sspwin32.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "base64.h"
11 #if HAVE_AUTH_MODULE_NTLM
12 #include "ntlmauth/ntlmauth.h"
13 #endif
14 #include "sspi/sspwin32.h"
15 #include "util.h"
16 
17 // FARPROC is an exception on Windows to the -Wcast-function-type sanity check.
18 // suppress the warning only when casting FARPROC
19 template <typename T>
20 T
21 farproc_cast(FARPROC in)
22 {
23 #if defined(__GNUC__)
24 #pragma GCC diagnostic push
25 #pragma GCC diagnostic ignored "-Wcast-function-type"
26  return reinterpret_cast<T>(in);
27 #pragma GCC diagnostic pop
28 #else
29  return reinterpret_cast<T>(in);
30 #endif
31 }
32 
33 typedef struct _AUTH_SEQ {
34  BOOL fInitialized;
35  BOOL fHaveCredHandle;
36  BOOL fHaveCtxtHandle;
37  CredHandle hcred;
38  TimeStamp hcredLifeTime;
39  struct _SecHandle hctxt;
40  TimeStamp hctxtLifeTime;
41 } AUTH_SEQ, *PAUTH_SEQ;
42 
43 BOOL GenClientContext(PAUTH_SEQ, PSEC_WINNT_AUTH_IDENTITY, PVOID, DWORD, PVOID, PDWORD, PBOOL);
44 BOOL GenServerContext(PAUTH_SEQ, PVOID, DWORD, PVOID, PDWORD, PBOOL, char *);
45 
46 static HMODULE hModule;
47 static int NTLM_mode = SSP_BASIC;
48 static char * SSP_Package_InUse;
49 SECURITY_STATUS SecurityStatus = SEC_E_OK;
50 
51 static DWORD cbMaxToken = 0;
52 static uint8_t * pClientBuf = nullptr;
53 static uint8_t * pServerBuf = nullptr;
54 
55 static AUTH_SEQ NTLM_asServer = {};
56 
57 BOOL Use_Unicode = FALSE;
58 #if HAVE_AUTH_MODULE_NTLM
59 BOOL NTLM_LocalCall = FALSE;
60 #endif
61 
62 /* Function pointers */
63 ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext = nullptr;
64 ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle = nullptr;
65 COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken = nullptr;
66 DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext = nullptr;
67 FREE_CONTEXT_BUFFER_FN _FreeContextBuffer = nullptr;
68 FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle = nullptr;
69 INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext = nullptr;
70 QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo = nullptr;
71 #ifdef UNICODE
72 QUERY_CONTEXT_ATTRIBUTES_FN_W _QueryContextAttributes = nullptr;
73 #else
74 QUERY_CONTEXT_ATTRIBUTES_FN_A _QueryContextAttributes = nullptr;
75 #endif
76 
77 void UnloadSecurityDll(void)
78 {
79  if (NTLM_asServer.fHaveCtxtHandle)
80  _DeleteSecurityContext(&NTLM_asServer.hctxt);
81  if (NTLM_asServer.fHaveCredHandle)
82  _FreeCredentialsHandle(&NTLM_asServer.hcred);
83 
84  if (hModule)
85  FreeLibrary(hModule);
86 
87  xfree(SSP_Package_InUse);
88  xfree(pClientBuf);
89  xfree(pServerBuf);
90 
91  _AcceptSecurityContext = nullptr;
92  _AcquireCredentialsHandle = nullptr;
93  _CompleteAuthToken = nullptr;
94  _DeleteSecurityContext = nullptr;
95  _FreeContextBuffer = nullptr;
96  _FreeCredentialsHandle = nullptr;
97  _InitializeSecurityContext = nullptr;
98  _QuerySecurityPackageInfo = nullptr;
99  _QueryContextAttributes = nullptr;
100 
101  hModule = nullptr;
102 }
103 
104 HMODULE LoadSecurityDll(int mode, const char * SSP_Package)
105 {
106  TCHAR lpszDLL[MAX_PATH];
107  OSVERSIONINFO VerInfo;
108  PSecPkgInfo pSPI = nullptr;
109 
110  /*
111  * Find out which security DLL to use, depending on
112  * whether we are on NT or 2000 or XP or 2003 Server
113  * We have to use security.dll on Windows NT 4.0.
114  * All other operating systems, we have to use Secur32.dll
115  */
116  hModule = nullptr;
117  if ((mode != SSP_BASIC) && (mode != SSP_NTLM))
118  return hModule;
119  NTLM_mode = mode;
120  VerInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
121  if (!GetVersionEx (&VerInfo)) { /* If this fails, something has gone wrong */
122  return hModule;
123  }
124  if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
125  VerInfo.dwMajorVersion == 4 &&
126  VerInfo.dwMinorVersion == 0) {
127  lstrcpy (lpszDLL, _T(WINNT_SECURITY_DLL));
128  } else {
129  lstrcpy (lpszDLL, _T(WIN2K_SECURITY_DLL));
130  }
131  hModule = LoadLibrary(lpszDLL);
132  if (!hModule)
133  return hModule;
134  _AcceptSecurityContext = farproc_cast<ACCEPT_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "AcceptSecurityContext"));
135  if (!_AcceptSecurityContext) {
136  UnloadSecurityDll();
137  hModule = nullptr;
138  return hModule;
139  }
140 #ifdef UNICODE
141  _AcquireCredentialsHandle = farproc_cast<ACQUIRE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "AcquireCredentialsHandleW"));
142 #else
143  _AcquireCredentialsHandle = farproc_cast<ACQUIRE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "AcquireCredentialsHandleA"));
144 #endif
145  if (!_AcquireCredentialsHandle) {
146  UnloadSecurityDll();
147  hModule = nullptr;
148  return hModule;
149  }
150  _CompleteAuthToken = farproc_cast<COMPLETE_AUTH_TOKEN_FN>(GetProcAddress(hModule, "CompleteAuthToken"));
151  if (!_CompleteAuthToken) {
152  UnloadSecurityDll();
153  hModule = nullptr;
154  return hModule;
155  }
156  _DeleteSecurityContext = farproc_cast<DELETE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "DeleteSecurityContext"));
157  if (!_DeleteSecurityContext) {
158  UnloadSecurityDll();
159  hModule = nullptr;
160  return hModule;
161  }
162  _FreeContextBuffer = farproc_cast<FREE_CONTEXT_BUFFER_FN>(GetProcAddress(hModule, "FreeContextBuffer"));
163  if (!_FreeContextBuffer) {
164  UnloadSecurityDll();
165  hModule = nullptr;
166  return hModule;
167  }
168  _FreeCredentialsHandle = farproc_cast<FREE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "FreeCredentialsHandle"));
169  if (!_FreeCredentialsHandle) {
170  UnloadSecurityDll();
171  hModule = nullptr;
172  return hModule;
173  }
174 #ifdef UNICODE
175  _InitializeSecurityContext = farproc_cast<INITIALIZE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "InitializeSecurityContextW"));
176 #else
177  _InitializeSecurityContext = farproc_cast<INITIALIZE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "InitializeSecurityContextA"));
178 #endif
179  if (!_InitializeSecurityContext) {
180  UnloadSecurityDll();
181  hModule = nullptr;
182  return hModule;
183  }
184 #ifdef UNICODE
185  _QuerySecurityPackageInfo = farproc_cast<QUERY_SECURITY_PACKAGE_INFO_FN>(GetProcAddress(hModule, "QuerySecurityPackageInfoW"));
186 #else
187  _QuerySecurityPackageInfo = farproc_cast<QUERY_SECURITY_PACKAGE_INFO_FN>(GetProcAddress(hModule, "QuerySecurityPackageInfoA"));
188 #endif
189  if (!_QuerySecurityPackageInfo) {
190  UnloadSecurityDll();
191  hModule = nullptr;
192  }
193 
194 #ifdef UNICODE
195  _QueryContextAttributes = farproc_cast<QUERY_CONTEXT_ATTRIBUTES_FN_W>(GetProcAddress(hModule, "QueryContextAttributesW"));
196 #else
197  _QueryContextAttributes = farproc_cast<QUERY_CONTEXT_ATTRIBUTES_FN_A>(GetProcAddress(hModule, "QueryContextAttributesA"));
198 #endif
199  if (!_QueryContextAttributes) {
200  UnloadSecurityDll();
201  hModule = nullptr;
202  }
203 
204  /* Get max token size */
205  _QuerySecurityPackageInfo((SEC_CHAR*)_T(SSP_Package), &pSPI);
206  cbMaxToken = pSPI->cbMaxToken;
207  _FreeContextBuffer(pSPI);
208 
209  /* Allocate buffers for client and server messages */
210  pClientBuf = static_cast<uint8_t *>(xcalloc(cbMaxToken, sizeof(char)));
211  pServerBuf = static_cast<uint8_t *>(xcalloc(cbMaxToken, sizeof(char)));
212  SSP_Package_InUse = xstrdup(SSP_Package);
213 
214  return hModule;
215 }
216 
217 BOOL GenClientContext(PAUTH_SEQ pAS, PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
218  PVOID pIn, DWORD cbIn, PVOID pOut, PDWORD pcbOut, PBOOL pfDone)
219 {
220  /*
221  * Routine Description:
222  *
223  * Optionally takes an input buffer coming from the server and returns
224  * a buffer of information to send back to the server. Also returns
225  * an indication of whether or not the context is complete.
226  *
227  * Return Value:
228  * Returns TRUE if successful; otherwise FALSE.
229  */
230  TimeStamp tsExpiry;
231  SecBufferDesc sbdOut;
232  SecBuffer sbOut;
233  SecBufferDesc sbdIn;
234  SecBuffer sbIn;
235  ULONG fContextAttr;
236 
237  if (!pAS->fInitialized) {
238  SecurityStatus = _AcquireCredentialsHandle(nullptr, (SEC_CHAR*) _T(SSP_Package_InUse),
239  SECPKG_CRED_OUTBOUND, nullptr, (NTLM_mode == SSP_NTLM) ? NULL : pAuthIdentity, nullptr, nullptr,
240  &pAS->hcred, &tsExpiry);
241  if (SecurityStatus < 0)
242  return FALSE;
243  pAS->fHaveCredHandle = TRUE;
244  }
245 
246  /* Prepare output buffer */
247  sbdOut.ulVersion = 0;
248  sbdOut.cBuffers = 1;
249  sbdOut.pBuffers = &sbOut;
250  sbOut.cbBuffer = *pcbOut;
251  sbOut.BufferType = SECBUFFER_TOKEN;
252  sbOut.pvBuffer = pOut;
253 
254  /* Prepare input buffer */
255  if (pAS->fInitialized) {
256  sbdIn.ulVersion = 0;
257  sbdIn.cBuffers = 1;
258  sbdIn.pBuffers = &sbIn;
259  sbIn.cbBuffer = cbIn;
260  sbIn.BufferType = SECBUFFER_TOKEN;
261  sbIn.pvBuffer = pIn;
262  }
263  SecurityStatus = _InitializeSecurityContext(&pAS->hcred,
264  pAS->fInitialized ? &pAS->hctxt : NULL, nullptr, 0, 0,
265  SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL,
266  0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
267  if (SecurityStatus < 0)
268  return FALSE;
269  pAS->fHaveCtxtHandle = TRUE;
270 
271  /* If necessary, complete token */
272  if (SecurityStatus == SEC_I_COMPLETE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE) {
273  SecurityStatus = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
274  if (SecurityStatus < 0)
275  return FALSE;
276  }
277  *pcbOut = sbOut.cbBuffer;
278  if (!pAS->fInitialized)
279  pAS->fInitialized = TRUE;
280  *pfDone = !(SecurityStatus == SEC_I_CONTINUE_NEEDED
281  || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE );
282  return TRUE;
283 }
284 
285 BOOL GenServerContext(PAUTH_SEQ pAS, PVOID pIn, DWORD cbIn, PVOID pOut,
286  PDWORD pcbOut, PBOOL pfDone, char * credentials)
287 {
288  /*
289  * Routine Description:
290  *
291  * Takes an input buffer coming from the client and returns a buffer
292  * to be sent to the client. Also returns an indication of whether or
293  * not the context is complete.
294  *
295  * Return Value:
296  *
297  * Returns TRUE if successful; otherwise FALSE.
298  */
299 
300  SecBufferDesc sbdOut;
301  SecBuffer sbOut;
302  SecBufferDesc sbdIn;
303  SecBuffer sbIn;
304  ULONG fContextAttr;
305  SecPkgContext_Names namebuffer;
306 
307  if (!pAS->fInitialized) {
308  SecurityStatus = _AcquireCredentialsHandle(nullptr, (SEC_CHAR*) _T(SSP_Package_InUse),
309  SECPKG_CRED_INBOUND, nullptr, nullptr, nullptr, nullptr, &pAS->hcred,
310  &pAS->hcredLifeTime);
311 #if SSP_DEBUG
312  fprintf(stderr, "AcquireCredentialsHandle returned: %x\n", SecurityStatus);
313 #endif
314  if (SecurityStatus < 0) {
315 #if SSP_DEBUG
316  fprintf(stderr, "AcquireCredentialsHandle failed: %x\n", SecurityStatus);
317 #endif
318  return FALSE;
319  }
320  pAS->fHaveCredHandle = TRUE;
321  }
322 
323  /* Prepare output buffer */
324  sbdOut.ulVersion = 0;
325  sbdOut.cBuffers = 1;
326  sbdOut.pBuffers = &sbOut;
327  sbOut.cbBuffer = *pcbOut;
328  sbOut.BufferType = SECBUFFER_TOKEN;
329  sbOut.pvBuffer = pOut;
330 
331  /* Prepare input buffer */
332  sbdIn.ulVersion = 0;
333  sbdIn.cBuffers = 1;
334  sbdIn.pBuffers = &sbIn;
335  sbIn.cbBuffer = cbIn;
336  sbIn.BufferType = SECBUFFER_TOKEN;
337  sbIn.pvBuffer = pIn;
338  SecurityStatus = _AcceptSecurityContext(&pAS->hcred,
339  pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, (NTLM_mode == SSP_NTLM) ? ASC_REQ_DELEGATE : 0,
340  SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr,
341  &pAS->hctxtLifeTime);
342 #if SSP_DEBUG
343  fprintf(stderr, "AcceptSecurityContext returned: %x\n", SecurityStatus);
344 #endif
345  if (SecurityStatus < 0) {
346 #if SSP_DEBUG
347  fprintf(stderr, "AcceptSecurityContext failed: %x\n", SecurityStatus);
348 #endif
349  return FALSE;
350  }
351  pAS->fHaveCtxtHandle = TRUE;
352 
353  /* If necessary, complete token */
354  if (SecurityStatus == SEC_I_COMPLETE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE) {
355  SecurityStatus = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
356 #if SSP_DEBUG
357  fprintf(stderr, "CompleteAuthToken returned: %x\n", SecurityStatus);
358 #endif
359  if (SecurityStatus < 0) {
360 #if SSP_DEBUG
361  fprintf(stderr, "CompleteAuthToken failed: %x\n", SecurityStatus);
362 #endif
363  return FALSE;
364  }
365  }
366 
367  if ((credentials != NULL) &&
368  !(SecurityStatus == SEC_I_CONTINUE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE)) {
369  SecurityStatus = _QueryContextAttributes(&pAS->hctxt, SECPKG_ATTR_NAMES, &namebuffer);
370 #if SSP_DEBUG
371  fprintf(stderr, "QueryContextAttributes returned: %x\n", SecurityStatus);
372 #endif
373  if (SecurityStatus < 0) {
374 #if SSP_DEBUG
375  fprintf(stderr, "QueryContextAttributes failed: %x\n", SecurityStatus);
376 #endif
377  return FALSE;
378  }
379  strncpy(credentials, namebuffer.sUserName, SSP_MAX_CRED_LEN);
380  }
381 
382  *pcbOut = sbOut.cbBuffer;
383  if (!pAS->fInitialized)
384  pAS->fInitialized = TRUE;
385  *pfDone = !(SecurityStatus == SEC_I_CONTINUE_NEEDED
386  || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE);
387  return TRUE;
388 }
389 
390 BOOL WINAPI SSP_LogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
391 {
392  AUTH_SEQ asServer = {};
393  AUTH_SEQ asClient = {};
394  BOOL fDone = FALSE;
395  BOOL fResult = FALSE;
396  DWORD cbOut = 0;
397  DWORD cbIn = 0;
398 
399  SEC_WINNT_AUTH_IDENTITY ai;
400 
401  do {
402  if (!hModule)
403  break;
404 
405  /* Initialize auth identity structure */
406  ZeroMemory(&ai, sizeof(ai));
407  ai.Domain = (unsigned char *)szDomain;
408  ai.DomainLength = lstrlen(szDomain);
409  ai.User = (unsigned char *)szUser;
410  ai.UserLength = lstrlen(szUser);
411  ai.Password = (unsigned char *)szPassword;
412  ai.PasswordLength = lstrlen(szPassword);
413 #if defined(UNICODE) || defined(_UNICODE)
414  ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
415 #else
416  ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
417 #endif
418 
419  /* Prepare client message (negotiate) */
420  cbOut = cbMaxToken;
421  if (!GenClientContext(&asClient, &ai, nullptr, 0, pClientBuf, &cbOut, &fDone))
422  break;
423 
424  /* Prepare server message (challenge) */
425  cbIn = cbOut;
426  cbOut = cbMaxToken;
427  if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
428  &fDone, nullptr))
429  break;
430  /* Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED
431  * in the case of bad szUser or szPassword.
432  * Unexpected Result: Logon will succeed if you pass in a bad szUser and
433  * the guest account is enabled in the specified domain.
434  */
435 
436  /* Prepare client message (authenticate) */
437  cbIn = cbOut;
438  cbOut = cbMaxToken;
439  if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut,
440  &fDone))
441  break;
442 
443  /* Prepare server message (authentication) */
444  cbIn = cbOut;
445  cbOut = cbMaxToken;
446  if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
447  &fDone, nullptr))
448  break;
449  fResult = TRUE;
450  } while (0);
451 
452  /* Clean up resources */
453  if (asClient.fHaveCtxtHandle)
454  _DeleteSecurityContext(&asClient.hctxt);
455  if (asClient.fHaveCredHandle)
456  _FreeCredentialsHandle(&asClient.hcred);
457  if (asServer.fHaveCtxtHandle)
458  _DeleteSecurityContext(&asServer.hctxt);
459  if (asServer.fHaveCredHandle)
460  _FreeCredentialsHandle(&asServer.hcred);
461 
462  return fResult;
463 }
464 
465 #if HAVE_AUTH_MODULE_NTLM
466 const char * WINAPI SSP_MakeChallenge(PVOID PNegotiateBuf, int NegotiateLen)
467 {
468  BOOL fDone = FALSE;
469  uint8_t * fResult = nullptr;
470  DWORD cbOut = 0;
471  DWORD cbIn = 0;
472  ntlm_challenge * challenge;
473 
474  if (NTLM_asServer.fHaveCtxtHandle)
475  _DeleteSecurityContext(&NTLM_asServer.hctxt);
476  if (NTLM_asServer.fHaveCredHandle)
477  _FreeCredentialsHandle(&NTLM_asServer.hcred);
478 
479  NTLM_LocalCall = FALSE;
480  Use_Unicode = FALSE;
481  memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
482  ZeroMemory(pServerBuf, cbMaxToken);
483  ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));
484  do {
485  if (!hModule)
486  break;
487 
488  /* Prepare server message (challenge) */
489  cbIn = NegotiateLen;
490  cbOut = cbMaxToken;
491  if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
492  &fDone, nullptr))
493  break;
494  fResult = pServerBuf;
495  } while (0);
496  if (fResult != NULL) {
497  challenge = (ntlm_challenge *) fResult;
498  Use_Unicode = NTLM_NEGOTIATE_UNICODE & challenge->flags;
499  NTLM_LocalCall = NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL & challenge->flags;
500  struct base64_encode_ctx ctx;
501  base64_encode_init(&ctx);
502  static char encoded[8192];
503  size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(fResult));
504  assert(dstLen < sizeof(encoded));
505  dstLen += base64_encode_final(&ctx, encoded+dstLen);
506  assert(dstLen < sizeof(encoded));
507  encoded[dstLen] = '\0';
508  return encoded;
509  }
510  return nullptr;
511 }
512 
513 BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID PAutenticateBuf, int AutenticateLen, char * credentials)
514 {
515  BOOL fDone = FALSE;
516  BOOL fResult = FALSE;
517  DWORD cbOut = 0;
518  DWORD cbIn = 0;
519 
520  memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
521  ZeroMemory(pServerBuf, cbMaxToken);
522  do {
523  if (!hModule)
524  break;
525 
526  /* Prepare server message (authentication) */
527  cbIn = AutenticateLen;
528  cbOut = cbMaxToken;
529  if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
530  &fDone, credentials))
531  break;
532  fResult = TRUE;
533  } while (0);
534 
535  return fResult;
536 }
537 #endif /* HAVE_AUTH_MODULE_NTLM */
538 
539 #if HAVE_AUTH_MODULE_NEGOTIATE
540 const char * WINAPI SSP_MakeNegotiateBlob(PVOID PNegotiateBuf, int NegotiateLen, PBOOL fDone, int * Status, char * credentials)
541 {
542  DWORD cbOut = 0;
543  DWORD cbIn = 0;
544 
545  if (NTLM_asServer.fHaveCtxtHandle)
546  _DeleteSecurityContext(&NTLM_asServer.hctxt);
547  if (NTLM_asServer.fHaveCredHandle)
548  _FreeCredentialsHandle(&NTLM_asServer.hcred);
549 
550  memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
551  ZeroMemory(pServerBuf, cbMaxToken);
552  ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));
553  do {
554  if (!hModule)
555  break;
556 
557  /* Prepare server message (challenge) */
558  cbIn = NegotiateLen;
559  cbOut = cbMaxToken;
560  if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
561  fDone, credentials)) {
562  *Status = SSP_ERROR;
563  break;
564  }
565  *Status = SSP_OK;
566  } while (0);
567  if (pServerBuf != NULL && cbOut > 0) {
568  struct base64_encode_ctx ctx;
569  base64_encode_init(&ctx);
570  static char encoded[8192];
571  size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(pServerBuf));
572  assert(dstLen < sizeof(encoded));
573  dstLen += base64_encode_final(&ctx, encoded+dstLen);
574  assert(dstLen < sizeof(encoded));
575  encoded[dstLen] = '\0';
576  return encoded;
577  }
578  return nullptr;
579 }
580 
581 const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID PAutenticateBuf, int AutenticateLen, PBOOL fDone, int * Status, char * credentials)
582 {
583  DWORD cbOut = 0;
584  DWORD cbIn = 0;
585 
586  memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
587  ZeroMemory(pServerBuf, cbMaxToken);
588  do {
589  if (!hModule)
590  break;
591 
592  /* Prepare server message (authentication) */
593  cbIn = AutenticateLen;
594  cbOut = cbMaxToken;
595  if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
596  fDone, credentials)) {
597  *Status = SSP_ERROR;
598  break;
599  }
600  *Status = SSP_OK;
601  } while (0);
602  if (pServerBuf != NULL && cbOut > 0) {
603  struct base64_encode_ctx ctx;
604  base64_encode_init(&ctx);
605  static char encoded[8192];
606  size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(pServerBuf));
607  assert(dstLen < sizeof(encoded));
608  dstLen += base64_encode_final(&ctx, encoded+dstLen);
609  assert(dstLen < sizeof(encoded));
610  encoded[dstLen] = '\0';
611  return encoded;
612  }
613  return nullptr;
614 }
615 #endif /* HAVE_AUTH_MODULE_NEGOTIATE */
Use_Unicode
BOOL Use_Unicode
Definition: sspwin32.cc:57
xcalloc
void * xcalloc(size_t n, size_t sz)
Definition: xalloc.cc:71
farproc_cast
T farproc_cast(FARPROC in)
Definition: sspwin32.cc:21
AUTH_SEQ
struct _AUTH_SEQ AUTH_SEQ
_ntlm_challenge
Definition: ntlmauth.h:138
FALSE
#define FALSE
Definition: std-includes.h:56
_AUTH_SEQ::hcred
CredHandle hcred
Definition: sspwin32.cc:37
pServerBuf
static uint8_t * pServerBuf
Definition: sspwin32.cc:53
base64_encode_final
size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst)
Definition: base64.c:308
_InitializeSecurityContext
INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext
Definition: sspwin32.cc:69
LoadSecurityDll
HMODULE LoadSecurityDll(int mode, const char *SSP_Package)
Definition: sspwin32.cc:104
_AUTH_SEQ::fHaveCredHandle
BOOL fHaveCredHandle
Definition: sspwin32.cc:35
_QuerySecurityPackageInfo
QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo
Definition: sspwin32.cc:70
cbMaxToken
static DWORD cbMaxToken
Definition: sspwin32.cc:51
xstrdup
#define xstrdup
Definition: negotiate_wrapper.cc:52
_CompleteAuthToken
COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken
Definition: sspwin32.cc:65
GenClientContext
BOOL GenClientContext(PAUTH_SEQ, PSEC_WINNT_AUTH_IDENTITY, PVOID, DWORD, PVOID, PDWORD, PBOOL)
Definition: sspwin32.cc:217
_AUTH_SEQ::hctxtLifeTime
TimeStamp hctxtLifeTime
Definition: sspwin32.cc:40
_AUTH_SEQ::fInitialized
BOOL fInitialized
Definition: sspwin32.cc:34
_AUTH_SEQ::hctxt
struct _SecHandle hctxt
Definition: sspwin32.cc:39
base64_encode_ctx
Definition: base64.h:68
NTLM_asServer
static AUTH_SEQ NTLM_asServer
Definition: sspwin32.cc:55
_ntlm_challenge::flags
uint32_t flags
Definition: ntlmauth.h:141
NTLM_NEGOTIATE_UNICODE
#define NTLM_NEGOTIATE_UNICODE
Definition: ntlmauth.h:103
NULL
#define NULL
Definition: types.h:145
NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL
#define NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL
Definition: ntlmauth.h:114
_AUTH_SEQ
Definition: sspwin32.cc:33
PAUTH_SEQ
struct _AUTH_SEQ * PAUTH_SEQ
SSP_MAX_CRED_LEN
#define SSP_MAX_CRED_LEN
Definition: sspwin32.h:45
_AUTH_SEQ::fHaveCtxtHandle
BOOL fHaveCtxtHandle
Definition: sspwin32.cc:36
WINNT_SECURITY_DLL
#define WINNT_SECURITY_DLL
Definition: sspwin32.h:39
UnloadSecurityDll
void UnloadSecurityDll(void)
Definition: sspwin32.cc:77
assert
#define assert(EX)
Definition: assert.h:17
SecurityStatus
SECURITY_STATUS SecurityStatus
Definition: sspwin32.cc:49
base64_encode_init
void base64_encode_init(struct base64_encode_ctx *ctx)
Definition: base64.c:232
pClientBuf
static uint8_t * pClientBuf
Definition: sspwin32.cc:52
xfree
#define xfree
Definition: negotiate_wrapper.cc:55
ULONG
unsigned int ULONG
Definition: smblib-priv.h:147
SSP_LogonUser
BOOL WINAPI SSP_LogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
Definition: sspwin32.cc:390
SSP_NTLM
#define SSP_NTLM
Definition: sspwin32.h:43
_DeleteSecurityContext
DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext
Definition: sspwin32.cc:66
SSP_BASIC
#define SSP_BASIC
Definition: sspwin32.h:42
TRUE
#define TRUE
Definition: std-includes.h:55
WIN2K_SECURITY_DLL
#define WIN2K_SECURITY_DLL
Definition: sspwin32.h:40
NTLM_mode
static int NTLM_mode
Definition: sspwin32.cc:47
hModule
static HMODULE hModule
Definition: sspwin32.cc:46
GenServerContext
BOOL GenServerContext(PAUTH_SEQ, PVOID, DWORD, PVOID, PDWORD, PBOOL, char *)
Definition: sspwin32.cc:285
SSP_ERROR
#define SSP_ERROR
Definition: sspwin32.h:50
_AcceptSecurityContext
ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext
Definition: sspwin32.cc:63
SSP_Package_InUse
static char * SSP_Package_InUse
Definition: sspwin32.cc:48
base64_encode_update
size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src)
Definition: base64.c:265
_FreeContextBuffer
FREE_CONTEXT_BUFFER_FN _FreeContextBuffer
Definition: sspwin32.cc:67
_QueryContextAttributes
QUERY_CONTEXT_ATTRIBUTES_FN_A _QueryContextAttributes
Definition: sspwin32.cc:74
_FreeCredentialsHandle
FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle
Definition: sspwin32.cc:68
SSP_OK
#define SSP_OK
Definition: sspwin32.h:49
_AcquireCredentialsHandle
ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle
Definition: sspwin32.cc:64
_AUTH_SEQ::hcredLifeTime
TimeStamp hcredLifeTime
Definition: sspwin32.cc:38
BOOL
#define BOOL
Definition: std-includes.h:38

 

Introduction

Documentation

Support

Miscellaneous