sspwin32.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#include "squid.h"
10#include "base64.h"
11#if HAVE_AUTH_MODULE_NTLM
12#include "ntlmauth/ntlmauth.h"
13#endif
14#include "sspi/sspwin32.h"
15#include "util.h"
16
17// FARPROC is an exception on Windows to the -Wcast-function-type sanity check.
18// suppress the warning only when casting FARPROC
19template <typename T>
20T
21farproc_cast(FARPROC in)
22{
23#if defined(__GNUC__)
24#pragma GCC diagnostic push
25#pragma GCC diagnostic ignored "-Wcast-function-type"
26 return reinterpret_cast<T>(in);
27#pragma GCC diagnostic pop
28#else
29 return reinterpret_cast<T>(in);
30#endif
31}
32
33typedef struct _AUTH_SEQ {
34 BOOL fInitialized;
35 BOOL fHaveCredHandle;
36 BOOL fHaveCtxtHandle;
37 CredHandle hcred;
38 TimeStamp hcredLifeTime;
39 struct _SecHandle hctxt;
40 TimeStamp hctxtLifeTime;
41} AUTH_SEQ, *PAUTH_SEQ;
42
43BOOL GenClientContext(PAUTH_SEQ, PSEC_WINNT_AUTH_IDENTITY, PVOID, DWORD, PVOID, PDWORD, PBOOL);
44BOOL GenServerContext(PAUTH_SEQ, PVOID, DWORD, PVOID, PDWORD, PBOOL, char *);
45
46static HMODULE hModule;
47static int NTLM_mode = SSP_BASIC;
48static char * SSP_Package_InUse;
49SECURITY_STATUS SecurityStatus = SEC_E_OK;
50
51static DWORD cbMaxToken = 0;
52static uint8_t * pClientBuf = nullptr;
53static uint8_t * pServerBuf = nullptr;
54
55static AUTH_SEQ NTLM_asServer = {};
56
57BOOL Use_Unicode = FALSE;
58#if HAVE_AUTH_MODULE_NTLM
59BOOL NTLM_LocalCall = FALSE;
60#endif
61
62/* Function pointers */
63ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext = nullptr;
64ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle = nullptr;
65COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken = nullptr;
66DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext = nullptr;
67FREE_CONTEXT_BUFFER_FN _FreeContextBuffer = nullptr;
68FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle = nullptr;
69INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext = nullptr;
70QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo = nullptr;
71#ifdef UNICODE
72QUERY_CONTEXT_ATTRIBUTES_FN_W _QueryContextAttributes = nullptr;
73#else
74QUERY_CONTEXT_ATTRIBUTES_FN_A _QueryContextAttributes = nullptr;
75#endif
76
77void UnloadSecurityDll(void)
78{
79 if (NTLM_asServer.fHaveCtxtHandle)
80 _DeleteSecurityContext(&NTLM_asServer.hctxt);
81 if (NTLM_asServer.fHaveCredHandle)
82 _FreeCredentialsHandle(&NTLM_asServer.hcred);
83
84 if (hModule)
85 FreeLibrary(hModule);
86
87 xfree(SSP_Package_InUse);
88 xfree(pClientBuf);
89 xfree(pServerBuf);
90
91 _AcceptSecurityContext = nullptr;
92 _AcquireCredentialsHandle = nullptr;
93 _CompleteAuthToken = nullptr;
94 _DeleteSecurityContext = nullptr;
95 _FreeContextBuffer = nullptr;
96 _FreeCredentialsHandle = nullptr;
97 _InitializeSecurityContext = nullptr;
98 _QuerySecurityPackageInfo = nullptr;
99 _QueryContextAttributes = nullptr;
100
101 hModule = nullptr;
102}
103
104HMODULE LoadSecurityDll(int mode, const char * SSP_Package)
105{
106 TCHAR lpszDLL[MAX_PATH];
107 OSVERSIONINFO VerInfo;
108 PSecPkgInfo pSPI = nullptr;
109
110 /*
111 * Find out which security DLL to use, depending on
112 * whether we are on NT or 2000 or XP or 2003 Server
113 * We have to use security.dll on Windows NT 4.0.
114 * All other operating systems, we have to use Secur32.dll
115 */
116 hModule = nullptr;
117 if ((mode != SSP_BASIC) && (mode != SSP_NTLM))
118 return hModule;
119 NTLM_mode = mode;
120 VerInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
121 if (!GetVersionEx (&VerInfo)) { /* If this fails, something has gone wrong */
122 return hModule;
123 }
124 if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
125 VerInfo.dwMajorVersion == 4 &&
126 VerInfo.dwMinorVersion == 0) {
127 lstrcpy (lpszDLL, _T(WINNT_SECURITY_DLL));
128 } else {
129 lstrcpy (lpszDLL, _T(WIN2K_SECURITY_DLL));
130 }
131 hModule = LoadLibrary(lpszDLL);
132 if (!hModule)
133 return hModule;
134 _AcceptSecurityContext = farproc_cast<ACCEPT_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "AcceptSecurityContext"));
135 if (!_AcceptSecurityContext) {
136 UnloadSecurityDll();
137 hModule = nullptr;
138 return hModule;
139 }
140#ifdef UNICODE
141 _AcquireCredentialsHandle = farproc_cast<ACQUIRE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "AcquireCredentialsHandleW"));
142#else
143 _AcquireCredentialsHandle = farproc_cast<ACQUIRE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "AcquireCredentialsHandleA"));
144#endif
145 if (!_AcquireCredentialsHandle) {
146 UnloadSecurityDll();
147 hModule = nullptr;
148 return hModule;
149 }
150 _CompleteAuthToken = farproc_cast<COMPLETE_AUTH_TOKEN_FN>(GetProcAddress(hModule, "CompleteAuthToken"));
151 if (!_CompleteAuthToken) {
152 UnloadSecurityDll();
153 hModule = nullptr;
154 return hModule;
155 }
156 _DeleteSecurityContext = farproc_cast<DELETE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "DeleteSecurityContext"));
157 if (!_DeleteSecurityContext) {
158 UnloadSecurityDll();
159 hModule = nullptr;
160 return hModule;
161 }
162 _FreeContextBuffer = farproc_cast<FREE_CONTEXT_BUFFER_FN>(GetProcAddress(hModule, "FreeContextBuffer"));
163 if (!_FreeContextBuffer) {
164 UnloadSecurityDll();
165 hModule = nullptr;
166 return hModule;
167 }
168 _FreeCredentialsHandle = farproc_cast<FREE_CREDENTIALS_HANDLE_FN>(GetProcAddress(hModule, "FreeCredentialsHandle"));
169 if (!_FreeCredentialsHandle) {
170 UnloadSecurityDll();
171 hModule = nullptr;
172 return hModule;
173 }
174#ifdef UNICODE
175 _InitializeSecurityContext = farproc_cast<INITIALIZE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "InitializeSecurityContextW"));
176#else
177 _InitializeSecurityContext = farproc_cast<INITIALIZE_SECURITY_CONTEXT_FN>(GetProcAddress(hModule, "InitializeSecurityContextA"));
178#endif
179 if (!_InitializeSecurityContext) {
180 UnloadSecurityDll();
181 hModule = nullptr;
182 return hModule;
183 }
184#ifdef UNICODE
185 _QuerySecurityPackageInfo = farproc_cast<QUERY_SECURITY_PACKAGE_INFO_FN>(GetProcAddress(hModule, "QuerySecurityPackageInfoW"));
186#else
187 _QuerySecurityPackageInfo = farproc_cast<QUERY_SECURITY_PACKAGE_INFO_FN>(GetProcAddress(hModule, "QuerySecurityPackageInfoA"));
188#endif
189 if (!_QuerySecurityPackageInfo) {
190 UnloadSecurityDll();
191 hModule = nullptr;
192 }
193
194#ifdef UNICODE
195 _QueryContextAttributes = farproc_cast<QUERY_CONTEXT_ATTRIBUTES_FN_W>(GetProcAddress(hModule, "QueryContextAttributesW"));
196#else
197 _QueryContextAttributes = farproc_cast<QUERY_CONTEXT_ATTRIBUTES_FN_A>(GetProcAddress(hModule, "QueryContextAttributesA"));
198#endif
199 if (!_QueryContextAttributes) {
200 UnloadSecurityDll();
201 hModule = nullptr;
202 }
203
204 /* Get max token size */
205 _QuerySecurityPackageInfo((SEC_CHAR*)_T(SSP_Package), &pSPI);
206 cbMaxToken = pSPI->cbMaxToken;
207 _FreeContextBuffer(pSPI);
208
209 /* Allocate buffers for client and server messages */
210 pClientBuf = static_cast<uint8_t *>(xcalloc(cbMaxToken, sizeof(char)));
211 pServerBuf = static_cast<uint8_t *>(xcalloc(cbMaxToken, sizeof(char)));
212 SSP_Package_InUse = xstrdup(SSP_Package);
213
214 return hModule;
215}
216
217BOOL GenClientContext(PAUTH_SEQ pAS, PSEC_WINNT_AUTH_IDENTITY pAuthIdentity,
218 PVOID pIn, DWORD cbIn, PVOID pOut, PDWORD pcbOut, PBOOL pfDone)
219{
220 /*
221 * Routine Description:
222 *
223 * Optionally takes an input buffer coming from the server and returns
224 * a buffer of information to send back to the server. Also returns
225 * an indication of whether or not the context is complete.
226 *
227 * Return Value:
228 * Returns TRUE if successful; otherwise FALSE.
229 */
230 TimeStamp tsExpiry;
231 SecBufferDesc sbdOut;
232 SecBuffer sbOut;
233 SecBufferDesc sbdIn;
234 SecBuffer sbIn;
235 ULONG fContextAttr;
236
237 if (!pAS->fInitialized) {
238 SecurityStatus = _AcquireCredentialsHandle(nullptr, (SEC_CHAR*) _T(SSP_Package_InUse),
239 SECPKG_CRED_OUTBOUND, nullptr, (NTLM_mode == SSP_NTLM) ? NULL : pAuthIdentity, nullptr, nullptr,
240 &pAS->hcred, &tsExpiry);
241 if (SecurityStatus < 0)
242 return FALSE;
243 pAS->fHaveCredHandle = TRUE;
244 }
245
246 /* Prepare output buffer */
247 sbdOut.ulVersion = 0;
248 sbdOut.cBuffers = 1;
249 sbdOut.pBuffers = &sbOut;
250 sbOut.cbBuffer = *pcbOut;
251 sbOut.BufferType = SECBUFFER_TOKEN;
252 sbOut.pvBuffer = pOut;
253
254 /* Prepare input buffer */
255 if (pAS->fInitialized) {
256 sbdIn.ulVersion = 0;
257 sbdIn.cBuffers = 1;
258 sbdIn.pBuffers = &sbIn;
259 sbIn.cbBuffer = cbIn;
260 sbIn.BufferType = SECBUFFER_TOKEN;
261 sbIn.pvBuffer = pIn;
262 }
263 SecurityStatus = _InitializeSecurityContext(&pAS->hcred,
264 pAS->fInitialized ? &pAS->hctxt : NULL, nullptr, 0, 0,
265 SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL,
266 0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
267 if (SecurityStatus < 0)
268 return FALSE;
269 pAS->fHaveCtxtHandle = TRUE;
270
271 /* If necessary, complete token */
272 if (SecurityStatus == SEC_I_COMPLETE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE) {
273 SecurityStatus = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
274 if (SecurityStatus < 0)
275 return FALSE;
276 }
277 *pcbOut = sbOut.cbBuffer;
278 if (!pAS->fInitialized)
279 pAS->fInitialized = TRUE;
280 *pfDone = !(SecurityStatus == SEC_I_CONTINUE_NEEDED
281 || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE );
282 return TRUE;
283}
284
285BOOL GenServerContext(PAUTH_SEQ pAS, PVOID pIn, DWORD cbIn, PVOID pOut,
286 PDWORD pcbOut, PBOOL pfDone, char * credentials)
287{
288 /*
289 * Routine Description:
290 *
291 * Takes an input buffer coming from the client and returns a buffer
292 * to be sent to the client. Also returns an indication of whether or
293 * not the context is complete.
294 *
295 * Return Value:
296 *
297 * Returns TRUE if successful; otherwise FALSE.
298 */
299
300 SecBufferDesc sbdOut;
301 SecBuffer sbOut;
302 SecBufferDesc sbdIn;
303 SecBuffer sbIn;
304 ULONG fContextAttr;
305 SecPkgContext_Names namebuffer;
306
307 if (!pAS->fInitialized) {
308 SecurityStatus = _AcquireCredentialsHandle(nullptr, (SEC_CHAR*) _T(SSP_Package_InUse),
309 SECPKG_CRED_INBOUND, nullptr, nullptr, nullptr, nullptr, &pAS->hcred,
310 &pAS->hcredLifeTime);
311#if SSP_DEBUG
312 fprintf(stderr, "AcquireCredentialsHandle returned: %x\n", SecurityStatus);
313#endif
314 if (SecurityStatus < 0) {
315#if SSP_DEBUG
316 fprintf(stderr, "AcquireCredentialsHandle failed: %x\n", SecurityStatus);
317#endif
318 return FALSE;
319 }
320 pAS->fHaveCredHandle = TRUE;
321 }
322
323 /* Prepare output buffer */
324 sbdOut.ulVersion = 0;
325 sbdOut.cBuffers = 1;
326 sbdOut.pBuffers = &sbOut;
327 sbOut.cbBuffer = *pcbOut;
328 sbOut.BufferType = SECBUFFER_TOKEN;
329 sbOut.pvBuffer = pOut;
330
331 /* Prepare input buffer */
332 sbdIn.ulVersion = 0;
333 sbdIn.cBuffers = 1;
334 sbdIn.pBuffers = &sbIn;
335 sbIn.cbBuffer = cbIn;
336 sbIn.BufferType = SECBUFFER_TOKEN;
337 sbIn.pvBuffer = pIn;
338 SecurityStatus = _AcceptSecurityContext(&pAS->hcred,
339 pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, (NTLM_mode == SSP_NTLM) ? ASC_REQ_DELEGATE : 0,
340 SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr,
341 &pAS->hctxtLifeTime);
342#if SSP_DEBUG
343 fprintf(stderr, "AcceptSecurityContext returned: %x\n", SecurityStatus);
344#endif
345 if (SecurityStatus < 0) {
346#if SSP_DEBUG
347 fprintf(stderr, "AcceptSecurityContext failed: %x\n", SecurityStatus);
348#endif
349 return FALSE;
350 }
351 pAS->fHaveCtxtHandle = TRUE;
352
353 /* If necessary, complete token */
354 if (SecurityStatus == SEC_I_COMPLETE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE) {
355 SecurityStatus = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
356#if SSP_DEBUG
357 fprintf(stderr, "CompleteAuthToken returned: %x\n", SecurityStatus);
358#endif
359 if (SecurityStatus < 0) {
360#if SSP_DEBUG
361 fprintf(stderr, "CompleteAuthToken failed: %x\n", SecurityStatus);
362#endif
363 return FALSE;
364 }
365 }
366
367 if ((credentials != NULL) &&
368 !(SecurityStatus == SEC_I_CONTINUE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE)) {
369 SecurityStatus = _QueryContextAttributes(&pAS->hctxt, SECPKG_ATTR_NAMES, &namebuffer);
370#if SSP_DEBUG
371 fprintf(stderr, "QueryContextAttributes returned: %x\n", SecurityStatus);
372#endif
373 if (SecurityStatus < 0) {
374#if SSP_DEBUG
375 fprintf(stderr, "QueryContextAttributes failed: %x\n", SecurityStatus);
376#endif
377 return FALSE;
378 }
379 strncpy(credentials, namebuffer.sUserName, SSP_MAX_CRED_LEN);
380 }
381
382 *pcbOut = sbOut.cbBuffer;
383 if (!pAS->fInitialized)
384 pAS->fInitialized = TRUE;
385 *pfDone = !(SecurityStatus == SEC_I_CONTINUE_NEEDED
386 || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE);
387 return TRUE;
388}
389
390BOOL WINAPI SSP_LogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
391{
392 AUTH_SEQ asServer = {};
393 AUTH_SEQ asClient = {};
394 BOOL fDone = FALSE;
395 BOOL fResult = FALSE;
396 DWORD cbOut = 0;
397 DWORD cbIn = 0;
398
399 SEC_WINNT_AUTH_IDENTITY ai;
400
401 do {
402 if (!hModule)
403 break;
404
405 /* Initialize auth identity structure */
406 ZeroMemory(&ai, sizeof(ai));
407 ai.Domain = (unsigned char *)szDomain;
408 ai.DomainLength = lstrlen(szDomain);
409 ai.User = (unsigned char *)szUser;
410 ai.UserLength = lstrlen(szUser);
411 ai.Password = (unsigned char *)szPassword;
412 ai.PasswordLength = lstrlen(szPassword);
413#if defined(UNICODE) || defined(_UNICODE)
414 ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
415#else
416 ai.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
417#endif
418
419 /* Prepare client message (negotiate) */
420 cbOut = cbMaxToken;
421 if (!GenClientContext(&asClient, &ai, nullptr, 0, pClientBuf, &cbOut, &fDone))
422 break;
423
424 /* Prepare server message (challenge) */
425 cbIn = cbOut;
426 cbOut = cbMaxToken;
427 if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
428 &fDone, nullptr))
429 break;
430 /* Most likely failure: AcceptServerContext fails with SEC_E_LOGON_DENIED
431 * in the case of bad szUser or szPassword.
432 * Unexpected Result: Logon will succeed if you pass in a bad szUser and
433 * the guest account is enabled in the specified domain.
434 */
435
436 /* Prepare client message (authenticate) */
437 cbIn = cbOut;
438 cbOut = cbMaxToken;
439 if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf, &cbOut,
440 &fDone))
441 break;
442
443 /* Prepare server message (authentication) */
444 cbIn = cbOut;
445 cbOut = cbMaxToken;
446 if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
447 &fDone, nullptr))
448 break;
449 fResult = TRUE;
450 } while (0);
451
452 /* Clean up resources */
453 if (asClient.fHaveCtxtHandle)
454 _DeleteSecurityContext(&asClient.hctxt);
455 if (asClient.fHaveCredHandle)
456 _FreeCredentialsHandle(&asClient.hcred);
457 if (asServer.fHaveCtxtHandle)
458 _DeleteSecurityContext(&asServer.hctxt);
459 if (asServer.fHaveCredHandle)
460 _FreeCredentialsHandle(&asServer.hcred);
461
462 return fResult;
463}
464
465#if HAVE_AUTH_MODULE_NTLM
466const char * WINAPI SSP_MakeChallenge(PVOID PNegotiateBuf, int NegotiateLen)
467{
468 BOOL fDone = FALSE;
469 uint8_t * fResult = nullptr;
470 DWORD cbOut = 0;
471 DWORD cbIn = 0;
472 ntlm_challenge * challenge;
473
474 if (NTLM_asServer.fHaveCtxtHandle)
475 _DeleteSecurityContext(&NTLM_asServer.hctxt);
476 if (NTLM_asServer.fHaveCredHandle)
477 _FreeCredentialsHandle(&NTLM_asServer.hcred);
478
479 NTLM_LocalCall = FALSE;
480 Use_Unicode = FALSE;
481 memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
482 ZeroMemory(pServerBuf, cbMaxToken);
483 ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));
484 do {
485 if (!hModule)
486 break;
487
488 /* Prepare server message (challenge) */
489 cbIn = NegotiateLen;
490 cbOut = cbMaxToken;
491 if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
492 &fDone, nullptr))
493 break;
494 fResult = pServerBuf;
495 } while (0);
496 if (fResult != NULL) {
497 challenge = (ntlm_challenge *) fResult;
498 Use_Unicode = NTLM_NEGOTIATE_UNICODE & challenge->flags;
499 NTLM_LocalCall = NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL & challenge->flags;
500 struct base64_encode_ctx ctx;
501 base64_encode_init(&ctx);
502 static char encoded[8192];
503 size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(fResult));
504 assert(dstLen < sizeof(encoded));
505 dstLen += base64_encode_final(&ctx, encoded+dstLen);
506 assert(dstLen < sizeof(encoded));
507 encoded[dstLen] = '\0';
508 return encoded;
509 }
510 return nullptr;
511}
512
513BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID PAutenticateBuf, int AutenticateLen, char * credentials)
514{
515 BOOL fDone = FALSE;
516 BOOL fResult = FALSE;
517 DWORD cbOut = 0;
518 DWORD cbIn = 0;
519
520 memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
521 ZeroMemory(pServerBuf, cbMaxToken);
522 do {
523 if (!hModule)
524 break;
525
526 /* Prepare server message (authentication) */
527 cbIn = AutenticateLen;
528 cbOut = cbMaxToken;
529 if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
530 &fDone, credentials))
531 break;
532 fResult = TRUE;
533 } while (0);
534
535 return fResult;
536}
537#endif /* HAVE_AUTH_MODULE_NTLM */
538
539#if HAVE_AUTH_MODULE_NEGOTIATE
540const char * WINAPI SSP_MakeNegotiateBlob(PVOID PNegotiateBuf, int NegotiateLen, PBOOL fDone, int * Status, char * credentials)
541{
542 DWORD cbOut = 0;
543 DWORD cbIn = 0;
544
545 if (NTLM_asServer.fHaveCtxtHandle)
546 _DeleteSecurityContext(&NTLM_asServer.hctxt);
547 if (NTLM_asServer.fHaveCredHandle)
548 _FreeCredentialsHandle(&NTLM_asServer.hcred);
549
550 memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);
551 ZeroMemory(pServerBuf, cbMaxToken);
552 ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer));
553 do {
554 if (!hModule)
555 break;
556
557 /* Prepare server message (challenge) */
558 cbIn = NegotiateLen;
559 cbOut = cbMaxToken;
560 if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
561 fDone, credentials)) {
562 *Status = SSP_ERROR;
563 break;
564 }
565 *Status = SSP_OK;
566 } while (0);
567 if (pServerBuf != NULL && cbOut > 0) {
568 struct base64_encode_ctx ctx;
569 base64_encode_init(&ctx);
570 static char encoded[8192];
571 size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(pServerBuf));
572 assert(dstLen < sizeof(encoded));
573 dstLen += base64_encode_final(&ctx, encoded+dstLen);
574 assert(dstLen < sizeof(encoded));
575 encoded[dstLen] = '\0';
576 return encoded;
577 }
578 return nullptr;
579}
580
581const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID PAutenticateBuf, int AutenticateLen, PBOOL fDone, int * Status, char * credentials)
582{
583 DWORD cbOut = 0;
584 DWORD cbIn = 0;
585
586 memcpy(pClientBuf, PAutenticateBuf, AutenticateLen);
587 ZeroMemory(pServerBuf, cbMaxToken);
588 do {
589 if (!hModule)
590 break;
591
592 /* Prepare server message (authentication) */
593 cbIn = AutenticateLen;
594 cbOut = cbMaxToken;
595 if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
596 fDone, credentials)) {
597 *Status = SSP_ERROR;
598 break;
599 }
600 *Status = SSP_OK;
601 } while (0);
602 if (pServerBuf != NULL && cbOut > 0) {
603 struct base64_encode_ctx ctx;
604 base64_encode_init(&ctx);
605 static char encoded[8192];
606 size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(pServerBuf));
607 assert(dstLen < sizeof(encoded));
608 dstLen += base64_encode_final(&ctx, encoded+dstLen);
609 assert(dstLen < sizeof(encoded));
610 encoded[dstLen] = '\0';
611 return encoded;
612 }
613 return nullptr;
614}
615#endif /* HAVE_AUTH_MODULE_NEGOTIATE */
assert
#define assert(EX)
Definition: assert.h:17
base64_encode_init
void base64_encode_init(struct base64_encode_ctx *ctx)
Definition: base64.c:232
base64_encode_update
size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src)
Definition: base64.c:265
base64_encode_final
size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst)
Definition: base64.c:308
xfree
#define xfree
Definition: negotiate_wrapper.cc:54
xstrdup
#define xstrdup
Definition: negotiate_wrapper.cc:51
credentials
static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]
Definition: ntlm_smb_lm_auth.cc:97
challenge
static unsigned char challenge[NTLM_NONCE_LEN]
Definition: ntlm_smb_lm_auth.cc:92
NTLM_NEGOTIATE_UNICODE
#define NTLM_NEGOTIATE_UNICODE
Definition: ntlmauth.h:107
NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL
#define NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL
Definition: ntlmauth.h:118
ULONG
unsigned int ULONG
Definition: smblib-priv.h:147
pClientBuf
static uint8_t * pClientBuf
Definition: sspwin32.cc:52
GenServerContext
BOOL GenServerContext(PAUTH_SEQ, PVOID, DWORD, PVOID, PDWORD, PBOOL, char *)
Definition: sspwin32.cc:285
NTLM_mode
static int NTLM_mode
Definition: sspwin32.cc:47
_FreeContextBuffer
FREE_CONTEXT_BUFFER_FN _FreeContextBuffer
Definition: sspwin32.cc:67
_FreeCredentialsHandle
FREE_CREDENTIALS_HANDLE_FN _FreeCredentialsHandle
Definition: sspwin32.cc:68
_InitializeSecurityContext
INITIALIZE_SECURITY_CONTEXT_FN _InitializeSecurityContext
Definition: sspwin32.cc:69
farproc_cast
T farproc_cast(FARPROC in)
Definition: sspwin32.cc:21
_DeleteSecurityContext
DELETE_SECURITY_CONTEXT_FN _DeleteSecurityContext
Definition: sspwin32.cc:66
_CompleteAuthToken
COMPLETE_AUTH_TOKEN_FN _CompleteAuthToken
Definition: sspwin32.cc:65
Use_Unicode
BOOL Use_Unicode
Definition: sspwin32.cc:57
pServerBuf
static uint8_t * pServerBuf
Definition: sspwin32.cc:53
NTLM_asServer
static AUTH_SEQ NTLM_asServer
Definition: sspwin32.cc:55
SSP_Package_InUse
static char * SSP_Package_InUse
Definition: sspwin32.cc:48
UnloadSecurityDll
void UnloadSecurityDll(void)
Definition: sspwin32.cc:77
GenClientContext
BOOL GenClientContext(PAUTH_SEQ, PSEC_WINNT_AUTH_IDENTITY, PVOID, DWORD, PVOID, PDWORD, PBOOL)
Definition: sspwin32.cc:217
_QueryContextAttributes
QUERY_CONTEXT_ATTRIBUTES_FN_A _QueryContextAttributes
Definition: sspwin32.cc:74
LoadSecurityDll
HMODULE LoadSecurityDll(int mode, const char *SSP_Package)
Definition: sspwin32.cc:104
_QuerySecurityPackageInfo
QUERY_SECURITY_PACKAGE_INFO_FN _QuerySecurityPackageInfo
Definition: sspwin32.cc:70
_AcceptSecurityContext
ACCEPT_SECURITY_CONTEXT_FN _AcceptSecurityContext
Definition: sspwin32.cc:63
_AcquireCredentialsHandle
ACQUIRE_CREDENTIALS_HANDLE_FN _AcquireCredentialsHandle
Definition: sspwin32.cc:64
hModule
static HMODULE hModule
Definition: sspwin32.cc:46
PAUTH_SEQ
struct _AUTH_SEQ * PAUTH_SEQ
cbMaxToken
static DWORD cbMaxToken
Definition: sspwin32.cc:51
AUTH_SEQ
struct _AUTH_SEQ AUTH_SEQ
SecurityStatus
SECURITY_STATUS SecurityStatus
Definition: sspwin32.cc:49
SSP_LogonUser
BOOL WINAPI SSP_LogonUser(PTSTR szUser, PTSTR szPassword, PTSTR szDomain)
Definition: sspwin32.cc:390
SSP_MAX_CRED_LEN
#define SSP_MAX_CRED_LEN
Definition: sspwin32.h:45
SSP_OK
#define SSP_OK
Definition: sspwin32.h:49
WINNT_SECURITY_DLL
#define WINNT_SECURITY_DLL
Definition: sspwin32.h:39
SSP_NTLM
#define SSP_NTLM
Definition: sspwin32.h:43
SSP_ERROR
#define SSP_ERROR
Definition: sspwin32.h:50
SSP_BASIC
#define SSP_BASIC
Definition: sspwin32.h:42
WIN2K_SECURITY_DLL
#define WIN2K_SECURITY_DLL
Definition: sspwin32.h:40
TRUE
#define TRUE
Definition: std-includes.h:55
FALSE
#define FALSE
Definition: std-includes.h:56
BOOL
#define BOOL
Definition: std-includes.h:38
_AUTH_SEQ
Definition: sspwin32.cc:33
_AUTH_SEQ::hctxtLifeTime
TimeStamp hctxtLifeTime
Definition: sspwin32.cc:40
_AUTH_SEQ::hcred
CredHandle hcred
Definition: sspwin32.cc:37
_AUTH_SEQ::fHaveCtxtHandle
BOOL fHaveCtxtHandle
Definition: sspwin32.cc:36
_AUTH_SEQ::fInitialized
BOOL fInitialized
Definition: sspwin32.cc:34
_AUTH_SEQ::fHaveCredHandle
BOOL fHaveCredHandle
Definition: sspwin32.cc:35
_AUTH_SEQ::hctxt
struct _SecHandle hctxt
Definition: sspwin32.cc:39
_AUTH_SEQ::hcredLifeTime
TimeStamp hcredLifeTime
Definition: sspwin32.cc:38
_ntlm_challenge
Definition: ntlmauth.h:142
base64_encode_ctx
Definition: base64.h:69
NULL
#define NULL
Definition: types.h:145
xcalloc
void * xcalloc(size_t n, size_t sz)
Definition: xalloc.cc:71

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors