19 #ifndef INCLUDE_RCF_SSPIFILTER_HPP 20 #define INCLUDE_RCF_SSPIFILTER_HPP 25 #include <RCF/ByteBuffer.hpp> 27 #include <RCF/Filter.hpp> 29 #include <RCF/RecursionLimiter.hpp> 30 #include <RCF/ThreadLibrary.hpp> 31 #include <RCF/Export.hpp> 35 #ifndef SECURITY_WIN32 36 #define SECURITY_WIN32 47 typedef RCF::tstring tstring;
// Shared-ownership handle to an SspiFilter (the filter class itself is declared
// further down in this header).
using SspiFilterPtr = std::shared_ptr<SspiFilter>;
/// Drops the impersonated client identity and restores the server's own
/// security context on the calling thread. Presumably a thin wrapper over
/// SSPI RevertSecurityContext() on the filter's context handle - confirm in
/// SspiFilter.cpp. Declared const: it does not modify this object's members.
void revertToSelf() const;
73 SspiFilterPtr mSspiFilterPtr;
76 static const ULONG DefaultSspiContextRequirements =
77 ISC_REQ_REPLAY_DETECT |
78 ISC_REQ_SEQUENCE_DETECT |
79 ISC_REQ_CONFIDENTIALITY |
84 static const ULONG DefaultSchannelContextRequirements =
85 ASC_REQ_SEQUENCE_DETECT
86 | ASC_REQ_REPLAY_DETECT
87 | ASC_REQ_CONFIDENTIALITY
88 | ASC_REQ_EXTENDED_ERROR
89 | ASC_REQ_ALLOCATE_MEMORY
92 #if defined(SP_PROT_TLS1_3_SERVER) && defined(SP_PROT_TLS1_3_CLIENT) 94 static const DWORD DefaultSchannelServerProtocols =
96 | SP_PROT_TLS1_2_SERVER;
98 static const DWORD DefaultSchannelClientProtocols =
100 | SP_PROT_TLS1_2_CLIENT
101 | SP_PROT_TLS1_1_CLIENT
102 | SP_PROT_TLS1_0_CLIENT;
// Fallback for Windows SDKs that do not define SP_PROT_TLS1_3_SERVER /
// SP_PROT_TLS1_3_CLIENT (see the #if above): the server side offers TLS 1.2
// only.
static const DWORD DefaultSchannelServerProtocols = SP_PROT_TLS1_2_SERVER;

// Client side: anything from TLS 1.0 up to TLS 1.2 is acceptable.
//
// NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996) yet are enabled by
// default here, so a client using this mask can end up on TLS 1.0/1.1 whenever
// the peer offers nothing newer (or an active attacker forces a downgrade).
// The server default directly above is the stricter, TLS-1.2-only setting.
// Deployments that do not need legacy peers should pass SP_PROT_TLS1_2_CLIENT
// alone (plus TLS 1.3 where the SDK defines it). How this mask reaches
// Schannel - presumably as the credential's grbitEnabledProtocols - is not
// visible in this header; verify in SspiFilter.cpp before relying on an
// override.
static const DWORD DefaultSchannelClientProtocols =
      SP_PROT_TLS1_0_CLIENT
    | SP_PROT_TLS1_1_CLIENT
    | SP_PROT_TLS1_2_CLIENT;
// Schannel (TLS) filter: the unqualified name refers to the client-side
// implementation.
class SchannelClientFilter;
using SchannelFilter = SchannelClientFilter;

class SchannelFilterFactory;

// Shared-ownership handle to SSPI credentials; the filter factories below keep
// one and the filter constructors take one.
class SspiCredentials;
using SspiCredentialsPtr = std::shared_ptr<SspiCredentials>;
127 class RCF_EXPORT SspiFilter :
public Filter
139 PCtxtHandle getSecurityContext()
const;
146 SspiCredentialsPtr credentialsPtr,
149 ULONG contextRequirements,
150 SspiRole clientOrServer,
152 const tstring & packageName = RCF_T(
""),
153 const tstring & packageList = RCF_T(
""));
184 void createClientCredentials();
188 std::size_t bytesRequested);
190 void write(
const std::vector<ByteBuffer> &byteBuffers);
192 void onReadCompleted(
const ByteBuffer &byteBuffer);
193 void onWriteCompleted(std::size_t bytesTransferred);
195 void handleEvent(Event event);
199 void encryptWriteBuffer();
200 bool decryptReadBuffer();
202 void encryptWriteBufferSchannel();
203 bool decryptReadBufferSchannel();
205 bool completeReadBlock();
206 bool completeWriteBlock();
207 bool completeBlock();
209 void resizeReadBuffer(std::size_t newSize);
210 void resizeWriteBuffer(std::size_t newSize);
212 void shiftReadBuffer(
bool shiftEntireBuffer =
true);
213 void trimReadBuffer();
215 bool shouldRetryWithExtraData(
const SecBufferDesc& ibd,
const SecBufferDesc& obd);
217 virtual void handleHandshakeEvent() = 0;
224 ULONG mContextRequirements;
226 SspiCredentialsPtr mCredentialsPtr;
227 tstring mPackageName;
228 tstring mPackageList;
232 ContextState mContextState;
236 const SspiRole mClientOrServer;
240 std::size_t mBytesRequestedOrig;
243 ReallocBufferPtr mReadBufferVectorPtr;
245 std::size_t mReadBufferPos;
246 std::size_t mReadBufferLen;
249 ReallocBufferPtr mWriteBufferVectorPtr;
251 std::size_t mWriteBufferPos;
252 std::size_t mWriteBufferLen;
254 std::vector<ByteBuffer> mByteBuffers;
258 const SspiType mSspiType;
260 std::size_t mMaxMessageLength;
266 tstring mAutoCertValidation;
268 const std::size_t mReadAheadChunkSize;
269 std::size_t mRemainingDataPos;
271 std::vector<RCF::ByteBuffer> mMergeBufferList;
272 std::vector<char> mMergeBuffer;
274 bool mProtocolChecked;
276 bool mResumeUserIoAfterWrite =
false;
279 bool mLimitRecursion;
280 RecursionState<ByteBuffer, int> mRecursionStateRead;
281 RecursionState<std::size_t, int> mRecursionStateWrite;
283 void onReadCompleted_(
const ByteBuffer &byteBuffer);
284 void onWriteCompleted_(std::size_t bytesTransferred);
286 friend class SchannelFilterFactory;
292 class RCF_EXPORT SspiServerFilter :
public SspiFilter
296 SspiCredentialsPtr credentialsPtr,
300 bool doHandshakeSchannel();
302 void handleHandshakeEvent();
305 class NtlmServerFilter :
public SspiServerFilter
308 NtlmServerFilter(SspiCredentialsPtr credentialsPtr);
309 int getFilterId()
const;
312 class KerberosServerFilter :
public SspiServerFilter
315 KerberosServerFilter(SspiCredentialsPtr credentialsPtr);
316 int getFilterId()
const;
319 class NegotiateServerFilter :
public SspiServerFilter
322 NegotiateServerFilter(SspiCredentialsPtr credentialsPtr);
323 int getFilterId()
const;
328 class RCF_EXPORT NtlmFilterFactory :
public FilterFactory
333 FilterPtr createFilter(
RcfServer & server);
338 Mutex mCredentialsMutex;
339 SspiCredentialsPtr mCredentialsPtr;
342 class KerberosFilterFactory :
public FilterFactory
345 KerberosFilterFactory();
347 FilterPtr createFilter(
RcfServer & server);
352 Mutex mCredentialsMutex;
353 SspiCredentialsPtr mCredentialsPtr;
356 class NegotiateFilterFactory :
public FilterFactory
359 NegotiateFilterFactory(
const tstring &packageList = RCF_T(
"Kerberos, NTLM"));
361 FilterPtr createFilter(
RcfServer & server);
366 Mutex mCredentialsMutex;
367 tstring mPackageList;
368 SspiCredentialsPtr mCredentialsPtr;
373 class SspiClientFilter :
public SspiFilter
377 SspiCredentialsPtr credentialsPtr,
380 ULONG contextRequirements,
382 const tstring & packageName,
383 const tstring & packageList) :
398 bool doHandshakeSchannel();
400 void handleHandshakeEvent();
403 class NtlmClientFilter :
public SspiClientFilter
409 ULONG contextRequirements = DefaultSspiContextRequirements);
411 int getFilterId()
const;
414 class KerberosClientFilter :
public SspiClientFilter
417 KerberosClientFilter(
420 ULONG contextRequirements = DefaultSspiContextRequirements);
422 int getFilterId()
const;
425 class NegotiateClientFilter :
public SspiClientFilter
429 NegotiateClientFilter(
432 ULONG contextRequirements = DefaultSspiContextRequirements);
435 int getFilterId()
const;
// Short names: the unqualified NTLM / Kerberos / Negotiate filters are the
// client-side implementations.
using NtlmFilter      = NtlmClientFilter;
using KerberosFilter  = KerberosClientFilter;
using NegotiateFilter = NegotiateClientFilter;

// Sspi-prefixed synonyms for the same types - presumably retained so code
// written against the older names keeps compiling.
using SspiNtlmFilter      = NtlmFilter;
using SspiKerberosFilter  = KerberosFilter;
using SspiNegotiateFilter = NegotiateFilter;

using SspiNtlmServerFilter      = NtlmServerFilter;
using SspiKerberosServerFilter  = KerberosServerFilter;
using SspiNegotiateServerFilter = NegotiateServerFilter;

using SspiNtlmFilterFactory      = NtlmFilterFactory;
using SspiKerberosFilterFactory  = KerberosFilterFactory;
using SspiNegotiateFilterFactory = NegotiateFilterFactory;

using SspiNtlmClientFilter      = NtlmClientFilter;
using SspiKerberosClientFilter  = KerberosClientFilter;
using SspiNegotiateClientFilter = NegotiateClientFilter;

// Common base of every SSPI filter above, and its shared handle.
using SspiFilterBase    = SspiFilter;
using SspiFilterBasePtr = SspiFilterPtr;
463 #endif // ! INCLUDE_RCF_SSPIFILTER_HPP SspiMessageProtection