BOOL ClientAuthenticate(const char *name, const char *hostname)
{
int rc, rcISC;
SEC_WINNT_AUTH_IDENTITY nameAndPwd = {0};
int bytesReceived = 0, bytesSent = 0;
char myTokenSource[256];
TimeStamp useBefore;
DWORD ctxReq, ctxAttr;
int dwRead,dwWritten;
// input and output buffers
SecBufferDesc obd, ibd;
SecBuffer ob, ib[2];
BOOL haveInbuffer = FALSE;
BOOL haveContext = FALSE;
SCHANNEL_CRED cred = {0};
PCCERT_CONTEXT cert = NULL;
HANDLE hMy = CertOpenSystemStore(0,"MY");
if(!hMy)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
return FALSE;
}
if(name)
{
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t *)cvs::wide(name), NULL);
if(!cert)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"No certificate for '%s': %s\n",name,GetErrorString(rcISC));
return FALSE;
}
}
cred.dwVersion = SCHANNEL_CRED_VERSION;
cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS;
if(cert)
{
cred.cCreds = 1;
cred.paCred = &cert;
}
rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore );
ctxReq = ISC_REQ_MANUAL_CRED_VALIDATION | ISC_REQ_INTEGRITY | ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;
strncpy(myTokenSource,hostname,sizeof(myTokenSource));
CertCloseStore(hMy,0);
ib[0].pvBuffer = NULL;
while ( 1 )
{
obd.ulVersion = SECBUFFER_VERSION;
obd.cBuffers = 1;
obd.pBuffers = &ob; // just one buffer
ob.BufferType = SECBUFFER_TOKEN; // preping a token here
ob.cbBuffer = secPackInfo->cbMaxToken;
ob.pvBuffer = malloc(secPackInfo->cbMaxToken);
rcISC = InitializeSecurityContext( &credHandle, haveContext? &contextHandle: NULL,
myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP, haveInbuffer? &ibd: NULL,
0, &contextHandle, &obd, &ctxAttr, &useBefore );
if ( ib[0].pvBuffer != NULL )
{
free(ib[0].pvBuffer);
ib[0].pvBuffer = NULL;
}
if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
{
CompleteAuthToken( &contextHandle, &obd );
if ( rcISC == SEC_I_COMPLETE_NEEDED )
rcISC = SEC_E_OK;
else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
rcISC = SEC_I_CONTINUE_NEEDED;
}
if(rcISC<0)
{
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
}
// send the output buffer off to the server
if ( ob.cbBuffer != 0 )
{
if((dwWritten=tcp_write( (const char *) ob.pvBuffer, ob.cbBuffer))<=0)
break;
bytesSent += dwWritten;
}
free(ob.pvBuffer);
ob.pvBuffer = NULL;
ob.cbBuffer = 0;
if ( rcISC != SEC_I_CONTINUE_NEEDED )
break;
// prepare to get the server's response
ibd.ulVersion = SECBUFFER_VERSION;
ibd.cBuffers = 2;
ibd.pBuffers = ib; // just one buffer
ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here
ib[0].cbBuffer = secPackInfo->cbMaxToken;
ib[0].pvBuffer = malloc(secPackInfo->cbMaxToken);
ib[1].cbBuffer = 0;
ib[1].pvBuffer = NULL;
ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff
// receive the server's response
if((dwRead=tcp_read(ib[0].pvBuffer,ib[0].cbBuffer))<=0)
break;
bytesReceived += dwRead;
// by now we have an input buffer and a client context
haveInbuffer = TRUE;
haveContext = TRUE;
}
// we arrive here as soon as InitializeSecurityContext()
// returns != SEC_I_CONTINUE_NEEDED.
if ( rcISC != SEC_E_OK )
haveContext = FALSE;
else
haveContext = TRUE; /* Looopback kerberos needs this */
return haveContext;
}
/* sqAuthContinue: Submit a token to the authentication session.
Arguments:
handle - the authentication session handle
token - the pointer to the token data
tokensize - the length of the token data.
Returns:
An integer status code.
<0 - Error. The error code is platform specific.
0 - OK. The session is authenticated.
1 - Another server-roundtrip is needed.
*/
int sqAuthContinue(int handle, char *token, int tokensize) {
sqAuthData *auth = (sqAuthData*)handle;
SECURITY_STATUS ret;
ULONG flags = DEFAULT_AUTH_FLAGS;
ULONG attrs = 0;
if(auth == NULL) return -1;
auth->inbuf[0].BufferType = SECBUFFER_TOKEN;
auth->inbuf[0].cbBuffer = tokensize;
auth->inbuf[0].pvBuffer = token;
auth->inbuf[1].BufferType = SECBUFFER_EMPTY;
auth->inbuf[1].cbBuffer = 0;
auth->inbuf[1].pvBuffer = NULL;
auth->sbdIn.cBuffers = 2;
ret = InitializeSecurityContext(&auth->cred,
&auth->ctxt,
auth->principal,
flags,
0,
SECURITY_NETWORK_DREP,
&auth->sbdIn,
0,
NULL,
&auth->sbdOut,
&attrs,
NULL);
if (FAILED(ret)) {
if(debug) printf("InitializeSecurityContext failed: %x\n", ret);
return -(ret & 0x7FFFFFFF);
}
if(debug) printf("InitializeSecurityContext returned: %x\n", ret);
/* Complete token if needed */
if(ret == SEC_I_COMPLETE_NEEDED || ret == SEC_I_COMPLETE_AND_CONTINUE) {
SECURITY_STATUS ss;
ss = CompleteAuthToken (&auth->ctxt, &auth->sbdOut);
if(FAILED(ss)) {
if(debug) printf("CompleteAuthToken failed: %x\n", ss);
return ss;
}
}
if(ret == SEC_E_OK || ret == SEC_I_COMPLETE_NEEDED) {
/* success; session is established */
return 0;
}
if(ret == SEC_I_CONTINUE_NEEDED || ret == SEC_I_COMPLETE_AND_CONTINUE) {
/* need another round trip */
return 1;
}
return -ret;
}
apr_status_t
serf__kerb_init_sec_context(serf__kerb_context_t *ctx,
const char *service,
const char *hostname,
serf__kerb_buffer_t *input_buf,
serf__kerb_buffer_t *output_buf,
apr_pool_t *scratch_pool,
apr_pool_t *result_pool
)
{
SECURITY_STATUS status;
ULONG actual_attr;
SecBuffer sspi_in_buffer;
SecBufferDesc sspi_in_buffer_desc;
SecBuffer sspi_out_buffer;
SecBufferDesc sspi_out_buffer_desc;
char *target_name;
apr_status_t apr_status;
const char *canonname;
apr_status = get_canonical_hostname(&canonname, hostname, scratch_pool);
if (apr_status) {
return apr_status;
}
target_name = apr_pstrcat(scratch_pool, service, "/", canonname, NULL);
/* Prepare input buffer description. */
sspi_in_buffer.BufferType = SECBUFFER_TOKEN;
sspi_in_buffer.pvBuffer = input_buf->value;
sspi_in_buffer.cbBuffer = input_buf->length;
sspi_in_buffer_desc.cBuffers = 1;
sspi_in_buffer_desc.pBuffers = &sspi_in_buffer;
sspi_in_buffer_desc.ulVersion = SECBUFFER_VERSION;
/* Output buffers. Output buffer will be allocated by system. */
sspi_out_buffer.BufferType = SECBUFFER_TOKEN;
sspi_out_buffer.pvBuffer = NULL;
sspi_out_buffer.cbBuffer = 0;
sspi_out_buffer_desc.cBuffers = 1;
sspi_out_buffer_desc.pBuffers = &sspi_out_buffer;
sspi_out_buffer_desc.ulVersion = SECBUFFER_VERSION;
status = InitializeSecurityContext(
&ctx->sspi_credentials,
ctx->initalized ? &ctx->sspi_context : NULL,
target_name,
ISC_REQ_ALLOCATE_MEMORY
| ISC_REQ_MUTUAL_AUTH
| ISC_REQ_CONFIDENTIALITY,
0, /* Reserved1 */
SECURITY_NETWORK_DREP,
&sspi_in_buffer_desc,
0, /* Reserved2 */
&ctx->sspi_context,
&sspi_out_buffer_desc,
&actual_attr,
NULL);
if (sspi_out_buffer.cbBuffer > 0) {
apr_pool_cleanup_register(result_pool, sspi_out_buffer.pvBuffer,
cleanup_sec_buffer,
apr_pool_cleanup_null);
}
ctx->initalized = TRUE;
/* Finish authentication if SSPI requires so. */
if (status == SEC_I_COMPLETE_NEEDED
|| status == SEC_I_COMPLETE_AND_CONTINUE)
{
CompleteAuthToken(&ctx->sspi_context, &sspi_out_buffer_desc);
}
output_buf->value = sspi_out_buffer.pvBuffer;
output_buf->length = sspi_out_buffer.cbBuffer;
switch(status) {
case SEC_I_COMPLETE_AND_CONTINUE:
case SEC_I_CONTINUE_NEEDED:
return APR_EAGAIN;
case SEC_I_COMPLETE_NEEDED:
case SEC_E_OK:
return APR_SUCCESS;
default:
return map_sspi_status(status);
}
}
BOOL ServerAuthenticate(const char *hostname)
{
int rc, rcISC, rcl;
BOOL haveToken;
int bytesReceived = 0, bytesSent = 0;
TimeStamp useBefore;
// input and output buffers
SecBufferDesc obd, ibd;
SecBuffer ob, ib[2];
BOOL haveContext = FALSE;
DWORD ctxReq,ctxAttr;
int n;
short len;
SCHANNEL_CRED cred = {0};
char host[256];
struct addrinfo *ai=NULL, hints = {0};
PCCERT_CONTEXT cert;
HANDLE hMy = CertOpenSystemStore(0,"MY");
if(!hMy)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
return FALSE;
}
if(!hostname)
{
gethostname (host, sizeof host);
hints.ai_flags=AI_CANONNAME;
if(getaddrinfo(cvs::idn(host),NULL,&hints,&ai))
server_error (1, "can't get canonical hostname");
hostname = ai->ai_canonname;
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(cvs::decode_idn(hostname)), NULL);
}
else
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(hostname), NULL);
if(!cert)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"No certificate for '%s': %s\n",hostname,GetErrorString(rcISC));
return FALSE;
}
cred.cCreds = 1;
cred.paCred = &cert;
if(ai)
freeaddrinfo(ai);
cred.dwVersion = SCHANNEL_CRED_VERSION;
cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS;
rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_INBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore );
if ( rc == SEC_E_OK )
haveToken = TRUE;
else
haveToken = FALSE;
CertCloseStore(hMy,0);
while ( 1 )
{
// prepare to get the server's response
ibd.ulVersion = SECBUFFER_VERSION;
ibd.cBuffers = 2;
ibd.pBuffers = ib; // just one buffer
ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here
ib[0].cbBuffer = secPackInfo->cbMaxToken;
ib[0].pvBuffer = malloc(ib[0].cbBuffer);
ib[1].cbBuffer = 0;
ib[1].pvBuffer = NULL;
ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff
// receive the client's POD
rcl = read( current_server()->in_fd, ib[0].pvBuffer, ib[0].cbBuffer);
if(rcl<=0)
{
rc = SEC_E_INTERNAL_ERROR;
break;
}
// by now we have an input buffer
obd.ulVersion = SECBUFFER_VERSION;
obd.cBuffers = 1;
obd.pBuffers = &ob; // just one buffer
ob.BufferType = SECBUFFER_TOKEN; // preping a token here
ob.cbBuffer = secPackInfo->cbMaxToken;
ob.pvBuffer = malloc(secPackInfo->cbMaxToken);
if(rc<0)
{
len=0;
if((n=write(current_server()->out_fd,&len,sizeof(len)))<=0)
break;
break;
}
ctxReq = ASC_REQ_INTEGRITY | ASC_REQ_CONFIDENTIALITY | ASC_REQ_REPLAY_DETECT | ASC_REQ_SEQUENCE_DETECT | ASC_REQ_STREAM;
rc = AcceptSecurityContext( &credHandle, haveContext? &contextHandle: NULL,
&ibd, ctxReq, SECURITY_NATIVE_DREP, &contextHandle, &obd, &ctxAttr,
&useBefore );
if ( ib[0].pvBuffer != NULL )
{
free( ib[0].pvBuffer );
ib[0].pvBuffer = NULL;
}
if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
{
CompleteAuthToken( &contextHandle, &obd );
if ( rc == SEC_I_COMPLETE_NEEDED )
rc = SEC_E_OK;
else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
rc = SEC_I_CONTINUE_NEEDED;
}
// send the output buffer off to the server
// warning -- this is machine-dependent! FIX IT!
if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
{
if ( ob.cbBuffer != 0 )
{
if((n=write(current_server()->out_fd,ob.pvBuffer, ob.cbBuffer))<=0)
break;
bytesSent += n;
}
free(ob.pvBuffer);
ob.pvBuffer = NULL;
ob.cbBuffer = 0;
}
else
{
break;
}
if ( rc != SEC_I_CONTINUE_NEEDED )
break;
haveContext = TRUE;
}
// we arrive here as soon as InitializeSecurityContext()
// returns != SEC_I_CONTINUE_NEEDED.
if ( rc != SEC_E_OK )
{
haveToken = FALSE;
}
if(rc<0)
server_error(0,"[%08x] %s\n",rc, GetErrorString(rc));
return haveToken?TRUE:FALSE;
}
BOOL GenClientContext (
BYTE *pIn,
DWORD cbIn,
BYTE *pOut,
DWORD *pcbOut,
BOOL *pfDone,
CHAR *pszTarget,
CredHandle *hCred,
struct _SecHandle *hcText)
{
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff;
ULONG ContextAttributes;
static TCHAR lpPackageName[1024];
if( NULL == pIn )
{
strcpy_s(lpPackageName, 1024 * sizeof(TCHAR), "Negotiate");
ss = AcquireCredentialsHandle (
NULL,
lpPackageName,
SECPKG_CRED_OUTBOUND,
NULL,
NULL,
NULL,
NULL,
hCred,
&Lifetime);
if (!(SEC_SUCCESS (ss)))
{
MyHandleError("AcquireCreds failed ");
}
}
//--------------------------------------------------------------------
// Prepare the buffers.
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
//-------------------------------------------------------------------
// The input buffer is created only if a message has been received
// from the server.
if (pIn)
{
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = &InSecBuff;
InSecBuff.cbBuffer = cbIn;
InSecBuff.BufferType = SECBUFFER_TOKEN;
InSecBuff.pvBuffer = pIn;
ss = InitializeSecurityContext (
hCred,
hcText,
pszTarget,
MessageAttribute,
0,
SECURITY_NATIVE_DREP,
&InBuffDesc,
0,
hcText,
&OutBuffDesc,
&ContextAttributes,
&Lifetime);
}
else
{
ss = InitializeSecurityContext (
hCred,
NULL,
pszTarget,
MessageAttribute,
0,
SECURITY_NATIVE_DREP,
NULL,
0,
hcText,
&OutBuffDesc,
&ContextAttributes,
&Lifetime);
}
if (!SEC_SUCCESS (ss))
{
MyHandleError ("InitializeSecurityContext failed " );
}
//-------------------------------------------------------------------
// If necessary, complete the token.
if ((SEC_I_COMPLETE_NEEDED == ss)
|| (SEC_I_COMPLETE_AND_CONTINUE == ss))
{
ss = CompleteAuthToken (hcText, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
{
fprintf (stderr, "complete failed: 0x%08x\n", ss);
return FALSE;
}
}
*pcbOut = OutSecBuff.cbBuffer;
*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
(SEC_I_COMPLETE_AND_CONTINUE == ss));
printf ("Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer);
PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
return TRUE;
}
SECURITY_STATUS getToken(char **negotiateToken, WCHAR *targetName, WCHAR *hostName)
{
//----------------------------------------------------------------------
unsigned long cPackages;
PSecPkgInfo PackageInfo;
SECURITY_STATUS stat;
// Get the name of the package
stat = EnumerateSecurityPackages(
&cPackages,
&PackageInfo);
if (stat != SEC_E_OK)
{
wprintf(
L"Security function failed with error: %i\n",
stat);
return stat;
}
SEC_WCHAR *szPackage = PackageInfo->Name;
unsigned long m_cbMaxToken = PackageInfo->cbMaxToken;
PBYTE m_pOutBuf = (PBYTE)malloc(m_cbMaxToken);
//--------------------------------------------------------------------
CredHandle hCredential;
TimeStamp tsExpiry;
PSEC_WINNT_AUTH_IDENTITY_OPAQUE pAuthIdentity = NULL; // The structure for storing user data entered
stat = AcquireCredentialsHandle(
NULL,
szPackage,
SECPKG_CRED_OUTBOUND,
NULL,
pAuthIdentity,
NULL,
NULL,
&hCredential,
&tsExpiry);
if (stat != SEC_E_OK)
{
wprintf(
L"Credentials function failed with error: %i\n",
stat);
return stat;
}
//--------------------------------------------------------------------
CtxtHandle m_hCtxt;
SecBufferDesc outSecBufDesc;
SecBuffer outSecBuf;
unsigned long fContextAttr;
// prepare output buffer
outSecBufDesc.ulVersion = 0;
outSecBufDesc.cBuffers = 1;
outSecBufDesc.pBuffers = &outSecBuf;
outSecBuf.cbBuffer = m_cbMaxToken;
outSecBuf.BufferType = SECBUFFER_TOKEN;
outSecBuf.pvBuffer = m_pOutBuf;
stat = InitializeSecurityContext(
&hCredential,
NULL,
targetName,
ISC_REQ_CONFIDENTIALITY,
0, // reserved1
SECURITY_NATIVE_DREP,
NULL,
0, // reserved2
&m_hCtxt,
&outSecBufDesc,
&fContextAttr,
&tsExpiry);
FreeCredentialsHandle(&hCredential);
switch (stat)
{
case SEC_I_CONTINUE_NEEDED:
case SEC_I_COMPLETE_AND_CONTINUE: CompleteAuthToken(&m_hCtxt, &outSecBufDesc); break;
case SEC_E_OK: break;
default: return stat;
}
DeleteSecurityContext(&m_hCtxt);
FreeContextBuffer(PackageInfo);
if (outSecBuf.cbBuffer)
{
base64_encode(reinterpret_cast < char* > (m_pOutBuf), outSecBuf.cbBuffer, negotiateToken);
}
else
{
return -1;
}
if (strlen(*negotiateToken) < 500)
{
CREDUI_INFO creduiInfo = { 0 };
creduiInfo.cbSize = sizeof(creduiInfo);
// Change the message text and caption to the actual text for your dialog.
SEC_WCHAR message[NI_MAXHOST];
_snwprintf_s(
message,
NI_MAXHOST,
_TRUNCATE,
L"Enter your username and password to connect to %s",
hostName);
creduiInfo.pszCaptionText = L"Connect to the proxy-server";
creduiInfo.pszMessageText = message;
BOOL fSave = TRUE; // Checkmark "Remember user"
stat = SspiPromptForCredentials(
targetName,
&creduiInfo,
0,
szPackage,
NULL,
&pAuthIdentity,
&fSave,
0);
}
return SEC_E_OK;
}
char* NtlmCreateResponseFromChallenge(HANDLE hSecurity, const char *szChallenge, const TCHAR* login, const TCHAR* psw, bool http, unsigned& complete)
{
if (hSecurity == NULL || ntlmCnt == 0)
return NULL;
SecBufferDesc outputBufferDescriptor, inputBufferDescriptor;
SecBuffer outputSecurityToken, inputSecurityToken;
TimeStamp tokenExpiration;
ULONG contextAttributes;
char *szOutputToken;
NtlmHandleType* hNtlm = (NtlmHandleType*)hSecurity;
if (mir_tstrcmpi(hNtlm->szProvider, _T("Basic"))) {
bool isGSSAPI = mir_tstrcmpi(hNtlm->szProvider, _T("GSSAPI")) == 0;
TCHAR *szProvider = isGSSAPI ? (TCHAR*)_T("Kerberos") : hNtlm->szProvider;
bool hasChallenge = szChallenge != NULL && szChallenge[0] != '\0';
if (hasChallenge) {
unsigned tokenLen;
BYTE *token = (BYTE*)mir_base64_decode(szChallenge, &tokenLen);
if (token == NULL)
return NULL;
if (isGSSAPI && complete)
return CompleteGssapi(hSecurity, token, tokenLen);
inputBufferDescriptor.cBuffers = 1;
inputBufferDescriptor.pBuffers = &inputSecurityToken;
inputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
inputSecurityToken.BufferType = SECBUFFER_TOKEN;
inputSecurityToken.cbBuffer = tokenLen;
inputSecurityToken.pvBuffer = token;
// try to decode the domain name from the NTLM challenge
if (login != NULL && login[0] != '\0' && !hNtlm->hasDomain) {
NtlmType2packet* pkt = (NtlmType2packet*)token;
if (!strncmp(pkt->sign, "NTLMSSP", 8) && pkt->type == 2) {
wchar_t* domainName = (wchar_t*)&token[pkt->targetName.offset];
int domainLen = pkt->targetName.len;
// Negotiate ANSI? if yes, convert the ANSI name to unicode
if ((pkt->flags & 1) == 0) {
int bufsz = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, NULL, 0);
wchar_t* buf = (wchar_t*)alloca(bufsz * sizeof(wchar_t));
domainLen = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, buf, bufsz) - 1;
domainName = buf;
}
else domainLen /= sizeof(wchar_t);
if (domainLen) {
size_t newLoginLen = mir_tstrlen(login) + domainLen + 1;
TCHAR *newLogin = (TCHAR*)alloca(newLoginLen * sizeof(TCHAR));
_tcsncpy(newLogin, domainName, domainLen);
newLogin[domainLen] = '\\';
mir_tstrcpy(newLogin + domainLen + 1, login);
char* szChl = NtlmCreateResponseFromChallenge(hSecurity, NULL, newLogin, psw, http, complete);
mir_free(szChl);
}
}
}
}
else {
if (SecIsValidHandle(&hNtlm->hClientContext))
DeleteSecurityContext(&hNtlm->hClientContext);
if (SecIsValidHandle(&hNtlm->hClientCredential))
FreeCredentialsHandle(&hNtlm->hClientCredential);
SEC_WINNT_AUTH_IDENTITY auth;
if (login != NULL && login[0] != '\0') {
memset(&auth, 0, sizeof(auth));
NetlibLogf(NULL, "Security login requested, user: %S pssw: %s", login, psw ? "(exist)" : "(no psw)");
const TCHAR* loginName = login;
const TCHAR* domainName = _tcschr(login, '\\');
size_t domainLen = 0;
size_t loginLen = mir_tstrlen(loginName);
if (domainName != NULL) {
loginName = domainName + 1;
loginLen = mir_tstrlen(loginName);
domainLen = domainName - login;
domainName = login;
}
else if ((domainName = _tcschr(login, '@')) != NULL) {
loginName = login;
loginLen = domainName - login;
domainLen = mir_tstrlen(++domainName);
}
auth.User = (PWORD)loginName;
auth.UserLength = (ULONG)loginLen;
auth.Password = (PWORD)psw;
auth.PasswordLength = (ULONG)mir_tstrlen(psw);
auth.Domain = (PWORD)domainName;
auth.DomainLength = (ULONG)domainLen;
auth.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
hNtlm->hasDomain = domainLen != 0;
}
SECURITY_STATUS sc = AcquireCredentialsHandle(NULL, szProvider,
SECPKG_CRED_OUTBOUND, NULL, hNtlm->hasDomain ? &auth : NULL, NULL, NULL,
&hNtlm->hClientCredential, &tokenExpiration);
if (sc != SEC_E_OK) {
ReportSecError(sc, __LINE__);
return NULL;
}
}
outputBufferDescriptor.cBuffers = 1;
outputBufferDescriptor.pBuffers = &outputSecurityToken;
outputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
outputSecurityToken.BufferType = SECBUFFER_TOKEN;
outputSecurityToken.cbBuffer = hNtlm->cbMaxToken;
outputSecurityToken.pvBuffer = alloca(outputSecurityToken.cbBuffer);
SECURITY_STATUS sc = InitializeSecurityContext(&hNtlm->hClientCredential,
hasChallenge ? &hNtlm->hClientContext : NULL,
hNtlm->szPrincipal, isGSSAPI ? ISC_REQ_MUTUAL_AUTH | ISC_REQ_STREAM : 0, 0, SECURITY_NATIVE_DREP,
hasChallenge ? &inputBufferDescriptor : NULL, 0, &hNtlm->hClientContext,
&outputBufferDescriptor, &contextAttributes, &tokenExpiration);
complete = (sc != SEC_I_COMPLETE_AND_CONTINUE && sc != SEC_I_CONTINUE_NEEDED);
if (sc == SEC_I_COMPLETE_NEEDED || sc == SEC_I_COMPLETE_AND_CONTINUE)
sc = CompleteAuthToken(&hNtlm->hClientContext, &outputBufferDescriptor);
if (sc != SEC_E_OK && sc != SEC_I_CONTINUE_NEEDED) {
ReportSecError(sc, __LINE__);
return NULL;
}
szOutputToken = mir_base64_encode((PBYTE)outputSecurityToken.pvBuffer, outputSecurityToken.cbBuffer);
}
else {
if (!login || !psw) return NULL;
char *szLogin = mir_t2a(login);
char *szPassw = mir_t2a(psw);
size_t authLen = mir_strlen(szLogin) + mir_strlen(szPassw) + 5;
char *szAuth = (char*)alloca(authLen);
int len = mir_snprintf(szAuth, authLen, "%s:%s", szLogin, szPassw);
szOutputToken = mir_base64_encode((BYTE*)szAuth, len);
complete = true;
mir_free(szPassw);
mir_free(szLogin);
}
if (szOutputToken == NULL)
return NULL;
if (!http)
return szOutputToken;
ptrA szProvider(mir_t2a(hNtlm->szProvider));
size_t resLen = mir_strlen(szOutputToken) + mir_strlen(szProvider) + 10;
char *result = (char*)mir_alloc(resLen);
mir_snprintf(result, resLen, "%s %s", szProvider, szOutputToken);
mir_free(szOutputToken);
return result;
}
BOOL GenServerContext(BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut, BOOL *pfDone, BOOL fNewConversation)
{
SECURITY_STATUS ss;
TimeStamp Lifetime;
SecBufferDesc OutBuffDesc;
SecBuffer OutSecBuff;
SecBufferDesc InBuffDesc;
SecBuffer InSecBuff;
ULONG Attribs = ASC_REQ_DELEGATE; //0
// prepare output buffers.
OutBuffDesc.ulVersion = 0;
OutBuffDesc.cBuffers = 1;
OutBuffDesc.pBuffers = &OutSecBuff;
// prepare output security buffers.
OutSecBuff.cbBuffer = *pcbOut;
OutSecBuff.BufferType = SECBUFFER_TOKEN;
OutSecBuff.pvBuffer = pOut;
// prepare input buffers.
InBuffDesc.ulVersion = 0;
InBuffDesc.cBuffers = 1;
InBuffDesc.pBuffers = &InSecBuff;
// prepare input security buffers
InSecBuff.cbBuffer = cbIn;
InSecBuff.BufferType = SECBUFFER_TOKEN;
InSecBuff.pvBuffer = pIn;
printf("Token buffer received (%lu bytes):\n", InSecBuff.cbBuffer);
// PrintHexDump(InSecBuff.cbBuffer, (PBYTE)InSecBuff.pvBuffer);
// Get the security context
ss = AcceptSecurityContext(
&hcred,
fNewConversation ? NULL : &hctxt,
&InBuffDesc,
Attribs, //ASC_REQ_DELEGATE
SECURITY_NATIVE_DREP,
&hctxt,
&OutBuffDesc,
&Attribs,
&Lifetime);
if (!SEC_SUCCESS(ss))
{
fprintf(stderr, "AcceptSecurityContext failed: 0x%08x\n", ss);
return FALSE;
}
// Complete token if applicable.
if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss))
{
printf("Calling complete auth token\n");
ss = CompleteAuthToken(&hctxt, &OutBuffDesc);
if (!SEC_SUCCESS(ss))
{
fprintf(stderr, "complete failed: 0x%08x\n", ss);
return FALSE;
}
}
// IT WORKED HERE!!!
*pcbOut = OutSecBuff.cbBuffer;
*pfDone = !((SEC_I_CONTINUE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss));
// at the end print if its accepted
printf("AcceptSecurityContext result = 0x%08x\n", ss);
return TRUE;
}
bool CSSPIHandler::ClientStep(bool& more, const char *inputBuffer, size_t inputSize)
{
SECURITY_STATUS rcISC;
DWORD ctxAttr;
// input and output buffers
TimeStamp useBefore;
SecBufferDesc obd,ibd;
SecBuffer ob[1], ib[2];
m_outputBuffer.resize(m_secPackInfo->cbMaxToken);
obd.ulVersion = SECBUFFER_VERSION;
obd.cBuffers = 1;
obd.pBuffers = ob; // just one buffer
ob[0].cbBuffer = m_secPackInfo->cbMaxToken;
ob[0].pvBuffer = (void*)m_outputBuffer.data();
ob[0].BufferType = SECBUFFER_TOKEN; // preping a token here
if(inputBuffer)
{
// prepare to get the server's response
ibd.ulVersion = SECBUFFER_VERSION;
ibd.cBuffers = 1;
ibd.pBuffers = ib; // just one buffer
ib[0].cbBuffer=(DWORD)inputSize;
ib[0].pvBuffer =(void*)inputBuffer;
ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here
}
rcISC = InitializeSecurityContextA( &m_credHandle, m_haveContext? &m_contextHandle:NULL,
(char*)m_tokenSource, m_ctxReq, 0, SECURITY_NATIVE_DREP, m_haveContext?&ibd:NULL,
0, &m_contextHandle, &obd, &ctxAttr, &useBefore );
if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
{
CompleteAuthToken( &m_contextHandle, &obd );
if ( rcISC == SEC_I_COMPLETE_NEEDED )
rcISC = SEC_E_OK;
else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
rcISC = SEC_I_CONTINUE_NEEDED;
}
if(rcISC<0)
{
m_rc = rcISC;
more=false;
return false;
}
m_outputBuffer.resize(ob[0].cbBuffer);
if ( rcISC != SEC_I_CONTINUE_NEEDED )
{
m_rc = rcISC;
if ( rcISC != SEC_E_OK )
m_haveContext = false;
else
{
QueryContextAttributes(&m_contextHandle,SECPKG_ATTR_SIZES,&m_secSizes);
m_haveContext = true;
}
more=false;
return m_haveContext;
}
m_haveContext = true;
more=true;
return true;
}
bool
NegotiateAuth::authorize(const AuthParams &challenge, AuthParams &authorization,
const URI &uri)
{
SECURITY_STATUS status;
std::wstring packageW = toUtf16(challenge.scheme);
std::string param = challenge.base64;
std::string outboundBuffer;
SecBufferDesc outboundBufferDesc;
SecBuffer outboundSecBuffer;
TimeStamp lifetime;
ULONG contextAttributes;
outboundBuffer.resize(4096);
outboundBufferDesc.ulVersion = 0;
outboundBufferDesc.cBuffers = 1;
outboundBufferDesc.pBuffers = &outboundSecBuffer;
outboundSecBuffer.BufferType = SECBUFFER_TOKEN;
outboundSecBuffer.pvBuffer = &outboundBuffer[0];
outboundSecBuffer.cbBuffer = (unsigned long)outboundBuffer.size();
if (param.empty()) {
// No response from server; we're starting a new session
if (SecIsValidHandle(&m_creds))
return false;
SEC_WINNT_AUTH_IDENTITY_W id;
id.User = (unsigned short *)m_username.c_str();
id.UserLength = (unsigned long)m_username.size();
id.Domain = (unsigned short *)m_domain.c_str();
id.DomainLength = (unsigned long)m_domain.size();
id.Password = (unsigned short *)m_password.c_str();
id.PasswordLength = (unsigned long)m_password.size();
id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
status = AcquireCredentialsHandleW(NULL,
(wchar_t *)packageW.c_str(),
SECPKG_CRED_OUTBOUND,
NULL,
m_username.empty() ? NULL : &id,
NULL,
NULL,
&m_creds,
&lifetime);
MORDOR_LOG_TRACE(g_log) << "AcquireCredentialsHandleW("
<< challenge.scheme << ", " << toUtf8(m_username) << "): ("
<< status << ")";
if (!SUCCEEDED(status))
MORDOR_THROW_EXCEPTION_FROM_ERROR_API(status, "AcquireCredentialsHandleW");
status = InitializeSecurityContextW(
&m_creds,
NULL,
(wchar_t *)toUtf16(uri.toString()).c_str(),
ISC_REQ_CONFIDENTIALITY,
0,
SECURITY_NATIVE_DREP,
NULL,
0,
&m_secCtx,
&outboundBufferDesc,
&contextAttributes,
&lifetime);
MORDOR_LOG_TRACE(g_log) << "InitializeSecurityContextW("
<< uri << ", {0}): {" << outboundSecBuffer.cbBuffer << "} ("
<< status << ")";
} else {
// Prepare the response from the server
std::string inboundBuffer = base64decode(param);
SecBufferDesc inboundBufferDesc;
SecBuffer inboundSecBuffer;
inboundBufferDesc.ulVersion = 0;
inboundBufferDesc.cBuffers = 1;
inboundBufferDesc.pBuffers = &inboundSecBuffer;
inboundSecBuffer.BufferType = SECBUFFER_TOKEN;
inboundSecBuffer.pvBuffer = &inboundBuffer[0];
inboundSecBuffer.cbBuffer = (unsigned long)inboundBuffer.size();
status = InitializeSecurityContextW(
&m_creds,
&m_secCtx,
(wchar_t *)toUtf16(uri.toString()).c_str(),
ISC_REQ_CONFIDENTIALITY,
0,
SECURITY_NATIVE_DREP,
&inboundBufferDesc,
0,
&m_secCtx,
&outboundBufferDesc,
&contextAttributes,
&lifetime);
MORDOR_LOG_TRACE(g_log) << "InitializeSecurityContextW("
<< uri << ", {" << inboundSecBuffer.cbBuffer << "}): {"
<< outboundSecBuffer.cbBuffer << "} (" << status << ")";
}
if (status == SEC_I_COMPLETE_NEEDED ||
status == SEC_I_COMPLETE_AND_CONTINUE) {
status = CompleteAuthToken(&m_secCtx, &outboundBufferDesc);
MORDOR_LOG_TRACE(g_log) << "CompleteAuthToken(): {"
<< outboundSecBuffer.cbBuffer << "} (" << status << ")";
}
if (!SUCCEEDED(status))
MORDOR_THROW_EXCEPTION_FROM_ERROR(status);
outboundBuffer.resize(outboundSecBuffer.cbBuffer);
authorization.scheme = challenge.scheme;
authorization.base64 = base64encode(outboundBuffer);
authorization.parameters.clear();
return true;
}
