archive
/
windows-nt-4.0
mirror of https://github.com/lianthony/NT4.0
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Windows NT 4.0 source code leak
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
184 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-nt-4.0/private/lsa/client/ssp/stubs.c

1565 lines
35 KiB
Raw Permalink Normal View History

initial commit
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1992 - 1994
  6. //
  7. // File: stubs.cxx
  8. //
  9. // Contents: user-mode stubs for security API
  10. //
  11. //
  12. // History: 3/5/94 MikeSw Created
  13. //
  14. //------------------------------------------------------------------------
  15. #include <sspdrv.h>
  17. #pragma alloc_text(PAGE, AcquireCredentialsHandleW)
  18. #pragma alloc_text(PAGE, FreeCredentialsHandle)
  19. #pragma alloc_text(PAGE, InitializeSecurityContextW)
  20. #pragma alloc_text(PAGE, AcceptSecurityContext)
  21. #pragma alloc_text(PAGE, DeleteSecurityContext)
  22. #pragma alloc_text(PAGE, ApplyControlToken)
  23. #pragma alloc_text(PAGE, EnumerateSecurityPackagesW)
  24. #pragma alloc_text(PAGE, QuerySecurityPackageInfoW)
  25. #pragma alloc_text(PAGE, FreeContextBuffer)
  27. static CtxtHandle NullContext = {0,0};
  28. static CredHandle NullCredential = {0,0};
  29. static LUID lFake = {0, 0};
  30. static SECURITY_STRING sFake = {0, 0, NULL};
  31. static TOKEN_SOURCE KsecTokenSource = {"KSecDD", {0, 0} };
  33. #define NTLMSSP_REQUIRED_NEGOTIATE_FLAGS ( NTLMSSP_NEGOTIATE_UNICODE | \
  34. NTLMSSP_REQUEST_INIT_RESPONSE )
  38. //+-------------------------------------------------------------------------
  39. //
  40. // Function: AcquireCredentialsHandleW
  41. //
  42. // Synopsis:
  43. //
  44. // Effects:
  45. //
  46. // Arguments:
  47. //
  48. // Requires:
  49. //
  50. // Returns:
  51. //
  52. // Notes:
  53. //
  54. //
  55. //--------------------------------------------------------------------------
  59. SECURITY_STATUS SEC_ENTRY
  60. AcquireCredentialsHandleW(
  61. PSECURITY_STRING pssPrincipal, // Name of principal
  62. PSECURITY_STRING pssPackageName, // Name of package
  63. unsigned long fCredentialUse, // Flags indicating use
  64. void SEC_FAR * pvLogonId, // Pointer to logon ID
  65. void SEC_FAR * pAuthData, // Package specific data
  66. SEC_GET_KEY_FN pGetKeyFn, // Pointer to GetKey() func
  67. void SEC_FAR * pvGetKeyArgument, // Value to pass to GetKey()
  68. PCredHandle phCredential, // (out) Cred Handle
  69. PTimeStamp ptsExpiry // (out) Lifetime (optional)
  70. )
  71. {
  72. SECURITY_STATUS scRet;
  73. SECURITY_STRING Principal;
  74. TimeStamp OptionalTimeStamp;
  75. UNICODE_STRING PackageName;
  77. PAGED_CODE();
  79. if (!pssPackageName)
  80. {
  81. return(SEC_E_SECPKG_NOT_FOUND);
  82. }
  84. //
  85. // We don't accept principal names either.
  86. //
  88. if (pssPrincipal)
  89. {
  90. return(SEC_E_UNKNOWN_CREDENTIALS);
  91. }
  94. //
  95. // Make sure they want the NTLM security package
  96. //
  97. RtlInitUnicodeString(
  98. &PackageName,
  99. NTLMSP_NAME
  100. );
  103. if (!RtlEqualUnicodeString(
  104. pssPackageName,
  105. &PackageName,
  106. TRUE))
  107. {
  108. return(SEC_E_SECPKG_NOT_FOUND);
  109. }
  111. //
  112. // The credential handle is the logon id
  113. //
  115. if (fCredentialUse & SECPKG_CRED_OUTBOUND)
  116. {
  117. if (pvLogonId != NULL)
  118. {
  119. *phCredential = *(PCredHandle) pvLogonId;
  120. }
  121. else
  122. {
  123. return(SEC_E_UNKNOWN_CREDENTIALS);
  124. }
  126. }
  127. else if (fCredentialUse & SECPKG_CRED_INBOUND)
  128. {
  129. //
  130. // For inbound credentials, we will accept a logon id but
  131. // we don't require it.
  132. //
  134. if (pvLogonId != NULL)
  135. {
  136. *phCredential = *(PCredHandle) pvLogonId;
  137. }
  138. else
  139. {
  140. *phCredential = NullCredential;
  141. }
  143. }
  144. else
  145. {
  146. return(SEC_E_UNSUPPORTED_FUNCTION);
  147. }
  150. return(SEC_E_OK);
  152. }
  156. //+-------------------------------------------------------------------------
  157. //
  158. // Function: FreeCredentialsHandle
  159. //
  160. // Synopsis:
  161. //
  162. // Effects:
  163. //
  164. // Arguments:
  165. //
  166. // Requires:
  167. //
  168. // Returns:
  169. //
  170. // Notes:
  171. //
  172. //
  173. //--------------------------------------------------------------------------
  176. SECURITY_STATUS SEC_ENTRY
  177. FreeCredentialsHandle(
  178. PCredHandle phCredential // Handle to free
  179. )
  180. {
  181. PAGED_CODE();
  183. //
  184. // Since the credential handle is just the LogonId, do nothing.
  185. //
  187. return(SEC_E_OK);
  188. }
  191. VOID
  192. PutString(
  193. OUT PSTRING Destination,
  194. IN PSTRING Source,
  195. IN PVOID Base,
  196. IN OUT PUCHAR * Where
  197. )
  198. {
  199. Destination->Buffer = (PCHAR) *Where - (ULONG) Base;
  200. Destination->Length =
  201. Source->Length;
  202. Destination->MaximumLength =
  203. Source->Length;
  205. RtlCopyMemory(
  206. *Where,
  207. Source->Buffer,
  208. Source->Length
  209. );
  210. *Where += Source->Length;
  211. }
  214. //+-------------------------------------------------------------------------
  215. //
  216. // Function: InitializeSecurityContextW
  217. //
  218. // Synopsis:
  219. //
  220. // Effects:
  221. //
  222. // Arguments:
  223. //
  224. // Requires:
  225. //
  226. // Returns:
  227. //
  228. // Notes:
  229. //
  230. //
  231. //--------------------------------------------------------------------------
  234. SECURITY_STATUS SEC_ENTRY
  235. InitializeSecurityContextW(
  236. PCredHandle phCredential, // Cred to base context
  237. PCtxtHandle phContext, // Existing context (OPT)
  238. PSECURITY_STRING pssTargetName, // Name of target
  239. unsigned long fContextReq, // Context Requirements
  240. unsigned long Reserved1, // Reserved, MBZ
  241. unsigned long TargetDataRep, // Data rep of target
  242. PSecBufferDesc pInput, // Input Buffers
  243. unsigned long Reserved2, // Reserved, MBZ
  244. PCtxtHandle phNewContext, // (out) New Context handle
  245. PSecBufferDesc pOutput, // (inout) Output Buffers
  246. unsigned long SEC_FAR * pfContextAttr, // (out) Context attrs
  247. PTimeStamp ptsExpiry // (out) Life span (OPT)
  248. )
  249. {
  250. SECURITY_STATUS scRet;
  251. PMSV1_0_GETCHALLENRESP_REQUEST ChallengeRequest = NULL;
  252. ULONG ChallengeRequestSize;
  253. PMSV1_0_GETCHALLENRESP_RESPONSE ChallengeResponse = NULL;
  254. ULONG ChallengeResponseSize;
  255. PCHALLENGE_MESSAGE ChallengeMessage = NULL;
  256. ULONG ChallengeMessageSize;
  257. PNTLM_CHALLENGE_MESSAGE NtlmChallengeMessage = NULL;
  258. ULONG NtlmChallengeMessageSize;
  259. PAUTHENTICATE_MESSAGE AuthenticateMessage = NULL;
  260. ULONG AuthenticateMessageSize;
  261. PNTLM_INITIALIZE_RESPONSE NtlmInitializeResponse = NULL;
  262. PClient Client = NULL;
  263. UNICODE_STRING PasswordToUse;
  264. UNICODE_STRING UserNameToUse;
  265. UNICODE_STRING DomainNameToUse;
  266. ULONG ParameterControl = USE_PRIMARY_PASSWORD |
  267. RETURN_PRIMARY_USERNAME |
  268. RETURN_PRIMARY_LOGON_DOMAINNAME;
  270. NTSTATUS FinalStatus = STATUS_SUCCESS;
  271. PUCHAR Where;
  272. PSecBuffer AuthenticationToken = NULL;
  273. PSecBuffer InitializeResponseToken = NULL;
  274. BOOLEAN UseSuppliedCreds = FALSE;
  277. PAGED_CODE();
  279. RtlInitUnicodeString(
  280. &PasswordToUse,
  281. NULL
  282. );
  284. RtlInitUnicodeString(
  285. &UserNameToUse,
  286. NULL
  287. );
  289. RtlInitUnicodeString(
  290. &DomainNameToUse,
  291. NULL
  292. );
  294. //
  295. // Check for valid sizes, pointers, etc.:
  296. //
  299. if (!phCredential)
  300. {
  301. return(SEC_E_INVALID_HANDLE);
  302. }
  305. //
  306. // Check that we can indeed call the LSA and get the client
  307. // handle to it.
  308. //
  310. scRet = IsOkayToExec(&Client);
  311. if (!NT_SUCCESS(scRet))
  312. {
  313. return(scRet);
  314. }
  316. //
  317. // Locate the buffers with the input data
  318. //
  320. if (!GetTokenBuffer(
  321. pInput,
  322. 0, // get the first security token
  323. (PVOID *) &ChallengeMessage,
  324. &ChallengeMessageSize,
  325. TRUE // may be readonly
  326. ))
  327. {
  328. scRet = SEC_E_INVALID_TOKEN;
  329. goto Cleanup;
  330. }
  332. //
  333. // If we are using supplied creds, get them now too.
  334. //
  337. if (fContextReq & ISC_REQ_USE_SUPPLIED_CREDS)
  338. {
  339. if (!GetTokenBuffer(
  340. pInput,
  341. 1, // get the second security token
  342. (PVOID *) &NtlmChallengeMessage,
  343. &NtlmChallengeMessageSize,
  344. TRUE // may be readonly
  345. ))
  346. {
  347. scRet = SEC_E_INVALID_TOKEN;
  348. goto Cleanup;
  349. }
  350. else
  351. {
  352. UseSuppliedCreds = TRUE;
  353. }
  355. }
  357. //
  358. // Get the output tokens
  359. //
  361. if (!GetSecurityToken(
  362. pOutput,
  363. 0,
  364. &AuthenticationToken) ||
  365. !GetSecurityToken(
  366. pOutput,
  367. 1,
  368. &InitializeResponseToken ) )
  369. {
  370. scRet = SEC_E_INVALID_TOKEN;
  371. goto Cleanup;
  372. }
  374. //
  375. // Make sure the sizes are o.k.
  376. //
  378. if ((ChallengeMessageSize < sizeof(CHALLENGE_MESSAGE)) ||
  379. (UseSuppliedCreds &&
  380. !(NtlmChallengeMessageSize < sizeof(NTLM_CHALLENGE_MESSAGE))))
  381. {
  382. scRet = SEC_E_INVALID_TOKEN;
  383. }
  385. //
  386. // Make sure the caller wants us to allocate memory:
  387. //
  389. if (!(fContextReq & ISC_REQ_ALLOCATE_MEMORY))
  390. {
  391. scRet = SEC_E_UNSUPPORTED_FUNCTION;
  392. goto Cleanup;
  393. }
  395. //
  396. // BUGBUG: allow calls requesting PROMPT_FOR_CREDS to go through.
  397. // We won't prompt, but we will setup a context properly.
  398. //
  400. // if ((fContextReq & ISC_REQ_PROMPT_FOR_CREDS) != 0)
  401. // {
  402. // scRet = SEC_E_UNSUPPORTED_FUNCTION;
  403. // goto Cleanup;
  404. // }
  406. //
  407. // Verify the validity of the challenge message.
  408. //
  410. if (strncmp(
  411. ChallengeMessage->Signature,
  412. NTLMSSP_SIGNATURE,
  413. sizeof(NTLMSSP_SIGNATURE)))
  414. {
  415. scRet = SEC_E_INVALID_TOKEN;
  416. goto Cleanup;
  417. }
  419. if (ChallengeMessage->MessageType != NtLmChallenge)
  420. {
  421. scRet = SEC_E_INVALID_TOKEN;
  422. goto Cleanup;
  423. }
  425. if (ChallengeMessage->NegotiateFlags & NTLMSSP_REQUIRED_NEGOTIATE_FLAGS !=
  426. NTLMSSP_REQUIRED_NEGOTIATE_FLAGS)
  427. {
  428. scRet = SEC_E_UNSUPPORTED_FUNCTION;
  429. goto Cleanup;
  430. }
  432. if ((ChallengeMessage->NegotiateFlags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY) != 0)
  433. {
  434. ParameterControl |= RETURN_NON_NT_USER_SESSION_KEY;
  435. }
  437. if ((fContextReq & ISC_REQ_USE_SUPPLIED_CREDS) != 0)
  438. {
  439. if ( NtlmChallengeMessage->Password.Buffer != NULL)
  440. {
  441. ParameterControl &= ~USE_PRIMARY_PASSWORD;
  442. PasswordToUse = NtlmChallengeMessage->Password;
  443. PasswordToUse.Buffer = (LPWSTR) ((PCHAR) PasswordToUse.Buffer +
  444. (ULONG) NtlmChallengeMessage);
  445. }
  447. if (NtlmChallengeMessage->UserName.Length != 0)
  448. {
  449. UserNameToUse = NtlmChallengeMessage->UserName;
  450. UserNameToUse.Buffer = (LPWSTR) ((PCHAR) UserNameToUse.Buffer +
  451. (ULONG) NtlmChallengeMessage);
  452. ParameterControl &= ~RETURN_PRIMARY_USERNAME;
  453. }
  454. if (NtlmChallengeMessage->DomainName.Length != 0)
  455. {
  456. DomainNameToUse = NtlmChallengeMessage->DomainName;
  457. DomainNameToUse.Buffer = (LPWSTR) ((PCHAR) DomainNameToUse.Buffer +
  458. (ULONG) NtlmChallengeMessage);
  459. ParameterControl &= ~RETURN_PRIMARY_LOGON_DOMAINNAME;
  460. }
  462. }
  464. //
  465. // Package up the parameter for a call to the LSA.
  466. //
  468. ChallengeRequestSize = sizeof(MSV1_0_GETCHALLENRESP_REQUEST) +
  469. PasswordToUse.Length;
  471. scRet = ZwAllocateVirtualMemory(
  472. NtCurrentProcess(),
  473. &ChallengeRequest,
  474. 0L,
  475. &ChallengeRequestSize,
  476. MEM_COMMIT,
  477. PAGE_READWRITE
  478. );
  479. if (!NT_SUCCESS(scRet))
  480. {
  481. goto Cleanup;
  482. }
  485. //
  486. // Build the challenge request message.
  487. //
  489. ChallengeRequest->MessageType = MsV1_0Lm20GetChallengeResponse;
  490. ChallengeRequest->ParameterControl = ParameterControl;
  491. ChallengeRequest->LogonId = * (PLUID) phCredential;
  492. RtlCopyMemory(
  493. ChallengeRequest->ChallengeToClient,
  494. ChallengeMessage->Challenge,
  495. MSV1_0_CHALLENGE_LENGTH
  496. );
  497. if ((ParameterControl & USE_PRIMARY_PASSWORD) == 0)
  498. {
  499. ChallengeRequest->Password.Buffer = (LPWSTR) (ChallengeRequest+1);
  500. RtlCopyMemory(
  501. ChallengeRequest->Password.Buffer,
  502. PasswordToUse.Buffer,
  503. PasswordToUse.Length
  504. );
  505. ChallengeRequest->Password.Length = PasswordToUse.Length;
  506. ChallengeRequest->Password.MaximumLength = PasswordToUse.Length;
  507. }
  509. //
  510. // Call the LSA to get the challenge response.
  511. //
  513. scRet = LsaCallAuthenticationPackage(
  514. Client->hPort,
  515. PackageId,
  516. ChallengeRequest,
  517. ChallengeRequestSize,
  518. &ChallengeResponse,
  519. &ChallengeResponseSize,
  520. &FinalStatus
  521. );
  522. if (!NT_SUCCESS(scRet))
  523. {
  524. goto Cleanup;
  525. }
  526. if (!NT_SUCCESS(FinalStatus))
  527. {
  528. scRet = FinalStatus;
  529. goto Cleanup;
  530. }
  532. ASSERT(ChallengeResponse->MessageType == MsV1_0Lm20GetChallengeResponse);
  533. //
  534. // Now prepare the output message.
  535. //
  537. if (UserNameToUse.Buffer == NULL)
  538. {
  539. UserNameToUse = ChallengeResponse->UserName;
  540. }
  541. if (DomainNameToUse.Buffer == NULL)
  542. {
  543. DomainNameToUse = ChallengeResponse->LogonDomainName;
  544. }
  546. AuthenticateMessageSize = sizeof(AUTHENTICATE_MESSAGE) +
  547. UserNameToUse.Length +
  548. DomainNameToUse.Length +
  549. ChallengeResponse->CaseSensitiveChallengeResponse.Length +
  550. ChallengeResponse->CaseInsensitiveChallengeResponse.Length;
  552. //
  553. // BUGBUG: where do I get the workstation name from?
  554. //
  556. AuthenticateMessage = (PAUTHENTICATE_MESSAGE) SecAllocate(AuthenticateMessageSize);
  557. if (AuthenticateMessage == NULL)
  558. {
  559. scRet = SEC_E_INSUFFICIENT_MEMORY;
  560. goto Cleanup;
  561. }
  563. Where = (PUCHAR) (AuthenticateMessage + 1);
  564. RtlCopyMemory(
  565. AuthenticateMessage->Signature,
  566. NTLMSSP_SIGNATURE,
  567. sizeof(NTLMSSP_SIGNATURE)
  568. );
  569. AuthenticateMessage->MessageType = NtLmAuthenticate;
  571. PutString(
  572. &AuthenticateMessage->LmChallengeResponse,
  573. &ChallengeResponse->CaseInsensitiveChallengeResponse,
  574. AuthenticateMessage,
  575. &Where
  576. );
  578. PutString(
  579. &AuthenticateMessage->NtChallengeResponse,
  580. &ChallengeResponse->CaseSensitiveChallengeResponse,
  581. AuthenticateMessage,
  582. &Where
  583. );
  585. PutString(
  586. &AuthenticateMessage->DomainName,
  587. (PSTRING) &DomainNameToUse,
  588. AuthenticateMessage,
  589. &Where
  590. );
  592. PutString(
  593. &AuthenticateMessage->UserName,
  594. (PSTRING) &UserNameToUse,
  595. AuthenticateMessage,
  596. &Where
  597. );
  599. //
  600. // BUGBUG: no workstation name to fill in.
  601. //
  603. AuthenticateMessage->Workstation.Length = 0;
  604. AuthenticateMessage->Workstation.MaximumLength = 0;
  605. AuthenticateMessage->Workstation.Buffer = NULL;
  608. //
  609. // Build the initialize response.
  610. //
  612. NtlmInitializeResponse = (PNTLM_INITIALIZE_RESPONSE) SecAllocate(sizeof(NTLM_INITIALIZE_RESPONSE));
  613. if (NtlmInitializeResponse == NULL)
  614. {
  615. scRet = SEC_E_INSUFFICIENT_MEMORY;
  616. goto Cleanup;
  617. }
  620. RtlCopyMemory(
  621. NtlmInitializeResponse->UserSessionKey,
  622. ChallengeResponse->UserSessionKey,
  623. MSV1_0_USER_SESSION_KEY_LENGTH
  624. );
  626. RtlCopyMemory(
  627. NtlmInitializeResponse->LanmanSessionKey,
  628. ChallengeResponse->LanmanSessionKey,
  629. MSV1_0_LANMAN_SESSION_KEY_LENGTH
  630. );
  632. //
  633. // Fill in the output buffers now.
  634. //
  636. AuthenticationToken->pvBuffer = AuthenticateMessage;
  637. AuthenticationToken->cbBuffer = AuthenticateMessageSize;
  638. InitializeResponseToken->pvBuffer = NtlmInitializeResponse;
  639. InitializeResponseToken->cbBuffer = sizeof(NTLM_INITIALIZE_RESPONSE);
  642. //
  643. // Make a local context for this
  644. //
  646. scRet = NtlmInitKernelContext(
  647. NtlmInitializeResponse->UserSessionKey,
  648. NtlmInitializeResponse->LanmanSessionKey,
  649. NULL, // no token,
  650. phNewContext
  651. );
  653. if (!NT_SUCCESS(scRet))
  654. {
  655. goto Cleanup;
  656. }
  657. scRet = SEC_E_OK;
  662. Cleanup:
  664. if (ChallengeRequest != NULL)
  665. {
  666. ZwFreeVirtualMemory(
  667. NtCurrentProcess(),
  668. &ChallengeRequest,
  669. &ChallengeRequestSize,
  670. MEM_RELEASE
  671. );
  672. }
  674. if (ChallengeResponse != NULL)
  675. {
  676. LsaFreeReturnBuffer( ChallengeResponse );
  677. }
  679. if (!NT_SUCCESS(scRet))
  680. {
  681. if (AuthenticateMessage != NULL)
  682. {
  683. SecFree(AuthenticateMessage);
  684. }
  685. if (NtlmInitializeResponse != NULL)
  686. {
  687. SecFree(NtlmInitializeResponse);
  688. }
  689. }
  690. return(scRet);
  691. }
  695. //+-------------------------------------------------------------------------
  696. //
  697. // Function: AcceptSecurityContext
  698. //
  699. // Synopsis:
  700. //
  701. // Effects:
  702. //
  703. // Arguments:
  704. //
  705. // Requires:
  706. //
  707. // Returns:
  708. //
  709. // Notes:
  710. //
  711. //
  712. //--------------------------------------------------------------------------
  715. SECURITY_STATUS SEC_ENTRY
  716. AcceptSecurityContext(
  717. PCredHandle phCredential, // Cred to base context
  718. PCtxtHandle phContext, // Existing context (OPT)
  719. PSecBufferDesc pInput, // Input buffer
  720. unsigned long fContextReq, // Context Requirements
  721. unsigned long TargetDataRep, // Target Data Rep
  722. PCtxtHandle phNewContext, // (out) New context handle
  723. PSecBufferDesc pOutput, // (inout) Output buffers
  724. unsigned long SEC_FAR * pfContextAttr, // (out) Context attributes
  725. PTimeStamp ptsExpiry // (out) Life span (OPT)
  726. )
  727. {
  728. SECURITY_STATUS scRet;
  729. NTSTATUS SubStatus;
  730. PAUTHENTICATE_MESSAGE AuthenticateMessage;
  731. ULONG AuthenticateMessageSize;
  732. PNTLM_AUTHENTICATE_MESSAGE NtlmAuthenticateMessage;
  733. ULONG NtlmAuthenticateMessageSize;
  734. PNTLM_ACCEPT_RESPONSE NtlmAcceptResponse = NULL;
  735. PMSV1_0_LM20_LOGON LogonBuffer = NULL;
  736. ULONG LogonBufferSize;
  737. PMSV1_0_LM20_LOGON_PROFILE LogonProfile = NULL;
  738. ULONG LogonProfileSize;
  739. PSecBuffer AcceptResponseToken = NULL;
  740. PClient Client = NULL;
  741. ANSI_STRING SourceName;
  742. LUID LogonId;
  743. LUID UNALIGNED * TempLogonId;
  744. LARGE_INTEGER UNALIGNED * TempKickoffTime;
  745. HANDLE TokenHandle = NULL;
  746. QUOTA_LIMITS Quotas;
  747. PUCHAR Where;
  748. STRING DomainName;
  749. STRING UserName;
  750. STRING Workstation;
  751. STRING NtChallengeResponse;
  752. STRING LmChallengeResponse;
  753. ULONG EffectivePackageId;
  756. RtlInitString(
  757. &SourceName,
  758. NULL
  759. );
  761. PAGED_CODE();
  763. //
  764. // Check for valid sizes, pointers, etc.:
  765. //
  768. if (!phCredential)
  769. {
  770. return(SEC_E_INVALID_HANDLE);
  771. }
  774. //
  775. // Check that we can indeed call the LSA and get the client
  776. // handle to it.
  777. //
  779. scRet = IsOkayToExec(&Client);
  780. if (!NT_SUCCESS(scRet))
  781. {
  782. return(scRet);
  783. }
  785. //
  786. // Locate the buffers with the input data
  787. //
  789. if (!GetTokenBuffer(
  790. pInput,
  791. 0, // get the first security token
  792. (PVOID *) &AuthenticateMessage,
  793. &AuthenticateMessageSize,
  794. TRUE // may be readonly
  795. ) ||
  796. (!GetTokenBuffer(
  797. pInput,
  798. 1, // get the second security token
  799. (PVOID *) &NtlmAuthenticateMessage,
  800. &NtlmAuthenticateMessageSize,
  801. TRUE // may be readonly
  802. )))
  803. {
  804. scRet = SEC_E_INVALID_TOKEN;
  805. goto Cleanup;
  806. }
  808. //
  809. // Get the output tokens
  810. //
  812. if (!GetSecurityToken(
  813. pOutput,
  814. 0,
  815. &AcceptResponseToken ) )
  816. {
  817. scRet = SEC_E_INVALID_TOKEN;
  818. goto Cleanup;
  819. }
  821. //
  822. // Make sure the sizes are o.k.
  823. //
  825. if ((AuthenticateMessageSize < sizeof(AUTHENTICATE_MESSAGE)) ||
  826. (NtlmAuthenticateMessageSize < sizeof(NTLM_AUTHENTICATE_MESSAGE)))
  827. {
  828. scRet = SEC_E_INVALID_TOKEN;
  829. }
  831. //
  832. // Make sure the caller does not want us to allocate memory:
  833. //
  835. if (fContextReq & ISC_REQ_ALLOCATE_MEMORY)
  836. {
  837. scRet = SEC_E_UNSUPPORTED_FUNCTION;
  838. goto Cleanup;
  839. }
  841. if (AcceptResponseToken->cbBuffer < sizeof(NTLM_ACCEPT_RESPONSE))
  842. {
  843. scRet = SEC_E_INVALID_TOKEN;
  844. goto Cleanup;
  845. }
  848. //
  849. // Verify the validity of the Authenticate message.
  850. //
  852. if (strncmp(
  853. AuthenticateMessage->Signature,
  854. NTLMSSP_SIGNATURE,
  855. sizeof(NTLMSSP_SIGNATURE)))
  856. {
  857. scRet = SEC_E_INVALID_TOKEN;
  858. goto Cleanup;
  859. }
  861. if (AuthenticateMessage->MessageType != NtLmAuthenticate)
  862. {
  863. scRet = SEC_E_INVALID_TOKEN;
  864. goto Cleanup;
  865. }
  867. //
  868. // Fixup the buffer pointers
  869. //
  871. UserName = AuthenticateMessage->UserName;
  872. UserName.Buffer = UserName.Buffer + (ULONG) AuthenticateMessage;
  874. DomainName = AuthenticateMessage->DomainName;
  875. DomainName.Buffer = DomainName.Buffer + (ULONG) AuthenticateMessage;
  877. Workstation = AuthenticateMessage->Workstation;
  878. Workstation.Buffer = Workstation.Buffer + (ULONG) AuthenticateMessage;
  880. NtChallengeResponse = AuthenticateMessage->NtChallengeResponse;
  881. NtChallengeResponse.Buffer = NtChallengeResponse.Buffer + (ULONG) AuthenticateMessage;
  883. LmChallengeResponse = AuthenticateMessage->LmChallengeResponse;
  884. LmChallengeResponse.Buffer = LmChallengeResponse.Buffer + (ULONG) AuthenticateMessage;
  886. //
  887. // Allocate a buffer to pass into LsaLogonUser
  888. //
  890. LogonBufferSize = sizeof(MSV1_0_LM20_LOGON) +
  891. UserName.Length +
  892. DomainName.Length +
  893. Workstation.Length +
  894. LmChallengeResponse.Length +
  895. NtChallengeResponse.Length;
  897. scRet = ZwAllocateVirtualMemory(
  898. NtCurrentProcess(),
  899. &LogonBuffer,
  900. 0L,
  901. &LogonBufferSize,
  902. MEM_COMMIT,
  903. PAGE_READWRITE
  904. );
  906. if (!NT_SUCCESS(scRet))
  907. {
  908. goto Cleanup;
  909. }
  911. //
  912. // Fill in the fixed-length portions
  913. //
  915. LogonBuffer->MessageType = MsV1_0NetworkLogon;
  917. RtlCopyMemory(
  918. LogonBuffer->ChallengeToClient,
  919. NtlmAuthenticateMessage->ChallengeToClient,
  920. MSV1_0_CHALLENGE_LENGTH
  921. );
  923. //
  924. // Fill in the variable length pieces
  925. //
  927. Where = (PUCHAR) (LogonBuffer + 1);
  929. PutString(
  930. (PSTRING) &LogonBuffer->LogonDomainName,
  931. &DomainName,
  932. 0,
  933. &Where
  934. );
  936. PutString(
  937. (PSTRING) &LogonBuffer->UserName,
  938. &UserName,
  939. 0,
  940. &Where
  941. );
  943. PutString(
  944. (PSTRING) &LogonBuffer->Workstation,
  945. &Workstation,
  946. 0,
  947. &Where
  948. );
  950. PutString(
  951. (PSTRING) &LogonBuffer->CaseSensitiveChallengeResponse,
  952. &NtChallengeResponse,
  953. 0,
  954. &Where
  955. );
  957. PutString(
  958. (PSTRING) &LogonBuffer->CaseInsensitiveChallengeResponse,
  959. &LmChallengeResponse,
  960. 0,
  961. &Where
  962. );
  964. LogonBuffer->ParameterControl = MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
  965. NtlmAuthenticateMessage->ParameterControl;
  967. scRet = RtlUnicodeStringToAnsiString(
  968. &SourceName,
  969. (PUNICODE_STRING) &Workstation,
  970. TRUE
  971. );
  973. if (!NT_SUCCESS(scRet))
  974. {
  975. goto Cleanup;
  976. }
  978. if ( fContextReq & ASC_REQ_LICENSING )
  979. {
  980. EffectivePackageId = PackageId | LSA_CALL_LICENSE_SERVER ;
  981. }
  982. else
  983. {
  984. EffectivePackageId = PackageId ;
  985. }
  987. scRet = LsaLogonUser(
  988. Client->hPort,
  989. &SourceName,
  990. Network,
  991. EffectivePackageId,
  992. LogonBuffer,
  993. LogonBufferSize,
  994. NULL, // token groups
  995. &KsecTokenSource,
  996. (PVOID *) &LogonProfile,
  997. &LogonProfileSize,
  998. &LogonId,
  999. &TokenHandle,
  1000. &Quotas,
  1001. &SubStatus
  1002. );
  1004. if (scRet == STATUS_ACCOUNT_RESTRICTION)
  1005. {
  1006. scRet = SubStatus;
  1007. }
  1008. if (!NT_SUCCESS(scRet))
  1009. {
  1010. //
  1011. // LsaLogonUser returns garbage for the token if it fails,
  1012. // so zero it now so we don't try to close it later.
  1013. //
  1015. TokenHandle = NULL;
  1016. goto Cleanup;
  1017. }
  1019. //
  1020. // Create the kernel context
  1021. //
  1023. scRet = NtlmInitKernelContext(
  1024. LogonProfile->UserSessionKey,
  1025. LogonProfile->LanmanSessionKey,
  1026. TokenHandle,
  1027. phNewContext
  1028. );
  1030. if (!NT_SUCCESS(scRet))
  1031. {
  1032. goto Cleanup;
  1033. }
  1035. TokenHandle = NULL;
  1037. //
  1038. // Allocate the return buffer.
  1039. //
  1042. NtlmAcceptResponse = (PNTLM_ACCEPT_RESPONSE) AcceptResponseToken->pvBuffer;
  1043. if (NtlmAcceptResponse == NULL)
  1044. {
  1045. scRet = SEC_E_INSUFFICIENT_MEMORY;
  1046. goto Cleanup;
  1047. }
  1049. TempLogonId = (LUID UNALIGNED *) &NtlmAcceptResponse->LogonId;
  1050. *TempLogonId = LogonId;
  1051. NtlmAcceptResponse->UserFlags = LogonProfile->UserFlags;
  1053. RtlCopyMemory(
  1054. NtlmAcceptResponse->UserSessionKey,
  1055. LogonProfile->UserSessionKey,
  1056. MSV1_0_USER_SESSION_KEY_LENGTH
  1057. );
  1059. RtlCopyMemory(
  1060. NtlmAcceptResponse->LanmanSessionKey,
  1061. LogonProfile->LanmanSessionKey,
  1062. MSV1_0_LANMAN_SESSION_KEY_LENGTH
  1063. );
  1065. TempKickoffTime = (LARGE_INTEGER UNALIGNED *) &NtlmAcceptResponse->KickoffTime;
  1066. *TempKickoffTime = LogonProfile->KickOffTime;
  1068. AcceptResponseToken->cbBuffer = sizeof(NTLM_ACCEPT_RESPONSE);
  1070. if ( fContextReq & ASC_REQ_LICENSING )
  1071. {
  1072. *pfContextAttr = ASC_RET_ALLOCATED_MEMORY | ASC_RET_LICENSING ;
  1073. }
  1074. else
  1075. {
  1076. *pfContextAttr = ASC_RET_ALLOCATED_MEMORY;
  1077. }
  1079. *ptsExpiry = LogonProfile->LogoffTime;
  1080. scRet = SEC_E_OK;
  1083. Cleanup:
  1084. if (SourceName.Buffer != NULL)
  1085. {
  1086. RtlFreeAnsiString(&SourceName);
  1087. }
  1089. if (LogonBuffer != NULL)
  1090. {
  1091. ZwFreeVirtualMemory(
  1092. NtCurrentProcess(),
  1093. &LogonBuffer,
  1094. &LogonBufferSize,
  1095. MEM_RELEASE
  1096. );
  1097. }
  1099. if (LogonProfile != NULL)
  1100. {
  1101. LsaFreeReturnBuffer(LogonProfile);
  1102. }
  1105. if (TokenHandle != NULL)
  1106. {
  1107. NtClose(TokenHandle);
  1108. }
  1110. return(scRet);
  1112. }
  1119. //+-------------------------------------------------------------------------
  1120. //
  1121. // Function: DeleteSecurityContext
  1122. //
  1123. // Synopsis:
  1124. //
  1125. // Effects:
  1126. //
  1127. // Arguments:
  1128. //
  1129. // Requires:
  1130. //
  1131. // Returns:
  1132. //
  1133. // Notes:
  1134. //
  1135. //
  1136. //--------------------------------------------------------------------------
  1139. SECURITY_STATUS SEC_ENTRY
  1140. DeleteSecurityContext(
  1141. PCtxtHandle phContext // Context to delete
  1142. )
  1143. {
  1144. SECURITY_STATUS scRet;
  1146. PAGED_CODE();
  1148. // For now, just delete the LSA context:
  1150. if (!phContext)
  1151. {
  1152. return(SEC_E_INVALID_HANDLE);
  1153. }
  1155. scRet = NtlmDeleteKernelContext(phContext);
  1158. return(scRet);
  1160. }
  1164. //+-------------------------------------------------------------------------
  1165. //
  1166. // Function: ApplyControlToken
  1167. //
  1168. // Synopsis:
  1169. //
  1170. // Effects:
  1171. //
  1172. // Arguments:
  1173. //
  1174. // Requires:
  1175. //
  1176. // Returns:
  1177. //
  1178. // Notes:
  1179. //
  1180. //
  1181. //--------------------------------------------------------------------------
  1184. SECURITY_STATUS SEC_ENTRY
  1185. ApplyControlToken(
  1186. PCtxtHandle phContext, // Context to modify
  1187. PSecBufferDesc pInput // Input token to apply
  1188. )
  1189. {
  1190. PAGED_CODE();
  1194. return(SEC_E_UNSUPPORTED_FUNCTION);
  1197. }
  1202. //+-------------------------------------------------------------------------
  1203. //
  1204. // Function: EnumerateSecurityPackagesW
  1205. //
  1206. // Synopsis:
  1207. //
  1208. // Effects:
  1209. //
  1210. // Arguments:
  1211. //
  1212. // Requires:
  1213. //
  1214. // Returns:
  1215. //
  1216. // Notes:
  1217. //
  1218. //
  1219. //--------------------------------------------------------------------------
  1223. SECURITY_STATUS SEC_ENTRY
  1224. EnumerateSecurityPackagesW(
  1225. unsigned long SEC_FAR * pcPackages, // Receives num. packages
  1226. PSecPkgInfo SEC_FAR * ppPackageInfo // Receives array of info
  1227. )
  1228. {
  1229. ULONG PackageInfoSize;
  1230. PSecPkgInfoW PackageInfo = NULL;
  1231. PUCHAR Where;
  1233. PAGED_CODE();
  1235. //
  1236. // Figure out the size of the returned data
  1237. //
  1239. PackageInfoSize = sizeof(SecPkgInfoW) +
  1240. sizeof(NTLMSP_NAME) +
  1241. sizeof(NTLMSP_COMMENT);
  1243. PackageInfo = (PSecPkgInfoW) SecAllocate(PackageInfoSize);
  1245. if (PackageInfo == NULL)
  1246. {
  1247. return(SEC_E_INSUFFICIENT_MEMORY);
  1248. }
  1250. //
  1251. // Fill in the fixed length fields
  1252. //
  1254. PackageInfo->fCapabilities = SECPKG_FLAG_CONNECTION |
  1255. SECPKG_FLAG_TOKEN_ONLY;
  1256. PackageInfo->wVersion = NTLMSP_VERSION;
  1257. PackageInfo->wRPCID = NTLMSP_RPCID;
  1258. PackageInfo->cbMaxToken = NTLMSSP_MAX_MESSAGE_SIZE;
  1260. //
  1261. // Fill in the fields
  1262. //
  1264. Where = (PUCHAR) (PackageInfo+1);
  1265. PackageInfo->Name = (LPWSTR) Where;
  1266. RtlCopyMemory(
  1267. PackageInfo->Name,
  1268. NTLMSP_NAME,
  1269. sizeof(NTLMSP_NAME)
  1270. );
  1271. Where += sizeof(NTLMSP_NAME);
  1273. PackageInfo->Comment = (LPWSTR) Where;
  1274. RtlCopyMemory(
  1275. PackageInfo->Comment,
  1276. NTLMSP_COMMENT,
  1277. sizeof(NTLMSP_COMMENT)
  1278. );
  1279. Where += sizeof(NTLMSP_COMMENT);
  1282. *pcPackages = 1;
  1283. *ppPackageInfo = PackageInfo;
  1284. return(SEC_E_OK);
  1285. }
  1289. //+-------------------------------------------------------------------------
  1290. //
  1291. // Function: QuerySecurityPackageInfoW
  1292. //
  1293. // Synopsis:
  1294. //
  1295. // Effects:
  1296. //
  1297. // Arguments:
  1298. //
  1299. // Requires:
  1300. //
  1301. // Returns:
  1302. //
  1303. // Notes:
  1304. //
  1305. //
  1306. //--------------------------------------------------------------------------
  1309. SECURITY_STATUS SEC_ENTRY
  1310. QuerySecurityPackageInfoW(
  1311. PSECURITY_STRING pssPackageName, // Name of package
  1312. PSecPkgInfo * ppPackageInfo // Receives package info
  1313. )
  1314. {
  1316. UNICODE_STRING PackageName;
  1317. ULONG PackageCount;
  1319. PAGED_CODE();
  1321. RtlInitUnicodeString(
  1322. &PackageName,
  1323. NTLMSP_NAME
  1324. );
  1327. if (!RtlEqualUnicodeString(
  1328. pssPackageName,
  1329. &PackageName,
  1330. TRUE // case insensitive
  1331. ))
  1332. {
  1333. return(SEC_E_SECPKG_NOT_FOUND);
  1334. }
  1336. return(EnumerateSecurityPackages(&PackageCount,ppPackageInfo));
  1338. }
  1345. //+-------------------------------------------------------------------------
  1346. //
  1347. // Function: FreeContextBuffer
  1348. //
  1349. // Synopsis:
  1350. //
  1351. // Effects:
  1352. //
  1353. // Arguments:
  1354. //
  1355. // Requires:
  1356. //
  1357. // Returns:
  1358. //
  1359. // Notes:
  1360. //
  1361. //
  1362. //--------------------------------------------------------------------------
  1364. SECURITY_STATUS SEC_ENTRY
  1365. FreeContextBuffer(
  1366. void SEC_FAR * pvContextBuffer
  1367. )
  1368. {
  1369. PAGED_CODE();
  1371. SecFree(pvContextBuffer);
  1373. return(SEC_E_OK);
  1374. }
  1377. //+-------------------------------------------------------------------------
  1378. //
  1379. // Function: GetSecurityUserData
  1380. //
  1381. // Synopsis: retrieves information about a logged on user.
  1382. //
  1383. // Effects: allocates memory to be freed with FreeContextBuffer
  1384. //
  1385. // Arguments: pLogonId - Logon id of the user in question
  1386. // fFlags - Indicates whether the caller want Cairo style names
  1387. // or NT styles names. For NT, this is ignored.
  1388. // ppUserInfo - Recieves information about user
  1389. //
  1390. // Requires:
  1391. //
  1392. // Returns:
  1393. //
  1394. // Notes:
  1395. //
  1396. //
  1397. //--------------------------------------------------------------------------
  1400. SECURITY_STATUS SEC_ENTRY
  1401. GetSecurityUserInfo(
  1402. IN PLUID pLogonId,
  1403. IN ULONG fFlags,
  1404. OUT PSecurityUserData * ppUserInfo)
  1405. {
  1406. NTSTATUS Status, FinalStatus;
  1407. PVOID GetInfoBuffer = NULL;
  1408. PVOID GetInfoResponseBuffer = NULL;
  1409. PMSV1_0_GETUSERINFO_REQUEST GetInfoRequest;
  1410. PMSV1_0_GETUSERINFO_RESPONSE GetInfoResponse;
  1411. ULONG ResponseSize;
  1412. ULONG RegionSize = sizeof(MSV1_0_GETUSERINFO_REQUEST);
  1413. PSecurityUserData UserInfo = NULL;
  1414. ULONG UserInfoSize;
  1415. PUCHAR Where;
  1416. SECURITY_STATUS scRet;
  1417. PClient Client = NULL;
  1420. scRet = IsOkayToExec(&Client);
  1421. if (!NT_SUCCESS(scRet))
  1422. {
  1423. return(scRet);
  1424. }
  1426. //
  1427. // Allocate virtual memory for the response buffer.
  1428. //
  1430. Status = ZwAllocateVirtualMemory(
  1431. NtCurrentProcess(),
  1432. &GetInfoBuffer, 0L,
  1433. &RegionSize,
  1434. MEM_COMMIT,
  1435. PAGE_READWRITE
  1436. );
  1438. GetInfoRequest = GetInfoBuffer;
  1440. if (!NT_SUCCESS(Status)) {
  1441. scRet = Status;
  1442. goto Cleanup;
  1443. }
  1445. GetInfoRequest->MessageType = MsV1_0GetUserInfo;
  1447. RtlCopyLuid(&GetInfoRequest->LogonId, pLogonId);
  1449. Status = LsaCallAuthenticationPackage(
  1450. Client->hPort,
  1451. PackageId,
  1452. GetInfoRequest,
  1453. RegionSize,
  1454. &GetInfoResponseBuffer,
  1455. &ResponseSize,
  1456. &FinalStatus);
  1458. GetInfoResponse = GetInfoResponseBuffer;
  1460. if (!NT_SUCCESS(Status)) {
  1461. GetInfoResponseBuffer = NULL;
  1462. scRet = Status;
  1463. goto Cleanup;
  1464. }
  1467. if (!NT_SUCCESS(FinalStatus)) {
  1468. scRet = FinalStatus;
  1469. goto Cleanup;
  1470. }
  1472. ASSERT(GetInfoResponse->MessageType == MsV1_0GetUserInfo);
  1474. //
  1475. // Build a SecurityUserData
  1476. //
  1478. UserInfoSize = sizeof(SecurityUserData) +
  1479. GetInfoResponse->UserName.MaximumLength +
  1480. GetInfoResponse->LogonDomainName.MaximumLength +
  1481. GetInfoResponse->LogonServer.MaximumLength +
  1482. RtlLengthSid(GetInfoResponse->UserSid);
  1486. scRet = ZwAllocateVirtualMemory(
  1487. NtCurrentProcess(),
  1488. &UserInfo,
  1489. 0L,
  1490. &UserInfoSize,
  1491. MEM_COMMIT,
  1492. PAGE_READWRITE
  1493. );
  1494. if (!NT_SUCCESS(scRet))
  1495. {
  1496. goto Cleanup;
  1497. }
  1499. //
  1500. // Pack in the SID first, to respectalignment boundaries.
  1501. //
  1503. Where = (PUCHAR) (UserInfo + 1);
  1504. UserInfo->pSid = (PSID) (Where);
  1505. RtlCopySid(
  1506. UserInfoSize,
  1507. Where,
  1508. GetInfoResponse->UserSid
  1509. );
  1510. Where += RtlLengthSid(Where);
  1512. //
  1513. // Pack in the strings
  1514. //
  1516. PutString(
  1517. (PSTRING) &UserInfo->UserName,
  1518. (PSTRING) &GetInfoResponse->UserName,
  1519. 0,
  1520. &Where
  1521. );
  1523. PutString(
  1524. (PSTRING) &UserInfo->LogonDomainName,
  1525. (PSTRING) &GetInfoResponse->LogonDomainName,
  1526. 0,
  1527. &Where
  1528. );
  1530. PutString(
  1531. (PSTRING) &UserInfo->LogonServer,
  1532. (PSTRING) &GetInfoResponse->LogonServer,
  1533. 0,
  1534. &Where
  1535. );
  1537. *ppUserInfo = UserInfo;
  1538. UserInfo = NULL;
  1539. scRet = STATUS_SUCCESS;
  1541. Cleanup:
  1542. if (GetInfoRequest != NULL)
  1543. {
  1544. ZwFreeVirtualMemory(
  1545. NtCurrentProcess(),
  1546. &GetInfoRequest,
  1547. &RegionSize,
  1548. MEM_RELEASE
  1549. );
  1551. }
  1553. if (UserInfo != NULL)
  1554. {
  1555. FreeContextBuffer(UserInfo);
  1556. }
  1558. if (GetInfoResponseBuffer != NULL)
  1559. {
  1560. LsaFreeReturnBuffer(GetInfoResponseBuffer);
  1561. }
  1563. return(scRet);
  1564. }