--------------------- PatchSet 2027 Date: 2005/10/30 19:59:29 Author: serassio Branch: nt Tag: (none) Log: Added Windows native negotiate helper Members: include/sspwin32.h:1.2.18.4->1.2.18.5 lib/sspwin32.c:1.2.18.5->1.2.18.6 Index: squid3/include/sspwin32.h =================================================================== RCS file: /cvsroot/squid-sf//squid3/include/sspwin32.h,v retrieving revision 1.2.18.4 retrieving revision 1.2.18.5 diff -u -r1.2.18.4 -r1.2.18.5 --- squid3/include/sspwin32.h 3 Jan 2004 16:22:57 -0000 1.2.18.4 +++ squid3/include/sspwin32.h 30 Oct 2005 19:59:29 -0000 1.2.18.5 @@ -19,6 +19,7 @@ #define _LIBSSPWIN32_H_ #define SECURITY_WIN32 #define NTLM_PACKAGE_NAME "NTLM" +#define NEGOTIATE_PACKAGE_NAME "Negotiate" #ifdef _SQUID_CYGWIN_ #include @@ -30,17 +31,28 @@ #include #include +typedef char * SSP_blobP; + #define WINNT_SECURITY_DLL "security.dll" #define WIN2K_SECURITY_DLL "secur32.dll" #define SSP_BASIC 1 #define SSP_NTLM 2 -HMODULE LoadSecurityDll(int); +#define SSP_MAX_CRED_LEN 848 + +#define SSP_DEBUG 0 + +#define SSP_OK 1 +#define SSP_ERROR 2 + +HMODULE LoadSecurityDll(int, char *); void UnloadSecurityDll(void); BOOL WINAPI SSP_LogonUser(PTSTR, PTSTR, PTSTR); -BOOL WINAPI SSP_ValidateCredentials(PVOID, int, char *); +BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID, int, char *); +const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID, int, PBOOL, int *, char *); const char * WINAPI SSP_MakeChallenge(PVOID, int); +const char * WINAPI SSP_MakeNegotiateBlob(PVOID, int, PBOOL, int *, char *); extern BOOL Use_Unicode; extern BOOL NTLM_LocalCall; Index: squid3/lib/sspwin32.c =================================================================== RCS file: /cvsroot/squid-sf//squid3/lib/sspwin32.c,v retrieving revision 1.2.18.5 retrieving revision 1.2.18.6 diff -u -r1.2.18.5 -r1.2.18.6 --- squid3/lib/sspwin32.c 3 Jan 2004 19:28:05 -0000 1.2.18.5 +++ squid3/lib/sspwin32.c 30 Oct 2005 20:02:33 -0000 1.2.18.6 
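Review bot: The new `SSP_ValidateNegotiateCredentials` and `SSP_MakeNegotiateBlob` prototypes take a bare `char * credentials` with no length, while `SSP_MAX_CRED_LEN 848` is introduced right beside them; the header should state the contract, e.g. `/* credentials: caller-owned buffer of at least SSP_MAX_CRED_LEN bytes; receives the authenticated user name */`. `LoadSecurityDll(int, char *)` only reads the package name, so declare it `HMODULE LoadSecurityDll(int, const char *);` here and in the matching definition hunk `@@ -88,7 +90,7 @@` of lib/sspwin32.c. `typedef char * SSP_blobP;` hides the indirection behind a name and nothing in this patch uses it; a plain `char *` at the use site would be clearer.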
@@ -35,6 +35,7 @@ static HMODULE hModule; static int NTLM_mode = SSP_BASIC; +static char * SSP_Package_InUse; SECURITY_STATUS SecurityStatus = SEC_E_OK; static DWORD cbMaxToken = 0; @@ -71,6 +72,7 @@ if (hModule) FreeLibrary(hModule); + xfree(SSP_Package_InUse); xfree(pClientBuf); xfree(pServerBuf); @@ -88,7 +90,7 @@ } -HMODULE LoadSecurityDll(int mode) +HMODULE LoadSecurityDll(int mode, char * SSP_Package) { TCHAR lpszDLL[MAX_PATH]; OSVERSIONINFO VerInfo; @@ -203,13 +205,14 @@ } /* Get max token size */ - _QuerySecurityPackageInfo((SEC_CHAR*)_T("NTLM"), &pSPI); + _QuerySecurityPackageInfo((SEC_CHAR*)_T(SSP_Package), &pSPI); cbMaxToken = pSPI->cbMaxToken; _FreeContextBuffer(pSPI); /* Allocate buffers for client and server messages */ pClientBuf = xcalloc(cbMaxToken, sizeof(char)); pServerBuf = xcalloc(cbMaxToken, sizeof(char)); + SSP_Package_InUse = xstrdup(SSP_Package); return hModule; } @@ -236,7 +239,7 @@ ULONG fContextAttr; if (!pAS->fInitialized) { - SecurityStatus = _AcquireCredentialsHandle(NULL, (SEC_CHAR*) _T(NTLM_PACKAGE_NAME), + SecurityStatus = _AcquireCredentialsHandle(NULL, (SEC_CHAR*) _T(SSP_Package_InUse), SECPKG_CRED_OUTBOUND, NULL, (NTLM_mode == SSP_NTLM) ? NULL : pAuthIdentity, NULL, NULL, &pAS->hcred, &tsExpiry); if (SecurityStatus < 0) @@ -307,11 +310,18 @@ SecPkgContext_Names namebuffer; if (!pAS->fInitialized) { - SecurityStatus = _AcquireCredentialsHandle(NULL, (SEC_CHAR*) _T("NTLM"), + SecurityStatus = _AcquireCredentialsHandle(NULL, (SEC_CHAR*) _T(SSP_Package_InUse), SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &pAS->hcred, &pAS->hcredLifeTime); - if (SecurityStatus < 0) +#if SSP_DEBUG + fprintf(stderr, "AcquireCredentialsHandle returned: %x\n", SecurityStatus); +#endif + if (SecurityStatus < 0) { +#if SSP_DEBUG + fprintf(stderr, "AcquireCredentialsHandle failed: %x\n", SecurityStatus); +#endif return FALSE; + } pAS->fHaveCredHandle = TRUE; } 
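Review bot: `xfree(SSP_Package_InUse);` in the unload path leaves the static pointer dangling, so a second `UnloadSecurityDll()` call, or a later `LoadSecurityDll()` that fails before reaching its `xstrdup`, can free or read already-freed memory; follow the free with `SSP_Package_InUse = NULL;`. The neighbouring `pClientBuf`/`pServerBuf` frees have the same shape, though they are not changed here. The enclosing function starts outside the hunk.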
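Review bot: The return of `_QuerySecurityPackageInfo((SEC_CHAR*)_T(SSP_Package), &pSPI)` is still ignored, and now that the package name is caller-supplied a misspelled or unavailable package leaves `pSPI` unset before `pSPI->cbMaxToken` is read; check it, `SecurityStatus = _QuerySecurityPackageInfo(...); if (SecurityStatus != SEC_E_OK) { /* unload and return NULL */ }`, with the cleanup that the rest of LoadSecurityDll (outside this hunk) already does on its other failure paths. `_T()` is a token-pasting macro for string literals: `_T(SSP_Package)` only compiles while `_UNICODE` is undefined (otherwise it expands to `LSSP_Package`), and the `SEC_CHAR*` cast already says this is a narrow string, so drop `_T()` here and in the `_AcquireCredentialsHandle` calls at `@@ -236,7 +239,7 @@` and `@@ -307,11 +310,18 @@`.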
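Review bot: The `SSP_DEBUG` traces print `SecurityStatus` with `%x`, but `SECURITY_STATUS` is a `LONG`, so the conversion specifier and the argument type disagree (`-Wformat` flags it); use `fprintf(stderr, "AcquireCredentialsHandle returned: %lx\n", (unsigned long) SecurityStatus);` and the same for the failure line. The pattern repeats in the `AcceptSecurityContext`, `CompleteAuthToken` and `QueryContextAttributes` traces of `@@ -334,28 +344,50 @@`. Since `SSP_DEBUG` is defined as 0 in the header, none of these lines are compiled by default, which is worth a one-line comment next to the define, e.g. `/* set to 1 for SSPI call tracing on stderr; never ship enabled */`. The enclosing function (GenServerContext, judging by the callers in the last hunk) starts outside the hunk.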
@@ -334,28 +344,50 @@ pAS->fInitialized ? &pAS->hctxt : NULL, &sbdIn, (NTLM_mode == SSP_NTLM) ? ASC_REQ_DELEGATE : 0, SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr, &pAS->hctxtLifeTime); - if (SecurityStatus < 0) +#if SSP_DEBUG + fprintf(stderr, "AcceptSecurityContext returned: %x\n", SecurityStatus); +#endif + if (SecurityStatus < 0) { +#if SSP_DEBUG + fprintf(stderr, "AcceptSecurityContext failed: %x\n", SecurityStatus); +#endif return FALSE; + } pAS->fHaveCtxtHandle = TRUE; /* If necessary, complete token */ if (SecurityStatus == SEC_I_COMPLETE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE) { SecurityStatus = _CompleteAuthToken(&pAS->hctxt, &sbdOut); - if (SecurityStatus < 0) +#if SSP_DEBUG + fprintf(stderr, "CompleteAuthToken returned: %x\n", SecurityStatus); +#endif + if (SecurityStatus < 0) { +#if SSP_DEBUG + fprintf(stderr, "CompleteAuthToken failed: %x\n", SecurityStatus); +#endif return FALSE; + } } - if (credentials != NULL) { + if ((credentials != NULL) && + !(SecurityStatus == SEC_I_CONTINUE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE)) { SecurityStatus = _QueryContextAttributes(&pAS->hctxt, SECPKG_ATTR_NAMES, &namebuffer); - if (SecurityStatus < 0) +#if SSP_DEBUG + fprintf(stderr, "QueryContextAttributes returned: %x\n", SecurityStatus); +#endif + if (SecurityStatus < 0) { +#if SSP_DEBUG + fprintf(stderr, "QueryContextAttributes failed: %x\n", SecurityStatus); +#endif return FALSE; - strcpy(credentials, namebuffer.sUserName); + } + strncpy(credentials, namebuffer.sUserName, SSP_MAX_CRED_LEN); } *pcbOut = sbOut.cbBuffer; if (!pAS->fInitialized) pAS->fInitialized = TRUE; - *pfDone = !(SecurityStatus = SEC_I_CONTINUE_NEEDED + *pfDone = !(SecurityStatus == SEC_I_CONTINUE_NEEDED || SecurityStatus == SEC_I_COMPLETE_AND_CONTINUE); return TRUE; } 
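Review bot: `strncpy(credentials, namebuffer.sUserName, SSP_MAX_CRED_LEN);` replaces the unbounded copy but does not guarantee a terminator: a name of `SSP_MAX_CRED_LEN` or more characters leaves `credentials` unterminated for whoever reads it next. Either terminate explicitly, `credentials[SSP_MAX_CRED_LEN - 1] = '\0';` right after the copy, or fail the request when `strlen(namebuffer.sUserName) >= SSP_MAX_CRED_LEN` rather than silently truncating a principal name. `namebuffer.sUserName` is allocated by the security package and is never released; add `_FreeContextBuffer(namebuffer.sUserName);` once the copy is done (the leak predates this patch, but the line is being rewritten here anyway). The enclosing function (GenServerContext, judging by the callers in the last hunk) starts outside the hunk.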
@@ -478,7 +510,7 @@ } -BOOL WINAPI SSP_ValidateCredentials(PVOID PAutenticateBuf, int AutenticateLen, char * credentials) +BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID PAutenticateBuf, int AutenticateLen, char * credentials) { BOOL fDone = FALSE; BOOL fResult = FALSE; @@ -502,3 +534,65 @@ return fResult; } + + +const char * WINAPI SSP_MakeNegotiateBlob(PVOID PNegotiateBuf, int NegotiateLen, PBOOL fDone, int * Status, char * credentials) +{ + DWORD cbOut = 0; + DWORD cbIn = 0; + const char * encoded = NULL; + + if (NTLM_asServer.fHaveCtxtHandle) + _DeleteSecurityContext(&NTLM_asServer.hctxt); + if (NTLM_asServer.fHaveCredHandle) + _FreeCredentialsHandle(&NTLM_asServer.hcred); + + memcpy(pClientBuf, PNegotiateBuf, NegotiateLen); + ZeroMemory(pServerBuf, cbMaxToken); + ZeroMemory(&NTLM_asServer, sizeof(NTLM_asServer)); + do { + if (!hModule) + break; + + /* Prepare server message (challenge) */ + cbIn = NegotiateLen; + cbOut = cbMaxToken; + if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, + fDone, credentials)) { + *Status = SSP_ERROR; + break; + } + *Status = SSP_OK; + } while(0); + if (pServerBuf != NULL && cbOut > 0) + encoded = base64_encode_bin((char *) pServerBuf, cbOut); + return encoded; +} + + +const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID PAutenticateBuf, int AutenticateLen, PBOOL fDone, int * Status, char * credentials) +{ + DWORD cbOut = 0; + DWORD cbIn = 0; + const char * encoded = NULL; + + memcpy(pClientBuf, PAutenticateBuf, AutenticateLen); + ZeroMemory(pServerBuf, cbMaxToken); + do { + if (!hModule) + break; + + /* Prepare server message (authentication) */ + cbIn = AutenticateLen; + cbOut = cbMaxToken; + if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut, + fDone, credentials)) { + *Status = SSP_ERROR; + break; + } + *Status = SSP_OK; + } while(0); + if (pServerBuf != NULL && cbOut > 0) + encoded = base64_encode_bin((char *) pServerBuf, cbOut); + return encoded; +}
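Review bot: `memcpy(pClientBuf, PNegotiateBuf, NegotiateLen);` in `SSP_MakeNegotiateBlob` (and the identical line in `SSP_ValidateNegotiateCredentials`) copies a caller-supplied length into a buffer that is only `cbMaxToken` bytes (`xcalloc(cbMaxToken, sizeof(char))` in `LoadSecurityDll`), and it runs before the `!hModule` check, so a token longer than the package maximum, a negative length, or a call before the library is loaded overruns or dereferences an unallocated buffer; move the guard in front of the copies and bound the length against `cbMaxToken`. On a `GenServerContext` failure `cbOut` keeps the `cbMaxToken` it was primed with, because `*pcbOut` is only written on that function's success path, so the error branch still base64-encodes the whole server buffer and returns a non-NULL blob alongside `SSP_ERROR`; zero `cbOut` there. When the `!hModule` break is taken `*Status` is never assigned, so the caller reads whatever it held before. Both functions need the same treatment; the fence shows `SSP_MakeNegotiateBlob`.
```c
const char * WINAPI SSP_MakeNegotiateBlob(PVOID PNegotiateBuf, int NegotiateLen, PBOOL fDone, int * Status, char * credentials)
{
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    const char * encoded = NULL;

    /* Reject before touching the token buffers: they hold only cbMaxToken
     * bytes and do not exist until LoadSecurityDll() has succeeded. */
    if (!hModule || NegotiateLen < 0 || (DWORD) NegotiateLen > cbMaxToken) {
        *Status = SSP_ERROR;
        return NULL;
    }
    /* … unchanged: release previous context/credential handles, memcpy, ZeroMemory … */
    do {
        /* … unchanged: prepare server message (cbIn, cbOut) … */
        if (!GenServerContext(&NTLM_asServer, pClientBuf, cbIn, pServerBuf, &cbOut,
                fDone, credentials)) {
            cbOut = 0;          /* GenServerContext leaves *pcbOut untouched on failure */
            *Status = SSP_ERROR;
            break;
        }
        *Status = SSP_OK;
    } while(0);
    /* … unchanged: base64 encode of pServerBuf and return … */
}
```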