archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/base/fs/rdr2/rdbss/smb.mrx/ntsecure.c

560 lines
21 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++ BUILD Version: 0009 // Increment this if a change has global effects
  2. Copyright (c) 1987-1993 Microsoft Corporation
  4. Module Name:
  6. sessetup.c
  8. Abstract:
  10. This module implements the Session setup related routines
  12. Author:
  14. Balan Sethu Raman (SethuR) 06-Mar-95 Created
  16. --*/
  18. #include "precomp.h"
  19. #pragma hdrstop
  21. #include <exsessup.h>
  22. #include "ntlsapi.h"
  23. #include "mrxsec.h"
  25. #ifdef ALLOC_PRAGMA
  26. #pragma alloc_text(PAGE, BuildSessionSetupSecurityInformation)
  27. #pragma alloc_text(PAGE, BuildTreeConnectSecurityInformation)
  28. #endif
  30. extern BOOLEAN EnablePlainTextPassword;
  31. extern BOOLEAN MRxSmbExtendedSignaturesEnabled;
  33. NTSTATUS
  34. BuildSessionSetupSecurityInformation(
  35. PSMB_EXCHANGE pExchange,
  36. PBYTE pSmbBuffer,
  37. PULONG pSmbBufferSize)
  38. /*++
  40. Routine Description:
  42. This routine builds the security related information for the session setup SMB
  44. Arguments:
  46. pServer - the server instance
  48. pSmbBuffer - the SMB buffer
  50. pSmbBufferSize - the size of the buffer on input ( modified to size remaining on
  51. output)
  53. Return Value:
  55. RXSTATUS - The return status for the operation
  57. Notes:
  59. Eventhough the genral structure of the code tries to isolate dialect specific issues
  60. as much as possible this routine takes the opposite approach. This is because of the
  61. preamble and prologue to security interaction which far outweigh the dialect specific
  62. work required to be done. Therefore in the interests of a smaller footprint this approach
  63. has been adopted.
  65. --*/
  66. {
  67. NTSTATUS Status = STATUS_SUCCESS;
  69. UNICODE_STRING UserName;
  70. UNICODE_STRING DomainName;
  72. STRING CaseSensitiveResponse;
  73. STRING CaseInsensitiveResponse;
  75. PVOID pSecurityBlob;
  76. USHORT SecurityBlobSize;
  78. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExchange);
  79. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  80. PSMBCEDB_SERVER_ENTRY pServerEntry = SmbCeGetExchangeServerEntry(pExchange);
  82. SECURITY_RESPONSE_CONTEXT ResponseContext;
  84. KAPC_STATE ApcState;
  85. BOOLEAN AttachToSystemProcess = FALSE;
  86. ULONG BufferSize = *pSmbBufferSize;
  88. PAGED_CODE();
  89. RxDbgTrace( +1, Dbg, ("BuildSessionSetupSecurityInformation -- Entry\n"));
  91. SmbLog(LOG,
  92. BuildSessionSetupSecurityInformation,
  93. LOGPTR(pSession)
  94. LOGULONG(pSession->LogonId.HighPart)
  95. LOGULONG(pSession->LogonId.LowPart));
  97. if ((pServer->DialectFlags & DF_EXTENDED_SECURITY) &&
  98. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  100. //
  101. // For uplevel servers, this gets handled all at once:
  102. //
  104. PREQ_NT_EXTENDED_SESSION_SETUP_ANDX pExtendedNtSessionSetupReq;
  105. PBYTE pBuffer = pSmbBuffer;
  107. // Position the buffer for copying the security blob
  108. pBuffer += FIELD_OFFSET(REQ_NT_EXTENDED_SESSION_SETUP_ANDX,Buffer);
  109. BufferSize -= FIELD_OFFSET(REQ_NT_EXTENDED_SESSION_SETUP_ANDX,Buffer);
  111. pExtendedNtSessionSetupReq = (PREQ_NT_EXTENDED_SESSION_SETUP_ANDX)pSmbBuffer;
  113. pSecurityBlob = pBuffer ;
  114. SecurityBlobSize = (USHORT) BufferSize ;
  116. Status = BuildExtendedSessionSetupResponsePrologue(
  117. pExchange,
  118. pSecurityBlob,
  119. &SecurityBlobSize,
  120. &ResponseContext);
  122. if ( NT_SUCCESS( Status ) )
  123. {
  124. SmbPutUshort(
  125. &pExtendedNtSessionSetupReq->SecurityBlobLength,
  126. SecurityBlobSize);
  128. BufferSize -= SecurityBlobSize;
  129. }
  131. } else {
  132. if (!MRxSmbUseKernelModeSecurity &&
  133. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  134. //NTRAID-455636-2/2/2000-yunlin We should consolidate three routines calling LSA into one
  135. Status = BuildExtendedSessionSetupResponsePrologueFake(pExchange);
  137. if (Status != STATUS_SUCCESS) {
  138. goto FINALLY;
  139. }
  140. }
  142. Status = BuildNtLanmanResponsePrologue(
  143. pExchange,
  144. &UserName,
  145. &DomainName,
  146. &CaseSensitiveResponse,
  147. &CaseInsensitiveResponse,
  148. &ResponseContext);
  150. if (Status == STATUS_SUCCESS) {
  151. // If the security package returns us the credentials corresponding to a
  152. // NULL session mark the session as a NULL session. This will avoid
  153. // conflicts with the user trying to present the credentials for a NULL
  154. // session, i.e., explicitly specified zero length passwords, user name
  155. // and domain name.
  157. RxDbgTrace(0,Dbg,("Session %lx UN Length %lx DN length %ld IR length %ld SR length %ld\n",
  158. pSession,UserName.Length,DomainName.Length,
  159. CaseInsensitiveResponse.Length,CaseSensitiveResponse.Length));
  161. if ((UserName.Length == 0) &&
  162. (DomainName.Length == 0) &&
  163. (CaseSensitiveResponse.Length == 0) &&
  164. (CaseInsensitiveResponse.Length == 1)) {
  165. RxDbgTrace(0,Dbg,("Implicit NULL session setup\n"));
  166. pSession->Flags |= SMBCE_SESSION_FLAGS_NULL_CREDENTIALS;
  167. pSession->SessionKeyState = SmbSessionKeyAvailible;
  168. } else {
  169. if( pServerEntry->SecuritySignaturesEnabled == TRUE &&
  170. pServerEntry->SecuritySignaturesActive == FALSE &&
  171. !FlagOn(pSession->Flags, SMBCE_SESSION_FLAGS_GUEST_SESSION)) {
  173. if (FlagOn(pSession->Flags, SMBCE_SESSION_FLAGS_LANMAN_SESSION_KEY_USED)) {
  174. UCHAR SessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
  176. RtlZeroMemory(SessionKey, sizeof(SessionKey));
  177. RtlCopyMemory(SessionKey, pSession->LanmanSessionKey, MSV1_0_LANMAN_SESSION_KEY_LENGTH);
  179. SmbInitializeSmbSecuritySignature(pServer,
  180. SessionKey,
  181. CaseInsensitiveResponse.Buffer,
  182. CaseInsensitiveResponse.Length);
  183. } else{
  184. SmbInitializeSmbSecuritySignature(pServer,
  185. pSession->UserSessionKey,
  186. CaseSensitiveResponse.Buffer,
  187. CaseSensitiveResponse.Length);
  188. }
  190. if( MRxSmbExtendedSignaturesEnabled )
  191. {
  192. pSession->SessionKeyState = SmbSessionKeyAuthenticating;
  193. ClearFlag( pSession->Flags, SMBCE_SESSION_FLAGS_SESSION_KEY_HASHED );
  194. }
  195. else
  196. {
  197. pSession->SessionKeyState = SmbSessionKeyAvailible;
  198. }
  199. }
  200. else
  201. {
  202. pSession->SessionKeyState = SmbSessionKeyAvailible;
  203. }
  204. }
  205. }
  206. }
  208. if (NT_SUCCESS(Status)) {
  209. PBYTE pBuffer = pSmbBuffer;
  211. if (pServer->Dialect == NTLANMAN_DIALECT) {
  212. if (FlagOn(pServer->DialectFlags,DF_EXTENDED_SECURITY) &&
  213. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  215. //
  216. // Already done above
  217. //
  218. NOTHING ;
  219. } else {
  220. //PREQ_SESSION_SETUP_ANDX pSessionSetupReq = (PREQ_SESSION_SETUP_ANDX)pSmbBuffer;
  221. PREQ_NT_SESSION_SETUP_ANDX pNtSessionSetupReq = (PREQ_NT_SESSION_SETUP_ANDX)pSmbBuffer;
  223. // It it is a NT server both the case insensitive and case sensitive passwords
  224. // need to be copied. for share-level, just copy a token 1-byte NULL password
  226. // Position the buffer for copying the password.
  227. pBuffer += FIELD_OFFSET(REQ_NT_SESSION_SETUP_ANDX,Buffer);
  228. BufferSize -= FIELD_OFFSET(REQ_NT_SESSION_SETUP_ANDX,Buffer);
  229. SmbPutUlong(&pNtSessionSetupReq->Reserved,0);
  231. if (pServer->SecurityMode == SECURITY_MODE_USER_LEVEL){
  232. RxDbgTrace( 0, Dbg, ("BuildSessionSetupSecurityInformation -- NtUserPasswords\n"));
  234. if (pServer->EncryptPasswords) {
  236. SmbPutUshort(
  237. &pNtSessionSetupReq->CaseInsensitivePasswordLength,
  238. CaseInsensitiveResponse.Length);
  240. SmbPutUshort(
  241. &pNtSessionSetupReq->CaseSensitivePasswordLength,
  242. CaseSensitiveResponse.Length);
  244. Status = SmbPutString(
  245. &pBuffer,
  246. &CaseInsensitiveResponse,
  247. &BufferSize);
  249. if (NT_SUCCESS(Status)) {
  250. Status = SmbPutString(
  251. &pBuffer,
  252. &CaseSensitiveResponse,
  253. &BufferSize);
  254. }
  255. } else if (EnablePlainTextPassword) {
  256. if (pSession->pPassword != NULL) {
  257. if (FlagOn(pServer->DialectFlags,DF_UNICODE)) {
  258. PBYTE pTempBuffer = pBuffer;
  260. *pBuffer = 0;
  261. pBuffer = ALIGN_SMB_WSTR(pBuffer);
  262. BufferSize -= (ULONG)(pBuffer - pTempBuffer);
  264. SmbPutUshort(
  265. &pNtSessionSetupReq->CaseInsensitivePasswordLength,
  266. 0);
  268. SmbPutUshort(
  269. &pNtSessionSetupReq->CaseSensitivePasswordLength,
  270. pSession->pPassword->Length + 2);
  272. Status = SmbPutUnicodeString(
  273. &pBuffer,
  274. pSession->pPassword,
  275. &BufferSize);
  276. } else {
  277. SmbPutUshort(
  278. &pNtSessionSetupReq->CaseInsensitivePasswordLength,
  279. pSession->pPassword->Length/2 + 1);
  281. SmbPutUshort(
  282. &pNtSessionSetupReq->CaseSensitivePasswordLength,
  283. 0);
  285. Status = SmbPutUnicodeStringAsOemString(
  286. &pBuffer,
  287. pSession->pPassword,
  288. &BufferSize);
  289. }
  290. } else {
  291. SmbPutUshort(&pNtSessionSetupReq->CaseSensitivePasswordLength,0);
  292. SmbPutUshort(&pNtSessionSetupReq->CaseInsensitivePasswordLength,1);
  293. *pBuffer++ = '\0';
  294. BufferSize -= sizeof(CHAR);
  295. }
  296. } else {
  297. Status = STATUS_LOGIN_WKSTA_RESTRICTION;
  298. }
  299. } else {
  300. RxDbgTrace( 0, Dbg, ("BuildSessionSetupSecurityInformation -- NtSharePasswords\n"));
  302. SmbPutUshort(&pNtSessionSetupReq->CaseInsensitivePasswordLength, 1);
  303. SmbPutUshort(&pNtSessionSetupReq->CaseSensitivePasswordLength, 1);
  304. *pBuffer = 0;
  305. *(pBuffer+1) = 0;
  306. pBuffer += 2;
  307. BufferSize -= 2;
  308. }
  309. }
  310. } else {
  311. PREQ_SESSION_SETUP_ANDX pSessionSetupReq = (PREQ_SESSION_SETUP_ANDX)pSmbBuffer;
  313. // Position the buffer for copying the password.
  314. pBuffer += FIELD_OFFSET(REQ_SESSION_SETUP_ANDX,Buffer);
  315. BufferSize -= FIELD_OFFSET(REQ_SESSION_SETUP_ANDX,Buffer);
  317. if ( (pServer->SecurityMode == SECURITY_MODE_USER_LEVEL)
  318. && (CaseInsensitiveResponse.Length > 0)) {
  320. if (pServer->EncryptPasswords) {
  321. // For other lanman servers only the case insensitive password is required.
  322. SmbPutUshort(
  323. &pSessionSetupReq->PasswordLength,
  324. CaseInsensitiveResponse.Length);
  326. // Copy the password
  327. Status = SmbPutString(
  328. &pBuffer,
  329. &CaseInsensitiveResponse,
  330. &BufferSize);
  331. } else {
  332. if (EnablePlainTextPassword) {
  333. if (pSession->pPassword != NULL) {
  334. SmbPutUshort(
  335. &pSessionSetupReq->PasswordLength,
  336. pSession->pPassword->Length/2 + 1);
  338. Status = SmbPutUnicodeStringAsOemString(
  339. &pBuffer,
  340. pSession->pPassword,
  341. &BufferSize);
  342. } else {
  343. SmbPutUshort(&pSessionSetupReq->PasswordLength,1);
  344. *pBuffer++ = '\0';
  345. BufferSize -= sizeof(CHAR);
  346. }
  347. } else {
  348. Status = STATUS_LOGIN_WKSTA_RESTRICTION;
  349. }
  350. }
  351. } else {
  352. // Share level security. Send a null string for the password
  353. SmbPutUshort(&pSessionSetupReq->PasswordLength,1);
  354. *pBuffer++ = '\0';
  355. BufferSize -= sizeof(CHAR);
  356. }
  357. }
  359. // The User name and the domain name strings can be either copied from
  360. // the information returned in the request response or the information
  361. // that is already present in the session entry.
  362. if (NT_SUCCESS(Status) &&
  363. (!FlagOn(pServer->DialectFlags,DF_EXTENDED_SECURITY) ||
  364. FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION))) {
  365. if ((pServer->Dialect == NTLANMAN_DIALECT) &&
  366. (pServer->NtServer.NtCapabilities & CAP_UNICODE)) {
  367. // Copy the account/domain names as UNICODE strings
  368. PBYTE pTempBuffer = pBuffer;
  370. RxDbgTrace( 0, Dbg, ("BuildSessionSetupSecurityInformation -- account/domain as unicode\n"));
  371. *pBuffer = 0;
  372. pBuffer = ALIGN_SMB_WSTR(pBuffer);
  373. BufferSize -= (ULONG)(pBuffer - pTempBuffer);
  375. Status = SmbPutUnicodeString(
  376. &pBuffer,
  377. &UserName,
  378. &BufferSize);
  380. if (NT_SUCCESS(Status)) {
  381. Status = SmbPutUnicodeString(
  382. &pBuffer,
  383. &DomainName,
  384. &BufferSize);
  386. }
  387. } else {
  388. // Copy the account/domain names as ASCII strings.
  389. RxDbgTrace( 0, Dbg, ("BuildSessionSetupSecurityInformation -- account/domain as ascii\n"));
  390. Status = SmbPutUnicodeStringAsOemString(
  391. &pBuffer,
  392. &UserName,
  393. &BufferSize);
  395. if (NT_SUCCESS(Status)) {
  396. Status = SmbPutUnicodeStringAsOemString(
  397. &pBuffer,
  398. &DomainName,
  399. &BufferSize);
  400. }
  401. }
  402. }
  404. if (NT_SUCCESS(Status)) {
  405. *pSmbBufferSize = BufferSize;
  406. }
  407. }
  409. // Free the buffer allocated by the security package.
  410. if ((pServer->DialectFlags & DF_EXTENDED_SECURITY) &&
  411. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  412. BuildExtendedSessionSetupResponseEpilogue(&ResponseContext);
  413. } else {
  414. BuildNtLanmanResponseEpilogue(pExchange, &ResponseContext);
  415. }
  417. // Detach from the rdr process.
  418. FINALLY:
  419. RxDbgTrace( -1, Dbg, ("BuildSessionSetupSecurityInformation -- Exit, status=%08lx\n",Status));
  420. return Status;
  421. }
  423. NTSTATUS
  424. BuildTreeConnectSecurityInformation(
  425. PSMB_EXCHANGE pExchange,
  426. PBYTE pBuffer,
  427. PBYTE pPasswordLength,
  428. PULONG pSmbBufferSize)
  429. /*++
  431. Routine Description:
  433. This routine builds the security related information for the session setup SMB
  435. Arguments:
  437. pServer - the server instance
  439. pLogonId - the logon id. for which the session is being setup
  441. pPassword - the user supplied password if any
  443. pBuffer - the password buffer
  445. pPasswordLength - where the password length is to be stored
  447. pSmbBufferSize - the size of the buffer on input ( modified to size remaining on
  448. output)
  450. Return Value:
  452. NTSTATUS - The return status for the operation
  454. Notes:
  456. Eventhough the genral structure of the code tries to isolate dialect specific issues
  457. as much as possible this routine takes the opposite approach. This is because of the
  458. preamble and prologue to security interaction which far outweigh the dialect specific
  459. work required to be done. Therefore in the interests of a smaller footprint this approach
  460. has been adopted.
  462. --*/
  463. {
  464. NTSTATUS FinalStatus,Status;
  466. UNICODE_STRING UserName,DomainName;
  467. STRING CaseSensitiveChallengeResponse,CaseInsensitiveChallengeResponse;
  469. SECURITY_RESPONSE_CONTEXT ResponseContext;
  471. ULONG PasswordLength = 0;
  473. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExchange);
  474. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  476. KAPC_STATE ApcState;
  477. BOOLEAN AttachToSystemProcess = FALSE;
  479. PAGED_CODE();
  481. Status = STATUS_SUCCESS;
  483. if (pServer->EncryptPasswords) {
  485. Status = BuildNtLanmanResponsePrologue(
  486. pExchange,
  487. &UserName,
  488. &DomainName,
  489. &CaseSensitiveChallengeResponse,
  490. &CaseInsensitiveChallengeResponse,
  491. &ResponseContext);
  493. if (NT_SUCCESS(Status)) {
  494. if (FlagOn(pServer->DialectFlags,DF_MIXEDCASEPW)) {
  495. RxDbgTrace( 0, Dbg, ("BuildTreeConnectSecurityInformation -- case sensitive password\n"));
  496. // Copy the password length onto the SMB buffer
  497. PasswordLength = CaseSensitiveChallengeResponse.Length;
  499. // Copy the password
  500. Status = SmbPutString(
  501. &pBuffer,
  502. &CaseSensitiveChallengeResponse,
  503. pSmbBufferSize);
  504. } else {
  505. RxDbgTrace( 0, Dbg, ("BuildTreeConnectSecurityInformation -- case insensitive password\n"));
  506. // Copy the password length onto the SMB buffer
  507. PasswordLength = CaseInsensitiveChallengeResponse.Length;
  509. // Copy the password
  510. Status = SmbPutString(
  511. &pBuffer,
  512. &CaseInsensitiveChallengeResponse,
  513. pSmbBufferSize);
  514. }
  516. BuildNtLanmanResponseEpilogue(pExchange, &ResponseContext);
  517. }
  519. } else {
  520. if (pSession->pPassword == NULL) {
  521. // The logon password cannot be sent as plain text. Send a Null string as password.
  523. PasswordLength = 1;
  524. if (*pSmbBufferSize >= 1) {
  525. *((PCHAR)pBuffer) = '\0';
  526. pBuffer += sizeof(CHAR);
  527. Status = STATUS_SUCCESS;
  528. } else {
  529. Status = STATUS_BUFFER_OVERFLOW;
  530. }
  531. } else {
  532. if (EnablePlainTextPassword) {
  533. OEM_STRING OemString;
  535. OemString.Length = OemString.MaximumLength = (USHORT)(*pSmbBufferSize - sizeof(CHAR));
  536. OemString.Buffer = pBuffer;
  537. Status = RtlUnicodeStringToOemString(
  538. &OemString,
  539. pSession->pPassword,
  540. FALSE);
  542. if (NT_SUCCESS(Status)) {
  543. PasswordLength = OemString.Length+1;
  544. }
  545. } else {
  546. Status = STATUS_LOGON_FAILURE;
  547. }
  548. }
  550. // reduce the byte count
  551. *pSmbBufferSize -= PasswordLength;
  552. }
  554. SmbPutUshort(pPasswordLength,(USHORT)PasswordLength);
  556. return Status;
  557. }