549 lines
11 KiB
C++
549 lines
11 KiB
C++
|
/*++
|
|||
|
|
|||
|
Copyright (C) Microsoft Corporation, 1991 - 1999
|
|||
|
|
|||
|
Module Name:
|
|||
|
|
|||
|
secclnt.hxx
|
|||
|
|
|||
|
Abstract:
|
|||
|
|
|||
|
This file contains an abstraction to the security support for clients
|
|||
|
and that which is common to both servers and clients.
|
|||
|
|
|||
|
Author:
|
|||
|
|
|||
|
Michael Montague (mikemon) 10-Apr-1992
|
|||
|
|
|||
|
Revision History:
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
#ifndef __SECCLNT_HXX__
|
|||
|
#define __SECCLNT_HXX__
|
|||
|
|
|||
|
typedef SecBufferDesc SECURITY_BUFFER_DESCRIPTOR;
|
|||
|
typedef SecBuffer SECURITY_BUFFER;
|
|||
|
|
|||
|
#define MAXIMUM_SECURITY_BLOCK_SIZE 16
|
|||
|
|
|||
|
enum PACKAGE_LEG_COUNT
|
|||
|
{
|
|||
|
LegsUnknown,
|
|||
|
ThreeLegs,
|
|||
|
EvenNumberOfLegs
|
|||
|
};
|
|||
|
|
|||
|
typedef struct
|
|||
|
{
|
|||
|
#ifdef UNICODE
|
|||
|
SecPkgInfoW PackageInfo;
|
|||
|
#else
|
|||
|
SecPkgInfoA PackageInfo;
|
|||
|
#endif
|
|||
|
SECURITY_CREDENTIALS *ServerSecurityCredentials;
|
|||
|
PACKAGE_LEG_COUNT LegCount;
|
|||
|
} SECURITY_PACKAGE_INFO;
|
|||
|
|
|||
|
typedef struct
|
|||
|
{
|
|||
|
unsigned long Count;
|
|||
|
SECURITY_PACKAGE_INFO * SecurityPackages;
|
|||
|
PSecurityFunctionTable RpcSecurityInterface;
|
|||
|
void * ProviderDll;
|
|||
|
RPC_CHAR *ProviderDllName;
|
|||
|
} SECURITY_PROVIDER_INFO;
|
|||
|
|
|||
|
extern SECURITY_PROVIDER_INFO PAPI * ProviderList;
|
|||
|
extern unsigned long NumberOfProviders;
|
|||
|
extern unsigned long LoadedProviders;
|
|||
|
extern unsigned long AvailableProviders;
|
|||
|
|
|||
|
|
|||
|
extern int SecuritySupportLoaded;
|
|||
|
extern int FailedToLoad;
|
|||
|
extern PSecurityFunctionTable RpcSecurityInterface;
|
|||
|
extern SecPkgInfo PAPI * SecurityPackages;
|
|||
|
extern unsigned long NumberOfSecurityPackages;
|
|||
|
extern MUTEX * SecurityCritSect;
|
|||
|
|
|||
|
extern RPC_STATUS
|
|||
|
InsureSecuritySupportLoaded (
|
|||
|
);
|
|||
|
|
|||
|
extern RPC_STATUS
|
|||
|
IsAuthenticationServiceSupported (
|
|||
|
IN unsigned long AuthenticationService
|
|||
|
);
|
|||
|
|
|||
|
extern RPC_STATUS
|
|||
|
FindServerCredentials (
|
|||
|
IN RPC_AUTH_KEY_RETRIEVAL_FN GetKeyFn,
|
|||
|
IN void __RPC_FAR * Arg,
|
|||
|
IN unsigned long AuthenticationService,
|
|||
|
IN unsigned long AuthenticationLevel,
|
|||
|
IN RPC_CHAR __RPC_FAR * Principal,
|
|||
|
IN OUT SECURITY_CREDENTIALS ** SecurityCredentials
|
|||
|
);
|
|||
|
|
|||
|
extern RPC_STATUS
|
|||
|
RemoveCredentialsFromCache (
|
|||
|
IN unsigned long AuthenticationService
|
|||
|
);
|
|||
|
|
|||
|
extern PACKAGE_LEG_COUNT
|
|||
|
GetPackageLegCount(
|
|||
|
DWORD id
|
|||
|
);
|
|||
|
|
|||
|
extern BOOL
|
|||
|
ReadPackageLegInfo();
|
|||
|
|
|||
|
extern DWORD * FourLeggedPackages;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
class SECURITY_CREDENTIALS
|
|||
|
/*++
|
|||
|
|
|||
|
Class Description:
|
|||
|
|
|||
|
This class is an abstraction of the credential handle provided by
|
|||
|
the Security APIs.
|
|||
|
|
|||
|
Fields:
|
|||
|
|
|||
|
PackageIndex - Contains the index for this package in the array of
|
|||
|
packages pointed to by SecurityPackages.
|
|||
|
|
|||
|
Credentials - Contains the credential handle used by the security
|
|||
|
package.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
|
|||
|
friend RPC_STATUS
|
|||
|
FindServerCredentials (
|
|||
|
IN RPC_AUTH_KEY_RETRIEVAL_FN GetKeyFn,
|
|||
|
IN void __RPC_FAR * Arg,
|
|||
|
IN unsigned long AuthenticationService,
|
|||
|
IN unsigned long AuthenticationLevel,
|
|||
|
IN RPC_CHAR __RPC_FAR * Principal,
|
|||
|
IN OUT SECURITY_CREDENTIALS ** SecurityCredentials
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
public:
|
|||
|
|
|||
|
unsigned AuthenticationService;
|
|||
|
|
|||
|
private:
|
|||
|
|
|||
|
BOOL Valid;
|
|||
|
unsigned int ProviderIndex;
|
|||
|
unsigned int PackageIndex;
|
|||
|
CredHandle CredentialsHandle;
|
|||
|
unsigned int ReferenceCount;
|
|||
|
MUTEX CredentialsMutex;
|
|||
|
BOOL bServerCredentials;
|
|||
|
BOOL fDeleted;
|
|||
|
|
|||
|
SEC_CHAR __SEC_FAR * DefaultPrincName;
|
|||
|
|
|||
|
public:
|
|||
|
|
|||
|
SECURITY_CREDENTIALS (
|
|||
|
IN OUT RPC_STATUS PAPI * Status
|
|||
|
);
|
|||
|
|
|||
|
~SECURITY_CREDENTIALS ();
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
AcquireCredentialsForServer (
|
|||
|
IN RPC_AUTH_KEY_RETRIEVAL_FN GetKeyFn,
|
|||
|
IN void __RPC_FAR * Arg,
|
|||
|
IN unsigned long AuthenticationService,
|
|||
|
IN unsigned long AuthenticationLevel,
|
|||
|
IN RPC_CHAR __RPC_FAR * Principal
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
AcquireCredentialsForClient (
|
|||
|
IN RPC_AUTH_IDENTITY_HANDLE AuthIdentity,
|
|||
|
IN unsigned long AuthenticationService,
|
|||
|
IN unsigned long AuthenticationLevel
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
InquireDefaultPrincName (
|
|||
|
OUT SEC_CHAR __SEC_FAR **MyDefaultPrincName
|
|||
|
);
|
|||
|
|
|||
|
void
|
|||
|
FreeCredentials (
|
|||
|
);
|
|||
|
|
|||
|
unsigned int
|
|||
|
MaximumTokenLength (
|
|||
|
);
|
|||
|
|
|||
|
PCredHandle
|
|||
|
InquireCredHandle (
|
|||
|
);
|
|||
|
|
|||
|
void
|
|||
|
ReferenceCredentials(
|
|||
|
);
|
|||
|
|
|||
|
void
|
|||
|
DereferenceCredentials(
|
|||
|
BOOL fRemoveIt = FALSE OPTIONAL
|
|||
|
);
|
|||
|
|
|||
|
PSecurityFunctionTable
|
|||
|
InquireProviderFunctionTable (
|
|||
|
);
|
|||
|
|
|||
|
int
|
|||
|
CompareCredentials(
|
|||
|
SECURITY_CREDENTIALS PAPI * Creds
|
|||
|
);
|
|||
|
|
|||
|
};
|
|||
|
|
|||
|
|
|||
|
inline
|
|||
|
int
|
|||
|
SECURITY_CREDENTIALS::CompareCredentials(
|
|||
|
SECURITY_CREDENTIALS PAPI * Creds
|
|||
|
)
|
|||
|
{
|
|||
|
CredHandle * Cookie = Creds->InquireCredHandle();
|
|||
|
|
|||
|
if ( (CredentialsHandle.dwLower == Cookie->dwLower)
|
|||
|
&&(CredentialsHandle.dwUpper == Cookie->dwUpper) )
|
|||
|
{
|
|||
|
return 0;
|
|||
|
}
|
|||
|
return 1;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
inline unsigned int
|
|||
|
SECURITY_CREDENTIALS::MaximumTokenLength (
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
The maximum size, in bytes, of the tokens passed around at security
|
|||
|
context initialization time.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(ProviderList[ProviderIndex].SecurityPackages[PackageIndex].PackageInfo.cbMaxToken);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
inline PSecurityFunctionTable
|
|||
|
SECURITY_CREDENTIALS::InquireProviderFunctionTable(
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(ProviderList[ProviderIndex].RpcSecurityInterface);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
inline PCredHandle
|
|||
|
SECURITY_CREDENTIALS::InquireCredHandle (
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
The credential handle for this object will be returned.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(&CredentialsHandle);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
class SECURITY_CONTEXT : public CLIENT_AUTH_INFO
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
Class Description:
|
|||
|
|
|||
|
This is an abstraction of a security context. It allows you to use
|
|||
|
it to generate signatures and then verify them, as well as, sealing
|
|||
|
and unsealing messages.
|
|||
|
|
|||
|
Fields:
|
|||
|
|
|||
|
DontForgetToDelete - Contains a flag indicating whether or not there
|
|||
|
is a valid security context which needs to be deleted. A value
|
|||
|
of non-zero indicates there is a valid security context.
|
|||
|
|
|||
|
SecurityContext - Contains a handle to the security context maintained
|
|||
|
by the security package on our behalf.
|
|||
|
|
|||
|
MaxHeaderLength - Contains the maximum size of a header for this
|
|||
|
security context.
|
|||
|
|
|||
|
MaxSignatureLength - Contains the maximum size of a signature for
|
|||
|
this security context.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
public:
|
|||
|
|
|||
|
unsigned AuthContextId;
|
|||
|
unsigned Flags;
|
|||
|
unsigned long ContextAttributes;
|
|||
|
PACKAGE_LEG_COUNT Legs;
|
|||
|
|
|||
|
SECURITY_CONTEXT (
|
|||
|
CLIENT_AUTH_INFO *myAuthInfo,
|
|||
|
unsigned myAuthContextId,
|
|||
|
BOOL fUseDatagram,
|
|||
|
RPC_STATUS __RPC_FAR * pStatus
|
|||
|
);
|
|||
|
|
|||
|
inline ~SECURITY_CONTEXT (
|
|||
|
void
|
|||
|
)
|
|||
|
{
|
|||
|
DeleteSecurityContext();
|
|||
|
}
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
SetMaximumLengths (
|
|||
|
);
|
|||
|
|
|||
|
unsigned int
|
|||
|
MaximumHeaderLength (
|
|||
|
);
|
|||
|
|
|||
|
unsigned int
|
|||
|
MaximumSignatureLength (
|
|||
|
);
|
|||
|
|
|||
|
unsigned int
|
|||
|
BlockSize (
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
CompleteSecurityToken (
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR PAPI * BufferDescriptor
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
SignOrSeal (
|
|||
|
IN unsigned long Sequence,
|
|||
|
IN unsigned int SignNotSealFlag,
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR PAPI * BufferDescriptor
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
VerifyOrUnseal (
|
|||
|
IN unsigned long Sequence,
|
|||
|
IN unsigned int VerifyNotUnsealFlag,
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR PAPI * BufferDescriptor
|
|||
|
);
|
|||
|
|
|||
|
BOOL
|
|||
|
FullyConstructed()
|
|||
|
{
|
|||
|
return fFullyConstructed;
|
|||
|
}
|
|||
|
|
|||
|
// client-side calls
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
InitializeFirstTime(
|
|||
|
IN SECURITY_CREDENTIALS * Credentials,
|
|||
|
IN RPC_CHAR * ServerPrincipal,
|
|||
|
IN unsigned long AuthenticationLevel,
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR * BufferDescriptor,
|
|||
|
IN OUT unsigned char *NewAuthType = NULL
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
InitializeThirdLeg(
|
|||
|
IN SECURITY_CREDENTIALS * Credentials,
|
|||
|
IN unsigned long DataRep,
|
|||
|
IN SECURITY_BUFFER_DESCRIPTOR * In,
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR * Out
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
GetWireIdForSnego(
|
|||
|
OUT unsigned char *WireId
|
|||
|
);
|
|||
|
|
|||
|
// server-side calls
|
|||
|
|
|||
|
void
|
|||
|
DeletePac (
|
|||
|
void PAPI * Pac
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
AcceptFirstTime (
|
|||
|
IN SECURITY_CREDENTIALS * Credentials,
|
|||
|
IN SECURITY_BUFFER_DESCRIPTOR PAPI * InputBufferDescriptor,
|
|||
|
IN OUT SECURITY_BUFFER_DESCRIPTOR PAPI * OutputBufferDescriptor,
|
|||
|
IN unsigned long AuthenticationLevel,
|
|||
|
IN unsigned long DataRepresentation,
|
|||
|
IN unsigned long NewContextNeededFlag
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
AcceptThirdLeg (
|
|||
|
IN unsigned long DataRepresentation,
|
|||
|
IN SECURITY_BUFFER_DESCRIPTOR PAPI * BufferDescriptor,
|
|||
|
OUT SECURITY_BUFFER_DESCRIPTOR PAPI * OutBufferDescriptor
|
|||
|
);
|
|||
|
|
|||
|
unsigned long
|
|||
|
InquireAuthorizationService (
|
|||
|
);
|
|||
|
|
|||
|
RPC_AUTHZ_HANDLE
|
|||
|
InquirePrivileges (
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
ImpersonateClient (
|
|||
|
);
|
|||
|
|
|||
|
void
|
|||
|
RevertToSelf (
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
GetAccessToken (
|
|||
|
OUT HANDLE *ImpersonationToken,
|
|||
|
OUT BOOL *fNeedToCloseToken
|
|||
|
);
|
|||
|
|
|||
|
inline AUTHZ_CLIENT_CONTEXT_HANDLE
|
|||
|
GetAuthzContext (
|
|||
|
void
|
|||
|
)
|
|||
|
{
|
|||
|
return AuthzClientContext;
|
|||
|
}
|
|||
|
|
|||
|
inline PAUTHZ_CLIENT_CONTEXT_HANDLE
|
|||
|
GetAuthzContextAddress (
|
|||
|
void
|
|||
|
)
|
|||
|
{
|
|||
|
return &AuthzClientContext;
|
|||
|
}
|
|||
|
|
|||
|
DWORD
|
|||
|
GetDceInfo (
|
|||
|
RPC_AUTHZ_HANDLE __RPC_FAR * PacHandle,
|
|||
|
unsigned long __RPC_FAR * AuthzSvc
|
|||
|
);
|
|||
|
|
|||
|
void
|
|||
|
DeleteSecurityContext (
|
|||
|
void
|
|||
|
);
|
|||
|
|
|||
|
RPC_STATUS
|
|||
|
CheckForFailedThirdLeg (
|
|||
|
void
|
|||
|
);
|
|||
|
|
|||
|
protected:
|
|||
|
|
|||
|
unsigned char fFullyConstructed;
|
|||
|
unsigned char DontForgetToDelete;
|
|||
|
unsigned char fDatagram;
|
|||
|
|
|||
|
CtxtHandle SecurityContext;
|
|||
|
|
|||
|
unsigned int MaxHeaderLength;
|
|||
|
unsigned int MaxSignatureLength;
|
|||
|
unsigned int cbBlockSize;
|
|||
|
|
|||
|
PSecurityFunctionTable RpcSecurityInterface;
|
|||
|
int FailedContext;
|
|||
|
ExtendedErrorInfo *FailedContextEEInfo;
|
|||
|
|
|||
|
AUTHZ_CLIENT_CONTEXT_HANDLE AuthzClientContext;
|
|||
|
|
|||
|
DWORD VerifyCertificate();
|
|||
|
|
|||
|
public:
|
|||
|
CtxtHandle *
|
|||
|
InqSecurityContext ()
|
|||
|
{
|
|||
|
return &SecurityContext;
|
|||
|
}
|
|||
|
};
|
|||
|
|
|||
|
typedef SECURITY_CONTEXT * PSECURITY_CONTEXT;
|
|||
|
|
|||
|
|
|||
|
inline unsigned int
|
|||
|
SECURITY_CONTEXT::MaximumHeaderLength (
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
The maximum size of the header used by SECURITY_CONTEXT::SealMessage
|
|||
|
will be returned. This is in bytes.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(MaxHeaderLength);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
inline unsigned int
|
|||
|
SECURITY_CONTEXT::BlockSize (
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
For best effect, buffers to be signed or sealed should be a multiple
|
|||
|
of this length.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(cbBlockSize);
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
inline unsigned int
|
|||
|
SECURITY_CONTEXT::MaximumSignatureLength (
|
|||
|
)
|
|||
|
/*++
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
The maximum size, in bytes, of the signature used by
|
|||
|
SECURITY_CONTEXT::MakeSignature will be returned.
|
|||
|
|
|||
|
--*/
|
|||
|
{
|
|||
|
return(MaxSignatureLength);
|
|||
|
}
|
|||
|
|
|||
|
#endif // __SECCLNT_HXX__
|
|||
|
|