18 #ifndef INCLUDE_RCF_SSPIFILTER_HPP 19 #define INCLUDE_RCF_SSPIFILTER_HPP 24 #include <RCF/ByteBuffer.hpp> 26 #include <RCF/Filter.hpp> 28 #include <RCF/RecursionLimiter.hpp> 29 #include <RCF/ThreadLibrary.hpp> 30 #include <RCF/Export.hpp> 34 #ifndef SECURITY_WIN32 35 #define SECURITY_WIN32 46 typedef RCF::tstring tstring;
/// Reference-counted handle to an SspiFilter (the class is defined further down
/// in this header). Ownership of a filter is shared between whatever holds one
/// of these pointers.
typedef std::shared_ptr<SspiFilter> SspiFilterPtr;
// Fragment of a class whose header and remaining members are not present in
// this rendering. The page's own description of the class at this position
// says it allows the server side of an SSPI connection to impersonate the
// client; the declarations below are consistent with that but the surrounding
// code cannot be seen here.

/// Ends the impersonation and returns the calling thread to its own identity.
/// NOTE(review): callers should make sure this runs on every exit path
/// (RAII / destructor), since a thread left impersonating a client keeps
/// that client's privileges for subsequent work — confirm in the implementation.
void revertToSelf() const;

/// The filter whose security context provides the client identity.
SspiFilterPtr mSspiFilterPtr;
/// Default InitializeSecurityContext (ISC_REQ_*) flags for the client-side
/// NTLM / Kerberos / Negotiate filters; this header uses it as the default
/// `contextRequirements` of NtlmClientFilter, KerberosClientFilter and
/// NegotiateClientFilter. The terms visible here request replay detection,
/// sequence detection and confidentiality (encryption). The remaining terms of
/// this OR-expression and its terminating semicolon are not shown in this
/// rendering.
// NOTE(review): weakening these flags is a security decision — e.g. dropping
// ISC_REQ_CONFIDENTIALITY leaves the stream in clear text even though an SSPI
// filter is installed.
static const ULONG DefaultSspiContextRequirements =
    ISC_REQ_REPLAY_DETECT |
    ISC_REQ_SEQUENCE_DETECT |
    ISC_REQ_CONFIDENTIALITY |
/// Default AcceptSecurityContext (ASC_REQ_*) flags for the Schannel (TLS)
/// side: sequence and replay detection, confidentiality, extended error
/// reporting, and package-allocated output buffers. The end of this
/// OR-expression (terminating semicolon) is not shown in this rendering.
// NOTE(review): ASC_REQ_ALLOCATE_MEMORY makes Schannel allocate the output
// token buffers; under the SSPI contract the caller must then release them
// with FreeContextBuffer. That release is not visible in this header —
// verify it in the implementation, otherwise every handshake leaks.
static const ULONG DefaultSchannelContextRequirements =
    ASC_REQ_SEQUENCE_DETECT
    | ASC_REQ_REPLAY_DETECT
    | ASC_REQ_CONFIDENTIALITY
    | ASC_REQ_EXTENDED_ERROR
    | ASC_REQ_ALLOCATE_MEMORY
/// Default Schannel protocol masks, selected at compile time on whether the
/// SDK defines the TLS 1.3 protocol constants. In each branch the first term
/// of both expressions (and, for the first branch, the `#else`/`#endif` of
/// this conditional) is not shown in this rendering, so the full mask cannot
/// be read from here.
// NOTE(review): in both branches the *server* default visible here ends at
// SP_PROT_TLS1_2_SERVER, while the *client* default additionally enables
// SP_PROT_TLS1_1_CLIENT and SP_PROT_TLS1_0_CLIENT. TLS 1.0 and 1.1 are
// deprecated (RFC 8996); a client left on this default will negotiate down to
// them against a peer that offers nothing newer. Consider aligning the client
// default with the server default and letting users opt in to older versions
// explicitly.
#if defined(SP_PROT_TLS1_3_SERVER) && defined(SP_PROT_TLS1_3_CLIENT)
static const DWORD DefaultSchannelServerProtocols =
    | SP_PROT_TLS1_2_SERVER;

static const DWORD DefaultSchannelClientProtocols =
    | SP_PROT_TLS1_2_CLIENT
    | SP_PROT_TLS1_1_CLIENT
    | SP_PROT_TLS1_0_CLIENT;

static const DWORD DefaultSchannelServerProtocols =
    SP_PROT_TLS1_2_SERVER;

static const DWORD DefaultSchannelClientProtocols =
    SP_PROT_TLS1_2_CLIENT
    | SP_PROT_TLS1_1_CLIENT
    | SP_PROT_TLS1_0_CLIENT;
// Forward declarations. SchannelFilter is the client-side Schannel filter;
// SchannelFilterFactory is granted friend access by SspiFilter below.
class SchannelClientFilter;
typedef SchannelClientFilter SchannelFilter;

class SchannelFilterFactory;

/// Opaque holder for an acquired SSPI credentials handle; shared between the
/// filters that use the same credentials.
class SspiCredentials;
typedef std::shared_ptr<SspiCredentials> SspiCredentialsPtr;
/// Base class for the SSPI-backed transport filters (NTLM, Kerberos, Negotiate
/// and Schannel/TLS). It owns the SSPI security context and the read/write
/// staging buffers, and runs the handshake and encrypt/decrypt steps on the
/// byte stream handed to it by the Filter layer. The opening brace, access
/// specifiers and closing brace of this class, plus a number of members, are
/// not present in this rendering.
class RCF_EXPORT SspiFilter :
    public Filter

    /// Raw SSPI context handle. Anything obtained through this handle shares
    /// the filter's lifetime; do not hold it past the filter.
    PCtxtHandle getSecurityContext() const;

    // Tail of the constructor's parameter list (the first lines are not shown).
    //   credentialsPtr      - credentials handle shared with the factory/caller
    //   contextRequirements - ISC_REQ_* / ASC_REQ_* flags for the context
    //   clientOrServer      - which side of the handshake this filter plays
    //   packageName/List    - SSPI package selection; empty by default
    SspiCredentialsPtr credentialsPtr,
    ULONG contextRequirements,
    SspiRole clientOrServer,
    const tstring & packageName = RCF_T(""),
    const tstring & packageList = RCF_T(""));

    void createClientCredentials();

    // Tail of a declaration whose first line is not shown (takes a byte count).
    std::size_t bytesRequested);

    // Filter I/O entry points and completion callbacks.
    void write(const std::vector<ByteBuffer> &byteBuffers);
    void onReadCompleted(const ByteBuffer &byteBuffer);
    void onWriteCompleted(std::size_t bytesTransferred);
    void handleEvent(Event event);

    // Message-protection paths: the generic SSPI pair and the Schannel pair.
    // The decrypt variants return bool, presumably "a complete message was
    // decrypted" — confirm against the implementation.
    void encryptWriteBuffer();
    bool decryptReadBuffer();
    void encryptWriteBufferSchannel();
    bool decryptReadBufferSchannel();

    // Block-completion and buffer-management helpers for the staging buffers.
    bool completeReadBlock();
    bool completeWriteBlock();
    bool completeBlock();
    void resizeReadBuffer(std::size_t newSize);
    void resizeWriteBuffer(std::size_t newSize);
    void shiftReadBuffer(bool shiftEntireBuffer = true);
    void trimReadBuffer();

    /// Decides whether an SSPI call should be repeated with more input data,
    /// based on the input/output buffer descriptors of the previous call.
    bool shouldRetryWithExtraData(const SecBufferDesc& ibd, const SecBufferDesc& obd);

    /// Drives one step of the handshake; client and server subclasses differ.
    virtual void handleHandshakeEvent() = 0;

    // Context configuration.
    ULONG mContextRequirements;
    SspiCredentialsPtr mCredentialsPtr;
    tstring mPackageName;
    tstring mPackageList;
    ContextState mContextState;
    const SspiRole mClientOrServer;

    // Outstanding read request size as originally asked for by the caller.
    std::size_t mBytesRequestedOrig;

    // Read staging buffer and cursor/length into it.
    ReallocBufferPtr mReadBufferVectorPtr;
    std::size_t mReadBufferPos;
    std::size_t mReadBufferLen;

    // Write staging buffer and cursor/length into it.
    ReallocBufferPtr mWriteBufferVectorPtr;
    std::size_t mWriteBufferPos;
    std::size_t mWriteBufferLen;
    std::vector<ByteBuffer> mByteBuffers;

    const SspiType mSspiType;

    // Largest message the package will wrap in one call; reads/writes above
    // this are presumably split — confirm in the implementation.
    std::size_t mMaxMessageLength;

    // NOTE(review): name suggests a certificate-validation mode/target for
    // Schannel; its semantics are not visible here. Whatever it selects, the
    // default should verify the peer, since TLS without certificate validation
    // gives no authentication.
    tstring mAutoCertValidation;

    // Read-ahead and "data left over from the last decrypt" bookkeeping.
    const std::size_t mReadAheadChunkSize;
    std::size_t mRemainingDataPos;
    bool mRemainingDataAlreadyShifted;
    std::vector<RCF::ByteBuffer> mMergeBufferList;
    std::vector<char> mMergeBuffer;

    bool mProtocolChecked;
    bool mResumeUserIoAfterWrite = false;

    // Guards against unbounded re-entry when completions fire synchronously.
    bool mLimitRecursion;
    RecursionState<ByteBuffer, int> mRecursionStateRead;
    RecursionState<std::size_t, int> mRecursionStateWrite;

    // Inner implementations of the completion callbacks above.
    void onReadCompleted_(const ByteBuffer &byteBuffer);
    void onWriteCompleted_(std::size_t bytesTransferred);

    friend class SchannelFilterFactory;
/// Server-side (AcceptSecurityContext) specialization of SspiFilter. The
/// braces, access specifiers and most of the constructor are not shown here.
class RCF_EXPORT SspiServerFilter :
    public SspiFilter

    // Constructor parameter (the rest of the parameter list is not shown).
    SspiCredentialsPtr credentialsPtr,

    /// Performs one Schannel (TLS) handshake step for the server role.
    bool doHandshakeSchannel();

    /// Implements SspiFilter::handleHandshakeEvent for the server role.
    // NOTE(review): consider marking this `override` so a signature drift in
    // the base is caught at compile time.
    void handleHandshakeEvent();
/// Server-side NTLM filter (braces/access specifiers not shown here).
class NtlmServerFilter :
    public SspiServerFilter

    NtlmServerFilter(SspiCredentialsPtr credentialsPtr);

    /// Identifier used to match this filter against the client's choice.
    int getFilterId() const;
/// Server-side Kerberos filter (braces/access specifiers not shown here).
class KerberosServerFilter :
    public SspiServerFilter

    KerberosServerFilter(SspiCredentialsPtr credentialsPtr);

    /// Identifier used to match this filter against the client's choice.
    int getFilterId() const;
/// Server-side Negotiate (SPNEGO) filter (braces/access specifiers not shown
/// here).
class NegotiateServerFilter :
    public SspiServerFilter

    NegotiateServerFilter(SspiCredentialsPtr credentialsPtr);

    /// Identifier used to match this filter against the client's choice.
    int getFilterId() const;
/// Server-side factory producing NtlmServerFilter instances. The credentials
/// handle is created lazily and shared by all filters from this factory; the
/// mutex guards that shared pointer. Braces/access specifiers not shown here.
class RCF_EXPORT NtlmFilterFactory :
    public FilterFactory

    FilterPtr createFilter(RcfServer & server);

    Mutex mCredentialsMutex;
    SspiCredentialsPtr mCredentialsPtr;
/// Server-side factory producing KerberosServerFilter instances; the shared
/// credentials pointer is guarded by mCredentialsMutex. Braces/access
/// specifiers not shown here.
class KerberosFilterFactory :
    public FilterFactory

    KerberosFilterFactory();

    FilterPtr createFilter(RcfServer & server);

    Mutex mCredentialsMutex;
    SspiCredentialsPtr mCredentialsPtr;
/// Server-side factory producing NegotiateServerFilter instances. The package
/// list is handed to SSPI to constrain what Negotiate may pick; the shared
/// credentials pointer is guarded by mCredentialsMutex. Braces/access
/// specifiers not shown here.
class NegotiateFilterFactory :
    public FilterFactory

    // NOTE(review): the default package list permits NTLM as a fallback when
    // Kerberos is unavailable. Deployments that must not accept NTLM should
    // pass an explicit list without it rather than rely on this default.
    NegotiateFilterFactory(const tstring &packageList = RCF_T("Kerberos, NTLM"));

    FilterPtr createFilter(RcfServer & server);

    Mutex mCredentialsMutex;
    tstring mPackageList;
    SspiCredentialsPtr mCredentialsPtr;
/// Client-side (InitializeSecurityContext) specialization of SspiFilter.
/// The braces, access specifiers, the start of the constructor and its
/// member-initializer list (the trailing `:` below) are not shown here.
class SspiClientFilter :
    public SspiFilter

    SspiCredentialsPtr credentialsPtr,
    ULONG contextRequirements,
    const tstring & packageName,
    const tstring & packageList) :

    /// Performs one Schannel (TLS) handshake step for the client role.
    bool doHandshakeSchannel();

    /// Implements SspiFilter::handleHandshakeEvent for the client role.
    // NOTE(review): consider marking this `override`.
    void handleHandshakeEvent();
/// Client-side NTLM filter. Only the tail of the constructor's parameter list
/// is visible; it defaults the context flags to DefaultSspiContextRequirements.
class NtlmClientFilter :
    public SspiClientFilter

    ULONG contextRequirements = DefaultSspiContextRequirements);

    int getFilterId() const;
/// Client-side Kerberos filter. Only the start and the tail of the
/// constructor's parameter list are visible; the context flags default to
/// DefaultSspiContextRequirements.
class KerberosClientFilter :
    public SspiClientFilter

    KerberosClientFilter(
    ULONG contextRequirements = DefaultSspiContextRequirements);

    int getFilterId() const;
/// Client-side Negotiate (SPNEGO) filter. Only the start and the tail of the
/// constructor's parameter list are visible; the context flags default to
/// DefaultSspiContextRequirements.
class NegotiateClientFilter :
    public SspiClientFilter

    NegotiateClientFilter(
    ULONG contextRequirements = DefaultSspiContextRequirements);

    int getFilterId() const;
// Short names: the unqualified filter names refer to the client-side classes.
using NtlmFilter      = NtlmClientFilter;
using KerberosFilter  = KerberosClientFilter;
using NegotiateFilter = NegotiateClientFilter;

// Sspi-prefixed aliases kept for source compatibility with older names.
using SspiNtlmFilter             = NtlmFilter;
using SspiKerberosFilter         = KerberosFilter;
using SspiNegotiateFilter        = NegotiateFilter;

using SspiNtlmServerFilter       = NtlmServerFilter;
using SspiKerberosServerFilter   = KerberosServerFilter;
using SspiNegotiateServerFilter  = NegotiateServerFilter;

using SspiNtlmFilterFactory      = NtlmFilterFactory;
using SspiKerberosFilterFactory  = KerberosFilterFactory;
using SspiNegotiateFilterFactory = NegotiateFilterFactory;

using SspiNtlmClientFilter       = NtlmClientFilter;
using SspiKerberosClientFilter   = KerberosClientFilter;
using SspiNegotiateClientFilter  = NegotiateClientFilter;

// Base-class aliases.
using SspiFilterBase    = SspiFilter;
using SspiFilterBasePtr = SspiFilterPtr;
463 #endif // ! INCLUDE_RCF_SSPIFILTER_HPP SspiMessageProtection