generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-10-28 19:51:58 +01:00
Code Issues Projects Releases Wiki Activity

added support for SSPI-based NTLM authentication using the credentials of the currently logged in Windows user (Windows only)

Browse Source
This commit is contained in:
Günter Obiltschnig
2019-05-15 15:43:37 +02:00
parent e1435a6620
commit e821a2a9f1
11 changed files with 553 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
Net/include/Poco/Net/HTTPCredentials.h
View File

@@ -103,6 +103,14 @@ public:
const std::string& getPassword() const;
/// Returns the password.
void setHost(const std::string& host);
/// Sets the target host. Only used for SSPI-based NTLM authentication using
/// the credentials of the currently logged-in user on Windows.
const std::string& getHost() const;
/// Returns the target host. Only used for SSPI-based NTLM authentication using
/// the credentials of the currently logged-in user on Windows.
void authenticate(HTTPRequest& request, const HTTPResponse& response);
/// Inspects WWW-Authenticate header of the response, initializes
/// the internal state (in case of digest authentication) and
@@ -196,6 +204,18 @@ inline const std::string& HTTPCredentials::getPassword() const
}
inline void HTTPCredentials::setHost(const std::string& host)
{
_ntlm.setHost(host);
}
inline const std::string& HTTPCredentials::getHost() const
{
return _ntlm.getHost();
}
} } // namespace Poco::Net

27
Net/include/Poco/Net/HTTPNTLMCredentials.h
View File

@@ -19,6 +19,7 @@
#include "Poco/Net/Net.h"
#include "Poco/Net/SSPINTLMCredentials.h"
#include <vector>
@@ -42,6 +43,9 @@ public:
HTTPNTLMCredentials(const std::string& username, const std::string& password);
/// Creates a HTTPNTLMCredentials object with the given username and password.
HTTPNTLMCredentials(const std::string& username, const std::string& password, const std::string& host);
/// Creates a HTTPNTLMCredentials object with the given username, password and target host.
~HTTPNTLMCredentials();
/// Destroys the HTTPNTLMCredentials.
@@ -60,6 +64,14 @@ public:
const std::string& getPassword() const;
/// Returns the password.
void setHost(const std::string& host);
/// Sets the target host.\
///
/// Used for SSPI-based NTLM authentication only.
const std::string& getHost() const;
/// Returns the target host.
void authenticate(HTTPRequest& request, const HTTPResponse& response);
/// Parses WWW-Authenticate header of the HTTPResponse, initializes
/// internal state, and adds authentication information to the given HTTPRequest.
@@ -101,9 +113,12 @@ private:
HTTPNTLMCredentials& operator = (const HTTPNTLMCredentials&);
std::string createNTLMMessage(const std::string& ntlmChallengeBase64);
bool useSSPINTLM() const;
std::string _username;
std::string _password;
std::string _host;
Poco::SharedPtr<NTLMContext> _pNTLMContext;
};
@@ -122,6 +137,18 @@ inline const std::string& HTTPNTLMCredentials::getPassword() const
}
inline const std::string& HTTPNTLMCredentials::getHost() const
{
return _host;
}
inline bool HTTPNTLMCredentials::useSSPINTLM() const
{
return _username.empty() && _password.empty() && SSPINTLMCredentials::available();
}
} } // namespace Poco::Net

4
Net/include/Poco/Net/NTLMCredentials.h
View File

@@ -2,7 +2,7 @@
// NTLMCredentials.h
//
// Library: Net
// Package: HTTP
// Package: NTLM
// Module: NTLMCredentials
//
// Definition of the NTLMCredentials class.
@@ -152,7 +152,7 @@ public:
/// Returns true if the message was parsed successfully, otherwise false.
static std::vector<unsigned char> formatAuthenticateMessage(const AuthenticateMessage& message);
/// Creates the NTLM Type 1 Authenticate message used for initiating NTLM authentication from the client.
/// Creates the NTLM Type 3 Authenticate message used for sending the response to the challenge.
static void readBufferDesc(Poco::BinaryReader& reader, BufferDesc& desc);
/// Reads a buffer descriptor.

1
Net/include/Poco/Net/SMTPClientSession.h
View File

@@ -192,6 +192,7 @@ private:
void sendCommands(const MailMessage& message, const Recipients* pRecipients = 0);
void transportMessage(const MailMessage& message);
std::string _host;
DialogSocket _socket;
bool _isOpen;
};

83
Net/include/Poco/Net/SSPINTLMCredentials.h Normal file
View File

@@ -0,0 +1,83 @@
//
// SSPINTLMCredentials.h
//
// Library: Net
// Package: NTLM
// Module: SSPINTLMCredentials
//
// Definition of the SSPINTLMCredentials class.
//
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier: BSL-1.0
//
#include "Poco/Net/Net.h"
#include <vector>
#ifndef Net_SSPINTLMCredentials_INCLUDED
#define Net_SSPINTLMCredentials_INCLUDED
#include "Poco/Net/Net.h"
#include "Poco/Net/NTLMCredentials.h"
#include "Poco/SharedPtr.h"
namespace Poco {
namespace Net {
struct NTLMContextImpl;
class NTLMContext
/// An opaque context class for working with SSPI NTLM authentication.
{
public:
~NTLMContext();
protected:
NTLMContext(NTLMContextImpl* pImpl);
private:
NTLMContextImpl* _pImpl;
NTLMContext();
NTLMContext(const NTLMContext&);
NTLMContext& operator = (const NTLMContext&);
friend class SSPINTLMProvider;
};
class Net_API SSPINTLMCredentials
/// Support for NTLM authentication using credentials of the currently
/// logged in user via SSPI.
{
public:
static bool available();
/// Returns true if SSPI NTLM support is available.
static Poco::SharedPtr<NTLMContext> createNTLMContext(const std::string& host, const std::string& service);
/// Creates an NTLMContext structure for use with negotiate()
/// and authenticate().
static std::vector<unsigned char> negotiate(NTLMContext& context);
/// Creates the NTLM Type 1 Negotiate message used for initiating NTLM authentication from the client.
static std::vector<unsigned char> authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge);
/// Creates the NTLM Type 3 Authenticate message used for sending the response to the challenge.
static const std::string SERVICE_HTTP;
static const std::string SERVICE_SMTP;
};
} } // namespace Poco::Net
#endif // Net_SSPINTLMCredentials_INCLUDED

1
Net/src/HTTPClientSession.cpp
View File

@@ -475,6 +475,7 @@ void HTTPClientSession::proxyAuthenticateImpl(HTTPRequest& request, const ProxyC
{
_proxyNTLMCreds.setUsername(proxyConfig.username);
_proxyNTLMCreds.setPassword(proxyConfig.password);
_proxyNTLMCreds.setHost(proxyConfig.host);
proxyAuthenticateNTLM(request);
_ntlmProxyAuthenticated = true;
}

5
Net/src/HTTPCredentials.cpp
View File

@@ -67,6 +67,7 @@ void HTTPCredentials::fromURI(const URI& uri)
extractCredentials(uri, username, password);
setUsername(username);
setPassword(password);
setHost(uri.getHost());
_digest.reset();
}
@@ -89,6 +90,10 @@ void HTTPCredentials::authenticate(HTTPRequest& request, const HTTPResponse& res
{
_ntlm.setUsername(_digest.getUsername());
_ntlm.setPassword(_digest.getPassword());
if (_ntlm.getHost().empty())
{
_ntlm.setHost(request.getHost());
}
_ntlm.authenticate(request, iter->second.substr(5));
return;
}

29
Net/src/HTTPNTLMCredentials.cpp
View File

@@ -64,6 +64,12 @@ void HTTPNTLMCredentials::setPassword(const std::string& password)
}
void HTTPNTLMCredentials::setHost(const std::string& host)
{
_host = host;
}
void HTTPNTLMCredentials::authenticate(HTTPRequest& request, const HTTPResponse& response)
{
HTTPAuthenticationParams params(response);
@@ -107,17 +113,33 @@ void HTTPNTLMCredentials::updateProxyAuthInfo(HTTPRequest& request)
std::string HTTPNTLMCredentials::createNTLMMessage(const std::string& responseAuthParams)
{
if (responseAuthParams.empty())
{
std::vector<unsigned char> negotiateBuf;
if (useSSPINTLM())
{
_pNTLMContext = SSPINTLMCredentials::createNTLMContext(_host, SSPINTLMCredentials::SERVICE_HTTP);
negotiateBuf = SSPINTLMCredentials::negotiate(*_pNTLMContext);
}
else
{
NTLMCredentials::NegotiateMessage negotiateMsg;
std::string username;
NTLMCredentials::splitUsername(_username, username, negotiateMsg.domain);
std::vector<unsigned char> negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
}
return NTLMCredentials::toBase64(negotiateBuf);
}
else
{
std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(responseAuthParams);
if (buffer.empty()) throw HTTPException("Invalid NTLM challenge");
std::vector<unsigned char> authenticateBuf;
if (useSSPINTLM() && _pNTLMContext)
{
authenticateBuf = SSPINTLMCredentials::authenticate(*_pNTLMContext, buffer);
}
else
{
NTLMCredentials::ChallengeMessage challengeMsg;
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg))
{
@@ -143,11 +165,12 @@ std::string HTTPNTLMCredentials::createNTLMMessage(const std::string& responseAu
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
std::vector<unsigned char> authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
return NTLMCredentials::toBase64(authenticateBuf);
authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
}
else throw HTTPException("Invalid NTLM challenge");
}
return NTLMCredentials::toBase64(authenticateBuf);
}
}

5
Net/src/NTLMCredentials.cpp
View File

@@ -2,7 +2,7 @@
// NTLMCredentials.cpp
//
// Library: Net
// Package: HTTP
// Package: NTLM
// Module: NTLMCredentials
//
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
@@ -138,7 +138,10 @@ std::vector<unsigned char> NTLMCredentials::createNTLMv2Response(const std::vect
writer << timestamp;
writer.writeRaw(reinterpret_cast<const char*>(&nonce[0]), nonce.size());
writer << Poco::UInt32(0);
if (targetInfo.size() > 0)
{
writer.writeRaw(reinterpret_cast<const char*>(&targetInfo[0]), targetInfo.size());
}
writer << Poco::UInt32(0);
poco_assert_dbg (blobStream.charsWritten() == blob.size() - 16);

32
Net/src/SMTPClientSession.cpp
View File

@@ -21,6 +21,7 @@
#include "Poco/Net/NetException.h"
#include "Poco/Net/NetworkInterface.h"
#include "Poco/Net/NTLMCredentials.h"
#include "Poco/Net/SSPINTLMCredentials.h"
#include "Poco/Environment.h"
#include "Poco/HMACEngine.h"
#include "Poco/MD5Engine.h"
@@ -58,6 +59,7 @@ SMTPClientSession::SMTPClientSession(const StreamSocket& socket):
SMTPClientSession::SMTPClientSession(const std::string& host, Poco::UInt16 port):
_host(host),
_socket(SocketAddress(host, port)),
_isOpen(false)
{
@@ -243,19 +245,35 @@ void SMTPClientSession::loginUsingNTLM(const std::string& username, const std::s
// [MS-SMTPNTLM]: NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smtpntlm/50c668f6-5ffc-4616-96df-b5a3f4b3311d
NTLMCredentials::NegotiateMessage negotiateMsg;
std::string user;
std::string domain;
std::vector<unsigned char> negotiateBuf;
Poco::SharedPtr<NTLMContext> pNTLMContext;
if (username.empty() && password.empty() && !_host.empty() && SSPINTLMCredentials::available())
{
pNTLMContext = SSPINTLMCredentials::createNTLMContext(_host, SSPINTLMCredentials::SERVICE_SMTP);
negotiateBuf = SSPINTLMCredentials::negotiate(*pNTLMContext);
}
else
{
NTLMCredentials::NegotiateMessage negotiateMsg;
NTLMCredentials::splitUsername(username, user, domain);
negotiateMsg.domain = domain;
std::vector<unsigned char> negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
negotiateBuf = NTLMCredentials::formatNegotiateMessage(negotiateMsg);
}
std::string response;
int status = sendCommand("AUTH NTLM", NTLMCredentials::toBase64(negotiateBuf), response);
if (status == 334)
{
std::vector<unsigned char> authenticateBuf;
std::vector<unsigned char> buffer = NTLMCredentials::fromBase64(response.substr(4));
if (buffer.empty()) throw SMTPException("Invalid NTLM challenge");
if (pNTLMContext)
{
authenticateBuf = SSPINTLMCredentials::authenticate(*pNTLMContext, buffer);
}
else
{
NTLMCredentials::ChallengeMessage challengeMsg;
if (NTLMCredentials::parseChallengeMessage(&buffer[0], buffer.size(), challengeMsg))
{
@@ -277,13 +295,13 @@ void SMTPClientSession::loginUsingNTLM(const std::string& username, const std::s
authenticateMsg.lmResponse = NTLMCredentials::createLMv2Response(ntlm2Hash, challengeMsg.challenge, lmNonce);
authenticateMsg.ntlmResponse = NTLMCredentials::createNTLMv2Response(ntlm2Hash, challengeMsg.challenge, ntlmNonce, challengeMsg.targetInfo, timestamp);
std::vector<unsigned char> authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
status = sendCommand(NTLMCredentials::toBase64(authenticateBuf), response);
if (status != 235) throw SMTPException("NTLM authentication failed", response, status);
authenticateBuf = NTLMCredentials::formatAuthenticateMessage(authenticateMsg);
}
else throw SMTPException("Invalid NTLM challenge");
}
status = sendCommand(NTLMCredentials::toBase64(authenticateBuf), response);
if (status != 235) throw SMTPException("NTLM authentication failed", response, status);
}
else throw SMTPException("Server does not support NTLM authentication");
}

307
Net/src/SSPINTLMCredentials.cpp Normal file
View File

@@ -0,0 +1,307 @@
//
// SSPINTLMCredentials.cpp
//
// Library: Net
// Package: NTLM
// Module: SSPINTLMCredentials
//
// Copyright (c) 2019, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier: BSL-1.0
//
#include "Poco/Net/SSPINTLMCredentials.h"
#if POCO_OS == POCO_OS_WINDOWS_NT
#include "Poco/SharedLibrary.h"
#include "Poco/SingletonHolder.h"
#include "Poco/UnicodeConverter.h"
#include <vector>
#define SECURITY_WIN32
#include <security.h>
namespace Poco {
namespace Net {
const std::string SSPINTLMCredentials::SERVICE_HTTP("HTTP");
const std::string SSPINTLMCredentials::SERVICE_SMTP("SMTP");
struct NTLMContextImpl
{
NTLMContextImpl():
maxTokenSize(0)
{
SecInvalidateHandle(&credentials);
SecInvalidateHandle(&context);
}
std::size_t maxTokenSize;
CredHandle credentials;
CtxtHandle context;
std::wstring spn;
};
class SSPINTLMProvider
{
public:
SSPINTLMProvider():
_securityLib("security.dll"),
_pSecFunTable(0)
{
InitSecurityInterfaceW pInitSecurityInterface = reinterpret_cast<InitSecurityInterfaceW>(_securityLib.getSymbol("InitSecurityInterfaceW"));
if (pInitSecurityInterface)
{
_pSecFunTable = pInitSecurityInterface();
}
if (!_pSecFunTable) throw Poco::SystemException("Failed to initialize SSPI");
}
~SSPINTLMProvider()
{
}
bool available()
{
PSecPkgInfoW pSecPkgInfo;
SECURITY_STATUS status = _pSecFunTable->QuerySecurityPackageInfoW(L"NTLM", &pSecPkgInfo);
if (status == SEC_E_OK)
{
_pSecFunTable->FreeContextBuffer(pSecPkgInfo);
return true;
}
else return false;
}
Poco::SharedPtr<NTLMContext> createNTLMContext(const std::string& host, const std::string& service)
{
PSecPkgInfoW pSecPkgInfo;
SECURITY_STATUS status = _pSecFunTable->QuerySecurityPackageInfoW(L"NTLM", &pSecPkgInfo);
if (status != SEC_E_OK) throw Poco::SystemException("NTLM SSPI not available", status);
std::size_t maxTokenSize = pSecPkgInfo->cbMaxToken;
_pSecFunTable->FreeContextBuffer(pSecPkgInfo);
Poco::SharedPtr<NTLMContext> pContext = new NTLMContext(new NTLMContextImpl);
pContext->_pImpl->maxTokenSize = maxTokenSize;
TimeStamp expiry;
status = _pSecFunTable->AcquireCredentialsHandleW(
NULL,
L"NTLM",
SECPKG_CRED_OUTBOUND,
NULL,
NULL,
NULL,
NULL,
&pContext->_pImpl->credentials,
&expiry);
if (status != SEC_E_OK) throw Poco::SystemException("Failed to acquire NTLM credentials", status);
std::string spn = service;
spn += '/';
spn += host;
Poco::UnicodeConverter::convert(spn, pContext->_pImpl->spn);
return pContext;
}
std::vector<unsigned char> negotiate(NTLMContext& context)
{
std::vector<unsigned char> buffer(context._pImpl->maxTokenSize);
SecBuffer msgBuffer;
msgBuffer.BufferType = SECBUFFER_TOKEN;
msgBuffer.pvBuffer = &buffer[0];
msgBuffer.cbBuffer = buffer.size();
SecBufferDesc msgBufferDesc;
msgBufferDesc.ulVersion = SECBUFFER_VERSION;
msgBufferDesc.cBuffers = 1;
msgBufferDesc.pBuffers = &msgBuffer;
unsigned long attrs;
TimeStamp expiry;
SECURITY_STATUS status = _pSecFunTable->InitializeSecurityContextW(
&context._pImpl->credentials,
NULL,
const_cast<SEC_WCHAR*>(context._pImpl->spn.c_str()),
0,
0,
SECURITY_NETWORK_DREP,
NULL,
0,
&context._pImpl->context,
&msgBufferDesc,
&attrs,
&expiry);
if (status == SEC_I_COMPLETE_NEEDED || status == SEC_I_COMPLETE_AND_CONTINUE)
{
_pSecFunTable->CompleteAuthToken(&context._pImpl->context, &msgBufferDesc);
}
else if (status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED)
{
throw Poco::SystemException("Failed to initialize NTLM security context", status);
}
buffer.resize(msgBuffer.cbBuffer);
return buffer;
}
std::vector<unsigned char> authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge)
{
std::vector<unsigned char> response(context._pImpl->maxTokenSize);
SecBuffer responseBuffer;
responseBuffer.BufferType = SECBUFFER_TOKEN;
responseBuffer.pvBuffer = &response[0];
responseBuffer.cbBuffer = response.size();
SecBufferDesc responseBufferDesc;
responseBufferDesc.ulVersion = SECBUFFER_VERSION;
responseBufferDesc.cBuffers = 1;
responseBufferDesc.pBuffers = &responseBuffer;
SecBuffer challengeBuffer;
challengeBuffer.BufferType = SECBUFFER_TOKEN;
challengeBuffer.pvBuffer = const_cast<unsigned char*>(&challenge[0]);
challengeBuffer.cbBuffer = challenge.size();
SecBufferDesc challengeBufferDesc;
challengeBufferDesc.ulVersion = SECBUFFER_VERSION;
challengeBufferDesc.cBuffers = 1;
challengeBufferDesc.pBuffers = &challengeBuffer;
unsigned long attrs;
TimeStamp expiry;
SECURITY_STATUS status = _pSecFunTable->InitializeSecurityContextW(
&context._pImpl->credentials,
&context._pImpl->context,
const_cast<SEC_WCHAR*>(context._pImpl->spn.c_str()),
0,
0,
SECURITY_NETWORK_DREP,
&challengeBufferDesc,
0,
&context._pImpl->context,
&responseBufferDesc,
&attrs,
&expiry);
if (status != SEC_E_OK)
{
throw Poco::SystemException("Failed to create NTLM authenticate message", status);
}
response.resize(responseBuffer.cbBuffer);
return response;
}
void clearNTLMContext(NTLMContext& ctx)
{
if (SecIsValidHandle(&ctx._pImpl->context))
{
_pSecFunTable->DeleteSecurityContext(&ctx._pImpl->context);
}
if (SecIsValidHandle(&ctx._pImpl->credentials))
{
_pSecFunTable->FreeCredentialsHandle(&ctx._pImpl->credentials);
}
}
static SSPINTLMProvider& instance();
private:
typedef PSecurityFunctionTableW(APIENTRY *InitSecurityInterfaceW)(VOID);
Poco::SharedLibrary _securityLib;
PSecurityFunctionTableW _pSecFunTable;
};
namespace
{
static Poco::SingletonHolder<SSPINTLMProvider> sspintlmProviderHolder;
}
SSPINTLMProvider& SSPINTLMProvider::instance()
{
return *sspintlmProviderHolder.get();
}
NTLMContext::NTLMContext(NTLMContextImpl* pImpl):
_pImpl(pImpl)
{
}
NTLMContext::~NTLMContext()
{
SSPINTLMProvider::instance().clearNTLMContext(*this);
delete _pImpl;
}
#endif // POCO_OS == POCO_OS_WINDOWS_NT
bool SSPINTLMCredentials::available()
{
#if POCO_OS == POCO_OS_WINDOWS_NT
try
{
return SSPINTLMProvider::instance().available();
}
catch (...)
{
return false;
}
#else
return false;
#endif
}
Poco::SharedPtr<NTLMContext> SSPINTLMCredentials::createNTLMContext(const std::string& workstation, const std::string& service)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().createNTLMContext(workstation, service);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::createNTLMContext() is only available on Windows");
#endif
}
std::vector<unsigned char> SSPINTLMCredentials::negotiate(NTLMContext& context)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().negotiate(context);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::negotiate() is only available on Windows");
#endif
}
std::vector<unsigned char> SSPINTLMCredentials::authenticate(NTLMContext& context, const std::vector<unsigned char>& challenge)
{
#if POCO_OS == POCO_OS_WINDOWS_NT
return SSPINTLMProvider::instance().authenticate(context, challenge);
#else
throw Poco::NotImplementedException("SSPINTLMCredentials::authenticate() is only available on Windows");
#endif
}
} } // namespace Poco::Net