|
|
}
|
|
|
|
return S_OK;
|
|
|
|
} // DIGEST_SECURITY_CONTEXT::Initialize
|
|
|
|
//static
|
|
VOID
|
|
DIGEST_SECURITY_CONTEXT::Terminate(
|
|
VOID
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Destroy DIGEST_SECURITY_CONTEXT globals
|
|
|
|
Arguments:
|
|
|
|
None
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
{
|
|
DBG_ASSERT( sm_pachDIGESTSecContext != NULL );
|
|
|
|
delete sm_pachDIGESTSecContext;
|
|
sm_pachDIGESTSecContext = NULL;
|
|
|
|
} // DIGEST_SECURITY_CONTEXT::Terminate
|
|
|