Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

917 lines
26 KiB

  1. /*++
  2. Copyright (c) 1989 Microsoft Corporation
  3. Module Name:
  4. austub.c
  5. Abstract:
  6. Local Security Authority AUTHENTICATION service client stubs.
  7. Author:
  8. Jim Kelly (JimK) 20-Feb-1991
  9. Environment: Kernel or User Modes
  10. Revision History:
  11. --*/
  12. #include "lsadllp.h"
  13. #include <string.h>
  14. #include <zwapi.h>
  15. #ifdef _NTSYSTEM_
  16. //
  17. // Unfortunately the security header files are just not at all constructed
  18. // in a manner compatible with kernelmode. For some reason they are totally
  19. // reliant on usermode header definitions. Just assume the text and const
  20. // pragma's will work. If they don't work on an architecture, they can be
  21. // fixed.
  22. //
  23. #pragma alloc_text(PAGE,LsaFreeReturnBuffer)
  24. #pragma alloc_text(PAGE,LsaRegisterLogonProcess)
  25. #pragma alloc_text(PAGE,LsaConnectUntrusted)
  26. #pragma alloc_text(PAGE,LsaLookupAuthenticationPackage)
  27. #pragma alloc_text(PAGE,LsaLogonUser)
  28. #pragma alloc_text(PAGE,LsaCallAuthenticationPackage)
  29. #pragma alloc_text(PAGE,LsaDeregisterLogonProcess)
  30. //#pragma const_seg("PAGECONST")
  31. #endif //_NTSYSTEM_
  32. const WCHAR LsapEvent[] = L"\\SECURITY\\LSA_AUTHENTICATION_INITIALIZED";
  33. const WCHAR LsapPort[] = L"\\LsaAuthenticationPort";
  34. NTSTATUS
  35. LsaFreeReturnBuffer (
  36. IN PVOID Buffer
  37. )
  38. /*++
  39. Routine Description:
  40. Some of the LSA authentication services allocate memory buffers to
  41. hold returned information. This service is used to free those buffers
  42. when no longer needed.
  43. Arguments:
  44. Buffer - Supplies a pointer to the return buffer to be freed.
  45. Return Status:
  46. STATUS_SUCCESS - Indicates the service completed successfully.
  47. Others - returned by NtFreeVirtualMemory().
  48. --*/
  49. {
  50. NTSTATUS Status;
  51. ULONG_PTR Length;
  52. Length = 0;
  53. Status = ZwFreeVirtualMemory(
  54. NtCurrentProcess(),
  55. &Buffer,
  56. &Length,
  57. MEM_RELEASE
  58. );
  59. return Status;
  60. }
  61. NTSTATUS
  62. LsaRegisterLogonProcess(
  63. IN PSTRING LogonProcessName,
  64. OUT PHANDLE LsaHandle,
  65. OUT PLSA_OPERATIONAL_MODE SecurityMode
  66. )
  67. /*++
  68. Routine Description:
  69. This service connects to the LSA server and verifies that the caller
  70. is a legitimate logon process. this is done by ensuring the caller has
  71. the SeTcbPrivilege privilege. It also opens the caller's process for
  72. PROCESS_DUP_HANDLE access in anticipation of future LSA authentication
  73. calls.
  74. Arguments:
  75. LogonProcessName - Provides a name string that identifies the logon
  76. process. This should be a printable name suitable for display to
  77. administrators. For example, "User32LogonProces" might be used
  78. for the windows logon process name. No check is made to determine
  79. whether the name is already in use. This name must NOT be longer
  80. than 127 bytes long.
  81. LsaHandle - Receives a handle which must be provided in future
  82. authenticaiton services.
  83. SecurityMode - The security mode the system is running under. This
  84. value typically influences the logon user interface. For example,
  85. a system running with password control will prompt for username
  86. and passwords before bringing up the UI shell. One running without
  87. password control would typically automatically bring up the UI shell
  88. at system initialization.
  89. Return Value:
  90. STATUS_SUCCESS - The call completed successfully.
  91. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have the
  92. privilege necessary to act as a logon process. The SeTcbPrivilege
  93. privilege is needed.
  94. STATUS_NAME_TOO_LONG - The logon process name provided is too long.
  95. --*/
  96. {
  97. NTSTATUS Status, IgnoreStatus;
  98. UNICODE_STRING PortName, EventName;
  99. LSAP_AU_REGISTER_CONNECT_INFO ConnectInfo;
  100. ULONG ConnectInfoLength;
  101. SECURITY_QUALITY_OF_SERVICE DynamicQos;
  102. OBJECT_ATTRIBUTES ObjectAttributes;
  103. HANDLE EventHandle;
  104. //
  105. // Validate input parameters
  106. //
  107. if (LogonProcessName->Length > LSAP_MAX_LOGON_PROC_NAME_LENGTH) {
  108. return STATUS_NAME_TOO_LONG;
  109. }
  110. //
  111. // Wait for LSA to initialize...
  112. //
  113. RtlInitUnicodeString( &EventName, LsapEvent );
  114. InitializeObjectAttributes(
  115. &ObjectAttributes,
  116. &EventName,
  117. OBJ_CASE_INSENSITIVE,
  118. 0,
  119. NULL
  120. );
  121. Status = NtOpenEvent( &EventHandle, SYNCHRONIZE, &ObjectAttributes );
  122. if (!NT_SUCCESS(Status)) {
  123. return(Status);
  124. }
  125. Status = NtWaitForSingleObject( EventHandle, TRUE, NULL);
  126. IgnoreStatus = NtClose( EventHandle );
  127. if (!NT_SUCCESS(Status)) {
  128. return(Status);
  129. }
  130. //
  131. // Set up the security quality of service parameters to use over the
  132. // port. Use the most efficient (least overhead) - which is dynamic
  133. // rather than static tracking.
  134. //
  135. DynamicQos.Length = sizeof( DynamicQos );
  136. DynamicQos.ImpersonationLevel = SecurityImpersonation;
  137. DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  138. DynamicQos.EffectiveOnly = TRUE;
  139. //
  140. // Set up the connection information to contain the logon process
  141. // name.
  142. //
  143. ConnectInfoLength = sizeof(LSAP_AU_REGISTER_CONNECT_INFO);
  144. strncpy(
  145. ConnectInfo.LogonProcessName,
  146. LogonProcessName->Buffer,
  147. LogonProcessName->Length
  148. );
  149. ConnectInfo.LogonProcessNameLength = LogonProcessName->Length;
  150. ConnectInfo.LogonProcessName[ConnectInfo.LogonProcessNameLength] = '\0';
  151. //
  152. // Connect to the LSA server
  153. //
  154. *LsaHandle = NULL;
  155. RtlInitUnicodeString(&PortName,LsapPort);
  156. Status = ZwConnectPort(
  157. LsaHandle,
  158. &PortName,
  159. &DynamicQos,
  160. NULL,
  161. NULL,
  162. NULL,
  163. &ConnectInfo,
  164. &ConnectInfoLength
  165. );
  166. if ( !NT_SUCCESS(Status) ) {
  167. //DbgPrint("LSA AU: Logon Process Register failed %lx\n",Status);
  168. return Status;
  169. }
  170. if ( !NT_SUCCESS(ConnectInfo.CompletionStatus) ) {
  171. //DbgPrint("LSA AU: Logon Process Register rejected %lx\n",ConnectInfo.CompletionStatus);
  172. if ( LsaHandle && *LsaHandle != NULL ) {
  173. ZwClose( *LsaHandle );
  174. *LsaHandle = NULL;
  175. }
  176. }
  177. (*SecurityMode) = ConnectInfo.SecurityMode;
  178. return ConnectInfo.CompletionStatus;
  179. }
  180. NTSTATUS
  181. LsaConnectUntrusted(
  182. OUT PHANDLE LsaHandle
  183. )
  184. /*++
  185. Routine Description:
  186. This service connects to the LSA server and sets up an untrusted
  187. connection. It does not check anything about the caller.
  188. Arguments:
  189. LsaHandle - Receives a handle which must be provided in future
  190. authenticaiton services.
  191. Return Value:
  192. STATUS_SUCCESS - The call completed successfully.
  193. --*/
  194. {
  195. NTSTATUS Status, IgnoreStatus;
  196. UNICODE_STRING PortName, EventName;
  197. LSAP_AU_REGISTER_CONNECT_INFO ConnectInfo;
  198. ULONG ConnectInfoLength;
  199. SECURITY_QUALITY_OF_SERVICE DynamicQos;
  200. OBJECT_ATTRIBUTES ObjectAttributes;
  201. HANDLE EventHandle;
  202. //
  203. // Wait for LSA to initialize...
  204. //
  205. RtlInitUnicodeString( &EventName, LsapEvent );
  206. InitializeObjectAttributes(
  207. &ObjectAttributes,
  208. &EventName,
  209. OBJ_CASE_INSENSITIVE,
  210. 0,
  211. NULL
  212. );
  213. Status = NtOpenEvent( &EventHandle, SYNCHRONIZE, &ObjectAttributes );
  214. if (!NT_SUCCESS(Status)) {
  215. return(Status);
  216. }
  217. Status = NtWaitForSingleObject( EventHandle, TRUE, NULL);
  218. IgnoreStatus = NtClose( EventHandle );
  219. if (!NT_SUCCESS(Status)) {
  220. return(Status);
  221. }
  222. //
  223. // Set up the security quality of service parameters to use over the
  224. // port. Use the most efficient (least overhead) - which is dynamic
  225. // rather than static tracking.
  226. //
  227. DynamicQos.ImpersonationLevel = SecurityImpersonation;
  228. DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  229. DynamicQos.EffectiveOnly = TRUE;
  230. //
  231. // Set up the connection information to contain the logon process
  232. // name.
  233. //
  234. ConnectInfoLength = sizeof(LSAP_AU_REGISTER_CONNECT_INFO);
  235. RtlZeroMemory(
  236. &ConnectInfo,
  237. ConnectInfoLength
  238. );
  239. //
  240. // Connect to the LSA server
  241. //
  242. RtlInitUnicodeString(&PortName,LsapPort);
  243. Status = ZwConnectPort(
  244. LsaHandle,
  245. &PortName,
  246. &DynamicQos,
  247. NULL,
  248. NULL,
  249. NULL,
  250. &ConnectInfo,
  251. &ConnectInfoLength
  252. );
  253. if ( !NT_SUCCESS(Status) ) {
  254. //DbgPrint("LSA AU: Logon Process Register failed %lx\n",Status);
  255. return Status;
  256. }
  257. if ( !NT_SUCCESS(ConnectInfo.CompletionStatus) ) {
  258. //DbgPrint("LSA AU: Logon Process Register rejected %lx\n",ConnectInfo.CompletionStatus);
  259. ;
  260. }
  261. return ConnectInfo.CompletionStatus;
  262. }
  263. NTSTATUS
  264. LsaLookupAuthenticationPackage (
  265. IN HANDLE LsaHandle,
  266. IN PSTRING PackageName,
  267. OUT PULONG AuthenticationPackage
  268. )
  269. /*++
  270. Arguments:
  271. LsaHandle - Supplies a handle obtained in a previous call to
  272. LsaRegisterLogonProcess.
  273. PackageName - Supplies a string which identifies the
  274. Authentication Package. "MSV1.0" is the standard NT
  275. authentication package name. The package name must not
  276. exceed 127 bytes in length.
  277. AuthenticationPackage - Receives an ID used to reference the
  278. authentication package in subsequent authentication services.
  279. Return Status:
  280. STATUS_SUCCESS - Indicates the service completed successfully.
  281. STATUS_NO_SUCH_PACKAGE - The specified authentication package is
  282. unknown to the LSA.
  283. STATUS_NAME_TOO_LONG - The authentication package name provided is too
  284. long.
  285. Routine Description:
  286. This service is used to obtain the ID of an authentication package.
  287. This ID may then be used in subsequent authentication services.
  288. --*/
  289. {
  290. NTSTATUS Status;
  291. LSAP_AU_API_MESSAGE Message = {0};
  292. PLSAP_LOOKUP_PACKAGE_ARGS Arguments;
  293. //
  294. // Validate input parameters
  295. //
  296. if (PackageName->Length > LSAP_MAX_PACKAGE_NAME_LENGTH) {
  297. return STATUS_NAME_TOO_LONG;
  298. }
  299. Arguments = &Message.Arguments.LookupPackage;
  300. //
  301. // Set arguments
  302. //
  303. strncpy(Arguments->PackageName, PackageName->Buffer, PackageName->Length);
  304. Arguments->PackageNameLength = PackageName->Length;
  305. Arguments->PackageName[Arguments->PackageNameLength] = '\0';
  306. //
  307. // Call the Local Security Authority Server.
  308. //
  309. Message.ApiNumber = LsapAuLookupPackageApi;
  310. Message.PortMessage.u1.s1.DataLength = LSAP_AU_DATA_LENGTH(sizeof(*Arguments));
  311. Message.PortMessage.u1.s1.TotalLength = sizeof(Message);
  312. Message.PortMessage.u2.ZeroInit = 0L;
  313. Status = ZwRequestWaitReplyPort(
  314. LsaHandle,
  315. (PPORT_MESSAGE) &Message,
  316. (PPORT_MESSAGE) &Message
  317. );
  318. //
  319. // Return the authentication package ID.
  320. // If the call failed for any reason, this will be garbage,
  321. // but who cares.
  322. //
  323. (*AuthenticationPackage) = Arguments->AuthenticationPackage;
  324. if ( NT_SUCCESS(Status) ) {
  325. Status = Message.ReturnedStatus;
  326. if ( !NT_SUCCESS(Status) ) {
  327. //DbgPrint("LSA AU: Package Lookup Failed %lx\n",Status);
  328. ;
  329. }
  330. } else {
  331. #if DBG
  332. DbgPrint("LSA AU: Package Lookup NtRequestWaitReply Failed %lx\n",Status);
  333. #else
  334. ;
  335. #endif
  336. }
  337. return Status;
  338. }
  339. NTSTATUS
  340. LsaLogonUser (
  341. IN HANDLE LsaHandle,
  342. IN PSTRING OriginName,
  343. IN SECURITY_LOGON_TYPE LogonType,
  344. IN ULONG AuthenticationPackage,
  345. IN PVOID AuthenticationInformation,
  346. IN ULONG AuthenticationInformationLength,
  347. IN PTOKEN_GROUPS LocalGroups OPTIONAL,
  348. IN PTOKEN_SOURCE SourceContext,
  349. OUT PVOID *ProfileBuffer,
  350. OUT PULONG ProfileBufferLength,
  351. OUT PLUID LogonId,
  352. OUT PHANDLE Token,
  353. OUT PQUOTA_LIMITS Quotas,
  354. OUT PNTSTATUS SubStatus
  355. )
  356. /*++
  357. Arguments:
  358. LsaHandle - Supplies a handle obtained in a previous call to
  359. LsaRegisterLogonProcess.
  360. OriginName - Supplies a string which identifies the origin of the
  361. logon attempt. For example, "TTY1" specify terminal 1, or
  362. "LAN Manager - remote node JAZZ" might indicate a network
  363. logon attempt via LAN Manager from a remote node called
  364. "JAZZ".
  365. LogonType - Identifies the type of logon being attempted. If the
  366. type is Interactive or Batch then a PrimaryToken will be
  367. generated to represent this new user. If the type is Network
  368. then an impersonation token will be generated.
  369. AuthenticationPackage - Supplies the ID of the authentication
  370. package to use for the logon attempt. The standard
  371. authentication package name for NT is called "MSV1.0".
  372. AuthenticationInformation - Supplies the authentication
  373. information specific to the authentication package. It is
  374. expected to include identification and authentication
  375. information such as user name and password.
  376. AuthenticationInformationLength - Indicates the length of the
  377. authentication information buffer.
  378. LocalGroups - Optionally supplies a list of additional group
  379. identifiers to add to the authenticated user's token. The
  380. WORLD group will always be included in the token. A group
  381. identifying the logon type (INTERACTIVE, NETWORK, BATCH) will
  382. also automatically be included in the token.
  383. SourceContext - Supplies information identifying the source
  384. component (e.g., session manager) and context that may be
  385. useful to that component. This information will be included
  386. in the token and may later be retrieved.
  387. ProfileBuffer - Receives a pointer to any returned profile and
  388. accounting information about the logged on user's account.
  389. This information is authentication package specific and
  390. provides such information as the logon shell, home directory
  391. and so forth. For an authentication package value of
  392. "MSV1.0", a MSV1_0_PROFILE_DATA data structure is returned.
  393. This buffer is allocated by this service and must be freed
  394. using LsaFreeReturnBuffer() when no longer needed.
  395. ProfileBufferLength - Receives the length (in bytes) of the
  396. returned profile buffer.
  397. LogonId - Points to a buffer which receives a LUID that uniquely
  398. identifies this logon session. This LUID was assigned by the
  399. domain controller which authenticated the logon information.
  400. Token - Receives a handle to the new token created for this
  401. authentication.
  402. Quotas - When a primary token is returned, this parameter will be
  403. filled in with process quota limits that are to be assigned
  404. to the newly logged on user's initial process.
  405. SubStatus - If the logon failed due to account restrictions, this
  406. out parameter will receive an indication as to why the logon
  407. failed. This value will only be set to a meaningful value if
  408. the user has a legitimate account, but may not currently
  409. logon for some reason. The substatus values for
  410. authentication package "MSV1.0" are:
  411. STATUS_INVALID_LOGON_HOURS
  412. STATUS_INVALID_WORKSTATION
  413. STATUS_PASSWORD_EXPIRED
  414. STATUS_ACCOUNT_DISABLED
  415. Return Status:
  416. STATUS_SUCCESS - Indicates the service completed successfully.
  417. STATUS_QUOTA_EXCEEDED - Indicates the caller does not have
  418. enough quota to allocate the profile data being returned by
  419. the authentication package.
  420. STATUS_NO_LOGON_SERVERS - Indicates that no domain controllers
  421. are currently able to service the authentication request.
  422. STATUS_LOGON_FAILURE - Indicates the logon attempt failed. No
  423. indication as to the reason for failure is given, but typical
  424. reasons include mispelled usernames, mispelled passwords.
  425. STATUS_ACCOUNT_RESTRICTION - Indicates the user account and
  426. password were legitimate, but that the user account has some
  427. restriction preventing successful logon at this time.
  428. STATUS_NO_SUCH_PACKAGE - The specified authentication package is
  429. unknown to the LSA.
  430. STATUS_BAD_VALIDATION_CLASS - The authentication information
  431. provided is not a validation class known to the specified
  432. authentication package.
  433. Routine Description:
  434. This routine is used to authenticate a user logon attempt. This is
  435. used only for user's initial logon, necessary to gain access to NT
  436. OS/2. Subsequent (supplementary) authentication requests must be done
  437. using LsaCallAuthenticationPackage(). This service will cause a logon
  438. session to be created to represent the new logon. It will also return
  439. a token representing the newly logged on user.
  440. --*/
  441. {
  442. NTSTATUS Status;
  443. LSAP_AU_API_MESSAGE Message = {0};
  444. PLSAP_LOGON_USER_ARGS Arguments;
  445. Arguments = &Message.Arguments.LogonUser;
  446. //
  447. // Set arguments
  448. //
  449. Arguments->AuthenticationPackage = AuthenticationPackage;
  450. Arguments->AuthenticationInformation = AuthenticationInformation;
  451. Arguments->AuthenticationInformationLength = AuthenticationInformationLength;
  452. Arguments->OriginName = (*OriginName);
  453. Arguments->LogonType = LogonType;
  454. Arguments->SourceContext = (*SourceContext);
  455. Arguments->LocalGroups = LocalGroups;
  456. if ( ARGUMENT_PRESENT(LocalGroups) ) {
  457. Arguments->LocalGroupsCount = LocalGroups->GroupCount;
  458. } else {
  459. Arguments->LocalGroupsCount = 0;
  460. }
  461. //
  462. // Call the Local Security Authority Server.
  463. //
  464. Message.ApiNumber = LsapAuLogonUserApi;
  465. Message.PortMessage.u1.s1.DataLength = LSAP_AU_DATA_LENGTH(sizeof(*Arguments));
  466. Message.PortMessage.u1.s1.TotalLength = sizeof(Message);
  467. Message.PortMessage.u2.ZeroInit = 0L;
  468. Status = ZwRequestWaitReplyPort(
  469. LsaHandle,
  470. (PPORT_MESSAGE) &Message,
  471. (PPORT_MESSAGE) &Message
  472. );
  473. //
  474. // We may be returning bogus return values here, but it doesn't
  475. // matter. They will just be ignored if an error occured.
  476. //
  477. (*SubStatus) = Arguments->SubStatus;
  478. if ( NT_SUCCESS( Status ) )
  479. {
  480. Status = Message.ReturnedStatus ;
  481. // Don't not clear the ProfileBuffer even in case of error, cause
  482. // subauth packages need the ProfileBuffer.
  483. *ProfileBuffer = Arguments->ProfileBuffer ;
  484. *ProfileBufferLength = Arguments->ProfileBufferLength ;
  485. if ( NT_SUCCESS( Status ) )
  486. {
  487. *LogonId = Arguments->LogonId ;
  488. *Token = Arguments->Token ;
  489. *Quotas = Arguments->Quotas ;
  490. } else {
  491. *Token = NULL;
  492. }
  493. } else {
  494. *ProfileBuffer = NULL ;
  495. *Token = NULL ;
  496. }
  497. return Status;
  498. }
  499. NTSTATUS
  500. LsaCallAuthenticationPackage (
  501. IN HANDLE LsaHandle,
  502. IN ULONG AuthenticationPackage,
  503. IN PVOID ProtocolSubmitBuffer,
  504. IN ULONG SubmitBufferLength,
  505. OUT PVOID *ProtocolReturnBuffer OPTIONAL,
  506. OUT PULONG ReturnBufferLength OPTIONAL,
  507. OUT PNTSTATUS ProtocolStatus OPTIONAL
  508. )
  509. /*++
  510. Arguments:
  511. LsaHandle - Supplies a handle obtained in a previous call to
  512. LsaRegisterLogonProcess.
  513. AuthenticationPackage - Supplies the ID of the authentication
  514. package to use for the logon attempt. The standard
  515. authentication package name for NT is called "MSV1.0".
  516. ProtocolSubmitBuffer - Supplies a protocol message specific to
  517. the authentication package.
  518. SubmitBufferLength - Indicates the length of the submitted
  519. protocol message buffer.
  520. ProtocolReturnBuffer - Receives a pointer to a returned protocol
  521. message whose format and semantics are specific to the
  522. authentication package.
  523. This buffer is allocated by this service and must be freed
  524. using LsaFreeReturnBuffer() when no longer needed.
  525. ReturnBufferLength - Receives the length (in bytes) of the
  526. returned profile buffer.
  527. ProtocolStatus - Assuming the services completion is
  528. STATUS_SUCCESS, this parameter will receive completion status
  529. returned by the specified authentication package. The list
  530. of status values that may be returned are authentication
  531. package specific.
  532. Return Status:
  533. STATUS_SUCCESS - The call was made to the authentication package.
  534. The ProtocolStatus parameter must be checked to see what the
  535. completion status from the authentication package is.
  536. STATUS_QUOTA_EXCEEDED - This error indicates that the call could
  537. not be completed because the client does not have sufficient
  538. quota to allocate the return buffer.
  539. STATUS_NO_SUCH_PACKAGE - The specified authentication package is
  540. unknown to the LSA.
  541. Routine Description:
  542. This routine is used when a logon process needs to communicate with an
  543. authentication package. There are several reasons why a logon process
  544. may want to do this. Some examples are:
  545. o To implement multi-message authentication protocols (such as
  546. the LAN Manager Challenge-response protocol.
  547. o To notify the authentication package of interesting state
  548. change information, such as LAN Manager notifying the MSV1.0
  549. package that a previously unreachable domain controller is
  550. now reachable. In this example, the authentication package
  551. would re-logon any users logged on to that domain controller.
  552. --*/
  553. {
  554. NTSTATUS Status;
  555. LSAP_AU_API_MESSAGE Message = {0};
  556. PLSAP_CALL_PACKAGE_ARGS Arguments;
  557. Arguments = &Message.Arguments.CallPackage;
  558. //
  559. // Set arguments
  560. //
  561. Arguments->AuthenticationPackage = AuthenticationPackage;
  562. Arguments->ProtocolSubmitBuffer = ProtocolSubmitBuffer;
  563. Arguments->SubmitBufferLength = SubmitBufferLength;
  564. //
  565. // Call the Local Security Authority Server.
  566. //
  567. Message.ApiNumber = LsapAuCallPackageApi;
  568. Message.PortMessage.u1.s1.DataLength = LSAP_AU_DATA_LENGTH(sizeof(*Arguments));
  569. Message.PortMessage.u1.s1.TotalLength = sizeof(Message);
  570. Message.PortMessage.u2.ZeroInit = 0L;
  571. Status = ZwRequestWaitReplyPort(
  572. LsaHandle,
  573. (PPORT_MESSAGE) &Message,
  574. (PPORT_MESSAGE) &Message
  575. );
  576. //
  577. // We may be returning bogus return values here, but it doesn't
  578. // matter. They will just be ignored if an error occured.
  579. //
  580. if ( ProtocolReturnBuffer )
  581. {
  582. (*ProtocolReturnBuffer) = Arguments->ProtocolReturnBuffer;
  583. }
  584. if ( ReturnBufferLength )
  585. {
  586. (*ReturnBufferLength) = Arguments->ReturnBufferLength;
  587. }
  588. if ( ProtocolStatus )
  589. {
  590. (*ProtocolStatus) = Arguments->ProtocolStatus;
  591. }
  592. if ( NT_SUCCESS(Status) ) {
  593. Status = Message.ReturnedStatus;
  594. #if DBG
  595. if ( !NT_SUCCESS(Status) ) {
  596. DbgPrint("LSA AU: Call Package Failed %lx\n",Status);
  597. }
  598. } else {
  599. DbgPrint("LSA AU: Call Package Failed %lx\n",Status);
  600. #endif //DBG
  601. }
  602. return Status;
  603. }
  604. NTSTATUS
  605. LsaDeregisterLogonProcess (
  606. IN HANDLE LsaHandle
  607. )
  608. /*++
  609. This function deletes the caller's logon process context.
  610. --- WARNING ---
  611. Logon Processes are part of the Trusted Computer Base, and,
  612. as such, are expected to be debugged to a high degree. If
  613. a logon process deregisters, we will believe it. This
  614. allows us to re-use the old Logon Process context value.
  615. If the Logon process accidently uses its context value
  616. after freeing it, strange things may happen. LIkewise,
  617. if a client calls to release a context that has already
  618. been released, then LSA may grind to a halt.
  619. Arguments:
  620. LsaHandle - Supplies a handle obtained in a previous call to
  621. LsaRegisterLogonProcess.
  622. Return Status:
  623. STATUS_SUCCESS - Indicates the service completed successfully.
  624. --*/
  625. {
  626. NTSTATUS Status;
  627. LSAP_AU_API_MESSAGE Message = {0};
  628. NTSTATUS TempStatus;
  629. //
  630. // Call the Local Security Authority Server.
  631. //
  632. Message.ApiNumber = LsapAuDeregisterLogonProcessApi;
  633. Message.PortMessage.u1.s1.DataLength = 8;
  634. Message.PortMessage.u1.s1.TotalLength = sizeof(Message);
  635. Message.PortMessage.u2.ZeroInit = 0L;
  636. Status = ZwRequestWaitReplyPort(
  637. LsaHandle,
  638. (PPORT_MESSAGE) &Message,
  639. (PPORT_MESSAGE) &Message
  640. );
  641. TempStatus = ZwClose(LsaHandle);
  642. ASSERT(NT_SUCCESS(TempStatus));
  643. if ( NT_SUCCESS(Status) ) {
  644. Status = Message.ReturnedStatus;
  645. #if DBG
  646. if ( !NT_SUCCESS(Status) ) {
  647. DbgPrint("LSA AU: DeRregisterLogonProcess Failed 0x%lx\n",Status);
  648. }
  649. } else {
  650. DbgPrint("LSA AU: Package Lookup NtRequestWaitReply Failed 0x%lx\n",Status);
  651. #endif
  652. }
  653. return Status;
  654. }