|
|
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1992 - 1996
//
// File: kerbtick.cxx
//
// Contents: Routines for obtaining and manipulating tickets
//
//
// History: 23-April-1996 Created MikeSw
// 26-Sep-1998 ChandanS
// Added more debugging support etc.
// 15-Oct-1999 ChandanS
// Send more choice of encryption types.
//
//------------------------------------------------------------------------
#include <kerb.hxx>
#include <kerbp.h>
#include <userapi.h> // for GSS support routines
#include <kerbpass.h>
#include <krbaudit.h>
extern "C"{#include <stdlib.h> // abs()
}
#include <utils.hxx>
#ifdef RETAIL_LOG_SUPPORT
static TCHAR THIS_FILE[]=TEXT(__FILE__);#endif
#define FILENO FILENO_KERBTICK
#ifndef WIN32_CHICAGO // We don't do server side stuff
#include <authen.hxx>
CAuthenticatorList * Authenticators;#endif // WIN32_CHICAGO // We don't do server side stuff
#include <lsaitf.h>
//+-------------------------------------------------------------------------
//
// Function: KerbRenewTicket
//
// Synopsis: renews a ticket
//
// Effects: Tries to renew a ticket
//
// Arguments: LogonSession - LogonSession for user, contains ticket caches
// and locks
// Credentials - Present if the ticket being renewed is hanging
// off a credential structure
// CredManCredentials - Credman credential
// Ticket - Ticket to renew
// IsTgt - Whether the ticket is a TGT
// NewTicket - Receives the renewed ticket
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbRenewTicket( IN PKERB_LOGON_SESSION LogonSession, IN OPTIONAL PKERB_CREDENTIAL Credentials, IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials, IN PKERB_TICKET_CACHE_ENTRY Ticket, IN BOOLEAN IsTgt, OUT PKERB_TICKET_CACHE_ENTRY *NewTicket ){ NTSTATUS Status; PKERB_INTERNAL_NAME ServiceName = NULL; PKERB_KDC_REPLY KdcReply = NULL; PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL; UNICODE_STRING ServiceRealm = NULL_UNICODE_STRING; BOOLEAN TicketCacheLocked = FALSE; BOOLEAN LogonSessionsLocked = FALSE; PKERB_PRIMARY_CREDENTIAL PrimaryCred; ULONG CacheFlags = 0; ULONG RetryFlags = 0;
*NewTicket = NULL;
//
// Copy the names out of the input structures so we can
// unlock the structures while going over the network.
//
KerbReadLockTicketCache(); TicketCacheLocked = TRUE;
//
// If the renew time is not much bigger than the end time, don't bother
// renewing
//
if (KerbGetTime(Ticket->EndTime) + KerbGetTime(KerbGlobalSkewTime) >= KerbGetTime(Ticket->RenewUntil)) { Status = STATUS_UNSUCCESSFUL; goto Cleanup; } CacheFlags = Ticket->CacheFlags;
Status = KerbDuplicateString( &ServiceRealm, &Ticket->DomainName ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
Status = KerbDuplicateKdcName( &ServiceName, Ticket->ServiceName ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
if ((Ticket->TicketFlags & KERB_TICKET_FLAGS_renewable) == 0) { Status = STATUS_ILLEGAL_FUNCTION; DebugLog((DEB_ERROR, "KerbRenewTicket trying to renew a non renewable ticket to")); KerbPrintKdcName(DEB_ERROR, ServiceName); goto Cleanup; }
KerbUnlockTicketCache(); TicketCacheLocked = FALSE;
Status = KerbGetTgsTicket( &ServiceRealm, Ticket, ServiceName, 0, // no flags
KERB_KDC_OPTIONS_renew, 0, // no encryption type
NULL, // no authorization data
NULL, // no PaDataList
NULL, // no tgt reply
NULL, // no evidence ticket
NULL, // no endtime
&KdcReply, &KdcReplyBody, &RetryFlags // no retry is necessary
);
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "KerbRenewTicket failed to get TGS ticket for service 0x%x ", Status)); KerbPrintKdcName(DEB_ERROR, ServiceName); goto Cleanup; }
KerbWriteLockLogonSessions(LogonSession); LogonSessionsLocked = TRUE;
if ((Credentials != NULL) && (Credentials->SuppliedCredentials != NULL)) { PrimaryCred = Credentials->SuppliedCredentials; } else if (CredManCredentials) { PrimaryCred = CredManCredentials->SuppliedCredentials; } else { PrimaryCred = &LogonSession->PrimaryCredentials; }
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, ServiceName, &ServiceRealm, CacheFlags, (IsTgt ? &PrimaryCred->AuthenticationTicketCache : &PrimaryCred->ServerTicketCache), NULL, NewTicket );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN, "KerbRenewTicket failed to create a ticket cache entry for service %#x ", Status)); KerbPrintKdcName(DEB_WARN, ServiceName); goto Cleanup; }
Cleanup:
if (TicketCacheLocked) { KerbUnlockTicketCache(); } if (LogonSessionsLocked) { KerbUnlockLogonSessions(LogonSession); }
KerbFreeTgsReply(KdcReply); KerbFreeKdcReplyBody(KdcReplyBody); KerbFreeKdcName(&ServiceName); KerbFreeString(&ServiceRealm); return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbRefreshPrimaryTgt
//
// Synopsis: Obtains a new TGT for a logon session or credential
//
//
// Effects: does a new AS exchange with the KDC to get a TGT for the client
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbRefreshPrimaryTgt( IN PKERB_LOGON_SESSION LogonSession, IN OPTIONAL PKERB_CREDENTIAL Credentials, IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials, IN OPTIONAL PUNICODE_STRING SuppRealm, IN OPTIONAL PKERB_TICKET_CACHE_ENTRY OldTgt, IN BOOLEAN GetInitialPrimaryTgt ){ NTSTATUS Status = STATUS_UNSUCCESSFUL;
if (ARGUMENT_PRESENT(OldTgt)) { PKERB_TICKET_CACHE_ENTRY NewTgt = NULL;
DebugLog((DEB_WARN, "KerbRefreshPrimaryTgt attempting to renew primary TGT\n"));
Status = KerbRenewTicket( LogonSession, Credentials, CredManCredentials, OldTgt, TRUE, // it is a TGT
&NewTgt ); if (NewTgt) { KerbDereferenceTicketCacheEntry(NewTgt); } }
if (!NT_SUCCESS(Status) && GetInitialPrimaryTgt) { DebugLog((DEB_WARN, "KerbRefreshPrimaryTgt getting new TGT for account\n"));
Status = KerbGetTicketForCredential( LogonSession, Credentials, CredManCredentials, SuppRealm ); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetTgtForService
//
// Synopsis: Gets a TGT for the domain of the specified service. If a
// cached one is available, it uses that one. Otherwise it
// calls the KDC to acquire it.
//
// Effects:
//
// Arguments: LogonSession - Logon session for which to acquire a ticket
// Credentials - If present & contains supp. creds, use them
// for the ticket cache
// SuppRealm - This is a supplied realm for which to acquire
// a TGT, this may or may not be the same as the
// TargetDomain.
// TargetDomain - Realm of service for which to acquire a TGT
// NewCacheEntry - Receives a referenced ticket cache entry for
// TGT
// CrossRealm - TRUE if target is known to be in a different realm
//
// Requires: The primary credentials be locked
//
// Returns: Kerberos errors, NT status codes.
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbGetTgtForService( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credential, IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials, IN OPTIONAL PUNICODE_STRING SuppRealm, IN PUNICODE_STRING TargetDomain, IN ULONG TargetFlags, OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry, OUT PBOOLEAN CrossRealm ){ NTSTATUS Status = STATUS_SUCCESS; PKERB_TICKET_CACHE_ENTRY CacheEntry; BOOLEAN DoRetry = TRUE; PKERB_PRIMARY_CREDENTIAL PrimaryCredentials;
*CrossRealm = FALSE; *NewCacheEntry = NULL;
D_DebugLog((DEB_TRACE, "KerbGetTgtForService TargetFlags %#x, SuppRealm %wZ, TargetFlags %wZ\n", TargetFlags, SuppRealm, TargetDomain));
if (ARGUMENT_PRESENT(Credential) && (Credential->SuppliedCredentials != NULL)) { PrimaryCredentials = Credential->SuppliedCredentials; } else if (ARGUMENT_PRESENT(CredManCredentials)) { PrimaryCredentials = CredManCredentials->SuppliedCredentials; } else { PrimaryCredentials = &LogonSession->PrimaryCredentials; }
if (TargetDomain->Length != 0) { CacheEntry = KerbLocateTicketCacheEntryByRealm( &PrimaryCredentials->AuthenticationTicketCache, TargetDomain, 0 );
if (CacheEntry != NULL) { *NewCacheEntry = CacheEntry; goto Cleanup; } }
//
// Well, we didn't find one to the other domain. Return a TGT for our
// domain.
//
Retry:
CacheEntry = KerbLocateTicketCacheEntryByRealm( &PrimaryCredentials->AuthenticationTicketCache, SuppRealm, KERB_TICKET_CACHE_PRIMARY_TGT );
if (CacheEntry != NULL) { //
// The first pass, make sure the ticket has a little bit of life.
// The second pass, we don't ask for as much
//
if (!KerbTicketIsExpiring(CacheEntry, DoRetry)) { Status = STATUS_SUCCESS; *NewCacheEntry = CacheEntry;
//
// If the TGT is not for the domain of the service,
// this is cross realm. If we used the SPN cache, we're
// obviously missing a ticket, and we need to restart the
// referral process.
//
//
if ((TargetDomain->Length != 0) && (TargetFlags & KERB_TARGET_USED_SPN_CACHE) == 0) { *CrossRealm = TRUE; } goto Cleanup; } }
//
// Try to obtain a new TGT
//
if (DoRetry) { PKERB_PRIMARY_CREDENTIAL PrimaryCred;
if ((Credential != NULL) && (Credential->SuppliedCredentials != NULL)) { PrimaryCred = Credential->SuppliedCredentials; } else if (CredManCredentials) { PrimaryCred = CredManCredentials->SuppliedCredentials; } else { PrimaryCred = &LogonSession->PrimaryCredentials; }
//
// Unlock the logon session so we can try to get a new TGT
//
KerbUnlockLogonSessions(LogonSession);
DebugLog((DEB_WARN, "KerbGetTgtForService getting new TGT for account\n"));
if (KerbHaveKeyMaterials(NULL, PrimaryCred)) { Status = KerbGetTicketForCredential( LogonSession, Credential, CredManCredentials, SuppRealm );
} else // no key materials? renew the existing TGT
{ Status = KerbRefreshPrimaryTgt( LogonSession, Credential, CredManCredentials, SuppRealm, CacheEntry, PrimaryCred->PublicKeyCreds != NULL // get initial primary TGT for smartcard credential
); if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN, "KerbGetTgtForService falied to refresh TGT %#x for %wZ@%wZ\n", Status, &PrimaryCred->UserName, &PrimaryCred->DomainName));
DoRetry = FALSE; // do not remove the existing cache entry and allow retry
} }
if (CacheEntry != NULL) { // pull the old TGT from the list, if its been replaced
if (NT_SUCCESS(Status) && DoRetry) { KerbRemoveTicketCacheEntry(CacheEntry); }
KerbDereferenceTicketCacheEntry(CacheEntry); CacheEntry = NULL; }
KerbReadLockLogonSessions(LogonSession); if (!NT_SUCCESS(Status) && DoRetry) { DebugLog((DEB_ERROR, "KerbGetTgtForService failed to refresh primary TGT: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__ )); goto Cleanup; } DoRetry = FALSE; goto Retry; }
if (NT_SUCCESS(Status)) { Status = SEC_E_NO_CREDENTIALS; // can not get TGT, possibly TGT expired
}
Cleanup:
if (!NT_SUCCESS(Status) && (CacheEntry != NULL)) { KerbDereferenceTicketCacheEntry(CacheEntry); *NewCacheEntry = NULL; }
return (Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildKerbCred
//
// Synopsis: Builds a marshalled KERB_CRED structure
//
// Effects: allocates destination with MIDL_user_allocate
//
// Arguments: Ticket - The ticket of the session key to seal the
// encrypted portion (OPTIONAL)
// DelegationTicket - The ticket to marshall into the cred message
// MarshalledKerbCred - Receives a marshalled KERB_CRED structure
// KerbCredSizes - Receives size, in bytes, of marshalled
// KERB_CRED.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildKerbCred( IN OPTIONAL PKERB_TICKET_CACHE_ENTRY Ticket, IN PKERB_TICKET_CACHE_ENTRY DelegationTicket, OUT PUCHAR * MarshalledKerbCred, OUT PULONG KerbCredSize ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr; KERB_CRED KerbCred; KERB_CRED_INFO_LIST CredInfo; KERB_ENCRYPTED_CRED EncryptedCred; KERB_CRED_TICKET_LIST TicketList; PUCHAR MarshalledEncryptPart = NULL; ULONG MarshalledEncryptSize; ULONG ConvertedFlags;
//
// Initialize the structures so they can be freed later.
//
*MarshalledKerbCred = NULL; *KerbCredSize = 0;
RtlZeroMemory( &KerbCred, sizeof(KERB_CRED) );
RtlZeroMemory( &EncryptedCred, sizeof(KERB_ENCRYPTED_CRED) ); RtlZeroMemory( &CredInfo, sizeof(KERB_CRED_INFO_LIST) ); RtlZeroMemory( &TicketList, sizeof(KERB_CRED_TICKET_LIST) );
KerbCred.version = KERBEROS_VERSION; KerbCred.message_type = KRB_CRED;
//
// First stick the ticket into the ticket list.
//
KerbReadLockTicketCache();
TicketList.next= NULL; TicketList.value = DelegationTicket->Ticket; KerbCred.tickets = &TicketList;
//
// Now build the KERB_CRED_INFO for this ticket
//
CredInfo.value.key = DelegationTicket->SessionKey; KerbConvertLargeIntToGeneralizedTime( &CredInfo.value.endtime, NULL, &DelegationTicket->EndTime ); CredInfo.value.bit_mask |= endtime_present;
KerbConvertLargeIntToGeneralizedTime( &CredInfo.value.starttime, NULL, &DelegationTicket->StartTime ); CredInfo.value.bit_mask |= KERB_CRED_INFO_starttime_present;
KerbConvertLargeIntToGeneralizedTime( &CredInfo.value.KERB_CRED_INFO_renew_until, NULL, &DelegationTicket->RenewUntil ); CredInfo.value.bit_mask |= KERB_CRED_INFO_renew_until_present;
ConvertedFlags = KerbConvertUlongToFlagUlong(DelegationTicket->TicketFlags); CredInfo.value.flags.value = (PUCHAR) &ConvertedFlags; CredInfo.value.flags.length = 8 * sizeof(ULONG); CredInfo.value.bit_mask |= flags_present;
//
// The following fields are marked as optional but treated
// as mandatory by the MIT implementation of Kerberos and
// therefore we provide them.
//
KerbErr = KerbConvertKdcNameToPrincipalName( &CredInfo.value.principal_name, DelegationTicket->ClientName ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } CredInfo.value.bit_mask |= principal_name_present;
KerbErr = KerbConvertKdcNameToPrincipalName( &CredInfo.value.service_name, DelegationTicket->ServiceName ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } CredInfo.value.bit_mask |= service_name_present;
//
// We are assuming that because we are sending a TGT the
// client realm is the same as the server realm. If we ever
// send non-tgt or cross-realm tgt, this needs to be fixed.
//
KerbErr = KerbConvertUnicodeStringToRealm( &CredInfo.value.principal_realm, &DelegationTicket->ClientDomainName ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } //
// The realms are the same, so don't allocate both
//
CredInfo.value.service_realm = CredInfo.value.principal_realm; CredInfo.value.bit_mask |= principal_realm_present | service_realm_present;
EncryptedCred.ticket_info = &CredInfo;
//
// Now encrypted the encrypted cred into the cred
//
if (!KERB_SUCCESS(KerbPackEncryptedCred( &EncryptedCred, &MarshalledEncryptSize, &MarshalledEncryptPart ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// If we are doing DES encryption, then we are talking with an non-NT
// server. Hence, don't encrypt the kerb-cred.
//
// Additionally, if service ticket == NULL, don't encrypt kerb cred
//
if (!ARGUMENT_PRESENT(Ticket)) { KerbCred.encrypted_part.cipher_text.length = MarshalledEncryptSize; KerbCred.encrypted_part.cipher_text.value = MarshalledEncryptPart; KerbCred.encrypted_part.encryption_type = 0; MarshalledEncryptPart = NULL; } else if( KERB_IS_DES_ENCRYPTION(Ticket->SessionKey.keytype)) { KerbCred.encrypted_part.cipher_text.length = MarshalledEncryptSize; KerbCred.encrypted_part.cipher_text.value = MarshalledEncryptPart; KerbCred.encrypted_part.encryption_type = 0; MarshalledEncryptPart = NULL; } else { //
// Now get the encryption overhead
//
KerbErr = KerbAllocateEncryptionBufferWrapper( Ticket->SessionKey.keytype, MarshalledEncryptSize, &KerbCred.encrypted_part.cipher_text.length, &KerbCred.encrypted_part.cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
//
// Encrypt the data.
//
KerbErr = KerbEncryptDataEx( &KerbCred.encrypted_part, MarshalledEncryptSize, MarshalledEncryptPart, KERB_NO_KEY_VERSION, KERB_CRED_SALT, &Ticket->SessionKey ); if (!KERB_SUCCESS(KerbErr)) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } }
//
// Now we have to marshall the whole KERB_CRED
//
if (!KERB_SUCCESS(KerbPackKerbCred( &KerbCred, KerbCredSize, MarshalledKerbCred ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
Cleanup: KerbUnlockTicketCache();
KerbFreePrincipalName(&CredInfo.value.service_name);
KerbFreePrincipalName(&CredInfo.value.principal_name);
KerbFreeRealm(&CredInfo.value.principal_realm);
if (MarshalledEncryptPart != NULL) { MIDL_user_free(MarshalledEncryptPart); } if (KerbCred.encrypted_part.cipher_text.value != NULL) { MIDL_user_free(KerbCred.encrypted_part.cipher_text.value); } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetDelegationTgt
//
// Synopsis: Gets a TGT to delegate to another service. This TGT
// is marked as forwarded and does not include any
// client addresses
//
// Effects:
//
// Arguments:
//
// Requires: Logon sesion must be read-locked
//
// Returns:
//
// Notes: This gets a delegation TGT & caches it under the realm name
// "$$Delegation Ticket$$". When we look for it again later,
// it should be discoverable under the same name.
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbGetDelegationTgt( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_PRIMARY_CREDENTIAL Credentials, IN PKERB_TICKET_CACHE_ENTRY ServicetTicket, OUT PKERB_TICKET_CACHE_ENTRY * DelegationTgt ){ PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL; PKERB_INTERNAL_NAME TgsName = NULL; UNICODE_STRING TgsRealm = {0}; PKERB_KDC_REPLY KdcReply = NULL; PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL; BOOLEAN LogonSessionLocked = TRUE; NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING CacheName; BOOLEAN CacheTicket = TRUE; ULONG RetryFlags = 0;
RtlInitUnicodeString( &CacheName, L"$$Delegation Ticket$$" );
*DelegationTgt = KerbLocateTicketCacheEntryByRealm( &Credentials->AuthenticationTicketCache, &CacheName, KERB_TICKET_CACHE_DELEGATION_TGT ); if (*DelegationTgt != NULL ) { KerbReadLockTicketCache();
//
// when use cached tgt, make sure the encryption_type matches and
// life time is no less than that of the service ticket
//
if ((ServicetTicket->Ticket.encrypted_part.encryption_type != (*DelegationTgt)->Ticket.encrypted_part.encryption_type) || (KerbGetTime((*DelegationTgt)->EndTime) < KerbGetTime(ServicetTicket->EndTime))) { KerbUnlockTicketCache(); KerbDereferenceTicketCacheEntry(*DelegationTgt); *DelegationTgt = NULL; CacheTicket = FALSE; } else { KerbUnlockTicketCache(); goto Cleanup; } }
TicketGrantingTicket = KerbLocateTicketCacheEntryByRealm( &Credentials->AuthenticationTicketCache, &Credentials->DomainName, // take the logon TGT
0 );
if ((TicketGrantingTicket == NULL) || ((TicketGrantingTicket->TicketFlags & KERB_TICKET_FLAGS_forwardable) == 0) ) { DebugLog((DEB_WARN, "Trying to delegate but no forwardable TGT\n")); Status = SEC_E_NO_CREDENTIALS; goto Cleanup; }
//
// Get the TGT service name from the TGT
//
KerbReadLockTicketCache();
Status = KerbDuplicateKdcName( &TgsName, TicketGrantingTicket->ServiceName ); if (NT_SUCCESS(Status)) { Status = KerbDuplicateString( &TgsRealm, &TicketGrantingTicket->DomainName ); } KerbUnlockTicketCache(); if (!NT_SUCCESS(Status)) { goto Cleanup; }
DsysAssert( LogonSessionLocked ); KerbUnlockLogonSessions(LogonSession); LogonSessionLocked = FALSE;
//
// Now try to get the ticket.
//
Status = KerbGetTgsTicket( &TgsRealm, TicketGrantingTicket, TgsName, TRUE, // no name canonicalization, no GC lookups.
KERB_KDC_OPTIONS_forwarded | KERB_DEFAULT_TICKET_FLAGS, ServicetTicket->Ticket.encrypted_part.encryption_type, // no encryption type
NULL, // no authorization data
NULL, // no pa data
NULL, // no tgt reply
NULL, // no evidence ticket
NULL, // let kdc determine end time
&KdcReply, &KdcReplyBody, &RetryFlags ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
DsysAssert( !LogonSessionLocked ); KerbReadLockLogonSessions(LogonSession); LogonSessionLocked = TRUE;
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, NULL, // no target name
&CacheName, KERB_TICKET_CACHE_DELEGATION_TGT, CacheTicket ? &Credentials->AuthenticationTicketCache : NULL, NULL, // no credential key
DelegationTgt ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
Cleanup: KerbFreeTgsReply (KdcReply); KerbFreeKdcReplyBody (KdcReplyBody);
if (TicketGrantingTicket != NULL) { KerbDereferenceTicketCacheEntry(TicketGrantingTicket); } KerbFreeKdcName(&TgsName); KerbFreeString(&TgsRealm);
if (!LogonSessionLocked) { KerbReadLockLogonSessions(LogonSession); } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildGssChecskum
//
// Synopsis: Builds the GSS checksum to go in an AP request
//
// Effects: Allocates a checksum with KerbAllocate
//
// Arguments: ContextFlags - Requested context flags
// LogonSession - LogonSession to be used for delegation
// GssChecksum - Receives the new checksum
// ApOptions - Receives the requested AP options
//
// Requires:
//
// Returns:
//
// Notes: The logon session is locked when this is called.
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildGssChecksum( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_PRIMARY_CREDENTIAL PrimaryCredentials, IN PKERB_TICKET_CACHE_ENTRY Ticket, IN OUT PULONG ContextFlags, OUT PKERB_CHECKSUM GssChecksum, OUT PULONG ApOptions, IN PSEC_CHANNEL_BINDINGS pChannelBindings ){ NTSTATUS Status = STATUS_SUCCESS; PKERB_GSS_CHECKSUM ChecksumBody = NULL; PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL; ULONG ChecksumSize = GSS_CHECKSUM_SIZE; ULONG KerbCredSize = 0 ; PUCHAR KerbCred = NULL; BOOL OkAsDelegate = FALSE, OkToTrustMitKdc = FALSE; PKERB_MIT_REALM MitRealm = NULL; BOOLEAN UsedAlternateName; ULONG BindHash[4];
*ApOptions = 0;
//
// If we are doing delegation, built a KERB_CRED message to return
//
if (*ContextFlags & (ISC_RET_DELEGATE | ISC_RET_DELEGATE_IF_SAFE)) { KerbReadLockTicketCache(); OkAsDelegate = ((Ticket->TicketFlags & KERB_TICKET_FLAGS_ok_as_delegate) != 0) ? TRUE : FALSE; if (KerbLookupMitRealm( &Ticket->DomainName, &MitRealm, &UsedAlternateName)) { if ((MitRealm->Flags & KERB_MIT_REALM_TRUSTED_FOR_DELEGATION) != 0) { OkToTrustMitKdc = TRUE; } } KerbUnlockTicketCache();
if (OkAsDelegate || OkToTrustMitKdc) { D_DebugLog((DEB_TRACE, "KerbBuildGssChecksum asked for delegate if safe, and getting delegation TGT\n"));
//
// Check to see if we have a TGT
//
Status = KerbGetDelegationTgt( LogonSession, PrimaryCredentials, Ticket, &TicketGrantingTicket ); if (!NT_SUCCESS(Status)) { //
// Turn off the delegate flag for building the token.
//
*ContextFlags &= ~ISC_RET_DELEGATE; *ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE; DebugLog((DEB_WARN, "KerbBuildGssChecksum failed to get delegation TGT: 0x%x\n", Status)); Status = STATUS_SUCCESS; } else { //
// Build the KERB_CRED message
//
Status = KerbBuildKerbCred( Ticket, TicketGrantingTicket, &KerbCred, &KerbCredSize ); if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "Failed to build KERB_CRED: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__)); goto Cleanup; } //ChecksumSize= sizeof(KERB_GSS_CHECKSUM) - ANYSIZE_ARRAY * sizeof(UCHAR) + KerbCredSize;
ChecksumSize = GSS_DELEGATE_CHECKSUM_SIZE + KerbCredSize;
//
// And if only the DELEGATE_IF_SAFE flag was on, turn on the
// real delegate flag:
//
*ContextFlags |= ISC_RET_DELEGATE ; } } else { //
// Turn off the delegate flag for building the token.
//
*ContextFlags &= ~ISC_RET_DELEGATE; *ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE; } }
ChecksumBody = (PKERB_GSS_CHECKSUM) KerbAllocate(ChecksumSize); if (ChecksumBody == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Convert the requested flags to AP options.
//
if ((*ContextFlags & ISC_RET_MUTUAL_AUTH) != 0) { *ApOptions |= KERB_AP_OPTIONS_mutual_required; ChecksumBody->GssFlags |= GSS_C_MUTUAL_FLAG; }
if ((*ContextFlags & ISC_RET_USE_SESSION_KEY) != 0) { *ApOptions |= KERB_AP_OPTIONS_use_session_key; }
if ((*ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) { ChecksumBody->GssFlags |= GSS_C_DCE_STYLE; }
if ((*ContextFlags & ISC_RET_SEQUENCE_DETECT) != 0) { ChecksumBody->GssFlags |= GSS_C_SEQUENCE_FLAG; }
if ((*ContextFlags & ISC_RET_REPLAY_DETECT) != 0) { ChecksumBody->GssFlags |= GSS_C_REPLAY_FLAG; }
if ((*ContextFlags & ISC_RET_CONFIDENTIALITY) != 0) { ChecksumBody->GssFlags |= GSS_C_CONF_FLAG; }
if ((*ContextFlags & ISC_RET_INTEGRITY) != 0) { ChecksumBody->GssFlags |= GSS_C_INTEG_FLAG; }
if ((*ContextFlags & ISC_RET_IDENTIFY) != 0) { ChecksumBody->GssFlags |= GSS_C_IDENTIFY_FLAG; }
if ((*ContextFlags & ISC_RET_EXTENDED_ERROR) != 0) { ChecksumBody->GssFlags |= GSS_C_EXTENDED_ERROR_FLAG; }
if ((*ContextFlags & ISC_RET_DELEGATE) != 0) { ChecksumBody->GssFlags |= GSS_C_DELEG_FLAG; ChecksumBody->Delegation = 1; ChecksumBody->DelegationLength = (USHORT) KerbCredSize; RtlCopyMemory( ChecksumBody->DelegationInfo, KerbCred, KerbCredSize ); }
ChecksumBody->BindLength = 0x10;
//
// (viz. Windows Bugs 94818)
// If channel bindings are absent, BindHash should be {0,0,0,0}
//
if( pChannelBindings == NULL ) { RtlZeroMemory( ChecksumBody->BindHash, ChecksumBody->BindLength ); } else { Status = KerbComputeGssBindHash( pChannelBindings, (PUCHAR)BindHash );
if( !NT_SUCCESS(Status) ) { goto Cleanup; }
RtlCopyMemory( ChecksumBody->BindHash, BindHash, ChecksumBody->BindLength ); }
GssChecksum->checksum_type = GSS_CHECKSUM_TYPE; GssChecksum->checksum.length = ChecksumSize; GssChecksum->checksum.value = (PUCHAR) ChecksumBody; ChecksumBody = NULL;
Cleanup: if (!NT_SUCCESS(Status)) { if (ChecksumBody != NULL) { KerbFree(ChecksumBody); } } if (TicketGrantingTicket != NULL) { KerbDereferenceTicketCacheEntry(TicketGrantingTicket); }
if (KerbCred != NULL) { MIDL_user_free(KerbCred); } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildApRequest
//
// Synopsis: Builds an AP request message from a logon session and a
// ticket cache entry.
//
// Effects:
//
// Arguments: LogonSession - Logon session used to build this AP request
// Credential - Optional credential for use with supplemental credentials
// TicketCacheEntry - Ticket with which to build the AP request
// ErrorMessage - Optionally contains error message from last AP request
// ContextFlags - Flags passed in by client indicating
// authentication requirements. If the flags can't
// be supported they will be turned off.
// MarshalledApReqest - Receives a marshalled AP request allocated
// with KerbAllocate
// ApRequestSize - Length of the AP reques structure in bytes
// Nonce - Nonce used for this request. if non-zero, then the
// nonce supplied by the caller will be used.
// SubSessionKey - if generated, returns a sub-session key in AP request
// pAuthenticatorTime - timestamp placed on the AP request
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildApRequest( IN PKERB_LOGON_SESSION LogonSession, IN OPTIONAL PKERB_CREDENTIAL Credential, IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials, IN PKERB_TICKET_CACHE_ENTRY TicketCacheEntry, IN OPTIONAL PKERB_ERROR ErrorMessage, IN ULONG ContextAttributes, IN OUT PULONG ContextFlags, OUT PUCHAR * MarshalledApRequest, OUT PULONG ApRequestSize, OUT PULONG Nonce, OUT OPTIONAL PTimeStamp pAuthenticatorTime, IN OUT PKERB_ENCRYPTION_KEY SubSessionKey, IN PSEC_CHANNEL_BINDINGS pChannelBindings ){ NTSTATUS Status; ULONG ApOptions = 0; KERBERR KerbErr; KERB_CHECKSUM GssChecksum = {0}; PKERB_PRIMARY_CREDENTIAL PrimaryCredentials = NULL; TimeStamp ServerTime; ULONG RequestSize; PUCHAR RequestWithHeader = NULL; PUCHAR RequestStart; gss_OID MechId; BOOLEAN LogonSessionLocked = FALSE;
*ApRequestSize = 0; *MarshalledApRequest = NULL;
//
// If we have an error message, use it to compute a skew time to adjust
// local time by
//
if (ARGUMENT_PRESENT(ErrorMessage)) { TimeStamp CurrentTime; GetSystemTimeAsFileTime((PFILETIME) &CurrentTime);
KerbWriteLockTicketCache();
//
// Update the skew cache the first time we fail to a server
//
if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_SKEW) { if (KerbGetTime(TicketCacheEntry->TimeSkew) == 0) { KerbUpdateSkewTime(TRUE); } } KerbConvertGeneralizedTimeToLargeInt( &ServerTime, &ErrorMessage->server_time, ErrorMessage->server_usec ); KerbSetTime(&TicketCacheEntry->TimeSkew, KerbGetTime(ServerTime) - KerbGetTime(CurrentTime)); KerbUnlockTicketCache(); }
//
// Allocate a nonce if we don't have one already.
//
if (*Nonce == 0) { *Nonce = KerbAllocateNonce(); }
D_DebugLog((DEB_TRACE,"BuildApRequest using nonce 0x%x\n",*Nonce));
DsysAssert( !LogonSessionLocked ); KerbReadLockLogonSessions(LogonSession); LogonSessionLocked = TRUE;
if (ARGUMENT_PRESENT(Credential)) { if (Credential->SuppliedCredentials != NULL) { PrimaryCredentials = Credential->SuppliedCredentials; } }
// use cred manager creds if present
if (ARGUMENT_PRESENT(CredManCredentials)) { PrimaryCredentials = CredManCredentials->SuppliedCredentials; }
if (PrimaryCredentials == NULL) { PrimaryCredentials = &LogonSession->PrimaryCredentials; }
//
// get the GSS checksum
//
Status = KerbBuildGssChecksum( LogonSession, PrimaryCredentials, TicketCacheEntry, ContextFlags, &GssChecksum, &ApOptions, pChannelBindings ); if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to build GSS checksum: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// If are an export client, create a subsession key. For datagram,
// the caller passes in a pre-generated session key.
//
//
// For datagram, they subsession key has already been set so we don't need
// to create one here.
//
if ((((*ContextFlags & ISC_RET_DATAGRAM) == 0)) || (((*ContextFlags & (ISC_RET_USED_DCE_STYLE | ISC_RET_MUTUAL_AUTH)) == 0) && !KerbGlobalUseStrongEncryptionForDatagram)) { KERBERR KerbErr;
//
// First free the Subsession key, if there was one.
//
KerbFreeKey(SubSessionKey);
KerbErr = KerbMakeKey( TicketCacheEntry->SessionKey.keytype, SubSessionKey );
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } }
//
// Create the AP request
//
KerbReadLockTicketCache();
//
// Bug 464930: the KDC could generate a NULL client name,
// but doing so is clearly wrong
//
if ( TicketCacheEntry->ClientName == NULL ) {
Status = STATUS_INVALID_PARAMETER; KerbUnlockTicketCache(); goto Cleanup; }
KerbErr = KerbCreateApRequest( TicketCacheEntry->ClientName, &TicketCacheEntry->ClientDomainName, &TicketCacheEntry->SessionKey, (SubSessionKey->keyvalue.value != NULL) ? SubSessionKey : NULL, *Nonce, pAuthenticatorTime, &TicketCacheEntry->Ticket, ApOptions, &GssChecksum, &TicketCacheEntry->TimeSkew, FALSE, // not a KDC request
ApRequestSize, MarshalledApRequest );
KerbUnlockTicketCache();
DsysAssert( LogonSessionLocked ); KerbUnlockLogonSessions(LogonSession); LogonSessionLocked = FALSE;
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to create AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// If we aren't doing DCE style, add in the GSS token headers now
//
if ((*ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) { goto Cleanup; }
//
// Pick the correct OID
//
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0) { MechId = gss_mech_krb5_u2u; } else { MechId = gss_mech_krb5_new; }
RequestSize = g_token_size(MechId, *ApRequestSize); RequestWithHeader = (PUCHAR) KerbAllocate(RequestSize); if (RequestWithHeader == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// the g_make_token_header will reset this to point to the end of the
// header
//
RequestStart = RequestWithHeader;
g_make_token_header( MechId, *ApRequestSize, &RequestStart, KG_TOK_CTX_AP_REQ );
DsysAssert(RequestStart - RequestWithHeader + *ApRequestSize == RequestSize);
RtlCopyMemory( RequestStart, *MarshalledApRequest, *ApRequestSize );
KerbFree(*MarshalledApRequest); *MarshalledApRequest = RequestWithHeader; *ApRequestSize = RequestSize; RequestWithHeader = NULL;
Cleanup:
if (LogonSessionLocked) { KerbUnlockLogonSessions(LogonSession); } if (GssChecksum.checksum.value != NULL) { KerbFree(GssChecksum.checksum.value); } if (!NT_SUCCESS(Status) && (*MarshalledApRequest != NULL)) { KerbFree(*MarshalledApRequest); *MarshalledApRequest = NULL; } return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildNullSessionApRequest
//
// Synopsis: builds an AP request for a null session
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildNullSessionApRequest( OUT PUCHAR * MarshalledApRequest, OUT PULONG ApRequestSize ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr; KERB_AP_REQUEST ApRequest; UNICODE_STRING NullString = CONSTANT_UNICODE_STRING(L""); UCHAR TempBuffer[1]; ULONG RequestSize; PUCHAR RequestWithHeader = NULL; PUCHAR RequestStart;
RtlZeroMemory( &ApRequest, sizeof(KERB_AP_REQUEST) );
TempBuffer[0] = '\0';
//
// Fill in the AP request structure.
//
ApRequest.version = KERBEROS_VERSION; ApRequest.message_type = KRB_AP_REQ;
//
// Fill in mandatory fields - ASN1/OSS requires this
//
if (!KERB_SUCCESS(KerbConvertStringToPrincipalName( &ApRequest.ticket.server_name, &NullString, KRB_NT_UNKNOWN ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
if (!KERB_SUCCESS(KerbConvertUnicodeStringToRealm( &ApRequest.ticket.realm, &NullString ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
ApRequest.ticket.encrypted_part.cipher_text.length = 1; ApRequest.ticket.encrypted_part.cipher_text.value = TempBuffer; ApRequest.authenticator.cipher_text.length = 1; ApRequest.authenticator.cipher_text.value = TempBuffer;
//
// Now marshall the request
//
KerbErr = KerbPackApRequest( &ApRequest, ApRequestSize, MarshalledApRequest );
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to pack AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Since we never do null sessions with user-to-user, we don't have
// to worry about which mech id to use
//
RequestSize = g_token_size((gss_OID) gss_mech_krb5_new, *ApRequestSize);
RequestWithHeader = (PUCHAR) KerbAllocate(RequestSize); if (RequestWithHeader == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// the g_make_token_header will reset this to point to the end of the
// header
//
RequestStart = RequestWithHeader;
g_make_token_header( (gss_OID) gss_mech_krb5_new, *ApRequestSize, &RequestStart, KG_TOK_CTX_AP_REQ );
DsysAssert(RequestStart - RequestWithHeader + *ApRequestSize == RequestSize);
RtlCopyMemory( RequestStart, *MarshalledApRequest, *ApRequestSize );
KerbFree(*MarshalledApRequest); *MarshalledApRequest = RequestWithHeader; *ApRequestSize = RequestSize; RequestWithHeader = NULL;
Cleanup: if (!NT_SUCCESS(Status)) { if (*MarshalledApRequest != NULL) { MIDL_user_free(*MarshalledApRequest); *MarshalledApRequest = NULL; } } KerbFreeRealm(&ApRequest.ticket.realm); KerbFreePrincipalName(&ApRequest.ticket.server_name); return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: KerbMakeSocketCall
//
// Synopsis: Contains logic for sending a message to a KDC in the
// specified realm on a specified port
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbMakeSocketCall( IN PUNICODE_STRING RealmName, IN OPTIONAL PUNICODE_STRING AccountName, IN BOOLEAN CallPDC, IN BOOLEAN UseTcp, IN BOOLEAN CallKpasswd, IN PKERB_MESSAGE_BUFFER RequestMessage, IN PKERB_MESSAGE_BUFFER ReplyMessage, IN OPTIONAL PKERB_BINDING_CACHE_ENTRY OptionalBindingHandle, IN ULONG AdditionalFlags, OUT PBOOLEAN CalledPDC ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr = KDC_ERR_NONE; ULONG Retries; PKERB_BINDING_CACHE_ENTRY BindingHandle = NULL; ULONG DesiredFlags; ULONG Timeout = KerbGlobalKdcCallTimeout;
//
// If the caller wants a PDC, so be it
//
*CalledPDC = FALSE;
if (CallPDC) { DesiredFlags = DS_PDC_REQUIRED; } else { DesiredFlags = 0; }
//
// Now actually get the ticket. We will retry twice.
//
if ((AdditionalFlags & DS_FORCE_REDISCOVERY) != 0) { DesiredFlags |= DS_FORCE_REDISCOVERY; D_DebugLog((DEB_TRACE,"KerbMakeSocketCall() caller wants rediscovery!\n")); }
Retries = 0; do { //
// don't force retry the first time
//
if (Retries > 0) { DesiredFlags |= DS_FORCE_REDISCOVERY; Timeout += KerbGlobalKdcCallBackoff; }
// Use ADSI supplied info, then retry using cached version
if (ARGUMENT_PRESENT(OptionalBindingHandle) && (Retries == 0)) { BindingHandle = OptionalBindingHandle; } else { Status = KerbGetKdcBinding( RealmName, AccountName, DesiredFlags, CallKpasswd, UseTcp, &BindingHandle ); }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_WARN,"Failed to get KDC binding for %wZ: 0x%x\n", RealmName, Status)); goto Cleanup; }
//
// If the KDC doesn't support TCP, don't use TCP. Otherwise
// use it if the sending buffer is too big, or if it was already
// set.
//
if ((BindingHandle->CacheFlags & KERB_BINDING_NO_TCP) != 0) { UseTcp = FALSE; } else { if (RequestMessage->BufferSize > KerbGlobalMaxDatagramSize) { UseTcp = TRUE; } }
//
// Lock the binding while we make the call
//
if (!*CalledPDC) { *CalledPDC = (BindingHandle->Flags & DS_PDC_REQUIRED) ? (BOOLEAN) TRUE : (BOOLEAN) FALSE; }
#ifndef WIN32_CHICAGO
if ((BindingHandle->CacheFlags & KERB_BINDING_LOCAL) != 0) { NTSTATUS TokenStatus; HANDLE ImpersonationToken = NULL; // Are we impersonating?
TokenStatus = NtOpenThreadToken( NtCurrentThread(), TOKEN_QUERY | TOKEN_IMPERSONATE, TRUE, &ImpersonationToken );
if( NT_SUCCESS(TokenStatus) ) { //
// stop impersonating.
//
RevertToSelf(); }
KERB_MESSAGE_BUFFER KdcReplyMessage = {0}; if (!CallKpasswd) {
D_DebugLog((DEB_TRACE,"Calling kdc directly\n"));
DsysAssert(KerbKdcGetTicket != NULL); KerbErr = (*KerbKdcGetTicket)( NULL, // no context,
NULL, // no client address
NULL, // no server address
RequestMessage, &KdcReplyMessage ); } else { DsysAssert(KerbKdcChangePassword != NULL); KerbErr = (*KerbKdcChangePassword)( NULL, // no context,
NULL, // no client address
NULL, // no server address
RequestMessage, &KdcReplyMessage ); }
if( ImpersonationToken != NULL ) {
//
// put the thread token back if we were impersonating.
//
SetThreadToken( NULL, ImpersonationToken ); NtClose( ImpersonationToken ); }
if (KerbErr != KDC_ERR_NOT_RUNNING) { //
// Copy the data so it can be freed with MIDL_user_free.
//
if ((0 != KdcReplyMessage.BufferSize) && (NULL != KdcReplyMessage.Buffer)) { ReplyMessage->BufferSize = KdcReplyMessage.BufferSize; ReplyMessage->Buffer = (PUCHAR) MIDL_user_allocate( KdcReplyMessage.BufferSize); if (ReplyMessage->Buffer != NULL) { RtlCopyMemory( ReplyMessage->Buffer, KdcReplyMessage.Buffer, KdcReplyMessage.BufferSize ); } else { Status = STATUS_INSUFFICIENT_RESOURCES; } (*KerbKdcFreeMemory)(KdcReplyMessage.Buffer); } else { DebugLog((DEB_ERROR, "KerbMakeSocketCall direct kdc call returned %#x and received no error message KdcReplyMessage.BufferSize %#x KdcReplyMessage.Buffer %p\n", KerbErr, KdcReplyMessage.BufferSize, KdcReplyMessage.Buffer)); Status = STATUS_INSUFFICIENT_RESOURCES; // no message returned from KDC
} goto Cleanup; } else { //
// The KDC said it wasn't running.
//
KerbKdcStarted = FALSE; Status = STATUS_NETLOGON_NOT_STARTED;
//
// Get rid of the binding handle so we don't use it again.
// Don't whack supplied optional binding handle though
//
if (BindingHandle != OptionalBindingHandle) { KerbRemoveBindingCacheEntry( BindingHandle ); } } }
else#endif // WIN32_CHICAGO
{ DebugLog((DEB_TRACE_BND_CACHE, "Calling kdc %wZ for realm %S\n", &BindingHandle->KdcAddress, RealmName->Buffer)); Status = KerbCallKdc( &BindingHandle->KdcAddress, BindingHandle->AddressType, Timeout, !UseTcp, CallKpasswd ? (USHORT) KERB_KPASSWD_PORT : (USHORT) KERB_KDC_PORT, RequestMessage, ReplyMessage );
if (!NT_SUCCESS(Status) ) { //
// If the request used UDP and we got an invalid buffer size error,
// try again with TCP.
//
if ((Status == STATUS_INVALID_BUFFER_SIZE) && (!UseTcp)) {
if ((BindingHandle->CacheFlags & KERB_BINDING_NO_TCP) == 0) {
UseTcp = TRUE; Status = KerbCallKdc( &BindingHandle->KdcAddress, BindingHandle->AddressType, Timeout, !UseTcp, CallKpasswd ? (USHORT) KERB_KPASSWD_PORT : (USHORT) KERB_KDC_PORT, RequestMessage, ReplyMessage ); } }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to get make call to KDC %wZ: 0x%x. %ws, line %d\n", &BindingHandle->KdcAddress, Status, THIS_FILE, __LINE__)); //
// The call itself failed, so the binding handle was bad.
// Free it now, unless supplied as optional binding handle.
//
if (BindingHandle != OptionalBindingHandle) { KerbRemoveBindingCacheEntry( BindingHandle ); } } } }
if (BindingHandle != OptionalBindingHandle) { KerbDereferenceBindingCacheEntry( BindingHandle ); Retries++; }
BindingHandle = NULL;
} while ( !NT_SUCCESS(Status) && (Retries < KerbGlobalKdcSendRetries) );
Cleanup:
//
// monitor UDP transmission quality.
//
if (!UseTcp) { if ( !NT_SUCCESS(Status) && ( Retries == KerbGlobalKdcSendRetries )) { DebugLog((DEB_ERROR, "We look to be timing out on UDP \n")); KerbReportTransportError(Status); } else if (NT_SUCCESS(Status) && ( Retries < KerbGlobalKdcSendRetries )) { KerbResetTransportCounter(); } }
if ((BindingHandle != NULL) && (BindingHandle != OptionalBindingHandle)) { KerbDereferenceBindingCacheEntry(BindingHandle); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbMakeKdcCall
//
// Synopsis: Contains logic for calling a KDC including binding and
// retrying.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbMakeKdcCall( IN PUNICODE_STRING RealmName, IN OPTIONAL PUNICODE_STRING AccountName, IN BOOLEAN CallPDC, IN BOOLEAN UseTcp, IN PKERB_MESSAGE_BUFFER RequestMessage, IN PKERB_MESSAGE_BUFFER ReplyMessage, IN ULONG AdditionalFlags, OUT PBOOLEAN CalledPDC ){
if (ARGUMENT_PRESENT(AccountName)) { D_DebugLog((DEB_ERROR, "[trace info] Making DsGetDcName w/ account name\n")); }
return(KerbMakeSocketCall( RealmName, AccountName, CallPDC, UseTcp, FALSE, // don't call Kpasswd
RequestMessage, ReplyMessage, NULL, // optional binding cache handle, for kpasswd only
AdditionalFlags, CalledPDC ));}
//+-------------------------------------------------------------------------
//
// Function: KerbComputeTgsChecksum
//
// Synopsis: computes the checksum of a TGS request body by marshalling
// the request and the checksumming it.
//
// Effects: Allocates destination with KerbAllocate().
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbComputeTgsChecksum( IN PKERB_KDC_REQUEST_BODY RequestBody, IN PKERB_ENCRYPTION_KEY Key, IN ULONG ChecksumType, OUT PKERB_CHECKSUM Checksum ){ PCHECKSUM_FUNCTION ChecksumFunction; PCHECKSUM_BUFFER CheckBuffer = NULL; KERB_MESSAGE_BUFFER MarshalledRequestBody = {0, NULL}; NTSTATUS Status;
RtlZeroMemory( Checksum, sizeof(KERB_CHECKSUM) );
Status = CDLocateCheckSum( ChecksumType, &ChecksumFunction ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Allocate enough space for the checksum
//
Checksum->checksum.value = (PUCHAR) KerbAllocate(ChecksumFunction->CheckSumSize); if (Checksum->checksum.value == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } Checksum->checksum.length = ChecksumFunction->CheckSumSize; Checksum->checksum_type = (int) ChecksumType;
// don't av here.
if ((ChecksumType == KERB_CHECKSUM_REAL_CRC32) || (ChecksumType == KERB_CHECKSUM_CRC32)) { if (ChecksumFunction->Initialize) { Status = ChecksumFunction->Initialize( 0, &CheckBuffer ); } else { Status = STATUS_CRYPTO_SYSTEM_INVALID; } } else { if (ChecksumFunction->InitializeEx2) { Status = ChecksumFunction->InitializeEx2( Key->keyvalue.value, (ULONG) Key->keyvalue.length, NULL, KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT, &CheckBuffer ); } else if (ChecksumFunction->InitializeEx) { Status = ChecksumFunction->InitializeEx( Key->keyvalue.value, (ULONG) Key->keyvalue.length, KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT, &CheckBuffer ); } else { Status = STATUS_CRYPTO_SYSTEM_INVALID; } }
if (!NT_SUCCESS(Status)) { goto Cleanup; }
if (!KERB_SUCCESS(KerbPackData( RequestBody, KERB_MARSHALLED_REQUEST_BODY_PDU, &MarshalledRequestBody.BufferSize, &MarshalledRequestBody.Buffer ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Now checksum the buffer
//
ChecksumFunction->Sum( CheckBuffer, MarshalledRequestBody.BufferSize, MarshalledRequestBody.Buffer );
ChecksumFunction->Finalize( CheckBuffer, Checksum->checksum.value );
Cleanup: if (CheckBuffer != NULL) { ChecksumFunction->Finish(&CheckBuffer); } if (MarshalledRequestBody.Buffer != NULL) { MIDL_user_free(MarshalledRequestBody.Buffer); } if (!NT_SUCCESS(Status) && (Checksum->checksum.value != NULL)) { MIDL_user_free(Checksum->checksum.value); Checksum->checksum.value = NULL; } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetTgsTicket
//
// Synopsis: Gets a ticket to the specified target with the specified
// options.
//
// Effects:
//
// Arguments: ClientRealm
// TicketGrantingTicket - TGT to use for the TGS request
// TargetName - Name of the target for which to obtain a ticket.
// TicketOptions - Optionally contains requested KDC options flags
// Flags
// TicketOptions
// EncryptionType - Optionally contains requested encryption type
// AuthorizationData - Optional authorization data to stick
// in the ticket.
// KdcReply - the ticket to be used for getting a ticket with
// the enc_tkt_in_skey flag.
// ReplyBody - Receives the kdc reply.
// pRetryFlags
//
// Requires:
//
// Returns: Kerberos errors and NT errors
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbGetTgsTicket( IN PUNICODE_STRING ClientRealm, IN PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket, IN PKERB_INTERNAL_NAME TargetName, IN ULONG Flags, IN OPTIONAL ULONG TicketOptions, IN OPTIONAL ULONG EncryptionType, IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData, IN OPTIONAL PKERB_PA_DATA_LIST PADataList, IN OPTIONAL PKERB_TGT_REPLY TgtReply, IN OPTIONAL PKERB_TICKET EvidenceTicket, IN OPTIONAL PTimeStamp OptionalEndTime, OUT PKERB_KDC_REPLY * KdcReply, OUT PKERB_ENCRYPTED_KDC_REPLY * ReplyBody, OUT PULONG pRetryFlags ){ NTSTATUS Status = STATUS_SUCCESS;
ULONG Index = 0; KERB_KDC_REQUEST TicketRequest; PKERB_KDC_REQUEST_BODY RequestBody = &TicketRequest.request_body; PULONG CryptVector = NULL; ULONG EncryptionTypeCount = 0; PKERB_EXT_ERROR pExtendedError = NULL; ULONG Nonce; TimeStamp AuthenticatorTime = {0}; KERB_PA_DATA_LIST ApRequest = {0}; KERBERR KerbErr; KERB_MESSAGE_BUFFER RequestMessage = {0, NULL}; KERB_MESSAGE_BUFFER ReplyMessage = {0, NULL}; BOOLEAN DoRetryGetTicket = FALSE; BOOLEAN RetriedOnce = FALSE; UNICODE_STRING TempDomainName = NULL_UNICODE_STRING; KERB_CHECKSUM RequestChecksum = {0}; BOOLEAN CalledPdc; KERB_TICKET_LIST TicketList[2]; ULONG KdcOptions = 0; ULONG KdcFlagOptions; PKERB_MIT_REALM MitRealm = NULL; BOOLEAN UsedAlternateName = FALSE; BOOLEAN UseTcp = FALSE; BOOLEAN fMitRealmPossibleRetry = FALSE;
D_DebugLog((DEB_TRACE, "KerbGetTgsTicket Flags %#x, ClientRealm %wZ, Tgt DomainName %wZ, Tgt TargetDomainName %wZ, TgtReply %p, EvidenceTicket %p, TargetName ", Flags, ClientRealm, &TicketGrantingTicket->DomainName, &TicketGrantingTicket->TargetDomainName, TgtReply, EvidenceTicket)); D_KerbPrintKdcName((DEB_TRACE, TargetName));
BOOLEAN TicketCacheLocked = FALSE; KERB_ENCRYPTED_DATA EncAuthData = {0};
#ifdef RESTRICTED_TOKEN
if (AuthorizationData != NULL) { Status = KerbBuildEncryptedAuthData( &EncAuthData, TicketGrantingTicket, AuthorizationData ); if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to encrypt auth data: 0x%x\n",Status)); goto Cleanup; } }#endif
//
// This is the retry point if we need to retry getting a TGS ticket
//
RetryGetTicket:
RtlZeroMemory( &ApRequest, sizeof(KERB_PA_DATA_LIST) );
RtlZeroMemory( &RequestChecksum, sizeof(KERB_CHECKSUM) );
RtlZeroMemory( &TicketRequest, sizeof(KERB_KDC_REQUEST) );
*KdcReply = NULL; *ReplyBody = NULL;
//
// Fill in the ticket request with the defaults.
//
if (!ARGUMENT_PRESENT( OptionalEndTime )) { KerbConvertLargeIntToGeneralizedTime( &RequestBody->endtime, NULL, &KerbGlobalWillNeverTime // use HasNeverTime instead
); } else { KerbConvertLargeIntToGeneralizedTime( &RequestBody->endtime, NULL, OptionalEndTime ); }
KerbConvertLargeIntToGeneralizedTime( &RequestBody->KERB_KDC_REQUEST_BODY_renew_until, NULL, &KerbGlobalHasNeverTime // use HasNeverTime instead
);
//
// If the caller supplied kdc options, use those
//
if (TicketOptions != 0) { KdcOptions = TicketOptions; } else { //
// Some missing (TGT) ticket options will result in a ticket not being
// granted. Others (such as name_canon.) will be usable by W2k KDCs
// Make sure we can modify these so we can turn "on" various options
// later.
//
KdcOptions = (KERB_DEFAULT_TICKET_FLAGS & TicketGrantingTicket->TicketFlags) | KerbGlobalKdcOptions; }
Nonce = KerbAllocateNonce();
RequestBody->nonce = Nonce; if (AuthorizationData != NULL) { RequestBody->enc_authorization_data = EncAuthData; RequestBody->bit_mask |= enc_authorization_data_present; }
//
// Build crypt vector.
//
//
// First get the count of encryption types
//
(VOID) CDBuildIntegrityVect( &EncryptionTypeCount, NULL );
//
// Now allocate the crypt vector
//
SafeAllocaAllocate(CryptVector, sizeof(ULONG) * EncryptionTypeCount);
if (CryptVector == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Now get the list of encrypt types
//
(VOID) CDBuildIntegrityVect( &EncryptionTypeCount, CryptVector );
if (EncryptionTypeCount == 0) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// If caller didn't specify a favorite etype, send all that we support
//
if (EncryptionType != 0) { //
// Swap the first one with the encryption type requested.
// do this only if the first isn't already what is requested.
//
UINT i = 0; ULONG FirstOne = CryptVector[0]; if (CryptVector[i] != EncryptionType) {
CryptVector[i] = EncryptionType; for ( i = 1; i < EncryptionTypeCount;i++) { if (CryptVector[i] == EncryptionType) { CryptVector[i] = FirstOne; break; } } } }
//
// convert the array to a crypt list in the request
//
if (!KERB_SUCCESS(KerbConvertArrayToCryptList( &RequestBody->encryption_type, CryptVector, EncryptionTypeCount, FALSE))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// If a TGT reply is present, stick the TGT into the ticket in the
// additional tickets field and include set the enc_tkt_in_skey option.
// The ticket that comes back will be encrypted with the session key
// from the supplied TGT.
//
// For S4U, we present the evidence ticket.
//
// See gettgs.cxx, UnpackAdditionalTickets() for details.
//
Index = 0;
if (ARGUMENT_PRESENT( TgtReply )) { ASSERT(Index == 0); D_DebugLog((DEB_TRACE_U2U, "KerbGetTgsTicket setting KERB_KDC_OPTIONS_enc_tkt_in_skey (index %d)\n", Index));
TicketList[Index].next = NULL; TicketList[Index].value = TgtReply->ticket; KdcOptions |= KERB_KDC_OPTIONS_enc_tkt_in_skey;
//
// increment Index
//
Index++; }
if (ARGUMENT_PRESENT( EvidenceTicket)) { ASSERT(Index < 2);
D_DebugLog((DEB_TRACE, "KerbGetTgsTicket setting KERB_KDC_OPTIONS_cname_in_addl_tkt (index %d)\n", Index));
if (Index > 0) { TicketList[Index - 1].next = &TicketList[Index]; }
TicketList[Index].next = NULL; TicketList[Index].value = (*EvidenceTicket); KdcOptions |= KERB_KDC_OPTIONS_cname_in_addl_tkt; }
if ((KdcOptions & (KERB_KDC_OPTIONS_enc_tkt_in_skey | KERB_KDC_OPTIONS_cname_in_addl_tkt)) != 0) { RequestBody->additional_tickets = &TicketList[0]; RequestBody->bit_mask |= additional_tickets_present; }
//
// Fill in the strings in the ticket request
//
if (!KERB_SUCCESS(KerbConvertKdcNameToPrincipalName( &RequestBody->KERB_KDC_REQUEST_BODY_server_name, TargetName ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } RequestBody->bit_mask |= KERB_KDC_REQUEST_BODY_server_name_present;
//
// Copy the domain name so we don't need to hold the lock
//
Status = KerbDuplicateString( &TempDomainName, &TicketGrantingTicket->TargetDomainName ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Check if this is an MIT kdc or if the spn had a realm in it (e.g,
// a/b/c@realm - if so, turn off name canonicalization
//
if ((Flags & KERB_GET_TICKET_NO_CANONICALIZE) != 0) { KdcOptions &= ~KERB_KDC_OPTIONS_name_canonicalize; }
else if (KerbLookupMitRealm( &TempDomainName, &MitRealm, &UsedAlternateName )) { //
// So the user is getting a ticket from an MIT realm. This means
// if the MIT realm flags don't indicate that name canonicalization
// is supported then we don't ask for name canonicalization
//
if ((MitRealm->Flags & KERB_MIT_REALM_DOES_CANONICALIZE) == 0) { fMitRealmPossibleRetry = TRUE; KdcOptions &= ~KERB_KDC_OPTIONS_name_canonicalize; } else { KdcOptions |= KERB_KDC_OPTIONS_name_canonicalize; } }
KdcFlagOptions = KerbConvertUlongToFlagUlong(KdcOptions); RequestBody->kdc_options.length = sizeof(ULONG) * 8; RequestBody->kdc_options.value = (PUCHAR) &KdcFlagOptions;
//
// Marshall the request and compute a checksum of it
//
if (!KERB_SUCCESS(KerbConvertUnicodeStringToRealm( &RequestBody->realm, &TempDomainName ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE;
//
// Now compute a checksum of that data
//
Status = KerbComputeTgsChecksum( RequestBody, &TicketGrantingTicket->SessionKey, (MitRealm != NULL) ? MitRealm->ApReqChecksumType : KERB_DEFAULT_AP_REQ_CSUM, &RequestChecksum ); if (!NT_SUCCESS(Status)) { KerbUnlockTicketCache(); TicketCacheLocked = FALSE; goto Cleanup; }
//
// Create the AP request to the KDC for the ticket to the service
//
RetryWithTcp:
//
// Lock the ticket cache while we access the cached tickets
//
KerbErr = KerbCreateApRequest( TicketGrantingTicket->ClientName, ClientRealm, &TicketGrantingTicket->SessionKey, NULL, // no subsessionkey
Nonce, &AuthenticatorTime, &TicketGrantingTicket->Ticket, 0, // no AP options
&RequestChecksum, &TicketGrantingTicket->TimeSkew, // server time
TRUE, // kdc request
(PULONG) &ApRequest.value.preauth_data.length, &ApRequest.value.preauth_data.value );
DsysAssert( TicketCacheLocked ); KerbUnlockTicketCache(); TicketCacheLocked = FALSE;
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to create authenticator: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
ApRequest.next = NULL; ApRequest.value.preauth_data_type = KRB5_PADATA_TGS_REQ; TicketRequest.KERB_KDC_REQUEST_preauth_data = &ApRequest; TicketRequest.bit_mask |= KERB_KDC_REQUEST_preauth_data_present;
// Insert additonal preauth into list
if (ARGUMENT_PRESENT(PADataList)) { // better be NULL padatalist
ApRequest.next = PADataList; } else { ApRequest.next = NULL; }
//
// Marshall the request
//
TicketRequest.version = KERBEROS_VERSION; TicketRequest.message_type = KRB_TGS_REQ;
//
// Pack the request
//
KerbErr = KerbPackTgsRequest( &TicketRequest, &RequestMessage.BufferSize, &RequestMessage.Buffer );
if (!KERB_SUCCESS(KerbErr)) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Now actually get the ticket. We will retry once.
//
Status = KerbMakeKdcCall( &TempDomainName, NULL, // **NEVER* call w/ account
FALSE, // don't require PDC
UseTcp, &RequestMessage, &ReplyMessage, 0, // no additional flags (yet)
&CalledPdc );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to call KDC for TGS request: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
KerbErr = KerbUnpackTgsReply( ReplyMessage.Buffer, ReplyMessage.BufferSize, KdcReply ); if (!KERB_SUCCESS(KerbErr)) { PKERB_ERROR ErrorMessage = NULL; DebugLog((DEB_WARN, "KerbGetTgsTicket failed to unpack KDC reply: 0x%x\n", KerbErr));
//
// Try to unpack it as kerb_error
//
KerbErr = KerbUnpackKerbError( ReplyMessage.Buffer, ReplyMessage.BufferSize, &ErrorMessage ); if (KERB_SUCCESS(KerbErr)) { if (ErrorMessage->bit_mask & error_data_present) { KerbUnpackErrorData( ErrorMessage, &pExtendedError ); }
KerbErr = (KERBERR) ErrorMessage->error_code;
KerbReportKerbError( TargetName, &TempDomainName, NULL, NULL, KLIN(FILENO, __LINE__), ErrorMessage, KerbErr, pExtendedError, FALSE );
//
// Check for time skew. If we got a skew error, record the time
// skew between here and the KDC in the ticket so we can retry
// with the correct time.
//
if (KerbErr == KRB_AP_ERR_SKEW) { TimeStamp CurrentTime; TimeStamp KdcTime;
//
// Only update failures with the same ticket once
//
if (KerbGetTime(TicketGrantingTicket->TimeSkew) == 0) { KerbUpdateSkewTime(TRUE); }
GetSystemTimeAsFileTime((PFILETIME) &CurrentTime);
KerbConvertGeneralizedTimeToLargeInt( &KdcTime, &ErrorMessage->server_time, ErrorMessage->server_usec );
KerbWriteLockTicketCache();#if 0
D_DebugLog(( DEB_WARN, "KDC time : \n" )); DebugDisplayTime( DEB_WARN, (PFILETIME)&KdcTime); D_DebugLog(( DEB_WARN, "Current time : \n" )); DebugDisplayTime( DEB_WARN, (PFILETIME)&CurrentTime);#endif
KerbSetTime(&TicketGrantingTicket->TimeSkew, KerbGetTime(KdcTime) - KerbGetTime(CurrentTime));
KerbUnlockTicketCache(); DoRetryGetTicket = TRUE; } else if ((KerbErr == KRB_ERR_RESPONSE_TOO_BIG) && (!UseTcp)) { //
// The KDC response was too big to fit in a datagram. If
// we aren't already using TCP use it now. Clean up allocated memory from UDP try
//
UseTcp = TRUE; KerbFreeKerbError(ErrorMessage); ErrorMessage = NULL; MIDL_user_free(ReplyMessage.Buffer); ReplyMessage.Buffer = NULL;
MIDL_user_free(RequestMessage.Buffer); RequestMessage.Buffer = NULL; MIDL_user_free(ApRequest.value.preauth_data.value); ApRequest.value.preauth_data.value = NULL;
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE; goto RetryWithTcp; } else if (KerbErr == KDC_ERR_S_PRINCIPAL_UNKNOWN) { if (EXT_CLIENT_INFO_PRESENT(pExtendedError) && (STATUS_USER2USER_REQUIRED == pExtendedError->status)) { DebugLog((DEB_WARN, "KerbGetTgsTicket received KDC_ERR_S_PRINCIPAL_UNKNOWN and STATUS_USER2USER_REQUIRED\n")); Status = STATUS_USER2USER_REQUIRED; KerbFreeKerbError(ErrorMessage); goto Cleanup; } //
// This looks to be the MIT Realm retry case, where name canonicalization
// is not on and the PRINCIPAL_UNKNOWN was returned by the MIT KDC
//
else if (fMitRealmPossibleRetry) { *pRetryFlags |= KERB_MIT_NO_CANONICALIZE_RETRY; D_DebugLog((DEB_TRACE, "KerbGetTgsTicket KerbCallKdc this is the MIT retry case\n")); } }
//
// Semi-hack here. Bad option rarely is returned, and usually
// indicates your TGT is about to expire. TKT_EXPIRED is also
// potentially recoverable. Check the e_data to
// see if we should blow away TGT to fix TGS problem.
//
else if ((KerbErr == KDC_ERR_BADOPTION) || (KerbErr == KRB_AP_ERR_TKT_EXPIRED)) { if (NULL != pExtendedError) { Status = pExtendedError->status; if ( Status == STATUS_TIME_DIFFERENCE_AT_DC ) { *pRetryFlags |= KERB_RETRY_WITH_NEW_TGT; D_DebugLog((DEB_TRACE, "Hit bad option retry case - %x \n", KerbErr)); } else if ( Status == STATUS_NO_MATCH ) { DebugLog((DEB_TRACE_S4U, "No match on S4UTarget\n")); *pRetryFlags |= KERB_RETRY_NO_S4UMATCH; KerbFreeKerbError(ErrorMessage); goto Cleanup; } else if ( Status == STATUS_NOT_SUPPORTED ) { D_DebugLog((DEB_TRACE_S4U, "No S4U available\n")); *pRetryFlags |= KERB_RETRY_DISABLE_S4U; KerbFreeKerbError(ErrorMessage); goto Cleanup; } } else { //
// If we get BADOPTION on an S4U request, we've got to
// assume that our server doesn't support it. There are some
// fringe cases where this may not be a reliable mechanism,
// however. FESTER - investigate other BADOPTION cases
//
D_DebugLog((DEB_TRACE_S4U, "No S4U available\n")); *pRetryFlags |= KERB_RETRY_DISABLE_S4U; } } //
// Per bug 315833, we purge on these errors as well
//
else if ((KerbErr == KDC_ERR_C_OLD_MAST_KVNO) || (KerbErr == KDC_ERR_TGT_REVOKED) || (KerbErr == KDC_ERR_NEVER_VALID) || (KerbErr == KRB_AP_ERR_BAD_INTEGRITY)) { *pRetryFlags |= KERB_RETRY_WITH_NEW_TGT; D_DebugLog((DEB_TRACE, " KerbGetTgsTicket got error requiring new tgt\n")); if (EXT_CLIENT_INFO_PRESENT(pExtendedError)) { Status = pExtendedError->status; } else { Status = KerbMapKerbError(KerbErr); }
DebugLog((DEB_WARN, "KerbGetTgsTicket failed w/ error %x, status %x\n", KerbErr, Status)); KerbFreeKerbError(ErrorMessage); goto Cleanup;
} else if ( KerbErr == KDC_ERR_CLIENT_REVOKED ) { if (EXT_CLIENT_INFO_PRESENT(pExtendedError)) { Status = pExtendedError->status; } else { Status = KerbMapKerbError(KerbErr); }
DebugLog((DEB_WARN, "KerbGetTgsTicket CLIENTREVOKED status %x\n",Status)); KerbFreeKerbError(ErrorMessage); goto Cleanup;
} else if ( KerbErr == KDC_ERR_POLICY ) { if (EXT_CLIENT_INFO_PRESENT(pExtendedError)) { Status = pExtendedError->status; } else { Status = KerbMapKerbError(KerbErr); }
DebugLog((DEB_WARN, "KerbGetTgsTicket failed w/ error %x, status %x\n", KerbErr, Status)); KerbFreeKerbError(ErrorMessage); goto Cleanup; } else if (KerbErr == KDC_ERR_NONE) { DebugLog((DEB_ERROR, "KerbGetTgsTicket KerbCallKdc: error KDC_ERR_NONE\n")); KerbErr = KRB_ERR_GENERIC; }
KerbFreeKerbError(ErrorMessage); DebugLog((DEB_WARN, "KerbGetTgsTicket KerbCallKdc: error 0x%x\n", KerbErr)); Status = KerbMapKerbError(KerbErr); } else { Status = STATUS_LOGON_FAILURE; } goto Cleanup; }
//
// Now unpack the reply body:
//
KerbReadLockTicketCache();
KerbErr = KerbUnpackKdcReplyBody( &(*KdcReply)->encrypted_part, &TicketGrantingTicket->SessionKey, KERB_ENCRYPTED_TGS_REPLY_PDU, ReplyBody );
KerbUnlockTicketCache();
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR, "KerbGetTgsTicket failed to decrypt KDC reply body: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_LOGON_FAILURE; goto Cleanup; }
//
// Verify the nonce is correct:
//
if (RequestBody->nonce != (*ReplyBody)->nonce) { D_DebugLog((DEB_ERROR, "KerbGetTgsTicket AS Nonces don't match: 0x%x vs 0x%x. %ws, line %d\n", RequestBody->nonce, (*ReplyBody)->nonce, THIS_FILE, __LINE__)); Status = STATUS_LOGON_FAILURE; goto Cleanup; }
Cleanup:
if (EncAuthData.cipher_text.value != NULL) { MIDL_user_free(EncAuthData.cipher_text.value); } if (RequestChecksum.checksum.value != NULL) { KerbFree(RequestChecksum.checksum.value); }
SafeAllocaFree(CryptVector); CryptVector = NULL;
KerbFreeCryptList( RequestBody->encryption_type );
if (ReplyMessage.Buffer != NULL) { MIDL_user_free(ReplyMessage.Buffer); ReplyMessage.Buffer = NULL; }
if (RequestMessage.Buffer != NULL) { MIDL_user_free(RequestMessage.Buffer); RequestMessage.Buffer = NULL; }
if (ApRequest.value.preauth_data.value != NULL) { MIDL_user_free(ApRequest.value.preauth_data.value); ApRequest.value.preauth_data.value = NULL; }
KerbFreePrincipalName( &RequestBody->KERB_KDC_REQUEST_BODY_server_name );
KerbFreeRealm( &RequestBody->realm ); KerbFreeString( &TempDomainName );
if (NULL != pExtendedError) { KerbFreeData(KERB_EXT_ERROR_PDU, pExtendedError); pExtendedError = NULL; }
//
// If we should retry getting the ticket and we haven't already retried
// once, try again.
//
if (DoRetryGetTicket && !RetriedOnce) { RetriedOnce = TRUE; goto RetryGetTicket; }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetReferralNames
//
// Synopsis: Gets the referral names from a KDC reply. If none are present,
// returned strings are empty.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbGetReferralNames( IN PKERB_ENCRYPTED_KDC_REPLY KdcReply, IN PKERB_INTERNAL_NAME OriginalTargetName, OUT PUNICODE_STRING ReferralRealm ){ NTSTATUS Status = STATUS_SUCCESS; PKERB_PA_DATA_LIST PaEntry; PKERB_PA_SERV_REFERRAL ReferralInfo = NULL; KERBERR KerbErr; PKERB_INTERNAL_NAME TargetName = NULL; PKERB_INTERNAL_NAME KpasswdName = NULL;
RtlInitUnicodeString( ReferralRealm, NULL );
PaEntry = (PKERB_PA_DATA_LIST) KdcReply->encrypted_pa_data;
//
// Search the list for the referral infromation
//
while (PaEntry != NULL) { if (PaEntry->value.preauth_data_type == KRB5_PADATA_REFERRAL_INFO) { break; } PaEntry = PaEntry->next; } if (PaEntry == NULL) {
//
// Check to see if the server name is krbtgt - if it is, then
// this is a referral.
//
KerbErr = KerbConvertPrincipalNameToKdcName( &TargetName, &KdcReply->server_name ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
//
// Build the service name for the ticket
//
Status = KerbBuildKpasswdName( &KpasswdName );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
if ((TargetName->NameCount == 2) && RtlEqualUnicodeString( &KerbGlobalKdcServiceName, &TargetName->Names[0], FALSE // not case sensitive
) && !(KerbEqualKdcNames( OriginalTargetName, TargetName) || KerbEqualKdcNames( OriginalTargetName, KpasswdName) )) { //
// This is a referral, so set the referral name to the
// second portion of the name
//
Status = KerbDuplicateString( ReferralRealm, &TargetName->Names[1] ); }
KerbFreeKdcName(&TargetName); KerbFreeKdcName(&KpasswdName);
return(Status); }
//
// Now try to unpack the data
//
KerbErr = KerbUnpackData( PaEntry->value.preauth_data.value, PaEntry->value.preauth_data.length, KERB_PA_SERV_REFERRAL_PDU, (PVOID *) &ReferralInfo ); if (!KERB_SUCCESS( KerbErr )) { D_DebugLog((DEB_ERROR,"Failed to decode referral info: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
if (!KERB_SUCCESS(KerbConvertRealmToUnicodeString( ReferralRealm, &ReferralInfo->referred_server_realm ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
Cleanup:
KerbFreeKdcName(&TargetName); KerbFreeKdcName(&KpasswdName);
if (ReferralInfo != NULL) { KerbFreeData( KERB_PA_SERV_REFERRAL_PDU, ReferralInfo ); } if (!NT_SUCCESS(Status)) { KerbFreeString( ReferralRealm ); } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbMITGetMachineDomain
//
// Synopsis: Determines if the machine is in a Windows 2000 domain and
// if it is then the function attempts to get a TGT for this
// domain with the passed in credentials.
//
// Effects:
//
// Arguments: LogonSession - the logon session to use for ticket caching
// and the identity of the caller.
// Credential - the credential of the caller
// TargetName - Name of the target for which to obtain a ticket.
// TargetDomainName - Domain name of target
// ClientRealm - the realm of the machine which the retry will use
// TicketGrantingTicket - Will be freed if non-NULL
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbMITGetMachineDomain( IN PKERB_INTERNAL_NAME TargetName, IN OUT PUNICODE_STRING TargetDomainName, IN OUT PKERB_TICKET_CACHE_ENTRY *TicketGrantingTicket ){ NTSTATUS Status = STATUS_SUCCESS; PLSAPR_POLICY_DNS_DOMAIN_INFO DnsDomainInfo = NULL; PLSAPR_POLICY_INFORMATION Policy = NULL; KERBEROS_MACHINE_ROLE Role;
Role = KerbGetGlobalRole();
//
// We're not part of a domain, so bail out here.
//
if (Role == KerbRoleRealmlessWksta) { Status = STATUS_NO_TRUST_SAM_ACCOUNT; goto Cleanup; }
Status = I_LsaIQueryInformationPolicyTrusted( PolicyDnsDomainInformation, &Policy );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_TRACE,"Failed Query policy %x %ws, line %d\n", THIS_FILE, __LINE__)); goto Cleanup; }
DnsDomainInfo = &Policy->PolicyDnsDomainInfo;
//
// make sure the computer is a member of an NT domain
//
if ((DnsDomainInfo->DnsDomainName.Length != 0) && (DnsDomainInfo->Sid != NULL)) { //
// make the client realm the domain of the computer
//
KerbFreeString(TargetDomainName); RtlZeroMemory(TargetDomainName, sizeof(UNICODE_STRING));
Status = KerbDuplicateString( TargetDomainName, (PUNICODE_STRING)&DnsDomainInfo->DnsDomainName );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
(VOID) RtlUpcaseUnicodeString( TargetDomainName, TargetDomainName, FALSE);
if (*TicketGrantingTicket != NULL) { KerbDereferenceTicketCacheEntry(*TicketGrantingTicket); *TicketGrantingTicket = NULL; } } else { Status = STATUS_NO_TRUST_SAM_ACCOUNT; }
Cleanup:
if (Policy != NULL) { I_LsaIFree_LSAPR_POLICY_INFORMATION( PolicyDnsDomainInformation, Policy ); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetServiceTicket
//
// Synopsis: Gets a ticket to a service and handles cross-domain referrals
//
// Effects:
//
// Arguments: LogonSession - the logon session to use for ticket caching
// and the identity of the caller.
// TargetName - Name of the target for which to obtain a ticket.
// TargetDomainName - Domain name of target
// Flags - Flags about the request
// TicketOptions - KDC options flags
// EncryptionType - optional Requested encryption type
// ErrorMessage - Error message from an AP request containing hints
// for next ticket.
// AuthorizationData - Optional authorization data to stick
// in the ticket.
// TgtReply - TGT to use for getting a ticket with enc_tkt_in_skey
// TicketCacheEntry - Receives a referenced ticket cache entry.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbGetServiceTicket( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credential, IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials, IN PKERB_INTERNAL_NAME TargetName, IN PUNICODE_STRING TargetDomainName, IN OPTIONAL PKERB_SPN_CACHE_ENTRY SpnCacheEntry, IN ULONG Flags, IN OPTIONAL ULONG TicketOptions, IN OPTIONAL ULONG EncryptionType, IN OPTIONAL PKERB_ERROR ErrorMessage, IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData, IN OPTIONAL PKERB_TGT_REPLY TgtReply, OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry, OUT LPGUID pLogonGuid OPTIONAL ){ NTSTATUS Status = STATUS_SUCCESS; NTSTATUS AuditStatus = STATUS_SUCCESS; PKERB_TICKET_CACHE_ENTRY TicketCacheEntry = NULL; PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL; PKERB_TICKET_CACHE_ENTRY LastTgt = NULL; PKERB_KDC_REPLY KdcReply = NULL; PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL; BOOLEAN LogonSessionsLocked = FALSE; BOOLEAN TicketCacheLocked = FALSE; BOOLEAN CrossRealm = FALSE; PKERB_INTERNAL_NAME RealTargetName = NULL; UNICODE_STRING RealTargetRealm = NULL_UNICODE_STRING; PKERB_INTERNAL_NAME TargetTgtKdcName = NULL; PKERB_PRIMARY_CREDENTIAL PrimaryCredentials = NULL; BOOLEAN UsedCredentials = FALSE; UNICODE_STRING ClientRealm = NULL_UNICODE_STRING; UNICODE_STRING SpnTargetRealm = NULL_UNICODE_STRING; BOOLEAN CacheTicket = TRUE; ULONG ReferralCount = 0; ULONG RetryFlags = 0; BOOLEAN fMITRetryAlreadyMade = FALSE; BOOLEAN TgtRetryMade = FALSE; BOOLEAN CacheBasedFailure = FALSE; GUID LogonGuid = { 0 };
//
// Check to see if the credential has any primary credentials
//
TGTRetry:
KerbFreeTgsReply(KdcReply); KerbFreeKdcReplyBody(KdcReplyBody); KdcReply = NULL; KdcReplyBody = NULL;
DsysAssert( !LogonSessionsLocked ); KerbReadLockLogonSessions(LogonSession); LogonSessionsLocked = TRUE;
if ((Credential != NULL) && (Credential->SuppliedCredentials != NULL)) { PrimaryCredentials = Credential->SuppliedCredentials; UsedCredentials = TRUE; } else if (CredManCredentials != NULL) { PrimaryCredentials = CredManCredentials->SuppliedCredentials; UsedCredentials = TRUE; } else { PrimaryCredentials = &LogonSession->PrimaryCredentials; UsedCredentials = ((LogonSession->LogonSessionFlags & KERB_LOGON_NEW_CREDENTIALS) != 0); }
//
// Make sure the name is not zero length
//
if ((TargetName->NameCount == 0) || (TargetName->Names[0].Length == 0)) { D_DebugLog((DEB_ERROR, "KerbGetServiceTicket trying to crack zero length name.\n")); Status = SEC_E_TARGET_UNKNOWN; goto Cleanup; }
//
// First check the ticket cache for this logon session. We don't look
// for the target principal name because we can't be assured that this
// is a valid principal name for the target. If we are doing user-to-
// user, don't use the cache because the tgt key may have changed
//
if ((TgtReply == NULL) && ((Flags & KERB_GET_TICKET_NO_CACHE) == 0)) { TicketCacheEntry = KerbLocateTicketCacheEntry( &PrimaryCredentials->ServerTicketCache, TargetName, TargetDomainName ); } else { //
// We don't want to cache user-to-user tickets
//
CacheTicket = FALSE; }
if (TicketCacheEntry != NULL) { //
// If we were given an error message that indicated a bad password
// through away the cached ticket
//
//
// If we were given an error message that indicated a bad password
// through away the cached ticket
//
if (ARGUMENT_PRESENT(ErrorMessage) && ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED)) { KerbRemoveTicketCacheEntry(TicketCacheEntry); KerbDereferenceTicketCacheEntry(TicketCacheEntry); TicketCacheEntry = NULL; } else { ULONG TicketFlags; ULONG CacheTicketFlags; ULONG CacheEncryptionType;
//
// Check if the flags are present
//
KerbReadLockTicketCache(); CacheTicketFlags = TicketCacheEntry->TicketFlags; CacheEncryptionType = TicketCacheEntry->Ticket.encrypted_part.encryption_type; KerbUnlockTicketCache();
TicketFlags = KerbConvertKdcOptionsToTicketFlags(TicketOptions);
if (((CacheTicketFlags & TicketFlags) != TicketFlags) || ((EncryptionType != 0) && (CacheEncryptionType != EncryptionType)))
{ KerbDereferenceTicketCacheEntry(TicketCacheEntry); TicketCacheEntry = NULL; } else { //
// Check the ticket time
//
if (KerbTicketIsExpiring(TicketCacheEntry, TRUE)) { KerbDereferenceTicketCacheEntry(TicketCacheEntry); TicketCacheEntry = NULL; } else { *NewCacheEntry = TicketCacheEntry; D_DebugLog((DEB_TRACE_REFERRAL, "KerbGetServiceTicket found ticket cache entry %#x, TargetName: ", TicketCacheEntry)); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, TicketCacheEntry->TargetName)); D_DebugLog((DEB_TRACE_REFERRAL, "KerbGetServiceTicket target Realm: %wZ\n", &TicketCacheEntry->DomainName)); TicketCacheEntry = NULL; goto Cleanup; } } } }
//
// If the caller wanted any special options, don't cache this ticket.
//
if ((TicketOptions != 0) || (EncryptionType != 0) || ((Flags & KERB_GET_TICKET_NO_CACHE) != 0)) { CacheTicket = FALSE; }
//
// No cached entry was found so go ahead and call the KDC to
// get the ticket.
//
//
// Determine the state of the SPNCache using information in the credential.
// Only do this if we've not been handed
//
if ( ARGUMENT_PRESENT(SpnCacheEntry) && TargetDomainName->Buffer == NULL ) { Status = KerbGetSpnCacheStatus( SpnCacheEntry, PrimaryCredentials, &SpnTargetRealm );
if (NT_SUCCESS( Status )) { KerbFreeString(&RealTargetRealm); RealTargetRealm = SpnTargetRealm; RtlZeroMemory(&SpnTargetRealm, sizeof(UNICODE_STRING)); D_DebugLog((DEB_TRACE_SPN_CACHE, "Found SPN cache entry - %wZ\n", &RealTargetRealm)); D_KerbPrintKdcName((DEB_TRACE_SPN_CACHE, TargetName)); } else if ( Status != STATUS_NO_MATCH ) { D_DebugLog((DEB_TRACE_SPN_CACHE, "KerbGetSpnCacheStatus failed %x\n", Status)); D_DebugLog((DEB_TRACE_SPN_CACHE, "TargetName: \n")); D_KerbPrintKdcName((DEB_TRACE_SPN_CACHE, TargetName));
CacheBasedFailure = TRUE; goto Cleanup; }
Status = STATUS_SUCCESS; }
//
// First get a TGT to the correct KDC. If a principal name was provided,
// use it instead of the target name.
//
// There could also be a host to realm mapping taking place here. If so,
// realtargetrealm != NULL.
//
Status = KerbGetTgtForService( LogonSession, Credential, CredManCredentials, NULL, (RealTargetRealm.Buffer == NULL ? TargetDomainName : &RealTargetRealm), Flags, &TicketGrantingTicket, &CrossRealm );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to get TGT for service: 0x%x :", Status )); KerbPrintKdcName(DEB_ERROR, TargetName); DebugLog((DEB_ERROR, "%ws, line %d\n", THIS_FILE, __LINE__)); goto Cleanup; }
//
// Copy out the client realm name which is used when obtaining the ticket
//
Status = KerbDuplicateString( &ClientRealm, &PrimaryCredentials->DomainName ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
DsysAssert( LogonSessionsLocked ); KerbUnlockLogonSessions(LogonSession); LogonSessionsLocked = FALSE;
ReferralRestart:
D_DebugLog((DEB_TRACE_REFERRAL, "KerbGetServiceTicket ReferralRestart\n")); D_DebugLog((DEB_TRACE_REFERRAL, "ClientRealm %wZ\n, TargetName ", &ClientRealm)); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, TargetName)); D_DebugLog((DEB_TRACE_REFERRAL, "\n ", &ClientRealm));
//
// If this is not cross realm (meaning we have a TGT to the corect domain),
// try to get a ticket directly to the service
//
if (!CrossRealm) { Status = KerbGetTgsTicket( &ClientRealm, TicketGrantingTicket, TargetName, Flags, TicketOptions, EncryptionType, AuthorizationData, NULL, // no pa data
TgtReply, // This is for the service directly, so use TGT
NULL, // no evidence ticket
NULL, // let kdc determine end time
&KdcReply, &KdcReplyBody, &RetryFlags );
if (!NT_SUCCESS(Status)) { //
// Check for bad option TGT purging
//
if (((RetryFlags & KERB_RETRY_WITH_NEW_TGT) != 0) && !TgtRetryMade) { DebugLog((DEB_WARN, "Doing TGT retry - %p\n", TicketGrantingTicket));
//
// Unlink && purge bad tgt
//
KerbRemoveTicketCacheEntry(TicketGrantingTicket); KerbDereferenceTicketCacheEntry(TicketGrantingTicket); TicketGrantingTicket = NULL; TgtRetryMade = TRUE; goto TGTRetry; } //
// Check for the MIT retry case
//
if (((RetryFlags & KERB_MIT_NO_CANONICALIZE_RETRY) != 0) && (!fMITRetryAlreadyMade)) {
Status = KerbMITGetMachineDomain( TargetName, TargetDomainName, &TicketGrantingTicket );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_TRACE,"Failed Query policy information %ws, line %d\n", THIS_FILE, __LINE__)); goto Cleanup; }
fMITRetryAlreadyMade = TRUE; Flags &= ~KERB_TARGET_USED_SPN_CACHE; goto TGTRetry; }
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x : \n", Status )); KerbPrintKdcName(DEB_WARN, TargetName); DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__)); goto Cleanup; }
//
// Check for referral info in the name
//
KerbFreeString(&RealTargetRealm); Status = KerbGetReferralNames( KdcReplyBody, TargetName, &RealTargetRealm ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// If this is not a referral ticket, just cache it and return
// the cache entry.
//
if (RealTargetRealm.Length == 0) { //
// Now we have a ticket - lets cache it
//
KerbReadLockLogonSessions(LogonSession);
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, TargetName, TargetDomainName, 0, CacheTicket ? &PrimaryCredentials->ServerTicketCache : NULL, NULL, // no credential key
&TicketCacheEntry );
KerbUnlockLogonSessions(LogonSession);
if (!NT_SUCCESS(Status)) { goto Cleanup; }
*NewCacheEntry = TicketCacheEntry; TicketCacheEntry = NULL;
//
// We're done, so get out of here.
//
goto Cleanup; }
//
// The server referred us to another domain. Get the service's full
// name from the ticket and try to find a TGT in that domain.
//
Status = KerbDuplicateKdcName( &RealTargetName, TargetName );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
D_DebugLog((DEB_TRACE_REFERRAL, "Got referral ticket for service \n")); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, TargetName)); D_DebugLog((DEB_TRACE_REFERRAL, "in realm %wZ\n", &RealTargetRealm )); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, RealTargetName));
//
// Cache the interdomain TGT
//
DsysAssert( !LogonSessionsLocked ); KerbReadLockLogonSessions(LogonSession); LogonSessionsLocked = TRUE;
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, NULL, // no target name
NULL, // no target realm
0, // no flags
CacheTicket ? &PrimaryCredentials->AuthenticationTicketCache : NULL, NULL, // no credential key
&TicketCacheEntry );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Dereference the old ticket-granting ticket, and use
// the one from the referral. This allows us to chase
// the proper referral path.
//
KerbDereferenceTicketCacheEntry(TicketGrantingTicket); TicketGrantingTicket = TicketCacheEntry; TicketCacheEntry = NULL;
DsysAssert( LogonSessionsLocked ); KerbUnlockLogonSessions(LogonSession); LogonSessionsLocked = FALSE; } else { //
// Set the real names to equal the supplied names
//
Status = KerbDuplicateKdcName( &RealTargetName, TargetName ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Don't overwrite if we're doing a referral, or if we're missing
// a TGT for the target domain name.
//
if (RealTargetRealm.Buffer == NULL) { Status = KerbDuplicateString( &RealTargetRealm, TargetDomainName ); if (!NT_SUCCESS(Status)) { goto Cleanup; } } }
//
// Now we are in a case where we have a realm to aim for and a TGT. While
// we don't have a TGT for the target realm, get one.
//
if (!KERB_SUCCESS(KerbBuildFullServiceKdcName( &RealTargetRealm, &KerbGlobalKdcServiceName, KRB_NT_SRV_INST, &TargetTgtKdcName ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE;
//
// Referral chasing code block - very important to get right
// If we know the "real" target realm, eg. from GC, then
// we'll walk trusts until we hit "real" target realm.
//
while (!RtlEqualUnicodeString( &RealTargetRealm, &TicketGrantingTicket->TargetDomainName, TRUE )) {
//
// If we just got two TGTs for the same domain, then we must have
// gotten as far as we can. Chances our our RealTargetRealm is a
// variation of what the KDC hands out.
//
if ((LastTgt != NULL) && RtlEqualUnicodeString( &LastTgt->TargetDomainName, &TicketGrantingTicket->TargetDomainName, TRUE )) { DsysAssert( TicketCacheLocked ); KerbUnlockTicketCache(); TicketCacheLocked = FALSE;
KerbSetTicketCacheEntryTarget( &RealTargetRealm, LastTgt );
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE; D_DebugLog((DEB_TRACE_REFERRAL, "Got two TGTs for same realm (%wZ), bailing out of referral loop\n", &LastTgt->TargetDomainName)); break; }
D_DebugLog((DEB_TRACE_REFERRAL, "Getting referral TGT for \n")); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, TargetTgtKdcName)); D_KerbPrintKdcName((DEB_TRACE_REFERRAL, TicketGrantingTicket->ServiceName));
DsysAssert( TicketCacheLocked ); KerbUnlockTicketCache(); TicketCacheLocked = FALSE;
//
// Cleanup old state
//
KerbFreeTgsReply(KdcReply); KerbFreeKdcReplyBody(KdcReplyBody); KdcReply = NULL; KdcReplyBody = NULL;
D_DebugLog((DEB_TRACE_REFERRAL, "TGT TargetDomain %wZ\n", &TicketGrantingTicket->TargetDomainName)); D_DebugLog((DEB_TRACE_REFERRAL, "TGT Domain %wZ\n", &TicketGrantingTicket->DomainName));
Status = KerbGetTgsTicket( &ClientRealm, TicketGrantingTicket, TargetTgtKdcName, FALSE, TicketOptions, EncryptionType, AuthorizationData, NULL, // no pa data
NULL, // no tgt reply since target is krbtgt
NULL, // no evidence ticket
NULL, // let kdc determine end time
&KdcReply, &KdcReplyBody, &RetryFlags );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x :", Status )); KerbPrintKdcName(DEB_WARN, TargetTgtKdcName); DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__));
//
// We want to map cross-domain failures to failures indicating
// that a KDC could not be found. This means that for Kerberos
// logons, the negotiate code will retry with a different package
//
// if (Status == STATUS_NO_TRUST_SAM_ACCOUNT)
// {
// Status = STATUS_NO_LOGON_SERVERS;
// }
goto Cleanup; }
//
// Now we have a ticket - lets cache it
//
KerbReadLockLogonSessions(LogonSession);
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, NULL, // no target name
NULL, // no targe realm
0, // no flags
CacheTicket ? &PrimaryCredentials->AuthenticationTicketCache : NULL, NULL, // no credential key
&TicketCacheEntry );
KerbUnlockLogonSessions(LogonSession);
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Make sure we're not in a referral chasing loop.
//
// Basically, this means that the DomainName of
// the last TGT != the TargetDomain of the new
// tgt.
//
if (RtlEqualUnicodeString(&TicketGrantingTicket->DomainName, &TicketCacheEntry->TargetDomainName, TRUE) && !RtlEqualUnicodeString(&TicketGrantingTicket->TargetDomainName, &TicketCacheEntry->TargetDomainName, TRUE)) { DebugLog((DEB_ERROR, "Referral loop TO : %wZ\n", &TicketCacheEntry->DomainName )); DebugLog((DEB_ERROR, "TO : %wZ\n", &TicketCacheEntry->TargetDomainName)); DebugLog((DEB_ERROR, "TKE %p TGT %p\n", TicketCacheEntry, TicketGrantingTicket)); Status = STATUS_DOMAIN_TRUST_INCONSISTENT; goto Cleanup; } if (LastTgt != NULL) { KerbDereferenceTicketCacheEntry(LastTgt); LastTgt = NULL; }
LastTgt = TicketGrantingTicket; TicketGrantingTicket = TicketCacheEntry; TicketCacheEntry = NULL;
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE; } // ** WHILE **
DsysAssert(TicketCacheLocked); KerbUnlockTicketCache(); TicketCacheLocked = FALSE;
//
// Now we must have a TGT to the destination domain. Get a ticket
// to the service.
//
//
// Cleanup old state
//
KerbFreeTgsReply(KdcReply); KerbFreeKdcReplyBody(KdcReplyBody); KdcReply = NULL; KdcReplyBody = NULL; RetryFlags = 0;
Status = KerbGetTgsTicket( &ClientRealm, TicketGrantingTicket, RealTargetName, FALSE, TicketOptions, EncryptionType, AuthorizationData, NULL, // no pa data
TgtReply, NULL, // no evidence ticket
NULL, // let kdc determine end time
&KdcReply, &KdcReplyBody, &RetryFlags );
if (!NT_SUCCESS(Status)) {
//
// Check for bad option TGT purging
//
if (((RetryFlags & KERB_RETRY_WITH_NEW_TGT) != 0) && !TgtRetryMade) { DebugLog((DEB_WARN, "Doing TGT retry - %p\n", TicketGrantingTicket));
//
// Unlink && purge bad tgt
//
KerbRemoveTicketCacheEntry(TicketGrantingTicket); // free from list
KerbDereferenceTicketCacheEntry(TicketGrantingTicket); TicketGrantingTicket = NULL; TgtRetryMade = TRUE; goto TGTRetry; }
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x ", Status )); KerbPrintKdcName(DEB_WARN, RealTargetName); DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__)); goto Cleanup; }
//
// Now that we are in the domain to which we were referred, check for referral
// info in the name
//
KerbFreeString(&RealTargetRealm); Status = KerbGetReferralNames( KdcReplyBody, RealTargetName, &RealTargetRealm ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// If this is not a referral ticket, just cache it and return
// the cache entry.
//
if (RealTargetRealm.Length != 0) { //
// To prevent loops, we limit the number of referral we'll take
//
if (ReferralCount > KerbGlobalMaxReferralCount) { D_DebugLog((DEB_ERROR, "Maximum referral count exceeded for name: ")); D_KerbPrintKdcName((DEB_ERROR, RealTargetName)); Status = STATUS_MAX_REFERRALS_EXCEEDED; goto Cleanup; }
ReferralCount++;
//
// Cache the interdomain TGT
//
KerbReadLockLogonSessions(LogonSession);
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, NULL, // no target name
NULL, // no target realm
0, // no flags
CacheTicket ? &PrimaryCredentials->AuthenticationTicketCache : NULL, NULL, // no credential key
&TicketCacheEntry );
KerbUnlockLogonSessions(LogonSession);
if (RtlEqualUnicodeString(&TicketGrantingTicket->DomainName, &TicketCacheEntry->TargetDomainName, TRUE) && !RtlEqualUnicodeString(&TicketGrantingTicket->TargetDomainName, &TicketCacheEntry->TargetDomainName, TRUE)) { DebugLog((DEB_ERROR, "Referral loop (2) FROM : %wZ\n", &TicketCacheEntry->DomainName )); DebugLog((DEB_ERROR, "TO : %wZ\n", &TicketCacheEntry->TargetDomainName)); DebugLog((DEB_ERROR, "TKE %p tgt %p\n", TicketCacheEntry, TicketGrantingTicket)); Status = STATUS_DOMAIN_TRUST_INCONSISTENT; goto Cleanup; }
//
// Cleanup old state
//
KerbFreeTgsReply(KdcReply); KerbFreeKdcReplyBody(KdcReplyBody); KdcReply = NULL; KdcReplyBody = NULL;
if (!NT_SUCCESS(Status)) { goto Cleanup; }
if (LastTgt != NULL) { KerbDereferenceTicketCacheEntry(LastTgt); LastTgt = NULL; }
LastTgt = TicketGrantingTicket; TicketGrantingTicket = TicketCacheEntry; TicketCacheEntry = NULL;
D_DebugLog((DEB_TRACE_REFERRAL, "Restart referral:%wZ", &RealTargetRealm));
goto ReferralRestart; }
KerbReadLockLogonSessions(LogonSession);
Status = KerbCreateTicketCacheEntry( KdcReply, KdcReplyBody, TargetName, TargetDomainName, TgtReply ? KERB_TICKET_CACHE_TKT_ENC_IN_SKEY : 0, // no flags
CacheTicket ? &PrimaryCredentials->ServerTicketCache : NULL, NULL, // no credential key
&TicketCacheEntry );
KerbUnlockLogonSessions(LogonSession);
if (!NT_SUCCESS(Status)) { goto Cleanup; }
*NewCacheEntry = TicketCacheEntry; TicketCacheEntry = NULL;
Cleanup:
if ( NT_SUCCESS( Status ) ) { //
// Generate the logon GUID
//
AuditStatus = KerbGetLogonGuid( PrimaryCredentials, KdcReplyBody, &LogonGuid );
//
// return the logon GUID if requested
//
if ( NT_SUCCESS(AuditStatus) && pLogonGuid ) { *pLogonGuid = LogonGuid; }
//
// generate SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS
// if explicit credentials were used for this logon.
//
if ( UsedCredentials ) { (void) KerbGenerateAuditForLogonUsingExplicitCreds( LogonSession, PrimaryCredentials, &LogonGuid, TargetName ); } }
//
// Bad or unlocatable SPN -- Don't update if we got the value from the cache, though.
//
if (( TargetName->NameType == KRB_NT_SRV_INST ) && ( NT_SUCCESS(Status) || Status == STATUS_NO_TRUST_SAM_ACCOUNT ) && ( !CacheBasedFailure )) { NTSTATUS Tmp; ULONG UpdateValue = KERB_SPN_UNKNOWN; PUNICODE_STRING Realm = NULL;
if ( NT_SUCCESS( Status )) { Realm = &(*NewCacheEntry)->TargetDomainName; UpdateValue = KERB_SPN_KNOWN; } Tmp = KerbUpdateSpnCacheEntry( SpnCacheEntry, TargetName, PrimaryCredentials, UpdateValue, Realm ); }
KerbFreeTgsReply( KdcReply ); KerbFreeKdcReplyBody( KdcReplyBody ); KerbFreeKdcName( &TargetTgtKdcName ); KerbFreeString( &RealTargetRealm ); KerbFreeString( &SpnTargetRealm );
KerbFreeKdcName(&RealTargetName);
if (TicketCacheLocked) { KerbUnlockTicketCache(); }
if (LogonSessionsLocked) { KerbUnlockLogonSessions(LogonSession); }
KerbFreeString(&RealTargetRealm);
if (TicketGrantingTicket != NULL) { if (Status == STATUS_WRONG_PASSWORD) { KerbRemoveTicketCacheEntry( TicketGrantingTicket ); } KerbDereferenceTicketCacheEntry(TicketGrantingTicket); } if (LastTgt != NULL) { KerbDereferenceTicketCacheEntry(LastTgt); LastTgt = NULL; }
KerbFreeString(&ClientRealm);
//
// If we still have a pointer to the ticket cache entry, free it now.
//
if (TicketCacheEntry != NULL) { KerbRemoveTicketCacheEntry( TicketCacheEntry ); KerbDereferenceTicketCacheEntry(TicketCacheEntry);
} return(Status);}
#ifndef WIN32_CHICAGO
//+-------------------------------------------------------------------------
//
// Function: KerbCountPasswords
//
// Synopsis: Determines how many passwords are in a extra cred list.
//
// Effects:
//
// Arguments:
//
// Requires: Readlock of cred list
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
ULONGKerbCountPasswords( PEXTRA_CRED_LIST ExtraCredentials ){ ULONG Count = 0; PKERB_EXTRA_CRED ExtraCred = NULL; PLIST_ENTRY ListEntry;
for ( ListEntry = ExtraCredentials->CredList.List.Flink ; ( ListEntry != &ExtraCredentials->CredList.List ); ListEntry = ListEntry->Flink ) { ExtraCred = CONTAINING_RECORD(ListEntry, KERB_EXTRA_CRED, ListEntry.Next);
if ( ExtraCred->Passwords ) { Count++; }
if ( ExtraCred->OldPasswords ) { Count++; } }
return Count;}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildKeyList
//
// Synopsis: Used for conglomerating a list of keys for use in
// decrypting AP_REQ.
//
// Effects:
//
// Arguments:
//
// Requires: Readlock logon session
//
// Returns:
//
// Notes: In order to optimize perf, we order this 1. current password,
// 2. "extra" credentials, 3. old passwords
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildKeyArray( IN OPTIONAL PKERB_LOGON_SESSION LogonSession, IN PKERB_PRIMARY_CREDENTIAL PrimaryCred, IN ULONG Etype, IN OUT PKERB_ENCRYPTION_KEY *KeyArray, IN OUT PULONG KeyCount ){ NTSTATUS Status = STATUS_SUCCESS; PLIST_ENTRY ListEntry; PKERB_EXTRA_CRED ExtraCred = NULL;
ULONG LocalKeyCount = 0; PKERB_ENCRYPTION_KEY Key = NULL;
Key = KerbGetKeyFromList( PrimaryCred->Passwords, Etype );
if ( Key == NULL ) { Status = SEC_E_NO_CREDENTIALS; goto cleanup; }
KeyArray[LocalKeyCount++] = Key;
//
// Scan the logon session for extra creds
//
if (ARGUMENT_PRESENT( LogonSession )) { for ( ListEntry = LogonSession->ExtraCredentials.CredList.List.Flink ; ( ListEntry != &LogonSession->ExtraCredentials.CredList.List ); ListEntry = ListEntry->Flink ) { ExtraCred = CONTAINING_RECORD(ListEntry, KERB_EXTRA_CRED, ListEntry.Next);
Key = KerbGetKeyFromList( ExtraCred->Passwords, Etype );
if ( Key == NULL ) { continue; }
KeyArray[LocalKeyCount++] = Key;
Key = KerbGetKeyFromList( ExtraCred->OldPasswords, Etype ); if ( Key == NULL ) { continue; }
KeyArray[LocalKeyCount++] = Key; } }
//
// Fill in old password. If its NULL, we haven't allocated space
//
if ( PrimaryCred->OldPasswords != NULL ) { Key = KerbGetKeyFromList( PrimaryCred->OldPasswords, Etype );
if ( Key != NULL ) { KeyArray[LocalKeyCount++] = Key; } }
DsysAssert(LocalKeyCount <= (*KeyCount));
*KeyCount = LocalKeyCount;
cleanup:
return Status;}
//+-------------------------------------------------------------------------
//
// Function: KerbHaveKeyMaterials
//
// Synopsis: Used to check for conglomerating a list of keys for use in
// decrypting AP_REQ.
//
// Effects:
//
// Arguments:
//
// Requires: Readlock logon session
//
// Returns:
//
// Notes: In order to optimize perf, we order this 1. current password,
// 2. "extra" credentials, 3. old passwords
//
//
//--------------------------------------------------------------------------
BOOLKerbHaveKeyMaterials( IN OPTIONAL PKERB_LOGON_SESSION LogonSession, IN PKERB_PRIMARY_CREDENTIAL PrimaryCred ){ return (PrimaryCred->Passwords != NULL) || (LogonSession && LogonSession->ExtraCredentials.Count) || (PrimaryCred->OldPasswords != NULL);}
//+-------------------------------------------------------------------------
//
// Function: KerbCreateApRequest
//
// Synopsis: builds an AP request message
//
// Effects: allocates memory with MIDL_user_allocate
//
// Arguments: ClientName - Name of client
// ClientRealm - Realm of client
// SessionKey - Session key for the ticket
// SubSessionKey - obtional sub Session key for the authenticator
// Nonce - Nonce to use in authenticator
// pAuthenticatorTime - time stamp used for AP request (generated in KerbCreateAuthenticator)
// ServiceTicket - Ticket for service to put in request
// ApOptions - Options to stick in AP request
// GssChecksum - Checksum for GSS compatibility containing
// context options and delegation info.
// KdcRequest - if TRUE, this is an AP request for a TGS req
// ServerSkewTime - Optional skew of server's time
// RequestSize - Receives size of the marshalled request
// Request - Receives the marshalled request
//
// Requires:
//
// Returns: KDC_ERR_NONE on success, KRB_ERR_GENERIC on memory or
// marshalling failure
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbCreateApRequest( IN PKERB_INTERNAL_NAME ClientName, IN PUNICODE_STRING ClientRealm, IN PKERB_ENCRYPTION_KEY SessionKey, IN OPTIONAL PKERB_ENCRYPTION_KEY SubSessionKey, IN ULONG Nonce, OUT OPTIONAL PTimeStamp pAuthenticatorTime, IN PKERB_TICKET ServiceTicket, IN ULONG ApOptions, IN OPTIONAL PKERB_CHECKSUM GssChecksum, IN OPTIONAL PTimeStamp ServerSkewTime, IN BOOLEAN KdcRequest, OUT PULONG RequestSize, OUT PUCHAR * Request ){ KERBERR KerbErr = KDC_ERR_NONE; KERB_AP_REQUEST ApRequest; ULONG ApFlags;
*Request = NULL; RtlZeroMemory( &ApRequest, sizeof(KERB_AP_REQUEST) );
//
// Fill in the AP request structure.
//
ApRequest.version = KERBEROS_VERSION; ApRequest.message_type = KRB_AP_REQ; ApFlags = KerbConvertUlongToFlagUlong(ApOptions); ApRequest.ap_options.value = (PUCHAR) &ApFlags; ApRequest.ap_options.length = sizeof(ULONG) * 8; ApRequest.ticket = *ServiceTicket;
//
// Create the authenticator for the request
//
KerbErr = KerbCreateAuthenticator( SessionKey, Nonce, pAuthenticatorTime, ClientName, ClientRealm, ServerSkewTime, SubSessionKey, GssChecksum, KdcRequest, &ApRequest.authenticator ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to build authenticator: 0x%x\n", KerbErr )); goto Cleanup; }
//
// Now marshall the request
//
KerbErr = KerbPackApRequest( &ApRequest, RequestSize, Request );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to pack AP request: 0x%x\n",KerbErr)); goto Cleanup; }
Cleanup: if (ApRequest.authenticator.cipher_text.value != NULL) { MIDL_user_free(ApRequest.authenticator.cipher_text.value); } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbVerifyApRequest
//
// Synopsis: Verifies that an AP request message is valid
//
// Effects: decrypts ticket in AP request
//
// Arguments: RequestMessage - Marshalled AP request message
// RequestSize - Size in bytes of request message
// LogonSession - Logon session for server
// Credential - Credential for server containing
// supplied credentials
// UseSuppliedCreds - If TRUE, use creds from credential
// ApRequest - Receives unmarshalled AP request
// NewTicket - Receives ticket from AP request
// NewAuthenticator - receives new authenticator from AP request
// SessionKey -receives the session key from the ticket
// ContextFlags - receives the requested flags for the
// context.
// pChannelBindings - pChannelBindings supplied by app to check
// against hashed ones in AP_REQ
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbVerifyApRequest( IN OPTIONAL PKERB_CONTEXT Context, IN PUCHAR RequestMessage, IN ULONG RequestSize, IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credential, IN BOOLEAN UseSuppliedCreds, IN BOOLEAN CheckForReplay, OUT PKERB_AP_REQUEST * ApRequest, OUT PKERB_ENCRYPTED_TICKET * NewTicket, OUT PKERB_AUTHENTICATOR * NewAuthenticator, OUT PKERB_ENCRYPTION_KEY SessionKey, OUT PKERB_ENCRYPTION_KEY TicketKey, OUT PKERB_ENCRYPTION_KEY ServerKey, OUT PULONG ContextFlags, OUT PULONG ContextAttributes, OUT PKERBERR ReturnKerbErr, IN PSEC_CHANNEL_BINDINGS pChannelBindings ){ KERBERR KerbErr = KDC_ERR_NONE, TmpErr = KDC_ERR_NONE; NTSTATUS Status = STATUS_SUCCESS; PKERB_AP_REQUEST Request = NULL; UNICODE_STRING ServerName[3] = {0}; ULONG NameCount = 0; BOOLEAN UseSubKey = FALSE; BOOLEAN LockAcquired = FALSE, UsedExtraCreds = FALSE; PKERB_GSS_CHECKSUM GssChecksum; BOOLEAN TicketCacheLocked = FALSE; PKERB_ENCRYPTION_KEY* KeyArray = NULL; ULONG KeyCount = 0;
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials; ULONG StrippedRequestSize = RequestSize; PUCHAR StrippedRequest = RequestMessage; PKERB_TICKET_CACHE_ENTRY CacheEntry = NULL; ULONG i, ApOptions = 0; ULONG BindHash[4];
*ApRequest = NULL; *ContextFlags = 0; *NewTicket = NULL; *NewAuthenticator = NULL; *ReturnKerbErr = KDC_ERR_NONE;
RtlZeroMemory( SessionKey, sizeof(KERB_ENCRYPTION_KEY) ); *TicketKey = *SessionKey; *ServerKey = *SessionKey;
//
// First unpack the KDC request.
//
//
// Verify the GSSAPI header
//
D_DebugLog((DEB_TRACE, "KerbVerifyApRequest UseSuppliedCreds %s, CheckForReplay %s\n", UseSuppliedCreds ? "true" : "false", CheckForReplay ? "true" : "false"));
if (!g_verify_token_header( (gss_OID) gss_mech_krb5_new, (INT *) &StrippedRequestSize, &StrippedRequest, KG_TOK_CTX_AP_REQ, RequestSize )) { StrippedRequestSize = RequestSize; StrippedRequest = RequestMessage;
//
// Check if this is user-to-user kerberos
//
if (g_verify_token_header( gss_mech_krb5_u2u, (INT *) &StrippedRequestSize, &StrippedRequest, KG_TOK_CTX_TGT_REQ, RequestSize)) { //
// Return now because there is no AP request. Return a distinct
// success code so the caller knows to reparse the request as
// a TGT request.
//
D_DebugLog((DEB_TRACE_U2U, "KerbVerifyApRequest got TGT reqest\n"));
return (STATUS_REPARSE_OBJECT); } else { StrippedRequestSize = RequestSize; StrippedRequest = RequestMessage;
if (!g_verify_token_header( // check for a user-to-user AP request
gss_mech_krb5_u2u, (INT *) &StrippedRequestSize, &StrippedRequest, KG_TOK_CTX_AP_REQ, RequestSize)) { //
// BUG 454895: remove when not needed for compatibility
//
//
// if that didn't work, just use the token as it is.
//
StrippedRequest = RequestMessage; StrippedRequestSize = RequestSize; D_DebugLog((DEB_TRACE,"KerbVerifyApRequest didn't find GSS header on AP request\n")); } } }
KerbErr = KerbUnpackApRequest( StrippedRequest, StrippedRequestSize, &Request ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to unpack AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Check for a null session
//
if ((Request->version == KERBEROS_VERSION) && (Request->message_type == KRB_AP_REQ) && (Request->ticket.encrypted_part.cipher_text.length == 1) && (*Request->ticket.encrypted_part.cipher_text.value == '\0') && (Request->authenticator.cipher_text.length == 1) && (*Request->authenticator.cipher_text.value == '\0')) { //
// We have a null session. Not much to do here.
//
Status = STATUS_SUCCESS;
RtlZeroMemory( SessionKey, sizeof(KERB_ENCRYPTION_KEY) ); *ContextFlags |= ISC_RET_NULL_SESSION; goto Cleanup; }
DsysAssert( !LockAcquired ); KerbReadLockLogonSessions(LogonSession); LockAcquired = TRUE;
if ( UseSuppliedCreds ) { PrimaryCredentials = Credential->SuppliedCredentials; } else { PrimaryCredentials = &LogonSession->PrimaryCredentials;
KerbLockList(&LogonSession->ExtraCredentials.CredList); if ( LogonSession->ExtraCredentials.Count ) { KeyCount += KerbCountPasswords(&LogonSession->ExtraCredentials); UsedExtraCreds = TRUE; } else { KerbUnlockList(&LogonSession->ExtraCredentials.CredList); } }
//
// Check for existence of a password and use_session_key
//
ApOptions = KerbConvertFlagsToUlong( &Request->ap_options);
D_DebugLog((DEB_TRACE, "KerbVerifyApRequest AP options = 0x%x\n", ApOptions));
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) == 0) { if (!KerbHaveKeyMaterials((UsedExtraCreds ? LogonSession : NULL), PrimaryCredentials)) { Status = SEC_E_NO_CREDENTIALS; *ReturnKerbErr = KRB_AP_ERR_USER_TO_USER_REQUIRED; goto Cleanup; } else { //
// If someone's added credentials to a non-joined machine,then
// there's a possibility that we don't have a pwd w/ our primary
// credentials structure.
//
if (PrimaryCredentials->Passwords != NULL) { KeyCount++; } if (PrimaryCredentials->OldPasswords != NULL) { KeyCount++; } } }
if (!KERB_SUCCESS(KerbBuildFullServiceName( &PrimaryCredentials->DomainName, &PrimaryCredentials->UserName, &ServerName[NameCount++] ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
ServerName[NameCount++] = PrimaryCredentials->UserName;
if (Credential->CredentialName.Length != 0) { ServerName[NameCount++] = Credential->CredentialName; }
//
// Now Check the ticket
//
//
// If this is use_session key, get the key from the tgt
//
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) != 0) { D_DebugLog((DEB_TRACE_U2U, "KerbVerifyApRequest verifying ticket with TGT session key\n"));
*ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
//
// If we have a context, try to get the TGT from it.
//
if (ARGUMENT_PRESENT(Context)) { KerbReadLockContexts(); CacheEntry = Context->TicketCacheEntry; KerbUnlockContexts(); }
//
// If there is no TGT in the context, try getting one from the
// logon session.
//
if (CacheEntry == NULL) { //
// Locate the TGT for the principal, this can never happen!
//
DebugLog((DEB_WARN, "KerbVerifyApRequest tried to request TGT on credential without a TGT\n"));
CacheEntry = KerbLocateTicketCacheEntryByRealm( &PrimaryCredentials->AuthenticationTicketCache, &PrimaryCredentials->DomainName, // get initial ticket
0 ); } else { KerbReferenceTicketCacheEntry( CacheEntry ); } if (CacheEntry == NULL) { DebugLog((DEB_ERROR, "KerbVerifyApRequest tried to request TGT on credential without a TGT\n")); *ReturnKerbErr = KRB_AP_ERR_NO_TGT; Status = SEC_E_NO_CREDENTIALS; goto Cleanup;
}
DsysAssert( !TicketCacheLocked ); KerbReadLockTicketCache(); TicketCacheLocked = TRUE;
KeyCount = 1; SafeAllocaAllocate(KeyArray, ( sizeof(PKERB_ENCRYPTION_KEY) * KeyCount )); if (KeyArray == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
KeyArray[0] = &CacheEntry->SessionKey; } else { SafeAllocaAllocate(KeyArray, ( sizeof(PKERB_ENCRYPTION_KEY) * KeyCount )); if (KeyArray == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup;
}
RtlZeroMemory(KeyArray, ( sizeof(PKERB_ENCRYPTION_KEY) * KeyCount ));
Status = KerbBuildKeyArray( (UsedExtraCreds ? LogonSession : NULL), PrimaryCredentials, Request->ticket.encrypted_part.encryption_type, KeyArray, &KeyCount );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "Couldn't find server key of type 0x%x. %ws, line %d\n", Request->ticket.encrypted_part.encryption_type, THIS_FILE, __LINE__ )); goto Cleanup; } }
for ( i = 0; i < KeyCount ; i++ ) { TmpErr = KerbCheckTicket( &Request->ticket, &Request->authenticator, KeyArray[i], Authenticators, &KerbGlobalSkewTime, NameCount, ServerName, &PrimaryCredentials->DomainName, CheckForReplay, FALSE, // not a KDC request
NewTicket, NewAuthenticator, TicketKey, SessionKey, &UseSubKey );
if (KERB_SUCCESS( TmpErr )) { D_DebugLog((DEB_TRACE, "KerbVerifyApRequest ticket check succeeded using key %x\n", i)); break; } else if ( TmpErr == KRB_AP_ERR_MODIFIED ) { continue; } else { Status = KerbMapKerbError( TmpErr ); *ReturnKerbErr = TmpErr; goto Cleanup; } }
if (!KERB_SUCCESS( TmpErr )) { DebugLog((DEB_ERROR, "KerbVerifyApRequest failed to check ticket %x %p\n", TmpErr, Request)); Status = KerbMapKerbError( TmpErr ); *ReturnKerbErr = TmpErr; goto Cleanup; }
*ReturnKerbErr = TmpErr;
//
// Copy the key that was used.
//
if (!KERB_SUCCESS(KerbDuplicateKey( ServerKey, KeyArray[i]))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
if (UsedExtraCreds) { KerbUnlockList(&LogonSession->ExtraCredentials.CredList); UsedExtraCreds = FALSE; }
//
// Get the context flags out of the authenticator and the AP request
//
if ((((*NewAuthenticator)->bit_mask & checksum_present) != 0) && ((*NewAuthenticator)->checksum.checksum_type == GSS_CHECKSUM_TYPE) && ((*NewAuthenticator)->checksum.checksum.length >= GSS_CHECKSUM_SIZE)) { GssChecksum = (PKERB_GSS_CHECKSUM) (*NewAuthenticator)->checksum.checksum.value;
if (GssChecksum->GssFlags & GSS_C_MUTUAL_FLAG) { //
// Make sure this is also present in the AP request
//
if ((ApOptions & KERB_AP_OPTIONS_mutual_required) == 0) { DebugLog((DEB_ERROR,"KerbVerifyApRequest sent AP_mutual_req but not GSS_C_MUTUAL_FLAG. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_INVALID_PARAMETER; goto Cleanup; } } if (GssChecksum->GssFlags & GSS_C_DCE_STYLE) { *ContextFlags |= ISC_RET_USED_DCE_STYLE; } if (GssChecksum->GssFlags & GSS_C_REPLAY_FLAG) { *ContextFlags |= ISC_RET_REPLAY_DETECT; } if (GssChecksum->GssFlags & GSS_C_SEQUENCE_FLAG) { *ContextFlags |= ISC_RET_SEQUENCE_DETECT; } if (GssChecksum->GssFlags & GSS_C_CONF_FLAG) { *ContextFlags |= (ISC_RET_CONFIDENTIALITY | ISC_RET_INTEGRITY | ISC_RET_SEQUENCE_DETECT | ISC_RET_REPLAY_DETECT ); } if (GssChecksum->GssFlags & GSS_C_INTEG_FLAG) { *ContextFlags |= ISC_RET_INTEGRITY; } if (GssChecksum->GssFlags & GSS_C_IDENTIFY_FLAG) { *ContextFlags |= ISC_RET_IDENTIFY; } if (GssChecksum->GssFlags & GSS_C_DELEG_FLAG) { *ContextFlags |= ISC_RET_DELEGATE; } if (GssChecksum->GssFlags & GSS_C_EXTENDED_ERROR_FLAG) { *ContextFlags |= ISC_RET_EXTENDED_ERROR; }
if( pChannelBindings != NULL ) { Status = KerbComputeGssBindHash( pChannelBindings, (PUCHAR)BindHash );
if( !NT_SUCCESS(Status) ) { goto Cleanup; }
if( RtlCompareMemory( BindHash, GssChecksum->BindHash, GssChecksum->BindLength ) != GssChecksum->BindLength ) { Status = STATUS_BAD_BINDINGS; goto Cleanup; } } }
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) != 0) { *ContextFlags |= ISC_RET_USE_SESSION_KEY; }
if ((ApOptions & KERB_AP_OPTIONS_mutual_required) != 0) { *ContextFlags |= ISC_RET_MUTUAL_AUTH; }
*ApRequest = Request; Request = NULL;
Cleanup:
if (TicketCacheLocked) { KerbUnlockTicketCache(); }
if (CacheEntry) { KerbDereferenceTicketCacheEntry(CacheEntry); }
if (UsedExtraCreds) { KerbUnlockList(&LogonSession->ExtraCredentials.CredList); }
if (LockAcquired) { KerbUnlockLogonSessions(LogonSession); }
if (Request != NULL) { //
// If the client didn't want mutual-auth, then it won't be expecting
// a response message so don't bother with the kerb error. By setting
// KerbErr to KDC_ERR_NONE we won't send a message back to the client.
//
if ( (ApOptions & KERB_AP_OPTIONS_mutual_required) == 0 ) { *ReturnKerbErr = KDC_ERR_NONE; } }
if ( KeyArray != NULL ) { SafeAllocaFree( KeyArray ); }
KerbFreeApRequest(Request); KerbFreeString(&ServerName[0]); if (!NT_SUCCESS(Status)) { KerbFreeKey(TicketKey); }
return (Status);}#endif // WIN32_CHICAGO
//+-------------------------------------------------------------------------
//
// Function: KerbMarshallApReply
//
// Synopsis: Takes a reply and reply body and encrypts and marshalls them
// into a return message
//
// Effects: Allocates output buffer
//
// Arguments: Reply - The outer reply to marshall
// ReplyBody - The reply body to marshall
// SessionKey - Session key to encrypt reply
// ContextFlags - Flags for context
// PackedReply - Recives marshalled reply buffer
// PackedReplySize - Receives size in bytes of marshalled reply
//
// Requires:
//
// Returns: STATUS_SUCCESS or STATUS_INSUFFICIENT_RESOURCES
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbMarshallApReply( IN PKERB_AP_REPLY Reply, IN PKERB_ENCRYPTED_AP_REPLY ReplyBody, IN PKERB_ENCRYPTION_KEY SessionKey, IN ULONG ContextFlags, IN ULONG ContextAttributes, OUT PUCHAR * PackedReply, OUT PULONG PackedReplySize ){ NTSTATUS Status = STATUS_SUCCESS; ULONG PackedApReplySize; PUCHAR PackedApReply = NULL; ULONG ReplySize; PUCHAR ReplyWithHeader = NULL; PUCHAR ReplyStart; KERBERR KerbErr; gss_OID_desc * MechId;
if (!KERB_SUCCESS(KerbPackApReplyBody( ReplyBody, &PackedApReplySize, &PackedApReply ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Now encrypt the response
//
KerbErr = KerbAllocateEncryptionBufferWrapper( SessionKey->keytype, PackedApReplySize, &Reply->encrypted_part.cipher_text.length, &Reply->encrypted_part.cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to get encryption overhead. 0x%x. %ws, line %d\n", KerbErr, THIS_FILE, __LINE__)); Status = KerbMapKerbError(KerbErr); goto Cleanup; }
if (!KERB_SUCCESS(KerbEncryptDataEx( &Reply->encrypted_part, PackedApReplySize, PackedApReply, KERB_NO_KEY_VERSION, KERB_AP_REP_SALT, SessionKey ))) { D_DebugLog((DEB_ERROR,"Failed to encrypt AP Reply. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Now pack the reply into the output buffer
//
if (!KERB_SUCCESS(KerbPackApReply( Reply, PackedReplySize, PackedReply ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// If we aren't doing DCE style, add in the GSS token headers now
//
if ((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) { goto Cleanup; }
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0) { MechId = gss_mech_krb5_u2u; } else { MechId = gss_mech_krb5_new; }
ReplySize = g_token_size( MechId, *PackedReplySize);
ReplyWithHeader = (PUCHAR) KerbAllocate(ReplySize); if (ReplyWithHeader == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// the g_make_token_header will reset this to point to the end of the
// header
//
ReplyStart = ReplyWithHeader;
g_make_token_header( MechId, *PackedReplySize, &ReplyStart, KG_TOK_CTX_AP_REP );
DsysAssert(ReplyStart - ReplyWithHeader + *PackedReplySize == ReplySize);
RtlCopyMemory( ReplyStart, *PackedReply, *PackedReplySize );
KerbFree(*PackedReply); *PackedReply = ReplyWithHeader; *PackedReplySize = ReplySize; ReplyWithHeader = NULL;
Cleanup: if (Reply->encrypted_part.cipher_text.value != NULL) { MIDL_user_free(Reply->encrypted_part.cipher_text.value); Reply->encrypted_part.cipher_text.value = NULL; } if (PackedApReply != NULL) { MIDL_user_free(PackedApReply); } if (!NT_SUCCESS(Status) && (*PackedReply != NULL)) { KerbFree(*PackedReply); *PackedReply = NULL; } return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildApReply
//
// Synopsis: Builds an AP reply message if mutual authentication is
// desired.
//
// Effects: InternalAuthenticator - Authenticator from the AP request
// this reply is for.
// Request - The AP request to which to reply.
// ContextFlags - Contains context flags from the AP request.
// SessionKey - The session key to use to build the reply,.
// receives the new session key (if KERB_AP_USE_SKEY
// is negotiated).
// NewReply - Receives the AP reply.
// NewReplySize - Receives the size of the AP reply.
//
// Arguments:
//
// Requires:
//
// Returns: STATUS_SUCCESS, STATUS_INSUFFICIENT_MEMORY, or errors from
// KIEncryptData
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildApReply( IN PKERB_AUTHENTICATOR InternalAuthenticator, IN PKERB_AP_REQUEST Request, IN ULONG ContextFlags, IN ULONG ContextAttributes, IN PKERB_ENCRYPTION_KEY TicketKey, IN OUT PKERB_ENCRYPTION_KEY SessionKey, OUT PULONG Nonce, OUT PUCHAR * NewReply, OUT PULONG NewReplySize ){ NTSTATUS Status = STATUS_SUCCESS; KERB_AP_REPLY Reply = {0}; KERB_ENCRYPTED_AP_REPLY ReplyBody = {0}; KERB_ENCRYPTION_KEY NewSessionKey = {0};
*NewReply = NULL; *NewReplySize = 0;
Reply.version = KERBEROS_VERSION; Reply.message_type = KRB_AP_REP;
ReplyBody.client_time = InternalAuthenticator->client_time; ReplyBody.client_usec = InternalAuthenticator->client_usec;
//
// Generate a new nonce for the reply
//
*Nonce = KerbAllocateNonce();
D_DebugLog((DEB_TRACE,"BuildApReply using nonce 0x%x\n",*Nonce));
if (*Nonce != 0) { ReplyBody.KERB_ENCRYPTED_AP_REPLY_sequence_number = (int) *Nonce; ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_sequence_number_present;
}
//
// If the client wants to use a session key, create one now
//
if ((InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_subkey_present) != 0 ) { KERBERR KerbErr; //
// If the client sent us an export-strength subkey, use it
//
if (KerbIsKeyExportable( &InternalAuthenticator->KERB_AUTHENTICATOR_subkey )) { D_DebugLog((DEB_TRACE_CTXT,"Client sent exportable key, using it on server on server\n")); if (!KERB_SUCCESS(KerbDuplicateKey( &NewSessionKey, &InternalAuthenticator->KERB_AUTHENTICATOR_subkey ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } } else {
//
// If we are export-strength, create our own key. Otherwise use
// the client's key.
//
D_DebugLog((DEB_TRACE_CTXT,"Client sent strong key, using it on server on server\n")); KerbErr = KerbDuplicateKey( &NewSessionKey, &InternalAuthenticator->KERB_AUTHENTICATOR_subkey );
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
} ReplyBody.KERB_ENCRYPTED_AP_REPLY_subkey = NewSessionKey; ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_subkey_present; } else { KERBERR KerbErr;
//
// Create a subkey ourselves if we are export strength
//
KerbErr = KerbMakeKey( Request->authenticator.encryption_type, &NewSessionKey ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
ReplyBody.KERB_ENCRYPTED_AP_REPLY_subkey = NewSessionKey; ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_subkey_present; }
Status = KerbMarshallApReply( &Reply, &ReplyBody, TicketKey, ContextFlags, ContextAttributes, NewReply, NewReplySize );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// If they asked for a session key, replace our current session key
// with it.
//
if (NewSessionKey.keyvalue.value != NULL) { KerbFreeKey(SessionKey); *SessionKey = NewSessionKey; RtlZeroMemory( &NewSessionKey, sizeof(KERB_ENCRYPTION_KEY) ); }
Cleanup:
if (!NT_SUCCESS(Status)) { KerbFreeKey(&NewSessionKey); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildThirdLegApReply
//
// Synopsis: Builds a third leg AP reply message if DCE-style
// authentication is desired.
//
// Effects: Context - Context for which to build this message.
// NewReply - Receives the AP reply.
// NewReplySize - Receives the size of the AP reply.
//
// Arguments:
//
// Requires:
//
// Returns: STATUS_SUCCESS, STATUS_INSUFFICIENT_MEMORY, or errors from
// KIEncryptData
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildThirdLegApReply( IN PKERB_CONTEXT Context, IN ULONG ReceiveNonce, OUT PUCHAR * NewReply, OUT PULONG NewReplySize ){ NTSTATUS Status = STATUS_SUCCESS; KERB_AP_REPLY Reply; KERB_ENCRYPTED_AP_REPLY ReplyBody; TimeStamp CurrentTime;
RtlZeroMemory( &Reply, sizeof(KERB_AP_REPLY) ); RtlZeroMemory( &ReplyBody, sizeof(KERB_ENCRYPTED_AP_REPLY) ); *NewReply = NULL; *NewReplySize = 0;
Reply.version = KERBEROS_VERSION; Reply.message_type = KRB_AP_REP;
GetSystemTimeAsFileTime((PFILETIME) &CurrentTime );
KerbConvertLargeIntToGeneralizedTimeWrapper( &ReplyBody.client_time, &ReplyBody.client_usec, &CurrentTime );
ReplyBody.KERB_ENCRYPTED_AP_REPLY_sequence_number = ReceiveNonce; ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_sequence_number_present;
D_DebugLog((DEB_TRACE,"Building third leg AP reply with nonce 0x%x\n",ReceiveNonce));
//
// We already negotiated context flags so don't bother filling them in
// now.
//
KerbReadLockContexts();
DsysAssert((int) Context->EncryptionType == Context->TicketKey.keytype);
Status = KerbMarshallApReply( &Reply, &ReplyBody, &Context->TicketKey, Context->ContextFlags, Context->ContextAttributes, NewReply, NewReplySize ); KerbUnlockContexts();
if (!NT_SUCCESS(Status)) { goto Cleanup; }
Cleanup:
return (Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbKerbTimeEqual
//
// Synopsis: Compares two KERB_TIME values
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns: TRUE - times are the same; otherwise FALSE
//
// Notes:
//
//
//--------------------------------------------------------------------------
BOOLEANKerbKerbTimeEqual( PKERB_TIME pt1, PKERB_TIME pt2 ){ if (pt1->day != pt2->day) return (FALSE); if (pt1->diff != pt2->diff) return (FALSE); if (pt1->hour != pt2->hour) return (FALSE); if (pt1->millisecond != pt2->millisecond) return (FALSE); if (pt1->minute != pt2->minute) return (FALSE); if (pt1->month != pt2->month) return (FALSE); if (pt1->second != pt2->second) return (FALSE); if (pt1->universal != pt2->universal) return (FALSE); if (pt1->year != pt2->year) return (FALSE);
return (TRUE);}
//+-------------------------------------------------------------------------
//
// Function: KerbVerifyApReply
//
// Synopsis: Verifies an AP reply corresponds to an AP request
//
// Effects: Decrypts the AP reply
//
// Arguments:
//
// Requires:
//
// Returns: STATUS_SUCCESS or STATUS_LOGON_FAILURE
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbVerifyApReply( IN PKERB_CONTEXT Context, IN PUCHAR PackedReply, IN ULONG PackedReplySize, OUT PULONG Nonce ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr; PKERB_AP_REPLY Reply = NULL; PKERB_ENCRYPTED_AP_REPLY ReplyBody = NULL; BOOLEAN ContextsLocked = FALSE; ULONG StrippedReplySize = PackedReplySize; PUCHAR StrippedReply = PackedReply; gss_OID_desc * MechId; KERB_TIME AP_REQ_client_time; ASN1int32_t AP_REQ_client_usec;
//
// Verify the GSSAPI header
//
KerbReadLockContexts(); if ((Context->ContextFlags & ISC_RET_USED_DCE_STYLE) == 0) { if ((Context->ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0) { MechId = gss_mech_krb5_u2u; } else { MechId = gss_mech_krb5_new; } if (!g_verify_token_header( (gss_OID) MechId, (INT *) &StrippedReplySize, &StrippedReply, KG_TOK_CTX_AP_REP, PackedReplySize )) { //
// BUG 454895: remove when not needed for compatibility
//
//
// if that didn't work, just use the token as it is.
//
StrippedReply = PackedReply; StrippedReplySize = PackedReplySize; D_DebugLog((DEB_WARN,"Didn't find GSS header on AP Reply\n"));
} } KerbUnlockContexts();
if (!KERB_SUCCESS(KerbUnpackApReply( StrippedReply, StrippedReplySize, &Reply ))) { D_DebugLog((DEB_WARN, "Failed to unpack AP reply, %ws, %d\n", THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
if ((Reply->version != KERBEROS_VERSION) || (Reply->message_type != KRB_AP_REP)) { D_DebugLog((DEB_ERROR,"Illegal version or message as AP reply: 0x%x, 0x%x. %ws, line %d\n", Reply->version, Reply->message_type, THIS_FILE, __LINE__ )); Status = STATUS_LOGON_FAILURE; goto Cleanup; }
//
// Now decrypt the encrypted part.
//
KerbReadLockTicketCache(); KerbWriteLockContexts(); ContextsLocked = TRUE;
KerbErr = KerbDecryptDataEx( &Reply->encrypted_part, &Context->TicketKey, KERB_AP_REP_SALT, (PULONG) &Reply->encrypted_part.cipher_text.length, Reply->encrypted_part.cipher_text.value ); KerbUnlockTicketCache();
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "Failed to decrypt AP reply: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); if (KerbErr == KRB_ERR_GENERIC) { Status = STATUS_INSUFFICIENT_RESOURCES; } else { Status = STATUS_LOGON_FAILURE; } goto Cleanup; }
//
// Decode the contents now
//
if (!KERB_SUCCESS(KerbUnpackApReplyBody( Reply->encrypted_part.cipher_text.value, Reply->encrypted_part.cipher_text.length, &ReplyBody))) { DebugLog((DEB_ERROR, "Failed to unpack AP reply body. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Check the mutual auth with ctime/utime reply from remote
// This will check only the ISC KERB AP_Requests & AP_Responses
// We may want to add in more support into the DCE path in ASC() - TBD
//
if ((Context->ContextAttributes & KERB_CONTEXT_OUTBOUND) != 0) { KerbConvertLargeIntToGeneralizedTimeWrapper( &AP_REQ_client_time, &AP_REQ_client_usec, &Context->AuthenticatorTime );
if ((AP_REQ_client_usec != ReplyBody->client_usec) || (!KerbKerbTimeEqual(&AP_REQ_client_time, &(ReplyBody->client_time)))) { DebugLog((DEB_ERROR,"AP Authenticator times match Failed!\n")); D_DebugLog((DEB_ERROR,"Context %d/%d/%d %d:%d:%d.%d\n", AP_REQ_client_time.month, AP_REQ_client_time.day, AP_REQ_client_time.year, AP_REQ_client_time.hour, AP_REQ_client_time.minute, AP_REQ_client_time.second, AP_REQ_client_usec)); D_DebugLog((DEB_ERROR,"AP_Reply %d/%d/%d %d:%d:%d.%d\n", ReplyBody->client_time.month, ReplyBody->client_time.day, ReplyBody->client_time.year, ReplyBody->client_time.hour, ReplyBody->client_time.minute, ReplyBody->client_time.second, ReplyBody->client_usec));
// ASSERT(0);
// Kerb error KRB_AP_ERR_MUT_FAIL
Status = STATUS_MUTUAL_AUTHENTICATION_FAILED; goto Cleanup; } }
if ((ReplyBody->bit_mask & KERB_ENCRYPTED_AP_REPLY_sequence_number_present) != 0) { *Nonce = ReplyBody->KERB_ENCRYPTED_AP_REPLY_sequence_number;
D_DebugLog((DEB_TRACE,"Verifying AP reply: AP nonce = 0x%x, context nonce = 0x%x, receive nonce = 0x%x\n", *Nonce, Context->Nonce, Context->ReceiveNonce )); //
// If this is a third-leg AP reply, verify the nonce.
//
if ((Context->ContextAttributes & KERB_CONTEXT_INBOUND) != 0) { if (*Nonce != Context->Nonce) { D_DebugLog((DEB_ERROR,"Nonce in third-leg AP rep didn't match context: 0x%x vs 0x%x\n", *Nonce, Context->Nonce )); Status = STATUS_LOGON_FAILURE; goto Cleanup; } } } else { *Nonce = 0; }
//
// Check to see if a new session key was sent back. If it was, stick it
// in the context.
//
if ((ReplyBody->bit_mask & KERB_ENCRYPTED_AP_REPLY_subkey_present) != 0) { KerbFreeKey(&Context->SessionKey); if (!KERB_SUCCESS(KerbDuplicateKey( &Context->SessionKey, &ReplyBody->KERB_ENCRYPTED_AP_REPLY_subkey ))) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } }
Status = STATUS_SUCCESS;
Cleanup:
if (ContextsLocked) { KerbUnlockContexts(); } if (Reply != NULL) { KerbFreeApReply(Reply); } if (ReplyBody != NULL) { KerbFreeApReplyBody(ReplyBody); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbInitGlobalVariables
//
// Synopsis: Initializes global variables
//
// Effects:
//
// Arguments: none
//
// Requires: NTSTATUS code
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbInitGlobalVariables( VOID ){ NTSTATUS Status = STATUS_SUCCESS;#ifndef WIN32_CHICAGO
LPNET_CONFIG_HANDLE ConfigHandle = NULL; BOOL TempBool;#endif // WIN32_CHICAGO
ULONG SkewTimeInMinutes = KERB_DEFAULT_SKEWTIME; NET_API_STATUS NetStatus = ERROR_SUCCESS; ULONG FarKdcTimeout = KERB_BINDING_FAR_DC_TIMEOUT; ULONG NearKdcTimeout = KERB_BINDING_NEAR_DC_TIMEOUT; ULONG SpnCacheTimeout = KERB_SPN_CACHE_TIMEOUT; ULONG S4UCacheTimeout = KERB_S4U_CACHE_TIMEOUT; ULONG S4UTicketLifetime = KERB_S4U_TICKET_LIFETIME;
//
// Initialize the kerberos token source
//
RtlCopyMemory( KerberosSource.SourceName, "Kerberos", sizeof( KerberosSource.SourceName ) );
NtAllocateLocallyUniqueId(&KerberosSource.SourceIdentifier);
KerbGlobalKdcWaitTime = KERB_KDC_WAIT_TIME; KerbGlobalKdcCallTimeout = KERB_KDC_CALL_TIMEOUT; KerbGlobalKdcCallBackoff = KERB_KDC_CALL_TIMEOUT_BACKOFF; KerbGlobalMaxDatagramSize = KERB_MAX_DATAGRAM_SIZE; KerbGlobalKdcSendRetries = KERB_MAX_RETRIES; KerbGlobalMaxReferralCount = KERB_MAX_REFERRAL_COUNT; KerbGlobalUseStrongEncryptionForDatagram = KERB_DEFAULT_USE_STRONG_ENC_DG; KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_NT; KerbGlobalMaxTokenSize = KERBEROS_MAX_TOKEN;
#ifndef WIN32_CHICAGO
//
// Set the max authenticator age to be less than the allowed skew time
// on debug builds so we can have widely varying time on machines but
// don't build up a huge list of authenticators.
//
NetStatus = NetpOpenConfigDataWithPath( &ConfigHandle, NULL, // no server name
KERB_PATH, TRUE // read only
); if (NetStatus == ERROR_SUCCESS) { NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_SKEWTIME, KERB_DEFAULT_SKEWTIME, &SkewTimeInMinutes );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_MAX_TOKEN_SIZE, KERBEROS_MAX_TOKEN, &KerbGlobalMaxTokenSize );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// Get the far timeout for the kdc
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_FAR_KDC_TIMEOUT, KERB_BINDING_FAR_DC_TIMEOUT, &FarKdcTimeout );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// Get the near timeout for the kdc
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_NEAR_KDC_TIMEOUT, KERB_BINDING_NEAR_DC_TIMEOUT, &NearKdcTimeout );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// Get the SPN cache lifetime
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_SPN_CACHE_TIMEOUT, KERB_SPN_CACHE_TIMEOUT, &SpnCacheTimeout );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// Get the S4U cache lifetime
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_S4UCACHE_TIMEOUT, KERB_S4U_CACHE_TIMEOUT, &S4UCacheTimeout ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// Get the S4U ticket and ticket cache - must be at least 5
// minutes long, though, or you'll get all sorts of bogus errors.
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_S4UTICKET_LIFETIME, KERB_S4U_TICKET_LIFETIME, &S4UTicketLifetime );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
if ( S4UTicketLifetime < KERB_MIN_S4UTICKET_LIFETIME ) { S4UTicketLifetime = KERB_MIN_S4UTICKET_LIFETIME; }
NetStatus = NetpGetConfigBool( ConfigHandle, KERB_PARAMETER_CACHE_S4UTICKET, KERB_DEFAULT_CACHE_S4UTICKET, &TempBool );
if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
KerbGlobalCacheS4UTicket = (BOOLEAN)(TempBool != 0 ); //
// Get the wait time for the service to start
//
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_START_TIME, KERB_KDC_WAIT_TIME, &KerbGlobalKdcWaitTime ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_KDC_CALL_TIMEOUT, KERB_KDC_CALL_TIMEOUT, &KerbGlobalKdcCallTimeout ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_MAX_UDP_PACKET, KERB_MAX_DATAGRAM_SIZE, &KerbGlobalMaxDatagramSize ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; } else { //
// UDP packets have a 2-byte length field so under no
// circumstances can they be bigger than 64K
//
KerbGlobalMaxDatagramSize = min( KerbGlobalMaxDatagramSize, 64*1024 ); }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_KDC_BACKOFF_TIME, KERB_KDC_CALL_TIMEOUT_BACKOFF, &KerbGlobalKdcCallBackoff ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_MAX_REFERRAL_COUNT, KERB_MAX_REFERRAL_COUNT, &KerbGlobalMaxReferralCount ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_KDC_SEND_RETRIES, KERB_MAX_RETRIES, &KerbGlobalKdcSendRetries ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_DEFAULT_ETYPE, KerbGlobalDefaultPreauthEtype, &KerbGlobalDefaultPreauthEtype ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
NetStatus = NetpGetConfigDword( ConfigHandle, KERB_PARAMETER_REQUEST_OPTIONS, KERB_ADDITIONAL_KDC_OPTIONS, &KerbGlobalKdcOptions ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; }
//
// BUG 454981: get this from the same place as NTLM
//
NetStatus = NetpGetConfigBool( ConfigHandle, KERB_PARAMETER_STRONG_ENC_DG, KERB_DEFAULT_USE_STRONG_ENC_DG, &TempBool ); if (!NT_SUCCESS(NetStatus)) { Status = NetpApiStatusToNtStatus(NetStatus); goto Cleanup; } KerbGlobalUseStrongEncryptionForDatagram = (BOOLEAN)(TempBool != 0 ); }#endif // WIN32_CHICAGO
KerbSetTimeInMinutes(&KerbGlobalSkewTime, SkewTimeInMinutes); KerbSetTimeInMinutes(&KerbGlobalFarKdcTimeout,FarKdcTimeout); KerbSetTimeInMinutes(&KerbGlobalNearKdcTimeout, NearKdcTimeout); KerbSetTimeInMinutes(&KerbGlobalSpnCacheTimeout, SpnCacheTimeout); KerbSetTimeInMinutes(&KerbGlobalS4UCacheTimeout, S4UCacheTimeout); KerbSetTimeInMinutes(&KerbGlobalS4UTicketLifetime, S4UTicketLifetime);
goto Cleanup; // needed for WIN32_CHICAGO builds to use Cleanup label
Cleanup:#ifndef WIN32_CHICAGO
if (ConfigHandle != NULL) { NetpCloseConfigData( ConfigHandle ); }#endif // WIN32_CHICAGO
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbInitTicketHandling
//
// Synopsis: Initializes ticket handling, such as authenticator list
//
// Effects:
//
// Arguments: none
//
// Requires: NTSTATUS code
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbInitTicketHandling( VOID ){ NTSTATUS Status = STATUS_SUCCESS;
// Set global variables
Status = KerbInitGlobalVariables(); if (!NT_SUCCESS(Status)) { goto Cleanup; }
#ifndef WIN32_CHICAGO
Authenticators = new CAuthenticatorList( KerbGlobalSkewTime ); if (Authenticators == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
Status = Authenticators->Init();
if (!NT_SUCCESS(Status)) { goto Cleanup; }#endif WIN32_CHICAGO
//
// Initialize the time skew code
//
Status = KerbInitializeSkewState(); if (!NT_SUCCESS(Status)) { goto Cleanup; }Cleanup:
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbCleanupTicketHandling
//
// Synopsis: cleans up ticket handling state, such as the
// list of authenticators.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns: none
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbCleanupTicketHandling( VOID ){#ifndef WIN32_CHICAGO
if (Authenticators != NULL) { delete Authenticators; }#endif // WIN32_CHICAGO
}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildTgtRequest
//
// Synopsis: Creates a tgt request for user-to-user authentication
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildTgtRequest( IN PKERB_INTERNAL_NAME TargetName, IN PUNICODE_STRING TargetRealm, OUT PULONG ContextAttributes, OUT PUCHAR * MarshalledTgtRequest, OUT PULONG TgtRequestSize ){ KERB_TGT_REQUEST Request = {0}; KERBERR KerbErr = KDC_ERR_NONE; NTSTATUS Status = STATUS_SUCCESS; PBYTE TempRequest = NULL; PBYTE RequestStart; ULONG TempRequestSize = 0;
D_DebugLog((DEB_TRACE_U2U, "KerbBuildTgtRequest TargetRealm %wZ, TargetName ", TargetRealm)); D_KerbPrintKdcName((DEB_TRACE_U2U, TargetName));
//
// First build the request
//
Request.version = KERBEROS_VERSION; Request.message_type = KRB_TGT_REQ; if (TargetName->NameCount > 0) { KerbErr = KerbConvertKdcNameToPrincipalName( &Request.KERB_TGT_REQUEST_server_name, TargetName ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } Request.bit_mask |= KERB_TGT_REQUEST_server_name_present; } else { *ContextAttributes |= KERB_CONTEXT_REQ_SERVER_NAME; }
if (TargetRealm->Length > 0) { KerbErr = KerbConvertUnicodeStringToRealm( &Request.server_realm, TargetRealm ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } Request.bit_mask |= server_realm_present; } else { *ContextAttributes |= KERB_CONTEXT_REQ_SERVER_REALM; }
//
// Encode the request
//
KerbErr = KerbPackData( &Request, KERB_TGT_REQUEST_PDU, &TempRequestSize, &TempRequest );
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
//
// Now add on the space for the OID
//
*TgtRequestSize = g_token_size( gss_mech_krb5_u2u, TempRequestSize );
*MarshalledTgtRequest = (PBYTE) MIDL_user_allocate( *TgtRequestSize );
if (*MarshalledTgtRequest == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
//
// Add the token ID & mechanism
//
RequestStart = *MarshalledTgtRequest;
g_make_token_header( gss_mech_krb5_u2u, TempRequestSize, &RequestStart, KG_TOK_CTX_TGT_REQ );
RtlCopyMemory( RequestStart, TempRequest, TempRequestSize );
Status = STATUS_SUCCESS;
Cleanup:
if (TempRequest != NULL ) { MIDL_user_free(TempRequest); }
KerbFreePrincipalName( &Request.KERB_TGT_REQUEST_server_name );
if ((Request.bit_mask & server_realm_present) != 0) { KerbFreeRealm( &Request.server_realm ); }
return (Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildTgtReply
//
// Synopsis: Builds a TGT reply with the appropriate options set
//
// Effects:
//
// Arguments:
//
// Requires: The logonsession / credential must be LOCKD!
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildTgtReply( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credentials, IN PUNICODE_STRING pSuppRealm, OUT PKERBERR ReturnedError, OUT OPTIONAL PBYTE * MarshalledReply, OUT OPTIONAL PULONG ReplySize, OUT PKERB_TICKET_CACHE_ENTRY * TgtUsed ){ NTSTATUS Status = STATUS_SUCCESS;
KERBERR KerbErr = KDC_ERR_NONE; KERB_TICKET_CACHE_ENTRY* TicketGrantingTicket = NULL; KERB_TGT_REPLY Reply = {0}; UNICODE_STRING TempName = {0}; BOOLEAN CrossRealm = FALSE;
*TgtUsed = NULL; ;
D_DebugLog((DEB_TRACE_U2U, "KerbBuildTgtReply SuppRealm %wZ\n", pSuppRealm));
Status = KerbGetTgtForService( LogonSession, Credentials, NULL, // no credman on the server side
pSuppRealm, // SuppRealm is the server's realm
&TempName, // no target realm
KERB_TICKET_CACHE_PRIMARY_TGT, &TicketGrantingTicket, &CrossRealm );
if (!NT_SUCCESS(Status) || CrossRealm) { DebugLog((DEB_ERROR, "KerbBuildTgtReply failed to get TGT: %#x, CrossRealm ? %s, SuppRealm %wZ\n", Status, CrossRealm ? "true" : "false", pSuppRealm)); *ReturnedError = KRB_AP_ERR_NO_TGT; Status = STATUS_USER2USER_REQUIRED; goto Cleanup; }
Reply.version = KERBEROS_VERSION; Reply.message_type = KRB_TGT_REP;
KerbReadLockTicketCache(); Reply.ticket = TicketGrantingTicket->Ticket;
//
// Marshall the output
//
KerbErr = KerbPackData( &Reply, KERB_TGT_REPLY_PDU, ReplySize, MarshalledReply );
KerbUnlockTicketCache();
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
*TgtUsed = TicketGrantingTicket; TicketGrantingTicket = NULL;
Cleanup:
if (TicketGrantingTicket != NULL) { KerbDereferenceTicketCacheEntry(TicketGrantingTicket); }
KerbFreeString(&TempName);
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildTgtErrorReply
//
// Synopsis: Builds a TgtReply message for use in a KERB_ERROR message
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbBuildTgtErrorReply( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credential, IN BOOLEAN UseSuppliedCreds, IN OUT PKERB_CONTEXT Context, OUT PULONG ReplySize, OUT PBYTE * Reply ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr = KDC_ERR_NONE; PKERB_PRIMARY_CREDENTIAL PrimaryCredentials; PKERB_TICKET_CACHE_ENTRY TgtUsed = NULL, OldTgt = NULL;
KerbReadLockLogonSessions(LogonSession);
if ( UseSuppliedCreds ) { PrimaryCredentials = Credential->SuppliedCredentials; } else { PrimaryCredentials = &LogonSession->PrimaryCredentials; }
Status = KerbBuildTgtReply( LogonSession, Credential, &PrimaryCredentials->DomainName, &KerbErr, Reply, ReplySize, &TgtUsed ); KerbUnlockLogonSessions(LogonSession);
//
//Store the cache entry in the context
//
if (NT_SUCCESS(Status)) { KerbWriteLockContexts(); OldTgt = Context->TicketCacheEntry; Context->TicketCacheEntry = TgtUsed;
//
// On the error path, do not set KERB_CONTEXT_USER_TO_USER because the
// client do not expect user2user at this moment
//
// Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
//
KerbUnlockContexts();
DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in error reply) saving ASC context->TicketCacheEntry, TGT is %p, was %p\n", TgtUsed, OldTgt));
TgtUsed = NULL;
if (OldTgt != NULL) { KerbDereferenceTicketCacheEntry(OldTgt); } } return (Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbHandleTgtRequest
//
// Synopsis: Processes a request for a TGT. It will verify the supplied
// principal names and marshall a TGT response structure
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbHandleTgtRequest( IN PKERB_LOGON_SESSION LogonSession, IN PKERB_CREDENTIAL Credential, IN BOOLEAN UseSuppliedCreds, IN PUCHAR RequestMessage, IN ULONG RequestSize, IN ULONG ContextRequirements, IN PSecBuffer OutputToken, IN PLUID LogonId, OUT PULONG ContextAttributes, OUT PKERB_CONTEXT * Context, OUT PTimeStamp ContextLifetime, OUT PKERBERR ReturnedError ){ ULONG StrippedRequestSize; PUCHAR StrippedRequest; KERBERR KerbErr = KDC_ERR_NONE; NTSTATUS Status = STATUS_SUCCESS; PKERB_TGT_REQUEST Request = NULL; BOOLEAN LockAcquired = FALSE; PKERB_PRIMARY_CREDENTIAL PrimaryCredentials; PKERB_TICKET_CACHE_ENTRY pOldTgt = NULL; ULONG ReplySize = 0; PBYTE MarshalledReply = NULL; ULONG FinalSize; PBYTE ReplyStart; PKERB_TICKET_CACHE_ENTRY TgtUsed = NULL;
D_DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest UseSuppliedCreds %s, ContextRequirements %#x\n", UseSuppliedCreds ? "true" : "false", ContextRequirements));
StrippedRequestSize = RequestSize; StrippedRequest = RequestMessage;
*ReturnedError = KDC_ERR_NONE;
//
// We need an output token
//
if (OutputToken == NULL) { return(SEC_E_INVALID_TOKEN); }
//
// Check if this is user-to-user kerberos
//
if (g_verify_token_header( gss_mech_krb5_u2u, (INT *) &StrippedRequestSize, &StrippedRequest, KG_TOK_CTX_TGT_REQ, RequestSize)) { *ContextAttributes |= ASC_RET_USE_SESSION_KEY; } else { Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Decode the tgt request message.
//
KerbErr = KerbUnpackData( StrippedRequest, StrippedRequestSize, KERB_TGT_REQUEST_PDU, (PVOID *) &Request ); if (!KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_ERROR,"Failed to decode TGT request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__)); Status = KerbMapKerbError(KerbErr); goto Cleanup; }
DsysAssert( !LockAcquired ); KerbReadLockLogonSessions(LogonSession); LockAcquired = TRUE;
if ( UseSuppliedCreds ) { PrimaryCredentials = Credential->SuppliedCredentials; } else { PrimaryCredentials = &LogonSession->PrimaryCredentials; }
//
// Check the supplied principal name and realm to see if it matches
// out credentials
//
//
// We don't need to verify the server name because the client can do
// that.
//
//
// Allocate a context
//
Status = KerbCreateEmptyContext( Credential, ASC_RET_USE_SESSION_KEY, // indicating user-to-user
KERB_CONTEXT_USER_TO_USER | KERB_CONTEXT_INBOUND, 0, // no nego info here.
LogonId, Context, ContextLifetime ); DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in TGT reply) USER2USER-INBOUND set %#x\n", Status));
if (!NT_SUCCESS(Status)) { goto Cleanup; }
Status = KerbBuildTgtReply( LogonSession, Credential, &PrimaryCredentials->DomainName, ReturnedError, &MarshalledReply, &ReplySize, &TgtUsed );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Put it in the context for later use
//
KerbWriteLockContexts(); pOldTgt = (*Context)->TicketCacheEntry; (*Context)->TicketCacheEntry = TgtUsed; KerbUnlockContexts();
DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in TGT reply) saving ASC context->TicketCacheEntry, TGT is %p, was %p\n", TgtUsed, pOldTgt)); TgtUsed = NULL;
if (pOldTgt) { KerbDereferenceTicketCacheEntry(pOldTgt); pOldTgt = NULL; }
//
// Now build the output message
//
FinalSize = g_token_size( gss_mech_krb5_u2u, ReplySize );
if ((ContextRequirements & ASC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < FinalSize) { D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ )); Status = STATUS_BUFFER_TOO_SMALL; goto Cleanup; } } else { OutputToken->pvBuffer = KerbAllocate(FinalSize); if (OutputToken->pvBuffer == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; }
ReplyStart = (PUCHAR) OutputToken->pvBuffer; g_make_token_header( gss_mech_krb5_u2u, ReplySize, &ReplyStart, KG_TOK_CTX_TGT_REP );
RtlCopyMemory( ReplyStart, MarshalledReply, ReplySize );
OutputToken->cbBuffer = FinalSize; KerbWriteLockContexts(); (*Context)->ContextState = TgtReplySentState; KerbUnlockContexts();
Cleanup:
if (LockAcquired) { KerbUnlockLogonSessions(LogonSession); } if (TgtUsed != NULL) { KerbDereferenceTicketCacheEntry(TgtUsed); } if (MarshalledReply != NULL) { MIDL_user_free(MarshalledReply); } if (Request != NULL) { KerbFreeData(KERB_TGT_REQUEST_PDU, Request); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbUnpackTgtReply
//
// Synopsis: Unpacks a TGT reply and verifies contents, sticking
// reply into context.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbUnpackTgtReply( IN PKERB_CONTEXT Context, IN PUCHAR ReplyMessage, IN ULONG ReplySize, OUT PKERB_INTERNAL_NAME * TargetName, OUT PUNICODE_STRING TargetRealm, OUT PKERB_TGT_REPLY * Reply ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr = KDC_ERR_NONE; UNICODE_STRING LocalTargetRealm = {0}; PUCHAR StrippedReply = ReplyMessage; ULONG StrippedReplySize = ReplySize; ULONG ContextAttributes;
*Reply = NULL; KerbReadLockContexts(); ContextAttributes = Context->ContextAttributes; KerbUnlockContexts();
D_DebugLog((DEB_TRACE_U2U, "KerbUnpackTgtReply is User2User set in ContextAttributes? %s\n", ContextAttributes & KERB_CONTEXT_USER_TO_USER ? "yes" : "no"));
//
// Verify the OID header on the response. If this wasn't a user-to-user
// context then the message came from a KERB_ERROR message and won't
// have the OID header.
//
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0) { if (!g_verify_token_header( gss_mech_krb5_u2u, (INT *) &StrippedReplySize, &StrippedReply, KG_TOK_CTX_TGT_REP, ReplySize)) { D_DebugLog((DEB_WARN, "KerbUnpackTgtReply failed to verify u2u token header\n")); Status = SEC_E_INVALID_TOKEN; goto Cleanup; } } else { StrippedReply = ReplyMessage; StrippedReplySize = ReplySize;
//
// this is an error tgt reply
//
KerbWriteLockContexts(); Context->ContextFlags |= ISC_RET_USE_SESSION_KEY;
//
// KERB_CONTEXT_USER_TO_USER needs to be set
//
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER; KerbUnlockContexts();
DebugLog((DEB_TRACE_U2U, "KerbUnpackTgtReply (TGT in error reply) USER2USER-OUTBOUND set\n")); }
//
// Decode the response
//
KerbErr = KerbUnpackData( StrippedReply, StrippedReplySize, KERB_TGT_REPLY_PDU, (PVOID *) Reply );
if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
//
// Pull the target name & realm out of the TGT reply message
//
KerbErr = KerbConvertRealmToUnicodeString( &LocalTargetRealm, &(*Reply)->ticket.realm ); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; }
//
// If we were asked to get the server & realm name, use them now
//
//
// BUG 455793: we also use them if we weren't passed a target name on this
// call. Since we don't require names to be passed, though, this is
// a security problem, as mutual authentication is no longer guaranteed.
//
if (((ContextAttributes & KERB_CONTEXT_REQ_SERVER_REALM) != 0) || (TargetRealm->Length == 0)) { KerbFreeString( TargetRealm ); *TargetRealm = LocalTargetRealm; LocalTargetRealm.Buffer = NULL; }
if (((ContextAttributes & KERB_CONTEXT_REQ_SERVER_NAME) != 0) || (((*TargetName)->NameCount == 1) && ((*TargetName)->Names[0].Length == 0))) { ULONG ProcessFlags = 0; UNICODE_STRING TempRealm = {0};
KerbFreeKdcName( TargetName );
Status = KerbProcessTargetNames( &Context->ServerPrincipalName, NULL, // no local target name
0, // no flags
&ProcessFlags, TargetName, &TempRealm, NULL ); if (!NT_SUCCESS(Status)) { goto Cleanup; } KerbFreeString(&TempRealm); }
Cleanup: if (!NT_SUCCESS(Status)) { if (*Reply != NULL) { KerbFreeData( KERB_TGT_REPLY_PDU, *Reply ); *Reply = NULL; } }
if (LocalTargetRealm.Buffer != NULL) { KerbFreeString( &LocalTargetRealm ); }
return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbComputeGssBindHash
//
// Synopsis: Computes the Channel Bindings Hash for GSSAPI
//
// Effects:
//
// Arguments:
//
// Requires: At least 16 bytes allocated to HashBuffer
//
// Returns:
//
// Notes:
// (viz. RFC1964)
// MD5 hash of channel bindings, taken over all non-null
// components of bindings, in order of declaration.
// Integer fields within channel bindings are represented
// in little-endian order for the purposes of the MD5
// calculation.
//
//--------------------------------------------------------------------------
NTSTATUSKerbComputeGssBindHash( IN PSEC_CHANNEL_BINDINGS pChannelBindings, OUT PUCHAR HashBuffer ){ NTSTATUS Status = STATUS_SUCCESS; PCHECKSUM_FUNCTION MD5Check = NULL; PCHECKSUM_BUFFER MD5ScratchBuffer = NULL;
//
// Locate the MD5 Hash Function
//
Status = CDLocateCheckSum(KERB_CHECKSUM_MD5, &MD5Check);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure Locating MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) );
goto Cleanup; }
//
// Initialize the Buffer
//
Status = MD5Check->Initialize(0, &MD5ScratchBuffer);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure initializing MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) );
goto Cleanup; }
//
// Build the MD5 hash
//
Status = MD5Check->Sum(MD5ScratchBuffer, sizeof(DWORD), (PUCHAR) &pChannelBindings->dwInitiatorAddrType );
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); }
Status = MD5Check->Sum(MD5ScratchBuffer, sizeof(DWORD), (PUCHAR) &pChannelBindings->cbInitiatorLength );
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); }
if( pChannelBindings->cbInitiatorLength ) { Status = MD5Check->Sum(MD5ScratchBuffer, pChannelBindings->cbInitiatorLength, (PUCHAR) pChannelBindings + pChannelBindings->dwInitiatorOffset);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); } }
Status = MD5Check->Sum(MD5ScratchBuffer, sizeof(DWORD), (PUCHAR) &pChannelBindings->dwAcceptorAddrType);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); }
Status = MD5Check->Sum(MD5ScratchBuffer, sizeof(DWORD), (PUCHAR) &pChannelBindings->cbAcceptorLength);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); }
if( pChannelBindings->cbAcceptorLength) { Status = MD5Check->Sum(MD5ScratchBuffer, pChannelBindings->cbAcceptorLength, (PUCHAR) pChannelBindings + pChannelBindings->dwAcceptorOffset);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); } }
Status = MD5Check->Sum(MD5ScratchBuffer, sizeof(DWORD), (PUCHAR) &pChannelBindings->cbApplicationDataLength);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); }
if( pChannelBindings->cbApplicationDataLength) { Status = MD5Check->Sum(MD5ScratchBuffer, pChannelBindings->cbApplicationDataLength, (PUCHAR) pChannelBindings + pChannelBindings->dwApplicationDataOffset);
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure building MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) ); } }
//
// Copy the hash results into the checksum field
//
DsysAssert( MD5Check->CheckSumSize == 4*sizeof(ULONG) );
Status = MD5Check->Finalize( MD5ScratchBuffer, HashBuffer );
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failure Finalizing MD5: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__) );
goto Cleanup; }
Cleanup:
if( MD5Check != NULL ) { MD5Check->Finish( &MD5ScratchBuffer ); }
return Status;}
|
