Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

935 lines
19 KiB

/*++
opyright (c) 1996 Microsoft Corporation
Module Name:
iiscrmap.cxx
Abstract:
Certificate to NT account mapper
Author:
Philippe Choquier (phillich) 17-may-1996
Alex Mallet (amallet) 13-Feb-1998
--*/
#ifdef __cplusplus
extern "C" {
#endif
# include <nt.h>
# include <ntrtl.h>
# include <nturtl.h>
# include <windows.h>
#include <stdio.h>
#if 1 // DBCS
#include <mbstring.h>
#endif
#include <schnlsp.h>
#include <wincrypt.h>
#include <issperr.h>
#include <certmap.h>
#include <cmnull.hxx>
#include <lmcons.h>
#ifdef __cplusplus
};
#endif
#include <iis64.h>
#include <iiscrmap.hxx>
extern "C" {
#include <tchar.h>
#include <iisfiltp.h>
} // extern "C"
#include <tslogon.hxx>
#include <iismap.hxx>
#include <iiscmr.hxx>
#include "mapmsg.h"
#include <dbgutil.h>
#include <buffer.hxx>
#include <ole2.h>
#include <imd.h>
#include <mb.hxx>
#include <iiscnfgp.h>
#include <reftrace.h>
#include <iiscert.hxx>
#include <iisctl.hxx>
#include <capiutil.hxx>
#include <sslinfo.hxx>
#define CALLC WINAPI
CRITICAL_SECTION g_csInitCritSec;
DWORD g_dwNumLocators;
extern MAPPER_VTABLE g_MapperVtable;
HANDLE g_hModule;
//
//
//
DECLARE_DEBUG_PRINTS_OBJECT();
#include <initguid.h>
DEFINE_GUID(IisCrMapGuid,
0x784d8913, 0xaa8c, 0x11d2, 0x92, 0x5e, 0x00, 0xc0, 0x4f, 0x72, 0xd9, 0x0e);
extern "C"
BOOL
WINAPI
DLLEntry(
HINSTANCE hDll,
DWORD dwReason,
LPVOID lpvReserved
)
{
switch ( dwReason )
{
case DLL_PROCESS_ATTACH:
#ifdef _NO_TRACING_
CREATE_DEBUG_PRINT_OBJECT( "IISCRMAP" );
#else
CREATE_DEBUG_PRINT_OBJECT( "IISCRMAP" , IisCrMapGuid);
#endif
INITIALIZE_CRITICAL_SECTION( &g_csInitCritSec );
g_dwNumLocators = 0;
g_hModule = hDll;
break;
case DLL_PROCESS_DETACH:
if ( g_dwNumLocators )
{
DBGPRINTF((DBG_CONTEXT,
"Still have %d locators left !\n",
g_dwNumLocators));
}
DELETE_DEBUG_PRINT_OBJECT();
DeleteCriticalSection( &g_csInitCritSec );
break;
default:
break;
}
return TRUE;
}
extern "C"
DWORD CALLC
CreateInstance(
OUT HMAPPER** pHMapper
)
/*++
Routine Description:
Called to initialize the mapper
Arguments:
None
Returns:
Ptr to mapper vtable if success, otherwise NULL
--*/
{
IisMapper *pMap;
if ( !(pMap = (IisMapper*)LocalAlloc( LMEM_FIXED, sizeof(IisMapper) )) )
{
return SEC_E_INSUFFICIENT_MEMORY;
}
memcpy ( &pMap->mvtEntryPoints, &g_MapperVtable, sizeof(MAPPER_VTABLE) );
pMap->hMapper.m_vtable = &pMap->mvtEntryPoints;
pMap->hMapper.m_dwMapperVersion = MAPPER_INTERFACE_VER;
pMap->hMapper.m_Reserved1 = NULL;
pMap->lRefCount = 1;
pMap->fIsIisCompliant = TRUE;
pMap->hInst = (HINSTANCE)g_hModule;
pMap->pCert11Mapper = NULL;
pMap->pCertWMapper = NULL;
pMap->pvInfo = NULL;
pMap->dwSignature = IIS_MAPPER_SIGNATURE;
*pHMapper = (HMAPPER*)pMap;
return SEC_E_OK;
}
extern "C"
LONG CALLC
IisReferenceMapper(
OUT HMAPPER* pMap
)
/*++
Routine Description:
Increment reference count to mapper
Arguments:
pMap - ptr to mapper struct
Returns:
Ref count
--*/
{
LONG l;
EnterCriticalSection( &g_csInitCritSec );
l = ++((IisMapper*)pMap)->lRefCount;
LeaveCriticalSection( &g_csInitCritSec );
return l;
}
extern "C"
LONG CALLC
IisDeReferenceMapper(
OUT HMAPPER* pMap
)
/*++
Routine Description:
Decrement reference count to mapper
Arguments:
pMap - ptr to mapper struct
Returns:
Ref count
--*/
{
LONG l;
EnterCriticalSection( &g_csInitCritSec );
if ( !(l = --((IisMapper*)pMap)->lRefCount) )
{
LocalFree( pMap );
}
LeaveCriticalSection( &g_csInitCritSec );
return l;
}
extern "C"
DWORD CALLC
IisGetChallenge(
HMAPPER*,
PBYTE,
DWORD,
PBYTE,
LPDWORD
)
/*++
Routine Description:
Get challenge for auth sequence
Arguments:
Not used
Returns:
FALSE ( not supported )
--*/
{
return SEC_E_UNSUPPORTED_FUNCTION;
}
extern "C"
DWORD CALLC
IisGetIssuerList(
IN HMAPPER* phMapper,
IN LPVOID pvReserved,
OUT LPBYTE pIssuer,
IN OUT DWORD * pdwIssuer
)
/*++
Routine Description:
Called to retrieve the list of preferred cert issuers
Arguments:
phMapper - pointer to mapper object
pvReserved - nothing useful, right now
pIssuer -- updated with ptr buffer of issuers. If NULL, caller wants to get size of buffer
required for issuer list
pdwIssuer -- updated with issuers buffer size
Returns:
SEC_E_* error code
--*/
{
IIS_SSL_INFO *pSslInfo = (IIS_SSL_INFO *) ((IisMapper*) phMapper)->pvInfo;
BOOL fSuccess = FALSE;
//
// Can't get at any instance-specific information, so we'll just pretend
// that nothing happened
//
if ( !pSslInfo )
{
*pdwIssuer = 0;
return SEC_E_OK;
}
//
// Pull out all the trusted CAs
//
PCCERT_CONTEXT *apContexts = NULL;
PCCERT_CONTEXT pCert = NULL;
DWORD dwCertsFound = 0;
DWORD dwCertsInCTL = 0;
DWORD dwTotalSize = 0;
DWORD dwPosition = 0;
if ( !pSslInfo->GetTrustedIssuerCerts( &apContexts,
&dwCertsFound ) )
{
return SEC_E_UNTRUSTED_ROOT;
}
//
// Figure out total size of chain and whether the buffer passed in is big
// enough. Each cert is to be encoded as [MSB of length] [LSB of length] [cert],
// so two extra bytes need to be added to the length for each cert
//
for ( DWORD dwIndex = 0; dwIndex < dwCertsFound; dwIndex++ )
{
dwTotalSize += apContexts[dwIndex]->cbCertEncoded;
}
dwTotalSize += 2*dwCertsFound;
//
// Caller is only interested in size or buffer is too small
//
if ( !pIssuer || ( pIssuer &&
(*pdwIssuer < dwTotalSize) ) )
{
*pdwIssuer = dwTotalSize;
goto cleanup;
}
//
// Fill in the cert info : [MSB of length] [LSB of length] [Actual cert]
//
for ( dwIndex = 0 ; dwIndex < dwCertsFound; dwIndex++ )
{
pIssuer[dwPosition++] = (BYTE) ((apContexts[dwIndex]->cbCertEncoded) & 0xFF00) >> 8;
pIssuer[dwPosition++] = (BYTE) (apContexts[dwIndex]->cbCertEncoded) & 0xFF;
memcpy( pIssuer + dwPosition, apContexts[dwIndex]->pbCertEncoded,
apContexts[dwIndex]->cbCertEncoded );
dwPosition += apContexts[dwIndex]->cbCertEncoded;
}
DBG_ASSERT( dwPosition == dwTotalSize );
*pdwIssuer = dwTotalSize;
fSuccess = TRUE;
cleanup:
if ( apContexts )
{
for ( dwIndex = 0; dwIndex < dwCertsFound; dwIndex++ )
{
CertFreeCertificateContext( apContexts[dwIndex] );
}
delete [] apContexts;
}
return fSuccess ? SEC_E_OK : SEC_E_UNTRUSTED_ROOT;
#if 0
return ((CIisCert11Mapper*)(((IisMapper*)phMapper)->pCert11Mapper))->GetIssuerBuffer( (LPBYTE)pIssuer, pdwIssuer );
#endif
}
extern "C"
__declspec( dllexport )
DWORD CALLC
MapperFree(
LPVOID pvBuff
)
/*++
Routine Description:
Called to delete list of issuers returned by GetIssuerList
Arguments:
pvBuff -- ptr to buffer alloced by the mapper DLL
Returns:
SEC_E_* error code
--*/
{
//
// Dead code, I believe
//
DBG_ASSERT( TRUE );
LocalFree( pvBuff );
return SEC_E_OK;
}
extern "C"
BOOL CALLC
TerminateMapper(
VOID
)
/*++
Routine Description:
Called to terminate the mapper
Arguments:
None
Returns:
--*/
{
return TRUE;
}
extern "C"
DWORD CALLC
IisMapCredential(
IN HMAPPER * phMapper,
IN DWORD dwCredentialType,
IN PVOID pCredential,
IN PVOID pAuthority,
OUT HLOCATOR * phToken
)
/*++
Routine Description:
Called to map a certificate to a NT account
Arguments:
phMapper - ptr to hmapper struct
dwCredentialType -- type of credential
pCredential - ptr to client cert
pAuthority - ptr to Certifying Authority cert
phToken -- updated with impersonation access token
Returns:
SEC_E_* error code
--*/
{
CIisMapping * pQuery = NULL;
CIisMapping * pResult = NULL;
BOOL fSt;
LPSTR pAcct;
LPSTR pPwd;
LPSTR pA;
DWORD dwA;
DWORD dwD;
int x;
BOOL fAllocedAcct = FALSE;
CHAR achDomain[256];
CHAR achUser[64];
CHAR achCookie[64];
CIisCert11Mapper* pCertMapper;
CIisRuleMapper* pCertWildcard;
LPSTR pEnabled;
DWORD dwE;
DWORD dwP;
CHAR achPwd[PWLEN + 1];
PCERT_CONTEXT pClientCert = (PCERT_CONTEXT) pCredential;
DBG_ASSERT( pClientCert );
//
// Reject request if we do not understand the format
//
if ( dwCredentialType != X509_ASN_CHAIN )
{
SetLastError( ERROR_INVALID_PARAMETER );
return SEC_E_NOT_SUPPORTED;
}
//
// IIS 4 used the pAuthority parameter; IIS 5 doesn't, and Schannel always passes in
// NULL, so remove the error check for it
//
#if 0
//
// Reject request if CA not recognized
//
//
// Removing IsCeritificateVerified() since we don't have what
// we need to do the appropriate queries
//
if ( pAuthority == NULL )
{
SetLastError( ERROR_INVALID_PARAMETER );
return SEC_E_INTERNAL_ERROR;
}
#endif
pCertMapper = (CIisCert11Mapper*)((IisMapper*)phMapper)->pCert11Mapper;
pCertWildcard = (CIisRuleMapper*)((IisMapper*)phMapper)->pCertWMapper;
if ( !pCertMapper )
{
goto wildcard_mapper;
}
#if DBG
CHAR szSubjectName[1024];
CHAR szIssuerName[1024];
if ( CertGetNameString( pClientCert,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
0,
NULL,
szSubjectName,
1024 ) &&
CertGetNameString( pClientCert,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
CERT_NAME_ISSUER_FLAG,
NULL,
szIssuerName,
1024 ) )
{
DBGPRINTF((DBG_CONTEXT,
"[IisMapCredential] Trying to map client cert for subject %s, issued by %s \n",
szSubjectName,
szIssuerName));
}
else
{
DBGPRINTF((DBG_CONTEXT,
"[IisMapCredential] Couldn't get subject or issuer name for client cert : 0x%x\n",
GetLastError()));
}
#endif
//
// Create a mapping request object
//
if ( !(pQuery = pCertMapper->CreateNewMapping( pClientCert->pbCertEncoded,
pClientCert->cbCertEncoded ) ) )
{
DBGPRINTF((DBG_CONTEXT,
"[IisMapCredential] Failed to create cert mapping query !\n"));
return SEC_E_INTERNAL_ERROR;
}
//
// Look for a match. If not found, log event
//
pCertMapper->Lock();
if ( pCertMapper->FindMatch( pQuery,
&pResult ) )
{
if ( !pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_ACCT,
&pAcct,
&dwA,
FALSE ) ||
!pResult->MappingGetField( IISMDB_INDEX_CERT11_ENABLED,
&pEnabled,
&dwE,
FALSE ) ||
!pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_PWD,
&pPwd,
&dwP,
FALSE ) )
{
pCertMapper->Unlock();
delete pQuery;
return SEC_E_INTERNAL_ERROR;
}
strncpy( achPwd,
pPwd,
sizeof( achPwd ) - 1 );
delete pQuery;
//
// if mapping not enabled, ignore it
//
if ( !dwE ||
( dwE == sizeof(DWORD) && *(UNALIGNED64 DWORD *)pEnabled == 0 ) ||
( dwE && *pEnabled == '0' ) )
{
pCertMapper->Unlock();
pCertMapper = NULL;
goto wildcard_mapper;
}
}
else
{
#if 0
//
// log event
//
LPCTSTR pA[CERT_MAP_NB_FIELDS];
for ( UINT x = 0 ; x < CERT_MAP_NB_FIELDS ; ++x )
{
if ( !pQuery->MappingGetField( x, (LPSTR*)(pA+x) ) || pA[x] == NULL )
{
pA[x] = "";
}
}
ReportIisMapEvent( EVENTLOG_INFORMATION_TYPE,
IISMAP_EVENT_NO_MAPPING,
CERT_MAP_NB_FIELDS,
pA );
#endif
pCertMapper->Unlock();
pCertMapper = NULL;
delete pQuery;
//
// Try to find a match using wildcard mapper
//
wildcard_mapper:
if ( pCertWildcard )
{
if ( !pCertWildcard->Match( pClientCert,
(PCERT_CONTEXT)pAuthority,
achCookie,
achPwd ) )
{
//
// Set token to special value '1' for mappings that deny access
//
if ( GetLastError() == ERROR_ACCESS_DENIED )
{
*phToken = (HLOCATOR)1;
return SEC_E_OK;
}
else
{
pAcct = NULL;
}
}
else
{
pAcct = achCookie;
dwA = strlen( pAcct );
}
}
else
{
pAcct = NULL;
}
}
if ( pAcct == NULL )
{
if ( pCertMapper )
{
pCertMapper->Unlock();
}
return SEC_E_UNKNOWN_CREDENTIALS;
}
// break in domain & user name
// copy to local storage so we can unlock mapper object
LPSTR pSep;
LPSTR pUser;
#if 1 // DBCS enabling for user name
// pAcct is always zero terminated
if ( (pSep = (LPSTR)_mbschr( (PUCHAR)pAcct, '\\' )) )
#else
if ( (pSep = (LPSTR)memchr( pAcct, '\\', dwA )) )
#endif
{
if ( (pSep - pAcct) < sizeof(achDomain) )
{
memcpy( achDomain, pAcct, DIFF(pSep - pAcct) );
achDomain[pSep - pAcct] = '\0';
}
else
{
SetLastError( ERROR_INVALID_PARAMETER );
pCertMapper->Unlock();
return SEC_E_UNKNOWN_CREDENTIALS;
}
pUser = pSep + 1;
dwA -= DIFF(pSep - pAcct) + 1;
}
else
{
achDomain[0] = '\0';
pUser = pAcct;
}
if ( dwA >= sizeof(achUser) || dwA <= 0 )
{
SetLastError( ERROR_INVALID_PARAMETER );
pCertMapper->Unlock();
return SEC_E_UNKNOWN_CREDENTIALS;
}
memcpy( achUser, pUser, dwA );
achUser[dwA] = '\0';
if ( pCertMapper )
{
pCertMapper->Unlock();
}
if ( fAllocedAcct )
{
LocalFree( pAcct );
}
DBGPRINTF((DBG_CONTEXT,
"Found a mapping, %s\\%s\n",
(achDomain[0] == '\0' ? "<no domain>" : achDomain),
achUser));
fSt = LogonUserA( achUser,
achDomain,
achPwd,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
(HANDLE*)phToken );
if ( !fSt )
{
LPCTSTR pA[2];
CHAR achAcct[128];
DBGPRINTF((DBG_CONTEXT,
"Logon of %s\\%s failed, error 0x%x\n",
(achDomain[0] == '\0' ? "<no domain>" : achDomain),
achUser,
GetLastError()));
wsprintf( achAcct, "%s\\%s", achDomain, achUser );
if ( FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPSTR)&pA[1],
0,
NULL ) )
{
pA[0] = achAcct;
ReportIisMapEvent( EVENTLOG_ERROR_TYPE,
IISMAP_EVENT_ERROR_LOGON,
sizeof(pA)/sizeof(LPCTSTR),
pA );
LocalFree( (LPVOID)pA[1] );
}
}
else
{
DBGPRINTF((DBG_CONTEXT,
"[IisMapCredential] Successful logon, token 0x%p\n",
*phToken));
g_dwNumLocators++;
}
return fSt ? SEC_E_OK : SEC_E_UNKNOWN_CREDENTIALS;
}
extern "C"
DWORD CALLC IisQueryMappedCredentialAttributes( IN HMAPPER *phMapper,
IN HLOCATOR hLocator,
IN ULONG ulAttribute,
OUT PVOID pBuffer,
IN OUT DWORD *pcbBuffer )
{
if ( !pBuffer || ( *pcbBuffer < sizeof( HLOCATOR ) ) )
{
*pcbBuffer = sizeof( HLOCATOR );
}
else
{
*((HLOCATOR*)pBuffer) = hLocator;
}
return SEC_E_OK;
}
extern "C"
DWORD CALLC
IisGetAccessToken(
IN HMAPPER* phMapper,
IN HLOCATOR tokenhandle,
OUT HANDLE *phToken
)
/*++
Routine Description:
Called to retrieve an access token from a mapping
Arguments:
phMapper - pointer to mapper to use
tokenhandle -- HLOCATOR returned by MapCredential
phToken -- updated with potentially new token
Returns:
SEC_E_* error code
--*/
{
#if 1
*phToken = (HANDLE) tokenhandle;
return SEC_E_OK;
#else
//
// Special value '1' is used to denote mappings that -deny- access
//
if ( tokenhandle == 1 )
{
*phToken = (HANDLE)tokenhandle;
}
else
{
if ( !DuplicateTokenEx( (HANDLE)tokenhandle,
TOKEN_ALL_ACCESS,
NULL,
SecurityImpersonation,
TokenPrimary,
phToken ))
{
return SEC_E_INVALID_TOKEN;
}
}
return SEC_E_OK;
#endif
}
extern "C"
DWORD CALLC
IisCloseLocator(
IN HMAPPER* phMapper,
IN HLOCATOR tokenhandle
)
/*++
Routine Description:
Called to close a HLOCATOR returned by MapCredential
Arguments:
tokenhandle -- HLOCATOR
Returns:
SEC_E_* error code
--*/
{
DBG_ASSERT( g_dwNumLocators > 0 );
if ( tokenhandle != 1 && tokenhandle != NULL )
{
CloseHandle( (HANDLE)tokenhandle );
g_dwNumLocators--;
}
return SEC_E_OK;
}
MAPPER_VTABLE g_MapperVtable={
(REF_MAPPER_FN)IisReferenceMapper,
(DEREF_MAPPER_FN)IisDeReferenceMapper,
(GET_ISSUER_LIST_FN)IisGetIssuerList,
(GET_CHALLENGE_FN)IisGetChallenge,
(MAP_CREDENTIAL_FN)IisMapCredential,
(GET_ACCESS_TOKEN_FN)IisGetAccessToken,
(CLOSE_LOCATOR_FN)IisCloseLocator,
(QUERY_MAPPED_CREDENTIAL_ATTRIBUTES_FN)IisQueryMappedCredentialAttributes
} ;