archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/dns/dnslib/secutil.c

805 lines
16 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1998-2001 Microsoft Corporation
  5. Module Name:
  7. secutil.c
  9. Abstract:
  11. Domain Name System (DNS) Library
  13. DNS secure update API.
  15. Author:
  17. Jim Gilroy (jamesg) January, 1998
  19. Revision History:
  21. --*/
  23. #include "local.h"
  25. // security headers
  27. //#define SECURITY_WIN32
  28. //#include "sspi.h"
  29. //#include "issperr.h"
  30. //#include "rpc.h"
  31. //#include "rpcndr.h"
  32. //#include "ntdsapi.h"
  36. //
  37. // Security utilities
  38. //
  40. DNS_STATUS
  41. Dns_CreateSecurityDescriptor(
  42. OUT PSECURITY_DESCRIPTOR * ppSD,
  43. IN DWORD AclCount,
  44. IN PSID * SidPtrArray,
  45. IN DWORD * AccessMaskArray
  46. )
  47. /*++
  49. Routine Description:
  51. Build security descriptor.
  53. Arguments:
  55. ppSD -- addr to receive SD created
  57. AclCount -- number of ACLs to add
  59. SidPtrArray -- array of SIDs to create ACLs for
  61. AccessMaskArray -- array of access masks corresponding to SIDs
  63. Return Value:
  65. ERROR_SUCCESS if successful
  66. Error code on failure.
  68. --*/
  69. {
  70. DNS_STATUS status;
  71. DWORD i;
  72. DWORD lengthAcl;
  73. PSECURITY_DESCRIPTOR psd = NULL;
  74. PACL pacl;
  76. //
  77. // calculate space for SD
  78. //
  80. lengthAcl = sizeof(ACL);
  82. for ( i=0; i<AclCount; i++ )
  83. {
  84. if ( SidPtrArray[i] && AccessMaskArray[i] )
  85. {
  86. lengthAcl += GetLengthSid( SidPtrArray[i] ) + sizeof(ACCESS_ALLOWED_ACE);
  87. }
  88. ELSE
  89. {
  90. DNS_PRINT((
  91. "ERROR: SD building with SID (%p) and mask (%p)\n",
  92. SidPtrArray[i],
  93. AccessMaskArray[i] ));
  94. }
  95. }
  97. //
  98. // allocate SD
  99. //
  101. psd = (PSECURITY_DESCRIPTOR) ALLOCATE_HEAP(
  102. SECURITY_DESCRIPTOR_MIN_LENGTH + lengthAcl );
  103. if ( !psd )
  104. {
  105. status = DNS_ERROR_NO_MEMORY;
  106. goto Failed;
  107. }
  109. DNSDBG( INIT, (
  110. "Allocated SecurityDesc at %p of length %d\n",
  111. psd,
  112. SECURITY_DESCRIPTOR_MIN_LENGTH + lengthAcl ));
  114. //
  115. // build ACL, adding ACE with desired access for each SID
  116. //
  118. pacl = (PACL) ((PBYTE)psd + SECURITY_DESCRIPTOR_MIN_LENGTH);
  120. if ( !InitializeAcl(
  121. pacl,
  122. lengthAcl,
  123. ACL_REVISION ) )
  124. {
  125. status = GetLastError();
  126. goto Failed;
  127. }
  129. for ( i=0; i<AclCount; i++ )
  130. {
  131. if ( SidPtrArray[i] && AccessMaskArray[i] )
  132. {
  133. if ( !AddAccessAllowedAce(
  134. pacl,
  135. ACL_REVISION,
  136. AccessMaskArray[i],
  137. SidPtrArray[i] ) )
  138. {
  139. status = GetLastError();
  140. DNSDBG( ANY, (
  141. "ERROR: failed adding ACE for SID %p, mask %p\n",
  142. SidPtrArray[i],
  143. AccessMaskArray[i] ));
  144. goto Failed;
  145. }
  146. }
  147. }
  149. //
  150. // setup SD with ACL
  151. //
  153. if ( !InitializeSecurityDescriptor(
  154. psd,
  155. SECURITY_DESCRIPTOR_REVISION ))
  156. {
  157. status = GetLastError();
  158. goto Failed;
  159. }
  161. if ( !SetSecurityDescriptorDacl(
  162. psd,
  163. TRUE, // ACL present
  164. pacl,
  165. FALSE // explicit ACL, not defaulted
  166. ))
  167. {
  168. status = GetLastError();
  169. goto Failed;
  170. }
  172. *ppSD = psd;
  174. return( ERROR_SUCCESS );
  177. Failed:
  179. ASSERT( status != ERROR_SUCCESS );
  180. *ppSD = NULL;
  181. FREE_HEAP( psd );
  183. return( status );
  184. }
  188. //
  189. // Credential utilities
  190. //
  192. PSEC_WINNT_AUTH_IDENTITY_W
  193. Dns_AllocateAndInitializeCredentialsW(
  194. IN PSEC_WINNT_AUTH_IDENTITY_W pAuthIn
  195. )
  196. /*++
  198. Description:
  200. Allocates auth identity info and initializes pAuthIn info
  202. Parameters:
  204. pAuthIn -- auth identity info
  206. Return:
  208. Ptr to newly create credentials.
  209. NULL on failure.
  211. --*/
  212. {
  213. PSEC_WINNT_AUTH_IDENTITY_W pauthCopy = NULL;
  215. DNSDBG( SECURITY, (
  216. "Call Dns_AllocateAndInitializeCredentialsW\n" ));
  218. if ( !pAuthIn )
  219. {
  220. return NULL;
  221. }
  222. ASSERT( pAuthIn->Flags == SEC_WINNT_AUTH_IDENTITY_UNICODE );
  224. //
  225. // allocate credentials struct
  226. // - zero for simple cleanup on subfield alloc failures
  227. //
  229. pauthCopy = ALLOCATE_HEAP_ZERO( sizeof(SEC_WINNT_AUTH_IDENTITY_W) );
  230. if ( !pauthCopy )
  231. {
  232. return NULL;
  233. }
  235. //
  236. // copy subfields
  237. //
  239. // user
  241. pauthCopy->UserLength = pAuthIn->UserLength;
  242. if ( pAuthIn->UserLength )
  243. {
  244. ASSERT( pAuthIn->UserLength == wcslen(pAuthIn->User) );
  246. pauthCopy->User = ALLOCATE_HEAP( (pAuthIn->UserLength + 1) * sizeof(WCHAR) );
  247. if ( ! pauthCopy->User )
  248. {
  249. goto Failed;
  250. }
  251. wcscpy( pauthCopy->User, pAuthIn->User );
  252. }
  254. // password
  255. // - must allow zero length password
  257. pauthCopy->PasswordLength = pAuthIn->PasswordLength;
  259. if ( pAuthIn->PasswordLength || pAuthIn->Password )
  260. {
  261. ASSERT( pAuthIn->PasswordLength == wcslen(pAuthIn->Password) );
  263. pauthCopy->Password = ALLOCATE_HEAP( (pAuthIn->PasswordLength + 1) * sizeof(WCHAR) );
  264. if ( ! pauthCopy->Password )
  265. {
  266. goto Failed;
  267. }
  268. wcscpy( pauthCopy->Password, pAuthIn->Password );
  269. }
  271. // domain
  273. pauthCopy->DomainLength = pAuthIn->DomainLength;
  274. if ( pAuthIn->DomainLength )
  275. {
  276. ASSERT( pAuthIn->DomainLength == wcslen(pAuthIn->Domain) );
  278. pauthCopy->Domain = ALLOCATE_HEAP( (pAuthIn->DomainLength + 1) * sizeof(WCHAR) );
  279. if ( ! pauthCopy->Domain )
  280. {
  281. goto Failed;
  282. }
  283. wcscpy( pauthCopy->Domain, pAuthIn->Domain );
  284. }
  286. pauthCopy->Flags = pAuthIn->Flags;
  288. DNSDBG( SECURITY, (
  289. "Exit Dns_AllocateAndInitializeCredentialsW()\n" ));
  291. return pauthCopy;
  294. Failed:
  296. // allocation failure
  297. // - cleanup what was allocated and get out
  299. Dns_FreeAuthIdentityCredentials( pauthCopy );
  300. return( NULL );
  301. }
  305. PSEC_WINNT_AUTH_IDENTITY_A
  306. Dns_AllocateAndInitializeCredentialsA(
  307. IN PSEC_WINNT_AUTH_IDENTITY_A pAuthIn
  308. )
  309. /*++
  311. Description:
  313. Allocates auth identity info and initializes pAuthIn info
  315. Note: it is more work to convert to unicode and call previous
  316. function than to call this one
  318. Parameters:
  320. pAuthIn -- auth identity info
  322. Return:
  324. Ptr to newly create credentials.
  325. NULL on failure.
  327. --*/
  328. {
  329. PSEC_WINNT_AUTH_IDENTITY_A pauthCopy = NULL;
  331. DNSDBG( SECURITY, (
  332. "Call Dns_AllocateAndInitializeCredentialsA\n" ));
  334. //
  335. // allocate credentials struct
  336. // - zero for simple cleanup on subfield alloc failures
  337. //
  339. if ( !pAuthIn )
  340. {
  341. return NULL;
  342. }
  343. ASSERT( pAuthIn->Flags == SEC_WINNT_AUTH_IDENTITY_ANSI );
  345. //
  346. // allocate credentials struct
  347. // - zero for simple cleanup on subfield alloc failures
  348. //
  350. pauthCopy = ALLOCATE_HEAP_ZERO( sizeof(SEC_WINNT_AUTH_IDENTITY_A) );
  351. if ( !pauthCopy )
  352. {
  353. return NULL;
  354. }
  356. //
  357. // copy subfields
  358. //
  360. // user
  362. pauthCopy->UserLength = pAuthIn->UserLength;
  363. if ( pAuthIn->UserLength )
  364. {
  365. ASSERT( pAuthIn->UserLength == strlen(pAuthIn->User) );
  367. pauthCopy->User = ALLOCATE_HEAP( (pAuthIn->UserLength + 1) * sizeof(CHAR) );
  368. if ( ! pauthCopy->User )
  369. {
  370. goto Failed;
  371. }
  372. strcpy( pauthCopy->User, pAuthIn->User );
  373. }
  375. // password
  376. // - must allow zero length password
  378. pauthCopy->PasswordLength = pAuthIn->PasswordLength;
  380. if ( pAuthIn->PasswordLength || pAuthIn->Password )
  381. {
  382. ASSERT( pAuthIn->PasswordLength == strlen(pAuthIn->Password) );
  384. pauthCopy->Password = ALLOCATE_HEAP( (pAuthIn->PasswordLength + 1) * sizeof(CHAR) );
  385. if ( ! pauthCopy->Password )
  386. {
  387. goto Failed;
  388. }
  389. strcpy( pauthCopy->Password, pAuthIn->Password );
  390. }
  392. // domain
  394. pauthCopy->DomainLength = pAuthIn->DomainLength;
  395. if ( pAuthIn->DomainLength )
  396. {
  397. ASSERT( pAuthIn->DomainLength == strlen(pAuthIn->Domain) );
  399. pauthCopy->Domain = ALLOCATE_HEAP( (pAuthIn->DomainLength + 1) * sizeof(CHAR) );
  400. if ( ! pauthCopy->Domain )
  401. {
  402. goto Failed;
  403. }
  404. strcpy( pauthCopy->Domain, pAuthIn->Domain );
  405. }
  407. pauthCopy->Flags = pAuthIn->Flags;
  409. DNSDBG( SECURITY, (
  410. "Exit Dns_AllocateAndInitializeCredentialsA()\n" ));
  412. return pauthCopy;
  415. Failed:
  417. // allocation failure
  418. // - cleanup what was allocated and get out
  420. Dns_FreeAuthIdentityCredentials( pauthCopy );
  421. return( NULL );
  422. }
  426. VOID
  427. Dns_FreeAuthIdentityCredentials(
  428. IN OUT PVOID pAuthIn
  429. )
  430. /*++
  432. Routine Description (Dns_FreeAuthIdentityCredentials):
  434. Free's structure given
  436. Arguments:
  438. pAuthIn -- in param to free
  440. Return Value:
  442. None
  444. --*/
  445. {
  446. register PSEC_WINNT_AUTH_IDENTITY_W pauthId;
  448. pauthId = (PSEC_WINNT_AUTH_IDENTITY_W) pAuthIn;
  449. if ( !pauthId )
  450. {
  451. return;
  452. }
  454. //
  455. // assuming _W and _A structs are equivalent except
  456. // for string types
  457. //
  459. ASSERT( sizeof( SEC_WINNT_AUTH_IDENTITY_W ) ==
  460. sizeof( SEC_WINNT_AUTH_IDENTITY_A ) );
  462. if ( pauthId->User )
  463. {
  464. FREE_HEAP ( pauthId->User );
  465. }
  466. if ( pauthId->Password )
  467. {
  468. FREE_HEAP ( pauthId->Password );
  469. }
  470. if ( pauthId->Domain )
  471. {
  472. FREE_HEAP ( pauthId->Domain );
  473. }
  475. FREE_HEAP ( pauthId );
  476. }
  480. PSEC_WINNT_AUTH_IDENTITY_W
  481. Dns_AllocateCredentials(
  482. IN PWSTR pwsUserName,
  483. IN PWSTR pwsDomain,
  484. IN PWSTR pwsPassword
  485. )
  486. /*++
  488. Description:
  490. Allocates auth identity info and initializes pAuthIn info
  492. Parameters:
  494. pwsUserName -- user name
  496. pwsDomain -- domain name
  498. pwsPassword -- password
  500. Return:
  502. Ptr to newly create credentials.
  503. NULL on failure.
  505. --*/
  506. {
  507. PSEC_WINNT_AUTH_IDENTITY_W pauth = NULL;
  508. DWORD length;
  509. PWSTR pstr;
  512. DNSDBG( SECURITY, (
  513. "Enter Dns_AllocateCredentials()\n"
  514. "\tuser = %S\n"
  515. "\tdomain = %S\n"
  516. "\tpassword = %S\n",
  517. pwsUserName,
  518. pwsDomain,
  519. pwsPassword ));
  521. //
  522. // allocate credentials struct
  523. // - zero for simple cleanup on subfield alloc failures
  524. //
  526. pauth = ALLOCATE_HEAP_ZERO( sizeof(SEC_WINNT_AUTH_IDENTITY_W) );
  527. if ( !pauth )
  528. {
  529. return NULL;
  530. }
  532. // copy user
  534. length = wcslen( pwsUserName );
  536. pstr = ALLOCATE_HEAP( (length + 1) * sizeof(WCHAR) );
  537. if ( ! pstr )
  538. {
  539. goto Failed;
  540. }
  541. wcscpy( pstr, pwsUserName );
  543. pauth->User = pstr;
  544. pauth->UserLength = length;
  546. // copy domain
  548. length = wcslen( pwsDomain );
  550. pstr = ALLOCATE_HEAP( (length + 1) * sizeof(WCHAR) );
  551. if ( ! pstr )
  552. {
  553. goto Failed;
  554. }
  555. wcscpy( pstr, pwsDomain );
  557. pauth->Domain = pstr;
  558. pauth->DomainLength = length;
  560. // copy password
  562. length = wcslen( pwsPassword );
  564. pstr = ALLOCATE_HEAP( (length + 1) * sizeof(WCHAR) );
  565. if ( ! pstr )
  566. {
  567. goto Failed;
  568. }
  569. wcscpy( pstr, pwsPassword );
  571. pauth->Password = pstr;
  572. pauth->PasswordLength = length;
  574. // set to unicode
  576. pauth->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
  578. DNSDBG( SECURITY, (
  579. "Exit Dns_AllocateCredentialsW( %p )\n",
  580. pauth ));
  582. return pauth;
  585. Failed:
  587. // allocation failure
  588. // - cleanup what was allocated and get out
  590. Dns_FreeAuthIdentityCredentials( pauth );
  591. return( NULL );
  592. }
  596. //
  597. // DNS Credential utilities (unused)
  598. //
  600. DNS_STATUS
  601. Dns_ImpersonateUser(
  602. IN PDNS_CREDENTIALS pCreds
  603. )
  604. /*++
  606. Routine Description:
  608. Impersonate a user.
  610. Arguments:
  612. pCreds -- credentials of user to impersonate
  614. Return Value:
  616. ERROR_SUCCESS if successful
  617. Error code on failure.
  619. --*/
  620. {
  621. DNS_STATUS status = NO_ERROR;
  622. HANDLE htoken;
  624. //
  625. // attempt logon
  626. //
  628. if ( ! LogonUserW(
  629. pCreds->pUserName,
  630. pCreds->pDomain,
  631. pCreds->pPassword,
  632. LOGON32_LOGON_SERVICE,
  633. LOGON32_PROVIDER_WINNT50,
  634. &htoken ) )
  635. {
  636. status = GetLastError();
  637. if ( status == NO_ERROR )
  638. {
  639. status = ERROR_CANNOT_IMPERSONATE;
  640. DNS_ASSERT( FALSE );
  641. }
  643. DNSDBG( SECURITY, (
  644. "LogonUser() failed => %d\n"
  645. "\tuser = %S\n"
  646. "\tdomain = %S\n"
  647. "\tpassword = %S\n",
  648. status,
  649. pCreds->pUserName,
  650. pCreds->pDomain,
  651. pCreds->pPassword
  652. ));
  654. return status;
  655. }
  657. //
  658. // impersonate
  659. //
  661. if ( !ImpersonateLoggedOnUser( htoken ) )
  662. {
  663. status = GetLastError();
  664. if ( status == NO_ERROR )
  665. {
  666. status = ERROR_CANNOT_IMPERSONATE;
  667. DNS_ASSERT( FALSE );
  668. }
  670. DNSDBG( SECURITY, (
  671. "ImpersonateLoggedOnUser() failed = %d\n",
  672. status ));
  673. }
  675. CloseHandle( htoken );
  677. DNSDBG( SECURITY, (
  678. "%s\n"
  679. "\tuser = %S\n"
  680. "\tdomain = %S\n"
  681. "\tpassword = %S\n",
  682. (status == NO_ERROR)
  683. ? "Successfully IMPERSONATING!"
  684. : "Failed IMPERSONATION!",
  685. pCreds->pUserName,
  686. pCreds->pDomain,
  687. pCreds->pPassword ));
  689. return status;
  690. }
  694. VOID
  695. Dns_FreeCredentials(
  696. IN PDNS_CREDENTIALS pCreds
  697. )
  698. /*++
  700. Routine Description:
  702. Free DNS credentials.
  704. Arguments:
  706. pCreds -- credentials to free
  708. Return Value:
  710. None
  712. --*/
  713. {
  714. //
  715. // free subfields, then credentials
  716. //
  718. if ( !pCreds )
  719. {
  720. return;
  721. }
  723. if ( pCreds->pUserName )
  724. {
  725. FREE_HEAP( pCreds->pUserName );
  726. }
  727. if ( pCreds->pDomain )
  728. {
  729. FREE_HEAP( pCreds->pDomain );
  730. }
  731. if ( pCreds->pPassword )
  732. {
  733. FREE_HEAP( pCreds->pPassword );
  734. }
  735. FREE_HEAP( pCreds );
  736. }
  740. PDNS_CREDENTIALS
  741. Dns_CopyCredentials(
  742. IN PDNS_CREDENTIALS pCreds
  743. )
  744. /*++
  746. Routine Description:
  748. Create copy of DNS credentials.
  750. Arguments:
  752. pCreds -- credentials of user to copy
  754. Return Value:
  756. Ptr to allocated copy of credentials.
  758. --*/
  759. {
  760. PDNS_CREDENTIALS pnewCreds = NULL;
  761. PWSTR pfield;
  763. //
  764. // allocate credentials
  765. // - copy of subfields
  766. //
  768. pnewCreds = (PDNS_CREDENTIALS) ALLOCATE_HEAP_ZERO( sizeof(*pnewCreds) );
  769. if ( !pnewCreds )
  770. {
  771. return( NULL );
  772. }
  774. pfield = (PWSTR) Dns_CreateStringCopy_W( pCreds->pUserName );
  775. if ( !pfield )
  776. {
  777. goto Failed;
  778. }
  779. pnewCreds->pUserName = pfield;
  781. pfield = (PWSTR) Dns_CreateStringCopy_W( pCreds->pDomain );
  782. if ( !pfield )
  783. {
  784. goto Failed;
  785. }
  786. pnewCreds->pDomain = pfield;
  788. pfield = (PWSTR) Dns_CreateStringCopy_W( pCreds->pPassword );
  789. if ( !pfield )
  790. {
  791. goto Failed;
  792. }
  793. pnewCreds->pPassword = pfield;
  795. return( pnewCreds );
  797. Failed:
  799. Dns_FreeCredentials( pnewCreds );
  800. return( NULL );
  801. }
  803. //
  804. // End secutil.c
  805. //