geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Made modifications to switch the client to communicate with ATSs over SSL. Still need to make changes to the linux rpc.c to have all of the necessary changes completed.

Browse Source 
Also made a fix to allow credential store scoping all the way into the authentication mechanisms.
This commit is contained in:
Juan Carlos Luciani 2006-11-02 03:49:16 +00:00
parent 920c9c5dff
commit c99e319a3a
16 changed files with 814 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CASA-auth-token/non-java/client/authmech.c
View File

@ -249,6 +249,7 @@ GetAuthTokenIf(
CasaStatus CasaStatus
GetAuthMechToken( GetAuthMechToken(
IN AuthContext *pAuthContext, IN AuthContext *pAuthContext,
IN void *pCredStoreScope,
INOUT char **ppAuthToken) INOUT char **ppAuthToken)
// //
// Arguments: // Arguments:
@ -285,6 +286,7 @@ GetAuthMechToken(
retStatus = pAuthTokenIf->getAuthToken(pAuthTokenIf, retStatus = pAuthTokenIf->getAuthToken(pAuthTokenIf,
pAuthContext->pContext, pAuthContext->pContext,
pAuthContext->pMechInfo, pAuthContext->pMechInfo,
pCredStoreScope,
pAuthToken, pAuthToken,
&authTokenBufLen); &authTokenBufLen);
if (CasaStatusCode(retStatus) == CASA_STATUS_BUFFER_OVERFLOW) if (CasaStatusCode(retStatus) == CASA_STATUS_BUFFER_OVERFLOW)
@ -297,6 +299,7 @@ GetAuthMechToken(
retStatus = pAuthTokenIf->getAuthToken(pAuthTokenIf, retStatus = pAuthTokenIf->getAuthToken(pAuthTokenIf,
pAuthContext->pContext, pAuthContext->pContext,
pAuthContext->pMechInfo, pAuthContext->pMechInfo,
pCredStoreScope,
pAuthToken, pAuthToken,
&authTokenBufLen); &authTokenBufLen);
if (CASA_SUCCESS(retStatus)) if (CASA_SUCCESS(retStatus))

64
CASA-auth-token/non-java/client/client.conf
View File

@ -25,24 +25,62 @@
# Description: Used to configure the port utilized by the # Description: Used to configure the port utilized by the
# ATS to listen for connections. # ATS to listen for connections.
# #
# If this parameter is not set, the client # If this parameter is not set ....
# assummes that the ATS is listening for
# connections on port 443 if configured to
# use SSL, otherwise it assumes that it is
# listening for connections on port 80.
# #
ATS-port 8080 #ATS-port 2645
# #
# UseSSL setting. # DisableSecureConnections setting.
# #
# Description: Used to specify that communications to the ATS # Description: Used to disable the use of secure connections (SSL) between
# should occur over SSL to ensure security. # the Client and ATSs.
# #
# If this parameter is not set, the client # If this parameter is not set to true, the client
# defaults to using SSL when communicating with # defaults to communicating securedly with ATSs.
#
# Security Note: Disabling secure connections allows
# malicious users/processes to view confidential
# information such as username/passwords and to tamper
# with client-ATS communications without being detected.
# You should not disable secure connections unless you are
# trying to debug the authentication token infrastructure.
#
#DisableSecureConnections false
#
# AllowInvalidCerts setting.
#
# Description: Used to specify that the client should ignore
# invalid certificates presented by ATSs when
# performing SSL communications.
#
# If this parameter is not set to true, the client defaults
# to not ignoring invalid certificates presented by ATSs.
# ATSs. # ATSs.
# #
UseSSL false # Security Note: Ignoring invalid certificates downgrades the
# security of your infrastructure by allowing a malicious
# process to impersonate an ATS and obtain information that
# is confidential such as username and passwords.
#
AllowInvalidCerts true
#
# UsersCannotAllowInvalidCerts setting.
#
# Description: Used to specify that the client should not allow users to
# decide that invalid certificates presented by ATSs should be
# ignored.
#
# If this parameter is not set to true, the client defaults
# to allow users to choose whether or not invalid certificates
# presented by ATSs.
#
# If this parameter is set to true then users are not consulted
# when an invalid server certificate is received and communications
# between the client and the ATS fail.
#
# Note: This parameter has no effect if the setting AllowInvalidCerts
# is set to true.
#
#UsersCannotAllowInvalidCerts true

92
CASA-auth-token/non-java/client/engine.c
View File

@ -47,9 +47,9 @@ int DebugLevel = 0;
// Operating parameter // Operating parameter
// //
bool g_bInitialized = false; bool g_bInitialized = false;
bool g_secureRpcSetting = true; long g_rpcFlags = SECURE_RPC_FLAG | ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG;
char *g_pATSHostName = NULL; char *g_pATSHostName = NULL;
uint16_t g_ATSPort = 443; // Default HTTPS uint16_t g_ATSPort = 2645;
//++======================================================================= //++=======================================================================
@ -138,7 +138,9 @@ ObtainSessionToken(
int respLen; int respLen;
// Get authentication mechanism token // Get authentication mechanism token
retStatus = GetAuthMechToken(pAuthContext, &pAuthMechToken); retStatus = GetAuthMechToken(pAuthContext,
pCredStoreScope,
&pAuthMechToken);
if (!CASA_SUCCESS(retStatus)) if (!CASA_SUCCESS(retStatus))
{ {
// We were not able to obtain an authentication mechanism token // We were not able to obtain an authentication mechanism token
@ -156,7 +158,7 @@ ObtainSessionToken(
// Issue rpc // Issue rpc
retStatus = Rpc(pRpcSession, retStatus = Rpc(pRpcSession,
"Authenticate", "Authenticate",
g_secureRpcSetting, g_rpcFlags,
pReqMsg, pReqMsg,
&pRespMsg, &pRespMsg,
&respLen); &respLen);
@ -307,7 +309,7 @@ ObtainAuthTokenFromServer(
// Issue rpc // Issue rpc
retStatus = Rpc(pRpcSession, retStatus = Rpc(pRpcSession,
"GetAuthPolicy", "GetAuthPolicy",
g_secureRpcSetting, g_rpcFlags,
pReqMsg, pReqMsg,
&pRespMsg, &pRespMsg,
&respLen); &respLen);
@ -342,7 +344,7 @@ ObtainAuthTokenFromServer(
// Issue rpc // Issue rpc
retStatus = Rpc(pRpcSession, retStatus = Rpc(pRpcSession,
"GetAuthToken", "GetAuthToken",
g_secureRpcSetting, g_rpcFlags,
pReqMsg, pReqMsg,
&pRespMsg, &pRespMsg,
&respLen); &respLen);
@ -733,7 +735,9 @@ InitializeLibrary(void)
int getConfigStatus = -1; int getConfigStatus = -1;
ConfigIf *pClientConfigIf; ConfigIf *pClientConfigIf;
char *pATSPortSetting; char *pATSPortSetting;
char *pUseSSLSetting; char *pDisableSecureConnections;
char *pAllowInvalidCerts;
char *pUsersCannotAllowInvalidCerts;
DbgTrace(1, "-InitializeLibrary- Start\n", 0); DbgTrace(1, "-InitializeLibrary- Start\n", 0);
@ -748,37 +752,85 @@ InitializeLibrary(void)
g_pATSHostName = pClientConfigIf->getEntryValue(pClientConfigIf, "ATS-hostname"); g_pATSHostName = pClientConfigIf->getEntryValue(pClientConfigIf, "ATS-hostname");
if (g_pATSHostName != NULL) if (g_pATSHostName != NULL)
{ {
DbgTrace(0, "-InitializeLibrary- ATS hostname %s configured\n", g_pATSHostName); DbgTrace(0, "-InitializeLibrary- ATS hostname configured = %s\n", g_pATSHostName);
} }
// Check if the UseSSL setting has been configured // Check if the DisableSecureConnections setting has been configured
pUseSSLSetting = pClientConfigIf->getEntryValue(pClientConfigIf, "UseSSL"); pDisableSecureConnections = pClientConfigIf->getEntryValue(pClientConfigIf, "DisableSecureConnections");
if (pUseSSLSetting != NULL) if (pDisableSecureConnections != NULL)
{ {
DbgTrace(0, "-InitializeLibrary- UseSSL setting %s configured\n", pUseSSLSetting); DbgTrace(0, "-InitializeLibrary- DisableSecureConnections setting configured = %s\n", pDisableSecureConnections);
// Set the g_secureRpcSetting variable based on the setting // Adjust the g_rpcFlags variable based on the setting
if (stricmp(pUseSSLSetting, "false") == 0) if (stricmp(pDisableSecureConnections, "true") == 0)
{ {
g_secureRpcSetting = false; g_rpcFlags &= ~SECURE_RPC_FLAG;
// Change the default ATS port to 80 from 443 // Change the default ATS port to 80 from 443
g_ATSPort = 80; g_ATSPort = 80;
} }
else if (stricmp(pUseSSLSetting, "true") == 0) else if (stricmp(pDisableSecureConnections, "false") == 0)
{ {
g_secureRpcSetting = true; g_rpcFlags |= SECURE_RPC_FLAG;
} }
// Free the buffer holding the UseSSL setting // Free the buffer holding the DisableSecureConnections setting
free(pUseSSLSetting); free(pDisableSecureConnections);
}
// Check the AllowInvalidCerts setting if using secure connections
if (g_rpcFlags & SECURE_RPC_FLAG)
{
// Check if the AllowInvalidCerts setting has been configured
pAllowInvalidCerts = pClientConfigIf->getEntryValue(pClientConfigIf, "AllowInvalidCerts");
if (pAllowInvalidCerts != NULL)
{
DbgTrace(0, "-InitializeLibrary- AllowInvalidCerts setting configured = %s\n", pAllowInvalidCerts);
// Adjust the g_rpcFlags variable based on the setting
if (stricmp(pAllowInvalidCerts, "false") == 0)
{
g_rpcFlags &= ~ALLOW_INVALID_CERTS_RPC_FLAG;
}
else if (stricmp(pAllowInvalidCerts, "true") == 0)
{
g_rpcFlags |= ALLOW_INVALID_CERTS_RPC_FLAG;
}
// Free the buffer holding the AllowInvalidCerts setting
free(pAllowInvalidCerts);
}
// Check the UsersCannotAllowInvalidCerts setting if not allowing invalid certs.
if ((g_rpcFlags & ALLOW_INVALID_CERTS_RPC_FLAG) == 0)
{
// Check if the UsersCannotAllowInvalidCerts setting has been configured
pUsersCannotAllowInvalidCerts = pClientConfigIf->getEntryValue(pClientConfigIf, "UsersCannotAllowInvalidCerts");
if (pUsersCannotAllowInvalidCerts != NULL)
{
DbgTrace(0, "-InitializeLibrary- UsersCannotAllowInvalidCerts setting configured = %s\n", pUsersCannotAllowInvalidCerts);
// Adjust the g_rpcFlags variable based on the setting
if (stricmp(pUsersCannotAllowInvalidCerts, "false") == 0)
{
g_rpcFlags |= ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG;
}
else if (stricmp(pUsersCannotAllowInvalidCerts, "true") == 0)
{
g_rpcFlags &= ~ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG;
}
// Free the buffer holding the UsersCannotAllowInvalidCerts setting
free(pUsersCannotAllowInvalidCerts);
}
}
} }
// Check if an ATS port number has been configured // Check if an ATS port number has been configured
pATSPortSetting = pClientConfigIf->getEntryValue(pClientConfigIf, "ATS-port"); pATSPortSetting = pClientConfigIf->getEntryValue(pClientConfigIf, "ATS-port");
if (pATSPortSetting != NULL) if (pATSPortSetting != NULL)
{ {
DbgTrace(0, "-InitializeLibrary- ATS port number %s configured\n", pATSPortSetting); DbgTrace(0, "-InitializeLibrary- ATS port number configured = %s\n", pATSPortSetting);
// Convert the number to hex // Convert the number to hex
g_ATSPort = (int) dtoul(pATSPortSetting, strlen(pATSPortSetting)); g_ATSPort = (int) dtoul(pATSPortSetting, strlen(pATSPortSetting));

35
CASA-auth-token/non-java/client/internal.h
View File

@ -149,6 +149,7 @@ extern
CasaStatus CasaStatus
GetAuthMechToken( GetAuthMechToken(
IN AuthContext *pAuthContext, IN AuthContext *pAuthContext,
IN void *pCredStoreScope,
INOUT char **ppAuthMechToken); INOUT char **ppAuthMechToken);
// //
@ -358,12 +359,16 @@ void
CloseRpcSession( CloseRpcSession(
IN RpcSession *pSession); IN RpcSession *pSession);
#define SECURE_RPC_FLAG 1
#define ALLOW_INVALID_CERTS_RPC_FLAG 2
#define ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG 4
extern extern
CasaStatus CasaStatus
Rpc( Rpc(
IN RpcSession *pSession, IN RpcSession *pSession,
IN char *pMethod, IN char *pMethod,
IN bool secure, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen); INOUT int *pResponseDataLen);
@ -373,7 +378,7 @@ CasaStatus
InitializeRpc(void); InitializeRpc(void);
// //
// Defined in utils.c // Functions exported by utils.c
// //
extern extern
@ -398,6 +403,32 @@ dtoul(
IN const char *cp, IN const char *cp,
IN const int len); IN const int len);
//
// Functions exported by invalidcert.c
//
extern
bool
InvalidCertsFromHostAllowed(
IN char *pHostName);
extern
void
AllowInvalidCertsFromHost(
IN char *pHostName);
#define INVALID_CERT_CA_FLAG 1
#define INVALID_CERT_CN_FLAG 2
#define INVALID_CERT_DATE_FLAG 4
extern
bool
UserApprovedCert(
IN char *pHostName,
IN char *pCertSubject,
IN char *pCertIssuer,
IN long invalidCertFlags);
//========================================================================= //=========================================================================

140
CASA-auth-token/non-java/client/invalidcert.c Normal file
View File

@ -0,0 +1,140 @@
/***********************************************************************
*
* Copyright (C) 2006 Novell, Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, Novell, Inc.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
*
* Author: Juan Carlos Luciani <jluciani@novell.com>
*
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
//++=======================================================================
bool
InvalidCertsFromHostAllowed(
IN char *pHostName)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L0
//=======================================================================--
{
bool retStatus = false;
DbgTrace(2, "-InvalidCertsFromHostAllowed- Start\n", 0);
// tbd
DbgTrace(2, "-InvalidCertsFromHostAllowed- End, retStatus = %0X\n", retStatus);
return retStatus;
}
//++=======================================================================
void
AllowInvalidCertsFromHost(
IN char *pHostName)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L0
//=======================================================================--
{
bool retStatus = true;
DbgTrace(2, "-AllowInvalidCertsFromHost- Start\n", 0);
// tbd
DbgTrace(2, "-AllowInvalidCertsFromHost- End\n", 0);
}
//++=======================================================================
bool
UserApprovedCert(
IN char *pHostName,
IN char *pCertSubject,
IN char *pCertIssuer,
IN long invalidCertFlags)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L0
//=======================================================================--
{
bool retStatus = false;
DbgTrace(2, "-UserApprovedCert- Start\n", 0);
// tbd
if (invalidCertFlags & INVALID_CERT_CN_FLAG)
{
DbgTrace(0, "-UserApprovedCert- Invalid Cert from Host = %s\n", pHostName);
}
if (invalidCertFlags & INVALID_CERT_CA_FLAG)
{
DbgTrace(0, "-UserApprovedCert- Invalid CA in Cert from Host = %s\n", pHostName);
}
if (invalidCertFlags & INVALID_CERT_DATE_FLAG)
{
DbgTrace(0, "-UserApprovedCert- Invalid DATE in Cert from Host = %s\n", pHostName);
}
DbgTrace(0, "-UserApprovedCert- Approving Invalid Cert from Host = %s\n", pHostName);
DbgTrace(0, "-UserApprovedCert- Invalid Cert Subject = %s\n", pCertSubject);
DbgTrace(0, "-UserApprovedCert- Invalid Cert Issuer = %s\n", pCertIssuer);
DbgTrace(2, "-UserApprovedCert- End, retStatus = %0X\n", retStatus);
return retStatus;
}
//++=======================================================================
//++=======================================================================
//++=======================================================================

8
CASA-auth-token/non-java/client/linux/rpc.c
View File

@ -294,7 +294,7 @@ CasaStatus
InternalRpc( InternalRpc(
IN RpcSession *pSession, IN RpcSession *pSession,
IN char *pMethod, IN char *pMethod,
IN bool secure, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT int *pResponseDataLen)
@ -324,7 +324,7 @@ InternalRpc(
*pResponseDataLen = 0; *pResponseDataLen = 0;
// Setup the URL using the input parameters // Setup the URL using the input parameters
if (secure) if (flags & SECURE_RPC_FLAG)
{ {
pPartialUrl = pSession->pPartialHttpsUrl; pPartialUrl = pSession->pPartialHttpsUrl;
partialUrlLen = pSession->partialHttpsUrlLen; partialUrlLen = pSession->partialHttpsUrlLen;
@ -449,7 +449,7 @@ CasaStatus
Rpc( Rpc(
IN RpcSession *pSession, IN RpcSession *pSession,
IN char *pMethod, IN char *pMethod,
IN bool secure, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT int *pResponseDataLen)
@ -476,7 +476,7 @@ Rpc(
// Issue the RPC // Issue the RPC
retStatus = InternalRpc(pSession, retStatus = InternalRpc(pSession,
pMethod, pMethod,
secure, flags,
pRequestData, pRequestData,
ppResponseData, ppResponseData,
pResponseDataLen); pResponseDataLen);

10
CASA-auth-token/non-java/client/mech_if.h
View File

@ -88,6 +88,7 @@ CasaStatus
IN const void *pIfInstance, IN const void *pIfInstance,
IN const char *pContext, IN const char *pContext,
IN const char *pMechInfo, IN const char *pMechInfo,
IN void *pCredStoreScope,
INOUT char *pTokenBuf, INOUT char *pTokenBuf,
INOUT int *pTokenBufLen); INOUT int *pTokenBufLen);
// //
@ -95,10 +96,6 @@ CasaStatus
// pIfInstance - // pIfInstance -
// Pointer to interface object. // Pointer to interface object.
// //
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pContext - // pContext -
// Pointer to null terminated string containing mechanism specific // Pointer to null terminated string containing mechanism specific
// context information. Another name for context is Authentication // context information. Another name for context is Authentication
@ -112,6 +109,11 @@ CasaStatus
// may be the service principal name to which the user will be // may be the service principal name to which the user will be
// authenticating. // authenticating.
// //
// pCredStoreScope -
// Pointer to CASA structure for scoping credential store access
// to specific users. This can only be leveraged when running in
// the context of System under Windows.
//
// pTokenBuf - // pTokenBuf -
// Pointer to buffer that will receive the authentication // Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the // token. The length of this buffer is specified by the

1
CASA-auth-token/non-java/client/mechanisms/krb5/internal.h
View File

@ -57,6 +57,7 @@ AuthTokenIf_GetAuthToken(
IN const void *pIfInstance, IN const void *pIfInstance,
IN const char *pContext, IN const char *pContext,
IN const char *pMechInfo, IN const char *pMechInfo,
IN void *pCredStoreScope,
INOUT char *pTokenBuf, INOUT char *pTokenBuf,
INOUT int *pTokenBufLen); INOUT int *pTokenBufLen);

10
CASA-auth-token/non-java/client/mechanisms/krb5/windows/get.c
View File

@ -40,6 +40,7 @@ AuthTokenIf_GetAuthToken(
IN const void *pIfInstance, IN const void *pIfInstance,
IN const char *pContext, IN const char *pContext,
IN const char *pMechInfo, IN const char *pMechInfo,
IN void *pCredStoreScope,
INOUT char *pTokenBuf, INOUT char *pTokenBuf,
INOUT int *pTokenBufLen) INOUT int *pTokenBufLen)
// //
@ -47,10 +48,6 @@ AuthTokenIf_GetAuthToken(
// pIfInstance - // pIfInstance -
// Pointer to interface object. // Pointer to interface object.
// //
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pContext - // pContext -
// Pointer to null terminated string containing mechanism specific // Pointer to null terminated string containing mechanism specific
// context information. Another name for context is Authentication // context information. Another name for context is Authentication
@ -64,6 +61,11 @@ AuthTokenIf_GetAuthToken(
// may be the service principal name to which the user will be // may be the service principal name to which the user will be
// authenticating. // authenticating.
// //
// pCredStoreScope -
// Pointer to CASA structure for scoping credential store access
// to specific users. This can only be leveraged when running in
// the context of System under Windows.
//
// pTokenBuf - // pTokenBuf -
// Pointer to buffer that will receive the authentication // Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the // token. The length of this buffer is specified by the

25
CASA-auth-token/non-java/client/mechanisms/pwd/get.c
View File

@ -39,6 +39,7 @@ static
CasaStatus CasaStatus
GetUserCredentials( GetUserCredentials(
IN const char *pRealm, IN const char *pRealm,
IN void *pCredStoreScope,
INOUT char **ppUsername, INOUT char **ppUsername,
INOUT char **ppPassword) INOUT char **ppPassword)
// //
@ -46,6 +47,11 @@ GetUserCredentials(
// pRealm - // pRealm -
// The realm to which the credentials apply. // The realm to which the credentials apply.
// //
// pCredStoreScope -
// Pointer to CASA structure for scoping credential store access
// to specific users. This can only be leveraged when running in
// the context of System under Windows.
//
// ppUsername - // ppUsername -
// Pointer to variable that will receive buffer with the username. // Pointer to variable that will receive buffer with the username.
// //
@ -94,7 +100,7 @@ GetUserCredentials(
NULL, NULL,
&credtype, &credtype,
&credential, &credential,
(SSCS_EXT_T*) NULL); (SSCS_EXT_T*) pCredStoreScope);
if (rcode != NSSCS_SUCCESS) if (rcode != NSSCS_SUCCESS)
{ {
// There were no credentials for the realm, now try to obtain the // There were no credentials for the realm, now try to obtain the
@ -106,7 +112,7 @@ GetUserCredentials(
NULL, NULL,
&credtype, &credtype,
&credential, &credential,
(SSCS_EXT_T*) NULL); (SSCS_EXT_T*) pCredStoreScope);
} }
} }
else else
@ -184,6 +190,7 @@ AuthTokenIf_GetAuthToken(
IN const void *pIfInstance, IN const void *pIfInstance,
IN const char *pContext, IN const char *pContext,
IN const char *pMechInfo, IN const char *pMechInfo,
IN void *pCredStoreScope,
INOUT char *pTokenBuf, INOUT char *pTokenBuf,
INOUT int *pTokenBufLen) INOUT int *pTokenBufLen)
// //
@ -191,10 +198,6 @@ AuthTokenIf_GetAuthToken(
// pIfInstance - // pIfInstance -
// Pointer to interface object. // Pointer to interface object.
// //
// pServiceConfigIf -
// Pointer to service config object to which the client is trying to
// authenticate.
//
// pContext - // pContext -
// Pointer to null terminated string containing mechanism specific // Pointer to null terminated string containing mechanism specific
// context information. Another name for context is Authentication // context information. Another name for context is Authentication
@ -208,6 +211,11 @@ AuthTokenIf_GetAuthToken(
// may be the service principal name to which the user will be // may be the service principal name to which the user will be
// authenticating. // authenticating.
// //
// pCredStoreScope -
// Pointer to CASA structure for scoping credential store access
// to specific users. This can only be leveraged when running in
// the context of System under Windows.
//
// pTokenBuf - // pTokenBuf -
// Pointer to buffer that will receive the authentication // Pointer to buffer that will receive the authentication
// token. The length of this buffer is specified by the // token. The length of this buffer is specified by the
@ -255,7 +263,10 @@ AuthTokenIf_GetAuthToken(
} }
// Get the user credentials // Get the user credentials
retStatus = GetUserCredentials(pContext, &pUsername, &pPassword); retStatus = GetUserCredentials(pContext,
pCredStoreScope,
&pUsername,
&pPassword);
if (CASA_SUCCESS(retStatus)) if (CASA_SUCCESS(retStatus))
{ {
// Now construct the PW token with the following format: // Now construct the PW token with the following format:

1
CASA-auth-token/non-java/client/mechanisms/pwd/internal.h
View File

@ -59,6 +59,7 @@ AuthTokenIf_GetAuthToken(
IN const void *pIfInstance, IN const void *pIfInstance,
IN const char *pContext, IN const char *pContext,
IN const char *pMechInfo, IN const char *pMechInfo,
IN void *pCredStoreScope,
INOUT char *pTokenBuf, INOUT char *pTokenBuf,
INOUT int *pTokenBufLen); INOUT int *pTokenBufLen);

1
CASA-auth-token/non-java/client/windows/authtoken.def
View File

@ -7,4 +7,5 @@ EXPORTS
; DllUnregisterServer PRIVATE ; DllUnregisterServer PRIVATE
; DllGetClassObject PRIVATE ; DllGetClassObject PRIVATE
ObtainAuthToken PRIVATE ObtainAuthToken PRIVATE
ObtainAuthTokenEx PRIVATE
; DllCanUnloadNow PRIVATE ; DllCanUnloadNow PRIVATE

17
CASA-auth-token/non-java/client/windows/client.vcproj
View File

@ -21,7 +21,7 @@
Name="VCCLCompilerTool" Name="VCCLCompilerTool"
AdditionalOptions="/D &quot;XML_STATIC&quot;" AdditionalOptions="/D &quot;XML_STATIC&quot;"
Optimization="0" Optimization="0"
AdditionalIncludeDirectories=".;..\;..\..\include;&quot;C:\Dev\casa\CASA-auth-token\non-java\include\windows&quot;;&quot;\Program Files\novell\casa\include&quot;;&quot;C:\Dev\Expat-2.0.0\Source\lib&quot;" AdditionalIncludeDirectories=".;..\;..\..\include;..\..\include\windows;&quot;\Program Files\novell\casa\include&quot;;&quot;C:\Dev\Expat-2.0.0\Source\lib&quot;"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE" PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
MinimalRebuild="TRUE" MinimalRebuild="TRUE"
BasicRuntimeChecks="3" BasicRuntimeChecks="3"
@ -35,7 +35,7 @@
<Tool <Tool
Name="VCLinkerTool" Name="VCLinkerTool"
IgnoreImportLibrary="FALSE" IgnoreImportLibrary="FALSE"
AdditionalOptions="/EXPORT:ObtainAuthToken" AdditionalOptions="/EXPORT:ObtainAuthToken /EXPORT:ObtainAuthTokenEx"
AdditionalDependencies="ws2_32.lib winhttp.lib libexpatml.lib micasa.lib shlwapi.lib" AdditionalDependencies="ws2_32.lib winhttp.lib libexpatml.lib micasa.lib shlwapi.lib"
OutputFile="$(OutDir)/authtoken.dll" OutputFile="$(OutDir)/authtoken.dll"
LinkIncremental="1" LinkIncremental="1"
@ -53,7 +53,7 @@
mkdir \&quot;Program Files&quot;\novell\casa mkdir \&quot;Program Files&quot;\novell\casa
mkdir \&quot;Program Files&quot;\novell\casa\lib\ mkdir \&quot;Program Files&quot;\novell\casa\lib\
copy $(OutDir)\authtoken.dll \&quot;Program Files&quot;\novell\casa\lib\authtoken.dll copy $(OutDir)\authtoken.dll \&quot;Program Files&quot;\novell\casa\lib\authtoken.dll
copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novell\casa\lib\authtoken.lib copy $(SolutionDir)\client\windows\authtoken.lib \&quot;Program Files&quot;\novell\casa\lib\authtoken.lib
"/> "/>
<Tool <Tool
Name="VCPreBuildEventTool"/> Name="VCPreBuildEventTool"/>
@ -81,7 +81,7 @@ copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novel
<Tool <Tool
Name="VCCLCompilerTool" Name="VCCLCompilerTool"
AdditionalOptions="/D &quot;XML_STATIC&quot;" AdditionalOptions="/D &quot;XML_STATIC&quot;"
AdditionalIncludeDirectories=".;..\;..\..\include;&quot;C:\Dev\casa\CASA-auth-token\non-java\include\windows&quot;;&quot;\Program Files\novell\casa\include&quot;;&quot;C:\Dev\Expat-2.0.0\Source\lib&quot;" AdditionalIncludeDirectories=".;..\;..\..\include;..\..\include\windows;&quot;\Program Files\novell\casa\include&quot;;&quot;C:\Dev\Expat-2.0.0\Source\lib&quot;"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE" PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
RuntimeLibrary="4" RuntimeLibrary="4"
UsePrecompiledHeader="0" UsePrecompiledHeader="0"
@ -92,7 +92,7 @@ copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novel
Name="VCCustomBuildTool"/> Name="VCCustomBuildTool"/>
<Tool <Tool
Name="VCLinkerTool" Name="VCLinkerTool"
AdditionalOptions="/EXPORT:ObtainAuthToken" AdditionalOptions="/EXPORT:ObtainAuthToken /EXPORT:ObtainAuthTokenEx"
AdditionalDependencies="ws2_32.lib winhttp.lib libexpatml.lib micasa.lib shlwapi.lib" AdditionalDependencies="ws2_32.lib winhttp.lib libexpatml.lib micasa.lib shlwapi.lib"
OutputFile="$(OutDir)/authtoken.dll" OutputFile="$(OutDir)/authtoken.dll"
LinkIncremental="1" LinkIncremental="1"
@ -111,7 +111,7 @@ copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novel
mkdir \&quot;Program Files&quot;\novell\casa mkdir \&quot;Program Files&quot;\novell\casa
mkdir \&quot;Program Files&quot;\novell\casa\lib\ mkdir \&quot;Program Files&quot;\novell\casa\lib\
copy $(OutDir)\authtoken.dll \&quot;Program Files&quot;\novell\casa\lib\authtoken.dll copy $(OutDir)\authtoken.dll \&quot;Program Files&quot;\novell\casa\lib\authtoken.dll
copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novell\casa\lib\authtoken.lib copy $(SolutionDir)\client\windows\authtoken.lib \&quot;Program Files&quot;\novell\casa\lib\authtoken.lib
"/> "/>
<Tool <Tool
Name="VCPreBuildEventTool"/> Name="VCPreBuildEventTool"/>
@ -148,7 +148,7 @@ copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novel
RelativePath="..\authpolicy.c"> RelativePath="..\authpolicy.c">
</File> </File>
<File <File
RelativePath=".\win32\authtoken.def"> RelativePath=".\authtoken.def">
</File> </File>
<File <File
RelativePath="..\cache.c"> RelativePath="..\cache.c">
@ -171,6 +171,9 @@ copy $(SolutionDir)client\windows\authtoken.lib \&quot;Program Files&quot;\novel
<File <File
RelativePath="..\gettokenmsg.c"> RelativePath="..\gettokenmsg.c">
</File> </File>
<File
RelativePath="..\invalidcert.c">
</File>
<File <File
RelativePath=".\platform.c"> RelativePath=".\platform.c">
</File> </File>

1
CASA-auth-token/non-java/client/windows/platform.h
View File

@ -71,6 +71,7 @@ typedef struct _RpcSession
{ {
HINTERNET hSession; HINTERNET hSession;
HINTERNET hConnection; HINTERNET hConnection;
char *pHostName;
} RpcSession, *PRpcSession; } RpcSession, *PRpcSession;

584
CASA-auth-token/non-java/client/windows/rpc.c
View File

@ -94,6 +94,62 @@ CopyMultiToWideAlloc(
} }
//++=======================================================================
static
CasaStatus
CopyWideToMultiAlloc(
IN LPWSTR pWide,
IN int wideSize,
INOUT char **ppMulti,
INOUT int *pMultiSize)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L2
//=======================================================================--
{
int retStatus;
int size, i;
DbgTrace(2, "-CopyWideToMultiAlloc- Start\n", 0);
size = wideSize + 1;
if ((*ppMulti = malloc(size)) != NULL)
{
for (i = 0; i < wideSize; i++)
{
*(*ppMulti + i) = (char) *(pWide + i);
}
*(*ppMulti + i) = '\0';
if (pMultiSize)
{
*pMultiSize = size - 1;
}
retStatus = CASA_STATUS_SUCCESS;
}
else
{
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
DbgTrace(2, "-CopyWideToMultiAlloc- End, retStatus = %08X\n", retStatus);
return retStatus;
}
//++======================================================================= //++=======================================================================
RpcSession* RpcSession*
OpenRpcSession( OpenRpcSession(
@ -112,6 +168,7 @@ OpenRpcSession(
//=======================================================================-- //=======================================================================--
{ {
RpcSession *pSession; RpcSession *pSession;
bool success = false;
DbgTrace(1, "-OpenRpcSession- Start\n", 0); DbgTrace(1, "-OpenRpcSession- Start\n", 0);
@ -122,55 +179,60 @@ OpenRpcSession(
// Zero the session structure // Zero the session structure
memset(pSession, 0, sizeof(*pSession)); memset(pSession, 0, sizeof(*pSession));
// Open a Winhttp session // Save copy of the hostname
pSession->hSession = WinHttpOpen(L"CASA Client/1.0", pSession->pHostName = malloc(strlen(pHostName) + 1);
WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, if (pSession->pHostName)
WINHTTP_NO_PROXY_NAME,
WINHTTP_NO_PROXY_BYPASS,
0);
if (pSession->hSession)
{ {
LPWSTR pWideHostName; strcpy(pSession->pHostName, pHostName);
int wideHostLen;
// Session opened, now convert the host name to Unicode so that // Open a Winhttp session
// we can open a connection. pSession->hSession = WinHttpOpen(L"CASA Client/1.0",
if (CopyMultiToWideAlloc(pHostName, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
(int) strlen(pHostName), WINHTTP_NO_PROXY_NAME,
&pWideHostName, WINHTTP_NO_PROXY_BYPASS,
&wideHostLen) == CASA_STATUS_SUCCESS) 0);
if (pSession->hSession)
{ {
// Now open connection LPWSTR pWideHostName;
pSession->hConnection = WinHttpConnect(pSession->hSession, int wideHostLen;
pWideHostName,
hostPort, // Session opened, now convert the host name to Unicode so that
0); // we can open a connection.
if (pSession->hConnection == NULL) if (CopyMultiToWideAlloc(pHostName,
(int) strlen(pHostName),
&pWideHostName,
&wideHostLen) == CASA_STATUS_SUCCESS)
{ {
DbgTrace(0, "-OpenRpcSession- Failed to open connection, error = %d\n", GetLastError()); // Now open connection
pSession->hConnection = WinHttpConnect(pSession->hSession,
pWideHostName,
hostPort,
0);
if (pSession->hConnection == NULL)
{
DbgTrace(0, "-OpenRpcSession- Failed to open connection, error = %d\n", GetLastError());
}
else
{
success = true;
}
// Free allocated resources // Free the host name wide string buffer
WinHttpCloseHandle(pSession->hSession); free(pWideHostName);
free(pSession); }
pSession = NULL; else
{
DbgTrace(0, "-OpenRpcSession- Error converting host name to wide string\n", 0);
} }
// Free the host name wide string buffer
free(pWideHostName);
} }
else else
{ {
DbgTrace(0, "-OpenRpcSession- Error converting host name to wide string\n", 0); DbgTrace(0, "-OpenRpcSession- Failed to open session, error = %d\n", GetLastError());
// Free allocated resources
WinHttpCloseHandle(pSession->hSession);
free(pSession);
pSession = NULL;
} }
} }
else else
{ {
DbgTrace(0, "-OpenRpcSession- Failed to open session, error = %d\n", GetLastError()); DbgTrace(0, "-OpenRpcSession- Failed to allocate buffer for host name\n", 0);
} }
} }
else else
@ -178,6 +240,25 @@ OpenRpcSession(
DbgTrace(0, "-OpenRpcSession- Failed to allocate buffer for rpc session\n", 0); DbgTrace(0, "-OpenRpcSession- Failed to allocate buffer for rpc session\n", 0);
} }
// Clean up if we did not succeed
if (!success)
{
if (pSession)
{
if (pSession->hConnection)
WinHttpCloseHandle(pSession->hConnection);
if (pSession->hSession)
WinHttpCloseHandle(pSession->hSession);
if (pSession->pHostName)
free(pSession->pHostName);
free(pSession);
pSession = NULL;
}
}
DbgTrace(2, "-OpenRpcSession- End, pSession = %08X\n", pSession); DbgTrace(2, "-OpenRpcSession- End, pSession = %08X\n", pSession);
return pSession; return pSession;
@ -208,6 +289,10 @@ CloseRpcSession(
// Close the session handle // Close the session handle
WinHttpCloseHandle(pSession->hSession); WinHttpCloseHandle(pSession->hSession);
// Free hostname buffer if necessary
if (pSession->pHostName)
free(pSession->pHostName);
// Free the space allocated for the session // Free the space allocated for the session
free(pSession); free(pSession);
@ -215,13 +300,47 @@ CloseRpcSession(
} }
//++=======================================================================
static
void CALLBACK
SecureFailureStatusCallback(
IN HINTERNET hRequest,
IN DWORD *pContext,
IN DWORD internetStatus,
IN LPVOID pStatusInformation,
IN DWORD statusInformationLength)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L0
//=======================================================================--
{
DbgTrace(1, "-SecureFailureStatusCallback- Start\n", 0);
// Only deal with failures related to certificates
if (internetStatus == WINHTTP_CALLBACK_STATUS_SECURE_FAILURE)
{
// Save the specific failure status
*pContext = *(DWORD*) pStatusInformation;
}
DbgTrace(1, "-SecureFailureStatusCallback- End\n", 0);
}
//++======================================================================= //++=======================================================================
static static
CasaStatus CasaStatus
InternalRpc( InternalRpc(
IN RpcSession *pSession, IN RpcSession *pSession,
IN char *pMethod, IN char *pMethod,
IN bool secure, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT int *pResponseDataLen)
@ -237,11 +356,16 @@ InternalRpc(
// L2 // L2
//=======================================================================-- //=======================================================================--
{ {
#define CASA_STATUS_INVALID_SERVER_CERTIFICATE CASA_STATUS_UNSUCCESSFUL // temporary until casa_status.h is updated
CasaStatus retStatus = CASA_STATUS_SUCCESS; CasaStatus retStatus = CASA_STATUS_SUCCESS;
char rpcTarget[256]; char rpcTarget[256];
LPWSTR pWideRpcTarget; LPWSTR pWideRpcTarget;
int wideRpcTargetLen; int wideRpcTargetLen;
WCHAR sendHeaders[] = L"Content-Type: text/html"; WCHAR sendHeaders[] = L"Content-Type: text/html";
DWORD securityFailureStatusFlags;
int retriesAllowed = 1;
bool attemptRetry;
DbgTrace(1, "-InternalRpc- Start\n", 0); DbgTrace(1, "-InternalRpc- Start\n", 0);
@ -258,124 +382,172 @@ InternalRpc(
{ {
HINTERNET hRequest; HINTERNET hRequest;
// Open a request handle do
hRequest = WinHttpOpenRequest(pSession->hConnection,
L"POST",
pWideRpcTarget,
NULL,
WINHTTP_NO_REFERER,
WINHTTP_DEFAULT_ACCEPT_TYPES,
secure? WINHTTP_FLAG_REFRESH | WINHTTP_FLAG_SECURE : WINHTTP_FLAG_REFRESH);
if (hRequest)
{ {
int reqDataLen = (int) strlen(pRequestData); // Forget about having been told to retry
attemptRetry = false;
// Send the request // Open a request handle
if (WinHttpSendRequest(hRequest, hRequest = WinHttpOpenRequest(pSession->hConnection,
sendHeaders, L"POST",
-1, pWideRpcTarget,
pRequestData,
reqDataLen,
reqDataLen,
0))
{
// Request sent, now await for the response.
if (WinHttpReceiveResponse(hRequest, NULL))
{
WCHAR httpCompStatus[4] = {0};
DWORD httpCompStatusLen = sizeof(httpCompStatus);
// Response received, make sure that it completed successfully.
if (WinHttpQueryHeaders(hRequest,
WINHTTP_QUERY_STATUS_CODE,
NULL, NULL,
&httpCompStatus, WINHTTP_NO_REFERER,
&httpCompStatusLen, WINHTTP_DEFAULT_ACCEPT_TYPES,
WINHTTP_NO_HEADER_INDEX)) flags & SECURE_RPC_FLAG? WINHTTP_FLAG_REFRESH | WINHTTP_FLAG_SECURE : WINHTTP_FLAG_REFRESH);
if (hRequest)
{
int reqDataLen = (int) strlen(pRequestData);
// Check if we need to set options to deal with secure connections
if (flags & SECURE_RPC_FLAG)
{
// We are using secure connections, now proceed based on whether or not
// we are configured to allow invalid certificates.
if (flags & ALLOW_INVALID_CERTS_RPC_FLAG
|| (flags & ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG
&& InvalidCertsFromHostAllowed(pSession->pHostName)))
{ {
// Check that the request completed successfully DWORD secFlags = SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
if (memcmp(httpCompStatus, L"200", sizeof(httpCompStatus)) == 0)
// We are configured to allow invalid certificates, inform the HTTP stack.
if (WinHttpSetOption(hRequest,
WINHTTP_OPTION_SECURITY_FLAGS,
&secFlags,
sizeof(secFlags)) == FALSE)
{ {
char *pResponseData; DbgTrace(0, "-InternalRpc- Failed setting options to ignore invalid certs, error = %d\n", GetLastError());
int responseDataBufSize = INITIAL_RESPONSE_DATA_BUF_SIZE; }
int responseDataRead = 0; }
else
{
// We are not configured to allow invalid certificates, set a callback handler
// to detect invalid certificate conditions.
if (WinHttpSetStatusCallback(hRequest,
SecureFailureStatusCallback,
WINHTTP_CALLBACK_FLAG_SECURE_FAILURE,
(DWORD_PTR) NULL) == WINHTTP_INVALID_STATUS_CALLBACK)
{
DbgTrace(0, "-InternalRpc- Failed setting status callback, error = %d\n", GetLastError());
}
}
}
// Now read the response data, to do so we need to allocate a buffer. // Send the request
pResponseData = (char*) malloc(INITIAL_RESPONSE_DATA_BUF_SIZE); securityFailureStatusFlags = 0;
if (pResponseData) if (WinHttpSendRequest(hRequest,
sendHeaders,
-1,
pRequestData,
reqDataLen,
reqDataLen,
(DWORD_PTR) &securityFailureStatusFlags))
{
// Request sent, now await for the response.
if (WinHttpReceiveResponse(hRequest, NULL))
{
WCHAR httpCompStatus[4] = {0};
DWORD httpCompStatusLen = sizeof(httpCompStatus);
// Response received, make sure that it completed successfully.
if (WinHttpQueryHeaders(hRequest,
WINHTTP_QUERY_STATUS_CODE,
NULL,
&httpCompStatus,
&httpCompStatusLen,
WINHTTP_NO_HEADER_INDEX))
{
// Check that the request completed successfully
if (memcmp(httpCompStatus, L"200", sizeof(httpCompStatus)) == 0)
{ {
char *pCurrLocation = pResponseData; char *pResponseData;
DWORD bytesRead; int responseDataBufSize = INITIAL_RESPONSE_DATA_BUF_SIZE;
int responseDataRead = 0;
do // Now read the response data, to do so we need to allocate a buffer.
pResponseData = (char*) malloc(INITIAL_RESPONSE_DATA_BUF_SIZE);
if (pResponseData)
{ {
bytesRead = 0; char *pCurrLocation = pResponseData;
if (WinHttpReadData(hRequest, DWORD bytesRead;
(LPVOID) pCurrLocation,
responseDataBufSize - responseDataRead, do
&bytesRead))
{ {
pCurrLocation += bytesRead; bytesRead = 0;
responseDataRead += bytesRead; if (WinHttpReadData(hRequest,
(LPVOID) pCurrLocation,
// Check if we need to allocate a larger buffer responseDataBufSize - responseDataRead,
if (responseDataRead == responseDataBufSize) &bytesRead))
{ {
char *pTmpBuf; pCurrLocation += bytesRead;
responseDataRead += bytesRead;
// We need to upgrade the receive buffer // Check if we need to allocate a larger buffer
pTmpBuf = (char*) malloc(responseDataBufSize + INCREMENT_RESPONSE_DATA_BUF_SIZE); if (responseDataRead == responseDataBufSize)
if (pTmpBuf)
{ {
memcpy(pTmpBuf, pResponseData, responseDataBufSize); char *pTmpBuf;
free(pResponseData);
pResponseData = pTmpBuf; // We need to upgrade the receive buffer
pCurrLocation = pResponseData + responseDataBufSize; pTmpBuf = (char*) malloc(responseDataBufSize + INCREMENT_RESPONSE_DATA_BUF_SIZE);
responseDataBufSize += INCREMENT_RESPONSE_DATA_BUF_SIZE; if (pTmpBuf)
} {
else memcpy(pTmpBuf, pResponseData, responseDataBufSize);
{ free(pResponseData);
DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0); pResponseData = pTmpBuf;
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, pCurrLocation = pResponseData + responseDataBufSize;
CASA_FACILITY_AUTHTOKEN, responseDataBufSize += INCREMENT_RESPONSE_DATA_BUF_SIZE;
CASA_STATUS_INSUFFICIENT_RESOURCES); }
else
{
DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
} }
} }
else
{
DbgTrace(0, "-InternalRpc- Failed reading response data, error = %d\n", GetLastError());
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
} while (CASA_SUCCESS(retStatus)
&& bytesRead != 0);
// Check if the response data was successfully received
if (CASA_SUCCESS(retStatus))
{
// The response data was received, return it to the caller.
*ppResponseData = pResponseData;
*pResponseDataLen = responseDataRead;
} }
else else
{ {
DbgTrace(0, "-InternalRpc- Failed reading response data, error = %d\n", GetLastError()); // Failed to receive the response data, free the allocated buffer.
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, free(pResponseData);
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
} }
} while (CASA_SUCCESS(retStatus)
&& bytesRead != 0);
// Check if the response data was successfully received
if (CASA_SUCCESS(retStatus))
{
// The response data was received, return it to the caller.
*ppResponseData = pResponseData;
*pResponseDataLen = responseDataRead;
} }
else else
{ {
// Failed to receive the response data, free the allocated buffer. DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0);
free(pResponseData); retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
} }
} }
else else
{ {
DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0); DbgTrace(0, "-InternalRpc- HTTP request did not complete successfully, status = %S\n", httpCompStatus);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN, CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES); CASA_STATUS_UNSUCCESSFUL);
} }
} }
else else
{ {
DbgTrace(0, "-InternalRpc- HTTP request did not complete successfully, status = %S\n", httpCompStatus); DbgTrace(0, "-InternalRpc- Unable to obtain http request completion status, error = %d\n", GetLastError());
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN, CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL); CASA_STATUS_UNSUCCESSFUL);
@ -383,7 +555,7 @@ InternalRpc(
} }
else else
{ {
DbgTrace(0, "-InternalRpc- Unable to obtain http request completion status, error = %d\n", GetLastError()); DbgTrace(0, "-InternalRpc- Unable to receive response, error = %d\n", GetLastError());
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN, CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL); CASA_STATUS_UNSUCCESSFUL);
@ -391,41 +563,141 @@ InternalRpc(
} }
else else
{ {
DbgTrace(0, "-InternalRpc- Unable to receive response, error = %d\n", GetLastError()); int error = GetLastError();
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN, if (error == ERROR_WINHTTP_CANNOT_CONNECT)
CASA_STATUS_UNSUCCESSFUL); {
DbgTrace(0, "-InternalRpc- Unable to connect to server\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_AUTH_SERVER_UNAVAILABLE);
}
else if (error == ERROR_WINHTTP_SECURE_FAILURE)
{
DbgTrace(1, "-InternalRpc- Secure connection failure, flags = %0x\n", securityFailureStatusFlags);
// Try to deal with the issue
if ((securityFailureStatusFlags & ~(WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
| WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
| WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID)) == 0
&& flags & ALLOW_INVALID_CERTS_USER_APPROVAL_RPC_FLAG)
{
WINHTTP_CERTIFICATE_INFO certInfo;
DWORD certInfoLen = sizeof(certInfo);
// The failure was due to an invalid CN, CA, or both.
//
// Obtain information about the server certificate to give user
// the choice of accepting it.
if (WinHttpQueryOption(hRequest,
WINHTTP_OPTION_SECURITY_CERTIFICATE_STRUCT,
&certInfo,
&certInfoLen)
&& certInfo.lpszSubjectInfo != NULL
&& certInfo.lpszIssuerInfo != NULL)
{
char *pSubjectInfo;
int subjectInfoLen;
// Convert the subjectInfo to multi-byte
retStatus = CopyWideToMultiAlloc(certInfo.lpszSubjectInfo,
(int) wcslen(certInfo.lpszSubjectInfo),
&pSubjectInfo,
&subjectInfoLen);
if (CASA_SUCCESS(retStatus))
{
char *pIssuerInfo;
int issuerInfoLen;
// Convert the issuerInfo to multi-byte
retStatus = CopyWideToMultiAlloc(certInfo.lpszIssuerInfo,
(int) wcslen(certInfo.lpszIssuerInfo),
&pIssuerInfo,
&issuerInfoLen);
if (CASA_SUCCESS(retStatus))
{
long invalidCertFlags = 0;
// Setup the invalid cert flags
if (securityFailureStatusFlags & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA)
invalidCertFlags |= INVALID_CERT_CA_FLAG;
if (securityFailureStatusFlags & WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID)
invalidCertFlags |= INVALID_CERT_CN_FLAG;
if (securityFailureStatusFlags & WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID)
invalidCertFlags |= INVALID_CERT_DATE_FLAG;
// Give user the choice to accept the certificate
if (UserApprovedCert(pSession->pHostName,
pSubjectInfo,
pIssuerInfo,
invalidCertFlags))
{
DbgTrace(1, "-InternalRpc- User approved invalid certificate from %s\n", pSession->pHostName);
AllowInvalidCertsFromHost(pSession->pHostName);
// Try to retry the request
attemptRetry = true;
}
else
{
DbgTrace(1, "-InternalRpc- User did not approve invalid certificate from %s\n", pSession->pHostName);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INVALID_SERVER_CERTIFICATE);
}
// Free the buffer containing the issuerInfo
free(pIssuerInfo);
}
// Free the buffer containing the subjectInfo
free(pSubjectInfo);
}
// Free necessary certificate information
if (certInfo.lpszSubjectInfo) LocalFree(certInfo.lpszSubjectInfo);
if (certInfo.lpszIssuerInfo) LocalFree(certInfo.lpszIssuerInfo);
if (certInfo.lpszProtocolName) LocalFree(certInfo.lpszProtocolName);
if (certInfo.lpszSignatureAlgName) LocalFree(certInfo.lpszSignatureAlgName);
if (certInfo.lpszEncryptionAlgName) LocalFree(certInfo.lpszEncryptionAlgName);
}
else
{
DbgTrace(0, "-InternalRpc- Unable to obtain server certificate struct, error = %0x\n", GetLastError());
}
}
else
{
// Decided to no give the user a choice to accept invalid server certificate
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INVALID_SERVER_CERTIFICATE);
}
}
else
{
DbgTrace(0, "-InternalRpc- Unsuccessful send http request, error = %d\n", error);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
} }
// Close the request handle
WinHttpCloseHandle(hRequest);
} }
else else
{ {
int error = GetLastError(); DbgTrace(0, "-InternalRpc- Unable to open http request, error = %d\n", GetLastError());
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
DbgTrace(0, "-InternalRpc- Unsuccessful send http request, error = %d\n", error); CASA_FACILITY_AUTHTOKEN,
if (error == ERROR_WINHTTP_CANNOT_CONNECT) CASA_STATUS_UNSUCCESSFUL);
{
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_AUTH_SERVER_UNAVAILABLE);
}
else
{
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
} }
} while (attemptRetry && retriesAllowed--);
// Close the request handle
WinHttpCloseHandle(hRequest);
}
else
{
DbgTrace(0, "-InternalRpc- Unable to open http request, error = %d\n", GetLastError());
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
// Free the rpc target wide string buffer // Free the rpc target wide string buffer
free(pWideRpcTarget); free(pWideRpcTarget);
@ -446,7 +718,7 @@ CasaStatus
Rpc( Rpc(
IN RpcSession *pSession, IN RpcSession *pSession,
IN char *pMethod, IN char *pMethod,
IN bool secure, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT int *pResponseDataLen)
@ -473,7 +745,7 @@ Rpc(
// Issue the RPC // Issue the RPC
retStatus = InternalRpc(pSession, retStatus = InternalRpc(pSession,
pMethod, pMethod,
secure, flags,
pRequestData, pRequestData,
ppResponseData, ppResponseData,
pResponseDataLen); pResponseDataLen);

78
CASA-auth-token/non-java/package/windows/authtokenclient_msm/authtokenclient_msm.vdproj
View File

@ -28,7 +28,7 @@
"Entry" "Entry"
{ {
"MsmKey" = "8:_313DE095D13281AF91A64E3F3D472413" "MsmKey" = "8:_313DE095D13281AF91A64E3F3D472413"
"OwnerKey" = "8:_8EA1E8FA8F1644718162CEF87F556652" "OwnerKey" = "8:_7A5EA42289F94648877FA695EB1853CE"
"MsmSig" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED"
} }
"Entry" "Entry"
@ -39,7 +39,7 @@
} }
"Entry" "Entry"
{ {
"MsmKey" = "8:_56E85D8D3ACE4CFEAA7D83C8C65771A7" "MsmKey" = "8:_472FEAD17E7B45FF92E93D80B3379C47"
"OwnerKey" = "8:_8292EFFD84EF46C6BD2F1F3E20808684" "OwnerKey" = "8:_8292EFFD84EF46C6BD2F1F3E20808684"
"MsmSig" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED"
} }
@ -51,14 +51,20 @@
} }
"Entry" "Entry"
{ {
"MsmKey" = "8:_7A5EA42289F94648877FA695EB1853CE"
"OwnerKey" = "8:_UNDEFINED"
"MsmSig" = "8:_UNDEFINED"
}
"Entry"
{
"MsmKey" = "8:_8292EFFD84EF46C6BD2F1F3E20808684" "MsmKey" = "8:_8292EFFD84EF46C6BD2F1F3E20808684"
"OwnerKey" = "8:_UNDEFINED" "OwnerKey" = "8:_UNDEFINED"
"MsmSig" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED"
} }
"Entry" "Entry"
{ {
"MsmKey" = "8:_8EA1E8FA8F1644718162CEF87F556652" "MsmKey" = "8:_92336612AC7D083F97ED302BB7674A2D"
"OwnerKey" = "8:_UNDEFINED" "OwnerKey" = "8:_191525A919DD46AD8D70B7735EE4F451"
"MsmSig" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED"
} }
"Entry" "Entry"
@ -69,12 +75,6 @@
} }
"Entry" "Entry"
{ {
"MsmKey" = "8:_92336612AC7D083F97ED302BB7674A2D"
"OwnerKey" = "8:_191525A919DD46AD8D70B7735EE4F451"
"MsmSig" = "8:_UNDEFINED"
}
"Entry"
{
"MsmKey" = "8:_9A3A0F1784E448538A42AE8722C1FE40" "MsmKey" = "8:_9A3A0F1784E448538A42AE8722C1FE40"
"OwnerKey" = "8:_UNDEFINED" "OwnerKey" = "8:_UNDEFINED"
"MsmSig" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED"
@ -468,7 +468,7 @@
} }
"MergeModule" "MergeModule"
{ {
"{35A69C6E-5BA4-440D-803D-762B59A45393}:_56E85D8D3ACE4CFEAA7D83C8C65771A7" "{35A69C6E-5BA4-440D-803D-762B59A45393}:_472FEAD17E7B45FF92E93D80B3379C47"
{ {
"UseDynamicProperties" = "11:FALSE" "UseDynamicProperties" = "11:FALSE"
"IsDependency" = "11:TRUE" "IsDependency" = "11:TRUE"
@ -550,6 +550,34 @@
{ {
} }
} }
"{8062640A-2EEE-46E9-AB67-688E9A886E9F}:_7A5EA42289F94648877FA695EB1853CE"
{
"SourcePath" = "8:..\\..\\..\\client\\mechanisms\\krb5\\windows\\Debug\\krb5mech.dll"
"TargetName" = "8:"
"Tag" = "8:"
"Folder" = "8:_F5F5F604B81645F8B6463F7A7D6A53AD"
"Condition" = "8:"
"Transitive" = "11:FALSE"
"Vital" = "11:TRUE"
"ReadOnly" = "11:FALSE"
"Hidden" = "11:FALSE"
"System" = "11:FALSE"
"Permanent" = "11:FALSE"
"SharedLegacy" = "11:FALSE"
"PackageAs" = "3:1"
"Register" = "3:1"
"Exclude" = "11:FALSE"
"IsDependency" = "11:FALSE"
"IsolateTo" = "8:"
"ProjectOutputGroupRegister" = "3:1"
"OutputConfiguration" = "8:"
"OutputGroupCanonicalName" = "8:Built"
"OutputProjectGuid" = "8:{5499F624-F371-4559-B4C2-A484BCE892FD}"
"ShowKeyOutput" = "11:FALSE"
"ExcludeFilters"
{
}
}
"{8062640A-2EEE-46E9-AB67-688E9A886E9F}:_8292EFFD84EF46C6BD2F1F3E20808684" "{8062640A-2EEE-46E9-AB67-688E9A886E9F}:_8292EFFD84EF46C6BD2F1F3E20808684"
{ {
"SourcePath" = "8:..\\..\\..\\client\\csharp\\Novell.Casa.Authtoken\\obj\\Debug\\Novell.Casa.Client.Auth.dll" "SourcePath" = "8:..\\..\\..\\client\\csharp\\Novell.Casa.Authtoken\\obj\\Debug\\Novell.Casa.Client.Auth.dll"
@ -578,34 +606,6 @@
{ {
} }
} }
"{8062640A-2EEE-46E9-AB67-688E9A886E9F}:_8EA1E8FA8F1644718162CEF87F556652"
{
"SourcePath" = "8:..\\..\\..\\client\\mechanisms\\krb5\\windows\\Debug\\krb5mech.dll"
"TargetName" = "8:"
"Tag" = "8:"
"Folder" = "8:_F5F5F604B81645F8B6463F7A7D6A53AD"
"Condition" = "8:"
"Transitive" = "11:FALSE"
"Vital" = "11:TRUE"
"ReadOnly" = "11:FALSE"
"Hidden" = "11:FALSE"
"System" = "11:FALSE"
"Permanent" = "11:FALSE"
"SharedLegacy" = "11:FALSE"
"PackageAs" = "3:1"
"Register" = "3:1"
"Exclude" = "11:FALSE"
"IsDependency" = "11:FALSE"
"IsolateTo" = "8:"
"ProjectOutputGroupRegister" = "3:1"
"OutputConfiguration" = "8:"
"OutputGroupCanonicalName" = "8:Built"
"OutputProjectGuid" = "8:{5499F624-F371-4559-B4C2-A484BCE892FD}"
"ShowKeyOutput" = "11:FALSE"
"ExcludeFilters"
{
}
}
} }
"Registry" "Registry"
{ {