generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-10-28 19:51:58 +01:00
Code Issues Projects Releases Wiki Activity

added support for SSPI-based NTLM authentication using the credentials of the currently logged in Windows user (Windows only)

Browse Source
This commit is contained in:
Günter Obiltschnig
2019-05-15 15:43:37 +02:00
parent e1435a6620
commit e821a2a9f1
11 changed files with 553 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
Net/include/Poco/Net/HTTPCredentials.h
View File

@@ -103,6 +103,14 @@ public:
const std::string& getPassword() const; const std::string& getPassword() const;
/// Returns the password. /// Returns the password.
void setHost(const std::string& host);
/// Sets the target host. Only used for SSPI-based NTLM authentication using
/// the credentials of the currently logged-in user on Windows.
const std::string& getHost() const;
/// Returns the target host. Only used for SSPI-based NTLM authentication using
/// the credentials of the currently logged-in user on Windows.
void authenticate(HTTPRequest& request, const HTTPResponse& response); void authenticate(HTTPRequest& request, const HTTPResponse& response);
/// Inspects WWW-Authenticate header of the response, initializes /// Inspects WWW-Authenticate header of the response, initializes
/// the internal state (in case of digest authentication) and /// the internal state (in case of digest authentication) and
@@ -196,6 +204,18 @@ inline const std::string& HTTPCredentials::getPassword() const
} }
inline void HTTPCredentials::setHost(const std::string& host)
{
_ntlm.setHost(host);
}
inline const std::string& HTTPCredentials::getHost() const
{
return _ntlm.getHost();
}
} } // namespace Poco::Net } } // namespace Poco::Net

27
Net/include/Poco/Net/HTTPNTLMCredentials.h
View File

@@ -19,6 +19,7 @@
#include "Poco/Net/Net.h" #include "Poco/Net/Net.h"
#include "Poco/Net/SSPINTLMCredentials.h"
#include <vector> #include <vector>
@@ -42,6 +43,9 @@ public:
HTTPNTLMCredentials(const std::string& username, const std::string& password); HTTPNTLMCredentials(const std::string& username, const std::string& password);
/// Creates a HTTPNTLMCredentials object with the given username and password. /// Creates a HTTPNTLMCredentials object with the given username and password.
HTTPNTLMCredentials(const std::string& username, const std::string& password, const std::string& host);
/// Creates a HTTPNTLMCredentials object with the given username, password and target host.
~HTTPNTLMCredentials(); ~HTTPNTLMCredentials();
/// Destroys the HTTPNTLMCredentials. /// Destroys the HTTPNTLMCredentials.
@@ -60,6 +64,14 @@ public:
const std::string& getPassword() const; const std::string& getPassword() const;
/// Returns the password. /// Returns the password.
void setHost(const std::string& host);
/// Sets the target host.\
///
/// Used for SSPI-based NTLM authentication only.
const std::string& getHost() const;
/// Returns the target host.
void authenticate(HTTPRequest& request, const HTTPResponse& response); void authenticate(HTTPRequest& request, const HTTPResponse& response);
/// Parses WWW-Authenticate header of the HTTPResponse, initializes /// Parses WWW-Authenticate header of the HTTPResponse, initializes
/// internal state, and adds authentication information to the given HTTPRequest. /// internal state, and adds authentication information to the given HTTPRequest.
@@ -101,9 +113,12 @@ private:
HTTPNTLMCredentials& operator = (const HTTPNTLMCredentials&); HTTPNTLMCredentials& operator = (const HTTPNTLMCredentials&);
std::string createNTLMMessage(const std::string& ntlmChallengeBase64); std::string createNTLMMessage(const std::string& ntlmChallengeBase64);
bool useSSPINTLM() const;
std::string _username; std::string _username;
std::string _password; std::string _password;
std::string _host;
Poco::SharedPtr<NTLMContext> _pNTLMContext;
}; };
@@ -122,6 +137,18 @@ inline const std::string& HTTPNTLMCredentials::getPassword() const
} }
inline const std::string& HTTPNTLMCredentials::getHost() const
{
return _host;
}
inline bool HTTPNTLMCredentials::useSSPINTLM() const
{
return _username.empty() && _password.empty() && SSPINTLMCredentials::available();
}
} } // namespace Poco::Net } } // namespace Poco::Net

4
Net/include/Poco/Net/NTLMCredentials.h
View File

@@ -2,7 +2,7 @@
// NTLMCredentials.h // NTLMCredentials.h
// //
// Library: Net // Library: Net
// Package: HTTP // Package: NTLM
// Module: NTLMCredentials // Module: NTLMCredentials
// //
// Definition of the NTLMCredentials class. // Definition of the NTLMCredentials class.
@@ -152,7 +152,7 @@ public:
/// Returns true if the message was parsed successfully, otherwise false. /// Returns true if the message was parsed successfully, otherwise false.
static std::vector<unsigned char> formatAuthenticateMessage(const AuthenticateMessage& message); static std::vector<unsigned char> formatAuthenticateMessage(const AuthenticateMessage& message);
/// Creates the NTLM Type 1 Authenticate message used for initiating NTLM authentication from the client. /// Creates the NTLM Type 3 Authenticate message used for sending the response to the challenge.
static void readBufferDesc(Poco::BinaryReader& reader, BufferDesc& desc); static void readBufferDesc(Poco::BinaryReader& reader, BufferDesc& desc);
/// Reads a buffer descriptor. /// Reads a buffer descriptor.

1
Net/include/Poco/Net/SMTPClientSession.h
View File

@@ -192,6 +192,7 @@ private:
void sendCommands(const MailMessage& message, const Recipients* pRecipients = 0); void sendCommands(const MailMessage& message, const Recipients* pRecipients = 0);
void transportMessage(const MailMessage& message); void transportMessage(const MailMessage& message);
std::string _host;
DialogSocket _socket; DialogSocket _socket;
bool _isOpen; bool _isOpen;
}; };

83
Net/include/Poco/Net/SSPINTLMCredentials.h Normal file
View File

@@ -0,0 +1,83 @@
//
// SSPINTLMCredentials.h
//
// Library: Net
// Package: NTLM
// Module: SSPINTLMCredentials
//
// Definition of the SSPINTLMCredentials class.
//
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier: BSL-1.0
//
#include "Poco/Net/Net.h"
#include <vector>
#ifndef Net_SSPINTLMCredentials_INCLUDED
#define Net_SSPINTLMCredentials_INCLUDED
#include "Poco/Net/Net.h"
#include "Poco/Net/NTLMCredentials.h"
#include "Poco/SharedPtr.h"
namespace Poco {
namespace Net {
struct NTLMContextImpl;
class NTLMContext
/// An opaque context class for working with SSPI NTLM authentication.
{
public:
~NTLMContext();
protected:
NTLMContext(NTLMContextImpl* pImpl);
private:
NTLMContextImpl* _pImpl;
NTLMContext();
NTLMContext(const NTLMContext&);
NTLMContext& operator = (const NTLMContext&);
friend class SSPINTLMProvider;
};
class Net_API SSPINTLMCredentials
/// Support for NTLM authentication using credentials of the currently
/// logged in user via SSPI.
{
public:
static bool available();
/// Returns true if SSPI NTLM support is available.
static Poco::SharedPtr<NTLMContext> createNTLMContext(const std::string& host, const std::string& service);
/// Creates an NTLMContext structure for use with negotiate()
/// and authenticate().
static std::vector<unsigned char> negotiate(NTLMContext& context);
/// Creates the NTLM Type 1 Negotiate message used for initiating NTLM authentication from the client.
static std::vector<unsigned char> authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge);
/// Creates the NTLM Type 3 Authenticate message used for sending the response to the challenge.
static const std::string SERVICE_HTTP;
static const std::string SERVICE_SMTP;
};
} } // namespace Poco::Net
#endif // Net_SSPINTLMCredentials_INCLUDED

1
Net/src/HTTPClientSession.cpp
View File

@@ -475,6 +475,7 @@ void HTTPClientSession::proxyAuthenticateImpl(HTTPRequest& request, const ProxyC
{ {
_proxyNTLMCreds.setUsername(proxyConfig.username); _proxyNTLMCreds.setUsername(proxyConfig.username);
_proxyNTLMCreds.setPassword(proxyConfig.password); _proxyNTLMCreds.setPassword(proxyConfig.password);
_proxyNTLMCreds.setHost(proxyConfig.host);
proxyAuthenticateNTLM(request); proxyAuthenticateNTLM(request);
_ntlmProxyAuthenticated = true; _ntlmProxyAuthenticated = true;
} }

5
Net/src/HTTPCredentials.cpp
View File

@@ -67,6 +67,7 @@ void HTTPCredentials::fromURI(const URI& uri)
extractCredentials(uri, username, password); extractCredentials(uri, username, password);
setUsername(username); setUsername(username);
setPassword(password); setPassword(password);
setHost(uri.getHost());
_digest.reset(); _digest.reset();
} }
@@ -89,6 +90,10 @@ void HTTPCredentials::authenticate(HTTPRequest& request, const HTTPResponse& res
{ {
_ntlm.setUsername(_digest.getUsername()); _ntlm.setUsername(_digest.getUsername());
_ntlm.setPassword(_digest.getPassword()); _ntlm.setPassword(_digest.getPassword());
if (_ntlm.getHost().empty())
{
_ntlm.setHost(request.getHost());
}
_ntlm.authenticate(request, iter->second.substr(5)); _ntlm.authenticate(request, iter->second.substr(5));
return; return;
} }

85
Net/src/HTTPNTLMCredentials.cpp
View File

@@ -64,6 +64,12 @@ void HTTPNTLMCredentials::setPassword(const std::string& password)
} }
void HTTPNTLMCredentials::setHost(const std::string& host)
{
_host = host;
}
void HTTPNTLMCredentials::authenticate(HTTPRequest& request, const HTTPResponse& response) void HTTPNTLMCredentials::authenticate(HTTPRequest& request, const HTTPResponse& response)
{ {
HTTPAuthenticationParams params(response); HTTPAuthenticationParams params(response);
@@ -108,45 +114,62 @@ std::string HTTPNTLMCredentials::createNTLMMessage(const std::string& responseAu
{ {
if (responseAuthParams.empty()) if (responseAuthParams.empty())
{ {
NTLMCredentials::NegotiateMessage negotiateMsg; std::vector<unsigned char> negotiateBuf;
std::string username; if (useSSPINTLM())
NTLMCredentials::splitUsername(_username, username, negotiateMsg.domain); {
std::vector<unsigned char> negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg); _pNTLMContext = SSPINTLMCredentials::createNTLMContext(_host, SSPINTLMCredentials::SERVICE_HTTP);
negotiateBuf = SSPINTLMCredentials::negotiate(*_pNTLMContext);
}
else
{
NTLMCredentials::NegotiateMessage negotiateMsg;
std::string username;
NTLMCredentials::splitUsername(_username, username, negotiateMsg.domain);
negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
}
return NTLMCredentials::toBase64(negotiateBuf); return NTLMCredentials::toBase64(negotiateBuf);
} }
else else
{ {
std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(responseAuthParams); std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(responseAuthParams);
if (buffer.empty()) throw HTTPException("Invalid NTLM challenge"); if (buffer.empty()) throw HTTPException("Invalid NTLM challenge");
NTLMCredentials::ChallengeMessage challengeMsg; std::vector<unsigned char> authenticateBuf;
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg)) if (useSSPINTLM() && _pNTLMContext)
{ {
if ((challengeMsg.flags & NTLMCredentials::NTLM_FLAG_NEGOTIATE_NTLM2_KEY) == 0) authenticateBuf = SSPINTLMCredentials::authenticate(*_pNTLMContext, buffer);
{
throw HTTPException("Proxy does not support NTLMv2 authentication");
}
std::string username;
std::string domain;
NTLMCredentials::splitUsername(_username, username, domain);
NTLMCredentials::AuthenticateMessage authenticateMsg;
authenticateMsg.flags = challengeMsg.flags;
authenticateMsg.target = challengeMsg.target;
authenticateMsg.username = username;
std::vector<unsigned char> lmNonce = NTLMCredentials::createNonce();
std::vector<unsigned char> ntlmNonce = NTLMCredentials::createNonce();
Poco::UInt64 timestamp = NTLMCredentials::createTimestamp();
std::vector<unsigned char> ntlm2Hash = NTLMCredentials::createNTLMv2Hash(username, challengeMsg.target, _password);
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
std::vector<unsigned char> authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
return NTLMCredentials::toBase64(authenticateBuf);
} }
else throw HTTPException("Invalid NTLM challenge"); else
{
NTLMCredentials::ChallengeMessage challengeMsg;
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg))
{
if ((challengeMsg.flags & NTLMCredentials::NTLM_FLAG_NEGOTIATE_NTLM2_KEY) == 0)
{
throw HTTPException("Proxy does not support NTLMv2 authentication");
}
std::string username;
std::string domain;
NTLMCredentials::splitUsername(_username, username, domain);
NTLMCredentials::AuthenticateMessage authenticateMsg;
authenticateMsg.flags = challengeMsg.flags;
authenticateMsg.target = challengeMsg.target;
authenticateMsg.username = username;
std::vector<unsigned char> lmNonce = NTLMCredentials::createNonce();
std::vector<unsigned char> ntlmNonce = NTLMCredentials::createNonce();
Poco::UInt64 timestamp = NTLMCredentials::createTimestamp();
std::vector<unsigned char> ntlm2Hash = NTLMCredentials::createNTLMv2Hash(username, challengeMsg.target, _password);
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
}
else throw HTTPException("Invalid NTLM challenge");
}
return NTLMCredentials::toBase64(authenticateBuf);
} }
} }

7
Net/src/NTLMCredentials.cpp
View File

@@ -2,7 +2,7 @@
// NTLMCredentials.cpp // NTLMCredentials.cpp
// //
// Library: Net // Library: Net
// Package: HTTP // Package: NTLM
// Module: NTLMCredentials // Module: NTLMCredentials
// //
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH. // Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
@@ -138,7 +138,10 @@ std::vector<unsigned char> NTLMCredentials::createNTLMv2Response(const std::vect
writer << timestamp; writer << timestamp;
writer.writeRaw(reinterpret_cast<const char*>(&nonce[0]), nonce.size()); writer.writeRaw(reinterpret_cast<const char*>(&nonce[0]), nonce.size());
writer << Poco::UInt32(0); writer << Poco::UInt32(0);
writer.writeRaw(reinterpret_cast<const char*>(&targetInfo[0]), targetInfo.size()); if (targetInfo.size() > 0)
{
writer.writeRaw(reinterpret_cast<const char*>(&targetInfo[0]), targetInfo.size());
}
writer << Poco::UInt32(0); writer << Poco::UInt32(0);
poco_assert_dbg (blobStream.charsWritten() == blob.size() - 16); poco_assert_dbg (blobStream.charsWritten() == blob.size() - 16);

78
Net/src/SMTPClientSession.cpp
View File

@@ -21,6 +21,7 @@
#include "Poco/Net/NetException.h" #include "Poco/Net/NetException.h"
#include "Poco/Net/NetworkInterface.h" #include "Poco/Net/NetworkInterface.h"
#include "Poco/Net/NTLMCredentials.h" #include "Poco/Net/NTLMCredentials.h"
#include "Poco/Net/SSPINTLMCredentials.h"
#include "Poco/Environment.h" #include "Poco/Environment.h"
#include "Poco/HMACEngine.h" #include "Poco/HMACEngine.h"
#include "Poco/MD5Engine.h" #include "Poco/MD5Engine.h"
@@ -58,6 +59,7 @@ SMTPClientSession::SMTPClientSession(const StreamSocket& socket):
SMTPClientSession::SMTPClientSession(const std::string& host, Poco::UInt16 port): SMTPClientSession::SMTPClientSession(const std::string& host, Poco::UInt16 port):
_host(host),
_socket(SocketAddress(host, port)), _socket(SocketAddress(host, port)),
_isOpen(false) _isOpen(false)
{ {
@@ -243,46 +245,62 @@ void SMTPClientSession::loginUsingNTLM(const std::string& username, const std::s
// [MS-SMTPNTLM]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension // [MS-SMTPNTLM]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smtpntlm/50c668f6-5ffc-4616-96df-b5a3f4b3311d // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smtpntlm/50c668f6-5ffc-4616-96df-b5a3f4b3311d
NTLMCredentials::NegotiateMessage negotiateMsg;
std::string user; std::string user;
std::string domain; std::string domain;
NTLMCredentials::splitUsername(username, user, domain); std::vector<unsigned char> negotiateBuf;
negotiateMsg.domain = domain; Poco::SharedPtr<NTLMContext> pNTLMContext;
std::vector<unsigned char> negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg); if (username.empty() && password.empty() && !_host.empty() && SSPINTLMCredentials::available())
{
pNTLMContext = SSPINTLMCredentials::createNTLMContext(_host, SSPINTLMCredentials::SERVICE_SMTP);
negotiateBuf = SSPINTLMCredentials::negotiate(*pNTLMContext);
}
else
{
NTLMCredentials::NegotiateMessage negotiateMsg;
NTLMCredentials::splitUsername(username, user, domain);
negotiateMsg.domain = domain;
negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
}
std::string response; std::string response;
int status = sendCommand("AUTH NTLM", NTLMCredentials::toBase64(negotiateBuf), response); int status = sendCommand("AUTH NTLM", NTLMCredentials::toBase64(negotiateBuf), response);
if (status == 334) if (status == 334)
{ {
std::vector<unsigned char> authenticateBuf;
std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(response.substr(4)); std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(response.substr(4));
if (buffer.empty()) throw SMTPException("Invalid NTLM challenge"); if (buffer.empty()) throw SMTPException("Invalid NTLM challenge");
NTLMCredentials::ChallengeMessage challengeMsg; if (pNTLMContext)
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg))
{ {
if ((challengeMsg.flags & NTLMCredentials::NTLM_FLAG_NEGOTIATE_NTLM2_KEY) == 0) authenticateBuf = SSPINTLMCredentials::authenticate(*pNTLMContext, buffer);
{
throw SMTPException("Server does not support NTLMv2 authentication");
}
NTLMCredentials::AuthenticateMessage authenticateMsg;
authenticateMsg.flags = challengeMsg.flags;
authenticateMsg.target = challengeMsg.target;
authenticateMsg.username = user;
std::vector<unsigned char> lmNonce = NTLMCredentials::createNonce();
std::vector<unsigned char> ntlmNonce = NTLMCredentials::createNonce();
Poco::UInt64 timestamp = NTLMCredentials::createTimestamp();
std::vector<unsigned char> ntlm2Hash = NTLMCredentials::createNTLMv2Hash(user, challengeMsg.target, password);
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
std::vector<unsigned char> authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
status = sendCommand(NTLMCredentials::toBase64(authenticateBuf), response);
if (status != 235) throw SMTPException("NTLM authentication failed", response, status);
} }
else throw SMTPException("Invalid NTLM challenge"); else
{
NTLMCredentials::ChallengeMessage challengeMsg;
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg))
{
if ((challengeMsg.flags & NTLMCredentials::NTLM_FLAG_NEGOTIATE_NTLM2_KEY) == 0)
{
throw SMTPException("Server does not support NTLMv2 authentication");
}
NTLMCredentials::AuthenticateMessage authenticateMsg;
authenticateMsg.flags = challengeMsg.flags;
authenticateMsg.target = challengeMsg.target;
authenticateMsg.username = user;
std::vector<unsigned char> lmNonce = NTLMCredentials::createNonce();
std::vector<unsigned char> ntlmNonce = NTLMCredentials::createNonce();
Poco::UInt64 timestamp = NTLMCredentials::createTimestamp();
std::vector<unsigned char> ntlm2Hash = NTLMCredentials::createNTLMv2Hash(user, challengeMsg.target, password);
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
}
else throw SMTPException("Invalid NTLM challenge");
}
status = sendCommand(NTLMCredentials::toBase64(authenticateBuf), response);
if (status != 235) throw SMTPException("NTLM authentication failed", response, status);
} }
else throw SMTPException("Server does not support NTLM authentication"); else throw SMTPException("Server does not support NTLM authentication");
} }

307
Net/src/SSPINTLMCredentials.cpp Normal file
View File

@@ -0,0 +1,307 @@
//
// SSPINTLMCredentials.cpp
//
// Library: Net
// Package: NTLM
// Module: SSPINTLMCredentials
//
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier: BSL-1.0
//
#include "Poco/Net/SSPINTLMCredentials.h"
#if POCO_OS == POCO_OS_WINDOWS_NT
#include "Poco/SharedLibrary.h"
#include "Poco/SingletonHolder.h"
#include "Poco/UnicodeConverter.h"
#include <vector>
#define SECURITY_WIN32
#include <security.h>
namespace Poco {
namespace Net {
const std::string SSPINTLMCredentials::SERVICE_HTTP("HTTP");
const std::string SSPINTLMCredentials::SERVICE_SMTP("SMTP");
struct NTLMContextImpl
{
NTLMContextImpl():
maxTokenSize(0)
{
SecInvalidateHandle(&credentials);
SecInvalidateHandle(&context);
}
std::size_t maxTokenSize;
CredHandle credentials;
CtxtHandle context;
std::wstring spn;
};
class SSPINTLMProvider
{
public:
SSPINTLMProvider():
_securityLib("security.dll"),
_pSecFunTable(0)
{
InitSecurityInterfaceW pInitSecurityInterface = reinterpret_cast<InitSecurityInterfaceW>(_securityLib.getSymbol("InitSecurityInterfaceW"));
if (pInitSecurityInterface)
{
_pSecFunTable = pInitSecurityInterface();
}
if (!_pSecFunTable) throw Poco::SystemException("Failed to initialize SSPI");
}
~SSPINTLMProvider()
{
}
bool available()
{
PSecPkgInfoW pSecPkgInfo;
SECURITY_STATUS status = _pSecFunTable->QuerySecurityPackageInfoW(L"NTLM", &pSecPkgInfo);
if (status == SEC_E_OK)
{
_pSecFunTable->FreeContextBuffer(pSecPkgInfo);
return true;
}
else return false;
}
Poco::SharedPtr<NTLMContext> createNTLMContext(const std::string& host, const std::string& service)
{
PSecPkgInfoW pSecPkgInfo;
SECURITY_STATUS status = _pSecFunTable->QuerySecurityPackageInfoW(L"NTLM", &pSecPkgInfo);
if (status != SEC_E_OK) throw Poco::SystemException("NTLM SSPI not available", status);
std::size_t maxTokenSize = pSecPkgInfo->cbMaxToken;
_pSecFunTable->FreeContextBuffer(pSecPkgInfo);
Poco::SharedPtr<NTLMContext> pContext = new NTLMContext(new NTLMContextImpl);
pContext->_pImpl->maxTokenSize = maxTokenSize;
TimeStamp expiry;
status = _pSecFunTable->AcquireCredentialsHandleW(
NULL,
L"NTLM",
SECPKG_CRED_OUTBOUND,
NULL,
NULL,
NULL,
NULL,
&pContext->_pImpl->credentials,
&expiry);
if (status != SEC_E_OK) throw Poco::SystemException("Failed to acquire NTLM credentials", status);
std::string spn = service;
spn += '/';
spn += host;
Poco::UnicodeConverter::convert(spn, pContext->_pImpl->spn);
return pContext;
}
std::vector<unsigned char> negotiate(NTLMContext& context)
{
std::vector<unsigned char> buffer(context._pImpl->maxTokenSize);
SecBuffer msgBuffer;
msgBuffer.BufferType = SECBUFFER_TOKEN;
msgBuffer.pvBuffer = &buffer[0];
msgBuffer.cbBuffer = buffer.size();
SecBufferDesc msgBufferDesc;
msgBufferDesc.ulVersion = SECBUFFER_VERSION;
msgBufferDesc.cBuffers = 1;
msgBufferDesc.pBuffers = &msgBuffer;
unsigned long attrs;
TimeStamp expiry;
SECURITY_STATUS status = _pSecFunTable->InitializeSecurityContextW(
&context._pImpl->credentials,
NULL,
const_cast<SEC_WCHAR*>(context._pImpl->spn.c_str()),
0,
0,
SECURITY_NETWORK_DREP,
NULL,
0,
&context._pImpl->context,
&msgBufferDesc,
&attrs,
&expiry);
if (status == SEC_I_COMPLETE_NEEDED || status == SEC_I_COMPLETE_AND_CONTINUE)
{
_pSecFunTable->CompleteAuthToken(&context._pImpl->context, &msgBufferDesc);
}
else if (status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
{
throw Poco::SystemException("Failed to initialize NTLM security context", status);
}
buffer.resize(msgBuffer.cbBuffer);
return buffer;
}
std::vector<unsigned char> authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge)
{
std::vector<unsigned char> response(context._pImpl->maxTokenSize);
SecBuffer responseBuffer;
responseBuffer.BufferType = SECBUFFER_TOKEN;
responseBuffer.pvBuffer = &response[0];
responseBuffer.cbBuffer = response.size();
SecBufferDesc responseBufferDesc;
responseBufferDesc.ulVersion = SECBUFFER_VERSION;
responseBufferDesc.cBuffers = 1;
responseBufferDesc.pBuffers = &responseBuffer;
SecBuffer challengeBuffer;
challengeBuffer.BufferType = SECBUFFER_TOKEN;
challengeBuffer.pvBuffer = const_cast<unsigned char*>(&challenge[0]);
challengeBuffer.cbBuffer = challenge.size();
SecBufferDesc challengeBufferDesc;
challengeBufferDesc.ulVersion = SECBUFFER_VERSION;
challengeBufferDesc.cBuffers = 1;
challengeBufferDesc.pBuffers = &challengeBuffer;
unsigned long attrs;
TimeStamp expiry;
SECURITY_STATUS status = _pSecFunTable->InitializeSecurityContextW(
&context._pImpl->credentials,
&context._pImpl->context,
const_cast<SEC_WCHAR*>(context._pImpl->spn.c_str()),
0,
0,
SECURITY_NETWORK_DREP,
&challengeBufferDesc,
0,
&context._pImpl->context,
&responseBufferDesc,
&attrs,
&expiry);
if (status != SEC_E_OK)
{
throw Poco::SystemException("Failed to create NTLM authenticate message", status);
}
response.resize(responseBuffer.cbBuffer);
return response;
}
void clearNTLMContext(NTLMContext& ctx)
{
if (SecIsValidHandle(&ctx._pImpl->context))
{
_pSecFunTable->DeleteSecurityContext(&ctx._pImpl->context);
}
if (SecIsValidHandle(&ctx._pImpl->credentials))
{
_pSecFunTable->FreeCredentialsHandle(&ctx._pImpl->credentials);
}
}
static SSPINTLMProvider& instance();
private:
typedef PSecurityFunctionTableW(APIENTRY *InitSecurityInterfaceW)(VOID);
Poco::SharedLibrary _securityLib;
PSecurityFunctionTableW _pSecFunTable;
};
namespace
{
static Poco::SingletonHolder<SSPINTLMProvider> sspintlmProviderHolder;
}
SSPINTLMProvider& SSPINTLMProvider::instance()
{
return *sspintlmProviderHolder.get();
}
NTLMContext::NTLMContext(NTLMContextImpl* pImpl):
_pImpl(pImpl)
{
}
NTLMContext::~NTLMContext()
{
SSPINTLMProvider::instance().clearNTLMContext(*this);
delete _pImpl;
}
#endif // POCO_OS == POCO_OS_WINDOWS_NT
bool SSPINTLMCredentials::available()
{
#if POCO_OS == POCO_OS_WINDOWS_NT
try
{
return SSPINTLMProvider::instance().available();
}
catch (...)
{
return false;
}
#else
return false;
#endif
}
Poco::SharedPtr<NTLMContext> SSPINTLMCredentials::createNTLMContext(const std::string& workstation, const std::string& service)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().createNTLMContext(workstation, service);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::createNTLMContext() is only available on Windows");
#endif
}
std::vector<unsigned char> SSPINTLMCredentials::negotiate(NTLMContext& context)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().negotiate(context);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::negotiate() is only available on Windows");
#endif
}
std::vector<unsigned char> SSPINTLMCredentials::authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().authenticate(context, challenge);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::authenticate() is only available on Windows");
#endif
}
} } // namespace Poco::Net