Swiften/SASL/WindowsAuthentication.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170

/*
 * Copyright (c) 2015-2016 Isode Limited.
 * All rights reserved.
 * See the COPYING file for more information.
 */

#pragma once

#include <string>

#define SECURITY_WIN32
#include <Windows.h>
#include <Sspi.h>

#include <Swiften/Base/API.h>
#include <boost/signals2.hpp>
#include <Swiften/Base/SafeByteArray.h>

namespace Swift {
    /**
     * Retrieves the names & Windows server domain of the user associated
     * with the calling thread.
     *
     * @param userName Will return the user name in the form "DOMAIN\user"
     * @param clientName Will return the client name in the form "user"
     * @param serverName Will return the server name in the form "DOMAIN"
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> getUserNameEx(std::string& userName, std::string& clientName, std::string& serverName);

    /**
     * Retrieves the handle to preexisting client credentials for the
     * Kerberos security package that were established through a system
     * logon.
     * freeCredentialsHandle() should be called if this function is
     * successful and when credentials are no longer needed.
     *
     * @param credentialsHandle Pointer to the returned credentials handle.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> acquireCredentialsHandle(PCredHandle credentialsHandle);

    /**
     * Releases the credentials handle obtained by the
     * acquireCredentialsHandle() function.
     * freeCredentialsHandle() should be called when credentials are no
     * longer needed.
     *
     * @param credentialsHandle Pointer to the credentials handle.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> freeCredentialsHandle(PCredHandle credentialsHandle);

    /**
     * Builds the security context between the client and remote peer.
     * Kerberos security package that were established through a system
     * logon.
     *
     * @param inputToken NULL or empty on the first call, otherwise the
     *    token returned by the server.
     * @param servicePrincipalNameString Service principal name of the
     *    server.
     * @param credentialsHandle Pointer to the credentials handle acquired
     *    before.
     * @param haveContextHandle False on the first call to this function,
     *    true otherwise.
     * @param contextHandle Pointer to the context handle returned on the
     *    first call and passed on subsequent calls.
     * @param contextRequested Context related requests by the caller. See
     *    the Windows API InitializeSecurityContext for allowed values.
     * @param contextSupported Pointer to context related attributes
     *    returned when context is completely established (when
     *    haveCompleteContext contains true). See the Windows API
     *    InitializeSecurityContext for allowed values.
     * @param haveCompleteContext Pointer to boolean - this will only be
     *    true on return when the context is completely established and
     *    there is no need to call this function again.
     * @param outputToken Returned security token to be sent to the server,
     *    may be empty.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> initializeSecurityContext(const boost::optional<ByteArray>& inputToken, const std::string& servicePrincipalNameString, const PCredHandle credentialsHandle, bool haveContextHandle, PCtxtHandle contextHandle, ULONG contextRequested, ULONG* contextSupported, bool* haveCompleteContext, SafeByteArray& outputToken);

    /**
     * Releases the context handle obtained by the
     * initializeSecurityContext() function.
     * deleteSecurityContext() should be called when the context is no
     * longer needed.
     *
     * @param contextHandle Pointer to the context handle.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> deleteSecurityContext(PCtxtHandle contextHandle);

    /**
     * Completes an authentication token for a partial security context.
     *
     * @param contextHandle Pointer to the context handle.
     * @param token authentication token.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> completeAuthToken(const PCtxtHandle contextHandle, PSecBufferDesc token);

    /**
     * Frees a memory buffer allocated by the security package.
     *
     * @param contextBuffer Pointer to buffer to be freed.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> freeContextBuffer(PVOID contextBuffer);

    /**
     * Decrypt message (assumes that sequence numbers are not maintained).
     *
     * @param contextHandle Pointer to the context handle.
     * @param message Message to decrypt.
     * @param decrypted Returned decrypted message.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> decryptMessage(const PCtxtHandle contextHandle, const ByteArray& message, SafeByteArray& decrypted);

    /**
     * Produces a header or trailer for the message but does not encrypt it
     * (also assumes that sequence numbers are not maintained).
     *
     * @param contextHandle Pointer to the context handle.
     * @param sizes SecPkgContext_Sizes obtained for the context.
     * @param message Input message.
     * @param output Returned output message.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> encryptMessage(const PCtxtHandle contextHandle, const SecPkgContext_Sizes& sizes, const SafeByteArray& message, SafeByteArray& output);

    /**
     * Queries the security package for attributes of the security context.
     *
     * @param contextHandle Pointer to the context handle.
     * @param attribute Attribute to query. See the Windows API
     *    QueryContextAttributes for allowed values.
     * @param buffer Pointer to a structure that receives the output.
     *    The type of structure depends on the queried attribute and
     *    memory for it must be allocated by caller. If the SSP allocates
     *    any memory required to hold some members, that memory should be
     *    freed using the function freeContextBuffer(). See the Windows
     *    API QueryContextAttributes for details.
     *
     * @return NULL for success, otherwise the error code returned by
     * Windows.
     */
    SWIFTEN_API std::shared_ptr<boost::system::error_code> queryContextAttributes(const PCtxtHandle contextHandle, ULONG attribute, PVOID buffer);

}